Summary of Contents for Andrisoft wanguard 6.2

  • Page 2 © 2016, ANDRISOFT S.R.L. All rights reserved. This document is copyrighted, and ANDRISOFT S.R.L reserves all rights. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage and retrieval system without permission in writing from ANDRISOFT S.R.L.
  • Page 3: Table Of Contents

    Wanguard 6.2 User Guide, Table of Contents: Traffic Monitoring, DDoS Detection and Mitigation with Wanguard; Key Features & Benefits (p. 6); Software Components (p. 7); Choosing a Method of Traffic Monitoring and DDoS Detection ...
  • Page 4 Flow Sensor Troubleshooting (p. 44); Configuration » Components » SNMP Sensor; SNMP Sensor Troubleshooting (p. 49); Configuration » Components » Sensor Cluster ...
  • Page 5 AS Graphs (p. 95); Country Graphs (p. 95); Sensor Events (p. 95); Anomaly Overview (p. 95); Reports » Components » Filters (p. 96); Filter Dashboard (p. 96); Filter Graphs (p. 96); Filter Events (p. 97); Filtering Rules (p. 97); Filter Instances (p. 97); Reports » Dashboards ...
  • Page 6: Traffic Monitoring, Ddos Detection And Mitigation With Wanguard

    Traffic Monitoring, DDoS Detection and Mitigation with Wanguard. Unforeseen traffic patterns affect user satisfaction and clog costly transit links. Providing reliable network services is imperative for the success of today's organizations. As the business cost of network malfunctions continues to increase, rapid identification and mitigation of threats to network performance and reliability become critical in order to meet expected SLAs and network availability requirements.
  • Page 7: Software Components

    applications, ports, protocols, countries, autonomous systems, and more. ✔ REAL-TIME REPORTING – Bandwidth graphs are animated and have a short-term accuracy of just 5 seconds. ✔ HISTORICAL REPORTING – You can view reports from the last 5 seconds to the last 10 years by selecting any...
  • Page 8: Choosing A Method Of Traffic Monitoring And Ddos Detection

    Choosing a Method of Traffic Monitoring and DDoS Detection. This chapter describes the traffic monitoring technologies supported by Wanguard Sensor. There are four Wanguard Sensor “flavors” that differ only in the way they obtain traffic information: Packet Sensor analyzes packets.
  • Page 9: Comparison Between Packet Sniffing, Flow Monitoring, And Snmp Polling

    Comparison between Packet Sniffing, Flow Monitoring, and SNMP Polling. Packet Sensor should be used when the speed of detecting attacks is critical or when there is a need for capturing raw packets for forensics or troubleshooting.
  • Page 10: Choosing A Method Of Ddos Mitigation

    Choosing a Method of DDoS Mitigation. Wanguard provides network-level protection against volumetric Denial of Service attacks by using several complementary methods: ➢ Wanguard Sensor can be configured to announce via BGP the upstream provider(s) to stop routing...
  • Page 11: Wanguard Filter Deployment Scenarios

    The stateless operation of Wanguard Sensor and Wanguard Filter ensures detection and mitigation of volumetric attacks that may cripple even the most powerful stateful devices such as firewalls, Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS).
  • Page 12 In-line network bridging – The Filter runs on a server that resides in the main data path, configured as an OSI Layer 2 Linux network bridge. Out-of-line monitoring – The Filter runs on a server outside the main data path. It receives flows from a...
  • Page 13: Wanguard Installation

    System Requirements Wanguard 6.2 can be installed on the following 64-bit Linux distributions: Red Hat Enterprise Linux 6 or 7 (commercial), CentOS 6 or 7 (free, Red Hat-based), Debian Linux 6 “Squeeze”, 7 “Wheezy” or 8 “Jessie” (free, community-supported), Ubuntu 12, 14 or 16 (free, Debian-based).
  • Page 14: Console Hardware Requirements

    Console Hardware Requirements (minimum hardware for 20 components): Architecture: 64-bit x86. CPU: 2.4 GHz dual-core Xeon. RAM: 4 GB. NICs: 1 x Fast Ethernet for management. HDDs: 2 x 7200 RPM HDD, RAID 1, 80 GB (additional disk space may be needed for IP graphs). The Console server stores the database and centralizes all operational logs, graphs and IP accounting data.
  • Page 15: Flow Sensor Hardware Requirements

    Flow Sensor Hardware Requirements (minimum hardware for 15,000 flows/s): Architecture: 64-bit x86. CPU: 2.0 GHz dual-core Xeon. RAM: 8 GB. NICs: 1 x Fast Ethernet for management. HDDs: 2 x 7200 RPM HDD, RAID 1, 60 GB. Flow Sensor does not have a limit on the number of interfaces it can monitor or on how many flows per second it can process.
  • Page 16: Packet Filter Hardware Requirements

    Packet Filter Hardware Requirements. For a packet sniffing capacity of 1 Gbit/s (1,400,000 packets/s): Architecture 64-bit x86; CPU 2.4 GHz Xeon; RAM 2 GB... For 10 Gbit/s (14,000,000 packets/s): Architecture 64-bit x86; CPU 3.2 GHz quad-core Xeon (e.g. Intel X5672)...
  • Page 17: Filter Cluster Hardware Requirements

    The download link is listed in the email containing the trial license key. The latest software installation instructions are listed on the Andrisoft website. The trial license key activates all features for 30 days. You can install the trial license key on any number of servers.
  • Page 18: Licensing Procedure

    Flow Sensors. Flow Sensor does not have a limit on the number of interfaces it can monitor. If you want to monitor many routers having a single interface, contact <sales@andrisoft.com>. You will need as many Sensor licenses as the number of interfaces (ports) listened on by Packet Sensors.
  • Page 19: Basic Concepts Of Wanguard Console

    Basic Concepts of Wanguard Console. Please read this chapter to understand the basic premises required to operate the software properly. The next chapters cover the configuration of the software, while the last 5 chapters cover the reporting features.
  • Page 20: Configuration » General Settings » Graphs & Storage

    Configuration » General Settings » Graphs & Storage. A very important initial step in configuring Wanguard is to make sure that the server(s) the software runs on have enough resources to process and store IP graphs, flows and packet dumps. Storage-related settings can be tuned by editing Configuration »...
  • Page 21 granularity IP graphs. Decoders represent internal functions that differentiate and classify the underlying protocols of each packet and flow. Each enabled decoder increases the size of IP graph, top and accounting data, and causes a small performance penalty on Packet Sensor and Packet Filter.
  • Page 22: Sensor And Applications Graph Troubleshooting

    Console server can handle it. The storage requirements for each subnet are listed in the IP Zone, and the current disk usage in Configuration » General Settings » Data Retention. ✔ The internal program used for saving IP graph data is /opt/andrisoft/bin/genrrds_ip. If it is overloading...
  • Page 23: Configuration » General Settings » Anomaly Detection

    Configuration » General Settings » Anomaly Detection. The global settings for the anomaly detection engine can be edited in Configuration » General Settings » Anomalies. The detection of anomalies also needs to be enabled individually, for each subnet defined in the IP Zone (details on page 34).
  • Page 24: Configuration » General Settings » Custom Decoders

    Configuration » General Settings » Custom Decoders. Decoders represent internal functions that differentiate and classify the underlying protocols of each packet and flow. The predefined decoders are listed in the “Graphs & Storage” chapter on page 20. If you do not need to define custom decoders, you may safely skip this section.
  • Page 25: Configuration » General Settings » Mitigation Options

    Configuration » General Settings » Mitigation Options. To configure and fine-tune some advanced features of Wanguard Filter, go to Configuration » General Settings » Mitigation Options. All configuration options listed below are relevant only for the decoder selected in the Mitigation Options for Decoder field located on the top bar.
  • Page 26 ● Packet Rate-limit Hash – You can apply the packet rate-limiting globally, to a single object (Src. IP, Src. Port, Dst. IP or Dst. Port) or to any combination of objects. If the rate-limiting should be connection-oriented, select all objects.
  • Page 27: Configuration » Network & Policy » Response

    Configuration » Network & Policy » Response. Responses provide a unique and powerful way to automate the reaction to traffic anomalies detected by Sensors, and to filtering rules identified by Filters. If you do not plan to use this feature, you may skip this chapter. To add a new Response, go to Configuration »...
  • Page 28: Conditional & Dynamic Parameter List

    Filter instance that created the filtering rule, on the Filter server. When using a custom script, make sure it can be accessed and executed by the “andrisoft” account (e.g. by saving it in /tmp or /opt/andrisoft/bin). Note that /tmp is world-writable, so a script kept there can be replaced by any local user before the Response runs it; prefer a directory that only root and the “andrisoft” account can write to.
  • Page 29 Expiration Delay (seconds) | String | {expiration} | The number of seconds between the last time the anomaly is detected and the time the anomaly is expired. Captured Packets | Number | {captured_pkts} | The number of packets captured by the Response.
  • Page 30 Threshold Type | String [absolute, percentage] | {threshold_type} | Threshold-based anomalies can be defined as “absolute” values or as a “percentage” of the total traffic received by Sensor. Anomaly Decoder (Protocol) | String...
  • Page 31 String | {anomaly_log_100} | The first 100 packets or flows of the abnormal traffic. String | {anomaly_log_500} | The first 500 packets or flows of the abnormal traffic. String | {anomaly_log_1000} | The first 1000 packets or flows of the abnormal traffic.
  • Page 32 FILTER PARAMETERS: Filter Name | String | {filter} | The Filter that detected the filtering rule. Filter ID | Number | {filter_id} | The internal ID of the Filter that detected the filtering rule. Filter Type | [Packet Filter, Flow...
  • Page 33 Filtering Rule Peak Bits/s | Number* | {filtering_rule_max_bps} | The maximum bits/s throughput of the traffic matched by the filtering rule. Filtering Rule Unit/s | Number* | {filtering_rule_unit} | It is {filtering_rule_pps} for packets/s thresholds and {filtering_rule_bps} for bits/s thresholds.
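Custom Response scripts run as the “andrisoft” account with the dynamic parameters above expanded onto the command line, and some of those parameters ({anomaly_log_100} in particular) carry raw packet or flow content that the attacker on the other end of the flood controls. The script below is an added example written for this page; it is not part of the Andrisoft product or of the guide. The parameter order, the path /opt/andrisoft/bin/ddos_event.py and the use of logger(1) are assumptions. It validates the numeric parameters, keeps the captured-traffic snippet opaque, and hands everything to logger as an argument vector instead of a shell string, so shell metacharacters in the captured traffic cannot become commands.

```python
#!/usr/bin/env python3
"""Added example of a Wanguard custom Response script (not Andrisoft code).

Assumed registration in the Response action (the parameter order is an
assumption; Wanguard expands the {parameters} into whatever command you register):
  /opt/andrisoft/bin/ddos_event.py {threshold_type} {expiration} {captured_pkts} \
      {filter_id} {filtering_rule_max_bps} {anomaly_log_100}
"""
import json
import shlex
import subprocess
import sys

ALLOWED_THRESHOLD_TYPES = {"absolute", "percentage"}

# Constructed sample of what Wanguard would pass after expansion. The last
# field mimics {anomaly_log_100}: attacker-influenced packet text that happens
# to contain shell metacharacters.
SAMPLE_ARGV = [
    "absolute", "30", "100", "7", "950000000",
    "198.51.100.9:53 > 192.0.2.10:4444 UDP len 1200; touch /tmp/pwned",
]


def parse_event(argv):
    """Validate the expanded parameters and return a typed event dict.

    Numeric fields go through int(), which raises on anything that is not a
    plain integer; the threshold type must be one of the documented values;
    the log snippet is kept verbatim but never interpreted.
    """
    if len(argv) != 6:
        raise ValueError("expected 6 parameters, got %d" % len(argv))
    threshold_type, expiration, captured, filter_id, max_bps, log100 = argv
    if threshold_type not in ALLOWED_THRESHOLD_TYPES:
        raise ValueError("unexpected threshold_type %r" % threshold_type)
    return {
        "threshold_type": threshold_type,
        "expiration_s": int(expiration),
        "captured_pkts": int(captured),
        "filter_id": int(filter_id),
        "filtering_rule_max_bps": int(max_bps),
        "anomaly_log_100": log100,
    }


def is_valid(argv):
    """True when parse_event() accepts argv; used to reject tampered input."""
    try:
        parse_event(argv)
        return True
    except ValueError:
        return False


def logger_argv(event):
    """argv for logger(1): the whole event as ONE JSON argument, no shell."""
    return ["logger", "-t", "wanguard-response", json.dumps(event, sort_keys=True)]


def unsafe_shell_line(event):
    """The pattern to avoid: raw parameters interpolated into a shell string.
    With SAMPLE_ARGV the shell would also execute `touch /tmp/pwned`."""
    return "logger -t wanguard-response %s" % event["anomaly_log_100"]


def safe_shell_line(event):
    """If a shell string is unavoidable, quote every value with shlex.quote."""
    return "logger -t wanguard-response %s" % shlex.quote(event["anomaly_log_100"])


def shell_tokens(line):
    """How a POSIX shell would split the line into words (for comparison)."""
    return shlex.split(line)


def main(argv):
    try:
        event = parse_event(argv)
    except ValueError as exc:
        print("ddos_event: rejected parameters: %s" % exc, file=sys.stderr)
        return 2
    # list form + shell=False: the log snippet travels as a single argument
    subprocess.run(logger_argv(event), shell=False, check=False)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The same rule applies to any other consumer of these parameters (a ticketing API call, a BGP announcement script): treat {anomaly_log_*} and the other free-text values as data, convert the numeric ones strictly, and never build a command line by string concatenation.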
  • Page 34: Configuration » Network & Policy » Ip Zone

    Configuration » Network & Policy » IP Zone. IP Zones are hierarchical, tree-like data structures from which Sensor(s) extract per-subnet settings and learn the monitored network's boundaries. You must add all your IP blocks to the IP Zone(s) listed in Configuration » Network & Policy. You can add prefixes (IP blocks/subnets/ranges) using the Console web interface, or from the CLI by executing the command “php...
  • Page 35: Anomaly Detection Settings & Threshold Templates

    Anomaly Detection Settings & Threshold Templates. Define traffic threshold rules by adding them to the Thresholds panel from the IP Zone Configuration window. To ease the addition of identical thresholds for multiple prefixes, add them to a Threshold Template instead, by clicking Configuration »...
  • Page 36 packets/s thresholds of around 10k/s per destination should not generate false positives while catching all significant UDP floods. UDP is also used frequently for flooding. ✔ The OTHER decoder matches all non-TCP, non-UDP and non-ICMP traffic. You can configure thresholds...
  • Page 37: Configuration » Servers

    ● Hardware Key – Read-only string used for licensing purposes. The hardware key field is updated by the WANsupervisor service on installation or when the hardware, IP or hostname changes. When the string changes, ask sales@andrisoft.com to register your hardware key. ● Monitored Network Interfaces (optional) – The WANsupervisor service can monitor packets/s, bits/s,...
  • Page 38: Configuration » Components » Packet Sensor

    Configuration » Components » Packet Sensor. In switched networks, only the packets for a specific device reach the device's network card. If the server running the Packet Sensor is not deployed in-line (in the main data path), a network TAP, or a switch/router that offers a “monitoring port”...
  • Page 39 ● Sensor License – The license used by the Packet Sensor. Wanguard provides all features; WanSight does not provide traffic anomaly detection and reaction. ● Top Generator – Allows generation of traffic tops:...
  • Page 40: Packet Sensor Optimization Steps For Intel 82599

    Packet Sensor Optimization Steps for Intel 82599. To distribute the packet-processing tasks of the Packet Sensor over multiple CPU cores when using an adapter with the Intel 82599 chipset (Intel X520, Intel X540, HP X560, etc.): Follow the documentation and optimization guides provided by the network adapter vendor.
  • Page 41: Packet Sensor Troubleshooting

    ✔ The event log error “License key not compatible with the existing server” can be fixed by sending the string from Configuration » Servers » [Packet Sensor server] » Hardware Key to sales@andrisoft.com. ✔ Make sure that the sniffing interface is up:...
  • Page 42: Configuration » Components » Flow Sensor

    Configuration » Components » Flow Sensor. Many routers and switches can collect IP traffic statistics and periodically export them as flow records to a Flow Sensor. Because the flow protocol already performs pre-aggregation of traffic data, the flow data sent to Flow Sensor is much smaller than the monitored traffic, which makes the Flow Sensor a good option for monitoring remote or high-traffic networks.
  • Page 43 ● Time Settings – The time offset between the time zone (TZ) of the Flow Sensor server and the flow exporter. Running NTP on both devices to keep their clocks synchronized is a critical requirement for Flow Sensor.
  • Page 44: Flow Sensor Troubleshooting

    ✔ The event log error “License key not compatible with the existing server” can be fixed by sending the string from Configuration » Servers » [Flow Sensor server] » Hardware Key to sales@andrisoft.com. ✔ Ensure that the server is receiving flow packets on the configured Listener IP:Port:...
  • Page 45 ✔ When you define interfaces with the Traffic Direction parameter set to “Auto”, make sure that the IP Zone you have selected for the Flow Sensor contains all your IP blocks.
  • Page 46 interface. ✔ To troubleshoot Sensor graph or IP graph issues, follow the Graphs Troubleshooting guide from page 22. ✔ Make sure you are running the latest version of the software.
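The Flow Sensor troubleshooting steps stop at “is the server receiving flow packets on the Listener IP:Port?”; the next questions a practitioner asks are whether those packets parse, what per-destination rates the pre-aggregated records actually imply, and whether the exporter's clock agrees with the Sensor's (the Time Settings note on page 43). The code below is an added example and not Andrisoft code: NetFlow v5 is assumed as the export format (the guide does not describe Wanguard's own flow decoders), the datagram is built from constructed values, and listen_once() is the only part that touches the network.

```python
"""Added example: parse NetFlow v5 datagrams the way a flow collector would.
Not Andrisoft code; NetFlow v5 is assumed as the export format."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout, network byte order: 24-byte header, 48-byte records
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
assert HEADER.size == 24 and RECORD.size == 48


def parse_v5(datagram):
    """Return (header dict, list of record dicts); raise ValueError on garbage."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime_ms, unix_secs, _nsecs, flow_seq,
     _engine_type, _engine_id, sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count %d does not match datagram length" % count)
    header = {"unix_secs": unix_secs, "flow_sequence": flow_seq, "count": count,
              "sampling_interval": sampling & 0x3FFF}   # low 14 bits = interval
    records = []
    for i in range(count):
        off = HEADER.size + i * RECORD.size
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first_ms, last_ms,
         sport, dport, _pad1, _tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = RECORD.unpack_from(datagram, off)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "sport": sport, "dport": dport,
            "pkts": pkts, "octets": octets,
            # single-packet flows have first == last; avoid dividing by zero
            "duration_s": max(last_ms - first_ms, 1) / 1000.0,
        })
    return header, records


def per_destination_rates(records, sampling_interval=1):
    """Aggregate flows into packets/s and bits/s per destination, scaled by
    the exporter's sampling interval (1 = unsampled)."""
    scale = max(sampling_interval, 1)
    agg = defaultdict(lambda: {"pps": 0.0, "bps": 0.0})
    for r in records:
        agg[r["dst"]]["pps"] += r["pkts"] * scale / r["duration_s"]
        agg[r["dst"]]["bps"] += r["octets"] * 8 * scale / r["duration_s"]
    return dict(agg)


def clock_skew(header, now_unix):
    """Seconds by which the collector's clock is ahead of the exporter's."""
    return now_unix - header["unix_secs"]


def build_sample():
    """Constructed datagram: one DNS-amplification-style UDP flow and one
    ordinary HTTPS flow, both towards the 192.0.2.0/24 documentation range."""
    def rec(src, dst, proto, sport, dport, pkts, octets, first_ms, last_ms):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                           first_ms, last_ms, sport, dport, 0, 0, proto, 0,
                           0, 0, 24, 24, 0)
    body = (rec("198.51.100.9", "192.0.2.10", 17, 53, 4444, 50_000, 60_000_000, 1000, 6000)
            + rec("203.0.113.5", "192.0.2.20", 6, 443, 52000, 100, 120_000, 1000, 11000))
    header = HEADER.pack(5, 2, 6000, 1_700_000_000, 0, 1, 0, 0, 1)
    return header + body


def listen_once(ip, port, bufsize=65535):
    """Receive one datagram on the configured Listener IP:Port and parse it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((ip, port))
        data, peer = s.recvfrom(bufsize)
    return peer, parse_v5(data)
```

A 48-byte record standing for 50,000 packets is the pre-aggregation the guide refers to; it is also why a skewed exporter clock matters, since first/last timestamps and unix_secs are what turn those counts into rates and into a point on the time axis.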
  • Page 47: Configuration » Components » Snmp Sensor

    Configuration » Components » SNMP Sensor. SNMP Sensor monitors the bandwidth usage of routers and switches on a port-by-port basis. SNMP Sensor queries devices (e.g. routers, switches, servers) for the traffic counters of each port with small data packets, which trigger reply packets from the device.
  • Page 48 The default value is 2. ● Discovery – Activates or deactivates interface discovery: ○ Monitor all interfaces – Select to add all interfaces automatically to the SNMP Sensor. The interface...
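The counters an SNMP Sensor polls are monotonically increasing octet counts that wrap at 2^32 (ifInOctets) or 2^64 (ifHCInOctets), so turning two polls into bits/s has to cope with a wrapped delta, and the polling interval has to stay well below the time a busy link needs to wrap a 32-bit counter, or the delta becomes ambiguous. The following is an added example written for this page, not Andrisoft code (the guide does not describe the Sensor's internal arithmetic); the poll series is constructed.

```python
"""Added example: bits/s from SNMP interface octet counters (not Andrisoft code)."""


def counter_delta(prev, cur, bits=32):
    """Difference between two readings of a monotonically increasing counter,
    assuming at most one wrap between the two polls."""
    if bits not in (32, 64):
        raise ValueError("counter width must be 32 or 64")
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur      # the counter wrapped once


def rate_bps(prev, cur, interval_s, bits=32):
    """bits/s over one polling interval from two octet-counter readings."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    return counter_delta(prev, cur, bits) * 8 / interval_s


def wrap_seconds(link_bps, bits=32):
    """Seconds a saturated link needs to wrap an octet counter. The polling
    interval must be well below this, otherwise two wraps look like one."""
    return (1 << bits) * 8 / link_bps


def rates_from_polls(polls, bits=32):
    """polls: list of (unix_time, octets) in poll order. Returns bits/s per interval."""
    rates = []
    for (t0, c0), (t1, c1) in zip(polls, polls[1:]):
        rates.append(rate_bps(c0, c1, t1 - t0, bits))
    return rates


# Constructed ifInOctets (32-bit) readings on a busy port, polled every 5 s.
# Between the second and third reading the counter passes through 2^32.
SAMPLE_POLLS = [
    (1000, 4_294_000_000),
    (1005, 4_294_900_000),
    (1010, 100_000),
    (1015, 1_000_000),
]
```

At 1 Gbit/s a 32-bit counter wraps in about 34 seconds, which is why 64-bit ifHCInOctets (or a short polling interval) is needed on gigabit and faster ports; without the wrap handling above the third sample would come out as a huge negative rate.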
  • Page 49: Snmp Sensor Troubleshooting

    ✔ The event log error “License key not compatible with the existing server” can be fixed by sending the string from Configuration » Servers » [SNMP Sensor server] » Hardware Key to sales@andrisoft.com. ✔ Verify if the Console can reach the device by clicking the <OIDs and Tests> button from the SNMP...
  • Page 50: Configuration » Components » Sensor Cluster

    Configuration » Components » Sensor Cluster. Sensor Cluster aggregates traffic data provided by Packet Sensors and Flow Sensors into a single anomaly detection domain and/or IP graphing domain. To add a Sensor Cluster, click the <+> button found on the title bar of the Configuration » Components panel.
  • Page 51: Configuration » Components » Quagga / Exabgp Connector

    Configuration » Components » Quagga / ExaBGP Connector. Wanguard Sensor and Wanguard Filter can send and withdraw BGP announcements (advertisements, routing updates) automatically using Response actions (detailed on page 27), in the following cases: To protect your network by announcing DDoSed destinations to the upstream provider(s) using a special...
  • Page 52 The Quagga Connector Configuration window contains the following fields: ● BGP Connector Name – A short name or description for the BGP Connector. ● Device Group – Optional description used within Console to group up components (e.g. by location or...
  • Page 53 The ExaBGP Connector Configuration window contains the following fields: ● BGP Connector Name – A short name or description for the BGP Connector. ● Device Group – Optional description used within Console to group up components (e.g. by location or...
  • Page 54: Bgp Connector Troubleshooting

    Operations Tools » <Black Hole> or <Divert Traffic>. If you encounter errors, follow the troubleshooting guide below: BGP Connector Troubleshooting ✔ Ensure that you have correctly configured the BGP Connector. Each configuration field is described in...
  • Page 55: Configuration » Components » Packet Filter

    Configuration » Components » Packet Filter. The functionality of Wanguard Filter is described in the “Choosing a Method of DDoS Mitigation” chapter on page 10. If you do not plan to use Packet Filter(s) you can safely skip this chapter.
  • Page 56 parameter to a BGP Connector configured to reroute traffic. Other parameters must be set as in the Inline filtering mode. ○ Out-of-line monitoring – Packet Filter runs on a server that receives a copy of packets from a...
  • Page 57 filtering rule. Packet Filter can do software-based packet filtering and packet rate limiting using the Netfilter framework provided by the Linux kernel. The software-based packet filter is very flexible, and since Packet Filter does not use the connection tracking mechanism specific to stateful firewalls, it is very fast as well.
  • Page 58 ● Rules Timeout – When set to 0, filtering rules remain active for as long as the anomaly is active. Enter a non-zero value for the filtering rules to expire only after the entered number of seconds.
  • Page 59: Packet Filter Troubleshooting

    ✔ The event log error “License key not compatible with the existing server” can be fixed by sending the string from Configuration » Servers » [Packet Filter server] » Hardware Key to sales@andrisoft.com. ✔ Make sure you are running the latest version of the software.
  • Page 60: Configuration » Components » Flow Filter

    Configuration » Components » Flow Filter. The functionality of Wanguard Filter is described in the “Choosing a Method of DDoS Mitigation” chapter on page 10. If you do not plan to use Flow Filter(s) you can safely skip this chapter.
  • Page 61 ○ Layer2/3 - Out-of-line filtering – To run Flow Filter in this mode, set the Traffic Diversion parameter to a BGP Connector configured to reroute traffic. Other parameters must be set as in the Inline filtering mode.
  • Page 62 Click the options button on the right to be able to configure the following Software Firewall parameters: Netfilter Chain – set to FORWARD if the server forwards traffic or INPUT if it does not.
  • Page 63 ○ Operator – Operators for strings and numbers: equal, non-equal. Operators for numbers: less than, greater than. ○ Rule Value – A user-defined value that should match. ○ FW Policy – When FW Policy is Permit and Operator is equal, the Flow Filter explicitly allows the...
  • Page 64: Configuration » Components » Filter Cluster

    Configuration » Components » Filter Cluster. The functionality of Wanguard Filter is described in the “Choosing a Method of DDoS Mitigation” chapter on page 10. If you do not plan to use Filter Cluster(s) you can safely skip this chapter.
  • Page 65 parameter to a BGP Connector configured to reroute traffic. Other parameters must be set as in the Inline filtering mode. ○ Out-of-line monitoring – Filter Cluster runs on a server that receives a copy of packets from a...
  • Page 66 matched by it is blocked. The remaining traffic is passed. Filtering rules drop matched traffic. ○ Valid traffic is rate-limited – Filter Cluster detects, reports and applies filtering rules and rate-limits the remaining traffic. If the filtering rule is not whitelisted, the traffic matched by it is blocked.
  • Page 67 block port 53 UDP traffic towards your DNS server, making it partially unreachable from the Internet. In this case, configure a proper whitelist rule (Rule Type: Dst Port UDP, Operator: equal, Rule Value: 53) and review Configuration »...
  • Page 68: Configuration » Schedulers » Scheduled Reports

    Configuration » Schedulers » Scheduled Reports. One of the greatest strengths of the Console is the ease with which it can generate complex Reports. Most reports created by clicking items from the Reports Region can be printed, exported as PDFs or sent by email.
  • Page 69: Configuration » Schedulers » Event Reporting

    Configuration » Schedulers » Event Reporting. Events are short text messages that describe the change of an operational status. They are generated by Wanguard components and logged by Console. You can list events in the Reports » Components » [Component Name] » [Component Type] Event sub-tab. To search, sort or filter event messages, click the small down arrow that appears when hovering over the Event column header.
  • Page 70: Configuration » General Settings » Outgoing Email

    Configuration » General Settings » Outgoing Email. Console sends notification emails using the settings from Configuration » General Settings » Outgoing Email. Email configuration options: From Email – The email address you would like to appear as the sender.
  • Page 71: Configuration » General Settings » User Management

    Configuration » General Settings » User Management. To add, modify or delete Console user accounts click Configuration » General Settings » User Management. Each Console user must be assigned to one role (access level): Administrator –...
  • Page 72: Configuration » General Settings » User Authentication

    Configuration » General Settings » User Authentication. To configure remote authentication mechanisms and login window settings click Configuration » General Settings » User Authentication. Persistent Sessions enable cookie-based authentication for Console users that select the Remember option in the login screen.
  • Page 73 ● RADIUS Protocol – Protocol used for authentication purposes: ○ PAP (Password Authentication Protocol) – provides a simple method for the peer to establish its identity using a 2-way handshake (with PAP the password itself travels to the RADIUS server, protected only by the RADIUS shared secret). ○ CHAP (Challenge-Handshake Authentication Protocol) –...
  • Page 74: Reports » Tools

    Reports » Tools. Reports » Tools contains links to the Anomalies, BGP Operations, Firewall Rules, Flow Collectors and Packet Tracers tabs. Reports » Tools » Anomalies provides live and historical data related to DoS, DDoS, and other traffic anomalies.
  • Page 75 The severity color indicates the link's severity: 0-25% blue, 25%-50% yellow, 50%-75% orange, 75%-100% red. The link's severity is the ratio between the abnormal traffic and the overall traffic of the link (Sensor or interface) for pkt/s thresholds, or the ratio between the abnormal traffic and the link capacity for bits/s thresholds.
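The threshold and severity rules spread over pages 30, 35-36 and 75 fit together as one small evaluation loop: a threshold is either an absolute packets/s or bits/s value or a percentage of the Sensor's total traffic, and a breached threshold gets a severity ratio (abnormal traffic over the link's overall traffic for pkt/s thresholds, over the link capacity for bits/s thresholds) that maps onto the blue/yellow/orange/red bands. The code below is an added illustration written for this page and is not Wanguard's detection engine; the per-destination counters and Sensor totals are constructed, and the 10k packets/s UDP threshold is the figure the guide suggests.

```python
"""Added example: threshold evaluation and severity banding as the guide
describes them (not Andrisoft code; all counters below are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threshold:
    decoder: str      # decoder name, e.g. "UDP" or "OTHER"
    unit: str         # "pps" (packets/s) or "bps" (bits/s)
    kind: str         # "absolute" or "percentage"
    value: float      # pps/bps for absolute; percent of the Sensor total for percentage


def limit_for(t, sensor_total):
    """Numeric limit a threshold implies for the current Sensor totals."""
    if t.kind == "absolute":
        return t.value
    if t.kind == "percentage":
        return sensor_total[t.unit] * t.value / 100.0
    raise ValueError("unknown threshold type %r" % t.kind)


def severity_pct(unit, abnormal, link_total_pps, link_capacity_bps):
    """Severity as a percentage: abnormal/overall pkt/s for pps thresholds,
    abnormal/link capacity for bps thresholds."""
    denom = link_total_pps if unit == "pps" else link_capacity_bps
    return 100.0 * abnormal / denom if denom else 0.0


def severity_color(pct):
    """0-25 blue, 25-50 yellow, 50-75 orange, 75-100 red."""
    if pct < 25:
        return "blue"
    if pct < 50:
        return "yellow"
    if pct < 75:
        return "orange"
    return "red"


def detect(counters, thresholds, sensor_total, link_capacity_bps):
    """counters: {dst: {decoder: {"pps": x, "bps": y}}}.
    Returns one anomaly dict per breached (destination, threshold) pair."""
    anomalies = []
    for dst, per_decoder in counters.items():
        for t in thresholds:
            observed = per_decoder.get(t.decoder, {}).get(t.unit, 0)
            limit = limit_for(t, sensor_total)
            if observed <= limit:
                continue
            pct = severity_pct(t.unit, observed, sensor_total["pps"], link_capacity_bps)
            anomalies.append({
                "dst": dst, "decoder": t.decoder, "unit": t.unit,
                "observed": observed, "limit": limit,
                "severity_pct": round(pct, 1), "color": severity_color(pct),
            })
    return anomalies


# Constructed 5-second snapshot from one Sensor on a 10 Gbit/s link
SENSOR_TOTAL = {"pps": 220_000, "bps": 2_400_000_000}
LINK_CAPACITY_BPS = 10_000_000_000
SAMPLE_COUNTERS = {
    "192.0.2.10": {"UDP": {"pps": 180_000, "bps": 1_800_000_000}},  # flood target
    "192.0.2.20": {"UDP": {"pps": 2_500, "bps": 30_000_000}},       # ordinary DNS load
    "192.0.2.30": {"UDP": {"pps": 12_000, "bps": 90_000_000}},      # just above 10k/s
}
THRESHOLDS = [
    Threshold("UDP", "pps", "absolute", 10_000),   # the ~10k/s figure from page 36
    Threshold("UDP", "bps", "percentage", 50),     # more than half of the Sensor's bits/s
]
```

Note how the same flood scores red on the pkt/s threshold (82% of all packets the Sensor sees) but only blue on the bits/s threshold (18% of a 10 Gbit/s link): the two ratios have different denominators, which is why a percentage threshold on a lightly loaded link can fire long before the link itself is in danger.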
  • Page 76: Anomaly Archive

    Filter | Which Filter detected the filtering rule. Click it to open a new tab with Filter-specific data. Filtering Rule | The filtering rule that isolates the malicious traffic. The possible filtering rules are listed in Configuration »...
  • Page 77: Anomaly Overview

    The <Expire Anomalies> button from the top toolbar clears active anomalies by manipulating the database. Anomaly Overview shows trends and summarizations of traffic anomalies detected by the selected Sensors, using the selected decoders, for the selected time-frame.
  • Page 78: Reports » Tools » Bgp Operations

    Reports » Tools » BGP Operations. Reports » Tools displays the number of BGP announcements (routing updates) that are active. The number is red when there is at least one active BGP announcement sent through a BGP Connector configured for mitigation (black hole filtering), or blue when all active BGP announcements were sent through BGP Connectors configured for traffic diversion.
  • Page 79: Bgp Announcement Archive

    FlowSpec | Contains a detailed BGP FlowSpec rule. Comments | Contains user comments about the BGP announcement. Actions | Contains a link for the manual removal of the BGP announcement and a link for adding/modifying user comments.
  • Page 80: Reports » Tools » Firewall Rules

    Reports » Tools » Firewall Rules. Reports » Tools displays the number of firewall rules with the match count increased in the last 5 seconds. The Firewall Rules tab lists all firewall rules managed by Wanguard and provides a quick and easy way for Console users to define their own rules.
  • Page 81: Filtering Rules

    ● Firewall Policy – Select the Software Firewall policy applied for the matched packets: ◦ Drop – blocks packets and makes the connection appear to be to an unoccupied IP address. ◦ Reject – blocks packets and sends an ICMP packet indicating the port is unavailable...
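Pages 57, 62-63, 66-67 and the Firewall Policy options above together describe how a filtering rule becomes a Netfilter rule: the Filter picks a chain (FORWARD when the server forwards traffic, INPUT otherwise), a policy (Drop, or Reject with an ICMP port-unreachable), and, before anything is installed, checks the rule against the whitelist so that a rule such as “Dst Port UDP 53” never takes a DNS server offline. The code below is an added example and not Wanguard's own rule generator: it models a whitelist entry as the page's Rule Type / Operator / Rule Value / FW Policy tuple and renders the iptables command as an argument vector without executing it. The filtering-rule shape, the rule types other than “Dst Port UDP” and the exact iptables flags are assumptions made for this illustration.

```python
"""Added example: whitelist evaluation and iptables rendering for filtering
rules (not Andrisoft code). The filtering-rule dict shape and rule types other
than "Dst Port UDP" are assumptions."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class WhitelistRule:
    rule_type: str   # "Dst Port UDP", "Dst Port TCP", "Src IP", "Dst IP"
    operator: str    # equal, non-equal, less than, greater than
    value: str       # user-defined value, as typed in the Console
    policy: str      # "Permit" keeps matching filtering rules out of the firewall


# A filtering rule as the Filter would produce it, e.g.
# {"proto": "udp", "dst_ip": "192.0.2.53", "dst_port": 53}; absent keys are wildcards.

def _field(rule_type, filtering_rule):
    """The filtering-rule field a whitelist rule type refers to (None = not present)."""
    if rule_type == "Dst Port UDP":
        return filtering_rule.get("dst_port") if filtering_rule.get("proto") == "udp" else None
    if rule_type == "Dst Port TCP":
        return filtering_rule.get("dst_port") if filtering_rule.get("proto") == "tcp" else None
    if rule_type == "Src IP":
        return filtering_rule.get("src_ip")
    if rule_type == "Dst IP":
        return filtering_rule.get("dst_ip")
    raise ValueError("unknown rule type %r" % rule_type)


def _compare(operator, actual, value):
    """Apply the page's operators; numeric fields compare as numbers."""
    if actual is None:
        return False
    if isinstance(actual, int):
        value = int(value)
    if operator == "equal":
        return actual == value
    if operator == "non-equal":
        return actual != value
    if operator == "less than":
        return actual < value
    if operator == "greater than":
        return actual > value
    raise ValueError("unknown operator %r" % operator)


def is_whitelisted(filtering_rule, whitelist):
    """True when a Permit whitelist rule matches the filtering rule."""
    return any(w.policy == "Permit"
               and _compare(w.operator, _field(w.rule_type, filtering_rule), w.value)
               for w in whitelist)


def iptables_argv(filtering_rule, chain="FORWARD", policy="Drop"):
    """Render the filtering rule as an iptables argv (returned, not executed)."""
    if chain not in ("FORWARD", "INPUT"):
        raise ValueError("chain must be FORWARD (server forwards traffic) or INPUT")
    argv = ["iptables", "-I", chain]
    if "proto" in filtering_rule:
        argv += ["-p", filtering_rule["proto"]]
    if "src_ip" in filtering_rule:
        argv += ["-s", str(ipaddress.ip_address(filtering_rule["src_ip"]))]
    if "dst_ip" in filtering_rule:
        argv += ["-d", str(ipaddress.ip_address(filtering_rule["dst_ip"]))]
    if "dst_port" in filtering_rule:
        argv += ["--dport", str(int(filtering_rule["dst_port"]))]
    if policy == "Drop":
        argv += ["-j", "DROP"]
    elif policy == "Reject":       # "ICMP packet indicating the port is unavailable"
        argv += ["-j", "REJECT", "--reject-with", "icmp-port-unreachable"]
    else:
        raise ValueError("policy must be Drop or Reject")
    return argv


def apply_rules(filtering_rules, whitelist, chain="FORWARD", policy="Drop"):
    """Return (commands to install, filtering rules skipped as whitelisted)."""
    commands, skipped = [], []
    for fr in filtering_rules:
        if is_whitelisted(fr, whitelist):
            skipped.append(fr)
        else:
            commands.append(iptables_argv(fr, chain, policy))
    return commands, skipped


# Constructed: two filtering rules detected during a UDP flood at 192.0.2.53 (a DNS server)
DETECTED = [
    {"proto": "udp", "dst_ip": "192.0.2.53", "dst_port": 53},    # would also cut real DNS
    {"proto": "udp", "dst_ip": "192.0.2.53", "dst_port": 4444},  # flood traffic
]
WHITELIST = [WhitelistRule("Dst Port UDP", "equal", "53", "Permit")]
```

Running apply_rules(DETECTED, WHITELIST) installs only the port 4444 rule; the port 53 rule is reported but never reaches Netfilter, which is exactly the outcome page 67 asks you to configure for. The ipaddress and int() conversions also make sure that whatever the Filter derived from attack traffic is a real address or port before it is placed on an iptables command line.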
  • Page 82: Reports » Tools » Flow Collectors

    Reports » Tools » Flow Collectors. Reports » Tools contains a link to Flow Collectors if there is at least one Flow Sensor in use. The number of active Flow Collectors is displayed within the panel.
  • Page 83 Console server and remote Flow Sensor servers are not automatically adjusted. ● Flow Filtering Expression – Here you can enter a filtering expression for flows. Click the light bulb icon on the right to open a window that shows you the correct syntax. Frequently-used flow filters can be saved there and reused at a later time.
  • Page 84: Reports » Tools » Packet Tracers

    Reports » Tools » Packet Tracers. Reports » Tools contains a link to Packet Tracers when there is at least one Packet Sensor or Packet Filter in use. The number of active packet traces is displayed within the panel.
  • Page 85: Packet Trace Archive

    interested in. ● Comments – This field may contain comments about the packet trace. All active Packet Traces are listed in a table having the following format: Description [BPF] – The description and BPF expression of the trace.
  • Page 86: Reports » Components

    Reports » Components contains links to the Overview, Device Group, Sensor and Filter tabs. The Overview tab provides a real-time view on the status of all active Wanguard components and servers.
  • Page 87: Servers

    The table displays the following data for each server that runs software components of Wanguard:
    Status – A green check mark indicates that the server is connected to Console. When a red “X” is displayed, start the WANsupervisor service and make sure that the clocks are synchronized between the server and the Console server.
  • Page 88: Packet Sensors

    Inbound Bits/s – Inbound bits/second throughput and the usage percent.
    Outbound Bits/s – Outbound bits/second throughput and the usage percent.
    Received Pkts/s – Packets/second reported by the associated Sensors.
    IPs (Int.) – IP addresses (from the IP Zone) that send or receive traffic.
  • Page 89: Flow Sensors

    Server – Which server runs the Packet Sensor. Click to open a new tab with data specific to the server. Administrators and operators can right-click to open the Server Configuration window.
    Flow Sensors – The table is displayed while there is at least one active Flow Sensor.
  • Page 90: SNMP Sensors

    The table is displayed while there is at least one active SNMP Sensor.
    Status – A green check mark indicates that the SNMP Sensor is connected to Console. If you see a red “X”...
  • Page 91: Filter Clusters, Packet Filters, And Flow Filters

    The tables are displayed while there is at least one active Filter Cluster, Packet Filter or Flow Filter.
    Status – A green check mark indicates that the Filter is connected to Console. If you see a red “X”...
  • Page 92: Reports » Components » Sensors

    Click on a Sensor name anywhere in Console to open a tab that contains Sensor-specific information. The tab includes a few sub-tabs, located at the lower side of the window. All sub-tabs share the following common toolbar fields: Sensors –...
  • Page 93: Sensor Tops

    Flow Sensor or a network connectivity issue with the flow exporter.
    ◦ Unknown Frames – For Packet Sensors, it represents the rate of packets not passing IP validation. For Flow Sensors, it represents the rate of invalidated flows.
  • Page 94: Flow Records

    when the Top Generator parameter from the Sensor configuration is set to “Basic”.
    ◦ External IPs – External IPs that send or receive the most traffic for the selected decoder. Available when the Top Generator parameter from the Sensor configuration is set to “Extended” or “Full”.
  • Page 95: AS Graphs

    Flow Sensors and Packet Sensors can generate traffic and bandwidth histograms for autonomous systems. This feature is enabled for Packet Sensors that have the Top Generator parameter set to “Full”, and for Flow Sensors that have the Top Generator parameter set to “Full”...
  • Page 96: Reports » Components » Filters

    Click on a Filter name anywhere in Console to open a tab that contains Filter-specific information. The tab includes a few sub-tabs, located at the lower side of the window. All sub-tabs share the following common toolbar fields: Filters –...
  • Page 97: Filter Events

    ◦ Total Excepted Rules – Whitelisted filtering rules.
    ● Graphs Size – Select a predefined dimension or enter a custom one in a “<X> x <Y>” format, where <X> and <Y> are the X-axis and Y-axis pixels.
  • Page 98: Reports » Dashboards

    Wouldn't it be nice to see all the relevant data in a single tab? Dashboards allow you to group data from any report according to your needs. Any dashboard can be configured to refresh itself at intervals ranging from 5 seconds to 15 minutes.
  • Page 99: Reports » IP Addresses & Groups

    This chapter describes how to generate detailed traffic reports for any IP address, block or group included in Configuration » Network & Policy » [IP Zone].
  • Page 100: IP Accounting

    ● Graph Legend – Select the detail of the graph legend.
    ● Consolidation – If you are interested in spikes, choose the MAXIMUM aggregation type. If you are interested in average values, choose the AVERAGE aggregation type. If you are interested in low values, choose the MINIMUM aggregation type.
  • Page 101: Flow Records

    selected IP block or group. Selecting this option also enables the option below.
    ● Use Per-IP Data – Creates a traffic accounting report by aggregating the IP accounting data generated for...
  • Page 102: Reports » Servers

    Click on a server name anywhere in Console to open a tab containing server-specific information. The server tab includes a few sub-tabs, located at the lower side of the window. All sub-tabs share the following common toolbar fields: Servers –...
  • Page 103: Server Events

    Console administrators can execute CLI commands on the selected server(s) and see the output in this sub-tab. The commands are executed by the WANsupervisor service with the “andrisoft” user (non-root) privileges. To prevent the execution of CLI commands through Console, start the WANsupervisor service with the “-n” option.
  • Page 104: Appendix 1 - IPv4 Subnet CIDR Notation

    Wanguard makes extensive use of IP addresses and IP classes in CIDR notation. To view details about any IPv4 subnet, click Help → Subnet Calculator.
  • Page 105: Appendix 2 - Configuring NetFlow Data Export

    This appendix is a brief guide to setting up the NetFlow data export (NDE) on Cisco and Juniper routers or intelligent Cisco Layer 2/Layer 3/Layer 4 switches. If you have problems with the configuration, contact your network administrator or consultant.
  • Page 106: Configuring NDE On A CatOS Device

    The following commands break up flows into shorter segments: 1 minute for active traffic and 30 seconds for inactive traffic. Flow Sensor drops flows older than 5 minutes!
    router(config)# ip flow-cache timeout active 1
    router(config)# ip flow-cache timeout inactive 30
    In enable mode you can see the current NetFlow configuration and state.
  • Page 107: Configuring NDE On A 4000 Series Switch

    switch(config)# mls nde sender version 5
    The following commands break up flows into shorter segments: ~1 minute for active flows and ~30 seconds for inactive flows. Flow Sensor drops flows older than 5 minutes!
  • Page 108

    interfaces {
        ge-0/1/0 {
            unit 0 {
                family inet {
                    filter {
                        input all;
                        output all;
                    }
                    address 192.168.1.1/24;
                }
            }
        }
    }
    firewall {
        filter all {
            term all {
                then {
                    sample;...
  • Page 109: Appendix 3 - BGP Black Hole Guideline For Wanguard Sensor

    Understanding of RTBH using Wanguard. To simplify, we will start from the following scenario: an attack is detected by Wanguard Sensor (hereafter referred to simply as Sensor), which decides to react by using the BGP black hole approach rather than diverting traffic for scrubbing by Wanguard Filter.
  • Page 110: Black-Holing On Upstream

    The principle of DDoS mitigation using black hole BGP advertisements is to propagate the BH-prefix from the destination of the attack as close as possible to the source. Most ISPs have defined a public community on which their IBRs base the decision to black hole the traffic destined to the victim by routing it to Null0.
  • Page 111: Interaction With Traffic Diversion / Wanguard Filter

    and allow customer-routes
    r7500(config-route-map)# match community <Wanguard-Sensor-community-name>
    r7500(config-route-map)# set community <ISP1-BH-Community>   → e.g. 222:9999
    r7500(config-route-map)# exit
    r7500(config)# router bgp <Router-AS-number>
    r7500(config-router)# neighbor <ISP1-IP-address> remote-as <ISP1-AS-number>
    r7500(config-router)# neighbor <ISP1-IP-address> route-map IBR-ISP1-out out
    r7500(config-router)# neighbor <ISP2-IP-address>...
  • Page 112: Appendix 4 - Network Integration Guideline For Wanguard Filter

    This appendix describes how to configure the network for traffic scrubbing by Wanguard Filter, starting from a couple of common deployment scenarios of the filtering server.
  • Page 113: BGP Configuration Guideline

    The following terminology is used:
    ● Divert-from router – The router from which traffic, initially intended for the victim, is diverted towards Filter (e.g. IBR) – this router has to receive a redirect-prefix via BGP
    ● Inject-to router –...
  • Page 114: Quagga bgpd Configuration

    router. The guidelines provided in this section apply to the BGP configuration on any router from which Filter diverts traffic. To simplify, the following examples are provided using eBGP (external BGPv4). This solution is not limited to eBGP; iBGP may be considered as well, depending on the existing network setup, in which case “...
  • Page 115

    Wanguard needs to connect to bgpd through the public IP of the server (even if the connection will be made from the server itself, using the WANsupervisor service and the WANbgp package). This is why the “-A 127.0.0.1” option, which binds bgpd to the loopback interface, must be deleted.
  • Page 116: ExaBGP Configuration

    router bgp 65000
     bgp router-id 192.168.1.100
     neighbor 192.168.1.1 remote-as 1000
     neighbor 192.168.1.1 description divert-from router
     neighbor 192.168.1.1 soft-reconfiguration inbound
     neighbor 192.168.1.1 route-map Wanguard-Filter-in in
     neighbor 192.168.1.1 route-map Wanguard-Filter-out out...
  • Page 117: Cisco Router BGP Configuration

    Start ExaBGP with a command such as:
    env exabgp.daemon.user=root exabgp.daemon.daemonize=true exabgp.daemon.pid=/var/run/exabgp.pid exabgp.log.destination=/var/log/exabgp.log exabgp /etc/exabgp_example.conf
    Verify that ExaBGP starts and functions correctly by inspecting /var/log/exabgp.log. Wanguard connects to ExaBGP using the BGP Connector component documented on page 51.
  • Page 118

    neighbor 192.168.1.100 route-map Wanguard-Filter-in in
    no synchronization
    ip bgp community new-format
    ip community-list expanded Wanguard-Filter permit no-advertise
    ip community-list expanded Wanguard-Filter permit <Wanguard-Filter-community>
    route-map Wanguard-Filter-in permit 10...
  • Page 119: Understanding The Traffic Forwarding Methods

    This section provides details on the available traffic forwarding methods. A traffic forwarding method must be used to re-inject cleaned traffic from the Filter system back into the network in order to reach its destination.
  • Page 120: Layer 3 Forwarding Method

    While the above solution assumes one Divert-from and one Inject-to router, a couple of variations may be considered starting from this option:
      a) Multiple Divert-from routers
      b) Multiple Inject-to routers...
  • Page 121

    2. Depending on the Next-hop router role, the following sub-options exist:
      a) Next-hop router is on a dedicated device, but is not directly connected to Filter
      b) Next-hop router is on the same device as the Divert-from/Inject-to routers
    In scenario 2a, a routing loop issue may occur between the Divert-from/Inject-to router and Filter: Filter sends a BGP redirect announcement to the Divert-from router (e.g.
  • Page 122

    2. Using PBR (Policy-Based Routing) to override the normal routing decision of the Divert-from/Inject-to router:
    Figure-5. Logical Diagram: Layer 3 Forwarding using PBR (*same steps as per Fig.1)
    Warning: PBR may impact router performance –...
  • Page 123

    r7200(config)# interface Tunnel 1
    r7200(config-if)# ip address <X.X.X.X> 255.255.255.252
    r7200(config-if)# ip mtu 1500
    r7200(config-if)# ip tcp adjust-mss 1456
    r7200(config-if)# tunnel source <Y.Y.Y.Y>   → where Y.Y.Y.Y is the IP from the Next-hop router
    r7200(config-if)# tunnel destination <Z.Z.Z.Z>...
  • Page 124

    • in order to ensure normal routing between these two VRFs, MPBGP has to be activated on the router; no MPBGP neighbor has to be defined in the VRF definitions
    • special policies for import/export Route-Targets (RT) have to be defined in the...
  • Page 125

    r7200(config)# ip extcommunity-list standard VRF-Inside permit rt 65000:200
    r7200(config)# route-map VRF-Inside-Import deny 10
    r7200(config-route-map)# match community Wanguard-Filter   → The Wanguard-Filter community has already been configured above; this will deny redirect-routes...
  • Page 126

    r7200(config-router)# address-family ipv4 vrf Outside
    r7200(config-router-af)# no synchronization
    r7200(config-router-af)# redistribute connected
    r7200(config-router-af)# redistribute <other IGP/static if needed>
    r7200(config-router-af)# exit-address-family
    r7200(config-router)# exit
    r7200(config)#
    If too many GRE tunnels or PBR entries have to be configured and maintained, consider the VRF-Lite solution.
  • Page 127: Appendix 5 - Software Changelog

    Wanguard 6.2 Release date: March 23 2016
    ➢ BGP FlowSpec (RFC 5575) support and ExaBGP integration.
    ➢ Packet Sensor and Packet Filter can run multi-threaded over multiple CPU cores.
  • Page 128

    Wanguard 6.1 Release date: December 3 2015
    ➢ Administrators can create custom decoders that identify flows or packets sharing a certain pattern (e.g. to differentiate and classify the underlying protocols) in Configuration » General Settings » Custom Decoders.
  • Page 129

    ➢ Emails can be sent directly by Console without requiring a local MTA. New Configuration » General Settings » Outgoing Email Settings, with configurable Sender Email.
    ➢ Fixed sending emails to CC addresses.
    ➢ Corrupted Console database can be repaired with "/opt/andrisoft/bin/WANmaintenance repair".
    ➢ 32-bit architectures are no longer supported.
    Console
    ➢ A new graphical slider for quick selection of custom time frames in Reports.
  • Page 130

    ➢ Dashboards can be configured to have a unique time frame for all containing widgets.
    ➢ Unprivileged users can open reports for IPs included in the allowed subnets.
    ➢ Loading of IP Zones with thousands of IPs and subnets is around 8 times faster.
  • Page 131

    ➢ The Flow Sensor Configuration window has advanced SNMP options.
    ➢ On the Flow Sensor's Traffic Direction option, "Mixed" renamed "Auto", "Inbound" renamed "Upstream", "Outbound" renamed "Downstream".
    ➢ Reports » Attacks & Tools » BGP Prefixes renamed BGP Operations.
