This information guide is provided to our customers as part of the installation and use of the Radware products described in this document and may not be used for any purpose other than that for which it was designed.
The OnDemand Switch may use software components licensed under the GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of LinuxBios and Filo is available from Radware upon request. A copy of the license can be viewed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html...
GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of LinuxBios and Filo is available from Radware upon request. A copy of the license can be viewed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html This code is also placed...
The OnDemand Switch may use software licensed under the GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of LinuxBios and Filo is available from Radware upon request. A copy of this license can be viewed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html...
DefensePro User Guide Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
To reduce the risk of fire and electrical shock, disconnect the device from the power line before removing covers or panels. The following figure shows the caution label that is attached to Radware platforms with dual power supplies.
Figure 1: Electrical Shock Hazard Label
DUAL-POWER-SUPPLY-SYSTEM SAFETY WARNING IN CHINESE
The following figure is the warning for Radware platforms with dual power supplies.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used for replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be made inoperative and be secured against any unintended operation.
Translation of Figure 4 - Statement for Class B VCCI-certified Equipment, page
This is a Class B product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this is used near a radio or television receiver in a domestic environment, it may cause radio interference.
To reduce the risk of fire and electric shock, disconnect the device from the power supply before removing the cover or panels. The following figure shows the warning label affixed to Radware platforms with more than one power supply.
Figure 6: Safety warning for systems with two power supplies (in Chinese)
Translation of Figure 6 - Safety warning for systems with two power supplies (in Chinese), page
This unit...
Figure 7: Statement for VCCI-certified Class A equipment
Translation of Figure 7 - Statement for VCCI-certified Class A equipment, page
This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI).
If the equipment is supplied with a battery and it is replaced with an incorrect battery type, it may explode. This is the case for certain lithium batteries, so the following apply:
• If the battery is located in an operator access area, a marking is placed on the battery or a note is included in both the operating and the servicing instructions.
...be performed by service personnel. To reduce the risk of fire and electric shock, the device must be disconnected from the power supply before the cover or panels are removed. The following figure shows the CAUTION label affixed to Radware platforms with dual power supplies.
Figure 9: Electric shock hazard warning label
SAFETY NOTICE IN CHINESE FOR SYSTEMS WITH DUAL POWER SUPPLIES...
The unit has more than one power source. To prevent electric shock, disconnect all power supply lines before servicing.
SERVICING
Do not perform any servicing that is not described in the operating instructions unless you are qualified to do so. There are no serviceable parts inside the device.
HIGH VOLTAGE
Any adjustment, maintenance or repair work on the opened device while it is energized must be avoided as far as possible.
Translation of Figure 11 - Statement for VCCI-certified Class A equipment, page
This is a Class A product according to the standards of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this device is used in a residential area, electromagnetic interference may occur.
RISK OF EXPLOSION IF THE BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
• Denmark - "Unit is class I - use an AC power cord that is adapted to the deviations in Denmark. The cord has a grounding conductor. The cord is plugged into a grounded wall outlet.
Document Conventions
The following describes the conventions and symbols that this guide uses:
Item: Example
Description: An example scenario
Description (French, translated): An example scenario
Description (German, translated): An example scenario
Description: Possible damage to equipment, software, or data...
Description (French, translated): Possible damage to the equipment, ...
Description (German, translated): Possible damage to device, software or ...
Document ID: RDWR-DP-V0602_UG1201...
Table of Contents
Safety Instructions
Document Conventions
Chapter 1 – Introduction
Introducing DefensePro
DefensePro System Components
Radware Security Update Service on the Web
Typical Deployment
Network Connectivity
Management Interfaces—APSolute Vision and Others
DefensePro Features
Configuring Inspection Ports
Configuring Port Pairs
Managing the Status of Physical Ports
Internal Bypass for RJ-45 Ports
Updating the Attack Description File
Chapter 3 – Basic Device Configuration
Locking and Unlocking a Device
DefensePro Device Setup
Configuring Anti-Scanning Protection for Network Protection
Configuring Connection Limit Profiles for Network Protection
Configuring SYN Profiles for Network Protection
Radware-Recommended Verification Type Values
Configuring Connection PPS Limit Profiles for Network Protection
Configuring DNS Protection Profiles for Network Protection
Managing the Server Protection Policy
Configuring the Server Protection Policy
Configuring Server Cracking Profiles for Server Protection
Viewing Radware-defined Server Cracking Protections
Configuring HTTP Flood Profiles for Server Protection
Configuring White Lists
Configuring White Lists in DefensePro
Upgrading Device Software
Downloading a Device's Log File to the APSolute Vision Client
Updating a Radware Signature File or RSA Signature File
Downloading a Technical Support File to the APSolute Vision Client
Managing DefensePro Device Configurations
Monitoring DefensePro ARP Table Information
Monitoring MPLS RD Information
Monitoring Device Interfaces
Chapter 11 – Real-Time Security Reporting
Viewing the Security Dashboard
Viewing Current Attack Information
Attack Details
Sampled Data Dialog Box
Appendix C – Troubleshooting
Diagnostic Tools
Traffic Capture Tool
Trace-Log
Diagnostic Tools Files Management
Diagnostics Policies
Technical Support File
Appendix D – Predefined Basic Filters
Appendix E – Glossary
This guide describes DefensePro 6.02 and how to use it. Unless specifically stated otherwise, the procedures described in this guide are performed using APSolute Vision™. This chapter introduces Radware’s DefensePro and provides a general explanation of its main features and modules. This chapter contains the following sections: •...
Radware APSolute Vision, or on-demand download from http://www.radware.com/content/support/securityzone/serviceinfo/default.asp.
• Custom Filters—Custom filters for environment-specific threats and for new attacks reported to the SOC.
For up-to-date security information, refer to the Radware Security Zone, available from the Radware Web site: http://www.radware.com/content/support/securityzone/serviceinfo/default.asp.
DefensePro also protects DMZ servers against attacks targeting Web, e-mail, VoIP and other services. This Radware deployment is at the enterprise gateway, in front of the DMZ servers, where DefensePro provides perimeter protection for the enterprise servers, users, routers and firewalls.
Network Connectivity
The following figure shows the typical network topology of DefensePro.
Figure 15: Typical Network Connectivity
Management Interfaces—APSolute Vision and Others
APSolute Vision is the main management interface for DefensePro. Additional management interfaces for DefensePro devices include: •...
The following table lists the DefensePro physical interfaces and supporting management interfaces:
DefensePro Interface: APSolute Vision; Protocol: SNMPv1, SNMPv3
DefensePro Interface: Web Based Management; Protocol: HTTP, Secure Web
DefensePro Interface: Command Line Interface; Protocol: Telnet, RS-232
Note: For more information, see Administering DefensePro, page 303.
Ticket workflow management
Related Documentation
See the following documents for information related to DefensePro:
• DefensePro Release Notes and Maintenance Release Notes
• Radware Installation and Maintenance Guide
• APSolute Vision Documentation
• APSolute Vision Reporter Documentation
• Web Based Management Help...
Initializing DefensePro using APSolute Vision, which comprises the following: — Connecting DefensePro using APSolute Vision — Adding a DefensePro device The Radware Installation and Maintenance Guide includes additional useful information on the following: • Maintenance and software upgrade • Troubleshooting •...
APSolute Vision Reporter Documentation
See the APSolute Vision Reporter online help and APSolute Vision Reporter User Guide for information about APSolute Vision Reporter and how to use it.
Web Based Management Help
DefensePro Web Based Management supports Help for each page.
This chapter describes what to do before you configure DefensePro with security policies. The Radware Installation and Maintenance Guide covers the information and procedures related to the physical specifications and basic setup of APSolute Vision server and DefensePro platforms. Read the relevant information and follow the instructions in the Radware Installation and Maintenance Guide before you perform the other tasks covered in this chapter.
— Password—The password for the user. Depending on the configuration of the server, you may be required to change your password immediately. Default: radware — Vision Server—The name or IP address of the APSolute Vision server. This parameter is displayed if you click Options. Otherwise, the login procedure tries to connect to the APSolute Vision server that was specified previously.
Vision client session. Configuration Perspective Use the Configuration perspective to configure Radware devices. Typically, you choose the device to configure in the Configuration perspective system pane Organization tab. You can view and modify device settings in the content pane tabs, which have their own navigation panes for easier navigation through configuration tasks.
Figure 16: Configuration Perspective—DefensePro
Callouts in the figure:
System pane Organization tab—Includes the site tree, configured sites, and configured devices
Configuration button—Opens the Configuration perspective
Button that opens the APSolute Vision Reporter
Navigation area for the tab
Content area
Properties pane
Alerts pane—Displays the Alerts tab and the Messages tab.
Example Device selection in the Configuration perspective The following example shows the selections you would make to view or change configuration parameters for a Radware device: 1. Open the Configuration perspective by clicking at the top of the window. 2. Select the required device in the system pane by drilling down through the sites and subsites.
Figure 17: Monitoring Perspective—DefensePro
Callouts in the figure:
System pane—Includes the Organization, Application Delivery, and Physical tabs. The Organization tab is relevant for DefensePro.
Monitoring button—Opens the Monitoring perspective
Content area
Navigation area for the tab
Properties pane
Alerts pane—Displays the Alerts tab and the Messages tab. The Alerts tab displays APSolute Vision and device alerts.
Security Monitoring Perspective
The Security Monitoring perspective is displayed only for devices that support the relevant Security module. In the Security Monitoring perspective, you can access a collection of real-time security-monitoring tools that provide visibility regarding current attacks that the DefensePro device has detected. The Properties pane displays information about the currently selected device.
Administrator Guide. APSolute Vision Sites You can organize the Radware devices that APSolute Vision manages according to sites. APSolute Vision displays the sites and managed devices in the system tab. Typically, a site is a group of devices that share properties, such as location, services, or device type. You can nest sites; that is, each site can contain subsites and devices.
Configuring Port Pairs
You can configure ports on a DefensePro device to receive, inspect, and transmit traffic. The traffic from the receiving port is always sent out of the device from its corresponding transmitting port. The ports are paired;...
Table 1: Port Pair Parameters
Advanced Parameters
Enable Interface Grouping: Specifies whether the device groups the statuses of the port-pair interfaces. When the option is enabled, if one port of a port pair is disconnected, DefensePro also sets the status of the paired port to disconnected.
DefensePro devices. The file versions on APSolute Vision and on the DefensePro devices should be identical; Radware recommends updating the file at regular intervals on APSolute Vision and on the individual devices so that the versions stay synchronized.
2. Do one of the following:
— To update the Attack Description file from Radware, select the Radware.com radio button.
— To update the files from the APSolute Vision client host:
a. Select the Client radio button.
APSolute Vision server, using WBM, or using CLI. Note: Only one APSolute Vision server should manage any one Radware device. For more information, see the APSolute Vision Administrator Guide. While the device is locked: •...
DefensePro Device Setup
You can configure the following setup parameters for a selected DefensePro device:
• Configuring DefensePro Global Parameters, page 50
• Configuring Date and Time Synchronization, page 51
• Configuring Daylight Saving, page 52
•...
Table 2: DefensePro Global Parameters
Version Information
Software Version (Read-only): The version of the product software on the device.
Hardware Version (Read-only): The version of device hardware.
Configuring Date and Time Synchronization
DefensePro uses Network Time Protocol (NTP) to synchronize time and date.
Configuring Daylight Saving
DefensePro supports daylight saving time. You can configure the daylight saving time start and end dates and times. During daylight saving time, the device automatically adds one hour to the system clock. The device also indicates whether it is on standard time or daylight saving time.
Note: When the system clock is manually configured, the system time is changed only when daylight saving time starts or ends.
Table 5: Access Protocol Parameters
Web Access
Enable Web Access: Enables access to the Web server. Default: disabled
L4 Port: The port to which WBM is assigned. Default: 80
Web Help URL: The location (path) of the Web help files.
Table 5: Access Protocol Parameters (continued)
Session Timeout: The period of time, in minutes, that the device maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates. Values: 1–120 Default: 5
Note:...
The device software license allows you to activate advanced software functionality.
Throughput License ID: Manages the device throughput license ID; this ID must be provided to Radware when requesting a new throughput license.
Throughput License Key: Manages the device throughput level license.
Configuring E-mail Settings
You can configure the device to send information messages via e-mail to device users.
To configure DefensePro e-mail settings
1. In the Configuration perspective Setup tab navigation pane, select Email Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.
Note: To configure users to receive e-mails about errors, in the User Table, set the e-mail address and notification severity level for each user.
To configure RADIUS authentication for device management
1. In the Configuration perspective Setup tab navigation pane, select RADIUS Authentication.
2. Configure RADIUS authentication parameters for the managed Radware device, and then, click (Submit) to submit the changes.
Note: Instead of configuring each individual device, Radware recommends configuring the APSolute Vision server to convey the syslog messages from all devices. For more information about configuring syslog reporting on the APSolute Vision server, see the APSolute Vision Administrator Guide.
Table 10: Syslog Parameters
Facility: The type of device of the sender. This is sent with syslog messages. You can use this parameter to do the following:
• Distinguish between different devices
•...
Self-signed certificates do not include third-party verification. When you use secure WBM, that is, an HTTPS session, the DefensePro device uses a certificate for identification. By default, the device has self-signed Radware SSL certificates. You can also specify your own self-signed SSL certificates.
Key Size: The key size, in bytes. Larger key sizes offer an increased level of security. Radware recommends that certificates have a key size of 1024 bits or more. Using a certificate of this size makes it extremely difficult to forge a digital signature or decode an encrypted message.
Since private keys are the most sensitive parts of PKI data, they must be protected by a passphrase. The passphrase should be at least four characters; Radware recommends a stronger passphrase than that minimum, based on letters, numbers, and symbols.
Keys and certificates are exported to PEM format.
Note: The Radware key is created without a Radware password at system startup, thus it can be exported without a Radware password.
To export a certificate or key
1. In the Configuration perspective Setup tab navigation pane, select Certificates.
2. Click the Export button below the table.
3. Configure export certificate parameters, and click OK to start the export.
Table 14: Export Certificate Parameters...
To be compatible, both cluster members must be of the same platform, software version, software license, throughput license, and Radware signature file. One member of the cluster is the primary; the other member of the cluster is the secondary.
• Reboot
• Shut down
• Change the device name
• Change the device time
• Initiate a baseline synchronization if the device is passive, using CLI or Web Based Management.
Notes
>> You can initiate a baseline synchronization if a cluster member is passive, using CLI or Web Based Management.
The following table describes the icon elements that APSolute Vision displays in the system pane for DefensePro high-availability clusters.
Table 16: Icon Elements in the System Pane for High-Availability Clusters
Icon Element: Active device
Icon Element: Synchronizing
Icon Element: Unavailable
The following table describes some icons that APSolute Vision can display in the system pane for...
To configure the settings for a high-availability cluster
1. In the Configuration perspective Setup tab navigation pane, select High Availability.
2. Configure the parameters; and then, click (Submit) to submit the changes.
APSolute Vision names the cluster Cluster_<IP address of primary device>...
Table 18: High Availability Parameters
Use Idle Line Detection: Specifies whether the devices switch states due to an idle line detected on the active device. Default: Disabled
Note: If an idle line is detected on both cluster members, there is no switchover.
Configuring a High-Availability Cluster in the System Tab
In the Configuration perspective system pane, you can configure the basic parameters of a cluster (Cluster Name, Primary Device, and Associated Management Ports).
Note: Before you can configure a cluster, the devices must be locked.
To create a DefensePro high-availability cluster from the system pane
1.
To change the associated management ports of a DefensePro high-availability cluster from the system pane
1. In the Configuration perspective system pane, select the cluster node and click Edit Cluster.
2. Configure the parameters; and then click OK.
Note: You cannot change the value if the currently specified management port is being used by the cluster.
• Configuring the Device Event Scheduler, page 91
• Configuring Tunneling Inspection, page 92
Configuring Advanced Settings
The advanced settings comprise the following parameters:
• Accept Weak SSL Ciphers
• Enable Overload Mechanism
• SRP Management Host IP Address
The Overload Mechanism—that is, the overload-protection mechanism—identifies and reports overload conditions, and acts to reduce operations with high resource consumption.
SRP Management Host IP Address: The IP address to which the device sends Statistics Reporting Protocol (SRP) data. SRP is a private Radware protocol for efficient transmission of statistical data from the device to the APSolute Vision server. Enter the APSolute Vision server IP address.
To configure dynamic protocols
1. In the Configuration perspective Advanced Parameters tab navigation pane, select Dynamic Protocols.
2. Configure the parameters; and then, click (Submit) to submit the changes.
Table 21: Dynamic Protocol Parameters
Enable FTP...
Configuring Tuning Parameters
You can adjust the tuning parameters to use memory resources more efficiently.
Caution: Radware strongly recommends that you perform any device tuning only after consulting with Radware Technical Support.
This section contains the following: •...
(Submit) to submit the changes. You can reboot immediately or at a later time. Changes do not take effect until after the reboot.
Note: Radware recommends performing a memory check before rebooting the device.
Table 22: Device Tuning Parameters
IP Fragmentation Table: The maximum number of IP fragments that the device stores.
SIP Call Table: The maximum number of SIP calls the device can track. Values: 16–256,000 Default: 1024
TCP Segmentation Table: The maximum number of TCP segments. This parameter is used when SIP Protocol is enabled and SIP is running over TCP.
Table 23: Security Tuning Parameters
Max. Number of DNS Policies: The maximum number of configurable DNS Flood Protection policies. Values: 1–100 Default: 10
Max. Number of Anti-Scanning IP Pairs: The maximum number of source IP addresses that the device stores for anti-scanning purposes.
Max. Number of Entries in Counters Report Tracking Signatures: The maximum number of entries for reports on active concurrent attacks. Values: 100–64,000 Default: 20,000
Max. Number of Entries in Counters Server Cracking: The maximum number of entries for concurrent active Server Cracking protections.
Max. Number of Source IPs in Suspend Table: The maximum number of hosts that the Suspend Table can block simultaneously. This value affects the capabilities of other defenses, such as anti-scanning, server cracking, and SYN protection.
Table 24: SYN Protection Tuning Parameters
SYN Protection Signature Detection Entries: The number of entries in the table that stores active triggers—that is, the destination IPs/ports from which the device identifies an ongoing attack.
(Submit) to submit the changes. You can reboot immediately or at a later time. Changes do not take effect until after the reboot.
Note: Radware recommends performing a memory check before rebooting the device.
Table 26: Classifier Tuning Parameters
Max....
(Submit) to submit the changes. You can reboot immediately or at a later time. Changes do not take effect until after the reboot.
Note: Radware recommends performing a memory check before rebooting the device.
Table 27: BWM Tuning Parameters
Policy Table: The number of policy entries in the table.
BW per Traffic Flow / Sessions Tracking: The number of traffic flows for which the device can provide bandwidth or limit the number of sessions. Values: 16–400,000 Default: 2048
Destination Table: Displays the number of destination address entries in the table.
Table 29: Security Reporting Parameters
Basic Parameters
Report Interval: The frequency, in seconds, at which the reports are sent through the reporting channels. Values: 1–65,535 Default: 5
Maximal Number of Alerts per Report: The maximum number of attack events that can appear in each report (sent within the reporting interval).
Packet Reporting and Packet Trace
Enable Packet Reporting: Specifies whether the DefensePro device sends sampled attack packets along with the attack event. Default: Enabled
Maximum Packets per Report: The maximum number of packets that the device can send within the Report Interval.
Agent IP Address: The IP address of the netForensics agent.
L4 Port: The port used for netForensics reporting. Values: 1–65,535 Default: 555
Data Reporting Destinations
Destination IP Address: The target addresses for data reporting.
Table 30: Out of Path Parameters
SSH User Name: The name of the SSH user.
SSH Password: The password of the SSH user.
Verify SSH Password: Verification of the password for the SSH user.
Router Interface for Receiving Traffic: The router interface that is being monitored, and traffic from it will be...
Full Layer 4—An entry exists in the Session Table for each source IP, source port, destination IP, and destination port combination of packets passing through the device. This is the default mode for the Session Table. Radware recommends that you always use this option.
•...
Table 31: Session Table Parameters
Session Table Full Action: The action that the device takes when the Session Table is at full capacity. Values:
• Allow new traffic—The device bypasses new sessions until the session table has room for new entries.
Table 32: Suspend Table Parameters
Minimal Aging Timeout: The time, in seconds, for which DefensePro suspends first-time offending source IP addresses. Default: 10
Maximal Aging Timeout: The maximal time, in seconds, for which DefensePro suspends a specific source.
Table 33: Scheduled Event Parameters
Task Name: The name of the schedule.
Frequency: How often the event occurs. Values: daily, once, weekly Default: once
Time: The time on the designated day in the format HHMM. When multiple days are selected, the value is the same for all the configured days.
The default Radware user is configured in SNMPv1. Note: When you add a Radware device to APSolute Vision using SNMPv3, the user name and authentication details must match one of the users configured on the device. The following topics describe the procedures to configure SNMP on a selected device: •...
DefensePro User Guide Basic Device Configuration Table 34: SNMP User Parameters Parameter Description User Name The user name, also known as a security name. The name can be up to 18 characters. Authentication Protocol Protocol used during authentication process. Values: •...
DefensePro User Guide Basic Device Configuration Table 35: SNMP Community Parameters Parameter Description Index A descriptive name for this entry. This name cannot be modified after creation. Default: public Community Name The community string. Default: public Security Name The security name identifies the SNMP community used when the notification is generated.
DefensePro User Guide Basic Device Configuration Table 36: SNMP Group Parameters Parameter Description Group Name The name of the SNMP group. Security Model The SNMP version that represents the required security model. Security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions.
Table 37: SNMP Access Parameters Parameter Description Security Level The security level required for access. Values: • No Authentication—Neither authentication nor privacy is required. • Authentication & No Privacy—Authentication is required, but privacy (encryption of the SNMP payload) is not. •...
DefensePro User Guide Basic Device Configuration Configuring SNMP View Settings You can define subsets of the MIB tree for use in the Access Table. Different entries may have the same name. The union of all entries with the same name defines the subset of the MIB tree and can be referenced in the Access Table through its name.
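The view and access tables above follow the SNMP VACM model: a view name groups several subtree entries whose union is the visible part of the MIB, and an access row pairs a view with a minimum security level. The following added example (not Radware code) implements that evaluation with the RFC 3415 view-family rules (subtree, per-sub-identifier mask, included/excluded, most specific entry wins); how exactly DefensePro evaluates overlapping entries is not stated on the page, so that rule is an assumption, as are the view names and OIDs.

```python
"""VACM-style MIB view matching (RFC 3415 semantics assumed).

Added example, not Radware code. The page says that several view entries may
share a name and that their union defines the MIB subset referenced by the
Access Table; this model implements that union as RFC 3415 view families
(subtree + mask + included/excluded). View names and OIDs are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

OID = Tuple[int, ...]

# Security levels in increasing strength, as listed in the SNMP Access table.
SECURITY_LEVELS = ("noAuthNoPriv", "authNoPriv", "authPriv")


def parse_oid(text: str) -> OID:
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass(frozen=True)
class ViewFamily:
    view_name: str
    subtree: OID
    mask: Tuple[int, ...] = ()   # one bit per sub-identifier; missing bits count as 1
    included: bool = True

    def covers(self, oid: OID) -> bool:
        """True if oid lies under this family's subtree, honouring the mask.
        A 0 mask bit turns that sub-identifier into a wildcard."""
        if len(oid) < len(self.subtree):
            return False
        for i, sub in enumerate(self.subtree):
            bit = self.mask[i] if i < len(self.mask) else 1
            if bit and oid[i] != sub:
                return False
        return True


def oid_in_view(families: Iterable[ViewFamily], view_name: str, oid: OID) -> bool:
    """Union of all families with this name; the most specific matching family
    (longest subtree, then lexicographically greatest) decides included or
    excluded. No matching family means the OID is not in the view."""
    best: Optional[ViewFamily] = None
    for fam in families:
        if fam.view_name != view_name or not fam.covers(oid):
            continue
        if best is None or (len(fam.subtree), fam.subtree) > (len(best.subtree), best.subtree):
            best = fam
    return best is not None and best.included


def access_allowed(required_level: str, offered_level: str) -> bool:
    """An Access Table row with a required security level admits a request at
    that level or any stronger level."""
    return SECURITY_LEVELS.index(offered_level) >= SECURITY_LEVELS.index(required_level)


# Constructed views: all of mib-2 except the ip group; and the interfaces
# table rows for ifIndex 3 only (the mask wildcards the column sub-identifier).
VIEWS = [
    ViewFamily("readview", parse_oid("1.3.6.1.2.1")),
    ViewFamily("readview", parse_oid("1.3.6.1.2.1.4"), included=False),
    ViewFamily("ifview", parse_oid("1.3.6.1.2.1.2.2.1.0.3"),
               mask=(1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1)),
]
```

The practical check this enables: before handing a monitoring system an SNMPv3 user, evaluate the OIDs it polls against the view bound to its group and confirm that write-capable subtrees are excluded.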
Table 40: SNMP Target Parameters Parameter Description Name Name of the target parameters entry. Message Processing Model Specifies which version of SNMP to use when generating SNMP notifications. Values: SNMPv1, SNMPv2c, SNMPv3 Default: SNMPv1 Security Model Select the SNMP version that represents the required Security Model.
Table 41: SNMP Target Address Parameters Parameter Description Name Name of the target address entry. IP Address and L4 Port [IP-port number] The IP address of the management station (APSolute Vision server) and the Layer 4 port to be used as the target of SNMP traps (SNMP notifications are normally carried over UDP, port 162 by default). The format of the values is , where must be...
Table 42: Device User Parameters Parameter Description Minimal Severity for Sending Traps The minimum severity level of traps sent to this user. Values: • None—The user receives no traps. • Info—The user receives traps with severity Info or higher. •...
DefensePro User Guide Basic Device Configuration Table 43: Port Permission Parameters Parameter Description Port (Read-only) The name of the physical port. SNMP Access When selected, allows access to the port using SNMP. Telnet Access When selected, allows access to the port using Telnet. SSH Access When selected, allows access to the port using SSH.
Chapter 4 – Device Network Configuration You can perform the following networking configuration tasks for managed devices: • Configuring Device IP Interfaces, page 103 • Managing IP Routing, page 104 • Configuring Ports, page 107 • Configuring the Basic Network Parameters—IP Version Mode and IP Fragmentation, page 112 •...
DefensePro User Guide Device Network Configuration Table 44: IP Interface Parameters Parameter Description VLAN Tag The VLAN tag to be associated with this IP Interface. When multiple VLANs are associated with the same switch port, the switch must identify to which VLAN to direct incoming traffic from that specific port.
Parameter Description Enable Proxy ARP When enabled, the device answers ARP queries for a network address that is not configured on the receiving interface. Proxying ARP requests on behalf of another host effectively directs all LAN traffic destined for that host to the proxying host, so enable it only on segments where the device is meant to sit in the path of that traffic.
DefensePro User Guide Device Network Configuration Table 45: ICMP Interface Settings Parameter Description Maximum The maximum time, in seconds, between multicast Router Advertisements from the interface. Values: minimum specified interval–1800 Lifetime The maximum time, in seconds, that the advertised addresses are considered valid.
DefensePro User Guide Device Network Configuration Table 46: ARP Parameters Parameter Description MAC Address The station’s MAC address. Type Entry type. Values: • Other—Not Dynamic or Static. • Invalid—Invalidates ARP entry and effectively deletes it. • Dynamic—Entry is learned from ARP protocol. If the entry is not active for a predetermined time, the node is deleted from the table.
The algorithm for assigning frames to a conversation depends on the application environment. Radware devices can define conversations on Layer 2, 3, or 4 information, or on combined layers.
DefensePro User Guide Device Network Configuration Using link aggregation, depending on the platform, you can define up to seven trunks. Up to eight physical links can be aggregated into one trunk. In DefensePro, all trunk configurations are static. To provide optimal distribution for different scenarios, the load sharing algorithm allows decisions based on source or destination (or both) Layer 2 address (MAC), Layer 3 address (IP), and Layer 4 address (TCP/UDP port numbers).
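The paragraphs above describe static trunks of up to eight links and a load-sharing hash over Layer 2, 3 and/or 4 fields that keeps every conversation on one link. The following added example (not Radware code) shows that selection in a form you can reason about: the chosen fields are hashed, the result is reduced modulo the link count, and an optional symmetric mode keeps both directions of a flow on the same link. The hash function, field names, symmetric option and sample addresses are assumptions of the example.

```python
"""Static trunk load-sharing: assign each frame to one of up to 8 links.

Added example, not Radware code. The page says the hash may use source
and/or destination MAC, IP and TCP/UDP port, and that a conversation must
always land on the same link; the SHA-256-based hash, the field names, the
symmetric option and the sample flows are assumptions of this model.
"""
import hashlib
from typing import Dict, Sequence

MAX_LINKS_PER_TRUNK = 8   # page: up to eight physical links per trunk

L2_FIELDS = ("src_mac", "dst_mac")
L3_FIELDS = ("src_ip", "dst_ip")
L4_FIELDS = ("src_port", "dst_port")


def conversation_key(frame: Dict[str, object], fields: Sequence[str], symmetric: bool) -> bytes:
    """Build the hash input from the selected header fields.
    With symmetric=True each (src, dst) pair is sorted so both directions of a
    flow share a link, which keeps a stateful inspection path consistent."""
    parts = []
    for src, dst in (L2_FIELDS, L3_FIELDS, L4_FIELDS):
        pair = [str(frame.get(src, "")) if src in fields else "",
                str(frame.get(dst, "")) if dst in fields else ""]
        if symmetric:
            pair.sort()
        parts.extend(pair)
    return "|".join(parts).encode()


def select_link(frame: Dict[str, object], n_links: int,
                fields: Sequence[str] = L2_FIELDS + L3_FIELDS + L4_FIELDS,
                symmetric: bool = False) -> int:
    """Return the zero-based link index inside the trunk for this frame."""
    if not 1 <= n_links <= MAX_LINKS_PER_TRUNK:
        raise ValueError(f"n_links must be 1..{MAX_LINKS_PER_TRUNK}")
    digest = hashlib.sha256(conversation_key(frame, fields, symmetric)).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def distribution(flows, n_links: int, **kw) -> Dict[int, int]:
    """Count how many flows land on each link, to check the balance."""
    counts = {i: 0 for i in range(n_links)}
    for f in flows:
        counts[select_link(f, n_links, **kw)] += 1
    return counts


# Constructed flows using documentation addresses.
FLOW = {"src_mac": "00:11:22:33:44:55", "dst_mac": "66:77:88:99:aa:bb",
        "src_ip": "192.0.2.10", "dst_ip": "198.51.100.20",
        "src_port": 40001, "dst_port": 443}
REVERSE = {"src_mac": FLOW["dst_mac"], "dst_mac": FLOW["src_mac"],
           "src_ip": FLOW["dst_ip"], "dst_ip": FLOW["src_ip"],
           "src_port": FLOW["dst_port"], "dst_port": FLOW["src_port"]}
```

Choosing only Layer 2 or Layer 3 fields concentrates every flow between the same two hosts on one link; including Layer 4 ports spreads them, at the cost that a fragmented datagram (no ports in the trailing fragments) may hash differently from its first fragment.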
DefensePro device) to a dedicated sniffer port. This allows collecting packet data during an attack and sending the data to Radware's Security Operation Center (SOC) to develop an attack signature. DefensePro also supports traffic-rate port mirroring: DefensePro devices can mirror traffic only while the device is under attack, that is, while the traffic rate exceeds a configured threshold.
DefensePro User Guide Device Network Configuration To configure port mirroring 1. In the Configuration perspective Networking tab navigation pane, select Port Configuration > Port Mirroring. 2. Do one of the following: — To add a pair of ports to mirror traffic, click the (Add) button.
DefensePro User Guide Device Network Configuration Table 51: Port Mirroring Advanced Parameters Parameter Description Traffic Threshold Units The units in which the threshold is measured. Values: • PPS—Packets per second • Kbps—Kilobits per second Threshold Interval How long, in seconds, mirroring continues after the traffic rate falls below the specified threshold.
DefensePro User Guide Device Network Configuration Configuring the Basic Networking Parameters To configure the Basic Networking parameters 1. In the Configuration perspective Networking tab navigation pane, select Basic. 2. Configure the parameters; and then, click (Submit) to submit the changes. Table 52: Basic Networking Parameters Parameter Description...
DefensePro User Guide Device Network Configuration Table 52: Basic Networking Parameters Parameter Description IP Fragmentation Enable IP Fragmentation When selected, enables IP fragmentation. Default: Enabled Queuing Limit The percentage of IP packets the device allocates for out-of-sequence fragmented IP datagrams. Values: 0–100 Default: 25 Aging Time...
DefensePro User Guide Device Network Configuration Table 53: Port Pair Parameters Parameter Description Port Pairs Source Port The user-defined source port for received traffic. Destination Port The user-defined destination port for transmitted traffic. Operation The operation mode assigned to a pair of ports. Values: •...
Chapter 5 – Security Configuration A security policy in an organization is a set of rules and regulations that defines what constitutes a secure network and how it reacts to security violations. You implement a security policy for your organization by using the global security settings, network-protection policy, and server-protection policy.
• Scanning and worm-propagation protection—Provides zero-day protection against self-propagating worms, horizontal and vertical TCP and UDP scanning, and ping sweeps. • Connection limit—Protects against session-based attacks, such as half-open SYN attacks, request attacks, and connection attacks. •...
• Managing Global Packet Anomaly Protection, page 134 Configuring Global Signature Protection Signature Protection is enabled by default for all models that support it. Note: Signature protection (IPS) is not available in DefensePro x412-BP models. To configure Signature Protection 1.
DoS Shield protection uses signatures from the Radware Signatures database. This database is continuously updated and protects against the known flood attacks and attack tools that it covers. Radware Signature profiles include all DoS Shield signatures as part of the signature database, and the Radware predefined profiles already include DoS Shield protection. To create a profile that includes DoS Shield protection, configure a profile with the Threat Type attribute set to Floods.
DefensePro User Guide Security Configuration Table 55: DoS Shield Parameters Parameter Description Enable DoS Shield Specifies whether the DoS Shield feature is enabled. Note: If the protection is disabled, enable it before configuring the protection profiles. Sampling Time How often, in seconds, DoS Shield compares the predefined thresholds for each dormant attack to the current value of packet counters matching the attack.
The BDoS module screens all traffic at low traffic rates (below 100K PPS) and only a portion of the traffic at higher rates (above 100K PPS). Default: Enabled Note: For best performance, Radware recommends that the parameter be Enabled. Document ID: RDWR-DP-V0602_UG1201...
DefensePro User Guide Security Configuration Table 56: BDoS Protection Global Parameters Parameter Description Footprint Strictness When DefensePro detects a new attack, the Behavioral DoS module generates an attack footprint to block the attack traffic. If DefensePro is unable to generate a footprint that meets the footprint-strictness condition, the device issues a notification for the attack but does not block it.
Table 56: BDoS Protection Global Parameters Parameter Description Duration of Non-attack Traffic in Anomaly or Non-Strictness State The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Anomaly state or the Non-strictness state.
DefensePro User Guide Security Configuration Table 58: BDoS Footprint Bypass Parameters Parameter Description Bypass Status The bypass option. Values: • Bypass—The Behavioral DoS module bypasses all possible values of the selected Bypass Field when generating a footprint. • Accept—The Behavioral DoS module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.
DefensePro User Guide Security Configuration To configure early blocking for BDoS 1. In the Configuration perspective Security Settings tab navigation pane, select BDoS Protection > Early Blocking. 2. To modify a protection type for early blocking, double-click the row. 3. Configure the parameters; and then, click OK. Table 59: Early Blocking Parameters Parameter Description...
The blocking duration is calculated as the time between scanning events multiplied by the Attack Trigger value. Radware recommends using this option only in exceptional circumstances, when one scan attempt in 20 minutes is considered a security threat.
Table 61: Global Anti-Scanning Settings Parameter Description Enable High Port Response Specifies whether the Anti-Scanning Protection emphasizes inspecting scans aimed at ports greater than 1024 (that is, ports that are usually unassigned). Values: • Enabled—The Anti-Scanning Protection emphasizes inspecting scans aimed at ports greater than 1024.
DefensePro User Guide Security Configuration Table 62: SYN Flood Protection Settings Parameters Parameter Description Basic Parameters Enable SYN Flood Protection Specifies whether SYN Flood Protection is enabled on the device. Default: Enabled Note: Changing the setting of this parameter requires a reboot to take effect.
DefensePro User Guide Security Configuration Parameter Description Startup Mode The behavior of the device after startup. Out-of-State Protection cannot be applied to existing traffic; therefore, the device can either drop existing traffic and apply Out-of-State Protection to all new traffic, or suspend Out-of-State Protection for a period of time, which is used to learn traffic and sessions.
DefensePro User Guide Security Configuration Configuring Global HTTP Flood Protection The HTTP Mitigator detects and mitigates HTTP request flood attacks to protect Web servers. The HTTP Mitigator collects and builds a statistical model of the protected server traffic, and then, using fuzzy logic inference systems and statistical thresholds, detects traffic anomalies and identifies the malicious sources.
Configuring Global SIP Cracking Protection SIP Cracking protection, which provides VoIP protection similar to the FTP, POP3, and other server-cracking protections, is designed to detect and mitigate the following types of threats: • Brute-force and dictionary attacks—On SIP registrar and proxy servers. •...
DefensePro User Guide Security Configuration Table 65: SIP Cracking Parameters Parameter Description Tracking Type The data that the SIP Cracking feature monitors. Values: SIP-URI, Source IP, Both Application Code for Reset The SIP error code that is sent back to the source IP address. Values: •...
DefensePro User Guide Security Configuration To configure fraud protection 1. In the Configuration perspective Security Settings tab navigation pane, select Fraud Protection. 2. Configure the parameters; and then, click (Submit) to submit the changes. Table 66: Fraud Protection Parameters Parameter Description General Settings Enable Fraud Protection...
Table 67: Packet Anomaly Protection Parameters Parameter Description ID (Read-only) The ID number for the anomaly protection. The ID is a Radware ID that appears in the trap sent to the APSolute Vision Security logs. Protection Name (Read-only) The name of the packet-anomaly protection.
DefensePro User Guide Security Configuration Table 67: Packet Anomaly Protection Parameters Parameter Description Action The action that the device takes when the packet anomaly is detected. The action is only for the specified anomaly. Values: • Drop—The device discards the anomalous packets. •...
Table 68: Default Configuration of Packet Anomaly Types Anomaly Type Description Inconsistent IPv6 Headers Inconsistent IPv6 headers. ID: 107 Default Action: Drop Default Risk: Info Note: All DefensePro platforms support this anomaly type. IPv6 Hop Limit Reached The IPv6 hop limit is not greater than 1 (the packet cannot be forwarded further). ID: 108 Default Action: Report
Table 68: Default Configuration of Packet Anomaly Types Anomaly Type Description Source Address same as Dest. Address (Land Attack) The source IP address and the destination IP address in the packet header are the same. This is referred to as a LAND, Land, or LanD attack.
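Table 68 lists the anomaly types by name, ID and default action but not what the check looks like on the wire. The following added example (not Radware code) parses the fixed IPv4 and IPv6 headers and flags the LAND condition and the IPv6 hop-limit condition from the table; it also reports a frame that is too short for the IPv6 header or payload length it claims as "Inconsistent IPv6 Headers", which is this example's reading of that anomaly, not a definition from the page. Packets are constructed with documentation addresses.

```python
"""Packet-anomaly checks for three of the types in Table 68.

Added example, not Radware code. It parses the fixed IPv4/IPv6 headers with
struct and flags: LAND (source address equals destination address), "IPv6
Hop Limit Reached" (hop limit not greater than 1, ID 108) and, as this
example's interpretation, "Inconsistent IPv6 Headers" (ID 107) when the
frame is shorter than the header or the payload length it announces.
"""
import ipaddress
import struct
from typing import List

LAND = "Source Address same as Dest. Address (Land Attack)"
IPV6_HOP_LIMIT = "IPv6 Hop Limit Reached"          # ID 108, default Report
IPV6_INCONSISTENT = "Inconsistent IPv6 Headers"    # ID 107, default Drop

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20 bytes, no options
IPV6_HDR = struct.Struct("!IHBB16s16s")     # 40 bytes


def build_ipv4(src: str, dst: str, ttl: int = 64, proto: int = 6, payload: bytes = b"") -> bytes:
    """Constructed IPv4 packet: version 4, IHL 5, DF set, checksum left zero."""
    hdr = IPV4_HDR.pack(0x45, 0, IPV4_HDR.size + len(payload), 0, 0x4000, ttl, proto, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src: str, dst: str, hop_limit: int = 64, next_hdr: int = 6, payload: bytes = b"") -> bytes:
    """Constructed IPv6 packet: version 6, zero traffic class and flow label."""
    hdr = IPV6_HDR.pack(0x60000000, len(payload), next_hdr, hop_limit,
                        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def detect_anomalies(packet: bytes) -> List[str]:
    """Return the names of the anomaly types this packet triggers, in a fixed order."""
    found: List[str] = []
    if not packet:
        return found
    version = packet[0] >> 4
    if version == 4 and len(packet) >= IPV4_HDR.size:
        *_, src, dst = IPV4_HDR.unpack_from(packet)
        if src == dst:
            found.append(LAND)
    elif version == 6:
        if len(packet) < IPV6_HDR.size:
            found.append(IPV6_INCONSISTENT)
            return found
        _, payload_len, _, hop_limit, src, dst = IPV6_HDR.unpack_from(packet)
        if len(packet) < IPV6_HDR.size + payload_len:
            found.append(IPV6_INCONSISTENT)   # announced payload longer than the frame
        if hop_limit <= 1:
            found.append(IPV6_HOP_LIMIT)
        if src == dst:
            found.append(LAND)
    return found
```

Run the checks on traffic captured from the sniffer port to confirm which of the table's defaults (Drop versus Report) you actually want before changing the per-anomaly Action.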
DefensePro User Guide Security Configuration To enable DNS Flood Protection and configure global settings 1. In the Configuration perspective Security Settings tab navigation pane, select DNS Flood Protection. 2. Configure the parameters; and then, click (Submit) to submit the changes. Table 69: DNS Flood Protection Global Parameters Parameter Description...
DefensePro User Guide Security Configuration Table 69: DNS Flood Protection Global Parameters Parameter Description Mitigation Actions When the protection is enabled and the device detects that a DNS-flood attack has started, the device implements the Mitigation Actions in escalating order—in the order that they appear in the group box.
Table 69: DNS Flood Protection Global Parameters Parameter Description Duration of Non-attack Traffic in Anomaly or Non-Strictness State The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Anomaly state or the Non-strictness state.
Table 71: DNS Footprint Bypass Parameters Parameter Description Footprint Bypass Controller (Read-only) The selected DNS query type for which you are configuring footprint bypass. Bypass Field (Read-only) The selected Bypass Field to configure. Bypass Status The bypass option.
DefensePro User Guide Security Configuration The thresholds that you can configure for the protection to change from the Analysis state to the Blocking state are Packet-header fields or Packet-header-field values: • The Packet-header fields threshold is the anomalously distributed packet-header fields that the DefensePro device must detect to generate a footprint and start early blocking prior to the default 10 seconds.
Selecting Packet Header Fields for Early Blocking of DNS Traffic You can select the specific packet header fields to be included in the set of packet header fields that the DefensePro device must detect to generate a footprint and start early blocking. To select packet header fields for early blocking 1.
DefensePro User Guide Security Configuration Table 75: Denial of Service Protections Protection Description SYN Protection Prevents SYN flood attacks using SYN cookies. Connection PPS Limit Protects against DoS attacks that use a high PPS rate in a certain connection. DoS Shield Protects against known flood attacks and flood attack tools that cause a denial of service effect.
DefensePro User Guide Security Configuration 3. Configure the network-protection rule parameters; and then, click OK. 4. To activate your configuration changes on the device, click Activate Latest Changes. Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 246.
DefensePro User Guide Security Configuration Parameter Description MPLS RD Group The MPLS route distinguisher (RD) class that the rule uses. The device dynamically associates the MPLS tag value with configured MPLS RD values installed between P and PE routers in the provider’s MPLS backbone.
Parameter Description Web Quarantine (This parameter is available only in devices ...) Specifies whether the device quarantines all outbound Web traffic from internal hosts in the destination segment in the network policy after matching a signature configured with the Web-quarantine option enabled (Network Protection tab >...
Policies configured with Source = Any and Destination = Any inspect only In-Outbound attacks. Radware provides you with a set of predefined signature profiles for field installation, such as Corporate Gateway, DMZ and LAN protections, Carrier links protections, and so on. Radware profiles are continuously updated along with the weekly signature database maintained by the Radware SOC.
Table 77: Implications of Policy Directions
Policy Direction (From/To) | Packet Direction | Signature Direction: Inbound | Signature Direction: Outbound | Signature Direction: Inbound or Outbound
One way | Ex to in | Inspect | Ignore | Inspect
One way | In to ex | Ignore | Inspect | Ignore
Two way | Ex to in | ... (the remaining rows are truncated on the page)
3. To add a rule: a. In the rules table, right-click and select Add New Signature Profile. b. Enter a profile name, and select an attribute and its value. Click OK. The new rule is displayed in the rules table. You can now add more attributes to the rule, and add more values to existing rule attributes.
DefensePro User Guide Security Configuration The Signatures table provides you with filters that allow viewing Radware and user-defined signatures. You can define filtering criteria, so that all signatures that match the criteria are displayed in the Signatures table. You can also add user-defined signatures.
DefensePro User Guide Security Configuration Table 79: Signature Parameters Parameter Description Signature Name The name of the signature, up to 29 characters. Signature ID (Read-only) The ID assigned to the signature by the system. Enabled Specifies whether the signature can be used in protection profiles. Tracking Time The time, in milliseconds, for measuring the Active Threshold.
Table 79: Signature Parameters Parameter Description Suspend Action Specifies which session traffic the device suspends for the duration of the attack. Values: • None—The suspend action is disabled for this attack. • Source IP—All traffic from the IP address identified as the source of this attack is suspended.
Table 79: Signature Parameters Parameter Description Exclude Destination IP Address The destination IP address or network whose packets the device does not inspect. Default: None Packet Trace Specifies whether the DefensePro device sends attack packets to the specified physical port.
Parameter Description Protocol The protocol used. Values: ICMP, ICMPv6, Non IP, ... (the remaining values are truncated on the page) Default: IP Source Application Port For UDP and TCP traffic only. Select from the list of predefined Application Port Groups. Destination Application For UDP and TCP traffic only.
DefensePro User Guide Security Configuration Parameter Description OMPC Parameters Offset Mask Pattern Condition (OMPC) parameters are a set of attack parameters that define rules for pattern lookups. The OMPC rules look for a fixed size pattern of up to four bytes that uses fixed offset masking.
DefensePro User Guide Security Configuration Parameter Description OMPC Mask The mask for the OMPC data. Values: A combination of hexadecimal numbers (0–9, a–f). The value is defined by the OMPC Length parameter. The OMPC Mask definition contains eight symbols. When the OMPC Length value is less than four bytes, complete it with zeros.
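The OMPC parameters above (offset, a pattern of up to four bytes, an 8-hex-digit mask padded with zeros when the length is under four bytes, and a condition) describe a fixed-offset masked compare. The following added example (not Radware code) implements that lookup over raw packet bytes so that a rule can be tested against a captured packet before it is entered into a signature. The condition names, the decision to compare the masked bytes as unsigned big-endian integers, and the sample packet are assumptions of the example.

```python
"""Offset Mask Pattern Condition (OMPC) lookup over raw packet bytes.

Added example, not Radware code. It follows the parameters the page lists
(offset, length of up to four bytes, an 8-hex-digit mask padded with zeros
when the length is under four bytes, a pattern and a condition); the
condition names and the choice to compare the masked bytes as unsigned
big-endian integers are assumptions. The packet is constructed here.
"""
import operator
from typing import Callable, Dict

CONDITIONS: Dict[str, Callable[[int, int], bool]] = {
    "Equal": operator.eq,
    "Not Equal": operator.ne,
    "Greater Than": operator.gt,
    "Less Than": operator.lt,
}


def _hex8(value: str, name: str) -> bytes:
    if len(value) != 8 or any(c not in "0123456789abcdefABCDEF" for c in value):
        raise ValueError(f"{name} must be 8 hexadecimal digits")
    return bytes.fromhex(value)


def ompc_match(packet: bytes, offset: int, length: int, mask: str, pattern: str,
               condition: str = "Equal") -> bool:
    """Apply one OMPC rule: take `length` bytes at `offset`, AND them with the
    mask and compare with the (equally masked) pattern under `condition`.
    A rule whose window runs past the end of the packet does not match."""
    if not 1 <= length <= 4:
        raise ValueError("OMPC length is 1-4 bytes")
    if condition not in CONDITIONS:
        raise ValueError(f"unknown condition {condition!r}")
    window = packet[offset:offset + length]
    if len(window) < length:
        return False
    mask_b = _hex8(mask, "mask")[:length]        # only the first `length` bytes count
    pat_b = _hex8(pattern, "pattern")[:length]
    masked = int.from_bytes(bytes(w & m for w, m in zip(window, mask_b)), "big")
    wanted = int.from_bytes(bytes(p & m for p, m in zip(pat_b, mask_b)), "big")
    return CONDITIONS[condition](masked, wanted)


def ipv4_tcp_packet(flags: int, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header + 20-byte TCP header (no options)."""
    ip = bytes([0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, ttl, 0x06, 0x00, 0x00,
                192, 0, 2, 10, 198, 51, 100, 20])
    tcp = bytes([0x9c, 0x41, 0x00, 0x50,                 # ports 40001 -> 80
                 0, 0, 0, 1, 0, 0, 0, 0,                 # seq 1, ack 0
                 0x50, flags, 0xff, 0xff, 0, 0, 0, 0])   # data offset 5, flags, window
    return ip + tcp


# Two rules phrased as OMPC parameters. In the packet above the TCP flags byte
# sits at offset 33 (20-byte IP header + 13) and the IP TTL at offset 8.
SYN_FIN_RULE = dict(offset=33, length=1, mask="03000000", pattern="03000000", condition="Equal")
LOW_TTL_RULE = dict(offset=8, length=1, mask="ff000000", pattern="05000000", condition="Less Than")
```

Note that a fixed offset only holds while the header layout is fixed: an IPv4 header with options shifts every TCP field, which is why such rules are usually anchored relative to the transport header on a real device and why a rule should be validated against packets with and without options.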
Parameter Description Content Data Encoding Application Security can search for data in languages other than English, for case-sensitive or case-insensitive data, and for hexadecimal strings. Values: • Not Applicable • Case Insensitive • Case Sensitive •...
Each signature is assigned attributes of different types. The Radware Security Operation Center (SOC) assigns the attributes when it creates the signature, as a way of describing the signature by attribute type.
DefensePro User Guide Security Configuration Attributes are derived from the Signatures database and are added dynamically with any update. For information about attribute types and their system values, see Table 81 - Content Types, page 161. To configure Signature Protection attributes 1.
Attribute Type Description Risk The attack's severity. For example, attacks that impact the network are very severe and are defined as high-risk attacks. The parameter is mandatory. There can be only a single value for the parameter. Values: Info, Low, Medium, High Services The protocol that is vulnerable to this exploit.
DefensePro User Guide Security Configuration To change the Match Method for Complexity, Confidence, and Risk attribute types 1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Attributes > Attribute Type Properties. 2. Double-click the attribute type. 3.
DefensePro User Guide Security Configuration Table 83: Quarantine Action Parameters Parameter Description Network Protection Policy The name of the Network Protection Rule. Action The action that the device takes on outbound Web traffic from the quarantined internal hosts. Values: • Quarantine Warning—The device returns the default message or the specified, Custom HTML Page.
Table 83: Quarantine Action Parameters Parameter Description Aging (Hours) The number of hours that the device quarantines all Web traffic from the internal hosts in a protected network segment after matching a signature. Values: • 0–168—that is, up to one week.
DefensePro User Guide Security Configuration Table 84: Set Custom Page Parameters Parameter Description Policy Name (Read-only) The name of the Network Protection Rule. Export From The source type of the custom code for the quarantine-warning page. Values: • File • Text Default: File File Name...
DefensePro User Guide Security Configuration Configuring Quarantined Sources To configure quarantined sources 1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Web Quarantine > Quarantined Sources. 2. Do one of the following: — To add an entry, click the (Add) button.
DefensePro User Guide Security Configuration Configuring BDoS Profiles for Network Protection When you configure Behavioral DoS profiles, you need to configure the bandwidth and quota settings. Setting the bandwidth and quota values properly and accurately is important, because initial baselines and attack detection sensitivity are based on these values. Recommended settings for policies that include Behavioral DoS profiles are as follows: •...
Quota Settings Radware recommends that you initially leave these fields empty so that the default values will automatically be used. To view default values after creating the profile, double-click the entry in the table. You can then adjust quota values based on your network performance.
Table 87: BDoS Profile Parameters Parameter Description Advanced Parameters Level Of Regularization The packet-rate detection sensitivity—that is, to what extent the BDoS engine considers the PPS-rate values (baseline and current). This parameter is relevant only for BDoS UDP protection. Values: •...
Anti-Scanning profiles defend against the following threats: • TCP Horizontal Scanning • TCP Vertical Scanning • TCP stealth scans • UDP Horizontal Scanning • UDP Vertical Scanning • Ping Sweep Note: In some cases, you may find that network elements (for example, monitoring or inventory systems) legitimately perform scanning as part of their normal operation.
DefensePro User Guide Security Configuration Table 88: Anti-Scanning Profile Parameters Parameter Description Rule Name The name of the new profile. Enable TCP Protection Protects against horizontal and vertical TCP scans, including worm propagation activity, over TCP. Enable UDP Protection Protects against horizontal and vertical UDP scans, including worm propagation activity, over UDP.
DefensePro User Guide Security Configuration Configuring Anti-Scanning Trusted Ports You can configure a list of Layer 4 ports on which scanning is allowed. That is, when Anti-Scanning is enabled, there is no blocking of scans that target these ports. By default, DefensePro ignores port 113 activity.
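The threat list and the trusted-ports section above define what a scan is (one source reaching many hosts on one port, or many ports on one host, or pinging many hosts) and that ports such as 113 are excluded from detection. The following added example (not Radware code) shows that detection logic over constructed connection attempts, with trusted ports never counting toward a scan. The distinct-target counting, the threshold of 10, the alert names and the event format are assumptions of the example; the device's actual thresholds are set in the profile parameters.

```python
"""Horizontal/vertical scan and ping-sweep detection with trusted ports.

Added example, not Radware code. The page names the threat classes and says
port 113 is ignored by default; the per-source distinct-target counting, the
threshold of 10 and the event format are assumptions. Events are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_TRUSTED_PORTS = frozenset({113})   # page: port 113 (ident) ignored by default


class ScanDetector:
    def __init__(self, threshold: int = 10, trusted_ports=DEFAULT_TRUSTED_PORTS):
        self.threshold = threshold
        self.trusted_ports = set(trusted_ports)
        # (src, proto, dport) -> destination hosts: horizontal scan
        self._horizontal: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
        # (src, proto, dst) -> destination ports: vertical scan
        self._vertical: Dict[Tuple[str, str, str], Set[int]] = defaultdict(set)
        # src -> hosts sent an ICMP echo: ping sweep
        self._sweep: Dict[str, Set[str]] = defaultdict(set)
        self.alerts: List[Tuple[str, str]] = []   # (alert name, source), fired once each

    def _fire(self, name: str, src: str) -> Optional[str]:
        key = (name, src)
        if key in self.alerts:
            return None
        self.alerts.append(key)
        return name

    def observe(self, src: str, dst: str, proto: str, dport: Optional[int] = None) -> Optional[str]:
        """Feed one connection attempt; return a newly raised alert name or None."""
        if proto == "ICMP":
            self._sweep[src].add(dst)
            if len(self._sweep[src]) >= self.threshold:
                return self._fire("Ping Sweep", src)
            return None
        if dport is None or dport in self.trusted_ports:
            return None                      # trusted ports never count toward a scan
        self._horizontal[(src, proto, dport)].add(dst)
        self._vertical[(src, proto, dst)].add(dport)
        if len(self._horizontal[(src, proto, dport)]) >= self.threshold:
            return self._fire(f"{proto} Horizontal Scanning", src)
        if len(self._vertical[(src, proto, dst)]) >= self.threshold:
            return self._fire(f"{proto} Vertical Scanning", src)
        return None


def replay(events, **detector_kw) -> List[str]:
    """Run a list of (src, dst, proto, dport) events; return alerts in order."""
    det = ScanDetector(**detector_kw)
    out = []
    for src, dst, proto, dport in events:
        alert = det.observe(src, dst, proto, dport)
        if alert:
            out.append(alert)
    return out
```

The trusted-port exclusion cuts both ways: a scanner that probes only trusted ports is invisible to this logic, so keep the list short and review it when a new "noisy but legitimate" service is added.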
DefensePro User Guide Security Configuration To configure a Connection Limit profile 1. In the Configuration perspective Network Protection tab navigation pane, select Connection Limit Profiles. 2. To add or modify a profile, do one of the following: — To add a profile, click the (Add) button.
DefensePro User Guide Security Configuration Configuring Connection Limit Protections Configure Connection Limit protections to add to Connection Limit profiles for network protection. To configure a Connection Limit protection 1. In the Configuration perspective Network Protection tab navigation pane, select Connection Limit Profiles >...
DefensePro User Guide Security Configuration Table 90: Connection Limit Protection Parameters Parameter Description Packet Report Enables logging a copy of the filtered packet. Default: Disabled Risk The risk assigned to this attack for reporting purposes. Values: High, Info, Low, Medium Default: Medium Suspend Action Specifies which session traffic the device suspends for the attack...
DefensePro User Guide Security Configuration Configuring SYN Profiles for Network Protection SYN Profiles defend against SYN flood attacks. During a SYN flood attack, the attacker sends a volume of TCP SYN packets requesting new TCP connections without completing the TCP handshake, or completing the TCP handshake, but not requesting data.
Note: Predefined SYN Protections are available for the most common applications: FTP, HTTP, HTTPS, IMAP, POP3, RPS, RTSP, SMTP, and Telnet. The thresholds are predefined by Radware. You can change the thresholds for these attacks. Protection ID (Read-only) The ID number assigned to the protection.
The risk level assigned to this attack for reporting purposes. Values: Info, Low, Medium, High Default: Low Source Type (Read-only) Specifies whether the SYN protection is a predefined (static) or user-defined (user) protection. Radware-Recommended Verification Type Values (table columns: Protocol, Destination Port, Verification Type; the rows, beginning with FTP_CNTL and HTTP, are truncated on the page)...
Table 93: SYN Flood Protection Profile Parameters Parameter Description Profile Name (Read-only) The name of the profile. Authentication Method The authentication method that the device uses at the Transport Layer. When the device is installed in an ingress-only topology, select the Safe-Reset method.
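Table 75 names SYN cookies as the mechanism behind SYN Protection, and the SYN profile parameters above select a Transport Layer authentication method. The following added example (not Radware code) shows the stateless handshake check a SYN-cookie verifier performs: the server's initial sequence number is a keyed function of the connection 4-tuple, the client's ISN and a coarse time counter, so the final ACK can be validated without any half-open state. The 32-bit cookie layout (5-bit time counter, 3-bit MSS index, 24-bit truncated HMAC-SHA256), the one-tick tolerance and the secret and addresses are assumptions of the example; it follows the classic Bernstein/Linux design in spirit, not bit for bit.

```python
"""SYN-cookie issue/verify, the stateless verification type the page names.

Added example, not Radware code. The cookie layout (5-bit time counter,
3-bit MSS index, 24-bit truncated HMAC-SHA256), the keyed function and the
1-tick tolerance are assumptions of this model. Secret and addresses are
constructed.
"""
import hmac
import ipaddress
import struct
from typing import Optional

SECRET = b"constructed-demo-secret-rotate-me"   # a real device rotates this key
MSS_TABLE = (536, 1220, 1440, 1460)            # index stored in the cookie's 3 MSS bits
MASK32 = 0xFFFFFFFF


def _mac24(src_ip: str, sport: int, dst_ip: str, dport: int, client_isn: int, t: int) -> int:
    """24-bit truncated HMAC over the 4-tuple, the client ISN and the full time counter."""
    msg = struct.pack("!4sH4sHII", ipaddress.IPv4Address(src_ip).packed, sport,
                      ipaddress.IPv4Address(dst_ip).packed, dport, client_isn, t & MASK32)
    return int.from_bytes(hmac.new(SECRET, msg, "sha256").digest()[:3], "big")


def issue_cookie(src_ip: str, sport: int, dst_ip: str, dport: int,
                 client_isn: int, mss: int, t: int) -> int:
    """Server ISN for the SYN-ACK; no per-connection state is stored.
    t is a coarse time counter (e.g. minutes); only its low 5 bits travel in
    the cookie, but the MAC binds the full value."""
    mss_index = 0
    for i, candidate in enumerate(MSS_TABLE):
        if candidate <= mss:
            mss_index = i                     # largest table entry not above the offered MSS
    return (((t & 0x1F) << 27) | (mss_index << 24)
            | _mac24(src_ip, sport, dst_ip, dport, client_isn & MASK32, t)) & MASK32


def verify_ack(src_ip: str, sport: int, dst_ip: str, dport: int,
               seq: int, ack: int, now_t: int) -> Optional[int]:
    """Validate the final ACK of the handshake. Returns the MSS to use, or None.
    seq is client_isn+1 and ack is cookie+1, both mod 2^32."""
    cookie = (ack - 1) & MASK32
    client_isn = (seq - 1) & MASK32
    t_bits = cookie >> 27
    mss_index = (cookie >> 24) & 0x7
    if mss_index >= len(MSS_TABLE):
        return None
    for cand in (now_t, now_t - 1):           # accept the current and the previous tick
        if (cand & 0x1F) != t_bits:
            continue
        expected = _mac24(src_ip, sport, dst_ip, dport, client_isn, cand)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_index]
    return None
```

The price of statelessness is visible in the layout: TCP options other than MSS are lost, and the 24-bit MAC means an attacker who can send about 2^24 ACKs per tick against one 4-tuple can forge a connection, which is why the scheme is switched on only under attack and why the time window is kept short.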
DefensePro User Guide Security Configuration Safe-Reset method. To decrypt and re-encrypt the SSL packets during the challenge process, DefensePro uses the SSL engine of a specified Alteon device. DefensePro allows traffic from validated clients to pass through the DefensePro device to the protected server. The DefensePro SSL Mitigation mechanism works as follows: 1.
DefensePro User Guide Security Configuration Table 94: SSL Mitigation Policy Parameters Parameter Description Network Policy Name The name of the existing Network Protection Rule in the APSolute Vision server. State Specifies whether the policy is active. Values: active, inactive Default: active Configuring Connection PPS Limit Profiles for Network Protection Connection PPS Limit profiles defend against attacks that flood established TCP connections (not necessarily many connections) with a high PPS rate of legitimate or non-legitimate packets.
Table 95: Connection PPS Limit Profile Parameters Parameter Description Profile Name (Read-only) The name of the Connection PPS Limit profile. Connection PPS Limit Protection Table Lists the connection PPS limit protection name and ID for each protection to be applied for the selected profile.
Table 96: Connection PPS Limit Protection Parameters Parameter Description Tracking Type The entity on which the protection tracks the PPS rate. Value: Per Connection Activation Threshold The PPS rate on a single connection that activates the protection once it has been sustained for the specified Activation Period. Values: 1–max integer Default: 10,000 Drop Threshold...
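The Connection PPS Limit description above has three moving parts: a per-connection packet rate, an activation threshold that must be sustained for an activation period, and a drop threshold applied once the protection is active. The following added example (not Radware code) wires them together over one-second buckets and replays a synthetic per-second rate. The one-second bucket, the activation period of 3 consecutive seconds, the drop threshold value and the decision to drop only the packets above the drop threshold (rather than the whole connection) are assumptions; only the 10,000 PPS default and the per-connection tracking come from the table.

```python
"""Per-connection PPS limit with activation threshold/period and drop threshold.

Added example, not Radware code. Activation Threshold (page default 10,000
PPS) and per-connection tracking come from Table 96; the 1-second bucket,
the activation period of 3 consecutive seconds, the drop threshold and the
choice to drop only packets above it are assumptions. Traffic is synthesised.
"""
from dataclasses import dataclass
from typing import Dict, Hashable, List


@dataclass
class _ConnState:
    bucket: int = -1        # second currently being counted
    count: int = 0          # packets seen in that second
    over_streak: int = 0    # consecutive seconds at/above the activation threshold
    active: bool = False


class ConnectionPpsLimiter:
    def __init__(self, activation_threshold: int = 10_000, activation_period: int = 3,
                 drop_threshold: int = 5_000):
        if min(activation_threshold, activation_period, drop_threshold) < 1:
            raise ValueError("thresholds and period must be positive")
        self.activation_threshold = activation_threshold
        self.activation_period = activation_period
        self.drop_threshold = drop_threshold
        self._conns: Dict[Hashable, _ConnState] = {}

    def _roll(self, st: _ConnState, bucket: int) -> None:
        """Close the previous second and decide whether protection is active."""
        if st.bucket >= 0:
            if st.count >= self.activation_threshold:
                st.over_streak += 1
            else:
                st.over_streak = 0
                st.active = False              # rate fell back below the threshold
            if bucket - st.bucket > 1:         # idle seconds in between count as "below"
                st.over_streak = 0
                st.active = False
            if st.over_streak >= self.activation_period:
                st.active = True
        st.bucket, st.count = bucket, 0

    def observe(self, conn: Hashable, ts: float) -> bool:
        """Account one packet on `conn` at time ts; True = forward, False = drop."""
        st = self._conns.setdefault(conn, _ConnState())
        bucket = int(ts)
        if bucket != st.bucket:
            self._roll(st, bucket)
        st.count += 1
        return not (st.active and st.count > self.drop_threshold)

    def is_active(self, conn: Hashable) -> bool:
        st = self._conns.get(conn)
        return bool(st and st.active)


def run_trace(limiter: ConnectionPpsLimiter, conn: Hashable, pps_per_second: List[int]) -> List[int]:
    """Replay a synthetic per-second packet rate from t=0; return packets forwarded per second."""
    forwarded = []
    for sec, pps in enumerate(pps_per_second):
        ok = sum(limiter.observe(conn, sec + i / pps) for i in range(pps))
        forwarded.append(ok)
    return forwarded
```

The activation period is what keeps a one-second burst from a legitimate bulk transfer from being punished; tune it against the Activation Threshold using real per-connection rates from the protected servers rather than the defaults.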
The name of the profile. Queries’ Protections and Quotas Radware recommends that you initially leave these fields empty so that the default values will automatically be used. To view default values after creating the profile, double-click the entry in the table.
Table 97: DNS Protection Profile Parameters
Activation Threshold: The minimum number of queries per second, after the specified Activation Period, on a single connection that causes the device to consider there to be an attack. When the device detects an attack, it issues an appropriate alert and drops the DNS packets that exceed the threshold.
Packet Trace: Specifies whether the DefensePro device sends attack packets to the specified physical port. Default: Disabled. Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective >...
Configuring the Server Protection Policy
The Server Protection policy defines the protected servers in your network, and the actions to be taken when an attack on a protected server is detected. Caution: When you configure the policy, APSolute Vision stores your configuration changes, but it does not download your configuration changes to the device.
Server Cracking profiles defend the applications in your network against server flooding, authorization hacking, vulnerability scanning, and application floods. Each Protection protects against one specific cracking activity. You configure Server Cracking profiles with Radware-defined protections. Each DefensePro device supports up to 20 Server Cracking profiles.
DefensePro can protect against the following server-cracking types: • Authorization Hacking—Many Web servers and other server applications lack protection for their password lists. Highly sophisticated, readily available password-cracking tools automatically send large numbers of possible passwords in a short period of time, leading to Web-page alterations, customer-data theft, and unauthorized use of Web servers or other application resources such as mail and FTP.
Viewing Radware-defined Server Cracking Protections You can view the read-only Radware-defined Server Cracking protections. To view Radware-defined Server Cracking protections In the Configuration perspective Server Protection tab navigation pane, select Server Cracking Profiles > Server Cracking Protections. The Server Cracking Protections table is displayed with the read-only Radware-defined Server Cracking protections.
Table 100: Radware-defined Server Cracking Protections
Sensitivity: The detection sensitivity of the module. The sensitivity level defines thresholds for the number and frequency of server-side error messages, which are tracked for attack detection. High sensitivity specifies that the device needs few cracking attempts to trigger the protection.
Before you configure an HTTP Flood profile, ensure that HTTP mitigation is enabled and the global parameters are configured. For more information, see Configuring Global HTTP Flood Protection, page 131. To configure an HTTP Flood profile 1.
Table 101: HTTP Flood Profile Parameters
Other Request-type Request-Rate Trigger: The maximum number of requests that are not GET or POST (for example, HEAD, PUT, and so on) allowed, per server per second. Values: •...
Packet Trace: Specifies whether the DefensePro device sends attack packets to the specified physical port. Default: Disabled. Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective >...
You can configure a White List rule from a specified source Network class or source IP address to bypass (that is, be exempt from) specific protection modules—for example, Server Cracking. When you specify specific protection modules in a White List rule, the device uses only the source Network class or explicit source IP address.
Table 102: White List Rule Parameters
Bypass SYN Protection: When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses SYN Protection inspection. Default: Enabled.
Bypass Anti Scanning: When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Anti-Scanning inspection.
Physical Ports: The Physical Port class or physical port that the rule uses. Values: • A Physical Port class displayed in the Classes tab • The physical ports on the device •...
You enable or disable the Packet Trace feature for all the Black List rules on the device. Notes >> When this feature is enabled, for the feature to take effect, the global setting must be enabled (Configuration perspective >...
Table 103: Black List Rule Parameters
Classification
Source Network: The source of the packets that the rule uses. Values: • A Network class displayed in the Classes tab • An IP address • None •...
Protocol: The protocol of the traffic that the policy inspects. Values: • • • ICMP • ICMPv6 • IGMP • SCTP • • Default: Any.
Direction: The direction to which the rule relates. Values: •...
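How a White List rule's per-module bypass and a Black List rule's source classification fit together when a packet arrives, as an added Python example (not Radware code, and not a description of DefensePro's internal data path). The Network class names, CIDR ranges, rule names and module identifiers are all constructed for the example; taking the union of the modules exempted by every matching White List rule, and the first-match order for Black List rules, are assumptions, since the page describes one rule at a time.

```python
import ipaddress
from dataclasses import dataclass

# Constructed Network classes: class name -> CIDR ranges (invented for the example).
NETWORK_CLASSES = {
    "monitoring_hosts": ["10.1.1.0/24", "2001:db8:1::/48"],
    "known_bad": ["198.51.100.0/24"],
}

# Protection modules a White List rule can exempt a source from. The page names
# SYN Protection, Anti-Scanning and Server Cracking; the identifiers are assumed.
ALL_MODULES = ("syn_protection", "anti_scanning", "server_cracking")


def source_matches(source, ip):
    """True if `ip` is covered by `source`: a Network class name, an explicit
    IP address, or None (matches any address)."""
    if source is None:
        return True
    addr = ipaddress.ip_address(ip)
    if source in NETWORK_CLASSES:
        # ip_network.__contains__ returns False across IP versions, so a
        # class mixing IPv4 and IPv6 ranges is safe to test this way.
        return any(addr in ipaddress.ip_network(n) for n in NETWORK_CLASSES[source])
    return addr == ipaddress.ip_address(source)


@dataclass(frozen=True)
class WhiteListRule:
    name: str
    source: str            # Network class name or explicit IP address
    bypass: frozenset      # modules this source is exempt from
    enabled: bool = True


@dataclass(frozen=True)
class BlackListRule:
    name: str
    source: str = None     # Network class, IP address, or None for any
    destination: str = None
    protocol: str = "any"  # "any" or a protocol name such as "icmp"
    enabled: bool = True


def bypassed_modules(rules, src_ip):
    """Union of the modules exempted by every enabled White List rule that
    covers src_ip (the union is an assumption of this example)."""
    skipped = set()
    for r in rules:
        if r.enabled and source_matches(r.source, src_ip):
            skipped |= r.bypass
    return frozenset(skipped)


def blacklisted(rules, src_ip, dst_ip, protocol):
    """Name of the first enabled Black List rule the packet matches, else None."""
    for r in rules:
        if (r.enabled and source_matches(r.source, src_ip)
                and source_matches(r.destination, dst_ip)
                and r.protocol in ("any", protocol)):
            return r.name
    return None


def classify(white_rules, black_rules, src_ip, dst_ip, protocol):
    """('drop', rule_name) for black-listed traffic; otherwise ('inspect',
    modules) listing the modules that still inspect the packet after the
    White List exemptions are removed."""
    hit = blacklisted(black_rules, src_ip, dst_ip, protocol)
    if hit:
        return ("drop", hit)
    skipped = bypassed_modules(white_rules, src_ip)
    return ("inspect", tuple(m for m in ALL_MODULES if m not in skipped))


WHITE = [
    WhiteListRule("noc_scanners", "monitoring_hosts",
                  frozenset({"anti_scanning", "syn_protection"})),
    WhiteListRule("pentest_box", "203.0.113.7", frozenset({"server_cracking"})),
]
BLACK = [BlackListRule("sinkhole_bad_net", source="known_bad")]

if __name__ == "__main__":
    print(classify(WHITE, BLACK, "10.1.1.9", "192.0.2.10", "tcp"))
    print(classify(WHITE, BLACK, "198.51.100.4", "192.0.2.10", "udp"))
```

The practical check this makes visible: a White List entry for a vulnerability scanner should exempt only the modules that scanner trips (Anti-Scanning, perhaps SYN Protection), not every module, otherwise a compromised scanner host becomes an uninspected path to the protected servers.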
Managing the ACL Policy
The Access Control List (ACL) module is a stateful firewall that enables you to configure a flexible and focused stateful access-control policy. You can modify and view the active ACL policy. You can also view ACL report summaries and the ACL log analysis.
To configure global ACL settings
1. In the Configuration perspective ACL tab navigation pane, select ACL Policy > Global Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.
Table 104: Global ACL Parameters
Global Settings...
TCP Mid Flow Mode: Specifies what the device does with out-of-state packets. Values: Drop, Allow. Default: Drop.
TCP Reset Validation Mode: Specifies the action that the device takes when RST packet validation fails (that is, the packet sequence number is not within the permitted range).
Max Number of Report Traps: The maximum number of detailed reports that the device generates per second. Values: 1–100. Default: 10.
Packet Trace: Specifies whether the DefensePro device sends attack packets to the specified physical port.
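What the two TCP settings above decide, shown in an added Python model of a stateful filter (example code, not Radware's implementation). A packet for which no handshake has been seen is the "out-of-state" case that TCP Mid Flow Mode governs; a RST whose sequence number is outside the receiver's window is the case that TCP Reset Validation Mode governs, which is exactly what a blind connection-reset attempt with a guessed sequence number looks like. Assumptions: only the client-to-server direction is tracked, the permitted RST range is taken to be the receive window advertised in the handshake, and the Reset Validation Mode values are assumed to mirror the Drop/Allow values of the mid-flow setting (the page does not list them). The segments are constructed.

```python
from dataclasses import dataclass

MOD32 = 1 << 32


@dataclass
class Segment:
    """One TCP segment in the client->server direction (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    flags: str            # e.g. "S", "A", "PA", "RA"
    payload_len: int = 0
    window: int = 65535   # receive window advertised in the handshake


@dataclass
class FlowEntry:
    rcv_nxt: int   # next sequence number the server expects from this client
    rcv_wnd: int   # window in which a RST sequence number is acceptable


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """Modulo-2^32 test: rcv_nxt <= seq < rcv_nxt + rcv_wnd."""
    return (seq - rcv_nxt) % MOD32 < rcv_wnd


class StatefulAcl:
    """Minimal model of TCP Mid Flow Mode and TCP Reset Validation Mode."""

    def __init__(self, mid_flow_mode="Drop", rst_validation_mode="Drop"):
        assert mid_flow_mode in ("Drop", "Allow")
        assert rst_validation_mode in ("Drop", "Allow")   # assumed values
        self.mid_flow_mode = mid_flow_mode
        self.rst_validation_mode = rst_validation_mode
        self.flows = {}   # (src, sport, dst, dport) -> FlowEntry

    def handle(self, seg):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        flow = self.flows.get(key)
        if "S" in seg.flags and "A" not in seg.flags:
            # New connection attempt: the SYN consumes one sequence number.
            self.flows[key] = FlowEntry((seg.seq + 1) % MOD32, seg.window)
            return "allow"
        if flow is None:
            # No handshake seen on this 4-tuple: an out-of-state (mid-flow) packet.
            return self.mid_flow_mode.lower()
        if "R" in seg.flags:
            if not seq_in_window(seg.seq, flow.rcv_nxt, flow.rcv_wnd):
                # RST validation failed: a blind reset with a guessed sequence number.
                return self.rst_validation_mode.lower()
            del self.flows[key]   # genuine reset: tear the flow down
            return "allow"
        if seg.seq == flow.rcv_nxt:
            # In-order data advances the expected sequence number.
            flow.rcv_nxt = (seg.seq + seg.payload_len) % MOD32
        return "allow"


def run(acl, segments):
    return [acl.handle(s) for s in segments]


SEGMENTS = [
    Segment("192.0.2.10", 51000, "203.0.113.5", 443, seq=1000, flags="S"),
    Segment("192.0.2.10", 51000, "203.0.113.5", 443, seq=1001, flags="PA", payload_len=100),
    Segment("192.0.2.10", 51000, "203.0.113.5", 443, seq=900_000_000, flags="RA"),  # forged RST
    Segment("192.0.2.10", 51000, "203.0.113.5", 443, seq=1101, flags="RA"),         # genuine RST
    Segment("192.0.2.10", 51000, "203.0.113.5", 443, seq=1101, flags="A"),          # after teardown
    Segment("198.51.100.7", 4444, "203.0.113.5", 22, seq=5, flags="A"),            # never handshaken
]

if __name__ == "__main__":
    print(run(StatefulAcl(), SEGMENTS))
```

With both settings at their default of Drop, the forged RST, the packet after teardown and the never-handshaken packet are all dropped; setting either mode to Allow lets the corresponding class of packet through, which is sometimes needed when the device is inserted into a network with long-lived connections whose handshakes it never saw.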
Table 105: ACL Rule Parameters
Identification
Rule Name: The name of the rule, up to 50 characters.
Rule Index: The index number for the rule. DefensePro examines policy rules in ascending order of index numbers. Values: 1–max integer.
Enabled: When selected, the rule is active.
Physical Port Group: The Physical Port class or physical port that the rule uses. Values: • A Physical Port class displayed in the Classes tab • The physical ports on the device •...
Viewing Active ACL Policy Rules
You can view the active rules in the ACL policy configured on the device. To view the active ACL rule configuration In the Configuration perspective Classes tab navigation pane, select ACL Policies > Active Policy.
Chapter 6 – Bandwidth Management This chapter describes the Bandwidth Management module. This chapter contains the following sections: • Bandwidth Management Overview, page 209 • Managing Bandwidth Management Global Settings, page 210 • Bandwidth Management Policies, page 212 • Port Bandwidth, page 220 Bandwidth Management Overview The Bandwidth Management module includes a feature set that enables you to gain full control over your available bandwidth.
DefensePro User Guide Bandwidth Management Classification Mode The BWM module supports the following classification modes: • Policies—The device classifies each packet or session by matching it to policies configured by the user. • Diffserv—The device classifies packets only by the Differentiated Services Code Point (DSCP) value.
Table 106: BWM Global Settings
Application Classification: The type of application classification. The process of session classification considers either of the following: • Each packet of the session is classified until the number of Max Packets for Session Classification is reached.
Policy Statistics Reporting Period: The time, in seconds, that the device monitors policy statistics. Values: 1–999999999. Default: 60.
Forward Reporting to Management System: Specifies whether the device sends BWM statistics to APSolute Vision.
Bandwidth Management Classification Criteria You can use an object (for example, a network object) that you have already configured or you can add an IP address manually. Radware recommends that you work with objects that you have already configured. A policy includes the following traffic classification criteria: •...
Example
If you have the following rule:
— Source: IP_A
— Destination: IP_B
— Service: HTTP
— Direction: One Way
only traffic with source IP IP_A and destination IP IP_B, with source port X and destination port 80, is classified.
Policy Index
The policy order or index is a number that determines the order of the policy in the entire policy database. When the classifier receives a packet, it tries to find a policy that matches the packet. The classifier searches the policy database starting with policy #1 and continues in ascending index order, so the lowest-indexed matching policy wins.
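The two points above, the One Way direction of the IP_A/IP_B/HTTP example and the ascending-index search, in an added Python classifier. This is example code, not Radware's classifier: the "Two Way" direction name is an assumption (the page only shows One Way), Network classes are reduced to single addresses, the service table and policy names are constructed, and the symbolic addresses IP_A, IP_B and IP_C stand in for real ones as they do in the page's example.

```python
from dataclasses import dataclass

# Service name -> destination port. The page's example maps HTTP to port 80;
# the other entries are assumptions for the example.
SERVICES = {"HTTP": 80, "HTTPS": 443, "DNS": 53}


@dataclass(frozen=True)
class Policy:
    index: int
    name: str
    source: str          # "any" or an address (Network classes omitted here)
    destination: str
    service: str         # key in SERVICES, or "any"
    direction: str       # "One Way" (from the page) or "Two Way" (assumed name)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def _ip_match(rule_ip, ip):
    return rule_ip == "any" or rule_ip == ip


def _forward_match(p, pkt):
    """Source->Destination with the service as the destination port."""
    return (_ip_match(p.source, pkt.src) and _ip_match(p.destination, pkt.dst)
            and (p.service == "any" or pkt.dport == SERVICES[p.service]))


def _reverse_match(p, pkt):
    """Return traffic: Destination->Source with the service as the source port."""
    return (_ip_match(p.source, pkt.dst) and _ip_match(p.destination, pkt.src)
            and (p.service == "any" or pkt.sport == SERVICES[p.service]))


def matches(p, pkt):
    if _forward_match(p, pkt):
        return True
    return p.direction == "Two Way" and _reverse_match(p, pkt)


def classify(policies, pkt, default="default"):
    """Walk the policy database from index 1 upward; the first match wins."""
    for p in sorted(policies, key=lambda p: p.index):
        if matches(p, pkt):
            return p.name
    return default


POLICIES = [
    Policy(2, "web_A_to_B", "IP_A", "IP_B", "HTTP", "One Way"),
    Policy(1, "dns_A_to_B", "IP_A", "IP_B", "DNS", "One Way"),
    Policy(3, "all_A_to_B", "IP_A", "IP_B", "any", "One Way"),
    Policy(4, "web_both_ways", "IP_A", "IP_C", "HTTP", "Two Way"),
]

if __name__ == "__main__":
    print(classify(POLICIES, Packet("IP_A", "IP_B", 40001, 80)))   # web_A_to_B
    print(classify(POLICIES, Packet("IP_B", "IP_A", 80, 40001)))   # default
```

The second call is the point of the One Way direction: the HTTP response from IP_B back to IP_A matches no policy, so it is not counted against the policy's bandwidth. A packet to IP_B on any other port falls through policy #2 to the catch-all #3, because the catch-all has the higher index.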
Table 107: BWM Rule Parameters
Identification
Name: The user-defined name of the policy. Note: This value is read-only after creation.
Index: The index number of the policy. Values: 1–100,000.
Description: A description of the policy.
Enable Policy: Specifies whether the policy is enabled.
VLAN Tag Group: The VLAN Tag class that the rule uses. Values: • A VLAN Tag class displayed in the Classes tab • None. Default: None.
Service Type: The type of Service (filter).
Per Traffic Flow
Traffic Flow Identification: The type of traffic flow that this policy manages. Values: • None • Client—Source IP • Session—Source IP and port • Connection—Source IP and destination IP •...
Advanced
Maximum Concurrent Sessions: The maximum number of concurrent sessions allowed for a client IP address. Default: 0. Note: This option is not available if the Traffic Flow Identifier is set to Session or Full L4 Session.
Table 108: Active BWM Rule Parameters
VLAN Tag Group: The VLAN Tag class that the rule uses.
Service Type: The type of Service (filter). Note: For more information, see Managing Services for Traffic Filtering, page 229.
Chapter 7 – Managing Classes Classes define groups of elements of the same type of entity. You can configure classes based on the following: • Networks—to classify traffic in a network-protection rule or a bandwidth management rule. • Application ports—to define or modify applications based on Layer 4 destination ports. •...
DefensePro User Guide Managing Classes To configure a network class 1. In the Configuration perspective Classes tab navigation pane, select Modify Configuration > Networks. 2. To add or modify a network class, do one of the following: — To add a class, click the (Add) button.
Configuring Application Classes
Application classes are groups of Layer-4 ports for UDP and TCP traffic. Each class is identified by its unique name, and you can define multiple Layer-4 ports in a single class. You cannot modify the predefined application classes for standard applications;...
Configuring Physical Port Classes
You can define network segments using definitions of physical ports. Use physical port classes to classify traffic according to physical ports in security policy rules and bandwidth management rules. To configure a physical port class 1.
Table 111: VLAN Tag Group Class Parameters
VLAN Tags Group Name: The name of the VLAN group.
Group Mode: The VLAN mode. Values: • Discrete—An individual VLAN tag, as defined in the interface parameters of the device.
Viewing Active Class Configurations
You can view the active class configurations that are configured on the device. This section contains the following topics: • Viewing the Active Network Class Configuration, page 226 • Viewing the Active Application Class Configuration, page 226 •...
Viewing the Active VLAN Tag Class Configuration
You can view the active VLAN tag classes that are configured on the device. To view the active VLAN tag class configuration In the Configuration perspective Classes tab navigation pane, select Active Configuration > VLAN Tags.
To configure MPLS RD groups 1. In the Configuration perspective Classes tab navigation pane, select MPLS RD. 2. Do one of the following: — To add an MPLS RD group, click the (Add) button. — To edit an MPLS RD group, double-click the group name.
Chapter 8 – Managing Services for Traffic Filtering The ACL and BWM modules can use Services to filter traffic. Services classify traffic based on Layer 3–7 criteria. A Service is a configuration of a basic filter, which may be combined with logical operators to achieve more sophisticated filters (AND Group filters and OR Group filters).
DefensePro User Guide Managing Services for Traffic Filtering You can choose from the following types of configurable content: • • Hostname • HTTP header field • Cookie • mail domain • Mail to • Mail from • Mail subject • File type •...
Table 113: Basic Filter Parameters
Name (Read-only): The name of the filter.
Protocol: Values: • • • • ICMP • NonIP • ICMPV6 • SCTP. Default: IP.
Source App. Port: The Layer-4 source port or source-port range for TCP, UDP, or SCTP traffic.
Destination App. Port: The Layer-4 destination port or destination-port range for TCP, UDP, or SCTP traffic. Values: • Values in the range 0–65,535 • Value ranges (for example, 30–400) •...
OMPC Pattern: The fixed-size pattern within the packet that the OMPC rule attempts to find. The value must be defined according to the OMPC Length parameter.
Content Type: Specifies the specific content type to search for. Values: • None • URL—A URL in the HTTP request URI. • Text—Text anywhere in the packet. •...
Content End Offset: Specifies the location in the packet at which the checking of content ends. Values: 0–1499. Default: None.
Content Data: The content that the filter searches for within the packet.
Content Coding: The encoding type of the content to search for (as specified in the Content field).
Example
The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as: AF1 = {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three filters (F1, F2, and F3).
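The basic-filter parameters from Table 113 (protocol, source and destination port ranges, an OMPC pattern at a fixed offset, and a content search bounded by start and end offsets) together with the AF1 = {F1 AND F2 AND F3} example above and the OR Group described next, as an added Python example. This is illustration code, not Radware's filter engine: offsets are counted from the start of the constructed packet bytes, port specs follow the page's "30–400" notation, the filter contents and packets are invented, and nesting a group inside another group is shown as an assumption of the example rather than a documented capability.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet: header fields plus the raw bytes that the content
    and OMPC checks look at (offsets count from the start of `data`)."""
    protocol: str
    sport: int
    dport: int
    data: bytes


def parse_ports(spec):
    """'80', '30-400' or '80,443,30-400' -> set of ports; empty -> any port."""
    if not spec:
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part}")
        ports.update(range(lo, hi + 1))
    return ports


@dataclass
class BasicFilter:
    name: str
    protocol: str = "IP"          # "IP" (the page's default) matches every protocol
    src_ports: str = ""
    dst_ports: str = ""
    ompc_offset: int = None       # fixed offset at which the OMPC pattern must sit
    ompc_pattern: bytes = None    # fixed-size pattern; its length is the OMPC Length
    content: bytes = None         # Content Data, searched anywhere in the offset range
    content_start: int = 0        # Content Start Offset
    content_end: int = 1499       # Content End Offset

    def matches(self, pkt):
        if self.protocol != "IP" and self.protocol != pkt.protocol:
            return False
        for spec, port in ((self.src_ports, pkt.sport), (self.dst_ports, pkt.dport)):
            allowed = parse_ports(spec)
            if allowed is not None and port not in allowed:
                return False
        if self.ompc_pattern is not None:
            end = self.ompc_offset + len(self.ompc_pattern)
            if pkt.data[self.ompc_offset:end] != self.ompc_pattern:
                return False
        if self.content is not None:
            window = pkt.data[self.content_start:self.content_end + 1]
            if self.content not in window:
                return False
        return True


@dataclass
class AndGroup:
    name: str
    filters: list

    def matches(self, pkt):
        return all(f.matches(pkt) for f in self.filters)


@dataclass
class OrGroup:
    name: str
    filters: list

    def matches(self, pkt):
        return any(f.matches(pkt) for f in self.filters)


F1 = BasicFilter("F1", protocol="TCP", dst_ports="80,8080")
F2 = BasicFilter("F2", content=b"/admin", content_start=0, content_end=200)
F3 = BasicFilter("F3", ompc_offset=0, ompc_pattern=b"GET ")
AF1 = AndGroup("AF1", [F1, F2, F3])   # {F1 AND F2 AND F3}
OF1 = OrGroup("OF1", [F2, F3])        # {F2 OR F3}

# Constructed packets.
GET_ADMIN = Packet("TCP", 51234, 80, b"GET /admin/login HTTP/1.1\r\nHost: example.test\r\n\r\n")
POST_ADMIN = Packet("TCP", 51235, 80, b"POST /admin/login HTTP/1.1\r\nHost: example.test\r\n\r\n")
GET_INDEX = Packet("TCP", 51236, 8080, b"GET /index.html HTTP/1.1\r\n\r\n")
UDP_QUERY = Packet("UDP", 40000, 53, b"\x12\x34\x01\x00\x00\x01")

if __name__ == "__main__":
    for pkt in (GET_ADMIN, POST_ADMIN, GET_INDEX, UDP_QUERY):
        print(pkt.data[:16], AF1.matches(pkt), OF1.matches(pkt))
```

The two groups behave differently on the POST: AF1 rejects it because the OMPC check for "GET " at offset 0 fails, while OF1 accepts it on the content match alone. When a filter is used in an enabled policy, remember the caution that follows: edits to the filter do not take effect until the policies are updated.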
Caution: If you modify the configuration of a filter that is used in an existing and enabled policy, you need to activate the latest changes (Classes > Update Policies > Set). To configure an OR Group filter 1.
To view active OR Groups Select Classes > View Active > Services > OR Groups. The Active OR Groups Table pane is displayed. Note: To view the configuration of the filter (read-only), select the link of the relevant filter.
Upgrading Device Software, page 241 • Downloading a Device’s Log File to the APSolute Vision Client, page 242 • Updating a Radware Signature File or RSA Signature File, page 243 • Downloading a Technical Support File to the APSolute Vision Client, page 244 •...
DefensePro User Guide Managing Device Operations and Maintenance Shutting Down a DefensePro Device You can activate a device shutdown from APSolute Vision. Note: This feature applies only to OnDemand Switch platforms. To shut down a DefensePro device 1. In the Monitoring perspective system pane, right-click the device name and select Shutdown. 2.
The software version file must be located on the APSolute Vision client system. APSolute Vision automatically transfers it to the APSolute Vision server and uploads it to the device. New software versions require a password, which can be obtained from the Radware corporate Web site. For a maintenance-only upgrade, the password is not required.
To update the device software version
1. In the Monitoring perspective system pane, right-click the device name and select Manage Software Versions.
2. Configure software upgrade parameters, and click OK.
3. When the device upgrade is complete, reboot the device.
Table 115: Software Upgrade Parameters
Updating a Radware Signature File or RSA Signature File You can upload an updated Radware signature file or RSA signature file to a DefensePro device. You can upload an updated Radware signature file to a DefensePro device from the following sources: •...
Vision Client For debugging purposes, a DefensePro device can generate a TAR file containing the technical information that Radware Technical Support requires. The file includes output of various CLI commands; for example, a printout of the Client table. You can download a DefensePro device’s technical support file to the APSolute Vision client system and send it to Radware Support.
The commands are printed within each section, in the order of implementation. At the end of the file, the device prints the signature of the configuration file. This signature is used to verify the authenticity of the file and that it has not been corrupted. The signature is validated each time the configuration file is uploaded to the device.
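The check described above, a trailing signature over the command sections that is verified before an uploaded configuration is accepted, as an added Python example. The page does not say which algorithm DefensePro uses or where its key lives, so this is not Radware's format: the example assumes an HMAC-SHA256 over the normalised command text under a device-held key, an invented signature-line prefix, an invented command syntax, and a hypothetical key embedded only so the block runs offline.

```python
import hashlib
import hmac

SIG_PREFIX = "#! signature: "   # assumed trailer format, not DefensePro's


def canonical(lines):
    """Normalise line endings and trailing whitespace so the signature survives
    a transfer that rewrites newlines but not one that edits a command."""
    return "\n".join(l.rstrip() for l in lines).encode() + b"\n"


def sign_config(lines, key):
    """Return the configuration text with an HMAC-SHA256 signature line appended."""
    body = [l for l in lines if not l.startswith(SIG_PREFIX)]
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return "\n".join(body + [SIG_PREFIX + tag]) + "\n"


def verify_config(text, key):
    """Return (ok, commands). ok is False when the signature line is missing,
    malformed, or does not match the commands above it; no commands are
    returned in that case so a caller cannot apply an unverified file."""
    lines = text.splitlines()
    if not lines or not lines[-1].startswith(SIG_PREFIX):
        return False, []
    body, tag = lines[:-1], lines[-1][len(SIG_PREFIX):].strip()
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False, []
    return True, [l for l in body if l and not l.startswith("#")]


# Constructed configuration with invented command syntax (not DefensePro CLI).
CONFIG = [
    "# section: system",
    "system set hostname dp-edge-1",
    "# section: acl",
    "acl rule add index 10 name block-scanners action drop",
]
KEY = b"device-secret-key-example"   # hypothetical device key

if __name__ == "__main__":
    signed = sign_config(CONFIG, KEY)
    print(verify_config(signed, KEY))
    print(verify_config(signed.replace("action drop", "action allow"), KEY))
```

A keyed MAC rather than a plain hash is what makes the "authenticity" half of the claim hold: anyone who can edit the file can recompute a checksum, but cannot recompute a MAC without the key. It does not protect against replaying an older, validly signed configuration; a version or timestamp inside the signed body would be needed for that.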
To restore a device’s configuration
1. In the Monitoring perspective system pane, right-click the device name and select Import Configuration File to Device.
2. Configure upload parameters, and click OK.
3. When the upload completes, reboot the device.
Table 120: Device Configuration File Upload Parameters

Checking Device Memory Availability
You can check whether a DefensePro device has enough memory before you change any tuning parameters, including NAT tuning. To check device memory availability In the Monitoring perspective system pane, right-click the device name and select Check Available Memory.

Enabling and Disabling Interfaces
You can enable and disable interfaces from the Monitoring perspective. In DefensePro, you can enable and disable device ports and trunks. To enable an interface 1. In the Monitoring perspective system pane, select the relevant device. 2.
Back up a device configuration • Reboot a device • Update the Radware signature file onto a DefensePro device from Radware.com or the proxy server • Update RSA signature file onto a DefensePro device from Radware.com or the proxy server Note: You can perform the operations manually, from the Monitoring perspective.
• Update RSA Signature Files for a Device, page 253 • Update Radware Signature Files for a Device, page 254 Device Configuration Backup Parameters Note: By default you can save up to five (5) configuration files per device on the APSolute Vision server.
Enabled: When selected, the task is performed according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.
Schedule Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters.
Schedule Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters. Values: • Once—The task is performed one time only at the specified date and time.
Schedule Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters. Values: • Once—The task is performed one time only at the specified date and time.
Devices: The RSA signature files for DefensePro devices in the Selected Devices list will be updated. The list of available devices contains only devices with Fraud Protection enabled.
Update Radware Signature Files for a Device
Basic Parameters
Name: A unique name for the task.
Schedule Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters. Values: • Once—The task is performed one time only at the specified date and time.
Chapter 10 – Monitoring DefensePro Devices and Interfaces APSolute Vision’s online monitoring can serve as part of a Network Operations Center (NOC) that monitors and analyzes the network and connected devices for changes in conditions that may impact network performance. The following topics describe: •...
MAC address of the first port on the device.
Signature Update
Radware Signature File Version: The version of the Radware Signature File installed on the device.
RSA Signatures Last Update: When RSA is enabled, this parameter can display the timestamp of the last update of RSA signatures, received from Radware.com and...
DefensePro User Guide Monitoring DefensePro Devices and Interfaces Monitoring DefensePro High Availability You can view the status of parameters related to the high availability of a selected DefensePro device. Note: When you issue the Switch Over command on the cluster node in the Monitoring perspective, the active device switches over.
Monitoring the DefensePro Suspend Table
When DefensePro detects an attack, some protections, such as anti-scan, server cracking, and connection limit, add the source IP of the attacker to the Suspend table. All traffic from the attacker to the protected server is then handled according to the Suspend Action for a defined time period.
Last 5 sec. Average Utilization: Average utilization of resources in the last 5 seconds.
Last 60 sec. Average Utilization: Average utilization of resources in the last 60 seconds.
Accelerator Utilization
Accelerator Type: The name of the accelerator.
DNS Authentication Table
Table Size: The number of source addresses that the table can hold.
Table Utilization: Percent of the table that is currently utilized.
Aging Time: The aging time, in minutes, for the table.
Clear Table: Click Clear Table to clear the contents of the table.
Number of SNMP Error “Generic Error” Received: The total number of SNMP PDUs generated by the SNMP protocol entity for which the value of the error-status field is ‘genErr’.
Number of SNMP 'GET' Responses Sent: The total number of SNMP Get-Response PDUs generated by the SNMP protocol entity.
Direction: The direction of the policy. Values: • Inbound • Outbound
HW Entries: The number of DME hardware entries that the policy uses.
Sub-Policies: The number of DME sub-policy entries that the policy uses.
Monitoring DefensePro Syslog Information
You can view information relating to the syslog mechanism.
The number of entries that match configured session table filters is displayed. The following information is displayed in the Filtered Session Table:
Source IP: The source IP address within the defined subnet.
Destination IP: The destination IP address within the defined subnet.
Table 123: DefensePro Session Table Filter Parameters
Destination IP Mask: The destination IP address used to define the subnet that you want to present in the Session Table. Select IPv4 or IPv6; and then, enter the mask.
Source L4 Port: The session source Layer 4 port.
Router Statistics
Number of IP Packets Forwarded: The number of input datagrams for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination.
To display the last-second BWM statistics for a selected DefensePro device
1. In the Monitoring perspective, select the BWM Statistics tab in the content pane.
2. Select Policy Statistics (Last Second). The Policy Statistics (Last Second) table is displayed.
3.
Displaying the Last-Period BWM Statistics for a Selected DefensePro Device
To display the last-period BWM statistics for a selected DefensePro device, the Enable Policy Statistics Monitoring checkbox must be selected (Configuration perspective > BWM > Global Settings >...
Table 125: DefensePro BWM Last-Period Statistics Parameters
Outbound Matched Bandwidth: The volume of outbound traffic, in Kilobits, in the last specified period that matched the policy.
Outbound Sent Bandwidth: The volume of outbound sent traffic, in Kilobits, in the last specified period.
Monitoring DefensePro ARP Table Information
You can view the device’s ARP table, which contains both static and dynamic entries. You can change an entry type from dynamic to static. Note: The ARP table is not automatically refreshed periodically. The information is loaded when you select to display the ARP Table pane, and when you manually refresh the display.
3. Configure MPLS RD parameters and click OK.
Table 126: MPLS RD Parameters
MPLS RD: The MPLS RD name.
Type: Describes the MPLS RD format. Values: • 2 Bytes : 4 Bytes—AS (16 bit): Number (32 bit) •...
Table 127: L2 Interface Statistics
Statistics
Incoming Bytes: The number of incoming octets (bytes) through the interface, including framing characters.
Incoming Unicast Packets: The number of packets delivered by this sub-layer to a higher sub-layer, which were not addressed to a multicast or broadcast address at this sub-layer.
Chapter 11 – Real-Time Security Reporting You can use the Security Monitoring perspective to observe and analyze the attacks that the device detected and the countermeasures that the device implemented. APSolute Vision displays real-time network traffic and statistical parameters. The DefensePro device calculates a traffic baseline, and uses this to identify abnormalities in traffic levels.
DefensePro User Guide Real-Time Security Reporting Use the Security Dashboard to analyze activity and security events in the network, identify security trends, and analyze risk. You can view Dashboard information for individual DefensePro devices, all devices in a site, or all devices in the network.
3. To select the ports for which to display data: a. Click Select Ports. Data is displayed for ports in the Selected Ports list. b. Move ports to and from the Selected Ports list, as required. 4.
Table 129: Current Attacks Summary Information
Start Time: The date and time of the attack start.
Category: The threat type to which this attack belongs—for example, Intrusions, DoS, Anti Scanning, and so on.
Status: The last-reported status of the attack.
Device IP: The IP address of the attacked device.
Protocol: The transmission protocol used to send the attack. Values: • • • ICMP •
Source L4 Port: The Layer 4 source port of the attack.
>> The file is created only if packet reporting is enabled in the protection configuration for the profile that was violated.
Attack Details
An Attack Information window is displayed when you double-click an attack in the Security Dashboard or in the Current Attacks table.
BDoS Attack Details
Global Attack Characteristics: The attack characteristics comprise the following parameters: • Source L4 Port • Protocol • Physical Port • Fragmentation Flag—A value of 0 indicates that fragmentation is allowed, 1 indicates that fragmentation is not allowed.
Attack Info: The attack information comprises the following parameters: • Packet Size Anomaly Region—Displays the statistical region of the attack packets. The formula for the packet-size baseline for a policy is {(AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS)}, that is, the average attack packet size divided by the average normal packet size. Values: —...
Page 283
DoS Attack Details
Parameter: Description
Global Attack Characteristics: The attack characteristics comprise the following parameters:
• Protocol
• Physical Port
• Packet Count
• VLAN
• MPLS RD
• Device IP
Note: Some fields can display multiple values, when relevant and available.
Attack Info: Displays protection action information, blocking details and scan statistics. The attack information comprises the following parameters:
• Action: The protection action taken.
• Action Reason: Describes the difference between the configured action and the actual action.
• …
Attack Info: Displays protection action information, blocking details and attack statistics. The attack information comprises the following parameters:
• Blocking Duration: The blocking duration, in seconds, of the attacker source IP address.
• Estimated Release Time: The estimated release time of the attacker, in local time.
Attack Info: The information is displayed when the protection action is blocking mode. The attack information comprises the following parameters:
• Average Attack Rate: The average rate of spoofed SYNs and data connection attempts per second, calculated every 10 seconds.
Attack Info: The attack information comprises the following parameters:
• Protection State: The state of the protection process:
  — Characterization: The protection module is analyzing the attack footprint.
  — Mitigation: The protection module is mitigating the attack according to the profile configuration.
Blocked Users, Source IP address: The source IP addresses mitigated as attackers. Up to 40 different IP addresses can be viewed.
Note: When the HTTP flood attack is widely distributed, meaning more than 1000 source IP addresses, the system does not use any source IP addresses in the blocking rule.
DNS Flood Attack Details
Parameter: Description
Global Attack Characteristics: The attack characteristics comprise the following parameters:
• Source L4 Port
• IP ID Number
• Protocol
• Destination IP
• Physical Port
• DNS ID
• …
Attack Description: The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.
Sampled Data Dialog Box
The Sampled Data dialog box contains a table with data on sampled attack packets. Each row in the table displays the data for one sampled attack packet.
Move the port pairs for which you want to display data from the Available Port Pairs list to the Selected Port Pairs list.
Note: Port pairs can be selected for each direction; however, Radware recommends that you select a port pair in one direction only and display traffic for both directions, if required. If you select port pairs in both directions and traffic for both directions, the graph displays the same traffic twice.
Monitoring Attack Sources: Geographical Map
Attacks can originate from different locations around the world, for example, Web site attacks. Web site administrators can track these attacks to see from which countries they originate. You can generate a Top Attack Sources report for an individual device. This report displays a geographical map of the world with indicators marking the country from which attacks originated, based on their source IP address.
Displaying Attack Status Information
You can display summary status information for attacks for each configured and enabled policy rule for protection. When there is an attack that violates a network-policy rule, the table displays an icon indicating the status of the attack in the corresponding row for the relevant attack traffic.
Table 134: Filter Parameters for the Statistics Graph and Last Sample Statistics Table
Parameter: Description
Rule: The network policy rule. The list only displays rules configured with a BDoS profile.
Direction: The direction of the traffic that the Statistics Graph and Last Sample Statistics table display.
Table 136: Statistics Graph Legend
Line: Description
Normal Edge (dashed green): The statistically calculated baseline traffic rate.
Suspected Edge (dashed orange): The traffic rate that indicates a change in traffic that might be an attack.
Attack Edge: The traffic rate that indicates an attack.
Table 138: Filter Parameters for the Statistics Graph and Last Sample Statistics Table
Parameter: Description
Rule: The network policy rule. The list only displays rules configured with a DNS profile.
Direction: The direction of the traffic that the Statistics Graph and Last Sample Statistics table display.
Table 140: Statistics Graph Legend
Line: Description
Normal Edge (dashed green): The statistically calculated baseline traffic rate.
Suspected Edge (dashed orange): The traffic rate that indicates a change in traffic that might be an attack.
Attack Edge: The traffic rate that indicates an attack.
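The following is an added example, not Radware code, that models how the three legend lines (Normal Edge, Suspected Edge, Attack Edge) are read against a stream of rate samples, and computes the packet-size anomaly ratio {(AnomalyBandwidth/AnomalyPPS) / (NormalBandwidth/NormalPPS)} from the BDoS Attack Info description. The guide only says the baseline is "statistically calculated"; the EWMA baseline, the x2/x4 edge multipliers, the anomaly-region labels and the sample rates are assumptions for illustration.

```python
"""Added example (not Radware code): Normal/Suspected/Attack edges over a
learned baseline, plus the BDoS packet-size anomaly ratio. The EWMA
baseline, the edge multipliers and the sample data are assumptions."""
from dataclasses import dataclass

# Constructed packets-per-second samples for one policy rule (assumed input).
NORMAL_SAMPLES = [1000.0, 1040.0, 980.0, 1010.0, 990.0, 1020.0]


@dataclass(frozen=True)
class Edges:
    normal: float     # Normal Edge: the baseline rate
    suspected: float  # Suspected Edge: a change that might be an attack
    attack: float     # Attack Edge: the rate treated as an attack


def learn_baseline(samples, alpha=0.2):
    """Exponentially weighted moving average of the observed rate (assumed
    smoothing; the guide does not state DefensePro's own statistics)."""
    baseline = float(samples[0])
    for sample in samples[1:]:
        baseline = alpha * sample + (1.0 - alpha) * baseline
    return baseline


def compute_edges(baseline, suspected_factor=2.0, attack_factor=4.0):
    """Place the Suspected and Attack edges above the baseline (assumed factors)."""
    return Edges(baseline, baseline * suspected_factor, baseline * attack_factor)


def classify_rate(rate, edges):
    """Map one traffic-rate sample onto the legend line it has crossed."""
    if rate >= edges.attack:
        return "attack"
    if rate >= edges.suspected:
        return "suspected"
    return "normal"


def packet_size_anomaly_ratio(anomaly_bw, anomaly_pps, normal_bw, normal_pps):
    """{(AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS)}: the average
    attack packet size divided by the average normal packet size."""
    return (anomaly_bw / anomaly_pps) / (normal_bw / normal_pps)


def packet_size_region(ratio, tolerance=0.25):
    """Assumed labelling of the anomaly region; the guide's own value list is
    not reproduced here."""
    if ratio < 1.0 - tolerance:
        return "smaller than normal"
    if ratio > 1.0 + tolerance:
        return "larger than normal"
    return "similar to normal"


def monitor(samples, edges):
    """Return (rate, state) for each sample, like reading the graph left to right."""
    return [(s, classify_rate(s, edges)) for s in samples]


if __name__ == "__main__":
    edges = compute_edges(learn_baseline(NORMAL_SAMPLES))
    for rate, state in monitor([1500.0, 2500.0, 9000.0], edges):
        print(f"{rate:>8.0f} pps -> {state}")
    # 9000 pps of 60-byte packets (SYN-sized) against 1000 pps of 600-byte packets
    ratio = packet_size_anomaly_ratio(9000 * 60, 9000, 1000 * 600, 1000)
    print(f"packet-size ratio {ratio:.2f}: {packet_size_region(ratio)}")
```

A ratio well below 1 is the usual shape of a SYN or small-packet flood: bandwidth barely moves while the packet rate crosses the Attack Edge, which is why the rate graph and the packet-size region are shown side by side.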
Monitoring Continuous Learning Statistics
You can generate and display normal HTTP traffic baselines based on continuous traffic statistics. Continuous learning statistics are based on recent traffic, irrespective of the time of day or the day of the week.
Table 143: HTTP Report Display Settings
Parameter: Description
Server IP: The IP address of the protected Web server for which to display HTTP traffic statistics.
Display Last: The number of most recent hours for which the graph displays information. Values: 1, 2, 3, 6, 12, 24. Default: 1 hour.
Monitoring Hour-Specific Learning Statistics…
The HTTP Request Size Distribution graph x-axis values are request sizes in 10-byte increments. The y-axis values are percentages of requests. The probability reflects the level of usage of each request size for the protected Web server. In the graph, the blue bars represent the normal probability distribution, and the orange bars represent the real-time probability (short-term probability) as calculated in intervals of a few seconds.
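The following is an added example, not Radware code, that builds the two distributions the graph shows (10-byte bins on the x-axis, percentage of requests on the y-axis) from a learned baseline and from a short-term window, and then scores how far the orange bars have moved from the blue ones. The request sizes are constructed, and the distance metric (total variation) and the 5% threshold for "new" bins are assumptions; the guide does not say how DefensePro compares the two distributions.

```python
"""Added example (not Radware code): HTTP Request Size Distribution in
10-byte bins, baseline (blue) versus real-time (orange), with an assumed
distance score. Request sizes are constructed sample data."""
from collections import Counter

BIN_WIDTH = 10  # bytes per x-axis bucket, as in the graph description

# Constructed request sizes (bytes) learned for one protected Web server.
BASELINE_SIZES = [312, 318, 325, 331, 344, 350, 352, 361, 405, 412]
# Constructed short-term window: a flood of identical small requests plus
# two legitimate ones.
RECENT_SIZES = [120] * 8 + [315, 350]


def size_distribution(sizes):
    """Map bin start (bytes) -> percentage of requests that fall in the bin."""
    counts = Counter((size // BIN_WIDTH) * BIN_WIDTH for size in sizes)
    total = len(sizes)
    return {b: 100.0 * c / total for b, c in sorted(counts.items())}


def total_variation(p, q):
    """Half the L1 distance between two percentage distributions, scaled to
    0..1: 0 means identical shapes, 1 means no overlapping bins at all."""
    bins = set(p) | set(q)
    return 0.5 * sum(abs(p.get(b, 0.0) - q.get(b, 0.0)) for b in bins) / 100.0


def unseen_bins(baseline, recent, min_percent=5.0):
    """Bins with real-time probability but no baseline probability: orange
    bars standing where the graph has no blue bar (assumed 5% floor)."""
    return sorted(b for b, pct in recent.items()
                  if pct >= min_percent and b not in baseline)


if __name__ == "__main__":
    blue = size_distribution(BASELINE_SIZES)
    orange = size_distribution(RECENT_SIZES)
    for b in sorted(set(blue) | set(orange)):
        print(f"{b:>4}-{b + BIN_WIDTH - 1:<4} normal {blue.get(b, 0):5.1f}%  "
              f"real-time {orange.get(b, 0):5.1f}%")
    print(f"distance {total_variation(blue, orange):.2f}, "
          f"new bins {unseen_bins(blue, orange)}")
```

Because the short-term distribution is recalculated every few seconds, a single bin jumping to 80% of requests shows up almost immediately, while the baseline (built from hours of traffic) barely moves; the distance score makes that gap a number you can alert on.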
You can also use CLI to debug. When debugging is required, DefensePro generates a separate file, delivered in text format, aggregating all the CLI commands needed by Radware Technical Support. The file also includes the output of various CLI commands, such as printouts of the Client table, ARP table, and so on.
DefensePro User Guide Administering DefensePro
You can download this file using APSolute Vision and send it to Radware Technical Support (see Downloading a Device’s Configuration File, page 245).
CLI Session Time-Out
With the Session Time-out parameter, you can define how long the console connection with the device remains open despite session inactivity.
The Web Based Management user interface is an easy and fast single device manager, which does not require any installation on a client. When using Web Based Management, on-line help is available from the Radware corporate Web site, or you can specify a custom location for help files.
HTTPS. To provide customers with the capability to develop enhanced application monitoring, customized application delivery network management applications and advanced automation tools, Radware provides Web Service interfaces on DefensePro with APSolute API, an open standards-based SOAP (XML) API.
2. Configuring and monitoring the devices via SOAP commands that mirror Radware's SNMP MIB. The following types of command are available:
   — For a scalar MIB parameter, retrieve (get) the value and change (set) the value.
Document ID: RDWR-DP-V0602_UG1201
Appendix A – Behavioral DoS Advanced Settings
This appendix describes Footprint Bypass types according to protocol. For more information, see Configuring BDoS Footprint Bypass, page 124.
TCP Protocols
Bypass Type: Description
Sequence Number: Sequence number value from the relevant TCP packet header.
ID Number: ID Number from the IP packet header.
ICMP
Bypass Type: Description
Source IP: Source IP address of the generated attack.
Source IP IPv6: Source IPv6 address of the generated attack.
Type of Service: Type of Service value from the IP packet header.
Packet Size: Size of the packet in bytes, including the data-link header.
Bypass Type: Description
Sequence Number: Sequence number value from the TCP packet header.
ID Number: ID Number from the IP packet header.
ID Number IPv6: ID Number from the IP packet header.
Source Port: Source port of the generated attack.
TCP Fragmentation
Bypass Type: Description
Destination Port: Destination TCP port of the attack.
Destination IP: Destination IP address of the attack.
Destination IP IPv6: Destination IPv6 address of the attack.
Fragment: A fragmented packet (TCP Fragmentation).
Time-To-Live: Time-To-Live value in the IP packet header.
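The following is an added example, not Radware code, that extracts from a raw IPv4 packet the header fields Appendix A lists as Footprint Bypass types (IP ID number, Time-To-Live, Type of Service, source and destination IP and port, TCP sequence number, packet size) together with the Fragmentation Flag from the BDoS attack details, and then shows what bypassing a type does to the footprint: the bypassed field is simply never part of the blocking key. The packet is constructed with struct; reading the Fragmentation Flag as the IP Don't Fragment bit and counting a 14-byte Ethernet header as the data-link header are assumptions.

```python
"""Added example (not Radware code): parse the footprint candidate fields of
Appendix A from a constructed IPv4/TCP packet and apply a bypass list.
DF-bit interpretation and the 14-byte Ethernet header are assumptions."""
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"   # ver/IHL, ToS, total len, ID, flags+frag, TTL, proto, csum, src, dst
DF_BIT = 0x4000            # "Don't Fragment" bit in the flags/fragment-offset field
DATALINK_HDR_LEN = 14      # assumed Ethernet II header, not part of the IP datagram


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, ip_id=0x1234,
                   ttl=64, tos=0, df=True, payload=b""):
    """Constructed IPv4 + TCP SYN packet (no data-link header, zero checksums)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(IP_HDR, 0x45, tos, total_len, ip_id,
                         DF_BIT if df else 0, ttl, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                          5 << 4, 0x02, 65535, 0, 0)   # data offset 5, SYN flag
    return ip_hdr + tcp_hdr + payload


def footprint_fields(pkt):
    """Extract the candidate footprint characteristics from an IPv4 packet."""
    (ver_ihl, tos, _total_len, ip_id, flags_frag, ttl,
     proto, _csum, src, dst) = struct.unpack(IP_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("only IPv4 is handled here")
    ihl = (ver_ihl & 0x0F) * 4
    fields = {
        "protocol": proto,
        "id_number": ip_id,
        "time_to_live": ttl,
        "type_of_service": tos,
        "source_ip": socket.inet_ntoa(src),
        "destination_ip": socket.inet_ntoa(dst),
        # 0: fragmentation allowed, 1: not allowed (as in the BDoS attack details)
        "fragmentation_flag": 1 if flags_frag & DF_BIT else 0,
        "packet_size": len(pkt) + DATALINK_HDR_LEN,
    }
    if proto == 6 and len(pkt) >= ihl + 8:          # TCP: ports and sequence number
        sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
        fields.update(source_port=sport, destination_port=dport, sequence_number=seq)
    elif proto == 17 and len(pkt) >= ihl + 4:       # UDP: ports only
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        fields.update(source_port=sport, destination_port=dport)
    return fields


def build_footprint(fields, bypass=()):
    """A footprint is the set of characteristics the attack is blocked on;
    every bypassed type is dropped so the rule never keys on it."""
    return {k: v for k, v in fields.items() if k not in set(bypass)}


if __name__ == "__main__":
    pkt = build_ipv4_tcp("10.0.0.1", "192.0.2.10", 40000, 80, 0xDEADBEEF, tos=0x10)
    fields = footprint_fields(pkt)
    print(fields)
    # Bypass TTL and IP ID: flood tools randomise both, so they make poor keys.
    print(build_footprint(fields, bypass=("time_to_live", "id_number")))
```

Bypassing a type is the right call when an attacker randomises that field (a footprint built on a random IP ID would never match twice) or when legitimate traffic shares it with the attack (bypassing Destination Port on a Web server, where port 80 identifies nothing); either way the blocking rule is narrowed to the fields that actually separate attack packets from the rest.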
Note: This solution is deprecated. DefensePro, in conjunction with Radware’s AppXcel, can inspect SSL-encrypted sessions and protect SSL tunnels from attacks. When a session is encrypted using SSL, an IPS/IDS device based on signature matching cannot inspect the secured traffic. DefensePro passively inspects SSL-encrypted sessions.
DefensePro User Guide Configuring SSL-Based Protection with AppXcel
… Destination Port 3, then for traffic in the opposite direction, the Source Port is 3 while the Destination Port must be defined (1 or 2).
To configure SSL inspection
1. In the Configuration perspective Networking tab navigation pane, select SSL Inspection.
2.
Appendix C – Troubleshooting If the device does not operate as expected, you can diagnose the system or provide Radware Technical Support with relevant information. For troubleshooting hardware-related issues, see the Radware Installation and Maintenance Guide. This appendix contains the following sections: •...
To configure the Capture Tool using Web Based Management
1. Select Services > Diagnostics > Capture > Parameters. The Capture Tool Configuration pane is displayed.
2. Configure the parameters, and then click Set.
Capture Tool Configuration Parameters
Parameter: Description
Status: …
This section contains the following topics:
• Trace-Log Tool Configuration, page 317
• Diagnostics Trace-Log Message Format, page 317
• Trace-Log Modules, page 318
Trace-Log Tool Configuration
To configure the Trace-Log tool using Web Based Management
1.
Diagnostics Trace-Log Message Format Parameters
Parameter: Description
Date: Specifies whether the date on which the message was generated is included in the Trace-Log message.
Time: Specifies whether the time at which the message was generated is included in the Trace-Log message.
Column: Description
Severity: The lowest severity of the events that the Trace-Log includes for this module. Values: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug.
2. Click the relevant link. The Trace-Log Modules Update pane is displayed.
3.
To download or delete Trace-Log data using Web Based Management
1. Select Services > Diagnostics > Files. The Diagnostic Tools Files Management pane is displayed. The pane contains two tables, Files On RAM Drive and Files On Main Flash. Each table comprises the following columns:
Parameter: Description
Diagnostics Policies Parameters
Parameter: Description
Destination: The destination IP address or predefined class object whose packets the policy classifies (that is, captures). Default: any (the diagnostics tool classifies, that is captures, packets with any destination address).
Source: The source IP address or predefined class object whose packets the policy classifies (that is, captures).
Radware Technical Support to help diagnose problems. Using the CLI, the technical-support file includes the following: • The data that Radware Technical Support typically needs to diagnose a problem with a DefensePro device—The data comprises the collected output from various CLI commands. •...
To generate and download the technical-support file using Web Based Management
1. Select File > Support. The Download Tech Support Info File pane is displayed.
2. Click Set. A File Download dialog box opens.
3. Click Open or Save and specify the required information.
Appendix D – Predefined Basic Filters The following table lists predefined basic filters that DefensePro supports. The list may vary depending on the product version. You can view the entire list of basic filters and their properties in the Modify Basic Filter Table pane (using Web Based Management, Classes > Modify Services > Basic Filters).
Table 148: Predefined Basic Filters
Columns: Name, Description, Protocol, OMPC Offset, OMPC Mask
IP precedence (ToS) filters, OMPC mask e0000000: Routine, Priority, Immediate, Flash, Flash Override, CRITIC/ECP, Internetwork Control, Network Control
aim-aol-any: AIM/AOL Instant Messenger, OMPC mask ffff0000
aol-msg: AOL Instant…
hdc1: High Drop Class 1, OMPC mask fc000000
hdc2: High Drop Class 2, OMPC mask fc000000
hdc3: High Drop Class 3, OMPC mask fc000000
hdc4: High Drop Class 4, OMPC mask fc000000
http: World Wide Web HTTP…
kazaa_request_file_1: Kazaa_Request_File, OMPC mask ffffffff
kazaa_request_file_2: Kazaa_Request_File, OMPC mask ffff0000
kazaa_udp_packet_0: Kazaa_UDP_Packet, OMPC mask ffffffff
kazaa_udp_packet_1: Kazaa_UDP_Packet, OMPC mask ffff0000
ldap: LDAP
ldaps: LDAPS
ldc1: Low Drop Class 1, OMPC mask fc000000
ldc2: Low Drop Class 2, OMPC mask fc000000…
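The following is an added example, not Radware code, of how an OMPC (Offset, Mask, Pattern, Condition) basic filter is evaluated against a packet, using the two ToS masks that appear in Table 148: e0000000 selects the top three bits of the ToS byte (IP precedence, which is why the eight precedence names Routine through Network Control share it) and fc000000 selects the top six bits (DSCP, used by the drop-class filters). The offset (1, so that the ToS byte lands in the most significant byte of the 4-byte window), the patterns (RFC 791 precedence values; ldc1 assumed to be AF11, DSCP 10) and the condition names are assumptions, because those columns are not in the extract.

```python
"""Added example (not Radware code): an Offset-Mask-Pattern-Condition
matcher with assumed definitions for the ToS precedence filters and ldc1.
Masks e0000000 and fc000000 are from Table 148; offsets, patterns and
condition names are assumptions."""


def ompc_match(packet, offset, mask, pattern, condition="equal"):
    """Evaluate one OMPC: read a 32-bit window at `offset`, AND it with `mask`
    and compare it with the (masked) `pattern` under `condition`."""
    window = packet[offset:offset + 4]
    if len(window) < 4:            # too short to evaluate: never matches
        return False
    value = int.from_bytes(window, "big") & mask
    target = pattern & mask
    if condition == "equal":
        return value == target
    if condition == "not_equal":
        return value != target
    if condition == "greater":
        return value > target
    if condition == "less":
        return value < target
    raise ValueError(f"unknown condition {condition!r}")


# Assumed filter definitions: (name, offset, mask, pattern). Precedence
# patterns are the RFC 791 values placed in the top 3 bits of the ToS byte;
# ldc1 is assumed to be AF11 (DSCP 10 -> 0x28 in the ToS byte).
PRECEDENCE = ["Routine", "Priority", "Immediate", "Flash", "Flash Override",
              "CRITIC/ECP", "Internetwork Control", "Network Control"]
FILTERS = [(name, 1, 0xE0000000, (i << 5) << 24) for i, name in enumerate(PRECEDENCE)]
FILTERS.append(("ldc1", 1, 0xFC000000, 0x28 << 24))


def ipv4_header(tos):
    """Constructed minimal 20-byte IPv4 header carrying the given ToS byte."""
    return bytes([0x45, tos]) + bytes(18)


def matching_filters(packet, filters=FILTERS):
    """Names of every basic filter whose OMPC the packet satisfies."""
    return [name for name, off, mask, pat in filters
            if ompc_match(packet, off, mask, pat)]


if __name__ == "__main__":
    for tos in (0x00, 0x28, 0xA0):
        print(f"ToS 0x{tos:02x}: {matching_filters(ipv4_header(tos))}")
```

The same machinery, with the ffff0000 and ffffffff masks, is how the application filters in the table (the Kazaa or AIM entries) match a 2- or 4-byte signature at a fixed offset into the payload; a mask narrower than the window is what lets one filter ignore bytes that vary between packets.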
A Radware glossary is intended to be a list of specialized words with their definitions that are used in the Radware technical environment. Some of the words belong to the public domain, and some are Radware-specific, but all are used in the Radware documentation, whether hardcopy or online.
Intrusion: An intrusion is an attempted or successful access to system resources in any unauthorized manner.
Intrusion Detection System (IDS): Radware’s Intrusion Detection System (IDS) applies the latest security or attack expertise to filter out potentially destructive/malicious events from a much larger amount of legitimate activity.
Server Cracking Protection: Radware’s Server Cracking Protection is a behavioral server-based technology that detects and prevents both known and unknown application scans and brute-force attacks. This behavioral protection is part of Radware’s DefensePro Full Spectrum Protection Technology. The technology includes:
• An adaptive behavioral network-based protection that mitigates network DoS and DDoS attacks
• …
DefensePro User Guide Glossary
Term: Definition
Server, Reporting: A reporting server is the component responsible for running the required services to display reports to the end user. It may contain a Web server and provide services for both Eclipse and Web interfaces.
Service: A feature that provides protection against a set of attacks.
SYN flood: A SYN attack/flood is a type of DoS (Denial of Service) attack. SYN flood attacks are performed by sending SYN packets without completing the TCP three-way handshake, referred to as a single-packet attack. Alternatively, the TCP three-way handshake can be completed, but no data packets are sent afterwards.