IMPORTANT NOTICES
The following important notices appear in the original guide in English, French, and German; the French and German versions are given here in English translation.
Important Notices
This guide is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2021. All rights reserved.
The copyright and all other intellectual property rights and trade secrets included in this guide are
owned by Radware Ltd.
The guide is provided to Radware customers for the sole purpose of obtaining information with
respect to the installation and use of the Radware products described in this document, and may not
be used for any other purpose.
The information contained in this guide is proprietary to Radware and must be kept in strict
confidence.
It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without
the prior written consent of Radware.
Important Notice (French version, translated)
This guide is subject to the following conditions and restrictions:
Copyright Radware Ltd. 2021. All rights reserved.
The copyright and all other rights relating to the intellectual property and trade secrets contained in
this guide are the property of Radware Ltd.
This information guide is provided to our customers in the context of the installation and use of the
Radware products described in this document and may not be used for any purpose other than the
one for which it was designed.
The information listed in this document remains the property of Radware and must be kept
confidential.
It is strictly forbidden to copy, reproduce or disclose information contained in this manual without
obtaining the prior written consent of Radware.
Important Note (German version, translated)
This manual is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2021. All rights reserved.
The copyright and all other proprietary rights and trade secrets contained in this manual are the
property of Radware Ltd.
This manual is provided to Radware customers for the sole purpose of supplying information on the
installation and use of the Radware products described in this document. It may not be used for any
other purpose.
The information contained in this manual is the property of Radware and must be treated as strictly
confidential.
It is strictly forbidden to copy, duplicate, reproduce or disclose this manual or parts of it without the
prior written consent of Radware.
Copyright Notices
This product contains the third-party software components included in the following table.
All such third-party software components have been included in this product along with their
respective copyright notices and license terms.
Please refer to the source code of each such software component for its respective copyright notices
and license terms.
Standard Warranty
The following standard warranty appears in the original guide in English, French, and German; the French and German versions are given here in English translation.
Standard Warranty
Radware offers a limited warranty for all its products (“Products”). Radware hardware products are
warranted against defects in material and workmanship for a period of one year from date of
shipment. Radware software carries a standard warranty that provides bug fixes for up to 90 days
after date of purchase. Should a Product unit fail anytime during the said period(s), Radware will, at
its discretion, repair or replace the Product.
For hardware warranty service or repair, the product must be returned to a service facility
designated by Radware. Customer shall pay the shipping charges to Radware and Radware shall pay
the shipping charges in returning the product to the customer. Please see specific details outlined in
the Standard Warranty section of the customer’s purchase order.
Radware shall be released from all obligations under its Standard Warranty in the event that the
Product and/or the defective component has been subjected to misuse, neglect, accident or
improper installation, or if repairs or modifications were made by persons other than Radware
authorized service personnel, unless such repairs by others were made with the written consent of
Radware.
EXCEPT AS SET FORTH ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE) ARE
PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED.
Standard Warranty (French version, translated)
Radware grants a limited warranty for all of its products (“Products”). Radware hardware is
warranted against all material and manufacturing defects for a period of one year from the date of
shipment. Radware software is supplied with a standard warranty consisting of the provision of fixes
for software malfunctions (bugs) for a maximum period of 90 days from the date of purchase. Should
a Product prove defective during the said period(s), Radware will, at its discretion, repair or replace
the Product.
With respect to the warranty for the replacement or repair of hardware, the Product must be
returned to a repairer designated by Radware. The Customer shall bear the cost of shipping the
Product to Radware and Radware shall bear the cost of returning the Product to the customer. Please
consult the specific conditions described in the “Standard Warranty” section of the customer purchase
order.
Radware is released from all obligations under the Standard Warranty in the event that the Product
and/or the defective component has been subject to misuse, neglect, accident or improper
installation, or if the repairs or modifications it has undergone were carried out by persons other than
maintenance personnel authorized by Radware, unless Radware has given its written consent for
such repairs to be carried out by those persons.
EXCEPT IN THE CASES PROVIDED ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND
SOFTWARE) ARE SUPPLIED “AS IS” AND ALL EXPRESS OR IMPLIED WARRANTIES ARE
EXCLUDED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Standard Warranty (German version, translated)
Radware offers a limited warranty for all of its products (“Products”). Radware hardware products
carry a warranty against material and workmanship defects for a period of one year from the
delivery date. Radware software carries a standard warranty for bug fixing for a period of up to 90
days after the date of purchase. Should a Product exhibit a defect within the stated warranty period,
Radware will, at its own discretion, either repair or replace the Product.
For hardware warranty service or repair, the Product must be returned to a service facility
designated by Radware. The customer shall bear the shipping costs for transporting the Product to
Radware; Radware shall bear the cost of returning the Product to the customer. For more precise
details, please refer to the Standard Warranty section of the customer order form.
Radware is released from all obligations under its Standard Warranty if the Product or the defective
part has been misused, neglected in its care, subjected to an accident or improperly installed, or if
repairs or modifications were carried out by persons other than service personnel authorized by
Radware, unless such repairs by said other persons were carried out with the written approval of
Radware.
EXCEPT AS SET OUT ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE) ARE
DELIVERED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT
LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE, ARE EXCLUDED.
Document Conventions
The following describes the conventions and symbols that this guide uses:
Table of Contents
IMPORTANT NOTICES ............................................................................................. 2
Copyright Notices .......................................................................................................... 2
Standard Warranty ........................................................................................................ 4
Limitations on Warranty and Liability ............................................................................. 5
Document Conventions ................................................................................................. 6
DefenseFlow Deployments
This section describes the different DefenseFlow deployments, including:
• Behavioral Detection with Radware's Flow Collector, page 13
Figure 3: Layer 3 to Layer 7 DDoS Service with DefensePro as a Detector (DPaaD) Workflow
As illustrated in Layer 3 to Layer 7 DDoS Service with DefensePro as a Detector (DPaaD) Workflow,
page 14, the required anti-DoS services can support the following scenarios:
• Detection and Mitigation in Tier 2 — The attack is detected by the second tier DefensePro
device. There are two different deployments in this scenario:
— DefensePro Inline — The detection device is inline and can start mitigating the attack
immediately.
— DefensePro in SmarTap mode — The detection device is listening on a tap interface. After
detection, DefenseFlow can divert the traffic so it actually flows through the device for
mitigation.
• Mitigation in Tier 1 — After detection, DefenseFlow can provision mitigation and divert traffic to
mitigation devices in tier 1. There are two deployments in which mitigation devices can be
deployed in tier 1:
— Perimeter Deployment — DefensePro devices are connected directly to the peer routers.
The advantage in this deployment is that the attack traffic is mitigated on the perimeter and
does not enter the core network. The disadvantage is that this deployment mitigates only
attacks coming from outside the network.
— Scrubbing Center — DefensePro devices reside somewhere in the core network connected
to a DDoS router. The scrubbing center can mitigate attacks coming from both outside and
inside the network.
• Blocking of Traffic — Blocking of traffic is usually done on the peer routers. DefenseFlow
supports blocking either with BGP RTBH or with FlowSpec.
DefenseFlow Features
This section describes the main features of DefenseFlow, including:
• DDoS Service Provisioning, page 15
• Statistics Collection, page 18
• Attack Detection, page 19
• Attack Life-Cycle Management, page 22
• Traffic and Attack Monitoring, page 23
Network Components
DefenseFlow requires configured network components in order to perform the detection and control
operations that provide the DDoS prevention service. These include control elements, network
elements, and mitigation devices.
Control Elements
Control elements are other devices and applications that perform control operations in the network
and are integrated into the DefenseFlow service. Typically, each deployment requires a single type of
controller. The following are examples of controllers:
• Radware Flow (xFlow) Collectors — Provide DefenseFlow with the flow statistics required for
Radware's Behavioral DoS detection.
• Third-party Detectors — Provide DefenseFlow with attack detection signaling. You can
integrate DefenseFlow with any third-party detector by uploading a pluggable driver to
DefenseFlow.
Network Elements
Network elements represent the network traffic connectivity. DefenseFlow requires only the
knowledge of the switches and routers in the network that have influence over the traffic flow. These
include:
• Network Tier 1 Peers — The network entry points to the outside world. For Network
Infrastructure protection, these peers can be used for collection of statistics for detection and
blocking or diverting the traffic in case of attack.
• Network Tier 2 Peers — The protected services connection to the network. These peers can
also be used for collection of statistics, diversion and re-injection of cleaned traffic back to the
protected network.
• DDoS routers (scrubbing center routers) — These peers are the connection points to the
mitigation devices.
• Route Reflectors — These are routers that operate as route reflectors for traffic diversion.
• Route Tags — In some networks, route tags are used for clean traffic injection.
Mitigation Devices
DefenseFlow mitigation devices are either DefensePro or other third-party mitigation devices located
in the network and used to detect and/or mitigate attacks on the protected networks:
• DefensePro devices — Both DefenseFlow and DefensePro use the same Behavioral DDoS
detection algorithms, and are fully synchronized. Information sharing and DefenseFlow
mitigation provisioning capabilities enable Layer 3 to Layer 7 detection and immediate mitigation
of attack traffic.
DefenseFlow monitors the health and capacity of the DefensePro devices and manages the
provisioning of the mitigation accordingly to avoid overflow of the mitigation device.
DefenseFlow attack monitoring includes information from both DefenseFlow itself and the
DefensePro devices.
• Third-party mitigation devices — DefenseFlow can use third-party mitigation devices as
targets for attack diversions. DefenseFlow does not configure or monitor these devices.
Service Components
The service components are the protected networks and the security services attached to them. To
simplify the provisioning of security services, DefenseFlow enables security administrators to define
principal security settings once and re-apply them to as many services as required. These include:
security templates, operations, criteria-based workflows, and protected objects.
Workflows
DefenseFlow workflows allow the security operator to predefine their security operation model.
DefenseFlow can provision different services and perform different operations based on defined
criteria. For every protected object, the assigned workflow defines the detection, provisioning, and
mitigation capabilities.
Workflow rules define which operations DefenseFlow should perform on detection, based on entry
criteria, and when to stop them, based on exit criteria.
Detectors
DefenseFlow can aggregate several detection sources for protection of the same service. A list of
detectors can be defined and assigned to a service.
Security Templates
A security template holds all the security settings required by DefensePro mitigation devices for
mitigating attacks on a protected network. It is a configuration file holding the security profiles and
policies, and is configured on DefensePro upon provisioning of detection and/or mitigation, along
with the network classifications on which it should be applied.
Attaching a security template to a protected object creates a security policy instance specific to that
protected object. Once created, changes to the original template do not change the attached policy.
Upon mitigation provisioning, DefenseFlow configures the security policy on the mitigating devices.
At any given time, the number of security policies configured on the mitigation devices is the
number of concurrent provisioned protected objects in the network.
During the life of the mitigation, SOC operators may tune and change the policy according to the
observed attack. The changes made by the operators are saved. Upon termination of mitigation,
DefenseFlow uploads the policy before removing it from the mitigation devices. The uploaded policy
is saved as the protected object's security policy.
A security policy for a protected object can be reset to the original template or replaced with another
template only in peacetime.
You can create new security templates from a saved security policy either on one of the protected
objects or from the APSolute Vision management system repository.
Operations
An operation lets you define a set of actions to perform as a building block for workflows (from
where to redirect, the mitigation devices to use, and so on). While provisioning a specific anti-DoS
service, or provisioning a protected object, you can use an operation as a template to specify the
various actions required for the specific protected object. Using an operation eases the configuration
and the overall actions required for a protected object.
There are two types of operations:
• Mitigation — This operation type can be defined with any subset of the following actions:
— Divert — Divert attack traffic to a mitigation device or a mitigation device group using BGP
and BGP FlowSpec rules.
— Mitigate — Configure the mitigation devices with all relevant information, including black list
and white lists. This is relevant only for DefensePro mitigation devices.
— Clean traffic injection — Configure the mitigation devices to inject the cleaned traffic back
to the protected object. This option is relevant only for DefensePro mitigation devices.
• Traffic Blocking — Traffic Blocking with a FlowSpec operation can be activated manually either
in manual mode or in user-confirmation mode.
The operation is a reusable object. The same operation can be used for as many workflows as
required. Changes to the operation affect all related Protected Objects.
Protected Objects
A protected object is the network or set of network addresses that require protection.
The classification of a protected object is a set of up to 64 IP addresses or IP subnets, with or without
VLANs. The addresses can be IPv4 or IPv6 addresses. The granularity of the defined classification
determines the detection and diversion granularity:
• Behavioral DoS detection — DefenseFlow supports both IPv4 and IPv6. The learned baselines
and detection sensitivity apply to the entire protected object. For up to five (5) protected
objects with granular mitigation, and up to a total of 10,000 IP addresses, DefenseFlow can
perform BDoS detection per /32 host. In case of an attack, traffic is diverted according to the
detected target. You can manually override the diversion granularity to a specific IP address or
a subnet within the protected object.
• DefensePro as a Detector — DefenseFlow configures a policy on the detector device per
protected object. Any action based on detection from the DefensePro device can be performed
per the detection granularity.
• Third-party Detector — Diversion of traffic is performed according to the granularity reported
by the detector. You can manually override the diversion granularity to a specific IP address or a
subnet within the protected object.
Statistics Collection
Statistics collection is used by DefenseFlow to get flow information per protected object for the
Behavioral DoS detection algorithms.
DefenseFlow requires flow statistics on the inbound traffic destined for the protected object. The
flow statistics include both byte count and packet count per the following protocols:
• TCP
• UDP
• ICMP
• Other IP traffic
Attack Detection
DefenseFlow can detect attacks on a protected object in the following ways: Behavioral DDoS
detection, DefensePro as a Detector (DPaaD), third-party detector signaling, and manual thresholds.
Both BDoS detection and threshold detection can be granular or cover the entire protected object.
• SmarTap devices — DefensePro in SmarTap mode can be deployed only in transparent mode
(see DefensePro in SmarTap Mode, page 20). The router's tap port copies all traffic destined
for the protected object. On attack detection, DefenseFlow can divert the attack traffic to
another port of the device for mitigation.
The router configuration should set the tap port to monitor the port towards the protected
object. For example, in an ASR9K router, the configuration would be as follows:
In DefensePro, two port pairs are used. For example, the following is the configuration on the
DefensePro device that matches the above configuration:
— Tap pair — Port 17 and its pair, port 20, which should be up but not connected back to the
network. You can use a plug on the port.
— Diversion pair — In DefensePro in SmarTap Mode, page 20, these are ports 18 and 19. Port
19 should be connected to the downstream router so that the traffic does not go back
through T-0/0/2/3 and get copied again by the tap.
Note: To be able to delegate mitigation from an unmanaged device to another DefensePro device,
the policy name to be delegated must be the name of the protected object.
• Attack and Protected Object URI — These two attributes are used in DefenseFlow as links to
third-party detector management systems.
These attributes are part of the attack_start REST API call. For more information, see the
DefenseFlow REST API Guide.
DefenseFlow can facilitate tight integration of DefensePro mitigation devices with any third-party
detection system that includes basic information regarding the attack type and statistics enabling
immediate mitigation.
Manual Thresholds
DefenseFlow can use manual thresholds to define hard peak limits. Manual threshold detection does
not replace behavioral detection; it complements it. However, manual thresholds, especially granular
thresholds, can replace BDoS. Manual and behavioral detection can operate simultaneously.
Granular Detection
The ability to adjust detection method per protected object networks provides the most flexible and
targeted security solution for Radware’s customers’ networks.
The following detection methods can be used in combination with the external detector and
DefensePro as a Detector methods to create a mixed multiple detectors method for overall protected
object detection:
• BDoS detection on entire protected object networks.
• Granular BDoS detection that can detect BDoS attacks on a specific host.
• Threshold detection on entire protected object networks.
• Granular threshold detection that can detect attacks on a specific host using a given threshold.
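The Statistics Collection, Manual Thresholds and Granular Detection passages above describe per-protected-object byte and packet counters per protocol (TCP, UDP, ICMP, other) and thresholds applied either to the whole object or per /32 host. The following is an added illustration of that logic, not Radware code and not DefenseFlow's detection implementation: it matches constructed flow records against a protected object's classification (up to 64 IPv4/IPv6 networks), aggregates them into the four protocol buckets, and reports object-wide and per-host threshold violations. The prefixes, flow records and limits are constructed sample data.

```python
"""Flow aggregation and manual threshold detection per protected object (added example)."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# The four collection buckets named in the guide.
PROTOCOLS = ("tcp", "udp", "icmp", "other")


def proto_bucket(ip_proto: int) -> str:
    """Map an IP protocol number onto a bucket; ICMPv6 (58) is counted with ICMP."""
    return {6: "tcp", 17: "udp", 1: "icmp", 58: "icmp"}.get(ip_proto, "other")


class ProtectedObject:
    """Classification: up to 64 IPv4/IPv6 addresses or subnets; flows match on destination."""
    MAX_NETWORKS = 64

    def __init__(self, name: str, networks: Iterable[str]):
        nets = [ipaddress.ip_network(n, strict=False) for n in networks]
        if len(nets) > self.MAX_NETWORKS:
            raise ValueError(f"{name}: at most {self.MAX_NETWORKS} networks allowed")
        self.name, self.networks = name, nets

    def contains(self, dst: str) -> bool:
        addr = ipaddress.ip_address(dst)
        return any(addr in net for net in self.networks)  # False across address families


def aggregate(po: ProtectedObject, flows: Iterable[dict]) -> Tuple[dict, dict]:
    """Return (totals, per_host); each value is {proto: {"bytes": n, "packets": n}}.

    totals covers the whole protected object; per_host is keyed by destination
    address, i.e. the /32 (or /128) granularity used for granular detection.
    """
    def empty():
        return {p: {"bytes": 0, "packets": 0} for p in PROTOCOLS}
    totals = empty()
    per_host: Dict[str, dict] = defaultdict(empty)
    for f in flows:
        if not po.contains(f["dst"]):  # only inbound traffic to the object is counted
            continue
        bucket = proto_bucket(f["proto"])
        for counters in (totals, per_host[f["dst"]]):
            counters[bucket]["bytes"] += f["bytes"]
            counters[bucket]["packets"] += f["packets"]
    return totals, dict(per_host)


def check_thresholds(totals, per_host, object_limits, host_limits) -> List[str]:
    """Compare counters to manual peak limits ({proto: max_packets}) and list violations.

    A granular (per-host) limit catches one flooded host even when the
    object-wide counter stays below its own limit.
    """
    hits = []
    for proto, limit in object_limits.items():
        if totals[proto]["packets"] > limit:
            hits.append(f"object:{proto}:{totals[proto]['packets']}>{limit}")
    for host, counters in sorted(per_host.items()):
        for proto, limit in host_limits.items():
            if counters[proto]["packets"] > limit:
                hits.append(f"host:{host}:{proto}:{counters[proto]['packets']}>{limit}")
    return hits


# Constructed sample flow records: destination, IP protocol number, bytes, packets.
SAMPLE_FLOWS = [
    {"dst": "198.51.100.10", "proto": 6, "bytes": 900_000, "packets": 1_500},
    {"dst": "198.51.100.10", "proto": 17, "bytes": 40_000, "packets": 800},
    {"dst": "198.51.100.77", "proto": 17, "bytes": 6_000_000, "packets": 120_000},
    {"dst": "198.51.100.77", "proto": 1, "bytes": 50_000, "packets": 700},
    {"dst": "2001:db8:10::5", "proto": 6, "bytes": 300_000, "packets": 400},
    {"dst": "2001:db8:10::5", "proto": 58, "bytes": 20_000, "packets": 250},
    {"dst": "203.0.113.9", "proto": 17, "bytes": 9_000_000, "packets": 200_000},  # not protected
]


def run_sample() -> List[str]:
    """Aggregate the constructed flows and apply one object-wide and one per-host limit."""
    po = ProtectedObject("web-farm", ["198.51.100.0/24", "2001:db8:10::/64"])
    totals, per_host = aggregate(po, SAMPLE_FLOWS)
    # The object-wide UDP limit is not reached; the per-host limit flags the flooded host.
    return check_thresholds(totals, per_host,
                            object_limits={"udp": 200_000, "tcp": 50_000},
                            host_limits={"udp": 100_000})


if __name__ == "__main__":
    print(run_sample())
```

The flow to 203.0.113.9 is dropped because it falls outside the classification, which is the same reason DefenseFlow asks only for statistics on traffic destined for the protected object.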
Mitigation Selection
Based on specified criteria, DefenseFlow selects the appropriate operation and mitigation devices to
handle each attack, and also updates the BGP FlowSpec rule related to the operation. According to
the operation actions, the mitigation can be performed by a single device or by a group of devices
that can all be provisioned to mitigate the same attack.
In User Confirmation mode and Manual mode, you can choose to override the preferences
selected in the operation and select a different operation with a different mitigation device or group
of mitigation devices.
DefenseFlow checks the selected DefensePro mitigation devices for availability and capacity. A
mitigation device that is not available or has reached its configured capacity limit is not used to
mitigate an attack.
If even one mitigation device is not available, mitigation provisioning for the attack fails. A
protected object in User Confirmation mode remains pending confirmation.
Note: Third-party mitigation devices are not monitored and are used for mitigation even if they are
unavailable.
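The selection rules above have two edge cases worth making explicit: a single unusable DefensePro device fails the whole operation (with the protected object left pending in User Confirmation mode), while third-party devices are never monitored and are used regardless. The following is an added illustration of those rules, not Radware code and not DefenseFlow's selection logic; device names, capacities and load figures are constructed.

```python
"""Mitigation device selection for one attack (added example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class MitigationDevice:
    name: str
    kind: str                   # "defensepro" or "third-party"
    available: bool = True
    capacity_gbps: float = 0.0  # configured capacity limit (DefensePro only)
    load_gbps: float = 0.0      # currently provisioned load (DefensePro only)

    def usable(self) -> bool:
        if self.kind == "third-party":
            return True         # not monitored: used even when unreachable
        return self.available and self.load_gbps < self.capacity_gbps


@dataclass
class Operation:
    name: str
    devices: List[MitigationDevice]  # a single device or a device group


def select_mitigation(op: Operation, mode: str) -> Tuple[str, List[str]]:
    """Return (state, details); state is 'provisioned', 'failed' or 'pending'."""
    unusable = [d.name for d in op.devices if not d.usable()]
    if unusable:
        # One unusable device fails the whole operation. Under User Confirmation the
        # protected object stays pending so an operator can choose another operation.
        state = "pending" if mode == "user-confirmation" else "failed"
        return state, [f"{n} unavailable or at capacity" for n in unusable]
    return "provisioned", [d.name for d in op.devices]


def run_sample() -> dict:
    """Evaluate a healthy group, a group with one saturated device, and the same in User Confirmation."""
    dp1 = MitigationDevice("dp-scrub-1", "defensepro", True, capacity_gbps=40, load_gbps=12)
    dp2 = MitigationDevice("dp-scrub-2", "defensepro", True, capacity_gbps=40, load_gbps=40)
    tp = MitigationDevice("tp-scrubber", "third-party", available=False)  # unmonitored, still used
    return {
        "group_ok": select_mitigation(Operation("divert-pair", [dp1, tp]), "automatic"),
        "group_full": select_mitigation(Operation("divert-group", [dp1, dp2]), "automatic"),
        "confirm": select_mitigation(Operation("divert-group", [dp1, dp2]), "user-confirmation"),
    }


if __name__ == "__main__":
    for label, result in run_sample().items():
        print(label, result)
```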
BGP Redirection
With this method you can use BGP route announcements and also BGP FlowSpec rules. DefenseFlow
natively supports opening BGP peer connections and advertising announcements for both IPv4 and
IPv6. The announcements are sent automatically according to the diverted target and the selected
BGP peer group, and are withdrawn once the mitigation is complete.
DefenseFlow can also add any user-defined communities per protected object configuration.
Injection
DefenseFlow also defines for DefensePro devices where and how to inject the cleaned traffic back to
the appropriate interface in order to reach the protected object, either with a GRE tunnel, a clean
route tag, or into a dedicated IP address.
This option is available only with DefensePro mitigation devices.
Attack Termination
DefenseFlow continuously monitors the state of the attack until it is sure that the protected object is
no longer under attack. Once the attack is terminated, the traffic returns to its normal path and all
configurations are removed from the mitigation devices.
Any changes made to the security policy during the attack are saved to be used in future attacks.
You can initiate termination of mitigation regardless of the attack status observed by DefenseFlow.
Attack termination for the traffic blocking operation should be performed manually.
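The Protected Objects, BGP Redirection and Attack Termination passages together describe a diversion lifecycle: the diverted prefix follows the detected target (or a manual override that must stay within the protected object), an IPv4 or IPv6 announcement with optional user-defined communities goes out to the selected peers, and the announcement is withdrawn when the attack ends. The following is an added illustration of that lifecycle, not Radware code and not DefenseFlow's BGP implementation; the messages are rendered as text modelled on ExaBGP's API syntax (an assumption, not a DefenseFlow interface), and the prefixes, next hops and community values are constructed.

```python
"""Diversion announcement and withdrawal for one attack (added example)."""
import ipaddress
from typing import Iterable, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def host_prefix(addr: str) -> Net:
    """Return the /32 or /128 that covers a single detected target address."""
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_network(f"{a}/{a.max_prefixlen}")


def diversion_target(protected: Iterable[str], detected: str, override: Optional[str] = None) -> Net:
    """Choose the prefix to divert: the manual override if given, else the detected host.

    The override must lie within the protected object's classification; otherwise
    the diversion would attract traffic for networks outside the protected object.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in protected]
    target = ipaddress.ip_network(override, strict=False) if override else host_prefix(detected)
    if not any(target.version == n.version and target.subnet_of(n) for n in nets):
        raise ValueError(f"{target} is outside the protected object")
    return target


def announce(target: Net, next_hop: str, communities: Iterable[str] = ()) -> str:
    """Render the route that diverts the target to the mitigation device (ExaBGP-style text)."""
    nh = ipaddress.ip_address(next_hop)
    if nh.version != target.version:
        raise ValueError("next hop address family must match the diverted prefix")
    comms = " ".join(communities)
    line = f"announce route {target} next-hop {nh}"
    return f"{line} community [{comms}]" if comms else line


def withdraw(target: Net, next_hop: str) -> str:
    """Withdrawal sent on termination so traffic returns to its normal path."""
    return f"withdraw route {target} next-hop {next_hop}"


class Mitigation:
    """Remembers what was announced so termination withdraws exactly that set."""

    def __init__(self):
        self.active: List[Tuple[Net, str]] = []

    def start(self, target: Net, next_hop: str, communities: Iterable[str] = ()) -> str:
        msg = announce(target, next_hop, communities)
        self.active.append((target, next_hop))
        return msg

    def terminate(self) -> List[str]:
        msgs = [withdraw(t, nh) for t, nh in self.active]
        self.active.clear()
        return msgs


def run_sample() -> dict:
    """Divert one IPv4 host and one IPv6 override, reject an out-of-scope override, then terminate."""
    po = ["198.51.100.0/24", "2001:db8:10::/64"]  # constructed protected object
    m = Mitigation()
    v4 = m.start(diversion_target(po, "198.51.100.77"), "192.0.2.1", ["65000:666"])
    v6 = m.start(diversion_target(po, "2001:db8:10::5", override="2001:db8:10::/120"),
                 "2001:db8:ffff::1")
    try:
        diversion_target(po, "198.51.100.77", override="198.51.0.0/16")  # wider than the object
        rejected = None
    except ValueError as e:
        rejected = str(e)
    return {"announce_v4": v4, "announce_v6": v6, "rejected": rejected,
            "withdrawn": m.terminate(), "remaining": len(m.active)}


if __name__ == "__main__":
    for label, result in run_sample().items():
        print(label, result)
```

Keeping the announced set in the Mitigation object is what makes termination safe: every route that was injected for the attack, and only those routes, is withdrawn.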
Software Requirements
The following software is required to use DefenseFlow:
• VMware ESXi 5.x, or KVM 4.4 or above
• Radware DefenseFlow Cyber Control OVA package
• APSolute Vision version 4.40.00 or later
VMware Deployment
This procedure describes how to deploy a single node DefenseFlow using VMware.
3. In the vSphere Client user interface, select File > Deploy OVF Template.
4. In the Deploy OVF Template window, click Browse and select the DFCC OVA package.
5. Click Next.
6. In the OVF Template Details window, click Next.
7. In the End User License Agreement window, scroll down and read all of the terms and
conditions. Click Accept and Next.
8. In the Name and Location window, click Next.
9. In the Disk Format window, click Next.
10. In the Network Mapping window, select the appropriate destination networks for the source
network Management and Control, and then click Next.
11. In the Ready to Complete window, select Power on after deployment and click Finish to
complete the deployment process.
Note: You usually use different destination networks for each interface. For more details on
managing interfaces, see IP Management, page 201.
12. After the deployment process completes successfully, in the Deployment Completed Successfully
dialog box, click Close.
KVM Deployment
This procedure describes how to deploy a single node DefenseFlow using KVM.
This procedure assumes that you know how to deploy an image in KVM. The following libvirt domain definition shows the VM settings used (16 GiB of memory, 4 vCPUs, a qcow2 disk, and two virtio bridge interfaces):
<domain type='kvm'>
  <name>DFC-2.7.0</name>
  <memory unit='KiB'>16777216</memory>
  <currentMemory unit='KiB'>16777216</currentMemory>
  <vcpu placement='static'>4</vcpu>
  <os>
    <type arch='x86_64' machine='pc-i440fx-xenial'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='utc'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='none'/>
      <source file='/var/lib/libvirt/images/DFCC.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='usb' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x2'/>
    </controller>
    <controller type='pci' index='0' model='pci-root'/>
    <interface type='bridge'>
      <source bridge='virbr0'/>
      <model type='virtio'/>
      <driver name='vhost'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </interface>
    <interface type='bridge'>
      <source bridge='virbr0'/>
      <model type='virtio'/>
      <driver name='vhost'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <input type='mouse' bus='ps2'/>
    <input type='keyboard' bus='ps2'/>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <video>
      <model type='cirrus' vram='16384' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </memballoon>
  </devices>
</domain>
Initial Configuration
This procedure describes the initial configuration for a single node DefenseFlow VA.
6. In the Management Network dialog box, select the management type to use and press Enter.
7. In the Management network configuration dialog box, set the required parameters and press
Enter:
— IPv4 Address — IPv4 address of the management port.
— Netmask — Network mask in quad decimal format.
— Gateway — IPv4 address of the relevant gateway.
8. After successful configuration, a confirmation message displays. Press OK and Back to return to
the main menu.
9. From the Cyber Control Host main menu, select System Management and press Enter.
Note: The following devices should have the same time and time zone defined: Radware
Collector, APSolute Vision, DefenseFlow, and the routers.
— Show Time Zone Configuration — Displays the time zone defined on the system. If it is
correct, press Enter.
— Edit Time Zone Configuration — Displays the Choose TimeZone dialog. Select the time
zone you want to change to, and press Enter.
12. When the configuration completes successfully, press Enter when a message similar to the
following displays:
13. From the System Management menu, select NTP Configuration and press Enter.
14. From the NTP configuration menu, select 2, Edit NTP configuration.
15. In the Update NTP dialog, enter up to five NTP server IP addresses, as required, and press
Enter.
16. After successful configuration, a confirmation message displays. Press OK and Back to return to
the main menu.
17. From the Cyber Control main menu, select Application Management and press Enter.
19. In the Remote APSolute Vision System Information dialog, enter the remote APSolute Vision
system management IP address and the root password, and press Enter.
20. A progress bar indicates the remote registration percentage with the message Running
remote registration process. At the end of the registration, after a message similar to
the following displays, press Enter.
Overview
DefenseFlow High Availability increases system stability, and enables service accessibility through
elimination of a single point of failure. When a component fails, DefenseFlow recovers automatically.
The following diagram illustrates the High Availability architecture:
In the DefenseFlow High Availability architecture, there are two identical DefenseFlow nodes: Active
and Standby. Both nodes communicate with each other and maintain full synchronization for both
component state and configuration. The DefenseFlow Active node is continuously accessible using
APSolute Vision for monitoring, configuration, and operation, and continuously syncs the Standby
node.
DefensePro devices serving as detectors (DPaaDs) should be configured to send their syslogs to
both DefenseFlow nodes.
Third-party detectors can transfer new attributes to DefenseFlow upon attack detection using REST
API.
DefenseFlow creates a peer from each Active/Standby node to each router, resulting in two peer
connections for each network element. Each DefenseFlow node sends announcements to the
network element, and as a result the announcements are displayed twice.
Whenever a DefenseFlow node fails, the remaining node continues to communicate with all
registered routers and third-party detectors with zero downtime.
High Availability configuration and setup is accessible via both APSolute Vision and the DefenseFlow
CLI.
Notes: When installing and initializing DefenseFlow High Availability, note the following:
• Both DefenseFlow nodes must have the same software version.
• The control network must be configured on the Standby node.
• Both DefenseFlow nodes must be defined with the same time zone.
The High Availability parameters are as follows:
• Active DefenseFlow Node IP: The Active DefenseFlow device IP address.
• Enable High Availability: Enables or disables High Availability. Select to enable and deselect to
disable High Availability.
Default: Disabled
• Standby DefenseFlow Node IP: The Standby DefenseFlow device IP address. This parameter
displays when you enable High Availability.
• Enable Automatic Failover: Enables automatic failover. This parameter displays when you enable
High Availability.
Default: Enabled (when High Availability is enabled)
With automatic failover, the Active node continuously sends a heartbeat to the Standby node.
When the Standby node determines that the Active node has failed, the Standby node assumes
the role of the Active node and continues to provide network service.
c. Wait until you receive confirmation that enabling or disabling the process has
completed.
Note: Adding a standby node can take several minutes. To view its progress, you
can execute the CLI command dfc-info:progress-list [-refresh 5], where
-refresh is the optional auto-refresh mode.
d. Verify that the nodes display in the Monitoring perspective, System > High
Availability.
• Using the CLI:
a. Add the Standby node using the security management interface IP address with the
following command: dfc-ha:add -standby-ip <IP>
b. Verify that the nodes display with the following command: dfc-info:progress-list
3. From the Application Management menu, select DFC Shell and press Enter.
4. From the DFC shell, enter CLI commands as required at the prompt. For a list of the CLI
commands, see CLI Commands, page 296.
Upgrading DefenseFlow
This section describes how to upgrade DefenseFlow using the DefenseFlow host, and includes the
following sub-sections:
• Upgrade Prerequisites and Notes, page 42
• Upgrading a Single Node Configuration, page 42
• Upgrading a High Availability Configuration, page 45
Note: You can also update DefenseFlow from within APSolute Vision. For more information, see
Software Upgrade, page 200.
Note: APSolute Vision only supports software upgrade. For a full fresh installation, you must use
the DefenseFlow host. For more information, see Installing and Initializing DefenseFlow Virtual
Appliance (VA), page 25.
The Software Upgrade pane displays information for the currently installed DefenseFlow version
and lets you upgrade to the latest DefenseFlow version.
Note: If you have a High Availability deployment, the upgrade procedure upgrades the version
for both DefenseFlow nodes (see Upgrading a High Availability Configuration, page 45).
2. After the upgrade is completed, Radware recommends that you reboot the node to apply the fixes for the following CVEs:
— CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md?fbclid=IwAR3P2bbY_RM9dysAvRM1FLe5zPe-AMlZJ688VXjQGOwLLdPPKqYgxWAwM4c
https://nvd.nist.gov/vuln/detail/CVE-2019-11479
— CVE-2019-5599: SACK Slowness (FreeBSD 12 using the RACK TCP Stack)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md?fbclid=IwAR3P2bbY_RM9dysAvRM1FLe5zPe-AMlZJ688VXjQGOwLLdPPKqYgxWAwM4c
— CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md?fbclid=IwAR3P2bbY_RM9dysAvRM1FLe5zPe-AMlZJ688VXjQGOwLLdPPKqYgxWAwM4c
https://nvd.nist.gov/vuln/detail/CVE-2019-11478
— CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md?fbclid=IwAR3P2bbY_RM9dysAvRM1FLe5zPe-AMlZJ688VXjQGOwLLdPPKqYgxWAwM4c
https://nvd.nist.gov/vuln/detail/CVE-2019-11477
Notes
• If the upgrade is successful, only one version of the previous containers is preserved. Older
images are removed to keep the registry clean and to release disk space.
• If there is any failure during the upgrade, automatic rollback will be performed followed by the
relevant formatted/user-friendly error message being displayed after the rollback output.
• You can run the upgrade multiple times. The actual upgrade is performed only after the first
execution. For all subsequent upgrades, the upgrade process determines whether the upgrade
process is actually required.
Note: Before performing a restore to version 3.6, ensure that you disable REST authentication.
> To remove an upgrade and restore the version from which you upgraded, run the upgrade file
with the remove option: /dfc_upgrade_host.sh remove
Notes
• The restored DefenseFlow installation will include the configuration from that restored version.
• Only new images that were installed on the system after upgrade are removed. If the same
image existed in the system prior to the upgrade, it will remain after running the removal.
• You can run the removal multiple times. For all subsequent removals, the removal process
determines what elements should be removed and removes them as required.
> In the Configuration perspective, select System > Software Upgrade and set the parameters
as required. For more information, see Software Upgrade, page 200.
5. A message displays when you have successfully confirmed the new password.
Note: The user you log in with must have OS read-write permissions.
You can connect to the system either by opening a VA console (see To perform initial
configuration, page 31) or over an SSH connection. To connect to the system by using SSH on a
Linux system, open a terminal and enter the following command:
ssh <user_name>@<dfcc_mgmt_ip>
where
— <dfcc_mgmt_ip> is the IP address of the DFCC system
Note: If you log in through SSH as root, you go directly to the DFCC shell. If you log in as any other user with read-write permissions, you go to the Cyber Control main menu.
2. If you logged in through SSH as a user other than root, from the Cyber Control main menu,
select Drop to Host Shell and press Enter. This opens the DFCC shell.
3. Press Ctrl + D to return to the main menu.
Note: You can create the support file to be sent to Radware Technical Support using APSolute
Vision. This is the preferred method over using the Cyber Control menu. For more information, see
Support File, page 201.
If you have upgrade-related problems, create the support file from the Cyber Control menu, and not
from APSolute Vision. This is because the upgrade-related logs are part of the host, and are not
included by the support file created using APSolute Vision.
— DefenseFlow — The DefenseFlow version, build number, and status (UP or DOWN).
— Host Manager — The Host Manager version, build number and status (UP or DOWN). The
Host Manager includes system-related processes that may affect multiple applications,
including DefenseFlow.
Accessing DefenseFlow
Radware recommends that you access DefenseFlow from within APSolute Vision. For more
information about APSolute Vision, refer to the APSolute Vision User Guide.
This section includes the following topics:
• Opening DefenseFlow, page 52
• Global Management Task Buttons, page 53
Opening DefenseFlow
You open the DefenseFlow panes from the APSolute Vision sidebar menu. This includes:
• The DefenseFlow Security Operations dashboard (see To open the DefenseFlow Security
Operations dashboard, page 52)
• The DefenseFlow Security Settings perspective (see To open the DefenseFlow Security Settings
perspective, page 53)
• The DefenseFlow Configuration perspective (see To open the DefenseFlow Configuration
perspective, page 53)
Upload From
    The location of the backup device configuration file to send.
    Values: Client, Server
File Name
    When uploading from the client system, enter or browse to the name of the configuration file to upload.
    When uploading from the server, select the configuration to upload.

Destination
    Where to export (back up) the device configuration file.
    Values: Client, Server
    • Client — Saves the configuration file as a text file on the client system.
    • Server — Opens the Save As field as a prompt for the file name to be saved on the server.
Save As
    If you are exporting the file to the server, the default name is a combination of the device name and backup date and time. You can change the default name.
Security Operations
The DefenseFlow Security Operations dashboard displays information and statistics for the
DefenseFlow system and the operations on protected objects and activations, for both real time and
historical information.
Note: For optimal viewing of the Security Operations dashboard, Radware recommends setting
your screen resolution as follows:
• On a desktop: 1920x1024
• On a laptop: 1600x900
The dashboard includes the following tabs:
• Protected Objects, page 58
• Activations, page 96
• System, page 110
In addition to these tabs, the Security Operations pane includes the following alerts:
• Pending Actions — At the top-right of the pane, click the Pending Actions button to go
directly to the Confirm Pending Action dialog box. For more information on this dialog box, see
Confirming Pending Actions, page 61.
• System Alert — If there is an element that is down or has an error, the (Alert) icon
displays a red exclamation mark. When this occurs, click the icon and the System tab opens. A
red exclamation mark displays next to the system or systems that have a problem.
Protected Objects
The Protected Objects pane displays monitoring and report metrics that enable you to view and
track real-time and historical information on selected DefenseFlow protected objects and networks.
The Security Operations pane includes the following widgets:
• Operational Status, page 56
• AMS Traffic Statistics, page 57
• Protected Objects, page 58
• Activations, page 98
Operational Status
The Operational Status widget displays the current overall operational status for protected objects
and activations.
An activation or protected object is counted only once. If an activation has two operations (for example, Pending Actions and Active Operations), it is counted once, under the highest-priority status in the following order: Pending, Failed, Active, Provision.
Pending
    Total number of protected objects that have pending actions.
Active
    Total number of protected objects that have successful active operations.
Failed
    Total number of protected objects that have failed.
Provision
    Total number of protected objects that are being provisioned for mitigation.
When you select the Protected Objects operational status display, the Protected Objects widget
displays at the bottom of the pane. The Protected Objects table includes the set of protected objects
and their related information. For more information on the Protected Objects widget, see Protected
Objects, page 58.
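As an added illustration of the counting rule above (example code, not part of the Radware guide), the function below assigns each protected object to exactly one Operational Status bucket using the stated priority, and contrasts it with naive per-operation counting; the protected object names and their operation statuses are constructed.

```python
from collections import Counter

# Priority order the guide states for counting an object only once:
# an object with several operations lands in the highest-priority bucket.
STATUS_PRIORITY = ("Pending", "Failed", "Active", "Provision")
_RANK = {status: i for i, status in enumerate(STATUS_PRIORITY)}


def effective_status(operation_statuses):
    """Return the one bucket an object is counted under, or None.

    Statuses that are not Operational Status buckets (for example
    'Enabled' or 'Disabled' from the Protected Objects table) are ignored.
    """
    candidates = [s for s in operation_statuses if s in _RANK]
    if not candidates:
        return None
    return min(candidates, key=_RANK.__getitem__)


def operational_status_counts(objects):
    """objects: mapping protected-object name -> list of operation statuses.

    Every object contributes at most 1 to the totals, matching the widget.
    """
    counts = {status: 0 for status in STATUS_PRIORITY}
    for statuses in objects.values():
        bucket = effective_status(statuses)
        if bucket is not None:
            counts[bucket] += 1
    return counts


def naive_operation_counts(objects):
    """Per-operation counting, shown only to contrast with the widget rule:
    an object with a pending and an active operation is counted twice here.
    """
    counts = Counter()
    for statuses in objects.values():
        counts.update(s for s in statuses if s in _RANK)
    return {status: counts[status] for status in STATUS_PRIORITY}


# Constructed sample (hypothetical protected objects and operation statuses).
SAMPLE_OBJECTS = {
    "po-web": ["Active", "Pending"],              # counted once, as Pending
    "po-dns": ["Active"],                         # Active
    "po-api": ["Provision", "Active", "Failed"],  # Failed wins over Active/Provision
    "po-lab": ["Disabled"],                       # not an operational bucket
    "po-vpn": ["Provision"],                      # Provision
}

if __name__ == "__main__":
    print("widget:", operational_status_counts(SAMPLE_OBJECTS))
    print("naive: ", naive_operation_counts(SAMPLE_OBJECTS))
```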
Inbound to Mitigation Device
    Incoming traffic for mitigation, in bits per second or packets per second.
Dropped by Mitigation
    Incoming traffic dropped by mitigation, in bits per second or packets per second.
Clean Traffic
    Clean traffic re-injected after mitigation, in bits per second or packets per second.
1. At the top right-hand side of the widget, click the clock icon.
2. Do one of the following:
— Select one of the following preset ranges (Quick Range):
Protected Objects
The Protected Objects table includes the set of protected objects and their related information:
Status
    The status of the protected object.
    Depending on the status, you can perform actions on the protected object. For procedures for performing actions on protected objects, see Performing Actions on Protected Objects, page 61.
    Statuses include:
    • Pending — There are pending actions to be performed for protected objects in User Confirmation mode.
    • Active — The operation associated with the protected object succeeded.
    • Failed — The operation associated with the protected object failed.
    • Provision — The protected object is being provisioned for mitigation.
    • Enabled — The protected object has been enabled.
    • Disabled — The protected object has been disabled.
Name
    The name of the protected object.
Protected Networks
    The protected object networks. For multiple networks, left-click the search icon to the right of the word “Multiple” to see the list of networks.
Activations
    The number of activations related to the protected object.
Inbound traffic (Mbits/s)
    The average incoming traffic bandwidth for mitigation in Mbits per second.
Inbound Packets (packets/s)
    The average incoming traffic to mitigation in packets per second.
Dropped Traffic (Mbits/s)
    The average incoming traffic that was dropped in Mbits per second, and the percentage of the total incoming traffic that was dropped.
Dropped Packets (packets/s)
    The average incoming traffic to mitigation that was dropped in packets per second, and the percentage of the total incoming traffic packets that was dropped.
Start Time
    The time the operations were activated for this protected object.
Duration
    The amount of time the protected object is active.
Workflow
    The workflow associated with the protected object.
Description
    Description of the protected object.
Actions you can perform from the Protected Objects table include:
• Changing the Display of the Protected Objects Table, page 59
• Performing Actions on Protected Objects, page 61
• Viewing Protected Objects Details, page 66
Note: Only those selected parameters that are currently visible in the Protected
Objects table are considered in the search.
• Protected Object Name
• Protected Object Description
• Protected Object Status
• Protected Object Workflow
• Protected Object Network
• Activations
• Start Time (By Day)
• Attack Destination
• Detection ID
• Source Network
• Detector Name
• Detector Type
• Source Port
• Destination Port
• Protocol
• Information
• Operation Type
• Mitigation Device/Group
• Network Element/Group
• Mitigation Status
• Operation Networks
b. In the parameter data-entry field, enter the string for which you want to search.
Note: If the data-entry fields extend past the boundaries of the Search/Filter field, to scroll
between the data-entry fields, hover the mouse over one of the data-entry fields, hold down the
Shift key, and scroll to either horizontal direction with the mouse scroll wheel.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in descending order. Select the up arrow to sort in
ascending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
To confirm actions
1. If you selected Confirm Pending, the Pending Action dialog box displays with a table of the
pending actions related to the protected object:
Protected Object
    The protected object name.
Activation ID
    The unique activation ID for the detection events and operations. This ID remains with the activation record for the record’s entire lifetime.
Detection ID
    The unique attack ID for the attack. This ID remains with the attack record for the record’s entire lifetime. This attack ID is internal to DefenseFlow and not related to any external IDs associated with the attack.
Attack Destination
    The IP address of the attack destination.
Pending Action
    Actions you can perform on the protected object.
    • Advanced Confirm — Opens the Advanced Confirm dialog box. This lets you refine the parameters for confirming the pending action. For more information, see Advanced Confirm Parameters, page 63.
    • Ignore All — Ignore all pending actions and remove them from the pending actions table.
— Perform one of the following actions on the individual pending action:
a. Search — Search for the protected object on which you want to perform the action.
b. In the Pending Action column, perform one of the actions as required (Confirm Start,
Advanced Confirm, Ignore).
c. If you are performing an Advanced Confirm, go to step 3.
Note: If the protected object is under protection, and you modify an attribute that conflicts
with the ongoing protection, the change is performed only at the next activation of the
protected object.
If you want a modification that affects an ongoing protection to take effect immediately, you
can make this modification from the Edit feature in the Full View pane. For more
information, see Table 14 - Full View Parameters — Current Detection Events and Operations
on Protected Objects, page 69.
3. If you selected Advanced Confirm, the Advanced Confirm dialog box displays with the following parameters. Configure the parameters as described below and click Submit.
Name
    The pending action name.
IP Address
    The IP address of the attacked destination as detected by the selected detection device.
Configured Operation
    The configured operation for the protected object.
Workflow
    The workflow associated with the protected object.
Action
    The action to take on the pending action:
    • Ignore — Ignore a pending action and remove it from the pending actions table.
    • Confirm Start — To confirm start of a pending action. For the Confirm Start parameters, see Table 10 - Advanced Confirm — Confirm Start Parameters, page 63.
    • Confirm End — To confirm ending a protection.
Protected IP Address
    Select one of the following options:
    • Activate Entire Networks — This activates the entire protected object.
    • Activate Specific IP Address — This activates only a specified IP address, which you change to any IP address or subnet as required.
Attack Destination IP Address
    This parameter displays if you selected the Activate Specific IP Address parameter. This is the specific IP address attack target to be protected. This must be within the network classification of the protected object.
Operation
    The operation to use for diversion and mitigation groups preferences. Select from the list of configured operations. The fields related to the operation type display.

Configured Operation
    The configured operation for the protected object.
Workflow
    The workflow associated with the protected object.
Action
    The action to take on the pending action:
    • Ignore — Ignore a pending action and remove it from the pending actions table.
    • Confirm Start — Confirm starting a pending action. The Confirm Start parameters display (see starting with the next entry in this table).
    • Confirm End — Confirm ending a protection.
Attack Traffic
    Specify the attack traffic (bits per second). You can also specify units (for example, 100M). This is used for verifying that the mitigation devices can handle the related attack traffic. This is also used to set the DefensePro policy bandwidth if there is not any BDoS bandwidth ready yet.
Use Busy Mitigation Device
    If selected, DefenseFlow uses the selected DefensePro devices regardless of their monitored capacity.
BGP Community
Operation BGP Community
    The BGP community values to be sent to the diversion groups that should receive them per the operation. Multiple communities can be configured separated by a space.
    In addition, well-known communities can also be defined, including: NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, NOPEER
Use Protected Object Community
    Whether to add the protected object’s defined community in the announcement to the blocking group.
    When you select this parameter, the Protected Object Community parameter displays.
Advanced
Minimum IPv4 Advertised Subnet
    The minimum IPv4 Advertised Subnet.
    Default: 32
Minimum IPv6 Advertised Subnet
    The minimum IPv6 Advertised Subnet.
    Default: 128
Override IPv4 Next Hop
    Override the IPv4 Next Hop IP address.
Override IPv6 Next Hop
    Override the IPv6 Next Hop IP address.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in descending order. Select the up arrow to sort in
ascending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Available Protected Networks
    Protects a specific IP address or set of addresses within the protected object. Specify the specific IP address attack targets or select from the list. They must be within the network classification of the protected object.
    To protect all networks in the protected object, select Select All.
    Maximum number of protected IP addresses: 1024
2. Click Activate.
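As an added example (not Radware's code), the following validates a Confirm Start request against the rules stated in the Advanced Confirm and Available Protected Networks tables above: each attack destination must lie within the protected object's networks, at most 1024 addresses may be protected, the attack traffic accepts a unit suffix such as 100M, and the BGP community string is space separated with the four well-known names allowed. The numeric values for the well-known communities are those of RFC 1997 and RFC 3765; widening a host route to a coarser Minimum Advertised Subnet is this example's reading of that parameter, and the sample protected object networks are constructed.

```python
import ipaddress
import re

MAX_PROTECTED_ADDRESSES = 1024  # guide: Maximum number of protected IP addresses

# Well-known communities the guide lists, with their RFC 1997 / RFC 3765 values.
WELL_KNOWN_COMMUNITIES = {
    "NO_EXPORT": "65535:65281",
    "NO_ADVERTISE": "65535:65282",
    "NO_EXPORT_SUBCONFED": "65535:65283",
    "NOPEER": "65535:65284",
}
_COMMUNITY_RE = re.compile(r"^(\d{1,5}):(\d{1,5})$")
_TRAFFIC_RE = re.compile(r"^(\d+(?:\.\d+)?)([KMG]?)$")
_UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}


def parse_attack_traffic(text):
    """'100M' -> 100_000_000 bits per second; a bare number is taken as bps."""
    m = _TRAFFIC_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"attack traffic not understood: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_communities(text):
    """Space-separated communities; well-known names become numeric values."""
    result = []
    for token in text.split():
        if token in WELL_KNOWN_COMMUNITIES:
            result.append(WELL_KNOWN_COMMUNITIES[token])
            continue
        m = _COMMUNITY_RE.match(token)
        if not m or int(m.group(1)) > 65535 or int(m.group(2)) > 65535:
            raise ValueError(f"invalid BGP community: {token!r}")
        result.append(token)
    return result


def announced_prefix(target, min_v4=32, min_v6=128):
    """Prefix to announce for one attack destination.

    A target is announced as a host route unless the configured minimum
    advertised subnet is coarser (assumption: the /32 or /128 is widened).
    """
    addr = ipaddress.ip_address(target)
    host_len, min_len = (32, min_v4) if addr.version == 4 else (128, min_v6)
    return str(ipaddress.ip_network(f"{addr}/{min(host_len, min_len)}", strict=False))


def validate_advanced_confirm(protected_networks, targets, attack_traffic,
                              communities="", min_v4=32, min_v6=128):
    """Check a Confirm Start request; returns a dict with 'ok' and 'errors'."""
    errors = []
    networks = [ipaddress.ip_network(n) for n in protected_networks]
    if len(targets) > MAX_PROTECTED_ADDRESSES:
        errors.append(f"{len(targets)} targets exceed the {MAX_PROTECTED_ADDRESSES} limit")
    announcements = []
    for target in targets:
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            errors.append(f"not an IP address: {target!r}")
            continue
        # Mixed IPv4/IPv6 membership tests are simply False in ipaddress.
        if not any(addr in net for net in networks):
            errors.append(f"{target} is outside the protected object's networks")
            continue
        announcements.append(announced_prefix(target, min_v4, min_v6))
    bps = None
    try:
        bps = parse_attack_traffic(attack_traffic)
    except ValueError as exc:
        errors.append(str(exc))
    comms = []
    try:
        comms = parse_communities(communities)
    except ValueError as exc:
        errors.append(str(exc))
    return {"ok": not errors, "errors": errors, "announcements": announcements,
            "attack_bps": bps, "communities": comms}


# Constructed sample protected object (documentation address ranges).
SAMPLE_NETWORKS = ["203.0.113.0/24", "2001:db8:10::/48"]

if __name__ == "__main__":
    print(validate_advanced_confirm(SAMPLE_NETWORKS, ["203.0.113.10"],
                                    "100M", "65000:100 NO_EXPORT"))
```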
1. Click the (Details) widget at the left end of the protected object row.
2. The following parameters display:
Show By Detection Events
Activation ID
    The unique activation ID for the detection events and operations. This ID remains with the activation record for the record’s entire lifetime.
Detection ID
    The unique attack ID for the attack operation. This ID remains with the attack record for the record’s entire lifetime.
Attack Destination
    The IP address of the attacked destination as detected by the selected detection device. For multiple networks, left-click the search icon to the right of the word “Multiple” to see the list of networks.
In Grace Period
    The attack grace period status.
    Values: Yes, No
Start Time
    Start time of the attack.
Duration
    Duration of the attack.
Detector Name/Type
    The name and type of the detecting device.
Attack Traffic (Mbits/s)
    The last reported total amount of incoming traffic reported by the detection device, in Mbits per second.
Attack Packet Rate (packets/s)
    The last reported number of incoming packets per second reported by the detection device.
Protocol
    The protocol of the incoming traffic.
Information
    Details about the attack.
Source Network
    The source network IP addresses and ranges (CIDRs).
Source Port
    The source port.
Destination Port
    The destination port.
Show By Operations
Mitigation Status
    The status of the operation.
Activation ID
    The unique activation ID for the detection events and operations. This ID remains with the activation record for the record’s entire lifetime.
Operation ID
    The operation ID for the attack operation.
Start/Stop
    The action to perform on the operation based on the status.
1. Click the (Full View) widget at the left end of the protected object row.
The following parameters display:
Protected Object Full View
Status
    The status of the protected object.
Protected Networks
    The IP address of the attacked destination as detected by the selected detection device. For multiple networks, left-click the search icon to the right of the word “Multiple” to see the list of networks.
Activations
    The number of activations for the protected object.
Incoming Traffic (Mbits/s)
    The average incoming traffic for mitigation in Mbits per second.
Dropped Traffic (Mbits/s)
    The average incoming traffic that was dropped in Mbits per second, and the percentage of the total incoming traffic that was dropped.
Incoming Packets (packets/s)
    The average incoming traffic to mitigation in packets per second.
Dropped Packet Rate (packets/s)
    The average incoming traffic to mitigation that was dropped in packets per second, and the percentage of the total incoming traffic packets that was dropped.
Start Time
    Time when the protected object became active.
Duration
    The amount of time the protected object is active.
AMS Traffic Statistics
    The AMS Traffic Statistics graph displays the current or historical traffic statistics based on which display you have selected (see Current, Historical, Log below in this table).
    Inbound to Mitigation Device: Incoming traffic for mitigation, in bits per second or packets per second.
    Dropped by Mitigation: Incoming traffic dropped by mitigation, in bits per second or packets per second.
    Clean Traffic: Clean traffic re-injected after mitigation, in bits per second or packets per second.
Current, Historical, Log
    The list of current and historical attacks and operations, and the attack event log. Click the respective button for each of these lists.
    • For the current attack and operation lists, see Full View Parameters — Current Detection Events and Operations on Protected Objects, page 69
    • For the historical attack and operation lists, see Full View Parameters — Historical Detection Events and Operations for Protected Objects, page 80
    • For the protected object event log, see Full View Parameters — Log, page 89
2. The following are navigational actions you can perform in the Full View pane:
— To exit the Full View pane, click the button at the top left edge of the pane.
— To expand the Protected Objects widget display, click the button. The Protected Objects widget expands and the AMS Traffic Statistics widget is hidden.
— To compress the Protected Objects widget, click the button; the AMS Traffic Statistics widget displays again.
— To change the time range for the AMS Traffic Statistics widget, click the clock icon. For
more information, see To change the time range in the graph display, page 57.
Full View Parameters — Current Detection Events and Operations on Protected Objects
The following are the parameters for the Full View Current Detection Events and Operations for
protected objects.
Table 14: Full View Parameters — Current Detection Events and Operations on Protected Objects
Current Detection Events — List of current detection events
In the Search field above the table, enter a string to search for a current detection event.
Action Type
    The last action value received from the mitigation device for the protected object.
    Note: This parameter is only supported starting with version 4.2. If an event existed before upgrading to version 4.2, the event does not display a value.
    Values:
    • Forward — DefensePro continues to process the traffic and eventually forwards the packet to its destination.
    • Drop — DefensePro discards the packet.
    • Source Reset — DefensePro sends a TCP-Reset packet to the packet source IP address.
    • Dest Reset — DefensePro sends a TCP-Reset packet to the destination IP address and port.
    • Source Dest Reset — DefensePro sends a TCP-Reset packet to both the packet source IP and the packet destination IP address.
    • Proxy
    • Challenge — DefensePro challenges the packet.
    • Quarantine — DefensePro adds the destination to the Web quarantine.
    • Drop and Quarantine — DefensePro discards the traffic and adds the destination to the Web quarantine.
    • HTTP 200 OK — DefensePro sends a 200 OK response using a predefined page and leaves the server-side connection open.
    • HTTP 200 OK Dest Rest — DefensePro sends a 200 OK response using a predefined page and sends a TCP-Reset packet to the server side to close the connection.
    • HTTP 403 Forbidden — DefensePro sends a 403 Forbidden response using a predefined page and leaves the server-side connection open.
    • HTTP 403 Forbidden Reset Dest — DefensePro sends a 403 Forbidden response using a predefined page and sends a TCP-Reset packet to the server side to close the connection.
    • External Event — External event from an external detector.
    Note: No detailed information is received when the mitigation device is an external detector. In this case, the Information field displays as N/A.
Attack Destination
    The IP address of the attacked destination as detected by the selected detection device. For multiple networks, left-click the search icon to the right of the word “Multiple” to see the list of networks.
Start Time
    Start time of the attack.
Duration
    Duration of the attack.
Detector Name/Type
    The detector name and type.
Information
    Click the icon to see the attack details of the detection event.
    When the attack details of the detection event display, you can click the icon to see the attack description.
    Note: During the import of a security policy, DefensePro does not override the attacks in the SYN profile.
    Detection Event Traffic Display
    Graphically displays the detection event legitimate and total traffic over time for Behavioral DoS (BDoS) or DNS Flood attacks, as appropriate.
    Select the type of traffic to display:
    • IPv4 or IPv6 — IP traffic type (for BDoS or DNS Flood attacks, as appropriate).
    • bps or pps — Bits per second/packets per second (for BDoS attacks).
    • Inbound or Outbound — Inbound/outbound traffic (for BDoS attacks).
    BDoS TCP example:
Additional Attack Attributes (Information, continued)
Additional attack attributes for BDoS, DNS Flood, SYN Flood, Anti-Scanning, Intrusions, Traffic Filters, Out-of-State (Anomalies), DoS Shield, Geolocation, EAAF-ERT, and HTTPS Flood Protection attacks.
• Risk — The predefined attack severity level.
Values: High, Medium, Low, Info
• Radware ID — The DefensePro Attack-Protection identifier issued by the
device.
• Direction (In/Out) — The direction of the attack, inbound or outbound.
Values: in, out
• Action Type — The last action value received from the mitigation device for the
protected object. See the Action parameter described in this table.
• Attack ID — Unique ID of the attack.
• Physical Port — The port on the device at which the attack packets arrived. In
cases when the DefensePro mitigation device cannot report a specific value,
the field displays 0 (zero) or Multiple.
• Total Packet Count — The number of identified attack packets from the
beginning of the attack.
• VLAN — The VLAN tag value or Context Group in the policy that handled the
attack. The value N/A or 0 (zero) in this field indicates that the VLAN tag or
Context Group is not available.
• MPLS RD — The Multi-protocol Label Switching Route Distinguisher in the
policy that handled the attack. The value N/A or 0 (zero) in this field indicates
that the MPLS RD is not available.
• Source Port — The Layer 4 source port of the attack.
• Packet Type — The detection event packet type.
Characteristics (Information, continued)
BDoS attacks:
• State — The state of the protection process.
Values:
— Footprints Analysis — Behavioral DoS Protection has detected an attack
and is currently determining an attack footprint.
— Blocking — Behavioral DoS Protection is blocking the attack based on the
attack footprint created. Through a closed feedback loop operation, the
Behavioral DoS Protection optimizes the footprint rule, achieving the
narrowest effective mitigation rule.
— Non-attack — Nothing was blocked because the traffic was not an attack —
no footprint was detected or the blocking strictness level was not met.
— footprint analysis — BDoS protection has detected an attack and is
currently generating an attack footprint.
— footprint-applied — BDoS protection is blocking the attack based on the
generated footprint. Through a closed-feedback loop operation, BDoS
protection optimizes the footprint rule, achieving the narrowest effective
mitigation rule.
• Flow Label — (IPv6 only) The flow label that the attack uses or used.
• TCP Sequence Number — The TCP sequence number that the attack uses or
used.
• ToS — The ToS that the attack uses or used.
• TTL — The TTL that the attack uses or used.
The following parameters are only relevant when the State is burst-footprint-
blocking:
• Burst Occurring Now — Values: Yes, No
• Current Burst Number — The number of bursts since start of the attack.
• Average Burst Duration — The average duration, in hh:mm:ss format, of the
bursts.
• Average Time Between Bursts — The average time, in hh:mm:ss format,
between separate bursts.
• Average Burst Rate — The average rate, in Kbps, of the bursts.
• Max. burst Rate — The rate, in Kbps, of the biggest burst in this attack.
Characteristics (Information, continued)
DNS Flood attacks:
• TTL — The TTL that the attack uses or used.
• DNS Query — The DNS query that the attack uses or used.
• DNS An Query Count — The DNS An query count that the attack uses or used.
• DNS ID — The DNS ID that the attack uses or used.
• DNS Query Count — The DNS query count that the attack uses or used.
• L4 Checksum — The L4 checksum that the attack uses or used.
• State — The state of the protection process.
Values:
— Normal
— Real-Time Signature Analysis
— Blocking
— Real-Time Signature Challenge
— Real-Time Signature Rate Limit
— Collective Challenge
— Collective Rate Limit
— Anomaly
— Strictness Anomaly
SYN Flood attacks:
• Attack Rate (pps) — The average rate of spoofed SYNs and data connection
attempts per second, calculated every 10 seconds.
• Attack Duration (Hour:Min:Sec) — The duration, in hh:mm:ss format, of the
attack on the protected port.
• Activation Threshold — The configured attack trigger threshold, in half
connections per second.
• TCP Challenge — The Authentication Method that identified the attack:
Transparent Proxy or Safe-Reset.
• TCP Auth. List (%) — The current utilization, in percent, of the TCP
Authentication table.
• HTTP Challenge — The HTTP Authentication Method that identified the attack:
302-Redirect or JavaScript.
• HTTP Auth. List (%) — The current utilization, in percent, of the HTTP
Authentication table.
Anti-Scanning attacks:
• Avg. Time Between Probes (sec) — The average time, in seconds, between
scan events.
• Number of Probes — The number of scan events from the time the attack
started.
• Action Reason — Values:
— Configuration — The action is (or was) according to the value in the Action
field in the Anti-Scanning profile.
— Footprint-accuracy-level — There is (or was) insufficient data for a
footprint, because the Include in the Footprint More than Source IP
Address and Protocol option is enabled in the Anti-Scanning profile.
— Multiple-probed-ports — Port scans are (or were) monitored only (not
blocked), because the Monitor but Do Not Block Port Scans option is
enabled in the Anti-Scanning profile.
• Blocking Duration (sec) — The blocking duration, in seconds, of the attacker
source IP address.
• Estimated Release Time — The estimated release time of attacker in local
time.
Intrusions or DoS Shield attacks, as appropriate:
• Current Packet Rate [Packet/Sec] — The current packet rate.
• Average Packet Rate [Packet/Sec] — The average packet rate.
• Attack Duration — The duration of the attack.
• Protected Host — The protected host.
Traffic Filter attacks:
• Filter Name — The name of the Traffic Filter that matched the traffic.
• Filter ID — The Radware ID of the Traffic Filter that matched the traffic.
Note: The ID is a hyperlink to the configuration of the Traffic Filter.
• Attack Rate (pps) — The rate, in packets/second, of packets that match or
matched the Traffic Filter.
HTTP Flood Protection attacks:
• Detection Method — The method that the module used to detect the attack,
for example: By Rate of HTTPS Requests.
• Mitigation Method — The method that the module used to mitigate the attack,
for example: Rate-Limit Suspected Attackers.
• Authentication Method — The Authentication Method that the module used, for
example: 302 Redirect.
• Total Suspect Sources — The total number of suspect sources, from the start
of the attack.
• Total Req. Challenged — The total number of requests challenged, from the
start of the attack.
• Total Sources Challenged — The total number of sources challenged, from the
start of the attack.
• Total Sources Authenticated — The total number of sources authenticated,
from the start of the attack.
• Total Attackers Sources — The total number of attacker sources, from the start
of the attack.
• Auth List Util. — The utilization, in percent, of the Authentication List, from the
start of the attack.
• Req. Per Sec — Requests per second.
• Transitory Baseline Value
• Transitory Attack Edge Value
• Long Term Trend Baseline
• Long Term Trend Attack Edge
Real-Time Signature
The latest real-time BDoS, DNS Flood, or Anti-Scanning signature for the
detection event (if relevant to the operation), including the operation’s signature
parameters and their values, the boolean relationship between the parameters,
and, if there are multiple signatures for the same operation, the number of
signatures.
For example:
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Detection ID The detection control element.
In Grace Period The attack grace period status.
Values: Yes, No
Attack Traffic The last reported total amount of incoming traffic in Mbits per second.
Attack Packet Rate The last reported number of incoming packets per second.
Filter
Click the (Filter) icon to display the operations related to the attack in the
Current Operations table.
View Additional Parameters
Click the icon at the left end of the protected object row to see parameters
that are not displayed in the table.
Max Volume (packet/s) Maximum volume in packets per second.
Max Volume (Mbits/s) Maximum volume in Mbits per second.
Attack Packet Rate (packets/s) Attack packet rate, packets per second.
Attack Traffic (Mbits/s) Maximum attack traffic, megabits per second.
Detection Name The detection control element.
Protocol The protocol of the incoming traffic.
Operations — List of current operations
In the Search field above the table, enter a string to search for a current operation:
Mitigation Status The status of the operation.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Operation ID The operation ID for the attack operation.
Start/Stop The pending action waiting for confirmation.
Values:
Mitigation Device/Group The mitigation device or group name.
Network Element/Group The network elements or network element group for the protection.
Capture
To see Packet Capture details for the protected object, click the (Capture)
widget. The Packet Viewer dialog box displays.
For a description of the Packet Viewer parameters, see Packet Viewer, page 90.
Edit
To edit operation details for the protected object, click the (Edit) button. The
Operation Details dialog box displays.
After you edit any of the details, click Apply.
For a description of the Operation Details parameters, see Table 15 - Edit
Operation Details Parameters, page 80.
View Additional Parameters
Click the icon at the left end of the protected object row to see parameters
that are not displayed in the table.
User Action Mode The enter activation mode.
Values: Automatic, Manual, User Confirmation
Enter User Action Mode The enter activation mode.
Values: Automatic, Manual, User Confirmation
Mitigation Device/Group The mitigation device or group name.
Exit Criteria The workflow exit criteria associated with the operation.
Enter Criteria The workflow enter criteria associated with the operation.
Workflow The workflow associated with the protected object.
Start Time Start time of the attack.
Policy Name The policy name for this protection activation.
Row Description
Operation Details of the operation, including:
• Description — Description of the operation.
• Operation Type — The type of operation. Values: Mitigation, Traffic Blocking,
Custom
• Diversion Protocol — The diversion protocol. Values: BGP, BGP FlowSpec
Mitigation Group Details of the mitigation devices with the mitigation group associated with the
operation, including:
• Name — The name of the mitigation device.
• Operational Status — The operational status of the mitigation device.
• CPU Utilization — Percent of the CPU utilization of the mitigation device.
• BW Utilization (GBPS) — Percent of the bandwidth utilization of the mitigation
device.
• Policies Utilization — Percent of the policies table utilization of the mitigation
device.
• Filter List Utilization — Percent of filter list utilization of the mitigation device.
• Managed — Whether the mitigation device is managed.
Values: true, false
• Platform Name — Platform name of the mitigation device.
• Geo Feed Status — The status of the Geolocation Feed on the DefensePro
mitigation device (active, inactive).
• Update Time — Last monitored update time.
• Last Error — The last device access error that was issued.
Allowlist/Blocklist If you want to associate a blocklist and/or allowlist to the operation, select them
from the drop-down lists.
Geolocation If you want to temporarily override the current geoblocking settings for this
operation for the duration of the protection, select a geolocation or Geolocation
feed group to block or allow, then select the override action:
• Block — Block the selected geolocation or Geolocation feed group.
• Allow — Allow the selected geolocation or Geolocation feed group (default).
DNS Allowlist If you want to associate a DNS allowlist to the operation, select one from the
drop-down list, or click the Upload icon to upload a file with a DNS allowlist
not on the list.
If you want to see the contents of a DNS allowlist, select one from the drop-down
Full View Parameters — Historical Detection Events and Operations for Protected Objects
The following are the full view Historical Detection Events and Operations for protected objects.
Table 16: Full View Parameters — Historical Detection Events and Operations for Protected
Objects
Parameter Description
Detection Events — List of historical detection events on the protected object.
In the Search field above the table, enter a string to search or filter the number of table entries.
The string applies to all fields.
Action Type The last action value received from the mitigation device for the protected object.
Note: This parameter is only supported starting with version 4.2. If an event
existed before upgrading to version 4.2, the event does not display a value.
Values:
• Forward — DefensePro continues to process the traffic and eventually forwards
the packet to its destination.
• Drop — DefensePro discards the packet.
• Source Reset — DefensePro sends a TCP-Reset packet to the packet source IP
address.
• Dest Reset — DefensePro sends a TCP-Reset packet to the destination IP
address and port.
• Source Dest Reset — DefensePro sends a TCP-Reset packet to both the packet
source IP and the packet destination IP address.
• Proxy
• Challenge — DefensePro challenges the packet.
• Quarantine — DefensePro adds the destination to the Web quarantine.
• Drop and Quarantine — DefensePro discards the traffic and adds the
destination to the Web quarantine.
• HTTP 200 OK — DefensePro sends a 200 OK response using a predefined page
and leaves the server-side connection open.
• HTTP 200 OK Dest Reset — DefensePro sends a 200 OK response using a
predefined page and sends a TCP-Reset packet to the server side to close the
connection.
• HTTP 403 Forbidden — DefensePro sends a 403 Forbidden response using a
predefined page and leaves the server-side connection open.
• HTTP 403 Forbidden Reset Dest — DefensePro sends a 403 Forbidden response
using a predefined page and sends a TCP-Reset packet to the server side to
close the connection.
• External Event — External event from an external detector.
Note: No detailed information is received when the mitigation device is an
external detector. In this case, the Information field displays as N/A.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Detection ID The detection control element.
Attack Destination The IP address of the attacked destination as detected by the selected detection
device. For multiple networks, left-click the search icon to the right of the word
“Multiple” to see the list of networks.
Start Time Start time of the attack.
Duration Duration of the attack.
Information
Click the icon to see the attack details of the detection event.
When the attack details of the detection event display, you can click the icon
to see the attack description.
Note: During the import of a security policy, DefensePro does not override the
attacks in the SYN profile.
Detection Event Traffic Display
Graphically displays the detection event legitimate and total traffic over time for
Behavioral DoS (BDoS) or DNS Flood attacks, as appropriate.
Select the type of traffic to display:
• IPv4 or IPv6 — IP traffic type (for BDoS or DNS Flood attacks, as appropriate).
• bps or pps — Bits per second/packets per second (for BDoS attacks).
• Inbound or Outbound — Inbound/outbound traffic (for BDoS attacks).
BDoS TCP example:
Additional Attack Attributes
Additional attack attributes for BDoS, DNS Flood, SYN Flood, Anti-Scanning,
Intrusions, Traffic Filters, Out-of-State (Anomalies), DoS Shield, Geolocation,
EAAF-ERT, and HTTPS Flood Protection attacks.
• Risk — The predefined attack severity level.
Values: High, Medium, Low, Info
• Radware ID — The DefensePro Attack-Protection identifier issued by the
device.
• Direction (In/Out) — The direction of the attack, inbound or outbound.
Values: in, out
• Action Type — The last action value received from the mitigation device for the
protected object. See the Action parameter described in this table.
• Attack ID — Unique ID of the attack.
• Physical Port — The port on the device at which the attack packets arrived. In
cases when the DefensePro mitigation device cannot report a specific value,
the field displays 0 (zero) or Multiple.
• Total Packet Count — The number of identified attack packets from the
beginning of the attack.
• VLAN — The VLAN tag value or Context Group in the policy that handled the
attack. The value N/A or 0 (zero) in this field indicates that the VLAN tag or
Context Group is not available.
• MPLS RD — The Multi-protocol Label Switching Route Distinguisher in the
policy that handled the attack. The value N/A or 0 (zero) in this field indicates
that the MPLS RD is not available.
• Source Port — The Layer 4 source port of the attack.
• Packet Type — The detection event packet type.
Characteristics
BDoS attacks:
• State — The state of the protection process.
Values:
— Footprints Analysis — Behavioral DoS Protection has detected an attack
and is currently determining an attack footprint.
— Blocking — Behavioral DoS Protection is blocking the attack based on the
attack footprint created. Through a closed feedback loop operation, the
Behavioral DoS Protection optimizes the footprint rule, achieving the
narrowest effective mitigation rule.
— Non-attack — Nothing was blocked because the traffic was not an attack —
no footprint was detected or the blocking strictness level was not met.
— footprint analysis — BDoS protection has detected an attack and is
currently generating an attack footprint.
— footprint-applied — BDoS protection is blocking the attack based on the
generated footprint. Through a closed-feedback loop operation, BDoS
protection optimizes the footprint rule, achieving the narrowest effective
mitigation rule.
• Flow Label — (IPv6 only) The flow label that the attack uses or used.
• TCP Sequence Number — The TCP sequence number that the attack uses or
used.
• ToS — The ToS that the attack uses or used.
• TTL — The TTL that the attack uses or used.
The following parameters are only relevant when the State is burst-footprint-blocking:
• Burst Occurring Now — Values: Yes, No
• Current Burst Number — The number of bursts since start of the attack.
• Average Burst Duration — The average duration, in hh:mm:ss format, of the
bursts.
• Average Time Between Bursts — The average time, in hh:mm:ss format,
between separate bursts.
• Average Burst Rate — The average rate, in Kbps, of the bursts.
• Max. Burst Rate — The rate, in Kbps, of the biggest burst in this attack.
DNS Flood attacks:
• TTL — The TTL that the attack uses or used.
• DNS Query — The DNS query that the attack uses or used.
• DNS An Query Count — The DNS An query count that the attack uses or used.
• DNS ID — The DNS ID that the attack uses or used.
• DNS Query Count — The DNS query count that the attack uses or used.
• L4 Checksum — The L4 checksum that the attack uses or used.
• State — The state of the protection process.
Values:
— Normal
— Real-Time Signature Analysis
— Blocking
— Real-Time Signature Challenge
— Real-Time Signature Rate Limit
— Collective Challenge
— Collective Rate Limit
— Anomaly
— Strictness Anomaly
SYN Flood attacks:
• Attack Rate (pps) — The average rate of spoofed SYNs and data connection
attempts per second, calculated every 10 seconds.
• Attack Duration (Hour:Min:Sec) — The duration, in hh:mm:ss format, of the
attack on the protected port.
• Activation Threshold — The configured attack trigger threshold, in half
connections per second.
• TCP Challenge — The Authentication Method that identified the attack:
Transparent Proxy or Safe-Reset.
• TCP Auth. List (%) — The current utilization, in percent, of the TCP
Authentication table.
• HTTP Challenge — The HTTP Authentication Method that identified the attack:
302-Redirect or JavaScript.
• HTTP Auth. List (%) — The current utilization, in percent, of the HTTP
Authentication table.
Anti-Scanning attacks:
• Avg. Time Between Probes (sec) — The average time, in seconds, between
scan events.
• Number of Probes — The number of scan events from the time the attack
started.
• Action Reason — Values:
— Configuration — The action is (or was) according to the value in the Action
field in the Anti-Scanning profile.
— Footprint-accuracy-level — There is (or was) insufficient data for a
footprint, because the Include in the Footprint More than Source IP
Address and Protocol option is enabled in the Anti-Scanning profile.
— Multiple-probed-ports — Port scans are (or were) monitored only (not
blocked), because the Monitor but Do Not Block Port Scans option is
enabled in the Anti-Scanning profile.
• Blocking Duration (sec) — The blocking duration, in seconds, of the attacker
source IP address.
• Estimated Release Time — The estimated release time of attacker in local
time.
Intrusions or DoS Shield attacks, as appropriate:
• Current Packet Rate [Packet/Sec] — The current packet rate.
• Average Packet Rate [Packet/Sec] — The average packet rate.
• Attack Duration — The duration of the attack.
• Protected Host — The protected host.
Traffic Filter attacks:
• Filter Name — The name of the Traffic Filter that matched the traffic.
• Filter ID — The Radware ID of the Traffic Filter that matched the traffic.
Note: The ID is a hyperlink to the configuration of the Traffic Filter.
• Attack Rate (pps) — The rate, in packets/second, of packets that match or
matched the Traffic Filter.
HTTP Flood Protection attacks:
• Detection Method — The method that the module used to detect the attack,
for example: By Rate of HTTPS Requests.
• Mitigation Method — The method that the module used to mitigate the attack,
for example: Rate-Limit Suspected Attackers.
• Authentication Method — The Authentication Method that the module used, for
example: 302 Redirect.
• Total Suspect Sources — The total number of suspect sources, from the start
of the attack.
• Total Req. Challenged — The total number of requests challenged, from the
start of the attack.
• Total Sources Challenged — The total number of sources challenged, from the
start of the attack.
• Total Sources Authenticated — The total number of sources authenticated,
from the start of the attack.
• Total Attackers Sources — The total number of attacker sources, from the start
of the attack.
• Auth List Util. — The utilization, in percent, of the Authentication List, from the
start of the attack.
• Req. Per Sec — Requests per second.
• Transitory Baseline Value
• Transitory Attack Edge Value
• Long Term Trend Baseline
• Long Term Trend Attack Edge
Real-Time Signature
The latest real-time BDoS, DNS Flood, or Anti-Scanning signature for the
detection event (if relevant to the operation), including the operation’s signature
parameters and their values, the boolean relationship between the parameters,
and, if there are multiple signatures for the same operation, the number of
signatures.
For example:
Detector Name/Type The detector name and type.
Attack Traffic (Mbits/s) The last reported total amount of incoming traffic in Mbits per second.
Attack Packet Rate The last reported number of incoming packets per second.
View Additional Parameters
Click the icon at the left end of the protected object row to see additional
parameters.
Source Port Source port of the packet.
DefensePro Event Status The operational status of the DefensePro mitigation device.
End Time End time of the attack.
Detection Name The detection control element.
Protocol The protocol of the incoming traffic.
Maximum Attack Packet Rate (packets/s) Maximum attack packet rate, packets per second.
Maximum Attack Traffic (Mbits/s) Maximum attack traffic, megabits per second.
Attack Packet Rate (Packets/s) Attack packet rate, packets per second.
Operations — List of historical operations on the protected object.
In the Search field above the table, enter a string to search or filter the number of table entries.
The string applies to all fields.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Operation ID The operation ID for the attack operation.
Name The name of the operation.
Type The type of operation.
Operation Networks The IP address of the attacked destination as detected by the selected detection
device. For multiple networks, left-click the search icon to the right of the word
“Multiple” to see the list of networks.
Start Time Start time of the operation.
Policy The policy used by the operation.
Duration The duration of the operation.
BGP FlowSpec The FlowSpec rule used by the operation.
Parameter Description
In the Search field above the table, enter a string to search or filter the number of table entries.
The string applies to all fields.
You can manually add a log. Click Add Log, enter free text in the Add New Log field in the dialog
box, and click Add Log.
Timestamp Attack start time.
Event Type Type of event.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Event Description Detailed description of the event.
Detection ID The unique attack ID for the attack. This ID remains with the attack record for the
record’s entire lifetime.
Operation ID The operation ID for the attack operation.
User Username for user-generated event.
• For system-initiated logs, the username is system.
• For user-created logs, the username is the user’s username (for example:
Operator).
Packet Viewer
This section describes the Packet Viewer parameters and functionality for both protected objects and
activations.
Widget Description
Packet Capture Note: The Real-time Packet Capture feature requires DefensePro 200/400
running version 8.17.2 or later, DefensePro 20/60 running version 8.18.x or
later, or DefensePro 110/220 running version 8.20 or later.
Dropped packets are highlighted in red, passed packets are highlighted in green.
The following fields display for each attack:
• Capture Settings — These fields include the Mitigation Device/Group drop-
down list and the Capture Filter. The filter is a regular expression that filters
which packets are displayed in the Packet Display table. For more details on
the capture filter regular expressions you can define, see Table 19 - Packet
Capture Filter Regular Expression Parameters, page 93.
— Mitigation Device/Group — Select from which DefensePro device or device
group the packets are captured. The default is the device or group that is
referred to specifically by the attack information.
— Capture Filter — Regular expression to display the packet capture
information from the selected DefensePro device or group of DefensePro
devices. The default device is the device or group that is referred to
specifically by the attack information. From the drop-down list, you can
choose one of the last 10 previous inputs for the filter.
• Display Settings — These fields include the Match Filter and Display Filter.
The filters are regular expressions that filter the packets that are displayed in
the Packet Display table. For more details on the regular expressions you can
define, see Table 20 - Match Filter and Display Filter Regular Expression
Parameters, page 93.
— Match Filter — Highlights the packets that match the filter. From the drop-
down list, you can choose one of the last 10 previous inputs for the filter.
— Display Filter — Displays all those packets that match the filter. From the
drop-down list, you can choose one of the last 10 previous inputs for the
filter.
• Legend for the color-codes for packets that match the capture and display
filters:
• Display actions — Do one of the following:
— Click to begin the packet capture display. The packets display one
at a time based on the filters that you defined.
Table 20: Match Filter and Display Filter Regular Expression Parameters
Activations
The Activations pane displays monitoring and report metrics that enable you to view and track
real-time and historical information on selected DefenseFlow activations and networks.
Operational Status
The Operational Status widget displays the current overall operational status for activations.
An activation is counted only once. If an activation has two operations (for example, Pending
Actions and Active Operations), it is counted only once, in the first matching bucket of the
following priority order: Pending, Failed, Active, Provision.
Note: Because a protected object may have multiple activations related to it, the total number of
activations may be greater than the total number of protected objects.
Parameter Description
Pending Total number of activations that have pending actions.
Active Total number of activations that have successful active operations.
Failed Total number of activations that have failed operations.
Provision Total number of activations that are being provisioned for mitigation.
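The counting rule above (each activation counted once, in the highest-priority bucket of Pending, Failed, Active, Provision), as an added illustration that is not DefenseFlow code. It assumes each activation exposes the list of its operations' states; the activation IDs, the lower-case state names and the sample data are constructed for the example.

```python
"""Count activations per Operational Status bucket (added illustration, not
DefenseFlow code). Assumes each activation carries a list of operation states
drawn from {"pending", "failed", "active", "provision"}."""
from collections import Counter

# Priority order from the guide: an activation with several operations is counted
# once, in the first of these buckets that any of its operations matches.
STATUS_PRIORITY = ("pending", "failed", "active", "provision")


def activation_bucket(operation_states):
    """Return the single bucket an activation is counted in, or None when it has
    no operation in any known state."""
    states = set(operation_states)
    for status in STATUS_PRIORITY:
        if status in states:
            return status
    return None


def operational_status(activations):
    """activations: mapping of activation ID -> list of operation states.
    Returns a dict with one count per bucket, zero-filled, whose values sum to
    the number of activations that have at least one known operation state."""
    counts = Counter()
    for states in activations.values():
        bucket = activation_bucket(states)
        if bucket is not None:
            counts[bucket] += 1
    return {status: counts[status] for status in STATUS_PRIORITY}


# Constructed sample: IDs and states are made up for illustration. Activations
# 1001 and 1002 are imagined as belonging to the same protected object, which is
# why the activation total can exceed the protected-object total.
SAMPLE_ACTIVATIONS = {
    1001: ["active", "pending"],    # the pending action outranks the active operation
    1002: ["active"],
    1003: ["provision", "failed"],  # failed outranks provision
    1004: ["provision"],
    1005: [],                       # no operations: counted nowhere
}

if __name__ == "__main__":
    for status, n in operational_status(SAMPLE_ACTIVATIONS).items():
        print(f"{status:>9}: {n}")
```

Running the block prints one line per bucket; with the constructed sample each bucket holds exactly one activation and activation 1005 is counted in none.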
Parameter Description
Inbound to Mitigation Device Incoming traffic for mitigation, in bits per second or packets per second.
Dropped by Mitigation Incoming traffic dropped by mitigation, in bits per second or packets per second.
Clean Traffic Clean traffic re-injected after mitigation, in bits per second or packets per second.
1. At the top right-hand side of the widget, click the clock icon.
2. Do one of the following:
— Select one of the following preset ranges (Quick Range):
• 15m — The last 15 minutes
• 30m — The last 30 minutes
• 1H — The last hour
• 3H — The last three hours
• 6H — The last six hours
• 12H — The last 12 hours
• 24H — The last 24 hours
Default: 15m
— Specify a specific time range (Time Range):
a. Select a specific calendar date for the time range start date (From).
b. Select a specific calendar date for the time range end date (To).
3. Click Apply to apply the configuration.
Activations
The Activations table includes the set of activations for protected objects and their related
information:
Parameter Description
Overall Activations Status A colored indicator to the left of the Activation ID that indicates the overall attack
operation status. It is related to the protection Status, as described here and as
described later in this table.
Overall status indicators include:
• Orange — A pending action is required
• Green — The activation has successful active operations
• Red — The activation failed
• Blue — This is a provisioned activation
• Yellow — The activation is not protected and needs attention
Activation ID The unique attack ID for the activation. This ID remains with the attack record for
the record’s entire lifetime. This attack ID is internal to DefenseFlow and not
related to any external IDs associated with the activation.
Protected Object Name The protected object associated with the activation.
Source Network The attack operation geolocation source network IP addresses and ranges
(CIDRs).
Up to three CIDRs are displayed. If there are more than three CIDRs for an
attack, the total number of CIDRs is displayed within parentheses (round
brackets).
To view the list of source CIDRs, click the (Edit) icon to the right of the
displayed CIDRs. From the Networks dialog box, you can:
• View the full list of source CIDRs.
• Click the Destination tab and
— Change the protection statuses of any of the destination CIDRs.
— Add a new network to protect in the CIDR field and click Add.
After making any changes, click Submit.
Destination Network The attack operation geolocation destination network IP addresses and ranges
(CIDRs).
Up to three CIDRs are displayed. If there are more than three CIDRs for an
attack, the total number of CIDRs is displayed within parentheses (round
brackets).
To view the list of destination CIDRs, click the (Edit) icon to the right of the
displayed CIDRs. From the Networks dialog box, you can:
• Change the protection statuses of any of the destination CIDRs.
• Add a new network to protect in the CIDR field and click Add.
• Click the Source tab and view the full list of the source CIDRs.
After making any changes, click Submit.
Attack Traffic Number of bytes per second (BPS) for the activation.
Displays for an historic attack the maximum BPS that was reported since the start
of the attack until termination of the attack.
The BPS volume is graphically represented as a percentage interval on the BPS
volume gauge per the defined volume range.
The following are the default BPS gauge representations and their associated
volume ranges:
• 0%-25% — 0m < value < 50m
• 25%-50% — 50m < value < 250m
• 50%-75% — 250m < value < 500m
• 75%-100% — 500m < value
You can change the volume range for the gauge using the CLI command
dfc-core-configuration.
For example, if you want to change the top limit of the BPS volume range for 75%
of the gauge from 500m to 70m, run the following CLI command:
dfc-core:configuration-set -name dfc.attack.dashboard.volume.bps.level075 -value 70m
Attack Packet Rate Number of packets per second (PPS) for the attack operation.
For a historical attack, displays the maximum PPS reported from the start of the attack
until its termination.
The PPS rate is graphically represented as a percentage interval on the PPS rate
gauge per the defined rate range.
The following are the default PPS gauge representations and their associated rate
ranges:
• 0%-25% — 0k < value < 100k
• 25%-50% — 100k < value < 500k
• 50%-75% — 500k < value < 1m
• 75%-100% — 1m < value
You can change the rate range for the gauge using the CLI command
dfc-core-configuration.
For example, if you want to change the top limit of the PPS rate range for 50% of
the gauge from 500k to 400k, run the following CLI command:
dfc-core:configuration-set -name dfc.attack.dashboard.volume.pps.level050 -value 400k
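To make the gauge mapping concrete, the following added example (not Radware code) parses the suffixed CLI values, merges a configuration-set override over the page's default limits, and maps a reported BPS or PPS figure to its gauge quarter. The level025 key name, the k/m/g multipliers, the strict-less-than boundary treatment and the check that a gauge's three limits ascend are assumptions of this example.

```python
"""Map an attack's reported BPS/PPS to the dashboard gauge quarter.

Added example (not Radware code). Assumptions: the suffixes k/m/g mean
10**3/10**6/10**9, the level025 key follows the level050/level075 naming
shown on the page, a value on a limit belongs to the upper quarter, and
the three limits of one gauge must ascend.
"""
from typing import Dict, List

# Default upper limits of the 0-25%, 25-50% and 50-75% quarters (from the page).
DEFAULTS: Dict[str, str] = {
    "dfc.attack.dashboard.volume.bps.level025": "50m",   # assumed key name
    "dfc.attack.dashboard.volume.bps.level050": "250m",
    "dfc.attack.dashboard.volume.bps.level075": "500m",
    "dfc.attack.dashboard.volume.pps.level025": "100k",  # assumed key name
    "dfc.attack.dashboard.volume.pps.level050": "500k",
    "dfc.attack.dashboard.volume.pps.level075": "1m",
}

MULTIPLIER = {"k": 10**3, "m": 10**6, "g": 10**9}   # assumed suffix meanings

BANDS = ["0%-25%", "25%-50%", "50%-75%", "75%-100%"]


def parse_volume(text: str) -> int:
    """Convert a CLI value such as '400k', '70m' or '12345' to an integer."""
    s = text.strip().lower()
    if not s:
        raise ValueError("empty volume value")
    if s[-1] in MULTIPLIER:
        return int(float(s[:-1]) * MULTIPLIER[s[-1]])
    return int(s)


def apply_overrides(overrides: Dict[str, str]) -> Dict[str, int]:
    """Merge 'configuration-set -name X -value Y' pairs over the defaults."""
    merged = dict(DEFAULTS)
    for name, value in overrides.items():
        if name not in merged:
            raise KeyError(f"unknown gauge setting: {name}")
        merged[name] = value
    return {name: parse_volume(value) for name, value in merged.items()}


def gauge_limits(settings: Dict[str, int], metric: str) -> List[int]:
    """Return the three limits for 'bps' or 'pps'; reject limits that do not ascend."""
    prefix = f"dfc.attack.dashboard.volume.{metric}.level"
    limits = [settings[prefix + level] for level in ("025", "050", "075")]
    if not (limits[0] < limits[1] < limits[2]):
        raise ValueError(f"{metric} gauge limits must ascend: {limits}")
    return limits


def gauge_band(value: int, limits: List[int]) -> str:
    """Name the quarter of the gauge into which a reported value falls."""
    for band, limit in zip(BANDS, limits):
        if value < limit:
            return band
    return BANDS[-1]   # above the 75% limit


if __name__ == "__main__":
    # The page's PPS example: lower the 50% limit from 500k to 400k.
    settings = apply_overrides(
        {"dfc.attack.dashboard.volume.pps.level050": "400k"})
    pps_limits = gauge_limits(settings, "pps")
    # A 450k PPS attack moves from the 25%-50% quarter to 50%-75%.
    print(pps_limits, gauge_band(450_000, pps_limits))
```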
Protocol Protocols used by the attack operation.
Detection The detection control element.
Status An icon indicating the status of the attack operation. To view the status icon
description, hover over the status icon.
Note: The overall attack operation status is represented by a color indicator to
the left of the Attack ID.
Statuses:
• (Protection has terminated) — All protections have been activated and the
attack has ended.
Actions you can perform from the Protected Objects table include:
• Changing the Display of the Activations Table, page 102
• Viewing Activations Details, page 102
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in descending order. Select the up arrow to sort in
ascending order.
3. Click the heading to reset the column sorting.
Parameter Description
Activation Full View
Protected Object Name The protected object associated with the activation.
Source Networks The attack operation geolocation represented by the geolocation flag, and the
source network IP addresses and ranges (CIDRs).
Up to three CIDRs are displayed. If there are more than three CIDRs for an
attack, the total number of CIDRs is displayed within parentheses (round
brackets).
To view the list of source CIDRs, click the (Edit) icon to the right of the
displayed CIDRs. From the Networks dialog box, you can:
• View the full list of source CIDRs.
• Click the Destination tab and
— Change the protection statuses of any of the destination CIDRs.
— Add a new network to protect in the CIDR field and click Add.
After making any changes, click Submit.
Destination Networks The attack operation geolocation represented by the geolocation flag, and the
destination network IP addresses and ranges (CIDRs).
Up to three CIDRs are displayed. If there are more than three CIDRs for an
attack, the total number of CIDRs is displayed within parentheses (round
brackets).
To view the list of destination CIDRs, click the (Edit) icon to the right of the
displayed CIDRs. From the Networks dialog box, you can:
• Change the protection statuses of any of the destination CIDRs.
• Add a new network to protect in the CIDR field and click Add.
• Click the Source tab and view the full list of the source CIDRs.
After making any changes, click Submit.
Attack Traffic Traffic volume, in Mbits per second, for the attack operation.
For a historical attack, displays the maximum BW reported from the start of the attack
until its termination.
The BW volume is graphically represented as a percentage interval on the BW
volume gauge per the defined volume range.
The following are the default BPS gauge representations and their associated
volume ranges:
• 0%-25% — 0m < value < 50m
• 25%-50% — 50m < value < 250m
• 50%-75% — 250m < value < 500m
• 75%-100% — 500m < value
You can change the volume range for the gauge using the CLI command
dfc-core-configuration.
For example, if you want to change the top limit of the BPS volume range for 75%
of the gauge from 500m to 70m, run the following CLI command:
dfc-core:configuration-set -name dfc.attack.dashboard.volume.bps.level075 -value 70m
Attack Packet Rate Number of packets per second (PPS) for the attack operation.
For a historical attack, displays the maximum PPS reported from the start of the attack
until its termination.
The PPS rate is graphically represented as a percentage interval on the PPS rate
gauge per the defined rate range.
The following are the default PPS gauge representations and their associated rate
ranges:
• 0%-25% — 0k < value < 100k
• 25%-50% — 100k < value < 500k
• 50%-75% — 500k < value < 1m
• 75%-100% — 1m < value
You can change the rate range for the gauge using the CLI command
dfc-core-configuration.
For example, if you want to change the top limit of the PPS rate range for 50% of
the gauge from 500k to 400k, run the following CLI command:
dfc-core:configuration-set -name dfc.attack.dashboard.volume.pps.level050 -value 400k
Protocol Protocols used by the attack operation.
Detection The detection control element.
Status An icon indicating the status of the attack operation. To view the status icon
description, hover over the status icon.
Note: The overall attack operation status is represented by a color indicator to
the left of the Attack ID. Earlier in this table, see the description of this
indicator and its relationship to the attack operation statuses.
Statuses:
• (Protection has terminated) — All protections have been activated and the
attack has ended.
Protection Manually start or stop a protection operation for the attack based on the current
status of the protection.
Click one of the following buttons as relevant:
• CONFIRM ALL — Confirm starting or stopping multiple protection operations
for a given attack ID.
• CONFIRM START — Confirm starting a single protection operation for a given
attack ID.
• CONFIRM STOP — Confirm stopping a single protection operation for a given
attack ID.
• START — Start a single protection operation for a given attack ID.
• STOP — Stop a single protection operation for a given attack ID.
• STOP ALL — Stop all protections for multiple operations for a given attack ID.
Notes:
• While a protection operation is in process, you can hover over the Protection
button to view the protection status and to see more details of the operation
by clicking the Details link.
• You can only manually stop a manually activated protection on a protected
object, even if the attack has terminated.
Start Time Time when the activation became active.
End Time Time when the activation ended.
AMS Traffic Statistics
The AMS Traffic Statistics graph displays the current or historical traffic statistics based on which
display you have selected (see Current, Historical, Log below in this table).
By default, the total data for all devices is displayed. You can filter the statistics to only display the
data for an individual device:
1. Click Select.
2. Select one of the following:
— TOTAL (all devices) — The graph displays the total data for all devices.
— individual device name — The graph displays the data only for the selected device.
Inbound to Mitigation Device Incoming traffic for mitigation, in bits per second or packets per second.
Dropped by Mitigation Incoming traffic dropped by mitigation, in bits per second or packets per second.
Clean Traffic Clean traffic re-injected after mitigation, in bits per second or packets per second.
Current, Historical, Log — The list of current and historical attacks and operations, and the attack
event log. Click the respective button for each of these lists.
• For the current attack and operation lists, see Full View Parameters — Detection Events and
Operations for Activations, page 106
• For the historical attack and operation lists, see Full View Parameters — Historical Attacks and
Operations for Activations, page 108
• For the protected object event log, see Full View Parameters — Log, page 109
3. The following are navigational actions you can perform in the Full View pane:
— To exit the Full View pane, click the button at the top left edge of the pane.
— To expand the Protected Objects widget display, click the button. The Protected
Objects widget expands and the AMS Traffic Statistics widget is hidden.
— To compress the Protected Objects widget, click the button and the AMS Traffic
Statistics widget displays.
Full View Parameters — Detection Events and Operations for Activations
The following are the parameters for the Full View Detection Events and Operations for activations.
Table 25: Full View Parameters — Current Detection Events and Operations on Activations
Parameter Description
Current Detection Events — List of current detection events
In the Search field above the table, enter a string to search for a current detection event.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Detection ID The detection control element.
Attack Destination The IP address of the attacked destination as detected by the selected detection
device. For multiple networks, left-click the search icon to the right of the word
“Multiple” to see the list of networks.
In Grace Period The attack grace period status.
Values: Yes, No
Start Time Start time of the attack.
Duration Duration of the attack.
Detector Name/Type The detector name and type.
Attack Traffic The last reported total amount of incoming traffic in Mbits per second.
Attack Packet Rate The last reported number of incoming packets per second.
Protocol The protocol associated with the operation.
Information Details about the attack.
Filter Click the (Filter) icon to display the operations related to the activation in
the Current Operations table.
View Additional Parameters Click the icon at the left end of the protected object row to see parameters
that are not displayed in the table.
Operations — List of current operations on the activation.
In the Search field above the table, enter a string to search for a current operation or
to filter the table entries. The string applies to all fields.
Mitigation Status The status of the operation.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Operation ID The operation ID for the attack operation.
Operation Name/Type The operation name and type.
Operation Networks The IP address that is part of the protection operation. For multiple networks,
left-click the search icon to the right of the word “Multiple” to see the list of
networks.
Mitigation Device/Group The mitigation device or group name.
Network Element/Group The network elements or network element group for the protection.
Start/Stop The pending action waiting for confirmation.
Values:
For a description of the Packet Viewer parameters, see Packet Viewer, page 90.
Edit To edit operation details for the activation, click the (Edit) button. The
Operation Details dialog box displays.
After you edit any of the details, click Apply.
For a description of the Operation Details parameters, see Table 26 - Edit
Operation Details Parameters, page 108.
View Additional Parameters Click the icon at the left end of the protected object row to see parameters
that are not displayed in the table.
Row Description
Operation Details of the operation, including:
• Description — Description of the operation.
• Operation Type — The type of operation. Values: Mitigation, Traffic Blocking,
Custom
• Diversion Protocol — The diversion protocol. Values: BGP, BGP FlowSpec
Mitigation Group Details of the mitigation devices in the mitigation group associated with the
operation, including:
• Name — The mitigation device name.
• Operational Status — The operational status of the mitigation device.
• CPU Utilization — Percent of the CPU utilization of the mitigation device.
• BW Utilization (GBPS) — Percent of the bandwidth utilization of the mitigation
device.
• Policies Utilization — Percent of the policies table utilization of the mitigation
device.
• Filter List Utilization — Percent of filter list utilization of the mitigation device.
• Managed — Whether the mitigation device is managed.
Values: true, false
• Platform Name — Platform name of the mitigation device.
• Geo Feed Status — The status of the Geolocation Feed on the DefensePro
mitigation device (active, inactive).
• Update Time — Last monitored update time.
• Last Error — The last device access error that was issued.
Filter List If you want to associate a blocklist and/or allowlist to the operation, select them
from the drop-down lists.
Geolocation If you want to temporarily override the current geoblocking settings for this
operation for the duration of the protection, select a geolocation or Geolocation
feed group to block or allow, then select the override action:
• Block — Block the selected geolocation or Geolocation feed group.
• Allow — Allow the selected geolocation or Geolocation feed group (default).
DNS Protection If you want to associate a DNS allowlist to the operation, select one from the
drop-down list, or click the Upload icon to upload a file with a DNS allowlist
not on the list.
If you want to see the contents of a DNS allowlist, select one from the drop-down
The following are the full view Historical Attacks and Operations for activations.
Table 27: Full View Parameters — Historical Attacks and Operations for Activations
Parameter Description
Attack History Table — List of historical activations.
In the Search field above the table, enter a string to search or filter the number of table entries.
The string applies to all fields.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Detection ID The detection control element.
Attack Destination The IP address of the attacked destination as detected by the selected detection
device. For multiple networks, left-click the search icon to the right of the word
“Multiple” to see the list of networks.
Start Time Start time of the attack.
Duration Duration of the attack.
Detector Name/Type The detector name and type.
Protocol The protocol associated with the operation.
Attack Traffic The last reported total amount of incoming traffic in Mbits per second.
Attack Packet Rate The last reported number of incoming packets per second.
View Additional Parameters Click the icon at the left end of the activation row to see additional
parameters:
• End Time
• Maximum Reported Attack BW
• Maximum Reported Attack PPS
Operation History Table — List of historical operations for the activations.
In the Search field above the table, enter a string to search or filter the number of table entries.
The string applies to all fields.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Operation ID The operation ID for the attack operation.
Name The name of the operation
Type The type of operation.
Operation Networks The IP address of the attacked destination as detected by the selected detection
device. For multiple networks, left-click the search icon to the right of the word
“Multiple” to see the list of networks.
Start Time Start time of the operation.
Policy The policy used by the operation.
Duration The duration of the operation.
BGP FlowSpec The FlowSpec rule used by the operation.
Parameter Description
In the Search field above the table, enter a string to search or filter the number of table entries.
The string applies to all fields.
You can manually add a log. Click Add Log, enter free text in the Add New Log field in the dialog
box, and click Add Log.
Timestamp Attack start time.
Event Type Type of event.
Activation ID The unique activation ID for the detection events and operations. This ID remains
with the activation record for the record’s entire lifetime.
Event Description Detailed description of the event.
Detection ID The unique attack ID for the attack. This ID remains with the attack record for the
record’s entire lifetime. This attack ID is internal to DefenseFlow and not related
to any external IDs associated with the attack.
Operation ID The operation ID for the attack operation.
User Username for user-generated event.
• For system-initiated logs, the username is system.
• For user-created logs, the username is the user’s username (for example:
Operator).
System
The System pane displays system monitoring and report metrics. These metrics enable you to view
and track real-time and historical information on selected system elements.
Statistics are displayed for the following systems:
• DefenseFlow, page 110
• DefensePro, page 113
• Routers, page 114
DefenseFlow
The DefenseFlow statistics include the following:
• High Availability, page 111
• General Information, page 112
• System Utilization Details, page 112
• Background Processes, page 112
High Availability
The High Availability widget displays the status of High Availability nodes.
Node Description
Active IP address The IP address of the active node.
Indicates the operational status of the Active Node (Up or Down), and the Node
Role. If there is only one node, the node role is Standalone.
Standby IP address The IP address of the standby node, if available.
Indicates the operational status of the Standby Node (Up or Down), and the Node
Role.
APSolute Vision supports high availability for a DefenseFlow-instance pair that is associated with the
APSolute Vision server by allowing a seamless automatic failover from the active DefenseFlow
instance to the standby instance.
All APSolute Vision DefenseFlow functionality relates to the active instance only.
Upon a DefenseFlow failover, APSolute Vision will maintain all data of the failed DefenseFlow
instance to avoid any data loss or discrepancies due to the failover.
The signaling between the DefenseFlow instances and APSolute Vision is done through the
defenseflow system user, by default.
For more information on configuring High Availability, see High Availability, page 203.
General Information
The General Information widget displays DefenseFlow general system information.
Parameter Description
Build Currently installed DefenseFlow software build.
Version Currently installed DefenseFlow software version.
Uptime Time since the last reboot of the system, in the format hh:mm:ss
(hours:minutes:seconds).
Parameter Description
Container System Utilization Statistics
Note: When containers other than Host are up, a "-" (hyphen) displays for the Disk Space
Utilization for those containers. If a service or container is down, "N/A" displays for all the
utilization values for that container.
Container Name Name of the container monitored by DefenseFlow.
CPU Utilization Percentage of CPU currently being utilized by the container.
Memory Utilization Percentage of memory currently being utilized by the container.
Disk Space Utilization Percentage of disk space currently being utilized by the container.
Update Time Last monitored update time.
1. At the top right of the System Utilization Details widget, click the icon.
2. Set the alert limit percentages as required.
3. Click Save.
Background Processes
The Background Process widget displays the statuses of background processes running in
DefenseFlow to help you determine if an unsynchronized task is completed or still running.
Parameter Description
Process Description Description of the background process and sub-processes.
Error Message Error message related to the status update.
Update Time Date and time of the status update for the background process.
DefensePro
This DefensePro Device Status table displays statistics for the configured DefensePro mitigation
device.
Parameter Description
Operation Status The operational status of the mitigation device.
Name The name of the mitigation device.
CPU Utilization Percent of the CPU utilization of the mitigation device.
BW Utilization (Gbps) Percent of the bandwidth utilization of the mitigation device.
Value: percentage_utilized (bandwidth_utilized/total_bandwidth)
Example: 5.0% (3.00/60.00)
In this example, 5.0% of the total bandwidth (60.00 Gbps) is utilized (3.00 Gbps).
Policies Utilization Percent of the policies table utilization of the mitigation device.
Filter Lists Utilization Percent of the filter list utilization of the mitigation device.
Managed Whether the mitigation device is managed.
Values: true, false
Geo Feed Status Geolocation Feed status:
• Active — The Geolocation Feed on the DefensePro mitigation device is active.
• Inactive — The Geolocation Feed on the DefensePro mitigation device is
inactive.
Default: Active
Last Error The last device access error that was issued.
Examples:
• Authentication error
• Unable to connect to the mitigation device
Update Time Last monitored update time.
Routers
The Routers tab includes the following sets of statistics:
• BGP Peers, page 114
• Announcements, page 116
• BGP FlowSpec, page 117
BGP Peers
The BGP Peers table displays the statistics for BGP peers.
Parameter Description
Peering State Peering state of the BGP peer.
Values:
• Active — The router did not receive agreement for peer establishment.
• Established — Peering is established and routing begins.
Peer Name The name of the network element.
IP Address The IP address of the BGP peer.
Last Connectivity Time The last connectivity time of the BGP peer.
Local Router ID The DefenseFlow BGP peer ID.
The local peer ID in an HA installation is the IPv4 address of the HA Node control
interface.
Local IP Address The local IP address of the DefenseFlow device used to communicate with the
BGP peer. This is the control interface IP address.
In a High Availability (HA) installation, you can use this to distinguish between the
connections opened by the Active and the Standby HA nodes. As a result, in such
an installation there are two node entries per single network element.
The local IP address in an HA installation is the IPv4 address of the HA Node
control interface.
Local AS The local Autonomous System number.
Peer AS The peer Autonomous System number.
Announcements Number of BGP active announcements.
Withdrawals Number of withdrawals.
BGP FlowSpec State The FlowSpec state of the BGP peer.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in descending order. Select the up arrow to sort in
ascending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Announcements
The Announcements table displays the statistics of the currently active BGP announcements.
Note: In a High Availability (HA) installation, per announcement, there are two entries representing
the two HA nodes.
Parameter Description
Protected Object The name of the protected object for which the announcement was sent.
Note: If the protected object is under protection, and you modify an attribute
that conflicts with the ongoing protection, the change is performed only at the
next activation of the protected object.
Operation Name The operation of the protected object for which the announcement was sent.
Note: If the protected object is under protection, and you modify an attribute
that conflicts with the ongoing protection, the change is performed only at the
next activation of the protected object.
Status The status of the announcement.
Local IP Address The local IP address of the protected object for which the announcement was
sent.
Peer Name The name of the network element to which the announcement was sent.
Peer IP Address The IP address of the DefenseFlow BGP peer.
Network The destination network of the BGP announcement.
Next Hop The next hop address used for the BGP announcement.
Communities The BGP communities in the announcement.
AS Path The Autonomous System number of the network element’s BGP peer.
Update Time The time the announcement was sent.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in descending order. Select the up arrow to sort in
ascending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
BGP FlowSpec
The BGP FlowSpec table displays the statistics of currently advertised FlowSpec rules.
Parameter Description
Protected Object The protected object name.
Operation Name The operation associated with the protected object.
Rule Name The rule associated with the protected object.
Destinations The destination prefixes to block as defined in the FlowSpec rule.
Source The source prefix to block as defined in the FlowSpec rule.
Peers The IP address to block as defined in the FlowSpec rule.
Communities The community to block as defined in the FlowSpec rule.
Source Port The source port to block as defined in the FlowSpec rule.
Destination Port The destination port to block as defined in the FlowSpec rule.
Port The port to block as defined in the FlowSpec rule.
Protocol The protocol to block as defined in the FlowSpec rule.
ICMP Type The ICMP type to block as defined in the FlowSpec rule.
ICMP Code The ICMP code to block as defined in the FlowSpec rule.
TCP Flags The TCP flag to block as defined in the FlowSpec rule.
Packet Length The packet length to block as defined in the FlowSpec rule.
DSCP The DSCP to block as defined in the FlowSpec rule.
Fragment The fragment to block as defined in the FlowSpec rule.
Route Tag Name The name of the route tag to which to redirect as defined in the FlowSpec rule.
Route Tag Route The route tag route to which to redirect as defined in the FlowSpec rule.
Redirection for Mitigation The mitigation redirection status (enabled or disabled) for the FlowSpec rule.
Redirect Mitigation Next Hop The device to which to redirect for mitigation as defined in the FlowSpec rule.
Block The blocking status (enabled or disabled) for the FlowSpec rule.
Rate Limit (Bytes/s) The rate limit to apply as defined in the FlowSpec rule.
Set DSCP The update setting for the DSCP header in the FlowSpec rule.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in descending order. Select the up arrow to sort in
ascending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Security Settings
The Security Settings perspective lets you configure protected objects, including their associated
workflows, detections, operations, and mitigations.
Protected Objects
Protected objects are the services you use DefenseFlow to protect.
Use the Protected Objects pane to view, configure, or delete protected objects. The initial view
displays existing objects and lets you search for a specific protected object.
Parameter Description
Basic Settings
Basic Settings includes General, Protected Networks, and Mitigation parameters.
General • Name — Name of the protected object.
Maximum number of characters: 255
• Description — Description of the protected object.
Maximum number of characters: 255
• Status — Select whether the protected object is enabled or disabled.
Default: Enabled
Protected Networks List of protected networks and their associated edge networks or route tags.
Maximum number of network entries:
• 10,000 for protected objects with an external detector
• 500 for protected objects with Radware’s collector
Note: The total number of networks for all protected objects together is
limited to 250,000.
Click the (Add) button and configure the protected network parameters:
• Use Any Network Address — All networks are protected. By default, it is
disabled. When you deselect it, the Network Address text box displays.
• Network Address — List of IPv4 or IPv6 network addresses with a subnet IP
address separated by a comma (“,”). Examples: 10.10.10.0/24, 11.11.11.0/24
• Clean Traffic Injection — When you select this option, the protected network
types display (Edge Network and Route Tag). Select one of the options:
— Edge Network — This is the element associated with the protected
networks. In a single-entry multiple network, addresses should all be
associated with the same edge network.
— Route Tag — This option displays when you select Route Tag as the Protected
Network Type. It is the route tag associated with the protected networks. Select
from the list of configured route tags (see Route Tags, page 217).
Mitigations The mitigation parameters for the protected object, including:
• Update from Security Policy Templates — Select this option if you want to
update the security policy from an existing security policy template or add a
new template.
Note: If this check box is not selected, the Security Policy Template
text box and (Add) button are grayed out and the security policy used is
the one defined using template from the Security Policy Templates pane
(see Security Policy Templates, page 155).
• Security Policy Template — Do one of the following:
— Select the security template from the Security Template drop-down list
and edit it if required by clicking the (Edit) button.
For an existing template:
• If it is a GUI type template, the Edit Security Policy Template dialog
box displays with the various security policy sections and parameters.
For more information on configuring these parameters, see Security
Policy Templates, page 155).
• If it is a Text template, the Edit Security Policy Template dialog box
displays with the Description and Template (the policy text) fields.
The policy text includes DefensePro traffic filters.
— Click the (Add) button and configure a new security template from the
Security Policy Templates pane (see Security Policy Templates, page 155).
• Peak Traffic Bandwidth (bits/sec) — Peak traffic value to use, in bits per
second, in case of activation when no attack information is available.
• Policy Priority — The precedence that this security policy has in relation to
other security policies, where precedence High gets the highest priority, and
precedence None gets the lowest priority. This is relevant for overlapping
protected objects if more than one policy is configured on the DefensePro
device.
Values: None, Low, Medium, High
Default: None
Each of the policy precedence values represents a range of DefensePro priority
values:
— None — For granular mitigation, 8001 – 16000; for non-granular
mitigation, 1 – 8000
— Low — For granular mitigation, 24001 – 32000; for non-granular
mitigation, 16001 – 24000
— Medium — For granular mitigation, 40001 – 48000; for non-granular
mitigation, 32001 – 40000
— High — For granular mitigation, 56001 – 63999; for non-granular
mitigation, 48001 – 56000
Based on the DefenseFlow precedence you selected, DefenseFlow assigns to
the policy the next available priority number in the precedence range. If the
assigned priority number is the same as for the existing policy in DefensePro,
DefensePro adds 10 to the policy’s priority number so that the policy is
executed as expected.
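The precedence-to-priority mapping and the allocation rule above can be exercised with the following added example (not Radware or DefenseFlow code). It takes the four ranges from the page; reading "next available" as the lowest number in the range not yet handed out, and applying the +10 collision rule once, are assumptions of the example, as is the reverse lookup used to audit a priority number seen on a DefensePro device.

```python
"""Assign a DefensePro policy priority from a DefenseFlow policy precedence.

Added example (not Radware code). The ranges are those stated on the page.
Assumptions: 'next available' means the lowest number in the range that
DefenseFlow has not already handed out, and the +10 collision adjustment
is applied once when the chosen number matches an existing DefensePro policy.
"""
from typing import Dict, Optional, Set, Tuple

Range = Tuple[int, int]

# precedence -> (granular range, non-granular range), bounds inclusive
PRIORITY_RANGES: Dict[str, Tuple[Range, Range]] = {
    "None":   ((8001, 16000),  (1, 8000)),
    "Low":    ((24001, 32000), (16001, 24000)),
    "Medium": ((40001, 48000), (32001, 40000)),
    "High":   ((56001, 63999), (48001, 56000)),
}


def priority_range(precedence: str, granular: bool) -> Range:
    """Return the DefensePro priority range for a precedence and mitigation kind."""
    try:
        granular_range, plain_range = PRIORITY_RANGES[precedence]
    except KeyError:
        raise ValueError(f"unknown precedence {precedence!r}") from None
    return granular_range if granular else plain_range


def assign_priority(precedence: str, granular: bool,
                    assigned: Set[int], defensepro_policies: Set[int]) -> int:
    """Pick the next free number in the range, then dodge a DefensePro collision.

    `assigned` holds numbers DefenseFlow already gave out and is updated in place;
    `defensepro_policies` holds priorities of policies already on the device.
    """
    lo, hi = priority_range(precedence, granular)
    candidate = next((n for n in range(lo, hi + 1) if n not in assigned), None)
    if candidate is None:
        raise RuntimeError(f"no free priority left in {precedence} range {lo}-{hi}")
    if candidate in defensepro_policies:
        candidate += 10          # the page's collision rule; may leave the range near hi
    assigned.add(candidate)
    return candidate


def precedence_of(priority: int) -> Optional[Tuple[str, bool]]:
    """Reverse lookup for audits: (precedence, granular) owning a priority number."""
    for precedence, (granular_range, plain_range) in PRIORITY_RANGES.items():
        if granular_range[0] <= priority <= granular_range[1]:
            return precedence, True
        if plain_range[0] <= priority <= plain_range[1]:
            return precedence, False
    return None


def ranges_are_disjoint() -> bool:
    """Sanity check that no two precedence ranges overlap."""
    spans = sorted(r for pair in PRIORITY_RANGES.values() for r in pair)
    return all(a[1] < b[0] for a, b in zip(spans, spans[1:]))


if __name__ == "__main__":
    handed_out: Set[int] = set()
    on_device = {56001}          # constructed: a policy already at 56001 on DefensePro
    p = assign_priority("High", True, handed_out, on_device)
    print(p, precedence_of(p))   # the collision pushes the new policy to 56011
```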
• Geolocation — If you want this security policy to override the geolocation
operation, select the geolocation from the Geolocation drop-down list and
edit it if required by clicking the (Edit) button, or click the (Add) button
and configure a new geolocation (see Geolocations, page 184).
Select the override action:
— Block — Block the selected geolocation or Geolocation feed group
(default).
— Allow — Allow the selected geolocation or Geolocation feed group
(default).
• Show/Edit Related Security Policy — Show and/or edit the security policy
associated to the protected object.
Click the (Edit) button. The Show/Edit Security Policy dialog box
displays the Security Policy text box, which you can edit as needed. The
policy text includes DefensePro traffic filters.
You can resize the text box as required by dragging the icon at the bottom
right-hand corner of the scroll bar.
Maximum number of characters: 1,000,000
Workflow
The workflow associated with the protected object.
Do one of the following:
this workflow. You can edit it if required by clicking the (Edit) button,
or click the (Add) button and configure a new detection (see
Detections, page 137).
— Provisioning — Select from the list of existing operations to be performed
upon provisioning of the protected object associated with this workflow.
You can edit it if required by clicking the (Edit) button, or click the
(Add) button and configure a new operation (see Operations, page 141).
• Select an existing workflow and update it as required:
— Select Workflow — Select from a list of existing workflows and edit it if
Workflow Rules
The set of criteria-based operation rules for the workflow.
Rules
1. Click the (Add) button to add a workflow rule.
2. Set the parameters for the criteria-based operation rules.
The enter and exit criteria comprise a set of conditions with AND or OR
operators. You can define the same criteria with multiple operations.
DefenseFlow performs all operations that meet the operation’s criteria.
— Enter Criteria — The enter criteria for the workflow. DefenseFlow starts the
operation if the criteria are met on detection.
For a description and examples of the possible criteria, see Table 113 -
Workflow Rule Conditions: Events, page 254.
You build the enter criteria by selecting events/conditions and operators
from the Enter Criteria drop-down list. After selecting an event/condition,
if you want to add an AND or OR condition:
a. After the event/condition, type a space, the word AND or OR as
appropriate, then another space.
b. Select the next event/condition.
— Enter Criteria User Action Mode — Select the user action mode for the
enter criteria from the drop-down list. Values:
• Automatic — DefenseFlow performs the chosen operation based on the
enter criteria.
• User Confirmation — When the enter criteria are met, the operator is
prompted to confirm activating the defined operation or to choose
another operation.
— Exit Criteria — The exit criteria for the workflow. DefenseFlow stops the
operation if the criteria are met.
For a description and examples of the possible criteria, see Table 113 -
Workflow Rule Conditions: Events, page 254.
You build the exit criteria by selecting events/conditions and operators
from the Exit Criteria drop-down list. After selecting an event/condition, if
you want to add an AND or OR condition:
a. After the event/condition, type a space, the word AND or OR as
appropriate, then another space.
b. Select the next event/condition.
— Exit Criteria User Action Mode — Select the user action mode for the exit
criteria from the drop-down list. Values:
• Automatic — DefenseFlow performs the chosen operation based on the
exit criteria.
• User Confirmation — When the exit criteria are met, the operator is
prompted to confirm activating the defined operation or to choose
another operation.
— Operation — Operation for this workflow rule. This is an operation that is
configured using the Operations pane (see Operations, page 141).
— Operation Type (read-only) — The type of operation as defined for the
operation you selected.
3. To delete a workflow rule, select the rule and click the (Delete) button.
Threshold Detections
FlowDetector Thresholds
The FlowDetector thresholds for the protected object. This is relevant only if
DefenseFlow uses Radware DefenseFlow FlowDetector to analyze and use the
network metadata of actual Layer 3-4 session flows received from the control plane. For
more information, see the latest Radware DefenseFlow FlowDetector User Guide.
Using FlowDetector thresholds is optional and can be used in addition to other
detections. Each activation threshold can be configured regardless of other
thresholds. An attack is reported when traffic exceeds the activation thresholds.
Thresholds are specified in megabits per second (Mbps) and packets per second
(pps), respectively. You can specify units for the value. For example: 50m, 10k
All thresholds apply to both IPv4 and IPv6 traffic.
Values:
• TCP Activation — Manually set the Mbps and/or pps for this threshold.
• UDP Activation — Manually set the Mbps and/or pps for this threshold.
• ICMP Activation — Manually set the Mbps and/or pps for this threshold.
• Total Activation — Manually set the Mbps and/or pps for this threshold.
Advanced Settings
Diversion Settings
Diversion settings for the protected object.
Click the (Edit) button. The Diversion Settings dialog box displays with the
following parameters:
• BGP Community — The BGP community values to be sent to the diversion
groups that should receive them per the operation. Multiple communities can
be configured separated by a space.
In addition, well-known communities can also be defined, including:
NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, NOPEER
• Primary Next Hop IPv4 — The primary IPv4 next hop that is used instead of
the operation next hop.
• Secondary Next Hop IPv4 — The secondary IPv4 next hop that is used instead
of the operation next hop.
• Primary Next Hop IPv6 — The primary IPv6 next hop that is used instead of
the operation next hop.
• Secondary Next Hop IPv6 — The secondary IPv6 next hop that is used instead
of the operation next hop.
• AS Path — The AS-Paths to be used as part of the protected object’s BGP
advertisements.
You can specify multiple AS-Paths delimited by a space or a comma.
Examples:
— 100 200 300 400 600 400 500
— 400, 500
• IPv4 NLRI — When configured, the IPv4 NLRI (Network Layer Reachability
Information) DefenseFlow uses in its BGP advertisements and withdrawals.
• IPv6 NLRI — When configured, the IPv6 NLRI (Network Layer Reachability
Information) DefenseFlow uses in its BGP advertisements and withdrawals.
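The following Python is an added example, not DefenseFlow code, that checks the Diversion Settings fields above before they are submitted: communities must be one of the well-known names listed or an ASN:VALUE pair, each next hop must belong to the address family of its field, AS paths may be space- or comma-separated, and each NLRI must match its IP version. The dictionary keys, the function names and the 16-bit ASN:VALUE community form are assumptions of the example; the guide does not state which community formats the field accepts beyond the well-known names.

```python
"""Added example (not DefenseFlow code): validating Diversion Settings input.

Catches the mistakes that otherwise surface only as a rejected or, worse, a
silently wrong BGP advertisement: a malformed community, an IPv6 address in
an IPv4 next-hop field, a non-numeric ASN, an NLRI of the wrong family.
The settings keys used here are this example's own names for the dialog fields.
"""
import ipaddress
import re

# Well-known communities exactly as the guide lists them for the BGP Community field
WELL_KNOWN_COMMUNITIES = {"NO_EXPORT", "NO_ADVERTISE", "NO_EXPORT_SUBCONFED", "NOPEER"}
# Classic ASN:VALUE community (assumption: 16-bit halves, the RFC 1997 form)
_COMMUNITY = re.compile(r"^(\d{1,5}):(\d{1,5})$")


def parse_communities(text):
    """Space-separated communities -> list, or ValueError on the first bad token."""
    result = []
    for tok in text.split():
        if tok in WELL_KNOWN_COMMUNITIES:
            result.append(tok)
            continue
        m = _COMMUNITY.match(tok)
        if not m or int(m.group(1)) > 65535 or int(m.group(2)) > 65535:
            raise ValueError(f"invalid BGP community {tok!r}")
        result.append(tok)
    return result


def parse_as_path(text):
    """Accept '100 200 300' or '400, 500' (space or comma delimited) -> list of ASNs."""
    asns = []
    for tok in re.split(r"[\s,]+", text.strip()):
        if not tok:
            continue
        if not tok.isdigit() or not 0 < int(tok) <= 4294967295:
            raise ValueError(f"invalid ASN {tok!r} in AS path")
        asns.append(int(tok))
    if not asns:
        raise ValueError("AS path is empty")
    return asns


def check_next_hop(value, version):
    """A next hop must be a host address of the family its field is named for."""
    addr = ipaddress.ip_address(value)  # raises ValueError on garbage
    if addr.version != version:
        raise ValueError(f"next hop {value} is IPv{addr.version}, field expects IPv{version}")
    return addr


def check_nlri(value, version):
    """An NLRI must be a network of the family its field is named for."""
    net = ipaddress.ip_network(value, strict=False)
    if net.version != version:
        raise ValueError(f"NLRI {value} is IPv{net.version}, field expects IPv{version}")
    return net


def validate_diversion_settings(settings):
    """Validate a dict of dialog fields; returns (normalised values, error messages)."""
    checks = {
        "bgp_community": parse_communities,
        "as_path": parse_as_path,
        "primary_next_hop_ipv4": lambda v: str(check_next_hop(v, 4)),
        "secondary_next_hop_ipv4": lambda v: str(check_next_hop(v, 4)),
        "primary_next_hop_ipv6": lambda v: str(check_next_hop(v, 6)),
        "secondary_next_hop_ipv6": lambda v: str(check_next_hop(v, 6)),
        "ipv4_nlri": lambda v: str(check_nlri(v, 4)),
        "ipv6_nlri": lambda v: str(check_nlri(v, 6)),
    }
    values, errors = {}, []
    for key, check in checks.items():
        raw = settings.get(key)
        if raw in (None, ""):
            continue  # empty field: the operation's own value applies
        try:
            values[key] = check(raw)
        except ValueError as exc:
            errors.append(f"{key}: {exc}")
    return values, errors


if __name__ == "__main__":
    # Constructed sample input using documentation address ranges
    sample = {"bgp_community": "65000:100 NO_EXPORT", "as_path": "400, 500",
              "primary_next_hop_ipv4": "192.0.2.1", "ipv4_nlri": "198.51.100.0/24"}
    print(validate_diversion_settings(sample))
```

Validation is done per field and the errors are collected rather than raised on the first one, so an operator (or a provisioning script) sees every problem in the dialog at once.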
Override Default Attack Termination Grace Period
Select this option if you want this security policy to override the default number of
seconds for the attack termination grace period.
Type in the override value, in seconds.
Override Workflow Action Mode
If you want this security policy to override the workflow action mode, select the
mode to override from the Workflow Action Mode drop-down list:
• Automatic — DefenseFlow performs the chosen operation based on the defined
criteria.
• Manual — The operator initiates the operation regardless of any detection.
• User Confirmation — When the operation criteria are met, the operator is
prompted to confirm activating the defined operation or to choose another
operation.
Granular DefensePro Detector
Enables Granular DefensePro Detection. This lets you divert a more specific CIDR
block within the Protected Object’s defined set of protected networks.
When selected, the following parameters display:
• Granular Protection Prefix IPv4 — The IPv4 CIDR block that is diverted
when the Granular Protection Threshold is reached.
• Granular Protection Prefix IPv6 — The IPv6 CIDR block that is diverted
when the Granular Protection Threshold is reached.
• Granular Protection Threshold — The number of attacked destination IP addresses
within the same CIDR block that must be reached before the entire Granular
Protection Prefix is diverted.
Values: 1-2147483647
Notes:
• Granular DefensePro Detection is performed when there is a match to the
Workflow rule associated with the Protected Object, and if you have defined a
threshold, when the threshold is met.
• Granular DefensePro detection only works when the following Operations
parameters (see Operations, page 141) are configured with the following
values:
— Divert Entire Protected Object Network — Unselected
— Minimum IPv4 Advertised Subnet — 32
— Minimum IPv6 Advertised Subnet — 128
— Granular Mitigation — Unselected
If you activate Granular DefensePro Detection for an existing Protected
Object and any of these parameters are not set to the required values, you
receive an error message indicating this.
If you activate Granular DefensePro Detection while creating a new Protected
Object and the Granular Protection prefix that you set is smaller than the prefix
set for the Protected Object, you receive an error message indicating
this.
• Sample syslogs, as well as Occurred syslogs that include Sample syslogs, are
not included in the Volume and Rate values on the Security Operations
dashboard.
• For this feature, there is no attack termination grace period. Once you receive
a Term syslog for an ongoing Sample, the attack ends.
• Granular DefensePro Detection only works with the regular BGP protocol and
not with the BGP FlowSpec protocol.
Granular DefensePro Detector (continued)
Granular DefensePro Detector configuration.
There are two configuration options for Granular DefensePro protection:
— Diverting multiple attacks — For this option, enable Granular DefensePro
Detection only; do not set any of the Granular DefensePro Detection
parameters:
a. If a Start, Sample, or Ongoing syslog for the first attack is issued for
one of the protected network addresses, /32 diversion is performed
on the Protected Object’s defined set of protected network addresses.
b. When subsequent attack IP addresses are detected, /24 diversion is
performed on the entire set of protected network addresses.
c. On the Security Operations dashboard, the first attack is listed as /32
diversion, and all subsequent attacks are listed individually as /24.
— Diverting multiple attacks with a threshold for the number of
attacks — For this option you set the Granular DefensePro Detection
parameters (see Example below):
a. When the number of attacks on IP addresses remains below the
Granular Protection Threshold that you defined, /32 diversion is
performed.
b. When the number of attacks reaches the threshold that you defined,
diversion is performed according to the Granular Protection
Prefix you defined (IPv4 or IPv6, as appropriate).
Example:
A Protected Object is defined as 4.4.0.0/16. The Granular
Protection Threshold is set to 3. The Granular Protection Prefix
IPv4 size is set to /24.
• If for the first attack IP address 4.4.4.2 is under attack, /32
diversion occurs.
• If for the second attack IP address 4.4.4.3 is under attack, /32
diversion occurs.
• If for the third attack IP address 4.4.4.4 is under attack, the
threshold is met, and /24 diversion occurs.
c. On the Security Operations dashboard, all individual attacks up to
and including the one at which the threshold is met are displayed.
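To make the two diversion modes concrete, here is an added Python simulation (not DefenseFlow code) that replays attacked addresses through the rules stated above and returns the prefix that would be diverted each time, including the guide's 4.4.0.0/16 example. Class and function names are the example's own; counting attacked addresses per prefix-sized block, and reading "smaller prefix" as a prefix length shorter than the Protected Object's, are interpretations made here.

```python
"""Added example (not DefenseFlow code): replaying Granular DefensePro Detection.

Mode 1 (no threshold): first attacked address diverted as /32, later ones as
/24. Mode 2 (threshold + Granular Protection Prefix): /32 until the number of
attacked addresses inside the same prefix-sized block reaches the threshold,
then the whole block. Per-block counting is this example's reading of
"on the same CIDR block"; the guide's own example covers a single block.
"""
import ipaddress

THRESHOLD_MAX = 2147483647  # upper bound the guide gives for Granular Protection Threshold


class GranularDiversion:
    def __init__(self, protected_object, threshold=None, prefix_len=None):
        self.po = ipaddress.ip_network(protected_object)
        if (threshold is None) != (prefix_len is None):
            raise ValueError("threshold and prefix length must be set together")
        if threshold is not None and not 1 <= threshold <= THRESHOLD_MAX:
            raise ValueError("Granular Protection Threshold out of range")
        # Interpretation of the guide's error case: the granular prefix may not be
        # shorter (less specific) than the Protected Object's own prefix.
        if prefix_len is not None and not self.po.prefixlen <= prefix_len <= self.po.max_prefixlen:
            raise ValueError("Granular Protection Prefix must lie within the Protected Object")
        self.threshold, self.prefix_len = threshold, prefix_len
        self.attacked = {}        # prefix-sized block -> set of attacked host addresses
        self.first_seen = False

    def on_attack(self, address):
        """Return the network that would be diverted for this attacked address."""
        addr = ipaddress.ip_address(address)
        if addr not in self.po:
            raise ValueError(f"{addr} is outside protected object {self.po}")
        host = ipaddress.ip_network(f"{addr}/{self.po.max_prefixlen}")  # /32 or /128
        if self.threshold is None:
            # Mode 1: first attack /32, every subsequent attack /24 (guide documents IPv4 only)
            if self.po.version != 4:
                raise ValueError("the guide only documents /24 follow-up diversion for IPv4")
            if not self.first_seen:
                self.first_seen = True
                return host
            return ipaddress.ip_network(f"{addr}/24", strict=False)
        # Mode 2: count distinct attacked hosts per Granular Protection Prefix-sized block
        block = ipaddress.ip_network(f"{addr}/{self.prefix_len}", strict=False)
        hosts = self.attacked.setdefault(block, set())
        hosts.add(addr)
        return block if len(hosts) >= self.threshold else host


def simulate(protected_object, addresses, threshold=None, prefix_len=None):
    """Convenience wrapper: diverted prefixes, as strings, one per attacked address."""
    sim = GranularDiversion(protected_object, threshold, prefix_len)
    return [str(sim.on_attack(a)) for a in addresses]


if __name__ == "__main__":
    # The guide's example: PO 4.4.0.0/16, threshold 3, prefix /24
    print(simulate("4.4.0.0/16", ["4.4.4.2", "4.4.4.3", "4.4.4.4"], threshold=3, prefix_len=24))
    # Mode 1, no threshold
    print(simulate("4.4.0.0/16", ["4.4.4.2", "4.4.9.7"]))
```

A repeated attack on an address already counted does not advance the threshold, which matches the guide's wording of "number of destination IP addresses" rather than number of attacks.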
search for the protected object by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the protected object you want to duplicate, select the protected object and
3. Edit the parameters for the new protected object, and then click Submit to save your changes.
A new protected object is created.
— When you find the protected object you want to edit, click the (Expand Row) button to
open the protected object.
3. Edit the parameters for the protected object, and then click Submit to save your changes.
table, search for the protected objects by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the protected objects you want to enable/disable, do one of the following:
• To enable disabled protected objects, select the protected objects and click the
(Enable) button to enable them.
• To disable enabled protected objects, select the protected objects and click the
(Disable) button to disable them.
A message displays indicating that the protected objects have been enabled or disabled, as
appropriate.
3. In the Confirmation dialog box, click Confirm to delete the protected objects.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Workflows
A workflow is a predefined set of criteria-based security operations that DefenseFlow can perform for
a service on provisioning and upon attack.
Use the Workflows pane to view, configure, or delete workflow configurations. The initial view
displays existing workflows and lets you search for a workflow.
To add a workflow
1. From the Security Settings perspective, select Workflows.
Note: DefenseFlow has predefined workflows that can be used as is, modified, or referenced
for the creation of new workflows, as described in the following table:
Workflow Description
• AlwaysOnMitigateOnly — Provision mitigation (with no diversion) upon provisioning of the protected object on a device that is either in-line with the traffic or for which the diversion is performed manually.
• BGPFlowSpecBlock — Upon attack detection, activate a BGP FlowSpec rule to block the traffic to the protected object on the routers.
• BlackHoleDivert — Divert traffic from a Tier1 network element group to a black-hole address upon attack detection.
• OutOfPathDivertMitigateInject — Upon attack detection, configure mitigation and injection on the mitigation devices and divert the traffic to them from a Tier1 network element group.
• SmartTapDetection — Provision a policy on the device connected in tap mode for detecting attacks on the protected object.
• SmartTapDivertInject — Upon attack detection, divert the traffic to the mitigation device and configure clean traffic injection on the mitigation device.
Parameter Description
Name Name of the workflow.
Maximum number of characters: 255
Description Description of the workflow.
Maximum number of characters: 255
Detection Select a detection method to associate with this workflow using one of the
following options:
• Select a detection method to associate with this workflow. This is a group of
detections that was configured using the Detection pane (see Detections,
page 137).
• Add a new detection method to associate with this workflow. For a description
of how to add a detection method, see Detections, page 137.
Provisioning Select an operation to be performed upon provisioning of a protected object
associated with this workflow using one of the following options:
• Select an operation to associate with this workflow. This is an operation that
was configured using the Operation pane (see Operations, page 141).
• Add a new operation to associate with this workflow. For a description of how
to add an operation, see Operations, page 141.
Workflow Rules The set of criteria-based operation rules for the workflow.
For a description and examples of the possible criteria, see Table 113 -
Workflow Rule Conditions: Events, page 254.
Enter and Exit Criteria
The following are the set of possible workflow rule events and conditions you can
select to build the Enter and Exit Criteria:
• AttackStart — The start of attack condition is implicit in enter criteria. It is
required only if it is the only condition.
• AttackTermination — The termination of attack condition cannot be combined
with any other condition (that is, you cannot combine an AttackTermination
condition with another attack condition using AND).
• ProvisionStart — Performs an operation on provisioning of a protected object
in addition to the operation defined in the Provisioning parameter. This can
be used if multiple operations on provisioning are required.
• ProvisionEnd — Performs an operation when removing a service.
• ActiveOperationsChange — This event is triggered when an operation is activated
or terminated.
Note: This event is triggered by a protection, regardless of the detection
status. For example, the event is triggered whether the operation was
activated manually or automatically due to syslog detection.
• TimeTriggerEnabled — Event based on the absolute and relative time. For
example, you can define the entry criteria to be activated from between
08:00 and 09:00, or the exit criteria to be activated only after 30 minutes
have passed from the operation termination.
Example 1 (Enter Criteria): TimeTriggerEnabled AND (TIME>=17:00 OR
TIME <= 09:00)
Example 2 (Exit Criteria): TimeTriggerEnabled AND TIME > 09:00 AND
TIME < 17:00
• OperationTerminated — Event to terminate an operation when another
operation is terminated.
Example: OperationTerminated and Operation = AnotherOperation
• AttackDestination — Condition based on the attacked destination. Supported
operators: =, !=, in, not in
Example: AttackDestination in 1.2.3.0/24
• AttackSource — Condition based on the attack source IP address.
Supported operators: =, !=, in, not in
Example: AttackSource in 5.5.5.0/24
• AttackPrefix — Condition based on the attack destination prefix. Supported
operators: =, <, >
Example: AttackPrefix = 32
• AttackBandwidth — Condition based on the size of an attack, in bits per
second. Supported operators: <, >, <=, >=
This condition is only available during an attack, unlike the TrafficBandwidth,
which can also be used in peacetime. This condition can be used to defend
against attack escalation.
Note: If the exit criteria include only AttackBandwidth, the rule is
matched and the operation is stopped if the attack bandwidth
decreases to a value less than the configured value before the attack is
terminated. If the attack is terminated while the attack bandwidth is
greater than the configured value, DefenseFlow does not match the rule.
Example: AttackBandwidth > 2G
Enter and Exit Criteria (continued)
The following is a continuation of the set of possible workflow rule events and
conditions you can select to build the Enter and Exit Criteria.
• AttackRate — Condition based on packets per second. Supported operators: <,
>, <=, >=
Example: AttackRate >1000 AND AttackBandwidth < 5m
Note: If granular detection is enabled, you should not set the AttackRate
as either the Enter or Exit Criteria. Because granular detection only handles
sampled events and ignores ongoing events, the workflow is ignored even
if the workflow conditions are met.
Therefore, only set the AttackRate as the Enter or Exit Criteria when granular
detection is disabled.
The following are the Traffic workflow rule events and conditions:
• TrafficBandwidth — Condition based on the traffic bandwidth, in bits per
second. It does not require combining with an AttackStart condition.
Supported operators: <, >, <=, >=
This condition is used in FlowDetector and DPaaD deployments. In these
deployments, the detection elements constantly update DefenseFlow with the
current traffic bandwidth. As a result, this condition can be used even in
peacetime, unlike the AttackBandwidth condition, which is only available
during an attack.
Valid values:
— n — bps (bits per second)
— nK — Kbps (kilobits per second)
— nM — Mbps (megabits per second)
— nG — Gbps (gigabits per second)
— nT — Tbps (terabits per second)
Example: TrafficBandwidth > 100 (meaning 100 bps)
Example: TrafficBandwidth > 2G (meaning 2 Gbps)
Note: If granular detection is enabled, you should not set the
TrafficBandwidth as either the Enter or Exit Criteria. Because granular
detection only handles sampled events and ignores ongoing events, the
workflow is ignored even if the workflow conditions are met.
• TrafficRate — Condition based on the traffic rate, in packets per second.
It does not require combining with an AttackStart condition. Supported
operators: <, >, <=, >=
Valid values:
— n — pps (packets per second)
— nK — Kpps (kilopackets per second)
— nM — Mpps (megapackets per second)
— nG — Gpps (gigapackets per second)
— nT — Tpps (terapackets per second)
Example: TrafficRate > 100 (100 pps)
Note: If granular detection is enabled, you should not set the TrafficRate
as either the Enter or Exit Criteria. Because granular detection only handles
sampled events and ignores ongoing events, the workflow is ignored even
if the workflow conditions are met.
Example: TrafficRate > 2G (2 Gpps)
Enter and Exit Criteria (continued)
The following is a continuation of the set of possible workflow rule events and
conditions you can select to build the Enter and Exit Criteria.
• AttackProtocol — Condition based on the attack protocol. Supported
operators: =, !=
Example 1: Protocol =
Example 2: (Protocol = OR AttackDestination not in 3.3.3.0/28) AND
AttackBandwidth < 5m
• DetectorName — Condition based on the detector name. Supported operators:
=, !=
Example: DetectorName = MyExternalDetectorControlElement
• Fragment — Condition based on whether a packet is fragmented. Supported
operators: =, !=
Example 1: Fragment = true
Example 2: Fragment != true
• tcpflags — Condition based on TCP flags. Supported operators: =, !=
Example 1: tcpflags = syn
Example 2: tcpflags = syn-ack
• BGPListenerCommunities includes — Condition based on the BGP Listener
Community.
Example: BgpListenerCommunities include 111:222
Note: Do not use in Exit Criteria.
Note: DefenseFlow can be configured to establish BGP connections with
routers over port 179 to send BGP announcements and BGP FlowSpec
rules. Sending a large number of BGP announcements from the routers to
DefenseFlow might cause slow response time in DefenseFlow. Unless you
are using the BGP Listener feature, routers connected to DefenseFlow
should be configured not to send BGP announcements to DefenseFlow.
• ActiveOperations include — This condition is based on the set of the current
active operations and activated networks.
Example: ActiveOperations include ScrubbingOperation
• ActiveOperationsSameDestination includes — Use this condition to check if an
operation is active for the specific network that is triggered, and to decide
whether to start or stop an existing protection based on another operation
that is on that same network.
Example: ActiveOperationsSameDestination include ScrubbingOperation
• ActiveOperationsCopyCat includes — Use this condition if you want to
automatically trigger OPER2 according to OPER1, as illustrated in the
following example:
Example: If OPER1 should automatically trigger OPER2 and use the same
network, use the following criteria in both the Enter Criteria and Exit
criteria fields:
ActiveOperationsChange AND ActiveOperationsCopycat include OPER1
Example: ActiveOperationsCopyCat include ScrubbingOperation
• ProtectionActivePeriod — Time-based termination of protection. Supported
operators: <,>
Example 1: If a black hole operation is activated, and you want to terminate
it after two hours, use the following exit criteria:
ProtectionActivePeriod > "2 hours"
Enter and Exit Criteria (continued)
The following is a continuation of the set of possible workflow rule events and
conditions you can select to build the Enter and Exit Criteria.
• Time — Condition based on the time in HH:MM format. Supported operators:
=, !=, <, >, <=, >=
Example 1: time >= 14:00
Example 2: time != 16:00
• Date — Condition based on the date in YYYY-MM-DD format. Supported
operators: =, !=, <, >, <=, >=
Example 1: date >= 2017-05-21
Example 2: date = 2019-05-05
• Month — Condition based on the month name. Supported operators: =, !=, <,
>, <=, >=
Example 1: month >= January
Example 2: month != December
• Day — Condition based on the day name, where Sunday is the smallest, and
Saturday is the greatest. Supported operators: =, !=, <, >, <=, >=
Example 1: day >= Tuesday
Example 2: day != Monday
• SourcePort — Condition based on the source port. Supported operators: =, !=,
<, >, <=, >=
Example 1: SourcePort > 34
• DestinationPort — Condition based on the destination port. Supported
operators: =, !=, <, >, <=, >=
Example 1: DestinationPort > 34
• DefenseProUp — Condition based on whether DefensePro mitigation devices
are up. Can be a single mitigation device, multiple mitigation devices, a single
mitigation device group, or multiple mitigation groups.
Example 1 (single mitigation device): DefenseProUp = dp1
Example 2 (multiple mitigation devices): DefenseProUp in dp1, dp2, dp3
Example 3 (single mitigation group): DefenseProUp include dp_group1
Example 4 (multiple mitigation groups): DefenseProUp include
dp_group1, dp_group2, dp_group3
• DefenseProDown — Condition based on whether DefensePro mitigation
devices are down. Can be a single mitigation device, multiple mitigation
devices, a single mitigation device group, or multiple mitigation groups.
Example 1 (single mitigation device): DefenseProDown = dp1
Example 2 (multiple mitigation devices): DefenseProDown in dp1, dp2,
dp3
Example 3 (single mitigation group): DefenseProDown include
dp_group1
Example 4 (multiple mitigation groups): DefenseProDown include
dp_group1, dp_group2, dp_group3
Enter and Exit Criteria (continued)
The following is a continuation of the set of possible workflow rule events and
conditions you can select to build the Enter and Exit Criteria.
The following are advanced conditions that do not appear in the drop-down menus
but that you can enter as free text:
• AttackAdditionalDetails — Condition based on the actual syslog message
regular expression matching.
Example: AttackStart and AttackAdditionalDetails match ".*host:.*"
• OperationEnterSuccess — Condition based on the successful completion of
either enter criteria or exit criteria. This is usually used in multi-tier
protection.
Example: OperationEnterSuccess=operation1
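The criteria strings in the tables above are small boolean expressions. As an added example, not DefenseFlow's own parser, the following Python evaluates such expressions against a context of event flags and attack attributes, so the examples above can be tried out: AND/OR with parentheses, the listed operators, CIDR membership, HH:MM times and the K/M/G/T suffixes. AND binding tighter than OR, case-insensitive names and keywords, a missing attribute evaluating to false, and the context key names are all assumptions of this example.

```python
"""Added example, not DefenseFlow's parser: evaluating Enter/Exit Criteria strings.

Recursive-descent evaluator for the expression form shown in the guide's tables.
Assumptions: AND binds tighter than OR, names and keywords are case-insensitive
(the guide mixes Time and TIME), and an attribute absent from the context makes
its condition false. The guide does not document DefenseFlow's own grammar.
"""
import ipaddress
import operator
import re

_TOKEN = re.compile(r'\s*(\(|\)|>=|<=|!=|=|<|>|"[^"]*"|not\s+in\b|[^\s()<>=!"]+)')
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
_CMP = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
        ">": operator.gt, "<=": operator.le, ">=": operator.ge}


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize at {text[pos:]!r}")
        tokens.append(" ".join(m.group(1).split()))  # 'not   in' -> 'not in'
        pos = m.end()
    return tokens


def parse_value(tok):
    """Literal -> Python value: bool, number with unit suffix, CIDR, HH:MM or string."""
    if tok.startswith('"'):
        return tok[1:-1]
    if tok.lower() in ("true", "false"):
        return tok.lower() == "true"
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT])?", tok, re.IGNORECASE)
    if m:
        num = float(m.group(1)) * _SUFFIX.get((m.group(2) or "").upper(), 1)
        return int(num) if num.is_integer() else num
    if "/" in tok:
        return ipaddress.ip_network(tok, strict=False)
    m = re.fullmatch(r"(\d{1,2}):(\d{2})", tok)
    if m:  # time of day as minutes since midnight, so < and > order correctly
        return int(m.group(1)) * 60 + int(m.group(2))
    return tok


def compare(op, left, right):
    if op in ("in", "not in"):  # CIDR membership, e.g. AttackDestination in 1.2.3.0/24
        inside = ipaddress.ip_address(left) in right
        return inside if op == "in" else not inside
    if op in ("include", "includes"):  # list membership, e.g. ActiveOperations include X
        return right in (left or [])
    if op == "match":  # regular expression, e.g. AttackAdditionalDetails match ".*host:.*"
        return re.fullmatch(right, str(left)) is not None
    return _CMP[op](left, right)


class Criteria:
    def __init__(self, text):
        self.tokens = tokenize(text)

    def evaluate(self, ctx):
        """ctx maps event/attribute names to values; string values are parsed as literals."""
        self.ctx = {k.lower(): parse_value(v) if isinstance(v, str) else v for k, v in ctx.items()}
        self.pos = 0
        result = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")
        return result

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def _expr(self):  # expr := term (OR term)* ; term := factor (AND factor)*
        return self._chain("OR", lambda: self._chain("AND", self._factor))

    def _chain(self, keyword, sub):  # every operand is evaluated; no short-circuit
        value = sub()
        while self._peek() and self._peek().upper() == keyword:
            self._next()
            rhs = sub()
            value = (value or rhs) if keyword == "OR" else (value and rhs)
        return value

    def _factor(self):  # factor := '(' expr ')' | NAME | NAME op VALUE
        tok = self._next()
        if tok == "(":
            value = self._expr()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return value
        name, nxt = tok.lower(), self._peek()
        if nxt is None or nxt.upper() in ("AND", "OR", ")"):
            return bool(self.ctx.get(name, False))  # bare event flag, e.g. AttackStart
        op = self._next().lower()
        right = parse_value(self._next())
        left = self.ctx.get(name)
        if left is None:  # attribute not in context (e.g. no attack in progress)
            return False
        return compare(op, left, right)
```

Because both operands of AND and OR are always evaluated, a malformed right-hand condition is reported even when the left-hand side already decides the result, which is the behaviour you want when validating a rule before saving it.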
— When you find the workflow you want to duplicate, select the workflow and click the
(Duplicate) button to open the workflow.
3. Edit the parameters for the new workflow, and then click Submit to save your changes. A new
workflow is created.
To edit a workflow
1. From the Security Settings perspective, select Workflows.
2. Do the following:
— If you do not immediately see the workflow that you want to edit in the table, search for the
— When you find the workflow you want to edit, click the (Expand Row) button to open the
workflow.
3. Edit the parameters for the workflow, and then click Submit to save your changes.
To delete workflows
You can delete one or multiple workflows.
— When you find the workflows you want to delete, select the workflows and click the
(Delete) button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the workflows.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Detections
Detections should be used to define groups of detection methods and sources to be aggregated as
detectors for the same service.
Use the Detections pane to view, configure, or delete detection configurations. The initial view
displays existing detections and lets you search for a detection.
Parameter Description
General Parameters
Name Name of the detection group.
Maximum number of characters: 255
Description Description of the detection group.
Maximum number of characters: 255
Detectors
Type (continued)
The following is a continuation of the detection types you can select for this
detection group:
• DefensePro as a Detector (continued)
Filtering strings in attack alerts from DefensePro
If required, you can ignore syslog attack alerts based on a specified regular
expression (using the CLI only). This feature is disabled by default.
— From the CLI, enable this feature using the following command:
dfc-core:configuration-set -name dfc.attack.detection.ignore.regular.expression.enabled -value true
— Define the regular expression as required using the following command.
Syslog attack alerts that include this expression are ignored.
dfc-core:configuration-set -name dfc.attack.detection.ignore.regular.expression.pattern -value .*"Behavioral-DoS".*
— To disable the feature, enter the following command:
dfc-core:configuration-set -name dfc.attack.detection.ignore.regular.expression.enabled -value false
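As an added example (not DefenseFlow code), this Python shows what the two CLI keys above do to a batch of attack alerts and includes a quick tuning check for how much of the feed a pattern silences. The alert lines are constructed and do not reproduce DefensePro's real syslog format, and the function names are the example's own; whether DefenseFlow anchors the pattern is not stated in the guide, but with the leading and trailing .* of the guide's example that makes no difference.

```python
"""Added example (not DefenseFlow code): effect of the attack-alert ignore regex.

Mirrors the two CLI keys: when the 'enabled' key is true, any attack alert whose
text matches the 'pattern' key is dropped before detection; when it is false the
pattern is irrelevant. Alert lines below are constructed for this example.
"""
import re

SAMPLE_ALERTS = [  # constructed sample lines, not DefensePro's real syslog format
    'DefensePro attack "Behavioral-DoS" dst=203.0.113.10 status=Start',
    'DefensePro attack "SYN Flood" dst=203.0.113.11 status=Start',
    'DefensePro attack "Behavioral-DoS" dst=203.0.113.10 status=Term',
    'DefensePro attack "DNS Flood" dst=203.0.113.12 status=Sample',
]


def filter_attack_alerts(alerts, ignore_enabled=False, ignore_pattern=None):
    """Return the alerts that would still reach DefenseFlow's detection logic."""
    if not ignore_enabled or not ignore_pattern:
        return list(alerts)
    rx = re.compile(ignore_pattern)
    return [a for a in alerts if not rx.search(a)]


def ignored_fraction(alerts, ignore_pattern):
    """Tuning check before enabling: share of alerts the pattern would silence (1.0 = all)."""
    if not alerts:
        return 0.0
    kept = filter_attack_alerts(alerts, True, ignore_pattern)
    return 1 - len(kept) / len(alerts)


if __name__ == "__main__":
    pattern = r'.*"Behavioral-DoS".*'  # the pattern from the guide's example command
    for line in filter_attack_alerts(SAMPLE_ALERTS, True, pattern):
        print(line)
    print(ignored_fraction(SAMPLE_ALERTS, pattern))
```

Running the fraction check against a day's worth of real alerts before setting the pattern key is a cheap way to catch an over-broad expression that would otherwise blind every workflow at once.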
• Threshold Detector — Use manually-configured thresholds based on flow
statistics. This checks limits for an entire network. You can only select one
threshold detector.
• Granular Threshold Detector — This checks limits for the top 100 networks of
the protected object. It should be used for residential protected objects.
• Granular BDoS Detector — This checks attacks per each IP address in the
networks, limited to 5000 networks per the entire DefenseFlow system. This
should be used for servers with static IP addresses that you want to protect.
• FlowDetector — Use Radware DefenseFlow FlowDetector to analyze and use
the network metadata of actual Layer 3-4 session flows received from the control
plane.
Control Element Based on the detection Type you selected, select a telemetry source for
detection, either a control element you have defined (flow statistics source or
external detector), or a DefensePro device.
search for the detection group by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the detection group you want to duplicate, select the detection group and click the
(Duplicate) button to open the detection group.
3. Edit the parameters for the new detection group, and then click Submit to save your changes. A
new detection group is created.
— When you find the detection group you want to edit, click the (Expand Row) button to
open the detection group.
3. Edit the parameters for the detection group, and then click Submit to save your changes.
search for the detection groups by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the detection groups you want to delete, select the detection groups and click
3. In the Confirmation dialog box, click Confirm to delete the detection group.
field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the detection group you are searching for, click the (Expand Row) button
to open the detection group.
3. Locate the detection type you want to delete from the group, and click the (Delete) button
for that detection type.
4. In the Confirmation dialog box, click Confirm to delete the detection type.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Operations
An operation is a set of actions to be performed on provisioning, attack detection, or manually. It is
the building block for a security operation workflow.
Use the Operations pane to view, configure, or delete operations. The initial view displays existing
operations and lets you search for a specific operation.
To add an operation
1. From the Security Settings perspective, select Operations.
3. Configure the operation as described in the following tables and click Submit.
Notes
— DefenseFlow has predefined operations that can be used as is, modified, or referenced for
the creation of new operations. Some of these operations are used by the predefined
workflows (see Workflows, page 129). The following are the predefined operations:
Operation Description
AlwaysOnMitigateOnly: Provision mitigation on a group of DefensePro devices.
OutOfPathDivertMitigateInject: Provision mitigation and injection on a group of mitigation devices and divert the traffic to them from a Tier1 network element group.
SmarTapDetection: Provision mitigation on a group of DefensePro devices connected in tap mode.
SmarTapDivertInject: Provision injection on the DefensePro tap devices.
BlackHoleDivert: Divert traffic from a Tier1 network element group to a BGP black-hole address.
BgpFlowSpecBlock: Block traffic with a FlowSpec block operation on a Tier1 network element group.
— After submitting the configuration, in the table entry for this operation, parameters that
have a defined value or are enabled are indicated by a icon, and parameters that do not
have a defined value or are disabled are indicated by a icon.
— To move between the different sections of the operation, you can either click the name of
the section in Operations Sections menu, or scroll down to the relevant section.
Parameter Description
Name: Name of the operation.
    Note: The operation name cannot contain the & (ampersand), <, > (angle brackets), or " (double quote) characters.
Description: Description of the operation.
Diversion Enable/Disable Toggle Button: Toggle this button to enable or disable diversion of the operation per the set parameters.
    Default: Disabled (Gray)
Diversion Protocol: The diversion protocol to use. Toggle between the following values:
    • BGP — Use the standard BGP protocol.
    • BGP FlowSpec — Use the BGP FlowSpec protocol.
    Default: BGP
BGP FlowSpec Diversion (This parameter is only available if the Diversion Protocol is set to BGP FlowSpec.): The BGP FlowSpec rule to use for the diversion protocol. Select from the list of BGP FlowSpec rules you have defined (see BGP FlowSpec Rules, page 188), or click the (Add) button to open the Add New BGP FlowSpec Rule pane to create a new BGP FlowSpec rule or group.
Diversion Actions: Select which diversion actions to take.
    • Use Mitigation Device/Network Element Connectivity — Assigns mitigation devices per network element in a diversion group according to the configured connectivity.
    • Divert Entire Protected Object Network — Divert all the protected object networks even if a single IP address is attacked.
Include the Protected Object BGP Community: Select this if the BGP Community of the protected object is included in the operation.
Operation BGP Community: The BGP community values to be sent to the diversion groups that should receive them per the operation. In addition to the protected object’s communities, multiple communities can be configured, separated by a space.
    In addition, well-known communities can also be selected, including: No Export, No Export Subconfed, No Advertise, No Peer
AS Path: The AS paths to be used as part of the operation’s BGP advertisements. You can specify multiple AS paths delimited by a space or a comma.
    Examples
    A 100 200 300 400 600 400 500
    B 400, 500
Include the protected object AS Path: Merge the AS paths for the relevant protected object, if defined (see Table 37 - Protected Object Parameters, page 120), with the operation’s AS paths.
    Example
    If the operation’s AS paths are 100, 200, 300, and the relevant protected object’s AS paths are 200, 300, 400, the merged AS paths are 100, 200, 300, 200, 300, 400.
Use the Protected Object Next Hop: For BGP diversions only, divert to the next hop of the operation’s relevant protected object, if defined (see Table 37 - Protected Object Parameters, page 120). Select the Primary or Secondary next hop.
Minimum IPv4 Advertised Subnet: The minimum IPv4 advertised subnet.
    Values:
    Default: 32
Minimum IPv6 Advertised Subnet: The minimum IPv6 advertised subnet.
    Values:
    Default: 128
Parameter Description
Security Protections Enable/Disable Toggle Button: Select this button to enable or disable security protections for the operation per the set parameters.
    Default: Disabled (Gray)
Security Policy Template: The security template used to perform mitigation. Do one of the following:
    • Select the security template from the Security Template drop-down list and edit it if required by clicking the (Edit) button.
        — If it is a GUI type template, the Edit Security Policy Template dialog box displays with the various security policy sections and parameters. For more information on configuring these parameters, see Security Policy Templates, page 155.
        — If it is a Text template, the Edit Security Policy Template dialog box displays with the Description and Template (the policy text) fields. The policy text includes DefensePro traffic filters.
    • Click the (Add) button and configure a new security template from the Security Policy Templates pane (see Security Policy Templates, page 155).
Granular Mitigation: Select if granular mitigation is to be performed. If you do not select this option, the operation is performed on the entire protected object and not based on any granular detection settings. For more information on granular detection settings, see Detections, page 137.
    Default: Enabled
Allowlist: The allowlist to be included when performing mitigation. Select from the configured allowlists (see Allowlist and Blocklist Groups, page 182), or click the (Add) button to open the Add New Allowlist pane to create a new allowlist rule or group. The allowlist is only used if the mitigation action is selected.
    Default: No list is defined
Blocklist: The blocklist to be included when performing mitigation. Select from the configured blocklists (see Allowlist and Blocklist Groups, page 182), or click the (Add) button to open the Add New Blocklist pane to create a new blocklist rule or group. The blocklist is only used if the mitigation action is selected.
    Default: No list is defined
Geolocation: The geolocation to either allow or block when performing mitigation.
    1. Select Allow or Block.
    2. Select from the configured list of geolocations to allow or block (for more information, see Geolocations, page 184), or click the (Add) button to open the Add New Geolocation pane to create a new geolocation.
    The geolocation setting is only used if the mitigation action is selected.
    Default: All geolocations are blocked
DNS Allowlist: The DNS allowlist to be used as the allowlist to be enforced by DefensePro when performing mitigation. DefenseFlow blocks incoming DNS requests that do not match the allowlist. Select from the configured list of DNS allowlists (see DNS Allowlist Files, page 186). The DNS allowlist is only used if the mitigation action is selected.
    Default: No list is defined
Advanced Mitigation Settings
Delegate from Detector: This parameter is relevant only if the detection method for the protected object is DPaaD.
    Select this if delegation is to be performed from the detector device to the mitigation devices group that performs the mitigation. Selecting this copies the policy and baselines from the detector DefensePro to the selected mitigation device.
    In a DPaaD deployment, DefenseFlow may trigger a single alert that may represent a Layer 7 event, such as signature matching. DefenseFlow can identify this new alert type (an occur event) and act upon it. By default, this feature is disabled. To enable it, use the following CLI command:
    configuration-set -name dfc.attack.detection.defensepro.occur.enabled -value true
Submit and Reuse DefensePro Baselines: Select this if you want to automatically provision the detector DefensePro baseline based on previous learning periods.
    Default: Disabled
Block Source IP Address Using L3 BlockList: Select this if you want to block all incoming traffic from a specific source IP address towards a specific protected object.
    Default: Disabled
Block Source IP Address Using L7 Signature: When AppWall is deployed behind a CDN, the Layer 4 source address does not identify the real source IP address of the sender. To block the sender, a Layer 7 signature must be provisioned in DefensePro. This signature contains the real source IP address as part of the XFF HTTP header field.
    When enabled, select the response type from the list of Layer 7 signatures.
    Values:
    • HTTP_DROP
    • HTTP_200_OK
    • HTTP_200_OK_REST_DEST
    • HTTP_403_FORBIDDEN
    • HTTP_403_FORBIDDEN_REST_DEST
    Default: Disabled
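The reason the Layer 7 signature keys on the address carried in the XFF header rather than on the Layer 4 source is that, behind a CDN, the packet's source is a CDN node. The following is an added example written for this page, not AppWall or DefenseFlow code, showing how a defender recovers the real sender address before it is used to block anything: it walks the X-Forwarded-For chain from the right, skips hops inside the CDN's address ranges, and trusts the header at all only when the Layer 4 peer is itself a CDN node. The CDN ranges and the addresses in the sample requests are constructed documentation prefixes, not real deployment values.

```python
import ipaddress
from typing import Iterable, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed CDN egress ranges (RFC 5737 / RFC 3849 documentation prefixes).
# In production this is the CDN's published address list; an assumption here.
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:cd00::/40"),
]


def _is_trusted(addr, trusted: Iterable[Network]) -> bool:
    # ip_address in ip_network is False across IP versions, so mixing v4/v6 is safe.
    return any(addr in net for net in trusted)


def real_client_ip(l4_source: str, xff_header: Optional[str],
                   trusted: Iterable[Network] = TRUSTED_PROXIES) -> Optional[str]:
    """Return the client address an L7 block should key on, or None if it cannot be established.

    Walks X-Forwarded-For right to left, skipping hops inside trusted CDN ranges, and
    ignores the header entirely when the Layer 4 peer is not a CDN node.
    """
    trusted = list(trusted)
    peer = ipaddress.ip_address(l4_source)
    if not _is_trusted(peer, trusted):
        # Direct connection: any XFF value was written by the client itself, so
        # the Layer 4 source is the sender and the header is ignored.
        return str(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse to guess rather than block the wrong address
        if not _is_trusted(addr, trusted):
            return str(addr)  # first hop not appended by the CDN: the real sender
    return None  # every hop is a CDN node, or no XFF at all: nothing to attribute


if __name__ == "__main__":
    # Constructed sample: CDN node 203.0.113.10 forwards a request whose client
    # supplied its own leftmost XFF entry; only the hop the CDN appended counts.
    print(real_client_ip("203.0.113.10", "10.0.0.1, 198.51.100.7"))  # 198.51.100.7
    print(real_client_ip("192.0.2.5", "198.51.100.7"))               # 192.0.2.5 (direct; XFF ignored)
```

The order of the walk is the whole point: the leftmost XFF entry is whatever the client chose to send, so a block list keyed on it can be steered at an arbitrary third party, while the rightmost hop outside the CDN's ranges is the peer the CDN actually observed.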
Parameter Description
Clean Traffic Return Enable/Disable Toggle Button: Toggle this button to enable or disable clean traffic return for the operation per the set parameters. When enabled, DefenseFlow configures the DefensePro mitigation devices with the clean traffic injection configuration. Not relevant for third-party mitigation devices.
    Default: Disabled (Gray)
Parameter Description
BGP FlowSpec Enable/Disable Toggle Button: Toggle this button to enable or disable BGP FlowSpec for the operation per the set parameters.
    Default: Disabled (Gray)
BGP FlowSpec Mitigation (This parameter is only available if the Diversion Protocol is set to BGP FlowSpec.): The BGP FlowSpec rule to use for BGP FlowSpec mitigation. Select from a list of BGP FlowSpec Rules you have defined (see BGP FlowSpec Rules, page 188), or click the (Add) button to open the Add New BGP FlowSpec Rule pane to create a new BGP FlowSpec rule.
Include the Protected Object BGP Community: Select if the BGP Community of the protected object is included in the operation.
Operation BGP Community: The BGP community values to be sent to the diversion groups that should receive them per the operation. In addition to the protected object’s communities, multiple communities can be configured, separated by a space.
    In addition, well-known communities can also be defined, including: No Export, No Export Subconfed, No Advertise, No Peer
You can customize your own operation using any type of programming language. DefenseFlow
ensures that the new customized operation is activated when the rule criteria are met in the workflow
engine.
Each custom operation is associated with a Web service. You can use your own Web server for the
implementation.
For easy implementation, you can use and modify a ready-made example stub that implements a
customized operation that sends an e-mail with all the operation-received arguments. For more
details on using this stub, contact Radware Technical Support.
Note: Radware recommends deploying the Web server on a dedicated external VM and not on
the DefenseFlow VM.
Custom Operations Enable/Disable Toggle Button: Toggle this button to enable or disable custom operations for the operation per the set parameters.
    Default: Disabled (Gray)
Custom Type Parameters: Select the custom operation you want to define.
    Values:
    • External Custom Operation — Displays the custom operation parameters with which you can customize your own operation using any type of programming language. For a description of these parameters, see the External Custom Operation Parameters later in this table.
    • DefensePro ACLs — Select this operation type if you are using DefensePro Access Control Lists for mitigation. Displays the Mitigation Group parameter (for a description of this parameter, see Table 43 - Operations Mitigation Parameters, page 144).
    • BigSwitch Routing — Select this operation type if you are using BigSwitch routing as your diversion control element (see Table 76 - Network Elements Parameters, page 213). Displays the Diversion Group parameter (for a description of this parameter, see Table 43 - Operations Mitigation Parameters, page 144).
    Default: External Custom Operation
External Custom Operation Parameters
Custom URL: URL of the remote server where the custom operation resides.
    When you set the custom URL, DefenseFlow performs a callback to the remote server using the /protection_stop and /protection_start suffixes as required.
    Examples
    A For HTTP: If the URL configuration is http://10.183.159.159:5000/rest, DefenseFlow performs a callback to http://10.183.159.159:5000/rest/protection_start/ when the operation is activated (Entry Criteria), and http://10.183.159.159:5000/rest/protection_stop/ when the operation is deactivated (Exit Criteria).
    B For HTTPS: If the URL configuration is https://10.183.159.159:443/rest, DefenseFlow performs a callback to https://10.183.159.159:443/rest/protection_start/ when the operation is activated (Entry Criteria), and https://10.183.159.159:443/rest/protection_stop/ when the operation is deactivated (Exit Criteria).
    For the custom operations callback definition details, see Table 47 - Custom Operations Callback Definition, page 149.
    Note: You can also define a custom operation through the DefenseFlow REST API (see the POST /config/Operations/add REST API call in the REST API Guide at http://webhelp.radware.com/DefenseFlow/REST/4_00_00/index.html).
Remote server authentication user: (optional) Remote server username.
Remote server authentication password: (optional) Remote server password.
Confirm Remote server authentication password: (optional) Remote server password confirmation.
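The callback contract just described (a base URL, plus the /protection_start and /protection_stop suffixes, with an optional remote-server username and password) can be exercised against a small stand-in for the Web service. The following is an added example written for this page, not Radware's ready-made stub: a Python service that accepts both callbacks under the /rest base path of Example A, checks the optional credentials as HTTP Basic authentication in constant time, and answers with JSON. The page does not state the HTTP method or the payload layout (those are in Table 47, which is not reproduced here), so POST with a JSON body, the credentials dfuser / change-me, and the reply format are all assumptions made for the example; the routing logic is kept in a pure function so it can be tested without a socket.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

# Base path from the guide's Example A (http://<host>:5000/rest); the two
# callback suffixes are the ones the guide names.
BASE_PATH = "/rest"
ACTIONS = ("protection_start", "protection_stop")

# Constructed credentials for the example; they must match the operation's
# "Remote server authentication user/password" fields.
USERNAME = "dfuser"
PASSWORD = "change-me"


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic auth (assumed scheme)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _auth_ok(header: Optional[str]) -> bool:
    """Constant-time check of an HTTP Basic Authorization header."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(user.encode(), USERNAME.encode()) and hmac.compare_digest(
        password.encode(), PASSWORD.encode())


def route_callback(path: str, auth_header: Optional[str], body: str) -> Tuple[int, dict]:
    """Map one callback request to (HTTP status, JSON reply)."""
    if not _auth_ok(auth_header):
        return 401, {"error": "unauthorized"}
    clean_path = path.split("?", 1)[0]
    if not clean_path.startswith(BASE_PATH + "/"):
        return 404, {"error": "unknown callback"}
    action = clean_path[len(BASE_PATH):].strip("/")
    if action not in ACTIONS:
        return 404, {"error": "unknown callback"}
    try:
        args = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return 400, {"error": "body is not JSON"}
    # This is where the custom operation does its work (the guide's stub e-mails
    # the received arguments); the example only echoes them back.
    return 200, {"result": "ok", "action": action, "received": args}


class CallbackHandler(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode("utf-8", errors="replace") if length else ""
        status, reply = route_callback(self.path, self.headers.get("Authorization"), body)
        data = json.dumps(reply).encode()
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="custom-operation"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Port 5000 as in the guide's Example A; bind to a specific interface in production.
    HTTPServer(("0.0.0.0", 5000), CallbackHandler).serve_forever()
```

Run it on the host named in Custom URL. Example B shows the same callbacks over HTTPS, which is the form to use outside a lab because the username and password travel in the Authorization header; the guide's note about placing the Web server on a dedicated external VM applies to this stub as well.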
Parameter Description
Router Group: The route name for this mitigation. Select one of the routes that you defined for mitigation devices. For more information on configuring routes, see “The Mitigation Devices pane lets you monitor the status of mitigation devices.”, page 267.
Mitigation Group: The name of the mitigation device or mitigation device group that performs mitigation. Select from the configured list of mitigation groups (see Mitigation Devices Groups, page 222).
Mitigation Route Name: The route name for this mitigation. Select one of the routes that you defined for mitigation devices. For more information on configuring routes, see “The Mitigation Devices pane lets you monitor the status of mitigation devices.”, page 267.
Operation Type: (Read-only) The type of operation based on the operation types that you enabled/configured.
    Values:
    • Report Only — Only Basic parameters have been enabled/configured. No other operation types have been enabled.
    • Diversion
    • Mitigation
    • Clean Traffic Return
    • Diversion and Mitigation
    • Diversion, Mitigation, and Clean Traffic Return
    • Mitigation, and Clean Traffic Return
    • Diversion, and Clean Traffic Return
    • FlowSpec Traffic Block — If you enable FlowSpec traffic blocking parameters, you cannot enable the other types of operations.
    • Custom Operation — If you enable Custom Operation parameters, you cannot enable the other types of operations.
    Default: Report Only
— When you find the operation you want to duplicate, select the operation and click the
(Duplicate) button to open the operation.
3. Edit the parameters for the new operation, and then click Submit to save your changes. A new
operation is created.
To edit an operation
1. From the Security Settings perspective, select Operations.
2. Do the following:
— If you do not immediately see the operation that you want to edit in the table, search for the
— When you find the operation you want to edit, click the (Expand Row) button to open the
operation.
3. Edit the parameters for the operation, and then click Submit to save your changes.
To delete operations
You can delete one or multiple operations.
1. From the Security Settings perspective, select Operations.
2. Do the following:
— If you do not immediately see the operations that you want to delete in the table, search for
— When you find the operations you want to delete, select the operations and click the
(Delete) button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the operations.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Mitigations
Upon mitigation provisioning, DefenseFlow configures the security policy on the mitigating devices.
At any given time, the number of security policies configured on the mitigation devices is the
number of concurrent provisioned protected objects in the network.
During the life of the mitigation, SOC operators may tune and change the policy according to the
observed attack. The changes made by the operators are saved. Upon termination of mitigation,
DefenseFlow uploads the policy before removing it from the mitigation devices. The uploaded policy
is saved as the protected object's security policy.
A security policy for a protected object can be reset to the original template or replaced with another
template only in peacetime.
You configure mitigation from the Mitigations tabs on the Security Settings perspective:
Note: Basic is a predefined security template that you can use to create new templates. You
cannot edit the Basic security template itself.
3. Configure the security template and click Submit.
General
The General section includes the following parameters.
Parameter Description
Name: Name of the security policy template.
    Maximum number of characters: 255
Description: Description of the security policy template.
    Maximum number of characters: 255
Type (This field is available starting with version 4.2): Type of security policy template.
    Values:
    • GUI — Displays the Protection Sections that let you configure the various security policy template fields.
    • Text — Only displays the Template Origin and Policy Name fields.
Template Origin (This field displays if you select the Type as Text): Origin of the security policy template.
    Values:
    • Protected Object — Creates a template from an existing policy of a protected object.
    • Vision Template — Creates a template from an existing policy in the APSolute Vision security templates repository.
    Default: Vision Template
Policy Name (This field displays if you select the Type as Text): The name of the protected object or APSolute Vision template to associate with the security policy template.
BDoS Protection
The BDoS Protection section includes the following parameters.
BDoS Basic View — Displays only the basic BDoS Protection parameters
Action: The action that the profile takes when it encounters malicious scanning.
    Values: Block and Report, Report Only
    Default: Block and Report
Footprint Strictness: When the Behavioral DoS profile detects a new attack, the module generates an attack footprint to block the attack traffic. If the Behavioral DoS profile is unable to generate a footprint that meets the footprint-strictness condition, the profile issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint. However, higher strictness increases the probability that the profile cannot generate a footprint.
    Values:
    • High — Requires at least two Boolean AND conditions and no Boolean OR condition in the footprint. This level lowers the probability for false positives but increases the probability for false negatives (that is, increases the probability of not identifying attack traffic).
    • Medium — Comprises the following:
        — At least one Boolean AND condition in the top-level expression.
        — No OR condition in the top-level expression.
        — Up to two Boolean OR conditions in a nested expression.
        Examples:
        — A AND B
        — (A OR B OR C) AND D
        [where “(A OR B OR C)” is a nested expression]
    • Low — Allows any footprint suggested by the Behavioral DoS module. This level achieves the best attack blocking but increases the probability of false positives.
    Default: Low
    Note: DefenseFlow always considers the Checksum field and the Sequence Number fields as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered as High Footprint Strictness.
Advanced View — Displays only the advanced BDoS Protection parameters.
Advanced View — General
Transparent Optimization: Values:
    • Enabled — DefenseFlow does not mitigate new BDoS attacks until the final footprint is generated. Some network environments are more sensitive to dropping packets (for example, VoIP). Enabling the Transparent Optimization option minimizes the probability that DefenseFlow drops legitimate traffic.
    • Disabled — DefenseFlow starts mitigating new BDoS attacks as soon as an initial footprint is generated.
    Default: Disabled
    Notes:
    • It may take several seconds (and multiple BDoS closed-feedback iterations) for the final footprint to be generated.
    • Packets can be sampled even when Transparent Optimization is selected. Values in packets that are sampled before the final footprint is generated may not match the final footprint.
Packet Reporting: Specifies whether the profile sends sampled attack packets to APSolute Vision for offline analysis.
    Default: Enabled
    Notes:
    • When this feature is enabled, for the packet-reporting to take effect, the global setting must be enabled in DefensePro.
    • Packets can be sampled even when Transparent Optimization is selected. Values in packets that are sampled before the final footprint is generated may not match the final footprint.
Flood Protection Settings: Select the network-flood protection types to apply.
    Values:
    • SYN Flood
    • TCP ACK + FIN Flood
    • TCP RST Flood
    • TCP SYN+ACK Flood
    • TCP Fragmentation Flood
    • UDP Flood
    • UDP Fragmentation Flood
    • ICMP Flood
    • IGMP Flood
Baseline Related Values: For each traffic type, specify the quota — the maximum expected percentage of incoming and outgoing traffic out of the total traffic.
    Radware recommends that you initially leave these fields empty, so that the default values will automatically be used. To view default values after creating the profile, double-click the entry in the table. You can then adjust quota values based on your network performance.
    Caution: After you enter quota values and click Submit, DefenseFlow calculates the required minimum value for each type. (The calculation uses various parameters, which include Inbound Traffic and Outbound Traffic.) If you enter a value that is less than the required minimum, the actual value automatically changes to the required minimum. There is no alert message for this automatic action; however, the user interface does show the actual values.
    Note: The total quota values may exceed 100%, because each value represents the maximum volume per protocol.
    • Inbound
        — TCP (%)
        — UDP
        — Fragmented UDP
        — ICMP
        — IGMP
    • Outbound
        — TCP (%)
        — UDP
        — Fragmented UDP
        — ICMP
        — IGMP
Burst-Attack Protection:
    • Burst Attack Protection — Specifies whether Burst-Attack Protection is enabled.
      Enabling and configuring Burst-Attack Protection lets DefenseFlow identify repeated bursts of malicious traffic with the same footprint as belonging to the same attack. Pauses between bursts sometimes last hours, and some burst attacks last days. Using Burst-Attack Protection, DefenseFlow does not need to regenerate the attack footprint every time a new burst occurs. Rather, DefenseFlow can identify a new burst in an attack and mitigate the attack immediately.
      Default: Enabled
      Caution: When Burst-Attack Protection is enabled, the BDoS profile may block some legitimate traffic if that traffic matches the BDoS footprint — even between bursts.
    • Maximum Interval Between Bursts — The time, in minutes, without any burst, that causes the BDoS profile to consider the attack to be terminated.
      Values: 10 – 10,080 (seven days)
      Default: 30
Overblocking Settings:
    • Overblocking Prevention — Specifies whether the BDoS profile prevents blocking too much legitimate traffic. Overblocking is a situation where the BDoS profile has created a signature that meets all required criteria (blocking the suspicious traffic and matching the specified strictness level), but the profile is blocking too much legitimate traffic.
      When Overblocking Prevention is enabled, and DefenseFlow identifies an overblocking situation, the profile returns to footprint analysis state to refresh the generated footprint. If BDoS protection started blocking the attack but stopped three times after identifying an overblocking situation, the profile enters the over-blocking-footprint state. This state remains for 10 minutes, after which BDoS protection generates and implements a new footprint.
      Default: Disabled
      Caution: When Overblocking Prevention is enabled, if the profile repeatedly enters the over-blocking-footprint state, the BDoS profile may still block traffic (possibly legitimate), especially when Transparent Optimization is enabled.
    • Overblocking Prevention Threshold — The percentage of the traffic rate — after beginning the blocking of the attack traffic — below the recent baseline that is considered as overblocking.
      The recent baseline is separate from the normal baseline. The recent baseline is based on recent, peacetime traffic, whereas the normal baseline is learned over a much longer period.
      Values: 1 – 100
      Default: 25
Advanced View — Advanced
UDP Packet Rate Detection Sensitivity: To what extent the BDoS engine considers the UDP PPS-rate values (baseline and current), during the initial learning period.
    Values:
    • Ignore or Disable
    • Low
    • Medium
    • High
    Default: Low
Learning Suppression Threshold: The percentage of the specified bandwidth, below which, DefenseFlow suppresses BDoS-baseline learning. The specified bandwidth refers to the Outbound Traffic and Inbound Traffic parameters specified in the Bandwidth Parameters tab above. DefenseFlow calculates the threshold per Protection policy and specified Direction (Network Protection tab, Network Protection Policy > Direction).
    For One Way policies, the Learning Suppression Threshold considers the inbound bandwidth. DefenseFlow treats Two Way policies as two policies, so the Learning Suppression Threshold calculates the bandwidth for each policy (inbound/outbound).
    The Learning Suppression Threshold feature helps preserve a good BDoS-baseline value in scenarios where, at times, DefenseFlow handles very little traffic.
    There are two typical scenarios where, at times, DefenseFlow handles very little traffic:
    • Out-of-path deployments — In an out-of-path deployment, when traffic is diverted through DefenseFlow for mitigation. During an attack, the traffic is diverted and routed through DefenseFlow. During peacetime, no traffic passes through DefenseFlow (except for maintenance messages). When no traffic is diverted to DefenseFlow, the BDoS learning must be suppressed to prevent extremely low values affecting the baseline and ultimately increasing the susceptibility to false positives.
    • Environments where traffic rates change dramatically throughout the day.
    Values:
    • 0 — The BDoS profile uses no Learning Suppression Threshold.
    • 1 – 50
    Default: 0
    Note: Using the DefenseFlow CLI, you can view the Protection policies with a BDoS profile and the runtime status of the DNS Learning Suppression feature per Protection policy. For more information, see the DefenseFlow User Guide.
BDoS Rate Limit: Specifies whether/how the profile limits the rate of traffic — only a fall-back measure — when BDoS protection fails to generate the real-time signature.
    The rate-limit applies to each flood protection type separately. (The flood protection types are selected in the BDoS Profile Flood Protection Settings tab.) Traffic below the rate-limit threshold bypasses the BDoS module (traffic that bypasses the BDoS module may be handled by other DefenseFlow modules). Traffic above the rate-limit threshold is dropped.
    Having a BDoS Rate Limit ensures the uptime of the network that the Protection policy protects during volumetric attacks. Note, however, that when implementing the BDoS Rate Limit, legitimate traffic may also be dropped.
    Values:
    • Enabled
    • Disabled — While in the Anomaly state or Non-strictness state, the traffic bypasses the BDoS module.
    • Limit to Normal Edge — While in the Anomaly state or Non-strictness state, the profile limits the traffic rate according to the current Normal baseline.
    • Limit to Suspect Edge — While in the Anomaly state or Non-strictness state, the profile limits the traffic rate according to the current Suspect baseline.
    Default: Disabled
User-Defined Rate Limit: While in the Anomaly state or Non-strictness state, the profile limits the traffic rate according to the user-defined rate.
Rate Limit Units: The user-defined rate type.
    Values: Kbps, Mbps, Gbps
DNS Flood Protection
The DNS Flood Protection section includes the following parameters.
Basic View — Displays only the basic DNS Flood Protection parameters
Profile Action: The action that the profile takes on HTTPS traffic during an attack.
    Values: Block and Report, Report Only
    Default: Block and Report
Footprint Strictness: When the DNS Flood Protection profile detects a new attack, the profile generates an attack footprint to block the attack traffic. If the profile is unable to generate a footprint that meets the footprint-strictness condition, the profile issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint. However, higher strictness increases the probability that the profile cannot generate a footprint.
    Values:
    • High — Requires at least two Boolean AND conditions and no Boolean OR condition in the footprint. This level lowers the probability for false positives but increases the probability for false negatives (that is, increases the probability of not identifying attack traffic).
    • Medium — Comprises the following:
        — At least one Boolean AND condition in the top-level expression.
        — No OR condition in the top-level expression.
        — Up to two Boolean OR conditions in a nested expression.
        Examples:
        — A AND B
        — (A OR B OR C) AND D
        [where “(A OR B OR C)” is a nested expression]
    • Low — Allows any footprint suggested by the DNS Flood Protection profile. This level achieves the best attack blocking but increases the probability of false positives.
    Default: Low
    Note: The DNS Flood Protection profile always considers the Checksum field and the Sequence Number fields as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered as High Footprint Strictness.
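The three strictness levels are defined the same way here and under the BDoS Protection Footprint Strictness parameter, and the rules can be checked mechanically, which is useful when deciding whether a footprint shown in the device's attack view would have survived a stricter setting. The following is an added example written for this page, not DefenseFlow code: it parses a footprint written in the guide's own notation, such as "(A OR B OR C) AND D", counts the AND and OR conditions at the top level and in nested expressions, and returns the strictest level the footprint satisfies. Two readings of the text are assumptions: "at least two Boolean AND conditions" is taken to mean two AND operators (three or more conjuncts), since that is the only reading under which the guide's Medium example "A AND B" is not already High; and the Checksum and Sequence Number fields are represented by the names checksum and sequence_number.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Union

# Fields that the guide says always count as High strictness; the spellings are
# an assumption made for this example.
HIGH_STRICTNESS_FIELDS = {"checksum", "sequence_number"}


@dataclass
class Node:
    op: str                   # "AND" or "OR"
    children: List["Expr"]    # two or more operands of the same operator


Expr = Union[str, Node]       # a leaf is just the field name

_TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_][A-Za-z0-9_.-]*)")


def tokenize(text: str) -> List[str]:
    """Split a footprint into '(', ')', AND, OR and field-name tokens."""
    text = text.strip()
    tokens, pos = [], 0
    while pos < len(text):
        match = _TOKEN.match(text, pos)
        if not match:
            raise ValueError(f"unexpected character at offset {pos}: {text[pos]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class _Parser:
    """Recursive-descent parser: OR chains of AND chains, with parentheses for nesting."""

    def __init__(self, tokens: List[str]) -> None:
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self) -> Expr:
        tree = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return tree

    def expr(self) -> Expr:                      # OR chain
        items = [self.term()]
        while self.peek() == "OR":
            self.take()
            items.append(self.term())
        return items[0] if len(items) == 1 else Node("OR", items)

    def term(self) -> Expr:                      # AND chain binds tighter than OR
        items = [self.factor()]
        while self.peek() == "AND":
            self.take()
            items.append(self.factor())
        return items[0] if len(items) == 1 else Node("AND", items)

    def factor(self) -> Expr:
        tok = self.take()
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        if tok is None or tok in ("AND", "OR", ")"):
            raise ValueError("expected a field name")
        return tok


def count_ops(tree: Expr, op: str) -> int:
    """Number of `op` operators anywhere in the tree (a chain of n operands has n-1)."""
    if isinstance(tree, str):
        return 0
    own = len(tree.children) - 1 if tree.op == op else 0
    return own + sum(count_ops(child, op) for child in tree.children)


def fields_of(tree: Expr) -> Set[str]:
    if isinstance(tree, str):
        return {tree}
    return set().union(*(fields_of(child) for child in tree.children))


def footprint_strictness(footprint: str) -> str:
    """Return 'High', 'Medium' or 'Low' for a footprint, per the guide's definitions."""
    tree = _Parser(tokenize(footprint)).parse()
    if fields_of(tree) <= HIGH_STRICTNESS_FIELDS:
        return "High"                            # checksum / sequence number only
    total_and, total_or = count_ops(tree, "AND"), count_ops(tree, "OR")
    if total_and >= 2 and total_or == 0:
        return "High"
    top_and = len(tree.children) - 1 if isinstance(tree, Node) and tree.op == "AND" else 0
    top_or = len(tree.children) - 1 if isinstance(tree, Node) and tree.op == "OR" else 0
    nested_or = total_or - top_or
    if top_and >= 1 and top_or == 0 and nested_or <= 2:
        return "Medium"
    return "Low"
```

Called on the guide's own examples, "A AND B" and "(A OR B OR C) AND D" both come back as Medium, "A AND B AND C" as High, and a single-field footprint as Low unless the field is the checksum or sequence number.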
Max Allowed QPS: The maximum allowed rate of DNS queries per second, when the Manual Triggers option is not enabled (that is, when the Use Manual Triggers checkbox is cleared in the Manual Triggers tab).
    Values: 0 – 4,000,000
    Default: 0
    Caution: If the Max Allowed QPS is lower than the DNS baseline, the profile drops every packet that matches the real-time signature.
Expected DNS Query Rate: The expected rate, in queries per second, of DNS queries.
    Caution: After you change the Expected DNS Query Rate and click Submit, the quota settings automatically change to the default values appropriate for the query rate. There is no alert message for this automatic action; however, the user interface does show the actual values.
Advanced View — Displays only the advanced DNS Flood Protection parameters.
Packet Specifies whether the profile sends sampled attack packets to APSolute Vision for
Reporting offline analysis.
Default: Enabled
Notes:
• When this feature is enabled, for the packet-reporting to take effect, the
global setting must be enabled in DefensePro.
• Packets can be sampled even when Enable Transparent Optimization is
selected. Values in packets that are sampled before the final footprint is
generated may not match the final footprint.
Flood Protection Settings
Baseline Related Values
For each DNS query type to protect, specify the quota — the maximum expected
percentage of DNS traffic out of the total DNS traffic — and select the checkbox in
the row.
Radware recommends that you initially leave these fields empty so that the
default values will automatically be used. To view default values after creating the
profile, double-click the entry in the table. You can then adjust quota values
based on your network performance.
Caution: After you enter quota values and click Submit, DefenseFlow
calculates the required minimum value for each type. (The calculation uses
various parameters, which include Expected DNS Query Rate.) If you enter a
value that is less than the required minimum, the actual value automatically
changes to the required minimum. There is no alert message for this automatic
action; however, the user interface does show the actual values.
Note: The total quota values may exceed 100%, because each value
represents the maximum volume per query type.
• A Query
• MX Query
• PTR Query
• AAAA Query
• Text Query
• SOA Query
• NAPTR Query
• SRV Query
• Other Queries
Other Rate Settings
Signature Rate-Limit Target — The maximum level of DNS traffic, in percent,
relative to the DNS baseline, that the profile allows during a DNS-flood attack.
This is relevant to the traffic that matches the real-time signature.
Manual Triggers
• Enabled/Disabled — When enabled, displays the manual triggers that specify
whether the profile uses user-defined DNS QPS thresholds instead of the
learned baselines.
Default: Disabled
• Activation Threshold — The number of total queries per second, per protected
destination network — after the specified Activation Period — above which,
DefenseFlow considers there to be an ongoing attack.
When DefenseFlow detects an attack, it starts challenging all sources.
DefenseFlow continues the challenges unless the specified Max QPS (see
below) is reached. Above the specified Max QPS, DefenseFlow limits the rate
of total QPS towards the protected network.
Values: 0 – 4,000,000
Default: 0
• Activation Period — The number of consecutive seconds that the DNS traffic
exceeds the Activation Threshold that determines when DefenseFlow
considers an attack to be in progress.
Values: 1 – 30
Default: 3
• Termination Threshold — The maximum number of queries per second — after
the specified Termination Period — that causes DefenseFlow to consider the
attack to have ended.
Values: 0 – 4,000,000
Default: 0
Note: The Termination Threshold must be less than or equal to the
Activation Threshold.
• Termination Period — The time, in seconds, that the DNS traffic is continuously
below the Termination Threshold, which causes DefenseFlow to consider
the attack to have ended.
Values: 1 – 30
Default: 3
• Max QPS — The maximum allowed rate of DNS queries per second.
Values: 0 – 4,000,000
Default: 0
• Escalation Period — The time, in seconds, that DefenseFlow waits before
escalating to the next enabled Mitigation Action.
Values: 0 – 30
Default: 3
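The Activation/Termination Threshold and Period parameters above form a hysteresis state machine. The following simulation is an added example (not Radware's code) that runs that state machine over a constructed per-second QPS series; the exact second at which DefenseFlow flips state is an assumption of the model.

```python
"""Added example (not Radware's code): a simulation of the DefenseFlow Manual
Triggers state machine, run over a constructed per-second DNS QPS series."""
from dataclasses import dataclass
from typing import List


@dataclass
class ManualTriggers:
    """Manual Triggers parameters, with the value ranges the guide states."""
    activation_threshold: int    # total QPS above which an attack may be declared
    activation_period: int       # consecutive seconds above it before declaring (1 - 30)
    termination_threshold: int   # QPS below which the attack may be considered over
    termination_period: int      # consecutive seconds below it before ending (1 - 30)
    max_qps: int                 # during an attack, total QPS above this is rate-limited

    def __post_init__(self) -> None:
        for v in (self.activation_threshold, self.termination_threshold, self.max_qps):
            if not 0 <= v <= 4_000_000:
                raise ValueError("thresholds and Max QPS must be in 0 - 4,000,000")
        for p in (self.activation_period, self.termination_period):
            if not 1 <= p <= 30:
                raise ValueError("periods must be in 1 - 30 seconds")
        # The guide's note: Termination Threshold must be <= Activation Threshold.
        if self.termination_threshold > self.activation_threshold:
            raise ValueError("Termination Threshold must not exceed Activation Threshold")


@dataclass
class TriggerState:
    attacking: bool = False
    secs_above: int = 0   # consecutive seconds above Activation Threshold
    secs_below: int = 0   # consecutive seconds below Termination Threshold


def step(cfg: ManualTriggers, st: TriggerState, qps: int) -> str:
    """Feed one second of total QPS towards a protected network and return the
    action for that second: 'pass' (no attack), 'challenge' (attack ongoing, all
    sources are challenged) or 'rate-limit' (attack ongoing and QPS above Max QPS).
    Assumption of this simulation: the second that completes the Activation Period
    is already treated as under attack, and the second that completes the
    Termination Period is already treated as clean."""
    if not st.attacking:
        st.secs_above = st.secs_above + 1 if qps > cfg.activation_threshold else 0
        if st.secs_above >= cfg.activation_period:
            st.attacking, st.secs_above, st.secs_below = True, 0, 0
    else:
        st.secs_below = st.secs_below + 1 if qps < cfg.termination_threshold else 0
        if st.secs_below >= cfg.termination_period:
            st.attacking, st.secs_below = False, 0
    if not st.attacking:
        return "pass"
    return "rate-limit" if qps > cfg.max_qps else "challenge"


def simulate(cfg: ManualTriggers, qps_series: List[int]) -> List[str]:
    """Run the state machine over a per-second QPS series; return the action per second."""
    st = TriggerState()
    return [step(cfg, st, q) for q in qps_series]


if __name__ == "__main__":
    cfg = ManualTriggers(activation_threshold=1000, activation_period=3,
                         termination_threshold=500, termination_period=3, max_qps=5000)
    # Constructed series: ramp-up, a burst above Max QPS, then decay.
    series = [200, 1500, 1600, 1700, 9000, 800, 300, 300, 300, 100]
    for second, (q, action) in enumerate(zip(series, simulate(cfg, series))):
        print(f"t={second:2d}s qps={q:5d} -> {action}")
```

A single second that dips back under the Activation Threshold resets the count, so a short spike never declares an attack on its own.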
Advanced View — Advanced
Learning Suppression Threshold
The percentage of the specified Expected DNS Query Rate below which
DefenseFlow suppresses DNS-baseline learning. DefenseFlow calculates the
threshold per Network Protection policy, per IP version (IPv4 or IPv6).
Example: Consider a Protection policy, Policy1. Policy1 has a DNS profile with the
Expected DNS Query Rate value 1000, and the DNS Learning Suppression
Threshold is 5(%). The baseline for Policy1 will not change (that is, learning is
suppressed) if the traffic rate drops below 50 QPS.
The Learning Suppression Threshold feature helps preserve a good DNS-baseline
value in scenarios where, at times, DefenseFlow handles very little traffic.
There are two typical scenarios where, at times, DefenseFlow handles very little
traffic:
• Out-of-path deployments — In an out-of-path deployment, traffic is diverted
through DefenseFlow only for mitigation. During an attack, the traffic is
diverted and routed through DefenseFlow. During peacetime, no traffic
passes through DefenseFlow (except for maintenance messages). When no
traffic is diverted to DefenseFlow, DNS learning must be suppressed to
prevent extremely low values from affecting the baseline and ultimately
increasing the susceptibility to false positives.
• Environments where traffic rates change dramatically throughout the day.
Values:
• 0 — Specifies that the DNS-baseline learning is always active.
• 1 – 100
Default: 0
Out-of-State Protection
The Out-of-State Protection section includes the following parameters.
Profile Action
The action that the profile takes when it encounters out-of-state packets.
Values: Block and Report, Report Only
Default: Block and Report
Activation Threshold
The rate, in PPS, of out-of-state packets above which the profile considers the
packets to be part of a flood attack. When DefenseFlow detects an attack, it
issues an appropriate alert and drops the out-of-state packets that exceed the
threshold. Packets that do not exceed the threshold bypass the DefenseFlow
device.
Values: 1 – 250,000
Default: 5000
Termination Threshold
The rate, in PPS, of out-of-state packets below which the profile considers the
flood attack to have stopped, and DefenseFlow resumes normal operation.
Values: 0 – 249,999
Default: 4000
Allow SYN-ACK
Values:
• Enabled — DefenseFlow opens a session and processes a SYN-ACK packet
even when DefenseFlow has identified no SYN packet for the session. This
option supports asymmetric environments, when the first packet that
DefenseFlow receives is the SYN-ACK.
• Disabled — When DefenseFlow receives a SYN-ACK packet and has identified
no SYN packet for the session, DefenseFlow passes through the SYN-ACK
packet (unprocessed) if the packet is below the specified activation threshold,
and DefenseFlow drops the packet if it is above the specified activation
threshold.
Default: Enabled
Risk Level
The risk — for reporting purposes — assigned to the attack that the profile detects.
Values: Info, Low, Medium, High
Default: Low
Packet Reporting
Specifies whether the profile reports out-of-state packets.
Default: Disabled
Caution: When this feature is enabled here, for the packet-reporting to take
effect, the global setting must be enabled in DefensePro. In addition, a change
to this parameter takes effect only after you click Update Policies to activate
your configuration changes.
Signature Protection
The Signature Protection section includes the following parameters.
Profile
The name of the signature profile.
SYN Flood Protection
The SYN Flood Protection section includes the following parameters.
Basic View — Displays only the basic SYN Flood Protection parameters.
Protection Name
Assign SYN Flood protections to the security policy.
1. From the Available list, select the SYN Flood protections for this security
policy (to assign all available SYN Flood protections, select Select All).
2. Click the icon to move the selected protections to the Selected list.
Spoofed SYN Attack Protection
(These parameters are available only when the Tracking Method is Spoofed SYN Attack
Protection.)
DefenseFlow’s Spoofed SYN Attack Protection handles attacks that use multiple spoofed source
subnets and/or CIDRs.
Spoofed-SYN-flood attacks are not the usual or typical SYN-flood attack. Spoofed-SYN-flood
attacks are slow-rate SYN-flood attacks, sourced from multiple subnets (/22 – /24) and sent to
multiple destination subnets (/22 – /24). A spoofed-SYN-flood attack resembles a highly distributed
scan attack, originating from many source subnets to many destination subnets. These attacks are
also called carpet-bombing attacks.
If you observe a drastic increase in the number of incomplete three-way TCP handshakes over
various protocols (such as DNS, HTTP, HTTPS, C-LDAP, and so on), where the source of the SYN
packets is distributed across a wide range of subnets, you may be facing a spoofed-SYN-flood
attack in which your system is the reflector. As the reflector, your system generates a flood of
SYN-ACK packets towards the spoofed destination.
Destination Ports
Values:
• All Traffic Matching Policy Regardless of Destination Port — The profile tracks
all traffic that matches the destination IP addresses of the Protection policy,
regardless of the destination port.
• Traffic Matching Destination Ports Included in SYN Protections in Profile — The
profile tracks traffic whose destination port is included in the Application
Port Group configured for one of the SYN Flood Protections in the SYN Flood
Protection profile.
Default: All Traffic Matching Policy Regardless of Destination Port
Activation Mode
Values:
• Continuous — The profile applies the authentication methods configured in the
profile immediately. The profile authenticates all SYN packets received by the
associated Protection policy.
• Threshold-Based — The profile applies the authentication methods configured
in the profile after reaching the configured Activation Threshold value (of
SYN packets per second). The profile authenticates all subsequent SYN
packets received by the associated Protection policy.
Default: Threshold-Based
Network Level Authentication
Use TCP Reset for Supported Protocols
(This option is available only when the Authentication Method is Safe Reset.)
Specifies whether DefenseFlow uses the TCP-Reset method for HTTP, HTTPS,
SMTP, and custom-protocol traffic rather than the default Authentication Method:
Safe Reset.
Radware recommends enabling the Use TCP Reset for Supported Protocols
option in symmetric and ingress-only environments that include HTTP, HTTPS,
and SMTP traffic.
Default: Disabled
Note: Using the Safe-Reset method, when DefenseFlow receives a SYN
packet, DefenseFlow responds with an ACK packet with an invalid Sequence
Number field as a cookie. If the client responds with RST and the cookie,
DefenseFlow discards the RST packet, and adds the source IP address to the
TCP Authentication Table. The next SYN packet from the same source
(normally, a retransmit of the previous SYN packet) passes through
DefenseFlow, and the session is approved for the server. DefenseFlow saves
the source IP address for a specified time.
Authentication Method
The authentication method that DefenseFlow uses at the transport layer.
When DefenseFlow is installed in an ingress-only topology, select the Safe Reset
option.
Values:
• Transparent Proxy — When DefenseFlow receives a SYN packet, DefenseFlow
replies with a SYN ACK packet with a cookie in the Sequence Number field. If
the response is an ACK packet that contains the cookie, DefenseFlow
considers the session to be legitimate. Then, DefenseFlow opens a connection
with the destination and acts as transparent proxy between the source and
the destination.
• Safe Reset — When DefenseFlow receives a SYN packet, DefenseFlow
responds with an ACK packet with an invalid Sequence Number field as a
cookie. If the client responds with the RST packet with the cookie and
retransmits the original SYN packet within the specified time range
(Minimum Allowed SYN Retransmission Time and Maximum Allowed
SYN Retransmission Time), DefenseFlow discards the RST packet, and
adds the source IP address to the TCP Authentication Table. The next SYN
packet from the same source passes through DefenseFlow, and the session is
approved for the server. DefenseFlow saves the source IP address for a
specified time.
Default: Safe Reset
Notes:
• If you select Transparent Proxy, Use HTTP Authentication, and Use SSL
Mitigation, DefenseFlow uses the TCP-Reset method for HTTP, HTTPS, SMTP,
and custom-protocol traffic rather than the Transparent-Proxy method.
• If you select Transparent Proxy and Use HTTP Authentication (without
Use SSL Mitigation), DefenseFlow performs the HTTP Authentication before
performing the Transparent-Proxy actions.
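The Safe Reset exchange described above, modelled as an added example (not Radware's code). The cookie construction (a keyed hash of the flow tuple), the retransmission window values and the TCP Authentication Table aging value are all assumptions; the guide names the window parameters but not how the cookie is built.

```python
"""Added example (not Radware's code): a model of the Safe Reset authentication
exchange, with a constructed keyed-hash cookie and constructed timing values."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


@dataclass
class SafeResetAuthenticator:
    secret: bytes          # key for the cookie (assumption: an HMAC-based cookie)
    min_retrans: float     # Minimum Allowed SYN Retransmission Time, seconds (constructed)
    max_retrans: float     # Maximum Allowed SYN Retransmission Time, seconds (constructed)
    auth_ttl: float        # how long a source IP stays in the TCP Authentication Table
    pending: Dict[Flow, float] = field(default_factory=dict)    # challenged flows -> first SYN time
    verified: Dict[Flow, float] = field(default_factory=dict)   # cookie returned, awaiting SYN retransmit
    auth_table: Dict[str, float] = field(default_factory=dict)  # source IP -> entry expiry time

    def cookie(self, flow: Flow) -> int:
        """The deliberately invalid Sequence Number used as the challenge cookie.
        Keyed so that a client cannot produce it without having received the ACK."""
        mac = hmac.new(self.secret, repr(flow).encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, flow: Flow, now: float) -> Tuple[str, Optional[int]]:
        """Handle a client SYN. Returns ('forward', None) when the SYN may reach the
        server, or ('ack-challenge', cookie) when DefenseFlow answers with its ACK."""
        src_ip = flow[0]
        if self.auth_table.get(src_ip, 0.0) > now:
            return "forward", None                    # already authenticated source
        first_syn = self.verified.pop(flow, None)
        if first_syn is not None and self.min_retrans <= now - first_syn <= self.max_retrans:
            self.auth_table[src_ip] = now + self.auth_ttl   # add to TCP Authentication Table
            return "forward", None                    # the retransmitted SYN passes through
        # No completed challenge (or retransmit outside the window): challenge again.
        self.pending[flow] = now
        return "ack-challenge", self.cookie(flow)

    def on_rst(self, flow: Flow, seq: int) -> bool:
        """Handle a client RST. The RST itself is always discarded (it never reaches
        the server); the return value says whether it carried the expected cookie."""
        first_syn = self.pending.get(flow)
        if first_syn is None:
            return False                              # no outstanding challenge
        got = (seq & 0xFFFFFFFF).to_bytes(4, "big")
        want = self.cookie(flow).to_bytes(4, "big")
        if not hmac.compare_digest(got, want):
            return False                              # wrong cookie, challenge stays open
        del self.pending[flow]
        self.verified[flow] = first_syn
        return True


if __name__ == "__main__":
    auth = SafeResetAuthenticator(secret=b"constructed-secret", min_retrans=0.5,
                                  max_retrans=6.0, auth_ttl=60.0)
    flow: Flow = ("198.51.100.7", 40001, "203.0.113.10", 80)
    action, cookie = auth.on_syn(flow, now=0.0)           # ack-challenge
    print(action, auth.on_rst(flow, cookie))               # client returns the cookie: True
    print(auth.on_syn(flow, now=1.0))                      # SYN retransmit inside the window: forward
    # A source whose address is spoofed never receives the ACK, so it never returns
    # the cookie, is never added to the table, and its SYNs only ever draw challenges.
    print(auth.on_syn(("192.0.2.250", 1234, "203.0.113.10", 80), now=1.0)[0])
```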
Application Level Authentication
HTTP Authentication Method
Specifies whether DefenseFlow authenticates the transport layer of HTTP traffic
using SYN cookies and then authenticates the HTTP application layer using the
specified HTTP Authentication Method.
Values:
• Disabled — DefenseFlow handles HTTP traffic using the specified TCP
Authentication Method.
• Redirect — DefensePro authenticates HTTP traffic using a 302-redirect
response code.
• JavaScript — DefensePro authenticates HTTP traffic using a JavaScript object,
which DefensePro generates.
Default: Disabled
Notes:
• Some attack tools are capable of handling 302-redirect responses. The 302-
Redirect HTTP Authentication Method is not effective against attacks that use
those tools. The JavaScript HTTP Authentication Method requires an engine
on the client side that supports JavaScript, and therefore, the JavaScript
option is considered stronger. However, the JavaScript option has some
limitations, which are relevant in certain scenarios.
• Limitations when using the JavaScript HTTP Authentication Method:
— If the browser does not support JavaScript calls, the browser will not
answer the challenge.
— When the protected server is accessed as a sub-page through another
(main) page only using JavaScript, the user session will fail (that is, the
browser will not answer the challenge).
Use SSL Mitigation
(This parameter is available only when the HTTP Authentication Method is
enabled.)
Specifies whether DefensePro sends traffic to the specified SSL-decryption-and-
encryption component and uses the SSL Mitigation mechanism.
SSL Mitigation works with HTTP Authentication. If you select the Use SSL
Mitigation checkbox, DefensePro selects the Use HTTP Authentication checkbox
automatically.
Traffic Filters
The Traffic Filters section includes the following parameters.
Basic and Advanced Views — Display the Action parameter and the basic Traffic Filters table. The
Advanced view displays more parameters in the Traffic Filters table.
Action
The action that the profile takes when it detects traffic matching a Traffic Filter
configuration.
Values: Block and Report, Report Only
Default: Block and Report
Traffic Filters List
You can configure the Traffic Filters List parameters.
Click the (Add) button to add a new Filters list with the following parameters:
Filter Threshold
Filter Name
The name of the Traffic Filter.
Maximum characters: 29
Apply Traffic Filter To
Values:
• Matching Traffic — Apply the filter to traffic that matches all the parameters in
the Filter Criteria.
• Non-Matching Traffic — Apply the filter to traffic that does not match all the
parameters in the Filter Criteria.
Default: Matching Traffic
IPv4 Source Prefix Length
The IPv4 prefix length that specifies the subnet size for tracking source
addresses.
Values: 1 – 32
Default: 32
IPv6 Source Prefix Length
The IPv6 prefix length that specifies the subnet size for tracking source
addresses.
Values: 1 – 128
Default: 128
IPv4 Destination Prefix Length
The IPv4 prefix length that specifies the subnet size for tracking destination
addresses.
Values: 1 – 32
Default: 32
IPv6 Destination Prefix Length
The IPv6 prefix length that specifies the subnet size for tracking destination
addresses.
Values: 1 – 128
Default: 128
Basic Filter
Source Network
The IP address or predefined Network class object that defines the source of the
packets to match to the Traffic Filter.
Values:
• As in Policy — The filter matches only source networks that match the
Protection policy.
• A discrete IP address.
• A Network class displayed in the Classes tab.
Default: As in Policy
Caution: If you specify a Network class, the class can represent up to 50
discrete IP addresses.
Destination Network
The IP address or predefined Network class object that defines the destination of
the packets that the policy applies to.
Values:
• As in Policy — The filter matches only destination networks that match the
Protection policy.
• A discrete IP address.
• A Network class displayed in the Classes tab.
Default: As in Policy
Caution: If you specify a Network class, the class can represent up to 50
discrete IP addresses.
Protocol
The protocol that defines the packets that the Traffic Filter applies to.
Values:
• Any Supported Protocol — The filter matches any of the protocols in the
Protocol drop-down list.
• TCP
• UDP
• ICMP
• IGMP
• ICMPv6
• Other Protocol(s) — The filter matches the protocol number or numbers
specified in the Other Protocol Number(s) text box.
Default: Any Supported Protocol
Caution: When you select GRE — or when you specify 47 in the Other
Protocol Number(s) text box, the GRE Traffic parameter in the Tunnel
Inspection configuration must be Inspect the Outer Headers in
DefensePro.
Caution: When you select IP-in-IP — or when you specify 4 and/or 41 in the
Other Protocol Number(s) text box, the IP-in-IP Traffic parameter in the
Tunnel Inspection configuration must be Inspect the Outer Headers in
DefensePro.
Caution: If Protocol is Any Supported Protocol and a checkbox for TCP
Flags is selected, the effective value for Protocol is TCP.
Note: In DefensePro version 8.24, if Any Supported Protocol is selected, the
filter matches any of the protocols in the following list, and also matches the
GRE and IP-in-IP protocols (even though they are not listed).
Other Protocol Number(s)
(This parameter is available only when the value for the Protocol parameter is
Other Protocol(s).)
The IANA-assigned number or numbers that identify the protocol or protocols that
define the packets that the Traffic Filter applies to.
Values:
• 0 – 255
• A list of comma-separated values in the range 0 – 255
• A range of values 0 – 255, in the format a-b
Caution: When the selected Protocol value is Other Protocol(s), for the
Traffic Filter to apply, the Report Action for Packet Anomaly Unsupported L4
Protocol (ID 110) must be Process.
Caution: If you specify 47 in the Other Protocol Number(s) text box, the
GRE Traffic parameter in the Tunnel Inspection configuration must be
Inspect the Outer Headers in DefensePro.
Caution: If you specify 4 and/or 41 in the Other Protocol Number(s) text
box, the IP-in-IP Traffic parameter in the Tunnel Inspection configuration
must be Inspect the Outer Headers in DefensePro.
Note: You can enter a list with a combination of numbers and ranges.
Example: 1-20,47,48,58-62
Source Port
(This parameter is available only when the value for the Protocol parameter is
Any Supported Protocol, TCP, or UDP.)
The port or predefined Application Port Group class object that defines the source
of the packets that the Traffic Filter applies to.
Values:
• Any — The filter matches any source application port.
• A specific application-port number.
• A list of comma-separated application-port numbers.
• An Application Port Group class displayed in the Classes tab.
Default: Any
Maximum characters: 255
Destination Port
(This parameter is available only when the value for the Protocol parameter is
Any Supported Protocol, TCP, or UDP.)
The port or predefined Application Port Group class object that defines the
destination of the packets that the Traffic Filter applies to.
Values:
• Any — The filter matches any destination application port.
• A specific application-port number.
• A list of comma-separated application-port numbers.
• An Application Port Group class displayed in the Classes tab.
Default: Any
Maximum characters: 255
Packet Size (Bytes)
The size, in bytes, of the packets that the Traffic Filter applies to.
Values:
• None
• 64 – 1542
• A list of comma-separated values in the range 64 – 1542
• A range of values 64 – 1542, in the format a-b
Default: None
Maximum characters: 255
Caution: You can specify up to a total of 50 packet-size values.
Notes:
• You can enter a list with a combination of specific packet sizes and packet-
size ranges. Example: 64-80,90,92,101-130
• The Packet Size value does not account for the CRC.
Advanced Filter
(The checkboxes for TCP flags are available only when the value for the Protocol parameter is Any
Supported Protocol or TCP.)
TCP Flags - SYN
TCP Flags - ACK
TCP Flags - RST
TCP Flags - SYN+ACK
TCP Flags - FIN+ACK
TCP Flags - PSH+ACK
Select the TCP flags to match toward the Traffic Filter.
DefenseFlow combines multiple values using a Boolean OR operator.
Default: None
Caution: If you select a TCP flag, you cannot specify a value for the Fragment
Offset or Fragment ID parameter.
Time to Live (TTL)
The time-to-live (TTL) value in the packet header.
Values:
• None
• A specific value
• A list of comma-separated values
• A range of values, in the format a-b
Default: None
Maximum characters: 255
Caution: You can specify up to 50 TTL values, in the comma-separated list or
in the range.
Note: You can enter a list with a combination of values and ranges. Example:
6-10,12,13,15-64
TCP Sequence Number
(This parameter is available only when the value for the Protocol parameter is
Any Supported Protocol or TCP.)
The TCP-sequence value in the packet header.
Values:
• Any
• A specific value
• A list of comma-separated values
• A range of values, in the format a-b
Default: None
Maximum characters: 255
Caution: You can specify up to a total of 50 TCP-sequence values, in the
comma-separated list or in the range.
Caution: If you specify a value for this parameter, you cannot specify a value
for the Fragment Offset or Fragment ID parameter.
Note: You can enter a list with a combination of values and ranges. Example:
6-10,12,13,15-64
Context Tag The context tag in the packet header.
Values:
• None
• A context-tag value
• A list of comma-separated context-tag values
• A Context Group class displayed in the Classes tab
Caution: You can specify up to 50 tags, in the comma-separated list or in the
class.
Type of Service (ToS) - DSCP
The type-of-service (ToS) value or Differentiated Services Code Point (DSCP)
value in the packet header.
Values:
• None
• A specific value
• A list of comma-separated values
• A range of values, in the format a-b
Default: None
Maximum characters: 255
Caution: You can specify up to a total of 50 ToS/DSCP values, in the comma-
separated list or in the range.
Note: You can enter a list with a combination of values and ranges. Example:
8-14,24,26,32-38
Fragment Offset
The fragment offset value in the packet header.
Values:
• None
• A specific value
• A list of comma-separated values
• A range of values, in the format a-b
Default: None
Maximum characters: 255
Caution: You can specify up to a total of 50 fragment-offset values, in the
comma-separated list or in the range.
Caution: If you specify a value for this parameter, you cannot select a TCP flag
or specify a value for the TCP Sequence Number parameter.
Note: You can enter a list with a combination of values and ranges. Example:
0-8,16,32,64-100
Fragment ID
The fragment identifier value in the packet header.
Values:
• None
• A specific value
• A list of comma-separated values
• A range of values, in the format a-b
Default: None
Maximum characters: 255
Caution: You can specify up to a total of 50 fragment-ID values, in the
comma-separated list or in the range.
Caution: If you specify a value for this parameter, you cannot select a TCP flag
or specify a value for the TCP Sequence Number parameter.
Note: You can enter a list with a combination of values and ranges. Example:
0-3,5,7,9-20
Regular Expression
The regular expression that the filter tries to match to the contents of the packet
payload. This field supports only text represented by the specified regular
expression — anywhere in the packet payload.
Maximum characters: 252
Caution: Configuring a regular expression in this field may reduce
performance.
Filter Action
Threshold Units
Values: Packets per Second, Kbits per Second
Default: Packets per Second
Threshold
The rate, in the specified units, at which DefenseFlow triggers the Traffic Filter.
Values:
• 0 — The filter blocks all traffic.
• For Packets per Second: 1 – 200,000,000
• For Kilobits per Second: 1 – 156,250,000
Tracking Mode
The traffic, matching the specified criteria, that the Traffic Filter tracks, counts,
and acts upon.
Options:
• All — The Traffic Filter applies the specified Filter Action on all the traffic
above the specified Threshold.
• Per Source — The Traffic Filter applies the specified Filter Action on the traffic
above the specified Threshold, per source. The source can be a discrete IP
address or a subnet, according to the specified Source Prefix Length. For
example, if the specified Source Prefix Length for IPv4 is 32, per source is
per discrete source IPv4 address.
• Per Destination — The Traffic Filter applies the specified Filter Action on the
traffic, above the specified Threshold, per destination. The destination can
be a discrete IP address or a subnet, according to the specified Destination
Prefix Length. For example, if the specified Destination Prefix Length for
IPv4 is 32, per destination is per discrete destination IPv4 address.
You may select this option in a Traffic Filter for HTTP-flood protection.
• Per Source and Destination Pair — The Traffic Filter applies the specified Filter
Action on the traffic, above the specified Threshold, per source-and-
destination pair. Each source and destination can be a discrete IP address or a
subnet, according to the specified Source Prefix Length and Destination
Prefix Length. For example, if the specified Source Prefix Length for IPv4
is 32, the per source part of the source-and-destination pair is per discrete
source IPv4 address.
• Track Returning Traffic from Destination and Suspend Corresponding
Sources — The Traffic Filter tracks the traffic that matches the specified
Regular Expression, per destination IP address, from the specified
Destination Port — and when the traffic rate is above the specified
Threshold, the filter places the corresponding source IP address into the
Suspend Table, and drops all subsequent packets from that IP address, until
the aging period expires.
When you select this option:
— You must enter a Regular Expression.
— The Destination Port field must not be Any.
Caution: Except for the All option, specifying any of these options may reduce
performance.
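How the Tracking Mode and the Source/Destination Prefix Length parameters combine with the Threshold, shown as an added example (not Radware's code) over a constructed one-second packet sample. The Track Returning Traffic option, which needs payload inspection, is left out; counts use the Packets per Second unit.

```python
"""Added example (not Radware's code): per-key rate tracking as described for the
Traffic Filter Tracking Mode, over a constructed one-second packet sample."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

Packet = Tuple[str, str]   # (source IP, destination IP)


@dataclass
class TrafficFilterThreshold:
    threshold_pps: int         # 0 means the filter blocks all matching traffic
    tracking_mode: str         # All | Per Source | Per Destination | Per Source and Destination Pair
    ipv4_src_prefix: int = 32  # the four Prefix Length parameters, at their defaults
    ipv6_src_prefix: int = 128
    ipv4_dst_prefix: int = 32
    ipv6_dst_prefix: int = 128

    def _subnet(self, ip: str, is_source: bool) -> str:
        """Collapse an address to the tracked subnet for its IP version and direction."""
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            plen = self.ipv4_src_prefix if is_source else self.ipv4_dst_prefix
        else:
            plen = self.ipv6_src_prefix if is_source else self.ipv6_dst_prefix
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def tracking_key(self, src: str, dst: str) -> str:
        """The counter that a packet is charged to under the configured Tracking Mode."""
        if self.tracking_mode == "All":
            return "all"
        if self.tracking_mode == "Per Source":
            return self._subnet(src, True)
        if self.tracking_mode == "Per Destination":
            return self._subnet(dst, False)
        if self.tracking_mode == "Per Source and Destination Pair":
            return f"{self._subnet(src, True)}->{self._subnet(dst, False)}"
        raise ValueError(f"unsupported Tracking Mode {self.tracking_mode!r}")

    def exceeding(self, one_second: Iterable[Packet]) -> Dict[str, int]:
        """Count packets per tracking key over a one-second sample and return the keys
        (with their PPS) that receive the Filter Action: traffic above the Threshold,
        or everything when the Threshold is 0."""
        counts = Counter(self.tracking_key(s, d) for s, d in one_second)
        if self.threshold_pps == 0:
            return dict(counts)
        return {k: v for k, v in counts.items() if v > self.threshold_pps}


# Constructed sample: two hosts in 198.51.100.0/24 and one elsewhere, all to one server.
SAMPLE = ([("198.51.100.1", "192.0.2.10")] * 10 + [("198.51.100.2", "192.0.2.10")] * 10
          + [("203.0.113.9", "192.0.2.10")] * 5)

if __name__ == "__main__":
    per_host = TrafficFilterThreshold(8, "Per Source")
    per_net = TrafficFilterThreshold(8, "Per Source", ipv4_src_prefix=24)
    print("per /32 source:", per_host.exceeding(SAMPLE))   # each host individually
    print("per /24 source:", per_net.exceeding(SAMPLE))    # the two hosts pooled as one subnet
```

Widening the Source Prefix Length pools sources into one counter, so a subnet whose individual hosts each stay under the Threshold can still trip the filter together.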
Packet Reporting
Specifies whether the profile sends sampled attack packets to APSolute Vision for
offline analysis.
Default: Disabled
Note: When this feature is enabled, for the packet-reporting to take effect, the
global setting must be enabled in DefensePro.
2. Do the following:
Note: Basic is a predefined security policy template that you can use to create new templates.
You cannot edit the Basic security template itself.
— If you do not immediately see the security policy template that you want to duplicate in the
table, search for the security policy template by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the security policy template you want to duplicate, select the security policy
template and click the (Duplicate) button to open the security policy template.
3. Edit the parameters for the new security policy template, and then click Submit to save your
changes. A new security policy template is created.
Note: Basic is a predefined security policy template that you can use to create new templates.
You cannot edit the Basic security template itself.
— If you do not immediately see the security policy template that you want to edit in the table,
search for the security policy template by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the security policy template you want to edit, click the (Expand Row)
button to open the security policy template.
3. Edit the parameters for the security policy template, and then click Submit to save your
changes.
table, search for the security policy templates by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the security policy templates you want to delete, select the security policy
3. In the Confirmation dialog box, click Confirm to delete the security policy templates.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Access Lists
You can define the following types of access lists:
• Blocklists and allowlists, and groups of these lists, for a single mitigation device or a group of
mitigation devices. You define these lists and groups from the Access Lists pane.
• Geolocation feed groups that include a list of geolocations that you can assign to a protected
object to block or allow only a set of geographic locations.
• DNS Subdomains Allowlists that DefenseFlow can automatically delegate from the CPE
DefensePro to a scrubbing center.
The Access Lists pane includes the following types of lists and groups:
• Allowlists and Blocklist Rules, page 180
• Allowlist and Blocklist Groups, page 182
• Geolocations, page 184
• DNS Allowlist Files, page 186
Parameter Description
Name
Name of the allowlist or blocklist rule.
Description
Description of the allowlist or blocklist rule.
Addresses
The IPv4 and/or IPv6 addresses that are allowed or blocked. The IP addresses
can include source and destination port ranges and protocols.
Examples:
• 192.168.66.0/24
• 172.31.15.12
• 10.1.1.1 src port 12-44 protocol 5
• 10.1.1.0/24 src port 12 dst port 12-13 protocol tcp
• 3001:e12::/32
• 2001:cdba:0000:0000:0000:0000:3257:9652
Note: The protocol numbers used by DefenseFlow are mapped to the
following protocols:
• 0 — Any
• 1 — TCP
• 2 — UDP
• 3 — ICMP
• 4 — IGMP
• 5 — SCTP
• 7 — ICMPv6
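A parser for the Addresses entry format shown in the examples above, using the DefenseFlow protocol numbering from the Note, as an added example (not Radware's code). It assumes protocol names are accepted case-insensitively and leaves to the caller which side of a packet the address is compared against, since the guide states neither.

```python
"""Added example (not Radware's code): parse allowlist/blocklist Addresses entries
and match an address (plus optional ports and protocol) against the parsed rule."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
PortRange = Tuple[int, int]

# DefenseFlow's own protocol numbers for access-list entries (from the guide).
# This is not the IANA protocol-number space: 5 means SCTP here, 7 means ICMPv6.
PROTOCOL_NAMES = {0: "any", 1: "tcp", 2: "udp", 3: "icmp", 4: "igmp", 5: "sctp", 7: "icmpv6"}
PROTOCOL_NUMBERS = {name: num for num, name in PROTOCOL_NAMES.items()}

_ENTRY = re.compile(
    r"^(?P<net>\S+)"
    r"(?:\s+src\s+port\s+(?P<sp>\d+(?:-\d+)?))?"
    r"(?:\s+dst\s+port\s+(?P<dp>\d+(?:-\d+)?))?"
    r"(?:\s+protocol\s+(?P<pr>\S+))?$", re.IGNORECASE)


@dataclass(frozen=True)
class AccessRule:
    network: Network
    src_port: Optional[PortRange]   # None = any source port
    dst_port: Optional[PortRange]   # None = any destination port
    protocol: int                   # 0 = any


def _port_range(text: Optional[str]) -> Optional[PortRange]:
    if text is None:
        return None
    low, _, high = text.partition("-")
    lo, hi = int(low), int(high or low)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {text!r}")
    return lo, hi


def parse_entry(text: str) -> AccessRule:
    """Parse one Addresses entry, e.g. '10.1.1.0/24 src port 12 dst port 12-13 protocol tcp'.
    A bare address becomes a /32 or /128 network."""
    m = _ENTRY.match(text.strip())
    if not m:
        raise ValueError(f"malformed entry {text!r}")
    network = ipaddress.ip_network(m.group("net"), strict=False)
    proto = m.group("pr")
    if proto is None:
        protocol = 0
    elif proto.isdigit():
        protocol = int(proto)
        if protocol not in PROTOCOL_NAMES:
            raise ValueError(f"unknown protocol number {protocol}")
    else:
        try:
            protocol = PROTOCOL_NUMBERS[proto.lower()]   # assumption: case-insensitive names
        except KeyError:
            raise ValueError(f"unknown protocol name {proto!r}") from None
    return AccessRule(network, _port_range(m.group("sp")), _port_range(m.group("dp")), protocol)


def rule_matches(rule: AccessRule, ip: str, src_port: Optional[int] = None,
                 dst_port: Optional[int] = None, protocol: int = 0) -> bool:
    """True when the address, and the ports and protocol where the rule constrains
    them, fall under the rule. The caller chooses which packet address to check."""
    if ipaddress.ip_address(ip) not in rule.network:      # also False across IP versions
        return False
    if rule.protocol != 0 and rule.protocol != protocol:
        return False
    for wanted, seen in ((rule.src_port, src_port), (rule.dst_port, dst_port)):
        if wanted is not None and (seen is None or not wanted[0] <= seen <= wanted[1]):
            return False
    return True


if __name__ == "__main__":
    for entry in ("192.168.66.0/24", "10.1.1.1 src port 12-44 protocol 5",
                  "10.1.1.0/24 src port 12 dst port 12-13 protocol tcp", "3001:e12::/32"):
        rule = parse_entry(entry)
        print(entry, "->", rule.network, rule.src_port, rule.dst_port, PROTOCOL_NAMES[rule.protocol])
```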
— If you do not immediately see the allowlist or blocklist that you want to duplicate in the
table, search for the allowlist or blocklist by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the allowlist or blocklist you want to duplicate, select the allowlist or blocklist
rule and click the (Duplicate) button to open the allowlist or blocklist rule.
3. Edit the parameters for the new allowlist or blocklist, and then click Submit to save your
changes. A new allowlist or blocklist rule is created.
search for the allowlist or blocklist by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the allowlist or blocklist you want to edit, click the (Expand Row) button
to open the allowlist or blocklist.
3. Edit the parameters for the allowlist or blocklist, and then click Submit to save your changes.
search for the allowlists or blocklists by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the allowlists or blocklists you want to delete, select the allowlists or
3. In the Confirmation dialog box, click Confirm to delete the allowlist or blocklist rules.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Parameter Description
Name
Name of the allowlist or blocklist group.
Description
Description of the allowlist or blocklist group.
Rule List
Select defined allowlists or blocklists for inclusion in the group by moving them
with the directional arrows from the Available list to the Selected list.
After selecting the rules for this group, the Rule Count parameter displays the
number of rules you have set for the group.
the table, search for the allowlist or blocklist group by typing a string in the search
field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the allowlist or blocklist group you want to duplicate, select the allowlist or
blocklist group and click the (Duplicate) button to open the allowlist or blocklist group.
3. Edit the parameters for the new allowlist or blocklist group, and then click Submit to save your
changes. A new allowlist or blocklist group is created.
table, search for the allowlist or blocklist group by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the allowlist or blocklist group you want to edit, click the (Expand Row)
button to open the allowlist or blocklist group.
3. Edit the parameters for the allowlist or blocklist group, and then click Submit to save your
changes.
table, search for the allowlist or blocklist groups by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the allowlist or blocklist groups you want to delete, select the allowlist or
blocklist groups and click the (Delete) button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the allowlist or blocklist groups.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Geolocations
This procedure describes how to view, create, and edit a DefenseFlow Geolocation feed group that
can be used for geoblocking in a protected object. In the protected object, you can use a single
geolocation from your Geolocation feed or you can use a Geolocation feed group that you define.
This feature requires that the DefensePro device used for mitigation be version 8.21 or later.
For more information on how Geolocation feed groups are assigned in protected objects, see
Protected Objects, page 119.
The Geolocation functionality requires a Geolocation subscription. To identify the geolocation that
traffic originates from, the Geolocation feature uses the Geolocation feed from the Geolocation
subscription. APSolute Vision manages the Geolocation subscription and the Geolocation feed.
Before you can configure a Geolocation feed group, you must configure and run a Geolocation Feed
task in APSolute Vision that targets the DefensePro device used for mitigation. If the DefensePro
device has a valid Geolocation subscription and a user-defined scheduled task of type Geolocation
Feed, the task uploads the feed to the Geolocation database on the DefensePro device.
For information on how to configure the scheduled task, refer to the APSolute Vision User Guide.
Parameter Description
Name Name of the Geolocation feed group.
Description Description of the Geolocation feed group.
Geolocation List You can group multiple geolocations (countries) together from your Geolocation
feed into a Geolocation feed group.
When defining geoblocking for a protected object, you can use a single
geolocation from your Geolocation feed or you can use a Geolocation feed group
that you define.
To add geolocations to the Geolocation group, select defined geolocations by
moving them with the directional arrows from the Available list to the Selected
list.
— When you find the geolocation you want to edit, click the (Expand Row) button to open
the geolocation.
3. Edit the parameters for the geolocation, and then click Submit to save your changes.
table, search for the geolocation feed group by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the geolocation feed group you want to duplicate, select the geolocation feed
group and click the (Duplicate) button to open the geolocation feed group.
3. Edit the parameters for the new geolocation feed group, and then click Submit to save your
changes. A new geolocation feed group is created.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Parameter Description
DNS Allowlist File Parameters Import the file with the DNS allowlist:
1. Click Browse to find the DNS allowlist file you want to import.
2. Click Import to import the file.
Note: The DNS allowlist file should contain text only.
The file contains lines in the following format:
<FQDN>, <mode>
where mode is:
• m (manual)
• a (automatic)
Examples:
www.example1.com, a
www.example2.com, m
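As an added illustration of the file format above (example code, not Radware's), the following Python parser validates a DNS allowlist file before it is imported: each line must be `<FQDN>, <mode>` with mode `m` or `a`, and every malformed line is reported with its line number rather than dropped. The sample file content is constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hostname label per RFC 1123: alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Mode letters as documented for the DNS allowlist file.
MODES = {"m": "manual", "a": "automatic"}


@dataclass(frozen=True)
class AllowlistEntry:
    fqdn: str
    mode: str  # "manual" or "automatic"


def is_valid_fqdn(name: str) -> bool:
    """Accept a fully qualified domain name (optionally with a trailing dot)."""
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    # An allowlist entry must be a full host name, not a single bare label.
    if len(labels) < 2:
        return False
    return all(_LABEL_RE.match(label) for label in labels)


def parse_allowlist(text: str) -> tuple[list[AllowlistEntry], list[str]]:
    """Parse '<FQDN>, <mode>' lines and return (entries, errors).

    Blank lines are ignored. Any other malformed line is reported with its
    line number instead of being dropped silently, so the operator sees what
    the import would have left out.
    """
    entries: list[AllowlistEntry] = []
    errors: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected '<FQDN>, <mode>', got {raw!r}")
            continue
        fqdn, mode = parts[0].lower(), parts[1].lower()
        if not is_valid_fqdn(fqdn):
            errors.append(f"line {lineno}: invalid FQDN {parts[0]!r}")
            continue
        if mode not in MODES:
            errors.append(f"line {lineno}: mode must be 'm' or 'a', got {parts[1]!r}")
            continue
        entries.append(AllowlistEntry(fqdn.rstrip("."), MODES[mode]))
    return entries, errors


# Constructed sample file: the two documented example lines plus three
# malformed ones (unknown mode, bare label, missing mode field).
SAMPLE_FILE = """\
www.example1.com, a
www.example2.com, m

www.example3.com, x
localhost, a
www.example4.com
"""

if __name__ == "__main__":
    accepted, rejected = parse_allowlist(SAMPLE_FILE)
    for entry in accepted:
        print(f"{entry.fqdn:20} {entry.mode}")
    for message in rejected:
        print("REJECT", message)
```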
search for the DNS allowlist file by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the DNS allowlist file you want to export, select the DNS allowlist file and click
the (Export) button to export the DNS allowlist file. The DNS allowlist file is downloaded
to your local computer.
3. In the Confirmation dialog box, click Close to delete the DNS allowlist file.
search for the DNS allowlist files by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the DNS allowlist files you want to delete, select the DNS allowlist files and
click the (Delete) button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the DNS allowlist files.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.
BGP FlowSpec
The BGP FlowSpec node includes the following sub-nodes:
Parameter Description
Name Name of the BGP FlowSpec rule.
Description Description of the BGP FlowSpec rule.
Parameter Description
Destination The destination prefix to match.
Prefix Values:
• Attacked IP — The actual destination IP addresses are inherited from the
protected object’s networks or IP addresses under attack or manually
activated.
• Entire Networks — The actual destination IP addresses are inherited from the
protected object that uses this rule for its various operations or manual
actions.
• Specific Prefix — The Prefix to Block field displays, letting you define a set of
IP prefixes for the destination prefix.
Default: Attacked IP
Source Prefix Defines one or more IPv4 or IPv6 source prefixes, each IP prefix separated by a
space.
Values: IPv4 or IPv6 address in the format n1.n2.n3.n4/5
Maximum number of networks: 100
Prefix to Block Defines one or more IPv4 or IPv6 destination prefixes, each IP prefix separated
by a space. (This field displays only if you have selected Specific Prefix as the
Destination Prefix.)
Values: IPv4 or IPv6 address in the format n1.n2.n3.n4/5
Maximum number of networks: 100
Port Defines a set of operation/value pairs that match the source or destination TCP/UDP
ports.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Source Port Defines a set of operation/value pairs that match the source port of TCP/UDP
packets.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Examples:
• [gre]
• [tcp udp]
• [3]
• [1-3 8-9]
ICMP Type Defines a set of operation/value pairs that match the type field of an ICMP
packet.
Values:
• echo-reply
• echo-request
• info-reply
• info-request
• mask-reply
• mask-request
• parameter-problem
• redirect
• router-advertisement
• router-solicit
• source-quench
• time-exceeded
• timestamp
• timestamp-reply
• unreachable
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.
ICMP Code Defines a set of operation/value pairs that match the code field of an ICMP
packet.
Values:
• communication-prohibited-by-filtering
• destination-host-prohibited
• destination-host-unknown
• destination-network-unknown
• fragmentation-needed
• host-precedence-violation
• ip-header-bad
• network-unreachable
• network-unreachable-for-tos
• port-unreachable
• redirect-for-host
• redirect-for-network
• redirect-for-tos-and-host
• redirect-for-tos-and-net
• required-option-missing
• source-host-isolated
• source-route-failed
• ttl-eq-zero-during-reassembly
• ttl-eq-zero-during-transit
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.
TCP Flag Defines the set of operation/value pairs used as a bit-mask to match TCP flags.
Values: fin, syn, rst, push, ack, urgent
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.
DSCP Defines the set of operation/value pairs to match the 6-bit DSCP field.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
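The match fields above (prefix lists with their 100-network limit, the `<`/`>`/`=`/`&`/space condition syntax for Port, Source Port and DSCP, and the bracketed value sets for ICMP Type, ICMP Code and TCP Flag) can be evaluated against sample packets to see what a rule would actually catch before it is announced. The Python below is an added example, not DefenseFlow code; the rule and packet field names, `&` binding tighter than the space, and treating a TCP Flag set as "any listed flag" are this example's assumptions, and the sample rule and packets are constructed.

```python
from __future__ import annotations

import ipaddress
import re

MAX_NETWORKS = 100  # documented maximum number of networks per prefix field

# One operation/value pair: optional operator (< > =) followed by a decimal value.
_TERM_RE = re.compile(r"^([<>=]?)(\d+)$")


def _term_matches(term: str, value: int) -> bool:
    m = _TERM_RE.match(term)
    if not m:
        raise ValueError(f"bad operation/value pair {term!r}")
    op, num = m.group(1), int(m.group(2))
    if op == "<":
        return value < num
    if op == ">":
        return value > num
    return value == num  # "=" or a bare number


def numeric_condition_matches(condition: str, value: int) -> bool:
    """Port / Source Port / DSCP condition.

    A space separates OR alternatives; '&' ANDs the pairs inside one alternative.
    ('&' binding tighter than the space is an assumption of this example.)
    """
    alternatives = condition.split()
    if not alternatives:
        raise ValueError("empty condition")
    return any(all(_term_matches(t, value) for t in alt.split("&")) for alt in alternatives)


def set_condition_matches(condition: str, value: str) -> bool:
    """ICMP Type / ICMP Code / TCP Flag: a single value or a bracketed, space-separated set."""
    cond = condition.strip()
    if cond.startswith("[") and cond.endswith("]"):
        return value in cond[1:-1].split()
    return value == cond


def parse_prefix_list(field: str) -> list:
    """Source Prefix / Prefix to Block: space-separated IPv4 or IPv6 prefixes."""
    # ip_network() is strict by default: a prefix with host bits set is rejected
    # rather than silently widened to the containing network.
    networks = [ipaddress.ip_network(p) for p in field.split()]
    if len(networks) > MAX_NETWORKS:
        raise ValueError(f"{len(networks)} networks exceeds the maximum of {MAX_NETWORKS}")
    return networks


def prefix_list_contains(networks: list, address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in networks if n.version == ip.version)


def rule_matches(rule: dict, packet: dict) -> bool:
    """Apply every field set in the rule to one packet; unset fields match anything.

    The key names are this example's own, not DefenseFlow identifiers. For
    TCP Flag, a set is treated as "any listed flag is set" (an assumption).
    """
    checks = {
        "source_prefix": lambda v: prefix_list_contains(parse_prefix_list(v), packet["src"]),
        "prefix_to_block": lambda v: prefix_list_contains(parse_prefix_list(v), packet["dst"]),
        "port": lambda v: numeric_condition_matches(v, packet["sport"])
        or numeric_condition_matches(v, packet["dport"]),
        "source_port": lambda v: numeric_condition_matches(v, packet["sport"]),
        "dscp": lambda v: numeric_condition_matches(v, packet["dscp"]),
        "icmp_type": lambda v: set_condition_matches(v, packet.get("icmp_type", "")),
        "tcp_flag": lambda v: any(set_condition_matches(v, f) for f in packet.get("flags", [])),
    }
    return all(checks[name](value) for name, value in rule.items())


# Constructed rule: traffic from two documentation-range source prefixes whose
# source or destination port is 1024-1099 or 53, with DSCP 0.
SAMPLE_RULE = {
    "source_prefix": "203.0.113.0/24 2001:db8::/32",
    "port": "<1100&>1023 53",
    "dscp": "0",
}
PACKET_MATCH = {"src": "203.0.113.7", "dst": "198.51.100.10", "sport": 40000, "dport": 1050, "dscp": 0}
PACKET_OTHER_PORT = dict(PACKET_MATCH, dport=2000)
PACKET_OTHER_SOURCE = dict(PACKET_MATCH, src="192.0.2.5")

if __name__ == "__main__":
    for label, pkt in [("match", PACKET_MATCH), ("other port", PACKET_OTHER_PORT),
                       ("other source", PACKET_OTHER_SOURCE)]:
        print(f"{label:13} -> {rule_matches(SAMPLE_RULE, pkt)}")
```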
search for the BGP FlowSpec rule by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec rule you want to duplicate, select the BGP FlowSpec rule
and click the (Duplicate) button to open the BGP FlowSpec rule.
3. Edit the parameters for the BGP FlowSpec rule, and then click Submit to save your changes. A
new BGP FlowSpec rule is created.
— When you find the BGP rule you want to edit, click the (Expand Row) button to open the
BGP rule.
3. Edit the parameters for the BGP rule, and then click Submit to save your changes.
— When you find the BGP rules you want to delete, select the BGP rule and click the
(Delete) button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the BGP rules.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.
2. From the drop-down menu, select which columns to hide. The selected column is hidden from
the table and the column name in the drop-down menu is grayed out.
3. To redisplay a column, from the drop-down menu, select the grayed-out column name. The
column displays and the menu item reverts to blue.
4. To restore the default column display, in the drop-down menu click the icon.
Note: When you activate an operation with a BGP FlowSpec rule, you can update that rule before
the activation, but for a FlowSpec rule within a BGP group, you can only update the rule after the
activation.
Parameter Description
Name The name of the BGP FlowSpec group.
Description Description of the BGP FlowSpec group.
Rule List Select BGP FlowSpec rules to be included in the BGP FlowSpec group.
1. From the Available BGP FlowSpec rules, highlight the rule you want to be
part of the group.
2. For each rule, click the > button to move it to the Selected list.
— When you find the BGP group you want to edit, click the (Expand Row) button to open
the BGP group.
3. Edit the parameters for the BGP group, and then click Submit to save your changes.
table, search for the BGP FlowSpec group by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec group you want to duplicate, select the BGP FlowSpec
group and click the (Duplicate) button to open the BGP FlowSpec group.
3. Edit the parameters for the new BGP FlowSpec group, and then click Submit to save your
changes. A new BGP FlowSpec group is created.
search for the BGP FlowSpec groups by typing a string in the search field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec groups you want to delete, select the BGP FlowSpec
groups and click the (Delete) button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the BGP FlowSpec groups.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Parameter Description
Name The name of the BGP FlowSpec Strictness profile.
Description Description of the BGP FlowSpec Strictness profile.
Minimum Number of Attributes The minimum number of BGP FlowSpec attributes required by
DefenseFlow to trigger a new protection for a specific attack event.
Values: 1 – 6
Associated DefensePro Protections The associated DefensePro protections that are required to
trigger a new protection.
Includes: All (all DefensePro protections), Allowlist/Blocklist, BDoS, SYN, DNS,
Traffic Filters, OOS, DDoS-Shield
Mandatory BGP FlowSpec Attributes Select BGP FlowSpec attributes to be included in the BGP
FlowSpec Strictness profile that are required to trigger a new protection for an operation.
1. From the Available attributes, highlight the attribute you want to be part of
the strictness profile.
2. For each attribute, click the > button to move it to the Selected list.
Note: For the Mandatory Attributes Available and Selected values to
display, you must first set the following dfc.bgp.flowspec.populate values to true:
• dfc.bgp.flowspec.populate.destination.port
• dfc.bgp.flowspec.populate.fragment
• dfc.bgp.flowspec.populate.protocol
• dfc.bgp.flowspec.populate.source.network
• dfc.bgp.flowspec.populate.source.port
• dfc.bgp.flowspec.populate.tcp.flags
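The following Python is an added example (not DefenseFlow code) of the decision a strictness profile describes: given a detection, does it come from an associated protection, carry at least the Minimum Number of Attributes, and include every mandatory attribute? The six attribute names are taken from the dfc.bgp.flowspec.populate keys above, and the profile and events are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass

# The six attributes DefenseFlow can populate in a FlowSpec rule, named after the
# dfc.bgp.flowspec.populate.* keys listed above (naming them this way is an assumption).
FLOWSPEC_ATTRIBUTES = frozenset({
    "destination.port", "fragment", "protocol",
    "source.network", "source.port", "tcp.flags",
})
# DefensePro protections a profile can be associated with, per the table above.
PROTECTIONS = frozenset({
    "Allowlist/Blocklist", "BDoS", "SYN", "DNS", "Traffic Filters", "OOS", "DDoS-Shield",
})


@dataclass(frozen=True)
class StrictnessProfile:
    name: str
    minimum_attributes: int                # documented range: 1 - 6
    associated_protections: frozenset      # {"All"} or a subset of PROTECTIONS
    mandatory_attributes: frozenset = frozenset()

    def __post_init__(self) -> None:
        if not 1 <= self.minimum_attributes <= len(FLOWSPEC_ATTRIBUTES):
            raise ValueError("Minimum Number of Attributes must be 1 - 6")
        if self.associated_protections != {"All"} and not self.associated_protections <= PROTECTIONS:
            raise ValueError("unknown DefensePro protection in associated_protections")
        unknown = self.mandatory_attributes - FLOWSPEC_ATTRIBUTES
        if unknown:
            raise ValueError(f"unknown FlowSpec attributes: {sorted(unknown)}")


@dataclass(frozen=True)
class AttackEvent:
    """A detection as DefenseFlow would see it (constructed shape, not a real record)."""
    protection: str   # the DefensePro protection that raised it
    attributes: dict  # FlowSpec attribute -> value populated for this event


def evaluate(profile: StrictnessProfile, event: AttackEvent) -> tuple[bool, list[str]]:
    """Return (trigger, reasons). Every failing check is listed, not only the first,
    so an operator can see why a detection did not become a FlowSpec protection."""
    reasons: list[str] = []
    if "All" not in profile.associated_protections and event.protection not in profile.associated_protections:
        reasons.append(f"protection {event.protection!r} is not associated with profile {profile.name!r}")
    populated = {k for k, v in event.attributes.items() if v not in (None, "", [])} & FLOWSPEC_ATTRIBUTES
    if len(populated) < profile.minimum_attributes:
        reasons.append(f"{len(populated)} attribute(s) populated, profile requires {profile.minimum_attributes}")
    missing = profile.mandatory_attributes - populated
    if missing:
        reasons.append(f"mandatory attribute(s) missing: {sorted(missing)}")
    return (not reasons, reasons)


# Constructed profile: at least three attributes, protocol and destination port
# mandatory, and only BDoS or SYN detections may trigger it.
SAMPLE_PROFILE = StrictnessProfile(
    name="three-attr-min",
    minimum_attributes=3,
    associated_protections=frozenset({"BDoS", "SYN"}),
    mandatory_attributes=frozenset({"protocol", "destination.port"}),
)
EVENT_RICH = AttackEvent("BDoS", {"protocol": "udp", "destination.port": 53, "fragment": "is-fragment"})
EVENT_SPARSE = AttackEvent("SYN", {"protocol": "tcp", "tcp.flags": "syn"})
EVENT_WRONG_PROTECTION = AttackEvent("DNS", {"protocol": "udp", "destination.port": 53, "source.port": 1234})

if __name__ == "__main__":
    for label, event in [("rich", EVENT_RICH), ("sparse", EVENT_SPARSE),
                         ("wrong protection", EVENT_WRONG_PROTECTION)]:
        trigger, why = evaluate(SAMPLE_PROFILE, event)
        print(f"{label:17} trigger={trigger} {why}")
```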
field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec strictness profile you want to duplicate, select the BGP
FlowSpec strictness profile and click the (Duplicate) button to open the BGP FlowSpec
strictness profile.
3. Edit the parameters for the new BGP FlowSpec strictness profile, and then click Submit to save
your changes. A new BGP FlowSpec strictness profile is created.
field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec Strictness profile you want to edit, click the (Expand
Row) button to open the BGP FlowSpec Strictness profile.
3. Edit the parameters for the BGP FlowSpec Strictness profile, and then click Submit to save your
changes.
field.
To clear the filter and perform a new search, delete and/or modify the search text.
— When you find the BGP FlowSpec Strictness profiles you want to delete, select the BGP
FlowSpec Strictness profiles and click the (Delete) button to delete them.
3. In the Confirmation dialog box, click Confirm to delete the FlowSpec Strictness profiles.
To sort columns
1. Click the heading for a column you want to sort.
2. Select the down arrow to sort the column in ascending order. Select the up arrow to sort in
descending order.
3. Click the heading to reset the column sorting.
4. To restore the default column display, in the drop-down menu click the icon.
Configuring DefenseFlow
The Configuration perspective is used to view and configure the system, network, and security
settings for the device.
This section includes the following topics:
• System, page 198
• Network, page 207
• Security Settings, page 224
System
The System perspective lets you view and enter new licensing information and configure
DefenseFlow IP interfaces in addition to the configured interface to APSolute Vision.
This section includes the following topics:
• Global Settings, page 199
• Licensing, page 199
• Software Upgrade, page 200
• Support File, page 201
• IP Management, page 201
• High Availability, page 203
• Syslog Alerts, page 204
• TACACS+ Settings, page 206
Global Settings
The Global Settings pane displays the DefenseFlow global settings that are applicable to all
DefenseFlow operations.
Parameter Description
Attack termination grace period The attack termination grace period, in seconds.
Attack termination is the time since a detector specified an attack as
terminated and until DefenseFlow considers the attack as actually
terminated. The grace period prevents hysteresis in protections due to
multiple starts and stops of attacks.
Default: 3600
Automatic Action Mode The global user action mode for workflows and protected objects.
• When enabled, the workflow and protected object user action mode is
set to Automatic.
• When disabled, all workflow and protected object user actions that are
set to Automatic are set to User Confirmation instead.
For more information on workflow user actions, see Table 112 - Workflow
Parameters, page 252. For more information on protected object user
actions, see Table 116 - Protected Object Parameters, page 259.
Default: Enabled
Blocklist or Allowlist Precedence in DefensePro When blocklists or allowlists are defined for
operations, determines which list type takes precedence globally on DefensePro devices.
For more information on blocklists and allowlists, see Filters, page 233.
Values: Blocklist Takes Precedence, Allowlist Takes Precedence
Default: Blocklist Takes Precedence
2. Click Submit.
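To show how the attack termination grace period suppresses hysteresis, the following Python model (an added example, not DefenseFlow code) replays a constructed detector feed in which the same attack is declared over, resumes, and is declared over again: with the default 3600 seconds it yields one activation and one termination, with no grace period two of each. That an attack resuming inside the grace period cancels the pending termination is this model's assumption.

```python
from __future__ import annotations

from dataclasses import dataclass, field

DEFAULT_GRACE_SECONDS = 3600  # documented default for the attack termination grace period


@dataclass
class AttackState:
    protected: bool = False
    termination_deadline: float | None = None  # set while a detector-reported end is pending


@dataclass
class TerminationTracker:
    """A protection is torn down only once the detector's 'terminated' signal has
    stood unrevoked for grace_seconds."""
    grace_seconds: float = DEFAULT_GRACE_SECONDS
    attacks: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # (time, attack_id, action)

    def _state(self, attack_id: str) -> AttackState:
        return self.attacks.setdefault(attack_id, AttackState())

    def detector_start(self, attack_id: str, now: float) -> None:
        st = self._state(attack_id)
        if st.protected:
            # The attack resumed inside the grace period: keep the protection that is
            # already in place and drop the pending termination. No stop/start churn.
            st.termination_deadline = None
            return
        st.protected = True
        self.log.append((now, attack_id, "protection_activated"))

    def detector_terminate(self, attack_id: str, now: float) -> None:
        st = self._state(attack_id)
        if st.protected and st.termination_deadline is None:
            st.termination_deadline = now + self.grace_seconds

    def tick(self, now: float) -> None:
        """Tear down protections whose grace period elapsed at or before `now`."""
        for attack_id, st in self.attacks.items():
            deadline = st.termination_deadline
            if st.protected and deadline is not None and now >= deadline:
                st.protected = False
                st.termination_deadline = None
                self.log.append((deadline, attack_id, "protection_terminated"))


def replay(events: list, grace_seconds: float, end_time: float) -> list:
    """Feed (time, attack_id, 'start'|'stop') detector events in time order and
    return the protection actions taken, as (time, attack_id, action) tuples."""
    tracker = TerminationTracker(grace_seconds)
    for t, attack_id, kind in sorted(events):
        tracker.tick(t)
        if kind == "start":
            tracker.detector_start(attack_id, t)
        elif kind == "stop":
            tracker.detector_terminate(attack_id, t)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    tracker.tick(end_time)
    return tracker.log


# Constructed detector feed: one attack that the detector declares over at t=100,
# sees again at t=400, and declares over for good at t=900.
FLAPPING_EVENTS = [(0, "a1", "start"), (100, "a1", "stop"), (400, "a1", "start"), (900, "a1", "stop")]

if __name__ == "__main__":
    print("grace 3600:", replay(FLAPPING_EVENTS, DEFAULT_GRACE_SECONDS, end_time=5000))
    print("grace 0:   ", replay(FLAPPING_EVENTS, 0, end_time=5000))
```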
Licensing
The Licensing pane displays the current licenses installed for DefenseFlow and any BDoS capacity
available.
Parameter Description
Base MAC Address (Read-only) The base MAC address for license generation displays.
License String If required, enter the new license string as provided by Radware.
Installed Licenses
DefenseFlow Cyber Control (View Only) (Read-only) The current DefenseFlow state. DefenseFlow is
Enabled after proper license installation.
Behavioral DoS Capacity (View Only) (Read-only) The current BDoS per protected object capacity, if
any.
Max Allowed Protected Objects The maximum number of protected objects related to this
DefenseFlow license.
License Expiration Date The license expiration date for non-perpetual licenses. If the license has
expired, you will need to renew the license key in order to use
DefenseFlow.
2. Click Submit.
Software Upgrade
The Software Upgrade pane displays information for the currently installed DefenseFlow version and
lets you upgrade to the latest DefenseFlow version. If you have a High Availability deployment, the
upgrade procedure upgrades the version for both DefenseFlow nodes.
Note: APSolute Vision only supports software upgrade. For a full fresh installation, you must use
the DefenseFlow host. For more information, see Installing and Initializing DefenseFlow Virtual
Appliance (VA), page 25.
Parameter Description
Current Software Version (Read-only) The current version of the software that is installed,
including the build number.
Example: 3.3.0.0-473
Previous Software Version (Read-only) The version of the software that was installed before the
current version.
Example: 3.3.0.0-464
Last Upgrade Time (Read-only) The date and time when the last upgrade was performed.
Support File
This procedure explains how to prepare a DefenseFlow support file to be sent to Radware Technical
Support.
Note: Creating the support file to be sent to Radware Technical Support using APSolute Vision is the
preferred method over using the Cyber Control menu.
If you have upgrade-related problems, create the support file from the Cyber Control menu, and not
from APSolute Vision. This is because the upgrade-related logs are part of the host, and are not
included by the support file created using APSolute Vision. For more information, see Generating a
Technical Support File, page 48.
IP Management
The IP Management pane lets you configure DefenseFlow network interfaces to be used for
accessing the DefenseFlow control elements, network elements, and mitigation devices.
Note: The initial configuration is defined when DefenseFlow is installed and initially set up.
This section includes the following topics:
• Network Interfaces, page 202
• Interfaces Associations, page 203
Network Interfaces
The Network Interfaces pane lets you configure network interfaces.
Parameter Description
Enable Interface Search for enabled or disabled network interfaces.
Interface Name String to search for in the network interface name.
IPv4 Address IPv4 address for the network interface to search for.
IPv6 Address IPv6 address for the network interface to search for.
To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the network interface, and then click Submit to save your
changes:
Parameter Description
Enable Interface Select to enable the network interface.
Interface Name (read-only) Interface name.
You can define additional interfaces using the VMware console. After defining the
additional interface, you can associate it to a network (see Interfaces
Associations, page 203).
Mode The mode for setting the network interface IP address.
Values:
• DHCP — The IP address is set automatically using DHCP. With this mode, the
IP address cannot be manually overridden. The supported DHCP mode is
infinite lease.
• STATIC — You can override the IP address that was set using DHCP. This is the
recommended setting.
Default: DHCP
IP Version 4
IPv4 Address IPv4 address.
IPv4 Mask IPv4 mask.
IPv4 Gateway IPv4 gateway.
IP Version 6
IPv6 Address IPv6 address.
IPv6 Mask IPv6 mask.
IPv6 Gateway IPv6 gateway.
Interfaces Associations
The Interfaces Associations pane lets you configure interface associations.
Parameter Description
Network String to search for in the network name.
Interface String to search for in the associated interface name.
To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the interface association, and then click Submit to save your
changes:
Parameter Description
Network (read-only) The network to which to associate an interface.
Interface The interface to associate to the network.
You can define additional interfaces using the VMware console. After defining the
additional interface, you can associate it to a network.
High Availability
Use the High Availability pane to configure or modify High Availability settings. You can also
configure these settings using the CLI. For information on how to install and initialize DefenseFlow
High Availability, see Installing and Initializing DefenseFlow High Availability, page 39.
Parameter Description
Active DefenseFlow Node IP The Active DefenseFlow device IP address.
Enable High Availability Enables or disables High Availability. Select to enable High Availability,
and deselect to disable High Availability.
Default: Disabled
Standby DefenseFlow Node IP The Standby DefenseFlow device IP address.
This parameter displays when you enable High Availability.
Enable Automatic Failover Enables automatic failover.
This parameter displays when you enable High Availability.
Default: Enabled (when High Availability is enabled)
With automatic failover, the Active node continuously sends a heartbeat to the
Standby node. When the Standby node determines that the Active node has
failed, the Standby node assumes the role of the Active node and continues to
provide network service.
3. Wait until you receive confirmation that enabling or disabling the process has completed.
Note: Adding a standby node can take several minutes. To view its progress, you can execute
the CLI command dfc-info:progress-list [-refresh 5], where -refresh is the
optional auto-refresh mode.
4. Verify that the nodes display as configured in the Monitoring perspective, System > High
Availability.
Syslog Alerts
This pane displays the syslog servers that receive DefenseFlow syslog alerts. For a list of
DefenseFlow syslog alerts, see Appendix - Alerts Table, page 373.
• Search for the syslog alert by typing a string in one of the syslog alert search fields and
clicking the (Search) button.
Parameter Description
Syslog Destination IP String to search for in the syslog server destination IP address.
Port String to search for in the syslog server port number.
Severity Syslog alert severity to search for.
Values:
• DEBUG
• ERROR
• FATAL
• INFO
• WARNING
Description String to search for in the syslog server descriptions.
Update Time The syslog alert update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the syslog alert, and then click Submit to save your changes:
Parameter Description
IP Syslog server destination IP address to which syslog alerts are sent.
Port Syslog server port number to which syslog alerts are sent.
Severity Syslog alert severity.
Values:
• DEBUG
• ERROR
• FATAL
• INFO
• WARNING
Description Syslog server description.
Note: -port is optional. If no specific port is specified, port 514 is the default.
3. To disable the feature, enter the following command:
dfc-core:configuration-set -name dfc.audit.log.send.syslog.server.enabled -value false
TACACS+ Settings
When you access DefenseFlow via APSolute Vision or the REST API, TACACS+ authentication and
authorization are handled by APSolute Vision.
The TACACS+ Settings feature lets you configure TACACS+ authentication settings for your primary
and secondary TACACS+ servers for access to the DefenseFlow CLI via SSH.
When enabled, CLI user access credentials and permissions are determined by the TACACS+ server.
CLI user permissions are determined by the TACACS+ server priv_level parameter according to the
following values:
• 0-14 — CLI user access is read-only
• 15 — CLI user access is read-write
The name of a TACACS+ authenticated user is included in the audit log for any activities that user
performs.
Parameter Description
Enable Enables TACACS+ authentication. When you enable TACACS+ authentication,
TACACS+ user access credentials and permissions to DefenseFlow through SSH or
DefenseFlow CLI are set based on the settings in the TACACS+ server.
If TACACS+ is disabled or unreachable, only the root, radware, radwareread,
or locally-added users can be used.
If either primary or secondary TACACS+ servers are unreachable, user access
credentials and permissions are determined by the local DefenseFlow user table.
Default: Disabled (When TACACS+ authentication is disabled, the local
DefenseFlow user table determines access credentials and permissions.)
Primary TACACS+ Server Tab Set the following parameters for your primary TACACS+ server:
• Server IP Address — The primary server IP address.
• Server Listening Port — The primary server listening port.
• Server Secret Key — The primary server secret key.
• Confirm Server Secret Key — Confirmation of the primary server secret key.
Secondary TACACS+ Server Tab Set the following parameters for your secondary TACACS+ server:
• Server IP Address — The secondary server IP address.
• Server Listening Port — The secondary server listening port.
• Server Secret Key — The secondary server secret key.
• Confirm Server Secret Key — Confirmation of the secondary server secret key.
Shared Parameters Tab Set the following parameters that are shared by the TACACS+ servers:
• Service Name — Service shared by the TACACS+ servers.
The string cannot be a value reserved by the TACACS+ server.
Recommended value: dfc
Network
Use the Network pane to view or edit various control, network, and mitigation elements and devices.
This section includes the following topics:
• BGP, page 207
• Control Elements, page 208
• Network Elements, page 212
• Network Elements Groups, page 216
• Route Tags, page 217
• Mitigation, page 218
BGP
Use the BGP pane to configure DefenseFlow global BGP parameters.
Notes
• BGP is a dynamic routing protocol that announces and distributes routing information between
routers.
• DefenseFlow can work as a BGP speaker, supporting announcements to multiple BGP peers in
IPv4 and IPv6 for diversion purposes. The global parameters are relevant only if DefenseFlow
BGP is enabled (default). To configure this support, see To add network interfaces for
announcements to multiple BGP peers, page 208.
Note: Changing the global BGP configuration causes all existing BGP peers to restart.
1. In the Configuration perspective, select Network > BGP.
2. Configure the BGP parameters and click Submit.
Parameter Description
DefenseFlow Router ID DefenseFlow BGP router ID.
Default: the control interface IP address
Hold Time The BGP hold time, in seconds.
Default: 180
Local AS The local Autonomous System number.
Default: 65001
Control Elements
Use the Control Elements pane to search for, configure, or delete control elements. The initial view
displays existing control elements and lets you search for a specific control element.
• Highlight the control element and click the (Edit control element) button.
• Type a string in the (Search) field, and in the control element you want to edit,
Parameter Description
Enable Control Enables or disables the control element.
Element Default: Enabled
Name Control element logical name.
Description Description of the control element.
Parameter Description
Type Type of control element.
Values:
• External Detector — For External Detector parameters, see Table 70 - Control
Element External Detector Access Information Parameters, page 209.
• Radware Collector — For Radware Collector parameters, see Table 71 - Control
Element Radware Collector Access Information Parameters, page 210.
• FlowDetector — For FlowDetector parameters, see Table 72 - Control Element
FlowDetector Access Information Parameters, page 211.
• Radware AppWall — For Radware AppWall parameters, see Table 73 - Radware
AppWall Access Information Parameters, page 211.
• BGP-Listener — For BGP-Listener parameters, see Table 74 - BGP-Listener
Access Information Parameters, page 212.
Parameter Description
Control Element Management Address The source IP address of the external detector.
The management IP address should be the source IP address of the syslog
messages received from the external detector (NetFlow Detector, AppWall, or
other).
Protocol Protocol used by the external detector for sending detection signals.
Values: TCP, UDP
Default: UDP
DefenseFlow L4 Port Layer 4 port for receiving detection signals from the external detector.
Values: 0 – 65535
Table 70: Control Element External Detector Access Information Parameters (cont.)
Parameter Description
Attach Driver Select which driver to use for the control element.
Parameter Description
Attach Driver Select which driver to use for the control element.
Table 71: Control Element Radware Collector Access Information Parameters (cont.)
Parameter Description
Management The Management Access parameters include:
Access • Management protocol — Management protocol of the control element.
Values: HTTPS, HTTP, SSH
Default: HTTPS
• IP address — IP address of the control element.
• IP Port — Port number of the control element
• URI — URI to use when the management protocol is HTTP or HTTPS.
Note: This parameter is not used for the Radware collector. If you are using
the Radware collector, leave this parameter empty.
Parameter Description
Attach Driver Select the FlowDetector driver to use for the control element.
Click the (Add) button and select the driver from the drop-down list.
Admin User The Admin User parameters include:
• User Name — User name to log in to the control element. Default: admin
• Password — Login password. Default: radware
Management The Management Access parameters include:
Access • IP address — IP address of the control element.
• IP Port — Port number of the control element. Default: 10007
Parameter Description
Tunnels The IP addresses representing the external public IP address of the Web Server
that is located behind the AppWall device.
Note: By default, Use any network address in the Security Settings >
Protected Objects > Protected Network pane is selected. If you are using
AppWall as the external detector, Radware recommends that Use any
network address remain selected. If you choose to deselect it, for the
AppWall detector to work properly you must ensure that the protected network
is the same IP address as the AppWall tunnel address.
To add a tunnel:
Parameter Description
Protocol Protocol used by Radware AppWall for sending detection signals.
Values: TCP, UDP
Default: UDP
DefenseFlow L4 Port Layer 4 port for receiving detection signals from Radware AppWall.
Values: 0 – 65535
Attach Driver Select which driver to use for the control element.
Parameter Description
Communities One or more BGP communities, separated by a space.
With this parameter, you indicate which exact BGP communities will be analyzed
by the control element to activate or deactivate a protection.
DefenseFlow is triggered upon attack detection from various sources such as
NetFlow Detector, AppWall, and DefensePro. An MSSP can provide security
services to its customers and let these customers activate or deactivate their
protection using BGP announcements.
The BGP-Listener control element listens to BGP announcements and activates
attack protection on a protected object assigned to the network. It also listens to
withdrawal messages that terminate the attack protection of the protected
network.
3. Click (Delete).
4. Click Yes to delete the selected control element.
Network Elements
Use the Network Elements pane to search for, configure, or delete network elements. The initial view
displays existing network elements and lets you search for a specific network element.
Parameter Description
Status Search for network elements set to Disabled or Enabled.
Name Network element name to search for.
Description String to search for in the network element descriptions.
Control The diversion control to search for.
Values: Name of the control element that enables the diversion, BGP, None
Update Time The network element update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the network element, and then click Submit to save your
changes:
Parameter Description
Enable Network Element Enables or disables the network element.
Default: Enabled
Name Name of the network element.
Description Description of the network element.
Statistics Collection Control Control element for statistics collection.
Note: This parameter is relevant only in deployments where DefenseFlow is the detector.
Values:
• Name of a control element that collects the statistics from this network element
• None
Default: None
Parameter Description
Control Type of diversion control.
Note: This field is relevant only when DefenseFlow is set to initiate diversion of
traffic from this network element.
Values:
• Name of a control element that will enable the diversion
• BGP — This opens the BGP Configuration and Advanced Settings tabs. See
BGP Configuration in this table.
• BigSwitch — Select this option if you use the BigSwitch network server in your
solution topology. This opens the Management Settings tab. See
Management Settings in this table.
• None
Default: None
Network Groups You can group multiple network elements together for common detection and
diversion actions within a protected object’s configuration. A network element can
be placed in one or more network element groups. Select one of the defined
network groups by moving it from the Available list to the Selected list.
For more information on placing network elements into a group, see Network
Elements Groups, page 216.
BGP Configuration (This tab only displays when BGP is selected in the Diversion Control field) Configure the BGP parameters for the network element:
• Support BGP FlowSpec — Select this for network elements that support FlowSpec. DefenseFlow then uses the element for BGP FlowSpec rules and for blocking traffic based on those rules.
• BGP Peer Address — The IP address used by the network element for BGP peering. You can enter either an IPv4 or IPv6 address.
• MD5 Key — The MD5 secret of the network element. This is the shared secret for the TCP MD5 signature option (RFC 2385) on the BGP session; it must match the key configured on the peer, or the session does not establish.
• Confirm MD5 Key — Enter the MD5 secret of the network element again.
• 4 Bytes Support — Specifies whether AS numbers encoded as a 4-byte entity are supported.
• DefenseFlow Router ID — The BGP router ID of the network element. The default is the Router ID defined per the global BGP parameters (see BGP, page 207).
• Local AS — The local Autonomous System number DefenseFlow uses for the network element's BGP peer.
• Peer AS — The Autonomous System number of the network element's BGP peer.
• Hold Time — The BGP hold time of the network element, in seconds.
• Route Refresh — Enables/disables the BGP Route Refresh option.
Values: Enabled, Disabled
Default: Enabled
• Graceful Restart — Enables/disables the BGP Graceful Restart option.
Values: Enabled, Disabled
Default: Enabled
• Graceful Restart Time — The BGP Graceful Restart time in seconds.
• Diversion Connectivity — Specifies network elements that have connectivity (tunnels) from this network element for diversion purposes. Click the (Add) button to add a network:
— Destination Network Element — Select the network element.
Parameter Description
Advanced Settings (This tab only displays when BGP is selected in the Diversion Control field) In the Network field, select the BGP network for the network element.
Management Settings (This tab only displays when BigSwitch is selected in the Diversion Control field) When you want to use your BigSwitch network server as your diversion control element, provide the values for the following BigSwitch parameters defined for that server:
• Network Element Management IP Address — BigSwitch Network Element Management IP address.
• BigSwitch Policy Name — BigSwitch policy name.
• BigSwitch Port — BigSwitch port.
• BigSwitch User — BigSwitch username.
• BigSwitch Password — BigSwitch password.
• Confirm BigSwitch Password — Confirmation of BigSwitch password.
• Enable Health Check — Receive an alert through SNMP, syslog, or e-mail when the BigSwitch BSN status changes from DOWN to UP, or UP to DOWN.
Default: Enabled
• BigSwitch Hello Interval — This parameter is only available when Enable Health Check is selected. Sets how often a hello packet is sent to the BigSwitch network device/element.
Values: 30 – 1800 seconds
Default: 60
• BigSwitch Hold Time — This parameter is only available when Enable Health Check is selected. Sets how long to wait for a response from the BigSwitch network device/element. If the BigSwitch BSN status changes after the Hold Time has elapsed, an alert is sent. The Hold Time value must be at least three times the Hello Interval value.
Values: 90 – 5400 seconds
Default: 180
3. Click (Delete).
4. Click Yes to delete the selected network element.
• Highlight the network element group and click the (Edit) button.
• Search for the network element group by typing a string in one of the network element
Parameter Description
Group Name Name of the network element group for which to search.
Description String to search for in the network element group descriptions.
Update Time The network element group update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the network element group, and then click Submit to save your
changes:
Parameter Description
Name Name of the network element group.
Description Description of the network element group.
Available List of configured network elements that are available to put into the network
element group.
Selected List of selected network elements that are currently in the group.
3. Click (Delete).
Route Tags
Route tags can be used as a clean traffic injection method and for BGP FlowSpec diversion.
Use the Route Tags pane to search for, configure, or delete route tags for clean traffic injection. The
initial view displays the existing route tags and lets you search for a specific route tag.
Parameter Description
Name Name of the route tag for which to search.
Description String to search for in the route tag descriptions.
Route Target String to search for in the route targets.
Update Time The route tag update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the route tag, and then click Submit to save your changes:
Parameter Description
Name Name of the route tag.
Description Description of the route tag.
Route Target (Optional) Route target of the route tag.
Define the route target of the route tag if you are using a BGP FlowSpec rule for
traffic redirection. This identifies the route tag you select in the FlowSpec rule for
VRF redirection.
Values: The route target in one of the following formats:
• ASN:ID (for example, 65000:100)
• ASNL:ID (for example, 65001L:200)
• IP:ID (for example, 1.2.3.4:300)
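A route target that does not parse, or whose numbers do not fit the encoding, is a FlowSpec redirect that silently goes nowhere, so it is worth validating before submitting it. The following is an added example, not Radware code: it accepts the three formats listed above and applies range limits taken from the BGP extended-community encodings (two-octet AS form per RFC 4360, four-octet AS form per RFC 5668, IPv4 form per RFC 4360). Treating the L suffix as the four-octet-AS form and those limits are this example's assumptions; the guide itself states no limits.

```python
"""Validate DefenseFlow route-tag 'Route Target' strings (added example, not Radware code).

Accepts the three formats the guide lists: ASN:ID, ASNL:ID and IP:ID. The range
limits are an assumption taken from BGP extended-community encodings:
  ASN:ID   2-byte AS  + 4-byte local admin (RFC 4360 two-octet AS form)
  ASNL:ID  4-byte AS  + 2-byte local admin (RFC 5668 four-octet AS form)
  IP:ID    IPv4       + 2-byte local admin (RFC 4360 IPv4 form)
"""
import ipaddress
import re
from typing import NamedTuple

_TWO_OCTET_AS = re.compile(r"^(\d+):(\d+)$")
_FOUR_OCTET_AS = re.compile(r"^(\d+)L:(\d+)$")
_IPV4 = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


class RouteTarget(NamedTuple):
    kind: str          # "asn", "asn4" or "ip"
    admin: int         # global administrator (AS number, or IPv4 address as an int)
    local: int         # local administrator (the ID part)

    def __str__(self) -> str:
        if self.kind == "asn":
            return f"{self.admin}:{self.local}"
        if self.kind == "asn4":
            return f"{self.admin}L:{self.local}"
        return f"{ipaddress.IPv4Address(self.admin)}:{self.local}"


def parse_route_target(text: str) -> RouteTarget:
    """Parse and range-check one route target; raise ValueError on anything else."""
    text = text.strip()
    # The IP form is unambiguous (it contains dots), so it is tried first.
    m = _IPV4.match(text)
    if m:
        admin = int(ipaddress.IPv4Address(m.group(1)))  # rejects e.g. 999.1.1.1
        local = int(m.group(2))
        if local > 0xFFFF:
            raise ValueError(f"IP:ID local part out of range (0-65535): {text}")
        return RouteTarget("ip", admin, local)
    m = _FOUR_OCTET_AS.match(text)
    if m:
        asn, local = int(m.group(1)), int(m.group(2))
        if asn > 0xFFFFFFFF or local > 0xFFFF:
            raise ValueError(f"ASNL:ID out of range (AS 0-4294967295, ID 0-65535): {text}")
        return RouteTarget("asn4", asn, local)
    m = _TWO_OCTET_AS.match(text)
    if m:
        asn, local = int(m.group(1)), int(m.group(2))
        if asn > 0xFFFF or local > 0xFFFFFFFF:
            raise ValueError(f"ASN:ID out of range (AS 0-65535, ID 0-4294967295): {text}")
        return RouteTarget("asn", asn, local)
    raise ValueError(f"not a route target in ASN:ID, ASNL:ID or IP:ID form: {text!r}")


def is_valid_route_target(text: str) -> bool:
    try:
        parse_route_target(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The guide's three examples plus two that look plausible but do not fit the encoding.
    for rt in ("65000:100", "65001L:200", "1.2.3.4:300", "70000:1", "1.2.3.4:70000"):
        print(f"{rt:16} -> {'ok' if is_valid_route_target(rt) else 'rejected'}")
```

The last two inputs are the cases that matter: 70000 does not fit a two-byte AS (it needs the L form), and 70000 does not fit the two-byte local part of the IP form.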
3. Click (Delete).
4. Click Yes to delete the route tag.
Mitigation
The Mitigation node lets you configure and monitor mitigation devices and mitigation device groups.
It includes the following panes:
• Mitigation Devices, page 218
• Mitigation Devices Groups, page 222
• Health Monitoring, page 223
Mitigation Devices
Use the Mitigation Devices pane to search for, configure, or delete mitigation devices. The initial view
displays existing mitigation devices and lets you search for a specific mitigation device.
Note: When you set the mitigation device to be DefensePro, you first must ensure that the
DefensePro device has been added using APSolute Vision. If you are adding it just now using this
procedure, after adding it to APSolute Vision, wait approximately a minute, and then set it as the
mitigation device for DefenseFlow, after which the DefenseFlow-device icon in the APSolute Vision
device pane is shown with two triangles. For more information on adding a DefensePro device using
APSolute Vision, refer to the APSolute Vision User Guide.
• Highlight the mitigation device and click the (Edit Mitigation) icon for that device.
• Set a filter to search for the mitigation device:
a. Type a string in the Filter table by: field. All mitigation devices that include the
string in any of their parameters are displayed:
Parameter Description
Admin Status Filter for mitigation devices set to Disabled or Enabled.
Type Type of the mitigation devices for which to filter.
Values: DefensePro, Third Party
Parameter Description
Name Name of the mitigation devices for which to filter.
Description String to filter for in the mitigation device descriptions.
Update Time The mitigation device update time to filter for.
b. Locate the mitigation device you want to edit and click the (Edit Mitigation) icon
for that device.
c. To clear the filter, clear the text in the Filter table by: field.
3. Configure the parameters for the mitigation device, and then click Submit to save your
changes:
Parameter Description
Enabled Enable or disable the mitigation device.
Default: Enabled
Type The type of mitigation device.
Values: DefensePro, Third Party
Default: DefensePro
Note: If you use DefensePro as the mitigation device, DefensePro health
monitoring must be set to enabled. For more information, see Health
Monitoring, page 223.
Name Names of the mitigation devices.
For DefensePro mitigation devices, it is a list of the available devices that are
configured in the APSolute Vision management system.
For third-party mitigation devices, it is a free text field.
Description Description of the mitigation device. For DefensePro mitigation devices, it is as
configured in the APSolute Vision management system, which you can edit.
Version (Read-only) Software version of the DefensePro mitigation device as configured in
the APSolute Vision management system.
Management IP (Read-only) IP address of the DefensePro mitigation device as configured in the
APSolute Vision management system.
Managed Device Select if this device is managed by DefenseFlow.
Default: Not selected
Parameter Description
Diversion and Set the diversion and injection parameters:
Injection Tab • Route Name — Select or configure a route configuration to be used with this
mitigation device:
— Select a route configuration to which the mitigation device diverts traffic.
The configuration for the route you selected is displayed in the remaining
parameters in the Diversion and Injection tab.
The Default route is the route you defined when you first configured this
mitigation device.
— To add a new route for this mitigation device:
a. Click Add Route Name....
b. Set the route name, and click Add.
c. Set the remaining parameters in the Diversion and Injection tab.
— To delete a route:
a. Select a route name.
b. Click Delete Route Name.
Note: By default, this feature is disabled. When disabled, the only choice
for a route configuration is the set of parameters you set when you first
configure the mitigation device.
To enable this feature, do the following:
— Upgrade the DefenseFlow device driver to the version provided to you by
Radware Technical Support. For more information on how to upgrade the
DefenseFlow device driver, see the APSolute Vision User Guide.
— From the DefenseFlow CLI, run the following command:
dfc-core:configuration-set -name dfc.mitigation.route.name.enabled -value true
• Diversion address IPv4 — IPv4 address of the mitigation device to be used as
the destination for diverted traffic.
• Diversion address IPv6 — IPv6 address of the mitigation device to be used as
the destination for diverted traffic.
Parameter Description
Diversion and Injection Tab (continued) • Clean traffic injection — Clean traffic injection is relevant only for DefensePro
devices. Set the clean traffic injection options and click Submit:
— Fixed Injection Points — To add the IPv4 and IPv6 route addresses to be
used for injection to all protected objects, click Add Injection IP:
• First IPv4 Injection Point Address — The first IPv4 injection point address.
• Second IPv4 Injection Point Address — The backup IPv4 injection point address.
• First IPv6 Injection Point Address — The first IPv6 injection point address.
• Second IPv6 Injection Point Address — The backup IPv6 injection point address.
— Tunnels Table — You can add a tunnel, or edit an existing tunnel, used for
clean traffic injection:
• To add a tunnel, click Add Tunnel, and configure the tunnel parameters:
• Protected Network Type — Values: Remote Network, Route Tag
• Remote Network/Route Tag — If you selected Remote Network as the
Protected Network Type, select a remote network for this tunnel. If you
selected Route Tag as the Protected Network Type, select a Route Tag for
this tunnel.
• Tunnel Address — The tunnel IP address.
• Tunnel Description — Tunnel text description.
• To edit an existing tunnel, do one of the following:
• Highlight the tunnel and click the (Edit) icon for that tunnel.
• Type a string in the Filter table by: field. All tunnels that include the
string in any of their parameters are displayed. Locate the tunnel you
want to edit and click the (Edit) icon for that tunnel.
Physical Connectivity Tab A list of network elements to which the mitigation device is directly connected. A
mitigation device can be connected to multiple network elements. Select from the
defined network elements by moving them from the Available list to the Selected list.
When you connect network elements to a mitigation device, this connects the
mitigation device to the peers in the operation diversion group as represented by
the network element, if in the operation the Use Connectivity parameter is enabled.
Mitigation Devices Groups Tab A list of mitigation groups of which the mitigation device should be a member. A
mitigation device can be part of multiple mitigation groups. Select from the
defined mitigation device groups by moving them from the Available list to the
Selected list.
3. Click (Delete).
• Highlight the mitigation device group and click the (Edit) button.
• Search for the mitigation device group by typing a string in one of the mitigation device
Parameter Description
Group Name The name of the mitigation device group to search for.
Description String to search for in the mitigation device group descriptions.
Cluster IPv4 Address Cluster IPv4 address to search for.
Cluster IPv6 Address Cluster IPv6 address to search for.
Update Time The mitigation devices group update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the mitigation device group, and then click Submit to save your
changes:
Parameter Description
Name Name of the mitigation device group.
Description Description of the mitigation device group.
Cluster IPv4 Address Cluster IPv4 address of the mitigation device to use as the destination of diverted
traffic. If not defined, DefenseFlow uses the diversion target address from the
mitigation devices themselves.
Cluster IPv6 Address Cluster IPv6 address of the mitigation device to use as the destination of diverted
traffic. If not defined, DefenseFlow uses the diversion target address from the
mitigation devices themselves.
Available List of available DefensePro devices that can be put into this group.
Selected List of DefensePro devices that are currently in this group.
3. Click (Delete).
4. Click Yes to delete the selected mitigation device group.
Health Monitoring
Use the Health Monitoring pane to configure global health monitoring parameters for the DefensePro
mitigation devices. Third-party mitigation devices are not monitored.
Parameter Description
Enable health monitoring Enables DefensePro health monitoring.
Default: Enabled
Note: Radware recommends that health monitoring should remain enabled to
ensure DefensePro mitigation service availability. If you disable health
monitoring, the DefensePro mitigation devices are no longer monitored and
updates to them are not reflected in DefenseFlow.
Health monitoring interval The health monitoring interval.
Default: 10 seconds
Health monitoring retries Number of health monitoring retries. After these retries, the status is changed to
DOWN.
Default: 3
Mitigation Devices Capacity Upper Bounds
Max Allowed CPU Utilization for mitigation device The maximum allowed CPU utilization for mitigation devices. If the CPU utilization
is greater than the maximum allowed, the device is considered BUSY.
Default: 80%
Max Allowed BW Utilization for mitigation device The maximum allowed bandwidth utilization for mitigation devices. If bandwidth
utilization is greater than the maximum allowed, the device is considered BUSY.
Default: 80%
Max allowed protected object policies utilization for mitigation device Maximum protected object policies utilization for mitigation devices. If the
protected object policies utilization is greater than the maximum allowed, the
device is considered BUSY.
Default: 90%
Max allowed filter list policies utilization for mitigation device Maximum allowed filter list policies utilization for mitigation devices. If the filter
list policies utilization is greater than the maximum allowed, the device is
considered BUSY.
Default: 80%
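The practical consequence of these parameters is how long a dead or saturated scrubber keeps receiving diverted traffic. The following is an added example, not Radware code, and the guide does not describe how DefenseFlow implements the rules internally: it models the parameters as stated above (a device is DOWN once the retry budget is used up by consecutive failed probes, BUSY when any utilization is strictly greater than its upper bound, and the defaults of 10 seconds and 3 retries) so that the worst-case detection latency and the threshold boundaries can be checked. Keeping the previous status until the retries are exhausted is this example's assumption.

```python
"""Model of the DefensePro health-monitoring rules described in the guide (added
example, not Radware code). Status transitions:
  - unreachable probe: failure counter increments; after `retries` consecutive
    failures the device is DOWN (until then the previous status is kept: assumption)
  - reachable probe: counter resets; BUSY if any utilization exceeds its upper bound,
    otherwise UP
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import List


@dataclass
class HealthSettings:
    interval_seconds: int = 10               # Health monitoring interval (guide default)
    retries: int = 3                         # Health monitoring retries (guide default)
    max_cpu_pct: float = 80.0                # Max Allowed CPU Utilization
    max_bw_pct: float = 80.0                 # Max Allowed BW Utilization
    max_po_policies_pct: float = 90.0        # Max allowed protected object policies utilization
    max_filter_policies_pct: float = 80.0    # Max allowed filter list policies utilization


@dataclass
class Probe:
    """One health-check result, constructed by the caller (sample data, not real telemetry)."""
    reachable: bool
    cpu_pct: float = 0.0
    bw_pct: float = 0.0
    po_policies_pct: float = 0.0
    filter_policies_pct: float = 0.0


@dataclass
class DeviceHealth:
    settings: HealthSettings = field(default_factory=HealthSettings)
    status: str = "UP"
    consecutive_failures: int = 0
    busy_reasons: List[str] = field(default_factory=list)

    def record(self, probe: Probe) -> str:
        """Apply one probe result and return the resulting status: UP, BUSY or DOWN."""
        if not probe.reachable:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.settings.retries:
                self.status = "DOWN"
            return self.status
        self.consecutive_failures = 0
        s = self.settings
        # "greater than the maximum allowed" is strict: exactly 80% is still UP.
        self.busy_reasons = [
            name for name, value, limit in (
                ("cpu", probe.cpu_pct, s.max_cpu_pct),
                ("bandwidth", probe.bw_pct, s.max_bw_pct),
                ("protected-object-policies", probe.po_policies_pct, s.max_po_policies_pct),
                ("filter-list-policies", probe.filter_policies_pct, s.max_filter_policies_pct),
            ) if value > limit
        ]
        self.status = "BUSY" if self.busy_reasons else "UP"
        return self.status

    def seconds_until_down(self) -> int:
        """Worst-case time an unreachable device keeps its old status: interval x retries."""
        return self.settings.interval_seconds * self.settings.retries


if __name__ == "__main__":
    device = DeviceHealth()
    for probe in (Probe(True, cpu_pct=50), Probe(True, cpu_pct=85),
                  Probe(False), Probe(False), Probe(False), Probe(True)):
        print(device.record(probe), device.busy_reasons)
    print("detection latency:", device.seconds_until_down(), "s")
```

With the defaults a scrubber that stops answering is still considered available for up to 30 seconds; lowering the interval or retries shortens that window at the cost of more false DOWN transitions on a lossy management path.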
Security Settings
Use the Security Settings node to view or edit protected objects and various detection and
mitigation elements related to them.
The perspective includes the following tabs:
• Network Elements Parameters, page 3115
• BGP FlowSpec, page 225
• Filters, page 233
• Geolocation Feed Group, page 235
• DNS AllowList, page 236
• Operations, page 237
• Detection, page 248
• Workflows, page 251
• Protected Objects, page 258
Security Templates
Security templates are the security configurations to provision on DefensePro devices for the
protected object. To support multiple DefensePro versions, each template can include multiple
template instances per DefensePro version.
Use the Security Templates pane to view, configure, or delete security templates. The initial view
displays existing security templates and lets you search for a security template.
Note: Basic is a predefined security template that you can use to create new templates. You
cannot edit the Basic security template itself.
3. Configure the security template and click Submit.
Parameter Description
Name Name of the security template.
Description Description of the security template.
Template Origin Origin of the security template.
Values:
• Protected Object — Creates a template from an existing policy of a protected
object.
• Vision Template — Creates a template from an existing policy in the APSolute
Vision security templates repository.
Policy Name The security policy name from which to create the template.
— Search for the security template by typing a string in one of the security template search
Parameter Description
Name The name of the security template to search for.
Description String to search for in the security template description.
Creation Date The creation date to search for.
To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the security template, and then click Submit to save your
changes:
Parameter Description
Name (Read-only) Name of the security template.
Template Edit the security template as required.
BGP FlowSpec
The BGP FlowSpec node includes the following sub-nodes:
• BGP FlowSpec Rules, page 226
• Highlight the BGP FlowSpec rule and click the (Edit) button.
• Search for the BGP FlowSpec rule by typing a string in one of the BGP FlowSpec rules
Parameter Description
Name The name of the BGP FlowSpec rule to search for.
Description String to search for in the BGP FlowSpec rule description.
FlowSpec Strictness Profile The strictness profile associated with the BGP FlowSpec rule to search for.
Redirect to VRF The route tag (VRF) to search for.
Redirect to Mitigation Search for a rule based on whether redirect to mitigation is Enabled or Disabled.
Block Search for a rule based on whether blocking is Enabled or Disabled.
Rate Limit (bytes per second) The rate limit, in bytes per second, to search for.
Set DSCP The DSCP to search for.
Update Time The BGP FlowSpec rule update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the BGP FlowSpec rule, and then click Submit to save your
changes:
Parameter Description
Name Name of the BGP FlowSpec rule.
Description Description of the BGP FlowSpec rule.
Destination The destination prefix to match.
Prefix Values:
• Attacked IP — The actual destination IP addresses are inherited from the
protected object’s networks or IP addresses under attack or manually
activated.
• Entire Networks — The actual destination IP addresses are inherited from the
protected object that uses this rule for its various operations or manual
actions.
• Specific prefix — The Prefix to Block field displays, letting you define a set of
IP prefixes for the destination prefix.
Default: Attacked IP
Prefix to Block (This field displays only if you have selected Specific prefix as the Destination Prefix.) Defines one or more IPv4 or IPv6 destination prefixes, each IP prefix separated
by a space.
Values: IPv4 or IPv6 prefix in CIDR notation (n1.n2.n3.n4/prefix-length)
Maximum number of networks: 100
Source Prefix Defines one or more IPv4 or IPv6 source prefixes, each IP prefix separated by a
space.
Values: IPv4 or IPv6 prefix in CIDR notation (n1.n2.n3.n4/prefix-length)
Maximum number of networks: 100
Port Defines a set of operation/value pairs that match the source or destination TCP/UDP
ports.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Source Port Defines a set of operation/value pairs that match the source TCP/UDP port.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
Examples
A [gre]
B [tcp udp]
C [3]
D [1-3 8-9]
ICMP Type Defines a set of operation/value pairs that match the type field of an ICMP
packet.
Values:
• echo-reply
• echo-request
• info-reply
• info-request
• mask-reply
• mask-request
• parameter-problem
• redirect
• router-advertisement
• router-solicit
• source-quench
• time-exceeded
• timestamp
• timestamp-reply
• unreachable
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.
Parameter Description
ICMP Code Defines a set of operation/value pairs that match the code field of an ICMP
packet.
Values:
• communication-prohibited-by-filtering
• destination-host-prohibited
• destination-host-unknown
• destination-network-unknown
• fragmentation-needed
• host-precedence-violation
• ip-header-bad
• network-unreachable
• network-unreachable-for-tos
• port-unreachable
• redirect-for-host
• redirect-for-network
• redirect-for-tos-and-host
• redirect-for-tos-and-net
• required-option-missing
• source-host-isolated
• source-route-failed
• ttl-eq-zero-during-reassembly
• ttl-eq-zero-during-transit
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.
Flag Defines the set of operation/value pairs used as a bit-mask to match TCP flags.
Values: fin, syn, rst, push, ack, urgent
The value can be:
• A single value
• A set of values surrounded by brackets ([]) and separated by a space.
Parameter Description
DSCP Defines the set of operation/value pairs to match the 6-bit DSCP field.
Values:
• A single value
• A complex condition using the < (Less Than), > (Greater Than), = (Equal), &
(AND), space (OR) operators.
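The Port, Source Port and DSCP fields above share one condition syntax, and a mistyped condition is an easy way to announce a FlowSpec rule that matches far more (or less) than intended. The following is an added example, not Radware code: it parses that syntax as the guide describes it (bare value; <, >, = terms; & for AND; space for OR), evaluates it against a value with the field's maximum (65535 for ports, 63 for the 6-bit DSCP), and encodes it as an RFC 5575 numeric-operator list so the resulting wire form can be compared against what a router shows. Treating a bare number as equality, and the RFC 5575 encoding (rather than any Radware-internal format), are this example's assumptions.

```python
"""Parse, evaluate and encode the DefenseFlow FlowSpec condition syntax for the
Port, Source Port and DSCP fields (added example, not Radware code).

Syntax per the guide: a bare number, or terms built from < > = joined with
& (AND) and separated by spaces (OR). Assumptions: a bare number means "equal";
the wire encoding is the RFC 5575 section 4.2.1.1 numeric operator
(bits: e a len len 0 lt gt eq, then the value, big-endian).
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import List

_TERM = re.compile(r"^([<>=]*)(\d+)$")


@dataclass(frozen=True)
class Term:
    lt: bool
    gt: bool
    eq: bool
    value: int

    def matches(self, x: int) -> bool:
        return (self.lt and x < self.value) or (self.gt and x > self.value) or (self.eq and x == self.value)


def parse_condition(expr: str, max_value: int = 65535) -> List[List[Term]]:
    """Return OR-groups, each a list of AND-ed terms; reject bad tokens and out-of-range values."""
    groups: List[List[Term]] = []
    for alternative in expr.split():          # space separates OR alternatives
        terms: List[Term] = []
        for token in alternative.split("&"):  # & joins AND terms
            m = _TERM.match(token)
            if not m:
                raise ValueError(f"bad term {token!r} in {expr!r}")
            ops, value = m.group(1) or "=", int(m.group(2))
            if value > max_value:
                raise ValueError(f"value {value} exceeds field maximum {max_value} in {expr!r}")
            terms.append(Term("<" in ops, ">" in ops, "=" in ops, value))
        groups.append(terms)
    if not groups:
        raise ValueError("empty condition")
    return groups


def condition_matches(expr: str, x: int, max_value: int = 65535) -> bool:
    """True when x satisfies at least one AND-group of expr."""
    return any(all(t.matches(x) for t in group) for group in parse_condition(expr, max_value))


def encode_numeric_op(expr: str, max_value: int = 65535) -> bytes:
    """Encode expr as an RFC 5575 numeric-operator list: one op byte plus value per term."""
    flat = [(ti, term) for group in parse_condition(expr, max_value) for ti, term in enumerate(group)]
    out = bytearray()
    for index, (ti, term) in enumerate(flat):
        end = index == len(flat) - 1              # e bit: last operator in the list
        width = 1 if term.value < 256 else 2 if term.value < 65536 else 4
        length_bits = {1: 0, 2: 1, 4: 2}[width]   # len field: 00=1, 01=2, 10=4 bytes
        op = (end << 7) | ((ti > 0) << 6) | (length_bits << 4) | (term.lt << 2) | (term.gt << 1) | int(term.eq)
        out.append(op)
        out += term.value.to_bytes(width, "big")
    return bytes(out)


if __name__ == "__main__":
    rule = ">1023&<65535 =53"   # ephemeral source ports, or DNS
    for port in (53, 80, 1023, 2000, 65535):
        print(f"{port:5} -> {condition_matches(rule, port)}")
    print(encode_numeric_op(rule).hex())   # 1203ff54ffff8135
```

The encoded form makes the AND/OR structure visible: the 0x54 byte carries the "a" bit (AND with the previous term), the 0x81 byte starts a new OR alternative and carries the end-of-list bit.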
Note: When you activate an operation with a BGP FlowSpec rule, you can update that rule before
the activation, but for a FlowSpec rule within a BGP group, you can only update the rule after the
activation.
• Highlight the BGP FlowSpec group and click the (Edit) button.
• Search for the BGP FlowSpec group by typing a string in one of the BGP FlowSpec group
Parameter Description
Name The name of the BGP FlowSpec group to search for.
Description String to search for in the BGP FlowSpec group description.
Update Time The BGP FlowSpec group update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the BGP FlowSpec group, and then click Submit to save your
changes:
Parameter Description
Name The name of the BGP FlowSpec group.
Description Description of the BGP FlowSpec group.
Available/ Select BGP FlowSpec rules to be included in the BGP FlowSpec group.
Selected 1. From the Available BGP FlowSpec rules, highlight the rule you want to be
part of the group.
2. For each rule, click the > button to move it to the Selected list.
• Highlight the BGP FlowSpec strictness profile and click the (Edit) button.
• Search for the BGP FlowSpec strictness profile by typing a string in one of the BGP
FlowSpec strictness profile search fields and clicking the (Search) button:
Parameter Description
Auto-populate Profile Name The auto-populate profile name of the BGP FlowSpec Strictness profile to search for.
Profile Description String to search for in the BGP FlowSpec Strictness profile description.
Minimum Number of Attributes Search for the minimum number of BGP FlowSpec attributes required by
DefenseFlow to trigger a new protection for a specific attack event.
Values: 1 – 6
Update Time The BGP FlowSpec Strictness profile update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the BGP FlowSpec Strictness profile, and then click Submit to save
your changes:
Parameter Description
Auto-populate Profile Name The name of the BGP FlowSpec Strictness profile.
Profile Description Description of the BGP FlowSpec Strictness profile.
Minimum Number of Attributes The minimum number of BGP FlowSpec attributes required by DefenseFlow to
trigger a new protection for a specific attack event.
Values: 1 – 6
Associated DefensePro Protections The associated DefensePro protections that are required to trigger a new
protection.
Includes: ALL (all DefensePro protections), Blocklist/Allowlist, BDoS, SYN, DNS,
Traffic Filters, OOS, DDoS Shield
Parameter Description
Mandatory Attributes Available/Selected Select BGP FlowSpec attributes to be included in the BGP FlowSpec Strictness
profile that are required to trigger a new protection for an operation.
1. From the Available attributes, highlight the attribute you want to be part of
the strictness profile.
2. For each attribute, click the > button to move it to the Selected list.
Note: For the Mandatory Attributes Available and Selected values to
display, you must first set the dfc.bgp.flowspec.populate values to true:
• dfc.bgp.flowspec.populate.destination.port
• dfc.bgp.flowspec.populate.fragment
• dfc.bgp.flowspec.populate.protocol
• dfc.bgp.flowspec.populate.source.network
• dfc.bgp.flowspec.populate.source.port
• dfc.bgp.flowspec.populate.tcp.flags
Filters
You can define blocklists and allowlists (filter lists), and groups of lists (filter groups), for a single
mitigation device or a group of mitigation devices. You define these filter lists and filter groups in the
Filters node. For more information on how filter lists and filter groups are applied to blocklists and
allowlists, see Operations, page 237.
You can also define Geolocation feed groups that include a list of geolocations that you can assign to
a protected object to block or allow only a set of geographic locations.
The Filters node includes the following sub-nodes:
• Filter Lists, page 233
• Filter Groups, page 234
• Geolocation Feed Group, page 235
Filter Lists
This procedure describes how to view, create, and edit filter lists.
Parameter Description
Name The name of the filter list to search for.
Description String to search for in the filter list description.
Addresses IP addresses in the filters to search for.
Update Time The filter list update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the filter list, and then click Submit to save your changes:
Parameter Description
Name Name of the filter list.
Description Description of the filter list.
Addresses The IPv4 and/or IPv6 addresses that are filtered. The IP addresses can include
source and destination port ranges and protocols.
Examples:
• 192.168.66.0/24
• 172.31.15.12
• 10.1.1.1 src port 12-44 protocol 5
• 10.1.1.0/24 src port 12 dst port 12-13 protocol tcp
• 3001:e12::/32
• 2001:cdba:0000:0000:0000:0000:3257:9652
Note: The protocol numbers used by DefenseFlow are its own mapping, not the
IANA protocol numbers (where, for example, TCP is 6 and UDP is 17). They map to
the following protocols:
• 0 — Any
• 1 — TCP
• 2 — UDP
• 3 — ICMP
• 4 — IGMP
• 5 — SCTP
• 7 — ICMPv6
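Because the protocol numbers are DefenseFlow's own and not IANA's, a filter list copied from a firewall rule set ("protocol 6" meaning TCP) would be wrong here, and a prefix with host bits set is ambiguous about what is actually blocked or allowed. The following is an added example, not Radware code: a strict parser for the address syntax shown above that resolves protocol numbers through the table in the note, accepts the protocol names the guide's "protocol tcp" example implies, rejects unknown numbers instead of guessing, and refuses prefixes with host bits set. The set of accepted names and the keyword grammar (src port, dst port, protocol, in any order) are this example's assumptions; the sample list is constructed from the guide's own examples.

```python
"""Strict parser for DefenseFlow filter-list address entries (added example, not Radware code).

Entry grammar assumed here:  <ip|prefix> [src port N[-M]] [dst port N[-M]] [protocol X]
where X is a DefenseFlow protocol number (0 Any, 1 TCP, 2 UDP, 3 ICMP, 4 IGMP,
5 SCTP, 7 ICMPv6) or the corresponding name.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

PROTOCOL_NUMBERS = {0: "any", 1: "tcp", 2: "udp", 3: "icmp", 4: "igmp", 5: "sctp", 7: "icmpv6"}
PROTOCOL_NAMES = {name: number for number, name in PROTOCOL_NUMBERS.items()}
# Trap: these are NOT the IANA numbers (TCP=6, UDP=17, ICMP=1, ...). An entry such as
# "protocol 6" is rejected here rather than silently meaning something else.


@dataclass(frozen=True)
class FilterEntry:
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    src_ports: Optional[Tuple[int, int]]
    dst_ports: Optional[Tuple[int, int]]
    protocol: int   # DefenseFlow protocol number, 0 = any


def _parse_port_range(text: str) -> Tuple[int, int]:
    low, _, high = text.partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


def _parse_protocol(text: str) -> int:
    if text.isdigit():
        number = int(text)
        if number not in PROTOCOL_NUMBERS:
            raise ValueError(f"unknown DefenseFlow protocol number {number} (not IANA numbering)")
        return number
    try:
        return PROTOCOL_NAMES[text.lower()]
    except KeyError:
        raise ValueError(f"unknown protocol name {text!r}") from None


def parse_filter_entry(line: str) -> FilterEntry:
    tokens = line.split()
    if not tokens:
        raise ValueError("empty entry")
    # strict=True: "10.1.1.5/24" is an error, not silently 10.1.1.0/24
    network = ipaddress.ip_network(tokens[0], strict=True)
    src = dst = None
    protocol = 0
    i = 1
    while i < len(tokens):
        key = tokens[i].lower()
        if key in ("src", "dst") and i + 2 < len(tokens) and tokens[i + 1].lower() == "port":
            if key == "src":
                src = _parse_port_range(tokens[i + 2])
            else:
                dst = _parse_port_range(tokens[i + 2])
            i += 3
        elif key == "protocol" and i + 1 < len(tokens):
            protocol = _parse_protocol(tokens[i + 1])
            i += 2
        else:
            raise ValueError(f"unexpected token {tokens[i]!r} in {line!r}")
    return FilterEntry(network, src, dst, protocol)


def parse_filter_list(text: str) -> List[FilterEntry]:
    """Parse one entry per non-empty line; one bad line fails the whole list."""
    return [parse_filter_entry(line) for line in text.splitlines() if line.strip()]


# Constructed sample: the guide's six examples, one per line.
SAMPLE = """\
192.168.66.0/24
172.31.15.12
10.1.1.1 src port 12-44 protocol 5
10.1.1.0/24 src port 12 dst port 12-13 protocol tcp
3001:e12::/32
2001:cdba:0000:0000:0000:0000:3257:9652
"""

if __name__ == "__main__":
    for entry in parse_filter_list(SAMPLE):
        print(entry.network, entry.src_ports, entry.dst_ports, PROTOCOL_NUMBERS[entry.protocol])
```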
Filter Groups
This procedure describes how to view, create, and edit filter list groups.
Parameter Description
Group Name The name of the filter group to search for.
Description String to search for in the filter group description.
Update Time The filter group update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search)
button.
3. Configure the parameters for the filter group, and then click Submit to save your changes:
Parameter Description
Name Name of the filter group.
Description Description of the filter group.
Filter Groups You can group multiple filter lists together for common filtering. A filter list can
be placed in one or more filter groups. Select one of the defined filter lists by
moving it from the Available list to the Selected list.
For more information on filter lists, see Filter Lists, page 233.
• Highlight the Geolocation feed group and click the (Edit) button.
• Search for the Geolocation feed group by typing a string in one of the Geolocation feed
Parameter Description
Group Name: The name of the Geolocation feed group to search for.
Description: String to search for in the Geolocation feed group description.
Update Time: The Geolocation feed group update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the Geolocation feed group, and then click Submit to save your changes:
Parameter Description
Name: Name of the Geolocation feed group.
Description: Description of the Geolocation feed group.
Geolocations: You can group multiple geolocations together from your Geolocation feed into a Geolocation feed group. When defining geoblocking for a protected object, you can use a single geolocation from your Geolocation feed or a Geolocation feed group that you define. To add a geolocation to the Geolocation feed group, select one of the defined geolocations by moving it from the Available list to the Selected list. For more information on how Geolocation feed groups are used in protected objects, see Protected Objects, page 258.
DNS AllowList
DefenseFlow can automatically delegate a DNS Subdomains Allowlist from the CPE DefensePro to a scrubbing center. Upon attack, a syslog signal from the tier-2 mitigation device (DPaaD or CPE DP) is sent to DefensePro. As a result, DefenseFlow exports the current policy from the DPaaD along with its associated DNS allowlist, and imports the policy into the scrubbing center mitigation device. Once DefenseFlow diverts the attack to the scrubbing center, the scrubbing center already has the DNS allowlist deployed, so it can clean the traffic and block the DNS attack.
Parameter Description
File Name: The name of the DNS allowlist to search for.
Update Time: The DNS allowlist update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the DNS allowlist, and then click Submit to save your changes:
Parameter Description
DNS Allowlist File: File with the DNS allowlist.
1. Click Browse to find the DNS allowlist file you want to import.
2. Click Import to import the file.
Note: The DNS allowlist file must contain plain text only. Each line has the following format:
<FQDN>, <mode>
where mode is:
• m (manual)
• a (automatic)
Examples:
Example A: www.example1.com, a
Example B: www.example2.com, m
Operations
An operation is a set of actions to be performed on provisioning, on attack detection, or manually. It is the building block of a security operation workflow.
Use the Operations pane to view, configure, or delete operations. The initial view displays existing operations and lets you search for a specific operation.
To configure an operation
1. In the Configuration perspective, select Security Settings > Operations.
2. To add or edit an operation, do one of the following:
Parameter Description
Name: The name of the operation to search for.
Description: String to search for in the operation description.
Operation Type: The operation type to search for. Values: Mitigation, Traffic Blocking, Custom
Diversion Protocol: The diversion protocol to search for. Values: BGP, BGP FlowSpec
Use Mitigation Device/Network Element Connectivity: Use connectivity setting to search for. Values: Enabled, Disabled
Update Time: The operation update time to search for.
Mitigation Group: The mitigation group name to search for.
L7 Signature HTTP Response Type: The Layer 7 signature HTTP response type to search for.
Blocking Group: The blocking group name to search for.
To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the operation, and then click Submit to save your changes:
Note: DefenseFlow has predefined operations that can be used as is, modified, or referenced for the creation of new operations. Some of these operations are used by the predefined workflows (see Workflows, page 251). The following are the predefined operations:
Operation Description
AlwaysOnMitigateOnly: Provision mitigation on a group of DefensePro devices.
OutOfPathDivertMitigateInject: Provision mitigation and injection on a group of mitigation devices and divert the traffic to them from a Tier1 network element group.
SmarTapDetection: Provision mitigation on a group of DefensePro devices connected in tap mode.
SmarTapDivertInject: Provision injection on the DefensePro tap devices.
BlackHoleDivert: Divert traffic from a Tier1 network element group to a BGP black-hole address.
BgpFlowSpecBlock: Block traffic with a FlowSpec block operation on a Tier1 network element group.
Parameter Description
Name: Name of the operation.
Note: The operation name cannot contain the & (ampersand), < or > (angle bracket), or " (double quote) characters.
Description: Description of the operation.
Operation Type: The type of operation.
Values:
• Mitigation — Displays the mitigation parameters. See Table 105 - Operations Mitigation Parameters, page 239.
• Traffic Blocking — Displays the traffic blocking parameters. See Table 106 - Operations Traffic Blocking Parameters, page 243.
• Custom — Displays the custom operation parameters, including the Custom Type parameter from which you select the type of custom operation to define.
Default: Mitigation
Custom Type: If you selected the Custom operation type, this drop-down list displays. Select the custom operation you want to define.
Values:
• External Custom Operation — Displays the custom operation parameters with which you can implement your own operation in any programming language. For a description of these parameters, see Table 107 - External Custom Operations Parameters, page 244.
• BigSwitch Routing — Select this operation type if you are using BigSwitch routing as your diversion control element (see Table 2230 - Network Elements Parameters, page 3115). Displays the Diversion Group parameter (for a description of this parameter, see Table 105 - Operations Mitigation Parameters, page 239).
• DefensePro ACLs — Select this operation type if you are using DefensePro Access Control Lists for mitigation. Displays the Mitigation Group parameter (for a description of this parameter, see Table 105 - Operations Mitigation Parameters, page 239).
Default: Mitigation
Parameter Description
Actions: Mitigation actions to be performed by the operation. You can select multiple actions.
Values:
• Divert — DefenseFlow initiates traffic diversion.
• Mitigate — DefenseFlow configures the DefensePro mitigation devices with the security policy. Not relevant for third-party mitigation devices.
• Inject Clean Traffic — DefenseFlow configures the DefensePro mitigation devices with the clean traffic injection configuration. Not relevant for third-party mitigation devices.
Default: No action is selected (report only)
Diversion
Diversion Group: The network element diversion group from which the diversion of traffic is initiated. With BGP diversion, these groups receive the BGP announcements.
Note: This is relevant only if DefenseFlow is configured to initiate the diversion (the Divert action is selected), or if the Mitigate action and the Use Connectivity diversion option are both selected.
Do one of the following:
• Select the network element or network element group from the set of available groups defined in DefenseFlow.
• To use and edit one of the network element groups, select the network element group and click the (Edit) button. This opens the Add Network Elements Group pane. For more information, see Network Elements Groups, page 216.
• To add and use a new network element group, click the (Add) button. This opens the Add Network Elements Group pane. For more information, see Network Elements Groups, page 216.
Diversion Protocol: The diversion protocol to use.
Values:
• BGP — Use the standard BGP protocol.
• BGP FlowSpec — Use the BGP FlowSpec protocol.
Default: BGP
BGP FlowSpec: The BGP FlowSpec rule to use for the diversion protocol. Select from the list of BGP FlowSpec rules you have defined (see BGP FlowSpec Rules, page 226). This parameter is only available if the Diversion Protocol is set to BGP FlowSpec.
Diversion Options: Diversion actions to take.
• Use Mitigation Device/Network Element Connectivity — Assigns mitigation devices per network element in a diversion group according to the configured connectivity.
• Divert Entire Protected Object Network — Divert all the protected object networks even if only a single IP address is attacked.
• Use the Protected Object Next Hop — For BGP diversions only, divert to the next hop of the operation’s relevant protected object, if defined (see Table 116 - Protected Object Parameters, page 259). Select the Primary or Secondary next hop.
Default: Use Connectivity
BGP Community
Include the Protected Object BGP Community: Whether the BGP Community of the protected object is included in the operation.
Operation BGP Community: The BGP community values to be sent to the diversion groups that should receive them per the operation. In addition to the protected object’s communities, multiple communities can be configured, separated by a space. Well-known communities can also be defined, including NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, and NOPEER.
AS Path: The AS-Paths to be used as part of the operation’s BGP advertisements. You can specify multiple AS-Paths delimited by a space or a comma.
Examples:
Example A: 100 200 300 400 600 400 500
Example B: 400, 500
Include the protected object AS Path: Merge the AS-Paths of the relevant protected object, if defined (see Table 116 - Protected Object Parameters, page 259), with the operation’s AS-Paths.
Example: If the operation’s AS-Paths are 100, 200, 300, and the relevant protected object’s AS-Paths are 200, 300, 400, the merged AS-Paths are 100, 200, 300, 200, 300, 400.
Advanced
Minimum IPv4 Advertised Subnet: The minimum IPv4 advertised subnet.
Values:
Default: 32
Minimum IPv6 Advertised Subnet: The minimum IPv6 advertised subnet.
Values:
Default: 128
Mitigation
Security Template: The security template used to perform mitigation. Select from the configured list of security templates or click the (Add) button to open the Add Template pane. For more information, see Security Templates, page 224.
Geolocations: The geolocation or Geolocation feed group to either allow or block when performing mitigation. Select from the list a geolocation or Geolocation feed group to allow or block (for more information, see Geolocation Feed Group, page 235). The geolocation setting is only used if the mitigation action is selected.
Default: No geolocation or Geolocation feed group is selected and all geolocations are allowed
Blocklist: The filter list or filter list group to be used as the blocklist when performing mitigation. Select from the configured list of filter lists or filter list groups (see Filters, page 233). The blocklist is only used if the mitigation action is selected.
Default: No list is defined
Allowlist: The filter list or filter list group to be used as the allowlist when performing mitigation. Select from the configured list of filter lists or filter list groups (see Filters, page 233). The allowlist is only used if the mitigation action is selected.
Default: No list is defined
DNS Allowlist: The DNS allowlist to be enforced by DefensePro when performing mitigation. DefenseFlow blocks incoming DNS requests that do not match the allowlist. Select from the configured list of DNS allowlists (see DNS AllowList, page 236). The DNS allowlist is only used if the mitigation action is selected.
Default: No list is defined
Mitigation Group: The name of the mitigation device or mitigation device group that performs mitigation. Select from the configured list of mitigation groups (see Mitigation Devices Groups, page 222).
Delegate from Detector: This parameter is relevant only if the detection method for the protected object is DPaaD. Select this if delegation is to be performed from the detector device to the mitigation device group that performs the mitigation. Selecting this copies the policy and baselines from the detector DefensePro to the selected mitigation device.
In a DPaaD deployment, DefenseFlow may trigger a single alert that represents a Layer 7 event, such as a signature match. DefenseFlow can identify this alert type (an occur event) and act upon it. By default, this feature is disabled. To enable it, use the following CLI command:
configuration-set -name dfc.attack.detection.defensepro.occur.enabled -value true
Granular Mitigation: Select if granular mitigation is to be performed. If you do not select this option, the operation is performed on the entire protected object and not based on any granular detection settings. For more information on granular detection settings, see Detection, page 248.
Default: Enabled
Save and Reuse DefensePro Baselines: Select this if you want to automatically provision the detector DefensePro baseline based on previous learning periods.
Default: Disabled
Block Source IP Address using L3 Block List: Select this if you want to block all incoming traffic from a specific source IP address towards a specific protected object.
Default: Disabled
Block Source IP Address using L7 Signature: When AppWall is deployed behind a CDN, the Layer 4 source address does not identify the real source IP address of the sender. To block the sender, a Layer 7 signature must be provisioned in DefensePro. This signature contains the real source IP address as part of the XFF HTTP header field. When enabled, select the response type from the list of Layer 7 signature HTTP response types.
Values:
• HTTP_DROP
• HTTP_200_OK
• HTTP_200_OK_REST_DEST
• HTTP_403_FORBIDDEN
• HTTP_403_FORBIDDEN_REST_DEST
Default: Disabled
Mitigation Route Name: The route name for this mitigation. Select one of the routes that you defined for mitigation devices. For more information on configuring routes, see Mitigation Devices, page 218.
Parameter Description
Blocking
Blocking Group: The network elements group that performs the traffic blocking. Select from the list of configured network elements groups (see Network Elements Groups, page 216).
BGP FlowSpec: The BGP FlowSpec rule to use for the diversion protocol. Select from the list of BGP FlowSpec rules you have defined (see BGP FlowSpec Rules, page 226).
BGP Community
Include the Protected Object BGP Community: Whether the BGP Community of the protected object is included in the operation.
Operation BGP Community: The BGP community values to be sent to the diversion groups that should receive them per the operation. In addition to the protected object’s communities, multiple communities can be configured, separated by a space. Well-known communities can also be defined, including NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED, and NOPEER.
You can implement your own operation in any programming language. DefenseFlow ensures that the new customized operation is activated when the rule criteria are met in the workflow engine.
Each custom operation is associated with a Web service. You can use your own Web server for the implementation.
For easy implementation, you can use and modify a ready-made example stub that implements a customized operation that sends an e-mail with all the arguments the operation received. For more details on using this stub, contact Radware Technical Support.
Note: Radware recommends deploying the Web server on a dedicated external VM and not on the DefenseFlow VM.
Parameter Description
Custom URL: URL of the remote server where the custom operation resides. When you set the custom URL, DefenseFlow performs a callback to the remote server using the /protection_start and /protection_stop suffixes as required.
Examples:
Example A (HTTP): If the URL configuration is http://10.183.159.159:5000/rest, DefenseFlow performs a callback to http://10.183.159.159:5000/rest/protection_start/ when the operation is activated (Entry Criteria), and to http://10.183.159.159:5000/rest/protection_stop/ when the operation is deactivated (Exit Criteria).
Example B (HTTPS): If the URL configuration is https://10.183.159.159:443/rest, DefenseFlow performs a callback to https://10.183.159.159:443/rest/protection_start/ when the operation is activated (Entry Criteria), and to https://10.183.159.159:443/rest/protection_stop/ when the operation is deactivated (Exit Criteria).
For the custom operations callback definition details, see Table 108 - Custom Operations Callback Definition, page 245.
Note: You can also define a custom operation through the DefenseFlow REST API (see the POST /config/Operations/add REST API call in the REST API Guide at http://webhelp.radware.com/DefenseFlow/REST/3_40_00/index.html).
Remote server authentication user: (optional) Remote server username.
Remote server authentication password: (optional) Remote server password.
Confirm Remote server authentication password: (optional) Remote server password confirmation.
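As an added example (not Radware's e-mail stub and not DefenseFlow code), here is a minimal Web service that receives the /protection_start and /protection_stop callbacks described above. That the optional remote server user and password arrive as HTTP Basic authentication, that the arguments come as query, form or JSON parameters, and the placeholder credentials and /rest path are all assumptions of this example.

```python
import base64
import hmac
import json
import logging
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed placeholders: the path suffix from the Custom URL example above and made-up credentials.
BASE_PATH = "/rest"
EXPECTED_USER = "df-callback"
EXPECTED_PASSWORD = "change-me-before-deploying"
ACTIONS = ("protection_start", "protection_stop")   # the two callback suffixes DefenseFlow appends

RECEIVED: List[Dict[str, Any]] = []   # in-memory record of callbacks, standing in for the stub's e-mail
log = logging.getLogger("custom-operation")


def basic_auth_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header: Optional[str]) -> bool:
    """Assumption: the optional remote-server user/password arrive as HTTP Basic authentication.
    compare_digest keeps the comparison constant-time, so a wrong guess cannot be timed."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")
    return sep == ":" and hmac.compare_digest(user.encode(), EXPECTED_USER.encode()) \
        and hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())


def parse_arguments(query: str, content_type: str, body: bytes) -> Dict[str, str]:
    """The argument encoding is not documented on this page; accept query parameters plus either a
    JSON object or a form-encoded body (assumption). Raises ValueError on a malformed JSON body."""
    args = {k: v[-1] for k, v in parse_qs(query).items()}
    if body and "json" in content_type.lower():
        data = json.loads(body)
        if not isinstance(data, dict):
            raise ValueError("JSON body must be an object")
        args.update({str(k): str(v) for k, v in data.items()})
    elif body:
        args.update({k: v[-1] for k, v in parse_qs(body.decode("utf-8", "replace")).items()})
    return args


def route_callback(method: str, target: str, headers: Dict[str, str], body: bytes) -> Tuple[int, Dict[str, Any]]:
    """Pure dispatcher for one DefenseFlow callback; returns (HTTP status, JSON-serialisable reply)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not check_basic_auth(lowered.get("authorization")):
        return 401, {"error": "unauthorized"}
    parts = urlsplit(target)
    path = parts.path.rstrip("/")
    if not path.startswith(BASE_PATH + "/"):
        return 404, {"error": "unknown path"}
    action = path[len(BASE_PATH) + 1:]
    if action not in ACTIONS:
        return 404, {"error": f"unknown action {action!r}"}
    try:
        args = parse_arguments(parts.query, lowered.get("content-type", ""), body)
    except ValueError as exc:
        return 400, {"error": f"bad arguments: {exc}"}
    RECEIVED.append({"method": method, "action": action, "args": args})
    log.info("%s %s %s", method, action, args)   # the e-mail stub would forward these arguments
    return 200, {"action": action, "args": args}


class CallbackHandler(BaseHTTPRequestHandler):
    """Thin HTTP layer over route_callback; GET and POST are both accepted (assumption)."""

    def _handle(self) -> None:
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        status, reply = route_callback(self.command, self.path, dict(self.headers.items()), body)
        payload = json.dumps(reply).encode()
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="custom-operation"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _handle


def serve(port: int = 5000) -> None:
    """Listen on the port used in the Custom URL example (http://<host>:5000/rest)."""
    logging.basicConfig(level=logging.INFO)
    ThreadingHTTPServer(("0.0.0.0", port), CallbackHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on the external VM that the note above recommends, and point the Custom URL at http://<that host>:5000/rest; the reply body echoes the action and the arguments that were accepted.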
Detection
Use Detection to define groups of detection methods and sources that are aggregated as detectors for the same service.
Use the Detection pane to view, configure, or delete detection configurations. The initial view displays existing detections and lets you search for a detection.
To configure a detection
1. In the Configuration perspective, select Security Settings > Detection.
2. To add or edit a detection, do one of the following:
Parameter Description
Name: The name of the detection to search for.
Description: String to search for in the detection description.
Update Time: The detection update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the detection, and then click Submit to save your changes:
Note: My Detection is a predefined detection that is used by the default workflows (see Workflows, page 251). Its parameters are not set, so you should either configure it with the appropriate detectors or replace it in any workflow that is used for a protected object, as required.
Parameter Description
Name: Name of the detection.
Description: Description of the detection.
Detectors: The set of detectors defined for this detection.
• Type — Select the detector type.
Values:
— External Detector — Use an external source of detection signaling. You can select multiple external detectors.
— FlowDetector — Use Radware DefenseFlow FlowDetector to analyze and use the network metadata of actual Layer 3-4 session flows received from the control plane.
— Granular BDoS Detector — Checks for attacks per IP address in the networks, limited to 5000 networks for the entire DefenseFlow system. Use this for servers with static IP addresses that you want to protect.
— Granular Thresholds Detector — Checks limits for the top 100 networks of the protected object. Use this for residential protected objects.
— Thresholds Detector — Use manually configured thresholds based on flow statistics. This checks limits for an entire network. You can select only one threshold detector.
• Type Detector — Based on the detector Type you selected, select a telemetry source for detection: either a control element (flow statistics source or external detector) or a DefensePro device.
Workflows
A workflow is a predefined set of criteria-based security operations that DefenseFlow can perform for a service on provisioning and upon attack.
Use the Workflows pane to view, configure, or delete workflow configurations. The initial view displays existing workflows and lets you search for a workflow.
To configure a workflow
1. In the Configuration perspective, select Security Settings > Workflows.
2. To add or edit a workflow, do one of the following:
Parameter Description
Name: The name of the workflow to search for.
Description: String to search for in the workflow description.
Detection: String to search for in the workflow detection method. To view and/or edit the detection associated with a workflow, select the link in the Detection column; the Edit Detection pane for that detection displays. For more information on detections, see Detection, page 248.
Provisioning: String to search for in the workflow operation that is performed upon provisioning a protected object associated with this workflow. To view and/or edit the operation associated with a workflow, select the link in the Provisioning column; the Edit Operation pane for that operation displays. For more information on operations, see Operations, page 237.
Update Time: The workflow update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the workflow, and then click Submit to save your changes:
Note: DefenseFlow has predefined workflows that can be used as is, modified, or referenced for the creation of new workflows, as described in the following table:
Workflow Description
AlwaysOnMitigateOnly: Provision mitigation (with no diversion) upon provisioning of the protected object, on a device that is either in-line with the traffic or where the diversion is performed manually.
BGPFlowSpecBlock: Upon attack detection, activate a BGP FlowSpec rule on the routers to block the traffic to the protected object.
BlackHoleDivert: Upon attack detection, divert traffic from a Tier1 network element group to a black-hole address.
OutOfPathDivertMitigateInject: Upon attack detection, configure mitigation and injection on the mitigation devices and divert the traffic to them from a Tier1 network element group.
SmartTapDetection: Provision a policy on the device connected in tap mode for detecting attacks on the protected object.
SmartTapDivertInject: Upon attack detection, divert the traffic to the mitigation device and configure clean traffic injection on the mitigation device.
Parameter Description
Name: Name of the workflow.
Description: Description of the workflow.
Detection: Select a detection method to associate with this workflow. This is a group of detections that is configured using the Detection pane (see Detection, page 248).
Provisioning: Select an operation to be performed upon provisioning of a protected object associated with this workflow. The operation is configured using the Operations pane (see Operations, page 237).
Workflow Rules: The set of criteria-based operation rules for the workflow.
The following are the possible workflow rule events:
• AttackStart — The start-of-attack condition is implicit in the Enter Criteria. It is required only if it is the only condition.
• AttackTermination — The termination-of-attack condition cannot be combined with any other condition (that is, you cannot have an AttackTermination condition AND an Attackx condition).
• ProvisionEnd — Performs an operation when removing a service.
• ProvisionStart — Performs an operation on provisioning of a protected object in addition to the operation defined in the Provisioning parameter. This can be used if multiple operations on provisioning are required.
• ActiveOperationsChange — This event is triggered when an operation is activated or terminated.
Note: This event is triggered by a protection, regardless of the detection status. For example, the event is triggered whether the operation was activated manually or automatically due to syslog detection.
• TimeTriggerEnabled — Event based on absolute and relative time. For example, you can define the entry criteria to be activated only between 08:00 and 09:00, or the exit criteria to be activated only after 30 minutes have passed since the operation termination.
Example 1 (Enter Criteria): TimeTriggerEnabled AND (TIME>=17:00 OR TIME <= 09:00)
Example 2 (Exit Criteria): TimeTriggerEnabled AND TIME > 09:00 AND TIME < 17:00
• OperationTerminated — Event to terminate an operation when another operation is terminated.
Example: OperationTerminate and Operation = AnotherOperation
The following are the possible workflow rule conditions:
• AttackDestination — Condition based on the attacked destination. Supported operators: =, !=, in, not in
Example: AttackDestination in 1.2.3.0/24
• AttackSource — Condition based on the attack source IP address.
Example: AttackSource 5.5.5.0/24
• AttackPrefix — Condition based on the attack destination prefix.
Example: AttackPrefix = 32
• AttackBandwidth — Condition based on the size of an attack, in bits per second. Supported operators: >, <, >=, <=
This condition is only available during an attack, unlike TrafficBandwidth, which can also be used in peacetime. This condition can be used to defend against attack escalation.
Example: AttackBandwidth > 2G
• AttackRate — Condition based on packets per second. Supported operators: >, <, >=, <=
Example: AttackRate >1000 AND AttackBandwidth < 5m
Note: If granular detection is enabled, do not set AttackRate as either the Enter or Exit Criteria. Because granular detection only handles sampled events and ignores ongoing events, the workflow is ignored even if the workflow conditions are met. Therefore, only set AttackRate as the Enter or Exit Criteria when granular detection is disabled.
• TrafficBandwidth — Condition based on the traffic bandwidth, in bits per second. It does not require combining with an AttackStart condition.
This condition is used in Flow Collector and DPaaD deployments. In these deployments, the detection elements constantly update DefenseFlow with the current traffic bandwidth. As a result, this condition can be used even in peacetime, unlike the AttackBandwidth condition, which is only available during an attack.
Valid values:
— n — bps (bits per second)
— nK — kbps (kilobits per second)
— nM — mbps (megabits per second)
— nG — gbps (gigabits per second)
— nT — tbps (terabits per second)
Example: TrafficBandwidth > 100 (meaning 100 bps)
Example: TrafficBandwidth > 2G (meaning 2 gbps)
Note: If granular detection is enabled, do not set TrafficBandwidth as either the Enter or Exit Criteria. Because granular detection only handles sampled events and ignores ongoing events, the workflow is ignored even if the workflow conditions are met.
• TrafficRate — Condition based on the traffic rate, in packets per second. It does not require combining with an AttackStart condition.
Valid values:
— n — pps (packets per second)
— nK — kpps (kilopackets per second)
— nM — mpps (megapackets per second)
— nG — gpps (gigapackets per second)
— nT — tpps (terapackets per second)
Example: TrafficRate > 100 (100 pps)
Example: TrafficRate > 2G (2 giga pps)
Note: If granular detection is enabled, do not set TrafficRate as either the Enter or Exit Criteria. Because granular detection only handles sampled events and ignores ongoing events, the workflow is ignored even if the workflow conditions are met.
• AttackProtocol — Condition based on the attack protocol. Supported operators: =, !=
Example 1: Protocol =
Example 2: (Protocol = OR AttackDestination not in 3.3.3.0/28) AND AttackBandwidth < 5m
• DetectorName — Condition based on the detector name.
Example: DetectorName = MyExternalDetectorControlElement
• BgpListenerCommunities — Condition based on the BGP Listener Community.
Example: BgpListenerCommunities include 111:222
Note: Do not use in Exit Criteria.
Note: DefenseFlow can be configured to establish BGP connections with routers over port 179 to send BGP announcements and BGP FlowSpec rules. Sending a large number of BGP announcements from the routers to DefenseFlow might cause slow response times in DefenseFlow. Unless you are using the BGP Listener feature, routers connected to DefenseFlow should be configured not to send BGP announcements to DefenseFlow.
• ActiveOperations — Condition based on the set of currently active operations and activated networks.
Example: ActiveOperations include ScrubbingOperation
• ActiveOperationsSameDestination — Use this condition to check whether an operation is active for the specific network that triggered the event, and to decide whether to start or stop an existing protection based on another operation on that same network.
Example: ActiveOperationsSameDestination include ScrubbingOperation
• ActiveOperationsCopyCat — Use this condition if you want to automatically trigger OPER2 according to OPER1, as illustrated in the following example:
Example: If OPER1 should automatically trigger OPER2 and use the same network, use the following criteria in both the Enter Criteria and Exit Criteria fields:
ActiveOperationsChange AND ActiveOperationsCopyCat include OPER1
Example: ActiveOperationsCopyCat include ScrubbingOperation
• ProtectionActivePeriod — Time-based termination of protection.
Example 1: If a black hole operation is activated, and you want to terminate it after two hours, use the following exit criteria:
ProtectionActivePeriod > "2 hours"
• Time — Condition based on the time in HH:MM format. Supported operators: >, <, >=, <=, =, !=
Example 1: time >= 14:00
Example 2: time != 16:00
• Date — Condition based on the date in YYYY-MM-DD format. Supported operators: >, <, >=, <=, =, !=
Example 1: date >= 2017-05-21
Example 2: date = 2019-05-05
• Month — Condition based on the month name. Supported operators: >, <, >=, <=, =, !=
Example 1: month >= January
Example 2: month != December
• Day — Condition based on the day name, where Sunday is the smallest and Saturday is the greatest. Supported operators: >, <, >=, <=, =, !=
Example 1: day >= Tuesday
Example 2: day != Monday
• AttackAdditionalDetails — Condition based on regular expression matching of the actual syslog message.
Example: AttackStart and AttackAdditionalDetails match ".*host:.*"
• OperationEnterSuccess — Condition based on the successful completion of either enter criteria or exit criteria. This is usually used in multiple-tier protection.
Example: OperationEnterSuccess=operation1
• SourcePort — Condition based on the source port. Supported operators: >, <, >=, <=, =, !=
Example 1: SourcePort > 34
• DestinationPort — Condition based on the destination port. Supported operators: >, <, >=, <=, =, !=
Example 1: DestinationPort > 34
• Fragment — Condition based on whether a packet is fragmented. Supported operators: =, !=
Example 1: Fragment = true
Example 2: Fragment != true
• tcpflags — Condition based on TCP flags. Supported operators: =, !=
Example 1: tcpflags = syn
Example 2: tcpflags = syn-ack
• DefenseProUp — Condition based on whether DefensePro mitigation devices are up. Can be a single mitigation device, multiple mitigation devices, a single mitigation device group, or multiple mitigation groups.
Example 1 (single mitigation device): DefenseProUp = dp1
Example 2 (multiple mitigation devices): DefenseProUp in dp1, dp2, dp3
Example 3 (single mitigation group): DefenseProUp include dp_group1
Example 4 (multiple mitigation groups): DefenseProUp include dp_group1, dp_group2, dp_group3
• DefenseProDown — Condition based on whether DefensePro mitigation devices are down. Can be a single mitigation device, multiple mitigation devices, a single mitigation device group, or multiple mitigation groups.
Example 1 (single mitigation device): DefenseProDown = dp1
Example 2 (multiple mitigation devices): DefenseProDown in dp1, dp2, dp3
Example 3 (single mitigation group): DefenseProDown include dp_group1
Example 4 (multiple mitigation groups): DefenseProDown include dp_group1, dp_group2, dp_group3
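To make the criteria syntax above concrete, here is an added evaluator (example code written for this page, not DefenseFlow's own parser) for a subset of it: AND/OR with parentheses, bare events, the comparison operators with n/nK/nM/nG/nT units and HH:MM times, in/not in over prefixes or names, include, and match. The event field names, the evaluation semantics and SAMPLE_EVENT are assumptions of the example, since the page does not document how DefenseFlow parses or orders these conditions.

```python
import ipaddress
import re
from typing import Any, Callable, Dict, List

# Grammar covered (a subset of the criteria syntax listed above):
#   expr := term (OR term)*  term := factor (AND factor)*  factor := "(" expr ")" | condition
#   condition := Name | Name <cmp> v | Name [not] in v, v | Name include v, v | Name match "re"
TOKEN_RE = re.compile(r'[\s,]*(?:(\()|(\))|("[^"]*")|(>=|<=|!=|=|>|<)|([^\s(),=<>!]+))')
CMP = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}
UNIT = {"": 1, "k": 1e3, "m": 1e6, "g": 1e9, "t": 1e12}   # n, nK, nM, nG, nT (bps or pps)

def tokenize(text: str) -> List[str]:
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        if (match := TOKEN_RE.match(text, pos)) is None:
            raise ValueError(f"unexpected input at {text[pos:]!r}")
        tokens.append(next(g for g in match.groups() if g is not None))
        pos = match.end()
    return tokens

def scalar(value: Any) -> Any:
    """Same shape on both sides: scaled float for 1000/5m/2G, minutes for HH:MM, else lowercase text."""
    text = str(value).strip('"')              # str() also covers numbers and booleans in the event
    if m := re.fullmatch(r"(\d+(?:\.\d+)?)([kmgt]?)", text, re.I):
        return float(m.group(1)) * UNIT[m.group(2).lower()]
    if m := re.fullmatch(r"(\d{1,2}):(\d{2})", text):
        return int(m.group(1)) * 60 + int(m.group(2))
    return text.lower()                       # names, true/false, ISO dates (compare lexically)

def member(value: Any, literal: str) -> bool:
    """'in' / 'not in' semantics: CIDR containment for addresses, name equality otherwise."""
    try:
        return ipaddress.ip_address(str(value)) in ipaddress.ip_network(literal, strict=False)
    except ValueError:                        # not an address/prefix pair: compare as names
        return scalar(value) == scalar(literal)

def _peek(tokens: List[str]) -> str: return tokens[0].lower() if tokens else ""

def _binary(tokens: List[str], ctx: Dict[str, Any], keyword: str, operand: Callable) -> bool:
    value = operand(tokens, ctx)              # both sides are always evaluated so syntax errors surface
    while _peek(tokens) == keyword:
        tokens.pop(0)
        right = operand(tokens, ctx)
        value = (value or right) if keyword == "or" else (value and right)
    return value

def _expr(tokens: List[str], ctx: Dict[str, Any]) -> bool:   # OR chain of AND chains of factors
    return _binary(tokens, ctx, "or", lambda t, c: _binary(t, c, "and", _factor))

def _factor(tokens: List[str], ctx: Dict[str, Any]) -> bool:
    if _peek(tokens) != "(":
        return _condition(tokens, ctx)
    tokens.pop(0)
    value = _expr(tokens, ctx)
    if tokens.pop(0) != ")":
        raise ValueError("missing ')'")
    return value

def _values(tokens: List[str]) -> List[str]:   # one or more literals, e.g. "dp1, dp2, dp3"
    values = [tokens.pop(0)]
    while _peek(tokens) not in ("", ")", "and", "or"):
        values.append(tokens.pop(0))
    return values

def _condition(tokens: List[str], ctx: Dict[str, Any]) -> bool:
    name, op = tokens.pop(0).lower(), _peek(tokens)
    if op in ("", ")", "and", "or"):          # bare event or flag, e.g. AttackStart
        return bool(ctx.get(name, False))
    tokens.pop(0)
    actual = ctx.get(name)
    if op in ("in", "not"):
        if op == "not" and tokens.pop(0).lower() != "in":
            raise ValueError("expected 'in' after 'not'")
        return any(member(actual, v) for v in _values(tokens)) == (op == "in")
    if op == "include":                       # ActiveOperations include X, Y
        wanted = {scalar(v) for v in _values(tokens)}
        return any(scalar(v) in wanted for v in (actual or ()))
    if op == "match":                         # AttackAdditionalDetails match ".*host:.*"
        return re.search(tokens.pop(0).strip('"'), str(actual or "")) is not None
    if op in CMP:
        return actual is not None and CMP[op](scalar(actual), scalar(tokens.pop(0)))
    raise ValueError(f"unknown operator {op!r} after {name}")

def evaluate(criteria: str, event: Dict[str, Any]) -> bool:
    """Evaluate one Enter/Exit Criteria string against a dict of event fields (names case-insensitive)."""
    tokens = tokenize(criteria)
    try:
        result = _expr(tokens, {k.lower(): v for k, v in event.items()})
    except IndexError:
        raise ValueError("criteria ends unexpectedly") from None
    if tokens:
        raise ValueError(f"unexpected trailing token {tokens[0]!r}")
    return result

# Constructed attack event; field names follow the condition names in the table above.
SAMPLE_EVENT = {"AttackStart": True, "TimeTriggerEnabled": True, "Time": "18:30", "Protocol": "udp",
                "AttackDestination": "1.2.3.4", "AttackPrefix": 32, "AttackBandwidth": 3e9,
                "AttackRate": 400_000, "ActiveOperations": ["ScrubbingOperation"],
                "AttackAdditionalDetails": "DefensePro syslog: attack host: 1.2.3.4 name: DNS flood"}
```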
Protected Objects
Protected objects are the services you use DefenseFlow to protect.
Use the Protected Objects pane to view, configure, or delete protected objects. The initial view
displays existing objects and lets you search for a specific protected objects.
Parameter Description
Status Status of the protected object to search for.
Name Name of the protected object to search for.
Description String to search for in the protected objects description.
Update Time The protected object update time to search for.
To clear the filter and perform a new search, click Clear next to the (Search) button.
3. Configure the parameters for the protected object, and then click Submit to save your changes:
Parameter Description
Enable Protected Object — Whether the protected object is enabled or disabled.
Default: Enabled
Name — Name of the protected object.
Description — Description of the protected object.
Protected Networks Tab — List of protected networks and their associated edge networks or route tags.
Maximum number of network entries:
• 10,000 for protected objects with an external detector
• 500 for protected objects with Radware’s collector
Note: The total number of networks for all protected objects together is limited to 250,000.
Click the (Add) button and configure the protected network parameters:
• Use any network address — All networks are protected. Selected by default. When you deselect it, the Network Address(es) text box displays.
• Network Address(es) — Comma-separated list of IPv4 or IPv6 network addresses with a prefix length. Example: 10.10.10.0/24, 11.11.11.0/24
• Protected Network Type — Select Edge Network or Route Tag.
• Clean Traffic Injection — Displays when the Protected Network Type is Edge Network. The edge network element associated with the protected networks. When a single entry lists multiple networks, all of them must be associated with the same edge network.
• Route Tag — Displays when the Protected Network Type is Route Tag. The route tag associated with the protected networks. Select from the list of configured route tags (see Route Tags, page 217).
Security Settings Tab — The security policy and workflow for the protected object.
Values:
• Policy Precedence — The precedence of this security policy relative to other security policies: precedence 1 gets the highest priority and None the lowest. This is relevant for overlapping protected objects when more than one policy is configured on the DefensePro device.
Values: 1 – 3, None
Default: None
Each policy precedence value represents a range of DefensePro priority values:
— None — For granular mitigation, 8001 – 16000; for non-granular mitigation, 1 – 8000
— 1 — For granular mitigation, 56001 – 63999; for non-granular mitigation, 48001 – 56000
— 2 — For granular mitigation, 40001 – 48000; for non-granular mitigation, 32001 – 40000
— 3 — For granular mitigation, 24001 – 32000; for non-granular mitigation, 16001 – 24000
Based on the precedence you select, DefenseFlow assigns the policy the next available priority number in that precedence range. If the assigned priority number is already used by an existing policy on the DefensePro device, DefensePro adds 10 to the new policy’s priority number so that the policy is executed as expected.
• Peak Traffic Bandwidth — Peak traffic value, in bits per second, to use on activation when no attack information is available.
• Workflow — The security operation workflow associated with this protected object. Select from the list of existing workflows, or click the (Add) button and configure a workflow. For more information, see Workflows, page 251.
• Override Geolocation Operation — If you want this security policy to override the geolocation operation, select this option.
Select the geolocation or Geolocation feed group to block or allow, then select
the override action:
— Allow — Allow the selected geolocation or Geolocation feed group
(default).
— Block — Block the selected geolocation or Geolocation feed group
(default).
For more information on defining Geolocation feed groups, see Geolocation
Feed Group, page 235.
• Override Workflow Action Mode — If you want this security policy to override
the workflow action mode, select the mode to override from the User Action
Mode drop-down list:
— Automatic — DefenseFlow performs the chosen operation based on the
defined criteria.
— Manual — The operator initiates the operation regardless of any detection.
— User Confirmation — When the operation criteria are met, the operator is
prompted to confirm activating the defined operation or to choose
another operation.
• Update Policy from Security Template — Select this option if you want to
update this security policy from an existing security template. Select the
security template from the Security Template drop-down list, or click the
(Add) button and configure a new security template (see Security
Templates, page 224).
Note: If this check box is selected, the Policy text box is grayed out and you cannot edit the security template from within the Protected Object, only from the Security Templates node (see Security Templates, page 224).
• Override Default Attack Termination Grace Period — Select this option if you
want this security policy to override the default number of seconds for the
attack termination grace period.
• Policy — This option is only available in Edit mode. If you want to update the
Security Settings based on a different Security Template, click Update policy
from security template. The policy text displays in the Policy text box,
which you can edit as needed. The policy text includes DefensePro traffic
filters.
You can resize the text box as required by dragging the icon at the bottom
right-hand corner of the scroll bar.
Maximum number of characters: 1,000,000
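The Policy Precedence mapping described in the Security Settings tab above, as an added example in Python (not DefenseFlow code). The priority ranges are the ones listed above. That "next available" means the lowest unused number in the range, that the +10 bump must not leave the range, and that a larger DefensePro priority number wins over a smaller one (precedence 1 owns the largest numbers) are assumptions of the example.

```python
"""Policy precedence -> DefensePro priority assignment (added example, not DefenseFlow code)."""

# precedence -> (granular range, non-granular range); bounds inclusive, copied from the guide
PRIORITY_RANGES = {
    None: ((8001, 16000), (1, 8000)),
    1: ((56001, 63999), (48001, 56000)),
    2: ((40001, 48000), (32001, 40000)),
    3: ((24001, 32000), (16001, 24000)),
}


def priority_range(precedence, granular):
    """Return the inclusive (low, high) DefensePro priority range for a precedence value."""
    if precedence not in PRIORITY_RANGES:
        raise ValueError(f"precedence must be 1, 2, 3 or None, not {precedence!r}")
    gran, non_gran = PRIORITY_RANGES[precedence]
    return gran if granular else non_gran


def assign_priority(precedence, granular, assigned, in_use_on_device):
    """Pick the DefensePro priority for a new policy.

    assigned: numbers DefenseFlow has already handed out (updated in place).
    in_use_on_device: numbers of policies that already exist on the DefensePro.
    Returns the priority the policy ends up with on the device.
    """
    low, high = priority_range(precedence, granular)
    # Assumption: "next available" is the lowest number in the range not yet handed out.
    candidate = next((p for p in range(low, high + 1) if p not in assigned), None)
    if candidate is None:
        raise RuntimeError(f"no free priority left in range {low}-{high}")
    # DefensePro resolves a clash with an existing policy by adding 10.
    final = candidate + 10 if candidate in in_use_on_device else candidate
    if not low <= final <= high:
        # The guide does not say what happens here; flag it instead of silently
        # returning a number that belongs to a different precedence range.
        raise RuntimeError(f"priority {final} left the {low}-{high} range after the +10 bump")
    assigned.update((candidate, final))   # neither number may be handed out again
    return final


def wins(priority_a, priority_b):
    """True if policy A is evaluated before policy B (assumption: larger number wins)."""
    return priority_a > priority_b


if __name__ == "__main__":
    handed_out = set()
    print(assign_priority(2, False, handed_out, set()))        # 32001
    print(assign_priority(3, True, handed_out, {24001}))       # 24011 (24001 clashed)
```

Keeping both the pre-bump and the bumped number in the assigned set matters: otherwise a second policy in the same range would pick the same clashing candidate and be bumped onto the first one.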
Global Manual Thresholds Tab — The global manual thresholds for the protected object. These apply only if DefenseFlow receives traffic statistics for the protected object and the workflow’s detection includes manual threshold protection.
Using manual thresholds is optional; they can be used in addition to other detections. Each activation/termination threshold pair can be configured independently of the other thresholds. An attack is reported when traffic exceeds the activation threshold and is terminated when traffic drops below the termination threshold.
Thresholds are specified in bits per second (bps) and packets per second (pps). You can add a unit suffix to the value, for example 50m or 10k.
Values:
• Activation IPv4 — Manually set the bps and pps for this threshold.
• Activation IPv6 — Manually set the bps and pps for this threshold.
• UDP Activation IPv4 — Manually set the bps and pps for this threshold.
• UDP Activation IPv6 — Manually set the bps and pps for this threshold.
• ICMP Activation IPv4 — Manually set the bps and pps for this threshold.
• ICMP Activation IPv6 — Manually set the bps and pps for this threshold.
• Other IP Activation IPv4 — Manually set the bps and pps for this threshold.
• Other IP Activation IPv6 — Manually set the bps and pps for this threshold.
• Total Activation IPv4 — Manually set the bps and pps for this threshold.
• Total Activation IPv6 — Manually set the bps and pps for this threshold.
• Termination IPv4 — Manually set the bps and pps for this threshold.
• Termination IPv6 — Manually set the bps and pps for this threshold.
• UDP Termination IPv4 — Manually set the bps and pps for this threshold.
• UDP Termination IPv6 — Manually set the bps and pps for this threshold.
• ICMP Termination IPv4 — Manually set the bps and pps for this threshold.
• ICMP Termination IPv6 — Manually set the bps and pps for this threshold.
• Other IP Termination IPv4 — Manually set the bps and pps for this threshold.
• Other IP Termination IPv6 — Manually set the bps and pps for this threshold.
• Total Termination IPv4 — Manually set the bps and pps for this threshold.
• Total Termination IPv6 — Manually set the bps and pps for this threshold.
Granular Manual Thresholds Tab — The granular manual thresholds for the protected object. These apply only if DefenseFlow receives traffic statistics for the residential protected objects and the workflow’s detection includes manual threshold protection.
Using granular manual thresholds is optional; they can be used in addition to other detections. Each activation/termination threshold pair can be configured independently of the other thresholds. An attack is reported when traffic exceeds the activation threshold and is terminated when traffic drops below the termination threshold.
Thresholds are specified in bits per second (bps) and packets per second (pps). You can add a unit suffix to the value, for example 50m or 10k.
Values:
• Activation IPv4 — Manually set the bps and pps for this threshold.
• Activation IPv6 — Manually set the bps and pps for this threshold.
• UDP Activation IPv4 — Manually set the bps and pps for this threshold.
• UDP Activation IPv6 — Manually set the bps and pps for this threshold.
• ICMP Activation IPv4 — Manually set the bps and pps for this threshold.
• ICMP Activation IPv6 — Manually set the bps and pps for this threshold.
• Other IP Activation IPv4 — Manually set the bps and pps for this threshold.
• Other IP Activation IPv6 — Manually set the bps and pps for this threshold.
• Total Activation IPv4 — Manually set the bps and pps for this threshold.
• Total Activation IPv6 — Manually set the bps and pps for this threshold.
• Termination IPv4 — Manually set the bps and pps for this threshold.
• Termination IPv6 — Manually set the bps and pps for this threshold.
• UDP Termination IPv4 — Manually set the bps and pps for this threshold.
• UDP Termination IPv6 — Manually set the bps and pps for this threshold.
• ICMP Termination IPv4 — Manually set the bps and pps for this threshold.
• ICMP Termination IPv6 — Manually set the bps and pps for this threshold.
• Other IP Termination IPv4 — Manually set the bps and pps for this threshold.
• Other IP Termination IPv6 — Manually set the bps and pps for this threshold.
• Total Termination IPv4 — Manually set the bps and pps for this threshold.
• Total Termination IPv6 — Manually set the bps and pps for this threshold.
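The activation/termination threshold pairs of the Global and Granular Manual Thresholds tabs above, as an added example in Python (not DefenseFlow code). It shows the two things those tabs rely on: values with a unit suffix (50m, 10k) and the hysteresis between the activation and termination levels, where an attack is reported once traffic exceeds the activation threshold and ends only once traffic drops below the termination threshold. Assumptions: k, m and g are decimal multipliers (10^3, 10^6, 10^9); exceeding either the bps or the pps activation value activates, and both must fall below the termination values to terminate; the traffic samples are constructed.

```python
"""Manual threshold pairs with unit suffixes and hysteresis (added example, not DefenseFlow code)."""
from dataclasses import dataclass

_UNITS = {"": 1, "k": 10**3, "m": 10**6, "g": 10**9}   # assumption: decimal multipliers


def parse_rate(text):
    """'50m' -> 50000000, '10k' -> 10000, '1200' -> 1200 (suffix is case-insensitive)."""
    s = str(text).strip().lower()
    if s and s[-1] in _UNITS:
        num, unit = s[:-1], s[-1]
    else:
        num, unit = s, ""
    if not num:
        raise ValueError(f"bad rate value {text!r}")
    return int(float(num) * _UNITS[unit])


@dataclass
class ThresholdPair:
    """One activation/termination pair, for example the 'UDP IPv4' thresholds."""
    name: str
    activation_bps: int
    activation_pps: int
    termination_bps: int
    termination_pps: int
    attacked: bool = False

    def __post_init__(self):
        # A termination level above the activation level would make the attack
        # state flap on every sample, so reject it at configuration time.
        if self.termination_bps > self.activation_bps or self.termination_pps > self.activation_pps:
            raise ValueError(f"{self.name}: termination thresholds must not exceed activation thresholds")

    def update(self, bps, pps):
        """Feed one traffic sample; return whether an attack is reported afterwards."""
        if not self.attacked:
            if bps > self.activation_bps or pps > self.activation_pps:   # either exceeds: activate
                self.attacked = True
        elif bps < self.termination_bps and pps < self.termination_pps:  # both recede: terminate
            self.attacked = False
        return self.attacked


def make_pair(name, activation, termination):
    """activation and termination are (bps, pps) strings with units, e.g. ("50m", "10k")."""
    a_bps, a_pps = (parse_rate(v) for v in activation)
    t_bps, t_pps = (parse_rate(v) for v in termination)
    return ThresholdPair(name, a_bps, a_pps, t_bps, t_pps)


def run_samples(pair, samples):
    """Return the attack state after each (bps, pps) sample."""
    return [pair.update(parse_rate(bps), parse_rate(pps)) for bps, pps in samples]


# Constructed traffic samples (bps, pps) for one protected object.
SAMPLES = [("10m", "1k"), ("60m", "2k"), ("30m", "3k"), ("15m", "3k"), ("10m", "1k")]

if __name__ == "__main__":
    udp_v4 = make_pair("UDP IPv4", activation=("50m", "10k"), termination=("20m", "4k"))
    print(run_samples(udp_v4, SAMPLES))   # [False, True, True, False, False]
```

The third sample (30m) sits between the two levels: with a single threshold the attack would have ended there and restarted on the next spike, which is exactly the flapping the separate termination level avoids.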
FlowDetector Thresholds Tab — The FlowDetector thresholds for the protected object. These apply only if DefenseFlow uses Radware DefenseFlow FlowDetector to analyze Layer 3-4 session flow metadata received from the control plane. For more information, see the latest Radware DefenseFlow FlowDetector User Guide.
Using FlowDetector thresholds is optional; they can be used in addition to other detections. Each activation threshold can be configured independently of the other thresholds. An attack is reported when traffic exceeds the activation threshold.
Thresholds are specified in megabits per second (Mbps) and packets per second (pps). You can add a unit suffix to the value, for example 50m or 10k.
All thresholds apply to both IPv4 and IPv6 traffic.
Values:
• TCP Activation — Manually set the Mbps and/or pps for this threshold.
• UDP Activation — Manually set the Mbps and/or pps for this threshold.
• ICMP Activation — Manually set the Mbps and/or pps for this threshold.
• Total Activation — Manually set the Mbps and/or pps for this threshold.
Advanced Settings Tab — Advanced settings for the protected object.
Values:
• BGP Community — The BGP community values to be sent to the diversion
groups that should receive them per the operation. Multiple communities can
be configured separated by a space.
In addition, the well-known communities NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED and NOPEER can also be used.
• Primary Next Hop IPv4 — The primary IPv4 next hop that is used instead of
the operation next hop.
• Primary Next Hop IPv6 — The primary IPv6 next hop that is used instead of
the operation next hop.
• Secondary Next Hop IPv4 — The secondary IPv4 next hop that is used instead
of the operation next hop.
• Secondary Next Hop IPv6 — The secondary IPv6 next hop that is used instead
of the operation next hop.
• IPv4 NLRI — When configured, the IPv4 NLRI (Network Layer Reachability
Information) DefenseFlow uses in its BGP advertisements and withdrawals.
• IPv6 NLRI — When configured, the IPv6 NLRI (Network Layer Reachability
Information) DefenseFlow uses in its BGP advertisements and withdrawals.
• AS Path — The AS-Paths to be used as part of the protected object’s BGP
advertisements.
You can specify multiple AS-Paths delimited by a space or a comma.
Examples:
— 100 200 300 400 600 400 500
— 400, 500
• Granular DefensePro Detection — Enables Granular DefensePro Detection, which lets you divert a more specific CIDR block within the Protected Object’s defined set of protected networks.
When selected, the following parameters display:
— Granular Protection Prefix IPv4 — The IPv4 CIDR block that is diverted
when the Granular Protection Threshold is reached.
— Granular Protection Prefix IPv6 — The IPv6 CIDR block that is diverted
when the Granular Protection Threshold is reached.
— Granular Protection Threshold — The number of attacked destination IP addresses in the same granular CIDR block at which the entire prefix is diverted instead of the individual addresses. Values: 1-2147483647
Notes:
— Granular DefensePro Detection is performed when there is a match to the
Workflow rule associated with the Protected Object, and if you have
defined a threshold, when the threshold is met.
— Granular DefensePro Detection only works when the following Operations parameters (see Operations, page 237) are configured with the following values:
• Divert Entire Protected Object Network — Unselected
• Minimum IPv4 Advertised Subnet — 32
• Minimum IPv6 Advertised Subnet — 128
• Granular Mitigation — Unselected
If you activate Granular DefensePro Detection for an existing Protected Object and any of these parameters is not set to the required value, you receive an error message indicating this.
If you activate Granular DefensePro Detection when creating a new Protected Object and the Granular Protection Prefix length you set is smaller than the Protected Object’s prefix length (that is, the granular block is larger than the protected network), you receive an error message indicating this.
— Sample syslogs, as well as Occurred syslogs that include Sample syslogs,
are not included in the Volume and Rate values on the Security
Operations dashboard.
— For this feature, there is no attack termination grace period. Once you
receive a Term syslog for an ongoing Sample, the attack ends.
— Granular DefensePro Detection only works with the regular BGP protocol
and not with the BGP FlowSpec protocol.
• Granular DefensePro Detection configuration. There are two configuration options for Granular DefensePro protection:
— Diverting multiple attacks — For this option only enable Granular
DefensePro Detection and do not set any of the Granular DefensePro
Detection parameters:
a. If a Start, Sample, or Ongoing syslog for the first attack is issued for
one of the protected network addresses, /32 diversion is performed
on the Protected Object’s defined set of protected network addresses.
b. When subsequent attack IP addresses are detected, /24 diversion is
performed on the entire set of protected network addresses.
c. On the Security Operations dashboard, the first attack is listed as /32
diversion, and all subsequent attacks are listed individually as /24.
— Diverting multiple attacks with a threshold for the number of
attacks — For this option you set the Granular DefensePro Detection
parameters (see Example below):
a. When the number of attacks on IP addresses remains below the
Granular Protection Threshold that you defined, /32 diversion is
performed.
b. When the number of attacks reaches the threshold that you defined, diversion is performed according to the Granular Protection Prefix you defined (IPv4 or IPv6, as appropriate).
Example:
A Protected Object is defined as 4.4.0.0/16. The Granular
Protection Threshold is set to 3. The Granular Protection Prefix
IPv4 size is set to /24.
• If for the first attack IP address 4.4.4.2 is under attack, /32
diversion occurs.
• If for the second attack IP address 4.4.4.3 is under attack, /32
diversion occurs.
• If for the third attack IP address 4.4.4.4 is under attack, the
threshold is met, and /24 diversion occurs.
c. On the Security Operations dashboard, all individual attacks up to and including the one at which the threshold is met are displayed.
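The two Granular DefensePro Detection options above, as an added example in Python (not DefenseFlow code). It reproduces the worked example (protected object 4.4.0.0/16, Granular Protection Threshold 3, Granular Protection Prefix /24), the option without parameters (first attacked host gets a /32, each later one its /24), and the two configuration checks the notes list: the required Operations settings and the granular prefix not being a larger block than the protected network. Assumptions: attacked hosts are counted per granular block, and host routes already advertised stay in place when their covering block is diverted.

```python
"""Granular DefensePro Detection diversion logic (added example, not DefenseFlow code)."""
import ipaddress
from collections import defaultdict

# Operations settings the guide requires for Granular DefensePro Detection.
REQUIRED_OPERATION = {
    "divert_entire_protected_object_network": False,
    "minimum_ipv4_advertised_subnet": 32,
    "minimum_ipv6_advertised_subnet": 128,
    "granular_mitigation": False,
}


def operation_problems(operation):
    """Return the Operations settings that do not have the required value."""
    return sorted(k for k, v in REQUIRED_OPERATION.items() if operation.get(k) != v)


class GranularDiversion:
    def __init__(self, protected_networks, granular_prefix_len=None, threshold=None):
        if (threshold is None) != (granular_prefix_len is None):
            raise ValueError("set both the Granular Protection Prefix and Threshold, or neither")
        if threshold is not None and threshold < 1:
            raise ValueError("threshold must be at least 1")
        self.networks = [ipaddress.ip_network(n) for n in protected_networks]
        for net in self.networks:
            # A granular block larger than the protected network would divert
            # addresses the protected object does not cover.
            if granular_prefix_len is not None and granular_prefix_len < net.prefixlen:
                raise ValueError(f"granular prefix /{granular_prefix_len} is larger than {net}")
        self.prefix_len = granular_prefix_len
        self.threshold = threshold
        self.attacked = defaultdict(set)   # granular block -> attacked hosts in it (assumption)
        self.diverted = []                 # prefixes advertised so far, in order

    @staticmethod
    def _block(addr, prefix_len):
        return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)

    def on_attack(self, host):
        """Record an attacked destination address; return the prefix diverted for it."""
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in self.networks):
            raise ValueError(f"{addr} is outside the protected object")
        host_route = self._block(addr, addr.max_prefixlen)
        if self.threshold is None:
            # No parameters set: the first attack gets a /32, every later one its /24
            # (the guide describes this option for IPv4 only).
            if addr.version != 4:
                raise ValueError("the /24 option applies to IPv4 addresses")
            diverted = host_route if not self.attacked else self._block(addr, 24)
            self.attacked[self._block(addr, 24)].add(addr)
        else:
            block = self._block(addr, self.prefix_len)
            self.attacked[block].add(addr)
            diverted = block if len(self.attacked[block]) >= self.threshold else host_route
        if diverted not in self.diverted:
            self.diverted.append(diverted)
        return diverted


if __name__ == "__main__":
    po = GranularDiversion(["4.4.0.0/16"], granular_prefix_len=24, threshold=3)
    for host in ("4.4.4.2", "4.4.4.3", "4.4.4.4"):
        print(host, "->", po.on_attack(host))   # /32, /32, then 4.4.4.0/24
```

Run operation_problems against the operation before enabling the feature; it returns the same settings the error message in the notes above refers to, which is easier to act on than a failed Submit.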
Monitoring
The Monitoring perspective lets you view system information and statistics and the operation of protected objects in real time.
It includes:
• Operation, page 266
Operation
The Operation pane lets you manage protected objects and manually activate them using the
Protected Objects pane.
It includes:
• Protected Objects, page 268
The Mitigation Devices pane lets you monitor the status of mitigation devices.
Parameter Description
Name The name of the mitigation device.
To view and/or edit a mitigation device, select the link in the Name column, and
the Edit Mitigation Device pane for that mitigation device displays. For more
information on mitigation devices, see Mitigation Devices, page 218.
Note: Any modification you make is deployed immediately on the mitigation
device.
Operational Status — The operational status of the mitigation device.
CPU Utilization — Percent of CPU utilization of the mitigation device.
BW Utilization (Gbps) — Percent of bandwidth utilization of the mitigation device.
Value: percentage_utilized (bandwidth_utilized/total_bandwidth)
Example: 5.0% (3.00/60.00)
In this example, 5.0% of the total bandwidth (60.00 Gbps) is utilized (3.00 Gbps).
Policies Utilization — Percent of the policies table utilization of the mitigation device.
Filter List Utilization — Percent of the filter list utilization of the mitigation device.
Managed Whether the mitigation device is managed.
Values: true, false
Update Time Last monitored update time.
Last Error — The last device access error that was issued. Examples:
• Authentication error
• Unable to connect to the mitigation device
Geo Feed Status — Geolocation Feed status:
• Active — The Geolocation Feed on the DefensePro mitigation device is active.
• Inactive — The Geolocation Feed on the DefensePro mitigation device is
inactive.
Default: Active
To clear the filter and perform a new search, click Clear next to the (Search) button.
Protected Objects
The Protected Objects pane lets you monitor protected objects and manually activate them.
Parameter Description
Name The name of the protected object.
To view and/or edit a protected object, select the link in the Name column, and
the Edit Protected Object pane for that protected object displays. For more
information on protected objects, see Protected Objects, page 56.
Note: If the protected object is under protection, and you modify an attribute
that conflicts with the ongoing protection, the change is performed only at the
next activation of the protected object.
If you want a modification that affects an ongoing protection to take effect
immediately, you can make this modification from the Edit feature in the Security
Operations Protected Objects Full View pane. For more information, see Table
2134 - Full View Parameters — Current Detection Events and Operations on
Protected Objects, page 18.
Detection Status — The detection status of the protected object.
Values:
• Learning — DefenseFlow learns protected object baselines.
• Normal — No attack is currently detected for the protected object.
• Attacked — The protected object is under attack.
Action Status The action status of the protected object.
Values:
• Active — The configured actions are active. This means that the action
specified for the protected object is now enabled. The action can be enabled
automatically or manually.
• Not Active — The configured actions are currently not active.
Pending Action — The pending action waiting for confirmation for a protected object that is in User Confirmation mode.
Values:
• Activate — An attack was detected for the protected object. The user can
confirm activation of the configured actions.
• Deactivate — The attack was terminated. The user can confirm deactivation of
the active actions.
Workflow Workflow associated with the protected object.
To view and/or edit a workflow associated with a protected object, select the link
in the Workflow column, and the Edit Workflow pane for that workflow displays.
For more information on workflows, see Workflows, page 129.
If you want a modification that affects an ongoing protection to take effect
immediately, you can make this modification from the Edit feature in the Security
Operations Protected Objects Full View pane. For more information, see Table
2134 - Full View Parameters — Current Detection Events and Operations on
Protected Objects, page 18.
To clear the filter and perform a new search, click Clear next to the (Search) button.
Note: Deactivation applies to all running protected object operations, including provisioned
operations.
4. Configure the activation parameters, as required:
— The activation parameters display only if you have selected Advanced (see step 3).
Parameter Description
Operation — The operation to use for diversion and mitigation group preferences. Select from the list of configured operations. The fields related to the operation type display.
Attack Source IP — Displays only if you selected a Mitigation operation. The specific IP address (attack target) to be protected. It must be within the network classification of the protected object.
Attack Bandwidth — Displays only if you selected a Mitigation operation. The attack bandwidth in bits per second; you can also specify units (for example, 100M). DefenseFlow uses this value to verify that the mitigation devices can handle the attack bandwidth, and to set the DefensePro policy bandwidth if no BDoS bandwidth is available yet.
Use busy mitigation devices — Displays only if you selected a Mitigation operation. If selected, DefenseFlow uses the selected DefensePro devices regardless of their monitored capacity.
BGP Communities
Operation BGP Community — The BGP community values to be sent to the diversion groups that should receive them per the operation. Multiple communities can be configured, separated by a space. In addition, the well-known communities NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED and NOPEER can also be used.
Use Protected Object Community — Whether to add the protected object’s defined community to the announcement to the blocking group. When you select this parameter, the Protected Object BGP Community parameter displays.
Protected Object BGP Community (displays only when Use Protected Object Community is selected) — The protected object’s BGP community values to be sent to the diversion groups that should receive them per the operation. Multiple communities can be configured, separated by a space. In addition, the well-known communities NO_EXPORT, NO_ADVERTISE, NO_EXPORT_SUBCONFED and NOPEER can also be used.
The following parameters let you advertise BGP announcements with a predefined minimum prefix size. This is useful for advertisements over the WAN or any other network where the router rejects more specific prefixes.
For example, if DefenseFlow receives an attack alert for IP address 204.1.1.3/32 and the network accepts only prefixes of /24 or shorter, set the prefix size to 24. Note that the wider prefix diverts traffic for every address in the advertised block, not only the attacked host.
Minimum IPv4 Advertised Subnet — Minimum IPv4 BGP announcement subnet. Default: 32
Minimum IPv6 Advertised Subnet — Minimum IPv6 BGP announcement subnet. Default: 128
Override IPv4 Next Hop — Override the IPv4 Next Hop IP address.
Override IPv6 Next Hop — Override the IPv6 Next Hop IP address.
Mitigation Route Name — The route name for this mitigation. Select one of the routes that you defined for mitigation devices. For more information on configuring routes, see Mitigation Devices, page 218.
— If the operation you selected is a FlowSpec operation, the FlowSpec parameters display (for
more information on defining FlowSpec operations, and for mitigation with BGP FlowSpec
rules, see Operations, page 141):
Parameter Description
Flow Rules
(The FlowSpec rules display only if you have selected a BGP FlowSpec operation to activate the
protected object).
Destination The destination prefix to block as defined in the Flow rule.
Prefix Values:
• Attacked IP — The actual destination IP addresses are inherited from the
protected object’s networks or IP addresses under attack or manually
activated.
• Entire Networks — The actual destination IP addresses are inherited from the
protected object that uses this rule for its various operations or manual
actions.
• Specific prefix — The Prefix to Block field displays, letting you define a set of
IP prefixes for the destination prefix.
Default: Attacked IP
Prefix to Block (displays only if you selected Specific prefix as the Destination Prefix) — One or more IP destination prefixes, separated by a space.
Values: IP prefix
Maximum number of networks: 100
Source Prefix The source prefix to block as defined in the Flow rule.
Port The port to block as defined in the Flow rule.
Destination Port The destination port to block as defined in the Flow rule.
Protocol The protocol to block as defined in the Flow rule.
Source Port The source port to block as defined in the Flow rule.
ICMP Type The ICMP type to block as defined in the Flow rule.
ICMP Code The ICMP code to block as defined in the Flow rule.
TCP Flag The TCP flag to block as defined in the Flow rule.
Packet Length The packet length to block as defined in the Flow rule.
DSCP The DSCP to block as defined in the Flow rule.
Fragment The fragment to block as defined in the Flow rule.
Redirect to VRF — The route tag to which to redirect traffic. Select from the list of route tags for which you have defined a route target. For more information, see Route Tags, page 217.
Redirect to Mitigation — Enables or disables redirection to the operation’s mitigation group. The next hop IP addresses are inherited from the mitigation group of the protected object that uses this rule for its various operations or manual actions.
Block Enables or disables traffic blocking (drop all matching packets).
Rate Limit The rate limit in MB/s or GB/s.
Values:
• Example for MB/s: 103M
• Example for GB/s: 1G
Set DSCP Defines how to update the DSCP header of the matching packets.
5. Click Submit.
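The Flow rule fields of the activation procedure above (destination and source prefix, protocol, ports, ICMP type and code, TCP flag, packet length, DSCP, fragment, and the Block, Rate Limit and Set DSCP actions) encoded as a BGP FlowSpec rule, as an added example in Python. This is the on-the-wire layout specified in RFC 8955, not DefenseFlow code; the guide does not state how DefenseFlow itself orders or encodes these fields. The rule at the bottom is constructed, and the 2-byte AS field of the traffic-rate community (0 here) is an assumption. Note that the traffic-rate community carries bytes per second, so a Rate Limit of 103M is passed as 103 * 10**6.

```python
"""Encode a BGP FlowSpec rule, RFC 8955 (added example, not DefenseFlow code)."""
import ipaddress
import struct

# Component types (RFC 8955 section 4.2); components must appear in ascending type order.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12
TCP_SYN, TCP_ACK = 0x02, 0x10
FRAG_DF, FRAG_ISF, FRAG_FF, FRAG_LF = 0x01, 0x02, 0x04, 0x08


def prefix_component(ctype, prefix):
    """Type 1/2: prefix length in bits, then only as many prefix bytes as needed."""
    net = ipaddress.ip_network(prefix)
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]


def numeric_op(value, lt=False, gt=False, eq=False, and_=False, end=False):
    """Numeric operator byte (bits: e a len len 0 lt gt eq) followed by the value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value out of range")
    code, fmt = (0, ">B") if value <= 0xFF else (1, ">H") if value <= 0xFFFF else (2, ">I")
    op = (end << 7) | (and_ << 6) | (code << 4) | (lt << 2) | (gt << 1) | int(eq)
    return bytes([op]) + struct.pack(fmt, value)


def numeric_component(ctype, terms):
    """terms: [(value, "flags")] with flags drawn from lt/gt/eq/and. A term with 'and'
    is ANDed with the previous term, otherwise terms are ORed; the last term carries
    the end-of-list bit."""
    out = bytearray([ctype])
    for i, (value, flags) in enumerate(terms):
        f = set(flags.split())
        out += numeric_op(value, "lt" in f, "gt" in f, "eq" in f, "and" in f, i == len(terms) - 1)
    return bytes(out)


def bitmask_component(ctype, mask, match=False, not_=False):
    """Bitmask operator (bits: e a len len 0 0 not m) for TCP flags and fragment.
    match=True requires every bit of mask to be set; match=False matches any of them."""
    code, fmt = (0, ">B") if mask <= 0xFF else (1, ">H")
    op = 0x80 | (code << 4) | (int(not_) << 1) | int(match)
    return bytes([ctype, op]) + struct.pack(fmt, mask)


def encode_nlri(components):
    """Length prefix (1 byte below 240, else 2 bytes 0xFnnn) followed by the components."""
    body = b"".join(components)
    length = bytes([len(body)]) if len(body) < 240 else struct.pack(">H", 0xF000 | len(body))
    return length + body


def traffic_rate(bytes_per_second, asn=0):
    """traffic-rate-bytes extended community (0x8006); a rate of 0 drops every match (Block)."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(bytes_per_second))


def decode_traffic_rate(community):
    """Inverse of traffic_rate, for checking what a rule would advertise."""
    t, st, asn, rate = struct.unpack(">BBHf", community)
    if (t, st) != (0x80, 0x06):
        raise ValueError("not a traffic-rate community")
    return asn, rate


def traffic_marking(dscp):
    """traffic-marking extended community (0x8009) for the Set DSCP action."""
    if not 0 <= dscp < 64:
        raise ValueError("DSCP is a 6-bit value")
    return bytes([0x80, 0x09]) + b"\x00" * 5 + bytes([dscp])


# (rule key, component type, how the value is encoded), in ascending type order.
_FIELDS = [
    ("destination_prefix", DST_PREFIX, "prefix"), ("source_prefix", SRC_PREFIX, "prefix"),
    ("protocol", IP_PROTO, "eq"), ("port", PORT, "eq"), ("destination_port", DST_PORT, "eq"),
    ("source_port", SRC_PORT, "eq"), ("icmp_type", ICMP_TYPE, "eq"), ("icmp_code", ICMP_CODE, "eq"),
    ("tcp_flags", TCP_FLAGS, "flags"), ("packet_length", PKT_LEN, "terms"),
    ("dscp", DSCP, "eq"), ("fragment", FRAGMENT, "mask"),
]


def build_rule(rule):
    """rule: dict keyed like the Flow rule table. Returns (nlri, [extended communities])."""
    comps = []
    for key, ctype, kind in _FIELDS:
        if key not in rule:
            continue
        value = rule[key]
        if kind == "prefix":
            comps.append(prefix_component(ctype, value))
        elif kind == "eq":
            comps.append(numeric_component(ctype, [(value, "eq")]))
        elif kind == "terms":                     # e.g. [(1000, "gt eq"), (1500, "and lt eq")]
            comps.append(numeric_component(ctype, value))
        else:                                     # "flags": all given bits; "mask": any bit
            comps.append(bitmask_component(ctype, value, match=(kind == "flags")))
    if not comps:
        raise ValueError("a Flow rule needs at least one match component")
    actions = []
    if rule.get("block"):
        actions.append(traffic_rate(0))
    elif "rate_limit" in rule:                    # bytes per second
        actions.append(traffic_rate(rule["rate_limit"]))
    if "set_dscp" in rule:
        actions.append(traffic_marking(rule["set_dscp"]))
    return encode_nlri(comps), actions


# Constructed rule: drop UDP/53 toward 192.0.2.0/24.
RULE = {"destination_prefix": "192.0.2.0/24", "protocol": 17, "destination_port": 53, "block": True}

if __name__ == "__main__":
    nlri, communities = build_rule(RULE)
    print(nlri.hex(), [c.hex() for c in communities])
```

Block and Rate Limit are the same community with different rate values, which is why build_rule treats them as alternatives; a rule with neither and no redirect is a pure match that drops nothing.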
BGP
The BGP pane lets you monitor the status of BGP peers and announcements.
These include:
• FlowSpecs, page 272
FlowSpecs
The FlowSpecs pane lets you monitor the status of currently advertised FlowSpec rules.
You can edit an advertised FlowSpec rule on the fly, in real time. When you do, DefenseFlow withdraws the rule currently advertised and advertises the modified rule. This on-the-fly modification is one-time and does not change the configured definition of the rule.
2. Highlight the FlowSpec announcement or search for the FlowSpec announcement by typing a
string in one of the FlowSpec announcement search fields and clicking the (Search)
button:
3. To edit the FlowSpec rule, click the (Edit) button, and click Submit:
Parameter Description
ID (Read-only) — The ID of the FlowSpec rule.
Protected Object (Read-only) — The protected object for which the FlowSpec rule is advertised. To view and/or edit that protected object, select the link in the Name column, and the Edit Protected Object pane for that protected object displays. For more information on protected objects, see Protected Objects, page 58.
Note: If the protected object is under protection, and you modify an attribute
that conflicts with the ongoing protection, the change is performed only at the
next activation of the protected object.
If you want a modification that affects an ongoing protection to take effect
immediately, you can make this modification from the Edit feature in the Security
Operations Protected Objects Full View pane. For more information, see Table
2134 - Full View Parameters — Current Detection Events and Operations on
Protected Objects, page 18.
Operation (Read-only) — The operation that activated the FlowSpec rule.
To view and/or edit an operation associated with a FlowSpec rule, select the link
in the Operation column, and the Edit Operation pane for that operation
displays. For more information on operations, see Operations, page 141.
Note: If the protected object is under protection, and you modify an attribute
that conflicts with the ongoing protection, the change is performed only at the
next activation of the protected object.
If you want a modification that affects an ongoing protection to take effect
immediately, you can make this modification from the Edit feature in the Security
Operations Protected Objects Full View pane. For more information, see Table
2134 - Full View Parameters — Current Detection Events and Operations on
Protected Objects, page 18.
Activated Rule Name — The name of the activated FlowSpec rule. To view and/or edit a FlowSpec rule, select the link in the Activated Rule Name column, and the Edit BGP FlowSpec pane for that rule displays. For more information on BGP FlowSpec rules, see BGP FlowSpec Rules, page 188.
Note: If the protected object is under protection, and you modify an attribute
that conflicts with the ongoing protection, the change is performed only at the
next activation of the protected object.
If you want a modification that affects an ongoing protection to take effect
immediately, you can make this modification from the Edit feature in the Security
Operations Protected Objects Full View pane. For more information, see Table
2134 - Full View Parameters — Current Detection Events and Operations on
Protected Objects, page 18.
Peer IP Address (not available in the Edit pane) — The IP address of the BGP peer to which the FlowSpec rule is advertised.
Community (Read-only) — The BGP community attached to the FlowSpec rule.
Destination (Read-only) — The destination prefix to block as defined in the FlowSpec rule.
Source — The source prefix to block as defined in the FlowSpec rule.
Port The port to block as defined in the FlowSpec rule.
Destination Port The destination port to block as defined in the FlowSpec rule.
Source Port The source port to block as defined in the FlowSpec rule.
Protocol The protocol to block as defined in the FlowSpec rule.
ICMP Type The ICMP type to block as defined in the FlowSpec rule.
ICMP Code The ICMP code to block as defined in the FlowSpec rule.
TCP Flag The TCP flag to block as defined in the FlowSpec rule.
Packet Length The packet length to block as defined in the FlowSpec rule.
DSCP The DSCP to block as defined in the FlowSpec rule.
Fragment The fragment to block as defined in the FlowSpec rule.
Route Tag Name — The name of the route tag to which to redirect, as defined in the FlowSpec rule.
Route Tag Route (not available in the Edit pane) — The route tag route to which to redirect, as defined in the FlowSpec rule.
Redirect Mitigation Enabled — The mitigation redirection status (enabled or disabled) for the FlowSpec rule.
Redirect Mitigation NextHop (not available in the Edit pane) — The device to which traffic is redirected for mitigation, as defined in the FlowSpec rule.
Block — The blocking status (enabled or disabled) for the FlowSpec rule.
Rate Limit (bytes per second) — The rate limit applied by the FlowSpec rule.
Set DSCP — The DSCP header update setting in the FlowSpec rule.
Security Monitoring
When an attack is detected, DefenseFlow creates and reports a security event, which includes the
information relevant to the specific attack. The Security Monitoring perspective displays information
relevant to the specific attack along with real-time network traffic and statistical parameters. Use
the Security Monitoring perspective to observe and analyze the attacks that the device detected and
the countermeasures that the device implemented.
The following main topics describe security monitoring in APSolute Vision:
• Risk Levels, page 275
• Using the Dashboard Views for Real-Time Security Monitoring, page 276
• Viewing Real-Time Traffic Reports, page 287
• Protection Monitoring, page 289
Notes
• Your user permissions (your RBAC user definition) determine the DefenseFlow mitigation devices
and protected objects that the Security Monitoring perspective displays to you. You can view and
monitor only the attacks blocked by the DefenseFlow mitigation devices and protected objects
that are available to you.
• APSolute Vision also manages and issues alerts for new security attacks.
• DefenseFlow calculates traffic baselines, and uses the baselines to identify abnormalities in
traffic levels.
• At the time of writing, APSolute Vision collects the sampled attack data that DefenseFlow sends
to it at the rate of two samples per two minutes per attack. Please note that the rate is subject
to change without notice.
• You can use the APSolute Vision REST API to view security events from DefenseFlow mitigation
devices or DefenseFlow devices. For more information, see the APSolute Vision REST API
documentation.
• You can use the APSolute Vision CLI to export security events from DefenseFlow mitigation
devices or DefenseFlow devices.
Risk Levels
The following table describes the risk levels that DefenseFlow supports to classify security events.
Note: For some protections, the user can specify the risk level for an event. For these protections,
the descriptions in the following table are recommendations, and specifying the risk level is the
user’s responsibility.
Use a Dashboard View in the Security Monitoring perspective to analyze activity and security events
in the network, identify security trends, and analyze risks.
In DefenseFlow, you can view information about a protected object, multiple protected objects, or all
configured protected objects. The dashboard monitoring display refreshes automatically, providing
ongoing real-time analysis of the system.
The Dashboard View node comprises the following tabs, which display the same summary
information:
• Current Attacks Table — which is a table display (see Figure 8 - Current Attacks Table —
DefenseFlow, page 279).
• Ongoing Attacks Monitor — which includes a graphical, chart display (see Figure 9 - Ongoing
Attacks Monitor, page 282).
The Scope and other display parameters that you configure apply to the Current Attacks Table and
to the Ongoing Attacks Monitor. For more information, see Configuring the Display Parameters of a
Dashboard View, page 276.
By default, the display of the Dashboard View refreshes every 15 seconds. Administrators can
configure the refresh rate (APSolute Vision Configuration view System perspective, General
Settings > Monitoring > Polling Interval for Reports).
Parameter Description
Scope The Protected Object, ports, and policies that the dashboard displays.
By default, the Scope is Any Protected Object; Any Port; Any Policy.
That is, by default, the Security Dashboard displays all the information.
To control the scope of the information that the dashboard displays in
DefenseFlow, see the procedure To control the scope of the information
that the Dashboard View displays, page 277.
Display Last How long the dashboard displays attacks after the attack terminates.
That is, the dashboard displays all attacks that are currently ongoing or
that terminated within the selected period.
Values:
• 10 Minutes
• 20 Minutes
• 30 Minutes
• 1 Hour
• 2 Hours
• 6 Hours
• 12 Hours
• 24 Hours
Default: 10 Minutes
Top Attacks to Display (This parameter is available only in the Ongoing Attacks Monitor.) The number of attacks that the Ongoing Attacks Monitor displays.
Values: 1 – 50
Default: 20
Sort By (This parameter is available only in the Ongoing Attacks Monitor.) Values:
• Top Total Packet Count — The Ongoing Attacks Monitor displays the attacks with the highest number of packets.
• Top Volume — The Ongoing Attacks Monitor displays the attacks with the highest volume.
• Most Recent — The Ongoing Attacks Monitor displays the most recent attacks.
• Attack Risk — The Ongoing Attacks Monitor displays the attacks according to attack risk.
Default: Top Packet Count
To control the scope of the information that the Dashboard View displays
1. Click . Three tables open. One table has the Protected Object, one table has the Device
Name and Port columns, and the third table has the Device Name and Policy columns.
2. To toggle the sort order of the information in any of the columns, hover over the column heading
until you see an arrow, and then, click the arrow.
click (View Attack Details). For more information, see Attack Details, page 282.
• Export the information in the table to a CSV file — To do this, click (CSV). Then, you can
view the file or specify the location and file name.
• Pause the refresh of the table display — To do this, click (Pause). When the table display
is not paused, it refreshes approximately every 15 seconds.
Parameter Description
Source Type The source of the signal entry.
Values:
• DP — DefensePro
• DF — DefenseFlow
Start Time The date and time that the attack started.1
Attack Category The threat type to which this attack belongs.
Values:
• Anomalies (in DefenseFlow, detection was performed by an external
detector)
• Behavioral DoS (in DefenseFlow, detection was performed by
DefenseFlow BDoS)
Status The last-reported status of the attack.1
Values:
• Started — An attack containing more than one security event has been
detected. (Some attacks contain multiple security events, such as DoS,
Scans, and so on.)
• Occurred (Signature-based attacks) — Each packet matched with
signatures was reported as an attack and dropped.
• Sampled (available only in DefenseFlow) — The last reading for each
protocol and the totals for all protocols, for a single device. This
information is only available when viewing a single device.
• Ongoing — The attack is currently taking place, that is, the time
between Started and Terminated (for attacks that contain multiple
security events, such as DoS, Scans, and so on).
• Terminated — There are no more packets matching the characteristics
of the attack, and the device reports that the attack has ended.
Risk The predefined attack severity level (see Risk Levels, page 275).
Values:
• — High
• — Medium
• — Low
• — Info
Attack Name The name of the detected attack.
Source Address The source IP address of the attack. If there are multiple IP sources for an
attack, this field displays Multiple. The multiple IP addresses are displayed
in the Attack Details window. Multiple may also refer to cases when the
mitigation device cannot report a specific value.
The Search string can be any legal IPv4 or IPv6 address, and can include a
wildcard (*).
Destination Address The destination IP address of the attack. If there are multiple IP sources
for an attack, this field displays Multiple. The multiple IP addresses are
displayed in the Attack Details window. Multiple may also refer to cases
when the mitigation device cannot report a specific value.
Policy In DefenseFlow, the name of the configured Security Policy that was set to
mitigate this attack. The default policy name is the name of the protected
object. Policies in DefenseFlow cannot be edited.
Radware ID The DefenseFlow Attack-Protection identifier issued by the device.
Direction The direction of the attack, inbound or outbound.
Values: in, out
Total Packet Count The number of identified attack packets from the beginning of the attack.
Volume For most protections, this value is the volume of the attack, in kilobits,
from when the attack started.
Protected Object The name of the protected object that was attacked.
Application Protocol1 The transmission protocol used to send the attack.
Values:
• TCP
• UDP
• ICMP
• IP
MPLS RD 1 The Multi-protocol Label Switching Route Distinguisher in the policy that
handled the attack. The value N/A or 0 (zero) in this field indicates that
the MPLS RD is not available.
VLAN Tag / Context1 The VLAN tag value or Context Group in the policy that handled the attack.
The value N/A or 0 (zero) in this field indicates that the VLAN tag or
Context Group is not available.
Destination Port1 The Layer 4 destination port of the attack. If there are multiple destination
L4 ports, this field displays Multiple. In cases when the mitigation device
cannot report a specific value, the field displays 0 (zero).
Physical Port1 The port on the device at which the attack packets arrived. In cases when
the mitigation device cannot report a specific value, the field displays 0
(zero) or Multiple.
There are two Drop Intensity gauges: Packets and Bandwidth. The Packets gauge indicates the
proportion of dropped packets relative to the total packets. The Bandwidth gauge indicates the
proportion of dropped bandwidth relative to the total bandwidth (according to the license). The
gauges show the calculated ranges Low (up to 30% dropped), Medium (up to 70% dropped), and
High (more than 70% dropped).
Attack Details
APSolute Vision displays attack details for the following attacks:
• , page 283
• Intrusions Attack Details, page 285
Notes
• To display hidden columns of the Current Attacks Table, click the (Table Settings) button and
then select the relevant checkbox. Click the button again to close the Table Settings list.
In addition to viewing the details of the attack, in each Attack Details tab, you can do the following:
• View sampled data from the attack — To do this, click the (View Sampled Data) button.
For more information, see Sampled Data Tab, page 286.
• Go to the policy that handled the attack — To do this, click the (Go to Policy) button.
• Export the attack capture files related to the selected attack to a ZIP file (see DoS Attack Details,
page 353) — To do this, click the (Export Attack Capture Files) button, and enter a file name in the
file selection dialog box.
Notes
— You can send the CAP file to a packet analyzer.
— Up to 255 bytes of packet information is saved in the CAP file. That is, DefenseFlow exports
full packets but APSolute Vision trims them to 255 bytes.
— The file is available only as long as it is displayed in the Current Attacks table.
— The file is created only if packet reporting is enabled in the protection configuration for the
profile that was violated.
— DefenseFlow exports only the last packet in a sequence that matches the filter. Furthermore,
if traffic matches a signature that consists of more than one packet, the reported packet will
not include the whole expression in the filter.
— For DoS attacks of very short duration, there might be no sampling or ongoing traps.
Consequently, for such attacks, there might be no sampled data or capture files. (For more
information, see DoS Attack Details, page 353.)
Attack Details
Parameter Description
Note: Some fields can display multiple values, when relevant and available. The values that
these fields display depend on the current stage of the attack. If a field is part of the dynamic
signature (that is, a specific value or values appear in all the attack traffic), the field displays the
relevant value or values.
Protocol The protocol that the attack uses or used.
Source L4 Port The source L4 port that the attack uses or used.
Physical Port The physical port that the attack uses or used.
Packet Count The packet count of the attack.
Volume (Kbits) The volume, in Kbits, that the attack uses or used.
VLAN Tag / Context The VLAN tag value or Context Group in the policy that handled the
attack.
MPLS RD The MPLS RD that the attack uses or used.
Device IP The device IP address that the attack uses or used.
TTL The TTL that the attack uses or used.
L4 Checksum The L4 checksum that the attack uses or used.
TCP Sequence Number The TCP sequence number that the attack uses or used.
IP ID Number The IP ID number that the attack uses or used.
Fragmentation Offset The fragmentation offset that the attack uses or used.
Fragmentation Flag The fragmentation flag that the attack uses or used. 0 indicates that
fragmentation is allowed. 1 indicates that fragmentation is not allowed.
Flow Label (IPv6 only) The flow label that the attack uses or used.
ToS The ToS that the attack uses or used.
Packet Size The packet size that the attack uses or used.
ICMP Message Type The ICMP message type that the attack uses or used.
(This is displayed only if
the protocol is ICMP.)
Source IP The source IP address that the attack uses or used.
Destination IP The destination IP address that the attack uses or used.
Source Ports The source ports that the attack uses or used.
Destination Ports The destination port that the attack uses or used.
DNS ID The DNS ID that the attack uses or used.
DNS Query The DNS query that the attack uses or used.
DNS Query Count The DNS query count that the attack uses or used.
Parameter Description
Packet Size Anomaly Region The statistical region of the attack packets. The formula for the packet-size baseline for a policy is as follows:
{(AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS)}
Values:
• Large Packets — The attack packets are approximately 15% larger
than the normal packet-size baseline for the policy.
• Normal Packets — The attack packets are within approximately 15%
either side of the normal packet-size baseline for the policy.
• Small Packets — The attack packets are approximately 15% smaller
than the normal packet-size baseline for the policy.
State The state of the protection process.
Values:
• footprint analysis — BDoS protection has detected an attack and is
currently generating an attack footprint.
• footprint-applied — BDoS protection is blocking the attack based on
the generated footprint. Through a closed-feedback loop operation,
BDoS protection optimizes the footprint rule, achieving the
narrowest effective mitigation rule.
• non-attack — Nothing was blocked because the traffic was not an
attack. That is, no footprint was detected or the blocking strictness
level was not met.
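The Packet Size Anomaly Region formula above divides bandwidth by packet rate on each side, so it compares the attack's mean packet size with the policy's learned mean; the Drop Intensity gauges described earlier bucket dropped packets and bandwidth against fixed 30% and 70% marks. The following Python is an added example, not Radware code, that derives those three dashboard fields from one sampled reading; the sample values, the field names of AttackSample, and the handling of a zero-rate sample (which the guide notes can occur for very short attacks) are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Tolerance around the packet-size baseline: the table puts the Normal region at
# roughly 15% either side of the baseline.
PACKET_SIZE_TOLERANCE = 0.15


@dataclass
class AttackSample:
    """One sampled reading of an attack as the dashboard receives it (constructed model)."""
    anomaly_bandwidth: float  # attack traffic rate in the sample (AnomalyBandwidth)
    anomaly_pps: float        # attack packets per second (AnomalyPPS)
    normal_bandwidth: float   # learned baseline rate for the policy (NormalBandwidth)
    normal_pps: float         # learned baseline packets per second (NormalPPS)
    total_packets: int        # packets seen in the window
    dropped_packets: int      # packets the mitigation dropped
    total_bandwidth: float    # bandwidth seen in the window (same unit as dropped_bandwidth)
    dropped_bandwidth: float


def packet_size_ratio(s: AttackSample) -> Optional[float]:
    """{(AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS)}, the formula above.

    Bandwidth divided by PPS is a mean packet size, so the ratio compares the attack's
    mean packet size with the baseline's; units cancel as long as both pairs match.
    Returns None when a rate is zero, e.g. a very short attack that produced no sample."""
    if min(s.anomaly_pps, s.normal_pps, s.normal_bandwidth) <= 0:
        return None
    return (s.anomaly_bandwidth / s.anomaly_pps) / (s.normal_bandwidth / s.normal_pps)


def packet_size_region(s: AttackSample) -> str:
    """Map the ratio to the Packet Size Anomaly Region values the table lists."""
    ratio = packet_size_ratio(s)
    if ratio is None:
        return "Unknown"
    if ratio > 1 + PACKET_SIZE_TOLERANCE:
        return "Large Packets"
    if ratio < 1 - PACKET_SIZE_TOLERANCE:
        return "Small Packets"
    return "Normal Packets"


def drop_intensity(dropped: float, total: float) -> str:
    """Drop Intensity gauge: Low up to 30% dropped, Medium up to 70%, High above 70%."""
    if total <= 0:
        return "Unknown"
    share = dropped / total
    if share > 0.70:
        return "High"
    if share > 0.30:
        return "Medium"
    return "Low"


def summarize(s: AttackSample) -> Dict[str, str]:
    """The three derived dashboard fields for one sample."""
    return {
        "packet_size_region": packet_size_region(s),
        "packets_gauge": drop_intensity(s.dropped_packets, s.total_packets),
        "bandwidth_gauge": drop_intensity(s.dropped_bandwidth, s.total_bandwidth),
    }


# Constructed sample: a 64-byte UDP flood against a policy whose packets average 600 bytes.
SMALL_PACKET_FLOOD = AttackSample(
    anomaly_bandwidth=51_200, anomaly_pps=100_000,  # 0.512 kbit per packet = 64 bytes
    normal_bandwidth=4_800, normal_pps=1_000,       # 4.8 kbit per packet = 600 bytes
    total_packets=110_000, dropped_packets=99_000,
    total_bandwidth=60_000, dropped_bandwidth=50_000,
)
```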
The footprint-blocking rule generated by the Behavioral DoS Protection, which provides the
narrowest effective blocking rule against the flood attack.
This table displays attack traffic (Anomaly) and normal traffic information. Red indicates real-time
values identified as suspicious in the 15 seconds prior to when the attack was triggered. Black
indicates the learned normal traffic baselines. Table columns are displayed according to the
protocols: TCP (includes all flags), UDP, or ICMP.
The graph displays a snapshot of the relevant traffic type for the 15-second period during which the
attack was triggered. For example, during a UDP flood, just UDP traffic is represented. The blue line
represents the normal adapted traffic baseline.
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Parameter Description
Protocol The protocol that the attack uses or used.
Physical Port 1 The physical port that the attack uses or used.
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Tip: To get the current traffic rate in packets or bytes per second (calculated as the average rate in
15 seconds), you can use the following CLI command on the DefenseFlow device:
dp rtm-stats get [port number]
Caution: When the Scope is Devices/Policies, the Traffic Utilization Report does not include
inbound traffic that the module blocked. This is because the module processes traffic before the
classification of a Protection policy.
Notes
• For packets received through the 1G, 10G, or 40G ports, packet-size information and counters
do not account for the CRC.
• The Traffic Utilization Report and the statistical traffic information that Protection Monitoring
provides are based on different counters. (For information on the statistical traffic information
that Protection Monitoring provides, see Protection Monitoring, page 289.)
3. For the Statistics Graph and Last Sample Statistics, set filter options for the displayed traffic
data, as required. The displayed information refreshes automatically.
Table 133: Traffic Utilization Report: Display Parameters for Graph and Table
Parameter Description
Scope The protected objects that the Traffic Utilization Report displays.
By default, the Scope is Any Protected Object.
Display Last How long the graph displays attacks after the attack terminates. That is, the
graph displays all attacks that are currently ongoing or that terminated
within the selected period.
Values:
• 10 Minutes
• 20 Minutes
• 30 Minutes
• 1 Hour
Default: 10 Minutes
Scope (drop-down list) The scope of the graph view.
Values:
• Devices/Physical Ports — The graph shows traffic according to physical
ports on the specified device.
• Devices/Policies — The graph shows traffic according to Protection
policies on the specified device.
Default: Devices/Physical Ports
Units The units for the traffic rate.
Values:
• Kbps — Kilobits per second
• Packet/Sec — Packets per second
Table 134: Traffic Utilization Report: Filter Parameters for the Traffic Statistics Graph
Parameter Description
Protocol The traffic protocol to display.
Values:
• TCP — Show the statistics of the TCP traffic.
• UDP — Show the statistics of the UDP traffic.
• ICMP — Show the statistics of the ICMP traffic.
• IGMP — Show the statistics of the IGMP traffic.
• SCTP — Show the statistics of the SCTP traffic.
• Other — Show the statistics of the traffic that is not TCP, UDP, ICMP,
IGMP, or SCTP.
• All — Show total traffic statistics.
Caution: When the Scope is Devices/Policies, the Other traffic does
not include IPsec traffic.
Parameter Description
Protocol The traffic protocol.
Values:
• TCP
• UDP
• ICMP
• IGMP
• SCTP
• Other — The statistics of the traffic that is not TCP, UDP, ICMP, IGMP, or
SCTP.
• All — Total traffic statistics.
Caution: When the Scope is Devices/Policies, the Other traffic does
not include IPsec traffic.
Inbound The amount of inbound traffic for the protocol identified in the row.
Discarded Inbound The amount of discarded inbound traffic for the protocol identified in the row.
Clean The amount of clean traffic for the protocol identified in the row.
Dropped The amount of dropped traffic for the protocol identified in the row.
Diverted The amount of diverted traffic for the protocol identified in the row.
Discard % The percentage of discarded traffic for the protocol identified in the row.
Excluded Inbound The amount of excluded inbound traffic for the protocol identified in the row.
Protection Monitoring
Protection Monitoring provides the real-time traffic monitoring per protected object, either for the
network as a whole — if BDoS Protection is configured, or for DNS traffic — if DNS Flood Protection is
configured. The statistical traffic information that Protection Monitoring provides can help you better
understand the traffic that flows through the protected network, how the configured protection is
working, and, most importantly, how anomalous traffic is detected.
For information about displaying protection information for a selected device, see the following:
• Monitoring the Traffic Under BDoS Protection, page 290
Note: The statistical traffic information that Protection Monitoring provides and Traffic Utilization
Report are based on different counters. (For information on the Traffic Utilization Report, see
Viewing the Traffic Utilization Report, page 287.)
Caution: The BDoS Traffic Monitoring Reports interface displays the names of Protection policies
from the past year — even policies that were deleted. The interface displays no statistics from more
than 60 minutes in the past. The interface displays no statistics for deleted Protection policies.
Caution: When traffic matches multiple protected objects with Out-of-State protection, the value
that APSolute Vision displays for the total dropped traffic represents the sum of all dropped traffic for
all relevant protected objects. This is because when traffic matches multiple protected objects with
Out-of-State protection, all those protected objects count the same dropped traffic.
Note: APSolute Vision displays the Protection Monitoring graphs using averaged values, and
therefore, points on the curves might diverge from the exact values.
Note: The BDoS Traffic Monitoring reports are populated with data only if the detector type is set to
BDoS Detector. For more information on detection parameters, see Detection, page 248.
To display traffic information for a protected object that includes BDoS protection
1. In the Security Monitoring perspective, select the device to monitor.
2. Select Protection Monitoring > BDoS Traffic Monitoring Reports.
3. Configure the general parameters for the display of the BDoS Traffic Statistics graph and Last
Sample Statistics table.
Parameter Description
Scope The protected object. The list only displays policies that are configured with
a BDoS profile.
Display Last How long the graph displays attacks after the attack terminates. That is, the
graph displays all attacks that are currently ongoing or that terminated
within the selected period.
Values:
• 10 Minutes
• 20 Minutes
• 30 Minutes
• 1 Hour
Default: 10 Minutes
Direction The direction of the traffic that the Statistics Graph and Last Sample
Statistics table display.
Values: Inbound
Units The unit according to which the Statistics Graph and Last Sample Statistics
table display the traffic.
Values:
• Kbps — Kilobits per second
• Packets/Sec — Packets per second
Parameter Description
IP Version The IP version of the traffic that the graph displays.
Values: IPv4, IPv6
Protection Type The protection type to monitor.
Values:
• UDP
• ICMP
• TCP
• Other
Scale The scale for the presentation of the information along the Y-axis.
Values: Linear, Logarithmic
Line Description
Total Traffic (dark blue) The total traffic that the device sees for the specific protection type and direction.
Legitimate Traffic (light blue) The actual forwarded traffic rate, after the mitigation device managed to block the attack. When there is no attack, the Total Traffic and Legitimate Traffic are equal.
Normal Edge (dashed green) The statistically calculated baseline traffic rate.
Suspected Edge (dashed orange) The traffic rate that indicates a change in traffic that might be an attack.
Attack Edge (dashed red) The traffic rate that indicates an attack.
Parameter Description
Traffic Type The protection type. Each specific traffic type and direction has a baseline
that the device learns automatically.
Baseline The normal traffic rate expected by the device.
Total Traffic The total traffic rate that the mitigation device sees for the specific traffic
type and direction.
Baseline Portion % An indication for the rate invariant baseline — that is, the normal percentage
of the specific traffic type to all other traffic in the same direction.
RT Portion % The actual percentage of the specific traffic type relative to all other traffic in
the same direction.
Traffic Peak Peak traffic value, in bps, to use in case of a manual action without attack
volume information available.
Degree of Attack A numeric value that evaluates the current level of attack. A value of 8 or
greater signifies an attack.
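Baseline Portion % and RT Portion % are shares of the direction's total traffic rather than absolute rates, which is why the table calls the baseline rate invariant: a busy hour that lifts every protocol together leaves the shares unchanged, while a single-protocol flood shifts them. The following Python is an added example, not Radware code, that computes both portions from per-type rates and shows that property on constructed Kbps figures; the 20-point shift threshold is an assumption for this example and is not the device's Degree of Attack computation, which the guide does not publish.

```python
from typing import Dict, List


def portions(rates_kbps: Dict[str, float]) -> Dict[str, float]:
    """Share of each traffic type in all traffic of the same direction, in percent.

    Applied to the learned baselines this is Baseline Portion %; applied to the
    current sample it is RT Portion %. An all-zero sample yields 0% everywhere."""
    total = sum(rates_kbps.values())
    if total <= 0:
        return {t: 0.0 for t in rates_kbps}
    return {t: round(100.0 * r / total, 2) for t, r in rates_kbps.items()}


def portion_shift(baseline_kbps: Dict[str, float],
                  current_kbps: Dict[str, float]) -> Dict[str, float]:
    """RT Portion % minus Baseline Portion % for every type, in percentage points.

    Because both are shares rather than absolute rates, a legitimate increase that
    lifts every protocol together leaves the shift at zero (the baseline is rate
    invariant), while a single-protocol flood moves its share up and the rest down."""
    base, now = portions(baseline_kbps), portions(current_kbps)
    return {t: round(now.get(t, 0.0) - base.get(t, 0.0), 2) for t in baseline_kbps}


def suspected_types(baseline_kbps: Dict[str, float], current_kbps: Dict[str, float],
                    min_shift_points: float = 20.0) -> List[str]:
    """Types whose share grew by at least min_shift_points (assumed threshold for
    this example; the device's own Degree of Attack rule is not published)."""
    shift = portion_shift(baseline_kbps, current_kbps)
    return [t for t, d in shift.items() if d >= min_shift_points]


# Constructed baselines and samples, in Kbps, for one protected object, inbound.
BASELINE = {"TCP": 800.0, "UDP": 150.0, "ICMP": 10.0, "Other": 40.0}
BUSY_HOUR = {"TCP": 2400.0, "UDP": 450.0, "ICMP": 30.0, "Other": 120.0}  # everything tripled
UDP_FLOOD = {"TCP": 800.0, "UDP": 3200.0, "ICMP": 10.0, "Other": 40.0}   # only UDP grew
```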
Alerts Table
DefenseFlow warnings and messages display in the Alerts Table along with APSolute Vision and
DefensePro warnings and messages at the bottom of the window.
The following information displays for the alerts:
• Ack
• Severity
• Time and Date
• Device Name
• Device IP
• Module
• Device Type
• User Name
• Message
For a full list of available DefenseFlow alerts, refer to Appendix B - Alerts Table, page 373.
Note: SNMP commands take approximately 20 seconds to run. Wait for a confirmation message
after running a command before continuing.
1. Enable SNMP by running the following command on the DefenseFlow server:
dfc-snmp:polls-edit -admin-status ENABLED
2. Prepare the client destination IP address and port to receive traps by running the following
command on the server:
dfc-snmp:trap-client-add -ip <IP> -port <port> -community <community string>
3. Set the SNMP threshold error and CPU warning by running the following command on the
server:
dfc-snmp:trap-threshold-edit -threshold-error <threshold-error> -threshold-warning <threshold-warning> -type CPU
4. Set the SNMP threshold error and disk warning by running the following command on the
server:
dfc-snmp:trap-threshold-edit -threshold-error <threshold-error> -threshold-warning <threshold-warning> -type DISK
5. Show a list of all the clients by running the following command on the server:
dfc-snmp:trap-clients-list
6. Show if SNMP polls are disabled/enabled by running the following command on the server:
dfc-snmp:polls-show
7. Show the SNMPv2 community configuration by running the following command on the server:
dfc-snmp:show-configuration-v2
8. Show the SNMP table thresholds by running the following command on the server:
dfc-snmp:trap-threshold-list
Example
The following example is for a CPU error alert:
defenseflow.0.6 notification received from: 10.183.154.211 at 1/9/2019 3:54:33 PM
CLI Help
All CLI commands support the --help argument. For example:
dfc-mitigation-device:add --help
DESCRIPTION
dfc-mitigation-device:add
Add mitigation device
SYNTAX
dfc-mitigation-device:add [options]
OPTIONS
-admin-status
Admin status {ENABLED|DISABLED}
-network-element
Physically attached network elements (multiple values can be
specified: -option value1 -option value2)
-address
Mitigation device address
-bgp-asn
BGP AS number
-injection-type
Clean traffic injection type {FIXED_IPS|TUNNELS}
-name
Mitigation device name
-version
Mitigation device version
-bgp-loopback
BGP Loopback IP
-group
Mitigation devices groups names (multiple values can be
specified: -option value1 -option value2)
-injection-ip
Clean traffic single injection IP (Clean route tag) (multiple
values can be specified: -option value1 -option value2)
-password
Password
-description
Mitigation device description
--help
Display this help message
-user
User
Auto Completion
For each command, sub-command, and argument, you can display their available sub-commands, arguments, and values by typing that
command, sub-command, or argument and then pressing the <TAB> key.
dfc-protected-obj <TAB>
dfc-network-group:add - <TAB>
FIXED_IPS TUNNELS
CLI Commands
This section includes the syntax, arguments, and descriptions for each of the CLI commands.
• dfc-alert, page 300
• dfc-bgp, page 301
• dfc-control, page 307
• dfc-core, page 308
• dfc-defensepro, page 312
• dfc-detection, page 317
• dfc-dns-white-list, page 318
• dfc-filter, page 318
• dfc-ha, page 320
• dfc-info, page 322
• dfc-interfaces, page 323
• dfc-license, page 325
• dfc-mitigation-device, page 325
• dfc-mitigation-group, page 328
• dfc-mitigation-tunnel, page 328
• dfc-monitor, page 329
dfc-alert
The following commands are used with DefenseFlow alerts:
• dfc-alert:send — Sends an alert with a user-supplied message.
• dfc-alert:show — Configures alert printouts to the CLI console.
dfc-bgp
The following commands are used for DefenseFlow BGP commands:
• dfc-bgp:announcement-add — Adds a BGP announcement.
• dfc-bgp:announcement-delete — Deletes a BGP announcement.
dfc-box
The following commands are used with DefenseFlow box services:
• dfc-box:list — List box services
dfc-control
The following commands are used with DefenseFlow control elements:
• dfc-control:add — Adds a control element.
• dfc-control:delete — Deletes a control element.
• dfc-control:edit — Edits a control element.
• dfc-control:list — Lists control elements.
• dfc-control:show — Shows a control element.
dfc-core
The following commands are used with the DefenseFlow core:
• dfc-core:configuration-dump — Dumps the configuration.
• dfc-core:configuration-export — Exports the configuration.
• dfc-core:remove-attacks-by-sequences — Gets a list of sequences from the user and deletes them.
dfc-defensepro
The following commands are used with DefensePro:
• dfc-defensepro:check-dns — Check if DNS is enabled.
• dfc-defensepro:data-route-create — Create data route.
• dfc-defensepro:data-route-delete — Delete data route.
• dfc-defensepro:dynamic-run — Dynamically run a command.
• dfc-defensepro:get-status — Get DefensePro status.
• dfc-defensepro:list-templates — Lists security template files.
• dfc-defensepro:policy-delete — Deletes a policy from DefensePro.
• dfc-defensepro:policy-export — Exports a policy from DefensePro.
• dfc-defensepro:policy-to-template — Creates a template from a policy file.
Table 164: dfc-defensepro:check-dns, data-route-delete, dynamic-run, get-status, list-templates, policy Arguments (cont.)
dfc-detection
The following commands are used for DefenseFlow detection:
• dfc-detection:add — Adds a detection.
• dfc-detection:delete — Deletes a detection.
• dfc-detection:edit — Edits a detection.
• dfc-detection:list — Lists detections.
• dfc-detection:show — Shows detections.
dfc-dns-white-list
The following commands are used for DefenseFlow DNS white lists:
• dfc-dns-white-list:add — Adds a DNS white list.
• dfc-dns-white-list:delete — Deletes a DNS white list.
• dfc-dns-white-list:export — Exports a DNS white list.
• dfc-dns-white-list:list — Lists the DNS white lists.
dfc-filter
The following commands are used for DefenseFlow filters:
• dfc-filter-group:add — Adds a filter group.
• dfc-filter-group:delete — Deletes a filter group.
• dfc-filter-group:edit — Edits a filter group.
dfc-ha
The following commands are used for DefenseFlow High Availability or APSolute Vision configuration synchronization, as appropriate:
• dfc-ha:add — Adds a High Availability node.
• dfc-ha:delete — Deletes a High Availability node.
• dfc-ha:diagnose — Diagnoses current High Availability node.
This command has no arguments.
• dfc-ha:edit — Edits the High Availability configuration.
dfc-info
The following commands are used for DefenseFlow information:
• dfc-info:actor-ping — Pings an actor
• dfc-info:actors-list — Lists actors.
• dfc-info:actors-statistics — Shows actor statistics.
• dfc-info:actors-statistics-reset — Resets actor statistics.
dfc-interfaces
The following commands are used with DefenseFlow interfaces.
• dfc-interfaces:associate-edit — Edits the network interface association.
dfc-license
The following commands are used for DefenseFlow licensing.
• dfc-license:apply — Applies a license.
• dfc-license:show — Shows a license.
• dfc-license:cleanup — Removes all licenses so you can create a new valid license.
• dfc-license:mac-reset — Resets the license MAC address.
• dfc-license:validate — Validates a license.
dfc-mitigation-device
The following commands are used with DefenseFlow mitigation devices:
• dfc-mitigation-device:add — Adds a mitigation device.
Note: The mitigation device must be added in APSolute Vision before adding it through the CLI, and the mitigation device must have the
same name in both.
dfc-mitigation-group
The following commands are used with DefenseFlow mitigation groups.
• dfc-mitigation-group:add — Adds a mitigation device group.
• dfc-mitigation-group:delete — Deletes a mitigation device group.
• dfc-mitigation-group:edit — Edits a mitigation device group.
• dfc-mitigation-group:list — Lists mitigation device groups.
• dfc-mitigation-group:show — Shows a mitigation device group.
dfc-mitigation-tunnel
The following commands are used with DefenseFlow mitigation tunnels:
• dfc-mitigation-tunnel:add — Adds a mitigation device GRE tunnel.
• dfc-mitigation-tunnel:delete — Deletes a mitigation device GRE tunnel.
• dfc-mitigation-tunnel:edit — Edits a mitigation device GRE tunnel.
• dfc-mitigation-tunnel:list — Lists mitigation device GRE tunnels.
• dfc-mitigation-tunnel:show — Shows a mitigation device GRE tunnel.
dfc-monitor
The following commands are used for DefenseFlow monitoring:
• dfc-monitor:action-activate — Activates a protection.
dfc-network-connect
The following commands are used with DefenseFlow network connections:
• dfc-network-connect:add — Adds a network element connection.
• dfc-network-connect:delete — Deletes a network element connection.
• dfc-network-connect:edit — Edits a network element connection.
• dfc-network-connect:list — Lists network element connections.
• dfc-network-connect:show — Shows a network element connection.
dfc-network-element
The following commands are used with DefenseFlow network elements:
• dfc-network-element:add — Adds a network element.
• dfc-network-element:delete — Deletes a network element.
• dfc-network-element:edit — Edits a network element.
• dfc-network-element:list — Lists network elements.
• dfc-network-element:show — Shows network elements.
dfc-network-group
The following commands are used with DefenseFlow network groups:
• dfc-network-group:add — Adds a network element group.
• dfc-network-group:delete — Deletes a network element group.
• dfc-network-group:edit — Edits a network element group.
• dfc-network-group:list — Lists network element groups.
• dfc-network-group:show — Shows a network element group.
dfc-operation
The following commands are used with DefenseFlow operations:
• dfc-operation:add — Adds an operation.
• dfc-operation:delete — Deletes an operation.
• dfc-operation:edit — Edits an operation.
dfc-protected-network
The following commands are used with DefenseFlow protected networks:
• dfc-protected-network:add — Adds a protected network.
• dfc-protected-network:delete — Deletes a protected network.
• dfc-protected-network:list — Lists protected objects.
• dfc-protected-network:multiple — Adds multiple networks to a protected object. Networks are specified by only one of the path arguments, or by the networks argument.
• dfc-protected-network:show — Shows protected objects.
dfc-protected-object
The following commands are used with DefenseFlow protected objects:
• dfc-protected-object:add — Adds a protected object.
• dfc-protected-object:change-all — Applies a change to all protected objects.
dfc-route-tag
The following commands are used for DefenseFlow route tag:
• dfc-route-tag:add — Adds a route tag.
• dfc-route-tag:delete — Deletes a route tag.
• dfc-route-tag:edit — Edits a route tag.
• dfc-route-tag:list — Lists route tags.
• dfc-route-tag:show — Shows route tags.
dfc-security-template
The following commands are used with DefenseFlow security templates:
• dfc-security-template:add — Adds a security template.
• dfc-security-template:delete — Deletes a security template.
• dfc-security-template:list — Lists security templates.
dfc-snmp
The following commands are used for DefenseFlow SNMP configuration:
• dfc-snmp:set-configuration-v2 — Sets the SNMPv2 configuration.
dfc-source-batching
The following commands are used for DefenseFlow source batching:
• dfc-source-batching:flush — Force starts protections for all source attacks that are waiting to be activated.
• dfc-source-batching:list — Lists delayed source attacks.
dfc-syslog
The following commands are used for DefenseFlow syslog operations:
• dfc-syslog:rfc-5424 — Saves syslog messages in RFC 5424 format.
dfc-system
The following commands are used for DefenseFlow system operations:
• dfc-system:info — Shows system information.
• dfc-system:set-alert-level — Sets an alert level.
• dfc-system:verify-show — Verifies the DefenseFlow system status.
dfc-tools
The following commands are used for DefenseFlow tools:
• dfc-tools:ping — Executes a ping.
• dfc-tools:ping6 — Executes a ping6.
• dfc-tools:traceroute — Executes a traceroute.
dfc-workflow
The following commands are used for DefenseFlow workflows:
• dfc-workflow:add — Adds a workflow.
• dfc-workflow:delete — Deletes a workflow.
• dfc-workflow:edit — Edits a workflow.
• dfc-workflow:list — Lists workflows.
• dfc-workflow:show — Shows workflows.
dfc-workflow-rule
The following commands are used for DefenseFlow workflow rules:
• dfc-workflow-rule:add — Adds a workflow rule.
• dfc-workflow-rule:delete — Deletes a workflow rule.
• dfc-workflow-rule:edit — Edits a workflow rule.
• dfc-workflow-rule:list — Lists workflow rules.
• dfc-workflow-rule:show — Shows a workflow rule.
Alerts
The following table lists the DefenseFlow-specific messages that may display in the application.
DefenseFlow Alerts
Table 235: DefenseFlow Alerts
Note: Before performing these procedures, ensure that the server has sufficient physical CPU and RAM.
6. Connect the VHD to Linux on your local working station with the following command:
sudo qemu-nbd -c /dev/nbdX FILE_NAME.qcow2
For example:
7. To increase the relevant partition sizes used, run the following command:
sudo gparted /dev/nbdX &
11. Drag this partition to the end of the list. The following dialog box displays:
18. Disconnect the VHD from your local Linux system using the following command:
sudo qemu-nbd -d /dev/nbdX
For example:
19. Start the DefenseFlow device and verify the disk size change from the console:
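The attach, resize and detach steps above leave the image connected as a root-owned block device until step 18 is reached. The following wrapper script is an added example, not part of the Radware guide: it validates the device and image arguments before they reach sudo, refuses an NBD device that already appears attached (assumption: an unattached device reports size 0 in sysfs), loads the nbd module only if the device node is missing, and detaches the image on every exit path. The script name and the foreground invocation of gparted are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Radware guide: wraps steps 6, 7 and 18 of the
# disk-resize procedure so that the qcow2 image is always detached from the
# NBD device again, even if gparted or the operator aborts halfway.
set -eu

# Accept only /dev/nbd<N>; anything else is rejected before it reaches sudo.
valid_nbd_device() {
  case "$1" in
    /dev/nbd[0-9]|/dev/nbd[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Accept only an existing regular file with the .qcow2 extension.
valid_image() {
  case "$1" in
    *.qcow2) [ -f "$1" ] ;;
    *) return 1 ;;
  esac
}

# Assumption: an NBD device that is not attached reports size 0 in sysfs.
nbd_in_use() {
  sysfile="/sys/block/${1#/dev/}/size"
  [ -r "$sysfile" ] && [ "$(cat "$sysfile")" != 0 ]
}

resize_vhd() {
  dev=$1
  img=$2
  valid_nbd_device "$dev" || { echo "refusing device: $dev" >&2; return 2; }
  valid_image "$img"      || { echo "refusing image: $img" >&2; return 2; }
  # Load the nbd module only if the device node does not exist yet
  # (assumption: a fresh workstation may not have it loaded).
  [ -b "$dev" ] || sudo modprobe nbd
  if nbd_in_use "$dev"; then
    echo "$dev is already attached to another image" >&2
    return 3
  fi
  sudo qemu-nbd -c "$dev" "$img"                      # step 6
  # Detach on every exit path (step 18); $dev is expanded now, on purpose.
  trap "sudo qemu-nbd -d '$dev'" EXIT
  # Run gparted in the foreground (the guide backgrounds it) so the trap
  # fires only after the partition editor has been closed.
  sudo gparted "$dev"                                 # step 7
}

# Usage (assumed script name): ./resize-vhd.sh /dev/nbd0 defenseflow.qcow2
if [ $# -eq 2 ]; then
  resize_vhd "$1" "$2"
fi
```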
Note: The following are the default values in the docker-compose.yml file:
— NGINX_CPU=2
— NGINX_RAM=2G
— HOST_MANAGER_CPU=.5
— HOST_MANAGER_RAM=500M
— POSTGRES_CPU=6
— POSTGRES_RAM=12G
— DFC_CPU=8
— DFC_RAM=12G
— POLICY_EDITOR_CPU=2
— POLICY_EDITOR_RAM=2G
— ELASTICSEARCH_CPU=2
— ELASTICSEARCH_RAM=16G
— SNMPD_CPU=.5
— SNMPD_RAM=1G
distributed to you together with code samples in source code format (the “Code Samples”) that
are meant to illustrate and teach you how to configure, monitor and/or control the Software
and/or any other Radware Products, the Commercial License above further includes a limited,
nonexclusive, nontransferable license to copy and modify the Code Samples and create
derivative works based thereon solely for the SDK Purpose and solely on computers within your
organization. The SDK shall be considered part of the term “Software” for all purposes of this
License Agreement. You agree that you will not sell, assign, license, sublicense, transfer, pledge,
lease, rent or share your rights under this License Agreement nor will you distribute copies of
the Software or any parts thereof. Rights not specifically granted herein, are specifically
prohibited.
2. Evaluation Use. Notwithstanding anything to the contrary in this License Agreement, if the
Software is provided to you for evaluation purposes, as indicated in your purchase order or sales
receipt, on the website from which you download the Software, as inferred from any time-
limited evaluation license keys that you are provided with to activate the Software, or otherwise,
then You may use the Software only for internal evaluation purposes (“Evaluation Use”) for a
maximum of 30 days or such other duration as may be specified by Radware in writing at its sole
discretion (the “Evaluation Period”). The evaluation copy of the Software contains a feature that
will automatically disable it after expiration of the Evaluation Period. You agree not to disable,
destroy, or remove this feature of the Software, and any attempt to do so will be a material
breach of this License Agreement. During or at the end of the evaluation period, you may
contact Radware sales team to purchase a Commercial License to continue using the Software
pursuant to the terms of this License Agreement. If you elect not to purchase a Commercial
License, you agree to stop using the Software and to delete the evaluation copy received
hereunder from all computers under your possession or control at the end of the Evaluation
Period. In any event, your continued use of the Software beyond the Evaluation Period (if
possible) shall be deemed your acceptance of a Commercial License to the Software pursuant to
the terms of this License Agreement, and you agree to pay Radware any amounts due for any
applicable license fees at Radware's then-current list prices.
3. Lab/Development License. Notwithstanding anything to the contrary in this License
Agreement, if the Software is provided to you for use in your lab or for development
purposes, as indicated in your purchase order, sales receipt, the part number description for the
Software, the Web page from which you download the Software, or otherwise, then You may use
the Software only in your lab and only in connection with Radware Products that you purchased
or will purchase (in case of a lab license) or for internal testing and development purposes (in
case of a development license) but not for any production use purposes.
4. Subscription Software. If you licensed the Software on a subscription basis, your rights to use
the Software are limited to the subscription period. You have the option to extend your
subscription. If you extend your subscription, you may continue using the Software until the end
of your extended subscription period. If you do not extend your subscription, after the expiration
of your subscription, you are legally obligated to discontinue your use of the Software and
completely remove the Software from your system.
5. Feedback. Any feedback concerning the Software including, without limitation, identifying
potential errors and improvements, recommended changes or suggestions (“Feedback”),
provided by you to Radware will be owned exclusively by Radware and considered Radware's
confidential information. By providing Feedback to Radware, you hereby assign to Radware all of
your right, title and interest in any such Feedback, including all intellectual property rights
therein. With regard to any rights in such Feedback that cannot, under applicable law, be
assigned to Radware, you hereby irrevocably waive such rights in favor of Radware and grant
Radware under such rights in the Feedback, a worldwide, perpetual royalty-free, irrevocable,
sub-licensable and non-exclusive license, to use, reproduce, disclose, sublicense, modify, make,
have made, distribute, sell, offer for sale, display, perform, create derivative works of and
otherwise exploit the Feedback without restriction. The provisions of this Section 5 will survive
the termination or expiration of this Agreement.
6. Limitations on Use. You agree that you will not: (a) copy, modify, translate, adapt or create
any derivative works based on the Software; or (b) sublicense or transfer the Software, or
include the Software or any portion thereof in any product; or (b) reverse assemble,
disassemble, decompile, reverse engineer or otherwise attempt to derive source code (or the
underlying ideas, algorithms, structure or organization) from the Software, in whole or in part,
except and only to the extent: (i) applicable law expressly permits any such action despite this
limitation, in which case you agree to provide Radware at least ninety (90) days advance written
notice of your belief that such action is warranted and permitted and to provide Radware with an
opportunity to evaluate if the law's requirements necessitate such action, or (ii) required to
debug changes to any third party LGPL-libraries linked to by the Software; or (c) create,
develop, license, install, use, or deploy any software or services to circumvent, enable, modify
or provide access, permissions or rights which violate the technical restrictions of the Software;
(d) in the event the Software is provided as an embedded or bundled component of another
Radware Product, you shall not use the Software other than as part of the combined Product and
for the purposes for which the combined Product is intended; (e) remove any copyright notices,
identification or any other proprietary notices from the Software (including any notices of Third
Party Software (as defined below)); or (f) copy the Software onto any public or distributed
network or use the Software to operate in or as a time-sharing, outsourcing, service bureau,
application service provider, or managed service provider environment. Notwithstanding the
foregoing, if you provide hosting or cloud computing services to your customers, you are entitled
to use and include the Software in your IT infrastructure on which you provide your services.
Lastly, if you acquire Software under Radware's Global Elastic License (GEL) model, you commit
to use any such Software only as an Alteon VA on COTS server or on GEL-dedicated hardware
platforms as indicated in the part description of such hardware (be it hardware originally
purchased as GEL-dedicated or later upgraded to be GEL-dedicated). Use of Software under a
GEL model on a non-GEL-dedicated hardware platform is prohibited. If you deploy GEL model
Software on a virtual platform, you can do so without the virtual platform being GEL-dedicated.
It is hereby clarified that the prohibitions on modifying, or creating derivative works based on,
any Software provided by Radware, apply whether the Software is provided in a machine or in a
human readable form. Human readable Software to which this prohibition applies includes
(without limitation) “Radware AppShape++ Script Files” that contain “Special License Terms”. It
is acknowledged that examples provided in a human readable form may be modified by a user.
7. Intellectual Property Rights. You acknowledge and agree that this License Agreement does
not convey to you any interest in the Software except for the limited right to use the Software,
and that all right, title, and interest in and to the Software, including any and all associated
intellectual property rights, are and shall remain with Radware or its third party licensors. You
further acknowledge and agree that the Software is a proprietary product of Radware and/or its
licensors and is protected under applicable copyright law.
8. No Warranty. The Software, and any and all accompanying software, files, libraries, data and
materials, are distributed and provided “AS IS” by Radware or by its third party licensors (as
applicable) and with no warranty of any kind, whether express or implied, including, without
limitation, any non-infringement warranty or warranty of merchantability or fitness for a
particular purpose. Neither Radware nor any of its affiliates or licensors warrants, guarantees, or
makes any representation regarding the title in the Software, the use of, or the results of the
use of the Software. Neither Radware nor any of its affiliates or licensors warrants that the
operation of the Software will be uninterrupted or error-free, or that the use of any passwords,
license keys and/or encryption features will be effective in preventing the unintentional
disclosure of information contained in any file. You acknowledge that good data processing
procedure dictates that any program, including the Software, must be thoroughly tested with
non-critical data before there is any reliance on it, and you hereby assume the entire risk of all
use of the copies of the Software covered by this License. Radware does not make any
representation or warranty, nor does Radware assume any responsibility or liability or provide
any license or technical maintenance and support for any operating systems, databases,
migration tools or any other software component provided by a third party supplier and with
which the Software is meant to interoperate.
This disclaimer of warranty constitutes an essential and material part of this License.
In the event that, notwithstanding the disclaimer of warranty above, Radware is held liable
under any warranty provision, Radware shall be released from all such obligations in the event
that the Software shall have been subject to misuse, neglect, accident or improper installation,
or if repairs or modifications were made by persons other than by Radware's authorized service
personnel.