DefensePro User Guide

Software Version 6.07


Document ID: RDWR-DP-V0607_UG1209
September, 2012
Important Notices
The following important notices are presented in English, French, and German.

Important Notices
This guide is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2012. All rights reserved.
The copyright and all other intellectual property rights and trade secrets included in this guide are
owned by Radware Ltd.
The guide is provided to Radware customers for the sole purpose of obtaining information with
respect to the installation and use of the Radware products described in this document, and may not
be used for any other purpose.
The information contained in this guide is proprietary to Radware and must be kept in strict
confidence.
It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without
the prior written consent of Radware.

Important Notice (French version)
This guide is subject to the following conditions and restrictions:
Copyright Radware Ltd. 2012. All rights reserved.
The copyright and all other rights relating to intellectual property and trade secrets contained in
this guide are the property of Radware Ltd.
This information guide is provided to our customers for the installation and use of the Radware
products described in this document and may not be used for any purpose other than the one for
which it was designed.
The information listed in this document remains the property of Radware and must be kept
confidential.
It is strictly forbidden to copy, reproduce or disclose information contained in this manual without
obtaining the prior written consent of Radware.

Important Notice (German version)
This manual is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2012. All rights reserved.
The copyright and all other property rights and trade secrets contained in this manual are the
property of Radware Ltd.
This manual is provided to Radware customers for the sole purpose of supplying information on the
installation and use of the Radware products described in this document. It may not be used for any
other purpose.
The information contained in this manual is the property of Radware and must be treated as strictly
confidential.
It is strictly forbidden to copy, duplicate, reproduce or disclose this manual or parts of it without the
prior written consent of Radware.

Copyright Notices
The following copyright notices are presented in English, French, and German.

Copyright Notices
This product contains code developed by the OpenSSL Project
This product includes software developed by the OpenSSL Project. For use in the OpenSSL Toolkit.
(http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
This product contains the Rijndael cipher
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public
domain and distributed with the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
The OnDemand Switch may use software components licensed under the GNU General Public
License Agreement Version 2 (GPL v.2) including LinuxBios and Filo open source projects. The
source code of the LinuxBios and Filo is available from Radware upon request. A copy of the license
can be viewed at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This code is hereby placed in the public domain.
This product contains code developed by the OpenBSD Project
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.
This product includes software developed by Markus Friedl
This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson

Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
ALL THE SOFTWARE MENTIONED ABOVE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product contains work derived from the RSA Data Security, Inc. MD5 Message-Digest
Algorithm. RSA Data Security, Inc. makes no representations concerning either the merchantability
of the MD5 Message-Digest Algorithm or the suitability of the MD5 Message-Digest Algorithm for
any particular purpose. It is provided as is without express or implied warranty of any kind.

Copyright Notice (French version)

This product contains code developed within the OpenSSL Project.
This product includes software developed within the OpenSSL Project. For use in the OpenSSL
Toolkit (http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. This product includes the
Rijndael cipher.
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the
public domain and distributed under the terms of the following license:
@version 3.0 (December 2000)
ANSI C code for Rijndael (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>.
The OnDemand Switch may use software components licensed under the terms of the GNU General
Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source
projects. The source code of LinuxBios and Filo is available from Radware on request. A copy of the
license is listed at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This code is also placed in the public domain.
This product contains code developed within the OpenSSL Project.
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary form, with or without modification, are permitted
provided that the following conditions are met:
1. Redistribution of source code must include the above copyright notice, this list of conditions
and the following disclaimer.
2. Redistribution in binary form must reproduce, in the documentation and/or any other material
provided, the above copyright notice, this list of conditions and the following disclaimer.

3. The name of the University and the names of the contributors shall in no case be used to
endorse or promote a product derived from this program without obtaining prior written
authorization.
This product includes software developed by Markus Friedl
This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson.
Redistribution and use in source and binary form, with or without modification, are permitted
provided that the following conditions are met:
1. Redistribution of source code must include the above copyright notice, this list of conditions
and the following disclaimer.
2. Redistribution in binary form must reproduce, in the documentation and/or any other material
provided, the above copyright notice, this list of conditions and the following disclaimer.
THE SOFTWARE MENTIONED ABOVE IS PROVIDED AS IS BY THE DEVELOPER AND ANY WARRANTY,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, IS EXCLUDED.
IN NO EVENT SHALL THE AUTHOR BE HELD LIABLE FOR DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO THE PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES, LOSS OF USE, DATA OR PROFITS, OR BUSINESS
INTERRUPTION), WHATEVER THE CAUSE AND THE THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE), ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright Notices (German version)
This product contains code developed by the OpenSSL Project
This product contains software developed by the OpenSSL Project. For use in the OpenSSL
Toolkit. (http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. This product contains the
Rijndael cipher
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the
public domain and is distributed under the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>

The OnDemand Switch may use software licensed under the GNU General Public License
Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source
code of LinuxBios and Filo is available from Radware on request. A copy of this license can be
viewed at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This code is hereby made publicly available.
This product contains code developed by the OpenBSD Project
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary form, with or without modification, are permitted
under the following conditions:
1. Redistribution of source code must retain the above copyright notice, this list of conditions
and the following disclaimer.
2. Redistribution in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials distributed with it.
3. Neither the name of the University nor the names of the contributors may be used to endorse
or promote products derived from this software without express prior written permission.
This product contains software developed by Markus Friedl
This product contains software developed by Theo de Raadt
This product contains software developed by Niels Provos
This product contains software developed by Dug Song
This product contains software developed by Aaron Campbell
This product contains software developed by Damien Miller
This product contains software developed by Kevin Steves
This product contains software developed by Daniel Kouril
This product contains software developed by Wesley Griffin
This product contains software developed by Per Allansson
This product contains software developed by Nils Nordman
This product contains software developed by Simon Wilkinson
Redistribution and use in source and binary form, with or without modification, are permitted
under the following conditions:
1. Redistribution of source code must retain the above copyright notice, this list of conditions
and the following disclaimer.
2. Redistribution in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials distributed with it.
ALL OF THE AFOREMENTIONED SOFTWARE IS PROVIDED BY THE AUTHOR AS IS. ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED.
UNDER NO CIRCUMSTANCES SHALL THE AUTHOR BE LIABLE FOR DIRECT OR INDIRECT DAMAGES,
FOR DAMAGES ARISING IN THE PERFORMANCE OF A CONTRACT, FOR SPECIAL DAMAGES, FOR
PUNITIVE DAMAGES, OR FOR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR PROFIT; OR
BUSINESS INTERRUPTIONS), HOWEVER CAUSED, AND UNDER ANY THEORY OF LIABILITY, WHETHER
IN CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE), ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.

Safety Instructions
The following safety instructions are presented in English, French, and German.

Safety Instructions
CAUTION
A readily accessible disconnect device shall be incorporated in the building installation wiring.
Due to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures that
involve opening panels or changing components must be performed by qualified service personnel
only.
To reduce the risk of fire and electrical shock, disconnect the device from the power line before
removing cover or panels.
The following figure shows the caution label that is attached to Radware platforms with dual power
supplies.

Figure 1: Electrical Shock Hazard Label

DUAL-POWER-SUPPLY-SYSTEM SAFETY WARNING IN CHINESE


The following figure is the warning for Radware platforms with dual power supplies.

Figure 2: Dual-Power-Supply-System Safety Warning in Chinese

Translation of Dual-Power-Supply-System Safety Warning in Chinese:


This unit has more than one power supply. Disconnect all power supplies before maintenance to
avoid electric shock.
SERVICING
Do not perform any servicing other than that contained in the operating instructions unless you are
qualified to do so. There are no serviceable parts inside the unit.
HIGH VOLTAGE
Any adjustment, maintenance, and repair of the opened instrument under voltage must be avoided
as much as possible and, when inevitable, must be carried out only by a skilled person who is aware
of the hazard involved.
Capacitors inside the instrument may still be charged even if the instrument has been disconnected
from its source of supply.

GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of this device
must be connected to the protective earth in the building installation.
LASER
This equipment is a Class 1 Laser Product in accordance with the IEC 60825-1:1993 + A1:1997 +
A2:2001 Standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used for
replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided.
Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be
made inoperative and be secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, make sure the voltage of the power source
matches the requirements of the instrument. Refer to the Specifications for information about the
correct power rating for the device.
48V DC-powered platforms have an input tolerance of 36-72V DC.
SPECIFICATION CHANGES
Specifications are subject to change without notice.

Note: This equipment has been tested and found to comply with the limits for a Class A digital
device pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN 55024; EN
61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11,
for CE MARK compliance. These limits are designed to provide reasonable protection
against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses and can radiate radio frequency energy
and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference, in which case the user is required
to correct the interference at his own expense.

VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTS

Figure 3: Statement for Class A VCCI-certified Equipment

Translation of Statement for Class A VCCI-certified Equipment:


This is a Class A product based on the standard of the Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). If this equipment is used in a domestic environment,
radio disturbance may occur, in which case, the user may be required to take corrective action.

Figure 4: Statement for Class B VCCI-certified Equipment

Translation of Statement for Class B VCCI-certified Equipment:


This is a Class B product based on the standard of the Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). If this is used near a radio or television receiver in a
domestic environment, it may cause radio interference.
Install and use the equipment according to the instruction manual.
KCC KOREA

Figure 5: KCC (Korea Communications Commission) Certificate of Broadcasting and
Communication Equipment

Figure 6: Statement For Class A KCC-certified Equipment in Korean

Translation of Statement For Class A KCC-certified Equipment in Korean:


This equipment is industrial (Class A) electromagnetic-compatibility equipment; sellers and users
should take note of this, and the equipment is to be used in places other than the home.
SPECIAL NOTICE FOR NORTH AMERICAN USERS
For North American power connection, select a power supply cord that is UL Listed and CSA Certified
3-conductor, [18 AWG], terminated in a molded-on plug cap rated 125 V, [10 A], with a minimum
length of 1.5m [six feet] but no longer than 4.5m...For European connection, select a power supply
cord that is internationally harmonized and marked <HAR>, 3-conductor, 0.75 mm² minimum
wire, rated 300 V, with a PVC insulated jacket. The cord must have a molded-on plug cap rated
250 V, 3 A.
RESTRICT AREA ACCESS
The DC powered equipment should only be installed in a Restricted Access Area.
INSTALLATION CODES
This device must be installed according to country national electrical codes. For North America,
equipment must be installed in accordance with the US National Electrical Code, Articles 110-16,
110-17, and 110-18, and the Canadian Electrical Code, Section 12.

INTERCONNECTION OF UNITS
Cables for connecting to the unit's RS232 and Ethernet interfaces must be UL certified type DP-1 or
DP-2. (Note: this applies when the cables reside in a non-LPS circuit.)
OVERCURRENT PROTECTION
A readily accessible listed branch-circuit overcurrent protective device rated 15 A must be
incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES
If the equipment is provided with a replaceable battery and that battery is replaced by an incorrect
battery type, an explosion may occur. This is the case for some lithium batteries, and the following
applies:
If the battery is placed in an Operator Access Area, there is a marking close to the battery or
a statement in both the operating and service instructions.
If the battery is placed elsewhere in the equipment, there is a marking close to the battery or a
statement in the service instructions.

This marking or statement includes the following text warning:


CAUTION
RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE.
DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
Caution To Reduce the Risk of Electrical Shock and Fire
1. This equipment is designed to permit connection between the earthed conductor of the DC
supply circuit and the earthing conductor equipment. See Installation Instructions.
2. All servicing must be undertaken only by qualified service personnel. There are no user-
serviceable parts inside the unit.
3. DO NOT plug in, turn on or attempt to operate an obviously damaged unit.
4. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.
5. Replace a blown fuse ONLY with the same type and rating as is marked on the safety label
adjacent to the power inlet housing the fuse.
6. Do not operate the device in a location where the maximum ambient temperature exceeds
40°C/104°F.
7. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to remove
and/or check the main power fuse.
CLASS 1 LASER PRODUCT AND REFERENCE TO THE MOST RECENT LASER STANDARDS IEC
60825-1:1993 + A1:1997 + A2:2001 AND EN 60825-1:1994 + A1:1996 + A2:2001
AC units for Denmark, Finland, Norway, Sweden (marked on product):
Denmark - Unit is class I - unit to be used with an AC cord set suitable with Denmark
deviations. The cord includes an earthing conductor. The Unit is to be plugged into a wall socket
outlet which is connected to a protective earth. Socket outlets which are not connected to earth
are not to be used!
Finland - (Marking label and in manual) - Laite on liitettävä suojamaadoituskoskettimilla
varustettuun pistorasiaan (the appliance must be connected to a socket outlet equipped with
protective-earth contacts)
Norway (Marking label and in manual) - Apparatet må tilkoples jordet stikkontakt (the apparatus
must be connected to an earthed socket outlet)
Unit is intended for connection to IT power systems for Norway only.
Sweden (Marking label and in manual) - Apparaten skall anslutas till jordat uttag (the apparatus
shall be connected to an earthed outlet).

To connect the power connection:


1. Connect the power cable to the main socket, located on the rear panel of the device.
2. Connect the power cable to the grounded AC outlet.

CAUTION
Risk of electric shock and energy hazard. Disconnecting one power supply disconnects only one
power supply module. To isolate the unit completely, disconnect all power supplies.

Safety Instructions (French version)
CAUTION
A readily accessible disconnect device shall be incorporated in the building wiring.
Because of the risks of electric shock and of energy, mechanical and fire hazards, any procedure
involving opening panels or replacing components shall be carried out by qualified personnel.
To reduce the risks of fire and electric shock, disconnect the device from the power supply before
removing the cover or panels.
The following figure shows the warning label affixed to Radware platforms equipped with more than
one electrical power source.

Figure 7: Electric Shock Hazard Warning Label

SAFETY WARNING FOR SYSTEMS WITH TWO ELECTRICAL POWER SOURCES (IN CHINESE)

The following figure shows the warning label for Radware platforms equipped with two electrical
power sources.

Figure 8: Safety warning for systems with two electrical power sources (in Chinese)

Translation of the safety warning for systems with two electrical power sources (in Chinese):
This unit has more than one electrical power source. Disconnect all electrical power sources before
servicing the unit, to avoid any electric shock.
SERVICING
Do not perform any servicing other than that listed in the instruction manual unless you are
qualified to do so. No part inside the unit can be replaced or repaired.
HIGH VOLTAGE
Any adjustment, servicing or repair of the opened instrument under voltage must be avoided.
If this proves indispensable, entrust the operation to a qualified person who is aware of the
hazards involved.

The capacitors inside the unit may still be charged even if the unit has been disconnected from the
electrical power source.
GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of this unit
must be connected to the building's earthing system.
LASER
This equipment is a Class 1 laser product, in accordance with the IEC 60825-1:1993 + A1:1997 +
A2:2001 standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used as
replacements. The use of repaired fuses and the short-circuiting of fuse holders must be avoided.
When it is practically certain that the protection offered by the fuses has been impaired, the
instrument must be deactivated and secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, check that the voltage of the power source
matches the requirements of the instrument. Consult the specifications for the correct power
rating of the device.
Platforms powered at 48 V DC have an input tolerance of between 36 and 72 V DC.
SPECIFICATION CHANGES
Specifications are subject to change without prior notice.
Note: This equipment has been tested and declared compliant with the limits defined for a Class A
digital device, pursuant to Part 15B of the FCC rules and EN55022 Class A, EN 55024, EN
61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8, and IEC 61000-4-11, for the CE
compliance mark. These limits are set to provide reasonable protection against harmful
interference when the equipment is used in a commercial environment. This equipment generates,
uses and can emit radio frequencies and, if it is not installed and used in accordance with the
instruction manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference, in which case the user will
have to correct the problem at his own expense.
VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTS

Figure 9: Statement for Class A VCCI-certified equipment

Translation of the statement for Class A VCCI-certified equipment:

This is a Class A product, based on the standard of the Voluntary Control Council for Interference
by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment,
radio disturbances may occur. If so, the user will be required to take corrective measures.

Figure 10: Statement for Class B VCCI-certified equipment

Translation of the statement for Class B VCCI-certified equipment:

This is a Class B product, based on the standard of the Voluntary Control Council for Interference
by Information Technology Equipment (VCCI). If it is used near a radio or television set in a
domestic environment, it may cause radio interference.
Install and use the equipment according to the instruction manual.
KCC KOREA

Figure 11: KCC (Korea Communications Commission) Certificate for Broadcasting and
Communication Equipment.

Figure 12: Statement for Class A KCC-certified equipment in Korean

Translation of the statement for Class A KCC-certified equipment in Korean:

This equipment is (Class A) equipment suitable for electromagnetic waves and the seller or user
must take this into account. This equipment is therefore intended for use elsewhere than in the
home.
SPECIAL NOTICE FOR NORTH AMERICAN USERS
For an electrical connection in North America, select a UL-listed and CSA-certified 3-conductor
power cord, [18 AWG], fitted with a moulded plug at its end, rated 125 V, [10 A], with a minimum
length of 1.5 m [six feet] and a maximum of 4.5 m...For the European connection, choose an
internationally harmonized power cord marked <HAR>, 3-conductor, 0.75 mm² minimum cable,
rated 300 V, with an insulated PVC jacket. The plug at the end of the cord shall bear a moulded
marking indicating: 250 V, 3 A.
RESTRICTED ACCESS AREA
DC-powered equipment may only be installed in a restricted access area.
INSTALLATION CODES
This device must be installed in compliance with national electrical codes. In North America, the
equipment shall be installed in compliance with the US National Electrical Code, Articles 110-16,
110-17 and 110-18, and the Canadian Electrical Code, Section 12.
INTERCONNECTION OF UNITS

Cables for connecting the unit to RS232 and Ethernet interfaces must be UL certified, type DP-1 or DP-2. (Note: if they do not reside in an LPS circuit.)
OVERCURRENT PROTECTION
A readily accessible, listed branch-circuit overcurrent protection device rated 15 A must be incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES
If the equipment is supplied with a battery and it is replaced by an incorrect battery type, it may explode. This is the case for some lithium batteries, so the following applies:
- If the battery is placed in an operator access area, a marking is placed on the battery or a note is included in both the operating and the service instructions.
- If the battery is placed elsewhere in the equipment, a marking is placed on the battery or a note is included in the service instructions.

This marking or note includes the following warning text:


WARNING
RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
Caution - To reduce the risk of electric shock and fire
1. This equipment is designed to permit connection between the earthed conductor of the DC supply circuit and the earthing conductor of the equipment. See the installation instructions.
2. All servicing must be performed by qualified service personnel. There are no user-serviceable parts inside the unit.
3. DO NOT connect, power on, or attempt to use a unit that is visibly damaged.
4. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.
5. Replace a blown fuse only with a fuse of the same type and rating, as indicated on the safety label adjacent to the power inlet that houses the fuse.
6. Do not operate the device in a location where the maximum ambient temperature exceeds 40°C/104°F.
7. Disconnect the power cord from the wall outlet BEFORE attempting to remove and/or check the main power fuse.
CLASS 1 LASER PRODUCT AND REFERENCE TO THE MOST RECENT LASER STANDARDS: IEC 60 825-1: 1993 + A1: 1997 + A2: 2001 AND EN 60825-1: 1994+A1: 1996+ A2: 2001
AC units for Denmark, Finland, Norway, Sweden (as indicated on the product):
Denmark - Unit is Class 1 - to be used with an AC cord set compatible with the Denmark deviations. The cord includes an earthing conductor. The unit is to be plugged into a grounded wall socket outlet. Socket outlets that are not grounded are not to be used!
Finland (label and instruction in manual) - Laite on liitettävä suojamaadoituskoskettimilla varustettuun pistorasiaan
Norway (label and instruction in manual) - Apparatet må tilkoples jordet stikkontakt
The unit may be connected to an IT power system (Norway only).
Sweden (label and instruction in manual) - Apparaten skall anslutas till jordat uttag.

To connect the power supply:


1. Connect the power cable to the main socket, located on the rear panel of the unit.
2. Connect the power cable to the grounded AC outlet.


WARNING
Risk of electric shock and energy hazard. Disconnecting one power source disconnects only one power supply module. To isolate the unit completely, disconnect all power sources.
CAUTION
Risk of electric shock and energy hazard. Disconnecting a single power supply disconnects only one power supply module. To isolate the module completely, all power supplies must be disconnected.
Caution: To Reduce the Risk of Electric Shock and Fire
1. All servicing must be performed ONLY by qualified service personnel. No component is user-serviceable or user-replaceable.
2. DO NOT connect, power on, or attempt to use a unit that is visibly defective.
3. Ensure that the chassis ventilation openings are NOT BLOCKED.
4. Replace a blown fuse ONLY with a fuse of the same type and rating, as indicated on the safety label near the power inlet that houses the fuse.
5. DO NOT OPERATE the equipment in premises where the maximum temperature exceeds 40 degrees Celsius.
6. Ensure that the power cord has been disconnected BEFORE attempting to remove and/or check the main power supply fuse.

Safety Instructions
CAUTION
The building's electrical installation must include a readily accessible power disconnect device.
Because of the risk of electric shock and the energy, mechanical and fire hazards, procedures in which covers are removed or components are replaced must be performed exclusively by qualified service personnel.
To reduce the risk of fire and electric shock, the device must be disconnected from the power supply before the cover or panels are removed.
The following figure shows the CAUTION label affixed to Radware platforms with dual power supplies.

Figure 13: Electric Shock Hazard Warning Label


SAFETY NOTICE IN CHINESE FOR DUAL-POWER-SUPPLY SYSTEMS


The following figure is the warning for Radware platforms with dual power supplies.

Figure 14: Safety Notice in Chinese for Dual-Power-Supply Systems

Translation of the Safety Notice in Chinese for Dual-Power-Supply Systems:


The unit has more than one power supply source. To prevent electric shock, disconnect all power supply lines before servicing.
SERVICING
Do not perform any servicing other than that described in the operating instructions unless you are qualified to do so. There are no serviceable parts inside the device.
HIGH VOLTAGE
Any adjustment, maintenance and repair of the opened device under voltage must be avoided as far as possible. If it is unavoidable, it must be carried out only by qualified persons who are aware of the hazard. Capacitors inside the device may still hold a charge even after the device has been disconnected from the power supply.
GROUNDING
Before the device is connected to the power supply, the grounding screws of the device's grounding conductor must be connected to the ground of the building wiring.
LASER
This device is a Class 1 laser product in accordance with the IEC60825 - 1: 1993 + A1:1997 + A2:2001 standard.
FUSES
Ensure that only fuses with the required current rating and of the specified type are used. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. In cases where it is likely that the protection offered by the fuses has been impaired, the device must be switched off and secured against unintended operation.
LINE VOLTAGE
Before connecting this device to the power supply, ensure that the voltage of the power source meets the requirements of the device. Refer to the technical specifications for the correct electrical ratings of the device.
48 V DC platforms have an input tolerance of 36-72 V DC.
SPECIFICATION CHANGES
Technical specifications are subject to change without notice.
Note: This device has been tested and found to comply with the limits for Class 1 digital devices pursuant to Part 15B of the FCC rules and EN55022 Class A, EN55024; EN 61000-3-2; EN; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11 for compliance with the CE marking. These limits are designed to provide reasonable protection against harmful interference when the device is operated in a commercial environment. This device generates, uses and radiates electromagnetic radio-frequency energy. If it is not installed and used in accordance with the instructions in the manual, it may interfere with and impair radio communications. Operation of this device in a residential area is highly likely to cause harmful interference. In such a case, the user would be required to correct the interference at his own expense.


VCCI STATEMENT ON ELECTROMAGNETIC INTERFERENCE

Figure 15: Statement for VCCI-Certified Class A Equipment

Translation of the Statement for VCCI-Certified Class A Equipment:


This is a Class A product based on the standards of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, electromagnetic disturbance may occur. In such a case, the user would be required to take corrective action.

Figure 16: Statement for VCCI-Certified Class B Equipment

Translation of the Statement for VCCI-Certified Class B Equipment:


This is a Class B product based on the standards of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, electromagnetic disturbance may occur.
Install and use the equipment according to the instructions in the user manual.
KCC KOREA

Figure 17: KCC - Korea Communications Commission Certificate for Broadcasting and Communication Equipment

Figure 18: Statement for KCC-Certified Class A Equipment


Translation of the Statement for KCC-Certified Class A Equipment:


Sellers or users should be aware that this equipment is Class A equipment suitable for industrial electromagnetic waves and that this equipment is not intended for home use.
SPECIAL NOTICE FOR NORTH AMERICAN USERS
For the North American power connection, select a power cord that is UL listed and CSA certified, 3-conductor, [18 AWG], terminated in a molded plug, rated 125 V, [10 A], with a minimum length of 1.5 m [six feet] and no longer than 4.5 m. For European connections, use an internationally harmonized power cord marked <HAR>, with 3 conductors of at least 0.75 mm², rated 300 V, with PVC jacket. The cord must terminate in a molded plug rated 250 V, 3 A.
RESTRICTED ACCESS AREA
The DC-powered device may only be installed in a restricted access area.
INSTALLATION CODES
This device must be installed according to the country-specific electrical codes. In North America, devices must be installed in accordance with the US National Electrical Code, Articles 110-16, 110-17 and 110-18, and the Canadian Electrical Code, Section 12.
INTERCONNECTION OF UNITS
Cables for connecting the device to RS232 and Ethernet interfaces must be UL certified and of type DP-1 or DP-2. (Note: when residing in a non-LPS circuit.)
OVERCURRENT PROTECTION
A readily accessible, listed branch-circuit overcurrent protection device rated 15 A must be incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES
If a device is supplied with a replaceable battery and this battery is replaced by an incorrect battery type, this could lead to an explosion. This applies to some types of lithium batteries, and the following must be observed:
- If the battery is placed in an operator access area, there is a marking near the battery or a statement in both the operating manual and the service instructions.
- If the battery is placed elsewhere in the device, there is a marking near the battery or a statement in the service instructions.
This marking or statement contains the following warning text: CAUTION
RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
Denmark - Unit is class I - to be used with an AC cord set that is suited to the Denmark deviations. The cord includes an earthing conductor. The cord is to be plugged into a grounded wall socket outlet. Do not use socket outlets without an earthing conductor!
Finland - (label and in the manual) - Laite on liitettävä suojamaadoituskoskettimilla varustettuun pistorasiaan
Norway - (label and in the manual) - Apparatet må tilkoples jordet stikkontakt
Intended exclusively for connection to IT power systems in Norway
Sweden - (label and in the manual) - Apparaten skall anslutas till jordat uttag.

To connect the power cable:


1. Connect the power cable to the main connector on the rear panel of the device.
2. Connect the power cable to the grounded AC outlet.
CAUTION
Electric shock and energy hazard. Disconnecting one power source disconnects only one power supply module from the power supply. To isolate the device completely, it must be disconnected from all power sources.


Caution - To Reduce the Risk of Electric Shock and Fire


1. This device is designed to permit the connection between the grounded conductor of the DC circuit and the grounding conductor of the device. See the installation instructions.
2. Servicing of any kind may be performed only by qualified service personnel. There are no user-serviceable parts inside the device.
3. Do not attempt to connect, power on or operate a device that is visibly damaged.
4. Ensure that the ventilation openings in the device enclosure are NOT BLOCKED.
5. Replace a blown fuse only with a fuse of the same type and rating as indicated on the safety label located next to the power cord connector, at the fuse housing.
6. Do not operate the device in a location where the maximum ambient temperature exceeds 40°C.
7. Ensure that you unplug the power cord from the wall outlet BEFORE removing and/or checking the main fuse.

Altitude and Climate Warning

Note: This warning only applies to The People's Republic of China.

[Chinese-language warning text not preserved in extraction; recoverable values: 1. Tma 25°C; 2. 2000 m altitude]

Document Conventions
The following describes the conventions and symbols that this guide uses:

Item        Description
Example     An example scenario
Caution:    Possible damage to equipment, software, or data
Note:       Additional information
To          A statement and instructions
Tip:        A suggestion or workaround
Warning:    Possible physical harm to the operator



Table of Contents
Important Notices .......................................................................................................... 3
Copyright Notices .......................................................................................................... 4
Safety Instructions ......................................................................................................... 8
Altitude and Climate Warning ...................................................................................... 20
Document Conventions ............................................................................................... 21

Chapter 1 Introduction......................................................................................... 31
Introducing DefensePro ............................................................................................... 31
DefensePro System Components ............................................................................... 31
Radware Security Update Service on the Web ........................................................... 32
Typical Deployment ..................................................................................................... 33
Network Connectivity ................................................................................................... 34
Management Interfaces: APSolute Vision and Others .............................................. 34
DefensePro Features .................................................................................................. 35
Security Protections ............................................................................................................. 35
Bandwidth Management ...................................................................................................... 36
Real-time Security Reporting for DefensePro ...................................................................... 36
Historical Security Reporting: APSolute Vision Reporter .................................................. 36
Related Documentation ............................................................................................... 36
DefensePro Release Notes and Maintenance Release Notes ............................................ 37
Radware Installation and Maintenance Guide ..................................................................... 37
APSolute Vision Documentation .......................................................................................... 37
APSolute Vision Reporter Documentation ........................................................................... 38

Chapter 2 Getting Started.................................................................................... 39


DefensePro Physical Ports .......................................................................................... 39
DefensePro Platforms and Models .............................................................................. 39
Logging into APSolute Vision ...................................................................................... 40
Changing Password for Local Users ........................................................................... 40
APSolute Vision User Interface Overview ................................................................... 41
Configuration Perspective .................................................................................................... 41
Monitoring Perspective ........................................................................................................ 43
Security Monitoring Perspective .......................................................................................... 45
Asset Management Perspective .......................................................................................... 46
APSolute Vision Sites .......................................................................................................... 46
APSolute Vision Sites and DefensePro Devices ......................................................... 46


Configuring Inspection Ports ...................................................................................... 46


Configuring Port Pairs ......................................................................................................... 47
Managing the Status of Physical Ports ................................................................................ 48
Internal Bypass for RJ-45 Ports .......................................................................................... 49
Updating the Attack Description File .......................................................................... 50
Managing DefensePro Security Groups ..................................................................... 50

Chapter 3 Basic Device Configuration............................................................... 55


Locking and Unlocking a Device ................................................................................ 55
DefensePro Device Setup .......................................................................................... 56
Configuring DefensePro Global Parameters ....................................................................... 56
Configuring Date and Time Synchronization ....................................................................... 57
Configuring Daylight Saving ................................................................................................ 58
Configuring Access Protocols ............................................................................................. 58
Configuring SNMP Supported Versions .............................................................................. 60
Upgrading a License for a DefensePro Device ................................................................... 60
Configuring E-mail Settings ................................................................................................. 61
Configuring RADIUS Authentication for Device Management ............................................ 62
Configuring Syslog Settings ................................................................................................ 64
Managing Certificates ......................................................................................................... 66
Configuring High Availability ................................................................................................ 71
Configuring BOOTP ............................................................................................................ 77
Configuring DNS Client Settings ......................................................................................... 78
Configuring DefensePro Security Signaling ........................................................................ 78
Advanced Parameters ................................................................................................ 80
Configuring Advanced Settings ........................................................................................... 81
Configuring Configuration Auditing ...................................................................................... 82
Configuring Dynamic Protocols ........................................................................................... 82
Configuring Tuning Parameters .......................................................................................... 84
Configuring Security Reporting Settings ............................................................................. 93
Configuring Out-of-Path Settings for DefensePro ............................................................... 96
Configuring Session Table Settings .................................................................................... 97
Configuring Suspend Settings ........................................................................................... 100
Configuring the Device Event Scheduler ........................................................................... 101
Configuring Tunneling Inspection ...................................................................................... 102
Configuring SNMP .................................................................................................... 103
Configuring SNMP Users .................................................................................................. 103
Configuring SNMP Community Settings ........................................................................... 104
Configuring the SNMP Group Table .................................................................................. 105
Configuring SNMP Access Settings .................................................................................. 106
Configuring SNMP Notify Settings .................................................................................... 107
Configuring SNMP View Settings ...................................................................................... 108
Configuring the SNMP Target Parameters Table .............................................................. 108
Configuring SNMP Target Addresses ............................................................................... 109


Configuring Device Users ......................................................................................... 110


Configuring Access Permissions on Physical Ports ................................................. 112
Configuring Port Pinging ........................................................................................... 113

Chapter 4 Device Network Configuration ........................................................ 115


Configuring Device IP Interfaces .............................................................................. 115
Managing IP Routing ................................................................................................ 116
Configuring IP Routing ...................................................................................................... 116
Configuring ICMP ............................................................................................................. 117
Configuring the ARP Table ............................................................................................... 118
Configuring Ports ...................................................................................................... 119
Configuring Link Aggregation ........................................................................................... 120
Configuring Port Mirroring ................................................................................................. 122
Configuring the Basic Network Parameters .............................................................. 124
IPv4 and IPv6 Support ...................................................................................................... 124
IP Fragmentation .............................................................................................................. 124
Configuring the Basic Networking Parameters ................................................................. 125
Configuring Port Pairs .............................................................................................. 127

Chapter 5 Security Configuration..................................................................... 129


Security Protections .................................................................................................. 129
Selecting a Device for Security Configuration .......................................................... 130
Configuring Global Security Settings ........................................................................ 130
Configuring Global Signature Protection .......................................................................... 131
Configuring DoS Shield Protection ................................................................................... 132
Configuring Global Behavioral DoS Protection ................................................................. 133
Configuring Global Anti-Scanning Protection Settings ..................................................... 139
Configuring Global SYN Flood Protection ........................................................................ 141
Configuring Global Out of State Protection ....................................................................... 142
Configuring Global HTTP Flood Protection ...................................................................... 143
Configuring Global SIP Cracking Protection ..................................................................... 144
Configuring Global Fraud Protection ................................................................................ 145
Configuring Global Packet Anomaly Protection ................................................................ 147
Configuring Global DNS Flood Protection ........................................................................ 150
Managing the Network Protection Policy .................................................................. 156
Configuring the Network Protection Policy ....................................................................... 157
Configuring Signature Protection for Network Protection ................................................. 161
Configuring BDoS Profiles for Network Protection ........................................................... 181
Configuring Anti-Scanning Protection for Network Protection .......................................... 183
Configuring Connection Limit Profiles for Network Protection .......................................... 186
Configuring SYN Profiles for Network Protection ............................................................. 190
Radware-Recommended Verification Type Values .......................................................... 192
Configuring Connection PPS Limit Profiles for Network Protection .................................. 196


Configuring DNS Protection Profiles for Network Protection ............................................. 199


Configuring Out of State Protection Profiles for Network Protection ................................. 202
Managing the Server Protection Policy .................................................................... 204
Configuring the Server Protection Policy ........................................................................... 204
Server Cracking Protection ............................................................................................... 206
Configuring HTTP Flood Mitigation Profiles for Server Protection .................................... 216
Configuring White Lists ............................................................................................. 222
Configuring White Lists in Defense Pro ............................................................................. 222
Configuring Black Lists ............................................................................................. 225
Enabling and Disabling the Packet Trace Feature for Black List Rules ............................ 225
Configuring Black List Rules ............................................................................................. 226
Managing the ACL Policy ......................................................................................... 230
Configuring Global ACL Policy Settings ............................................................................ 230
Configuring ACL Policy Rules ........................................................................................... 233
Viewing Active ACL Policy Rules ...................................................................................... 236

Chapter 6 Bandwidth Management .................................................................. 237


Bandwidth Management Overview ........................................................................... 237
Application Classification ................................................................................................... 237
Classification Mode ........................................................................................................... 238
Managing Bandwidth Management Global Settings ................................................. 238
Bandwidth Management Policies ............................................................................. 240
Bandwidth Management Policy Mechanism ...................................................................... 240
Bandwidth Management Classification Criteria ................................................................. 241
Bandwidth Management Rules ......................................................................................... 242
Managing Bandwidth Management Policies ..................................................................... 243
Port Bandwidth ......................................................................................................... 248

Chapter 7 Managing Classes ............................................................................ 249


Configuring Network Classes ................................................................................... 249
Configuring Service Classes .................................................................................... 251
Configuring Basic Filters ................................................................................................... 251
Configuring AND Group Filters .......................................................................................... 257
Configuring OR Group Filters ............................................................................................ 257
Configuring Application Classes ............................................................................... 258
Configuring Physical Port Classes ........................................................................... 259
Configuring VLAN Tag Classes ................................................................................ 260
Configuring MAC Address Classes .......................................................................... 261
Viewing Active Class Configurations ........................................................................ 261
Viewing the Active Network Class Configuration .............................................................. 262
Viewing the Active Service Class Configurations .............................................................. 262
Viewing the Active Application Class Configuration .......................................................... 263


Viewing the Active Physical Port Class Configuration ...................................................... 263


Viewing the Active VLAN Tag Class Configuration .......................................................... 264
Viewing the Active MAC Address Class Configuration ..................................................... 264
Configuring MPLS RD Groups ................................................................................. 264

Chapter 8 Managing Device Operations and Maintenance ............................ 267


Rebooting a DefensePro Device .............................................................................. 267
Shutting Down a DefensePro Device ....................................................................... 267
Viewing and Setting Device Date and Time ............................................................. 268
Upgrading Device Software ...................................................................................... 268
Downloading a Device's Log File to the APSolute Vision Client .............................. 269
Updating a Radware Signature File or RSA Signature File ...................................... 270
Downloading a Technical Support File to the APSolute Vision Client ...................... 271
Managing DefensePro Device Configurations .......................................................... 272
Configuration File Content ................................................................................................ 272
Downloading a Device's Configuration File ...................................................... 272
Restoring a Device's Configuration .................................................................. 273
Updating Policy Configurations on a DefensePro Device ........................................ 274
Checking Device Memory Availability ....................................................................... 274
Resetting the Baseline for DefensePro .................................................................... 274
Enabling and Disabling Interfaces ............................................................................ 275
Scheduling APSolute Vision and Device Tasks ....................................................... 276
Overview of Scheduling .................................................................................................... 276
Configuring Tasks in the Scheduler .................................................................................. 277
Task Parameters .............................................................................................................. 278

Chapter 9 Monitoring DefensePro Devices and Interfaces ............................ 285


Monitoring DefensePro Devices ............................................................................... 285
Monitoring General DefensePro Device Information ........................................................ 285
Monitoring DefensePro High Availability ........................................................................... 286
Monitoring the DefensePro Suspend Table ...................................................................... 288
Monitoring DefensePro CPU Utilization ............................................................................ 288
Monitoring and Clearing DefensePro Authentication Tables ............................................ 289
Monitoring DefensePro SNMP Statistics .......................................................................... 290
Monitoring DME Utilization According to Configured Policies .......................................... 291
Monitoring DefensePro Syslog Information ...................................................................... 292
Monitoring Session Table Information .............................................................................. 292
Monitoring DefensePro IP Statistics ................................................................................. 294
Monitoring DefensePro Bandwidth Management Statistics .............................................. 296
Monitoring Routing Table Information ............................................................................... 298
Monitoring DefensePro ARP Table Information ................................................................ 299
Monitoring MPLS RD Information ..................................................................................... 300
Monitoring Device Interfaces .................................................................................... 300


Chapter 10 Real-Time Security Reporting ....................................................... 303


Viewing the Security Dashboard .............................................................................. 303
Viewing and Managing Current Attack Information .................................................. 305
Attack Details .................................................................................................................... 309
Sampled Data Dialog Box ................................................................................................. 320
Viewing Real-Time Traffic Statistics ......................................................................... 321
Viewing Traffic Utilization Statistics ................................................................................... 321
MIB Support for Traffic-Monitoring Data ............................................................................ 324
Viewing Connection Rate Statistics ................................................................................... 325
Viewing Concurrent Connections Statistics ....................................................................... 326
Monitoring Attack Sources: Geographical Map ...................................... 326
Protection Monitoring ................................................................................................ 327
Displaying Attack Status Information ................................................................................. 328
Monitoring Network Rule Traffic ........................................................................................ 329
Monitoring DNS Flood Attack Traffic ................................................................................. 331
HTTP Reports ........................................................................................................... 334
Monitoring Continuous Learning Statistics ........................................................................ 334
Monitoring Hour-Specific Learning Statistics ..................................................................... 335
HTTP Request Size Distribution ........................................................................................ 336
MIB Support for Real-Time HTTP Monitoring Data ........................................................... 336

Chapter 11 Administering DefensePro ............................................................ 339


Command Line Interface .......................................................................................... 339
CLI Session Time-Out ....................................................................................................... 340
CLI Capabilities ................................................................................................................. 340
CLI Traps .......................................................................................................................... 341
Send Traps To All CLI Users ............................................................................................. 341
Web Based Management ......................................................................................... 341
Web Services ........................................................................................................... 342
API Structure ..................................................................................................................... 342
APSolute API Software Development Kit (SDK) ............................................................... 343

Appendix A Behavioral DoS Advanced Settings ............................................ 345

Appendix B Configuring SSL-Based Protection with AppXcel ..................... 349


Configuring SSL Inspection Layer 4 Ports for DefensePro ...................................... 350

Appendix C Troubleshooting............................................................................ 353


Diagnostic Tools ....................................................................................................... 353
Traffic Capture Tool .......................................................................................................... 353
Trace-Log .......................................................................................................................... 354


Diagnostic Tools Files Management ................................................................................. 357


Diagnostics Policies .......................................................................................................... 358
Technical Support File .............................................................................................. 359

Appendix D Predefined Basic Filters ............................................................... 361

Appendix E Glossary ......................................................................................... 371

Radware Ltd. End User License Agreement....................................................... 377



Chapter 1 Introduction
This guide describes DefensePro 6.07 and how to use it.
Unless specifically stated otherwise, the procedures described in this guide are performed using
APSolute Vision version 2.00.
This chapter introduces Radware's DefensePro and provides a general explanation of its main
features and modules.
This chapter contains the following sections:
Introducing DefensePro, page 31
DefensePro System Components, page 31
Radware Security Update Service on the Web, page 32
Typical Deployment, page 33
Network Connectivity, page 34
Management Interfaces: APSolute Vision and Others, page 34
DefensePro Features, page 35
Related Documentation, page 36

Introducing DefensePro
Radware's award-winning DefensePro is a real-time Intrusion Prevention System (IPS) and DoS-
protection device, which maintains business continuity by protecting the application infrastructure
against existing and emerging network-based threats that cannot be detected by traditional IPSs,
such as network- and application-resource misuse, malware spreading, authentication defeat and
information theft.
DefensePro features full protection from traditional vulnerability-based attacks through proactive
signature updates, preventing already known attacks, including worms, trojans, bots, SSL-based
attacks, and VoIP attacks.
Unlike market alternatives that rely on static signatures, DefensePro provides unique behavioral-
based, automatically generated, real-time signatures, preventing attacks that are not vulnerability-
based and zero-minute attacks such as network and application floods, HTTP page floods, malware
propagation, Web application hacking, brute force attacks aiming to defeat authentication schemes,
and more, all without blocking legitimate users' traffic and with no need for human intervention.
With multiple-segment protection in a single unit, a pay-as-you-grow license-upgrade approach, and
ease of management through hands-off security features such as no-configuration and self-tuning,
DefensePro is the industry's leading IPS for best functionality, maximum affordability, and ease of
management.

DefensePro System Components


Radware DefensePro is an in-line Intrusion Prevention and Denial-of-Service protection system that
detects and prevents network threats in real-time. DefensePro inspects incoming and outgoing
traffic for potential attacks, clearing the network from unwanted malicious traffic. DefensePro also
manages bandwidth and establishes traffic shaping rules.


The DefensePro system contains the following components:


DefensePro device: The term device refers to the physical platform and the DefensePro product.
Management interface: APSolute Vision and others.
Radware Security Update Service on the Web.

Figure 19: DefensePro System Components

(Diagram; the components and the flows between them are as follows.)
- Security Update Service at www.radware.com: Weekly Updates, Emergency Updates, Custom Updates
- DefensePro Device: Traffic Scanning Against Attacks, Traffic Shaping
- APSolute Vision Management Station: Configuring, Monitoring, Reporting
- Signature Update: from the Security Update Service to the DefensePro device
- Configuration: from the APSolute Vision Management Station to the DefensePro device
- Logging security and device events: from the DefensePro device to the APSolute Vision Management Station
Radware Security Update Service on the Web


Radware's Security Update Service delivers immediate and ongoing signature updates, protecting
against the latest network and application security threats including worms, trojans, bots, and
application vulnerabilities, to safeguard your applications, network and users.
The Security Update Service consists of the following key service elements:
24/7 Security Operations Center (SOC) Scanning: Continuous threat monitoring, detection, risk
assessment and filter creation for threat mitigation.
Emergency Filters: Rapid-response filter releases for high-impact security events.
Weekly Updates: Scheduled periodic updates to the signature files, with automatic distribution
through Radware APSolute Vision, or on-demand download from
http://www.radware.com/content/support/securityzone/serviceinfo/default.asp.
Custom Filters: Custom filters for environment-specific threats and for new attacks reported to
the SOC.

For up-to-date security information, refer to the Radware Security Zone, available from the Radware
Web site:
http://www.radware.com/content/support/securityzone/serviceinfo/default.asp.


Typical Deployment
The following illustration shows an in-line installation of DefensePro IPS in an enterprise. In this
deployment, DefensePro is located at the gateway, protecting hosts, servers and network resources
against incoming network attacks. DefensePro also protects DMZ servers against attacks targeting
Web, e-mail, VoIP and other services. This Radware deployment is at the enterprise gateway, in
front of the DMZ servers, where DefensePro provides perimeter protection for the enterprise
servers, users, routers and firewalls.

Figure 20: Typical DefensePro Deployment


Network Connectivity
The following figure shows the typical network topology of DefensePro.

Figure 21: Typical Network Connectivity

Management Interfaces: APSolute Vision and Others


APSolute Vision is the main management interface for DefensePro.
Additional management interfaces for DefensePro devices include:
Web-Based Management (WBM)
Command-Line Interface (CLI)

You can perform most tasks using any of the management systems. However, for the most part, this
guide describes management tasks by means of APSolute Vision.
APSolute Vision is a graphical application that enables you to configure, modify, monitor, and
generate reports centrally for single or multiple DefensePro deployments.
You can connect a DefensePro device to management interfaces through network physical interfaces
or through serial ports. DefensePro supports the following port types:
Using the network connection: SNMP, HTTP, HTTPS, Telnet, SSH
Using the serial port connection: RS-232 up to 115 Kbit/s (default is 19,200 Kbit/s)


The following table lists the DefensePro physical interfaces and supporting management interfaces:

Table 1: DefensePro Interfaces

Protocol           APSolute Vision   Web Based Management   Command Line Interface
SNMPv1, SNMPv3     ✓                 -                      -
HTTP               -                 ✓                      -
Secure Web         -                 ✓                      -
Telnet             -                 -                      ✓
SSH                -                 -                      ✓
RS-232             -                 -                      ✓

Note: For more information, see Administering DefensePro, page 339.

DefensePro Features
This section provides a brief description of the main DefensePro features and includes the following
topics:
Security Protections, page 35
Bandwidth Management, page 36
Real-time Security Reporting for DefensePro, page 36
Historical Security Reporting: APSolute Vision Reporter, page 36

Security Protections
DefensePro's multi-layer security approach combines a set of features detecting and mitigating a
wide range of network attacks.
DefensePro supports the following types of security protections:
Network-wide protections: Protects against the following:
    Behavioral DoS: Protects against zero-day flood attacks, including SYN floods, TCP floods,
    UDP floods, ICMP and IGMP floods.
    Scanning and worm protection: Zero-day protection against self-propagating worms,
    horizontal and vertical TCP and UDP scanning, and ping sweeps.
    SYN protection: Protects against any type of SYN flood attack using advanced SYN cookies.
    A SYN flood attack is usually aimed at specific servers with the intention of consuming the
    server's resources. However, you configure SYN Protection as a Network Protection to allow
    easier protection of multiple network elements.
Server protections: Protects against the following:
    Connection limit: Protects against session-based attacks, such as half-open SYN attacks,
    request attacks and connection attacks.
    Server-cracking protection: Zero-day protection against application-vulnerability scanning,
    brute-force and dictionary attacks.
    HTTP mitigator: Mitigates zero-day HTTP page flood attacks.


Signature-based protections: Protects against known application vulnerabilities, and common
malware, such as worms, trojans, spyware, and DoS.
Out of State inspection: Ensures that transmission and application stateful rules are enforced
based on the protocol RFCs.
Access Control List: Provides stateful access control.

Bandwidth Management
Using DefensePro's Bandwidth Management module, you can define policies to restrict or maintain
the bandwidth that can be sent or received by each application, user, or segment.
You can configure Bandwidth Management policies to guarantee bandwidth for each critical
application or limit non-critical traffic such as P2P. You can also set rules to block or allow specific
traffic types.

Real-time Security Reporting for DefensePro


APSolute Vision provides real-time attack views and security service alarms for DefensePro devices.
When DefensePro detects an attack, the attack is reported as a security event. DefensePro's security
monitoring enables you to analyze real-time and historical attacks. When DefensePro detects an
attack, it automatically generates counter-measures that you can observe and analyze using various
monitoring tools.
DefensePro provides you with monitoring tools that show real-time network traffic and application-
behavior parameters. Security monitoring also provides statistical parameters that represent normal
behavior baselines, which are generated using advanced statistical algorithms.

Historical Security Reporting: APSolute Vision Reporter


APSolute Vision supports the APSolute Vision Reporter for DefensePro.
APSolute Vision Reporter is a historical security reporting engine, which provides the following:
Customizable dashboards, reports, and notifications
Advanced incident handling for security operating centers (SOCs) and network operating centers
(NOCs)
Standard security reports
In-depth forensics capabilities
Ticket workflow management

Related Documentation
See the following documents for information related to DefensePro:
DefensePro Release Notes and Maintenance Release Notes
Radware Installation and Maintenance Guide
APSolute Vision Documentation
APSolute Vision Reporter Documentation


DefensePro Release Notes and Maintenance Release Notes


See the DefensePro Release Notes and DefensePro Maintenance Release Notes for information about
the relevant DefensePro version.

Radware Installation and Maintenance Guide


See the Radware Installation and Maintenance Guide for the following:
Pre-installation procedures, which include:
Mounting the platform
Verifying accessibility of management ports
Connecting and installing DefensePro, which includes:
Information on DefensePro physical platforms
Connecting the Management port cable
Connecting the inspection ports cables
Installing APSolute Vision
Initializing DefensePro using APSolute Vision, which comprises the following:
Connecting DefensePro using APSolute Vision
Adding a DefensePro device

The Radware Installation and Maintenance Guide includes additional useful information on the
following:
Maintenance and software upgrade
Troubleshooting
Hardware upgrades
Specifications

APSolute Vision Documentation


APSolute Vision documentation includes the following:
APSolute Vision Administrator Guide: See this for information about:
    APSolute Vision features
    User management, for example, adding users and defining their permissions.
    Adding and removing DefensePro devices.
    Configuring sites, where a site is a physical or logical representation of a group of managed
    devices.
    Administration and maintenance tasks on managed devices, such as scheduling tasks,
    making backups, and so on.
    APSolute Vision CLI
APSolute Vision User Guide: See this for information about:
    APSolute Vision features
    APSolute Vision interface navigation
    Monitoring APSolute Vision, for example, version, server, database, device-configuration
    files, controlling APSolute Vision operations, backing up the APSolute Vision database
    Managing auditing and alerts
    Scheduling all APSolute Vision and device tasks
APSolute Vision online help: See this for information about monitoring managed devices


APSolute Vision Reporter Documentation


See the APSolute Vision Reporter online help and APSolute Vision Reporter User Guide for
information about APSolute Vision Reporter and how to use it.



Chapter 2 Getting Started
This chapter describes what to do before you configure DefensePro with security policies.
The Radware Installation and Maintenance Guide covers the information and procedures related to
the physical specifications and basic setup of APSolute Vision server and DefensePro platforms. Read
the relevant information and follow the instructions in the Radware Installation and Maintenance
Guide before you perform the other tasks covered in this chapter.
This chapter contains the following sections:
DefensePro Physical Ports, page 39
DefensePro Platforms and Models, page 39
APSolute Vision User Interface Overview, page 41
APSolute Vision Sites and DefensePro Devices, page 46
Configuring Inspection Ports, page 46
Updating the Attack Description File, page 50
Managing DefensePro Security Groups, page 50

DefensePro Physical Ports


DefensePro platforms are equipped with 8P8C (RJ-45) and fiber-optic ports for inspecting traffic. By
default, the RJ-45 traffic ports are configured in pairs, configured to operate in Process mode, and
they are displayed in the Static Forwarding table (see Configuring Inspection Ports, page 46). You
cannot delete the RJ-45 traffic ports from the Static Forwarding table. You must manually add fiber-
optic ports to the Static Forwarding table, and you can delete the fiber-optic ports from the table as
required. All DefensePro models support CLI commands for managing the status of physical ports.
For more information, see Managing the Status of Physical Ports, page 48.

DefensePro Platforms and Models


DefensePro platforms are equipped with 8P8C (RJ-45) and fiber-optic ports for inspecting traffic.
DefensePro models 506, 1006, and 2006 are based on the OnDemand Switch VL platform.
OnDemand Switch VL is 1U. The OnDemand Switch VL platforms are equipped with two (2) SFP
Gigabit Ethernet (GbE) ports, four (4) RJ-45 GbE ports for traffic and two (2) RJ-45 GbE ports for
out-of-band management. The RJ-45 GbE traffic ports include a configurable internal bypass
mechanism (see Internal Bypass for RJ-45 Ports, page 49).
DefensePro models 1016, 2016, and 3016 are based on the OnDemand Switch 2 S1 platform or
OnDemand Switch 2 S2 platform. OnDemand Switch 2 S1 is 1U. OnDemand Switch 2 S2 is 2U. The
OnDemand Switch 2 platforms are equipped with four (4) SFP Gigabit Ethernet (GbE) ports, twelve
(12) RJ-45 GbE ports for inspecting traffic, and two (2) RJ-45 10/100/1000 Ethernet ports for
management only. The twelve RJ-45 GbE traffic ports include a configurable internal bypass
mechanism (see Internal Bypass for RJ-45 Ports, page 49).
DefensePro x412 Behavioral Protections series (models 4412, 8412, and 12412) run on
OnDemand Switch 3 S1. DefensePro x412 IPS and Behavioral Protections series (model numbers
4412 and 8412) run on OnDemand Switch 3 S2 and are equipped with a String Matching Engine
(SME) card. The OnDemand Switch 3 S platforms are equipped with four (4) XFP 10-Gigabit
Ethernet (10GbE) ports, four (4) SFP GbE ports, and eight (8) RJ-45 GbE ports for inspecting traffic,
and two (2) RJ-45 10/100/1000 Ethernet ports for management only. The eight RJ-45 GbE traffic
ports include a configurable internal bypass mechanism (see Internal Bypass for RJ-45 Ports,
page 49).


Logging into APSolute Vision


To start working with APSolute Vision, you log into the APSolute Vision client.
After successfully logging in with a username and authenticated password, the APSolute Vision client
application opens. The APSolute Vision client connects to the specified APSolute Vision server. This
means that you always work online with APSolute Vision and its managed network elements.
Up to 10 users can access the APSolute Vision server simultaneously.
APSolute Vision supports role-based access control (RBAC) to manage user privileges. Your
credentials and privileges may be managed through a RADIUS Authentication server or through the
local APSolute Vision user database.
For RBAC users, after successful authentication of your username and password, your role is
determined together with the devices that you are authorized to manage. The assigned role remains
fixed throughout your user session, and you can access only the content panes, menus, and
operations that the role allows.
Depending on the configuration of the APSolute Vision server, you may be prompted to change your
user password when you log in for the first time.
If you enter the credentials incorrectly, you are prompted to re-enter the information. After a
globally defined number of consecutive failures, the APSolute Vision server locks you out of the
system. If you use local user credentials, a user administrator can release the lockout by resetting
the password to the global default password. If you use RADIUS credentials, you must contact the
RADIUS administrator.

To log into APSolute Vision as an existing user

1. Click the APSolute Vision Client program icon.


2. In the login dialog box, specify the following:
User Name: The name of the user.
Password: The password for the user. Depending on the configuration of the server, you
may be required to change your password immediately. Default: radware.
Vision Server: The name or IP address of the APSolute Vision server. This parameter is
displayed if you click Options. Otherwise, the login procedure tries to connect to the
APSolute Vision server that was specified previously.
Authentication: The method to authenticate the user: Local or RADIUS. That is, select
whether to use the credentials stored in the APSolute Vision server or the credentials
managed by the specified RADIUS Authentication server. This parameter is displayed if you
click Options. Otherwise, the login procedure tries to connect to the APSolute Vision server
using the authentication method that was specified previously.
3. Click OK.

Changing Password for Local Users


If your user credentials are managed through the local APSolute Vision Users table (not RADIUS),
you can change your user password at the login.


To change a password for a local user

1. Click the APSolute Vision Client program icon.


2. Click Options.
3. In the User Name drop-down list, enter your username.
4. Click Change Password.
5. In the dialog box, enter your username, old password, new password, and confirm the new
password.
6. Click OK. Your new password is saved and the APSolute Vision dialog box is displayed.

APSolute Vision User Interface Overview


The APSolute Vision interface follows a consistent hierarchical structure, organized functionally to
enable easy access to options. You start at a high functional level and drill down to a specific
module, function, or object.
Each high-level function, such as device configuration, monitoring, or viewing real-time reports, is
accessible from a separate perspective.
APSolute Vision supports the following perspectives:
Configuration Perspective, page 41
Monitoring Perspective, page 43
Security Monitoring Perspective, page 45
Asset Management Perspective, page 46

Note: You can configure which perspective is displayed by default when you start an APSolute
Vision client session.

Configuration Perspective
Use the Configuration perspective to configure Radware devices. Typically, you choose the device to
configure in the Configuration perspective system pane Organization tab. You can view and modify
device settings in the content pane tabs, which have their own navigation panes for easier
navigation through configuration tasks.
You can filter the sites and devices that APSolute Vision displays. The filter does not change the
contents of the tree, only how APSolute Vision displays the tree to you.
The Configuration perspective also includes the Properties pane, which displays information about
the currently selected device.


Figure 22: Configuration Perspective (DefensePro)

Callouts: System pane Organization tab (displays, according to your filter, the site tree, configured sites, and configured devices); button that opens the APSolute Vision Reporter; Configuration button (opens the Configuration perspective); navigation area for the tab; content area; Properties pane; Alerts pane (displays the Alerts tab and the Messages tab).
The Alerts tab displays APSolute Vision and device alerts.
The Messages tab is not relevant for DefensePro.


The following points apply to all configuration tasks in the Configuration perspective:
To configure a device, you must lock it. For more information, see the APSolute Vision
documentation.
When you change a field value, the field label is displayed in italics.
Mandatory fields are displayed in red. You must enter data, or select an option in these fields.
After setting a mandatory field, the field label changes to black.
By default, tables display up to 20 rows per table page. You can change the number of rows per
table up to a maximum of 100 rows.
You can perform one or more of the following operations on table entries:
Add a new entry to the table, and define its parameters.
Edit one or more parameters of an existing table entry.
Delete a table entry.
Device configuration information is saved only on the DefensePro device, not in the APSolute
Vision database. To commit information to the device, you must do the following:
Click OK when you modify settings in a configuration dialog box.
Click (Submit) when you modify settings in a configuration page.
Some configuration changes require an immediate device reboot. When you submit the
configuration change the device will reboot immediately.
Some configuration changes require a device reboot to take effect, but you can save the
change without an immediate reboot. When you submit a change without a reboot, the
Properties pane displays a Reboot Required notification until you reboot the device.
Click Update Policies to implement policy-configuration changes if necessary. Policy-configuration
changes for a device are saved on the DefensePro device, but the device does not apply the
changes until you perform a device configuration update.

Example: Device selection in the Configuration perspective


The following example shows the selections you would make to view or change configuration
parameters for a Radware device:
1. Open the Configuration perspective by clicking the Configuration button at the top of the window.
2. Select the required device in the system pane by drilling down through the sites and subsites.
3. Right-click the device name, and select Lock Device.
4. Select the required configuration tab in the content pane. Each tab displays a tab navigation
pane and configuration options.
5. Select an option in the navigation pane.
6. You can now view and change configuration parameters.

Monitoring Perspective
In the Monitoring perspective, you can monitor physical devices and interfaces, and logical objects,
such as farms and servers. The Monitoring perspective navigation pane contains two navigation
tabs. The System tab contains the physical devices and interfaces. The Properties pane displays
information about the currently selected device. The content pane for each type of entity contains
tabs in which you can view different types of information. Some tabs contain a navigation pane.


You can filter the sites and devices that APSolute Vision displays. The filter does not change the
contents of the tree, only how APSolute Vision displays the tree to you.

Figure 23: Monitoring Perspective (DefensePro)

Callouts: System pane (includes the Organization, Application Delivery, and Physical tabs; the Organization tab is relevant for DefensePro); Monitoring button (opens the Monitoring perspective); content area; navigation area for the tab; Properties pane; Alerts pane (displays the Alerts tab and the Messages tab).
The Alerts tab displays APSolute Vision and device alerts.
The Messages tab is not relevant for DefensePro.


Security Monitoring Perspective


The Security Monitoring perspective is displayed only for devices that support the relevant Security
module.
You can filter the sites and devices that APSolute Vision displays. The filter does not change the
contents of the tree, only how APSolute Vision displays the tree to you.
In the Security Monitoring perspective, you can access a collection of real-time security-monitoring
tools that provide visibility regarding current attacks that the DefensePro device has detected. The
Properties pane displays information about the currently selected device.
The Security Monitoring perspective includes the following tabs:
Security Dashboard: A graphical summary view of all current active attacks in the network
with color-coded attack-category identification, graphical threat-level indication, and instant
drill-down to attack details.
Current Attacks: A view of the current attacks in a tabular format with graphical notations of
attack categories, threat-level indication, drill-down to attack details, and easy access to the
protecting rules for immediate fine-tuning.
Traffic Monitoring: A real-time graph and table displaying network information, with the
attack traffic and legitimate traffic filtered according to specified traffic direction and protocol.
Geo Map: A graphical map view that displays threats by origin with hierarchical drill-down to IP
level.
Protection Monitoring: Real-time graphs and tables with statistics on rules, protections
according to specified traffic direction and protocol, along with learned traffic baselines.
HTTP Reports: Real-time graphs and tables with statistics on rules, protections according to
specified traffic direction and protocol, along with learned traffic baselines.

Figure 24: Security Monitoring Perspective, Showing the Security Dashboard


Asset Management Perspective


The Asset Management perspective is displayed only to users with the Administrator or User
Administrator role. A user with the User Administrator role can only view and configure local users.
For more information about roles and the Asset Management perspective, see the APSolute Vision
Administrator Guide.

APSolute Vision Sites


You can organize the Radware devices that APSolute Vision manages according to sites. APSolute
Vision displays the sites and managed devices in the system tab. Typically, a site is a group of
devices that share properties, such as location, services, or device type. You can nest sites; that is,
each site can contain subsites and devices.
In the context of role-based access control (RBAC), sites enable administrators to define the scope
of each user.
Sites also play a role in the context of vADCs and ADC-VXs. When you manage a vADC hosted by an
ADC-VX in the Physical tab, you specify the site under which that vADC is displayed in the
Organization tab.

APSolute Vision Sites and DefensePro Devices


A site in APSolute Vision is a physical or logical representation of a group of managed devices, such
as managed DefensePro devices. A site can be based on a geographical location, an administrative
function, device type, and so on. Each site can contain nested sites and devices.
Before you can configure a DefensePro device and security policies through APSolute Vision, the
DefensePro device must exist on and be connected to the APSolute Vision server. The sites and
DefensePro devices are displayed in the System tab.
Only users with the proper permissions can add sites and DefensePro devices to an APSolute Vision
server.
See the APSolute Vision Administrator Guide for information on the following topics:
APSolute Vision sites
Configuring sites
Adding and removing devices
Administration and maintenance tasks on managed devices, such as scheduling tasks, making
backups, and so on
Monitoring managed devices through APSolute Vision. For more information, see the APSolute
Vision online help

Configuring Inspection Ports


An inspection port is a port on a DefensePro device that you can configure to receive, inspect, and
transmit traffic.
This section contains the following:
Configuring Port Pairs
Managing the Status of Physical Ports
Internal Bypass for RJ-45 Ports


Configuring Port Pairs


You can configure ports on a DefensePro device to receive, inspect, and transmit traffic. The traffic
from the receiving port is always sent out of the device from its corresponding transmitting port. The
ports are paired; one port receives traffic while another transmits traffic.
You can set the operation mode of a port pair. When the port pair operates in Process mode, the
traffic is inspected for attacks and traffic sampling policies are applied. When the port pair operates
in Forward mode, the traffic is forwarded to the destination port without any inspection.

Note: DefensePro x06 models automatically create static-forwarding definitions on the
following port pairs when they are not assigned to packet trace or trunks: G-1 with G-2,
and G-3 with G-4.

To configure a pair of ports

1. In the Configuration perspective Networking tab navigation pane, select Port Pairs.
2. Do one of the following:

To add a pair of ports, click the (Add) button.


To edit a pair of ports, double-click the row.
3. Configure the parameters; and then, click OK.

Table 2: Port Pair Parameters

Port Pairs
Source Port: The user-defined source port for received traffic.
Destination Port: The user-defined destination port for transmitted traffic.
Operation: The operation mode assigned to a pair of ports.
Values:
Forward: The traffic is forwarded without any inspection.
Process: The traffic passes through the CPU and is inspected for attacks, bandwidth, and so on.
Failure Mode: Specifies whether the traffic passes through (bypasses) a pair of RJ-45 ports
when the platform is rebooting or is powered down (for example, if the device fails).
Values:
Fail-Close: Traffic does not pass through when the platform is powered down. When a pair of
ports enters fail-close state, traffic is blocked and the link appears to be down (no power), and
switches that are connected to the DefensePro device detect the link as being down.
Fail-Open: Traffic passes through (not processed by DefensePro) when the platform is powered
down.
When you configure Fail-Open for a port pair, you cannot:
Assign the ports into a link aggregation.
Configure either port as a copied destination port.
Configure the ports for SSL inspection.
Note: For more information, see Internal Bypass for RJ-45 Ports, page 49.
In Port: Specifies which port in the pair, the source or the destination port, is designated as the
inbound port. This setting is used in real-time reports for inbound and outbound traffic.

Advanced Parameters
In DefensePro x06 models, this group box and the Enable Interface Grouping checkbox are not
displayed. In x06 models, Interface Grouping is always enabled.
Enable Interface Grouping: Specifies whether the device groups the statuses of the port-pair
interfaces. When the option is enabled, if one port of a port pair is disconnected, DefensePro sets
the status of the paired port to disconnected also, so a remote device connected to the DefensePro
device perceives the same disconnected status.
Typically, the option is enabled when DefensePro is configured between switches that use link
redundancy. Interface grouping is the only way both switches always perceive the same DefensePro
interfaces status.
Default: Disabled

Managing the Status of Physical Ports


You can manage the status of physical ports using CLI.

To view the status of a physical port using CLI

Run the following command:


device enter-failure-state get <port>
where port is the identifier of the physical port.


To set the status of a physical port using CLI

Run the following command:


device enter-failure-state set <port> -fs <failure-state>
where port is the identifier of the physical port and the value for the failure-state flag can
be:
1 enable
2 disable

Example
device enter-failure-state set 2 -fs 1
sets the status of port 2 on the device to fail. The port will fail to the state that is defined in the
Static Forwarding table (for OnDemand Switch devices).

Internal Bypass for RJ-45 Ports


You can configure whether the traffic passes through (bypasses) a pair of RJ-45 ports when the
platform is rebooting or is powered down (for example, if the device fails). You can choose from two
failure modes: Fail-Close or Fail-Open.
With the Fail-Close option, traffic does not pass through when the platform is powered down. When
a pair of ports enters fail-close state, traffic is blocked and the link appears to be down (no power),
and switches connected to DefensePro detect the link as being down.
With the Fail-Open option, traffic passes through (not inspected by DefensePro) when the platform is
powered down.
When you configure a port pair to use the Fail-Open option, you cannot do the following:
Assign the ports into a link aggregation.
Use either of the ports for management purposes.
Configure either of the ports as a copied destination port.
Configure the ports for SSL inspection.

By default, all the interfaces that support configurable failure mode, except the last pair, are
configured with the Process option for Port Operation with the failure mode set to Fail-Open.
For network debugging or testing purposes, using CLI, you can manually force a pair of ports into
the failure state without turning the power off or rebooting the device.
In high availability, you can set the failure mode of a copper port on a primary device to fail-close.
Thus, when the primary device goes down, the data path has to change to the secondary device.
On the secondary device, you should consider the fail-open configuration to ensure that failure of
both DefensePro devices does not result in traffic loss.
For the procedure for configuring the failure mode, see Configuring Port Pairs, page 47.


DefensePro sends appropriate notifications at the following times:


When the configuration of a port pair changes from Fail-Close to Fail-Open.
With the Fail-Open option, when:
A port changes status from up to down.
A port changes status from down to up.

Updating the Attack Description File


The Attack Description file contains descriptions of all the different attacks. You can view a specific
description by entering the attack name. When you first configure APSolute Vision, you should
download the latest Attack Description file to the APSolute Vision server. The file is used for real-
time and historical reports to show attack descriptions for attacks coming from DefensePro devices.
The file versions on APSolute Vision and on the DefensePro devices should be identical; Radware
recommends updating the file at regular intervals on APSolute Vision and on the individual devices.
When you update the Attack Description file, APSolute Vision downloads the file directly from
Radware.com or from the enabled proxy file server.

To update the Attack Description file

1. Do one of the following:


In the Asset Management perspective system pane, select General Settings; and then, in
the content pane, select the Overview tab and click Update in the Attack Description group
box.
In the Asset Management perspective system pane, right-click General Settings; and then,
select Update Attack Description File.
2. Do one of the following:
To update the Attack Description file from Radware, select the Radware.com radio button.
To update the files from the APSolute Vision client host:
a. Select the Client radio button.
b. In the File Name text box, enter the file path of the Attack Description file or click
Browse to navigate to and select the file.
3. Click Send and OK.
4. The Alerts pane displays a success or failure notification and whether the operation was
performed using a proxy server.

Managing DefensePro Security Groups


APSolute Vision can manage Security Groups, which are groups of DefensePro devices that share
security-threat information. The configuration of a Security Group includes senders and receivers.
Senders send security-threat information detected by the Anti-Scanning and/or Server Cracking
modules to APSolute Vision. Receivers receive security-threat information from APSolute Vision as


Dynamic Black List rules. A device can be both a sender and a receiver in the same group. When a
sender detects an attack and sends the information to APSolute Vision, APSolute Vision configures
each receiver with a Dynamic Black List rule that corresponds to the detected threat information.

Note: For more information on black-list rules, see Configuring Black Lists, page 225.

DefensePro devices running version 6.05 and later can be senders and/or receivers. DefensePro
devices running versions prior to 6.05 can be senders only.
A receiver in a DefensePro Security Group cannot be a secondary device in a cluster.
Security Groups reduce false-negatives in various environments and enhance DefensePro's proactive
approach to security. Especially in asymmetrical network environments, there are cases where a
DefensePro device inspects only one direction of the traffic while other DefensePro devices inspect
the rest of the traffic. In such cases, without a Security Group to share information, when a
DefensePro device identifies a source as a threat and suspends it (blocks it), other DefensePro
devices can continue to forward traffic from the same source. In an extreme example of an
asymmetric (stateful) environment, a DefensePro device may identify a malicious source based on
server responses, though the DefensePro device cannot block the source because the source's
originating traffic passes through another DefensePro device. In such cases, with a Security Group to
share the information, all the receiver DefensePro devices can block the malicious traffic.

Caution: The Security Groups feature does not support redundant APSolute Vision servers.
Unexpected results may occur if more than one APSolute Vision server manages the
DefensePro devices that are members of a Security Group.

Note: APSolute Vision does not limit the number of Security Groups, the number of senders, or
the number of receivers. Radware has tested the feature with five Security Groups, each
with five senders and five receivers.

Security Group behavior:


1. The Anti-Scanning or Server Cracking module of a sender detects an attack. The configuration of
the Security Group includes the modules (Anti-Scanning and/or Server Cracking) that
participate in the group.
2. The sender notifies APSolute Vision using the regular security-event traps.
3. APSolute Vision configures each receiver with a Dynamic Black List rule.
The rule name is in the following format:
<SecurityGroupName> hhmm $$$$
where:
hhmm is the time (hour and minutes) that the Security Group configured the rule. This is the
time set in the APSolute Vision server (and not on the DefensePro receiver or sender).
$$$$ is a four-character hexadecimal hash of the event ID in the security-event trap.
The configuration of the black-list rule (in the receiver) exposes the Detector Module and the
Detector IP Address (in the Detector Security Module and Detector text boxes), which
identify the protection module (for example, Anti-Scanning) and the sender that detected the
attack.
APSolute Vision does not configure a sender with a black-list rule based on its own security
events. That is, if a DefensePro device is a sender and a receiver in a Security Group, when the
device sends a security-event trap to the Security Group, APSolute Vision does not configure
that same device with the corresponding black-list rule.


The configuration of the Security Group determines the blocking period and whether the rule
blocks all the traffic from the source or only a combination of the following:
Attacked address
Attacked port
Protocol

To configure a DefensePro Security Group

1. In the Asset Management perspective Networking tab navigation pane, select Security Groups.
2. Do one of the following:

To add an entry, click the (Add) button.


To edit an entry, double-click the row.
3. Configure the parameters; and then, click OK.

Table 3: Security Group Parameters

Enabled: Specifies whether the Security Group is enabled. This enables you to keep a Security
Group configuration even when it is not in use.
Default: Disabled
Group Name: The name of the Security Group.
Blocking Period: The time, in minutes, that the receivers block traffic. This is the value of the
Expiration Timer in the black-list rule with which APSolute Vision configures the receivers. The
Expiration Timer fields display the time remaining.
Values: 1 to 120
Note: For information on black lists, see Configuring Black List Rules, page 220.

Blocking Rule Parameters
The Security Group uses a Boolean AND operator to determine which packets to block. That is, the
more parameters enabled here, the more specific the blocked traffic.
Source: (Read-only, always enabled) Specifies that the receivers always block all the traffic from
the IP address of the source of the attack.
Destination IP Address: Specifies that the receivers block the IP address of the attacked machine.
Default: Disabled
Destination Port: Specifies that the receivers block the attacked port of the attacked machine.
Default: Disabled
Protocol: Specifies that the receivers block the protocol used in the attack.
Default: Disabled
Security Modules
Anti-Scanning: Specifies that the receivers block malicious traffic detected by the Anti-Scanning
module of the senders.
Default: Enabled
Server Cracking: Specifies that the receivers block malicious traffic detected by the Server
Cracking module of the senders.
Default: Enabled

Senders
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available DefensePro devices. The Selected Devices list displays the senders of the Security Group.
Receivers
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available DefensePro devices. The Selected Devices list displays the receivers of the Security
Group.

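The Security Group behavior and the blocking-rule parameters above, modelled as an added example (illustrative Python, not Radware code): it derives the Dynamic Black List rules APSolute Vision would configure on each receiver for one security-event trap, builds and parses the "<SecurityGroupName> hhmm $$$$" rule name, and applies the Boolean AND match. The hash behind $$$$ is not documented on this page, so a placeholder stands in for it; the device addresses and the event are constructed sample data.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple

ANTI_SCANNING = "Anti-Scanning"
SERVER_CRACKING = "Server Cracking"

# Receiver rule names have the form "<SecurityGroupName> hhmm $$$$".
RULE_NAME_RE = re.compile(r"^(?P<group>.+) (?P<hhmm>[0-2]\d[0-5]\d) (?P<hash>[0-9A-Fa-f]{4})$")


@dataclass(frozen=True)
class SecurityGroup:
    """Table 3 parameters. Device addresses are constructed placeholders."""
    name: str
    blocking_period_min: int        # Blocking Period, 1 to 120 minutes
    enabled: bool = False           # Default: Disabled
    block_dst_ip: bool = False      # Destination IP Address, Default: Disabled
    block_dst_port: bool = False    # Destination Port, Default: Disabled
    block_protocol: bool = False    # Protocol, Default: Disabled
    anti_scanning: bool = True      # Security Modules, Default: Enabled
    server_cracking: bool = True
    senders: FrozenSet[str] = frozenset()
    receivers: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if not 1 <= self.blocking_period_min <= 120:
            raise ValueError("Blocking Period must be 1 to 120 minutes")


@dataclass(frozen=True)
class SecurityEvent:
    """One security-event trap from a sender (constructed sample data)."""
    event_id: int
    detector_ip: str       # the sender that detected the attack
    detector_module: str   # ANTI_SCANNING or SERVER_CRACKING
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str


@dataclass(frozen=True)
class BlackListRule:
    """The Dynamic Black List rule as configured on one receiver."""
    name: str
    receiver: str
    detector_module: str            # exposed as Detector Security Module
    detector_ip: str                # exposed as Detector
    expires_at: datetime            # Expiration Timer = Blocking Period
    src_ip: str                     # Source is always blocked
    dst_ip: Optional[str] = None    # None means the parameter is not enabled
    dst_port: Optional[int] = None
    protocol: Optional[str] = None

    def matches(self, src_ip: str, dst_ip: str, dst_port: int, protocol: str) -> bool:
        """Boolean AND: every enabled parameter must match the packet."""
        return (self.src_ip == src_ip
                and (self.dst_ip is None or self.dst_ip == dst_ip)
                and (self.dst_port is None or self.dst_port == dst_port)
                and (self.protocol is None or self.protocol == protocol))


def event_hash(event_id: int) -> str:
    """Four hex characters derived from the event ID. The actual hash is not
    documented on the page, so this placeholder only reproduces the shape."""
    return f"{event_id & 0xFFFF:04X}"


def build_rule_name(group: SecurityGroup, event: SecurityEvent, server_time: datetime) -> str:
    # hhmm is taken from the APSolute Vision server clock, not from a device clock
    return f"{group.name} {server_time:%H%M} {event_hash(event.event_id)}"


def parse_rule_name(name: str) -> Optional[Tuple[str, str, str]]:
    """Split a rule name into (group, hhmm, hash); None if it is not a group rule."""
    m = RULE_NAME_RE.match(name)
    return (m["group"], m["hhmm"], m["hash"]) if m else None


def rules_for_event(group: SecurityGroup, event: SecurityEvent,
                    server_time: datetime) -> List[BlackListRule]:
    """Rules APSolute Vision would configure on the receivers for one trap."""
    participating = {ANTI_SCANNING: group.anti_scanning,
                     SERVER_CRACKING: group.server_cracking}
    if not (group.enabled and event.detector_ip in group.senders
            and participating.get(event.detector_module, False)):
        return []
    name = build_rule_name(group, event, server_time)
    rules = []
    for receiver in sorted(group.receivers):
        if receiver == event.detector_ip:
            continue  # a device is never configured with a rule for its own events
        rules.append(BlackListRule(
            name=name, receiver=receiver,
            detector_module=event.detector_module, detector_ip=event.detector_ip,
            expires_at=server_time + timedelta(minutes=group.blocking_period_min),
            src_ip=event.src_ip,
            dst_ip=event.dst_ip if group.block_dst_ip else None,
            dst_port=event.dst_port if group.block_dst_port else None,
            protocol=event.protocol if group.block_protocol else None))
    return rules
```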


Chapter 3 Basic Device Configuration
Users with the proper permissions can add DefensePro devices to the sites tree and configure them.
The following topics describe basic device-configuration tasks:
Locking and Unlocking a Device, page 55
DefensePro Device Setup, page 56
Advanced Parameters, page 80
Configuring SNMP, page 103
Configuring Device Users, page 110
Configuring Access Permissions on Physical Ports, page 112
Configuring Port Pinging, page 113

Locking and Unlocking a Device


When you have permissions to perform device configuration on a specific device, you must lock the
device before you can configure it. Locking the device ensures that other users cannot make
configuration changes at the same time. The device remains locked until you unlock the device, you
disconnect, the Device Lock Timeout elapses, or an Administrator unlocks it. Locking a device
does not apply to the same device that is configured on another APSolute Vision server, using WBM,
or using CLI.

Note: Only one APSolute Vision server should manage any one Radware device. For more
information, see the APSolute Vision Administrator Guide.

While the device is locked:

The device icon in the main navigation pane System tab includes a small lock symbol for
DefensePro.
Configuration panes are displayed in read-only mode to other users with configuration
permissions for the device.

If applicable, the (Commit) button is displayed.

If applicable, the (Add) button is displayed.

To lock a device

In the Configuration perspective main navigation pane System tab, right-click the device name,
and select Lock Device.

To unlock a device

In the Configuration perspective main navigation pane System tab, right-click the device name,
and select Unlock Device.


DefensePro Device Setup


You can configure the following setup parameters for a selected DefensePro device:
Configuring DefensePro Global Parameters, page 56
Configuring Date and Time Synchronization, page 57
Configuring Daylight Saving, page 58
Configuring Access Protocols, page 58
Configuring SNMP Supported Versions, page 60
Upgrading a License for a DefensePro Device, page 60
Configuring E-mail Settings, page 61
Configuring RADIUS Authentication for Device Management, page 62
Configuring Syslog Settings, page 64
Managing Certificates, page 66
Configuring High Availability, page 71
Configuring BOOTP, page 77
Configuring DNS Client Settings, page 78

Configuring DefensePro Global Parameters


You can view the following device information:
Basic device parameters
The time and date settings on the device
Device hardware and software versions

To view and configure DefensePro global parameters

1. In the Configuration perspective Setup tab navigation pane, select Global Parameters.

2. Configure location and contact information, if required; and then, click (Submit) to submit
the changes.

Table 4: DefensePro Global Parameters

Basic Parameters
Device Description: (Read-only) The description configured on the device.
Device Name: (Read-only) The device name configured in APSolute Vision.
Location: Enter the device location, if required.
Contact Information: Enter contact information, if required.
System Up Time: (Read-only) The length of time that the device has been up since the last
device reboot.

Date and Time
Device Time: (Read-only) The time setting on the device.
Device Date: (Read-only) The date setting on the device.

Version Information
Software Version: (Read-only) The version of the product software on the device.
Hardware Version: (Read-only) The version of the device hardware.

Configuring Date and Time Synchronization


DefensePro uses Network Time Protocol (NTP) to synchronize time and date. NTP enables device
synchronization by distributing an accurate clock across the network. At predefined intervals, a
device sends time query messages to the NTP Server. The server sends the date and time to the
device.
Enabling or disabling the NTP capability results in different levels of accuracy.

Note: When NTP is disabled, the time and date must be set manually for the device.

To configure DefensePro date and time synchronization

1. In the Configuration perspective Setup tab navigation pane, select Time Settings.

2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 5: NTP Parameters

Enable NTP: Enables or disables the NTP feature.
Default: Disabled
Note: The NTP Server Address must be configured to enable the NTP feature.
Server Name: The IP address of the NTP server.
L4 Port: The NTP server port.
Default: 123
Polling Interval: The interval, in seconds, between time query messages sent to the NTP server.
Default: 64
Time Zone: The time-zone offset from GMT (-12:00 to +12:00 hours).
Default: 00:00


Configuring Daylight Saving


DefensePro supports daylight savings time. You can configure the daylight savings time start and
end dates and times. During daylight savings time, the device automatically adds one hour to the
system clock. The device also indicates whether it is on standard time or daylight saving time.

Note: When the system clock is manually configured, the system time is changed only when
daylight saving time starts or ends. When daylight saving time is enabled during the
daylight saving time period, the device does not change the system time.

To configure DefensePro daylight saving

1. In the Configuration perspective Setup tab navigation pane, select Time Settings > Daylight
Saving.

2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 6: Daylight Saving Parameters

Enabled: Enables or disables daylight saving time.
Default: Disabled
Begins at: The start date and time for daylight saving time.
Ends at: The end date and time for daylight saving time.
Current Mode: Specifies whether the device is on standard time or daylight saving time.

Configuring Access Protocols


In addition to managing DefensePro devices using APSolute Vision, you can also use Web Based
Management (WBM) and Command Line Interface (CLI).
You can connect to DefensePro devices through the following:
WBM on the device through HTTP and HTTPS
CLI through Telnet and SSH
Web services

To configure access protocols for WBM and CLI

1. In the Configuration perspective Setup tab navigation pane, select Access Protocols.

2. Configure the parameters; and then, click (Submit) to submit the changes.


Table 7: Access Protocol Parameters

Parameter Description
Web Access
Enable Web Access Specifies whether to enable access to the Web server.
Default: Disabled
L4 Port The port to which WBM is assigned.
Default: 80
Web Help URL The location (path) of the Web help files.
Secured Web Access
Enable Secured Web Access Specifies whether to enable secured access to the Web server.
Default: disabled
L4 Port The port through which HTTPS gets requests.
Default: 443
Certificate The certificate file used by the secure Web server for encryption.
Telnet
Enable Telnet Specifies whether to enable Telnet access to the device.
Default: Disabled
L4 Port The TCP port used by the Telnet.
Default: 23
Session Timeout The period of time, in minutes, the device maintains a connection
during periods of inactivity. If the session is still inactive when the
predefined period ends, the session terminates.
Values: 1120
Default: 5
Note: To avoid affecting device performance, the timeout is
checked every 10 seconds. Therefore, the actual timeout
can be up to 10 seconds longer than the configured time.
Authentication Timeout The timeout, in seconds, required to complete the authentication
process.
Values: 1060
Default: 30
SSH
Enable SSH Specifies whether to enable SSH access to the device.
Default: Disabled
L4 Port The source port for the SSH server connection.
Default: 22

Document ID: RDWR-DP-V0607_UG1209 59


DefensePro User Guide
Basic Device Configuration

Table 7: Access Protocol Parameters

Parameter Description
Session Timeout The period of time, in minutes, the device maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates.
Values: 1-120
Default: 5
Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.
Authentication Timeout The timeout, in seconds, within which the authentication process must complete.
Values: 10-60
Default: 10
Web Services
Enable Web Services Specifies whether to enable access to Web services.
Default: Enabled
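After submitting the access-protocol settings, verify from the management workstation which services actually answer rather than trusting the checkboxes. The following script is an added example, not part of the Radware guide: it probes the Table 7 default ports on a management IP and reports deviations from a hardening policy (HTTP and Telnet closed, HTTPS and SSH open). The policy and the target address are assumptions; the local listener exists only so the check can be exercised offline.

```python
"""Verify which DefensePro management services answer on the management IP.
Added example, not Radware code. Ports are the Table 7 defaults; the policy
is an assumption (cleartext services closed, encrypted ones reachable).
Run with: python mgmt_check.py <management-ip>
"""
import socket
import sys
import threading
from contextlib import contextmanager

# Table 7 default L4 ports for each access protocol.
DEFAULT_PORTS = {"http": 80, "https": 443, "telnet": 23, "ssh": 22}

# Hardening policy (assumption): True = must be reachable, False = must be closed.
POLICY = {"http": False, "telnet": False, "https": True, "ssh": True}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit(host, ports=DEFAULT_PORTS, policy=POLICY, timeout=2.0):
    """Compare observed listeners with the policy; return a list of findings."""
    findings = []
    for name, port in ports.items():
        reachable = port_open(host, port, timeout)
        if reachable and not policy[name]:
            findings.append(f"{name} (tcp/{port}) reachable but should be disabled")
        elif not reachable and policy[name]:
            findings.append(f"{name} (tcp/{port}) not reachable but should be enabled")
    return findings


def unused_port():
    """Pick a TCP port on loopback that nothing is listening on (bind to 0, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


@contextmanager
def local_listener():
    """Throwaway TCP listener on 127.0.0.1, used to exercise the check offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        yield port
    finally:
        stop.set()
        worker.join()
        srv.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for finding in audit(target) or ["no findings: management plane matches policy"]:
        print(finding)
```

A connect-level probe is enough here because the point is whether the listener exists at all; it does not check which TLS versions or SSH ciphers the device offers.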

Configuring SNMP Supported Versions

APSolute Vision connects to DefensePro devices using SNMP. For information about SNMP, and configuring SNMP for the DefensePro devices, see Configuring SNMP, page 103.
SNMPv1 and SNMPv2c authenticate with community strings that travel in cleartext. Prefer SNMPv3 with authentication and privacy, and clear the older versions once APSolute Vision and any other managers are using SNMPv3.

To configure SNMP supported versions

1. In the Configuration perspective Setup tab navigation pane, select SNMP Versions.

2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 8: SNMP Supported Version Parameters

Parameter Description
Supported SNMP Versions The SNMP versions that the SNMP agent supports as currently running.
Supported SNMP Versions after Reset The SNMP versions that the SNMP agent supports after the device is reset. Select the versions to support and clear the versions that are not supported.

Upgrading a License for a DefensePro Device


You can upgrade the capabilities of a DefensePro device using the licensing procedure.
The license provided to you is a one-time license. To change licenses, you must use a new license key, after which the old license key cannot be reused.


Each license is based on the device's MAC address and on a license ID that changes every time a new license is used. To obtain a license upgrade or downgrade, you must include the MAC address and the current license ID of the device when you order the required license part number. This information is displayed in the License Upgrade window.
You will receive the new license string by e-mail. After you enter the new license information in the License Upgrade pane, the old license cannot be reused.

To upgrade a license after receiving new license keys

1. In the Configuration perspective Setup tab navigation pane, select License Upgrade.

2. Configure license upgrade parameters for the new license keys; and then, click (Submit) to
submit the changes.

Table 9: DefensePro License Upgrade Parameters

Parameter Description
Basic Information
Base MAC Address The MAC address of the first port on the device. This is the MAC
address on which the license is based.

License Upgrade
License ID Reports the device software license ID and must be provided to
Radware when requesting a new license.
New License Key The device software license allows you to activate advanced software
functionality.
Throughput License ID Manages the device throughput license ID and must be provided to
Radware when requesting a new throughput license.
Throughput License Key Manages the device throughput level license.

Configuring E-mail Settings


You can configure the device to send information messages via e-mail to device users. This feature
can be used for sending trap information via e-mail. When you configure device users, you can
specify whether an individual user should receive notifications via e-mail and the minimal event
severity reported via SNMP traps and e-mail. The user will receive traps of the configured severity
and higher.
The e-mail configuration applies both for SNMP traps and for SMTP e-mail notifications. SMTP
notifications are enabled globally for the device.

Note: The device optimizes the mailing process by gathering security and system events,
which it sends in a single notification message when the buffer is full, or when a timeout
of 60 seconds expires.


To configure DefensePro e-mail settings

1. In the Configuration perspective Setup tab navigation pane, select Email Settings.

2. Configure the parameters; and then, click (Submit) to submit the changes.

Note: To configure users to receive e-mails about errors, in the User Table, set the e-mail
address and notification severity level for each user. For information about configuring
users, see Configuring Device Users, page 167.

Table 10: DefensePro E-mail Parameters

Parameter Description
Basic SMTP Parameters
Enable Email Client Specifies whether the e-mail client is enabled, which supports features that are related to sending e-mail messages.
Default: Disabled
Enable Sending Email upon Errors Specifies whether the device sends notifications via e-mail.
Default: Disabled
SMTP Server Parameters
Primary Server Address The IP address of the SMTP server.
Alternate Server Address The IP address of an alternative SMTP server. The alternate SMTP server is used when an SMTP connection cannot be established with the main SMTP server, or when the main SMTP server closes the connection. The device keeps trying to reconnect to the main SMTP server and resumes using it when it becomes available.
SMTP Client Parameters
Email Address The mail address that appears in the Sender field of e-mail messages generated by the device, for example device1@domain.com.

Configuring RADIUS Authentication for Device Management


DefensePro provides additional security by authenticating the users who access a device for management purposes. With RADIUS authentication, you can use RADIUS servers to determine whether a user is allowed to access device management using CLI, Telnet, SSH or Web Based Management. You can also select whether to fall back to the device User Table when the RADIUS servers are not available.

Note: The DefensePro device must be able to reach the RADIUS server, and the RADIUS server must be configured to accept requests from the device (that is, the device must be defined there as a RADIUS client with the same shared secret).


To configure RADIUS authentication for device management

1. In the Configuration perspective Setup tab navigation pane, select RADIUS Authentication.
2. Configure RADIUS authentication parameters for the managed Radware device, and then,

click (Submit) to submit the changes.

Table 11: RADIUS Authentication Parameters

Parameter Description
Main
Server IP Address The IP address of the primary RADIUS server.
L4 Port The authentication port number of the primary RADIUS server.
Values: 1645, 1812
Default: 1645
Note: 1812 is the port registered for RADIUS authentication (RFC 2865); 1645 is the legacy port that older servers still use. Configure whichever port the server actually listens on.
Secret The shared secret for the primary RADIUS server. It must match the secret configured on the server for this client; RADIUS uses it to obfuscate the password in the request and to authenticate the server's reply.
Verify Secret When defining the secret, reenter it for verification.
Backup
Server IP Address The IP address of the backup RADIUS server.
L4 Port The authentication port number of the backup RADIUS server.
Values: 1645, 1812
Default: 1645
Secret The shared secret for the backup RADIUS server. It must match the secret configured on that server for this client.
Verify Secret When defining the secret, reenter it for verification.
Basic Parameters
Timeout The time, in seconds, that the device waits for a reply from the
RADIUS server before a retry, or, if the Retries value is exceeded,
before the device acknowledges that the server is offline.
Default: 1
Retries The number of connection retries to the RADIUS server, after the
RADIUS server does not respond to the first connection attempt.
After the specified number of Retries, if all connection attempts
have failed (Timeout), the backup RADIUS server is used.
Default: 2
Client Lifetime The time, in seconds, for the client authentication. After the client
lifetime expires, the device re-authenticates the user.
Default: 30
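The shared secret in Table 11 is worth understanding concretely, because it is the only thing standing between the RADIUS path and an attacker on the management network. The following is an added example, not Radware code: it implements the RFC 2865 Access-Request and Access-Accept exchange in pure Python, with the client side hiding the password under the secret and checking the Response Authenticator, and a toy server side decrypting and replying. The user name, password, NAS address and secret are constructed sample values.

```python
"""RFC 2865 Access-Request / Access-Accept exchange, showing what the RADIUS
Secret protects. Added example, not Radware code; all sample values are
constructed. Only User-Password is obfuscated; other attributes are cleartext,
which is why the RADIUS path belongs on a trusted management segment.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous block),
    where the 'previous block' of the first block is the Request Authenticator."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(secret, req_auth, hidden):
    """Inverse of hide_password (what the server does)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(secret, ident, user, password, nas_ip, req_auth=None):
    """Client side: build the request; return it with the Request Authenticator kept for verify_reply."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(secret, req_auth, password))
             + attr(NAS_IP_ADDRESS, bytes(int(x) for x in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def parse_attrs(payload):
    attrs, i = {}, 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def server_reply(secret, request, users):
    """Toy server: decrypt the password, check it, sign the reply (RFC 2865 section 3)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = reveal_password(secret, req_auth, attrs[USER_PASSWORD])
    reply_code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)   # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_reply(secret, reply, req_auth):
    """Client side: trust the verdict only if the Response Authenticator matches our secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return reply[4:20] == expected, code
```

The Retries and Timeout parameters in Table 11 sit above this exchange: a request that gets no verifiable reply is resent, and after the retry budget the backup server is tried with the same packet format.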


Configuring Syslog Settings


Event traps can be mirrored to up to five syslog servers. For each DefensePro device, you can
configure the appropriate information. Any traps generated by the device will be mirrored to the
specified syslog servers.
You can also use additional notification settings, such as Facility and Severity. Facility specifies the
type of device of the sender. Severity specifies the importance or impact of the reported event. The
user-defined Facility value is used when the device sends syslog messages; the Severity value is
determined dynamically by the device for each message that is sent.

Note: Instead of configuring each individual device, Radware recommends configuring the
APSolute Vision server to convey the syslog messages from all devices. For more
information about configuring syslog reporting on the APSolute Vision server, see the
APSolute Vision Administrator Guide.

To configure syslog

1. In the Configuration perspective Setup tab, select Syslog.

2. Do one of the following:
To enable the syslog feature, select the Enable Syslog checkbox.
To disable the syslog feature, clear the Enable Syslog checkbox.
Default: Enabled

3. Do one of the following:
To add an entry, click the (Add) button.
To modify an entry, double-click the entry in the table.

4. Configure the parameters; and then, click (Submit) to submit the changes.

Table 12: Syslog Parameters

Parameter Description
Enable Syslog Server Specifies whether the syslog server is enabled.
Default: Enabled
Server Address The IP address or hostname of the device running the syslog service
(syslogd).
Source Port The UDP or TCP source port from which the device sends syslog messages.
Default: 514
Note: Port 0 specifies an ephemeral (randomly chosen) source port.
Destination Port The port on which the syslog server listens.
Default: 514

Facility The type of device of the sender. This is sent with each syslog message (encoded in the PRI field together with the severity).
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values: Authorization Messages, Clock Daemon, Clock Daemon2, FTP Daemon, Kernel Messages, Line Printer Subsystem, Local 0, Local 1, Local 2, Local 3, Local 4, Local 5, Local 6, Local 7, Log Alert, Log Audit, Mail System, Network News Subsystem, NTP Daemon, Syslogd Messages, System Daemons, User Level Messages, UUCP
Default: Local Use 6
Protocol The protocol that the device uses to send syslog messages.
Values:
UDP: The device sends syslog messages using UDP, that is, with no verification of message delivery.
TCP: The device sends syslog messages using TCP, that is, the device verifies message delivery. The device holds undelivered messages in a backlog and sends them as soon as the connection to the syslog server is re-established. If the backlog is full (100 messages, non-configurable), the device replaces lower-priority messages with higher-priority messages; queued messages are otherwise sent in arrival order (FIFO).
TLS: The device sends syslog messages using TCP with Transport Layer Security (TLS) and validates the server against the CA certificate specified in the CA Certificate Name field. Delivery verification and the backlog behave as for TCP.
Default: UDP
Note: UDP and plain TCP carry messages in cleartext with no authentication of either end, so anyone on the path can read or inject events. Use TLS when the syslog servers are not on a trusted management segment. Report notification of lost syslog messages to your network administrator.

CA Certificate Name The name of the CA certificate in the Certificate Table that the device uses to validate the syslog server when TLS is selected in the Protocol field.
To configure a new CA certificate, from the drop-down list, select New.
To view the existing certificates, click the browse button; then, to edit a certificate in the dialog box, double-click it.
For information on configuring certificates, see Managing Certificates, page 66.
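To see how the Facility setting and the per-message severity reach the collector, and what the 100-message backlog rule means in practice, the following added example (not Radware code) encodes and decodes the syslog PRI field and models a bounded backlog that displaces lower-priority entries. The facility numbers are the RFC 3164/5424 values; the eviction rule follows the guide's description, and the exact tie-breaking between equal-priority messages is an assumption.

```python
"""Syslog PRI encoding and a bounded backlog for TCP/TLS transport.
Added example, not Radware code. Facility/severity codes are the standard
RFC 3164/5424 values; the backlog mirrors the guide's description (100
entries, lower-priority messages displaced by higher-priority ones), and
dropping the oldest of the least urgent entries is an assumption.
"""
import re

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "clock": 9, "authpriv": 10, "ftp": 11,
            "ntp": 12, "audit": 13, "alert": 14, "clock2": 15,
            **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
PRI_RE = re.compile(r"^<(\d{1,3})>")


def pri(facility, severity):
    """PRI = facility * 8 + severity; the guide's default Local Use 6 is facility 22."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def format_message(facility, severity, timestamp, host, msg):
    """RFC 3164 style line: <PRI>TIMESTAMP HOST MSG."""
    return f"<{pri(facility, severity)}>{timestamp} {host} {msg}"


def parse_pri(line):
    """Recover (facility name, severity name) from a received line; None if malformed."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:      # 23 * 8 + 7 is the largest legal PRI
        return None
    fac, sev = divmod(int(m.group(1)), 8)
    fac_name = next(k for k, v in FACILITY.items() if v == fac)
    sev_name = next(k for k, v in SEVERITY.items() if v == sev)
    return fac_name, sev_name


class Backlog:
    """Messages kept while the TCP/TLS collector is unreachable."""

    def __init__(self, capacity=100):
        self.capacity = capacity
        self.items = []      # (severity number, arrival seq, line); lower number = more urgent
        self.dropped = 0
        self.seq = 0

    def push(self, line):
        """Queue a line; when full, displace the oldest least-urgent entry if this one is more urgent."""
        m = PRI_RE.match(line)
        sev = int(m.group(1)) % 8 if m else SEVERITY["debug"]
        self.seq += 1
        if len(self.items) < self.capacity:
            self.items.append((sev, self.seq, line))
            return True
        worst = max(self.items, key=lambda t: (t[0], -t[1]))
        self.dropped += 1
        if sev < worst[0]:
            self.items.remove(worst)
            self.items.append((sev, self.seq, line))
            return True
        return False                      # incoming message is the one lost

    def drain(self):
        """Deliver queued lines in arrival order (FIFO) once the connection is back."""
        lines = [line for _, _, line in sorted(self.items, key=lambda t: t[1])]
        self.items.clear()
        return lines
```

On the collector, `parse_pri` is what a rule "split messages by facility" actually keys on, so every DefensePro that should be routed separately needs its own Facility value.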

Managing Certificates
This section describes certificates for AppDirector and DefensePro, and how to manage the certificates using APSolute Vision.

Certificates
A certificate is a digitally signed statement that binds an identity (a server, a device, or a user) to a public key. The digital certificate represents the certification of an individual, business or organizational public key, but can also be used to show the privileges and roles for which the holder has been certified. It can also include information from a third party verifying identity. Authentication is needed to ensure that the parties in a communication or transaction are who they claim to be.
A basic certificate includes the following:
The certificate holder's identity
The certificate's serial number
The certificate expiry date
A copy of the certificate holder's public key
The identity of the Certificate Authority (CA) and its digital signature, which affirms that the certificate was issued by that CA

Keys
A key is a secret or public value that a cryptographic algorithm uses to encrypt, decrypt, sign or verify data. Usually a pair of public and private keys is used. The private key is kept secret and used only by its owner, to decrypt data sent to it and to sign data (for example, in the TLS handshake of an HTTPS session). The public key has wide distribution and is not secret; others use it to encrypt data for the owner and to verify the owner's signatures.
The use of keys ensures that unauthorized personnel cannot decipher the data. Stolen or copied data is incomprehensible without the appropriate key, and a signature cannot be forged without the private key. DefensePro supports the following key sizes: 512, 1024, or 2048 bits.
Note: 512-bit keys can be factored with modest resources and 1024-bit keys are no longer considered adequate; generate 2048-bit keys for the WBM certificate.

Self-Signed Certificates
Self-signed certificates do not include third-party verification. When you use secure WBM, that is, an HTTPS session, the DefensePro device uses a certificate for identification. By default, the device has self-signed Radware SSL certificates. You can also specify your own self-signed SSL certificates.
Because a browser cannot verify a self-signed certificate against a trusted CA, confirm its fingerprint out of band the first time you connect, and install it in the management workstation's trust store rather than clicking through the warning on every session.


Modifying Certificate Information for a Selected Device

To view and modify certificate information for a selected device

In the Configuration perspective Setup tab navigation pane, select Certificates.
The Certificates table displays information for each certificate stored on the device. From here, you can add, edit, and delete certificates. You can also import and export certificates, and show certificate text.

Configuring Certificates
You can create or modify a self-signed certificate for secured access to Web Based Management (WBM).
You can also create certificate signing requests and keys for new certificates.

To create or modify a certificate or key

1. In the Configuration perspective Setup tab navigation pane, select Certificates.

2. Do one of the following:
To add a certificate, click the (Add) button.
To edit a certificate, double-click the certificate name.

3. Configure certificate parameters and click OK.

Table 13: Certificate Parameters

Parameter Description
Name The name of the Key or Certificate.
Type The type of entry.
Values:
Certificate
Certificate of Client CA [1]
Certificate Signing Request
Intermediate CA Certificate [1]
Key: When you select Key, only the Key Size and Passphrase fields are available.
Default: Key
Key Size The key size, in bits (the user interface labels these values "Bytes").
Larger key sizes offer an increased level of security. Radware recommends that certificates have a key size of 1024 or more; 2048 bits is the smallest size generally accepted by current browsers and CAs. Using a key of this size makes it extremely difficult to forge a digital signature or decode an encrypted message.
Values: 512, 1024, 2048
Default: 1024

Common Name The domain name of the organization (for example, www.radware.com) or IP address. Browsers match this value against the host name used to reach WBM, so use the name or address that administrators actually type.
Organization The name of the organization.
Email Address Any e-mail address that you want to include within the certificate.
Key Passphrase The Key Passphrase encrypts the key in storage and is required to export the key. Since private keys are the most sensitive parts of PKI data, they must be protected by a passphrase. The passphrase should be at least four characters; Radware recommends a stronger passphrase than that, mixing letters, numbers and symbols.
Verify Key Passphrase After you define the key passphrase, re-enter it for verification.
Locality The name of the city.
State / Province The state or province.
Organization Unit The department or unit within the organization.
Country Name The organization country.
Certificate Expiration The duration, in days, that a certificate remains valid.
Values: 1-365
Default: 365

[1] If you select this option when it is not allowed (according to the type of certificate you are using), the device alerts you with an error message.

Configuring Default Certificate Attributes


Use certificate defaults to define your organization's default parameters to be used when creating signing requests or self-signed certificates.
To configure default attributes, the connection between the APSolute Vision server and the relevant device must use SNMPv3.

To configure the default certificate attributes

1. In the Configuration perspective Setup tab navigation pane, select Certificates > Default
Attributes.

2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 14: Default Certificate Parameters

Parameter Description
Common Name The domain name of the organization. For example, www.radware.com.
Locality The name of the city.
State / Province The state or province.
Organization The name of the organization.
Organization Unit The department or unit within the organization.

Country Name The organization country.
Email Address Any e-mail address to include in the certificate.

Importing Certificates
You can import keys and certificates from another machine, and import a certificate to an existing
Signing Request to complete its process.
Keys and certificates are imported in PEM format. If you have separate PEM files for Key and for
certificate, you must import them consecutively with the same entry name.

To import a certificate or key

1. In the Configuration perspective Setup tab navigation pane, select Certificates.


2. Click the Import button below the table.
3. Configure the parameters; and then, click OK to submit the changes.

Table 15: Import Certificate Parameters in DefensePro

Parameter Description
Entry Name A new entry name to create by import, or an existing entry name to overwrite or complete a Key or CSR.
Entry Type Values:
Key: Imports a key from backup or exported from another system. To complete the configuration, you will need to import a certificate into this key.
Certificate: Imports a certificate from backup or exported from another machine. The certificate must be imported onto a matching key or signing request.
Certificate of Client CA: Imports a Client CA certificate.
Default: Key
Note: In Web Based Management, DefensePro supports the following three additional options: Intermediate CA Certificate, Certificate and Key, SSH Public Key.
Passphrase (available only when the Entry Type is Key) The passphrase that protects the imported private key. Since private keys are the most sensitive parts of PKI data, they must be protected by a passphrase. The passphrase should be at least four characters, and Radware recommends a stronger passphrase than that, mixing letters, numbers, and symbols.
Verify Passphrase (available only when the Entry Type is Key) Re-enter the passphrase for verification.
File Name The certificate file to import.
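Before importing, it pays to inspect the PEM material and decide the order of operations from Table 15 (key first, then the certificate, both under the same entry name). The following is an added example, not Radware code: a pure-Python PEM inspector that splits a file into blocks, maps each PEM label to an import Entry Type, flags encrypted keys (which need the Passphrase field) and sanity-checks that each payload is one complete DER SEQUENCE, which catches truncated files. The sample PEM is constructed: its payload is a dummy DER SEQUENCE, not a real key or certificate. A Client CA or intermediate CA certificate carries the same CERTIFICATE label as a server certificate, so the inspector cannot tell those apart; choosing that Entry Type remains a manual decision.

```python
"""Pre-import inspection of PEM files against the Table 15 Entry Type rules.
Added example, not Radware code. SAMPLE_PEM is constructed test data; its
base64 payload is the DER SEQUENCE { INTEGER 0 }, not a real key or cert.
"""
import base64
import re

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# PEM label -> import Entry Type. CSRs are generated on the device and only
# completed by importing the signed certificate, so a CSR file is not importable.
ENTRY_TYPE = {
    "RSA PRIVATE KEY": "Key", "PRIVATE KEY": "Key", "ENCRYPTED PRIVATE KEY": "Key",
    "CERTIFICATE": "Certificate",
}
ORDER = ["Key", "Certificate"]   # a certificate lands on an existing key, so the key goes first

SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0011223344556677

MAMCAQA=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MAMCAQA=
-----END CERTIFICATE-----
"""


def der_ok(data):
    """True if data is exactly one DER SEQUENCE whose declared length matches its size."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short form length
        length, hdr = first, 2
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return hdr + length == len(data)


def inspect_pem(text):
    """One record per PEM block: label, Entry Type, encrypted flag, payload sanity."""
    records = []
    for m in BLOCK_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        parts = body.split("\n\n", 1)
        headers, b64 = (parts[0], parts[1]) if len(parts) == 2 and "Proc-Type:" in parts[0] else ("", body)
        legacy_encrypted = "4,ENCRYPTED" in headers
        try:
            raw = base64.b64decode("".join(b64.split()), validate=True)
            # A legacy-encrypted payload is ciphertext, so only its base64 can be checked.
            payload_ok = True if legacy_encrypted else der_ok(raw)
        except ValueError:
            payload_ok = False
        records.append({
            "label": label,
            "entry_type": ENTRY_TYPE.get(label, "unsupported"),
            "encrypted": legacy_encrypted or label == "ENCRYPTED PRIVATE KEY",
            "payload_ok": payload_ok,
        })
    return records


def import_plan(text, entry_name):
    """Import steps (entry name, Entry Type, passphrase note) for one entry, plus a status note."""
    recs = inspect_pem(text)
    if not recs:
        return [], "no PEM blocks found"
    bad = [r["label"] for r in recs if not r["payload_ok"] or r["entry_type"] == "unsupported"]
    if bad:
        return [], "rejected blocks: " + ", ".join(bad)
    types = {r["entry_type"] for r in recs}
    note = "ok" if "Key" in types else "certificate only: entry must already hold a matching Key or CSR"
    steps = [(entry_name, r["entry_type"], "passphrase required" if r["encrypted"] else "")
             for r in sorted(recs, key=lambda r: ORDER.index(r["entry_type"]))]
    return steps, note


if __name__ == "__main__":
    for step in import_plan(SAMPLE_PEM, "wbm-cert")[0]:
        print(step)
```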


Exporting Certificates
Key, certificate and signing request export is used for backup purposes, for moving existing configurations to another system, or for completing a Signing Request process. You can export certificates from a device by copying and pasting the text or by downloading a file. Keys and certificates are exported in PEM format.

Note: The default Radware key is created at system startup without a passphrase, so it can be exported without one. Treat exported private keys as credentials: anyone holding the key can impersonate the device's WBM server.

To export a certificate or key

1. In the Configuration perspective Setup tab navigation pane, select Certificates.


2. Click the Export button below the table.
3. Configure the parameters; and then, click OK to submit the changes.

Table 16: Export Certificate Parameters

Parameter Description
Entry Name Select the name of the entry to export. By default, the name of the
selected certificate in the Certificates table is displayed.
Entry Type According to the selected entry name, you can export Certificate,
Certificate Chain, Client CA Certificate, Key, or Certificate Signing Request.
Passphrase Required when exporting Keys. Use the passphrase entered when the key
was created or imported. You must enter the key passphrase to validate
that you are authorized to export the key.

Showing Certificate Content

You can display the content of keys, certificates, or signing requests listed in the Certificates table. The content is displayed as PEM-encoded (base64) text for copy-paste purposes, for example sending a signing request to a certificate authority. Displaying a key requires its passphrase.

To display certificate content

1. In the Configuration perspective Setup tab navigation pane, select Certificates.


2. Click the Show button below the table.
3. Select the entry name to show. By default, the name of the selected certificate in the
Certificates table is displayed.
4. Select the entry type, and password for the key, if required.
5. Click Show to display the content in the Certificate field.


Configuring High Availability

This section contains the following topics:
High Availability in DefensePro: Overview, page 71
Monitoring DefensePro Cluster in the System Tab, page 73
Configuring the Settings for a DefensePro High-Availability Cluster, page 74
Switching the Device States, page 76

High Availability in DefensePro: Overview
To support high availability (HA), you can configure two compatible DefensePro devices to operate in a two-node cluster.
To be compatible, both cluster members must be of the same platform, software version, software license, throughput license, and Radware signature file.
One member of the cluster is the primary; the other member of the cluster is the secondary.
A receiver in a DefensePro Security Group cannot be a secondary device in a cluster.
When you configure a cluster and submit the configuration, the newly designated primary device configures the required parameters on the designated secondary device.
You can configure a DefensePro high-availability cluster in the following ways:
To configure the primary device of the cluster, the failover parameters, and the advanced parameters, use the High Availability pane (Configuration perspective, Setup > High Availability). When you specify the primary device, you specify the peer device, which becomes the secondary member of the cluster.
To configure only the basic parameters of a cluster (Cluster Name, Primary Device, and Associated Management Ports), use the Configuration perspective system pane.

The members of a cluster work in an active-passive architecture.

When a cluster is created:
The primary device becomes the active member.
The secondary device becomes the passive member.
The primary device transfers the relevant configuration objects to the secondary device.

A secondary device maintains its own configuration for the device users, IP interfaces, routing, and the port-pair Failure Mode.
A primary device immediately transfers each relevant change to its secondary device. For example, after you make a change to a Network Protection policy, the primary device immediately transfers the change to the secondary device. However, if you change the list of device users on the primary device, the primary device transfers nothing (because the secondary device maintains its own list of device users). Keep the two user lists in step yourself, or authenticate both devices against RADIUS, so that the accounts that work on the active member also work after a switchover.
The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections.
The following situations trigger the active device and the passive device to switch states (active to passive and passive to active):
The passive device does not detect the active device within the specified Heartbeat Timeout.
All links are identified as down on the active device for the specified Link Down Timeout.
Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the specified Idle Line Timeout.
You issue the Switch Over command. (To switch the device states, in the Monitoring perspective system pane, right-click the cluster node; and then select Switch Over.)


You cannot perform many actions on a secondary device.

You can perform only the following actions on a secondary device:
Switch the device state (that is, switch over active to passive and passive to active)
Break the cluster if the primary device is unavailable
Configure management IP addresses and routing
Configure the port-pair Failure Mode
Manage device users
Download a device configuration
Upload a signature file
Download the device log file
Download the support log file
Reboot
Shut down
Change the device name
Change the device time
Initiate a baseline synchronization if the device is passive, using CLI or Web Based Management

Notes
>> Before you can configure a cluster, the devices must be locked.
>> By design, an active device does not fail over during a user-initiated reboot. Before you reboot an active device, manually switch over to the other device in the cluster.
>> You can initiate a baseline synchronization if a cluster member is passive, using CLI or Web Based Management.
>> When you upgrade the device software, you need to break the cluster (that is, ungroup the two devices). Then, you can upgrade the software and reconfigure the cluster as you require.
>> In an existing cluster, you cannot change the role of a device (primary to secondary or vice versa). To change the role of a device, you need to break the cluster (that is, ungroup the two devices), and then reconfigure the cluster as you require.
>> If the devices of a cluster belong to different sites, APSolute Vision creates the cluster node under the site where the primary device resides, and removes the secondary device from the site where it was configured.
>> APSolute Vision issues an alert if the state of the device cluster is ambiguous, for example, if there has been no trigger for switchover and both cluster members detect traffic. This state is normal during the initial synchronization process.
>> There is no failback mechanism. There is only the automatic switchover action and the manual Switch Over command.
>> When a passive device becomes active, any grace time resets to 0 (for example, the time of the Graceful Startup Mode Startup Timer).
>> You can monitor high-availability operation in the High Availability pane of the Monitoring perspective.
>> The Properties pane displays the high-availability information of the selected device.


Monitoring DefensePro Cluster in the System Tab

In the system pane, APSolute Vision identifies the high-availability cluster elements, roles, modes, and states using various combinations of icons and icon elements.

Note: You can monitor high-availability operation in the High Availability pane of the Monitoring perspective.

The following table describes the icons that APSolute Vision displays in the system pane for DefensePro high-availability clusters. (The icon images are not reproduced in this text; only their meanings are listed.)

Table 17: Icons in the System Pane High-Availability Clusters

Icon Description
Cluster
Primary device
Secondary device

The following table describes the icon elements that APSolute Vision displays in the system pane for DefensePro high-availability clusters.

Table 18: Icon Elements in the System Pane High-Availability Clusters

Icon Element Description
Active device
Synchronizing
Unavailable

The following table describes some icons that APSolute Vision can display in the system pane for DefensePro high-availability clusters.

Table 19: Icons in the System Pane High-Availability Clusters: Examples

Icon Description
The cluster is operating nominally.
The cluster is synchronizing its members.
The cluster is unavailable.
The primary device is active, unlocked, and operating nominally.
The primary device is passive, unlocked, and operating nominally.
The secondary device is passive, unlocked, and operating nominally.

The secondary device is active, unlocked, and operating nominally.

The secondary device is unlocked and unavailable.

Configuring the Settings for a DefensePro High-Availability Cluster

You can use the High Availability pane in the Configuration perspective to specify the primary device of the cluster, and to configure the failover parameters and advanced parameters.
When you specify the primary device, you specify the peer device, which becomes the secondary member of the cluster.

To configure the settings for a high-availability cluster

1. In the Configuration perspective Setup tab navigation pane, select High Availability.

2. Configure the parameters; and then, click (Submit) to submit the changes. APSolute Vision
names the cluster Cluster_<IP address of primary device>.

Note: To rename the cluster, in the Configuration perspective system pane, right-click the
cluster node, and select Rename <Cluster Name>. Rename the cluster (up to
32 characters); and then, click outside the cluster node.

Table 20: High Availability Parameters

Parameter Description
Cluster Definition
Cluster Member Specifies whether the device is a member of a two-node cluster for high availability. If you clear the Cluster Member checkbox in the configuration (of the primary or secondary member), APSolute Vision breaks the cluster (after you submit the changes).
Note: You can clear the Cluster Member checkbox in the configuration of the secondary only when the primary member is unavailable.
Peer Device The name of the other device in the cluster. The drop-down list contains the names of all the DefensePro devices that are not part of a cluster. When the device is a member of an existing high-availability cluster, the drop-down list is unavailable.
Associated Management Ports Specifies the management (MNG) port or ports through which the primary and secondary devices communicate.
Values: MNG1, MNG2, MNG1+2
Note: You cannot change the value if the currently specified management port is being used by the cluster. For example, if the cluster is configured with MNG1+2, and MNG1 is in use, you cannot change the value to MNG2.

Failover
Heartbeat Timeout The time, in seconds, that the passive device detects no heartbeat from the
active device before the passive device becomes active.
Values: 110
Default: 5
Link Down Timeout The time, in seconds, after all links to the active device are identified as
being down before the devices switch states.
Values: 165,535
Default: 1
Note: If a dead link or idle line is detected on both cluster members,
there is no switchover.
Use Idle Line Specifies whether the devices switch states due to an idle line detected on
Detection the active device.
Default: Disabled
Note: If an idle line is detected on both cluster members, there is no
switchover.
Idle Line Threshold The minimum bandwidth, in Kbit/s, that triggers a switchover when the
Use Idle Line Detection option is enabled.
Values: 5124,294,967,296
Default: 512
Note: If the Use Idle Line Detection checkbox is cleared, this
parameter is ignored.
Idle Line Timeout The time, in seconds, with line bandwidth below the Idle Line Threshold
that triggers a switchover when the Use Idle Line Detection option is
enabled.
Values: 365,535
Default: 10
Note: If the Use Idle Line Detection checkbox is cleared, this
parameter is ignored.
Advanced Configuration
Baseline Sync. The interval, in seconds, that the active device synchronizes the BDoS and
Interval HTTP Mitigator baselines.
Values: 360086,400
Default: 3600
Note: The active device synchronizes the baselines also when the
cluster is created.
Switchover Sustain The time, in seconds, after a manual switchover that the cluster members
Timeout will not change states.
Values: 303600
Default: 180
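The failover rules of Table 20, as an added Python model that is not part of this guide or of Radware's software: it applies the Heartbeat Timeout, Link Down Timeout, idle-line and Switchover Sustain Timeout rules to per-second observations and validates the configured values against the documented ranges. The Sample type, the one-observation-per-second input and the observation names are assumptions of the model.

```python
"""Model of the DefensePro failover rules in Table 20.

Added example, not code from this guide or from Radware: a simplified
model that applies the documented Failover parameters to per-second
observations. The Sample type, the one-observation-per-second input and
the observation names are assumptions made for the model.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class FailoverParams:
    """Failover parameters from Table 20, with the documented defaults."""
    heartbeat_timeout: int = 5              # seconds, Values: 1-10
    link_down_timeout: int = 1              # seconds, Values: 1-65,535
    use_idle_line_detection: bool = False   # Default: Disabled
    idle_line_threshold: int = 512          # Kbit/s, Values: 512-4,294,967,296
    idle_line_timeout: int = 10             # seconds, Values: 3-65,535
    switchover_sustain_timeout: int = 180   # seconds, Values: 30-3600

    def validate(self) -> None:
        """Reject values outside the documented ranges before they are used."""
        limits = {
            "heartbeat_timeout": (1, 10),
            "link_down_timeout": (1, 65_535),
            "idle_line_threshold": (512, 4_294_967_296),
            "idle_line_timeout": (3, 65_535),
            "switchover_sustain_timeout": (30, 3600),
        }
        for name, (low, high) in limits.items():
            value = getattr(self, name)
            if not low <= value <= high:
                raise ValueError(f"{name}={value} is outside {low}-{high}")


@dataclass
class Sample:
    """One second of observations about a cluster member (constructed input).

    heartbeat_seen is meaningful only for the passive member: whether it
    received a heartbeat from the active member during that second.
    """
    links_up: bool          # at least one link of this member is up
    bandwidth_kbps: int     # line bandwidth measured on this member
    heartbeat_seen: bool = True


def _last_n_all(samples: List[Sample], n: int,
                pred: Callable[[Sample], bool]) -> bool:
    """True when at least n samples exist and pred holds for the last n."""
    return len(samples) >= n and all(pred(s) for s in samples[-n:])


def switchover_reason(params: FailoverParams,
                      active: List[Sample],
                      passive: List[Sample],
                      seconds_since_manual_switchover: Optional[int] = None
                      ) -> Optional[str]:
    """Return why the passive member should become active, or None.

    Samples are one per second, oldest first. The rules follow Table 20:
    - no heartbeat for Heartbeat Timeout seconds;
    - all links of the active device down for Link Down Timeout seconds;
    - with Use Idle Line Detection enabled, bandwidth below Idle Line
      Threshold for Idle Line Timeout seconds.
    A dead link or idle line seen on both members never causes a
    switchover, and nothing switches during the Switchover Sustain
    Timeout after a manual switchover.
    """
    params.validate()
    if (seconds_since_manual_switchover is not None
            and seconds_since_manual_switchover < params.switchover_sustain_timeout):
        return None

    if _last_n_all(passive, params.heartbeat_timeout,
                   lambda s: not s.heartbeat_seen):
        return "heartbeat"

    def links_dead(s: Sample) -> bool:
        return not s.links_up

    if (_last_n_all(active, params.link_down_timeout, links_dead)
            and not _last_n_all(passive, params.link_down_timeout, links_dead)):
        return "link down"

    if params.use_idle_line_detection:
        def idle(s: Sample) -> bool:
            return s.bandwidth_kbps < params.idle_line_threshold

        if (_last_n_all(active, params.idle_line_timeout, idle)
                and not _last_n_all(passive, params.idle_line_timeout, idle)):
            return "idle line"
    return None
```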

Switching the Device States

To switch the device states

1. In the Monitoring perspective system pane, right-click the cluster node.
2. Select Switch Over.

Configuring a High-Availability Cluster in the System Tab


In the Configuration perspective system pane, you can configure the basic parameters of a cluster
(Cluster Name, Primary Device, and Associated Management Ports).

Notes
>> Before you can configure a cluster, the devices must be locked.
>> By design, an active device does not fail over during a user-initiated reboot. Before
you reboot an active device, you can manually switch to the other device in the cluster.
>> When you upgrade the device software, you need to break the cluster (that is, ungroup
the two devices). Then, you can upgrade the software and reconfigure the cluster as you
require.

To create a DefensePro high-availability cluster from the system pane

1. In the Configuration perspective system pane, select a DefensePro device.
2. Press Ctrl and click the other device for the cluster.
3. Right-click one of the selected devices and select Create Cluster.
4. Configure the parameters; and then click OK.

Cluster Setup Parameters

Cluster Name
    The name for the cluster (up to 32 characters).

Primary Device
    Specifies which of the cluster members is the primary device.

Associated Management Ports
    Specifies the management (MNG) port or ports through which the primary and secondary devices communicate.
    Values: MNG1, MNG2, MNG1+2
    Note: You cannot change the value if the currently specified management port is being used by the cluster. For example, if the cluster is configured with MNG1+2, and MNG1 is in use, you cannot change the value to MNG2.

To break a DefensePro high-availability cluster from the system pane

In the Configuration perspective system pane, right-click the cluster node and select Break
Cluster.
After your confirmation, the cluster node is removed from the tree, and the DefensePro devices
are displayed under the parent node.

To rename a DefensePro high-availability cluster from the system pane

1. In the Configuration perspective system pane, right-click the cluster node, and select Rename
<Cluster Name>.
2. Rename the cluster (up to 32 characters); and then, click outside the cluster node.

To change the associated management ports of a DefensePro high-availability cluster from the system pane

1. In the Configuration perspective system pane, select the cluster node and click Edit Cluster.
2. Configure the parameters; and then click OK.

Note: You cannot change the value if the currently specified management port is being
used by the cluster. For example, if the cluster is configured with MNG1+2, and
MNG1 is in use, you cannot change the value to MNG2.

Configuring BOOTP
BOOTP is a protocol that is used to obtain the client IP address from the BOOTP server.

To configure BOOTP settings

1. In the Configuration perspective Setup tab navigation pane, select BootP.

2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 21: BOOTP Parameters for DefensePro

Server Address
    The IP address of the BootP server. The device forwards BootP requests to the BootP server and acts as a BootP relay.

Relay Threshold
    The time, in seconds, that the device waits before relaying requests to the BootP server. This delay allows local BootP servers to answer first.

Configuring DNS Client Settings

You can configure DefensePro to operate as a Domain Name Service (DNS) client. When the DNS client is disabled, names cannot be resolved to IP addresses. When the DNS client is enabled, you must configure the servers to which DefensePro sends its host-name resolution queries.
You can set the DNS parameters and define the primary and the alternate DNS servers for dynamic DNS. In addition, you can set static DNS parameters.

To configure DNS settings

1. In the Configuration perspective Setup tab, select DNS.
2. Configure basic DNS client parameters, and click (Submit) to submit the changes.
3. To add or modify static DNS entries, do one of the following:
   To add an entry, click the (Add) button.
   To modify an entry, double-click the entry in the table.
4. Configure the parameters, and click OK.

Table 22: DNS Client Parameters

DNS Client Parameters

DNS Client
    Specifies whether the DefensePro device operates as a DNS client to resolve IP addresses.
    Values: Enable, Disable
    Default: Disable

Primary DNS Server
    The IP address of the primary DNS server to which DefensePro sends queries.

Alternative DNS Server
    The IP address of the alternative DNS server to which DefensePro sends queries.

Static DNS Table
    The static DNS hosts.
    Click the (Add) button to add a new static DNS entry. The configuration of each static DNS entry comprises the following parameters:
    Host Name: The domain name for the specified IP address
    IP Address: The IP address for the specified domain name

Configuring DefensePro Security Signaling


For more information on this feature, see the DefensePro 6.07 release notes.
This feature is available only in DefensePro 6.07 and later.
DefensePro can expose situational signals through the DefensePro SOAP API and attack data to
specified syslog servers. A Network Operation Center (NOC) or Security Operation Center (SOC)
situated in the cloud can use the signals to monitor and control attack situations.

For example, if a DefensePro device, working as customer premises equipment (CPE), is configured
to detect low-volume attacks, when a DoS attack starts, the signals will alert the NOC or SOC that
an attack has started. Then, using the information, the NOC or SOC can divert traffic through
additional mitigation devices in the cloud, and thus, prevent pipe saturation.

Note: Typically, in the context of DefensePro signaling, NOCs are carriers, and SOCs are
managed-security-service providers (MSSPs).

When signaling is enabled:
DefensePro exposes situational data through its SOAP interface. The data includes device-health information, traffic statistics, and management information. Under normal circumstances, that is, when there is no attack, the SOAP queries and responses get through. However, during attacks, the pipe may be saturated, and the SOAP queries and responses get lost.
When DefensePro detects an attack, DefensePro sends signals to a specified syslog server. The signals include the attack events and, optionally, additional attack data.

For information on the SOAP API and syslog signals, see the DefensePro Signaling API Integration
Guide.
You configure signaling policies to send signals to a syslog server configured in the DefensePro
device. The configuration of each signaling policy specifies the Network Protection Rules, Servers
Protection Rules, and protection types.

To enable or disable signaling

1. In the Configuration perspective Setup tab navigation pane, select Signaling.
2. Select or clear the Enable Signaling checkbox.
3. Click (Submit) to submit the changes.

To configure signaling

1. In the Configuration perspective Setup tab, select Signaling.
2. Do one of the following:
   To add an entry, click the (Add) button.
   To modify an entry, double-click the entry in the table.
3. Configure the parameters; and then, click OK.

Table 23: Signaling Policy Parameters

Enabled
    Specifies whether the signaling policy is enabled.
    Default: Enabled

Policy ID
    A numerical identifier for the signaling policy.
    Values: 1–100

Policy Name
    The name of the signaling policy.
    Maximum characters: 80

Syslog Server
    The syslog server to which DefensePro sends the attack alert signals.

Customer Name
    The name of the customer, which is included in the alert messages.
    Maximum characters: 32

Customer Description
    The description of the customer, which is included in the alert messages. This description can include, for example, details of the specific device or environment.
    Maximum characters: 100

Pipe Size
    The total size, in Mbps, of the ISP link of the customer. DefensePro uses this value to calculate the pipe-utilization percentage, which is included in attack alerts.

Signaling Mode
    Values:
    Events and Data: Attack signals contain the basic attack alerts and the additional metadata for the alert events.
    Events Only: Attack signals contain the basic attack alerts only.

All Network Rules
    Specifies whether the signaling policy sends signals for all enabled Network Protection policies/rules or only for specific rule groups.
    Default: Enabled

Network-Policies Group ID (available only when the All Network Rules checkbox is cleared)
    The ID of the Network-Policies Group, which defines specific Network Protection policies/rules.

All Servers
    Specifies whether the signaling policy sends signals for all enabled Server Protection policies/rules or only for specific rule groups.
    Default: Enabled

Server-Protection Group ID (available only when the All Servers checkbox is cleared)
    The ID of the Server-Protection Group, which defines specific Server Protection policies/rules.

Advanced Parameters
This section describes the advanced parameters that are relevant for the basic configuration of a
DefensePro device.
This section contains the following topics:
Configuring Advanced Settings, page 81
Configuring Configuration Auditing, page 82
Configuring Dynamic Protocols, page 82
Configuring Tuning Parameters, page 84
Configuring Security Reporting Settings, page 93
Configuring Out-of-Path Settings for DefensePro, page 96
Configuring Session Table Settings, page 97
Configuring Suspend Settings, page 100
Configuring the Device Event Scheduler, page 101
Configuring Tunneling Inspection, page 102

Configuring Advanced Settings

The advanced settings comprise the following parameters:
Accept Weak SSL Ciphers
Enable Overload Mechanism
SRP Management Host IP Address

The Overload Mechanism (that is, the overload-protection mechanism) identifies and reports overload conditions, and acts to reduce operations with high resource consumption. The DefensePro device uses the overload-protection mechanism to handle the following overload conditions:
SME Overload: When the overload occurs in the string-matching engine (SME), the accelerator reduces the number of new sessions sent to the SME. The existing sessions continue to pass through the SME and are inspected. Features that require the SME, including some of the attack signatures, will not be applied to some of the sessions.
Master Overload: When the overload occurs in the Master CPU, only a percentage of the traffic is processed by the CPU. Behavioral DoS footprint analysis is done on sampled data, ensuring the continuation of the feature, but SYN Protection does not work.
Accelerator Overload: When the overload occurs in the Accelerator CPU, only a percentage of the traffic is inspected, while the rest passes through using bypass modes. Inspected traffic is passed to the Master and SME if they are not overloaded.
System Wide Overload: If all offload operations have failed to prevent overloaded conditions, then a full bypass is implemented. Every device application is bypassed, including Bandwidth Management, Statistics, Security, and so on.

To configure advanced settings

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Advanced
Parameters.

2. Configure the overload mechanism and SRP parameters; and then, click (Submit) to submit
the changes.

Table 24: Advanced Settings Parameters

Accept Weak SSL Ciphers
    Specifies whether the device allows management connections over secure protocols with ciphers shorter than 128 bits.
    Default: Enabled

Enable Overload Mechanism
    Specifies whether the device uses the overload mechanism, which identifies and reports overload conditions.
    Radware recommends that the overload-protection mechanism always be enabled.

SRP Management Host IP Address
    The IP address to which the device sends Statistics Reporting Protocol (SRP) data. SRP is a private Radware protocol for efficient transmission of statistical data from the device to the APSolute Vision server.
    Enter the APSolute Vision server IP address.
    This parameter must be configured to view real-time reports and attack details in APSolute Vision.

Configuring Configuration Auditing


When configuration auditing for devices is enabled on the APSolute Vision server and on the device,
any configuration change on a device using APSolute Vision creates two records in the Audit
database, one from the APSolute Vision server, and one from the device audit message.

Note: To avoid overloading the managed device and degrading its performance, the
feature is disabled by default.

To enable configuration auditing for a managed device

1. In the Configuration perspective system pane, select the device for which you want to configure
auditing.
2. In the Advanced Parameters tab navigation pane, select Configuration Audit.
3. To enable configuration auditing, select the Enable Configuration Auditing checkbox.

4. Click (Submit) to submit changes.

Configuring Dynamic Protocols


Dynamic protocols use control or signaling channels that set up data, voice, and audio streaming
channels. For example, FTP has a control session and a data session; SIP has signaling sessions, data
sessions (RTP), and control sessions (RTCP).
Some dynamic sessions stay in the Session Table longer than regular sessions. With VoIP (SIP and
H.225), there are periods with no traffic; however, the call is still active and the session must not age out.
You can configure different aging times for various dynamic protocols, and different policies for
different connections of the same session. In FTP, for example, you can set one policy for FTP data
and another policy for FTP control.
Before you configure dynamic protocols, ensure that the Session table Lookup Mode is Full L4 (which
is the default). To change settings, see Configuring Session Table Settings, page 97.

To configure dynamic protocols

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Dynamic
Protocols.

2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 25: Dynamic Protocol Parameters

FTP

Enable FTP
    Enables/disables the FTP Dynamic Protocol.
    Default: Enabled

Control Session Aging Time
    The Control Session Aging Time, in seconds.
    Default: 0

Data Session Aging Time
    The Data Session Aging Time, in seconds.
    Default: 0

TFTP

Enable TFTP
    Enables/disables the TFTP Dynamic Protocol.
    Default: Enabled

Data Session Aging Time
    The Data Session Aging Time, in seconds.
    Default: 0

Rshell

Enable Rshell
    Enables/disables the Rshell Dynamic Protocol.
    Default: Enabled

Control Session Aging Time
    The Control Session Aging Time, in seconds.
    Default: 0

Data Session Aging Time
    The Data Session Aging Time, in seconds.

Rexec

Enable Rexec
    Enables/disables the Rexec Dynamic Protocol.
    Default: Enabled

Control Session Aging Time
    The Control Session Aging Time, in seconds.
    Default: 0

Data Session Aging Time
    The Data Session Aging Time, in seconds.

H.225

Enable H.225
    Enables/disables the H.225 Dynamic Protocol.
    Default: Enabled

Control Session Aging Time
    The Control Session Aging Time, in seconds.
    Default: 0

H.245 Data Session Aging Time
    The Data Session Aging Time, in seconds.
    Default: 0

SIP

Enable SIP
    Enables/disables the SIP Dynamic Protocol.
    Session Initiation Protocol (SIP) is an IETF standard for initiating an interactive user session involving multimedia elements such as video, voice, chat, gaming, and so on. SIP can establish, modify, or terminate multimedia sessions or Internet telephony calls.
    When a policy for SIP is configured to block traffic from one direction, it is not possible to open a SIP connection from the other direction (SIP uses the same port number for both source and destination).
    Default: Disabled

Signaling Session Aging Time
    The Signaling Session Aging Time, in seconds.
    When the clients communicate directly with each other, or work with non-standard SIP ports, increase the Signaling Session Aging Time.
    Default: 20

RTCP Session Aging Time
    The RTCP Session Aging Time, in seconds.
    Default: 0

TCP Segments Aging Time
    The SIP TCP Segments Aging Time, in seconds.
    Default: 5

Configuring Tuning Parameters

You can adjust the tuning parameters to use memory resources more efficiently and conserve memory.

Caution: Radware strongly recommends that you perform any device tuning only after
consulting with Radware Technical Support.
This section contains the following:
Configuring Device Tuning, page 85
Configuring Security Tuning, page 86
Configuring SYN Protection Tuning, page 89
Configuring Authentication Table Tuning, page 90
Configuring Classifier Tuning, page 91
Configuring BWM Tuning, page 92

Configuring Device Tuning

To configure device tuning parameters

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters.
2. To change the current setting, enter the new value in the After Reset column.

3. Click (Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.

Note: Radware recommends performing a memory check before rebooting the device.

Table 26: Device Tuning Parameters

IP Fragmentation Table
    The maximum number of IP fragments that the device stores.
    Values: 1–256,000
    Default: 1240

Session Table
    The maximum number of sessions that the device can track.
    Values per model:
    x06: 20–2,000,000
    x016: 20–2,000,000
    x412: 20–4,000,000
    Default per model:
    x06: 1,800,000
    x016: 1,800,000
    x412-NL-O: 2,885,000
    x412-NL-Q: 2,985,000
    x412-BP-O: 2,985,000
    x412-BP-Q: 3,085,000

Session Resets Entries
    The maximum number of sessions that the device tracks in order to send a RESET when Send Reset To Server is enabled in the Session table.
    Values: 1–10,000
    Default: 1000

Routing Table
    The maximum number of entries in the Routing table.
    Values: 20–32,767
    Default: 64

Pending Table
    The maximum number of new simultaneous dynamic sessions the device can open.
    Values: 16–16,000
    Default: 1024

SIP Call Table
    The maximum number of SIP calls the device can track.
    Values: 16–256,000
    Default: 1024

TCP Segmentation Table
    The maximum number of TCP segments. This parameter is used when the SIP protocol is enabled and SIP is running over TCP.
    Values: 1–32,768
    Default: 256

Configuring Security Tuning

The security tables store information about the sessions passing through the device; the size of each table is set according to the number of sessions it must track. Some tables store Layer 3 information for every source-destination address pair of traffic going through the device, requiring an entry for each combination. Other tables keep information about Layer 4 sessions, where every combination of source address, source port, destination address, and destination port requires its own entry in the table.

Note: Layer 4 tables are larger than Layer 3 tables. TCP clients, using HTTP, may open several
TCP sessions to one destination address.

Each security table clears its own old entries that are no longer required, ensuring that traffic is
properly classified and inspected.

To configure security tuning

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > Security.
2. Configure the tuning parameters.

Table 27: Security Tuning Parameters

Max. Number of HTTP Mitigator Suspect Sources
    The maximum number of suspect sources in HTTP Mitigation policies.
    Values: 1000–500,000
    Default: 100,000

Max. Number of Server Protection Servers
    The maximum number of entries in the Server Protection policy.
    Values: 100–10,000
    Default: 350

Max. Number of BDoS Policies
    The maximum number of configurable Behavioral DoS policies.
    Values: 1–100
    Default: 10

Max. Number of DNS Policies
    The maximum number of configurable DNS Flood Protection policies.
    Values: 1–100
    Default: 10

Max. Number of Anti-Scanning IP Pairs
    The maximum number of source IP addresses that the device stores for anti-scanning purposes.
    Values: 10,000–1,000,000
    Default: 50,000

Max. Number of Entries in Counter Target Table
    The maximum number of sessions in which a destination address is tracked.
    Some attack signatures use thresholds per destination for activation. The Counter Target Table counts the number of times traffic to a specific destination matches a signature. When the number of packets sent to a particular destination exceeds the predefined limit, it is identified as an attack.
    Values: 100–65,536
    Default: 65,536

Max. Number of Entries in Counter Source Table
    The maximum number of sessions in which a source address is tracked.
    Some attack signatures use thresholds per source for activation. The Counter Source Table counts the number of times traffic from a specific source matches a signature. When the number of packets sent from a particular source exceeds the predefined limit, it is identified as an attack.
    Values: 100–65,536
    Default: 65,536

Max. Number of Entries in Counter Source and Target Table
    The maximum number of sessions in which source and destination addresses are tracked.
    Some signatures use thresholds per source and destination for activation. The Counter Source & Target Table counts the number of times traffic from a specific source to a specific destination matches a signature. When the number of packets sent from a particular source to a particular destination exceeds the predefined limit, it is identified as an attack.
    Values: 100–65,536
    Default: 65,536

Max. Number of Concurrent Active DoS Shield Protections
    The maximum number of filters tracked.
    DoS Shield filters use thresholds for activation. The table (the New Count Per Filter (NCPF) table) counts the number of times traffic matches a DoS Shield signature per policy. When the number of packets exceeds the predefined limit, it is identified as an attack.
    Values: 100–16,000
    Default: 10,000

Max. Number of Entries in Counters Report Tracking Signatures
    The maximum number of entries for reports on active concurrent attacks.
    Values: 100–64,000
    Default: 20,000

Max. Number of Entries in Counters Server Cracking Protection
    The maximum number of entries for concurrent active Server Cracking protections.
    When the Server Cracking protection feature is enabled, DefensePro uses one entry in this table whenever DefensePro receives a response from the server that can indicate a potential Server Cracking attack. The entry includes the IP address of the potential attacker, the protected server, and the protocol. The entry remains in use as long as DefensePro receives such server responses.
    Values: 100–65,536
    Default: 100

Max. Number of Entries in DHCP Table
    The number of MAC addresses to check for IP requests.
    The DHCP Discover table detects attacks by counting the IP requests for each MAC address. The requests are made using Dynamic Host Configuration Protocol. When the number of IP requests for a particular MAC address exceeds the predefined limit, it is identified as an attack.
    Values: 100–64,000
    Default: 100

Max. Number of Signatures Configured by User
    The maximum number of user-configurable IPS signatures and RSA signatures. DefensePro can store up to 500 concurrent RSA signatures.
    Values: 10–10,000
    Default with fraud protection not enabled: 100
    Default with fraud protection enabled: 3,000
    Note: RSA signatures on the device accumulate until the device ages them. The device ages RSA signatures according to the specified aging times: Phishing Signatures Aging, Drop Points Aging, and Malicious Download Aging. If the Max. Number of Signatures Configured by User is greater than 500, and the number of RSA signatures reaches 500, you cannot add any new RSA signature. If you must add new RSA signatures immediately, you can reduce the aging time, add the RSA signature, and then increase the aging time as appropriate.

Max. Number of Source IPs in Suspend Table
    The maximum number of hosts that the Suspend table can block simultaneously.
    This value affects the abilities of other defenses, such as Anti-Scanning, Server Cracking, and SYN protection.
    Values: 1000–100,000
    Default: 10,000

Max. Number of Concurrent Connection PPS Attacks
    The maximum number of concurrent Connection Packet Rate Limit attacks that the device can handle.
    Values: 5–1000
    Default: 50

Max. Number of IPs in the Quarantine Table
    The maximum number of IP addresses in the Quarantine table.
    Values: 1,000–10,000
    Default: 1000
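The Counter Source, Counter Target and Counter Source and Target tables of Table 27, as an added Python model that is not part of this guide or of Radware's software: it shows what the Max. Number of Entries bound limits, namely which sources, destinations or pairs can be counted at all, so a table sized too small leaves later keys undetected. The per-signature threshold, the behaviour when the table is full, and the constructed sample matches are assumptions of the model.

```python
"""Model of the Counter Source, Counter Target and Counter Source and Target
tables in Table 27.

Added example, not code from this guide or from Radware: a bounded per-key
counter, keyed the way each table is keyed (source, destination, or the
pair). The threshold per signature, the behaviour when the table is full
(new keys are simply not tracked) and the sample traffic are assumptions
of the model; the addresses come from documentation ranges.
"""
from typing import Dict, List, Optional, Tuple


class CounterTable:
    """Counts signature matches per key; flags a key that exceeds the threshold."""

    def __init__(self, max_entries: int, threshold: int, key_fields: Tuple[str, ...]):
        if not 100 <= max_entries <= 65_536:   # documented range of all three tables
            raise ValueError("max_entries must be within 100-65,536")
        self.max_entries = max_entries
        self.threshold = threshold
        self.key_fields = key_fields
        self.counts: Dict[Tuple[str, ...], int] = {}
        self.untracked = 0   # matches for keys that arrived while the table was full

    def record(self, match: Dict[str, str]) -> Optional[Tuple[str, ...]]:
        """Count one signature match; return the key the first time it exceeds the threshold."""
        key = tuple(match[field] for field in self.key_fields)
        if key not in self.counts:
            if len(self.counts) >= self.max_entries:
                self.untracked += 1   # full table: this key is invisible to detection
                return None
            self.counts[key] = 0
        self.counts[key] += 1
        if self.counts[key] == self.threshold + 1:
            return key
        return None


def run_matches(table: CounterTable, matches: List[Dict[str, str]]) -> List[Tuple[str, ...]]:
    """Feed signature matches through a table and collect the keys flagged as attacks."""
    flagged = []
    for match in matches:
        key = table.record(match)
        if key is not None:
            flagged.append(key)
    return flagged


def constructed_matches() -> List[Dict[str, str]]:
    """Constructed sample: one source touching 150 destinations once each
    (scan-like), then 40 sources each hitting one destination once (flood-like)."""
    matches = [{"src": "192.0.2.10", "dst": f"198.51.100.{i}"} for i in range(1, 151)]
    matches += [{"src": f"203.0.113.{j}", "dst": "198.51.100.200"} for j in range(1, 41)]
    return matches


if __name__ == "__main__":
    traffic = constructed_matches()
    # A 100-entry target table fills up on the scan; the later flood against
    # 198.51.100.200 cannot be tracked and is never flagged.
    small = CounterTable(max_entries=100, threshold=20, key_fields=("dst",))
    print(run_matches(small, traffic), small.untracked)   # [] 90
    # With room for the keys, the flood is flagged at the 21st match.
    big = CounterTable(max_entries=200, threshold=20, key_fields=("dst",))
    print(run_matches(big, traffic))                      # [('198.51.100.200',)]
    # The source-keyed table flags the scanning source instead.
    src = CounterTable(max_entries=100, threshold=100, key_fields=("src",))
    print(run_matches(src, traffic))                      # [('192.0.2.10',)]
```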

Configuring SYN Protection Tuning


SYN tables are used to define SYN Flood protection.

To configure SYN Protection tuning

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > SYN Protection.
2. Configure the tuning parameters.

Table 28: SYN Protection Tuning Parameters

SYN Protection Table
    The number of entries in the table that stores data regarding the delayed binding process. An entry exists in the table from the time a client starts the three-way handshake until the handshake is complete.
    Values: 10–500,000
    Default: 200,000

SYN Protection Requests Table
    The number of entries in the table that stores the ACK, or data packet, that the client sends, until the handshake with the server is complete and the packet is sent to the server.
    The Requests table and the SYN Protection table are approximately the same size, whereas the Triggers table is much smaller.
    Values: 10–500,000
    Default: 200,000

SYN Protection Signature Detection Entries
    The number of entries in the table that stores active triggers, that is, the destination IP addresses/ports for which the device identifies an ongoing attack.
    Values: 1000–20,000
    Default: 1000

SYN Statistics Entries
    The number of entries in the SYN Flood Statistics table.
    Values: 1000–20,000
    Default: 1000

Configuring Authentication Table Tuning

To configure Authentication Table tuning

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > Authentication Tables.
2. Configure the tuning parameters.

Table 29: Authentication Table Tuning Parameters

Authentication Table Tuning

HTTP Authentication Table Size
    The number of sources in the HTTP Authentication table. DefensePro uses the HTTP Authentication table in HTTP Flood profiles and for the HTTP Authentication feature in a SYN Protection profile.
    Values: 500,000–2,000,000
    Default: 2,000,000

TCP Authentication Table Size
    The number of sources in the TCP Authentication table. DefensePro uses the TCP Authentication table for the Safe Reset Authentication Method feature in SYN Protection profiles.
    Values: 500,000–2,000,000
    Default: 2,000,000
    Note: For x412 platforms, the value is fixed at the default 2,000,000, and cannot be tuned.

Authentication Tables Aging

HTTP Authentication Table Aging
    The time, in seconds, that the device keeps idle sources in the HTTP Authentication table.
    Values: 60–3600
    Default: 1200

TCP Authentication Table Aging
    The time, in seconds, that the device keeps idle sources in the TCP Authentication table.
    Values: 60–3600
    Default: 1200

DNS Authentication Table Aging
    The time, in minutes, that the device keeps idle sources in the DNS Authentication table.
    Values: 1–60
    Default: 20
    Note: The DNS Authentication Table Aging text box is empty if DNS Flood Protection has not been enabled on the device (Configuration perspective > Security Settings > DNS Flood Protection > Enable DNS Flood Protection). You can, however, enter a value even if DNS Flood Protection is not enabled, and the value will persist.

Configuring Classifier Tuning

APSolute Vision supports the classifier (that is, Classes) module.
A packet first flows into the system through the classifier. The classifier handles the packet
according to the Bandwidth Management policy that best matches the packet and according to these tuning
parameters. You can view and edit the Classifier tuning parameters. The changes take effect after a
device reset.

To configure classifier tuning

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > Classifier.
2. To change the current setting, enter the new value in the After Reset column.

3. Click (Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.

Note: Radware recommends performing a memory check before rebooting the device.

Table 30: Classifier Tuning Parameters

Max. Number of Networks
    The maximum number of entries in the table for ranges.
    Values: 32–10,000
    Default: 256

Max. Number of Discrete IP Addresses per Network
    The maximum number of entries in the table for IP addresses that are allocated to a network.
    Values: 16–1024
    Default: 64

Max. Number of Subnets per Network
    The maximum number of entries in the table for network subnets.
    Values: 16–256
    Default: 64

Max. Number of MAC Groups
    The maximum number of entries in the table for MAC groups.
    Values: 16–2048
    Default: 128

Max. Number of Filter Entries
    The maximum number of entries in the table for basic filters.
    Values: 512–2048
    Default: 512

Max. Number of AND Groups
    The maximum number of entries in the advanced filters table for AND groups.
    Values: 256–2048
    Default: 256

Max. Number of OR Groups
    The maximum number of entries in the advanced filters table for OR groups.
    Values: 256–2048
    Default: 256

Max. Number of Application Ports Groups
    The maximum number of entries in the table for application port groups.
    Values: 32–2000
    Default: 512

Max. Number of Content Entries
    The maximum number of content entries in the table.
    Values: 16–4096
    Default: 256

Configuring BWM Tuning


You can view and edit the bandwidth-management (BWM) tuning parameters. The changes take
effect after a device reset.

To configure BWM tuning

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
   Parameters > BWM.
2. To change the current setting, enter the new value in the After Reset column.
3. Click Submit to submit the changes. You can reboot immediately or at a later time. Changes
   will not take effect until after reboot.

Note: Radware recommends performing a memory check before rebooting the device.

Table 31: BWM Tuning Parameters

Policy Table
    The number of policy entries in the table.
    Values: 256–150,000
    Default: 1024
Policy Leaves
    The percentage of hierarchical BWM leaves (that is, hierarchical BWM policies without a child
    policy) out of the total number of policies that the device supports.
    Values: 50–100
    Default: 100
BW per Traffic Flow sessions tracking
    The number of traffic flows for which the device can provide bandwidth or limit the number of
    sessions.
    Values: 16–400,000
    Default: 2048
Destination Table
    Displays the number of destination address entries in the table.
    Values: 64–128,000
    Default: 256

Configuring SDM Tuning

To configure SDM tuning

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
   Parameters > SDM.
2. Configure the tuning parameter.

Table 32: SDM Tuning Parameter

SDM Table Size
    The size of the SDM table.
    Values: Small, Medium, Large
    Default: Medium

Configuring Security Reporting Settings


To support historical and real-time security-monitoring capabilities and provide in-depth attack
information for each attack event, the DefensePro device establishes a data-reporting protocol
between the device and APSolute Vision. This protocol, called Statistical Real-time Protocol (SRP),
uses UDP packets to send attack information.
In addition, DefensePro can provide the APSolute Vision server with sampled captured packets that
were identified by the DefensePro as part of the specific attack. DefensePro sends these packets to
the defined IP address, encapsulated in UDP packets.
You can enable the reporting channels used by DefensePro devices to receive information about
attacks, and to report detected attacks based on their various risk levels.
You can also configure DefensePro devices to send captured attack packets along with the attack
event for further offline analysis. Packet reporting and SRP use the same default port, 2088.

To configure security reporting channels

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Security
   Reporting Settings.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 33: Security Reporting Parameters

Basic Parameters

Report Interval
    The frequency, in seconds, at which the reports are sent through the reporting channels.
    Values: 1–65,535
    Default: 5
Maximal Number of Alerts per Report
    The maximum number of attack events that can appear in each report (sent within the
    reporting interval).
    Values: 1–2000
    Default: 1000
Report per Attack Aggregation Threshold
    The number of events for a specific attack during a reporting interval before the events are
    aggregated into a report. When the number of generated events exceeds the Aggregation
    Threshold value, the IP address value for the event is displayed as 0.0.0.0, which specifies
    any IP address.
    Values: 1–65,535
    Default: 5
L4 Port for Reporting
    The port used for packet reporting and SRP.
    Values: 1–65,535
    Default: 2088
Enable Sending Traps
    When selected, the device uses the traps reporting channel.
    Default: Enabled
Minimal Risk Level for Sending Traps
    The minimal risk level for the reporting channel. Attacks with the specified risk value or
    higher are reported.
    Default: Low
Enable Sending Syslog
    When selected, the device uses the syslog reporting channel.
    Default: Disabled
Minimal Risk Level for Sending Syslog
    The minimal risk level for the reporting channel. Attacks with the specified risk value or
    higher are reported.
    Default: Low
Enable Sending Terminal Echo
    When selected, the device uses the Terminal Echo reporting channel.
    Default: Disabled
Minimal Risk Level for Sending Terminal Echo
    The minimal risk level for the reporting channel. Attacks with the specified risk value or
    higher are reported.
    Default: Low
Enable Sending Email
    When selected, the device uses the e-mail reporting channel.
    Default: Disabled
Minimal Risk Level for Sending Email
    The minimal risk level for the reporting channel. Attacks with the specified risk value or
    higher are reported.
    Default: Low
Enable Security Logging
    When selected, the device uses the security logging reporting channel.

Packet Reporting and Packet Trace

Enable Packet Reporting
    Specifies whether the DefensePro device sends sampled attack packets along with the attack
    event.
    Default: Enabled
Maximum Packets per Report
    The maximum number of packets that the device can send within the Report Interval.
    Values: 1–65,535
    Default: 100
Destination IP Address
    The destination IP address for the packet reports.
    Default: 0.0.0.0
    Note: Only one destination IP address can be configured for packet reporting, even when more
    than one APSolute Vision server manages the device.
Enable Packet Trace on Physical Port
    Specifies whether the feature is disabled, or enables the feature and specifies the physical
    port to which the DefensePro device sends identified attack traffic (when the Packet Trace
    feature is enabled in the policy rule or profile).
    Values:
    • none – The Packet Trace feature is disabled.
    • The physical inspection ports (that is, excluding the management ports)
    Default: none
    Caution: A change to this parameter takes effect only after you update policies.
    Note: DefensePro x06 models support the Packet Trace functionality only for dropped traffic.
Maximum Rate
    The maximum number of packets per second that the Packet Trace feature sends.
    Values: 1–200,000
    Default: 50,000
    Caution: A change to this parameter takes effect only after you update policies.
Maximum Length of Dropped Packets
    The maximum length, in bytes, of dropped packets that the Packet Trace feature sends.
    DefensePro can limit the size of the packets sent by Packet Trace only for dropped packets.
    That is, when a rule is configured with Report Only (as opposed to Block), the Packet Trace
    feature sends the whole packets.
    Values: 64–1550
    Default: 1550
    Tip: If you are interested only in the packet headers of the dropped packets, set the minimal
    value, 64, to conserve resources.
    Caution: A change to this parameter takes effect only after you update policies.

netForensics Reporting

Enable netForensics Reporting
    When selected, enables reporting using the netForensics reporting agent.
    Default: Disabled
Agent IP Address
    The IP address of the netForensics agent.
L4 Port
    The port used for netForensics reporting.
    Values: 1–65,535
    Default: 555

Data Reporting Destinations

Destination IP Address
    The target addresses for data reporting. The table can contain up to 10 addresses. By
    default, when there is room in the table, addresses are added automatically when you add a
    DefensePro device to the tree in the system pane.
    To add an address, click the Add button. Enter the destination IP address; and then, click OK.
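
The Report per Attack Aggregation Threshold, Maximal Number of Alerts per Report and per-channel
Minimal Risk Level parameters above interact in a way that is easier to see in code. The following
Python model is an added example written for this guide, not Radware code: the event records,
attack names and addresses are constructed, and the risk ordering Low < Medium < High used to
compare against a channel's minimal risk level is an assumption.

```python
"""Model of one DefensePro reporting interval (added example, not Radware code).

Events that arrive during one Report Interval are grouped per attack. Once the
number of events for an attack exceeds the Report per Attack Aggregation
Threshold, they are collapsed into a single record whose source address is
0.0.0.0 ("any IP"), and the report is capped at Maximal Number of Alerts per
Report. Each record is then fanned out to the channels whose Minimal Risk Level
admits its risk. The sample events are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

ANY_IP = "0.0.0.0"                                   # value shown for aggregated events
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2}      # assumed ordering of risk levels


@dataclass(frozen=True)
class AttackEvent:
    attack_name: str
    source_ip: str
    dest_ip: str
    risk: str


def build_report(events, aggregation_threshold=5, max_alerts=1000):
    """Collapse one interval's events into report records.

    Events are grouped by attack name (the "specific attack" of the guide);
    a group larger than aggregation_threshold becomes one record with
    source_ip 0.0.0.0 carrying the highest risk seen in the group.
    """
    by_attack = defaultdict(list)
    for ev in events:
        by_attack[ev.attack_name].append(ev)

    records = []
    for name, group in by_attack.items():
        if len(group) > aggregation_threshold:
            top = max(group, key=lambda e: RISK_ORDER[e.risk])
            records.append({"attack": name, "source_ip": ANY_IP,
                            "count": len(group), "risk": top.risk})
        else:
            for ev in group:
                records.append({"attack": name, "source_ip": ev.source_ip,
                                "count": 1, "risk": ev.risk})
    # Maximal Number of Alerts per Report truncates what is sent.
    return records[:max_alerts]


def channels_for(risk, channel_min_risk):
    """Return the enabled channels whose Minimal Risk Level admits `risk`.

    channel_min_risk maps an enabled channel name to its minimal risk level,
    e.g. {"traps": "Low", "syslog": "Medium"}. Disabled channels are absent.
    """
    return [ch for ch, minimum in channel_min_risk.items()
            if RISK_ORDER[risk] >= RISK_ORDER[minimum]]


# Constructed sample: seven SYN-flood events from seven sources and two port-scan
# events, as might arrive within one five-second Report Interval.
SAMPLE_EVENTS = [
    AttackEvent("SYN Flood", f"198.51.100.{i}", "203.0.113.10", "High")
    for i in range(1, 8)
] + [
    AttackEvent("Port Scan", "192.0.2.5", "203.0.113.10", "Low"),
    AttackEvent("Port Scan", "192.0.2.6", "203.0.113.11", "Low"),
]


def demo():
    """Build the report with the guide's defaults and route it to channels."""
    report = build_report(SAMPLE_EVENTS, aggregation_threshold=5, max_alerts=1000)
    channels = {"traps": "Low", "syslog": "Medium"}   # constructed channel set
    return [(r["attack"], r["source_ip"], r["count"], channels_for(r["risk"], channels))
            for r in report]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With the defaults (threshold 5), the seven SYN-flood events become one 0.0.0.0 record while the two
port-scan events keep their source addresses; raising the threshold to 7 keeps all seven sources
visible, which is the trade-off to weigh when tuning the threshold for forensic detail against report
size.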

Configuring Out-of-Path Settings for DefensePro


When you install DefensePro outside the critical path of the traffic, you can configure the Out-of-Path
Mode to mitigate DoS attacks using the capabilities of the router's access list. When the device
operates in the Out-of-Path mode, the traffic is copied to the device and verified separately from the
main traffic route. When an attack is identified, Behavioral DoS translates the footprint into a router
Access List (ACL) command and configures the router accordingly.

Note: The feature works on Cisco routers that have the capability to mirror an interface and
accept ACL commands to reroute traffic. This feature was tested on a Cisco 6509 running
IOS 12.2.

To configure out-of-path settings

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Out of Path.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 34: Out of Path Parameters

Enable Out of Path Mode
    You must enable and reboot the device before you can configure out-of-path settings.
    When Out of Path is enabled, the only available protection is BDoS.
Router IP Address
    The IP address of the organization router that manages all the incoming traffic.
Router's Enable Password
    Administrator's password for the router.
Verify Password
    Verification of the password for the router.
SSH User Name
    The name of the SSH user.
SSH Password
    The password of the SSH user.
Verify SSH Password
    Verification of the password for the SSH user.
Router Interface for Receiving Traffic
    The router interface that is being monitored, and from which traffic will be redirected.

Configuring Session Table Settings


DefensePro includes a Session table, which tracks sessions bridged and forwarded by the device.

To configure Session table settings

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Session
   Table Settings.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 35: Session Table Parameters

Basic Parameters

Enable Session Table
    Specifies whether the device uses the Session table.
    Default: Enabled

Session Aging Parameters

Note: When the Access Control List (ACL) feature is enabled, aging times are determined by the
relevant ACL parameters.

Idle TCP-Session Aging Time
    The time, in seconds, that the Session table keeps idle TCP sessions.
    Values: 1–7200
    Default: 100
Idle UDP-Session Aging Time
    The time, in seconds, that the Session table keeps idle UDP sessions.
    Values: 1–7200
    Default: 100
Idle SCTP-Session Aging Time
    The time, in seconds, that the Session table keeps idle SCTP sessions.
    Values: 1–7200
    Default: 100
Idle ICMP-Session Aging Time
    The time, in seconds, that the Session table keeps idle ICMP sessions.
    Values: 1–7200
    Default: 100
Idle GRE-Session Aging Time
    The time, in seconds, that the Session table keeps idle GRE sessions.
    Values: 1–7200
    Default: 100
Idle Other-Protocol-Session Aging Time
    The time, in seconds, that the Session table keeps idle sessions of protocols other than TCP,
    UDP, SCTP, ICMP, or GRE.
    Values: 1–7200
    Default: 100
Incomplete TCP Handshake Timeout
    How long, in seconds, the device waits for the three-way handshake to be completed for a new
    TCP session. When the timeout elapses, the device deletes the session and, if the Send Reset
    To Server checkbox is selected, sends a reset packet to the server.
    Values:
    • 0 – The device uses the specified Session Aging Time.
    • 1–10 – The TCP Handshake Timeout in seconds.
    Default: 10

Advanced Parameters

Remove Session Entry at Session End
    Specifies whether the device removes sessions from the Session Table after receiving a FIN or
    RST packet if no additional packets are received on the same session within the Remove
    Session Entry at Session End Timeout period.
    Default: Enabled
Remove Session Entry at Session End Timeout
    (This option is available only if Remove Session Entry at Session End is enabled.)
    When Remove Session Entry at Session End is enabled, the time, in seconds, after which the
    device removes sessions from the Session Table after receiving a FIN or RST packet if no
    additional packets are received on the same session.
    Values: 1–60
    Default: 5
Send Reset to Destination of Aged TCP Connection
    Specifies whether the DefensePro device sends a RST packet to the destination of aged TCP
    sessions.
    Values:
    • Enabled – DefensePro sends a RST packet to the destination and cleans the entry in the
      DefensePro Session table.
    • Disabled – DefensePro ages the session normally (using the short SYN timeout), but the
      destination might hold the session for quite some time.
    Default: Disabled
Session-Table-Full Action
    The action that the device takes when the Session Table is at full capacity.
    Values:
    • Allow new traffic – The device bypasses new sessions until the session table has room for
      new entries.
    • Block new traffic – The device blocks new sessions until the session table has room for new
      entries.
    Default: Allow new traffic
Alert-Start Threshold
    The percentage of full capacity of the Session Table at which the device starts issuing
    alerts.
    Default: 95
Alert-Stop Threshold
    The percentage of full capacity of the Session Table at which the device stops issuing
    alerts.
    Default: 90
Lookup Mode
    The layer of address information that is used to categorize packets in the Session table.
    Values:
    • Full L4 – An entry exists in the Session table for each source IP, source port,
      destination IP, and destination port combination of packets passing through the device.
    • L4 Destination Port – Enables traffic to be recorded based only on the TCP/UDP destination
      port. This mode uses minimal Session table resources (only one entry for each port that is
      secured).
    Default: Full L4
    Caution: Radware recommends that you always use the Full L4 option. When Session Table
    Lookup Mode is Layer 4 Destination Port, the following protections do not work:
    • ACL
    • Anti Scanning
    • Connection Packet Rate Limit
    • Connection Rate Limit
    • HTTP Mitigator
    • HTTP Replies Signatures
    • Out-of-State protection
    • Server Cracking
    • SYN Protection
Disable Session Aging
    (This option is available only for L4 Destination Port Lookup Mode.)
    When enabled, the device enables aging of sessions in the Session table.
    Default: Disabled
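
The aging and capacity parameters in Table 35 are easier to reason about as a small simulation. The
Python below is an added example, not DefensePro code: it models a Full L4 session table with
per-protocol idle aging, the Incomplete TCP Handshake Timeout, the Remove Session Entry at Session
End Timeout, the Session-Table-Full Action, and the Alert-Start/Alert-Stop hysteresis. Packet
timestamps, addresses and the table capacity are constructed, and treating a TCP session as
established at its first non-SYN packet is a simplification of the three-way handshake.

```python
"""Simulation of a Full L4 session table (added example, not DefensePro code).

Sessions are keyed by (protocol, src_ip, src_port, dst_ip, dst_port). Each
session expires after the idle time for its protocol, except that a TCP
session whose handshake has not completed uses the Incomplete TCP Handshake
Timeout, and a session that has seen FIN or RST uses the Remove Session Entry
at Session End Timeout. When the table is full, new sessions are either
bypassed untracked ("Allow new traffic") or dropped ("Block new traffic").
Alerts start at Alert-Start Threshold percent and stop only once occupancy
falls to Alert-Stop Threshold percent (hysteresis). Defaults follow Table 35.
"""
from dataclasses import dataclass, field


@dataclass
class SessionTableConfig:
    capacity: int                    # constructed; real capacity is model-dependent
    idle_aging: dict = field(default_factory=lambda: {
        "tcp": 100, "udp": 100, "sctp": 100, "icmp": 100, "gre": 100, "other": 100})
    handshake_timeout: int = 10      # 0 means "use the TCP Session Aging Time"
    session_end_timeout: int = 5     # Remove Session Entry at Session End Timeout
    full_action: str = "allow"       # "allow" or "block" new traffic when full
    alert_start: int = 95            # percent of capacity
    alert_stop: int = 90             # percent of capacity


@dataclass
class Session:
    key: tuple
    last_seen: float
    established: bool = False        # simplification: set at first non-SYN TCP packet
    closing: bool = False            # FIN or RST seen


class SessionTable:
    def __init__(self, cfg: SessionTableConfig):
        self.cfg = cfg
        self.sessions = {}
        self.alerting = False

    def _timeout(self, s: Session) -> float:
        proto = s.key[0]
        if proto == "tcp" and not s.established:
            return self.cfg.handshake_timeout or self.cfg.idle_aging["tcp"]
        if s.closing:
            return self.cfg.session_end_timeout
        return self.cfg.idle_aging.get(proto, self.cfg.idle_aging["other"])

    def _update_alert(self) -> bool:
        pct = 100.0 * len(self.sessions) / self.cfg.capacity
        if not self.alerting and pct >= self.cfg.alert_start:
            self.alerting = True
        elif self.alerting and pct <= self.cfg.alert_stop:
            self.alerting = False
        return self.alerting

    def age(self, now: float) -> list:
        """Remove sessions whose timeout has elapsed; return their keys."""
        expired = [k for k, s in self.sessions.items()
                   if now - s.last_seen > self._timeout(s)]
        for k in expired:
            del self.sessions[k]
        self._update_alert()
        return expired

    def packet(self, key: tuple, now: float, flags=()) -> str:
        """Account for one packet; return 'forward', 'forward-untracked' or 'drop'."""
        s = self.sessions.get(key)
        if s is None:
            if len(self.sessions) >= self.cfg.capacity:
                return "drop" if self.cfg.full_action == "block" else "forward-untracked"
            s = Session(key, now)
            self.sessions[key] = s
        s.last_seen = now
        if key[0] == "tcp" and "syn" not in flags:
            s.established = True
        if "fin" in flags or "rst" in flags:
            s.closing = True
        self._update_alert()
        return "forward"
```

The hysteresis matters operationally: with a table of 100 entries, the alert raised at 95 entries
stays up at 93 and clears only at 90, so a table hovering around the threshold does not produce a
stream of start/stop alerts. The short handshake timeout is what keeps a flood of half-open
connections from occupying entries for the full 100-second idle time.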

Configuring Suspend Settings


DefensePro can suspend traffic from an IP address that was the source of an attack, for a defined
period of time.
Dynamic blocking duration is implemented by the Anti-Scanning and Server Cracking protections
based on the suspend settings that you configure. (Although connection-rate limits and intrusion
signatures can be set manually to suspend the source, they do not support dynamic duration.)
The dynamic blocking duration is usually set by the DefensePro Anti-Scanning and Server Cracking
protections:
• The initial suspend time period cannot be lower than the Minimal Aging Timeout.
• Each additional time the same source is suspended, the suspension length is doubled until it
  reaches the Maximal Aging Timeout.
• When the suspension length has reached the maximum length allowed, it remains constant for
  each additional suspension.

To configure Suspend-table settings

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Suspend
   Table Settings.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 36: Suspend Table Parameters

Minimal Aging Timeout
    The time, in seconds, for which the DefensePro suspends first-time offending source IP
    addresses.
    Default: 10
Maximal Aging Timeout
    The maximal time, in seconds, for which the DefensePro suspends a specific source. Each time
    the DefensePro suspends the same source, the suspension length doubles until it reaches the
    Maximal Aging Timeout.
    Default: 600
Maximum Entries with Same Source IP
    The number of times the DefensePro suspends the same source IP address before the DefensePro
    suspends all traffic from that source IP address, regardless of the specified Suspend Action.
    For example, if the value for this parameter is 4 and the specified Suspend Action is
    SrcIP-DstIP-SrcPort-DstPort, the DefensePro suspends all traffic from a source IP address that
    had an entry in the Suspend list more than four times, even if the destination IP address,
    source port, and destination ports were different for the previous updates to the Suspend
    table.
    This parameter is irrelevant when the specified Suspend Action is SrcIP.
    Values:
    • 0 – The device does not implement the feature.
    • 1–10
    Default: 0
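
The doubling rule and the Maximum Entries with Same Source IP escalation described above are shown
below as an added Python model written for this guide; it is not DefensePro code. The source and
destination addresses, ports and timestamps are constructed, and the defaults (10 s, 600 s) are the
ones in Table 36.

```python
"""Model of the Suspend table's dynamic blocking duration (added example,
not DefensePro code).

The n-th suspension of the same source lasts
min(Minimal Aging Timeout * 2**(n-1), Maximal Aging Timeout). With a Suspend
Action narrower than SrcIP, once the source has been listed more than Maximum
Entries with Same Source IP times, the next entry is widened to the source
address alone, so all its traffic is suspended. Addresses and timestamps used
with this model are constructed.
"""


def suspend_duration(n, min_timeout=10, max_timeout=600):
    """Duration in seconds of the n-th (1-based) suspension of one source."""
    if n < 1:
        raise ValueError("n is 1-based")
    return min(min_timeout * 2 ** (n - 1), max_timeout)


def suspension_schedule(times, min_timeout=10, max_timeout=600):
    """Durations of successive suspensions of one source: 10, 20, 40, ...
    capped at the Maximal Aging Timeout."""
    return [suspend_duration(i, min_timeout, max_timeout) for i in range(1, times + 1)]


class SuspendTable:
    def __init__(self, min_timeout=10, max_timeout=600,
                 max_entries_same_source=0,
                 action="SrcIP-DstIP-SrcPort-DstPort"):
        self.min_timeout = min_timeout
        self.max_timeout = max_timeout
        self.max_entries = max_entries_same_source   # 0 disables the escalation
        self.action = action
        self.count_by_source = {}                    # src_ip -> times suspended
        self.entries = {}                            # key tuple -> expiry time

    def _key(self, src_ip, dst_ip, src_port, dst_port, widen):
        # SrcIP action, or an escalated entry, keys on the source address alone.
        if self.action == "SrcIP" or widen:
            return (src_ip,)
        return (src_ip, dst_ip, src_port, dst_port)

    def suspend(self, src_ip, dst_ip, src_port, dst_port, now):
        """Record a new suspension; return (key, duration, expiry)."""
        n = self.count_by_source.get(src_ip, 0) + 1
        self.count_by_source[src_ip] = n
        duration = suspend_duration(n, self.min_timeout, self.max_timeout)
        widen = self.max_entries > 0 and n > self.max_entries
        key = self._key(src_ip, dst_ip, src_port, dst_port, widen)
        self.entries[key] = now + duration
        return key, duration, now + duration

    def is_suspended(self, src_ip, dst_ip, src_port, dst_port, now):
        """True if an unexpired entry matches this flow or its source alone."""
        for k in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[k]                      # purge expired entries
        return ((src_ip,) in self.entries or
                (src_ip, dst_ip, src_port, dst_port) in self.entries)
```

Running the schedule for eight repeat offences gives 10, 20, 40, 80, 160, 320, 600, 600 seconds,
which is the behaviour the three bullet points above describe; the widened key after the fifth
suspension is what stops a scanner from evading per-flow suspensions by rotating destination ports.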

Configuring the Device Event Scheduler


Some network policy rules remain inactive during certain hours of the day, or are activated only
during others. For example, a school library may want to block instant messaging during school
hours, but allow it after school hours, or an enterprise may assign high priority to mail traffic
between 08:00 and 10:00.
You can schedule the activation and deactivation of specific policy rules on the device by using
the Event Scheduler to create schedules, and then attaching them to a policy rule's configuration.
Schedules define a date and time for specific actions.

To configure the event scheduler

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Event
   Scheduler.
2. Do one of the following:
   • To add a schedule, click the Add button.
   • To edit an entry, double-click the row.
3. Configure the parameters; and then, click OK.

Table 37: Scheduled Event Parameters

Task Name
    The name of the schedule.
Frequency
    How often the event occurs.
    Values: daily, once, weekly
    Default: once
Time
    The time on the designated day, in the format hhmm. When multiple days are selected, the
    value is the same for all the configured days.
Date
    If the event frequency is once, configure the date on which the event occurs, in the
    DD/MM/YYYY format.
Days of Week
    If the selected event frequency is weekly, select the day or days on which the event occurs.
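
The following Python is an added example, not DefensePro code, that validates the field formats of
Table 37 (hhmm time, DD/MM/YYYY date, the three frequencies) and evaluates whether a schedule fires
at a given minute. The schedule names, the weekday set and the dates are constructed; the school
library case from the text is modelled as a pair of weekly schedules, one blocking and one allowing.

```python
"""Parser and evaluator for Event Scheduler entries (added example, not
DefensePro code). It validates the hhmm time and DD/MM/YYYY date formats from
Table 37 and decides whether a schedule fires at a given minute.
"""
import re
from datetime import datetime

FREQUENCIES = ("daily", "once", "weekly")
DAY_NAMES = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")
WEEKDAYS = DAY_NAMES[:5]


def parse_schedule(task_name, frequency, time_hhmm, event_date=None, days_of_week=()):
    """Validate the fields of one Scheduled Event and return them as a dict."""
    if frequency not in FREQUENCIES:
        raise ValueError(f"frequency must be one of {FREQUENCIES}")
    if not re.fullmatch(r"\d{4}", time_hhmm):
        raise ValueError("time must be hhmm")
    hour, minute = int(time_hhmm[:2]), int(time_hhmm[2:])
    if hour > 23 or minute > 59:
        raise ValueError("time out of range")
    sched = {"name": task_name, "frequency": frequency, "hour": hour, "minute": minute}
    if frequency == "once":
        if event_date is None:
            raise ValueError("once requires a DD/MM/YYYY date")
        sched["date"] = datetime.strptime(event_date, "%d/%m/%Y").date()
    elif frequency == "weekly":
        bad = [d for d in days_of_week if d not in DAY_NAMES]
        if bad or not days_of_week:
            raise ValueError(f"invalid days of week: {bad or 'none given'}")
        sched["days"] = tuple(days_of_week)
    return sched


def validation_error(*args, **kwargs):
    """Return the ValueError message for an invalid entry, or None if valid."""
    try:
        parse_schedule(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def is_due(sched, when):
    """True if the schedule fires in the minute containing `when`."""
    if (when.hour, when.minute) != (sched["hour"], sched["minute"]):
        return False
    if sched["frequency"] == "daily":
        return True
    if sched["frequency"] == "once":
        return when.date() == sched["date"]
    return DAY_NAMES[when.weekday()] in sched["days"]


def due_tasks(schedules, when):
    """Names of all schedules due at `when`, e.g. to apply to a policy rule."""
    return [s["name"] for s in schedules if is_due(s, when)]


# Constructed example from the text: block IM on school days at 08:00 and allow
# it again at 16:00, plus a one-off maintenance window.
LIBRARY = [
    parse_schedule("block-im", "weekly", "0800", days_of_week=WEEKDAYS),
    parse_schedule("allow-im", "weekly", "1600", days_of_week=WEEKDAYS),
    parse_schedule("maintenance", "once", "2230", event_date="15/09/2012"),
]
```

Note that the once frequency compares the whole date, so a schedule that has already fired is
simply never due again; a weekly schedule with an empty day set is rejected at parse time rather
than silently never firing.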

Configuring Tunneling Inspection


Carriers, service providers, and large organizations use various tunneling protocols to transmit data
from one location to another. This is done over the IP network so that network elements are
unaware of the data encapsulated in the tunnel.
Tunneling implies that traffic routing is based on source and destination IP addresses. When
tunneling is used, IPS devices and load balancers cannot locate the relevant information, because
their decisions are based on information located at a known offset inside the IP packet, and the
original IP packet is encapsulated in the tunnel.
To provide a carrier-grade IPS/DoS solution, DefensePro inspects traffic in tunnels, which allows
positioning DefensePro at peering points and carrier network access points.
You can install DefensePro in different environments, which might include encapsulated traffic using
different tunneling protocols. In general, wireline operators deploy MPLS and L2TP for their
tunneling, and mobile operators deploy GRE and GTP.
DefensePro can inspect traffic that uses various encapsulation protocols. In some cases, the
external header (tunnel data) is the data that DefensePro needs to inspect. In other cases,
DefensePro needs to inspect the internal data (the IP header and even the payload). You can
configure DefensePro to meet your specific inspection requirements.

Caution: Changing the configuration of this feature takes effect only after a device reset.

To configure tunneling inspection

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tunneling
   Inspection.
2. Configure the parameters; and then, click Submit to submit the changes.

Configuring SNMP
Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the
exchange of management information between APSolute Vision and network devices.
Radware devices can work with all versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3.
The default Radware user is configured in SNMPv1.

Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c traps that arrive at the
APSolute Vision are discarded.

Note: When you add a Radware device to APSolute Vision using SNMPv3, the user name and
authentication details must match one of the users configured on the device.

The following topics describe the procedures to configure SNMP on a selected device:
• Configuring SNMP Users, page 103
• Configuring SNMP Community Settings, page 104
• Configuring the SNMP Group Table, page 105
• Configuring SNMP Access Settings, page 106
• Configuring SNMP Notify Settings, page 107
• Configuring SNMP View Settings, page 108
• Configuring the SNMP Target Parameters Table, page 108
• Configuring SNMP Target Addresses, page 109

Configuring SNMP Users


With SNMPv3 user-based management, each user can have different permissions based on the user
name and authentication method. You define the users who can connect to the device, and store the
access parameters for each SNMP user.

Note: In the SNMP configuration, a user name is also known as a security name.

To configure SNMP users for a device connected with SNMPv3 with Authentication and Privacy

1. In the Configuration perspective Device Security tab navigation pane, select SNMP > SNMP
   User Table.
2. Do one of the following:
   • To add a user, click the Add button.
   • To edit an entry, double-click the row.
3. Configure SNMP user parameters and click OK.

Table 38: SNMP User Parameters

User Name
    The user name, also known as a security name. The name can be up to 18 characters.
Authentication Protocol
    The protocol used during the authentication process.
    Values:
    • None
    • MD5
    • SHA
    Default: None
Authentication Password
    If an authentication protocol is specified, enter an authentication password.
Privacy Protocol
    The algorithm used for encryption.
    Values:
    • None – The data is not encrypted.
    • DES – The device uses the Data Encryption Standard.
    Default: None
Privacy Password
    If a privacy protocol is specified, enter a user privacy password.

Configuring SNMP Community Settings


The SNMP Community Table is used only for SNMP versions 1 and 2 to associate community strings
to users. When a user is connected to a device with SNMPv1 or SNMPv2, the device checks the
community string sent in the SNMP packet. Based on a specific community string, the device maps
the community string to a predefined user, which belongs to a group with certain access rights.
Therefore, when working with SNMPv1 or SNMPv2, users, groups, and access must be defined.
Use the Community Table to associate community strings with user names and vice versa, and to
restrict the range of addresses from which SNMP requests are accepted and to which traps can be
sent.

Note: You cannot change the community string associated with the user name that you are
currently using.

To configure SNMP community settings

1. In the Configuration perspective Device Security tab navigation pane, select SNMP >
   Community.
2. Do one of the following:
   • To add an SNMP community entry, click the Add button.
   • To edit an entry, double-click the row.
3. Configure SNMP community parameters and click OK.

Table 39: SNMP Community Parameters

Index
    A descriptive name for this entry. This name cannot be modified after creation.
    Default: public
Community Name
    The community string.
    Default: public
Security Name
    The security name identifies the SNMP community used when the notification is generated.
    Default: public
Transport Tag
    Specifies a set of target addresses from which the device accepts SNMP requests and to which
    traps can be sent. The target addresses identified by this tag are defined in the SNMP Target
    Addresses table. At least one entry in the SNMP Target Addresses table must include the
    specified transport tag. If no tag is specified, addresses are not checked when an SNMP
    request is received or when a trap is sent.

Configuring the SNMP Group Table


SNMPv3 permissions are defined for groups of users. If, based on the connection method, there is a
need to grant different permissions to the same user, you can associate a user to more than one
group. You can create multiple entries with the same group name for different users and security
models.
Access rights are defined for groups of users in the SNMP Access table.

To configure SNMP group settings

1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Group
   Table.
2. Do one of the following:
   • To add a group entry, click the Add button.
   • To edit an entry, double-click the row.
3. Configure the parameters; and then, click OK.

Table 40: SNMP Group Parameters

Group Name
    The name of the SNMP group.
Security Model
    The SNMP version that represents the required security model. Security models are predefined
    sets of permissions that can be used by the groups. These sets are defined according to the
    SNMP versions. By selecting the SNMP version for this parameter, you determine the
    permissions set to be used.
    Values:
    • SNMPv1
    • SNMPv2c
    • User Based (SNMPv3)
    Default: SNMPv1
Security Name
    If the User Based security model is used, the security name identifies the user that is used
    when the notification is generated. For other security models, the security name identifies
    the SNMP community used when the notification is generated.

Configuring SNMP Access Settings


The SNMP Access table binds groups and security models with SNMP views, which define subsets of
MIB objects. You can define which MIB objects can be accessed for each group and security model.
MIB objects can be accessed for a read, write, or notify action based on the Read View Name, Write
View Name, and Notify View Name parameters.

To configure SNMP access settings

1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Access.
2. Do one of the following:
   • To add an access entry, click the Add button.
   • To edit an entry, double-click the row.
3. Configure SNMP access parameters and click OK.

Table 41: SNMP Access Parameters

Group Name
    The name of the group.
Security Model
    Security models are predefined sets of permissions that can be used by the groups. These
    sets are defined according to the SNMP versions. Select the SNMP version that represents the
    required Security Model to determine the permissions set to be used.
    Values:
    • SNMPv1
    • SNMPv2c
    • User Based – That is, SNMPv3
    Default: SNMPv1
Security Level
    The security level required for access.
    Values:
    • No Authentication – No authentication or privacy is required.
    • Authentication & No Privacy – Authentication is required, but privacy is not required.
    • Authentication & Privacy – Both authentication and privacy are required.
    Default: No Authentication
Read View Name
    The name of the View that specifies which objects in the MIB tree are readable by this group.
Write View Name
    The name of the View that specifies which objects in the MIB tree are writable by this group.
Notify View Name
    The name of the View that specifies which objects in the MIB tree can be accessed in
    notifications (traps) by this group.

Configuring SNMP Notify Settings


You can select management targets that receive notifications and the type of notification to be sent
to each selected management target. The Tag parameter identifies a set of target addresses. An
entry in the Target Address table that contains a tag specified in the Notify table receives
notifications.

To configure SNMP notification settings

1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Notify.
2. Do one of the following:
   • To add an SNMP notify entry, click the Add button.
   • To edit an entry, double-click the row.
3. Configure SNMP notify parameters and click OK.

Table 42: SNMP Notify Parameters

Name
    A descriptive name for this entry, for example, the type of notification.
Tag
    A string that defines the target addresses to which this notification is sent. All the target
    addresses that have this tag in their tag list are sent this notification.

Configuring SNMP View Settings


You can define subsets of the MIB tree for use in the Access Table. Different entries may have the
same name. The union of all entries with the same name defines the subset of the MIB tree and can
be referenced in the Access Table through its name.

To configure SNMP view settings

1. In the Configuration perspective Device Security tab navigation pane, select SNMP > View.
2. Do one of the following:
   • To add an SNMP view entry, click the Add button.
   • To edit an entry, double-click the row.
3. Configure SNMP view parameters and click OK.

Table 43: SNMP View Parameters

View Name
    The name of this entry.
Sub-Tree
    The Object ID of a subtree of the MIB.
Type
    Specifies whether the object defined in the entry is included in or excluded from the MIB
    view.
    Values: Included, Excluded
    Default: Included
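
Tables 38 through 43 describe the pieces of the SNMP view-based access model: a community string
(SNMPv1/v2c) or a user (SNMPv3) resolves to a security name, the Group table maps security name and
security model to a group, the Access table maps group, model and security level to read, write and
notify views, and the View table defines each view as included or excluded MIB subtrees. The Python
below is an added example, not DefensePro or APSolute Vision code, that ties these tables together
so that you can check what a given request may touch before exposing the device to a management
station. It assumes the standard VACM rules from RFC 3415, namely that the most specific (longest)
matching subtree entry of a view decides inclusion and that an Access entry applies to requests at
its security level or higher; the view names, OIDs, community string and user name are constructed,
and the level names noAuth/authNoPriv/authPriv correspond to No Authentication, Authentication & No
Privacy and Authentication & Privacy in the tables.

```python
"""Model of the SNMP view-based access tables (added example, not DefensePro code).

Community (v1/v2c) and User (v3) entries yield a security name; the Group
table maps (security name, security model) to a group; the Access table maps
(group, model, level) to read/write/notify views; the View table lists
included/excluded MIB subtrees per view name. Per RFC 3415, the longest
matching subtree decides membership and an Access entry applies to requests
at its level or a higher one. All names, OIDs and strings are constructed.
"""

LEVELS = {"noAuth": 0, "authNoPriv": 1, "authPriv": 2}


def oid(text):
    """'1.3.6.1.2.1.1' -> (1, 3, 6, 1, 2, 1, 1)."""
    return tuple(int(p) for p in text.strip(".").split("."))


class ViewTable:
    def __init__(self):
        self.entries = []                       # (view_name, subtree, included)

    def add(self, view_name, subtree, included=True):
        self.entries.append((view_name, oid(subtree), included))

    def allows(self, view_name, obj):
        """Longest-prefix match over the entries that share view_name."""
        best = None
        for name, sub, inc in self.entries:
            if name == view_name and obj[:len(sub)] == sub:
                if best is None or len(sub) > len(best[0]):
                    best = (sub, inc)
        return best is not None and best[1]


class Vacm:
    def __init__(self):
        self.views = ViewTable()
        self.communities = {}                   # community string -> security name
        self.users = set()                      # SNMPv3 security names
        self.groups = {}                        # (security name, model) -> group
        self.access = {}                        # (group, model, level) -> {op: view}

    def add_access(self, group, model, level, read=None, write=None, notify=None):
        self.access[(group, model, LEVELS[level])] = {
            "read": read, "write": write, "notify": notify}

    def _resolve_security_name(self, model, credential):
        if model in ("v1", "v2c"):
            return self.communities.get(credential)
        return credential if credential in self.users else None

    def permitted(self, model, credential, level, op, obj_text):
        """May a request with these credentials perform op ('read', 'write'
        or 'notify') on the object? Denied unless every table agrees."""
        sec_name = self._resolve_security_name(model, credential)
        if sec_name is None:
            return False
        group = self.groups.get((sec_name, model))
        if group is None:
            return False
        wanted = LEVELS[level]
        candidates = [(lvl, views) for (g, m, lvl), views in self.access.items()
                      if g == group and m == model and lvl <= wanted]
        if not candidates:
            return False
        view_name = max(candidates, key=lambda c: c[0])[1][op]
        if view_name is None:
            return False
        return self.views.allows(view_name, oid(obj_text))


def build_sample():
    """Constructed configuration: a read-only v1 community and a v3 admin."""
    v = Vacm()
    v.views.add("system-only", "1.3.6.1.2.1.1")                    # the system group
    v.views.add("all-but-vacm", "1.3.6.1")                         # whole internet subtree
    v.views.add("all-but-vacm", "1.3.6.1.6.3.16", included=False)  # SNMP-VIEW-BASED-ACM-MIB
    v.communities["public-ro"] = "ro-monitor"
    v.users.add("dp-admin")
    v.groups[("ro-monitor", "v1")] = "readers"
    v.groups[("dp-admin", "v3")] = "admins"
    v.add_access("readers", "v1", "noAuth", read="system-only")
    v.add_access("admins", "v3", "authPriv", read="all-but-vacm",
                 write="all-but-vacm", notify="all-but-vacm")
    return v
```

Two points from the sample are worth checking on a real device: the v3 administrator is denied when
it connects at a lower security level than its Access entry requires, and the excluded subtree
wins over the broader included one, so the access-control tables themselves stay unreadable through
the admin view. A community that has no Group entry for a given model (here, v2c) gets nothing.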

Configuring the SNMP Target Parameters Table


The Target Parameters table defines message-processing and security parameters that are used in
sending notifications to a particular management target. Entries in the Target Parameters table are
referenced in the Target Address table.

To configure SNMP target parameters

1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Target
   Parameters Table.
2. Do one of the following:
   • To add a target parameters entry, click the Add button.
   • To edit an entry, double-click the row.
3. Configure target parameter settings and click OK.

Table 44: SNMP Target Parameters

Name
    The name of the target parameters entry.
    Maximum characters: 32
Message Processing Model
    The SNMP version to use when generating SNMP notifications.
    Values: SNMPv1, SNMPv2c, SNMPv3
    Default: SNMPv1
    Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c traps that arrive at the
    APSolute Vision are discarded.
Security Model
    The SNMP version that represents the required Security Model. Security models are predefined
    sets of permissions that can be used by the groups. These sets are defined according to the
    SNMP versions. By selecting the SNMP version for this parameter, you determine the
    permissions set to be used.
    Values:
    • SNMPv1
    • SNMPv2c
    • User Based – That is, SNMPv3
    Default: SNMPv1
    Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c traps that arrive at the
    APSolute Vision are discarded.
Security Name
    If the User Based security model is used, the security name identifies the user that is used
    when the notification is generated. For other security models, the security name identifies
    the SNMP community used when the notification is generated.
Security Level
    Specifies whether the trap is authenticated and encrypted before it is sent.
    Values:
    • No Authentication – No authentication or privacy is required.
    • Authentication and No Privacy – Authentication is required, but privacy is not required.
    • Authentication and Privacy – Both authentication and privacy are required.
    Default: No Authentication

Configuring SNMP Target Addresses


In SNMPv3, the Target Addresses table contains the transport addresses to be used in the generation of traps. If the tag list of an entry contains a tag from the SNMP Notify Table, that target is selected to receive notifications. For SNMP versions 1 and 2, this table is used to restrict the range of addresses from which SNMP requests are accepted and to which SNMP traps may be sent. If the Transport Tag of an entry in the community table is not empty, it must be included in one or more entries in the Target Address Table.


To configure SNMP target addresses

1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Target Address.
2. Do one of the following:
   To add a target address, click the (Add) button.
   To edit an entry, double-click the row.
3. Configure target address parameters and click OK.

Table 45: SNMP Target Address Parameters

Name: The name of the target address entry.
IP Address and L4 Port [IP-port number]: The IP address of the management station (APSolute Vision server) and TCP port to be used as the target of SNMP traps. The format of the values is <IP address>-<TCP port>, where <TCP port> must be 162. For example, if the value for IP Address and L4 Port is 1.2.3.4-162, 1.2.3.4 is the IP address of the APSolute Vision server and 162 is the port number for SNMP traps.
  Note: APSolute Vision listens for traps only on port 162.
Mask: A subnet mask of the management station.
Tag List: Specifies sets of target addresses. Tags are separated by spaces. The tags contained in the list may be either tags from the Notify table or Transport tags from the Community table. Each tag can appear in more than one tag list. When a significant event occurs on the network device, the tag list identifies the targets to which a notification is sent.
  Default: v3Traps
Target Parameters Name: The set of target parameters to be used when sending SNMP Traps. Target parameters are defined in the Target Parameters table.

Configuring Device Users


For each DefensePro device, you can configure a list of users who are authorized to access that
device through any enabled access method (Web, Telnet, SSH, SWBM). When configuration tracing
is enabled, users can receive e-mail notifications of changes made to the device.


To configure device users for a selected device

1. In the Configuration perspective Device Security tab navigation pane, select Users Table.
2. Do one of the following:
   To add a user, click the (Add) button.
   To edit an entry, double-click the row.
3. Configure the parameters; and then, click OK.

Table 46: Device User Parameters

Device Users Table
User Name: The name of the user.
Password: The password of the user. Then, repeat to verify.
Email Address: The e-mail address of the user to which notifications will be sent.
Minimal Severity for Sending Traps: The minimum severity level of traps sent to this user.
  Values:
    None: The user receives no traps.
    Info: The user receives traps with severity Info or higher.
    Warning: The user receives Warning, Error, and Fatal traps.
    Error: The user receives Error and Fatal traps.
    Fatal: The user receives Fatal traps only.
  Default: None
Enable Configuration Tracing: When selected, the specified user receives notifications of configuration changes made in the device. Every time the value of a configurable variable changes, information about all the variables in the same MIB entry is reported to the specified users. The device gathers reports and sends them in a single notification message when the buffer is full or when the timeout of 60 seconds expires.
  The notification message contains the following details:
    Name of the MIB variable that was changed.
    New value of the variable.
    Time of configuration change.
    Configuration tool that was used (APSolute Vision, Telnet, SSH, WBM).
    User name, when applicable.
Access Level: The user's level of access to the WBM and CLI.
  Default: Read-Write


Advanced Parameters
Authentication Mode: The method of authenticating a user's access to the device.
  Values:
    Local User Table: The device uses the User Table to authenticate access.
    Radius: The device uses the RADIUS servers to authenticate access.
    Radius and Local User Table: The device uses the RADIUS servers to authenticate access. If the request to the RADIUS server times out, the device uses the User Table to authenticate access.
  Default: Local User Table
Exclude SNMP Engine ID and User Information from Exported Configuration Files: Specifies whether to exclude the SNMP engine ID and user information from exported configuration files.
  Default: Disabled

Configuring Access Permissions on Physical Ports


Access to devices can be limited to specified physical interfaces. Interfaces connected to insecure
network segments can be configured to discard some or all management traffic directed at the
device itself. Administrators can allow certain types of management traffic to a device (for example,
SSH), while denying others such as SNMP. If an intruder attempts to access the device through a
disabled port, the device denies access, and generates syslog and CLI traps as notification.

To configure access permissions for a selected device

1. In the Configuration perspective Device Security tab navigation pane, select Advanced.
2. To edit permissions for a port, double-click the relevant row.
3. Select or clear the checkboxes to allow or deny access; and then, click OK.

Table 47: Port Permission Parameters

Port: (Read-only) The name of the physical port.
SNMP Access: When selected, allows access to the port using SNMP.
Telnet Access: When selected, allows access to the port using Telnet.
SSH Access: When selected, allows access to the port using SSH.
Web Access: When selected, allows access to the port using WBM.
SSL Access: When selected, allows access to the port using SSL.


Configuring Port Pinging


You can define which physical interfaces can be pinged. When a ping is sent to an interface for which
ping is not allowed, the packet is discarded. By default, all the interfaces of the device allow pings.

To define the ports to be pinged

1. In the Configuration perspective Device Security tab navigation pane, select Advanced > Ping
Ports.
2. To edit port ping settings, double-click the relevant row.
3. Select or clear the checkbox to allow or not allow pinging, then click OK.

Chapter 4 Device Network Configuration
You can perform the following networking configuration tasks for managed devices:
Configuring Device IP Interfaces, page 115
Managing IP Routing, page 116
Configuring Ports, page 119
Configuring the Basic Network Parameters, page 124
Configuring Port Pairs, page 127

Configuring Device IP Interfaces


DefensePro performs routing between all IP interfaces defined on its Layer 2 interfaces (ports,
trunks, and VLANs). DefensePro also performs routing based on other network layers, such as
Layer 4 and Layer 7.

To configure IP interfaces

1. In the Configuration perspective Networking tab navigation pane, select IP Management.
2. Do one of the following:
   To add an IP interface, click the (Add) button.
   To edit an IP interface, double-click the row.
3. Configure the parameters; and then, click OK.

Table 48: IP Interface Parameters

IP Address: IP address of the interface.
Mask: The associated subnet mask.
Port: The interface identifier, for example, G-1.
Forward Broadcast: Specifies whether the device forwards incoming broadcasts to this interface.
  Default: Enabled
Broadcast Address: Specifies whether to fill the host ID in the broadcast address with ones or zeros.
  Values:
    Fill 1: Fill the host ID in the broadcast address with ones.
    Fill 0: Fill the host ID in the broadcast address with zeros.
  Default: Fill 1


VLAN Tag: The VLAN tag to be associated with this IP Interface. When multiple VLANs are associated with the same switch port, the switch must identify to which VLAN to direct incoming traffic from that specific port. VLAN tagging provides an indication in the Layer 2 header that enables the switch to make the correct decision.
Peer Address: The IP address of the interface on the peer device, which is required in a redundant configuration, that is, a cluster for high availability.
  Default: 0.0.0.0

Managing IP Routing
DefensePro devices forward IP packets to their destination using an IP routing table. This table
stores information about the destinations and how they can be reached. By default, all networks
directly attached to the device are registered in the IP routing table. Other entries can either be
statically configured or dynamically created through the routing protocol.

Configuring IP Routing
IP routing is performed between DefensePro IP interfaces, while bridging is performed within an IP
interface that contains an IP address associated with a VLAN.

To configure IP routing

1. In the Configuration perspective Networking tab navigation pane, select IP Management > IP
Routing.
2. Do one of the following:

To add a static route, click the (Add) button.


To edit a static route, double-click the row.
3. Configure the static route settings and click OK.
4. Configure global advanced parameters, if required.

Notes
>> When editing a static route, you can modify only the Via Interface and Metric fields.
>> The Type field is displayed only in the Static Routes Table, not in the dialog box. It
cannot be configured.


Enable Proxy ARP: When enabled, a network host answers ARP queries for the network address that is not configured on the receiving interface. Proxying ARP requests on behalf of another host effectively directs all LAN traffic destined for that host to the proxying host. The captured traffic is then routed to the destination host via another interface.
  Default: Enabled
Enable Sending Trap on ICMP Error: The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite and is used by networked computers' operating systems to send error messages, indicating, for example, that a requested service is not available, or that a host or router could not be reached.
  Default: Enabled
  Note: When this option is enabled, a trap is sent when there is an ICMP error message.

Configuring ICMP
Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite and is used by networked computers' operating systems to send error messages, indicating, for instance, that a requested service is not available or that a host or router could not be reached.

To modify ICMP interface parameters

1. In the Configuration perspective Networking tab navigation pane, select IP Management > IP
Routing > ICMP.
2. Double-click the relevant row.
3. Configure the parameters; and then, click OK.

Table 49: ICMP Interface Settings

IP Address: IP address of the interface.
Destination Address: IP destination address for multicast Router Advertisements sent from the interface.
  Values:
    224.0.0.1: The All Hosts multicast group that contains all systems on the same network segment
    255.255.255.255: The limited-broadcast address
Advertise Interval
Minimum: The minimum time, in seconds, between sending unsolicited multicast Router Advertisements from the interface.
  Values: 3 to the maximum specified interval
  Default: 75% of the maximum specified interval


Maximum: The maximum time, in seconds, between multicast Router Advertisements from the interface.
  Values: minimum specified interval to 1800
Lifetime: The maximum time, in seconds, that the advertised addresses are considered valid.
  Values: maximum specified interval to 9000
  Default: Three times (3x) the maximum interval
Advertise this Interface: Enables you to advertise the device IP using ICMP Router Advertise.
Preference Level: The preference level of the address as the default router address, relative to other router addresses on the same subnet.
Reset all Parameters to Default: Resets ICMP interface parameters to default values.

Configuring the ARP Table


When Proxy ARP is enabled, a network host answers ARP queries for the network address that is not
configured on the receiving interface. Proxying ARP requests on behalf of another host effectively
directs all LAN traffic destined for that host to the proxying host. The captured traffic is then routed
to the destination host via another interface.
You can configure and manage the static ARP entries on the local router.

To configure the ARP table

1. In the Configuration perspective Networking tab navigation pane, select IP Management > ARP Table.
2. Do one of the following:
   To add a new entry, click the (Add) button.
   To edit an entry, double-click the row.
3. Configure the ARP parameters and click OK.
4. Modify advanced parameters, if required; and then click (Submit) to submit the changes.

Table 50: ARP Parameters

Port: The interface number where the station resides.
IP Address: The station's IP address.


MAC Address: The station's MAC address.
Type: Entry type.
  Values:
    Other: Not Dynamic or Static.
    Invalid: Invalidates the ARP entry and effectively deletes it.
    Dynamic: Entry is learned from the ARP protocol. If the entry is not active for a predetermined time, the node is deleted from the table.
    Static: Entry has been configured by the network management station and is permanent.

Table 51: Advanced Parameters

Inactive ARP Timeout: The time, in seconds, that inactive ARP cache entries can remain in the ARP table before the device deletes them. If an ARP cache entry is not refreshed within a specified period, it is assumed that there is a problem with that address.
  Values: 1-9999999
  Default: 60000

Configuring Ports
You can change the physical attributes of each port on the DefensePro device, for example, speed and duplex mode.
You can also configure port trunking to combine physical network links into a single logical link for increased bandwidth.

To configure ports

1. In the Configuration perspective Networking tab navigation pane, select Port Configuration.
2. To change a port's configuration, double-click the row.
3. Configure the port settings and click OK.

Table 52: Port Configuration Parameters

Port: The index number of the port.
Speed: The traffic speed of the port.
  Values: Ethernet, Fast Ethernet, Giga Ethernet, XG Ethernet
  Note: According to standards, this parameter can be changed only for copper ports. After this parameter is changed, auto-negotiation is disabled.


Duplex Mode: Specifies whether the port allows both inbound and outbound traffic (Full Duplex) or one way only (Half Duplex).
  Note: According to standards, this parameter can be changed only for copper ports with a speed lower than Gigabit Ethernet. After this parameter is changed, auto-negotiation is disabled.
Auto Negotiation: Specifies whether the port automatically detects and configures the speed and duplex mode for the interface.

Configuring Link Aggregation


Use link aggregation, also called port trunking, to combine physical network links into a single
logical link for increased bandwidth.

Notes
>> The same algorithm must be applied on the other switch in the trunk.
>> OnDemand Switch 1 and VL implement link aggregation in software and not at the switch level (these platforms do not include a Layer 2 switch hardware component). Therefore, on these platforms, you cannot define trunks as port mirroring participants.

About Link Aggregation


Link aggregation, or port trunking, is a method of combining physical network links into a single
logical link for increased bandwidth. With link aggregation you can increase the capacity and
availability of the communications channel between devices (both switches and end stations) using
existing Fast Ethernet and Gigabit Ethernet technology. This is performed by using a set of multiple
parallel physical links between two devices grouped together to form a single logical link.
Link aggregation also provides load balancing where the processing and communications activity is
distributed across several links in a trunk, ensuring that no single link is overwhelmed. By taking
multiple LAN connections and treating them as a unified, aggregated link, you can achieve higher
link availability and increased link capacity.
Port trunking is supported according to the IEEE 802.3ad standard for link aggregation as follows:
Link aggregation is supported only on links using the IEEE 802.3 MAC.
Link aggregation is supported only on point-to-point links.
Link aggregation is supported only on links operating in Full Duplex mode.
Link aggregation is permitted only among links with the same speed and direction. On the
device bandwidth, increments are provided in units of 100Mbps and 1Gbps respectively.
The failure or replacement of a single link within a Link Aggregation Group will not cause failure
from the perspective of a MAC client.

MAC client traffic can be distributed across multiple links. To guarantee the correct ordering of
frames at the receiving-end station, all frames belonging to one conversation must be transmitted
through the same physical link. The algorithm for assigning frames to a conversation depends on the
application environment. Radware devices can define conversations on Layer 2, 3, or 4 information,
or on combined layers.


Using link aggregation, depending on the platform, you can define up to seven trunks. Up to eight
physical links can be aggregated into one trunk. In DefensePro, all trunk configurations are static. To
provide optimal distribution for different scenarios, the load sharing algorithm allows decisions
based on source or destination (or both) Layer 2 address (MAC), Layer 3 address (IP), and Layer 4
address (TCP/UDP port numbers). These parameters are used as input for a hashing function.
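The conversation-to-link mapping described above, as an added illustrative example and not Radware's code: a load-sharing policy picks which Layer 2/3/4 fields define a conversation, the fields are hashed, and the hash selects one of the trunk's active links, so all frames of a conversation leave on the same link and a failed link only re-hashes onto the remaining ones. The policy field names, the SHA-256 hash and the port names G-1 to G-4 are assumptions; DefensePro's actual hashing function is not documented on this page.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Frame:
    """Header fields a load-sharing decision may use (constructed sample data)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# Load-sharing policy: the header fields (Layer 2 MAC, Layer 3 IP, Layer 4 port;
# source and/or destination) that define a "conversation". Names are assumptions.
FIELDS = {
    "l2_src": lambda f: f.src_mac.lower(),
    "l2_dst": lambda f: f.dst_mac.lower(),
    "l3_src": lambda f: f.src_ip,
    "l3_dst": lambda f: f.dst_ip,
    "l4_src": lambda f: str(f.src_port),
    "l4_dst": lambda f: str(f.dst_port),
}


def conversation_key(frame: Frame, policy: frozenset) -> bytes:
    """Concatenate the policy-selected fields in a fixed order. Frames with equal
    keys belong to one conversation and must leave on the same physical link."""
    unknown = set(policy) - set(FIELDS)
    if unknown:
        raise ValueError(f"unknown policy fields: {sorted(unknown)}")
    return "|".join(FIELDS[name](frame) for name in sorted(policy)).encode()


def select_link(frame: Frame, policy: frozenset, active_links: List[str]) -> str:
    """Hash the conversation key onto one of the trunk's currently active links.
    The hash is deterministic, so the same conversation always maps to the same
    link as long as the set of active links is unchanged."""
    if not active_links:
        raise RuntimeError("trunk has no active links")
    digest = hashlib.sha256(conversation_key(frame, policy)).digest()
    return active_links[int.from_bytes(digest[:4], "big") % len(active_links)]


def distribute(frames: Iterable[Frame], policy: frozenset,
               active_links: List[str]) -> Dict[bytes, str]:
    """Assign every frame to a link and return {conversation_key: link}. Raises if a
    conversation were ever split across links (it cannot be: same key, same hash)."""
    assignment: Dict[bytes, str] = {}
    for frame in frames:
        key = conversation_key(frame, policy)
        link = select_link(frame, policy, active_links)
        if assignment.setdefault(key, link) != link:
            raise AssertionError("conversation split across links")
    return assignment


if __name__ == "__main__":
    # Constructed demo: a four-link trunk with a Layer 3 + Layer 4 policy, then one link fails.
    trunk = ["G-1", "G-2", "G-3", "G-4"]
    policy = frozenset({"l3_src", "l3_dst", "l4_src", "l4_dst"})
    flows = [Frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "10.0.0.5", "10.0.1.9", 40000 + i, 443)
             for i in range(8)]
    before = distribute(flows, policy, trunk)
    failed = before[conversation_key(flows[0], policy)]
    after = distribute(flows, policy, [l for l in trunk if l != failed])
    print("link", failed, "failed; conversations re-hashed onto", sorted(set(after.values())))
```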

Notes
>> Only connected ports (Link Up) operating in Full Duplex mode can be attached to a
trunk.
>> You can define a management trunk (T-MNG) that includes only the management ports
(MNG-1 and MNG-2). The management ports cannot be a part of any other trunk. Using
the management trunk provides redundancy at the physical level for connectivity to the
management network. One link is active while the other is in backup mode. Failure of
the active link seamlessly activates the backup.
>> A port belonging to a trunk cannot be copied to another port (copy port).
>> Management ports that have preconfigured IP addresses cannot be assigned to a trunk.
Before attaching a physical port to a trunk, make sure that the port is not used in any
configuration (port mirroring, static forwarding).
>> When a trunk is part of a protected segment definition, Port Operation in the Port Pairs
table must be set to Process mode for both directions of this segment.
>> A trunk cannot be assigned with an IP address for management.
>> Ports with internal bypass cannot be assigned into a trunk.
>> It is not possible to set a port within a trunk as the Source or Destination of SSL
inspection.

Configuring Link Aggregation in DefensePro

To configure link aggregation

1. In the Configuration perspective Networking tab navigation pane, select Port Configuration >
Link Aggregation.
You can view the MAC address of each trunk and the ports bound to it in the Link Aggregation
Ports table.
2. To change a port assignment, double-click the corresponding row.
3. Configure the port assignment; and then, click OK. When a port is added into a trunk, it receives
the trunk operation status. When a port is removed from a trunk, it maintains its operational
status. When a trunk operational status is set to down, a port removed from the trunk keeps its
down status.

Table 53: Link Aggregation Port Parameters

Port: (Read-only) The physical port index.
Port MAC Address: (Read-only) The MAC address assigned to the port.


Trunk Name: The trunk to which the port is attached. The values depend on the platform.
  Values:
    0: Specifies unattached.
    T1 to T7: The range of values depends on the platform. That is, the number of trunks that you can configure depends on the device platform.
    T-MNG
  Default: 0
Port Status: (Read-only)
  Values:
    Individual: The port is not attached to any trunk.
    Aggregate: The port is attached to a trunk.

Configuring Port Mirroring


Port Mirroring enables the device to duplicate traffic from one physical port on the device to another
physical port on the device. This is useful when an intrusion detection system (IDS) device is
connected to one of the ports on the device. You can choose to mirror either received and
transmitted traffic, received traffic only, or transmitted traffic only. You can also decide whether to
duplicate the received broadcast packets.

Notes
>> Port mirroring is not supported on devices that run on the OnDemand Switch VL
platform, for example DefensePro x06 models.
>> Port mirroring requires that the input port be configured to Static-Forwarding Process
mode. When the input port is configured to Static-Forwarding Forward mode, traffic is
not mirrored.
>> In Static Forwarding mode, traffic with the same destination MAC address as the device
is not mirrored (rare).
To avoid high-bandwidth DoS and DDoS attacks, you can mirror the traffic (that arrives at the DefensePro device) to a dedicated sniffer port. This allows collecting packet data during an attack and sending the data to Radware's Security Operation Center (SOC) to develop an attack signature.
DefensePro also supports traffic-rate port mirroring, which the device performs when it is under attack. Traffic-rate port mirroring is based on a specified traffic threshold. When the threshold value is reached, the DefensePro device starts copying traffic from the interface to its mirroring output port. The process continues for the specified time, and then the copying process stops. For example, if you have a single network segment connected between interfaces 1 and 2, whenever traffic reaches the configured threshold, the DefensePro device copies the traffic arriving on interface #1 to interface #3.


To configure port mirroring

1. In the Configuration perspective Networking tab navigation pane, select Port Configuration > Port Mirroring.
2. Do one of the following:
   To add a pair of ports to mirror traffic, click the (Add) button.
   To edit an entry, double-click the row.
3. Configure the port mirroring settings; and then, click OK.
4. To configure advanced parameters for port mirroring, in the navigation pane, select Port Mirroring > Advanced Parameters.
5. Configure the advanced parameters; and then, click (Submit) to submit the changes.

Table 54: Port Mirroring Parameters

Input Interface: The traffic port.
Output Port: The port for the mirrored traffic.
Traffic to Mirror: The direction of the traffic that the device mirrors.
  Values: Transmit and Receive, Receive Only, Transmit Only
Enable Promiscuous Mode:
  Values:
    Enabled: The device copies all traffic to the specified output port.
    Disabled: The device copies only the traffic destined to the input.
  Default: Enabled
Backup Port: The backup port for the mirrored traffic.
Mode: The mode of port mirroring.
  Values: Enabled, Traffic Rate
Threshold: The number of threshold units (PPS/Kbps) that can pass through the specified input port (Input Interface) before the mirroring process starts.

Note: The Threshold Units parameter and the Threshold Interval parameter are defined globally for each device and not for each pair of ports.


Table 55: Port Mirroring Advanced Parameters

Traffic Threshold Units: The units in which the threshold is measured.
  Values:
    PPS: Packets per second
    Kbps: Kilobits per second
Threshold Interval: How long, in seconds, mirroring continues after the traffic rate falls below the specified threshold.
  Default: 30
Reset Traffic Rate: Click to set the device to record the traffic that exceeds the predefined limit within a new Threshold Interval.
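The traffic-rate mirroring behaviour described in Configuring Port Mirroring and parameterised in Tables 54 and 55 (mirroring starts when the input-port rate reaches the Threshold and stops once the rate has stayed below it for the Threshold Interval), modelled as an added example that is not DefensePro's own code. The per-second rate samples, the port names G-1 and G-3 and the PPS values are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TrafficRateMirror:
    """State machine for one input/output pair in Traffic Rate mirroring mode.

    threshold is expressed in the device-wide Traffic Threshold Units (PPS or Kbps);
    threshold_interval is the device-wide Threshold Interval in seconds (default 30),
    the time mirroring keeps running after the rate falls below the threshold.
    """
    input_port: str
    output_port: str
    threshold: int
    threshold_interval: int = 30
    mirroring: bool = False
    below_since: Optional[int] = None  # second at which the rate last dropped below threshold

    def observe(self, now: int, rate: int) -> bool:
        """Feed the rate measured on input_port during second `now`; return whether
        that second's traffic is copied to output_port."""
        if rate >= self.threshold:
            # Threshold reached: start (or keep) copying and forget any cool-down.
            self.mirroring = True
            self.below_since = None
        elif self.mirroring:
            if self.below_since is None:
                self.below_since = now          # cool-down starts now
            elif now - self.below_since >= self.threshold_interval:
                self.mirroring = False          # interval elapsed below threshold: stop
                self.below_since = None
        return self.mirroring

    def reset_traffic_rate(self) -> None:
        """Counterpart of the Reset Traffic Rate action: discard the current state so the
        device records traffic exceeding the threshold within a new Threshold Interval."""
        self.mirroring = False
        self.below_since = None


def simulate(threshold: int, interval: int, samples: List[Tuple[int, int]]) -> List[int]:
    """Run (second, rate) samples through the state machine for a G-1 -> G-3 pair and
    return the seconds during which mirroring was active."""
    mirror = TrafficRateMirror("G-1", "G-3", threshold, interval)
    return [second for second, rate in samples if mirror.observe(second, rate)]


# Constructed sample: 60 seconds of ~2,000 PPS with a 50,000 PPS flood from t=5 to t=10.
SAMPLE_RATES_PPS = [(t, 50_000 if 5 <= t <= 10 else 2_000) for t in range(60)]

if __name__ == "__main__":
    active = simulate(10_000, 30, SAMPLE_RATES_PPS)
    print(f"mirroring active from t={active[0]} to t={active[-1]} ({len(active)} s)")
```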

Configuring the Basic Network Parameters


Use the Basic pane to do the following:
Specify the IP Version Mode (IPv4 or IPv6)
Specify whether jumbo frames bypass the device or are discarded (available only on platforms with the DoS Mitigation Engine (DME))
Specify whether to inspect jumbo frames or discard them
Configure the IP Fragmentation parameters
Specify whether the device passes through all traffic that matches no network policy configured on the device

IPv4 and IPv6 Support


DefensePro supports IPv6 and IPv4 protocols and provides a fully functional IPS and DoS prevention
solution for IPv6/IPv4 packets. Management works only in IPv4.

Caution: Changing the configuration of this feature takes effect only after a device reset.

DefensePro supports processing of IPv6 packets and ICMPv6 packets, including the following:
Setting networks with IPv6 addresses
Applying security policies
Blocking attacks
Security reporting

IP Fragmentation
When the length of the IP packet is too long to be transmitted, the originator of the packet, or one of
the routers transmitting the packet, must fragment the packet to multiple shorter packets.


Using IP fragmentation, the DefensePro device can classify the Layer 4 information of IP fragments. The device identifies all the fragments that belong to the same datagram, then classifies and forwards them accordingly. The device does not reassemble the original IP packet, but forwards the fragmented datagrams to their destination, even if the datagrams arrive at the device out of order.
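The classification described above, as an added example that is not Radware's implementation: only the first fragment (offset 0) carries the TCP/UDP ports, so its five-tuple is recorded under the datagram key and applied to the other fragments, which are forwarded without reassembly; fragments that arrive before the first one are queued and released when it shows up, or dropped once the Aging Time (Table 56) passes. The fragment model, the count-based queue limit (a simplification of the percentage-based Queuing Limit) and the sample UDP datagram are assumptions.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    """One IP fragment (constructed model; only the fields the classifier needs)."""
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    ident: int      # IP Identification, shared by all fragments of one datagram
    offset: int     # fragment offset in bytes; 0 = first fragment, carries the L4 header
    more: bool      # More Fragments flag
    payload: bytes


FiveTuple = Tuple[str, str, int, int, int]  # (src, dst, proto, sport, dport)


@dataclass
class _Datagram:
    five_tuple: Optional[FiveTuple] = None
    pending: List[Fragment] = field(default_factory=list)  # arrived before the first fragment
    last_seen: float = 0.0


class FragmentClassifier:
    """Classifies fragments by Layer 4 information without reassembling the datagram.

    queue_limit bounds how many out-of-sequence fragments may wait for their first
    fragment (a count here, where DefensePro's Queuing Limit is a percentage);
    aging_time is how long, in seconds, queued fragments are kept (Table 56 default: 1).
    """

    def __init__(self, queue_limit: int = 64, aging_time: float = 1.0) -> None:
        self.queue_limit = queue_limit
        self.aging_time = aging_time
        self.table: Dict[tuple, _Datagram] = {}
        self.queued = 0   # fragments currently waiting in all queues
        self.dropped = 0  # fragments discarded (queue full or aged out)

    @staticmethod
    def _l4_tuple(frag: Fragment) -> FiveTuple:
        # TCP and UDP headers both begin with 16-bit source and destination ports.
        if len(frag.payload) < 4:
            raise ValueError("first fragment too short to carry a Layer 4 header")
        sport, dport = struct.unpack("!HH", frag.payload[:4])
        return (frag.src, frag.dst, frag.proto, sport, dport)

    def process(self, frag: Fragment, now: float) -> List[Tuple[Fragment, FiveTuple]]:
        """Return the fragments that can be forwarded now, each with its five-tuple,
        in release order. Unfragmented packets pass straight through."""
        if frag.offset == 0 and not frag.more:
            return [(frag, self._l4_tuple(frag))]
        key = (frag.src, frag.dst, frag.proto, frag.ident)
        state = self.table.setdefault(key, _Datagram())
        state.last_seen = now
        if frag.offset == 0:
            # First fragment: learn the ports, forward it and release anything queued.
            state.five_tuple = self._l4_tuple(frag)
            ready = [(frag, state.five_tuple)]
            ready += [(q, state.five_tuple) for q in state.pending]
            self.queued -= len(state.pending)
            state.pending.clear()
            return ready
        if state.five_tuple is not None:
            return [(frag, state.five_tuple)]   # in-order: classify with the learned tuple
        if self.queued >= self.queue_limit:
            self.dropped += 1                    # queue exhausted: fragment is discarded
            return []
        state.pending.append(frag)               # out-of-order: wait for the first fragment
        self.queued += 1
        return []

    def expire(self, now: float) -> int:
        """Drop datagram state idle for aging_time or longer; return how many queued
        fragments were discarded with it."""
        stale = [k for k, s in self.table.items() if now - s.last_seen >= self.aging_time]
        dropped = 0
        for key in stale:
            pending = len(self.table.pop(key).pending)
            dropped += pending
            self.queued -= pending
        self.dropped += dropped
        return dropped


def sample_fragments() -> List[Fragment]:
    """Constructed UDP datagram 10.0.0.5:40000 -> 10.0.1.9:53 in three fragments,
    returned in the out-of-order arrival sequence second, first, last."""
    first = Fragment("10.0.0.5", "10.0.1.9", 17, 0x1234, 0, True,
                     struct.pack("!HH", 40000, 53) + b"\x00" * 1476)
    second = Fragment("10.0.0.5", "10.0.1.9", 17, 0x1234, 1480, True, b"\x00" * 1480)
    last = Fragment("10.0.0.5", "10.0.1.9", 17, 0x1234, 2960, False, b"\x00" * 100)
    return [second, first, last]
```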

Configuring the Basic Networking Parameters

To configure the Basic Networking parameters

1. In the Configuration perspective Networking tab navigation pane, select Basic.

2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 56: Basic Networking Parameters

Basic Parameters
IP Version Mode: The IP version that the device supports.
  Values:
    IPv4: The device processes IPv4 packets only.
    IPv4 and IPv6: The device processes IPv6 and IPv4 packets.
  Note: If the IPv4 option is selected and IPv6 network classes are configured, all IPv6 policies (rules) are automatically disabled. Policies applied on both IPv4 and IPv6 traffic continue to process IPv4 traffic only. The IPv6 information remains visible.
Jumbo Frames
Inspect Jumbo Frames: Specifies whether the device inspects jumbo frames or discards them. (On platforms with the DoS Mitigation Engine, the Inspect Jumbo Frames checkbox is available only when the Bypass Jumbo Frames checkbox is cleared.)
  Values:
    Enabled: The device inspects frames up to 9216 bytes.
    Disabled: The device discards frames that are larger than 1550 bytes.
  Default: Disabled
  Notes:
  >> Changing the configuration of this option takes effect only after a device reset.
  >> When this option is enabled, all DefensePro monitoring and protection modules support monitoring, inspection, detection, and mitigation of traffic and attacks on packets up to 9216 bytes. For example, when this option is enabled, TCP Authentication using Transparent Proxy supports an additional maximum segment size (MSS) value to improve performance of the protected networks.


Bypass Jumbo Frames: Specifies whether jumbo frames bypass the device. (This parameter is displayed only on platforms with the DoS Mitigation Engine (DME) and only when the Inspect Jumbo Frames checkbox is cleared.)
  Values:
    Enabled: Frames of 1550-9216 bytes bypass the device without any inspection or monitoring.
    Disabled: The device discards frames that are larger than 1550 bytes.
  Default: Disabled
  Notes:
  >> Changing the configuration of the option takes effect only after a device reset.
  >> When the option is enabled on an x412 platform, there may be some negative effect on the following features: Packet Anomalies, Black and White Lists, and BDoS real-time signatures.
  >> When the option is enabled, there is no sampling for Black List rules.
  >> When the option is enabled on an x06 or x016 platform, there may be some negative effect on Black and White lists.
  >> When the option is enabled, TCP SYN Protection may not behave as expected because the third packet in the TCP three-way handshake can include data and be in itself a jumbo frame.
  >> When the option is enabled, some protections that rely on the DefensePro session table might produce false negatives and drop traffic when all the session traffic bypasses the device in both directions for a period longer than the Session Aging Time.
IP Fragmentation
Enable IP Fragmentation: Specifies whether IP fragmentation is enabled.
  Default: Enabled
Queuing Limit: The percentage of IP packets the device allocates for out-of-sequence fragmented IP datagrams.
  Values: 0-100
  Default: 25
Aging Time: The time, in seconds, that the device keeps the fragmented datagrams in the queue.
  Values: 1-255
  Default: 1


Traffic Exclusion
This group box is available only on x412 platforms with the DME.
Traffic Exclusion: Specifies whether the device passes through all traffic that matches no network policy configured on the device.
  Default: Enabled
  Caution: If Traffic Exclusion is enabled, to inspect traffic that matches a Server Protection policy, you must configure the Server Protection policy as a subset of the Network Protection Policy/Rule.

Configuring Port Pairs

You can configure ports on a DefensePro device to receive, inspect, and transmit traffic. The traffic from the receiving port is always sent out of the device from its corresponding transmitting port. The ports are paired; one port receives traffic while the other transmits traffic.
You can set the operation mode of a port pair. When the port pair operates in Process mode, the traffic is inspected for attacks and traffic sampling policies are applied. When the port pair operates in Forward mode, the traffic is forwarded to the destination port without any inspection.

Note: DefensePro x06 models automatically create static-forwarding definitions on the following port pairs when they are not assigned to packet trace or trunks: G-1/G-2 and G-3/G-4.

To configure a pair of ports
1. In the Configuration perspective Networking tab navigation pane, select Port Pairs.
2. Do one of the following:
   - To add a pair of ports, click the Add button.
   - To edit a pair of ports, double-click the row.
3. Configure the parameters; and then, click OK.

Table 57: Port Pair Parameters

Port Pairs
Source Port: The user-defined source port for received traffic.
Destination Port: The user-defined destination port for transmitted traffic.
Operation: The operation mode assigned to a pair of ports.
    Values:
    Forward: The traffic is forwarded without any inspection.
    Process: The traffic passes through the CPU and is inspected for attacks, bandwidth, and so on.
Failure Mode: Specifies whether traffic passes through (bypasses) a pair of RJ-45 ports when the platform is rebooting or powered down (for example, if the device fails).
    Values:
    Fail-Close: Traffic does not pass through when the platform is powered down. When a pair of ports enters the fail-close state, traffic is blocked and the link appears to be down (no power), so switches connected to the DefensePro device detect the link as down.
    Fail-Open: Traffic passes through (not processed by DefensePro) when the platform is powered down.
    When you configure Fail-Open for a port pair, you cannot:
    - Assign the ports to a link aggregation.
    - Configure either port as a copied destination port.
    - Configure the ports for SSL inspection.
    Note: For more information, see Internal Bypass for RJ-45 Ports, page 49.
In Port: Specifies which port in the pair is designated as the inbound port (the source or the destination port). This setting is used in real-time reports for inbound and outbound traffic.

Advanced Parameters
In DefensePro x06 models, this group box and the Enable Interface Grouping checkbox are not displayed. In x06 models, Interface Grouping is always enabled.
Enable Interface Grouping: Specifies whether the device groups the statuses of the port-pair interfaces. When the option is enabled, if one port of a port pair is disconnected, DefensePro also sets the status of the paired port to disconnected, so a remote device connected to the DefensePro device perceives the same disconnected status.
    Typically, the option is enabled when DefensePro is deployed between switches that use link redundancy. Interface grouping is the only way to ensure that both switches always perceive the same DefensePro interface status.
    Default: Disabled
Chapter 5 Security Configuration
A security policy in an organization is a set of rules and regulations that defines what constitutes a
secure network and how it reacts to security violations. You implement a security policy for your
organization by using the global security settings, network-protection policy, and server-protection
policy. You can adjust a security policy to suit the security needs of different network segments
down to a single server, providing comprehensive protection for your organization.
Each policy consists of multiple rules. Each rule in a policy defines a network segment or server, one
or more protection profiles to be applied, and the action to be taken when the device detects an
attack.
Each protection profile defines the security defenses that provide protection against a specific
network threat. For example, the Signature Protection profile prevents intrusion attempts, and the
Behavioral DoS profile prevents flood attacks aimed at creating denial of service.

Notes
>> All the configuration procedures in this section assume that the relevant device is
selected in the Configuration perspective navigation pane.
>> Some protections are not supported on management interfaces.
This chapter contains the following sections:
Security Protections, page 129
Selecting a Device for Security Configuration, page 130
Configuring Global Security Settings, page 130
Managing the Network Protection Policy, page 156
Managing the Server Protection Policy, page 204
Configuring White Lists, page 222
Configuring Black Lists, page 225
Managing the ACL Policy, page 230

Security Protections
DefensePro's multi-layer security approach combines features for detecting and mitigating a wide range of network and server attacks.
DefensePro supports three types of security protections: network-wide protections, server protections, and access-control policies.
Network-wide protections comprise the following:
- Behavioral DoS: Protects against zero-day flood attacks, including SYN floods, TCP floods, UDP floods, and ICMP and IGMP floods.
- SYN-flood protection: Protects against any type of SYN flood attack using SYN cookies. A SYN flood attack is usually aimed at specific servers with the intention of consuming the server's resources. However, you configure SYN Protection as a Network Protection to allow easier protection of multiple network elements.
- Signature-based protection: Protects against known application vulnerabilities and common malware, such as worms, trojans, spyware, and DoS.
- Fraud protection using RSA feeds.


- Packet-anomaly protections.
- Scanning and worm-propagation protection: Provides zero-day protection against self-propagating worms, horizontal and vertical TCP and UDP scanning, and ping sweeps.
- Out of State protection: Ensures that TCP connections are established according to the protocol RFCs.
- Connection limit: Protects against session-based attacks, such as half-open SYN attacks, request attacks, and connection attacks.
- Connection PPS Limit protection: Protects against attacks that use high PPS rates on one or several connections to flood a server.

Server protections include the following:
- Server-cracking protection: Provides zero-day protection against application-vulnerability scanning, brute-force, and dictionary attacks.
- HTTP-flood protection: Mitigates zero-day HTTP page flood attacks.

Access control (ACL) policies block or allow traffic to or from specified networks, based on protocols, applications, and other criteria.

Selecting a Device for Security Configuration

You configure a security policy in the Configuration perspective. Before you configure a security policy, select the device in the Configuration perspective navigation pane.

To select the device for security configuration
Select the required device in the Configuration perspective system pane.

Configuring Global Security Settings

Before you configure the Server Protection Policy or the Network Protection Policy/Rule and their protection profiles, you must enable the protection features you want to use and configure the global parameters for the protection features.

Note: After a protection feature is enabled on a device, the device requires a reboot. However, you need to reboot only once after enabling features within the same navigation branch.

Use APSolute Vision to configure the following protection features on a selected device:
Configuring Global Signature Protection, page 131
Configuring DoS Shield Protection, page 132
Configuring Global Behavioral DoS Protection, page 133
Configuring Global Anti-Scanning Protection Settings, page 139
Configuring Global SYN Flood Protection, page 141
Configuring Global Out of State Protection, page 142


Configuring Global HTTP Flood Protection, page 143
Configuring Global SIP Cracking Protection, page 144
Configuring Global Fraud Protection, page 145
Configuring Global Packet Anomaly Protection, page 147
Configuring Global DNS Flood Protection, page 150

Configuring Global Signature Protection

Signature Protection is enabled by default for all models that support it.

Note: Signature protection (IPS) is not available in DefensePro x412-BP models.

To configure Signature Protection
1. In the Configuration perspective Security Settings tab navigation pane, select Signature Protection.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 58: Signature Protection Settings

Enable Application Security Protection: If the protection is disabled, enable it before setting up the protection profiles.
    Note: Changing the setting of this parameter requires a reboot to take effect.
Reassemble Fragmented TCP Packets: Specifies whether the device tries to reassemble fragmented TCP packets.
    Default: Enabled
Encoding: The encoding (the language and character set) to use for detecting security events.
Enable Session Drop Mechanism: Specifies whether the device drops all packets of a session when a signature is detected in one of the session's packets.
Minimum Fragment URI Size: The minimum permitted size, in bytes, of a URI fragment.
Security Tracking Tables Free-Up Frequency: How often, in milliseconds, the device clears unnecessary entries from the table and stores information about newly detected security events.
    Default: 1250


Configuring DoS Shield Protection

The DoS Shield mechanism protects against known flood attacks and flood-attack tools that cause a denial-of-service effect, making computer resources unavailable to the intended users.

Notes
>> DoS Shield protection is enabled by default.
>> This feature is also supported on management interfaces.

DoS Shield profiles prevent the following:
- Known TCP, UDP, and ICMP floods
- Known attack tools available on the Internet
- Known floods created by bots, which are automated attacks

DoS Shield protection uses signatures from the Radware Signatures database. This database is continuously updated and protects against all known threats.
Radware Signature profiles include all DoS Shield signatures as part of the signature database, and the Radware predefined profiles already include DoS Shield protection. To create a profile that includes DoS Shield protection, you configure a profile with the Threat Type attribute set to Floods. Radware also supplies a predefined profile, the All-DoS-Shield profile, which provides protection against all known DoS attacks. The All-DoS-Shield profile is applied when a DoS-only solution is required. Note that if the Radware-defined DoS Shield profile is applied, you cannot apply other Signature profiles in the same security policy.
To prevent denial of service, DoS Shield samples traffic flowing through the device and limits the bandwidth of traffic recognized as a DoS attack using predefined actions.
Most networks can tolerate sporadic attacks that consume negligible amounts of bandwidth. Such attacks do not require any counter action. An attack becomes a threat to the network when it starts to consume large amounts of the network's bandwidth. DoS Shield detects such events using a sampling algorithm optimized for performance and acts automatically to mitigate them.
The DoS Shield considers two protection states:
- Dormant state: The sampling mechanism is used for recognition prior to active intervention. A protection in the Dormant state becomes active only if the number of packets entering the network exceeds the predefined limit.
- Active state: The action is applied to each packet matching the attack signature, without sampling.

DoS Shield counts packets matching Dormant and Active protections. Samples of the traffic are compared with the list of protections in the Dormant state. When the specified number of packets is reached, the status of the protection changes to Active.
The DoS Shield module uses two processes working in parallel. One process statistically monitors traffic to check whether any dormant protection has become active. When DoS Shield detects a protection as active, the module compares each packet that passes through the device to the list of currently active protections. Of the packets that do not match an active signature, the module compares a sample with the dormant protections list and forwards the rest to the network without inspection.
In DefensePro, to configure DoS Shield protection, you must enable Signature Protection. For more information, see Configuring Global Signature Protection, page 131.


To configure DoS Shield protection
1. In the Configuration perspective Security Settings tab navigation pane, select DoS Shield.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 59: DoS Shield Parameters

Enable DoS Shield: Specifies whether the DoS Shield feature is enabled.
    Note: If the protection is disabled, enable it before configuring the protection profiles.
Sampling Time: How often, in seconds, DoS Shield compares the predefined threshold of each dormant attack to the current value of the packet counter matching that attack.
    Default: 5
    Note: If the sampling time is very short, counters are compared to thresholds frequently, so regular traffic bursts might be considered attacks. If the sampling time is too long, the DoS Shield mechanism cannot detect real attacks quickly enough.
Packet Sampling Ratio: The packet-sampling frequency. For example, if the specified value is 5001, the DoS Shield mechanism checks 1 out of every 5001 packets.
    The default value depends on the device model. For x06, x016, and x412 models, the value is 5001.
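The following Python model illustrates the dormant/active sampling scheme this section describes: dormant protections see only one sampled packet in Packet Sampling Ratio, their counters are compared with thresholds once per Sampling Time, and a protection that crosses its threshold becomes active and then inspects every packet. It is an added example, not DefensePro code or a Radware implementation. The attack signature, the threshold, the sampling ratio of 100, and the traffic are constructed, and sampling is deterministic (every Nth packet) rather than statistical so that the run is reproducible.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Packet = Dict[str, object]


@dataclass
class ShieldProtection:
    """One DoS Shield signature with its dormant/active bookkeeping (constructed model)."""
    name: str
    matches: Callable[[Packet], bool]   # attack signature expressed as a predicate
    threshold: int                      # sampled matches per window that activate it
    state: str = "dormant"
    counter: int = 0


class DoSShieldModel:
    def __init__(self, protections: List[ShieldProtection],
                 sampling_ratio: int = 5001, sampling_time: float = 5.0):
        self.protections = protections
        self.sampling_ratio = sampling_ratio    # Packet Sampling Ratio: check 1 in N
        self.sampling_time = sampling_time      # Sampling Time: seconds per window
        self.packets_seen = 0
        self.window_start = 0.0
        self.dropped = 0
        self.forwarded = 0

    def handle(self, pkt: Packet, now: float) -> str:
        # Close the sampling window first so state transitions happen on time.
        if now - self.window_start >= self.sampling_time:
            self._compare_counters()
            self.window_start = now
        # Active protections inspect every packet: no sampling.
        for p in self.protections:
            if p.state == "active" and p.matches(pkt):
                p.counter += 1
                self.dropped += 1
                return "drop"
        # Dormant protections only see one packet in sampling_ratio. The device
        # samples statistically; a deterministic modulo keeps this model reproducible.
        self.packets_seen += 1
        if self.packets_seen % self.sampling_ratio == 0:
            for p in self.protections:
                if p.state == "dormant" and p.matches(pkt):
                    p.counter += 1
        self.forwarded += 1
        return "forward"

    def _compare_counters(self) -> None:
        """Once per Sampling Time: a dormant protection whose counter reached its
        threshold becomes active; every counter starts the new window at zero."""
        for p in self.protections:
            if p.state == "dormant" and p.counter >= p.threshold:
                p.state = "active"
            p.counter = 0


def run_simulation() -> DoSShieldModel:
    """Feed 15 s of constructed traffic (1,000 packets/s) through the model."""
    flood_sig = ShieldProtection(
        name="UDP-1900-flood",
        matches=lambda pkt: pkt["proto"] == "udp" and pkt["dport"] == 1900,
        threshold=20,
    )
    shield = DoSShieldModel([flood_sig], sampling_ratio=100, sampling_time=5.0)
    for i in range(15_000):
        now = i / 1000.0
        # Background noise: 1 in 20 packets matches for the first 5 s;
        # then a flood begins and two thirds of all packets match.
        is_flood = (i % 3 != 0) if now >= 5.0 else (i % 20 == 0)
        pkt = {"proto": "udp", "dport": 1900} if is_flood else {"proto": "tcp", "dport": 443}
        shield.handle(pkt, now)
    return shield


if __name__ == "__main__":
    s = run_simulation()
    print(s.protections[0].state, "dropped:", s.dropped, "forwarded:", s.forwarded)
```

In the run above the flood starts at 5 s but is only noticed when the window that began at 5 s closes at 10 s, after which every matching packet is dropped; the sporadic matches in the first window never reach the threshold, which is the behaviour the Sampling Time note describes.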

To include DoS Shield protection in the network-protection policy

1. In the Configuration perspective Network Protection tab navigation pane, select Network
Protection Rules.
2. In the Add New Network Protection Rule dialog box, from the Signature Protection Profile
drop-down list, select All-DoS-Shield.
For more information, see Configuring the Network Protection Policy, page 157.

Configuring Global Behavioral DoS Protection

Behavioral DoS (Behavioral Denial of Service) Protection, which you can use in your network-protection policy, defends your network from zero-day network-flood attacks. These attacks fill available network bandwidth with irrelevant traffic, denying use of network resources to legitimate users. The attacks originate in the public network and threaten Internet-connected organizations.
The Behavioral DoS profiles detect traffic anomalies and prevent zero-day, unknown, flood attacks by identifying the footprint of the anomalous traffic.


Network-flood protection types include:
- TCP floods, which include TCP FIN+ACK flood, TCP Reset flood, TCP SYN+ACK flood, and TCP Fragmentation flood
- UDP flood
- ICMP flood
- IGMP flood

The main advantage of BDoS Protection is the ability to detect statistical traffic anomalies and
generate an accurate DoS-attack footprint based on a heuristic protocol information analysis. This
ensures accurate attack filtering with minimal risk of false positives. The default average time for a
new signature creation is between 10 and 18 seconds. This is a relatively short time, because flood
attacks can last for minutes and sometimes hours.

Note: This feature is also supported on management interfaces.

Enabling BDoS Protection

Before you configure BDoS Protection profiles, enable BDoS Protection. You can also change the default global device settings for BDoS Protection. The BDoS Protection global settings apply to all the network protection-policy rules with BDoS profiles on the device.

To enable BDoS Protection and configure global settings
1. In the Configuration perspective Security Settings tab navigation pane, select BDoS Protection.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 60: BDoS Protection Global Parameters

Basic Parameters
Enable BDoS Protection: Specifies whether BDoS Protection is enabled.
    Note: Changing the setting of this parameter requires a reboot to take effect.
Learning Response Period: The initial period from which baselines are primarily weighted. The default and recommended learning response period is one week. If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change more than 50% daily), set the learning response period to one month. Use a one-day period for testing purposes only.
    Values: Day, Week, Month
    Default: Week

Enable Traffic Statistics Sampling: Specifies whether the BDoS module uses traffic-statistics sampling during the creation phase of the BDoS footprint. When the BDoS module is trying to generate a real-time signature and the traffic rate is high, the device evaluates only a portion of the traffic. The BDoS module tunes the sampling factor automatically according to the traffic rate: it screens all traffic at low rates (below 100K PPS) and only a portion of the traffic at higher rates (above 100K PPS).
    Default: Enabled
    Note: For best performance, Radware recommends that the parameter be Enabled.
Footprint Strictness: When the Behavioral DoS module detects a new attack, it generates an attack footprint to block the attack traffic. If the module is unable to generate a footprint that meets the footprint-strictness condition, it issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint; however, higher strictness increases the probability that the device cannot generate a footprint.
    Values:
    High: Enforces at least three Boolean ANDs and no Boolean OR values in the footprint. This level lowers the probability of false positives but increases the probability of false negatives.
    Medium: Enforces at least two Boolean ANDs and no more than two additional Boolean OR values in the footprint.
    Low: Allows any footprint suggested by the Behavioral DoS module. This level achieves the best attack blocking but increases the probability of false positives.
    Notes:
    >> DefensePro always considers the checksum field and the sequence number field as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered High Footprint Strictness.
    >> Footprint Strictness Examples, page 136 shows examples of footprint strictness requirements.

Advanced Parameters
These settings affect the handling of periodic attacks and are used to detect and block these attack types effectively.
Duration of Non-attack Traffic in Analysis State: The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Analysis state. When the time elapses, DefensePro declares the attack terminated.
    Values:
    0: DefensePro declares the attack terminated immediately.
    1-30
    Default: 0

Duration of Non-attack Traffic in Blocking State: The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Blocking state. When the time elapses, DefensePro declares the attack terminated.
    Values:
    0: DefensePro declares the attack terminated immediately.
    1-300
    Default: 10
    Note: There is no typical use case for reducing the value from the default.
Duration of Non-attack Traffic in Anomaly or Non-Strictness State: The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Anomaly state or the Non-strictness state. When the time elapses, DefensePro declares the attack terminated.
    Values:
    0: DefensePro declares the attack terminated immediately.
    1-300
    Default: 10

Table 61: Footprint Strictness Examples

Footprint Example                                 Low   Medium   High
TTL                                               Yes   No       No
TTL AND Packet Size                               Yes   Yes      No
TTL AND Packet Size AND Destination Port          Yes   Yes      Yes

Configuring BDoS Footprint Bypass

You can define footprint bypass types and values that are not used as part of a real-time signature. The types and values are not used in OR or AND operations within the blocking rule (real-time signature), even when the protection engine suggests that the traffic is a real-time signature candidate.

To configure footprint bypass
1. In the Configuration perspective Security Settings tab navigation pane, select BDoS Protection > BDoS Footprint Bypass.
2. From the Footprint Bypass Controller drop-down list, select the attack protection for which you want to configure footprint bypass, and click Go. The table displays the bypass types and values for the selected attack protection.
3. To edit bypass type settings, double-click the corresponding row.
4. Configure the footprint bypass parameters for the selected bypass type; and then, click OK.


Table 62: BDoS Footprint Bypass Parameters

Footprint Bypass Controller: (Read-only) The selected attack protection for which you are configuring footprint bypass.
Bypass Field: (Read-only) The selected bypass type to configure.
Bypass Status: The bypass option.
    Values:
    Bypass: The Behavioral DoS module bypasses all possible values of the selected Bypass Field when generating a footprint.
    Accept: The Behavioral DoS module bypasses only the specified values (if any) of the selected Bypass Field when generating a footprint.
Bypass Values: If Bypass Status is Accept, the Behavioral DoS mechanism does not use the specified Bypass Values of the selected Bypass Field when generating the footprint. The valid Bypass Values vary according to the selected Bypass Field. Multiple values must be comma-delimited.

Configuring Early Blocking of DoS Traffic

Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair
the accuracy of the DoS-attack footprint that DefensePro generates.
When DefensePro detects a new DoS attack (by default, after 10 seconds), DefensePro generates a
DoS-attack footprint and then blocks or drops the relevant flood traffic.
In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start
blocking as soon as possible, even if accuracy is compromised. Using Early Blocking of DoS Traffic,
you can configure thresholds for generating DoS-attack footprints, which shorten the time to start
blocking the relevant traffic.
DefensePro generates each footprint using values from fields (parameters) in the packet header (for
example: Sequence Number, Checksum, and IP ID). The values from fields in the packet header
characterize the attack.


The thresholds that you can configure for the protection to change from the Analysis state to the Blocking state are packet-header fields or packet-header-field values:
- The packet-header fields threshold is the number of anomalously distributed packet-header fields that DefensePro must detect to generate a footprint and start early blocking before the default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.) You can define either the number of packet-header fields or the specific fields that DefensePro must detect. For more information, see Selecting Packet Header Fields for Early Blocking of DoS Traffic, page 139.
- The packet-header-field values threshold is the number of anomalous packet-header-field values that DefensePro must detect to generate a footprint and start early blocking.

Note: The threshold (that is, the packet-header fields or the number of packet-header fields) cannot conflict with the Footprint Strictness level. You cannot change the specified Footprint Strictness to one that is lower than the strictness necessary for the BDoS mechanism to operate properly. Likewise, you cannot configure fewer packet-header fields than the specified strictness level requires for the BDoS mechanism to operate properly.

To configure early blocking for BDoS
1. In the Configuration perspective Security Settings tab navigation pane, select BDoS Protection > BDoS Early Blocking.
2. To modify a protection type for early blocking, double-click the row.
3. Configure the parameters; and then, click OK.

Table 63: Early Blocking Parameters

Protection Type: (Read-only) The protection for which you are configuring early blocking.
Any Packet Header Field: When selected, DefensePro blocks DoS traffic early based on the specified packet-header-field threshold and packet-header-field-value threshold. Clear the selection to use the specific packet header fields that you select in the BDoS Packet Header table.
Any Packet Header Field Threshold: The number of anomalous packet-header fields that DefensePro must detect to generate a footprint and start early blocking.
    Values: 1-20
    Default (per protection): ICMP: 18, IGMP: 11, TCP-ACK-FIN: 14, TCP-Fragment: 17, TCP-RST: 14, TCP-SYN: 14, TCP-SYN-ACK: 14, UDP: 21.
Packet Header Field Values: The number of anomalous packet-header-field values that DefensePro must detect to generate a footprint and start early blocking.
    The number of packet-header-field values must not be less than the specified packet-header field threshold.
    Values: 1-1000
    Default: 500
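The following Python example, added here and not part of the original guide or of DefensePro, ties together three of the rules above: it evaluates a candidate footprint against the Footprint Strictness levels (including the checksum and sequence-number exception and the rows of Table 61), removes conditions that the Footprint Bypass settings of Table 62 forbid, and checks Early Blocking thresholds from Table 63 for consistency with the strictness level, as the note above requires. The field names (ttl, packet-size, dst-port), the sample footprints, and the way the value threshold combines with a specific-field selection are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Fields DefensePro treats as High strictness on their own (note under Footprint Strictness).
STRONG_FIELDS = {"checksum", "sequence-number"}

# Minimum AND-ed conditions and maximum additional OR values per strictness level
# (High: >=3 ANDs, no OR; Medium: >=2 ANDs, <=2 ORs; Low: any footprint).
MIN_AND_TERMS = {"high": 3, "medium": 2, "low": 1}
MAX_OR_TERMS: Dict[str, Optional[int]] = {"high": 0, "medium": 2, "low": None}

Condition = Tuple[str, object]   # (packet-header field, value); names are assumed


@dataclass
class Footprint:
    and_terms: List[Condition]                               # joined by Boolean AND
    or_terms: List[Condition] = field(default_factory=list)  # additional OR alternatives


@dataclass
class BypassRule:
    status: str                              # "bypass": whole field; "accept": listed values only
    values: Set[object] = field(default_factory=set)


def apply_bypass(fp: Footprint, rules: Dict[str, BypassRule]) -> Footprint:
    """Remove conditions that the Footprint Bypass settings forbid in a real-time signature."""
    def allowed(cond: Condition) -> bool:
        name, value = cond
        rule = rules.get(name)
        if rule is None:
            return True
        if rule.status == "bypass":          # Bypass: never use any value of this field
            return False
        return value not in rule.values      # Accept: only the listed values are excluded
    return Footprint([c for c in fp.and_terms if allowed(c)],
                     [c for c in fp.or_terms if allowed(c)])


def meets_strictness(fp: Footprint, level: str) -> bool:
    """Would this footprint be accepted (and therefore blocked on) at the given strictness?"""
    level = level.lower()
    fields = {name for name, _ in fp.and_terms + fp.or_terms}
    # A footprint made only of checksum / sequence number always counts as High.
    if fields and fields <= STRONG_FIELDS and not fp.or_terms:
        return True
    if len(fp.and_terms) < MIN_AND_TERMS[level]:
        return False
    limit = MAX_OR_TERMS[level]
    return limit is None or len(fp.or_terms) <= limit


def early_blocking_thresholds_ok(level: str, field_threshold: int, value_threshold: int) -> bool:
    """Table 63 ranges plus the note above: the field threshold may not be lower than the
    strictness level requires, and the value threshold may not be below the field threshold."""
    if not (1 <= field_threshold <= 20 and 1 <= value_threshold <= 1000):
        return False
    if field_threshold < MIN_AND_TERMS[level.lower()]:
        return False
    return value_threshold >= field_threshold


def transition_to_blocking(elapsed_s: float, anomalous_fields: Set[str], anomalous_values: int,
                           field_threshold: int, value_threshold: int,
                           required_fields: Optional[Set[str]] = None) -> bool:
    """Decide whether the protection leaves the Analysis state for the Blocking state."""
    if elapsed_s >= 10.0:                    # the default transition happens regardless
        return True
    if anomalous_values < value_threshold:   # assumption: the value threshold applies in both modes
        return False
    if required_fields:                      # Any Packet Header Field cleared: specific fields chosen
        return required_fields <= anomalous_fields
    return len(anomalous_fields) >= field_threshold
```

A practical use of the consistency check is to validate a planned configuration before applying it: lowering Any Packet Header Field Threshold to 2 while Footprint Strictness is High, for instance, is rejected, which matches the restriction the note describes.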


Selecting Packet Header Fields for Early Blocking of DoS Traffic

You can select specific packet header fields to be included in the set of packet header fields that DefensePro must detect to generate a footprint and start early blocking.

To select packet header fields for early blocking
1. In the Configuration perspective Security Settings tab navigation pane, select BDoS Protection > Packet Header.
2. Select the protection type and click Go. The BDoS Packet Header table displays the relevant packet header fields.
3. To change the early blocking enabling setting for a field, double-click the row, change the setting in the dialog box, and click OK.

Table 64: Packet Header Field Parameters

Protection Type: (Read-only) The protection for which you are configuring early blocking.
Packet Header Field: (Read-only) The packet header field.
Enable Early Blocking Condition: When selected, the packet header field is included in the set of fields that DefensePro must detect to generate a footprint and start early blocking.

Configuring Global Anti-Scanning Protection Settings

Anti-Scanning Protection protects against malicious scanning activity, which includes zero-day self-propagating network worms, horizontal scans, and vertical scans. When Anti-Scanning Protection is enabled, upon detecting an attack, the protection applies the blocking footprint rule for a predefined initial blocking duration. When the protection identifies repeated scanning activity from the same source, it extends the blocking duration using a dynamic blocking-duration mechanism. This mechanism includes a random factor that makes the blocking duration unpredictable. When a source continues to scan the network, the device can restart the global Maximal Blocking Duration.

To configure global Anti-Scanning Protection settings
1. In the Configuration perspective Security Settings tab navigation pane, select Anti-Scanning.
2. Configure the parameters; and then, click Submit to submit the changes.


Table 65: Global Anti-Scanning Settings

Anti-Scanning Parameters
Enable Anti-Scanning Protection: Specifies whether Anti-Scanning Protection is enabled. Anti-Scanning Protection prevents zero-day self-propagating network worms, horizontal scans, and vertical scans.
    Default: Enabled
    Note: Changing the setting of this parameter requires a reboot to take effect.
Enable Protection for Very Slow Scans: Specifies whether Anti-Scanning Protection blocks slow scans, which can result in very long blocking periods. When enabled, Anti-Scanning Protection adapts the blocking interval to the scanner's activity frequency, so the device re-detects the scanner activity before the blocking duration elapses. The blocking duration is calculated as the time between scanning events multiplied by the Attack Trigger value.
    Radware recommends using this option only in exceptional circumstances, when one scan attempt in 20 minutes is considered a security threat.
    Default: Disabled
Enable High Port Response: Specifies whether Anti-Scanning Protection emphasizes inspecting scans aimed at ports greater than 1024 (that is, usually unassigned ports).
    Values:
    Enabled: Anti-Scanning Protection emphasizes inspecting scans aimed at ports greater than 1024. Select this checkbox when your applications use standard system ports (port values below 1024).
    Disabled: Anti-Scanning Protection treats all scan activity equally. Clear this checkbox when your applications use non-standard ports (port values above 1024).
    Default: Enabled
    Note: When the parameter is enabled and you have legitimate applications using high-range ports, the DefensePro device is prone to more false positives.
Maximal Blocking Duration: The maximum time, in seconds, that Anti-Scanning Protection blocks the source of a scan if that source continues to scan the network.
    Values: 20-3600
    Default: 80
    Note: This setting overrides the maximum time set in the suspend table parameters.
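An illustrative Python model of the dynamic blocking-duration behaviour described for Anti-Scanning Protection. This is an added example, not Radware's implementation: the initial blocking duration, the growth factor per repeated detection, the size of the random factor, and the Attack Trigger value are assumptions. The slow-scan formula (time between scan events multiplied by Attack Trigger) and the Maximal Blocking Duration cap follow Table 65; the model assumes the cap is not applied in slow-scan mode, since the table warns that mode can produce very long blocking periods.

```python
import random
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ScanBlockPolicy:
    initial_block_s: float = 10.0   # assumed initial blocking duration
    growth: float = 2.0             # assumed multiplier per repeated detection of the same source
    jitter: float = 0.25            # assumed size of the random factor (+/-25 %)
    max_block_s: float = 80.0       # Maximal Blocking Duration (20-3600 s, default 80)
    slow_scan_mode: bool = False    # Enable Protection for Very Slow Scans
    attack_trigger: int = 3         # assumed Attack Trigger value (scan events before detection)


@dataclass
class SourceState:
    repeats: int = 0
    last_seen: Optional[float] = None
    blocked_until: float = 0.0


class AntiScanBlocker:
    def __init__(self, policy: ScanBlockPolicy, rng: Optional[random.Random] = None):
        self.policy = policy
        self.rng = rng or random.Random()
        self.sources: Dict[str, SourceState] = {}

    def is_blocked(self, src: str, now: float) -> bool:
        state = self.sources.get(src)
        return state is not None and now < state.blocked_until

    def scan_detected(self, src: str, now: float) -> float:
        """Record a scan event from src at time now and return the blocking duration applied."""
        p = self.policy
        s = self.sources.setdefault(src, SourceState())
        if p.slow_scan_mode and s.last_seen is not None:
            # Adapt the block to the scanner's own cadence so its next probe still lands
            # inside the block; assumed to be exempt from the global cap (see lead-in).
            duration = (now - s.last_seen) * p.attack_trigger
        else:
            # Initial block, extended on each repeat and perturbed by a random factor so
            # the scanner cannot predict when the block expires.
            duration = p.initial_block_s * (p.growth ** s.repeats)
            duration *= 1.0 + self.rng.uniform(-p.jitter, p.jitter)
            duration = min(duration, p.max_block_s)     # Maximal Blocking Duration always wins
        s.repeats += 1
        s.last_seen = now
        s.blocked_until = now + duration                # a continuing scanner restarts the clock
        return duration


if __name__ == "__main__":
    blocker = AntiScanBlocker(ScanBlockPolicy(), random.Random(7))
    for t in (0, 30, 60, 90, 120):   # constructed scan events from one source
        print(t, round(blocker.scan_detected("198.51.100.7", t), 1))
```

Running the block shows the duration growing on each repeat until it pins at the 80 s cap, and the slow-scan mode producing a block of 3600 s for a source that probes every 20 minutes, which is why the table restricts that option to exceptional cases.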


Configuring Global SYN Flood Protection

A SYN flood attack is usually aimed at specific servers with the intention of consuming the server's resources. However, you configure SYN Protection as a Network Protection to allow easier protection of multiple network elements.
Before you configure SYN profiles for the network-protection policy, ensure the following:
- SYN Protection is enabled and the SYN Flood Protection global parameters are configured.
- The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session Table Settings, page 97.

To configure global SYN Flood Protection
1. In the Configuration perspective Security Settings tab navigation pane, select SYN Flood Protection Settings.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 66: SYN Flood Protection Settings Parameters

Basic Parameters
Enable SYN Flood Protection: Specifies whether SYN Flood Protection is enabled on the device.
    Default: Enabled
    Note: Changing the setting of this parameter requires a reboot to take effect.
Advanced Parameters
Tracking Time: The time, in seconds, for which the number of SYN packets directed to the same destination must remain below the Termination Threshold before protection of that destination stops.
    Values: 1-10
    Default: 5
SSL Parameters
For more information on the SSL Mitigation feature, see Configuring SSL Mitigation Policies, page 194.
Enable SSL Mitigation: Specifies whether the device enables the SSL Mitigation mechanism with an Alteon device.
    Caution: DefensePro versions 6.05 and later support inspection of jumbo frames (see Configuring the Basic Network Parameters, page 124); however, Alteon cannot handle jumbo frames. Therefore, when the Enable SSL Mitigation and Inspect Jumbo Frames checkboxes are both selected, the Alteon device drops packets larger than the Alteon device's configured maximum frame size (which can be part of the TCP or HTTP authentication phases), even though the packets may belong to legitimate connections.
Alteon MNG IP: The IP address of the Alteon management port.

Health-Check Port
  The health-check port (that is, the SNMP Traps port) on the Alteon device.
DefensePro Assigned Ports
  The table that displays the pair of static-forwarding ports.

Configuring Global Out of State Protection

Out of State Protection detects out-of-state packets to provide additional protection for application-level attacks.
You configure Out-of-State Protection globally (here) and per policy (see Configuring Out of State Protection Profiles for Network Protection, page 202).

To configure global Out of State Protection

1. In the Configuration perspective Security Settings tab navigation pane, select Out of State.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 67: Out-of-State Protection Parameters

Global Parameters
Enable Out-of-State Protection
  Specifies whether the device enables Out-of-State Protection learning.
  Default: Disabled
Activate (Without Reboot)
  Specifies whether the device starts and stops Out-of-State Protection without rebooting the device.
  Default: Disabled

Startup Mode
  The behavior of the device after startup. Out-of-State Protection cannot be applied to existing traffic; therefore, the device can either drop existing traffic and apply Out-of-State Protection to all new traffic, or suspend Out-of-State Protection for a period of time, which is used to learn traffic and sessions.
  Values:
  - On: Start the protection immediately. Existing sessions are dropped and only new sessions are allowed.
  - Off: Do not protect.
  - Graceful: Start the protection while maintaining existing sessions for the time specified by the Startup Timer parameter.
  Default: Graceful
Startup Timer
  For Graceful startup mode, this parameter specifies the time, in seconds, after startup during which the device ignores Out-of-State Protection and registers all sessions in the Session table, including those whose initiation was not registered (for example, SYN with TCP). After this time, the device drops new sessions whose initiation was not registered (for example, SYN with TCP).
  Values: 0–65,535
  Default: 1800

Configuring Global HTTP Flood Protection

The HTTP Mitigator detects and mitigates HTTP request flood attacks to protect Web servers. The HTTP Mitigator collects and builds a statistical model of the protected server traffic, and then, using fuzzy logic inference systems and statistical thresholds, detects traffic anomalies and identifies the malicious sources.

To configure global HTTP Flood Protection

1. In the Configuration perspective Security Settings tab navigation pane, select HTTP Flood Protections.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 68: HTTP Mitigator Parameters

Enable HTTP Mitigator
  Specifies whether the HTTP Mitigator is enabled on the device. HTTP flood protection must be enabled to set HTTP flood protection parameters.
  Default: Enabled
Learning Period before Activation
  The time, in days, the HTTP Mitigator takes to collect the data needed to establish the baseline that HTTP Mitigation uses.
  Values: 0–65,536
  Default: 7

Learning Mode
  The learning mode of the HTTP Mitigator.
  Values:
  - Continuous Only: The learning process about the traffic environment is continuous.
  - Automatic: The HTTP Mitigator can switch to 24x7 learning when it detects a recurring pattern per hour of the day of the week in a period of 4, 8, or 12 weeks (based on sensitivity).
Learning Sensitivity
  The period from which the HTTP Mitigator establishes baselines. Select the time unit based on the site characteristics. For example, if the site traffic fluctuates during the course of a day, but fluctuates the same way each day, select Day; but if there are significant fluctuations between the days of the week, select Week.
  Values: Day, Week, Month
  Default: Week
Mitigation Failure Condition
  The number of automatic attempts the device makes before announcing it cannot mitigate the attack.
  Values: 1–100
  Default: 3

Configuring Global SIP Cracking Protection

SIP Cracking protection, which provides VoIP protection similar to the FTP, POP3, and server-based crack protections, is designed to detect and mitigate the following types of threats:
- Brute-force and dictionary attacks: On SIP registrar and proxy servers.
- SIP application scanning activities: On SIP servers and SIP phones.
- SIP DoS flood attacks: On SIP servers and SIP phones. The types of attacks that are detected through the SIP crack mechanism include those that use repeated spoofed register and invite messages.
- Pre-SPIT (Spam over IP Telephony) activities: TO TAG Invite messages are used.

DefensePro detects attacks based on the frequency and quantity of SIP reply codes. DefensePro performs analysis of authentication, call initiation, registration processes, and reply codes per source IP address and the SIP URI (SIP FROM).
A SIP server can send replies and error responses to clients either on the same connection or open a new connection for this purpose. This is also applicable for UDP, where either the same flow or a new one is used. To support such environments, the SIP Server Cracking protection can monitor all outgoing messages from the protected server to the SIP Application Port Group or from the SIP Application Port Group.
When DefensePro detects an attack, it does the following:
- Adds the source IP address of the attacker to the Suspend table. The suspend entry has both the SIP port and the server IP address.
- Blocks all traffic from the attacker to the protected server and to the SIP Application Port group. The device also drops existing sessions or flows from the attacker to the protected server and to the Application Port Group.

Before you configure global SIP Cracking Protection, you must configure a profile that includes SIP
protection. For more information, see Configuring Server Cracking Profiles for Server Protection,
page 213.

To configure global SIP Cracking Protection

1. In the Configuration perspective Security Settings tab navigation pane, select SIP Cracking.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 69: SIP Cracking Parameters

Tracking Type
  The data that the SIP Cracking feature monitors.
  Values: SIP-URI, Source IP, Both
Application Code for Reset
  The SIP error code that is sent back to the source IP address.
  Values:
  - Ambiguous: Event number 485
  - Busy Everywhere: Event number 600
  - Busy Here: Event number 486
  - Decline: Event number 603
  - Forbidden
  - Not Acceptable Error: Event number 606
  - Not Acceptable Fail
  - Not Acceptable Here: Event number 488
  - Not Found: Event number 404
  - Request Terminated: Event number 487
  - Temporarily Unavailable: Event number 480
  Default: Not Acceptable Error
Detect Error Codes in Server Originated Sessions
  Enables detection of error codes on sessions that originate from the server to the client.
  Default: Disabled

Configuring Global Fraud Protection

Fraud Protection uses RSA-signature feeds to protect your network from malicious, fraudulent sites. Such sites include phishing sites, trojan drop points, and malicious-download sites.

Note: RSA updates require purchasing a relevant license.

DefensePro can periodically receive the RSA-signature feeds by means of a scheduled task, Update RSA Security Signature. You can also trigger an update of RSA signatures manually, using the Update Security Signature operation.
DefensePro can store up to 500 concurrent RSA signatures.

When RSA finds a new malicious server or URL, RSA approaches the hosting provider or service
provider to take the site down. DefensePro expects that the feeds it receives become irrelevant after
a certain time. DefensePro ages the stored signatures according to the specified estimated time for
bringing down various types of malicious sites.
When Fraud Protection is enabled, you can configure Network Protection with a Signature Profile rule
that uses one or more of the following threat-type attribute values:
Fraud - Phishing
Fraud - Drop Points
Fraud - Malicious Download

To configure fraud protection

1. In the Configuration perspective Security Settings tab navigation pane, select Fraud Protection.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 70: Fraud Protection Parameters

General Settings
Enable Fraud Protection
  Specifies whether fraud protection is enabled.
  Default: Disabled
Advanced Settings
Error Reporting Frequency
  How often, in hours, the device sends a trap notifying when an expected feed was not received.
  Values: 1–24
  Default: 1
Phishing Signatures Aging
  How often, in hours, the device deletes the signatures of phishing sites.
  Values: 1–168
  Default: 48
Drop Points Aging
  How often, in hours, the device deletes the addresses of drop points.
  Values: 1–168
  Default: 70
Malicious Download Aging
  How often, in hours, the device deletes the addresses of malicious-download sites.
  Values: 1–168
  Default: 48

Configuring Global Packet Anomaly Protection

This feature is not supported on management interfaces.
Packet Anomaly protection detects and provides protection against packet anomalies.

Enabling and Disabling the Packet Trace Feature for Packet Anomaly Protection
When the Packet Trace feature is enabled for Packet Anomaly Protection, the device sends
anomalous packets to the specified physical port.
You enable or disable the Packet Trace feature for all the packet-anomaly protections configured on
the device.

Notes
>> When this feature is enabled, for the feature to take effect, the global setting must be
enabled (Configuration perspective, Advanced Parameters > Security Reporting
Settings > Enable Packet Trace on Physical Port).
>> A change to the parameter takes effect only after you update policies.

To enable or disable the Packet Trace feature for Packet Anomaly Protection

1. In the Configuration perspective Security Settings tab navigation pane, select Packet
Anomaly.

2. Select or clear the Packet Trace checkbox; and then, click Submit to submit the changes.

Configuring Packet-Anomaly Protection

To configure packet-anomaly protection

1. In the Configuration perspective Security Settings tab navigation pane, select Packet Anomaly.
2. Double-click the relevant row.
3. Configure the parameters, and then, click OK.
For more information about packet anomalies and their default configurations, see Table 72 - Default Configuration of Packet-Anomaly Protections, page 149.

Table 71: Packet-Anomaly Protection Parameters

ID
  (Read-only) The ID number for the packet-anomaly protection. The ID is a Radware ID that appears in the trap sent to APSolute Vision Security logs.
Protection Name
  (Read-only) The name of the packet-anomaly protection.

Action
  The action that the device takes when the packet anomaly is detected. The action is only for the specified packet-anomaly protection.
  Values:
  - Drop: The device discards the anomalous packets and issues a trap.
  - Report: The device issues a trap for anomalous packets. If the Report Action is Process, the packet goes to the rest of the device modules. If the Report Action is Bypass, the packet bypasses the rest of the device modules.
  - No Report: The device issues no trap for anomalous packets. If the Report Action is Process, the packet goes to the rest of the device modules. If the Report Action is Bypass, the packet bypasses the rest of the device modules.
  Note: Click Drop All to set the action for all packet-anomaly protections to Drop. Click Report All to set the action for all packet-anomaly protections to Report. Click No Report All to set the action for all packet-anomaly protections to No Report.
Risk
  The risk associated with the trap for the specific anomaly.
  Values: Info, Low, Medium, High
  Default: Info
Report Action
  The action that the DefensePro device takes on the anomalous packets when the specified Action is Report or No Report. The Report Action is only for the specified packet-anomaly protection.
  Values:
  - Bypass: The anomalous packets bypass the device.
  - Process: The DefensePro modules process the anomalous packets. If the anomalous packets are part of an attack, DefensePro can mitigate the attack.
  Note: You cannot select Process for the following packet-anomaly protections:
  - 104: Invalid IP Header or Total Length
  - 107: Inconsistent IPv6 Headers
  - 131: Invalid L4 Header Length

Table 72: Default Configuration of Packet-Anomaly Protections

Unrecognized L2 Format (1)
  Packets with more than two VLAN tags or MPLS labels, L2 broadcast, or L2 multicast traffic.
  ID: 100
  Default Action: No Report
  Default Risk: Low
  Default Report Action: Process
Incorrect IPv4 Checksum (1)
  The IP packet header checksum does not match the packet header.
  ID: 103
  Default Action: Drop
  Default Risk: Low
  Default Report Action: Bypass
Invalid IPv4 Header or Total Length
  The IP packet header length does not match the actual header length, or the IP packet total length does not match the actual packet length.
  ID: 104
  Default Action: Drop
  Default Risk: Low
  Report Action: Bypass (2)
TTL Less Than or Equal to 1
  The TTL field value is less than or equal to 1.
  ID: 105
  Default Action: Report
  Default Risk: Low
  Default Report Action: Process
Inconsistent IPv6 Headers
  Inconsistent IPv6 headers.
  ID: 107
  Default Action: Drop
  Default Risk: Low
  Report Action: Bypass (2)
IPv6 Hop Limit Reached
  The IPv6 hop limit is not greater than 1.
  ID: 108
  Default Action: Report
  Default Risk: Low
  Default Report Action: Process
Unsupported L4 Protocol
  Traffic other than UDP, TCP, ICMP, or IGMP.
  ID: 110
  Default Action: No Report
  Default Risk: Low
  Default Report Action: Process

Invalid TCP Flags
  The TCP flags combination is not according to the standard.
  ID: 113
  Default Action: Drop
  Default Risk: Low
  Default Report Action: Bypass
Source or Dest. Address same as Local Host
  The IP packet source address or destination address is the same as the local host.
  ID: 119
  Default Action: Drop
  Default Risk: Low
  Default Report Action: Bypass
Source Address same as Dest Address (Land Attack)
  The source IP address and the destination IP address in the packet header are the same. This is referred to as a LAND, Land, or LanD attack.
  ID: 120
  Default Action: Drop
  Default Risk: Low
  Default Report Action: Bypass
L4 Source or Dest. Port Zero
  The Layer 4 source port or destination port equals zero.
  ID: 125
  Default Action: Drop
  Default Risk: Low
  Default Report Action: Bypass
Invalid L4 Header Length
  The length of the Layer 4 (TCP/UDP/SCTP) header is invalid.
  ID: 131
  Default Action: Drop
  Default Risk: Low
  Report Action: Bypass (2)

(1) This anomaly is available only on x412 platforms with the DME. This anomaly cannot be sampled.
(2) You cannot select Process for this packet-anomaly protection.
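The IPv4 and Layer 4 checks in Table 72 can be reproduced offline on raw packets. The following Python is an added illustration, not DefensePro code: it applies the checks with IDs 103, 104, 105, 110, 113, 119, 120, 125 and 131 to constructed packets and reports the most severe default Action; the TCP flag combinations treated as invalid are an assumption, since the page does not list them.

```python
"""Constructed classifier for the Layer 3/4 packet anomalies of Table 72.

Added illustration, not DefensePro code. The page does not list which TCP flag
combinations the device treats as invalid, so the set used for anomaly 113
(null, SYN+FIN, SYN+RST, FIN without ACK) is an assumption.
"""
import struct
from ipaddress import IPv4Address

# Anomaly ID -> (name, default Action) as listed in Table 72.
ANOMALIES = {
    103: ("Incorrect IPv4 Checksum", "Drop"),
    104: ("Invalid IPv4 Header or Total Length", "Drop"),
    105: ("TTL Less Than or Equal to 1", "Report"),
    110: ("Unsupported L4 Protocol", "No Report"),
    113: ("Invalid TCP Flags", "Drop"),
    119: ("Source or Dest. Address same as Local Host", "Drop"),
    120: ("Source Address same as Dest Address (Land Attack)", "Drop"),
    125: ("L4 Source or Dest. Port Zero", "Drop"),
    131: ("Invalid L4 Header Length", "Drop"),
}
SEVERITY = {"No Report": 0, "Report": 1, "Drop": 2}
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SUPPORTED_L4 = (1, 2, 6, 17)  # ICMP, IGMP, TCP, UDP


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; the caller zeroes the checksum field."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def inspect(raw: bytes) -> list:
    """Return the sorted Table 72 anomaly IDs triggered by one raw IPv4 packet."""
    ids = set()
    if len(raw) < 20:
        return [104]
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if ihl < 20 or ihl > len(raw) or total_len != len(raw):
        return [104]  # header length or total length disagrees with what arrived
    hdr = raw[:ihl]
    stored = struct.unpack("!H", hdr[10:12])[0]
    if ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) != stored:
        ids.add(103)
    if hdr[8] <= 1:  # TTL field
        ids.add(105)
    src, dst = IPv4Address(hdr[12:16]), IPv4Address(hdr[16:20])
    if src.is_loopback or dst.is_loopback:
        ids.add(119)
    if src == dst:
        ids.add(120)
    proto = hdr[9]
    if proto not in SUPPORTED_L4:
        ids.add(110)
        return sorted(ids)
    l4 = raw[ihl:]
    if proto in (6, 17):
        if len(l4) < 8:
            ids.add(131)
            return sorted(ids)
        if 0 in struct.unpack("!HH", l4[:4]):  # source or destination port zero
            ids.add(125)
    if proto == 6:
        data_off = (l4[12] >> 4) * 4 if len(l4) >= 20 else 0
        if data_off < 20 or data_off > len(l4):
            ids.add(131)
        if len(l4) >= 14:
            flags = l4[13] & 0x3F
            if (flags == 0 or (flags & SYN and flags & (FIN | RST))
                    or (flags & FIN and not flags & ACK)):
                ids.add(113)
    elif proto == 17 and not 8 <= struct.unpack("!H", l4[4:6])[0] <= len(l4):
        ids.add(131)  # UDP length field shorter than a header or longer than the data
    return sorted(ids)


def verdict(ids) -> str:
    """Most severe default Action among the triggered anomalies, or 'Pass'."""
    if not ids:
        return "Pass"
    return max((ANOMALIES[i][1] for i in ids), key=SEVERITY.__getitem__)


def make_ipv4(src, dst, proto, l4=b"", ttl=64, bad_checksum=False) -> bytes:
    """Constructed IPv4 packet with a correct (or deliberately wrong) checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr) ^ (0xFFFF if bad_checksum else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + l4


def make_tcp(sport, dport, flags, data_off=5) -> bytes:
    """Constructed 20-byte TCP header without options (data offset in 32-bit words)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_off << 4, flags, 8192, 0, 0)


def make_udp(sport, dport, length=8) -> bytes:
    """Constructed UDP header; the length field can be set wrong on purpose."""
    return struct.pack("!HHHH", sport, dport, length, 0)
```

A LAND packet built with make_ipv4("192.0.2.10", "192.0.2.10", 6, make_tcp(53, 53, SYN)) yields anomaly 120 and the verdict Drop; a clean SYN yields Pass.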

Configuring Global DNS Flood Protection

DNS Flood Protection, which you can use in your network-protection policy, defends your network from zero-day DNS-flood attacks. These attacks fill available DNS bandwidth with irrelevant traffic, denying legitimate users DNS lookups. The attacks originate in the public network and threaten Internet-connected organizations.
The DNS Flood profiles detect traffic anomalies and prevent zero-day, unknown, DNS flood attacks by identifying the footprint of the anomalous traffic.

DNS Flood Protection types can include the following DNS query types:
A
MX
PTR
AAAA
Text
SOA
NAPTR
SRV
Other

DNS Flood Protection can detect statistical anomalies in DNS traffic and generate an accurate attack
footprint based on a heuristic protocol information analysis. This ensures accurate attack filtering
with minimal risk of false positives. The default average time for a new signature creation is between
10 and 18 seconds. This is a relatively short time, because flood attacks can last for minutes and
sometimes hours.
Before you configure DNS Flood Protection profiles, ensure that DNS Flood Protection is enabled. You
can also change the default global device settings for DNS Flood Protection. The DNS Flood
Protection global settings apply to all the network protection-policy rules with DNS Flood profiles on
the device.

To enable DNS Flood Protection and configure global settings

1. In the Configuration perspective Security Settings tab navigation pane, select DNS Flood Protection.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 73: DNS Flood Protection Global Parameters

Basic Parameters
Enable DNS Flood Protection
  Specifies whether DNS Flood Protection is enabled.
  Note: Changing the setting of this parameter requires a reboot to take effect.
Learning Response Period
  The initial period from which baselines are primarily weighted. The default and recommended learning response period is one week. If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change more than 50% daily), set the learning response to one month. Use a one-day period for testing purposes only.
  Values: Day, Week, Month
  Default: Week

Footprint Strictness
  When the DNS Flood Protection module detects a new attack, the module generates an attack footprint to block the attack traffic. If the module is unable to generate a footprint that meets the footprint-strictness condition, the module issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint. However, higher strictness increases the probability that the module cannot generate a footprint.
  Values:
  - High: Enforces at least three Boolean ANDs and no other Boolean OR value in the footprint. This level lowers the probability of false positives but increases the probability of false negatives.
  - Medium: Enforces at least two Boolean ANDs and no more than two additional Boolean OR values in the footprint.
  - Low: Allows any footprint suggested by the DNS Flood Protection module. This level achieves the best attack blocking, but increases the probability of false positives.
  Notes:
  >> The DNS Flood Protection module always considers the checksum field and the sequence number fields as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered as High Footprint Strictness.
  >> Table 74 - DNS Footprint Strictness Examples, page 153 shows examples of footprint strictness requirements.
Mitigation Actions
When the protection is enabled and the device detects that a DNS-flood attack has started, the device implements the mitigation actions in escalating order, that is, in the order in which they appear in the group box. If the first enabled mitigation action does not mitigate the attack satisfactorily (after a certain Escalation Period), the device implements the next more-severe enabled mitigation action, and so on. As the most severe mitigation action, the device always implements the Collective Rate Limit, which limits the rate of all DNS queries to the protected server.
Enable Signature Challenge
  Specifies whether the device challenges suspect DNS queries that match the real-time signature.
  Default: Enabled
  Note: DefensePro challenges only A and AAAA query types.
Enable Signature Rate Limit
  Specifies whether the device limits the rate of DNS queries that match the real-time signature.
  Default: Enabled
Enable Collective Challenge
  Specifies whether the device challenges all unauthenticated DNS queries to the protected server.
  Default: Enabled
  Note: DefensePro challenges only A and AAAA query types.
Enable Collective Rate Limit
  (Read-only) The device limits the rate of all DNS queries to the protected server.
  Value: Enabled

Advanced Parameters
These settings affect periodic attack behavior. The settings are used to effectively detect and block these attack types.
Duration of Non-attack Traffic in Analysis State
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Analysis state. When the time elapses, DefensePro declares the attack to be terminated.
  Values:
  - 0: DefensePro declares the attack to be terminated immediately.
  - 1–30
  Default: 0
Duration of Non-attack Traffic in Blocking State
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Blocking state. When the time elapses, DefensePro declares the attack to be terminated.
  Values:
  - 0: DefensePro declares the attack to be terminated immediately.
  - 1–300
  Default: 10
  Note: There is no typical use case for reducing the value from the default.
Duration of Non-attack Traffic in Anomaly or Non-Strictness State
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Anomaly state or the Non-strictness state. When the time elapses, DefensePro declares the attack to be terminated.
  Values:
  - 0: DefensePro declares the attack to be terminated immediately.
  - 1–300
  Default: 10
Enable DNS Protocol Compliance Checks
  Specifies whether the device checks each DNS query for DNS protocol compliance and drops the non-compliant queries. This parameter is available only when the SDM table is enabled.
  Default: Disabled

Table 74: DNS Footprint Strictness Examples

Footprint Example                        Low   Medium   High
DNS Query                                Yes   No       No
DNS Query AND DNS ID                     Yes   Yes      No
DNS Query AND DNS ID AND Packet Size     Yes   Yes      Yes
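The strictness rules given for the Footprint Strictness parameter, together with the examples in Table 74, can be checked mechanically. The following Python is an added illustration rather than DefensePro code: it classifies a suggested footprint as Low, Medium or High, decides whether the module would block or only notify under a configured level, and rebuilds Table 74 from the rules; treating a checksum-only or sequence-number-only footprint as High follows the note above, and ignoring OR values in that special case is an assumption.

```python
"""Footprint-strictness evaluation for the DNS Flood Protection rules above.

Added illustration, not DefensePro code. A footprint is a list of AND-ed
terms; each term is (field, values) and the values of one field are OR-ed.
Assumption: a footprint made only of checksum/sequence-number fields is High
whatever its value count (the page says it is "always considered as High").
"""
LEVELS = ("Low", "Medium", "High")
ALWAYS_HIGH_FIELDS = {"checksum", "sequence number"}


def extra_or_values(footprint):
    """Additional OR values beyond the first value of each AND-ed term."""
    return sum(len(values) - 1 for _, values in footprint)


def strictness_of(footprint):
    """Highest strictness level that the footprint satisfies."""
    if not footprint:
        raise ValueError("a footprint needs at least one term")
    fields = {field.lower() for field, _ in footprint}
    ands, ors = len(footprint), extra_or_values(footprint)
    if fields <= ALWAYS_HIGH_FIELDS:
        return "High"                 # checksum / sequence-number rule from the Notes
    if ands >= 3 and ors == 0:
        return "High"                 # at least three ANDs, no OR value
    if ands >= 2 and ors <= 2:
        return "Medium"               # at least two ANDs, at most two extra OR values
    return "Low"                      # any footprint is acceptable at Low


def satisfies(footprint, level):
    """True when the footprint meets the given strictness level or a stricter one."""
    return LEVELS.index(strictness_of(footprint)) >= LEVELS.index(level)


def decide(footprint, configured_level):
    """Block with the footprint, or notify only because it is below the configured level."""
    return "block" if satisfies(footprint, configured_level) else "notify only"


def strictness_table(examples):
    """Rebuild Table 74: example name -> {level: True/False}."""
    return {name: {lvl: satisfies(fp, lvl) for lvl in LEVELS}
            for name, fp in examples.items()}


# The three example footprints of Table 74, with constructed sample values.
TABLE_74 = {
    "DNS Query": [("DNS Query", {"A"})],
    "DNS Query AND DNS ID": [("DNS Query", {"A"}), ("DNS ID", {0x1A2B})],
    "DNS Query AND DNS ID AND Packet Size": [
        ("DNS Query", {"A"}), ("DNS ID", {0x1A2B}), ("Packet Size", {71})],
}

if __name__ == "__main__":
    for name, row in strictness_table(TABLE_74).items():
        cells = "  ".join(f"{lvl}={'Yes' if ok else 'No'}" for lvl, ok in row.items())
        print(f"{name:40} {cells}")
```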

Configuring DNS Footprint Bypass

You can define footprint bypass types and values that are not used as part of a real-time signature. The types and values are not used in OR or in AND operations within the blocking rule (real-time signature), even when the protection engine suggests that the traffic is a real-time signature candidate.

To configure DNS footprint bypass

1. In the Configuration perspective Security Settings tab navigation pane, select DNS Flood Protection > DNS Footprint Bypass.
2. From the Footprint Bypass Controller list, select the DNS query type for which you want to configure footprint bypass, and click Go. The table displays the bypass fields for the selected DNS query type.
3. To edit bypass type settings, double-click the corresponding row.
4. Configure the footprint bypass parameters for the selected bypass field; and then, click OK.

Table 75: DNS Footprint Bypass Parameters

Footprint Bypass Controller
  (Read-only) The selected DNS query type for which you are configuring footprint bypass.
Bypass Field
  (Read-only) The selected Bypass Field to configure.
Bypass Status
  The bypass option.
  Values:
  - Bypass: The DNS Flood Protection module bypasses all possible values of the selected Bypass Field when generating a footprint.
  - Accept: The DNS Flood Protection module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.
Bypass Values
  Used if the value of the Bypass Status parameter is Accept. DNS Flood Protection bypasses only the values of a selected Bypass Type, while it may use all other values. These values vary according to the Bypass Field selected. The values in the field must be comma-delimited.

Configuring Early Blocking of DNS Traffic

Caution: Modifying the values exposed in the Early Blocking of DNS Traffic feature may impair
the accuracy of the DNS-Flood-attack footprint that DefensePro generates.
When DefensePro detects a new DNS-flood attack (by default, after 10 seconds), the device
generates a DNS-flood-attack footprint and then blocks or drops the relevant flood traffic.
In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start
blocking as soon as possible, even if accuracy is compromised. Using Early Blocking of DNS Traffic,
you can configure thresholds for generating DNS-flood-attack footprints, which shorten the time to
start blocking the relevant traffic.
DefensePro generates each footprint using values from fields in the packet header (for example:
Sequence Number, Checksum, and IP ID). The values from fields in the packet header characterize
the attack.

The thresholds that you can configure for the protection to change from the Analysis state to the Blocking state are Packet-header fields or Packet-header-field values:
- The Packet-header fields threshold is the anomalously distributed packet-header fields that the DefensePro device must detect to generate a footprint and start early blocking prior to the default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.) You can define either the number of packet-header fields, or the specific fields that the DefensePro device must detect. For more information, see Selecting Packet Header Fields for Early Blocking of DNS Traffic, page 156.
- The Packet-header-field values threshold is the number of anomalous packet-header-field values that the DefensePro device must detect to generate a footprint and start early blocking.

Note: The threshold (that is, the packet-header fields or number of packet-header fields) cannot conflict with the Footprint Strictness level. You cannot change the specified Footprint Strictness to one that is lower than the strictness necessary for the DNS Flood Protection mechanism to operate properly. Likewise, you cannot configure fewer packet-header fields than the specified strictness level requires for the DNS Flood Protection mechanism to operate properly.

To configure early blocking for DNS Flood Protection

1. In the Configuration perspective Security Settings tab navigation pane, select BDoS Protection > DNS Early Blocking.
2. To modify a protection type for early blocking, double-click the row.
3. Configure the parameters; and then, click OK.

Table 76: DNS Early Blocking Parameters

Protection Type
  (Read-only) The protection for which you are configuring early blocking.
Any Packet Header Field
  When selected, DefensePro blocks DNS traffic early based on the specified number of packet-header fields and number of packet-header-field values thresholds. Clear the selection to use specific packet header fields that you select in the DNS Packet Header table.
Any Packet Header Field Threshold
  The number of anomalous packet-header fields that DefensePro must detect to generate a footprint and start early blocking.
  Values: 0–30
  Default: 21
Packet Header Field Values
  The number of anomalous packet-header-field values that DefensePro must detect to generate a footprint and start early blocking. The number of packet-header-field values must not be less than the specified packet-header field threshold.
  Values: 1–1000
  Default: 500
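The Analysis-to-Blocking transition described above, with the thresholds and ranges of Table 76 and the unconditional transition at the default 10 seconds, can be modelled as a small decision function. The following Python is an added illustration, not DefensePro code; it assumes that the packet-header-field values threshold applies in both the "any field" and the "specific fields" modes, and that Low strictness requires at least one field.

```python
"""Early-blocking decision for DNS Flood Protection (Table 76 and the text above).

Added illustration, not DefensePro code. Assumptions: the values threshold
applies in both the "any field" and the "specific fields" modes, and the
minimum number of AND-ed fields required by Low strictness is one.
"""
from dataclasses import dataclass

DEFAULT_DETECTION_SECONDS = 10          # footprint generated after 10 s regardless
MIN_FIELDS_FOR_STRICTNESS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class EarlyBlockingConfig:
    any_field: bool = True              # "Any Packet Header Field" checkbox
    fields_threshold: int = 21          # Any Packet Header Field Threshold (0-30)
    values_threshold: int = 500         # Packet Header Field Values (1-1000)
    selected_fields: frozenset = frozenset()  # DNS Packet Header table selection
    strictness: str = "Medium"          # configured Footprint Strictness

    def validate(self) -> list:
        """Return the configuration conflicts that the settings page would reject."""
        errors = []
        if not 0 <= self.fields_threshold <= 30:
            errors.append("fields threshold outside 0-30")
        if not 1 <= self.values_threshold <= 1000:
            errors.append("values threshold outside 1-1000")
        if self.values_threshold < self.fields_threshold:
            errors.append("values threshold must not be less than fields threshold")
        required = self.fields_threshold if self.any_field else len(self.selected_fields)
        if required < MIN_FIELDS_FOR_STRICTNESS[self.strictness]:
            errors.append(f"fewer fields than {self.strictness} strictness requires")
        return errors


def early_condition_met(cfg, anomalous_fields, anomalous_values) -> bool:
    """True when the observed anomalies satisfy the configured early-blocking thresholds."""
    if anomalous_values < cfg.values_threshold:
        return False
    if cfg.any_field:
        return len(anomalous_fields) >= cfg.fields_threshold
    return cfg.selected_fields <= set(anomalous_fields)   # every selected field seen


def next_state(cfg, elapsed_seconds, anomalous_fields, anomalous_values) -> str:
    """Analysis -> Blocking: early on the thresholds, unconditionally at 10 s."""
    if elapsed_seconds >= DEFAULT_DETECTION_SECONDS:
        return "Blocking"
    if early_condition_met(cfg, anomalous_fields, anomalous_values):
        return "Blocking"
    return "Analysis"


def time_to_block(cfg, samples) -> float:
    """First sample time at which the protection enters Blocking.

    samples: iterable of (elapsed_seconds, anomalous_fields, anomalous_values),
    one per analysis interval; falls back to the 10 s default transition.
    """
    for elapsed, fields, values in sorted(samples, key=lambda s: s[0]):
        if next_state(cfg, elapsed, fields, values) == "Blocking":
            return elapsed
    return DEFAULT_DETECTION_SECONDS


# Constructed timeline: anomalous fields and values accumulate over the first seconds.
SAMPLE_TIMELINE = [
    (2, {"DNS ID", "Packet Size"}, 40),
    (4, {"DNS ID", "Packet Size", "TTL", "Source Port"}, 210),
    (6, {"DNS ID", "Packet Size", "TTL", "Source Port", "IP ID"}, 640),
]

if __name__ == "__main__":
    lab = EarlyBlockingConfig(fields_threshold=3, values_threshold=200)
    print("default thresholds block at", time_to_block(EarlyBlockingConfig(), SAMPLE_TIMELINE), "s")
    print("lab thresholds block at", time_to_block(lab, SAMPLE_TIMELINE), "s")
```

With the default thresholds (21 fields, 500 values) the sample timeline never meets the early condition and blocking starts at the 10-second default; with the lowered lab thresholds it starts at 4 seconds.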

Selecting Packet Header Fields for Early Blocking of DNS Traffic

You can select the specific packet header fields to be included in the set of packet headers that the DefensePro device must detect to generate a footprint and start early blocking.

To select packet header fields for early blocking

1. In the Configuration perspective Security Settings tab navigation pane, select DNS Flood Protection > Packet Header.
2. From the Protection Type drop-down list, select the protection type and click Go. The DNS Packet Header table displays the relevant packet header fields.
3. To change the early blocking enabling setting for a field, double-click the row, change the setting in the dialog box, and click OK.

Table 77: DNS Packet Header Field Parameters

Protection Type
  (Read-only) The protection for which you are configuring early blocking.
Packet Header Field
  (Read-only) The packet header field.
Enable Early Blocking Condition
  When selected, the packet header is included in the set of specific packet headers that DefensePro must detect to generate a footprint and start early blocking.

Managing the Network Protection Policy

The network-protection policy protects your configured networks using protection profiles. Individual network protection rules make up the network-protection policy. Each rule uses one or more protection profiles that are applied on a predefined network segment. In addition, each rule includes the action to take when an attack is detected.
Before you configure rules and profiles for the network-protection policy, ensure that you have enabled all the required protections and configured the corresponding global protection parameters in the Security Settings tab.
There are two main types of network protections, Intrusion Preventions (see Table 78 - Intrusion Prevention Protections, page 156) and Denial of Service protection (see Table 79 - Denial of Service Protections, page 157).

Table 78: Intrusion Prevention Protections

Signatures
  Prevents known application vulnerabilities and exploitation attempts, and protects against known DoS/DDoS flood attacks.
Anti-Scanning
  Prevents zero-day self-propagating network worms, horizontal scans, and vertical scans.

Table 79: Denial of Service Protections

Behavioral DoS
  Detects and prevents zero-day DoS/DDoS flood attacks.
Connection Limit
  Protects against connection flood attacks.
SYN Protection
  Prevents SYN flood attacks using SYN cookies.
Connection PPS Limit
  Protects against DoS attacks that use a high PPS rate in a certain connection.
DoS Shield
  Protects against known flood attacks and flood attack tools that cause a denial of service effect.
DNS Protection
  Detects and prevents zero-day DNS-flood attacks.
Out of State Protection
  Detects out-of-state packets to provide additional protection for application-level attacks.

Configuring the Network Protection Policy


Each rule in a network-protection policy consists of two parts:
The classification that defines the protected network segment.
The action to be applied when an attack is detected on the matching network segment. The
action defines the protection profiles to be applied to the network segment, and whether the
malicious traffic should be blocked. Malicious traffic is always reported.

Before you configure a rule, ensure that you have configured the following:
The Classes that will be required to define the protected network segment. For more
information, see Managing Classes, page 249.
The Network Protection profiles. For more information see:
Configuring Signature Protection for Network Protection, page 161
Configuring BDoS Profiles for Network Protection, page 181
Configuring Anti-Scanning Protection for Network Protection, page 183
Configuring Connection Limit Profiles for Network Protection, page 186
Configuring SYN Profiles for Network Protection, page 190
Configuring Connection PPS Limit Profiles for Network Protection, page 196
Configuring DNS Protection Profiles for Network Protection, page 199
Configuring Out of State Protection Profiles for Network Protection, page 202

Caution: When you configure the policy, APSolute Vision stores your configuration changes, but
it does not download your configuration changes to the device. To apply changes onto
the device, you must activate the configuration changes.


To configure a network-protection rule

1. In the Configuration perspective Network Protection tab navigation pane, select Network
Protection Rules.
2. To add or modify a network-protection rule, do one of the following:

To add an entry to the table, click the (Add) button.


To edit an entry in the table, double-click the entry.
3. Configure the network-protection rule parameters; and then, click OK.
4. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more
information, see Updating Policy Configurations on a DefensePro Device, page 274.

Table 80: Network Protection Rule Parameters

Parameter Description
Basic Parameters
Enabled Specifies whether the rule is enabled.
Rule Name The name of the network-protection rule.

Classification
SRC Network The source of the packets that the rule uses.
Values:
A Network class displayed in the Classes tab
An IP address
any
DST Network The destination of the packets that the rule uses.
Values:
A Network class displayed in the Classes tab
An IP address
any
Port Group The Physical Port class or physical port that the rule uses.
Values:
A Physical Port class displayed in the Classes tab
The physical ports on the device
None

Direction The direction of the traffic to which the rule relates.
Values:
One Way: The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.
Two Way: The protection applies to sessions that match the network definitions of the policy regardless of their direction.
Default: One Way
VLAN Tag Group The VLAN Tag class that the rule uses.
Values:
A VLAN Tag class displayed in the Classes tab
None
Note: If you specify a VLAN group, you cannot specify an MPLS RD
group.
MPLS RD Group The MPLS route distinguisher (RD) class that the rule uses. The device dynamically associates the MPLS tag value with the configured MPLS RD values installed between P and PE routers in the provider's MPLS backbone.
Values:
An MPLS RD class displayed in the Classes tab
None
Note: If you specify an MPLS RD group, you cannot specify a VLAN group.
Action
Protection Profile (Displayed in the table) The profile to be applied to the network
segment defined in this rule.
BDoS Profile The BDoS profile to be applied to the network segment defined in this
rule.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
DNS Profile The DNS Protection profile to be applied to the network segment
defined in this rule.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
Anti Scanning Profile The Anti-Scanning profile to be applied to the network segment
defined in this rule.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
Signature Protection Profile The Signature Protection profile to be applied to the network segment
defined in this rule.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.

Connection Limit Profile The Connection Limit profile to be applied to the network segment
defined in this rule.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
SYN Flood Profile The SYN Flood profile to be applied to the network segment defined in
this rule.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
Connection PPS Limit Profile The Connection PPS Limit profile to be applied to the network segment defined in this rule.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
Out of State Profile The Out of State profile to be applied to the network segment defined
in this rule.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
Web Quarantine (This parameter is available only in devices with an SME.) Specifies whether the device quarantines all outbound Web traffic from internal hosts in the destination segment of the network policy after matching a signature configured with the Web Quarantine option enabled (Network Protection tab > Signature Protection > Signatures > Web Quarantine Option).
To enable this option, the value for the Direction field must be Two Way.
Values: Enable, Disable
Default: Disable
Note: For more information, see Configuring Signature Protection Signatures, page 164 and Configuring Web Quarantine Actions and Quarantined Sources, page 176.
Action The default action for all attacks under this policy.
Values:
Block and Report: The malicious traffic is terminated, and a security event is generated and logged.
Report Only: The malicious traffic is forwarded to its destination, and a security event is generated and logged.
Default: Block and Report
Note: Signature-specific actions override the default action for the policy.
Packet Reporting and Trace Setting
Packet Reporting Specifies whether the device sends sampled attack packets to
APSolute Vision for offline analysis.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration
perspective, Advanced Parameters > Security
Reporting Settings > Enable Packet Reporting).

Packet Reporting Configuration on Policy Takes Precedence Specifies whether the configuration of the Packet Reporting feature here, on this policy rule, takes precedence over the configuration of the Packet Reporting feature in the associated profiles.
Packet Trace Specifies whether the DefensePro device sends attack packets to the
specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration
perspective, Advanced Parameters > Security
Reporting Settings > Enable Packet Trace on
Physical Port). In addition, a change to this parameter
takes effect only after you update policies.
Packet Trace Configuration on Policy Takes Precedence Specifies whether the configuration of the Packet Trace feature here, on this policy rule, takes precedence over the configuration of the Packet Trace feature in the associated profiles.
Caution: A change to this parameter takes effect only after you
update policies.
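The classification half of a rule (SRC Network, DST Network, Direction and VLAN Tag Group in Table 80) can be reasoned about as a small matching function. The following Python is an added illustration written for this guide, not Radware code and not how DefensePro implements classification internally. It assumes a Network class is represented as a list of CIDR strings, that a session is matched on its initiator and responder addresses, and the rule and session dictionaries and their field names are constructed for the example:

```python
import ipaddress

def in_network_class(addr, net_class):
    """True if addr falls in net_class: 'any', a single IP or CIDR string, or a
    list of CIDR strings standing in for a Network class (example assumption)."""
    if net_class == "any":
        return True
    ip = ipaddress.ip_address(addr)
    members = net_class if isinstance(net_class, list) else [net_class]
    return any(ip in ipaddress.ip_network(m, strict=False) for m in members)

def rule_matches_session(rule, session):
    """Classification part of a network-protection rule (Table 80).
    rule: enabled, src, dst, direction ('One Way' or 'Two Way') and vlan (a set
          of VLAN tags, or None when no VLAN Tag Group is selected).
    session: initiator and responder IP strings, plus vlan (tag or None).
    One Way covers only sessions opened from SRC towards DST; Two Way covers
    sessions between the two networks in either orientation."""
    if not rule.get("enabled", True):
        return False
    if rule.get("vlan") is not None and session.get("vlan") not in rule["vlan"]:
        return False
    forward = (in_network_class(session["initiator"], rule["src"])
               and in_network_class(session["responder"], rule["dst"]))
    if rule["direction"] == "One Way":
        return forward
    reverse = (in_network_class(session["initiator"], rule["dst"])
               and in_network_class(session["responder"], rule["src"]))
    return forward or reverse

def matching_rules(rules, session):
    """Names of every enabled rule whose classification covers the session."""
    return [r["name"] for r in rules if rule_matches_session(r, session)]

# Constructed sample policy (documentation-range addresses, not a real deployment).
SAMPLE_RULES = [
    {"name": "inbound-web", "enabled": True, "src": "any",
     "dst": ["192.0.2.0/24"], "direction": "One Way", "vlan": None},
    {"name": "dmz-both-ways", "enabled": True, "src": "any",
     "dst": ["198.51.100.0/25"], "direction": "Two Way", "vlan": {100}},
    {"name": "disabled-rule", "enabled": False, "src": "any",
     "dst": "any", "direction": "Two Way", "vlan": None},
]
```

The point the example makes is the one the Direction row states: with One Way, a session opened from the protected segment outwards does not fall under the rule at all, so outbound-initiated behaviour is only covered by a Two Way rule (which the Web Quarantine parameter also requires).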

Configuring Signature Protection for Network Protection

Note: Signature Protection is not available in DefensePro models running on the OnDemand
Switch 3 S1 platform.

Signature Protection detects and prevents network-oriented attacks, operating system (OS)-oriented attacks and application-oriented attacks by comparing each packet to the set of signatures stored in the Signatures database.
The attacks handled by this protection can be divided into the following groups:
Server-based vulnerabilities:
Web vulnerabilities
Mail server vulnerabilities
FTP server vulnerabilities
SQL server vulnerabilities
DNS server vulnerabilities
SIP server vulnerabilities
Worms and viruses
Trojans and backdoors
Client-side vulnerabilities
IRC bots
Spyware
Phishing
Anonymizers


Configuration Considerations with Signature Protection


You can configure Signature Protection using Radware Security Operations Center (SOC) signature
profiles or using user-defined signature profiles.
Radware recommends that you configure policies containing Signature Protection profiles using
Networks with Source = Any, the public network, and Destination = Protected Network. You can
configure policies to use VLAN tags, application ports, physical ports, and MPLS RDs.
For implications of direction settings for rules and protections, see Table 81 - Implications of Policy
Directions, page 162.
Policies containing Signature Protection profiles can be configured with Direction set to either One
Way or Two Way.
Protections can be configured with the Direction values Inbound, Outbound, or In-Outbound.
While most attacks (such as worm infections) are detected through their inbound pattern, some attacks, trojans for example, can only be detected by inspecting the outbound patterns initiated by infected hosts.
Policies configured with Source = Any and Destination = Any inspect only In-Outbound attacks.
Radware provides you with a set of predefined signature profiles for field installation, such as
Corporate Gateway, DMZ and LAN protections, Carrier links protections, and so on. Radware profiles
are continuously updated along with the weekly signature database maintained by the Radware
SOC. You cannot edit Radware signature profiles.

Table 81: Implications of Policy Directions

Policy Direction   Policy Action   Packet Direction   Signature Direction
                                                      Inbound   Outbound   Inbound or Outbound
From To            One way         Ex to in           Inspect   Ignore     Inspect
                                   In to ex           Ignore    Inspect    Ignore
From To            Two way         Ex to in           Inspect   Ignore     Inspect
                                   In to ex           Ignore    Inspect    Inspect
Any to any         N/A             N/A                Ignore    Ignore     Inspect

Configuring Signature Protection Profiles


A Signature Protection profile contains one or more rules for the network segment you want to
protect. Each rule defines a query on the Signatures database. DefensePro activates protections
from the signature database that comply with the set of rules. The user-defined profile is updated
each time you download an updated Signatures database.
Each rule in the profile can include one or more entries from the various attribute types.
Rules define a query on the Signatures database based on the following logic:
Values from the same type are combined with logical OR.
Values from different types are combined with logical AND.


The rules are combined in the profile with a logical OR.

Note: Rules in the profile are implicit. That is, when you select an attribute value, the rule matches all signatures that carry that attribute value plus all signatures that carry no value of that attribute type at all. This logic ensures that signatures that may be relevant to the protected network are included, even if the SOC has not associated them explicitly with the application in the network.
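The three combination rules (OR within an attribute type, AND across types, OR across rules) together with the implicit matching described in the Note decide which signatures a user-defined profile activates. The following Python is an added worked example for this guide, not Radware code and not the device's query engine; the signature IDs, attribute types and values are constructed sample data, and `implicit=False` is included only to show how much the implicit behaviour widens the result:

```python
# Constructed sample signature database for this example (not Radware SOC data).
# Each signature maps an attribute type to the set of values assigned to it; an
# absent type means the SOC assigned no value of that type at all.
SAMPLE_SIGNATURES = {
    1001: {"Application": {"HTTP"}, "Risk": {"High"}},
    1002: {"Application": {"SMTP"}, "Risk": {"High"}},
    1003: {"Application": {"HTTP", "DNS"}, "Risk": {"Low"}},
    1004: {"Risk": {"High"}},        # no Application attribute at all
    1005: {},                        # no attributes at all
}

def signature_matches_rule(signature, rule, implicit=True):
    """One rule is {attribute_type: set(values)}.
    Values of the same type are ORed: the signature needs at least one of them.
    Different types are ANDed: every selected type must be satisfied.
    With implicit=True (the behaviour described in the Note), a signature that
    carries no value of a selected type also satisfies that type."""
    for attr_type, wanted in rule.items():
        assigned = signature.get(attr_type)
        if assigned is None:
            if implicit:
                continue
            return False
        if not (assigned & wanted):
            return False
    return True

def profile_signature_ids(signatures, profile, implicit=True):
    """Rules in a profile are ORed: return the sorted IDs of every signature
    that satisfies at least one rule of the profile."""
    return sorted(sid for sid, sig in signatures.items()
                  if any(signature_matches_rule(sig, rule, implicit) for rule in profile))
```

A profile with the single rule Application = HTTP AND Risk = High therefore activates not only signature 1001 but also 1004 and 1005, which carry no Application value; Show Matching Signatures in the profile dialog is where you confirm the actual set on the device.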

To configure Signature Protection profiles, IPS protection must be enabled and global DoS Shield
parameters must be configured. For more information, see Configuring Global Signature Protection,
page 131 and Configuring DoS Shield Protection, page 132.

To configure Signature Protection profiles

1. In the Configuration perspective Network Protection tab navigation pane, select Signature
Protection > Profiles.
2. Do one of the following:

To add a profile, click the (Add) button, and enter a profile name.
To edit a profile, double-click the entry in the table.
To display the list of signatures associated with the configured protections for the profile,
double-click the entry in the table; and then, click Show Matching Signatures.
3. To add a rule:
a. In the rules table, right-click and select, Add New Signature Profile.
b. Enter a profile name, and select an attribute and its value.
c. Click OK. The new rule is displayed in the rule table. You can now add more attributes to the
rule, and add more values to existing rule attributes.
4. To add an attribute to an existing rule:
a. In the rules table, right-click the rule, and select Add Attribute Type.
b. Select an attribute and its value.
c. Click OK. The new attribute is displayed in the rule.
5. To add a value to an existing rule attribute:
a. In the rules table, right-click the rule attribute, and select Add Attribute Value.
b. Select a value for the attribute.
c. Click OK. The new attribute value is displayed in the rule.
6. To save the signature profile configuration, click OK.

Table 82: Signature Profile Parameters

Parameter Description
Profile Name The name of the signature profile. For a new profile, enter a profile
name.
Show Matching Signatures This button appears only when editing a profile. Click to display the
list of signatures associated with the configured protections for the
profile.

Signature Profile Rules Table
The table displays details of the configured rules for the selected profile. Each rule can contain
more than one attribute type, and each attribute type can contain one or more attribute values.
Rule Name The name of the signature profile rule.
Note: This field is read-only when adding an attribute type or
attribute value.
Attribute Type Select from the list of predefined attribute types, which are based
on the various aspects taken into consideration when defining a
new attack.
Attribute Value Select the value for the defined attribute type.

Configuring Signature Protection Signatures


A signature is a building block of the protection profile. Each signature contains one or more
protection filters and attributes that determine which packets are malicious and how they are
treated.
Signature settings parameters define how malicious packets are tracked and treated once their
signature is recognized in the traffic. Each attack is bound to a tracking function that defines how
the packet is handled when it is matched with a signature. The main purpose of these functions is to
determine whether the packet is harmful and to apply an appropriate action.
The Signatures table provides you with filters that allow viewing Radware and user-defined
signatures. You can define filtering criteria, so that all signatures that match the criteria are
displayed in the Signatures table. You can also add user-defined signatures.

Note: You can edit and remove only user-defined signatures. For Radware-defined signatures,
you can edit the general parameters only.

To view Signature Protection signatures

1. In the Configuration perspective Network Protection tab navigation pane, select Signature
Protection > Signatures.
2. To view all signatures, do one of the following:
Click Filter by ID, then click Go.
Click Filter by Attribute, select All Signatures in the Display list, then click Go.
3. To view user-defined signatures, click Filter by Attribute, select User Signatures in the
Display list, then click Go.


4. To filter the signatures for display:


To filter by ID, click Filter by ID, enter the required ID number and click Go.
To filter by attribute, click Filter by Attribute, configure the following parameters and click
Go.

Parameter Description
Display Specifies which sets of signatures to display.
Values:
User Signatures: User-defined signatures. You can edit and remove these signatures.
Static Signatures: Radware-defined signatures. You can edit only the general parameters of these signatures.
All Signatures: User-defined and Radware-defined signatures.
Attribute Type Select from the list of predefined attribute types, which are based
on the various aspects taken into consideration when defining a
new attack.
Attribute Value Select the value for the defined attribute type.

To configure Signature Protection signatures

1. In the Configuration perspective Network Protection tab navigation pane, select Signature
Protection > Signatures.
2. To add or edit a signature, do one of the following:

To add a signature, click the (Add) button.


To edit a signature, display the required signature, then double-click the signature.
3. Configure the parameters; and then click OK.

Table 83: Signature Parameters

Parameter Description
Signature Name The name of the signature, up to 29 characters.
Signature ID (Read-only) The ID assigned to the signature by the system.
Enabled Specifies whether the signature can be used in protection profiles.
Tracking Time The time, in milliseconds, for measuring the Active Threshold. When a
number of packets exceeding the threshold passes through the device
within the configured Tracking Time period, the device recognizes it as an
attack.
Default: 1000

Tracking Type Specifies how the device determines which traffic to block or drop when
under attack.
Values:
bobo2K
Destination Count: Select this option when the defined attack is destination-based, that is, the hacker is attacking a specific destination such as a Web server (for example, Ping Floods or DDoS attacks).
DHCP
Drop All: Select this option when each packet of the defined attack is harmful (for example, Code Red and Nimda attacks).
Caution: On devices without the SME, this option may have a negative impact on performance.
Fragments
FTP Bounce
Land Attack
ncpsdcan
Sampling: Select this option when the defined attack is based on sampling, that is, a DoS Shield attack.
Source and Destination Count: Select this option when the attack is source- and destination-based, that is, the hacker is attacking from a specific source IP address to a specific destination IP address (for example, Port Scan attacks).
Source Count: Select this option when the defined attack is source-based, that is, the attack can be recognized by its source address (for example, a Horizontal Port Scan, where the hacker scans a certain application port, TCP or UDP, to detect which servers are available in the network).
Default:
Drop All: On devices without the SME.
Sampling: On devices without the SME.
Action Mode The action taken when an attack is detected.
Values:
Drop: The packet is discarded.
Report Only: The packet is forwarded to the defined destination.
MM7: If the packet contains a threat, the device drops the message and sends an application-level error message to the server to remove the message from the queue and prevent a re-transmission. The error message contains the Transaction ID, Content Length and Message ID.
Reset Source: Sends a TCP-Reset packet to the packet source IP address.
Reset Destination: Sends a TCP-Reset packet to the destination address.
Reset Bidirectional: Sends a TCP-Reset packet to both the packet source IP and the packet destination IP address.
Default: Drop

Suspend Action Specifies which session traffic the device suspends for the duration of the
attack.
Values:
None: The suspend action is disabled for this attack.
Source IP: All traffic from the IP address identified as the source of this attack is suspended.
Source IP and Destination IP: Traffic from the IP address identified as the source of this attack to the destination IP under attack is suspended.
Source IP and Destination Port: Traffic from the IP address identified as the source of this attack to the application (destination port) under attack is suspended.
Source IP, Destination IP and Port: Traffic from the IP address identified as the source of this attack to the destination IP and port under attack is suspended.
Source IP and Port, Destination IP and Port: Traffic from the IP address and port identified as the source of this attack to the destination IP and port under attack is suspended.
Direction The protection inspection path. The protections can inspect the incoming
traffic only, the outgoing traffic only, or both.
Values: Inbound, Outbound, Inbound & Outbound
Default: Inbound & Outbound
Activation Threshold The maximum number of attack packets allowed in each Tracking Time unit. Packets matching the signature are treated as legitimate traffic as long as their number within a Tracking Time period does not exceed this threshold.
When the value for Tracking Type is Drop All, the DefensePro device
ignores this parameter.
Default: 50
Drop Threshold After an attack has been detected, the device starts dropping excessive
traffic only when this threshold is reached. This parameter is measured in
PPS.
When the value for Tracking Type is Drop All, the profile ignores this
parameter.
Default: 50
Termination Threshold When the attack PPS rate drops below this threshold, the profile changes
the attack from active mode to inactive mode.
When the value for Tracking Type is Drop All, the DefensePro device
ignores this parameter.
Default: 50
Packet Reporting Enables the sending of sampled attack packets to APSolute Vision for
offline analysis.
Default: Disabled
Exclude Source IP Address The source IP address or network whose packets the profile does not inspect.
Default: None

Exclude Destination IP Address The destination IP address or network whose packets the profile does not inspect.
Default: None
Packet Trace Specifies whether the DefensePro device sends attack packets to the
specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration
perspective, Advanced Parameters > Security Reporting
Settings > Enable Packet Trace on Physical Port). In
addition, a change to this parameter takes effect only after
you update policies.
Web Quarantine Option (This parameter is available only in devices with an SME.) Specifies whether the device can quarantine all Web traffic from internal hosts after matching this signature.
To enable this option:
The value for the Direction field must be Inbound & Outbound.
The value for the Tracking Type field must be Drop All.
Values: Enable, Disable
Default: Disable
Caution: The device implements this option for the signature only
when the Web Quarantine checkbox in the Network Policy
(Network Protection tab > Network Protection Rules) is
selected also.
Filters Table Filters are components of a protection, each containing one specific attack
signature, that scan and classify predefined traffic. Filters match scanned
packets with attack signatures in the Signatures database.
For each custom protection, you define custom filters. You cannot use
filters from other protections when customizing protection definitions.
To add a filter, right-click and select Add New Filter.
To edit a filter, right-click and select Edit Filter.
Note: For more information, see Table 84 - Signature Filter
Parameters, page 168.
Attributes Table The attributes that you select for the signature determine the attack
characteristics used in the rule creation process.
To add an attribute value, right-click in the table; and then, select Add
New Attribute Value.
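Tracking Time, Tracking Type and the three thresholds in Table 83 describe a per-key rate tracker: packets that match a signature are counted per source, destination or source-destination pair within each Tracking Time window, an attack becomes active when the count exceeds the Activation Threshold, excess traffic is dropped only while the rate is above the Drop Threshold, and the attack ends once the rate falls below the Termination Threshold. The following Python is an added model of that behaviour written for this guide, not Radware code and not DefensePro's actual tracking implementation; timestamps, addresses and thresholds are constructed, Sampling (DoS Shield) is deliberately not modelled, and the simplification that termination is evaluated when a window closes is an assumption of this example:

```python
from dataclasses import dataclass, field

SUPPORTED_TRACKING_TYPES = ("Drop All", "Source Count", "Destination Count",
                            "Source and Destination Count")

@dataclass
class SignatureTracker:
    """Decides, per packet that already matched one signature, whether the packet
    is dropped or forwarded, using the Table 83 parameters."""
    tracking_type: str
    tracking_time_ms: int = 1000
    activation_threshold: int = 50     # packets per Tracking Time window
    drop_threshold: int = 50           # PPS
    termination_threshold: int = 50    # PPS
    _windows: dict = field(default_factory=dict)   # key -> (window_start_ms, count)
    _active: set = field(default_factory=set)      # keys currently under attack

    def __post_init__(self):
        if self.tracking_type not in SUPPORTED_TRACKING_TYPES:
            raise ValueError(f"tracking type not modelled in this example: {self.tracking_type}")

    def _key(self, src, dst):
        # What the attack is counted against depends on the Tracking Type.
        return {"Source Count": (src,), "Destination Count": (dst,),
                "Source and Destination Count": (src, dst)}[self.tracking_type]

    def _pps(self, count):
        # Drop and Termination thresholds are expressed in packets per second.
        return count * 1000 / self.tracking_time_ms

    def process(self, ts_ms, src, dst):
        """Return 'drop' or 'forward' for one matching packet seen at ts_ms."""
        if self.tracking_type == "Drop All":
            return "drop"                      # every matching packet is harmful
        key = self._key(src, dst)
        start, count = self._windows.get(key, (ts_ms, 0))
        if ts_ms - start >= self.tracking_time_ms:
            # Previous window closed: an active attack ends when its rate fell
            # below the Termination Threshold (example assumption: checked here).
            if key in self._active and self._pps(count) < self.termination_threshold:
                self._active.discard(key)
            start, count = ts_ms, 0
        count += 1
        self._windows[key] = (start, count)
        if key not in self._active and count > self.activation_threshold:
            self._active.add(key)              # attack detected for this key
        if key in self._active and self._pps(count) > self.drop_threshold:
            return "drop"                      # excessive traffic during the attack
        return "forward"

    def active_keys(self):
        """Keys (sources, destinations or pairs) currently in active attack state."""
        return set(self._active)
```

Note what the model makes visible: with Source Count, a second source sending the same signature match during the attack is still forwarded until it crosses the threshold on its own, which is exactly the difference between the Source Count and Destination Count choices in the table.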

Table 84: Signature Filter Parameters

Parameter Description
Basic Parameters
Each filter has a specified name and specified protocol-properties parameters.
Filter Name The name of the signature filter.

Protocol The protocol used.
Values:
ICMP
ICMPv6
IP
Non IP
TCP
UDP
Default: IP
Source Application Port For UDP and TCP traffic only.
Select from the list of predefined Application Port Groups.
Destination Application Port For UDP and TCP traffic only. Select from the list of predefined Application Port Groups.
Packet Parameters
Packet parameters are used to match the correct packet length in different layers.
Packet Size Type Specifies whether the length is measured for Layer 2, Layer 3, Layer 4 or
Layer 7 content.
Values:
L2: The complete packet length is measured, including Layer 2 headers.
L3: The Layer 2 data part of the packet is measured (excluding the Layer 2 headers).
L4: The Layer 3 data part of the packet is measured (excluding the Layer 2/Layer 3 headers).
L7: The Layer 4 data part of the packet is measured (excluding the Layer 2/Layer 3/Layer 4 headers).
None
Default: None
Packet Size Length The range of values for packet length.
Notes:
>> The size is measured per packet only.
>> The size is not applied on reassembled packets.
>> Fragmentation of Layer 4 to Layer 7 packets may produce tail fragments that do not contain the Layer 4 to Layer 7 headers. The check is bypassed for such fragments, as no match with Type = L4 to L7 is detected.

OMPC Parameters
Offset Mask Pattern Condition (OMPC) parameters are a set of attack parameters that define rules
for pattern lookups. The OMPC rules look for a fixed size pattern of up to four bytes that uses fixed
offset masking. This is useful for attack recognition, when the attack signature is a TCP/IP header
field or a pattern in the data/payload in a fixed offset.
OMPC Condition The OMPC condition.
Values:
Equal
Greater Than
Not Applicable
Less Than
Not Equal
Default: Not Applicable
OMPC Length The length of the OMPC (Offset Mask Pattern Condition) data:
Values:
Not Applicable
1 Byte
2 Bytes
3 Bytes
4 Bytes
Default: 1 Byte
OMPC Offset The location in the packet from which data checking starts looking for specific bits in the IP/TCP header.
Values: 0-1513
Default: 0
OMPC Offset Relative to Specifies to which OMPC offset the selected offset is relative.
Values:
None
IP Header
IP Data
L4 Data
L4 Header
Ethernet
Default: None
OMPC Pattern The fixed-size pattern within the packet that OMPC rules attempt to find.
Values: A combination of hexadecimal digits (0-9, a-f). The number of significant bytes is defined by the OMPC Length parameter.
The OMPC Pattern definition contains eight hexadecimal symbols. When the OMPC Length is less than four bytes, complete it with trailing zeros.
For example, when the OMPC Length is two bytes, the OMPC Pattern can be abcd0000.
Default: 00000000

OMPC Mask The mask applied to the packet bytes before they are compared with the OMPC Pattern.
Values: A combination of hexadecimal digits (0-9, a-f). The number of significant bytes is defined by the OMPC Length parameter.
The OMPC Mask definition contains eight hexadecimal symbols. When the OMPC Length value is less than four bytes, complete it with trailing zeros.
For example, when the OMPC Length is two bytes, the OMPC Mask can be abcd0000.
Default: 00000000
Content Parameters
The Content parameters define the rule for a text/content string lookup for attack recognition,
when the attack signature is a text/content string within the packet payload. The Content
parameters are available only for TCP, UDP and ICMP protocols.
Content Type Enables you to search for a specific content type, which you select from a
long list.
For the list of valid values, see Table 85 - Content Types, page 172.
Default: N/A. With this value the device does not filter the content based on type.
Content Encoding Application Security can search for content in languages other than
English, for case-sensitive or case-insensitive text, and hexadecimal
strings.
Values:
Not Applicable
Case Insensitive
Case Sensitive
Hex
International
Default: Not Applicable
Note: The value of this field corresponds to the Content Type
parameter.
Content The value of the content search, except for HTTP headers, cookies, and
FTP commands.
Values: Any printable ASCII character: <space> ! " # $ % & ' ( ) * + , - . / 0-9 : ; < = > ? @ A-Z [ \ ] ^ _ ` a-z { | } ~
Content Offset The location in the packet from which the content is checked. The offset location is measured from the beginning of the UDP or TCP header.
Values: 0-65,535
Default: 0
Content Max Length The maximum length to be searched within the selected Content Type.
Values: 0-65,535
Default: 0
Note: The Content Max Length value must be equal to or greater than the Content Offset value.

Content Data Encoding Application Security can search for data in languages other than English,
for case-sensitive or case-insensitive data, and hexadecimal strings.
Values:
Not Applicable
Case Insensitive
Case Sensitive
HEX
International
Default: Not Applicable
Note: The value of this field corresponds to the Content Type
parameter.
Content Data The content type for the content search.
Values:
HTTP Header: The value of the HTTP header. The header name is defined by the Content field.
Cookie: The cookie value. The cookie name is defined by the Content field.
FTP Command: The FTP command arguments. The FTP command is defined by the Content field.
Distance Range A range that defines the allowable distance between two content
characters. When the distance exceeds the specified range, it is
recognized as an attack.
Regular Expression Content Specifies whether the Content Data field value is formatted as a regular expression (and not as free text to search). You can set a regex search for all content types.
Regular Expression Content Data Specifies whether the Content Data value is formatted as a regular expression (and not as free text to search).
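The OMPC parameters (offset, relative-to anchor, length, pattern, mask and condition) and the Packet Size Type options in Table 84 are easiest to understand by evaluating them against a real byte layout. The following Python is an added worked example for this guide, not Radware code and not the device's filter engine. It builds a constructed, untagged Ethernet/IPv4/TCP frame (the addresses and payload are sample values), computes the byte offsets that each "OMPC Offset Relative to" anchor and each Packet Size Type refer to, and applies one OMPC rule; treating "None" as the start of the frame, and the IP Data anchor as coinciding with the L4 header, are assumptions of this example, and VLAN-tagged or IPv6 frames are not handled:

```python
import struct

def build_sample_frame(ttl=64, tcp_flags=0x02, payload=b"GET / HTTP/1.1\r\n"):
    """Constructed untagged Ethernet/IPv4/TCP frame for the example (not captured traffic)."""
    eth = bytes(12) + b"\x08\x00"                     # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def layer_offsets(frame):
    """Start offsets of the IP header, the L4 header and the L4 payload."""
    ip_start = 14                                     # after the 14-byte Ethernet header
    l4_start = ip_start + (frame[ip_start] & 0x0F) * 4   # IHL in 32-bit words
    proto = frame[ip_start + 9]
    if proto == 6:                                    # TCP: data offset field
        l4_hdr = (frame[l4_start + 12] >> 4) * 4
    elif proto == 17:                                 # UDP: fixed 8-byte header
        l4_hdr = 8
    else:
        l4_hdr = 0
    return {"ip": ip_start, "l4": l4_start, "l4_data": l4_start + l4_hdr}

def packet_size(frame, size_type):
    """Length as counted by the Packet Size Type options L2, L3, L4 and L7."""
    off = layer_offsets(frame)
    return {"L2": len(frame), "L3": len(frame) - off["ip"],
            "L4": len(frame) - off["l4"], "L7": len(frame) - off["l4_data"]}[size_type]

def ompc_match(frame, offset, length, pattern, mask, condition, relative_to="None"):
    """Evaluate one OMPC rule. pattern and mask are the 8-hex-digit strings from
    Table 84, right-padded with zeros; only the first `length` bytes are used."""
    if condition == "Not Applicable":
        return True
    off = layer_offsets(frame)
    base = {"None": 0, "Ethernet": 0, "IP Header": off["ip"], "IP Data": off["l4"],
            "L4 Header": off["l4"], "L4 Data": off["l4_data"]}[relative_to]
    start = base + offset
    if start + length > len(frame):
        return False                                  # field lies beyond this packet
    value = int.from_bytes(frame[start:start + length], "big") & int(mask[:2 * length], 16)
    target = int(pattern[:2 * length], 16)
    return {"Equal": value == target, "Not Equal": value != target,
            "Greater Than": value > target, "Less Than": value < target}[condition]
```

Two rules worth trying on the sample frame: TTL is byte 8 of the IP header, so Offset 8, Length 1 Byte, Pattern 40000000, Mask ff000000, Equal, relative to IP Header matches a TTL of 64; the TCP flags are byte 13 of the L4 header, so the same shape with Pattern 02000000 and Mask 02000000 matches any segment with SYN set, whether or not ACK is also set, which is the reason the mask exists.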

The following table describes the Content types that you can configure the device to examine as part
of the attack signature.

Table 85: Content Types

Content Type Description


Cookie HTTP cookie field. The Content field includes the cookie name, and the
Content Data field includes the cookie value.
DCE-RPC Distributed Computing Environment/Remote Procedure Calls.
File Type The requested file type in the HTTP GET command (JPG, EXE, and so on).
FTP Command Parses FTP commands to commands and arguments, while normalizing
FTP packets and stripping Telnet opcodes.
FTP Content Scans data transmitted using FTP, normalizes FTP packets and strips
Telnet opcodes.
Header Field HTTP Header field. The Content field includes the header field name, and
the Content Data field includes the field value.
Host Name In the HTTP header.
HTTP Reply Data The data of the HTTP reply. This is available only in devices with an SME.

HTTP Reply Header The header of the HTTP reply. This is available only in devices with an SME.
Mail Domain In the SMTP header.
Mail From In the SMTP header.
Mail Subject In the SMTP header.
Mail To In the SMTP header.
MM7 File Attachment The file associated with the MM7 request.
MM7 Request The request for an MM7 Error message.
Normalized URL To avoid evasion techniques when classifying HTTP requests, the URL
content is transformed into its canonical representation, interpreting the
URL the same way the server would.
The normalization procedure supports the following:
Directory referencing by reducing /./ into / or A/B/../ to A/.
Changing backslash (\) to slash (/).
Changing HEX encoding to ASCII characters. For example, the hex
value %20 is changed to a space.
Unicode support, UTF-8 and IIS encoding.
POP3 User User field in the POP3 header.
RPC Reassembles RPC requests over several packets.
RPC RFC 1831 standard provides a feature called Record Marking
Standard (RM). This feature is used to delimit several RPC requests sent
on top of the transport protocol. For a stream-oriented protocol (like TCP),
RPC uses a kind of fragmentation to delimit between records. In spite of
its original purpose, fragmentation may also divide records in the middle,
not only at their boundaries. This functionality is used to evade IPS
systems.
Text Anywhere in the packet.
URI Length Length of the URI packet in bytes.
URL The HTTP Request URI. No normalization procedures are taken.
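
The normalization steps listed for the Normalized URL content type, worked through as an added example (not part of the guide and not Radware's code): a small Python normaliser that applies them so that evasion variants of one request path compare equal. It assumes that "IIS encoding" means %uXXXX escapes and that repeated slashes are read as one, and it also decodes UTF-8 multi-byte sequences written as %XX escapes.

```python
# Added example, not Radware's code: a URL normaliser that applies the steps listed
# above for the "Normalized URL" content type, so that evasion variants of one request
# path compare equal. "IIS encoding" is assumed to mean %uXXXX escapes, and repeated
# slashes are treated as one (an assumption about how the server interprets the path).
import re
from typing import List

_HEX_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
_IIS_U_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})")


def decode_escapes(text: str) -> str:
    """Turn %uXXXX escapes into code points, then %XX escapes into bytes, and
    decode the byte sequence as UTF-8 (so %c3%a9 becomes a single character)."""
    text = _IIS_U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    raw = bytearray()
    i = 0
    while i < len(text):
        m = _HEX_ESCAPE.match(text, i)
        if m:
            raw.append(int(m.group(1), 16))
            i = m.end()
        else:
            raw.extend(text[i].encode("utf-8"))
            i += 1
    # A malformed byte sequence is replaced rather than raised on: the result is
    # still comparable, it just will not look like any legitimate path.
    return raw.decode("utf-8", errors="replace")


def collapse_dot_segments(path: str) -> str:
    """Reduce /./ to / and A/B/../ to A/, never climbing above the root.
    A trailing slash is kept, because servers distinguish /dir/ from /dir."""
    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    if segments and path.endswith("/"):
        result += "/"
    return result


def normalize_url(url: str) -> str:
    """Split off the query string first (the server does this before decoding, so a
    %3F in the path must not become a second '?'), then decode escapes, change
    backslashes to slashes and collapse directory references in the path."""
    path, sep, query = url.partition("?")
    path = collapse_dot_segments(decode_escapes(path).replace("\\", "/"))
    if not sep:
        return path
    # The query is decoded so that signatures can match its plain text, but its
    # structure is left alone: directory referencing only applies to the path.
    return path + "?" + decode_escapes(query)


if __name__ == "__main__":
    # Three constructed spellings of the same request path.
    variants = [
        "/scripts/./admin%20panel/index.html",
        "/scripts/%2e/admin%u0020panel\\index.html",
        "/scripts/old/../admin%20panel/index.html",
    ]
    for v in variants:
        print(f"{v!r:50} -> {normalize_url(v)!r}")
```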

Configuring Signature Protection Attributes


Attributes are components of the protection rules set in the process of rule-based profile configuration. Attributes are organized into types based on the various aspects taken into consideration when defining a new attack, such as environment, applications, threat level, risk level, and so on.
Each signature is assigned attributes of different types. The Radware Security Operation Center (SOC) assigns the attributes when it creates the signature, as a way to describe the signature in terms of its attribute types.
You can use the existing attributes, add new attributes, or remove attributes from the list.

Note: You can view properties of attribute types, and for the attribute types Complexity,
Confidence, and Risk you can also specify the Match Method (Minimum or Exact). For
more information, see Viewing and Modifying Attribute Type Properties, page 175.

Attributes are derived from the Signatures database and are added dynamically with any update.
For information about attribute types and their system values, see Table 86 - Attribute Types, page
174.

To configure Signature Protection attributes

1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Attributes.
2. To view attributes:
   - To view all attributes, select All and click Go.
   - To view attributes for a single attribute type, select the attribute type and click Go.
3. To add a new attribute:
   a. Click the (Add) button.
   b. Select the attribute type, and enter the attribute name.
   c. Click OK.

Table 86: Attribute Types

Applications: The applications that are vulnerable to this exploit. Examples: Web servers, mail servers, browsers.
  The parameter is optional; that is, the attribute may or may not contain a value.
  There can be multiple values.
Complexity: The level of analysis performed as part of the attack lookup mechanism. There can be only a single value for the parameter.
  Values:
  - Low: This signature has negligible impact on device performance.
  - High: This signature has a stronger impact on device performance.
Confidence: The level of certainty to which an attack can be trusted. The confidence level is the opposite of the false-positive level associated with an attack. For example, if an attack's confidence level is set to High, its false-positive level is low.
  The parameter is mandatory.
  There can be only a single value for the parameter.
  Values: Low, High, Medium
Groups: Enables you to create customized attack groups.
Platforms: The operating systems that are vulnerable to this exploit. Examples: Windows, Linux, Unix.
  The parameter is optional; that is, the attribute may or may not contain a value.
  There can be multiple values.
Risk: The risk associated with the attack. For example, attacks that impact the network are very severe and are defined as high-risk attacks.
  The parameter is mandatory.
  There can be only a single value for the parameter.
  Values: Info, Low, Medium, High
Services: The protocol that is vulnerable to this exploit. Examples: FTP, HTTP, DNS.
  The parameter is optional; that is, the parameter may or may not contain a value.
  There can be only a single value for the parameter.
Target: The target of the threat: client side or server side.
Threat Type: The threats that best describe the signature. Examples: floods, worms.
  There can be multiple values.

Viewing and Modifying Attribute Type Properties


You can view the following properties of the attribute types that the device supports:
- Multiple Values in Attack: Specifies whether the attribute type may contain multiple values in any one signature.
- Multiple Values in Rule: Specifies whether the attribute type may contain multiple values in any one signature profile rule.
- Multiple Values in Static: Specifies whether the attribute type may contain multiple values in signatures from the signature file.
- Match Method: Relevant only for the attribute types Complexity, Confidence, and Risk, which have Attribute Values with ascending-descending levels.
  Values:
  - Minimum: Specifies that the Attribute Value includes the results for the lower-level Attribute Values. For example, for the attribute type Risk with Match Method Minimum, the Attribute Value High includes the results for Info, Low, and Medium. Minimum is the default for Complexity, Confidence, and Risk.
  - Exact: Specifies that the Attribute Value uses only its own results. For example, for the attribute type Risk with Match Method Exact, the Attribute Value High uses only High-risk results.
You can change the Match Method for the attribute types Complexity, Confidence, and Risk.

To view attribute types that the device supports

In the Configuration perspective Network Protection tab navigation pane, select Signature
Protection > Attributes > Attribute Type Properties.

To change the Match Method for Complexity, Confidence, and Risk attribute types

1. In the Configuration perspective Network Protection tab navigation pane, select Signature
Protection > Attributes > Attribute Type Properties.
2. Double-click the attribute type.
3. From the Match Method drop-down list, select Minimum or Exact.
4. Click OK.

Configuring Web Quarantine Actions and Quarantined Sources


This feature is available only in devices with an SME.
The Web Quarantine feature enables DefensePro to quarantine all Web traffic from internal hosts in a protected network segment after matching a signature. When you enable the Web Quarantine mechanism, traffic from internal hosts whose traffic has matched a signature marked for quarantine enters the Quarantine table. (The Quarantine table is a subset of the Suspend table.) DefensePro blocks new HTTP connections from these internal hosts to any external destination. DefensePro responds to the connection requests according to the Quarantine action defined for the network policy.
The Web Quarantine configuration involves the following:
- Configuring quarantine actions. For more information, see Configuring Web Quarantine Actions, page 176.
- Configuring quarantined sources. For more information, see Configuring Quarantined Sources, page 180.
- Enabling the Web Quarantine option in the Network Protection rule (Network Protection tab > Network Protection Rules > Web Quarantine). For more information, see Configuring the Network Protection Policy, page 157.
- Enabling the Quarantine Web Traffic from Internal Hosts option in the configuration of the signature (Network Protection tab > Signature Protection > Signatures > Quarantine Web Traffic from Internal Hosts). For more information, see Configuring Signature Protection Signatures, page 164.

Configuring Web Quarantine Actions

To configure Web Quarantine actions

1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Web Quarantine > Quarantine Actions.
2. Do one of the following:
   - To add an entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure the parameters; and then, click OK.

Table 87: Quarantine Action Parameters

Network Protection Policy: The name of the Network Protection Rule.
Action: The action that the device takes on outbound Web traffic from the quarantined internal hosts.
  Values:
  - Quarantine Warning: The device returns the default message or the specified Custom HTML Page. The default message is as follows:
      Access Error: Unauthorized
      Your computer is currently under quarantine because the system
      identified malicious activity originating from your IP
      address. Please contact your system administrator.
      Quarantine attack name: <SignatureName> ID: <SignatureID>
      IP: <HostIPAddress>
    For more information, see Managing the Quarantine Warning Page, page 178.
  - Redirect: The device redirects outbound Web traffic from the quarantined internal hosts to the specified Redirection Location.
  Default: Quarantine Warning
Redirection Location (This parameter is available only when the Action is Redirect.): The location where the device redirects quarantined internal hosts. Typically, the location is an HTML page with a message from the network administrator.
  Caution: To prevent an endless loop, the routing to the Redirection Location must not include the DefensePro device.
Add Metadata: Specifies whether to add metadata to the URL of the redirected HTTP GET requests from the quarantined internal hosts. The metadata comprises the attack name (that is, the signature name), the attack ID (that is, the signature ID), and the IP address of the quarantined host.
  The format of the metadata is as follows:
  <RedirectServer>/?attack=<attackName>&rdwrId=<ID>&ip=<IP>
  Example:
  MyServer.com/?attack=Worm-Slammer&rdwrId=3204&ip=10.2.3.4
  Values: Enable, Disable
  Default: Disable
Aging (Hours): The number of hours that the device quarantines all Web traffic from the internal hosts in a protected network segment after matching a signature.
  Values: 0 to 168 (that is, one week). The value 168 is valid only if the value for Aging (Minutes) is 0.
  When Aging (Hours) and Aging (Minutes) are both 0 (zero), the device quarantines the Web traffic indefinitely.
Aging (Minutes): The number of minutes that the device quarantines all Web traffic from the internal hosts in a protected network segment after matching a signature.
  Values: 0 to 59. The maximum Aging time (hours + minutes) cannot exceed 168 hours, 0 minutes.
  When Aging (Hours) and Aging (Minutes) are both 0 (zero), the device quarantines the Web traffic indefinitely.
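
The Add Metadata URL format and the Aging ranges from Table 87, worked through as an added example (not part of the guide and not Radware's code): building the redirect URL, parsing and validating it on the redirect server side before any of it is shown on a warning page, and computing when a quarantine entry ages out. The server name MyServer.com and the signature values are the guide's own sample; the validation and escaping logic is an assumption about what a careful redirect server should do, not a description of the device.

```python
# Added example, not Radware's code: builds and parses the Add Metadata redirect URL
# format shown in Table 87, and computes when a quarantine entry expires from its
# Aging (Hours) and Aging (Minutes) values. The redirect server name and the sample
# values are constructed for illustration; the URL format is the one in the guide.
import html
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, Optional
from urllib.parse import parse_qs, quote, urlparse

MAX_AGING_HOURS = 168  # one week, the upper limit for Aging (Hours)


def build_redirect_url(redirect_server: str, attack_name: str, rdwr_id: int, host_ip: str) -> str:
    """<RedirectServer>/?attack=<attackName>&rdwrId=<ID>&ip=<IP>. The attack name is
    percent-encoded so that characters such as '&' or '#' in a signature name cannot
    break the query string, and the IP address is checked before it is embedded."""
    ipaddress.ip_address(host_ip)  # raises ValueError for a malformed address
    return (f"{redirect_server}/?attack={quote(attack_name, safe='')}"
            f"&rdwrId={int(rdwr_id)}&ip={host_ip}")


def parse_quarantine_metadata(url: str) -> Dict[str, object]:
    """What the redirect server should do with the query string: validate the ID and
    the IP address, and HTML-escape the attack name before it is rendered on the
    warning page, so that the page cannot be used to inject markup."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    attack = params.get("attack", [""])[0]
    rdwr_id = int(params.get("rdwrId", [""])[0])                    # ValueError if not numeric
    host_ip = str(ipaddress.ip_address(params.get("ip", [""])[0]))  # ValueError if invalid
    return {
        "attack": attack,
        "attack_html": html.escape(attack),
        "rdwr_id": rdwr_id,
        "ip": host_ip,
    }


def quarantine_expiry(aging_hours: int, aging_minutes: int,
                      quarantine_time: datetime) -> Optional[datetime]:
    """Return the time the entry ages out, or None when both values are 0, which
    the guide defines as an indefinite quarantine. Enforces the documented ranges:
    hours 0 to 168, minutes 0 to 59, and 168 hours only together with 0 minutes."""
    if not 0 <= aging_hours <= MAX_AGING_HOURS:
        raise ValueError("Aging (Hours) must be 0 to 168")
    if not 0 <= aging_minutes <= 59:
        raise ValueError("Aging (Minutes) must be 0 to 59")
    if aging_hours == MAX_AGING_HOURS and aging_minutes != 0:
        raise ValueError("168 hours is valid only when Aging (Minutes) is 0")
    if aging_hours == 0 and aging_minutes == 0:
        return None
    return quarantine_time + timedelta(hours=aging_hours, minutes=aging_minutes)


def quarantine_expiry_iso(aging_hours: int, aging_minutes: int,
                          quarantine_time_iso: str) -> Optional[str]:
    """The same check with ISO 8601 strings, convenient for log entries."""
    expiry = quarantine_expiry(aging_hours, aging_minutes,
                               datetime.fromisoformat(quarantine_time_iso))
    return None if expiry is None else expiry.isoformat()


if __name__ == "__main__":
    url = build_redirect_url("MyServer.com", "Worm-Slammer", 3204, "10.2.3.4")
    print(url)
    print(parse_quarantine_metadata(url))
    print(quarantine_expiry_iso(1, 30, "2012-09-01T12:00:00"))
```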

Managing the Quarantine Warning Page


When Quarantine Warning is the specified Web Quarantine Action, the device returns the default
message or the specified, Custom HTML Page for outbound Web traffic from the quarantined internal
hosts.
The device sends the hard-coded, default quarantine-warning page under the following circumstances:
- No file has been specified.
- The specified file is invalid.
The code for the quarantine-warning page can be up to 750 bytes long.

To set the code for the quarantine-warning page

1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Web Quarantine > Quarantine Actions.
2. Do one of the following:
   - To add an entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Click Upload Custom HTML Page.
4. Configure the parameters; and then, click OK.

Table 88: Set Custom Page Parameters

Policy Name: (Read-only) The name of the Network Protection Rule.
Export From: The source type of the custom code for the quarantine-warning page.
  Values: File, Text
  Default: File
File Name (This parameter is available only when Export From is File.): The filepath of the file with the code for the quarantine-warning page. Click Browse to navigate to the file; and then, click OK.
Text (This parameter is available only when Export From is Text.): The code for the quarantine-warning page.

To view/get the custom code of the quarantine-warning page

1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Web Quarantine > Quarantine Actions.
2. Do one of the following:
   - To add an entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Click Show Custom HTML Page.
4. Configure the parameters; and then, click OK.

Table 89: Get Page Code Parameters

Policy Name: (Read-only) The name of the Network Protection Rule.
Export To: The target type of the custom code for the quarantine-warning page.
  Values: Text, File
  Default: Text
Text (This parameter is available only when Export To is Text.): The code for the quarantine-warning page.
File (This parameter is available only when Export To is File.): The filepath target for the user-defined quarantine-warning-page code.

Configuring Quarantined Sources

To configure quarantined sources

1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Web Quarantine > Quarantined Sources.
2. Do one of the following:
   - To add an entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure the parameters; and then, click OK.

Table 90: Quarantined Source Parameters

Network Protection Policy: The Network Protection rule.
Web Quarantine IP Address: The IP address of the quarantined host.
Aging (Hours): The number of hours that the device quarantines all Web traffic from the internal hosts in a protected network segment after matching a signature.
  Values: 0 to 168 (that is, one week). The value 168 is valid only if the value for Aging (Minutes) is 0.
  When Aging (Hours) and Aging (Minutes) are both 0 (zero), the device quarantines the Web traffic indefinitely.
Aging (Minutes): The number of minutes that the device quarantines all Web traffic from the internal hosts in a protected network segment after matching a signature.
  Values: 0 to 59. The maximum Aging time (hours + minutes) cannot exceed 168 hours, 0 minutes.
  When Aging (Hours) and Aging (Minutes) are both 0 (zero), the device quarantines the Web traffic indefinitely.
Quarantine Time: (Read-only) The time the entry was created.
Matched Signature: (Read-only) The name of the signature that caused the quarantine.
  Note: If this is a user-defined entry, the field is empty.

To delete all quarantined sources

1. In the Configuration perspective Network Protection tab navigation pane, select Signature
Protection > Web Quarantine > Quarantined Sources.
2. Click Delete All.

Configuring BDoS Profiles for Network Protection


When you configure Behavioral DoS profiles, you need to configure the bandwidth and quota
settings. Setting the bandwidth and quota values properly and accurately is important, because
initial baselines and attack detection sensitivity are based on these values.
Recommended settings for policies that include Behavioral DoS profiles are as follows:
- Configure rules containing Behavioral DoS profiles using Networks with Source = Any (the public network) and Destination = Protected Network. It is recommended to create multiple Behavioral DoS rules, each one protecting a specific server segment (for example, a DNS server segment, a Web server segment, a mail server segment, and so on). This assures optimized learning of normal traffic baselines.
- It is not recommended to define a network with the Source and Destination set to Any, because the device then collects statistics globally with no respect to inbound and outbound directions. This may result in lowered sensitivity to detecting attacks.
- When a rule's Direction is set to One Way, the rule prevents incoming attacks only. When a rule's Direction is set to Two Way, the rule prevents both incoming and outgoing attacks. In both cases, the traffic statistics are collected for incoming and outgoing patterns to achieve optimal detection.

You can configure footprint bypass to bypass specified footprint types or values. For more
information, see Configuring BDoS Footprint Bypass, page 136.

To configure a BDoS profile

1. In the Configuration perspective Network Protection tab navigation pane, select BDoS Profiles.
2. Do one of the following:
   - To add a profile, click the (Add) button.
   - To edit a profile, double-click the entry in the table.
3. Configure the parameters; and then, click OK.

Table 91: BDoS Profile Parameters

Profile Name: The name of the BDoS profile.
Enable Transparent Optimization: Specifies whether transparent optimization is enabled. Some network environments are more sensitive to dropping packets (for example, VoIP); therefore it is necessary to minimize the probability that legitimate traffic is dropped by the IPS device. This transparent optimization can occur during BDoS's closed-feedback iterations until a final footprint is generated.
  Note: When transparent optimization is enabled, the profile does not mitigate the attack until the final footprint is generated, which takes several seconds.

Flood Protection Settings
Select the network-flood protection types to apply:
- SYN Flood
- TCP ACK + FIN Flood
- TCP RST Flood
- TCP SYN + ACK Flood
- TCP Fragmentation Flood
- UDP Flood
- ICMP Flood
- IGMP Flood

Bandwidth Settings
Inbound Traffic: The maximum inbound traffic bandwidth, in Kbit/s, expected on your links. DefensePro derives the initial baselines from the bandwidth and quota settings.
  Minimum: 1
  Values: 0 to 2,147,483,647
  Caution: You must configure this setting to start Behavioral DoS protection.
Outbound Traffic: The maximum outbound traffic bandwidth, in Kbit/s, expected on your links. DefensePro derives the initial baselines from the bandwidth and quota settings.
  Minimum: 1
  Values: 0 to 2,147,483,647
  Caution: You must configure this setting to start Behavioral DoS protection.

Quota Settings
Radware recommends that you initially leave these fields empty so that the default values are used automatically. To view the default values after creating the profile, double-click the entry in the table. You can then adjust the quota values based on your network performance.
Note: The total of the quota values may exceed 100%, as each value represents the maximum volume per protocol.
TCP: The maximum expected percentage of TCP traffic out of the total traffic.
UDP: The maximum expected percentage of UDP traffic out of the total traffic.
ICMP: The maximum expected percentage of ICMP traffic out of the total traffic.
IGMP: The maximum expected percentage of IGMP traffic out of the total traffic.

Advanced Parameters
UDP Packet Rate Sensitivity (For certain versions, this parameter is labeled Level Of Regularization.): The packet-rate detection sensitivity, that is, to what extent the BDoS engine considers the UDP PPS-rate values (baseline and current). This parameter is relevant only for BDoS UDP protection.
  Values: Disable, Low, Medium, High
  Default: Low

Packet Reporting and Trace Setting
Packet Report: Specifies whether the profile sends sampled attack packets to APSolute Vision for offline analysis.
  Default: Enabled
  Note: When this feature is enabled, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting).
Packet Trace: Specifies whether the profile sends attack packets to the specified physical port.
  Default: Disabled
  Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Configuring Anti-Scanning Protection for Network Protection


Worm-propagation prevention and anti-scanning prevent zero-day self-propagating network worms, horizontal scans, and vertical scans.
A self-propagating worm is an attack that spreads by itself using network resources. This worm uses a random-IP-address-generation technique (that is, network scanning) to locate a vulnerable host to infect. When a vulnerable host is identified, the worm immediately executes its code on this host, thereby infecting the computer with the worm's malicious code. Then, the infected hosts initiate similar scanning techniques and infect other hosts, propagating exponentially.
There are several random IP address generation techniques, commonly characterized as horizontal scanning schemes.
Prior to launching an attack, hackers try to identify which TCP and UDP ports are open on the victim machine. An open port represents a service, an application, or a back door. Ports left open unintentionally can create serious security problems. These scanning techniques commonly utilize a vertical scanning scheme.
The worm propagation activity is detected and prevented by DefensePro's Anti-Scanning protection.

Anti-Scanning profiles defend against the following threats:
- TCP Horizontal Scanning
- TCP Vertical Scanning
- TCP stealth scans
- UDP Horizontal Scanning
- UDP Vertical Scanning
- Ping Sweep

Note: In some cases, you may find that network elements legally perform scanning as part of their normal operation. It is recommended to place such elements in the White List to avoid network operation interruption.

Before you configure anti-scanning profiles, ensure the following:
- The Session table Lookup Mode is Full Layer 4.
- Anti-Scanning is enabled and the global parameters are configured. Anti-Scanning global parameters are defined for all profiles on the device.

Configuring Anti-Scanning Profiles for Network Protection


The following are the recommended settings for rules that include Anti-Scanning profiles:
- Configure policies containing Anti-Scanning profiles using Networks with Source = Any (the public network) and Destination = Protected Network. This assures optimized attack detection sensitivity. You can set policies using a VLAN tag, MPLS RD, or physical ports.
- It is not recommended to define a network in which the Source and Destination are set to Any, as it results in lower detection sensitivity.
- When a policy's Direction is set to One Way, DefensePro prevents incoming attacks only. When a policy's Direction is set to Two Way, the device prevents both incoming and outgoing attacks. In either case, the device inspects incoming and outgoing traffic for connection scoring.

Before you configure an Anti-Scanning profile, ensure the following:
- The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session Table Settings, page 97.
- Anti-scanning protection is enabled and the global parameters are configured. For more information, see Configuring Global Signature Protection, page 131.

To configure an Anti-Scanning profile

1. In the Configuration perspective Network Protection tab navigation pane, select Anti-Scanning Profiles.
2. To add or modify an Anti-Scanning profile, do one of the following:
   - To add a profile, click the (Add) button.
   - To edit a profile, double-click the entry in the table.
3. Configure the Anti-Scanning profile parameters and click OK.

Table 92: Anti-Scanning Profile Parameters

Rule Name: The name of the new profile.
Enable TCP Protection: Protects against horizontal and vertical TCP scans, including worm propagation activity, over TCP.
Enable UDP Protection: Protects against horizontal and vertical UDP scans, including worm propagation activity, over UDP.
Enable ICMP Protection: Protects against ping sweeps.
Type: The type of traffic protected using Anti-Scanning profiles.
  Values:
  - GW: Detects incoming or outgoing scanning attempts, such as scanning worms.
  - Carrier: Detects large-scale scanning worms for carrier links.
  - Internal: Prevents the spreading of worm activity in corporate LANs.
Detection Sensitivity Level: The level of sensitivity to scanning activities before the profile activates Anti-Scanning protection. High means few scanning attempts trigger the Anti-Scanning protection, whereas Very Low means a high number of scanning attempts trigger the Anti-Scanning protection.
  Values: High, Medium, Low, Very Low
  Default: Low
Accuracy: The accuracy level that determines the minimum number of parameters used in the footprint. The higher the accuracy, the more parameters are required to appear in the footprint. If DefensePro is unable to find a footprint with the minimum number of parameters for the specified accuracy level, DefensePro does not block the attack.
  Values: High, Medium, Low
  Note: Higher accuracy means that more parameters are required to appear in the footprint.
  Default: Medium
Single Port: Specifies whether the DefensePro device blocks only scans that are done on a single L4 port. Scans on a single L4 port are usually network worms. When enabled, DefensePro does not block scans that are done from the same source on multiple L4 ports.
  Default: Disabled
Packet Trace: Specifies whether the DefensePro device sends attack packets to the specified physical port.
  Default: Disabled
  Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Configuring Anti-Scanning Trusted Ports


You can configure a list of Layer 4 ports on which scanning is allowed. That is, when Anti-Scanning is
enabled, there is no blocking of scans that target these ports. By default, DefensePro ignores port
113 activity.
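
An added example, not part of the guide and not Radware's code, of the scan patterns this section describes: a classifier that reports horizontal scans, vertical scans and ping sweeps per source address from constructed flow records, and that leaves flows to trusted ports out of the count (port 113 by default, as above). The mapping from Detection Sensitivity Level to a numeric threshold is an assumption, because the guide gives no numbers for its sensitivity levels.

```python
# Added example, not Radware's code: a classifier for the scan types this section
# names (TCP/UDP horizontal and vertical scans, ping sweeps) that also applies the
# trusted-port exemption, with port 113 trusted by default as in the guide. The flow
# records, the IP addresses and the per-sensitivity thresholds are constructed; the
# guide gives no numeric thresholds for its sensitivity levels.
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str   # "TCP", "UDP" or "ICMP"
    dport: int   # destination port; 0 for an ICMP echo request


# Assumed: distinct targets a source must touch before it is reported. High means
# few attempts trigger the protection, Very Low means many (as the guide describes).
SENSITIVITY_THRESHOLD = {"High": 5, "Medium": 10, "Low": 20, "Very Low": 50}
DEFAULT_TRUSTED_PORTS: Set[int] = {113}


def classify_scans(flows: Iterable[Flow], sensitivity: str = "Low",
                   trusted_ports: Set[int] = DEFAULT_TRUSTED_PORTS) -> Dict[str, List[str]]:
    """Return, per source address, the scan patterns it exhibits.
    Horizontal: one port across many hosts. Vertical: many ports on one host.
    Ping sweep: ICMP echo to many hosts. Flows to trusted ports are not counted."""
    threshold = SENSITIVITY_THRESHOLD[sensitivity]
    hosts_per_port: Dict[str, Dict[Tuple[str, int], Set[str]]] = defaultdict(lambda: defaultdict(set))
    ports_per_host: Dict[str, Dict[Tuple[str, str], Set[int]]] = defaultdict(lambda: defaultdict(set))
    pinged_hosts: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto == "ICMP":
            pinged_hosts[f.src].add(f.dst)
        elif f.dport not in trusted_ports:
            hosts_per_port[f.src][(f.proto, f.dport)].add(f.dst)
            ports_per_host[f.src][(f.proto, f.dst)].add(f.dport)

    findings: Dict[str, List[str]] = defaultdict(list)
    for src, by_port in hosts_per_port.items():
        for (proto, port), hosts in by_port.items():
            if len(hosts) >= threshold:
                findings[src].append(f"{proto} horizontal scan on port {port} ({len(hosts)} hosts)")
    for src, by_host in ports_per_host.items():
        for (proto, host), ports in by_host.items():
            if len(ports) >= threshold:
                findings[src].append(f"{proto} vertical scan of {host} ({len(ports)} ports)")
    for src, hosts in pinged_hosts.items():
        if len(hosts) >= threshold:
            findings[src].append(f"ping sweep ({len(hosts)} hosts)")
    return dict(findings)


def sample_flows() -> List[Flow]:
    """Constructed sample traffic using documentation address ranges."""
    flows: List[Flow] = []
    # One host touching TCP/445 on 12 different servers: horizontal (worm-like).
    flows += [Flow("192.0.2.10", f"198.51.100.{i}", "TCP", 445) for i in range(1, 13)]
    # One host probing 12 ports on a single server: vertical.
    flows += [Flow("192.0.2.11", "198.51.100.5", "TCP", p) for p in range(20, 32)]
    # One host sending ICMP echo to 12 servers: ping sweep.
    flows += [Flow("192.0.2.12", f"198.51.100.{i}", "ICMP", 0) for i in range(1, 13)]
    # A mail relay doing ident (TCP/113) lookups on 12 servers: trusted port, ignored.
    flows += [Flow("192.0.2.13", f"198.51.100.{i}", "TCP", 113) for i in range(1, 13)]
    # An ordinary web client talking to three servers: below every threshold.
    flows += [Flow("192.0.2.14", f"198.51.100.{i}", "TCP", 80) for i in range(1, 4)]
    return flows


if __name__ == "__main__":
    for src, patterns in classify_scans(sample_flows(), "Medium").items():
        print(src, patterns)
```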

To configure Anti-Scanning trusted ports

1. In the Configuration perspective Network Protection tab navigation pane, select Anti-Scanning
Profiles > Anti-Scanning Trusted Ports.
2. To view the trusted ports for a profile, select the profile and click Go.
3. To add a trusted port for the selected profile, click the (Add) button.
4. Enter the Layer 4 trusted port on which scanning is allowed. Values: 1 to 65,535.
5. Click OK.

Configuring Connection Limit Profiles for Network Protection


Connection Limit profiles defend against session-based attacks, such as half-open SYN attacks, request attacks, and full connection attacks.
Connection Limit profiles contain attack definitions for groups of TCP or UDP application ports. DefensePro counts the number of TCP connections, or UDP sessions, opened per client, per server, or per client plus server combination, for traffic that matches a Connection Limit policy attack definition. Once the number of connections per second reaches the specified threshold, any session/connection over the threshold is dropped, unless the action mode defined for this attack is Report Only.
You can also define whether to suspend the source IP address, dropping traffic from this source for a number of seconds according to the Suspend table parameters.
Recommended settings for policies that include Connection Limit profiles:
- Configure policies containing Connection Limit profiles using Networks only with Source = Any (the public network) and Destination = Protected Network. You can define segments using VLAN tags, MPLS RDs, and physical ports.
- It is not recommended to define networks in which the Source and Destination are set to Any.
- Policies containing Connection Limit profiles can be configured with Direction set to either One Way or Two Way.
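
The per-client, per-server and per-client-plus-server counting described above, worked through as an added example (not part of the guide and not Radware's code): a one-second new-connection counter with the default threshold of 50 and Drop or Report Only behaviour, run over constructed connection events. The one-second window boundaries, the tracking type names and the sample addresses are assumptions made for the example.

```python
# Added example, not Radware's code: a per-second new-connection counter that applies
# the three counting rules described above (per client, per server, or per client
# plus server combination) with the guide's default threshold of 50 and its
# Drop / Report Only behaviour. The connection events and addresses are constructed.
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Tuple

TRACKING_TYPES = ("source", "target", "source_and_target")


class NewConnection(NamedTuple):
    ts: float    # arrival time in seconds
    src: str     # client address
    dst: str     # server address
    dport: int


class ConnectionLimiter:
    """Counts new TCP connections (or UDP sessions) per one-second window and per
    tracking key. The first `threshold` connections in a window pass; every further
    one is dropped, or only reported when the protection is in Report Only mode."""

    def __init__(self, threshold: int = 50, tracking: str = "source", report_only: bool = False):
        if tracking not in TRACKING_TYPES:
            raise ValueError(f"unknown tracking type {tracking!r}")
        self.threshold = threshold
        self.tracking = tracking
        self.report_only = report_only
        self._counts: Dict[Tuple[int, Tuple[str, ...]], int] = Counter()

    def _key(self, c: NewConnection) -> Tuple[str, ...]:
        if self.tracking == "source":
            return (c.src,)
        if self.tracking == "target":
            return (c.dst,)
        return (c.src, c.dst)

    def check(self, c: NewConnection) -> str:
        """Return 'allow', 'drop' or 'report' for one new connection."""
        window = (int(c.ts), self._key(c))
        self._counts[window] += 1
        if self._counts[window] <= self.threshold:
            return "allow"
        return "report" if self.report_only else "drop"


def run_limiter(events: Iterable[NewConnection], **settings) -> Dict[str, int]:
    """Feed a stream of events through a fresh limiter and tally the verdicts."""
    limiter = ConnectionLimiter(**settings)
    return dict(Counter(limiter.check(e) for e in events))


def sample_events() -> List[NewConnection]:
    """Constructed: within one second, 20 clients each open 3 connections to one
    server (60 in total, legitimate load), while a single client opens 60
    connections to a second server."""
    events: List[NewConnection] = []
    for i in range(20):
        for j in range(3):
            events.append(NewConnection(j * 0.01, f"192.0.2.{i + 1}", "198.51.100.10", 80))
    for j in range(60):
        events.append(NewConnection(0.5 + j * 0.001, "203.0.113.7", "198.51.100.20", 80))
    return events


if __name__ == "__main__":
    for tracking in TRACKING_TYPES:
        print(tracking, run_limiter(sample_events(), tracking=tracking))
```

With Source Count only the single aggressive client is limited; with Target Count the server receiving 60 legitimate connections from 20 clients is limited as well, which is the trade-off the Tracking Type setting controls.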

Before you configure a Connection Limit profile, ensure the following:
- Connection Limit protection is enabled (under the Security Settings tab).
- The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session Table Settings, page 97.
- (Recommended) The required Connection Limit protections are configured. For more information, see Configuring Connection Limit Protections, page 187.

To configure a Connection Limit profile

1. In the Configuration perspective Network Protection tab navigation pane, select Connection Limit Profiles.
2. To add or modify a profile, do one of the following:
   - To add a profile, click the (Add) button. Enter the profile name and click OK.
   - To edit a profile, double-click the entry in the table.
3. To add Connection Limit protections to the profile, in the Edit Connection Limit Profile dialog box protections table:
   a. Right-click and select Add New Connection Limit Protection.
   b. Select the protection name and click OK.
4. To define additional Connection Limit protections for the profile, click Go To Protection Table. For more information, see Connection Limit Protection Parameters, page 188.

Note: A Connection Limit profile should include all the Connection Limit attacks that you want
to apply in a network-policy rule.

Table 93: Connection Limit Profile Parameters

Profile Name: (Read-only) The name of the Connection Limit profile.
Connection Limit Protection Table: Lists the Connection Limit protection name and ID for each protection to be applied for the selected profile.
  To add a protection, in the table, right-click and select Add New Connection Limit Protection. Select the protection name and click OK.
  Note: In each rule, you can use only one Connection Limit profile. Therefore, ensure that all the protections that you want to apply to a rule are contained in the profile specified for that rule.
Go To Protection Table: Opens the Connection Limit Protection dialog box in which you can add and modify Connection Limit protections.

Configuring Connection Limit Protections


Configure Connection Limit protections to add to Connection Limit profiles for network protection.

Note: Connection Limit protections are sometimes referred to as Connection Limit Attacks.

To configure a Connection Limit protection

1. In the Configuration perspective Network Protection tab navigation pane, select Connection Limit Profiles > Connection Limit Protections.
2. To add or modify a protection, do one of the following:
   - To add a protection, click the (Add) button.
   - To edit a protection, double-click the entry in the table.
3. Configure the parameters; and then, click OK.

Table 94: Connection Limit Protection Parameters

Protection ID: (Read-only) The ID number assigned to the Connection Limit protection.
Protection Name: A descriptive name for easy identification when configuring and reporting.
Application Port Group Name: The group of Layer 4 ports that represent the application you want to protect.
Protocol: The Layer 4 protocol of the application you want to protect.
  Values: TCP, UDP
  Default: TCP
Number of Connections: The maximum number of new TCP connections, or new UDP sessions, per second, allowed for each source, destination, or source-and-destination pair. All additional sessions are dropped. When the threshold is reached, attacks are identified and a security event is generated.
  Default: 50
Tracking Type: The counting rule for tracking sessions.
  Values:
  - Source and Target Count: Sessions are counted per source IP and destination IP address combination.
  - Source Count: Sessions are counted per source IP address.
  - Target Count: Sessions are counted per destination IP address.
  Default: Source Count
  Note: When Tracking Type is Target Count, the Suspend Action can only be None.
Action Mode: The action when an attack is detected.
  Values:
  - Drop: The packet is discarded.
  - Report-only: The packet is forwarded to the destination IP address.
  - Reset Source: Sends a TCP-Reset packet to the packet source IP address.
  Default: Drop
Packet Report: Specifies whether to enable logging a copy of the filtered packet.
    Default: Disabled
Risk: The risk assigned to this attack for reporting purposes.
    Values: High, Info, Low, Medium
    Default: Medium
Suspend Action: Specifies which session traffic the device suspends for the attack
    duration.
    Values:
    - None: Suspend action is disabled for this attack.
    - Source IP: All traffic from the IP address identified as the source of this attack
      is suspended.
    - Source IP + Destination IP: Traffic from the IP address identified as the source of
      this attack to the destination IP address under attack is suspended.
    - Source IP + Destination Port: Traffic from the IP address identified as the source
      of this attack to the application (destination port) under attack is suspended.
    - Source IP + Destination IP and Port: Traffic from the IP address identified as the
      source of this attack to the destination IP address and port under attack is
      suspended.
    - Source IP and Port + Destination IP and Port: Traffic from the IP address and port
      identified as the source of this attack to the destination IP address and port
      under attack is suspended.
    Default: None
    Note: When Tracking Type is Target Count, the Suspend Action can only be None.
Packet Reporting and Trace Setting
Packet Report: Specifies whether the device sends sampled attack packets to APSolute
    Vision for offline analysis.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the
    global setting must be enabled (Configuration perspective, Advanced Parameters >
    Security Reporting Settings > Enable Packet Reporting).
Packet Trace: Specifies whether the DefensePro device sends attack packets to the
    specified physical port.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the
    global setting must be enabled (Configuration perspective, Advanced Parameters >
    Security Reporting Settings > Enable Packet Trace on Physical Port). In addition,
    a change to this parameter takes effect only after you update policies.
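How the Tracking Type, Number of Connections and Action Mode settings in Table 94 combine, as an added example that is not Radware's code or DefensePro's implementation; the events, addresses and per-second bucketing are constructed assumptions.

```python
"""Connection Limit counting as described in Table 94 (added example, not Radware code).

Constructed new-connection events are bucketed per second under the chosen
Tracking Type. Sessions beyond "Number of Connections" in a bucket receive the
Action Mode, and the first crossing raises one security event for that bucket.
"""
from collections import defaultdict
from dataclasses import dataclass

# Tracking Type -> the key that new sessions are counted under
TRACKING_KEYS = {
    "Source Count": lambda ev: (ev.src,),
    "Target Count": lambda ev: (ev.dst,),
    "Source and Target Count": lambda ev: (ev.src, ev.dst),
}


@dataclass(frozen=True)
class NewConnection:
    ts: int     # second in which the SYN (or first UDP packet) was seen
    src: str
    dst: str


@dataclass
class ConnectionLimitProtection:
    """Table 94 parameters that drive the counting logic (others omitted)."""
    name: str
    number_of_connections: int = 50       # default: 50 new sessions/s per key
    tracking_type: str = "Source Count"   # default
    action_mode: str = "Drop"             # Drop | Report-only | Reset Source
    suspend_action: str = "None"

    def __post_init__(self):
        if self.tracking_type not in TRACKING_KEYS:
            raise ValueError(f"unknown tracking type {self.tracking_type!r}")
        # Table 94 note: Target Count permits only Suspend Action = None
        if self.tracking_type == "Target Count" and self.suspend_action != "None":
            raise ValueError("Target Count allows only Suspend Action = None")


@dataclass
class Verdict:
    event: NewConnection
    forwarded: bool
    reset_sent: bool
    security_event: bool


def apply_connection_limit(prot, events):
    """Return one Verdict per event, in arrival order.

    The threshold count itself is allowed; "additional" sessions get the
    Action Mode. Report-only still forwards the packet but records the event.
    """
    key_of = TRACKING_KEYS[prot.tracking_type]
    counts = defaultdict(int)
    verdicts = []
    for ev in events:
        bucket = (key_of(ev), ev.ts)
        counts[bucket] += 1
        over = counts[bucket] > prot.number_of_connections
        first_cross = counts[bucket] == prot.number_of_connections + 1
        if not over:
            verdicts.append(Verdict(ev, True, False, False))
        elif prot.action_mode == "Drop":
            verdicts.append(Verdict(ev, False, False, first_cross))
        elif prot.action_mode == "Reset Source":
            # TCP RST goes back to the source; the extra SYN is not forwarded
            verdicts.append(Verdict(ev, False, True, first_cross))
        else:  # Report-only
            verdicts.append(Verdict(ev, True, False, first_cross))
    return verdicts


def summarize(verdicts):
    return {
        "forwarded": sum(v.forwarded for v in verdicts),
        "dropped": sum(not v.forwarded for v in verdicts),
        "resets": sum(v.reset_sent for v in verdicts),
        "security_events": sum(v.security_event for v in verdicts),
    }


def demo():
    """Constructed burst: one source opens 60 sessions in one second, split
    across two targets, while a second source opens 10. The same events look
    like an attack under Source Count but not under Source and Target Count."""
    events = [NewConnection(1, "198.51.100.7", f"203.0.113.{1 + i % 2}") for i in range(60)]
    events += [NewConnection(1, "198.51.100.8", "203.0.113.1") for _ in range(10)]
    by_source = summarize(apply_connection_limit(
        ConnectionLimitProtection("http-cl", tracking_type="Source Count"), events))
    by_pair = summarize(apply_connection_limit(
        ConnectionLimitProtection("http-cl", tracking_type="Source and Target Count"), events))
    return by_source, by_pair
```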


Configuring SYN Profiles for Network Protection


SYN Profiles defend against SYN flood attacks.
During a SYN flood attack, the attacker sends a volume of TCP SYN packets requesting new TCP
connections without completing the TCP handshake, or completing the TCP handshake, but not
requesting data. This fills up the server connection queues, which denies service to legitimate TCP
users.
Before you configure a SYN profile, ensure the following:
- The Session table Lookup Mode is Full Layer 4. For more information, see Configuring
  Session Table Settings, page 97.
- SYN Flood protection is enabled and the global parameters are configured. You can change
  the global settings. The SYN flood global settings apply to all the profiles on the
  device. For more information, see Configuring Global SYN Flood Protection, page 141.

To configure a SYN profile

1. In the Configuration perspective Network Protection tab navigation pane, select SYN Profiles.
2. To add or modify a profile, do one of the following:
   - To add a profile, click the (Add) button. Enter the profile name and click OK.
   - To edit a profile, double-click the entry in the table.
3. To add a SYN flood protection to the profile:
   a. Right-click in the table and select Add New SYN Flood Protection.
   b. From the Profile Name drop-down list, select the protection.
   c. Click OK.
4. To define additional SYN flood protections for the profile, click Go To Protection Table.

Note: A SYN profile should contain all the SYN flood protections that you want to apply in a
network-policy rule.

Table 95: SYN Profile Parameters

Profile Name: (Read-only) The name of the profile.
SYN Protection Table: Contains the protections to be applied for the selected profile.
    To add a protection, in the table, right-click and select Add New SYN Flood
    Protection. Select the protection name and click OK.
    Note: In each rule, you can use only one SYN profile. Therefore, ensure that all the
    protections that you want to apply to a rule are contained in the profile specified
    for that rule.
Go To Protection Table: Opens the SYN Protections dialog box in which you can add and
    modify SYN protections.


Defining SYN Flood Protections


After you define SYN flood protections, you can add them to SYN profiles.

Caution: DefensePro x06 and x016 models do not support physical-port classification for SYN
Protection. When triggered, all traffic that matches the attacked destination (classified
by destination IP address, Layer 4 port number, and optionally a VLAN tag) will be
challenged, regardless of the physical port identification. That is, even if the attack is
carried out through a specific physical port, all traffic from all ports that matches the
other parameters will be challenged.

To configure a SYN protection

1. In the Configuration perspective Network Protection tab navigation pane, select SYN Profiles >
SYN Protections.
2. To add or modify a protection, do one of the following:
   - To add a protection, click the (Add) button.
   - To edit a protection, double-click the entry in the table.
3. Configure the parameters; and then, click OK.

Table 96: SYN Flood Protection Parameters

Protection Name: A name for easy identification of the attack for configuration and
    reporting.
    Note: Predefined SYN Protections are available for the most common applications:
    FTP, HTTP, HTTPS, IMAP, POP3, RPC, RTSP, SMTP, and Telnet. The thresholds are
    predefined by Radware. You can change the thresholds for these attacks.
Protection ID: (Read-only) The ID number assigned to the protection.
Application Port Group: The group of TCP ports that represent the application that you
    want to protect. Select from the list of predefined port groups, or leave the field
    empty to select any port.
Activation Threshold: If the average rate of SYN packets received at a certain
    destination is higher than this threshold, the protection is activated.
    Values: 1-150,000
    Default: 2500
Termination Threshold: If the average rate of SYN packets received at a certain
    destination for the duration of the tracking period drops below this threshold, the
    protection is stopped.
    Values: 1-150,000
    Default: 1500
Risk: The risk level assigned to this attack for reporting purposes.
    Values: Info, Low, Medium, High
    Default: Low
Source Type: (Read-only) Specifies whether the SYN protection is a predefined (static) or
    user-defined (user) protection.


Radware-Recommended Verification Type Values

Protocol    Destination Port    Verification Type
FTP_CNTL    21                  ack
HTTP        80                  request
HTTPS       443                 request
IMAP        143                 ack
POP3        110                 ack
RPC         135                 ack
RTSP        554                 request
SMTP        25                  ack
TELNET      23                  ack

Managing SYN Protection Profile Parameters


After you define a SYN Protection profile, you can configure the authentication parameters for it.

To configure SYN Protection profile parameters

1. In the Configuration perspective Network Protection tab navigation pane, select SYN
Protection Profiles > Profiles Parameters.
2. Double-click the relevant profile.
3. Configure the parameters; and then, click OK.

Table 97: SYN Flood Protection Profile Parameters

Profile Name: (Read-only) The name of the profile.

Authentication Method: The authentication method that the device uses at the transport
    layer. When the device is installed in an ingress-only topology, select the Safe-Reset
    method.
    Values:
    - Transparent Proxy: When the device receives a SYN packet, the device replies with a
      SYN ACK packet with a cookie in the Sequence Number field. If the response is an ACK
      that contains the cookie, the device considers the session to be legitimate. Then,
      the device opens a connection with the destination and acts as a transparent proxy
      between the source and the destination.
    - Safe-Reset: When the device receives a SYN packet, the device responds with an ACK
      packet with an invalid Sequence Number field as a cookie. If the client responds with
      RST and the cookie, the device discards the packet, and adds the source IP address to
      the TCP Authentication Table. The next SYN packet from the same source passes through
      the device, and the session is approved for the server. The device saves the source
      IP address for a specified time. Typically, you specify this method when the network
      policy rule handles only ingress traffic.
    Default: Transparent Proxy
HTTP Authentication
Use HTTP Authentication: Specifies whether the device authenticates the transport layer
    of HTTP traffic using SYN cookies and then authenticates the HTTP application layer
    using the specified HTTP Authentication Method.
    Values:
    - Enabled: The device authenticates the transport layer of HTTP traffic using SYN
      cookies and then authenticates the HTTP application layer using the specified HTTP
      Authentication Method.
    - Disabled: The device handles HTTP traffic using the specified TCP Authentication
      Method.
    Default: Disabled

HTTP Authentication Method: The method that the profile uses to authenticate HTTP traffic
    at the application layer.
    Values:
    - 302-Redirect: The device authenticates HTTP traffic using a 302-Redirect response
      code.
    - JavaScript: The device authenticates HTTP traffic using a JavaScript object generated
      by the device.
    Default: 302-Redirect
    Notes:
    >> Some attack tools are capable of handling 302-redirect responses. The 302-Redirect
       HTTP Authentication Method is not effective against attacks that use those tools.
       The JavaScript HTTP Authentication Method requires an engine on the client side
       that supports JavaScript, and therefore, the JavaScript option is considered
       stronger. However, the JavaScript option has some limitations, which are relevant
       in certain scenarios.
    >> Limitations when using the JavaScript HTTP Authentication Method:
       - If the browser does not support JavaScript calls, the browser will not answer the
         challenge.
       - When the protected server is accessed as a sub-page through another (main) page
         only using JavaScript, the user session will fail (that is, the browser will not
         answer the challenge). For example, if the protected server supplies content that
         is requested using a JavaScript tag, the DefensePro JavaScript is enclosed within
         the original JavaScript block. This violates JavaScript rules, which results in a
         challenge failure. Example: The js.src request in the snippet below accesses a
         secure server:

           <script>
           setTimeout(function(){
             var js=document.createElement("script");
             js.src="http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
             document.getElementsByTagName("head")[0].appendChild(js);
           },1000);
           </script>

         The returned challenge page contains the <script> tag again, which is illegal,
         and therefore, it is dropped by the browser without making the redirect.

Configuring SSL Mitigation Policies


DefensePro can mitigate SSL-flood attacks with SSL Mitigation policies. When SYN Protection is
triggered for TCP port 443 protection and the SYN Protection profile is configured with the Use
HTTP Authentication checkbox selected (Network Protection tab > SYN Protection Profiles >
Profiles Parameters), an active SSL Mitigation policy challenges new SSL connections using a
Safe-Reset method. To decrypt and re-encrypt the SSL packets during the challenge process,
DefensePro uses the SSL engine of a specified Alteon device. DefensePro allows traffic from
validated clients to pass through the DefensePro device to the protected server.
The DefensePro SSL Mitigation mechanism works as follows:
1. The DefensePro device receives a SYN packet from a client on port 443.
2. DefensePro responds with an ACK packet with an invalid Sequence Number field as a cookie.
3. If the client responds with RST and the cookie, DefensePro discards the packet, and adds the
source IP address to the TCP Authentication Table.
4. The DefensePro device passes the next SYN packet from the same source to the SSL engine of
the specified Alteon device.
5. The Alteon device performs the SSL handshake with the client.
6. The DefensePro device passes the following HTTPS GET or POST request from the same source
to the SSL engine of the Alteon device.
7. The Alteon device communicates with the DefensePro device to generate an encrypted
challenge.
8. The DefensePro device sends the encrypted HTTPS challenge to the client.
9. The DefensePro device receives a valid response from the client and considers the connection to
be legitimate.
10. The DefensePro device adds the source IP address to the HTTP Authentication Table.
11. The DefensePro device passes the encrypted HTTPS response to the SSL engine of the Alteon
device.
12. The Alteon device communicates with the DefensePro device to generate an encrypted
termination message.
13. The next SYN packet from the validated source passes through the DefensePro device to the
server that is under attack, and DefensePro acts as a transparent proxy for the remainder of the
session.
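The two Authentication Method values of Table 97, and steps 1 to 4 of the SSL Mitigation flow above (which reuse the Safe-Reset exchange), as an added example that is not Radware's code: both sides of each exchange are simulated. The cookie construction, the 60-second TCP Authentication Table lifetime and the segment model are assumptions.

```python
"""SYN flood Authentication Methods from Table 97 (added example, not Radware code).

Transparent Proxy: the SYN-ACK's sequence number is a cookie; the client's ACK
must acknowledge cookie+1. Safe-Reset: the device answers the SYN with a bare ACK
whose acknowledgement number is a cookie; a conforming stack replies RST with SEQ
equal to it, which the device consumes while recording the source IP in its TCP
Authentication Table. Cookie, 60 s lifetime and segment model are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass

SECRET = b"constructed-device-secret"   # device-local key for cookie MACs
AUTH_TABLE_TTL = 60                     # seconds a Safe-Reset source stays authenticated
SLOT = 64                               # cookie validity window, seconds
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    dport: int
    flags: str          # "SYN", "SYN+ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


def cookie(src, dst, dport, now, client_seq=0):
    """32-bit keyed cookie over endpoints and time slot; the client ISN is mixed in
    for Transparent Proxy only (a RST carries no ISN, so Safe-Reset omits it)."""
    msg = f"{src}|{dst}|{dport}|{client_seq}|{now // SLOT}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynProtector:
    def __init__(self, method="Transparent Proxy"):
        if method not in ("Transparent Proxy", "Safe-Reset"):
            raise ValueError(method)
        self.method = method
        self.tcp_auth_table = {}   # source IP -> expiry time (Safe-Reset only)

    def handle(self, seg, now):
        """Return (reply or None, disposition in challenged/proxy/authenticated/pass/drop)."""
        if self.method == "Transparent Proxy":
            return self._transparent_proxy(seg, now)
        return self._safe_reset(seg, now)

    def _transparent_proxy(self, seg, now):
        if seg.flags == "SYN":
            c = cookie(seg.src, seg.dst, seg.dport, now, seg.seq)
            return Segment(seg.dst, seg.src, seg.dport, "SYN+ACK", seq=c, ack=seg.seq + 1), "challenged"
        if seg.flags == "ACK":
            # third handshake segment: SEQ is ISN+1, ACK must be cookie+1
            c = cookie(seg.src, seg.dst, seg.dport, now, seg.seq - 1)
            if seg.ack == (c + 1) & MASK32:
                return None, "proxy"   # device now opens the server-side connection
        return None, "drop"

    def _safe_reset(self, seg, now):
        expiry = self.tcp_auth_table.get(seg.src)
        if expiry is not None and expiry <= now:
            del self.tcp_auth_table[seg.src]
            expiry = None
        if seg.flags == "SYN":
            if expiry is not None:
                return None, "pass"    # authenticated source: SYN goes on to the server
            c = cookie(seg.src, seg.dst, seg.dport, now)
            return Segment(seg.dst, seg.src, seg.dport, "ACK", ack=c), "challenged"
        if seg.flags == "RST":
            # accept the current or previous slot so a slow reply is not rejected
            if seg.seq in (cookie(seg.src, seg.dst, seg.dport, now),
                           cookie(seg.src, seg.dst, seg.dport, now - SLOT)):
                self.tcp_auth_table[seg.src] = now + AUTH_TABLE_TTL
                return None, "authenticated"   # the RST itself is discarded
        return None, ("pass" if expiry is not None else "drop")


def client_answer(challenge, client_isn):
    """What a conforming TCP stack in SYN-SENT sends back to the challenge."""
    if challenge.flags == "SYN+ACK":
        return Segment(challenge.dst, challenge.src, challenge.dport, "ACK",
                       seq=client_isn + 1, ack=(challenge.seq + 1) & MASK32)
    # unacceptable ACK in SYN-SENT: RST with SEQ = SEG.ACK (RFC 793)
    return Segment(challenge.dst, challenge.src, challenge.dport, "RST", seq=challenge.ack)


def run_exchange(method, client="198.51.100.7", server="203.0.113.10", now=1000):
    """Challenge a real client, then see how its next SYN one second later is treated."""
    dev = SynProtector(method)
    isn = 0x12345678
    challenge, d1 = dev.handle(Segment(client, server, 443, "SYN", seq=isn), now)
    _, d2 = dev.handle(client_answer(challenge, isn), now)
    _, d3 = dev.handle(Segment(client, server, 443, "SYN", seq=isn + 7), now + 1)
    return d1, d2, d3
```

Transparent Proxy keeps no per-source memory, so every new SYN is challenged again; Safe-Reset remembers the source until the table entry expires.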

To configure an SSL mitigation policy

1. In the Configuration perspective Network Protection tab navigation pane, select SYN
Protection Profiles > SSL Mitigation Policies Parameters.
2. To add or modify a policy, do one of the following:
   - To add a policy, click the (Add) button.
   - To edit a policy, double-click the entry in the table.
3. Configure the parameters; and then, click OK.

Table 98: SSL Mitigation Policy Parameters

Name: The name of the policy.
SSL VIP: The IPv4 VIP address on the Alteon device.
SSL Server IP Address: The IPv4 address of the SSL server specified on the Alteon device.
VIP MAC: The MAC address of the Alteon device.

Network Policy Name: The name of the existing Network Protection Rule.
State: Specifies whether the policy is active.
    Values: active, inactive
    Default: active

Configuring Connection PPS Limit Profiles for Network Protection


Connection PPS Limit profiles defend against attacks that flood established TCP connections (not
necessarily many connections) with a high PPS rate of legitimate or non-legitimate packets.
Before you configure a connection PPS limit profile, ensure the following:
- The Session table Lookup Mode is Full Layer 4. For more information, see Configuring
  Session Table Settings, page 97.
- (Recommended) The required Connection PPS Limit protections are configured. For more
  information, see Configuring Connection Limit Protections, page 187.

Note: A Connection PPS Limit profile should contain all the Connection PPS Limit
protections that you want to apply in a network-policy rule.

To configure a connection PPS limit profile

1. In the Configuration perspective Network Protection tab navigation pane, select Connection
PPS Limit Profiles.
2. To add or modify a profile, do one of the following:
   - To add a profile, click the (Add) button. Enter the profile name and click OK.
   - To edit a profile, double-click the entry in the table.
3. To add Connection PPS Limit protections to the profile, in the Edit Connection PPS Limit
   Profile dialog box protections table:
   a. Right-click and select Add New Connection PPS Limit Protection.
   b. Select the protection name and click OK.
4. To define additional Connection PPS Limit protections for the profile, click Go To
   Protection Table.
For more information, see Connection PPS Limit Profile Parameters, page 197.


Table 99: Connection PPS Limit Profile Parameters

Profile Name: (Read-only) The name of the Connection PPS Limit profile.
Connection PPS Limit Protection Table: Lists the connection PPS limit protection name and
    ID for each protection to be applied for the selected profile.
    To add a protection, in the table, right-click and select Add New Connection PPS Limit
    Protection. Select the protection name and click OK.
    Note: In each rule, you can use only one Connection PPS Limit profile. Therefore,
    ensure that all the protections that you want to apply to a rule are contained in the
    profile specified for that rule.
Go To Protection Table: Opens the Connection PPS Limit Protection dialog box in which you
    can add and modify Connection PPS Limit protections.

Defining Connection PPS Limit Protections


Define Connection PPS Limit protections to add to Connection PPS Limit profiles for network
protection.

To configure a Connection PPS Limit protection

1. In the Configuration perspective Network Protection tab navigation pane, select Connection
PPS Limit Profiles > Connection PPS Limit Protections.
2. To add or modify a protection, do one of the following:
   - To add a protection, click the (Add) button.
   - To edit a protection, double-click the entry in the table.
3. Configure the Connection PPS Limit protection parameters and click OK.

Table 100: Connection PPS Limit Protection Parameters

ID: (Read-only) The ID number assigned to the Connection PPS Limit protection.
Name: Descriptive name for easy identification when configuring and reporting.
Action: The action that the device takes when an attack is detected.
    Values: Report Only, Drop
    Default: Report Only

Application Port: The group of Layer 4 ports representing the application you want to
    protect.
    Values:
    - The name of an Application Port class displayed in the Classes tab
    - An application-port number
    - Empty (specifies all ports)
    Caution: When the field is empty, no matter which port the traffic is destined to, as
    soon as the traffic exceeds the Activation Threshold, the device applies the specified
    Action.
Tracking Type: On what the protection tracks the PPS rate.
    Value: Per Connection
Activation Threshold: The PPS threshold on a single connection that activates the
    protection after the specified Activation Period.
    Values: 1-4,294,967,295
    Default: 10,000
Drop Threshold: The PPS rate that the protection allows on the connections during an
    attack. The device drops packets exceeding the specified Drop Threshold.
    Values: 1-4,294,967,295
    Default: 0
Termination Threshold: The PPS threshold on all the connections that deactivates the
    protection after the Termination Period. That is, when the PPS rate falls below the
    specified threshold on all the connections, the device considers the attack to have
    ended after the Termination Period.
    Values: 1-4,294,967,295
    Default: 9,000
    Note: The Termination Threshold must be less than or equal to the Activation
    Threshold.
Risk: The risk assigned to this attack for reporting purposes.
    Values: High, Info, Low, Medium
    Default: Medium
Activation Period: The time, in seconds, after the PPS rate on a connection has exceeded
    the Activation Threshold, that the device considers a PPS attack to have started and
    starts the configured protection measures.
    Values: 1-120
    Default: 5

Termination Period: The time, in seconds, after the PPS rate on a connection has fallen
    below the Termination Threshold, that the device considers a PPS attack to have ended.
    Values: 1-120
    Default: 5
Packet Trace: Specifies whether the DefensePro device sends attack packets to the
    specified physical port.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the
    global setting must be enabled (Configuration perspective, Advanced Parameters >
    Security Reporting Settings > Enable Packet Trace on Physical Port). In addition,
    a change to this parameter takes effect only after you update policies.

Configuring DNS Protection Profiles for Network Protection


When you configure DNS Protection profiles, you need to configure the query and quota settings.
Setting the query and quota values properly and accurately is important, because initial baselines
and attack detection sensitivity are based on these values.
DNS Protection profiles can be used only in one-way policies.
It is recommended to configure policies that include DNS Protection profiles using Networks with
source = Any, the public network, and destination = Protected Network.
You can configure footprint bypass to bypass specified footprint types or values.

To configure a DNS Protection profile

1. In the Configuration perspective Network Protection tab navigation pane, select DNS
Protection Profiles.
2. Do one of the following:
   - To add a profile, click the (Add) button.
   - To edit a profile, double-click the entry in the table.
3. Configure the parameters, and then click OK.


Table 101: DNS Protection Profile Parameters

Name: The name of the profile.

Query Protections and Quotas
    Radware recommends that you initially leave these fields empty so that the default
    values will automatically be used. To view default values after creating the profile,
    double-click the entry in the table. You can then adjust quota values based on your
    network performance.
    Note: The total quota values may exceed 100%, as each value represents the maximum
    volume per protocol.
A Query, MX Query, PTR Query, AAAA Query, Text Query, SOA Query, NAPTR Query, SRV Query,
Other Queries: For each DNS query type to protect, specify the quota (the maximum expected
    percentage of DNS traffic out of the total DNS traffic) and select the checkbox in the
    row.
Set Default Quotas: Configures all the quotas with the hard-coded default values after you
    have specified the DNS Queries Rate.
DNS Queries Rate: The expected rate, in queries per second, of DNS queries.

Manual Triggers
Use Manual Triggers: Specifies whether the profile uses user-defined DNS QPS thresholds
    instead of the learned baselines.
    Default: Disabled
Activation Threshold: The minimum number of queries per second (after the specified
    Activation Period) on a single connection that causes the device to consider there to
    be an attack. When the device detects an attack, it issues an appropriate alert and
    drops the DNS packets that exceed the threshold. Packets that do not exceed the
    threshold bypass the DefensePro device.
    Values: 0-4,000,000
    Default: 0
Activation Period: The number of consecutive seconds that the DNS traffic on a single
    connection exceeds the Activation Threshold that causes the device to consider there
    to be an attack.
    Values: 0-30
    Default: 3
Termination Threshold: The maximum number of queries per second (after the specified
    Termination Period) on a single connection that causes the device to consider the
    attack to have ended.
    Values: 0-4,000,000
    Default: 0
    Note: The Termination Threshold must be less than or equal to the Activation
    Threshold.

Termination Period: The time, in seconds, that the DNS traffic on a single connection is
    continuously below the Termination Threshold, which causes the device to consider the
    attack to have ended.
    Values: 0-30
    Default: 3
Max QPS: The maximum allowed rate of DNS queries per second.
    Values: 0-4,000,000
    Default: 0
Escalation Period: The time, in seconds, that the device waits before escalating to the
    next specified mitigation action.
    Values: 0-30
    Default: 3
Advanced Report Settings
Packet Report: Specifies whether the device sends sampled attack packets to APSolute
    Vision for offline analysis.
    Default: Disabled
    Note: When this feature is enabled, for the feature to take effect, the global
    setting must be enabled (Configuration perspective, Advanced Parameters > Security
    Reporting Settings > Enable Packet Reporting).
Packet Trace: Specifies whether the DefensePro device sends attack packets to the
    specified physical port.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the
    global setting must be enabled (Configuration perspective, Advanced Parameters >
    Security Reporting Settings > Enable Packet Trace on Physical Port). In addition,
    a change to this parameter takes effect only after you update policies.
Action and Escalation
    Note: The device implements the parameters in this group box only when the Manual
    Triggers option is not enabled.
Profile Action: The action that the profile takes on DNS traffic during an attack.
    Values: Block & Report, Report Only
    Default: Block & Report

Max allowed QPS: The maximum allowed rate of DNS queries per second, when the Manual
    Triggers option is not enabled.
    Values: 0-4,000,000
    Default: 0
    Note: When the Manual Triggers option is enabled, the Max QPS value specified in the
    Manual Triggers group box takes precedence.
Signature Rate-limit Target: The percentage of the DNS traffic that matches the real-time
    signature that the profile will not mitigate above the baseline.
    Values: 0-100
    Default: 0
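The activation/termination logic that Table 100 describes for Connection PPS Limit protections and that the Manual Triggers of Table 101 reuse for DNS QPS thresholds, as an added example that is not Radware's code; it uses Table 100's default thresholds and periods, and the per-second sampling of a single connection and the traffic trace are constructed assumptions.

```python
"""Activation/termination state machine shared by Table 100 (Connection PPS Limit)
and the Manual Triggers of Table 101 (DNS QPS). Added example, not Radware code;
the per-second sampling of one connection is an assumption.

A rate above the Activation Threshold must persist for Activation Period seconds
before the attack is declared; a rate below the Termination Threshold must persist
for Termination Period seconds before it is declared over. While the attack is
active and the Action is Drop, packets above the Drop Threshold are dropped.
"""
from dataclasses import dataclass


@dataclass
class ConnectionPpsLimit:
    activation_threshold: int = 10_000   # Table 100 default
    termination_threshold: int = 9_000   # Table 100 default, must be <= activation
    activation_period: int = 5           # seconds, 1-120
    termination_period: int = 5          # seconds, 1-120
    drop_threshold: int = 0              # PPS still allowed on the connection during an attack
    action: str = "Report Only"          # Report Only | Drop (Table 100 default: Report Only)

    def __post_init__(self):
        if self.termination_threshold > self.activation_threshold:
            raise ValueError("Termination Threshold must be <= Activation Threshold")
        for p in (self.activation_period, self.termination_period):
            if not 1 <= p <= 120:
                raise ValueError("periods must be 1-120 seconds")


@dataclass
class ConnectionState:
    attack_active: bool = False
    above_for: int = 0    # consecutive seconds above the activation threshold
    below_for: int = 0    # consecutive seconds below the termination threshold


@dataclass
class SecondResult:
    second: int
    pps: int
    attack_active: bool
    passed: int
    dropped: int
    event: str            # "attack started", "attack ended" or ""


def process_second(cfg, state, second, pps):
    """Feed one second's packet count for a connection; update state, decide drops."""
    event = ""
    if not state.attack_active:
        state.above_for = state.above_for + 1 if pps > cfg.activation_threshold else 0
        if state.above_for >= cfg.activation_period:
            state.attack_active, state.above_for, event = True, 0, "attack started"
    else:
        state.below_for = state.below_for + 1 if pps < cfg.termination_threshold else 0
        if state.below_for >= cfg.termination_period:
            state.attack_active, state.below_for, event = False, 0, "attack ended"
    dropped = 0
    if state.attack_active and cfg.action == "Drop":
        dropped = max(0, pps - cfg.drop_threshold)
    return SecondResult(second, pps, state.attack_active, pps - dropped, dropped, event)


def run(cfg, samples):
    """Run a whole per-second PPS trace for one connection through the state machine."""
    state = ConnectionState()
    return [process_second(cfg, state, i, pps) for i, pps in enumerate(samples)]


def summarize(results):
    return {
        "started_at": [r.second for r in results if r.event == "attack started"],
        "ended_at": [r.second for r in results if r.event == "attack ended"],
        "active_seconds": sum(r.attack_active for r in results),
        "dropped": sum(r.dropped for r in results),
    }


# Constructed trace: quiet, five seconds over 10,000 PPS, a spike, five seconds
# under 9,000 PPS, quiet again.
SAMPLES = [500, 12_000, 12_000, 12_000, 12_000, 12_000, 15_000,
           8_000, 8_000, 8_000, 8_000, 8_000, 500]


def demo():
    cfg = ConnectionPpsLimit(action="Drop", drop_threshold=1_000)
    return summarize(run(cfg, SAMPLES))


if __name__ == "__main__":
    print(demo())
```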

Configuring Out of State Protection Profiles for Network Protection


Out of State Protection detects out-of-state packets to provide additional protection for application-
level attacks.

Caution: In cases of overlapping network policies configured with Out-of-State profiles, attacks
triggered on both policies are reported twice, once per policy. As a consequence, in
traffic monitoring, there might be some inconsistencies in the discarded-traffic value,
because the value is the sum of all detected attacks.

Caution: DefensePro x016 and x06 platforms use two CPUs to handle the activation and
termination of Out of State protection. DefensePro issues an Occurred trap when half
the threshold is reached on one CPU, and DefensePro does not issue start or term
(terminated) traps. There is a small chance that DefensePro will report Out-of-State
security events even if the specified thresholds have not been reached.

To configure an Out of State Protection profile

1. In the Configuration perspective Network Protection tab navigation pane, select Out of State
Protection Profiles.
2. Do one of the following:
   - To add a profile, click the (Add) button.
   - To edit a profile, double-click the entry in the table.
3. Configure the parameters, and then click OK.


Table 102: Out of State Protection Profile Parameters

Profile Name: The name of the profile.
Activation Threshold: The rate, in PPS, of out-of-state packets above which the profile
    considers the packets to be part of a flood attack. When the device detects an attack,
    it issues an appropriate alert and drops the out-of-state packets that exceed the
    threshold. Packets that do not exceed the threshold bypass the DefensePro device.
    Values: 1-250,000
    Default: 5000
Termination Threshold: The rate, in PPS, of out-of-state packets below which the profile
    considers the flood attack to have stopped, and the device resumes normal operation.
    Values: 1-250,000
    Default: 4000
Profile Risk: The risk (for reporting purposes) assigned to the attack that the profile
    detects.
    Values: Info, Low, Medium, High
    Default: Low
Allow SYN-ACK: Values:
    - Enabled: The DefensePro device opens a session and processes a SYN-ACK packet even
      when the device has identified no SYN packet for the session. This option supports
      asymmetric environments, when the first packet that the device receives is the
      SYN-ACK.
    - Disabled: When the DefensePro device receives a SYN-ACK packet and has identified no
      SYN packet for the session, the device passes through the SYN-ACK packet
      (unprocessed) if the packet is below the specified activation threshold, and the
      device drops the packet if it is above the specified activation threshold.
    Default: Enabled
Enable Packet Trace: Specifies whether the profile sends out-of-state packets to the
    specified physical port.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the
    global setting must be enabled (Configuration perspective, Advanced Parameters >
    Security Reporting Settings > Enable Packet Trace on Physical Port). In addition,
    a change to this parameter takes effect only after you update policies.

Enable Packet Reporting: Specifies whether the profile reports out-of-state packets.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the
    global setting must be enabled (Configuration perspective, Advanced Parameters >
    Security Reporting Settings > Enable Packet Reporting). In addition, a change to
    this parameter takes effect only after you update policies.
Profile Action: The action that the profile takes when it encounters out-of-state
    packets.
    Values: Block and Report, Report Only
    Default: Block and Report

Managing the Server Protection Policy


The Server Protection policy protects servers against targeted attacks. Each rule in the policy
contains Server Protection profiles to defend a specific server against network and application
attacks. You can specify an HTTP flood profile and a Server Cracking profile for each rule. These
profiles are activated when DefensePro identifies an attack on the corresponding protected server.
Before you configure rules and profiles for the Server Protection policy, ensure that you have
enabled all the required protections and configured the corresponding global protection parameters
under the Security Settings tab.
This section contains the following topics:
- Configuring the Server Protection Policy, page 204
- Configuring Server Cracking Profiles for Server Protection, page 213
- Configuring HTTP Flood Mitigation Profiles for Server Protection, page 216

Configuring the Server Protection Policy


The Server Protection policy defines the protected servers in your network, and the actions that
DefensePro takes when an attack on a protected server is detected.

Caution: When you configure the policy, APSolute Vision stores your configuration changes, but
it does not download your configuration changes to the device. To apply changes onto
the device, you must activate the configuration changes.


To configure the Server Protection policy

1. In the Configuration perspective Server Protection tab navigation pane, select Server
Protection Policy.
2. Do one of the following:

To add an entry, click the (Add) button.


To edit an entry, double-click the entry in the table.
3. Configure the parameters; and then, click OK.
4. To activate your changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more
information, see Updating Policy Configurations on a DefensePro Device, page 274.

Table 103: Server Protection Parameters

Parameter Description
Server Name The name of the server.
IP Range The IP address or IP-address range of the protected server. You
can assign an HTTP profile to a server definition that contains one
discrete IP address. You can assign a Server Cracking profile to
ranges, networks, and discrete IP addresses.
Enabled Specifies whether the protection is enabled.
HTTP Flood Profile The HTTP Flood profile to be activated against an attack.
Note: You can click the adjacent button to open the dialog box
in which you can add and modify profiles.
Server Cracking Profile The Server Cracking profile to be activated against an attack.
Each DefensePro device supports up to 20 Server Cracking
profiles.
Note: You can click the adjacent button to open the dialog box
in which you can add and modify profiles.
VLAN Tag Group The VLAN Tag Group of the traffic.
Note: You can click the adjacent button to open the dialog box
in which you can add and modify VLAN Tag groups.
Packet Reporting and Trace Setting
Packet Reporting Specifies whether the device sends sampled attack packets to
APSolute Vision for offline analysis.
Default: Disabled
Caution: When this feature is enabled here, for the feature to
take effect, the global setting must be enabled
(Configuration perspective, Advanced
Parameters > Security Reporting Settings >
Enable Packet Reporting).

Packet Reporting Configuration on Policy Takes Precedence: Specifies whether the configuration of the Packet Reporting feature here, on this policy rule, takes precedence over the configuration of the Packet Reporting feature in the associated profiles.
Packet Trace Specifies whether the DefensePro device sends attack packets to
the specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to
take effect, the global setting must be enabled
(Configuration perspective, Advanced Parameters
> Security Reporting Settings > Enable Packet
Trace on Physical Port). In addition, a change to
this parameter takes effect only after you update
policies.
Packet Trace Configuration on Policy Takes Precedence: Specifies whether the configuration of the Packet Trace feature here, on this policy rule, takes precedence over the configuration of the Packet Trace feature in the associated profiles.
Caution: A change to this parameter takes effect only after
you update policies.

Server Cracking Protection


Server Cracking Protection provides application-level protection that monitors error responses from
various applications and blocks hacking attempts from suspicious sources while allowing legitimate
traffic to pass.

Note: When a Server Cracking attack occurs, you can view it in the APSolute Vision Security
Dashboard and the Current Attacks table view. From both locations, you can drill down
and view attack details. For more information, see Real-Time Security Reporting,
page 303.

This section contains the following main topics:


Server Cracking Protection Network Topography, page 207
Server Cracking Attack Types, page 207
Server Protection Policies/Rules, Profiles, and Protections, page 208
Server Cracking Threats and Server Cracking Protection Strategies, page 209
Server Cracking Mitigation with Server Cracking Protection, page 209
Server Cracking Protection Technology, page 209
Errors that Server Cracking Protection Monitors, page 211
Server Cracking Protection Limitations, page 213
Configuring Server Cracking Profiles for Server Protection, page 213
Viewing Radware-defined Server Cracking Protections, page 215


Server Cracking Protection Network Topography


Server Cracking protection requires a symmetric environment: tracking requires inspection of server
responses, and blocking requires inspection of source requests.

Figure 25: Server Cracking Protection

Server Cracking Attack Types


This section describes the following server-cracking attack types:
Cracking, Brute Force, and Dictionary Attacks, page 207
Application-Vulnerability Scanning, page 207
SIP Scanning, page 208
SIP Brute-Force Attacks, page 208

Cracking, Brute Force, and Dictionary Attacks


Cracking, brute force, and dictionary attacks use scripts or other tools to try to break into an
application by guessing user names and passwords from known lists.
The risk associated with these types of attacks is clear: once a useful username and password are
obtained, the attacker has free access to a service, information, or even to the server itself.
Additional risks are denial of service, by triggering built-in protections in the application that lock
users, or by consuming system resources during the authentication attempts.

Application-Vulnerability Scanning
Scanning attacks try to find services that are known to be vulnerable or actual vulnerabilities at the
application level. The attacker later exploits the vulnerable server or application vulnerability. The
scanners, which can be automatic or manual, send a legitimate request to the server. The request is
used to expose the existence of the vulnerability. As such, the scan will not trigger an IPS-based
signature. In most cases, the server will not be vulnerable and will respond with an error message.


Application scanning attempts are usually precursors to more serious exploitation attempts.
Scanning attempts generate a higher than normal error-response rate from the application. Blocking
such attempts helps prevent the vulnerabilities from being disclosed.

SIP Scanning
In Session Initiation Protocol (SIP) scanning, the attacker's aim is slightly different. While it is
possible to find vulnerable SIP implementations, the actual advantage of SIP scanning is to obtain a
list of SIP subscribers, which can be used to send SPIT (SPAM over Internet Telephony). An attacker
can use scripts to send SPIT messages to a guessed list of subscribers and harvest the existing
subscribers according to the received replies. SPIT can annoy subscribers and even disrupt service if
carried out in high volumes.

SIP Brute-Force Attacks


A register brute force attack is an attempt to gain access to a user account, and through it, to the
service, thus allowing the attacker to exploit a service without paying for it, causing revenue loss,
reputation loss, and increased bill-verification activities.

Server Protection Policies/Rules, Profiles, and Protections


Each Server Protection policy/rule can include one Server Cracking Protection profile. Depending on
the configuration of the specific DefensePro device, DefensePro supports between 100 and 1000
Server Protection policies/rules. The default is 350.
Each DefensePro device supports up to 20 different profiles. You can use Server Cracking profiles for
multiple Server Protection policies/rules.
A Server Cracking Protection profile specifies the protections that DefensePro applies to protect
application servers in your network against cracking attempts and other vulnerability scans. For
information on the default configuration of each protection, see Viewing Radware-defined Server
Cracking Protections, page 215.
DefensePro supports the following protections:
Brute Force DNS
Brute Force FTP
Brute Force IMAP
Brute Force LDAP
Brute Force MSSQL
Brute Force MySQL
Brute Force POP3
Brute Force SIP (TCP)
Brute Force SIP (UDP)
Brute Force SIP DST (TCP)
Brute Force SIP DST (UDP)
Brute Force SMB
Brute Force SMTP
Brute Force Web
SIP Scan (TCP)
SIP Scan (UDP)
SIP Scan DST (TCP)
SIP Scan DST (UDP)
SMTP Scan
Web Scan


Server Cracking Threats and Server Cracking Protection Strategies


DefensePro identifies attackers using source tracking and a fuzzy-logic decision engine. The
detection mechanism uses the frequency and quantity of server-based error responses, and
uniquely identifies them per protected application. The analysis is done per source IP address and
protected server. DefensePro sends these parameters to the Fuzzy Inference System (FIS), which
calculates the degree of attack (DoA).
Application scanning and authentication brute-force attempts are usually precursors to more serious
exploitation attempts. The attacker sends a list of legitimate-looking requests and analyzes the
responses in order to discover a known vulnerability or gain access to restricted parts of the
application.
Both cracking and scanning attempts are characterized by higher-than-normal rates of error
responses from the application to specific users, in terms of frequency and quantity. Blocking such
attempts helps prevent more severe attacks.

Server Cracking Mitigation with Server Cracking Protection


DefensePro adds a source identified as an attacker to the Suspend table even when the protection
action is set to Report Only. The data in the Suspend table is affected by the specific protection
configuration. The data can include several combinations of source IP address and destination
details, such as, IP address and/or port.
When DefensePro detects an attack, the first blocking period is a random value between 10 to 30
seconds. Upon inserting the source IP address into the Suspend table, the system keeps tracking
the source for the duration of the blocking period and an additional expiration time, which is defined
by the Sensitivity set for the specific attack (see Sensitivity Parameter, page 210). If the source
keeps attacking the network during the monitoring interval, DefensePro blocks it again using a new
blocking period, which is more than twice the last blocking period, up to the maximal blocking
period of 120 seconds.

Server Cracking Protection Technology


This section describes the following aspects of the Server Cracking Protection technology:
DefensePro in the Network, page 209
The Detection Mechanism and Available Protections, page 209
Behavioral Parameters and States/Degrees of Attack, page 209
Sensitivity Parameter, page 210

DefensePro in the Network


DefensePro is a hardware appliance that is placed in-line with network traffic, typically between
the clients and the protected servers. A symmetric network environment is mandatory because
Server Cracking protection is done by inspecting server responses.

The Detection Mechanism and Available Protections


The detection mechanism is based on the analysis of server error-code replies. The codes are
identified by matching server response signatures. The signatures are part of the signature file,
which the Radware SOC team updates.

Behavioral Parameters and States/Degrees of Attack


An exponential moving average mechanism derives behavioral parameters (frequency and quantity
of code replies) per source IP address and protected server.
These parameters are further analyzed through a Fuzzy Logic Inference System that generates a
degree of attack (DoA), which, in turn, determines the state of each source IP address:
Attack state: The user (source) is blocked using the Suspend table.


Suspect state: The system continues to follow the user for a predefined duration (suspect
monitoring interval time-out).
Normal state: The system continues to follow the user for a predefined duration (that is, the
normal monitoring interval time-out, which is lower than the suspect state monitoring interval
time-out).

During the Attack state, the user is added to the Suspend table (a block list). When the user is
released from block, the monitoring interval is set again.

Sensitivity Parameter
The Sensitivity parameter of each Server Cracking protection defines thresholds for the quantity and
frequency of server-side error messages. DefensePro tracks server-side error messages to trigger
attack detection. High sensitivity means that only a few cracking attempts trigger the protection,
while Minor means that a very high number of attempts trigger the protection. The default is
Medium.
During the Attack state, the attacker is added to the Suspend table, which is the list of blocked
sources. When the user is released from the Suspend table, the monitoring interval is set again.

Table 104: Degree-of-Attack States and Sensitivity Values

Monitoring interval in seconds, by State and Sensitivity:

State             High   Medium   Low   Minor
Normal state       20     15      10     5
Suspect state      40     30      15    10
Attack state (1)   60     45      20    15

(1) In the Attack state, the user is added to the block list, and the monitoring interval is set when the
user is released from block.
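The blocking and post-release tracking behaviour described above (random first block of 10 to 30 seconds, re-blocking at more than twice the previous period, a 120-second ceiling, and the Attack-state monitoring interval of Table 104) as an added Python model; this is not Radware's code. The growth factor (2x plus one second) and the use of the Attack-state interval as the tracking window after release are this example's assumptions, since the guide states neither exactly.

```python
"""Added example (not Radware code): a model of the Suspend-table blocking and
monitoring behaviour that the Server Cracking mitigation section describes."""
import random

MAX_BLOCK_SECONDS = 120       # maximal blocking period stated in the guide
FIRST_BLOCK_RANGE = (10, 30)  # first blocking period: random value in this range

# Table 104: monitoring interval in seconds, by state and Sensitivity.
MONITORING_INTERVAL = {
    "normal":  {"High": 20, "Medium": 15, "Low": 10, "Minor": 5},
    "suspect": {"High": 40, "Medium": 30, "Low": 15, "Minor": 10},
    "attack":  {"High": 60, "Medium": 45, "Low": 20, "Minor": 15},
}


def escalate(previous_period: int) -> int:
    """Next blocking period: "more than twice the last", capped at 120 s.
    The guide gives no exact factor; 2x + 1 second is this example's assumption."""
    return min(2 * previous_period + 1, MAX_BLOCK_SECONDS)


class SuspendEntry:
    """One source tracked by the Suspend table for one protected destination."""

    def __init__(self, sensitivity: str, rng=random):
        self.sensitivity = sensitivity
        self.rng = rng                 # anything with randint(a, b); swappable for tests
        self.block_until = None        # end of the current blocking period
        self.monitor_until = None      # end of tracking after release (assumption:
                                       # the Attack-state interval of Table 104)
        self.last_period = None

    def blocked_at(self, t: float) -> bool:
        return self.block_until is not None and t < self.block_until

    def attack_detected(self, t: float):
        """Return the blocking period applied at time t, or None if already blocked."""
        if self.blocked_at(t):
            return None
        if self.monitor_until is not None and t <= self.monitor_until:
            # Repeat offender inside the monitoring window: escalate.
            period = escalate(self.last_period)
        else:
            # Window expired (or first sighting): tracking starts over.
            period = self.rng.randint(*FIRST_BLOCK_RANGE)
        self.last_period = period
        self.block_until = t + period
        self.monitor_until = self.block_until + MONITORING_INTERVAL["attack"][self.sensitivity]
        return period


def simulate(detection_times, sensitivity: str, rng=random):
    """Blocking periods applied to a source that is detected attacking at the given times."""
    entry = SuspendEntry(sensitivity, rng)
    periods = []
    for t in detection_times:
        period = entry.attack_detected(t)
        if period is not None:
            periods.append(period)
    return periods


if __name__ == "__main__":
    # Constructed detection times for one persistent source, Medium sensitivity.
    print(simulate([0, 5, 30, 80, 150, 250, 500], "Medium"))
```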

There may be cases where you need to tune the value of the Sensitivity parameter. For example, if
you are protecting a Web server that is not maintained or not updated, it may generate HTTP-error
replies at an abnormal rate, which the device will falsely identify as an attack. In such a case, set
the sensitivity to Low.

Note: Application-scanning and brute-force attempts are usually generated through multiple
L4 connections. If the attack attempts are using the same L4 connection (that is, a TCP
or UDP connection), the detection sensitivity will be automatically set to a higher value
than those that are specified in the above table. Thus, the quantity and frequency of
attempts needed to trigger the protection action will be lower.

Table 105: Sensitivity Levels for Brute-Force Indications

Sensitivity Counter (Request Trigger) Frequency (Requests/Second)


High 20 5
Medium 40 10
Low 60 15
Minor 80 20


Table 106: Sensitivity Levels for Cracking Indications (Single Layer 4 Connections)

Sensitivity Counter (Request Trigger) Frequency (Requests/Second)


High 5 1
Medium 10 2
Low 15 4
Minor 20 6

Table 107: Sensitivity Levels for Scanning Indications

Sensitivity Counter (Request Trigger) Frequency (Requests/Second)


High 10 0.5
Medium 30 1
Low 25 3
Minor 45 30
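The Counter and Frequency thresholds of Tables 105, 106 and 107 applied to constructed server error-response records, as an added Python example that is not Radware's code. The record format, the grouping per source IP and protected server, the rule that a single Layer 4 connection selects Table 106, the rate calculation (the device uses an exponential moving average and a fuzzy engine), and the requirement that both the Counter and the Frequency threshold be met are this example's assumptions.

```python
"""Added example (not Radware code): apply the Counter/Frequency thresholds of
Tables 105-107 to constructed server error-response records."""
from collections import defaultdict

# (Counter, Frequency in requests/second) per Sensitivity, copied from the tables.
BRUTE_FORCE = {"High": (20, 5), "Medium": (40, 10), "Low": (60, 15), "Minor": (80, 20)}  # Table 105
SINGLE_CONN = {"High": (5, 1), "Medium": (10, 2), "Low": (15, 4), "Minor": (20, 6)}      # Table 106
SCANNING = {"High": (10, 0.5), "Medium": (30, 1), "Low": (25, 3), "Minor": (45, 30)}     # Table 107

# Error codes that indicate a failed authentication (taken from Table 108; treating
# HTTP/SIP 401 as a brute-force indication is this example's assumption).
AUTH_FAILURE_CODES = {"401", "530", "535", "1045", "18456", "48", "49", "50"}

# Constructed records of server error responses (format is this example's own).
SAMPLE_LOG = (
    # Scanner: twelve "404 Not Found" replies over 4 s, each on a new TCP connection.
    [f"t={i * 0.36:.2f} proto=tcp src=203.0.113.5:{51000 + i} dst=198.51.100.10:80 code=404"
     for i in range(12)]
    # Password guesser: six "401 Unauthorized" replies in 3 s, all on one TCP connection.
    + [f"t={i * 0.6:.2f} proto=tcp src=198.51.100.77:40001 dst=198.51.100.10:80 code=401"
       for i in range(6)]
    # Legitimate client: two 404s from a broken link, nothing to act on.
    + ["t=1.00 proto=tcp src=192.0.2.9:33000 dst=198.51.100.10:80 code=404",
       "t=9.00 proto=tcp src=192.0.2.9:33001 dst=198.51.100.10:80 code=404"]
)


def parse_record(line: str) -> dict:
    """Parse one 'key=value' record into its fields."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    src_ip, src_port = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return {"t": float(fields["t"]), "proto": fields["proto"], "src": src_ip,
            "sport": src_port, "dst": dst_ip, "dport": dst_port, "code": fields["code"]}


def evaluate(lines, sensitivity: str) -> dict:
    """Per (source IP, protected server): which indication applies and whether it triggers."""
    groups = defaultdict(list)
    for rec in map(parse_record, lines):
        groups[(rec["src"], rec["dst"])].append(rec)

    results = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["t"])
        count = len(recs)
        span = recs[-1]["t"] - recs[0]["t"]
        rate = count / max(span, 1.0)  # simplification of the device's moving average
        connections = {(r["proto"], r["sport"], r["dport"]) for r in recs}
        if len(connections) == 1:
            # All attempts on one L4 connection: the stricter Table 106 applies.
            table, kind = SINGLE_CONN, "cracking (single L4 connection)"
        elif all(r["code"] in AUTH_FAILURE_CODES for r in recs):
            table, kind = BRUTE_FORCE, "brute force"
        else:
            table, kind = SCANNING, "scanning"
        counter, frequency = table[sensitivity]
        results[key] = {"indication": kind, "count": count, "rate": round(rate, 2),
                        "triggered": count >= counter and rate >= frequency}
    return results


if __name__ == "__main__":
    for sens in ("High", "Medium"):
        print(sens, evaluate(SAMPLE_LOG, sens))
```

At High sensitivity the scanner and the single-connection password guesser both trigger; at Medium neither reaches the Counter threshold, which is the tuning trade-off the Sensitivity parameter describes.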

Errors that Server Cracking Protection Monitors


The following table lists the protocol errors that Server Cracking Protection monitors to identify
various server-cracking attacks.

Table 108: Protocol Errors and Server Cracking Protections

Error Code | Error | Web Scan | SIP/Web Brute Force | SIP Scan | Additional Server Cracking Protection

0xc000006a STATUS_WRONG_PASSWORD: Brute Force SMB
0xc000006d STATUS_LOGON_FAILURE: Brute Force SMB
0xc0000022 STATUS_ACCESS_DENIED: Brute Force SMB
48 Inappropriate Authentication: Brute Force LDAP
49 Invalid Credentials: Brute Force LDAP
50 Insufficient Access Rights: Brute Force LDAP
400 Bad Request ✓ ✓
401 Unauthorized ✓
402 Payment Required ✓
403 Forbidden ✓ ✓
404 Not Found ✓ ✓
405 Method Not Allowed ✓ ✓
406 Not Acceptable ✓ ✓
407 Proxy Authentication Required ✓ ✓
408 Request Timeout ✓ ✓
409 Conflict ✓
410 Gone ✓ ✓
411 Length Required ✓
412 Precondition Failed ✓
413 Request Entity Too Large ✓ ✓
414 Request-URI Too Large ✓ ✓
415 Unsupported Media Type ✓ ✓
416 Unsupported URI Scheme ✓ ✓
417 Unknown Resource-Priority ✓ ✓
420 Bad Extension ✓
421 Extension Required ✓
423 Interval Too Brief ✓
481 Call/Transaction Does Not Exist ✓
483 Too Many Hops ✓
485 Ambiguous ✓
486 Busy Here ✓
488 Not Acceptable Here ✓
530 User not logged in: Brute Force FTP
535 Authentication unsuccessful/Bad username or password: Brute Force SMTP
550 Mailbox Unavailable: SMTP Scan
1045 Access denied for user: Brute Force MySQL
8003 Response, No such name: Brute Force DNS
18456 Login Failed: Brute Force MSSQL
-ERR General POP3 error: Brute Force POP3
No - generic error code: Brute Force IMAP


Server Cracking Protection Limitations


Server Cracking Protection has the following known limitations:
Server Cracking protection relies on generic protocol error messages: The signatures of
Server Cracking protection are based on these messages, which are defined in protocol RFCs.
Server Cracking Protection can identify traffic using these generic errors, but Server Cracking
Protection might miss cracking attempts of applications and services that do not use generic
protocol error messages.
Web servers that respond with error messages inside the HTTP content or use HTTP
200 OK might not be inspected, and malicious attempts will not be detected and
blocked.
Web authentication: When the authentication is done at the application level without using
HTTP error codes, the Server Cracking module will not be able to detect the attack.
Web scans: When the server replies with HTTP 200 OK to requests, the Server Cracking
module will not be able to detect the attack. While this practice is not recommended by the RFC,
it is sometimes used by Web server administrators. Support for such customized error pages is
planned.

Configuring Server Cracking Profiles for Server Protection


Server Cracking profiles defend the applications in your network against server flooding,
authorization hacking, vulnerability scanning, and application floods. Each protection protects
against one specific cracking activity.
You configure Server Cracking profiles with Radware-defined protections.
Each DefensePro device supports up to 20 Server Cracking profiles.
Before you configure a Server Cracking profile, ensure the following:
The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session
Table Settings, page 97.
IPS protection is enabled and the global parameters are configured. For more information, see
Configuring Global Signature Protection, page 131.

To configure a Server Cracking profile

1. In the Configuration perspective Server Protection tab navigation pane, select Server Cracking
Profiles.
2. To add a profile:

a. Click the (Add) button.


b. Enter a name for the profile and click OK.
c. Configure the actions and protections for the profile and click OK.
3. To modify a profile:
a. Double-click the entry in the table.
b. Modify the actions and protections of the profile; and then, click OK.


Table 109: Server Cracking Profile Parameters

Parameter Description
Profile Name (Read-only) The name of the Server Cracking profile.
Action The action that the device takes when an attack that matches the
configured protection occurs.
Values: Block and Report, Report Only
Default: Report Only
Packet Trace Specifies whether the DefensePro device sends attack packets to the
specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration
perspective, Advanced Parameters > Security
Reporting Settings > Enable Packet Trace on
Physical Port). In addition, a change to this parameter
takes effect only after you update policies.
Server Cracking Protection table: Contains the protections to be applied if there is an attack on the
server. To configure a protection, see Configuring Server Cracking Protections for a Server Cracking
Profile, page 214.
Note: In each Server Cracking policy/rule, you can use only one Server Cracking profile. Therefore,
ensure that all the protections that you want to apply to a rule are contained in the profile
specified for that rule.

Configuring Server Cracking Protections for a Server Cracking Profile


In each Server Cracking policy/rule, you can use only one Server Cracking profile. Therefore, ensure
that all the Server Cracking protections that you want to apply to a rule are contained in the profile
specified for that rule.

To configure a Server Cracking protection for a Server Cracking profile

1. In the table of the Server Cracking Profile dialog box (Configuration perspective Server
Protection tab navigation pane > Server Cracking Profiles > click (Add) or double-click
the entry in the table), do one of the following:
To add a protection, right-click in the table and select Add New Server Cracking
Protection.
To modify the configuration of an already specified protection, double-click the entry.
2. Configure the parameters; and then, click OK.


Table 110: Server Cracking Protection Parameters

Parameter Description
Profile Name (Read-only) The name of the Server Cracking profile.
Server Cracking Protection Name: (Read-only when modifying the configuration) The name of the
Server Cracking protection.
Notes:
>> You can view the default configuration of each protection in the Server Cracking Protections
pane (see Viewing Radware-defined Server Cracking Protections, page 215).
>> For more information on the Server Cracking protections, see Server Protection Policies/Rules,
Profiles, and Protections, page 208 and Server Cracking Protection Technology, page 209.
Sensitivity The detection sensitivity of the module. The sensitivity level defines
thresholds for the number and frequency of server-side error
messages.
Values: High, Medium, Low, Minor
Default: Medium
Note: For more information, see Sensitivity Parameter, page 210.
Risk The risk assigned to this attack for reporting purposes.
Values: Info, Low, Medium, High

Viewing Radware-defined Server Cracking Protections


You can view the default configurations of the Radware-defined Server Cracking protections.

To view Radware-defined Server Cracking protections

In the Configuration perspective Server Protection tab navigation pane, select Server Cracking
Profiles > Server Cracking Protections. The Server Cracking Protections table is displayed
with the read-only Radware-defined Server Cracking protections.

Table 111: Radware-defined Server Cracking Protection Parameters

Parameter Description
Protection ID The unique identifying number.
Protection Name The name for the Protection. The Protection Name is used when DoS Shield
sends information about attack status changes.
Risk The risk assigned to this attack for reporting purposes.
Values: Info, Low, Medium, High

Sensitivity The detection sensitivity of the module. The sensitivity level defines thresholds for
the number and frequency of server-side error messages. These messages are
tracked for attack detection. High sensitivity specifies that the protection
needs few cracking attempts to trigger. Minor sensitivity
specifies that the device needs a very high number of attempts.
Values: High, Medium, Low, Minor
Default: Medium
Note: If you are protecting a Web server that is not maintained or not
updated, it may generate HTTP-error replies at an abnormal rate,
which the device will falsely identify as an attack. In such a case, set
the sensitivity to Low.
Action Mode The action that the device takes when an attack is detected.
Direction The direction of the traffic to inspect. A protection may include attacks that
should be searched only for traffic from client to server or only on traffic from
server to client.
Values:
Inbound: The Protection inspects traffic from policy Source to policy Destination.
Outbound: The Protection inspects traffic from policy Destination to policy Source.
Inbound & Outbound: The Protection inspects all traffic between policy Source and policy
Destination.
Suspend Action Specifies what traffic to suspend for a period of time.
Values:
None: Suspend action is disabled for this attack.
SrcIP: All traffic from the IP address identified as the source of the attack is suspended.
SrcIP, DestIP: Traffic from the IP address identified as the source of the attack to the
destination IP address under attack is suspended.
SrcIP, DestPort: Traffic from the IP address identified as the source of the attack to the
application (destination port) under attack is suspended.
SrcIP, DestIP, DestPort: Traffic from the IP address identified as the source of the attack to
the destination IP address and port under attack is suspended.
SrcIP, DestIP, SrcPort, DestPort: Traffic from the IP address and port identified as the source
of the attack to the destination IP address and port under attack is suspended.

Configuring HTTP Flood Mitigation Profiles for Server Protection


HTTP Flood Mitigation profiles defend the applications in your network against server flooding.
Server flood attacks are aimed at specific servers causing denial of service at the server level. These
types of attacks disrupt a server by sending more requests than the server can handle, thereby
preventing access to a service.
Server attacks differ from network-flood attacks either in the attack volume or in the nature of the
requests used in the attack. Server flood attacks use legitimate requests that cannot be
distinguished from regular customer requests.


Before you configure an HTTP Flood Mitigation profile, ensure that HTTP mitigation is enabled and
the global parameters are configured. For more information, see Configuring Global HTTP Flood
Protection, page 143.

To configure an HTTP Flood profile

1. In the Configuration perspective Server Protection tab navigation pane, select HTTP Flood
Profiles.
2. Do one of the following:

To add a profile, click the (Add) button. Enter the profile name and click OK.
To edit a profile, double-click the entry in the table.
3. Configure the parameters; and then, click OK.

Table 112: HTTP Flood Profile Parameters

Parameter Description
Basic Parameters
Profile Name The name of the profile.
Sensitivity Level When User-Defined Attack Triggers are not used, this parameter specifies
how sensitive the profile is to deviations from the baseline. High specifies
that the profile identifies an attack when the device detects only a small
deviation from the baselines.
Values:
Minor
Low
Medium
High
Default: Medium
Action The action that the profile takes when the profile detects suspicious traffic.
Values:
Block and Report: Blocks and reports on the suspicious traffic.
Report Only: Reports the suspicious traffic.
Default: Block and Report
Automatic Attack Triggers
GET and POST Request Specifies whether the profile identifies an HTTP flood attack when the rate
Rate of GET and POST requests exceeds the learned baseline.
Default: Enabled

Other Request-Type Specifies whether the profile identifies an HTTP flood attack when the rate
Request Rate of requests that are not GET or POST requests exceeds the learned
baseline.
Default: Enabled
Caution: If Outbound HTTP Bandwidth is enabled and Other Request-
Type Request Rate is disabled, an attack consisting of other
(that is, not GET or POST) requests may cause high outbound
HTTP bandwidth consumption. An attack consisting of other
(that is, not GET or POST) requests may cause high outbound
HTTP bandwidth consumption also if Outbound HTTP
Bandwidth is enabled and Other Request-Type Request Rate
is enabled too but the rate does not exceed the threshold.
The high outbound HTTP bandwidth consumption may cause
the Outbound HTTP Bandwidth mechanism to consider the
attack to be an anomaly, and the profile will not mitigate it.
Outbound HTTP Specifies whether the profile identifies an HTTP flood attack when the
Bandwidth outbound HTTP bandwidth exceeds the learned baseline.
Default: Enabled
Requests-per-Source Specifies whether the profile identifies an HTTP flood attack when the rate
Rate of requests per source exceeds the learned baseline.
Default: Enabled
Requests-per- Specifies whether the profile identifies an HTTP flood attack when the rate
Connection Rate of requests per connection exceeds the learned baseline.
Default: Enabled
User-Defined Attack Triggers
Use the following Specifies whether the profile uses static, user-defined thresholds to
thresholds to identify identify when an attack is in progress or checks the server traffic and
HTTP flood attacks compares the traffic behavior to the baseline to identify when an attack is
in progress.
Default: Disabled
GET and POST Request-Rate Trigger: The maximum number of GET and POST requests allowed, per
server per second.
Values:
0: The profile ignores the threshold.
1 to 4,294,967,296
Default: 0

Other Request-type Request-Rate Trigger: The maximum number of requests that are not GET or
POST (for example, HEAD, PUT, and so on) allowed, per server per second.
Values:
0: The profile ignores the threshold.
1 to 4,294,967,296
Default: 0
Caution: If Outbound HTTP BW Trigger is enabled and Other Request-
type Request-Rate Trigger is disabled, an attack consisting of
other (that is, not GET or POST) requests may cause high
outbound HTTP bandwidth consumption. An attack consisting
of other (that is, not GET or POST) requests may cause high
outbound HTTP bandwidth consumption also if Outbound
HTTP BW Trigger is enabled and Other Request-type Request-
Rate Trigger is enabled too but the rate does not exceed the
threshold. The high outbound HTTP bandwidth consumption
may cause the Outbound HTTP BW Trigger mechanism to
consider the attack to be an anomaly, and the profile will not
mitigate it.
Outbound HTTP BW Trigger: The maximum allowed bandwidth of HTTP responses in kilobits per
second.
Values:
0: The profile ignores the threshold.
1 to 4,294,967,296
Default: 0
Requests-per-Source Trigger: The maximum number of requests allowed per source IP per second.
Values:
0: The profile ignores the threshold.
1 to 4,294,967,296
Default: 5
Requests-per-Connection Trigger: The maximum number of requests allowed from the same
connection.
Values:
0: The profile ignores the threshold.
1 to 4,294,967,296
Default: 5
Suspicious Source Characterization Thresholds
Request-Rate Threshold: The number of HTTP requests per second from a source that causes the
profile to consider the source to be suspicious.
Values: 1 to 65,535
Default: 5
Requests-per-Connection Threshold: The number of HTTP requests for a connection that causes the
profile to consider the source to be suspicious.
Values: 1 to 65,535
Default: 5

Packet Report Specifies whether the profile sends sampled attack packets to APSolute Vision for offline analysis.
Default: Enabled
Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting).
Packet Trace Specifies whether the profile sends attack packets to the specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.
Mitigation Settings
When the protection is enabled and the profile detects that an HTTP-flood attack has started, the device implements the mitigation actions in escalating order, that is, in the order in which they appear in the group box. If the first enabled mitigation action does not mitigate the attack satisfactorily, then after a certain escalation period the device implements the next, more severe, enabled mitigation action, and so on.
Escalation periods are not configurable.
Challenge Suspects Specifies whether the profile challenges HTTP sources that match the real-time signature.
Default: Enabled
Challenge All Specifies whether the profile challenges all HTTP traffic toward the protected server.
Default: Enabled

Block Suspects Specifies whether the profile blocks all traffic from the suspect sources.
Default: Enabled
Challenge Mode Specifies how the profile challenges suspect HTTP sources.
Values:
302 Redirect – The device authenticates HTTP traffic using a 302-Redirect response code.
JavaScript – The device authenticates HTTP traffic using a JavaScript object generated by the device.
Default: 302 Redirect
Notes:
>> Some attack tools are capable of handling 302-redirect responses. The 302-Redirect Challenge Mode is not effective against attacks that use those tools. The JavaScript Challenge Mode requires an engine on the client side that supports JavaScript, and therefore the JavaScript option is considered stronger. However, the JavaScript option has some limitations, which are relevant in certain scenarios.
>> Limitations when using the JavaScript Challenge Mode:
If the browser does not support JavaScript calls, the browser will not answer the challenge.
When the protected server is accessed as a sub-page through another (main) page only using JavaScript, the user session will fail (that is, the browser will not answer the challenge). For example, if the protected server supplies content that is requested using a JavaScript tag, the DefensePro JavaScript is enclosed within the original JavaScript block. This violates JavaScript rules, which results in a challenge failure.
Example: The js.src request in the script below accesses a secure server:
<script>
setTimeout(function(){
  // The protected server's content is loaded as a script resource from the main page.
  var js=document.createElement("script");
  js.src="http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
  document.getElementsByTagName("head")[0].appendChild(js);
},1000);
</script>
The returned challenge page contains the <script> tag again, which is illegal in that context, and therefore it is dropped by the browser without making the redirect.
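The characterization thresholds and the escalating mitigation order in Table 112, as an added example in Python that is not part of the Radware documentation: it flags sources whose one-second request rate or per-connection request count reaches the thresholds, then maps each request to the action of the current escalation step. The request-log format, the function names and the at-or-above reading of the thresholds are assumptions.

```python
"""Suspicious-source characterization and escalating mitigation for the HTTP flood
profile described in Table 112.  Added example, not Radware code: the request-log
format, the helper names and the 'at or above threshold' reading are constructed."""
from collections import defaultdict

# Constructed request log: (time in seconds, source IP, connection id, method, path).
REQUEST_LOG = [
    # 198.51.100.7: seven requests within one second on a single connection
    (10.0, "198.51.100.7", "c1", "GET", "/"),
    (10.1, "198.51.100.7", "c1", "GET", "/search?q=1"),
    (10.2, "198.51.100.7", "c1", "GET", "/search?q=2"),
    (10.3, "198.51.100.7", "c1", "GET", "/search?q=3"),
    (10.4, "198.51.100.7", "c1", "GET", "/search?q=4"),
    (10.5, "198.51.100.7", "c1", "GET", "/search?q=5"),
    (10.6, "198.51.100.7", "c1", "GET", "/search?q=6"),
    # 203.0.113.4: ordinary browsing, a few requests on separate connections
    (10.0, "203.0.113.4", "c2", "GET", "/"),
    (10.5, "203.0.113.4", "c3", "GET", "/img/logo.png"),
    (11.0, "203.0.113.4", "c4", "POST", "/login"),
    # 192.0.2.99: slow rate, but keeps one connection busy with six requests
    (12.0, "192.0.2.99", "c5", "GET", "/a"),
    (12.6, "192.0.2.99", "c5", "GET", "/b"),
    (13.2, "192.0.2.99", "c5", "GET", "/c"),
    (13.8, "192.0.2.99", "c5", "GET", "/d"),
    (14.4, "192.0.2.99", "c5", "GET", "/e"),
    (15.0, "192.0.2.99", "c5", "GET", "/f"),
]

# Mitigation actions in the escalating order in which Table 112 lists them.
ESCALATION = ("Challenge Suspects", "Challenge All", "Block Suspects")


def peak_rate(times):
    """Highest number of requests from one source inside any one-second window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= 1.0:   # slide the window start forward
            start += 1
        best = max(best, end - start + 1)
    return best


def characterize_sources(log, rate_threshold=5, per_conn_threshold=5):
    """Map each suspicious source IP to the set of thresholds it crossed.

    rate_threshold mirrors Request-Rate Threshold and per_conn_threshold mirrors
    Requests-per-Connection Threshold (both default to 5 in Table 112).  A source
    counts as suspicious at or above a threshold (constructed reading)."""
    times_by_source = defaultdict(list)
    requests_by_conn = defaultdict(int)
    for t, src, conn, _method, _path in log:
        times_by_source[src].append(t)
        requests_by_conn[(src, conn)] += 1

    reasons = defaultdict(set)
    for src, times in times_by_source.items():
        if peak_rate(times) >= rate_threshold:
            reasons[src].add("request-rate")
    for (src, _conn), count in requests_by_conn.items():
        if count >= per_conn_threshold:
            reasons[src].add("requests-per-connection")
    return dict(reasons)


def action_for(src, suspects, enabled, step):
    """Action for one request at escalation step `step` (0-based).

    `enabled` maps an action name to a bool (missing names count as enabled,
    matching the Enabled defaults); disabled actions are skipped, and the
    last enabled action stays in force once escalation has run out."""
    active = [a for a in ESCALATION if enabled.get(a, True)]
    if not active:
        return "forward"                        # no mitigation action enabled at all
    current = active[min(step, len(active) - 1)]
    if current == "Challenge All":
        return "challenge"                      # every client must pass the challenge
    if src in suspects:
        return "challenge" if current == "Challenge Suspects" else "block"
    return "forward"                            # non-suspect traffic passes untouched


if __name__ == "__main__":
    suspects = characterize_sources(REQUEST_LOG)
    for src, why in sorted(suspects.items()):
        print(src, sorted(why))
    for step in range(3):
        print(step, {s: action_for(s, suspects, {}, step)
                     for s in ("198.51.100.7", "203.0.113.4")})
```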

Configuring White Lists


The White List determines the traffic that is exempt from security inspection.
For each protection, you can set different White List rules.

Configuring White Lists in DefensePro


The configuration of White Lists in DefensePro depends on the device version.
In DefensePro, a White List rule can use explicit values or predefined classes to classify the traffic. The classes are displayed in the Classes tab. For more information, see Managing Classes, page 249.
You can configure a White List rule from a specified source Network class or source IP address to bypass (that is, be exempt from) specific protection modules, for example, Server Cracking. When you specify specific protection modules in a White List rule, the device uses only the source Network class or explicit source IP address.

Note: Since networks on the White List are not inspected, certain protections are not applied
to sessions in the opposite direction. For example, with SYN protection, this can cause
servers to not be added to known destinations due to ACK packets not being inspected.

To configure a white list

1. In the Configuration perspective ACL tab navigation pane, select White List.
2. To add or modify a white list rule, do one of the following:

To add a rule, click the (Add) button.


To edit a rule, double-click the entry in the table.
3. Configure white list rule parameters.
4. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more
information, see Updating Policy Configurations on a DefensePro Device, page 274.

Table 113: White List Rule Parameters

Parameter Description
Identification
Name The name of the rule, up to 50 characters.
Description The user-defined description of the rule.
Enable When selected, the rule is active.

Module Bypass
Bypass All Modules Specifies whether the rule applies to all protection modules.
Values:
Enabled – The specified Classification criteria determine the traffic that is exempt from security inspection. The checkboxes for the protection modules are unavailable.
Disabled – The specified source (that is, the source Network class or source IP address) and the specified protection modules determine the traffic that is exempt from security inspection. The checkboxes for the protection modules are available.
Default: Enabled
Note: Performance is better when Bypass All Modules is enabled (Bypass All Modules checkbox is selected) rather than having the modules enabled individually.
Bypass SYN Protection When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses SYN Protection inspection.
Default: Enabled
Bypass Anti Scanning When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Anti-Scanning inspection.
Default: Enabled
Bypass Signature Protection When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Signature Protection inspection.
Default: Enabled
Bypass HTTP Flood When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses HTTP Flood inspection.
Default: Enabled
Bypass Server Cracking When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Server Cracking inspection.
Default: Enabled
Classification
Source Network The source of the packets that the rule uses.
Values:
A Network class displayed in the Classes tab
An IP address
any

Source Port The source Application Port class or application-port number that the
rule uses.
Values:
An Application Port class displayed in the Classes tab
An application-port number
None
Destination Network The destination of the packets that the rule uses.
Values:
A Network class displayed in the Classes tab
An IP address
any
Destination Port The destination Application Port class or application-port number that
the rule uses.
Values:
An Application Port class displayed in the Classes tab
An application-port number
None
Physical Ports The Physical Port class or physical port that the rule uses.
Values:
A Physical Port class displayed in the Classes tab
The physical ports on the device
None
VLAN Tag The VLAN Tag class that the rule uses.
Values:
A VLAN Tag class displayed in the Classes tab
None
Protocol The protocol of the traffic that the rule uses.
Values:
Any
GRE
ICMP
ICMPv6
IGMP
SCTP
TCP
UDP
L2TP
GTP
IP in IP
Default: Any

Direction The direction of the traffic to which the rule relates.
Values:
One-directional – The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.
Bi-directional – The protection applies to sessions that match the network definitions of the policy regardless of their direction.
Default: One-directional
Action
Action (Read-only) The action for a White List rule is always Bypass.

Configuring Black Lists


The Black List comprises the traffic that the device always blocks without inspection. You use the
Black List as policy exceptions for security policies.
This feature is not supported on management interfaces.

Enabling and Disabling the Packet Trace Feature for Black List Rules
You enable or disable the Packet Trace feature for all the Black List rules on the device.
When the Packet Trace feature is enabled for Black Lists, the DefensePro device sends blacklisted
packets to the specified physical port.

Notes
>> When this feature is enabled, for the feature to take effect, the global setting must be
enabled (Configuration perspective, Advanced Parameters > Security Reporting
Settings > Enable Packet Trace on Physical Port).
>> A change to the parameter takes effect only after you update policies.

To enable or disable the Packet Trace feature for all the Black List rules on the device

1. In the Configuration perspective ACL tab navigation pane, select Black List.

2. Select or clear the Packet Trace checkbox; and then, click (Submit) to submit the changes.

Configuring Black List Rules


The Black List module supports the Packet Trace feature. You enable or disable the feature globally, that is, for all of the associated Black List rules.

To configure a Black List rule

1. In the Configuration perspective ACL tab navigation pane, select Black List.
2. To add or modify a black list rule, do one of the following:

To add a rule, click the (Add) button.


To edit a rule, double-click the entry in the table.
3. Configure the parameters; and then, click OK.
4. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more
information, see Updating Policy Configurations on a DefensePro Device, page 274.

Table 114: Black List Rule Parameters

Parameter Description
Identification
Name The name of the rule.
Maximum characters: 29
Note: If a Security Group configured this Black List rule, the rule
name is in the format <SecurityGroupName> hhmm $$$$,
where hhmm is the time (hour and minutes) that Security Group
configured the rule and $$$$ is a four-character hexadecimal
hash of the event ID in the security-event trap.
Description The user-defined description of the rule.
Enable When selected, the rule is active.
Default: Enabled
Classification
Source Network The source of the packets that the rule uses.
Values:
A Network class displayed in the Classes tab
An IP address
None
any
Default: any

Source Port The source Application Port class or application-port number that the rule
uses.
Values:
An Application Port class displayed in the Classes tab
An application-port number
None
Destination Network The destination of the packets that the rule uses.
Values:
A Network class displayed in the Classes tab
An IP address
None
any
Default: any
Destination Port The destination Application Port class or application-port number that the
rule uses.
Values:
An Application Port class displayed in the Classes tab
An application-port number
None
Physical Ports The Physical Port class or physical port that the rule uses.
Values:
A Physical Port class displayed in the Classes tab
The physical ports on the device
None
VLAN Tag The existing VLAN Tag class for the rule.
Values:
A VLAN Tag class displayed in the Classes tab
None
Protocol The protocol of the traffic that the policy inspects.
Values:
Any
GRE
ICMP
ICMPv6
IGMP
SCTP
TCP
UDP
IP in IP
Default: Any

Direction The direction to which the rule relates.
Values:
One-directional – The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.
Bi-directional – The protection applies to sessions that match the network definitions of the policy regardless of their direction.
Default: One-directional
Dynamic Rule Parameters
Dynamic Specifies whether the rule implements the Expiration Timer.
Default: Disabled
Note: Changing the configuration of this option takes effect only after
you update policies (click Activate Latest Changes).
Entry Expiration Timer Specifies the hours and minutes remaining for the rule.
Notes:
>> The maximum Expiration Timer is two hours.
>> The Expiration Timer can be used only with dynamic Black List
rules. The Expiration Timer for a static Black List rule must be set
to 0 (zero hours and zero minutes).
>> When the rule expires (that is, when the Entry Expiration Timer
elapses), the rule disappears from the Black List Policy table
when the table refreshes.

Detector Security Module A DefensePro security module that can identify the root cause of the black list rule. This parameter has no effect on the device operation.
If a Security Group configured this Black List rule, the Detector Security Module value displays the DefensePro security module of the Security Group Sender.
Values:
Admin – The default value in the context of a user-defined, dynamic Black List rule.
Server Cracking – Displays if a Security Group configured this Black List rule and it was the Server Cracking module of the Security Group Sender that detected the threat.
Anti-Scan – Displays if a Security Group configured this Black List rule and it was the Anti-Scanning module of the Security Group Sender that detected the threat.
Vision Reporter
Connection Limit
Application Security
Syn Protection
HTTP Flood
Behavioral DoS
DNS Flood
Default: Admin
Note: For more information on Security Groups, see Managing DefensePro Security Groups, page 50.
Detector An IP address that can identify the root cause of the black list rule. This parameter has no effect on the device operation.
If a Security Group configured this Black List rule, the Detector value displays the IP address of the Security Group Sender.
Note: For more information on Security Groups, see Managing DefensePro Security Groups, page 50.
Action
Action (Read-only) The action for a Black List rule is always Drop.
Report Specifies whether the device issues traps for the rule.
Packet Report Specifies whether the device sends sampled attack packets to APSolute
Vision for offline analysis.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration
perspective, Advanced Parameters > Security
Reporting Settings > Enable Packet Reporting).

Managing the ACL Policy


The Access Control List (ACL) module is a stateful firewall that enables you to configure a flexible
and focused stateful access-control policy. You can modify and view the active ACL policy. You can
also view ACL report summaries and the ACL log analysis.
ACL in DefensePro does not work on the physical management ports (MNG 1 and MNG 2).
When enabled and activated, the relevant ACL configuration takes precedence over the Session
Table Aging parameter. For more information, see Configuring Session Table Settings, page 97.
To operate correctly, ACL needs to determine the direction of session packets.
ACL determines packet direction as follows:
TCP direction – According to the first SYN packet that creates a session.
UDP direction – According to the first packet in the flow.
ICMP direction – According to the ICMP message type (that is, reply or request type).
Non-TCP, non-UDP and non-ICMP session direction – According to the first L3 (IP) packet in the flow.
Non-IP direction – According to the first packet in the flow.

When ACL is enabled and activated, the device learns about the existing sessions for a specified amount of time (by default, 10 minutes). During this learning period, the device accepts all sessions regardless of any unknown direction. However, in certain cases, ACL treats the session according to the configured policies even during the learning period.
ACL treats the session according to the configured policies in the following cases:
A new TCP session starts with a SYN packet.
A new ICMP session starts with a request packet.

Configuring the ACL feature involves the following steps:


1. Configuring Global ACL Policy Settings, page 230.
2. Configuring ACL Policy Rules, page 233.

Note: Enabling an ACL policy requires a device reboot.

Configuring Global ACL Policy Settings


Before you configure an ACL policy, ensure that the ACL feature is enabled.

Caution: In a high-availability (HA) setup, when you enable ACL on the primary device, you
must reboot the device immediately. If you do not reboot, the secondary device may
synchronize its configuration and reboot automatically, causing traffic sent to the
secondary device to be blocked in the event of a switchover.

Notes
>> Enabling ACL requires a device reboot.
>> When the ACL feature is disabled, you cannot view or configure ACL policies.

To configure global ACL settings

1. In the Configuration perspective ACL tab navigation pane, select ACL Policy > Global
Settings.

2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 115: Global ACL Parameters

Parameter Description
Global Settings
Enable ACL Specifies whether the ACL feature is enabled.
When you change this setting, the device requires an immediate
reboot.
Default: Disabled
Caution: The default configuration of the Default ACL policy drops
(that is, blocks) all traffic. Use the Default Policy Action
parameter to specify the action of the Default ACL policy
when the device reboots.
Default Policy Action (This parameter is available only when the ACL feature is disabled.) The action of the Default ACL policy when the device reboots after selecting the Enable ACL checkbox.
Values:
Accept – When the device reboots after selecting the Enable ACL checkbox, the Default ACL policy accepts all traffic.
Drop – When the device reboots after selecting the Enable ACL checkbox, the Default ACL policy drops all traffic.
Current – When the device reboots after selecting the Enable ACL checkbox, the Default ACL policy uses the Action option that is currently specified.
Default: Current
Note: After clearing the Enable ACL checkbox and rebooting, the Default Policy Action option reverts to Current.
Learning Period The time, in seconds, the device takes to learn existing sessions before starting the protection.
During the learning period, the device accepts all sessions regardless of any unknown direction.
However, for the following cases, ACL treats the session according to the configured policies:
A new TCP session that starts with a SYN packet
A new ICMP session that starts with a request packet
Values:
0 – The protection starts immediately
1–4,294,967,295
Default: 600
TCP Handshake Timeout The time, in seconds, the device waits for the three-way handshake to complete before the device drops the session.

TCP Timeout in Established State The time, in seconds, an idle session remains in the Session table. If the device receives packets for a timed-out, discarded session, the device considers the packets to be out-of-state and drops them.
Values: 60–7200
Default: 3600
TCP FIN Timeout The time, in seconds, the session remains in the Session table after the device receives a FIN packet from both sides (from the client and from the server).
Values: 1–600
Default: 10
TCP RST Timeout The time, in seconds, the session remains in the Session table after the device receives a TCP RST packet for the session.
Values: 1–600
Default: 30
TCP Mid Flow Mode Specifies what the device does with out-of-state packets.
Values: Drop, Allow
Default: Drop
TCP Reset Validation Mode Specifies the action that the device takes when RST packet validation fails (that is, the packet sequence number is not within the permitted range).
Values: Drop, Allow, Report Only
Default: Drop
UDP Timeout The time, in seconds, that the device keeps an idle UDP session open. After the timeout, the session is removed from the Session table.
Values: 1–3600
Default: 180
Unsolicited ICMP Specifies whether the ACL module permits unsolicited ICMP reply messages.
ICMP Timeout The time, in seconds, that the device keeps an idle ICMP session open. After the timeout, the session is removed from the Session table.
Values: 1–300
Default: 60
GRE Timeout The time, in seconds, that the device keeps an idle GRE session open. After the timeout, the session is removed from the Session table.
Values: 1–7200
Default: 3600
SCTP Timeout The time, in seconds, that the device keeps an idle SCTP session open. After the timeout, the session is removed from the Session table.
Values: 1–7200
Default: 3600

Other IP Protocols Timeout The time, in seconds, that the device keeps an idle session of other IP protocols (not UDP, not ICMP) open. After the timeout, the session is removed from the Session table.
Values: 1–7200
Default: 600
Report and Trace Settings
Interval for Sending Summary Reports The frequency, in seconds, at which the device produces ACL reports.
Values: 1–600
Default: 60
Send Reports Using SRP When enabled, the device sends ACL policy reports to the APSolute Vision server.
Note: The Statistics Reporting Protocol (SRP) management host IP address must be configured to send ACL policy reports. For more information, see Configuring Advanced Settings, page 81.
Max Number of Report Traps The maximum number of detailed reports that the device generates per second.
Values: 1–100
Default: 10
Packet Trace Specifies whether the DefensePro device sends attack packets to the specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.
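The direction rules and learning-period exceptions from the start of this ACL section, together with the state timeouts and TCP Mid Flow Mode of Table 115, modelled in Python as an added example that is not Radware code: sessions are keyed independently of direction; direction comes from the first SYN, the ICMP request, or the first packet of the flow; SYN-initiated TCP sessions and ICMP requests hit the policy even while learning; idle sessions age out per the Table 115 defaults and later packets for them are out-of-state. The policy callback, the handshake-timeout value and the ICMP request-type set are assumptions, and Unsolicited ICMP is treated as not permitted.

```python
"""Simplified model of the ACL session handling described above: per-protocol direction
determination, the learning period, the Table 115 state timeouts and TCP Mid Flow Mode.
Added example, not Radware code; the policy callback, the handshake-timeout default and
the ICMP request-type list are assumptions."""
from dataclasses import dataclass, field

# Idle timeouts in seconds, taken from the Table 115 defaults where the page gives one.
TIMEOUTS = {
    "HANDSHAKE": 30,      # assumption: the page states no default for TCP Handshake Timeout
    "ESTABLISHED": 3600,  # TCP Timeout in Established State
    "FIN": 10,            # TCP FIN Timeout, after FIN from both sides
    "RST": 30,            # TCP RST Timeout
    "UDP": 180, "ICMP": 60, "OTHER": 600,   # UDP, ICMP and Other IP Protocols Timeouts
}
ICMP_REQUESTS = {8, 13, 15, 17}   # echo, timestamp, information and address-mask requests

@dataclass(frozen=True)
class Packet:
    proto: str                       # "TCP", "UDP", "ICMP" or another IP protocol name
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, subset of {"SYN", "ACK", "FIN", "RST"}
    icmp_type: int = 0

@dataclass
class Session:
    client: str                      # the side the ACL decided the session originates from
    state: str                       # key into TIMEOUTS
    last_seen: float
    fins: set = field(default_factory=set)

class AclSessionTable:
    """policy(proto, client_ip, server_ip, dport) -> "Accept" | "Drop" is a constructed callback."""
    def __init__(self, policy, start_time=0.0, learning_period=600, mid_flow_mode="Drop"):
        self.policy = policy
        self.learning_ends = start_time + learning_period
        self.mid_flow_mode = mid_flow_mode   # TCP Mid Flow Mode: "Drop" or "Allow"
        self.sessions = {}

    @staticmethod
    def key(p):
        # Direction-independent 5-tuple so that both halves of a flow share one entry.
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def _expire(self, k, now):
        s = self.sessions.get(k)
        if s is not None and now - s.last_seen > TIMEOUTS[s.state]:
            del self.sessions[k]             # idle or closed session is discarded
            return True
        return False

    def _open(self, k, p, now, verdict, state):
        if verdict != "Accept":
            return "DROP"                    # nothing to track for a dropped session
        self.sessions[k] = Session(p.src, state, now)
        return "ACCEPT"

    def process(self, p, now):
        """Return "ACCEPT" or "DROP" for one packet and update the session table."""
        k = self.key(p)
        timed_out = self._expire(k, now)
        s = self.sessions.get(k)
        learning = now < self.learning_ends
        verdict = self.policy(p.proto, p.src, p.dst, p.dport)

        if s is not None:                    # known session: advance its state machine
            s.last_seen = now
            if p.proto == "TCP":
                if "RST" in p.flags:
                    s.state = "RST"
                elif "FIN" in p.flags:
                    s.fins.add(p.src)
                    if len(s.fins) == 2:     # FIN seen from client and from server
                        s.state = "FIN"
                elif s.state == "HANDSHAKE" and "ACK" in p.flags and "SYN" not in p.flags:
                    s.state = "ESTABLISHED"
            return "ACCEPT"

        if p.proto == "TCP":
            if "SYN" in p.flags and "ACK" not in p.flags:
                # Direction comes from the first SYN; the policy applies even while learning.
                return self._open(k, p, now, verdict, "HANDSHAKE")
            if timed_out or (not learning and self.mid_flow_mode == "Drop"):
                return "DROP"                # out-of-state packet (Mid Flow Mode = Drop)
            # Mid-flow session: accepted during learning, otherwise the policy decides (Allow).
            return self._open(k, p, now, "Accept" if learning else verdict, "ESTABLISHED")

        if p.proto == "ICMP":
            if p.icmp_type in ICMP_REQUESTS:
                # Direction is the request side; the policy applies even while learning.
                return self._open(k, p, now, verdict, "ICMP")
            # A reply with no matching request is unsolicited: accepted only while learning.
            return self._open(k, p, now, "Accept", "ICMP") if learning else "DROP"

        # UDP and other IP protocols: direction is the first packet of the flow.
        state = "UDP" if p.proto == "UDP" else "OTHER"
        return self._open(k, p, now, "Accept" if learning else verdict, state)
```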

Configuring ACL Policy Rules


Configure ACL policy rules to create a flexible and focused stateful access-control policy.
You can activate and de-activate rules using predefined event schedules. For more information
about configuring event schedules, see Configuring the Device Event Scheduler, page 101.
Before you configure ACL rules, ensure that you have configured classes for the networks, physical
port groups, and VLAN tag groups that you want to use in the rules. For more information, see
Managing Classes, page 249.

To configure an ACL policy rule

1. In the Configuration perspective ACL tab navigation pane, select ACL Policies > Modify
Policy.
2. To add or modify a policy rule, do one of the following:

To add a rule, click the (Add) button.


To edit a rule, double-click the entry in the table.
3. Configure the parameters.
4. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more
information, see Updating Policy Configurations on a DefensePro Device, page 274.

Table 116: ACL Rule Parameters

Parameter Description
Identification
Rule Name The name of the rule, up to 50 characters.
Rule Index The index number for the rule. DefensePro examines policy rules
according to the ascending order of index numbers.
Values: 14,294,967,295
Enabled When selected, the rule is active.
Description The user-defined description of the rule.
Activate Schedule The predefined event schedule that activates the policy.
Default: None
De-activate Schedule The predefined event schedule that de-activates the policy.
Default: None
Report Specifies whether the device issues traps for the rule.
Classification
Protocol The protocol of the traffic that the policy inspects.
Values:
Any
ICMP
Other
TCP
UDP
Default: Any

Source The existing source Network class of the packets that the policy
inspects.
Values:
The Network classes displayed in the Classes tab
any
any_ipv4
any_ipv6
None
Default: any
Destination The existing destination Network class of the packets that the policy
inspects.
Values:
The Network classes displayed in the Classes tab
any
any_ipv4
any_ipv6
None
Default: any
Physical Port Group The Physical Port class or physical port that the rule uses.
Values:
A Physical Port class displayed in the Classes tab
The physical ports on the device
None
VLAN Tag Group The existing VLAN Tag class for the rule.
Values:
The VLAN Tag classes displayed in the Classes tab
None
Default: None
Service (This parameter is available only when TCP or UDP is selected for the Protocol parameter.) The Service for the rule. Services characterize traffic based on Layer 3–7 criteria. A Service is a configuration of a basic filter, which may combine with logical operators to achieve more sophisticated filters (AND Group filters and OR Group filters). You can choose from a long list of predefined basic filters.

Action The action that the policy takes on packets that match the
classification.
Values:
Accept
Drop
Drop + RST Source
Default: Accept

ICMP Flags
ICMP Flags The ICMP flags in the packets that the policy inspects. DefensePro inspects only the packets with the selected flags. You can specify ICMP flags only when ICMP is the specified protocol.
Values:
Source Quench
TIME STAMP
Information
Address Mask
Alternate Host Address
Domain
Router Advertisement
Router Solicitation
Destination Unreachable
REDIRECT
Time Exceeded
Parameter Problem
Echo
Packet Too Big
Home Agent

Viewing Active ACL Policy Rules


You can view the active rules in the ACL policy configured on the device.

To view the active ACL rule configuration

In the Configuration perspective Classes tab navigation pane, select ACL Policies > Active
Policy.
The table displays details of the current ACL rules configured on the device. For information
about ACL rule parameters, see Configuring ACL Policy Rules, page 233.



Chapter 6 Bandwidth Management
This chapter describes the Bandwidth Management module.
This chapter contains the following sections:
Bandwidth Management Overview, page 237
Managing Bandwidth Management Global Settings, page 238
Bandwidth Management Policies, page 240
Port Bandwidth, page 248

Bandwidth Management Overview


The Bandwidth Management module includes a feature set that enables you to gain full control over your available bandwidth. Using these features, you can prioritize applications according to a wide array of criteria, while taking the bandwidth used by each application into account. For example, Bandwidth Management allows you to give HTTP traffic priority over SMTP traffic, which, in turn, may have priority over FTP traffic. At the same time, a Bandwidth Management solution can track the actual bandwidth used by each application, and either ensure a guaranteed bandwidth for a certain application and/or set limits as to how much each classified traffic pattern can utilize.
The Bandwidth Management module enables you to define policies that restrict or maintain the bandwidth that can be sent or received by each application, user, or segment. Therefore, you can control the maximal bandwidth that DoS attacks can consume from corporate resources, thus ensuring that mission-critical operations are not affected and maintaining the service level required to guarantee smooth business operation. In a similar manner, if you are a carrier, you can ensure that a DoS attack launched on one customer does not compromise another customer's Service License Agreement (SLA).
Using the Bandwidth Management module, a device can classify traffic passing through it according to predefined criteria and can enforce a set of actions on traffic. A comprehensive set of user-configurable policies controls how the device identifies each packet and what it does with each packet.
When a packet is matched, the device forwards the packet, but drops the packet when the maximum bandwidth is reached.

Application Classification
The BWM module supports the following options for Application Classification:
Per Packet – If you configure Application Classification with the Per Packet option, the device classifies every packet that flows through it. In this mode, every single packet must be individually classified.
Per Session – If you configure Application Classification with the Per Session option, all packets are classified by session. The BWM module uses a complex algorithm to classify all packets in a session until a best fit policy is found, fully classifying the session. Once the BWM module fully classifies the session, the module classifies all packets belonging to the same session accordingly. This not only allows for traffic classification according to application, but also saves some overhead for the classifier, as it only needs to classify sessions, and not every single packet.
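The two Application Classification options, modelled in Python as an added example that is not Radware code; it also applies the Max Packets for Session Classification limit described in Table 117 (counted per direction, TCP handshake packets excluded, 0 meaning search every packet). The Packet and Policy representations, the first-match policy order and the reading that the search stops once both directions reach the limit are assumptions.

```python
"""Model of the BWM Application Classification modes described above: Per Packet
classification versus Per Session classification, which searches for policy content only
up to Max Packets for Session Classification data packets per direction (TCP handshake
packets not counted).  Added example, not Radware code; the policy representation and
the per-direction limit reading are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""
    handshake: bool = False          # TCP SYN / SYN-ACK / ACK of the three-way handshake


@dataclass(frozen=True)
class Policy:
    name: str
    dport: Optional[int] = None      # None matches any port
    content: Optional[bytes] = None  # Content/OMPC-style payload match; None = no content search


@dataclass
class SessionState:
    client: str
    final: Optional[str] = None      # policy name once the session is fully classified
    counted: dict = field(default_factory=lambda: {"request": 0, "reply": 0})


class Classifier:
    """Policies are ordered most specific first, because the first match wins (constructed)."""

    def __init__(self, policies, mode="Per Session", max_packets=5):
        self.policies = list(policies)
        self.mode = mode
        self.max_packets = max_packets   # 0 = search every packet of the session
        self.sessions = {}

    @staticmethod
    def key(p):
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    @staticmethod
    def _port_ok(pol, p):
        return pol.dport is None or pol.dport in (p.sport, p.dport)

    def _best_fit(self, p):
        """Best fit without content: the first port-only policy matching the packet."""
        for pol in self.policies:
            if pol.content is None and self._port_ok(pol, p):
                return pol.name
        return "default"

    def classify_packet(self, p):
        """Per Packet mode: each packet is matched on its own, content included."""
        for pol in self.policies:
            if self._port_ok(pol, p) and (pol.content is None or pol.content in p.payload):
                return pol.name
        return "default"

    def classify(self, p):
        if self.mode == "Per Packet":
            return self.classify_packet(p)
        s = self.sessions.setdefault(self.key(p), SessionState(client=p.src))
        if s.final:
            return s.final                    # fully classified: same answer for every packet
        if p.handshake or not p.payload:
            return self._best_fit(p)          # no Layer 4 data: neither counted nor searched
        direction = "request" if p.src == s.client else "reply"
        s.counted[direction] += 1
        within_limit = self.max_packets == 0 or s.counted[direction] <= self.max_packets
        if within_limit:
            for pol in self.policies:
                if pol.content is not None and self._port_ok(pol, p) and pol.content in p.payload:
                    s.final = pol.name        # a content match fully classifies the session
                    return s.final
        if self.max_packets and all(n >= self.max_packets for n in s.counted.values()):
            s.final = self._best_fit(p)       # limit reached in both directions: stop searching
        return s.final or self._best_fit(p)


# Constructed policy set: the content policy precedes the port-only policy for the same port.
POLICIES = (
    Policy("web-video", dport=80, content=b"Content-Type: video/"),
    Policy("web", dport=80),
    Policy("dns", dport=53),
)
```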

Classification Mode
The BWM module supports the following classification modes:
Policies – The device classifies each packet or session by matching it to policies configured by the user.
Diffserv – The device classifies packets only by the Differentiated Services Code Point (DSCP) value.
ToS – The device classifies packets only by the ToS (Type of Service) bit value.

Managing Bandwidth Management Global Settings


Before setting up Bandwidth Manager policies, you need to define the general bandwidth
management parameters.

To configure the BWM global settings

1. In the Configuration perspective BWM tab navigation pane, select Global Settings.

2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 117: BWM Global Settings

Parameter Description
Global Settings
Classification Mode The classification to be used.
Values:
Diffserv – The device classifies packets only by the DSCP (Differentiated Services Code Point) value.
Disabled – No classification. The BWM feature is disabled.
Policies – The device classifies each packet according to various policies configured by the user. The policies can use parameters such as source and destination IP addresses, application, and so on. If required, the DSCP field in the packets can be marked according to the policy the packet matches.
ToS – The device classifies packets only by the ToS (Type of Service) bits value.
Default: Disabled
Note: If you change the value for this parameter, you must reset the device.

Application Classification
    The type of application classification.
    Session classification ends when any of the following occurs:
    - Each packet of the session has been classified, up to the number of Max Packets for
      Session Classification.
    - There is a match based on Force Best Fit.
    - There is a match with a policy's Content/OMPC definitions.
    Values:
    - Per Session: Packets are classified by session. All packets in a session are classified
      until a best-fit policy is found, fully classifying the session. Once the session is fully
      classified, all packets belonging to the same session are classified accordingly.
    - Per Packet: The device classifies every packet that flows through it.
    Default: Per Session

Bandwidth per Traffic Flow Aging
    The time, in seconds, that the device keeps a non-active traffic flow in the Bandwidth per
    Traffic Flow Sessions Tracking table.
    Default: 20

Max Packets for Session Classification
    When the Application Classification mode is Per Session and one of the policies is configured
    to search for content, this parameter specifies the maximum number of packets in which the
    device searches for the configured content. If the device does not find the content within
    the configured number of packets, it stops searching for the content in the session.
    Max Packets for Session Classification counts only packets that contain Layer 4 data. For
    TCP, the device does not count the three-way handshake packets.
    The device counts packets in each direction of the session. If the configured value is 5, for
    example, the device counts up to five request packets and up to five reply packets.
    In some cases, such as classifying FTP traffic, the default value should be raised, because
    the searched content may appear after the first five packets.
    Values:
    - 0: The device searches for the content in all the packets belonging to the session.
    - 1-100
    Default: 5

Enable Policy Statistics Monitoring
    Specifies whether the device sends BWM policy statistics.
    Default: Disabled

Policy Statistics Reporting Period
    The interval, in seconds, over which the device collects policy statistics.
    Values: 1-999,999,999
    Default: 60

Forward Reporting to Management System
    Specifies whether the device sends BWM statistics to APSolute Vision.
    Default: Disabled

Report Settings

Reports Start Threshold
    The threshold for starting to send reports about a specific policy. The threshold is a
    percentage of the policy's Maximum Bandwidth. When reporting is enabled and the bandwidth
    consumption reaches the threshold, the device starts sending the reports.
    Values: 1-100
    Default: 95

Reports Termination Threshold
    The threshold for stopping the reports about a specific policy. The threshold is a percentage
    of the policy's Maximum Bandwidth and must be less than or equal to the Reports Start
    Threshold. When reporting is enabled and the bandwidth consumption stays at or below the
    threshold for the Reports Sustained Period, the device stops sending the reports.
    Values: 1-100
    Default: 5

Reports Sustained Period
    The time, in seconds, that the bandwidth consumption must remain at or below the Reports
    Termination Threshold before the device stops sending the reports.
    Values: 1-3,600
    Default: 60
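The interaction between the three report settings is easier to see in code. The following is an added example, not Radware's code: a small state machine for one policy that starts reporting when consumption reaches the start threshold and stops only after consumption has stayed at or below the termination threshold for the whole sustained period, with any burst above that threshold restarting the period. The policy's Maximum Bandwidth, the 10-second sampling interval and the samples themselves are constructed; the product's real sampling cadence is not documented here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def thresholds_valid(start_pct: int, termination_pct: int, sustained_s: int) -> bool:
    """Ranges from the table: thresholds 1-100 with termination <= start, period 1-3600 s."""
    return 1 <= termination_pct <= start_pct <= 100 and 1 <= sustained_s <= 3600


@dataclass
class ReportSettings:
    start_threshold_pct: int = 95          # product default
    termination_threshold_pct: int = 5     # product default
    sustained_period_s: int = 60           # product default

    def __post_init__(self):
        if not thresholds_valid(self.start_threshold_pct, self.termination_threshold_pct,
                                self.sustained_period_s):
            raise ValueError("invalid report settings")


class PolicyReporter:
    """Decides, for one policy, when reports start and stop being sent."""

    def __init__(self, max_bandwidth_kbps: int, settings: ReportSettings):
        self.max_kbps = max_bandwidth_kbps
        self.settings = settings
        self.reporting = False
        self.below_since: Optional[float] = None   # when consumption first dropped to the termination threshold

    def sample(self, t: float, kbps: float) -> Optional[str]:
        """Feed one measurement taken at time t (seconds). Returns "start", "stop" or None."""
        pct = 100.0 * kbps / self.max_kbps
        s = self.settings
        if not self.reporting:
            if pct >= s.start_threshold_pct:                 # reached the start threshold
                self.reporting, self.below_since = True, None
                return "start"
            return None
        if pct <= s.termination_threshold_pct:
            if self.below_since is None:
                self.below_since = t
            elif t - self.below_since >= s.sustained_period_s:   # held for the whole period
                self.reporting, self.below_since = False, None
                return "stop"
        else:
            self.below_since = None                          # a burst above the threshold restarts the period
        return None


def run(samples: List[Tuple[float, float]], max_kbps: int,
        settings: ReportSettings) -> List[Tuple[float, str]]:
    """Replay (time, kbps) samples for one policy and return the report events."""
    reporter = PolicyReporter(max_kbps, settings)
    events = []
    for t, kbps in samples:
        event = reporter.sample(t, kbps)
        if event:
            events.append((t, event))
    return events


# Constructed measurements every 10 s for a policy whose Maximum Bandwidth is 10,000 Kbit/s.
# The dip at t=30-40 s is interrupted by an 8% sample at t=50, so the sustained period only
# starts counting again at t=60.
DEMO_SAMPLES = [(0, 2000), (10, 9600), (20, 9700), (30, 300), (40, 200), (50, 800),
                (60, 100), (70, 100), (80, 100), (90, 100), (100, 100), (110, 100), (120, 100)]

if __name__ == "__main__":
    print(run(DEMO_SAMPLES, 10000, ReportSettings()))    # [(10, 'start'), (120, 'stop')]
```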

Bandwidth Management Policies


This section describes Bandwidth Management policies and contains the following topics:
- Bandwidth Management Policy Mechanism, page 240
- Bandwidth Management Classification Criteria, page 241
- Bandwidth Management Rules, page 242
- Managing Bandwidth Management Policies, page 243

Bandwidth Management Policy Mechanism


The policy mechanism enables you to classify and manage the bandwidth on the traffic passing
through the device.
A policy consists of a set of conditions (classification criteria) and a set of actions that apply as a
consequence of the conditions being matched.


Bandwidth Management Classification Criteria


You can use an object (for example, a network object) that you have already configured, or you can
add an IP address manually. Radware recommends that you work with objects that you have already
configured.
A policy includes the following traffic classification criteria:
- Source: Specifies the source of the traffic. This can be specific IP addresses, a range of IP
  addresses, or an IP subnet address. You should first configure Networks. The default value is
  any, which covers traffic from any source.
- Destination: Specifies the destination of the traffic. This can be specific IP addresses, a
  range of IP addresses, or an IP subnet address. The default value is any, which covers traffic
  to any destination.

  Note: To limit or block access to the device's interface, type the IP address of the interface
  in the Destination box.

- Direction: Setting the direction mode to One Way enables asymmetric BWM. When a policy is set
  to One Way, the classifier searches for traffic in one direction only; with Two Way, the device
  searches both directions. When a rule is set to One Way, the device classifies only one
  direction of the traffic and the return traffic is not classified. When a rule is set to Two
  Way, on the way back the device swaps the source and destination IP addresses and ports (when
  the rule is a Layer 4 or Layer 7 rule) before matching.
- Service: Specifies the traffic type. The Service configured per policy allows the policy to
  consider other aspects of the packet, such as the protocol (IP/TCP/UDP), TCP/UDP port numbers,
  bit patterns at any offset in the packet, and actual content (such as URLs or cookies) deep in
  the upper layers of the packet. Available Services are very granular. The default value is
  None, which covers all protocols.
- Inbound Physical Port Group: Classifies only traffic received on certain interfaces of the
  device. Enables you to set different policies to identify traffic classes that are received on
  different interfaces of the device.
- VLAN Tag Group: Specifies VLAN traffic classification according to VLAN ID (VLAN Identifier)
  tags.
- Traffic Flow Identification: Specifies the type of traffic flow that this policy limits. The
  available options are:
  - Client (source IP)
  - Session (source IP and port)
  - Connection (source IP and destination IP)
  - Full L4 Session (source and destination IP and port)
  - Session Cookie (a cookie identifier must be configured)
- Cookie Field Identifier: A string that identifies the cookie field whose value is used to
  distinguish the traffic flows.

  Note: This is required only when Traffic Flow Identification is set to Session Cookie. In that
  case, the BWM classifier searches for the Cookie Field Identifier followed by an equal sign (=)
  and classifies flows according to the value that follows.


Example
If you have the following rule:
  Source: IP_A
  Destination: IP_B
  Service: HTTP
  Direction: One Way
only traffic with source IP IP_A and destination IP IP_B, source port X and destination port 80,
is classified. The return packet, with source IP IP_B and destination IP IP_A, source port 80 and
destination port X, is not classified.

Example
If you have the following rule:
  Source: NET_A
  Destination: NET_B
  Service: HTTP
  Direction: Two Way
a packet with a source IP in NET_A and a destination IP in NET_B carrying an HTTP request is
matched, while a packet with a source IP in NET_B and a destination IP in NET_A carrying an HTTP
request is not matched, even though the rule is set to Two Way. Two Way covers the return traffic
of a matched session, not new sessions opened in the opposite direction.

Bandwidth Management Rules


Once the traffic is classified and matched to a policy, the Bandwidth Management rules can be
applied to the policy.

Priority
The packet is classified according to the configured priority. There are nine (9) options available:
real-time forwarding and priorities 0 through 7.

Guaranteed Bandwidth
You can configure the policy to guarantee a minimum bandwidth. The BWM module will not allow
packets that were classified through this policy to exceed this allotted bandwidth, unless borrowing
is enabled. Note that the maximum bandwidth configured for the entire device overrides per-policy
bandwidth configurations. That is, the sum of the guaranteed bandwidth for all the policies cannot
exceed the total device bandwidth.

Max Concurrent Sessions
The Max Concurrent Sessions allowed for the BWM policy.

Packet Marking
Packet Marking refers to Differentiated Services Code Point (DSCP) or Diffserv. It enables the device
to mark the packet with a range of bits.


Policy Index
The policy order, or index, is a number that determines the position of the policy in the policy
database. When the classifier receives a packet, it tries to find a policy that matches the packet.
The classifier searches the policy database starting with policy #1 and continuing in ascending
index order. Once a policy is matched, the search stops. Because of this logic, the very last
policy should be the policy that is enforced on all packets that do not match any other policy.
In other words, the last configured policy should be the default policy.
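The two direction examples from the classification criteria and the first-match search described under Policy Index, as an added example that is not Radware's code. The policy table, the addresses standing in for IP_A, IP_B, NET_A and NET_B, and the reduction of the Service to a TCP destination port are constructed; the real classifier also consults port groups, VLAN tags and the full Service definition. The caller tells the lookup whether a packet flows in the return direction of an established session, which the device learns from its own session tracking.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass
class Policy:
    index: int
    name: str
    source: ipaddress.IPv4Network = ANY
    destination: ipaddress.IPv4Network = ANY
    service_port: Optional[int] = None     # stands in for the Service; None covers all traffic
    direction: str = "Two Way"


def reverse(f: Flow) -> Flow:
    """The return packet as the device sees it: source and destination IPs and ports swapped."""
    return Flow(f.dst_ip, f.src_ip, f.dst_port, f.src_port)


def forward_match(p: Policy, f: Flow) -> bool:
    return (ipaddress.ip_address(f.src_ip) in p.source
            and ipaddress.ip_address(f.dst_ip) in p.destination
            and (p.service_port is None or f.dst_port == p.service_port))


def matches(p: Policy, f: Flow, is_return_packet: bool) -> bool:
    """A packet in the session's original direction is matched as-is. A packet flowing
    back in an established session matches only a Two Way policy, and only after its
    addresses and ports are swapped."""
    if not is_return_packet:
        return forward_match(p, f)
    return p.direction == "Two Way" and forward_match(p, reverse(f))


def lookup(policies: List[Policy], f: Flow, is_return_packet: bool = False) -> str:
    """Search from policy #1 upwards; the first match wins, so the last policy must be the catch-all."""
    for p in sorted(policies, key=lambda x: x.index):
        if matches(p, f, is_return_packet):
            return p.name
    raise LookupError("no policy matched: the last policy should be a default that matches everything")


# Constructed policy table. IP_A/IP_B and NET_A/NET_B follow the examples in the text.
IP_A, IP_B = "192.0.2.10", "198.51.100.20"
NET_A, NET_B = ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16")
POLICIES = [
    Policy(1, "web-A-to-B-oneway", ipaddress.ip_network(IP_A + "/32"),
           ipaddress.ip_network(IP_B + "/32"), service_port=80, direction="One Way"),
    Policy(2, "web-NETA-to-NETB", NET_A, NET_B, service_port=80, direction="Two Way"),
    Policy(3, "all-NETA-to-NETB", NET_A, NET_B),     # broader than #2, so it must come after it
    Policy(4, "default"),                            # catch-all, deliberately last
]

if __name__ == "__main__":
    print(lookup(POLICIES, Flow(IP_A, IP_B, 40000, 80)))                          # web-A-to-B-oneway
    print(lookup(POLICIES, Flow(IP_B, IP_A, 80, 40000), is_return_packet=True))   # default
    print(lookup(POLICIES, Flow("10.2.9.9", "10.1.5.5", 51000, 80)))              # default
```

If policy #3 were placed before #2, HTTP traffic from NET_A to NET_B would never reach the HTTP-specific policy; ordering from most specific to least specific, with the default last, is what the Policy Index paragraph requires.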

Managing Bandwidth Management Policies


You can view the configuration of active BWM policies, as well as configure new ones.
The policy database comprises two sections. The first section is the temporary or inactive portion.
You can alter and configure these policies without affecting the current operation of the device. As
these policies are adjusted, the changes do not take effect unless the inactive database is activated.
The activation updates the active policy database, which is what the device uses to filter the packets
that flow through it.
This section contains the following topics:
- Configuring BWM Policies, page 243
- Viewing the Configuration of Active BWM Policies, page 247

Configuring BWM Policies

To configure a BWM policy

1. In the Configuration perspective BWM tab navigation pane, select Modify Policies.

Note: The pane is displayed with a table comprising a column for each BWM Rule
parameter. To define the columns, right-click the table heading row, and select or
deselect the relevant values.

2. To add or modify a BWM policy rule, do one of the following:
   - To add an entry to the table, click Add.
   - To edit an entry in the table, double-click the entry.
3. Configure the parameters and click OK.
4. To activate your changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more
information, see Updating Policy Configurations on a DefensePro Device, page 274.


Table 118: BWM Rule Parameters

Identification

Name
    The user-defined name of the policy.
    Values: 1-100,000
    Note: This value is read-only after creation.

Index
    The index number of the policy.

Description
    A description of the policy.

Enable Policy
    Specifies whether the policy is enabled.
    Values:
    - Enabled: When BWM policies are updated, this policy is matched against packets.
    - Disabled: When BWM policies are updated, this policy is not matched against packets.
    Default: Enabled

Report
    Specifies whether the device issues traps for the rule.

Activate Schedule
    The Event Schedule for activation of the policy.
    Note: The schedule must already be configured.

De-activate Schedule
    The Event Schedule for de-activation of the policy.
    Note: The schedule must already be configured.

Classification

Source Network
    The source of the packets that the rule uses.
    Values:
    - A Network class displayed in the Classes tab
    - An IP address
    - any
    Default: any

Destination Network
    The destination of the packets that the rule uses.
    Values:
    - A Network class displayed in the Classes tab
    - An IP address
    - any
    Default: any

Port Group
    The Physical Port class or physical port that the rule uses.
    Values:
    - A Physical Port class displayed in the Classes tab
    - The physical ports on the device
    - None
    Default: None

VLAN Tag Group
    The VLAN Tag class that the rule uses.
    Values:
    - A VLAN Tag class displayed in the Classes tab
    - None
    Default: None

Service Type
    The type of Service (filter).
    Values:
    - None
    - Basic Filter
    - AND Group
    - OR Group
    Default: None
    Note: For more information, see Configuring Service Classes, page 251.

Service Name
    The name of the service required for this policy, based on the Service Type.

Direction
    The direction of the traffic to which the rule relates.
    Values:
    - One Way: The rule applies to sessions originating from sources to destinations that match
      the network definitions of the policy.
    - Two Way: The rule applies to both directions of sessions that match the network definitions
      of the policy.
    Default: Two Way

Action

Guaranteed Bandwidth
    The guaranteed bandwidth, in Kbit/s, for packets matching this policy.
    Default: 0
    Note: The value for Guaranteed Bandwidth must be less than or equal to the value for Maximum
    Bandwidth.

Maximum Bandwidth
    The maximum bandwidth, in Kbit/s, for packets matching this policy.
    Values:
    - Unlimited
    - 0: The rule drops all matching packets
    - 1-8,000,000

Priority
    The priority with which matching packets are forwarded.
    Values:
    - Real Time
    - 0-7, where 7 is the lowest priority
    Default: Real Time

Per Traffic Flow

Traffic Flow Identification
    The type of traffic flow that this policy manages.
    Values:
    - None
    - Client: Source IP
    - Session: Source IP and port
    - Connection: Source IP and destination IP
    - Full L4 Session: Source and destination IP and port
    - Session Cookie: A cookie identifier must be configured
    - SIP Call ID

Traffic Flow Maximum Bandwidth
    The maximum bandwidth, in Kbit/s, allowed per traffic flow.

Force Best Fit
    Specifies whether the device classifies traffic according to Best Fit as opposed to First Fit.
    Values:
    - Enabled: The traffic is classified per packet instead of per session.
    - Disabled: The traffic is classified directly from the policy.
    Default: Disabled

Cookie Field Identifier
    (This parameter is displayed only when Traffic Flow Identification is set to Session Cookie.)
    A string that identifies the cookie field whose value is used to distinguish the traffic
    flows. When Traffic Flow Identification is set to Session Cookie, the BWM classifier searches
    for the Cookie Field Identifier followed by = and classifies flows according to the value. For
    example, if the Cookie Field Identifier is name, all sessions that carry name=a share the
    configured maximum bandwidth, and all sessions that carry name=b share the configured maximum
    bandwidth.

Packet Marking Type
    Marks the packet with the bits selected in the drop-down list.
    Values:
    - None: No marking
    - DSCP: Differentiated Services Code Point
    - ToS: Type of Service
    Default: None

Packet Marking Value
    The Packet Marking value.
    Values:
    - None
    - 0-63: For DSCP
    - 0-7: For ToS
    Default: None

Advanced

Maximum Concurrent Sessions
    The maximum number of concurrent sessions allowed for a client IP address.
    Default: 0
    Note: This option is not available if the Traffic Flow Identification is set to Session or
    Full L4 Session.

Maximum HTTP Requests Per Second
    The maximum number of HTTP requests (for example GET, POST, or HEAD) per second per traffic
    flow. The device can enforce this limit only when Traffic Flow Identification is not None and
    Traffic Flow Maximum Bandwidth is not 0.
    Default: 0
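An added example, not Radware's code, showing how each Traffic Flow Identification value in the table above maps a packet to the key whose traffic shares one Traffic Flow Maximum Bandwidth, how the Cookie Field Identifier is used to extract that key from an HTTP request, and a per-flow token bucket that enforces the limit. The HTTP requests, addresses and limiter parameters are constructed. The cookie lookup accepts whole cookie names only, which is stricter than the plain "identifier followed by =" search the text describes and is my assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes = b""


def cookie_value(payload: bytes, field_name: str) -> Optional[str]:
    """Return the value that follows "<field_name>=" in the request's Cookie header.

    Only whole cookie names are accepted (assumption), so an identifier of "name"
    does not match "username=...". Returns None when no such cookie is present."""
    head, _, _ = payload.partition(b"\r\n\r\n")              # HTTP header block only
    for line in head.split(b"\r\n"):
        if not line.lower().startswith(b"cookie:"):
            continue
        for part in line[len(b"cookie:"):].split(b";"):
            name, eq, value = part.strip().partition(b"=")
            if eq and name.decode("latin-1") == field_name:
                return value.decode("latin-1")
    return None


def flow_key(pkt: Packet, identification: str, cookie_field: Optional[str] = None) -> Optional[Tuple]:
    """Map a packet to the key whose packets share one Traffic Flow Maximum Bandwidth."""
    if identification == "None":
        return None
    if identification == "Client":
        return (pkt.src_ip,)
    if identification == "Session":
        return (pkt.src_ip, pkt.src_port)
    if identification == "Connection":
        return (pkt.src_ip, pkt.dst_ip)
    if identification == "Full L4 Session":
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
    if identification == "Session Cookie":
        if not cookie_field:
            raise ValueError("Session Cookie requires a Cookie Field Identifier")
        value = cookie_value(pkt.payload, cookie_field)
        return ("cookie", cookie_field, value) if value is not None else None
    raise ValueError(f"unknown Traffic Flow Identification: {identification}")


class PerFlowLimiter:
    """One token bucket per flow key, refilled at Traffic Flow Maximum Bandwidth (Kbit/s)."""

    def __init__(self, max_kbps: int, burst_bytes: int = 1500):
        self.rate_bytes_per_s = max_kbps * 1000 / 8
        self.burst = burst_bytes
        self.buckets: Dict[Tuple, Tuple[float, float]] = {}   # key -> (tokens, last update)

    def admit(self, key: Optional[Tuple], nbytes: int, now: float) -> bool:
        if key is None:
            return True                                      # no per-flow limit applies
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate_bytes_per_s)
        if nbytes <= tokens:
            self.buckets[key] = (tokens - nbytes, now)
            return True
        self.buckets[key] = (tokens, now)                    # over the limit: not admitted
        return False


# Constructed HTTP requests from four clients to one server.
SERVER = "10.9.9.9"
REQ_A1 = Packet("10.0.0.1", SERVER, 40001, 80,
                b"GET / HTTP/1.1\r\nHost: shop.example\r\nCookie: lang=en; name=a\r\n\r\n")
REQ_A2 = Packet("10.0.0.2", SERVER, 40002, 80,
                b"GET /cart HTTP/1.1\r\nHost: shop.example\r\nCookie: name=a; theme=dark\r\n\r\n")
REQ_B = Packet("10.0.0.3", SERVER, 40003, 80,
               b"GET / HTTP/1.1\r\nHost: shop.example\r\nCookie: username=zed; name=b\r\n\r\n")
REQ_NOCOOKIE = Packet("10.0.0.4", SERVER, 40004, 80, b"GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n")


def demo_shared_budget() -> List[bool]:
    """Clients carrying name=a share one budget; name=b gets its own bucket."""
    limiter = PerFlowLimiter(max_kbps=8, burst_bytes=1500)      # 8 Kbit/s = 1000 bytes/s
    key = lambda pkt: flow_key(pkt, "Session Cookie", "name")
    return [limiter.admit(key(REQ_A1), 1000, now=0.0),          # True: bucket a starts full (1500)
            limiter.admit(key(REQ_A2), 1000, now=0.0),          # False: bucket a has 500 left
            limiter.admit(key(REQ_B), 1000, now=0.0),           # True: bucket b is separate
            limiter.admit(key(REQ_A2), 1000, now=1.0)]          # True: bucket a refilled to 1500

if __name__ == "__main__":
    print(demo_shared_budget())
```

Note that a request without the configured cookie yields no key and is therefore not rate limited per flow; a policy that relies on Session Cookie should be paired with a policy that catches cookie-less traffic if that matters.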

Viewing the Configuration of Active BWM Policies

To view the configuration of an active BWM policy

1. In the Configuration perspective BWM tab navigation pane, select Active Policies. The pane is
   displayed with a read-only table listing all the active BWM policies.

   Note: The table comprises a column for each BWM Rule parameter. To define the columns,
   right-click the table heading row, and select or deselect the relevant values.

2. To view the configuration of a specific active BWM policy rule (read-only), double-click the
   entry in the table.
3. View the parameters and click OK to close the dialog box.

Table 119: Active BWM Rule Parameters

Identification

Name: The user-defined name of the policy.
Index: The index number of the policy.
Description: A description of the policy.
Report: Specifies whether the device issues traps for the rule.
Activate Schedule: The Event Schedule for activation of the policy.
De-activate Schedule: The Event Schedule for de-activation of the policy.

Classification

Source Network: The source of the packets that the rule uses.
Destination Network: The destination of the packets that the rule uses.
Port Group: The Physical Port class that the rule uses.

VLAN Tag Group: The VLAN Tag class that the rule uses.
Service Type: The type of Service (filter). For more information, see Managing Classes, page 249.
Service Name: The name of the service required for this policy, based on the Service Type.
Direction: The direction of the traffic to which the rule relates.

Action

Guaranteed Bandwidth: The guaranteed bandwidth, in Kbit/s, for packets matching this policy.
Maximum Bandwidth: The maximum bandwidth, in Kbit/s, for packets matching this policy.
Priority: The priority with which matching packets are forwarded.

Per Traffic Flow

Traffic Flow Identification: The type of traffic flow that this policy manages.
Traffic Flow Maximum Bandwidth: The maximum bandwidth, in Kbit/s, allowed per traffic flow.
Force Best Fit: Specifies whether the device classifies traffic according to Best Fit as opposed
to First Fit.
Cookie Field Identifier: A string that identifies the cookie field whose value is used to
distinguish the traffic flows.
Packet Marking Type: The marking (DSCP or ToS) applied to the packet.
Packet Marking Value: The Packet Marking value.
Maximum Concurrent Sessions: The maximum number of concurrent sessions allowed for a client IP
address.

Port Bandwidth
To optimize the queuing algorithm, the BWM module must know the maximum available bandwidth on the
ports. This is configured in the BWM Port Bandwidth table. By default, the maximum available
throughput is determined by the port type: 100 Mbit/s for Fast Ethernet ports and 1 Gbit/s for
Gigabit Ethernet ports. The priority mechanism only begins to function when the link is saturated,
and the configured maximum throughput is the only way the device can tell that the link is
saturated. If the configured value exceeds the bandwidth actually available on the path, the
device does not detect saturation and the priority mechanism does not engage.

To define a maximum available bandwidth for a port

1. In the Configuration perspective BWM tab navigation pane, select Ports Bandwidth Table.
2. Double-click the port whose maximum available bandwidth you want to define.
3. In the Port Bandwidth text box, type the required value.
4. Click OK.

Chapter 7 Managing Classes
This chapter contains the following sections:
- Configuring Network Classes, page 249
- Configuring Service Classes, page 251
- Configuring Application Classes, page 258
- Configuring Physical Port Classes, page 259
- Configuring VLAN Tag Classes, page 260
- Configuring MAC Address Classes, page 261
- Viewing Active Class Configurations, page 261
- Configuring MPLS RD Groups, page 264

Classes define groups of elements of the same type of entity.

You can configure classes based on the following:
- Networks: to classify traffic in a Network Protection policy/rule or a bandwidth management
  rule.
- Services: to classify traffic based on criteria for Layers 3-7. A Service is a configuration
  of a basic filter, which may be combined with logical operators to achieve more sophisticated
  filters (AND Group filters and OR Group filters).
- Application ports: to define or modify applications based on Layer 4 destination ports.
- Physical device ports: to classify traffic in a network-protection rule or a bandwidth
  management rule.
- VLAN tags: to classify traffic in a Network Protection policy/rule or a bandwidth management
  rule.
- MAC addresses: to classify traffic whose source or destination is a transparent network
  device.
- MPLS RDs: to classify traffic in a Network Protection policy/rule.

After you create or modify a class, the configuration is saved in the APSolute Vision database. You
must activate the configuration to download it to the device. You can also view the current class
configurations on your device. After creation, you cannot modify the name of a class, or the
configuration of application, MAC, or physical port classes.

Configuring Network Classes


A network class is identified by a name and defined by a network address and mask, or by a range
of IP addresses (from-to). For example, network net1 can be 10.0.0.0/255.0.0.0 and network net2
can be from 10.1.1.1 to 10.1.1.7; alternatively, network net1 can be 1234::0/32 and network net2
can be from 1234::0 to 1234:FFFF:FFFF:FFFF. The Network list allows either configuration.
Using classes allows you to define a network comprised of multiple subnets and/or IP ranges, all
identified with the same class name. For example, network net1 can be 10.0.0.0/255.255.255.0 and
10.1.1.1 to 10.1.1.7.


You can use network classes in the following:
- Black lists
- White lists
- Network-protection policies/rules to match source or destination traffic

  Note: APSolute Vision often uses the term rule (or rules), whereas DefensePro uses the
  term policy (or policies).

- Bandwidth management rules

To configure a network class

1. In the Configuration perspective Classes tab navigation pane, select Modify Configuration >
Networks.
2. To add or modify a network class, do one of the following:
   - To add a class, click Add.
   - To edit a class, double-click the entry in the table.
3. Configure the network class parameters.
4. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more
information, see Updating Policy Configurations on a DefensePro Device, page 274.

Table 120: Network Class Parameters

Network Name
    The name of the network class.
    The network name is case-sensitive.
    The network name cannot be an IP address.

Network Type
    Values: IPv4, IPv6

Entry Type
    Whether the network is defined by a subnet and mask, or by an IP range.
    Values: IP Mask, IP Range

Network Address (IP Mask entries only)
    The network address.

Mask (IP Mask entries only)
    The mask of the subnet, which you can enter in either of the following ways:
    - A subnet mask in dotted decimal notation, for example, 255.0.0.0 or 255.255.0.0.
    - An IP prefix, that is, the number of mask bits, for example, 8 or 16.

From IP (IP Range entries only)
    The first IP address in the range.

To IP (IP Range entries only)
    The last IP address in the range.

Configuring Service Classes


The ACL and BWM modules can use Services to filter traffic. Services classify traffic based on
criteria for Layers 3-7. A Service is a configuration of a basic filter, which may be combined
with logical operators to achieve more sophisticated filters (AND Group filters and OR Group
filters). The ACL and BWM modules support a long list of predefined basic filters. A basic filter
includes attributes that specify parameters such as protocol, application port, and content type.
When the protocol of a basic filter is TCP or UDP, the filter can include a text string.
You can configure Services separately from policies. When you configure a policy, you can
associate it with an existing Service.
This section contains the following topics:
- Configuring Basic Filters, page 251
- Configuring AND Group Filters, page 257
- Configuring OR Group Filters, page 257

Configuring Basic Filters


The ACL and BWM modules support an extensive list of predefined basic filters (see Predefined Basic
Filters, page 252). You can also configure your own basic filters.
A basic filter includes the following components:
- Protocol: The specific protocol that the packet must carry. The choices are IP, TCP, UDP, ICMP,
  NonIP, ICMPV6, and SCTP. If the specified protocol is IP, all IP packets (including TCP and
  UDP) are considered.
  When the protocol is TCP or UDP, the following additional parameters are available:
  - Destination Port (From-To): The destination port number for that protocol. For example, for
    HTTP, the protocol would be configured as TCP and the destination port as 80. A range of
    ports can also be configured.
  - Source Port (From-To): Similar to the destination port, the source port that a packet must
    carry in order to match the filter.
- Offset Mask Pattern Condition (OMPC): The OMPC is a means by which any bit pattern can be
  located for a match at any offset in the packet. This can aid in locating specific bits in the
  IP header, for example; the ToS and Diffserv bits are typical cases where an OMPC is useful.
  It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured, the
  packet must match the OMPC in addition to the protocol (and source/destination ports).
- Content Specifications: When the protocol of a basic filter is TCP or UDP, you can search for
  any text string in the packet. Like OMPCs, a text pattern can be searched for at any offset in
  the packet. HTTP URLs are a typical example of how a text search helps in classifying a
  session.


You can choose from the many types of configurable contentfor example, URL, hostname,
HTTP header field, cookie, mail domain, mail subject, file type, regular expression, text, and so
on.
When the content type is URL, for example, the module assumes the session to be HTTP with a
GET, HEAD, or POST method. The module searches the URL following the GET/HEAD/POST to
find a match for the configured text. In this case, the configured offset is meaningless, since the
GET/HEAD/POST is in a fixed location in the HTTP header. If the content type is text, the module
searches the entire packet for the content text, starting at the configured offset.
By allowing a filter to take actual content of a packet/session into account, the module can
recognize and classify a wider array of packets and sessions.
Like OMPCs, Content Rules are not mandatory to configure. However, when a Content Rule
exists in the filter, the packet needs to match the configured protocol (and ports), the OMPC (if
one exists) and the Content Rule.
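An added example, not Radware's code, that implements the matching rules for a basic filter described above over constructed IPv4 packets: protocol and port match, an OMPC taken relative to the IPv4 header or the Layer 4 data, and a Text content search starting at an offset. The DSCP filter relies on the standard IPv4 header layout (the DSCP is the top six bits of byte 1), so the OMPC for DSCP EF (46) is offset 1, one byte, mask fc, pattern b8. Filter names, addresses and packet contents are invented; the mask and pattern are given as integers rather than the eight hex digits the product expects.

```python
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_NUMBER = {"TCP": 6, "UDP": 17, "ICMP": 1}


@dataclass
class OMPC:
    relative_to: str           # "IPv4 Header", "L4 Header" or "L4 Data"
    offset: int                # 0-1513
    length: int                # One to Four Bytes
    mask: int                  # the product takes mask/pattern as 8 hex digits; ints here
    pattern: int
    condition: str = "Equal"   # Equal, Not Equal, Greater Than, Less Than


@dataclass
class BasicFilter:
    name: str
    protocol: str                        # IP, TCP, UDP or ICMP
    dst_port: Optional[range] = None     # Destination Port (From-To)
    src_port: Optional[range] = None     # Source Port (From-To)
    ompc: Optional[OMPC] = None
    content: Optional[bytes] = None      # Content Type "Text", searched in the L4 data
    content_offset: int = 0


def parse_ipv4(pkt: bytes) -> dict:
    """Split an IPv4 packet into the pieces the filter components refer to."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, l4 = pkt[9], pkt[ihl:]
    hdr_len, sport, dport = 0, None, None
    if proto == 6 and len(l4) >= 20:
        hdr_len = (l4[12] >> 4) * 4          # TCP data offset
    elif proto == 17 and len(l4) >= 8:
        hdr_len = 8                          # UDP header is fixed size
    if hdr_len:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"proto": proto, "ip_header": pkt[:ihl], "src_port": sport, "dst_port": dport,
            "l4_header": l4[:hdr_len], "l4_data": l4[hdr_len:]}


def ompc_matches(o: OMPC, info: dict) -> bool:
    base = {"IPv4 Header": info["ip_header"], "L4 Header": info["l4_header"],
            "L4 Data": info["l4_data"]}[o.relative_to]
    window = base[o.offset:o.offset + o.length]
    if len(window) < o.length:
        return False                         # packet too short: nothing to compare
    value = int.from_bytes(window, "big") & o.mask
    return {"Equal": value == o.pattern, "Not Equal": value != o.pattern,
            "Greater Than": value > o.pattern, "Less Than": value < o.pattern}[o.condition]


def filter_matches(f: BasicFilter, pkt: bytes) -> bool:
    """Protocol (and ports) must match, and so must the OMPC and the content when configured."""
    info = parse_ipv4(pkt)
    if f.protocol != "IP" and info["proto"] != PROTO_NUMBER[f.protocol]:
        return False
    if f.dst_port is not None and info["dst_port"] not in f.dst_port:
        return False
    if f.src_port is not None and info["src_port"] not in f.src_port:
        return False
    if f.ompc is not None and not ompc_matches(f.ompc, info):
        return False
    if f.content is not None and f.content not in info["l4_data"][f.content_offset:]:
        return False
    return True


def build_ipv4(proto: int, dscp: int, l4: bytes) -> bytes:
    """Minimal IPv4 header (checksum left zero: irrelevant to classification) plus L4 bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([10, 1, 1, 10]), bytes([10, 2, 2, 20]))
    return hdr + l4


def build_tcp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


# Filters (names invented). In product terms the DSCP OMPC is: OMPC Offset Relative To = IPv4
# Header, OMPC Offset = 1, OMPC Length = One Byte, OMPC Mask = fc000000, OMPC Pattern = b8000000.
HTTP_INTRANET = BasicFilter("http-intranet", "TCP", dst_port=range(80, 81),
                            content=b"Host: intranet.example")
DSCP_EF = BasicFilter("dscp-ef", "IP", ompc=OMPC("IPv4 Header", 1, 1, 0xFC, 46 << 2))

# Constructed packets.
WEB = build_ipv4(6, 0, build_tcp(40000, 80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"))
TLS = build_ipv4(6, 0, build_tcp(40001, 443, b"\x16\x03\x01\x00\x05hello"))
VOICE = build_ipv4(17, 46, struct.pack("!HHHH", 5004, 5004, 8 + 160, 0) + b"\x80" * 160)
DNS = build_ipv4(17, 0, struct.pack("!HHHH", 40002, 53, 8 + 12, 0) + b"\x00" * 12)

if __name__ == "__main__":
    for flt in (HTTP_INTRANET, DSCP_EF):
        print(flt.name, [filter_matches(flt, p) for p in (WEB, TLS, VOICE, DNS)])
```

Because every configured component must match, a content match alone never classifies a packet whose port or OMPC does not match; this is the AND semantics the text describes for a single basic filter, as opposed to the OR Group filters described later.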

Predefined Basic Filters

The ACL and BWM modules support an extensive list of predefined basic filters. You cannot modify
or delete predefined basic filters. For the list of predefined basic filters, see Appendix D -
Predefined Basic Filters, page 361.

Configuring a Basic Filter

To configure a basic filter

1. In the Configuration perspective Classes tab navigation pane, select Modify Configuration >
Services > Basic Filters.
2. Do one of the following:
   - To add an entry to the table, click Add.
   - To edit an entry in the table, double-click the entry.
3. Configure the parameters, and then click OK.

Table 121: Basic Filter Parameters

Name
    The name of the filter.

Protocol
    Values:
    - IP
    - TCP
    - UDP
    - ICMP
    - NonIP
    - ICMPV6
    - SCTP
    Default: IP

Source App. Port
    The Layer-4 source port for TCP, UDP, or SCTP traffic.
    Values: dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn,
    my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny),
    sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp

Destination App. Port
    The Layer-4 destination port for TCP, UDP, or SCTP traffic.
    Values: dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn,
    my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny),
    sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp

OMPC Offset Relative To
    The reference point in the packet from which the OMPC Offset is counted.
    Values:
    - None
    - IPv4 Header
    - IPv6 Header
    - IP Data
    - L4 Data
    - ASN1
    - Ethernet
    - L4 Header

OMPC Offset
    The location in the packet, relative to the selected reference point, at which the OMPC
    starts checking for specific bits (for example, in the IP or TCP header).
    Values: 0-1513

OMPC Mask
    The mask for the OMPC data. The value must be defined according to the OMPC Length parameter.
    Values: Must comprise eight hexadecimal symbols
    Default: 00000000

OMPC Pattern
    The fixed-size pattern within the packet that the OMPC rule attempts to find. The value must
    be defined according to the OMPC Length parameter. The OMPC Pattern must contain eight
    hexadecimal symbols. If the value of the OMPC Length parameter is smaller than Four Bytes,
    pad the OMPC Pattern with zeros. For example, if OMPC Length is Two Bytes, the OMPC Pattern
    can be abcd0000.
    Values: Must comprise eight hexadecimal symbols
    Default: 00000000

OMPC Condition
    Values:
    - None
    - Equal
    - Not Equal
    - Greater Than
    - Less Than
    Default: None

OMPC Length
    Values:
    - None
    - One Byte
    - Two Bytes
    - Three Bytes
    - Four Bytes
    Default: None

Content Offset
    The location in the packet at which the checking of content starts.
    Values: 0-1513

Content
    The value of the content search.
    Values: printable ASCII characters, that is, space and ! " # $ % & ' ( ) * + , - . / 0-9 : ;
    < = > ? @ A-Z [ \ ] ^ _ ` a-z { | } ~

Content Type
    The specific content type to search for.
    Values:
    - None
    - URL: A URL in the HTTP request URI.
    - Text: Text anywhere in the packet.
    - Hostname: A hostname in the HTTP header. The host names in the Hostname List of an L7
      Policy are not algorithmically related to a host name configured for a basic filter.
    - Header Field: A header field in the HTTP header.
    - Expression: Text anywhere in the packet represented by a regular expression specified in
      the Content field.
    - Mail Domain: The Mail Domain in the SMTP header.
    - Mail To: The Mail To SMTP header.
    - Mail From: The Mail From SMTP header.
    - Mail Subject: The Mail Subject SMTP header.
    - File Type: The type of the requested file in the HTTP GET command (for example, JPG, EXE,
      and so on).
    - Cookie: The HTTP cookie field. The Content field includes the cookie name, and the Content
      Data field includes the cookie value.
    - Normalized URL: A normalized URL in the HTTP request URI.
    - POP3 User: The POP3 User field in the POP3 header.
    - URI Length: Filters according to URI length.
    - FTP Command: Parses FTP commands into commands and arguments, while normalizing FTP packets
      and stripping Telnet opcodes.
    - FTP Content: Scans the data transmitted using FTP, normalizes FTP packets and strips Telnet
      opcodes.
    - Generic Url: The generic URL in the HTTP Request URI. No normalization procedures are
      taken. GET/HEAD/POST is not required when this type is selected. This is applicable for
      protocols like SIP, BitTorrent, and so on.
    - Generic Header: In the HTTP Request URI. No normalization procedures are taken.
      GET/HEAD/POST is not required when this type is selected. This is applicable for protocols
      like SIP, BitTorrent, and so on.
    - Generic Cookie: In the HTTP Request URI. No normalization procedures are taken.
      GET/HEAD/POST is not required when this type is selected. This is applicable for protocols
      like SIP, BitTorrent, and so on.
    Default: None

Content End Offset
    The location in the packet at which the checking of content ends.
    Values: 0-1513

Content Data
    The data searched for within the packet (for the Cookie content type, the cookie value).
