
DefenseFlow

INSTALLATION AND USER GUIDE

Software Version 4.2.0.0


Document ID: RDWR-DF-V42000_UG2107 July, 2021
DefenseFlow Installation and User Guide
Important Notices

IMPORTANT NOTICES
The following important notices are presented in English, French, and German.

Important Notices
This guide is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2021. All rights reserved.
The copyright and all other intellectual property rights and trade secrets included in this guide are
owned by Radware Ltd.
The guide is provided to Radware customers for the sole purpose of obtaining information with
respect to the installation and use of the Radware products described in this document, and may not
be used for any other purpose.
The information contained in this guide is proprietary to Radware and must be kept in strict
confidence.
It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without
the prior written consent of Radware.

Important Notice (French)
This guide is subject to the following conditions and restrictions:
Copyright Radware Ltd. 2021. All rights reserved.
The copyright and all other rights relating to intellectual property and trade secrets contained in
this guide are the property of Radware Ltd.
This information guide is provided to our customers in connection with the installation and use of
the Radware products described in this document and may not be used for any purpose other than
the one for which it was designed.
The information contained in this document remains the property of Radware and must be kept
confidential.
It is strictly forbidden to copy, reproduce or disclose information contained in this manual without
obtaining the prior written consent of Radware.

Important Note (German)
This manual is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2021. All rights reserved.
The copyright and all other proprietary rights and trade secrets contained in this manual are the
property of Radware Ltd.
This manual is provided to Radware customers for the sole purpose of providing information on the
installation and use of the Radware products described in this document. It may not be used for
any other purpose.
The information contained in this manual is the property of Radware and must be treated as
strictly confidential.
It is strictly forbidden to copy, duplicate, reproduce or disclose this manual or parts thereof without
the prior written consent of Radware.

Copyright Notices
This product contains the third party software components included in the following table.


All such third party software components have been included in this product along with their
respective copyright notices and license terms.
Please refer to the source code of each such software component for its respective copyright notices
and license terms.

Table 1: Third-party Software Licenses

Component                     Version          License
metrics-core                  3.0.2            Apache License 2.0
guava                         14.0.1           The Apache Software License, Version 2.0
protobuf-java                 2.6.1            New BSD license
config                        1.2.1            Apache License 2.0
akka-actor_2.10               2.38             Apache License 2.0
akka-osgi_2.10                2.38             Apache License 2.0
commons-collections           3.21             Apache License 2.0
commons-io                    2.3              Apache License 2.0
commons-net                   3.3              Apache License 2.0
netty                         3.10.0.Final     Apache License 2.0
javax.ws.rs-api               2                Radware elects to include this software in this distribution under the CDDL license, http://opensource.org/licenses/CDDL-1.0
jcip-annotations              1
lz4                           1.3.0            Apache License 2.0
commons-csv                   1.1              Apache License 2.0
httpclient-osgi               4.4              Apache License 2.0
httpcore-osgi                 4.4.1            Apache License 2.0
groovy-all                    2.3.9            Apache License 2.0
jackson-core-asl              1.9.13           Apache License 2.0
jackson-jaxrs                 1.9.13           Apache License 2.0
jackson-mapper-asl            1.9.13           Apache License 2.0
javassist                     3.18.1-GA        Apache License 2.0
jboss-marshalling             1.4.10.Final     Apache License 2.0
jboss-modules                 1.4.1.Final      Apache License 2.0
resteasy-jaxrs                2.2.1.GA         Apache License 2.0
resteasy-multipart-provider   2.2.0.GA         Apache License 2.0
json                          20080701         http://www.json.org/license.html
scala-library                 2.10.0           BSD-like
springframework               3.2.4.RELEASE    Apache License 2.0
snappy-java                   1.1.1.6          Apache License 2.0
akka-message-java             0.0.1            Apache License 2.0
cassandra-driver-core         2.1.4            Apache License 2.0
cassandra-driver-mapping      2.1.4            Apache License 2.0
commons-validator             1.4.0            Apache License 2.0
commons-dbcp2                 2                Apache License 2.0
cxf-rt-frontend-jaxrs         3.0.3            Apache License 2.0
cxf-rt-frontend-jaxws         3.0.3            Apache License 2.0
cxf-rt-transports-http        3.0.3            Apache License 2.0
cxf-rt-transports-http-jetty  3.0.3            Apache License 2.0
org.osgi.core                 1.4.0            Apache License 2.0
org.apache.karaf.jdbc.command 3.0.3            Apache License 2.0
org.apache.karaf.jdbc.core    3.0.3            Apache License 2.0
org.apache.karaf.shell.console 3.0.3           Apache License 2.0
mina-core                     2.0.7            Apache License 2.0
hibernate-osgi                4.3.6.Final      GNU Lesser General Public License
org.osgi.compendium           4.2.0            Apache License 2.0
slf4j-api                     1.7.10           MIT License

Standard Warranty
The following standard warranty is presented in English, French, and German.

Standard Warranty
Radware offers a limited warranty for all its products (“Products”). Radware hardware products are
warranted against defects in material and workmanship for a period of one year from date of
shipment. Radware software carries a standard warranty that provides bug fixes for up to 90 days
after date of purchase. Should a Product unit fail anytime during the said period(s), Radware will, at
its discretion, repair or replace the Product.
For hardware warranty service or repair, the product must be returned to a service facility
designated by Radware. Customer shall pay the shipping charges to Radware and Radware shall pay
the shipping charges in returning the product to the customer. Please see specific details outlined in
the Standard Warranty section of the customer’s purchase order.
Radware shall be released from all obligations under its Standard Warranty in the event that the
Product and/or the defective component has been subjected to misuse, neglect, accident or
improper installation, or if repairs or modifications were made by persons other than Radware
authorized service personnel, unless such repairs by others were made with the written consent of
Radware.
EXCEPT AS SET FORTH ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE) ARE
PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED.


Standard Warranty (French)
Radware offers a limited warranty for all of its products (“Products”). Radware hardware is
warranted against any material and manufacturing defect for a period of one year from the date of
shipment. Radware software is provided with a standard warranty consisting of the supply of fixes
for software malfunctions (bugs) for a maximum period of 90 days from the date of purchase.
Should a Product present a defect during the said period(s), Radware will, at its discretion, repair
or replace the Product.
As regards the hardware exchange or repair warranty, the Product must be returned to a repairer
designated by Radware. The Customer shall bear the cost of shipping the Product to Radware and
Radware shall bear the cost of returning the Product to the customer. Please consult the specific
conditions described in the “Standard Warranty” part of the customer purchase order.
Radware is released from all obligations relating to the Standard Warranty in the event that the
Product and/or the defective component has been subject to misuse, negligence, accident or
non-compliant installation, or if the repairs or modifications it has undergone were performed by
persons other than the maintenance personnel authorized by Radware, unless Radware has given
its written consent to such repairs being performed by those persons.
EXCEPT IN THE CASES PROVIDED FOR ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND
SOFTWARE) ARE PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED WARRANTIES ARE EXCLUDED,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE.

Standard Warranty (German)
Radware offers a limited warranty for all of its products (“Products”). Radware hardware products
carry a warranty against material and workmanship defects for a period of one year from the
delivery date. Radware software comes with a standard warranty for bug fixing for a period of up
to 90 days after the date of purchase. Should a Product exhibit a defect within the stated warranty
period, Radware will, at its own discretion, either repair or replace the Product.
For hardware warranty service or repair, the Product must be returned to a service facility
designated by Radware. The customer shall bear the shipping costs for transporting the Product to
Radware; Radware shall bear the costs of returning the Product to the customer. For more precise
details, please refer to the Standard Warranty section of the customer order form.
Radware is released from all obligations under its Standard Warranty if the Product or the
defective part has been misused, neglected, subjected to an accident or improperly installed, or if
repairs or modifications were carried out by persons other than Radware-authorized service
personnel, unless such repairs by those other persons were carried out with the written permission
of Radware.
WITH THE EXCEPTION OF THE FOREGOING, ALL RADWARE PRODUCTS (HARDWARE AND
SOFTWARE) ARE DELIVERED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE, ARE EXCLUDED.

Limitations on Warranty and Liability


The following limitations on warranty and liability are presented in English, French, and German.


Limitations on Warranty and Liability


IN NO EVENT SHALL RADWARE LTD. OR ANY OF ITS AFFILIATED ENTITIES BE LIABLE FOR ANY
DAMAGES INCURRED BY THE USE OF THE PRODUCTS (INCLUDING BOTH HARDWARE AND
SOFTWARE) DESCRIBED IN THIS USER GUIDE, OR BY ANY DEFECT OR INACCURACY IN THIS USER
GUIDE ITSELF. THIS INCLUDES BUT IS NOT LIMITED TO ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION). THE ABOVE LIMITATIONS WILL APPLY EVEN IF RADWARE HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE
EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES OR LIABILITY FOR INCIDENTAL OR
CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

Limitations on Warranty and Liability (French)

IN NO EVENT SHALL RADWARE LTD. OR ITS AFFILIATED ENTITIES BE HELD LIABLE FOR DAMAGES
SUFFERED THROUGH THE USE OF THE PRODUCTS (INCLUDING HARDWARE AND SOFTWARE)
DESCRIBED IN THIS USER MANUAL, OR THROUGH DEFECTS OR INACCURACIES IN THIS USER
MANUAL, INCLUDING, WITHOUT THIS LIST BEING CONSIDERED EXHAUSTIVE, ALL DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, THE SUPPLY OF SUBSTITUTE PRODUCTS OR SERVICES; LOSS OF USE, DATA OR
PROFITS; OR BUSINESS INTERRUPTION). THE ABOVE LIMITATIONS SHALL APPLY EVEN IF
RADWARE HAS BEEN INFORMED OF THE POSSIBLE EXISTENCE OF SUCH DAMAGES. AS SOME
JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES OR OF
LIABILITY FOR INCIDENTAL OR INDIRECT DAMAGES, THE SAID LIMITATIONS OR EXCLUSIONS MAY
NOT BE APPLICABLE IN YOUR CASE.

Limitation of Liability and Warranty Disclaimer (German)

IN NO EVENT SHALL RADWARE LTD. OR ANY OF ITS AFFILIATED COMPANIES BE LIABLE FOR
DAMAGES ARISING FROM THE USE OF THE PRODUCT (HARDWARE AND SOFTWARE) AS DESCRIBED
IN THE USER MANUAL, OR FROM AN ERROR OR INACCURACY IN THIS USER MANUAL ITSELF. THIS
INCLUDES, AMONG OTHERS (WITHOUT BEING LIMITED THERETO), ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED
TO PROCUREMENT OR REPLACEMENT OF GOODS OR SERVICES, LOSS OF USE, LOSS OF DATA OR
PROFITS, OR BUSINESS INTERRUPTIONS). THE ABOVE LIMITATIONS APPLY EVEN IF RADWARE
SHOULD HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. SOME JURISDICTIONS DO
NOT PERMIT THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES OR OF LIABILITY FOR
INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE LIMITATION OR EXCLUSION SET OUT ABOVE
MAY NOT APPLY TO YOU.

Document Conventions
The following describes the conventions and symbols that this guide uses:

Item        Description
Example:    An example scenario
Caution:    Possible damage to equipment, software, or data
Note:       Additional information
To:         A statement and instructions
Tip:        A suggestion or workaround
Warning:    Possible physical harm to the operator


Table of Contents
IMPORTANT NOTICES ............................................................................................. 2
Copyright Notices .......................................................................................................... 2
Standard Warranty ........................................................................................................ 4
Limitations on Warranty and Liability ............................................................................. 5
Document Conventions ................................................................................................. 6

CHAPTER 1 – OVERVIEW ...................................................................................... 12


DefenseFlow Operational Flow ................................................................................... 12
DefenseFlow Deployments ......................................................................................... 12
Behavioral Detection with Radware's Flow Collector .......................................................... 13
External Detector Deployment ............................................................................................. 13
Layer 3 to Layer 7 DDoS Service with DefensePro as a Detector (DPaaD) ....................... 14
DefenseFlow Features ................................................................................................ 15
DDoS Service Provisioning .................................................................................................. 15
Statistics Collection .............................................................................................................. 18
Attack Detection ................................................................................................................... 19
Attack Life-Cycle Management ............................................................................................ 22
Traffic and Attack Monitoring ............................................................................................... 23
APSolute Vision User Interface ................................................................................... 24

CHAPTER 2 – INSTALLING AND INITIALIZING DEFENSEFLOW ....................... 25


Installing and Initializing DefenseFlow Virtual Appliance (VA) .................................... 25
Minimum Hardware Requirements ...................................................................................... 25
Software Requirements ....................................................................................................... 25
Deployment and Initial Configuration ................................................................................... 25
Connecting to the DefenseFlow Controller Shell ................................................................. 40
Upgrading DefenseFlow .............................................................................................. 42
Upgrade Prerequisites and Notes ........................................................................................ 42
Upgrading a Single Node Configuration .............................................................................. 42
Upgrading a High Availability Configuration ........................................................................ 45
DefenseFlow Cyber Control Menu Options ................................................................. 46
Changing the Default Host User and Root Passwords ........................................................ 46
Access to the Host Shell ...................................................................................................... 47
Generating a Technical Support File ................................................................................... 48
Rebooting the DefenseFlow Cyber Control System ............................................................ 48
Shutting Down the DefenseFlow Cyber Control System ..................................................... 49
Displaying Information for the DefenseFlow Cyber Control System .................................... 50


CHAPTER 3 – DEFENSEFLOW CONFIGURATION .............................................. 52


Accessing DefenseFlow .............................................................................................. 52
Opening DefenseFlow ......................................................................................................... 52
Global Management Task Buttons ...................................................................................... 53
Viewing Basic Information ........................................................................................... 55
Security Operations ..................................................................................................... 55
Protected Objects ................................................................................................................ 56
Activations ........................................................................................................................... 96
System .............................................................................................................................. 110
Security Settings ....................................................................................................... 119
Protected Objects ............................................................................................................. 119
Workflows ......................................................................................................................... 129
Detections ......................................................................................................................... 137
Operations ........................................................................................................................ 141
Mitigations ......................................................................................................................... 154
Configuring DefenseFlow .......................................................................................... 198
System .............................................................................................................................. 198
Network ............................................................................................................................. 207
Security Settings ............................................................................................................... 224
Monitoring ................................................................................................................. 266
Operation .......................................................................................................................... 266
Security Monitoring .................................................................................................... 275
Risk Levels ....................................................................................................................... 275
Using the Dashboard Views for Real-Time Security Monitoring ....................................... 276
Viewing Real-Time Traffic Reports ................................................................................... 287
Protection Monitoring ........................................................................................................ 289
Alerts Table ............................................................................................................... 292
Enabling SNMP for DefenseFlow .............................................................................. 292
Obtaining the SNMP Module MIBs .................................................................. 293
Setting Up the SNMP Module ........................................................................................... 293
SNMP System MIB Objects for Monitoring DefenseFlow ................................................. 294
SNMP Trap Objects for DefenseFlow Alerts .................................................................... 295

APPENDIX A – CLI COMMANDS .......................................................................... 296


CLI Command Syntax ............................................................................................... 296
CLI Help and Auto Completion .................................................................................. 296
CLI Help ............................................................................................................................ 297
Auto Completion ............................................................................................................... 298
CLI Commands ......................................................................................................... 299
dfc-alert ............................................................................................................................. 300
dfc-bgp .............................................................................................................................. 301
dfc-box .............................................................................................................................. 306
dfc-control ......................................................................................................................... 307


dfc-core ............................................................................................................................. 308


dfc-defensepro .................................................................................................................. 312
dfc-detection ..................................................................................................................... 317
dfc-dns-white-list ............................................................................................................... 318
dfc-filter ............................................................................................................................. 318
dfc-ha ................................................................................................................................ 320
dfc-info .............................................................................................................................. 322
dfc-interfaces .................................................................................................................... 323
dfc-license ......................................................................................................................... 325
dfc-mitigation-device ......................................................................................................... 325
dfc-mitigation-group .......................................................................................................... 328
dfc-mitigation-tunnel ......................................................................................................... 328
dfc-monitor ........................................................................................................................ 329
dfc-network-connect ......................................................................................................... 345
dfc-network-element ......................................................................................................... 345
dfc-network-group ............................................................................................................. 347
dfc-operation ..................................................................................................................... 347
dfc-protected-network ....................................................................................................... 350
dfc-protected-object .......................................................................................................... 351
dfc-route-tag ..................................................................................................................... 365
dfc-security-template ........................................................................................................ 366
dfc-snmp ........................................................................................................................... 366
dfc-source-batching .......................................................................................................... 368
dfc-syslog .......................................................................................................................... 369
dfc-system ........................................................................................................................ 369
dfc-tools ............................................................................................................................ 369
dfc-workflow ...................................................................................................................... 370
dfc-workflow-rule ............................................................................................................... 370

APPENDIX B – ALERTS TABLE ........................................................................... 373


Alerts ......................................................................................................................... 373
DefenseFlow Alerts ........................................................................................................... 374

APPENDIX C – REST API ..................................................................................... 385

APPENDIX D – COMMUNICATIONS PORTS........................................................ 386

APPENDIX E – RBAC — DEFENSEFLOW/APSOLUTE VISION MAPPING ......... 387

APPENDIX F – ADJUSTING SYSTEM SETTINGS................................................ 388


Physical CPU and RAM ............................................................................................ 388
KVM Disk Size ........................................................................................................... 389
Increasing Memory and CPU Limits .......................................................................... 393


RADWARE LTD. END USER LICENSE AGREEMENT......................................... 395



CHAPTER 1 – OVERVIEW
A well-known DoS attack mitigation and threat detection strategy is to divert suspected traffic from
its normal network path to dedicated attack mitigation infrastructures for cleaning and threat
detection. These infrastructures are also known as security centers or scrubbing centers, mainly
composed of Layer 3 through 7 DoS attack mitigation devices. These scrubbing centers can be
deployed in dedicated remote sites within a network in an out-of-path (OOP) manner (not “inline”
with the native traffic flow), so the diversion of traffic toward these centers is essential. During the
traffic cleaning process, the attack mitigation infrastructure identifies and drops malicious IP packets
and forwards legitimate IP packets back to their originally targeted network destinations. The
scrubbing centers can be located within the enterprise corporate network, data center, or cloud, and
also as part of a carrier's infrastructure.
Another strategy that is becoming common is to buy Layer 3 to Layer 7 DoS attack detection and
mitigation services from a service provider. The service provider must support the ability to provide
various SLAs to different customers, including granular Layer 3 to Layer 7 detection for each
separate customer.
This chapter includes the following topics:
• DefenseFlow Operational Flow, page 12
• DefenseFlow Deployments, page 12
• DefenseFlow Features, page 15
• APSolute Vision User Interface, page 24

DefenseFlow Operational Flow


DefenseFlow leverages network technologies and Radware attack detection and mitigation
technologies to provide attack mitigation as a native network service. It acts as a cyber-defense
control that collects and analyzes various security telemetries. Based on this information,
DefenseFlow provides various intelligent security actions.
Together with a DefensePro attack mitigation device, DefenseFlow provides a comprehensive,
programmable, network-wide security solution that protects both the carrier’s own infrastructure
and the carrier’s end customers.
The DefenseFlow application operation flow consists of the following steps:
1. Collection of traffic statistics and learning of statistics behavior of protected objects during
peacetime. The normal traffic baselines of the protected objects as a whole and for each
separate host are built from these collected statistics.
2. Detection of DoS attack patterns as traffic anomalies deviating from normal baselines.
3. Diversion of suspicious traffic from its normal path to mitigation (scrubbing) centers for traffic
cleansing, selective source blockage, and so on. Clean traffic out of scrubbing centers is
re-injected back into the traffic's original destination.
4. Attack termination.
5. Monitoring traffic and attacks throughout the life of the protected services.

DefenseFlow Deployments
This section describes the different DefenseFlow deployments, including:
• Behavioral Detection with Radware's Flow Collector, page 13


• External Detector Deployment, page 13


• Layer 3 to Layer 7 DDoS Service with DefensePro as a Detector (DPaaD), page 14

Behavioral Detection with Radware's Flow Collector


DefenseFlow Behavioral Detection can be deployed in NetFlow (and other flow-based protocols)
supported environments using Radware's Flow Collector. This deployment enables customers to
have end-to-end Radware network detection and out-of-path mitigation. As shown in Behavioral
Detection with Flow Collector Workflow, page 13, DefenseFlow facilitates tight integration with
DefensePro, which includes complete synchronization of baselines and information regarding the
attack type and statistics.

Figure 1: Behavioral Detection with Flow Collector Workflow

External Detector Deployment


The External Detector deployment is used with DefenseFlow by customers who have already deployed
a DDoS detector and would like to integrate Radware mitigation devices with it. As shown in
Figure 2 - External Detector Workflow, page 14, DefenseFlow facilitates tight integration of
DefensePro with a third-party detection system, which includes auto-configuration of protected
object sub-networks, definition of ASN-based protected objects, and synchronization of basic
information regarding the attack type and statistics.


Figure 2: External Detector Workflow

Layer 3 to Layer 7 DDoS Service with DefensePro as a Detector (DPaaD)


Attack detection in this scenario is performed by DefensePro in addition to DefenseFlow’s own
detection algorithms and external detection devices. Each protected object can be serviced by
multiple detection sources and DefenseFlow aggregates all sources.

Figure 3: Layer 3 to Layer 7 DDoS Service with DefensePro as a Detector (DPaaD) Workflow


As illustrated in Layer 3 to Layer 7 DDoS Service with DefensePro as a Detector (DPaaD) Workflow,
page 14, the required anti-DoS services can support the following scenarios:
• Detection and Mitigation in Tier 2 — The attack is detected by the second tier DefensePro
device. There are two different deployments in this scenario:
— DefensePro Inline — The detection device is inline and can start mitigating the attack
immediately.
— DefensePro in SmarTap mode — The detection device is listening on a tap interface. After
detection, DefenseFlow can divert the traffic so it actually flows through the device for
mitigation.
• Mitigation in Tier 1 — After detection, DefenseFlow can provision mitigation and divert traffic to
mitigation devices in tier 1. There are two deployments in which mitigation devices can be
deployed in tier 1:
— Perimeter Deployment — DefensePro devices are connected directly to the peer routers.
The advantage in this deployment is that the attack traffic is mitigated on the perimeter and
does not enter the core network. The disadvantage is that this deployment mitigates only
attacks coming from outside the network.
— Scrubbing Center — DefensePro devices reside somewhere in the core network connected
to a DDoS router. The scrubbing center can mitigate attacks coming from both outside and
inside the network.
• Blocking of Traffic — Blocking of traffic is usually done on the peer routers. DefenseFlow
supports blocking either with BGP RTBH or with FlowSpec.

DefenseFlow Features
This section describes the main features of DefenseFlow, including:
• DDoS Service Provisioning, page 15
• Statistics Collection, page 18
• Attack Detection, page 19
• Attack Life-Cycle Management, page 22
• Traffic and Attack Monitoring, page 23

DDoS Service Provisioning


DefenseFlow lets network operators provision DDoS protection to new services in a few simple steps
by using predefined, customizable detection methods, security workflows, and templates.
There are two stages to the DefenseFlow setup:
• Network Components — Configuring DefenseFlow with the network component it requires for its
operation. This stage is completed once.
• Service Components — Configuring the security capabilities and manner of operation for each
service.


Network Components
DefenseFlow requires configured network components to perform detection and control operations
to provide DDoS prevention service. These include: control elements, network elements, and
mitigation devices.

Control Elements
Control elements are other devices and applications that perform control operations in the network
and are integrated into the DefenseFlow service. Typically, each deployment requires a single type of
controller. The following are examples of controllers:
• Radware Flow (xFlow) Collectors — Provide DefenseFlow with the flow statistics required for
Radware's Behavioral DoS detection.
• Third-party Detectors — Provide DefenseFlow with attack detection signaling. You can
integrate DefenseFlow with any third-party detector by uploading a pluggable driver to
DefenseFlow.

Network Elements
Network elements represent the network traffic connectivity. DefenseFlow requires only the
knowledge of the switches and routers in the network that have influence over the traffic flow. These
include:
• Network Tier 1 Peers — The network entry points to the outside world. For Network
Infrastructure protection, these peers can be used for collection of statistics for detection and
blocking or diverting the traffic in case of attack.
• Network Tier 2 Peers — The protected services' connection points to the network. These peers
can also be used for collection of statistics, diversion, and re-injection of cleaned traffic back to
the protected network.
• DDoS routers (scrubbing center routers) — These peers are the connection points to the
mitigation devices.
• Route Reflectors — These are routers that operate as route reflectors for traffic diversion.
• Route Tags — In some networks, route tags are used for clean traffic injection.

Mitigation Devices
DefenseFlow mitigation devices are either DefensePro or other third-party mitigation devices located
in the network and used to detect and/or mitigate attacks on the protected networks:
• DefensePro devices — Both DefenseFlow and DefensePro use the same Behavioral DDoS
detection algorithms, and are fully synchronized. Information sharing and DefenseFlow
mitigation provisioning capabilities enable Layer 3 to Layer 7 detection and immediate mitigation
of attack traffic.
DefenseFlow monitors the health and capacity of the DefensePro devices and manages the
provisioning of the mitigation accordingly to avoid overflow of the mitigation device.
DefenseFlow attack monitoring includes information from both DefenseFlow itself and the
DefensePro devices.
• Third-party mitigation devices — DefenseFlow can use third-party mitigation devices as
targets for attack diversions. DefenseFlow does not configure or monitor these devices.

Service Components
The service components are the protected networks and the security services attached to them. To
simplify the provisioning of security services, DefenseFlow enables security administrators to define
principal security settings and re-apply them to as many services as required. These include:
security templates, operations, criteria-based workflows, and protected objects.


Workflows
DefenseFlow workflows allow the security operator to predefine the security operation model.
DefenseFlow can provision different services and perform different operations based on defined
criteria. For every protected object, the assigned workflow defines the detection, provisioning, and
mitigation capabilities.
Workflow rules define which operations DefenseFlow performs on detection when the enter criteria
are met, and when those operations stop, based on the exit criteria.

Detectors
DefenseFlow can aggregate several detection sources for protection of the same service. A list of
detectors can be defined and assigned to a service.

Security Templates
A security template holds all the security settings required by DefensePro mitigation devices for
mitigating attacks on a protected network. It is a configuration file holding the security profiles and
policies, and is configured on DefensePro upon provisioning of detection and/or mitigation, along
with the network classifications on which it should be applied.
Attaching a security template to a protected object creates a security policy instance specific to that
protected object. Once created, changes to the original template do not change the attached policy.
Upon mitigation provisioning, DefenseFlow configures the security policy on the mitigating devices.
At any given time, the number of security policies configured on the mitigation devices is the
number of concurrent provisioned protected objects in the network.
During the life of the mitigation, SOC operators may tune and change the policy according to the
observed attack. The changes made by the operators are saved. Upon termination of mitigation,
DefenseFlow uploads the policy before removing it from the mitigation devices. The uploaded policy
is saved as the protected object's security policy.
A security policy for a protected object can be reset to the original template or replaced with another
template only in peacetime.
You can create new security templates from a saved security policy either on one of the protected
objects or from the APSolute Vision management system repository.

Operations
An operation lets you define a set of actions to perform as a building block for workflows (from
where to redirect, the mitigation devices to use, and so on). While provisioning a specific anti-DoS
service, or provisioning a protected object, you can use an operation as a template to specify the
various actions required for the specific protected object. Using an operation eases the configuration
and the overall actions required for a protected object.
There are two types of operations:
• Mitigation — This operation type can be defined with any subset of the following actions:
— Divert — Divert attack traffic to a mitigation device or a mitigation device group using BGP
and BGP FlowSpec rules.
— Mitigate — Configure the mitigation devices with all relevant information, including black lists
and white lists. This is relevant only for DefensePro mitigation devices.
— Clean traffic injection — Configure the mitigation devices to inject the cleaned traffic back
to the protected object. This option is relevant only for DefensePro mitigation devices.
• Traffic Blocking — Traffic Blocking with a FlowSpec operation is activated manually, either
in manual mode or in user-confirmation mode.

The operation is a reusable object. The same operation can be used for as many workflows as
required. Changes to the operation affect all related Protected Objects.


Protected Objects
A protected object is the network or set of network addresses that requires protection.
The classification of a protected object is a set of up to 64 IP addresses or IP subnets, with or
without VLANs. The addresses can be IPv4 or IPv6 addresses. The granularity of the defined
classification determines the detection and diversion granularity:
• Behavioral DoS detection — DefenseFlow supports both IPv4 and IPv6. Baseline learning and
detection sensitivity apply to the entire protected object. For up to five (5) protected objects
with granular mitigation, and up to a total of 10000 IP addresses, DefenseFlow can perform
BDoS detection per /32 host. In case of an attack, traffic is diverted according to the detected
target. You can manually override the diversion granularity to a specific IP address or a subnet
within the protected object.
• DefensePro as a Detector — DefenseFlow configures a policy on the detector device per
protected object. Any action based on detection from the DefensePro device can be performed
per the detection granularity.
• Third-party Detector — Diversion of traffic is performed according to the granularity reported
by the detector. You can manually override the diversion granularity to a specific IP address or a
subnet within the protected object.

Provisioning of a security service to a protected object includes:


• Security Policy — The security settings that are configured on DefensePro devices.
• Workflow — The operation methods and detection for performing the actions.
• Manual Thresholds — The manual thresholds configuration is optional and is enforced in
addition to behavioral detection.
• Advanced Settings — The advanced settings are optional.
— BGP communities — You can define BGP communities per protected object that are
included in the BGP announcements when there are diversions. This option is available only
when DefenseFlow sends the BGP announcements.
— Driver parameters — A list of user-defined parameters that can be used by the control
element pluggable driver. For example, the driver can define a parameter Customer, specified
per protected object, that identifies the target customer by name in the alerts received from a
third-party detector.

Statistics Collection
Statistics collection is used by DefenseFlow to get flow information per protected object for the
Behavioral DoS detection algorithms.
DefenseFlow requires flow statistics on the inbound traffic destined for the protected object. The
flow statistics include both byte count and packet count per the following protocols:
• TCP
• UDP
• ICMP
• Other IP traffic

Statistics collection is provided from a controller suited to each specific deployment.

Radware Flow Collector for Statistics Collection


These are the NetFlow (or other supported flow protocols) statistics as provided by the Radware
Flow Collector.


Attack Detection
DefenseFlow can detect attacks on a protected object in the following ways: Behavioral DDoS
detection, DefensePro as a Detector (DPaaD), third-party detector signaling, and manual thresholds.
Both BDoS detection and manual thresholds can be applied to the entire protected object or
granularly per host.

Behavioral DDoS Detection


Radware behavioral detection algorithms include proven mitigation accuracy and quality. Using
patented behavioral fuzzy logic detection and combining rate-dependent and independent
parameters, these algorithms can detect all types of network DDoS attacks when an actual attack
happens, while avoiding the false detection of traffic peaks.
With Behavioral DDoS detection, DefenseFlow learns the normal traffic behavior of a network or a
specific host in the network. It can also learn the network sensitivity and adjust its learning
mechanism.
Both DefenseFlow and DefensePro use the same algorithms, enabling full synchronization and
information sharing between devices.

DefensePro as a Detector (DPaaD)


DefensePro devices can be deployed as both detection and mitigation devices. The same device can
operate in both capacities.
DefenseFlow can receive detection indication from DefensePro devices that are defined as detectors
in addition to other detection methods.
DefensePro as a Detector (DPaaD) can be deployed in the following deployment modes:
• Always-On devices — In Always-On mode, traffic towards a protected object goes through a
DefensePro device. In this mode, DefensePro can either operate as a detector only (report-only
mode) or can immediately start mitigating the attack it detects.
DefenseFlow supports Always-On DefensePro devices in both transparent mode and IP mode.
Figure 4 - DefensePro Deployment in Transparent Mode, page 19 illustrates two possible
deployments of a transparent DefensePro. In the deployment on the left, DefensePro is inline
with the traffic; DefenseFlow only provisions the security configuration and does not need to
divert the traffic. In the deployment on the right, DefensePro is out-of-path, and DefenseFlow
also needs to divert the traffic towards the far-end router address upon service provisioning.

Figure 4: DefensePro Deployment in Transparent Mode


Figure 5 - DefensePro Deployment in IP Mode, page 20 illustrates a DefensePro deployment in IP
mode. In this mode, DefenseFlow both diverts the traffic towards the DefensePro diversion
address and provisions the security configuration to enable it to work as an Always-On
detector.

Figure 5: DefensePro Deployment in IP Mode

• SmarTap devices — DefensePro in SmarTap mode can be deployed only in transparent mode
(see DefensePro in SmarTap Mode, page 20). The tap port on the router copies all the traffic
towards the protected object. In case of attack detection, DefenseFlow can divert the attack
traffic towards another port of the device for mitigation.

Figure 6: DefensePro in SmarTap Mode


The configuration on the router should specify the tap port to monitor the port towards the
protected object. For example, in an ASR9K router, the configuration would be as follows:

monitor-session mon1 ethernet
 destination interface TenGigE0/0/2/2
!
interface TenGigE0/0/2/1
 description "DP Traffic In"
 ipv4 address 182.10.1.1 255.255.255.252
!
interface TenGigE0/0/2/2
 description "TAP traffic to DP"
!
interface TenGigE0/0/2/3
 description "Server Side"
 ipv4 address 182.30.1.1 255.255.255.252
 monitor-session mon1 ethernet direction tx-only
!
!
end

In DefensePro, there are two port pairs to use. For example, the following is the configuration on
the DefensePro device that matches the above configuration:

device static-forwarding-table setCreate 18 -dst 19 -op Process
device static-forwarding-table setCreate 19 -dst 18 -op Process -t Destination
device static-forwarding-table setCreate 17 -dst 20 -op Process
device static-forwarding-table setCreate 20 -dst 17 -op Process -t Destination

— Tap pair — Port 17 and its pair, port 20, which should be up but not connected back to the
network. You can use a plug on the port.
— Diversion pair — In DefensePro in SmarTap Mode, page 20, these are ports 18 and 19. Port
19 should be connected to the downstream router so that the traffic does not go back
through TenGigE0/0/2/3 and is not copied again by the tap.

Unmanaged DefensePro Devices


DPaaD devices may be managed or unmanaged. For example, a CPE device on the end-customer
premises may give indications of attacks but remains unmanaged. DefenseFlow will not change the
configuration on an unmanaged device.

Note: To be able to delegate mitigation from an unmanaged device to another DefensePro device,
the policy name to be delegated must be the name of the protected object.

Third-Party Detector Signaling


DefenseFlow can receive signaling on attacks from other detection controllers that reside in the
network. Integration of DefenseFlow with an external detector is done by uploading a pluggable
driver suited for the specific detector signaling.
Third-party detectors can transfer new attributes to DefenseFlow upon attack detection, as follows:
• Peacetime traffic baseline — This set of attributes is used by DefensePro to improve the
accuracy of the mitigation and to lower the level of false positives.


• Attack and Protected Object URI — These two attributes are used in DefenseFlow as links to
third-party detector management systems.

These attributes are part of the attack_start REST API call. For more information, see the
DefenseFlow REST API Guide.
DefenseFlow can facilitate tight integration of DefensePro mitigation devices with any third-party
detection system, passing basic information regarding the attack type and statistics to enable
immediate mitigation.

Manual Thresholds
DefenseFlow can use manual thresholds to define hard peak limits. Manual threshold detection
does not replace behavioral detection; it complements it. However, manual thresholds, especially
granular thresholds, can be used instead of BDoS. Both manual and behavioral detection can operate
simultaneously.

Granular Detection
The ability to adjust detection method per protected object networks provides the most flexible and
targeted security solution for Radware’s customers’ networks.
The following detection methods can be combined with the external detector and DefensePro as a
Detector methods to create a mixed, multiple-detector method for overall protected object
detection:
• BDoS detection on entire protected object networks.
• Granular BDoS detection that can detect BDoS attacks on a specific host.
• Threshold detection on entire protected object networks.
• Granular threshold detection that can detect attacks on a specific host using a given threshold.
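The combined detection described in this list, as an added example that is not part of the Radware guide: it learns per-protocol packet baselines from constructed peacetime flow records for one protected object, then applies whole-object BDoS, per-host granular BDoS, and whole-object and per-host manual thresholds to one attack interval. The mean-plus-k-stdev baseline, the ProtectedObject and FlowRecord structures, and all addresses and counts are this example's own assumptions, not Radware's algorithms or data.

```python
"""Peacetime baselines and the four detection methods for a protected object.

Added example, not code from the Radware guide. It models the per-protocol
packet statistics collected for inbound traffic to a protected object, BDoS
detection on the whole object, granular BDoS per /32 host, and manual
thresholds (whole object and per host). The mean-plus-k-stdev baseline is a
simple stand-in for Radware's fuzzy-logic algorithms, which are not described.
"""
import ipaddress
import statistics
from dataclasses import dataclass, field

PROTOCOLS = ("tcp", "udp", "icmp", "other")


@dataclass(frozen=True)
class FlowRecord:
    """Inbound flow sample for one interval: target host, protocol, counts."""
    dst: str
    proto: str
    packets: int
    bytes: int


@dataclass
class ProtectedObject:
    """Classification of up to 64 subnets plus optional manual thresholds."""
    name: str
    subnets: list
    thresholds: dict = field(default_factory=dict)        # whole object, per protocol
    host_thresholds: dict = field(default_factory=dict)   # host -> {protocol: limit}

    def covers(self, host):
        """True if the host lies within the protected object classification."""
        return any(ipaddress.ip_address(host) in ipaddress.ip_network(s) for s in self.subnets)


def protocol_counts(records, host=None):
    """Packets per protocol in one interval, optionally for a single host."""
    counts = dict.fromkeys(PROTOCOLS, 0)
    for r in records:
        if host is None or r.dst == host:
            counts[r.proto if r.proto in counts else "other"] += r.packets
    return counts


def learn_baseline(intervals, host=None):
    """Peacetime baseline: (mean, stdev) of packets per protocol per interval."""
    series = {p: [protocol_counts(recs, host)[p] for recs in intervals] for p in PROTOCOLS}
    return {p: (statistics.fmean(v), statistics.pstdev(v)) for p, v in series.items()}


def bdos_anomalies(baseline, counts, k=3.0, min_packets=100):
    """Protocols above baseline. The band is k times the larger of the stdev and
    10% of the mean (a flat baseline still tolerates jitter); min_packets ignores idle ones."""
    hits = []
    for p in PROTOCOLS:
        mean, sd = baseline[p]
        if counts[p] >= min_packets and counts[p] > mean + k * max(sd, 0.1 * mean):
            hits.append(p)
    return hits


def threshold_hits(limits, counts):
    """Protocols exceeding a manual hard limit (complements BDoS, per the guide)."""
    return [p for p, lim in limits.items() if counts.get(p, 0) > lim]


def detect(po, peacetime, current, granular_hosts=()):
    """Run all four methods on one interval; returns (method, target, protocol).
    The target (whole object or /32 host) is what sets the diversion granularity."""
    findings = []
    whole = protocol_counts(current)
    findings += [("bdos", po.name, p) for p in bdos_anomalies(learn_baseline(peacetime), whole)]
    findings += [("threshold", po.name, p) for p in threshold_hits(po.thresholds, whole)]
    for host in granular_hosts:
        if not po.covers(host):
            raise ValueError(f"{host} is outside {po.name}")
        per_host = protocol_counts(current, host)
        base = learn_baseline(peacetime, host)
        findings += [("bdos_granular", f"{host}/32", p) for p in bdos_anomalies(base, per_host)]
        findings += [("threshold_granular", f"{host}/32", p)
                     for p in threshold_hits(po.host_thresholds.get(host, {}), per_host)]
    return findings


# Constructed sample data: ten quiet intervals, then one UDP flood against .20.
PO = ProtectedObject("web-farm", ["203.0.113.0/24"],
                     thresholds={"udp": 10000},
                     host_thresholds={"203.0.113.20": {"udp": 5000}})
PEACETIME = [[FlowRecord("203.0.113.10", "tcp", 1000 + (i % 3) * 10, 1_200_000),
              FlowRecord("203.0.113.20", "udp", 200 + (i % 2) * 20, 150_000),
              FlowRecord("203.0.113.10", "icmp", 20, 1_500)] for i in range(10)]
ATTACK = [FlowRecord("203.0.113.10", "tcp", 1010, 1_200_000),
          FlowRecord("203.0.113.20", "udp", 50000, 60_000_000),
          FlowRecord("203.0.113.10", "icmp", 20, 1_500)]


def run_example():
    return detect(PO, PEACETIME, ATTACK, granular_hosts=("203.0.113.10", "203.0.113.20"))
```

The UDP flood is reported four times, once per method, while the unchanged TCP and ICMP traffic produces no finding; the per-host findings carry the /32 target that the diversion would use.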

Attack Life-Cycle Management


From the provisioning of a protected object and once an attack is detected, DefenseFlow manages
the attack life-cycle until the attack is terminated.

Mitigation Selection
Based on specified criteria, DefenseFlow selects the appropriate operation and mitigation devices to
handle each attack, and also updates the BGP FlowSpec rule related to the operation. According to
the operation actions, the mitigation can be performed by a single device or by a group of devices
that can all be provisioned to mitigate the same attack.
In User Confirmation mode and Manual mode, you can choose to override the preferences
selected in the operation, and select a different operation with a different mitigation device or
group of mitigation devices.
DefenseFlow verifies the availability of the selected DefensePro mitigation devices according to
their availability and capacity. A mitigation device that is not available or has reached the
configured capacity limit is not used to mitigate an attack.
If even one mitigation device is not available, the mitigation provisioning for the attack fails. A
protected object in User Confirmation mode remains pending confirmation.

Note: Third-party mitigation devices are not monitored and are used for mitigation even if they are
unavailable.


Mitigation Provisioning in Real-Time


Mitigation provisioning is available only for DefensePro mitigation devices. Once mitigation devices
are selected for a protected object, mitigation provisioning includes two steps:
1. Security policy configuration — Configure DefensePro devices with the protected object
classifications and security policy.
2. Attack Information — Configure attack information and baselines in DefensePro to enable
immediate transition of DefensePro to detection and mitigation of the attack.

Traffic Diversion and Injection


After the mitigation devices are configured and ready to mitigate the attack, DefenseFlow initiates
the diversion of the traffic. The granularity of the diverted target is determined according to the
detection. If the detection specifies a specific target or a subnet within the protected object, the
diversion is performed on the specified target. Otherwise, the diversion is performed on the entire
protected object classification.
In User Confirmation mode or in Manual mode, you can override the chosen destination with another
target with any chosen granularity as long as it is within the boundaries of the protected object
classification.
By changing the selected operation, you can also change the default group of network elements to
be used for diversion. For example, in a BGP supported-network you may choose to advertise the
announcements to a different group of BGP peers.

BGP Redirection
In addition to BGP itself, with this method you can also use BGP FlowSpec rules. DefenseFlow
natively supports opening BGP peer connections and advertising announcements for both IPv4 and
IPv6. The announcements are made automatically according to the diverted target and the selected
BGP peer group, and are removed once the mitigation is complete.
DefenseFlow can also add any user-defined communities from the protected object configuration.
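The selection, target-resolution and BGP announce/withdraw steps described in Mitigation Selection, Traffic Diversion and Injection and BGP Redirection, as an added example that is not part of the Radware guide. The Operation and MitigationDevice fields, the capacity figures, the diversion next-hop and the textual announcement format are assumptions for illustration; nothing here is a Radware API or a BGP library.

```python
"""Mitigation selection, diversion target and BGP announce/withdraw lifecycle.

Added example, not code from the Radware guide. It encodes the rules stated in
Mitigation Selection, Traffic Diversion and Injection and BGP Redirection: every
DefensePro device in the operation must be available and under its capacity
limit or provisioning fails; third-party devices are not monitored and are
always used; the diverted prefix is the detected target when one is given,
otherwise the entire classification; an override must stay inside the
classification; announcements carry the object's communities and are withdrawn
when mitigation ends. The Operation fields and the announcement text are this
example's own, not a Radware API or a BGP wire format.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class MitigationDevice:
    name: str
    kind: str                      # "defensepro" or "third_party"
    available: bool = True
    capacity_gbps: float = 0.0
    load_gbps: float = 0.0

    def can_take(self, attack_gbps):
        """Capacity check; third-party devices are not monitored, so they always pass."""
        if self.kind == "third_party":
            return True
        return self.available and self.load_gbps + attack_gbps <= self.capacity_gbps


@dataclass
class Operation:
    """Divert action of a Mitigation operation (assumed shape, not Radware's)."""
    devices: list
    peer_group: str                # BGP peers that receive the announcements
    diversion_next_hop: str        # scrubbing-center address the prefixes point to


def select_devices(operation, attack_gbps):
    """The whole group, or None: one unusable DefensePro device fails provisioning."""
    if all(d.can_take(attack_gbps) for d in operation.devices):
        return list(operation.devices)
    return None


def resolve_target(classification, detected_target=None, override=None):
    """Prefixes to divert: manual override > detected target > entire object."""
    nets = [ipaddress.ip_network(c) for c in classification]
    chosen = override if override is not None else detected_target
    if chosen is None:
        return nets
    prefix = ipaddress.ip_network(chosen)      # a bare host address becomes /32 or /128
    if not any(prefix.version == n.version and prefix.subnet_of(n) for n in nets):
        raise ValueError(f"{chosen} is outside the protected object classification")
    return [prefix]


@dataclass
class BgpDiversion:
    """Announcements DefenseFlow would hold for one attack towards one peer group."""
    peer_group: str
    communities: list
    next_hop: str
    active: set = field(default_factory=set)

    def announce(self, prefixes):
        comm = " ".join(self.communities)
        msgs = []
        for p in prefixes:
            self.active.add(str(p))
            msgs.append(f"announce {p} next-hop {self.next_hop} community [{comm}] -> {self.peer_group}")
        return msgs

    def withdraw_all(self):
        """Attack termination: withdraw everything so traffic takes its normal path."""
        msgs = [f"withdraw {p} -> {self.peer_group}" for p in sorted(self.active)]
        self.active.clear()
        return msgs


def provision(classification, communities, operation, attack_gbps,
              detected_target=None, override=None):
    """Select devices, resolve the target and announce; None if selection fails."""
    if select_devices(operation, attack_gbps) is None:
        return None                 # a PO in User Confirmation mode stays pending
    prefixes = resolve_target(classification, detected_target, override)
    diversion = BgpDiversion(operation.peer_group, list(communities), operation.diversion_next_hop)
    return diversion, diversion.announce(prefixes)


# Constructed sample: two DefensePro devices behind one scrubbing-center router.
SCRUB = Operation(
    devices=[MitigationDevice("dp-1", "defensepro", True, 40.0, 10.0),
             MitigationDevice("dp-2", "defensepro", True, 40.0, 35.0)],
    peer_group="tier1-peers", diversion_next_hop="192.0.2.1")
CLASSIFICATION = ["203.0.113.0/24", "2001:db8:10::/48"]
COMMUNITIES = ["65000:100", "65000:911"]
```

With a 4 Gbps attack both devices fit and a single /32 is announced; at 10 Gbps dp-2 would exceed its limit, so provisioning returns None and nothing is announced.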

Injection
DefenseFlow also defines for DefensePro devices where and how to inject the cleaned traffic back to
the appropriate interface in order to reach the protected object, either with a GRE tunnel, a clean
route tag, or into a dedicated IP address.
This option is available only with DefensePro mitigation devices.

Attack Termination
DefenseFlow continuously monitors the state of the attack until it is sure that the protected object is
no longer under attack. Once the attack is terminated, the traffic returns to its normal path and all
configurations are removed from the mitigation devices.
Any changes made to the security policy during the attack are saved to be used in future attacks.
You can initiate termination of mitigation regardless of the attack status observed by DefenseFlow.
Attack termination for the traffic blocking operation should be performed manually.

Traffic and Attack Monitoring


As the scale, physical distribution, threat landscape, and other factors require security to become
more distributed, the ability to obtain situational awareness across a distributed network becomes a
challenge, specifically when deploying multi-vendor solutions.


DefenseFlow enables uniform situational awareness, in the context of a protected network or
service, by aggregating reports from across an entire distributed solution. DefenseFlow is designed
as an open system, which also allows integration of third-party detection and collection systems that
enable additional information to be included in DefenseFlow reporting. This lets customers manage
the actual element which is under attack regardless of the underlying equipment used to handle the
attack.

APSolute Vision User Interface


DefenseFlow uses APSolute Vision as the user interface for all activities. DefenseFlow and APSolute
Vision may be installed together on a dedicated server, or separately by installing DefenseFlow as a
virtual machine (VM) on VMware ESX. For more information on using the APSolute Vision user
interface, refer to the APSolute Vision User Guide.



CHAPTER 2 – INSTALLING AND INITIALIZING DEFENSEFLOW
This chapter describes how to install and initialize DefenseFlow Virtual Appliance (VA). It includes
the following topics:
• Installing and Initializing DefenseFlow Virtual Appliance (VA), page 25
• Upgrading DefenseFlow, page 42
• DefenseFlow Cyber Control Menu Options, page 46

Installing and Initializing DefenseFlow Virtual Appliance (VA)
This section describes how to install and initialize a DefenseFlow virtual appliance (VA). It includes
the following topics:
• Minimum Hardware Requirements, page 25
• Software Requirements, page 25
• Deployment and Initial Configuration, page 25
• Connecting to the DefenseFlow Controller Shell, page 40

Minimum Hardware Requirements


The following minimum hardware configuration is required for the DefenseFlow VA:
• 32 GB RAM
• 100 GB HDD
• 8 cores

Software Requirements
The following software is required to use DefenseFlow:
• VMware ESXi 5.x, or KVM 4.4 or above
• Radware DefenseFlow Cyber Control OVA package
• APSolute Vision version 4.40.00 or later

Deployment and Initial Configuration


This procedure describes how to deploy the DefenseFlow Virtual Appliance (VA) for the following
deployment types:
• Deployment and Initial Configuration of a Single Node DefenseFlow, page 26
• Deployment and Initial Configuration of DefenseFlow High Availability, page 37


Deployment and Initial Configuration of a Single Node DefenseFlow


This section describes deployment of a single node DefenseFlow Virtual Appliance (VA) for the
following virtual environments:
• VMware Deployment, page 26
• KVM Deployment, page 29
• Initial Configuration, page 31

VMware Deployment
This procedure describes how to deploy a single node DefenseFlow using VMware.

To deploy the DefenseFlow Virtual Appliance (VA) using VMware


1. Open VMware vSphere Client.
2. In the Login dialog box, set the parameters and click Login.
— The IP address is the ESXi/vCenter server IP address.
— The User name is a user that is permitted to deploy OVF templates.

3. In the vSphere Client user interface, select File > Deploy OVF Template.
4. In the Deploy OVF Template window, click Browse and select the DFCC OVA package.


5. Click Next.
6. In the OVF Template Details window, click Next.
7. In the End User License Agreement window, scroll down and read all of the terms and
conditions. Click Accept and Next.
8. In the Name and Location window, click Next.
9. In the Disk Format window, click Next.
10. In the Network Mapping window, select the appropriate destination networks for the source
network Management and Control, and then click Next.


11. In the Ready to Complete window, select Power on after deployment and click Finish to
complete the deployment process.

Note: You usually use different destination networks for each interface. For more details on
managing interfaces, see IP Management, page 201.


12. After the deployment process completes successfully, in the Deployment Completed Successfully
dialog box, click Close.

KVM Deployment
This procedure describes how to deploy a single node DefenseFlow using KVM.
This procedure assumes that you know how to deploy an image in KVM.

To deploy the DefenseFlow Virtual Appliance (VA) using KVM


1. When deploying DefenseFlow using KVM, use the following guidelines:
— Strictly observe the minimum resource requirements as described in Minimum Hardware
Requirements, page 25.
— You must configure two (2) NICs for DefenseFlow.
— The supported kernel, emulator, and libvirt versions are as follows:
• Kernels 4.4.0 or 4.8.0
• QEMU emulator version 2.5.0 (Debian 1:2.5+dfsg-5ubuntu10.9)
• libvirt version 1.3.1
2. Using the guidelines described in step 1, deploy the DefenseFlow KVM image in the same
manner as any other KVM image.


Example KVM deployment


The following is an example of a valid KVM deployment XML file:

<domain type='kvm'>
<name>DFC-2.7.0</name>
<memory unit='KiB'>16777216</memory>
<currentMemory unit='KiB'>16777216</currentMemory>
<vcpu placement='static'>4</vcpu>
<os>
<type arch='x86_64' machine='pc-i440fx-xenial'>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<apic/>
<pae/>
</features>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<disk type='file' device='disk'>
<driver name='qemu' type='qcow2' cache='none'/>
<source file='/var/lib/libvirt/images/DFCC.qcow2'/>
<target dev='vda' bus='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x04'
function='0x0'/>
</disk>
<controller type='ide' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01'
function='0x1'/>
</controller>
<controller type='usb' index='0'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x01'
function='0x2'/>
</controller>
<controller type='pci' index='0' model='pci-root'/>
<interface type='bridge'>
<source bridge='virbr0'/>
<model type='virtio'/>
<driver name='vhost'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x05'
function='0x0'/>
</interface>
<interface type='bridge'>
<source bridge='virbr0'/>
<model type='virtio'/>
<driver name='vhost'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x06'
function='0x0'/>
</interface>

<serial type='pty'>
<target port='0'/>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
</console>
<input type='mouse' bus='ps2'/>
<input type='keyboard' bus='ps2'/>
<graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'>
<listen type='address' address='127.0.0.1'/>
</graphics>
<video>
<model type='cirrus' vram='16384' heads='1'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x02'
function='0x0'/>
</video>
<memballoon model='virtio'>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03'
function='0x0'/>
</memballoon>
</devices>
</domain>
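
As an added example (not Radware's code and not part of this guide), the following Python script checks a libvirt domain definition such as the one above against the deployment guidelines before the domain is defined: it counts the NICs (exactly two are required), compares memory and vCPUs against minimum thresholds, and flags a VNC console that listens on anything other than loopback, since the sample deliberately binds VNC to 127.0.0.1. The 32 GB and 8 core thresholds are taken from the upgrade prerequisites later in this chapter and are assumptions here; substitute the values from Minimum Hardware Requirements for your version. The embedded XML is a trimmed copy of the sample above so the script runs offline; the sample's 16 GiB and 4 vCPUs fall short of those thresholds, which the output shows.

```python
"""Pre-deployment sanity check for a DefenseFlow KVM domain XML.

Added example, not Radware's code: parses a libvirt domain definition and
reports violations of the deployment guidelines (two NICs, minimum memory
and vCPUs) plus a VNC console exposed beyond loopback.
"""
import xml.etree.ElementTree as ET

# Trimmed copy of the guide's sample domain definition (16 GiB, 4 vCPUs),
# embedded so the script runs offline.
SAMPLE_DOMAIN_XML = """\
<domain type='kvm'>
  <name>DFC-2.7.0</name>
  <memory unit='KiB'>16777216</memory>
  <vcpu placement='static'>4</vcpu>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none'/>
      <source file='/var/lib/libvirt/images/DFCC.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='bridge'>
      <source bridge='virbr0'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <source bridge='virbr0'/>
      <model type='virtio'/>
    </interface>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
  </devices>
</domain>
"""

# libvirt memory units and their size in bytes
_UNIT_BYTES = {
    "b": 1, "bytes": 1,
    "KB": 10**3, "k": 2**10, "KiB": 2**10,
    "MB": 10**6, "M": 2**20, "MiB": 2**20,
    "GB": 10**9, "G": 2**30, "GiB": 2**30,
    "TB": 10**12, "T": 2**40, "TiB": 2**40,
}


def memory_gib(domain):
    """Return the domain's <memory> value in GiB, whatever unit libvirt used."""
    mem = domain.find("memory")
    if mem is None or not (mem.text or "").strip():
        return 0.0
    unit = mem.get("unit", "KiB")  # libvirt's default unit is KiB
    return int(mem.text) * _UNIT_BYTES[unit] / 2**30


def check_domain(xml_text, min_mem_gib=32, min_vcpu=8, required_nics=2):
    """Return a list of human-readable findings; an empty list means the
    definition satisfies every guideline checked here. The defaults are the
    assumed thresholds (32 GB / 8 cores from the 4.2 upgrade prerequisites)."""
    domain = ET.fromstring(xml_text)
    findings = []

    if domain.get("type") != "kvm":
        findings.append(f"domain type is {domain.get('type')!r}, expected 'kvm'")

    mem = memory_gib(domain)
    if mem < min_mem_gib:
        findings.append(f"memory is {mem:g} GiB, minimum is {min_mem_gib} GiB")

    vcpu_el = domain.find("vcpu")
    vcpus = int(vcpu_el.text) if vcpu_el is not None else 0
    if vcpus < min_vcpu:
        findings.append(f"{vcpus} vCPUs configured, minimum is {min_vcpu}")

    nics = domain.findall("devices/interface")
    if len(nics) != required_nics:
        findings.append(f"{len(nics)} NICs configured, exactly {required_nics} required")

    # The guide's sample keeps the VNC console on loopback; any other listen
    # address exposes the guest console on the hypervisor's network.
    for gfx in domain.findall("devices/graphics"):
        if gfx.get("type") != "vnc":
            continue
        addrs = {gfx.get("listen")} | {ln.get("address") for ln in gfx.findall("listen")}
        addrs.discard(None)
        exposed = sorted(a for a in addrs if a not in ("127.0.0.1", "::1"))
        if exposed:
            findings.append(f"VNC console listens on {', '.join(exposed)}, expected loopback only")
    return findings


if __name__ == "__main__":
    import sys
    # Optional argument: a file containing the output of `virsh dumpxml <domain>`.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOMAIN_XML
    for finding in check_domain(xml_text) or ["all checks passed"]:
        print(finding)
```

Run without arguments to check the embedded sample, or pass a file written from virsh dumpxml to check a definition already on the host before powering it on.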

Initial Configuration
This procedure describes the initial configuration for a single node DefenseFlow VA.

To perform initial configuration


1. Do one of the following:
— For VMware, in the vSphere Client window, locate the DefenseFlow Cyber Control VA
entry, right-click on it and select Open Console.
— For KVM, connect to the DefenseFlow Cyber Control console per the method of your KVM
manager.
2. From the console, log in to the DFCC system with the radware username. The Cyber Control
main menu displays.
3. If you need to set the management port to use a static IP address, select Network
Management and press Enter.

4. In the Network Configuration menu, press Enter.


5. In the Management Network Configuration dialog box, select the management NIC to use and
press Enter.

6. In the Management Network dialog box, select the management type to use and press Enter.

7. In the Management network configuration dialog box, set the required parameters and press
Enter:
— IPv4 Address — IPv4 address of the management port.
— Netmask — Network mask in quad decimal format.
— Gateway — IPv4 address of the relevant gateway.

8. After successful configuration, a confirmation message displays. Press OK and Back to return to
the main menu.
9. From the Cyber Control Host main menu, select System Management and press Enter.

10. Select Time Zone Configuration and press Enter.

Note: The following devices should have the same time and time zone defined: Radware
Collector, APSolute Vision, DefenseFlow, and the routers.

11. Select the time zone action to perform:

— Show Time Zone Configuration — Displays the time zone defined on the system. If it is
correct, press Enter.
— Edit Time Zone Configuration — Displays the Choose TimeZone dialog. Select the time
zone you want to change to, and press Enter.

12. When the configuration completes successfully, press Enter when a message similar to the
following displays:

13. From the System Management menu, select NTP Configuration and press Enter.

14. From the NTP configuration menu, select 2, Edit NTP configuration.

15. In the Update NTP dialog, enter up to five NTP server IP addresses, as required, and press
Enter.

16. After successful configuration, a confirmation message displays. Press OK and Back to return to
the main menu.
17. From the Cyber Control main menu, select Application Management and press Enter.

18. Select Register APSolute Vision and press Enter.

19. In the Remote APSolute Vision System Information dialog, enter the remote APSolute Vision
system management IP address and the root password, and press Enter.

20. A progress bar indicates the remote registration percentage with the message Running
remote registration process. At the end of the registration, after a message similar to
the following displays, press Enter.

Deployment and Initial Configuration of DefenseFlow High Availability


This section describes how to deploy DefenseFlow High Availability, including:
• Overview, page 38
• Installing and Initializing DefenseFlow High Availability, page 39

Overview
DefenseFlow High Availability increases system stability, and enables service accessibility through
elimination of a single point of failure. When a component fails, DefenseFlow recovers automatically.
The following diagram illustrates the High Availability architecture:

Figure 7: High Availability Architecture

In the DefenseFlow High Availability architecture, there are two identical DefenseFlow nodes: Active
and Standby. Both nodes communicate with each other and maintain full synchronization for both
component state and configuration. The DefenseFlow Active node is continuously accessible using
APSolute Vision for monitoring, configuration, and operation, and continuously syncs the Standby
node.
DefensePro devices serving as detectors (DPaaDs) should be configured to send their syslogs to
both DefenseFlow nodes.
Third-party detectors can transfer new attributes to DefenseFlow upon attack detection using REST
API.
DefenseFlow creates a peer from each Active/Standby node to each router, resulting in two peer
connections for each network element. Each DefenseFlow node sends announcements to the
network element, and as a result the announcements are displayed twice.
Whenever a DefenseFlow node fails, the remaining node continues to communicate with all
registered routers and third-party detectors with zero downtime.
High Availability configuration and setup is accessible via both APSolute Vision and the DefenseFlow
CLI.

Installing and Initializing DefenseFlow High Availability

Notes
When installing and initializing DefenseFlow High Availability, note the following:
• Both DefenseFlow nodes must have the same software version.
• The control network must be configured on the Standby node.
• Both DefenseFlow nodes must be defined with the same time zone.

To install and initialize DefenseFlow High Availability


1. Install two (2) DefenseFlow nodes, one for the Active and one for the Standby. For instructions
on how to install DefenseFlow nodes, see Installing and Initializing DefenseFlow Virtual
Appliance (VA), page 25. On each node, do the following:
a. Using the host menu,
• Configure the management interface
• Configure the timezone
• Configure the NTP
b. Using the DefenseFlow CLI,
• Configure the high availability NIC using the following command (for this example, the
interface is G1):
dfc-interfaces:edit -interface G1
• Associate the high availability interface with the NIC you configured using the following
command (for this example, the interface is G1):
dfc-interfaces:associate-edit -interface G1 -network HIGH_AVAILABILITY
• Configure the control NIC using the following command (for this example, the interface
is G2):
dfc-interfaces:edit -interface G2
• Associate the BGP interface with the NIC you configured using the following command (for
this example, the interface is G2):
dfc-interfaces:associate-edit -interface G2 -network BGP
Note: If the nodes are not in the same subnet, use the following command to configure the
routes: dfc-interfaces:static-add -type DEFENSEPRO (see dfc-interfaces,
page 323).
2. Use the ping command to check that there is communication between the high availability
interfaces of the nodes.
3. Ensure that the relevant ports are open between the high availability peers. For a list of these
ports, refer to Communications Ports, page 386.
4. On the Active node only, do the following:
a. Register the Active node in APSolute Vision.
b. Add the Standby node either using APSolute Vision or the CLI, as follows:
• Using APSolute Vision:
a. In the Configuration perspective, select System > High Availability.
b. Configure the parameters, and then click Submit to save your changes.

Table 2: High Availability Parameters

— Active DefenseFlow Node IP — The Active DefenseFlow device IP address.
— Enable High Availability — Enables or disables High Availability. Select to enable and deselect to
disable High Availability.
Default: Disabled
— Standby DefenseFlow Node IP — The Standby DefenseFlow device IP address. This parameter displays
when you enable High Availability.
— Enable Automatic Failover — Enables automatic failover. This parameter displays when you enable
High Availability.
Default: Enabled (when High Availability is enabled)
With automatic failover, the Active node continuously sends a heartbeat to the Standby node. When
the Standby node determines that the Active node has failed, the Standby node assumes the role of
the Active node and continues to provide network service.

c. Wait until you receive confirmation that enabling or disabling the process has
completed.

Note: Adding a standby node can take several minutes. To view its progress, you
can execute the CLI command dfc-info:progress-list [-refresh 5], where
-refresh is the optional auto-refresh mode.
d. Verify that the nodes display in the Monitoring perspective, System > High
Availability.
• Using the CLI:
a. Add the Standby node using the security management interface IP address with the
following command: dfc-ha:add -standby-ip <IP>
b. Verify that the nodes display with the following command: dfc-info:progress-list

Connecting to the DefenseFlow Controller Shell


This procedure describes how to connect to the DefenseFlow Controller Shell.

To connect to the DefenseFlow Controller Shell


1. Log in to the system with the username radware.
You can connect to the system either by opening a VA console (see To perform initial
configuration, page 31) or over an SSH connection. To connect to the system by using SSH on a
Linux system, open a terminal and enter the following command:
ssh radware@<dfcc_mgmt_ip>
2. From the Cyber Control main menu, select Applications Management and press Enter.

3. From the Application Management menu, select DFC Shell and press Enter.

4. From the DFC shell, enter CLI commands as required at the prompt. For a list of the CLI
commands, see CLI Commands, page 296.

5. Press CTRL+D to return to the main menu.

Upgrading DefenseFlow
This section describes how to upgrade DefenseFlow using the DefenseFlow host, and includes the
following sub-sections:
• Upgrade Prerequisites and Notes, page 42
• Upgrading a Single Node Configuration, page 42
• Upgrading a High Availability Configuration, page 45

Note: You can also update DefenseFlow from within APSolute Vision. For more information, see
Software Upgrade, page 200.

Upgrade Prerequisites and Notes


Before you begin the upgrade, note the following:
• You can only upgrade to version 4.2 if you have a DefenseFlow Subscription license and manage
a DefensePro version 8.x device. For more information on the Subscription license, contact
Radware Technical Support.
• You can only directly upgrade to this version from version 3.3 or later with a Subscription
license. If you have a version earlier than 3.0, you should first install 3.0 then perform the
upgrade.
• Before you upgrade to this version:
— Ensure that your configuration is set to at least 32 GB RAM and 8 cores.
— Ensure that you have at least 10 GB of free disk space on partition /dev/sda2.
• Existing attacks, protections, and pending actions are all preserved during the upgrade
procedure.
• Radware recommends exporting the configuration as a backup before you start the upgrade
procedure in case of an upgrade failure that may result in the configuration being lost or
damaged.
• There is no need to cancel ongoing protections before starting the upgrade.
• If attacks are reported during the upgrade, they will be ignored.
• Until the upgrade is finished, DefenseFlow will not handle new attacks.
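
The resource prerequisites above can be verified on the host before the upgrade script is run. The following preflight is an added example, not Radware's upgrade script or any part of this guide: the evaluation is a pure function over measured values, so it can be exercised with constructed inputs, while gather_host_facts() reads the live host. It assumes a Linux /proc/meminfo, and the mount point of /dev/sda2 is a parameter you must supply for your host (the guide does not state it). The 1 GB tolerance on RAM is a practical allowance: MemTotal always reads somewhat below the memory configured for the VM because the kernel reserves part of it, so a strict comparison against 32 GB would fail on a correctly sized host.

```python
"""Upgrade preflight for a DefenseFlow host (added example, not Radware code).

Checks the resource prerequisites the guide lists for the 4.2 upgrade:
at least 32 GB RAM, 8 cores, and 10 GB free on the upgrade partition.
"""
import os
import shutil

GIB = 2 ** 30
MIN_RAM_GB = 32       # from the upgrade prerequisites
MIN_CORES = 8         # from the upgrade prerequisites
MIN_FREE_GB = 10      # free space required on /dev/sda2
# MemTotal in /proc/meminfo is always somewhat below the memory configured
# for the VM because the kernel reserves some of it; allow for that.
RAM_TOLERANCE_GB = 1.0

# Constructed /proc/meminfo excerpt for a 32 GB VM (sample data, not a
# capture from a DefenseFlow host).
SAMPLE_MEMINFO = """\
MemTotal:       32780520 kB
MemFree:        20154372 kB
MemAvailable:   28931644 kB
Buffers:          512348 kB
"""


def parse_meminfo_total_kib(meminfo_text):
    """Return MemTotal from /proc/meminfo-formatted text, in kB."""
    for line in meminfo_text.splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1])
    raise ValueError("MemTotal not found in meminfo text")


def evaluate(total_ram_kib, cores, free_bytes,
             min_ram_gb=MIN_RAM_GB, min_cores=MIN_CORES,
             min_free_gb=MIN_FREE_GB, ram_tolerance_gb=RAM_TOLERANCE_GB):
    """Return the list of unmet prerequisites; an empty list means ready."""
    failures = []
    ram_gb = total_ram_kib * 1024 / GIB
    if ram_gb < min_ram_gb - ram_tolerance_gb:
        failures.append(f"RAM {ram_gb:.1f} GB is below the required {min_ram_gb} GB")
    if cores < min_cores:
        failures.append(f"{cores} cores is below the required {min_cores}")
    free_gb = free_bytes / GIB
    if free_gb < min_free_gb:
        failures.append(f"free space {free_gb:.1f} GB on the upgrade partition "
                        f"is below the required {min_free_gb} GB")
    return failures


def gather_host_facts(upgrade_mount_point):
    """Read the live host. upgrade_mount_point must be where /dev/sda2 is
    mounted on your host (an assumption to fill in; the guide does not say)."""
    with open("/proc/meminfo") as fh:
        total_kib = parse_meminfo_total_kib(fh.read())
    cores = os.cpu_count() or 0
    free_bytes = shutil.disk_usage(upgrade_mount_point).free
    return total_kib, cores, free_bytes


if __name__ == "__main__":
    import sys
    mount = sys.argv[1] if len(sys.argv) > 1 else "/"
    problems = evaluate(*gather_host_facts(mount))
    if problems:
        print("Not ready to upgrade:")
        for problem in problems:
            print(" -", problem)
        sys.exit(1)
    print("Prerequisites met; export the configuration as a backup, then run the upgrade.")
```

Run it as root on the host with the mount point of /dev/sda2 as the argument; a non-zero exit code means at least one prerequisite is unmet, which makes the check easy to gate an automated upgrade on.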

Upgrading a Single Node Configuration


This section describes how to upgrade a single node configuration.

Note: APSolute Vision only supports software upgrade. For a full fresh installation, you must use
the DefenseFlow host. For more information, see Installing and Initializing DefenseFlow Virtual
Appliance (VA), page 25.

To upgrade a DefenseFlow node using APSolute Vision


1. For ease of use, Radware recommends upgrading a single node using APSolute Vision from the
Configuration perspective, System > Software Upgrade pane, instead of using the CLI. For
more information, see Software Upgrade, page 200.

The Software Upgrade pane displays information for the currently installed DefenseFlow version
and lets you upgrade to the latest DefenseFlow version.

Note: If you have a High Availability deployment, the upgrade procedure upgrades the version
for both DefenseFlow nodes (see Upgrading a High Availability Configuration, page 45).
2. After the upgrade is completed, Radware recommends that you reboot the node so that the fixes
for the following CVEs take effect:
— CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md?fbclid=IwAR3P2bbY_RM9dysAvRM1FLe5zPe-AMlZJ688VXjQGOwLLdPPKqYgxWAwM4c
https://nvd.nist.gov/vuln/detail/CVE-2019-11479
— CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md?fbclid=IwAR3P2bbY_RM9dysAvRM1FLe5zPe-AMlZJ688VXjQGOwLLdPPKqYgxWAwM4c
— CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md?fbclid=IwAR3P2bbY_RM9dysAvRM1FLe5zPe-AMlZJ688VXjQGOwLLdPPKqYgxWAwM4c
https://nvd.nist.gov/vuln/detail/CVE-2019-11478
— CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md?fbclid=IwAR3P2bbY_RM9dysAvRM1FLe5zPe-AMlZJ688VXjQGOwLLdPPKqYgxWAwM4c
https://nvd.nist.gov/vuln/detail/CVE-2019-11477

To upgrade a single DefenseFlow node using the CLI


1. Acquire the upgrade file dfc_upgrade_host.sh from Radware. You can rename it if required.
2. Connect directly to the DefenseFlow host as the root user using SSH. For example:
ssh root@<DefenseFlow_IP>
3. Copy the upgrade file to a folder on the host. It can be any folder; however, Radware
recommends copying it to a newly created folder under /var/lib/docker/shared/ because
there is more available space on this partition.
4. Set executable permission for the file by running the following command:
chmod +x dfc_upgrade_host.sh
5. Perform the upgrade by running the file, with or without the upgrade option:
— ./dfc_upgrade_host.sh
or
— ./dfc_upgrade_host.sh upgrade
If the upgrade is successful, the following output displays:

6. After the upgrade completes, log in again to the DefenseFlow node.

Notes
• If the upgrade is successful, only one version of the previous containers is preserved. Older
images are removed to keep the registry clean and to release disk space.
• If there is any failure during the upgrade, an automatic rollback is performed, and a formatted,
user-friendly error message is displayed after the rollback output.
• You can run the upgrade multiple times. The actual upgrade is performed only by the first
execution. For all subsequent runs, the upgrade process determines whether an upgrade is
actually required.

To restore an upgraded DefenseFlow installation

Note: Before performing a restore to version 3.6, ensure that you disable REST authentication.
> To remove an upgrade and restore the version from which you upgraded, run the upgrade file
with the remove option: ./dfc_upgrade_host.sh remove

Notes
• The restored DefenseFlow installation will include the configuration from that restored version.
• Only new images that were installed on the system after upgrade are removed. If the same
image existed in the system prior to the upgrade, it will remain after running the removal.
• You can run the removal multiple times. For all subsequent removals, the removal process
determines what elements should be removed and removes them as required.

To view version details


> To view version details of DefenseFlow files and to run self-validation checks, run the file with
the -i parameter: ./dfc_upgrade_host.sh -i

Upgrading a High Availability Configuration


This section describes how to perform a High Availability configuration upgrade.

To upgrade a High Availability configuration using APSolute Vision


Although you can also upgrade your High Availability configuration using the CLI, for ease of use
Radware recommends that you upgrade it using APSolute Vision.
The APSolute Vision procedure upgrades the version for both DefenseFlow nodes without the need to
break the cluster as you do when upgrading using the CLI. It first upgrades the standby node, and
after success, upgrades the active node.

> In the Configuration perspective, select System > Software Upgrade and set the parameters
as required. For more information, see Software Upgrade, page 200.

To upgrade a High Availability configuration using the CLI


1. In APSolute Vision in the Configuration perspective, select System > High Availability, and
deselect Enable High Availability. This deletes the entire configuration from the standby
DefenseFlow node.
2. In the CLI, upgrade the standby and active nodes individually (see To upgrade a single
DefenseFlow node using the CLI, page 43).
3. In APSolute Vision in the Configuration perspective, select System > High Availability, and
select Enable High Availability.

DefenseFlow Cyber Control Menu Options


This section describes DefenseFlow Cyber Control menu options you can use to configure
DefenseFlow VA. This section includes:
• Changing the Default Host User and Root Passwords, page 46
• Access to the Host Shell, page 47
• Generating a Technical Support File, page 48
• Rebooting the DefenseFlow Cyber Control System, page 48
• Shutting Down the DefenseFlow Cyber Control System, page 49
• Displaying Information for the DefenseFlow Cyber Control System, page 50

Changing the Default Host User and Root Passwords


This procedure describes how to change the default host user and host root passwords.

To change the default host user or root password


1. Do one of the following:
— To change the host user password, log in to the system with the username radware.
— To change the host root password, log in to the system with the username root.
You can connect to the system either by opening a VA console (see To perform initial
configuration, page 31) or over an SSH connection. To connect to the system by using SSH on a
Linux system, open a terminal and enter the following command:
ssh -p 22 radware@<dfcc_mgmt_ip>
where <dfcc_mgmt_ip> is the IP address of the DFCC system
2. From the Cyber Control main menu, select System Management and press Enter.
3. Select Change the Password for Host User, and press Enter.
4. When the Change password process dialog box displays for either the host user or root user,
enter the required information and press Enter:

5. A message displays when you have successfully confirmed the new password.

6. Press Enter to return to the main menu.

Access to the Host Shell


This procedure describes how to access the host shell.

To access the host shell


1. Log in to the system with your username.

Note: The user you log in with must have OS read-write permissions.
You can connect to the system either by opening a VA console (see To perform initial
configuration, page 31) or over an SSH connection. To connect to the system by using SSH on a
Linux system, open a terminal and enter the following command:
ssh <user_name>@<dfcc_mgmt_ip>
where

— <user_name> is your username

Note: If you log in through SSH as root, you go directly to the DFCC shell. If you log in as
any other user with read-write permissions, you go to the Cyber Control main menu.
— <dfcc_mgmt_ip> is the IP address of the DFCC system
2. If you logged in through SSH as a user other than root, from the Cyber Control main menu,
select Drop to Host Shell and press Enter. This opens the DFCC shell.
3. Press Ctrl + D to return to the main menu.

Generating a Technical Support File


This section describes how to generate a Radware Technical Support file using the Cyber Control
menu.

Note: You can create the support file to be sent to Radware Technical Support using APSolute
Vision. This is the preferred method over using the Cyber Control menu. For more information, see
Support File, page 201.
If you have upgrade-related problems, create the support file from the Cyber Control menu, and not
from APSolute Vision. This is because the upgrade-related logs are part of the host, and are not
included by the support file created using APSolute Vision.

To generate a Radware Technical Support file


1. Log in to the DFCC system with username radware.
You can connect to the system either by opening a VA console (see To perform initial
configuration, page 31) or over an SSH connection on TCP port 22. To connect to the system by
using SSH on a Linux system, open a terminal and enter the following command:
ssh radware@<dfcc_mgmt_ip>
where <dfcc_mgmt_ip> is the IP address of the DFCC system.
2. Select Technical Support and press Enter.
3. The Remote system information window displays the following information:
— Host IP — IP address of the remote server to which to upload the support file.
— SSH Port — The support file is transferred over a secured connection (SSH protocol). This is
the port number the remote SSH server is listening on. Default: 22
— Username — The username to connect to the remote SFTP/Linux server.
— Password — The remote user password.
— Path for uploading — Full path to where the support file is uploaded.
4. Enter the required information, select Submit, and press Enter.
The process begins to gather appropriate statistics from the system and creates a support file.
5. The support file is uploaded to the remote server.
When the support file successfully uploads, a Success message displays.

Rebooting the DefenseFlow Cyber Control System


This procedure describes how to reboot the DefenseFlow Cyber Control system.

To reboot the DefenseFlow Cyber Control system


1. Log in to the DFCC system with username radware.
You can connect to the system either by opening a VA console (see To perform initial
configuration, page 31) or over an SSH connection. To connect to the system by using SSH on a
Linux system, open a terminal and enter the following command:
ssh radware@<dfcc_mgmt_ip>
where <dfcc_mgmt_ip> is the IP address of the DFCC system.
2. From the System Management menu, select Reboot System and press Enter.

3. At the prompt, press Enter to reboot the system.

Shutting Down the DefenseFlow Cyber Control System


This procedure describes how to shut down the DefenseFlow Cyber Control system.

To shut down the DefenseFlow Cyber Control system


1. Log in to the DFCC system with username radware.
You can connect to the system either by opening a VA console (see To perform initial
configuration, page 31) or over an SSH connection. To connect to the system by using SSH on a
Linux system, open a terminal and enter the following command:
ssh -p 22 radware@<dfcc_mgmt_ip>
where <dfcc_mgmt_ip> is the IP address of the DFCC system.
2. From the System Management menu, select Shut Down System and press Enter.

3. At the prompt, press Enter to shut down the system.

Displaying Information for the DefenseFlow Cyber Control System


This procedure describes how to display information for the DefenseFlow Cyber Control system.

To display information for the DefenseFlow Cyber Control system


1. Log in to the DFCC system with username radware.
You can connect to the system either by opening a VA console (see To perform initial
configuration, page 31) or over an SSH connection. To connect to the system by using SSH on a
Linux system, open a terminal and enter the following command:
ssh -p 22 radware@<dfcc_mgmt_ip>
where <dfcc_mgmt_ip> is the IP address of the DFCC system.
2. Select Information and press Enter. The Application details window displays. The following is
an example Information display:

— DefenseFlow — The DefenseFlow version, build number, and status (UP or DOWN).
— Host Manager — The Host Manager version, build number and status (UP or DOWN). The
Host Manager includes system-related processes that may affect multiple applications,
including DefenseFlow.

CHAPTER 3 – DEFENSEFLOW
CONFIGURATION
This chapter describes how to configure DefenseFlow using the APSolute Vision user interface. It
includes the following sections:
• Accessing DefenseFlow, page 52
• Viewing Basic Information, page 55
• Security Operations, page 55
• Security Settings, page 119
• Configuring DefenseFlow, page 198
• Monitoring, page 266
• Security Monitoring, page 275
• Alerts Table, page 292
• Enabling SNMP for DefenseFlow, page 292

Accessing DefenseFlow
Radware recommends that you access DefenseFlow from within APSolute Vision. For more
information about APSolute Vision, refer to the APSolute Vision User Guide.
This section includes the following topics:
• Opening DefenseFlow, page 52
• Global Management Task Buttons, page 53

Opening DefenseFlow
You open the DefenseFlow panes from the APSolute Vision sidebar menu. This includes:
• The DefenseFlow Security Operations dashboard (see To open the DefenseFlow Security
Operations dashboard, page 52)
• The DefenseFlow Security Settings perspective (see To open the DefenseFlow Security Settings
perspective, page 53)
• The DefenseFlow Configuration perspective (see To open the DefenseFlow Configuration
perspective, page 53)

To open the DefenseFlow Security Operations dashboard


> To open the DefenseFlow Security Operations dashboard, from the APSolute Vision sidebar
menu, select DefenseFlow > Security Operations.
For more information on the Security Operations Dashboard, see Protected Objects, page 56.

To open the DefenseFlow Security Settings perspective


> To open the DefenseFlow Security Settings perspective, from the APSolute Vision sidebar menu,
select DefenseFlow > Security Settings.
For more information on the Security Settings perspective, see Security Settings, page 119.

To open the DefenseFlow Configuration perspective


> To open the DefenseFlow Configuration perspective, from the APSolute Vision sidebar menu,
select DefenseFlow > Configuration.
Permissions to use configuration features are based on your user role as assigned by the
APSolute Vision system administrator (for more details, see Appendix E - RBAC — DefenseFlow/APSolute
Vision Mapping, page 387).
The following are the different roles and their permissions:
— Administrator (APSolute Vision Administrator role) — Full read/write permissions for all
features.
— Operator (APSolute Vision Security Admin role) — Full read/write permissions for all
features except the following System features, for which the operator has read permissions
only:
• Global Settings
• Licensing
• Software Upgrade
• IP Management
• High Availability
• TACACS+ Settings
For more information on these System features, see System, page 198.
— Viewer (APSolute Vision Vision Reporter role) — Read permissions only for all features,
except System > Support File (see Support File, page 201).

Global Management Task Buttons


The Global Management task buttons let you perform the following global management tasks:
• Perform operations on the DefenseFlow configuration file and support file. The Operations menu
lets you perform the following operations:
— Importing (Restoring) a Configuration File, page 53
— Exporting (Backing Up) a Configuration File, page 54

Importing (Restoring) a Configuration File


You can restore a DefenseFlow configuration from a backup configuration file on the APSolute Vision
server or client system to the DefenseFlow device. This is a configuration that you may have exported
from the current device (see Exporting (Backing Up) a Configuration File, page 54), or from another
device. When you upload the configuration file to the device, it overwrites the existing device
configuration.
After the restore operation is complete, you must reboot the device.

To restore a device’s configuration


1. In the device pane, select the device.

2. Click the arrow of the (Operations) icon.


3. Click Import Configuration File.
4. Configure the upload parameters, and click Submit.

Table 3: Device Configuration File Upload Parameters

— Upload From — The location of the backup device configuration file to send.
Values: Client, Server
— File Name — When uploading from the client system, enter or browse to the name of the
configuration file to upload. When uploading from the server, select the configuration to upload.

5. When the upload completes, reboot the device.

Exporting (Backing Up) a Configuration File


By default, you can save up to five (5) configuration files per device on the APSolute Vision server.
You can change this parameter in the APSolute Vision Setup page up to a maximum of 10. When the
limit is reached, you are prompted to delete the oldest file.

To export a configuration file


1. In the device pane, select the device.

2. Click the arrow next to the Operations icon.


3. Select Export Configuration File.
4. Configure the download parameters, and then click OK.

Table 4: Device Configuration File Download Parameters
• Destination — Where to export (back up) the device configuration file.
  Values: Client, Server
  — Client — Saves the configuration file as a text file on the client system.
  — Server — Opens the Save As field as a prompt for the file name to be saved on the server.
• Save As — If you are exporting the file to the server, the default name is a combination of
  the device name and the backup date and time. You can change the default name.

Viewing Basic Information


The DefenseFlow basic information pane displays the following default information based on the
installation:
• Status — Current status of DefenseFlow.
• Platform — Type of platform on which DefenseFlow is installed.
• Version — Specific version number of DefenseFlow.
• License — Current installed license on DefenseFlow
• Device Driver — Current device driver.

Security Operations
The DefenseFlow Security Operations dashboard displays information and statistics for the
DefenseFlow system and the operations on protected objects and activations, for both real time and
historical information.

Note: For optimal viewing of the Security Operations dashboard, Radware recommends setting
your screen resolution as follows:
• On a desktop: 1920x1024
• On a laptop: 1600x900
The dashboard includes the following tabs:
• Protected Objects, page 58
• Activations, page 96
• System, page 110

In addition to these tabs, the Security Operations pane includes the following alerts:

• Pending Actions — At the top-right of the pane, click the Pending Actions button to go
directly to the Confirm Pending Action dialog box. For more information on this dialog box, see
Confirming Pending Actions, page 61.

• System Alert — If there is an element that is down or has an error, the Alert icon
displays a red exclamation mark. When this occurs, click the icon to open the System tab. A
red exclamation mark displays next to the system or systems that have a problem.

Protected Objects
The Protected Objects pane displays monitoring and report metrics that enable you to view and
track real-time and historical information on selected DefenseFlow protected objects and networks.
The Protected Objects tab includes the following widgets:
• Operational Status, page 56
• AMS Traffic Statistics, page 57
• Protected Objects, page 58
• Activations, page 98

Operational Status
The Operational Status widget displays the current overall operational status for protected objects
and activations.
An activation or protected object is counted only once. If an activation has two operations (for
example, a pending action and an active operation), it is counted once, under the first of its
statuses in the following priority order: Pending, Failed, Active, Provision.

Table 5: Protected Objects Statistics
• Pending — Total number of protected objects that have pending actions.
• Active — Total number of protected objects that have successful active operations.
• Failed — Total number of protected objects that have failed.
• Provision — Total number of protected objects that are being provisioned for mitigation.

When you select the Protected Objects operational status display, the Protected Objects widget
displays at the bottom of the pane. The Protected Objects table includes the set of protected objects
and their related information. For more information on the Protected Objects widget, see Protected
Objects, page 58.
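The counting rule above, worked as an added example rather than DefenseFlow code: the priority tuple is the order the guide states, and the protected-object names and operation statuses are constructed for illustration.

```python
"""Operational Status widget counters: each protected object is counted once,
under the first of its operation statuses found in the guide's priority order.
Added example, not DefenseFlow code; sample data is constructed."""
from collections import Counter
from typing import Dict, Iterable, Mapping, Optional

# Priority order stated in the guide: an object with several operations is
# counted once, under the first of these statuses that it has.
STATUS_PRIORITY = ("Pending", "Failed", "Active", "Provision")


def effective_status(operation_statuses: Iterable[str]) -> Optional[str]:
    """Return the one status an object is counted under, or None when none of
    its operations is in a counted state (for example, only Enabled/Disabled)."""
    present = set(operation_statuses)
    for status in STATUS_PRIORITY:
        if status in present:
            return status
    return None


def operational_status(objects: Mapping[str, Iterable[str]]) -> Dict[str, int]:
    """Compute the four widget tiles.

    `objects` maps a protected-object name to the statuses of its operations and
    activations. Every tile is present in the result, so zeros render too.
    """
    counts: Counter = Counter({status: 0 for status in STATUS_PRIORITY})
    for statuses in objects.values():
        status = effective_status(statuses)
        if status is not None:
            counts[status] += 1
    return dict(counts)


def counted_objects(objects: Mapping[str, Iterable[str]]) -> int:
    """Number of objects contributing to any tile; must equal the sum of the tiles."""
    return sum(1 for statuses in objects.values() if effective_status(statuses))


# Constructed sample: po-web has both a pending action and an active operation
# and must be counted once, under Pending, not once per operation.
SAMPLE_OBJECTS = {
    "po-web": ["Active", "Pending"],
    "po-dns": ["Active"],
    "po-vpn": ["Provision", "Failed"],
    "po-mail": ["Enabled"],   # not under protection, contributes to no tile
}

if __name__ == "__main__":
    print(operational_status(SAMPLE_OBJECTS))
```

The invariant worth checking on a real dashboard is the last function: the four tiles must sum to the number of objects under protection, never more. If they sum to more, something is counting per operation instead of per object.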

AMS Traffic Statistics


The AMS Traffic Statistics widget displays the statistics for traffic handled by the Attack Mitigation
Service (AMS):

Table 6: AMS Traffic Statistics
• Inbound to Mitigation Device — Incoming traffic for mitigation, in bits per second or packets
  per second.
• Dropped by Mitigation — Incoming traffic dropped by mitigation, in bits per second or packets
  per second.
• Clean Traffic — Clean traffic re-injected after mitigation, in bits per second or packets per
  second.

Modifying the AMS Traffic Statistics Display


You can make the following modifications to the AMS Traffic Statistics display:
• To select which type of traffic to display, page 57
• To change the time range in the graph display, page 57
• To change the statistics display, page 58

To select which type of traffic to display


> At the top right, select either Bits/s (bits per second) or Packets/s (packets per second).
The display changes per your selection.

To change the time range in the graph display

1. At the top right-hand side of the widget, click the clock icon.
2. Do one of the following:
— Select one of the following preset ranges (Quick Range):
• 15m — The last 15 minutes
• 30m — The last 30 minutes
• 1H — The last hour
• 3H — The last three hours
• 6H — The last six hours
• 12H — The last 12 hours
• 24H — The last 24 hours
Default: 15m
— Specify a specific time range (Time Range):
a. Select a calendar date for the time range start date (From).
b. Select a calendar date for the time range end date (To).
3. Click Apply to apply the configuration.

To change the statistics display


By default, all statistics display in the graph. You can change which statistics display.
1. To remove a statistic from the graph, click the label of that statistic. The label is grayed out and
the statistic is removed from the graph.
2. To return a statistic to the graph, click the grayed-out label of that statistic. The statistic
displays in the graph again.

Protected Objects
The Protected Objects table includes the set of protected objects and their related information:

Table 7: Protected Objects Parameters
• Status — The status of the protected object. Depending on the status, you can perform actions
  on the protected object. For procedures for performing actions on protected objects, see
  Performing Actions on Protected Objects, page 61. Statuses include:
  — Pending — There are pending actions to be performed for protected objects in User
    Confirmation mode.
  — Active — The operation associated with the protected object succeeded.
  — Failed — The operation associated with the protected object failed.
  — Provision — The protected object is being provisioned for mitigation.
  — Enabled — The protected object has been enabled.
  — Disabled — The protected object has been disabled.
• Name — The name of the protected object.
• Protected Networks — The protected object networks. For multiple networks, left-click the
  search icon to the right of the word “Multiple” to see the list of networks.
• Activations — The number of activations related to the protected object.
• Inbound Traffic (Mbits/s) — The average incoming traffic bandwidth for mitigation, in Mbits
  per second.
• Inbound Packets (packets/s) — The average incoming traffic to mitigation, in packets per
  second.
• Dropped Traffic (Mbits/s) — The average incoming traffic that was dropped, in Mbits per
  second, and the percentage of the total incoming traffic that was dropped.
• Dropped Packets (packets/s) — The average incoming traffic to mitigation that was dropped, in
  packets per second, and the percentage of the total incoming traffic packets that was dropped.
• Start Time — The time the operations were activated for this protected object.
• Duration — The amount of time the protected object has been active.
• Workflow — The workflow associated with the protected object.
• Description — Description of the protected object.

Actions you can perform from the Protected Objects table include:
• Changing the Display of the Protected Objects Table, page 59
• Performing Actions on Protected Objects, page 61
• Viewing Protected Objects Details, page 66

Changing the Display of the Protected Objects Table


You can change the display of the table and view more details for each protected object.

To search for a protected object


Instead of scrolling through the full list of protected objects to find a particular protected object, you
can search for that protected object using the Search/Filter field.
1. Click in the Search/Filter field.
2. Set the search/filter parameters as follows:
— Enter a free-text string to search for, and/or
— From the drop-down list in the Search/Filter field, select parameters to search/filter by:
a. Select up to five (5) parameters (the selected parameters have an AND relationship
between them).
The parameters that you select display as data-entry fields in the Search/Filter field.
The parameters you can filter for include the following:

Note: Only those selected parameters that are currently visible in the Protected
Objects table are considered in the search. A filter on a hidden column does not narrow
the results, so check the column display before relying on a filter.
• Protected Object Name
• Protected Object Description
• Protected Object Status
• Protected Object Workflow
• Protected Object Network
• Activations
• Start Time (By Day)
• Attack Destination
• Detection ID
• Source Network
• Detector Name
• Detector Type
• Source Port
• Destination Port
• Protocol
• Information
• Operation Type
• Mitigation Device/Group
• Network Element/Group
• Mitigation Status
• Operation Networks
b. In the parameter data-entry field, enter the string for which you want to search.

Note: If the data-entry fields extend past the boundaries of the Search/Filter field, hover the
mouse over one of the data-entry fields, hold down the Shift key, and use the mouse scroll wheel
to scroll horizontally in either direction between the fields.
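The filter semantics described above, as an added example rather than DefenseFlow code: up to five parameters combined with AND, a free-text string, and the caveat that a parameter on a hidden column is not considered. The row contents, the column names, case-insensitive substring matching, and the assumption that the free-text search also sees only visible cells are this example's own.

```python
"""Search/Filter semantics of the Protected Objects table.
Added example, not DefenseFlow code; rows and column names are constructed."""
from typing import Dict, Iterable, List, Mapping, Optional

MAX_FILTER_PARAMETERS = 5   # limit stated in the guide


def filter_rows(rows: Iterable[Mapping[str, str]], visible_columns: Iterable[str],
                free_text: str = "",
                parameters: Optional[Mapping[str, str]] = None) -> List[Dict[str, str]]:
    """Rows matching the free-text string and every parameter filter that applies.

    Matching is case-insensitive substring matching (an assumption of this example).
    """
    params = dict(parameters or {})
    if len(params) > MAX_FILTER_PARAMETERS:
        raise ValueError(f"at most {MAX_FILTER_PARAMETERS} parameters may be selected")
    visible = set(visible_columns)
    # Caveat from the guide: a parameter whose column is hidden is not considered,
    # so the result is wider than the selected filters suggest.
    effective = {col: val.lower() for col, val in params.items() if col in visible}
    needle = free_text.lower()
    matched: List[Dict[str, str]] = []
    for row in rows:
        # Free text is assumed to search only the cells that are visible.
        cells = {col: str(row.get(col, "")) for col in visible}
        if needle and not any(needle in v.lower() for v in cells.values()):
            continue
        if all(val in cells[col].lower() for col, val in effective.items()):
            matched.append(dict(row))
    return matched


def ignored_filters(visible_columns: Iterable[str], parameters: Mapping[str, str]) -> List[str]:
    """Selected parameters that will not narrow the search because their column is hidden."""
    visible = set(visible_columns)
    return [col for col in parameters if col not in visible]


# Constructed sample rows, as the table would show them.
SAMPLE_ROWS = [
    {"Protected Object Name": "po-web", "Protected Object Status": "Active",
     "Protected Object Workflow": "wf-divert", "Mitigation Status": "Active"},
    {"Protected Object Name": "po-dns", "Protected Object Status": "Active",
     "Protected Object Workflow": "wf-flowspec", "Mitigation Status": "Failed"},
    {"Protected Object Name": "po-vpn", "Protected Object Status": "Pending",
     "Protected Object Workflow": "wf-divert", "Mitigation Status": "Pending"},
]
ALL_COLUMNS = ["Protected Object Name", "Protected Object Status",
               "Protected Object Workflow", "Mitigation Status"]

if __name__ == "__main__":
    wanted = {"Protected Object Status": "Active", "Mitigation Status": "Failed"}
    without_mitigation = [c for c in ALL_COLUMNS if c != "Mitigation Status"]
    print("all columns visible:", [r["Protected Object Name"] for r in
                                   filter_rows(SAMPLE_ROWS, ALL_COLUMNS, parameters=wanted)])
    print("Mitigation Status hidden:", [r["Protected Object Name"] for r in
                                        filter_rows(SAMPLE_ROWS, without_mitigation, parameters=wanted)])
    print("silently ignored:", ignored_filters(without_mitigation, wanted))
```

The second call in the usage block returns two rows instead of one: with the Mitigation Status column hidden, the Failed filter is ignored. An operator triaging failed mitigations from a trimmed-down table can miss this, so `ignored_filters` is the check to run before trusting a filtered view.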

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in descending order. Select the up arrow to sort in
ascending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

Performing Actions on Protected Objects


You can perform the following actions on protected objects:
• For protected objects that are pending confirmation, confirm the pending action
• For all protected objects, activate or deactivate the protected object

To select actions to perform on protected objects


1. In the Status column, click the button labeled with the protected object’s status.
— For protected objects with the Pending status, a drop-down menu displays with the
following options: Confirm Pending, Activate, Deactivate
— For protected objects with the Active, Provision, or Failed status, a drop-down menu
displays with the following options: Activate, Deactivate
— For protected objects with the Enabled status, a drop-down menu displays with the
following option: Activate
— For protected objects with the Disabled status, there are no actions to perform.
2. In the drop-down menu, select the action you want to perform.
— If you selected Confirm Pending, see To confirm actions, page 61.
— If you selected Activate, see To activate an action for a protected object, page 65.
— If you selected Deactivate, see To deactivate a pending action for a protected object,
page 66.

Confirming Pending Actions


This section describes how to confirm pending actions on protected objects. Pending actions require
user intervention.

To confirm actions
1. If you selected Confirm Pending, the Pending Action dialog box displays with a table of the
pending actions related to the protected object:

Table 8: View Pending Actions Parameters
• Protected Object — The protected object name.
• Activation ID — The unique activation ID for the detection events and operations. This ID
  remains with the activation record for the record’s entire lifetime.
• Detection ID — The unique attack ID for the attack. This ID remains with the attack record for
  the record’s entire lifetime. This attack ID is internal to DefenseFlow and not related to any
  external IDs associated with the attack.
• Attack Destination — The IP address of the attack destination.
• Pending Action — Actions you can perform on the protected object:
  — Confirm Start — Confirm starting an individual protection.
  — Advanced Confirm — Opens the Advanced Confirm dialog box. This lets you refine the
    parameters for confirming the pending action. For more information, see Advanced Confirm
    Parameters, page 63.
  — Ignore — Ignore a pending action on the protected object and remove it from the pending
    actions table.
• Pending Action Type — The type of pending action. Values: START, STOP
• Start Time — Reported attack start time.
• Workflow — The workflow associated with the protected object.
• Criteria — The criteria associated with the pending action.
• Operation Name — The operation associated with the enter criteria of the workflow associated
  with the protected object.
  Note: The operation name cannot contain the & (ampersand), < or > (angle bracket), or "
  (double quote) characters.
• Attack Traffic (Mbits/s) — The total amount of incoming traffic bandwidth received from the
  detector, in Mbits per second.
• Protocol — The protocol of the incoming traffic.
• Source Port — The source port to block, as defined in the FlowSpec rule.
• TCP Flags — The TCP flags to block, as defined in the FlowSpec rule.
• Fragment — The fragment type to block, as defined in the FlowSpec rule.
• External Attack URI — Link to the third-party detector management system that handles the
  external attack associated with the pending action.
• External Protected Object URI — Link to the third-party detector management system that
  handles the external protected object associated with the pending action.

2. Do one of the following:
— Perform one of the following global actions on all pending actions (these icons display above
the table):
• Confirm All — Confirm all pending actions.
• Ignore All — Ignore all pending actions and remove them from the pending actions table.
— Perform one of the following actions on an individual pending action:
a. Search — Search for the protected object on which you want to perform the action.
b. In the Pending Action column, perform one of the actions as required (Confirm Start,
Advanced Confirm, Ignore).
c. If you are performing an Advanced Confirm, go to step 3.

Note: If the protected object is under protection, and you modify an attribute that conflicts
with the ongoing protection, the change is applied only at the next activation of the
protected object.
If you want a modification that affects an ongoing protection to take effect immediately,
make the modification from the Edit feature in the Full View pane. For more information,
see Table 14 - Full View Parameters — Current Detection Events and Operations on Protected
Objects, page 69.

3. If you selected Advanced Confirm, the Advanced Confirm dialog box displays with the
following parameters. Configure the parameters as described below and click Submit.

Table 9: Advanced Confirm Parameters
• Name — The pending action name.
• IP Address — The IP address of the attacked destination as detected by the selected detection
  device.
• Configured Operation — The configured operation for the protected object.
• Workflow — The workflow associated with the protected object.
• Action — The action to take on the pending action:
  — Ignore — Ignore the pending action and remove it from the pending actions table.
  — Confirm Start — Confirm starting the pending action. For the Confirm Start parameters,
    see Table 10 - Advanced Confirm — Confirm Start Parameters, page 63.
  — Confirm End — Confirm ending a protection.

Table 10: Advanced Confirm — Confirm Start Parameters
• Protected IP Address — Select one of the following options:
  — Activate Entire Networks — Activates the entire protected object.
  — Activate Specific IP Address — Activates only a specified IP address, which you can change
    to any IP address or subnet as required.
• Attack Destination IP Address — Displays if you selected Activate Specific IP Address. This is
  the specific IP address of the attack target to be protected. It must be within the network
  classification of the protected object.
• Operation — The operation to use for the diversion and mitigation group preferences. Select
  from the list of configured operations. The fields related to the operation type display.
• Configured Operation — The configured operation for the protected object.
• Workflow — The workflow associated with the protected object.
• Action — The action to take on the pending action:
  — Ignore — Ignore the pending action and remove it from the pending actions table.
  — Confirm Start — Confirm starting the pending action. The Confirm Start parameters display
    (see the remaining entries in this table).
  — Confirm End — Confirm ending a protection.
• Attack Traffic — Specify the attack traffic in bits per second. You can also specify units (for
  example, 100M). This is used to verify that the mitigation devices can handle the related
  attack traffic. It is also used to set the DefensePro policy bandwidth if no BDoS bandwidth is
  available yet.
• Use Busy Mitigation Device — If selected, DefenseFlow uses the selected DefensePro devices
  regardless of their monitored capacity.
BGP Community
• Operation BGP Community — The BGP community values to be sent to the diversion groups that
  should receive them per the operation. Multiple communities can be configured, separated by
  a space. The well-known communities NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED and
  NOPEER can also be specified.
• Use Protected Object Community — Whether to add the protected object’s defined community
  to the announcement to the blocking group. When you select this parameter, the Protected
  Object Community parameter displays.
Advanced
• Minimum IPv4 Advertised Subnet — The minimum IPv4 advertised subnet (prefix length).
  Default: 32
• Minimum IPv6 Advertised Subnet — The minimum IPv6 advertised subnet (prefix length).
  Default: 128
• Override IPv4 Next Hop — Override the IPv4 next hop IP address.
• Override IPv6 Next Hop — Override the IPv6 next hop IP address.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in descending order. Select the up arrow to sort in
ascending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

Activating a Pending Action for a Protected Object


This section describes how to activate a pending action for a protected object.

To activate an action for a protected object

1. If you selected Activate, the Activate Protected Object dialog box displays with the Activate
pending action parameters.

Table 11: Pending Actions Activate Protected Object Parameters
• Available Protected Networks — Protects a specific IP address or set of addresses within the
  protected object. Specify the specific IP address attack targets or select from the list. They
  must be within the network classification of the protected object.
  To protect all networks in the protected object, select Select All.
  Maximum number of protected IP addresses: 1024

2. Click Activate.
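Before confirming or activating, an operator can pre-check the request against the rules these dialogs state. The following added example (not DefenseFlow code) does that for Advanced Confirm (Table 10) and Activate (Table 11): the attack destination must lie inside the protected object's networks, at most 1024 addresses may be activated, Attack Traffic accepts a unit suffix such as 100M, and Operation BGP Community accepts ASN:value pairs and the four well-known names. The numeric values for the well-known communities are the RFC 1997 and RFC 3765 ones; how DefenseFlow encodes communities on the wire and how it applies Minimum Advertised Subnet (assumed here: announce the covering prefix of the attacked address, never longer than the configured length) are assumptions of this example, as are the sample object po-web and its documentation address ranges.

```python
"""Pre-validation of a Confirm Start / Activate request.
Added example, not DefenseFlow code. Well-known community numbers are the
RFC 1997 / RFC 3765 values; the Minimum Advertised Subnet semantics and the
sample protected object are assumptions."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Well-known community numbers from RFC 1997 and RFC 3765 (upper 16 bits 65535).
WELL_KNOWN_COMMUNITIES: Dict[str, Tuple[int, int]] = {
    "NO_EXPORT": (65535, 65281),
    "NO_ADVERTISE": (65535, 65282),
    "NO_EXPORT_SUBCONFED": (65535, 65283),
    "NOPEER": (65535, 65284),
}
MAX_PROTECTED_ADDRESSES = 1024   # limit stated for the Activate dialog
_UNITS = {"": 1, "K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}


def parse_attack_traffic(text: str) -> int:
    """Convert an Attack Traffic entry such as '100M' or '250000000' to bits/s."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([KMG]?)\s*", text.upper())
    if not m:
        raise ValueError(f"bad attack traffic value: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_communities(text: str) -> List[Tuple[int, int]]:
    """Parse a space-separated list of 'ASN:value' pairs and well-known names."""
    out: List[Tuple[int, int]] = []
    for token in text.split():
        if token.upper() in WELL_KNOWN_COMMUNITIES:
            out.append(WELL_KNOWN_COMMUNITIES[token.upper()])
            continue
        m = re.fullmatch(r"(\d{1,5}):(\d{1,5})", token)
        if not m or int(m.group(1)) > 65535 or int(m.group(2)) > 65535:
            raise ValueError(f"bad BGP community: {token!r}")
        out.append((int(m.group(1)), int(m.group(2))))
    return out


def advertised_prefix(target: str, min_prefix_v4: int = 32, min_prefix_v6: int = 128) -> IPNetwork:
    """Prefix announced for one target under the assumed Minimum Advertised Subnet
    semantics: the covering prefix, never longer than the configured length."""
    net = ipaddress.ip_network(target, strict=False)
    limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
    length = min(net.prefixlen, limit)
    return ipaddress.ip_network(f"{net.network_address}/{length}", strict=False)


@dataclass
class ProtectedObject:
    name: str
    networks: List[IPNetwork] = field(default_factory=list)

    def covers(self, target: str) -> bool:
        """True if the address or subnet lies inside one of the protected networks."""
        net = ipaddress.ip_network(target, strict=False)
        return any(net.version == n.version and net.subnet_of(n) for n in self.networks)


def validate_activation(po: ProtectedObject, targets: Sequence[str], attack_traffic: str = "0",
                        communities: str = "", min_prefix_v4: int = 32,
                        min_prefix_v6: int = 128) -> dict:
    """Apply the checks the dialogs describe and return what would be announced."""
    if not targets:
        raise ValueError("no attack destination given")
    if len(targets) > MAX_PROTECTED_ADDRESSES:
        raise ValueError(f"more than {MAX_PROTECTED_ADDRESSES} addresses selected")
    outside = [t for t in targets if not po.covers(t)]
    if outside:
        raise ValueError(f"outside the networks of {po.name}: {outside}")
    prefixes = {str(advertised_prefix(t, min_prefix_v4, min_prefix_v6)) for t in targets}
    return {
        "prefixes": sorted(prefixes),
        "attack_bps": parse_attack_traffic(attack_traffic),
        "communities": parse_communities(communities),
    }


def rejection_reason(po: ProtectedObject, targets: Sequence[str], **kwargs) -> Optional[str]:
    """The error text a UI would show, or None when the request is acceptable."""
    try:
        validate_activation(po, targets, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample protected object using documentation address ranges.
PO_WEB = ProtectedObject("po-web", [ipaddress.ip_network("203.0.113.0/24"),
                                    ipaddress.ip_network("2001:db8:10::/48")])

if __name__ == "__main__":
    print(validate_activation(PO_WEB, ["203.0.113.7"], "100M", "65000:666 NO_EXPORT"))
    print(validate_activation(PO_WEB, ["203.0.113.7"], min_prefix_v4=24)["prefixes"])
    print(rejection_reason(PO_WEB, ["198.51.100.1"]))
```

Under the assumed semantics, lowering Minimum IPv4 Advertised Subnet below 32 widens the diversion from a host route to the covering prefix, so traffic for neighbouring addresses in that prefix is diverted as well; the prefixes field shows exactly what would be announced before you click Submit or Activate.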

Deactivating a Pending Action for a Protected Object


This section describes how to deactivate a pending action for a protected object.

To deactivate a pending action for a protected object


1. If you selected Deactivate, the Deactivate Protection dialog box displays.
2. If you want to deactivate the pending action, click Deactivate.

Viewing Protected Objects Details


You can expand the protected object display to see more protected object details. This includes:
• Expanded details — See To see a protected object’s expanded details, page 66
• Full details — See To see the full details of a protected object, page 68

To see a protected object’s expanded details

1. Click the Details widget at the left end of the protected object row.
2. The following parameters display:

Table 12: Protected Objects — Expanded Details Parameters

Show By Detection Events
• Activation ID — The unique activation ID for the detection events and operations. This ID
  remains with the activation record for the record’s entire lifetime.
• Detection ID — The unique attack ID for the attack operation. This ID remains with the attack
  record for the record’s entire lifetime.
• Attack Destination — The IP address of the attacked destination as detected by the selected
  detection device. For multiple networks, left-click the search icon to the right of the word
  “Multiple” to see the list of networks.
• In Grace Period — The attack grace period status. Values: Yes, No
• Start Time — Start time of the attack.
• Duration — Duration of the attack.
• Detector Name/Type — The name and type of the detecting device.
• Attack Traffic (Mbits/s) — The last reported total amount of incoming traffic reported by the
  detection device, in Mbits per second.
• Attack Packet Rate (packets/s) — The last reported number of incoming packets per second
  reported by the detection device.
• Protocol — The protocol of the incoming traffic.
• Information — Details about the attack.
• Source Network — The source network IP addresses and ranges (CIDRs).
• Source Port — The source port.
• Destination Port — The destination port.

Show By Operations
• Mitigation Status — The status of the operation.
• Activation ID — The unique activation ID for the detection events and operations. This ID
  remains with the activation record for the record’s entire lifetime.
• Operation ID — The operation ID for the attack operation.
• Start/Stop — The action to perform on the operation based on its status:
  — Start — Start an operation that has stopped.
  — Stop — Stop an operation.
• Operation Name/Type — The operation name and type.
• Operation Networks — The IP addresses that are part of the protection operation. For multiple
  networks, left-click the search icon to the right of the word “Multiple” to see the list of
  networks.
• Start Time — Start time of the operation.
• Duration — Duration of the operation.
• Mitigation Device/Group — The mitigation device or group name.
• Network Element/Group — The network elements or network element group for the protection.
• Policy Name — The policy name for this protection activation.
• BGP FlowSpec — The BGP FlowSpec rule associated with the operation.
• Detection ID — The unique attack ID for the attack. This ID remains with the attack record for
  the record’s entire lifetime.
• Workflow — The workflow associated with the operation.
• Blocklist — The blocklist associated with the protection activation.
• Allowlist — The allowlist associated with the protection activation.
• Geo IP — The geolocation IP address associated with the operation.
• Enter Criteria — The workflow enter criteria associated with the operation.
• Exit Criteria — The workflow exit criteria associated with the operation.
• Enter User Action Mode — The enter activation mode. Values: Automatic, Manual, User
  Confirmation
• Exit User Action Mode — The exit activation mode. Values: Automatic, Manual, User
  Confirmation

Protected Objects — Full View


The Full View details include the full set of parameters for a protected object.

To see the full details of a protected object

1. Click the Full View widget at the left end of the protected object row.
The following parameters display:

Table 13: Protected Objects — Full View Parameters

Protected Object Full View
• Status — The status of the protected object.
• Protected Networks — The IP address of the attacked destination as detected by the selected
  detection device. For multiple networks, left-click the search icon to the right of the word
  “Multiple” to see the list of networks.
• Activations — The number of activations for the protected object.
• Incoming Traffic (Mbits/s) — The average incoming traffic for mitigation, in Mbits per second.
• Dropped Traffic (Mbits/s) — The average incoming traffic that was dropped, in Mbits per
  second, and the percentage of the total incoming traffic that was dropped.
• Incoming Packets (packets/s) — The average incoming traffic to mitigation, in packets per
  second.
• Dropped Packet Rate (packets/s) — The average incoming traffic to mitigation that was
  dropped, in packets per second, and the percentage of the total incoming traffic packets that
  was dropped.
• Start Time — Time when the protected object became active.
• Duration — The amount of time the protected object has been active.

AMS Traffic Statistics
The AMS Traffic Statistics graph displays the current or historical traffic statistics based on which
display you have selected (see Current, Historical, Log below).
• Inbound to Mitigation Device — Incoming traffic for mitigation, in bits per second or packets
  per second.
• Dropped by Mitigation — Incoming traffic dropped by mitigation, in bits per second or packets
  per second.
• Clean Traffic — Clean traffic re-injected after mitigation, in bits per second or packets per
  second.

Current, Historical, Log — The list of current and historical attacks and operations, and the attack
event log. Click the respective button for each of these lists.
• For the current attack and operation lists, see Full View Parameters — Current Detection Events
and Operations on Protected Objects, page 69
• For the historical attack and operation lists, see Full View Parameters — Historical Detection
Events and Operations for Protected Objects, page 80
• For the protected object event log, see Full View Parameters — Log, page 89

2. The following are navigational actions you can perform in the Full View pane:
— To exit the Full View pane, click the button at the top left edge of the pane.
— To expand the Protected Objects widget display, click the expand button. The Protected
Objects widget expands and the AMS Traffic Statistics widget is hidden.
— To compress the Protected Objects widget, click the compress button; the AMS Traffic
Statistics widget displays again.
— To change the time range for the AMS Traffic Statistics widget, click the clock icon. For
more information, see To change the time range in the graph display, page 57.
Full View Parameters — Current Detection Events and Operations on Protected Objects
The following are the parameters for the Full View Current Detection Events and Operations for
protected objects.

Table 14: Full View Parameters — Current Detection Events and Operations on Protected
Objects

Current Detection Events — List of current detection events
In the Search field above the table, enter a string to search for a current detection event.
• Action Type — The last action value received from the mitigation device for the protected
  object.
  Note: This parameter is only supported starting with version 4.2. If an event existed before
  upgrading to version 4.2, the event does not display a value.
  Values:
  — Forward — DefensePro continues to process the traffic and eventually forwards the packet
    to its destination.
  — Drop — DefensePro discards the packet.
  — Source Reset — DefensePro sends a TCP-Reset packet to the packet source IP address.
  — Dest Reset — DefensePro sends a TCP-Reset packet to the destination IP address and port.
  — Source Dest Reset — DefensePro sends a TCP-Reset packet to both the packet source IP
    address and the packet destination IP address.
  — Proxy
  — Challenge — DefensePro challenges the packet.
  — Quarantine — DefensePro adds the destination to the Web quarantine.
  — Drop and Quarantine — DefensePro discards the traffic and adds the destination to the Web
    quarantine.
  — HTTP 200 OK — DefensePro sends a 200 OK response using a predefined page and leaves
    the server-side connection open.
  — HTTP 200 OK Dest Reset — DefensePro sends a 200 OK response using a predefined page
    and sends a TCP-Reset packet to the server side to close the connection.
  — HTTP 403 Forbidden — DefensePro sends a 403 Forbidden response using a predefined
    page and leaves the server-side connection open.
  — HTTP 403 Forbidden Reset Dest — DefensePro sends a 403 Forbidden response using a
    predefined page and sends a TCP-Reset packet to the server side to close the connection.
  — External Event — External event from an external detector.
    Note: No detailed information is received when the mitigation device is an external
    detector. In this case, the Information field displays N/A.
• Attack Destination — The IP address of the attacked destination as detected by the selected
  detection device. For multiple networks, left-click the search icon to the right of the word
  “Multiple” to see the list of networks.
• Start Time — Start time of the attack.
• Duration — Duration of the attack.
• Detector Name/Type — The detector name and type.

Information
Click the icon to see the attack details of the detection event.

When the attack details of the detection event display, you can click the icon
to see the attack description.
Note: During the import of a security policy, DefensePro does not override the
attacks in the SYN profile.
Detection Event Traffic Display
Graphically displays the detection event legitimate and total traffic over time for
Behavioral DoS (BDoS) or DNS Flood attacks, as appropriate.
Select the type of traffic to display:
• IPv4 or IPv6 — IP traffic type (for BDoS or DNS Flood attacks, as appropriate).
• bps or pps — Bits per second/packets per second (for BDoS attacks).
• Inbound or Outbound — Inbound/outbound traffic (for BDoS attacks).
BDoS TCP example:

BDoS UDP with rate-variant example:

DNS Flood example:

Additional Attack Attributes
Additional attack attributes for BDoS, DNS Flood, SYN Flood, Anti-Scanning,
Intrusions, Traffic Filters, Out-of-State (Anomalies), DoS Shield, Geolocation,
EAAF-ERT, and HTTPS Flood Protection attacks.
• Risk — The predefined attack severity level.
Values: High, Medium, Low, Info
• Radware ID — The DefensePro Attack-Protection identifier issued by the
device.
• Direction (In/Out) — The direction of the attack, inbound or outbound.
Values: in, out
• Action Type — The last action value received from the mitigation device for the
protected object. See the Action parameter described in this table.
• Attack ID — Unique ID of the attack.
• Physical Port — The port on the device at which the attack packets arrived. In
cases when the DefensePro mitigation device cannot report a specific value,
the field displays 0 (zero) or Multiple.
• Total Packet Count — The number of identified attack packets from the
beginning of the attack.
• VLAN — The VLAN tag value or Context Group in the policy that handled the
attack. The value N/A or 0 (zero) in this field indicates that the VLAN tag or
Context Group is not available.
• MPLS RD — The Multi-protocol Label Switching Route Distinguisher in the
policy that handled the attack. The value N/A or 0 (zero) in this field indicates
that the MPLS RD is not available.
• Source Port — The Layer 4 source port of the attack.
• Packet Type — The detection event packet type.

Characteristics
BDoS attacks:
• State — The state of the protection process.
Values:
— Footprints Analysis — Behavioral DoS Protection has detected an attack
and is currently determining an attack footprint.
— Blocking — Behavioral DoS Protection is blocking the attack based on the
attack footprint created. Through a closed feedback loop operation, the
Behavioral DoS Protection optimizes the footprint rule, achieving the
narrowest effective mitigation rule.
— Non-attack — Nothing was blocked because the traffic was not an attack —
no footprint was detected or the blocking strictness level was not met.
— footprint analysis — BDoS protection has detected an attack and is
currently generating an attack footprint.
— footprint-applied — BDoS protection is blocking the attack based on the
generated footprint. Through a closed-feedback loop operation, BDoS
protection optimizes the footprint rule, achieving the narrowest effective
mitigation rule.
• Flow Label — (IPv6 only) The flow label that the attack uses or used.
• TCP Sequence Number — The TCP sequence number that the attack uses or
used.
• ToS — The ToS that the attack uses or used.
• TTL — The TTL that the attack uses or used.
The following parameters are only relevant when the State is burst-footprint-blocking:
• Burst Occurring Now — Values: Yes, No
• Current Burst Number — The number of bursts since start of the attack.
• Average Burst Duration — The average duration, in hh:mm:ss format, of the
bursts.
• Average Time Between Bursts — The average time, in hh:mm:ss format,
between separate bursts.
• Average Burst Rate — The average rate, in Kbps, of the bursts.
• Max. burst Rate — The rate, in Kbps, of the biggest burst in this attack.

DNS Flood attacks:
• TTL — The TTL that the attack uses or used.
• DNS Query — The DNS query (question name) that the attack uses or used.
• DNS An Query Count — The DNS answer count (the ANCOUNT header field) that the
attack uses or used.
• DNS ID — The DNS transaction ID that the attack uses or used.
• DNS Query Count — The DNS question count (the QDCOUNT header field) that the
attack uses or used.
• L4 Checksum — The Layer 4 (UDP or TCP) checksum that the attack uses or used.
• State — The state of the protection process.
Values:
— Normal
— Real-Time Signature Analysis
— Blocking
— Real-Time Signature Challenge
— Real-Time Signature Rate Limit
— Collective Challenge
— Collective Rate Limit
— Anomaly
— Strictness Anomaly
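The DNS Flood characteristics listed above (DNS ID, DNS Query, DNS An Query Count, DNS Query Count, L4 Checksum) are fields of the DNS header and of the UDP datagram that carries it. The following Python example, added here and not part of this guide or of Radware's software, parses those fields from a constructed DNS query and computes and verifies the UDP checksum over an IPv4 pseudo-header, so that a practitioner can see what a signature keyed on, say, a constant DNS ID or a fixed L4 checksum actually matches. The sample messages, the addresses and the flood_indicators heuristics are constructed for illustration; the same characteristics list appears again in Table 16.

```python
import struct

# Constructed sample messages (not captured from any real attack): a normal A query for
# example.com, and a crafted "query" carrying ANCOUNT=5, something a flood tool might emit.
#   header = ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six big-endian 16-bit words)
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE_CRAFTED = (b"\xbe\xef\x01\x00\x00\x01\x00\x05\x00\x00\x00\x00"
                  b"\x07example\x03com\x00\x00\x01\x00\x01")


def _read_name(msg: bytes, offset: int):
    """Decode the label sequence of the first question; compression is not expected there."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_dns(msg: bytes) -> dict:
    """Return the header fields shown as DNS Flood characteristics, plus the question."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    dns_id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    name, offset = _read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return {"dns_id": dns_id, "is_response": bool(flags & 0x8000),
            "query_count": qdcount, "answer_count": ancount,
            "query": name, "qtype": qtype, "qclass": qclass}


def flood_indicators(parsed: dict) -> list:
    """Header combinations a real resolver never sends but crafted floods often do (assumed heuristics)."""
    reasons = []
    if not parsed["is_response"] and parsed["answer_count"]:
        reasons.append("answer records in a query")
    if parsed["query_count"] != 1:
        reasons.append("QDCOUNT is not 1")
    return reasons


def _ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry, as used by IP/UDP/TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src: str, dst: str, sport: int, dport: int, payload: bytes) -> int:
    """RFC 768: pseudo-header + UDP header (checksum field zero) + payload; a zero result is sent as 0xFFFF."""
    length = 8 + len(payload)
    data = (_ip4(src) + _ip4(dst) + struct.pack("!BBH", 0, 17, length)
            + struct.pack("!4H", sport, dport, length, 0) + payload)
    csum = (~_ones_complement_sum(data)) & 0xFFFF
    return csum or 0xFFFF


def verify_udp_checksum(src, dst, sport, dport, payload, csum: int) -> bool:
    """True when the checksum carried in the datagram is consistent with its contents."""
    length = 8 + len(payload)
    data = (_ip4(src) + _ip4(dst) + struct.pack("!BBH", 0, 17, length)
            + struct.pack("!4H", sport, dport, length, csum) + payload)
    return _ones_complement_sum(data) == 0xFFFF
```

A footprint that pins the L4 checksum to one value only makes sense for traffic generated by a tool that does not recompute it per packet; verify_udp_checksum shows how such a packet fails validation while a well-formed one passes.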

SYN Flood attacks:
• Attack Rate (pps) — The average rate of spoofed SYNs and data connection
attempts per second, calculated every 10 seconds.
• Attack Duration (Hour:Min:Sec) — The duration, in hh:mm:ss format, of the
attack on the protected port.
• Activation Threshold — The configured attack trigger threshold, in half
connections per second.
• TCP Challenge — The Authentication Method that identified the attack:
Transparent Proxy or Safe-Reset.
• TCP Auth. List (%) — The current utilization, in percent, of the TCP
Authentication table.
• HTTP Challenge — The HTTP Authentication Method that identified the attack:
302-Redirect or JavaScript.
• HTTP Auth. List (%) — The current utilization, in percent, of the HTTP
Authentication table.
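Attack Rate and Activation Threshold above are expressed in half-open (half) connections per second, averaged over 10-second windows. The following Python example, added here and not taken from this guide or from DefensePro, reproduces that calculation over a constructed connection trace: a SYN that the client never completes with an ACK within a timeout counts as half-open, the half-open count per 10-second window is divided by the window length, and the result is compared with an assumed activation threshold. The threshold (50 half-open connections/s), the 3-second handshake timeout and the trace itself are assumptions, not values from the guide; the same SYN Flood characteristics appear again in Table 16.

```python
from collections import defaultdict

# Assumed values (not from the guide): the configured Activation Threshold in half-open
# connections per second, and how long a SYN may wait for the client's ACK before it is
# counted as half-open. The 10-second calculation window is the one the guide describes.
ACTIVATION_THRESHOLD = 50
WINDOW_SECONDS = 10
HANDSHAKE_TIMEOUT = 3.0


def half_open_rates(events, threshold=ACTIVATION_THRESHOLD,
                    window=WINDOW_SECONDS, timeout=HANDSHAKE_TIMEOUT):
    """events: (time_s, client, server, flag) with flag "S" for the client's SYN and
    "A" for the ACK that completes the handshake. Returns one record per window."""
    syn_time = {}          # (client, server) -> time of the first SYN seen
    completed = set()
    for t, client, server, flag in sorted(events):
        key = (client, server)
        if flag == "S":
            syn_time.setdefault(key, t)
        elif flag == "A" and key in syn_time and t - syn_time[key] <= timeout:
            completed.add(key)
    attempts = defaultdict(int)
    half_open = defaultdict(int)
    for key, t in syn_time.items():
        w = int(t // window) * window
        attempts[w] += 1
        if key not in completed:
            half_open[w] += 1
    return [{"window_start": w, "attempts": attempts[w], "half_open": half_open[w],
             "rate_per_s": half_open[w] / window,
             "attack": half_open[w] / window >= threshold}
            for w in sorted(attempts)]


def constructed_events():
    """Constructed trace: 20 clients that complete their handshakes in the first 10 s,
    then 800 SYNs from 800 different spoofed sources in the next 10 s, none acknowledged."""
    server = "192.0.2.10:443"
    ev = []
    for i in range(20):
        client = f"198.51.100.{i + 1}:{50000 + i}"
        ev.append((0.5 * i, client, server, "S"))
        ev.append((0.5 * i + 0.05, client, server, "A"))
    for i in range(800):
        ev.append((10 + i * 0.0125, f"203.0.{i // 256}.{i % 256}:{1024 + i}", server, "S"))
    return ev
```

Running half_open_rates(constructed_events()) yields a first window with 20 attempts and no half-open connections, and a second window with 800 half-open connections, a rate of 80 per second, above the assumed threshold. Raising the threshold to 100 leaves the same trace below the activation point, which is the trade-off the Activation Threshold setting expresses.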
Anti-Scanning attacks:
• Avg. Time Between Probes (sec) — The average time, in seconds, between
scan events.
• Number of Probes — The number of scan events from the time the attack
started.
• Action Reason — Values:
— Configuration—The action is (or was) according to the value in the Action
field in the Anti-Scanning profile.
— Footprint-accuracy-level—There is (or was) insufficient data for a
footprint, because the Include in the Footprint More than Source IP
Address and Protocol option is enabled in the Anti-Scanning profile.
— Multiple-probed-ports—Port scans are (or were) monitored only (not
blocked), because the Monitor but Do Not Block Port Scans option is
enabled in the Anti-Scanning profile.
• Blocking Duration (sec) — The blocking duration, in seconds, of the attacker
source IP address.
• Estimated Release Time — The estimated release time of attacker in local
time.
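The Anti-Scanning characteristics above (Number of Probes, Avg. Time Between Probes, Action Reason, Blocking Duration, Estimated Release Time) are all derived from the sequence of probes a single source sends. The following Python example, added here and not the guide's or Radware's code, groups a constructed probe trace by source, flags sources that touch at least a threshold number of distinct targets, and derives those same values, including the Multiple-probed-ports reason when the profile's "Monitor but Do Not Block Port Scans" option is assumed enabled. The probe threshold (10), the blocking duration (600 s), the trace and the port-scan/host-sweep distinction are assumptions for illustration; the same list appears again in Table 16.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

# Assumed profile values (not from the guide): how many distinct targets a source may
# touch before it counts as a scanner, and the configured blocking duration in seconds.
PROBE_THRESHOLD = 10
BLOCKING_DURATION_S = 600


def analyze_scans(events, threshold=PROBE_THRESHOLD,
                  blocking_duration=BLOCKING_DURATION_S, monitor_port_scans=False):
    """events: (time_s, src, dst, dport, proto). Returns per-source records whose keys
    mirror the Anti-Scanning characteristics DefenseFlow displays."""
    per_src = defaultdict(list)
    for t, src, dst, dport, proto in events:
        per_src[src].append((t, dst, dport, proto))
    findings = {}
    for src, probes in per_src.items():
        probes.sort()
        targets = {(dst, dport, proto) for _, dst, dport, proto in probes}
        if len(targets) < threshold:
            continue
        times = [t for t, *_ in probes]
        gaps = [b - a for a, b in zip(times, times[1:])]
        hosts = {dst for _, dst, _, _ in probes}
        scan_type = "port scan" if len(hosts) == 1 else "host sweep"
        # "Monitor but Do Not Block Port Scans" only affects port scans, not host sweeps.
        if scan_type == "port scan" and monitor_port_scans:
            action, reason = "monitor", "Multiple-probed-ports"
        else:
            action, reason = "block", "Configuration"
        detected_at = datetime.fromtimestamp(times[-1], tz=timezone.utc)
        findings[src] = {
            "scan_type": scan_type,
            "number_of_probes": len(probes),
            "avg_time_between_probes": mean(gaps) if gaps else 0.0,
            "action": action,
            "action_reason": reason,
            "blocking_duration": blocking_duration if action == "block" else 0,
            "estimated_release_time": (detected_at + timedelta(seconds=blocking_duration)
                                       if action == "block" else None),
        }
    return findings


T0 = 1_700_000_000  # constructed epoch start of the synthetic trace


def constructed_probes():
    """Constructed trace: one source walks TCP ports 20-39 on a host every 0.5 s while a
    legitimate client reconnects to port 443 three times."""
    ev = [(T0 + 0.5 * i, "203.0.113.7", "192.0.2.10", 20 + i, "TCP") for i in range(20)]
    ev += [(T0 + 3.0 * i, "198.51.100.4", "192.0.2.10", 443, "TCP") for i in range(3)]
    return ev
```

The legitimate client never reaches the threshold because it keeps hitting the same target tuple, which is the property that separates a retrying client from a scanner; the release time is simply the last probe plus the blocking duration, which is what the Estimated Release Time column reports in local time.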
Intrusions or DoS Shield attacks, as appropriate:
• Current Packet Rate [Packet/Sec] — The current packet rate.
• Average Packet Rate [Packet/Sec] — The average packet rate.
• Attack Duration — The duration of the attack.
• Protected Host — The protected host.

Traffic Filter attacks:
• Filter Name — The name of the Traffic Filter that matched the traffic.
• Filter ID — The Radware ID of the Traffic Filter that matched the traffic.
Note: The ID is a hyperlink to the configuration of the Traffic Filter.
• Attack Rate (pps) — The rate, in packets/second, of packets that match or
matched the Traffic Filter.
HTTP Flood Protection attacks:
• Detection Method — The method that the module used to detect the attack,
for example: By Rate of HTTPS Requests.
• Mitigation Method — The method that the module used to mitigate the attack,
for example: Rate-Limit Suspected Attackers.
• Authentication Method — The Authentication Method that the module used, for
example: 302 Redirect.
• Total Suspect Sources — The total number of suspect sources, from the start
of the attack.
• Total Req. Challenged — The total number of requests challenged, from the
start of the attack.
• Total Sources Challenged — The total number of sources challenged, from the
start of the attack.
• Total Sources Authenticated — The total number of sources authenticated,
from the start of the attack.
• Total Attackers Sources — The total number of attacker sources, from the start
of the attack.
• Auth List Util. — The utilization, in percent, of the Authentication List, from the
start of the attack.
• Req. Per Sec — Requests per second.
• Transitory Baseline Value
• Transitory Attack Edge Value
• Long Term Trend Baseline
• Long Term Trend Attack Edge

Real-Time Signature
The latest real-time BDoS, DNS Flood, or Anti-Scanning signature for the
detection event (if relevant to the operation), including the operation’s signature
parameters and their values, the boolean relationship between the parameters,
and, if there are multiple signatures for the same operation, the number of
signatures.
For example:

Scan Details for Anti-Scanning Attacks


• Destination IP Address — The destination IP address of the scan.
• Destination L4 Port — The destination port of the scan.
• TCP Flag/Protocol — Values:
— The TCP flag, for example, “ACK” — Displayed for TCP scans.
— UDP — Displayed for UDP scans.
— ICMP — Displayed for ICMP scans.
For example:
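Beyond the screenshot, a real-time signature (footprint) is a boolean combination of packet-field conditions, and the BDoS State descriptions in this table say the closed feedback loop narrows it to the narrowest rule that still blocks the attack. The following Python example, added here and not Radware's algorithm or code, models that with a small AND/OR matcher and a greedy narrowing routine run over a constructed attack sample and a constructed legitimate sample: at each step it adds the field=value condition that excludes the most legitimate packets while still covering at least 90% of the attack packets, and stops when no legitimate packet matches. The field names, the coverage bound and the traffic samples are assumptions; the same Real-Time Signature description appears again in Table 16.

```python
# Packet field names used by this toy footprint model (assumed; not DefensePro's parameter names).
FIELDS = ("ttl", "tos", "packet_size", "dport", "tcp_seq")


def matches(signature, packet) -> bool:
    """signature is ("AND", [...]) / ("OR", [...]) or a (field, value) leaf."""
    op, operand = signature
    if op == "AND":
        return all(matches(c, packet) for c in operand)
    if op == "OR":
        return any(matches(c, packet) for c in operand)
    return packet.get(op) == operand


def count_matches(signature, packets) -> int:
    return sum(1 for p in packets if matches(signature, p))


def derive_footprint(attack, legit, min_coverage=0.9):
    """Greedy narrowing: AND together field=value conditions taken from the attack sample,
    each time choosing the one that excludes the most legitimate packets while still
    matching at least min_coverage of the attack, until no legitimate packet matches.
    Returns (signature, attack packets still matched, legitimate packets still matched)."""
    conditions = []
    hit_attack, hit_legit = list(attack), list(legit)
    while hit_legit:
        best = None
        for field in FIELDS:
            for value in sorted({p.get(field) for p in hit_attack}, key=repr):
                keep_a = [p for p in hit_attack if p.get(field) == value]
                keep_l = [p for p in hit_legit if p.get(field) == value]
                if len(keep_a) < min_coverage * len(attack):
                    continue                       # would lose too much of the attack
                if best is None or len(keep_l) < len(best[3]):
                    best = (field, value, keep_a, keep_l)
        if best is None or len(best[3]) >= len(hit_legit):
            break                                  # nothing narrows further
        field, value, hit_attack, hit_legit = best
        conditions.append((field, value))
    return ("AND", conditions), len(hit_attack), len(hit_legit)


def constructed_traffic():
    """Constructed sample: 200 flood packets with fixed size/TTL/port and unique sequence
    numbers, plus 50 legitimate packets that share some of those values."""
    attack = [{"ttl": 64, "tos": 0, "packet_size": 1024, "dport": 80, "tcp_seq": 100_000 + i}
              for i in range(200)]
    legit = [{"ttl": 64 if (i < 2 or 10 <= i < 23) else 128, "tos": 0,
              "packet_size": 1024 if i < 10 else 500 + i,
              "dport": 80 if (2 <= i <= 7 or 23 <= i <= 46) else 443,
              "tcp_seq": 1000 + 7919 * i}
             for i in range(50)]
    return attack, legit
```

On the constructed sample the routine never picks tcp_seq, because no single sequence value covers enough of the attack, and it stops after three conditions (packet size, then TTL, then destination port) once the legitimate sample is fully excluded; that ordering is what "narrowest effective mitigation rule" means in practice, and adding a fourth condition would only reduce attack coverage without any benefit.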

Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Detection ID The detection control element.
In Grace Period The attack grace period status.
Values: Yes, No
Attack Traffic The last reported total amount of incoming traffic in Mbits per second.
Attack Packet Rate
The last reported number of incoming packets per second.
Filter
Click the (Filter) icon to display the operations related to the attack in the
Current Operations table.
View Additional Parameters
Click the icon at the left end of the protected object row to see parameters
that are not displayed in the table.
Max Volume (packet/s)
Maximum volume in packets per second.
Max Volume (Mbits/s)
Maximum volume in Mbits per second.
Attack Packet Rate (packets/s)
Attack packet rate, packets per second.
Attack Traffic (Mbits/s)
Maximum attack traffic, megabits per second.
Detection Name The detection control element.
Protocol The protocol of the incoming traffic.
Operations — List of current operations
In the Search field above the table, enter a string to search for a current operation:
Mitigation Status
The status of the operation.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Operation ID The operation ID for the attack operation.
Start/Stop
The pending action waiting for confirmation.
Values:
• Start — The protection was terminated. Attempt to rerun the action.
• Stop — Deactivate an active protection.
Operation Name/Type
The operation name and type.
Operation Networks
The IP address of the attacked destination as detected by the selected detection
device. For multiple networks, left-click the search icon to the right of the word
“Multiple” to see the list of networks.

Mitigation Device/Group
The mitigation device or group name.
Network Element/Group
The network elements or network element group for the protection.
Capture
To see Packet Capture details for the protected object, click the (Capture)
widget. The Packet Viewer dialog box displays.
For a description of the Packet Viewer parameters, see Packet Viewer, page 90.
Edit
To edit operation details for the protected object, click the (Edit) button. The
Operation Details dialog box displays.
After you edit any of the details, click Apply.
For a description of the Operation Details parameters, see Table 15 - Edit
Operation Details Parameters, page 80.
View Additional Parameters
Click the icon at the left end of the protected object row to see parameters
that are not displayed in the table.
User Action Mode
The enter activation mode.
Values: Automatic, Manual, User Confirmation
Enter User Action Mode
The enter activation mode.
Values: Automatic, Manual, User Confirmation
Mitigation Device/Group
The mitigation device or group name.
Exit Criteria The workflow exit criteria associated with the operation.
Enter Criteria The workflow enter criteria associated with the operation.
Workflow The workflow associated with the protected object.
Start Time Start time of the attack.
Policy Name The policy name for this protection activation.

Table 15: Edit Operation Details Parameters

Row Description
Operation Details of the operation, including:
• Description — Description of the operation.
• Operation Type — The type of operation. Values: Mitigation, Traffic Blocking,
Custom
• Diversion Protocol — The diversion protocol. Values: BGP, BGP FlowSpec
Mitigation Group Details of the mitigation devices in the mitigation group associated with the
operation, including:
• Name — The mitigation device name.
• Operational Status — The operational status of the mitigation device.
• CPU Utilization — Percent of the CPU utilization of the mitigation device.
• BW Utilization (GBPS) — Percent of the bandwidth utilization of the mitigation
device.
• Policies Utilization — Percent of the policies table utilization of the mitigation
device.
• Filter List Utilization — Percent of filter list utilization of the mitigation device.
• Managed — Whether the mitigation device is managed.
Values: true, false
• Platform Name — Platform name of the mitigation device.
• Geo Feed Status — The status of the Geolocation Feed on the DefensePro
mitigation device (active, inactive).
• Update Time — Last monitored update time.
• Last Error — The last device access error that was issued.
Allowlist/Blocklist
If you want to associate a blocklist and/or allowlist to the operation, select them
from the drop-down lists.
Geolocation If you want to temporarily override the current geoblocking settings for this
operation for the duration of the protection, select a geolocation or Geolocation
feed group to block or allow, then select the override action:
• Block — Block the selected geolocation or Geolocation feed group.
• Allow — Allow the selected geolocation or Geolocation feed group (default).
DNS Allowlist
If you want to associate a DNS allowlist to the operation, select one from the
drop-down list, or click the Upload icon to upload a file with a DNS allowlist
not on the list.
If you want to see the contents of a DNS allowlist, select one from the drop-down
list and click the Download icon to save it as a .txt file.
Policy Edit the associated security policy, if required.
• If it is a GUI type template, the Edit Security Policy Template dialog box
displays with the various security policy sections and parameters. For more
information on configuring these parameters, see Security Policy Templates,
page 155.
• If it is a Text template, the Edit Security Policy Template dialog box displays
with the Description and Template (the policy text) fields. The policy text
includes DefensePro traffic filters.

Full View Parameters — Historical Detection Events and Operations for Protected Objects

The following are the full view Historical Detection Events and Operations for protected objects.

Table 16: Full View Parameters — Historical Detection Events and Operations for Protected
Objects

Parameter Description
Detection Events — List of historical detection events on the protected object.
In the Search field above the table, enter a string to search or filter the number of table entries.
The string applies to all fields.
Action Type The last action value received from the mitigation device for the protected object.
Note: This parameter is only supported starting with version 4.2. If an event
existed before upgrading to version 4.2, the event does not display a value.
Values:
• Forward — DefensePro continues to process the traffic and eventually forwards
the packet to its destination.
• Drop — DefensePro discards the packet.
• Source Reset — DefensePro sends a TCP-Reset packet to the packet source IP
address.
• Dest Reset — DefensePro sends a TCP-Reset packet to the destination IP
address and port.
• Source Dest Reset — DefensePro sends a TCP-Reset packet to both the packet
source IP and the packet destination IP address.
• Proxy
• Challenge — DefensePro challenges the packet.
• Quarantine — DefensePro adds the destination to the Web quarantine.
• Drop and Quarantine — DefensePro discards the traffic and adds the
destination to the Web quarantine.
• HTTP 200 OK — DefensePro sends a 200 OK response using a predefined page
and leaves the server-side connection open.
• HTTP 200 OK Dest Reset — DefensePro sends a 200 OK response using a
predefined page and sends a TCP-Reset packet to the server side to close the
connection.
• HTTP 403 Forbidden — DefensePro sends a 403 Forbidden response using a
predefined page and leaves the server-side connection open.
• HTTP 403 Forbidden Reset Dest — DefensePro sends a 403 Forbidden response
using a predefined page and sends a TCP-Reset packet to the server side to
close the connection.
• External Event — External event from an external detector.
Note: No detailed information is received when the mitigation device is an
external detector. In this case, the Information field displays as N/A.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Detection ID The detection control element.
Attack Destination
The IP address of the attacked destination as detected by the selected detection
device. For multiple networks, left-click the search icon to the right of the word
“Multiple” to see the list of networks.
Start Time Start time of the attack.
Duration Duration of the attack.

Information
Click the icon to see the attack details of the detection event.

When the attack details of the detection event display, you can click the icon
to see the attack description.
Note: During the import of a security policy, DefensePro does not override the
attacks in the SYN profile.
Detection Event Traffic Display
Graphically displays the detection event legitimate and total traffic over time for
Behavioral DoS (BDoS) or DNS Flood attacks, as appropriate.
Select the type of traffic to display:
• IPv4 or IPv6 — IP traffic type (for BDoS or DNS Flood attacks, as appropriate).
• bps or pps — Bits per second/packets per second (for BDoS attacks).
• Inbound or Outbound — Inbound/outbound traffic (for BDoS attacks).
BDoS TCP example:

BDoS UDP with rate-variant example:

DNS Flood example:

Additional Attack Attributes
Additional attack attributes for BDoS, DNS Flood, SYN Flood, Anti-Scanning,
Intrusions, Traffic Filters, Out-of-State (Anomalies), DoS Shield, Geolocation,
EAAF-ERT, and HTTPS Flood Protection attacks.
• Risk — The predefined attack severity level.
Values: High, Medium, Low, Info
• Radware ID — The DefensePro Attack-Protection identifier issued by the
device.
• Direction (In/Out) — The direction of the attack, inbound or outbound.
Values: in, out
• Action Type — The last action value received from the mitigation device for the
protected object. See the Action parameter described in this table.
• Attack ID — Unique ID of the attack.
• Physical Port — The port on the device at which the attack packets arrived. In
cases when the DefensePro mitigation device cannot report a specific value,
the field displays 0 (zero) or Multiple.
• Total Packet Count — The number of identified attack packets from the
beginning of the attack.
• VLAN — The VLAN tag value or Context Group in the policy that handled the
attack. The value N/A or 0 (zero) in this field indicates that the VLAN tag or
Context Group is not available.
• MPLS RD — The Multi-protocol Label Switching Route Distinguisher in the
policy that handled the attack. The value N/A or 0 (zero) in this field indicates
that the MPLS RD is not available.
• Source Port — The Layer 4 source port of the attack.
• Packet Type — The detection event packet type.

Characteristics
BDoS attacks:
• State — The state of the protection process.
Values:
— Footprints Analysis — Behavioral DoS Protection has detected an attack
and is currently determining an attack footprint.
— Blocking — Behavioral DoS Protection is blocking the attack based on the
attack footprint created. Through a closed feedback loop operation, the
Behavioral DoS Protection optimizes the footprint rule, achieving the
narrowest effective mitigation rule.
— Non-attack — Nothing was blocked because the traffic was not an attack —
no footprint was detected or the blocking strictness level was not met.
— footprint analysis — BDoS protection has detected an attack and is
currently generating an attack footprint.
— footprint-applied — BDoS protection is blocking the attack based on the
generated footprint. Through a closed-feedback loop operation, BDoS
protection optimizes the footprint rule, achieving the narrowest effective
mitigation rule.
• Flow Label — (IPv6 only) The flow label that the attack uses or used.
• TCP Sequence Number — The TCP sequence number that the attack uses or
used.
• ToS — The ToS that the attack uses or used.
• TTL — The TTL that the attack uses or used.
The following parameters are only relevant when the State is burst-footprint-blocking:
• Burst Occurring Now — Values: Yes, No
• Current Burst Number — The number of bursts since start of the attack.
• Average Burst Duration — The average duration, in hh:mm:ss format, of the
bursts.
• Average Time Between Bursts — The average time, in hh:mm:ss format,
between separate bursts.
• Average Burst Rate — The average rate, in Kbps, of the bursts.
• Max. burst Rate — The rate, in Kbps, of the biggest burst in this attack.

DNS Flood attacks:
• TTL — The TTL that the attack uses or used.
• DNS Query — The DNS query (question name) that the attack uses or used.
• DNS An Query Count — The DNS answer count (the ANCOUNT header field) that the
attack uses or used.
• DNS ID — The DNS transaction ID that the attack uses or used.
• DNS Query Count — The DNS question count (the QDCOUNT header field) that the
attack uses or used.
• L4 Checksum — The Layer 4 (UDP or TCP) checksum that the attack uses or used.
• State — The state of the protection process.
Values:
— Normal
— Real-Time Signature Analysis
— Blocking
— Real-Time Signature Challenge
— Real-Time Signature Rate Limit
— Collective Challenge
— Collective Rate Limit
— Anomaly
— Strictness Anomaly

SYN Flood attacks:
• Attack Rate (pps) — The average rate of spoofed SYNs and data connection
attempts per second, calculated every 10 seconds.
• Attack Duration (Hour:Min:Sec) — The duration, in hh:mm:ss format, of the
attack on the protected port.
• Activation Threshold — The configured attack trigger threshold, in half
connections per second.
• TCP Challenge — The Authentication Method that identified the attack:
Transparent Proxy or Safe-Reset.
• TCP Auth. List (%) — The current utilization, in percent, of the TCP
Authentication table.
• HTTP Challenge — The HTTP Authentication Method that identified the attack:
302-Redirect or JavaScript.
• HTTP Auth. List (%) — The current utilization, in percent, of the HTTP
Authentication table.
Anti-Scanning attacks:
• Avg. Time Between Probes (sec) — The average time, in seconds, between
scan events.
• Number of Probes — The number of scan events from the time the attack
started.
• Action Reason — Values:
— Configuration—The action is (or was) according to the value in the Action
field in the Anti-Scanning profile.
— Footprint-accuracy-level—There is (or was) insufficient data for a
footprint, because the Include in the Footprint More than Source IP
Address and Protocol option is enabled in the Anti-Scanning profile.
— Multiple-probed-ports—Port scans are (or were) monitored only (not
blocked), because the Monitor but Do Not Block Port Scans option is
enabled in the Anti-Scanning profile.
• Blocking Duration (sec) — The blocking duration, in seconds, of the attacker
source IP address.
• Estimated Release Time — The estimated release time of attacker in local
time.
Intrusions or DoS Shield attacks, as appropriate:
• Current Packet Rate [Packet/Sec] — The current packet rate.
• Average Packet Rate [Packet/Sec] — The average packet rate.
• Attack Duration — The duration of the attack.
• Protected Host — The protected host.

Traffic Filter attacks:
• Filter Name — The name of the Traffic Filter that matched the traffic.
• Filter ID — The Radware ID of the Traffic Filter that matched the traffic.
Note: The ID is a hyperlink to the configuration of the Traffic Filter.
• Attack Rate (pps) — The rate, in packets/second, of packets that match or
matched the Traffic Filter.
HTTP Flood Protection attacks:
• Detection Method — The method that the module used to detect the attack,
for example: By Rate of HTTPS Requests.
• Mitigation Method — The method that the module used to mitigate the attack,
for example: Rate-Limit Suspected Attackers.
• Authentication Method — The Authentication Method that the module used, for
example: 302 Redirect.
• Total Suspect Sources — The total number of suspect sources, from the start
of the attack.
• Total Req. Challenged — The total number of requests challenged, from the
start of the attack.
• Total Sources Challenged — The total number of sources challenged, from the
start of the attack.
• Total Sources Authenticated — The total number of sources authenticated,
from the start of the attack.
• Total Attackers Sources — The total number of attacker sources, from the start
of the attack.
• Auth List Util. — The utilization, in percent, of the Authentication List, from the
start of the attack.
• Req. Per Sec — Requests per second.
• Transitory Baseline Value
• Transitory Attack Edge Value
• Long Term Trend Baseline
• Long Term Trend Attack Edge

Real-Time Signature
The latest real-time BDoS, DNS Flood, or Anti-Scanning signature for the
detection event (if relevant to the operation), including the operation’s signature
parameters and their values, the boolean relationship between the parameters,
and, if there are multiple signatures for the same operation, the number of
signatures.
For example:

Scan Details for Anti-Scanning Attacks


• Destination IP Address — The destination IP address of the scan.
• Destination L4 Port — The destination port of the scan.
• TCP Flag/Protocol — Values:
— The TCP flag, for example, “ACK” — Displayed for TCP scans.
— UDP — Displayed for UDP scans.
— ICMP — Displayed for ICMP scans.
For example:

Detector Name/Type
The detector name and type.
Attack Traffic (Mbits/s)
The last reported total amount of incoming traffic in Mbits per second.
Attack Packet Rate
The last reported number of incoming packets per second.
View Additional Parameters
Click the icon at the left end of the protected object row to see additional
parameters.
Source Port Source port of the packet.
DefensePro Event Status
The operational status of the DefensePro mitigation device.
End Time End time of the attack.
Detection Name The detection control element.
Protocol The protocol of the incoming traffic.
Maximum Attack Packet Rate (packets/s)
Maximum attack packet rate, packets per second.
Maximum Attack Traffic (Mbits/s)
Maximum attack traffic, megabits per second.
Attack Packet Rate (Packets/s)
Attack packet rate, packets per second.
Operations — List of historical operations on the protected object.
In the Search field above the table, enter a string to search or filter the number of table entries.
The string applies to all fields.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Operation ID The operation ID for the attack operation.
Name The name of the operation.
Type The type of operation.
Operation The IP address of the attacked destination as detected by the selected detection
Networks device. For multiple networks, left-click the search icon to the right of the word
“Multiple” to see the list of networks.
Start Time Start time of the operation.
Policy The policy used by the operation.
Duration The duration of the operation.
BGP FlowSpec The FlowSpec rule used by the operation.

Full View Parameters — Log

The following are the protected object log parameters.

Table 17: Full View Parameters — Log

In the Search field above the table, enter a string to search or filter the table entries. The string applies to all fields.
You can manually add a log entry: click Add Log, enter free text in the Add New Log field of the dialog box, and click Add Log.
Timestamp — Attack start time.
Event Type — Type of event.
Activation ID — The unique activation ID for the detection events and operations. This ID remains with the activation record for the record’s entire lifetime.
Event Description — Detailed description of the event.
Detection ID — The unique attack ID for the attack. This ID remains with the attack record for the record’s entire lifetime.
Operation ID — The operation ID for the attack operation.
User — Username of the user that generated the event:
• For system-initiated logs, the username is system.
• For user-created logs, the username is the user’s username (for example, Operator).

Click the icon to display the full log details.
Packet Viewer
This section describes the Packet Viewer parameters and functionality for both protected objects and
activations.

Table 18: Packet Viewer Parameters

Packet Capture widget
Note: The Real-time Packet Capture feature requires DefensePro 200/400 running version 8.17.2 or later, DefensePro 20/60 running version 8.18.x or later, or DefensePro 110/220 running version 8.20 or later.
Dropped packets are highlighted in red; passed packets are highlighted in green.
The following fields display for each attack:
• Capture Settings — These fields include the Mitigation Device/Group drop-down list and the Capture Filter. The filter is a regular expression that selects which packets are displayed in the Packet Display table. For the capture filter expressions you can define, see Table 19 - Packet Capture Filter Regular Expression Parameters, page 93.
  — Mitigation Device/Group — Select the DefensePro device or device group from which the packets are captured. The default is the device or group referred to by the attack information.
  — Capture Filter — Regular expression that selects the packet capture information to display from the selected DefensePro device or device group. From the drop-down list, you can choose one of the last 10 previous inputs for the filter.
• Display Settings — These fields include the Match Filter and Display Filter. The filters are regular expressions that filter the packets displayed in the Packet Display table. For the expressions you can define, see Table 20 - Match Filter and Display Filter Regular Expression Parameters, page 93.
  — Match Filter — Highlights the packets that match the filter. From the drop-down list, you can choose one of the last 10 previous inputs for the filter.
  — Display Filter — Displays only the packets that match the filter. From the drop-down list, you can choose one of the last 10 previous inputs for the filter.
• Legend for the color codes of packets that match the capture and display filters:
  — Dropped (red) — The packet was dropped. If you export the packet capture to a Wireshark PCAP file, you can exclude dropped packets from the export by clicking this icon before exporting. When you click the icon, a cross-out line displays across it, indicating that dropped packets are filtered out of the export. To remove the filter, click the icon again; the cross-out line is removed.
  — Passed (green) — The packet passed. If you export the packet capture to a Wireshark PCAP file, you can exclude passed packets from the export by clicking this icon before exporting. When you click the icon, a cross-out line displays across it, indicating that passed packets are filtered out of the export. To remove the filter, click the icon again; the cross-out line is removed.
  — Match — The packet matches the display filters.
• Display actions — Do one of the following:
  — Click the start icon to begin the packet capture display. The packets display one at a time, based on the filters that you defined.
  — Click the stop icon to stop the packet capture display.
  — Click the clear icon to clear the packet capture display.
  — Click Export to export the packet capture to a Wireshark PCAP file:
    a. Select the export parameters:
      • From — Select the source of the packet capture information to export: Captured (default) or Displayed.
      • Type — Select the types of packets to include in the export: Passed (default), Dropped (default).
    b. Click Export.
    Note: The exported PCAP file includes additional data (mitigation device and reason) that is not visible in Wireshark. This additional data is used when importing the PCAP file back into DefenseFlow.
  — Click Import to import a Wireshark PCAP file into DefenseFlow:
    a. In the Browse dialog box, select the PCAP file to import.
    b. Click Select.
• Packet Display, including:
  — Packet Display Table — Includes the following columns:
    • Time — Duration of the packet capture.
      Note: To ensure that the packet capture time is accurate, you must synchronize the DefenseFlow clock with the mitigation device (DefensePro) clock. For more information on setting the DefensePro clock, refer to the DefensePro User Guide.
    • Mitigation Device — Name of the mitigation device that is mitigating the packet.
    • SRC IP — Source IP address and geolocation of the packet.
    • SRC Port — Source port of the packet.
    • DST IP — Destination IP address and geolocation of the packet.
    • DST Port — Destination port of the packet.
    • Protocol — Protocol of the packet.
    • Length — Packet length.
    • Reason — Reason for the packet capture.
  — Decoded Packet — The decoded packet and its protocol layers. Highlight an individual protocol layer to view its associated data (shown below the line). You can also expand the protocol layer to view its details.
• The following fields display the packet capture status:
  — Capture Elapsed Time — The number of seconds since the packet capture was started.
  — Passed Packets — The number of passed packets out of the total number of packets.

Table 19: Packet Capture Filter Regular Expression Parameters

You can define regular expressions in the packet capture Capture Filter field using the parameters described in this table and the ==, AND, OR, and NOT boolean operators. For more details on the REAL-TIME PACKET CAPTURE pane, see its description in Table 18 - Packet Viewer Parameters, page 90.

ip.dst — Destination IP address. Values can be with or without brackets. Examples:
• ip.dst==224.0.0.2
• ip.dst==[224.0.0.2]
• ip.dst==[1.1.1.1,2.2.2.2,3.3.3.3]
• ip.dst==2001:40b0:7500:205:0:0:9353:8321
ip.proto — The packet protocol. Values: tcp, udp, icmp, other. Examples:
• ip.proto==tcp
• ip.proto==[udp,tcp]
ip.src — Source IP address. Values can be with or without brackets. Examples:
• ip.src==172.16.0.1
• ip.src==[224.0.0.2]
• ip.src==[1.1.1.1,2.2.2.2,3.3.3.3]
policy — The policy name on the mitigation device. A null value indicates any policy. Examples:
• policy==ProtectedObject_1 AND ip.dst==60.0.0.2/32
• policy==ProtectedObject_1
Table 20: Match Filter and Display Filter Regular Expression Parameters

You can define regular expressions in the packet capture Match Filter and Display Filter fields using the parameters described in this table and the ==, AND, OR, and NOT boolean operators. For more details on the REAL-TIME PACKET CAPTURE pane, see its description in Table 18 - Packet Viewer Parameters, page 90.

frame.len — Packet length. Example:
• frame.len==76
Internet_Protocol_Version — Internet Protocol (IP) version layer of the packet. Examples:
• IPv4
• NOT IPv4
• IPv6
• NOT IPv6
ip.dst — Destination IP address. Values can be with or without brackets. A CIDR value matches all host addresses in the subnet. Examples:
• ip.dst==224.0.0.2
• ip.dst==[224.0.0.2]
• ip.dst==172.16.0.1/24
• ip.dst==10.0.0.0/24
• NOT ip.dst==224.0.0.2
• ip.dst==[1.1.1.1,2.2.2.2,3.3.3.3]
• ip.dst==2001:40b0:7500:205:0:0:9353:8321
• NOT ip.dst==2001:40b0:7500:205:0:0:9353:8321
ip.src — Source IP address. Values can be with or without brackets. A CIDR value matches all host addresses in the subnet. Examples:
• ip.src==172.16.0.1
• ip.src==[224.0.0.2]
• ip.src==172.16.0.1/24
• ip.src==10.0.0.0/24
• NOT ip.src==172.16.0.1
• ip.src==[1.1.1.1,2.2.2.2,3.3.3.3]
• NOT TCP AND udp.port==161 AND ip.src==192.168.29.160 AND frame.len==150
Protocol — The packet protocol. Values: Ethernet, TCP, UDP, ICMP, Other. Other covers any further protocol currently recognized by the DME; protocols not recognized by the DME are considered packet anomalies. Examples:
• Ethernet
• NOT Ethernet
• UDP
• NOT UDP
• TCP
• NOT TCP
• TCP OR UDP
• NOT TCP OR UDP
mitigation — Mitigation device name. Examples:
• mitigation==device_1
• NOT mitigation==device_1
policy — The policy name on the mitigation device. A null value indicates any policy. Examples:
• policy==ProtectedObject_1 AND ip.dst==60.0.0.2/32
• policy==ProtectedObject_1
reason — Reason the packet was dropped. Examples:
• reason=="Dropped due to Behavioral DoS"
• reason=="Dropped due to Signature Protection"
tcp.dstport — TCP destination port. Up to 10 ports. A null value indicates any port. Values can be with or without brackets. Examples:
• tcp.dstport==23
• tcp.dstport==[23]
• NOT tcp.dstport==23
• tcp.dstport==[1111,222]
tcp.port — TCP source and destination ports. Up to 10 ports. A null value indicates any port. Values can be with or without brackets. Examples:
• tcp.port==23
• tcp.port==[23]
• NOT tcp.port==23
• tcp.port==[1111,222]
tcp.srcport — TCP source port. Up to 10 ports. A null value indicates any port. Values can be with or without brackets. Examples:
• tcp.srcport==56760
• tcp.srcport==[56760]
• NOT tcp.srcport==56760
udp.dstport — UDP destination port. Up to 10 ports. A null value indicates any port. Values can be with or without brackets. Examples:
• udp.dstport==646
• udp.dstport==[646]
• NOT udp.dstport==646
udp.port — UDP source and destination ports. Up to 10 ports. A null value indicates any port. Values can be with or without brackets. Examples:
• udp.port==646
• udp.port==[646]
• NOT udp.port==646
• udp.port==161 OR udp.port==60376
• udp.port==161 OR udp.port==9999
• NOT TCP AND udp.port==161 AND ip.src==192.168.29.160 AND frame.len==150
udp.srcport — UDP source port. Up to 10 ports. A null value indicates any port. Values can be with or without brackets. Examples:
• udp.srcport==646
• udp.srcport==[646]
• NOT udp.srcport==646
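
The Capture, Match and Display Filter expressions in Tables 19 and 20 form a small language (field==value terms, bare protocol names, bracketed value lists, CIDR values, and the AND, OR and NOT operators), so it is practical to evaluate them offline, for example to re-apply a filter to rows taken from an exported PCAP or to check an expression before entering it in the UI. The following Python is an added example, not DefenseFlow code. It assumes an operator precedence the guide does not state (NOT binds tightest, then AND, then OR, evaluated left to right, so NOT TCP OR UDP reads as (NOT TCP) OR UDP), treats the keywords case-insensitively, and represents each capture row as a dictionary keyed by the Table 20 parameter names plus protocol and ip_version. The sample rows and the names matching_ids and SAMPLE_PACKETS are constructed for this example.

```python
"""DefenseFlow-style filter evaluator (added example, not DefenseFlow code). Assumes NOT > AND > OR
precedence, left to right, case-insensitive keywords, and capture rows keyed by Table 20 field names."""
import ipaddress
import re
from typing import Any, Dict, List

_TOKEN = re.compile(r"""\s*(?:
      (?P<kw>NOT|AND|OR)(?=\s|$)
    | (?P<cmp>[A-Za-z_][\w.]*)\s*==\s*(?P<val>"[^"]*"|\[[^\]]*\]|\S+)
    | (?P<bare>[A-Za-z_]\w*)
    )""", re.VERBOSE | re.IGNORECASE)
_PROTOCOLS, _IP_VERSIONS = {"ethernet", "tcp", "udp", "icmp", "other"}, {"ipv4", "ipv6"}
_PORT_FIELDS = {"tcp.port", "tcp.srcport", "tcp.dstport", "udp.port", "udp.srcport", "udp.dstport"}

def _split_values(raw: str) -> List[str]:
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return [raw[1:-1]]                            # quoted string; commas inside are literal
    if raw.startswith("[") and raw.endswith("]"):
        raw = raw[1:-1]                               # brackets are optional
    return [v.strip() for v in raw.split(",") if v.strip()]
def _tokenize(expr: str) -> List[tuple]:
    expr = expr.replace("\u201c", '"').replace("\u201d", '"').strip()  # curly quotes, as in the guide
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m: raise ValueError(f"cannot parse filter near: {expr[pos:]!r}")
        pos = m.end()
        if m.group("kw"): tokens.append(("kw", m.group("kw").upper()))
        elif m.group("cmp"):
            field, val = m.group("cmp").lower(), m.group("val")
            if field in _PORT_FIELDS and len(_split_values(val)) > 10:
                raise ValueError(f"{field}: up to 10 ports are allowed")  # limit stated in the guide
            tokens.append(("cmp", field, val))
        else: tokens.append(("bare", m.group("bare")))
    return tokens
def _parse(tokens: List[tuple]) -> tuple:
    """Recursive descent: or := and (OR and)*; and := not (AND not)*; not := NOT not | term."""
    pos = [0]
    def peek(): return tokens[pos[0]] if pos[0] < len(tokens) else None
    def take(): pos[0] += 1; return tokens[pos[0] - 1]
    def p_not():
        if peek() == ("kw", "NOT"): take(); return ("not", p_not())
        if peek() is None or peek()[0] == "kw": raise ValueError("expected a filter term")
        return take()
    def p_and():
        left = p_not()
        while peek() == ("kw", "AND"):
            take(); left = ("and", left, p_not())
        return left
    def p_or():
        left = p_and()
        while peek() == ("kw", "OR"):
            take(); left = ("or", left, p_and())
        return left
    tree = p_or()
    if peek() is not None: raise ValueError(f"unexpected token: {peek()}")
    return tree
def _match(pkt: Dict[str, Any], node: tuple) -> bool:
    kind = node[0]
    if kind == "or": return _match(pkt, node[1]) or _match(pkt, node[2])
    if kind == "and": return _match(pkt, node[1]) and _match(pkt, node[2])
    if kind == "not": return not _match(pkt, node[1])
    if kind == "bare":                                # TCP, NOT UDP, IPv4, ...
        name = node[1].lower()
        if name in _PROTOCOLS: return str(pkt.get("protocol", "")).lower() == name
        if name in _IP_VERSIONS: return str(pkt.get("ip_version", "")).lower() == name
        raise ValueError(f"unknown filter term: {node[1]}")
    field, values = node[1], _split_values(node[2])
    if not values: return True                        # null value matches any (per the guide)
    if field in ("ip.src", "ip.dst"):                 # host, bracketed list or CIDR; IPv4 or IPv6
        if field not in pkt: return False
        addr = ipaddress.ip_address(pkt[field])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if field in _PORT_FIELDS:                         # tcp.port / udp.port match either direction
        ports = {int(v) for v in values}
        keys = [field[:3] + ".srcport", field[:3] + ".dstport"] if field.endswith(".port") else [field]
        return any(pkt.get(k) in ports for k in keys)
    if field == "frame.len": return pkt.get(field) == int(values[0])
    if field in ("mitigation", "policy", "reason"): return pkt.get(field) in values
    raise ValueError(f"unsupported field: {field}")

def matching_ids(expr: str, packets: List[Dict[str, Any]]) -> List[int]:
    """IDs of the rows a Display Filter would show (or a Match Filter would highlight)."""
    tree = _parse(_tokenize(expr))                    # parse once, evaluate against every row
    return [p["id"] for p in packets if _match(p, tree)]

# Constructed sample capture rows (not real DefenseFlow output).
SAMPLE_PACKETS = [
    {"id": 1, "protocol": "UDP", "ip_version": "IPv4", "ip.src": "192.168.29.160", "ip.dst": "10.0.0.5",
     "udp.srcport": 60376, "udp.dstport": 161, "frame.len": 150, "mitigation": "device_1",
     "policy": "ProtectedObject_1", "reason": "Dropped due to Behavioral DoS"},
    {"id": 2, "protocol": "TCP", "ip_version": "IPv4", "ip.src": "1.1.1.1", "ip.dst": "60.0.0.2",
     "tcp.srcport": 56760, "tcp.dstport": 23, "frame.len": 76, "mitigation": "device_2",
     "policy": "ProtectedObject_1", "reason": "Dropped due to Signature Protection"},
    {"id": 3, "protocol": "ICMP", "ip_version": "IPv6", "ip.src": "2001:db8::1",
     "ip.dst": "2001:40b0:7500:205:0:0:9353:8321", "frame.len": 150, "mitigation": "device_1",
     "policy": "ProtectedObject_2", "reason": "Passed"},
]
```

With these rows, matching_ids("NOT TCP AND udp.port==161 AND ip.src==192.168.29.160 AND frame.len==150", SAMPLE_PACKETS) returns [1], and a port list longer than 10 entries raises ValueError at parse time, matching the limit the tables state. The evaluator rejects unknown fields and bare words instead of silently matching nothing, which is the failure mode a mistyped field name would otherwise produce in a display filter.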

Activations
The Activations pane displays monitoring and report metrics that enable you to view and track real-
time and historical information on selected DefenseFlow activations and networks.

The Activations pane includes the following widgets:


• Operational Status, page 96
• AMS Traffic Statistics, page 97
• Activations, page 98

Operational Status
The Operational Status widget displays the current overall operational status for activations.
Each activation is counted only once. If an activation has operations in two states (for example, a pending action and an active operation), it is counted under the first matching status in the following priority order: Pending, Failed, Active, Provision.

Note: Because a protected object may have multiple activations related to it, the total number of activations may be greater than the total number of protected objects.

Table 21: Activations Statistics

Pending — Total number of activations that have pending actions.
Active — Total number of activations that have successful active operations.
Failed — Total number of activations that have failed operations.
Provision — Total number of activations that are being provisioned for mitigation.

AMS Traffic Statistics

The AMS Traffic Statistics widget displays the statistics for traffic handled by the Attack Mitigation Service (AMS):

Table 22: AMS Traffic Statistics

Inbound to Mitigation Device — Incoming traffic for mitigation, in bits per second or packets per second.
Dropped by Mitigation — Incoming traffic dropped by mitigation, in bits per second or packets per second.
Clean Traffic — Clean traffic re-injected after mitigation, in bits per second or packets per second.

Modifying the AMS Traffic Statistics Display

You can make the following modifications to the AMS Traffic Statistics display:
• To select which type of traffic to display, page 97
• To change the time range in the graph display, page 98
• To change the statistics display, page 98

To select which type of traffic to display


> At the top right, select either Bits/s (bits per second) or Packets/s (packets per second).
The display changes per your selection.

To change the time range in the graph display

1. At the top right-hand side of the widget, click the clock icon.
2. Do one of the following:
— Select one of the following preset ranges (Quick Range):
• 15m — The last 15 minutes
• 30m — The last 30 minutes
• 1H — The last hour
• 3H — The last three hours
• 6H — The last six hours
• 12H — The last 12 hours
• 24H — The last 24 hours
Default: 15m
— Specify a specific time range (Time Range):
a. Select a specific calendar date for the time range start date (From).
b. Select a specific calendar date for the time range end date (To).
3. Click Apply to apply the configuration.

To change the statistics display


By default, all statistics display in the graph. You can change which statistics display.
1. To remove a statistic from the graph, click the label of that statistic. The label is grayed out and the statistic is removed from the graph.
2. To return a statistic to the graph, click the grayed-out label of that statistic. The statistic displays in the graph again.

Activations
The Activations table includes the set of activations for protected objects and their related
information:

Table 23: Activations Parameters

Overall Activations Status — A colored indicator to the left of the Activation ID that indicates the overall attack operation status. It is derived from the protection Status, described later in this table. Overall status indicators:
• Orange — A pending action is required
• Green — The activation has successful active operations
• Red — The activation failed
• Blue — This is a provisioned activation
• Yellow — The activation is not protected and needs attention
Activation ID — The unique ID for the activation. This ID remains with the activation record for the record’s entire lifetime. It is internal to DefenseFlow and not related to any external IDs associated with the activation.
Protected Object Name — The protected object associated with the activation.
Source Network — The attack operation geolocation and the source network IP addresses and ranges (CIDRs). Up to three CIDRs are displayed. If there are more than three CIDRs for an attack, the total number of CIDRs is displayed in parentheses.
To view the list of source CIDRs, click the (Edit) icon to the right of the displayed CIDRs. From the Networks dialog box, you can:
• View the full list of source CIDRs.
• Click the Destination tab and:
  — Change the protection status of any of the destination CIDRs.
  — Add a new network to protect in the CIDR field and click Add.
After making any changes, click Submit.
Destination Network — The attack operation geolocation and the destination network IP addresses and ranges (CIDRs). Up to three CIDRs are displayed. If there are more than three CIDRs for an attack, the total number of CIDRs is displayed in parentheses.
To view the list of destination CIDRs, click the (Edit) icon to the right of the displayed CIDRs. From the Networks dialog box, you can:
• Change the protection status of any of the destination CIDRs.
• Add a new network to protect in the CIDR field and click Add.
• Click the Source tab to view the full list of source CIDRs.
After making any changes, click Submit.

Attack Traffic — Attack traffic rate for the activation, in bits per second (BPS). For a historical attack, displays the maximum BPS reported from the start of the attack until its termination.
The BPS volume is graphically represented as a percentage interval on the BPS volume gauge, according to the defined volume ranges. The default BPS gauge intervals and their associated volume ranges are:
• 0%-25% — 0m < value < 50m
• 25%-50% — 50m < value < 250m
• 50%-75% — 250m < value < 500m
• 75%-100% — 500m < value
You can change the volume ranges for the gauge using the CLI command dfc-core:configuration-set. Keep the thresholds in ascending order so that the gauge intervals remain contiguous. For example, to change the top limit of the BPS volume range for 75% of the gauge from 500m to 70m, run the following CLI command:
dfc-core:configuration-set -name dfc.attack.dashboard.volume.bps.level075 -value 70m
Attack Packet Rate — Packet rate for the attack operation, in packets per second (PPS). For a historical attack, displays the maximum PPS reported from the start of the attack until its termination.
The PPS rate is graphically represented as a percentage interval on the PPS rate gauge, according to the defined rate ranges. The default PPS gauge intervals and their associated rate ranges are:
• 0%-25% — 0k < value < 100k
• 25%-50% — 100k < value < 500k
• 50%-75% — 500k < value < 1m
• 75%-100% — 1m < value
You can change the rate ranges for the gauge using the CLI command dfc-core:configuration-set. For example, to change the top limit of the PPS rate range for 50% of the gauge from 500k to 400k, run the following CLI command:
dfc-core:configuration-set -name dfc.attack.dashboard.volume.pps.level050 -value 400k
Protocol — Protocols used by the attack operation.
Detection — The detection control element.
Status — An icon indicating the status of the attack operation. To view the status icon description, hover over the status icon.
Note: The overall attack operation status is represented by a color indicator to the left of the Activation ID (see Overall Activations Status, earlier in this table).
Statuses:
• Protection is not activated — None of the protections have yet been activated by the attack operation.
• Protection has terminated — All protections were activated and the attack has ended.
• Protection activation has failed — The protection was not activated.
• Protection is activated — All protections have been activated by the attack operation, but the attack has not yet ended.
• In progress — The protection activation or deactivation is in progress.
• Protection is activated on some of the networks — Some, but not all, of the protections have been activated.
• Attack has terminated — The unprotected attack has terminated.
Protection — Manually start or stop a protection operation for the attack, based on the current status of the protection. Click one of the following buttons as relevant:
• CONFIRM ALL — Confirm starting or stopping multiple protection operations for a given attack ID.
• CONFIRM START — Confirm starting a single protection operation for a given attack ID.
• CONFIRM STOP — Confirm stopping a single protection operation for a given attack ID.
• START — Start a single protection operation for a given attack ID.
• STOP — Stop a single protection operation for a given attack ID.
• STOP ALL — Stop all protections for multiple operations for a given attack ID.
Notes:
• While a protection operation is in process, you can hover over the Protection button to view the protection status; click the Details link to see more details of the operation.
• You can manually stop only a manually activated protection on a protected object, even if the attack has terminated.
Start Time — Start time of the attack operation or of the protection.
End Time — End time of the attack operation or of the protection.

Actions you can perform from the Activations table include:
• Changing the Display of the Activations Table, page 102
• Viewing Activations Details, page 102

Changing the Display of the Activations Table


You can change the display of the table and view more details for each activation.

To search for an activation


Instead of scrolling through the full list of activations to find a particular activation, you can search for it using the Search/Filter field.
1. Click in the Search/Filter field.
2. Enter a free-text string to perform the search.

To sort columns
1. Click the heading of the column you want to sort.
2. Select the down arrow to sort the column in descending order, or the up arrow to sort in ascending order.
3. Click the heading again to reset the column sorting.

Viewing Activations Details


You can expand the activations display to see more activations details.

To see the full details of an activation

> Click anywhere on the activation row. The following parameters display:

Table 24: Activations — Full View Parameters

Activation Full View
Protected Object Name — The protected object associated with the activation.
Source Networks — The attack operation geolocation, represented by the geolocation flag, and the source network IP addresses and ranges (CIDRs). Up to three CIDRs are displayed. If there are more than three CIDRs for an attack, the total number of CIDRs is displayed in parentheses.
To view the list of source CIDRs, click the (Edit) icon to the right of the displayed CIDRs. From the Networks dialog box, you can:
• View the full list of source CIDRs.
• Click the Destination tab and:
  — Change the protection status of any of the destination CIDRs.
  — Add a new network to protect in the CIDR field and click Add.
After making any changes, click Submit.
Destination Networks — The attack operation geolocation, represented by the geolocation flag, and the destination network IP addresses and ranges (CIDRs). Up to three CIDRs are displayed. If there are more than three CIDRs for an attack, the total number of CIDRs is displayed in parentheses.
To view the list of destination CIDRs, click the (Edit) icon to the right of the displayed CIDRs. From the Networks dialog box, you can:
• Change the protection status of any of the destination CIDRs.
• Add a new network to protect in the CIDR field and click Add.
• Click the Source tab to view the full list of source CIDRs.
After making any changes, click Submit.
Attack Traffic — Attack traffic rate for the attack operation, in megabits per second (Mbits/s). For a historical attack, displays the maximum bandwidth (BW) reported from the start of the attack until its termination.
The BW volume is graphically represented as a percentage interval on the BW volume gauge, according to the defined volume ranges. The default BPS gauge intervals and their associated volume ranges are:
• 0%-25% — 0m < value < 50m
• 25%-50% — 50m < value < 250m
• 50%-75% — 250m < value < 500m
• 75%-100% — 500m < value
You can change the volume ranges for the gauge using the CLI command dfc-core:configuration-set. Keep the thresholds in ascending order so that the gauge intervals remain contiguous. For example, to change the top limit of the BPS volume range for 75% of the gauge from 500m to 70m, run the following CLI command:
dfc-core:configuration-set -name dfc.attack.dashboard.volume.bps.level075 -value 70m

Attack Packet Rate — Packet rate for the attack operation, in packets per second (PPS). For a historical attack, displays the maximum PPS reported from the start of the attack until its termination.
The PPS rate is graphically represented as a percentage interval on the PPS rate gauge, according to the defined rate ranges. The default PPS gauge intervals and their associated rate ranges are:
• 0%-25% — 0k < value < 100k
• 25%-50% — 100k < value < 500k
• 50%-75% — 500k < value < 1m
• 75%-100% — 1m < value
You can change the rate ranges for the gauge using the CLI command dfc-core:configuration-set. For example, to change the top limit of the PPS rate range for 50% of the gauge from 500k to 400k, run the following CLI command:
dfc-core:configuration-set -name dfc.attack.dashboard.volume.pps.level050 -value 400k
Protocol — Protocols used by the attack operation.
Detection — The detection control element.
Status — An icon indicating the status of the attack operation. To view the status icon description, hover over the status icon.
Note: The overall attack operation status is represented by a color indicator to the left of the Activation ID. See the description of this indicator and its relationship to the attack operation statuses in Table 23.
Statuses:
• Protection is not activated — None of the protections have yet been activated by the attack operation.
• Protection has terminated — All protections were activated and the attack has ended.
• Protection activation has failed — The protection was not activated.
• Protection is activated — All protections have been activated by the attack operation, but the attack has not yet ended.
• In progress — The protection activation or deactivation is in progress.
• Protection is activated on some of the networks — Some, but not all, of the protections have been activated.
• Attack has terminated — The unprotected attack has terminated.
Protection — Manually start or stop a protection operation for the attack, based on the current status of the protection. Click one of the following buttons as relevant:
• CONFIRM ALL — Confirm starting or stopping multiple protection operations for a given attack ID.
• CONFIRM START — Confirm starting a single protection operation for a given attack ID.
• CONFIRM STOP — Confirm stopping a single protection operation for a given attack ID.
• START — Start a single protection operation for a given attack ID.
• STOP — Stop a single protection operation for a given attack ID.
• STOP ALL — Stop all protections for multiple operations for a given attack ID.
Notes:
• While a protection operation is in process, you can hover over the Protection button to view the protection status; click the Details link to see more details of the operation.
• You can manually stop only a manually activated protection on a protected object, even if the attack has terminated.
Start Time — Time when the activation became active.
End Time — Time when the activation ended.

AMS Traffic Statistics
The AMS Traffic Statistics graph displays the current or historical traffic statistics, depending on which display you have selected (see Current, Historical, Log below in this table).
By default, the total data for all devices is displayed. To show the data for an individual device only:
1. Click Select.
2. Select one of the following:
— TOTAL (all devices) — The graph displays the total data for all devices.
— An individual device name — The graph displays the data for the selected device only.
Inbound to Mitigation Device — Incoming traffic for mitigation, in bits per second or packets per second.
Dropped by Mitigation — Incoming traffic dropped by mitigation, in bits per second or packets per second.
Clean Traffic — Clean traffic re-injected after mitigation, in bits per second or packets per second.
Current, Historical, Log — The lists of current and historical attacks and operations, and the attack event log. Click the respective button for each of these lists.
• For the current attack and operation lists, see Full View Parameters — Detection Events and Operations for Activations, page 106
• For the historical attack and operation lists, see Full View Parameters — Historical Attacks and Operations for Activations, page 108
• For the event log, see Full View Parameters — Log, page 109

The following are navigational actions you can perform in the Full View pane:
— To exit the Full View pane, click the button at the top left edge of the pane.
— To expand the Protected Objects widget display, click the expand button. The Protected Objects widget expands and the AMS Traffic Statistics widget is hidden.
— To compress the Protected Objects widget, click the compress button. The AMS Traffic Statistics widget displays again.

Full View Parameters — Detection Events and Operations for Activations
The following are the parameters for the Full View Detection Events and Operations for activations.

Table 25: Full View Parameters — Current Detection Events and Operations on Activations

Current Detection Events — List of current detection events.
In the Search field above the table, enter a string to search for a current detection event.
Activation ID — The unique activation ID for the detection events and operations. This ID remains with the activation record for the record’s entire lifetime.
Detection ID — The detection control element.
Attack Destination — The IP address of the attacked destination as detected by the selected detection device. For multiple networks, click the search icon to the right of the word “Multiple” to see the list of networks.
In Grace Period — The attack grace period status. Values: Yes, No
Start Time — Start time of the attack.
Duration — Duration of the attack.
Detector Name/Type — The detector name and type.
Attack Traffic — The last reported total amount of incoming traffic, in megabits per second.
Attack Packet Rate — The last reported number of incoming packets per second.
Protocol — The protocol associated with the operation.
Information — Details about the attack.
Filter — Click the (Filter) icon to display the operations related to the activation in the Current Operations table.
View Additional Parameters — Click the icon at the left end of the row to see parameters that are not displayed in the table.

Operations — List of current operations on the activation.
In the Search field above the table, enter a string to search or filter the table entries. The string applies to all fields.
Mitigation Status — The status of the operation.
Activation ID — The unique activation ID for the detection events and operations. This ID remains with the activation record for the record’s entire lifetime.
Operation ID The operation ID for the attack operation.
Operation Name/Type The operation name and type.
Operation Networks The IP address that is part of the protection operation. For multiple networks,
left-click the search icon to the right of the word “Multiple” to see the list of networks.
Mitigation Device/Group The mitigation device or group name.
Network Element/Group The network elements or network element group for the protection.
Start/Stop The pending action waiting for confirmation.
Values:

• Start — The protection was terminated. Attempt to rerun the action.

• Stop — Deactivate an active protection.

Capture To see Packet Capture details for the activation, click the (Capture) widget. The Packet
Viewer dialog box displays.
For a description of the Packet Viewer parameters, see Packet Viewer, page 90.
Edit To edit operation details for the activation, click the (Edit) button. The Operation Details
dialog box displays.
After you edit any of the details, click Apply.
For a description of the Operation Details parameters, see Table 26 - Edit Operation Details
Parameters, page 108.
View Additional Parameters Click the icon at the left end of the protected object row to see
parameters that are not displayed in the table.

Table 26: Edit Operation Details Parameters

Row Description
Operation Details of the operation, including:
• Description — Description of the operation.
• Operation Type — The type of operation. Values: Mitigation, Traffic Blocking, Custom
• Diversion Protocol — The diversion protocol. Values: BGP, BGP FlowSpec
Mitigation Group Details of the mitigation devices in the mitigation group associated with the
operation, including:
• Name — Name of the mitigation device.
• Operational Status — The operational status of the mitigation device.
• CPU Utilization — Percent of the CPU utilization of the mitigation device.
• BW Utilization (GBPS) — Percent of the bandwidth utilization of the mitigation device.
• Policies Utilization — Percent of the policies table utilization of the mitigation device.
• Filter List Utilization — Percent of filter list utilization of the mitigation device.
• Managed — Whether the mitigation device is managed.
Values: true, false
• Platform Name — Platform name of the mitigation device.
• Geo Feed Status — The status of the Geolocation Feed on the DefensePro mitigation device
(active, inactive).
• Update Time — Last monitored update time.
• Last Error — The last device access error that was issued.
Filter List If you want to associate a blocklist and/or allowlist to the operation, select them
from the drop-down lists.
Geolocation If you want to temporarily override the current geoblocking settings for this
operation for the duration of the protection, select a geolocation or Geolocation feed group to
block or allow, then select the override action:
• Block — Block the selected geolocation or Geolocation feed group.
• Allow — Allow the selected geolocation or Geolocation feed group (default).
DNS Protection If you want to associate a DNS allowlist to the operation, select one from the
drop-down list, or click the Upload icon to upload a file with a DNS allowlist not on the list.
If you want to see the contents of a DNS allowlist, select one from the drop-down list and click the
Download icon to save it as a .txt file.
Policy Edit the associated policy, if required.

Full View Parameters — Historical Attacks and Operations for Activations


The following are the Full View parameters for Historical Attacks and Operations for activations.

Table 27: Full View Parameters — Historical Attacks and Operations for Activations

Parameter Description
Attack History Table — List of historical activations.
In the Search field above the table, enter a string to search or filter the number of table entries.
The string applies to all fields.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Detection ID The detection control element.
Attack Destination The IP address of the attacked destination as detected by the selected detection
device. For multiple networks, left-click the search icon to the right of the word “Multiple” to see
the list of networks.
Start Time Start time of the attack.
Duration Duration of the attack.
Detector Name/Type The detector name and type.
Protocol The protocol associated with the operation.
Attack Traffic The last reported total amount of incoming traffic in Mbits per second.
Attack Packet Rate The last reported number of incoming packets per second.
View Additional Parameters Click the icon at the left end of the activation row to see additional
parameters:
• End Time
• Maximum Reported Attack BW
• Maximum Reported Attack PPS
Operation History Table — List of historical operations for the activations.
In the Search field above the table, enter a string to search or filter the number of table entries.
The string applies to all fields.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Operation ID The operation ID for the attack operation.
Name The name of the operation.
Type The type of operation.
Operation Networks The IP address of the attacked destination as detected by the selected detection
device. For multiple networks, left-click the search icon to the right of the word “Multiple” to see
the list of networks.
Start Time Start time of the operation.
Policy The policy used by the operation.
Duration The duration of the operation.
BGP FlowSpec The FlowSpec rule used by the operation.

Full View Parameters — Log


The following are the activations log parameters.

Table 28: Full View Parameters — Log

Parameter Description
In the Search field above the table, enter a string to search or filter the number of table entries.
The string applies to all fields.
You can manually add a log. Click Add Log, enter free text in the Add New Log field in the dialog
box, and click Add Log.
Timestamp Attack start time.
Event Type Type of event.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Event Description Detailed description of the event.
Detection ID The unique attack ID for the attack. This ID remains with the attack record for the
record’s entire lifetime. This attack ID is internal to DefenseFlow and not related
to any external IDs associated with the attack.
Operation ID The operation ID for the attack operation.
User Username for user-generated event.
• For system-initiated logs, the username is system.
• For user-created logs, the username is the user’s username (for example:
Operator).

Click the icon to display the full log details.

System
The System pane displays system monitoring and report metrics. These metrics enable you to view
and track real-time and historical information on selected system elements.
Statistics are displayed for the following systems:
• DefenseFlow, page 110
• DefensePro, page 113
• Routers, page 114

DefenseFlow
The DefenseFlow statistics include the following:
• High Availability, page 111
• General Information, page 112
• System Utilization Details, page 112
• Background Processes, page 112


High Availability
The High Availability widget displays the status of High Availability nodes.

Table 29: High Availability Parameters

Node Description
Active IP address The IP address of the active node. Indicates the operational status of the Active
Node (Up or Down), and the Node Role. If there is only one node, the node role is Standalone.
Standby IP address The IP address of the standby node, if available. Indicates the operational
status of the Standby Node (Up or Down), and the Node Role.

APSolute Vision supports high availability for a DefenseFlow-instance pair that is associated with the
APSolute Vision server by allowing a seamless automatic failover from the active DefenseFlow
instance to the standby instance.
All APSolute Vision DefenseFlow functionality relates to the active instance only.
Upon a DefenseFlow failover, APSolute Vision will maintain all data of the failed DefenseFlow
instance to avoid any data loss or discrepancies due to the failover.
The signaling between the DefenseFlow instances and APSolute Vision is done through the
defenseflow system user, by default.
For more information on configuring High Availability, see High Availability, page 203.


General Information
The General Information widget displays DefenseFlow general system information.

Table 30: General Information Parameters

Parameter Description
Build Currently installed DefenseFlow software build.
Version Currently installed DefenseFlow software version.
Uptime Time since the last reboot of the system, in the format hh:mm:ss (hours:minutes:seconds).

System Utilization Details


The System Utilization widget displays the current DefenseFlow utilization statistics and set alert
levels.

Table 31: System Utilization Parameters

Parameter Description
Container System Utilization Statistics
Note: When containers other than Host are up, a "-" (hyphen) displays for the Disk Space
Utilization for those containers. If a service or container is down, "N/A" displays for all the
utilization values for that container.
Container Name Name of the container monitored by DefenseFlow.
CPU Utilization Percentage of CPU currently being utilized by the container.
Memory Utilization Percentage of memory currently being utilized by the container.
Disk Space Utilization Percentage of disk space currently being utilized by the container.
Update Time Last monitored update time.

To dynamically change the utilization alert limits


You can dynamically change the utilization alert limits.

1. At the top right of the System Utilization Details widget, click the icon.
2. Set the alert limit percentages as required.
3. Click Save.

Background Processes
The Background Process widget displays the statuses of background processes running in
DefenseFlow to help you determine if an unsynchronized task is completed or still running.

Table 32: Background Processes Parameters

Parameter Description
Process Description Description of the background process and sub-processes.
Error Message Error message related to the status update.

Update Time Date and time of the status update for the background process.

To search for a background process


Instead of scrolling through the full list of background processes to find a particular background
process, you can search for that background process using the Search/Filter field.
1. Mouse-click in the Search/Filter field.
2. Enter the string for which you want to search.
3. To clear the filter and perform a new search, click Clear next to the Search/Filter field.

DefensePro
The DefensePro Device Status table displays statistics for the configured DefensePro mitigation
device.

Table 33: DefensePro Device Status Parameters

Parameter Description
Operation Status The operational status of the mitigation device.
Name The name of the mitigation device.
CPU Utilization Percent of the CPU utilization of the mitigation device.
BW Utilization (Gbps) Percent of the bandwidth utilization of the mitigation device.
Value: percentage_utilized (bandwidth_utilized/total_bandwidth)

Example
5.0% (3.00/60.00)
In this example, 5.0% of the total bandwidth (60.00 Gbps) is utilized (3.00 Gbps).
Policies Utilization Percent of the policies table utilization of the mitigation device.
Filter Lists Utilization Percent of the filter list utilization of the mitigation device.
Managed Whether the mitigation device is managed.
Values: true, false

Geo Feed Status Geolocation Feed status:
• Active — The Geolocation Feed on the DefensePro mitigation device is active.
• Inactive — The Geolocation Feed on the DefensePro mitigation device is
inactive.
Default: Active
Last Error The last device access error that was issued.

Examples:
• Authentication error
• Unable to connect to the mitigation device
Update Time Last monitored update time.

To search for the status of a DefensePro device


Instead of scrolling through the full list of DefensePro devices to find a particular DefensePro device,
you can search for that DefensePro device using the Search/Filter field.
1. Mouse-click in the Search/Filter field.
2. Enter the string for which you want to search.
3. To clear the filter and perform a new search, click Clear next to the Search/Filter field.

Routers
The Routers tab includes the following sets of statistics:
• BGP Peers, page 114
• Announcements, page 116
• BGP FlowSpec, page 117

BGP Peers
The BGP Peers table displays the statistics for BGP peers.

Table 34: BGP Peers Parameters

Parameter Description
Peering State Peering state of the BGP peer.
Values:
• Active — The router did not receive agreement for peer establishment.
• Established — Peering is established and routing begins.
Peer Name The name of the network element.
IP Address The IP address of the BGP peer.
Last Connectivity Time The last connectivity time of the BGP peer.
Local Router ID The DefenseFlow BGP peer ID.
The local peer ID in an HA installation is the IPv4 address of the HA Node control
interface.
Local IP Address The local IP address of the DefenseFlow device used to communicate with the
BGP peer. This is the control interface IP address.
In a High Availability (HA) installation, you can use this to distinguish between the
connections opened by the Active and the Standby HA nodes. As a result, in such
an installation there are two node entries per single network element.
The local IP address in an HA installation is the IPv4 address of the HA Node
control interface.
Local AS The local Autonomous System number.
Peer AS The peer Autonomous System number.
Announcements Number of BGP active announcements.
Withdrawals Number of withdrawals.
BGP FlowSpec State The FlowSpec state of the BGP peer.

To search for the status of a BGP peer


Instead of scrolling through the full list of BGP peers to find a particular BGP peer, you can search for
that BGP peer using the Search/Filter field.
1. Mouse-click in the Search/Filter field.
2. Enter the string for which you want to search.
3. To clear the filter and perform a new search, click Clear next to the Search/Filter field.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in descending order. Select the up arrow to sort in
ascending order.
3. Click the heading to reset the column sorting.


To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

Announcements
The Announcements table displays the statistics of the currently active BGP announcements.

Note: In a High Availability (HA) installation, per announcement, there are two entries representing
the two HA nodes.

Table 35: BGP Announcements Parameters

Parameter Description
Protected Object The name of the protected object for which the announcement was sent.
Note: If the protected object is under protection, and you modify an attribute that conflicts with
the ongoing protection, the change is performed only at the next activation of the protected object.
Operation Name The operation of the protected object for which the announcement was sent.
Note: If the protected object is under protection, and you modify an attribute that conflicts with
the ongoing protection, the change is performed only at the next activation of the protected object.
Status The status of the announcement.
Local IP Address The local IP address of the protected object for which the announcement was sent.
Peer Name The name of network element to which the announcement was sent.
Peer IP Address The IP address of the DefenseFlow BGP peer.
Network The destination network of the BGP announcement.
Next Hop The next hop address used for the BGP announcement.
Communities The BGP communities in the announcement.
AS Path The Autonomous System number of network element’s BGP peer.
Update Time The time the announcement was sent.


To search for BGP announcements


Instead of scrolling through the full list of BGP announcements to find a particular BGP
announcement, you can search for that BGP announcement using the Search/Filter field.
1. Mouse-click in the Search/Filter field.
2. Enter the string for which you want to search.
3. To clear the filter and perform a new search, click Clear next to the Search/Filter field.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in descending order. Select the up arrow to sort in
ascending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

BGP FlowSpec
The BGP FlowSpec table displays the statistics of currently advertised FlowSpec rules.

Table 36: BGP FlowSpec Parameters

Parameter Description
Protected Object The protected object name.
Operation Name The operation associated with the protected object.
Rule Name The rule associated with the protected object.
Destinations The destination prefixes to block as defined in the FlowSpec rule.
Source The source prefix to block as defined in the FlowSpec rule.
Peers The IP address to block as defined in the FlowSpec rule.

Communities The community to block as defined in the FlowSpec rule.
Source Port The source port to block as defined in the FlowSpec rule.
Destination Port The destination port to block as defined in the FlowSpec rule.
Port The port to block as defined in the FlowSpec rule.
Protocol The protocol to block as defined in the FlowSpec rule.
ICMP Type The ICMP type to block as defined in the FlowSpec rule.
ICMP Code The ICMP code to block as defined in the FlowSpec rule.
TCP Flags The TCP flag to block as defined in the FlowSpec rule.
Packet Length The packet length to block as defined in the FlowSpec rule.
DSCP The DSCP to block as defined in the FlowSpec rule.
Fragment The fragment to block as defined in the FlowSpec rule.
Route Tag Name The name of the route tag to which to redirect as defined in the FlowSpec rule.
Route Tag Route The route tag route to which to redirect as defined in the FlowSpec rule.
Redirection for Mitigation The mitigation redirection status (enabled or disabled) for the FlowSpec
rule.
Redirect Mitigation Next Hop The device to which to redirect for mitigation as defined in the
FlowSpec rule.
Block The blocking status (enabled or disabled) for the FlowSpec rule.
Rate Limit (Bytes/s) The rate limit to block as defined in the FlowSpec rule.
Set DSCP The update setting for DSCP header in the FlowSpec rule.

To search for BGP FlowSpec parameters for a protected object


Instead of scrolling through the full list of BGP FlowSpec parameters to find a particular protected
object, you can search for that protected object using the Search/Filter field.
1. Mouse-click in the Search/Filter field.
2. Enter the string for which you want to search.
3. To clear the filter and perform a new search, click Clear next to the Search/Filter field.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in descending order. Select the up arrow to sort in
ascending order.
3. Click the heading to reset the column sorting.


To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

Security Settings
The Security Settings perspective lets you configure protected objects, including their associated
workflows, detections, operations, and mitigations.

The perspective includes the following tabs:


• Protected Objects, page 119
• Workflows, page 129
• Detections, page 137
• Operations, page 141
• Mitigations, page 154

Protected Objects
Protected objects are the services you use DefenseFlow to protect.
Use the Protected Objects pane to view, configure, or delete protected objects. The initial view
displays existing objects and lets you search for a specific protected object.

To add a protected object


1. From the Security Settings perspective, select Protected Objects.


2. Click the (Add) button.


3. Configure the protected object and click Submit.

Table 37: Protected Object Parameters

Parameter Description
Basic Settings
Basic Settings includes General, Protected Networks, and Mitigation parameters.
General • Name — Name of the protected object.
Maximum number of characters: 255
• Description — Description of the protected object.
Maximum number of characters: 255
• Status — Select whether the protected object is enabled or disabled.
Default: Enabled
Protected Networks List of protected networks and their associated edge networks or route tags.
Maximum number of network entries:
• 10,000 for protected objects with an external detector
• 500 for protected objects with Radware’s collector
Note: The total number of networks for all protected objects together is limited to 250,000.

Click the (Add) button and configure the protected network parameters:
• Use Any Network Address — All networks are protected. By default, it is disabled. When you
deselect it, the Network Address text box displays.
• Network Address — List of IPv4 or IPv6 network addresses, each with its subnet prefix, separated
by a comma (“,”). Examples: 10.10.10.0/24, 11.11.11.0/24
• Clean Traffic Injection — When you select this option, the protected network types display (Edge
Network and Route Tag). Select one of the options:
— Edge Network — The element associated with the protected networks. In a single-entry
multiple network, addresses should all be associated with the same edge network.
— Route Tag — This option displays when you select Route Tag as the Protected Network Type. The
route tag associated with the protected networks. Select from the list of configured route tags
(see Route Tags, page 217).
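An added example (not DefenseFlow code) that validates a Network Address list the way an operator might before bulk-loading protected objects: it parses the comma-separated IPv4/IPv6 prefixes and enforces the per-object limits (10,000 with an external detector, 500 with Radware’s collector) and the 250,000 total stated above. The detector-type keys, the function names and the rejection of entries without a prefix length are assumptions made for this illustration.

```python
"""Validate a DefenseFlow protected-object Network Address list.

Added example, not DefenseFlow code.  The limits come from the guide; the
detector-type keys, function names and the requirement that every entry
carry a prefix length are assumptions made for this illustration.
"""
import ipaddress

# Per-object limits stated in the guide, keyed by detector type (keys assumed).
MAX_NETWORKS_PER_OBJECT = {
    "external": 10_000,         # protected objects with an external detector
    "radware_collector": 500,   # protected objects with Radware's collector
}
MAX_NETWORKS_TOTAL = 250_000    # all protected objects together


def parse_network_list(text):
    """Parse the comma-separated Network Address field into ip_network objects.

    Entries are rejected when they lack a prefix length or have host bits set
    (strict=True), so 10.10.10.5/24 is not silently widened to 10.10.10.0/24.
    """
    networks = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:           # tolerate a trailing comma or a double comma
            continue
        if "/" not in entry:
            raise ValueError(f"missing prefix length: {entry!r}")
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad network {entry!r}: {exc}") from None
    return networks


def check_protected_networks(text, detector_type, networks_elsewhere=0):
    """Return (networks, overlaps) if the list satisfies the guide's limits.

    networks_elsewhere is the number of networks already configured on all
    other protected objects, so the 250,000 total can be enforced too.
    Overlapping prefixes are legal but usually unintended, so they are
    returned as pairs for the operator to review rather than rejected.
    """
    networks = parse_network_list(text)
    limit = MAX_NETWORKS_PER_OBJECT[detector_type]
    if len(networks) > limit:
        raise ValueError(f"{len(networks)} networks exceeds the {limit} allowed "
                         f"for detector type {detector_type!r}")
    if networks_elsewhere + len(networks) > MAX_NETWORKS_TOTAL:
        raise ValueError("total networks across all protected objects would "
                         f"exceed {MAX_NETWORKS_TOTAL}")
    # Mixed IPv4/IPv6 pairs never overlap; ipaddress returns False for them.
    overlaps = [(a, b) for i, a in enumerate(networks)
                for b in networks[i + 1:] if a.overlaps(b)]
    return networks, overlaps


if __name__ == "__main__":
    # Constructed input mirroring the guide's examples plus an IPv6 prefix.
    nets, dups = check_protected_networks(
        "10.10.10.0/24, 11.11.11.0/24, 2001:db8::/32", "external")
    print([str(n) for n in nets], dups)
```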

Mitigations The mitigation parameters for the protected object, including:
• Update from Security Policy Templates — Select this option if you want to
update the security policy from an existing security policy template or add a
new template.
Note: If this check box is not selected, the Security Policy Template text box and (Add) button
are grayed out, and the security policy used is the one defined using a template from the Security
Policy Templates pane (see Security Policy Templates, page 155).
• Security Policy Template — Do one of the following:
— Select the security template from the Security Template drop-down list
and edit it if required by clicking the (Edit) button.
For an existing template:
• If it is a GUI type template, the Edit Security Policy Template dialog
box displays with the various security policy sections and parameters.
For more information on configuring these parameters, see Security
Policy Templates, page 155).
• If it is a Text template, the Edit Security Policy Template dialog box
displays with the Description and Template (the policy text) fields.
The policy text includes DefensePro traffic filters.

— Click the (Add) button and configure a new security template from the
Security Policy Templates pane (see Security Policy Templates, page 155)
• Peak Traffic Bandwidth (bits/sec) — Peak traffic value to use, in bits per
second, in case of activation when no attack information is available.
• Policy Priority — The precedence that this security policy has in relation to
other security policies, where precedence High gets the highest priority, and
precedence None gets the lowest priority. This is relevant for overlapping
protected objects if more than one policy is configured on the DefensePro
device.
Values: None, Low, Medium, High
Default: None
Each of the policy precedence values represents a range of DefensePro priority values:
— None — For granular mitigation, 8001 – 16000; for non-granular
mitigation, 1 – 8000
— Low — For granular mitigation, 24001 – 32000; for non-granular
mitigation, 16001 – 24000
— Medium — For granular mitigation, 40001 – 48000; for non-granular
mitigation, 32001 – 40000
— High — For granular mitigation, 56001 – 63999; for non-granular
mitigation, 48001 – 56000
Based on the DefenseFlow precedence you selected, DefenseFlow assigns to
the policy the next available priority number in the precedence range. If the
assigned priority number is the same as for the existing policy in DefensePro,
DefensePro adds 10 to the policy’s priority number so that the policy is
executed as expected.
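An added example (not DefenseFlow or DefensePro code) that models the priority assignment described above: the precedence-to-range table and the add-10 collision rule are taken from this guide, while choosing the lowest unused number as the "next available" priority and the function names are assumptions. It also includes the reverse lookup an operator needs when reading a priority number off the DefensePro device.

```python
"""Model DefensePro policy priority assignment from the Policy Priority precedence.

Added example, not DefenseFlow or DefensePro code.  The precedence ranges and
the "add 10 on a clash" rule are taken from the guide; choosing the lowest
unused number as the "next available" priority, and the function names, are
assumptions.
"""

# Inclusive DefensePro priority ranges per precedence, from the guide:
#   precedence: ((granular low, high), (non-granular low, high))
PRIORITY_RANGES = {
    "None":   ((8001, 16000), (1, 8000)),
    "Low":    ((24001, 32000), (16001, 24000)),
    "Medium": ((40001, 48000), (32001, 40000)),
    "High":   ((56001, 63999), (48001, 56000)),
}


def precedence_range(precedence, granular):
    """Return the (low, high) DefensePro priority range for a precedence."""
    granular_range, non_granular_range = PRIORITY_RANGES[precedence]
    return granular_range if granular else non_granular_range


def assign_priority(precedence, granular, defenseflow_assigned, defensepro_existing):
    """Return (requested, effective) priority for a new policy.

    defenseflow_assigned: priorities DefenseFlow already handed out in this
    range (lowest unused number is assumed to be the "next available").
    defensepro_existing: priorities of policies already on the DefensePro
    device; when the requested number is taken, DefensePro adds 10 (guide).
    """
    low, high = precedence_range(precedence, granular)
    requested = next((p for p in range(low, high + 1)
                      if p not in defenseflow_assigned), None)
    if requested is None:
        raise RuntimeError(f"no free priority in the {precedence} range {low}-{high}")
    effective = requested + 10 if requested in defensepro_existing else requested
    return requested, effective


def classify_priority(priority):
    """Reverse lookup: (precedence, granular) for a priority seen on DefensePro.

    Returns None when the number lies outside every range, for example after
    the +10 adjustment pushes it past the top of its range.
    """
    for precedence, (granular, non_granular) in PRIORITY_RANGES.items():
        if granular[0] <= priority <= granular[1]:
            return precedence, True
        if non_granular[0] <= priority <= non_granular[1]:
            return precedence, False
    return None


if __name__ == "__main__":
    # Constructed state: DefenseFlow has already used 32001, and the device
    # independently holds a policy at 32002.
    print(assign_priority("Medium", False, {32001}, {32002}))   # (32002, 32012)
    print(classify_priority(32012))                              # ('Medium', False)
```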

Mitigations (continued) This is a continuation of the mitigation parameters for the protected object:
• Geolocation — If you want this security policy to override the geolocation
operation, select the geolocation from the Geolocation drop-down list and
edit it if required by clicking the (Edit) button, or click the (Add) button
and configure a new geolocation (see Geolocations, page 184).
Select the override action:
— Block — Block the selected geolocation or Geolocation feed group
(default).
— Allow — Allow the selected geolocation or Geolocation feed group
(default).
• Show/Edit Related Security Policy — Show and/or edit the security policy
associated to the protected object.

Click the (Edit) button. The Show/Edit Security Policy dialog box
displays the Security Policy text box, which you can edit as needed. The
policy text includes DefensePro traffic filters.
You can resize the text box as required by dragging the icon at the bottom
right-hand corner of the scroll bar.
Maximum number of characters: 1,000,000

Workflow The workflow associated with the protected object.
Do one of the following:
• Click the (Add) button to configure a new workflow to be associated with this protected object:
Note: If you decide that you do not want to add a new workflow but instead use an existing
workflow, click the (Reset) button. Go to the second option below, which describes how to select
an existing workflow.
— Name — Name of the new workflow.
— Description — Description of the new workflow.
— Detection — Select from the list of existing detections to associate with this workflow. You can
edit it if required by clicking the (Edit) button, or click the (Add) button and configure a new
detection (see Detections, page 137).
— Provisioning — Select from the list of existing operations to be performed upon provisioning of
the protected object associated with this workflow. You can edit it if required by clicking the
(Edit) button, or click the (Add) button and configure a new operation (see Operations, page 141).
• Select an existing workflow and update it as required:
— Select Workflow — Select from a list of existing workflows and edit it if required with the (Edit)
button.
— Description — (Read-only) Description of the selected workflow.
— Detection — The detection associated with the selected workflow. You can edit it if required by
clicking the (Edit) button, or click the (Add) button and configure a new detection (see
Detections, page 137).
— Provisioning — The operation to be performed upon provisioning of a protected object associated
with the selected workflow. You can edit it if required by clicking the (Edit) button, or click the
(Add) button and configure a new operation (see Operations, page 141).

Workflow Rules
The set of criteria-based operation rules for the workflow.
Rules
1. Click the (Add) button to add a workflow rule.
2. Set the parameters for the criteria-based operation rules.
The enter and exit criteria comprise a set of conditions with AND or OR
operators. You can define the same criteria with multiple operations.
DefenseFlow performs all operations that meet the operation’s criteria.
— Enter Criteria — The enter criteria for the workflow. DefenseFlow starts the
operation if the criteria are met on detection.
For a description and examples of the possible criteria, see Table 113 -
Workflow Rule Conditions: Events, page 254.
You build the enter criteria by selecting events/conditions and operators
from the Enter Criteria drop-down list. After selecting an event/condition,
if you want to add an AND or OR condition:
a. After the event/condition, type a space, the word AND or OR as
appropriate, then another space.
b. Select the next event/condition.
— Enter Criteria User Action Mode — Select the user action mode for the
enter criteria from the drop-down list. Values:
• Automatic — DefenseFlow performs the chosen operation based on the
enter criteria.
• User Confirmation — When the enter criteria are met, the operator is
prompted to confirm activating the defined operation or to choose
another operation.
— Exit Criteria — The exit criteria for the workflow. DefenseFlow stops the
operation if the criteria are met.
For a description and examples of the possible criteria, see Table 113 -
Workflow Rule Conditions: Events, page 254.
You build the exit criteria by selecting events/conditions and operators
from the Exit Criteria drop-down list. After selecting an event/condition, if
you want to add an AND or OR condition:
a. After the event/condition, type a space, the word AND or OR as
appropriate, then another space.
b. Select the next event/condition.
— Exit Criteria User Action Mode — Select the user action mode for the exit
criteria from the drop-down list. Values:
• Automatic — DefenseFlow performs the chosen operation based on the
exit criteria.
• User Confirmation — When the exit criteria are met, the operator is
prompted to confirm activating the defined operation or to choose
another operation.
— Operation — Operation for this workflow rule. This is an operation that is
configured using the Operations pane (see Operations, page 141).
— Operation Type (read-only) — The type of operation as defined for the
operation you selected.

3. To delete a workflow rule, select the rule and click the Delete button.

Threshold Detections
FlowDetector Thresholds The FlowDetector thresholds for the protected object. This is relevant only if
DefenseFlow uses Radware DefenseFlow FlowDetector to analyze Layer 3-4 flow
metadata (records of actual sessions) received from the control plane. For
more information, see the latest Radware DefenseFlow FlowDetector User Guide.
Using FlowDetector thresholds is optional; they can be used in addition to other
detections. Each activation threshold is configured independently of the other
thresholds. An attack is reported when traffic exceeds an activation threshold.
Thresholds are specified in megabits per second (Mbps) for bandwidth and in
packets per second (pps) for rate. You can append a unit suffix to the value, for
example 50m or 10k.
All thresholds apply to both IPv4 and IPv6 traffic.
Values:
• TCP Activation — Manually set the Mbps and/or pps for this threshold.
• UDP Activation — Manually set the Mbps and/or pps for this threshold.
• ICMP Activation — Manually set the Mbps and/or pps for this threshold.
• Total Activation — Manually set the Mbps and/or pps for this threshold.
Advanced Settings
Diversion Settings Diversion settings for the protected object.
Click the Edit button. The Diversion Settings dialog box displays with the
following parameters:
• BGP Community — The BGP community values to be sent to the diversion
groups that should receive them per the operation. Multiple communities can
be configured, separated by a space.
In addition, the well-known communities NO_EXPORT, NO_ADVERTISE,
NO_EXPORT_SUBCONFED and NOPEER can be specified by name.
• Primary Next Hop IPv4 — The primary IPv4 next hop that is used instead of
the operation next hop.
• Secondary Next Hop IPv4 — The secondary IPv4 next hop that is used instead
of the operation next hop.
• Primary Next Hop IPv6 — The primary IPv6 next hop that is used instead of
the operation next hop.
• Secondary Next Hop IPv6 — The secondary IPv6 next hop that is used instead
of the operation next hop.
• AS Path — The AS-Paths to be used as part of the protected object’s BGP
advertisements.
You can specify multiple AS-Paths delimited by a space or a comma.
Examples:
— 100 200 300 400 600 400 500
— 400, 500
• IPv4 NLRI — When configured, the IPv4 NLRI (Network Layer Reachability
Information) DefenseFlow uses in its BGP advertisements and withdrawals.
• IPv6 NLRI — When configured, the IPv6 NLRI (Network Layer Reachability
Information) DefenseFlow uses in its BGP advertisements and withdrawals.
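The following Python snippet is an added example for this guide, not DefenseFlow code, and DefenseFlow's own validation rules for this dialog are not documented here. It shows the checks an operator can run on a Diversion Settings entry before submitting it: it resolves the well-known community names listed above to their RFC 1997 and RFC 3765 values, packs ASN:VALUE communities, accepts both AS-path delimiters the guide allows, and rejects an IPv4/IPv6 NLRI that falls outside the protected object's networks or a next hop that lies inside a prefix about to be announced. The function names and the sample addresses (RFC 5737 and RFC 3849 documentation ranges) are this example's own.

```python
import ipaddress
import re
from typing import Dict, List, Sequence

# Well-known community values: NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED (RFC 1997)
# and NOPEER (RFC 3765), the names the Diversion Settings dialog accepts.
WELL_KNOWN_COMMUNITIES = {
    "NO_EXPORT": 0xFFFFFF01,
    "NO_ADVERTISE": 0xFFFFFF02,
    "NO_EXPORT_SUBCONFED": 0xFFFFFF03,
    "NOPEER": 0xFFFFFF04,
}


def parse_communities(text: str) -> List[int]:
    """Space-separated communities, e.g. '65000:100 NO_EXPORT', as 32-bit values."""
    out = []
    for tok in text.split():
        if tok.upper() in WELL_KNOWN_COMMUNITIES:
            out.append(WELL_KNOWN_COMMUNITIES[tok.upper()])
            continue
        m = re.fullmatch(r"(\d{1,5}):(\d{1,5})", tok)
        if not m or int(m.group(1)) > 0xFFFF or int(m.group(2)) > 0xFFFF:
            raise ValueError(f"bad community {tok!r}: expected ASN:VALUE or a well-known name")
        out.append((int(m.group(1)) << 16) | int(m.group(2)))
    return out


def parse_as_path(text: str) -> List[int]:
    """Accepts both delimiters shown in the guide: '100 200 300' or '400, 500'."""
    asns = [int(t) for t in re.split(r"[,\s]+", text.strip()) if t]
    if not asns or any(not 1 <= a <= 0xFFFFFFFF for a in asns):
        raise ValueError("AS path must be a list of AS numbers in 1..4294967295")
    return asns


def validate_diversion(protected_networks: Sequence[str], nlri: Sequence[str],
                       next_hops: Sequence[str], communities: str, as_path: str) -> Dict:
    """Cross-check one protected object's Diversion Settings and return the normalized values."""
    nets = [ipaddress.ip_network(n) for n in protected_networks]
    announced = []
    for p in nlri:
        pfx = ipaddress.ip_network(p)
        # An announced prefix must lie inside a network this protected object owns; anything
        # else would divert traffic for addresses that are not ours (a self-inflicted hijack).
        if not any(pfx.subnet_of(n) for n in nets if n.version == pfx.version):
            raise ValueError(f"NLRI {p} is not within the protected object's networks")
        announced.append(pfx)
    hops = [ipaddress.ip_address(h) for h in next_hops]
    for h in hops:
        # A next hop inside a prefix we are about to divert resolves over the diversion route
        # itself, so the traffic would loop instead of reaching the scrubbing center.
        if any(h in pfx for pfx in announced):
            raise ValueError(f"next hop {h} lies inside an announced prefix")
    return {
        "nlri": [str(p) for p in announced],
        "next_hops": [str(h) for h in hops],
        "communities": parse_communities(communities),
        "as_path": parse_as_path(as_path),
    }


if __name__ == "__main__":
    # Constructed input using documentation address ranges (RFC 5737 / RFC 3849).
    print(validate_diversion(
        protected_networks=["198.51.100.0/24", "2001:db8::/32"],
        nlri=["198.51.100.0/25", "2001:db8:1::/48"],
        next_hops=["192.0.2.1", "2001:db8:ffff::1"],
        communities="65000:100 NO_EXPORT",
        as_path="100 200 300 400 600 400 500",
    ))
```

The NLRI containment check is the one most worth keeping in a change process: the Primary/Secondary Next Hop fields override the operation's next hop, and the NLRI fields override what is advertised, so a typo in either can redirect traffic for a network the protected object does not own.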

Override Default Attack Termination Grace Period Select this option if you want this security policy to override the
default number of seconds for the attack termination grace period. Type in the override value, in
seconds.
Override Workflow Action Mode If you want this security policy to override the workflow action mode, select the
mode to override from the Workflow Action Mode drop-down list:
• Automatic — DefenseFlow performs the chosen operation based on the defined
criteria.
• Manual — The operator initiates the operation regardless of any detection.
• User Confirmation — When the operation criteria are met, the operator is
prompted to confirm activating the defined operation or to choose another
operation.
Granular DefensePro Detector Enables Granular DefensePro Detection. This lets you divert a more specific CIDR
block within the Protected Object’s defined set of protected networks.
When selected, the following parameters display:
• Granular Protection Prefix IPv4 — The IPv4 CIDR block that is diverted
when the Granular Protection Threshold is reached.
• Granular Protection Prefix IPv6 — The IPv6 CIDR block that is diverted
when the Granular Protection Threshold is reached.
• Granular Protection Threshold — The number of destination IP addresses
on the same CIDR block before the entire diverted prefix size is diverted.
Values: 1-2147483647
Notes:
• Granular DefensePro Detection is performed when there is a match to the
Workflow rule associated with the Protected Object, and if you have defined a
threshold, when the threshold is met.
• Granular DefensePro detection only works when the following Operations
parameters (see Operations, page 141) are configured with the following
values:
— Divert Entire Protected Object Network — Unselected
— Minimum IPv4 Advertised Subnet — 32
— Minimum IPv6 Advertised Subnet — 128
— Granular Mitigation — Unselected
If you activate Granular DefensePro Detection for an existing Protected
Object and any of these parameters is not set to the required value, an error
message indicates this.
If you activate Granular DefensePro Detection while creating a new Protected
Object and the Granular Protection Prefix you set is less specific than (covers
more addresses than) the prefix set for the Protected Object, an error message
indicates this.
• Sample syslogs, as well as Occurred syslogs that include Sample syslogs, are
not included in the Volume and Rate values on the Security Operations
dashboard.
• For this feature, there is no attack termination grace period. Once you receive
a Term syslog for an ongoing Sample, the attack ends.
• Granular DefensePro Detection only works with the regular BGP protocol and
not with the BGP FlowSpec protocol.

Granular DefensePro Detector (continued) Granular DefensePro Detector configuration.
There are two configuration options for Granular DefensePro protection:
— Diverting multiple attacks — For this option, only enable Granular
DefensePro Detection and do not set any of the Granular DefensePro
Detection parameters:
a. If a Start, Sample, or Ongoing syslog for the first attack is issued for
one of the protected network addresses, /32 diversion is performed
on the Protected Object’s defined set of protected network addresses.
b. When subsequent attack IP addresses are detected, /24 diversion is
performed on the entire set of protected network addresses.
c. On the Security Operations dashboard, the first attack is listed as /32
diversion, and all subsequent attacks are listed individually as /24.
— Diverting multiple attacks with a threshold for the number of
attacks — For this option you set the Granular DefensePro Detection
parameters (see Example below):
a. When the number of attacks on IP addresses remains below the
Granular Protection Threshold that you defined, /32 diversion is
performed.
b. When the number of attacks reaches the threshold that you defined,
diversion is performed according to the Granular Protection
Prefix you defined (IPv4 or IPv6, as appropriate).
Example:
A Protected Object is defined as 4.4.0.0/16. The Granular
Protection Threshold is set to 3. The Granular Protection Prefix
IPv4 size is set to /24.
• If for the first attack IP address 4.4.4.2 is under attack, /32
diversion occurs.
• If for the second attack IP address 4.4.4.3 is under attack, /32
diversion occurs.
• If for the third attack IP address 4.4.4.4 is under attack, the
threshold is met, and /24 diversion occurs.
c. On the Security Operations dashboard, all individual attacks up to and
including the one at which the threshold is met are displayed.
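The following Python model of the threshold logic above is an added example for this guide, not DefenseFlow code. The class name GranularDiversion and its methods are invented here. Two behaviours the guide does not state precisely are assumptions, marked in the code: the no-threshold mode is treated as a threshold of 2 with a /24 block (a /64 block for IPv6), and attacked hosts are counted per granular block. The example also reproduces the configuration check the guide describes (a Granular Protection Prefix that is less specific than the protected network is rejected) and runs the guide's 4.4.0.0/16 example.

```python
import ipaddress
from typing import Dict, List, Optional, Set


class GranularDiversion:
    """Model of the Granular DefensePro Detection decision described in this section.

    Each attacked destination reported by DefensePro is diverted as a host route
    (/32 for IPv4, /128 for IPv6) until the number of distinct attacked hosts inside
    one Granular Protection Prefix block reaches the threshold; from then on the whole
    block is diverted.  Assumptions not stated by the guide: the no-threshold mode is
    modelled as threshold 2 with a /24 block (IPv4) or /64 block (IPv6), and hosts are
    counted per block.
    """

    def __init__(self, protected_network: str, granular_prefix_len: Optional[int] = None,
                 threshold: Optional[int] = None) -> None:
        self.network = ipaddress.ip_network(protected_network)
        self.host_len = self.network.max_prefixlen            # 32 or 128
        if granular_prefix_len is None:                       # "diverting multiple attacks" mode
            granular_prefix_len = 24 if self.network.version == 4 else 64
        # Same sanity check the guide reports as an error when the Protected Object is
        # created: the granular block must sit inside the protected network, never above it.
        if not self.network.prefixlen <= granular_prefix_len <= self.host_len:
            raise ValueError("Granular Protection Prefix must be within the protected network")
        self.granular_prefix_len = granular_prefix_len
        self.threshold = 2 if threshold is None else threshold
        if self.threshold < 1:
            raise ValueError("Granular Protection Threshold must be >= 1")
        self._attacked: Dict[str, Set[str]] = {}             # granular block -> attacked hosts

    def on_attack(self, destination: str) -> str:
        """Return the prefix to divert for a Start/Sample/Ongoing syslog about `destination`."""
        addr = ipaddress.ip_address(destination)
        if addr not in self.network:
            raise ValueError(f"{destination} is not in protected object {self.network}")
        block = str(ipaddress.ip_network(f"{addr}/{self.granular_prefix_len}", strict=False))
        hosts = self._attacked.setdefault(block, set())
        hosts.add(str(addr))                                  # repeated syslogs for one host count once
        if len(hosts) >= self.threshold:
            return block                                      # threshold met: divert the whole block
        return f"{addr}/{self.host_len}"                      # below threshold: host route only

    def diverted_blocks(self) -> List[str]:
        """Granular blocks whose threshold has been reached so far."""
        return sorted(b for b, h in self._attacked.items() if len(h) >= self.threshold)


if __name__ == "__main__":
    # The guide's example: Protected Object 4.4.0.0/16, threshold 3, prefix /24.
    g = GranularDiversion("4.4.0.0/16", granular_prefix_len=24, threshold=3)
    for dst in ("4.4.4.2", "4.4.4.3", "4.4.4.4"):
        print(dst, "->", g.on_attack(dst))
```

Running it prints /32 diversions for the first two hosts and 4.4.4.0/24 for the third, matching the worked example above. The per-block count means an attack on a host in 4.4.5.0/24 starts its own count and does not widen the 4.4.4.0/24 diversion.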

To duplicate existing protected objects


You can duplicate an existing protected object to use as a basis for creating a new protected object.
1. From the Security Settings perspective, select Protected Objects.
2. Do the following:
— If you do not immediately see the protected object that you want to duplicate in the table,
search for the protected object by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the protected object you want to duplicate, select the protected object and
click the Duplicate button to open the protected object.

3. Edit the parameters for the new protected object, and then click Submit to save your changes.
A new protected object is created.

To edit a protected object


1. From the Security Settings perspective, select Protected Objects.
2. Do the following:
— If you do not immediately see the protected object that you want to edit in the table, search
for the protected object by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the protected object you want to edit, click the Expand Row button to
open the protected object.
3. Edit the parameters for the protected object, and then click Submit to save your changes.

To enable/disable protected objects


1. From the Security Settings perspective, select Protected Objects.
2. Do the following:
— If you do not immediately see the protected objects that you want to enable/disable in the
table, search for the protected objects by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the protected objects you want to enable/disable, do one of the following:
• To enable disabled protected objects, select the protected objects and click the
Enable button to enable them.
• To disable enabled protected objects, select the protected objects and click the
Disable button to disable them.
A message displays indicating that the protected objects have been enabled or disabled, as
appropriate.

To delete protected objects


You can delete one or multiple protected objects.
1. From the Security Settings perspective, select Protected Objects.
2. Do the following:
— If you do not immediately see the protected objects you want to delete in the table, search
for the protected objects by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the protected objects you want to delete, select the protected objects and
click the Delete button to delete them.

3. In the Confirmation dialog box, click Confirm to delete the protected objects.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

Workflows
A workflow is a predefined set of criteria-based security operations that DefenseFlow can perform for
a service on provisioning and upon attack.

Use the Workflows pane to view, configure, or delete workflow configurations. The initial view
displays existing workflows and lets you search for a workflow.

To add a workflow
1. From the Security Settings perspective, select Workflows.

2. Click the Add button.

3. Configure the workflow and click Submit.

Note: DefenseFlow has predefined workflows that can be used as is, modified, or referenced
for the creation of new workflows, as described in the following table:

Workflow Description
AlwaysOnMitigateOnly Provision mitigation (with no diversion) upon provisioning of the protected object
on a device that is either in-line with the traffic or to which the diversion is
performed manually.
BGPFlowSpecBlock Upon attack detection, activate a BGP FlowSpec rule to block the traffic to the
protected object on the routers.
BlackHoleDivert Divert traffic from a Tier1 network element group to a black-hole address upon
attack detection.
OutOfPathDivertMitigateInject Upon attack detection, configure mitigation and injection on the mitigation
devices and divert the traffic to them from a Tier1 network element group.
SmartTapDetection Provision a policy on the device connected in tap mode for detecting attacks on
the protected object.
SmartTapDivertInject Upon attack detection, divert the traffic to the mitigation device and configure
clean traffic injection on the mitigation device.

Table 38: Workflow Parameters

Parameter Description
Name Name of the workflow.
Maximum number of characters: 255
Description Description of the workflow.
Maximum number of characters: 255
Detection Select a detection method to associate with this workflow using one of the
following options:
• Select a detection method to associate with this workflow. This is a group of
detections that was configured using the Detection pane (see Detections,
page 137).
• Add a new detection method to associate with this workflow. For a description
of how to add a detection method, see Detections, page 137.
Provisioning Select an operation to be performed upon provisioning of a protected object
associated with this workflow using one of the following options:
• Select an operation to associate with this workflow. This is an operation that
was configured using the Operations pane (see Operations, page 141).
• Add a new operation to associate with this workflow. For a description of how
to add an operation, see Operations, page 141.

Workflow Rules The set of criteria-based operation rules for the workflow.

1. Click the Add button to add a workflow rule.
2. Set the parameters for the criteria-based operation rules.
The enter and exit criteria comprise a set of conditions with AND or OR
operators. You can define the same criteria with multiple operations.
DefenseFlow performs all operations that meet the operation’s criteria.
— Enter Criteria — The enter criteria for the workflow. DefenseFlow starts the
operation if the criteria are met on detection.
For a description and examples of the possible criteria, see Table 113 -
Workflow Rule Conditions: Events, page 254.
You build the enter criteria by selecting events/conditions and operators
from the Enter Criteria drop-down list. After selecting an event/condition,
if you want to add an AND or OR condition:
a. After the event/condition, type a space, the word AND or OR as
appropriate, then another space.
b. Select the next event/condition.
— Enter Criteria User Action Mode — Select the user action mode for the
enter criteria from the drop-down list. Values:
• Automatic — DefenseFlow performs the chosen operation based on the
enter criteria.
• User Confirmation — When the enter criteria are met, the operator is
prompted to confirm activating the defined operation or to choose
another operation.
— Exit Criteria — The exit criteria for the workflow. DefenseFlow stops the
operation if the criteria are met.

For a description and examples of the possible criteria, see Table 113 -
Workflow Rule Conditions: Events, page 254.
You build the exit criteria by selecting events/conditions and operators
from the Exit Criteria drop-down list. After selecting an event/condition, if
you want to add an AND or OR condition:
a. After the event/condition, type a space, the word AND or OR as
appropriate, then another space.
b. Select the next event/condition.
— Exit Criteria User Action Mode — Select the user action mode for the exit
criteria from the drop-down list. Values:
• Automatic — DefenseFlow performs the chosen operation based on the
exit criteria.
• User Confirmation — When the exit criteria are met, the operator is
prompted to confirm activating the defined operation or to choose
another operation.
— Operation — Operation for this workflow rule. This is an operation that is
configured using the Operations pane (see Operations, page 141).
— Operation Type (read-only) — The type of operation as defined for the
operation you selected.

Table 39: Workflow Rule Exit and Enter Criteria

Parameter Description
Enter and Exit Criteria The following are the possible workflow rule events and conditions you can
select to build the Enter and Exit Criteria:
• AttackStart — The start of attack condition is implicit in enter criteria. It is
required only if it is the only condition.
• AttackTermination — The termination-of-attack condition cannot be combined
with any other condition (that is, you cannot have an AttackTermination
condition AND any other Attack* condition).
• ProvisionStart — Performs an operation on provisioning of a protected object
in addition to the operation defined in the Provisioning parameter. This can
be used if multiple operations on provisioning are required.
• ProvisionEnd — Performs an operation when removing a service.
• ActiveOperationsChange — This event is triggered when an operation is
activated or terminated.
Note: This event is triggered by a protection regardless of the detection
status. For example, the event is triggered whether the operation was
activated manually or automatically due to syslog detection.
• TimeTriggerEnabled — Event based on the absolute and relative time. For
example, you can define the entry criteria to be activated from between
08:00 and 09:00, or the exit criteria to be activated only after 30 minutes
have passed from the operation termination.
Example 1 (Enter Criteria): TimeTriggerEnabled AND (TIME>=17:00 OR
TIME <= 09:00)
Example 2 (Exit Criteria): TimeTriggerEnabled AND TIME > 09:00 AND
TIME < 17:00
• OperationTerminated — Event to terminate an operation when another
operation is terminated.
Example: OperationTerminate and Operation = AnotherOperation
• AttackDestination — Condition based on the attacked destination. Supported
operators: =, !=, in, not in
Example: AttackDestination in 1.2.3.0/24
• AttackSource — Condition based on the attack source IP address. Supported
operators: =, !=, in, not in
Example: AttackSource in 5.5.5.0/24
• AttackPrefix — Condition based on the attack destination prefix. Supported
operators: =, <, >
Example: AttackPrefix = 32
• AttackBandwidth — Condition based on the size of an attack, in bits per
second. Supported operators: <, >, <=, >=
This condition is only available during an attack, unlike the TrafficBandwidth,
which can also be used in peacetime. This condition can be used to defend
against attack escalation.
Note: If the exit criteria include only AttackBandwidth, the rule is
matched and the operation is terminated when the attack bandwidth
drops below the configured value before the attack is terminated. If the
attack is terminated while the attack bandwidth is still greater than the
configured value, DefenseFlow does not match the rule.
Example: AttackBandwidth > 2G

• AttackRate — Condition based on packets per second. Supported operators: <,
>, <=, >=
Example: AttackRate >1000 AND AttackBandwidth < 5m
Note: If granular detection is enabled, you should not set the AttackRate
as either the Enter or Exit Criteria. Because granular detection only handles
sampled events and ignores ongoing events, the workflow is ignored even
if the workflow conditions are met.
Therefore, only set the AttackRate as the Enter or Exit Criteria when granular
detection is disabled.
The following are the Traffic workflow rule events and conditions:
• TrafficBandwidth — Condition based on the traffic bandwidth, in bits per
second. It does not require combining with an AttackStart condition.
Supported operators: <, >, <=, >=
This condition is used in FlowDetector and DPaaD deployments. In these
deployments, the detection elements constantly update DefenseFlow with the
current traffic bandwidth. As a result, this condition can be used even in
peacetime, unlike the AttackBandwidth condition, which is only available
during an attack.
Valid values:
— n — bps (bits per second)
— nK — Kbps (kilobits per second)
— nM — Mbps (megabits per second)
— nG — Gbps (gigabits per second)
— nT — Tbps (terabits per second)
Example: TrafficBandwidth > 100 (meaning 100 bps)
Example: TrafficBandwidth > 2G (meaning 2 Gbps)
Note: If granular detection is enabled, you should not set the
TrafficBandwidth as either the Enter or Exit Criteria. Because granular
detection only handles sampled events and ignores ongoing events, the
workflow is ignored even if the workflow conditions are met.
• TrafficRate — Condition based on the traffic bandwidth, in packets per second.
It does not require combining with an AttackStart condition. Supported
operators: <, >, <=, >=
Valid values:
— n — pps (packets per second)
— nK — Kpps (kilopackets per second)
— nM — Mpps (megapackets per second)
— nG — Gpps (gigapackets per second)
— nT — Tpps (terapackets per second)
Example: TrafficRate > 100 (100 pps)
Example: TrafficRate > 2G (2 Gpps)
Note: If granular detection is enabled, you should not set the TrafficRate
as either the Enter or Exit Criteria. Because granular detection only handles
sampled events and ignores ongoing events, the workflow is ignored even
if the workflow conditions are met.

• AttackProtocol — Condition based on the attack protocol. Supported
operators: =, !=
Example 1: Protocol =
Example 2: (Protocol = OR AttackDestination not in 3.3.3.0/28) AND
AttackBandwidth < 5m
• DetectorName — Condition based on the detector name. Supported operators:
=, !=
Example: DetectorName = MyExternalDetectorControlElement
• Fragment — Condition based on whether a packet is fragmented. Supported
operators: =,!=
Example 1: Fragment = true
Example 2: Fragment != true
• tcpflags — Condition based on TCP flags. Supported operators: =,!=
Example 1: tcpflags = syn
Example 2: tcpflags = syn-ack
• BGPListenerCommunities includes — Condition based on the BGP Listener
Community.
Example: BgpListenerCommunities include 111:222
Note: Do not use in Exit Criteria.
Note: DefenseFlow can be configured to establish BGP connections with
routers over port 179 to send BGP announcements and BGP FlowSpec
rules. Sending a large number of BGP announcements from the routers to
DefenseFlow might cause slow response time in DefenseFlow. Unless you
are using the BGP Listener feature, routers connected to DefenseFlow
should be configured not to send BGP announcements to DefenseFlow.
• ActiveOperations include — This condition is based on the set of the current
active operations and activated networks.
Example: ActiveOperations include ScrubbingOperation
• ActiveOperationsSameDestination includes — Use this condition to check if an
operation is active for the specific network that is triggered, and to decide
whether to start or stop an existing protection based on another operation
that is on that same network.
Example: ActiveOperationsSameDestination include ScrubbingOperation
• ActiveOperationsCopyCat includes — Use this condition if you want to
automatically trigger OPER2 according to OPER1, as illustrated in the
following example:
Example: If OPER1 should automatically trigger OPER2 and use the same
network, use the following criteria in both the Enter Criteria and Exit
criteria fields:
ActiveOperationsChange AND ActiveOperationsCopycat include OPER1
Example: ActiveOperationsCopyCat include ScrubbingOperation
• ProtectionActivePeriod — Time-based termination of protection. Supported
operators: <, >
Example 1: If a black hole operation is activated and you want to terminate
it after two hours, use the following exit criteria:
ProtectionActivePeriod > "2 hours"

• Time — Condition based on the time in HH:MM format. Supported operators:
=, !=, <, >, <=, >=
Example 1: time >= 14:00
Example 2: time != 16:00
• Date — Condition based on the date in YYYY-MM-DD format. Supported
operators: =, !=, <, >, <=, >=
Example 1: date >= 2017-05-21
Example 2: date = 2019-05-05
• Month — Condition based on the month name. Supported operators: =, !=, <,
>, <=, >=
Example 1: month >= January
Example 2: month != December
• Day — Condition based on the day name, where Sunday is the smallest, and
Saturday is the greatest. Supported operators: =, !=, <, >, <=, >=
Example 1: day >= Tuesday
Example 2: day != Monday
• SourcePort — Condition based on the source port. Supported operators: =, !=,
<, >, <=, >=
Example 1: SourcePort > 34
• DestinationPort — Condition based on the destination port. Supported
operators: =, !=, <, >, <=, >=
Example 1: DestinationPort > 34
• DefenseProUp — Condition based on whether DefensePro mitigation devices
are up. Can be a single mitigation device, multiple mitigation devices, a single
mitigation device group, or multiple mitigation groups.
Example 1 (single mitigation device): DefenseProUp = dp1
Example 2 (multiple mitigation devices): DefenseProUp in dp1, dp2, dp3
Example 3 (single mitigation group): DefenseProUp include dp_group1
Example 4 (multiple mitigation groups): DefenseProUp include
dp_group1, dp_group2, dp_group3
• DefenseProDown — Condition based on whether DefensePro mitigation
devices are down. Can be a single mitigation device, multiple mitigation
devices, a single mitigation device group, or multiple mitigation groups.
Example 1 (single mitigation device): DefenseProDown = dp1
Example 2 (multiple mitigation devices): DefenseProDown in dp1, dp2,
dp3
Example 3 (single mitigation group): DefenseProDown include
dp_group1
Example 4 (multiple mitigation groups): DefenseProDown include
dp_group1, dp_group2, dp_group3

The following advanced conditions do not appear in the drop-down menus, but you
can enter them as free text:
• AttackAdditionalDetails — Condition based on the actual syslog message
regular expression matching.
Example: AttackStart and AttackAdditionalDetails match ".*host:.*"
• OperationEnterSuccess — Condition based on the successful completion of
either enter criteria or exit criteria. This is usually used in multiple-tiers
protection.
Example: OperationEnterSuccess=operation1
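The following Python evaluator is an added example, not DefenseFlow's parser. Its grammar (AND/OR with parentheses, the comparison operators plus in, not in, include and match, K/M/G/T unit suffixes, HH:MM times, YYYY-MM-DD dates, month and day names with Sunday smallest, and quoted durations such as "2 hours") is reconstructed from the examples in Table 39, and the context dictionary it evaluates against is constructed here to stand in for the values DefenseFlow would take from a detection. Two points are assumptions: include is treated as "every listed item is present", and a condition whose value is missing from the context evaluates to false rather than raising. The intended use is to check how an Enter or Exit Criteria string behaves against a sample attack before it is deployed.

```python
import calendar
import ipaddress
import operator
import re
from datetime import date
from typing import Any, Dict, List

_TOKEN = re.compile(r'\s*(?:(\()|(\))|(<=|>=|!=|=|<|>)|"([^"]*)"|([^\s()<>=!]+))')
_UNITS = {"k": 10**3, "m": 10**6, "g": 10**9, "t": 10**12}
_NAMES = [m.lower() for m in calendar.month_name[1:]]                # January .. December
_NAMES += ["sunday"] + [d.lower() for d in calendar.day_name[:6]]   # Sunday smallest, per the guide
_OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
        "<=": operator.le, ">=": operator.ge}

def tokenize(text: str) -> List[str]:
    """'AttackRate >1000 AND X in a, b' -> names, operators, values, parentheses (quotes stripped)."""
    toks, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m: raise ValueError(f"cannot tokenize at {text[pos:]!r}")
        toks.append(next(g for g in m.groups() if g is not None))
        pos = m.end()
    return toks

def scalar(v: Any) -> Any:
    """5m -> 5000000, 17:00 -> minutes, 2019-05-05 -> date, May/Monday -> ordinal, "2 hours" -> seconds."""
    if not isinstance(v, str): return v
    s = v.strip().lower()
    if m := re.fullmatch(r"(\d+(?:\.\d+)?)([kmgt]?)", s):          # numbers with optional unit suffix
        n = float(m.group(1)) * _UNITS.get(m.group(2), 1)
        return int(n) if n.is_integer() else n
    if m := re.fullmatch(r"(\d+)\s*(second|minute|hour|day)s?", s):
        return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)[0]]
    if re.fullmatch(r"\d{1,2}:\d{2}", s): return int(s[:-3]) * 60 + int(s[-2:])
    if re.fullmatch(r"\d{4}-\d{2}-\d{2}", s): return date.fromisoformat(s)
    if s in _NAMES: return _NAMES.index(s)    # months and days are never compared with each other
    return s == "true" if s in ("true", "false") else s

def _member(have: Any, item: str) -> bool:    # IP-in-CIDR if both parse, else case-insensitive equality
    try: return ipaddress.ip_address(str(have)) in ipaddress.ip_network(item, strict=False)
    except ValueError: return str(have).lower() == item.lower()

class Criteria:
    """expr = term (OR term)*;  term = factor (AND factor)*;  factor = '(' expr ')' | NAME [op values]"""
    def __init__(self, text: str) -> None:
        self.text = text
    def evaluate(self, ctx: Dict[str, Any]) -> bool:
        """ctx maps event/condition names (any case) to the current attack or state values."""
        self.toks, self.ctx = tokenize(self.text), {k.lower(): v for k, v in ctx.items()}
        try:
            result = self._expr()
        except (IndexError, KeyError):                       # truncated expression or unknown operator
            raise ValueError(f"malformed criteria: {self.text!r}") from None
        if self.toks: raise ValueError(f"unexpected token {self.toks[0]!r}")
        return result
    def _peek(self) -> str:                                  # lower-cased next token, "" at the end
        return self.toks[0].lower() if self.toks else ""
    def _chain(self, word: str, sub, combine) -> bool:
        v = sub()
        while self._peek() == word:
            self.toks.pop(0)
            v = combine(v, sub())                            # both sides consumed; no short-circuit
        return v
    def _expr(self) -> bool:
        return self._chain("or", self._term, lambda a, b: a or b)
    def _term(self) -> bool:
        return self._chain("and", self._factor, lambda a, b: a and b)
    def _factor(self) -> bool:
        t = self.toks.pop(0)
        if t == "(":
            v = self._expr()
            if self.toks.pop(0) != ")": raise ValueError("missing ')'")
            return v
        if self._peek() in ("", ")", "and", "or"):
            return bool(self.ctx.get(t.lower(), False))     # bare event such as AttackStart
        op = self.toks.pop(0).lower()
        if op == "not":                                      # two-word operator "not in"
            op = "not " + self.toks.pop(0).lower()
        raw = []                                             # values run until AND / OR / ')' / end
        while self._peek() not in ("", ")", "and", "or"):
            raw.append(self.toks.pop(0))
        values = [p.strip() for p in ",".join(raw).split(",") if p.strip()]   # "dp1, dp2" -> 2 items
        return self._compare(t.lower(), op, values)
    def _compare(self, name: str, op: str, values: List[str]) -> bool:
        have = self.ctx.get(name)
        if op == "match":                                    # regex over the raw syslog text
            return have is not None and re.search(values[0], str(have)) is not None
        if op in ("in", "not in"):                           # scalar membership, CIDR-aware
            hit = any(_member(have, v) for v in values)
            return hit if op == "in" else not hit
        if op in ("include", "includes"):                    # assumption: every listed item is present
            pool = {str(x).lower() for x in (have or [])}
            return all(v.lower() in pool for v in values)
        fn = _OPS[op]                                        # KeyError -> ValueError in evaluate()
        try:
            return have is not None and fn(scalar(have), scalar(values[0]))
        except TypeError:                                    # e.g. a date compared with a number
            return False
```

AND binds tighter than OR, so the parentheses in the guide's TimeTriggerEnabled example are needed for the intended meaning. A context for a test run is a plain dictionary, for example {"AttackStart": True, "AttackBandwidth": 3_000_000_000, "AttackDestination": "1.2.3.77", "Time": "18:30"}, and Criteria("AttackBandwidth > 2G AND AttackDestination in 1.2.3.0/24").evaluate(ctx) then returns True.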

To duplicate existing workflows


You can duplicate an existing workflow to use as a basis for creating a new workflow.
1. From the Security Settings perspective, select Workflows.
2. Do the following:
— If you do not immediately see the workflow that you want to duplicate in the table, search
for the workflow by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the workflow you want to duplicate, select the workflow and click the
Duplicate button to open the workflow.
3. Edit the parameters for the new workflow, and then click Submit to save your changes. A new
workflow is created.

To edit a workflow
1. From the Security Settings perspective, select Workflows.
2. Do the following:
— If you do not immediately see the workflow that you want to edit in the table, search for the
workflow by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the workflow you want to edit, click the Expand Row button to open the
workflow.
3. Edit the parameters for the workflow, and then click Submit to save your changes.

To delete workflows
You can delete one or multiple workflows.

1. From the Security Settings perspective, select Workflows.


2. Do the following:
— If you do not immediately see the workflows you want to delete in the table, search for the
workflows by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the workflows you want to delete, select the workflows and click the
Delete button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the workflows.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

Detections
Detections should be used to define groups of detection methods and sources to be aggregated as
detectors for the same service.

Use the Detections pane to view, configure, or delete detection configurations. The initial view
displays existing detections and lets you search for a detection.


To add detection groups


1. From the Security Settings perspective, select Detections.

2. Click the (Add) button.


3. Configure the detection group and click Submit.

Table 40: Detection Parameters

Parameter Description
General Parameters
Name Name of the detection group.
Maximum number of characters: 255
Description Description of the detection group.
Maximum number of characters: 255
Detectors

Click the (Add) button to add a detector.


Type From the drop-down list, select the detection types to add to this detection
group:
• External Detector — Use an external source of detection signaling. You can
select multiple external detectors.
• BDoS Detector — Use DefenseFlow BDoS detection based on flow statistics.
This checks attacks per an entire network. You can only select one BDoS
detector.
Note: The BDoS Traffic Monitoring reports are populated with data only if the
detector type is set to BDoS Detector. For more information on BDoS Traffic
Monitoring reports, see BDoS Traffic Statistics, page 291.
• DefensePro as a Detector — Use DefensePro in always-on or tap deployment mode for detection.
You can select multiple DefensePro as Detectors (DPaaDs).
In a DPaaD (DefensePro serves as Detector) deployment, DefenseFlow may receive a single,
one-time alert that represents a Layer 7 event, such as a signature match. DefenseFlow can
identify this alert type (an occur event) and act on it. DefensePro syslog events that include
the occur status are no longer ignored. Instead, DefenseFlow simulates the attack start and
immediately simulates the attack termination, which leaves the attack active until the attack
grace period expires.
DefensePro one-time alerts may report packet anomalies, block/allow list hits, and/or signature
protection (IPS) matches. Handling of one-time alerts is disabled by default, so enable it when
required with the following command:
dfc-core:configuration-set -name
dfc.attack.detection.defensepro.occur.enabled -value true

Filtering strings in attack alerts from DefensePro
If required, you can ignore syslog attack alerts based on a specified regular
expression (using the CLI only). This feature is disabled by default.
— From the CLI, enable this feature using the following command:
dfc-core:configuration-set -name
dfc.attack.detection.ignore.regular.expression.enabled
-value true
— Define the regular expression as required using the following command.
Syslog attack alerts that include this expression are ignored.
dfc-core:configuration-set -name
dfc.attack.detection.ignore.regular.expression.pattern
-value .*"Behavioral-DoS".*
— To disable the feature, enter the following command:
dfc-core:configuration-set -name
dfc.attack.detection.ignore.regular.expression.enabled
-value false
• Threshold Detector — Use manually-configured thresholds based on flow
statistics. This checks limits for an entire network. You can only select one
threshold detector.
• Granular Threshold Detector — This checks limits for the top 100 networks of
the protected object. It should be used for residential protected objects.
• Granular BDoS Detector — This checks attacks per each IP address in the
networks, limited to 5000 networks per the entire DefenseFlow system. This
should be used for servers with static IP addresses that you want to protect.
• FlowDetector — Use the Radware DefenseFlow FlowDetector to analyze network metadata
describing actual Layer 3-4 session flows, as received from the control plane.
Control Element Based on the detection Type you selected, select a telemetry source for
detection, either a control element you have defined (flow statistics source or
external detector), or a DefensePro device.
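The ignore pattern configured with dfc.attack.detection.ignore.regular.expression.pattern discards every DefensePro syslog alert it matches, so an over-broad expression silently blinds detection for alerts you still depend on. The following is an added example, not Radware code or part of this guide: it runs a candidate pattern over a set of alerts that must remain visible and reports which ones the pattern would suppress. The alert lines are constructed to illustrate the shape of a DefensePro syslog alert and do not reproduce the real format; search semantics (a match anywhere in the message) are assumed, and the page's own ".*...*" pattern behaves identically under full-message matching.

```python
"""Audit a DefensePro alert ignore pattern before enabling it.

Added example, not Radware code. The sample alerts are constructed; the real
DefensePro syslog format differs. A match anywhere in the message is assumed to
count as "includes this expression", as the guide phrases it.
"""
import re

# Constructed sample alerts, one per attack category; the first is the category
# that the guide's own example pattern is meant to ignore.
SAMPLE_ALERTS = [
    'DefensePro: attack "Behavioral-DoS" started, host: 12.0.0.1, protection Behavioral-DoS',
    'DefensePro: attack "SYN Flood" started, host: 12.0.0.1, protection SYN-Flood',
    'DefensePro: attack "DNS Flood" started, host: 12.0.0.2, protection DNS-Flood',
]


def is_ignored(alert, pattern):
    """True if the alert would be discarded under the ignore setting."""
    return re.search(pattern, alert) is not None


def audit_pattern(pattern, alerts, must_keep):
    """Return (ignored, wrongly_suppressed).

    ignored: every sample alert the pattern drops.
    wrongly_suppressed: the subset of those that mention a category the
    operator listed in must_keep, i.e. alerts that must still be detected.
    """
    ignored = [a for a in alerts if is_ignored(a, pattern)]
    wrongly = [a for a in ignored if any(keep in a for keep in must_keep)]
    return ignored, wrongly


if __name__ == "__main__":
    # The guide's example pattern, and an over-broad one keyed on a host address.
    for candidate in ('.*"Behavioral-DoS".*', ".*host: 12.0.0.1.*"):
        ignored, wrongly = audit_pattern(candidate, SAMPLE_ALERTS, ["SYN Flood", "DNS Flood"])
        verdict = "OK" if not wrongly else f"REJECT, would suppress {len(wrongly)} needed alert(s)"
        print(f"{candidate!r}: ignores {len(ignored)} of {len(SAMPLE_ALERTS)} sample alerts: {verdict}")
```

The second candidate shows the failure mode: a pattern written to quiet one noisy protected host also drops the SYN Flood alert for that host, which is exactly the alert the workflow's AttackStart criteria would otherwise act on.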

To duplicate an existing detection group


You can duplicate an existing detection group to use as a basis for creating a new detection group.
1. From the Security Settings perspective, select Detections.
2. Do the following:
— If you do not immediately see the detection group that you want to duplicate in the table,

search for the detection group by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.

— When you find the detection group you want to duplicate, select the detection group and click
the (Duplicate) button to open the detection group.
3. Edit the parameters for the new detection group, and then click Submit to save your changes. A
new detection group is created.

To edit a detection group


1. From the Security Settings perspective, select Detections.
2. Do the following:
— If you do not immediately see the detection group that you want to edit in the table, search

for the detection group by typing a string in the search field.


To clear the filter and perform a new search, delete and/or modify the search text.

— When you find the detection group you want to edit, click the (Expand Row) button to
open the detection group.
3. Edit the parameters for the detection group, and then click Submit to save your changes.

To delete detection groups


You can delete one or more detection groups.
1. From the Security Settings perspective, select Detections.
2. Do the following:
— If you do not immediately see the detection groups that you want to delete in the table,

search for the detection groups by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the detection groups you want to delete, select the detection groups and click

the (Delete) button to delete them.

3. In the Confirmation dialog box, click Confirm to delete the detection group.

To delete detection types within detection groups


1. From the Security Settings perspective, select Detections.
2. Do the following:
— If you do not immediately see in the table the detection group that includes the detection
type that you want to delete, search for the detection group by typing a string in the search

field.
To clear the filter and perform a new search, delete and/or modify the search text.

— When you find the detection group you are searching for, click the (Expand Row) button
to open the detection group.

3. Locate the detection type you want to delete from the group, and click the (Delete) button
for that detection type.
4. In the Confirmation dialog box, click Confirm to delete the detection type.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

Operations
An operation is a set of actions to be performed on provisioning, attack detection, or manually. It is
the building block for a security operation workflow.

Use the Operations pane to view, configure, or delete operations. The initial view displays existing
operations and lets you search for a specific operation.

To add an operation
1. From the Security Settings perspective, select Operations.

2. Click the (Add) button.


3. Configure the operation as described in the following tables and click Submit.

Notes
— DefenseFlow has predefined operations that can be used as is, modified, or referenced for
the creation of new operations. Some of these operations are used by the predefined
workflows (see Workflows, page 129). The following are the predefined operations:

Operation Description
AlwaysOnMitigateOnly    Provision mitigation on a group of DefensePro devices.
OutOfPathDivertMitigateInject    Provision mitigation and injection on a group of mitigation
devices and divert the traffic to them from a Tier1 network element group.
SmarTapDetection    Provision mitigation on a group of DefensePro devices connected in tap mode.
SmarTapDivertInject    Provision injection on the DefensePro tap devices.
BlackHoleDivert    Divert traffic from a Tier1 network element group to a BGP black-hole address.
BgpFlowSpecBlock    Block traffic with a FlowSpec block operation on a Tier1 network element group.

— After submitting the configuration, in the table entry for this operation, parameters that
have a defined value or are enabled are marked with one icon, and parameters that do not
have a defined value or are disabled are marked with a different icon.

— To move between the different sections of the operation, you can either click the name of
the section in Operations Sections menu, or scroll down to the relevant section.

Table 41: Operation General Parameters

Parameter Description
Name Name of the operation.
Note: The operation name cannot contain the & (ampersand), <, > (angle
brackets), or " (double quote) characters.
Description Description of the operation.

Table 42: Operations Diversion Parameters

Parameter Description
Diversion Enable/Disable Toggle Button: Toggle this button to enable or disable diversion of the
operation per the set parameters.
Default: Disabled (Gray)
Diversion Protocol: The diversion protocol to use. Toggle between the following values:
• BGP — Use the standard BGP protocol.
• BGP FlowSpec — Use the BGP FlowSpec protocol.
Default: BGP

BGP FlowSpec Diversion (only available if the Diversion Protocol is set to BGP FlowSpec): The BGP
FlowSpec rule to use for the diversion protocol. Select from the list of BGP FlowSpec rules you
have defined (see BGP FlowSpec Rules, page 188), or click the (Add) button to open the Add New
BGP FlowSpec Rule pane to create a new BGP FlowSpec rule or group.
Diversion Actions: Select which diversion actions to take.
• Use Mitigation Device/Network Element Connectivity — Assigns mitigation devices per network
element in a diversion group according to the configured connectivity.
• Divert Entire Protected Object Network — Divert all the protected object networks even if a
single IP address is attacked.
Include the Protected Object BGP Community: Select this if the BGP community of the protected
object is to be included in the operation.
Operation BGP Community: The BGP community values to be sent to the diversion groups that should
receive them per the operation. In addition to the protected object's communities, multiple
communities can be configured, separated by a space.
In addition, well-known communities can also be selected, including: No Export, No Export
Subconfed, No Advertise, No Peer
AS Path: The AS paths to be used as part of the operation's BGP advertisements. You can specify
multiple AS paths delimited by a space or a comma.
Examples
A 100 200 300 400 600 400 500
B 400, 500
Include the Protected Object AS Path: Merge the AS paths for the relevant protected object, if
defined (see Table 37 - Protected Object Parameters, page 120), with the operation's AS paths.
Example
If the operation's AS paths are 100, 200, 300, and the relevant protected object's AS paths are
200, 300, 400, the merged AS paths are 100, 200, 300, 200, 300, 400.
Use the Protected Object Next Hop: For BGP diversions only, divert to the next hop of the
operation's relevant protected object, if defined (see Table 37 - Protected Object Parameters,
page 120). Select the Primary or Secondary next hop.
Minimum IPv4 Advertised Subnet: The minimum IPv4 advertised subnet.
Values:
Default: 32

Minimum IPv6 Advertised Subnet: The minimum IPv6 advertised subnet.
Values:
Default: 128
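The diversion parameters above describe what DefenseFlow puts into its BGP announcements, but the guide shows only the AS path merge. The following is an added example, not Radware code or part of this guide: it models the Table 42 settings for a plain BGP diversion, merging the operation's and protected object's AS paths exactly as the example above does (concatenation, no de-duplication), combining operation and protected object communities (including the well-known ones the guide lists, with their RFC 1997/RFC 3765 values), and either announcing the whole protected object or the attacked hosts. One assumption is not stated on the page: that the Minimum Advertised Subnet is the longest prefix DefenseFlow announces, so an attacked /32 is widened to that length when the minimum is shorter.

```python
"""What an operation's diversion settings turn into on the wire.

Added example, not Radware code. It follows the Table 42 description; the
treatment of the Minimum Advertised Subnet (widen an attacked host to that
prefix length) is an assumption, not something the guide states.
"""
import ipaddress
from dataclasses import dataclass, field

# Well-known community values (RFC 1997, RFC 3765) for the names the guide lists.
WELL_KNOWN = {
    "No Export Subconfed": "65535:65283",
    "No Advertise": "65535:65282",
    "No Export": "65535:65281",
    "No Peer": "65535:65284",
}


def parse_as_path(text):
    """'100 200 300' or '400, 500' (space or comma delimited) -> list of ASNs."""
    return [int(tok) for tok in text.replace(",", " ").split()]


def merge_as_paths(operation_path, po_path, include_po):
    """Guide example: [100,200,300] + [200,300,400] -> [100,200,300,200,300,400]."""
    return operation_path + (po_path if include_po else [])


def parse_communities(text):
    """Space-separated 'asn:value' tokens plus well-known names -> list of 'asn:value'."""
    values = []
    for name in sorted(WELL_KNOWN, key=len, reverse=True):  # longest name first
        if name in text:
            values.append(WELL_KNOWN[name])
            text = text.replace(name, " ")
    return values + text.split()


@dataclass
class Advertisement:
    prefix: str
    next_hop: str
    as_path: list
    communities: list = field(default_factory=list)


def widen(host, min_prefixlen):
    """Widen an attacked address to the minimum advertised subnet length (assumption)."""
    net = ipaddress.ip_network(host, strict=False)
    return net.supernet(new_prefix=min_prefixlen) if net.prefixlen > min_prefixlen else net


def build_diversion(attacked, po_networks, next_hop, *, min_v4=32, min_v6=128,
                    divert_entire_po=False, op_as_path="", po_as_path="",
                    include_po_as_path=False, op_communities="", po_communities="",
                    include_po_communities=False):
    """Return the announcements DefenseFlow would need to make for this operation."""
    as_path = merge_as_paths(parse_as_path(op_as_path), parse_as_path(po_as_path),
                             include_po_as_path)
    communities = parse_communities(op_communities)
    if include_po_communities:
        communities += parse_communities(po_communities)
    if divert_entire_po:  # "Divert Entire Protected Object Network"
        prefixes = [ipaddress.ip_network(n) for n in po_networks]
    else:
        prefixes = []
        for host in attacked:
            version = ipaddress.ip_network(host, strict=False).version
            net = widen(host, min_v4 if version == 4 else min_v6)
            if net not in prefixes:  # two attacked hosts in one widened subnet: announce once
                prefixes.append(net)
    return [Advertisement(str(p), next_hop, list(as_path), list(communities)) for p in prefixes]


if __name__ == "__main__":
    for adv in build_diversion(["12.0.0.1"], ["12.0.0.0/24"], "10.0.0.2", min_v4=24,
                               op_as_path="100, 200, 300", po_as_path="200 300 400",
                               include_po_as_path=True, op_communities="No Export 65000:100"):
        print(adv)
```

A diversion announcement is a more-specific route that pulls the protected object's traffic toward the mitigation devices; tagging it with No Export keeps that more-specific inside your own AS, which is why the well-known communities are offered alongside your own values.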

Table 43: Operations Mitigation Parameters

Parameter Description
Security Protections Enable/Disable Toggle Button: Select this button to enable or disable
security protections for the operation per the set parameters.
Default: Disabled (Gray)
Security Policy Template: The security template used to perform mitigation. Do one of the
following:
• Select the security template from the Security Template drop-down list and edit it if
required by clicking the (Edit) button.
— If it is a GUI type template, the Edit Security Policy Template dialog box displays with
the various security policy sections and parameters. For more information on configuring
these parameters, see Security Policy Templates, page 155.
— If it is a Text template, the Edit Security Policy Template dialog box displays with the
Description and Template (the policy text) fields. The policy text includes DefensePro
traffic filters.
• Click the (Add) button and configure a new security template from the Security Policy
Templates pane (see Security Policy Templates, page 155).
Granular Mitigation: Select if granular mitigation is to be performed. If you do not select this
option, the operation is performed on the entire protected object and not based on any granular
detection settings. For more information on granular detection settings, see Detections,
page 137.
Default: Enabled
Allowlist: The allowlist to be included when performing mitigation. Select from the configured
allowlists (see Allowlist and Blocklist Groups, page 182), or click the (Add) button to open the
Add New Allowlist pane to create a new allowlist rule or group. The allowlist is only used if the
mitigation action is selected.
Default: No list is defined
Blocklist: The blocklist to be included when performing mitigation. Select from the configured
blocklists (see Allowlist and Blocklist Groups, page 182), or click the (Add) button to open the
Add New Blocklist pane to create a new blocklist rule or group. The blocklist is only used if the
mitigation action is selected.
Default: No list is defined

Geolocation: The geolocation to either allow or block when performing mitigation.
1. Select Allow or Block.
2. Select from the configured list of geolocations to allow or block (for more information, see
Geolocations, page 184), or click the (Add) button to open the Add New Geolocation pane to
create a new geolocation.
The geolocation setting is only used if the mitigation action is selected.
Default: All geolocations are blocked
DNS Allowlist: The DNS allowlist to be enforced by DefensePro when performing mitigation.
DefenseFlow blocks incoming DNS requests that do not match the allowlist. Select from the
configured list of DNS allowlists (see DNS Allowlist Files, page 186). The DNS allowlist is only
used if the mitigation action is selected.
Default: No list is defined
Advanced Mitigation Settings
Delegate from Detector: This parameter is relevant only if the detection method for the protected
object is DPaaD. Select this if delegation is to be performed from the detector device to the
mitigation device group that performs the mitigation. Selecting this copies the policy and
baselines from the detector DefensePro to the selected mitigation device.
In a DPaaD deployment, DefenseFlow may receive a single alert that represents a Layer 7 event,
such as a signature match. DefenseFlow can identify this alert type (an occur event) and act on
it. By default, this feature is disabled. To enable it, use the following CLI command:
configuration-set -name
dfc.attack.detection.defensepro.occur.enabled -value true
Submit and Reuse DefensePro Baselines: Select this if you want to automatically provision the
detector DefensePro baseline based on previous learning periods.
Default: Disabled
Block Source IP Address Using L3 BlockList: Select this if you want to block all incoming traffic
from a specific source IP address towards a specific protected object.
Default: Disabled

Block Source IP Address Using L7 Signature: When AppWall is deployed behind a CDN, the Layer 4
source address does not identify the real source IP address of the sender. To block the sender, a
Layer 7 signature must be provisioned in DefensePro. This signature contains the real source IP
address as part of the XFF HTTP header field. When enabled, select the response type from the
list of Layer 7 signatures.
Values:
• HTTP_DROP
• HTTP_200_OK
• HTTP_200_OK_REST_DEST
• HTTP_403_FORBIDDEN
• HTTP_403_FORBIDDEN_REST_DEST
Default: Disabled
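Blocking by the address carried in X-Forwarded-For only works if the match keys on the entry the CDN appended. XFF is a comma-separated chain that each proxy extends on the right; whatever the client itself sends arrives as the leftmost entries and is fully attacker-controlled. A match that fires on the blocked address anywhere in the header can therefore be triggered against an innocent address by the attacker, while the attacker's own address is the one the trusted CDN hop appends. The following is an added example, not Radware code or part of this guide, and it does not generate DefensePro signatures: it shows the decision logic such a signature has to approximate, contrasting a naive "appears anywhere" match with a walk from the right that skips trusted proxy hops. The CDN egress range, addresses and headers are constructed.

```python
"""Resolving the real client from X-Forwarded-For before acting on it.

Added example, not Radware code. TRUSTED_PROXIES and all addresses are constructed.
"""
import ipaddress

# Constructed: the CDN's egress ranges, i.e. the hops whose XFF entries we trust.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_xff(header):
    """Split the chain into its entries, oldest (client-supplied) first."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def client_ip_from_xff(header, trusted=TRUSTED_PROXIES):
    """Walk the chain from the right, skipping trusted proxies.

    The first untrusted entry is the peer address a trusted proxy recorded, i.e.
    the real client. None means the chain could not be trusted (only proxies in
    it, or a malformed entry before any untrusted address was reached).
    """
    for hop in reversed(parse_xff(header)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the trusted part of the chain: refuse to guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return None


def naive_match(header, blocked_ip):
    """The fragile rule: 'blocked_ip appears anywhere in XFF'."""
    return blocked_ip in parse_xff(header)


def should_block(header, blocked_ip, trusted=TRUSTED_PROXIES):
    """The robust rule: block only if the resolved client is the blocked address."""
    return client_ip_from_xff(header, trusted) == blocked_ip


if __name__ == "__main__":
    # Attacker 192.0.2.66 claims to be 198.51.100.9; the CDN appends the real address.
    spoofed = "198.51.100.9, 192.0.2.66"
    print("naive match on innocent address:", naive_match(spoofed, "198.51.100.9"))
    print("robust block of innocent address:", should_block(spoofed, "198.51.100.9"))
    print("robust block of attacker:", should_block(spoofed, "192.0.2.66"))
```

With a multi-tier CDN the chain ends in one or more CDN addresses ("192.0.2.66, 203.0.113.5"); the walk skips those and still lands on the attacker, whereas "rightmost entry" alone would return a CDN node.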

Table 44: Clean Traffic Return Parameters

Parameter Description
Clean Traffic Return Enable/Disable Toggle Button: Toggle this button to enable or disable clean
traffic return for the operation per the set parameters. When enabled, DefenseFlow configures the
DefensePro mitigation devices with the clean traffic injection configuration. Not relevant for
third-party mitigation devices.
Default: Disabled (Gray)

Table 45: BGP FlowSpec Parameters

Parameter Description
BGP FlowSpec Enable/Disable Toggle Button: Toggle this button to enable or disable BGP FlowSpec
for the operation per the set parameters.
Default: Disabled (Gray)
BGP FlowSpec Mitigation (only available if the Diversion Protocol is set to BGP FlowSpec): The
BGP FlowSpec rule to use for BGP FlowSpec mitigation. Select from the list of BGP FlowSpec rules
you have defined (see BGP FlowSpec Rules, page 188), or click the (Add) button to open the Add
New BGP FlowSpec Rule pane to create a new BGP FlowSpec rule.
Include the Protected Object BGP Community: Select if the BGP community of the protected object
is to be included in the operation.
Operation BGP Community: The BGP community values to be sent to the diversion groups that should
receive them per the operation. In addition to the protected object's communities, multiple
communities can be configured, separated by a space.
In addition, well-known communities can also be defined, including: No Export, No Export
Subconfed, No Advertise, No Peer

Table 46: Custom Parameters

Parameter Description
You can customize your own operation using any programming language. DefenseFlow ensures that
the customized operation is activated when the rule criteria are met in the workflow engine.
Each custom operation is associated with a Web service. You can use your own Web server for the
implementation.
For easy implementation, you can use and modify a ready-made example stub that implements a
customized operation that sends an e-mail with all the operation-received arguments. For more
details on using this stub, contact Radware Technical Support.
Note: Radware recommends deploying the Web server on a dedicated external VM and not on the
DefenseFlow VM.
Custom Operations Enable/Disable Toggle Button: Toggle this button to enable or disable custom
operations for the operation per the set parameters.
Default: Disabled (Gray)
Custom Type Parameters: Select the custom operation type you want to define.
Values:
• External Custom Operation — Displays the custom operation parameters with which you can
customize your own operation using any programming language. For a description of these
parameters, see the External Custom Operation Parameters later in this table.
• DefensePro ACLs — Select this operation type if you are using DefensePro Access Control Lists
for mitigation. Displays the Mitigation Group parameter (for a description of this parameter,
see Table 43 - Operations Mitigation Parameters, page 144).
• BigSwitch Routing — Select this operation type if you are using BigSwitch routing as your
diversion control element (see Table 76 - Network Elements Parameters, page 213). Displays the
Diversion Group parameter (for a description of this parameter, see Table 43 - Operations
Mitigation Parameters, page 144).
Default: External Custom Operation

External Custom Operation Parameters
Custom URL: URL of the remote server where the custom operation resides. When you set the custom
URL, DefenseFlow performs a callback to the remote server using the /protection_start and
/protection_stop suffixes as required.
Examples
A For HTTP: If the URL configuration is http://10.183.159.159:5000/rest, DefenseFlow performs a
callback to http://10.183.159.159:5000/rest/protection_start/ when the operation is activated
(Entry Criteria), and http://10.183.159.159:5000/rest/protection_stop/ when the operation is
deactivated (Exit Criteria).
B For HTTPS: If the URL configuration is https://10.183.159.159:443/rest, DefenseFlow performs a
callback to https://10.183.159.159:443/rest/protection_start/ when the operation is activated
(Entry Criteria), and https://10.183.159.159:443/rest/protection_stop/ when the operation is
deactivated (Exit Criteria).
For the custom operations callback definition details, see Table 47 - Custom Operations Callback
Definition, page 149.
Note: You can also define a custom operation through the DefenseFlow REST API (see the
POST /config/Operations/add REST API call in the REST API Guide at
http://webhelp.radware.com/DefenseFlow/REST/4_00_00/index.html).
Remote server authentication user: (optional) Remote server username.
Remote server authentication password: (optional) Remote server password.
Confirm Remote server authentication password: (optional) Remote server password confirmation.

Table 47: Custom Operations Callback Definition

Callback URL: https://Remote_IP:port/protection_start
• Callback Description — The REST call that is invoked by DefenseFlow upon activation of the
operation.
• Callback Arguments:
— id: The protected object ID.
— name: The protected object name.
— awsLoadBalancerType: Not applicable.
— networksDetails: The entire set of PO networks.
— excludedNetworks: The PO networks excluded from detection.
— granularThresholds: Whether the PO uses granular threshold detection: true, false
— granularBdos: Whether the PO uses granular BDoS detection: true, false
— awsUseCdn: Not applicable.
— requiredMetricsAzure: Not applicable.
— azureResourceType: Not applicable.
— loadBalancerRequiredMetrics: Not applicable.
— cdnRequiredMetrics: Not applicable.
— actionMode: The protected object action mode.
— operationName: The activated operation name.
— pulseId: The unique ID of the activation.
— workflowName: The PO workflow name.
— enterCriteria: The workflow enter criteria.
— exitCriteria: The workflow exit criteria.
— attackBitsPerSecond: The attack volume.
— activatedNetworks: The attacked networks.
— sequence: The attack sequence number that the attack uses or used.
• Callback HTTP return codes:
— 200 — OK
— Other — ERROR

Callback example (protection_start):

2018-06-25 20:42:00,368 | INFO | Custom operation REST starting http://192.168.1.30:80//protection_start with data:
{
  "protectedObjectInfo" : {
    "id" : 461,
    "name" : "PO12",
    "awsLoadBalancerType" : "APPLICATION",
    "networksDetails" : {
      "networks" : [ {
        "ip" : "12.0.0.0",
        "prefix" : 24
      } ]
    },
    "excludedNetworks" : {
      "networks" : [ ]
    },
    "granularThresholds" : false,
    "granularBdos" : false,
    "awsUseCdn" : false,
    "requiredMetricsAzure" : [ ],
    "azureResourceType" : "IAAS",
    "loadBalancerRequiredMetrics" : [ ],
    "cdnRequiredMetrics" : [ ]
  },
  "actionMode" : "AUTOMATIC",
  "operationName" : "SRPOperation",
  "pulseId" : 608,
  "workflowName" : "SRPWorkflow",
  "enterCriteria" : "AttackStart",
  "exitCriteria" : "AttackTermination",
  "attackBitsPerSecond" : 10000,
  "activatedNetworks" : {
    "networks" : [ {
      "ip" : "12.0.0.1",
      "prefix" : 32
    } ]
  }
}
2018-06-25 20:42:00,487 | INFO | Custom operation REST done http://192.168.1.30//protection_start

Callback URL: https://Remote_IP:port/protection_stop
• Callback Description — The REST call that is invoked by DefenseFlow upon deactivation of the
operation.
• Callback Arguments:
— id: The protected object ID.
— name: The protected object name.
— awsLoadBalancerType: Not applicable.
— networksDetails: The entire set of PO networks.
— excludedNetworks: The PO networks excluded from detection.
— granularThresholds: Whether the PO uses granular threshold detection: true, false
— granularBdos: Whether the PO uses granular BDoS detection: true, false
— awsUseCdn: Not applicable.
— requiredMetricsAzure: Not applicable.
— azureResourceType: Not applicable.
— loadBalancerRequiredMetrics: Not applicable.
— cdnRequiredMetrics: Not applicable.
— actionMode: The protected object action mode.
— operationName: The activated operation name.
— pulseId: The unique ID of the activation.
— workflowName: The PO workflow name.
— enterCriteria: The workflow enter criteria.
— exitCriteria: The workflow exit criteria.
— attackBitsPerSecond: The attack volume.
— activatedNetworks: The attacked networks.
• Callback HTTP return codes:
— 200 — OK
— Other — ERROR

Callback example (protection_stop):

2018-06-25 20:43:27,604 | INFO | Custom operation REST starting http://192.168.1.30:80//protection_stop with data:
{
  "protectedObjectInfo" : {
    "id" : 461,
    "name" : "PO12",
    "awsLoadBalancerType" : "APPLICATION",
    "networksDetails" : {
      "networks" : [ {
        "ip" : "12.0.0.0",
        "prefix" : 24
      } ]
    },
    "excludedNetworks" : {
      "networks" : [ ]
    },
    "granularThresholds" : false,
    "granularBdos" : false,
    "awsUseCdn" : false,
    "requiredMetricsAzure" : [ ],
    "azureResourceType" : "IAAS",
    "loadBalancerRequiredMetrics" : [ ],
    "cdnRequiredMetrics" : [ ]
  },
  "actionMode" : "AUTOMATIC",
  "operationName" : "SRPOperation",
  "pulseId" : 608,
  "workflowName" : "SRPWorkflow",
  "enterCriteria" : "AttackStart",
  "exitCriteria" : "AttackTermination",
  "attackBitsPerSecond" : 10000,
  "activatedNetworks" : {
    "networks" : [ {
      "ip" : "12.0.0.1",
      "prefix" : 32
    } ]
  }
}
2018-06-25 20:43:27,625 | INFO | Custom operation REST done http://192.168.1.30//protection_stop
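The callback contract above (Table 46 and Table 47) is all that a custom operation's Web service has to honour: accept the document at <Custom URL>/protection_start when the operation is activated and at <Custom URL>/protection_stop when it is deactivated, and answer 200, since DefenseFlow treats any other status as an error. The following is an added example, not Radware code, the ready-made stub the guide refers to, or part of this guide: a minimal receiver that authenticates the caller, validates the payload, refuses to act on a network the protected object does not own, and tracks activations by pulseId so a stop can be matched to its start. Two points are assumed rather than stated on the page: that the callback is an HTTP POST carrying the JSON document shown in the log excerpts, and that the optional Remote server authentication user/password are sent as HTTP Basic credentials. If you configure those credentials, use the https:// form of the Custom URL so they are not sent in cleartext.

```python
"""Receiver for DefenseFlow custom-operation callbacks.

Added example, not Radware code. Assumed, not stated on the page: the callback
is an HTTP POST with the JSON body shown in the guide's log excerpt, and the
remote-server credentials arrive as HTTP Basic. Credentials below are constructed.
"""
import base64
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_USER = "dfcallback"     # constructed; must match the operation's
EXPECTED_PASSWORD = "change-me"  # "Remote server authentication" fields
ACTIVE_PULSES = {}               # pulseId -> networks activated by protection_start


def basic_auth_header(user, password):
    """Build the Authorization value a client sends for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header_value):
    """Accept only a well-formed Basic header carrying the expected credentials."""
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header_value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    return sep == ":" and user == EXPECTED_USER and password == EXPECTED_PASSWORD


def make_payload(po_id, po_name, po_networks, activated, pulse_id, operation="SRPOperation"):
    """Build a document with the shape of the guide's protection_start example."""
    def section(nets):
        return {"networks": [{"ip": n.split("/")[0], "prefix": int(n.split("/")[1])} for n in nets]}
    return json.dumps({
        "protectedObjectInfo": {"id": po_id, "name": po_name,
                                "networksDetails": section(po_networks),
                                "excludedNetworks": section([])},
        "actionMode": "AUTOMATIC", "operationName": operation, "pulseId": pulse_id,
        "workflowName": "SRPWorkflow", "enterCriteria": "AttackStart",
        "exitCriteria": "AttackTermination", "attackBitsPerSecond": 10000,
        "activatedNetworks": section(activated),
    }).encode()


def _networks(section):
    return [ipaddress.ip_network(f"{n['ip']}/{n['prefix']}", strict=False)
            for n in section["networks"]]


def handle_callback(path, body):
    """Return (http_status, message) for one callback; 200 is the only success code."""
    try:
        doc = json.loads(body)
        info = doc["protectedObjectInfo"]
        po_nets = _networks(info["networksDetails"])
        active = _networks(doc["activatedNetworks"])
        pulse, po_name = doc["pulseId"], info["name"]
    except (ValueError, KeyError, TypeError) as exc:
        return 400, f"malformed payload: {exc}"
    # Never act on a network the protected object does not own.
    for net in active:
        if not any(net.version == po.version and net.subnet_of(po) for po in po_nets):
            return 400, f"{net} is not inside protected object {po_name}"
    route = path.rstrip("/").rsplit("/", 1)[-1]
    if route == "protection_start":
        ACTIVE_PULSES[pulse] = active  # apply your own countermeasure here
        return 200, f"started pulse {pulse} for {po_name}: {[str(n) for n in active]}"
    if route == "protection_stop":
        ACTIVE_PULSES.pop(pulse, None)  # a repeated stop has nothing to undo; still 200
        return 200, f"stopped pulse {pulse} for {po_name}"
    return 404, f"unknown callback {path}"


class CallbackHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="defenseflow"')
            self.end_headers()
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        status, message = handle_callback(self.path, body)
        self.log_message("%s -> %d %s", self.path, status, message)
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Terminate TLS in front of this (or wrap the socket with ssl) so the Custom
    # URL can be the https:// form shown in the guide's second example.
    HTTPServer(("0.0.0.0", 5000), CallbackHandler).serve_forever()
```

With the Custom URL set to http://<host>:5000/rest, DefenseFlow reaches /rest/protection_start/ and /rest/protection_stop/ on this server; the handler keys on the last path segment, so the prefix does not matter. Requests without valid credentials get 401 before the body is read, and a payload whose activated networks fall outside the protected object gets 400, which DefenseFlow records as an operation error rather than silently diverting traffic you never meant to touch.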

Table 48: Operation Additional Settings Parameters

Parameter Description
Router Group: The route name for this mitigation. Select one of the routes that you defined for
mitigation devices. For more information on configuring routes, see the Mitigation Devices pane,
page 267.

Mitigation Group: The name of the mitigation device or mitigation device group that performs
mitigation. Select from the configured list of mitigation groups (see Mitigation Devices Groups,
page 222).
Mitigation Route Name: The route name for this mitigation. Select one of the routes that you
defined for mitigation devices. For more information on configuring routes, see the Mitigation
Devices pane, page 267.
Operation Type: (Read-only) The type of operation based on the operation types that you
enabled/configured.
Values:
• Report Only — Only Basic parameters have been enabled/configured. No other operation types
have been enabled.
• Diversion
• Mitigation
• Clean Traffic Return
• Diversion and Mitigation
• Diversion, Mitigation, and Clean Traffic Return
• Mitigation and Clean Traffic Return
• Diversion and Clean Traffic Return
• FlowSpec Traffic Block — If you enable FlowSpec traffic blocking parameters, you cannot enable
the other types of operations.
• Custom Operation — If you enable Custom Operation parameters, you cannot enable the other
types of operations.
Default: Report Only

To duplicate an existing operation


You can duplicate an existing operation to use as a basis for creating a new operation.
1. From the Security Settings perspective, select Operations.
2. Do the following:
— If you do not immediately see the operation that you want to duplicate in the table, search

for the operation by typing a string in the search field.


To clear the filter and perform a new search, delete and/or modify the search text.

— When you find the operation you want to duplicate, select the operation and click the
(Duplicate) button to open the operation.
3. Edit the parameters for the new operation, and then click Submit to save your changes. A new
operation is created.

To edit an operation
1. From the Security Settings perspective, select Operations.


2. Do the following:
— If you do not immediately see the operation that you want to edit in the table, search for the
operation by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the operation you want to edit, click the (Expand Row) button to open the
operation.
3. Edit the parameters for the operation, and then click Submit to save your changes.

To delete operations
You can delete one or multiple operations.
1. From the Security Settings perspective, select Operations.
2. Do the following:
— If you do not immediately see the operations that you want to delete in the table, search for
the operations by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the operations you want to delete, select the operations and click the
(Delete) button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the operations.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display
1. Click the icon at the top far right of the widget.
2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.
4. To restore the default column display, in the drop-down menu click the icon.

Mitigations
Upon mitigation provisioning, DefenseFlow configures the security policy on the mitigating devices.
At any given time, the number of security policies configured on the mitigation devices is the
number of concurrent provisioned protected objects in the network.


During the life of the mitigation, SOC operators may tune and change the policy according to the
observed attack. The changes made by the operators are saved. Upon termination of mitigation,
DefenseFlow uploads the policy before removing it from the mitigation devices. The uploaded policy
is saved as the protected object's security policy.
A security policy for a protected object can be reset to the original template or replaced with another
template only in peacetime.
You configure mitigation from the Mitigations tabs on the Security Settings perspective:
• Security Policy Templates, page 155
• Access Lists, page 179
• BGP FlowSpec, page 188

Security Policy Templates
Security templates are the security configurations to provision on DefensePro devices for the
protected object. To support multiple DefensePro versions, each template can include multiple
template instances per DefensePro version.
Use the Security Policy Templates pane to view, configure, or delete security templates. The initial
view displays existing security templates and lets you search for a security template.
You can create new security templates from a saved security policy either on one of the protected
objects or from the APSolute Vision management system repository.
For more information on how security policy templates are assigned in protected objects, see
Protected Objects, page 119.

To add a security policy template
1. From the Security Settings perspective, select Mitigations > Security Policy Templates.
2. Click the (Add) button.

Note: Basic is a predefined security template that you can use to create new templates. You
cannot edit the Basic security template itself.
3. Configure the security template and click Submit.

Table 49: Security Policy Template Basic Parameters

General
The General section includes the following parameters.

Name
  Name of the security policy template.
  Maximum number of characters: 255

Description
  Description of the security policy template.
  Maximum number of characters: 255

Type (This field is available starting with version 4.2)
  Type of security policy template.
  Values:
  • GUI — Displays the Protection Sections that let you configure the various
    security policy template fields.
  • Text — Only displays the Template Origin and Policy Name fields.

Template Origin (This field displays if you select the Type as Text)
  Origin of the security policy template.
  Values:
  • Protected Object — Creates a template from an existing policy of a protected
    object.
  • Vision Template — Creates a template from an existing policy in the APSolute
    Vision security templates repository.
  Default: Vision Template

Policy Name (This field displays if you select the Type as Text)
  The name of the protected object or APSolute Vision template to associate with
  the security policy template.

BDoS Protection
The BDoS Protection section includes the following parameters.

Basic View — Displays only the basic BDoS Protection parameters.

Action
  The action that the profile takes when it encounters malicious scanning.
  Values: Block and Report, Report Only
  Default: Block and Report

Footprint Strictness
  When the Behavioral DoS profile detects a new attack, the module generates an
  attack footprint to block the attack traffic. If the Behavioral DoS profile is unable
  to generate a footprint that meets the footprint-strictness condition, the profile
  issues a notification for the attack but does not block it. The higher the strictness,
  the more accurate the footprint. However, higher strictness increases the
  probability that the profile cannot generate a footprint.
  Values:
  • High — Requires at least two Boolean AND conditions and no Boolean OR
    condition in the footprint. This level lowers the probability for false positives
    but increases the probability for false negatives (that is, increases the
    probability of not identifying attack traffic).
  • Medium — Comprises the following:
    — At least one Boolean AND condition in the top-level expression.
    — No OR condition in the top-level expression.
    — Up to two Boolean OR conditions in a nested expression.
    Examples:
    — A AND B
    — (A OR B OR C) AND D
    [where “(A OR B OR C)” is a nested expression]
  • Low — Allows any footprint suggested by the Behavioral DoS module. This
    level achieves the best attack blocking but increases the probability of false
    positives.
  Default: Low
  Note: DefenseFlow always considers the Checksum field and the Sequence
  Number fields as High Footprint Strictness fields. Therefore, a footprint with
  only a checksum or sequence number is always considered as High Footprint
  Strictness.

Advanced View — Displays only the advanced BDoS Protection parameters.

Advanced View — General

Transparent Optimization
  Values:
  • Enabled — DefenseFlow does not mitigate new BDoS attacks until the final
    footprint is generated. Some network environments are more sensitive to
    dropping packets (for example, VoIP). Enabling the Transparent Optimization
    option minimizes the probability that DefenseFlow drops legitimate traffic.
  • Disabled — DefenseFlow starts mitigating new BDoS attacks as soon as an
    initial footprint is generated.
  Default: Disabled
  Notes:
  • It may take several seconds (and multiple BDoS closed-feedback iterations)
    for the final footprint to be generated.
  • Packets can be sampled even when Transparent Optimization is selected.
    Values in packets that are sampled before the final footprint is generated may
    not match the final footprint.

Packet Reporting
  Specifies whether the profile sends sampled attack packets to APSolute Vision for
  offline analysis.
  Default: Enabled
  Notes:
  • When this feature is enabled, for the packet-reporting to take effect, the
    global setting must be enabled in DefensePro.
  • Packets can be sampled even when Transparent Optimization is selected.
    Values in packets that are sampled before the final footprint is generated may
    not match the final footprint.

Flood Protection Settings
  Select the network-flood protection types to apply.
  Values:
  • SYN Flood
  • TCP ACK + FIN Flood
  • TCP RST Flood
  • TCP SYN+ACK Flood
  • TCP Fragmentation Flood
  • UDP Flood
  • UDP Fragmentation Flood
  • ICMP Flood
  • IGMP Flood

Baseline Related Values
  For each traffic type, specify the quota — the maximum expected percentage of
  incoming and outgoing traffic out of the total traffic.
  Radware recommends that you initially leave these fields empty, so that the
  default values will automatically be used. To view default values after creating the
  profile, double-click the entry in the table. You can then adjust quota values
  based on your network performance.
  Caution: After you enter quota values and click Submit, DefenseFlow
  calculates the required minimum value for each type. (The calculation uses
  various parameters, which include Inbound Traffic and Outbound Traffic.)
  If you enter a value that is less than the required minimum, the actual value
  automatically changes to the required minimum. There is no alert message for
  this automatic action; however, the user interface does show the actual values.
  Note: The total quota values may exceed 100%, because each value
  represents the maximum volume per protocol.
  • Inbound
    — TCP (%)
    — UDP
    — Fragmented UDP
    — ICMP
    — IGMP
  • Outbound
    — TCP (%)
    — UDP
    — Fragmented UDP
    — ICMP
    — IGMP

Burst-Attack Protection
  • Burst Attack Protection — Specifies whether Burst-Attack Protection is
    enabled.
    Enabling and configuring Burst-Attack Protection lets DefenseFlow identify
    repeated bursts of malicious traffic with the same footprint as belonging to
    the same attack. Pauses between bursts sometimes last hours, and some
    burst attacks last days. Using Burst-Attack Protection, DefenseFlow does not
    need to regenerate the attack footprint every time a new burst occurs.
    Rather, DefenseFlow can identify a new burst in an attack and mitigate the
    attack immediately.
    Default: Enabled
    Caution: When Burst-Attack Protection is enabled, the BDoS profile may
    block some legitimate traffic if that traffic matches the BDoS footprint —
    even between bursts.
  • Maximum Interval Between Bursts — The time, in minutes, without any burst,
    that causes the BDoS profile to consider the attack to be terminated.
    Values: 10 – 10,080 (seven days)
    Default: 30

Overblocking Settings
  • Overblocking Prevention — Specifies whether the BDoS profile prevents
    blocking too much legitimate traffic. Overblocking is a situation where the
    BDoS profile has created a signature that meets all required criteria (blocking
    the suspicious traffic and matching the specified strictness level), but the
    profile is blocking too much legitimate traffic.
    When Overblocking Prevention is enabled, and DefenseFlow identifies an
    overblocking situation, the profile returns to footprint analysis state to refresh
    the generated footprint. If BDoS protection started blocking the attack but
    stopped three times after identifying an overblocking situation, the profile
    enters the over-blocking-footprint state. This state remains for 10 minutes,
    after which BDoS protection generates and implements a new footprint.
    Default: Disabled
    Caution: When Overblocking Prevention is enabled, if the profile
    repeatedly enters the over-blocking-footprint state, the BDoS profile may
    still block traffic (possibly legitimate), especially when Transparent
    Optimization is enabled.
  • Overblocking Prevention Threshold — The percentage of the traffic rate — after
    beginning the blocking of the attack traffic — below the recent baseline that is
    considered as overblocking.
    The recent baseline is separate from the normal baseline. The recent baseline
    is based on recent, peacetime traffic, whereas the normal baseline is learned
    over a much longer period.
    Values: 1 – 100
    Default: 25

Advanced View — Advanced

UDP Packet Rate Detection Sensitivity
  To what extent the BDoS engine considers the UDP PPS-rate values (baseline and
  current) during the initial learning period.
  Values:
  • Ignore or Disable
  • Low
  • Medium
  • High
  Default: Low

Learning Suppression Threshold
  The percentage of the specified bandwidth, below which DefenseFlow suppresses
  BDoS-baseline learning. The specified bandwidth refers to the Outbound Traffic
  and Inbound Traffic parameters specified in the Bandwidth Parameters tab
  above. DefenseFlow calculates the threshold per Protection policy and specified
  Direction (Network Protection tab, Network Protection Policy > Direction).
  For One Way policies, the Learning Suppression Threshold considers the inbound
  bandwidth. DefenseFlow treats Two Way policies as two policies, so the Learning
  Suppression Threshold calculates the bandwidth for each policy (inbound/
  outbound).
  The Learning Suppression Threshold feature helps preserve a good BDoS-
  baseline value in scenarios where, at times, DefenseFlow handles very little
  traffic.
  There are two typical scenarios where, at times, DefenseFlow handles very little
  traffic:
  • Out-of-path deployments — In an out-of-path deployment, traffic is diverted
    through DefenseFlow for mitigation. During an attack, the traffic is diverted
    and routed through DefenseFlow. During peacetime, no traffic passes through
    DefenseFlow (except for maintenance messages). When no traffic is diverted
    to DefenseFlow, the BDoS learning must be suppressed to prevent extremely
    low values affecting the baseline and ultimately increasing the susceptibility
    to false positives.
  • Environments where traffic rates change dramatically throughout the day.
  Values:
  • 0 — The BDoS profile uses no Learning Suppression Threshold.
  • 1 – 50
  Default: 0
  Note: Using the DefenseFlow CLI, you can view the Protection policies with a
  BDoS profile and the runtime status of the DNS Learning Suppression feature
  per Protection policy. For more information, see the DefenseFlow User Guide.

BDoS Rate Limit
  Specifies whether/how the profile limits the rate of traffic — only a fall-back
  measure — when BDoS protection fails to generate the real-time signature.
  The rate-limit applies to each flood protection type separately. (The flood
  protection types are selected in the BDoS Profile Flood Protection Settings tab.)
  Traffic below the rate-limit threshold bypasses the BDoS module. (Traffic that
  bypasses the BDoS module may be handled by other DefenseFlow modules.)
  Traffic above the rate-limit threshold is dropped.
  Having a BDoS Rate Limit ensures the uptime of the network that the Protection
  policy protects during volumetric attacks. Note, however, that when implementing
  the BDoS Rate Limit, legitimate traffic may also be dropped.
  Values:
  • Enabled
  • Disabled — While in the Anomaly state or Non-strictness state, the traffic
    bypasses the BDoS module.
  • Limit to Normal Edge — While in the Anomaly state or Non-strictness state,
    the profile limits the traffic rate according to the current Normal baseline.
  • Limit to Suspect Edge — While in the Anomaly state or Non-strictness state,
    the profile limits the traffic rate according to the current Suspect baseline.
  Default: Disabled

User-Defined Rate Limit
  While in the Anomaly state or Non-strictness state, the profile limits the traffic
  rate according to the user-defined rate.

Rate Limit Units
  The user-defined rate type.
  Values: Kbps, Mbps, Gbps

DNS Flood Protection
The DNS Flood Protection section includes the following parameters.

Basic View — Displays only the basic DNS Flood Protection parameters.

Profile Action
  The action that the profile takes on HTTPS traffic during an attack.
  Values: Block and Report, Report Only
  Default: Block and Report

Footprint Strictness
  When the DNS Flood Protection profile detects a new attack, the profile generates
  an attack footprint to block the attack traffic. If the profile is unable to generate a
  footprint that meets the footprint-strictness condition, the profile issues a
  notification for the attack but does not block it. The higher the strictness, the
  more accurate the footprint. However, higher strictness increases the probability
  that the profile cannot generate a footprint.
  Values:
  • High — Requires at least two Boolean AND conditions and no Boolean OR
    condition in the footprint. This level lowers the probability for false positives
    but increases the probability for false negatives (that is, increases the
    probability of not identifying attack traffic).
  • Medium — Comprises the following:
    — At least one Boolean AND condition in the top-level expression.
    — No OR condition in the top-level expression.
    — Up to two Boolean OR conditions in a nested expression.
    Examples:
    — A AND B
    — (A OR B OR C) AND D
    [where “(A OR B OR C)” is a nested expression]
  • Low — Allows any footprint suggested by the DNS Flood Protection profile. This
    level achieves the best attack blocking but increases the probability of false
    positives.
  Default: Low
  Note: The DNS Flood Protection profile always considers the Checksum field
  and the Sequence Number fields as High Footprint Strictness fields.
  Therefore, a footprint with only a checksum or sequence number is always
  considered as High Footprint Strictness.
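The Footprint Strictness rules above, which are the same for the BDoS Protection and the DNS Flood Protection profiles, can be checked mechanically. The following Python is an added example written against the wording of this table, not DefenseFlow's own code: it models a footprint as a tree of AND/OR nodes over "field=value" leaves and returns the strictest level the footprint satisfies. It reads "at least two Boolean AND conditions" as two AND operators (three conjuncts) and counts the OR operators inside nested expressions; those readings, and the field names in the sample footprints, are assumptions made for the example.

```python
# Added example: classify a footprint against the Footprint Strictness levels of
# Table 49. Assumed reading of the rules; not DefenseFlow's own code.
from dataclasses import dataclass

# Fields the table says are always treated as High Footprint Strictness fields.
HIGH_STRICTNESS_FIELDS = {"checksum", "sequence_number"}
LEVELS = ("Low", "Medium", "High")


@dataclass
class Expr:
    """A Boolean node of a footprint: op is 'AND' or 'OR'; terms are leaves or nested Exprs."""
    op: str
    terms: list


def count_ops(fp, op):
    """Count operators of one kind anywhere in the footprint.
    An n-ary node contributes n-1 operators, so 'A OR B OR C' is two OR conditions."""
    if isinstance(fp, str):
        return 0
    own = len(fp.terms) - 1 if fp.op == op else 0
    return own + sum(count_ops(t, op) for t in fp.terms)


def leaf_fields(fp):
    """Field names of every leaf condition; a leaf is written 'field=value' (constructed form)."""
    if isinstance(fp, str):
        return [fp.split("=", 1)[0]]
    return [f for t in fp.terms for f in leaf_fields(t)]


def classify(fp):
    """Return the strictest level the footprint satisfies: 'High', 'Medium' or 'Low'."""
    fields = leaf_fields(fp)
    # Note in Table 49: a footprint with only checksum/sequence-number fields is always High.
    if fields and all(f in HIGH_STRICTNESS_FIELDS for f in fields):
        return "High"
    # High: at least two AND conditions and no OR condition anywhere in the footprint.
    if count_ops(fp, "AND") >= 2 and count_ops(fp, "OR") == 0:
        return "High"
    # Medium: at least one AND at the top level (hence no top-level OR) and at most
    # two OR conditions inside the nested expressions.
    if isinstance(fp, Expr) and fp.op == "AND" and len(fp.terms) >= 2:
        nested_or = sum(count_ops(t, "OR") for t in fp.terms)
        if nested_or <= 2:
            return "Medium"
    # Low: any footprint the module suggests is accepted.
    return "Low"


def may_block(fp, configured_strictness):
    """True if a footprint of this shape is usable for blocking under the configured level;
    otherwise the profile would only report the attack."""
    return LEVELS.index(classify(fp)) >= LEVELS.index(configured_strictness)
```

With the default strictness of Low every suggested footprint blocks; raising it to High means a footprint such as "(A OR B OR C) AND D" is reported but not blocked, which is the false-negative trade-off the table describes.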
Max Allowed QPS
  The maximum allowed rate of DNS queries per second, when the Manual Triggers
  option is not enabled (that is, when the Use Manual Triggers checkbox is
  cleared in the Manual Triggers tab).
  Values: 0 – 4,000,000
  Default: 0
  Caution: If the Max Allowed QPS is lower than the DNS baseline, the profile
  drops every packet that matches the real-time signature.

Expected DNS Query Rate
  The expected rate, in queries per second, of DNS queries.
  Caution: After you change the Expected DNS Query Rate and click Submit,
  the quota settings automatically change to the default values appropriate for
  the query rate. There is no alert message for this automatic action; however,
  the user interface does show the actual values.

Advanced View — Displays only the advanced DNS Flood Protection parameters.

Packet Reporting
  Specifies whether the profile sends sampled attack packets to APSolute Vision for
  offline analysis.
  Default: Enabled
  Notes:
  • When this feature is enabled, for the packet-reporting to take effect, the
    global setting must be enabled in DefensePro.
  • Packets can be sampled even when Enable Transparent Optimization is
    selected. Values in packets that are sampled before the final footprint is
    generated may not match the final footprint.

Flood Protection Settings, Baseline Related Values
  For each DNS query type to protect, specify the quota — the maximum expected
  percentage of DNS traffic out of the total DNS traffic — and select the checkbox in
  the row.
  Radware recommends that you initially leave these fields empty so that the
  default values will automatically be used. To view default values after creating the
  profile, double-click the entry in the table. You can then adjust quota values
  based on your network performance.
  Caution: After you enter quota values and click Submit, DefenseFlow
  calculates the required minimum value for each type. (The calculation uses
  various parameters, which include Expected DNS Query Rate.) If you enter a
  value that is less than the required minimum, the actual value automatically
  changes to the required minimum. There is no alert message for this automatic
  action; however, the user interface does show the actual values.
  Note: The total quota values may exceed 100%, because each value
  represents the maximum volume per query type.
  • A Query
  • MX Query
  • PTR Query
  • AAAA Query
  • Text Query
  • SOA Query
  • NAPTR Query
  • SRV Query
  • Other Queries

Other Rate Settings
  Signature Rate-Limit Target — The maximum level of DNS traffic, in percent,
  relative to the DNS baseline, that the profile allows during a DNS-flood attack.
  This is relevant to the traffic that matches the real-time signature.

Manual Triggers
  • Enabled/Disabled — When enabled, displays the manual triggers that specify
    whether the profile uses user-defined DNS QPS thresholds instead of the
    learned baselines.
    Default: Disabled
  • Activation Threshold — The number of total queries per second, per protected
    destination network — after the specified Activation Period — above which
    DefenseFlow considers there to be an ongoing attack.
    When DefenseFlow detects an attack, it starts challenging all sources.
    DefenseFlow continues the challenges unless the specified Max QPS (see
    below) is reached. Above the specified Max QPS, DefenseFlow limits the rate
    of total QPS towards the protected network.
    Values: 0 – 4,000,000
    Default: 0
  • Activation Period — The number of consecutive seconds that the DNS traffic
    exceeds the Activation Threshold that determines when DefenseFlow
    considers an attack to be in progress.
    Values: 1 – 30
    Default: 3
  • Termination Threshold — The maximum number of queries per second — after
    the specified Termination Period — that causes DefenseFlow to consider the
    attack to have ended.
    Values: 0 – 4,000,000
    Default: 0
    Note: The Termination Threshold must be less than or equal to the
    Activation Threshold.
  • Termination Period — The time, in seconds, that the DNS traffic is continuously
    below the Termination Threshold, which causes DefenseFlow to consider
    the attack to have ended.
    Values: 1 – 30
    Default: 3
  • Max QPS — The maximum allowed rate of DNS queries per second.
    Values: 0 – 4,000,000
    Default: 0
  • Escalation Period — The time, in seconds, that DefenseFlow waits before
    escalating to the next enabled Mitigation Action.
    Values: 0 – 30
    Default: 3

Advanced View — Advanced

Learning Suppression Threshold
  The percentage of the specified Expected DNS Query Rate below which
  DefenseFlow suppresses DNS-baseline learning. DefenseFlow calculates the
  threshold per Network Protection policy, per IP version (IPv4 or IPv6).
  Example: Consider a Protection policy, Policy1. Policy1 has a DNS profile with the
  Expected DNS Query Rate value 1000, and the DNS Learning Suppression
  Threshold is 5(%). The baseline for Policy1 will not change (that is, learning is
  suppressed) if the traffic rate drops below 50 QPS.
  The Learning Suppression Threshold feature helps preserve a good DNS-baseline
  value in scenarios where, at times, DefenseFlow handles very little traffic.
  There are two typical scenarios where, at times, DefenseFlow handles very little
  traffic:
  • Out-of-path deployments — In an out-of-path deployment, traffic is diverted
    through DefenseFlow for mitigation. During an attack, the traffic is diverted
    and routed through DefenseFlow. During peacetime, no traffic passes through
    DefenseFlow (except for maintenance messages). When no traffic is diverted
    to DefenseFlow, the DNS learning must be suppressed to prevent extremely
    low values affecting the baseline and ultimately increasing the susceptibility
    to false positives.
  • Environments where traffic rates change dramatically throughout the day.
  Values:
  • 0 — Specifies that the DNS-baseline learning is always active.
  • 1 – 100
  Default: 0

Out-of-State Protection
The Out-of-State Protection section includes the following parameters.

Profile Action
  The action that the profile takes when it encounters out-of-state packets.
  Values: Block and Report, Report Only
  Default: Block and Report

Activation Threshold
  The rate, in PPS, of out-of-state packets above which the profile considers the
  packets to be part of a flood attack. When DefenseFlow detects an attack, it
  issues an appropriate alert and drops the out-of-state packets that exceed the
  threshold. Packets that do not exceed the threshold bypass the DefenseFlow
  device.
  Values: 1 – 250,000
  Default: 5000

Termination Threshold
  The rate, in PPS, of out-of-state packets below which the profile considers the
  flood attack to have stopped, and DefenseFlow resumes normal operation.
  Values: 0 – 249,999
  Default: 4000
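The Activation Threshold/Period and Termination Threshold/Period pairs of the DNS Manual Triggers, and the Activation/Termination Threshold pair of Out-of-State Protection above, describe one hysteresis: an attack is declared only after the rate stays above the activation value for the activation period, and cleared only after it stays below the termination value for the termination period, so a rate hovering near one threshold does not flap the state. The following Python is an added example, not DefenseFlow's code: it models that behaviour over constructed per-second rate samples and enforces the note that the Termination Threshold may not exceed the Activation Threshold. Treating the Out-of-State thresholds as a one-second period, and the strict above/below comparisons, are assumptions of the model.

```python
# Added example: hysteresis detector modelling the Activation/Termination threshold
# and period parameters of Table 49 (a model of the documented behaviour, not
# DefenseFlow's code; all rate samples below are constructed).
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ThresholdDetector:
    activation_threshold: int        # rate above which an attack is suspected
    termination_threshold: int       # rate below which the attack is considered over
    activation_period: int = 1       # consecutive seconds above the threshold before declaring
    termination_period: int = 1      # consecutive seconds below the threshold before clearing
    attacking: bool = field(default=False, init=False)
    _above: int = field(default=0, init=False, repr=False)
    _below: int = field(default=0, init=False, repr=False)

    def __post_init__(self):
        # Table 49 note: the Termination Threshold must be <= the Activation Threshold.
        if self.termination_threshold > self.activation_threshold:
            raise ValueError("termination threshold must not exceed activation threshold")
        if self.activation_period < 1 or self.termination_period < 1:
            raise ValueError("periods must be at least 1 second")

    def feed(self, rate: int) -> Optional[str]:
        """Consume one per-second rate sample; return 'start' or 'end' on a state change."""
        if not self.attacking:
            self._above = self._above + 1 if rate > self.activation_threshold else 0
            if self._above >= self.activation_period:
                self.attacking, self._above = True, 0
                return "start"
        else:
            self._below = self._below + 1 if rate < self.termination_threshold else 0
            if self._below >= self.termination_period:
                self.attacking, self._below = False, 0
                return "end"
        return None


def run(detector: ThresholdDetector, samples: List[int]) -> List[Tuple[int, str]]:
    """Return [(second, event), ...] for a sequence of per-second rate samples."""
    events = []
    for t, rate in enumerate(samples):
        ev = detector.feed(rate)
        if ev:
            events.append((t, ev))
    return events


def config_error(**kwargs) -> Optional[str]:
    """Return the validation message for a detector configuration, or None if it is valid."""
    try:
        ThresholdDetector(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


# DNS Manual Triggers with constructed values: Activation 2000 QPS for 3 s,
# Termination 1500 QPS for 3 s, fed a constructed per-second QPS series.
DNS_QPS = [800, 900, 2500, 2600, 2700, 2650, 1400, 1450, 1300, 1200, 900]


def dns_manual_trigger_events():
    return run(ThresholdDetector(2000, 1500, activation_period=3, termination_period=3), DNS_QPS)


# Out-of-State Protection with the table defaults (5000 / 4000 PPS); the table has no
# period parameter for it, which this model treats as a period of one second.
OOS_PPS = [3000, 5200, 4500, 3900]


def out_of_state_events():
    return run(ThresholdDetector(5000, 4000), OOS_PPS)
```

In the DNS series the attack starts at the third consecutive second above 2000 QPS (second 4) and ends at the third consecutive second below 1500 QPS (second 8); the two seconds at 1400 and 1450 QPS alone would not have cleared it.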

Allow SYN-ACK
  Values:
  • Enabled — DefenseFlow opens a session and processes a SYN-ACK packet
    even when DefenseFlow has identified no SYN packet for the session. This
    option supports asymmetric environments, when the first packet that
    DefenseFlow receives is the SYN-ACK.
  • Disabled — When DefenseFlow receives a SYN-ACK packet and has identified
    no SYN packet for the session, DefenseFlow passes through the SYN-ACK
    packet (unprocessed) if the packet is below the specified activation threshold,
    and DefenseFlow drops the packet if it is above the specified activation
    threshold.
  Default: Enabled

Risk Level
  The risk — for reporting purposes — assigned to the attack that the profile detects.
  Values: Info, Low, Medium, High
  Default: Low

Packet Reporting
  Specifies whether the profile reports out-of-state packets.
  Default: Disabled
  Caution: When this feature is enabled here, for the packet-reporting to take
  effect, the global setting must be enabled in DefensePro. In addition, a change
  to this parameter takes effect only after you click Update Policies to activate
  your configuration changes.

Signature Protection
The Signature Protection section includes the following parameters.

Profile
  The name of the signature profile.

SYN Flood Protection
The SYN Flood Protection section includes the following parameters.

Basic View — Displays only the basic SYN Flood Protection parameters.

Protection Name
  Assign SYN Flood protections to the security policy.
  1. From the Available list, select the SYN Flood protections for this security
     policy (to assign all available SYN Flood protections, select Select All).
  2. Click the icon to move the selected protections to the Selected list.

Advanced View — Displays the advanced SYN Flood parameters.

Tracking Method
  Values:
  • Tracking per Destination IP Address — The profile tracks SYN packets
    individually for each pair composed of the destination IP address and port.
  • Spoofed SYN Attack Protection - Aggregated Tracking for All Destination IP
    Addresses in Policy — The profile tracks and counts traffic by aggregating the
    SYN packets sent toward any and all IP addresses included in the DST
    Network configured in the Protection policy. (For more information, see
    Spoofed SYN Attack Protection below.)
  Default: Tracking per Destination IP Address

Spoofed SYN Attack Protection
(These parameters are available only when the Tracking Method is Spoofed SYN Attack
Protection.)
DefenseFlow’s Spoofed SYN Attack Protection handles attacks that use multiple, spoofed, source
subnets and/or CIDRs.
Spoofed-SYN–flood attacks are not the “usual/typical” SYN-flood attack. Spoofed-SYN–flood
attacks are slow-rate SYN-flood attacks, sourcing from multiple subnets (/22 – /24) to multiple
destination subnets (/22 – /24). A spoofed-SYN–flood attack resembles a highly distributed scan
attack, originating from many source subnets to many destination subnets. These attacks are also
called carpet-bombing attacks.
If you observe a drastic increase in the number of incomplete three-way TCP handshakes, over
various protocols (such as DNS, HTTP, HTTPS, C-LDAP, and so on) — where the source of the SYN
packets is distributed across a wide range of subnets, you may be facing a spoofed-SYN–flood
attack, where your system is the reflector. As the reflector, your system generates a flood of SYN-
ACK–packets towards the spoofed destination.

Destination Ports
  Values:
  • All Traffic Matching Policy Regardless of Destination Port — The profile tracks
    all traffic that matches the destination IP addresses of the Protection policy,
    regardless of the destination port.
  • Traffic Matching Destination Ports Included in SYN Protections in Profile — The
    profile tracks traffic whose destination port is included in the Application
    Port Group configured for one of the SYN Flood Protections in the SYN Flood
    Protection profile.
  Default: All Traffic Matching Policy Regardless of Destination Port

Activation Mode
  Values:
  • Continuous — The profile applies the authentication methods configured in the
    profile immediately. The profile authenticates all SYN packets received by the
    associated Protection policy.
  • Threshold-Based — The profile applies the authentication methods configured
    in the profile after reaching the configured Activation Threshold value (of
    SYN packets per second). The profile authenticates all subsequent SYN
    packets received by the associated Protection policy.
  Default: Threshold-Based

Network Level Authentication

Use TCP Reset for Supported Protocols (This option is available only when the
Authentication Method is Safe Reset.)
  Specifies whether DefenseFlow uses the TCP-Reset method for HTTP, HTTPS,
  SMTP, and custom-protocol traffic rather than the default Authentication Method:
  Safe Reset.
  Radware recommends enabling the Use TCP Reset for Supported Protocols
  option in symmetric and ingress-only environments that include HTTP, HTTPS,
  and SMTP traffic.
  Default: Disabled
  Note: Using the Safe-Reset method, when DefenseFlow receives a SYN
  packet, DefenseFlow responds with an ACK packet with an invalid Sequence
  Number field as a cookie. If the client responds with RST and the cookie,
  DefenseFlow discards the RST packet, and adds the source IP address to the
  TCP Authentication Table. The next SYN packet from the same source
  (normally, a retransmit of the previous SYN packet) passes through
  DefenseFlow, and the session is approved for the server. DefenseFlow saves
  the source IP address for a specified time.

Authentication The authentication method that DefenseFlow uses at the transport layer.
Method When DefenseFlow is installed in an ingress-only topology, select the Safe Reset
option.
Values:
• Transparent Proxy — When DefenseFlow receives a SYN packet, DefenseFlow
replies with a SYN ACK packet with a cookie in the Sequence Number field. If
the response is an ACK packet that contains the cookie, DefenseFlow
considers the session to be legitimate. Then, DefenseFlow opens a connection
with the destination and acts as transparent proxy between the source and
the destination.
• Safe Reset — When DefenseFlow receives a SYN packet, DefenseFlow
responds with an ACK packet with an invalid Sequence Number field as a
cookie. If the client responds with the RST packet with the cookie and
retransmits the original SYN packet within the specified time range
(Minimum Allowed SYN Retransmission Time and Maximum Allowed
SYN Retransmission Time), DefenseFlow discards the RST packet, and
adds the source IP address to the TCP Authentication Table. The next SYN
packet from the same source passes through DefenseFlow, and the session is
approved for the server. DefenseFlow saves the source IP address for a
specified time.
Default: Safe Reset
Notes:
• If you select Transparent Proxy, Use HTTP Authentication, and Use SSL
Mitigation, DefenseFlow uses the TCP-Reset method for HTTP, HTTPS, SMTP,
and custom-protocol traffic rather than the Transparent-Proxy method.
• If you select Transparent Proxy and Use HTTP Authentication (without
Use SSL Mitigation), DefenseFlow performs the HTTP Authentication before
performing the Transparent-Proxy actions.
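The two transport-layer exchanges described above (Safe Reset, also summarized in the Use TCP Reset note, and Transparent Proxy) modelled as an added Python example. This is not Radware code and does not reproduce the DefensePro or DefenseFlow implementation: the Packet class, the HMAC-derived cookie, and the timing values (a 1 to 6 second retransmission window, 60-second ageing of the TCP Authentication Table) are assumptions chosen for illustration. The model follows the Authentication Method row, which requires both the RST carrying the cookie and the retransmitted SYN inside the window before the source is added to the table.

```python
"""Toy model of the two transport-layer Authentication Method values in Table 49.

Added example for this guide; it is not Radware code and does not reproduce the
DefensePro/DefenseFlow implementation. The cookie derivation, the packet layout,
and the timing values (retransmission window, table ageing) are assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN", "ACK", or "RST"
    seq: int = 0
    ack: int = 0


def make_cookie(secret: bytes, pkt: Packet) -> int:
    """Keyed per-flow cookie (assumption): a spoofed source cannot predict it, and
    the mitigator needs no per-flow state to verify a reply."""
    msg = f"{pkt.src}:{pkt.sport}>{pkt.dst}:{pkt.dport}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


class SafeReset:
    """Safe Reset: a SYN is answered with an ACK whose acknowledgement number is the
    cookie (an invalid sequence number for the client). A real TCP stack replies with
    a RST carrying that number and later retransmits its SYN; the RST is discarded,
    and the retransmitted SYN is authenticated only if it arrives inside the
    [min_retx, max_retx] window (Minimum/Maximum Allowed SYN Retransmission Time)."""

    def __init__(self, secret: bytes, min_retx=1.0, max_retx=6.0, auth_ttl=60.0):
        self.secret = secret
        self.min_retx, self.max_retx, self.auth_ttl = min_retx, max_retx, auth_ttl
        self.auth_table = {}  # TCP Authentication Table: source IP -> expiry time
        self.pending = {}  # challenged flow -> (challenge time, RST with cookie seen)

    def handle(self, pkt: Packet, now: float) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "SYN":
            if self.auth_table.get(pkt.src, 0.0) > now:
                return "PASS"  # source already authenticated; SYN goes to the server
            if flow in self.pending:
                t0, rst_seen = self.pending[flow]
                if rst_seen and self.min_retx <= now - t0 <= self.max_retx:
                    del self.pending[flow]
                    self.auth_table[pkt.src] = now + self.auth_ttl
                    return "PASS"  # retransmitted SYN: session approved for the server
            self.pending[flow] = (now, False)
            return f"CHALLENGE-ACK ack={make_cookie(self.secret, pkt)}"
        if pkt.flags == "RST":
            if flow in self.pending and pkt.seq == make_cookie(self.secret, pkt):
                self.pending[flow] = (self.pending[flow][0], True)
            return "DROP"  # the RST is never forwarded to the server
        return "PASS" if self.auth_table.get(pkt.src, 0.0) > now else "DROP"


class TransparentProxy:
    """Transparent Proxy: a SYN is answered with a SYN-ACK whose sequence number is the
    cookie. An ACK that acknowledges cookie + 1 proves the client completed the
    handshake; the mitigator then opens its own connection to the destination and
    relays between the two (the relay itself is not modelled here)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.legit = set()  # flows that completed the cookie handshake

    def handle(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "SYN":
            return f"SYN-ACK seq={make_cookie(self.secret, pkt)}"
        if pkt.flags == "ACK" and pkt.ack == make_cookie(self.secret, pkt) + 1:
            self.legit.add(flow)
            return "PROXY"
        return "PROXY" if flow in self.legit else "DROP"
```

Feeding the SafeReset object one client that answers the challenge and one that never does shows why the method resists spoofed-source SYN floods: only the source that received the challenge ACK can send the RST with the right cookie, so only it lands in auth_table, while a retransmitted SYN from a source that never sent the RST is simply challenged again.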

Application Level Authentication
HTTP Authentication Method Specifies whether DefenseFlow authenticates the transport layer of
HTTP traffic using SYN cookies and then authenticates the HTTP application layer using the
specified HTTP Authentication Method.
Values:
• Disabled — DefenseFlow handles HTTP traffic using the specified TCP
Authentication Method.
• Redirect — DefensePro authenticates HTTP traffic using a 302-redirect
response code.
• JavaScript — DefensePro authenticates HTTP traffic using a JavaScript object,
which DefensePro generates.
Default: Disabled
Notes:
• Some attack tools are capable of handling 302-redirect responses. The 302-
Redirect HTTP Authentication Method is not effective against attacks that use
those tools. The JavaScript HTTP Authentication Method requires an engine
on the client side that supports JavaScript, and therefore, the JavaScript
option is considered stronger. However, the JavaScript option has some
limitations, which are relevant in certain scenarios.
• Limitations when using the JavaScript HTTP Authentication Method:
— If the browser does not support JavaScript calls, the browser will not
answer the challenge.
— When the protected server is accessed as a sub-page through another
(main) page only using JavaScript, the user session will fail (that is, the
browser will not answer the challenge).
Use SSL Mitigation Specifies whether DefensePro sends traffic to the specified
SSL-decryption-and-encryption component and uses the SSL Mitigation mechanism.
(This parameter is available only when the HTTP Authentication Method is enabled.)
SSL Mitigation works with HTTP Authentication. If you select the Use SSL Mitigation
checkbox, DefensePro selects the Use HTTP Authentication checkbox automatically.
Traffic Filters
The Traffic Filters section includes the following parameters.
Basic and Advanced Views — The Basic view displays the Action parameter in the Traffic Filters
table. The Advanced view displays more parameters in the Traffic Filters table.
Action The action that the profile takes when it detects traffic matching a Traffic Filter
configuration.
Values: Block and Report, Report Only
Default: Block and Report

Traffic Filters List
You can configure the Traffic Filters List parameters.

Click the (Add) button to add a new Filters list with the following parameters:
Filter Threshold
Filter Name The name of the Traffic Filter.
Maximum characters: 29
Apply Traffic Filter To Values:
• Matching Traffic — Apply the filter to traffic that matches all the parameters in
the Filter Criteria.
• Non-Matching Traffic — Apply the filter to traffic that does not match all the
parameters in the Filter Criteria.
Default: Matching Traffic
IPv4 Source Prefix Length The IPv4 prefix length that specifies the subnet size for tracking
source addresses.
Values: 1 – 32
Default: 32
IPv6 Source Prefix Length The IPv6 prefix length that specifies the subnet size for tracking
source addresses.
Values: 1 – 128
Default: 128
IPv4 Destination Prefix Length The IPv4 prefix length that specifies the subnet size for tracking
destination addresses.
Values: 1 – 32
Default: 32
IPv6 Destination Prefix Length The IPv6 prefix length that specifies the subnet size for tracking
destination addresses.
Values: 1 – 128
Default: 128
Basic Filter
Source Network The IP address or predefined Network class object that defines the source of the
packets to match to the Traffic Filter.
Values:
• As in Policy — The filter matches only source networks that match the
Protection policy.
• A discrete IP address.
• A Network class displayed in the Classes tab.
Default: As in Policy
Caution: If you specify a Network class, the class can represent up to 50
discrete IP addresses.

Destination Network The IP address or predefined Network class object that defines the
destination of the packets that the policy applies to.
Values:
• As in Policy — The filter matches only destination networks that match the
Protection policy.
• A discrete IP address.
• A Network class displayed in the Classes tab.
Default: As in Policy
Caution: If you specify a Network class, the class can represent up to 50
discrete IP addresses.
Protocol The protocol that defines the packets that the Traffic Filter applies to.
Values:
• Any Supported Protocol — The filter matches any of the protocols in the
Protocol drop-down list.
• TCP
• UDP
• ICMP
• IGMP
• ICMPv6
• Other Protocol(s) — The filter matches the protocol number or numbers
specified in the Other Protocol Number(s) text box.
Default: Any Supported Protocol
Caution: When you select GRE — or when you specify 47 in the Other
Protocol Number(s) text box, the GRE Traffic parameter in the Tunnel
Inspection configuration must be Inspect the Outer Headers in
DefensePro.
Caution: When you select IP-in-IP — or when you specify 4 and/or 41 in the
Other Protocol Number(s) text box, the IP-in-IP Traffic parameter in the
Tunnel Inspection configuration must be Inspect the Outer Headers in
DefensePro.
Caution: If Protocol is Any Supported Protocol and a checkbox for TCP
Flags is selected, the effective value for Protocol is TCP.
Note: In DefensePro version 8.24, if Any Supported Protocol is selected, the
filter matches any of the protocols in the following list, and also matches the
GRE and IP-in-IP protocols (even though they are not listed).

Other Protocol Number(s) The IANA-assigned number or numbers that identify the protocol or
protocols that define the packets that the Traffic Filter applies to.
(This parameter is available only when the value for the Protocol parameter is Other
Protocol(s).)
Values:
• 0 – 255
• A list of comma-separated values in the range 0 – 255
• A range of values 0 – 255, in the format a-b
Caution: When the selected Protocol value is Other Protocol(s), for the
Traffic Filter to apply, the Report Action for Packet Anomaly Unsupported L4
Protocol (ID 110) must be Process.
Caution: If you specify 47 in the Other Protocol Number(s) text box, the
GRE Traffic parameter in the Tunnel Inspection configuration must be
Inspect the Outer Headers in DefensePro.
Caution: If you specify 4 and/or 41 in the Other Protocol Number(s) text
box, the IP-in-IP Traffic parameter in the Tunnel Inspection configuration
must be Inspect the Outer Headers in DefensePro.
Note: You can enter a list with a combination of numbers and ranges.
Example: 1-20,47,48,58-62
Source Port The port or predefined Application Port Group class object that defines the source
of the packets that the Traffic Filter applies to.
(This parameter is available only when the value for the Protocol parameter is Any Supported
Protocol, TCP, or UDP.)
Values:
• Any — The filter matches any source application port.
• A specific application-port number.
• A list of comma-separated application-port numbers.
• An Application Port Group class displayed in the Classes tab.
Default: Any
Maximum characters: 255
Destination Port The port or predefined Application Port Group class object that defines the
destination of the packets that the Traffic Filter applies to.
(This parameter is available only when the value for the Protocol parameter is Any Supported
Protocol, TCP, or UDP.)
Values:
• Any — The filter matches any destination application port.
• A specific application-port number.
• A list of comma-separated application-port numbers.
• An Application Port Group class displayed in the Classes tab.
Default: Any
Maximum characters: 255

Packet Size (Bytes) The size, in bytes, of the packets that the Traffic Filter applies to.
Values:
• None
• 64 – 1542
• A list of comma-separated values in the range 64 – 1542
• A range of values 64 – 1542, in the format a-b
Default: None
Maximum characters: 255
Caution: You can specify up to a total of 50 packet-size values.
Notes:
• You can enter a list with a combination of specific packet sizes and packet-
size ranges. Example: 64-80,90,92,101-130
• The Packet Size value does not account for the CRC.
Advanced Filter
(The checkboxes for TCP flags are available only when the value for the Protocol parameter is Any
Supported Protocol or TCP.)
TCP Flags - SYN, TCP Flags - ACK, TCP Flags - RST, TCP Flags - SYN+ACK, TCP Flags - FIN+ACK,
TCP Flags - PSH+ACK Select the TCP flags to match toward the Traffic Filter.
DefenseFlow combines multiple values using a Boolean OR operator.
Default: None
Caution: If you select a TCP flag, you cannot specify a value for the Fragment
Offset or Fragment ID parameter.
Time to Live (TTL) The time-to-live (TTL) value in the packet header.
Values:
• None
• A specific value
• A list of comma-separated values
• A range of values, in the format a-b
Default: None
Maximum characters: 255
Caution: You can specify up to 50 TTL values, in the comma-separated list or
in the range.
Note: You can enter a list with a combination of values and ranges. Example:
6-10,12,13,15-64

TCP Sequence Number The TCP-sequence value in the packet header.
(This parameter is available only when the value for the Protocol parameter is Any Supported
Protocol or TCP.)
Values:
• Any
• A specific value
• A list of comma-separated values
• A range of values, in the format a-b
Default: None
Maximum characters: 255
Caution: You can specify up to a total of 50 TCP-sequence values, in the
comma-separated list or in the range.
Caution: If you specify a value for this parameter, you cannot specify a value
for the Fragment Offset or Fragment ID parameter.
Note: You can enter a list with a combination of values and ranges. Example:
6-10,12,13,15-64
Context Tag The context tag in the packet header.
Values:
• None
• A context-tag value
• A list of comma-separated context-tag values
• A Context Group class displayed in the Classes tab
Caution: You can specify up to 50 tags, in the comma-separated list or in the
class.
Type of Service (ToS) - DSCP The type-of-service (ToS) value or Differentiated Services Code
Point (DSCP) value in the packet header.
Values:
• None
• A specific value
• A list of comma-separated values
• A range of values, in the format a-b
Default: None
Maximum characters: 255
Caution: You can specify up to a total of 50 ToS/DSCP values, in the comma-
separated list or in the range.
Note: You can enter a list with a combination of values and ranges. Example:
8-14,24,26,32-38

Fragment Offset The fragment offset value in the packet header.
Values:
• None
• A specific value
• A list of comma-separated values
• A range of values, in the format a-b
Default: None
Maximum characters: 255
Caution: You can specify up to a total of 50 fragment-offset values, in the
comma-separated list or in the range.
Caution: If you specify a value for this parameter, you cannot select a TCP flag
or specify a value for the TCP Sequence Number parameter.
Note: You can enter a list with a combination of values and ranges. Example:
0-8,16,32,64-100
Fragment ID The fragment identifier value in the packet header.
Values:
• None
• A specific value
• A list of comma-separated values
• A range of values, in the format a-b
Default: None
Maximum characters: 255
Caution: You can specify up to a total of 50 fragment-ID values, in the
comma-separated list or in the range.
Caution: If you specify a value for this parameter, you cannot select a TCP flag
or specify a value for the TCP Sequence Number parameter.
Note: You can enter a list with a combination of values and ranges. Example:
0-3,5,7,9-20
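The Other Protocol Number(s), Packet Size, TTL, TCP Sequence Number, ToS/DSCP, Fragment Offset and Fragment ID rows above all accept the same "value, comma-separated list, or a-b range" syntax with a 255-character limit and a 50-value cap. The following added Python example (not Radware code) parses and validates that syntax for all of these fields and, for Other Protocol Number(s), reports the protocol numbers that additionally require the Tunnel Inspection setting named in the cautions. The bounds for Other Protocol Number(s) (0 to 255) and Packet Size (64 to 1542) are from Table 49; the bounds for the other fields are assumptions taken from the IP and TCP header field widths. Because the table's own TTL example, 6-10,12,13,15-64, expands to 57 individual values, the code assumes that each list entry (a single value or a range) counts once toward the cap; the exact counting rule of the product is not stated.

```python
"""Validator for the Traffic Filter fields that accept a value, a comma-separated
list, or an a-b range: Other Protocol Number(s), Packet Size, TTL, TCP Sequence
Number, ToS/DSCP, Fragment Offset, and Fragment ID.

Added example for this guide, not Radware code. Bounds for Other Protocol
Number(s) and Packet Size, the 255-character limit and the 50-entry cap come
from Table 49; bounds for the other fields are assumptions taken from the
IP/TCP header field widths. Each list entry is assumed to count once toward
the cap (the guide's own TTL example expands to 57 individual values).
"""
import re

FIELD_BOUNDS = {
    "protocol": (0, 255),          # Table 49
    "packet_size": (64, 1542),     # Table 49; the value excludes the CRC
    "ttl": (0, 255),               # assumption: 8-bit TTL
    "tcp_seq": (0, 2**32 - 1),     # assumption: 32-bit sequence number
    "tos_dscp": (0, 255),          # assumption: 8-bit ToS byte
    "frag_offset": (0, 8191),      # assumption: 13-bit fragment offset
    "frag_id": (0, 65535),         # assumption: 16-bit identification field
}
MAX_ENTRIES = 50
MAX_CHARS = 255
# Protocol numbers that also need Tunnel Inspection set to "Inspect the Outer Headers".
TUNNEL_PROTOCOLS = {4: "IP-in-IP", 41: "IP-in-IP", 47: "GRE"}

_ENTRY = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_value_list(field: str, text: str) -> list:
    """Parse 'v,a-b,...' into sorted inclusive (low, high) intervals.
    'None' or an empty string means the field is not set. Raises ValueError on
    malformed entries, out-of-range values, reversed ranges, or too many entries.
    Intervals are kept unexpanded so a wide TCP sequence range costs no memory."""
    low, high = FIELD_BOUNDS[field]
    text = text.strip()
    if text in ("", "None"):
        return []
    if len(text) > MAX_CHARS:
        raise ValueError(f"{field}: more than {MAX_CHARS} characters")
    entries = [e.strip() for e in text.split(",")]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{field}: more than {MAX_ENTRIES} entries")
    intervals = []
    for entry in entries:
        m = _ENTRY.match(entry)
        if not m:
            raise ValueError(f"{field}: malformed entry {entry!r}")
        a = int(m.group(1))
        b = int(m.group(2)) if m.group(2) is not None else a
        if a > b:
            raise ValueError(f"{field}: reversed range {entry!r}")
        if a < low or b > high:
            raise ValueError(f"{field}: {entry!r} outside {low}-{high}")
        intervals.append((a, b))
    return sorted(intervals)


def is_valid(field: str, text: str) -> bool:
    """Convenience wrapper: True when parse_value_list accepts the text."""
    try:
        parse_value_list(field, text)
        return True
    except ValueError:
        return False


def matches(intervals, value: int) -> bool:
    """True when a packet's field value falls inside any configured interval."""
    return any(a <= value <= b for a, b in intervals)


def tunnel_protocols_covered(intervals) -> dict:
    """Protocol numbers in the filter that require the Tunnel Inspection setting."""
    return {n: name for n, name in TUNNEL_PROTOCOLS.items() if matches(intervals, n)}
```

Running tunnel_protocols_covered over the table's own example, 1-20,47,48,58-62, reports protocol 4 (IP-in-IP, inside the 1-20 range) as well as 47 (GRE), which is the kind of hidden dependency the two tunnel cautions are warning about: a range can pull in a tunnel protocol without the number ever appearing in the text box.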
Regular Expression The regular expression that the filter tries to match to the contents of the
packet payload. This field supports only text represented by the specified regular
expression — anywhere in the packet payload.
Maximum characters: 252
Caution: Configuring a regular expression in this field may reduce
performance.
Filter Action
Threshold Units Values: Packets per Second, Kbits per Second
Default: Packets per Second
Threshold The rate, in the specified units, at which DefenseFlow triggers the Traffic Filter.
Values:
• 0 — The filter blocks all traffic.
• For Packets per Second: 1 – 200,000,000
• For Kilobits per Second: 1 – 156,250,000

Tracking Mode The traffic, matching the specified criteria, that the Traffic Filter tracks, counts,
and acts upon.
Options:
• All — The Traffic Filter applies the specified Filter Action on all the traffic
above the specified Threshold.
• Per Source — The Traffic Filter applies the specified Filter Action on the traffic
above the specified Threshold, per source. The source can be a discrete IP
address or a subnet, according to the specified Source Prefix Length. For
example, if the specified Source Prefix Length for IPv4 is 32, per source is
per discrete source IPv4 address.
• Per Destination — The Traffic Filter applies the specified Filter Action on the
traffic, above the specified Threshold, per destination. The destination can
be a discrete IP address or a subnet, according to the specified Destination
Prefix Length. For example, if the specified Destination Prefix Length for
IPv4 is 32, per destination is per discrete destination IPv4 address.
You may select this option in a Traffic Filter for HTTP-flood protection.
• Per Source and Destination Pair — The Traffic Filter applies the specified Filter
Action on the traffic, above the specified Threshold, per source-and-
destination pair. Each source and destination can be a discrete IP address or a
subnet, according to the specified Source Prefix Length and Destination
Prefix Length. For example, if the specified Source Prefix Length for IPv4
is 32, the per source part of the source-and-destination pair is per discrete
source IPv4 address.
• Track Returning Traffic from Destination and Suspend Corresponding
Sources — The Traffic Filter tracks the traffic that matches the specified
Regular Expression, per destination IP address, from the specified
Destination Port — and when the traffic rate is above the specified
Threshold, the filter places the corresponding source IP address into the
Suspend Table, and drops all subsequent packets from that IP address, until
the aging period expires.
When you select this option:
— You must enter a Regular Expression.
— The Destination Port field must not be Any.
Caution: Except for the All option, specifying any of these options may reduce
performance.
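How the Tracking Mode options above group traffic before it is compared with the Threshold, as an added Python example (not Radware code). It aggregates constructed sample traffic by the key each mode implies, collapsing addresses with the configured Source and Destination Prefix Lengths, and returns the keys whose packet rate is above the threshold. The one-second buckets, the strict "above" comparison and the sample addresses are assumptions; the Track Returning Traffic mode, which also needs a Regular Expression and a Destination Port, is not modelled.

```python
"""Rate tracking per the Tracking Mode parameter of a Traffic Filter.

Added example for this guide, not Radware code. It aggregates constructed
sample traffic by the key each Tracking Mode implies, using the configured
Source/Destination Prefix Length, and reports the keys whose packet rate is
above the Threshold. Per-second buckets and the strict '>' comparison are
assumptions; the 'Track Returning Traffic' mode is not modelled.
"""
import ipaddress
from collections import Counter


def subnet_key(ip: str, v4_prefix: int, v6_prefix: int) -> str:
    """Collapse an address to its tracking subnet (a /32 or /128 keeps it discrete)."""
    prefix = v4_prefix if ipaddress.ip_address(ip).version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def tracking_key(mode, src, dst, src_prefix=(32, 128), dst_prefix=(32, 128)):
    """Key that packets are counted under; prefixes are (IPv4 length, IPv6 length)."""
    if mode == "All":
        return "all"
    if mode == "Per Source":
        return subnet_key(src, *src_prefix)
    if mode == "Per Destination":
        return subnet_key(dst, *dst_prefix)
    if mode == "Per Source and Destination Pair":
        return (subnet_key(src, *src_prefix), subnet_key(dst, *dst_prefix))
    raise ValueError(f"unsupported tracking mode: {mode}")


def keys_over_threshold(packets, mode, threshold_pps, src_prefix=(32, 128), dst_prefix=(32, 128)):
    """packets: iterable of (timestamp_seconds, src_ip, dst_ip) that already match the
    filter criteria. Returns the set of tracking keys whose count in any one-second
    bucket exceeds threshold_pps. A threshold of 0 is exceeded by a single packet,
    which is why Table 49 says a Threshold of 0 blocks all traffic."""
    buckets = Counter()
    for ts, src, dst in packets:
        buckets[(int(ts), tracking_key(mode, src, dst, src_prefix, dst_prefix))] += 1
    return {key for (_, key), count in buckets.items() if count > threshold_pps}


def sample_traffic():
    """Constructed one-second burst: two hosts in 203.0.113.0/24, one outlier in the
    same /24, and one IPv6 host, all aimed at two destinations."""
    pkts = [(i / 120, "203.0.113.5", "198.51.100.10") for i in range(120)]
    pkts += [(i / 30, "203.0.113.6", "198.51.100.10") for i in range(30)]
    pkts += [(i / 20, "203.0.113.200", "198.51.100.10") for i in range(20)]
    pkts += [(i / 40, "2001:db8::1", "198.51.100.11") for i in range(40)]
    return pkts
```

With a Threshold of 100 packets per second, Per Source at the default /32 singles out 203.0.113.5 alone, while widening the IPv4 Source Prefix Length to 24 makes the whole 203.0.113.0/24 exceed the threshold because its three hosts are counted together. This is the trade-off the prefix-length parameters expose: a shorter prefix catches distributed sources sooner but also sweeps in quiet neighbours of a noisy host.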
Packet Reporting Specifies whether the profile sends sampled attack packets to APSolute Vision
for offline analysis.
Default: Disabled
Note: When this feature is enabled, for the packet-reporting to take effect, the
global setting must be enabled in DefensePro.

To duplicate an existing template


You can duplicate an existing template to use as a basis for creating a new template.
1. From the Security Settings perspective, select Mitigations > Security Policy Templates.

2. Do the following:

Note: Basic is a predefined security policy template that you can use to create new templates.
You cannot edit the Basic security template itself.
— If you do not immediately see the security policy template that you want to duplicate in the
table, search for the security policy template by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the security policy template you want to duplicate, select the security policy
template and click the (Duplicate) button to open the security policy template.

3. Edit the parameters for the new security policy template, and then click Submit to save your
changes. A new security policy template is created.

To edit a security policy template


1. From the Security Settings perspective, select Mitigations > Security Policy Templates.
2. Do the following:

Note: Basic is a predefined security policy template that you can use to create new templates.
You cannot edit the Basic security template itself.
— If you do not immediately see the security policy template that you want to edit in the table,
search for the security policy template by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the security policy template you want to edit, click the (Expand Row)
button to open the security policy template.
3. Edit the parameters for the security policy template, and then click Submit to save your
changes.

To delete security policy templates


You can delete one or multiple security policy templates.
1. From the Security Settings perspective, select Mitigations > Security Policy Templates.
2. Do the following:
— If you do not immediately see the security policy templates that you want to delete in the
table, search for the security policy templates by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the security policy templates you want to delete, select the security policy
templates and click the (Delete) button to delete them.

3. In the Confirmation dialog box, click Confirm to delete the security policy templates.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

Access Lists
You can define the following types of access lists:
• Blocklists and allowlists, and groups of these lists, for a single mitigation device or a group of
mitigation devices. You define these lists and groups from the Access Lists pane.
• Geolocation feed groups that include a list of geolocations that you can assign to a protected
object to block or allow only a set of geographic locations.
• DNS Subdomains Allowlists that DefenseFlow can automatically delegate from the CPE
DefensePro to a scrubbing center.

The Access Lists pane includes the following types of lists and groups:
• Allowlists and Blocklist Rules, page 180
• Allowlist and Blocklist Groups, page 182
• Geolocations, page 184
• DNS Allowlist Files, page 186

Allowlists and Blocklist Rules


This procedure describes how to view, create, and edit allowlist and blocklist rules.
For more information on how allowlist and blocklists are assigned in protected objects, see Protected
Objects, page 119.

To add an allowlist or blocklist rule


1. From the Security Settings perspective, select Mitigations > Access Lists > Allowlist and
Blocklist Rules.

2. Click the (Add) button.


3. Configure the parameters for the allowlist or blocklist rule, and then click Submit to save your
changes:

Table 50: Allowlist/Blocklist Rule Parameters

Parameter Description
Name Name of the allowlist or blocklist rule.
Description Description of the allowlist or blocklist rule.
Addresses The IPv4 and/or IPv6 addresses that are allowed or blocked. The IP addresses
can include source and destination port ranges and protocols.
Examples:
• 192.168.66.0/24
• 172.31.15.12
• 10.1.1.1 src port 12-44 protocol 5
• 10.1.1.0/24 src port 12 dst port 12-13 protocol tcp
• 3001:e12::/32
• 2001:cdba:0000:0000:0000:0000:3257:9652
Note: The protocol numbers used by DefenseFlow are mapped to the
following protocols:
• 0 — Any
• 1 — TCP
• 2 — UDP
• 3 — ICMP
• 4 — IGMP
• 5 — SCTP
• 7 — ICMPv6
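A parser and matcher for the Addresses entries in Table 50, as an added Python example (not Radware code). The entry grammar (network, optional src port, optional dst port, optional protocol) is inferred from the table's examples, and the matching semantics are assumptions. The one point the table makes explicit, and that the example preserves, is that protocol numbers in these entries follow DefenseFlow's own mapping (1 is TCP, 2 is UDP, 5 is SCTP) rather than IANA protocol numbers, so an entry such as 10.1.1.1 src port 12-44 protocol 5 means SCTP, not IANA protocol 5.

```python
"""Parser and matcher for the Addresses entries of an allowlist/blocklist rule
(Table 50). Added example for this guide, not Radware code; the entry grammar is
inferred from the table's examples and the matching semantics are assumptions.

The protocol numbers are DefenseFlow's own numbering from Table 50, not IANA
numbers: 'protocol 5' means SCTP here.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union

PROTOCOL_NUMBERS = {0: "any", 1: "tcp", 2: "udp", 3: "icmp", 4: "igmp", 5: "sctp", 7: "icmpv6"}
PROTOCOL_NAMES = {name: num for num, name in PROTOCOL_NUMBERS.items()}

_ENTRY = re.compile(
    r"^(?P<net>\S+)"
    r"(?:\s+src\s+port\s+(?P<sport>\d+(?:-\d+)?))?"
    r"(?:\s+dst\s+port\s+(?P<dport>\d+(?:-\d+)?))?"
    r"(?:\s+protocol\s+(?P<proto>\S+))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class AddressEntry:
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    src_ports: Optional[Tuple[int, int]]  # inclusive range, None = any port
    dst_ports: Optional[Tuple[int, int]]
    protocol: int  # DefenseFlow protocol number, 0 = any


def _port_range(text: Optional[str]) -> Optional[Tuple[int, int]]:
    """'12' -> (12, 12); '12-44' -> (12, 44); None -> None."""
    if text is None:
        return None
    low, _, high = text.partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return (low, high)


def parse_entry(line: str) -> AddressEntry:
    """Parse one Addresses line; a bare host address becomes a /32 or /128 network."""
    m = _ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"unparseable entry {line!r}")
    network = ipaddress.ip_network(m["net"], strict=False)
    proto_text = m["proto"]
    if proto_text is None:
        protocol = 0
    elif proto_text.isdigit():
        protocol = int(proto_text)
        if protocol not in PROTOCOL_NUMBERS:
            raise ValueError(f"unknown protocol number {protocol}")
    else:
        protocol = PROTOCOL_NAMES.get(proto_text.lower())
        if protocol is None:
            raise ValueError(f"unknown protocol name {proto_text!r}")
    return AddressEntry(network, _port_range(m["sport"]), _port_range(m["dport"]), protocol)


def entry_matches(entry: AddressEntry, ip: str, protocol_name: str,
                  sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
    """Does a packet with the given address, protocol and ports hit this entry?
    Address family, network membership, protocol and both port ranges must all agree."""
    addr = ipaddress.ip_address(ip)
    if addr.version != entry.network.version or addr not in entry.network:
        return False
    if entry.protocol != 0 and PROTOCOL_NAMES.get(protocol_name.lower()) != entry.protocol:
        return False
    for wanted, actual in ((entry.src_ports, sport), (entry.dst_ports, dport)):
        if wanted is not None and (actual is None or not wanted[0] <= actual <= wanted[1]):
            return False
    return True
```

Running parse_entry over the six example lines from the table yields two IPv6 and four IPv4 networks, with the host-only lines becoming /128 and /32 networks; entry_matches then shows the port and protocol qualifiers narrowing a /24 entry so that a UDP packet, or a TCP packet on a different port, no longer hits it.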

To duplicate an existing allowlist or blocklist rule


You can duplicate an existing allowlist or blocklist to use as a basis for creating a new allowlist or
blocklist.
1. From the Security Settings perspective, select Mitigations > Allowlist and Blocklist Rules.
2. Do the following:

— If you do not immediately see the allowlist or blocklist that you want to duplicate in the
table, search for the allowlist or blocklist by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the allowlist or blocklist you want to duplicate, select the allowlist or blocklist
rule and click the (Duplicate) button to open the allowlist or blocklist rule.

3. Edit the parameters for the new allowlist or blocklist, and then click Submit to save your
changes. A new allowlist or blocklist rule is created.

To edit an allowlist or blocklist rule


1. From the Security Settings perspective, select Mitigations > Allowlist and Blocklist Rules.
2. Do the following:
— If you do not immediately see the allowlist or blocklist that you want to edit in the table,
search for the allowlist or blocklist by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the allowlist or blocklist you want to edit, click the (Expand Row) button
to open the allowlist or blocklist.
3. Edit the parameters for the allowlist or blocklist, and then click Submit to save your changes.

To delete allowlist or blocklist rules


1. From the Security Settings perspective, select Mitigations > Allowlist and Blocklist Rules.
2. Do the following:
— If you do not immediately see the allowlists or blocklists that you want to delete in the table,
search for the allowlists or blocklists by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the allowlists or blocklists you want to delete, select the allowlists or
blocklists and click the (Delete) button to delete them.

3. In the Confirmation dialog box, click Confirm to delete the allowlist or blocklist rules.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

Allowlist and Blocklist Groups


This procedure describes how to view, create, and edit allowlist and blocklist groups. You can group
multiple allowlists or blocklists together for common filtering. An allowlist or blocklist can be placed
in one or more allowlist and blocklist groups.
For more information on how allowlist and blocklist groups are assigned in protected objects, see
Protected Objects, page 119.

To add an allowlist or blocklist group


1. From the Security Settings perspective, select Mitigations > Access Lists > Allowlist and
Blocklist Groups.

2. Click the (Add) button.


3. Configure the parameters for the allowlist or blocklist group, and then click Submit to save your
changes:

Table 51: Allowlist/Blocklist Group Parameters

Parameter Description
Name Name of the allowlist or blocklist group.
Description Description of the allowlist or blocklist group.
Rule List Select defined allowlists or blocklists for inclusion in the group by moving them
with the directional arrows from the Available list to the Selected list.
After selecting the rules for this group, the Rule Count parameter displays the
number of rules you have set for the group.

To duplicate an existing allowlist or blocklist group


You can duplicate an existing allowlist or blocklist group to use as a basis for creating a new group.
1. From the Security Settings perspective, select Mitigations > Access Lists > Allowlist and
Blocklist Groups.
2. Do the following:
— If you do not immediately see the allowlist or blocklist group that you want to duplicate in
the table, search for the allowlist or blocklist group by typing a string in the search
field.

To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the allowlist or blocklist group you want to duplicate, select the allowlist or
blocklist group and click the (Duplicate) button to open the allowlist or blocklist group.

3. Edit the parameters for the new allowlist or blocklist group, and then click Submit to save your
changes. A new allowlist or blocklist group is created.

To edit an allowlist or blocklist group


1. From the Security Settings perspective, select Mitigations > Access Lists > Allowlist and
Blocklist Groups.
2. Do the following:
— If you do not immediately see the allowlist or blocklist group that you want to edit in the
table, search for the allowlist or blocklist group by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the allowlist or blocklist group you want to edit, click the (Expand Row)
button to open the allowlist or blocklist group.
3. Edit the parameters for the allowlist or blocklist group, and then click Submit to save your
changes.

To delete allowlist or blocklist groups


You can delete one or multiple allowlist or blocklist groups.
1. From the Security Settings perspective, select Mitigations > Allowlist and Blocklist Groups.
2. Do the following:
— If you do not immediately see the allowlist or blocklist groups that you want to delete in the
table, search for the allowlist or blocklist groups by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the allowlist or blocklist groups you want to delete, select the allowlist or
blocklist groups and click the (Delete) button to delete them.

3. In the Confirmation dialog box, click Confirm to delete the allowlist or blocklist groups.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

Geolocations
This procedure describes how to view, create, and edit a DefenseFlow Geolocation feed group that
can be used for geoblocking in a protected object. In the protected object, you can use a single
geolocation from your Geolocation feed or you can use a Geolocation feed group that you define.
This feature requires that the DefensePro device used for mitigation be version 8.21 or later.
For more information on how Geolocation feed groups are assigned in protected objects, see
Protected Objects, page 119.
The Geolocation functionality requires a Geolocation subscription. To identify the geolocation that
traffic originates from, the Geolocation feature uses the Geolocation feed from the Geolocation
subscription. APSolute Vision manages the Geolocation subscription and the Geolocation feed.
Before you can configure a Geolocation feed group, you must configure and run a Geolocation Feed
task in APSolute Vision that targets the DefensePro device used for mitigation. If the DefensePro
device has a valid Geolocation subscription and a user-defined scheduled task of type Geolocation
Feed, the task uploads the feed to the Geolocation database on the DefensePro device.
For information on how to configure the scheduled task, refer to the APSolute Vision User Guide.

To add a Geolocation feed group


1. From the Security Settings perspective, select Mitigations > Access Lists > Geolocations.

2. Click the (Add) button.


3. Configure the parameters for the geolocation, and then click Submit to save your changes:

Table 52: Geolocation Parameters

Parameter Description
Name Name of the Geolocation feed group.
Description Description of the Geolocation feed group.
Geolocation List You can group multiple geolocations (countries) together from your Geolocation
feed into a Geolocation feed group.
When defining geoblocking for a protected object, you can use a single
geolocation from your Geolocation feed or you can use a Geolocation feed group
that you define.
To add geolocations to the Geolocation group, select defined geolocations by
moving them with the directional arrows from the Available list to the Selected
list.

Document ID: RDWR-DF-V42000_UG2106 184


DefenseFlow Installation and User Guide
DefenseFlow Configuration

To edit a Geolocation feed group

1. From the Security Settings perspective, select Mitigations > Geolocations.
2. Do the following:
— If you do not immediately see the geolocation feed group that you want to edit in the table,
search for the geolocation feed group by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the geolocation feed group you want to edit, click the (Expand Row) button to
open the geolocation feed group.
3. Edit the parameters for the geolocation feed group, and then click Submit to save your changes.

To duplicate an existing Geolocation feed group

You can duplicate an existing geolocation feed group to use as a basis for creating a new geolocation
feed group.
1. From the Security Settings perspective, select Mitigations > Geolocations.
2. Do the following:
— If you do not immediately see the geolocation feed group that you want to duplicate in the
table, search for the geolocation feed group by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the geolocation feed group you want to duplicate, select the geolocation feed
group and click the (Duplicate) button to open the geolocation feed group.
3. Edit the parameters for the new geolocation feed group, and then click Submit to save your
changes. A new geolocation feed group is created.

To delete Geolocation feed groups

You can delete one or more geolocation feed groups.
1. From the Security Settings perspective, select Mitigations > Geolocations.
2. Do the following:
— If you do not immediately see the geolocation feed groups that you want to delete in the table,
search for the geolocation feed groups by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the geolocation feed groups you want to delete, select the geolocation feed groups
and click the (Delete) button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the geolocation feed groups.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.
2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.
4. To restore the default column display, in the drop-down menu click the icon.

DNS Allowlist Files

DefenseFlow can automatically delegate a DNS Subdomains allowlist from the CPE DefensePro
device to a scrubbing center. Upon attack, a syslog signal from the tier-2 mitigation device (DPaaD
or CPE DefensePro) is sent to DefenseFlow. As a result, DefenseFlow exports the current policy from
the DPaaD along with its associated DNS allowlist, and imports the policy into the scrubbing center
mitigation device. Once the attack is diverted by DefenseFlow to the scrubbing center, the scrubbing
center already has the DNS allowlist deployed in order to clean the traffic and block the DNS attack.

To add a DNS allowlist file


1. From the Security Settings perspective, select Mitigations > Access Lists > DNS Allowlist
Files.

2. Click the (Add) button.


3. Configure the parameters for the DNS allowlist, and then click Submit to save your changes:

Table 53: DNS Allowlist File Parameters

Parameter Description
DNS Allowlist File Parameters Import the file with the DNS allowlist:
1. Click Browse to find the DNS allowlist file you want to import.
2. Click Import to import the file.
Note: The DNS allowlist file should contain text only.
Each line of the file has the following format:
<FQDN>, <mode>
where mode is:
• m (manual)
• a (automatic)
Examples:
A www.example1.com, a
B www.example2.com, m
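The following is an added example, not part of the Radware guide or of the DefenseFlow product, showing how to validate a DNS allowlist file in the format described above before importing it. The guide only specifies the "<FQDN>, <mode>" layout and the two mode letters; the FQDN syntax check (RFC 1035 label rules) and the rejection of duplicate names are assumptions made for the example.

```python
"""Parse and validate a DNS allowlist file in the "<FQDN>, <mode>" format.

Added example, not Radware's code. The guide specifies one entry per line,
"<FQDN>, <mode>", with mode "m" (manual) or "a" (automatic). The FQDN rules
(RFC 1035 labels) and the duplicate check are assumptions for this example.
"""
import re
from typing import List, NamedTuple

# RFC 1035-style label: letters, digits and hyphen, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
VALID_MODES = {"m": "manual", "a": "automatic"}


class AllowlistEntry(NamedTuple):
    fqdn: str
    mode: str  # "m" or "a"


class AllowlistError(ValueError):
    """Raised with the line number of the first malformed entry."""


def is_valid_fqdn(name: str) -> bool:
    """Check total length and every label; a trailing dot is tolerated."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def parse_allowlist(text: str) -> List[AllowlistEntry]:
    """Return the entries in file order, rejecting anything not "<FQDN>, <mode>".

    Blank lines are skipped. Names are lower-cased (DNS names are case-insensitive)
    and duplicates are rejected so that a manual and an automatic entry for the
    same name cannot conflict.
    """
    entries: List[AllowlistEntry] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            raise AllowlistError(f"line {lineno}: expected '<FQDN>, <mode>', got {raw!r}")
        fqdn, mode = parts[0].lower(), parts[1].lower()
        if not is_valid_fqdn(fqdn):
            raise AllowlistError(f"line {lineno}: invalid FQDN {fqdn!r}")
        if mode not in VALID_MODES:
            raise AllowlistError(f"line {lineno}: mode must be 'm' or 'a', got {mode!r}")
        if fqdn in seen:
            raise AllowlistError(f"line {lineno}: duplicate FQDN {fqdn!r}")
        seen.add(fqdn)
        entries.append(AllowlistEntry(fqdn, mode))
    return entries


# Constructed sample file, mirroring the two examples in the guide.
SAMPLE_FILE = """\
www.example1.com, a
www.example2.com, m

"""

if __name__ == "__main__":
    for entry in parse_allowlist(SAMPLE_FILE):
        print(f"{entry.fqdn:<20} {VALID_MODES[entry.mode]}")
```

Running the validator on the file before the Import step in the table gives an exact line number for any malformed entry, rather than discovering the problem after the file has been pushed to the scrubbing center.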

To export a DNS allowlist file

1. From the Security Settings perspective, select Mitigations > Access Lists > DNS Allowlist
Files.
2. Do the following:
— If you do not immediately see the DNS allowlist file that you want to export in the table,
search for the DNS allowlist file by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the DNS allowlist file you want to export, select the DNS allowlist file and click
the (Export) button to export the DNS allowlist file. The DNS allowlist file is downloaded
to your local computer.
3. In the Confirmation dialog box, click Close.

To delete DNS allowlist files

You can delete one or multiple DNS allowlist files.
1. From the Security Settings perspective, select Mitigations > Access Lists > DNS Allowlist
Files.
2. Do the following:
— If you do not immediately see the DNS allowlist files that you want to delete in the table,
search for the DNS allowlist files by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the DNS allowlist files you want to delete, select the DNS allowlist files and
click the (Delete) button to delete them.

3. In the Confirmation dialog box, click Confirm to delete the DNS allowlist files.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.

BGP FlowSpec
The BGP FlowSpec node includes the following sub-nodes:

• BGP FlowSpec Rules, page 188
• BGP FlowSpec Groups, page 194
• FlowSpec Strictness Profiles, page 196

BGP FlowSpec Rules


In an operation, you set the method that is used for mitigation, either the standard BGP protocol or
the BGP FlowSpec protocol. If you use the BGP FlowSpec protocol, you select a set of BGP FlowSpec
rules that you define. The BGP FlowSpec Rules pane lets you create BGP FlowSpec rules.
If there is an event for a network that is already protected for the same operation, the FlowSpec
rules for that operation are updated to take into account the new event.

Note: This capability is only applicable to automatic user action mode.

To add a BGP FlowSpec rule

1. From the Security Settings perspective, select Mitigations > BGP FlowSpec > Rules.
2. Click the (Add) button.
3. Configure the parameters for the BGP FlowSpec rule, and then click Submit to save your
changes:

Table 54: BGP FlowSpec Rule Parameters

Parameter Description
Name Name of the BGP FlowSpec rule.
Description Description of the BGP FlowSpec rule.

Destination Prefix The destination prefix to match.
Values:
• Attacked IP — The actual destination IP addresses are inherited from the
protected object’s networks or IP addresses under attack or manually
activated.
• Entire Networks — The actual destination IP addresses are inherited from the
protected object that uses this rule for its various operations or manual
actions.
• Specific Prefix — The Prefix to Block field displays, letting you define a set of
IP prefixes for the destination prefix.
Default: Attacked IP
Source Prefix Defines one or more IPv4 or IPv6 source prefixes, each IP prefix separated by a
space.
Values: IPv4 or IPv6 address in the format n1.n2.n3.n4/5
Maximum number of networks: 100
Prefix to Block Defines one or more IPv4 or IPv6 destination prefixes, each IP prefix separated
by a space. (This field displays only if you have selected Specific Prefix as the
Destination Prefix.)
Values: IPv4 or IPv6 address in the format n1.n2.n3.n4/5
Maximum number of networks: 100
Port Defines a set of operation/value pairs that match the source or destination TCP/UDP
ports.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Example: =100 >=80&90 means a value that equals 100 or a value between 80 and
90, including 80.
Destination Port Defines a set of operation/value pairs that match the destination TCP/UDP
ports.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Example: =100 >=80&90 means a value that equals 100 or a value between 80 and
90, including 80.

Source Port Defines a set of operation/value pairs that match the source TCP/UDP ports.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Example: =100 >=80&90 means a value that equals 100 or a value between 80 and
90, including 80.
Protocol Defines the IP protocols to match.
Values: tcp, udp, icmp, gre, protocol number, range of protocol numbers
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.
• A range of protocol numbers.
Examples:
A [gre]
B [tcp udp]
C [3]
D [1-3 8-9]
ICMP Type Defines a set of operation/value pairs that match the type field of an ICMP
packet.
Values: echo-reply, echo-request, info-reply, info-request, mask-reply, mask-request,
parameter-problem, redirect, router-advertisement, router-solicit, source-quench,
time-exceeded, timestamp, timestamp-reply, unreachable
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.

ICMP Code Defines a set of operation/value pairs that match the code field of an ICMP
packet.
Values: communication-prohibited-by-filtering, destination-host-prohibited,
destination-host-unknown, destination-network-unknown, fragmentation-needed,
host-precedence-violation, ip-header-bad, network-unreachable,
network-unreachable-for-tos, port-unreachable, redirect-for-host,
redirect-for-network, redirect-for-tos-and-host, redirect-for-tos-and-net,
required-option-missing, source-host-isolated, source-route-failed,
ttl-eq-zero-during-reassembly, ttl-eq-zero-during-transit
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.
TCP Flag Defines the set of operation/value pairs used as a bit-mask to match TCP flags.
Values: fin, syn, rst, push, ack, urgent
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.
Example: [fin] [syn] [push]
• The following multiple value combinations, surrounded by brackets, are
supported:
— [fin & ack]
— [syn & ack]
Note: The following operators are not supported in the TCP Flag field:
• AND (&) for multiple value combinations other than [fin & ack] and [syn &
ack]
• NOT (!)
Packet Length Defines the set of operation/value pairs to match the total IP packet length.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Example: =100 >=80&90 means a value that equals 100 or a value between 80 and
90, including 80.

DSCP Defines the set of operation/value pairs to match the 6-bit DSCP field.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Example: =100 >=80&90 means a value that equals 100 or a value between 80 and
90, including 80.
Fragment Defines the set of operation/value pairs used as a bit-mask to match fragment
bits.
Note: Some router types might not support the is-fragment and do-not-fragment
fragment bits. Check the router vendor’s documentation for more details.
Values:
• A single value
• A set of values separated by a space.
Actions
Note: Some router vendors might not support all actions. Check the router vendor’s
documentation for more details.
FlowSpec Strictness Profile Select a BGP FlowSpec Strictness profile to associate with this
FlowSpec rule. For more information on FlowSpec Strictness profiles, see FlowSpec
Strictness Profiles, page 196.
Redirect to VRF The route tag to which to redirect traffic. Select from a list of route tags for which
you have defined a route target. For more information, see Route Tags,
page 217.
Redirect for Mitigation Enables or disables redirection to the operation’s mitigation group. The
next hop IP addresses are inherited from the mitigation group of the protected object
that uses this rule for its various operations or manual actions.
Block Enables or disables traffic blocking (drop all matching packets).
Rate Limit (bytes/s) The rate limit in bytes per second.
Set DSCP Defines how to update the DSCP header of the matching packets.
Values: 0 – 63
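The following is an added example, not part of the Radware guide or of the DefenseFlow product. It implements the match-field syntax that Table 54 describes so that a rule can be checked offline before it is submitted: the numeric condition grammar shared by the Port, Destination Port, Source Port, Packet Length and DSCP fields (<, >, =, & for AND, space for OR), the bracketed set and range syntax of the Protocol field, and the TCP Flag restrictions in the table's note. One assumption is made: every numeric term carries an explicit operator (write >=80&<=90 rather than the guide's shorthand 80&90), and a bare number is read as =N.

```python
"""Parse and evaluate the match-field syntax used in Table 54.

Added example, not DefenseFlow's own code. Covers the numeric condition
grammar shared by Port, Destination Port, Source Port, Packet Length and
DSCP (<, >, =, & for AND, space for OR), the bracketed set/range syntax of
the Protocol field, and the TCP Flag restrictions the table notes.
Assumption: every numeric term carries an explicit operator (write
">=80&<=90" rather than the guide's shorthand "80&90"); a bare number
is read as "=N".
"""
import re
from typing import Callable, List, Set

_TERM_RE = re.compile(r"^(<=|>=|<|>|=)?(\d+)$")

# IANA protocol numbers for the protocol names the guide accepts.
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47}

TCP_FLAGS = {"fin", "syn", "rst", "push", "ack", "urgent"}
# The only AND combinations the table says are supported.
TCP_FLAG_COMBOS = {("fin", "ack"), ("syn", "ack")}


def _compile_term(term: str) -> Callable[[int], bool]:
    m = _TERM_RE.match(term)
    if not m:
        raise ValueError(f"bad term {term!r}")
    op, n = m.group(1) or "=", int(m.group(2))
    return {
        "=": lambda v: v == n,
        "<": lambda v: v < n,
        ">": lambda v: v > n,
        "<=": lambda v: v <= n,
        ">=": lambda v: v >= n,
    }[op]


def compile_condition(expr: str) -> Callable[[int], bool]:
    """Predicate for an expression such as "=100 >=80&<=90".

    Space-separated groups are ORed; '&'-joined terms within a group are ANDed.
    """
    groups: List[List[Callable[[int], bool]]] = [
        [_compile_term(t) for t in group.split("&")] for group in expr.split()
    ]
    if not groups:
        raise ValueError("empty condition")
    return lambda v: any(all(term(v) for term in group) for group in groups)


def matches(expr: str, value: int) -> bool:
    return compile_condition(expr)(value)


def parse_protocol_set(spec: str) -> Set[int]:
    """Expand "[gre]", "[tcp udp]", "[3]" or "[1-3 8-9]" into protocol numbers."""
    spec = spec.strip()
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError("protocol set must be surrounded by []")
    numbers: Set[int] = set()
    for item in spec[1:-1].split():
        if item.lower() in PROTO_NAMES:
            numbers.add(PROTO_NAMES[item.lower()])
            continue
        lo, _, hi = item.partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 0 <= lo_n <= hi_n <= 255:
            raise ValueError(f"bad protocol range {item!r}")
        numbers.update(range(lo_n, hi_n + 1))
    return numbers


def validate_tcp_flags(spec: str) -> bool:
    """Accept "[fin] [syn] [push]", "[syn ack]", "[fin & ack]" or "[syn & ack]".

    Rejects NOT (!) and any other '&' combination, as Table 54 notes.
    """
    if "!" in spec:
        return False
    groups = re.findall(r"\[([^\[\]]*)\]", spec)
    if not groups or re.sub(r"\[[^\[\]]*\]", "", spec).strip():
        return False  # nothing bracketed, or text outside the brackets
    for inner in groups:
        if "&" in inner:
            if tuple(p.strip() for p in inner.split("&")) not in TCP_FLAG_COMBOS:
                return False
        else:
            flags = inner.split()
            if not flags or any(f not in TCP_FLAGS for f in flags):
                return False
    return True


if __name__ == "__main__":
    for v in (79, 80, 85, 90, 91, 100):
        print(v, matches("=100 >=80&<=90", v))
    print(sorted(parse_protocol_set("[1-3 8-9]")), validate_tcp_flags("[rst & ack]"))
```

The evaluator is useful for reviewing a rule's reach before activation, for example confirming that a port condition intended for a narrow range does not also match management ports on the protected network.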

To duplicate an existing BGP FlowSpec rule

You can duplicate an existing BGP FlowSpec rule to use as a basis for creating a new BGP FlowSpec
rule.
1. From the Security Settings perspective, select Mitigations > BGP FlowSpec > Rules.
2. Do the following:
— If you do not immediately see the BGP FlowSpec rule that you want to duplicate in the table,
search for the BGP FlowSpec rule by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec rule you want to duplicate, select the BGP FlowSpec rule
and click the (Duplicate) button to open the BGP FlowSpec rule.
3. Edit the parameters for the BGP FlowSpec rule, and then click Submit to save your changes. A
new BGP FlowSpec rule is created.

To edit a BGP FlowSpec rule

1. From the Security Settings perspective, select Mitigations > BGP FlowSpec > Rules.
2. Do the following:
— If you do not immediately see the BGP FlowSpec rule that you want to edit in the table, search
for the BGP FlowSpec rule by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec rule you want to edit, click the (Expand Row) button to open
the BGP FlowSpec rule.
3. Edit the parameters for the BGP FlowSpec rule, and then click Submit to save your changes.

To delete BGP FlowSpec rules

You can delete one or multiple BGP FlowSpec rules.
1. From the Security Settings perspective, select Mitigations > BGP FlowSpec > Rules.
2. Do the following:
— If you do not immediately see the BGP FlowSpec rules that you want to delete in the table,
search for the BGP FlowSpec rules by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec rules you want to delete, select the BGP FlowSpec rules and
click the (Delete) button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the BGP FlowSpec rules.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.

2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

BGP FlowSpec Groups


You can group BGP FlowSpec rules into groups, and reference the group in other DefenseFlow
features.

Note: When you activate an operation with a BGP FlowSpec rule, you can update that rule before
the activation, but for a FlowSpec rule within a BGP group, you can only update the rule after the
activation.

To add a BGP FlowSpec group

1. From the Security Settings perspective, select Mitigations > BGP FlowSpec > Groups.
2. Click the (Add) button.
3. Configure the parameters for the BGP FlowSpec group, and then click Submit to save your
changes:

Table 55: BGP FlowSpec Groups Parameters

Parameter Description
Name The name of the BGP FlowSpec group.
Description Description of the BGP FlowSpec group.
Rule List Select BGP FlowSpec rules to be included in the BGP FlowSpec group.
1. From the Available BGP FlowSpec rules, highlight the rule you want to be
part of the group.
2. For each rule, click the > button to move it to the Selected list.

To edit a BGP FlowSpec group

1. From the Security Settings perspective, select Mitigations > BGP FlowSpec > Groups.
2. Do the following:
— If you do not immediately see the BGP FlowSpec group that you want to edit in the table, search
for the BGP FlowSpec group by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec group you want to edit, click the (Expand Row) button to open
the BGP FlowSpec group.
3. Edit the parameters for the BGP FlowSpec group, and then click Submit to save your changes.

To duplicate an existing BGP FlowSpec group

You can duplicate an existing BGP FlowSpec group to use as a basis for creating a new BGP FlowSpec
group.
1. From the Security Settings perspective, select Mitigations > BGP FlowSpec > Groups.
2. Do the following:
— If you do not immediately see the BGP FlowSpec group that you want to duplicate in the
table, search for the BGP FlowSpec group by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec group you want to duplicate, select the BGP FlowSpec
group and click the (Duplicate) button to open the BGP FlowSpec group.
3. Edit the parameters for the new BGP FlowSpec group, and then click Submit to save your
changes. A new BGP FlowSpec group is created.

To delete BGP FlowSpec groups

You can delete one or multiple BGP FlowSpec groups.
1. From the Security Settings perspective, select Mitigations > BGP FlowSpec > Groups.
2. Do the following:
— If you do not immediately see the BGP FlowSpec groups that you want to delete in the table,
search for the BGP FlowSpec groups by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec groups you want to delete, select the BGP FlowSpec
groups and click the (Delete) button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the BGP FlowSpec groups.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

FlowSpec Strictness Profiles


A FlowSpec Strictness profile lets you perform more granular mitigation using a BGP FlowSpec rule.
After defining a profile, you associate it to the BGP FlowSpec rule you want to be governed by that
profile. For rules that are auto-populated, DefenseFlow checks if the attack event matches that
profile.

To add a FlowSpec strictness profile


1. From the Security Settings perspective, select Mitigations > BGP FlowSpec > BGP FlowSpec
Strictness Profiles.

2. Click the (Add) button.


3. Configure the parameters for the BGP FlowSpec Strictness profiles, and then click Submit to
save your changes:

Table 56: BGP FlowSpec Strictness Profile Parameters

Parameter Description
Name The name of the BGP FlowSpec Strictness profile.
Description Description of the BGP FlowSpec Strictness profile.
Minimum Number of Attributes The minimum number of BGP FlowSpec attributes required by
DefenseFlow to trigger a new protection for a specific attack event.
Values: 1 – 6
Associated DefensePro Protections The associated DefensePro protections that are required to
trigger a new protection.
Includes: All (all DefensePro protections), Allowlist/Blocklist, BDoS, SYN, DNS,
Traffic Filters, OOS, DDoS-Shield
Mandatory BGP FlowSpec Attributes Select BGP FlowSpec attributes to be included in the BGP
FlowSpec Strictness profile that are required to trigger a new protection for an
operation.
1. From the Available attributes, highlight the attribute you want to be part of
the strictness profile.
2. For each attribute, click the > button to move it to the Selected list.
Note: For the Mandatory Attributes Available and Selected values to
display, you must first set the dfc.bgp.flowspec.populate values to true:
• dfc.bgp.flowspec.populate.destination.port
• dfc.bgp.flowspec.populate.fragment
• dfc.bgp.flowspec.populate.protocol
• dfc.bgp.flowspec.populate.source.network
• dfc.bgp.flowspec.populate.source.port
• dfc.bgp.flowspec.populate.tcp.flags
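The following is an added example, not part of the Radware guide or of the DefenseFlow product. It models the three checks that Table 56 describes (associated DefensePro protections, mandatory attributes, minimum number of attributes) against a constructed attack event, so that an operator can reason about which events a profile will and will not let through before associating it with a rule. The event structure (a dict of attribute name to value), the short attribute keys, and the rule that an attribute only counts when its dfc.bgp.flowspec.populate.* setting is true are assumptions made for the example.

```python
"""Check an attack event against a BGP FlowSpec Strictness profile.

Added example, not DefenseFlow's own code. Applies the three checks Table 56
describes (associated DefensePro protections, mandatory attributes, minimum
number of attributes) to a constructed attack event. Assumptions: an event is
a dict of attribute name to value, and an attribute only counts when its
dfc.bgp.flowspec.populate.* setting is true.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# The six auto-populated attributes and the populate setting that enables each
# (setting names are from the guide; the short attribute keys are ours).
POPULATE_SETTINGS: Dict[str, str] = {
    "destination.port": "dfc.bgp.flowspec.populate.destination.port",
    "fragment": "dfc.bgp.flowspec.populate.fragment",
    "protocol": "dfc.bgp.flowspec.populate.protocol",
    "source.network": "dfc.bgp.flowspec.populate.source.network",
    "source.port": "dfc.bgp.flowspec.populate.source.port",
    "tcp.flags": "dfc.bgp.flowspec.populate.tcp.flags",
}
# The protection names the guide lists for "Associated DefensePro Protections".
ALL_PROTECTIONS: FrozenSet[str] = frozenset(
    {"Allowlist/Blocklist", "BDoS", "SYN", "DNS", "Traffic Filters", "OOS", "DDoS-Shield"}
)


@dataclass(frozen=True)
class StrictnessProfile:
    name: str
    minimum_attributes: int                  # Values: 1 - 6
    associated_protections: FrozenSet[str]   # may contain "All"
    mandatory_attributes: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if not 1 <= self.minimum_attributes <= 6:
            raise ValueError("minimum_attributes must be 1..6")
        unknown = self.mandatory_attributes - set(POPULATE_SETTINGS)
        if unknown:
            raise ValueError(f"unknown mandatory attributes: {sorted(unknown)}")
        if not (self.associated_protections - {"All"}) <= ALL_PROTECTIONS:
            raise ValueError("unknown protection name")


def effective_attributes(event_attrs: Dict[str, str],
                         settings: Dict[str, bool]) -> FrozenSet[str]:
    """Attributes the event carries AND whose populate setting is enabled."""
    return frozenset(
        attr for attr in event_attrs
        if attr in POPULATE_SETTINGS and settings.get(POPULATE_SETTINGS[attr], False)
    )


def should_trigger(profile: StrictnessProfile, protection: str,
                   event_attrs: Dict[str, str],
                   settings: Dict[str, bool]) -> Tuple[bool, str]:
    """Return (decision, reason); the reason is what an operator would log."""
    allowed = (ALL_PROTECTIONS if "All" in profile.associated_protections
               else profile.associated_protections)
    if protection not in allowed:
        return False, f"protection {protection!r} is not associated with {profile.name!r}"
    attrs = effective_attributes(event_attrs, settings)
    missing = profile.mandatory_attributes - attrs
    if missing:
        return False, f"missing mandatory attributes: {sorted(missing)}"
    if len(attrs) < profile.minimum_attributes:
        return False, (f"only {len(attrs)} usable attributes, "
                       f"profile requires {profile.minimum_attributes}")
    return True, f"{len(attrs)} attributes satisfy profile {profile.name!r}"


# Constructed sample data: every populate setting enabled, and a profile that
# demands destination port and protocol plus at least three attributes overall.
SETTINGS_ALL_ON = {name: True for name in POPULATE_SETTINGS.values()}
SAMPLE_PROFILE = StrictnessProfile(
    name="syn-strict",
    minimum_attributes=3,
    associated_protections=frozenset({"SYN", "BDoS"}),
    mandatory_attributes=frozenset({"destination.port", "protocol"}),
)
SYN_FLOOD_EVENT = {"destination.port": "443", "protocol": "tcp", "tcp.flags": "syn"}

if __name__ == "__main__":
    print(should_trigger(SAMPLE_PROFILE, "SYN", SYN_FLOOD_EVENT, SETTINGS_ALL_ON))
```

The last check in the sample data is the one the table's note is about: if a populate setting is left false, the attribute never reaches the profile, so a profile that counts on it will silently refuse to trigger.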

To duplicate an existing BGP FlowSpec Strictness profile

You can duplicate an existing BGP FlowSpec strictness profile to use as a basis for creating a new
BGP FlowSpec strictness profile.
1. From the Security Settings perspective, select Mitigations > BGP FlowSpec > BGP FlowSpec
Strictness Profiles.
2. Do the following:
— If you do not immediately see the BGP FlowSpec strictness profile that you want to duplicate
in the table, search for the BGP FlowSpec strictness profile by typing a string in the search
field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec strictness profile you want to duplicate, select the BGP
FlowSpec strictness profile and click the (Duplicate) button to open the BGP FlowSpec
strictness profile.
3. Edit the parameters for the new BGP FlowSpec strictness profile, and then click Submit to save
your changes. A new BGP FlowSpec strictness profile is created.

To edit a BGP FlowSpec Strictness profile

1. From the Security Settings perspective, select Mitigations > BGP FlowSpec > BGP FlowSpec
Strictness Profiles.
2. Do the following:
— If you do not immediately see the BGP FlowSpec Strictness profile that you want to edit in
the table, search for the BGP FlowSpec Strictness profile by typing a string in the search
field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec Strictness profile you want to edit, click the (Expand
Row) button to open the BGP FlowSpec Strictness profile.
3. Edit the parameters for the BGP FlowSpec Strictness profile, and then click Submit to save your
changes.

To delete BGP FlowSpec Strictness profiles

You can delete one or multiple BGP FlowSpec Strictness profiles.
1. From the Security Settings perspective, select Mitigations > BGP FlowSpec > BGP FlowSpec
Strictness Profiles.
2. Do the following:
— If you do not immediately see the BGP FlowSpec Strictness profiles that you want to delete
in the table, search for the BGP FlowSpec Strictness profiles by typing a string in the search
field.
To clear the filter and perform a new search, delete and/or modify the search text.

— When you find the BGP FlowSpec Strictness profiles you want to delete, select the BGP
FlowSpec Strictness profiles and click the (Delete) button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the FlowSpec Strictness profiles.

To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.

To remove/add columns from the display

1. Click the icon at the top far right of the widget.


2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.

4. To restore the default column display, in the drop-down menu click the icon.

Configuring DefenseFlow
The Configuration perspective is used to view and configure the system, network, and security
settings for the device.
This section includes the following topics:
• System, page 198
• Network, page 207
• Security Settings, page 224

System
The System perspective lets you view and enter new licensing information, and to configure
DefenseFlow IP interfaces in addition to the configured interface to APSolute Vision.
This section includes the following topics:
• Global Settings, page 199
• Licensing, page 199
• Software Upgrade, page 200
• Support File, page 201
• IP Management, page 201
• High Availability, page 203
• Syslog Alerts, page 204
• TACACS+ Settings, page 206

Global Settings
The Global Settings pane displays the DefenseFlow global settings that are applicable to all
DefenseFlow operations.

To configure global settings


1. In the Configuration perspective, select System > Global Settings. The Global Settings pane
includes the following parameters:

Table 57: Global Settings Parameters

Parameter Description
Attack termination grace period The attack termination grace period, in seconds.
Attack termination is the time since a detector specified an attack as
terminated and until DefenseFlow considers the attack as actually
terminated. The grace period prevents hysteresis in protections due to
multiple starts and stops of attacks.
Default: 3600
Automatic Action Mode The global user action mode for workflows and protected objects.
• When enabled, the workflow and protected object user action mode is
set to Automatic.
• When disabled, all workflow and protected object user actions that are
set to Automatic are set to User Confirmation instead.
For more information on workflow user actions, see Table 112 - Workflow
Parameters, page 252. For more information on protected object user
actions, see Table 116 - Protected Object Parameters, page 259.
Default: Enabled
Blocklist or Allowlist Precedence in DefensePro When blocklists or allowlists are defined for
operations, determines which list type takes precedence globally on DefensePro
devices. For more information on blocklists and allowlists, see Filters, page 233.
Values: Blocklist Takes Precedence, Allowlist Takes Precedence
Default: Blocklist Takes Precedence

2. Click Submit.
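The following is an added example, not part of the Radware guide or of the DefenseFlow product. It simulates the attack termination grace period from Table 57 to show the hysteresis it prevents: a detector that reports an attack as terminated and then started again within the grace period does not cause the protection to be torn down and re-applied. The tracker, the detector signal model, the timings, and the comparison with a zero grace period are all constructed for the example; only the 3600-second default comes from the guide.

```python
"""Simulate the attack termination grace period described in Table 57.

Added example, not DefenseFlow's own code. A detector reports an attack as
started or terminated; the tracker keeps the protection in place until the
grace period (default 3600 seconds) has elapsed since the last termination
report with no new start in between. The event model, the timings and the
comparison against a zero grace period are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_GRACE_PERIOD = 3600  # seconds; the guide's default


@dataclass
class AttackTracker:
    grace_period: int = DEFAULT_GRACE_PERIOD
    protected: bool = False                       # DefenseFlow's view of the attack
    termination_reported_at: Optional[int] = None
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def on_detector_start(self, t: int) -> None:
        # A new start within the grace period cancels the pending termination.
        self.termination_reported_at = None
        if not self.protected:
            self.protected = True
            self.transitions.append((t, "protection_started"))

    def on_detector_stop(self, t: int) -> None:
        if self.protected and self.termination_reported_at is None:
            self.termination_reported_at = t

    def tick(self, t: int) -> None:
        """Periodic check: terminate only once the grace period has elapsed."""
        if (self.protected and self.termination_reported_at is not None
                and t - self.termination_reported_at >= self.grace_period):
            self.protected = False
            self.termination_reported_at = None
            self.transitions.append((t, "protection_terminated"))


def replay(signals: Dict[int, str], horizon: int, step: int,
           grace_period: int = DEFAULT_GRACE_PERIOD) -> List[Tuple[int, str]]:
    """Run detector signals {time: "start"|"stop"} with a periodic tick."""
    tracker = AttackTracker(grace_period=grace_period)
    for t in range(0, horizon + 1, step):
        if signals.get(t) == "start":
            tracker.on_detector_start(t)
        elif signals.get(t) == "stop":
            tracker.on_detector_stop(t)
        tracker.tick(t)
    return tracker.transitions


# Constructed flapping detector: the attack stops and resumes once before
# finally ending at t=1800.
FLAPPING_SIGNALS = {0: "start", 600: "stop", 1200: "start", 1800: "stop"}


def protection_changes(grace_period: int) -> int:
    """Number of protection start/terminate transitions for the flapping detector."""
    return len(replay(FLAPPING_SIGNALS, horizon=7200, step=600, grace_period=grace_period))


if __name__ == "__main__":
    print("grace 3600:", replay(FLAPPING_SIGNALS, 7200, 600))
    print("grace 0:   ", replay(FLAPPING_SIGNALS, 7200, 600, grace_period=0))
```

With the default grace period the protection is applied once and released once, 3600 seconds after the final termination report; with a zero grace period the same detector output produces two apply/release cycles, which is the hysteresis the setting exists to avoid.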

Licensing
The Licensing pane displays the current licenses installed for DefenseFlow and any BDoS capacity
available.

To enter a new DefenseFlow license


1. In the Configuration perspective, select System > Licensing. The Licensing pane includes the
following parameters:

Table 58: Licensing Parameters

Parameter Description
Base MAC Address (Read-only) The base MAC address for license generation displays.

License String If required, enter the new license string as provided by Radware.
Installed Licenses
DefenseFlow Cyber Control (View Only) (Read-only) The current DefenseFlow state. DefenseFlow
is Enabled after proper license installation.
Behavioral DoS Capacity (View Only) (Read-only) The current BDoS per protected object capacity,
if any.
Max Allowed Protected Objects The maximum number of protected objects related to this
DefenseFlow license.
License Expiration Date The license expiration date for non-perpetual licenses. If the license has
expired, you will need to renew the license key in order to use
DefenseFlow.

2. Click Submit.

Software Upgrade
The Software Upgrade pane displays information for the currently installed DefenseFlow version and
lets you upgrade to the latest DefenseFlow version. If you have a High Availability deployment, the
upgrade procedure upgrades the version for both DefenseFlow nodes.

Note: APSolute Vision only supports software upgrade. For a full fresh installation, you must use
the DefenseFlow host. For more information, see Installing and Initializing DefenseFlow Virtual
Appliance (VA), page 25.

To upgrade to the latest DefenseFlow version


1. In the Configuration perspective, select System > Software Upgrade. The Software Upgrade
pane includes the following parameters:

Table 59: Software Upgrade Parameters

Parameter Description
Current Software Version (Read-only) The current version of the software that is installed,
including the build number.
Example: 3.3.0.0-473
Previous Software Version (Read-only) The version of the software that was installed before the
current version.
Example: 3.3.0.0-464

Last Upgrade Time (Read-only) The date and time when the last upgrade was performed.
Example: 17-03-2019 17:37:57
Software Upgrade Log Click Download Log File to download the log file for the last upgrade.
Software Upgrade File Click Browse. From the dialog box locate the latest upgrade file that you
received from Radware, and click Open.
Upgrade Status The status of the upgrade displays after you have initiated the upgrade
process (see step 2).

2. After you have selected the upgrade file, click Upgrade.

Support File
This procedure explains how to prepare a DefenseFlow support file to be sent to Radware Technical
Support.

Note: Creating the support file for Radware Technical Support using APSolute Vision is the preferred method over using the Cyber Control menu.
If you have upgrade-related problems, create the support file from the Cyber Control menu, not from APSolute Vision, because the upgrade-related logs are part of the host and are not included in the support file created using APSolute Vision. For more information, see Generating a Technical Support File, page 48.

To prepare a support file


1. In the Configuration perspective, select System > Support File.
2. In the Support File pane, click Create Support File. The support file creation progress displays
in the Support File pane.
3. When the support file creation is completed, it downloads to the client.
4. Locate the downloaded support file and send it to Radware Technical Support per instructions
from them.

IP Management
The IP Management pane lets you configure DefenseFlow network interfaces to be used for
accessing the DefenseFlow control elements, network elements, and mitigation devices.

Note: The initial configuration is defined when DefenseFlow is installed and initially set up.
This section includes the following topics:
• Network Interfaces, page 202
• Interfaces Associations, page 203


Network Interfaces
The Network Interfaces pane lets you configure network interfaces.

To configure network interfaces


1. In the Configuration perspective, select System > IP Management > Network Interfaces.
2. To edit a network interface, do one of the following:

— Highlight the network interface and click the (Edit) button.


— Search for the network interface by typing a string in one of the network interface search

fields and clicking the (Search) button:

Table 60: Network Interfaces Search Parameters

Enable Interface: Search for enabled or disabled network interfaces.
Interface Name: String to search for in the network interface name.
IPv4 Address: IPv4 address of the network interface to search for.
IPv6 Address: IPv6 address of the network interface to search for.

To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the network interface, and then click Submit to save your
changes:

Table 61: Network Interfaces General Parameters

Enable Interface: Select to enable the network interface.
Interface Name: (Read-only) Interface name. You can define additional interfaces using the VMware console. After defining the additional interface, you can associate it to a network (see Interfaces Associations, page 203).
Mode: The mode for setting the network interface IP address.
Values:
• DHCP — The IP address is set automatically using DHCP. In this mode, the IP address cannot be manually overridden. The supported DHCP mode is infinite lease.
• STATIC — You can override the IP address that was set using DHCP. This is the recommended setting.
Default: DHCP
IP Version 4
IPv4 Address: IPv4 address.
IPv4 Mask: IPv4 mask.
IPv4 Gateway: IPv4 gateway.
IP Version 6


IPv6 Address: IPv6 address.
IPv6 Mask: IPv6 mask.
IPv6 Gateway: IPv6 gateway.

Interfaces Associations
The Interfaces Associations pane lets you configure interface associations.

To configure network interfaces associations


1. In the Configuration perspective, select System > IP Management > Interfaces
Associations.
By associating network x to the interface, DefenseFlow sends all x-related network traffic
through the assigned interface. This also affects, when relevant, the default router used for
communication with each destination IP address.
2. To edit an interface association, do one of the following:

— Highlight the interface association and click the (Edit) button.


— Search for the interface association by typing a string in one of the interface association

search fields and clicking the (Search) button:

Table 62: Interfaces Associations Search Parameters

Network: String to search for in the network name.
Interface: String to search for in the associated interface name.

To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the interface association, and then click Submit to save your
changes:

Table 63: Interfaces Associations General Parameters

Network: (Read-only) The network to which to associate an interface.
Interface: The interface to associate to the network. You can define additional interfaces using the VMware console. After defining the additional interface, you can associate it to a network.

High Availability
Use the High Availability pane to configure or modify High Availability settings. You can also
configure these settings using the CLI. For information on how to install and initialize DefenseFlow
High Availability, see Installing and Initializing DefenseFlow High Availability, page 39


To configure High Availability


1. In the Configuration perspective, select System > High Availability.
2. Configure the parameters, and then click Submit to save your changes.

Table 64: High Availability Parameters

Active DefenseFlow Node IP: The Active DefenseFlow device IP address.
Enable High Availability: Enables or disables High Availability. Select to enable High Availability, and deselect to disable it.
Default: Disabled
Standby DefenseFlow Node IP: The Standby DefenseFlow device IP address. This parameter displays when you enable High Availability.
Enable Automatic Failover: Enables automatic failover. This parameter displays when you enable High Availability.
Default: Enabled (when High Availability is enabled)
With automatic failover, the Active node continuously sends a heartbeat to the Standby node. When the Standby node determines that the Active node has failed, the Standby node assumes the role of the Active node and continues to provide network service.

3. Wait until you receive confirmation that the enable or disable process has completed.

Note: Adding a standby node can take several minutes. To view its progress, you can execute
the CLI command dfc-info:progress-list [-refresh 5], where -refresh is the
optional auto-refresh mode.
4. Verify that the nodes display as configured in the Monitoring perspective, System > High
Availability.

Syslog Alerts
This pane displays the syslog servers that receive DefenseFlow syslog alerts. For a list of
DefenseFlow syslog alerts, see Appendix - Alerts Table, page 373.

To configure syslog alerts


1. In the Configuration perspective, select System > Syslog Alerts.
2. To add or edit a syslog alert, do one of the following:

— To add a syslog alert, click the (Add) button.


— To edit a syslog alert, do one of the following:

• Highlight the syslog alert and click the (Edit) button.


• Search for the syslog alert by typing a string in one of the syslog alert search fields and

clicking the (Search) button:

Table 65: Syslog Alerts Search Parameters

Syslog Destination IP: String to search for in the syslog server destination IP address.
Port: String to search for in the syslog server port number.
Severity: Syslog alert severity to search for.
Values:
• DEBUG
• ERROR
• FATAL
• INFO
• WARNING
Description: String to search for in the syslog server descriptions.
Update Time: The syslog alert update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the syslog alert, and then click Submit to save your changes:

Table 66: Syslog Alerts Parameters

IP: Syslog server destination IP address to which syslog alerts are sent.
Port: Syslog server port number to which syslog alerts are sent.
Severity: Syslog alert severity.
Values:
• DEBUG
• ERROR
• FATAL
• INFO
• WARNING
Description: Syslog server description.

To add audit log events to the syslog server

If required, you can send the audit log events to a syslog server (using the CLI only). This feature is disabled by default.
1. From the CLI, enable this feature using the following command:
dfc-core:configuration-set -name dfc.audit.log.send.syslog.server.enabled -value true
2. Set the audit log to be sent to an external syslog server and port using the following command:


dfc-alert:syslog-add -ip {external_syslog_IP_address} -port {port_number} -severity INFO

Note: -port is optional. If no port is specified, the default port 514 is used.
3. To disable the feature, set the same configuration key back to false:
dfc-core:configuration-set -name dfc.audit.log.send.syslog.server.enabled -value false
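Before pointing DefenseFlow at a production collector it is useful to confirm that alerts and audit events actually reach the IP and port you configured above. The following Python script is an added example written for this guide; it is not Radware's code, and DefenseFlow's own message format is not shown on this page, so the sample lines are constructed. The script is a throwaway UDP collector that parses the RFC 3164 <PRI> header, maps the standard syslog severity numbers onto the five severity names used in the Syslog Alerts pane (that mapping is this example's assumption), and keeps only messages at or above a chosen severity and, optionally, only those sent from the DefenseFlow node addresses.

```python
"""Minimal UDP syslog collector with severity filtering (added example).

Assumptions (not from the DefenseFlow guide): messages carry an RFC 3164
<PRI> header, and the standard syslog severity numbers are mapped onto the
DefenseFlow severity names DEBUG, INFO, WARNING, ERROR and FATAL as below.
"""
import re
import socket

# DefenseFlow severity names in ascending order of importance.
LEVELS = ["DEBUG", "INFO", "WARNING", "ERROR", "FATAL"]

# Syslog severity number (RFC 5424 section 6.2.1) -> DefenseFlow name.
# 0 emerg, 1 alert, 2 crit -> FATAL; 3 err -> ERROR; 4 warning -> WARNING;
# 5 notice, 6 info -> INFO; 7 debug -> DEBUG.  Mapping chosen for this example.
SYSLOG_TO_LEVEL = {0: "FATAL", 1: "FATAL", 2: "FATAL", 3: "ERROR",
                   4: "WARNING", 5: "INFO", 6: "INFO", 7: "DEBUG"}

_PRI = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(datagram):
    """Split a raw datagram into (facility, level_name, message_text).

    Returns None for datagrams without a valid <PRI> header so that junk
    arriving on the port is dropped instead of raising inside the receive loop.
    """
    m = _PRI.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                     # highest valid PRI: facility 23 * 8 + severity 7
        return None
    facility, severity = divmod(pri, 8)
    text = m.group(2).decode("utf-8", "replace").rstrip("\n")
    return facility, SYSLOG_TO_LEVEL[severity], text


def passes_filter(level_name, minimum):
    """True if level_name is at least as important as minimum."""
    return LEVELS.index(level_name) >= LEVELS.index(minimum)


def serve(bind_ip="0.0.0.0", port=514, minimum="INFO", allowed_sources=None, max_messages=None):
    """Receive datagrams and keep those from allowed_sources at or above minimum.

    allowed_sources: set of sender IPs to accept (the DefenseFlow node
    addresses); None accepts any sender.  A UDP source address is not
    authenticated, so this is a sanity check, not an access control.
    Returns the accepted (sender_ip, facility, level, text) tuples.
    """
    accepted = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while max_messages is None or len(accepted) < max_messages:
            data, (sender, _) = sock.recvfrom(65535)
            if allowed_sources is not None and sender not in allowed_sources:
                continue
            parsed = parse_syslog(data)
            if parsed is None:
                continue
            facility, level, text = parsed
            if passes_filter(level, minimum):
                accepted.append((sender, facility, level, text))
    return accepted


# Constructed sample datagrams; wording and format are not from the guide.
SAMPLE = [
    b"<134>Jul 14 10:00:01 defenseflow alert: protected object PO1 attack started",
    b"<131>Jul 14 10:00:02 defenseflow alert: mitigation device DP1 unreachable",
    b"<135>Jul 14 10:00:03 defenseflow debug: heartbeat sent",
    b"not a syslog line",
]


def filter_samples(minimum="WARNING"):
    """Apply the same filter to SAMPLE offline; returns the accepted level names."""
    kept = []
    for datagram in SAMPLE:
        parsed = parse_syslog(datagram)
        if parsed and passes_filter(parsed[1], minimum):
            kept.append(parsed[1])
    return kept


if __name__ == "__main__":
    print(filter_samples("WARNING"))
    # Live use (binding to 514 needs root; 5514 does not):
    # serve(port=5514, minimum="WARNING", allowed_sources={"192.0.2.10"}, max_messages=10)
```

The offline filter_samples run keeps only the ERROR line for a WARNING threshold. For a live check, run serve on the port you passed to dfc-alert:syslog-add and trigger an event on DefenseFlow; if nothing arrives, verify the interface association for the syslog network before suspecting the collector.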

TACACS+ Settings
When you access DefenseFlow via APSolute Vision or the REST API, TACACS+ authentication and
authorization is handled by APSolute Vision.
The TACACS+ Settings feature lets you configure TACACS+ authentication settings for your primary
and secondary TACACS+ servers for access to the DefenseFlow CLI via SSH.
When enabled, CLI user access credentials and permissions are determined by the TACACS+ server.
CLI user permissions are determined by the TACACS+ server priv_level parameter according to the
following values:
• 0-14 — CLI user access is read-only
• 15 — CLI user access is read-write

The name of a TACACS+ authenticated user is included in the audit log for any activities that user
performs.

To configure TACACS+ settings


1. In the Configuration perspective, select System > TACACS+ Settings.
2. Configure the TACACS+ parameters, and then click Submit to save your changes:

Table 67: TACACS+ Parameters

Enable TACACS+: Enables TACACS+ authentication. When you enable TACACS+ authentication, user access credentials and permissions to DefenseFlow through SSH or the DefenseFlow CLI are set based on the settings in the TACACS+ server.
If TACACS+ is disabled or unreachable, only the root, radware, radwareread, or locally-added users can be used.
If either the primary or the secondary TACACS+ server is unreachable, user access credentials and permissions are determined by the local DefenseFlow user table.
Default: Disabled (When TACACS+ authentication is disabled, the local DefenseFlow user table determines access credentials and permissions.)
Primary TACACS+ Server Tab: Set the following parameters for your primary TACACS+ server:
• Server IP Address — The primary server IP address.
• Server Listening Port — The primary server listening port.
• Server Secret Key — The primary server secret key.
• Confirm Server Secret Key — Confirmation of the primary server secret key.


Secondary TACACS+ Server Tab: Set the following parameters for your secondary TACACS+ server:
• Server IP Address — The secondary server IP address.
• Server Listening Port — The secondary server listening port.
• Server Secret Key — The secondary server secret key.
• Confirm Server Secret Key — Confirmation of the secondary server secret key.
Shared Parameters Tab: Set the following parameters that are shared by the TACACS+ servers:
• Service Name — Service shared by the TACACS+ servers. The string cannot be a value reserved by the TACACS+ server. Recommended value: dfc

Network
Use the Network pane to view or edit various control, network, and mitigation elements and devices.
This section includes the following topics:
• BGP, page 207
• Control Elements, page 208
• Network Elements, page 212
• Network Elements Groups, page 216
• Route Tags, page 217
• Mitigation, page 218

BGP
Use the BGP pane to configure DefenseFlow global BGP parameters.

Notes
• BGP is a dynamic routing protocol that announces and distributes routing information between
routers.
• DefenseFlow can work as a BGP speaker, supporting announcements to multiple BGP peers in
IPv4 and IPv6 for diversion purposes. The global parameters are relevant only if DefenseFlow
BGP is enabled (default). To configure this support, see To add network interfaces for
announcements to multiple BGP peers, page 208.

To configure BGP parameters

Note: Changing the global BGP configuration causes all existing BGP peers to restart.
1. In the Configuration perspective, select Network > BGP.
2. Configure the BGP parameters and click Submit.


Table 68: BGP Parameters

DefenseFlow Router ID: DefenseFlow BGP router ID. Default: the control interface IP address
Hold Time: The BGP hold time, in seconds. Default: 180
Local AS: The local Autonomous System number. Default: 65001

To add network interfaces for announcements to multiple BGP peers


1. Open VMware vSphere Client.
2. Select the DefenseFlow VM.
3. Edit the Virtual Machine settings.
4. Add Ethernet adapters as required (up to three).
5. Reset the DefenseFlow VM.
6. Verify that the Ethernet adapters you added are either G-3, G-4, or G-5.

Control Elements
Use the Control Elements pane to search for, configure, or delete control elements. The initial view displays existing control elements and lets you search for a specific control element.

To configure a control element


1. In the Configuration perspective, select Network > Control Elements.
2. To add or edit a control element, do one of the following:

— To add a control element, click the (Add) button.


— To edit a control element, do one of the following:

• Highlight the control element and click the (Edit control element) button.

• Type a string in the (Search) field, and in the control element you want to edit,

click the (Edit control element) button.


3. Configure the parameters for the control element, and then click Submit to save your changes:

Table 69: Control Element General Parameters

Enable Control Element: Enables or disables the control element. Default: Enabled
Name: Control element logical name.
Description: Description of the control element.


Type: Type of control element.
Values:
• External Detector — For External Detector parameters, see Table 70 - Control Element External Detector Access Information Parameters, page 209.
• Radware Collector — For Radware Collector parameters, see Table 71 - Control Element Radware Collector Access Information Parameters, page 210.
• FlowDetector — For FlowDetector parameters, see Table 72 - Control Element FlowDetector Access Information Parameters, page 211.
• Radware AppWall — For Radware AppWall parameters, see Table 73 - Radware AppWall Access Information Parameters, page 211.
• BGP-Listener — For BGP-Listener parameters, see Table 74 - BGP-Listener Access Information Parameters, page 212.

Table 70: Control Element External Detector Access Information Parameters

Control Element Management Address: The source IP address of the external detector. The management IP address should be the source IP address of the syslog messages received from the external detector (NetFlow Detector, AppWall, or other).
Protocol: Protocol used by the external detector for sending detection signals. Values: TCP, UDP. Default: UDP
DefenseFlow L4 Port: Layer 4 port for receiving detection signals from the external detector. Values: 0 – 65535


Attach Driver: Select which driver to use for the control element. Click the (Add) button to add a new driver.
You can select a Genie Collector as the external detector. If you select a Genie Collector driver, the following parameters display:
• Genie Collector Settings
— User Name — Genie Collector management user name.
— Password — Genie Collector management password.
— Protocol — Protocol to connect with the Genie Collector. Values: HTTP, HTTPS
• High Availability (HA) Support
— Standby Genie Collector IP Address — In a Genie HA environment, the IP address of the standby Genie Collector. Both Genie Collectors must have the same user name and password.
Notes:
• To use Genie traffic collection, the Genie Collector and DefenseFlow must have the same time zone configuration.
• To pull statistics from the Genie Collector, the protected object name and the Genie subnetwork name must be identical, irrespective of the protected networks. Traffic statistics are displayed only in the APSolute Vision DefenseFlow Traffic Statistics pane and in the DefenseFlow Analytics and Traffic Utilization reports, not in the Security Operations panes.
• DefenseFlow always fetches data from the Control Element Management Address (if reachable), or from the Standby Genie Collector IP Address (if the Control Element Management Address is unreachable).
• If you have an existing Genie control element and you want it to also act as a collector, do the following:

To update an existing Genie control element as a collector

1. On the Genie Collector, add a user name and password.
2. On the Genie Collector, do one of the following:
— Add a new detection or edit an existing detection to enforce traffic statistics collection, or
— Restart the DefenseFlow service.

Table 71: Control Element Radware Collector Access Information Parameters

Attach Driver: Select which driver to use for the control element. Click the (Add) button to add a new driver.
Admin User: The Admin User parameters include:
• User Name — User name to log in to the control element.
• Password — Login password.


Management Access: The Management Access parameters include:
• Management protocol — Management protocol of the control element. Values: HTTPS, HTTP, SSH. Default: HTTPS
• IP address — IP address of the control element.
• IP Port — Port number of the control element.
• URI — URI to use when the management protocol is HTTP or HTTPS. Note: This parameter is not used for the Radware Collector. If you are using the Radware Collector, leave this parameter empty.

Table 72: Control Element FlowDetector Access Information Parameters

Attach Driver: Select the FlowDetector driver to use for the control element. Click the (Add) button and select the driver from the drop-down list.
Admin User: The Admin User parameters include:
• User Name — User name to log in to the control element. Default: admin
• Password — Login password. Default: radware
These are the factory defaults; enter the credentials actually set on the FlowDetector, and change the default password there before connecting it to DefenseFlow.
Management Access: The Management Access parameters include:
• IP address — IP address of the control element.
• IP Port — Port number of the control element. Default: 10007

Table 73: Radware AppWall Access Information Parameters

Tunnels: The IP addresses representing the external public IP address of the web server that is located behind the AppWall device.
Note: By default, Use any network address in the Security Settings > Protected Objects > Protected Network pane is selected. If you are using AppWall as the external detector, Radware recommends that Use any network address remain selected. If you deselect it, for the AppWall detector to work properly you must ensure that the protected network is the same IP address as the AppWall tunnel address.
To add a tunnel:
1. Click the (Add AppWall Tunnel) button.
2. Set the Tunnel Name and Tunnel IP Address. When you specify multiple IP addresses, use a comma to separate the values. For example: 11.11.11.11,12.12.12.12,13.13.13.13
3. Click Submit.
Control Element Management Address: The source IP address of the external detector. The management IP address should be the source IP address of the syslog messages received from the external detector (NetFlow Detector, AppWall, or other).


Protocol: Protocol used by Radware AppWall for sending detection signals. Values: TCP, UDP. Default: UDP
DefenseFlow L4 Port: Layer 4 port for receiving detection signals from Radware AppWall. Values: 0 – 65535
Attach Driver: Select which driver to use for the control element. Click the (Add) button to add a new driver.

Table 74: BGP-Listener Access Information Parameters

Communities: One or more BGP communities, separated by a space. This parameter specifies exactly which BGP communities the control element analyzes to activate or deactivate a protection.
DefenseFlow is triggered upon attack detection from various sources such as NetFlow Detector, AppWall, and DefensePro. An MSSP can provide security services to its customers and let these customers activate or deactivate their protection using BGP announcements.
The BGP-Listener control element listens to BGP announcements and activates attack protection on the protected object assigned to the announced network. It also listens to withdrawal messages, which terminate the attack protection of the protected network.
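The activation logic described in Table 74, as an added example (not Radware's code): a small tracker that consumes BGP UPDATE events and activates or withdraws protection for a prefix only when the announcement carries one of the configured communities. Standard communities are written in the usual AS:value form and compared as 32-bit values (RFC 1997). The event representation, the prefix-to-protected-object mapping, and the treatment of a re-announcement that no longer carries a trigger community are this example's own assumptions; the guide documents only announcements and withdrawals.

```python
"""Community-triggered protection tracker modelled on the BGP-Listener control
element (added example, not Radware code)."""
import ipaddress


def parse_community(text):
    """'65001:666' -> 32-bit RFC 1997 community value; ValueError on bad input."""
    asn, _, value = text.partition(":")
    asn, value = int(asn), int(value)
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError(f"community out of range: {text}")
    return (asn << 16) | value


class BgpListener:
    """Track which protected networks are active, driven by BGP announcements.

    trigger_communities: the space-separated Communities field of the control
    element, for example '65001:666 65001:667'.
    protected_objects: prefix -> protected object name.  This mapping is
    constructed for the example; DefenseFlow derives it from the protected
    object configuration.
    """

    def __init__(self, trigger_communities, protected_objects):
        self.triggers = {parse_community(c) for c in trigger_communities.split()}
        self.protected = {ipaddress.ip_network(p): name for p, name in protected_objects.items()}
        self.active = {}      # announced network -> protected object name
        self.log = []         # (action, protected object, prefix) tuples

    def _lookup(self, prefix):
        """Most specific protected network containing prefix, or None."""
        net = ipaddress.ip_network(prefix)
        candidates = [n for n in self.protected
                      if n.version == net.version and net.subnet_of(n)]
        if not candidates:
            return None, net
        return max(candidates, key=lambda n: n.prefixlen), net

    def announce(self, prefix, communities):
        """Handle an UPDATE that announces prefix with the given communities."""
        po_net, net = self._lookup(prefix)
        if po_net is None:
            return "ignored: no protected object"
        carried = {parse_community(c) for c in communities}
        if carried & self.triggers:
            if net not in self.active:
                self.active[net] = self.protected[po_net]
                self.log.append(("activate", self.protected[po_net], str(net)))
                return "activated"
            return "already active"
        # Re-announcement without a trigger community: this example treats it
        # like a withdrawal (assumption; the guide documents only withdrawals).
        return self.withdraw(prefix)

    def withdraw(self, prefix):
        """Handle an UPDATE that withdraws prefix."""
        net = ipaddress.ip_network(prefix)
        name = self.active.pop(net, None)
        if name is None:
            return "ignored: not active"
        self.log.append(("deactivate", name, str(net)))
        return "deactivated"


def run_scenario():
    """Constructed sequence of UPDATE events; returns the action log."""
    listener = BgpListener("65001:666", {"198.51.100.0/24": "PO-customer-A",
                                          "2001:db8::/32": "PO-customer-B"})
    listener.announce("198.51.100.0/24", ["65001:100"])   # no trigger: ignored
    listener.announce("198.51.100.0/24", ["65001:666"])   # activate
    listener.announce("198.51.100.0/24", ["65001:666"])   # idempotent
    listener.announce("2001:db8:1::/48", ["65001:666"])   # IPv6, inside PO-customer-B
    listener.announce("203.0.113.0/24", ["65001:666"])    # not protected: ignored
    listener.withdraw("198.51.100.0/24")                  # deactivate
    return listener.log


if __name__ == "__main__":
    for entry in run_scenario():
        print(*entry)
```

Two points the scenario makes explicit: an announcement for a prefix that maps to no protected object does nothing even when it carries the trigger community, and a prefix inside a larger protected network is matched to the most specific protected object. Whoever can inject an announcement with the trigger community toward the listener can start or stop mitigation, so the peers allowed to reach a BGP-Listener deserve the same scrutiny as the communities themselves.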

To delete a control element

Note: A control element cannot be deleted if it is used by another object.


1. In the Configuration perspective, select Network > Control Elements.
2. Select a specific control element.

3. Click (Delete).
4. Click Yes to delete the selected control element.

Network Elements
Use the Network Elements pane to search for, configure, or delete network elements. The initial view
displays existing network elements and lets you search for a specific network element.

To configure a network element


1. In the Configuration perspective, select Network > Network Elements.
2. To add or edit a network element, do one of the following:


— To add a network element, click the (Add) button.


— To edit a network element, do one of the following:

• Highlight the network element and click the (Edit) button.


• Search for the network element by typing a string in one of the network element search

fields and clicking the (Search) button:

Table 75: Network Elements Search Parameters

Status: Search for network elements set to Disabled or Enabled.
Name: Network element name to search for.
Description: String to search for in the network element descriptions.
Control: The diversion control to search for. Values: the name of the control element that enables the diversion, BGP, None
Update Time: The network element update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the network element, and then click Submit to save your
changes:

Table 76: Network Elements Parameters

Enable Network Element: Enables or disables the network element. Default: Enabled
Name: Name of the network element.
Description: Description of the network element.
Statistics Collection Control: Control element for statistics collection.
Note: This parameter is relevant only in deployments where DefenseFlow is the detector.
Values:
• Name of a control element that collects the statistics from this network element
• None
Default: None


Control: Type of diversion control.
Note: This field is relevant only when DefenseFlow is set to initiate diversion of traffic from this network element.
Values:
• Name of a control element that will enable the diversion
• BGP — This opens the BGP Configuration and Advanced Settings tabs. See BGP Configuration in this table.
• BigSwitch — Select this option if you use the BigSwitch network server in your solution topology. This opens the Management Settings tab. See Management Settings in this table.
• None
Default: None
Network Groups: You can group multiple network elements together for common detection and diversion actions within a protected object's configuration. A network element can be placed in one or more network element groups. Select one of the defined network groups by moving it from the Available list to the Selected list. For more information on placing network elements into a group, see Network Elements Groups, page 216.
BGP Configuration (this tab displays only when BGP is selected in the Diversion Control field): Configure the BGP parameters for the network element:
• Support BGP FlowSpec — Select for network elements that support FlowSpec and that should receive BGP FlowSpec rules and block traffic based on those rules.
• BGP Peer Address — The IP address used by the network element for BGP peering. You can enter either an IPv4 or IPv6 address.
• MD5 Key — The MD5 secret of the network element.
• Confirm MD5 Key — Enter the MD5 secret of the network element again.
• 4 Bytes Support — Specifies whether AS numbers encoded as a 4-byte entity are supported.
• DefenseFlow Router ID — The BGP router ID DefenseFlow uses when peering with this network element. The default is the Router ID defined in the global BGP parameters (see BGP, page 207).
• Local AS — The local Autonomous System number DefenseFlow uses for the network element's BGP peer.
• Peer AS — The Autonomous System number of the network element's BGP peer.
• Hold Time — The BGP hold time of the network element, in seconds.
• Route Refresh — Enables/disables the BGP Route Refresh option. Values: Enabled, Disabled. Default: Enabled
• Graceful Restart — Enables/disables the BGP Graceful Restart option. Values: Enabled, Disabled. Default: Enabled
• Graceful Restart Time — The BGP Graceful Restart time, in seconds.
• Diversion Connectivity — Specifies the network elements that have connectivity (tunnels) from this network element for diversion purposes. Click the (Add) button to add a network:
— Destination Network Element — Select the network element.


Advanced Settings (this tab displays only when BGP is selected in the Diversion Control field): In the Network field, select the BGP network for the network element.
Management Settings (this tab displays only when BigSwitch is selected in the Diversion Control field): When you want to use your BigSwitch network server as your diversion control element, provide the values for the following BigSwitch parameters defined for that server:
• Network Element Management IP Address — BigSwitch network element management IP address.
• BigSwitch Policy Name — BigSwitch policy name.
• BigSwitch Port — BigSwitch port.
• BigSwitch User — BigSwitch user name.
• BigSwitch Password — BigSwitch password.
• Confirm BigSwitch Password — Confirmation of the BigSwitch password.
• Enable Health Check — Receive an alert through SNMP, syslog, or e-mail when the BigSwitch BSN status changes from DOWN to UP or from UP to DOWN. Default: Enabled
• BigSwitch Hello Interval — Available only when Enable Health Check is selected. Sets how often a hello packet is sent to the BigSwitch network device/element. Values: 30 – 1800 seconds. Default: 60
• BigSwitch Hold Time — Available only when Enable Health Check is selected. Sets how long to wait for a response from the BigSwitch network device/element. If the BigSwitch BSN status changes after the Hold Time expires, an alert is sent. The Hold Time value must be at least three times the Hello Interval value. Values: 90 – 5400 seconds. Default: 180

To delete a network element

Note: A network element cannot be deleted if it is used by another object.


1. In the Configuration perspective, select Network > Network Elements.
2. Select a specific network element.

3. Click (Delete).
4. Click Yes to delete the selected network element.


Network Elements Groups


Use the Network Elements Groups pane to search for, configure, or delete network elements groups.
The initial view displays existing network elements groups and lets you search for a specific network
element group. Network elements groups can be used to specify operations on more than one
network element. There are three predefined groups: Tier1, Tier2, and scrubbing. These groups
cannot be deleted.

To configure a network element group


1. In the Configuration perspective, select Network > Network Elements Groups.
2. To add or edit a network element group, do one of the following:

— To add a network element group, click the (Add) button.


— To edit a network element group, do one of the following:

• Highlight the network element group and click the (Edit) button.
• Search for the network element group by typing a string in one of the network element

group search fields and clicking the (Search) button:

Table 77: Network Elements Groups Search Parameters

Group Name: Name of the network element group for which to search.
Description: String to search for in the network element group descriptions.
Update Time: The network element group update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the network element group, and then click Submit to save your
changes:

Table 78: Network Elements Groups Parameters

Name: Name of the network element group.
Description: Description of the network element group.
Available: List of configured network elements that are available to put into the network element group.
Selected: List of selected network elements that are currently in the group.

To delete a network elements group


1. In the Configuration perspective, select Network > Network Elements Groups.
2. Select a specific network elements group.

3. Click (Delete).


4. Click Yes to delete the selected network elements group.

Route Tags
Route tags can be used as a clean traffic injection method and for BGP FlowSpec diversion.
Use the Route Tags pane to search for, configure, or delete route tags for clean traffic injection. The
initial view displays the existing route tags and lets you search for a specific route tag.

To configure a route tag


1. In the Configuration perspective, select Network > Route Tags.
2. To add or edit a route tag, do one of the following:

— To add a route tag, click the (Add) button.


— To edit a route tag, do one of the following:

• Highlight the route tag and click the (Edit) button.


• Search for the route tag by typing a string in one of the route tag search fields and

clicking the (Search) button:

Table 79: Route Tag Search Parameters

Name: Name of the route tag for which to search.
Description: String to search for in the route tag descriptions.
Route Target: String to search for in the route targets.
Update Time: The route tag update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the route tag, and then click Submit to save your changes:

Table 80: Route Tag Parameters

Parameter Description
Name Name of the route tag.
Description Description of the route tag.
Route Target (Optional) Route target of the route tag.
Define the route target of the route tag if you are using a BGP FlowSpec rule for
traffic redirection. This identifies the route tag you select in the FlowSpec rule for
VFR redirection.
Values: The route target in one of the following formats:
• ASN:ID (for example, 65000:100)
• ASNL:ID (for example, 65001L:200)
• IP:ID (for example, 1.2.3.4:300)
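As an added example (not part of this guide or Radware's software), the following Python parses the three route target formats above, rejects out-of-range values, and encodes each as the BGP FlowSpec redirect extended community that a Redirect to VRF action carries. The field widths follow RFC 4360 and the 0x8008/0x8108/0x8208 type codes follow RFC 7674; that a router receives exactly this encoding from DefenseFlow is an assumption, not something the guide states.

```python
"""Parse DefenseFlow route-target strings and encode them as the BGP FlowSpec
"redirect" extended community.

Added example, not Radware code. Field widths follow RFC 4360 and the
0x8008/0x8108/0x8208 redirect type codes follow RFC 7674; that a router
receives exactly this encoding from DefenseFlow is an assumption.
"""
import ipaddress
import re
import struct
from dataclasses import dataclass

# (type high octet, sub-type) of the transitive redirect extended community.
TWO_OCTET_AS = (0x80, 0x08)   # ASN:ID  -> 2-byte ASN, 4-byte ID
IPV4_ADDRESS = (0x81, 0x08)   # IP:ID   -> 4-byte IPv4, 2-byte ID
FOUR_OCTET_AS = (0x82, 0x08)  # ASNL:ID -> 4-byte ASN, 2-byte ID

# Non-greedy admin part so "65001L:200" splits as admin=65001, wide=L.
_RT_RE = re.compile(r"^(?P<admin>[^:]+?)(?P<wide>L)?:(?P<local>\d+)$")


@dataclass(frozen=True)
class RouteTarget:
    kind: tuple   # one of the three type tuples above
    admin: int    # global administrator: ASN, or IPv4 address as an int
    local: int    # local administrator: the ID part

    def encode(self) -> bytes:
        """8-octet extended community value as carried in a BGP UPDATE."""
        hi, lo = self.kind
        if self.kind == TWO_OCTET_AS:
            return struct.pack("!BBHI", hi, lo, self.admin, self.local)
        # The IPv4 and 4-octet-AS forms share the 4-byte admin / 2-byte ID layout.
        return struct.pack("!BBIH", hi, lo, self.admin, self.local)


def parse_route_target(text: str) -> RouteTarget:
    """Accept exactly the ASN:ID, ASNL:ID and IP:ID formats; raise ValueError otherwise."""
    m = _RT_RE.match(text.strip())
    if not m:
        raise ValueError(f"{text!r}: expected ASN:ID, ASNL:ID or IP:ID")
    admin_txt, wide, local = m.group("admin"), m.group("wide"), int(m.group("local"))

    if "." in admin_txt:                                  # IP:ID
        if wide:
            raise ValueError(f"{text!r}: the L suffix is only valid after an ASN")
        try:
            admin = int(ipaddress.IPv4Address(admin_txt))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"{text!r}: bad IPv4 administrator") from exc
        if local > 0xFFFF:
            raise ValueError(f"{text!r}: ID must fit in 16 bits for IP:ID")
        return RouteTarget(IPV4_ADDRESS, admin, local)

    if not admin_txt.isdigit():
        raise ValueError(f"{text!r}: ASN must be numeric")
    asn = int(admin_txt)
    if wide:                                              # ASNL:ID
        if asn > 0xFFFFFFFF or local > 0xFFFF:
            raise ValueError(f"{text!r}: ASNL:ID needs ASN < 2^32 and ID <= 65535")
        return RouteTarget(FOUR_OCTET_AS, asn, local)
    if asn > 0xFFFF or local > 0xFFFFFFFF:                # ASN:ID
        raise ValueError(f"{text!r}: ASN:ID needs ASN <= 65535 and ID < 2^32")
    return RouteTarget(TWO_OCTET_AS, asn, local)


def validate_route_targets(values) -> dict:
    """Map each configured route target to None (valid) or an error message."""
    report = {}
    for value in values:
        try:
            parse_route_target(value)
            report[value] = None
        except ValueError as exc:
            report[value] = str(exc)
    return report


if __name__ == "__main__":
    # Constructed values: the guide's three examples plus two out-of-range ones.
    for rt, err in validate_route_targets(
            ["65000:100", "65001L:200", "1.2.3.4:300", "70000:1", "1.2.3.4:70000"]).items():
        print(rt, "->", err or parse_route_target(rt).encode().hex())
```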


To delete a route tag


1. In the Configuration perspective, select Network > Route Tags.
2. Select a specific route tag.

3. Click (Delete).
4. Click Yes to delete the route tag.

Mitigation
The Mitigation node lets you configure and monitor mitigation devices and mitigation device groups.
It includes the following panes:
• Mitigation Devices, page 218
• Mitigation Devices Groups, page 222
• Health Monitoring, page 223

Mitigation Devices
Use the Mitigation Devices pane to search for, configure, or delete mitigation devices. The initial view
displays existing mitigation devices and lets you search for a specific mitigation device.

Note: When you set the mitigation device to DefensePro, you must first ensure that the
DefensePro device has been added using APSolute Vision. If you are adding it now as part of this
procedure, wait approximately a minute after adding it to APSolute Vision, and then set it as the
mitigation device for DefenseFlow; the DefenseFlow-device icon in the APSolute Vision device pane
then includes two triangles. For more information on adding a DefensePro device using
APSolute Vision, refer to the APSolute Vision User Guide.

To configure a mitigation device


1. In the Configuration perspective, select Network > Mitigation > Mitigation Devices.
2. To add or edit a mitigation device, do one of the following:
— To add a mitigation device, click Add Mitigation Device.
— To edit a mitigation device, do one of the following:

• Highlight the mitigation device and click the (Edit Mitigation) icon for that device.
• Set a filter to search for the mitigation device:
a. Type a string in the Filter table by: field. All mitigation devices that include the
string in any of their parameters are displayed:

Table 81: Mitigation Devices Filter Parameters

Parameter Description
Admin Status Filter for mitigation devices set to Disabled or Enabled.
Type Type of the mitigation devices for which to filter.
Values: DefensePro, Third Party

Name Name of the mitigation devices for which to filter.
Description String to filter for in the mitigation device descriptions.
Update Time The mitigation device update time to filter for.

b. Locate the mitigation device you want to edit and click the (Edit Mitigation) icon
for that device.
c. To clear the filter, clear the text in the Filter table by: field.
3. Configure the parameters for the mitigation device, and then click Submit to save your
changes:

Table 82: Mitigation Devices Parameters

Parameter Description
Enabled Enable or disable the mitigation device.
Default: Enabled
Type The type of mitigation device.
Values: DefensePro, Third Party
Default: DefensePro
Note: If you use DefensePro as the mitigation device, DefensePro health
monitoring must be set to enabled. For more information, see Health
Monitoring, page 223.
Name Name of the mitigation device.
For DefensePro mitigation devices, this is a list of the available devices that are
configured in the APSolute Vision management system.
For third-party mitigation devices, this is a free-text field.
Description Description of the mitigation device. For DefensePro mitigation devices, it is as
configured in the APSolute Vision management system, which you can edit.
Version (Read-only) Software version of the DefensePro mitigation device as configured in
the APSolute Vision management system.
Management IP (Read-only) IP address of the DefensePro mitigation device as configured in the
APSolute Vision management system.
Managed Device Select if this device is managed by DefenseFlow.
Default: Not selected

Diversion and Injection Tab Set the diversion and injection parameters:
• Route Name — Select or configure a route configuration to be used with this
mitigation device:
— Select a route configuration to which the mitigation device diverts traffic.
The configuration for the route you selected is displayed in the remaining
parameters in the Diversion and Injection tab.
The Default route is the route you defined when you first configured this
mitigation device.
— To add a new route for this mitigation device:
a. Click Add Route Name....
b. Set the route name, and click Add.
c. Set the remaining parameters in the Diversion and Injection tab.
— To delete a route:
a. Select a route name.
b. Click Delete Route Name.
Note: By default, this feature is disabled. When it is disabled, the only available
route configuration is the set of parameters you set when you first configured the
mitigation device.
To enable this feature, do the following:
— Upgrade the DefenseFlow device driver to the version provided to you by
Radware Technical Support. For more information on how to upgrade the
DefenseFlow device driver, see the APSolute Vision User Guide.
— From the DefenseFlow CLI, run the following command:
dfc-core:configuration-set -name dfc.mitigation.route.name.enabled -value true
• Diversion address IPv4 — IPv4 address of the mitigation device to be used as
the destination for diverted traffic.
• Diversion address IPv6 — IPv6 address of the mitigation device to be used as
the destination for diverted traffic.

• Clean traffic injection — Clean traffic injection is relevant only for DefensePro
devices. Set the clean traffic injection options and click Submit:
— Fixed Injection Points — To add the IPv4 and IPv6 route addresses to be
used for injection to all protected objects, click Add Injection IP:
• First IPv4 Injection Point Address — The first IPv4 injection point
address.
• Second IPv4 Injection Point Address — The backup IPv4 injection point
address.
• First IPv6 Injection Point Address — The first IPv6 injection point
address.
• Second IPv6 Injection Point Address — The backup IPv6 injection point
address.
— Tunnels Table — You can add a tunnel, or edit an existing tunnel, used for
clean traffic injection:
• To add a tunnel, click Add Tunnel, and configure the tunnel
parameters:
• Protected Network Type — Values: Remote Network, Route Tag
• Remote Network/Route Tag — If you selected Remote Network
as the Protected Network Type, select a remote network for this
tunnel. If you selected Route Tag as the Protected Network
Type, select a Route Tag for this tunnel.
• Tunnel Address — The tunnel IP address.
• Tunnel Description — Tunnel text description.
• To edit an existing tunnel, do one of the following:
• Highlight the tunnel and click the (Edit) icon for that tunnel.
• Type a string in the Filter table by: field. All tunnels that include
the string in any of their parameters are displayed. Locate the tunnel you
want to edit and click the (Edit) icon for that tunnel.
Physical Connectivity Tab A list of network elements to which the mitigation device is directly
connected. A mitigation device can be connected to multiple network elements. Select from the
defined network elements by moving them from the Available list to the Selected list.
When you connect network elements to a mitigation device, this connects the
mitigation device to the peers in the operation diversion group represented by
the network element, if the Use Connectivity parameter is enabled in the operation.
Mitigation Devices Groups Tab A list of mitigation device groups of which the mitigation device is
a member. A mitigation device can be part of multiple mitigation device groups. Select from the
defined mitigation device groups by moving them from the Available list to the Selected list.

To delete a mitigation device


1. In the Configuration perspective, select Network > Mitigation > Mitigation Devices.
2. Select a specific mitigation device.

3. Click (Delete).


4. Click Yes to delete the selected mitigation device.

Mitigation Devices Groups


Use the Mitigation Devices Groups pane to view, configure, or delete mitigation device groups. The
initial view shows existing mitigation device groups and lets you search for a specific mitigation
device group. A predefined group, All, automatically includes all mitigation devices.

To configure a mitigation device group


1. In the Configuration perspective, select Network > Mitigation > Mitigation Devices Groups.
2. To add or edit a mitigation device group, do one of the following:

— To add a mitigation device group, click the (Add) button.


— To edit a mitigation device group, do one of the following:

• Highlight the mitigation device group and click the (Edit) button.
• Search for the mitigation device group by typing a string in one of the mitigation device
group search fields and clicking the (Search) button:

Table 83: Mitigation Devices Groups Search Parameters

Parameter Description
Group Name The name of the mitigation device group to search for.
Description String to search for in the mitigation device group descriptions.
Cluster IPv4 Address Cluster IPv4 address to search for.
Cluster IPv6 Address Cluster IPv6 address to search for.
Update Time The mitigation device group update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the mitigation device group, and then click Submit to save your
changes:

Table 84: Mitigation Devices Groups Parameters

Parameter Description
Name Name of the mitigation device group.
Description Description of the mitigation device group.
Cluster IPv4 Address Cluster IPv4 address of the mitigation device to use as the destination of
diverted traffic. If not defined, DefenseFlow uses the diversion target address from the
mitigation devices themselves.
Cluster IPv6 Address Cluster IPv6 address of the mitigation device to use as the destination of
diverted traffic. If not defined, DefenseFlow uses the diversion target address from the
mitigation devices themselves.
Available List of available DefensePro devices that can be put into this group.
Selected List of DefensePro devices that are currently in this group.


To delete a mitigation device group

Note: A mitigation device group cannot be deleted if it is used by another object.


1. In the Configuration perspective, select Network > Mitigation > Mitigation Devices Groups.
2. Select a specific mitigation device group.

3. Click (Delete).
4. Click Yes to delete the selected mitigation device group.

Health Monitoring
Use the Health Monitoring pane to configure global health monitoring parameters for the DefensePro
mitigation devices. Third-party mitigation devices are not monitored.

To configure health monitoring


1. In the Configuration perspective, select Network > Mitigation > Health Monitoring.
2. Configure the health monitoring parameters and click Submit.

Table 85: Health Monitoring Parameters

Parameter Description
Enable health monitoring Enables DefensePro health monitoring.
Default: Enabled
Note: Radware recommends that health monitoring should remain enabled to
ensure DefensePro mitigation service availability. If you disable health
monitoring, the DefensePro mitigation devices are no longer monitored and
updates to them are not reflected in DefenseFlow.
Health monitoring interval The health monitoring interval.
Default: 10 seconds
Health monitoring retries Number of health monitoring retries. After these retries, the status is
changed to DOWN.
Default: 3
Mitigation Devices Capacity Upper Bounds
Max Allowed CPU Utilization for mitigation device The maximum allowed CPU utilization for
mitigation devices. If the CPU utilization is greater than the maximum allowed, the device is
considered BUSY.
Default: 80%
Max Allowed BW Utilization for mitigation device The maximum allowed bandwidth utilization for
mitigation devices. If bandwidth utilization is greater than the maximum allowed, the device is
considered BUSY.
Default: 80%

Max allowed protected object policies utilization for mitigation device Maximum protected object
policies utilization for mitigation devices. If the protected object policies utilization is greater
than the maximum allowed, the device is considered BUSY.
Default: 90%
Max allowed filter list policies utilization for mitigation device Maximum allowed filter list
policies utilization for mitigation devices. If the filter list policies utilization is greater than
the maximum allowed, the device is considered BUSY.
Default: 80%

Security Settings
Use the Security Settings node to view or edit protected objects and various detection and
mitigation elements related to them.
The perspective includes the following tabs:
• Network Elements Parameters, page 3115
• BGP FlowSpec, page 225
• Filters, page 233
• Geolocation Feed Group, page 235
• DNS AllowList, page 236
• Operations, page 237
• Detection, page 248
• Workflows, page 251
• Protected Objects, page 258

Security Templates
Security templates are the security configurations to provision on DefensePro devices for the
protected object. To support multiple DefensePro versions, each template can include multiple
template instances per DefensePro version.
Use the Security Templates pane to view, configure, or delete security templates. The initial view
displays existing security templates and lets you search for a security template.

To create a security template


1. In the Configuration perspective, select Security Settings > Security Templates.

2. Click the (Add) button.

Note: Basic is a predefined security template that you can use to create new templates. You
cannot edit the Basic security template itself.
3. Configure the security template and click Submit.


Table 86: Security Template Parameters

Parameter Description
Name Name of the security template.
Description Description of the security template.
Template Origin Origin of the security template.
Values:
• Protected Object — Creates a template from an existing policy of a protected
object.
• Vision Template — Creates a template from an existing policy in the APSolute
Vision security templates repository.
Policy Name The security policy name from which to create the template.

To edit a security template


1. In the Configuration perspective, select Security Settings > Security Templates.
2. To edit a security template, do one of the following:

— Highlight the security template and click the (Edit) button.

Note: Basic is a predefined security template that you can use to create new templates.
You cannot edit the Basic security template itself.
— Search for the security template by typing a string in one of the security template search
fields and clicking the (Search) button:

Table 87: Security Template Search Parameters

Parameter Description
Name The name of the security template to search for.
Description String to search for in the security template description.
Creation Date The creation date to search for.

To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the security template, and then click Submit to save your
changes:

Table 88: Security Template Parameters

Parameter Description
Name (Read-only) Name of the security template.
Template Edit the security template as required.

BGP FlowSpec
The BGP FlowSpec node includes the following sub-nodes:
• BGP FlowSpec Rules, page 226
• BGP FlowSpec Groups, page 230
• FlowSpec Strictness Profiles, page 231

BGP FlowSpec Rules


In an operation, you set the method that is used for mitigation, either the standard BGP protocol or
the BGP FlowSpec protocol. If you use the BGP FlowSpec protocol, you select a set of BGP FlowSpec
rules that you define. The BGP FlowSpec Rules pane lets you create BGP FlowSpec rules.
If there is an event for a network that is already protected for the same operation, the FlowSpec
rules for that operation are updated to take into account the new event.

Note: This capability is only applicable to automatic user action mode.

To add or edit a BGP FlowSpec rule


1. In the Configuration perspective, select Security Settings > BGP FlowSpec > BGP FlowSpec
Rules.
2. To add or edit a BGP FlowSpec rule, do one of the following:

— To add a BGP FlowSpec rule, click the (Add) button.


— To edit a BGP FlowSpec rule, do one of the following:

• Highlight the BGP FlowSpec rule and click the (Edit) button.
• Search for the BGP FlowSpec rule by typing a string in one of the BGP FlowSpec rules
search fields and clicking the (Search) button:

Table 89: BGP FlowSpec Rules Search Parameters

Parameter Description
Name The name of the BGP FlowSpec rule to search for.
Description String to search for in the BGP FlowSpec rule description.
FlowSpec Strictness Profile The strictness profile associated with the BGP FlowSpec rule to
search for.
Redirect to VRF The route tag (VRF) to search for.
Redirect to Mitigation Search for a rule based on whether redirect to mitigation is Enabled or
Disabled.
Block Search for a rule based on whether blocking is Enabled or Disabled.
Rate Limit (bytes per second) The rate limit, in bytes per second, to search for.
Set DSCP The DSCP to search for.
Update Time The BGP FlowSpec rule update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the BGP FlowSpec rule, and then click Submit to save your
changes:


Table 90: BGP FlowSpec Rule Parameters

Parameter Description
Name Name of the BGP FlowSpec rule.
Description Description of the BGP FlowSpec rule.
Destination Prefix The destination prefix to match.
Values:
• Attacked IP — The actual destination IP addresses are inherited from the
protected object’s networks or IP addresses under attack or manually
activated.
• Entire Networks — The actual destination IP addresses are inherited from the
protected object that uses this rule for its various operations or manual
actions.
• Specific prefix — The Prefix to Block field displays, letting you define a set of
IP prefixes for the destination prefix.
Default: Attacked IP
Prefix to Block (This field displays only if you have selected Specific prefix as the Destination
Prefix.) Defines one or more IPv4 or IPv6 destination prefixes, each IP prefix separated by a
space.
Values: IPv4 or IPv6 address in the format n1.n2.n3.n4/5
Maximum number of networks: 100
Source Prefix Defines one or more IPv4 or IPv6 source prefixes, each IP prefix separated by a
space.
Values: IPv4 or IPv6 address in the format n1.n2.n3.n4/5
Maximum number of networks: 100
Port Defines a set of operation/value pairs that match the source or destination TCP/UDP
ports.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Example: =100 >=80&90 means a value that equals 100 or a value between 80 and 90,
including 80.
Destination Port Defines a set of operation/value pairs that match the destination TCP/UDP ports.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Example: =100 >=80&90 means a value that equals 100 or a value between 80 and 90,
including 80.

Source Port Defines a set of operation/value pairs that match the source TCP/UDP ports.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Example: =100 >=80&90 means a value that equals 100 or a value between 80 and 90,
including 80.
Protocol Defines the IP protocols to match.
Values: tcp, udp, icmp, gre, protocol number, range of protocol numbers
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.
• A range of protocol numbers.
Examples:
A [gre]
B [tcp udp]
C [3]
D [1-3 8-9]
ICMP Type Defines a set of operation/value pairs that match the type field of an ICMP
packet.
Values:
• echo-reply
• echo-request
• info-reply
• info-request
• mask-reply
• mask-request
• parameter-problem
• redirect
• router-advertisement
• router-solicit
• source-quench
• time-exceeded
• timestamp
• timestamp-reply
• unreachable
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.

ICMP Code Defines a set of operation/value pairs that match the code field of an ICMP
packet.
Values:
• communication-prohibited-by-filtering
• destination-host-prohibited
• destination-host-unknown
• destination-network-unknown
• fragmentation-needed
• host-precedence-violation
• ip-header-bad
• network-unreachable
• network-unreachable-for-tos
• port-unreachable
• redirect-for-host
• redirect-for-network
• redirect-for-tos-and-host
• redirect-for-tos-and-net
• required-option-missing
• source-host-isolated
• source-route-failed
• ttl-eq-zero-during-reassembly
• ttl-eq-zero-during-transit
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.
Flag Defines the set of operation/value pairs used as a bit-mask to match TCP flags.
Values: fin, syn, rst, push, ack, urgent
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.
Example: [fin] [syn] [push]
• The following multiple value combinations, surrounded by brackets, are
supported:
— [fin & ack]
— [syn & ack]
Note: The following operators are not supported in the TCP Flag field:
• AND (&) for multiple value combinations other than [fin & ack] and [syn &
ack]
• NOT (!)
Packet Length Defines the set of operation/value pairs to match the total IP packet length.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Example: =100 >=80&90 means a value that equals 100 or a value between 80 and 90,
including 80.

DSCP Defines the set of operation/value pairs to match the 6-bit DSCP field.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Example: =100 >=80&90 means a value that equals 100 or a value between 80 and 90,
including 80.
Fragment Defines the set of operation/value pairs used as a bit-mask to match fragment
bits.
Note: Some router types might not support the is-fragment and do-not-fragment
fragment bits. Check the router vendor’s documentation for more details.
Values:
• A single value
• A set of values separated by a space.
FlowSpec Strictness Profile Select a BGP FlowSpec Strictness profile to associate with this
FlowSpec rule. For more information on FlowSpec Strictness profiles, see FlowSpec Strictness
Profiles, page 231.
Actions
Note: Some router vendors might not support all actions. Check the router vendor’s
documentation for more details.
Redirect to VRF The route tag to which to redirect traffic. Select from a list of route tags for which
you have defined a route target. For more information, see Route Tags,
page 217.
Redirect to Mitigation Enables or disables redirection to the operation’s mitigation group. The next
hop IP addresses are inherited from the mitigation group of the protected object that
uses this rule for its various operations or manual actions.
Block Enables or disables traffic blocking (drop all matching packets).
Rate Limit (bytes per second) The rate limit in bytes per second.
Set DSCP Defines how to update the DSCP header of the matching packets.
Values: 0 – 63
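To check what a rule written in the match syntax above would act on before it is activated, the following Python (an added example, not part of this guide or Radware's software) compiles the Port, Packet Length, DSCP, Protocol and Flag fields of a rule into one predicate and runs it over constructed sample packets. It reads a bare number as equality, writes the 80-to-90 range as >=80&<90, and accepts a single bracketed flag or the two supported & combinations; how DefenseFlow itself parses the shorter form shown in the table is an assumption this example does not verify.

```python
"""Dry-run DefenseFlow BGP FlowSpec rule match fields against sample packets.

Added example, not Radware code. Operator syntax follows the parameter table:
<, >, = (a bare number means =), & for AND, space for OR, bracketed sets
with numeric ranges for Protocol, and [a & b] combinations for Flag.
"""
import re
from typing import Callable, Dict, List

PROTOCOL_NAMES = {"tcp": 6, "udp": 17, "icmp": 1, "gre": 47}   # IANA numbers
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08,
                 "ack": 0x10, "urgent": 0x20}                  # TCP header bits
_TERM_RE = re.compile(r"^(<=|>=|<|>|=)?(\d+)$")
_OPS = {"<": lambda v, n: v < n, ">": lambda v, n: v > n, "=": lambda v, n: v == n,
        "<=": lambda v, n: v <= n, ">=": lambda v, n: v >= n, None: lambda v, n: v == n}


def parse_numeric_condition(expr: str) -> Callable[[int], bool]:
    """'=100 >=80&<90' -> predicate true for 100 or for 80 <= v < 90."""
    alternatives = []                       # space-separated groups are OR'd
    for group in expr.split():
        terms = []                          # &-joined terms are AND'd
        for term in group.split("&"):
            m = _TERM_RE.match(term)
            if not m:
                raise ValueError(f"bad term {term!r} in {expr!r}")
            terms.append((_OPS[m.group(1)], int(m.group(2))))
        alternatives.append(terms)
    return lambda v: any(all(op(v, n) for op, n in t) for t in alternatives)


def parse_set(expr: str, names: Dict[str, int]) -> Callable[[int], bool]:
    """'[tcp udp]', '[1-3 8-9]' or 'gre' -> membership predicate on numbers."""
    body = expr.strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    accepted = set()
    for item in body.split():
        if "-" in item:                     # numeric range, inclusive
            lo, hi = (int(x) for x in item.split("-", 1))
            accepted.update(range(lo, hi + 1))
        elif item.isdigit():
            accepted.add(int(item))
        elif item in names:
            accepted.add(names[item])
        else:
            raise ValueError(f"unknown value {item!r} in {expr!r}")
    return lambda v: v in accepted


def parse_flag_combo(expr: str) -> Callable[[int], bool]:
    """'[syn]' or '[fin & ack]' -> true when every named flag bit is set."""
    mask = 0
    for name in expr.strip("[] ").split("&"):
        name = name.strip()
        if name not in TCP_FLAG_BITS:
            raise ValueError(f"unsupported TCP flag {name!r}")
        mask |= TCP_FLAG_BITS[name]
    return lambda flags: flags & mask == mask


# Rule field -> (packet key, parser). Fields left out of a rule match anything.
FIELD_PARSERS = {
    "Destination Port": ("dport", parse_numeric_condition),
    "Source Port": ("sport", parse_numeric_condition),
    "Packet Length": ("length", parse_numeric_condition),
    "DSCP": ("dscp", parse_numeric_condition),
    "Protocol": ("proto", lambda e: parse_set(e, PROTOCOL_NAMES)),
    "Flag": ("flags", parse_flag_combo),
}


def compile_rule(rule: Dict[str, str]) -> Callable[[Dict[str, int]], bool]:
    """Combine all configured match fields of a rule into one packet predicate."""
    checks = []
    for field, expr in rule.items():
        key, parser = FIELD_PARSERS[field]
        checks.append((key, parser(expr)))
    return lambda pkt: all(key in pkt and pred(pkt[key]) for key, pred in checks)


def count_matches(rule: Dict[str, str], packets: List[Dict[str, int]]) -> int:
    """Number of sample packets the rule's action (Block, Rate Limit, ...) would hit."""
    matcher = compile_rule(rule)
    return sum(1 for p in packets if matcher(p))


# Constructed sample traffic: two large UDP packets from NTP/DNS source ports
# (the shape of reflected flood traffic) and one ordinary TCP SYN to a web port.
SAMPLE_PACKETS = [
    {"proto": 17, "sport": 123, "dport": 80, "length": 468, "dscp": 0, "flags": 0},
    {"proto": 17, "sport": 53, "dport": 443, "length": 1400, "dscp": 0, "flags": 0},
    {"proto": 6, "sport": 51000, "dport": 443, "length": 60, "dscp": 0, "flags": 0x02},
]
# Constructed rule: UDP from source port 123 or 53 with packets of 400 bytes or more.
SAMPLE_RULE = {"Protocol": "[udp]", "Source Port": "=123 =53", "Packet Length": ">=400"}

if __name__ == "__main__":
    print("packets the rule would act on:", count_matches(SAMPLE_RULE, SAMPLE_PACKETS))
```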

BGP FlowSpec Groups


You can group BGP FlowSpec rules into groups, and reference the group in other DefenseFlow
features.

Note: When you activate an operation with a BGP FlowSpec rule, you can update that rule before
the activation, but for a FlowSpec rule within a BGP group, you can only update the rule after the
activation.


To add or edit a BGP FlowSpec group


1. In the Configuration perspective, select Security Settings > BGP FlowSpec > BGP FlowSpec
Rules.
2. To add or edit a BGP FlowSpec group, do one of the following:

— To add a BGP FlowSpec group, click the (Add) button.


— To edit a BGP FlowSpec group, do one of the following:

• Highlight the BGP FlowSpec group and click the (Edit) button.
• Search for the BGP FlowSpec group by typing a string in one of the BGP FlowSpec group
search fields and clicking the (Search) button:

Table 91: BGP FlowSpec Groups Search Parameters

Parameter Description
Name The name of the BGP FlowSpec group to search for.
Description String to search for in the BGP FlowSpec group description.
Update Time The BGP FlowSpec group update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the BGP FlowSpec group, and then click Submit to save your
changes:

Table 92: BGP FlowSpec Groups Parameters

Parameter Description
Name The name of the BGP FlowSpec group.
Description Description of the BGP FlowSpec group.
Available/Selected Select BGP FlowSpec rules to be included in the BGP FlowSpec group.
1. From the Available BGP FlowSpec rules, highlight the rule you want to be
part of the group.
2. For each rule, click the > button to move it to the Selected list.

FlowSpec Strictness Profiles


A FlowSpec Strictness profile lets you perform more granular mitigation using a BGP FlowSpec rule.
After defining a profile, you associate it to the BGP FlowSpec rule you want to be governed by that
profile. For rules that are auto-populated, DefenseFlow checks if the attack event matches that
profile.

To add or edit a FlowSpec strictness profile


1. In the Configuration perspective, select Security Settings > BGP FlowSpec > FlowSpec
Strictness Profiles.
2. To add or edit a BGP FlowSpec strictness profile, do one of the following:


— To add a BGP FlowSpec strictness profile, click the (Add) button.


— To edit a BGP FlowSpec strictness profile, do one of the following:

• Highlight the BGP FlowSpec strictness profile and click the (Edit) button.
• Search for the BGP FlowSpec strictness profile by typing a string in one of the BGP
FlowSpec strictness profile search fields and clicking the (Search) button:

Table 93: BGP FlowSpec Strictness Profile Search Parameters

Parameter Description
Auto-populate Profile Name The auto-populate profile name of the BGP FlowSpec Strictness profile
to search for.
Profile Description String to search for in the BGP FlowSpec Strictness profile description.
Minimum Number of Attributes Search for the minimum number of BGP FlowSpec attributes required by
DefenseFlow to trigger a new protection for a specific attack event.
Values: 1 – 6
Update Time The BGP FlowSpec Strictness profile update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the BGP FlowSpec Strictness profile, and then click Submit to save
your changes:

Table 94: BGP FlowSpec Strictness Profile Parameters

Parameter Description
Auto-populate Profile Name The name of the BGP FlowSpec Strictness profile.
Profile Description Description of the BGP FlowSpec Strictness profile.
Minimum Number of Attributes The minimum number of BGP FlowSpec attributes required by DefenseFlow
to trigger a new protection for a specific attack event.
Values: 1 – 6
Associated DefensePro Protections The associated DefensePro protections that are required to
trigger a new protection.
Includes: ALL (all DefensePro protections), Blocklist/Allowlist, BDoS, SYN, DNS,
Traffic Filters, OOS, DDoS Shield

Mandatory Attributes Available/Selected Select BGP FlowSpec attributes to be included in the BGP
FlowSpec Strictness profile that are required to trigger a new protection for an operation.
1. From the Available attributes, highlight the attribute you want to be part of
the strictness profile.
2. For each attribute, click the > button to move it to the Selected list.
Note: For the Mandatory Attributes Available and Selected values to
display, you must first set the dfc.bgp.flowspec.populate values to true:
• dfc.bgp.flowspec.populate.destination.port
• dfc.bgp.flowspec.populate.fragment
• dfc.bgp.flowspec.populate.protocol
• dfc.bgp.flowspec.populate.source.network
• dfc.bgp.flowspec.populate.source.port
• dfc.bgp.flowspec.populate.tcp.flags

Filters
You can define blocklists and allowlists (filter lists), and groups of lists (filter groups), for a single
mitigation device or a group of mitigation devices. You define these filter lists and filter groups in the
Filters node. For more information on how filter lists and filter groups are applied to blocklists and
allowlists, see Operations, page 237.
You can also define Geolocation feed groups that include a list of geolocations that you can assign to
a protected object to block or allow only a set of geographic locations.
The Filters node includes the following sub-nodes:
• Filter Lists, page 233
• Filter Groups, page 234
• Geolocation Feed Group, page 235

Filter Lists
This procedure describes how to view, create, and edit filter lists.

To add or edit a filter list


1. In the Configuration perspective, select Security Settings > Filters > Filter Lists.
2. To add or edit a filter list, do one of the following:

— To add a filter list, click the (Add) button.


— To edit a filter list, do one of the following:

• Highlight the filter list and click the (Edit) button.


• Search for the filter list by typing a string in one of the filter list search fields and clicking
the (Search) button:


Table 95: Filter List Search Parameters

Parameter Description
Name The name of the filter list to search for.
Description String to search for in the filter list description.
Addresses IP addresses in the filters to search for.
Update Time The filter list update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the filter list, and then click Submit to save your changes:

Table 96: Filter List Parameters

Name: Name of the filter list.
Description: Description of the filter list.
Addresses: The IPv4 and/or IPv6 addresses that are filtered. The IP addresses can include source and destination port ranges and protocols.
Examples:
• 192.168.66.0/24
• 172.31.15.12
• 10.1.1.1 src port 12-44 protocol 5
• 10.1.1.0/24 src port 12 dst port 12-13 protocol tcp
• 3001:e12::/32
• 2001:cdba:0000:0000:0000:0000:3257:9652
Note: The protocol numbers used by DefenseFlow are mapped to the following protocols:
• 0 — Any
• 1 — TCP
• 2 — UDP
• 3 — ICMP
• 4 — IGMP
• 5 — SCTP
• 7 — ICMPv6
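The Addresses syntax above (an address or prefix, optional src/dst port ranges, an optional protocol given as a DefenseFlow number or a name) is easy to get subtly wrong in a long list, so here is a parser for it, added as an example; it is not DefenseFlow code. The protocol numbers are the ones from the note in Table 96. The 0-65535 port check, the rejection of port clauses on ICMP/IGMP/ICMPv6 entries, and the handling of "#" comments are this example's own choices, not documented DefenseFlow behaviour.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Protocol numbers as listed in Table 96 (DefenseFlow's own mapping, not IANA protocol numbers).
DF_PROTOCOLS = {0: "any", 1: "tcp", 2: "udp", 3: "icmp", 4: "igmp", 5: "sctp", 7: "icmpv6"}
DF_PROTOCOL_BY_NAME = {name: num for num, name in DF_PROTOCOLS.items()}
# ICMP, IGMP and ICMPv6 carry no ports: this is a sanity check of this example, not a documented rule.
PORTLESS_PROTOCOLS = {3, 4, 7}

PortRange = Tuple[int, int]
_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


@dataclass(frozen=True)
class FilterEntry:
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    src_port: Optional[PortRange]
    dst_port: Optional[PortRange]
    protocol: int  # 0 = any


def _parse_port_range(text: str) -> PortRange:
    """'12' -> (12, 12); '12-44' -> (12, 44); anything else is rejected."""
    m = _PORT_RE.match(text)
    if not m:
        raise ValueError(f"bad port or port range: {text!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of range: {text!r}")
    return lo, hi


def _parse_protocol(text: str) -> int:
    """Accept a DefenseFlow protocol number ('5') or a protocol name ('tcp')."""
    if text.isdigit():
        num = int(text)
        if num not in DF_PROTOCOLS:
            raise ValueError(f"unknown DefenseFlow protocol number {num}")
        return num
    try:
        return DF_PROTOCOL_BY_NAME[text.lower()]
    except KeyError:
        raise ValueError(f"unknown protocol name {text!r}") from None


def parse_filter_entry(line: str) -> FilterEntry:
    """Parse one Addresses entry:
    <ip | prefix> [src port X[-Y]] [dst port X[-Y]] [protocol <num | name>]
    """
    tokens = line.split()
    if not tokens:
        raise ValueError("empty filter entry")
    # strict=False accepts host bits set in a prefix; a bare address becomes a /32 or /128.
    network = ipaddress.ip_network(tokens[0], strict=False)
    src = dst = None
    protocol = 0
    i = 1
    while i < len(tokens):
        key = tokens[i].lower()
        if key in ("src", "dst"):
            if i + 2 >= len(tokens) or tokens[i + 1].lower() != "port":
                raise ValueError(f"expected '{key} port <range>' in {line!r}")
            rng = _parse_port_range(tokens[i + 2])
            if key == "src":
                src = rng
            else:
                dst = rng
            i += 3
        elif key == "protocol":
            if i + 1 >= len(tokens):
                raise ValueError(f"missing protocol value in {line!r}")
            protocol = _parse_protocol(tokens[i + 1])
            i += 2
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} in {line!r}")
    if (src or dst) and protocol in PORTLESS_PROTOCOLS:
        raise ValueError(f"ports given for a port-less protocol in {line!r}")
    return FilterEntry(network, src, dst, protocol)


def parse_filter_list(text: str) -> List[FilterEntry]:
    """One entry per non-empty line; '#' comments are a convention of this example only."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            entries.append(parse_filter_entry(line))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return entries


# Constructed sample list, built from the examples given in Table 96.
SAMPLE_FILTER_LIST = """
192.168.66.0/24
172.31.15.12
10.1.1.1 src port 12-44 protocol 5
10.1.1.0/24 src port 12 dst port 12-13 protocol tcp
3001:e12::/32
2001:cdba:0000:0000:0000:0000:3257:9652
"""

if __name__ == "__main__":
    for entry in parse_filter_list(SAMPLE_FILTER_LIST):
        print(entry.network, entry.src_port, entry.dst_port, DF_PROTOCOLS[entry.protocol])
```

Running the block prints the six sample entries in normalised form; a malformed entry raises a ValueError naming the line, which is cheaper to find before import than after a mitigation has started.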

Filter Groups
This procedure describes how to view, create, and edit filter list groups.

To add or edit a filter group

1. In the Configuration perspective, select Security Settings > Filters > Filter Groups.
2. To add or edit a filter group, do one of the following:
— To add a filter group, click the (Add) button.
— To edit a filter group, do one of the following:
• Highlight the filter group and click the (Edit) button.
• Search for the filter group by typing a string in one of the filter group search fields and clicking the (Search) button:

Table 97: Filter Groups Search Parameters

Group Name: The name of the filter group to search for.
Description: String to search for in the filter group description.
Update Time: The filter group update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the filter group, and then click Submit to save your changes:

Table 98: Filter Group Parameters

Name: Name of the filter group.
Description: Description of the filter group.
Filter Groups: You can group multiple filter lists together for common filtering. A filter list can be placed in one or more filter groups. Select one of the defined filter lists by moving it from the Available list to the Selected list. For more information on filter lists, see Filter Lists, page 233.

Geolocation Feed Group


This procedure describes how to view, create, and edit a DefenseFlow Geolocation feed group that
can be used for geoblocking in a protected object. In the protected object, you can use a single
geolocation from your Geolocation feed or you can use a Geolocation feed group that you define.
This feature requires that the DefensePro device used for mitigation be version 8.21 or later.
For more information on how Geolocation feed groups are assigned in protected objects, see
Protected Objects, page 258.
The Geolocation functionality requires a Geolocation subscription. To identify the geolocation that
traffic originates from, the Geolocation feature uses the Geolocation feed from the Geolocation
subscription. APSolute Vision manages the Geolocation subscription and the Geolocation feed.
Before you can configure a Geolocation feed group, you must configure and run a Geolocation Feed
task in APSolute Vision that targets the DefensePro device used for mitigation. If the DefensePro
device has a valid Geolocation subscription and a user-defined scheduled task of type Geolocation
Feed, the task uploads the feed to the Geolocation database on the DefensePro device.
For information on how to configure the scheduled task, refer to the APSolute Vision User Guide.

To add or edit a Geolocation feed group

1. In the Configuration perspective, select Security Settings > Filters > Geolocation Feed Group.
2. To add or edit a Geolocation feed group, do one of the following:
— To add a Geolocation feed group, click the (Add) button.
— To edit a Geolocation feed group, do one of the following:
• Highlight the Geolocation feed group and click the (Edit) button.
• Search for the Geolocation feed group by typing a string in one of the Geolocation feed group search fields and clicking the (Search) button:

Table 99: Geolocation Feed Group Search Parameters

Group Name: The name of the Geolocation feed group to search for.
Description: String to search for in the Geolocation feed group description.
Update Time: The Geolocation feed group update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the Geolocation feed group, and then click Submit to save your changes:

Table 100: Geolocation Feed Group Parameters

Name: Name of the Geolocation feed group.
Description: Description of the Geolocation feed group.
Geolocations: You can group multiple geolocations from your Geolocation feed into a Geolocation feed group. When defining geoblocking for a protected object, you can use a single geolocation from your Geolocation feed or a Geolocation feed group that you define.
To add a geolocation to the Geolocation feed group, select one of the defined geolocations by moving it from the Available list to the Selected list.
For more information on how Geolocation feed groups are used in protected objects, see Protected Objects, page 258.

DNS AllowList
DefenseFlow can automatically delegate a DNS Subdomains Allowlist from the CPE DefensePro to a
scrubbing center. Upon attack, a syslog signal from the tier-2 mitigation device (DPaaD or CPE DP) is
sent to DefensePro. As a result, DefenseFlow exports the current policy from the DPaaD along with
its associated DNS allowlist, and imports the policy into the scrubbing center mitigation device. Once
the attack is diverted by DefenseFlow to the scrubbing center, the scrubbing center already has the
DNS allowlist deployed in order to clean the traffic and block the DNS attack.

To configure a DNS allowlist

1. In the Configuration perspective, select Security Settings > DNS AllowList.
2. To add or edit a DNS allowlist, do one of the following:
— To add a DNS allowlist, click the (Add) button.
— To edit a DNS allowlist, do one of the following:
• Highlight the DNS allowlist and click the (Edit) button.
• Search for the DNS allowlist by typing a string in one of the DNS allowlist search fields and clicking the (Search) button:

Table 101: DNS Allowlist Search Parameters

File Name: The name of the DNS allowlist to search for.
Update Time: The DNS allowlist update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the DNS allowlist, and then click Submit to save your changes:

Table 102: Operations Parameters

DNS Allowlist File: File with the DNS allowlist.
1. Click Browse to find the DNS allowlist file you want to import.
2. Click Import to import the file.
Note: The DNS allowlist file should contain text only. Each line of the file has the following format:
<FQDN>, <mode>
where mode is:
• m (manual)
• a (automatic)
Examples:
A. www.example1.com, a
B. www.example2.com, m
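A checker for the import file format just described, added here as an example and not part of DefenseFlow: it reports the line number and the reason for every entry that is not "<FQDN>, <mode>" with mode m or a, so a bad file can be fixed before it is imported and delegated to the scrubbing center. The FQDN rules it applies (label length and characters, at least two labels, an optional trailing dot) are standard host-name syntax assumed by this example; DefenseFlow's own import validation may be stricter or looser.

```python
import re
from typing import List, Tuple

# Modes accepted in the "<FQDN>, <mode>" line format of Table 102.
MODES = {"m": "manual", "a": "automatic"}

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_fqdn(name: str) -> bool:
    """Syntactic check only (no DNS lookup). Requires at least two labels; an assumption of this example."""
    name = name[:-1] if name.endswith(".") else name  # tolerate a trailing root dot
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL_RE.match(label) for label in labels)


def parse_dns_allowlist(text: str) -> Tuple[List[Tuple[str, str]], List[Tuple[int, str]]]:
    """Return (entries, errors): entries are (fqdn, mode) pairs, errors are (line number, reason)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # "The DNS allowlist file should contain text only": reject control characters.
        if any(ord(ch) < 32 or ord(ch) == 127 for ch in line):
            errors.append((lineno, "control characters found; the file must be plain text"))
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            errors.append((lineno, "expected exactly one comma: '<FQDN>, <mode>'"))
            continue
        fqdn, mode = parts[0].lower(), parts[1].lower()
        if not is_valid_fqdn(fqdn):
            errors.append((lineno, f"invalid FQDN {parts[0]!r}"))
            continue
        if mode not in MODES:
            errors.append((lineno, f"mode must be 'm' or 'a', got {parts[1]!r}"))
            continue
        entries.append((fqdn, mode))
    return entries, errors


# Constructed sample file: the two documented examples, one more valid line, and three malformed lines.
SAMPLE_FILE = """www.example1.com, a
www.example2.com, m
api.example1.com,m

bad_host.example.com, a
www.example3.com, x
www.example4.com
"""

if __name__ == "__main__":
    ok, bad = parse_dns_allowlist(SAMPLE_FILE)
    for fqdn, mode in ok:
        print(f"{fqdn:24} {MODES[mode]}")
    for lineno, reason in bad:
        print(f"line {lineno}: {reason}")
```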

Operations
An operation is a set of actions to be performed on provisioning, attack detection, or manually. It is
the building block for a security operation workflow.
Use the Operations pane to view, configure, or delete operations. The initial view displays existing
operations and lets you search for a specific operation.

To configure an operation

1. In the Configuration perspective, select Security Settings > Operations.
2. To add or edit an operation, do one of the following:
— To add an operation, click the (Add) button.
— To edit an operation, do one of the following:
• Highlight the operation and click the (Edit) button.
• Search for the operation by typing a string in one of the operation search fields and clicking the (Search) button:

Table 103: Operations Search Parameters

Name: The name of the operation to search for.
Description: String to search for in the operation description.
Operation Type: The operation type to search for.
Values: Mitigation, Traffic Blocking, Custom
Diversion Protocol: The diversion protocol to search for.
Values: BGP, BGP FlowSpec
Use Mitigation Device/Network Element Connectivity: The Use Connectivity setting to search for.
Values: Enabled, Disabled
Update Time: The operation update time to search for.
Mitigation Group: The mitigation group name to search for.
L7 Signature HTTP Response Type: The Layer 7 signature HTTP response type to search for.
Blocking Group: The blocking group name to search for.

To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the operation, and then click Submit to save your changes:

Note: DefenseFlow has predefined operations that can be used as is, modified, or referenced for the creation of new operations. Some of these operations are used by the predefined workflows (see Workflows, page 251). The following are the predefined operations:

AlwaysOnMitigateOnly: Provision mitigation on a group of DefensePro devices.
OutOfPathDivertMitigateInject: Provision mitigation and injection on a group of mitigation devices and divert the traffic to them from a Tier1 network element group.
SmarTapDetection: Provision mitigation on a group of DefensePro devices connected in tap mode.
SmarTapDivertInject: Provision injection on the DefensePro tap devices.
BlackHoleDivert: Divert traffic from a Tier1 network element group to a BGP black-hole address.
BgpFlowSpecBlock: Block traffic with a FlowSpec block operation on a Tier1 network element group.

Table 104: Operations Parameters

Name: Name of the operation.
Note: The operation name cannot contain the & (ampersand), < or > (angle brackets), or " (double quote) characters.
Description: Description of the operation.
Operation Type: The type of operation.
Values:
• Mitigation — Displays the mitigation parameters. See Table 105 - Operations Mitigation Parameters, page 239.
• Traffic Blocking — Displays the traffic blocking parameters. See Table 106 - Operations Traffic Blocking Parameters, page 243.
• Custom — Displays the custom operation parameters, including the Custom Type parameter from which you select the type of custom operation to define.
Default: Mitigation
Custom Type: This drop-down list is displayed if you selected the Custom operation type. Select the custom operation you want to define.
Values:
• External Custom Operation — Displays the custom operation parameters with which you can customize your own operation using any type of programming language. For a description of these parameters, see Table 107 - External Custom Operations Parameters, page 244.
• BigSwitch Routing — Select this operation type if you are using BigSwitch routing as your diversion control element (see Table 2230 - Network Elements Parameters, page 3115). Displays the Diversion Group parameter (for a description of this parameter, see Table 105 - Operations Mitigation Parameters, page 239).
• DefensePro ACLs — Select this operation type if you are using DefensePro Access Control Lists for mitigation. Displays the Mitigation Group parameter (for a description of this parameter, see Table 105 - Operations Mitigation Parameters, page 239).
Default: Mitigation

Table 105: Operations Mitigation Parameters

Actions: Mitigation actions to be performed by the operation. You can select multiple actions.
Values:
• Divert — DefenseFlow initiates traffic diversion.
• Mitigate — DefenseFlow configures the DefensePro mitigation devices with the security policy. Not relevant for third-party mitigation devices.
• Inject Clean Traffic — DefenseFlow configures the DefensePro mitigation devices with the clean traffic injection configuration. Not relevant for third-party mitigation devices.
Default: No action is selected (report only)

Table 105: Operations Mitigation Parameters (cont.)

Diversion
Diversion Group: The network element diversion group from which the diversion of traffic is initiated. With BGP diversion, these groups receive the BGP announcements.
Note: This is relevant only if DefenseFlow is configured to initiate the diversion (Divert action), or if mitigation (Mitigate action) and the Use Connectivity diversion option are both selected.
Do one of the following:
• Select the network element or network element group from the set of available groups defined in DefenseFlow.
• To use and edit one of the network element groups, select the network element group and click the (Edit) button. This opens the Add Network Elements Group pane. For more information, see Network Elements Groups, page 216.
• To add and use a new network element group, click the (Add) button. This opens the Add Network Elements Group pane. For more information, see Network Elements Groups, page 216.
Diversion Protocol: The diversion protocol to use.
Values:
• BGP — Use the standard BGP protocol.
• BGP FlowSpec — Use the BGP FlowSpec protocol.
Default: BGP
BGP FlowSpec (available only if the Diversion Protocol is set to BGP FlowSpec): The BGP FlowSpec rule to use for the diversion protocol. Select from the list of BGP FlowSpec rules you have defined (see BGP FlowSpec Rules, page 226).
Diversion Options: Diversion actions to take.
• Use Mitigation Device/Network Element Connectivity — Assigns mitigation devices per network element in a diversion group according to the configured connectivity.
• Divert Entire Protected Object Network — Diverts all the protected object networks even if only a single IP address is attacked.
• Use the Protected Object Next Hop — For BGP diversions only, diverts to the next hop of the operation's relevant protected object, if defined (see Table 116 - Protected Object Parameters, page 259). Select the Primary or Secondary next hop.
Default: Use Connectivity
BGP Community
Include the Protected Object BGP Community: Whether the BGP Community of the protected object is included in the operation.

Table 105: Operations Mitigation Parameters (cont.)

Operation BGP Community: The BGP community values to be sent to the diversion groups that should receive them per the operation. In addition to the protected object's communities, multiple communities can be configured, separated by a space.
Well-known communities can also be defined, including NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, and NOPEER.
AS Path: The AS-Paths to be used as part of the operation's BGP advertisements. You can specify multiple AS-Paths delimited by a space or a comma.
Examples:
A. 100 200 300 400 600 400 500
B. 400, 500
Include the protected object AS Path: Merge the AS-Paths of the relevant protected object, if defined (see Table 116 - Protected Object Parameters, page 259), with the operation's AS-Paths.
Example: If the operation's AS-Paths are 100, 200, 300, and the relevant protected object's AS-Paths are 200, 300, 400, the merged AS-Paths are 100, 200, 300, 200, 300, 400.
Advanced
Minimum IPv4 Advertised Subnet: The minimum IPv4 advertised subnet.
Values:
Default: 32
Minimum IPv6 Advertised Subnet: The minimum IPv6 advertised subnet.
Values:
Default: 128
Mitigation
Security Template: The security template used to perform mitigation. Select from the configured list of security templates or click the (Add) button to open the Add Template pane. For more information, see Security Templates, page 224.
Geolocations: The geolocation or Geolocation feed group to either allow or block when performing mitigation. Select from the list a geolocation or Geolocation feed group to allow or block (for more information, see Geolocation Feed Group, page 235).
The geolocation setting is only used if the mitigation action is selected.
Default: No geolocation or Geolocation feed group is selected and all geolocations are allowed
Blocklist: The filter list or filter list group to be used as the blocklist when performing mitigation. Select from the configured list of filter lists or filter list groups (see Filters, page 233).
The blocklist is only used if the mitigation action is selected.
Default: No list is defined

Table 105: Operations Mitigation Parameters (cont.)

Allowlist: The filter list or filter list group to be used as the allowlist when performing mitigation. Select from the configured list of filter lists or filter list groups (see Filters, page 233).
The allowlist is only used if the mitigation action is selected.
Default: No list is defined
DNS Allowlist: The DNS allowlist to be enforced by DefensePro when performing mitigation. DefenseFlow blocks incoming DNS requests that do not match the allowlist.
Select from the configured list of DNS allowlists (see DNS AllowList, page 236).
The DNS allowlist is only used if the mitigation action is selected.
Default: No list is defined
Mitigation Group: The name of the mitigation device or mitigation device group that performs mitigation. Select from the configured list of mitigation groups (see Mitigation Devices Groups, page 222).
Delegate from Detector: This parameter is relevant only if the detection method for the protected object is DPaaD.
Select this if delegation is to be performed from the detector device to the mitigation device group that performs the mitigation. Selecting this copies the policy and baselines from the detector DefensePro to the selected mitigation device.
In a DPaaD deployment, DefenseFlow may trigger a single alert that may represent a Layer 7 event, such as signature matching. DefenseFlow can identify this new alert type (an occur event) and act upon it. By default, this feature is disabled. To enable it, use the following CLI command:
configuration-set -name dfc.attack.detection.defensepro.occur.enabled -value true
Granular Mitigation: Select if granular mitigation is to be performed. If you do not select this option, the operation is performed on the entire protected object and not based on any granular detection settings. For more information on granular detection settings, see Detection, page 248.
Default: Enabled
Save and Reuse DefensePro Baselines: Select this if you want to automatically provision the detector DefensePro baseline based on previous learning periods.
Default: Disabled
Block Source IP Address using L3 Block List: Select this if you want to block all incoming traffic from a specific source IP address towards a specific protected object.
Default: Disabled
Table 105: Operations Mitigation Parameters (cont.)

Block Source IP Address using L7 Signature: When AppWall is deployed behind a CDN, the Layer 4 source address does not identify the real source IP address of the sender. To block the sender, a Layer 7 signature must be provisioned in DefensePro. This signature contains the real source IP address as part of the XFF HTTP header field.
When enabled, select the response type from the list of Layer 7 signature HTTP response types.
Values:
• HTTP_DROP
• HTTP_200_OK
• HTTP_200_OK_REST_DEST
• HTTP_403_FORBIDDEN
• HTTP_403_FORBIDDEN_REST_DEST
Default: Disabled
Mitigation Route Name: The route name for this mitigation. Select one of the routes that you defined for mitigation devices. For more information on configuring routes, see Mitigation Devices, page 218.

Table 106: Operations Traffic Blocking Parameters

Blocking
Blocking Group: The network elements group that performs the traffic blocking. Select from the list of configured network elements groups (see Network Elements Groups, page 216).
BGP FlowSpec: The BGP FlowSpec rule to use for the diversion protocol. Select from the list of BGP FlowSpec rules you have defined (see BGP FlowSpec Rules, page 226).
BGP Community
Include the Protected Object BGP Community: Whether the BGP Community of the protected object is included in the operation.
Operation BGP Community: The BGP community values to be sent to the diversion groups that should receive them per the operation. In addition to the protected object's communities, multiple communities can be configured, separated by a space.
Well-known communities can also be defined, including NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, and NOPEER.
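The Operation BGP Community and AS Path parameters in Tables 105 and 106 combine the operation's values with the protected object's whenever the corresponding Include option is set. The following is an added example, not DefenseFlow code, that applies those rules so the resulting advertisement attributes can be checked before an operation is used: AS paths are concatenated without de-duplication, exactly as in the Table 105 example, and the well-known community names are mapped to their RFC 1997 and RFC 3765 values. The ASN:value notation for ordinary communities and the de-duplication of the community set are this example's own assumptions.

```python
import re
from typing import Iterable, List

# Well-known communities named in Tables 105/106, with their RFC 1997 / RFC 3765 values.
WELL_KNOWN_COMMUNITIES = {
    "NO_EXPORT": 0xFFFFFF01,
    "NO_ADVERTISE": 0xFFFFFF02,
    "NO_EXPORT_SUBCONFED": 0xFFFFFF03,
    "NOPEER": 0xFFFFFF04,
}
_NAME_BY_VALUE = {value: name for name, value in WELL_KNOWN_COMMUNITIES.items()}
_STD_COMMUNITY_RE = re.compile(r"^(\d{1,5}):(\d{1,5})$")


def parse_as_path(text: str) -> List[int]:
    """AS numbers 'delimited by a space or a comma' (Table 105); order is preserved."""
    path = []
    for token in re.split(r"[\s,]+", text.strip()):
        if not token:
            continue
        if not token.isdigit() or not 1 <= int(token) <= 4294967295:
            raise ValueError(f"invalid AS number {token!r}")
        path.append(int(token))
    return path


def merge_as_paths(operation_path: List[int], po_path: List[int], include_po: bool) -> List[int]:
    """'Include the protected object AS Path' appends the PO path to the operation path.
    As in the page's example, repeats are kept: 100 200 300 + 200 300 400 -> 100 200 300 200 300 400."""
    return list(operation_path) + (list(po_path) if include_po else [])


def parse_community(token: str) -> int:
    """A well-known name or ASN:value (the ASN:value notation is an assumption of this example)."""
    name = token.upper()
    if name in WELL_KNOWN_COMMUNITIES:
        return WELL_KNOWN_COMMUNITIES[name]
    m = _STD_COMMUNITY_RE.match(token)
    if not m:
        raise ValueError(f"unrecognised community {token!r}")
    asn, local = int(m.group(1)), int(m.group(2))
    if asn > 65535 or local > 65535:
        raise ValueError(f"community fields must fit in 16 bits: {token!r}")
    return (asn << 16) | local


def format_community(value: int) -> str:
    """Render a 32-bit community back as its well-known name or as ASN:value."""
    return _NAME_BY_VALUE.get(value, f"{value >> 16}:{value & 0xFFFF}")


def build_communities(operation_text: str, po_communities: Iterable[str], include_po: bool) -> List[str]:
    """Communities sent with the advertisement: the operation's space-separated list plus, when
    'Include the Protected Object BGP Community' is set, the PO's own. Duplicates are dropped,
    which is this example's choice (BGP carries the attribute as a set)."""
    tokens = operation_text.split()
    if include_po:
        tokens += list(po_communities)
    seen, out = set(), []
    for value in (parse_community(t) for t in tokens):
        if value not in seen:
            seen.add(value)
            out.append(format_community(value))
    return out


if __name__ == "__main__":
    # AS path values are the page's example; the PO communities are constructed.
    print(merge_as_paths(parse_as_path("100, 200, 300"), parse_as_path("200, 300, 400"), True))
    print(build_communities("65000:100 NO_EXPORT", ["65000:100", "65000:666"], True))
```

A repeated AS number in the merged path is ordinary path prepending and is accepted by routers; what this check catches is an AS path or community string that DefenseFlow would reject or a well-known community typed in the wrong form.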

Table 107: External Custom Operations Parameters

You can customize your own operation using any type of programming language. DefenseFlow ensures that the new customized operation is activated when the rule criteria are met in the workflow engine.
Each custom operation is associated with a Web service. You can use your own Web server for the implementation.
For easy implementation, you can use and modify a ready-made example stub that implements a customized operation that sends an e-mail with all the operation-received arguments. For more details on using this stub, contact Radware Technical Support.
Note: Radware recommends deploying the Web server on a dedicated external VM and not on the DefenseFlow VM.
Custom URL: URL of the remote server where the custom operation resides. When you set the custom URL, DefenseFlow performs a callback to the remote server using the /protection_stop and /protection_start suffixes as required.
Examples:
A. For HTTP: If the URL configuration is http://10.183.159.159:5000/rest, DefenseFlow performs a callback to http://10.183.159.159:5000/rest/protection_start/ when the operation is activated (Entry Criteria), and to http://10.183.159.159:5000/rest/protection_stop/ when the operation is deactivated (Exit Criteria).
B. For HTTPS: If the URL configuration is https://10.183.159.159:443/rest, DefenseFlow performs a callback to https://10.183.159.159:443/rest/protection_start/ when the operation is activated (Entry Criteria), and to https://10.183.159.159:443/rest/protection_stop/ when the operation is deactivated (Exit Criteria).
For the custom operations callback definition details, see Table 108 - Custom Operations Callback Definition, page 245.
Note: You can also define a custom operation through the DefenseFlow REST API (see the POST /config/Operations/add REST API call in the REST API Guide at http://webhelp.radware.com/DefenseFlow/REST/3_40_00/index.html).
Remote server authentication user: (optional) Remote server username.
Remote server authentication password: (optional) Remote server password.
Confirm Remote server authentication password: (optional) Remote server password confirmation.

Table 108: Custom Operations Callback Definition

Callback URL: https://Remote_IP:port/protection_start
• Callback Description — The REST call that is invoked by DefenseFlow upon activation of the operation.
• Callback Arguments:
— id: The protected object ID.
— name: The protected object name.
— awsLoadBalancerType: Not applicable.
— networksDetails: The entire set of PO networks.
— excludedNetworks: The PO networks excluded from detection.
— granularThresholds: Whether the PO uses granular threshold detection: true, false
— granularBdos: Whether the PO uses granular BDoS detection: true, false
— awsUseCdn: Not applicable.
— requiredMetricsAzure: Not applicable.
— azureResourceType: Not applicable.
— loadBalancerRequiredMetrics: Not applicable.
— cdnRequiredMetrics: Not applicable.
— actionMode: The protected object action mode.
— operationName: The activated operation name.
— pulseId: The unique ID of the activation.
— workflowName: The PO workflow name.
— enterCriteria: The workflow enter criteria.
— exitCriteria: The workflow exit criteria.
— attackBitsPerSecond: The attack volume.
— activatedNetworks: The attacked networks.
— sequence: The attack sequence number that the attack uses or used.
• Callback HTTP return codes:
— 200 — OK
— Other — ERROR
Table 108: Custom Operations Callback Definition (cont.)

Callback URL: https://Remote_IP:port/protection_start (continued)
Callback example:
2018-06-25 20:42:00,368 | INFO | Custom operation REST starting http://192.168.1.30:80//protection_start with data:
{
  "protectedObjectInfo" : {
    "id" : 461,
    "name" : "PO12",
    "awsLoadBalancerType" : "APPLICATION",
    "networksDetails" : {
      "networks" : [ {
        "ip" : "12.0.0.0",
        "prefix" : 24
      } ]
    },
    "excludedNetworks" : {
      "networks" : [ ]
    },
    "granularThresholds" : false,
    "granularBdos" : false,
    "awsUseCdn" : false,
    "requiredMetricsAzure" : [ ],
    "azureResourceType" : "IAAS",
    "loadBalancerRequiredMetrics" : [ ],
    "cdnRequiredMetrics" : [ ]
  },
  "actionMode" : "AUTOMATIC",
  "operationName" : "SRPOperation",
  "pulseId" : 608,
  "workflowName" : "SRPWorkflow",
  "enterCriteria" : "AttackStart",
  "exitCriteria" : "AttackTermination",
  "attackBitsPerSecond" : 10000,
  "activatedNetworks" : {
    "networks" : [ {
      "ip" : "12.0.0.1",
      "prefix" : 32
    } ]
  }
}
2018-06-25 20:42:00,487 | INFO | Custom operation REST done http://192.168.1.30//protection_start
Table 108: Custom Operations Callback Definition (cont.)

Callback URL: https://Remote_IP:port/protection_stop
• Callback Description — The REST call that is invoked by DefenseFlow upon deactivation of the operation.
• Callback Arguments:
— id: The protected object ID.
— name: The protected object name.
— awsLoadBalancerType: Not applicable.
— networksDetails: The entire set of PO networks.
— excludedNetworks: The PO networks excluded from detection.
— granularThresholds: Whether the PO uses granular threshold detection: true, false
— granularBdos: Whether the PO uses granular BDoS detection: true, false
— awsUseCdn: Not applicable.
— requiredMetricsAzure: Not applicable.
— azureResourceType: Not applicable.
— loadBalancerRequiredMetrics: Not applicable.
— cdnRequiredMetrics: Not applicable.
— actionMode: The protected object action mode.
— operationName: The activated operation name.
— pulseId: The unique ID of the activation.
— workflowName: The PO workflow name.
— enterCriteria: The workflow enter criteria.
— exitCriteria: The workflow exit criteria.
— attackBitsPerSecond: The attack volume.
— activatedNetworks: The attacked networks.
• Callback HTTP return codes:
— 200 — OK
— Other — ERROR
Table 108: Custom Operations Callback Definition (cont.)

Callback URL: https://Remote_IP:port/protection_stop (continued)
Callback example:
2018-06-25 20:43:27,604 | INFO | Custom operation REST starting http://192.168.1.30:80//protection_stop with data:
{
  "protectedObjectInfo" : {
    "id" : 461,
    "name" : "PO12",
    "awsLoadBalancerType" : "APPLICATION",
    "networksDetails" : {
      "networks" : [ {
        "ip" : "12.0.0.0",
        "prefix" : 24
      } ]
    },
    "excludedNetworks" : {
      "networks" : [ ]
    },
    "granularThresholds" : false,
    "granularBdos" : false,
    "awsUseCdn" : false,
    "requiredMetricsAzure" : [ ],
    "azureResourceType" : "IAAS",
    "loadBalancerRequiredMetrics" : [ ],
    "cdnRequiredMetrics" : [ ]
  },
  "actionMode" : "AUTOMATIC",
  "operationName" : "SRPOperation",
  "pulseId" : 608,
  "workflowName" : "SRPWorkflow",
  "enterCriteria" : "AttackStart",
  "exitCriteria" : "AttackTermination",
  "attackBitsPerSecond" : 10000,
  "activatedNetworks" : {
    "networks" : [ {
      "ip" : "12.0.0.1",
      "prefix" : 32
    } ]
  }
}
2018-06-25 20:43:27,625 | INFO | Custom operation REST done http://192.168.1.30//protection_stop
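Below is a minimal custom-operation Web service, written for this guide as an illustration; it is not the Radware example stub mentioned in Table 107 and not DefenseFlow code. It derives the two callback URLs from a configured Custom URL as in the Table 107 examples, accepts the /protection_start and /protection_stop callbacks of Table 108, validates the JSON body, and returns 200 only on success, since DefenseFlow treats any other status as an error. The callbacks are assumed to be HTTP POST, the optional remote-server credentials are assumed to be presented as HTTP Basic authentication (the page does not state the scheme), and the sample body is constructed from the logged example above.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any, Dict, Optional, Tuple

START_SUFFIX = "/protection_start"
STOP_SUFFIX = "/protection_stop"


def callback_urls(custom_url: str) -> Tuple[str, str]:
    """Derive the start/stop callback URLs DefenseFlow uses from a configured Custom URL (Table 107)."""
    base = custom_url.rstrip("/")
    return base + START_SUFFIX + "/", base + STOP_SUFFIX + "/"


def handle_callback(path: str, body: bytes) -> Tuple[int, Dict[str, Any]]:
    """Validate one callback and return (HTTP status, JSON-serialisable result).
    DefenseFlow counts only 200 as OK (Table 108), so every validation failure maps to a non-200."""
    route = path.split("?", 1)[0]
    segments = [s for s in route.split("/") if s]  # tolerates '//protection_start' and a trailing '/'
    action = segments[-1] if segments else ""
    if action not in ("protection_start", "protection_stop"):
        return 404, {"error": f"unknown callback {route!r}"}
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, {"error": "body is not valid JSON"}
    po = data.get("protectedObjectInfo") if isinstance(data, dict) else None
    if not isinstance(po, dict) or not isinstance(po.get("id"), int) or "name" not in po:
        return 400, {"error": "missing protectedObjectInfo.id/name"}
    try:
        nets = data.get("activatedNetworks", {}).get("networks", [])
        networks = [f"{n['ip']}/{n['prefix']}" for n in nets]
    except (KeyError, TypeError, AttributeError):
        return 400, {"error": "malformed activatedNetworks"}
    return 200, {
        "action": "start" if action == "protection_start" else "stop",
        "protectedObject": po["name"],
        "pulseId": data.get("pulseId"),
        "operation": data.get("operationName"),
        "attackBitsPerSecond": data.get("attackBitsPerSecond"),
        "networks": networks,
    }


class CustomOperationHandler(BaseHTTPRequestHandler):
    # Set to (user, password) to require the optional remote-server credentials of Table 107.
    # HTTP Basic is assumed here; the page does not state which scheme DefenseFlow uses.
    credentials: Optional[Tuple[str, str]] = None

    def _authorized(self) -> bool:
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(header[6:]).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        expected_user, expected_password = self.credentials
        # constant-time comparison so the check does not leak how much of the secret matched
        return hmac.compare_digest(user, expected_user) and hmac.compare_digest(password, expected_password)

    def do_POST(self) -> None:  # POST is an assumption; the page only shows the URL and the body
        if self.credentials and not self._authorized():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="custom-operation"')
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        status, result = handle_callback(self.path, self.rfile.read(length))
        payload = json.dumps(result).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


# Constructed sample body, built from the protection_start example logged above.
SAMPLE_START_BODY = json.dumps({
    "protectedObjectInfo": {
        "id": 461, "name": "PO12", "awsLoadBalancerType": "APPLICATION",
        "networksDetails": {"networks": [{"ip": "12.0.0.0", "prefix": 24}]},
        "excludedNetworks": {"networks": []}, "granularThresholds": False, "granularBdos": False,
        "awsUseCdn": False, "requiredMetricsAzure": [], "azureResourceType": "IAAS",
        "loadBalancerRequiredMetrics": [], "cdnRequiredMetrics": []},
    "actionMode": "AUTOMATIC", "operationName": "SRPOperation", "pulseId": 608,
    "workflowName": "SRPWorkflow", "enterCriteria": "AttackStart", "exitCriteria": "AttackTermination",
    "attackBitsPerSecond": 10000,
    "activatedNetworks": {"networks": [{"ip": "12.0.0.1", "prefix": 32}]},
}).encode("utf-8")

if __name__ == "__main__":
    # Listens on all interfaces so DefenseFlow can reach it; for the HTTPS form of the Custom URL,
    # terminate TLS in front of this process (reverse proxy) or wrap the server socket with ssl.
    HTTPServer(("0.0.0.0", 5000), CustomOperationHandler).serve_forever()
```

With the block started on a host reachable from DefenseFlow, a Custom URL of http://<host>:5000/rest makes DefenseFlow call /rest/protection_start/ and /rest/protection_stop/ on it; the handler replaces the e-mail of the Radware stub with whatever action the operation should perform, and the 400/404 paths keep a malformed or misrouted call from being reported as a successful activation.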

Detection
Detection should be used to define groups of detection methods and sources to be aggregated as
detectors for the same service.
Use the Detection pane to view, configure, or delete detection configurations. The initial view
displays existing detections and lets you search for a detection.

To configure a detection

1. In the Configuration perspective, select Security Settings > Detection.
2. To add or edit a detection, do one of the following:
— To add a detection, click the (Add) button.
— To edit a detection, do one of the following:
• Highlight the detection and click the (Edit) button.
• Search for the detection by typing a string in one of the detection search fields and clicking the (Search) button:

Table 109: Detection Search Parameters

Name: The name of the detection to search for.
Description: String to search for in the detection description.
Update Time: The detection update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the detection, and then click Submit to save your changes:

Note: My Detection is a predefined detection that is used by the default workflows (see Workflows, page 251). Its parameters are not set, and you should either configure it with the appropriate detectors or replace it in any workflow that is used for a protected object, as required.

Table 110: Detection Parameters

Name: Name of the detection.
Description: Description of the detection.
Document ID: RDWR-DF-V42000_UG2106 249


DefenseFlow Installation and User Guide
DefenseFlow Configuration

Table 110: Detection Parameters (cont.)

Parameter Description
Detectors The set of detectors defined for this detection.

Click the (Add) button to add a detector:


• Type — Select the detector type.
Values:
— BDoS Detector — Use DefenseFlow BDoS detection based on flow
statistics. This checks attacks per an entire network. You can only select
one BDoS detector.
Note: The BDoS Traffic Monitoring reports are populated with data only if
the detector type is set to BDoS Detector. For more information on BDoS
Traffic Monitoring reports, see BDoS Traffic Statistics, page 291.
— DefensePro as Detector — Use DefensePro in always-on or tap
deployment mode for detection. You can select multiple DefensePro as
Detectors (DPaaDs).
In a DPaaD (DefensePro serves as Detector) deployment, DefenseFlow
may trigger a single alert that may represent a Layer 7 event, such as
signature matching. DefenseFlow can identify this new alert type (an
occur event) and act upon it. DefensePro syslog events that include the
occur status are no longer ignored. Instead, DefenseFlow simulates the
attack start, and immediately simulates the attack termination. This
leaves the attack as an active attack if the attack grace period has not
expired.
DefensePro one-time alerts may contain packet anomalies, block lists/
allow lists, and/or signature protection (IPS). By default, one-time alerts
are disabled. Therefore, you should turn it on when required with the
following command:
dfc-core:configuration-set -name dfc.attack.detection.defensepro.occur.enabled -value true
Filtering strings in attack alerts from DefensePro
If required, you can ignore syslog attack alerts based on a specified
regular expression (using the CLI only). This feature is disabled by
default.
a. From the CLI, enable this feature using the following command:
dfc-core:configuration-set -name dfc.attack.detection.ignore.regular.expression.enabled -value true
b. Define the regular expression as required using the following command. Syslog attack
alerts that match this expression are ignored.
dfc-core:configuration-set -name dfc.attack.detection.ignore.regular.expression.pattern -value .*"Behavioral-DoS".*
c. To disable the feature, enter the following command:
dfc-core:configuration-set -name dfc.attack.detection.ignore.regular.expression.enabled -value false

— External Detector — Use an external source of detection signaling. You
can select multiple external detectors.
— FlowDetector — Use Radware DefenseFlow FlowDetector to analyze and use the
network metadata of actual Layer 3-4 session flows received from the control
plane.
— Granular BDoS Detector — This checks attacks per each IP address in the
networks, limited to 5000 networks per the entire DefenseFlow system.
This should be used for servers with static IP addresses that you want to
protect.
— Granular Thresholds Detector — This checks limits for the top 100
networks of the protected object. It should be used for residential
protected objects.
— Thresholds Detector — Use manually-configured thresholds based on flow
statistics. This checks limits for an entire network. You can only select one
threshold detector.
• Type Detector — Based on the detector Type you selected, select a telemetry
source for detection, either a control element (flow statistics source or
external detector) or a DefensePro device.
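As an added example (not Radware's code), the following Python models the effect of the two DPaaD settings described above, the occur-event handling and the ignore regular expression, on a few constructed syslog alert lines. The alert line format, the attack bookkeeping and the grace period value are assumptions made for this example, not DefenseFlow's real schema.

```python
# Added example (not Radware code): models how the two DPaaD settings described above treat
# DefensePro syslog alerts. The alert line format, the attack bookkeeping and the grace
# period value are constructed assumptions for this example, not DefenseFlow's real schema.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class DetectorConfig:
    occur_enabled: bool = False      # dfc.attack.detection.defensepro.occur.enabled
    ignore_enabled: bool = False     # dfc.attack.detection.ignore.regular.expression.enabled
    ignore_pattern: str = ""         # dfc.attack.detection.ignore.regular.expression.pattern
    grace_seconds: int = 60          # attack termination grace period (assumed value)

@dataclass
class Attack:
    name: str
    started: float
    terminated: Optional[float] = None

# Constructed alert shape: status="start|termination|occur" name="<attack name>" ...
ALERT_RE = re.compile(r'status="(?P<status>\w+)"\s+name="(?P<name>[^"]+)"')

def handle_alert(line, now, state, cfg):
    """Apply the ignore filter first, then the status handling; returns the outcome label."""
    if cfg.ignore_enabled and cfg.ignore_pattern and re.search(cfg.ignore_pattern, line):
        return "ignored-by-regex"
    m = ALERT_RE.search(line)
    if not m:
        return "unparsed"
    status, name = m.group("status").lower(), m.group("name")
    if status == "start":
        state[name] = Attack(name, started=now)
        return "started"
    if status == "termination":
        if name in state:
            state[name].terminated = now
        return "terminated"
    if status == "occur":
        if not cfg.occur_enabled:
            return "occur-disabled"      # default behaviour: one-time alerts are dropped
        # Simulated start followed by immediate termination: the attack stays active
        # only as long as the termination grace period has not expired.
        state[name] = Attack(name, started=now, terminated=now)
        return "occur"
    return "unparsed"

def active_attacks(state, now, cfg):
    """Names of attacks still active: not terminated, or terminated within the grace period."""
    return sorted(a.name for a in state.values()
                  if a.terminated is None or now - a.terminated < cfg.grace_seconds)

def simulate(alerts, cfg):
    """Feed (timestamp, line) pairs through the detector; returns (outcomes, attack state)."""
    state = {}
    outcomes = [handle_alert(line, ts, state, cfg) for ts, line in alerts]
    return outcomes, state

# Constructed alert lines (timestamps in seconds), not real DefensePro output.
SAMPLE_ALERTS = [
    (0,  'status="start" name="SYN-Flood" dest=10.1.1.5'),
    (10, 'status="occur" name="Behavioral-DoS" dest=10.1.1.5'),
    (20, 'status="occur" name="HTTP-Signature-Match" dest=10.1.1.5'),
    (30, 'status="termination" name="SYN-Flood" dest=10.1.1.5'),
]
DEFAULT_CFG = DetectorConfig()
TUNED_CFG = DetectorConfig(occur_enabled=True, ignore_enabled=True,
                           ignore_pattern='.*"Behavioral-DoS".*')
```

With the default configuration the two occur alerts are dropped; with both settings enabled the Behavioral-DoS alert is filtered by the regular expression while the signature alert becomes an attack that stays active until the grace period expires.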

Workflows
A workflow is a predefined set of criteria-based security operations that DefenseFlow can perform for
a service on provisioning and upon attack.
Use the Workflows pane to view, configure, or delete workflow configurations. The initial view
displays existing workflows and lets you search for a workflow.

To configure a workflow
1. In the Configuration perspective, select Security Settings > Workflows.
2. To add or edit a workflow, do one of the following:

— To add a workflow, click the (Add) button.


— To edit a workflow, do one of the following:

• Highlight the workflow and click the (Edit) button.


• Search for the workflow by typing a string in one of the workflow search fields and

clicking the (Search) button:

Table 111: Workflow Search Parameters

Parameter Description
Name The name of the workflow to search for.
Description String to search for in the workflow description.

Detection String to search for in the workflow detection method.
To view and/or edit the workflow detection associated with a workflow, select the
link in the Detection column, and the Edit Detection pane for that detection
displays. For more information on detections, see Detection, page 248.
Provisioning String to search for in the workflow operation that is performed upon provisioning
a protected object associated with this workflow.
To view and/or edit the workflow operation associated with a workflow, select the
link in the Provisioning column, and the Edit Operation pane for that operation
displays. For more information on operations, see Operations, page 237.
Update Time The workflow update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the workflow, and then click Submit to save your changes:

Note: DefenseFlow has predefined workflows that can be used as is, modified, or referenced
for the creation of new workflows, as described in the following table:

Workflow Description
AlwaysOnMitigateOnly Provision mitigation (with no diversion) upon provisioning of the protected object
on a device that is either in-line with the traffic or where the diversion is performed manually.
BGPFlowSpecBlock Upon attack detection, activate a BGP FlowSpec rule to block the traffic to the
protected object on the routers.
BlackHoleDivert Divert traffic from a Tier1 network element group to a black-hole address upon
attack detection.
OutOfPathDivertMitigateInject Upon attack detection, configure mitigation and injection on the mitigation
devices and divert the traffic to them from a Tier1 network element group.
SmartTapDetection Provision a policy on the device connected in tap mode for detecting attacks on
the protected object.
SmartTapDivertInject Upon attack detection, divert the traffic to the mitigation device and configure
clean traffic injection on the mitigation device.

Table 112: Workflow Parameters

Parameter Description
Name Name of the workflow.
Description Description of the workflow.
Detection Select a detection method to associate with this workflow. This is a group of
detections that is configured using the Detection pane (see Detection, page 248)
Provisioning Select an operation to be performed upon provisioning of a protected object
associated with this workflow. The operation is configured using Operation pane
(see Operations, page 237).

Workflow Rules The set of criteria-based operation rules for the workflow.

Click the (Add) button to add a workflow rule:


• Enter Criteria — The enter criteria for the workflow. DefenseFlow starts the
operation if the criteria are met on detection.
• Enter Criteria User Action Mode — User action mode for the enter criteria.
Values:
— Automatic — DefenseFlow performs the chosen operation based on the
enter criteria.
— User Confirmation — When the enter criteria are met, the operator is
prompted to confirm activating the defined operation or to choose
another operation.
• Exit Criteria — The exit criteria for the workflow. DefenseFlow stops the
operation if the criteria are met.
• Exit Criteria User Action Mode — User action mode for the exit criteria.
Values:
— Automatic — DefenseFlow performs the chosen operation based on the
exit criteria.
— User Confirmation — When the exit criteria are met, the operator is
prompted to confirm activating the defined operation or to choose
another operation.
• Operation — Operation for this workflow rule. This is an operation that is
configured using the Operations pane (see Operations, page 237).
Default: Automatic
For more information on the global configuration of the Action mode, see the
Enable Automatic User Action Mode parameter in Global Settings, page 3189.
For more information on overriding the Workflow Rule Action mode, see the
Override Workflow Action Mode option in Protected Objects, page 258.
The enter and exit criteria comprise a set of conditions with AND or OR operators.
You can define the same criteria with multiple operations. DefenseFlow performs
all operations that meet the operation’s criteria. See Workflow Rule Conditions:
Events, page 254 for the list of possible conditions.

Table 113: Workflow Rule Conditions: Events

Parameter Description
Workflow Rules The following are the set of possible workflow rule events:
• AttackStart — The start of attack condition is implicit in enter criteria. It is
required only if it is the only condition.
• AttackTermination — The termination of attack condition cannot be combined
with any other condition (that is, you cannot have an AttackTermination
condition AND an attackx condition).
• ProvisionEnd — Performs an operation when removing a service.
• ProvisionStart — Performs an operation on provisioning of a protected object
in addition to the operation defined in the Provisioning parameter. This can
be used if multiple operations on provisioning are required.
• ActiveOperationsChange — This event is triggered when an event is activated
or at the termination of an operation.
Note: This event is triggered by a protection, regardless of the detection
status. For example, the event is triggered whether the operation was
activated manually or automatically due to syslog detection.
• TimeTriggerEnabled — Event based on the absolute and relative time. For
example, you can define the entry criteria to be activated from between
08:00 and 09:00, or the exit criteria to be activated only after 30 minutes
have passed from the operation termination.
Example 1 (Enter Criteria): TimeTriggerEnabled AND (TIME>=17:00 OR
TIME <= 09:00)
Example 2 (Exit Criteria): TimeTriggerEnabled AND TIME > 09:00 AND
TIME < 17:00
• OperationTerminated — Event to terminate an operation when another
operation is terminated.
Example: OperationTerminate and Operation = AnotherOperation

Table 114: Workflow Rule Conditions: Conditions

Parameter Description
Workflow Rules The following are the set of possible workflow rule conditions:
• AttackDestination — Condition based on the attacked destination. Supported
operators: =, !=, in, not in
Example: AttackDestination in 1.2.3.0/24
• AttackSource — Condition based on the attack source IP address.
Example: AttackSource 5.5.5.0/24
• AttackPrefix — Condition based on the attack destination prefix.
Example: AttackPrefix = 32
• AttackBandwidth — Condition based on the size of an attack, in bits per
second. Supported operators: >, <, >=, <=
This condition is only available during an attack, unlike the TrafficBandwidth,
which can also be used in peacetime. This condition can be used to defend
against attack escalation.
Example: AttackBandwidth > 2G
• AttackRate — Condition based on packets per second. Supported operators: >,
<, >=, <=
Example: AttackRate >1000 AND AttackBandwidth < 5m
Note: If granular detection is enabled, you should not set the AttackRate
as either the Enter or Exit Criteria. Because granular detection only handles
sampled events and ignores ongoing events, the workflow is ignored even
if the workflow conditions are met.
Therefore, only set the AttackRate as the Enter or Exit Criteria when granular
detection is disabled.
• TrafficBandwidth — Condition based on the traffic bandwidth, in bits per
second. It does not require combining with an AttackStart condition.
This condition is used in Flow Collector and DPaaD deployments. In these
deployments, the detection elements constantly update DefenseFlow with the
current traffic bandwidth. As a result, this condition can be used even in
peacetime, unlike the AttackBandwidth condition, which is only available
during an attack.
Valid values:
— n — bps (bits per second)
— nK — kbps (kilobits per second)
— nM — mbps (megabits per second)
— nG — gbps (gigabits per second)
— nT — tbps (terabits per second)
Example: TrafficBandwidth > 100 (meaning 100 bps)
Example: TrafficBandwidth > 2G (meaning 2 gbps)
Note: If granular detection is enabled, you should not set the
TrafficBandwidth as either the Enter or Exit Criteria. Because granular
detection only handles sampled events and ignores ongoing events, the
workflow is ignored even if the workflow conditions are met.

• TrafficRate — Condition based on the traffic rate, in packets per second. It does
not require combining with an AttackStart condition.
Valid values:
— n — pps (packets per second)
— nK — kpps (kilopackets per second)
— nM — mpps (megapackets per second)
— nG — gpps (gigapackets per second)
— nT — tpps (terapackets per second)
Example: TrafficRate > 100 (100 pps)
Note: If granular detection is enabled, you should not set the TrafficRate
as either the Enter or Exit Criteria. Because granular detection only handles
sampled events and ignores ongoing events, the workflow is ignored even
if the workflow conditions are met.
Example: TrafficRate > 2G (2 giga pps)
• AttackProtocol — Condition based on the attack protocol. Supported
operators: =, !=
Example 1: Protocol =
Example 2: (Protocol = OR AttackDestination not in 3.3.3.0/28) AND
AttackBandwidth < 5m
• DetectorName — Condition based on the detector name.
Example: DetectorName = MyExternalDetectorControlElement
• BgpListenerCommunities — Condition based on the BGP Listener Community.
Example: BgpListenerCommunities include 111:222
Note: Do not use in Exit Criteria.
Note: DefenseFlow can be configured to establish BGP connections with
routers over port 179 to send BGP announcements and BGP FlowSpec
rules. Sending a large number of BGP announcements from the routers to
DefenseFlow might cause slow response time in DefenseFlow. Unless you
are using the BGP Listener feature, routers connected to DefenseFlow
should be configured not to send BGP announcements to DefenseFlow.
• ActiveOperations — This condition is based on the set of the current active
operations and activated networks.
Example: ActiveOperations include ScrubbingOperation
• ActiveOperationsSameDestination — Use this condition to check if an
operation is active for the specific network that is triggered, and to decide
whether to start or stop an existing protection based on another operation
that is on that same network.
Example: ActiveOperationsSameDestination include ScrubbingOperation

• ActiveOperationsCopyCat — Use this condition if you want to automatically
trigger OPER2 according to OPER1, as illustrated in the following example:
Example: If OPER1 should automatically trigger OPER2 and use the same
network, use the following criteria in both the Enter Criteria and Exit
criteria fields:
ActiveOperationsChange AND ActiveOperationsCopycat include OPER1
Example: ActiveOperationsCopyCat include ScrubbingOperation
• ProtectionActivePeriod — Time-based termination of protection.
Example 1: If a black hole operation is activated, and you want to terminate
it after two hours, use the following exit criteria:
ProtectionActivePeriod > "2 hours"
• Time — Condition based on the time in HH:MM format. Supported operators:
>, <, >=, <=, =, !=
Example 1: time >= 14:00
Example 2: time != 16:00
• Date — Condition based on the date in YYYY-MM-DD format. Supported
operators: >, <, >=, <=, =, !=
Example 1: date >= 2017-05-21
Example 2: date = 2019-05-05
• Month — Condition based on the month name. Supported operators: >, <,
>=, <=, =, !=
Example 1: month >= January
Example 2: month != December
• Day — Condition based on the day name, where Sunday is the smallest, and
Saturday is the greatest. Supported operators: >, <, >=, <=, =, !=
Example 1: day >= Tuesday
Example 2: day != Monday
• AttackAdditionalDetails — Condition based on the actual syslog message
regular expression matching.
Example: AttackStart and AttackAdditionalDetails match ".*host:.*"
• OperationEnterSuccess — Condition based on the successful completion of
either enter criteria or exit criteria. This is usually used in multiple-tiers
protection.
Example: OperationEnterSuccess=operation1

• SourcePort — Condition based on the source port. Supported operators: >, <,
>=, <=, =, !=
Example 1: SourcePort > 34
• DestinationPort — Condition based on the destination port. Supported
operators: >, <, >=, <=, =, !=
Example 1: DestinationPort > 34
• Fragment — Condition based on whether a packet is fragmented. Supported
operators: =,!=
Example 1: Fragment = true
Example 2: Fragment != true
• tcpflags — Condition based on TCP flags. Supported operators: =,!=
Example 1: tcpflags = syn
Example 2: tcpflags = syn-ack
• DefenseProUp — Condition based on whether DefensePro mitigation devices
are up. Can be a single mitigation device, multiple mitigation devices, a single
mitigation device group, or multiple mitigation groups.
Example 1 (single mitigation device): DefenseProUp = dp1
Example 2 (multiple mitigation devices): DefenseProUp in dp1, dp2, dp3
Example 3 (single mitigation group): DefenseProUp include dp_group1
Example 4 (multiple mitigation groups): DefenseProUp include
dp_group1, dp_group2, dp_group3
• DefenseProDown — Condition based on whether DefensePro mitigation
devices are down. Can be a single mitigation device, multiple mitigation
devices, a single mitigation device group, or multiple mitigation groups.
Example 1 (single mitigation device): DefenseProDown = dp1
Example 2 (multiple mitigation devices): DefenseProDown in dp1, dp2,
dp3
Example 3 (single mitigation group): DefenseProDown include
dp_group1
Example 4 (multiple mitigation groups): DefenseProDown include
dp_group1, dp_group2, dp_group3
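As an added example (not Radware's code), the following Python evaluator implements the workflow rule criteria language described in Tables 113 and 114 and runs the guide's own example criteria against a constructed attack context. The field names, the event dictionary shape and the exact grammar are assumptions for this example; list-valued operands such as "in dp1, dp2, dp3" are not covered.

```python
# Added example (not Radware code): evaluator for the workflow rule criteria language of
# Tables 113 and 114, modelled on the guide's examples. Grammar: cond ((AND|OR) cond)*
# with parentheses; cond := Name | Name op literal | Name in|not in CIDR | Name include item
# | Name match "re"; op in = != > < >= <=; K/M/G/T suffixes on bandwidth/rate; Time is HH:MM.
import ipaddress
import operator
import re
from datetime import time

_UNIT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
_CMP = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
        "<": operator.lt, ">=": operator.ge, "<=": operator.le}
_TOKEN = re.compile(r'\(|\)|"[^"]*"|not\s+in|>=|<=|!=|=|>|<|[^\s()<>=!"]+', re.I)

def parse_quantity(text):
    """'2G' -> 2_000_000_000, '5m' -> 5_000_000; the suffix is case-insensitive."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([kmgt]?)\s*", text, re.I)
    if not m:
        raise ValueError(f"bad quantity: {text!r}")
    return int(float(m.group(1)) * _UNIT[m.group(2).upper()])

class _Parser:
    """Recursive descent over the token list; nodes are tuples: and, or, flag, cmp."""
    def __init__(self, criteria):
        self.toks = _TOKEN.findall(criteria)
    def peek(self):
        return self.toks[0] if self.toks else None
    def take(self):
        if not self.toks:
            raise ValueError("unexpected end of criteria")
        return self.toks.pop(0)
    def chain(self, keyword, operand):       # left-associative keyword chain
        node = operand()
        while self.peek() and self.peek().upper() == keyword:
            self.take()
            node = (keyword.lower(), node, operand())
        return node
    def expr(self):
        return self.chain("OR", lambda: self.chain("AND", self.factor))
    def factor(self):
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        name, nxt = self.take(), self.peek()
        if nxt in _CMP:
            return ("cmp", name, self.take(), self.take())
        if nxt and " ".join(nxt.lower().split()) in ("in", "not in", "include", "match"):
            return ("cmp", name, " ".join(self.take().lower().split()), self.take())
        return ("flag", name)                # e.g. AttackStart, TimeTriggerEnabled

def _literal(name, raw):
    """Convert a literal to the type the event context carries for that field."""
    lname = name.lower()
    if lname.endswith(("bandwidth", "rate")):
        return parse_quantity(raw)
    if lname == "time":
        hh, mm = raw.split(":")
        return time(int(hh), int(mm))
    return raw.strip('"')

def _eval(node, ev):
    kind = node[0]
    if kind == "and":
        return _eval(node[1], ev) and _eval(node[2], ev)
    if kind == "or":
        return _eval(node[1], ev) or _eval(node[2], ev)
    if kind == "flag":
        return bool(ev.get(node[1].lower(), False))
    _, name, op, raw = node
    actual = ev.get(name.lower())
    if actual is None:          # e.g. AttackBandwidth is absent in peacetime
        return False
    if op in ("in", "not in"):
        inside = ipaddress.ip_address(actual) in ipaddress.ip_network(raw, strict=False)
        return inside if op == "in" else not inside
    if op == "include":
        return raw in actual
    if op == "match":
        return re.match(raw.strip('"'), actual) is not None
    return _CMP[op](actual, _literal(name, raw))

def evaluate(criteria, event):
    """True when the criteria hold for the event context; field names are case-insensitive."""
    parser, ev = _Parser(criteria), {k.lower(): v for k, v in event.items()}
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return _eval(tree, ev)

# Constructed attack context standing in for what the detectors would report.
SAMPLE_EVENT = {
    "AttackStart": True, "TimeTriggerEnabled": True, "Time": time(18, 30),
    "AttackDestination": "1.2.3.77", "AttackSource": "5.5.5.9",
    "AttackBandwidth": 3_500_000_000, "AttackRate": 1_200_000,   # 3.5 Gbps, 1.2 Mpps
    "ActiveOperations": ["ScrubbingOperation"],
    "AttackAdditionalDetails": "DefensePro alert host: 1.2.3.77",
}
```

Conditions whose field is absent from the context, such as AttackBandwidth in peacetime, evaluate to false, which is the behaviour the table describes for attack-only conditions.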

Protected Objects
Protected objects are the services you use DefenseFlow to protect.
Use the Protected Objects pane to view, configure, or delete protected objects. The initial view
displays existing objects and lets you search for a specific protected object.

To configure a protected object


1. In the Configuration perspective, select Security Settings > Protected Objects.
2. To add or edit a protected object, do one of the following:

— To add a protected object, click the (Add) button.


— To edit a protected object, do one of the following:

• Highlight the protected object and click the (Edit) button.


• Search for the protected object by typing a string in one of the protected object search

fields and clicking the (Search) button:

Table 115: Protected Object Search Parameters

Parameter Description
Status Status of the protected object to search for.
Name Name of the protected object to search for.
Description String to search for in the protected objects description.
Update Time The protected object update time to search for.

To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the protected object, and then click Submit to save your changes:

Table 116: Protected Object Parameters

Parameter Description
Enable Protected Object Whether the protected object is enabled or disabled.
Default: Enabled
Name Name of the protected object.
Description Description of the protected object.
Protected Networks Tab List of protected networks and their associated edge networks or route tags.
Maximum number of network entries:
• 10,000 for protected objects with an external detector
• 500 for protected objects with Radware’s collector
Note: The total number of networks for all protected objects together is
limited to 250,000.

Click the (Add) button and configure the protected network parameters:
• Use any network address — All networks are protected. By default, it is
selected. When you deselect it, the Network Address(es) text box displays.
• Network Address(es) — List of IPv4 or IPv6 network addresses with a subnet
IP address separated by a comma (“,”). Examples: 10.10.10.0/24,
11.11.11.0/24
• Protected Network Type — Select Edge Network or Route Tag.
• Clean Traffic Injection — This option displays when you select the Protected
Network Type as Edge Network. The edge network element associated with
the protected networks. In a single-entry multiple network, addresses should
all be associated with the same edge network.
• Route Tag — This option displays when you select the Protected Network
Type as Route Tag. The route tag associated with the protected networks.
Select from the list of configured route tags (see Route Tags, page 217).

Security Settings Tab The security policy and workflow for the protected object.
Values:
• Policy Precedence — The precedence that this security policy has in relation to
other security policies, where precedence 1 gets the highest priority, and
precedence None gets the lowest priority. This is relevant for overlapping
protected objects if more than one policy is configured on the DefensePro
device.
Values: 1 – 3, None
Default: None
Each of the policy precedence values represent a range of DefensePro priority
values:
— None — For granular mitigation, 8001 – 16000; for non-granular
mitigation, 1 – 8000
— 1 — For granular mitigation, 56001 – 63999; for non-granular mitigation,
48001 – 56000
— 2 — For granular mitigation, 40001 – 48000; for non-granular mitigation,
32001 – 40000
— 3 — For granular mitigation, 24001 – 32000; for non-granular mitigation,
16001 – 24000
Based on the DefenseFlow precedence you selected, DefenseFlow assigns to
the policy the next available priority number in the precedence range. If the
assigned priority number is the same as for the existing policy in DefensePro,
DefensePro adds 10 to the policy’s priority number so that the policy is
executed as expected.
• Peak Traffic Bandwidth — Peak traffic value to use, in bits per second, in case
of activation when no attack information is available.
• Workflow — The security operation workflow associated with this protected
object. Select from a list of existing workflow, or click the (Add) button
and configure a workflow. For more information, see Workflows, page 251.

• Override Geolocation Operation — If you want this security policy to override
the geolocation operation, select this option.
Select the geolocation or Geolocation feed group to block or allow, then select
the override action:
— Allow — Allow the selected geolocation or Geolocation feed group
(default).
— Block — Block the selected geolocation or Geolocation feed group
(default).
For more information on defining Geolocation feed groups, see Geolocation
Feed Group, page 235.
• Override Workflow Action Mode — If you want this security policy to override
the workflow action mode, select the mode to override from the User Action
Mode drop-down list:
— Automatic — DefenseFlow performs the chosen operation based on the
defined criteria.
— Manual — The operator initiates the operation regardless of any detection.
— User Confirmation — When the operation criteria are met, the operator is
prompted to confirm activating the defined operation or to choose
another operation.
• Update Policy from Security Template — Select this option if you want to
update this security policy from an existing security template. Select the
security template from the Security Template drop-down list, or click the
(Add) button and configure a new security template (see Security
Templates, page 224).
Note: If this check box is selected, the Policy text box is grayed out, and
you cannot edit the security template from within the Protected Object, but
only from the Security Templates node (see Security Templates,
page 224).
• Override Default Attack Termination Grace Period — Select this option if you
want this security policy to override the default number of seconds for the
attack termination grace period.
• Policy — This option is only available in Edit mode. If you want to update the
Security Settings based on a different Security Template, click Update policy
from security template. The policy text displays in the Policy text box,
which you can edit as needed. The policy text includes DefensePro traffic
filters.
You can resize the text box as required by dragging the icon at the bottom
right-hand corner of the scroll bar.
Maximum number of characters: 1,000,000

Global Manual Thresholds Tab The global manual thresholds for the protected object. This is relevant
only if DefenseFlow receives the traffic statistics for the protected object (with the
workflow detection that includes manual threshold protection).
Using manual thresholds is optional and can be used in addition to other
detections. Each pair of thresholds for activation and termination can be
configured regardless of other thresholds. An attack is reported when traffic
exceeds the activation thresholds and is terminated when traffic recedes from the
termination threshold.
Thresholds are specified in bits per second (bps) and packets per second (pps),
respectively. You can specify units for the value. For example: 50m, 10k
Values:
• Activation IPv4 — Manually set the bps and pps for this threshold.
• Activation IPv6 — Manually set the bps and pps for this threshold.
• UDP Activation IPv4 — Manually set the bps and pps for this threshold.
• UDP Activation IPv6 — Manually set the bps and pps for this threshold.
• ICMP Activation IPv4 — Manually set the bps and pps for this threshold.
• ICMP Activation IPv6 — Manually set the bps and pps for this threshold.
• Other IP Activation IPv4 — Manually set the bps and pps for this threshold.
• Other IP Activation IPv6 — Manually set the bps and pps for this threshold.
• Total Activation IPv4 — Manually set the bps and pps for this threshold.
• Total Activation IPv6 — Manually set the bps and pps for this threshold.
• Termination IPv4 — Manually set the bps and pps for this threshold.
• Termination IPv6 — Manually set the bps and pps for this threshold.
• UDP Termination IPv4 — Manually set the bps and pps for this threshold.
• UDP Termination IPv6 — Manually set the bps and pps for this threshold.
• ICMP Termination IPv4 — Manually set the bps and pps for this threshold.
• ICMP Termination IPv6 — Manually set the bps and pps for this threshold.
• Other IP Termination IPv4 — Manually set the bps and pps for this threshold.
• Other IP Termination IPv6 — Manually set the bps and pps for this threshold.
• Total Termination IPv4 — Manually set the bps and pps for this threshold.
• Total Termination IPv6 — Manually set the bps and pps for this threshold.

Granular Manual Thresholds Tab The granular manual thresholds for the protected object. This is relevant
only if DefenseFlow receives the traffic statistics for the residential protected objects
(with the workflow detection that includes manual threshold protection).
Using granular manual thresholds is optional and can be used in addition to other
detections. Each pair of thresholds for activation and termination can be
configured regardless of other thresholds. An attack is reported when traffic
exceeds the activation thresholds and is terminated when traffic recedes from the
termination threshold.
Thresholds are specified in bits per second (bps) and packets per second (pps),
respectively. You can specify units for the value. For example: 50m, 10k
Values:
• Activation IPv4 — Manually set the bps and pps for this threshold.
• Activation IPv6 — Manually set the bps and pps for this threshold.
• UDP Activation IPv4 — Manually set the bps and pps for this threshold.
• UDP Activation IPv6 — Manually set the bps and pps for this threshold.
• ICMP Activation IPv4 — Manually set the bps and pps for this threshold.
• ICMP Activation IPv6 — Manually set the bps and pps for this threshold.
• Other IP Activation IPv4 — Manually set the bps and pps for this threshold.
• Other IP Activation IPv6 — Manually set the bps and pps for this threshold.
• Total Activation IPv4 — Manually set the bps and pps for this threshold.
• Total Activation IPv6 — Manually set the bps and pps for this threshold.
• Termination IPv4 — Manually set the bps and pps for this threshold.
• Termination IPv6 — Manually set the bps and pps for this threshold.
• UDP Termination IPv4 — Manually set the bps and pps for this threshold.
• UDP Termination IPv6 — Manually set the bps and pps for this threshold.
• ICMP Termination IPv4 — Manually set the bps and pps for this threshold.
• ICMP Termination IPv6 — Manually set the bps and pps for this threshold.
• Other IP Termination IPv4 — Manually set the bps and pps for this threshold.
• Other IP Termination IPv6 — Manually set the bps and pps for this threshold.
• Total Termination IPv4 — Manually set the bps and pps for this threshold.
• Total Termination IPv6 — Manually set the bps and pps for this threshold.

FlowDetector Thresholds Tab The FlowDetector thresholds for the protected object. This is relevant
only if DefenseFlow uses Radware DefenseFlow FlowDetector to analyze and use the network
metadata of actual Layer 3-4 session flows received from the control plane. For more
information, see the latest Radware DefenseFlow FlowDetector User Guide.
Using FlowDetector thresholds is optional and can be used in addition to other
detections. Each activation threshold can be configured regardless of other
thresholds. An attack is reported when traffic exceeds the activation thresholds.
Thresholds are specified in megabits per second (Mbps) and packets per second
(pps), respectively. You can specify units for the value. For example: 50m, 10k
All thresholds apply to both IPv4 and IPv6 traffic.
Values:
• TCP Activation — Manually set the Mbps and/or pps for this threshold.
• UDP Activation — Manually set the Mbps and/or pps for this threshold.
• ICMP Activation — Manually set the Mbps and/or pps for this threshold.
• Total Activation — Manually set the Mbps and/or pps for this threshold.
Advanced Settings Tab Advanced settings for the protected object.
Values:
• BGP Community — The BGP community values to be sent to the diversion
groups that should receive them per the operation. Multiple communities can
be configured separated by a space.
In addition, well-known communities can be also defined, including:
NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, NOPEER
• Primary Next Hop IPv4 — The primary IPv4 next hop that is used instead of
the operation next hop.
• Primary Next Hop IPv6 — The primary IPv6 next hop that is used instead of
the operation next hop.
• Secondary Next Hop IPv4 — The secondary IPv4 next hop that is used instead
of the operation next hop.
• Secondary Next Hop IPv6 — The secondary IPv6 next hop that is used instead
of the operation next hop.
• IPv4 NLRI — When configured, the IPv4 NLRI (Network Layer Reachability
Information) DefenseFlow uses in its BGP advertisements and withdrawals.
• IPv6 NLRI — When configured, the IPv6 NLRI (Network Layer Reachability
Information) DefenseFlow uses in its BGP advertisements and withdrawals.
• AS Path — The AS-Paths to be used as part of the protected object’s BGP
advertisements.
You can specify multiple AS-Paths delimited by a space or a comma.
Examples:
— 100 200 300 400 600 400 500
— 400, 500

Advanced Settings Tab (cont.):
  • Granular DefensePro Detection — Enables Granular DefensePro Detection. This lets you divert a
    more specific CIDR block within the Protected Object’s defined set of protected networks.
    When selected, the following parameters display:
    — Granular Protection Prefix IPv4 — The IPv4 CIDR block that is diverted when the Granular
      Protection Threshold is reached.
    — Granular Protection Prefix IPv6 — The IPv6 CIDR block that is diverted when the Granular
      Protection Threshold is reached.
    — Granular Protection Threshold — The number of destination IP addresses on the same CIDR block
      before the entire diverted prefix size is diverted. Values: 1-2147483647
    Notes:
    — Granular DefensePro Detection is performed when there is a match to the Workflow rule associated
      with the Protected Object and, if you have defined a threshold, when the threshold is met.
    — Granular DefensePro Detection only works when the following Operations parameters (see
      Operations, page 237) are configured with the following values:
      • Divert Entire Protected Object Network — Unselected
      • Minimum IPv4 Advertised Subnet — 32
      • Minimum IPv6 Advertised Subnet — 128
      • Granular Mitigation — Unselected
      If you activate Granular DefensePro Detection for an existing Protected Object and any of these
      parameters are not set to the required values, you receive an error message indicating this.
      If you activate Granular DefensePro Detection when creating a new Protected Object and the
      Granular Protection prefix that you set is smaller than the prefix set for the Protected
      Object, you receive an error message indicating this.
    — Sample syslogs, as well as Occurred syslogs that include Sample syslogs, are not included in the
      Volume and Rate values on the Security Operations dashboard.
    — For this feature, there is no attack termination grace period. Once you receive a Term syslog
      for an ongoing Sample, the attack ends.
    — Granular DefensePro Detection only works with the regular BGP protocol and not with the BGP
      FlowSpec protocol.

Advanced Settings Tab (cont.):
  • Granular DefensePro Detection configuration. There are two configuration options for Granular
    DefensePro protection:
    — Diverting multiple attacks — For this option, only enable Granular DefensePro Detection and do
      not set any of the Granular DefensePro Detection parameters:
      a. If a Start, Sample, or Ongoing syslog for the first attack is issued for one of the
         protected network addresses, /32 diversion is performed on the Protected Object’s defined
         set of protected network addresses.
      b. When subsequent attack IP addresses are detected, /24 diversion is performed on the entire
         set of protected network addresses.
      c. On the Security Operations dashboard, the first attack is listed as /32 diversion, and all
         subsequent attacks are listed individually as /24.
    — Diverting multiple attacks with a threshold for the number of attacks — For this option, you
      set the Granular DefensePro Detection parameters (see the example below):
      a. While the number of attacked IP addresses remains below the Granular Protection Threshold
         that you defined, /32 diversion is performed.
      b. When the number of attacked IP addresses reaches the threshold that you defined, diversion
         is performed according to the Granular Protection Prefix that you defined (IPv4 or IPv6,
         as appropriate).
         Example:
         A Protected Object is defined as 4.4.0.0/16. The Granular Protection Threshold is set to 3.
         The Granular Protection Prefix IPv4 size is set to /24.
         • For the first attack, IP address 4.4.4.2 is under attack: /32 diversion occurs.
         • For the second attack, IP address 4.4.4.3 is under attack: /32 diversion occurs.
         • For the third attack, IP address 4.4.4.4 is under attack: the threshold is met, and /24
           diversion occurs.
      c. On the Security Operations dashboard, all individual attacks up to and including the one
         at which the threshold is met are displayed.
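The two Granular DefensePro Detection options above, as an added example that is not DefenseFlow code: a small Python model that feeds attacked destination IPs through either option and returns the prefix that would be diverted, reproducing the 4.4.0.0/16 walk-through. Class and function names are assumptions, as is the behaviour for a repeated report of an address already counted (it does not count twice) and for a block whose threshold was already met (the block is simply reported again).

```python
"""Model of the Granular DefensePro Detection diversion decisions.

Added example, not DefenseFlow code; all names here are assumptions. Option 1
(no Granular parameters set): first attacked address -> host (/32) route,
later attacked addresses -> /24 block. Option 2 (prefix and threshold set):
host routes until the number of distinct attacked addresses in one granular
block reaches the threshold, then the whole granular block is diverted.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Option 1 widens to /24; the page documents this for IPv4 only, so IPv6
# attacks under option 1 are rejected rather than guessed at.
OPTION1_WIDEN_PREFIX: Dict[int, int] = {4: 24}


class GranularPolicy:
    """Protected Object settings that drive Granular DefensePro Detection."""

    def __init__(self, protected_networks: List[str], prefix_len_v4: Optional[int] = None,
                 prefix_len_v6: Optional[int] = None, threshold: Optional[int] = None) -> None:
        self.networks: List[IPNetwork] = [ipaddress.ip_network(n) for n in protected_networks]
        self.prefix_len: Dict[int, Optional[int]] = {4: prefix_len_v4, 6: prefix_len_v6}
        self.threshold = threshold
        self._validate()

    def _validate(self) -> None:
        # Mirrors the configuration errors the table describes: threshold range
        # (1-2147483647) and a granular prefix wider than the protected network.
        if self.threshold is not None and not 1 <= self.threshold <= 2147483647:
            raise ValueError("Granular Protection Threshold must be 1-2147483647")
        for net in self.networks:
            plen = self.prefix_len[net.version]
            if plen is not None and not net.prefixlen <= plen <= net.max_prefixlen:
                raise ValueError("Granular Protection Prefix /%d is invalid for %s" % (plen, net))

    def check_membership(self, ip: IPAddress) -> IPNetwork:
        """Return the protected network that contains ip, or raise if none does."""
        for net in self.networks:
            if ip in net:
                return net
        raise ValueError("%s is outside the Protected Object's networks" % ip)


class GranularDiverter:
    """Tracks attacked addresses and decides which prefix each new report diverts."""

    def __init__(self, policy: GranularPolicy) -> None:
        self.policy = policy
        self.attacked_hosts: Set[IPAddress] = set()
        self.attacked_per_block: Dict[IPNetwork, Set[IPAddress]] = {}
        # Rows as the Security Operations dashboard lists them: (attacked IP, diverted prefix)
        self.dashboard: List[Tuple[str, str]] = []

    def on_attack(self, attacked_ip: str) -> IPNetwork:
        """Handle one Start/Sample/Ongoing report and return the prefix to divert."""
        ip = ipaddress.ip_address(attacked_ip)
        self.policy.check_membership(ip)
        host = ipaddress.ip_network("%s/%d" % (ip, ip.max_prefixlen))
        if self.policy.threshold is not None:
            diverted = self._threshold_decision(ip, host)
        else:
            diverted = self._multi_attack_decision(ip, host)
        self.attacked_hosts.add(ip)
        self.dashboard.append((str(ip), str(diverted)))
        return diverted

    def _multi_attack_decision(self, ip: IPAddress, host: IPNetwork) -> IPNetwork:
        # Option 1: host route while this is the only attacked address; any further
        # attacked address widens to the /24 block containing it.
        if not (self.attacked_hosts - {ip}):
            return host
        widen = OPTION1_WIDEN_PREFIX.get(ip.version)
        if widen is None:
            raise ValueError("no documented option-1 prefix size for IPv%d" % ip.version)
        return ipaddress.ip_network("%s/%d" % (ip, widen), strict=False)

    def _threshold_decision(self, ip: IPAddress, host: IPNetwork) -> IPNetwork:
        # Option 2: distinct attacked addresses are counted per granular block; the
        # block is diverted once the count reaches the Granular Protection Threshold.
        plen = self.policy.prefix_len[ip.version]
        if plen is None:
            raise ValueError("Granular Protection Prefix IPv%d is not configured" % ip.version)
        block = ipaddress.ip_network("%s/%d" % (ip, plen), strict=False)
        attacked = self.attacked_per_block.setdefault(block, set())
        attacked.add(ip)
        return block if len(attacked) >= self.policy.threshold else host


def run_page_example() -> List[Tuple[str, str]]:
    """The table's worked example: 4.4.0.0/16, threshold 3, IPv4 prefix /24."""
    diverter = GranularDiverter(GranularPolicy(["4.4.0.0/16"], prefix_len_v4=24, threshold=3))
    for attacked_ip in ("4.4.4.2", "4.4.4.3", "4.4.4.4"):
        diverter.on_attack(attacked_ip)
    return diverter.dashboard
```

Attacks on a second /24 block are counted separately from the first, so an address in 4.4.9.0/24 still gets a host route while 4.4.4.0/24 is approaching its threshold.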

Monitoring
The Monitoring perspective lets you view system information and statistics, and the operation of
protected objects, in real time.
It includes the following:
• Operation, page 266

Operation
The Operation pane lets you manage protected objects and manually activate them using the
Protected Objects pane.
It includes the following panes:
• Protected Objects, page 268

• BGP, page 272

The Mitigation Devices pane lets you monitor the status of mitigation devices.

To monitor mitigation devices

1. In the Monitoring perspective, select Operation > Mitigation Devices.
2. Highlight the mitigation device, or search for the mitigation device by typing a string in one of
   the mitigation device search fields and clicking the Search button:

Table 117: Mitigation Devices View/Search Parameters

Name: The name of the mitigation device.
  To view and/or edit a mitigation device, select the link in the Name column, and the Edit
  Mitigation Device pane for that mitigation device displays. For more information on mitigation
  devices, see Mitigation Devices, page 218.
  Note: Any modification you make is deployed immediately on the mitigation device.
Operational Status: The operational status of the mitigation device.
CPU Utilization: Percent of the CPU utilization of the mitigation device.
BW Utilization (Gbps): Percent of the bandwidth utilization of the mitigation device.
  Value: percentage_utilized (bandwidth_utilized/total_bandwidth)
  Example: 5.0% (3.00/60.00)
  In this example, 5.0% of the total bandwidth (60.00 Gbps) is utilized (3.00 Gbps).
Policies Utilization: Percent of the policies table utilization of the mitigation device.
Filter List Utilization: Percent of the filter list utilization of the mitigation device.
Managed: Whether the mitigation device is managed.
  Values: true, false
Update Time: Last monitored update time.
Last Error: The last device access error that was issued.
  Examples:
  • Authentication error
  • Unable to connect to the mitigation device

Geo Feed Status: Geolocation Feed status:
  • Active — The Geolocation Feed on the DefensePro mitigation device is active.
  • Inactive — The Geolocation Feed on the DefensePro mitigation device is inactive.
  Default: Active

To clear the filter and perform a new search, click Clear next to the Search button.

Protected Objects
The Protected Objects pane lets you monitor protected objects and manually activate them.

To monitor protected objects

1. In the Monitoring perspective, select Operation > Protected Objects.
2. Highlight the protected object, or search for the protected object by typing a string in one of
   the protected object search fields and clicking the Search button:

Table 118: Protected Object View/Search Parameters

Name: The name of the protected object.
  To view and/or edit a protected object, select the link in the Name column, and the Edit Protected
  Object pane for that protected object displays. For more information on protected objects, see
  Protected Objects, page 56.
  Note: If the protected object is under protection and you modify an attribute that conflicts with
  the ongoing protection, the change is performed only at the next activation of the protected
  object.
  If you want a modification that affects an ongoing protection to take effect immediately, make
  the modification from the Edit feature in the Security Operations Protected Objects Full View
  pane. For more information, see Table 2134 - Full View Parameters — Current Detection Events and
  Operations on Protected Objects, page 18.
Detection Status: The detection status of the protected object.
  Values:
  • Learning — DefenseFlow learns protected object baselines.
  • Normal — No attack is currently detected for the protected object.
  • Attacked — The protected object is under attack.
Action Status: The action status of the protected object.
  Values:
  • Active — The configured actions are active. This means that the action specified for the
    protected object is now enabled. The action can be enabled automatically or manually.
  • Not Active — The configured actions are currently not active.

Pending Action: The pending action waiting for confirmation for a protected object that is in User
  Confirmation mode.
  Values:
  • Activate — An attack was detected for the protected object. The user can confirm activation of
    the configured actions.
  • Deactivate — The attack was terminated. The user can confirm deactivation of the active
    actions.
Workflow: The workflow associated with the protected object.
  To view and/or edit a workflow associated with a protected object, select the link in the
  Workflow column, and the Edit Workflow pane for that workflow displays. For more information on
  workflows, see Workflows, page 129.
  If you want a modification that affects an ongoing protection to take effect immediately, make
  the modification from the Edit feature in the Security Operations Protected Objects Full View
  pane. For more information, see Table 2134 - Full View Parameters — Current Detection Events and
  Operations on Protected Objects, page 18.

To clear the filter and perform a new search, click Clear next to the Search button.

To activate a protected object

1. In the Monitoring perspective, select Operation > Protected Objects.
2. Click the Edit button.
3. Do one of the following:
   — To activate the configured action on a protected object (Manual mode), for the Action, select
     Activate.
     Performing this action on a protected object that is not in Manual mode changes the protected
     object’s configuration to Manual.
     Do the following:
     a. Select one of the following:
        • Activate Entire Networks, to protect the entire protected object.
        • Activate Specific IP, to protect a specific IP address or set of addresses within the
          protected object. In the Protected IP(s) text field, specify the specific IP address
          attack targets. They must be within the network classification of the protected object.
          Maximum number of protected IP addresses:
          • For DefensePro mitigation devices versions 6.x and 7.x, 64
          • For DefensePro mitigation devices versions 8.x, 1024
     b. If you want to configure an individual operation, select Advanced and edit the Advanced
        parameters as described in step 4.
   — To deactivate a protected object, for the Action, select Deactivate.
     Delete all the entries that should be deactivated from the list of activated destinations.

   Note: Deactivation applies to all running protected object operations, including provisioned
   operations.
4. Configure the activation parameters, as required. The activation parameters display only if you
   have selected Advanced (see step 3).

Table 119: Advanced Parameters

Operation: The operation to use for diversion and mitigation group preferences. Select from the list
  of configured operations. The fields related to the operation type display.
Attack Source IP: This displays only if you selected a Mitigation operation. This is the specific IP
  address attack target to be protected. This must be within the network classification of the
  protected object.
Attack Bandwidth: Specify the attack bandwidth (bits per second); this displays only if you selected
  a Mitigation operation. You can also specify units (for example, 100M). This is used for
  verifying that the mitigation devices can handle the related attack bandwidth. It is also used to
  set the DefensePro policy bandwidth if no BDoS bandwidth is available yet.
Use busy mitigation devices: This displays only if you selected a Mitigation operation. If selected,
  DefenseFlow uses the selected DefensePro devices regardless of their monitored capacity.

BGP Communities

Operation BGP Community: The BGP community values to be sent to the diversion groups that should
  receive them per the operation. Multiple communities can be configured, separated by a space.
  In addition, well-known communities can also be defined, including: NO_EXPORT, NO_ADVERTISE,
  NO_EXPORT_SUBCONFED, NOPEER.
Use Protected Object Community: Whether to add the protected object’s defined community in the
  announcement to the blocking group.
  When you select this parameter, the Protected Object Community parameter displays.
Protected Object BGP Community (displays only when the Use Protected Object Community parameter is
  selected): The protected object’s BGP community values to be sent to the diversion groups that
  should receive them per the operation. Multiple communities can be configured, separated by a
  space.
  In addition, well-known communities can also be defined, including: NO_EXPORT, NO_ADVERTISE,
  NO_EXPORT_SUBCONFED, NOPEER.

The following parameters let you advertise BGP announcements following a predefined operation
prefix size. This is useful for an advertisement over the WAN or any other network where the router
restricts the advertisement for certain classes.
For example, if DefenseFlow receives an attack alert for IP address 204.1.1.3/32 and the network
allows only an advertisement of /24 or lower, you can set the DefenseFlow prefix size to 24.

Minimum IPv4 Advertised Subnet: Minimum IPv4 advertised BGP announcement subnet.
  Default: 32
Minimum IPv6 Advertised Subnet: Minimum IPv6 advertised BGP announcement subnet.
  Default: 128
Override IPv4 Next Hop: Override the IPv4 Next Hop IP address.
Override IPv6 Next Hop: Override the IPv6 Next Hop IP address.
Mitigation Route Name: The route name for this mitigation. Select one of the routes that you defined
  for mitigation devices. For more information on configuring routes, see Mitigation Devices,
  page 218.

   — If the operation you selected is a FlowSpec operation, the FlowSpec parameters display (for
     more information on defining FlowSpec operations, and for mitigation with BGP FlowSpec rules,
     see Operations, page 141):

Table 120: FlowSpec Parameters

Flow Rules (the FlowSpec rules display only if you have selected a BGP FlowSpec operation to
activate the protected object)

Destination Prefix: The destination prefix to block as defined in the Flow rule.
  Values:
  • Attacked IP — The actual destination IP addresses are inherited from the protected object’s
    networks or IP addresses under attack or manually activated.
  • Entire Networks — The actual destination IP addresses are inherited from the protected object
    that uses this rule for its various operations or manual actions.
  • Specific prefix — The Prefix to Block field displays, letting you define a set of IP prefixes
    for the destination prefix.
  Default: Attacked IP
Prefix to Block (displays only if you have selected Specific prefix as the Destination Prefix):
  Defines one or more IP destination prefixes, each IP prefix separated by a space.
  Values: IP address
  Maximum number of networks: 100

Source Prefix: The source prefix to block as defined in the Flow rule.
Port: The port to block as defined in the Flow rule.
Destination Port: The destination port to block as defined in the Flow rule.
Protocol: The protocol to block as defined in the Flow rule.
Source Port: The source port to block as defined in the Flow rule.
ICMP Type: The ICMP type to block as defined in the Flow rule.
ICMP Code: The ICMP code to block as defined in the Flow rule.
TCP Flag: The TCP flag to block as defined in the Flow rule.
Packet Length: The packet length to block as defined in the Flow rule.
DSCP: The DSCP to block as defined in the Flow rule.
Fragment: The fragment to block as defined in the Flow rule.
Redirect to VRF: The route tag to which to redirect traffic. Select from a list of route tags for
  which you have defined a route target. For more information, see Route Tags, page 217.
Redirect to Mitigation: Enables or disables redirection to the operation’s mitigation group. The next
  hop IP addresses are inherited from the mitigation group of the protected object that uses this
  rule for its various operations or manual actions.
Block: Enables or disables traffic blocking (drop all matching packets).
Rate Limit: The rate limit in MB/s or GB/s.
  Values:
  • Example for MB/s: 103M
  • Example for GB/s: 1G
Set DSCP: Defines how to update the DSCP header of the matching packets.

5. Click Submit.

BGP
The BGP pane lets you monitor the status of BGP peers and announcements.
These include:
• FlowSpecs, page 272

FlowSpecs
The FlowSpecs pane lets you monitor the status of currently advertised FlowSpec rules.
You can edit the advertised FlowSpec rules “on-the-fly” in real-time. When you edit a rule on-the-fly,
DefenseFlow withdraws the ongoing rule and advertises the new modified rule. This on-the-fly
modification is one-time and does not affect the regular configuration of the ongoing rule.

To monitor the status of FlowSpec rules and edit them


1. In the Monitoring perspective, select Operation > BGP > FlowSpecs.

2. Highlight the FlowSpec announcement, or search for the FlowSpec announcement by typing a string
   in one of the FlowSpec announcement search fields and clicking the Search button:
3. To edit the FlowSpec rule, click the Edit button, and click Submit:

Table 121: FlowSpec View/Search and Edit Parameters

ID: (Read-only) The ID to block as defined in the FlowSpec rule.
Protected Object: (Read-only) The protected object to block as defined in the FlowSpec rule.
  To view and/or edit a protected object associated with a FlowSpec rule, select the link in the
  Name column, and the Edit Protected Object pane for that protected object displays. For more
  information on protected objects, see Protected Objects, page 58.
  Note: If the protected object is under protection and you modify an attribute that conflicts with
  the ongoing protection, the change is performed only at the next activation of the protected
  object.
  If you want a modification that affects an ongoing protection to take effect immediately, make
  the modification from the Edit feature in the Security Operations Protected Objects Full View
  pane. For more information, see Table 2134 - Full View Parameters — Current Detection Events and
  Operations on Protected Objects, page 18.
Operation: (Read-only) The operation to block as defined in the FlowSpec rule.
  To view and/or edit an operation associated with a FlowSpec rule, select the link in the
  Operation column, and the Edit Operation pane for that operation displays. For more information
  on operations, see Operations, page 141.
  Note: If the protected object is under protection and you modify an attribute that conflicts with
  the ongoing protection, the change is performed only at the next activation of the protected
  object.
  If you want a modification that affects an ongoing protection to take effect immediately, make
  the modification from the Edit feature in the Security Operations Protected Objects Full View
  pane. For more information, see Table 2134 - Full View Parameters — Current Detection Events and
  Operations on Protected Objects, page 18.
Activated Rule Name: The activated rule name to block as defined in the FlowSpec rule.
  To view and/or edit a FlowSpec rule, select the link in the Activated Rule Name column, and the
  Edit BGP FlowSpec pane for that rule displays. For more information on BGP FlowSpec rules, see
  BGP FlowSpec Rules, page 188.
  Note: If the protected object is under protection and you modify an attribute that conflicts with
  the ongoing protection, the change is performed only at the next activation of the protected
  object.
  If you want a modification that affects an ongoing protection to take effect immediately, make
  the modification from the Edit feature in the Security Operations Protected Objects Full View
  pane. For more information, see Table 2134 - Full View Parameters — Current Detection Events and
  Operations on Protected Objects, page 18.

Peer IP Address (not available in the Edit pane): The IP address to block as defined in the FlowSpec
  rule.
Community: (Read-only) The community to block as defined in the FlowSpec rule.
Destination: (Read-only) The destination prefix to block as defined in the FlowSpec rule.
Source: The source prefix to block as defined in the FlowSpec rule.
Port: The port to block as defined in the FlowSpec rule.
Destination Port: The destination port to block as defined in the FlowSpec rule.
Source Port: The source port to block as defined in the FlowSpec rule.
Protocol: The protocol to block as defined in the FlowSpec rule.
ICMP Type: The ICMP type to block as defined in the FlowSpec rule.
ICMP Code: The ICMP code to block as defined in the FlowSpec rule.
TCP Flag: The TCP flag to block as defined in the FlowSpec rule.
Packet Length: The packet length to block as defined in the FlowSpec rule.
DSCP: The DSCP to block as defined in the FlowSpec rule.
Fragment: The fragment to block as defined in the FlowSpec rule.
Route Tag Name: The name of the route tag to which to redirect as defined in the FlowSpec rule.
Route Tag Route (not available in the Edit pane): The route tag route to which to redirect as
  defined in the FlowSpec rule.
Redirect Mitigation Enabled: The mitigation redirection status (enabled or disabled) for the
  FlowSpec rule.
Redirect Mitigation NextHop (not available in the Edit pane): The device to which to redirect for
  mitigation as defined in the FlowSpec rule.
Block: The blocking status (enabled or disabled) for the FlowSpec rule.
Rate Limit (bytes per second): The rate limit to block as defined in the Flow rule.
Set DSCP: The update setting for the DSCP header in the FlowSpec rule.

Security Monitoring
When an attack is detected, DefenseFlow creates and reports a security event, which includes the
information relevant to the specific attack. The Security Monitoring perspective displays information
relevant to the specific attack along with real-time network traffic and statistical parameters. Use
the Security Monitoring perspective to observe and analyze the attacks that the device detected and
the countermeasures that the device implemented.
The following main topics describe security monitoring in APSolute Vision:
• Risk Levels, page 275
• Using the Dashboard Views for Real-Time Security Monitoring, page 276
• Viewing Real-Time Traffic Reports, page 287
• Protection Monitoring, page 289

Notes
• Your user permissions (your RBAC user definition) determine the DefenseFlow mitigation devices
and protected objects that the Security Monitoring perspective displays to you. You can view and
monitor only the attacks blocked by the DefenseFlow mitigation devices and protected objects
that are available to you.
• APSolute Vision also manages and issues alerts for new security attacks.
• DefenseFlow calculates traffic baselines, and uses the baselines to identify abnormalities in
traffic levels.
• At the time of writing, APSolute Vision collects the sampled attack data that DefenseFlow sends
to it at the rate of two samples per two minutes per attack. Please note that the rate is subject
to change without notice.
• You can use the APSolute Vision REST API to view security events from DefenseFlow mitigation
devices or DefenseFlow devices. For more information, see the APSolute Vision REST API
documentation.
• You can use the APSolute Vision CLI to export security events from DefenseFlow mitigation
devices or DefenseFlow devices.

Risk Levels
The following table describes the risk levels that DefenseFlow supports to classify security events.

Note: For some protections, the user can specify the risk level for an event. For these protections,
the descriptions in the following table are recommendations, and specifying the risk level is the
user’s responsibility.

Table 122: Risk Levels

Info: The risk does not pose a threat to normal service operation.
Low: The risk does not pose a threat to normal service operation, but may be part of a preliminary
  action for malicious behavior.
Medium: The risk may pose a threat to normal service operation, but is not likely to cause complete
  service outage, remote code execution, or unauthorized access.



High: The risk is very likely to pose a threat to normal service availability, and may cause
  complete service outage, remote code execution, or unauthorized access.

Using the Dashboard Views for Real-Time Security Monitoring


This section includes the following topics:
• Configuring the Display Parameters of a Dashboard View, page 276
• Using the Current Attacks Table, page 278
• Using the Ongoing Attacks Monitor, page 281
• Attack Details, page 282
• Sampled Data Tab, page 286
• Viewing Real-Time Traffic Reports, page 287

Use a Dashboard View in the Security Monitoring perspective to analyze activity and security events
in the network, identify security trends, and analyze risks.
In DefenseFlow, you can view information on a single protected object, multiple protected objects,
or all configured protected objects. The dashboard monitoring display refreshes automatically,
providing ongoing real-time analysis of the system.
The Dashboard View node comprises the following tabs, which display the same summary information:
• Current Attacks Table — a table display (see Figure 8 - Current Attacks Table — DefenseFlow,
  page 279).
• Ongoing Attacks Monitor — a graphical, chart display (see Figure 9 - Ongoing Attacks Monitor,
  page 282).

The Scope and other display parameters that you configure apply to both the Current Attacks Table
and the Ongoing Attacks Monitor. For more information, see Configuring the Display Parameters of a
Dashboard View, page 276.
By default, the display of the Dashboard View refreshes every 15 seconds. Administrators can
configure the refresh rate (APSolute Vision Configuration view, System perspective, General
Settings > Monitoring > Polling Interval for Reports).

Configuring the Display Parameters of a Dashboard View

The following table describes the display parameters of the Dashboard View in the Security
Monitoring perspective. The Scope and Display Last parameters that you configure in the Current
Attacks Table apply to the Ongoing Attacks Monitor, and vice versa.

Table 123: Security Monitor Dashboard View — Display Parameters

Scope: The Protected Object, ports, and policies that the dashboard displays.
  By default, the Scope is Any Protected Object; Any Port; Any Policy. That is, by default, the
  Security Dashboard displays all the information.
  To control the scope of the information that the dashboard displays in DefenseFlow, see the
  procedure To control the scope of the information that the Dashboard View displays, page 277.

Display Last: How long the dashboard displays attacks after the attack terminates. That is, the
  dashboard displays all attacks that are currently ongoing or that terminated within the selected
  period.
  Values:
  • 10 Minutes
  • 20 Minutes
  • 30 Minutes
  • 1 Hour
  • 2 Hours
  • 6 Hours
  • 12 Hours
  • 24 Hours
  Default: 10 Minutes
Top Attacks to Display (available only in the Ongoing Attacks Monitor): The number of attacks that
  the Ongoing Attacks Monitor displays.
  Values: 1 – 50
  Default: 20
Sort By (available only in the Ongoing Attacks Monitor): Values:
  • Top Total Packet Count — The Ongoing Attacks Monitor displays the attacks with the highest
    number of packets.
  • Top Volume — The Ongoing Attacks Monitor displays the attacks with the highest volume.
  • Most Recent — The Ongoing Attacks Monitor displays the most recent attacks.
  • Attack Risk — The Ongoing Attacks Monitor displays the attacks according to attack risk.
  Default: Top Packet Count

To control the scope of the information that the Dashboard View displays

1. Click the Scope button. Three tables open. One table has the Protected Object column, one table
   has the Device Name and Port columns, and the third table has the Device Name and Policy
   columns.
2. To toggle the sort order of the information in any of the columns, hover over the column heading
   until you see an arrow, and then click the arrow.

Using the Current Attacks Table


The Current Attacks Table displays information on current and recent attacks. The configuration of
the display parameters determine the information that the Current Attacks Table displays (see
Configuring the Display Parameters of a Dashboard View, page 276).

To display the Current Attacks Table


1. In the Security Monitoring perspective, select the mitigation device, Site, or Logical Group for
which to display data.
2. Select Dashboard View > Current Attacks Table.
You can do the following in the Current Attacks Table:
• Filter the rows — You can filter table rows according to values in the table columns.
• Sort the rows — You can change the row order from ascending to descending or vice versa. To
do this, hover the cursor (pointer) over the column to display the arrow and change the order.
• View additional information for a specific attack — To do this, select the relevant row, and

click (View Attack Details). For more information, see Attack Details, page 282.

• Go to the policy that handled the attack — To do this, click (Go to Policy).

• Export the information in the table to a CSV file — To do this, click (CSV). Then, you can
view the file or specify the location and file name.

• Pause the refresh of the table display — To do this, click (Pause). When the table display
is not paused, it refreshes approximately every 15 seconds.


Figure 8: Current Attacks Table — DefenseFlow
Figure callouts: Scope (displays the tables to select the protected objects that the Dashboard View
displays) and the Scope summary; function buttons: View Attack Details, Go to Policy, Export Table
to CSV, Pause; arrow for sorting ascending or descending.

Table 124: Current Attacks Table Parameters

Parameter Description
Source Type The source of the signal entry.
Values:
• DP — DefensePro
• DF — DefenseFlow
Start Time The date and time that the attack started.¹
Attack Category The threat type to which this attack belongs.
Values:
• Anomalies (in DefenseFlow, detection was performed by an external
detector)
• Behavioral DoS (in DefenseFlow, detection was performed by
DefenseFlow BDoS)


Table 124: Current Attacks Table Parameters (cont.)

Parameter Description
Status The last-reported status of the attack.¹
Values:
• Started — An attack containing more than one security event has been
detected. (Some attacks contain multiple security events, such as DoS,
Scans, and so on.)
• Occurred (Signature-based attacks) — Each packet matched with
signatures was reported as an attack and dropped.
• Sampled (available only in DefenseFlow) — The last reading for each
protocol and the totals for all protocols, for a single device. This
information is only available when viewing a single device.
• Ongoing — The attack is currently taking place, that is, the time
between Started and Terminated (for attacks that contain multiple
security events, such as DoS, Scans, and so on).
• Terminated — There are no more packets matching the characteristics
of the attack, and the device reports that the attack has ended.
Risk The predefined attack severity level (see Risk Levels, page 275).
Values:
• — High
• — Medium
• — Low
• — Info
Attack Name The name of the detected attack.
Source Address The source IP address of the attack. If there are multiple IP sources for an
attack, this field displays Multiple. The multiple IP addresses are displayed
in the Attack Details window. Multiple may also refer to cases when the
mitigation device cannot report a specific value.
The Search string can be any legal IPv4 or IPv6 address, and can include a
wildcard (*).
Destination Address The destination IP address of the attack. If there are multiple IP sources
for an attack, this field displays Multiple. The multiple IP addresses are
displayed in the Attack Details window. Multiple may also refer to cases
when the mitigation device cannot report a specific value.
Policy In DefenseFlow, the name of the configured Security Policy that was set to
mitigate this attack. The default policy name is the name of the protected
object. Policies in DefenseFlow cannot be edited.
Radware ID The DefenseFlow Attack-Protection identifier issued by the device.
Direction The direction of the attack, inbound or outbound.
Values: in, out
Total Packet Count The number of identified attack packets from the beginning of the attack.
Volume For most protections, this value is the volume of the attack, in kilobits,
from when the attack started.
Protected Object The name of the protected object that was attacked.


Table 124: Current Attacks Table Parameters (cont.)

Parameter Description
Application Protocol¹ The transmission protocol used to send the attack.
Values:
• TCP
• UDP
• ICMP
• IP
MPLS RD¹ The Multi-protocol Label Switching Route Distinguisher in the policy that handled the
attack. The value N/A or 0 (zero) in this field indicates that the MPLS RD is not available.
VLAN Tag / Context¹ The VLAN tag value or Context Group in the policy that handled the attack.
The value N/A or 0 (zero) in this field indicates that the VLAN tag or Context Group is not available.
Source Port¹ The Layer 4 source port of the attack.
Destination Port¹ The Layer 4 destination port of the attack. If there are multiple destination L4
ports, this field displays Multiple. In cases when the mitigation device cannot report a specific
value, the field displays 0 (zero).
Physical Port¹ The port on the device at which the attack packets arrived. In cases when the
mitigation device cannot report a specific value, the field displays 0 (zero) or Multiple.

¹ This column is not displayed by default in the Current Attacks tab.


To display the column, click the (Table Settings) button and then select the relevant
checkbox. Click the button again to close the Table Settings list.

Using the Ongoing Attacks Monitor


The Ongoing Attacks Monitor comprises two charts: the Ongoing Attacks Monitor and Drop Intensity
gauges. The information that the charts display is according to the configuration of the display
parameters (see Configuring the Display Parameters of a Dashboard View, page 276).

To display the Ongoing Attacks Monitor


1. In the Security Monitoring perspective, select the mitigation device, Site, or Logical Group for
which to display data.
2. Select Dashboard View > Ongoing Attacks Monitor.
The Ongoing Attacks Monitor is a graphical representation of current and recent attacks. Each icon in
the monitor represents a separate attack. The icon type (see the legend) represents the type of
protection that the attack violates. A flashing icon represents an ongoing attack. The horizontal
position of each icon in the chart indicates the attack risk (see Risk Levels, page 275). The vertical
position of the icon in the chart indicates the attack duration; the higher in the chart, the longer the
attack has existed. Attacks that have started recently are lower in the monitor. The icon size
indicates the amount of dropped data for the attack type relative to other attacks of the same type.
Hover the cursor (pointer) over an icon to display summary information for the attack. Double-click
an icon to display detailed information for the attack. For more information, see Attack Details,
page 282.


There are two Drop Intensity gauges: Packets and Bandwidth. The Packets gauge indicates the
proportion of dropped packets relative to the total packets. The Bandwidth gauge indicates the
proportion of dropped bandwidth relative to the total bandwidth (according to the license). The
gauges show the calculated ranges Low (up to 30% dropped), Medium (up to 70% dropped), and
High (more than 70% dropped).

Figure 9: Ongoing Attacks Monitor
Figure callouts: Scope (displays the tables to select the physical ports and protected objects that
the dashboard displays) and the Scope summary; hover the cursor (pointer) over an icon to display
summary information for the attack.

Attack Details
APSolute Vision displays attack details for the following attacks:
• , page 283
• Intrusions Attack Details, page 285

For DefenseFlow Attack Details, the Attack Details tab displays.


The Attack Characteristics tab displays information that is also available in the hidden columns of the
Current Attacks Table. The Attack Description tab displays the information from the Attack
Descriptions file. An attack description is displayed only if the Attack Descriptions file has been
uploaded on the APSolute Vision server.

Notes

• To display hidden columns of the Current Attacks Table, click the (Table Settings) button and
then select the relevant checkbox. Click the button again to close the Table Settings list.
In addition to viewing the details of the attack, in each Attack Details tab, you can do the following:


• View sampled data from the attack — To do this, click the (View Sampled Data) button.
For more information, see Sampled Data Tab, page 286.

• Go to the policy that handled the attack — To do this, click the (Go to Policy) button.
• Export the attack capture files related to the selected attack to a ZIP file (see DoS Attack
Details, page 353) — To do this, click the (Export Attack Capture Files) button, and enter a file
name in the file selection dialog box.

Notes
— You can send the CAP file to a packet analyzer.
— Up to 255 bytes of packet information is saved in the CAP file. That is, DefenseFlow exports
full packets but APSolute Vision trims them to 255 bytes.
— The file is available only as long as it is displayed in the Current Attacks table.
— The file is created only if packet reporting is enabled in the protection configuration for the
profile that was violated.
— DefenseFlow exports only the last packet in a sequence that matches the filter. Furthermore,
if traffic matches a signature that consists of more than one packet, the reported packet will
not include the whole expression in the filter.
— For DoS attacks of very short duration, there might be no sampling or ongoing traps.
Consequently, for such attacks, there might be no sampled data or capture files. (For more
information, see DoS Attack Details, page 353.)

Attack Details

Table 125: Attack Details: Characteristics Parameters

Parameter Description
Note: Some fields can display multiple values, when relevant and available. The values that
these fields display depend on the current stage of the attack. If a field is part of the dynamic
signature (that is, a specific value or values appear in all the attack traffic), the field displays the
relevant value or values.
Protocol The protocol that the attack uses or used.
Source L4 Port The source L4 port that the attack uses or used.
Physical Port The physical port that the attack uses or used.
Packet Count The packet count of the attack.
Volume (Kbits) The volume, in Kbits, that the attack uses or used.
VLAN Tag / Context The VLAN tag value or Context Group in the policy that handled the
attack.
MPLS RD The MPLS RD that the attack uses or used.
Device IP The device IP address that the attack uses or used.
TTL The TTL that the attack uses or used.
L4 Checksum The L4 checksum that the attack uses or used.
TCP Sequence Number The TCP sequence number that the attack uses or used.
IP ID Number The IP ID number that the attack uses or used.
Fragmentation Offset The fragmentation offset that the attack uses or used.


Table 125: Attack Details: Characteristics Parameters (cont.)

Parameter Description
Fragmentation Flag The fragmentation flag that the attack uses or used. 0 indicates that
fragmentation is allowed. 1 indicates that fragmentation is not allowed.
Flow Label (IPv6 only) The flow label that the attack uses or used.
ToS The ToS that the attack uses or used.
Packet Size The packet size that the attack uses or used.
ICMP Message Type (This is displayed only if the protocol is ICMP.) The ICMP message type that
the attack uses or used.
Source IP The source IP address that the attack uses or used.
Destination IP The destination IP address that the attack uses or used.
Source Ports The source ports that the attack uses or used.
Destination Ports The destination port that the attack uses or used.
DNS ID The DNS ID that the attack uses or used.
DNS Query The DNS query that the attack uses or used.
DNS Query Count The DNS query count that the attack uses or used.

Table 126: Attack Details: Info Parameters

Parameter Description
Packet Size Anomaly Region The statistical region of the attack packets.
The formula for the packet-size baseline for a policy is as follows:
{(AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS)}
Values:
• Large Packets — The attack packets are approximately 15% larger than the normal packet-size
baseline for the policy.
• Normal Packets — The attack packets are within approximately 15% either side of the normal
packet-size baseline for the policy.
• Small Packets — The attack packets are approximately 15% smaller than the normal packet-size
baseline for the policy.
State The state of the protection process.
Values:
• footprint analysis — BDoS protection has detected an attack and is
currently generating an attack footprint.
• footprint-applied — BDoS protection is blocking the attack based on
the generated footprint. Through a closed-feedback loop operation,
BDoS protection optimizes the footprint rule, achieving the
narrowest effective mitigation rule.
• non-attack — Nothing was blocked because the traffic was not an
attack. That is, no footprint was detected or the blocking strictness
level was not met.
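The Packet Size Anomaly Region formula in Table 126 is the ratio of the attack traffic's average packet size (bandwidth divided by packet rate) to the baseline's average packet size. The following added example (not Radware code) evaluates that ratio and applies the 15% band from the table; the traffic samples are constructed, and the choice of Kbit/s for bandwidth is an assumption (the ratio is the same for any unit used consistently).

```python
"""Packet-size anomaly region, as described for the Attack Details Info tab:
the attack's average packet size relative to the policy's normal average
packet size, classified with a +/-15% band around the baseline.

Added example, not Radware code. Sample rates below are constructed.
"""
from dataclasses import dataclass

REGION_BAND = 0.15  # approximately 15% either side of the baseline, per Table 126


@dataclass(frozen=True)
class TrafficSample:
    """A traffic reading: bandwidth in Kbit/s and packet rate in packets/s."""
    bandwidth_kbps: float
    pps: float

    def avg_packet_bits(self) -> float:
        """Average packet size in bits: Kbit/s * 1000 / packets-per-second."""
        if self.pps <= 0:
            raise ValueError("packet rate must be positive to derive a packet size")
        return self.bandwidth_kbps * 1000.0 / self.pps


def packet_size_ratio(anomaly: TrafficSample, normal: TrafficSample) -> float:
    """Table 126 formula, (AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS):
    the attack's average packet size divided by the learned normal average."""
    return anomaly.avg_packet_bits() / normal.avg_packet_bits()


def packet_size_region(anomaly: TrafficSample, normal: TrafficSample) -> str:
    """Map the ratio to the three regions the Attack Details Info tab reports."""
    ratio = packet_size_ratio(anomaly, normal)
    if ratio > 1.0 + REGION_BAND:
        return "Large Packets"
    if ratio < 1.0 - REGION_BAND:
        return "Small Packets"
    return "Normal Packets"


if __name__ == "__main__":
    # Constructed baseline: 10 Mbit/s at 2,000 pps, i.e. 5,000-bit (625-byte) packets
    baseline = TrafficSample(bandwidth_kbps=10_000, pps=2_000)
    # Constructed anomalies: a 64-byte SYN flood and a 1500-byte UDP flood
    for label, sample in (("SYN flood", TrafficSample(51_200, 100_000)),
                          ("UDP flood", TrafficSample(120_000, 10_000))):
        print(f"{label}: ratio {packet_size_ratio(sample, baseline):.3f} -> "
              f"{packet_size_region(sample, baseline)}")
```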


Table 127: Attack Details: Footprint Parameters

Parameter Description
The footprint-blocking rule generated by the Behavioral DoS Protection, which provides the
narrowest effective blocking rule against the flood attack.

Table 128: Attack Details: Attack-Identification Statistics Table

Parameter Description
This table displays attack traffic (Anomaly) and normal traffic information. Red indicates real-time
values identified as suspicious in the 15 seconds prior to when the attack was triggered. Black
indicates the learned normal traffic baselines. Table columns are displayed according to the
protocols: TCP (includes all flags), UDP, or ICMP.

Table 129: Attack Details: Attack-Identification Statistics Graph

Parameter Description
The graph displays a snapshot of the relevant traffic type for the 15-second period during which the
attack was triggered. For example, during a UDP flood, just UDP traffic is represented. The blue line
represents the normal adapted traffic baseline.

Table 130: Attack Details: Attack Description

Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.

Intrusions Attack Details

Table 131: Intrusions Attack Details: Characteristics Parameters

Parameter Description
Protocol The protocol that the attack uses or used.
Physical Port¹ The physical port that the attack uses or used.
Packet Count The packet count of the attack.
Volume (Kbits) The volume, in Kbits, that the attack uses or used.
VLAN¹ The VLAN that the attack uses or used.
MPLS RD¹ The MPLS RD that the attack uses or used.
Device IP The device IP address that the attack uses or used.

¹ This parameter is not resolved, and the value Multiple is always displayed.

Table 132: Intrusions Attack Details: Attack Description

Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.


Sampled Data Tab


You can display the Sampled Data dialog box for all attack types that support sampled data.
The Sampled Data tab contains a table with data on sampled attack packets. Each row in the table
displays the data for one sampled attack packet. The title bar includes the category of the data — for
example, Behavioral DoS.
The table in the Sampled Data tab comprises the following columns:
• Time
• Source Address
• Source L4 Port
• Destination Address
• Destination L4 Port
• Protocol
• VLAN / Context
• MPLS RD
• Physical Port

To display the Sampled Data tab


1. In the Security Monitoring perspective, select the mitigation device, Site, or Logical Group for
which to display data.
2. Select Dashboard View.
3. Do one of the following to open the Attack Details tab:
— Select Current Attacks Table, and then, double-click the relevant row.
— Select Ongoing Attacks Monitor, and then, double-click the icon.

4. Click the (View Sampled Data) button.


You can export some rows of the table in the Sampled Data dialog box to a CSV file.

To save sampled data to a CSV file


1. In the Security Monitoring perspective, select the mitigation device, Site, or Logical Group for
which to display data.
2. Select Dashboard View.
3. Do one of the following to open the Attack Details tab:
— Select Current Attacks Table, and then, double-click the relevant row.
— Select Ongoing Attacks Monitor, and then, double-click the icon.

4. Click the (View Sampled Data) button.


5. Select the row with which you want the data rows in the file to start.

6. Click the (CSV) button.


7. View the file or specify the location and file name.


Viewing Real-Time Traffic Reports


You can also view graphs of connection rates and concurrent connections based on data from the
Session table.
By default, all traffic is presented in these graphs and tables. In each graph, you can filter the
display by protocol or traffic direction, but not for concurrent connections.
You can monitor the following traffic information in the Traffic Monitoring tab:
• Viewing the Traffic Utilization Report, page 287

Viewing the Traffic Utilization Report


The Traffic Utilization Report displays statistics for the following:
• Traffic Statistics — Displays information for the selected protected object as a graph. The graph
contains information for a selected protocol or the total for all protocols over a period of time.
There is a curve on the graph for each the following:
— Inbound traffic
— Dropped inbound traffic
— Diverted inbound traffic
— Discarded inbound traffic
— Clean inbound traffic
To hide or show a curve for a particular traffic type, click the corresponding colored square in the
legend.
• Last Sample Statistics — Displays the last reading for each protocol and provides totals for all
protocols, for a single device. (This information is only available when viewing a single device.)

To view or save a CSV file, click (CSV).

Tip: To get the current traffic rate in packets or bytes per second (calculated as the average rate in
15 seconds), you can use the following CLI command on the DefenseFlow device:
dp rtm-stats get [port number]

Caution: When the Scope is Devices/Policies, the Traffic Utilization Report does not include
inbound traffic that the module blocked. This is because the module processes traffic before the
classification of a Protection policy.

Notes
• For packets received through the 1G, 10G, or 40G ports, packet-size information and counters
do not account for the CRC.
• The Traffic Utilization Report and the statistical traffic information that Protection Monitoring
provides are based on different counters. (For information on the statistical traffic information
that Protection Monitoring provides, see Protection Monitoring, page 289.)

To view the Traffic Utilization Report


1. In the Security Monitoring perspective, select Traffic Monitoring > Traffic Utilization.
2. Change display settings for the graph and table, as required.


3. For the Statistics Graph and Last Sample Statistics, set filter options for the displayed traffic
data, as required. The displayed information refreshes automatically.

Table 133: Traffic Utilization Report: Display Parameters for Graph and Table

Parameter Description
Scope The protected objects that the Traffic Utilization Report displays.
By default, the Scope is Any Protected Object.
Display Last How long the graph displays attacks after the attack terminates. That is, the
graph displays all attacks that are currently ongoing or that terminated
within the selected period.
Values:
• 10 Minutes
• 20 Minutes
• 30 Minutes
• 1 Hour
Default: 10 Minutes
Scope (drop-down list) The scope of the graph view.
Values:
• Devices/Physical Ports — The graph shows traffic according to physical
ports on the specified device.
• Devices/Policies — The graph shows traffic according to Protection
policies on the specified device.
Default: Devices/Physical Ports
Units The units for the traffic rate.
Values:
• Kbps — Kilobits per second
• Packet/Sec — Packets per second

Table 134: Traffic Utilization Report: Filter Parameters for the Traffic Statistics Graph

Parameter Description
Protocol The traffic protocol to display.
Values:
• TCP — Show the statistics of the TCP traffic.
• UDP — Show the statistics of the UDP traffic.
• ICMP — Show the statistics of the ICMP traffic.
• IGMP — Show the statistics of the IGMP traffic.
• SCTP — Show the statistics of the SCTP traffic.
• Other — Show the statistics of the traffic that is not TCP, UDP, ICMP,
IGMP, or SCTP.
• All — Show total traffic statistics.
Caution: When the Scope is Devices/Policies, the Other traffic does
not include IPsec traffic.


Table 135: Traffic Utilization Report: Last Sample Statistics Parameters

Parameter Description
Protocol The traffic protocol.
Values:
• TCP
• UDP
• ICMP
• IGMP
• SCTP
• Other — The statistics of the traffic that is not TCP, UDP, ICMP, IGMP, or
SCTP.
• All — Total traffic statistics.
Caution: When the Scope is Devices/Policies, the Other traffic does
not include IPsec traffic.
Inbound The amount of inbound traffic for the protocol identified in the row.
Discarded Inbound The amount of discarded inbound traffic for the protocol identified in the row.
Clean The amount of clean traffic for the protocol identified in the row.
Dropped The amount of dropped traffic for the protocol identified in the row.
Diverted The amount of diverted traffic for the protocol identified in the row.
Discard % The percentage of discarded traffic for the protocol identified in the row.
Excluded Inbound The amount of excluded inbound traffic for the protocol identified in the row.

Protection Monitoring
Protection Monitoring provides real-time traffic monitoring per protected object, either for the
network as a whole (if BDoS Protection is configured) or for DNS traffic (if DNS Flood Protection is
configured). The statistical traffic information that Protection Monitoring provides can help you better
understand the traffic that flows through the protected network, how the configured protection is
working, and, most importantly, how anomalous traffic is detected.
For information about displaying protection information for a selected device, see the following:
• Monitoring the Traffic Under BDoS Protection, page 290

Note: The statistical traffic information that Protection Monitoring provides and Traffic Utilization
Report are based on different counters. (For information on the Traffic Utilization Report, see
Viewing the Traffic Utilization Report, page 287.)


Monitoring the Traffic Under BDoS Protection


You can monitor the traffic for a protected object that includes BDoS protection.
Traffic information is displayed in the following tabs:
• BDoS Traffic Statistics, page 291
• Last Sample Statistics, page 292

Caution: The BDoS Traffic Monitoring Reports interface displays the names of Protection policies
from the past year — even policies that were deleted. The interface displays no statistics from more
than 60 minutes in the past. The interface displays no statistics for deleted Protection policies.

Caution: When traffic matches multiple protected objects with Out-of-State protection, the value
that APSolute Vision displays for the total dropped traffic represents the sum of all dropped traffic for
all relevant protected objects. This is because when traffic matches multiple protected objects with
Out-of-State protection, all those protected objects count the same dropped traffic.

Note: APSolute Vision displays the Protection Monitoring graphs using averaged values, and
therefore, points on the curves might diverge from the exact values.
Note: The BDoS Traffic Monitoring reports are populated with data only if the detector type is set to
BDoS Detector. For more information on detection parameters, see Detection, page 248.

To display traffic information for a protected object that includes BDoS protection
1. In the Security Monitoring perspective, select the device to monitor.
2. Select Protection Monitoring > BDoS Traffic Monitoring Reports.
3. Configure the general parameters for the display of the BDoS Traffic Statistics graph and Last
Sample Statistics table.

Table 136: BDoS Traffic Monitoring Reports: General Parameters

Parameter Description
Scope The protected object. The list only displays policies that are configured with
a BDoS profile.
Display Last How long the graph displays attacks after the attack terminates. That is, the
graph displays all attacks that are currently ongoing or that terminated
within the selected period.
Values:
• 10 Minutes
• 20 Minutes
• 30 Minutes
• 1 Hour
Default: 10 Minutes
Direction The direction of the traffic that the Statistics Graph and Last Sample
Statistics table display.
Values: Inbound


Table 136: BDoS Traffic Monitoring Reports: General Parameters (cont.)

Parameter Description
Units The unit according to which the Statistics Graph and Last Sample Statistics
table display the traffic.
Values:
• Kbps — Kilobits per second
• Packets/Sec — Packets per second

BDoS Traffic Statistics


The graph displays the traffic rates for the selected protected object according to the specified
parameters.

Table 137: BDoS Traffic Statistics Parameters

Parameter Description
IP Version The IP version of the traffic that the graph displays.
Values: IPv4, IPv6
Protection Type The protection type to monitor.
Values:
• UDP
• ICMP
• TCP
• Other
Scale The scale for the presentation of the information along the Y-axis.
Values: Linear, Logarithmic

Table 138: Statistics Graph Legend

Line Description
Total Traffic (dark blue) The total traffic that the device sees for the specific protection type and
direction.
Legitimate Traffic (light blue) The actual forwarded traffic rate, after the mitigation device managed
to block the attack. When there is no attack, the Total Traffic and Legitimate Traffic are equal.
Normal Edge (dashed green) The statistically calculated baseline traffic rate.
Suspected Edge (dashed orange) The traffic rate that indicates a change in traffic that might be an
attack.
Attack Edge (dashed red) The traffic rate that indicates an attack.


Last Sample Statistics


Use the Last Sample Statistics table to view information about the last relevant sample.

Table 139: Last Sample Statistics Parameters

Parameter Description
Traffic Type The protection type. Each specific traffic type and direction has a baseline
that the device learns automatically.
Baseline The normal traffic rate expected by the device.
Total Traffic The total traffic rate that the mitigation device sees for the specific traffic
type and direction.
Baseline Portion % An indication of the rate-invariant baseline, that is, the normal percentage
of the specific traffic type relative to all other traffic in the same direction.
RT Portion % The actual percentage of the specific traffic type relative to all other traffic in
the same direction.
Traffic Peak Peak traffic value, in bps, to use in case of a manual action without attack
volume information available.
Degree of Attack A numeric value that evaluates the current level of attack. A value of 8 or
greater signifies an attack.

Alerts Table
DefenseFlow warnings and messages display in the Alerts Table along with APSolute Vision and
DefensePro warnings and messages at the bottom of the window.
The following information displays for the alerts:
• Ack
• Severity
• Time and Date
• Device Name
• Device IP
• Module
• Device Type
• User Name
• Message

For a full list of available DefenseFlow alerts, refer to Appendix B - Alerts Table, page 373.

Enabling SNMP for DefenseFlow


This procedure is optional.
This section explains how to enable SNMP from the DefenseFlow CLI, and includes the following
sections:
• Obtaining the SNMP Module MIBs, page 293
• Setting Up the SNMP Module, page 293
• SNMP System MIB Objects for Monitoring DefenseFlow, page 294
• SNMP Trap Objects for DefenseFlow Alerts, page 295


Obtaining the SNMP Module MIBs


This section describes how to obtain the SNMP module MIBs.

To obtain the SNMP module MIBs


1. From the DefenseFlow documentation download section on the Radware Customer Portal,
download the following MIBs:
— The Radware MIB (which uses multiple standard MIBs)
— DefenseFlow MIBs. DefenseFlow uses the MIB defined in RFC 2981, the MIB module for defining
event triggers and actions for network management purposes.
2. Copy the MIBs to the DefenseFlow server.

Setting Up the SNMP Module


This section describes how to set up the SNMP module from the DefenseFlow CLI.

To set up the SNMP module

Note: SNMP commands take approximately 20 seconds to run. Wait for a confirmation message
after running a command before continuing.
1. Enable SNMP by running the following command on the DefenseFlow server:
dfc-snmp:polls-edit -admin-status ENABLED
2. Prepare the client destination IP address and port to receive traps by running the following
command on the server:
dfc-snmp:trap-client-add -ip <IP> -port <port> -community <community string>
3. Set the SNMP threshold error and CPU warning by running the following command on the
server:
dfc-snmp:trap-threshold-edit -threshold-error <threshold-error> -threshold-warning <threshold-warning> -type CPU
4. Set the SNMP threshold error and disk warning by running the following command on the
server:
dfc-snmp:trap-threshold-edit -threshold-error <threshold-error> -threshold-warning <threshold-warning> -type DISK
5. Show a list of all the clients by running the following command on the server:
dfc-snmp:trap-clients-list
6. Show if SNMP polls are disabled/enabled by running the following command on the server:
dfc-snmp:polls-show
7. Show the SNMPv2 community configuration by running the following command on the server:
dfc-snmp:show-configuration-v2
8. Show the SNMP table thresholds by running the following command on the server:
dfc-snmp:trap-threshold-list


Description of the SNMP Configuration Parameters


The following is a description of the SNMP configuration parameters:
• community — SNMP agent community string.
• system statistics — System alerts thresholds to be sent as SNMP traps:
— type DISK — Disk usage threshold. Percentage of the disk usage, for all disks:
• threshold-warning — Default: 80. When more than 80% of the disk is used, an SNMP
warning trap is issued.
• threshold-error — Default: 90. When more than 90% of the disk is used, an SNMP error
trap is issued.
— type CPU — System load threshold. Percentage of the CPU usage:
• threshold-warning — Default: 95. When more than 95% of the CPU is used, an SNMP
warning trap is issued.
• threshold-error — Default: 99. When more than 99% of the CPU is used, an SNMP error
trap is issued.
• show — Show
— show-configuration-v2 — Shows the SNMPv2 community configuration.
• polls — SNMP polls commands.
— polls-show — Show the SNMPv2 polls settings.
• agent_info — SNMP agent physical location and contact information:
— address — Physical address, Street address
— city — Physical address, City
— country — Physical address, Country
— full_name — The name of the system administrator, contact name.
— email_address — E-mail address of the system administrator.
• trap — Operating System authentication failure trap commands.
— trap-client-add — Add an SNMP traps client.
— trap-clients-list — Show the list of SNMP traps clients.
— trap-threshold-edit — Edit a trap threshold.
— trap-threshold-list — Show the list of trap thresholds.
— trap-threshold-error — Set the percentage for which a trap threshold error is issued.
— trap-threshold-warning — Set the percentage for which a trap threshold warning is issued.

SNMP System MIB Objects for Monitoring DefenseFlow


The following table lists the SNMP system MIB objects for monitoring DefenseFlow (object, OID, type, description, values):

• dfcHAStatus — OID 1.3.6.1.4.1.89.35.10.110.1. Type: Integer (32-bit). Description: The DefenseFlow High Availability status. Values: 1 — enabled (0); 2 — ha-one-node-down (1); 3 — disabled (2); 4 — error (100)
• dfcServiceStatus — OID 1.3.6.1.4.1.89.35.10.110.2. Type: Integer (32-bit). Description: The DefenseFlow service status. Values: 1 — started (0); 2 — one-of-services-down (1); 4 — stopped (100)
• hrProcessorLoad — OID 1.3.6.1.2.1.25.3.3.1.2. Type: Integer (32-bit). Description: The average, over the last minute, of the percentage of time that the processor was not idle. Values: 0-100
• dskPercent — OID 1.3.6.1.4.1.2021.9.1.9. Type: Integer (32-bit). Description: Percentage of space used on the disk. Values: 0-100

SNMP Trap Objects for DefenseFlow Alerts


The following table lists the SNMP traps. The enterprise for all of them is defenseflow; the value is the specific-trap number that appears after the enterprise in the notification (see the example below):

• Value 1 — Variable: dfcHAStatus. Alert description: The DefenseFlow High Availability status. Alert type: Info. Alert category: HA
• Value 2 — Variable: dfcServiceStatus. Alert description: The DefenseFlow service status. Alert type: Info. Alert category: Service
• Value 3 — Variable: dskPercent. Alert description: Disk capacity warning. Alert type: Warning. Alert category: System
• Value 4 — Variable: dskPercent. Alert description: Disk capacity error. Alert type: Error. Alert category: System
• Value 5 — Variable: hrProcessorLoad. Alert description: CPU warning. Alert type: Warning. Alert category: System
• Value 6 — Variable: hrProcessorLoad. Alert description: CPU error. Alert type: Error. Alert category: System

Example
The following example is for a CPU error alert:
defenseflow.0.6 notification received from: 10.183.154.211 at 1/9/2019 3:54:33 PM
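The following Python script is an added example; it is not part of the Radware guide and not DefenseFlow code. It shows the two things a monitoring integration needs from the tables above: mapping a received trap (as printed in the notification line) to the alert table, and applying the same DISK/CPU warning and error thresholds to polled dskPercent and hrProcessorLoad values so that a poller agrees with the trap path. The numeric enterprise prefix ENTERPRISE_OID is an assumption taken from the object OIDs listed above; the threshold ordering check, the notification-line parser and the sample line are the example's own constructions.

```python
"""Added example (not Radware code): decode DefenseFlow SNMP traps and apply
the DISK/CPU thresholds from the dfc-snmp configuration to polled values."""
import re
from dataclasses import dataclass

# Assumption: the 'defenseflow' enterprise node is the prefix under which the
# dfcHAStatus (.1) and dfcServiceStatus (.2) objects are listed above. Check
# it against the DefenseFlow MIB file shipped with your release.
ENTERPRISE_OID = "1.3.6.1.4.1.89.35.10.110"

# Trap table from the guide: specific-trap number -> (variable, description, type, category)
TRAPS = {
    1: ("dfcHAStatus", "The DefenseFlow High Availability status", "Info", "HA"),
    2: ("dfcServiceStatus", "The DefenseFlow service status", "Info", "Service"),
    3: ("dskPercent", "Disk capacity warning", "Warning", "System"),
    4: ("dskPercent", "Disk capacity error", "Error", "System"),
    5: ("hrProcessorLoad", "CPU warning", "Warning", "System"),
    6: ("hrProcessorLoad", "CPU error", "Error", "System"),
}


@dataclass(frozen=True)
class Thresholds:
    """Values given to dfc-snmp:trap-threshold-edit for one -type."""
    warning: int
    error: int

    def __post_init__(self) -> None:
        # Sanity check added here (the guide does not say the CLI enforces it):
        # a warning level at or above the error level means the warning trap
        # can never precede the error trap.
        if not 0 <= self.warning < self.error <= 100:
            raise ValueError(
                f"need 0 <= warning < error <= 100, got {self.warning}/{self.error}")


# Defaults from the parameter description above.
DEFAULTS = {"DISK": Thresholds(warning=80, error=90),
            "CPU": Thresholds(warning=95, error=99)}


def classify(kind: str, percent: int, thresholds=DEFAULTS) -> str:
    """Apply the guide's 'more than N%' rule to a polled dskPercent or
    hrProcessorLoad value (both are 0-100)."""
    t = thresholds[kind]
    if percent > t.error:
        return "Error"
    if percent > t.warning:
        return "Warning"
    return "OK"


def decode_trap(trap_oid: str) -> dict:
    """Map snmpTrapOID.0, either symbolic ('defenseflow.0.6', as in the
    notification line above) or numeric ('<enterprise>.0.6'), to the trap table."""
    for prefix in ("defenseflow", ENTERPRISE_OID):
        head = prefix + ".0."
        specific = trap_oid[len(head):]
        if trap_oid.startswith(head) and specific.isdigit():
            if int(specific) not in TRAPS:
                raise ValueError(f"unknown DefenseFlow specific-trap {specific}")
            variable, description, alert_type, category = TRAPS[int(specific)]
            return {"specific": int(specific), "variable": variable,
                    "description": description, "type": alert_type,
                    "category": category}
    raise ValueError(f"not a DefenseFlow trap OID: {trap_oid!r}")


# Shape of the notification line shown above: "<oid> notification received from: <ip> at <time>".
NOTIFICATION_RE = re.compile(
    r"^(?P<oid>\S+) notification received from: (?P<src>\S+) at (?P<when>.+)$")


def parse_notification(line: str) -> dict:
    """Parse one notification line and attach the decoded alert."""
    m = NOTIFICATION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised notification line: {line!r}")
    info = decode_trap(m.group("oid"))
    info.update(source=m.group("src"), when=m.group("when"))
    return info


# Constructed sample in the format of the example above (not a real capture).
SAMPLE_LINE = ("defenseflow.0.6 notification received from: 10.183.154.211 "
               "at 1/9/2019 3:54:33 PM")

if __name__ == "__main__":
    print(parse_notification(SAMPLE_LINE))
    for kind, value in (("DISK", 85), ("CPU", 96), ("CPU", 100)):
        print(kind, value, classify(kind, value))
```

Feed the script the raw numeric OID when your trap receiver has no DefenseFlow MIB loaded, and the symbolic form when it does; both resolve to the same table entry. Because classify() uses the same "more than N%" rule as the agent, a value of exactly 90% disk usage is reported as Warning, not Error, matching what the trap path would send.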


APPENDIX A – CLI COMMANDS


This appendix describes the CLI commands accessible from the DFC shell, including the following
sections:
• CLI Command Syntax, page 296
• CLI Help and Auto Completion, page 296
• CLI Commands, page 299

CLI Command Syntax


The DefenseFlow CLI commands use the following syntax:
command [arguments]
CLI Commands, page 299 describes the DefenseFlow commands and arguments.

CLI Help and Auto Completion


The DefenseFlow CLI includes help and auto completion to assist you in using the CLI commands.
This section includes:
• CLI Help, page 297
• Auto Completion, page 298


CLI Help
All CLI commands support the --help argument. For example:

dfc-mitigation-device:add --help
DESCRIPTION
dfc-mitigation-device:add
Add mitigation device

SYNTAX
dfc-mitigation-device:add [options]

OPTIONS
-admin-status
Admin status {ENABLED|DISABLED}
-network-element
Physically attached network elements (multiple values can be
specified: -option value1 -option value2)
-address
Mitigation device address
-bgp-asn
BGP AS number
-injection-type
Clean traffic injection type {FIXED_IPS|TUNNELS}
-name
Mitigation device name
-version
Mitigation device version
-bgp-loopback
BGP Loopback IP
-group
Mitigation devices groups names (multiple values can be
specified: -option value1 -option value2)
-injection-ip
Clean traffic single injection IP (Clean route tag) (multiple
values can be specified: -option value1 -option value2)
-password
Password
-description
Mitigation device description
--help
Display this help message
-user
User


Auto Completion
For each command, sub-command, and argument, you can display their available sub-commands, arguments, and values by typing that
command, sub-command, or argument and then pressing the <TAB> key.

Example 1 Display the sub-commands for a top-level command


Type the following:

dfc-protected-obj <TAB>

This displays the following:

dfc-protected-object dfc-protected-object:add dfc-protected-object:delete
dfc-protected-object:edit dfc-protected-object:export-policy dfc-protected-object:list
dfc-protected-object:plan dfc-protected-object:reset-policy dfc-protected-object:show

Example 2 Display the arguments for a sub-command


Type the following:

dfc-network-group:add - <TAB>

This displays the following:

--help -description -element -name


Example 3 Display the values for an argument


Type the following:

dfc-mitigation-device:add -name DP8 -injection-type <TAB>

This displays the following:

FIXED_IPS TUNNELS

CLI Commands
This section includes the syntax, arguments, and descriptions for each of the CLI commands.
• dfc-alert, page 300
• dfc-bgp, page 301
• dfc-control, page 307
• dfc-core, page 308
• dfc-defensepro, page 312
• dfc-detection, page 317
• dfc-dns-white-list, page 318
• dfc-filter, page 318
• dfc-ha, page 320
• dfc-info, page 322
• dfc-interfaces, page 323
• dfc-license, page 325
• dfc-mitigation-device, page 325
• dfc-mitigation-group, page 328
• dfc-mitigation-tunnel, page 328
• dfc-monitor, page 329


• dfc-network-connect, page 345


• dfc-network-element, page 345
• dfc-network-group, page 347
• dfc-operation, page 347
• dfc-protected-network, page 350
• dfc-protected-object, page 351
• dfc-route-tag, page 365
• dfc-security-template, page 366
• dfc-snmp, page 366
• dfc-source-batching, page 368
• dfc-syslog, page 369
• dfc-system, page 369
• dfc-tools, page 369
• dfc-workflow, page 370
• dfc-workflow-rule, page 370

dfc-alert
The following commands are used with DefenseFlow alerts:
• dfc-alert:send — Sends an alert with a user-supplied message.
• dfc-alert:show — Configures alert printouts to the CLI console.

Table 140: dfc-alert:send/show Arguments
• enable — Print alerts to the CLI console. Mandatory: No. Values: {true|false}
• id — Alert ID. Mandatory: Yes. Values: Text
• message — User-provided message. Mandatory: Yes. Values: Text
• severity — Show alerts from this severity upward. Mandatory: No. Values: {DEBUG|INFO|WARNING|ERROR|FATAL}. Default: DEBUG


• dfc-alert:syslog-add — Adds a syslog destination.
• dfc-alert:syslog-delete — Deletes a syslog destination.
• dfc-alert:syslog-list — Lists syslog destinations.
• dfc-alert:syslog-show — Shows an alert syslog destination.

Table 141: dfc-alert:syslog Arguments
• description — Syslog description. Mandatory: No. Values: Text. Default: null
• ip — Syslog destination IP address. Mandatory: No. Values: IPv4, IPv6
• port — Syslog destination port. Mandatory: No. Values: Integer. Default: 514
• severity — Send alerts from this severity upward. Mandatory: No. Values: {DEBUG|INFO|WARNING|ERROR|FATAL}. Default: DEBUG

dfc-bgp
The following commands are used for DefenseFlow BGP:
• dfc-bgp:announcement-add — Adds a BGP announcement.
• dfc-bgp:announcement-delete — Deletes a BGP announcement.

Table 142: dfc-bgp:announcement Arguments
• communities — BGP FlowSpec communities. Specify several communities separated by spaces, for example "200:100 200:200". Mandatory: No. Values: Text
• next-hop — Next hop IP address. Mandatory: Yes. Values: IP address
• peer-ip — Peer IP address. Mandatory: Yes. Values: IP address
• target-network — Target network CIDR. Mandatory: Yes. Values: Network IP addresses and ranges


• dfc-bgp:flowspec-add — Adds a BGP FlowSpec.
• dfc-bgp:flowspec-delete — Deletes a BGP FlowSpec.
• dfc-bgp:flowspec-edit — Edits a BGP FlowSpec.
• dfc-bgp:flowspec-list — Lists BGP FlowSpec rules.
• dfc-bgp:flowspec-show — Shows a BGP FlowSpec.

Table 143: dfc-bgp:flowspec Arguments
• action-block — BGP FlowSpec action: block. Mandatory: No. Values: {true|false}
• action-rate-limit — BGP FlowSpec action: rate limit, in bytes per second. Mandatory: No. Values: Integer
• action-redirect-to-mitigation — BGP FlowSpec action: redirect to mitigation. Mandatory: No. Values: {true|false}
• action-redirect-to-mitigation-next-hop — BGP FlowSpec action: redirect to mitigation next hop. Supply the IP address used for routing. Mandatory: No. Values: IPv4, IPv6
• action-redirect-to-route-tag — BGP FlowSpec action: redirect to route tag. Enter an existing route tag name. Mandatory: No. Values: Text
• action-redirect-to-route-tag-target-route — BGP FlowSpec action: redirect to route tag target route. Mandatory: No.
• action-set-dscp — BGP FlowSpec action: set DSCP. Mandatory: No.
• communities — BGP FlowSpec communities. Specify several communities separated by spaces, for example "200:100 200:200". Mandatory: No. Values: Text
• description — BGP FlowSpec description. Mandatory: No. Values: Text
• destination-port — BGP FlowSpec filter for destination port. In addition to a single value, a range can be specified. For example, to match a value equal to 100 or a value between 80 and 90, including 80 and excluding 90, use ">=80&<90 100". Use & for "and" and a space for "or". Allowed operators: =, <, >, <=, >=. Mandatory: No. Values: Text
• destination-prefix — BGP FlowSpec filter for destination prefix. Mandatory: No. Values: List of IP addresses
• destination-type — BGP FlowSpec filter for destination type. Values: {ATTACKED_IP|ENTIRE_NETWORKS|SPECIFIC}
• dscp-filter — BGP FlowSpec filter for DSCP. Values: Integer, 0-63
• fragment — BGP FlowSpec filter for fragment. Mandatory: No. Values: {not-a-fragment|dont-fragment|is-fragment|first-fragment|last-fragment}
• flowspec-strictness-profile — BGP FlowSpec strictness profile name. Mandatory: No. Values: Text
• icmp-code — BGP FlowSpec filter for ICMP code. Mandatory: No. Values: {communication-prohibited-by-filtering|destination-host-prohibited|destination-host-unknown|destination-network-unknown|fragmentation-needed|host-precedence-violation|ip-header-bad|network-unreachable|network-unreachable-for-tos|||port-unreachable|redirect-for-host|redirect-for-network|redirect-for-tos-and-host|redirect-for-tos-and-net|required-option-missing|source-host-isolated|source-route-failed|ttl-eq-zero-during-reassembly|ttl-eq-zero-during-transit}
• icmp-type — BGP FlowSpec filter for ICMP type. Mandatory: No. Values: {echo-reply|echo-request|info-reply|info-request|mask-reply|mask-request|parameter-problem|redirect|router-advertisment|router-solicit|source-quench|time-exceeded|timestamp|timestamp-reply|unreachable}
• name — BGP FlowSpec name. Values: Text
• next-hop — BGP FlowSpec next hop. Mandatory: No. Values: IPv4, IPv6
• packet-length — BGP FlowSpec filter for packet length. Single values and ranges use the same syntax as destination-port. Mandatory: No. Values: Text
• peer-ip — Peer IP address. Mandatory: No. Values: IPv4, IPv6
• port — BGP FlowSpec filter for port (source or destination). Single values and ranges use the same syntax as destination-port. Mandatory: No. Values: Text
• protocol — BGP FlowSpec filter for protocol. Only a single protocol can be specified per flow rule. Mandatory: No. Values: {icmp|tcp|udp|gre}
• rate-limit — BGP FlowSpec action rate limit (in bytes per second). Mandatory: Yes, if the action is set to Rate Limit. Values: Integer
• source-port — BGP FlowSpec filter for source port. Single values and ranges use the same syntax as destination-port. Mandatory: No. Values: Integer
• source-prefix — BGP FlowSpec filter for source prefix. Mandatory: No. Values: List of IP addresses
• tcp-flag — BGP FlowSpec filter for TCP flag. Mandatory: No. Values: {fin|syn|rst|push|ack|urgent}
• vrf-id — BGP FlowSpec VRF identification string. Mandatory: No. Values: Text
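The range syntax that destination-port, packet-length, port and source-port accept (& for "and", a space for "or", operators =, <, >, <=, >=) is easy to get wrong, and the guide does not say what the CLI does with a contradictory or out-of-range expression. The following Python is an added example, not code from the guide or from DefenseFlow. It parses an expression exactly as described above, matches a value against it, and reduces each alternative to the closed intervals it can actually match within the field's domain, so that a contradictory rule such as ">=90&<80" or an out-of-range port such as 70000 is caught before the FlowSpec is announced. The parser, the interval reduction and the default 0..65535 domain are the example's own design.

```python
"""Added example (not Radware code): parse and check the numeric filter
expressions accepted by the port, source-port, destination-port and
packet-length arguments of dfc-bgp:flowspec-add."""
import operator
import re

# Operators the guide lists; a bare number means equality.
OPS = {"=": operator.eq, "<": operator.lt, ">": operator.gt,
       "<=": operator.le, ">=": operator.ge}
TERM_RE = re.compile(r"^(<=|>=|=|<|>)?(\d+)$")


def parse_numeric_filter(expr: str) -> list:
    """Return the expression as a list of alternatives (space = "or"), each a
    list of (operator, value) terms that must all hold (& = "and")."""
    alternatives = []
    for alt in expr.split():
        terms = []
        for term in alt.split("&"):
            m = TERM_RE.match(term)
            if not m:
                raise ValueError(f"bad term {term!r} in filter {expr!r}")
            terms.append((m.group(1) or "=", int(m.group(2))))
        alternatives.append(terms)
    if not alternatives:
        raise ValueError("empty filter expression")
    return alternatives


def matches(expr: str, value: int) -> bool:
    """True if 'value' is selected by the filter, e.g. ">=80&<90 100"
    selects 80..89 and 100."""
    return any(all(OPS[op](value, v) for op, v in terms)
               for terms in parse_numeric_filter(expr))


def _interval(terms, lo, hi):
    """Reduce one conjunction to a closed interval within [lo, hi], or None
    when the terms contradict each other or fall outside the domain."""
    eq = None
    for op, v in terms:
        if op == "=":
            if eq is not None and eq != v:
                return None
            eq = v
        elif op == "<":
            hi = min(hi, v - 1)
        elif op == "<=":
            hi = min(hi, v)
        elif op == ">":
            lo = max(lo, v + 1)
        else:  # ">="
            lo = max(lo, v)
    if eq is not None:
        return (eq, eq) if lo <= eq <= hi else None
    return (lo, hi) if lo <= hi else None


def satisfiable_ranges(expr: str, lo: int = 0, hi: int = 65535) -> list:
    """Closed intervals the filter can match within the field's domain
    (16-bit ports by default; pass hi=63 for dscp-filter). An empty list
    means the rule can never match and should be rejected before it is
    announced."""
    return [r for r in (_interval(t, lo, hi) for t in parse_numeric_filter(expr))
            if r is not None]


if __name__ == "__main__":
    print(satisfiable_ranges(">=80&<90 100"))   # [(80, 89), (100, 100)]
    print(satisfiable_ranges(">=90&<80"))       # []  (contradictory)
    print(satisfiable_ranges("70000"))          # []  (outside the port range)
```

Run satisfiable_ranges() on every port and packet-length expression in a change before issuing dfc-bgp:flowspec-add; an empty result is a rule that will be accepted into the FlowSpec table but never select a packet.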


• dfc-bgp-flowspec-group:add — Adds a BGP FlowSpec group.
• dfc-bgp-flowspec-group:delete — Deletes a BGP FlowSpec group.
• dfc-bgp-flowspec-group:edit — Edits a BGP FlowSpec group.
• dfc-bgp-flowspec-group:list — Lists BGP FlowSpec groups.
• dfc-bgp-flowspec-group:show — Shows a BGP FlowSpec group.

Table 144: dfc-bgp-flowspec-group Arguments
• flow — Names of the associated BGP FlowSpecs. Mandatory: Yes. Values: Multiple values can be specified (-flow value1 -flow value2)
• name — BGP FlowSpec group name. Mandatory: Yes. Values: Text
• description — BGP FlowSpec group description. Mandatory: No. Values: Text

• dfc-bgp:global-list — Lists the BGP global settings.
• dfc-bgp:global-set-local-asn — Updates the BGP global local ASN.
• dfc-bgp:global-set-router-id — Updates the BGP global router ID.
• dfc-bgp:global-set-hold-time — Updates the BGP global hold time.

Table 145: dfc-bgp:global Arguments
• value — Local ASN (with global-set-local-asn). Mandatory: Yes. Values: Integer
• value — Hold time in seconds (with global-set-hold-time). Mandatory: Yes. Values: Integer

• dfc-bgp:peer-add — Adds a BGP peer.
• dfc-bgp:peer-delete — Deletes a BGP peer.

Table 146: dfc-bgp:peer Arguments
• hold-time — Hold time (seconds). Mandatory: Yes. Values: Integer
• local-asn — Local ASN. Mandatory: Yes. Values: Integer
• local-ip — Local IP. Mandatory: Yes. Values: IPv4, IPv6
• md5 — MD5 key (the TCP MD5 session password shared with the peer). Mandatory: Yes. Values: Text
• network-use — BGP network. Mandatory: No. Values: {BGP|BGP_2|BGP_3}
• peer-asn — Peer ASN. Mandatory: Yes. Values: Integer
• peer-ip — Peer IP address. Mandatory: Yes. Values: IPv4, IPv6
• restart — Graceful Restart. Mandatory: Yes. Values: {true|false}
• restart-time — Graceful Restart time. Mandatory: Yes. Values: Integer
• router-id — Router ID. Mandatory: Yes. Values: Text
• route-refresh — Route Refresh. Mandatory: Yes. Values: {true|false}

• dfc-bgp:peer-reset — Resets the BGP peer.

Table 147: dfc-bgp:peer-reset Arguments
• name — Network element name. Mandatory: Yes. Values: Text
• seconds — The number of seconds the peer remains deleted before it is re-added. Mandatory: Yes. Values: Integer. Default: 30

• dfc-bgp:service-action — Controls the BGP service.

Table 148: dfc-bgp:service-action Arguments
• action — Action to perform on BGP. Mandatory: Yes. Values: {START|STOP|RESTART|STATUS|RELOAD}

dfc-box
The following commands are used with DefenseFlow box services:
• dfc-box:list — Lists box services.

Table 149: dfc-box:list Arguments
• refresh — Auto-refreshes the list every X seconds. Mandatory: No. Values: Integer

• dfc-box:wait — Waits for at least one box service connection.

dfc-control
The following commands are used with DefenseFlow control elements:
• dfc-control:add — Adds a control element.
• dfc-control:delete — Deletes a control element.
• dfc-control:edit — Edits a control element.
• dfc-control:list — Lists control elements.
• dfc-control:show — Shows a control element.

Table 150: dfc-control Arguments
• admin-status — Admin status. Mandatory: No. Values: {ENABLED|DISABLED}
• bgp-listener-communities — Community. Mandatory: No. Values: Text. Multiple values can be specified (-bgp-listener-communities value1 -bgp-listener-communities value2)
• description — Control element description. Mandatory: No. Values: Text
• detector-port — Detector port (for example, the incoming syslog port). Mandatory: No. Values: Integer
• detector-protocol — Detector protocol. Mandatory: No. Values: {TCP|UDP}
• driver — Name of the handling driver. Mandatory: Yes. Values: Text
• genie-standby-ip — Genie standby IP address. Mandatory: No. Values: IPv4, IPv6
• ip — IP address. Mandatory: No. Values: IPv4, IPv6
• management-port — Management port. Mandatory: No. Values: Integer
• management-protocol — Management protocol. Mandatory: No. Values: {SSH|HTTPS|HTTP}
• name — Control element name. Mandatory: Yes. Values: Text
• password — Password. Mandatory: No. Values: Text
• type — Type. Mandatory: Yes. Values: {THIRD_PARTY_DETECTOR|RADWARE_APPWALL|BGP_LISTENER}
• uri — HTTPS URI. Mandatory: No. Values: Text
• user — User. Mandatory: No. Values: Text

• dfc-control:driver-list — Lists drivers. This command has no arguments.
• dfc-control:driver-upload — Uploads a new or updated driver.

Table 151: dfc-control:driver-upload Arguments
• path — Path to the driver X.tar.gz file. Mandatory: No. Values: Text

dfc-core
The following commands are used with the DefenseFlow core:
• dfc-core:configuration-dump — Dumps the configuration.
• dfc-core:configuration-export — Exports the configuration.

Table 152: dfc-core:configuration-dump/export Arguments
• path — Path of the exported file. Mandatory: No. Values: Text

• dfc-core:configuration-get — Shows configuration settings.

Table 153: dfc-core:configuration-get Arguments
• name — Search pattern for the configuration name. Mandatory: No. Values: Text, maximum 80 characters
• modified — Select only modified configuration. Mandatory: No. Values: {true|false}. Default: false
• value — Configuration value. Mandatory: No. Values: Text

Note: You can set the maximum number of BGP FlowSpec announcements with the following command:
dfc-core:configuration-set -name dfc.bgp.flowspec.announcements.system.max.limit -value max_value
Default: 0 (no limit). Maximum value: 92233720368547758

• dfc-core:configuration-import — Imports a configuration.

Table 154: dfc-core:configuration-import Arguments
• delete-existing-configuration — true: delete the existing configuration; false: append to the existing configuration. Mandatory: No. Values: {true|false}
• path — Path to the configuration file. Mandatory: Yes. Values: Text

• dfc-core:configuration-set — Sets configuration settings.

Table 155: dfc-core:configuration-set Arguments
• force — Force the update of a restricted configuration setting. Mandatory: No. Values: {true|false}
• name — Configuration key name. Mandatory: Yes. Values: Text
• value — Configuration value. Mandatory: Yes. Values: Text
• dfc-core:create-help — Creates the help file.

Table 156: dfc-core:create-help Arguments
• create-help-as-file — Create help as a file. Mandatory: No. Values: {true|false}
• delete-help-files — Delete help files. Mandatory: No. Values: {true|false}
• path — Path of the exported help file. Mandatory: No. Values: Text

• dfc-core:dashboard-attacks-cleanup — Cleans all attacks sent to the APSolute Vision dashboard.
• dfc-core:init-database — Initializes the DefenseFlow database.

Table 157: dfc-core:init-database Arguments
• delete-configuration — Delete configuration. Mandatory: Yes. Values: {true|false}
• delete-geo-feed — Delete geolocation feed. Mandatory: Yes. Values: {true|false}
• delete-license — Delete license. Mandatory: Yes. Values: {true|false}

• dfc-core:log-file — Sends the log to a file.

Table 158: dfc-core:log-file Arguments
• create — true = create, false = delete. Mandatory: Yes. Values: {true|false}. Default: true
• file — Log file name. Mandatory: Yes. Values: Text


• dfc-core:log-level — Sets the dfc.full.log log level.

Table 159: dfc-core:log-level Arguments
• appender-name — Appender name. Mandatory: No. Values: Text
• level — Log level. Mandatory: Yes. Values: {TRACE|DEBUG|INFO}

• dfc-core:log-protected-object — Logs a message for a protected object.

Table 160: dfc-core:log-protected-object Arguments
• message — Message to log. Mandatory: Yes. Values: Text
• protected-object — Protected object name. Mandatory: Yes. Values: Text

• dfc-core:remove-attacks-by-sequences — Takes a list of attack sequences from the user and deletes those attacks.

Table 161: dfc-core:remove-attacks-by-sequences Arguments
• sequence — Attack sequence to remove. These are the attacks displayed by the dfc-monitor:attacks-list command and on the APSolute Vision dashboard. Mandatory: No. Values: Text. Multiple values can be specified, for example: -sequence value1 -sequence value2

• dfc-core:support-file-create — Creates a support file.

Table 162: dfc-core:support-file-create Arguments
• path — Path to the support file. Mandatory: No. Values: Text
• include-key — Include the security key in the support file. A support file created with -include-key true contains key material and must be stored and transmitted as a secret. Mandatory: No. Values: {true|false}. Default: false

• dfc-core:support-file-delete — Delete all support files.


• dfc-core:vision-register — Registers DefenseFlow in APSolute Vision.

Table 163: dfc-core:vision-register Arguments
• ip — IP address of the APSolute Vision management interface. Mandatory: Yes. Values: IPv4, IPv6
• password — Password of the DefenseFlow system user in APSolute Vision. Mandatory: Yes. Values: Text
• user — User name of the DefenseFlow system user in APSolute Vision. Mandatory: Yes. Values: Text

• dfc-core:vision-set-active — Sets the DefenseFlow active node IP in APSolute Vision.
• dfc-core:vision-get-active — Gets the DefenseFlow active node IP from APSolute Vision.

dfc-defensepro
The following commands are used with DefensePro:
• dfc-defensepro:check-dns — Checks whether DNS is enabled.
• dfc-defensepro:data-route-create — Creates a data route.
• dfc-defensepro:data-route-delete — Deletes a data route.
• dfc-defensepro:dynamic-run — Dynamically runs a command.
• dfc-defensepro:get-status — Gets the DefensePro status.
• dfc-defensepro:list-templates — Lists security template files.
• dfc-defensepro:policy-delete — Deletes a policy from DefensePro.
• dfc-defensepro:policy-export — Exports a policy from DefensePro.
• dfc-defensepro:policy-to-template — Creates a template from a policy file.

Table 164: dfc-defensepro:check-dns, data-route-delete, dynamic-run, get-status, list-templates, policy Arguments
• cli-password — CLI password. Mandatory: Yes. Values: Text
• cli-user — CLI user. Mandatory: Yes. Values: Text
• defensepro-ip — DefensePro management IP address. Mandatory: Yes. Values: IPv4, IPv6
• defensepro-version — DefensePro version. Mandatory: Yes. Values: Text
• destination-network — Destination network. Mandatory: Yes. Values: IPv4, IPv6
• https-user — HTTPS user. Mandatory: Yes. Values: Text
• https-password — HTTPS password. Mandatory: Yes. Values: Text
• snmp-v2-read-community — SNMP V1/V2 read community. Mandatory: Yes. Values: Text
• snmp-v2-write-community — SNMP V1/V2 write community. Mandatory: Yes. Values: Text
• snmp-v3-authentication-password — SNMP V3 authentication password. Mandatory: Yes. Values: Text
• snmp-v3-authentication-protocol — SNMP V3 authentication protocol. Mandatory: Yes. Values: Text
• snmp-v3-privacy-password — SNMP V3 privacy password. Mandatory: Yes. Values: Text
• snmp-v3-privacy-protocol — SNMP V3 privacy protocol. Mandatory: Yes. Values: Text
• snmp-v3-use-privacy — SNMP V3 use privacy. Mandatory: Yes. Values: {true|false}
• snmp-v3-user — SNMP V3 user. Mandatory: Yes. Values: Text
• snmp-version — SNMP version. Mandatory: Yes. Values: {V1|V2|V3}
• snmp-v3-use-authentication — SNMP V3 use authentication. Mandatory: Yes. Values: {true|false}

Note: With -snmp-version V1 or V2, the read and write community strings are sent in cleartext, and the write community grants configuration access to DefensePro. Unless the management path to DefensePro is isolated, use V3 with -snmp-v3-use-authentication true and -snmp-v3-use-privacy true.

• dfc-defensepro:add-blacklist — Adds an entity row to a black list.


• dfc-defensepro:add-whitelist — Adds an entity row to a white list.
• dfc-defensepro:remove-blacklist — Removes an entity row from a black list.
• dfc-defensepro:remove-whitelist — Removes an entity row from a white list.

Table 165: dfc-defensepro:add/remove blacklist/whitelist Arguments
• cli-password — CLI password. Mandatory: Yes. Values: Text
• cli-user — CLI user. Mandatory: Yes. Values: Text
• defensepro-ip — DefensePro management IP address. Mandatory: Yes. Values: IPv4, IPv6
• defensepro-version — DefensePro version. Mandatory: Yes. Values: Text
• destination-network — Destination network. Mandatory: Yes. Values: IPv4, IPv6
• destinationPort — Destination port. Mandatory: Yes. Values: Integer
• filterName — Name of the entity row in the black/white list table. Mandatory: Yes. Values: Text
• https-user — HTTPS user. Mandatory: Yes. Values: Text
• https-password — HTTPS password. Mandatory: Yes. Values: Text
• protocol — Protocol type. Mandatory: Yes. Values: Text
• snmp-v2-read-community — SNMP V1/V2 read community. Mandatory: Yes. Values: Text
• snmp-v2-write-community — SNMP V1/V2 write community. Mandatory: Yes. Values: Text
• snmp-v3-authentication-password — SNMP V3 authentication password. Mandatory: Yes. Values: Text
• snmp-v3-authentication-protocol — SNMP V3 authentication protocol. Mandatory: Yes. Values: Text
• snmp-v3-privacy-password — SNMP V3 privacy password. Mandatory: Yes. Values: Text
• snmp-v3-privacy-protocol — SNMP V3 privacy protocol. Mandatory: Yes. Values: Text
• snmp-v3-use-privacy — SNMP V3 use privacy. Mandatory: Yes. Values: {true|false}
• snmp-v3-user — SNMP V3 user. Mandatory: Yes. Values: Text
• snmp-version — SNMP version. Mandatory: Yes. Values: {V1|V2|V3}
• snmp-v3-use-authentication — SNMP V3 use authentication. Mandatory: Yes. Values: {true|false}
• sourcePort — Source port. Mandatory: Yes. Values: Integer
• version — DefensePro version. Mandatory: Yes. Values: Text

• dfc-defensepro:set-precedence — Sets the precedence of the filter list type.

Table 166: dfc-defensepro:set-precedence Arguments
• cli-password — CLI password. Mandatory: Yes. Values: Text
• cli-user — CLI user. Mandatory: Yes. Values: Text
• defensepro-ip — DefensePro management IP address. Mandatory: Yes. Values: IPv4, IPv6
• destination-network — Destination network. Mandatory: Yes. Values: IPv4, IPv6
• filterlist — The filter list that takes precedence. Mandatory: Yes. Values: {BLACK|WHITE}. Default: BLACK
• https-user — HTTPS user. Mandatory: Yes. Values: Text
• https-password — HTTPS password. Mandatory: Yes. Values: Text
• snmp-v2-read-community — SNMP V1/V2 read community. Mandatory: Yes. Values: Text
• snmp-v2-write-community — SNMP V1/V2 write community. Mandatory: Yes. Values: Text
• snmp-v3-authentication-password — SNMP V3 authentication password. Mandatory: Yes. Values: Text
• snmp-v3-authentication-protocol — SNMP V3 authentication protocol. Mandatory: Yes. Values: Text
• snmp-v3-privacy-password — SNMP V3 privacy password. Mandatory: Yes. Values: Text
• snmp-v3-privacy-protocol — SNMP V3 privacy protocol. Mandatory: Yes. Values: Text
• snmp-v3-use-privacy — SNMP V3 use privacy. Mandatory: Yes. Values: {true|false}
• snmp-v3-user — SNMP V3 user. Mandatory: Yes. Values: Text
• snmp-version — SNMP version. Mandatory: Yes. Values: {V1|V2|V3}
• snmp-v3-use-authentication — SNMP V3 use authentication. Mandatory: Yes. Values: {true|false}

• dfc-defensepro:vdirect-restart — Restarts the vDirect service. This command has no arguments.

dfc-detection
The following commands are used for DefenseFlow detection:
• dfc-detection:add — Adds a detection.
• dfc-detection:delete — Deletes a detection.
• dfc-detection:edit — Edits a detection.
• dfc-detection:list — Lists detections.
• dfc-detection:show — Shows a detection.

Table 167: dfc-detection Arguments
• bdos — BDoS control element used for detection. Mandatory: No. Values: Text
• bdos-complete — BDoS control element that detects for the entire protected object. Mandatory: No. Values: Text
• bdos-granular — Granular BDoS control element used for detection. Mandatory: No. Values: Text
• description — Detection description. Mandatory: No. Values: Text
• external-detector — Third-party detectors used for detection. Mandatory: No. Values: Multiple values can be specified (-external-detector value1 -external-detector value2)
• mitigation — Mitigation group used for detection. Mandatory: No. Values: Multiple values can be specified (-mitigation value1 -mitigation value2)
• name — Detection name. Mandatory: Yes. Values: Text
• threshold — Threshold control element used for detection. Mandatory: No. Values: Text
• threshold-complete — Threshold control element that detects for the entire protected object. Mandatory: No. Values: Text
• threshold-granular — Granular threshold control element used for detection. Mandatory: No. Values: Text


dfc-dns-white-list
The following commands are used for DefenseFlow DNS white lists:
• dfc-dns-white-list:add — Adds a DNS white list.
• dfc-dns-white-list:delete — Deletes a DNS white list.
• dfc-dns-white-list:export — Exports a DNS white list.
• dfc-dns-white-list:list — Lists the DNS white lists.

Table 168: dfc-dns-white-list Arguments
• content — The DNS white list content. Do not set this argument when the path argument is set. Mandatory: No. Values: Text
• name — DNS white list name. Mandatory: Yes. Values: Text
• path — When adding a DNS white list, the location of the DNS white list import file (do not set this argument when the content argument is set); when exporting a DNS white list, the path of the exported file. Mandatory: No. Values: Text

dfc-filter
The following commands are used for DefenseFlow filters:
• dfc-filter-group:add — Adds a filter group.
• dfc-filter-group:delete — Deletes a filter group.
• dfc-filter-group:edit — Edits a filter group.

Table 169: dfc-filter-group Arguments
• description — Filter group description. Mandatory: Yes. Values: Text
• name — Filter group name. Mandatory: Yes. Values: Text
• list — Names of the associated filter lists. Mandatory: No. Values: Multiple values can be specified (-list value1 -list value2)

• dfc-filter-group:list — Lists filter groups. This command has no arguments.
• dfc-filter-group:show — Shows a filter group.

Table 170: dfc-filter-group:show Arguments
• name — Filter group name. Mandatory: Yes. Values: Text

• dfc-filter-list:add — Adds a filter list.
• dfc-filter-list:delete — Deletes a filter list.
• dfc-filter-list:edit — Edits a filter list.

Table 171: dfc-filter-list Arguments
• addresses — Network addresses. Mandatory: No. Values: IPv4, IPv6
• description — Filter list description. Mandatory: Yes. Values: Text
• name — Filter list name. Mandatory: Yes. Values: Text

• dfc-filter-list:list — Lists filter lists. This command has no arguments.
• dfc-filter-list:show — Shows a filter list.

Table 172: dfc-filter-list:show Arguments
• name — Filter list name. Mandatory: Yes. Values: Text


dfc-ha
The following commands are used for DefenseFlow High Availability or for APSolute Vision configuration synchronization, as appropriate:
• dfc-ha:add — Adds a High Availability node.
• dfc-ha:delete — Deletes a High Availability node.
• dfc-ha:diagnose — Diagnoses the current High Availability node. This command has no arguments.
• dfc-ha:edit — Edits the High Availability configuration.

Table 173: dfc-ha:edit Arguments
• admin-status — Admin status. Mandatory: Yes. Values: {ENABLED|DISABLED}

• dfc-ha:failover — Fails over to the other node.

Table 174: dfc-ha:add/delete/failover Arguments
• standby-ip — For add, the IP address of the Standby node. Mandatory: Yes. Values: IPv4, IPv6
• force — For add, reruns adding the Standby node even if it has already been added. For delete and failover, ignores failures even if the other node is not available. Mandatory: No. Values: {true|false}

• dfc-ha:list — Lists High Availability nodes.

Table 175: dfc-ha:list Arguments
• refresh — Auto-refreshes the list every X seconds. Mandatory: No. Values: Integer

• dfc-ha:run-cli — Runs a CLI command on the other High Availability node.

Document ID: RDWR-DF-V42000_UG2106 320


DefenseFlow Installation and User Guide
CLI Commands

Table 176: df-ha:run-cli Arguments

Argument Description Mandatory Values


cli The CLI command to tun on the other High Yes Text
Availability node.

• dfc-ha:recover — Recovers a node as a standalone node.


This command has no arguments.
• dfc-ha:sync — Forces a sync from the Active to the Standby node.
This command has no arguments.
• dfc-ha:upgrade-prepare — Prepares for an upgrade.
This command has no arguments.
• dfc-ha:vision-failover — After manually switching between the active and standby instances in APSolute Vision, run this command so that DefenseFlow recognizes the switch.
This command has no arguments.
• dfc-ha:vision-list — Lists APSolute Vision configuration-synchronization instances.

Table 177: dfc-ha:vision-list Arguments

Argument Description Mandatory Values


refresh Auto refresh the list every x seconds No Integer

• dfc-ha:vision-register-standby — Registers the APSolute Vision configuration-synchronization standby node.


Table 178: dfc-ha:vision-register-standby Arguments

Argument Description Mandatory Values


ip IP address of the APSolute Vision standby instance. Yes IPv4

Note: After configuring the APSolute Vision standby instance on both the APSolute Vision active and standby instances (the APSolute Vision System Configuration-Synchronization feature), run this command so that DefenseFlow recognizes the instances. For more information on that feature, refer to the APSolute Vision User Guide.

dfc-info
The following commands are used for DefenseFlow information:
• dfc-info:actor-ping — Pings an actor.
• dfc-info:actors-list — Lists actors.
• dfc-info:actors-statistics — Shows actor statistics.
• dfc-info:actors-statistics-reset — Resets actor statistics.

Table 179: dfc-info:actors Arguments

Argument Description Mandatory Values


filter Filter actors No {FAIL|SUCCESS}
path Actor path Yes Text
pattern List only progresses and sub-tasks that match specific patterns No Text
refresh Auto refresh the list every X seconds No Integer


• dfc-info:problem-list — Lists current problems.

Table 180: dfc-info:problem-list Arguments

Argument Description Mandatory Values


show-ignored Also show ignored messages Yes {HIDE_IGNORED|SHOW_ONLY_IGNORED|SHOW_ALL} Default: HIDE_IGNORED

• dfc-info:problem-handle — Ignores, shows, or deletes problems.

Table 181: dfc-info:problem-handle Arguments

Argument Description Mandatory Values


id ID to configure Yes {ID|ALL}
action Action to perform Yes {SHOW|HIDE|DELETE}

• dfc-info:progress-list — Lists progresses.
• dfc-info:status-list — Lists DefenseFlow statuses.
• dfc-info:status-reset — Resets DefenseFlow statuses.

dfc-interfaces
The following commands are used with DefenseFlow interfaces.
• dfc-interfaces:associate-edit — Edits the network interface association.

Table 182: dfc-interfaces:associate-edit Arguments

Argument Description Mandatory Values


interface The interface name (for example, G2). Yes Text
network The network type that uses the interface. Yes {VISION|DEFENSE_PRO|BGP|CONTROL|ALERT_SYSLOG}

• dfc-interfaces:associate-show — Shows network interface association.


Table 183: dfc-interfaces:associate-show Arguments

Argument Description Mandatory Values


network The network type that uses the interface. Yes {VISION|DEFENSE_PRO|BGP|CONTROL|ALERT_SYSLOG}

• dfc-interfaces:edit — Edits interface configurations.

Table 184: dfc-interfaces:edit Arguments

Argument Description Mandatory Values


admin-status Admin status Yes {ENABLED|DISABLED}
interface The interface name (for example, G2). Yes Text
ipv4-address IPv4 address (A.B.C.D format) No IPv4
ipv4-gateway IPv4 gateway address (A.B.C.D format) No IPv4
ipv6-address IPv6 address No IPv6
ipv6-gateway IPv6 gateway address No IPv6
ipv4-mask IPv4 mask (A.B.C.D format) No IPv4
ipv6-mask IPv6 mask No IPv6
mode Mode No

• dfc-interfaces:show — Shows interface configuration.

Table 185: dfc-interfaces:show Arguments

Argument Description Mandatory Values


interface The interface name (for example, G2). Yes Text

• dfc-interfaces:static-add — Adds a static route.
• dfc-interfaces:static-delete — Deletes a static route.


Table 186: dfc-interfaces:static-add/delete Arguments

Argument Description Mandatory Values


ip-address IP address (A.B.C.D format) No IPv4
interface The interface name (for example, G2). Yes Text

• dfc-interfaces:routes-list — Lists routes.
This command has no arguments.

dfc-license
The following commands are used for DefenseFlow licensing.
• dfc-license:apply — Applies a license.
• dfc-license:show — Shows a license.

Table 187: dfc-license Arguments

Argument Description Mandatory Values


bdos-license Protected object BDoS license No Text
control-license Cyber control license No Text

• dfc-license:cleanup — Removes all licenses so you can create a new valid license.
• dfc-license:mac-reset — Resets the license MAC address.
• dfc-license:validate — Validates a license.

dfc-mitigation-device
The following commands are used with DefenseFlow mitigation devices:
• dfc-mitigation-device:add — Adds a mitigation device.

Note: The mitigation device must be added in APSolute Vision before it is added through the CLI, and the mitigation device must have the same name in both.


• dfc-mitigation-device:delete — Deletes a mitigation device.
• dfc-mitigation-device:edit — Edits a mitigation device.
• dfc-mitigation-device:list — Lists mitigation devices.
• dfc-mitigation-device:show — Shows mitigation devices.

Table 188: dfc-mitigation-device Arguments

Argument Description Mandatory Values


address Mitigation device management IP address Yes IPv4, IPv6
admin-status Admin status No {ENABLED|DISABLED}
cli-password CLI password Yes Text
cli-user CLI user Yes Text
description Mitigation device description No Text
diversion-address-ipv4 Diversion target IPv4 address No IPv4
diversion-address-ipv6 Diversion target IPv6 address No IPv6
group Mitigation device group names No Multiple values can be specified: value1 value2 ...
https-password HTTPS password No Text
https-user HTTPS user No Text
injection-ip Clean traffic single injection IP (clean route target) No Multiple values can be specified: value1 value2 ...
injection-type Clean traffic injection type Yes {FIXED_IPS|TUNNELS}
managed This device is managed by DefenseFlow No {true|false} Default: true
network-element Physically attached network elements No Multiple values can be specified: value1 value2 ...
name Mitigation device name Yes Text
password Password No Text
smart-tap Mitigation device is connected as a smart tap. Used for traffic utilization aggregation. No {true|false} Default: false

snmp-version SNMP version No {V1|V2|V3}
snmp-v2-read-community SNMP v1/v2 read community No Text
snmp-v2-write-community SNMP v1/v2 write community No Text
snmp-v3-authentication-password SNMP v3 authentication password No Text
snmp-v3-authentication-protocol SNMP v3 authentication protocol No Text
snmp-v3-privacy-password SNMP v3 privacy password No Text
snmp-v3-privacy-protocol SNMP v3 privacy protocol No Text
snmp-v3-use-authentication SNMP v3 use authentication No {true|false}
snmp-v3-use-privacy SNMP v3 use privacy No {true|false}
snmp-v3-user SNMP v3 user No Text
tier Mitigation device tier. Used for traffic utilization aggregation. No Integer. Default: 1 if the mitigation device does not act as a DPaaD, 2 if it does.
type Mitigation device type No {DEFENSE_PRO|THIRD_PARTY}
version Mitigation device version No Text

Note: SNMP v1/v2 community strings are transmitted in cleartext. Where the management path to the mitigation device is not trusted, use snmp-version V3 with snmp-v3-use-authentication and snmp-v3-use-privacy set to true.


dfc-mitigation-group
The following commands are used with DefenseFlow mitigation groups.
• dfc-mitigation-group:add — Adds a mitigation device group.
• dfc-mitigation-group:delete — Deletes a mitigation device group.
• dfc-mitigation-group:edit — Edits a mitigation device group.
• dfc-mitigation-group:list — Lists mitigation device groups.
• dfc-mitigation-group:show — Shows a mitigation device group.

Table 189: dfc-mitigation-group Arguments

Argument Description Mandatory Values


description Mitigation device group description No Text
diversion-address-ipv4 Cluster diversion IPv4 address (should be configured on the appropriate router) No IPv4
diversion-address-ipv6 Cluster diversion IPv6 address (should be configured on the appropriate router) No IPv6
mitigation Associated mitigation device names No Multiple values can be specified: value1 value2 ...
name Mitigation device group name Yes Text

dfc-mitigation-tunnel
The following commands are used with DefenseFlow mitigation tunnels:
• dfc-mitigation-tunnel:add — Adds a mitigation device GRE tunnel.
• dfc-mitigation-tunnel:delete — Deletes a mitigation device GRE tunnel.
• dfc-mitigation-tunnel:edit — Edits a mitigation device GRE tunnel.
• dfc-mitigation-tunnel:list — Lists mitigation device GRE tunnels.
• dfc-mitigation-tunnel:show — Shows a mitigation device GRE tunnel.

Table 190: dfc-mitigation-tunnel Arguments

Argument Description Mandatory Values


description Description No Text

mitigation Name of the mitigation device starting the tunnel Yes Text
network-group Name of the network group ending the tunnel Yes (either route-tag or network-group must be specified) Text
tunnel-ip Tunnel IP address Yes IPv4, IPv6
route-tag Name of the route tag ending the tunnel Yes (either route-tag or network-group must be specified) Text

dfc-monitor
The following commands are used for DefenseFlow monitoring:
• dfc-monitor:action-activate — Activates a protection.

Table 191: dfc-monitor:action-activate Arguments

Argument Description Mandatory Values


attack-volume Attack volume for bandwidth capacity planning. The default unit is bits per second. No The following units can be specified: K, M, G, T
bgp-community-custom BGP custom community string. No Multiple values can be specified: value1 value2 ...
bgp-community-well-known BGP well-known community string No Multiple values can be specified: value1 value2 ... {NO_EXPORT|NO_ADVERTISE|NO_EXPORT_SUBCONFED|NOPEER}
bgp-flow-spec-action-block BGP FlowSpec action block. No {true|false}
bgp-flow-spec-action-rate-limit BGP FlowSpec action rate limit (in bytes per second). No Integer

bgp-flow-spec-action-redirect-to-mitigation BGP FlowSpec action redirect to mitigation. No {true|false}
bgp-flow-spec-action-redirect-to-route-tag BGP FlowSpec action redirect to route tag. Enter an existing route tag name. No Text
bgp-flow-spec-action-type BGP FlowSpec action No Text
bgp-flow-spec-dscp BGP FlowSpec filter for DSCP No Text
bgp-flow-spec-destination-port BGP FlowSpec filter for destination port. In addition to a single value, a range can be specified. For example, to specify a value equal to 100, or a value between 80 and 90 including 80 and excluding 90, use ">=80&<90 100". For "and" use &, for "or" use a space. Allowed operators are =, <, >, <=, >=. No Integer
bgp-flow-spec-destination-prefix BGP FlowSpec filter for destination prefix No List of IP addresses
bgp-flow-spec-destination-type BGP FlowSpec filter for destination type No {ATTACKED_IP|ENTIRE_NETWORKS|SPECIFIC}
bgp-flow-spec-dscp-filter BGP FlowSpec filter for DSCP. No Integer. Values: 0-63
bgp-flow-spec-fragment BGP FlowSpec filter for fragment No {not-a-fragment|dont-fragment|is-fragment|first-fragment|last-fragment}

bgp-flow-spec-icmp-code BGP FlowSpec filter for ICMP code No {communication-prohibited-by-filtering|destination-host-prohibited|destination-host-unknown|destination-network-unknown|fragmentation-needed|host-precedence-violation|ip-header-bad|network-unreachable|network-unreachable-for-tos|||port-unreachable|redirect-for-host|redirect-for-network|redirect-for-tos-and-host|redirect-for-tos-and-net|required-option-missing|source-host-isolated|source-route-failed|ttl-eq-zero-during-reassembly|ttl-eq-zero-during-transit}
bgp-flow-spec-icmp-type BGP FlowSpec filter for ICMP type No {echo-reply|echo-request|info-reply|info-request|mask-reply|mask-request|parameter-problem|redirect|router-advertisment|router-solicit|source-quench|time-exceeded|timestamp|timestamp-reply|unreachable}
bgp-flow-spec-packet-length BGP FlowSpec filter for packet length. Same single-value and range syntax as bgp-flow-spec-destination-port. No Integer
bgp-flow-spec-port BGP FlowSpec filter for port. Same single-value and range syntax as bgp-flow-spec-destination-port. No Integer
bgp-flow-spec-protocol BGP FlowSpec filter for protocol. Only a single protocol can be specified per flow rule. No {icmp|tcp|udp|gre}
bgp-flow-spec-rate-limit BGP FlowSpec action rate limit (in bytes per second) No Integer

bgp-flow-spec-source-port BGP FlowSpec filter for source port. Same single-value and range syntax as bgp-flow-spec-destination-port. No Integer
bgp-flow-spec-source-prefix BGP FlowSpec filter for source prefix No List of IP addresses
bgp-flow-spec-tcp-flag BGP FlowSpec filter for TCP flag No {fin|syn|rst|push|ack|urgent}
minimum-advertised-ipv4 Override the default IPv4 minimum prefix for BGP announcements. No {true|false}
minimum-advertised-ipv6 Override the default IPv6 minimum prefix for BGP announcements. No {true|false}
mitigation-group Override the strategy mitigation group. No Text
network Network in IP/prefix format; IPv4 and IPv6 can be specified. If not specified, all the protected networks are selected. No Multiple values can be specified: value1 value2 ...
operation Override the operation to use. No Text
override-network-use-all Activate all the configured protected object networks. Relevant for the activate action only. No {true|false}
protected-object Protected object name Yes Text
track Track the action progress. No {true|false}
use-bgp-community Use BGP communities No Text
use-busy-devices Use mitigation devices even if they are busy or their free bandwidth cannot hold the attack volume. No {true|false} Default: false


• dfc-monitor:action-activate-simple — Activates a protection in a simple manner.

Table 192: dfc-monitor:action-activate-simple Arguments

Argument Description Mandatory Values


network Network in IP/prefix format; IPv4 and IPv6 can be specified. If not specified, all the protected networks are selected. No Multiple values can be specified: value1 value2 ...
protected-object Protected object name Yes Text
track Track the action progress. No {true|false}

• dfc-monitor:action-deactivate — Deactivates a protection.

Table 193: dfc-monitor:action-deactivate Arguments

Argument Description Mandatory Values


network The protected network to deactivate. If not specified, all the protections are deactivated. No Multiple values can be specified: value1 value2 ...
operation-filter Operation filter. This is used to identify the actual entity for which to perform the action. No Text
protected-object Protected object name Yes Text
track Track the action progress. No {true|false}

• dfc-monitor:action-cancel — Cancels all protections, and changes them to manual mode.

Table 194: dfc-monitor:action-cancel Arguments

Argument Description Mandatory Values


protected-object Protected object name Yes Text
track Track the action progress. No {true|false}

• dfc-monitor:attacks-list — Lists current attacks.


Table 195: dfc-monitor:attacks Arguments

Argument Description Mandatory Values


protected-object Protected object name No Text
refresh Auto refresh the list every X seconds No Integer

• dfc-monitor:bdos-activate — Activates BDoS for a protected object.

Table 196: dfc-monitor:bdos-activate Arguments

Argument Description Mandatory Values


protected-object Protected object name Yes Text

• dfc-monitor:bdos-adjust — Adjusts the BDoS baseline and standard deviation.
• dfc-monitor:bdos-granular-delete — Deletes BDoS granular learned statistics.
• dfc-monitor:bdos-recreate — Resets BDoS data and updates the learning time.

Table 197: dfc-monitor:bdos-recreate Arguments

Argument Description Mandatory Values


baseline The new value for the baseline for the specified protocol and dimension. No Text
dimension The dimension to update Yes {PPS|APS}
ip The granular IP to handle. If not specified, the entire protected object is handled. No IPv4, IPv6
protected-object Protected object name Yes Text
protocol The protocol to handle. If not specified, all protocols are handled. No {TCP|UDP|ICMP|OTHER}
standard-deviation The new value for the standard deviation for the specified protocol and dimension. No

• dfc-monitor:bdos-reset — Resets BDoS learned data.


Table 198: dfc-monitor:bdos-reset Arguments

Argument Description Mandatory Values


protected-object Protected object name. No Text
protocol The protocol to handle. If not specified, all protocols are handled. No {TCP|UDP|ICMP|OTHER|TCP_IPV6|UDP_IPV6|ICMP_IPV6|OTHER_IPV6}

• dfc-monitor:bdos-status — Shows the status of BDoS detections.
• dfc-monitor:bgp-announcements-list — Lists announcements for all BGP peers.

Table 199: dfc-monitor:bgp-announcements-list Arguments

Argument Description Mandatory Values


active Show only active announcements, No {true|false}
Default: true
refresh Auto refresh the list every X seconds No Integer

• dfc-monitor:event — Shows the workflow event history.

Table 200: dfc-monitor:event Arguments

Argument Description Mandatory Values


protected- Protected object name. No Text
object
refresh Auto refresh the list every X seconds No Integer

• dfc-monitor:bgp-flowspec-delete — Deletes BGP FlowSpec rules.
• dfc-monitor:bgp-flowspec-edit — Edits BGP FlowSpec rules.

Table 201: dfc-monitor:bgp-flowspec Arguments

Argument Description Mandatory Values


action-block BGP FlowSpec action block No {true|false}
action-rate-limit BGP FlowSpec action rate limit bytes per second No Integer

action-redirect-to-mitigation BGP FlowSpec action redirect to mitigation No {true|false}
action-redirect-to-route-tag BGP FlowSpec action redirect to route tag. Enter an existing route tag name. No Text
action-set-dscp BGP FlowSpec action set DSCP No
destination-port BGP FlowSpec filter for destination port. In addition to a single value, a range can be specified. For example, to specify a value equal to 100, or a value between 80 and 90 including 80 and excluding 90, use ">=80&<90 100". For "and" use &, for "or" use a space. Allowed operators are =, <, >, <=, >=. No Text
destination-prefix BGP FlowSpec filter for destination prefix. Use the format a.b.c.d/n. No Multiple values can be specified: value1 value2 ...
dscp-filter BGP FlowSpec filter for DSCP. No Integer. Values: 0-63
fragment BGP FlowSpec filter for fragment No {not-a-fragment|dont-fragment|is-fragment|first-fragment|last-fragment}
icmp-code BGP FlowSpec filter for ICMP code No {communication-prohibited-by-filtering|destination-host-prohibited|destination-host-unknown|destination-network-unknown|fragmentation-needed|host-precedence-violation|ip-header-bad|network-unreachable|network-unreachable-for-tos|||port-unreachable|redirect-for-host|redirect-for-network|redirect-for-tos-and-host|redirect-for-tos-and-net|required-option-missing|source-host-isolated|source-route-failed|ttl-eq-zero-during-reassembly|ttl-eq-zero-during-transit}

icmp-type BGP FlowSpec filter for ICMP type No {echo-reply|echo-request|info-reply|info-request|mask-reply|mask-request|parameter-problem|redirect|router-advertisment|router-solicit|source-quench|time-exceeded|timestamp|timestamp-reply|unreachable}
id Active BGP FlowSpec ID No Text
name BGP FlowSpec name Text
packet-length BGP FlowSpec filter for packet length. Same single-value and range syntax as destination-port. No Text
port BGP FlowSpec filter for port. Same single-value and range syntax as destination-port. No Text
protocol BGP FlowSpec filter for protocol. Only a single protocol can be specified per flow rule. No {icmp|tcp|udp|gre}
source-port BGP FlowSpec filter for source port. Same single-value and range syntax as destination-port. No Integer
source-prefix BGP FlowSpec filter for source prefix No List of IP addresses
tcp-flag BGP FlowSpec filter for TCP flag No {fin|syn|rst|push|ack|urgent}


• dfc-monitor:bgp-flowspec-list — Lists BGP FlowSpec rules.

Table 202: dfc-monitor:bgp-flowspec-list Arguments

Argument Description Mandatory Values


peer-ip Peer IP address. No IPv4, IPv6

• dfc-monitor:bgp-peer-list — Lists BGP peer statuses.

Table 203: dfc-monitor:bgp-peer-list Arguments

Argument Description Mandatory Values


refresh Auto refresh the list every X seconds No Integer
show-only-network-elements Show only network elements. No {true|false} Default: true

• dfc-monitor:last-statistics — Shows the last statistics for protected objects.

Table 204: dfc-monitor:last-statistics Arguments

Argument Description Mandatory Values


human Show number in a human readable format. No {true|false}
Default: false
flags Show TCP flags data. No {true|false}
Default: false
granular Show granular data (per IP address). No {true|false}
Default: false
protected-object Protected object name No Text
refresh Auto refresh the list every X seconds No Integer

• dfc-monitor:list — Monitors protected objects.


Table 205: dfc-monitor:list Arguments

Argument Description Mandatory Values


protected-object Protected object name No Text
refresh Auto refresh the list every X seconds No Integer

• dfc-monitor:pending-confirm — Confirms a pending confirmation.

Table 206: dfc-monitor:pending-confirm Arguments

Argument Description Mandatory Values


attack-volume Attack volume for bandwidth capacity planning. The default unit is bits per second. No The following units can be specified: K, M, G, T
bgp-community-custom BGP custom community string. No Multiple values can be specified: value1 value2 ...
bgp-community-well-known BGP well-known community string No Multiple values can be specified: value1 value2 ... {NO_EXPORT|NO_ADVERTISE|NO_EXPORT_SUBCONFED|NOPEER}
bgp-flow-spec-action-redirect-to-mitigation BGP FlowSpec action redirect to mitigation. No {true|false}
bgp-flow-spec-action-rate-limit BGP FlowSpec action rate limit (in bytes per second) No Integer
bgp-flow-spec-action-redirect-to-route-tag BGP FlowSpec action redirect to route tag. Enter an existing route tag name. No Text
bgp-flow-spec-action-set-dscp BGP FlowSpec action set DSCP. No Text

bgp-flow-spec-action-type BGP FlowSpec action No Text
bgp-flow-spec-dscp BGP FlowSpec filter for DSCP No Text
bgp-flow-spec-destination-type BGP FlowSpec filter for destination type. No {ATTACKED_IP|ENTIRE_NETWORKS|SPECIFIC}
bgp-flow-spec-destination-port BGP FlowSpec filter for destination port. In addition to a single value, a range can be specified. For example, to specify a value equal to 100, or a value between 80 and 90 including 80 and excluding 90, use ">=80&<90 100". For "and" use &, for "or" use a space. Allowed operators are =, <, >, <=, >=. No Integer
bgp-flow-spec-destination-prefix BGP FlowSpec filter for destination prefix No List of IP addresses
bgp-flow-spec-dscp-filter BGP FlowSpec filter for DSCP. No Integer. Values: 0-63
bgp-flow-spec-fragment BGP FlowSpec filter for fragment No {not-a-fragment|dont-fragment|is-fragment|first-fragment|last-fragment}

bgp-flow-spec-icmp-code BGP FlowSpec filter for ICMP code No {communication-prohibited-by-filtering|destination-host-prohibited|destination-host-unknown|destination-network-unknown|fragmentation-needed|host-precedence-violation|ip-header-bad|network-unreachable|network-unreachable-for-tos|||port-unreachable|redirect-for-host|redirect-for-network|redirect-for-tos-and-host|redirect-for-tos-and-net|required-option-missing|source-host-isolated|source-route-failed|ttl-eq-zero-during-reassembly|ttl-eq-zero-during-transit}
bgp-flow-spec-icmp-type BGP FlowSpec filter for ICMP type No {echo-reply|echo-request|info-reply|info-request|mask-reply|mask-request|parameter-problem|redirect|router-advertisment|router-solicit|source-quench|time-exceeded|timestamp|timestamp-reply|unreachable}
bgp-flow-spec-packet-length BGP FlowSpec filter for packet length. Same single-value and range syntax as bgp-flow-spec-destination-port. No Integer
bgp-flow-spec-port BGP FlowSpec filter for port. Same single-value and range syntax as bgp-flow-spec-destination-port. No Integer
bgp-flow-spec-protocol BGP FlowSpec filter for protocol. Only a single protocol can be specified per flow rule. No {icmp|tcp|udp|gre}
bgp-flow-spec-rate-limit BGP FlowSpec action rate limit (in bytes per second) No Integer

bgp-flow-spec-source-port BGP FlowSpec filter for source port. Same single-value and range syntax as bgp-flow-spec-destination-port. No Integer
bgp-flow-spec-source-prefix BGP FlowSpec filter for source prefix No List of IP addresses
bgp-flow-spec-tcp-flag BGP FlowSpec filter for TCP flag No {fin|syn|rst|push|ack|urgent}
minimum-advertised-ipv4 Override the default IPv4 minimum prefix for BGP announcements. No {true|false}
minimum-advertised-ipv6 Override the default IPv6 minimum prefix for BGP announcements. No {true|false}
mitigation-group Override the strategy mitigation group. No Text
network Network No IP address range
operation Override the operation to use. No Text
operation-filter Operation filter. This is used to identify the actual entity for which to perform the action. No Text
override-network Network in IP/prefix format; IPv4 and IPv6 can be specified. Relevant for the activate action only. No IPv4, IPv6
override-network-use-all Activate all the configured protected object networks. Relevant for the activate action only. No {true|false}
protected-object Protected object name Yes Text
track Track the action progress. No {true|false}
use-bgp-community Use BGP communities No Text

use-busy-devices Use mitigation devices even if they are busy or their free bandwidth cannot hold the attack volume. No {true|false} Default: false
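The numeric expression syntax that Tables 191, 201 and 206 describe for the port, destination-port, source-port and packet-length filters (">=80&<90 100": a space separates alternatives, & joins conditions, a bare number means equality) is easy to get wrong when building rules by hand. The following Python is an added example, not DefenseFlow or Radware code: it parses that syntax, validates the other bgp-flow-spec-* filter values the tables list (a single protocol from {icmp|tcp|udp|gre}, DSCP 0-63, TCP flag names) and evaluates a rule against constructed packet records. The sample rule, the packet records and the reading of port as matching either the source or the destination port are assumptions of the example.

```python
"""Added example (not DefenseFlow code): evaluates the bgp-flow-spec-* filter
arguments described above, including the numeric expression syntax
">=80&<90 100" (space = or, & = and).  The packet records, the sample rule and
the assumption that 'port' means source OR destination port are mine."""
from __future__ import annotations
import ipaddress
import operator
import re
from dataclasses import dataclass, field

# Operators the tables allow: =, <, >, <=, >=.  A bare number means "=".
_OPS = {">=": operator.ge, "<=": operator.le, "=": operator.eq,
        "<": operator.lt, ">": operator.gt}
_TERM_RE = re.compile(r"^(>=|<=|=|<|>)?(\d+)$")
PROTOCOLS = {"icmp", "tcp", "udp", "gre"}      # only one protocol per rule
TCP_FLAGS = {"fin", "syn", "rst", "push", "ack", "urgent"}


def parse_numeric_expr(expr: str) -> list[list[tuple[str, int]]]:
    """">=80&<90 100" -> [[(">=", 80), ("<", 90)], [("=", 100)]] (OR of ANDs)."""
    alternatives = []
    for alt in expr.split():
        terms = []
        for term in alt.split("&"):
            m = _TERM_RE.match(term)
            if not m:
                raise ValueError(f"bad term {term!r} in {expr!r}")
            terms.append((m.group(1) or "=", int(m.group(2))))
        alternatives.append(terms)
    if not alternatives:
        raise ValueError("empty numeric expression")
    return alternatives


def numeric_match(expr: str, value: int) -> bool:
    """True when value satisfies at least one OR-alternative of expr."""
    return any(all(_OPS[op](value, n) for op, n in alt)
               for alt in parse_numeric_expr(expr))


@dataclass
class FlowSpecFilter:
    """Filter side of a rule; field names follow the bgp-flow-spec-* arguments."""
    protocol: str | None = None
    destination_prefix: list[str] = field(default_factory=list)
    source_prefix: list[str] = field(default_factory=list)
    destination_port: str | None = None
    source_port: str | None = None
    port: str | None = None          # assumed: matches source OR destination port
    packet_length: str | None = None
    dscp_filter: int | None = None   # 0-63
    tcp_flag: str | None = None

    def __post_init__(self) -> None:
        # Reject bad values when the rule is built, not after it is announced.
        for name, value, allowed in (("protocol", self.protocol, PROTOCOLS),
                                     ("tcp-flag", self.tcp_flag, TCP_FLAGS)):
            if value is not None and value not in allowed:
                raise ValueError(f"{name} must be one of {sorted(allowed)}")
        if self.dscp_filter is not None and not 0 <= self.dscp_filter <= 63:
            raise ValueError("dscp-filter must be 0-63")
        for expr in (self.destination_port, self.source_port, self.port, self.packet_length):
            if expr is not None:
                parse_numeric_expr(expr)     # raises on a syntax error
        self._dst = [ipaddress.ip_network(p, strict=False) for p in self.destination_prefix]
        self._src = [ipaddress.ip_network(p, strict=False) for p in self.source_prefix]

    def matches(self, pkt: dict) -> bool:
        """pkt keys: src, dst, proto, sport, dport, length; optional dscp, flags."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        return all([
            self.protocol is None or pkt["proto"] == self.protocol,
            not self._dst or any(dst in n for n in self._dst),
            not self._src or any(src in n for n in self._src),
            self.destination_port is None or numeric_match(self.destination_port, pkt["dport"]),
            self.source_port is None or numeric_match(self.source_port, pkt["sport"]),
            self.port is None or numeric_match(self.port, pkt["sport"])
            or numeric_match(self.port, pkt["dport"]),
            self.packet_length is None or numeric_match(self.packet_length, pkt["length"]),
            self.dscp_filter is None or pkt.get("dscp", 0) == self.dscp_filter,
            self.tcp_flag is None or self.tcp_flag in pkt.get("flags", set()),
        ])


# Constructed rule: large UDP replies from source port 53 toward the protected
# /24 (TEST-NET-3), the shape of a DNS amplification flood.
DNS_AMP_RULE = FlowSpecFilter(protocol="udp", source_port="=53", packet_length=">=512",
                              destination_prefix=["203.0.113.0/24"])

# Constructed packet records, not captured traffic.
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "udp",
     "sport": 53, "dport": 41000, "length": 1400},     # amplification reply
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "udp",
     "sport": 53, "dport": 41000, "length": 120},      # ordinary small reply
    {"src": "198.51.100.7", "dst": "192.0.2.5", "proto": "udp",
     "sport": 53, "dport": 41000, "length": 1400},     # not a protected prefix
]


def matched_indexes(rule: FlowSpecFilter, packets: list[dict]) -> list[int]:
    """Indexes of the packets the rule's filter would select."""
    return [i for i, p in enumerate(packets) if rule.matches(p)]
```

Building the filter raises before anything is announced, so a typo such as a protocol of sctp or a DSCP of 64 fails at rule construction rather than on the BGP peer. Running matched_indexes over a handful of representative packets is the check to make before announcing a rate-limit or block action to the routers, because a FlowSpec rule that is too broad drops legitimate traffic for the whole protected prefix.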

• dfc-monitor:pending-ignore — Ignores a pending confirmation.

Table 207: dfc-monitor:pending-ignore Arguments

Argument Description Mandatory Values


network Network No IP address range
operation-filter Operation filter. This is used to identify the No Text
actual entity for which to perform the action.
protected-object Protected object name No Text

• dfc-monitor:pending-list — Lists pending confirmations.
• dfc-monitor:protection-list — Lists ongoing protections.
• dfc-monitor:protection-reload — Reloads an ongoing protection.

Table 208: dfc-monitor:protection-reload Arguments

Argument Description Mandatory Values


id Protection id. Yes Text

• dfc-monitor:threshold-status — Shows the status of threshold detections.

Table 209: dfc-monitor:threshold-status Arguments

Argument Description Mandatory Values


granular Displays the data per IP address. No {true|false} Default: false

human Displays the threshold number in human-readable format. No {true|false} Default: false
ip Filter the results by IP address. No {true|false}
protected-object Protected object name Yes Text
refresh Auto refresh the list every X seconds No Integer

• dfc-monitor:mitigators-list — Lists statuses of the enabled mitigation devices.

Table 210: dfc-monitor:mitigators-list Arguments

Argument Description Mandatory Values


detailed Include detailed information No {true|false} Default: false
refresh Auto refresh the list every X seconds No Integer

• dfc-monitor:plan — Describes a protection plan.

Table 211: dfc-monitor:plan Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| attack-volume | Specify the attack volume for bandwidth capacity planning. The default units are bits per second. | No | The following units can be specified: K, M, G, T |
| mitigation-group | Override the strategy mitigation group. | No | Text |
| network | Network in IP address/prefix format; IPv4 and IPv6 can be specified. If not specified, all of the protected networks are selected. | No | Multiple values can be specified: value1 value2 ...option |
| operation | Override the operation to use. | No | Text |
| protected-object | Protected object name | Yes | Text |
| use-busy-devices | Use mitigation devices even if they are busy, or if the free bandwidth cannot hold the attack volume. | No | {true\|false}. Default: false |

dfc-network-connect
The following commands are used with DefenseFlow network connections:
• dfc-network-connect:add — Adds a network element connection.
• dfc-network-connect:delete — Deletes a network element connection.
• dfc-network-connect:edit — Edits a network element connection.
• dfc-network-connect:list — Lists network element connections.
• dfc-network-connect:show — Shows a network element connection.

Table 212: dfc-network-connect Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| from | Name of the network element to divert the network from (the peer) | Yes | Text |
| to | Name of the network element to divert the network to (the scrubbing) | Yes | Text |

dfc-network-element
The following commands are used with DefenseFlow network elements:
• dfc-network-element:add — Adds a network element.
• dfc-network-element:delete — Deletes a network element.
• dfc-network-element:edit — Edits a network element.
• dfc-network-element:list — Lists network elements.
• dfc-network-element:show — Shows network elements.

Table 213: dfc-network-element Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| admin-status | Admin status | No | {ENABLED\|DISABLED} |
| bgp-md5 | BGP MD5 key | No | Text |
| bgp-asn-4bytes-support | BGP ASN 4 bytes support | No | {true\|false}. Default: true |
| bgp-flow-spec | BGP FlowSpec supported. | No | {true\|false}. Default: true |
| bgp-graceful-restart | BGP Graceful Restart | No | {true\|false} |
| bgp-hold-time | BGP Hold Time (seconds) | No | Integer |
| bgp-local-asn | BGP Local ASN | No | Integer |
| bgp-loopback | BGP loopback IP | No | IPv4, IPv6 |
| bgp-peer-asn | BGP Peer ASN | No | Integer |
| bgp-restart-time | BGP Graceful Restart Time | No | Integer |
| bgp-route-refresh | BGP Route Refresh | No | {true\|false} |
| big-switch-mng-ip | BigSwitch management IP address | No | IPv4, IPv6 |
| big-switch-password | BigSwitch password | No | Text |
| big-switch-policy | BigSwitch policy name | No | Text |
| big-switch-port | BigSwitch port | No | Integer |
| big-switch-user | BigSwitch user | No | Text |
| diversion | Diversion control name | No | Text |
| group | Network group names | No | Multiple values can be specified: value1 value2 ...option |
| is-big-switch | A BigSwitch router is present | No | {true\|false}. Default: false |
| description | Network element description | No | Text |
| name | Network element name | Yes | Text |
| network-use | Network association for the network element | No | SDN value |
| statistics | Statistics collection control | No | Text |

dfc-network-group
The following commands are used with DefenseFlow network groups:
• dfc-network-group:add — Adds a network element group.
• dfc-network-group:delete — Deletes a network element group.
• dfc-network-group:edit — Edits a network element group.
• dfc-network-group:list — Lists network element groups.
• dfc-network-group:show — Shows a network element group.

Table 214: dfc-network-group Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| description | Network element group description | No | Text |
| element | Names of associated network elements | No | Multiple values can be specified: value1 value2 ...option |
| name | Network element group name | Yes | Text |

dfc-operation
The following commands are used with DefenseFlow operations:
• dfc-operation:add — Adds an operation.
• dfc-operation:delete — Deletes an operation.
• dfc-operation:edit — Edits an operation.
• dfc-operation:list — Lists operations.
• dfc-operation:show — Shows operations.

Table 215: dfc-operation Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| action | Action | Yes | {DIVERT_DIVERT_MITIGATE_AND_INJECT\|DIVERT_AND_MITIGATE\|MITIGATE\|MITIGATE_AND_INJECT\|REPORT\|BGP_FLOW_SPEC} |
| bgp-community-custom | BGP custom community string. | No | Multiple values can be specified: value1 value2 ...option |
| bgp-community-well-known | BGP well-known community string. | No | {NO_EXPORT\|NO_ADVERTISE\|NO_EXPORT_SUBCONFED\|NOPEER}. Multiple values can be specified: value1 value2 ...option |
| bgp-flow-spec | Name of the BGP FlowSpec to use. | No | Text |
| black-list | Name of the filter list or group that will be used as the black list on the DefensePro device. | No | Text |
| blocking-group | Block network group name. | No | Text |
| custom-op-confirm-password | Confirm password for a custom operation. | No | Text |
| custom-op-password | Password for a custom operation. | No | Text |
| custom-op-url | URL of the remote server for a custom operation. Must end with /protection_start or /protection_stop. | No | URL |
| custom-op-username | Username for a custom operation. | No | Text |
| delegate-from-detector | Delegate the policy and baselines from the DefensePro detector if available. | No | {true\|false}. Default: true |
| description | Operation description | No | Text |
| diversion-group | Diversion network group name. | No | Text |
| diversion-protocol | Diversion protocol. | No | {BGP\|BGP_FLOW_SPEC} |
| dns-white-list | Name of the DNS white list | No | Text |
| granular-mitigation | Create the policy and clean traffic injection only for the attacked IP addresses and not for the entire protected object networks. | No | {true\|false}. Default: true |
| keep-baseline-by-defense-pro | Save the BDoS baselines from the DefensePro device, and use them for the next activation. | No | {true\|false}. Default: false |
| minimum-advertised-ipv4 | IPv4 minimum prefix for BGP announcements | No | List of IP addresses |
| minimum-advertised-ipv6 | IPv6 minimum prefix for BGP announcements | No | List of IP addresses |
| mitigation-group | Mitigation devices group name | No | Text |
| name | Operation name | Yes | Text |
| source-network-block-black-list | Block the reported source IP address using a Layer 3 black list | No | {true\|false}. Default: false |
| source-network-block-signature | Block the reported source IP address using a Layer 7 signature | No | {true\|false}. Default: false |
| source-network-signature-response-type | Layer 7 signature response type to use for blocking | No | {HTTP_DROP\|HTTP_200_OK\|HTTP_200_OK_REST_DEST\|HTTP_403_FORBIDDEN\|HTTP_403_FORBIDDEN_REST_DEST} |
| template | DefensePro security template name | No | Text |
| use-community | Use community for announcements. | No | {true\|false}. Default: true |
| use-connectivity | Use connectivity to allocate mitigation devices. | No | {true\|false}. Default: true |
| use-entire-networks | Use the entire protected object networks upon diversion. | No | {true\|false}. Default: false |
| white-list | Name of the filter list or group that will be used as the white list on the DefensePro device. | No | Text |

dfc-protected-network
The following commands are used with DefenseFlow protected networks:
• dfc-protected-network:add — Adds a protected network.
• dfc-protected-network:delete — Deletes a protected network.
• dfc-protected-network:list — Lists protected objects.
• dfc-protected-network:multiple — Adds multiple networks to a protected object. Networks are specified by only one of the path argument or the networks argument.
• dfc-protected-network:show — Shows protected objects.

Table 216: dfc-protected-network Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| delete | Delete the existing protected networks. If false is specified, the networks in the file are appended to the existing protected networks. | Yes | {true\|false}. Default: true |
| network | Networks (IP address/prefix; IPv4 or IPv6 can be specified) | Yes | IPv4, IPv6 |
| networks | List of networks (CIDRs only), separated by commas or spaces. For example: -networks '3.3.3.0/24, 3.3.4.5, 3.3.5.6/32'. To exclude a sub-network, use an exclamation mark (!) before the subnet. For example: -networks '4.4.4.0/24, !4.4.4.10/32' | Yes | IPv4, IPv6 |
| network-group | Network group name | Yes | Text |
| path | Path to a file with a list of networks (CIDRs only), separated by commas or spaces. | Yes | IPv4, IPv6 |
| protected-object | Protected object name | Yes | Text |
| route-tag | Route tag name | Yes | Text |
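
The networks argument syntax above (CIDRs separated by commas or spaces, with a leading exclamation mark marking an excluded sub-network) is easy to get subtly wrong in a file that is pushed with dfc-protected-network:multiple. The following script is an added example, not DefenseFlow code: it parses that syntax with Python's ipaddress module, rejects tokens that are not CIDRs, and carves the exclusions out of the included networks so the effective set can be reviewed before the command is run. Two rules are this example's own assumptions rather than anything the guide states: a token without a prefix length is treated as a single host (/32 or /128), and an exclusion must lie inside an included network of the same address family.

```python
"""Parse and sanity-check the -networks list syntax of dfc-protected-network.

Added example, not DefenseFlow code. Assumptions: a token without a prefix
length is a single host (/32 or /128), and an exclusion must lie inside an
included network of the same address family.
"""
import ipaddress
import re
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_networks(spec: str) -> Tuple[List[Network], List[Network]]:
    """Split a -networks string into (included, excluded) network lists.

    Tokens are separated by commas and/or spaces. A leading '!' marks a
    sub-network to exclude. Prefixes with host bits set (e.g. 3.3.3.5/24)
    are rejected because the argument accepts CIDRs only.
    """
    included: List[Network] = []
    excluded: List[Network] = []
    for token in re.split(r"[,\s]+", spec.strip()):
        if not token:
            continue
        is_exclusion = token.startswith("!")
        body = token[1:] if is_exclusion else token
        try:
            net = ipaddress.ip_network(body)  # strict: host bits must be zero
        except ValueError as exc:
            raise ValueError(f"bad network token {token!r}: {exc}") from exc
        (excluded if is_exclusion else included).append(net)
    # Sanity check (this example's own rule, not stated by the guide): an
    # exclusion only makes sense inside an included network of the same family.
    for ex in excluded:
        if not any(ex.version == inc.version and ex.subnet_of(inc) for inc in included):
            raise ValueError(f"exclusion {ex} is not inside any included network")
    return included, excluded


def check_networks(spec: str) -> Optional[str]:
    """Return None if spec is acceptable, otherwise the error message."""
    try:
        parse_networks(spec)
    except ValueError as exc:
        return str(exc)
    return None


def effective_networks(included: List[Network], excluded: List[Network]) -> List[Network]:
    """Carve the exclusions out of the included networks.

    Returns the resulting CIDR blocks, merged where adjacent blocks allow it.
    CIDR blocks are either nested or disjoint, so each exclusion either
    swallows a piece, splits it, or does not touch it.
    """
    carved: List[Network] = []
    for inc in included:
        pieces: List[Network] = [inc]
        for ex in excluded:
            if ex.version != inc.version:
                continue
            remaining: List[Network] = []
            for piece in pieces:
                if piece.subnet_of(ex):
                    continue  # the whole piece is excluded
                if ex.subnet_of(piece):
                    remaining.extend(piece.address_exclude(ex))  # split around it
                else:
                    remaining.append(piece)  # disjoint, keep as is
            pieces = remaining
        carved.extend(pieces)
    # collapse_addresses() refuses mixed families, so merge per family.
    merged: List[Network] = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses([n for n in carved if n.version == version]))
    return merged


def contains_address(networks: List[Network], address: str) -> bool:
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(address)
    return any(addr.version == n.version and addr in n for n in networks)


if __name__ == "__main__":
    # Constructed inputs, taken from the two examples in the argument table.
    for spec in ("3.3.3.0/24, 3.3.4.5, 3.3.5.6/32", "4.4.4.0/24, !4.4.4.10/32"):
        inc, exc = parse_networks(spec)
        print(spec, "->", [str(n) for n in effective_networks(inc, exc)])
```

Running check_networks() over the contents of the file before passing it to the path argument catches the two mistakes that otherwise surface only as a rejected or, worse, a silently wider protected network: a prefix with host bits set and an exclusion that does not sit inside anything it could exclude.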

dfc-protected-object
The following commands are used with DefenseFlow protected objects:
• dfc-protected-object:add — Adds a protected object.
• dfc-protected-object:change-all — Applies a change to all protected objects.

Table 217: dfc-protected-object:change-all Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| admin-status | Updates the admin status of all protected objects. If not specified, the admin status remains unchanged. | No | {ENABLED\|DISABLED} |
| clear-policy | Clears the policy of all protected objects. If not specified, the policy remains unchanged. | No | {true\|false} |

• dfc-protected-object:delete — Deletes a protected object.
• dfc-protected-object:edit — Edits a protected object.

Table 218: dfc-protected-object:show Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| protected-object | Protected object name. | Yes | Text |

• dfc-protected-object:show — Shows a protected object.
• dfc-protected-object:list — Lists protected objects.

Table 219: dfc-protected-object Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| admin-status | Admin status | No | {ENABLED\|DISABLED} |
| bandwidth | Default attack bandwidth to be used for DefensePro and for capacity planning. The default units are bits per second. | Yes | The following units can be specified: K, M, G, T |
| bgp-community-custom | BGP custom community string | No | Multiple values can be specified: value1 value2 ...option |
| bgp-community-well-known | BGP well-known community string | No | {NO_EXPORT\|NO_ADVERTISE\|NO_EXPORT_SUBCONFED\|NOPEER}. Multiple values can be specified: value1 value2 ...option |
| description | Description | No | Text |
| enable-override-mode | Enable/Disable action override mode | Yes | {true\|false} |
| grace-period | Attack termination grace period in seconds. If specified, set the override-grace-period argument to true. | No | Integer |
| idle | Idle timeout for the protected object. Note: If a protected object is in the idle state, the DefensePro time-to-live (TTL) period value (dfc.attack.detection.defensepro.ttl.period) in the packet header is ignored. | No | {true\|false}. Default: false |
| name | Name | Yes | Text |
| policy-precedence | Policy precedence. 0 is for no precedence usage; 1 is the highest precedence; 3 is the lowest precedence. Default is 0. | No | {0\|1\|2\|3} |
| override-grace-period | Override the default DefenseFlow attack termination grace period. | No | {true\|false} |
| override-mode | Action override mode. | No | {AUTOMATIC\|MANUAL\|USER_CONFIRMATION} |
| override-security-template | Override the workflow operation's security template with a specific protected object related security template. | No | {true\|false} |
| security-template | Specific protected object related security template. If specified, set the override-security-template argument to true. | No | Text |
| threshold-complete-icmp-activation-bps-ipv4 | Complete protected object threshold ICMP IPv4 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-icmp-activation-bps-ipv6 | Complete protected object threshold ICMP IPv6 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-icmp-activation-pps-ipv4 | Complete protected object threshold ICMP IPv4 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-icmp-activation-pps-ipv6 | Complete protected object threshold ICMP IPv6 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-icmp-termination-bps-ipv4 | Complete protected object threshold ICMP IPv4 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-icmp-termination-bps-ipv6 | Complete protected object threshold ICMP IPv6 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-other-activation-bps-ipv4 | Complete protected object threshold other IPv4 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-other-activation-bps-ipv6 | Complete protected object threshold other IPv6 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-other-activation-pps-ipv4 | Complete protected object threshold other IPv4 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-other-activation-pps-ipv6 | Complete protected object threshold other IPv6 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-other-termination-bps-ipv4 | Complete protected object threshold other IPv4 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-other-termination-bps-ipv6 | Complete protected object threshold other IPv6 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-other-termination-pps-ipv4 | Complete protected object threshold other IPv4 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-other-termination-pps-ipv6 | Complete protected object threshold other IPv6 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-tcp-activation-bps-ipv4 | Complete protected object threshold TCP IPv4 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-tcp-activation-bps-ipv6 | Complete protected object threshold TCP IPv6 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-tcp-activation-pps-ipv4 | Complete protected object threshold TCP IPv4 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-tcp-activation-pps-ipv6 | Complete protected object threshold TCP IPv6 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-tcp-termination-bps-ipv4 | Complete protected object threshold TCP IPv4 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-tcp-termination-bps-ipv6 | Complete protected object threshold TCP IPv6 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-tcp-termination-pps-ipv4 | Complete protected object threshold TCP IPv4 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-tcp-termination-pps-ipv6 | Complete protected object threshold TCP IPv6 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-total-activation-bps-ipv4 | Complete protected object threshold total IPv4 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-total-activation-bps-ipv6 | Complete protected object threshold total IPv6 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-total-activation-pps-ipv4 | Complete protected object threshold total IPv4 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-total-activation-pps-ipv6 | Complete protected object threshold total IPv6 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-total-termination-bps-ipv4 | Complete protected object threshold total IPv4 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-total-termination-bps-ipv6 | Complete protected object threshold total IPv6 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-total-termination-pps-ipv4 | Complete protected object threshold total IPv4 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-total-termination-pps-ipv6 | Complete protected object threshold total IPv6 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-udp-activation-bps-ipv4 | Complete protected object threshold UDP IPv4 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-udp-activation-bps-ipv6 | Complete protected object threshold UDP IPv6 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-udp-activation-pps-ipv4 | Complete protected object threshold UDP IPv4 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-udp-activation-pps-ipv6 | Complete protected object threshold UDP IPv6 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-udp-termination-bps-ipv4 | Complete protected object threshold UDP IPv4 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-udp-termination-bps-ipv6 | Complete protected object threshold UDP IPv6 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-udp-termination-pps-ipv4 | Complete protected object threshold UDP IPv4 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-complete-udp-termination-pps-ipv6 | Complete protected object threshold UDP IPv6 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-icmp-activation-bps-ipv4 | Granular IP threshold ICMP IPv4 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-icmp-activation-bps-ipv6 | Granular IP threshold ICMP IPv6 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-icmp-activation-pps-ipv4 | Granular IP threshold ICMP IPv4 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-icmp-activation-pps-ipv6 | Granular IP threshold ICMP IPv6 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-icmp-termination-bps-ipv4 | Granular IP threshold ICMP IPv4 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-icmp-termination-bps-ipv6 | Granular IP threshold ICMP IPv6 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-icmp-termination-pps-ipv4 | Granular IP threshold ICMP IPv4 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-icmp-termination-pps-ipv6 | Granular IP threshold ICMP IPv6 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-other-activation-bps-ipv4 | Granular IP threshold other IPv4 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-other-activation-bps-ipv6 | Granular IP threshold other IPv6 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-other-activation-pps-ipv4 | Granular IP threshold other IPv4 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-other-activation-pps-ipv6 | Granular IP threshold other IPv6 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-other-termination-bps-ipv4 | Granular IP threshold other IPv4 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-other-termination-bps-ipv6 | Granular IP threshold other IPv6 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-other-termination-pps-ipv4 | Granular IP threshold other IPv4 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-other-termination-pps-ipv6 | Granular IP threshold other IPv6 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-tcp-activation-bps-ipv4 | Granular IP threshold TCP IPv4 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-tcp-activation-bps-ipv6 | Granular IP threshold TCP IPv6 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-tcp-activation-pps-ipv4 | Granular IP threshold TCP IPv4 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-tcp-activation-pps-ipv6 | Granular IP threshold TCP IPv6 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-tcp-termination-bps-ipv4 | Granular IP threshold TCP IPv4 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-tcp-termination-bps-ipv6 | Granular IP threshold TCP IPv6 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-tcp-termination-pps-ipv4 | Granular IP threshold TCP IPv4 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-tcp-termination-pps-ipv6 | Granular IP threshold TCP IPv6 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-total-activation-bps-ipv4 | Granular IP threshold total IPv4 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-total-activation-bps-ipv6 | Granular IP threshold total IPv6 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-total-activation-pps-ipv4 | Granular IP threshold total IPv4 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-total-activation-pps-ipv6 | Granular IP threshold total IPv6 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-total-termination-bps-ipv4 | Granular IP threshold total IPv4 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-total-termination-bps-ipv6 | Granular IP threshold total IPv6 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-total-termination-pps-ipv4 | Granular IP threshold total IPv4 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-total-termination-pps-ipv6 | Granular IP threshold total IPv6 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-udp-activation-bps-ipv4 | Granular IP threshold UDP IPv4 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-udp-activation-bps-ipv6 | Granular IP threshold UDP IPv6 activation (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-udp-activation-pps-ipv4 | Granular IP threshold UDP IPv4 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-udp-activation-pps-ipv6 | Granular IP threshold UDP IPv6 activation (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-udp-termination-bps-ipv4 | Granular IP threshold UDP IPv4 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-udp-termination-bps-ipv6 | Granular IP threshold UDP IPv6 termination (bps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-udp-termination-pps-ipv4 | Granular IP threshold UDP IPv4 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| threshold-granular-udp-termination-pps-ipv6 | Granular IP threshold UDP IPv6 termination (pps). | No | Integer and unit. Examples: 50K, 10M, 5G |
| workflow | Workflow name. | Yes | Text |
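
All of the threshold-* arguments in Table 219 take an integer with a unit suffix (50K, 10M, 5G), and with roughly eighty of them per protected object a typo in an argument name or a value is easy to miss. The following script is an added example, not DefenseFlow code: it parses those values and checks a set of threshold arguments for misspelled names, malformed values, and a termination threshold set above its matching activation threshold. Two points are this example's own assumptions: the unit letters K, M, G and T (the ones the bandwidth and attack-volume arguments on this page list) are treated as decimal multipliers, and the rule that termination must not exceed activation is a hysteresis sanity check of the example's own, not a rule the guide states.

```python
"""Parse 'Integer and unit' threshold values and sanity-check threshold arguments.

Added example, not DefenseFlow code. Assumptions: the unit letters K, M, G, T
are decimal multipliers (1K = 1000), and a termination threshold should not
be set above its matching activation threshold (this example's own
hysteresis rule, not a rule stated in the guide).
"""
import re
from typing import Dict, List, Tuple

UNIT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
_VALUE_RE = re.compile(r"^\s*(\d+)\s*([KMGT]?)\s*$", re.IGNORECASE)

# threshold-<scope>-<protocol>-<phase>-<unit>-<family>, as listed in Table 219
_ARG_RE = re.compile(
    r"^threshold-(complete|granular)-(icmp|other|tcp|total|udp)-"
    r"(activation|termination)-(bps|pps)-(ipv4|ipv6)$"
)


def parse_threshold(value: str) -> int:
    """Convert '50K' -> 50000, '10M' -> 10000000, '5G' -> 5000000000, '100' -> 100."""
    m = _VALUE_RE.match(value)
    if not m:
        raise ValueError(f"bad threshold value {value!r}; expected e.g. 50K, 10M, 5G")
    return int(m.group(1)) * UNIT[m.group(2).upper()]


def format_threshold(value: int) -> str:
    """Inverse of parse_threshold for whole multiples: 50000 -> '50K'."""
    for letter in ("T", "G", "M", "K"):
        if value >= UNIT[letter] and value % UNIT[letter] == 0:
            return f"{value // UNIT[letter]}{letter}"
    return str(value)


def check_thresholds(args: Dict[str, str]) -> List[str]:
    """Return the problems found in a dict of threshold-* arguments (empty if none)."""
    problems: List[str] = []
    parsed: Dict[Tuple[str, ...], int] = {}
    for name, raw in args.items():
        m = _ARG_RE.match(name)
        if not m:
            problems.append(f"unknown threshold argument: {name}")
            continue
        try:
            parsed[m.groups()] = parse_threshold(raw)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    # Hysteresis check: termination must not exceed activation for the same
    # scope / protocol / unit / family.
    for (scope, proto, phase, unit, fam), activation in parsed.items():
        if phase != "activation":
            continue
        termination = parsed.get((scope, proto, "termination", unit, fam))
        if termination is not None and termination > activation:
            problems.append(
                f"threshold-{scope}-{proto}-{unit}-{fam}: termination "
                f"{format_threshold(termination)} is above activation {format_threshold(activation)}"
            )
    return problems


if __name__ == "__main__":
    # Constructed argument set for a dfc-protected-object:add or :edit call.
    sample = {
        "threshold-complete-tcp-activation-bps-ipv4": "5G",
        "threshold-complete-tcp-termination-bps-ipv4": "1G",
        "threshold-granular-udp-activation-pps-ipv4": "50K",
        "threshold-granular-udp-termination-pps-ipv4": "80K",  # above activation
    }
    for problem in check_thresholds(sample):
        print(problem)
```

The argument-name pattern is built from the five name components the table uses, so a name such as threshold-complete-tcp-activation-ps-ipv4 (one letter short) is reported instead of being passed to the CLI and rejected there, or, depending on how the CLI treats unknown arguments, silently ignored.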

• dfc-protected-object:csv-push — Simulates traffic for a protected object.
• dfc-protected-object:policy-export — Exports the protected object policy.
• dfc-protected-object:policy-clear — Deletes the protected object policy. The policy will be re-created at the next protection.
• dfc-protected-object:granular-list — Lists granular IP addresses.

Table 220: dfc-protected-object:granular-list Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| path | Path of the CSV file | Yes | Text |
| protected-object | Protected object name | Yes | Text |

• dfc-protected-object:push-measurement — Simulates a measurement for a protected object.

Table 221: dfc-protected-object:push-measurement Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| collection-interval-seconds | Control element collection interval in seconds | Yes | Integer |
| icmp-bytes | ICMP bytes | No | Integer |
| icmp-packets | ICMP packets | No | Integer |
| ipv6 | Measurement is for IPv6. | No | {true\|false}. Default: false |
| other-bytes | OTHER bytes | No | Integer |
| other-packets | OTHER packets | No | Integer |
| protected-object | Protected object name | Yes | Text |
| tcp-bytes | TCP bytes | No | Integer |
| tcp-packets | TCP packets | No | Integer |
| times | Send this measurement X times. | No | Integer. Default: 1 |
| udp-bytes | UDP bytes | No | Integer |
| udp-packets | UDP packets | No | Integer |

dfc-route-tag
The following commands are used for DefenseFlow route tags:
• dfc-route-tag:add — Adds a route tag.
• dfc-route-tag:delete — Deletes a route tag.
• dfc-route-tag:edit — Edits a route tag.
• dfc-route-tag:list — Lists route tags.
• dfc-route-tag:show — Shows route tags.

Table 222: dfc-route-tag Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| admin-status | Admin status | No | {ENABLED\|DISABLED} |
| description | Route tag description. | No | Text |
| name | Route tag name. | Yes | Text |
| route-target | Route target to be used in BGP FlowSpec. | No | Valid formats: ASN:ID (for example: 65000:100); ASNL:ID (for example: 65001L:200); IP:ID (for example: 1.2.3.4:300) |
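
The three route-target formats in Table 222 look alike and a value in the wrong form is only caught once the FlowSpec announcement is built. The following is an added example, not DefenseFlow code: it classifies a route-target string as one of the three documented forms and range-checks both halves. The numeric limits (a 2-byte ASN with a 4-byte ID for ASN:ID, a 4-byte ASN with a 2-byte ID for ASNL:ID, and an IPv4 address with a 2-byte ID for IP:ID) follow the standard BGP extended-community encodings and are this example's assumption about what the CLI accepts, not something the guide states.

```python
"""Validate the route-target formats accepted by dfc-route-tag (Table 222).

Added example, not DefenseFlow code. The numeric limits are this example's
assumption, taken from the standard BGP extended-community encodings:
ASN:ID  -> 2-byte ASN, 4-byte ID; ASNL:ID -> 4-byte ASN, 2-byte ID;
IP:ID   -> IPv4 address, 2-byte ID.
"""
import ipaddress
import re
from typing import Optional, Tuple

_RT_RE = re.compile(r"^([^:\s]+):(\d+)$")


def classify_route_target(rt: str) -> Optional[Tuple[str, int, int]]:
    """Return (kind, administrator, id) for a valid route target, else None.

    kind is 'ASN', 'ASNL' or 'IP'; administrator is the ASN or the IPv4
    address as an integer; id is the part after the colon.
    """
    m = _RT_RE.match(rt.strip())
    if not m:
        return None
    admin, local = m.group(1), int(m.group(2))
    if re.fullmatch(r"\d+L", admin):          # ASNL:ID, e.g. 65001L:200
        asn = int(admin[:-1])
        if asn <= 0xFFFFFFFF and local <= 0xFFFF:
            return ("ASNL", asn, local)
        return None
    if re.fullmatch(r"\d+", admin):           # ASN:ID, e.g. 65000:100
        asn = int(admin)
        if asn <= 0xFFFF and local <= 0xFFFFFFFF:
            return ("ASN", asn, local)
        return None
    try:                                      # IP:ID, e.g. 1.2.3.4:300
        addr = ipaddress.IPv4Address(admin)
    except ipaddress.AddressValueError:
        return None
    if local <= 0xFFFF:
        return ("IP", int(addr), local)
    return None


def is_valid_route_target(rt: str) -> bool:
    """Convenience wrapper for checking a value before dfc-route-tag:add or :edit."""
    return classify_route_target(rt) is not None


if __name__ == "__main__":
    # Constructed inputs: the three examples from the table plus some rejects.
    for candidate in ("65000:100", "65001L:200", "1.2.3.4:300",
                      "70000:1", "1.2.3.4:70000", "foo:1"):
        print(f"{candidate:>15} -> {classify_route_target(candidate)}")
```

Note that 70000:1 is rejected rather than reinterpreted: a 4-byte ASN has to carry the L suffix in this syntax, so the check refuses to guess which form the operator meant.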

dfc-security-template
The following commands are used with DefenseFlow security templates:
• dfc-security-template:add — Adds a security template.
• dfc-security-template:delete — Deletes a security template.
• dfc-security-template:list — Lists security templates.

Table 223: dfc-security-template Arguments

| Argument | Description | Mandatory | Values |
|---|---|---|---|
| description | Security template description | No | Text |
| name | Security template name | Yes | Text |
| origin | Security template origin | Yes | {PROTECTED_OBJECT\|VISION_TEMPLATES} |
| protected-object | Protected object name | No | Text |
| vision-mitigation-device-template-name | Vision mitigation device template name. | No | Text |

dfc-snmp
The following commands are used for DefenseFlow SNMP configuration:
• dfc-snmp:set-configuration-v2 — Sets the SNMPv2 configuration.

Document ID: RDWR-DF-V42000_UG2106 366


DefenseFlow Installation and User Guide
CLI Commands

Table 224: dfc-snmp:set-configuration-v2 Arguments

Argument Description Mandatory Values


community SNMPv2 community Yes Text

• dfc-snmp:show-configuration-v2 — Displays the SNMPv2 configuration.


This command has no arguments.
• dfc-snmp:test-poll — Tests the SNMP configuration.

Table 225: dfc-snmp:test-poll Arguments

Argument Description Mandatory Values


action SNMPv2 action No {ha|state}
community SNMPv2 community Yes Text
oid SNMPv2 OID No Text
port SNMPv2 port number Yes Integer
server SNMPv2 server ID Yes Text
version SNMPv2 version Yes {v2|v3}

• dfc-snmp:trap-clients-list — Lists the SNMP clients.


This command has no arguments.
• dfc-snmp:trap-client-add — Adds the SNMP sink server.

Table 226: dfc-snmp:trap-client-add Arguments

Argument Description Mandatory Values


community SNMPv2 community Yes Text
ip The sink server IP address Yes IPv4, IPv6
port The sink server port No Integer
Default: 162

• dfc-snmp:trap-client-delete — Deletes the SNMP sink server.

Document ID: RDWR-DF-V42000_UG2106 367


DefenseFlow Installation and User Guide
CLI Commands

Table 227: dfc-snmp:trap-client-delete Arguments

Argument Description Mandatory Values


ip The sink server IP address Yes IPv4, IPv6
port The sink server port No Integer
Default: 162

• dfc-snmp:trap-threshold-edit — Sets the SNMP trap threshold.

Table 228: dfc-snmp:trap-threshold-edit Arguments

Argument | Description | Mandatory | Values
threshold-error | Error threshold | Yes | Percent
threshold-warning | Warning threshold | Yes | Percent
type | Threshold type | Yes | {DISK|CPU}

• dfc-snmp:trap-threshold-list — Lists the SNMP trap thresholds.


This command has no arguments.
• dfc-snmp:polls-edit — Edits the SNMP admin status.

Table 229: dfc-snmp:polls-edit Arguments

Argument Description Mandatory Values


admin-status Admin status No {ENABLED|DISABLED}

• dfc-snmp:polls-show — Displays the SNMP admin status.


This command has no arguments.
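
The trap sink configured with dfc-snmp:trap-client-add receives SNMPv2c traps on UDP port 162 (the default above). The following is an added example, not DefenseFlow code and not Radware's MIB: it builds one SNMPv2c trap from the standard BER encoding and decodes it the way a sink does, to show that the community string set with dfc-snmp:set-configuration-v2 travels in cleartext and is the only thing a v2c receiver can check before trusting a trap. The community "df-monitor", the request ID, the uptime, the generic linkDown trap OID, the placeholder enterprise OID 1.3.6.1.4.1.99999.1 and its text varbind are constructed sample values, not taken from the page.

```python
"""Build and decode an SNMPv2c trap as a trap sink (a dfc-snmp:trap-client-add target) sees it.
Added example, not DefenseFlow code or Radware's MIB: the BER layout is standard SNMP; the community,
request ID, uptime, text varbind and enterprise OID 1.3.6.1.4.1.99999.1 are placeholders."""

SNMPV2_TRAP_PDU = 0xA7                      # context tag [7] of the SNMPv2-Trap-PDU
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"            # sysUpTime.0, first varbind of every v2 trap
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"     # snmpTrapOID.0, second varbind of every v2 trap
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"           # generic linkDown notification OID


def _tlv(tag, body):
    """BER tag-length-value with short or long definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _enc_int(value, tag=0x02):
    # Two's-complement INTEGER; also right for the unsigned TimeTicks/Counter/Gauge tags.
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:   # first two arcs share one byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                    # base 128, high bit set = more to come
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def build_trap(community, request_id, uptime_ticks, trap_oid, extra=()):
    """SNMPv2c message: SEQUENCE { version 1, community, Trap-PDU { id, 0, 0, varbinds } }."""
    varbinds = [_tlv(0x30, _enc_oid(SYS_UPTIME) + _enc_int(uptime_ticks, 0x43)),
                _tlv(0x30, _enc_oid(SNMP_TRAP_OID) + _enc_oid(trap_oid))]
    varbinds += [_tlv(0x30, _enc_oid(oid) + _tlv(0x04, text.encode())) for oid, text in extra]
    pdu = _enc_int(request_id) + _enc_int(0) + _enc_int(0) + _tlv(0x30, b"".join(varbinds))
    return _tlv(0x30, _enc_int(1) + _tlv(0x04, community.encode()) + _tlv(SNMPV2_TRAP_PDU, pdu))

def _read_tlv(buf, pos):
    """Return (tag, body, position just after the element)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                                      # long form: n & 0x7F length bytes follow
        size, pos = n & 0x7F, pos + (n & 0x7F)
        n = int.from_bytes(buf[pos - size:pos], "big")
    return tag, buf[pos:pos + n], pos + n

def _dec_oid(body):
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = 2 if arcs[0] >= 80 else arcs[0] // 40
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def _dec_value(tag, body):
    if tag == 0x02:
        return int.from_bytes(body, "big", signed=True)
    if tag in (0x41, 0x42, 0x43):                     # Counter32, Gauge32, TimeTicks: unsigned
        return int.from_bytes(body, "big")
    if tag == 0x04:
        return body.decode("utf-8", "replace")
    if tag == 0x06:
        return _dec_oid(body)
    return body.hex()                                 # NULL, IpAddress and the rest: raw hex

def parse_trap(packet, expected_community):
    """Decode a trap, refusing it unless the cleartext community matches the sink's."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    community = comm.decode("utf-8", "replace")
    # The community string is all the authentication SNMPv2c has, and anyone on the path can
    # read or replay it; comparing it is the minimum a sink must do before trusting a trap.
    if community != expected_community:
        raise ValueError(f"rejected trap with community {community!r}")
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != SNMPV2_TRAP_PDU:
        raise ValueError(f"unexpected PDU tag 0x{tag:02x}")
    _, req, pos = _read_tlv(pdu, 0)
    pos = _read_tlv(pdu, _read_tlv(pdu, pos)[2])[2]   # skip error-status and error-index
    _, vb_list, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vb_list):
        _, vb, pos = _read_tlv(vb_list, pos)
        _, oid, vpos = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, vpos)
        varbinds.append((_dec_oid(oid), _dec_value(vtag, val)))
    fields = dict(varbinds)
    return {"version": int.from_bytes(ver, "big", signed=True), "community": community,
            "request_id": int.from_bytes(req, "big", signed=True), "varbinds": varbinds,
            "uptime_ticks": fields.get(SYS_UPTIME), "trap_oid": fields.get(SNMP_TRAP_OID)}


# Constructed sample: what a sink configured with community "df-monitor" would receive.
SAMPLE_TRAP = build_trap("df-monitor", 42, 123456, LINK_DOWN,
                         extra=[("1.3.6.1.4.1.99999.1", "CPU utilization 91% is high")])
```

parse_trap(SAMPLE_TRAP, "df-monitor") returns the version, community, request ID, uptime, trap OID and varbind list; the same packet presented with community "public" is rejected. Because the community is the whole of the check, a sink on an untrusted segment is trivially spoofable, which is why the ports in Appendix D should only be reachable from the management network.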

dfc-source-batching
The following commands are used for DefenseFlow source batching:
• dfc-source-batching:flush — Force-starts protection for all source attacks that are waiting to be activated.
• dfc-source-batching:list — Lists delayed source attacks.


dfc-syslog
The following commands are used for DefenseFlow syslog operations:
• dfc-syslog:rfc-5424 — Saves syslog messages in RFC 5424 format.

Table 230: dfc-syslog Arguments

Argument | Description | Mandatory | Values
enable | When enabled, syslogs are saved in RFC 5424 format. | No | {true|false}. Default: false

dfc-system
The following commands are used for DefenseFlow system operations:
• dfc-system:info — Shows system information.
• dfc-system:set-alert-level — Sets an alert level.
• dfc-system:verify-show — Verifies the DefenseFlow system status.

Table 231: dfc-system Arguments

Argument | Description | Mandatory | Values
cpu-alert-level | CPU utilization alert level. | No | Integer
memory-alert-level | Memory utilization alert level. | No | Integer
refresh | Auto-refresh the list every x seconds. | No | Integer
track | Track the action progress. | No | {true|false}. Default: false

dfc-tools
The following commands are used for DefenseFlow tools:
• dfc-tools:ping — Executes a ping.
• dfc-tools:ping6 — Executes a ping6.
• dfc-tools:traceroute — Executes a traceroute.


• dfc-tools:traceroute6 — Executes a traceroute6.

Table 232: dfc-tools Arguments

Argument | Description | Mandatory | Values
command arguments | Network address. | Yes | IPv4, IPv6

dfc-workflow
The following commands are used for DefenseFlow workflows:
• dfc-workflow:add — Adds a workflow.
• dfc-workflow:delete — Deletes a workflow.
• dfc-workflow:edit — Edits a workflow.
• dfc-workflow:list — Lists workflows.
• dfc-workflow:show — Shows workflows.

Table 233: dfc-workflow Arguments

Argument | Description | Mandatory | Values
description | Workflow description. | No | Text
detection | Detection to use. | Yes | Text
name | Workflow name. | Yes | Text

dfc-workflow-rule
The following commands are used for DefenseFlow workflow rules:
• dfc-workflow-rule:add — Adds a workflow rule.
• dfc-workflow-rule:delete — Deletes a workflow rule.
• dfc-workflow-rule:edit — Edits a workflow rule.
• dfc-workflow-rule:list — Lists workflow rules.
• dfc-workflow-rule:show — Shows a workflow rule.


Table 234: dfc-workflow-rule Arguments

Argument | Description | Mandatory | Values
enter-criteria | Enter criteria: the condition under which the rule starts the operation. | No | A criteria expression (see Criteria syntax below). Default: AttackStart
exit-criteria | Exit criteria: the condition under which the rule ends the operation. | No | A criteria expression (see Criteria syntax below). Default: AttackTermination
enter-mode | Enter action mode. | No | {AUTOMATIC|USER_CONFIRMATION}. Default: AUTOMATIC
exit-mode | Exit action mode. | No | {AUTOMATIC|USER_CONFIRMATION}. Default: AUTOMATIC
mode | Action mode. | Yes | {AUTOMATIC|USER_CONFIRMATION}. Default: AUTOMATIC
workflow | Workflow name. When generating a list, this filters the list by the workflow name. | No | Text

Criteria syntax (enter-criteria and exit-criteria)
A criteria expression can include the following events: AttackStart, AttackTermination, ProvisionStart, ProvisionEnd. It can also include conditions on the following variables, combined with AND, OR and parentheses:
• AttackBandwidth (bits per second) with operators >, <, >=, <=
• AttackRate (packets per second) with operators >, <, >=, <=
• AttackDestination with operators =, !=, in, not in
• AttackProtocol with operators =, !=
• time, date, month and day with operators >, <, >=, <=, =, != (for day, Sunday is the smallest value and Saturday the biggest)
• SourcePort and DestinationPort with operators >, <, >=, <=, =, !=. For example: SourcePort > 34
• Fragment with operators =, !=. For example: Fragment = true
For example:
(AttackProtocol = TCP OR AttackDestination not in 3.3.3.0/28) AND (AttackBandwidth <5m OR AttackRate <3k AND (day = Sunday AND month >January))
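
The enter-criteria and exit-criteria values form a small expression language. The following is an added example, not DefenseFlow's own parser (the guide lists the variables and operators but not the grammar): it parses such criteria and evaluates them against an attack record. Its assumptions are stated in the code: AND binds tighter than OR, parentheses group, names are case-insensitive, the k/m/g suffixes in the guide's "5m" and "3k" mean 10^3/10^6/10^9, time and date are omitted because the page gives no format for them, and the sample attack record is constructed. An operator the table does not allow for a variable is rejected at parse time, which is the condition DefenseFlow reports as alert DFC01352.

```python
"""Illustrative evaluator for DefenseFlow-style workflow-rule criteria (added example, not DefenseFlow code)."""
import ipaddress, operator, re

DAYS = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
EVENTS = {"attackstart", "attacktermination", "provisionstart", "provisionend"}
NUMERIC = {"attackbandwidth", "attackrate", "sourceport", "destinationport"}
VARIABLES = NUMERIC | {"attackdestination", "attackprotocol", "day", "month", "fragment"}
OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le,
       "=": operator.eq, "!=": operator.ne}
# Variables the guide limits to a subset of operators; the others accept all of OPS.
RESTRICTED = {"attackbandwidth": {">", "<", ">=", "<="}, "attackrate": {">", "<", ">=", "<="},
              "attackprotocol": {"=", "!="}, "fragment": {"=", "!="},
              "attackdestination": {"=", "!=", "in", "not in"}}
SUFFIX = {"k": 10**3, "m": 10**6, "g": 10**9}          # assumed meaning of the guide's 5m / 3k
# Tokens: parens, comparison operators, values containing a digit (34, 5m, 3.3.3.0/28), words.
TOKEN = re.compile(r"\(|\)|>=|<=|!=|=|>|<|(?=[\w.:/]*\d)[\w.:/]+|[A-Za-z_]\w*")


def _norm(name, value, literal):
    """Normalise a rule literal (literal=True) or an attack field to a comparable value."""
    text = str(value).lower()
    if name in ("day", "month"):                    # Sunday is smallest, Saturday biggest
        return (DAYS if name == "day" else MONTHS).index(text)
    if name == "fragment":
        return text == "true"
    if name == "attackdestination":                 # literal is a network, the field an address
        return ipaddress.ip_network(value, strict=False) if literal else ipaddress.ip_address(value)
    if name in NUMERIC:
        if literal and text[-1] in SUFFIX:
            return float(text[:-1]) * SUFFIX[text[-1]]
        return float(text)
    return text                                     # AttackProtocol: plain string compare


class Criteria:
    """Recursive descent; AND binds tighter than OR and parentheses group (assumed precedence)."""
    def __init__(self, text):
        self.tokens, self.pos = TOKEN.findall(text), 0
        if "".join(self.tokens) != re.sub(r"\s+", "", text):
            raise ValueError(f"unexpected characters in criteria {text!r}")
        self.tree = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")

    def _peek(self):
        return self.tokens[self.pos].lower() if self.pos < len(self.tokens) else None

    def _take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("criteria ended unexpectedly")
        self.pos += 1
        return self.tokens[self.pos - 1].lower()

    def _expr(self):      # or := and (OR and)* ; and := primary (AND primary)*
        return self._chain("or", lambda: self._chain("and", self._primary))

    def _chain(self, keyword, sub):
        node = sub()
        while self._peek() == keyword:
            self._take()
            node = (keyword, node, sub())
        return node

    def _primary(self):
        if self._peek() == "(":
            self._take()
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        name = self._take()
        if name in EVENTS:
            return ("event", name)
        op = self._take()
        if op == "not":
            op = "not " + self._take()
        # Reject operators the guide does not allow (DefenseFlow logs DFC01352 for this).
        if name not in VARIABLES or op not in RESTRICTED.get(name, OPS):
            raise ValueError(f"operator {op!r} is invalid with {name!r}")
        return ("cmp", name, op, _norm(name, self._take(), literal=True))

    def matches(self, attack):
        return self._eval(self.tree, {k.lower(): v for k, v in attack.items()})

    def _eval(self, node, ctx):
        if node[0] in ("or", "and"):
            left, right = self._eval(node[1], ctx), self._eval(node[2], ctx)
            return (left or right) if node[0] == "or" else (left and right)
        if node[0] == "event":
            return str(ctx.get("event", "")).lower() == node[1]
        _, name, op, literal = node
        actual = _norm(name, ctx[name], literal=False)
        if name == "attackdestination":             # membership test against the network literal
            hit = actual in literal
            return hit if op in ("in", "=") else not hit
        return OPS[op](actual, literal)


# Constructed sample attack (not from the page) and the guide's example rule, parentheses balanced.
SAMPLE_ATTACK = {"event": "AttackStart", "AttackProtocol": "UDP", "AttackDestination": "3.3.3.200",
                 "AttackBandwidth": 8_000_000, "AttackRate": 2_500, "day": "Sunday",
                 "month": "March", "SourcePort": 53, "Fragment": True}
SAMPLE_RULE = ("(AttackProtocol = TCP OR AttackDestination not in 3.3.3.0/28) AND "
               "(AttackBandwidth <5m OR (AttackRate <3k AND (day = Sunday AND month >January)))")
```

Criteria(SAMPLE_RULE).matches(SAMPLE_ATTACK) is True: the destination 3.3.3.200 lies outside 3.3.3.0/28 and the rate is below 3k on a Sunday in March. Moving the destination inside the /28 makes the rule False, and Criteria("AttackProtocol > TCP") fails at construction because the table allows only = and != for AttackProtocol.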

APPENDIX B – ALERTS TABLE
This appendix includes a list of the DefenseFlow alerts you may see in the APSolute Vision Alerts
table, or at a syslog server to which alerts are sent (for more information, see Syslog Alerts,
page 204).

Alerts
The following table lists the DefenseFlow-specific messages that may be displayed in the application.


DefenseFlow Alerts
Table 235: DefenseFlow Alerts

Alert Code Severity Text When


APSolute Vision
DFC00428 WARNING Expected DefenseFlow IP {LOCAL} to be registered in Vision, but actual is {ACTUAL}.
Assuming split brain, this node is now in dormant mode.
DFC00429 INFO DefenseFlow IP registered in Vision match local DefenseFlow node, turning off dormant
mode.
DFC00517 WARNING DefenseFlow and Vision machine {IP} are not time synced. Time in Vision server is
{VISION_TIME} and DefenseFlow time is {DEFENSE_FLOW_TIME}.
DFC00525 INFO DefenseFlow and Vision machine {IP} time sync is OK.
Control Element
DFC00100 WARNING Control element {CE_NAME}: operational status is now down.
DFC00101 INFO Control element {CE_NAME}: operational status is now up.
DFC00102 INFO Control element {CE_NAME}: is now enabled.
DFC00103 INFO Control element {CE_NAME}: is now disabled.
DFC01374 INFO Genie Control Element {NAME} {ROLE} instance {IP} health status changed to
{NEW_STATUS}.
DFC01375 WARNING Unable to fetch health status for Genie control element {NAME}.
High Availability
DFC00388 INFO Failover is complete. The node {NODE} is now active.
DFC00389 INFO Failover is complete. The node {NODE} is now standby.
DFC00391 WARNING DefenseFlow active node {ACTIVE} has not been available for {SECONDS} seconds.
Initiating failover.
DFC00404 WARNING The session with the DefenseFlow standby node is down. Check the DefenseFlow standby
node {STANDBY} is up and running, and the communication between the active and standby
nodes is functioning properly.
DFC00405 WARNING The session with the DefenseFlow standby node {STANDBY} is back to normal.
DFC00414 INFO Standby {IP} is already configured as standby for this node.


DFC00432 INFO High availability election initiated.
DFC00454 INFO High availability selected the local node {NODE} as the active node.
DFC00455 INFO High availability selected the local node {NODE} as the standby node.
DFC01269 WARNING The active node time is {TIME_ACTIVE} and the standby node time is {TIME_STANDBY}.
The times must be synced using an NTP to ensure stability of the high availability.
Network Element
DFC00028 WARNING Update of custom operations RESTs failed. See the DefenseFlow logs for more details.
  When: Operation
DFC00030 WARNING Unable to handle protection of protected object {NAME} by custom operation {OPERATION} URL {URL}.
  When: Operation
DFC00200 WARNING Network element {NE_NAME}: operational status is now down.
  When: Operation
DFC00201 INFO Network element {NE_NAME}: operational status is now up.
  When: Operation
DFC00202 INFO Network element {NE_NAME}: is now enabled.
  When: Operation
DFC00203 INFO Network element {NE_NAME}: is now disabled.
  When: Operation
DFC00205 WARNING Network element {NE_NAME}: diversion control element is down.
  When: Operation
DFC00336 WARNING Operation {OPERATION} cannot be performed for network element {NE}. BGP FlowSpec support is not configured for network element {NE}.
  When: Operation
DFC00669 ERROR Update of injections failed. See the DefenseFlow logs for more details.
DFC00107 ERROR Unable to create a BGP peer for network element {NE_NAME}. The DefenseFlow local
address does not match the network element IP {NE_IP} address family. To enable the peer,
configure the control interface IP address.
DFC00348 INFO Protection of protected object {PO_NAME} by operation {OPERATION} has started for
networks.
DFC01363 INFO The BigSwitch device {NAME} status changed from {OLD_OPER_STATUS} to
{NEW_OPER_STATUS}.
Mitigation
DFC00278 WARNING Unable to export policy from mitigation device {MITIGATION_NAME}. Delegation will use the
operation template instead.
DFC00321 WARNING Unable to update mitigation device {NAME}. Field {FIELD} contains invalid characters.


DFC00400 WARNING Mitigation device {MITIGATION_NAME}: operational status is now down.
DFC00401 INFO Mitigation device {MITIGATION_NAME}: operational status is now up.
DFC00506 INFO Mitigation device {MITIGATION_NAME}: is now enabled.
DFC00507 INFO Mitigation device {MITIGATION_NAME}: is now disabled.
DFC00539 INFO Updated the security policy {NAME} for protected object {PO_NAME} on mitigation device
{MITIGATION_NAME} for networks {NETWORKS}.
DFC00540 WARNING Unable to update the security policy {NAME} for protected object {PO_NAME} on mitigation
device {MITIGATION_NAME} for networks {NETWORKS}.
DFC00624 ERROR Update of blacklists/whitelists failed. See the DefenseFlow logs for more details.
DFC00678 ERROR Update of signatures failed. See the DefenseFlow logs for more details.
DFC00679 INFO Signatures profile {PROFILE} created on mitigation device {MITIGATION_NAME} for
protected object {NAME}.
DFC00680 ERROR Failed to create signatures profile {PROFILE} on mitigation device {MITIGATION_NAME} for
protected object {NAME}.
DFC00689 INFO IP {IP} attack signature created on mitigation device {MITIGATION_NAME} for protected
object {NAME}.
DFC00690 ERROR Failed to create IP {IP} attack signature on mitigation device {MITIGATION_NAME} for
protected object {NAME}.
DFC00691 INFO IP {IP} attack signature removed from mitigation device {MITIGATION_NAME} for protected
object {NAME}.
DFC00692 ERROR Failed to remove IP {IP} attack signature from mitigation device {MITIGATION_NAME} for
protected object {NAME}.
DFC00695 INFO Signatures profile {PROFILE} deleted on mitigation device {MITIGATION_NAME} for
protected object {NAME}.
DFC00696 ERROR Failed to remove signatures profile {PROFILE} on mitigation device {MITIGATION_NAME} for
protected object {NAME}.
DFC01112 ERROR Protected object: {PROTECTED_OBJECT_NAME} unable to add the blacklist/whitelist filter
{FILTER} on mitigation device {MITIGATION_NAME}.


DFC01113 ERROR Protected object: {PROTECTED_OBJECT_NAME} unable to remove the blacklist/whitelist
filter {FILTER} on mitigation device {MITIGATION_NAME}.
DFC01130 ERROR Update of DNS white list filter failed. See the DefenseFlow logs for more details.
DFC01131 ERROR Protected object: {PROTECTED_OBJECT_NAME} unable to import DNS White list
{WHITELIST_NAME} on mitigation device {MITIGATION_NAME}.
DFC01133 INFO Protected object: {PROTECTED_OBJECT_NAME} DNS White list {WHITELIST_NAME} on
mitigation device {MITIGATION_NAME} successfully imported.
DFC01149 WARNING Unable to export DNS white list from mitigation device {MITIGATION_NAME}. Delegation will
use the operation DNS white list if exists.
DFC01217 ERROR Unable to start packet capture on mitigation device {MITIGATION_NAME}.
DFC01369 WARNING One or more mitigation devices for protected object {PROTECTED_OBJECT} and operation
{OPERATION} not available\n{PROBLEMS_LIST}
BGP
DFC00358 INFO Initiate BGP FlowSpec start for protected objects {PO_NAMES} on peer {PEER_NAME} with
destination {DESTINATION}.
DFC00359 INFO Initiate BGP FlowSpec stop for protected objects {PO_NAMES} on peer {PEER_NAME} with
destination {DESTINATION}.
DFC00406 INFO The BGP service on {SERVER} is available.
DFC00407 WARNING The BGP service on {SERVER} is not available.
DFC00600 INFO Added new BGP peer with IP address {IP}.
DFC00601 INFO BGP peer with IP address {IP} changed its state to ESTABLISHED.
DFC00602 WARNING BGP peer with IP address {IP} changed its state to ACTIVE.
DFC00983 ERROR Update BGP announcements failed.
DFC00985 ERROR Update of BGP peers failed. See the DefenseFlow logs for more details.
DFC00987 ERROR Unable to check internal BGP service status.
DFC00988 ERROR Internal BGP service is not running or has failures.
DFC00989 INFO Internal BGP service is back to normal.
DFC00993 ERROR BGP service failed to load, because Python was not found on the computer.


DFC01323 WARNING BGP FlowSpec announcement failed because system level BGP FlowSpec announcements
maximum limit of {LIMIT} has reached.
Protected Object
DFC00009 ERROR Unable to handle policy for protected object {PROTECTED_OBJECT}. Policy is: {POLICY}.
Check the policy syntax is valid.
DFC00177 WARNING Protected object {NAME} shares networks with the following protected objects with the same
precedence level: {COLLIDING}
DFC00179 WARNING Unable to set policy precedence for protected object {NAME}. Make sure the protected object
template contains the variable {precedence}. Policy will be created without precedence.
DFC00263 WARNING Missing protected object(s) for the following statistics counter(s): {COUNTERS}. For each of
the above, this means a profile in Radware collector has no matching protected object in
DefenseFlow.
DFC00281 INFO Security policy {NAME} for protected object {PO_NAME} removed from mitigation device
DFC00431 WARNING Announcement for protected object {NAME} NLRI {NLRI} to next hop {NEXT_HOP} not
announced due to failure in mitigation of this protected object or failure for overlapping
networks of other protected objects.
DFC00508 INFO Protected object {PO_NAME}: activation threshold was crossed: attack started for metric
{METRIC} counter value is {VALUE}.
DFC00509 INFO Protected object {PO_NAME}: termination threshold was crossed: attack ended for metric
{METRIC} counter value is {VALUE}.
DFC00658 ERROR Update of policies failed. See the DefenseFlow logs for more details.
DFC00673 WARNING Operation {OPERATION} for protected object {NAME} is configured to handle source IP
blocking, but the attack details do not include source IP. Protection is created without source
IP dynamic black list.
DFC00684 WARNING Operation {OPERATION} for protected object {NAME} is configured to handle source IP
signatures, but the attack details do not include source IP. Protection is created without
source IP signature blocking.
DFC00701 INFO Protected object {PO_NAME}: attack started on network {NETWORK} protocol {PROTOCOL}
external ID {EXTERNAL_ID} bandwidth {VOLUME}(bps) detection source type {SOURCE}
detection source name {SOURCE_NAME}{ALERT_INFO} source network
{SOURCE_NETWORK}.


DFC00703 INFO Protected object {PO_NAME}: attack ended on network {NETWORK} protocol {PROTOCOL}
external ID {EXTERNAL_ID} detection source {SOURCE} detection source name
{SOURCE_NAME} source network {SOURCE_NETWORK}.
DFC00704 INFO Mitigation device {NAME} instance1 status is now up
DFC00705 WARNING Mitigation device {NAME} instance1 status changed to from {OLD_OPER_STATUS} to
{NEW_OPER_STATUS}
DFC00712 INFO Provisioned a security policy {NAME} for protected object {PO_NAME} on mitigation device
{MITIGATION_NAME}.
DFC00713 ERROR Protected object {PO_NAME}: failed to provision security policy {POLICY} on mitigation
device {MITIGATION_NAME}.
DFC00719 INFO Exported a security policy {NAME} for protected object {PO_NAME} from mitigation device
{MITIGATION_NAME} to the database and removed it from mitigation device
{MITIGATION_NAME}.
DFC00720 ERROR Protected object {PO_NAME}: failed to export a security policy from mitigation device
{MITIGATION_NAME} to the database and/or failed to remove it from mitigation device
{MITIGATION_NAME}.
DFC00724 INFO Protected object {PO_NAME}: has pending confirmation approval to start protection for networks {NETWORKS}.
  When: User manually deactivated a configured action for a protected object (manual stop).
DFC00725 INFO Protected object {PO_NAME}: confirmed pending action.
  When: User manually activated or deactivated a configured action for a protected object, and its state changed to manual.


DFC00728 INFO Protected object {PO_NAME}: action mode was changed to manual.
  When: DefenseFlow configured routing to a GRE tunnel on a specific DefensePro as part of mitigation.
DFC00729 INFO Protected object {PO_NAME}: is now disabled.
  When: DefenseFlow configured routing to a DDOS router on a specific DefensePro as part of mitigation.
DFC00730 INFO Protected object {PO_NAME}: is now enabled.
  When: DefenseFlow removed a configured routing to a GRE tunnel on a specific DefensePro as part of mitigation.
DFC00731 INFO Clean traffic leaving mitigation device {MITIGATION_NAME} to protected object {PO_NAME}
will use GRE tunnel. Routes: {ROUTES}.
DFC00732 INFO Clean traffic leaving mitigation device {MITIGATION_NAME} to protected object {PO_NAME}
will be routed to injection IP. Routes: {ROUTES}.
DFC00733 INFO Removed clean traffic tunneling on mitigation device {MITIGATION_NAME} for protected
object {PO_NAME}. Routes: {ROUTES}.
DFC00734 INFO Removed clean traffic routing on mitigation device {MITIGATION_NAME} for protected object
{PO_NAME}. Routes: {ROUTES}.
DFC00735 ERROR Failed to provision clean traffic tunneling on mitigation device {MITIGATION_NAME} to
protected object {PO_NAME}. Routes: {ROUTES}.
DFC00736 ERROR Failed to provision clean traffic routing on mitigation device {MITIGATION_NAME} to
protected object {PO_NAME}. Routes: {ROUTES}.
DFC00737 ERROR Failed to remove clean traffic routing on mitigation device {MITIGATION_NAME} to protected
object {PO_NAME}. Routes: {ROUTES}.


DFC00738 ERROR Failed to remove clean traffic tunneling on mitigation device {MITIGATION_NAME} to
protected object {PO_NAME}. Routes: {ROUTES}.
DFC00741 INFO Protected object {NAME}: has pending confirmation approval to terminate protection for networks {NETWORKS}.
  When: Protected object goes down.
DFC00746 WARNING No mitigation devices available for protection of protected object {NAME} through network elements {PEERS}. Make sure the operation mitigation group contains mitigation devices. If the operation's use connectivity is configured, ensure the connections from the network element to the mitigation devices are configured.
  When: Protected object goes down.
DFC00747 WARNING No network elements available for protection of protected object {NAME}. Make sure the diversion group in the operation contains network elements. If "use connectivity" is configured for the operation, verify the connectivity is well configured, or alternatively uncheck the "use connectivity" for the operation.
  When: Protected object goes down.
DFC00749 ERROR Failed adding static route for IP address {IP} through gateway {GATEWAY}.
DFC00995 ERROR Handling the protected object {NAME} protection has failed. See the DefenseFlow logs for
more details.
DFC01021 ERROR Unable to divert traffic of protected object {PO_NAME} network {NETWORK} to mitigation
device {MITIGATION}. The IPv{VERSION} diversion address of the mitigation device is
empty.
DFC01027 ERROR Unable to handle clean traffic injection for network {NETWORK} of protected object
{PO_NAME}. No tunnel with matching IP version on mitigation device {MITIGATION} is
located on the protected object network elements.
DFC01028 ERROR Unable to handle clean traffic injection for network {NETWORK} of protected object
{PO_NAME}. No injection IP address with matching IP version is located on mitigation device
{MITIGATION}.
DFC01033 INFO Mitigation device {NAME} status is now up
DFC01034 WARNING Mitigation device {NAME} status changed to from {OLD_OPER_STATUS} to
{NEW_OPER_STATUS}
DFC01050 WARNING Unable to activate protection for {PO_NAME}. Some mitigation devices in the mitigation
group {MITIGATION_GROUP} are unable to handle the protection: {DEVICES}
DFC01051 WARNING Unable to activate protection for {PO_NAME}. Mitigation group {MITIGATION_GROUP} is
empty.


DFC01055 INFO Protected object {PO_NAME}: ignored pending action.
DFC01073 WARNING The amount of granular IPs collected has exceeded the limit {AMOUNT}. Detection will not be
performed for the additional IPs.
DFC01125 INFO Blocking source IPs for protection of protected object {PROTECTED_OBJECT_NAME} with
operation {OPERATION} were added: {DYNAMIC_BLACK_LIST_SOURCES}
DFC01126 INFO Signatures sources for protection of protected object {PROTECTED_OBJECT_NAME} with
operation {OPERATION} were added: {SIGNATURES_SOURCES}
DFC01127 INFO Blocking source IPs for protection of protected object {PROTECTED_OBJECT_NAME} with
operation {OPERATION} were removed: {DYNAMIC_BLACK_LIST_SOURCES}
DFC01128 INFO Signatures sources for protection of protected object {PROTECTED_OBJECT_NAME} with
operation {OPERATION} were removed: {SIGNATURES_SOURCES}
DFC01315 WARNING Unable to handle protection of protected object {NAME} by custom operation {OPERATION}
URL {URL}, caused due to: {ERROR}
DFC01329 ERROR Protected object {PROTECTED_OBJECT_NAME} is unable to import Geolocation feed profile
{PROFILE} on mitigation device {MITIGATION_NAME}.
DFC01330 INFO Protected object {PROTECTED_OBJECT_NAME} Geolocation feed profile {PROFILE} on
mitigation device {MITIGATION_NAME} was successfully imported.
System
DFC00091 WARNING The DefenseFlow subscription license is about to expire at the date: {DATE}. Contact
Radware to renew the license.
DFC00742 WARNING CPU utilization {CURRENT}% is high (above the threshold of {LIMIT}%).
  When: Protected object goes down.
DFC00743 WARNING Memory utilization {CURRENT}% is high (above the threshold of {LIMIT}%).
  When: Protected object goes down.
DFC00744 INFO CPU utilization {CURRENT}% is back to normal (below the threshold of {LIMIT}%).
  When: Protected object goes down.
DFC00745 INFO Memory utilization {CURRENT}% is back to normal (below the threshold of {LIMIT}%).
  When: Protected object goes down.
DFC00776 INFO Protected object {PO_NAME}: activation threshold was crossed: attack started for protocol
{PROTOCOL} type {TRAFFIC_UNIT} IP {IP}.


DFC00777 INFO Protected object {PO_NAME}: termination threshold was crossed: attack ended for protocol
{PROTOCOL} type {TRAFFIC_UNIT} IP {IP}.
DFC00782 WARNING Protected object {PO_NAME}: learned fewer than {SAMPLES} traffic samples in all protocols,
activating anyway.
DFC00784 ERROR Protected object {PO_NAME}: received no traffic at all since creation. The protected object
will be disabled.
DFC00980 INFO Protected object {PO_NAME}: operation {OPERATION} initiate traffic diversion on peer
{PEER_NAME} with destinations {DESTINATIONS} to mitigation device
{MITIGATION_NAME}.
DFC00982 INFO Protected object {PO_NAME}: operation {OPERATION} initiate stop of traffic diversion of
traffic on peer {PEER_NAME} with destinations {DESTINATIONS} to mitigation device
{MITIGATION_NAME}.
DFC01210 INFO DefenseFlow started.
DFC01276 WARNING {NAME} - Disk utilization {CURRENT}% is high (above the threshold of {LIMIT}%)
  Placeholders: NAME is the container name; CURRENT is the current utilization; LIMIT is the threshold utilization.
DFC01277 INFO {NAME} - Disk utilization back to normal at {CURRENT}% (below the threshold of
{LIMIT}%)
DFC01284 INFO Geolocation files successfully imported.
DFC01288 ERROR Geolocation files failed imported.
DFC01289 ERROR Unable to get system utilization for container {NAME}.
DFC01296 INFO Container {NAME} has {ACTION} action at {TIME}.
DFC01313 WARNING The number of CPU cores ({CORES}) and memory size ({MEMORY} GB) is less than the
required {REQ_CORES} CPU cores and {REQ_MEMORY} GB memory for version 3.6.0.0.


DFC01321 WARNING Geolocation feed loading group {GROUPS} was imported with Geolocation feed countries
because the Geolocation feed does not exist on the current node.
DFC01322 WARNING Deleted {COUNTRY} from the Geolocation feed group {NAME} because this country does not
exist in the new Geolocation feed.
DFC01326 INFO Do not delete Geolocation feed country {COUNTRY} because this country is assigned to
{TYPE} {NAME}.
DFC01331 ERROR Update of the Geolocation feed failed. Refer to the DefenseFlow logs for more details
Workflow
DFC00360 INFO Workflow {WORKFLOW} event {EVENT} triggered up operation {OPERATION} for protected
object {PO_NAME}. Criteria {CRITERIA} fulfilled by protocol {PROTOCOL} bandwidth
{BANDWIDTH} bps rate {RATE} pps destination {DESTINATION}.
DFC00361 INFO Workflow {WORKFLOW} event {EVENT} triggered down operation {OPERATION} for
protected object {PO_NAME}. Criteria {CRITERIA} fulfilled by protocol {PROTOCOL}
bandwidth {BANDWIDTH} bps rate {RATE} pps destination {DESTINATION}.
DFC01352 WARNING Using this operator is invalid with criteria {CRITERIA}.
DFC01353 WARNING Postgres configuration file pg_hba.conf is missing from the filesystem; it will be restored from
the original file.
DFC01354 WARNING Postgres configuration file pg_hba.conf is missing from the filesystem; it will be restored from
the backup file.
DFC01356 WARNING Postgres configuration file pg_hba.conf is missing from the filesystem and cannot be
restored; a backup of the original files could not be found.
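
When these alerts are forwarded to a syslog server (see Syslog Alerts), the {PLACEHOLDER} templates in the table double as a parsing catalogue. The following is an added example, not DefenseFlow code: it compiles a slice of the table into anchored regular expressions, parses RFC 5424 lines (the format that dfc-syslog:rfc-5424 enables), recovers the placeholder values, flags a syslog PRI severity that disagrees with the alert's own severity word, and uses the recovered peer IP to spot a BGP peer flapping between ESTABLISHED (DFC00601) and ACTIVE (DFC00602). The syslog framing, the "<code> <severity> <text>" message layout, the host and app names and all sample lines are constructed assumptions; the page shows no real log output.

```python
"""Parse DefenseFlow alerts received over syslog and recover their template fields.
Added example, not DefenseFlow code: the alert texts are from the guide's alerts table; the
RFC 5424 framing, the "<code> <severity> <text>" body layout and the sample lines are assumed."""
import re
from datetime import datetime

# Slice of the guide's alerts table: code -> (severity, template). A template that repeats a
# placeholder (e.g. DFC00719 names {MITIGATION_NAME} twice) needs distinct names before use here.
CATALOG = {
    "DFC00428": ("WARNING", "Expected DefenseFlow IP {LOCAL} to be registered in Vision, but actual is "
                            "{ACTUAL}. Assuming split brain, this node is now in dormant mode."),
    "DFC00601": ("INFO", "BGP peer with IP address {IP} changed its state to ESTABLISHED."),
    "DFC00602": ("WARNING", "BGP peer with IP address {IP} changed its state to ACTIVE."),
    "DFC00742": ("WARNING", "CPU utilization {CURRENT}% is high (above the threshold of {LIMIT}%)."),
    "DFC01323": ("WARNING", "BGP FlowSpec announcement failed because system level BGP FlowSpec "
                            "announcements maximum limit of {LIMIT} has reached."),
}
SEVERITY_NUM = {"ERROR": 3, "WARNING": 4, "INFO": 6}      # syslog err / warning / info
SYSLOG_5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")
BODY = re.compile(r"^(?P<code>DFC\d{5}) (?P<severity>[A-Z]+) (?P<text>.*)$")


def compile_template(template):
    """Turn 'BGP peer with IP address {IP} ...' into an anchored regex with named groups."""
    parts = re.split(r"\{(\w+)\}", template)          # literal, name, literal, name, ..., literal
    pattern = "".join(re.escape(p) if i % 2 == 0 else f"(?P<{p}>.+?)" for i, p in enumerate(parts))
    return re.compile(f"^{pattern}$")


TEMPLATES = {code: compile_template(text) for code, (_, text) in CATALOG.items()}


def parse_alert(line):
    """Return a structured record for one syslog line carrying a DefenseFlow alert."""
    head = SYSLOG_5424.match(line)
    if not head:
        raise ValueError(f"not an RFC 5424 line: {line!r}")
    body = BODY.match(head["msg"] or "")
    if not body:
        raise ValueError(f"no DFC alert code in message: {head['msg']!r}")
    pri, code = int(head["pri"]), body["code"]
    record = {"timestamp": head["timestamp"], "host": head["host"], "facility": pri >> 3,
              "code": code, "severity": body["severity"], "text": body["text"],
              "known": code in CATALOG, "fields": {},
              # A PRI that disagrees with the alert's own severity word points at a relay or
              # forwarder rewriting priorities; worth knowing before filtering on PRI.
              "severity_mismatch": SEVERITY_NUM.get(body["severity"]) != (pri & 7)}
    if record["known"]:
        hit = TEMPLATES[code].match(body["text"])
        record["fields"] = hit.groupdict() if hit else {}
    return record


def flapping_peers(records, window=60, min_changes=3):
    """Peer IPs with at least min_changes ESTABLISHED/ACTIVE transitions within `window` seconds."""
    changes = {}
    for rec in records:
        if rec["code"] in ("DFC00601", "DFC00602") and "IP" in rec["fields"]:
            changes.setdefault(rec["fields"]["IP"], []).append(datetime.fromisoformat(rec["timestamp"]))
    flapping = set()
    for ip, times in changes.items():
        times.sort()
        for i in range(len(times) - min_changes + 1):      # sliding window over sorted times
            if (times[i + min_changes - 1] - times[i]).total_seconds() <= window:
                flapping.add(ip)
                break
    return flapping


# Constructed sample lines (not real DefenseFlow output). PRI 12 = user.warning, 14 = user.info.
SAMPLE_LINES = [
    "<12>1 2021-07-04T10:15:30+00:00 df-node1 DefenseFlow - - - DFC00602 WARNING "
    "BGP peer with IP address 192.0.2.1 changed its state to ACTIVE.",
    "<14>1 2021-07-04T10:15:45+00:00 df-node1 DefenseFlow - - - DFC00601 INFO "
    "BGP peer with IP address 192.0.2.1 changed its state to ESTABLISHED.",
    "<12>1 2021-07-04T10:16:05+00:00 df-node1 DefenseFlow - - - DFC00602 WARNING "
    "BGP peer with IP address 192.0.2.1 changed its state to ACTIVE.",
    "<14>1 2021-07-04T10:16:20+00:00 df-node1 DefenseFlow - - - DFC00601 INFO "
    "BGP peer with IP address 192.0.2.1 changed its state to ESTABLISHED.",
    "<12>1 2021-07-04T10:16:21+00:00 df-node1 DefenseFlow - - - DFC00602 WARNING "
    "BGP peer with IP address 192.0.2.7 changed its state to ACTIVE.",
    "<12>1 2021-07-04T10:17:00+00:00 df-node1 DefenseFlow - - - DFC00428 WARNING Expected DefenseFlow "
    "IP 10.0.0.5 to be registered in Vision, but actual is 10.0.0.6. Assuming split brain, this node "
    "is now in dormant mode.",
    "<14>1 2021-07-04T10:17:05+00:00 df-node1 DefenseFlow - - - DFC00742 WARNING "
    "CPU utilization 91% is high (above the threshold of 85%).",
    "<12>1 2021-07-04T10:17:06+00:00 df-node1 DefenseFlow - - - DFC09999 WARNING "
    "Some text the catalogue does not know.",
]
```

Running parse_alert over SAMPLE_LINES yields fields such as {"IP": "192.0.2.1"} for DFC00602 and {"LOCAL": "10.0.0.5", "ACTUAL": "10.0.0.6"} for the split-brain alert; the DFC00742 line is flagged because it arrived with an info PRI while the text says WARNING; flapping_peers reports 192.0.2.1, which changed state four times in under a minute, and not 192.0.2.7.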

APPENDIX C – REST API
The REST API documentation for DefenseFlow version 4.2 is located at the following link:
http://webhelp.radware.com/DefenseFlow/REST/4_20_00/index.html

APPENDIX D – COMMUNICATIONS
PORTS
The following table lists the DefenseFlow communication ports and describes how they are used in
DefenseFlow.

In the Usage column, the communications direction is indicated as follows:

• Source --> Destination — One-directional from the source to the destination.
• Source <--> Destination — Bi-directional between the two endpoints.

Table 236: DefenseFlow Communications Ports

Port | Protocol | Usage
22 | SSH (TCP) | Customer --> DefenseFlow; DefenseFlow --> DefensePro; DefenseFlow --> APSolute Vision
123 | NTP (UDP) | DefenseFlow <--> NTP Server
161 | SNMP (UDP) | Customer <--> DefenseFlow
162 | SNMP Traps (UDP) | DefenseFlow --> SNMP Listener. Note: this port is used only when you enable SNMP in DefenseFlow.
179 | BGP (TCP) | DefenseFlow <--> Router
443 | HTTPS (TCP) | DefenseFlow <--> APSolute Vision
514 | Syslog (UDP, TCP) | External Detector --> DefenseFlow; DefensePro --> DefenseFlow
4443 | Host manager Web | External --> Host manager
5432 | PostgreSQL (TCP) | DefenseFlow HA nodes sync
9101 | Real time packet capture (TCP) | DefensePro --> DefenseFlow
 | Spring REST HTTPS | DefenseFlow Active <--> DefenseFlow Standby; APSolute Vision --> DefenseFlow
9300 | Elasticsearch cluster (TCP) | Elasticsearch cluster HA

APPENDIX E – RBAC —
DEFENSEFLOW/APSOLUTE VISION
MAPPING
The following table maps the DefenseFlow RBAC roles to their respective APSolute Vision roles.

Table 237: DefenseFlow/APSolute Vision RBAC Mapping

DefenseFlow RBAC Role | APSolute Vision RBAC Role (Full Name) | APSolute Vision RBAC Role (Short Name) | Access in DefenseFlow
Administrator | System Administrator | SYS_ADMIN | Full access to all DefenseFlow menus, including full Security Operations dashboard access.
Operator | Security Administrator | SEC_ADMIN | Full control of the DefenseFlow Network and Security Settings menus. Full access to the Security Operations dashboard. Read-only access to System > Global Settings, System > Licensing, System > Software Update, System > IP Management, System > HA, and System > TACACS+ Settings.
Viewer | Vision Reporter | REPORTER | Read-only access to all DefenseFlow menus, including Ongoing Protections, Monitoring, and the Security Operations dashboard.

Note: The APSolute Vision DEV_ADMIN role is not supported by DefenseFlow.

APPENDIX F – ADJUSTING SYSTEM
SETTINGS
This appendix describes how to adjust various system settings. It includes:
• Physical CPU and RAM, page 388
• KVM Disk Size, page 389
• Increasing Memory and CPU Limits, page 393

Physical CPU and RAM

Note: Before performing these procedures, ensure that the server has sufficient physical CPU and
RAM.

To increase the number of vCPUs


1. Log in to the KVM server.
2. From the KVM CLI, open the file for the relevant VM:
# virsh edit <vm name>
3. In the line of code that includes the string "vcpu placement", increase the value to the number
of vCPUs that you want:
<vcpu placement='static'>new_value</vcpu>
4. Save the file.
5. Shut down the VM:
# virsh shutdown <vm name>
6. Start up the VM:
# virsh start <vm name>

To increase the maximum memory that can be allocated to a VM


1. From the KVM host CLI (virsh runs on the host, not inside the DefenseFlow VM), run the following command:
# virsh setmaxmem <vm name> <size> --config
2. Log in to the VM and run the following command:
poweroff
3. After the VM is powered off, set the actual memory with the following command:
# virsh setmem <vm name> <size> --config
4. Start the VM:
# virsh start <vm name>


KVM Disk Size


This procedure describes how to change the KVM disk size for the DefenseFlow device.

To increase the KVM disk size


1. Download the DefenseFlow config and support files.
2. From the console, verify your disk size with the following command:
lsblk
For example:

3. Shut down DefenseFlow.


4. After starting up, add extra space to the VHD with the following command:
qemu-img resize FILE_NAME.qcow2 +XG
For example:

5. Add the NBD driver:

6. Connect the VHD to Linux on your local working station with the following command:
sudo qemu-nbd -c /dev/nbdX FILE_NAME.qcow2
For example:

7. To increase the relevant partition sizes used, run the following command:
sudo gparted /dev/nbdX &

The following screen displays:

8. Move the linux-swap partition to the end of the partition list.


9. Select linux-swap, and right-click it.
10. On the menu, click Resize/Move, or click in the partition and resize/move.

11. Drag this partition to the end of the list. The following dialog box displays:

12. When the button is available, click Resize/Move.

13. Highlight the second partition on the list.


14. Right-click on it and click Resize/Move or click in the partition and resize/move.

15. Increase the KVM size as required:

16. When the button is available, click Resize/Move.

17. Click the check mark icon to apply the changes:

18. Disconnect the VHD from your local Linux system using the following command:
sudo qemu-nbd -d /dev/nbdX
For example:

19. Start the DefenseFlow device and verify the disk size change from the console:

Increasing Memory and CPU Limits

To verify memory and CPU limits


1. Log in to the DefenseFlow device as the root user.
2. Open the /opt/rdwr/virt-platform/docker-compose.yml file.

Note: The following are the default values in the docker-compose.yml file:
— NGINX_CPU=2
— NGINX_RAM=2G
— HOST_MANAGER_CPU=.5
— HOST_MANAGER_RAM=500M
— POSTGRES_CPU=6
— POSTGRES_RAM=12G
— DFC_CPU=8
— DFC_RAM=12G
— POLICY_EDITOR_CPU=2
— POLICY_EDITOR_RAM=2G

— ELASTICSEARCH_CPU=2
— ELASTICSEARCH_RAM=16G
— SNMPD_CPU=.5
— SNMPD_RAM=1G

To override the Docker containers' default resource limit values


1. Log in to the DefenseFlow device as the root user.
2. Edit the containers_resources_env file in the /root directory:
a. Uncomment the environment variables:
• #New values for scale
• #export NGINX_CPU=2
• #export NGINX_RAM=2G
• #export HOST_MANAGER_CPU=.5
• #export HOST_MANAGER_RAM=500M
• #export POSTGRES_CPU=7
• #export POSTGRES_RAM=18G
• #export DFC_CPU=12
• #export DFC_RAM=18G
• #export POLICY_EDITOR_CPU=2
• #export POLICY_EDITOR_RAM=2G
• #export ELASTICSEARCH_CPU=3
• #export ELASTICSEARCH_RAM=20G
• #export SNMPD_CPU=.5
• #export SNMPD_RAM=1G
b. Save the changes.
3. Run the command allup for the changes to take effect.
4. Run the command docker ps to verify that all containers are up.

Note: In HA mode, to avoid failover:
1. Disable Automatic Failover or delete the HA.
2. Follow this procedure.
3. If you deleted the HA, recreate the HA.
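Because the limits above are enforced per container, their sum must fit in the host before allup is run. The following shell script is an added example, not Radware tooling: it sums the *_CPU and *_RAM values in a containers_resources_env-style file (ignoring commented lines) and compares them with the host; the sample file is constructed from the scale values listed above, the two host sizes in the demo are hypothetical, and host capacity is otherwise assumed to come from nproc and /proc/meminfo on Linux.

```shell
#!/bin/sh
# Added example, not part of the DefenseFlow product: sum the per-container
# CPU and RAM limits from a containers_resources_env-style file and compare
# them with the host, so the "sufficient physical CPU and RAM" note can be
# checked before running allup.

# Constructed sample in the file's format, with the "scale" entries already
# uncommented as step 2a requires; the commented header line must be ignored.
SAMPLE_ENV="$(mktemp)"
cat >"$SAMPLE_ENV" <<'EOF'
#New values for scale
export NGINX_CPU=2
export NGINX_RAM=2G
export HOST_MANAGER_CPU=.5
export HOST_MANAGER_RAM=500M
export POSTGRES_CPU=7
export POSTGRES_RAM=18G
export DFC_CPU=12
export DFC_RAM=18G
export POLICY_EDITOR_CPU=2
export POLICY_EDITOR_RAM=2G
export ELASTICSEARCH_CPU=3
export ELASTICSEARCH_RAM=20G
export SNMPD_CPU=.5
export SNMPD_RAM=1G
EOF

# Sum of every active (uncommented) *_CPU value; fractions such as .5 are
# allowed because Docker accepts fractional CPU limits.
total_cpu() {
  awk -F= '/^ *(export +)?[A-Z_]+_CPU=/ { s += $2 } END { printf "%g\n", s }' "$1"
}

# Sum of every active *_RAM value, normalised to MiB. Accepts the K/M/G
# suffixes Docker accepts; a bare number is taken to be bytes.
total_ram_mb() {
  awk -F= '
    /^ *(export +)?[A-Z_]+_RAM=/ {
      v = $2
      unit = toupper(substr(v, length(v)))
      n = v + 0                       # numeric prefix only, e.g. "18G" -> 18
      if (unit == "G")      s += n * 1024
      else if (unit == "M") s += n
      else if (unit == "K") s += n / 1024
      else                  s += n / 1048576
    }
    END { printf "%d\n", s }' "$1"
}

# Exit 0 when the configured totals fit the host, 1 otherwise. Host capacity
# comes from nproc and /proc/meminfo unless given as the 2nd and 3rd argument.
check_host() {
  need_cpu="$(total_cpu "$1")"
  need_mb="$(total_ram_mb "$1")"
  host_cpu="${2:-$(nproc)}"
  host_mb="${3:-$(awk '/^MemTotal:/ { printf "%d", $2 / 1024 }' /proc/meminfo)}"
  echo "configured: ${need_cpu} CPU / ${need_mb} MiB; host: ${host_cpu} CPU / ${host_mb} MiB"
  awk -v nc="$need_cpu" -v hc="$host_cpu" -v nm="$need_mb" -v hm="$host_mb" \
      'BEGIN { exit !(nc <= hc && nm <= hm) }'
}

# Demo against two hypothetical hosts: one that fits the scale values, one
# that does not (a 24-core host is short of the 27 CPUs requested).
check_host "$SAMPLE_ENV" 32 65536 && echo "fits"
check_host "$SAMPLE_ENV" 24 65536 || echo "too small: reduce the limits or add resources"
```

Run it on the device as root against /root/containers_resources_env, or point it at a copy of docker-compose.yml defaults written in the same NAME=VALUE form, before running allup.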

RADWARE LTD. END USER LICENSE AGREEMENT
By accepting this End User License Agreement (this “License Agreement”) you agree to be contacted
by Radware Ltd.'s (“Radware”) sales personnel.
If you would like to receive license rights different from the rights granted below or if you wish to
acquire warranty or support services beyond the scope provided herein (if any), please contact
Radware's sales team.
THIS LICENSE AGREEMENT GOVERNS YOUR USE OF ANY SOFTWARE DEVELOPED AND/OR
DISTRIBUTED BY RADWARE AND ANY UPGRADES, MODIFIED VERSIONS, UPDATES, ADDITIONS,
AND COPIES OF THE SOFTWARE FURNISHED TO YOU DURING THE TERM OF THE LICENSE
GRANTED HEREIN (THE “SOFTWARE”). THIS LICENSE AGREEMENT APPLIES REGARDLESS OF
WHETHER THE SOFTWARE IS DELIVERED TO YOU AS AN EMBEDDED COMPONENT OF A RADWARE
PRODUCT (“PRODUCT”), OR WHETHER IT IS DELIVERED AS A STANDALONE SOFTWARE PRODUCT.
FOR THE AVOIDANCE OF DOUBT IT IS HEREBY CLARIFIED THAT THIS LICENSE AGREEMENT
APPLIES TO PLUG-INS, CONNECTORS, EXTENSIONS AND SIMILAR SOFTWARE COMPONENTS
DEVELOPED BY RADWARE THAT CONNECT OR INTEGRATE A RADWARE PRODUCT WITH THE
PRODUCT OF A THIRD PARTY (COLLECTIVELY, “CONNECTORS”) FOR PROVISIONING,
DECOMMISSIONING, MANAGING, CONFIGURING OR MONITORING RADWARE PRODUCTS. THE
APPLICABILITY OF THIS LICENSE AGREEMENT TO CONNECTORS IS REGARDLESS OF WHETHER
SUCH CONNECTORS ARE DISTRIBUTED TO YOU BY RADWARE OR BY A THIRD PARTY PRODUCT
VENDOR. IN CASE A CONNECTOR IS DISTRIBUTED TO YOU BY A THIRD PARTY PRODUCT VENDOR
PURSUANT TO THE TERMS OF AN AGREEMENT BETWEEN YOU AND THE THIRD PARTY PRODUCT
VENDOR, THEN, AS BETWEEN RADWARE AND YOURSELF, TO THE EXTENT THERE IS ANY
DISCREPANCY OR INCONSISTENCY BETWEEN THE TERMS OF THIS LICENSE AGREEMENT AND THE
TERMS OF THE AGREEMENT BETWEEN YOU AND THE THIRD PARTY PRODUCT VENDOR, THE TERMS
OF THIS LICENSE AGREEMENT WILL GOVERN AND PREVAIL. PLEASE READ THE TERMS AND
CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE OPENING THE PACKAGE
CONTAINING RADWARE'S PRODUCT, OR BEFORE DOWNLOADING, INSTALLING, COPYING OR
OTHERWISE USING RADWARE'S STANDALONE SOFTWARE (AS APPLICABLE). THE SOFTWARE IS
LICENSED (NOT SOLD). BY OPENING THE PACKAGE CONTAINING RADWARE'S PRODUCT, OR BY
DOWNLOADING, INSTALLING, COPYING OR USING THE SOFTWARE (AS APPLICABLE), YOU
CONFIRM THAT YOU HAVE READ AND UNDERSTAND THIS LICENSE AGREEMENT AND YOU AGREE
TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT. FURTHERMORE, YOU HEREBY WAIVE
ANY CLAIM OR RIGHT THAT YOU MAY HAVE TO ASSERT THAT YOUR ACCEPTANCE AS STATED
HEREINABOVE IS NOT THE EQUIVALENT OF, OR DEEMED AS, A VALID SIGNATURE TO THIS LICENSE
AGREEMENT. IF YOU ARE NOT WILLING TO BE BOUND BY THE TERMS OF THIS LICENSE
AGREEMENT, YOU SHOULD PROMPTLY RETURN THE UNOPENED PRODUCT PACKAGE OR YOU
SHOULD NOT DOWNLOAD, INSTALL, COPY OR OTHERWISE USE THE SOFTWARE (AS APPLICABLE).
THIS LICENSE AGREEMENT REPRESENTS THE ENTIRE AGREEMENT CONCERNING THE SOFTWARE
BETWEEN YOU AND RADWARE, AND SUPERSEDES ANY AND ALL PRIOR PROPOSALS,
REPRESENTATIONS, OR UNDERSTANDINGS BETWEEN THE PARTIES. “YOU” MEANS THE NATURAL
PERSON OR THE ENTITY THAT IS AGREEING TO BE BOUND BY THIS LICENSE AGREEMENT, THEIR
EMPLOYEES AND THIRD PARTY CONTRACTORS. YOU SHALL BE LIABLE FOR ANY FAILURE BY SUCH
EMPLOYEES AND THIRD PARTY CONTRACTORS TO COMPLY WITH THE TERMS OF THIS LICENSE
AGREEMENT.
1. License Grant. Subject to the terms of this Agreement, Radware hereby grants to you, and you
accept, a limited, nonexclusive, nontransferable license to install and use the Software in
machine-readable, object code form only and solely for your internal business purposes
(“Commercial License”). If the Software is distributed to you with a software development kit
(the “SDK”), then, solely with regard to the SDK, the Commercial License above also includes a
limited, nonexclusive, nontransferable license to install and use the SDK solely on computers
within your organization, and solely for your internal development of an integration or
interoperation of the Software and/or other Radware Products with software or hardware
products owned, licensed and/or controlled by you (the “SDK Purpose”). To the extent an SDK is
distributed to you together with code samples in source code format (the “Code Samples”) that
are meant to illustrate and teach you how to configure, monitor and/or control the Software
and/or any other Radware Products, the Commercial License above further includes a limited,
nonexclusive, nontransferable license to copy and modify the Code Samples and create
derivative works based thereon solely for the SDK Purpose and solely on computers within your
organization. The SDK shall be considered part of the term “Software” for all purposes of this
License Agreement. You agree that you will not sell, assign, license, sublicense, transfer, pledge,
lease, rent or share your rights under this License Agreement nor will you distribute copies of
the Software or any parts thereof. Rights not specifically granted herein, are specifically
prohibited.
2. Evaluation Use. Notwithstanding anything to the contrary in this License Agreement, if the
Software is provided to you for evaluation purposes, as indicated in your purchase order or sales
receipt, on the website from which you download the Software, as inferred from any time-
limited evaluation license keys that you are provided with to activate the Software, or otherwise,
then You may use the Software only for internal evaluation purposes (“Evaluation Use”) for a
maximum of 30 days or such other duration as may be specified by Radware in writing at its sole
discretion (the “Evaluation Period”). The evaluation copy of the Software contains a feature that
will automatically disable it after expiration of the Evaluation Period. You agree not to disable,
destroy, or remove this feature of the Software, and any attempt to do so will be a material
breach of this License Agreement. During or at the end of the evaluation period, you may
contact Radware sales team to purchase a Commercial License to continue using the Software
pursuant to the terms of this License Agreement. If you elect not to purchase a Commercial
License, you agree to stop using the Software and to delete the evaluation copy received
hereunder from all computers under your possession or control at the end of the Evaluation
Period. In any event, your continued use of the Software beyond the Evaluation Period (if
possible) shall be deemed your acceptance of a Commercial License to the Software pursuant to
the terms of this License Agreement, and you agree to pay Radware any amounts due for any
applicable license fees at Radware's then-current list prices.
3. Lab/Development License. Notwithstanding anything to the contrary in this License
Agreement, if the Software is provided to you for use in your lab or for development
purposes, as indicated in your purchase order, sales receipt, the part number description for the
Software, the Web page from which you download the Software, or otherwise, then You may use
the Software only in your lab and only in connection with Radware Products that you purchased
or will purchase (in case of a lab license) or for internal testing and development purposes (in
case of a development license) but not for any production use purposes.
4. Subscription Software. If you licensed the Software on a subscription basis, your rights to use
the Software are limited to the subscription period. You have the option to extend your
subscription. If you extend your subscription, you may continue using the Software until the end
of your extended subscription period. If you do not extend your subscription, after the expiration
of your subscription, you are legally obligated to discontinue your use of the Software and
completely remove the Software from your system.
5. Feedback. Any feedback concerning the Software including, without limitation, identifying
potential errors and improvements, recommended changes or suggestions (“Feedback”),
provided by you to Radware will be owned exclusively by Radware and considered Radware's
confidential information. By providing Feedback to Radware, you hereby assign to Radware all of
your right, title and interest in any such Feedback, including all intellectual property rights
therein. With regard to any rights in such Feedback that cannot, under applicable law, be
assigned to Radware, you hereby irrevocably waive such rights in favor of Radware and grant
Radware under such rights in the Feedback, a worldwide, perpetual royalty-free, irrevocable,
sub-licensable and non-exclusive license, to use, reproduce, disclose, sublicense, modify, make,
have made, distribute, sell, offer for sale, display, perform, create derivative works of and
otherwise exploit the Feedback without restriction. The provisions of this Section 5 will survive
the termination or expiration of this Agreement.
6. Limitations on Use. You agree that you will not: (a) copy, modify, translate, adapt or create
any derivative works based on the Software; or (b) sublicense or transfer the Software, or
include the Software or any portion thereof in any product; or (b) reverse assemble,
disassemble, decompile, reverse engineer or otherwise attempt to derive source code (or the
underlying ideas, algorithms, structure or organization) from the Software, in whole or in part,
except and only to the extent: (i) applicable law expressly permits any such action despite this
limitation, in which case you agree to provide Radware at least ninety (90) days advance written
notice of your belief that such action is warranted and permitted and to provide Radware with an
opportunity to evaluate if the law's requirements necessitate such action, or (ii) required to
debug changes to any third party LGPL-libraries linked to by the Software; or (c) create,
develop, license, install, use, or deploy any software or services to circumvent, enable, modify
or provide access, permissions or rights which violate the technical restrictions of the Software;
(d) in the event the Software is provided as an embedded or bundled component of another
Radware Product, you shall not use the Software other than as part of the combined Product and
for the purposes for which the combined Product is intended; (e) remove any copyright notices,
identification or any other proprietary notices from the Software (including any notices of Third
Party Software (as defined below); or (f) copy the Software onto any public or distributed
network or use the Software to operate in or as a time-sharing, outsourcing, service bureau,
application service provider, or managed service provider environment. Notwithstanding the
foregoing, if you provide hosting or cloud computing services to your customers, you are entitled
to use and include the Software in your IT infrastructure on which you provide your services.
Lastly, if you acquire Software under Radware's Global Elastic License (GEL) model, you commit
to use any such Software only as an Alteon VA on COTS server or on GEL-dedicated hardware
platforms as indicated in the part description of such hardware (be it hardware originally
purchased as GEL-dedicated or later upgraded to be GEL-dedicated). Use of Software under a
GEL model on a non-GEL-dedicated hardware platform is prohibited. If you deploy GEL model
Software on a virtual platform, you can do so without the virtual platform being GEL-dedicated.
It is hereby clarified that the prohibitions on modifying, or creating derivative works based on,
any Software provided by Radware, apply whether the Software is provided in a machine or in a
human readable form. Human readable Software to which this prohibition applies includes
(without limitation) “Radware AppShape++ Script Files” that contain “Special License Terms”. It
is acknowledged that examples provided in a human readable form may be modified by a user.
7. Intellectual Property Rights. You acknowledge and agree that this License Agreement does
not convey to you any interest in the Software except for the limited right to use the Software,
and that all right, title, and interest in and to the Software, including any and all associated
intellectual property rights, are and shall remain with Radware or its third party licensors. You
further acknowledge and agree that the Software is a proprietary product of Radware and/or its
licensors and is protected under applicable copyright law.
8. No Warranty. The Software, and any and all accompanying software, files, libraries, data and
materials, are distributed and provided “AS IS” by Radware or by its third party licensors (as
applicable) and with no warranty of any kind, whether express or implied, including, without
limitation, any non-infringement warranty or warranty of merchantability or fitness for a
particular purpose. Neither Radware nor any of its affiliates or licensors warrants, guarantees, or
makes any representation regarding the title in the Software, the use of, or the results of the
use of the Software. Neither Radware nor any of its affiliates or licensors warrants that the
operation of the Software will be uninterrupted or error-free, or that the use of any passwords,
license keys and/or encryption features will be effective in preventing the unintentional
disclosure of information contained in any file. You acknowledge that good data processing
procedure dictates that any program, including the Software, must be thoroughly tested with
non-critical data before there is any reliance on it, and you hereby assume the entire risk of all
use of the copies of the Software covered by this License. Radware does not make any
representation or warranty, nor does Radware assume any responsibility or liability or provide
any license or technical maintenance and support for any operating systems, databases,
migration tools or any other software component provided by a third party supplier and with
which the Software is meant to interoperate.
This disclaimer of warranty constitutes an essential and material part of this License.
In the event that, notwithstanding the disclaimer of warranty above, Radware is held liable
under any warranty provision, Radware shall be released from all such obligations in the event
that the Software shall have been subject to misuse, neglect, accident or improper installation,
or if repairs or modifications were made by persons other than by Radware's authorized service
personnel.
9. Limitation of Liability. Except to the extent expressly prohibited by applicable statutes, in no
event shall Radware, or its principals, shareholders, officers, employees, affiliates, licensors,
contractors, subsidiaries, or parent organizations (together, the “Radware Parties”), be liable for
any direct, indirect, incidental, consequential, special, or punitive damages whatsoever relating
to the use of, or the inability to use, the Software, or to your relationship with, Radware or any
of the Radware Parties (including, without limitation, loss or disclosure of data or information,
and/or loss of profit, revenue, business opportunity or business advantage, and/or business
interruption), whether based upon a claim or action of contract, warranty, negligence, strict
liability, contribution, indemnity, or any other legal theory or cause of action, even if advised of
the possibility of such damages. If any Radware Party is found to be liable to You or to any third-
party under any applicable law despite the explicit disclaimers and limitations under these
terms, then any liability of such Radware Party, will be limited exclusively to refund of any
license or registration or subscription fees paid by you to Radware.
10. Third Party Software. The Software includes software portions developed and owned by third
parties (the “Third Party Software”). Third Party Software shall be deemed part of the Software
for all intents and purposes of this License Agreement; provided, however, that in the event that
a Third Party Software is a software for which the source code is made available under an open
source software license agreement, then, to the extent there is any discrepancy or inconsistency
between the terms of this License Agreement and the terms of any such open source license
agreement (including, for example, license rights in the open source license agreement that are
broader than the license rights set forth in Section 1 above and/or no limitation in the open
source license agreement on the actions set forth in Section 6 above), the terms of any such
open source license agreement will govern and prevail. The terms of open source license
agreements and copyright notices under which Third Party Software is being licensed to
Radware or a link thereto, are included with the Software documentation or in the header or
readme files of the Software. Third Party licensors and suppliers retain all right, title and interest
in and to the Third Party Software and all copies thereof, including all copyright and other
intellectual property associated therewith. In addition to the use limitations applicable to Third
Party Software pursuant to Section 6 above, you agree and undertake not to use the Third Party
Software as a general SQL server, as a stand-alone application or with applications other than
the Software under this License Agreement.
11. Term and Termination. This License Agreement is effective upon the first to occur of your
opening the package of the Product, purchasing, downloading, installing, copying or using the
Software or any portion thereof, and shall continue until terminated. However, sections 5-15
shall survive any termination of this License Agreement. The Licenses granted under this License
Agreement are not transferable and will terminate upon: (i) termination of this License
Agreement, or (ii) transfer of the Software, or (iii) in the event the Software is provided as an
embedded or bundled component of another Radware Product, when the Software is unbundled
from such Product or otherwise used other than as part of such Product. If the Software is
licensed on subscription basis, this Agreement will automatically terminate upon the termination
of your subscription period if it is not extended.
12. Export. The Software or any part thereof may be subject to export or import controls under
applicable export/import control laws and regulations including such laws and regulations of the
United States and/or Israel. You agree to comply with such laws and regulations, and, agree not
to knowingly export, re-export, import or re-import, or transfer products without first obtaining
all required Government authorizations or licenses therefor. Furthermore, You hereby covenant
and agree to ensure that your use of the Software is in compliance with all other foreign,
federal, state, and local laws and regulations, including without limitation all laws and
regulations relating to privacy rights, and data protection. You shall have in place a privacy
policy and obtain all of the permissions, authorizations and consents required by applicable law
for use of cookies and processing of users' data (including without limitation pursuant to
Directives 95/46/EC, 2002/58/EC and 2009/136/EC of the EU if applicable) for the purpose of
provision of any services.
13. US Government. To the extent you are the U.S. government or any agency or instrumentality
thereof, you acknowledge and agree that the Software is a “commercial computer software” and
“commercial computer software documentation” pursuant to applicable regulations and your use
of the Software is subject to the terms of this License Agreement.
14. Federal Acquisition Regulation (FAR)/Data Rights Notice. Radware's commercial
computer software is created solely at private expense and is subject to Radware's commercial
license rights.
15. Governing Law. This License Agreement shall be construed and governed in accordance with
the laws of the State of Israel.
16. Miscellaneous. If a judicial determination is made that any of the provisions contained in this
License Agreement is unreasonable, illegal or otherwise unenforceable, such provision or
provisions shall be rendered void or invalid only to the extent that such judicial determination
finds such provisions to be unreasonable, illegal or otherwise unenforceable, and the remainder
of this License Agreement shall remain operative and in full force and effect. In any event a
party breaches or threatens to commit a breach of this License Agreement, the other party will,
in addition to any other remedies available to, be entitled to injunction relief. This License
Agreement constitutes the entire agreement between the parties hereto and supersedes all prior
agreements between the parties hereto with respect to the subject matter hereof. The failure of
any party hereto to require the performance of any provisions of this License Agreement shall in
no manner affect the right to enforce the same. No waiver by any party hereto of any provisions
or of any breach of any provisions of this License Agreement shall be deemed or construed
either as a further or continuing waiver of any such provisions or breach waiver or as a waiver of
any other provision or breach of any other provision of this License Agreement.
IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE YOU MUST REMOVE THE
SOFTWARE FROM ANY DEVICE OWNED BY YOU AND IMMEDIATELY CEASE USING THE
SOFTWARE.
COPYRIGHT © 2021, Radware Ltd. All Rights Reserved.
