LinkProof User Guide
Software Version 5.22
Document ID: 8261
July, 2008
Important Notice
This guide is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2006 - 2007. All rights reserved.
The copyright and all other intellectual property rights and trade secrets included in this guide are
owned by Radware Ltd.
The user guide is provided to Radware customers for the sole purpose of obtaining information
with respect to the installation and management and operation of the LinkProof product, and may
not be used for any other purpose.
The information contained in this guide is proprietary to Radware and must be kept in strict
confidence.
It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof
without the prior written consent of Radware.
Copyright Notices
This product contains code developed by the OpenSSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit (http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
This product contains the Rijndael cipher
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the
public domain and distributed with the following license:
@version 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
This code is hereby placed in the public domain.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
This product contains code developed by the OpenBSD Project
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to
endorse or promote products derived from this software without specific prior written
permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes software developed by Markus Friedl
This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials
provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
Safety Instructions
CAUTION
Due to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures
that involve opening panels or changing components must be performed by qualified service
personnel only.
To reduce the risk of fire and electrical shock, disconnect the device from the power line before
removing cover or panels.
SERVICING
Do not perform any servicing other than that contained in the operating instructions unless
you are qualified to do so. There are no serviceable parts inside the unit.
HIGH VOLTAGE
Any adjustment, maintenance, and repair of the opened instrument under voltage should be
avoided as much as possible and, when inevitable, should be carried out only by a skilled
person who is aware of the hazard involved.
Capacitors inside the instrument may still be charged even if the instrument has been
disconnected from its source of supply.
GROUNDING
Before connecting this device to the power line, the protective earth terminals of this device
must be connected to the protective conductor of the (mains) power cord. The mains plug
shall only be inserted in a socket outlet provided with a protective earth contact.
Do not use an extension cord (power cable) without a protective conductor (grounding).
LASER
This equipment is a Class 1 Laser Product in accordance with the IEC 60825-1:1993 +
A1:1997 + A2:2001 Standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used
for replacement. The use of repaired fuses and the short-circuiting of fuse holders must be
avoided. Whenever it is likely that the protection offered by fuses has been impaired, the
instrument must be made inoperative and be secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, make sure the voltage of the power
source matches the requirements of the instrument. Refer to the Specifications for
information about the correct power rating for the device.
TRADEMARKS
LinkProof and APSolute Insite are trade names of Radware Ltd. This document contains
trademarks registered by their respective companies.
SPECIFICATION CHANGES
Specifications are subject to change without notice.
Note:
This equipment has been tested and found to comply with the limits for a
Class A digital device pursuant to Part 15 of the FCC Rules and EN55022 Class
A, EN 50082-1 For CE MARK Compliance. These limits are designed to provide
reasonable protection against harmful interference when the equipment is
operated in a commercial environment. This equipment generates, uses and
can radiate radio frequency energy and, if not installed and used in
accordance with the instruction manual, may cause harmful interference to
radio communications. Operation of this equipment in a residential area is
likely to cause harmful interference in which case the user will be required to
correct the interference at his own expense.
Special Notice for North American Users
For North American power connection, select a power supply cord that is UL Listed and CSA
Certified, 3-conductor, 18 AWG, terminated in a molded-on plug cap rated 125 V, 5 A,
with a minimum length of 1.5 m (six feet) but no longer than 4.5 m. For European
connection, select a power supply cord that is internationally harmonized and marked
"<HAR>", 3-conductor, 0.75 mm² minimum wire, rated 300 V, with a PVC insulated
jacket. The cord must have a molded-on plug cap rated 250 V, 3 A.
RESTRICT AREA ACCESS
The DC powered equipment should only be installed in a Restricted Access Area.
INSTALLATION CODES
This device must be installed according to country national electrical codes. For North
America, equipment must be installed in accordance to the US National Electrical Code,
Articles 110-16, 110-17, and 110-18 and the Canadian Electrical Code, Section 12.
INTERCONNECTION OF UNITS
Cables for connecting to the unit RS232 and Ethernet interfaces must be UL certified
type DP-1 or DP-2. (Note: when residing in a non-LPS circuit.)
OVERCURRENT PROTECTION
A readily accessible listed branch-circuit over current protective device rated 15 A must be
incorporated in the building wiring.
DC POWER CONNECTION
1. The equipment shall be connected directly to the DC Supply System earthing electric
conductor.
2. All equipment in the immediate vicinity shall be earthed in the same way, and shall not
be earthed elsewhere.The DC supply system is to be local, i.e. within the same premises
as the equipment.
3. There shall be no disconnect device between the earthed circuit conductor of the DC
source (return) and the point of connection of the earthing electrode conductor.
REPLACEABLE BATTERIES
If equipment is provided with a replaceable battery, and is replaced by an incorrect battery
type, then an explosion may occur. This is the case for some Lithium batteries and the
following is applicable:
• If the battery is placed in an Operator Access Area, there is a marking close to the
battery or a statement in both the operating and service instructions.
• If the battery is placed elsewhere in the equipment, there is a marking close to the
battery or a statement in the service instructions.
This marking or statement includes the following text warning:
CAUTION
RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE.
DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
Caution - To Reduce the Risk of Electrical Shock and Fire
1. This equipment is designed to permit connection between the earthed conductor of the
DC supply circuit and the earthing conductor of the equipment. See Installation Instructions.
2. All servicing should be undertaken only by qualified service personnel. There are no
user serviceable parts inside the unit.
3. DO NOT plug in, turn on or attempt to operate an obviously damaged unit.
4. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.
5. Replace a blown fuse ONLY with the same type and rating as is marked on the safety
label adjacent to the power inlet housing the fuse.
6. Do not operate the device in a location where the maximum ambient temperature
exceeds 40 °C / 104 °F.
7. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to
remove and/or check the main power fuse.
Attention: To Reduce the Risks of Electrocution and Fire (French notice)
1. All maintenance operations shall be performed ONLY by qualified maintenance
personnel. No component can be maintained or replaced by the user.
2. DO NOT connect, power on or attempt to use a unit that is obviously defective.
3. Make sure that the chassis ventilation openings are NOT OBSTRUCTED.
4. Replace a blown fuse ONLY with a fuse of the same type and rating, as indicated on the
safety label close to the power inlet that houses the fuse.
5. DO NOT USE the equipment in rooms whose maximum temperature exceeds 40 °C.
6. Make sure that the power cord has been disconnected BEFORE attempting to remove
and/or check the main power fuse.
Measures for Protection Against Electric Shock and Fire (German notice)
1. All maintenance work should be carried out exclusively by trained maintenance
personnel. No parts inside the device may be serviced by the user.
2. Obviously defective or damaged devices must not be connected, switched on or put
into operation.
3. Make sure that the ventilation slots on the device are not blocked.
4. Replace a defective fuse only with fuses as specified on the safety label.
5. Do not operate the device in rooms with temperatures above 40 °C.
6. Disconnect the power cable from the outlet before checking or replacing the main
fuse.
About This Guide
The LinkProof User Guide is intended for system administrators and network installers who
are responsible for maintaining and configuring the network.
This user guide is designed to provide you with in-depth knowledge of LinkProof that
will enable you to incorporate and configure LinkProof into your network. Each chapter
provides feature overviews and step-by-step configuration instructions, as well as configuration
examples where appropriate.
— Chapter 1 - Introduction and Overview: This chapter explains how LinkProof is used
to improve quality of service and to optimize utilization of existing resources, describes
LinkProof's capabilities, and gives a brief description of its main characteristics.
— Chapter 2 - Device Management: This chapter provides information about LinkProof
management and maintenance processes. It describes the management interfaces and the
methods by which LinkProof devices are accessed, configured and operated.
— Chapter 3 - Basic Switching & Routing: This chapter provides theoretical explanations
about switching and routing in general, describes how LinkProof participates in switching and
routing, and presents several aspects of the practical implementation of LinkProof.
— Chapter 4 - Basic Application Switching: This chapter introduces the farm
management concept and guides you through the farm-related features. It also provides
examples of common application switching and load balancing configurations.
— Chapter 5 - Advanced Features: This chapter presents LinkProof's advanced
capabilities and provides common configuration examples of the described features.
— Chapter 6 - Redundancy: This chapter introduces the redundancy concept and
provides examples of common LinkProof redundancy configurations.
— Chapter 7 - Security: This chapter provides a general overview of the SynApps Security
modules and their sub-modules, explains the signatures database and the Radware Security
Update Service (SUS), and explains the tuning process.
— Chapter 8 - Bandwidth Management: This chapter presents the capabilities of the
Bandwidth Management module, including BWM classes and BWM policies, and provides
example configurations.
— Chapter 9 - Health Monitoring: This chapter describes the LinkProof Health
Monitoring module included in the Radware SynApps architecture.
— Chapter 10 - Application Switching Platforms: This chapter describes Radware's
Application Switching Platforms and their device management, and includes a list of
specifications, the serial cable pin assignment and a troubleshooting section.
— Appendix A - Glossary: The glossary explains terms and concepts used in network
configurations.
— Appendix B - Loopback Interfaces: This appendix describes how different operating
systems differ when configuring loopback aliases.
— Appendix C - Regular Expressions: This appendix provides an overview of the basic
syntax of regular expressions used in LinkProof modules.
— Index.
Document Conventions
This guide uses the following documentation conventions:
• Command paths in the GUI are presented as: File > Save As.
• Windows systems use a two-button mouse. To drag and drop an object, click and hold
the left mouse button on the object, drag the object to the target location, then release
the button.
• Screen displays can differ slightly from those included in this guide, depending on the
system you use. For example, Microsoft Windows screens are different from X-Windows
screens.
Various icons are used through the document to indicate the following:
Note: Important information that requires additional attention.
Tip: A recommendation, or an optimum way to perform an action.
Configuration Guidelines: General description of the configuration
process.
To Statement: Detailed operating instructions that explain the step by
step configuration process.
Example: An example configuration of an actual scenario.
Table of Contents
Important Notice ......................................................................... 3
Copyright Notices ....................................................................... 3
Safety Instructions ...................................................................... 5
About This Guide ........................................................................ 7
Document Conventions .............................................................. 8
Chapter 1 - Introduction .................................................... 19
Introducing LinkProof ............................................................... 19
LinkProof Overview ..................................................... 19
LinkProof Main Concepts ............................................... 20
The Role of LinkProof in the Network .................................. 22
LinkProof Products ..................................................... 22
LinkProof Modules Overview .................................................... 22
LinkProof Modules ...................................................................... 22
Management Tools ..................................................................... 24
Chapter 2 - Device Management...................................... 25
Configuring Device IP Host Parameters ................................... 25
Device IP Host Parameters Introduction ..................................... 25
Erasing the Configuration file ...................................................... 28
Device Configuration Options ................................................... 28
Management Interfaces .................................................. 29
Configuring SNMP ....................................................... 29
Telnet and SSH ......................................................... 41
Ping Physical Port Permissions ......................................... 43
APSolute Insite ........................................................ 43
Command Line Interface ................................................. 43
Web Based Management ................................................... 45
Device Security ........................................................................ 45
Bandwidth Management Access ................................................. 46
Users Table ................................................................................. 46
RADIUS Authentication ............................................................... 47
Version Management and Device Upgrading ........................... 48
Introducing Upgrades ................................................... 49
Software Version Update ................................................ 49
Saving and Restoring Configuration Files ............................... 52
Upgrading Licenses ..................................................... 53
Upgrading Boot Versions ................................................ 55
Resetting Devices ...................................................... 56
Device Tuning ......................................................................... 56
Tuning Tables Introduction .......................................................... 56
Tuning Memory Check ................................................................ 65
Device Notifications ................................................................. 65
Notifications - General ................................................................. 65
E-mail Notification ....................................................................... 66
Utilities ..................................................................................... 66
DNS Client .................................................................................. 67
Chapter 3 - Basic Switching & Routing ............................ 69
Port Settings ............................................................................ 69
Port Mirroring ......................................................... 69
Port Trunking .......................................................... 70
Port Rules ............................................................. 72
Port Load Balancing Status ............................................. 72
Virtual LAN .............................................................................. 72
What is a Virtual LAN? ................................................. 72
LinkProof VLAN Types ................................................... 72
Bridging ............................................................... 73
VLAN Configuration ..................................................... 74
Redundancy ............................................................. 76
VLAN Tagging ......................................................................... 76
VLAN Tagging Support ............................................................... 76
Using VLAN Tagging ................................................................... 76
VLAN Tagging Enhancements .................................................... 78
IP Addressing & Routing ......................................................... 78
IP Addressing .......................................................... 79
Routing ................................................................ 79
Routing Information Protocol ........................................... 80
Open Shortest Path First ............................................... 82
Chapter 4 - Basic Application Switching ......................... 83
LinkProof Multihoming Overview ............................................. 83
Cluster Support ........................................................................ 86
Farm Management .................................................................. 88
Farm Concept ........................................................... 88
Farm Load Balancing .................................................... 89
Router Farm Load Balancing ............................................. 94
Firewall Farm Load Balancing ........................................... 95
Default Farm ........................................................... 99
Farm Connectivity Checks ............................................... 99
Server Management .............................................................. 100
Servers Overview ...................................................................... 100
Farm Servers ............................................................................ 101
Server Parameters .................................................................... 101
Physical Servers ........................................................................ 103
Network Address Translation ................................................ 105
Network Address Translation (SmartNAT) - Introduction ................. 106
Dynamic NAT ........................................................... 107
Static NAT ............................................................ 108
No NAT ................................................................ 109
Basic NAT ............................................................. 110
One IP Support ........................................................ 111
Static Port Address Translation ....................................... 112
Proximity ................................................................................ 115
Proximity Introduction ................................................................ 116
Proximity Configuration ............................................................. 116
DNS ....................................................................................... 118
DNS Introduction ...................................................... 118
Mapping URLs to local IP Addresses .................................... 119
DNS Response Parameters ............................................... 120
DNS for Local Users ................................................... 120
DNS Redundancy ........................................................ 122
DNS Client ............................................................ 122
Basic Load Balancing ............................................................ 123
Simple Router Load Balancing Configuration ............................ 123
Simple Router Load Balancing Configuration with VLAN .................. 127
One-leg (lollipop) Configuration ...................................... 131
Sandwich Configuration ................................................ 136
Single Device Installation ............................................ 143
Flow Management ................................................................. 146
Flow Concept ............................................................................ 146
Flow Policies ............................................................................. 147
Typical Flow Configurations ...................................................... 148
VPN Load Balancing ............................................................. 154
Multicast Dispatch ..................................................................... 156
Clear Client Table ...................................................................... 157
Client Table Overwrite ............................................................... 158
Client Table ........................................................................... 159
Client Table Management ......................................................... 159
Client Table Global Parameters ................................................ 163
Client Table Views ..................................................................... 166
Chapter 5 - Advanced Features ...................................... 169
Content Load Balancing ........................................................ 169
Content Load Balancing Overview ............................................ 169
Content Load Balancing Configuration ...................................... 171
Content Rule Configuration Example ........................................ 174
Virtual Tunneling .................................................................... 179
Virtual Tunneling Introduction ................................................... 179
Virtual Tunneling Terms ............................................................ 181
Virtual Tunneling Configuration ................................................. 181
Integrated VPN Gateway ....................................................... 188
Integrated VPN Gateway Introduction ....................................... 189
IPSec ......................................................................................... 189
Configuring VPN Gateways ...................................................... 191
Cost Based Load Balancing .................................................. 194
Data Compression ................................................................. 196
Data Compression Overview .................................................... 196
Chapter 6 - Redundancy .................................................. 203
LinkProof Redundancy .......................................................... 203
Introducing LinkProof Redundancy ...................................... 203
Active / Backup Setup ................................................. 204
Interface Grouping .................................................... 205
Mirroring ............................................................. 206
Proprietary ARP Redundancy ............................................... 207
Proprietary ARP ........................................................................ 207
Backup Fake ARP ..................................................................... 208
Advanced Forwarding ............................................................... 213
VRRP Redundancy ............................................................... 213
Introducing VRRP ...................................................... 213
VRRP Redundancy Notes ................................................. 215
VRRP nxn Redundancy ................................................... 219
Direct Server Connection with VRRP .................................... 219
Chapter 7 - Security ......................................................... 231
Security Overview ................................................................. 231
Security Introduction ................................................................. 231
Security Modules ....................................................................... 232
Configuring Security Modules ................................................... 234
Configuring Security Policies .................................................... 235
Enabling Protection and Setting up General Security Parameters 235
Defining Connectivity ................................................................ 239
Intrusions ............................................................................... 241
Introduction to Intrusions ........................................................... 241
Intrusion Prevention Profiles ..................................................... 246
How to use the Intrusion Prevention Module ............................ 246
Creating a New User Defined Intrusion Prevention Profile ....... 255
DoS/DDoS ............................................................................. 258
Introduction to DoS/DDoS ......................................................... 258
DoS Shield Profiles ................................................................... 259
Application Security Profiles ...................................................... 270
SYN Flood Protection ............................................................ 275
Introduction to SYN Flood Protection ........................................ 275
Before Setting Up SYN Flood Protection .................................. 277
SYN Flood Protection General Settings .................................... 278
Creating Custom SYN Attacks .................................................. 280
SYN Flood Reporting ................................................................ 283
Protocol Anomalies ................................................................ 283
Introduction to Protocol Anomalies ............................................ 284
How to Use the Anomalies Module ........................................... 284
Stateful Inspection ..................................................................... 290
Anti-Scanning ........................................................................ 293
Introduction to Anti-Scanning .................................................... 293
How to Use the Anti-Scanning Module ...................................... 293
Managing Signatures Database ............................................ 299
Application Security Signature File Update ............................... 299
Manual Update .......................................................................... 299
Downloading and Updating ....................................................... 301
Scheduled Downloading and Updating ..................................... 301
Security Tuning ...................................................................... 305
Tuning Introduction .................................................................... 305
Security Tuning ......................................................................... 306
Session Table Tuning ................................................................ 308
SYN Table Tuning ..................................................................... 309
Security Events ...................................................................... 310
Events and Event Reporting ...................................................... 311
Reporting Channels ................................................................... 311
Security Reports .................................................................... 314
Security Reports Overview ........................................................ 314
Security Reports Main Window ................................................. 316
Generating Attack Reports ........................................................ 320
Attack Logs ................................................................................ 325
Executive Reports ..................................................................... 330
Dashboard ................................................................................. 331
Chapter 8 - Bandwidth Management .............................. 335
Bandwidth Management Overview ....................................... 335
Bandwidth Management Policies .......................................... 336
What is Bandwidth Management Policy? .................................. 337
Bandwidth Management Classification Criteria ......................... 337
Bandwidth Management Rules ................................................. 338
BWM Classes ........................................................................ 340
Services ..................................................................................... 341
Networks ................................................................................... 343
Port Groups ............................................................................... 344
VLAN Tag Groups ..................................................................... 344
BWM Example Configuration ................................................ 344
Protocol Discovery ................................................................. 348
What is Protocol Discovery? ..................................................... 348
Protocol Discovery Policies ....................................................... 349
Interface Classification .......................................................... 349
Port Bandwidth .......................................................................... 350
Interface Classification .............................................................. 350
Chapter 9 - Health Monitoring ....................................... 353
Health Monitoring - Introduction ............................................ 353
Module ...................................................................................... 353
Checked Element ...................................................................... 354
Health Check ............................................................................. 354
Method ...................................................................................... 354
Binding and Groups .................................................................. 354
Health Check Configuration ................................................... 355
Global Configuration ................................................................. 355
Global Parameters Setup .......................................................... 355
Health Checks Database .......................................................... 356
Bindings and Groups ................................................................. 359
Regular Health Check ............................................................... 360
Group Health Check .................................................................. 362
Farm Health Check ................................................................... 363
Health Check Methods .......................................................... 364
Predefined Methods .................................................................. 364
User Defined Methods .............................................................. 372
Chapter 10 - Application Switching Platforms .............. 375
Introduction to Intelligent Application Switches ..................... 375
Application Switch 1 .................................................................. 375
Application Switch 2 .................................................................. 376
Application Switch 3 .................................................................. 376
Application Switch 4 .................................................................. 377
Compact Application Switch ...................................................... 377
Getting Started ...................................................................... 377
Application Switches Physical Description ................................ 378
Compact Application Switch ...................................................... 384
Device Installation ..................................................................... 385
Device Interfaces ................................................................... 387
Boot Level Commands .......................................................... 390
CLI Installation Wizard .......................................................... 392
Application Recovery Procedure ........................................... 396
Specifications ........................................................................ 397
Specification Table .................................................................... 398
Serial Cable Pin Assignment ..................................................... 400
Troubleshooting for AS1 & AS2 ............................................. 400
Appendix A – Glossary.................................................... 403
Commonly Used Terms ......................................................... 403
List of Abbreviations .............................................................. 404
Appendix B – Loopback Interfaces ................................ 407
AIX ......................................................................................... 408
HP-UX ................................................................................... 408
Linux ...................................................................................... 409
Solaris .................................................................................... 410
Windows NT .......................................................................... 410
Appendix C – Regular Expressions ............................... 413
Appendix D – Index .......................................................... 415
Chapter 1 - Introduction
This chapter provides an introduction to LinkProof and explains how LinkProof is used to
improve the quality of service and to optimize utilization of the existing resources. It also
provides an explanation of LinkProof's capabilities and a brief description of its main
characteristics.
This chapter includes the following sections:
• Introducing LinkProof, page 19
• LinkProof Modules Overview, page 22
Introducing LinkProof
This section provides a general introduction to LinkProof and explains the main concepts and
capabilities of LinkProof and its role in the network.
This section includes the following topics:
• LinkProof Overview, page 19
• LinkProof Main Concepts, page 20
• The Role of LinkProof in the Network, page 22
• LinkProof Products, page 22
LinkProof Overview
LinkProof by Radware is an intelligent application switch that manages all links across
multi-homed networks, enabling full link availability, highest link performance and complete
link security for uninterrupted user access to web-enabled applications and cost effective
connectivity at main offices and data centers.
LinkProof eliminates link bottlenecks and failures from enterprise multi-homed networks, for
fault tolerant connectivity and continuous user access to IP applications, web-enabled
databases, online services, corporate web-sites and e-commerce. By intelligently routing
traffic and moderating bandwidth levels across all enterprise links, LinkProof maximizes link
utilization, driving application performance, economically scaling link capacities and
controlling connectivity service costs. Securing all enterprise entry points and cleansing all
link traffic, LinkProof delivers Denial of Service Protection and Intrusion Prevention to
protect distributed applications, resources and users.
Multi-homing Overview
The term "multi-homing" generally refers to a network that utilizes multiple connections to
the Internet, usually through multiple ISPs. Multi-homed networks are increasing in
popularity because they provide networks with better reliability and performance. Better
reliability comes from having more stable networks that are protected in case one of the
Internet links or access routers fails.
The performance gain is a result of the network's bandwidth to the Internet that is the sum
of the bandwidths available through each of the access links. It should be noted, that better
performance is only achieved if all the links are used collectively.
However, a multi-homed network creates various design complexities that involve addressing
schemes, routing protocols, and DNS. It also offers some benefits that are never fully
utilized, such as:
• Even with the most sophisticated routing protocols, true load balancing will never be
achieved through the multiple links for outbound traffic. Any load balancing decisions
that a routing protocol makes will be crude at best, and can be classified as "load
sharing", but nothing more.
• Some Internet resources are better accessible through one ISP rather than another.
Routing protocols may know basic proximity information, but they generally have no
knowledge of dynamic link conditions.
• For inbound traffic, for example, Internet hosts trying to access a Web server on the
multi-homed network, one ISP may provide a better path into the network than another
ISP. Again, there is no way to factor in dynamic link conditions for choosing the best
path into the network at any given time.
LinkProof eliminates all complexities of the multi-homing design, providing a single, easy to
manage "appliance" that intelligently optimizes and utilizes all Internet links.
Multi-Homed Network
LinkProof provides the following advantages for a multi-homed network:
• LinkProof intelligently manages the IP address ranges assigned to the network from
various ISPs.
• LinkProof ensures that all ISP links are optimized by intelligently load balancing all
outgoing traffic through the available links, while at the same time managing the
address spaces used for the outgoing traffic.
• LinkProof uses Radware's patented proximity detection algorithms to choose the best
ISP for outbound traffic.
• LinkProof ensures that all ISP links are used for all incoming traffic, and no address from
a failed ISP link is ever advertised to the Internet.
• LinkProof's proximity detection can also be used to ensure that the optimal path is used
for inbound traffic.
In essence, LinkProof becomes a single, easy to administer, traffic manager for the
multi-homed network, eliminating the complexities of routing protocols and uncertain traffic
patterns. It also optimizes the multiple ISP connections of the multi-homed network to
ensure that all links are used to the best of their potential, thereby making the entire
network more efficient, for inbound and outbound traffic.
In addition to multi-homing, LinkProof can also load balance firewalls and VPN gateways,
thus providing not only continuous but also secure connectivity.
LinkProof Main Concepts
LinkProof performs load balancing of the outgoing and incoming traffic through the access
routers and via the firewall. During this process LinkProof is responsible for the following:
• Forwarding the traffic to a server (router or firewall) that can provide the required
service.
• Selecting the most available server from the servers that provide each required service.
• Ensuring that all the packets of a single request for service are forwarded to the same
server.
Farms
A farm is a group of servers that collectively provide the same service. Servers are grouped
in farms according to the type of service that they provide.
For each service you can define a farm on LinkProof. When a new request for service arrives,
LinkProof identifies the required service and selects the most available server within the
farm that provides this service. In that manner LinkProof optimizes the server operation and
improves the level of the service.
Servers
The purpose of LinkProof is to load balance the traffic that must pass via routers and
firewalls in order to optimize their operation. To achieve this purpose, LinkProof works with
farms of servers. In this way, each service provided by the physical server is represented
by a logical entity on LinkProof, and each logical entity participates in a farm.
Content Rules
A Content Rule is an entity that allows LinkProof to load balance between different farms of
the same type or different servers within the same farm based on HTTP content - MIME
type, URLs, cookies, and so on.
NAT
To save public IP addresses, LinkProof uses Network Address Translation (NAT), which is the
translation of an IP address used within one network to a different IP address known within
another network. NAT is typically used to translate private IP addresses into public IP
addresses. The purpose of NAT is to hide the source IP address. LinkProof incorporates the
following NAT options:
• Static NAT is used to ensure delivery of specific traffic from the WAN to a particular
server on the internal network and hide server IP addresses for outgoing traffic. This
allows all ISP links to be used for all incoming traffic, and no address from a failed ISP
link to ever be advertised to the Internet.
• Dynamic NAT is used to hide IP addresses of internal hosts for outbound traffic.
LinkProof will choose an IP address that is associated with the router/ISP that was
selected for this session. By choosing translated source IP addresses according to the
selected router, return delivery issues will not be encountered.
Proximity
In order to optimize outbound and inbound traffic, LinkProof can also optionally perform
proximity calculations. If an internal host wants to access a specific Web site, it is possible
that the route through one ISP is more efficient than the route through the other ISP for
that specific content. So, LinkProof performs proximity calculations through all available
ISPs to the destination. For future traffic to this destination, LinkProof will choose the best
ISP connection, according to the results derived from these proximity calculations.
Similarly, if an Internet host needs to access an internal resource then it is likely that this
Internet host can get to the multi-homed network more efficiently through one ISP versus
the other. To accomplish this, LinkProof calculates proximity from its network to all networks
with hosts trying to access internal resources.
DNS Load Balancing
To provide load balancing for inbound traffic, LinkProof can take control of particular URLs.
To achieve this, LinkProof must become the authoritative name server for a particular URL
through proper configuration in an organization's master DNS servers. This causes all DNS
queries from the Internet for the particular URL to arrive at LinkProof.
When LinkProof receives a DNS query asking it to resolve a particular URL to an IP address,
it resolves the query to the static NAT address corresponding to the best link available for
the user's request. This means different responses may be provided to different clients
requesting the same URL.
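The NAT, proximity and DNS load balancing concepts above fit together as one decision: pick a healthy link for a session, and make every address the outside world sees (the dynamic NAT source on outbound sessions, the static NAT address returned in a DNS answer) belong to that same link. The following Python model is an added illustration, not Radware code; the ISP names, address ranges, internal addresses, proximity figures and the `select_link` tie-break are all constructed assumptions that stand in for the device's own dispatch and proximity algorithms.

```python
"""Added example: a model of multi-homed link selection with NAT and DNS.

Not Radware code. Link names, address ranges (documentation prefixes), the
internal host addresses and the proximity table are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional


@dataclass
class IspLink:
    """One access router / ISP link in the router farm (constructed model)."""
    name: str
    public_range: IPv4Network      # address block assigned to the site by this ISP
    static_nat_web: IPv4Address    # static NAT address of the internal web server via this link
    healthy: bool = True           # result of health monitoring on this link
    next_dynamic: int = 1          # next host offset handed out by dynamic NAT (constructed)


# Constructed farm of two ISP links.
LINKS: Dict[str, IspLink] = {
    "ISP-A": IspLink("ISP-A", IPv4Network("203.0.113.0/24"), IPv4Address("203.0.113.80")),
    "ISP-B": IspLink("ISP-B", IPv4Network("198.51.100.0/24"), IPv4Address("198.51.100.80")),
}

# Constructed proximity table: measured round-trip time in ms from each link to a
# remote network. Networks without an entry have not been measured yet.
PROXIMITY: Dict[IPv4Network, Dict[str, float]] = {
    IPv4Network("192.0.2.0/24"): {"ISP-A": 120.0, "ISP-B": 35.0},
}


def proximity_for(addr: IPv4Address) -> Optional[Dict[str, float]]:
    """Return the proximity measurements for the network containing addr, if any."""
    for net, table in PROXIMITY.items():
        if addr in net:
            return table
    return None


def select_link(remote: str, links: Dict[str, IspLink] = LINKS) -> IspLink:
    """Choose the ISP link for traffic to or from a remote host.

    Only healthy links are candidates. If proximity has been measured for the
    remote network, the link with the lowest RTT wins; otherwise the first
    healthy link stands in for the dispatch algorithm (assumption)."""
    healthy = [link for link in links.values() if link.healthy]
    if not healthy:
        raise RuntimeError("no healthy ISP link available")
    table = proximity_for(IPv4Address(remote))
    if table:
        measured = [link for link in healthy if link.name in table]
        if measured:
            return min(measured, key=lambda link: table[link.name])
    return healthy[0]


def link_for_address(addr: str, links: Dict[str, IspLink] = LINKS) -> Optional[IspLink]:
    """The link an Internet reply to addr arrives on: the one whose range contains it."""
    for link in links.values():
        if IPv4Address(addr) in link.public_range:
            return link
    return None


def dynamic_nat(src: str, dst: str) -> Dict[str, str]:
    """Outbound session: pick the link, then translate the internal source to an
    address from that link's own range, so the reply returns over the same link."""
    link = select_link(dst)
    translated = link.public_range[link.next_dynamic]
    link.next_dynamic += 1
    return {"link": link.name, "orig_src": src, "nat_src": str(translated), "dst": dst}


def resolve(client: str) -> str:
    """Inbound DNS load balancing: answer with the static NAT address of the best
    healthy link for this client. An address behind a failed link is never given out."""
    return str(select_link(client).static_nat_web)


if __name__ == "__main__":
    print(dynamic_nat("10.0.0.5", "192.0.2.10"))        # source translated into ISP-B's range
    print(resolve("192.0.2.10"), resolve("192.168.77.7"))  # two clients, two different answers
    LINKS["ISP-A"].healthy = False
    print(resolve("192.168.77.7"))                      # ISP-A's address is no longer advertised
```

Two checks worth keeping in mind when reading the output: the translated source of every outbound session must fall inside the range of the link that was selected (`link_for_address` confirms it), and once a link is marked unhealthy no DNS answer may carry that link's static NAT address.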
Redundancy
The LinkProof redundancy mechanism enables you to define a backup LinkProof in case of
failure. Each pair of LinkProofs can function in an Active / Backup Setup. To achieve
redundancy between LinkProof devices, the following methods can be used:
• Proprietary ARP
• VRRP
The Role of LinkProof in the Network
LinkProof is installed in the path of a user community to the Internet. LinkProof must be
defined as default gateway for both inbound and outbound traffic.
LinkProof can be installed into a network as a bridge or as a router. When installed as a
router, LinkProof supports the following protocols:
• RIP
• RIPII
• OSPF
• VRRP
LinkProof Products
The LinkProof family runs on all Application Switch platforms (1, 2 and 3), providing the same
functionality with different performance. For more details on the Application Switch
platforms, please refer to Application Switching Platforms, page 375.
In addition the LinkProof family includes the following models:
• LinkProof Entry Level Product: LinkProof Entry Level is a basic model of the
LinkProof running on the Application Switch I/8FE platform. It supports all functionalities
of the LinkProof family and only differs with regard to its bandwidth limitations.
• LinkProof Branch Product: LinkProof Branch is a model of the LinkProof built on the
Compact Application Switch platform. It supports all functionalities of the LinkProof
family and only differs with regard to its bandwidth limitations.
LinkProof Modules Overview
This section provides a general overview of LinkProof capabilities, including a general
description of the modules that LinkProof comprises, as well as an explanation of the
management tools that allow you to manage the LinkProof device.
This section includes the following topics:
• LinkProof Modules, page 22
• Management Tools, page 24
LinkProof Modules
In order to provide high availability, optimal performance and maximum-security levels,
LinkProof offers a solution that successfully combines powerful functional modules.
LinkProof's advanced Health Monitoring guarantees availability of the entire transaction
path.
The Traffic Redirection module works closely with the Health Monitoring module and
performs Layer 4-7 switching based on resource availability. Traffic Redirection optimizes
the usage of the routers by applying intelligent dispatching algorithms. In case of failures of
any of the network elements, Traffic Management allows the traffic to bypass faulty
elements. Thus, optimization and full utilization of the existing resources guarantee 24/7
application availability, security, provide high performance and translate into better return
on investment.
Further optimization of network resources is performed by the means of Bandwidth
Management. This module allows you to translate your business strategy and priorities into
Bandwidth Management policies. For example, you can assign high priority to mission
critical applications such as ERP and CRM, while limiting the bandwidth consumption of
non-business applications like KAZAA and e-donkey.
The explosion in the number of application level attacks that tunnel their way into
organizations' networks through firewalls causes severe losses by compromising the
availability and the performance of mission critical applications. The advanced Security
modules constitute an integral part of the LinkProof intelligent application switching process,
providing protection against various attacks, worms, and viruses.
Health Monitoring
The Health Monitoring module constantly checks the health of the entire transaction path.
This includes the availability of all the network elements required for the successful
transaction completion, such as routers, servers, applications, and so on.
The Health Monitoring module provides you with the flexibility to create any type of Layer 2 -
Layer 7 health check on any network element. Using the wide variety of predefined health
checks enables easy customizing to meet the requirements of your network.
Traffic Redirection
The Traffic Redirection module provides Layer 4 - Layer 7 switching capability. This module
performs server selection in a local farm on the basis of availability, load and content
considerations.
To select a server within a local farm, LinkProof uses various dispatch algorithms based on
traffic load of the servers and available server resources. When it is required, you can define
server persistency. In that case all the sessions with same predefined characteristics are
forwarded to the same server.
A variety of traffic settings available in the Traffic Redirection module allows you to optimize
the process according to the conditions of your network environment and to maximize
utilization of the existing resources.
With Traffic Redirection, you can add network elements without any service interruption and
in that manner achieve transparent scalability.
Bandwidth Management
The Bandwidth Management module allows administrators to have full control over their
available bandwidth. Using the Bandwidth Management module Radware devices can
classify traffic that passes through them according to pre-defined criteria and can enforce a
set of actions on that traffic.
Bandwidth Management enables you to differentiate or classify user traffic according to a
wide array of criteria and then apply to each classified packet or session the user-defined
action: either block traffic or shape traffic. For example, bandwidth management allows you
to give HTTP traffic a higher priority over SMTP traffic, which in turn may have higher
priority over FTP traffic. At the same time, the device can track the actual bandwidth used
by each application and set limits as to how much each classified traffic pattern can utilize,
see Bandwidth Management, page 335.
Security
The Security modules detect, block and prevent application attacks, thereby protecting
against viruses, worms, DoS and intrusions for immediate high capacity application security.
These modules provide secure Internet connectivity with high performance, maintaining the
legitimate traffic of end users and customers.
Using the Security modules, LinkProof performs deep packet inspection at multi-Gigabit
speed, to provide security from the network layer up to the application layer, see Security,
page 231.
The multi-layer security approach combines a set of security services for attack detection
with advanced mitigation tools, such as:
• Application Security
• DoS Shield
• SYN Flood Protection
Management Tools
All network elements can be managed and monitored by the network management system,
APSolute Insite that allows you to manage your network using a user friendly GUI. APSolute
Insite provides you with a comprehensive perspective in configuring the Intelligent
Application Switching (IAS) environment by managing the site through a graphical
representation.
Once the site configuration appears in a graphic form, configuration is significantly more
intuitive and relationships between IAS devices and related network elements can be
understood with ease. Connecting elements through the site map, relieves the
administrators from having to set parameters of related network elements, for example
firewalls and other security devices, more than once, when a new device is connected to the
same network elements.
In addition to APSolute Insite that allows you to manage the entire network, you can control
a single LinkProof device using:
• Web Based Management (WBM), using HTTP or HTTPS.
• Command Line Interface (CLI), using Telnet, SSH, or Console access.
Chapter 2 - Device Management
This chapter provides an explanation of the LinkProof management and maintenance
processes. This chapter describes the management interfaces and methods by which
LinkProof devices are accessed, configured and operated.
The maintenance procedures presented here include information about upgrading and
tuning of LinkProof devices. Also provided in this chapter is an explanation of system
notifications regarding possible system failures.
This chapter includes the following sections:
• Configuring Device IP Host Parameters, page 25
• Device Configuration Options, page 28
• Device Security, page 45
• Version Management and Device Upgrading, page 48
• Device Tuning, page 56
• Device Notifications, page 65
• Utilities, page 66
Configuring Device IP Host Parameters
This section explains how to establish connection with the device as well as how to erase the
configuration file.
This section includes the following topics:
• Device IP Host Parameters Introduction, page 25
• Erasing the Configuration file, page 28
Device IP Host Parameters Introduction
The Device IP host parameters enable you to establish communication with the device via:
• Web Based Management
• SNMP (Simple Network Management Protocol)
• Network Management Station (NMS)
• Telnet
• SSH Client
To manually configure the device's IP host parameters for the first time:
To manually configure the device's IP host parameters on the Application Switch I and
Application Switch II platforms:
1. Connect the serial console to the device. Open a terminal emulation program with the
following parameters:
Bits per second: 19200
Data bits: 8
Parity: None
Stop bits: 1
Flow Control: None
2. Ensure that the ASCII terminal is connected to the device.
3. Turn on the power to the device. After the boot process is complete, the startup menu
appears. Select the @ symbol to access the Startup Configuration window, shown below in
Table 1 on page 26.
Table 1: Startup Configuration
#    Description                  Enable
0    IP Address
1    IP subnet mask
2    Port number
3    Default router IP address
4    RIP version                  (0,1,2) [0]
5    Enable OSPF                  (y/n) [n]
6    OSPF area ID
7    User Name
8    User Password
9    Enable Web Access            (y/n) [n]
10   Enable Secure Web Access     (y/n) [n]
11   Enable Telnet Access         (y/n) [n]
12   Enable SSH Access            (y/n) [n]
13   SNMP Configuration
Table 2: SNMP Startup Configuration
#    Description                  Enable
0    Supported SNMP versions      [1 2 3]
1    Community                    [Public]
2    SNMP Root User
3    Privacy Protocol             (NONE/DES) [NONE]
4    Privacy Password
5    Authentication Protocol      (NONE/SHA/MD5) [NONE]
6    Authentication Password
7    NMS IP Address
8    Configuration File Name
4. Enter the number of the parameter you want to define.
5. Enter the parameter's value and press Enter. The value of the parameter is displayed on
the screen.
If you do not need to access this command line, the Startup Configuration window is
displayed automatically.
Startup Configuration Parameter List
The following list defines the parameters in the Startup Configuration window:
— IP Address: The IP address of the interface is the only mandatory parameter. This
address is used to access the device.
— IP Subnet Mask: The IP subnet mask of the device. The default value of this parameter
is the mask of the IP address class.
— Port Number: Device port number to which the IP interface is defined. The default value
is 1.
— Default Router IP Address: The IP address of the router through which the NMS can be
reached. The default value for this parameter is 0.0.0.0, which means that no default
router is configured.
— RIP Version: The RIP version used by the network router. The default value for this
parameter is: disable.
— OSPF Enable: This parameter enables or disables the OSPF protocol. The default value
is: disable.
— OSPF Area ID: When the OSPF protocol is enabled, you can enter an area ID other than
the default value. Enter an ID in the form of an IP address. The default value is 0.0.0.0.
— User Name: A user name which is added to the Users Table. The default user name is
‘radware’.
— User Password: The password used to access the device remotely using WBM, Telnet or
SSH. The default password is ‘radware’.
— Web Access: Indicates whether Web access to the device is enabled. The default is No.
— Secure Web Access: Indicates whether Secure Web access to the device is enabled. The
default is No.
— Telnet Access: Indicates whether Telnet access to the device is enabled. The default is
No.
— SSH Access: Indicates whether SSH access to the device is enabled. The default is No.
— SNMP Configuration: Enters the SNMP Configuration sub menu.
SNMP Startup Configuration Parameter List
The following list defines the SNMP Startup Configuration:
• Supported SNMP Versions: Indicates which versions of the SNMP protocol are supported
by the device. Default value: 1&2&3. Possible values: 1, 2, 3, 1,2, 1,3 or 2,3.
• Community Name: Device community name. Enter the selected community name. The
default community name is public.
• SNMP Root User: Defines the user for SNMPv3. The default value is "radware".
• Privacy Protocol: Indicates whether privacy is enabled or disabled. Possible values:
NONE or DES. The default value is "NONE".
• Privacy Password: Defines the password for the SNMPv3 user. Default: no password.
• Authentication Protocol: Defines whether to use authentication and the authentication
protocol. Must be used in conjunction with privacy. Default value: "NONE". Possible
values: "NONE" / "SHA" / "MD5".
•
•
•
Authentication Password: Defines the password for the SNMPv3 authentication.
Default – no password.
NMS IP address: The required NMS IP address. Enter a value if you require to limit the
device to a single specified NMS. The default value is 0.0.0.0 (any NMS).
Configuration file name: The name of the file, in a format required by the server,
which contains the configuration. Select this parameter when you require to download a
configuration file as NMS. The file must be located on the NMS, and the NMS must be
located on a TFTP server. When you exit the Startup Configuration window, the device
loads the configuration file from the NMS, resets and starts operating with the new
configuration. The default value is: no name.
Notes:
i. The device enters a default value for the incomplete parameters, with the
exception of the IP Address, which is mandatory. A validity check of all the
parameters is then performed.
ii. An initial default configuration is provided. When a device boots up for the
first time, if the Start-Up is not used for 30 seconds, and a bootup server is
not found within another 30 seconds, default settings are assigned to the
device. The initial default configuration consists of a private IP Address
(192.168.1.1), a subnet mask (255.255.255.0) on port 1, an NMS IP Address
(0.0.0.0, allowing any station to manage the device using SNMP), a community
string of public, and Telnet, SSH, SSL and WBM enabled with a default user of
radware with password radware.
Erasing the Configuration file
You may need to erase the configuration in order to restore the factory default.
To erase the configuration file:
1. Reboot the device and hit any key to stop the auto-boot process.
CPU: RadWare BOOMER - MPC740/750
DRAM size: 128M
Flash size: 16M
BSP version: 5.33
Creation date: Jan 30 2005, 12:49:26
Press any key to stop auto-boot...
2. To erase the configuration file, type "q0", press Enter, and then type "q1".
3. Press "@" to reboot the device.
Device Configuration Options
This section describes the management interfaces and methods for the LinkProof device
configuration and permissions.
This section includes the following topics:
• Management Interfaces, page 29
• Configuring SNMP, page 29
• Telnet and SSH, page 41
• Ping Physical Port Permissions, page 43
• APSolute Insite, page 43
• Command Line Interface, page 43
• Web Based Management, page 45
Management Interfaces
APSolute Insite is the main management interface for all Radware products. Additional
management interfaces that allow you to configure and operate Radware devices include:
• Web Based Management (WBM)
• Command Line Interface (CLI)
You can connect a LinkProof device to the management interfaces through the network
physical interface or through the serial port. LinkProof supports the following port types:
• In the network connection: SNMP, HTTP, HTTPS, Telnet, SSH.
• In the serial port connection: RS-232 up to 115 Kbps (default is 19.2 Kbps).
The following table lists the LinkProof physical interfaces and the supporting management
interfaces:
Port           APSolute Insite   Web Based Management   Command Line Interface
SNMP V1, V3    +
HTTP                             +
Secure Web                       +
Telnet                                                  +
SSH                                                     +
RS-232                                                  +
Configuring SNMP
The Simple Network Management Protocol (SNMP) is an application layer protocol that
facilitates the exchange of management information between network devices. SNMP is a
part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. Radware
devices work with SNMPv1, SNMPv2 and SNMPv3.
Network management systems contain two primary elements: managers and agents. The
Manager is the console through which the network administrator performs network
management functions. Agents are the entities that interface to the actual device being
managed, allowing objects in the device to be changed or retrieved. These objects are arranged in
what is referred to as a management information base (MIB). SNMP is the protocol that allows
managers and agents to communicate for the purpose of accessing these objects.
This section explains how to configure SNMP on LinkProof. Configuration examples for SNMP
versions 1, 2 and 3 are included.
SNMPv3 is composed of 2 layers of communication between the manager and the agent:
• User Security Model (USM), which provides Secure Communication, including message
integrity and privacy.
• View-Based Access Control Model (VACM), which provides granular access permissions.
For example, a user can have write access to limited portions of the MIB, and read
access to wider portions.
Note:
By default, APSolute Insite connects to the LinkProof device using SNMPv1.
To connect to the device using SNMPv3:
1. From the main toolbar, click + and select LinkProof. The LinkProof icon appears on the
map.
2. Double-click the LinkProof icon. The Connect LP to Device window appears.
3. In the Connect LP to Device window, type the Device IP Address and select the
SNMPv3 check box. The SNMPv3 pane opens.
4. Set the Authentication and Privacy parameters as defined in the Users Table, see
Defining SNMP Users, page 30.
5. Click Ok. The LinkProof device is connected using SNMPv3.
To view the SNMP parameters:
1. From the main window, select General > Device Permissions. The Device
Permissions window appears.
2. From the Device Permissions window, click the SNMP tab. The SNMP pane appears,
displaying the current permissions.
Defining SNMP Users
With SNMPv3 user-based management each user can have different permissions based on
the user name and connection method.
You can create a new user by cloning the definitions of one of the existing users.
In the User Based Security Model window, you can define users who can connect to the
device and you can store the access parameters for each SNMP user.
To define a new SNMP user:
1. From the main window, select Device > Device Permissions. The Device Permissions
window appears.
2. In the Device Permissions window, click the SNMP tab. The SNMP pane appears,
displaying the current permissions.
3. From the SNMP pane, click Users. The User Based Security Model window appears.
4. From the User Based Security Model window, click Add, and set the following
parameters according to the explanations provided:
Clone From User: Select the existing user from which you want to clone the definitions.
User Name: Type the name of the new user, up to 18 characters.
Authentication Protocol: Type the protocol to be used during the authentication process.
Default: None, meaning clear text is used during the session. Possible values are MD5
and SHA.
Authentication Password: Type the password to be used during the authentication process.
User Privacy Protocol: Type the algorithm to be used for encryption. Default: None, which
means that the data is not encrypted. Possible value is DES.
Privacy Password: Type the password required to use privacy.
Notes:
i. Privacy is only supported in conjunction with authentication.
ii. The User Name parameter is also called Security Name.
5. Click Ok to apply the Setup and exit the window. A new user is defined for access to
SNMP.
Note:
The Configuration file of a device that contains SNMPv3 users with
authentication can only be used by the specific device on which the users were
configured. When exporting the configuration file to another device, the
passwords need to be re-entered, since passwords (of SNMPv3 users) cannot
be exported from one device to another. Therefore there must be at least one
user in the device's user table (to be able to change the password) in case the
configuration file is uploaded to another device. Note that this is according to the
SNMPv3 RFC.
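The reason behind this note (SNMPv3 user passwords cannot be carried from one device to another) follows from the USM key derivation in RFC 3414: the password is first stretched into a digest, and that digest is then localized by hashing it together with the authoritative engine's snmpEngineID, so what the device stores is bound to that one engine. The following Python implementation of the derivation is an added example, not code from this guide or from LinkProof; the MD5 and SHA protocols are the ones the Users Table offers, the test password "maplesyrup" and the 12-byte engine ID 00…02 are the published test vectors from RFC 3414 appendix A.3, and the second engine ID is a constructed value used only to show that the localized key changes.

```python
import hashlib

# RFC 3414 A.2: the password is repeated cyclically to fill 1 MiB before hashing.
_EXPANSION_BYTES = 1048576

# Authentication protocols offered in the guide's Users Table.
_HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def password_to_ku(password: str, protocol: str) -> bytes:
    """Step 1 (password_to_key): digest of the password repeated to 1 MiB."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    digest = _HASHES[protocol]()
    repeats, remainder = divmod(_EXPANSION_BYTES, len(pw))
    digest.update(pw * repeats + pw[:remainder])
    return digest.digest()


def localize_key(ku: bytes, engine_id: bytes, protocol: str) -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one engine."""
    return _HASHES[protocol](ku + engine_id + ku).digest()


def usm_localized_key(password: str, engine_id: bytes, protocol: str) -> bytes:
    """The key an agent actually stores for a user: password -> Ku -> Kul(engine)."""
    return localize_key(password_to_ku(password, protocol), engine_id, protocol)


def keys_for_engines(password: str, protocol: str, engine_ids) -> dict:
    """Map each engine ID (hex) to the localized key (hex) for the same password."""
    return {e.hex(): usm_localized_key(password, e, protocol).hex() for e in engine_ids}


if __name__ == "__main__":
    rfc_engine = bytes(11) + b"\x02"                       # RFC 3414 A.3 test engine ID
    other_engine = bytes.fromhex("800000020300a0b1c2d3e4f5")  # constructed, not a real device
    for protocol in ("MD5", "SHA"):
        print(protocol, keys_for_engines("maplesyrup", protocol, [rfc_engine, other_engine]))
```

Because only the localized key is stored, a configuration file copied to a second device carries keys that were computed for the first device's engine ID and therefore never verify there; re-entering the password on the new device recomputes the localization for its own engine ID, which is the procedure the note requires.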
SNMP - VACM Edit Security to Group
SNMPv3 permissions are defined for groups of users. When the same user needs different
permissions depending on the connection method, the user can be associated with more
than one group. For example, if user A connects to a
Radware device using SNMPv3 with authentication and privacy, the user gets Read-Write
permissions, while if the same user A connects to a Radware device with authentication and
without privacy (data is not encrypted), then this user gets Read-Only permissions.
You can associate users with groups listed in the VACM Edit Security to Group window.
Access rights are defined for groups of users.
To configure VACM Edit Security to Group:
1. From the main window, select Device > Device Permissions. The Device Permissions
window appears.
2. In the Device Permissions window, select the SNMP tab. The SNMP pane appears.
3. In the SNMP pane, click Add. The VACM Edit Security Name to Group window appears.
4. In the VACM Edit Security Name to Group window, set the following parameters
according to the explanations provided:
Table 3:
Security Model: Select the SNMP version to be associated with this group.
Possible values: SNMPv1, SNMPv2 or User Based (SNMPv3).
Security Name: Select a relevant security name, that is, the name as defined in the
Users Table.
Group Name: Select a name from a list of all the available group names.
5. Click Ok to save the Setup and to exit the window.
VACM - MIB View
The View Table defines subtrees of the MIB tree. Those views are used to allow Read/Write
access based on the MIB tree. The same Family View Name can be used for multiple entries
to allow maximum flexibility; each entry can include or exclude parts of the entire MIB tree.
For example, you can grant Read access to all MIBs starting with 1.3.6.1 but not to MIBs
that start with 1.3.6.1.2, and yet give access to MIBs that start with 1.3.6.1.2.1 and
1.3.6.1.5.
To set the parameters of the VACM MIB Tree:
1. From the main window, select Device > Device Permissions. The Device Permissions
window appears.
2. In the Device Permissions window, select the SNMP tab. The SNMP pane appears.
3. In SNMP pane, click Access. The VACM Group Access window appears.
4. In the VACM Group Access window, click View. The VACM MIB View window appears.
5. In the VACM MIB View window, set the following parameters according to the
explanations provided:
Family View Name: Type the name of this entry as explained above.
Family Subtree: Type the object ID of the MIB subtree.
Type: Define whether the object of this entry is included in or excluded from the MIB view.
6. Click Update to apply the Setup and click Ok to exit the window.
SNMP - Access
The Access Table binds the groups, views and security models. This is the table that grants
permissions to the groups, based on the SNMP version.
You can define the access rights for each group and Security Model in the VACM Group
Access window. The range of objects which can be accessed for a read, write or notify action is
specified through the Read View Name, Write View Name and Notify View Name
parameters and depends on the defined Security Model. The Read, Write, and Notify
permissions are configured for Family View names, which are defined in the VACM - MIB
View window, see VACM - MIB View, page 32.
To set the parameters of the SNMP Access Table:
1. From the main window, select Device > Device Permissions. The Device Permissions
window appears.
2. From the Device Permissions window, select the SNMP tab. The SNMP pane appears.
3. In the SNMP pane, click Access. The VACM Group Access window appears.
4. In the VACM Group Access window, click Add. The VACM Edit Group Access window
appears.
5. In the VACM Edit Group Access window, set the following parameters according to the
explanations provided:
Group Name: Type the name of your group.
Security Model: Select the SNMP version that represents the required Security Model.
The security models are predefined sets of permissions that can be used by the groups.
These sets are defined according to the SNMP versions. By selecting the SNMP version
for this parameter, you determine the permissions set to be used.
Possible values: SNMPv1, SNMPv2 or User Based (SNMPv3).
Security Level: Select the security level:
• No Authentication: No authentication or privacy are required.
• Auth Not Private: Authentication is required, but Privacy is not required.
• Auth Private: Both authentication and privacy are required.
Default: No Authentication.
Read View Name: Select an item from a list of all the available views that are configured
in the VACM - MIB View window and provide the Read access to the Object IDs specified
in the selected view.
Write View Name: Select an item from a list of all the available views that are configured
in the VACM - MIB View window and provide the Write access to the Object IDs specified
in the selected view.
Notify View Name: Select an item from a list of all the available views that are configured
in the VACM - MIB View window and provide the Notify access to the Object IDs specified
in the selected view.
6. Click Ok to save the Setup and exit from the window.
SNMP - Target Address
In SNMP v3, this table contains transport addresses to be used in the generation of traps. If
the tag list of an entry contains a tag from the SNMP Notify Table, this target is selected for
reception of notifications.
For SNMP version 1 and 2 this table is used to restrict the range of addresses from which
SNMP requests are accepted. If the Transport Tag of an entry in the community table is not
empty it must be included in one or more entries in the Target Address Table.
To add a new SNMP Target Address:
1. From the main window select Device > Device Permissions. The Device Permissions
window appears.
2. In the Device Permissions window, select SNMP. The SNMP pane appears.
3. In the SNMP pane, click Targets. The Target Address window appears.
4. In the Target Address window, click Add. The Edit Target Address window appears.
5. In the Edit Target Address window, set the following parameters according to the
explanations provided:
Name: Type the name of this entry.
Target Address: Type the IP address of the management station that is used:
• To provide access to the specified IP address only
• To send SNMP traps to that IP address.
Target Port: Type the number of the Target Port. The TCP port to be used: 161 for SNMP
Access and 162 for SNMP Traps. Default: 162.
Tag List: A list of tags separated by spaces. This tag must be the same tag as the
Community Transport Tag in the Community Table. Default: v3Traps.
Parameters: The name of the entry in the Parameters Table to be used when sending the
SNMP Traps.
6. Click Ok to save the Setup and to exit the window.
Tip:
The SNMP Target Address window also allows you to access the SNMP Target
Parameters window, see SNMP - Target Parameters, page 34.
SNMP - Target Parameters
The Target Parameters table contains parameters to be used in generating a message.
Entries in this table are referenced in the Target Address table.
To set the Target Parameters:
1. From the main window, select Device > Device Permissions. The Device Permissions
window appears.
2. In the Device Permissions window, click SNMP. The SNMP pane appears.
3. From the SNMP pane, click Targets. The Target Address window appears.
4. In the Target Address window, click Parameters.The Target Parameters window
appears.
5. In the Target Parameters window, click Add. The Edit Target window appears.
6. In the Edit Target Parameters window, set the following parameters according to the
explanations provided:
Name: Name of the new parameter for the Target Address.
Message Processing Model: Select the model from: SNMP Ver 1; SNMP Ver 2c; SNMP Ver 3.
Security Model: Select the security model as explained in Security Model:, page 33.
Possible values: SNMP Ver 1; SNMP Ver 2c; User Based.
Security Name: Type the security name of the user.
Security Level: Select the security level:
• No Authentication: No authentication or privacy are required.
• Auth Not Private: Authentication is required, but Privacy is not required.
• Auth Private: Both authentication and privacy are required.
Default: No Authentication.
7. Click Ok to save the Setup and click Ok to exit the Target Parameters and Target
Address windows.
SNMP - Community Table
The purpose of the community table is to allow backwards compatibility with SNMPv1 and
SNMPv2. The Community Table maps community strings to users. Once a user is connected
to a Radware device with SNMPv1 or SNMPv2, the device checks the Community String sent
in the SNMP packet. Based on the Community String, the device maps the Community String
to a pre-defined user, which belongs to a group, with certain access rights. Therefore, when
working with SNMPv1 or SNMPv2, users, groups, and access must be defined as well.
Note:
The SNMP Community Table is used only for SNMP v1 and v2.
To configure the SNMP Community Table:
1. From the main window, select Device > Device Permissions. The Device Permissions
window appears.
2. In the Device Permissions window, select SNMP. The SNMP pane appears.
3. In the SNMP pane, click Community. The Community window appears.
4. In the Community window, click Add and set the following parameters according to the
explanations provided:
Index: Type a descriptive name for this entry.
Community Name: Type the string for the community.
Security Name: Type the user name associated with the community string.
Community Transport Tag: This string specifies a set of target addresses from which the
SNMP agent accepts SNMP requests and to which traps may be sent. The target addresses
identified by this tag are defined in the Target Address Table, see SNMP - Target Address,
page 33.
If this string is empty, addresses are not checked when an SNMP request is received or
when a trap is sent. If this string is not empty, the transport tag must be contained in the
value of the Tag List parameter of at least one entry in the Target Address Table.
5. Click Ok to save the Setup and to exit the window.
SNMP - Notify Table
Using the SNMP Notify Table you can select management targets that receive notifications
including the type of notification to be sent to each selected management target. The Tag
parameter contains a string that is used to select entries in the Target Address table, see
SNMP - Target Address, page 33. An entry in the Target Address table whose tag list
contains the tag of one or more entries of the notification table, is selected for reception of
notifications.
To set the notifications for the target Address:
1. From the main window, select Device > Device Permissions and from the Device
Permissions window, click SNMP. The SNMP pane appears.
2. In SNMP pane, click Targets. The Target Address window appears.
3. In the Target Address window, click Notify. The Notify Table window appears.
4. In the Notify Table window, click Add. The Edit Notify Table appears.
5. In the Edit Notify Table window, set the following parameters according to the
explanations provided:
Name:
Type the name of the entry.
Tag:
This string selects one or more entries in the Target
Address table. All entries in this table whose tag list
contains this tag are selected for reception of notifications.
Type:
Select the type of notification, for example trap.
6. Click Ok to apply the Setup and click Ok twice again to exit the Notify Table window and
the Target Address window.
Example: SNMPv3 Access To the Device With Authentication and Privacy
The following example shows how to configure a Radware device to allow access using only
SNMPv3, MD5 as the authentication protocol and DES as the privacy protocol. Since a
user with limited access privileges cannot create a user with unlimited access, the first user
must be created via the CLI or WBM.
Configuration:
1. From Web Based Management, select Security > SNMP > User Table and create a
new entry by configuring the following parameters according to the explanations
provided:
User Name: administrator
Authentication Protocol: MD5
Authentication Password: password
Privacy Protocol: DES
Privacy Password: password
2. Open APSolute Insite.
3. From the LinkProof main toolbar, click Add and select LinkProof. The LinkProof icon
appears on the map.
4. Double-click the LinkProof icon. The Connect LP to Device window appears.
5. In the Connect LP to Device window, type the Device IP Address and select the SNMPv3
check box. The SNMPv3 pane opens.
6. The pre-configured User Name for SNMPv3 is "radware". When connecting using this
User Name, neither Authentication nor Privacy are required.
7. Click Ok. The device is connected using SNMPv3.
8. From the main menu, select Device > Device Permissions. The Device Permissions
window appears.
9. In the Device Permissions window, click SNMP. The SNMP pane appears containing the
following configuration options: Targets, Views, Users, Community, Access.
10. In the SNMP pane, click Access. The VACM Group Access window appears.
11. In the VACM Group Access window, click Add, and set the following parameters
according to the explanations provided:
Group Name: admin
Security Model: USM
Security Level: AuthPrivate
Read View Name: iso
Write View Name: iso
Notify View Name: iso
12. Click Ok and Ok again.
13. To associate the user administrator with the admin group, from the SNMP pane, click
Add. The VACM - Edit Security Name To Group window appears.
14. In the VACM - Edit Security Name to Group window, set the following parameters
according to the explanations provided:
Security Model: USM
Security Name: administrator
Group Name: admin
15. Click Ok and Ok again to close all the windows.
16. Reconnect to the device using SNMPv3, User Name "admin" and Password "password"
both for Authentication and Privacy protocols.
— To create additional users with the same access rights, open the Users window, and
add a new user. The new user can be cloned from the existing logged in user, or
from a different user, see Defining SNMP Users, page 30.
— To associate a new user with a group, from the SNMP window, click Add and
associate the new user with its group.
— To restrict SNMPv1 and SNMPv2 access to the device, remove the "public"
community entry from the Community window, see SNMP - Community Table,
page 35.
Example: Configuring Read-Only Permissions for SNMPv1 and Full
Access for SNMPv3
This example shows how to allow SNMPv1 access to the device by adding an entry in the
Community Table using the configuration of the example on SNMPv3 Access To the Device
With Authentication and Privacy, page 36.
Configuration:
1. From the LinkProof main toolbar, click + and select LinkProof. The LinkProof icon
appears on the map.
2. Double-click the LinkProof icon. The Connect LP to Device window appears.
3. In the Connect LP to Device window, type the Device IP Address and select the SNMPv3
check box. The SNMPv3 pane opens.
4. Define SNMPv3 parameters as explained in the previous example, see SNMPv3 Access
To the Device With Authentication and Privacy, page 36.
5. Click Ok. The device is connected using SNMPv3.
6. From the main menu, select Device > Device Permissions. The Device Permissions
window appears.
7. In the Device Permissions window, click SNMP. The SNMP pane appears, containing the
following configuration options: Targets, Views, Users, Community, Access. These
options are explained throughout this configuration example.
8. In the SNMP pane, click Community. The Community window appears.
9. In the Community window, click Add, and set the following parameters according to the
explanations provided:
Index: SNMPv1 Access
Community Name: password
Security Name: administrator
10. Click Ok and Ok again to close the Community window.
11. In the SNMP window, click Access. The VACM Group Access window appears.
12. In the VACM Group Access window, click Add, and set the following parameters
according to the explanations provided:
Group Name: admins
Security Model: SNMPv1
Security Level: No Authentication
Read View Name: iso
Write View Name: None
Notify View Name: iso
13. Click Ok and Ok again to return to the SNMP window.
14. To create a VACM entry for User Administrator and Security Model SNMPv1, from the
SNMP window, click Add. The VACM Edit Security To Group dialog box appears.
When the SNMPv1 session is initiated to the device with the community name "password",
the device associates the user name "administrator" with the Group "admins" based on the
information from the VACM Edit Security To Group window. According to the settings of the
VACM Group Access window, only Read permissions are set for the User Administrator in
SNMPv1.
Note:
APSolute Insite supports only SNMPv3 and SNMPv1.
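The two examples above, together with the VACM - MIB View, SNMP - Access and SNMP - Community Table sections, describe one decision chain: a community string (SNMPv1/v2 only) is mapped to a security name, the security name and security model select a group, the group, model and security level select an access entry, and the entry's read, write or notify view decides whether the requested object ID is reachable. The following Python model of that chain is an added example, not LinkProof code, and its tables are constructed from the guide's own worked values (user administrator, groups admin and admins, view iso, community "password") plus the partial view from the VACM - MIB View section under the constructed name "partial". A Write View Name of "None" in the guide is modelled as no view at all, which denies the operation; vacmViewTreeFamilyMask is not modelled (assumed all ones, i.e. plain prefix matching).

```python
from dataclasses import dataclass, field
from typing import Optional

SECURITY_LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def oid_tuple(oid: str) -> tuple:
    """'1.3.6.1.2.1.1.5.0' -> (1, 3, 6, 1, 2, 1, 1, 5, 0)."""
    return tuple(int(p) for p in oid.strip(".").split("."))


@dataclass
class MibView:
    """Family View entries (subtree, included). As in RFC 3415 the entry with the
    longest matching subtree decides; masks are not modelled (assumed all ones)."""
    entries: list = field(default_factory=list)

    def include(self, subtree: str):
        self.entries.append((oid_tuple(subtree), True))
        return self

    def exclude(self, subtree: str):
        self.entries.append((oid_tuple(subtree), False))
        return self

    def allows(self, oid: str) -> bool:
        target = oid_tuple(oid)
        best = None
        for subtree, included in self.entries:
            if target[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
                best = (subtree, included)
        return best is not None and best[1]


@dataclass
class AccessEntry:
    group: str
    security_model: str          # "SNMPv1", "SNMPv2" or "USM"
    min_level: str               # lowest security level that this entry applies to
    read_view: Optional[str]
    write_view: Optional[str]    # None models the guide's "Write View Name: None"
    notify_view: Optional[str]


@dataclass
class Vacm:
    views: dict = field(default_factory=dict)              # view name -> MibView
    community: dict = field(default_factory=dict)          # community string -> security name
    security_to_group: dict = field(default_factory=dict)  # (model, security name) -> group
    access: list = field(default_factory=list)             # AccessEntry rows

    def is_access_allowed(self, model, security_name, level, oid, operation="read") -> bool:
        """Walk the whole chain for one request; any missing link denies."""
        group = self.security_to_group.get((model, security_name))
        if group is None:
            return False
        requested = SECURITY_LEVELS[level]
        candidates = [e for e in self.access
                      if e.group == group and e.security_model == model
                      and SECURITY_LEVELS[e.min_level] <= requested]
        if not candidates:
            return False
        # RFC 3415: of the matching entries, the one with the highest security level wins
        entry = max(candidates, key=lambda e: SECURITY_LEVELS[e.min_level])
        view_name = {"read": entry.read_view, "write": entry.write_view,
                     "notify": entry.notify_view}[operation]
        view = self.views.get(view_name)
        return view is not None and view.allows(oid)

    def community_request(self, community, oid, operation="read", model="SNMPv1") -> bool:
        """SNMPv1/v2: resolve the community string first, then evaluate as noAuthNoPriv."""
        security_name = self.community.get(community)
        if security_name is None:
            return False
        return self.is_access_allowed(model, security_name, "noAuthNoPriv", oid, operation)


def build_from_guide_examples() -> Vacm:
    """Tables as configured in the guide's two examples (constructed reproduction)."""
    v = Vacm()
    v.views["iso"] = MibView().include("1")
    v.views["partial"] = (MibView().include("1.3.6.1").exclude("1.3.6.1.2")
                          .include("1.3.6.1.2.1").include("1.3.6.1.5"))
    # SNMPv3 example: administrator -> admin, authPriv, full access through view iso
    v.security_to_group[("USM", "administrator")] = "admin"
    v.access.append(AccessEntry("admin", "USM", "authPriv", "iso", "iso", "iso"))
    # SNMPv1 example: community "password" -> administrator -> admins, read only
    v.community["password"] = "administrator"
    v.security_to_group[("SNMPv1", "administrator")] = "admins"
    v.access.append(AccessEntry("admins", "SNMPv1", "noAuthNoPriv", "iso", None, "iso"))
    return v
```

With these tables, a request for sysName (1.3.6.1.2.1.1.5.0) is writable over SNMPv3 with authentication and privacy, read-only through community "password" over SNMPv1, and denied outright for the removed "public" community or for an SNMPv3 session that offers authentication without privacy, because the only USM access entry requires authPriv.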
Example: Changing the Default Community Name When Using SNMPv1
and SNMPv2
According to the default configuration of the device, the default Community Name is
"public". This example shows how to change the default Community Name from "public"
to any other name.
Configuration:
1. From the main toolbar, click + and select LinkProof. The LinkProof icon appears on the
map.
2. Double-click the LinkProof icon. The Connect LP to Device window appears.
3. In the Connect LP to Device window, type the Device IP Address, use the default Device
Community Name and click Ok. The device is connected using SNMPv1.
4. From the main menu, select Device > Device Permissions. The Device Permissions
window appears.
5. In the Device Permissions window, select SNMP. The SNMP pane appears.
6. In the SNMP pane, click Community. The Community window appears.
7. To add a new entry to the Community table, from the Community window, click Add.
The Edit Community window appears.
8. In the Edit Community window, set the following parameters for the new entry
according to the explanations provided:
Index: a descriptive text
Community Name: new_community
Security Name: public
9. Click Ok and return to the main map.
10. Right-click the device icon and click Connect. The Connect LP to Device window
appears.
11. In the Connect LP to Device window, type the new Community Name and click Ok.
12. Repeat steps 4-8, and this time delete the old public entry from the Community Table.
Example: Allowing SNMPv1 and SNMPv2 Access to Predefined
Management Stations
This example shows how to restrict management access to a Radware device for SNMPv1
and SNMPv2, allowing only the predefined Network Management Stations to access the
device.
Configuration:
1. From the main toolbar, click + and select LinkProof. The LinkProof icon appears on the
map.
2. Double-click the LinkProof icon. The Connect LP to Device window appears.
3. In the Connect LP to Device window, type the Device IP Address, use the default Device
Community Name and click Ok. The device is connected using SNMPv1.
4. From the main menu, select Device > Device Permissions. The Device Permissions
window appears.
5. In the Device Permissions window, click the SNMP tab. The SNMP pane appears.
6. In the SNMP pane, click Community. The Community window appears.
7. In the Community window, select the required entry and click Edit. The Edit Community
window appears.
8. In the Edit Community window, in the Community Transport Tag text box, type "nms",
click Ok and Ok again to return to the SNMP window.
9. In the SNMP window, click Targets. The Target Address window appears.
10. In the Target Address window, click Notify. The Notify window appears.
11. From the Notify window, click Add. The Edit Notify Table window appears.
12. In the Edit Notify Table window, set the following parameters according to the
explanations provided:
Name: Type a descriptive name.
Tag: NMS
Note: The value must be the same as the Community Transport Tag in the Community
Table.
13. Click Ok and return to the Target window.
14. In the Target window, click Add to add a new entry to the table by setting the following
parameters according to the explanations provided:
Name: Type a descriptive name.
Target Address: Type the IP address of the NMS.
Target port: 161
Tag List: nms
Parameters: public-v1
15. Click Ok to close the Target window.
Example: Sending Secured SNMP Traps to Specific Users
The following example shows how to configure a Radware device to send SNMP traps using
secure channel over SNMPv3. This example is based on the example on SNMPv3 Access To
the Device With Authentication and Privacy, page 36.
Configuration:
1. From the main toolbar, click + and select LinkProof. The LinkProof icon appears on the
map.
2. Double-click the LinkProof icon. The Connect LP to Device window appears.
3. In the Connect LP to Device window, type the Device IP Address and select the
SNMPv3 check box. The SNMPv3 pane opens.
4. In the User Name text box, type: administrator.
5. Click Ok. The device is connected using SNMPv3.
6. From the main menu, select Device > Device Permissions. The Device Permissions
window appears.
7. In the Device Permissions window, select SNMP. The SNMP pane appears containing the
following configuration options: Targets, Views, Users, Community, Access.
8. In the SNMP pane, click Target. The Target Address window appears.
9. In the Target Address window, click Parameters. The Target Parameters window
appears.
10. In the Target Parameters window, click Add. The Edit Target Parameters window
appears.
11. In the Edit Target Parameters window, set the following parameters according to the
explanations provided:
Name: Secure Traps
Message Processing Model: SNMP Ver 3
Security Model: User Based
Security Name: Administrator
Security Level: Auth Private
12. Click Ok twice, and return to the Target Address window.
13. In the Target Address window, click Add and set the following parameters according to
the explanations provided:
Name: Admins_NMS
Target Address: 10.204.100.18
Target Port: 162
Tag List: V3Traps
Parameters: Secure Traps
14. Click Ok to apply the Setup and Ok again to close all windows.
15. From the main menu, click Options > Events & Traps. The Traps and Events window
appears.
16. Using an interface other than APSolute Insite (CLI or WBM), connect to the device. The
Traps and Events window displays SNMP traps that the device sends using SNMPv3 with
Authentication and Privacy.
Telnet and SSH
Radware products support both Telnet and SSH management access.
Telnet is enabled from Device > Management Application > Telnet.
SSH is enabled from Device > Management Application > SSH.
You can specify the TCP port for Telnet management and SSH.
Note:
LinkProof supports up to two simultaneous Telnet or SSH sessions.
Time-outs are applied for logging into the CLI through Telnet and SSH. After establishing a CLI
session with the device, the user name and password must be entered within 30 seconds. If 3
incorrect logins are entered, the terminal is locked for 10 minutes and no further logins are
accepted from that IP address. Once a login is successful and fully completed, the CLI
session closes after 5 minutes of idle time.
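The three time-outs just described (30 seconds to present credentials, a 10-minute lock on the source IP after 3 failed logins, and a 5-minute idle limit on an established session) form a small state machine that a management listener has to get right, in particular what happens when a lock expires and when a success must reset the failure counter. The following Python model is an added example, not LinkProof code; the session and attempt records, the IP addresses and the timestamps are constructed, and the constants are the values the guide states.

```python
from dataclasses import dataclass, field

# Values stated in the guide for Telnet/SSH CLI logins.
CREDENTIAL_TIMEOUT = 30          # seconds allowed to enter user name and password
MAX_FAILED_LOGINS = 3            # failures before the source IP is locked
LOCKOUT_SECONDS = 10 * 60        # lock duration per source IP
IDLE_TIMEOUT = 5 * 60            # idle time after which an authenticated session closes


@dataclass
class LoginGuard:
    """Per-source-IP failure counting and lockout (constructed model)."""
    failures: dict = field(default_factory=dict)      # ip -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # ip -> time the lock expires

    def is_locked(self, ip: str, now: float) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        # Lock has expired: clear it and the counter that caused it.
        del self.locked_until[ip]
        self.failures.pop(ip, None)
        return False

    def record_attempt(self, ip: str, password_ok: bool, now: float) -> bool:
        """Return True if the login is accepted; False if rejected or the IP is locked."""
        if self.is_locked(ip, now):
            return False
        if password_ok:
            self.failures.pop(ip, None)   # success resets the consecutive-failure count
            return True
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= MAX_FAILED_LOGINS:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
        return False


@dataclass
class CliSession:
    """One Telnet/SSH session: credential deadline before login, idle limit after."""
    ip: str
    opened_at: float
    authenticated: bool = False
    last_activity: float = 0.0

    def expired(self, now: float) -> bool:
        if not self.authenticated:
            return now - self.opened_at > CREDENTIAL_TIMEOUT
        return now - self.last_activity > IDLE_TIMEOUT


def replay(events, guard: LoginGuard = None) -> list:
    """Replay constructed (time, ip, password_ok) events; return the accept flag per event."""
    guard = guard if guard is not None else LoginGuard()
    return [guard.record_attempt(ip, ok, t) for t, ip, ok in events]


if __name__ == "__main__":
    # Constructed log: three failures from one host, then a correct password during the lock.
    attempts = [(0, "192.0.2.10", False), (1, "192.0.2.10", False),
                (2, "192.0.2.10", False), (3, "192.0.2.10", True)]
    print(replay(attempts))
```

The point worth checking in any implementation of this policy is the fourth event: a correct password presented while the lock is active must still be refused, and the counter must only be cleared once the lock has run out, otherwise the lock offers no protection against continued guessing.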
Enabling Management Applications on Specific Physical Ports
The Enabling Telnet and Web Based Management on Specific Ports feature makes it possible
to launch configuration tools, such as SNMP-based applications, Telnet and Web Based
Management, only through those physical ports that are defined by the user. In the same
manner, it is also possible to disable launching Telnet or WBM through specific ports.
To enable web managed ports:
1. From the main window, select Device > Device Permissions > Management
Settings. The Management Settings tab appears, showing the current device in the
Device drop-down list.
2. From the Device drop-down list, select the device.
3. From the Management Ports drop-down list, select the required management application.
Management applications are: SNMP; Telnet; SSH; Web; SSL.
Default: SNMP; Enable All.
4. To select the specific physical ports for the application, check the ports you wish to
enable or disable, or check Enable All or Disable All.
5. Click Apply to save the Setup. The window remains open.
6. To configure ports for another management application, from the Management
Ports parameter select the application and the active ports, as in steps 2 and 3.
7. Click Apply to save the Setup and Ok to exit the window.
Enabling Management Applications on Non-Standard TCP/UDP Ports
Management applications can be configured to use non-standard ports, for example port
8081 instead of the standard HTTP port.
Ping Physical Port Permissions
LinkProof allows you to define which physical interfaces can be pinged. When a ping is sent
to an interface for which ping is not allowed, the packet is discarded. By default, all
interfaces of the device allow ping.
To define the ports to be pinged:
1. From the main toolbar, click the Panel View icon. The Front Panel view appears.
2. Right-click the port you wish to ping and, from the drop-down menu that appears, check
the Ping Port State option.
APSolute Insite
APSolute Insite is the main management interface for all Radware devices. This application
allows the system administrator to configure, modify and manage all types of Radware
devices in an enterprise network. Rather than focusing on a single device, APSolute Insite
presents the entire network configuration in a graphical format, with settings and
configuration options organized in a logically related manner.
Notes:
i   For further information regarding APSolute Insite, refer to the APSolute Insite
    User Guide.
ii  For an explanation of how to access statistics about device performance, and
    how to work with statistical graphs, refer to the APSolute Insite User Guide.
Command Line Interface
Access to the Command Line Interface (CLI) requires a serial cable and a terminal emulation
application. Although each product has a slightly different list of commands, the majority of
the available options are the same:
bwm               Policy management and classification
classes           Configures traffic attributes used for classification
device            Device Settings
healthmonitoring  Advanced Health Monitoring
help              Displays help for the specified command
login             Login into the device
logout            Logout of the device
LinkProof         LinkProof parameters
manage            Device management configuration
net               Network configuration
ping              Sends echo requests
reboot            Reboot the device
redundancy        Redundancy settings
security          Security settings
services          General networking services
statistics        Device statistics configuration
system            System parameters
CLI Supported Capabilities
Radware's Command Line Interface can be used through console access, Telnet, or SSH. CLI
provides the following capabilities:
• Consistent, logically structured and intuitive command syntax.
• A system config command to view the current configuration of the device, formatted
as CLI command lines.
• Pasting the output of system config, or part of it, to the CLI of another device, using
the system config set command. This option can be used for easy configuration
replication.
• Help and command completion keys.
• Command line editing keys.
• Command history.
• Configurable prompt.
• Configurable banner for Telnet and SSH.
• Ping: Ping other hosts on the network to test availability of the other hosts.
• Traceroute: Use the command trace-route <destination IP addr>. Output format:
DP#trace-route www.radware.com
trace-route to host 209.218.228.203:
1: 50ms 50ms 50ms 212.150.43.130
2: 50ms 50ms 50ms 80.74.101.129
3: 50ms 50ms 50ms 192.116.214.2
4: *    *    *
5: 50ms 50ms 50ms 80.74.96.40
• Telnet client: to initiate a Telnet session to remote hosts. Use the CLI command
telnet <IP address>.
• SSH client: to initiate an SSH session to remote hosts. Use the CLI command ssh <IP
address>.
• DNS Client: uses configured DNS servers to query IP addresses of a hostname. Use the
command services dns nslookup <hostname>.
Make sure to enable DNS and set DNS servers appropriately, using the services dns client
commands. The DNS client also enables using host names rather than IP addresses in
commands such as trace-route, ping, telnet, and so on. The DNS client is also configurable
from APSolute Insite.
Notes:
i   For a description of the DNS Client, refer to DNS Client, page 67.
ii  For more information concerning CLI commands, refer to the Radware CLI
    Reference Manual.
Web Based Management
Each Radware device can be managed using a web-based interface enabled from the Access
pane of the Setup window. Web access can also be confined to SSL; the administrator can
specify the TCP port for Web Based Management and for secure Web Based
Management (WBM).
The Web Based Management graphical user interface (GUI) does not require any installation
on a client, and is designed for easy and fast single-device management.
When using Web Based Management, on-line help is also available from the Radware
corporate Web site. However, you can specify a custom location for the help files.
Web Based Management is supported using the following Internet browsers:
• Internet Explorer version 6 (when using Windows operating systems)
• Mozilla (when using Linux operating systems)
Note:
In WBM, Online Help is available by clicking the ? Help icon that appears in
every screen.
Web Based Management Features
• HTTP Summary Page: Using the Device Monitoring summary page, you can get a
quick view of the farm and server health. The summary page also provides a launching
point from which to 'drill down' to more specific health and configuration information.
You can configure an interval at which the page is refreshed (any number of
seconds between 10 and 3600). The Device Monitoring window is accessible from the
WBM Device menu.
• HTTP Button to Switch Between Active and Backup Device: Using the Web-based
interface, you can switch between the active device and the associated backup device.
This functionality is also accessed from the Device Monitoring window.
• Secure Web Based Management: An HTTPS session. By default, the device has
self-signed Radware SSL certificates. However, you can specify your own self-signed SSL
certificate.
To create a new SSL certificate:
1. From the Services menu, select SSL > Certificates.
2. Click Create. The Create Self Signed Certificate window appears.
3. Fill in the relevant parameters and then click Ok.
Note:
SSL keys and certificates are not exported as part of the configuration.
Device Security
This section describes the interfaces and methods related to device security.
All Radware devices are equipped with a variety of security features and settings that help
prevent unauthorized access and tampering with units. In addition to the predefined
security, you can use the BWM and Intrusion license to upgrade the security level for your
network.
This section includes the following topics:
• Bandwidth Management Access, page 46
• Users Table, page 46
• RADIUS Authentication, page 47
Bandwidth Management Access
Radware devices also provide a packet-filtering database, which can be configured to control
access to the unit and through the unit, based on a variety of factors, such as protocol, port,
and source or destination addresses.
To access Bandwidth Management Configuration:
From the main window, select APSolute OS > BWManagement.
Management Ports
Access to any of the devices can be limited to specified physical interfaces. Interfaces
connected to insecure segments of a network can be configured to discard some or all kinds
of management traffic directed at the device itself. Administrators may wish to allow certain
types of management traffic to a Radware device, such as SSH, while denying others (such
as SNMP or Telnet). If an intruder attempts to access the device through a disabled port, the
Radware unit does not allow access and generates syslog and CLI traps as notification.
To access Port Management Configuration:
From the main menu, select Device > Device Permissions > Management Settings.
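The per-port management permissions described here and in Enabling Management Applications on Specific Physical Ports above, modelled as the packet filter a device would apply to traffic addressed to itself. This is an added example, not Radware code. Each application (SNMP, Telnet, SSH, Web, SSL) has its own set of permitted physical ports with Enable All / Disable All, ping can be switched off per port, and a management request arriving on a disabled port is dropped and recorded in a syslog-style line. The 8-port unit, the transport-port classification and the sample requests are constructed; the default transport ports are the standard ones, which the page says can be moved (for example Web on 8081).

```python
"""Management-plane port permissions as a packet filter (added example, not Radware code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

APPLICATIONS = ("SNMP", "Telnet", "SSH", "Web", "SSL")
PHYSICAL_PORTS = frozenset(range(1, 9))           # assumption: an 8-port unit

STANDARD_PORTS: Dict[Tuple[str, int], str] = {    # (transport, port) -> application
    ("udp", 161): "SNMP",
    ("tcp", 23): "Telnet",
    ("tcp", 22): "SSH",
    ("tcp", 80): "Web",
    ("tcp", 443): "SSL",
}


@dataclass
class ManagementPermissions:
    # The page's default is "Enable All": every application on every physical port.
    allowed: Dict[str, Set[int]] = field(
        default_factory=lambda: {app: set(PHYSICAL_PORTS) for app in APPLICATIONS})
    ping_allowed: Set[int] = field(default_factory=lambda: set(PHYSICAL_PORTS))
    app_ports: Dict[Tuple[str, int], str] = field(default_factory=lambda: dict(STANDARD_PORTS))
    syslog: List[str] = field(default_factory=list)   # constructed notification lines

    def enable_all(self, app: str) -> None:
        self.allowed[app] = set(PHYSICAL_PORTS)

    def disable_all(self, app: str) -> None:
        self.allowed[app] = set()

    def set_ports(self, app: str, ports: Set[int]) -> None:
        """Permit `app` only on the given physical ports (the per-port check boxes)."""
        self.allowed[app] = set(ports) & PHYSICAL_PORTS

    def set_ping(self, port: int, state: bool) -> None:
        """The Ping Port State option for one physical port."""
        (self.ping_allowed.add if state else self.ping_allowed.discard)(port)

    def set_app_port(self, app: str, transport: str, number: int) -> None:
        """Move an application to a non-standard transport port (e.g. Web on 8081)."""
        self.app_ports = {k: v for k, v in self.app_ports.items() if v != app}
        self.app_ports[(transport, number)] = app

    def classify(self, transport: str, dport: int) -> Optional[str]:
        return self.app_ports.get((transport, dport))

    def admit(self, phys_port: int, transport: str, dport: int, src: str,
              icmp_echo: bool = False) -> Tuple[str, Optional[str]]:
        """Decide on a packet addressed to the device itself.

        Returns (decision, application): "accept" or "drop" for management traffic
        and ping, "pass" for anything that is not management traffic at all.
        """
        if icmp_echo:
            if phys_port in self.ping_allowed:
                return "accept", "Ping"
            return "drop", "Ping"            # the page: the packet is discarded
        app = self.classify(transport, dport)
        if app is None:
            return "pass", None
        if phys_port in self.allowed[app]:
            return "accept", app
        # Disabled port: deny and notify, as the Management Ports section states.
        self.syslog.append(
            f"management access denied: {app} from {src} on physical port {phys_port}")
        return "drop", app
```

Keeping SSH permitted only on the inside-facing ports while SNMP and Telnet are disabled everywhere is the configuration the page itself suggests; the syslog list is what a collector would see when something probes a disabled port.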
Users Table
You can create a list of personnel authorized to access the device. Entries in this table allow
access to the Radware device through any enabled access method (Web, Telnet, SSH,
SWBM). When Trace Status is enabled, users can receive e-mail notifications of changes
made to the device.
To set the Users Table:
1. From the main window, select Device > Device Permissions. The Device Permissions
window appears.
2. In the Device Permissions window, click Users Table > Add. The Edit Device Users
window appears.
3. In the Edit Device Users window, set the following parameters according to the
explanations provided:
Device Name:     Select the device name.
User Name:       Type the name of the user.
Password:        Type the password for the user.
E-mail:          Type the e-mail address of the user.
Notification:    Define the minimum severity level of traps that are sent to this user.
                 Values: None (the user receives no traps); Info; Warning; Error; Fatal
                 (the user receives traps with severity info or higher).
                 Default: None.
Trace Status:    Enable this option to notify users of configuration changes made in the
                 device. For more information see Configuration Trace, page 66.
Values: Administrator; Operator. Default: Operator.
4. Click Ok to apply the Setup and exit the window. The new device permission is listed in
the Users Table.
Note:
User and Password can be up to 19 characters.
RADIUS Authentication
With RADIUS Authentication, you can use RADIUS servers to determine whether a certain
user may or may not gain access to DP management, using CLI, Telnet, SSH or Web Based
Management. You can also select whether to use the User Table when RADIUS servers are
not available.
Radware devices provide additional security by authenticating the users who access the
device for management purposes. Before a management session starts, the Radware device
can authenticate the user with a RADIUS server.
To set the RADIUS Authentication:
1. From the main window, select Device > Device Permissions. The Device Permissions
window appears.
2. In the Management Permissions window, click RADIUS. The RADIUS pane appears.
3. In the RADIUS pane, set the following parameters according to the explanations
provided:
Authentication Method:     Define the authentication method.
                           Values: Local Users Table; RADIUS; RADIUS & Local Users Table.
                           Note: The last option means that RADIUS servers are used but,
                           when they are unavailable, the Local Users Table is used.
Main RADIUS IP Address:    Define the IP address of the primary server.
Main RADIUS Port:          The access port number of the primary RADIUS server.
                           Values: 1645; 1812. Default: 1645.
Main RADIUS Secret:        Type the authentication password for the primary RADIUS server.
Backup RADIUS IP Address:  Define the backup IP address of the RADIUS server.
Backup RADIUS Port:        Define the backup access port number of the primary RADIUS
                           server.
                           Values: 1645; 1812. Default: 1645.
Backup RADIUS Secret:      Type the authentication password for the backup RADIUS server.
RADIUS Timeout:            Define the length of time the device waits for a reply from the
                           RADIUS server before a retry, or (if the RADIUS Retries value is
                           exceeded) before the device acknowledges that the server is
                           offline.
                           Default: 5.
RADIUS Retries:            Define the number of connection retries to the RADIUS server,
                           when the RADIUS server does not respond to the first connection
                           attempt.
                           Note: Once the RADIUS Retries value to the main RADIUS server is
                           exceeded, and if all connection attempts have failed (RADIUS
                           Timeout), then the backup RADIUS server is used.
                           Default: 3.
4. Click Apply and Ok to apply the Setup and to exit the window.
Notes:
i   The RADIUS Authentication feature is available for CLI, Telnet, SSH, Web Based
    Management and Secure Web, but not for APSolute Insite.
ii  Radware devices must have access to the RADIUS server, and the server must allow
    access from the Radware device.
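The order of operations the parameters above imply, as an added example that is not Radware code: the main server is queried first, the backup server once the Retries value for the main server is exceeded, and the Local Users Table only when the method is "RADIUS & Local Users Table". The servers are stand-ins, a callable that returns True (accept), False (reject) or None (no reply); reading "Retries" as one attempt plus that many retries, and the elapsed-time arithmetic, are assumptions of this model. The page gives no wire-level detail of the RADIUS exchange and none is reproduced here.

```python
"""RADIUS authentication order with fall-back (added example, not Radware code)."""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

LOCAL_ONLY = "Local Users Table"
RADIUS_ONLY = "RADIUS"
RADIUS_THEN_LOCAL = "RADIUS & Local Users Table"

Responder = Callable[[str, str], Optional[bool]]   # (user, password) -> accept/reject/None


def silent(_user: str, _password: str) -> Optional[bool]:
    """Stand-in for a server that never replies."""
    return None


def server_with(users: Dict[str, str]) -> Responder:
    """Stand-in for a reachable server holding a constructed user database."""
    def respond(user: str, password: str) -> Optional[bool]:
        return users.get(user) == password
    return respond


@dataclass
class RadiusServer:
    name: str
    address: str
    respond: Responder
    port: int = 1645                 # page default; 1812 is the other allowed value
    secret: str = "<shared-secret>"  # placeholder; never log it


@dataclass
class RadiusAuthenticator:
    method: str
    main: RadiusServer
    backup: RadiusServer
    local_users: Dict[str, str]      # the Local Users Table: user -> password
    timeout: int = 5                 # page default (seconds)
    retries: int = 3                 # page default
    trail: List[str] = field(default_factory=list)   # constructed decision log

    def _query(self, server: RadiusServer, user: str, password: str) -> Optional[bool]:
        """Ask one server; None means it never answered within the retry budget."""
        for attempt in range(1, self.retries + 2):           # first try plus retries
            answer = server.respond(user, password)
            if answer is not None:
                self.trail.append(f"{server.name}: answered on attempt {attempt}")
                return answer
        waited = (self.retries + 1) * self.timeout
        self.trail.append(f"{server.name}: offline, no reply after {waited}s")
        return None

    def _local(self, user: str, password: str) -> str:
        stored = self.local_users.get(user)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        return "accept" if ok else "reject"

    def authenticate(self, user: str, password: str) -> str:
        if self.method == LOCAL_ONLY:
            return self._local(user, password)
        for server in (self.main, self.backup):
            answer = self._query(server, user, password)
            if answer is not None:                 # a reject from a live server is final
                return "accept" if answer else "reject"
        if self.method == RADIUS_THEN_LOCAL:
            self.trail.append("both RADIUS servers offline; using Local Users Table")
            return self._local(user, password)
        self.trail.append("both RADIUS servers offline; access denied")
        return "reject"
```

With the page defaults (timeout 5, retries 3) a dead main server costs 20 seconds before the backup is even tried, which is the figure to keep in mind when deciding whether to enable the local fall-back: without it, two unreachable servers lock every administrator out of CLI, Telnet, SSH and WBM.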
Version Management and Device Upgrading
This section describes the interfaces and methods for LP device upgrading and includes the
following topics:
• Introducing Upgrades, page 49
• Software Version Update, page 49
• Saving and Restoring Configuration Files, page 52
• Upgrading Licenses, page 53
• Upgrading Boot Versions, page 55
• Resetting Devices, page 56
Introducing Upgrades
You can upgrade all Radware devices to newer versions with a straightforward FLASH
process. Depending on the maintenance contract, you may be eligible for new versions with
new features or only for the maintenance versions.
Performing the LP device upgrade involves two steps:
• Save the current device configuration.
• Upgrade the device software.
Radware releases the updated versions of LP software that can be uploaded to your device.
You can upgrade a device using one of these methods:
• APSolute Insite
• Web Based Management
A Device Upgrade enables the new features and functions on the device without altering the
existing configuration. In exceptional circumstances, new firmware versions are
incompatible with legacy configuration files from earlier firmware versions. This most often
occurs when users attempt to upgrade from very old firmware to the most recently available
version.
New firmware versions require a password. This password can be obtained from the
Radware corporate Web Site. You must obtain this password before you load the upgrade
file onto the Radware device. If you do not supply the correct password during the upgrade
process, you cannot proceed. In case of a maintenance-only upgrade, the password is not
required.
The password is based on the firmware version file and on the Base Mac Address of the LP
unit.
Notes:
i   Before upgrading to a newer software version, it is recommended to save the
    existing configuration file.
ii  Before performing the upgrade process, refer to the "Upgrading Notes" from
    MRN and RN.
Software Version Update
For product versions prior to the ones listed in Table 4 on page 49, a single software version
was loaded on Application Switch 1, Application Switch 2 or Compact Application Switch. The
software was burnt in duplicate on the internal flash.
Table 4: Product Version
Product      Version
DP           2.10
CSD          4.10
FP           3.21
LinkProof    4.21
WSD          8.10
From these versions forward, and for all Application Switch III product versions, the way in
which flash memory space is managed was changed to a File System mechanism. This
allows for the following:
• Use of compact flash in Application Switch 2 and Application Switch 3.
• More flexible memory management.
• Prevention of boot version changes caused by different memory allocation requirements
(the main reason for boot version changes).
• Security upgrades.
• Two different software versions in the memory (only one may be active), with the
possibility to change the active version by toggling between the two.
To display the list of software versions loaded on the device:
— From the Command Line Interface, use the command system file-system software.
— From Web Based Management, click File menu > Software List option.
— From APSolute Insite, in the device Setup (double-click the device icon), click
Device Updates > Downloads table.
To change the active software version:
— From the command line interface, use the command system file-system config act-appl
set X, where X is the application index as displayed previously.
— From Web Based Management, click the File menu and choose the Software List
option. Select the inactive version (Active Field has value False), change the
Active Parameter to True and click Set to record your preferences. You will be
prompted to reboot the device.
Note:
Each software version has its own configuration file.
Flash Memory Management
Table 5 on page 50 shows the Flash Memory for the Application Switches.
Table 5: Flash Memory Management
Switch   Internal Flash                    Compact Flash
AS1      2 Application Software versions   Not available
AS2      Backup Application version        2 Application Software versions
AS3      Backup Application version        2 Application Software versions
CAS      2 Application Software versions   Not available
On AS2 and AS3, a copy of an application software version is loaded in the internal flash for
backup purposes. On the internal flash, only IP host parameters are saved, to allow
communication with the device in case of compact flash problems.
Note:
Do not power up or reboot Application Switch 2 or Application Switch 3 when
the compact flash card is not inserted.
Software Version Update
You can download a new software version by using either WBM or APSolute Insite. For
versions using the File System mechanism the firmware file is in TAR format, while for
previous versions it is in binary (BIN) format.
Note:
Before initiating a software version update on Application Switch 3 or
Application Switch 2 running a file system version, ensure that a backup
application is installed in the internal flash; see Backup Version Update,
page 52.
To upgrade the software version via Web Based Management:
1. From the File menu, select Software Upgrade. The Update Device Software window
appears.
2. In the Update Device Software window, set the following parameters according to the
explanations provided:
Password:             Enter the case-sensitive password you have obtained from the Radware
                      corporate Web Site for this upgrade:
                      http://www.radware.com/content/support/pwordgen/default.asp
Software Version:     Specify the actual version to be loaded, using X.XX.XX format.
File:                 Select the appropriate firmware file.
Enable New Version:   Select the Enable New Version check box to apply the recent upgrade.
                      Note: The device operates according to the new version after the
                      software download process is complete; otherwise the device operates
                      according to the previous version.
3. To accept your preferences, click Set. You will be prompted to reset the device.
Note:
When upgrading from a minor version or bug fix version AB.CD.EF to version
AB.CX.XX a password is not required; for example, when upgrading from
8.21.05 to 8.23.12 a password is not required.
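The password rule in the note above, written out as a version check. This is an added example, not Radware code. The page's "AB.CD.EF to AB.CX.XX" pattern is read here as: same first number and same first digit of the second number, with the third number free; that reading, and the `X.XX.XX` format check, are this example's assumptions. Nothing here derives a password; the page only states when one is needed, and the generator URL it gives is the only source of the password itself.

```python
"""When a LinkProof software upgrade needs a password (added example, not Radware code)."""
import re
from typing import Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d{2})\.(\d{2})$")   # the page's X.XX.XX format


def is_valid_version(text: str) -> bool:
    """True if `text` is in the X.XX.XX form the Software Version field expects."""
    return VERSION_RE.match(text.strip()) is not None


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse X.XX.XX into (major, minor, fix); rejects anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"version {text!r} is not in X.XX.XX format")
    major, minor, fix = (int(part) for part in m.groups())
    return major, minor, fix


def upgrade_needs_password(current: str, target: str) -> bool:
    """Apply the note's rule: no password when AB and the C digit of AB.CD.EF match.

    8.21.05 -> 8.23.12: same "8" and same "2", so no password (the page's example).
    8.21.05 -> 8.31.00: the second number moves from the 2x to the 3x series, password.
    """
    cur_major, cur_minor, _ = parse_version(current)
    tgt_major, tgt_minor, _ = parse_version(target)
    same_series = cur_major == tgt_major and cur_minor // 10 == tgt_minor // 10
    return not same_series
```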
To update software version via APSolute Insite:
1. From the main window, double-click the device icon. The Device Setup window appears.
2. In the Setup pane, click Device Upgrades. The Device Upgrades dialog box appears.
3. From the Device Upgrades dialog box, in the File Name text box, type the name of the
file, OR click Browse to find the desired file.
4. In the Password text box, type the password received with the new software version.
Note:
The password is case sensitive.
5. In the New Version text box, type the software version number as specified in the new
software documentation.
Note:
If the Enable New Version check box is selected (default) the device
operates according to the new version after the software download process is
complete, otherwise the device operates according to the previous version.
6. Click Set. The status of the upload is displayed in the Progress Status bar. You are
prompted to restart the device.
Backup Version Update
On Application Switch 2, the backup application version (internal flash) is updated
automatically when a new application version that includes a new boot version is
downloaded to the device.
On Application Switch 3 it is not necessary to update backup application version when there
is a new boot version - compact flash and internal flash have separate boot memories.
If however you wish to manually update the backup application version or install it, it is
possible via the CLI command: system file-system files copy-to-flash x, where x is
the index of the new application you want to use (existing applications and their indexes are
displayed by: system file-system config act-appl command).
Saving and Restoring Configuration Files
It is recommended to save existing configurations on each Radware device. If a change to
the configuration results in problems, administrators can restore a previous configuration
to the unit. Files are stored locally on the desktop or laptop running APSolute Insite in a
binary format. You can also perform this procedure from WBM.
Notes:
i   When downloading a configuration file using WBM, the configuration cannot
    be downloaded to a device that was configured to use only SNMPv3.
ii  When downloading a configuration file using CWI and SNMPv3, the
    configuration cannot be downloaded to a device that supports only SNMPv1.
iii The configuration file of the device that contains SNMPv3 users with
    authentication can only be used by the specific device on which the users were
    configured. When exporting the configuration file to another device, the
    passwords need to be re-entered, since passwords (of SNMPv3 users) cannot
    be exported from one device to another. Therefore there must be at least one
    user in the user table (to be able to change the password) in case the
    configuration file is uploaded to another device. Note that this is relevant for
    SNMPv3 RFC.
To save an existing configuration:
1. From the main window, select Device > Configuration File > Download.
2. Click the Browse button and navigate to the file you wish to save.
3. Select the required configuration file and click Ok. The current configuration is saved.
To restore an existing configuration file:
1. From the main window, select Device > Configuration File > Upload.
2. Click the Browse button and navigate to the file to restore.
3. Select the required configuration file and click Ok. The selected configuration is
restored.
4. After the restored configuration has been applied to the Radware device, reboot the
unit.
The downloaded configuration file is in BER format. If you wish to view the BER
format file, you must convert it to ASCII format. However, the configuration file that is
uploaded to the device must be in BER format.
To convert a BER file to ASCII format:
1. From the main window, select Device > Configuration File > Edit. The Edit window
opens.
2. From the Edit window, select Convert from BER to ASCII.
3. Click the Browse button and navigate to the BER file you wish to convert to ASCII.
4. Select the required configuration file and click Ok. The file format is converted to ASCII.
Upgrading Licenses
You can upgrade the software capabilities of LinkProof by means of the licensing mechanism,
for example to add BWM and IPS support.
Note:
For more information regarding obtaining licenses, please contact the
Radware Technical Support.
The Licensing Mechanism
In order to change the license, you need to insert a new license code. The license provided to
you is a one-time license, meaning that once this license is changed, the old license code
cannot be re-used. For example, if a license that includes the BWM and IPS activation key
was given to you on a trial basis and not purchased, Radware provides you with another
license, without the BWM and IPS activation key, and the old license cannot be reused.
Each license is based on the MAC address of the device and on a license ID that is changed
every time a new license is inserted.
To obtain a license upgrade, you need to send the MAC address and the current license ID of
the device.
To perform a license downgrade, you have to send the MAC address and the current license
ID of the device. Once you receive and insert the new license, a screen capture of the
License Upgrade window or the output of system license get CLI command must be
sent to Radware to prove that you are using the new license. After that, Radware ensures
that the old license cannot be reused.
To upgrade a software license:
1. From the main window, double-click the device icon. The LinkProof Setup window
appears.
2. In the Setup pane, click Device Upgrades. The Device Upgrades window appears.
3. In the Device Upgrades window, click Licence Upgrade. The Licence Upgrade pane
appears, displaying the current license in the New Licence Code text box.
4. In the New Licence Code text box, type your new license code.
Note:
The license code is case sensitive.
5. Click Ok. An Information box prompts you to reset the device in order to validate the
license.
6. Click Ok to perform the reset. The reset may take a few minutes. A success message is
displayed on completion.
Upgrading Hardware Licenses
Note:
For Application Switch 3, you can add support for 10 Gigabit Ethernet Port by
means of the hardware licensing mechanism. This feature is only available for
Application Switch 3.
To upgrade a hardware license:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window
appears.
2. In the Setup pane, click Device Upgrades. The Device Upgrades window appears.
3. In the Device Upgrades window, select Hardware Licence. The Licence Upgrade pane
appears displaying the current license in the New Licence Code text box.
4. In the New Licence Code text box, type your new license code.
Note:
The license code is case sensitive.
5. Click Ok. The Information box prompts you to reset the device in order to validate the
license.
6. Click Ok to perform the reset. The reset may take a few minutes. A success message is
displayed on completion.
Upgrading Licenses Using CLI
The following procedure enables you to upgrade your software and hardware licenses using
the command line interface.
To upgrade a software license using CLI:
1. In the command line interface, type system license get.
2. Press Enter. The current license code is displayed.
3. Type system license set <new license code>.
4. Press Enter. The license updated message is displayed in the command line.
Note:
To implement the upgrade, the device must be reset.
5. Type reboot in order to reset the device, then type yes to confirm the reset.
To upgrade a hardware license using CLI:
1. In the command line interface, type system hardware license.
2. Press Enter. The current license code is displayed.
3. Type system hardware license set <new license code>.
4. Press Enter. A license updated message is displayed in the command line.
Note:
To implement the upgrade, the device must be reset.
5. Type reboot in order to reset the device, then type yes to confirm the reset.
Upgrading Licenses Using WBM
You can perform license upgrades using Web Based Management.
To upgrade a license using WBM:
1. From the Device menu, select License Upgrade. The License Upgrade window appears.
2. From the License Upgrade window, in the Insert your License Code text box, type
the code of the new license and click Set.
Upgrading Boot Versions
To support new firmware, you may need to upgrade a device's Boot Code. For information
regarding upgrading boot versions, refer to Boot Version Update, page 389.
Resetting Devices
You can reset the device at any time.
To reset the device:
1. From the main window, click Device.
2. From the Device drop-down menu, select Reboot.
3. Select the device you wish to reboot, then click Ok.
Device Tuning
This section describes the interfaces and methods for LP device tuning, and includes the
following topics:
• Tuning Tables Introduction, page 56
• Tuning Memory Check, page 65
Tuning Tables Introduction
The Tuning Tables store information about sessions passing through the device; their
sizes are correlated to the actual number of sessions. Some of the tables store
information for every source-destination address pair of traffic going through the device
(Layer-3 information); these pairs require an entry for each combination. Some of the tables
need to keep information about Layer-4 sessions, which means that every combination of
source address, source port, destination address and destination port requires its own entry
in the table.
Note:
Layer-4 tables are usually larger than Layer-3 tables. For example, a typical
TCP client, using HTTP, opens several TCP sessions to the same destination
address.
Each tuning table has its own Free-Up mechanism, which is responsible for clearing the
table of old entries that are no longer required, and for ensuring that all detected attacks are
reported properly so that the attack can be logged. The Free-Up Frequency for each table
determines how often the device clears unnecessary entries from the table and stores
information about newly detected security events in a dedicated internal alerts buffer. The
alerts are then distributed to the log file, SNMP management station, and syslog server, as
required by the configuration. The alerts buffer ensures that the device is not overloaded
with alert distribution.
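The two keying schemes described in this introduction and the Free-Up sweep, as an added example that is not Radware code. The same constructed packets are keyed per source/destination address pair (Layer 3) and per source address, source port, destination address and destination port (Layer 4), which shows why one HTTP client makes a Layer-4 table grow several times faster. A table object then enforces a maximum entry count, parks an alert in a dedicated buffer when it is full, and a free-up pass run at the configured frequency evicts stale entries and hands the buffered alerts on. The packets, the table sizes, the idle threshold and the alert text are constructed; the real device's eviction rule is not documented on this page.

```python
"""Layer-3 versus Layer-4 tuning tables and a Free-Up sweep (added example, not Radware code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Hashable, List, NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    ts: float          # seconds


def l3_key(p: Packet) -> Hashable:
    """Layer-3 entry: one per source/destination address pair."""
    return (p.src, p.dst)


def l4_key(p: Packet) -> Hashable:
    """Layer-4 entry: one per source address, source port, destination address, destination port."""
    return (p.src, p.sport, p.dst, p.dport)


# Constructed traffic: one HTTP client opening six TCP connections to the same
# server, a second client to that server, and the first client to another host.
SAMPLE = [Packet("10.1.1.20", 49152 + i, "198.51.100.10", 80, float(i)) for i in range(6)]
SAMPLE += [Packet("10.1.1.21", 50000, "198.51.100.10", 80, 6.0),
           Packet("10.1.1.20", 49200, "198.51.100.11", 443, 7.0)]


def entry_counts(packets: List[Packet]) -> Dict[str, int]:
    """How many table entries the same packets need under each keying."""
    return {"layer3": len({l3_key(p) for p in packets}),
            "layer4": len({l4_key(p) for p in packets})}


@dataclass
class TuningTable:
    name: str
    key_fn: Callable[[Packet], Hashable]
    max_entries: int                            # the tunable maximum from Table 6
    free_up_frequency: float                    # seconds between free-up passes
    max_idle: float                             # constructed staleness threshold
    entries: Dict[Hashable, float] = field(default_factory=dict)   # key -> last seen
    alerts: List[str] = field(default_factory=list)                # internal alerts buffer
    delivered: List[str] = field(default_factory=list)             # sent to log/SNMP/syslog
    last_free_up: float = 0.0

    def learn(self, p: Packet) -> bool:
        """Record the packet's session; False (plus an alert) when the table is full."""
        key = self.key_fn(p)
        if key in self.entries or len(self.entries) < self.max_entries:
            self.entries[key] = p.ts
            return True
        self.alerts.append(f"{self.name}: table full ({self.max_entries} entries), "
                           f"could not add {key}")
        return False

    def free_up(self, now: float) -> int:
        """Evict entries idle longer than max_idle and flush the alerts buffer."""
        stale = [k for k, seen in self.entries.items() if now - seen > self.max_idle]
        for k in stale:
            del self.entries[k]
        self.delivered.extend(self.alerts)       # distribution happens here, not per event
        self.alerts.clear()
        self.last_free_up = now
        return len(stale)

    def tick(self, now: float) -> int:
        """Run the free-up pass only when the configured frequency says it is due."""
        if now - self.last_free_up >= self.free_up_frequency:
            return self.free_up(now)
        return 0
```

Batching alert delivery into the free-up pass is what the page means by the buffer protecting the device: a burst of table-full events costs one sweep's worth of log, SNMP and syslog output, not one message per dropped session.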
For LinkProof you can determine the maximum number of entries allowed in the following
Device Tuning tables:
• Advanced Settings, page 57
• Virtual Tunneling Settings, page 62
• SYN Flood Protection Settings, page 63
• Session Table Settings, page 64
You can also define the security parameters for your previously defined security policy. The
values in the fields are synchronized, and any changes are implemented after the device is
reset.
To view the Device Tuning Tables from APSolute Insite:
1. Double-click the LinkProof icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane opens. Check the services group
which you want to tune on the device and click Edit Settings. The device tuning
settings table for the selected category opens.
Note:
It is strongly advised that Device Tuning only be carried out after consulting
with the Radware Technical Support.
Tuning Tables On-Line
You may view a list of values for LinkProof Tuning tables by logging on to the Radware
Website > Support > Documentation > Product (LinkProof) > Document Type (Tuning
Table).
Advanced Settings
You can tune the Advanced Settings tables according to your needs. Table 6 on page 57
describes the Advanced Settings tables and gives their tuning parameters.
Table 6: Advanced Tuning Parameters

Bridge Forwarding Table
  Description: The maximum number of entries in the Bridge Forwarding Table. The Bridge Forwarding Table contains the bridging ports per destination MAC address.
  Platform   Default   Max
  AS1        1,024     32,767
  AS2        1,024     32,767
  AS3        1,024     32,767
  CAS        256       32,767

IP Forwarding Table
  Description: The maximum number of entries in the IP Forwarding Table. The IP Forwarding Table contains the destination MAC address and port per destination IP address.
  Platform   Default   Max
  AS1        4,096     256,000
  AS2        8,192     512,000
  AS3        8,192     512,000
  CAS        2,048     256,000

ARP Forwarding Table
  Description: The maximum number of entries in the ARP Forwarding Table. The ARP Forwarding Table contains the destination MAC address per destination IP address.
  Platform   Default   Max
  AS1        1,024     32,767
  AS2        1,024     32,767
  AS3        1,024     32,767
  CAS        1,024     32,767

Client Table Extension
  Description: The maximum number of entries in the Client Table Extension. Its size is derived from the Client Table size (see Client Table below). For example, when the device load balances routers only, the Client Table Extension size should be the same as the Client Table size.
  Platform   Default   Max
  AS1        8,192     NA
  AS2        16,384    NA
  AS3        16,384    NA
  CAS        8,192     NA

Client Table
  Description: The maximum number of entries in the Client Table. When setting the Client Table size you must also configure the Client Extension Table size. The relationship between the two table sizes is as follows: Client Extension Table size = (max number of farms in a flow, as configured on the device) * Client Table size.
  Platform   Default   Max
  AS1        8,192     NA
  AS2        16,384    NA
  AS3        16,384    NA
  CAS        8,192     NA

Routing Table
  Description: The maximum number of entries in the Routing Table. The Routing Table stores information about the destinations and how they can be reached. By default, all networks directly attached to the device are registered in this table. Other entries can either be statically configured or dynamically created through the routing protocol.
  Platform   Default   Max
  AS1        512       32,767
  AS2        512       32,767
  AS3        512       32,767
  CAS        32        32,767

Static NAT
  Description: The maximum number of Static NAT addresses that can be configured on the device. Static NAT is used to ensure delivery of specific traffic to a particular server on the internal network.
  Platform   Default   Max
  AS1        512       8,192
  AS2        512       8,192
  AS3        512       8,192
  CAS        128       8,192

No NAT
  Description: The maximum number of No NAT addresses that can be configured on the device. No NAT enables a simple configuration where internal hosts have IP addresses that belong to a range of one of the farm servers. Traffic from these hosts is not translated when it is forwarded to that farm server.
  Platform   Default   Max
  AS1        512       20,000
  AS2        512       20,000
  AS3        512       20,000
  CAS        64        20,000

Basic NAT
  Description: The maximum number of Basic NAT addresses that can be configured on the device. Basic NAT enables a one-to-one NAT mapping for occasional users, based on local IP ranges and destination applications.
  Platform   Default   Max
  AS1        NA        NA
  AS2        NA        NA
  AS3        NA        NA
  CAS        NA        NA

Fragmentation Table
  Description: The maximum number of entries in the Fragmentation Table.
  Platform   Default   Max
  AS1        1,024     1,000,000
  AS2        1,024     1,000,000
  AS3        1,024     1,000,000
  CAS        64        512

Flow Policies
  Description: The maximum number of entries in the Flow Policies table. A flow policy defines the criteria used to select a specific flow for a specific type of traffic. When a new session arrives at the device, the device scans the flow policies list looking for a match. Once a match is found, the packet is redirected according to the flow attached to that policy.
  Platform   Default   Max
  AS1        16        5,000
  AS2        16        5,000
  AS3        16        5,000
  CAS        16        5,000

FW Tracking Table
  Description: The maximum number of entries in the Firewall Tracking Table. This table ensures that for inbound traffic received via a certain firewall, the related outbound traffic is sent via the same firewall.
  Platform   Default   Max
  AS1        128       4,096
  AS2        128       4,096
  AS3        128       4,096
  CAS        128       4,096

Farm Persistency Table
  Description: The maximum number of entries in the Farm Persistency Table. The device allows you to determine when a new server will be selected for each farm, by allowing a persistency mode configuration per farm. The default persistency mode is Layer 3. Persistency per farm can be kept according to any session identification parameter, or combination of them, that is less than the Client Table mode (for example source IP or destination IP if the Client Table mode is Layer 3), or according to the Client Table mode.
  Platform   Default   Max
  AS1        8,192     50,000
  AS2        8,192     140,000
  AS3        16,384    320,000
  CAS        16,384    170,000

SYN Protection Triggers Table
  Description: The maximum number of entries in the SYN Protection Triggers Table. SYN Protection Triggers counts incomplete TCP sessions for detecting SYN floods from the Session Table.
  Platform   Default   Max
  AS1        NA        NA
  AS2        NA        NA
  AS3        NA        NA
  CAS        NA        NA

Delayed Bind Table
  Description: The maximum number of entries in the Delayed Bind Table. Delayed Binding is a process in which the device alters fields such as the sequence number of the TCP stream from the client to the destination server. The subsequent session fetches the information that was requested in the original session, and only when that information is gathered is it returned to the client via the original session.
  Platform   Default   Max
  AS1        64        13,658
  AS2        64        32,768
  AS3        64        32,768
  CAS        64        32,768
To set the LinkProof Advanced Tuning Parameters:
1. Double click on the LinkProof icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. From the Global pane, select Advanced Settings and then click Edit Settings. The LinkProof Advanced Settings window appears.
4. From the LinkProof Advanced Settings window, set the parameters as described in Table 6 on page 57.
Note:
It is strongly advised that device tuning only be carried out after consulting with Radware Technical Support.
Virtual Tunneling Settings
Virtual Tunneling tables are used to define Virtual Tunneling. The Virtual Tunneling tuning parameters are presented in Table 7 on page 62.
Table 7: Virtual Tunneling Settings

Local Service Table
  Description: The maximum number of entries in the Local Service Table.
  Platform   Default   Max
  AS1        4         8
  AS2        4         8
  AS3        4         8
  CAS        4         8

Remote Service Table
  Description: The maximum number of entries in the Remote Service Table.
  Platform   Default   Max
  AS1        12        32
  AS2        12        32
  AS3        12        32
  CAS        12        32

Tunnels per Remote Service
  Description: The maximum number of entries in the Tunnels per Remote Service Table.
  Platform   Default   Max
  AS1        12        100
  AS2        12        100
  AS3        12        100
  CAS        12        100

Local Station Table
  Description: The maximum number of entries in the Local Station Table.
  Platform   Default   Max
  AS1        24        32
  AS2        24        32
  AS3        24        32
  CAS        24        32

Remote Station Table
  Description: The maximum number of entries in the Remote Station Table.
  Platform   Default   Max
  AS1        250       1,024
  AS2        250       1,024
  AS3        250       1,024
  CAS        250       1,024

Note:
In order to view the LinkProof Virtual Tunneling tuning parameters you must first enable the Virtual Tunneling Admin Status.
To enable Virtual Tunneling Admin Status:
1. From the main window, select APSolute OS > Traffic Redirection > Virtual Tunneling. The Virtual Tunneling pane appears.
2. In the Virtual Tunneling pane, enable Virtual Tunneling Admin Status.
Note:
It is strongly advised that device tuning only be carried out after consulting with Radware Technical Support.
To set the Virtual Tunneling Tuning Parameters:
1. Double click on the LinkProof icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. In the Global pane, select Virtual Tunneling Settings and then click Edit Settings. The Virtual Tunneling Settings window appears.
4. From the Virtual Tunneling Settings window, set the parameters as described in Table 7 on page 62.
SYN Flood Protection Settings
SYN tables are used to define SYN Flood protection. The SYN Flood protection tuning parameters are presented in Table 8 on page 63.
Table 8: SYN Flood Tuning Parameters

SYN Protection Table
  The current number of entries in the SYN Protection Table, which stores data regarding the delayed binding process. An entry exists in the table from the time the client completes its handshake with the device until the device completes the handshake with the server.

SYN Protection Requests Table
  The current number of entries in the SYN Protection Requests Table, which stores the ACK or data packet that the client sends, until the handshake with the server is complete and the packet is sent to the server.
  Note: The Requests Table and the SYN Protection Table must be about the same size. The Triggers Table should be much smaller.

SYN Protection Triggers Table
  The current number of entries in the SYN Protection Triggers Table, which stores the active triggers: the destination IPs/ports on which the device identifies an ongoing attack.

SYN Protection Policies Table
  The current number of entries in the SYN Protection Policies Table, which stores the policies that control the SYN Protection behavior for different types of traffic. For each traffic type the user can configure whether to:
  • Always apply SYN protection.
  • Apply SYN protection only when an attack is detected.
  • Never apply SYN protection.

Session Table L3 SYN Flood Reports
  Currently this parameter is not used.

Session Table SYN Triggers Creation
  The current number of entries in the Session Table SYN Triggers Creation table, which counts incomplete TCP sessions for detecting SYN floods from the Session Table.
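The following Python is an added example, not LinkProof code: a toy model of the three SYN protection tables described in Table 8, to show why the SYN Protection Table and the Requests Table end up about the same size while the Triggers Table stays much smaller. The state machine is this example's own assumption about how a SYN-protecting device behaves (it completes the client's handshake itself, parks the client's first ACK/data packet, then opens the handshake with the server, and fires a trigger for a destination once the count of incomplete client handshakes toward it reaches a threshold); the internal layout of the tables and the threshold value are invented for illustration.

```python
"""Toy model of SYN protection tables (added example, not LinkProof code).

Assumptions, not from the guide: the device answers the client's SYN itself,
so a spoofed flood never reaches the server or creates a per-session entry;
a session enters the protection and request tables only once the client
finishes its handshake; a trigger is raised per destination when the number
of incomplete client handshakes toward it reaches trigger_threshold.
"""
from dataclasses import dataclass, field


@dataclass
class SynProtection:
    trigger_threshold: int
    # (client, dest) -> state; one entry per session in delayed binding
    protection: dict = field(default_factory=dict)
    # (client, dest) -> parked client packet awaiting the server handshake
    requests: dict = field(default_factory=dict)
    # destinations (ip, port) on which an attack is currently identified
    triggers: set = field(default_factory=set)
    # dest -> incomplete client handshakes (the "incomplete TCP sessions" count)
    half_open: dict = field(default_factory=dict)

    def client_syn(self, client, dest):
        """Client SYN: the device answers SYN/ACK itself; the server sees nothing."""
        self.half_open[dest] = self.half_open.get(dest, 0) + 1
        if self.half_open[dest] >= self.trigger_threshold:
            self.triggers.add(dest)

    def client_ack(self, client, dest, payload=b""):
        """Client completed its handshake with the device: protect the session,
        park the ACK/data packet, and start the handshake with the server."""
        self.half_open[dest] = max(0, self.half_open.get(dest, 0) - 1)
        self.protection[(client, dest)] = "server_handshake_pending"
        self.requests[(client, dest)] = payload

    def server_handshake_done(self, client, dest):
        """Server handshake complete: release the parked packet, drop both entries."""
        packet = self.requests.pop((client, dest))
        del self.protection[(client, dest)]
        return packet

    def sizes(self):
        """(protection entries, request entries, trigger entries)"""
        return len(self.protection), len(self.requests), len(self.triggers)


def simulate(legit_clients, spoofed_sources, dest, threshold=100):
    """Constructed traffic: spoofed sources send SYN only and never ACK;
    real clients complete the handshake and send one request each."""
    state = SynProtection(trigger_threshold=threshold)
    for src in spoofed_sources:
        state.client_syn(src, dest)
    for client in legit_clients:
        state.client_syn(client, dest)
        state.client_ack(client, dest, b"GET / HTTP/1.0\r\n\r\n")
    return state
```

With 150 spoofed SYNs against one destination and a threshold of 100, the trigger fires for that single destination while the protection and request tables hold only the ten real clients: attack volume is absorbed by a per-destination trigger entry, and legitimate sessions land one-for-one in the two per-session tables, which is why the note in Table 8 sizes the Triggers Table much smaller than the other two.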
To set the LinkProof SYN Flood parameters:
1. Double click on the LinkProof icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. In the Global pane, select SYN Flood Settings and then click Edit Settings. The SYN Flood Protection Settings window appears.
4. In the SYN Flood Protection Settings window, set the parameters as described in Table 8 on page 63.
Note:
It is strongly advised that device tuning only be carried out after consulting with Radware Technical Support.
Session Table Settings
The Session Table tuning parameters are presented in Table 9, “Session Table Tuning Parameters,” on page 64.
Table 9: Session Table Tuning Parameters

Session Table
  The maximum number of entries in the Session Table. The Session Table keeps track of sessions that were not recorded in the Client Table.

Session Passive Protocol
  The maximum number of entries in the Session Passive Protocol table. This table records the port commands of passive protocols, so that all related sessions are tracked together.
To set the Session Table Tuning parameters:
1. Double click on the LinkProof icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. In the Global pane, select Session Table Settings and then click Edit Settings. The
Session Table Settings window appears.
4. In the Session Table Settings window, set the parameters as described in Table 9 on
page 64.
Note:
It is strongly advised that device tuning only be carried out after consulting with Radware Technical Support.
Tuning Memory Check
The Device Tuning Table enables you to check in advance whether the configured values will cause memory allocation problems. For every value you update in a LinkProof table, the device can check whether sufficient memory is available. This is done automatically when you update tuning values in APSolute Insite. However, following the tuning changes, you can perform a manual check using Web Based Management or CLI.
In Web Based Management, select: Services > Tuning > Memory Check.
In CLI, use the command: system tune test-after-reset-values.
Device Notifications
This section describes the LinkProof Notifications feature which distributes warning
messages about failures and problems in network elements. Notification distribution
methods and configuration are described.
This section includes the following topics:
• Notifications - General, page 65
• E-mail Notification, page 66
Notifications - General
Most administrators prefer to receive a warning message about a network or server outage. To help
minimize the impact of failure in devices such as firewalls, routers or application servers, all
Radware devices provide a choice of notification methods:
CLI Traps, Syslog, E-mail.
To send traps by CLI, Telnet and SSH, the command is:
manage terminal traps-outputs set-on
For console only: manage terminal traps-outputs set normal
CLI Traps
When connected to any Radware product through a serial cable, the device generates traps when
events occur. For example, if a Next Hop Router fails, LinkProof generates the following error:
10-01-2003 08:35:42 WARNING NextHopRouter 10.10.10.10 Is Not Responding to Ping.
Send Traps To All CLI Users
This option enables you to configure whether traps will be sent only to the serial terminal or
also to SSH and Telnet clients.
Syslog
Event traps can also be mirrored to a syslog server. On LinkProof, as on all Radware
products, you can configure the appropriate information, using the Options > Preferences
> Traps and SMTP option. Any traps generated by the Radware device will be mirrored to
the specified syslog server.
The current Radware syslog mechanism enables you to define the status and the event log
server address. You can also define additional notification criteria such as Facility and
Severity, which are expressed by numerical values. Facility indicates the type of device of
the sender, while Severity indicates the importance or impact of the reported event.
The user-defined Facility value is used when the device sends Syslog messages. The default value is 21, which the device labels “Local Use 6” and which is the value used by previous LinkProof versions. Note that in the standard syslog facility numbering (RFC 3164) code 21 is local use 5 (local5) and code 22 is local use 6 (local6), so match the numeric code, not the label, to the facility your syslog server filters on.
The Severity value is determined dynamically by the device for each message that is sent.
E-mail Notification
You can configure the device to send e-mail messages to users listed in the device's User
Table. For each user, you can set the level of SNMP Traps notification the user receives. This
is done in the Users table; each user is assigned a level of severity and receives traps
according to that severity or higher.
The severity levels are: Info, Warning, Error and Fatal, see Users Table, page 46. When
assigned the severity level of Error, the user receives e-mail traps of events with severity
levels of Error and Fatal. This configuration applies both for SNMP traps and for SMTP email
notifications. SMTP notifications are enabled globally for the device.
In addition to the SNMP traps, another method of notification has been added to the device.
Using the Send E-mail on Errors option, you can configure traps to be sent by e-mail to
predefined users with different levels of severity.
To configure E-mail Notifications:
From the main window, select; Options > Preferences > Traps and SMTP.
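As an added example, not LinkProof code, the following Python parses a CLI trap line in the format quoted under CLI Traps, computes the syslog PRI value from a facility and severity, and applies the per-user severity threshold described under E-mail Notification. The regular expression, the mapping of the device's Info/Warning/Error/Fatal levels to syslog severity codes, the hostname, and the sample user table are assumptions of this example; the guide does not document how the device maps its levels onto syslog.

```python
"""Trap parsing, syslog PRI and e-mail recipient filtering (added example,
not LinkProof code).  Formats and mappings below are assumptions."""
import re
from datetime import datetime

# Trap line format assumed from the sample in the text:
# "<dd-mm-yyyy> <hh:mm:ss> <LEVEL> <message>"
TRAP_RE = re.compile(
    r"^(\d{2}-\d{2}-\d{4}) (\d{2}:\d{2}:\d{2}) (INFO|WARNING|ERROR|FATAL) (.+)$"
)

# Device severity levels in ascending order; a user set to Error gets Error and Fatal.
LEVELS = ["Info", "Warning", "Error", "Fatal"]

# Assumed mapping to RFC 3164 severity codes (0 = emergency ... 7 = debug).
SYSLOG_SEVERITY = {"Info": 6, "Warning": 4, "Error": 3, "Fatal": 2}

# RFC 3164 facility codes 16..23 are local0..local7: code 21 is local5, 22 is local6.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}


def parse_trap(line):
    """Return the trap's fields, or None if the line does not match the format."""
    m = TRAP_RE.match(" ".join(line.split()))
    if not m:
        return None
    date, time, level, message = m.groups()
    return {
        "time": datetime.strptime(f"{date} {time}", "%d-%m-%Y %H:%M:%S"),
        "severity": level.capitalize(),
        "message": message,
    }


def syslog_pri(facility, severity_code):
    """PRI as carried in the <PRI> header: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity_code <= 7):
        raise ValueError("facility or severity out of range")
    return facility * 8 + severity_code


def syslog_line(facility, trap, hostname="LinkProof"):
    """Render a trap as a BSD-syslog style line for the mirrored syslog server."""
    pri = syslog_pri(facility, SYSLOG_SEVERITY[trap["severity"]])
    stamp = trap["time"].strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname}: {trap['message']}"


def recipients(trap, users):
    """users maps a user name to its configured minimum level; a user receives
    traps at that level or higher (Error receives Error and Fatal)."""
    rank = LEVELS.index(trap["severity"])
    return sorted(name for name, level in users.items() if LEVELS.index(level) <= rank)


# Constructed sample, matching the Next Hop Router trap quoted in the text.
SAMPLE_TRAP = "10-01-2003 08:35:42 WARNING NextHopRouter 10.10.10.10 Is Not Responding to Ping."
```

With the device default facility of 21 and the assumed severity mapping, the sample trap is emitted as PRI 172 (21 * 8 + 4); a syslog server filtering on local6 would never see it, which is the point of checking the numeric facility code against the receiver's configuration.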
Configuration Trace
LinkProof is able to monitor any configuration changes on the device, and report those
changes by sending out e-mail notifications. Every time the value of a configuration variable
changes, information about all the variables in the same MIB entry is reported to users.
Configuration reports are enabled per user in the Users Table; see Users Table, page 46.
Note:
LinkProof optimizes the mailing process by gathering reports and sending
them in a single notification message once the buffer is full or once a timeout
of 60 seconds expires.
The notification message contains the following details:
• Name of the MIB variable that was changed
• New value of the variable
• Time of the configuration change
• Configuration tool that was used (APSolute Insite, Telnet, SSH, WBM)
• User name, when applicable
Utilities
This section describes additional device-related LinkProof utilities. This section includes the following topics:
• DNS Client, page 67
DNS Client
You can configure LinkProof to operate as DNS client. When the DNS client is disabled, IP
addresses cannot be resolved. When the DNS client is enabled, IP addresses can be
resolved in the following ways:
• Using the configured DNS servers, to which the DNS client sends queries about the IP addresses of a hostname.
• Using the pre-defined static table that includes hostnames and IP addresses.
To display the DNS table:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, select DNS. The DNS pane appears.
3. To enable the DNS client, select the Client DNS checkbox.
4. In the DNS Primary Address text box, type the address of the primary DNS server that is used to query IP addresses of hostnames.
5. In the DNS Alternate Address text box, type the address of the backup DNS server that is used to query IP addresses of hostnames in case the primary server is not in service.
6. To display the dynamic DNS table in the CLI, type the following command:
services dns nslookup <hostname>
The DNS table is displayed.
To define the static DNS table:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, select DNS. The DNS pane appears.
3. To enable the DNS client, select the Client DNS checkbox.
4. From the DNS pane, select the Static DNS option. The Static DNS Table window appears.
5. In the Static DNS Table window, set the following parameters according to the explanations provided:
Host Name: The hostname for which you want to set the IP address.
IP Address: The IP address of that hostname.
6. Click Add to apply. The new entry is listed in the Static DNS Table.
7. Click Ok to apply the Setup and exit.
Chapter 3 - Basic Switching & Routing
This chapter explains switching and routing in general, describes how LinkProof participates in these processes, and presents several aspects of the practical implementation of LinkProof.
This chapter includes the following sections:
• Port Settings, page 69
• Virtual LAN, page 72
• VLAN Tagging, page 76
• IP Addressing & Routing, page 78
Port Settings
This section provides information about LinkProof features which assist with traffic and port
management.
This section includes the following topics:
• Port Mirroring, page 69
• Port Trunking, page 70
• Port Rules, page 72
• Port Load Balancing Status, page 72
Port Mirroring
Port Mirroring enables the LinkProof device to duplicate traffic from one physical port on the
device to another physical port on the same device. This is useful, for example when an
Intrusion Detection System (IDS) device is connected to one of the ports on the LinkProof
device. You can configure port mirroring for received traffic only, for transmitted traffic only,
or for both. You can also decide whether to duplicate the received broadcast packets.
To configure Port Mirroring:
1. From the main window, double-click on the LinkProof device icon. The Setup window appears.
2. In the Setup window, select Networking > Port Mirroring. The Port Mirroring Table window appears, listing the current Input and Output Ports. You can set up the mirroring options for each port.
3. In the Port Mirroring Table window, select the port to configure and click Edit. The Edit Port Mirroring window appears.
4. In the Edit Port Mirroring window, choose the Receive/Transmit mode for the port you selected: Receive only, Transmit only or Both.
5. To receive broadcast packets, select Receive Broadcast.
6. Click Add to apply the Setup and click Ok to exit the window.
Notes: The following notes regarding Port Mirroring apply to all Application Switching Platforms:
i   It is possible to copy traffic from one Input Port to multiple Output Ports, or from many Input Ports to one Output Port.
ii  The Input Port, from which traffic is mirrored, must be an interface with a configured IP address, or an interface which is part of a VLAN (Regular or Switched) with a configured IP address.
iii The Output Port, to which the traffic is mirrored, cannot have an IP address, or be part of a VLAN (Regular or Switched) with a configured IP address.
iv  When mirroring traffic from a port which is part of a Switched VLAN, traffic between hosts on this VLAN is switched by the ASICs of the device. This type of traffic is not mirrored.
v   When mirrored traffic is received on a port which is part of a Switched VLAN, and the mirrored port is configured to mirror Received Broadcast packets, these packets are mirrored from all ports on the Switched VLAN.
vi  Traffic generated by the device itself, such as connectivity checks or management traffic, is not mirrored.
vii Regular VLAN traffic with a destination multicast MAC is not always mirrored.
Port Trunking
Port Trunking (also known as Link Aggregation) is a method of increasing bandwidth by
combining physical network links into a single logical link. Link aggregation increases the
capacity and availability of the communications channel between devices - both switches
and end stations - by using the Fast Ethernet and Gigabit Ethernet technology.
Multiple parallel physical links between two devices can be grouped together to form a
single logical link. Link aggregation also provides load balancing where processing and
communications activities are distributed across several links in a trunk, to prevent single
link overloading. Treating multiple LAN connections as one aggregated link, ensures the
following advantages:
• Higher link availability
• Increased link capacity
• Improvements in existing hardware: upgrading to higher-capacity link technology is not necessary.
Radware devices support port trunking according to the IEEE 802.3ad standard for link
aggregation. Link Aggregation is supported on the following:
• Links using the IEEE 802.3 MAC
• Point-to-point links
• Links operating in full duplex mode
Aggregation is permitted only among links with same speed and direction. On Radware
devices, bandwidth increments are provided in units of 100Mbps and 1Gbps respectively.
MAC Client traffic can be distributed across multiple links. To guarantee the correct ordering
of frames at the receiving-end station, all frames belonging to one conversation must be
transmitted through the same physical link. The algorithm for assigning frames to a
conversation depends on the application environment. Radware devices can define
conversations upon Layer 2, 3 or 4 information, or on combined layers. The failure or
replacement of a single link within a Link Aggregation Group does not cause failure from the
perspective of a MAC client.
The Radware port trunking function allows you to define up to eight trunks. Up to eight physical links can be aggregated into one trunk. All trunk configuration is static.
Notes: Trunks cannot be part of a Switched VLAN on AS4. Port Trunking limitations:
i   A port belonging to a trunk may not be copied to another port (copy port).
ii  A trunk cannot be mirrored.
iii Ports that are part of a trunk cannot be used in port rules; the entire trunk, however, can be used in port rules.
To configure Link Aggregation:
1. In the main window, right-click the device icon and select SetUp. The SetUp window appears.
2. In the SetUp window, click Networking > Link Aggregation. The Link Aggregation window appears.
3. In the Link Aggregation window, define the trunk’s algorithm for Layer 2, Layer 3, and Layer 4 according to the explanations provided:
Ignore: Ignore the headers of that layer.
Source Address: Consider the packet’s source only.
Destination Address: Consider the packet’s destination only.
Both Addresses: Consider the packet’s source and destination.
Note:
The same algorithm must be applied on the other switch participating in the trunk.
4. To associate ports with trunks, select a trunk from the list of trunks and click Edit. The Edit Link Aggregation window appears.
5. In the Edit Link Aggregation window, select the ports that you want to associate with the trunk and click OK.
6. To apply a new trunk definition to your device, add a new interface using the new trunk. In the SetUp window, click Add. The Interface window appears. Set the parameters according to the explanations provided:
If Num: Select a trunk from the dropdown list, for example, T-1.
IP Address: The trunk’s IP address.
Network Mask: The trunk’s network mask.
Broadcast Type: The broadcast address can be:
• ONEFILL: full of ones.
• ZEROFILL: full of zeros.
7. Click Ok. A new trunk appears in the Interface table.
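The following Python is an added example, not LinkProof code: a conversation-to-link assignment for a static trunk that follows the per-layer algorithm choices listed in step 3 (Ignore, Source Address, Destination Address, Both Addresses). The hash function, the frame field names and the sample frames are this example's own choices; the only properties taken from the text are that every frame of one conversation must be sent on the same physical link, that a failed member simply leaves the group, and that both ends of the trunk must use the same choice.

```python
"""Conversation hashing for a static trunk (added example, not LinkProof code).

Frames are dicts with src_mac/dst_mac and optional src_ip/dst_ip and
src_port/dst_port keys (an assumed layout).  The per-layer choice decides
which of those fields form the conversation key; the key is hashed to pick
one member link, so all frames of a conversation share a link.
"""
import hashlib

IGNORE, SRC, DST, BOTH = "ignore", "source", "destination", "both"


def _select(choice, src, dst):
    """Fields of one layer that take part in the conversation key."""
    if choice == IGNORE:
        return ()
    if choice == SRC:
        return (src,)
    if choice == DST:
        return (dst,)
    if choice == BOTH:
        return (src, dst)
    raise ValueError(f"unknown choice {choice!r}")


def conversation_key(frame, l2, l3, l4):
    """Tuple of the fields that define a conversation under this configuration."""
    key = ("L2",) + _select(l2, frame["src_mac"], frame["dst_mac"])
    key += ("L3",) + _select(l3, frame.get("src_ip"), frame.get("dst_ip"))
    key += ("L4",) + _select(l4, frame.get("src_port"), frame.get("dst_port"))
    return key


def choose_link(frame, links, l2=IGNORE, l3=BOTH, l4=IGNORE):
    """Return the member link for this frame; deterministic per conversation.

    The default (Layer 3 both addresses, other layers ignored) is only this
    example's default, not a device default."""
    if not links:
        raise ValueError("trunk has no member links")
    key = repr(conversation_key(frame, l2, l3, l4)).encode()
    digest = hashlib.sha256(key).digest()
    return links[int.from_bytes(digest[:4], "big") % len(links)]


def distribute(frames, links, **algo):
    """Map each frame to a link; frames of one conversation share a link."""
    return [choose_link(f, links, **algo) for f in frames]
```

Because the assignment is a pure function of the selected header fields, ordering within a conversation is preserved as the text requires; the cost is that a single large conversation never uses more than one member link, and a peer configured with a different layer choice will classify the same frames differently, which is why the note in step 3 insists on matching algorithms on both switches.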
Port Rules
Port Rules enable the LinkProof device to ensure that traffic received on a specific physical port on the device exits only via another specific physical port on the same device, and vice versa. This is useful for a simplified configuration process, without flow definitions, when LinkProof needs to load balance both routers and firewalls.
To configure Port Rules:
For security reasons the Port Rules feature is configured via CLI only, using the
command: lp port-rules set <inport> <outport>
Port Load Balancing Status
You can configure for each physical port on the device whether the traffic incoming through
this port should be load balanced or not. When the load balancing status is enabled, the
traffic coming through this port is load balanced or routed according to flow policies and
destination address. When the load balancing status is disabled, the traffic coming through
this port is always routed.
Port Load Balancing Status may be configured via WBM or CLI:
• Via Web Based Management: From the LinkProof menu, select LinkProof > Global Configuration > Port LB Status.
• Via CLI: the lp global port-lb-status command.
Virtual LAN
This section explains the concept of Virtual LANs, their functionality, and how to configure
them in conjunction with LinkProof.
This section includes the following topics:
• What is a Virtual LAN?, page 72
• LinkProof VLAN Types, page 72
• VLAN Configuration, page 74
• Redundancy, page 76
What is a Virtual LAN?
A Virtual LAN (VLAN) is a group of devices that share the same broadcast domain within a
switched network. Broadcast domains describe the extent that a network propagates a
broadcast frame generated by a device.
Some switches may be configured to support single or multiple VLANs. When a switch
supports multiple VLANs, the broadcast domains are not shared between the VLANs.
• The device learns the Layer 2 addresses on every VLAN port.
• Known unicast frames are forwarded to the relevant port.
• Unknown unicast frames and broadcast frames are forwarded to all ports.
LinkProof VLAN Types
LinkProof VLAN provides bridging functionality among ports assigned to the same VLAN.
LinkProof supports the following types of VLAN: Regular VLAN and Switched VLAN.
Regular VLAN
A Regular type VLAN can be described as an IP Bridge (a software bridge) between multiple ports that incorporates all the traffic redirection of the passing traffic at all layers (Layer 2 to Layer 7). Two protocols can be used with Regular VLANs:
IP Protocol: The VLAN must be assigned an IP address. All of the traffic between the ports
is intercepted transparently by the LinkProof application. Packets that need intelligent
intervention are checked and modified by LinkProof and then forwarded to the relevant port.
Other packets are simply switched by LinkProof as if they were on the same wire.
Other Protocol: A VLAN with the protocol "Other" cannot be assigned an IP address. This
type of VLAN is used to bridge the non-IP traffic through LinkProof. Note that this option can
be defined also with the Switched type VLAN (Switched VLAN protocol) for wire-speed
performance.
Switched VLAN
Switched VLAN provides wire-speed VLAN capabilities implemented through the hardware
switch fabric of the LinkProof device. Depending on the Protocol defined for the Switched
VLAN, frames are treated accordingly:
Switched VLAN Protocol: Frames arriving at VLAN port are switched according to Layer 2
information. LinkProof application does not intercept any traffic.
IP Protocol: Frames arriving at VLAN port are switched according to Layer 2 information,
except for frames with Layer 2 address same as LinkProof port Layer 2 address. Frames with
LinkProof Layer 2 destination are processed by the LinkProof application and then forwarded
accordingly.
Bridging
Once a VLAN is defined, LinkProof performs bridging among interfaces assigned to the same
VLAN. Bridging within a VLAN means that LinkProof learns the MAC addresses of frames
arriving from each physical interface, and maintains a list of MAC addresses per interface.
When a frame arrives from one interface, LinkProof looks for the frame destination
addresses within its address list according to the following conditions:
• If the destination address is listed on the same interface as the source address, LinkProof discards the frame.
• If the destination address is listed on another interface, LinkProof forwards the frame to the relevant interface.
• If the address is not listed on any interface, LinkProof floods the frame to all interfaces participating in the VLAN.
Note:
LinkProof enables users to modify the Address lists by registering additional
MAC addresses per interface. This is done from the Bridge Setup menu.
To add a MAC address to a port:
1. Double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, click Networking > VLAN. The Virtual LAN window appears.
3. From the Virtual LAN window, select Bridge Setup, select the port to which you wish to add a MAC address, and click Add. The Edit Global Forwarding Table window appears.
4. In the Edit Global Forwarding Table window, type the relevant MAC address and click Ok.
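The following Python is an added example, not LinkProof code: a learning bridge for one VLAN that implements the three forwarding conditions listed under Bridging, the Bridge Forwarding Table Aging Time parameter (minimum 10 seconds) described under VLAN Configuration, and a table size cap mirroring the Bridge Forwarding Table default of 1,024 entries in Table 6. The port names, the timestamps and the behaviour when the table is full (the frame is flooded and the new address is not learned) are this example's own assumptions, not documented device behaviour.

```python
"""Learning bridge with aging and a bounded forwarding table
(added example, not LinkProof code; port names and full-table behaviour assumed)."""


class LearningBridge:
    def __init__(self, ports, aging_time=300, max_entries=1024):
        # Aging Time minimum of 10 seconds, as in the VLAN parameters.
        if aging_time < 10:
            raise ValueError("aging time minimum is 10 seconds")
        self.ports = list(ports)
        self.aging_time = aging_time
        self.max_entries = max_entries
        self.table = {}  # mac -> (port, last_used)

    def _expire(self, now):
        """Delete entries whose Aging Time has elapsed since they were last used."""
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t < self.aging_time}

    def learn(self, mac, port, now):
        """Record the source address per interface; refreshing resets the counter.
        When the table is full, new addresses are not learned (assumption)."""
        if mac in self.table or len(self.table) < self.max_entries:
            self.table[mac] = (port, now)

    def forward(self, src_mac, dst_mac, in_port, now):
        """Return the ports the frame is sent to; [] means discarded."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self._expire(now)
        self.learn(src_mac, in_port, now)
        entry = self.table.get(dst_mac)
        if entry is None:
            # Not listed on any interface: flood to every other port in the VLAN.
            return [p for p in self.ports if p != in_port]
        port, _ = entry
        if port == in_port:
            # Listed on the same interface as the source: discard.
            return []
        # Listed on another interface: forward there and refresh the entry.
        self.table[dst_mac] = (port, now)
        return [port]
```

The size cap is the security-relevant part: a host that sources frames from thousands of random MAC addresses fills the table, after which every new address is unknown and its traffic is flooded to all ports of the VLAN. Raising the Bridge Forwarding Table size in Table 6 delays that point but does not remove it, so a port that faces untrusted hosts should not rely on the bridge table for traffic isolation.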
VLAN Configuration
In the Transparent LinkProof Configuration using VLAN example (Figure 1), LinkProof is configured with two VLANs: a Network side VLAN (interface number 100003) and a User side VLAN (interface number 100005). Both VLANs are defined as Switched type, to gain wire-speed throughput.
To enable LinkProof to perform Traffic Redirection policies on traffic destined to the Internet, the VLAN protocol is set to IP. This requires clients to configure LinkProof as their default router.
Figure 1 - Transparent LinkProof Configuration using VLAN. (Figure not reproduced. Labels in the figure: Internet; Users; Router 10.1.1.20; Port 1, Network Side; Virtual Address 10.1.1.100; LinkProof IP VLAN Interface 10.1.1.10; Port 2, Server Side; Server 10.1.1.1; Server 10.1.1.2.)
Table 10: VLAN Definitions in LinkProof
Interface Number   Protocol   VLAN Type
100003             IP         Switched
100005             IP         Switched
To create a VLAN:
1. From the Setup window, select Networking > VLAN. The Virtual LAN window appears.
2. In the Virtual LAN window, select Setup. To connect a physical port on the device to the VLAN you are creating, select the checkboxes of the ports you want to assign to the VLAN in the Assign Port to VLAN pane.
3. Set the remaining parameters according to the explanations provided:
Interface Number: Type the interface number of the VLAN (otherwise it is assigned automatically by the management station).
Type: Select the required VLAN type:
• Regular: The device acts as a bridge.
• Switched VLAN: The Switched type is a Layer 2 VLAN. A Switched VLAN can be stand-alone or part of a Regular VLAN.
Protocol: Select the required VLAN protocol.
Note:
You can choose IP or swVLAN only when the VLAN type is Switched. Otherwise, the protocol is IP or Other.
4. Click Add. The new VLAN appears in the VLAN Table.
To configure VLAN parameters:
1. From the Setup window, select Networking > VLAN. The Virtual LAN window appears.
2. In the Virtual LAN window, click Parameters. Set the following parameters according to the explanations provided:
802.1q Environment (check box): Enables or disables VLAN tagging.
VLAN Tag Handling: The handling method of VLAN tagging (enabled only if the 802.1q Environment checkbox is selected). The possibilities are:
• Overwrite: The device performs VLAN tagging of outgoing traffic in accordance with the IP Interface configuration. The device sets tags for packets according to the following parameters: the destination IP of the packet if it is on the same local subnet as the device, OR the MAC address of the firewall that is configured on the device and through which the packet is sent.
• Retain: The device preserves existing VLAN tags on the incoming traffic that passes through the device. Traffic generated by the device is tagged according to the IP Interface configuration.
Auto Config Aging Time: Define the port refresh time when using VLAN Auto configuration.
Ethernet Type (for user-defined VLANs): Define the Ethernet type for user-defined VLANs. With this parameter, you can configure the VLAN to forward other types of protocols.
Ethernet Type Mask (for user-defined VLANs): Define the mask on the Ethernet type for user-defined VLANs.
Bridge Address: Type the MAC address used by the device.
Bridge Type: Define the types of bridging the device can perform.
Bridge Forwarding Table Aging Time: Indicate how long unused entries remain in the Forwarding Table (in seconds). The counter is reset each time the entry is used. When the Aging Time period expires, the entries are deleted from the table. Minimum value: 10 seconds.
3. Click Apply to save the configuration and click Ok to close the window.
Tip:
From the Bridge Setup tab, you can monitor, add to and edit the bridge forwarding nodes. See "IP Addressing & Routing" on page 78.
Redundancy
When working with VLANs, two LinkProofs can be configured in an Active / Backup
redundancy Setup.
For more information about LinkProof Redundancy settings, see Redundancy, page 203.
VLAN Tagging
This section explains VLAN Tagging support, how VLAN tags are used in configurations with LinkProof, and the VLAN Tagging enhancements.
This section includes the following topics:
• VLAN Tagging Support, page 76
• Using VLAN Tagging, page 76
• VLAN Tagging Enhancements, page 78
VLAN Tagging Support
VLAN Tagging is an IEEE standard (802.1q) for supporting multiple VLANs associated with
the same switch port. Each VLAN is tagged with a unique identifier to allow the identification
of different VLANs traffic on the same physical port.
The VLAN tag is a field in the Layer 2 header that tells a switch which VLAN a frame belongs to, so that the switch can deliver it to the corresponding VLAN on another switch. When the same VLANs are configured on two different switches, the switches are usually interconnected by a single cable, and the ports at each end of that cable (for example, port 10 on each switch) belong to all of the VLANs on that switch. The switch therefore needs the tag to know to which VLAN a frame arriving on port 10 belongs, as this port belongs to all the VLANs.
Using VLAN Tagging
VLAN Tagging (802.1q) support can be used with LinkProof, where LinkProof is connected to
multiple VLANs on the same switch, and different servers are assigned to different VLANs.
The VLAN tagging support is based on the local subnet to which the traffic is sent, or on the
destination MAC of the packet. Therefore, LinkProof cannot tag packets by the destination
subnet if it is not local to the LinkProof. The switch connected to the LinkProof must be
configured consistently with the LinkProof tagging configuration.
Each IP interface can have a VLAN tag associated with it.
LinkProof recognizes an IP interface as a physical port/IP address combination.
Note:
LinkProof determines the tag that is used according to the destination IP of
the packet after LinkProof has made all the required modifications to the
packet. For example, when using Local Triangulation, LinkProof forwards
packets to servers with destination IP of the farm, hence these packets are
tagged according to the tag in the configuration of the IP interface associated
with the farm IP.
Using LinkProof with VLAN tagging, all packets that are sent to the destination MAC address of a Next Hop Router (whose IP address is on a local subnet that is associated with a tag-configured IP interface) carry the VLAN tag, regardless of the destination IP address of the packet. In addition, all packets sent to any destination host on a tag-configured IP interface carry the VLAN tag. This includes:
• All Health Check packets from the LinkProof to the Next Hop Routers, including Full Path Health Monitoring.
• ARP requests and responses from the LinkProof to the Next Hop Routers.
• Unicast ARPs between redundant LinkProofs.
• Gratuitous ARPs, as part of the redundancy mechanism.
If an IP interface does not have a VLAN tag configured, then the packets are sent without a
tag (standard Layer 2 MAC header).
Configurable VLAN ID values range from 1 to 4063. LinkProof automatically sets the 802.1p
portion of the tag (the first 3 bits) to 000.
In VLAN Tagging Configuration, page 78, Tag 101 is associated to IP interface 10.1.1.10 and
tag 102 is associated to IP Interface 20.1.1.10.
Figure 2 - VLAN Tagging Configuration
[Figure: LinkProof port P1 carries IP interface 10.1.1.10 with Tag 101, connected to the 10.1.1.x servers, and IP interface 20.1.1.10 with Tag 102, connected to the 20.1.1.x servers.]
All traffic to the 10.1.1.x servers is tagged with VLAN tag 101, while all traffic to the 20.1.1.x servers is tagged with VLAN tag 102.
Note:
VLAN tagging is supported for AS1 and AS2 platforms.
To set a VLAN tag for an IP Interface:
1. Double-click the LinkProof device icon. The Setup window appears.
2. In Setup window, select an existing interface and click Edit, or click Add. The Interface
window appears, see Setting Up Interface IP Addresses, page 79.
3. In the Interface window, set the VLAN Tag parameter as required. Value of 0 indicates
that no tag is used.
4. Click Ok to apply changes and to exit all windows.
VLAN Tagging Enhancements
In addition to configuring which VLAN Tags should be set according to the destination local subnet or according to the Next Hop Router (NHR), you may also retain the existing VLAN Tags on the incoming traffic that passes through the device.
In APSolute Insite, users can configure this feature using the VLAN Parameters window. In Web Based Management, users can configure this feature using the VLAN Tagging window from the Device menu.
Users can also configure this feature using the CLI command: net vlan-tag-handling
1. Set 802.1q Environment to Enable.
2. Set VLAN Tag Handling to Retain (the default value is Overwrite).
Note:
If a packet arrives without a VLAN tag, LinkProof sets a tag according to the destination local subnet.
Additional Features:
• You may configure the same VLAN Tag on multiple interfaces.
• You may configure a VLAN Tag on a VLAN interface.
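The tagging rules from Using VLAN Tagging and the Overwrite/Retain handling from this section are easy to misread, so the following added example (not part of this guide and not Radware code) models them as a small decision function and builds the resulting 802.1Q header. It uses the Figure 2 interfaces (10.1.1.10/Tag 101, 20.1.1.10/Tag 102); the IpInterface and VlanTagger classes, the NHR table format and the assumed NHR at 10.1.1.1 with MAC 00:11:22:33:44:55 are this example's own.

```python
"""VLAN tag selection modelled on the LinkProof tagging rules described above.

Added example, not Radware code. It follows the guide's rules:
  - a packet sent to the MAC of a configured Next Hop Router gets the tag of
    the IP interface whose subnet holds that NHR, regardless of destination IP;
  - otherwise the tag comes from the IP interface whose local subnet contains
    the destination IP, and non-local destinations cannot be tagged;
  - the 802.1p priority bits are set to 000;
  - VLAN Tag Handling 'Retain' keeps an incoming tag, 'Overwrite' replaces it,
    and an untagged arrival is tagged by the destination local subnet.
The IpInterface/VlanTagger classes and the NHR table format are assumptions.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100
VLAN_ID_MAX = 4063  # configurable range quoted by the guide for this product


@dataclass(frozen=True)
class IpInterface:
    address: str    # interface IP, e.g. "10.1.1.10"
    prefixlen: int  # network mask length, e.g. 24
    vlan_tag: int   # 0 means "no tag is used"

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.address}/{self.prefixlen}", strict=False)


class VlanTagger:
    def __init__(self, interfaces, nhr_table, mode="Overwrite"):
        if mode not in ("Overwrite", "Retain"):
            raise ValueError("mode must be Overwrite or Retain")
        for itf in interfaces:
            if not 0 <= itf.vlan_tag <= VLAN_ID_MAX:
                raise ValueError(f"tag {itf.vlan_tag} outside 0..{VLAN_ID_MAX}")
        self.interfaces = list(interfaces)
        # nhr_table: {nhr_mac: nhr_ip} as learned by ARP (assumed representation)
        self.nhr_by_mac = {m.lower(): ipaddress.ip_address(ip) for m, ip in nhr_table.items()}
        self.mode = mode

    def tag_for_destination(self, dst_ip: str, dst_mac: str) -> int:
        """VLAN ID (0 = untagged) derived from the destination MAC/IP."""
        nhr_ip = self.nhr_by_mac.get(dst_mac.lower())
        key = nhr_ip if nhr_ip is not None else ipaddress.ip_address(dst_ip)
        for itf in self.interfaces:
            if key in itf.network:
                return itf.vlan_tag
        return 0  # destination subnet is not local: cannot tag

    def outgoing_tag(self, dst_ip: str, dst_mac: str, incoming_tag: Optional[int]) -> int:
        """Apply the VLAN Tag Handling mode to a forwarded packet."""
        if self.mode == "Retain" and incoming_tag:
            return incoming_tag              # existing tag preserved
        return self.tag_for_destination(dst_ip, dst_mac)


def build_8021q_header(vlan_id: int) -> bytes:
    """TPID 0x8100 followed by the TCI: PCP=000, DEI=0, 12-bit VLAN ID."""
    if not 0 < vlan_id <= VLAN_ID_MAX:
        raise ValueError("vlan_id out of range")
    tci = (0 << 13) | (0 << 12) | (vlan_id & 0x0FFF)
    return struct.pack("!HH", TPID_8021Q, tci)


def figure2_tagger(mode="Overwrite") -> VlanTagger:
    """Topology of Figure 2 plus one assumed NHR at 10.1.1.1 (constructed)."""
    interfaces = [IpInterface("10.1.1.10", 24, 101), IpInterface("20.1.1.10", 24, 102)]
    nhr_table = {"00:11:22:33:44:55": "10.1.1.1"}   # assumed NHR MAC/IP
    return VlanTagger(interfaces, nhr_table, mode)


if __name__ == "__main__":
    t = figure2_tagger()
    print(t.tag_for_destination("10.1.1.50", "aa:bb:cc:dd:ee:01"))   # 101
    print(t.tag_for_destination("8.8.8.8", "00:11:22:33:44:55"))    # 101 via NHR
    print(build_8021q_header(102).hex())                              # 81000066
```

The second print shows the point that matters operationally: a packet for a non-local destination is still tagged when it is handed to a tag-configured NHR, because the NHR's MAC, not the packet's destination IP, selects the interface. Check the switch side of every such link accepts that tag, or health checks and ARP toward the NHR are dropped silently.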
IP Addressing & Routing
This section explains the configuration of IP addressing and routing, and includes the following topics:
• IP Addressing, page 79
• Routing, page 79
• Routing Information Protocol, page 80
• Open Shortest Path First, page 82
IP Addressing
IP addresses are actually 32-bit binary numbers (for example, 11000000101010000000000100010100, which is 192.168.1.20 in dotted-decimal notation). Each 32-bit IP address consists of two sub-addresses, one identifying the network and the other identifying the host on that network, with an imaginary boundary separating the two.
The location of the boundary between the network and host portions of an IP address is
determined through the use of a subnet mask. A subnet mask is another 32-bit binary
number that acts like a filter when it is applied to the 32-bit IP address. By comparing a
subnet mask with an IP address, systems determine which portion of the IP address relates
to the network, and which portion relates to the host. Anywhere the subnet mask has a bit
set to "1", the underlying bit in the IP address is part of the network address. Anywhere the
subnet mask is set to "0", the related bit in the IP address is part of the host address.
Setting Up Interface IP Addresses
LinkProof performs routing between all the defined IP interfaces. Using the main Setup
window, you can define the IP addresses for LinkProof interfaces, assigning an IP address
and IP Network Mask for each defined interface.
Routing
Routing is LinkProof's ability to forward IP packets to their destination using an IP routing table. The IP Routing Table stores information about the destinations and how they can be reached. By default, all networks directly attached to LinkProof are registered in the IP Routing Table. Other entries in the table can either be statically configured or dynamically created through the routing protocol.
• When LinkProof forwards an IP packet, the IP Routing Table is used to determine the next-hop IP address and the next-hop interface.
• For a direct delivery (the destination is a neighboring node), the next-hop MAC address is the destination MAC address for the IP packet.
• For an indirect delivery (the destination is not a neighboring node), the next-hop MAC address is the address of an IP router according to the IP Routing Table.
• The destination IP address does not change on the path from source to destination; the destination MAC (Layer 2 information) is manipulated to move a packet across networks.
• The MAC of the destination host is applied once the packet arrives on the destination network.
Setting up the Routing Table
LinkProof supports IP routing compliant with the RFC 1812 router requirements. Dynamic addition and deletion of IP interfaces is supported. This ensures that extremely low latency is maintained.
The IP router supports RIP I, RIP II and OSPF routing protocols. OSPF is an intra-domain IP routing protocol, intended to replace RIP in bigger or more complex networks. OSPF and its MIB are supported as specified in RFC 1583 and RFC 1850, with some limitations.
The LinkProof Routing Table allows you to configure routing and to define the default
gateway.
To configure routing:
1. Double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, click Networking > Routing Table. The Routing Table window appears.
3. In the Routing Table window, click Add. The Edit Physical Route window appears.
4. In the Edit Physical Route window, set the following parameters according to the explanations provided:
Destination IP Address:
Type the destination network to which the route is defined.
Network Mask:
Type the network mask of the destination subnet.
Next Hop:
Type the IP address of the next hop towards that destination subnet. The next hop must reside on a subnet which is local to the device.
If Num:
Type the interface index number for the local interface or VLAN through which the next hop of this route is reached.
Metric:
Define the number of hops to the destination network.
Type:
Define the type of route:
• Remote (forwards packets)
• Reject (discards packets)
• Local (read-only)
5. Click Ok to apply the Setup and to exit the window.
To configure a default gateway:
1. Follow steps 1-3 of To configure routing, page 79.
2. In the Edit Physical Route window (see step 3 above), type the relevant values for the Next Hop parameter and for the If Num parameter. For the Destination IP Address and Network Mask parameters, use the default values (0.0.0.0).
3. Click Ok to apply the Setup and to exit all windows.
Note:
You can set a backup default gateway for LinkProof.
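To make the direct/indirect delivery rules and the Routing Table parameters above concrete, here is an added example (not part of this guide and not Radware code) of a routing table with the three route types, the local-next-hop check and a default gateway with a backup. Addresses are taken from the multihoming figures later in this chapter; the Route and RoutingTable classes, the longest-prefix-then-lowest-metric selection and the withdraw() method used to model a failed gateway are this example's own assumptions.

```python
"""IP routing table lookup modelled on the Routing Table window and the
direct/indirect delivery rules above.

Added example, not Radware code. Directly attached networks are registered
automatically as Local (read-only) routes, Remote routes forward to a next hop
that must lie on a local subnet, Reject routes discard, and a 0.0.0.0/0.0.0.0
entry is the default gateway. The RoutingTable/Route classes, the
longest-prefix-then-lowest-metric selection and withdraw() are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: str               # Destination IP Address, e.g. "0.0.0.0"
    mask: str               # Network Mask, e.g. "0.0.0.0"
    next_hop: str           # Next Hop (ignored for Reject and Local)
    if_num: int             # If Num: interface/VLAN index toward the next hop
    metric: int = 1         # Metric: hop count
    rtype: str = "Remote"   # Type: Remote | Reject | Local

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.dest}/{self.mask}", strict=False)


class RoutingTable:
    def __init__(self, interfaces):
        # interfaces: {if_num: "address/prefixlen"} for each defined IP interface
        self.local = {n: ipaddress.ip_interface(c) for n, c in interfaces.items()}
        self.routes = [Route(str(i.network.network_address), str(i.network.netmask),
                             "0.0.0.0", n, 0, "Local") for n, i in self.local.items()]

    def add(self, r: Route) -> None:
        if r.rtype == "Local":
            raise ValueError("Local routes are read-only")
        if r.rtype not in ("Remote", "Reject"):
            raise ValueError("Type must be Remote, Reject or Local")
        if r.rtype == "Remote":
            nh = ipaddress.ip_address(r.next_hop)
            itf = self.local.get(r.if_num)
            if itf is None or nh not in itf.network:
                raise ValueError("next hop must reside on a subnet local to the device")
        self.routes.append(r)

    def withdraw(self, next_hop: str) -> None:
        """Drop every route via a gateway (e.g. after its health check fails)."""
        self.routes = [r for r in self.routes if r.next_hop != next_hop]

    def lookup(self, dst: str):
        """Return (action, ip_to_arp_for, if_num) for a destination address."""
        d = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if d in r.network]
        if not cands:
            return ("no-route", None, None)
        best = max(cands, key=lambda r: (r.network.prefixlen, -r.metric))
        if best.rtype == "Reject":
            return ("discard", None, best.if_num)
        if best.rtype == "Local":
            return ("direct", dst, best.if_num)         # neighbor: ARP for dst itself
        return ("forward", best.next_hop, best.if_num)  # ARP for the router


def figure3_table() -> RoutingTable:
    """Constructed from Figure 3: LAN on if 1, ISP links on if 2 and 3."""
    rt = RoutingTable({1: "10.1.1.1/24", 2: "100.1.1.1/24", 3: "200.1.1.1/24"})
    rt.add(Route("0.0.0.0", "0.0.0.0", "100.1.1.20", 2, metric=1))   # default gateway
    rt.add(Route("0.0.0.0", "0.0.0.0", "200.1.1.20", 3, metric=2))   # backup gateway
    rt.add(Route("192.168.0.0", "255.255.0.0", "0.0.0.0", 1, rtype="Reject"))
    return rt


if __name__ == "__main__":
    rt = figure3_table()
    print(rt.lookup("10.1.1.80"))   # ('direct', '10.1.1.80', 1)
    print(rt.lookup("8.8.8.8"))     # ('forward', '100.1.1.20', 2)
    rt.withdraw("100.1.1.20")
    print(rt.lookup("8.8.8.8"))     # ('forward', '200.1.1.20', 3)
```

A Reject route is worth remembering as a control, not just a routing detail: an explicit Reject for address space you never expect to reach (here 192.168.0.0/16) stops such traffic from silently following the default gateway out of an ISP link.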
Routing Information Protocol
Routing Information Protocol (RIP) is a commonly used protocol for managing router information within a self-contained network, such as a corporate local area network or an interconnected group of such LANs. RIP is classified by the Internet Engineering Task Force (IETF) as one of several Interior Gateway Protocols (IGPs). RIP is intended for small, homogeneous networks.
Using RIP, a gateway host (with a router) sends its entire routing table, which lists all the other hosts that it recognizes, to its closest neighbor host every 30 seconds. The neighbor host then passes the information on to its next available neighbor, and so on, until all hosts within the network have the same knowledge of routing paths; this is known as network convergence. RIP uses a hop count as the means of determining network distance. Other protocols use more sophisticated algorithms, including timing. Each host with a router in the network uses the routing table information to determine the next host to which a packet for a specified destination is routed.
LinkProof supports RIP version 1 and RIP version 2. Because RIP version 1 updates (RFC 1058) carry no authentication, any neighbor on a RIP-enabled interface can inject routes into the LinkProof routing table; on interfaces where LinkProof does not need to learn routes, set Incoming RIP to Do Not Receive (see below).
The RIP protocol is configured from the LinkProof RIP Parameters window.
To view the LinkProof RIP Parameters window:
1. From the Setup window, select Networking > RIP. The RIP Parameters window appears, which contains the following protocol options:
Leak OSPF Routes: (checkbox)
Controls redistribution of routes from OSPF to RIP. When this parameter is enabled, all routes learned through OSPF are advertised into RIP.
Leak Static Routes: (checkbox)
Controls redistribution of static routes into RIP. When this parameter is enabled, all the static routes defined in the Routing Table are advertised into RIP.
2. Select the RIP parameter and click Edit. The RIP Parameters window appears.
3. From the RIP Parameters window, set the following parameters according to the explanations provided:
IP Address:
Type the IP address of the current interface.
Outgoing RIP:
Define the type of RIP to be sent:
RIP version 1: Sending RIP updates compliant with RFC 1058.
RIP version 2: Multicasting RIP-2 updates.
Do Not Send: No RIP updates are sent.
Incoming RIP:
Define the type of RIP to be received:
RIP 1: Accepting RIP 1.
RIP 2: Accepting RIP 2.
Do Not Receive: No RIP updates are accepted.
Default Metric:
Metric for the default route entry in RIP updates originated on this interface. 0 (zero) indicates that no default route must be originated; in this case, a default route through another router may be propagated.
Virtual Distance:
Define the virtual number of hops assigned to the interface. This enables fine-tuning of the RIP routing algorithm.
Status:
Define the status of RIP in the router.
Auto Send:
Enable this option to minimize network traffic when LinkProof is the only router on the network.
Note:
When this parameter is enabled, this device advertises RIP messages with the default metric only. This allows some stations to learn the default router address. If the device detects another RIP message, Auto Send is disabled.
4. Click Ok to apply the configuration and to exit all windows.
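The following added example (not part of this guide and not Radware code) shows how the per-interface RIP parameters above shape what a distance-vector router accepts and announces: Incoming RIP as a version filter, Virtual Distance added to learned metrics, Default Metric 0 meaning "originate no default", and Auto Send restricting advertisements to the default route. The hop-count metric and 30-second period are from the RIP description above; the infinity metric of 16 is from RFC 1058. The RipInterface/RipTable classes, the assumption that "RIP 2" accepts only version 2 messages, and the sample addresses are this example's own.

```python
"""Distance-vector (RIP) update handling modelled on the RIP Parameters window above.

Added example, not Radware code. Hop-count metric, Incoming/Outgoing RIP,
Virtual Distance, Default Metric (0 = no default originated) and Auto Send
follow the guide; RIP_INFINITY is from RFC 1058. Classes and addresses are
assumptions, as is treating 'RIP 2' as accepting version 2 messages only.
"""
from dataclasses import dataclass, field

RIP_INFINITY = 16  # RFC 1058: a metric of 16 means "unreachable"


@dataclass
class RipInterface:
    ip: str
    outgoing: str = "RIP version 2"  # "RIP version 1" | "RIP version 2" | "Do Not Send"
    incoming: str = "RIP 2"          # "RIP 1" | "RIP 2" | "Do Not Receive"
    default_metric: int = 0          # 0: do not originate a default route
    virtual_distance: int = 1        # hops added to every route learned here
    auto_send: bool = False


@dataclass
class RipRoute:
    metric: int
    next_hop: str


@dataclass
class RipTable:
    routes: dict = field(default_factory=dict)  # "net/len" -> RipRoute

    def receive(self, iface: RipInterface, version: int, neighbor: str, entries) -> int:
        """Process one update ([(prefix, metric), ...]) from `neighbor`; return routes changed."""
        if iface.incoming == "Do Not Receive":
            return 0                                   # nothing from the wire is trusted
        if (iface.incoming == "RIP 1") != (version == 1):
            return 0                                   # wrong RIP version for this interface
        changed = 0
        for prefix, metric in entries:
            new = min(metric + iface.virtual_distance, RIP_INFINITY)
            cur = self.routes.get(prefix)
            from_same_hop = cur is not None and cur.next_hop == neighbor
            if cur is None or new < cur.metric or (from_same_hop and new != cur.metric):
                if new >= RIP_INFINITY:
                    if from_same_hop:                  # our next hop lost the route
                        del self.routes[prefix]
                        changed += 1
                    continue
                self.routes[prefix] = RipRoute(new, neighbor)
                changed += 1
        return changed

    def advertise(self, iface: RipInterface):
        """Entries sent on `iface` at the next periodic (30 s) update."""
        if iface.outgoing == "Do Not Send":
            return []
        out = []
        if iface.default_metric > 0:
            out.append(("0.0.0.0/0", iface.default_metric))
        if iface.auto_send:
            return out                                 # default route only
        out.extend((p, r.metric) for p, r in sorted(self.routes.items(), key=lambda kv: kv[0]))
        return out


if __name__ == "__main__":
    table, lan = RipTable(), RipInterface("10.1.1.1")
    table.receive(lan, 2, "10.1.1.2", [("172.16.0.0/16", 2)])   # learned as metric 3
    print(table.routes)
    print(table.advertise(RipInterface("10.1.1.1", default_metric=1, auto_send=True)))
```

Note what receive() does not check: the sender's identity. Anything answering on the segment with a lower metric replaces the existing next hop, which is exactly why the interfaces facing untrusted segments belong on Do Not Receive.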
Open Shortest Path First
Open Shortest Path First (OSPF) is an interior gateway routing protocol developed for IP networks and based on the shortest path first (link-state) algorithm.
Routers use link-state algorithms to send routing information to all nodes in a network; each node calculates the shortest path to every other node from the network topology it has constructed.
After sending the routing information, each router sends the portion of the routing table (keeping track of routes to particular network destinations) that describes the state of its own links, as well as the complete routing structure (topology).
Shortest path first algorithms allow more frequent updates.
Note:
Shortest path first algorithms require a lot of CPU power and memory.
With OSPF, you can build a more stable network, since fast convergence prevents such problems as routing loops and Count-to-Infinity (when routers continuously increment the hop count to a particular network).
The OSPF protocol is configured from the LinkProof OSPF window.
To view the OSPF window:
1. Double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, click Networking > OSPF. The OSPF window appears.
Chapter 4 - Basic Application Switching
This chapter introduces farm management and guides you through farm-related features. It also provides examples of common configurations of application switching and load balancing schemes.
This chapter includes the following sections:
• LinkProof Multihoming Overview, page 83
• Cluster Support, page 86
• Farm Management, page 88
• Server Management, page 100
• Network Address Translation, page 105
• Proximity, page 115
• DNS, page 118
• Basic Load Balancing, page 123
• Flow Management, page 146
• VPN Load Balancing, page 154
• Client Table, page 159
LinkProof Multihoming Overview
This section explains how LinkProof manages all links across multi-homed networks.
LinkProof is an intelligent application switch that manages all links across multi-homed networks, enabling full link availability, highest link performance and complete link security for uninterrupted user access to web-enabled applications, providing cost-effective connectivity at main offices and data centers.
Load balancing of outbound and inbound traffic must be addressed individually, as each type poses a different set of difficulties; LinkProof therefore customizes its implementation for each type of traffic.
Outbound Traffic
Outbound traffic is traffic initiated from the local network to a remote destination over the
WAN.
LinkProof load balances outbound traffic based on availability and performance of the
available links while managing the IP address ranges assigned to the network from various
ISPs.
Figure 3 - Multihoming Outbound Traffic
[Figure: the Local Network 10.1.1.x sits behind LinkProof, whose WAN-side interfaces are 100.1.1.1 and 200.1.1.1. Traffic sent via NHR 1 (100.1.1.20) uses NAT address 100.1.1.2; traffic sent via NHR 2 (200.1.1.20) uses the NAT address assigned to that link.]
Multihoming Outbound Traffic, page 84 displays a scenario where a user on the local network (IP 10.1.1.80, for example) sends an outbound HTTP request to the Internet. The traffic is processed as follows:
1. The new user session reaches LinkProof and activates the load balancing mechanism.
2. LinkProof classifies the traffic according to the configured routing policies (flow policies) to select the group of WAN links (Router farm) that will be used for this traffic.
3. LinkProof selects an outbound link for this traffic from the Router farm chosen in step 2, based on:
— link availability, measured according to user-defined criteria (health checks)
— link metrics, measured according to user-defined criteria (traffic amount, proximity, cost)
4. Once the load balancing decision is reached, it is recorded in LinkProof tables (Client Table) for use on the rest of the session traffic.
5. Before forwarding the traffic to the selected link, the source IP address and TCP/UDP port are replaced by a NAT address allocated by the selected ISP and a new TCP/UDP port (for example, src=10.1.1.80 is replaced by src=200.1.1.21).
6. The reply from the Internet Web server arrives via the same link because it is addressed to the NAT IP (dst=200.1.1.21).
7. LinkProof translates the destination IP from the NAT IP (200.1.1.21) to the user IP (10.1.1.80) and forwards the reply to the user.
8. LinkProof ensures that subsequent packets from the user belonging to the same session use the same WAN link, to ensure persistency (as recorded in the Client Table).
Inbound Traffic
Inbound traffic is traffic initiated from an external user to a service provided by the local
network, such as a Web server.
LinkProof load balances inbound traffic based on availability and performance of the
available links and provides the external user access via the best performing link. This is
implemented by configuring the LinkProof as an authoritative name server. When the
external client makes a DNS request, the LinkProof responds with the IP address allocated
to the internal service by the best available WAN link (ISP).
Figure 4 - Multihoming Inbound Traffic
[Figure: www.radware.com is hosted by internal server 10.1.1.50 behind LinkProof, whose WAN-side interfaces are 100.1.1.10 and 200.1.1.10. The server is reachable through a NAT address via NHR 1 (100.1.1.20) and through another NAT address via NHR 2 (200.1.1.20).]
Multihoming Inbound Traffic, page 85 shows a scenario where an external user sends a request to www.radware.com, which is hosted by internal server 10.1.1.50 and represented externally by 100.1.1.21 via ISP1 and 200.1.1.21 via ISP2. The traffic is processed as follows:
1. The external user sends a DNS query that is forwarded by DNS servers to LinkProof.
2. If this is a domain name for which LinkProof is the authoritative server, LinkProof classifies the traffic according to the configured routing policies (flow policies) to select the group of WAN links (Router farm) that will be used for this traffic.
3. LinkProof selects an inbound link for this traffic from the Router farm chosen in step 2, based on:
— link availability, measured according to user-defined criteria (health checks)
— link metrics, measured according to user-defined criteria (traffic amount, proximity, cost)
4. Once the load balancing decision is reached, it is recorded in LinkProof tables (Client Table) for use on the rest of the session traffic.
5. A DNS response is sent back to the external user with the IP that represents the internal server via the selected link (ISP), for example 100.1.1.21.
6. The external user sends an HTTP request to 100.1.1.21. LinkProof replaces the destination IP address with the internal server address (10.1.1.50 in our case).
7. The reply from the internal server is forwarded via the same link on which the request arrived, to ensure persistency, after the source IP (10.1.1.50) is replaced by the NAT IP (100.1.1.21).
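The outbound steps 1-8 and the inbound steps 1-7 above share one mechanism: a link is chosen once, the choice is recorded in the Client Table, and NAT makes the return path land on the same link. The following added example (not part of this guide and not Radware code) walks both flows with the addresses of Figures 3 and 4: ISP1 via NHR 100.1.1.20 with Dynamic NAT 100.1.1.2, ISP2 via NHR 200.1.1.20, and Static NAT 100.1.1.21 / 200.1.1.21 for the server 10.1.1.50 that hosts www.radware.com. The Dynamic NAT address 200.1.1.2 for ISP2 (left blank in Figure 3), the Internet client 203.0.113.10, the fewest-sessions link metric, the port allocation and the class layout are this example's assumptions, and health checks are reduced to a boolean per link.

```python
"""Multihoming data path modelled on the outbound and inbound scenarios above.

Added example, not Radware code. Addresses from Figures 3 and 4 and the text;
200.1.1.2, 203.0.113.10, the link metric, the port allocation and the classes
are assumptions. Health checks are a boolean per link.
"""
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str
    nhr: str            # Next Hop Router for this WAN link
    dyn_nat: str        # Dynamic NAT source address used on this link
    healthy: bool = True
    sessions: int = 0   # traffic-amount metric used for link selection


@dataclass
class LinkProof:
    links: list
    static_nat: dict = field(default_factory=dict)    # (internal ip, link) -> public ip
    dns_names: dict = field(default_factory=dict)     # fqdn -> internal ip (authoritative)
    client_table: dict = field(default_factory=dict)  # 4-tuple -> (link, nat ip, nat port)
    reverse_nat: dict = field(default_factory=dict)   # (nat ip, nat port) -> (src ip, port)
    next_port: int = 40000

    def select_link(self) -> Link:
        """Health check first, then the metric (fewest sessions; first link wins ties)."""
        up = [l for l in self.links if l.healthy]
        if not up:
            raise RuntimeError("no WAN link available")
        return min(up, key=lambda l: l.sessions)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Outbound steps 1-5 and 8: choose a link once per session, NAT, record it."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.client_table:
            link = self.select_link()
            link.sessions += 1
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.client_table[key] = (link.name, link.dyn_nat, nat_port)
            self.reverse_nat[(link.dyn_nat, nat_port)] = (src_ip, src_port)
        link_name, nat_ip, nat_port = self.client_table[key]
        return {"via": link_name, "src": f"{nat_ip}:{nat_port}", "dst": f"{dst_ip}:{dst_port}"}

    def outbound_reply(self, nat_ip, nat_port):
        """Outbound steps 6-7: the reply hits the NAT address; translate it back to the user."""
        src_ip, src_port = self.reverse_nat[(nat_ip, nat_port)]
        return f"{src_ip}:{src_port}"

    def dns_answer(self, fqdn):
        """Inbound steps 1-5: answer with the Static NAT address on the best link."""
        internal = self.dns_names[fqdn]       # KeyError: not authoritative for this name
        return self.static_nat[(internal, self.select_link().name)]

    def inbound_request(self, public_ip):
        """Inbound steps 6-7: map the public address to the server; the reply uses the same link."""
        for (internal, link), pub in self.static_nat.items():
            if pub == public_ip:
                return {"to": internal, "reply_via": link, "reply_src": pub}
        raise KeyError(public_ip)


def figures_3_and_4() -> LinkProof:
    """Constructed topology of Figures 3 and 4."""
    lp = LinkProof([Link("ISP1", "100.1.1.20", "100.1.1.2"), Link("ISP2", "200.1.1.20", "200.1.1.2")])
    lp.static_nat = {("10.1.1.50", "ISP1"): "100.1.1.21", ("10.1.1.50", "ISP2"): "200.1.1.21"}
    lp.dns_names = {"www.radware.com": "10.1.1.50"}
    return lp


if __name__ == "__main__":
    lp = figures_3_and_4()
    print(lp.outbound("10.1.1.80", 1025, "203.0.113.10", 80))   # via ISP1, src 100.1.1.2:40000
    print(lp.outbound_reply("100.1.1.2", 40000))                # 10.1.1.80:1025
    lp.links[0].healthy = False                                 # ISP1 health check fails
    print(lp.dns_answer("www.radware.com"))                     # 200.1.1.21
```

Two practical points fall out of the model. Inbound link choice is made at DNS time, so it only takes effect as fast as the answer's TTL lets clients re-resolve; and the reverse_nat table is what turns an unsolicited packet to a NAT address into a delivery to an internal host, so it should contain only entries created by a real outbound session.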
Multihoming Configuration Summary
The following configuration guidelines detail the steps required to configure a basic multihoming solution in LinkProof.
To configure multihoming
1. Configure networking definitions (IP interfaces, VLANs, routing).
2. Configure WAN link load balancing:
— Add a Router Farm, configure farms, page 89
— Add Logical Router Servers, configure farm servers, page 102
— Define health checks, Health Check, page 6
— Define flows and flow policies; if routing policies are required, configure a Flow Policy:, page 148
3. Configure outbound NAT (called Dynamic NAT in LinkProof) to define, for each Router (WAN link), the NAT addresses to be used when forwarding, Dynamic NAT, page 107.
4. Configure inbound traffic load balancing (if required):
a. Configure Static NAT to define, for each internal server that must be available for access from the external network, the IP address that will represent it via each Router (WAN link), Static NAT, page 108.
b. Map the URLs for which LinkProof is the authoritative server to the internal server IP addresses, Mapping URLs to local IP Addresses, page 119.
Cluster Support
In some configurations the routers or firewalls that are load balanced by LinkProof are actually a cluster of servers. Examples of such configurations are:
• VRRP or HSRP router or firewall clusters
• Private firewall clusters
• WOC devices between LinkProof and the NHR (this is not a cluster, but the behavior of the MAC addresses is the same)
Note:
This feature is currently only supported in WBM and CLI.
Potential issues when not using Cluster Support
In these configurations, traffic that LinkProof sends to a server that is actually a cluster is forwarded correctly to the MAC address returned by an ARP for that server's IP address. Traffic coming from the cluster, however, usually has as its source MAC the address of the physical server in the cluster that forwarded the traffic, not the cluster's address, so LinkProof may not recognize it as coming from that server and may redirect it incorrectly.
This problem is illustrated in the following figure:
In this example, two NHRs are defined on the LinkProof device: NHRA, which is a cluster, and NHRB. LinkProof recognizes MAC A as the MAC address of NHRA (it was discovered via ARP messages to IP A), but when traffic comes from NHRA, its source MAC is either MAC 11, MAC 22 or MAC 33, depending on which physical router processed this traffic.
Resolution of cluster traffic issues with Cluster Support
The Cluster Support feature enables you to configure how traffic going through clusters is handled. This is done by associating additional addresses with an NHR cluster server, so that traffic from a physical server within the cluster is recognized. You create an entry in the Cluster Servers Table that includes the NHR cluster IP address and either an additional IP address or a MAC address associated with the cluster server.
In the example in the above figure, using the Cluster Support feature you can configure MAC 11, MAC 22 and MAC 33 to be associated with server NHRA, enabling the device to recognize traffic with these source MAC addresses as traffic from server NHRA. When LinkProof forwards traffic to the cluster server, it uses the destination MAC address that was discovered via an ARP to the logical server IP address (MAC A in the example). Traffic coming from the cluster is attributed to the cluster server if its source MAC or its source IP is statically configured as belonging to this server.
To add a new Cluster Servers table entry using WBM:
1. From the LinkProof menu, select LinkProof > Servers > Cluster Servers Table. The Cluster Servers Table window appears.
2. Click Create. The Cluster Servers Table Create window appears.
3. For each NHR cluster server address, set either an additional IP or a MAC address, but not both.
4. Click Set.
To add a new Cluster Servers table entry using CLI:
From the CLI window type the following command: lp servers cluster-servers
To configure a cluster server using an IP address, the MAC address must be set to 000000000000. To configure a cluster server using a MAC address, the IP address must be set to 0.0.0.0.
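The following added example (not part of this guide and not Radware code) reproduces the source-classification problem described under Potential issues and the fix described under Resolution: without Cluster Support a frame from a cluster member's own MAC matches no configured server, with it the Cluster Servers Table maps that member MAC (or member IP) back to the NHR cluster server. The "either an additional IP or a MAC, the other left at 0.0.0.0 / 000000000000" rule follows the CLI description above. The ClusterServersTable and Classifier classes, the VRRP-style virtual MAC 00:00:5e:00:01:01 and the member addresses are constructed for this example.

```python
"""Source classification with and without the Cluster Servers Table described above.

Added example, not Radware code. The one-of-IP-or-MAC rule with 0.0.0.0 /
000000000000 as the unset value is from the guide; the classes, the virtual
MAC and the member addresses are constructed for the example.
"""
from dataclasses import dataclass, field

NO_MAC = "000000000000"
NO_IP = "0.0.0.0"


def norm_mac(mac: str) -> str:
    """Canonical 12 lowercase hex digits so 'AA:BB:...' and 'aabb...' compare equal."""
    m = mac.replace(":", "").replace("-", "").lower()
    if len(m) != 12 or any(c not in "0123456789abcdef" for c in m):
        raise ValueError(f"bad MAC address {mac!r}")
    return m


@dataclass
class ClusterServersTable:
    by_mac: dict = field(default_factory=dict)  # member MAC -> NHR cluster server IP
    by_ip: dict = field(default_factory=dict)   # member IP  -> NHR cluster server IP

    def create(self, server_ip: str, extra_ip: str = NO_IP, mac: str = NO_MAC) -> None:
        """One 'lp servers cluster-servers' entry: exactly one of extra_ip / mac is set."""
        mac = norm_mac(mac)
        has_ip, has_mac = extra_ip != NO_IP, mac != NO_MAC
        if has_ip == has_mac:
            raise ValueError("set either an additional IP or a MAC address, not both")
        if has_mac:
            self.by_mac[mac] = server_ip
        else:
            self.by_ip[extra_ip] = server_ip


@dataclass
class Classifier:
    arp_cache: dict                       # server IP -> MAC learned by ARP (VIP MAC)
    clusters: ClusterServersTable

    def server_for_frame(self, src_mac: str, src_ip: str, cluster_support: bool = True):
        """Which configured server sent this frame? None means 'unknown', which is
        the situation that causes misdirected traffic without Cluster Support."""
        src_mac = norm_mac(src_mac)
        for server_ip, mac in self.arp_cache.items():
            if norm_mac(mac) == src_mac:
                return server_ip              # frame from the VIP MAC itself
        if cluster_support:
            if src_mac in self.clusters.by_mac:
                return self.clusters.by_mac[src_mac]
            if src_ip in self.clusters.by_ip:
                return self.clusters.by_ip[src_ip]
        return None


def example_classifier() -> Classifier:
    """NHRA is a cluster at 10.0.0.1 (VIP MAC 00:00:5e:00:01:01) with members known
    by MAC (VRRP style) or by IP (HSRP style); NHRB is a plain router at 10.0.0.2.
    All addresses are constructed."""
    table = ClusterServersTable()
    table.create("10.0.0.1", mac="00:aa:aa:aa:aa:11")   # MAC 11, statically configured
    table.create("10.0.0.1", mac="00:aa:aa:aa:aa:22")   # MAC 22
    table.create("10.0.0.1", extra_ip="10.0.0.13")      # member IP; its MAC is learned by ARP
    arp = {"10.0.0.1": "00:00:5e:00:01:01", "10.0.0.2": "00:bb:bb:bb:bb:02"}
    return Classifier(arp, table)


if __name__ == "__main__":
    c = example_classifier()
    print(c.server_for_frame("00:AA:AA:AA:AA:11", "10.0.0.11", cluster_support=False))  # None
    print(c.server_for_frame("00:AA:AA:AA:AA:11", "10.0.0.11"))                         # 10.0.0.1
```

The by_ip path is the weaker of the two because it trusts a Layer 3 source address, so keep it to the H SRP case the notes describe and prefer static MAC entries where the member MACs are stable.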
Notes:
i. In many cases you may not be required to load balance traffic to the cluster, but rather to perform NAT on the traffic to and from the cluster. In this case the cluster needs to be configured as a LinkProof server (NHR or firewall).
ii. The LinkProof server IP should be the Virtual IP of the cluster or, in the case of WOC devices, the IP of the router beyond the WOC device.
iii. For HSRP clusters, where the Virtual IP cannot be the IP of any of the cluster servers, you can configure the IPs of the cluster servers so that their MAC addresses will be discovered via ARP. This allows you to replace a server in a cluster without changing the LinkProof configuration (if the new server has the same IP as the old one).
iv. For VRRP clusters, where the Virtual IP is usually the IP of one of the cluster servers, you can statically configure the MAC addresses of the cluster servers.
v. For WOC devices, you need to statically configure the MAC address of the WOC device.
Farm Management
This section explains how LinkProof incorporates Farm Management into the network configuration.
This section includes the following topics:
• Farm Concept, page 88
• Farm Load Balancing, page 89
• Router Farm Load Balancing, page 94
• Firewall Farm Load Balancing, page 95
• Default Farm, page 99
• Farm Connectivity Checks, page 99
Farm Concept
LinkProof works with server farms rather than with individual servers. Utilizing multiple servers organized in a farm eliminates downtime, accelerates the service response time and improves the overall performance.
A LinkProof farm is a group of network servers that provide the same service. Servers contained in a server farm can belong to different vendors, or have different capacities. The differences between the servers within a farm are transparent to the users. Provided that all the servers within a group provide the same service managed by the LinkProof device, this group can be defined as a LinkProof server farm.
When a new packet arrives that must be redirected to a certain farm, LinkProof selects the best server (according to user-defined criteria) from the servers available. In this manner LinkProof optimizes the server operation and improves the overall quality of service.
A Farm definition includes traffic redirection functions such as the load balancing scheme, client-server persistency, connectivity check methods and more.
LinkProof supports the following types of farms (services):
• Routers (access routers to the WAN)
• Firewalls / VPN gateways
To configure farms
1. From the main window, double-click the LinkProof device icon. The Connect LP to Device window appears.
2. In the Connect LP to Device window, type the device's IP address and click Ok.
3. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
4. In the Traffic Redirection window, click the Farms tab. The Farms pane appears.
5. From the Farms pane, click Add. The Edit LinkProof Farms window appears, where you can set the parameters of the farm.
Farm Load Balancing
Load balancing between servers of a farm is determined by a number of parameters. The
most important parameters are Dispatch Method, that defines how to select a server from
the farm, and Persistency, that defines when to select a new server. These parameters,
together with the Client Aging Time, are required for all the different types of farms
supported by LinkProof. Additional parameters are relevant for each specific type of farm,
and are explained within the relevant sections.
To configure farm load balancing
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, click Farms. The Farms pane appears.
3. From the Farms pane, select an existing farm or click Add to create a new farm. The Edit LinkProof Farms window appears.
4. From the Edit LinkProof Farms window, select Traffic Settings. Configure the load balancing parameters according to your requirements.
Dispatch Methods
LinkProof receives requests for service from clients and decides to which server to direct
each request. During this process, LinkProof finds the best server to provide the requested
service. The Dispatch Method defines the criteria by which LinkProof selects the best server
in the farm. Dispatch Methods are defined only for new sessions. Existing sessions are
handled by the Client Table.
You can define the Dispatch Method during the process of LinkProof Farm configuration, according to farm characteristics and users' needs. Criteria may vary for different applications. For example, the number of users is a significant factor for a Web farm, while the amount of traffic can be more important for an FTP farm. The following Dispatch Methods are available on LinkProof:
• Cyclic, page 90
• Fewest Number of Users, page 90
• Fewest Number of Local Users, page 90
• Least Amount of Traffic, page 90
• Least Amount of Local Traffic, page 90
• Least Number of Bytes, page 90
• Least Number of Local Bytes, page 91
• Response Time, page 91
• Hashing, page 91
• NT-1 and NT-2, page 91
• Private-1 and Private-2, page 92
• Customized Hash, page 93
Cyclic
When the Cyclic Dispatch Method is defined, LinkProof forwards the traffic dynamically to each server in a round-robin fashion.
Fewest Number of Users
With the Fewest Number of Users Dispatch Method, LinkProof directs new requests for
service to the server with the least number of sessions at that given time.
Fewest Number of Local Users
The Fewest Number of Local Users Dispatch Method can be used when the same servers
participate in multiple farms. When this method is selected, LinkProof looks for the server
with fewest number of users only, within the farm that is currently addressed by the client.
Traffic of other farms is not considered.
For example, Server 1 & Server 2 can provide service A and service B. These servers are
used as part of Farm A to provide service A and as part of Farm B to provide service B. When
the client's request for service A is sent to Farm A, which uses this Dispatch Method,
LinkProof looks for a server with the fewest number of requests for service A. The requests
for service B that exist on the same servers are not considered by LinkProof.
Note:
The session number is defined by the active Client Table entries to this server.
Least Amount of Traffic
With the Least Amount of Traffic Dispatch Method, LinkProof directs new requests for service
to the server with the least amount of traffic at that given time. The amount of traffic is
defined as packets per second (pps) from LinkProof to the server and from the server to
LinkProof, as is recorded in LinkProof's Client Table for all traffic forwarded to that server.
Least Amount of Local Traffic
The Least Amount of Local Traffic Dispatch Method can be used when the same servers participate in multiple farms. When this method is selected, LinkProof looks for the server with the least amount of traffic only within the farm that is currently addressed by the client. Traffic of other farms is not considered.
For example: Server 1 and Server 2 provide service A and service B. These servers are used
as part of Farm A to provide service A and as part of Farm B to provide service B. When the
client's request for service A is sent to Farm A, which uses this Dispatch Method, LinkProof
considers only the traffic that is related to service A. The traffic that is related to service B
on the same servers is not considered by LinkProof. LinkProof looks for a server with the
least amount of traffic related to service A, and forwards client's request to this server.
Least Number of Bytes
With the Least Number of Bytes Dispatch Method, LinkProof directs new requests for service
to the server with the least amount of traffic in bytes at that given time. The amount of
traffic is defined as bytes from LinkProof to the server and from the server to LinkProof, as is
recorded in LinkProof's Client Table for all traffic forwarded to that server.
90
Doc. No.: 8261
LinkProof User Guide
Least Number of Local Bytes
The Least Number of Local Bytes Dispatch Method can be used when the same servers participate in multiple farms. When this Method is selected, LinkProof looks for the server with the least amount of traffic in bytes only within the farm that is currently addressed by the client. Traffic of other farms is not considered.
For example: Server 1 and Server 2 provide service A and service B. These servers are used as part of Farm A to provide service A and as part of Farm B to provide service B. When the client's request for service A is sent to Farm A, which uses this Dispatch Method, LinkProof considers only the traffic that is related to service A. The traffic that is related to service B on the same servers is not considered by LinkProof. LinkProof looks for the server with the least amount of traffic related to service A, and forwards the client's request to this server.
Response Time
The Response Time Dispatch Method allows LinkProof to select the fastest server in the farm. When this Method is used, load balancing is based on choosing the least loaded server as calculated from the Response Level measured by the Health Monitoring module. The Health Monitoring module enables users to track the round trip time of health checks. The device keeps a Response Level indicator for each check. The Response Level is the average ratio between the actual response time and the configured Time-out. This average is calculated over a number of samples as defined in the Response Level Samples parameter. A value of 0 in the Response Level Samples parameter disables the parameter; any other value between 1 and 9 defines the number of samples. The Response Level Samples parameter can be used in the health checks in which the Measure Response Time parameter is enabled.
Response Time Dispatch Method Configuration Guidelines:
1. Set health checks for servers in the farm. In the Health Checks settings, enable the Measure Response Time parameter for each health check.
2. Enable the Health Monitoring module for this farm, see Health Monitoring, page 353.
3. Set the Dispatch Method in the farm to Response Time.
4. Set the Response Level Samples parameter.
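The Response Level computation and the selection it drives, as an added Python illustration (not Radware's code and not the device's actual algorithm): ResponseLevelTracker keeps the last N health-check round trips for one server and returns the average ratio of response time to the configured Time-out, and pick_fastest applies the Response Time dispatch rule to a set of trackers. The Time-out value, the sample counts and the RTT figures are constructed; treating a timed-out check as a ratio of 1.0 is an assumption the guide does not state.

```python
from collections import deque


class ResponseLevelTracker:
    """Rolling Response Level of one health check, as the guide defines it: the
    average, over the last `samples` checks, of actual RTT / configured Time-out.
    `samples` follows the Response Level Samples parameter: 0 disables, 1..9 sets
    the window size."""

    def __init__(self, timeout_ms, samples):
        if timeout_ms <= 0:
            raise ValueError("Time-out must be positive")
        if not 0 <= samples <= 9:
            raise ValueError("Response Level Samples must be 0 (disabled) or 1..9")
        self.timeout_ms = timeout_ms
        self.samples = samples
        self.window = deque(maxlen=max(samples, 1))

    def record(self, rtt_ms):
        # Assumption (not stated in the guide): a check slower than the Time-out
        # counts as a full timeout (ratio 1.0) rather than being discarded, so a
        # server that keeps timing out is never mistaken for a fast one.
        ratio = min(rtt_ms, self.timeout_ms) / self.timeout_ms
        self.window.append(ratio)

    def level(self):
        """Average ratio over the window, or None when the feature is disabled
        (samples == 0) or no check has been recorded yet."""
        if self.samples == 0 or not self.window:
            return None
        return sum(self.window) / len(self.window)


def pick_fastest(trackers):
    """Response Time dispatch: the server whose check has the lowest Response
    Level wins. Servers with no level yet are not eligible; ties fall to the
    first server in name order so the choice is deterministic."""
    levels = {name: t.level() for name, t in trackers.items()}
    eligible = {name: lvl for name, lvl in levels.items() if lvl is not None}
    if not eligible:
        return None
    return min(sorted(eligible), key=eligible.get)


def demo():
    """Constructed sample: three servers, Time-out 2000 ms, 4 samples."""
    trackers = {name: ResponseLevelTracker(timeout_ms=2000, samples=4)
                for name in ("srv1", "srv2", "srv3")}
    for rtt in (200, 400, 600, 800):            # srv1: level 0.25
        trackers["srv1"].record(rtt)
    for rtt in (1000, 1000, 1000, 1000, 200):   # srv2: oldest sample drops out, level 0.4
        trackers["srv2"].record(rtt)
    trackers["srv3"].record(5000)               # srv3: timed out, level 1.0
    return pick_fastest(trackers)
```

The window length is what the Response Level Samples parameter controls: with a short window one slow check moves a server's level quickly, with a long one the average smooths over transient spikes.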
Hashing
When the Hashing Dispatch Method is applied, LinkProof selects a server for a session using a Hash function. This is a static method where the server is chosen for a session purely by the session information. The input for the hash function is the source and destination IP addresses. Source and destination ports can also be taken into consideration if the Port Hashing parameter is enabled and the Client Table mode is Full Layer 4, see Port Hashing, page 165. This method is symmetric, which means that it provides the same output when the source and destination addresses are switched; for example, a packet from A to B will result in the same Hash output (i.e., server) as the reply packet from B to A.
NT-1 and NT-2
When the NT-1 or the NT-2 Dispatch Method is selected, LinkProof queries the farm servers
for Windows NT SNMP statistics. LinkProof forwards the farm's clients to the least busy
server according to the servers' reported statistics.
You can select from a list of statistics. The parameters are considered according to the
weights that you define in the first Windows NT weights scheme for the NT-1, and second
Windows NT weights scheme for the NT-2.
To configure NT-1 and NT-2 Dispatch Methods:
1. From the Farm Traffic Settings tab (Farm Load Balancing, page 89), set the Dispatch Method of the farm to NT-1 or NT-2.
a. Click Load Balancing. The LinkProof Load Balancing Algorithms window appears.
b. In the LinkProof Load Balancing Algorithms window, select Windows NT. The Windows NT pane appears.
c. In the Windows NT pane, set the following parameters according to the explanations provided:
Scheme: The scheme to be used, either NT-1 or NT-2.
Check Period: The time interval between queries for the frequently updated parameters (number of open sessions, amount of traffic).
Open Sessions Weight: The relational weight for considering the number of active sessions on the server.
Incoming Traffic Weight: The relational weight for considering the amount of traffic coming to the server.
Outgoing Traffic Weight: The relational weight for considering the amount of traffic going out of the server.
Regular Check Period: The time interval between queries for other, less dynamic parameters (average response time, limits on users and TCP connections).
Response Weight: The relational weight for considering the average response time of the server.
User Limit Weight: The relational weight for considering the limit on the number of logged-in users on the server.
TCP Limit Weight: The relational weight for considering the limit of TCP connections to the server.
Retries: Defines how many unanswered requests for a variable cause this variable to be ignored in the load balancing decision.
NT Community: The community name to use when addressing the server.
d. Click Ok to apply the configuration.
Private-1 and Private-2
When the Private-1 or the Private-2 Dispatch Method is selected, LinkProof queries the farm's servers for private SNMP parameters according to a predefined private weights scheme. The ratio of sessions on the servers is balanced according to these statistics.
You need to define which MIB variables are queried and to set the private weights scheme. The parameters are considered according to the weights that you define in the first private weights scheme for Private-1 and in the second private weights scheme for Private-2.
To configure Private-1 and Private-2 Dispatch Methods:
1. From the Farm Traffic Settings pane, set the Dispatch Method of the farm to Private-1 or
Private-2.
2. In the Traffic Settings pane, click Load Balancing. The Load Balancing Algorithms
window appears.
3. In the LinkProof Load Balancing Algorithms dialog box, click the Private Parameters
tab. The Private Parameters pane appears.
4. In the Private Parameters pane, set the following parameters according to the explanations provided:
Scheme: The scheme to be used: Private1 or Private2.
Special Check Period: The time interval between queries for the requested parameters.
Retries: Defines how many unanswered requests for a variable cause this variable to be ignored in the load balancing decision.
Community: The community name for addressing the server.
Var1 Object ID: The SNMP ID of the first private variable to check.
Var1 Mode: Whether to measure the percentage available or the percentage utilized of the first parameter.
• Ascending: The value of the variable specified in Var1 Object ID represents the percentage still available.
• Descending: The value of the variable specified in Var1 Object ID represents the percentage currently utilized.
Weight (for Var1 Mode): The relational weight for considering the value of the first parameter.
Var2 Object ID: The SNMP ID of the second private variable to check.
Var2 Mode: Whether to measure the percentage available or the percentage utilized of the second parameter:
• Ascending: The value of the variable specified in Var2 Object ID represents the percentage still available.
• Descending: The value of the variable specified in Var2 Object ID represents the percentage currently utilized.
Weight (for Var2 Mode): The relational weight for considering the value of the second parameter.
5. Click Ok. Your preferences are recorded.
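How a weights scheme turns polled SNMP values into one load figure, as an added Python illustration of the NT-1/NT-2 and Private-1/Private-2 descriptions above (not Radware's code; the exact formula the device uses is not given in the guide, and the weighted average below is an assumption). It applies the Var Mode convention (Ascending = percentage still available, Descending = percentage utilized), weights each variable, and leaves a variable out of the decision after `retries` consecutive unanswered polls, as the Retries parameter describes. The variable names, weights and sample values are constructed.

```python
def utilization(value, mode):
    """Normalize a polled percentage to 'percent utilized'.
    Ascending: the variable reports the percentage still available.
    Descending: the variable reports the percentage currently utilized."""
    if mode == "Ascending":
        return 100 - value
    if mode == "Descending":
        return value
    raise ValueError(f"unknown Var Mode {mode!r}")


class WeightedSnmpScheme:
    """A weights scheme over polled variables: {var_name: (weight, mode)}.
    Unanswered polls are counted per (server, variable); once they reach
    `retries` the variable is left out of that server's score until it answers."""

    def __init__(self, variables, retries):
        self.variables = variables
        self.retries = retries
        self.values = {}   # (server, var) -> last answered raw value
        self.misses = {}   # (server, var) -> consecutive unanswered polls

    def poll_result(self, server, var, value):
        """Record one poll; value None means the request went unanswered."""
        key = (server, var)
        if value is None:
            self.misses[key] = self.misses.get(key, 0) + 1
        else:
            self.misses[key] = 0
            self.values[key] = value

    def score(self, server):
        """Weighted mean utilization over the variables still in the decision,
        or None if nothing usable has been polled for this server."""
        weighted = total = 0
        for var, (weight, mode) in self.variables.items():
            key = (server, var)
            if key not in self.values or self.misses.get(key, 0) >= self.retries:
                continue
            weighted += weight * utilization(self.values[key], mode)
            total += weight
        return weighted / total if total else None

    def least_busy(self, servers):
        """The server with the lowest score; ties resolve in name order."""
        scores = {s: self.score(s) for s in sorted(servers)}
        usable = {s: v for s, v in scores.items() if v is not None}
        return min(usable, key=usable.get) if usable else None


def demo():
    """Constructed sample: CPU reported as percent free, sessions as percent used."""
    scheme = WeightedSnmpScheme(
        {"cpu_free_pct": (2, "Ascending"), "sessions_used_pct": (1, "Descending")},
        retries=3)
    scheme.poll_result("srvA", "cpu_free_pct", 70)        # 30% utilized
    scheme.poll_result("srvA", "sessions_used_pct", 60)
    scheme.poll_result("srvB", "cpu_free_pct", 20)        # 80% utilized
    scheme.poll_result("srvB", "sessions_used_pct", 10)
    first = scheme.least_busy(["srvA", "srvB"])           # srvA: (2*30 + 60)/3 = 40
    for _ in range(3):                                    # srvA's CPU agent stops answering
        scheme.poll_result("srvA", "cpu_free_pct", None)
    second = scheme.least_busy(["srvA", "srvB"])          # srvA now scored on sessions only: 60
    return first, second
```

Dividing by the sum of the weights actually used keeps a server whose agent has gone quiet from looking artificially idle: it is scored on fewer variables rather than on a smaller total.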
Customized Hash
This is another variant of the Hashing Dispatch Method that offers a different server distribution. This method allows you to define which bits of the source and destination IP addresses are used as input for the hash function. The mask used for this method can be configured using WBM (LinkProof > Global Configuration > Tweaks) or the CLI as follows:
lp global customized-hash-mask
The mask default is 0.0.0.255.
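Symmetric hashing with a configurable address mask, as an added Python illustration; it is not Radware's hash function, and the CRC-32 combination below is an assumption used only to make the properties visible. hash_select folds the masked source and destination addresses (and, with port_hashing=True, the ports) into an order-independent key, so the A to B packet and the B to A reply land on the same server, and `mask` stands in for the customized-hash-mask: with the default 0.0.0.255 only the last octet of each address influences the choice. The server names and addresses are constructed.

```python
import ipaddress
import zlib


def masked(ip, mask):
    """Keep only the bits of `ip` that are set in `mask` (the Customized Hash mask)."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


def hash_select(src_ip, dst_ip, servers, mask="255.255.255.255",
                src_port=0, dst_port=0, port_hashing=False):
    """Static, symmetric server choice for one packet.

    The two endpoints are sorted before hashing, so swapping source and
    destination yields the same key and therefore the same server: the reply
    to a forwarded packet follows it to the same server without any table.
    Ports join the key only when Port Hashing is enabled (the guide additionally
    requires Client Table mode Full Layer 4 for that)."""
    if not servers:
        raise ValueError("no servers in farm")
    a = (masked(src_ip, mask), src_port if port_hashing else 0)
    b = (masked(dst_ip, mask), dst_port if port_hashing else 0)
    key = tuple(sorted([a, b]))
    digest = zlib.crc32(repr(key).encode("ascii"))   # assumption: any stable hash will do
    return servers[digest % len(servers)]


def distribution(client_ips, dst_ip, servers, mask="255.255.255.255"):
    """How many of `client_ips` each server would receive for traffic to dst_ip."""
    counts = {s: 0 for s in servers}
    for ip in client_ips:
        counts[hash_select(ip, dst_ip, servers, mask)] += 1
    return counts


def demo():
    """Constructed sample: three servers, clients spread across 10.0.0.0/24."""
    servers = ["srv1", "srv2", "srv3"]
    clients = [f"10.0.0.{i}" for i in range(1, 101)]
    return distribution(clients, "198.51.100.7", servers, mask="0.0.0.255")
```

Because the mask decides which address bits reach the hash, two clients that agree on every masked bit are indistinguishable to the method; with 0.0.0.255 a whole /24 that shares a last octet with another /24 collapses onto the same server, which is why the mask is the knob to turn when a farm's distribution looks skewed.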
Persistency
Session persistency means making sure that all traffic that is related to a single application session arrives at the same server.
LinkProof allows you to determine when a new server will be selected for each farm, by
allowing persistency mode configuration per farm. The default persistency mode is Layer 3.
Persistency per farm can be kept according to any session identification parameter or
combination of them that is less than the Client Table mode (for example source IP or
destination IP if Client Table mode is Layer3) or according to Client Table mode.
Note: Client Table mode cannot be changed if Persistency for any of the device farms is on a higher level than the new Client Table mode. For example, if Client Table mode is set to Full Layer4 and Persistency for any of the farms is set to Half Layer4, Client Table mode cannot be changed to Layer3.
Client Aging Time
The Client Table tracks the sessions load balanced by the device to efficiently handle the flow of traffic between the clients and the servers, see Client Table Global Parameters, page 163. The Client Aging Time parameter indicates the interval of time (in seconds) between the moment a Client Table entry becomes inactive and the moment this entry is removed from the Client Table. An entry is active as long as there is continuous traffic between the client and the server.
For example: when the Aging Time value is 100 seconds, if no traffic is identified by an entry for 100 seconds, the entry is removed from the Client Table. Every time an incoming packet or an outgoing packet is identified by a Client Table entry, the Client Aging Time for this entry is reset.
The default value for the Client Aging Time is 60 seconds.
Maximum Client Table Aging Time
The Maximum Client Table Aging Time is the highest value to which the aging time can be set. This is the time from when the last packet of an entry has been identified by the LP device to the time when the entry is removed from the Client Table.
Router Farm Load Balancing
The following router load balancing specific parameters are available in the router farm Traffic Settings:
• Packet Translation
• Basic NAT fallback
Packet Translation
This parameter defines whether LinkProof must perform any address translation on packets that are forwarded to the farm, or received from the farm (on their way back to the source). The options are:
• None: No address translation required.
• NAT: Network address translation is required on packets going to the router farm and received from the farm. This option is the most common for router farms.
• Transform HTTP Requests - SSL: Enabling the SSL tag allows LinkProof to identify the origin of the traffic, whether HTTP or HTTPS.
• NAT & Virtual Tunneling: Regular or Virtual Tunneling network address translation is required on packets going to the router farm and received from the farm.
• VPN: Traffic to/from this farm must be encrypted/decrypted according to the configured VPN rules. If traffic forwarded to this farm does not match any VPN Rule, then the traffic is forwarded to the selected farm without any packet translation.
Note: This option is available only on LinkProof Branch devices with a VPN license.
Basic NAT Fallback
If LinkProof is configured to perform Network Address Translation for this farm using Basic NAT, it can happen that all NAT IP addresses available for Basic NAT are already allocated at a given moment. You can define what action LinkProof takes in such a case: use a Dynamic NAT IP, use the local IP, or discard the packets.
Router Tracking Table
The Router Tracking Table is used by the device to make sure that traffic destined to the device is always returned via the correct Router, that is, the one through which it arrived.
For every session that arrives from one of the Routers with the destination IP of the device, an entry is added to the Router Tracking Table with the identification of the session (source IP and source port) and an indication of the Router the session arrived through. When the device sends a reply packet, the Router Tracking Table is used to find the router through which the reply packet should be sent.
Other than traffic with the destination IP of the device, there are other types of traffic for which entries are kept in the Router Tracking Table. This is required for traffic with a TTL lower than or equal to 1, for which the device should generate an ICMP error.
No entries are added to the Router Tracking Table for traffic whose source IP belongs to a router; the device immediately knows to which router such traffic is to be sent.
Router Tracking Table Aging
You can set how long an entry should remain in the Firewall Tracking Table when no traffic is
matched to it.
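The table's behaviour in code, as an added Python illustration (not Radware's implementation): entries are keyed by source IP and source port, created for device-bound sessions and for packets whose TTL has run out, skipped for traffic sourced by a router, consulted to pick the return router for a reply, and aged out after the configured aging time. The router and device addresses and the timestamps are constructed; refusing new entries once the table has reached its configured size is an assumption, since the guide does not describe that case.

```python
class RouterTrackingTable:
    """Per-session record of which router a device-bound session arrived through."""

    def __init__(self, routers, device_ip, aging_time, size):
        self.routers = set(routers)     # addresses of the routers in the router farm
        self.device_ip = device_ip
        self.aging_time = aging_time    # Router Tracking Table Aging Time (seconds)
        self.size = size                # Router Tracking Table Size
        self.entries = {}               # (src_ip, src_port) -> (router, last_seen)

    def packet_in(self, src_ip, src_port, dst_ip, ttl, ingress_router, now):
        """Account for a packet received via `ingress_router`.
        Returns True when a tracking entry was created or refreshed."""
        if src_ip in self.routers:
            return False          # router-sourced traffic: the return router is already known
        device_bound = dst_ip == self.device_ip
        ttl_expiring = ttl <= 1   # the device will answer with an ICMP error, so track it too
        if not (device_bound or ttl_expiring):
            return False
        key = (src_ip, src_port)
        if key not in self.entries and len(self.entries) >= self.size:
            return False          # assumption: a full table accepts no new entries
        self.entries[key] = (ingress_router, now)
        return True

    def expire(self, now):
        """Drop entries that saw no traffic for longer than the aging time."""
        stale = [k for k, (_, seen) in self.entries.items() if now - seen > self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def reply_router(self, dst_ip, dst_port, now):
        """Router through which a reply to dst_ip:dst_port should be sent, or None
        when no entry exists (for example because it aged out)."""
        self.expire(now)
        if dst_ip in self.routers:
            return dst_ip
        entry = self.entries.get((dst_ip, dst_port))
        return entry[0] if entry else None
```

A reply for which reply_router returns None would have to fall back on the routing table, which is exactly the asymmetric-path situation the tracking table exists to avoid; sizing the table and its aging time to the device's own session volume is what keeps that fallback rare.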
To configure router tracking tables:
1. From the main window, double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, select Global > Advanced Settings > Edit Settings. The Advanced Settings window appears.
3. In the Advanced Settings window, change the Router Tracking Table Aging Time and Router Tracking Table Size (in the tuning area of the window) if required.
4. Click Ok to save the settings.
Firewall Farm Load Balancing
A firewall is basically a filtering application capable of stopping unwanted traffic to and from
your network.
The firewall's goal is to inspect and control all the traffic between the local network and the
Internet. The traffic must be handled in such a way that all potentially "dangerous" traffic be
detected and dropped and if necessary logged. What traffic is "dangerous" for the local
network is determined by the security policy adopted for the site.
A single firewall is a single point of failure and can become a capacity bottleneck, causing an interruption in service when the firewall is busy or down.
Organizations encounter numerous problems when installing multiple firewalls. First,
different client groups must be configured, which is a time-consuming procedure.
Furthermore, multiple points of failure are created with the addition of each firewall. Since the traffic load is not dynamically shared between units, the firewalls are not used optimally.
Finally, to achieve fault tolerance and redundancy between firewalls, hot standby, or idle
units must be deployed on the network.
Since the firewall's task is to separate networks, firewall servers have at least 2 legs: one connected to the internal network and one connected to the external network (Internet).
To provide scalability and reliability, the traffic must be load balanced on both the inbound and outbound paths through these firewalls.
Note: Firewall farms can be used to load balance firewall devices and any other devices that separate trusted and un-trusted networks and have at least 2 separate physical interfaces (one for each subnet), such as VPN gateways.
The following firewall load balancing specific parameters are available from the Firewall Farm Traffic Settings:
• Packet Translation, page 96
• Basic NAT Fallback, page 96
Packet Translation
This parameter defines whether any address translation must be performed by LinkProof on packets that are forwarded to the farm, or received from the farm (on their way back to the source). The options include:
• None: No address translation required.
• NAT: Network address translation on the packet is required when the firewalls do not perform NAT by themselves.
• VIP: Translation to a Virtual Address is required when working with proxy firewalls or to provide access to internal servers via firewalls that perform NAT.
Basic NAT Fallback
If LinkProof is configured to perform Network Address Translation for this farm using Basic NAT, it may happen that all NAT IP addresses available for Basic NAT are already allocated at a given moment. You can define what action LinkProof takes in such a case: use a Dynamic NAT IP, use the local IP, or discard the packets.
Load Balancing for Firewalls
LinkProof can load balance all types of firewalls, including:
• Proxy Firewalls, page 96
• Transparent NAT Firewalls, page 97
Proxy Firewalls
To load balance proxy firewalls, LinkProof must provide a single IP address that represents the firewall farm to the clients. This IP address is called the Virtual IP (VIP), and it is the address that is configured as the proxy address in the client workstations. Clients send traffic to the VIP and LinkProof, once it has selected a firewall, replaces the packet's destination IP with the firewall's IP. On the traffic returning from the proxy firewall to the client, LinkProof replaces the packet's source IP address (that is, the firewall server address) with the VIP address; see Proxy Firewall Configuration, page 97.
Figure 5 - Proxy Firewall Configuration (diagram: Client IP (CIP), LinkProof with Virtual IP (VIP), Server 1 IP and Server 2 IP; the flows CIP->VIP, CIP->SIP1, CIP<-SIP1 and CIP<-VIP show the destination and source address translation described above)
To configure proxy firewall farms:
1. From the Farm Traffic Settings pane, set the Packet Translation parameter to VIP.
2. Click Ok to return to the Traffic Redirection window.
3. In the Traffic Redirection window, select VIP. The VIP pane appears.
4. In the VIP pane, click Add. The Edit Virtual IP Address window appears.
5. In the Edit Virtual IP Address window, enter a Virtual IP address.
6. Click Add to define the firewall server IPs that will be mapped to this VIP. The Edit Mapped IP window appears.
7. From the Edit Mapped IP window, select one of the firewall servers in this farm from the Server Address drop-down list. When the VIP is used to represent a proxy farm, the same server IP address must be entered in the NAT Address field as well.
8. Click Ok to apply your preferences and return to the Edit Virtual IP Address window.
9. Repeat this procedure (steps 6 through 8) for all firewall servers in the farm.
Transparent NAT Firewalls
In many cases the firewalls perform NAT for the internal clients. In such cases, if only outbound traffic needs to be load balanced, there is no need for LinkProof to perform any translation on the packets.
However, if inbound load balancing to internal servers is required, the internal servers need to be represented via a single public IP. To implement such configurations, the VIP mechanism is required on the farm defined for inbound traffic load balancing (the external leg of the firewall servers). The VIP represents the public IP for the internal server. The destination IP address of incoming traffic to the internal server (the VIP address) is replaced with the Static NAT address provided by the firewall server selected for this internal server.
The source IP address on reply traffic from the internal servers is changed by the firewall
server to the NAT address and by the LinkProof to the VIP address - see Inbound LB Firewall
Farm Configuration, page 98.
Figure 6 - Inbound LB Firewall Farm Configuration (diagram: Client IP (CIP), LinkProof with Virtual IP (VIP), Server 1 IP with NAT IP for internal server (NIP1), Server 2 IP with NAT IP for internal server (NIP2), and the Internal server (LIP in the flows); the flows CIP->VIP, CIP->NIP1, CIP->LIP and the replies CIP<-LIP, CIP<-NIP1, CIP<-VIP show the two translation stages described above)
To configure inbound LB with transparent firewall farms:
1. From the Farm Traffic Settings pane, set the Packet Translation parameter to VIP.
2. Click Ok to return to the LinkProof Traffic Redirection window.
3. In the Traffic Redirection window, select the VIP tab. The VIP pane appears.
4. In the VIP pane, click Add. The Edit Virtual IP Address window appears.
5. In the Edit Virtual IP Address window, enter a Virtual IP address. The Virtual IP Address must be a public address supplied by the ISP.
6. Click Add to define the firewall server IPs that will be mapped to this VIP. The Edit Mapped IP window appears.
7. From the Edit Mapped IP window, select one of the firewall servers from this farm from the Server Address drop-down menu. In the NAT Address field, enter the Static NAT IP provided for the internal server by this firewall server.
8. Click Ok to apply the parameters and return to the Edit Virtual IP Address window.
9. Repeat this procedure (steps 4 through 8) for all internal servers.
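The VIP translation from Figures 5 and 6 in code, as an added Python illustration (not Radware's code): a VipMapping holds the Mapped IP entries (Server Address to NAT Address) of one Virtual IP, rewrites the destination of a client packet to the NAT address of the firewall chosen for that session, and rewrites the source of the return packet back to the VIP. With the NAT address equal to the firewall's own address it models the proxy farm; with the firewall's static NAT address for an internal server it models inbound load balancing through transparent NAT firewalls. The addresses and the `choose` dispatch callback are constructed, and the session memory that keeps a client on its firewall stands in for the Client Table.

```python
class VipMapping:
    """One Virtual IP with its Mapped IP entries: server_address -> nat_address."""

    def __init__(self, vip, translate_outbound=False):
        self.vip = vip
        self.mapped = {}               # firewall Server Address -> NAT Address
        self.translate_outbound = translate_outbound   # Translate Outbound Traffic to Virtual Address
        self.sessions = {}             # (client_ip, client_port) -> firewall Server Address

    def add_mapped(self, server_address, nat_address):
        """Edit Mapped IP window: for a proxy farm nat_address == server_address;
        for a transparent NAT firewall it is the static NAT IP of the internal server."""
        self.mapped[server_address] = nat_address

    def client_packet(self, client_ip, client_port, dst_ip, choose):
        """Translate a client packet addressed to the VIP. `choose` is the farm's
        dispatch decision over the mapped firewall addresses. Returns the
        (src_ip, src_port, dst_ip) tuple as forwarded, or None if not for this VIP."""
        if dst_ip != self.vip or not self.mapped:
            return None
        key = (client_ip, client_port)
        if key not in self.sessions:                  # new session: dispatch once
            self.sessions[key] = choose(sorted(self.mapped))
        firewall = self.sessions[key]                 # existing session: persistency
        return (client_ip, client_port, self.mapped[firewall])

    def return_packet(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet coming back through the farm. The NAT address is
        rewritten to the VIP for replies of tracked sessions, and for any
        outbound session initiated from behind the VIP when Translate Outbound
        Traffic to Virtual Address is enabled."""
        if src_ip not in set(self.mapped.values()):
            return (src_ip, src_port, dst_ip, dst_port)
        tracked = (dst_ip, dst_port) in self.sessions
        if tracked or self.translate_outbound:
            return (self.vip, src_port, dst_ip, dst_port)
        return (src_ip, src_port, dst_ip, dst_port)


def first_mapped(candidates):
    """Stand-in dispatch decision: always the first firewall (constructed)."""
    return candidates[0]
```

The difference between the two deployments is entirely in what add_mapped records as the NAT Address, which is why the two configuration procedures above differ only in step 7.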
Translating Outbound Traffic to Virtual Addresses
If the internal servers can also initiate outbound sessions, source address translation to VIP
can be performed on these sessions if the Translate Outbound Traffic to Virtual Address
parameter is enabled.
To configure translation of outbound traffic to a virtual address:
1. From the main window, double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. From the Global pane, select the Advanced Settings option and click Edit Settings. The Advanced Settings window appears.
4. In the LinkProof Advanced Settings window, check the Translate Outbound Traffic to Virtual Address box to enable the feature.
5. Click Ok. Your preferences are recorded.
Default Farm
A default farm is automatically created for each server IP address configured on the LinkProof. The default farm has the following purposes:
• To allow the device to select an edge (end of flow) farm according to the routing table. When the traffic does not match any configured flow, the device searches the routing table for the default gateway. If the default gateway is a server configured on the device, LinkProof forwards traffic to the default farm that was configured for this server; otherwise the traffic is forwarded to the default gateway without any farm being selected.
• When traffic arrives from a logical server that belongs to a farm that is not configured in any flow.
The first time an IP is configured as belonging to a farm, the device automatically configures this farm as the default farm for the server IP. The farm that is automatically configured as the default farm for a server IP can be changed.
Farm Connectivity Checks
In order to load balance traffic that arrives at a LinkProof farm, the state of the servers in this farm must be checked. LinkProof periodically checks the health of the servers. A successful check indicates that the service is available on this server. Failure to establish a successful connection means that LinkProof considers the server unavailable for this service or farm. When a failure occurs, LinkProof continues to check for the server's availability and generates a syslog/e-mail/SNMP/CLI trap that the server is “Not In Service.”
LinkProof can be configured to monitor the status of servers in its farms to ensure they are available and can handle the requests. During the farm connectivity checks, the farm is considered as one entity and therefore each server within the farm is checked in the same way.
You can perform a health check of the servers using one of these methods:
• Basic - Ping
• Advanced - Health Monitoring Module, refer to Chapter 10.
LinkProof performs pinging by sending an ICMP echo request to the server. If a server is available, it sends an ICMP echo reply. If a Ping operation fails, this means that the server is down.
Notes:
i. When the basic Farm Connectivity Checks (ping) are used, the status of servers in the farm is affected by these checks only.
ii. Using the basic Farm Connectivity Checks (ping), LinkProof does not resume checks on farms where the subnet of the farm IP does not correspond to any of the configured LinkProof IP interfaces. This applies, for example, after Interface Grouping was triggered and released.
Table 11 on page 100 describes the Connectivity Checks configuration parameters.
Table 11: Connectivity Methods
Connectivity Interval: How often LinkProof polls the servers (in seconds). Default value: 10
Connectivity Retries: The number of polling attempts that are made before a server is considered inactive. Default value: 5
Identify Server By Name
This parameter allows the logical server's health status to be determined according to the status of all the physical server's interfaces. For example: when one side of a firewall is not in service, LinkProof considers all other firewall servers with the same name to be out of service as well. This flag can be used either when using LinkProof connectivity checks or when using the Health Monitoring module.
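The basic connectivity check cycle together with Identify Server By Name, as an added Python illustration (not Radware's code): each polling round feeds ping results into ConnectivityMonitor, a server is taken out of service after Connectivity Retries consecutive failures and a Not In Service trap is recorded, and when identify_by_name is set every farm server sharing the failed server's Server Name (the other legs of the same physical firewall) is excluded from dispatch as well. The server names, addresses and ping outcomes are constructed; the trap text is a stand-in for the device's syslog/e-mail/SNMP/CLI notification.

```python
class ConnectivityMonitor:
    """Ping-based farm connectivity checks with per-server retry counting."""

    def __init__(self, interval=10, retries=5, identify_by_name=False):
        self.interval = interval                # Connectivity Interval (seconds)
        self.retries = retries                  # Connectivity Retries
        self.identify_by_name = identify_by_name
        self.servers = {}                       # ip -> {"name", "failures", "in_service"}
        self.traps = []                         # notifications emitted so far

    def add_server(self, ip, name):
        """A farm server: `name` is the Server Name shared by all legs of one physical box."""
        self.servers[ip] = {"name": name, "failures": 0, "in_service": True}

    def poll(self, ping_results):
        """One polling round: ping_results maps server ip -> echo reply received."""
        for ip, replied in ping_results.items():
            s = self.servers[ip]
            if replied:
                s["failures"] = 0
                s["in_service"] = True          # a reply restores the server
                continue
            s["failures"] += 1
            if s["in_service"] and s["failures"] >= self.retries:
                s["in_service"] = False
                self.traps.append(f"{ip} ({s['name']}) Not In Service")

    def eligible(self):
        """Servers that may receive traffic. With Identify Server By Name, a
        failed leg takes every server with the same Server Name out as well."""
        down_names = {s["name"] for s in self.servers.values() if not s["in_service"]}
        return sorted(ip for ip, s in self.servers.items()
                      if s["in_service"]
                      and not (self.identify_by_name and s["name"] in down_names))


def demo(identify_by_name):
    """Constructed sample: two firewalls with an internal and an external leg each.
    The external leg of fw1 stops answering for two rounds (retries=2)."""
    mon = ConnectivityMonitor(interval=10, retries=2, identify_by_name=identify_by_name)
    for ip, name in [("10.0.0.1", "fw1"), ("172.16.0.1", "fw1"),
                     ("10.0.0.2", "fw2"), ("172.16.0.2", "fw2")]:
        mon.add_server(ip, name)
    healthy = {ip: True for ip in mon.servers}
    mon.poll(healthy)
    for _ in range(2):
        mon.poll({**healthy, "172.16.0.1": False})
    return mon.eligible(), mon.traps
```

Without Identify Server By Name the internal leg of fw1 keeps receiving outbound traffic although its external leg is unreachable, which is the half-working firewall the flag is meant to take out of rotation.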
Server Management
This section explains Server Management and includes the following topics:
• Servers Overview, page 100
• Farm Servers, page 101
• Server Parameters, page 101
• Physical Servers, page 103
Servers Overview
Farm servers are logical entities that are associated with application services provided by
physical servers that run these applications.
The process of adding and configuring servers in the LinkProof farm consists of two main
stages:
• Adding physical servers
• Setting up farm servers
Adding physical servers means adding the hardware elements to the network and defining
them as servers. This is done using APSolute Insite after the actual installation of the
physical server is performed.
For each service provided by a physical server, you can define a farm server and attach it to
the farm that provides this service. Configuring farm servers means organizing the servers
the way you use their services.
A physical server that provides multiple services may participate in multiple farms. In each farm this physical server is represented by a unique farm server that provides one specific service. Each service is associated with a farm, for which you can define its own load balancing scheme and customized health checks. In this way, if one of the services provided by a physical server is not available, the other services can still be used.
To enable tracking of all the farm servers associated with the specific physical server, farm
servers are organized in groups, identified by the server name. All farm servers with the
same server name are considered by LinkProof as running on the same physical server.
Farm server parameters are configured per farm and per server and control the process of
providing a particular service.
Physical server configuration is performed for each Server Name, and applies to all farm
servers on the same LinkProof with the same name, implying they all run on the same
machine.
Farm Servers
Farm (logical) servers represent applications residing on the physical server. Each
application provides a particular service.
LinkProof supports different farm server types, according to farm types: routers and
firewalls.
The name of the farm server identifies the actual physical server that provides the service.
The Server Name parameter is configured when the physical server is added to the APSolute
Insite map.
The IP address of the farm server must also be defined. A physical server can have a few IP
addresses, so different farm servers that are operating on the same physical server can
have different IP addresses.
The same Server Name and Server Address can be used in different farms (but only in farms of the same type).
LinkProof periodically sends ARP requests to all Logical Servers that have an IP address. The user can disable this mechanism using the ARP to Logical Servers parameter, and set the interval between ARPs (in seconds) using the Time between ARPs parameter.
To configure ARP parameters:
1. From the main window, double-click the LinkProof device icon. The Setup window appears.
2. In the Setup window, click Networking > ARP Table. The ARP Table window appears.
3. In the ARP Table window, change the ARP parameters as desired.
4. Click Ok. Your preferences are recorded.
Farm server configuration sets parameters that define server's behavior within a specified
farm.
Server Parameters
Server Weight
The weight of the server in a farm is the server's priority, and importance. You can define a
particular server in a farm to have more weight than other servers. This means that more
traffic is forwarded to this server as opposed to other servers.
Server weights operate as ratios. For example, when the Dispatch Method is set to Least
Number of Users, the weights determine the ratio of the number of users between the
servers. If the Least Amount of Traffic method is used, the weights determine the ratio of
the amount of traffic between the servers. The weight ranges from 1 to 100. A server with
weight 2 receives twice the amount of traffic as a server with weight 1. The default weight is
1.
Note: Server Weight is not supported when the Cyclic Dispatch Method is selected in the farm.
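Least Number of Users with server weights, as an added Python illustration of the Least Number of Users and Least Number of Local Users descriptions earlier in this chapter and of the weight-as-ratio rule above (not Radware's code; the device's exact selection logic is not given in the guide). The session count per server is the number of active Client Table entries, counted over all farms for the global method and over the addressed farm only for the local variant; dividing that count by the server's weight (1 to 100) is how the ratio rule is applied here. The farm, server and client names are constructed. The same local-versus-global distinction applies unchanged to the traffic (pps) and bytes variants, with a different per-entry metric.

```python
class ClientTable:
    """Active sessions: each entry records the client, the farm that served it
    and the server it was dispatched to."""

    def __init__(self):
        self.entries = []   # (client, farm, server)

    def add(self, client, farm, server):
        self.entries.append((client, farm, server))

    def remove(self, client, farm):
        """Entry aged out or torn down."""
        self.entries = [e for e in self.entries if (e[0], e[1]) != (client, farm)]

    def users(self, server, farm=None):
        """Active entries to `server`, over all farms or only within `farm`."""
        return sum(1 for _, f, s in self.entries
                   if s == server and (farm is None or f == farm))


def least_users(table, farm, servers, weights=None, local=False):
    """Pick a server from `servers` (the farm's members) for a new request.
    local=False: Least Number of Users, counting sessions from every farm.
    local=True:  Least Number of Local Users, counting only this farm's sessions.
    weights maps server -> 1..100; the chosen server minimises users/weight,
    so weight 2 carries twice the sessions of weight 1. Ties go to name order."""
    weights = weights or {}
    for s in servers:
        w = weights.get(s, 1)
        if not 1 <= w <= 100:
            raise ValueError(f"weight for {s} must be 1..100")

    def load(s):
        return table.users(s, farm if local else None) / weights.get(s, 1)

    return min(sorted(servers), key=load)


def demo():
    """Constructed sample: srv1 and srv2 serve Farm A and Farm B."""
    table = ClientTable()
    for i in range(4):
        table.add(f"c{i}", "FarmA", "srv1")
    for i in range(4, 10):
        table.add(f"c{i}", "FarmB", "srv1")     # srv1: 4 in A, 6 in B
    for i in range(10, 15):
        table.add(f"c{i}", "FarmA", "srv2")     # srv2: 5 in A, 0 in B
    farm_a = ["srv1", "srv2"]
    return (least_users(table, "FarmA", farm_a),                      # global: srv2 (5 < 10)
            least_users(table, "FarmA", farm_a, local=True),          # local:  srv1 (4 < 5)
            least_users(table, "FarmA", farm_a, {"srv2": 2}, True))   # weighted local: srv2
```

The three results of demo differ only in how the same Client Table is counted, which is the whole difference between the global and local methods: a server that is busy on behalf of another farm looks idle to the local variant.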
Connection Limit
Connection Limit is the maximum number of users that can be directed to a server for a
service provided by the farm. The number of users depends on the Sessions Mode, because
it is determined by the number of active entries in the Client Table for sessions destined to
the specific server.
Default value: 0, which means that the mechanism for the selected server is disabled.
Note: There is no user number limit for the Connection Limit parameter.
Bandwidth Limit
Bandwidth Limit is the maximum amount of bandwidth in Kbps allowed for this application
server. If traffic through that server exceeds the configured limit for any given second,
LinkProof drops excess packets. Default value: No Limit.
The limit is measured in Kbps, so 1Mbps is represented with a bandwidth limit of 1000. A
value of 0 means that there is no bandwidth limit.
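Connection Limit and Bandwidth Limit enforcement for one farm server, as an added Python illustration (not Radware's code): ServerAdmission refuses a new session once the server already holds Connection Limit active Client Table entries (0 disables the check) and drops packets that would push the server past its Bandwidth Limit within the current one-second window (0 means No Limit; 1000 stands for 1 Mbps). Accounting bandwidth in whole-second windows and counting a packet in full or not at all are assumptions about details the guide leaves open; the packet sizes and timestamps are constructed.

```python
class ServerAdmission:
    """Per-server limits as applied by the farm: active sessions and bits per second."""

    def __init__(self, connection_limit=0, bandwidth_limit_kbps=0):
        self.connection_limit = connection_limit            # 0 = mechanism disabled
        self.bandwidth_limit_kbps = bandwidth_limit_kbps    # 0 = No Limit
        self.active = set()                                  # client keys with a Client Table entry
        self.window = None                                   # whole second being accounted
        self.bits_in_window = 0
        self.dropped = 0

    def admit_session(self, client_key):
        """Can a new session for client_key be directed to this server?"""
        if client_key in self.active:
            return True                         # existing entry, nothing to admit
        if self.connection_limit and len(self.active) >= self.connection_limit:
            return False
        self.active.add(client_key)
        return True

    def end_session(self, client_key):
        """Client Table entry removed (aged out, disconnected, or server disabled)."""
        self.active.discard(client_key)

    def forward_packet(self, size_bytes, now):
        """Returns True if the packet goes through, False if dropped for exceeding
        the per-second bandwidth limit."""
        second = int(now)
        if second != self.window:               # new one-second window (assumption)
            self.window, self.bits_in_window = second, 0
        bits = size_bytes * 8
        if (self.bandwidth_limit_kbps
                and self.bits_in_window + bits > self.bandwidth_limit_kbps * 1000):
            self.dropped += 1
            return False
        self.bits_in_window += bits
        return True


def demo():
    """Constructed sample: limit 2 sessions and 1000 Kbps (1 Mbps); 100 KB packets."""
    srv = ServerAdmission(connection_limit=2, bandwidth_limit_kbps=1000)
    admitted = [srv.admit_session(c) for c in ("c1", "c2", "c3")]   # third refused
    srv.end_session("c1")
    admitted.append(srv.admit_session("c3"))                         # admitted once c1 is gone
    # 100 KB = 800 kbit: one fits in a second, the next two are dropped,
    # the window starting at t=1 accepts again
    forwarded = [srv.forward_packet(100_000, t) for t in (0.1, 0.2, 0.3, 1.05)]
    return admitted, forwarded, srv.dropped
```

Because the guide states that excess packets are dropped rather than queued, a bandwidth limit set below what a server's clients actually use shows up as loss on that server alone, which is worth remembering when a single farm member reports retransmissions the others do not.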
Admin Status
Admin Status is the user-defined management status of the server, which you can change at any stage of the server's configuration or operation. The following options are available:
• Enabled: The server is active and ready to reply to new requests for service.
• Disabled: The server is not active. When setting the Admin Status to Disabled, LinkProof removes all the entries relevant to this server from the Client Table, stops sending new requests for service to this server and disconnects all the connected clients.
Operation Mode
A farm server can be configured to have one of the following operational modes:
• Regular: The server's health is checked; as long as it is available, the server is eligible to receive client requests. This is the default operation mode.
• Backup: The server's health is checked, but the server does not receive any client requests. The server becomes eligible for client requests when all the servers in Regular mode have failed.
To configure farm servers:
1. From the main window, select a LinkProof device and click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click Farms. The Farms pane appears.
3. From the Farms pane, click Add/Edit. The Edit LinkProof Farm window appears.
4. From the Edit LinkProof Farm window, click Add. The LinkProof Farm Server window appears.
5. From the LinkProof Farm Server window, set the parameters of the server according to your requirements.
6. Click Ok. Your preferences are recorded.
ARP to Logical Server
LinkProof periodically sends ARP requests to all Logical Servers that have an IP address. You can disable this mechanism using the ARP to Logical Servers parameter, and set the interval between ARPs (in seconds) using the Time between ARPs parameter.
To configure ARP parameters:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window appears.
2. From the LinkProof Setup window, click Networking > ARP Table. The ARP Table window appears.
3. From the ARP Table window, change the ARP parameters according to your requirements.
4. Click Ok. Your preferences are recorded.
Identifying NHR (Router) by Port
In certain cases both firewall legs, although connected to separate physical ports, have the same MAC address. For LinkProof to correctly identify the logical firewall server in such cases, this parameter should be enabled.
To enable Identifying by Port:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window
appears.
2. In the LinkProof Setup window, select the Global tab. The Global pane appears.
3. In the Global pane, select Advanced Settings > Edit Settings. The LinkProof
Advanced Settings window appears.
4. In the LinkProof Advanced Settings window, enable the Identifying NHR by Port
parameter.
5. Click Ok. Your preferences are recorded.
Physical Servers
Physical servers are hardware units configured to operate as an integral part of the network.
Before setting up a physical server, you must connect the server to the LinkProof device on
the hardware level.
Once hardware connections are completed, you can start adding physical servers to the
APSolute Insite map. The parameters of the physical server are defined globally and are
applied to all the farm servers that use the physical server.
Table 12 on page 104 describes physical servers' Setup parameters.
Table 12: Physical Server Parameters
Server Name: The physical server name. The Server Name defines the name of the group of
farm servers that are associated with this physical server. Adding a new server to a farm
using a Server Name that is already defined in another farm implies that it is the same
physical server.
Recovery Time: The period of time, in seconds, during which no data is sent to the physical
server after the server recovers from a failure. When a server's operational status changes
from inactive to active (dynamically or administratively), the server is not eligible to receive
clients for this period of time. Recovery Time applies to all servers in all farms that share the
same Server Name. Once this time has elapsed, the server becomes eligible to receive client
requests. Default is 0; with this value the server is eligible immediately after its operational
status changes from inactive to active.
Connection Limit: The maximum number of Client Table entries that can run simultaneously
on the physical server. This depends on the farm's Sessions Mode. When the limit is reached,
new requests for service are no longer directed to this server. All open sessions are
continued. When the Connection Limit parameter is configured to 0 (default), this
mechanism is disabled for this physical server and there is no user number limit. When
configuring Connection Limit for the physical server, ensure that the Connection Limit in the
farm servers with the same Server Name is lower than or equal to the Connection Limit in
the physical server. The total number of active sessions that run simultaneously on the farm
servers must not be higher than the Connection Limit value defined on the physical server.
In Kbps Limit: The maximum traffic (in kbps) that can be received from the router. When the
limit is reached, new requests for service are no longer directed to this router. All open
sessions are continued.
Out Kbps Limit: The maximum traffic (in kbps) that can be sent to the router. When the limit
is reached, new requests for service are no longer directed to this router. All open sessions
are continued, unless the Discard Flag is enabled.
Kbps Limit: The maximum traffic (in kbps) that can be sent to and received from the router.
When the limit is reached, new requests for service are no longer directed to this router. All
open sessions are continued, unless the Discard Flag is enabled.
Discard Flag: Defines the device behavior when the outbound or total bandwidth limit of a
router is reached. If the flag is disabled, new sessions are not allocated to this server, but
existing session traffic is not dropped. If the flag is enabled, traffic is dropped when the
bandwidth limit is exceeded.
Warm-up Time: The time, in seconds, after the server is up, during which clients are sent to
this physical server at a gradually increasing rate, so that the server reaches its capacity
gradually. LinkProof internally raises the weight of the server during this period, at the end
of which the server's weight is the pre-configured weight, see Server Weight, page 101. If
the Warm-up Time parameter is set to 0 (default), the server is activated at full weight upon
a change in operational status from "inactive" to "active" and after waiting the Recovery
Time. Note: This option is not applicable for farm servers in which the load balancing
decision is made using the Cyclic Dispatch Method.
IP Address: The IP addresses of the server. For each farm server associated with this
physical server, you define an IP address.
Billing Mode: LinkProof supports multiple billing models for the Cost feature. For each router
the user can define the billing model used, the options being: Inbound bandwidth; Outbound
bandwidth; Total bandwidth (Inbound+Outbound); Max (Inbound, Outbound), the maximum
between Inbound and Outbound bandwidth.
ToS: This field contains the ToS value for this router. Value ranges differ between the ToS
types: 0-15 for ToS Type, 0-7 for Precedence Type. A value of 255 may be given if no ToS is
required for this router.
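The following Python model, an added example rather than Radware's code, shows how the Recovery Time, Warm-up Time, Connection Limit, Out Kbps Limit and Discard Flag parameters of Table 12 interact when deciding whether a physical server may receive a new request; the linear warm-up ramp and the constructed timing values are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PhysicalServer:
    """Subset of the Table 12 parameters of one physical server (added model)."""
    name: str
    weight: int = 1              # pre-configured Server Weight
    recovery_time: int = 0       # seconds; 0 = eligible immediately (default)
    warmup_time: int = 0         # seconds; 0 = activate at full weight (default)
    connection_limit: int = 0    # Client Table entries; 0 = mechanism disabled
    out_kbps_limit: int = 0      # kbps sent to the router; 0 = disabled
    discard_flag: bool = False   # drop traffic once the bandwidth limit is exceeded
    active_since: Optional[int] = None  # time (s) the status became "active"
    sessions: int = 0            # current Client Table entries on this server
    out_kbps: int = 0            # measured outbound traffic in kbps (constructed)

    def activate(self, now: int) -> None:
        """Operational status changes from inactive to active."""
        self.active_since = now

    def effective_weight(self, now: int) -> int:
        """Weight the dispatcher uses at time `now`.

        Weight 0 during Recovery Time (no data is sent); during Warm-up Time the
        weight ramps up to the configured weight (a linear ramp is assumed here,
        the guide only says the rate increases gradually); full weight afterwards.
        Not applicable to farms using the Cyclic Dispatch Method.
        """
        if self.active_since is None:
            return 0
        elapsed = now - self.active_since
        if elapsed < self.recovery_time:
            return 0
        elapsed -= self.recovery_time
        if self.warmup_time and elapsed < self.warmup_time:
            return max(1, self.weight * elapsed // self.warmup_time)
        return self.weight

    def accepts_new_session(self, now: int) -> bool:
        """New requests for service are directed here only if every limit allows it."""
        if self.effective_weight(now) == 0:
            return False
        if self.connection_limit and self.sessions >= self.connection_limit:
            return False
        if self.out_kbps_limit and self.out_kbps >= self.out_kbps_limit:
            return False
        return True

    def drops_existing_traffic(self) -> bool:
        """Open sessions continue unless the Discard Flag is enabled and the
        outbound bandwidth limit is exceeded."""
        exceeded = bool(self.out_kbps_limit) and self.out_kbps > self.out_kbps_limit
        return exceeded and self.discard_flag
```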
Network Address Translation
This section explains the NAT capabilities, which enable the source IP address to be hidden.
NAT translates an IP address used within one network to a different IP address known
within another network.
This section includes the following topics:
• Network Address Translation (SmartNAT) - Introduction, page 106
• Dynamic NAT, page 107
• Static NAT, page 108
• No NAT, page 109
• Basic NAT, page 110
• One IP Support, page 111
• Static Port Address Translation, page 112
Network Address Translation (SmartNAT) - Introduction
The main complication in a multi-homed network is managing the IP addressing scheme for
the different providers. There are two common possibilities that can be deployed with
regard to the IP scheme that the internal network uses:
• A single IP network number is assigned to the internal network. This requires
communication and cooperation between the two ISPs in order to advertise proper
routes for this single IP network to the rest of the Internet. Also, care must be taken to
ensure that both links are used for incoming traffic. If only a single ISP is used to deliver
inbound traffic to the network, then part of the motivation and benefits of multi-homing
go unrealized.
• Each ISP assigns the internal network a different IP address range. Therefore, two IP
address ranges will be active at the same time for the internal network.
However there is an issue of what range to use for outbound traffic. If Range1 (assigned to
the network by ISP1) is used and the link to ISP1 fails, there is no way for the response
traffic to return to the network, since the world knows Range1 to be accessible only through
ISP1. Furthermore, if only Range1 is used, the ISP2 link will never be used for inbound
traffic, again since the world knows Range1 as accessible through ISP1. Also, there is the
issue of what IP addresses to advertise to the world for inbound traffic. For example, if the
network has a Web server that needs to be accessed from the world, which IP range would
the Web server belong to? If it belongs to only one of the ranges, the Web server is
inaccessible if the ISP responsible for that range loses its link to the network. If addresses
from both ranges are advertised, then DNS failover and resiliency become additional factors
that need to be addressed.
For intelligent address management of traffic, LinkProof utilizes an algorithm called
SmartNAT.
To alleviate the outbound traffic problem, LinkProof will perform "smart" dynamic NAT. With
this feature, LinkProof will have addresses from both ISPs' address ranges available for
translation. Then, when a router is selected to carry an outbound session, LinkProof will
choose an IP address that is associated with that router/ISP. Therefore if LinkProof chooses
Router1 as the router to deliver a session to the Internet, it will use an IP address of ISP1 as
the translated source address. Likewise, if it chooses Router2 as the router to deliver a
session to the Internet, it will use a source IP address of ISP2. By choosing translated
source IP addresses according to the chosen router, return delivery issues will not be
encountered.
SmartNAT not only encompasses dynamic IP address allocation and translation, but it also
includes, for LinkProof, the ability to statically map internal resources to external IP
addresses. Individual internal resources, such as servers, are mapped to multiple outside IP
addresses (one from each ISP). Statically mapped IP addresses are used for inbound traffic,
from the most available ISP link.
The static mapping of SmartNAT also compensates transparently for ISP link failure. If an
ISP link is down, only available IP addresses are used for inbound traffic. By making an
inside resource available through all available ISPs, uptime is guaranteed for that internal
resource. Permanent access to the resource is available through the most available ISP link.
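As an added illustration of the SmartNAT behaviour just described (not Radware's implementation), the Python model below takes the translated source address from the pool of the router chosen for an outbound session and hands out only the static mappings of ISPs whose link is up; router names and address ranges are constructed.

```python
import itertools
from typing import Dict, Iterator, List, Tuple


class SmartNAT:
    """SmartNAT address selection model (added example, not Radware's code).

    Dynamic NAT: each router/ISP owns a pool of translatable addresses and an
    outbound session is given a source address from the pool of the router
    chosen to carry it, so replies come back through the same ISP.
    Static NAT: an internal resource is mapped to one public address per ISP and
    only the addresses of ISPs whose link is up are used for inbound traffic.
    """

    def __init__(self) -> None:
        self.pools: Dict[str, Iterator[str]] = {}       # router -> cycling NAT pool
        self.link_up: Dict[str, bool] = {}              # router -> ISP link state
        self.static: Dict[str, Dict[str, str]] = {}     # internal IP -> {router: public IP}
        # (src IP, src port, dst IP, dst port) -> (translated source, router)
        self.sessions: Dict[Tuple[str, int, str, int], Tuple[str, str]] = {}

    def add_router(self, router: str, nat_ips: List[str]) -> None:
        """Register a router together with addresses from its ISP's range."""
        self.pools[router] = itertools.cycle(nat_ips)
        self.link_up[router] = True

    def set_link(self, router: str, up: bool) -> None:
        self.link_up[router] = up

    def add_static(self, internal_ip: str, router: str, public_ip: str) -> None:
        """Statically map an internal resource to a public address of one ISP."""
        self.static.setdefault(internal_ip, {})[router] = public_ip

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                 chosen_router: str) -> str:
        """Translated source address for an outbound session carried by
        chosen_router. Only one translation is recorded per session."""
        if not self.link_up.get(chosen_router, False):
            raise ValueError(f"{chosen_router}: ISP link is down")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.sessions:
            self.sessions[key] = (next(self.pools[chosen_router]), chosen_router)
        return self.sessions[key][0]

    def inbound_addresses(self, internal_ip: str) -> List[str]:
        """Public addresses that may be handed out for inbound traffic to an
        internal resource: its static mappings through every available ISP."""
        return [public for router, public in self.static.get(internal_ip, {}).items()
                if self.link_up.get(router, False)]
```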
Notes:
i. LinkProof performs NAT when forwarding to farms for which NAT has been
enabled (security and firewall farms only). NAT is performed only for IPs
that are found in the SmartNAT tables.
ii. LinkProof can perform a single Network Address Translation per session.
To configure NAT:
Configuring NAT involves the following stages:
1. Change the NAT Tuning parameters.
2. Configure the NAT Addresses.
To Change the NAT Tuning Parameters:
1. From the main window, double-click the LinkProof icon. The Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. In the Global pane, select Advanced Settings > Edit Settings. The Advanced Settings
window appears.
4. In the Advanced Settings window, set the following parameters according to the
explanations provided:
Static NAT: Specify the number of IP addresses to be used by Static NAT. Range: >0-8,192.
Default: 512.
Basic NAT: Specify the number of IP addresses to be used by Basic NAT. Range: >0-128.
Default: 512.
No NAT: Specify the number of IP addresses to be used by No NAT. Range: >0-20,000.
Default: 512.
5. Click Ok to exit all windows.
6. Restart the device to apply the tuning parameter changes.
Dynamic NAT
The Dynamic NAT feature enables LinkProof to hide various network elements located
behind LinkProof. Using this feature, LinkProof replaces the original source IP and source
port of a packet with the configured NAT IP and a dynamically allocated port before
forwarding the request to the farm.
The network elements whose addresses are NATed can be servers or other local hosts. You
can set different NAT addresses for different ranges of Intercepted Addresses.
For example, traffic from subnet A is NATed using IP address 10.1.1.1 and traffic from
subnet B is NATed using IP address 10.1.1.3.
To configure Dynamic NAT:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic
Redirection window appears.
2. In the Traffic Redirection window, select the NAT tab. The NAT pane appears.
3. In the NAT pane, select Dynamic NAT from the drop-down list and set the following
parameters according to the explanations provided:
From Local Address: The start of the range of local server IP addresses.
To Local Address: The end of the range of local server IP addresses.
Server Address: The IP address of the farm server. These NAT addresses are used when
traffic from local addresses is sent to this farm server.
Dynamic NAT IP: The NAT IP address to be used. The IP address of the LP interface can be
used for NHRs on the same subnet. Note: This mode cannot be used with a range of IP
addresses for Dynamic NAT per NHR.
NAT Redundancy Mode: Whether the NAT address is regular or backup. The Active mode is
for the active device and the Backup mode is for the backup device.
4. Click Add >Apply>Ok. Your preferences are recorded.
Static NAT
Static NAT is used to ensure delivery of specific traffic to a particular server on the internal
network. For example, LinkProof uses Static NAT, meaning predefined addresses mapped to
a single internal host, to load balance traffic to this host among multiple transparent traffic
connections. This ensures that the return traffic uses the same path. Multiple Static NAT
addresses are assigned to the internal server, one for each farm server address range.
Note:
Static NAT addresses cannot be part of the Dynamic NAT IP pool.
To configure Static NAT
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic
Redirection window appears.
2. In the Traffic Redirection window, select NAT. The NAT pane appears.
3. In the NAT pane, select Static NAT from the drop-down list. The Static NAT pane
appears.
4. In the Static NAT pane, set the following parameters according to the explanations
provided:
From Local Address: The start of the range of local IP addresses.
To Local Addresses: The end of the range of local IP addresses.
Server Addresses: The IP addresses of the farm server. These NAT addresses will be used
when traffic from local addresses is sent to this farm server.
From Static NAT: The start of the range of NAT addresses to be used when forwarding to the
server addresses above.
To Static NAT: The end of the range of NAT addresses to be used when forwarding to the
server addresses above.
Redundancy Mode: The redundancy mode can be either Backup or Active. The Active mode
is for the active device and the Backup mode is for the backup device.
5. Click Apply and Ok. Your preferences are recorded.
Exclude Static NAT For Local Network
Traffic from a local host for which Static NAT is configured undergoes NAT when forwarded to
a farm for which NAT is enabled. Traffic to the local network is not translated. In certain
cases, mainly for security purposes, it is required that traffic from the local host to the local
network is also translated using Static NAT.
To allow this configuration, the Exclude Static NAT for Local Network flag should be disabled
(it is enabled by default).
Enable Ping to multiple Static NATs
A flag allows enabling or disabling simultaneous ping functionality to multiple Static NAT
addresses belonging to the same Internet host.
No NAT
No NAT enables a simple configuration where internal hosts have IP addresses that belong
to a range of one of the farm servers.
Traffic to/from these hosts should not be translated if the traffic is forwarded to this farm
server.
If you do not configure any NAT address for a host via a farm server, that farm server will
not be used by inbound traffic to that host if the host IP resolution is provided via DNS. In
order to use a farm server for traffic from the host when NAT is not required, use the No
NAT configuration.
To configure No NAT:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic
Redirection window appears.
2. In the Traffic Redirection window, select NAT. The NAT pane appears.
3. In the NAT pane, select No NAT from the drop-down list and set the following
parameters according to the explanations provided:
From Local Address: The start of the range of local IP addresses.
To Local Address: The end of the range of local IP addresses.
Port Number: The destination port for which traffic is not NATed. For example, all traffic to
destination port 80 is not NATed. Destination port 0 refers to all the ports.
Server Address: The IP address of the farm server. These NAT addresses will be used when
traffic from local addresses is sent to this farm server.
4. Click Add >Apply > Ok. Your preferences are recorded.
Basic NAT
Basic NAT enables a one-to-one NAT mapping for occasional users, based on local IP ranges
and destination applications. A pool of NAT addresses for each server is configured per
range of local IP addresses and destination port. Whenever a client with an IP address
within the range initiates a session to any host with the relevant application port, a NAT
address is allocated to this session, and is used for all further sessions for the client with this
application on this destination host. Basic NAT is useful for any application which requires
that source ports not be translated, and therefore cannot be used when the client's IP is
translated using Dynamic NAT.
Typically the configured local IP range includes more hosts than the number of IP addresses
allocated for Basic NAT for the same range. This means that traffic from any of the hosts in
the local IP range is NATed using one of the Basic NAT addresses configured for that range,
which allows a pool of Static NAT addresses to serve a (larger) range of local IP addresses.
The destination port can be configured to a specific application port, or to "All ports".
You can also configure how the LinkProof should behave if all Basic NAT addresses for the
specified IP range and application are occupied.
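An added Python model of one Basic NAT entry (not Radware's code) showing the allocation rule described above: one NAT address per client, application port and destination host, reused by that client's later sessions, with the source port left untouched and None returned when the pool is exhausted; all addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class BasicNATPool:
    """One Basic NAT entry (added example, not Radware's code): a local IP
    range, a destination port (0 = all ports) and the NAT addresses configured
    for that range. Source ports are never translated."""

    def __init__(self, local_from: str, local_to: str, port: int,
                 nat_from: str, nat_to: str) -> None:
        self.local = (int(ipaddress.ip_address(local_from)),
                      int(ipaddress.ip_address(local_to)))
        self.port = port
        first = int(ipaddress.ip_address(nat_from))
        last = int(ipaddress.ip_address(nat_to))
        self.free: List[str] = [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]
        # (client IP, application port, destination host) -> allocated NAT address
        self.allocated: Dict[Tuple[str, int, str], str] = {}

    def matches(self, client_ip: str, dst_port: int) -> bool:
        """Does this entry apply to a session from client_ip to dst_port?"""
        addr = int(ipaddress.ip_address(client_ip))
        return self.local[0] <= addr <= self.local[1] and self.port in (0, dst_port)

    def translate(self, client_ip: str, client_port: int, dst_ip: str,
                  dst_port: int) -> Optional[Tuple[str, int]]:
        """Return (NAT address, source port) for this session, or None when all
        NAT addresses of the pool are occupied (the guide leaves that case to
        configuration). The first session of a client to an application on a
        host allocates an address; further sessions of the same triple reuse it."""
        if not self.matches(client_ip, dst_port):
            raise ValueError("entry does not apply to this session")
        key = (client_ip, dst_port, dst_ip)
        nat_ip = self.allocated.get(key)
        if nat_ip is None:
            if not self.free:
                return None
            nat_ip = self.free.pop(0)
            self.allocated[key] = nat_ip
        return nat_ip, client_port          # source port unchanged

    def release(self, client_ip: str, dst_port: int, dst_ip: str) -> None:
        """Return a NAT address to the pool once the client's sessions are gone."""
        nat_ip = self.allocated.pop((client_ip, dst_port, dst_ip), None)
        if nat_ip is not None:
            self.free.append(nat_ip)
```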
To configure Basic NAT :
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic
Redirection window appears.
2. In the Traffic Redirection window, select the NAT tab. The NAT pane appears.
3. In the NAT pane select Basic NAT from the NAT drop-down list. The Basic NAT pane
appears.
4. In the Basic NAT pane, set the following parameters according to the explanations
provided:
From Local Address: The start of the range of local IP addresses.
To Local Address: The end of the range of local IP addresses.
Port Number: The destination port for which traffic is NATed. For example, if you enter "80",
all traffic to destination port 80 is NATed. Destination port 0 refers to all the ports.
Server Address: The IP address of the farm server. These NAT addresses will be used when
traffic from local addresses is sent to this farm server.
From NAT Address: The start of the range of NAT addresses.
To NAT Address: The end of the range of NAT addresses.
Redundancy Mode: The redundancy mode can be either Backup or Regular. The Active
(Regular) mode is for the active device and the Backup mode is for the backup device.
5. Click Add > Ok. Your preferences are recorded.
One IP Support
This feature is designed to reduce the number of public IP addresses used in LinkProof
configurations. When One IP is enabled, the user can define Dynamic SmartNAT addresses
that are identical to the device's own interface IP addresses.
LinkProof registers all incoming and outgoing traffic in order to distinguish between
management, Health Monitoring and Proximity traffic on the one hand and forwarded traffic
on the other. One IP can be enabled on some IP interfaces and disabled on others.
When One IP is used, the LinkProof device uses the interface addresses to perform Dynamic
SmartNAT and hide the LAN segment behind the LinkProof.
Incoming Traffic for Public Services
When One IP is not used for incoming traffic, Web services are configured for internal
servers using Static NAT. With a One IP configuration, Static Port Address Translation (SPAT)
is used instead; it is described in the next section.
Smart NAT using One IP configuration
LinkProof uses a set of predefined IP addresses in order to maintain connectivity as well as
functionality.
Each router connected to the LinkProof needs 2 IP addresses in a regular (non-VLAN Bridge)
configuration: one IP is used for the router's internal interface and another is used for the
LinkProof interface itself.
As a configuration example, LinkProof uses 2 IP addresses per router in a regular
configuration. Therefore, if we have 5 routers we need 5 x 2 = 10 available addresses. In
most LinkProof configurations the IP addresses used for the above configuration are public
IP addresses.
When using LinkProof with SmartNAT configurations, private addresses (as defined in
RFC 1918) are assigned to the internal LAN segments behind the LinkProof device, and
additional public IP addresses are required.
To configure Smart NAT with One IP using WBM:
1. From the Router menu, select Router > IP Router > Interface Parameters. The IP
Router Interface Parameters window appears.
2. Click Create. The Interface Parameters Create window appears.
3. From the One IP (Router Interface Only) field, select Enable or Disable.
4. Click Set.
To configure Smart NAT with One IP using CLI:
1. Enter net ip-interface set <IP Address> -oi <enable or disable>
2. Select Enable or Disable (by default 1IP option is disabled).
You are required to configure Dynamic NAT(DNAT) using the SmartNAT configuration. See
Dynamic NAT for an explanation on how to configure DNAT.
Static Port Address Translation
Static Port Address Translation (Static PAT or SPAT) allows one-to-one mapping between
local and global addresses. With Static PAT multiple internal hosts can share a single IP
address for communication thus saving public IP address usage.
Static PAT is actually a subset of NAT (RFC 2663) but usually referred to as Static PAT when
discussing Port Forwarding.
Static PAT allows you to configure a static mapping of UDP or TCP ports of LinkProof's IP
interface to the internal hosts' ports.
Static PAT Example, page 112 shows an example of Static PAT, in which a client initiates a
connection from the Internet towards the Web Server.
Figure 7: Static PAT Example
The Static Port Address Translation proceeds as follows:
Client to Web Server:
Before translation: Destination IP = IP B (Public), Destination Port = 80 (HTTP).
After translation: Destination IP = Forward-to IP (Internal, Private), Destination Port = 8080.
Action on Web Server: Reply to Client IP.
Web Server to Client:
Before translation: Destination IP = Client IP (Public), Destination Port = 8080.
After translation: Destination IP = IP B (Public), Destination Port = 80 (HTTP).
Action on Web Server: Continue Session.
The LinkProof SPAT process translates the IP address of the packet as well as the destination
port (from one destination port to another). Multiple internal hosts can be configured and
can share a single IP address on different ports.
Static PAT and DNAT Port Table
The limit on the highest port number that can be used by SPAT (and DNAT) is called the PAT
& DNAT Port Table. The default is 60534.
This limit affects both the SPAT ports configured manually and the ports allocated by
Dynamic NAT.
Note: This limit is configured using device tuning in WBM.
To configure Static PAT using APSolute Insite:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic
Redirection window appears.
2. In the Traffic Redirection window, select the NAT tab. The NAT pane appears.
3. In the NAT pane, select Static NAT from the NAT drop-down list. The Static NAT pane
appears.
4. In the Static NAT pane, set the following parameters:
Server IP or Physical Port: The server or port address.
Local Address: The IP address of the internal server.
Local Port: The application port (TCP or UDP) to which the packet is sent on the Local IP
address. Note: This parameter is not available if the ICMP or IPSec protocol was selected.
Protocol: TCP, UDP or ICMP. Note: If the selected router has OneIP activated, then ICMP is
not available.
Entry Name (optional): The user ID of the Static PAT entry.
External Address: The external IP address.
External Port: The destination application port (TCP or UDP) of the received packet that is
sent to the Local IP/Internal Port. Note: This parameter is not available if the ICMP or IPSec
protocol was selected.
Redundancy Mode: The redundancy mode can be either Backup or Regular. The Regular
(Active) mode is for the active device and the Backup mode is for the backup device.
5. Click Add > Ok.
To configure Static PAT using WBM:
1. From the LinkProof menu, select Smart NAT > Static PAT Table. The Static PAT Table
window appears.
2. Click Create. The Static PAT Table Create window appears. Enter the following
parameters and click Set.
Internal IP: The internal IP of the server (Internal IP in Static PAT Example, page 112).
Internal Port: The internal port used by the server (8080 in Static PAT Example, page 112).
Protocol: The protocol type (TCP, UDP or ICMP).
Server IP: The IP of the external router (IP A in Static PAT Example, page 112).
External IP: The IP of the external LinkProof interface (IP B in Static PAT Example,
page 112).
External Port: The external port that the LinkProof device listens on (80 in Static PAT
Example, page 112).
Static PAT Mode: Backup and Main are used for mirroring purposes and are defined in
accordance with the Smart NAT redundancy settings.
Static PAT Name: Name used for identifying the PAT rule.
To configure Static PAT using CLI
Type in the command: lp smartnat static-pat add <Internal IP> <Internal Port>
<Protocol Type> <Router IP> <External IP> <External Port>
Static PAT Example, page 112 shows an example in which the following CLI is used:
lp smartnat static-pat add 10.204.1.1 9090 tcp 10.204.1.1 192.168.1.1
Management IP Considerations
By default (if enabled) LinkProof enables management access to the device in the following
protocols:
• Telnet - TCP Port 23
• SSH - TCP port 22
• Web - TCP Port 80
• SSL - TCP Port 443
• FTP - TCP Port 21
• SNMP - TCP Port 161
When using 1IP configurations the LinkProof IP address for management (its own IP) will be
used for SPAT. This might create a conflict with the above services should they also be used
for internal servers. If you try to use any ports in conflict with the above ports, then the
following error message is generated (using WBM or CLI):
"Can not bind port 80: Port is bound to device WEB service (UDP or TCP). Change service
port first"
Please refer to Services, page 341 for more information on how to change the selected port
/ service.
• SPAT is supported with TCP, UDP and ICMP.
• SPAT with 1IP is supported on TCP & UDP only.
• By design SPAT is limited to 1 server behind the SPAT device using a single port for a
single service. Only a single public service on a given port (for example, HTTP on port
80) can be exposed per public IP address. In this way an organization using PAT and a
single IP cannot run more than one of the same type of public service behind a PAT (for
example two public web servers using the default port 80).
• VPN (IPSec) Pass-through with SPAT: In order to configure VPN traffic pass-through
together with SPAT, you need to define a SPAT entry with UDP port 500 (IKE). The
device will then allow the AH and ESP protocols to undergo SPAT and pass through the
device as well.
• To resolve conflicting IPs, the SmartNAT methods are prioritized as follows:
1 - NoNAT
2 - SNAT
3 - SPAT
4 - DNAT
So, for example, if the user has configured an IP to be used in 1IP and SPAT and the
same IP also appears in a SNAT range: where inbound traffic is involved, the SNAT range
takes precedence over SPAT, and outbound traffic for this session only uses SNAT.
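The added Python model below (not Radware's code) applies the restrictions listed above to a Static PAT table: the management-port conflict under 1IP, the TCP/UDP-only rule, one service per public IP and port, and the NoNAT > SNAT > SPAT > DNAT priority; the device and server addresses are constructed and the bind_error helper is an assumption of the example.

```python
from typing import Dict, List, Optional, Tuple

# Management services the device listens on by default (ports as listed above).
MANAGEMENT_PORTS = {23: "TELNET", 22: "SSH", 80: "WEB", 443: "SSL", 21: "FTP", 161: "SNMP"}

# SmartNAT conflict-resolution priority, highest priority first.
NAT_PRIORITY = ["NoNAT", "SNAT", "SPAT", "DNAT"]

RuleKey = Tuple[str, int, str]     # (external IP, external port, protocol)
Target = Tuple[str, int]           # (internal IP, internal port)


class StaticPATTable:
    """Static PAT entries of one LinkProof (added example, not Radware's code).

    device_ip is the interface address that also carries management traffic
    and, with One IP (1IP) enabled, is reused as the SPAT external address.
    """

    def __init__(self, device_ip: str, one_ip: bool) -> None:
        self.device_ip = device_ip
        self.one_ip = one_ip
        self.rules: Dict[RuleKey, Target] = {}

    def bind_error(self, external_ip: str, external_port: int, protocol: str) -> Optional[str]:
        """Reason a new entry would be rejected, or None if it can be added
        (assumed helper; the guide shows only the WBM/CLI error text)."""
        protocol = protocol.lower()
        if protocol not in ("tcp", "udp", "icmp"):
            return "SPAT is supported with TCP, UDP and ICMP only"
        if self.one_ip and protocol == "icmp":
            return "SPAT with 1IP is supported on TCP & UDP only"
        if self.one_ip and external_ip == self.device_ip and external_port in MANAGEMENT_PORTS:
            return (f"Can not bind port {external_port}: Port is bound to device "
                    f"{MANAGEMENT_PORTS[external_port]} service (UDP or TCP). "
                    "Change service port first")
        if (external_ip, external_port, protocol) in self.rules:
            return f"{external_ip}:{external_port}/{protocol} already exposes a service"
        return None

    def add(self, external_ip: str, external_port: int, protocol: str,
            internal_ip: str, internal_port: int) -> None:
        """Add an entry, rejecting it for any of the reasons above."""
        err = self.bind_error(external_ip, external_port, protocol)
        if err:
            raise ValueError(err)
        self.rules[(external_ip, external_port, protocol.lower())] = (internal_ip, internal_port)

    def inbound(self, dst_ip: str, dst_port: int, protocol: str) -> Optional[Target]:
        """Client -> server: the internal host/port the destination is rewritten to."""
        return self.rules.get((dst_ip, dst_port, protocol.lower()))

    def outbound(self, src_ip: str, src_port: int, protocol: str) -> Optional[Tuple[str, int]]:
        """Server -> client: the external IP/port the source is rewritten back to."""
        for (ext_ip, ext_port, proto), (int_ip, int_port) in self.rules.items():
            if (int_ip, int_port, proto) == (src_ip, src_port, protocol.lower()):
                return ext_ip, ext_port
        return None


def resolve_nat_method(candidates: List[str]) -> str:
    """Method that wins when one IP address is configured in several SmartNAT
    methods, e.g. a 1IP/SPAT address that also lies inside a SNAT range."""
    return min(candidates, key=NAT_PRIORITY.index)
```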
Proximity
This section explains LinkProof's ability to detect network proximity and includes the
following topics:
• Proximity Introduction, page 116
• Proximity Configuration, page 116
Proximity Introduction
In today's Internet environment, providing quality content is only part of the issue.
Delivering content to clients as quickly as possible is a critical factor for successful
e-commerce initiatives. Delivering content along the path with the least latency can reduce
download times. Even a small increase in performance contributes to user satisfaction, and
can have significant impacts on user loyalty, enjoyment, and commerce.
Radware offers both dynamic and static (administratively configurable) proximity
mechanisms to meet Inter- and Intranet needs. The dynamic proximity detection
mechanism measures the network proximity (both latency and hop count) between the
client's mouse "click" all the way to the content located on the provider's web servers. Only
through such accurate measurement can content providers be sure that their users are
receiving the quality of service necessary to compete in the fast paced Internet arena. In
addition, by minimizing the hops and latency between the end users and the content,
Radware's redirection mechanisms will reduce the traffic on the Internet backbones.
Radware's Internet Traffic Management solutions deliver content to end users from the
closest site or WAN link by utilizing this proximity detection mechanism in either global or
multi-homed Internet environments.
In order to get accurate network proximity results, LinkProof uses several different
proximity check methods capable of passing through any router and firewall.
When an internal client attempts to reach a server on the Internet, it first approaches
LinkProof, and a proximity check is performed through each of the routers. The results
determine which one provides the best path to the server. When another client from the
same network approaches the same server at a later time, the best link is already known,
and the client is immediately forwarded via that router.
Conversely, when an outside client wishes to contact an internal server, LinkProof checks the
proximity through each of the links, and responds to the client with the NAT IP address of
the router best suited to handle the traffic.
The proximity probes are a combination of IP, TCP, and application layer probes (such as TCP
ACKs and ICMP Echo requests) to ensure accurate measurements.
The type of checks used for proximity is configurable to allow users more control of the
device and generate maximum performance from the links.
Notes:
i. LinkProof can perform proximity checks via up to 10 routers.
ii. In the dynamic proximity table only the best 3 routers are recorded for each
checked subnet.
Proximity Configuration
Proximity Mode
You can determine whether to use proximity data and when:
• No Proximity: Proximity data is ignored. The dynamic auto learning mechanism is off.
• Static Proximity: LinkProof forwards traffic using the best router according to a static
proximity table configured by the user. The dynamic auto learning mechanism is off.
• Full Proximity Inbound: LinkProof forwards traffic using the best router according to
the static proximity table, and uses dynamic auto learning to choose the best router
only for inbound traffic, for subnets that are not defined as static entries.
• Full Proximity Outbound: LinkProof forwards traffic using the best router according to
the static proximity table, and uses dynamic auto learning to choose the best router
only for outbound traffic, for subnets that are not defined as static entries.
• Full Proximity Both: LinkProof forwards traffic using the best router according to the
static proximity table, and uses dynamic auto learning to choose the best router for
all traffic, for subnets that are not defined as static entries.
Proximity Checks
LinkProof enables the user to select the checks used for inbound and outbound proximity
calculations. The device uses proprietary proximity check schemes in order to dynamically
find the best router for a destination subnet. In some cases, an IDS (Intrusion Detection
System) might consider the proximity check packets to be attacks on devices located behind
the IDS.
LinkProof enables the user to configure for each proximity test whether it should be used for
Inbound Proximity, Outbound Proximity, Both, or None.
• Basic: This is a basic ping test, typically used to check inbound traffic.
• Advanced: This test simulates standard applications (using UDP traffic) and is useful
for both inbound and outbound proximity checks. However, on occasion IDS devices
may consider such proximity check packets to be an attack.
• Server Side: This test simulates a client of an application (sends TCP SYN packets),
hence it is outbound traffic oriented.
• Client Side: This test simulates the server side of an application (sends TCP ACK
packets), hence it is inbound traffic oriented.
You can also define the following parameters for all proximity checks:
•
•
Check Retries: Defines the number of retries that are performed when the checked
destination doesn't respond to the first attempt.
Check Interval: Defines the time interval between consecutive retries in seconds.
Proximity Aging Period
Proximity Aging Period defines the amount of time in minutes that a dynamic auto-learned
entry will be kept in the database. When this time is about to expire, LinkProof may refresh
the information of that entry by re-executing the proximity checks.
Weights (Hops, Latency, Load)
You can define the emphasis that the device should put on the hops parameter and on the
latency parameter when making a load balancing decision. In addition you can define the
weight the router load should take in the load balancing definition together with the
proximity parameters. The router load is calculated according to the dispatch method used,
for example, the number of clients when using the least amount of users.
Note: The load weight is relevant only when the Farm Dispatch Method is set to Least Amount of Traffic, Least Number of Bytes or Least Number of Users.
Main & Backup DNS Addresses
To prevent the inefficient learning of requests that arrive from the local DNS server,
LinkProof can be configured to ignore requests from specific addresses in the dynamic
proximity mechanism. The addresses of the primary and backup local DNS servers can be
configured.
Note: If the company's DNS servers are placed at the Internet provider, the main and backup DNS servers should belong to different ISPs. Only 2 such DNS servers (main and backup) can be configured.
Proximity Subnet Mask
By default LP performs proximity checks for each class C subnet. This can be changed using
this parameter. When this parameter is changed the dynamic proximity database and
statistics are cleared.
Using Grouping Decisions inside Proximity
When this parameter is set to Disabled (the default is Enabled), the load balancing mechanism also considers routers that were defined as backup when deciding whether proximity data exists for a specific destination via that router.
This functionality is required when some of your WAN links are restricted (for example, domestic access only).
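The proximity lookup described in this section (Proximity Mode, the static proximity table, dynamic auto-learned entries, the Proximity Subnet Mask, the Aging Period and the hops/latency weights), modelled as an added example; this is not Radware code, and the data structures, the routers' measured metrics and the weighted score used to rank learned entries are assumptions.

```python
"""Model of the LinkProof proximity lookup described in the guide (added
example, not Radware code). The weighted hops/latency score is an assumption."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LearnedEntry:
    """Outcome of proximity checks for one destination subnet (constructed)."""
    learned_at: float                              # seconds since epoch
    metrics: dict = field(default_factory=dict)    # router -> (hops, latency_ms)


class ProximityTable:
    MODES = ("no", "static", "full_inbound", "full_outbound", "full_both")

    def __init__(self, mode="no", prefixlen=24, aging_minutes=60,
                 hops_weight=1.0, latency_weight=1.0):
        assert mode in self.MODES
        self.mode = mode
        self.prefixlen = prefixlen          # default: one entry per class C subnet
        self.aging = aging_minutes * 60     # Proximity Aging Period, in seconds
        self.w_hops, self.w_latency = hops_weight, latency_weight
        self.static = {}                    # ip_network -> router (user-configured)
        self.dynamic = {}                   # ip_network -> LearnedEntry (auto-learned)

    def subnet(self, ip):
        """Destination subnet the proximity data is keyed on."""
        return ipaddress.ip_network(f"{ip}/{self.prefixlen}", strict=False)

    def set_prefixlen(self, prefixlen):
        """Changing the Proximity Subnet Mask clears the dynamic database."""
        self.prefixlen = prefixlen
        self.dynamic.clear()

    def add_static(self, network, router):
        self.static[ipaddress.ip_network(network)] = router

    def learn(self, ip, now, metrics):
        """Store the result of proximity checks towards ip's subnet."""
        self.dynamic[self.subnet(ip)] = LearnedEntry(now, dict(metrics))

    def dynamic_allowed(self, direction):
        """Dynamic learning is used only for the direction(s) the mode names."""
        assert direction in ("inbound", "outbound")
        return self.mode == "full_both" or self.mode == f"full_{direction}"

    def score(self, hops, latency_ms):
        # Assumed scoring rule (lower is better): the weights set the emphasis
        # put on hops versus latency, as the Weights parameters describe.
        return self.w_hops * hops + self.w_latency * latency_ms

    def best_router(self, ip, direction, now):
        """Router chosen by proximity, or None when proximity gives no answer
        and the farm dispatch method decides instead."""
        if self.mode == "no":
            return None
        addr = ipaddress.ip_address(ip)
        for network, router in self.static.items():   # static entries win
            if addr in network:
                return router
        if not self.dynamic_allowed(direction):
            return None
        net = self.subnet(ip)
        entry = self.dynamic.get(net)
        if entry is None:
            return None
        if now - entry.learned_at > self.aging:
            del self.dynamic[net]       # aged out: checks must be re-executed
            return None
        return min(entry.metrics, key=lambda r: self.score(*entry.metrics[r]))
```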
To configure Proximity:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic
Redirection window appears.
2. In the Traffic Redirection window, click Proximity. The Proximity pane appears.
3. In the Proximity pane, set the parameters accordingly.
DNS
This section explains the concept of DNS space for URLs in multi-homed networks and how
this is incorporated in your network in conjunction with LinkProof.
This section includes the following topics:
• DNS Introduction, page 118
• Mapping URLs to local IP Addresses, page 119
• DNS Response Parameters, page 120
• DNS for Local Users, page 120
• DNS Redundancy, page 122
• DNS Client, page 122
DNS Introduction
One of the main complications of the multi-homed network is which IP address to use in the
DNS space for a particular URL. To solve this problem and at the same time provide load
balancing for inbound traffic, LinkProof can take control of particular URLs. To achieve this,
LinkProof must become the authoritative name server for a particular URL through proper
configuration in an organization's master DNS servers. This causes all DNS queries from the
Internet for the particular URL to arrive at LinkProof.
At the same time, multiple static NAT addresses are assigned to LinkProof, all mapped to the
IP address of the server hosting the particular URL. Each static NAT address comes from one
of the address ranges associated with each link. When LinkProof receives a DNS query
asking it to resolve a particular URL to an IP address, it resolves the query to the static NAT
address corresponding to the best link available for the user's request. This means different
responses may be provided to different clients requesting the same URL.
Notes:
i. LinkProof operates as authoritative server for A records only. If LinkProof receives queries for other types of records, the device will answer that the record type is not supported. The device answers with Authoritative Answer 0, which specifies that the responding name server is not an authority for the domain name in question. The return code is set to 0 (No error), meaning that the request was completed successfully.
ii. The device will answer a DNS query only if the URL specified in the query is configured on the device. If the URL is not configured, the device will not answer.
iii. When answering a DNS query, the device will select only those links with Static NAT or No NAT defined for the local IP mapped to the requested URL.
Mapping URLs to local IP Addresses
In order to allow LinkProof to provide load balancing of inbound traffic to internal servers,
you must configure the following:
• Host to Local IP Mapping: The URLs supported and the local IP addresses for the servers on which the URLs reside. LinkProof can map explicit host names to a local IP address (Host to Local IP) or dynamic host names - wildcard URLs (Dynamic Host to Local IP). The dynamic host names allow the user to set a single definition for many similar URLs that are hosted on the same server. To help increase performance by employing a more efficient search, you can define whether LinkProof should search for a URL in one of the mapping tables only or in both, using the URL to IP Search Mode parameter.
• Static NAT or No NAT: For the servers' local IP addresses via all available routers.
To configure Host to Local IP Mapping:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, click the DNS Settings tab. The DNS Settings pane appears.
3. In the DNS Settings pane, select Name to Local IP or Both in the URL to IP Search Mode parameter and click Name to Local IP. The Name to Local IP window appears.
4. In the Name to Local IP window, set the required parameters (Host URL and Local IP) and click Add. Repeat for all existing URLs.
5. Click Ok. Your preferences are recorded.
To configure Dynamic Host to Local IP mapping:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, click DNS Settings. The DNS Settings pane appears.
3. In the DNS Settings pane, select Dynamic Host Name to Local IP or Both in the URL to IP Search Mode parameter and click Dynamic Host Name to Local IP. The Dynamic Host Name to Local IP window appears.
4. In the Dynamic Host Name to Local IP window, set the required parameters (Variable Host Name and Local IP) and click Add. Repeat for all existing URLs.
5. Click Ok. Your preferences are recorded.
DNS Response Parameters
DNS Response parameters include the following:
• Response TTL: This parameter defines the “time to live” of the DNS responses that are cached by clients. A high value means less DNS traffic, but the router from whose range the response IP was selected might become unavailable during this period. A low value provides higher availability of the internal server. The default setting is 0, which means the response is not cached.
• Two Records in DNS Reply: This parameter allows LinkProof to answer with two A records (the Static IPs of the internal server via the two best routers) or, when disabled, with one A record.
• DNS Response Mode: This parameter allows customers to choose whether the device will answer DNS queries according to the SmartNAT status or not.
In configurations where NAT is performed by the device positioned in front of LinkProof (access routers or firewall), SmartNAT is disabled, which means the device will answer DNS queries with the internal server's local IP address. However, to be able to perform inbound load balancing, LinkProof must be able to answer DNS queries with public IP addresses (static NAT).
LinkProof can answer DNS queries according to the following criteria:
— According to SmartNAT mode (static NAT address if SmartNAT is enabled, local IP address otherwise) - default
— Always NAT IP address (static NAT address)
— Always Local IP address.
To Configure DNS Response Parameters:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic
Redirection window appears.
2. In the Traffic Redirection window, click DNS Settings. The DNS Settings pane appears.
3. In the DNS Settings pane, set the parameters as desired.
4. Click Apply to save settings.
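The answer selection described in the DNS Introduction notes and the DNS Response Parameters above (A records only, only links with a Static NAT or No NAT entry for the mapped local IP, URL to IP Search Mode, DNS Response Mode, Two Records in DNS Reply, Response TTL), modelled as an added example; this is not Radware code. The Link and Answer classes, the wildcard matching for dynamic host names and the ordering of links by a constructed "best link" score are assumptions; the sample addresses are taken from this guide's Simple Router Load Balancing example.

```python
"""Model of how LinkProof answers DNS queries for configured URLs (added
example, not Radware code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

QTYPE_A = 1


@dataclass
class Link:
    """One router/ISP link. nat maps local IP -> static NAT IP; a value of None
    stands for a No NAT entry (the local IP is reachable as-is via this link)."""
    name: str
    nat: dict
    score: float = 0.0     # assumed: lower is better, as proximity/load data would rank it
    up: bool = True


@dataclass
class Answer:
    rcode: int             # 0 = No error
    aa: int                # Authoritative Answer flag
    ttl: int               # Response TTL
    records: list = field(default_factory=list)   # A record addresses


def lookup_local_ip(qname, host_map, dynamic_map, search_mode="both"):
    """Host to Local IP (exact names) and Dynamic Host to Local IP (wildcard
    URLs), searched according to the URL to IP Search Mode parameter."""
    name = qname.lower().rstrip(".")
    if search_mode in ("name", "both") and name in host_map:
        return host_map[name]
    if search_mode in ("dynamic", "both"):
        for pattern, ip in dynamic_map.items():
            if fnmatchcase(name, pattern.lower()):
                return ip
    return None


def answer_query(qname, qtype, links, host_map, dynamic_map=None, *,
                 search_mode="both", smartnat=True, response_mode="smartnat",
                 two_records=False, ttl=0):
    """Return an Answer, or None when the device does not answer at all."""
    local_ip = lookup_local_ip(qname, host_map, dynamic_map or {}, search_mode)
    if local_ip is None:
        return None                    # URL not configured: no answer (note ii)
    if qtype != QTYPE_A:
        # Record type not supported: AA=0 (not an authority), RCODE 0 (note i)
        return Answer(rcode=0, aa=0, ttl=ttl)
    use_nat = {"smartnat": smartnat, "always_nat": True,
               "always_local": False}[response_mode]
    if not use_nat:
        return Answer(rcode=0, aa=1, ttl=ttl, records=[local_ip])
    # Only links with a Static NAT or No NAT entry for this local IP (note iii)
    candidates = sorted((l for l in links if l.up and local_ip in l.nat),
                        key=lambda l: l.score)
    if not candidates:
        return None
    chosen = candidates[:2] if two_records else candidates[:1]
    return Answer(rcode=0, aa=1, ttl=ttl,
                  records=[l.nat[local_ip] or local_ip for l in chosen])


# Constructed sample matching this guide's router example: 10.1.1.30 is
# published as 100.1.1.21 via Router 1 and 200.1.1.21 via Router 2.
LINKS = [Link("Router 1", {"10.1.1.30": "100.1.1.21"}, score=1.0),
         Link("Router 2", {"10.1.1.30": "200.1.1.21"}, score=2.0)]
HOSTS = {"www.site.com": "10.1.1.30"}
DYNAMIC_HOSTS = {"*.site.com": "10.1.1.30"}
```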
DNS for Local Users
This feature provides a solution that allows you to provide DNS resolution for internal
servers while using the same DNS server for both internal and external users.
The problem with this configuration is that internal users need the host name to be resolved
to the local IP address of the server, while external clients need the external IP for the
server, but the DNS server cannot distinguish between internal and external users.
The solution implemented in LinkProof depends on whether the DNS server is located
internally or externally.
External DNS server configuration
When the DNS server is located outside the company network, the DNS for local user functionality behaves as follows:
• The LinkProof is the authoritative DNS for the internal servers and resolves the host name to the public IP address (static NAT).
• The user, whether external or internal, queries the DNS server for host name resolution.
• The DNS server requests LinkProof for address resolution and receives the public IP address. It sends the response to the users.
• The response to internal users passes via LinkProof. LinkProof will intercept the DNS response with the internal server resolution and replace the public IP with the local IP address. Thus internal users will be able to communicate with internal servers directly, via the local network.
• External clients receive the public IP from the DNS server and will be able to access the servers.
Internal DNS server configuration
When the DNS server is located inside the company network the DNS for local user
functionality behaves as follows:
• The DNS server is the authoritative DNS for the internal servers and resolves host name to local IP address. Alternatively LinkProof can be an authoritative DNS. In this case DNS Response Mode should be set to Always Local IP address.
• User, whether external or internal, queries the DNS server for host name resolution.
• DNS server answers with local IP address.
• Response to external users passes via LinkProof. LinkProof intercepts the DNS response
and replaces the local IP with a public IP address. Thus external users will be able to
communicate with servers.
• Internal users receive the local IP from the DNS server and are able to communicate
with internal servers directly, via the local network.
LinkProof can provide DNS for “Local Users” functionality for the following types of DNS
messages:
• A record reply
• MX record reply
• PTR query and reply
• A record inverse queries and replies
The DNS for “Local Users” functionality is activated via the DNS Server Location parameter.
By default this parameter is set to Not Relevant, meaning that this feature is not enabled. To
activate this feature, set this parameter to either Internal or External, depending on where
your DNS server is located.
For increased performance it is recommended to configure the DNS servers for which this
functionality is provided.
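The interception and rewriting of A record replies described under External DNS server configuration and Internal DNS server configuration, driven by the DNS Server Location parameter and the optional DNS Servers list, modelled as an added example; this is not Radware code. The message layout (a dict with src, dst and a list of (name, type, rdata) answers), the static NAT table and the choice of the first configured public address when several exist are assumptions.

```python
"""Model of the DNS for "Local Users" response rewriting for A record replies
(added example, not Radware code)."""
import ipaddress

# Constructed static NAT table from this guide's router example: local -> public IPs
STATIC_NAT = {"10.1.1.30": ["100.1.1.21", "200.1.1.21"]}
INTERNAL_NET = ipaddress.ip_network("10.1.1.0/24")


def rewrite_dns_response(msg, server_location, nat_table=STATIC_NAT,
                         internal_net=INTERNAL_NET, dns_servers=()):
    """Return msg unchanged, or a copy whose A record rdata is rewritten when
    the DNS Server Location setting and the client's location call for it.

    server_location: "not_relevant" (feature off), "internal" or "external".
    dns_servers: when non-empty, only responses from these servers are scanned
    (the optional DNS Servers list the guide recommends for performance)."""
    if server_location == "not_relevant":
        return msg
    if dns_servers and msg["src"] not in dns_servers:
        return msg
    client_internal = ipaddress.ip_address(msg["dst"]) in internal_net
    if server_location == "external" and client_internal:
        # External DNS answered with the public IP; internal users need the local IP
        mapping = {pub: loc for loc, pubs in nat_table.items() for pub in pubs}
    elif server_location == "internal" and not client_internal:
        # Internal DNS answered with the local IP; external users need a public IP
        # (assumption: the first configured public address is used here)
        mapping = {loc: pubs[0] for loc, pubs in nat_table.items()}
    else:
        return msg   # the reply already carries the right address for this client
    rewritten = dict(msg)
    rewritten["answers"] = [
        (name, rtype, mapping.get(rdata, rdata) if rtype == "A" else rdata)
        for name, rtype, rdata in msg["answers"]]
    return rewritten


# Constructed reply from an external DNS server (203.0.113.53) to an internal user
REPLY_TO_INTERNAL = {"src": "203.0.113.53", "dst": "10.1.1.5",
                     "answers": [("www.site.com", "A", "100.1.1.21"),
                                 ("www.site.com", "MX", "mail.site.com")]}
```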
To Configure DNS for Local Clients:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, click DNS Settings. The DNS Settings pane appears.
3. In the DNS Settings pane, set the DNS Server Location to the desired value.
4. Click Apply to save settings.
5. Configure DNS Servers (optional):
6. Click DNS Server. The DNS Servers window appears.
7. In the DNS Servers window, enter the DNS Server IP address and click Add. Repeat for all your DNS servers.
8. Click Ok. Your preferences are recorded.
Configuration Notes:
The DNS for “Local Users” functionality is resource consuming, since the device has to scan
all DNS responses. It should not be enabled if not required.
DNS for “Local Users” functionality is not required in the following cases:
• Different DNS servers provide host name resolution for internal and external users.
• Communication between internal users and internal servers always passes via LinkProof (both ways).
DNS Redundancy
Virtual DNS IP address must be configured for LinkProof redundant configuration in order to
allow DNS requests to be handled smoothly and transparently by the redundant device
when the main device is down.
A virtual DNS address should be configured for each provider (router). The same address is
configured on both devices.
To configure DNS Redundancy
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic
Redirection window appears.
2. In the Traffic Redirection window, click DNS Settings. The DNS Settings pane appears.
3. In the DNS Settings pane, set the following parameters according to the explanations provided:
   DNS IP Address: Virtual IP address
   DNS Mode: Regular in the main device, Backup in the backup device
4. Click Add.
5. Repeat for each virtual IP.
6. Click Apply to save settings.
DNS Client
In certain cases the LinkProof must resolve external host names. For this purpose DNS
servers (main and backup) need to be configured.
In addition static DNS can be configured.
To configure the DNS Client:
1. In the main window, click Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, click the DNS Settings tab. The DNS Settings pane
appears.
3. In the DNS Settings pane, select Clients DNS.
4. Configure main and backup DNS servers.
5. Click Ok. Your preferences are recorded.
Basic Load Balancing
This section provides some Basic Load Balancing configuration examples, which can be
implemented without using Flow definitions.
This section includes the following configurations:
• Simple Router Load Balancing Configuration, page 123
• Simple Router Load Balancing Configuration with VLAN, page 127
• One-leg (lollipop) Configuration, page 131
• Sandwich Configuration, page 136
• Single Device Installation, page 143
Simple Router Load Balancing Configuration
The example in Simple Router Load Balancing Configuration, page 123 illustrates the
configuration of simple router load balancing.
[Figure 8 - Simple Router Load Balancing Configuration: Router 1 and Router 2; NAT 100.1.1.2 for 10.1.1.30 via Router 1 and NAT 200.1.1.2 for 10.1.1.30 via Router 2; interfaces 100.1.1.1 and 200.1.1.1; LinkProof interface 10.1.1.10; internal local network 10.1.1.x with server 10.1.1.30]
To configure simple Router Load Balancing:
1. During initial installation, configure the IP address for the device, for this example 10.1.1.10 for interface 1.
2. Define additional interfaces:
   a. From the main window, double-click the LinkProof device icon. The Connect LP to Device window appears.
   b. In the Connect LP to Device window, type the device's IP address: 10.1.1.10 and click Ok.
   c. Double-click the LinkProof icon again. The Setup window appears.
   d. In the LinkProof Setup window, click Add. The Edit Interface window appears.
   e. In the Edit Interface window, set the following parameters according to the explanations provided:
      IF Num: F-2, IP Address: 100.1.1.10, Network Mask: 255.255.255.0
      IF Num: F-2, IP Address: 200.1.1.10, Network Mask: 255.255.255.0
   f. Click Ok. The LinkProof Setup window remains open.
3. Define at least one of the routers as a default gateway to the Internet (it is recommended to define all the routers in the Routing Table):
   a. In the Setup window select Networking > Routing Table. The Routing Table window appears.
   b. In the Routing Table window, click Add. The Edit Route window appears.
   c. In the Edit Route window, set the following parameters according to the explanations provided:
      First route: Destination IP Address: 0.0.0.0, Network Mask: 0.0.0.0, Next Hop: 100.1.1.20, IF Number: F-2
      Second route: Destination IP Address: 0.0.0.0, Network Mask: 0.0.0.0, Next Hop: 200.1.1.20, IF Number: F-2
   d. Click Ok. Your preferences are recorded.
4. Add two Routers:
   a. From the main toolbar, click Add then from the drop-down menu select a Router.
   b. Double-click the Router icon that appears on the map. The Router window appears.
   c. In the Router window, set the following parameters according to the explanations provided:
      Router Name: Router 1
      IP Address: 100.1.1.20
   d. Add another router. Set the following parameters according to the explanations provided:
      Router Name: Router 2
      IP Address: 200.1.1.20
   e. Click Ok. Your preferences are recorded.
5. Add a farm to the LinkProof:
   a. From the main window, click Traffic Redirection. The Traffic Redirection window appears.
   b. In the Traffic Redirection window, click the Farms tab. The Farms pane appears.
   c. In the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. In the Edit LinkProof Farms window, select Farm Type Router and define the farm name, for example: Routers_Farm.
   e. In the Edit LinkProof Farms window, click Traffic Settings and set the following parameters according to the explanations provided:
      Dispatch Method: As required
      Persistency Mode: As required
      Packet Translation: NAT
6. Add two farm servers:
   a. In the Farm Servers pane, click Add. The LinkProof Farm Router Server window appears.
   b. In the LinkProof Farm Router Server window, click Traffic Settings and set the following parameters according to the explanations provided:
      Server Name: Router 1
      Server Address: 100.1.1.20
   c. Repeat this procedure for the second farm server. Set the following parameters according to the explanations provided:
      Server Name: Router 2
      Server Address: 200.1.1.20
   d. Click Ok. Your preferences are recorded.
7. Set Connectivity Checks:
   a. In the Setup window, click Global > Connectivity Settings > Edit Settings. The Connectivity Settings window appears.
   b. In the Connectivity Settings window, enable the Connectivity Check status. It is recommended to use the Health Monitoring option. If Health Monitoring Connectivity Checks was selected for the farms, then configure health checks for the farm servers, see Health Monitoring, page 353.
8. It is recommended to ensure that the remote side of the router is operational. If Ping Connectivity Check was selected, use Full Path Health Monitoring to configure checks for the other side of the routers. This is done by implementing the following steps:
   a. From the main window, double-click the Firewall 1 icon. The Router window appears.
   b. In the Router window, click Advanced Settings. The Advanced Settings pane appears.
   c. In the Advanced Settings pane, set the following parameters according to the explanations provided:
      Device Name: Select LinkProof 1
      IP Address: Select the internal interface of router 100.1.1.20
   d. Click Full Path Health Monitor. The Full Path Health Monitor window appears.
   e. From the Full Path Health Monitor window, set the following parameter according to the explanation provided:
      Check Address: Add the Router IP (100.1.1.20)
   f. Repeat the above procedure for Router 2.
9. Configure NAT (Dynamic & Static) for the two routers:
   a. From the LinkProof Traffic Redirection window, click the NAT tab. The NAT pane appears.
   b. In the NAT field select Dynamic NAT to add NAT addresses for outbound traffic by adding the following NAT entries:
      From Local Address: 10.1.1.0, To Local Address: 10.1.1.255, Router IP: 100.1.1.20, Dynamic NAT IP: 100.1.1.22
      From Local Address: 10.1.1.0, To Local Address: 10.1.1.255, Router IP: 200.1.1.20, Dynamic NAT IP: 200.1.1.22
   c. After each entry, click Add to save your settings.
   d. From the NAT field, select Static NAT to add NAT addresses for inbound traffic by adding the following NAT entries:
      From Local Address: 10.1.1.30, To Local Address: 10.1.1.30, Router IP: 100.1.1.20, From Static NAT: 100.1.1.21, To Static NAT: 100.1.1.21
      From Local Address: 10.1.1.30, To Local Address: 10.1.1.30, Router IP: 200.1.1.20, From Static NAT: 200.1.1.21, To Static NAT: 200.1.1.21
   e. After each entry, click Add to save your settings.
10. Map the URL of the internal server to the server's local IP:
   a. In the Traffic Redirection window, click the DNS tab. The DNS pane appears.
   b. In the DNS pane, click Name to Local IP. The Name to Local IP window appears.
   c. From the Name to Local IP window, enter www.site.com as the Host URL parameter and 10.1.1.30 for the local IP parameter.
   d. Click Add to save the entry. Click Ok. Your preferences are recorded.
Simple Router Load Balancing Configuration with VLAN
The example shown in Simple Router Configuration with VLAN, page 127, illustrates a
configuration similar to the previous one, but in a VLAN environment.
[Figure 9 - Simple Router Configuration with VLAN: Router 1 and Router 2; NAT 100.1.1.2 for 10.1.1.30 via Router 1 and NAT 200.1.1.2 for 10.1.1.30 via Router 2; LinkProof interfaces including Interface 3, 200.1.1.1 and 100.1.1.1; internal local network 10.1.1.x with server 10.1.1.30]
To configure Router Load Balancing with VLAN:
1. During initial installation, configure the IP address for the device, for this example 10.1.1.10 for interface 1.
2. Define VLAN:
   To operate the load balancing in a VLAN network topology you must use a “Regular” VLAN type. A regular IP VLAN is automatically defined on the LinkProof (100001). You need only to assign the relevant ports to it.
   a. From the main window, double-click the LinkProof device icon. The Connect LP to Device window appears.
   b. In the Connect LP to Device window, type the device's IP address: 10.1.1.10 and click Ok.
   c. Double-click the LinkProof device icon again. The Setup window appears.
   d. In the LinkProof Setup window, select Networking > VLAN. The Virtual LAN window appears.
   e. From the Virtual LAN window, select VLAN number 100001 (Regular IP) and in the Assign port to VLAN area, select F-1.
   f. Click Update to apply the changes and then click Ok to return to the LinkProof Setup window.
3. Assign an IP Interface to VLAN:
   a. From the Setup window, select IP address 10.1.1.10 for F-1 and click Edit. The Edit Interface window appears.
   b. In the Edit Interface window, set the following parameter according to the explanation provided:
      IF Number: select 100001 value
   c. Click Ok to return to the LinkProof Setup window.
4. Define an additional interface:
   a. In the Setup window, click Add. The Edit Interface window appears.
   b. In the Edit Interface window, set the following parameters according to the explanations provided:
      IF Number: F-3
      IP Address: 200.1.1.10
      Network Mask: 255.255.255.0
   c. Click Ok. The Setup window remains open.
5. Define at least one of the Routers as the default gateway to the Internet. It is recommended to define all the routers in the Routing Table:
   a. In the Setup window, select Networking > Routing Table. The Routing Table window appears.
   b. In the Routing Table window, click Add. The Edit Route window appears.
   c. In the Edit Route window, set the following parameters according to the explanations provided:
      First route: Destination IP Address: 0.0.0.0, Network Mask: 0.0.0.0, Next Hop: 100.1.1.20, IF Number: 100001
      Second route: Destination IP Address: 0.0.0.0, Network Mask: 0.0.0.0, Next Hop: 20.1.1.20, IF Number: F-3
   d. Click Ok. Your preferences are recorded.
6. Add two Routers:
   a. From the main toolbar, click Add and from the drop-down menu, select Router.
   b. Double-click the Router icon that appears on the map. The Router window appears. In the Router window, set the following parameters according to the explanations provided:
      FW Name: Router 1
      IP Address: 100.1.1.20
   c. For the second Router, set the following parameters according to the explanations provided:
      FW Name: Router 2 (for example)
      IP Address: 200.1.1.20
   d. Click Ok. Your preferences are recorded.
7. Add a farm to LinkProof:
   a. From the main window, click Traffic Redirection. The Traffic Redirection window appears.
   b. In the Traffic Redirection window, click Farms. The Farms pane appears.
   c. In the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. In the Edit LinkProof Farms window, for Farm Type select Firewall and define the farm name, for example: Router Farm.
   e. In the Edit LinkProof Farms window, click Traffic Settings and set the following parameters according to the explanations provided:
      Dispatch Method: As required
      Persistency Mode: As required
      Packet Translation: NAT
8. Add two Farm Servers:
   a. From the Farm Servers pane, click Add. The LinkProof Farm Router Server window appears.
   b. In the LinkProof Farm Router Server window, set the following parameters according to the explanations provided:
      Server Name: Router 1
      Server Address: 100.1.1.20
   c. Repeat the procedure for the second farm server by setting the following parameters according to the explanations provided:
      Server Name: Router 2
      Server Address: 200.1.1.20
   d. Click Ok. Your preferences are recorded.
9. Configure Connectivity Checks:
   a. From the Setup window, select Global > Connectivity Settings > Edit Settings. The Connectivity Settings window appears.
   b. In the Connectivity Settings window, enable the Connectivity Check status. It is recommended to use the Health Monitoring option. If Health Monitoring Connectivity Checks was selected for the farms, then configure health checks for the farm servers, see Health Monitoring, page 353.
10. It is recommended to ensure that the remote side of the router is operational. If Ping Only Connectivity Check was selected, use Full Path Health Monitoring to configure checks for the other side of the routers. This is done by implementing the following steps:
   a. From the main window, double-click the Firewall 1 icon. The Router window appears.
   b. In the Router window, click Advanced Settings. The Advanced Settings pane appears.
   c. In the Advanced Settings pane, set the following parameters according to the explanations provided:
      Device Name: Select LinkProof 1
      IP Address: Select the internal interface of router 100.1.1.20
   d. Click Full Path Health Monitor. The Full Path Health Monitor window appears.
   e. In the Full Path Health Monitor window, set the following parameter according to the explanation provided:
      Check Address: Add the Router IP (100.1.1.20)
   f. Repeat the above procedure for Router 2.
11. Configure NAT:
   a. From the Traffic Redirection window, click NAT. The NAT pane appears.
   b. In the NAT pane, check the SmartNAT checkbox to enable NAT functionality.
   c. In the NAT field, select Dynamic NAT to add NAT addresses for outbound traffic by adding the following NAT entries for Router 2 (traffic sent via Router 1 does not require NAT):
      From Local Address: 10.1.1.0
      To Local Address: 10.1.1.255
      Router IP: 100.1.1.20
      Dynamic NAT IP: 100.1.1.22
   d. After each entry, click Add to save your settings.
   e. From the NAT field, select Static NAT to add NAT addresses for inbound traffic by adding the following NAT entry for Router 2:
      From Local Address: 100.1.1.30
      To Local Address: 100.1.1.30
      Router IP: 200.1.1.20
      From Static NAT: 200.1.1.21
      To Static NAT: 200.1.1.21
   f. After each entry, click Add to save your settings.
   g. From the NAT field, select No NAT to define a No NAT entry for inbound traffic via Router 1 by adding the following entry:
      From Local Address: 100.1.1.30
      To Local Address: 100.1.1.30
      Router IP: 200.1.1.20
12. Map the URL of the internal server to the server's local IP:
   a. In the Traffic Redirection window, click DNS. The DNS pane appears.
   b. In the DNS pane, click Name to Local IP. The Name to Local IP window appears.
   c. In the Name to Local IP window, enter www.site.com as the Host URL parameter and 10.1.1.30 for the local IP parameter.
13. Click Add to save the entry. Click Ok. Your preferences are recorded.
One-leg (lollipop) Configuration
The example shown in Simple One-leg (lollipop) Firewall Configuration, page 132, illustrates a simple configuration that does not require changing the network configuration.
[Figure 10 - Simple One-leg (lollipop) Firewall Configuration: Router 1 (100.1.1.20) and Router 2 (200.1.1.2); NAT 200.1.1.21 for 100.1.1.30 via Router 2; LinkProof Interface 1 100.1.1.10 and Interface 2 200.1.1.10; internal local network 100.1.1.x with server 100.1.1.3]
To configure a One-leg Configuration:
1. During initial installation, configure the IP address for the device, for this example 100.1.1.10 for interface 1 via Command Line Interface.
2. Define additional interfaces:
   a. From the main window, double-click the LinkProof icon. The Connect LP to Device window appears.
   b. In the Connect LP to Device window, type the device's IP address: 100.1.1.10 and click Ok.
   c. Double-click the LinkProof device icon again. The Setup window appears.
   d. In the Setup window, click Add. The Edit Interface window appears.
   e. In the Edit Interface window, set the following parameters according to the explanations provided:
      IF Num: F-2
      IP Address: 200.1.1.10
      Network Mask: 255.255.255.0
   f. Click Ok. The LinkProof Setup window remains open.
3. Define at least one of the routers as a default gateway to the Internet (it is recommended to define all the routers in the Routing Table):
   a. From the Setup window, select Networking > Routing Table. The Routing Table window appears.
   b. In the Routing Table window, click Add. The Edit Route window appears.
   c. In the Edit Route window, set the following parameters according to the explanations provided:
      First route: Destination IP Address: 0.0.0.0, Network Mask: 0.0.0.0, Next Hop: 100.1.1.20, IF Number: F-2
      Second route: Destination IP Address: 0.0.0.0, Network Mask: 0.0.0.0, Next Hop: 200.1.1.20, IF Number: F-2
   d. Click Ok. Your preferences are recorded.
4. Add two Routers:
   a. From the LinkProof toolbar, click Add and from the drop-down menu, select a Router.
   b. Double-click the Router icon that appears on the map. The Router window appears.
   c. In the Router window, set the following parameters according to the explanations provided:
      Router Name: Router 1
      IP Address: 100.1.1.20
   d. Add another router. Set the following parameters according to the explanations provided:
      Router Name: Router 2
      IP Address: 200.1.1.20
   e. Click Ok. Your preferences are recorded.
5. Add a farm to the LinkProof:
   a. From the main window, select APSolute OS > Traffic Redirection. The LinkProof Traffic Redirection window appears.
   b. From the LinkProof Traffic Redirection window, click Farms. The Farms pane appears.
   c. In the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. In the Edit LinkProof Farms window, select Farm Type Router and define the farm name, for example: Routers_Farm.
   e. In the Edit LinkProof Farms window, click Traffic Settings and set the following parameters according to the explanations provided:
      Dispatch Method: As required
      Persistency Mode: As required
      Packet Translation: NAT
6. Add two farm servers.
a.
b.
From the Farm Servers pane, click Add. The LinkProof Farm Router Server window
appears.
In the LinkProof Farm Router Server window, click Traffic Settings and set the
following parameters according to the explanations provided:
Parameter
Description
Server Name:
Router 1
Server Address:
100.1.1.20
c.
Repeat this procedure for the second farms server. Set the following parameters
according to the explanations provided:
Parameter
Description
Server Name:
Router 2
Server Address:
200.1.1.20
d.
Click Ok. Your preferences are recorded.
7. Set Connectivity Checks:
a.
b.
From the LinkProof Traffic Redirection window, click Connectivity Checks. The
Connectivity Checks pane appears.
In the Connectivity Checks pane, enable the Connectivity Check status. It is
recommended to use the Health Monitoring option. If Health Monitoring Connectivity
Checks was selected for the farms then configure health checks for the farm
servers, see Health Monitoring, page 353.
8. It is recommended to ensure that remote side of the router is operational. If Ping Only
Connectivity Check was selected, use Full Path Health Monitoring to configure checks for
the other side of the routers. This is done by implementing the following steps:
a.
b.
c.
134
From the main window, double-click the Firewal 1 icon. The Router window
appears.
In the Router window, click Advanced Settings. The Advanced Settings pane
appears.
In the Advanced Settings pane, set the following parameters according to the
explanations provided:
Parameter
Description
Device Name:
Select LinkProof 1
IP Address:
Select the internal interface of router
100.1.1.20
Doc. No.: 8261
LinkProof User Guide
d.
Click Full Path Health Monitor. The Full Path Health Monitor window appears.
e.
In the Full Path Health Monitor window, set the following parameter according to the
explanation provided:
Parameter
Description
Check Address:
Add the Router ip (100.1.1.20)
f.
9.
Repeat the above procedure for Router 2.
Configure NAT:
a.
b.
From the LinkProof Traffic Redirection window, click NAT. The NAT pane appears.
In the NAT pane, check the SmartNAT checkbox to enable NAT functionality.
c.
In the NAT field, select Dynamic NAT to add NAT addresses for outbound traffic by
adding the following NAT entries for Router 2 (traffic sent via Router 1 does not
require NAT):
Parameter
Description
From Local Address:
10.1.1.0
To Local Address:
10.1.1.255
Router IP:
100.1.1.20
Dynamic NAT IP:
100.1.1.22
d.
After each entry, click Add to save your settings.
e.
From the NAT field, select Static NAT to add NAT addresses for inbound traffic by
adding the following NAT entry for Router 2:
Parameter
Description
From Local Address:
100.1.1.30
To Local Address:
100.1.1.30
Router IP:
200.1.1.20
From Static NAT:
200.1.1.21
To Static NAT:
200.1.1.21
f.
After each entry, click Add to save your settings.
g.
From the NAT field, select No NAT to define a No NAT entry for inbound traffic via
Router 1 by adding the following entry:
Parameter
Description
From Local Address:
100.1.1.30
To Local Address:
100.1.1.30
Router IP:
200.1.1.20
10. Map the URL of the Internal server to the servers local IP:
a.
b.
Doc. No.: 8261
From the LinkProof Traffic Redirection window, click DNS. The DNS pane appears.
In the DNS pane, click Name to Local IP. The Name to Local IP window appears.
135
LinkProof User Guide
c.
In the Name to Local IP window, enter www.site.com as the Host URL parameter
and 10.1.1.30 for the local IP parameter.
11. Click Add to save the entry. Click Ok. Your preferences are recorded.
Sandwich Configuration
This configuration is typical when router load balancing as well as firewall load balancing (for
both inbound and outbound traffic) is required. This configuration uses one LinkProof and
one FireProof device to load balance inbound and outbound traffic.
When static NAT is used on the firewalls, a virtual IP address is created on the external
LinkProof to ensure that different NAT addresses, on different firewalls, for a single internal
host, are seen as a single public address. This provides load balancing and high availability
between the NAT addresses.
[Figure 11 - LinkProof Sandwich Configuration: diagram of Router 1, Router 2, the LinkProof, Firewall 1, Firewall 2, the FireProof and the Local Network 10.1.1.x, with the VIP and NAT addresses used in the procedures below]
To configure FireProof:
1. During initial installation, configure the IP address for the device, for this example 10.1.1.10 for interface 1.
2. Define additional interfaces:
   a. From the main window, double-click the FireProof icon. The Connect FP to Device window appears.
   b. From the FireProof Connect to Device window, type the device's IP address: 10.1.1.10 and click Ok.
   c. Double-click the FireProof icon again. The FireProof Setup window appears.
   d. In the FireProof Setup window, click Add. The Edit Interface window appears.
   e. In the Edit Interface window, set the following parameters according to the explanations provided:
      Parameter      Description
      IF Number:     F-2
      IP Address:    20.1.1.10
      Network Mask:  255.255.255.0
   f. Click Ok. The FireProof Setup window remains open.
3. Define at least one of the Firewalls as the default gateway to the Internet (it is recommended to define all firewalls in the routing table):
   a. From the FireProof Setup window, select Networking > Routing Table. The Routing Table window appears.
   b. In the Routing Table window, click Add. The Edit Route window appears.
   c. In the Edit Route window, set the following parameters according to the explanations provided:
      Parameter                Description
      Destination IP Address:  0.0.0.0
      Network Mask:            0.0.0.0
      Next Hop:                20.1.1.1
      IF Number:               F-2

      Destination IP Address:  0.0.0.0
      Network Mask:            0.0.0.0
      Next Hop:                20.1.1.2
      IF Number:               F-2
   d. Click Ok. Your preferences are recorded.
4. Add two Firewalls:
   a. From the main toolbar, click Add and from the drop-down menu, select a Firewall.
   b. Double-click the Firewall icon that appears on the map. The Firewall window appears.
   c. In the Firewall window, set the following parameters according to the explanations provided:
      Parameter    Description
      FW Name:     Firewall 1
      IP Address:  20.1.1.1
   d. Add another firewall. Set the following parameters according to the explanations provided:
      Parameter    Description
      FW Name:     Firewall 2
      IP Address:  20.1.1.2
   e. Click Ok. Your preferences are recorded.
5. Add a Farm to FireProof:
   a. From the main window, select APSolute OS > Traffic Redirection. The FireProof Traffic Redirection window appears.
   b. In the FireProof Traffic Redirection window, click Farms. The Farms pane appears.
   c. In the Farms pane, click Add. The Edit FireProof Farms window appears.
   d. In the Edit FireProof Farms window, for Farm Type select Firewall and define the farm name, for example: Internal Firewall.
   e. In the Edit FireProof Farms window, click Traffic Settings and set the following parameters according to the explanations provided:
      Parameter            Description
      Dispatch Method:     as required
      Persistency Mode:    as required
      Packet Translation:  Disable
6. Add two farm servers:
   a. From the Farm Servers tab, click Add. The Farm Firewall Server window appears.
   b. In the Farm Firewall Server window, set the following parameters according to the explanations provided:
      Parameter        Description
      Server Name:     Firewall 1
      Server Address:  20.1.1.1
   c. Repeat the procedure for the second farm server by setting the following parameters according to the explanations provided:
      Parameter        Description
      Server Name:     Firewall 2
      Server Address:  20.1.1.2
   d. Click Ok. Your preferences are recorded.
7. Configure connectivity checks for the load balanced firewall servers as well as the remote side of the firewalls.
To configure LinkProof:
1. During initial installation, configure the IP address for the device, for this example 10.1.1.10 for interface 1.
2. Define additional interfaces:
   a. From the main window, double-click the LinkProof device icon. The Connect LP to Device window appears.
   b. In the Connect LP to Device window, type the device's IP address: 100.1.1.10 and click Ok.
   c. Double-click the LinkProof device icon again. The Setup window appears.
   d. In the Setup window, click Add. The Edit Interface window appears.
   e. In the Edit Interface window, set the following parameters according to the explanations provided:
      Parameter      Description
      IF Number:     F-2
      IP Address:    100.1.1.10
      Network Mask:  255.255.255.0

      IF Number:     F-2
      IP Address:    200.1.1.10
      Network Mask:  255.255.255.0
   f. Click Ok. The LinkProof Setup window remains open.
3. Define the Router as the default gateway to the Internet. It is recommended to define all the routers in the Routing Table:
   a. From the LinkProof Setup window, select Networking > Routing Table. The Routing Table window appears.
   b. In the Routing Table window, click Add. The Edit Route window appears.
   c. In the Edit Route window, set the following parameters according to the explanations provided:
      Parameter                Description
      Destination IP Address:  0.0.0.0
      Network Mask:            0.0.0.0
      Next Hop:                100.1.1.20
      IF Number:               F-2

      Destination IP Address:  0.0.0.0
      Network Mask:            0.0.0.0
      Next Hop:                200.1.1.20
      IF Number:               F-2
   d. Click Ok. Your preferences are recorded.
4. Add two Routers:
   a. From the main toolbar, click Add and from the drop-down menu, select a router.
   b. Double-click the Router icon that appears on the map. The Router window appears.
   c. From the Router window, set the following parameters according to the explanations provided:
      Parameter    Description
      FW Name:     Router 1
      IP Address:  100.1.1.20
   d. Add another router. Set the following parameters according to the explanations provided:
      Parameter    Description
      FW Name:     Router 2
      IP Address:  200.1.1.20
   e. Click Ok. Your preferences are recorded.
5. Add 2 farms to LinkProof:
   FM1: External Firewall to load balance inbound traffic via the firewalls.
   FM2: Router Farm to load balance outbound and inbound traffic via the routers.
   a. From the main window, select APSolute OS > Traffic Redirection. The LinkProof Traffic Redirection window appears.
   b. In the LinkProof Traffic Redirection window, click Farms. The Farms pane appears.
   c. From the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. From the Edit LinkProof Farms window, for Farm Type select Firewall and define the farm name, for example: Internal Firewall.
   e. In the Edit LinkProof Farms window, click Traffic Settings and set the parameters as required.
   f. Add the farm servers. From the Farm Servers pane, click Add. The LinkProof Farm Firewall Server window appears.
   g. In the LinkProof Farm Firewall Server window, select servers as specified in step i below.
   h. In the LinkProof Farm Firewall Server window, click Traffic Settings and set the parameters as required.
   i. Repeat this procedure for all farms. For each farm define servers and load balancing parameters according to the explanations provided:
      Farm Name:           External Firewall   Router Farm
      Server Name:         Firewall 1          Router 1
      Server Address:      30.1.1.1            100.1.1.20
      Server Name:         Firewall 2          Router 2
      Server Address:      30.1.1.2            200.1.1.20
      Dispatch Method:     Any                 Any
      Persistency:         Any                 Any
      Packet Translation:  VIP                 NAT
   j. Click Ok. Your preferences are recorded.
6. Configure connectivity checks for the load balanced firewall servers as well as the remote side of the firewalls, see Simple Router Load Balancing Configuration with VLAN, page 127.
7. Define a Virtual IP Address to load balance inbound traffic to the internal server 10.1.1.30:
   a. From the LinkProof Traffic Redirection window, click the VIP tab. The VIP pane appears.
   b. For the VIP Address parameter, set a virtual IP address that will be the public address representing the internal server (10.1.1.30), for example 30.1.1.11.
   c. Click Add. The Edit Mapped IP window appears.
   d. From the Edit Mapped IP window, set the following parameters according to the explanations provided:
      Parameter     Description
      Firewall:     30.1.1.1
      NAT Address:  30.1.1.30
   e. Click Ok to return to the Edit Virtual IP Addresses window.
   f. Click Add again to define a Mapped IP for Firewall 2. Set the following parameters according to the explanations provided:
      Parameter     Description
      Firewall:     30.1.1.2
      NAT Address:  30.1.1.31
   g. Click Ok to return to the Edit Virtual IP Addresses window.
   h. Click OK. Your preferences are recorded.
8. Configure NAT:
   a. From the LinkProof Traffic Redirection window, click NAT. The NAT pane appears.
   b. In the NAT pane, check the SmartNAT checkbox to enable NAT functionality.
   c. In the NAT field, select Dynamic NAT to add NAT addresses for outbound traffic by adding the following NAT entries:
      Parameter            Entry 1      Entry 2
      From Local Address:  10.1.1.0     10.1.1.0
      To Local Address:    10.1.1.255   10.1.1.255
      Router IP:           100.1.1.20   200.1.1.22
      Dynamic NAT IP:      100.1.1.22   200.1.1.22
   d. After each entry, click Add to save your settings.
   e. From the NAT field, select Static NAT to add NAT addresses for inbound traffic by adding the following NAT entries:
      Parameter            Entry 1      Entry 2
      From Local Address:  30.1.1.11
      To Local Address:    30.1.1.11
      Router IP:           100.1.1.20
      From Static NAT:     100.1.1.21   200.1.1.21
      To Static NAT:       100.1.1.21   200.1.1.21
   f. After each entry, click Add to save your settings.
   g. From the NAT field, select No NAT to define a No NAT entry for inbound traffic via Router 1 by adding the following entry:
      Parameter            Description
      From Local Address:  100.1.1.30
      To Local Address:    100.1.1.30
      Router IP:           200.1.1.20
   h. After each entry, click Add to save your settings.
9. Map the URL of the internal server to the server's local IP:
   a. From the LinkProof Traffic Redirection window, click DNS. The DNS pane appears.
   b. In the DNS pane, click Name to Local IP. The Name to Local IP window appears.
   c. From the Name to Local IP window, enter www.site.com as the Host URL parameter and 10.1.1.30 for the local IP parameter.
10. Click Add to save the entry. Click Ok. Your preferences are recorded.
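The NAT steps of the router load balancing procedure and of the sandwich procedure above use three SmartNAT entry types. The following added example (not Radware code) models them: Dynamic NAT rewrites the source of outbound sessions per router, Static NAT maps a public address range back onto a local range for inbound traffic, and No NAT leaves a local range untouched. Precedence between entry types and one-to-one mapping inside a static range are assumptions of this model; the routers and entries are constructed, modelled on the page's tables, and the validation function is this example's own aid, not a LinkProof feature.

```python
# Added example, not Radware code: a simplified model of the three SmartNAT entry
# types (Dynamic NAT for outbound traffic, Static NAT for inbound traffic, No NAT).
# Precedence between entry types and one-to-one mapping inside a static range are
# assumptions of this model; all routers and entries below are constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def _in_range(addr: str, lo: str, hi: str) -> bool:
    return IPv4Address(lo) <= IPv4Address(addr) <= IPv4Address(hi)


@dataclass(frozen=True)
class DynamicNat:
    """Outbound: sessions from the local range leaving via router get nat_ip as source."""
    local_from: str
    local_to: str
    router: str
    nat_ip: str


@dataclass(frozen=True)
class StaticNat:
    """Inbound: static_from..static_to via router maps one-to-one onto local_from..local_to."""
    local_from: str
    local_to: str
    router: str
    static_from: str
    static_to: str


@dataclass(frozen=True)
class NoNat:
    """Traffic for the local range via router is forwarded untranslated."""
    local_from: str
    local_to: str
    router: str


@dataclass
class NatTable:
    routers: frozenset[str]  # Router IPs defined in the "Add two Routers" step
    dynamic: list[DynamicNat] = field(default_factory=list)
    static: list[StaticNat] = field(default_factory=list)
    no_nat: list[NoNat] = field(default_factory=list)


def outbound_source(t: NatTable, src: str, router: str) -> str:
    """Source address seen on the WAN side for a session from src sent via router."""
    for e in t.no_nat:
        if e.router == router and _in_range(src, e.local_from, e.local_to):
            return src
    for e in t.dynamic:
        if e.router == router and _in_range(src, e.local_from, e.local_to):
            return e.nat_ip
    return src  # no entry: the page's "does not require NAT" case


def inbound_destination(t: NatTable, dst: str, router: str):
    """Local address for an inbound packet to dst arriving via router, or None."""
    for e in t.no_nat:
        if e.router == router and _in_range(dst, e.local_from, e.local_to):
            return dst
    for e in t.static:
        if e.router == router and _in_range(dst, e.static_from, e.static_to):
            offset = int(IPv4Address(dst)) - int(IPv4Address(e.static_from))
            return str(IPv4Address(e.local_from) + offset)
    return None


def validate(t: NatTable) -> list[str]:
    """Consistency checks worth running before clicking Add on each entry."""
    problems = []
    for e in t.dynamic + t.static + t.no_nat:
        if e.router not in t.routers:
            problems.append(f"{type(e).__name__} for {e.local_from}: Router IP {e.router} is not a defined router")
        if IPv4Address(e.local_from) > IPv4Address(e.local_to):
            problems.append(f"{type(e).__name__} for {e.local_from}: local range is reversed")
    for e in t.static:
        local = int(IPv4Address(e.local_to)) - int(IPv4Address(e.local_from))
        public = int(IPv4Address(e.static_to)) - int(IPv4Address(e.static_from))
        if local != public:
            problems.append(f"StaticNat for {e.local_from}: local and static ranges differ in size")
    return problems


# Constructed table modelled on the sandwich example: Dynamic NAT for 10.1.1.x via
# each router, Static NAT for the VIP 30.1.1.11 via each router, No NAT for 100.1.1.30.
SANDWICH = NatTable(
    routers=frozenset({"100.1.1.20", "200.1.1.20"}),
    dynamic=[DynamicNat("10.1.1.0", "10.1.1.255", "100.1.1.20", "100.1.1.22"),
             DynamicNat("10.1.1.0", "10.1.1.255", "200.1.1.20", "200.1.1.22")],
    static=[StaticNat("30.1.1.11", "30.1.1.11", "100.1.1.20", "100.1.1.21", "100.1.1.21"),
            StaticNat("30.1.1.11", "30.1.1.11", "200.1.1.20", "200.1.1.21", "200.1.1.21")],
    no_nat=[NoNat("100.1.1.30", "100.1.1.30", "100.1.1.20")],
)

if __name__ == "__main__":
    print(validate(SANDWICH))                                         # []
    print(outbound_source(SANDWICH, "10.1.1.5", "200.1.1.20"))        # 200.1.1.22
    print(inbound_destination(SANDWICH, "200.1.1.21", "200.1.1.20"))  # 30.1.1.11
```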
Single Device Installation
The same functionality as in the previous example can be achieved with a single LinkProof
device using the Port Rules functionality.
[Figure 12 - Single Device Installation: diagram of one LinkProof with interfaces toward the Local Network 10.1.1.x, the internal (20.1.1.x) and external (30.1.1.x) sides of Firewall 1 and Firewall 2, and Router 1 and Router 2]
In this configuration two separate farms must be configured, one on the internal interfaces
of the firewalls for outbound load balancing and one on the external interfaces of the
firewalls for inbound load balancing.
To configure LinkProof in a single device installation:
1. During initial installation, configure an IP for the device, for this example: 10.1.1.10 on interface 1.
2. Define the interfaces for ports 2, 3 and 4:
   a. From the main window, double-click the LinkProof icon. The LinkProof Connect to Device window appears.
   b. From the LinkProof Connect to Device window, type the device's IP address: 10.1.1.10 and click Ok.
   c. Double-click the LinkProof icon again. The LinkProof Setup window appears.
   d. From the LinkProof Setup window, click Add. The Edit Interface window appears.
   e. From the Edit Interface window, set the following parameters according to the explanations provided:
      Parameter      Description
      IF Number:     F-2
      IP Address:    20.1.1.10
      Network Mask:  255.255.255.0

      IF Number:     F-3
      IP Address:    30.1.1.10
      Network Mask:  255.255.255.0

      IF Number:     F-4
      IP Address:    40.1.1.10
      Network Mask:  255.255.255.0
   f. Click Ok. The LinkProof Setup window remains open.
3. Using the Command Line Interface, configure Port Rules:
      LP port-rules set 1 2
      LP port-rules set 3 4
4. Add two Firewalls:
   a. From the LinkProof toolbar, click Add and from the drop-down menu, select a Firewall.
   b. Double-click the Firewall icon that appears on the map. The Firewall window appears.
   c. From the Firewall window, set the following parameters according to the explanations provided:
      Parameter    Description
      FW Name:     Firewall 1
      IP Address:  20.1.1.1
      IP Address:  30.1.1.1
   d. Add another firewall. Set the following parameters according to the explanations provided:
      Parameter    Description
      FW Name:     Firewall 2
      IP Address:  20.1.1.2
      IP Address:  30.1.1.2
   e. Click Ok. Your preferences are recorded.
5. Add two Routers:
   a. From the LinkProof toolbar, click Add and from the drop-down menu, select a Router.
   b. Double-click the Router icon that appears on the map. The Router window appears.
   c. From the Router window, set the following parameters according to the explanations provided:
      Parameter     Description
      Router Name:  Router 1
      IP Address:   100.1.1.20
   d. Add another router by setting the following parameters according to the explanations provided:
      Parameter     Description
      Router Name:  Router 2
      IP Address:   200.1.1.20
   e. Click Ok. Your preferences are recorded.
6. Add three farms to LinkProof:
   a. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
   b. From the LinkProof Traffic Redirection window, click the Farms tab. The Farms pane appears.
   c. From the Farms pane, click Add. The Edit LinkProof Farms window appears.
   d. From the Edit LinkProof Farms window, for Farm Type select Firewall and define the farm name, for example: Internal Firewall.
   e. Add the farm servers. From the Farm Servers pane, click Add. The LinkProof Farm Firewall Server window appears. Select servers as specified in step g.
   f. From the LinkProof Farm Firewall Server window, click the Traffic Settings tab and set parameters as required.
   g. Repeat this procedure for all farms. For each farm define servers and load balancing parameters as follows:
      Farm Name:           Internal Firewall   External Firewall   Routers
      Server Name:         Firewall1           Firewall1           Router1
      Server Address:      20.1.1.1            30.1.1.1            100.1.1.20
      Server Name:         Firewall2           Firewall2           Router2
      Server Address:      20.1.1.2            30.1.1.2            200.1.1.20
      Dispatch Method:     any                 any                 any
      Persistency:         any                 any                 any
      Packet Translation:  Disable             Disable             NAT
7. Configure Dynamic NAT for the two routers:
   a. From the LinkProof Traffic Redirection window, click NAT. The NAT pane appears.
   b. From the NAT pane, check the SmartNAT checkbox to enable NAT functionality.
   c. In the NAT field, select Dynamic NAT to add NAT addresses for outbound traffic by adding the following NAT entries:
      Parameter            Entry 1      Entry 2
      From Local Address:  30.1.1.0     30.1.1.0
      To Local Address:    30.1.1.255   30.1.1.255
      Router IP:           100.1.1.20   200.1.1.20
      Dynamic NAT IP:      100.1.1.22   200.1.1.22
   d. After each entry, click Add to save your settings.
Flow Management
This section describes the flow management process for LinkProof: the flow concept, flow policies and some LinkProof configuration examples.
This section includes the following topics:
• Flow Concept, page 146
• Flow Policies, page 147
• Typical Flow Configurations, page 148
Flow Concept
The Flow Management capability allows LinkProof to sequentially load balance several server
farms, each providing a different service. Basic firewall load balancing (without
differentiation between types of traffic) can be implemented without configuring Flows on
the LinkProof, but for any other configuration Flow Management is required.
The traffic flow for a packet involves the following process:
• A packet arrives from the client, is examined by LinkProof, load balanced within a farm, returned from the selected server to LinkProof, examined again and load balanced within a different farm, and so on.
• LinkProof distinguishes between clients and servers even when the servers are using spoofing, by looking at the source MAC.
Multiple flows can be defined on a device, for different types of traffic. To identify the traffic
for each flow the Radware classification engine is used. Policies are defined to classify traffic
and attach it to a specific flow. Any number of policies can be defined for each flow.
To configure Flow Management:
1. Configure all the farms necessary according to the type of service each has to provide.
2. From the LinkProof Traffic Redirection window, select the Flow tab. The Flow pane
appears.
3. From the Flow pane, click Add Flow. The LinkProof Traffic Flow window appears.
4. From the LinkProof Traffic Flow window, configure Flow Policies as described in Flow Policies, page 147.
Default Flow
The LinkProof device automatically creates a default flow that is used for traffic that does
not match any flow policy. The default flow does not include any farm. When traffic that
must be forwarded according to default flow is detected, the device looks in the routing
table for the default gateway. If the default gateway is a farm server the default farm of this
server is selected as the farm used by the default flow. Traffic is then forwarded to one of
the servers in this farm according to the farm load balancing settings.
If the default gateway is not a farm server, then traffic is just forwarded to this default
gateway, without any load balancing.
Flow Policies
A flow policy defines the criteria used to select a specific flow for a specific type of traffic.
When a new session arrives to the LinkProof, the device scans through the flow policies list
looking for a match. Once a match is found the packet is redirected according to the flow
attached to this policy.
The device scans the policies according to their index, in ascending order, so it is important that policies that look for more specific traffic have a lower index (for example, a policy that looks for HTTP traffic from the local network must have a lower index than a policy that looks for any traffic from the local network).
The flow policies include the following elements: Traffic Classification Criteria and the
selection of the farm for this type of traffic.
The classification criteria available are:
• Source and/or Destination IP Addresses: IP Address or a Network class (IP subnets, IP ranges, or lists of discrete IPs can be defined as a Network class, see Bandwidth Management, page 335).
• Application: Using the Service elements it is possible to define a required application according to application port and/or additional data (see the Bandwidth Management chapter).
  Note: Although the Service classes that can be configured on the device allow for definition of Layer 7 criteria (for Bandwidth Management purposes), when used for traffic classification for flow management purposes any criteria that are not found in the first packet of the session will be ignored during the classification process.
• Traffic Direction: Different flows can be applied to different traffic directions. The matched traffic depends not only on the value of the Traffic Direction parameter (One Way or Two Way), but also on whether the policy is searching for layer 3 or layer 4 sessions.

                    One Way                                          Two Way
    Layer 3 Policy  Requests from policy source to destination       All traffic between policy source and destination.
                    and the related replies from destination.
    Layer 4 Policy  Request only from policy source IP and port      Requests from policy source IP and port to destination
                    to destination IP and port.                      IP and port and related replies from destination.

  Note: For a layer 3 policy, traffic from the policy source addresses passes the flow farms from left to right, while traffic from the policy destination address passes the flow from right to left. However, if the layer 3 policy sets both source and destination addresses to "any", all request traffic will pass the flow from left to right (reply traffic will pass in the opposite direction). For layer 4 policies, request traffic will pass the flow from left to right and reply traffic will pass the flow from right to left.
• VLAN Tag: To classify traffic according to VLAN identifier tags.
• Inbound Physical Port: Classifies only traffic received on certain interfaces of the device.
For more details on the classification criteria see Bandwidth Management Classification Criteria, page 337.
To configure a Flow Policy:
1. Via the Bandwidth Management module, define all the traffic classes you require for the
policy - source and/or destination networks, inbound physical port group, VLAN Tag
group and Services, see Bandwidth Management, page 335.
2. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection
window appears.
3. From the LinkProof Traffic Redirection window, click the Flows tab. The Flows pane
appears.
4. From the Flows pane, click Flow Policies. The Edit Policy window appears.
5. From the Edit Policy window, set the classification criteria and select the flow to be used for the traffic that matches these criteria.
6. Click Ok to save settings and return to the Flows pane.
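The following added example (not Radware code) models the policy scan described above: policies are tried in ascending index order and the first match selects the flow, the One Way / Two Way table is applied to the first packet of a session, and unmatched traffic falls back to the default flow. The network classes and policies are constructed, modelled on the Flow LinkProof Example Configuration later in this chapter; the shadowing check is this example's own aid for the ordering rule and not a LinkProof feature.

```python
# Added example, not Radware code: a simplified model of flow-policy classification
# (ascending index, first match wins), the One Way / Two Way direction table applied
# to the first packet of a session, and the default-flow fallback. All networks,
# policies and packets are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Network classes as defined in the Bandwidth Management module (constructed).
NETWORKS = {
    "Local Network": [ip_network("10.1.1.0/24")],
    "Internal Server": [ip_network("10.1.1.30/32")],
    "Corporate Network": [ip_network("20.1.1.0/24"), ip_network("40.1.1.0/24")],
    "any": [ip_network("0.0.0.0/0")],
}
# Service classes: application port. A policy without a service is a layer 3 policy.
SERVICES = {"HTTP": 80}


@dataclass(frozen=True)
class Policy:
    name: str
    index: int
    source: str
    destination: str
    service: Optional[str]  # None -> layer 3 policy, otherwise layer 4
    direction: str          # "One way" or "Two way"
    flow: str


@dataclass(frozen=True)
class FirstPacket:
    src: str
    dst: str
    dport: int


def in_class(addr: str, name: str) -> bool:
    return any(ip_address(addr) in net for net in NETWORKS[name])


def matches(p: Policy, pkt: FirstPacket) -> bool:
    """Classify a new session by its first packet (only criteria visible there count).

    Layer 3, One Way: requests from policy source to destination (replies follow the
    session). Layer 3, Two Way: sessions opened in either direction. Layer 4: only a
    request from the source to the destination service port opens a matching session;
    Two Way additionally keeps the related replies in the flow.
    """
    fwd = in_class(pkt.src, p.source) and in_class(pkt.dst, p.destination)
    if p.service is None:
        rev = in_class(pkt.src, p.destination) and in_class(pkt.dst, p.source)
        return fwd or (p.direction == "Two way" and rev)
    return fwd and pkt.dport == SERVICES[p.service]


def classify(policies: list[Policy], pkt: FirstPacket) -> str:
    """Scan policies by ascending index; the first match selects the flow."""
    for p in sorted(policies, key=lambda x: x.index):
        if matches(p, pkt):
            return p.flow
    return "default"


def covers(broad: str, narrow: str) -> bool:
    return all(any(n.subnet_of(b) for b in NETWORKS[broad]) for n in NETWORKS[narrow])


def shadowed(policies: list[Policy]) -> list[str]:
    """Policies that can never match because a lower-index policy matches a superset."""
    ordered = sorted(policies, key=lambda x: x.index)
    out = []
    for i, p in enumerate(ordered):
        for q in ordered[:i]:
            if (q.service in (None, p.service)
                    and covers(q.source, p.source) and covers(q.destination, p.destination)
                    and (q.direction == "Two way" or p.direction == "One way")):
                out.append(p.name)
                break
    return out


def default_flow(default_gateway: str, farm_of_server: dict) -> str:
    """Default Flow section: the default gateway's farm if the gateway is a farm
    server, otherwise plain forwarding to the gateway without load balancing."""
    return farm_of_server.get(default_gateway, f"forward to {default_gateway} without load balancing")


# Constructed policy set in the spirit of the page's HTTPOut / all-Intranet / all-Internet.
POLICIES = [
    Policy("HTTPOut", 1, "Local Network", "Corporate Network", "HTTP", "Two way", "Intranet1"),
    Policy("all-Intranet", 3, "Local Network", "Corporate Network", None, "Two way", "Intranet2"),
    Policy("all-Internet", 4, "Local Network", "any", None, "One way", "Internet"),
]

if __name__ == "__main__":
    print(classify(POLICIES, FirstPacket("10.1.1.5", "20.1.1.7", 22)))  # Intranet2
    print(shadowed(POLICIES))  # []
```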
Typical Flow Configurations
The following section provides configuration examples for typical LinkProof configurations using Flow Management:
• Flow LinkProof Example Configuration, page 148
Flow LinkProof Example Configuration
It is often required to use different WAN links for different applications and/or destinations.
In the following example there are 2 routers. Router 1 is connected to a private network and
can only connect to other corporate sites (Intranet). Router 2 is connected to the public
network and can be used as a backup for the private link (with VPN) and also for access to
the Internet.
HTTP traffic on the Intranet must use the private link as long as it is available and only use
the VPN link for backup. The other applications running on the Intranet can use both links
(load balanced).
[Figure 13 - Flow LinkProof Example Application: diagram of the LinkProof (interfaces 100.1.1.10 and 200.1.1.10) between the local network 10.1.1.x with internal server 10.1.1.30 and Router 1 and Router 2, with NAT for 10.1.1.30 via Router 1 and via Router 2]
To configure Router Load Balancing per Application:
1.
During initial installation, configure IP address for the device, for example 10.1.1.10 on
Interface 1
2.
Define additional IP interfaces:
a.
b.
From the main window, double-click the LinkProof icon. The LinkProof Connect to
Device window appears.
From the LinkProof Connect to Device window, type the device's IP address:
10.1.1.10 and click Ok.
c.
Double-click the LinkProof icon again. The LinkProof Setup window appears.
d.
From the LinkProof Setup window, click Add. The Edit Interface window appears.
e.
From the Edit Interface window, set the following parameters according to the
explanations provided:
Parameter
Description
IF Num:
F-2
IP Address:
100.1.1.10
Doc. No.: 8261
149
LinkProof User Guide
Network Mask:
255.255.255.0
IF Num:
F-2
IP Address:
200.1.1.10
Network Mask:
255.255.255.0
f.
Click Ok. The LinkProof Setup window remains open.
3. Define at least one of the routers as the default gateway to the Internet, it is
recommended to define all the routers in the Routing Table:
a.
b.
c.
From the LinkProof Setup window, select Networking > Routing Table. The
Routing Table window appears.
From the Routing Table, click Add. The Edit Route window appears.
From the Edit Route window, set the following parameters according to the
explanations provided:
Parameter
Description
Destination IP Address:
0.0.0.0
Network Mask:
0.0.0.0
Next Hop:
100.1.1.20
IF Number:
F-2
Destination IP Address:
0.0.0.0
Network Mask:
0.0.0.0
Next Hop:
200.1.1.20
IF Number:
F-2
d.
Click Ok to apply the parameters.
1. Add two Routers:
a.
b.
Parameter
Description
FW Name:
Router 1
IP Address:
100.1.1.20
c.
150
From the LinkProof toolbar, click Add and from the drop-down menu, click Router.
Double-click the Router icon that appears on the map. The Router window appears.
From the Router window, set the following parameters according to the explanations
provided:
Add another router by setting the following parameters according to the
explanations provided:
Parameter
Description
FW Name:
Router 2
IP Address:
200.1.1.20
Doc. No.: 8261
LinkProof User Guide
d.
2.
Click Ok. Your preferences are recorded.
Add 3 farms to LinkProof:
FM1: Farm1 to load balance HTTP traffic to other corporate sites.
FM2: Farm2 to load balance non-HTTP traffic to other corporate sites.
FM3: Farm3 to load balance traffic to the internet.
a.
b.
From the main window, click Traffic Redirection. The LinkProof Traffic Redirection
window appears.
From the LinkProof Traffic Redirection window, click the Farms tab. The Farms pane
appears.
c.
From the Farms pane, click Add. The Edit LinkProof Farms window appears.
d.
From the Edit LinkProof Farms window, select Farm Type Firewall and define the
farm name.
e.
Add the farm servers. From the Farm Servers pane, click Add. The LinkProof Farm
Firewall Server window appears. Select servers as specified in step f).
f.
From the LinkProof Farm Firewall Server window, click the Traffic Settings tab and
set parameters as required.
g.
Repeat this procedure for all farms. For each farm define servers and load balancing
parameters as follows:
Farm Name:
Farm1
Farm2
Farm3
Server Name:
Router1
Router1
Router1
Server
Address:
100.1.1.20
100.1.1.20
Operation
Mode:
Regular
Regular
Server Name:
Router2
Router2
Server
Address:
200.1.1.20
200.1.1.20
Operation
Mode:
Backup
Regular
Dispatch
Method:
any
any
Persistency
any
any
Packet
Translation:
NAT
NAT
h.
100.1.1.20
Regular
any
any
NAT
Click Ok. Your preferences are recorded.
3.
Configure connectivity checks for the load balanced routers.
4.
Define the required flows:
a.
b.
From the Traffic Redirection window, click Flows. The Flows pane appears.
From the Flows pane, click Add. The LinkProof Traffic Flows window appears.
c.
From the LinkProof Traffic Flows window, add 3 flows as follows.
Flow Name
Intranet1
intranet2
Intranet3
1st Farm
Farm1
Farm2
Farm3
Doc. No.: 8261
151
LinkProof User Guide
d.
From the Flows pane, highlight the flow you created and click Policies. The Flow
Policies window appears.
Note:
e.
From the Flow Policies window, click the Modify tab and click Add. The Edit Policy
window appears.
f.
From the Edit Policy window, click New Network. The Edit Network Table dialog
box appears.
g.
From the Edit Network Table dialog box, set the following parameters according to
the explanations provided:
Parameter
Description
Network Name:
Local Network
Network Mode:
IP Mask
IP Address:
10.1.1.0
IP Mask:
255.255.255.0
h.
Click Ok. Your preferences are recorded.
i.
From the Edit Network Table dialog box, click New Network again and set the
following parameters according to the explanations provided:
Parameter
Description
Network Name:
Internal Server
Network Mode:
IP Range
From Address:
10.1.1.30
To Address:
10.1.1.30
j.
Click Ok. Your preferences are recorded.
k.
Click New Network again and set the following parameters according to the
explanations provided:
Parameter
Description
Network Name:
Corporate Network
Network Mode:
IP Mask
IP Address:
20.1.1.0
IP Mask:
255.255.255.0
l.
152
You may be prompted to enable BWM and to reboot the LinkProof, if so click
Ok and follow the on-screen instructions.
Click Ok. Your preferences are recorded. Repeat by setting the following parameters
according to the explanations provided:
Parameter
Description
Network Name:
Corporate Network
Doc. No.: 8261
LinkProof User Guide
Network Mode:
IP Mask
IP Address:
30.1.1.10
IP Mask:
255.255.255.0
Network Name:
Corporate Network
Network Mode:
IP Mask
IP Address:
40.1.1.0
IP Mask:
255.255.255.0
m. From the Edit Policy window, set the following parameters for the policies required
   for the three flows:
   Policy Name:    HTTPOut            HTTPIn             all-Intranet       all-Internet
   Policy Index:   1                  2                  3                  4
   Service Type:   Regular            Regular            None               None
   Service Name:   HTTP               HTTP               None               None
   Source:         Local Network      Corporate Network  Local Network      Local Network
   Destination:    Corporate Network  Internal Server    any                any
   Direction:      Two way            Two way            Two way            One way
   Flow:           Intranet1          Intranet1          Internet2          Internet
n. Click Ok and then Update Active Policies. Your preferences are recorded.
5. Configure NAT (Dynamic & Static) for the two routers:
a. From the LinkProof Traffic Redirection window, click NAT. The NAT pane appears.
b. In the NAT field select Dynamic NAT to add NAT addresses for outbound traffic by
   adding the following NAT entries:
   From Local Address:   10.1.1.0      10.1.1.0
   To Local Address:     10.1.1.255    10.1.1.255
   Router IP:            100.1.1.20    200.1.1.20
   Dynamic NAT IP:       100.1.1.22    200.1.1.22
c. After each entry, click Add to save your settings.
d. From the NAT field, select Static NAT to add NAT addresses for inbound traffic by
   adding the following NAT entries:
   From Local Address:   10.1.1.30     10.1.1.30
   To Local Address:     10.1.1.30     10.1.1.30
   Router IP:            100.1.1.20    200.1.1.20
   From Static NAT:      100.1.1.21    200.1.1.21
   To Static NAT:        100.1.1.21    200.1.1.21
e. After each entry, click Add to save your settings.
6. Map the URL of the Internal server to the server's local IP:
a. From the LinkProof Traffic Redirection window, click DNS. The DNS pane appears.
b. From the DNS pane, click Name to Local IP. The Name to Local IP window appears.
c. From the Name to Local IP window, enter www.site.com as the Host URL parameter
   and 10.1.1.30 for the local IP parameter.
d. Click Add to save the entry.
e. Click Ok. Your preferences are recorded.
VPN Load Balancing
When supporting advanced LinkProof & Firewall configurations there are special
considerations with regard to the way the traffic flows.
VPN Load Balancing, page 155 illustrates a network topology called a Firewall "Sandwich".
This topology reflects the inbound and outbound traffic flow as it is routed by the LinkProof
devices through Firewalls.
This section includes the following topics:
• Multicast Dispatch, page 156
• Clear Client Table, page 157
• Client Table Overwrite, page 158
Figure 14 - VPN Load Balancing
VPN Load Balancing, page 155 illustrates 2 possible VPN Load Balancing scenarios:
• The network session starts from the H.Q to the branch.
  In this case traffic returning from the branch uses the same path. If a new traffic
  session originates from the branch to the H.Q, the same VPN server tunnel must be
  used as the one used previously by the traffic coming from the H.Q to the branch.
  The traffic flow is as follows:
  — Router - LAN A
  — 2nd LinkProof
  — VPN Gateway 1
  — 1st LinkProof
  — VPN Gateway 3
  — Branch LAN
• The network session starts from the branch to the H.Q.
  In this case traffic returning from the H.Q uses the same path. If a new traffic
  session originates from the H.Q to the branch, it should use the same VPN server
  tunnel as the one used before by the traffic coming from the branch to the H.Q.
  The traffic flow is as follows:
  — Branch LAN
  — VPN Gateway 3
  — 1st LinkProof
  — VPN Gateway 1
  — 2nd LinkProof
  — Router - LAN A
VPN Alternative Traffic Paths, page 156 illustrates 2 alternative VPN Traffic flow paths.
Figure 15 - VPN Alternative Traffic Paths
LinkProof is unable to determine which VPN Gateway the tunnel uses (the tunnel is
maintained via one VPN Gateway only). Therefore, if traffic is routed back via the wrong
path, the connection is dropped by the other VPN Gateway.
To avoid this, a dispatch method called Multicast is available when configuring a Firewall
Farm.
Multicast Dispatch
When the network session starts from the H.Q to the branch, as illustrated in VPN
Alternative Traffic Paths, page 156, a VPN session is open along the red path.
When the Multicast Dispatch method is used, after the return packet reaches the lower
LinkProof device, the return packet is multicast to both VPN Gateways. The gateway that
responds first is the one with an already established VPN session (red path). LinkProof
forwards the traffic to that VPN Gateway and the session is not interrupted.
To configure Multicast Dispatch using WBM
When creating a new Firewall Farm:
1. Select LinkProof > Farms > FW Farm Table > Create.
2. From the Dispatch Method drop-down list select Multicast.
3. Click Set.
To configure Multicast Dispatch using CLI
1. Type the following command: lp farms firewall-farms add <farm name> -dm multicast
2. Press Enter.
Clear Client Table
Client entries are removed from a farm using the Clear Client Table feature when specific
VPN Load Balancing configurations are problematic. Clear Client Table Scenarios, page 157
illustrates the 2 possible scenarios for which the Clear Client Table feature is used.
Figure 16 - Clear Client Table Scenarios
Scenario 1
In the event that Switch No. 3 goes down, LinkProof No. 4 handles the session.
If Switch No. 3 comes up again, LinkProof No. 3 responds to the traffic again and sends the
traffic to both VPN gateways (VPN No. 1 and VPN No. 2), as multicast mode has been set.
LinkProof No. 3 no longer has a Client Table entry. LinkProof No. 1, however, still sends
traffic to VPN No. 1, and this creates a persistency issue because LinkProof No. 3 and
LinkProof No. 1 have different entries in their client tables.
The Solution
To solve this scenario, a new flag is added to the farm that indicates that a client entry
belonging to a farm needs to be deleted when the server of that farm comes up again. This
ensures that persistency is maintained.
Scenario 2
Another problem arises when both backup and regular servers (Firewalls) are configured. If
both servers are active, traffic goes through the regular server.
If the regular server is not in service, all its associated Client Table entries are deleted and
traffic is sent through the backup server.
Once the regular server is up again, the old sessions that are already in the Client Table are
still sent through the backup server even though the regular server is up. Only new sessions
are sent through the regular server.
The Solution
To solve the second scenario, an additional value has been added to the field which provides
an option to delete farm-related client entries when the first regular server comes up.
This ensures that no session goes through the backup server if a regular server is
available.
Each farm contains a field called Client Table Clear Condition, which has one of the
following values:
To configure the Clear Client Table using WBM
1. Select LinkProof > Farms > FW Farms Table. The FW Farm Table window appears.
2. Click Create. The Farm Table Create window appears.
3. From the Clear Client Table Condition drop-down list select one of the following
   parameters:
   None                   This is the default value. Previous functionality is ignored.
   Any Server Up          When a server of a particular farm goes up after having
                          been down, all the client entries which are part of that
                          farm are deleted.
   1st Regular Server Up  When a regular server goes up and it is the first regular
                          server for that farm to go up, all the Client Table entries
                          associated with that server selection of that farm are
                          deleted.
4. Click Set.
To configure the Clear Client Table using CLI
1. Type in the following command: lp farms firewall-farms set <Farm Name> -tc
   <none (default), Any Server Up or 1st Regular Server Up>
2. Press Enter.
Note: The above parameters can also be set while creating the Firewall Server Farm.
Client Table Overwrite
This feature assists in dealing with the problems associated with Scenario 1, page 157.
To solve the problem a new flag was added to the farm to indicate that a client entry
belonging to a farm needs to be deleted when the server of that farm comes up again.
Notes: Since the 2 LinkProofs are not synchronized and do not recognize that the server is
up/down at the same time, the following persistency issues remain until they are
overwritten.
i   Persistency issues remain until the Client Table entry is deleted. The server
    that receives a packet from a different server (Firewall) is not overwritten.
ii  In the case in which the new server is of a different Farm than the Farm of
    the original server, the server selection is not overridden.
iii In the case where IP translations (NAT) of any sort are involved for the
    session, the server selection is not overridden.
To configure the Client Table Overwrite using WBM
Once a new Firewall Farm has been created:
1. Select LinkProof > Global Configuration > Client Table > Server Selection Override.
2. From the Server Selection Override drop-down list select either Disable (default) or
   Enable.
3. Click Set.
To configure the Client Table Overwrite using CLI
1. Type in the following: lp global client-table server-selectionoverride set
   <disable (default) or enable>
2. Press Enter.
Client Table
This section explains the concept of the Client Table, which is employed to store the client
session information necessary to maintain session persistency.
This section includes the following topics:
• Client Table Management, page 159
• Client Table Global Parameters, page 163
• Client Table Views, page 166
Client Table Management
In order to efficiently handle the flow of traffic between the clients and the servers, Radware
devices employ the Client Table. The Client Table stores client session information, which is
necessary to maintain session persistency.
When a client first approaches the device, LinkProof checks whether an entry for this client
already exists in the Client Table. If the appropriate entry is found, the client is directed to
the farms and servers that appear in the Client Table. In such a case, there is no need to
make a load balancing decision.
If an entry does not exist, traffic is classified to identify the flow that matches this traffic. An
entry is made into the Client Table indicating the sequence of farms this traffic must pass
according to the selected flow. A server is selected for each farm in the flow, as the traffic
reaches it, according to the load balancing considerations that are defined by the Dispatch
Method (see Dispatch Methods, page 89), and is recorded in the Client Table.
Figure 17 - HTTP Outbound Session Example Configuration (network diagram: Local Network
10.1.1.x, LinkProof, Firewall 1, Firewall 2, Router 1, Router 2)
The Client Table entry provided below in Table 13 on page 160 is an example of an HTTP
outbound session for the network example shown in HTTP Outbound Session Example
Configuration, page 160.
Table 13: Client Table 1
Source Address  Destination Address  Source Port  Destination Port  Flow
10.1.1.2        202.2.2.2            1062         80                http flow

Farm Name    Server Name  Idx  Type     Action        Port # / Ext Idx
fw_int_farm  fw1          1    Regular  Send to Farm  16
fw_ext_farm  fw1          2    Regular  Send to Farm  17
router_farm  router2      3    N        Send to Farm  18
Each entry in the client table provides the following information:
• Session parameters (source address and port, destination address and port).
• Flow that matches this session.
• Information regarding each farm in the selected flow:
  — Server selected for each farm. If this field is empty it means that the session has
    not yet reached this farm, and server selection has not yet occurred.
  — IDX - the index of the farm in the flow. If the session was only routed then the
    index value is 0.
  — Action taken for this farm, or Port Number for IDS & SSL farms. The values for the
    action field are:
    Select Server      A server was not yet selected for this farm.
    Send to Farm       A server was selected for this farm.
    Skip Farm          This farm was bypassed.
    Discard            Packets are dropped when they reach this stage.
    Passive Farm       A server farm was selected only for use of NAT - traffic is not
                       forwarded to this server. This option can occur when a Static NAT
                       is performed for local traffic.
    Passive Select     A passive server (see above) was not yet selected.
    Select Tunnel      A virtual tunnel was selected.
    Select Tunnel PBP  A virtual tunnel was selected when Virtual Tunneling is operating
                       in Packet-per-packet mode.
  — Type - Client Entry can have the following values:
    Regular   No packet translation.
    V         Virtual IP translation.
    DN        Dynamic NAT.
    SN        Static NAT.
    VPN Rglr  Session is encrypted, Flow mode=Basic.
    VPN Prvt  Session is encrypted, Flow mode=Combined Private&VPN.
    VPNVT CT  Session is encrypted, Flow mode=VT.
    RSN       Virtual Tunneling NAT using Static NAT.
    RNN       Virtual Tunneling NAT using No NAT.
  — Ext Idx - extension index. When the type is other than Regular, this index points to
    additional information regarding this session, such as the address and port used in
    address translation.
Note: The farms for each client table entry are displayed in the order in which they
were configured in the flow.
Removing an Entry from the Client Table
LinkProof removes the relevant entries from the Client Table in the following cases:
• When one of the servers within a farm becomes unavailable.
• When the Aging Time of an entry expires. The Client Aging Time parameter is set per
  farm, see Farm Load Balancing, page 89.
• When Remove On Session End is used.
To Configure the Client Table
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window
   appears.
2. From the LinkProof Setup window, click the Global tab, select Client Table
   Settings and click Edit Settings. The Client Table Settings window appears.
3. From the Client Table Settings window, set the parameters accordingly.
4. Click Set. Your preferences are recorded.
Client Table Report Enhancements
Client Table current entries can be viewed via CLI only, using the following commands:
• lp client table (to see client table information)
• lp client table-summary (to see summary information)
The following options are available with the lp client table CLI command, which allow
you to filter existing client entries and display only relevant entries:
• -ip to print only entries with the given IP address
• -fl to print only entries with the given flow name
• -fn to print only entries with the given farm name
• -sn to print only entries with the given server name
• -vl to print only entries with forwarding type bridging
• -ap to print only entries with the given application port
• -db to print only entries with delayed binding information
• -ed to print only entries with edge farm info
• -mapped to print entries including mapped information
• -ptr to print only entries with the given packet translation type (VIP, Dynamic NAT,
  VPN, etc.)
Client Table Tuning Guidelines
When setting the Client Table size you must also configure the Client Extension Table size.
The relationship between the two table sizes is as follows:
Client Extension Table size = (max number of farms in a flow, as configured on the device)
* Client Table size.
For example, in case LinkProof load balances routers only, the Client Extension Table size
should be the same as the Client Table size.
To configure Client Table tuning:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window
   appears.
2. From the LinkProof Setup window, click Global. The Global pane appears.
3. From the Global pane, select Client Table Settings and then click Edit Settings. The
   Client Table Settings window appears.
4. From the Client Table Settings window, edit the parameters according to your
   requirements.
Client Table Global Parameters
Client Table Global Parameters apply to the LinkProof device. All the farms defined on this
device are affected by the Global Parameter settings.
Client Table Mode
For flexibility purposes LinkProof allows the Client Table to work in various modes. The
following Client Table modes are available:
• Layer 3
• Half Layer 4
• Full Layer 4
For maximum flexibility LinkProof allows you to configure different persistency modes per
farm. The persistency defines when a new server is selected for the specific farm. The Client
Table Mode defines when an entry is made in the Client Table.
Layer 3 Mode
The Layer 3 mode is the default Client Table Mode, in which LinkProof maintains Layer 3
persistency. In this mode, each entry is identified by the following parameters:
• Source IP address
• Destination IP address
In Layer 3 mode all sessions between the same source and destination addresses are
represented by a single Client Table entry and are forwarded to the same farm servers.
Half Layer 4
In this mode, each entry is identified by the following parameters:
• Source IP address
• Destination IP address
• Destination port
In this mode, all the sessions destined to the same address and port are represented by a
single entry in the Client Table, regardless of the Source port(s). For example, in a simple
web page retrieval, a client may open a few TCP sessions with the server, using each session
to transfer different parts of the page, such as text, GIF files and so on. All of these
sessions, identified by Destination port 80 and different Source ports, constitute a single
entry in the Client Table.
This mode is the minimum mode required whenever sessions to different destination ports
must be tracked separately. For example:
• When different flows are configured for different applications.
• When farms of proxy servers are defined on the device (the VIP mechanism is used, see
  Proxy Firewalls, page 96).
Full Layer 4
In this mode, each entry is identified by the following parameters:
• Source IP address
• Destination IP address
• Source port
• Destination port
In this mode, a new entry is added to the Client Table for every session opened between the
client and the server. For example, in the above example of a simple page retrieval, each of
these sessions, identified by Destination port 80 and a unique Source port, such as 1234,
1235, 1236 and so on, constitutes a new entry in the Client Table.
This mode is required when:
• NAT is enabled in any of the farms.
• Content-based load balancing is configured on the device.
• The SYN Flood protection mechanism is enabled.
Since a new table entry is made into the Client Table for every new session, the Client Table
has many entries. You can increase the Client Table to accept more entries based on the
amount of RAM available on the LinkProof unit.
Remove Entry on Session End
The Remove Entry on Session End mode allows LinkProof to remove entries from the Client
Table before the Aging Time expires. This mode is used to clear entries representing the TCP
sessions that were closed before the end of the Aging Time period.
Note: As the Client Aging Time is configured per farm, to determine the Client Table entry
aging time LinkProof looks at the Aging Times of all the farms in this entry's flow and
selects the longest period.
Tip: Removing entries from the Client Table immediately when the TCP session is closed
frees the memory resources for the active sessions and therefore improves memory
utilization.
When Remove Entry on Session End is enabled LinkProof behaves as follows:
• When LinkProof detects a RST or FIN packet between the source and the destination,
  LinkProof marks the entry for deletion from the Client Table, as the RST/FIN packets
  indicate that the session is closed.
• The entry is aged in 5 seconds and subsequently removed.
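The three Client Table modes and the Remove Entry on Session End behaviour described above, modelled as an added example (not Radware code): the entry key changes with the mode, so the page's three-session page retrieval yields one entry in Layer 3 and Half Layer 4 but three in Full Layer 4. Flow names, farm names and Client Aging Times are constructed sample data; the capacity and memory figures of the real device are not modelled.

```python
"""Constructed model of the Client Table modes and Remove Entry on Session End.
Added illustration, not Radware code. Flow, farm and Client Aging Time values are
constructed sample data; an entry ages out after the longest Client Aging Time among
the farms of its flow, and RST/FIN re-ages it to 5 seconds (as the page describes)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LAYER3, HALF_L4, FULL_L4 = "Layer 3", "Half Layer 4", "Full Layer 4"


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def entry_key(s: Session, mode: str) -> Tuple:
    """Parameters that identify a Client Table entry in each mode."""
    if mode == LAYER3:
        return (s.src_ip, s.dst_ip)
    if mode == HALF_L4:
        return (s.src_ip, s.dst_ip, s.dst_port)
    if mode == FULL_L4:
        return (s.src_ip, s.dst_ip, s.src_port, s.dst_port)
    raise ValueError(f"unknown Client Table mode: {mode}")


@dataclass
class Entry:
    flow: str
    farms: List[str]                  # farm sequence of the flow, in configured order
    servers: Dict[str, Optional[str]] = field(default_factory=dict)  # None = not reached
    age_left: int = 0                 # seconds until the entry is removed
    closing: bool = False             # RST/FIN seen with Remove Entry on Session End on


class ClientTable:
    def __init__(self, mode: str, flows: Dict[str, List[str]],
                 farm_aging: Dict[str, int], remove_on_session_end: bool = False):
        self.mode = mode
        self.flows = flows              # flow name -> ordered farm names
        self.farm_aging = farm_aging    # farm name -> Client Aging Time in seconds
        self.remove_on_session_end = remove_on_session_end
        self.entries: Dict[Tuple, Entry] = {}
        self.lb_decisions = 0           # fresh load balancing decisions made

    def lookup_or_create(self, s: Session, flow: str) -> Entry:
        """First packet: reuse an existing entry, else classify and record the flow."""
        key = entry_key(s, self.mode)
        entry = self.entries.get(key)
        if entry is None:
            farms = self.flows[flow]
            entry = Entry(flow=flow, farms=farms, servers={f: None for f in farms},
                          age_left=max(self.farm_aging[f] for f in farms))
            self.entries[key] = entry
            self.lb_decisions += 1
        return entry

    def select_server(self, s: Session, farm: str, server: str) -> str:
        """Record the Dispatch Method's choice when traffic reaches the farm; a selection
        already in the table is kept, which is what gives the entry its persistency."""
        entry = self.entries[entry_key(s, self.mode)]
        if entry.servers[farm] is None:
            entry.servers[farm] = server
        return entry.servers[farm]

    def on_tcp_flag(self, s: Session, flag: str) -> None:
        """RST/FIN closes the session: mark the entry, which then ages out in 5 seconds."""
        if flag in ("RST", "FIN") and self.remove_on_session_end:
            entry = self.entries.get(entry_key(s, self.mode))
            if entry is not None:
                entry.closing = True
                entry.age_left = 5

    def tick(self, seconds: int) -> List[Tuple]:
        """Advance time; return the keys of entries whose aging time expired."""
        expired = [k for k, e in self.entries.items() if e.age_left <= seconds]
        for e in self.entries.values():
            e.age_left -= seconds
        for k in expired:
            del self.entries[k]
        return expired


def page_retrieval_entries(mode: str) -> int:
    """Entries produced by the page's example: one client fetching a page over three
    TCP sessions from source ports 1234, 1235 and 1236 to destination port 80."""
    table = ClientTable(mode, flows={"http flow": ["fw_int_farm", "router_farm"]},
                        farm_aging={"fw_int_farm": 60, "router_farm": 120})
    for sport in (1234, 1235, 1236):
        table.lookup_or_create(Session("10.1.1.2", "202.2.2.2", sport, 80), "http flow")
    return len(table.entries)
```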
Aging by Application
You can assign different applications different client lifetimes. Since applications are
identified by the ports they use, you assign application aging times by configuring aging
times for specific ports. For example, you can assign FTP longer aging times and HTTP
shorter ones.
You can configure application aging times for applications over the TCP and UDP protocols.
For applications not carried over UDP or TCP (e.g., ICMP), use port 0. Any applications for
which you do not assign an aging time age according to the Farm configuration.
Note: Aging per Application is available only if the Client Table mode is Half Layer 4 or
above.
To configure Aging by Application:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window
   appears.
2. From the LinkProof Setup window, click the Global tab, select the Client Table
   Settings option and click Edit Settings. The Client Table Settings window appears.
3. From the Client Table Settings window, select Aging by Port. The Application Aging
   Table appears.
4. From the Application Aging Table, set the following parameters according to the
   explanations provided:
   Parameter          Description
   Application Port:  From the drop-down menu select the relevant Application Port for
                      which to set Application Aging.
   Aging Time:        Set the Application Aging time. Default value: 60 seconds.
5. Click Add. Your preferences appear in the Application Aging Table.
6. Click Ok. Your preferences are recorded.
Session Limit per Hash Entry
For maximal performance LinkProof uses a hash algorithm to search for a Client Table entry.
The hash function is applied to the session identification parameters, as determined by the
Client Table mode.
Multiple Client Table entries can be associated with the same hash entry, especially in Layer
4 modes. As having an unlimited number of sessions associated with the same hash entry
causes performance degradation, this feature enables you to limit this number and maintain
ideal performance. The default value of '0' indicates no limitation.
Port Hashing
The Port Hashing parameter, when enabled, determines which source and destination ports
are to be taken into consideration. When the Hashing Dispatch Method is applied, LinkProof
selects a server for a session using a Hash function. This is a static method where the NHR
is chosen for a session purely by the session information. The input for the hash function is
the source and destination IP addresses.
Note: This parameter can be enabled only when the Client Table mode is Full Layer 4.
Delayed Bind Time-out
Delayed Bind Time-out: The period of time (in seconds) that the device waits for completion
of the TCP Handshake.
Client Table Views
On all Radware devices, the Client Table maintains Client to Server Persistency. The Client
Table is accessible using CLI and Web Based Management.
The Client Table stores information about a client's source and destination IP and ports,
selected server, server port, NAT addresses and other product specific information.
Note: Using 64M DRAM, LinkProof supports up to 350,000 entries in the Client Table. Using
128M DRAM, LinkProof supports up to 1,000,000 entries in the Client Table.
To access the Clients Table using WBM:
• From the LinkProof menu, select Clients > Client Table. The Clients Table Views
  window appears, which contains the following read-only parameters:
  Source Address:       The IP address of the source.
  Client Address:       The IP address of the client.
  Destination Address:  The IP address of the destination.
  Source Port:          Displays the Source Port of the client.
  Destination Port:     Displays the Destination Port of the client.
To view the Client Table using WBM:
1. From the LinkProof menu, select Clients > View Filters. The Clients Table window
   appears.
2. Click Create. The View Filters Create window appears, which contains the following
   parameters:
   Index:                  Shows the Filter Index number currently selected. Values 1 - 5.
   Source IP From:         The range of the clients' addresses.
   Destination IP From:    The range of the addresses of the servers that provide the
                           requested service.
   Destination Port From:  Destination port number for that protocol. For example, for
                           HTTP, the protocol would be configured as TCP and the
                           destination port as 80. The port configuration can also allow
                           for a range of ports to be configured.
   Next Hop Router IP:     The next hop router IP address.
   Client Types:           Available Client types:
                           • any - Any Client Type
                           • regular - Any client of the type Regular.
                           • dynamicNat - Any Client receiving a dynamic NAT address.
                           • basicNat - Any Client receiving a NAT address from Basic NAT.
                           • virtualIP - Any client destined for a Virtual IP on the device.
                           • staticNAT - Any Client receiving a NAT address from Basic NAT.
                           • noNat - Any Client matching the configured NoNAT addresses.
                           • vpn - Any Client matching VPN policy.
                           • remoteNatStaticNat - Any Client matching Virtual Tunneling
                             Policy with static NAT Address policy.
                           • remoteNatNoNat - Any Client matching Virtual Tunneling Policy
                             with no NAT Address policy.
   Note: Client types are unique to LinkProof. The CT (client type) flag is case-sensitive,
   and must use the exact phrases as they appear in the above list.
3. Set the parameters according to the explanations provided.
4. Click Set. Your preferences are recorded.
Chapter 5 - Advanced Features
This chapter describes LinkProof's advanced capabilities and provides common configuration
examples, and includes the following sections:
• Content Load Balancing, page 169
• Virtual Tunneling, page 179
• Integrated VPN Gateway, page 188
• Cost Based Load Balancing, page 194
• Data Compression, page 196
Content Load Balancing
This section explains what content load balancing is and describes the methods for LinkProof
load balancing.
This section includes the following topics:
• Content Load Balancing Overview, page 169
• Content Load Balancing Configuration, page 171
• Content Rule Configuration Example, page 174
Content Load Balancing Overview
As a result of the reliance on networked/Web applications like ERP, CRM and even CITRIX
applications, there is a need for application-aware multi-homing devices that can direct
application traffic to the link most suited to its requirements (performance, security,
availability).
To differentiate Web-based applications, HTTP content-based decisions are required.
LinkProof is application aware and, based on HTTP content, it can:
• load balance specific traffic to different routers or firewalls
• block traffic to specific URLs or traffic that includes specific content types.
To make a load balancing decision based on HTTP content (a layer 7 decision) LinkProof
implements a mechanism referred to as Delayed Binding.
Delayed Binding
When Delayed Binding is used, LinkProof first performs a TCP handshake with the client in
order to receive the HTTP request. Then, LinkProof parses the HTTP request's data, usually
the HTTP headers, and performs the load balancing decision according to the layer 7 policies
defined. Then LinkProof initiates a TCP handshake with the destination and forwards the
traffic to the selected farm server.
LinkProof allows you to define parameters for the HTTP request parsing, including:
• Search Depth in Bytes: How deep in the HTTP request or reply to search for the
  required criteria (it can require waiting for a number of packets). Default is 4096 bytes.
• Max Number of Request Fragments: The maximum number of request fragments
  that the device gathers to look for the required criteria. Default is 10.
• Max Number of Reply Fragments: The maximum number of reply fragments that the
  device gathers to look for the required criteria. Default is 10.
• SYN Protection Accumulate Request: Allows you to enable or disable this feature.
To change Delayed Binding Global Settings:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window
   appears.
2. From the LinkProof Setup window, click the General tab. The General pane appears.
3. From the General pane, select the Advanced Settings option and click Edit Settings.
   The LinkProof Advanced Settings window appears.
4. From the LinkProof Advanced Settings window, set the parameters according to your
   requirements.
5. Click Ok. Your preferences are recorded.
Alias Ports
LinkProof devices are often installed on networks that contain proxies. The function of the
proxy is to inspect the traffic before sending it out to the internet. These proxies tend to use
TCP ports that do not correspond to the well known TCP ports usually used by a certain
protocol (e.g. HTTP traffic may appear with port 8080 as the destination port).
LinkProof incorporates Alias Ports, which allow you to link any destination TCP port to one
of these protocols.
To create a new Alias Port:
1. From the LinkProof main window select Global > Advanced Settings. The LinkProof
   Advanced Settings window appears.
2. From the LinkProof Advanced Settings window, click Alias Ports. The Alias Ports
   window appears.
3. From the Alias Ports window, set the following parameters according to the explanations
   provided:
   Port Number:             This field contains the value of the destination TCP port.
                            Enter a value that corresponds to a specific protocol.
   Well Known Port Number:  This field provides all possible values to which special
                            handling is provided, including:
                            • HTTP - For Web traffic usually found on port 80.
                            • POP3 - For mail traffic usually found on port 110.
                            • TCP - Default.
                            Select the relevant Well Known Port Number.
4. Click Update. The new alias port entry appears in the Alias Ports List.
To update a previously created Alias Port:
1. From the LinkProof main window select Global > Advanced Settings. The
   SecureFlow Advanced Settings window appears.
2. From the LinkProof Advanced Settings window, click Alias Ports. The Alias Ports
   window appears.
3. From the Alias Ports window, double click the relevant entry in the Ports list. The
   Update Alias Ports window appears.
4. From the Update Alias Ports window edit the parameters according to the explanations
   provided in the previous step.
5. Click Ok. Your preferences are recorded.
Note: Any type of traffic other than HTTP and POP3 should not use aliases.
Content Load Balancing Configuration
Content load balancing is integrated in flows using an entity called a Content Rule.
A Content Rule is an entity that allows LinkProof to load balance between different farms of
the same type, or different servers in a farm, based on HTTP content.
The Content Rule allows configuring traffic load balancing using Layer 7 policies.
When the first packet of a session is matched to a flow that contains a Content Rule,
Delayed Bind is used. When LinkProof receives enough information from the HTTP Header, a
farm and then a server can be selected according to the Layer 7 Policy attached to this
Content Rule.
Configuring Content Load Balancing includes the following steps:
• Defining Layer 7 Policies, page 171
• Defining Content Rules, page 173
• Defining Flows with Content Rules, page 174
Note: Content Rules are activated only for HTTP traffic over standard port 80.
Defining Layer 7 Policies
A single Layer 7 Policy can include several entries, all using the same HTTP criteria, such as
URL, HTTP Header, and so on. For example, a Layer 7 Policy can always send HTTP traffic to a
certain URL via a specific router. To select a farm according to a Layer 7 Policy, LinkProof
matches the packet against the entries within the Policy in the defined order, and uses the
first matching entry.
Note:
The more specific entry must appear first; otherwise the less specific entry is always
matched and used.
For example, when a packet with a request to URL www.a.com/a arrives at LinkProof, which
has a Layer 7 policy with the following entries:
• First entry with classification criteria - www.a.com/ab
• Second entry with classification criteria - www.a.com/a
then the second entry is matched and used.
The criteria according to which LinkProof classifies traffic are called Methods.
The following Method Types are available for LinkProof:
• URL: Looks for a specified hostname and/or path in the HTTP request.
• File Type: Looks for a specified File Type in the HTTP request.
• Header Field: Looks for a specified Header Field in the HTTP request.
• Cookie: Looks for a specified cookie in the HTTP request.
• Regular Expression: Looks for a regular expression anywhere in the HTTP Header of the request. LinkProof supports Posix 1002.3 regular expressions; the string can be up to 80 characters.
Note:
All content settings of the Methods are case insensitive.
To define a new Layer 7 Policy:
1. From the main window, click Traffic Redirection. The Traffic Redirection window
appears.
2. From the Traffic Redirection window, click the Content Rules tab. The Content Rules
pane appears.
3. From the Content Rules pane, click L7 Policies. The Layer 7 Policies window appears.
4. From the Layer 7 Policies window, click Add Policy. The Policy pane appears in the right
pane; set the following parameters according to the explanations provided:
Policy Name: The name of the policy that you define.
Policy Index: The order by which policy entries are matched. It is not possible to update the Index once defined. It may be convenient to use non-consecutive Index values (for example, set the first entry with Index 10 and the second with Index 20) for ease of future changes.
Farm Type: The type of farms (Router or Firewall) for which this policy applies.
Method: The method used for this policy.
Method Arguments: The actual content that must be matched by the packet. Table 14 on page 173 describes the parameters of the available Method Types.
Action: The action that LinkProof must take if the traffic matches this policy. The options are:
• Select one of the farms configured on the device (of the type defined above).
• Discard packet.
Server: If the Action is to load balance the traffic to a farm, this parameter defines whether to always select a specific server in this farm, or load balance between the servers in the farm according to the farm Dispatch Method.
5. Click Ok. Your preferences are recorded.
Table 14: Layer 7 Method Types
(Method Type / Method Specific Parameter: Description. Example)
URL
  Host Name: The host name part of the URL in the HTTP header (mandatory). Example: Host Name = www.a.com
  Path: The path part of the URI in the HTTP header. Example: Path = cgi-bin
File Type
  File Type: The type of file in the URI. Example: Type = html
Header Field
  Header Field: A specific header field in the HTTP request (mandatory). Example: Header Field = Accept-Language
  Token: A value inside the specific header field. Example: Token = en-us
Cookie
  Cookie Key: A specific cookie key in the HTTP request (mandatory). Example: Cookie Key = server
  Cookie Value: The value of the cookie key. Example: Cookie Value = red
Regular Expression
  Regular Expression: Regular expression (string pattern matching). Example: Regular Expression = .ABC
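The following Python model is an added example, not code from this guide or from the LinkProof product. It shows how the ordered matching described under Defining Layer 7 Policies behaves for the guide's www.a.com/ab versus www.a.com/a example, and implements one classifier per Method Type from Table 14. The request representation, the function names, the prefix rule for Path, the substring rule for Token, and the use of Python's re module in place of POSIX regular expressions are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not Radware code: a model of how an ordered Layer 7 Policy
# classifies an HTTP request. Method names and arguments follow Table 14; the
# request representation, the function names and the exact matching rules
# (prefix match on Path, substring match for Token) are assumptions.


@dataclass
class HttpRequest:
    host: str
    path: str
    headers: dict = field(default_factory=dict)   # header name -> value
    cookies: dict = field(default_factory=dict)   # cookie key -> value

    def header_block(self) -> str:
        """Reassemble the request header roughly as it appears on the wire."""
        lines = [f"GET {self.path} HTTP/1.1", f"Host: {self.host}"]
        lines += [f"{k}: {v}" for k, v in self.headers.items()]
        if self.cookies:
            lines.append("Cookie: " + "; ".join(f"{k}={v}" for k, v in self.cookies.items()))
        return "\r\n".join(lines) + "\r\n\r\n"


@dataclass
class PolicyEntry:
    index: int                    # Policy Index: lower values are tried first
    method: str                   # URL | File Type | Header Field | Cookie | Regular Expression
    args: dict                    # Method Arguments, keyed as in Table 14
    action: str                   # a farm name, or "Discard"
    server: Optional[str] = None  # a fixed server in the farm, or None for Dispatch Method


def _ci(s: str) -> str:
    """All content settings of the Methods are case insensitive."""
    return s.lower()


def _lookup_ci(mapping: dict, name: str) -> Optional[str]:
    return next((v for k, v in mapping.items() if _ci(k) == _ci(name)), None)


def entry_matches(entry: PolicyEntry, req: HttpRequest) -> bool:
    m, a = entry.method, entry.args
    if m == "URL":
        host = a.get("Host Name")                         # mandatory
        if host is None or _ci(req.host) != _ci(host):
            return False
        path = a.get("Path")                               # optional
        return path is None or _ci(req.path).startswith(_ci(path))
    if m == "File Type":
        last = req.path.rsplit("/", 1)[-1]
        ext = last.rsplit(".", 1)[1] if "." in last else ""
        return _ci(ext) == _ci(a["Type"])
    if m == "Header Field":
        value = _lookup_ci(req.headers, a["Header Field"])  # field is mandatory
        if value is None:
            return False
        token = a.get("Token")                             # optional value inside the field
        return token is None or _ci(token) in _ci(value)
    if m == "Cookie":
        value = _lookup_ci(req.cookies, a["Cookie Key"])   # key is mandatory
        if value is None:
            return False
        want = a.get("Cookie Value")
        return want is None or _ci(value) == _ci(want)
    if m == "Regular Expression":
        # LinkProof uses POSIX regular expressions; Python's re module stands in here.
        return re.search(a["Regular Expression"], req.header_block(), re.IGNORECASE) is not None
    raise ValueError(f"unknown method {m!r}")


def classify(policy: List[PolicyEntry], req: HttpRequest) -> Optional[PolicyEntry]:
    """First matching entry in Index order; None means the Content Rule's
    Default Action applies."""
    for entry in sorted(policy, key=lambda e: e.index):
        if entry_matches(entry, req):
            return entry
    return None


def action_for(policy: List[PolicyEntry], req: HttpRequest) -> str:
    hit = classify(policy, req)
    return hit.action if hit else "Default Action"


# The guide's ordering example, with the more specific path first ...
SPECIFIC_FIRST = [
    PolicyEntry(10, "URL", {"Host Name": "www.a.com", "Path": "/ab"}, "Farm_AB"),
    PolicyEntry(20, "URL", {"Host Name": "www.a.com", "Path": "/a"}, "Farm_A"),
]
# ... and the misconfiguration the Note warns about: /a shadows /ab.
GENERAL_FIRST = [
    PolicyEntry(10, "URL", {"Host Name": "www.a.com", "Path": "/a"}, "Farm_A"),
    PolicyEntry(20, "URL", {"Host Name": "www.a.com", "Path": "/ab"}, "Farm_AB"),
]

if __name__ == "__main__":
    print(action_for(SPECIFIC_FIRST, HttpRequest("WWW.A.COM", "/a")))         # Farm_A
    print(action_for(SPECIFIC_FIRST, HttpRequest("www.a.com", "/ab/x.html")))  # Farm_AB
    print(action_for(GENERAL_FIRST, HttpRequest("www.a.com", "/ab/x.html")))   # Farm_A
```

With the guide's order, a request for www.a.com/a falls through the /ab entry and is matched by the /a entry; with the order reversed, a request for www.a.com/ab is captured by the less specific /a entry and never reaches the /ab entry, which is the failure the Note describes.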
Defining Content Rules
Once Layer 7 policies have been defined you can associate the Layer 7 policies to a Content
Rule.
To set up a Content Rule:
1. From the main window, click Traffic Redirection. The Traffic Redirection window appears.
2. From the Traffic Redirection window, click the Content Rules tab. The Content Rules pane appears.
3. From the Content Rules pane, click Add. The Edit LinkProof Content Rule window appears.
4. From the Edit LinkProof Content Rule window, set the following parameters according to the explanations provided:
SuperFarm Name: The name of the Content Rule that you define.
Farm Type: The type of farms (Router or Firewall) that this Content Rule includes.
L7 Rule: Select the Layer 7 policy that should be matched.
Default Action: The action that LinkProof must take if the request traffic does not match this policy. The options are:
• Select one of the farms configured on the device (of the type defined above).
• Discard packet.
• Bypass all farms of the type defined in this policy.
5. Click Ok. Your preferences are recorded.
Note:
The Layer 7 policies selected in the Content Rule must be policies defined for the same type of farms as the Content Rule.
Defining Flows with Content Rules
Once Content Rules are defined, they can be used in the Flow configuration as any other
farm, see Flow Concept, page 146.
Content Rule Configuration Example
It is often required to use different WAN links for different applications provided over HTTP.
In the following example, shown in Content Rule Configuration Example, page 175, there are 2 routers. Router 1 must always be used for the CRM application provided over HTTP and for access to the corporate intranet. For the rest of the traffic, Router 2 should be used, while Router 1 should only be used as backup in case Router 2 fails.
Figure 18 - Content Rule Configuration Example (labels shown in the figure: Router 1, Router 2, Interface 2 with addresses 100.1.1.10 and 200.1.1.10, LinkProof, Interface 1 with address 10.1.1.10, Local Network 10.1.1.x)
To configure Content Rule Configuration:
1. During initial installation, configure an IP address for the device, for example 10.1.1.10 on Interface 1.
2. Define additional IP interfaces:
a. From the main window, double-click the LinkProof icon. The LinkProof Connect to Device window appears.
b. From the LinkProof Connect to Device window, type the device's IP address: 10.1.1.10 and click Ok.
c. Double-click the LinkProof icon again. The LinkProof Setup window appears.
d. From the LinkProof Setup window, click Add. The Edit Interface window appears.
e. From the Edit Interface window, set the following parameters according to the explanations provided:
First interface:
IF Num: F-2
IP Address: 100.1.1.10
Network Mask: 255.255.255.0
Second interface:
IF Num: F-2
IP Address: 200.1.1.10
Network Mask: 255.255.255.0
f. Click Ok. The LinkProof Setup window remains open.
3. Define at least one of the routers as a default gateway to the Internet; it is recommended to define all the routers in the Routing Table.
a. From the LinkProof Setup window, select Networking > Routing Table. The Routing Table window appears.
b. From the Routing Table window, click Add. The Edit Route window appears.
c. From the Edit Route window, set the following parameters according to the explanations provided:
First route:
Destination IP Address: 0.0.0.0
Network Mask: 0.0.0.0
Next Hop: 100.1.1.20
IF Number: F-2
Second route:
Destination IP Address: 0.0.0.0
Network Mask: 0.0.0.0
Next Hop:
IF Number: F-2
d. Click Ok to apply the parameters.
4. Add two Routers:
a. From the LinkProof toolbar, click Add and from the drop-down menu select a router.
b. Double-click the Router icon that appears on the map. The Router window appears.
c. From the Router window, set the following parameters according to the explanations provided:
FW Name: Router1
IP Address: 100.1.1.20
d. Add another router. Set the following parameters according to the explanations provided:
FW Name: Router2
IP Address: 200.1.1.20
e. Click Ok. Your preferences are recorded.
5. Add a farm to the LinkProof:
a. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
b. From the LinkProof Traffic Redirection window, click the Farms tab. The Farms pane appears.
c. From the Farms pane, click Add. The Edit LinkProof Farms window appears.
d. From the Edit LinkProof Farms window, select Farm Type Router and define the farm name, for example: Routers_Farm.
e. From the Edit LinkProof Farms window, click Traffic Settings and set the following parameters according to the explanations provided:
Dispatch Method: as required
Persistency Mode: as required
Packet Translation: as required
f. Click Ok. Your preferences are recorded.
6. Add the two farm servers:
a. From the Farm Servers pane, click Add. The LinkProof Farm Router Server window appears.
b. From the LinkProof Farm Router Server window, set the following parameters according to the explanations provided:
Server Name: Router 1
Server Address: 100.1.1.20
Operation Mode: Backup
c. Repeat this procedure for the second farm server. Set the following parameters according to the explanations provided:
Server Name: Router 2
Server Address: 200.1.1.20
Operation Mode: Regular
d. Click Ok. Your preferences are recorded.
7. Enable Connectivity Checks:
a. From the Farms pane, click the Connectivity Checks tab. The Connectivity Checks pane appears.
b. From the Connectivity Checks pane, select the Connectivity Check Status.
c. It is recommended to use the Health Monitoring option. If Health Monitoring Connectivity Checks was selected for the farms, configure health checks for the farm servers, see Health Monitoring, page 353.
8. Configure Content Rules:
a. From the Traffic Redirection window, click Content Rules. The Content Rules pane appears.
b. From the Content Rules pane, click Layer 7 Policies and then click Add. The Edit L7 Policy window appears.
c. From the Edit L7 Policy window, enter the following URL policies under the select_url policy name:
Policy Name: select_url; Index: 1; Farm Type: Router; Method: URL; Arguments: www.site.crm.com; Action: Router_farm; Server: Router1
Policy Name: select_url; Index: 2; Farm Type: Router; Method: URL; Arguments: www.site.intranet.com; Action: Router_farm; Server: Router1
d. From the Content Rules pane, click Add. The LinkProof Content Rule window appears.
e. From the LinkProof Content Rule window, set the following parameters according to the explanations provided:
Content Rule Name: url_rule
Farm Type: Router
L7 Rule: select_url
Default Action: router_farm
f. Click Ok. Your preferences are recorded.
9. Define the flows:
a. Click the Flows tab. The Flows pane appears.
b. From the Flows pane, click Add. The LinkProof Traffic Flows window appears.
c. From the LinkProof Traffic Flows window, add 2 flows as follows:
Flow Name: general_flow
1st farm: url_rule
d. From the Flows pane, highlight the flow you just created and click Policies. The Farm Policies window appears.
e. You may be prompted to enable BWM and reboot LinkProof; if so, click Ok and follow the on-screen instructions.
f. From the Flow Policies window, click the Modify tab and then click Add. The Edit Policy window appears.
g. From the Edit Policy window, click New Network. The Edit Network Table dialog box appears.
h. From the Edit Network Table dialog box, set the following parameters according to the explanations provided:
Network Name: Local Network
Network Mode: IP Mask
IP Address: 10.1.1.0
IP Mask: 255.255.255.0
i. Click Ok. Your preferences are recorded.
j. Set the following policies for existing flows:
Policy Name: All_traffic
Policy Index: 1
Service Type: None
Service Name: None
Source: Local Network
Destination: any
Direction: One way
Flow: General_flow
k. Click Update Active Policies.
10. Configure Dynamic NAT for the 2 routers:
a. From the LinkProof Traffic Redirection window, click NAT. The NAT pane appears.
b. From the NAT pane, select Dynamic NAT from the NAT field to add NAT addresses for outbound traffic and add the following entries:
First entry: From Local Address: 10.1.1.0; To Local Address: 10.1.1.255; Router IP: 100.1.1.20; Dynamic NAT: 100.1.1.22
Second entry: From Local Address: 10.1.1.0; To Local Address: 10.1.1.255; Router IP: 200.1.1.20; Dynamic NAT: 200.1.1.22
c. After each entry, click Add to save your settings.
Virtual Tunneling
This section explains Virtual Tunneling and how this feature functions in the network in
conjunction with LinkProof.
This section includes the following topics:
• Virtual Tunneling Introduction, page 179
• Virtual Tunneling Terms, page 181
• Virtual Tunneling Configuration, page 181
Virtual Tunneling Introduction
Providing high availability and load balancing over multiple WAN links for applications such
as VPN (Virtual Private networks) or VoIP can be very difficult if not completely impossible
with current technology. It should also be noted that Internet load balancing and high
availability for IP applications are difficult to NAT.
Applications, such as VoIP signaling and VPN connectivity, have difficulties in multi-homed
environments that are not BGP-based for reasons such as the following:
• The applications embed source address information in the packet payload in addition to the packet header.
• The destination addresses for the applications are static and not resolved via DNS.
LinkProof addresses this issue by providing Virtual Tunneling. The LinkProof Virtual
Tunneling feature utilizes existing SmartNAT technology. LinkProof uses NAT to encapsulate
packets between sites by translating both source and destination addresses.
By using the Virtual Tunneling feature LinkProof creates virtual tunnels between the two
application servers located in different sites, allowing them to communicate via multiple and
diverse WAN links.
The Virtual Tunneling functionality is operational only between pairs of LinkProof devices. No
virtual tunnels can be provided to sites not equipped with LinkProof.
The following diagram Virtual Tunneling Scenario, page 180 provides an explanation of the
encapsulation mechanism used by the Virtual Tunneling functionality.
Figure 19 - Virtual Tunneling Scenario (labels shown in the figure: London site with gateway L.100 and links A.0/24 and B.0/24; San Francisco site with gateway S.100 and links C.0/24 and D.0/24; the two sites are connected via the Internet)
In the scenario shown above in Virtual Tunneling Scenario, page 180, LinkProof can provide the following:
• High availability for traffic between the two gateways.
• Load balancing to increase the bandwidth available to the VPN traffic.
High Availability
If a client in London wants to establish a VPN connection to San Francisco, the London
firewall/VPN gateway (IP address L.100) initiates a connection to the internal IP address of
San Francisco firewall/VPN gateway (S.100).
LinkProof on the London side receives the packets and selects a virtual tunnel. Since both
London and San Francisco have dual Internet connections, there are 4 virtual tunnels
available for the London LinkProof to choose from (A-to-C; A-to-D; B-to-C; B-to-D). If
tunnel A-D was chosen, LinkProof translates the source address to its external IP (static
NAT) via router A and the destination address to its external IP via router D.
If link D becomes unavailable:
LinkProof London chooses a new virtual tunnel, for example A-to-C, and translates the
source and destination addresses accordingly. LinkProof San Francisco translates the
packets back to the original addresses (L.100 - S.100). This allows the connection between
the two VPN gateways to be sustained, regardless of the path that the traffic takes.
In order to achieve this functionality, the LinkProof units must be aware of the Static NAT
tables, WAN link health, response time, and load at the remote site. This is achieved by
using the inter-LinkProof communication protocol, called TRP (Tunneling Report Protocol), to
populate and "teach" each participating LinkProof the aforementioned information.
Load Balancing
LinkProof provides an option to select a virtual tunnel per new Client Table entry or Packet
by Packet. The Packet by Packet option allows a tunneled connection to be load balanced over
multiple WAN links.
• Per Client Table Entry: Once connectivity is established between two VPN gateways, sessions between clients and servers behind the gateways are opened and closed, but the VPN connection stays open. Since LinkProof sees communication between the same two IP addresses - the VPN gateways (L.100 and S.100 in our example) - and an entry in the Client Table already exists, all packets are forwarded to the same virtual tunnel, as long as the virtual tunnel is active.
• Packet by Packet: To load balance a VPN connection between all existing virtual tunnels, LinkProof provides the option of selecting a virtual tunnel per packet instead of per new Client Table entry. Each packet is encapsulated within the chosen virtual tunnel.
Virtual Tunneling Terms
Virtual tunnels are created for every pair of local service and remote service. There is a
tunnel for each combination of a local and a remote link. Tunnels are created automatically
according to the changes in the local or remote links.
A virtual tunnel is set between an IP address of the local LinkProof and an IP address of the
remote LinkProof.
During the load balancing decision a virtual tunnel is selected according to its health and
additional parameters required by the configured dispatch method (response time, load).
TRP
TRP (Tunneling Report Protocol) is a proprietary inter-LinkProof communication protocol
used to establish and maintain the virtual tunnels. The TRP protocol includes two types of
messages:
• Regular - requests from remote LinkProofs the operational and load status of their WAN links.
• Extended - requests from remote LinkProofs WAN link status and configuration changes.
The interval at which these messages are exchanged is configurable.
Virtual Tunneling Configuration
Before approaching Virtual Tunneling configuration you should perform the following steps:
1. Configure each LinkProof for basic load balancing. For the router farm that will be used for Virtual Tunneling, set the following parameters:
— Packet Translation: NAT & Virtual Tunneling.
— Connectivity Check Status: Health Monitoring.
2. Configure Static NAT/No NAT for local stations participating in virtual tunneling.
3. Define static routes to local station subnets.
4. Define static routes to the external subnets of the remote LinkProof devices (a "destination=0.0.0.0" route covers all possible subnets).
Device-Based Virtual Tunneling Configuration:
For basic configuration of the Virtual Tunneling feature, you are required to perform the following steps for each participating LinkProof.
To configure Device-Based Virtual Tunneling:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection
window appears.
2. From the LinkProof Traffic Redirection window, click the Virtual Tunneling tab. The Virtual Tunneling pane appears.
3. From the Virtual Tunneling pane, check the Virtual Tunneling Admin Status checkbox to enable Virtual Tunneling, and click Ok.
4. You will be prompted to reboot the device. Click Ok.
5. Once the reboot process ends, repeat steps 1 and 2.
6. Enable TRP Synchronization and Virtual Tunneling HM Admin Status.
7. Click Add to configure a local service. The Edit Local Service window appears.
8. From the Edit Local Service window, set the following parameters according to the explanations provided:
Local Service Name: Logical entity that represents the service (VPN, VoIP) for which the local LinkProof provides Virtual Tunneling functionality.
Password: Password for TRP communication (mandatory).
Host Name: Domain name for TRP DNS resolution. This parameter is not mandatory. If this parameter is not configured, step 12 must be performed. Note: If you do not wish to use this parameter, you are required to enter a blank.
Distribution Mode: Defines the persistence mode of this service. The values available are Client Table (provides only high availability for the tunneled traffic, not load balancing) and Packet by Packet.
9. Click Ok. Your preferences are recorded.
10. Add local stations (internal servers whose traffic will be tunneled by this service):
a. From the Edit Local Service window, enter the Internal Station Address (the address of the server for which virtual tunneling is provided) and click Add. Your entry is added to the table.
b. Repeat this procedure for all local stations attached to this service.
11. From the Edit Local Services window, click Remote Service. The Remote Service pane appears.
12. From the Remote Service pane, set the following parameters according to the explanations provided:
Remote Service Name: Logical entity that represents the remote service (VPN, VoIP) to which the local LinkProof provides Virtual Tunneling functionality for the local service. Any service defined as remote in a local LinkProof device must be defined as local in a remote LinkProof device.
Password: Password for TRP communication (mandatory).
Host Name: Domain name for TRP DNS resolution. This host name is used by LinkProof to find the interfaces of the remote LinkProof for TRP communication. This parameter is not mandatory. If this parameter is not configured, step 12 must be performed. Note: If you do not wish to use this parameter, you are required to enter a blank.
13. Click Add.
14. Repeat for all Remote Services. Click Ok to return to the Virtual Tunneling pane.
If host names were defined for each local/remote service, DNS can be used to resolve remote site addresses for TRP communications. In this case the DNS Client must be configured:
a. Click the DNS Client button. The DNS Client window appears.
b. Configure the main and Backup DNS servers and click Ok.
(Now go to step 13.)
If host names were not defined for all local/remote services, one remote link (remote LinkProof IP interface) must be defined for each remote service. This allows the local LinkProof to initiate TRP communication with all participating remote LinkProof devices:
a. Click Advanced. The Advanced Virtual Tunneling window appears.
b. From the Advanced Virtual Tunneling window, in the Remote Links pane, click Add. The Edit Remote Links window appears.
c. From the Edit Remote Links window, set the following parameters according to the explanations provided:
Remote Service Name: Select the Remote Service (previously configured) to which this remote link belongs.
Remote Link Address: IP address of the remote LinkProof tunneling this Remote Service. The address can be a Virtual DNS or Remote VIP address (required if redundant LinkProof devices are installed at the remote site), or the Physical IP address (interface to the Routers) of the remote LinkProof tunneling this Remote Service.
Remote Link Name: Link name for reference.
Remote Link Mode: Whether the Remote Link functions in Regular mode or Backup mode for this Virtual Tunneling service.
15. To change basic parameters and the size of Virtual Tunneling tables (not mandatory), click Virtual Tunneling Settings from the Virtual Tunneling pane. The Virtual Tunneling Settings window appears.
16. From the Virtual Tunneling Settings window, set the following parameters according to the explanations provided:
TRP Port: The port used by TRP communication. Default is 2090. If there are LP devices on the same network, this port number must be changed. The same TRP port must be configured on all LinkProof devices participating in the Virtual Tunneling functionality.
TRP Retries: The number of times this device tries to initiate a TRP communication with remote LinkProof devices.
TRP Regular Interval (sec): The time interval, in seconds, at which Regular TRP messages are initiated.
TRP Extended Interval (min): The time interval, in minutes, at which Extended TRP messages are initiated.
Tunnel Check Interval (sec): The time interval, in seconds, at which tunnel health is checked.
Tunnel Check Retries: The number of times that tunnel health checks are attempted each time.
Tunnel Check Time-out (sec): The period of time after which the operational status of a tunnel that does not respond to health checks is set to Not In Service.
Tunnel Weight: The weight applied to tunnel latency values in the load balancing decision.
Local Link Weight: The weight applied to the local link load value in the load balancing decision.
Advanced Configuration
Advanced configuration is required in the following cases:
• TRP communication is disabled. In this case the Remote Stations Table and Remote Link Table have to be filled manually.
• TRP communication is enabled, but you may want to change some of the parameters in the Remote Stations Table manually, including:
— Remote Link Table
— Service-NHR
— Bind Table.
To configure Virtual Tunneling in advanced mode:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the Virtual Tunneling tab. The Virtual Tunneling pane appears.
3. From the Virtual Tunneling pane, click Advanced. The Advanced Virtual Tunneling window appears.
4. From the Advanced Virtual Tunneling window, click Add. The Edit Remote Links window appears.
5. From this window you can configure the Remote Links (IP addresses of remote LinkProof devices) for Remote Services.
6. For the Remote Links:
a. From the Advanced Virtual Tunneling window, click Remote Links. The Remote Links pane appears.
b. From the Remote Links pane, set the following parameters according to the explanations provided:
Remote Service Name: Select the Remote Service (previously configured) to which this remote link belongs.
Remote Link Address: IP address of the remote LinkProof tunneling this Remote Service. The address can be a Virtual DNS or Remote VIP address (required if redundant LinkProof devices are installed at the remote site), or the Physical IP address (interface to the Routers) of the remote LinkProof tunneling this Remote Service.
Remote Link Name: A link name for reference.
Remote Link Mode: Whether the Remote Link functions in Regular mode or Backup mode for this Virtual Tunneling service.
c. Click Ok. Your preferences are recorded.
d. Repeat this procedure for all the links of all the remote services configured on this LinkProof.
7. For the Remote Service Station:
a. From the Advanced Virtual Tunneling window, click Remote Stations. The Edit Remote Stations window appears.
b. From the Edit Remote Stations window, set the following parameters according to the explanations provided:
Remote Service Name: Select the Remote Service (already configured) to which this remote link belongs.
Remote Link Address: IP address of the remote LinkProof tunneling this Remote Service. The address can be a Virtual DNS or Remote VIP address (required if redundant LinkProof devices are installed at the remote site), or the Physical IP address (interface to the Routers) of the remote LinkProof tunneling this Remote Service.
Remote Internal: Link name for reference.
Remote Link Mode: Whether the Remote Link functions in Regular mode or Backup mode for this Virtual Tunneling service.
Remote Internal Address: Internal IP of the station participating in this remote service. This is the IP configured as Local Station on the remote LinkProof on which this remote service is local.
Remote External Address (NAT): The static NAT address configured for the internal address above via this remote link.
c. Click Ok. Your preferences are recorded.
d. Repeat the procedure for all the remote stations via all the remote links of all the remote services configured on this LinkProof.
8. For the NHR Bind:
This window allows you to view and change local routers' availability for virtual tunneling to each remote service.
a. From the Advanced Virtual Tunneling window, click NHR Bind. The NHR Bind pane appears.
b. From the NHR Bind pane, set the following parameters according to the explanations provided:
NHR Bind Mode: Defines whether this Router (NHR) is functioning in Regular mode or Backup mode in relation to this Remote Service.
NHR Bind Status: Defines whether this Router (NHR) is enabled for this Remote Service or not.
c. Click Ok. Your preferences are recorded.
Multi-Device Configuration:
Easy configuration of multiple devices is provided via the Virtual Tunnel Clusters feature
available on APSolute Insite.
The Virtual Tunnel Cluster is an entity that exists only on APSolute Insite, and which defines
a single Virtual Tunneling service for a group of devices.
Note:
This functionality requires Professional Insite license.
To configure multiple devices:
1. Perform preliminary configuration on all LinkProof devices.
2. From the General menu, select Virtual Tunnel Clusters. The Virtual Tunnel Clusters window appears.
3. If the Virtual Tunneling feature is not enabled for any of the LinkProof devices on the map, you are prompted to turn this functionality on and to reboot the devices. Once the functionality is enabled on all LinkProof devices, the Virtual Tunnel Clusters window appears.
4. From the Virtual Tunnel Clusters window, click Add to add a new virtual tunneling cluster. The Edit Virtual Tunnel Clusters window appears.
5. From the Edit Virtual Tunnel Clusters window, enable TRP Synchronization and Virtual Tunneling HM Admin Status. Set the following parameters according to the explanations provided:
Cluster Name: The name of the cluster for Insite purposes only.
Type: The relationships between the devices in the cluster. The values available are:
• Mesh - virtual tunnels are created between all the devices in the cluster.
• Star - virtual tunnels are created between the headquarters site and all the other sites.
Password: Password for TRP communication. The same password will be used for all the units.
6. Click Add. The Edit Device in Cluster window appears.
7. From the Edit Device in Cluster window, set the following parameters according to the explanations provided:
Device IP: Select the LinkProof IP address from the drop-down list.
Status: If the cluster type is Star, you can choose whether this device is functioning as HeadQuarters or Branch. If the cluster type is Mesh, the Status is always Peer.
Host Name: Domain name for TRP DNS resolution. This parameter is not mandatory. If this parameter is not configured, configure the IP parameter. Note: If you do not wish to use this parameter, you are required to enter a blank.
IP: IP of the local device. The address can be a Virtual DNS or Remote VIP address (required if redundant LinkProof devices are installed at this site), or the Physical IP address (interface to the Routers) of the LinkProof device. This parameter is required if Host Name was not configured. This parameter is not configured on the device; it is used by Insite to configure the Remote Links tables for this service on all the other devices in the cluster.
Distribution Mode: Defines the persistence mode of this service. The values available are Client Table (provides only high availability for the tunneled traffic, not load balancing) and Packet by Packet.
8. Add Local stations (internal servers whose traffic will be tunneled by this service):
a. From the Edit Device in Cluster window, enter an Internal Station Address and click Add.
b. Repeat for all local stations attached to this service.
c. Click Ok. Repeat this procedure for all devices in the cluster.
9. From the Edit Virtual Tunnel Clusters window, click Ok. APSolute Insite records the relevant Remote Service and Remote Link Tables on all participating devices.
View Virtual Tunneling Status
To view the virtual tunnels created for this device and their status:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the Virtual Tunneling tab. The Virtual Tunneling pane appears.
3. From the Virtual Tunneling pane, click Virt. Tunnels. The Virtual Tunnels window appears.
4. The following parameters can be viewed for each virtual tunnel:
• Remote Service Name: The remote service name as it has been entered in the Remote Service Table.
• Remote Link Address: The IP address of the remote LinkProof that provides this Remote Service as defined in the Remote Links Table.
• Local Server Address: The IP address of a local Router (NHR) available for virtual tunneling to this Remote Service.
• Operational Status: The operational status of this tunnel. Can be Active or Not In Service.
• VT Mode: The Virtual Tunnel mode depends on the Remote Link Mode and the local NHR Bind Mode, and can have the following values:
— Regular-Regular
— Regular-Backup
— Backup-Regular
— Backup-Backup
If there are Regular-Regular virtual tunnels available, then only they may participate in
the load balancing decision. If no Regular-Regular tunnels are available, Regular-Backup
tunnels are considered next, then Backup-Regular and finally Backup-Backup virtual
tunnels.
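The tiered precedence described above, as an added example that is not part of the LinkProof guide: a small Python selector that keeps only the best available VT Mode tier. It assumes that only tunnels whose Operational Status is Active count as "available"; the tunnel records and addresses are constructed sample data.

```python
# Added example, not LinkProof code: applies the VT Mode precedence the guide describes
# to a list of virtual tunnels as the Virtual Tunnels window would show them. Assumption:
# only tunnels whose Operational Status is Active are "available". The records and
# addresses below are constructed sample data.

VT_MODE_PRECEDENCE = ("Regular-Regular", "Regular-Backup", "Backup-Regular", "Backup-Backup")


def vt_mode(remote_link_mode, nhr_bind_mode):
    """VT Mode is the Remote Link Mode paired with the local NHR Bind Mode."""
    for mode in (remote_link_mode, nhr_bind_mode):
        if mode not in ("Regular", "Backup"):
            raise ValueError("mode must be Regular or Backup, got %r" % (mode,))
    return "%s-%s" % (remote_link_mode, nhr_bind_mode)


def eligible_tunnels(tunnels):
    """Return only the tunnels that may take part in the load balancing decision:
    the best VT Mode tier that has at least one Active tunnel, nothing from lower tiers."""
    active = [t for t in tunnels if t["status"] == "Active"]
    for tier in VT_MODE_PRECEDENCE:
        matching = [t for t in active
                    if vt_mode(t["remote_link_mode"], t["nhr_bind_mode"]) == tier]
        if matching:
            return matching
    return []


# Constructed sample: one remote service reachable via two remote links and two local NHRs.
SAMPLE_TUNNELS = [
    {"remote_service": "HQ_Tunnel", "remote_link": "198.51.100.10", "local_nhr": "192.0.2.1",
     "status": "Not In Service", "remote_link_mode": "Regular", "nhr_bind_mode": "Regular"},
    {"remote_service": "HQ_Tunnel", "remote_link": "198.51.100.10", "local_nhr": "192.0.2.2",
     "status": "Active", "remote_link_mode": "Regular", "nhr_bind_mode": "Backup"},
    {"remote_service": "HQ_Tunnel", "remote_link": "198.51.100.11", "local_nhr": "192.0.2.1",
     "status": "Active", "remote_link_mode": "Backup", "nhr_bind_mode": "Regular"},
    {"remote_service": "HQ_Tunnel", "remote_link": "198.51.100.11", "local_nhr": "192.0.2.2",
     "status": "Active", "remote_link_mode": "Backup", "nhr_bind_mode": "Backup"},
]

if __name__ == "__main__":
    # With the only Regular-Regular tunnel out of service, the Regular-Backup tier wins.
    for t in eligible_tunnels(SAMPLE_TUNNELS):
        print(t["remote_link"], t["local_nhr"], vt_mode(t["remote_link_mode"], t["nhr_bind_mode"]))
```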
Integrated VPN Gateway
This section explains how LinkProof integrates IPSec VPN gateway software to ensure secure
communication over a public infrastructure.
This section includes the following topics:
• Integrated VPN Gateway Introduction, page 189
• IPSec, page 189
• Configuring VPN Gateways, page 191
Integrated VPN Gateway Introduction
Enterprises have the need to not only ensure the availability and reliability of their links, but
there is also the need for secure Intranet connectivity from the headquarters location to
branch offices while maintaining low connectivity costs by leveraging the Internet for secure
communications. Virtual Private Network (VPN) is a cost-effective alternative to traditional
dedicated networks such as Frame Relay and Leased Lines.
A VPN is a private network that uses a public network (usually the Internet) to connect
remote sites or users together. Instead of using a dedicated connection such as a leased line,
a VPN uses "virtual" connections routed through the Internet from the company's private
network to the remote site or employee. Encryption and other security mechanisms are used
to ensure that only authorized users can access the network and that the data cannot be
intercepted. IPSec technology is the de-facto standard for implementing VPNs.
Many of the same challenges associated with the connection between headquarters and
branch locations also apply to the VPN.
LinkProof Branch offers an integrated VPN gateway, thereby providing complete end-to-end
secure connectivity between headquarters and branch locations. By implementing LinkProof
Branch with integrated VPN, enterprises reduce the number of devices installed at each
branch site. The LinkProof Branch VPN solution will provide 100% availability (multi-homing)
and maximum performance and QoS (proximity, load balancing and bandwidth
management). Organizations can be assured of the security of the internal network (access
control and intrusion prevention) as well as secure connectivity with the LinkProof
Integrated VPN gateway.
Note: A special license is required to activate this feature.
IPSec
IPSec combines a number of security technologies into a complete system that provides
confidentiality, integrity, and authenticity of IP datagrams.
IPSec standards include:
• IP Security Protocol: Defines the type of security services provided for the data (confidentiality, integrity, and authenticity) and the information that is added to an IP packet to enable those services.
• Internet Key Exchange: IKE is a security exchange protocol that is used to negotiate security parameters between IPSec peers and establish authenticated keys in each peer, thereby establishing a Security Association. It is also possible to manually configure security associations, although this is a complex and work-intensive process. IKE is best suited to most real-world applications, enabling large-scale secure communications.
IPSec Protocols
IPSec defines a new set of headers to be added to IP datagrams that provide information for
securing the payload of the IP packet as follows:
Authentication Header (AH) - This header, when added to an IP datagram, ensures the
integrity and authenticity of the data, but does not provide confidentiality protection.
Encapsulating Security Payload (ESP) - This header, when added to an IP datagram, protects
the confidentiality, integrity, and authenticity of the data.
Security Association
A Security Association (SA) is a relationship between two or more entities that describes
how the entities use security services to communicate securely. SAs are used for more than
just IPSec. For example, IKE SAs describe the security parameters between two IKE
devices. Further references to security associations in this chapter specify whether they
are IPSec or IKE SAs.
The security association is unidirectional, meaning that for each pair of communicating
systems there are at least two security connections - one from A to B and one from B to A.
The security association is uniquely identified by a randomly chosen unique number called
the security parameter index (SPI) and the destination IP address. In summary, the security
association is simply a statement of the negotiated security policy between two devices.
IKE
In symmetric cryptographic systems, both communicating parties use the same key for encryption
and decryption. The material used to build these keys must be exchanged in a secure fashion.
Information can be securely exchanged only if the key belongs exclusively to the communicating
parties.
The goal of the Internet Key Exchange (IKE) is for both sides to independently produce the
same symmetrical key. This key then encrypts and decrypts the regular IP packets used in
the bulk transfer of data between VPN peers. IKE builds the VPN tunnel by authenticating
both sides and reaching agreement on methods of encryption and integrity. The outcome of
an IKE negotiation is a Security Association (SA).
This agreement upon keys and methods of encryption must also be performed securely. For
this reason IKE is composed of two phases. The first phase lays the foundations for the
second. Diffie-Hellman is that part of the IKE protocol used for exchanging the material from
which the symmetrical keys are built. The Diffie-Hellman algorithm builds an encryption key
known as a "shared secret" from the private key of one party and the public key of the
other. Since the IPSec symmetrical keys are derived from this DH key shared between the
peers, at no point are symmetric keys actually exchanged via the Internet.
IKE Phase 1
During IKE Phase I the following occurs:
• The peers authenticate via a pre-shared secret.
• A Diffie-Hellman key is created. The nature of the Diffie-Hellman protocol means that both sides can independently create the shared secret, a key which is known only to the peers.
• Key material (random bits and other mathematical data) as well as agreement on methods for IKE phase II are exchanged between the peers.
The outcome of this phase is the IKE SA, an agreement on keys and methods for IKE phase II.
LP/VPN supports Main Mode for IKE phase I between Gateways. Main mode is partially
encrypted, from the point at which the shared DH key is known to both peers, and is less
susceptible to Denial of Service (DoS) attacks. In main mode, the DH computation is
performed after authentication.
IKE Phase II (Quick mode)
IKE phase II is encrypted according to the keys and methods defined in IKE phase I. The
key material exchanged during IKE phase II is used for building the IPSec keys. The result
of phase II is the IPSec Security Association. The IPSec SA is an agreement on keys and
methods for IPSec, thus IPSec takes place according to the keys and methods agreed upon
in IKE phase II.
Once the IPSec keys are created, bulk data transfer takes place.
Configuring VPN Gateways
LP/VPN provides site-to-site VPN connectivity using IPSec tunnel mode. In tunnel mode, the
entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. The
major advantage of tunnel mode is that the end systems do not need to be modified to
enjoy the benefits of IP Security. Tunnel mode also protects against traffic analysis. With
tunnel mode, an attacker can only determine the tunnel endpoints and not the true source
and destination of the tunneled packets, even if they are the same as the tunnel endpoints.
To prepare your system for VPN Gateway
1. Configure the LinkProof device for multi-homing.
2. Configure a special farm that includes the routers that will be used for VPN traffic.
3. Set the Packet Translation parameter to VPN.
4. Configure a flow that includes the farm and set the VPN rules for VPN traffic.
5. Configure Virtual Tunneling functionality if required.
To configure the VPN Gateway
1. Configure Keys.
2. Configure VPN Rules.
Configuring Keys
LinkProof VPN gateway supports either key exchange via the IKE mechanism or a manual key.
If the key is to be set via IKE, all parameters for both phases of IKE should be set. For IKE
phase 1 (the authentication phase) the following parameters are to be configured according
to the explanations provided:
• Encryption Algorithm: Symmetric encryption algorithm for encrypting the data transferred during IKE phase II. Currently only the 3DES algorithm is supported.
• Hash Algorithm: For providing packet authentication and ensuring data integrity during IKE phase II. MD5 and SHA1 algorithms are supported.
• Diffie-Hellman Group: Diffie-Hellman key exchange for deriving key material between peers on a public network. The Diffie-Hellman key computation (also known as exponential key agreement) is based on the Diffie-Hellman (DH) mathematical groups. The DH groups (DH key length) supported during the two phases of IKE are group 1 and 2 (default).
• Pre-Shared Key: The password to be used for peer authentication during the first phase of the IKE protocol.
• IKE Lifetime: The IKE SA is only valid for a certain period, after which the IKE SA must be renegotiated. The IPSec SA is valid for an even shorter period (IKE phase II is less processor intensive than phase I). The period between each renegotiation is known as the lifetime. Generally, the shorter the lifetime, the more secure the IPSec tunnel (at the cost of more processor-intensive IKE negotiations). With longer lifetimes, future VPN connections can be set up more quickly.
Note: These parameters must be identical on both sides, otherwise phase I negotiation will fail.
Phase 2 Parameters:
• Protocol: Whether to use the AH or ESP IPSec protocol for the data transfer.
• Encryption Algorithm: Symmetric encryption algorithm for encrypting the data. Currently only the 3DES algorithm is supported.
• Hash Algorithm: For providing packet authentication and ensuring data integrity. MD5 and SHA1 algorithms are supported.
• SA Lifetime: The IPSec SA lifetime (see IKE Lifetime).
• Perfect Forward Secrecy: The keys created by peers during IKE phase II and used for IPsec are based on a sequence of random binary digits exchanged between peers, and on the DH key computed during IKE phase I. For this reason, the use of a single DH key may weaken the strength of subsequent keys. If one key is compromised, subsequent keys can be compromised with less effort. In cryptography, Perfect Forward Secrecy (PFS) refers to the condition in which the compromise of a current session key or long-term private key does not cause the compromise of earlier or subsequent keys. The DH group used during PFS mode is configurable between groups 1 and 2, with group 2 (1042 bits) being the default.
To add a Key:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection
window appears.
2. From the LinkProof Traffic Redirection window, click the VPN tab. The VPN pane
appears.
3. From the VPN pane, select the Key Management option button. The Key Management
table appears.
4. From the Key Management table, click Add. The Key Configuration window appears.
5. From the Key Configuration window, set the parameters according to the explanations
above.
6. Click Ok. Your preferences are recorded.
Manual Key
If a manual key is to be used, only the protocol, encryption and hash algorithm for IPSec data
need to be configured, plus the manual key parameters:
• Encryption key: Key to be used with the encryption algorithm.
• Authentication key: Key for peer authentication.
• Inbound SPI: Security parameter index for the inbound security association.
• Outbound SPI: Security parameter index for the outbound security association.
To add a manual Key:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection
window appears.
2. From the LinkProof Traffic Redirection window, click the VPN tab. The VPN pane
appears.
3. From the VPN pane, check the Key Management option button. The Key Management
table appears.
4. From the Key Management table, click Add. The Key Configuration window appears.
5. From the Key Configuration window, select Manual from the Key Mode drop-down menu.
6. Set the parameters according to the explanations provided above.
7. Click Ok. Your preferences are recorded.
Configuring VPN Rules
The VPN Rules define the IPSec policies to be implemented between the local gateway and
remote gateways. A separate rule must be defined for each combination of a local subnet
and a remote subnet that must communicate using IPSec.
For each rule set the parameters according to the explanations provided:
• Local Subnet: Configure the local subnet protected by this rule.
• Remote Subnet: Configure the remote subnet protected by this rule.
• Key Name: Select one of the keys defined in the previous step.
• Flow Mode: Defines the way traffic from/to the protected network is treated by LinkProof. The options are:
— Basic VPN: All the traffic from the local subnet is encrypted and sent via the secure tunnel configured for this rule, or via a backup secure tunnel if the DPD protocol is defined.
— VPN with Virtual Tunneling: All the traffic from the local subnet is encrypted (a single VPN secure tunnel is created) and then load balanced between all the available local NHRs. This mode uses the Virtual Tunneling functionality to load balance the VPN tunnel traffic between multiple paths - it requires a LinkProof in the remote site as well.
— Combined VPN/private links: This mode provides the ability to intelligently load balance traffic between unencrypted (private) and encrypted paths. The load balancing decision is taken based on NHR type (backup or regular) and application grouping configuration. If the chosen NHR is part of the secure tunnel for this VPN rule, traffic is encrypted before it is forwarded to the NHR; otherwise traffic is forwarded to the NHR as is.
• Secure Tunnel: A secure tunnel is composed of the following parameters:
— Local Gateway: The IP address of the local gateway. This is a virtual IP; you can use an IP from the encrypt NHR subnet, or an IP that does not belong to any LinkProof subnet.
— Remote Gateway: The IP address of the remote gateway.
— Local NHR: The local NHR that will be used for encrypted traffic from/to the protected subnet.
Multiple Secure Tunnels (up to 4) can be configured when Flow Mode is set to Basic VPN and Dead Peer Detection is enabled in the key used for this rule.
• Remote Service Name: If Flow Mode is set to VPN with Virtual Tunneling, the Remote Service defined in Virtual Tunneling should be configured.
To add a VPN Rule:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the VPN tab. The VPN pane appears.
3. From the VPN pane, check the VPN Rules option button. The VPN Rules table is displayed.
4. From the VPN Rules table, click Add. The VPN Rule window appears.
5. From the VPN Rule window, set the parameters according to the explanations provided above.
6. Click Ok. Your preferences are recorded.
Configuration Notes:
• The Dead Peer Detection mechanism is relevant only when working in Basic VPN Flow mode.
• To prevent protected traffic from being transferred in clear text, the following IP addresses should be used in the grouping tables:
— In VPN with Virtual Tunneling Flow mode, use the local and remote gateway IPs in the grouping tables.
— In Combined private & VPN lines Flow mode, use the local and remote protected subnets.
• When using VPN with Virtual Tunneling Flow mode:
— No NAT or Static NAT must be configured for the local gateway IP.
— Packet by Packet - The distribution mode for the local service should be set to: Per Packet.
— Virtual Tunneling uses the LP dispatch method for load balancing. If there are problems with packets arriving out of order, it is recommended to change the dispatch method to hash.
Cost Based Load Balancing
This section explains how LinkProof calculates the weight of the ISP links according to the
cost of the link, as well as by previous supported load balancing factors (i.e. Dynamic
Proximity and load).
When buying or leasing a new link today, network administrators must take into account not
only the capacity of the link but also the price, which has to be paid to the service provider.
The price paid is calculated by the service provider according to its preferred cost model.
There are a few cost models by which service providers calculate the cost of their lines:
• Fixed usage price, limited to a certain bandwidth (also called "Flat Rate"). For example, $100 for a certain link per month.
• Cost depending on the actual usage of bandwidth, so that users pay when the lines are used. For example, $10 per Mbps.
• A model which combines the two models above, meaning it has a prepaid bandwidth level up to a certain threshold and for any exceeding bandwidth the price is per usage. For example: $100 prepaid up to 2 Mbps and $20 per Mbps from 2 Mbps and above.
Companies that own more than one ISP link and load balance traffic between their links
need to take into account the load of the link and the capacity of the link as well as the
cost of each link. When making a load balancing decision, LinkProof can take link cost into
consideration as well. LinkProof then calculates the weight of the ISP links according to the
cost of the link as well as the previously supported load balancing factors (i.e. Dynamic
Proximity and load).
The user must define the cost models by which their links are priced.
To configure cost
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection
window appears.
2. From the LinkProof Traffic Redirection window, click the Cost tab. The Cost pane
appears.
3. From the Cost pane, check the Cost Admin Status checkbox to enable the cost
feature.
4. Enter a value for the Cost Weight to define the weight of the cost parameter in the load balancing decision.
Notes:
i  If there is a static proximity entry for the destination, the router is chosen according to this entry.
ii If the farm Dispatch Method is set to Cyclic, Cost parameters are not taken into consideration.
5. Click Add to configure cost levels for the routers. The Edit Router Cost Table window appears.
6. From the Edit Router Cost Table window, set the following parameters according to the explanations provided:
Parameter / Description
Router Name: Defines the Router.
Method: The pricing method by which the cost calculation will be done. Can be either Absolute (for the "Flat Rate" price model) or Per Kbps.
Threshold: Represents the upper limit of each cost level. Depending on the value of the Billing Mode for this router, this parameter can represent total bandwidth (inbound+outbound), inbound bandwidth only or outbound bandwidth only. The Price set for this cost level is valid for the bandwidth strip between the Threshold of the previous level (or 0 if there is no previous level) and the Threshold of this level.
Bandwidth Unit: The possible units for price calculation. Can be 10 Kbps, 100 Kbps or 1000 Kbps. If the Method field is set to Per Kbps and the Bandwidth Unit is set to 100 Kbps, for example, the value entered in the Price field represents the price for 100 Kbps. This parameter is relevant only if the cost Method is Per Kbps.
Price: The amount of money paid per Bandwidth Unit if Method is Per Kbps, or per entire bandwidth level if Method is Absolute.
Note: A value of 0 in this field means that the configured amount of bandwidth has already been paid for.
7. Click Ok. Your preferences are recorded.
Notes:
i  A "ladder model" can be configured by defining several entries for the same NHR with ascending Bandwidth Thresholds.
ii It is possible that packets that belong to an open session cause the bandwidth used to pass the bandwidth limit for this NHR. If the Cost feature is disabled, the NHR's bandwidth limit is represented by the Kbps limit value (set via the NHR table); otherwise it is determined by the lower value between the Kbps limit and the Bandwidth Threshold of the highest cost level. System administrators can configure for each NHR whether packets should be discarded once this bandwidth limit is reached. This is done by setting the Bandwidth Limit Exception flag to Enabled in the NHR table.
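The ladder model and the bandwidth-limit note above, worked through as an added example (this is not Radware's code): a Python pricing of one NHR's cost levels using the guide's own "$100 up to 2 Mbps, then $20 per Mbps" example. The sample ladders, the helper names and the reading of an Absolute level as charged once its strip is reached are this example's assumptions.

```python
# Added example, not LinkProof code: models a Router Cost Table "ladder" for one NHR
# (several entries with ascending Thresholds) and prices a measured bandwidth against it.
# Field names follow the table columns; the pricing helpers, the sample ladders and the
# assumption that an Absolute level is charged once its strip is reached are this example's own.

ABSOLUTE = "Absolute"
PER_KBPS = "Per Kbps"


def cost_level(threshold_kbps, method, price, bandwidth_unit_kbps=None):
    """One Edit Router Cost Table entry. Bandwidth Unit only matters for Per Kbps levels."""
    if method not in (ABSOLUTE, PER_KBPS):
        raise ValueError("Method must be Absolute or Per Kbps")
    if method == PER_KBPS and bandwidth_unit_kbps not in (10, 100, 1000):
        raise ValueError("Bandwidth Unit must be 10, 100 or 1000 Kbps")
    return {"threshold": threshold_kbps, "method": method,
            "price": price, "unit": bandwidth_unit_kbps}


def link_cost(levels, used_kbps):
    """Price of used_kbps on this NHR. Each level covers the strip between the previous
    Threshold (0 for the first) and its own. Absolute levels charge their Price for the
    whole level; Per Kbps levels charge Price per Bandwidth Unit of the strip actually used.
    Price 0 means the strip is already paid for. Usage above the top Threshold is not
    priced here: the guide's Note ii treats that Threshold as the NHR's bandwidth limit."""
    total = 0.0
    previous = 0
    for level in sorted(levels, key=lambda lv: lv["threshold"]):
        if used_kbps <= previous:
            break
        strip = min(used_kbps, level["threshold"]) - previous
        if level["method"] == ABSOLUTE:
            total += level["price"]
        else:
            total += level["price"] * strip / level["unit"]
        previous = level["threshold"]
    return total


def effective_bandwidth_limit(levels, nhr_kbps_limit, cost_enabled=True):
    """Note ii: the NHR's Kbps limit alone when Cost is disabled, otherwise the lower of
    that limit and the Threshold of the highest cost level."""
    if not cost_enabled or not levels:
        return nhr_kbps_limit
    return min(nhr_kbps_limit, max(lv["threshold"] for lv in levels))


# Constructed sample ladders for the guide's pricing example:
# $100 up to 2 Mbps, then $20 per Mbps (unit 1000 Kbps) up to a 10 Mbps top level.
LADDER = [cost_level(2000, ABSOLUTE, 100), cost_level(10000, PER_KBPS, 20, 1000)]
# Same ladder with the first 2 Mbps already paid for (Price 0).
PREPAID_LADDER = [cost_level(2000, ABSOLUTE, 0), cost_level(10000, PER_KBPS, 20, 1000)]

if __name__ == "__main__":
    for used in (1000, 2000, 3500, 10000):
        print(used, "Kbps ->", link_cost(LADDER, used), "/", link_cost(PREPAID_LADDER, used))
    print("limit with Cost enabled:", effective_bandwidth_limit(LADDER, 20000))
```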
Data Compression
This section explains the concept of Data Compression feature, which is used to accelerate
applications response time and significantly reduce overall bandwidth requirements in
Intranet environments.
This section includes the following topics:
• Data Compression Overview, page 196
• Data Compression in LinkProof, page 196
Data Compression Overview
In today's economic environment, businesses must find ways to reduce their operational
costs. For enterprises with numerous branch offices, connectivity costs represent a
significant portion of their overall operational costs. Even a small reduction in connectivity
costs at each branch is multiplied at the enterprise level. The result is that enterprises are
required to meet seemingly opposite demands: the need to reduce their connectivity
costs, as well as the need for high availability and the growing bandwidth requirements
of intra-enterprise connectivity.
LinkProof incorporates Data Compression, which is designed to accelerate application
response time and significantly reduce overall bandwidth requirements in Intranet
environments.
Data compression schemes used in internetworking devices are referred to as lossless
compression algorithms. These schemes reproduce the original bit streams exactly, with no
degradation or loss, a feature required by routers and other devices to transport data across
the network.
Lossless compression algorithms use two basic types of encoding techniques:
• Statistical: Searches for frequencies of different symbols.
• Dictionary: Searches for the existence of certain sequences.
Statistical compression, which uses a fixed, usually non-adaptive encoding method, is best
applied to a single application where the data is relatively consistent and predictable. Because
the traffic on internetworks is neither consistent nor predictable, statistical algorithms are, in
general, not suitable for encoding data for compression on routers, and dictionary-based
algorithms are used instead.
Please note that lossless data compression algorithms cannot guarantee to compress
(reduce) all input data sets. Examples are data that is already compressed, such as ZIP or
JPEG files, or encrypted data, such as IPSec, that does not contain repeatable sequences.
Data Compression in LinkProof
LinkProof has implemented a data compression solution based on the IPComp standard
(RFC 2393), which describes a protocol intended to provide lossless compression for Internet
Protocol datagrams in an Internet environment. As its compression algorithm it uses the
lossless, dictionary-based Deflate (zlib) algorithm.
Traffic that cannot be compressed, such as already compressed or encrypted traffic, is
forwarded in its original form.
To implement a data compression solution between two sites, a LinkProof device is required
at each site.
As mentioned before, encrypted traffic is not compressible, so traffic must be compressed
first and then encrypted. Using LP Branch VPN at both ends of the connection, it is possible to
compress first and then encrypt.
Note: The compression functionality requires a special software license.
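The compress-or-forward decision and the compress-then-encrypt ordering described above, as an added example rather than LinkProof's own code: Python using zlib's Deflate, with a throwaway XOR keystream (toy_encrypt, not a real cipher) standing in for IPSec encryption; the sample payload and key are constructed.

```python
import hashlib
import zlib

# Added example, not LinkProof code: the per-datagram decision a compression-enabled
# farm makes as the guide describes it (Deflate via zlib; a payload that does not shrink
# is forwarded unchanged), plus the compress-then-encrypt ordering. toy_encrypt is a
# throwaway XOR keystream standing in for IPSec ESP, never a real cipher; the sample
# payload and key below are constructed for this example.


def compress_or_forward(payload):
    """Return ("compressed", deflated) when Deflate saves bytes, else ("forwarded", payload)."""
    deflated = zlib.compress(payload, 6)
    if len(deflated) < len(payload):
        return "compressed", deflated
    return "forwarded", payload


def restore(tag, data):
    """Undo compress_or_forward on the receiving side."""
    return zlib.decompress(data) if tag == "compressed" else data


def toy_encrypt(data, key):
    """Stand-in for ESP: XOR with a SHA-256 counter-mode keystream. Symmetric, so the same
    call decrypts. Only here to produce ciphertext-like bytes; do not use as a cipher."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def vpn_pipeline(payload, key, compress_first):
    """Run the two steps in the order the guide requires (compress, then encrypt) or the
    wrong way round, and report which decision the compressor took."""
    if compress_first:
        tag, data = compress_or_forward(payload)
        return tag, toy_encrypt(data, key)
    tag, data = compress_or_forward(toy_encrypt(payload, key))
    return tag, data


def savings(payload, key, compress_first):
    """Fraction of bytes removed from the wire for this ordering (0.0 when forwarded)."""
    _, wire = vpn_pipeline(payload, key, compress_first)
    return 1.0 - len(wire) / len(payload)


# Constructed sample: repetitive HTTP-style Intranet traffic (compressible) and a demo key.
HTTP_LIKE = (b"GET /crm/report?id=12345 HTTP/1.1\r\nHost: erp.example.internal\r\n"
             b"Accept: text/html\r\n\r\n") * 20
DEMO_KEY = b"demo-key-not-secret"

if __name__ == "__main__":
    for order in (True, False):
        tag, wire = vpn_pipeline(HTTP_LIKE, DEMO_KEY, order)
        print("compress first" if order else "encrypt first", tag,
              len(HTTP_LIKE), "->", len(wire))
```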
Data Compression Configuration
To activate the compression capability, the user is only required to enable the Compression flag
on the group of routers (farm) for which data should be compressed.
To enhance the efficiency and flexibility of the compression feature, you can apply
compression only to certain hosts/subnets or applications by using different flows for
compressed traffic and non-compressed traffic.
To configure Data Compression:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the Traffic Redirection window, click the Farms tab. The Farms pane appears.
3. From the Farms pane, select an existing farm or click Add to create a new farm. The Edit LinkProof Farms window appears.
4. From the Edit LinkProof Farms window, click the Traffic Settings tab.
5. From the Traffic Settings tab, enable Compression.
VPN Compression Configuration
When compression of VPN traffic on LP Branch is required, the compression must be
activated in the IKE key and not in the farm, as in this case it is part of the VPN process.
To configure VPN Compression:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection window appears.
2. From the LinkProof Traffic Redirection window, click the VPN tab. The VPN pane appears.
3. From the VPN pane, check the Key Management option button. The Key Management table appears.
4. From the Key Management table, click Add. The Key Configuration window appears.
5. Set the key parameters according to the explanations in Configuring Keys, page 191, and enable the compression flag.
6. Click Ok. Your preferences are recorded.
Compression Scenarios
The following scenarios are supported for compression:
• Private Intranet Configuration, page 198
• Combined Private/VPN Intranet Configuration, page 199
• VPN Intranet Configuration, page 201
Private Intranet Configuration
Figure 20 - Private Intranet Compression Configuration (figure: Site A with NHR 1A and NHR 2A connected to Site B with NHR 1B and NHR 2B)
Properties:
• The two sites are connected by two private links. Compression is required on both links.
• Site A is also connected to sites not equipped with compression-enabled LinkProof.
To set up a configuration for this environment:
Site A:
1. Configure farm ‘Compress_fm’ that includes NHR1A and NHR2A and has the
Compression flag enabled.
2. Configure farm ‘Regular_fm’ that includes NHR1A and NHR2A but has the Compression
flag disabled.
3. Configure flow ‘Compress_A’ that includes the ‘Compress_fm’ farm, and ‘Regular_A’ that
includes the ‘Regular_fm’ farm.
4. Configure the following flow policies:
Index  Source        Destination   Flow
1      SiteA_subnet  SiteB_subnet  Compress_A
2      SiteA_subnet  any           Regular_A
Site B:
1. Configure farm ‘Compress_fm’ that includes NHR1B and NHR2B and has the
Compression flag enabled.
2. Configure flow ‘Compress_B’ that includes the ‘Compress_fm’ farm.
3. Configure the following flow policies:
Index  Source        Destination   Flow
1      SiteB_subnet  SiteA_subnet  Compress_B
Notes:
i  The same physical routers can be part of farms for which compression is enabled and farms for which compression is not enabled.
ii In a farm for which compression is enabled, compression is applied for all logical routers that belong to the farm. This means that the same traffic (source and destination and application) cannot be load balanced between a link over which compression is applied and a link for which compression must not be applied.
Combined Private/VPN Intranet Configuration
Figure 21 - Combined VPN/Private Compression Configuration (figure: Site A with NHR 1A and NHR 2A connected to Site B with NHR 1B and NHR 2B)
Properties:
• The two sites are connected by one private link and one public link with VPN. Compression is only on the private link.
• CRM and ERP applications between the two sites (HTTP) are transferred via the private link only, the rest of the traffic via the VPN.
To set up a configuration for this environment:
Site A:
1. Configure farm ‘Compress_fm’ that includes NHR2A and has the Compression flag
enabled.
2. Configure farm ‘Regular_fm’ that includes NHR1A and has the Compression flag
disabled.
3. Configure flow ‘Compress_A’ that includes the ‘Compress_fm’ farm and ‘Regular_A’ that
includes the ‘Regular_fm’ farm.
4. Configure the following flow policies:
Index  Source        Destination   Service  Flow
1      SiteA_subnet  SiteB_subnet  HTTP     Compress_A
2      SiteA_subnet  SiteB_subnet  None     Regular_A
Site B:
1. Configure farm ‘Compress_fm’ that includes NHR2B and has the Compression flag
enabled.
2. Configure farm ‘Regular_fm’ that includes NHR1B and has the Compression flag
disabled.
3. Configure flow ‘Compress_B’ that includes the ‘Compress_fm’ farm and ‘Regular_B’ that
includes the ‘Regular_fm’ farm.
4. Configure VPN Rules to the VPN gateway in site A.
5. Configure the following flow policies:
Index  Source        Destination   Service  Flow
1      SiteB_subnet  SiteA_subnet  HTTP     Compress_B
2      SiteB_subnet  SiteA_subnet  None     Regular_B
Note: The same traffic (source and destination and application) cannot be load balanced between a link over which compression is applied and a VPN link.
VPN Intranet Configuration
Figure 22 - VPN Intranet Compression Configuration (figure: Site A with NHR 1A and NHR 2A connected to Site B with NHR 1B and NHR 2B)
Properties:
• The two sites are connected by two public links with VPN. Compression must be applied within the VPN process.
To set up a configuration for this environment:
Site A (Site B is identical):
1. Configure farm ‘VPN_fm’ that includes NHR1A and NHR2A and has the Compression flag disabled, and Packet Translation set to VPN.
2. Configure flow ‘VPN_A’ that includes the ‘VPN_fm’ farm.
3. Configure an IKE key with the compression flag enabled.
4. Configure VPN rules between the two VPN gateways.
Chapter 6 - Redundancy
This chapter explains redundancy features and provides common examples of the different
LinkProof redundancy configurations, and includes the following sections:
• LinkProof Redundancy, page 203
• Proprietary ARP Redundancy, page 207
LinkProof Redundancy
This section introduces LinkProof redundancy capabilities and provides an explanation of
polling and teaching and how these redundancy schemes are incorporated into the LinkProof
configuration.
This section includes the following topics:
• Introducing LinkProof Redundancy, page 203
• Active / Backup Setup, page 204
• Interface Grouping, page 205
• Mirroring, page 206
Introducing LinkProof Redundancy
Radware recommends installing LinkProof devices in pairs, to provide fault tolerance in the
case of a single device's failure. Two processes are involved in the redundancy scheme:
polling and teaching.
The two LinkProofs have a mechanism that allows them to poll each other:
• The polling mechanism allows the Backup device to constantly mirror the Main device and to ensure the Main device is alive.
• The teaching mechanism is used by the Backup device when the Main device is down. This is how the takeover takes place.
This way, one LinkProof can always recognize whether another LinkProof is up or down. In
LinkProof, physical IP addresses are configured to poll other LinkProof physical IP addresses.
In LinkProof Redundancy Scheme, page 204, the interface addresses of LinkProof 2 are
configured to poll the addresses of LinkProof 1 and the interface addresses of LinkProof 1
are configured to poll the addresses of LinkProof 2.
The teaching process is performed in the following way: once LinkProof interface considers
the other LinkProof interface to be down, it must assume responsibility for the failed IP
address. For example, in LinkProof Redundancy Scheme, page 204, if LinkProof 1 fails and
LinkProof 2 decides to pick up for it, LinkProof 2 must assume responsibility for IP addresses
of LinkProof 1.
Each pair of LinkProofs can function in an Active / Backup Setup.
To achieve redundancy between pairs of LinkProof devices, the following methods are
supported:
•
Proprietary ARP, working with Address Resolution Protocol that is used to monitor the
other device in pair and to check its availability. Using proprietary ARP redundancy, at
the fail-over time the IP Addresses of the Main device are managed by the backup
device and are associated with the Backup device’s MAC Address.
• VRRP, working with the Virtual Router Redundancy Protocol, which enables maintaining dynamic redundancy using a virtual router. With VRRP, IP Addresses are associated with Virtual MAC Addresses that are owned by the Main device and are taken over by the Backup device at fail-over time.
Figure 23 - LinkProof Redundancy Scheme (Users on Network A; two LinkProofs, each with Port 1 and Port 2, MAC A to MAC D, IP A 1, IP A 2, IP B 1, IP B 2; Router 1 and Router 2 on Network B&C)
Active / Backup Setup
In the case of an Active / Backup configuration, the Main LinkProof device performs regular LinkProof operation, handling all the inbound sessions to the Virtual Addresses and distributing traffic among the servers in the farm.
The Backup LinkProof device is configured with identical farms containing the exact same servers and farm settings. This device acts as a hot standby and does not perform load balancing as long as the Main device is active.
The Backup LinkProof periodically verifies that the Main device is available. When the Backup LinkProof detects that the Main LinkProof has failed, the Backup device assumes control of the IP addresses of its Main partner, letting all devices on the network know that the Backup device is now responsible for the services of the Main device.
When the Backup device takes control over the services, it continues to monitor the Main device. As soon as the Main device is back online, the Backup device releases the services.
Interface Grouping
To provide a complete solution for redundancy against all failures, LinkProof employs a mechanism called Interface Grouping. If LinkProof notices that one of its physical ports is down, it intentionally brings all other active ports down.
When a physical port on LinkProof goes down, because of a cable failure, switch port failure, hub failure, or other problems, LinkProof performs the following tasks:
1. LinkProof examines the configuration to see if any IP addresses were configured on the port that just went down.
2. If there were IP addresses configured on the port that went down, LinkProof deactivates all other active ports.
3. If there were no IP addresses configured on the port that went down, nothing happens and normal operation continues.
Notes:
i Using Regular VLAN, when any of the ports associated with a VLAN is down, Interface Grouping is triggered.
ii Using Switched IP VLAN, Interface Grouping is triggered only when all ports on a Switched IP VLAN are down.
iii When using a VLAN with Interface Grouping, the group may go down as a result of a failing interface. In such an event all traffic to the interfaces belonging to the group is discarded, including management traffic.
Selective Interface Grouping
One of the common installations of LinkProof is the LinkProof redundancy installation. In many installations of this kind, both the main and redundant LinkProof have a separate interface for management, which is used solely for management purposes and not for handling actual traffic. An issue may occur if the management interface goes down, since it causes Interface Grouping on the Main device to be activated, resulting in the Backup device taking control. This issue occurs since the management interface is an IP interface, which when down affects Interface Grouping.
LinkProof has the capability of defining which interfaces initiate Interface Grouping and which don't. A new table has been introduced, Master Interface Grouping. Through this table you can define for each interface whether the interface should initiate Interface Grouping if it goes down (the interface's Port Status is set to Included), or not.
Notes:
i If an interface, which is part of a VLAN, goes down and its Port Status is set to Included, it does not initiate Interface Grouping.
ii When an interface, which has its Port Status set to Included, comes back up after it went down, Interface Grouping is turned off immediately and the device regains control (becomes the Main device). No reboot is required.
To configure Selective Interface Grouping:
1. From the main window, select the Main device icon, then hold the Shift (or Ctrl) key, and select the Backup device, and click Link. The Redundancies window appears.
2. From the Redundancies window, click Master Interface Grouping. The Master
Interface Grouping window appears.
3. From the Master Interface Grouping window, select the port that you want to exclude
from Interface Grouping, and then in the Port Status field select Excluded and click
Update. Your preferences are recorded.
Backup Interface Grouping
The Backup device takes control only if *all* the interfaces of the Main device are out of service. This solves the following problem: an active and a backup device are each connected to a switch, and the switches are cross-connected. When the cable cross-connecting the switches fails, the Main device does not see a port failure, so Interface Grouping is not triggered; but the Backup device cannot communicate with the Main, and so the Backup takes over. This causes downtime in the service.
When the Backup Interface Grouping parameter is enabled, the Backup device takes over only when all IP interfaces defined in its Redundancy Table fail. Respectively, the Backup device releases those interfaces only when all the Main device's interfaces are up. When Backup Interface Grouping is not activated, the Backup device takes control once one interface of the Main device (defined in the Redundancy Table) is out of service. Respectively, the Backup device releases the interface once all the interfaces of the Main device are available.
To enable Interface Grouping and Backup Interface Grouping:
1. From the main window, select the Main device, then hold the Shift (or Ctrl) key, and
select the Backup device, and click Link. The Redundancies window appears.
2. From the Redundancies window, click Advanced Redundancy. The Advanced
Redundancy dialog box appears.
3. From the Device Name drop-down list, select the device for which you want to define
the advanced parameters.
4. To enable Interface Grouping, check the Interface Grouping checkbox and click Ok.
5. To enable Backup Interface Grouping, check the Backup Interface Grouping
checkbox and click Ok.
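The Interface Grouping, Selective Interface Grouping and Backup Interface Grouping rules described above, as an added example (Python, not Radware code): it models a Main device's ports and the Backup's takeover decision so the cross-connect cable scenario and the management-interface scenario can be checked side by side. Port names, the management port and its address are constructed.

```python
"""Takeover decision model for Interface Grouping, Selective Interface Grouping
and Backup Interface Grouping as the guide describes them.

Added example, not Radware code. Port names, IP addresses and the management
interface below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Set, Tuple


@dataclass
class Port:
    name: str
    ip_addresses: Tuple[str, ...] = ()   # IP interfaces configured on the port
    link_up: bool = True
    port_status: str = "Included"        # Master Interface Grouping: Included / Excluded


@dataclass
class MainDevice:
    ports: List[Port]
    interface_grouping: bool = True
    grouped_down: bool = False           # True while LinkProof has pulled its other ports down

    def apply_interface_grouping(self) -> bool:
        """A port with IP addresses and Port Status Included going down makes
        LinkProof deactivate all other active ports; when the port returns,
        grouping is released immediately (no reboot)."""
        if not self.interface_grouping:
            self.grouped_down = False
            return False
        self.grouped_down = any(
            not p.link_up and p.ip_addresses and p.port_status == "Included"
            for p in self.ports
        )
        return self.grouped_down

    def reachable_ips(self) -> Set[str]:
        """IP interfaces the Main device can still answer polls on."""
        if self.grouped_down:
            return set()
        return {ip for p in self.ports if p.link_up for ip in p.ip_addresses}


def backup_takes_over(main: MainDevice,
                      redundancy_table: Sequence[str],
                      backup_interface_grouping: bool,
                      path_failed: FrozenSet[str] = frozenset()) -> bool:
    """Decision the Backup device reaches after polling every IP interface in
    its Redundancy Table.

    path_failed models interfaces the Backup cannot reach for reasons outside
    the Main device (the cross-connect cable between the switches in the
    guide's scenario): the Main is healthy but those polls still fail.
    Backup Interface Grouping enabled: take over only when all polled
    interfaces fail. Disabled: take over as soon as one of them fails.
    """
    main.apply_interface_grouping()
    alive = main.reachable_ips() - set(path_failed)
    failed = [ip for ip in redundancy_table if ip not in alive]
    if backup_interface_grouping:
        return len(failed) == len(redundancy_table)
    return len(failed) > 0


def example_main() -> MainDevice:
    """Constructed Main device: two traffic ports plus a management-only port
    that is Excluded from Interface Grouping (Selective Interface Grouping)."""
    return MainDevice(ports=[
        Port("F-1", ("10.1.1.10",)),
        Port("F-2", ("100.1.1.10", "200.1.1.10")),
        Port("MGMT", ("192.0.2.10",), port_status="Excluded"),
    ])


REDUNDANCY_TABLE = ("10.1.1.10", "100.1.1.10", "200.1.1.10")


if __name__ == "__main__":
    # Cross-connect cable failure: only the 100.1.1.x side becomes unreachable.
    m = example_main()
    print("cable fault, Backup Interface Grouping off:",
          backup_takes_over(m, REDUNDANCY_TABLE, False, frozenset({"100.1.1.10"})))
    print("cable fault, Backup Interface Grouping on :",
          backup_takes_over(m, REDUNDANCY_TABLE, True, frozenset({"100.1.1.10"})))
```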
Mirroring
Mirroring enables a redundant Backup device to maintain a copy of the dynamic tables of the Main device, by sending a snapshot of the Client Table information contained on the Main device to the Backup device. If the Main device fails, the Backup device seamlessly resumes the sessions, ensuring that the request for service is forwarded to the same server in the farm which handled the session before the Main device failure. Mirroring is recommended for use with very state-sensitive and long-term sessions, such as Telnet or FTP. However, this feature should not be activated with HTTP applications, where sessions are short and a reload mechanism is built in or transparent. Mirroring should not be used in conjunction with the Dynamic Session ID Tracking feature. When enabling Mirroring on a Backup LinkProof, the device must be reset. Setting up Mirroring affects the general LinkProof performance.
Notes:
i When setting up mirroring, it is recommended to use the same LinkProof software version for the main and for the backup devices.
ii It is not recommended to use mirroring in conjunction with Layer 7 features that require Delayed Bind. This includes Dynamic Session ID Persistency, Layer 7 Policies, SSL ID tracking and so on.
To configure Mirroring:
Mirroring parameters must be configured both on the Main device and on the Backup device.
1. From the main window, select the two devices by holding down the Shift key and click Link. The Redundancies window appears.
2. From the Redundancies window, click Mirroring. The LinkProof Mirroring dialog box appears.
3. From the LinkProof Mirroring dialog box, set the following parameters according to the explanations provided:
Client Table Mirroring: Enables or disables client table mirroring. Default: Disabled.
% of Table to Backup: The percentage of the Client Table to send to the Backup device. The newest percentage is always sent to the backup device. Default: 100%.
Mirror Update Time: How often the Main device sends information to the Backup device. Default: 10 seconds.
4. Click Ok to apply the Setup and close the dialog box.
Proprietary ARP Redundancy
This section explains how the LinkProof platform employs the Address Resolution Protocol
(ARP) to check the availability of its partner. The ARP method ensures that the Radware
device is available and that the network connections between the devices are up.
The section includes the following topics:
• Proprietary ARP, page 207
• Backup Fake ARP, page 208
• Advanced Forwarding, page 213
Proprietary ARP
In the proprietary method, the LinkProof platform employs the Address Resolution Protocol (ARP) to check the availability of the partner. The ARP method ensures that the Radware device is available and that the network connections between the devices are up.
If the Main device fails, the Backup device takes control and seamlessly continues operating the sessions between clients and servers that had been established on the primary device.
With Proprietary ARP redundancy, the Backup device manages the polling process by continuously polling the Main device, using the ARP protocol, see Table 15 on page 208. When the Main device fails, the teaching process is realized when the Backup device sends
broadcast ARPs informing its network neighbors that the IP Addresses of the Main device
are now associated with its own MAC Addresses. This ensures that all traffic destined to the
IP Addresses of the Main device arrives to the Backup device.
Table 15: Polling Parameters
Polling Interval: How often the Backup device polls the Main device (in seconds). Default: 3.
Timeout: The number of polling attempts that are made before the Backup device takes over. Default: 12.
Backup Fake ARP
When two LinkProof devices are working in the redundant mode, the Backup device
constantly monitors the health of the Main device. Once the Backup device detects that the
Main device fails, the Backup device takes control, which means that the Backup device now
owns the IP addresses of the Main device. The Backup device sends gratuitous ARP to all
local stations informing that the main device IP addresses now correspond to the MAC
addresses of the Backup device. This process ensures smooth redundancy from the main
device to the backup.
When the Main device is operational again, it uses the same technique. The main sends
gratuitous ARP to all local stations informing them that the main device IP addresses now
correspond to the MAC addresses of the Main device. In order to speed up this process, the
Backup device also publishes that the IP addresses of the main correspond to the MAC
addresses of the Main device. This is a fake ARP, as one device (the backup) publishes the
other device (the main). The fake ARP might confuse some Layer 3 switches, as they update
their ARP Tables by the source MAC of the packet, rather than by the MAC in the information
part of the packet.
The Backup Fake ARP option is enabled by default and can be disabled if needed.
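The gratuitous ARP and Backup Fake ARP behaviour described above, as an added example (Python, not Radware code): it builds both announcements in memory, parses them, and shows why a Layer 3 switch that keys on the frame source MAC installs a different entry than a neighbour that reads the ARP payload, which is the confusion the guide warns about. MAC and IP values are constructed; nothing is sent on the wire.

```python
"""Gratuitous ARP and the Backup Fake ARP case, modelled in memory.

Added example, not Radware code. MAC and IP values are constructed and the
frames are only built and parsed here, never transmitted.
"""
import struct
from typing import Dict

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def build_gratuitous_arp(eth_src: str, sender_mac: str, sender_ip: str) -> bytes:
    """Broadcast ARP reply announcing sender_ip -> sender_mac.

    In a normal gratuitous ARP eth_src == sender_mac. In the Backup Fake ARP
    case the Backup device's MAC is the Ethernet source while the ARP payload
    names the Main device's MAC for the Main device's IP."""
    ethernet = mac_to_bytes(BROADCAST) + mac_to_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, oper=reply(2)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)   # sender hw / protocol address
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)   # target hw / protocol address
    return ethernet + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    """Decode the Ethernet header and ARP body of an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    body = frame[22:42]
    return {
        "eth_src": bytes_to_mac(eth_src),
        "oper": oper,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": ".".join(str(b) for b in body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": ".".join(str(b) for b in body[16:20]),
    }


def learned_entry(frame: bytes, learn_from: str = "arp_payload") -> Dict[str, str]:
    """IP -> MAC entry a neighbour installs from the announcement.

    "arp_payload": uses the ARP sender hardware address (the intended result).
    "eth_source": keys on the frame's source MAC instead, as the guide says
    some Layer 3 switches do; on a fake ARP this installs the wrong MAC."""
    info = parse_arp(frame)
    mac = info["sender_mac"] if learn_from == "arp_payload" else info["eth_src"]
    return {info["sender_ip"]: mac}


def is_fake_arp(frame: bytes) -> bool:
    """True when the ARP payload names a different MAC than the frame source,
    i.e. one device is publishing an address on behalf of another."""
    info = parse_arp(frame)
    return info["sender_mac"] != info["eth_src"]


# Constructed addresses: Main device MAC A owns 10.1.1.10, Backup device is MAC C.
MAC_A = "02:00:00:00:00:0a"
MAC_C = "02:00:00:00:00:0c"
MAIN_IP = "10.1.1.10"

# Takeover: the Backup announces the Main's IP with its own MAC.
TAKEOVER_ARP = build_gratuitous_arp(MAC_C, MAC_C, MAIN_IP)
# Main is back: the Backup publishes the Main's IP with the Main's MAC (fake ARP).
FAKE_ARP = build_gratuitous_arp(MAC_C, MAC_A, MAIN_IP)
```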
Backup Device in VLAN
Using Redundancy with Bridging, the backup device must remain completely silent on the network in order to avoid broadcast storms. In such a case, this behavior must be set using the Backup Device in VLAN parameter.
To enable Backup Fake ARP and Backup Device in VLAN:
1. From the main window, select the Main LinkProof device icon, then hold the Shift (or
Ctrl) key, and select the Backup device, and click Link. The Redundancies window
appears.
2. From the Redundancies window, click Advanced Redundancy. The Advanced
Redundancy dialog box appears.
3. From the Device Name drop-down list, select the device for which you want to define
the advanced parameters.
4. To enable Backup Fake ARP, check the Backup Fake ARP checkbox and click Ok.
5. To enable Backup Device in VLAN, check the Backup Device in VLAN checkbox and
click Ok.
Example: Proprietary Redundancy with Routing
The figure Proprietary Redundancy with Routing illustrates the scheme for a proprietary redundancy configuration with routing.
Figure 24 - Proprietary Redundancy with Routing (Router 1 100.1.1.20, Router 2 200.1.1.20; LinkProof 1 Interface 1 10.1.1.10 and Interface 2 100.1.1.10 / 200.1.1.10; LinkProof 2 Interface 1 10.1.1.11 and Interface 2 100.1.1.11 / 200.1.1.11; Local Network 10.1.1.x)
To Configure Proprietary Redundancy with Routing:
1. Set the default gateway of the local network to the IP address of the Main LinkProof using 10.1.1.10.
2. Add a main device and backup device to the APSolute Insite map, set IP addresses and routing as needed.
3. Add Router 1 and Router 2 to the map. Set Farm 1 with Router 1 and Router 2 on LinkProof 1 and on LinkProof 2.
4. From the main window, select the Main device, then hold the Shift (or Ctrl) key, and select the Backup device, and click Link. The Redundancies window appears.
5. From the Relation Type drop-down list, select IP Active-Backup.
6. In the Main Device area you can view the name and IP address of the main device. These are read-only fields.
7. In the Backup Device area you can view the name and IP address of the backup device. These are read-only fields.
8. From the Redundancies window, click Add to define which IP addresses of the Backup device correspond to IP addresses of the Main device.
Insert as many entries as needed, for each IP Interface where redundancy is provided. In the network design of this example, add:
Main Device: 10.1.1.10, Backup Device: 10.1.1.11
Main Device: 100.1.1.10, Backup Device: 100.1.1.11
Main Device: 200.1.1.10, Backup Device: 200.1.1.11
9. Set Polling Interval and Time-out for each entry, see Table 15 on page 208.
10. From the Redundancies window, click Advanced Settings and set the following parameters for each device according to the explanations provided:
For the Main device: Select Interface Grouping, see enable Interface Grouping and Backup Interface Grouping:, page 206.
For the Backup device: When needed, select Backup Interface Grouping, see enable Interface Grouping and Backup Interface Grouping:, page 206. Select the Backup Fake ARP checkbox, see enable Backup Fake ARP and Backup Device in VLAN:, page 208.
11. Set up mirroring, see configure Mirroring:, page 207.
Note: Make sure that the LinkProof settings on the Main and Backup devices correspond. For example, every VIP whose mode is set to regular on the main device is configured with mode backup on the backup device, as is the case with NAT Addresses and so on.
12. To trigger an automatic configuration update of the secondary device in a redundant
configuration, from the Redundancies window, click Copy Configuration.
The configuration file of the Main device is used, and is modified as needed. Then the
file is sent to the backup device. The old configuration in the backup device is deleted.
Note:
The Copy Configuration button is enabled only when at least one IP
Interface is set for redundancy.
13. Click Ok to accept your preferences and exit the window. The redundancy relation is
visually displayed on the map.
Example: Proprietary Redundancy with Bridging
The example in Proprietary Redundancy with Bridging, page 211 illustrates the scheme for
proprietary redundancy with bridging.
Figure 25 - Proprietary Redundancy with Bridging (Router1 100.1.1.20, Router 2 200.1.1.20; LinkProof 1 Interface 1 100.1.1.10 and Interface 2 200.1.1.10; LinkProof 2 Interface 1 100.1.1.11 and Interface 2 200.1.1.11; Local Network 100.1.1.x)
Properties:
Network side and server side are on the same IP subnet.
To Configure Proprietary Redundancy with Bridging:
1. Set the default gateway of the local network to the IP address of the Main LinkProof device using 10.1.1.10.
2. Add a Main device and Backup device to the APSolute Insite map, and set IP addresses and routing as needed.
3. Add Router 1 and Router 2 to the map, set Farm 1 with Router 1 and Router 2 on LinkProof 1 and on LinkProof 2.
4. From the main window, select the Main device, then hold the Shift (or Ctrl) key, and select the Backup device, and click Link. The Redundancies window appears.
5. From the Relation Type drop-down list, select IP Active-Backup.
In the Main Device area you can view the name and IP address of the main device. These are read-only fields.
In the Backup Device area you can view the name and IP address of the backup device. These are read-only fields.
6. From the Redundancies window, click Add to define which IP addresses of the Backup device correspond to IP addresses of the Main device.
7. Insert as many entries as needed, for each IP Interface where redundancy is provided. In the network design of this example, add:
Main Device: 100.1.1.10, Backup Device: 100.1.1.11
Main Device: 200.1.1.10, Backup Device: 200.1.1.11
8. From the Redundancies window, click Add and set Polling Interval and Time-out for each entry, see Polling Parameters, page 208.
9. From the Redundancies window, click Advanced Settings and set the following parameters according to the explanations provided for each device:
For the Main device: Select Interface Grouping, see enable Interface Grouping and Backup Interface Grouping:, page 206.
For the Backup device: When needed, select Backup Interface Grouping, see enable Interface Grouping and Backup Interface Grouping:, page 206. Select the Backup Device in VLAN checkbox and the Backup Fake ARP checkbox, see enable Backup Fake ARP and Backup Device in VLAN:, page 208.
10. Set up mirroring, see configure Mirroring:, page 207.
Note: Make sure that the LinkProof settings on the Main and Backup devices correspond. For example, every VIP whose mode is set to regular on the main device is configured with mode backup on the backup device, as is the case with NAT Addresses and so on.
11. To trigger an automatic configuration update of the secondary device in a redundant
configuration, from the Redundancies window, click Copy Configuration.
The configuration file of the Main device is used, and is modified as needed. Then the
file is sent to the backup device. The old configuration in the backup device is deleted.
Note:
The Copy Configuration button is enabled only when at least one IP
Interface is set for redundancy.
12. Click Ok to accept your preferences and exit the window. The redundancy relation is
visually displayed on the map.
Advanced Forwarding
The LinkProof routing mechanism includes a table called IP Fast Forwarding Table (IPFFT). IPFFT includes routing information for the purpose of saving CPU time while calculating routing decisions.
A large IPFFT (over 100,000 entries), or an IPFFT that overflows because a lot of traffic needs to be routed, may impair the overall performance of the LinkProof device. The Advanced Forwarding feature uses a more efficient algorithm in the IPFFT that can keep the IPFFT small.
To configure Advanced Forwarding using WBM:
1. Select Router > IP Router > Operating Parameters > Advanced Fast Forwarding Status.
2. From the ARP Proxy drop-down list select enable or disable.
3. Click Set.
To configure Advanced Forwarding using CLI:
1. Type in the command net route advanced-forwarding set <disable or enable>.
2. Press Enter.
VRRP Redundancy
This section explains the Virtual Router Redundancy Protocol (VRRP), defined in RFC 2338, a standard protocol that enables dynamic router redundancy.
This section includes the following topics:
• Introducing VRRP, page 213
• VRRP Redundancy Notes, page 215
• VRRP nxn Redundancy, page 219
• Direct Server Connection with VRRP, page 219
Introducing VRRP
VRRP (Virtual Router Redundancy Protocol) defined in RFC 2338 is a standard protocol that
enables dynamic router redundancy. If the Main device fails, VRRP ensures that the Backup
device takes over, and traffic is forwarded to it.
The basic concept in VRRP is that of a Virtual Router (VR). A VR has a Virtual Router
Identifier (VRID) and one or more IP addresses associated with it. Each VR has a VRMAC,
which is a MAC address associated with the VR. This saves the need for a MAC address
update in case of a fail-over. The VRMAC address is determined by the VRID, and does not
need to be configured manually.
Typically, the same VR is configured on multiple devices to achieve redundancy between them for the VR. Each device has a priority for a VR; the Main device for the VR is the device with the highest priority. Using VRRP, the Main device constantly sends advertisements to the other VRRP routers to indicate that it is online. When the advertisements stop, the Main device is assumed to be inactive. A new Main device is then selected for this VR, namely the device with the next highest priority for that VR.
For a typical Main-Backup scenario, a VR is required for each interface of LinkProof. In a standard LinkProof Setup, 2 VRs are required:
VR-I: For the Internet side of LinkProof, associated with the IP address of the main LinkProof.
VR-S: For the server side of LinkProof.
You need to configure all VRs on each LinkProof device, and associate the appropriate IP addresses with each VR.
Typically, the physical address of the external side of LinkProof and the farm address are associated with VR-I. The physical address of the server side of the LinkProof is associated with VR-S.
You need to set a priority for each VR on each LinkProof. The priorities for all VRs on the
main LinkProof may be 255, to indicate it is the Main device, and a lower value on the
backup device.
Using VRRP, it is possible to set up more than one redundant LinkProof to backup a main
LinkProof with hierarchy.
To configure VRRP Redundancy:
1. From the main window, select the two devices by holding down the Shift button, and
click Link. The Redundancies window appears.
2. From the Redundancies window, from the Relation Type drop-down list, select VRRP.
3. From the Master Device area, you can view the name and IP address of the device.
These are read-only fields.
4. From the Backup Device area, you can view the name and IP address of this
device.These are also read-only fields.
5. To assign virtual routers to both the Master and Backup devices, click Add. The Edit
VRRP Table window appears.
6. From the Edit VRRP Table window, set the following parameters according to the
explanations provided:
Interface: The Interface Number. Default: F-1.
VR ID: The virtual router’s identification number. Value range: 1-255.
Enable Virtual Router (checkbox): Enables or disables the administrative status of this VR. Default: Disabled.
Priority: Defined with the values 1-255, where the highest priority (255) must be assigned to the VR that is associated with a device’s physical IP address (IP address that the device owns). Default: 100.
Primary IP: The primary IP address. The device adds a default value unless the user defines one.
Authentication Type: The type of authentication, No Authentication or Text Authentication. Default: No Authentication.
Authentication Key: Password up to 8 characters in length.
Advertisement Interval: The interval at which packets are checked. Default: 1 second.
Preemption Mode: Defines the takeover procedure for the VR when a device fails and then resumes functioning. When a device with a certain priority fails, the device with the next highest priority takes control of the VR. When the device with the higher priority for this VR resumes functioning, the Preemption Mode decides whether it must retake control of the VR from the device with the lower priority. Values are True (the higher priority device takes over the VR) and False (the device with the lower priority maintains control of the VR). This mode is only applicable when more than two devices share a VR. Default: True.
Note: The router that owns the IP address associated with the VR is an exception to this definition, as it always preempts independently of this flag’s setting.
Protocol: Name of the IP protocol for LinkProof (not configurable).
7. To define which IP Addresses are backed up with VRRP, click Associated IP. The Associated IP Address dialog box appears.
8. From the Associated IP Addresses dialog box, insert an entry for each IP address that you want to associate with each configured VR.
Typically, LinkProof and VIP addresses are associated with the VR used for the external side of the device, as well as Virtual DNS Addresses. LinkProof addresses must be associated with the VR used for the internal side of the device. Static NAT Addresses must be associated either with the VR for the external side of the LinkProof or with the internal one, depending on the configuration.
Note: When assigning an IP address to a VRID, the user should make sure that there is an existing IP Interface belonging to the same subnet. Example: if you add IP address 192.168.10.200 / 24, there must be an Interface with a Physical Address such as 192.168.10.1 / 24.
9. Click Ok to apply the Setup and exit the window.
VRRP Redundancy Notes
Provided below is a list of points that should be taken into consideration with the initial use of VRRP.
• VRRP is not supported in a VLAN network design using Regular VLANs, excluding designs with server Direct Connection.
• Zero cannot be configured as a VRID number.
• Each VRID must be a unique ID number. This is true even for VRIDs on different interfaces.
• If two Radware devices belong in the same subnet, and each device is backed up by a VRRP router, the VRID numbers for both devices must also be different.
When using interface grouping:
• If a certain VRID’s Admin Status is Disabled, then either all VRIDs in that device are disabled too, or all copies of that VRID in other devices are disabled as well.
• If on a certain interface, a Radware device has IP Addresses which belong to a subnet that the Backup device does not have on that interface, then it is the user’s responsibility to configure the Radware device with a primary IP Address that belongs to a subnet which the Backup device has.
• Upon creating a VR on a port, there must be at least one IP interface configured on that physical port.
• Ensure that the same parameters are configured in both devices for each VRID.
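The election, VRMAC and preemption rules explained in Introducing VRRP and the VRID rules in the notes above, as an added example (Python, not Radware code): the VRMAC follows the 00-00-5E-00-01-{VRID} form and the master-down timer the 3 × Advertisement Interval + skew rule, both from RFC 2338, which the guide cites. Device names and addresses are taken from the guide's VRRP example; the helper names are constructed.

```python
"""VRRP (RFC 2338) election, VRMAC derivation and preemption as the guide
describes them, plus the VRID checks from the VRRP Redundancy Notes.

Added example, not Radware code. Device names and addresses come from the
guide's VRRP example; the function and class names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VirtualRouter:
    interface: str
    vrid: int
    priority: int = 100          # 255 = owner of the VR's IP address
    primary_ip: str = ""
    enabled: bool = True         # Enable Virtual Router / Admin Status
    preempt: bool = True         # Preemption Mode


def vrmac(vrid: int) -> str:
    """RFC 2338 virtual MAC 00-00-5E-00-01-{VRID}: determined by the VRID, so
    it never has to be configured by hand. Zero is not a valid VRID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255 (zero is not allowed)")
    return "00:00:5e:00:01:%02x" % vrid


def master_down_interval(priority: int, advertisement_interval: float = 1.0) -> float:
    """Seconds of silence after which a backup declares the master down
    (RFC 2338: 3 * Advertisement_Interval + Skew_Time)."""
    skew_time = (256 - priority) / 256.0
    return 3 * advertisement_interval + skew_time


def validate_vrids(vrs: List[VirtualRouter]) -> List[str]:
    """Checks from the guide's notes: zero is not a valid VRID and a VRID must
    not be reused on a different interface. Several entries with the same VRID
    on the same interface are one VR with several addresses and are allowed."""
    problems: List[str] = []
    seen: Dict[int, str] = {}
    for vr in vrs:
        if vr.vrid == 0:
            problems.append("VRID 0 on %s is not allowed" % vr.interface)
            continue
        if not 1 <= vr.priority <= 255:
            problems.append("VRID %d: priority %d outside 1-255" % (vr.vrid, vr.priority))
        first = seen.setdefault(vr.vrid, vr.interface)
        if first != vr.interface:
            problems.append("VRID %d reused on %s and %s" % (vr.vrid, first, vr.interface))
    return problems


def elect_master(copies: Dict[str, VirtualRouter], alive: List[str]) -> Optional[str]:
    """copies: device name -> that device's copy of one VR. The live device
    with the highest priority becomes Main for the VR."""
    candidates = [d for d in alive if d in copies and copies[d].enabled]
    if not candidates:
        return None
    return max(candidates, key=lambda d: copies[d].priority)


def on_device_return(copies: Dict[str, VirtualRouter],
                     current_master: str, returning: str) -> str:
    """Preemption: a returning device with a higher priority retakes the VR
    only when its Preemption Mode is True; the owner (priority 255) always
    preempts, independently of the flag."""
    ret, cur = copies[returning], copies[current_master]
    if not ret.enabled or ret.priority <= cur.priority:
        return current_master
    if ret.priority == 255 or ret.preempt:
        return returning
    return current_master


# VR-I from the guide's example: VRID 100 on interface F-1 on both devices.
VR_I = {
    "LinkProof 1": VirtualRouter("F-1", 100, priority=255, primary_ip="100.1.1.10"),
    "LinkProof 2": VirtualRouter("F-1", 100, priority=100, primary_ip="100.1.1.11"),
}

if __name__ == "__main__":
    print("VRMAC for VRID 100:", vrmac(100))
    print("master while both alive:", elect_master(VR_I, ["LinkProof 1", "LinkProof 2"]))
    print("LinkProof 2 declares master down after %.3f s" % master_down_interval(100))
```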
Example: Redundant LinkProof Configuration with VRRP
The example in Redundant LinkProof Configuration with VRRP illustrates the scheme for a redundant LinkProof configuration with VRRP.
Figure 26 - Redundant LinkProof Configuration with VRRP (Router 1 100.1.1.20 and Router 2 200.1.1.20 on Port 1 of LinkProof 1 and LinkProof 2; Virtual Address 100.1.1.100, Regular on LinkProof 1 and Backup on LinkProof 2; Port 2 of each LinkProof towards Firewall 1 and Firewall 2)
Properties:
• Network side and server side are on different subnets.
• Virtual IP addresses served by the LinkProofs are 100.1.1.100 and 200.1.1.100, usually handled by LinkProof 1.
• Routers 100.1.1.20 and 200.1.1.20 are assigned to the farm that is managed by LinkProof 1.
• Redundancy is performed using the VRRP protocol.
To configure Redundant LinkProof with VRRP:
1. Set the default gateway of the Firewall to the IP address of LinkProof 1 using 10.1.1.10.
2. Add LinkProof 1 and LinkProof 2 to the APSolute Insite map, set IP addresses and routing as appears in Redundant LinkProof Configuration with VRRP, page 216.
3. Add Router 1 and Router 2 to the map, set Farm 1 with Router 1 and Router 2 on LinkProof 1 and on LinkProof 2.
4. Add Firewall 1 and Firewall 2 to the map, set Farm 2 with Firewall 1 and Firewall 2 on LinkProof 1 and on LinkProof 2.
5. Set the VRRP for LinkProof 1 (Master Device):
a. Double-click the LinkProof 1 icon. The LinkProof Setup window appears.
b. From the LinkProof Setup window, click Redundancies. The LinkProof Redundancies window appears.
c. From the Relation Type drop-down list, select VRRP.
d. Click Add on the left side to add VRs to the master device configuration, and set the following parameters according to the explanations provided:
Interface: F-1, VRID: 100, Enable Virtual Router: Selected, Priority: 255, Primary IP: 100.1.1.10
Interface: F-1, VRID: 100, Enable Virtual Router: Selected, Priority: 255, Primary IP: 200.1.1.10
Interface: F-2, VRID: 10, Enable Virtual Router: Selected, Priority: 255, Primary IP: 10.1.1.10
e. Access the Associated IP Addresses Table by clicking on Associated IP. The Associated IP Address window appears.
f. From the Associated IP Address window, set the following parameters according to the explanations provided:
Interface: F-1, VRID: 100, IP Address: 100.1.1.10
Interface: F-1, VRID: 100, IP Address: 200.1.1.10
Interface: F-2, VRID: 10, IP Address: 10.1.1.10
g. Click Add.
6. Set the VRRP for LinkProof 2 (Backup Device):
a. In the same window, set the backup device VRRP. From the Edit VRRP table, set the following parameters according to the explanations provided:
Interface: F-1, VRID: 100, Enable Virtual Router: Selected, Priority: 100, Primary IP: 100.1.1.11
Interface: F-1, VRID: 100, Enable Virtual Router: Selected, Priority: 100, Primary IP: 200.1.1.11
Interface: F-2, VRID: 10, Enable Virtual Router: Selected, Priority: 100, Primary IP: 10.1.1.11
b. Access the Associated IP Addresses Table by clicking Associated IP. The Associated IP Address window appears.
c. From the Associated IP Address window, set the following parameters according to the explanations provided:
Interface: F-1, VRID: 100, IP Address: 100.1.1.100 (VIP Address)
Interface: F-1, VRID: 100, IP Address: 200.1.1.100 (VIP Address)
Interface: F-2, VRID: 10, IP Address: 10.1.1.10 (LinkProof IP Address)
d. Click Add.
7. From the Redundancies window, click Advanced Redundancy. The Advanced Redundancy dialog box appears.
8. From the Advanced Redundancy dialog box, select the Interface Grouping checkbox for the main device.
9. From the Advanced Redundancy dialog box, select the Backup Interface Grouping checkbox for the backup device if needed.
VRRP nxn Redundancy
Multiple LinkProof devices can be configured to achieve a full redundancy scheme between
any number of devices.
This can be extended for any number of devices, using a hierarchy of priorities between
VRIDs to reflect the order of backup precedence between LinkProof devices.
Direct Server Connection with VRRP
VRRP with Switched IP VLAN allows direct connection of servers to LinkProof in conjunction
with routing and bridging.
In this configuration, servers with dual Network Interface Cards are directly connected to
the LinkProof devices. LinkProof uses either routing (see Direct Server Connection with VRRP
and Routing, page 220) or bridging (see Redundant LinkProof Configuration with VRRP and
Direct Connection, page 221) between the external network, connected to routers or switches,
and the internal network, connected to the servers. Servers are connected directly to the
interfaces of LinkProof.
A cross cable is required in order to connect the two LinkProof devices together (using Giga,
or Fast Ethernet ports).
The interfaces to which the servers are connected and the interface used for connecting the
two LinkProof devices, are associated to a Switched IP VLAN. This puts all the servers on a
single switch.
Using bridging, you need to configure a Regular VLAN including the switch IP VLAN and the
LinkProof interface to the external side. This creates a bridge between the Switched VLAN
and the interface to the external side. When needed, multiple LinkProof interfaces can be
added to this Regular VLAN.
Using routing with Layer 2 or Layer 3 switches, either connecting LinkProof and servers or
connecting LinkProof to the external subnet, you must avoid configuration that contains a
loop. For example, having a cross cable between the switches as well as between LinkProof
devices, or connecting each LinkProof to 2 cross-connected switches where the 2
connections are on the same Switched IP VLAN on LinkProof, must be avoided.
Figure 27 - Direct Server Connection with VRRP and Routing
(Diagram: routers on the external side; Switch IP VLAN 1 and Switch IP VLAN 2 are defined on
both LinkProof-L and LinkProof-R.)
Configuration Notes for Direct Server Connection with Routing:
• This configuration is supported with VRRP and Switched IP VLAN only.
• Firewalls are connected directly to the interfaces of LinkProof. Cross cables are required
in order to connect the two LinkProof devices together (using Giga or Fast Ethernet
ports).
• The interfaces to which the firewalls are connected and the interface used for
connecting the two LinkProof devices are associated to a Switched IP VLAN. This puts all
the firewalls on a single switch. An IP address (from the blue subnet) should be
associated with the Switched IP VLAN in each device.
• LinkProof configuration, including LinkProof redundancy configuration, remains as usual.
• The default gateway of firewalls and routers is the IP address of the respective Switched
IP VLAN of the active LinkProof.
Note:
• When using dual NIC, where the active NIC is determined by ping to the
default gateway, set a virtual DNS with IP 10.1.1.20 on LinkProof. This IP
should be the default gateway of the servers. In the Associated IP Addresses
Table window configure the following entries: Interface=100002, VRID=10,
Associated IP=10.1.1.20.
LinkProof uses routing between the blue subnet (of the firewalls) and the orange
(routers) subnet. This is essential in order to avoid loops in the network.
• When adding or removing ports to a Switch IP VLAN that is already associated to a
VRID, you must set the VRID Admin Status to Down, make the change and then set the
VRID Admin Status to Up again.
Interface Grouping Used with Direct Connection
To support redundant configuration with direct server connectivity, the interface grouping
operation is modified. Interface grouping is always part of the LinkProof redundancy
mechanism. Enabling interface grouping on the Main device ensures that if one of the
interfaces of the device fails, the device closes all its other interfaces and becomes invisible
to the network.
Using a switched VLAN, the grouping takes place only when all interfaces that were configured
in the switched VLAN are down. Interface grouping is released when all interfaces in the
switched VLAN are up.
Using Switched VLAN as part of a Regular VLAN, grouping takes place only when all
interfaces in a Switched VLAN are down, or when any other port in the Regular VLAN is
down. Interface grouping is released when all interfaces in a switched VLAN are up and
when all other ports in the Regular VLAN are up.
Example: Redundant LinkProof Configuration with VRRP and Direct
Connection
The example in Redundant LinkProof Configuration with VRRP and Direct Connection,
page 221 illustrates the scheme for a redundant LinkProof configuration with VRRP and
direct connection. VRRP with Switched IP VLAN allows direct connection of servers to
LinkProof.
Figure 28 - Redundant LinkProof Configuration with VRRP and Direct Connection
(Diagram: Router 1 (30.1.1.1) and Router 2, inter-connected on subnet 30.1.1.x; LinkProof 1
(Regular, 100.1.1.10) and LinkProof 2 (Backup, 100.1.1.11), each with a Switched IP VLAN on
ports 1 and 5 toward the routers and a Switched IP VLAN toward the firewalls on ports 2 and 4
(LinkProof 1) or 3 and 4 (LinkProof 2); VIP addresses 100.1.1.100 and 200.1.1.100; Firewall 1
(10.1.1.1, dual NIC) and Firewall 2 (10.1.1.2).)
Properties:
• Firewalls are directly connected to LinkProof, possibly with dual NIC.
• Each router is connected directly to a different LinkProof and they are inter-connected
as well (subnet 30.1.1.x). A route towards the other router should be configured on each
router.
• Network side and server side are on different subnets.
• The virtual IP addresses served by the LinkProofs are 100.1.1.100 and 200.1.1.100,
usually handled by LinkProof 1.
• Firewalls 10.1.1.1 and 10.1.1.2 are assigned to the farm managed by LinkProof 1.
• Redundancy is performed using the VRRP protocol.
To configure Active LinkProof (LinkProof 1):
1. Define LinkProof 1: From the main window, double-click the LinkProof icon. The
LinkProof Connect to Device window appears. Type the device's IP address: 100.1.1.10
and click Ok.
2. Define VLANs on LinkProof 1:
a. From the main window, double-click the LinkProof icon. The LinkProof Setup
window appears.
b. From the LinkProof Setup window, click Networking > VLAN. The LinkProof Virtual
VLAN window appears.
c. From the LinkProof Virtual VLAN window, select the IP VLAN Interface 100002 and
assign ports 2 and 4.
d. From the Type drop-down list, select Switch and ensure the Protocol is set to IP. Click
Ok.
e. Repeat steps c and d and assign ports 1 and 5 to VLAN 100003.
f. From the LinkProof Setup window, click Add. The Edit LinkProof Interface dialog box
appears.
g. From the Edit LinkProof Interface dialog box, set the following parameters according
to the explanations provided:

    IF Num    IP Address    Network Mask
    100002    10.1.1.10     255.255.255.0
    100003    100.1.1.10    255.255.255.0
    100003    200.1.1.10    255.255.255.0

h. Click Ok.
3. Add 2 routers to the map:
a. From the LinkProof toolbar, click Add and from the drop-down menu add a Router.
The Router window appears.
b. From the Router window, set the following parameters according to the explanations
provided. For the first router, set:
    Server Name:   Router 1
    IP Address:    100.1.1.20
c. Add the second router by setting the following parameters according to the
explanations provided:
    Server Name:   Router 2
    IP Address:    200.1.1.20
d. Click Ok.
4. Add 2 firewalls to the map:
a. From the LinkProof toolbar, click Add and from the drop-down menu add a Firewall.
In the Firewall window, set the following parameters according to the
explanations provided for each firewall. For the first firewall, set:
    Server Name:   Firewall 1
    IP Address:    10.1.1.1
b. Add the second firewall by setting the following parameters according to the
explanations provided:
    Server Name:   Firewall 2
    IP Address:    10.1.1.2
c. Click Ok.
5. Add 2 farms to LinkProof:
FM1: Firewall Farm to load balance inbound traffic via the firewalls.
FM2: Router Farm to load balance outbound and inbound traffic via the routers.
a. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection
window appears.
b. From the LinkProof Traffic Redirection window, click the Farms tab. The Farms pane
appears.
c. From the Farms pane, click Add. The Edit LinkProof Farms window appears.
d. From the Edit LinkProof Farms window, for Farm Type select Firewall and define
the farm name, for example: Internal Firewall.
e. From the Edit LinkProof Farms window, click the Traffic Settings tab and set the
parameters as required.
f. Add the farm servers. From the Farm Servers tab, click Add. The LinkProof Farm
Firewall Server window appears.
g. From the LinkProof Farm Firewall Server window, select servers as specified in step
i below.
h. From the LinkProof Farm Firewall Server window, click Traffic Settings and set the
parameters as required.
i. Repeat this procedure for all farms. For each farm define servers and load balancing
parameters according to the explanations provided:

    Farm Name       Server Name   Server Address
    Firewall Farm   Firewall 1    10.1.1.1
    Firewall Farm   Firewall 2    10.1.1.2
    Router Farm     Router 1      100.1.1.20
    Router Farm     Router 2      200.1.1.20

j. Click Ok. Your preferences are recorded.
6. Define the Redundancy for LinkProof 1:
a. Double-click the LinkProof icon. The LinkProof Setup window appears.
b. From the LinkProof Setup window, select Redundancies. The LinkProof
Redundancies window appears.
c. From the LinkProof Redundancies window, click Advanced Redundancy. The
Advanced Redundancy window appears.
d. From the Advanced Redundancy window, check the Interface Grouping checkbox
and click Ok.
7. From the Relation Type drop-down list, select VRRP.
8. From the LinkProof Redundancies window, click Add. The Edit VRRP Table dialog box
appears.
9. From the Edit VRRP Table dialog box, set the following parameters for LinkProof 1
according to the explanations provided:
    Interface   VRID   Enable Virtual Router   Priority   Primary IP
    100003      100    Selected                255        100.1.1.10
    100003      100    Selected                255        200.1.1.10
    100002      10     Selected                255        10.1.1.10
10. From the LinkProof Redundancies window, click Associated IP. The Associated IP
Address window appears.
11. From the Associated IP Address window, set the following parameters according to the
explanations provided:
    Interface   VRID   Associated IP
    100003      100    100.1.1.100 (VIP Address)
    100003      100    200.1.1.100 (VIP Address)
    100003      100    100.1.1.10 (LinkProof IP Address)
    100003      100    200.1.1.10 (LinkProof IP Address)
    100002      10     10.1.1.10 (LinkProof IP Address)
12. Click OK.
Note:
When using dual NIC, where the active NIC is determined by ping to the
default gateway, set a virtual DNS with IP 10.1.1.20 on LinkProof. This IP
should be the default gateway of the firewalls. In the Associated IP Addresses
Table window configure the following entries: Interface=100002, VRID=10,
Associated IP=10.1.1.20.
To configure Backup LinkProof (LinkProof 2):
1. Define LinkProof 2: From the main window, double-click the LinkProof icon. The
LinkProof Connect to Device window appears. Type the device's IP address: 100.1.1.11
and click Ok.
2. Define VLANs on LinkProof 2:
a. From the main window, double-click the LinkProof icon. The LinkProof Setup
window appears.
b. From the LinkProof Setup window, click Networking > VLAN. The LinkProof Virtual
VLAN window appears.
c. From the LinkProof Virtual VLAN window, select the IP VLAN Interface 100002 and
assign ports 3 and 4.
d. From the Type drop-down list, select Switch and ensure the Protocol is set to IP. Click
Ok.
e. Repeat steps c and d and assign ports 1 and 5 to VLAN 100003.
f. From the LinkProof Setup window, click Add. The Edit LinkProof Interface dialog box
appears.
g. From the Edit LinkProof Interface dialog box, set the following parameters according
to the explanations provided:

    IF Num    IP Address    Network Mask
    100002    10.1.1.11     255.255.255.0
    100003    100.1.1.11    255.255.255.0
    100003    200.1.1.11    255.255.255.0

h. Click Ok.
3. Add 2 farms to LinkProof:
FM1: Firewall Farm to load balance inbound traffic via the firewalls.
FM2: Router Farm to load balance outbound and inbound traffic via the routers.
a. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection
window appears.
b. From the LinkProof Traffic Redirection window, click the Farms tab. The Farms pane
appears.
c. From the Farms pane, click Add. The Edit LinkProof Farms window appears.
d. From the Edit LinkProof Farms window, for Farm Type select Firewall and define
the farm name, for example: Internal Firewall.
e. From the Edit LinkProof Farms window, click the Traffic Settings tab and set the
parameters as required.
f. Add the farm servers. From the Farm Servers tab, click Add. The LinkProof Farm
Firewall Server window appears.
g. From the LinkProof Farm Firewall Server window, select servers as specified in step
i below.
h. From the LinkProof Farm Firewall Server window, click Traffic Settings and set the
parameters as required.
i. Repeat this procedure for all farms. For each farm define servers and load balancing
parameters according to the explanations provided:

    Farm Name       Server Name   Server Address
    Firewall Farm   Firewall 1    10.1.1.1
    Firewall Farm   Firewall 2    10.1.1.2
    Router Farm     Router 1      100.1.1.20
    Router Farm     Router 2      200.1.1.20

j. Click Ok. Your preferences are recorded.
Note:
The default router of the firewalls 10.1.1.1 and 10.1.1.2 is the 10.1.1.10
address of LinkProof 1, or, when using dual NIC, the default gateway of the
firewalls is the Virtual DNS address 10.1.1.20.
4. Define the redundancy for LinkProof 2:
a. Double-click the LinkProof icon. The LinkProof Setup window appears.
b. From the LinkProof Setup window, click Redundancies. The LinkProof
Redundancies window appears.
c. From the LinkProof Redundancies window, from the Mode drop-down list, select
VRRP.
d. Click Add. The Edit VRRP Table dialog box appears.
e. From the Edit VRRP Table dialog box, set the following parameters for LinkProof 2
according to the explanations provided:

    Interface   VRID   Enable Virtual Router   Priority   Primary IP
    100003      100    Selected                100        100.1.1.11
    100003      100    Selected                100        200.1.1.11
    100002      10     Selected                100        10.1.1.11

f. Click Ok.
5. From the LinkProof Redundancies window, click Associated IP. The Associated IP
Address window appears.
6. From the Associated IP Address window, set the following parameters according to the
explanations provided:
    Interface   VRID   Associated IP
    100003      100    100.1.1.100 (VIP Address)
    100003      100    200.1.1.100 (VIP Address)
    100003      100    100.1.1.10 (Main LinkProof IP Address)
    100003      100    200.1.1.10 (Main LinkProof IP Address)
    100002      10     10.1.1.10 (Main LinkProof IP Address)
7. Click Ok.
8. When using firewalls with dual NIC, where the active NIC is determined using ping to the
default gateway, configure a virtual DNS with IP address 10.1.1.20, with Redundancy Mode on
the Backup. In the Associated IP Addresses Table window, click Insert and set the
following parameters according to the explanations provided:

    Interface   VRID   Associated IP
    100002      10     10.1.1.20
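The VRRP tables of the two devices have to agree with each other for the failover above to work: the same VRIDs on the same interfaces, the same associated IPs on both devices, the main device at priority 255 (address owner) and the backup lower. The following Python script is an added example, not part of this guide or of Radware's software: it encodes the entries configured on LinkProof 1 and LinkProof 2 above as data, checks those properties, and works out which device is master per VRID, both in normal operation and when interface grouping takes LinkProof 1 off every VRID at once. The Vrid and Device classes and the failover() helper are this example's own; nothing here talks to a device.

```python
"""Consistency check and master election for the two-device VRRP example above.

Added illustration, not Radware code. The Edit VRRP Table and Associated IP
entries configured on LinkProof 1 and LinkProof 2 are encoded as plain data and
checked for the properties the scheme relies on: both devices carry the same
VRIDs on the same interfaces, both advertise the same associated IPs, and the
priorities give LinkProof 1 precedence (255 marks the address owner). It then
works out which device is master per VRID, including the case where interface
grouping closes every interface of LinkProof 1 at once. The Vrid/Device classes
and the failover() helper are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vrid:
    interface: int   # LinkProof IF number, e.g. 100003
    vrid: int


@dataclass
class Device:
    name: str
    priority: dict     # Vrid -> VRRP priority (1..254; 255 = address owner)
    primary_ip: dict   # Vrid -> this device's own IP on that interface
    associated: dict   # Vrid -> set of IPs the virtual router answers for
    up: bool = True    # False once interface grouping has closed all interfaces


# Values from the procedure above (LinkProof 1 = main, LinkProof 2 = backup)
EXT, INT = Vrid(100003, 100), Vrid(100002, 10)
ASSOC = {
    EXT: {"100.1.1.100", "200.1.1.100", "100.1.1.10", "200.1.1.10"},
    INT: {"10.1.1.10"},
}
LP1 = Device("LinkProof 1", {EXT: 255, INT: 255},
             {EXT: "100.1.1.10", INT: "10.1.1.10"}, ASSOC)
LP2 = Device("LinkProof 2", {EXT: 100, INT: 100},
             {EXT: "100.1.1.11", INT: "10.1.1.11"}, ASSOC)


def check_pair(main, backup):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    if set(main.priority) != set(backup.priority):
        problems.append("VRID sets differ between the two devices")
    for v in main.priority:
        if v not in backup.priority:
            continue
        if main.associated[v] != backup.associated.get(v):
            problems.append(f"associated IPs differ for VRID {v.vrid}")
        if main.priority[v] <= backup.priority[v]:
            problems.append(f"backup priority is not below main priority for VRID {v.vrid}")
        if main.priority[v] == 255 and main.primary_ip[v] not in main.associated[v]:
            # 255 means address owner: the owner's own IP must be among the
            # addresses the virtual router serves, as in the table above.
            problems.append(f"main owns VRID {v.vrid} but its own IP is not associated")
        if backup.priority[v] == 255:
            problems.append(f"backup must not claim ownership (255) of VRID {v.vrid}")
    return problems


def elect(devices, v):
    """Master for VRID v: the highest priority among devices that are up."""
    candidates = [d for d in devices if d.up and v in d.priority]
    return max(candidates, key=lambda d: d.priority[v]).name if candidates else "none"


def masters(devices):
    """Master per VRID number."""
    vrids = {v for d in devices for v in d.priority}
    return {v.vrid: elect(devices, v) for v in vrids}


def failover(main, backup):
    """Interface grouping takes the main device off every VRID at once, so the
    backup must win all of them, not only the one whose link actually failed."""
    main.up = False
    try:
        return masters([main, backup])
    finally:
        main.up = True


if __name__ == "__main__":
    print("problems:", check_pair(LP1, LP2) or "none")
    print("normal operation:", masters([LP1, LP2]))
    print("after interface grouping on LinkProof 1:", failover(LP1, LP2))
```

The point of check_pair() is the class of mistake that is easy to make when typing the two tables by hand: a VRID present on one device only, an associated IP list that differs between the devices, or a backup that also claims priority 255. Any of these leaves one side answering for addresses the other does not know about, or two owners fighting over the same VIP.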
Chapter 7 - Security
This chapter provides a general overview of the SynApps Security modules and the sub-modules
within, as well as an explanation of the signatures database and the Radware Security
Update Service (SUS). Also provided in this chapter is an explanation of the tuning process.
This chapter includes the following sections:
• Security Overview, page 231
• Intrusions, page 241
• DoS/DDoS, page 258
• SYN Flood Protection, page 275
• Protocol Anomalies, page 283
• Anti-Scanning, page 293
• Managing Signatures Database, page 299
• Security Tuning, page 305
• Security Events, page 310
• Security Reports, page 314
Security Overview
This section provides an introduction to the LinkProof Security modules, their configuration,
security policies and connectivity.
This section includes the following topics:
• Security Introduction, page 231
• Security Modules, page 232
• Configuring Security Modules, page 234
• Configuring Security Policies, page 235
• Enabling Protection and Setting up General Security Parameters, page 235
• Defining Connectivity, page 239
Security Introduction
Radware's LinkProof isolates, detects and blocks application attacks at multi-Gigabit speed,
protecting against viruses, worms, DoS, intrusions, anomalies and scanning, for immediate
high capacity application security. LinkProof provides secure Internet connectivity with
high performance while maintaining the legitimate traffic of end users and customers.
LinkProof performs deep packet inspection at multi-Gigabit speed to provide security from
the network layer up to the application layer. LinkProof provides a multi-layer security
approach that combines several mechanisms for attack detection with advanced mitigation
tools, such as:
• Intrusions
• DoS
• Anomalies
• SYN Flood
• Anti-Scanning
Detecting
The Security module detects both known and unknown attacks. Known attacks are
detected by searching for attack signatures within the scanned packets; the Intrusions
module uses a constantly updated signatures database for this purpose. Known attack
detection is applied by defining Protection Policies. A policy binds network addresses and
physical ports to a profile of attack protection.
Unknown attacks are detected using protocol anomaly inspection. The Security module
detects IP protocol anomalies and URI protocol anomalies using the Anomaly module. An IP
protocol anomaly is IP packet fragmentation; a URI protocol anomaly may be URI
fragmentation or a buffer overflow.
Protecting
The Security module protects network and application level resources against attacks
destined for the internal IP addresses of the network elements or for attacks destined for
the device. Protection is provided for applications, operating systems, network equipment
and resources behind the device.
Preventing
The Security module enables real-time prevention of the attacks within the defined network.
The attack attempts are blocked by terminating the sessions as they are recognized either
by dropping the malicious packets or by resetting the connection. Both source and
destination reset options are supported.
The Security module also protects against network port scanning using the Anti-Scanning
module/tool. Hackers perform scanning prior to launching an attack, looking for open TCP or
UDP ports on the target machine. Blocking the scanning prevents attacks being launched.
Reporting
When the Security module detects an attack, it reports the security event. An event
consists of complete traffic information, including source and destination IP addresses,
TCP/UDP port numbers, physical interface, date and time of the attack and so on.
Event information is registered internally in the device log file and alerts table, or
externally via the Syslog channel, SNMP traps or e-mail.
With APSolute Insite you can produce advanced statistic reports such as top attacks, total
attack traffic, attacks per IP address, and more.
Radware Security Update Service on the Web
Radware's Security Update Service delivers immediate and ongoing security filter updates,
protecting against the latest security exploits including viruses, worms and malicious attack
signatures to safeguard your applications, network and users.
Radware Security Update Service is available on a one-year or multi-year subscription basis
for all LinkProof and SynApps Security customers.
Note:
Refer to the "Radware Security Zone" available from the Radware web site for
up-to-date security information at
http://www.radware.com/content/support/securityzone/serviceinfo/default.asp
Security Modules
LinkProof Security is comprised of the following modules:
• Intrusions
• DoS/DDoS
• SYN Floods
• Anomalies
• Anti-Scanning
Intrusions
Intrusion prevention is a security technology that identifies intrusions against
computer systems and prevents their damage by blocking the attacks.
Application level attacks are aimed at mission critical applications. These attacks
threaten application integrity and bring networks and applications down. Most of these
attacks arrive over port 80, and therefore cannot be blocked by port-based access control
devices.
The LinkProof Intrusions module provides protection against application specific attacks,
which are targeted to damage various network resources and disable the attacked system.
These attacks include the following categories:
• Web Server Attacks that are intended to damage or exploit Web servers.
• E-mail attacks, such as sending worms via e-mail.
• Attacks on services, such as FTP, RPC and so on.
DoS/DDoS
When attackers send mass volumes of traffic, they overload networks or servers, thus
denying access to real users. This is known as a Denial of Service (DoS) or Distributed
Denial of Service (DDoS) attack. DoS attacks are intended to compromise the availability of
a computing resource. Usually DoS attacks include ICMP floods, UDP floods and TCP-SYN
floods that consume network bandwidth and prevent normal transport of legitimate
traffic.
The LinkProof DoS Shield module, which is part of the SynApps architecture, provides
protection against flooding of UDP, TCP and ICMP. DoS Shield samples the traffic flowing
through the device and limits the bandwidth of traffic recognized as a DoS attack, using the
predefined action. This provides organizations with extensive DoS detection and protection
capabilities while maintaining high network throughput.
DoS Shield provides real time DoS protection through the use of an advanced sampling
mechanism. This mechanism compares sampled traffic with a list of attack signatures
(attacks in the Dormant state), which are part of the LinkProof attack database. The
signatures identify known flood tools by recognizing unique bit patterns within the sampled
traffic. Once the activation threshold of an attack in the Dormant state is met, its status
changes to Currently Active, which means that each and every packet is matched against
the signature of this Currently Active attack. If a match is found, the packet is dropped
(or forwarded, according to the configured action). If there is no match, the packet is
forwarded to the network.
This mechanism facilitates DoS and DDoS protection for high capacity networks.
SYN Floods
A SYN flood attack is a denial of service attack in which the attacker sends a huge number
of connection-request (SYN) packets and then no follow-up packets.
LinkProof provides protection against any type of SYN flood attack, irrespective of the tools
that are used to launch the attack. This protection service utilizes a mechanism called SYN
Cookies, which performs delayed binding (terminates the TCP handshake on the device) and
inserts a signature into the TCP sequence number field.
SYN Flood Protection is a service intended to protect the hosts located behind the device,
and the device itself, from SYN flood attacks by performing delayed binding.
One form of SYN flood attack sends SYN packets without completing the TCP
three-way handshake. Another form completes the TCP three-way handshake but sends no
data packets afterwards. Radware provides protection against both forms of SYN flood
attack.
After the completion of the three-way handshake, LinkProof only processes requests that
carry the signature that was inserted previously. This mechanism guarantees that only
legitimate requests are sent to the servers, while half-open TCP connections, aimed at
consuming server resources, are terminated by LinkProof and flood neither the servers nor
LinkProof itself.
The attacks are detected and blocked by means of SYN Flood Protection Policies. Reports
regarding current attacks appear in the Active Triggers table.
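The mechanism above, "a signature in the TCP sequence field" plus delayed binding, is what makes the protection stateless: the device does not have to remember a half-open connection to recognize the ACK that completes it. The following Python script is an added example of that technique in the general form (an HMAC over the connection 4-tuple, a device secret and a coarse time counter, packed into the initial sequence number); it is not Radware's encoding and not code from this guide. The 64-second counter, the 5-bit/27-bit split, the SynProxy class and the constructed traffic in demo() are this example's own choices.

```python
"""SYN cookie handshake with delayed binding.

Added illustration of the technique the SYN Floods section describes, not
Radware's encoding. The device answers each SYN with a SYN-ACK whose initial
sequence number is a signature (an HMAC over the connection 4-tuple, a device
secret and a coarse time counter) and keeps no state for the half-open
connection. Only a client that returns the matching ACK is bound to a real
server connection, so a flood of SYNs without follow-up costs the device and
the servers nothing. The 64-second counter, the 5-bit/27-bit split and the
SynProxy class are this example's own choices.
"""
import hashlib
import hmac
import os

SECRET = os.urandom(32)   # would be rotated periodically on a real device
COUNTER_SECONDS = 64      # granularity of the time counter stored in the cookie
MAX_AGE = 1               # accept cookies from the current or the previous counter
MAC_BITS = 27             # low 27 bits hold the MAC, high 5 bits the counter
MAC_MASK = (1 << MAC_BITS) - 1


def _mac(src, sport, dst, dport, counter, secret):
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(src, sport, dst, dport, now, secret=SECRET):
    """ISN to send in the SYN-ACK: 5-bit time counter, then the 27-bit MAC."""
    counter = int(now // COUNTER_SECONDS) & 0x1F
    return (counter << MAC_BITS) | _mac(src, sport, dst, dport, counter, secret)


def check_cookie(src, sport, dst, dport, ack, now, secret=SECRET):
    """Verify the third-packet ACK, which acknowledges ISN + 1."""
    isn = (ack - 1) & 0xFFFFFFFF
    counter, mac = isn >> MAC_BITS, isn & MAC_MASK
    age = (int(now // COUNTER_SECONDS) - counter) & 0x1F
    if age > MAX_AGE:
        return False  # too old, or a replayed cookie
    expected = _mac(src, sport, dst, dport, counter, secret)
    return hmac.compare_digest(mac.to_bytes(4, "big"), expected.to_bytes(4, "big"))


class SynProxy:
    """Delayed binding: a server connection exists only after a valid ACK."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.bound = []        # (src, sport, dst, dport) handed to the real server
        self.half_open = 0     # stays 0: nothing is stored per SYN

    def on_syn(self, src, sport, dst, dport, now):
        return make_cookie(src, sport, dst, dport, now, self.secret)  # SYN-ACK ISN

    def on_ack(self, src, sport, dst, dport, ack, now):
        if not check_cookie(src, sport, dst, dport, ack, now, self.secret):
            return False       # no valid cookie, no server connection
        self.bound.append((src, sport, dst, dport))
        return True


def demo():
    """A legitimate client, a 10,000-SYN flood, and one forged ACK (constructed)."""
    proxy, t = SynProxy(), 1_000_000.0
    isn = proxy.on_syn("198.51.100.7", 40000, "10.1.1.1", 80, t)
    good = proxy.on_ack("198.51.100.7", 40000, "10.1.1.1", 80, (isn + 1) & 0xFFFFFFFF, t + 1)
    for i in range(10_000):  # flood: SYNs that are never followed up
        proxy.on_syn(f"203.0.113.{i % 250}", 1024 + i, "10.1.1.1", 80, t)
    forged = proxy.on_ack("203.0.113.9", 1033, "10.1.1.1", 80, 12345678, t + 1)
    return good, forged, len(proxy.bound), proxy.half_open


if __name__ == "__main__":
    print(demo())
```

Two details carry the security of the scheme: the MAC covers the full 4-tuple, so a cookie issued for one client cannot be replayed from another address, and the time counter bounds how long a captured cookie stays valid. The price of statelessness is the one the text alludes to: TCP options offered in the original SYN cannot be remembered, which is why real implementations either encode a few of them in the remaining bits or accept losing them.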
Anomalies
To avoid detection, attackers may use evasion techniques, such as splitting packets and
sending attacks in fragments. Fragmented packets are therefore suspected of carrying an
attack. An attack that contains fragmented packets is called a Protocol Anomaly attack.
Protocol Anomaly attacks are detected and blocked using the Protocol Anomaly Protection
mechanism.
The Anomalies module provides protection using three sub-groups:
• Protocol_Anomalies group
• Fragment Attack protection, including:
  — HTTP Fragmentation protection
  — IP Fragmentation protection
• Buffer Overflow protection
Protection against Protocol Anomaly attacks is achieved by dropping the malicious packets.
Anti-Scanning
Prior to launching an attack, a hacker will normally try to identify which TCP and UDP
ports are open. An open port represents a service, an application or a backdoor. Ports that
were left open unintentionally can create a serious security problem.
The Anti-Scanning module provides a mechanism aimed at preventing hackers from gaining
this information by blocking and altering the server replies sent to the hacker.
The Anti-Scanning module provides protection against network and port scanning, including
the following groups:
• Scanning: Provides protection against known scanning tools.
• Scanning-generic protection: Provides protection against scanning tools that wait for a
positive reply (SYN-ACK for TCP, or a UDP reply). The filters in this group block all traffic
returned from the scanned server.
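The generic protection above works on the reply direction: a scanner only learns that a port is open because the server answers. The following Python script is an added example of that idea, not code from this guide or from Radware: it counts the distinct destination ports each source touches within a sliding window, flags a source that exceeds a threshold, and from then on drops everything the scanned server sends back to it, so open and closed ports look alike to the scanner. The threshold, the window and the constructed flows in run_demo() are this example's own.

```python
"""Generic scan suppression, in the spirit of the Scanning-generic protection above.

Added illustration, not Radware code. A scanner learns which ports are open from
the positive replies a server returns (SYN-ACK for TCP, any datagram for UDP).
The filter records the distinct destination ports each source touches within a
sliding window; a source that exceeds the threshold is flagged, and from then on
every reply the scanned server sends back to it is dropped, so open and closed
ports look the same to the scanner. Threshold, window and the traffic in the
demo are constructed for the example.
"""
from collections import defaultdict, deque


class ScanFilter:
    def __init__(self, max_ports=10, window=5.0):
        self.max_ports = max_ports
        self.window = window
        self.probes = defaultdict(deque)  # src -> deque of (time, dport)
        self.flagged = {}                 # src -> time at which it was flagged

    def _prune(self, src, now):
        q = self.probes[src]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def inbound(self, now, src, dport):
        """Client-to-server packet: record the port, flag the source if it is scanning."""
        self._prune(src, now)
        self.probes[src].append((now, dport))
        if src not in self.flagged and len({p for _, p in self.probes[src]}) > self.max_ports:
            self.flagged[src] = now
        return "forwarded"  # the probe itself still reaches the server

    def reply(self, dst):
        """Server-to-client packet: all traffic back to a flagged source is dropped."""
        return "dropped" if dst in self.flagged else "forwarded"


def run_demo():
    """Constructed flows: one host sweeping 50 ports in 2 s, one client reusing 80/443."""
    f = ScanFilter(max_ports=10, window=5.0)
    scanner, client = "203.0.113.5", "198.51.100.7"
    flows = [(i * 0.04, scanner, 1 + i) for i in range(50)]
    flows += [(i * 0.1, client, 80 if i % 2 else 443) for i in range(20)]
    flows.sort()
    replies_seen = {scanner: [], client: []}
    for t, src, dport in flows:
        f.inbound(t, src, dport)
        if f.reply(src) == "forwarded":      # the server answers every probe
            replies_seen[src].append(dport)
    return replies_seen, dict(f.flagged)


if __name__ == "__main__":
    print(run_demo())
```

The scanner still sees replies for the ports it probed before crossing the threshold (ten here), which is the usual trade-off: a lower threshold catches slower scans earlier but starts to flag legitimate clients that talk to many services, so the window and threshold have to be tuned against real traffic, much as the Security Tuning section describes for the signature tables.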
Configuring Security Modules
Creating a new profile allows you to aggregate Attack Groups, Advanced Attacks or Basic
Attacks. You can set one or more profiles for each security module and then associate each
protection profile with the port/VLAN/network settings of a row in the Connect and Protect
Table.
Configuring security for LinkProof via APSolute Insite is performed in the Connect and
Protect Table.
You deploy security services in the following steps:
• Configure connectivity: define either port groups or an IP address range per row in the
Connect and Protect Table.
• For each connectivity row, set the security services according to the module breakdown.
Configuring Security Policies
The Connect and Protect Table allows you to create a security policy to which you can assign
protection profiles. You may add protection profiles to the policy from any or all of the
security modules.
Every row in the Connect and Protect Table represents a policy.
Note:
When creating a security policy you must first define the Port/Net Settings.
To access the Connect and Protect Table, from the LinkProof main application window select
Security. The Connect and Protect Table appears.
Note:
The Index number is the policy number. Clicking S enables and disables a policy.
Policies are applied without regard to their policy number; the number does not
define an order of evaluation.
Configuring a security policy may be divided into three stages: enabling security, connecting
and protecting.
To configure security policies:
1. Enable Security: enable the security modules and define the general security
parameters, see Enabling Protection and Setting up General Security Parameters,
page 235.
2. Configure connectivity: define either port groups/VLANs or IP address ranges per row in
the Connect and Protect Table, see Defining Connectivity, page 239.
3. Define the Protection according to the protection module. For each connectivity row you
can set security services according to the module breakdown:
• Set up the Intrusions module parameters
• Set the DoS/DDoS module parameters
• Set up the SYN Flood module parameters
• Set up the Anomaly module parameters
• Set up the Anti-Scanning module parameters
Enabling Protection and Setting up General Security Parameters
The Radware security solution provides a multi-layer security approach that combines
several mechanisms for attack detection with advanced security modules, including:
Intrusions, DoS/DDoS, Anomalies, SYN Flood Protection, Anti-Scanning. The security
modules are configured in the Connect and Protect Table, and the mechanisms for attack
detection are configured in the Security Parameters window.
In addition you can set the general security parameters in that window. The following
general security settings can be performed in the Security Parameters window:
• Application Security
• DoS Shield
• Protocol Anomaly Protection
• Reporting
• Security Tables Tuning
Application Security Parameters
Application Security is a mechanism that delivers advanced attack detection and prevention
capabilities. This mechanism is used by several security modules to provide maximum
protection for network elements, hosts and applications.
Note:
Before using Intrusions, DoS/DDoS, Anomalies, and Anti-Scanning, you must
enable the Application Security mechanism and set its parameters.
To set the Application Security Parameters:
1. From the Connect and Protect Table, click Settings, OR from the main window, double-click
the device icon and then select Global > Security Settings > Edit Settings. The
Security Parameters window appears.
2. From the Application Security Parameters pane, select Start Protection and click Ok.
Information boxes appear notifying that the device must be rebooted.
3. Follow the messages displayed in the Information boxes. Once the device is rebooted,
the Attacks DB Version text box displays the version number of the Signatures
database that is currently used by Application Security and DoS Shield.
4. From the Action text box, set the action that is taken when an attack is detected:
    Drop:                The packet is discarded.
    Forward:             The packet is forwarded to the defined destination.
    Reset Source:        Sends a TCP-Reset packet to the packet's source IP.
    Reset Destination:   Sends a TCP-Reset packet to the destination address.
5. The value that you set here is offered as the default action when you define a
custom attack.
6. Click Apply > Ok. You can start using the following security modules: Intrusions, DoS/
DDoS, Anomalies, and Anti-Scanning.
DoS Shield Parameters
The DoS Shield mechanism implements the sampling algorithm, and accommodates traffic
flooding targeted to create denial of the network services. This mechanism is included in the
DoS/DDoS security module.
Note:
Prior to configuring the DoS/DDoS security module, you must enable DoS
Shield and set its general parameters.
To enable DoS Shield and set its general parameters:
1. From the Connect and Protect Table, click Settings, OR from the main window doubleclick the device icon and then select Global > Security Settings > Edit Settings. The
Security Parameters window appears.
236
Doc. No.: 8261
LinkProof User Guide
2. From the DoS Shield Parameters pane, select Start DoS Shield Protection and click Ok. Information boxes appear notifying that the device must be rebooted.
3. Follow the messages displayed in the Information boxes. Once the device is rebooted, the Attacks DB Version text box displays the version number of the Signatures database that is currently used by Application Security and DoS Shield.
4. From the DoS Shield Parameters pane, set the following parameters according to the explanations provided:
Panic Mode (checkbox): Enables Panic mode. In Panic mode you can limit the number of enabled security Attacks that are activated when the network is under attack. During an unrecognized attack, disabled filters that are defined as Panic become enabled and function as Dormant state filters.
Note:
In reaction to Panic mode activation, only the filters that are configured to function in Panic mode are activated.
Action: Defines how DoS Shield treats attacks. When the Drop option is selected, the packet is discarded. When the Forward action is selected, the packet is forwarded to the desired destination. Default value is Drop.
Packet Sampling Rate: The rate at which packets are sampled and compared to the Dormant Attacks. You configure a number that indicates per how many packets the sampling is performed. Default is 100, meaning 1 out of 100 packets is checked.
Sampling Time (seconds): How often DoS Shield compares the predefined thresholds for each Dormant Attack to the current value of the counters of packets matching the attack. Default is 5 seconds.
Note:
If Sampling Time is very short, meaning that counters are compared to thresholds frequently, regular traffic bursts might trigger attacks. If Sampling Time is too long, attacks cannot be detected quickly enough.
Overload Mechanism: Sets the device behavior when the traffic load approaches the device's maximum processing capacity. Possible options are Drop Excess Traffic or Forward Excess Traffic (without examining it). The default value is Drop Excess Traffic.
Note:
Only the excess traffic is affected by the operation of the Overload Mechanism. Using the Overload Mechanism ensures that the device CPU utilization does not exceed 90%.
5. Click Apply > Ok. You can start using the DoS/DDoS security module.
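The sampling-and-comparison behaviour described by the Packet Sampling Rate and Sampling Time parameters, modelled as an added Python example that is not Radware code; the icmp-flood Dormant Attack, its threshold of 3 sampled matches and the packet streams are constructed for illustration.

```python
"""Model of DoS Shield's sampling-and-threshold behaviour (added example,
not Radware code). Packet Sampling Rate N means 1 in N packets is checked
against the Dormant Attack signatures; every Sampling Time seconds the
per-attack counters are compared with their thresholds."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Packet = dict  # constructed packet: {"t": seconds, "proto": str, "dst": str}


@dataclass
class DormantAttack:
    name: str
    matches: Callable[[Packet], bool]   # signature predicate (constructed)
    threshold: int                       # sampled matches allowed per Sampling Time


@dataclass
class DoSShield:
    packet_sampling_rate: int = 100      # default: 1 out of 100 packets is checked
    sampling_time: float = 5.0           # default: compare counters every 5 s
    attacks: List[DormantAttack] = field(default_factory=list)
    action: str = "drop"                 # Action parameter: Drop (default) or Forward
    _seen: int = 0
    _counters: Dict[str, int] = field(default_factory=dict)
    _window_start: float = 0.0
    _active: Dict[str, bool] = field(default_factory=dict)

    def process(self, pkt: Packet) -> str:
        """Return the per-packet verdict: 'forward' or the configured action."""
        self._maybe_compare(pkt["t"])
        self._seen += 1
        # Only every N-th packet is sampled against the dormant signatures.
        if self._seen % self.packet_sampling_rate == 0:
            for atk in self.attacks:
                if atk.matches(pkt):
                    self._counters[atk.name] = self._counters.get(atk.name, 0) + 1
        # Packets matching an attack whose threshold was exceeded get the action.
        for atk in self.attacks:
            if self._active.get(atk.name) and atk.matches(pkt):
                return self.action
        return "forward"

    def _maybe_compare(self, now: float) -> None:
        """At each Sampling Time boundary compare counters with thresholds."""
        if now - self._window_start < self.sampling_time:
            return
        for atk in self.attacks:
            self._active[atk.name] = self._counters.get(atk.name, 0) > atk.threshold
        self._counters = {}
        self._window_start = now

    def active_attacks(self) -> List[str]:
        return sorted(n for n, on in self._active.items() if on)


def simulate(rate: int, sampling_time: float, packets: List[Packet]) -> dict:
    """Run a constructed packet stream; report verdict counts and active attacks."""
    shield = DoSShield(rate, sampling_time, [
        DormantAttack("icmp-flood", lambda p: p["proto"] == "icmp", threshold=3),
    ])
    verdicts = {"forward": 0, "drop": 0}
    for p in packets:
        verdicts[shield.process(p)] += 1
    return {"verdicts": verdicts, "active": shield.active_attacks()}


def flood_stream(pps: int, seconds: int, proto: str = "icmp") -> List[Packet]:
    """Constructed stream: `pps` packets per second of one protocol."""
    return [{"t": s + i / pps, "proto": proto, "dst": "10.0.0.1"}
            for s in range(seconds) for i in range(pps)]
```

With the defaults, a 1000 packet/s ICMP flood is only acted on from the first Sampling Time boundary (5 s) onwards, which is the detection delay the note on Sampling Time refers to.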
Protocol Anomaly Protection Parameters
The Protocol Anomaly Protection parameters are the general parameters of the Anomalies
security module.
Note:
Before using Anomalies, you must enable the Application Security mechanism
and set its parameters.
To define Protocol Anomaly Protection parameters:
1. From the Connect and Protect Table, click Settings, OR from the main window, double-click the device icon and then select Global > Security Settings > Edit Settings. The Security Parameters window appears.
2. From the Protocol Anomaly Protection Parameters pane, define the following parameters
according to the explanations provided:
Min Fragment Size: The minimum permitted size of a fragmented IP packet. A shorter packet length is treated as an IP protocol anomaly and the packet is dropped. The default value is 512.
Max URI Length: The maximum permitted URI length. If a URI is longer than the configured value, the URI is considered illegitimate and is dropped. The default value is 500.
Min Fragmented URI Packet Size: The minimum permitted size of an incomplete URI in an HTTP request. A shorter packet length is treated as a URI protocol anomaly and is dropped. The default value is 50.
3. Click Apply > Ok. The Security Parameters window closes.
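How the three Protocol Anomaly Protection parameters translate into packet checks, as an added Python example that is not LinkProof code; the IPv4 header parsing, the treatment of a request line without a CRLF as an incomplete URI, and the constructed packets are assumptions for illustration.

```python
"""Checks modelled on the Protocol Anomaly Protection parameters
(added example, not LinkProof code): Min Fragment Size, Max URI Length and
Min Fragmented URI Packet Size, applied to raw IPv4 packets and HTTP requests."""
import struct
from dataclasses import dataclass


@dataclass
class AnomalyParams:
    min_fragment_size: int = 512              # document default
    max_uri_length: int = 500                 # document default
    min_fragmented_uri_packet_size: int = 50  # document default


def ipv4_fragment_info(packet: bytes):
    """Return (is_fragment, total_length) from a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    total_len, flags_frag = struct.unpack("!HH", packet[2:4] + packet[6:8])
    more_fragments = bool(flags_frag & 0x2000)   # MF flag
    frag_offset = flags_frag & 0x1FFF            # 13-bit fragment offset
    return (more_fragments or frag_offset != 0), total_len


def check_ip_fragment(packet: bytes, params: AnomalyParams) -> str:
    """'drop' when a fragment is shorter than Min Fragment Size, else 'pass'.

    Assumption: the size compared is the fragment's IPv4 Total Length, and
    every fragment (including the last one) is subject to the check.
    """
    is_frag, total_len = ipv4_fragment_info(packet)
    if is_frag and total_len < params.min_fragment_size:
        return "drop"
    return "pass"


def check_http_request(payload: bytes, params: AnomalyParams) -> str:
    """Apply Max URI Length and Min Fragmented URI Packet Size to an HTTP request.

    A request line terminated by CRLF is complete and its URI is checked
    against Max URI Length; a request line cut off before its CRLF is an
    incomplete URI and must carry at least Min Fragmented URI Packet Size bytes.
    """
    line_end = payload.find(b"\r\n")
    if line_end == -1:
        # Incomplete request line: the URI continues in a later packet.
        if len(payload) < params.min_fragmented_uri_packet_size:
            return "drop"
        return "pass"
    parts = payload[:line_end].split(b" ")
    if len(parts) < 2:
        return "drop"    # not a valid request line (method and URI expected)
    uri = parts[1]
    if len(uri) > params.max_uri_length:
        return "drop"
    return "pass"


def build_ipv4(total_len: int, more_fragments: bool, frag_offset: int) -> bytes:
    """Constructed minimal IPv4 header (20 bytes, no options) for testing."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, flags_frag, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
```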
Reporting Parameters
You can enable the reporting channels used by Radware devices to get information about
the security events. The following reporting channels are available:
• Traps
• E-mails
• Logging
• Security Terminal Echo
• Security Syslog
To define the reporting channels for security reports:
1. From the Connect and Protect Table, click Settings, OR from the main window double-click the device icon and then select Global > Security Settings > Edit Settings. The Security Parameters window appears.
2. From the Reporting pane, select the reporting channels that you want to use.
3. In the Reporting Interval text box, type the number of seconds that defines how frequently the reports are sent through the reporting channels.
4. In the Max Alerts Per Report text box, type the maximum number of security events that can appear in each report.
5. Click Apply > Ok. Your preferences are recorded.
Defining Connectivity
When creating a security policy, you must first define connectivity. This is done by defining either port groups/VLANs or an IP address range for each policy in the Connect & Protect table.
Policies are represented by rows in the Connect & Protect Table. For each connectivity row,
you can set security services according to the module breakdown (Intrusions, DoS/DDoS,
Anomalies, SYN Flood, Anti-Scanning).
Configuring Port Groups
Port Groups allow you to define which ports are to be scanned. A port group can be defined to include the ports you wish to scan.
To create a new Port Group:
1. From the main window, click the device and click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click in the Port/VLAN column. The Settings pane appears.
3. From the Settings pane, click Add Port Group. The Edit Physical Port Group dialog box appears.
4. From the Edit Physical Port Group dialog box, type a name for the new group and then select the ports to be associated with that group.
5. Click Apply and Ok.
To define previously created Port/Port Groups:
1. From the Connect and Protect Table, double-click in the Port Group column. The Settings pane appears below.
2. From the Settings pane, select the relevant port groups from the drop-down list, e.g. F1, F-2.
3. Click Apply. Your preferences are recorded.
Configuring VLANs
You can define which VLANs to scan.
To define VLANs:
1. From the main window, select the device and click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click in the Port/VLAN column. The Settings pane appears.
3. From the Settings pane, click Add VLAN Tag. The Edit VLAN Tags Group dialog box appears.
4. From the Edit VLAN Tag Groups dialog box, set the following parameters according to the explanations provided:
Group Name: A user-defined name for the VLAN group.
Group Mode: The VLAN Mode can be one of the following:
• Discrete - an individual VLAN tag as defined in the interface parameters of the device.
• Range - a group of sequential VLAN tag numbers as defined in the interface parameters of the device.
VLAN Tag: The VLAN tag number.
VLAN Tag From: The first VLAN tag in the range.
VLAN Tag To: The last VLAN tag in the range.
5. Click Apply > Ok. The Edit VLAN Tag Groups dialog box closes.
Configuring Networks
You may need to define which network IP address range is to be scanned.
To configure a new network:
1. From the Connect and Protect Table, double-click anywhere in the Networks column.
The Settings pane appears.
2. From the Settings pane, click Add New Network. The Edit Network window appears.
3. From the Edit Network window, set the parameters according to the explanations below:
Network Name: Enter a user-defined name for the Network.
Network Mode: Select the Network Mode, either:
• IP Mask
• IP Range
From Address: Define the From Address of the range.
To Address: Define the To Address of the range.
4. Click Ok. Your preferences are recorded.
To define a network from the predefined list:
1. From the Connect and Protect Table, double-click anywhere in the Networks column.
The Settings pane appears.
2. From the Settings pane, set the following parameters according to the explanations
provided:
From Address: Define the From Address of the range.
To Address: Define the To Address of the range.
Check Packets: Determines the profile inspection direction, one way or two way.
Note:
Chapters 7 through 9 provide an explanation of the Security modules and how
to configure them.
Intrusions
This section explains protection against intrusions into your network, and includes the
following topics:
• Introduction to Intrusions, page 241
• Intrusion Prevention Profiles, page 246
• How to use the Intrusion Prevention Module, page 246
• Creating a New User Defined Intrusion Prevention Profile, page 255
Introduction to Intrusions
The Intrusion Prevention module, which is part of the Security modules, provides advanced
intrusion detection and prevention capabilities providing maximum protection for network
elements, hosts and applications. The module prevents various intrusion attempts including
worms, Trojan horses, buffer overflow and one packet attacks.
Types of Attacks
Attack recognition is performed by comparing each packet to the set of signatures stored in a comprehensive Attack Signature Database.
The attacks handled by the Application Security can be divided according to the following
types:
• Network-oriented attacks
• Operating System oriented attacks
• Application-oriented attacks
Network Oriented Attacks
Network-based attacks use network layer packets, such as IP, TCP, UDP or ICMP packets, in order to either learn about or damage a destination host, for example:
• Malformed packets that can cause a server to crash, such as Ping of Death, or a ping packet in which the source address is the same as the destination address, as in the Land Attack.
Operating System Oriented Attacks
Operating System (OS) oriented attacks are designed to break into the server by exploiting vulnerabilities of the server's operating system. The target of the OS-oriented attack is usually to disable the application server functionality by damaging its flow or one of its resources.
The Application Security module protects against the following OS-oriented attacks:
• Simple server attacks attempt to exploit the known vulnerabilities of a server's operating system. An example of such an exploit is utilizing the vulnerabilities of default installations of known software applications. Enabling the Web related Protection Policies in the Intrusion Prevention module protects your Web servers from such attacks. For example, the Welchia worm uses TCP port 135 to infect hosts, exploiting vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface, which is an MS Windows vulnerability.
• Advanced attacks attempt to gain access via back doors left open in the system for the administrators' use, or via Trojan horses, which are hidden parts of the code providing access to restricted areas. Intrusion Prevention protects against these attacks by enabling Back door related Protection Policies (for example Back Orifice).
• Buffer Overflow Attacks
Application-Oriented Attacks
Application-oriented attacks are designed to break into application servers. Such attacks
can be recognized by searching for known signatures of each application in the packets. For
example, a specific path, or a particular command that appears in a packet.
Attacks of the application-oriented type attempt to exploit vulnerabilities in the applications. Intrusion Prevention protects against these attacks by enabling Web related Protection Policies. For example:
• SQL Injection Attacks
• Cross Site Scripting Attacks
Attack Groups
The Intrusions Protection module provides protection against one packet or one session
attack. Table 16 on page 242 shows the attack groups included:
Table 16: Radware Supplied Attack Groups
Attack: Description
Top-N: The "Top-N" group contains signatures of attacks that have the highest activity in the wild. This group is updated whenever Radware's SOC finds it necessary. The signature subset in "Top-N" can be compiled of various services and can later be moved to (or from) an appropriate group.
Worms: The "Worms" group contains signatures of attacks classified as Internet worms. The types of worms in this group include: mass-mailing worms, vulnerability exploiting worms and network-aware worms. Signatures in the "Worms" group stop the propagation of the worms listed in the group.
IIS: The "IIS" group contains signatures of attacks that exploit the vulnerabilities found in the Microsoft IIS Web Service. Signatures in this group protect against HTTP implementation attacks, default Web page attacks, ISAPI extension attacks and SSL attacks.
HTTP-Apache: The "HTTP-Apache" group contains signatures of attacks that exploit the vulnerabilities found in Apache HTTPd and other modules. Signatures in this group protect against HTTP implementation attacks, default servlet attacks and vulnerabilities found in Apache modules.
HTTP-MISC: The "HTTP-MISC" group contains signatures of attacks that exploit vulnerabilities found in miscellaneous Web services. Signatures in this group protect against HTTP implementation attacks, the exploitation of various Web applications and against information disclosure attacks.
Web: The "Web" group contains signatures of attacks that perform command injection into Web services. Signatures in this group prevent command injection into Web applications. Command injection allows command execution on the affected host with the privileges of the Web server.
CGI: The "CGI" group contains signatures of attacks that exploit CGI vulnerabilities in Web applications. Signatures in this group prevent the exploitation of vulnerabilities found in CGI scripts that could allow an attacker to compromise the affected host.
XSS: The "XSS" group contains signatures of attacks that perform cross-site scripting in Web applications. In cross-site scripting, a script is injected into a dynamic HTML page. When viewed by other users, the page is redirected to malicious sites, using the users' local environment credentials without them being aware of it. Signatures in this group prevent the cross-site scripting on the affected host that can lead to information theft and Web session hijacking.
SQL_Injection: The "SQL_Injection" group contains signatures of attacks that perform SQL database modifications. Signatures in this group prevent SQL query injection via Web applications. A successful SQL query injection may lead to information disclosure, data modification and data corruption.
ColdFusion: The "ColdFusion" group contains signatures of attacks that exploit vulnerabilities in the ColdFusion Web service. Signatures in this group prevent the exploitation of vulnerabilities found in the ColdFusion Web service, which may compromise the affected host.
FrontPage: The "FrontPage" group contains signatures of attacks that exploit vulnerabilities in the FrontPage Web Service. Signatures in this group prevent the successful exploitation of vulnerabilities found in the FrontPage Web service, which may compromise the affected host.
SMTP_AS: The "SMTP_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous SMTP servers. Signatures in this group prevent the exploitation of vulnerabilities found in SMTP implementations from miscellaneous vendors, and prevent the propagation of Internet worms.
Telnet_AS: The "Telnet_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous Telnet servers. Signatures in this group prevent the exploitation of vulnerabilities found in Telnet implementations from miscellaneous vendors.
FTP_AS: The "FTP_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous FTP servers. Signatures in this group prevent the exploitation of vulnerabilities found in FTP implementations from miscellaneous vendors.
SQL_AS: The "SQL_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous SQL servers. Signatures in this group prevent the exploitation of vulnerabilities found in SQL implementations from miscellaneous vendors.
NetBIOS: The "NetBIOS" group contains signatures of attacks that exploit vulnerabilities in the NetBIOS service. Signatures in this group prevent the exploitation of vulnerabilities found in NetBIOS implementations.
DNS_AS: The "DNS_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous DNS servers. Signatures in this group prevent the exploitation of vulnerabilities found in DNS implementations from miscellaneous vendors.
POP3_AS: The "POP3_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous POP3 servers. Signatures in this group prevent the exploitation of vulnerabilities found in POP3 implementations from miscellaneous vendors.
IMAP_AS: The "IMAP_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous IMAP servers. Signatures in this group prevent the exploitation of vulnerabilities found in IMAP implementations from miscellaneous vendors.
RPC-Unix: The "RPC-Unix" group contains signatures of attacks that exploit vulnerabilities in the Sun RPC service. Signatures in this group prevent the exploitation of vulnerabilities found in Sun RPC implementations from miscellaneous vendors.
ICMP_AS: The "ICMP_AS" group contains signatures of attacks that exploit vulnerabilities in ICMP services. Signatures in this group prevent the exploitation of vulnerabilities found in ICMP implementations from miscellaneous vendors.
Finger: The "Finger" group contains signatures of attacks that exploit vulnerabilities in the Finger service. Signatures in this group prevent the exploitation of vulnerabilities found in Finger implementations from miscellaneous vendors, and prevent information gathering attempts.
Buffer_Overflow: The "Buffer_Overflow" group contains signatures of attacks that exploit various services by overflowing the declared buffer. Signatures in this group prevent buffer overflow exploitation attempts in those services that do not fit the other service groups. Exploitation of vulnerabilities found in those services would compromise the affected host.
SNMP_AS: The "SNMP_AS" group contains signatures of attacks that exploit vulnerabilities or bad configuration in the SNMP service. Signatures in this group prevent access to SNMP services with public community strings, and protect from exploits of vulnerabilities found in SNMP implementations.
Shellcodes: The "Shellcodes" group contains signatures of shellcodes that are used to exploit buffer overflow vulnerabilities. Signatures in this group prevent shellcode execution on various services that are vulnerable to buffer overflow.
Brute-Force: The "Brute-Force" group contains signatures of password brute force attacks in miscellaneous services. Signatures in this group prevent password-guessing attacks (brute force) in miscellaneous services.
DoS: The "DoS" group contains signatures of denial-of-service attacks on miscellaneous services and protocol implementations. Signatures in this group prevent denial-of-service attacks against miscellaneous services and protocols.
Backdoors_Inbound: The "Backdoors_Inbound" group contains signatures of backdoor communication that enters the infected host. Signatures in this group prevent the backdoor inbound communication, and prevent the backdoor from being controlled remotely.
Backdoors_Outbound: The "Backdoors_Outbound" group contains signatures of backdoor communication that exits the infected host. Signatures in this group prevent the backdoor outbound communication, and prevent the backdoor from being controlled remotely.
Protocol_Anomalies: The "Protocol_Anomalies" group contains signatures of miscellaneous protocol misbehaviors. Signatures in this group prevent the usage of miscellaneous protocol anomalies that could indicate a new exploitation of a protocol vulnerability or a denial-of-service attack.
Archive: The "Archive" group contains signatures of miscellaneous outdated attacks. Signatures in this group prevent the outdated attacks that are no longer valid nowadays. The group may include various types of attacks and attacks from miscellaneous groups.
Unassigned_Filters: The "Unassigned_Filters" group contains signatures that, for various reasons, did not fit other groups. Signatures in this group are custom signatures designed for specific network environments. Using the signatures from this group in other environments can cause false positives or severely degraded performance.
Note:
Groups can change according to Signature File version.
Intrusion Prevention Profiles
An Intrusion Prevention Profile is a mechanism that scans the traffic of a particular Network and physical port. The traffic classification is performed within the predefined network range with a pre-configured traffic direction. All the packets that pass through this range are examined against various Attacks.
Intrusion Prevention Profiles are applied to Attack Groups. An Attack Group uses Basic Attacks and Advanced Attacks as building blocks. A Basic Attack represents a signature for blocking a single attack. When one Basic Attack cannot prevent an attack and you need to increase the protection capabilities, you can use an Advanced Attack. An Advanced Attack consists of two or more Basic Attacks and represents a logical AND between those Basic Attacks. Intrusion Prevention Profiles can use only Attacks that are organized in Attack Groups. An Attack Group represents a logical OR between its Attacks.
Radware provides a comprehensive signature database with attack signatures, divided into Attack Groups according to types of protection. For example, all attack signatures designed to harm IIS Web servers are grouped under the IIS Attack Group. An Intrusion Prevention Profile is built over a single Attack Group and defines the network conditions under which the attack is scanned for. Each Intrusion Prevention Profile can be assigned to a policy. The policy specifies the Network, Physical Inbound Port parameters and Direction.
How to use the Intrusion Prevention Module
Radware supplies the set of predefined Attack Groups that provide constant protection
against all recent attacks, see Table 16 on page 242. You can use these groups to define
prevention profiles. Most of the existing intrusions can be prevented using Radware groups.
In addition to the Radware defined groups, you can create custom Attack Groups, custom
Advanced attacks, and custom Basic attacks. For new users, it is recommended to define
Intrusion Prevention profiles using Radware defined attacks only.
To configure Intrusion Prevention using Radware Defined Attack Groups:
1. Enable Intrusion Prevention and define the general parameters, see Application Security
Parameters, page 236.
2. Define Intrusion Prevention Profile and apply it to the Connect and Protect Table, see
Creating a New User Defined Intrusion Prevention Profile, page 255.
To configure Intrusion Prevention using User Defined Attack Groups:
1. Enable Intrusion Prevention and define the general parameters, see Application Security
Parameters, page 236.
2. Define custom Basic attacks, see Configuring Basic Intrusion Prevention Attacks,
page 247.
3. Define custom Advanced attacks, see Configuring Advanced Intrusion Prevention
Attacks, page 253.
4. Define custom Attack Groups, see Defining Custom Intrusion Prevention Attack Groups,
page 254.
5. Define Intrusion Prevention Profile and apply it to the Connect and Protect Table, see Creating a New User Defined Intrusion Prevention Profile, page 255.
Configuring Basic Intrusion Prevention Attacks
A Basic Attack (Custom Intrusion Attacks Window, page 247) is the basic building block of the Intrusion Prevention Profile. Each basic attack constitutes protection against a specific attack, meaning that the profile has a specific attack signature and protection parameters. Radware provides you with a set of pre-defined attacks; however, you may also create user-defined basic attacks.
Figure 29 - Custom Intrusion Attacks Window
The parameters of each Basic Attack are divided into the following categories:
• Description parameters
• Protocol definition parameters
• OMPC (Bit pattern) definition parameters
• Content definition parameters
Description Parameters
Description parameters (Table 17 on page 247) are the user-defined description of the
custom attack.
Table 17: Description Parameters
Parameter: Description
Attack Name: The name of the attack as you define it.
Description: A description of the attack.
Protocol Parameters
Protocol definition parameters (Table 18 on page 248) define transmission protocol.
Table 18: Protocol Parameters
Parameter: Description
Protocol:
The protocol used, which is either IP, UDP, TCP or ICMP. Default: IP.
Destination Port Range: From
The first port in the range of destination ports, for UDP and TCP traffic only. The values can be 0 - 65535. Default value: 0.
Note:
The defined value must be lower than the Destination Port Range: To value.
Destination Port Range: To
The last port in the range of destination ports, for UDP and TCP traffic only. The values can be 0 - 65535. Default value: 0.
Note:
The defined value must be greater than the Destination Port Range: From value.
Source Port Range: From
The first port in the range of source ports, for UDP and TCP traffic only. The values can be 0 - 65535. Default value: 0.
Note:
The defined value must be lower than the Source Port Range: To value.
Source Port Range: To
The last port in the range of source ports, for UDP and TCP traffic only. The values can be 0 - 65535. Default value: 0.
Note:
The defined value must be greater than the Source Port Range: From value.
OMPC (Bit pattern) Parameters
Offset Mask Pattern Condition (OMPC) is a set of Attack parameters that define a rule for pattern lookups. The OMPC rule looks for a fixed-size pattern of up to four bytes, applying a mask at a fixed offset. This is useful only for attack recognition where the attack signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset. The OMPC parameters are presented in Table 19 on page 248.
Table 19: OMPC Parameters
Parameter: Description
OMPC Length: The length of the OMPC (Offset Mask Pattern Condition) data can be N/A, oneByte, twoBytes, threeBytes or fourBytes. Default: N/A.
OMPC Pattern: The fixed-size pattern within the packet that the OMPC rule attempts to find. Possible values: a combination of hexadecimal digits (0-9, a-f). The value must be defined according to the OMPC Length parameter. For example, if OMPC Length is twoBytes, OMPC Pattern can be abcd0000. Default value: 00000000.
Note:
The OMPC Pattern parameter definition must contain 8 symbols. If the OMPC Length value is lower than fourBytes, you need to complete it with zeros.
Offset: The location in the packet from which the checking of data starts in order to find specific bits in the IP/TCP header. The value can be 0 - 1513. Default value: 0.
OMPC Condition: The OMPC condition can be either N/A, equal, notEqual, greaterThan or lessThan. Default: N/A.
OMPC Mask: The mask for the OMPC data. Possible values: a combination of hexadecimal digits (0-9, a-f). The value must be defined according to the OMPC Length parameter. For example, if OMPC Length is twoBytes, OMPC Mask can be abcd0000. Default value: 00000000.
Note:
The OMPC Mask parameter definition must contain 8 symbols. If the OMPC Length value is lower than fourBytes, you need to complete it with zeros.
OMPC Offset Relative to: Indicates to which point in the packet the selected offset is relative. If the IP/UDP/ICMP protocols are selected, you can set: None, IP Header, IP Data. If the TCP protocol is selected, you can set: None, IP Header, IP Data, TCP Data. Default value: None.
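An evaluator for an OMPC rule built from the parameters in Table 19, added here as a Python example that is not LinkProof code. It assumes the packet buffer starts at the IPv4 header, so "None" and "IP Header" coincide; the constructed IPv4/TCP packets, the SYN+FIN flag rule and the payload rule are illustrative.

```python
"""Evaluator for an OMPC (Offset Mask Pattern Condition) rule over a raw
IPv4 packet (added example, not LinkProof code). The 8-symbol hex pattern
and mask are interpreted per Table 19: only the first OMPC Length bytes are
used and the remaining symbols must be zero padding."""
import struct
from dataclasses import dataclass

LENGTHS = {"oneByte": 1, "twoBytes": 2, "threeBytes": 3, "fourBytes": 4}


@dataclass
class OmpcRule:
    length: str                 # oneByte .. fourBytes
    pattern: str                # 8 hex symbols, zero padded, e.g. "abcd0000"
    mask: str                   # 8 hex symbols, zero padded
    offset: int                 # 0 - 1513
    condition: str              # equal, notEqual, greaterThan, lessThan
    relative_to: str = "None"   # None, IP Header, IP Data, TCP Data

    def __post_init__(self):
        n = LENGTHS[self.length]
        for name, value in (("pattern", self.pattern), ("mask", self.mask)):
            if len(value) != 8 or any(c not in "0123456789abcdef" for c in value.lower()):
                raise ValueError(f"OMPC {name} must be 8 hex symbols")
            if value[2 * n:] != "0" * (8 - 2 * n):
                raise ValueError(f"OMPC {name} must be zero padded beyond {n} bytes")
        if not 0 <= self.offset <= 1513:
            raise ValueError("OMPC offset out of range")


def base_offset(packet: bytes, relative_to: str) -> int:
    """Locate the start of the IP header, IP data or TCP data in a raw IPv4 packet."""
    if relative_to in ("None", "IP Header"):
        return 0   # assumption: the buffer begins at the IP header
    ihl = (packet[0] & 0x0F) * 4          # IHL in 32-bit words
    if relative_to == "IP Data":
        return ihl
    if relative_to == "TCP Data":
        if packet[9] != 6:                # IP protocol field must be TCP
            raise ValueError("TCP Data offset requires a TCP packet")
        data_off = (packet[ihl + 12] >> 4) * 4   # TCP data offset
        return ihl + data_off
    raise ValueError(f"unknown relative_to {relative_to}")


def ompc_match(packet: bytes, rule: OmpcRule) -> bool:
    """Apply (bytes & mask) <condition> pattern at the resolved offset."""
    n = LENGTHS[rule.length]
    start = base_offset(packet, rule.relative_to) + rule.offset
    window = packet[start:start + n]
    if len(window) < n:
        return False   # pattern would run past the end of the packet
    value = int.from_bytes(window, "big") & int(rule.mask[:2 * n], 16)
    pattern = int(rule.pattern[:2 * n], 16)
    if rule.condition == "equal":
        return value == pattern
    if rule.condition == "notEqual":
        return value != pattern
    if rule.condition == "greaterThan":
        return value > pattern
    if rule.condition == "lessThan":
        return value < pattern
    raise ValueError(f"unknown condition {rule.condition}")


def build_tcp_packet(flags: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet (no options, TTL 64) used to exercise the rules."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload
```

The SYN+FIN rule below (one byte at offset 13 relative to IP Data, mask and pattern 03000000, condition equal) is the kind of header-field signature the text describes; the second rule looks for the two-byte payload pattern abcd0000 from Table 19 at the start of the TCP data.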
Content Parameters
Content parameters, described in Table 20 on page 250, define the rule for a text/content string lookup. This rule is intended for attack recognition where the attack signature is a text/content string within the packet payload.
Table 20: Content Parameters
Parameter: Description
Content Type: Enables the user to search for a specific content type, which can be one of the following:
• URL: In the HTTP Request URI
• Host Name: In the HTTP Header
• Text: Anywhere in the packet
• HTTP Header Field: In the HTTP Header
• Mail Domain: In the SMTP Header
• Mail To: In the SMTP Header
• Mail From: In the SMTP Header
• Mail Subject: In the SMTP Header
• Regular Expression: Anywhere in the packet
• Header Type: HTTP Header field. The "Content" field includes the header field name, and the "Content Data" field includes the field value
• File Type: The type of the requested file in the HTTP GET command (jpg, exe and so on)
• Cookie Data: HTTP cookie field. The "Content" field includes the cookie name, and the "Content Data" field includes the cookie value
Default: N/A.
Content Data: Refers to the search for the content within the packet, which can be either:
• N/A: Not available
• URL: HTTP GET packets are scanned for their URL data.
• Text: For text in all packets.
Content Offset: The location in the packet from which the checking of content starts. The value can be 0 - 1513. Default value: 0.
Content Encoding: Application Security can search for content in languages other than English, for case sensitive or case insensitive text, as well as for hexadecimal strings. Values for this parameter include:
• None
• Case Insensitive
• Case Sensitive
• HEX
• International
Default: None.
Note:
The value of this field corresponds to the Content Type parameter.
Content: Contains the actual value of the content search. Possible values are the printable ASCII characters: <space> ! " # $ % & ' ( ) * + , - . / 0-9 : ; < = > ? @ A-Z [ \ ] ^ _ ` a-z { | } ~
Content Language: Contains the language (character set) in which the content is written. Default language: English.
Content Max Length: The maximum length to be searched within the selected Content Type. The value can be 0 - 1513. Default value: 0.
Note:
The Content Max Length value must be equal to or greater than the Offset value.
Content Data Encoding: Application Security can search for data in languages other than English, for case sensitive or case insensitive data, as well as for hexadecimal strings. Values for this parameter include:
• None
• Case Insensitive
• Case Sensitive
• HEX
• International
Default: None.
Note:
The value of this field corresponds to the Content Type parameter.
Tracking Parameters
Tracking parameters, described in Table 21 on page 252, define how the attack is tracked and treated once its signature is recognized in the traffic. Each Application Security Attack is bound to a "Tracking" function that defines how the packet is handled when it is matched against the Attack. The main purpose of these functions is to determine whether the packet is harmful and to apply an appropriate action accordingly. There are two types of match functions:
• The "immediate" type that makes decisions based on a single packet. The signature match by itself is considered an indicator of the attack and the packet is dropped ("Drop All"). For example, MS Blast.
• The "Threshold" or "Counter" functions. These functions assume that the signature match alone is not enough to classify a packet as offensive, since the packet may be legitimate unless the number of packets per period of time exceeds a threshold that defines "reasonable" behavior for such traffic. Only packets that exceed the threshold within a predefined time slot are dropped. For example, ICMP flood attacks and DoS attacks.
Table 21: Tracking Parameters
Parameter: Description
Tracking Time: Sets the amount of time (in milliseconds) in which the Threshold is measured. When a number of packets greater than the Threshold value passes through the device during this time period, the device recognizes it as an attack. Default value: 1000.
Threshold: Sets the maximum number of attack packets that are allowed in each Tracking Time unit. The attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period. Default value: 10.
Tracking Type: Defines how the device decides which traffic to block or drop when under an attack of this type. Values can be:
• Drop All: Select this option when each packet of the defined attack is harmful. For example: Code Red and Nimda attacks.
• Target Attack: Select this option when the defined attack is destination-based, meaning the hacker is attacking a specific destination such as a Web server. For example: Ping Flood and DDoS attacks.
• Source and Target Attack: Select this option when the attack is a source and destination based attack, meaning the hacker is attacking from a specific source IP to a specific destination IP. For example: Port Scan attack.
• Source Attack: Select this option when the defined attack is source-based, meaning the hacker's attack can be recognized according to its source address. For example: Horizontal Port Scan, where the hacker scans a certain application port (TCP or UDP) to detect which servers are available on the network.
Default: Drop All.
Action Mode:
• Drop: The packet is discarded.
• Forward: The packet is forwarded to the defined destination.
• Reset Source: Sends a TCP-Reset packet to the packet's source IP.
• Reset Destination: Sends a TCP-Reset packet to the destination address.
• Default: Takes the Action Mode parameter defined in the Security Parameters window.
Doc. No.: 8261
LinkProof User Guide
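As an added illustration (not LinkProof code), the following Python simulation shows how the tracking functions of Table 21 decide which counter a matched packet is credited to, and when the Action Mode applies instead of forwarding. The packet records, addresses and timestamps (assumed to be in milliseconds) are constructed for the example.

```python
# Added example (not LinkProof code): simulation of the Table 21 tracking
# functions. Assumptions: packet timestamps are milliseconds and each
# Tracking Time window starts at the first matched packet for its key.


def tracking_key(tracking_type, pkt):
    """Map a Tracking Type to the counter key it tracks (None = immediate)."""
    if tracking_type == "Drop All":
        return None                            # every matching packet is harmful
    if tracking_type == "Target Attack":
        return ("dst", pkt["dst"])
    if tracking_type == "Source Attack":
        return ("src", pkt["src"])
    if tracking_type == "Source and Target Attack":
        return ("pair", pkt["src"], pkt["dst"])
    raise ValueError(f"unknown Tracking Type: {tracking_type}")


class AttackTracker:
    """Tracking for one Basic Attack: at most Threshold matches per Tracking Time."""

    def __init__(self, tracking_type, threshold=10, tracking_time_ms=1000,
                 action_mode="Drop"):
        self.tracking_type = tracking_type
        self.threshold = threshold
        self.tracking_time_ms = tracking_time_ms
        self.action_mode = action_mode
        self._windows = {}   # key -> (window_start_ms, matches_in_window)

    def handle(self, pkt, signature_matched):
        """Return 'Forward' or the configured Action Mode for one packet."""
        if not signature_matched:
            return "Forward"
        key = tracking_key(self.tracking_type, pkt)
        if key is None:
            return self.action_mode            # "immediate" function
        start, count = self._windows.get(key, (pkt["ts"], 0))
        if pkt["ts"] - start >= self.tracking_time_ms:
            start, count = pkt["ts"], 0        # a new Tracking Time window
        count += 1
        self._windows[key] = (start, count)
        # legitimate up to Threshold packets per window, an attack beyond that
        return self.action_mode if count > self.threshold else "Forward"


def run(tracking_type, packets, threshold=3, tracking_time_ms=1000):
    """Feed packets that already matched the signature; return the decisions."""
    tracker = AttackTracker(tracking_type, threshold, tracking_time_ms)
    return [tracker.handle(p, True) for p in packets]


# Constructed traffic: a ping flood against one server, and a horizontal scan
# of one port across many servers, both from the same (made-up) source.
PING_FLOOD = [{"ts": 100 * i, "src": "198.51.100.7", "dst": "192.0.2.10"}
              for i in range(5)]
HORIZONTAL_SCAN = [{"ts": 100 * i, "src": "198.51.100.7", "dst": f"192.0.2.{i}"}
                   for i in range(5)]
```

With a threshold of 3, the flood is caught by Target Attack tracking and the scan by Source Attack tracking, while Target Attack tracking never sees the scan exceed the threshold because each destination gets its own counter.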
To create a Basic Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Intrusions column. The Settings pane appears.
3. From the Settings pane, click Custom Attack. The Custom Intrusion Attack window appears.
4. From the Custom Intrusion Attack window, select the Basic Attack option button.
5. Set the new Basic Attack parameters as explained in Description Parameters, page 247.
6. Click Ok. The Custom Intrusion Attack window closes. The new basic attack appears in the Custom Group window.
Configuring Advanced Intrusion Prevention Attacks
The second building block of the Intrusion Prevention Profile is the Advanced Attack. The
Advanced Attack represents a logical AND between two or more Basic Attacks. Some attacks
have a complex signature comprised of several patterns and content strings. These attacks
require more than one Basic Attack to protect against them.
Figure 30 - Advanced Attacks
Advanced attacks are made up of a collection of Basic Attacks, selected/removed from the
Basic Attack list.
Tip:
You can create a new Advanced Attack using user defined Basic Attacks only.
To create an Advanced Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click Custom Attack. The Custom Intrusion Attack window appears.
3. From the Custom Intrusion Attack window, select the Advanced Attack option button. The Advanced Attack pane appears.
4. Select the Basic Custom attacks from the Optional Basic Attacks list and add them to the Selected Attacks list by clicking the mover arrows.
5. Click the Settings tab and define the parameters for each Advanced Custom Intrusion Attack, see Table 21 on page 252.
6. Click Ok. The Advanced Attack pane closes.
Defining Custom Intrusion Prevention Attack Groups
The Custom Attack Group represents a logical OR between two or more Basic Attacks or Advanced Attacks. The right panel of the Custom Attacks Groups window (Custom Attack Group Window, page 254) contains the list of all the existing groups.
Figure 31 - Custom Attack Group Window
Radware provides you with a set of predefined Custom Attack Groups as part of the Signatures file. You can also add user defined Attack Groups using predefined Attacks or user defined Attacks. The predefined attack groups are divided according to types of protection. For example, all attack signatures designed to harm IIS Web servers are grouped under the IIS Attack Group.
The groups can be activated within a Protection Profile, except for the Un-assigned group. Attacks that affect performance or are prone to false positives are gathered under the Unassigned group and can be activated either by adding the Attack to an existing group or to a user defined group.
To add a new Custom Attack Group:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Intrusions column. The Settings pane appears.
3. From the Settings pane, select Custom Group. The Custom Attack Group window appears.
4. From the Custom Attack Group window, enter a relevant name for the new Attack Group.
5. Select the attacks you want to include in this group and move them to the Selected Attacks pane by clicking the mover arrows.
Creating a New User Defined Intrusion Prevention Profile
You can either select from the Radware predefined intrusion prevention Attack profiles or
create your own custom profiles.
To create a New User Defined Intrusion Prevention Profile:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click anywhere in the Intrusions column. The Settings pane appears.
3. From the Settings pane, click New Profile. The New Intrusion Prevention Profile window appears.
4. From the New Intrusion Prevention Profile window, enter a name for your new Intrusion Prevention Profile. The new profile appears in the Intrusion Prevention Profile pane.
5. To add attacks to your new profile, select the relevant attacks and move them to your profile using the mover arrows.
Editing Attacks
To edit an attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click anywhere in the Intrusions column. The Settings pane appears.
3. From the All Attacks list, select the attack you want to edit and click Edit Attack. The Custom Intrusion Attack window appears.
4. Edit the parameters of the attack. See Description Parameters, page 247.
5. Click Ok. Your preferences are recorded.
Example: Configuring an Intrusion Prevention Profile for Protection Against MS Blast Worm
The MSBlast worm was first detected on August 11, 2003. This worm appears to exploit known vulnerabilities in the Microsoft Remote Procedure Call (RPC) interface.
The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. Access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.
Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood denial-of-service attack against windowsupdate.com.
Affected Products
The MSBlast worm affects the following Microsoft products:
• Microsoft Windows NT® 4.0
• Microsoft Windows NT 4.0 Terminal Services Edition
• Microsoft Windows 2000
• Microsoft Windows XP
• Microsoft Windows Server™ 2003
Impact
A remote attacker could exploit these vulnerabilities to execute arbitrary code with Local System privileges or to cause a denial-of-service condition.
Protection is obtained by adding two Custom Attacks and grouping them together.
To create the MS Blast Worm Protection Policy:
1. From the main window, click Security. The Connect and Protect Table appears.
2. Create the first Basic Attack:
a. From the Connect and Protect Table, click anywhere in the Intrusions window. The Settings pane appears.
b. From the Settings pane, click Custom Attack. The Custom Intrusion Attack window appears.
c. From the Custom Intrusion Attack window, set the following parameters according to the explanations provided:
Attack Name: blast_shell
Protocol: TCP
Destination Port (from): 4444
Destination Port (to): 0
Source Port (from): 0
Source Port (to): 0
OMPC Offset: 0
OMPC Offset Relative to: None
OMPC Mask: 0000000
OMPC Pattern: 0000000
OMPC Condition: None
OMPC Length: None
Content Offset: 0
Content: msblast.exe
Content Type: Text
Attack Type: Application Security
Content Max. Length: 0
Content Encoding: Case Sensitive
Content Data Encoding: None
Attack Description: Enter a user defined attack description
3. Click OK. The new custom attack is created and appears in the All Attacks list.
4. Create the second Custom Attack:
a. Click Custom Attack. The Custom Intrusion Attack window appears.
b. From the Custom Intrusion Attack window, set the following parameters according to the explanations provided:
Basic Attack Name: blast_rpc
Protocol: TCP
Destination Port (from): 135 (RPC)
Destination Port (to): 135 (RPC)
Source Port (from): 0
Source Port (to): 0
OMPC Offset: 0
OMPC Offset Relative to: None
OMPC Mask: 0000000
OMPC Pattern: 0000000
OMPC Condition: None
OMPC Length: None
Content Offset: 0
Content: 1F7457759580BFBB927F895A1ACEB1DE
Content Type: Text
Attack Type: Application Security
Content Max. Length: 0
Content Encoding: HEX
Content Data Encoding: None
Attack Description: Enter a user defined attack description
c. Click Ok. The new custom attack is created and appears in the All Attacks list.
Important Note: When using versions earlier than LinkProof 3.73, LinkProof 2.73, LinkProof 8.0, CSD 4.0, CID 2.0, the following parameters must be modified in the above Attack:
Content: ~'?bB
Content Encoding: Case Sensitive
5. Create a new Custom Attack Group:
a. From the Connect and Protect Table, click Custom Group. The Custom Attack Group window appears. In the Group Name field, enter the new group name: virus_custom.
b. From the Custom Attack Group window, add the two new custom attacks that you created in the previous steps by selecting them from the All Attacks list and moving them to the Selected Attacks pane with the mover arrows.
DoS/DDoS
This section explains DoS and DDoS attacks, and introduces the mechanism of DoS/DDoS protection profiles.
This section includes the following topics:
• Introduction to DoS/DDoS, page 258
• DoS Shield Profiles, page 259
• Application Security Profiles, page 270
Introduction to DoS/DDoS
Radware's security scheme provides organizations with extensive Denial of Service (DoS) detection and protection capabilities while maintaining high network throughput.
When hackers send mass volumes of traffic, they overload networks or servers, thus denying access to real users. This is known as a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack.
Denial of service occurs as a result of various types of flooding caused by hackers, such as UDP, TCP and ICMP floods. The DoS/DDoS module provides protection against packet flooding, thereby preventing denial of service.
When mitigating DoS attacks, another challenge is dealing with hackers, who are becoming increasingly sophisticated. A basic DoS attack is considered to be single-packet (TCP, UDP or ICMP) flooding, generated by common tools that are available on the Internet. Basic SYN attacks can be handled by detecting incomplete TCP requests. However, hackers may also use new techniques and tools such as Naphta, which creates a Connection Attack by completing a TCP handshake without any data traffic.
Another type of DoS attack can be caused by attacks of one or a few packets. These are attacks that exploit a server or network vulnerability, such as buffer overflows, Ping of Death, Land attack and so on.
An intrusion attempt, unlike a DoS attack, is usually performed with a small number of packets. Hackers trying to penetrate a network server will either use single session attacks or one-packet attacks targeting a service, application or even operating system vulnerability. Intrusions are handled by a set of protection services, which include Intrusion Protection, Anomalies and Anti Scanning.
DoS/DDoS Protection Services
To provide protection against denial of service, the DoS/DDoS module incorporates two different services for mitigating DoS attacks:
• DoS Shield Profiles: Sampling-based service that provides protection against packet flooding, which causes a denial of service effect. The protection is provided for TCP, UDP and ICMP floods. This service utilizes an advanced sampling mechanism, which significantly reduces the device CPU load compared to packet-by-packet scanning.
• Application Security Profiles: Packet-by-packet scanning service that provides protection against DoS attacks, using signature based packet-by-packet scanning.
The sampling-based service provides optimized performance in high throughput networks. Once an attack is detected, the DoS Shield module sets the relevant attack filter for packet-by-packet inspection. The packet-by-packet scanning service is based on the DoS protection group named DOS.
Creating a New User Defined Profile
You can create user defined profiles using one of the following mechanisms:
• Application Security Profiles
• DoS Shield Profiles
To configure a User Defined DoS Profile:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click anywhere in the DoS/DDoS column. The Settings pane appears.
3. If you select Application Security Profiles, the Application Security Profiles settings pane appears, see Application Security Profiles, page 270.
4. If you select DoS Shield Profiles, the DoS Shield Profiles settings pane appears, see DoS Shield Profiles, page 259.
DoS Shield Profiles
To prevent denial of service, DoS Shield samples traffic flowing through the device and limits the bandwidth of traffic that was recognized as a DoS attack, using a predefined action.
The concept is based on the fact that sporadic attacks that consume negligible amounts of bandwidth can be tolerated by most networks and do not require any counter action. An attack becomes a threat to the network when it starts to consume large amounts of the network's bandwidth. The DoS Shield module detects the occurrence of such events with an advanced sampling algorithm and takes automatic actions to solve the problem. The combination of a unique sampling scheme with the strong computing power of the Application Switch platform provides maximum security with maximum speed.
How the DoS Shield Module Works
The DoS Shield mechanism is based on working with two attack states: Dormant and Active.
Dormant state indicates that the Sampling mechanism is used for recognition prior to action activation. An attack in Dormant state can become Active only if the number of packets that entered your network is beyond the pre-defined limit.
Active state indicates that the action must be executed on each packet that matches the attack signature, without sampling.
The DoS Shield counts packets matching attacks in the Dormant and Active states. Samples of the traffic are compared with the list of attacks in Dormant state. When a pre-configured number of packets is met, the status of the attack is changed to Active.
The DoS Shield module involves two mechanisms working in parallel. One statistically monitors the traffic to check whether any of the attacks in Dormant state is active. When an attack is detected as active, it is handled by the second mechanism. Each packet passing through the device is compared to the list of the Currently Active Attacks. If no match is found, a portion of the packets is sent to be compared with the Dormant Attacks and the rest of the packets are simply forwarded to the network, without being inspected against the Dormant Attacks list.
Activation of a large number of security Attacks can cause a decline in overall performance. You can limit the number of enabled security Attacks, while the rest of the filters remain disabled. The disabled filters can be activated when the network is under attack. This is performed using the Panic mode feature. When not all the defined filters are used, there might be a situation where the servers are under an unrecognized attack. In that case the DoS Shield module can operate in Panic Mode. During the unrecognized attack, disabled filters that are defined as Panic become enabled and function as Dormant state filters.
Note: In reaction to the panic mode activation, only the filters that are configured to function in the Panic mode are activated.
DoS Shield Traffic Flow
When traffic arrives at the device, samples of the traffic are copied and inspected against each entry in the list of attacks in Dormant state to detect possible attacks.
You can control the sampling rate by setting the number of packets that pass through the device before a packet is examined against the list of attacks in Dormant state (Packet Sampling Rate in DoS Shield Traffic Flow Diagram, page 261).
You can also configure the duration of the sampling period over which the different thresholds are checked (Sampling Time in DoS Shield Traffic Flow Diagram, page 261).
Whenever traffic matches an Attack filter, a counter is incremented. At the end of each Sampling Time, the counter value is normalized and compared to the thresholds configured for the attack.
You can configure a Warning Threshold and an Activation Threshold for each attack. When the Warning Threshold is met, a warning message is sent notifying about the attack. When the Activation Threshold is met, the attack state is changed to Active, every packet passing through the device is inspected against that attack and the forwarding limit is executed.
Figure 32 - DoS Shield Traffic Flow Diagram
(Diagram flow: an incoming packet is compared to the Currently Active Attacks list; on a match the Pre-Configured Action is applied; with no match the packet is forwarded to the destination port, and a copy of the sampled packets is compared to the Dormant Attacks, activating an attack once its Activation Threshold is passed.)
When an attack is activated, the following actions are possible:
• Bandwidth of traffic (kbps) that matches a Currently Active Attack is limited when forwarding packets to the network.
• When the forwarding limit is 0, all packets that match the Currently Active Attack are blocked.
The status of a Currently Active attack reverts to Dormant when the amount of traffic matching the attack filter is smaller than the Attack Termination Threshold for the duration of the Aging Period for that attack. The Aging Period lets you set the number of Sampling Time periods over which the counters of that attack must not cross the Termination Threshold in order for the attack to be considered over and its status reverted to Dormant. Termination of the attack is also reported to the management station.
You can also pre-configure an attack as Currently Active. In that case every packet passing through the device is always matched against that attack filter, regardless of the Attack Termination Threshold.
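The following Python simulation is an added example, not LinkProof code, of the Dormant/Active state machine described above, driven by the thresholds, Forwarding Limit and Aging Period of the Edit Attacks Table. It assumes that the Sampling Counter counts the bits of sampled matching packets and is normalized to kbps by multiplying by the Packet Sampling Rate, that the Forwarding Limit is enforced as a per-second bit budget, and that sampling continues while an attack is Active so the Termination Threshold can be evaluated; the traffic is constructed.

```python
# Added example (not LinkProof code): DoS Shield Dormant/Active state machine.
# Assumptions: the Sampling Counter counts bits of sampled matching packets and
# is normalized to kbps by multiplying by the Packet Sampling Rate; the
# Forwarding Limit is enforced as a per-second bit budget; sampling continues
# while an attack is Active so the Termination Threshold can be evaluated.


class DosShieldAttack:
    """One entry of the DoS Shield attacks database plus its dynamic counters."""

    def __init__(self, name, match, activation_kbps, termination_kbps,
                 forwarding_limit_kbps, aging_period, warning_kbps=0,
                 sampling_rate=10, sampling_time_s=1.0):
        self.name = name
        self.match = match                                  # callable(pkt) -> bool
        self.warning_kbps = warning_kbps                    # 0 means "Do Not Alert"
        self.activation_kbps = activation_kbps
        self.termination_kbps = termination_kbps            # 0 means "Do Not Deactivate"
        self.forwarding_limit_kbps = forwarding_limit_kbps  # 0 means "Drop All"
        self.aging_period = aging_period                    # in Sampling Time units
        self.sampling_rate = sampling_rate                  # inspect 1 packet in N
        self.sampling_time_s = sampling_time_s
        # dynamic information, named after the Attacks Dynamic Info columns
        self.state = "Dormant"
        self.sampling_counter = 0      # bits in sampled matching packets this period
        self.active_counter = 0        # bits matched by per-packet inspection this second
        self.termination_counter = 0   # periods below the Termination Threshold
        self.alerts = []
        self._seen = 0
        self._second = None

    def on_packet(self, pkt):
        """Decide 'Forward' or 'Drop' for one packet, following Figure 32."""
        bits = len(pkt["data"]) * 8
        matched = self.match(pkt)
        # Sampling path: one packet in every sampling_rate is compared to the
        # Dormant attack list and credited to the Sampling Counter.
        self._seen += 1
        if matched and self._seen % self.sampling_rate == 0:
            self.sampling_counter += bits
        if self.state != "Active" or not matched:
            return "Forward"
        # Active path: every packet is inspected and the Forwarding Limit applied.
        second = int(pkt["ts"])
        if second != self._second:
            self._second, self.active_counter = second, 0
        self.active_counter += bits
        if self.forwarding_limit_kbps == 0:
            return "Drop"                          # Drop All
        if self.active_counter > self.forwarding_limit_kbps * 1000:
            return "Drop"                          # over this second's budget
        return "Forward"

    def end_of_sampling_time(self):
        """Normalize the Sampling Counter to kbps, compare it to the thresholds
        and update the attack state. Returns the normalized rate."""
        kbps = self.sampling_counter * self.sampling_rate / (self.sampling_time_s * 1000)
        self.sampling_counter = 0
        if self.state == "Dormant":
            if kbps > self.activation_kbps:
                self.state = "Active"
                self.termination_counter = 0
                self.alerts.append(("Activation Alert Sent", kbps))
            elif self.warning_kbps and kbps > self.warning_kbps:
                self.alerts.append(("Alert Sent", kbps))
        elif self.state == "Active" and self.termination_kbps:
            if kbps < self.termination_kbps:
                self.termination_counter += 1
                if self.termination_counter >= self.aging_period:
                    self.state = "Dormant"
                    self.alerts.append(("Attack Terminated", kbps))
            else:
                self.termination_counter = 0       # the attack is not over yet
        return kbps


def udp_flood_scenario():
    """Constructed traffic: a UDP flood to port 53 for two seconds, then a trickle.
    Returns the attack object and one summary record per Sampling Time."""
    attack = DosShieldAttack("udp_flood_dns",
                             lambda p: p["proto"] == "UDP" and p["dport"] == 53,
                             activation_kbps=100, termination_kbps=20,
                             forwarding_limit_kbps=40, aging_period=2, warning_kbps=50)
    history = []
    for second, count in enumerate([1000, 1000, 10, 10]):
        forwarded = dropped = 0
        for i in range(count):
            pkt = {"ts": second + i / count, "proto": "UDP", "dport": 53, "data": b"x" * 100}
            if attack.on_packet(pkt) == "Forward":
                forwarded += 1
            else:
                dropped += 1
        kbps = attack.end_of_sampling_time()
        history.append({"state": attack.state, "kbps": kbps,
                        "forwarded": forwarded, "dropped": dropped})
    return attack, history
```

In the scenario the first second of flood is forwarded untouched (the attack is still Dormant and only sampled), the second second is rate-limited to the Forwarding Limit, and after two quiet Sampling Time periods (the Aging Period) the attack reverts to Dormant.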
How to use the DoS Shield Module
The Dormant Attacks database consists of attacks supplied by Radware. These attacks provide constant protection against all recent denial of service attacks. Each attack includes protection filters that are configured to detect and block malicious packets. You can use these attacks to define prevention profiles. Most of the existing denial of service attacks can be prevented using Radware attacks.
In addition to the Radware defined attacks, you can add user defined attacks to this database. The parameters that are part of the Sampling process (DoS Shield Traffic Flow Diagram, page 261) can be configured using the DoS Shield mechanism. For new users, it is recommended to define DoS Shield prevention profiles using Radware defined attacks only.
The DoS Shield module enables you to perform the following actions:
• Activate attack(s) provided by Radware.
• Create new attack(s).
• View all the information about an attack in the Attack Dynamic Information table, see Attacks Dynamic Info, page 268.
To configure DoS Shield using Radware Defined Attacks:
1. Enable DoS Shield protection and set the general parameters, see DoS Shield Parameters, page 236.
2. Create a new DoS Shield profile and apply the new profile to the Connect and Protect Table, see Creating a new DoS Shield Profile, page 267.
To configure DoS Shield using User Defined Attacks:
1. Enable DoS Shield protection and set the general parameters, see DoS Shield Parameters, page 236.
2. Add a Basic Service, see Configuring Basic DoS Shield Services, page 262.
3. Add an Advanced Service, see Configuring Advanced DoS Shield Services, page 264. (Optional step)
4. Define the DoS Shield attacks, see Defining DoS Shield Attacks, page 265.
5. Create a new DoS Shield profile and apply the new profile to the Connect and Protect Table, see Creating a new DoS Shield Profile, page 267.
Configuring Basic DoS Shield Services
A basic element of DoS Shield profiles is a Basic Service. Radware provides a list of predefined services. You can create your own services (Basic Service Configuration, page 263). The LinkProof Classes window allows you to create a new service.
Figure 33 - Basic Service Configuration
The parameters of LinkProof DoS Classes are divided into the following categories:
• New Service parameters
• Protocol definition parameters
• OMPC definition parameters
• Content definition parameters
New Service Parameters
The user defined description of the service.
Table 22: New Service
Parameter: Description
Service Name: The service that is used to provide protection against the attack. You can select the service from the list defined in the Service Type.
Description: Enter a relevant description of the service.
Protocol Parameters
Protocol definition parameters define the transmission protocol. For the detailed parameter descriptions, refer to Table 18, “Protocol Parameters,” on page 248.
OMPC Parameters
Offset Mask Pattern Condition (OMPC) is a set of filter parameters that define a rule for pattern lookups. The OMPC rule looks for a fixed-size pattern of up to four bytes, using fixed offset masking. This is useful only for attack recognition where the attack signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset. The OMPC parameters are described in Table 19, “OMPC Parameters,” on page 248.
Content Parameters
Content parameters define the rule for a text/content string lookup. This rule is intended for attack recognition where the attack signature is a text/content string within the packet. For the detailed parameter descriptions, refer to Table 20, “Content Parameters,” on page 250.
To add a Basic Service:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The DoS
Settings pane appears.
3. From the DoS Settings pane, select the DoS Shield Profiles and then click Classes.
The LinkProof Classes window appears.
4. From the LinkProof Classes window, click Add Regular and define the parameters
according to the explanations above.
5. Click Update Active Classes and then click Add Service.
6. Click Ok. The Classes window closes and the new Basic Service can be used to define
an attack, see Defining DoS Shield Attacks, page 265.
Configuring Advanced DoS Shield Services
Using Basic Services you can define an Advanced Service (Advanced Attacks Window, page 273). The Advanced Service represents a logical AND between two or more Basic Services.
Advanced services are made up of a collection of Basic Services, selected from the Basic Services list.
You can create an Advanced Service using user defined Basic Services only.
Figure 34 - Advanced Service Configuration
To create an Advanced Service:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The Settings pane appears.
3. From the Settings pane, select DoS Shield Profiles and click Classes. The LinkProof Classes window appears.
4. From the LinkProof Classes window, click Add Advanced. The Advanced Service pane appears displaying the following parameters:
— Service Name: The name of the Advanced Service.
— Basic Services Names: The list of all the user defined Basic Services.
5. In the Service Name text box, type the name of the new Advanced Service.
6. From the Basic Services list, select the Basic Services that you want to include in the Advanced Service.
7. Click Update Active Classes and then click Add Service.
8. Click Ok. The Classes window closes and the new Advanced Service can be used to define an attack, see Configuring Basic DoS Shield Services, page 262.
Defining DoS Shield Attacks
Profiles consist of attacks that are defined in the Attacks Table.
Figure 35 - Edit Attacks Table
The Attacks Database contains attacks provided by Radware. You can add user-defined attacks to reflect the specific needs of your network, or edit the existing attacks. Table 23 on page 266 describes the attack’s parameters.
Table 23: Edit Attacks Table
Parameter: Description
Service Type: Enables selection of services from the following categories:
• Basic Service - selecting from the Basic Services list.
• Advanced Service - selecting from the Advanced Services list.
Service Name: The service that is used to provide protection against the attack. You can select the service from the list defined in the Service Type.
Warning Threshold (Kbps): When this threshold is exceeded, a warning message is sent to the management station.
Note: You can select a value of "Do Not Alert" (or 0). This is only relevant when the attack is not Active.
Activation Threshold (Kbps): When this threshold is exceeded, the status of the attack is changed to Active.
Note: This is only relevant when the Attack Status was configured as Dormant.
Forwarding Limit when Active (Kbps): The number of packets matching the attack that can be forwarded in each second when the attack is Active. A value of Drop All (or 0) means that all packets must be blocked. A value other than Drop All is used for attacks that match a pattern of legitimate traffic, for example UDP Flood attacks.
Termination Message Threshold (kbps): If for the duration of the Attack Aging Period this threshold is not exceeded, a notification message is sent indicating that the attack may be over. Typically, this threshold is higher than the Termination Threshold and lower than the Attack Activation Threshold. You can also select "Do Not Alert" (or 0).
Termination Threshold (Kbps): If for the duration of the Attack Aging Period this threshold is not exceeded, the status of the attack reverts to Dormant. You can also select Do Not Deactivate (or 0).
Aging Period (sec.): The number of Sampling Time units required for deactivating an attack. To ensure that the attack is not considered terminated because of a momentary reduction in the amount of traffic matching its pattern, attack termination is decided only after several Sampling Time units have passed in which attack traffic was below the Termination Threshold. The same concept applies to the Alert Termination. You can also select "No Deactivation" (or 0). Default value is 5.
Attack Status: The status can be:
• Dormant - The attacks that are processed through the Sampling mechanism to recognize known signatures.
• Active - The attacks that are compared packet-by-packet to the signatures database.
• Panic - The attack is in the Panic state. In this state the number of activated filters is limited to achieve better overall performance. In case an unrecognized attack takes place, the module activates only the filters that are required to block the attack.
• Disabled - The attack’s filters are disabled.
When this value is originally set as Dormant, it is automatically updated when traffic patterns match the attack thresholds. This also allows the administrator to manually add/remove attacks to/from the Active Attack list. An attack that is manually set to Active or Disabled is not automatically added to or removed from the Active Attack list, and the thresholds are not relevant for such an attack.
Attack Name: A user defined name for this attack, maximum 30 characters. The Attack Name is used when DoS Shield sends information about attack status changes.
Attack Message Text: A message that is associated with the attack.
To add a new attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The Settings pane appears.
3. From the Settings pane, select DoS Shield Profiles. The DoS Shield Profiles pane appears.
4. From the DoS Shield Profiles pane, click Custom Attack. The Edit Attacks Table appears.
5. From the Edit Attacks Table, set the parameters as explained in Edit Attacks Table, page 266.
6. Click Ok. The Edit Attacks Table window closes and the new attack appears in the All DoS Attacks List.
Creating a new DoS Shield Profile
Once the attacks are defined, you can create a new profile.
To define a new DoS Shield profile:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The Settings pane appears.
3. From the Settings pane, select DoS Shield Profiles. The DoS Shield Profiles pane appears.
4. From the DoS Shield Profiles pane, click New Profile. The New Profile dialog box appears.
5. In the Profile Name text box, type the name of the new profile and click Ok. The New Profile dialog box closes and the new profile appears in the DoS Prevention Profiles pane.
6. From the All DoS Attacks List pane, select the attack(s) that you want to add to the new profile and click Add. The selected attack appears in the DoS Prevention Profiles pane.
7. Select the cell in the Connect and Protect Table where you want to apply the new DoS/DDoS profile and click Apply. The name of the new profile appears in the selected cell.
Attacks Dynamic Info
The Attacks Dynamic Info window displays information regarding the current condition of the attack. The table is updated in real-time.
Note: This window is read only.
Figure 36 - Attacks Dynamic Info
Note: You can sort the DoS Shield Attack Dynamic Info table according to every column in the table.
Table 24 on page 269 describes the Attacks Dynamic Info table parameters.
Table 24: Attacks Dynamic Info
Parameter: Description
Attack ID: A unique number identifying the attack.
Sampling Counter: Number of bits matching this attack in the current Sampling Time. This counter is used against the Warning Threshold, Activation Threshold, Termination Message Threshold and Termination Threshold.
Active Counter: Number of bits matching this attack in the last second, examining every bit. This counter is used only for limiting the amount of traffic matching an Active attack.
Alert Status: The status of the alert can be: Not Sent, Alert Sent, Activation Alert Sent, Dropping Alert Sent.
Attack Status: The status can be:
• Dormant - The attacks that are processed through the Sampling mechanism to recognize known signatures.
• Active - The attacks that are compared packet-by-packet to the signatures database.
• Panic - The attack is in the Panic state. In this state the number of activated filters is limited to achieve better overall performance. In case an unrecognized attack takes place, the module activates only the filters that are required to block the attack.
• Disabled - The attack’s filters are disabled.
Termination Alert Counter: Number of intervals in which the Sampling Counter was below the Termination Message Threshold. When the value of this counter reaches the Aging Period value, a Termination Alert message is sent.
Termination Counter: Number of intervals in which the Sampling Counter was below the Termination Threshold. When the value of this counter reaches the Aging Period value, an Attack Terminated message is sent and the Attack Status reverts to Dormant.
Last Attack Detection Time: Time when this attack last took place.
Last Attack Detection Date: Date when this attack last took place.
Last Attack Termination Time: Time when this attack was last terminated.
Last Attack Termination Date: Date when this attack was last terminated.
To view the Attacks Dynamic Info window:
1. From the main window, click Security. The Connect and Protect window appears.
2. From the Connect and Protect window, click anywhere in the DoS column. The DoS pane
appears.
3. From the DoS pane, select the DoS Profiles option button and then select Attacks
Dynamic Info. The Attacks Dynamic Info window appears as shown in Figure 36 on
page 268.
Application Security Profiles
Application Security profiles are part of the mechanism that protects against and prevents
denial of service attacks. These profiles deliver advanced intrusion detection and
prevention capabilities, providing maximum protection for network elements, hosts and
applications.
Application Security profiles are predefined traffic detectors that scan the incoming traffic in
order to identify known attack signatures. The profiles use attack definitions to find
malicious packets and act on them in accordance with the predefined settings.
How to Use the Application Security Module
Radware supplies the set of predefined Attack Groups that provide constant protection
against all recent attacks. You can use these groups to define prevention profiles. Most of
the existing intrusions can be prevented using Radware groups.
In addition to the Radware defined groups, you can create custom Attack Groups, custom
Advanced attacks, and custom Basic attacks. For new users, it is recommended to define
Application Security protection profiles using Radware defined attacks only.
To configure Application Security using Radware Defined Attacks:
1. Enable Application Security protection and set the general parameters, see Application
Security Parameters, page 236.
2. Create a new Application Security profile and apply the new profile to the Connect and
Protect Table, see Creating a new Application Security Profile, page 274.
To configure Application Security using User Defined Attacks:
1. Enable Application Security and set the Application Security general parameters,
see Application Security Parameters, page 236.
2. Define Basic Attacks, see Configuring Basic Application Security Attacks, page 271.
3. Define Advanced Attacks, see Configuring Advanced Application Security Attacks,
page 272 (optional).
4. Define Custom Attack Groups, see Application Security Custom Attack Groups,
page 273.
5. Create a new Application Security profile and apply the new profile to the Connect and
Protect Table, see Creating a new Application Security Profile, page 274.
Configuring Basic Application Security Attacks
Basic Attacks (Custom DoS Attack Window, page 271) are the basic building blocks of the
DoS Attack. Each Basic Attack constitutes protection against a specific attack, meaning each
Basic Attack has a specific attack signature and protection parameters. Radware provides
you with a set of predefined attacks. You can also create user defined Basic Attacks.
Figure 37 - Custom DoS Attack Window
The parameters of each Basic Attack are divided into the following categories:
• Description parameters
• Protocol definition parameters
• OMPC definition parameters
• Content definition parameters
Description Parameters
Description parameters (Table 17 on page 247) are the user defined descriptions of the
attack.
Parameter: Description
Attack Name: The name of the attack as you define it.
Attack Description: A description of the attack.
Protocol Parameters
Protocol definition parameters define the transmission protocol. For the detailed parameters
description refer to Table 18, “Protocol Parameters,” on page 248.
OMPC (Bit Pattern) Parameters
Offset Mask Pattern Condition (OMPC) is a set of filter parameters that define a rule for
pattern lookups. The OMPC rule looks for a fixed size pattern of up to four bytes, which uses
fixed offset masking. This is useful only for attack recognition where the attack signature is
a TCP/IP header field or a pattern in the data/payload in a fixed offset. The OMPC
parameters are presented in Table 19, “OMPC Parameters,” on page 248.
Content Parameters
Content parameters define the rule for a text/content string lookup. This rule is intended
for attack recognition where the attack signature is a text/content string within the packet
payload. For the detailed parameters description refer to Content Parameters, page 250.
Tracking Parameters
Tracking parameters define how the attack is tracked and treated once its signature is
recognized in the traffic. Each Application Security Attack is bound to a "Tracking" function
that defines how the packet is handled when it is matched against the Attack. The main
purpose of these functions is to determine whether the packet is harmful and to apply an
appropriate action accordingly. There are two types of match functions:
• The "immediate" type that makes decisions based on a single packet. The signature
match by itself is considered an indicator of the attack and the packet is dropped
("Drop All"). For example, MS Blast.
• The "Threshold" or "Counter" functions. These functions assume that the signature
match alone is not enough to classify a packet as offensive, since the packet may be
legitimate unless the number of packets per period of time exceeds a threshold that
defines "reasonable" behavior for such traffic. Only packets that exceed the threshold
within a predefined time slot are dropped. For example, ICMP flood attacks and DoS
attacks.
For the detailed parameters description refer to Tracking Parameters, page 252.
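The two tracking-function types just described, as an added example in Python that is not Radware code and not part of this guide: an immediate tracker drops every packet whose signature matches, while a threshold tracker forwards matching packets until more than a set number arrive from the same source inside a time window and drops only the excess. The packet representation, the per-source sliding-window reading of the "predefined time slot", and the sample traffic are assumptions made for illustration.

```python
# Added example (not Radware code): the two Application Security tracking
# function types, modelled as Python classes. The packet format, the
# sliding-window interpretation of the "time slot" and all names are
# assumptions made for illustration.
from collections import defaultdict, deque

DROP, ALLOW = "drop", "allow"


class ImmediateTracker:
    """'Immediate' type: a single signature match identifies the attack,
    so every matching packet is dropped ("Drop All")."""

    def handle(self, pkt, matched, now):
        return DROP if matched else ALLOW


class ThresholdTracker:
    """'Threshold'/'Counter' type: matching packets are treated as legitimate
    until more than `threshold` of them (per source, here) arrive inside a
    sliding window of `window` seconds; only the packets beyond the
    threshold are dropped, the earlier ones were already forwarded."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self.hits = defaultdict(deque)  # source IP -> match timestamps still inside the window

    def handle(self, pkt, matched, now):
        if not matched:
            return ALLOW
        q = self.hits[pkt["src"]]
        while q and now - q[0] >= self.window:  # age out matches older than the window
            q.popleft()
        q.append(now)
        return DROP if len(q) > self.threshold else ALLOW


# Constructed sample traffic: (timestamp in seconds, source IP, signature matched?)
SAMPLE = [
    (0.0, "10.0.0.5", True),
    (0.1, "10.0.0.5", True),
    (0.2, "10.0.0.5", True),
    (0.3, "10.0.0.5", True),
    (0.4, "10.0.0.5", False),
    (0.5, "10.0.0.5", True),
    (0.6, "10.0.0.9", True),
    (1.5, "10.0.0.5", True),
]


def run(tracker, sample=SAMPLE):
    """Feed the sample through a tracker and return the per-packet decisions."""
    return [tracker.handle({"src": src}, matched, t) for t, src, matched in sample]


if __name__ == "__main__":
    print("immediate:", run(ImmediateTracker()))
    print("threshold:", run(ThresholdTracker(threshold=3, window=1.0)))
```

With a threshold of 3 and a one-second window, the fourth and sixth matching packets from 10.0.0.5 are dropped, the packet from the other source and the packet arriving after the window has slid are forwarded; the immediate tracker drops every matching packet regardless of rate.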
To create a Basic DoS Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The DoS
Settings pane appears.
3. From the DoS Settings pane, click Custom Attack. The Custom DoS Attack window
appears.
4. From the Custom DoS Attack window, select Basic Attack.
5. Set the new Basic DoS Attack parameters as explained in Configuring Basic Application
Security Attacks, page 271.
6. Click OK. The Custom DoS Attack window closes. The new attack can now be viewed in
the Custom Group window.
Configuring Advanced Application Security Attacks
The second building block of the DoS Attack is the Advanced Attack (Advanced Attacks
Window, page 273). The Advanced Attack represents a logical AND between two or more
Basic Attacks. Some attacks have a complex signature comprised of several patterns and
content strings. These attacks require more than one basic filter to protect against them.
Advanced Attacks are made up of a collection of Basic Attacks, selected from the Basic
Attack list.
You can create Advanced Attacks using user defined Basic Attacks only.
Figure 38 - Advanced Attacks Window
To create an Advanced Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The
Settings pane appears.
3. From the Settings pane, click Custom Attack. The Custom DoS Attack window
appears.
4. From the Custom DoS Attack window, select the Advanced Attack option button. The
following parameters appear:
— Attacks Description: The name of the Advanced Attack that you define.
— Optional Basic Attacks: The list of all the user defined Basic Attacks.
— Selected Attacks: Basic Attacks that you want to include in the new Advanced
Attack.
5. In the Attack Name text box, type the name of the new Advanced Attack.
6. From the list contained in the Optional Basic Attacks box, add Basic Attacks to the
Selected Attacks list using the mover arrows.
7. Click Ok.
Application Security Custom Attack Groups
The Custom Attack Group represents a logical OR between two or more Basic Attacks or
Advanced Attacks. The right pane of the Custom Attacks Groups window (Custom Attack
Group Window, page 254) contains the list of all the existing groups.
Figure 39 - Custom Attack Group Window
Radware provides you with a set of predefined Custom Attack Groups as a part of the
Signatures file. You can also add user defined Attack Groups using predefined Attacks or
user defined Attacks. The predefined attack groups are divided according to types of
protection. For example, all attack signatures designed to harm IIS Web servers are
grouped under the IIS Attack Group.
The groups can be activated within a Protection Profile, except for the Unassigned group.
Attacks that affect performance or are prone to false positives are gathered under the
Unassigned group and can be activated only by adding the Attack to an existing group or to
a user defined group.
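An added example (not Radware code) of how the building blocks described in this and the two preceding sections compose: an OMPC rule and a content rule as Basic Attacks, an Advanced Attack as the logical AND of Basic Attacks, and a Custom Attack Group as the logical OR of attacks, all evaluated against constructed IPv4/TCP packets. The condition set (equal/not_equal), the packet builder, the field offsets it relies on and the sample signatures are assumptions made for illustration.

```python
# Added example (not Radware code): a Basic Attack expressed as an OMPC rule
# or a content-string rule, an Advanced Attack as a logical AND of Basic
# Attacks, and a Custom Attack Group as a logical OR of attacks. The
# condition set (equal / not_equal), the packet builder and the sample
# signatures are assumptions made for illustration.
from dataclasses import dataclass
from typing import Sequence


@dataclass
class OMPC:
    """Offset Mask Pattern Condition: up to four bytes at a fixed offset are
    ANDed with `mask` and compared with the (masked) `pattern`."""
    offset: int
    mask: bytes
    pattern: bytes
    condition: str = "equal"  # assumed condition set: "equal" or "not_equal"

    def __post_init__(self):
        if not 1 <= len(self.pattern) <= 4 or len(self.mask) != len(self.pattern):
            raise ValueError("pattern must be 1-4 bytes and mask the same length")

    def matches(self, packet: bytes) -> bool:
        field = packet[self.offset:self.offset + len(self.pattern)]
        if len(field) < len(self.pattern):
            return False  # packet too short to contain the field: no match
        hit = (bytes(b & m for b, m in zip(field, self.mask))
               == bytes(p & m for p, m in zip(self.pattern, self.mask)))
        return hit if self.condition == "equal" else not hit


@dataclass
class Content:
    """Content rule: a text/content string anywhere in the packet."""
    text: bytes

    def matches(self, packet: bytes) -> bool:
        return self.text in packet


@dataclass
class AdvancedAttack:
    """Logical AND: every Basic Attack in `parts` must match the same packet."""
    name: str
    parts: Sequence[object]

    def matches(self, packet: bytes) -> bool:
        return all(p.matches(packet) for p in self.parts)


@dataclass
class AttackGroup:
    """Logical OR: the group fires when any member attack matches."""
    name: str
    members: Sequence[object]

    def matches(self, packet: bytes) -> bool:
        return any(m.matches(packet) for m in self.members)


def tcp_packet(dst_port: int, flags: int, payload: bytes = b"") -> bytes:
    """Constructed minimal IPv4 + TCP packet (checksums left zero); enough
    for fixed-offset matching: IP protocol at byte 9, TCP destination port
    at bytes 22-23, TCP flags at byte 33, payload from byte 40."""
    ip = bytearray(20)
    ip[0], ip[8], ip[9] = 0x45, 64, 6                       # IPv4/IHL=5, TTL, protocol TCP
    ip[2:4] = (40 + len(payload)).to_bytes(2, "big")        # total length
    ip[12:16], ip[16:20] = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
    tcp = bytearray(20)
    tcp[0:2], tcp[2:4] = (40000).to_bytes(2, "big"), dst_port.to_bytes(2, "big")
    tcp[12], tcp[13] = 0x50, flags                          # data offset 5 words, flags
    return bytes(ip) + bytes(tcp) + payload


# Sample signatures (constructed for the example):
IS_TCP = OMPC(offset=9, mask=b"\xff", pattern=b"\x06")
TO_PORT_80 = OMPC(offset=22, mask=b"\xff\xff", pattern=b"\x00\x50")
CMD_EXE = Content(b"cmd.exe")
SYN_FIN = OMPC(offset=33, mask=b"\x03", pattern=b"\x03")  # illegal SYN+FIN flag combination

# Advanced Attack = AND of three Basic Attacks; Group = OR of the Advanced Attack and a Basic one.
WEB_CMD_EXE = AdvancedAttack("web-cmd-exe", [IS_TCP, TO_PORT_80, CMD_EXE])
IIS_GROUP = AttackGroup("IIS", [WEB_CMD_EXE, SYN_FIN])


def classify(packet: bytes):
    """Return (Advanced Attack matched?, Attack Group matched?) for one packet."""
    return WEB_CMD_EXE.matches(packet), IIS_GROUP.matches(packet)


if __name__ == "__main__":
    print(classify(tcp_packet(80, 0x18, b"GET /scripts/cmd.exe HTTP/1.0\r\n")))
```

Note that the AND only holds when all three Basic Attacks match the same packet: the same content string sent to port 8080 does not fire the Advanced Attack, while the SYN+FIN flag rule fires the group on its own because the group is an OR.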
To add a new Custom Attack Group:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The
Settings pane appears.
3. From the Settings pane, select Custom Group. The Custom Attack Group window
appears.
4. From the Custom Attack Group window, enter a relevant name for the new Attack
Group.
5. Select the attacks you want to include in this group and move them to the Selected
Attacks pane using the mover arrows.
Creating a new Application Security Profile
Once the attacks are defined, you can create a new profile.
To define a new Application Security profile:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the DoS/DDoS column. The
Settings pane appears.
3. From the Settings pane, select Application Security Profiles. The Application Security
Profiles pane appears.
4. From the Application Security Profiles pane, click New Profile. The New Profile dialog
box appears.
5. In the Profile Name text box, type the name of the new profile and click Ok. The New
Profile dialog box closes and the new profile appears in the Application Security Profiles
pane.
6. From the All DoS Attacks List pane, select the attacks that you want to add to the new
profile and click Add. The selected attacks appear in the Application Security Profiles
pane.
7. Select the cell in the Connect and Protect Table where you want to apply the new DoS/
DDoS profile and click Apply. The name of the new profile appears in the selected cell.
SYN Flood Protection
This section explains SYN floods and describes how SYN Flood protection works, and
includes the following topics:
• Introduction to SYN Flood Protection, page 275
• Before Setting Up SYN Flood Protection, page 277
• SYN Flood Protection General Settings, page 278
• Creating Custom SYN Attacks, page 280
• SYN Flood Reporting, page 283
Introduction to SYN Flood Protection
SYN Flood Protection is a service intended to protect the hosts located behind the device
and the device itself from SYN flood attacks by performing delayed binding.
A SYN flood attack is a denial of service attack where the attacker sends a huge number of
please-start-a-connection (SYN) packets and then no follow-up packets.
The SYN Flood attack is performed by sending a SYN packet without completing the TCP
three-way handshake. Another type of SYN Flood attack is done by completing the TCP
three-way handshake, but sending no data packets afterwards. Radware provides complete
protection against both types of SYN Flood attacks.
The attacks are detected and blocked by means of SYN Flood Protection Policies. The reports
regarding the current attacks appear in the Active Triggers table.
How Delayed Binding Works
Delayed Binding is a process (Delayed Binding Process, page 276) in which the device alters
fields such as the sequence number of the TCP stream from the client to the destination
server. The subsequent session fetches the information that was requested in the original
session, and only when that information is gathered, it is returned to the client via the
original session.
Figure 40 - Delayed Binding Process (message flow: client to LinkProof: 1 SYN, 2 SYN-ACK,
3 ACK, 4 HTTP-GET; LinkProof creates a New Client Entry, then LinkProof to server: SYN,
SYN-ACK, ACK, HTTP-GET)
Once a SYN Flood attack is identified, the device activates a protection mechanism known as
SYN Cookies. Delayed Binding Process, page 276 illustrates the delayed binding process
including the following steps:
1. A client initiates a request by sending a SYN. The SYN message includes the destination
port number and a TCP sequence number, which represents the connection with the first
segment from the client’s side.
2. The device sends a SYN-ACK back to the client. The device creates a special initial TCP
sequence number. The sequence number is created in such a manner that it encodes a
time stamp and relevant SYN packet data in the SYN-ACK packet sent to the client.
3. The client sends an ACK to the device. When a client responds with an ACK packet, the
device uses the SYN Cookie to verify legitimate client responses.
4. Once the TCP handshake is completed, the client sends a data packet, in this example an
HTTP-GET. When the GET request is sent to the device with the SYN Cookie, the device
verifies the SYN Cookie. If the client response found in the SYN Cookie is legitimate, the
device creates a new client entry. If required, the device makes a load balancing decision.
Then, the device selects the destination server and initiates the three-way TCP
handshake with it.
The core of Delayed Binding is the ability to handle two sessions and pass the information
between them. The device has to alter information such as the sequence number and the
source address from one session to another.
SYN Cookies can be used for any TCP port or application, whereas "usual" delayed bind is
typically used for HTTP sessions. The benefit of SYN cookies over "usual" delayed bind is
that when SYN Cookies are used, no memory resources on the device (for example Session
Table entries) are allocated for sessions before the 3-way handshake is complete. This
ensures that device memory resources are not exhausted by the SYN attack.
SYN-ACK Reflection Attacks Prevention
SYN-ACK Reflection Attacks Prevention is intended to prevent reflection of SYN attacks and
reduce SYN-ACK packet storms that are created as a response to DoS attacks.
When the device is under SYN attack, it sends a SYN-ACK packet with an embedded cookie,
in order to prompt the client to continue the session. In case of DoS SYN attacks, two
problems may arise:
• Third parties can use the SYN-ACK replies to launch attacks on selected sites by
adopting the selected site's address as the source IP address of the attack.
• The SYN-ACK packets create a storm of reflected traffic that consumes bandwidth and
may block legitimate traffic.
SYN-ACK Reflection Attacks Prevention responds to the challenge of the DoS SYN reflection
attack by limiting the number of SYN-ACK packets sent to a specific IP address. This
mechanism works in the following way:
1. The limiting action is applied when the number of SYN-ACK packets exceeds the defined
threshold.
2. The threshold represents the number of uncompleted TCP sessions, and is calculated per
Source IP address by comparing the total number of SYN packets that arrived at the
device with the number of completed TCP sessions. The time interval for this
threshold is one second.
3. The threshold is user defined (recommended values are pre-configured as defaults), see
SYN Flood Protection, page 275.
4. The limitation of SYN-ACK packets does not affect the SYN attack detection (start/stop)
mechanism.
5. Once the limiting action is applied, the device ignores any additional SYN packets
arriving from the specific IP address that is the source of the attack.
Note:
The device behavior in the case of a Distributed SYN attack remains unchanged.
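An added example, not Radware code, illustrating both the SYN Cookie delayed binding steps above and the per-source limit of SYN-ACK Reflection Attacks Prevention: the SYN-ACK sequence number encodes a time stamp, the client's MSS and a keyed hash of the connection, the client's ACK is verified against it before any client entry is created, and a source with too many uncompleted sessions in one second gets no further SYN-ACKs. The cookie layout, the MSS table, the secret and the sample addresses are assumptions; Radware's actual encoding is not described on this page.

```python
# Added example (not Radware code): a simplified SYN-cookie handshake of the
# kind described for Delayed Binding, plus the per-source limit on
# uncompleted sessions used by SYN-ACK Reflection Attacks Prevention. The
# cookie layout (5 bits of time, 3 bits of MSS index, 24 bits of keyed hash),
# the MSS table, the secret and the sample addresses are assumptions.
import hashlib
import hmac

SECRET = b"constructed-demo-secret"      # a real device would draw this at boot
MSS_TABLE = (536, 1220, 1460, 4396)      # MSS values the 3-bit field can encode
COOKIE_LIFETIME = 4                      # ticks (seconds here) a cookie stays valid


def _digest24(src, dst, sport, dport, t):
    """Keyed 24-bit hash over the connection 4-tuple and the time tick."""
    msg = f"{src}|{dst}|{sport}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, client_mss, now):
    """Initial sequence number for the SYN-ACK: encodes a time stamp and the
    client's MSS so that no per-connection state has to be kept."""
    t = int(now) & 0x1F
    idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry not above the client's MSS
        if mss <= client_mss:
            idx = i
    return (t << 27) | (idx << 24) | _digest24(src, dst, sport, dport, t)


def verify_cookie(src, dst, sport, dport, ack_number, now):
    """Check the client's ACK: returns the encoded MSS if the cookie is genuine
    and fresh, or None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t, idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = ((int(now) & 0x1F) - t) & 0x1F
    if age > COOKIE_LIFETIME or h != _digest24(src, dst, sport, dport, t):
        return None
    return MSS_TABLE[idx]


class SynCookieDevice:
    """Front end that answers SYNs statelessly and only allocates a client
    entry once the cookie in the ACK verifies. `max_per_source` plays the
    role of 'Maximum SYN Cookies Per Source' (per second)."""

    def __init__(self, max_per_source=1000):
        self.max_per_source = max_per_source
        self.per_source = {}        # src -> [second, SYN-ACKs sent, ACKs verified]
        self.client_entries = []    # allocated only after a verified handshake

    def _counters(self, src, now):
        rec = self.per_source.setdefault(src, [int(now), 0, 0])
        if rec[0] != int(now):      # new second: the counters are per second
            rec[:] = [int(now), 0, 0]
        return rec

    def on_syn(self, src, dst, sport, dport, client_mss, now):
        """Return the SYN-ACK sequence number, or None if the source already
        has too many uncompleted sessions this second (the SYN is ignored)."""
        rec = self._counters(src, now)
        if rec[1] - rec[2] >= self.max_per_source:
            return None
        rec[1] += 1
        return make_cookie(src, dst, sport, dport, client_mss, now)

    def on_ack(self, src, dst, sport, dport, ack_number, now):
        """Return True and create the client entry only for a valid cookie."""
        mss = verify_cookie(src, dst, sport, dport, ack_number, now)
        if mss is None:
            return False
        self._counters(src, now)[2] += 1
        self.client_entries.append((src, sport, dst, dport, mss))
        return True


if __name__ == "__main__":
    dev = SynCookieDevice(max_per_source=3)
    isn = dev.on_syn("203.0.113.9", "198.51.100.7", 40001, 80, 1460, now=100.2)
    print(dev.on_ack("203.0.113.9", "198.51.100.7", 40001, 80, isn + 1, now=100.4))
```

The point to observe is that `client_entries` stays empty however many SYNs arrive: memory is committed only when an ACK carries a cookie that verifies, and a forged or replayed acknowledgement number fails the keyed hash or the age check.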
To configure SYN Flood Protection:
1. Enable the Session Table, see To enable Layer 4, page 277.
2. Set the Session Table Lookup Mode to Layer 4, see To enable Layer 4, page 277.
3. Enable SYN Flood Protection and set the SYN Flood General Parameters, see SYN Flood
Protection General Settings, page 278.
4. Create a new custom SYN Attack Profile, see Creating Custom SYN Attacks, page 280.
5. View the SYN Flood Order, see Viewing SYN Flood Order, page 281.
Before Setting Up SYN Flood Protection
Before activating the SYN Flood Protection module, you need to configure the Session Table
to operate at Layer 4, as SYN attack detection can take effect only when the device operates
at Layer 4.
To enable Layer 4:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window
appears.
2. From the LinkProof Setup window, select Global. The Global pane appears.
3. From the Global pane, select the Session Table Settings option button and click Edit
Settings. The Session Table Settings window appears.
4. From the Session Table Settings window, set the following parameters according to the
explanations below:
Session Table Status: Enabled
Session Table Lookup Mode: Full Layer 4
5. Click Ok to exit all windows.
Note:
When using the SYN Flood Protection Filters (that are part of the Security
module) you must set the inbound and outbound traffic to operate in the
process mode.
SYN Flood Protection General Settings
Once you configured the Session Table to operate in the Layer 4 mode, you can enable SYN
Flood protection and configure its general parameters.
Table 25 - SYN Protection Parameters
Parameter: Description
SYN Flood Protection Status (checkbox): Enables/disables SYN Flood Protection mode.
Default: Enabled.
SYN Flood Global Statistics Status (checkbox): Whether to calculate SYN protection
statistics (number of SYNs and request packets) also for SYN protection enabled policies,
or only for the triggers.
Default: Enabled.
SYN Protection Timeout: Timeout to complete the TCP 3-way handshake.
Range: 0-10 (0 means no timeout).
Default: 5 seconds.
SYN Protection Threshold Up Ratio: Percentage of uncompleted SYNs compared to total
opened sessions within 1 second, used to invoke SYN Protection.
Range: 0-100.
Default: 30.
SYN Protection Threshold Down Ratio: Percentage of uncompleted SYNs compared to total
opened sessions, used to shut SYN Protection. Measured per 1 second.
Note: The "SYN Protection Threshold Down Ratio" value must be lower than the "SYN
Threshold Up Ratio". If you define an equal or higher value, the device responds with an
error message instructing you to set a lower value.
Range: 0-100.
Default: 20.
SYN Protection Tracking Time: Invoke (or shut) SYN Protection if the SYN threshold is
passed for more than the defined time interval.
Range: 1-10.
Default: 5.
SYN Protection Minimum SYNs for Trigger: Absolute minimum number of uncompleted SYNs
compared to total opened sessions within 1 second, used to invoke SYN Protection.
Value: >= 0.
Default: 2500.
SYN-ACK Reflection Protection Mode: Activates the SYN-ACK Reflection Attack Prevention
mechanism using one of the following modes:
• Enable: The prevention mode.
• Report Only: The report-only mode (no prevention).
• Disable: The mechanism is disabled.
Default: Disable.
SYN-ACK Reflection SrcIP Sampling per second: Number of SYN packets per second that
are sampled and whose source IP is monitored.
Range: 0-10000.
Default: 100.
SYN-ACK Reflection Maximum SYN Cookies Per Source: The limiting threshold that
represents the maximum number of uncompleted TCP sessions per source IP per second
that will be answered. Any session exceeding this frequency is ignored.
Range: 1 - 100,000.
Default: 1,000.
Maximum Traps per Time Interval: Maximum number of SYN Flood and ACK reflection traps
per defined time interval.
Value: >0.
Default: 100.
Traps Time Interval (seconds): User defined time interval for limiting traps.
Value: >0.
Default: 60 seconds.
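How the Up Ratio, Down Ratio, Tracking Time and Minimum SYNs parameters interact, as an added Python example that is not Radware code: protection is invoked only when the uncompleted-SYN percentage stays above the Up Ratio, with at least the minimum count, for more than Tracking Time seconds, and is shut only when it stays below the lower Down Ratio for as long; the gap between the two ratios is what prevents flapping, and the constructor rejects a Down Ratio that is not lower, as the device does. The per-second counters, the strict "more than" reading of Tracking Time and the sample numbers are assumptions.

```python
# Added example (not Radware code): the trigger logic implied by the Up Ratio,
# Down Ratio, Tracking Time and Minimum SYNs parameters in Table 25. How the
# device really samples and counts is not on this page; the one-second
# counters, the strict "more than" reading of Tracking Time and the sample
# numbers are assumptions.


class SynFloodTrigger:
    def __init__(self, up_ratio=30, down_ratio=20, tracking_time=5, min_syns=2500):
        # The device rejects a Down Ratio that is not lower than the Up Ratio.
        if down_ratio >= up_ratio:
            raise ValueError("SYN Protection Threshold Down Ratio must be lower than the Up Ratio")
        self.up_ratio, self.down_ratio = up_ratio, down_ratio
        self.tracking_time, self.min_syns = tracking_time, min_syns
        self.active = False   # whether SYN Protection is currently invoked
        self.streak = 0       # consecutive seconds the relevant condition has held

    @staticmethod
    def uncompleted_ratio(syns, completed):
        """(uncompleted count, percentage of uncompleted SYNs among the
        sessions opened this second)."""
        uncompleted = max(syns - completed, 0)
        return uncompleted, (100.0 * uncompleted / syns if syns else 0.0)

    def observe_second(self, syns, completed):
        """Feed one second of counters (SYNs seen, handshakes completed) and
        return whether protection is active afterwards."""
        uncompleted, ratio = self.uncompleted_ratio(syns, completed)
        if not self.active:
            # Invoke only if the ratio is above the Up Ratio AND the absolute
            # count reaches Minimum SYNs, sustained for more than Tracking Time.
            over = ratio > self.up_ratio and uncompleted >= self.min_syns
            self.streak = self.streak + 1 if over else 0
            if self.streak > self.tracking_time:
                self.active, self.streak = True, 0
        else:
            # Shut only once the ratio stays below the Down Ratio for more than
            # Tracking Time; the gap between the ratios prevents flapping.
            under = ratio < self.down_ratio
            self.streak = self.streak + 1 if under else 0
            if self.streak > self.tracking_time:
                self.active, self.streak = False, 0
        return self.active


def run_trigger(trigger, samples):
    """Return the protection state after each (syns, completed) second."""
    return [trigger.observe_second(s, c) for s, c in samples]


# Constructed per-second counters: (SYNs seen, sessions completed). The first
# second has a high ratio but too few SYNs to count; the last three fall
# below the Down Ratio and shut protection again.
SAMPLE = [(100, 50)] + [(1000, 500)] * 3 + [(1000, 900), (1000, 900), (1000, 850)]

if __name__ == "__main__":
    print(run_trigger(SynFloodTrigger(30, 20, tracking_time=2, min_syns=100), SAMPLE))
```

With Tracking Time 2 the sample invokes protection in the fourth second (three consecutive seconds above the Up Ratio with enough SYNs) and shuts it in the seventh; a second with a ratio between the two thresholds neither advances nor resets the shut-off streak on its own, it only resets the streak, which is the hysteresis the two ratios provide.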
To enable SYN Flood protection and configure the general parameters:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window
appears.
2. From the LinkProof Setup window, select Global > SYN Flood Protection Settings
and click Edit Settings. The SYN Flood Protection Settings window appears.
3. From the SYN Flood Protection Settings window, set the parameters as explained in
Security Tuning Parameters, page 306 and click Apply > Ok.
Creating Custom SYN Attacks
Radware provides you with a set of SYN attacks. In addition you can create user defined
attacks.
Figure 41 - Custom SYN Attack
To create a Custom SYN Attack:
1. From the main window, click Security. The Connect and Protect window appears.
2. From the Connect and Protect window, click anywhere in the SYN Floods column. The
Settings pane appears.
3. From the Settings pane, click Custom Attack. The Custom SYN Attack window
appears.
4. From the Custom SYN Attack window, set the following parameters according to the
explanations provided:
Attack Name: Enter the name of your new attack.
Protocol: TCP
Destination Port Range (To): Enter the end of the destination port range.
Destination Port Range (From): Enter the start of the destination port range.
Attack Description: Enter a user defined attack description.
5. Click Ok. Your preferences are recorded.
Adding SYN Attack to the Selected SYN Attacks List
Once a custom attack is created, you can add this attack to the list of the Selected SYN
Flood attacks. This list contains the attacks that have been selected to provide the protection.
To add a predefined SYN Attack to the Selected SYN Attacks:
1. From the All SYNs Attack list, select the attack you wish to add.
2. Click Add. The SYN Policy Details window appears.
3. From the SYN Policy Details window, set the following parameters according to the
explanations provided:
Policy Index: Enter the Index number. This defines the order in which the device processes
the SYN Attack Profiles.
Verification Type: Defines how completion of the TCP session is determined:
• Ack: the session is completed when the ACK packet arrives (following a SYN / SYN-ACK
packets exchange).
• Request: the session is completed when the first data request packet arrives (following
a SYN / SYN-ACK / ACK packets exchange).
Protection Mode: Select either:
• Enabled: Activates full SYN Flood protection.
• Triggered: Activates SYN Flood protection only when an attack is identified.
• Disabled: SYN Flood protection is disabled.
4. Click Ok. The selected attack now appears in the Selected SYN Attacks List.
Viewing SYN Flood Order
Clicking on View SYN Order allows you to view the index order in which the device
processes the SYN Flood Profiles.
To view the SYN Flood Order:
From the SYN Flood Settings pane, click View SYN Order. The SYN Protection Policies
window appears, as shown below:
Figure 42 - SYN Protection Policies
To edit an Attack:
1. From the All SYN Attacks list, select the attack you wish to edit.
2. Click Edit. The Edit SYN Attacks window appears.
3. From the Edit SYN Attacks window, set the following parameters according to the
explanations provided:
Attack Name: Enter the name of the attack.
Protocol: TCP
Destination Port Range (To): Enter the end of the destination port range.
Destination Port Range (From): Enter the start of the destination port range.
Attack Description: Enter a user defined attack description.
4. Click Ok. Your preferences are recorded.
SYN Flood Reporting
You can view active SYN Flood attacks via the Active Triggers Table. Table 26 on page 283
presents the parameters of the Active Triggers Table.
Table 26: Active Triggers Table
Parameter: Description
Type: The type of the identified attack:
• SYN Flood Trigger: The identified attack is a specific attack from the list of known
attacks.
• SYN Enabled Policies: The identified attack is one of the attacks that are included in all
the enabled policies.
• SYN Protection Total: Displays the total number of identified attacks.
• SYN ACK Reflection: The identified attack is a SYN ACK Reflection attack.
IP Address: Source IP for type "SYN ACK Reflection", and destination IP for all other types.
L4 Port: Destination L4 port (relevant only to type "SYN Flood Trigger").
RX Port: The physical port on the device through which the attack enters.
Active Time: The number of seconds from the moment the attack was recognized.
Last Sec SYN counter: How many SYNs were recognized in the last second.
Last Sec Verified counter: How many ACKs were recognized in the last second.
Average SYN counter: The average of the SYNs that were recognized from the moment the
attack began.
Average Verified counter: The average of the ACKs that were recognized from the moment
the attack began.
Total SYN: Total number of SYN packets for this trigger.
Total Dropped sessions: Total number of unverified sessions for this trigger.
To view the Active Triggers Table:
1. From the main window, click Security. The Connect and Protect table appears.
2. From the Connect and Protect table, click in the SYN Floods column. The SYN Floods
Settings pane appears.
3. From the SYN Floods Settings pane, click Active Triggers. The Active Triggers Table
appears.
Protocol Anomalies
This section explains Protocol Anomaly attacks and includes an explanation of the Anomalies
Module and Stateful Inspection.
This section contains the following topics:
• Introduction to Protocol Anomalies, page 284
• How to Use the Anomalies Module, page 284
• Stateful Inspection, page 290
Introduction to Protocol Anomalies
To avoid IDS detection, hackers may use evasion techniques, such as splitting packets and
sending attacks in fragments. Fragmented packets are therefore suspected of containing an
attack. An attack that uses fragmented packets is called a Protocol Anomaly attack. Protocol
Anomaly attacks are detected and blocked using the Protocol Anomaly Protection mechanism.
Protocol Anomaly attacks are recognized according to the packet’s size: the size of the
fragmented packets falls outside the boundaries of the predefined length.
Protection against Protocol Anomaly attacks is achieved by dropping the suspected packets.
Protocol Anomaly Protection provides protection against two types of protocol anomalies:
• IP protocol anomalies
• URI anomalies
IP Protocol Anomalies
IP protocol anomalies refer to IP fragmentation, which is an evasion technique where the
hacker deliberately fragments packets.
The hacker uses many small fragmented packets in order to either cause a server to crash
or to evade firewall defenses. For example, the Ping of Death Fragmentation attack uses
many small fragmented packets which when reassembled at the destination exceed the
maximum allowable size for an IP datagram. This can cause the victim host to crash, hang
or reboot.
URI Protocol Anomalies
The IP fragmentation concept can be applied to packets that contain "fragments" of a URI.
When the size of a URI packet is below the lower boundary of the predefined length, the
packet may contain a fragmented URI. When the size of the URI packet exceeds the upper
boundary of the predefined length, this is an indication of a buffer overflow attempt.
The hacker uses packets where the URL is split across multiple packets. This attack enables
hackers to insert malicious data into the Web server.
The Anomalies Module
The Anomalies module provides protection using three sub-groups:
• Protocol_Anomalies group
• Buffer Overflow protection (MAX URI Length parameter)
• Fragment Attack protection, including:
— HTTP Fragmentation protection (MIN fragmented URI packet Size parameter)
— IP Fragmentation protection (MIN Fragment Size parameter)
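The three sub-group checks above as added Python functions (illustrative, not Radware's implementation): an IP fragment that is not the last one and is shorter than MIN Fragment Size, a request-line segment shorter than MIN fragmented URI packet Size whose URI continues in a later segment, and a URI longer than MAX URI Length. The limit values, the request-line parsing and the inputs are assumptions; header fields are passed in already parsed.

```python
# Added example (not Radware code): the three Anomalies sub-group checks as
# Python functions. The limit values, the HTTP request-line parsing and the
# sample inputs are assumptions made for illustration.
from dataclasses import dataclass

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass
class AnomalySettings:
    max_uri_length: int = 2048          # Buffer Overflow protection (MAX URI Length)
    min_fragmented_uri_size: int = 128  # HTTP Fragmentation protection (MIN fragmented URI packet Size)
    min_fragment_size: int = 256        # IP Fragmentation protection (MIN Fragment Size)


def check_ip_fragment(total_length, more_fragments, settings):
    """IP Fragmentation protection: a fragment that announces more fragments
    to follow (MF set) but is shorter than MIN Fragment Size is the tiny
    fragment pattern used to split an attack; drop it. The last fragment
    (MF clear) may legitimately be short and is passed."""
    if more_fragments and total_length < settings.min_fragment_size:
        return "drop: IP fragment below MIN Fragment Size"
    return "pass"


def check_http_request(segment, settings):
    """URI anomaly checks on one TCP segment that starts an HTTP request.
    Returns a verdict string."""
    if not segment.startswith(HTTP_METHODS):
        return "pass"  # not the start of a request line: nothing to check here
    if b"\r\n" not in segment:
        # The request line continues in a later segment, so the URI is split
        # across packets; only an unusually small segment counts as HTTP
        # Fragmentation under the MIN fragmented URI packet Size rule.
        if len(segment) < settings.min_fragmented_uri_size:
            return "drop: fragmented URI below MIN fragmented URI packet Size"
        return "pass"
    request_line = segment.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    if len(uri) > settings.max_uri_length:
        return "drop: URI longer than MAX URI Length (buffer overflow)"
    return "pass"


if __name__ == "__main__":
    s = AnomalySettings()
    print(check_ip_fragment(64, True, s))
    print(check_http_request(b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\n\r\n", s))
    print(check_http_request(b"GET /a", s))
```

The two URI rules are deliberately independent: an oversized URI is judged from a complete request line, whereas a fragmented one can only be suspected from a request line that has not terminated yet, which is why the size threshold rather than the URI length is what the second check uses.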
How to Use the Anomalies Module
Radware supplies the set of predefined Attack Groups that provide constant protection
against all recent attacks. You can use these groups to define prevention profiles. Most of
the existing intrusions can be prevented using Radware groups. Once a new protection
profile is defined, you can add Stateful Inspection to it.
In addition to the Radware defined groups, you can create custom Attack Groups, custom
Advanced attacks, and custom Basic attacks. For new users, it is recommended to define
Anomalies protection profiles using Radware defined attacks only.
To configure Anomalies using Radware Defined Attacks:
1. Enable Anomalies, see Application Security Parameters, page 236.
2. Define the Protocol Anomalies general parameters, see Protocol Anomaly Protection
Parameters, page 238.
3. Define an Anomaly Flood Prevention Profile and apply it to the Connect and Protect Table,
see Creating a User Defined Profile, page 289.
4. Add Stateful Inspection to the new profile (optional), see Stateful Inspection, page 290.
To configure Anomalies using User Defined Attacks:
1. Enable Anomalies, see Application Security Parameters, page 236.
2. Define the Protocol Anomalies general parameters, see Protocol Anomaly Protection
Parameters, page 238.
3. Define Basic attacks, see Configuring Basic Protocol Anomaly Attacks, page 285.
4. Define Advanced attacks (optional), see Configuring Advanced Protocol Anomaly
Attacks, page 287.
5. Define Attack Groups, see Anti-Scanning Custom Attack Groups, page 298.
6. Define an Anomaly Flood Prevention Profile and apply it to the Connect and Protect Table,
see Creating a User Defined Profile, page 289.
7. Add Stateful Inspection to the new profile (optional), see Stateful Inspection, page 290.
Configuring Basic Protocol Anomaly Attacks
Basic Attacks (Custom Intrusion Attacks Window, page 247) are the basic building blocks of
the Anomaly Prevention Profile. Each Basic Attack constitutes protection against a specific
attack, meaning that each Basic Attack has a specific attack signature and protection
parameters. Radware provides you with a set of predefined attacks. You can also create user
defined Basic Attacks.
Figure 43 - Custom Anomaly Attacks Window
The parameters of each Basic Attack are divided into the following categories:
• Description parameters
• Protocol definition parameters
• OMPC definition parameters
• Content definition parameters
Description Parameters
Description parameters shown in Table 17 on page 247 are the user-defined description of
the custom attack.
Table 27: Description Parameters
Parameter: Description
Attack Name: The name of the attack as you define it.
Description: A description of the attack.
Protocol Parameters
Protocol definition parameters define transmission protocol. For the detailed parameters
description refer to Protocol Parameters, page 248.
OMPC Parameters
Offset Mask Pattern Condition (OMPC) is a set of Attack parameters that define a rule for
pattern lookups. The OMPC rule looks for a fixed size pattern of up to four bytes, using a
mask applied at a fixed offset. This is useful only for attack recognition where the attack
signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset. The OMPC
parameters are presented in OMPC Parameters, page 248.
Content Parameters
Content parameters define the rule for a text/content string lookup. This rule is intended
for attack recognition where the attack signature is a text/content string within the packet
payload. For the detailed parameters description refer to Content Parameters, page 250.
Tracking Parameters
Tracking parameters (Tracking Parameters, page 252) define how the attack is tracked and
treated once its signature is recognized in the traffic. Each Application Security Attack is
bound to a "Tracking" function that defines how the packet is handled when it is matched
against the Attack. The main purpose of these functions is to determine whether the packet
is harmful and to apply an appropriate action accordingly. There are two types of match
functions:
• The "immediate" type that makes decisions based on a single packet. The signature match
by itself is considered an indicator of the attack and the packet is dropped ("Drop All").
For example, MS Blast.
• The "Threshold" or "Counter" functions. These functions assume that the signature match alone
is not enough to classify a packet as offensive, since the packet may be legitimate unless the
number of packets per period of time exceeds a threshold that defines the "reasonable"
behavior of such traffic. Only packets that exceed the threshold within a predefined time slot are
dropped. For example, ICMP flood attacks and DoS attacks.
For the detailed parameters description refer to Tracking Parameters, page 252.
To create a Basic Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anomalies column. The Settings pane appears.
3. From the Settings pane, click Custom Attack. The Custom Protocol Anomaly Attack window appears.
4. From the Custom Protocol Anomaly Attack window, select the Basic Attack option button.
5. Set the new Basic Attack parameters, see Configuring Basic Protocol Anomaly Attacks, page 285.
6. Click Ok. The Custom Anomalies Attack window closes.
Configuring Advanced Protocol Anomaly Attacks
The second building block of the Anomaly Prevention Profile is the Advanced Attack. The
Advanced Attack represents a logical AND between two or more Basic custom attacks. Some
attacks have a complex signature comprised of several patterns and content strings. These
attacks require more than one Basic Attack to protect against them. Advanced attacks are
made up of a collection of Basic Attacks selected from the Basic Attack list and moved to the
Selected Attacks list.
You can create Advanced Attacks using the user defined Basic Attacks only.
Figure 44 - Advanced Attacks Window
To create an Advanced Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anomalies column. The Settings pane appears.
3. From the Settings pane, select Custom Attack. The Custom Protocol Anomaly Attack window appears.
4. From the Custom Protocol Anomaly Attack window, click Advanced Attack. The Advanced Attack pane appears, which contains the following parameters:
— Attacks Description: The name of the Advanced Attack - user defined.
— Optional Basic Attacks: The list of all the user defined basic attacks.
— Selected Attacks: Basic Attacks that you decided to include in the new Advanced Attack.
5. Select the Basic attacks from the Optional Basic Attacks list and add them to the Selected Attacks list by moving them with the mover arrows.
6. Click Ok.
Setting Up Protocol Anomalies Attack Groups
The Custom Attack Group represents a logical OR between two or more Basic Custom Attacks
or Advanced Custom Attacks. The right panel of the Custom Attack Groups window
contains the list of all the existing groups.
Radware provides you with a set of predefined Custom Attack Groups as a part of the
Signatures file. You can also add user-defined Attack Groups using predefined Attacks or
user-defined Attacks. The predefined attack groups are divided according to types of
protection. For example, all attack signatures designed to harm IIS Web servers are
grouped under the IIS Attack Group.
The groups can be activated within a Protection Policy, except for the Unassigned group.
Attacks that affect performance or are prone to false positives are gathered under the
Unassigned group and can be activated either by adding the Attack to an existing group or to
a user defined group.
To add a new Custom Attack Group:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anomalies column. The Settings pane appears.
3. From the Settings pane, select Custom Group. The Custom Attack Group window appears.
4. From the Custom Attack Group window, enter a relevant name for the new Custom Attack Group.
5. Select the attacks you wish to include in this group and move them to the Selected Attacks list using the mover arrows.
Creating a User Defined Profile
To create a New User Anomaly Profile:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anomalies column. The Settings pane appears.
3. From the Settings pane, click New Profile. The New Anomaly window appears.
4. From the New Anomaly window, enter a name for the new profile.
5. Click Ok. Your new profile appears in the Anomaly Flood Profiles list.
Editing Attacks
To edit an attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click anywhere in the Intrusions column. The Settings pane appears.
3. From the All Attacks list, select the attack you wish to edit and click Edit Attack. The Custom Intrusion Attack window appears.
4. You may now edit the parameters of the attack.
5. Click Ok. Your preferences are recorded. See Table , “Description Parameters,” on page 286.
Stateful Inspection
Stateful Inspection provides additional protection against application level attacks. Stateful
Inspection addresses attacks where the packets exchanged between a client and a
server are each legitimate, but the security threat is revealed when inspecting a sequence
of packets within a session. Most of the attacks covered by Stateful Inspection are
cases of protocol misuse, where a session does not obey the state transitions defined by the
specific protocol.
Radware Stateful Inspection provides an additional level of protection by preventing
application-layer attacks, such as:
• TCP Flooding: SYN-ACK (reflector attack), TCP packet storms.
• Stealth scanning: sending TCP fin / rst / ack / syn-fin packets, etc. to detect which ports
are open.
• DNS reply flooding: Floods a server using DNS replies (usually done as a reflector attack).
• ICMP Echo reply flooding: Floods a server using echo replies; a good example is Smurf
(usually done as a reflector attack).
• WinNuke: WinNuking is a term for a simple procedure that malicious computer users
use on other computer users on the Internet. Effects of this procedure include the
victim's computer crashing, or loss of their connection to the Internet. The WinNuking
procedure is a very simple one, exploiting a large bug in the Windows 95/NT networking
system. Basically, the program attaches itself to port 139 of any Windows 95 computer and
sends "junk" into the port. Also known as an OOB (Out of Bounds) attack, this causes
the networking system to bomb, and the computer crashes.
• FTP Bounce: In some implementations of FTP daemons, the PORT command can be
misused to open a connection to a port of the attacker's choosing on a machine that the
attacker could not have accessed directly.
In a Firewall implementation, stateful inspection provides protection against low-level
corruption attacks, such as Ping of Death, Land Attack, IP Source Route attacks, IP Range
Scan, and so on. Protection against these types of attacks is already provided by the Intrusion
Prevention module and by the Anomalies module.
To activate Stateful Inspection:
1. From the main window, click Security and then Anomalies. The Anomalies window
opens below the Connect & Protect table.
2. Create a new profile and add Stateful Inspection. The Stateful settings screen appears.
Select the required set of protocols to perform stateful protection and then click OK.
To set the Stateful Inspection Global Settings:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anomalies column. The
Anomalies pane appears.
3. From the Anomalies pane, click Inspection Settings. The Inspection Settings window
appears, as shown below:
Figure 45 - Inspection Settings
4. From the Inspection Settings window, set the following parameters according to the
explanations provided:
Protection Status: Enable / Disable. You must set the protection status to Enable to start
stateful protection.
Action Mode: Define the Action mode:
• Forward: The packet is forwarded to the defined destination.
• Drop: In case of UDP or ICMP sessions the packet is dropped. For TCP and TCP based
sessions, providing this is the first packet of the session, a reset is sent to the originator.
If this is not the first packet, a reset is sent both to the originator and the destination.
Startup Mode: Define the Startup mode, either:
• On: Start protection immediately. Existing sessions will be dropped and only new
sessions will be allowed.
• Off: Do not protect.
• Graceful: Start protection while maintaining existing sessions for a configurable time,
defined by Startup Timer.
Startup Timer: The time to maintain existing sessions when the Stateful Inspection feature
is activated in Graceful mode. Sessions that were not closed after this time will be dropped.
Operational Status: This enables the user to start/stop Stateful Protection without resetting
the device.
• On = protect
• Off = do not protect.
5. Click Set. Your preferences are recorded.
Stateful Inspection Aging Settings
The Stateful Inspection Aging Settings window allows you to view and change the aging
parameters of the protocols protected by this feature. The aging parameter specifies the
maximum idle time allowed between a request and a response per protocol, or between two
sequential packets. When the aging time has passed, sessions are considered old, and packets
related to these sessions are dropped.
Note:
The user must tune the protocol aging with care. It is recommended to
consult with Radware Support before making any changes in this table.
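The aging rule above combined with the Drop action mode from the Inspection Settings, as an added Python example that is not Radware's code; the protocol names, the default aging values, the reset labels and the method names are assumptions.

```python
"""Stateful Inspection aging as described above, added as example code (not
Radware's): each protocol has an aging value in seconds, the maximum idle time
between a request and its response or between two sequential packets of one
session.  A session idle for longer is old and its next packet is dropped with
the Drop action: a plain drop for UDP/ICMP, a reset to the originator when it is
the first packet of a TCP session, resets to both sides otherwise.  Protocol
names, the default aging values and the method names are assumptions."""
from dataclasses import dataclass
from typing import Dict, Tuple

DEFAULT_AGING = {"tcp": 60.0, "udp": 30.0, "icmp": 5.0}   # constructed defaults (s)


@dataclass
class Session:
    first_seen: float
    last_seen: float
    packets: int = 1


def _key(proto: str, src: str, sport: int, dst: str, dport: int) -> Tuple:
    """Both directions of a flow map to the same session entry."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


class StatefulInspector:
    def __init__(self, action_mode: str = "drop", aging: Dict[str, float] = None):
        if action_mode not in ("forward", "drop"):
            raise ValueError("Action Mode is Forward or Drop")
        self.action_mode = action_mode
        self.aging = dict(DEFAULT_AGING if aging is None else aging)
        self.sessions: Dict[Tuple, Session] = {}

    def set_aging(self, proto: str, seconds: float) -> None:
        """The per-protocol Protocol Aging Value; tune with care."""
        if seconds <= 0:
            raise ValueError("aging value must be a positive number of seconds")
        self.aging[proto] = seconds

    def _drop(self, proto: str, first_packet: bool) -> str:
        if self.action_mode == "forward":
            return "forward"                  # Forward mode: track only, never drop
        if proto != "tcp":
            return "drop"                     # UDP / ICMP: the packet is simply dropped
        return "drop+reset-originator" if first_packet else "drop+reset-both"

    def inspect(self, ts: float, proto: str, src: str, sport: int,
                dst: str, dport: int, tcp_flags: str = "") -> str:
        """Decide one packet seen at time `ts`: "forward" or a drop action."""
        key = _key(proto, src, sport, dst, dport)
        sess = self.sessions.get(key)
        if sess is None:
            if proto == "tcp" and "S" not in tcp_flags:
                # A TCP session must begin with SYN; a first packet that does not is
                # protocol misuse, and only the originator is reset.
                return self._drop(proto, first_packet=True)
            self.sessions[key] = Session(first_seen=ts, last_seen=ts)
            return "forward"
        if ts - sess.last_seen > self.aging.get(proto, DEFAULT_AGING["udp"]):
            # Aging passed: the session is old, its packet is dropped and the stale
            # entry is removed so that a fresh session can be set up.
            del self.sessions[key]
            return self._drop(proto, first_packet=False)
        sess.last_seen = ts
        sess.packets += 1
        return "forward"


def replay(inspector: StatefulInspector, events) -> list:
    """events: (ts, proto, src, sport, dst, dport[, tcp_flags]) tuples."""
    return [inspector.inspect(*e) for e in events]


# Constructed traffic: one HTTP session that goes idle past the TCP aging
# value, one DNS exchange whose reply comes too late, and a stray TCP ACK.
SAMPLE_EVENTS = [
    (0.0,   "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, "S"),
    (0.05,  "tcp", "192.0.2.10", 80, "10.0.0.5", 40000, "SA"),
    (30.0,  "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, "A"),
    (100.0, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, "A"),    # idle 70 s > 60 s
    (100.1, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, "S"),    # fresh session
    (0.0,   "udp", "10.0.0.5", 5353, "192.0.2.53", 53),
    (40.0,  "udp", "192.0.2.53", 53, "10.0.0.5", 5353),           # reply after 40 s > 30 s
    (0.0,   "tcp", "10.0.0.9", 41000, "192.0.2.10", 22, "A"),    # no SYN: state violation
]
```

Running `replay(StatefulInspector(), SAMPLE_EVENTS)` shows the fourth and seventh packets dropped for aging and the last one reset as a first-packet violation; with `StatefulInspector("forward")` everything is forwarded but the stale sessions are still cleared.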
To set Stateful Inspection Aging Settings:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anomalies column. The
Anomalies pane appears.
3. From the Anomalies pane, click Inspection Settings. The Inspection Settings window
appears.
4. From the Inspection Settings window, click Inspection Aging Settings. The Inspection
Aging Settings window appears, as shown below:
Figure 46 - Inspection Aging Settings
5. Select the Protocol Index that you wish to change and then click Edit. The Edit
Inspection Aging Settings window appears.
6. From the Edit Inspection Aging Settings window, set the following parameters according
to the explanations provided:
Protocol Name: Enter the protocol name.
Protocol Aging Value: The value of the aging parameter of the protocol in seconds.
7. Click Ok to exit all windows. Your preferences are recorded.
Anti-Scanning
This section explains scanning and anti-scanning techniques, as well as the Anti-Scanning
module and how to configure it.
This section contains the following topics:
• Introduction to Anti-Scanning, page 293
• How to Use the Anti-Scanning Module, page 293
Introduction to Anti-Scanning
Prior to launching an attack, hackers usually try to identify which TCP and UDP ports are
open. An open port represents a service, an application or a backdoor. Ports that were
left open unintentionally can create a serious security problem. Application Security
provides a mechanism aimed at preventing hackers from gaining this information by blocking
and altering the server replies sent to the hacker.
Network Scanning
Legitimate traffic that is sent to a recipient in order to learn about the system and its
applications, in preparation for future attacks. As the packets sent by the attacker are legitimate
and legal, analyzing the whole flow of traffic is the only way to detect the scanning.
Anti-Scanning Module
The Anti-Scanning module provides protection against network and port scanning. The
groups included in this module are:
• Scanning: Provides protection against known scanning tools.
• Scanning Tools: The "Scanning-Tools" group contains signatures of miscellaneous
network scanning tools. Signatures in this group protect your network from the
scanning tools that attempt to scan your network.
• Scanning-Generic: The "Scanning-Generic" group contains attack filters that detect
network horizontal scanning, in which a scanner runs a wide set of connection trials on
different ports of the same machine address. As the scanning tools wait for the
server's positive reply, this group contains attack filters that detect and block all outgoing
server traffic according to the attack's source and destination IP addresses (TCP or UDP
positive reply packets).
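The Scanning-Generic behaviour described in the last bullet, as an added Python example that is not Radware's code; the distinct-port threshold, the time slot, the flag notation and the class names are assumptions.

```python
"""Scanning-Generic behaviour described above, added as example code (not
Radware's): count the distinct destination ports one source tries on one
destination address within a time slot; past a threshold the pair is recorded
as a scan and the server's positive replies to that source (a TCP SYN-ACK, a
UDP answer) are blocked, so the scanner gets no confirmation of open ports.
The threshold, slot length, names and the flag notation are assumptions."""
from collections import defaultdict
from typing import Dict, Set, Tuple

Pair = Tuple[str, str]   # (scanner address, scanned address)


class HorizontalScanDetector:
    def __init__(self, port_threshold: int = 10, slot_seconds: float = 60.0):
        self.port_threshold = port_threshold
        self.slot = slot_seconds
        # (src, dst) -> {destination port: time of the last trial}
        self._attempts: Dict[Pair, Dict[int, float]] = defaultdict(dict)
        self.flagged: Set[Pair] = set()

    def inbound(self, ts: float, src: str, dst: str, dport: int) -> bool:
        """Record a connection trial from src to dst:dport.  Returns True when
        the number of distinct ports tried within the slot exceeds the threshold."""
        ports = self._attempts[(src, dst)]
        ports[dport] = ts
        for port, seen in list(ports.items()):   # forget trials older than the slot
            if ts - seen > self.slot:
                del ports[port]
        if len(ports) > self.port_threshold:
            self.flagged.add((src, dst))
            return True
        return False

    def outbound(self, proto: str, server: str, client: str, tcp_flags: str = "") -> str:
        """Filter one server reply.  Positive replies to a flagged scanner are
        blocked; negative replies and traffic to other clients are forwarded."""
        positive = proto == "udp" or ("S" in tcp_flags and "A" in tcp_flags)
        if positive and (client, server) in self.flagged:
            return "block"
        return "forward"


def simulate(detector: HorizontalScanDetector, inbound, outbound):
    """Returns the indexes of inbound trials that flagged a scan and the
    verdict for each outbound reply, in order."""
    flagged_at = [i for i, (ts, src, dst, dport) in enumerate(inbound)
                  if detector.inbound(ts, src, dst, dport)]
    verdicts = [detector.outbound(*reply) for reply in outbound]
    return flagged_at, verdicts


# Constructed traffic: one host walks ports 1..12 on the server in about a
# second, while a normal client reuses a handful of service ports.
SCAN_TRIALS = [(0.1 * i, "198.51.100.7", "192.0.2.10", i + 1) for i in range(12)]
CLIENT_TRIALS = [(0.5, "10.0.0.5", "192.0.2.10", 80), (0.6, "10.0.0.5", "192.0.2.10", 443),
                 (0.7, "10.0.0.5", "192.0.2.10", 80), (0.8, "10.0.0.5", "192.0.2.10", 22)]
SERVER_REPLIES = [
    ("tcp", "192.0.2.10", "198.51.100.7", "SA"),   # open port confirmed to the scanner
    ("tcp", "192.0.2.10", "198.51.100.7", "R"),    # closed port: not a positive reply
    ("tcp", "192.0.2.10", "10.0.0.5", "SA"),       # the normal client
    ("udp", "192.0.2.10", "198.51.100.7"),         # UDP answer to the scanner
]

if __name__ == "__main__":
    print(simulate(HorizontalScanDetector(), SCAN_TRIALS + CLIENT_TRIALS, SERVER_REPLIES))
```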
How to Use the Anti-Scanning Module
Radware supplies the set of predefined Attack Groups that provide constant protection
against all recent attacks. You can use these groups to define prevention profiles. Most of
the existing intrusions can be prevented using Radware groups.
In addition to the Radware defined groups, you can create custom Attack Groups, custom
Advanced attacks, and custom Basic attacks. For new users, it is recommended to define
Anomalies protection profiles using Radware defined attacks only.
To configure Anti-Scanning using Radware Defined Attacks:
1. Enable Anti-Scanning and set the general parameters, see Application Security
Parameters, page 236.
2. Define the Anti-Scanning profile and apply it to the Connect and Protect Table, see
Creating a New User Defined Profile, page 298.
To configure Anti-Scanning using User Defined Attacks:
1. Enable Anti-Scanning and set the general parameters, see Application Security
Parameters, page 236.
2. Define Basic attacks, see Configuring Basic Anti-Scanning Attacks, page 295.
3. Define Advanced attacks (optional), see Configuring Advanced Anti-Scanning Attacks,
page 296.
4. Define Attack Groups, see Anti-Scanning Custom Attack Groups, page 298.
5. Define the Anti-Scanning profile and apply it to the Connect and Protect Table, see
Creating a New User Defined Profile, page 298.
Configuring Basic Anti-Scanning Attacks
Basic Attacks (Custom Intrusion Attacks Window, page 247) are the basic building block of
the Anti-Scanning Profile. Each Basic Attack constitutes protection against a specific attack,
meaning that the profile has a specific attack signature and protection parameters. Radware
provides you with a set of predefined attacks. You can also create user defined Basic
Attacks.
Figure 47 - Custom Intrusion Attacks Window
The parameters of each Custom Attack are divided into the following categories:
• Description parameters
• Protocol definition parameters
• OMPC definition parameters
• Content definition parameters
Description Parameters
Description parameters shown in Table 28 on page 295 are the user-defined description of
the custom attack.
Table 28: Description Parameters
Parameter      Description
Attack Name    The name of the attack as you define it.
Description    A description of the attack.
Protocol Parameters
Protocol definition parameters define the transmission protocol. For the detailed parameters
description refer to Table 18, “Protocol Parameters,” on page 248.
OMPC Parameters
Offset Mask Pattern Condition (OMPC) is a set of Attack parameters that define a rule for
pattern lookups. The OMPC rule looks for a fixed size pattern of up to four bytes, using a
mask applied at a fixed offset. This is useful only for attack recognition where the attack
signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset. The OMPC
parameters are presented in Table 19, “OMPC Parameters,” on page 248.
Content Parameters
Content parameters define the rule for a text/content string lookup. This rule is intended
for attack recognition where the attack signature is a text/content string within the packet
payload. For the detailed parameters description refer to Table 20, “Content Parameters,” on
page 250.
Tracking Parameters
Tracking parameters shown in Table 21, “Tracking Parameters,” on page 252 define how the
attack is tracked and treated once its signature is recognized in the traffic. Each Application
Security Attack is bound to a "Tracking" function that defines how the packet is handled
when it is matched against the Attack. The main purpose of these functions is to determine
whether the packet is harmful and to apply an appropriate action accordingly. There are two
types of match functions:
• The "immediate" type that makes decisions based on a single packet. The signature
match by itself is considered an indicator of the attack and the packet is
dropped ("Drop All"). For example, MS Blast.
• The "Threshold" or "Counter" functions. These functions assume that the signature
match alone is not enough to classify a packet as offensive, since the packet may be
legitimate unless the number of packets per period of time exceeds a threshold that
defines the "reasonable" behavior of such traffic. Only packets that exceed the threshold
within a predefined time slot are dropped. For example, ICMP flood attacks and DoS
attacks.
For the detailed parameters description refer to Table 21, “Tracking Parameters,” on
page 252.
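The OMPC rule and the two tracking functions described here and in the Protocol Anomaly Basic Attack section above, modelled as an added Python example that is not Radware's code; the class names, the "not_equal" condition value, the sample packet layouts and the thresholds are assumptions.

```python
"""Model of a Basic Attack as the text describes it: an OMPC rule (fixed
offset, mask, pattern of up to four bytes, condition) bound to a tracking
function that is either "immediate" (one match drops the packet) or
"threshold"/"counter" (drop only once matches from a source exceed a limit
within a time slot).  Added example code, not Radware's implementation; the
class and field names are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class OMPCRule:
    offset: int                # fixed byte offset from the start of the packet
    mask: bytes                # 1..4 bytes ANDed onto the packet window first
    pattern: bytes             # expected value after masking, same length as mask
    condition: str = "equal"   # assumed values: "equal" or "not_equal"

    def __post_init__(self):
        if not 1 <= len(self.mask) <= 4 or len(self.mask) != len(self.pattern):
            raise ValueError("OMPC pattern is 1..4 bytes and as long as its mask")
        if self.condition not in ("equal", "not_equal"):
            raise ValueError("unknown OMPC condition")

    def matches(self, packet: bytes) -> bool:
        end = self.offset + len(self.mask)
        if end > len(packet):
            return False   # the field lies beyond the packet: no match possible
        window = bytes(b & m for b, m in zip(packet[self.offset:end], self.mask))
        want = bytes(p & m for p, m in zip(self.pattern, self.mask))
        return (window == want) if self.condition == "equal" else (window != want)


class ImmediateTracking:
    """Single-packet decision: the signature match by itself is the attack."""
    def decide(self, src: str, ts: float) -> str:
        return "drop"


class ThresholdTracking:
    """Per-source counter: only matches beyond `threshold` within a sliding
    slot of `slot_seconds` are dropped; the packets below it are legitimate."""
    def __init__(self, threshold: int, slot_seconds: float):
        self.threshold, self.slot = threshold, slot_seconds
        self._hits = defaultdict(deque)   # src -> timestamps of recent matches

    def decide(self, src: str, ts: float) -> str:
        hits = self._hits[src]
        hits.append(ts)
        while hits and ts - hits[0] > self.slot:   # age out hits outside the slot
            hits.popleft()
        return "drop" if len(hits) > self.threshold else "forward"


class BasicAttack:
    def __init__(self, name: str, rule: OMPCRule, tracking):
        self.name, self.rule, self.tracking = name, rule, tracking

    def inspect(self, src: str, ts: float, packet: bytes) -> str:
        """Returns "forward" or "drop" for one packet from `src` seen at `ts`."""
        return self.tracking.decide(src, ts) if self.rule.matches(packet) else "forward"


# Constructed sample packets: a 20-byte IPv4 header followed by a 20-byte TCP
# header or an 8-byte ICMP header; only the inspected fields are populated.
def ipv4_header(protocol: int) -> bytes:
    return bytes([0x45]) + bytes(8) + bytes([protocol]) + bytes(10)

def tcp_packet(flags: int) -> bytes:
    return ipv4_header(6) + bytes(13) + bytes([flags]) + bytes(6)   # flags at byte 33

def icmp_packet(icmp_type: int) -> bytes:
    return ipv4_header(1) + bytes([icmp_type]) + bytes(7)            # type at byte 20

TCP_FIN, TCP_SYN = 0x01, 0x02


def make_syn_fin_attack() -> BasicAttack:
    """SYN and FIN set together is a protocol anomaly: one packet decides."""
    both = bytes([TCP_FIN | TCP_SYN])
    return BasicAttack("tcp-syn-fin", OMPCRule(offset=33, mask=both, pattern=both),
                       ImmediateTracking())

def make_icmp_flood_attack() -> BasicAttack:
    """Echo requests are legitimate; only a burst above 3 per second from one
    source is treated as a flood, so a counter function tracks them."""
    return BasicAttack("icmp-echo-flood", OMPCRule(offset=20, mask=b"\xff", pattern=b"\x08"),
                       ThresholdTracking(threshold=3, slot_seconds=1.0))


def run(attack: BasicAttack, traffic):
    """traffic: iterable of (src, timestamp, packet); returns one decision each."""
    return [attack.inspect(src, ts, pkt) for src, ts, pkt in traffic]


if __name__ == "__main__":
    print(run(make_syn_fin_attack(), [("10.0.0.1", 0.0, tcp_packet(TCP_SYN | TCP_FIN)),
                                      ("10.0.0.1", 0.1, tcp_packet(TCP_SYN))]))
    burst = [("10.0.0.2", 0.1 * i, icmp_packet(8)) for i in range(5)]
    print(run(make_icmp_flood_attack(), burst + [("10.0.0.2", 5.0, icmp_packet(8))]))
```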
To create a Basic Anti-Scanning Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anti-Scanning column. The
Settings pane appears.
3. From the Settings pane, click Custom Attack. The Anti-Scanning window appears.
4. From the Anti-Scanning window, select the Basic Attack option button.
5. Set the new Basic Attack parameters as explained in Table , “Description Parameters,”
on page 247.
6. Click Ok. The Anti-Scanning window closes.
Configuring Advanced Anti-Scanning Attacks
The second building block of the Anti-Scanning Profile is the Advanced Attack. The Advanced
Attack represents a logical AND between two or more Basic custom attacks. Some attacks
have a complex signature comprised of several patterns and content strings. These attacks
require more than one Basic Attack to protect against them. Advanced Attacks are made up
of a collection of Basic Attacks selected from the Basic Attack list and moved to the Selected
Attacks list.
You can create the Advanced Attacks using the user defined Basic Attacks only.
Figure 48 - Advanced Attack Window
To create an Advanced Attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anti-Scanning column. The Settings pane appears.
3. From the Settings pane, select Custom Attack. The Anti-Scanning window appears.
4. From the Anti-Scanning window, click Advanced Attack. The Advanced Attack pane appears, which contains the following parameters:
• Attacks Description: The name of the Advanced Attack that you define.
• Optional Basic Attacks: The list of all user defined Basic Attacks.
• Selected Attacks: Basic Attacks that you decide to include in the new Advanced Attack.
5. In the Attack Name text box, type the name of the new Advanced Attack.
6. Select the Basic Custom attacks from the Optional Basic Attacks list and add them to the Selected Attacks list using the mover arrows.
7. Click Ok.
Anti-Scanning Custom Attack Groups
The Custom Attack Group represents a logical OR between two or more Basic Custom Attacks
or Advanced Custom Attacks. The right panel of the Custom Attack Groups window
contains the list of all the existing groups.
Radware provides you with a set of predefined Custom Attack Groups as a part of the
Signatures file. You can also add user-defined Attack Groups using predefined Attacks or
user-defined Attacks. The predefined attack groups are divided according to types of
protection. For example, all attack signatures designed to harm IIS Web servers are
grouped under the IIS Attack Group.
The groups can be activated within a Protection Policy, except for the Unassigned group.
Attacks that affect performance or are prone to false positives are gathered under the
Unassigned group and can be activated either by adding the Attack to an existing group or to
a user defined group.
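The AND/OR composition of Advanced Attacks and Custom Attack Groups, as described here and in the Protocol Anomaly sections above, modelled as an added Python example that is not Radware's code; the packet fields, attack names, the user-defined-only check and the Unassigned check are assumptions about how the stated rules would be enforced.

```python
"""Composition rules described above, as added example code (not Radware's):
an Advanced Attack is a logical AND of user-defined Basic Attacks, a Custom
Attack Group is a logical OR of Basic or Advanced Attacks, and a profile may
activate any group except Unassigned.  A Basic Attack is reduced here to a
predicate over a packet dict; class names and packet fields are assumptions."""
from typing import Callable, Dict, Iterable, List

Packet = Dict[str, object]


class BasicAttack:
    def __init__(self, name: str, predicate: Callable[[Packet], bool],
                 predefined: bool = False):
        self.name, self.predicate, self.predefined = name, predicate, predefined

    def matches(self, pkt: Packet) -> bool:
        return self.predicate(pkt)


class AdvancedAttack:
    """Logical AND: every member Basic Attack must match the same packet."""
    def __init__(self, name: str, members: Iterable[BasicAttack]):
        self.name, self.members = name, list(members)
        if len(self.members) < 2:
            raise ValueError("an Advanced Attack combines two or more Basic Attacks")
        if any(m.predefined for m in self.members):
            raise ValueError("Advanced Attacks use user-defined Basic Attacks only")

    def matches(self, pkt: Packet) -> bool:
        return all(m.matches(pkt) for m in self.members)


class AttackGroup:
    """Logical OR: the group fires if any member attack matches."""
    def __init__(self, name: str, members: Iterable):
        self.name, self.members = name, list(members)
        if len(self.members) < 2:
            raise ValueError("a Custom Attack Group combines two or more attacks")

    def matches(self, pkt: Packet) -> bool:
        return any(m.matches(pkt) for m in self.members)


class PreventionProfile:
    def __init__(self, name: str):
        self.name, self.groups = name, []

    def activate(self, group: AttackGroup) -> None:
        if group.name == "Unassigned":
            raise ValueError("Unassigned cannot be activated; move its attacks into a group")
        self.groups.append(group)

    def matched_groups(self, pkt: Packet) -> List[str]:
        """Names of the active groups that fire on this packet."""
        return [g.name for g in self.groups if g.matches(pkt)]


def rejects(ctor: Callable, *args) -> bool:
    """True if the call raises ValueError (shows the two constraints above)."""
    try:
        ctor(*args)
    except ValueError:
        return True
    return False


def uri_of(payload: bytes) -> bytes:
    parts = payload.split(b" ")
    return parts[1] if len(parts) > 1 else b""


# Constructed user-defined Basic Attacks over a few packet fields.
http_get = BasicAttack("http-get", lambda p: p["proto"] == "tcp" and p["dport"] == 80
                       and p["payload"].startswith(b"GET "))
long_uri = BasicAttack("long-uri", lambda p: len(uri_of(p["payload"])) > 64)
dot_dot = BasicAttack("dot-dot", lambda p: b".." in uri_of(p["payload"]))
# A predefined (Radware-supplied) attack: usable in a group, not in an Advanced Attack.
syn_fin = BasicAttack("tcp-syn-fin", lambda p: p.get("flags") == "SF", predefined=True)

# A complex signature needs several patterns at once: AND of Basic Attacks.
overlong_get = AdvancedAttack("overlong-http-get", [http_get, long_uri])
# Groups fire on any member: OR over Basic and Advanced Attacks.
web_group = AttackGroup("Web", [overlong_get, dot_dot])
anomaly_group = AttackGroup("Anomalies", [syn_fin, overlong_get])

SAMPLE_PACKETS = [   # constructed
    {"proto": "tcp", "dport": 80, "payload": b"GET /" + b"a" * 100 + b" HTTP/1.0"},
    {"proto": "tcp", "dport": 80, "payload": b"GET /../etc HTTP/1.0"},
    {"proto": "tcp", "dport": 443, "flags": "SF", "payload": b""},
    {"proto": "tcp", "dport": 80, "payload": b"GET /index.html HTTP/1.0"},
]


def build_profile() -> PreventionProfile:
    profile = PreventionProfile("web-anomalies")
    profile.activate(web_group)
    profile.activate(anomaly_group)
    return profile


def evaluate(profile: PreventionProfile, packets: Iterable[Packet]) -> List[List[str]]:
    return [profile.matched_groups(p) for p in packets]
```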
To add a new Custom Attack Group:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anti-Scanning column. The
Settings pane appears.
3. From the Settings pane, select Custom Group. The Custom Attack Group window
appears.
4. From the Custom Attack Group window, enter a relevant name for the new Custom
Attack Group.
5. Select the attacks you wish to include in this group and move them to the Selected
Attacks list using the mover arrows.
Creating a New User Defined Profile
To create a new User Defined Anti-Scanning Profile:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click anywhere in the Anti-Scanning column. The
Settings pane appears.
3. From the Settings pane, click New Profile. The New Anti-Scanning Profile window
appears.
4. From the New Anti-Scanning Profile window, enter a name of the new profile.
5. Click Ok. Your new profile appears in the All Anti-Scanning Attacks list.
Editing Attacks
To edit an attack:
1. From the main window, click Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, double-click anywhere in the Anti-Scanning
column. The Settings pane appears.
3. From the All Attacks list, select the attack you wish to edit and click Edit Attack. The
Edit Anti-Scanning window appears.
4. You may now edit the parameters of the attack. See Description Parameters, page 247.
5. Click Ok. Your preferences are recorded.
Managing Signatures Database
This section explains the Signatures Database and how to update it, including downloading
signatures to the database both manually and automatically.
This section includes the following topics:
• Application Security Signature File Update, page 299
• Manual Update, page 299
• Downloading and Updating, page 301
• Scheduled Downloading and Updating, page 301
Application Security Signature File Update
The Application Security module uses the Application Security Signature File Update feature for
constant updates of the signatures database. All devices with the Application Security
module are updated using the latest Application Security Signature file, which is a database
that contains a list of updated attacks.
To guarantee maximum protection for your network, you must update the Application
Security Signature file. The update is performed per device. During the update process
APSolute Insite connects to the Radware website to check whether the file is available for the
specified device.
Note:
To get Security Update Service, you need to purchase it separately.
An updated Application Security Signature file can be found on the Radware website every
Monday. If an emergency update is required, the website is updated in addition to weekly
updates.
Updating of the Application Security Signature file can be performed in the following ways:
• Manual updating: if you have an update file that was downloaded manually from the
website, you can update the Application Security Signature file manually.
• Manual downloading and updating: you can download the update file from the Radware
website and perform the manual update using this file.
• Automatic downloading and updating: you can set automatic download and update of
the Application Security Signature file.
Tip:
To provide the best protection to your network, it is recommended to set
automatic daily updates.
Manual Update
If you have the updated file, you can update the Application Security Signature file
manually.
To update the Application Security Signature file:
1. From the SynApps menu, select Security Updates > Upload Attacks File. The Upload
Attacks dialog box appears, displaying the list of devices that have a Service Agreement.
2. To view the parameters of a certain device, select the line with the desired device. For
each device in the Upload Attacks table, the following parameters are displayed:
— Device (read only): The name of the selected device.
— Current Version (read only): The current version of the device.
— Attacks File Name: Type the name of the desired file, or click Browse to find the file.
3. From the Upload Attacks table, select the devices to which you want to send the
selected Attack DataBase update and click Send Attacks File To Selected Devices.
The Progress bar of each selected device displays the progress of sending the
Application Security Signature file to that device. The Progress Message box displays a
message about sending the file.
Note:
You must choose only the devices that have an Application Security Signature
File Update Service Agreement with Radware Support.
4. Click Update Table, to update the Upload Attacks table with the new parameters. The
selected devices are updated.
Downloading and Updating
You can download the signature files from the Radware Web site and then perform the
update.
To update the Application Security Signature file:
1. From the SynApps menu, select Security Updates > Upload Attacks File. The Upload
Attacks dialog box appears, displaying the list of devices that have a Service Agreement.
2. Select the devices for which you want to update the Application Security Signature file
and click Download Now. The updated Application Security Signature file is now
downloaded from the Radware Website.
3. To view the parameters of a certain device, select the line with the desired device. For
each device in the Upload Attacks table, the following parameters are displayed:
— Device (read only): The name of the selected device.
— Current Version (read only): The current version of the device.
— Attacks File Name: The path to the Application Security Signature file that was
downloaded from the Radware Web.
4. Click Update Table, to update the Upload Attacks table with the new parameters.
5. Select the devices to which you want to send the selected Attack DataBase update and
click Send Attacks File To Selected Devices. The Progress bar of each selected
device displays the progress of sending the Application Security Signature file to that
device. The Progress Message box displays a message about sending the file. The
selected devices are updated.
Scheduled Downloading and Updating
You can set the automatic download of the upgrade files using the predefined schedule.
Once the upgrade files are downloaded, you can update the Application Security Signature
file. You can edit or remove the Application Security Signature file update settings from the
Scheduler (For the explanations about Scheduler, refer to the APSolute Insite User Guide).
To update the Application Security Signature file:
1. From the SynApps menu, select Security Updates > Attacks Update Settings. The
Attacks Update Settings window appears.
2. To perform the Time settings, specify the Start Hour.
Notes:
i The End Hour option must not be used for this task.
ii To set minutes, double-click in this box and then perform the settings.
3. To perform the Frequency settings, select an option button.
4. If you selected the Weekly option button, specify the day of the week on which the
update is performed.
5. If you selected the Minutes option button, type the number of minutes in the Minutes
text box.
6. Click Next. The Attacks Update Settings dialog box appears with the list of all the map
devices.
7. Select the devices for which you want to perform the Attack DataBase Update.
Note:
You must choose only devices that have an Application Security Signature File
Update Service Agreement with Radware Support.
8. Click Next. The Attacks Update Settings dialog box closes. The task appears in
Scheduler, see APSolute Insite User Guide.
9. To update the Application Security Signature file, from the SynApps menu, select
Security Updates > Update Devices. The Upload Attacks dialog box appears,
displaying the list of devices that have a Service Agreement.
10. To view the parameters of a certain device, select the line with the desired device. For
each device in the Upload Attacks table, the following parameters are displayed:
— Device (read only): The name of the selected device.
— Current Version (read only): The current version of the device.
— Attacks File Name: The path to the Application Security Signature file that was
downloaded from the Radware Web site according to the predefined schedule. To
use a different file, type the name of the desired file, or click Browse to find the
file.
11. Select the devices to which you want to send the selected Attack DataBase update and
click Send Attacks File To Selected Devices. The Progress bar of each selected
device displays the progress of sending the Application Security Signature file to that
device. The Progress Message box displays a message about sending the file.
Note:
You must select the devices from the list defined in Step 7.
12. Click Update Table, to update the Upload Attacks table with the new parameters. The
selected devices are updated.
Note:
You can configure auto-download to the devices or prompt for download.
Security Tuning
This section explains security tuning, as well as information on the session table and SYN
table parameters.
This section includes the following topics:
• Tuning Introduction, page 305
• Security Tuning, page 306
• Session Table Tuning, page 308
• SYN Table Tuning, page 309
Note:
It is strongly advised that device tuning only be carried out after consulting
with Radware Technical Support.
Tuning Introduction
The Security Tables store information about sessions passing through the device; their
sizes are correlated to the actual number of sessions. Some of the tables store
information for every source-destination address pair of traffic going through the device
(Layer-3 information). These pairs require an entry for each combination. Some of the tables
need to keep information about Layer-4 sessions, which means that every combination of
source address, source port, destination address and destination port requires its own entry
in the table.
Note:
Layer-4 tables are usually larger than Layer-3 tables. For example, a typical
TCP client, using HTTP, opens several TCP sessions to the same destination
address.
Each security table has its own Free-Up mechanism, which is responsible for clearing the
table of old entries that are no longer required, and for ensuring that all detected attacks are
reported properly so that the attack can be logged. The Free-Up Frequency for each table
determines how often the device clears unnecessary entries from the table and stores
information about newly detected security events in a dedicated internal alerts buffer. The
alerts are then distributed to the Alerts Table, log file, SNMP management station, and syslog
server, as required by the configuration. The alerts buffer ensures that the device is not
overloaded with alerts distribution.
Security Tuning
You can tune the Security tables according to your needs. Table 29 on page 306 presents a
description of the security tables and provides their tuning parameters.
Table 29: Security Tuning Parameters

Platform and memory configurations (the Max Value given for each parameter applies to each of them):
  AS II: 256MB
  AS III: Mstr 256MB / Accl 512MB; Mstr 256MB / Accl 1024MB; Mstr 512MB / Accl 512MB; Mstr 512MB / Accl 1024MB

Parameter: Alerts Table
Description: Information on security events is registered internally via the device alerts table.
Max Value: 10000 (AS II 256MB and all AS III configurations)

Parameter: Log File Polling Time (ms)
Description: With the Log File Polling Time parameter you can configure how often alerts are read from the internal alerts buffer and are sent to the Log File. If the environment of the device is busy, it is advisable to change this value to 1,000 ms to ensure that all alerts are logged on time.
Max Value: 10000 ms

Parameter: Target Table
Description: The Target Table contains the attack detection mechanism that is based on the destination addresses of the incoming traffic. If the number of packets sent to the same destination is above the predefined limit, this is identified as an attack. The Target Table tuning parameter defines in how many sessions to check the destination address.
Max Value: 64000 (AS II 256MB and all AS III configurations)

Parameter: Source Table
Description: The Source Table contains the attack detection mechanism that is based on the source addresses of the incoming traffic. If the number of packets sent from the same source is above the predefined limit, this is identified as an attack. The Source Table tuning parameter defines in how many sessions to check the source address.
Max Value: 64000 (AS II 256MB and all AS III configurations)

Parameter: Source & Target Table
Description: The Source&Target Table contains the attack detection mechanism that is based on the source and destination addresses of the incoming traffic. Each entry of this table contains source and destination addresses. If the number of packets sent from the same source to the same destination is above the predefined limit, this is identified as an attack. The Source&Target Table tuning parameter defines in how many sessions to check the source address.
Max Value: 64000 (AS II 256MB and all AS III configurations)

Parameter: Security Tracking Tables Free-Up Frequency (ms)
Description: The Free-Up Frequency for each table determines how often the device clears unnecessary entries from the table, and stores information about newly detected security events.
Max Value: 500 ms (AS II and AS III)

Parameter: DHCP Discover
Description: The DHCP Discover table contains an attack detection mechanism based on counting the IP requests for each MAC address. The requests are made using the Dynamic Host Configuration Protocol. When the number of IP requests for a particular MAC address is above the predefined limit, an attack is identified. The DHCP Discover tuning parameter determines for how many MAC addresses to check the number of IP requests.
Max Value: 64000 (AS II 256MB and all AS III configurations)
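As an added illustration of the sizing and Free-Up behaviour described in the Tuning Introduction, and of the packet-threshold checks described for the Target Table and Source Table rows of Table 29, the following Python model keeps a Layer-3 table keyed by address pair and a Layer-4 table keyed by the full session 4-tuple, enforces a Max Value limit, runs a Free-Up sweep at a fixed frequency, and raises one alert per key the first time a packet limit is exceeded. It is not Radware code and does not describe LinkProof internals; the traffic sample, the idle age of 1000 ms and the limits are constructed values.

```python
"""Toy model of Layer-3 / Layer-4 security tables with a Max Value limit, a
Free-Up sweep and a per-key packet threshold.  Added illustration only; the
device's real data structures and limits are not described on this page."""
from collections import namedtuple

# Constructed packet record: arrival time in ms plus the session 4-tuple.
Packet = namedtuple("Packet", "ts_ms src sport dst dport")


class SecurityTable:
    """key -> [packet count, last-seen time].  max_entries models the Max Value
    tuning parameter, freeup_ms the Free-Up Frequency; idle_ms is an assumed
    age after which an entry counts as no longer required."""

    def __init__(self, key_fn, max_entries, freeup_ms=500, idle_ms=1000):
        self.key_fn = key_fn
        self.max_entries = max_entries
        self.freeup_ms = freeup_ms
        self.idle_ms = idle_ms
        self.entries = {}
        self.dropped = 0        # packets not tracked because the table was full
        self.last_sweep_ms = 0

    def observe(self, pkt):
        """Record the packet; return the key's new count, or None if untracked."""
        self._maybe_free_up(pkt.ts_ms)
        key = self.key_fn(pkt)
        entry = self.entries.get(key)
        if entry is None:
            if len(self.entries) >= self.max_entries:
                self.dropped += 1   # an undersized table loses visibility
                return None
            entry = self.entries[key] = [0, pkt.ts_ms]
        entry[0] += 1
        entry[1] = pkt.ts_ms
        return entry[0]

    def _maybe_free_up(self, now_ms):
        # Runs at most once per freeup_ms and removes idle entries.
        if now_ms - self.last_sweep_ms < self.freeup_ms:
            return
        self.last_sweep_ms = now_ms
        for key in [k for k, (_, seen) in self.entries.items()
                    if now_ms - seen > self.idle_ms]:
            del self.entries[key]


def l3_key(p):          # Layer-3 table: one entry per address pair
    return (p.src, p.dst)

def l4_key(p):          # Layer-4 table: one entry per session 4-tuple
    return (p.src, p.sport, p.dst, p.dport)


def sample_traffic():
    """Constructed traffic: two HTTP clients open 4 and 2 TCP sessions to one
    server (two packets each); then one host sends 30 packets to a second server."""
    pkts, ts = [], 0
    for src, sports in (("192.0.2.10", range(40001, 40005)),
                        ("192.0.2.11", range(50001, 50003))):
        for sport in sports:
            for _ in range(2):
                pkts.append(Packet(ts, src, sport, "10.0.0.5", 80))
                ts += 1
    for i in range(30):
        pkts.append(Packet(100 + i, "198.51.100.7", 1000 + i, "10.0.0.9", 443))
    return pkts


def table_sizes(packets, max_entries):
    """(L3 entries, L4 entries, L4 packets dropped) after the sample traffic;
    shows why a Layer-4 table needs a larger Max Value than a Layer-3 one."""
    l3 = SecurityTable(l3_key, max_entries)
    l4 = SecurityTable(l4_key, max_entries)
    for p in packets:
        l3.observe(p)
        l4.observe(p)
    return len(l3.entries), len(l4.entries), l4.dropped


def detect_floods(packets, key_fn, limit):
    """Target/Source Table style check: report a key once, the first time its
    packet count exceeds the limit, so each attack produces one alert."""
    table = SecurityTable(key_fn, max_entries=64000)
    return [key_fn(p) for p in packets if table.observe(p) == limit + 1]


def free_up_demo(packets):
    """L4 entries before and after a packet at t=2000 ms triggers the Free-Up sweep."""
    l4 = SecurityTable(l4_key, max_entries=64000)
    for p in packets:
        l4.observe(p)
    before = len(l4.entries)
    l4.observe(Packet(2000, "192.0.2.10", 40001, "10.0.0.5", 80))
    return before, len(l4.entries)
```

Running table_sizes on the sample with a Max Value of 32 shows the Layer-4 table filling up and dropping four packets while the Layer-3 table holds only three address pairs, which is why Layer-4 tables need the larger Max Value; detect_floods with a destination key behaves like the Target Table and with a source key like the Source Table, reporting each key once when its count crosses the limit; free_up_demo shows the sweep evicting every idle session entry.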
To define Security tuning parameters:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window
appears.
2. From the LinkProof Setup window, select Global > Security Settings and click Edit
Settings. The Security Settings window appears.
3. From the Security Settings window, set the tuning parameters as explained in Table 29
on page 306 and click Apply > Ok.
Session Table Tuning
Session Table tuning parameters are presented in Table 30 on page 308.
Table 30: Session Table Tuning

Parameter: Session Table Status
Description: Table that keeps track of sessions that were not recorded in the Client Table.
Platform / Memory / Default Value / Max Value:
  AS II / 256MB / Enabled / 500,000
  AS III / Mstr 256MB, Accl 512MB / Enabled / 358,000
  AS III / Mstr 256MB, Accl 1024MB / Enabled / 358,000
  AS III / Mstr 512MB, Accl 512MB / Enabled / 983,000
  AS III / Mstr 512MB, Accl 1024MB / Enabled / 1,144,000

Parameter: Session Passive Protocol
Description: Table that keeps track of passive protocol port commands, so that all related sessions can be linked together.
Platform / Memory / Default Value / Max Value:
  AS II / 256MB / 1024 / 16000
  AS III / Mstr 256MB, Accl 512MB / 1024 / 16000
  AS III / Mstr 256MB, Accl 1024MB / 1024 / 16000
  AS III / Mstr 512MB, Accl 512MB / 1024 / 16000
  AS III / Mstr 512MB, Accl 1024MB / 1024 / 16000
To define Session Table tuning parameters:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window
appears.
2. From the LinkProof Setup window, select Global > Session Table Settings and click
Edit Settings. The Session Table Settings window appears.
3. From the Session Table Settings window, set the tuning parameters as explained in
Table 30 on page 308 and click Apply > Ok.
Note: It is strongly advised that device tuning only be carried out after consulting
with Radware Technical Support.
SYN Table Tuning
SYN tables are used to define the SYN Flood protection. SYN Flood protection tuning
parameters are presented in Table 31 on page 309.
Table 31: SYN Table Tuning

Platform and memory configurations (the Max Value given for each parameter applies to each of them):
  AS II: 256MB
  AS III: Mstr 256MB / Accl 512MB; Mstr 256MB / Accl 1024MB; Mstr 512MB / Accl 512MB; Mstr 512MB / Accl 1024MB

Parameter: SYN Protection Table
Description: Stores data regarding the delayed binding process. An entry in the table exists from the time the client completes the handshake until the handshake is complete.
Max Value: 1000000

Parameter: SYN Protection Requests Table
Description: Stores the ack or data packet that the client sends, until the handshake with the server is complete and the packet is sent to the server. The Requests table and the SYN Protection table must be about the same size; the Triggers table should be much smaller.
Max Value: 32000

Parameter: SYN Protection Triggers Table
Description: Stores the active triggers, that is, the destination IPs/ports on which the device identifies an ongoing attack.
Max Value: 100000

Parameter: SYN Protection Policies Table
Description: Stores policies that control the SYN protection behavior for different types of traffic. For each traffic type the user can configure whether to: a) always apply SYN protection; b) apply SYN protection only when an attack is detected; c) never apply SYN protection.
Max Value: 4096

Parameter: SYN ACK Reflection IPs Table
Description: The amount of SYN packets per second that are sampled and whose source IP is to be monitored.
Max Value: 100000

Parameter: Session Table L3 SYN Flood Reports
Description: Keeps track of application security reporting of SYN flood attacks for the Session Table in Layer 3. Currently the parameter is not used.

Parameter: Session Table SYN Triggers Creation
Description: Counts incomplete TCP sessions for detecting SYN Floods from the Session Table.
Max Value: 100000
To define the SYN Flood Protection tuning parameters:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window
appears.
2. From the LinkProof Setup window, select Global > SYN Flood Protection Settings
and click Edit Settings. The SYN Flood Protection Settings window appears.
3. From the SYN Flood Protection Settings window, set the tuning parameters as explained
in Table 31 on page 309 and click Apply > Ok.
Note: It is strongly advised that device tuning only be carried out after consulting
with Radware Technical Support.
Security Events
This section describes security events, event reporting, and the list of event details.
This section includes the following topics:
• Events and Event Reporting, page 311
• Event Details, page 311
Events and Event Reporting
Events include errors and security events (attacks or protocol anomalies). A device can be
configured to send information about an event whenever a security event takes place. For
every security event detected by the device, information can be generated using the
following reporting channels:
• Local Alerts, which appear in the Alerts table.
• Security Log entries, which are saved in flash memory.
• SNMP traps, which can be sent to APSolute Insite and a management station.
• Syslog messages, which can be sent to a Syslog station.
• E-mail messages, which can be sent to specific users.
Reporting channels are configured individually, then enabled through the LinkProof main
application window.
Event Details
Table 32 on page 311 summarizes the event parameters. Devices send the following types of
information about a security event (attack):
Table 32: Events Parameters
Risk: The severity of the risk, either high, medium or low.
Date/Time: The date and time when the report was generated.
Attack Name: The name of the attack that was detected.
Physical Port: The actual port on the device from which the attack arrived.
Action: The attack action.
Category: The category of the attack: Anomalies, AntiScanning, DOS, Intrusion.
Protocol: The transmission protocol used in the attack: TCP/UDP/ICMP/IP.
Source Address: The IP address from which the attack arrived.
Source Port: TCP/UDP source port.
Destination Address: The IP address to which the attack is destined.
Destination Port: TCP/UDP destination port.
Radware Attack ID: Radware’s unique identifier of the attack.
Packet Count: The number of packets in the attack.
Packet Bandwidth: The bandwidth of the attack since the latest trap was sent (KByte).
Status: The status of the attack: occur, start.
Device IP: The IP address of the device with which the attack is associated.
Reporting Channels
This section describes the different reporting channels and how to configure them.
Sending Traps
Traps can be sent from the device to any computer that you choose. You must enable the
device to send SNMP traps to other computers, for example to the management station, by
defining the computers as targets.
Trap Notification is set up through the device’s Target Address table. For example, to ensure
that the management station receives traps, enter its IP address into the Target Address
table. You can specify SNMP parameters and select which type of notification it will receive.
In the Community Table, you can designate that specific users have access to the traps.
After configuring the device to send SNMP traps, enable the device to start sending traps.
These procedures are explained in Chapter 2, see Configuring SNMP, page 29.
To enable the device to send security traps:
1. From the main window, select Security. The Connect and Protect Table appears.
2. From the Connect and Protect Table, click Settings. The Security Reporting window
opens.
3. In the Application Security Parameters area, ensure that Traps Sending is enabled.
Click Apply to enable.
E-mail Traps
E-mail traps can be sent to specific users in a similar manner to the way in which SNMP
traps are sent.
To enable the device to send e-mail security traps:
1. From the main window, select General > Preferences. The Management Preferences
window appears.
2. From the Management Preferences window, click Trap and SMTP. The Trap and
SMTP pane appears.
3. From the Trap and SMTP pane, ensure that you provide the IP address for your SMTP
server. Set the relevant parameters including:
• Send E-mails on Errors: Select if you want to send an e-mail alert when an operational
error occurs on the device.
• One Trap: Generate only one trap per event.
4. From the main window, click Security. The Connect and Protect Table appears.
5. From the Connect and Protect Table, click Settings. The Security Reporting window
appears.
6. From the Security Reporting window, in the Application Security Parameters area,
ensure that E-mail Sending is enabled.
7. Click Apply to enable.
Logging
When the device recognizes security events, they are logged in an all-purpose cyclic Log
File. The device’s Log File can be obtained at any time, but is of limited size. When the
number of entries is beyond the permitted limit, the oldest entries are overwritten. You are
notified regarding the status of the Log File utilization. The notifications appear when the file
is 80% utilized, and 100% utilized.
To start the logging process, configure one or more devices to perform logging.
To configure a device to perform event logging:
1. From the main window, click Security. The Connect and Protect Table window appears.
2. From the Connect and Protect Table, click Settings. The Security Parameters window
appears.
3. From the Security Parameters window, in the Application Security Parameters area,
ensure that Logging is enabled. The Attacks DB Version field displays the version
number used for the local attack log database.
4. Click Apply.
Note: Information in the Log File can be viewed by downloading it at the
management station into a file.
To download the Log File at the management station:
1. From the main window, click Security. The Connect and Protect Table window appears.
2. From the Connect and Protect Table, click TFTP Log. The Download Log File window
appears.
3. From the Download Log File window, enter the name you wish to assign to the file in the
File Name text box.
4. Click Browse to select the directory where you require the file to be saved.
5. Select the External TFTP Server IP Address checkbox to specify the IP address for an
external TFTP server. To use the default TFTP server, clear this checkbox.
6. Optionally, enable Clear Log File After Receive to clear the log file once the download
is completed.
7. Select one of the option buttons, HTML, Excel, or Advanced, to select the format in
which you want to export the Log File. If you select the Advanced option button, click
Advanced Settings. The Attacks Reports window appears.
8. From the Attack Reports window, select the categories by which the report is filtered:
— Attack: The attack that you want to appear in the report. You can select the attack
from the drop-down list that contains all the attacks that were recognized by the
device. If the Attack checkbox is not selected, the report includes all the attacks.
— Source IP: The range of Source IPs from which the attacks arrived that you want to
appear in the report.
— Destination IP: The range of Destination IPs to which the attacks are targeted that
you want to appear in the report.
— Attack Date: The range of dates in which the attacks were recognized by the device.
9. Select the checkboxes from the Select Fields section to define the fields displayed in the
report.
10. Click Create Top 10 Graph and choose an item from the drop-down list to create a
graph of the 10 most frequently mentioned items in the report.
11. Click Ok to close the Attacks Reports window.
12. Click Receive. The Log File is downloaded and the status of the download is displayed.
Tip: You can access logged security events via Security Reports.
Syslog messages can be sent to a syslog station in a similar manner to the way SNMP traps
are sent.
To configure the device to send syslog messages:
1. From the main window, select General > Management Preferences > Device
Access. The Device Access pane appears.
2. From the Device Access pane, in the SysLog Reporting area, enter the IP address of the
device running the syslog service (syslog) in the Syslog Station Address field.
3. Select the Syslog Operation checkbox to enable syslog reporting.
4. Click Apply to implement your changes and click Ok to close the window.
Security Reports
This section includes explanations of security reports, attack reports, executive reports and
how to generate them, and an explanation of the dashboard.
This section includes the following topics:
• Security Reports Overview, page 314
• Security Reports Main Window, page 316
• Generating Attack Reports, page 320
• Attack Logs, page 325
• Executive Reports, page 330
• Dashboard, page 331
Security Reports Overview
Security Reports provide you with graphs, views and tools to understand attack activity and
its impact on your network. You can view attack activity over time, types of attacks, the
attack risk level, attack bandwidth, and attack sources and destinations.
How Data Is Gathered
You must initially select a LinkProof device, or group of devices, in order to generate data for
the reports. LinkProof devices monitor attack activity. When the LinkProof device detects an
attack, the security model logs data about a “security event.” A security event fits
predefined attack profiles.
Once reporting channels are configured, the device starts sending information about
security events to the management station via SNMP Traps. The management station
(running APSolute Insite) stores security event data and packet information in a local
database. This information is used to create Security Reports that provide the information
about the security events, see Events Parameters, page 311.
Security Monitoring Tools
Security monitoring tools include:
• Generating Attack Reports, page 320
• Attack Logs, page 325
• Executive Reports, page 330
• Dashboard, page 331
Each focuses on different types of analysis requirements.
Figure 49, View of an Attack Report, page 315, shows the Attack Reports Desktop, which
allows you to access all the reporting options.
Figure 49 - View of an Attack Report
In contrast, you can view individual security events via the Attack Logs. See Attack Logs,
page 315.
Attack Reporting
Attack reports show you attack performance and impact on your network in a graphical
layout. These historical reports show you attack activity over time. You can quickly view the
top ten attacks to the system and how they change over a specified period. Attack reports
are created using information selected from security event logs.
Radware provides a set of predefined reports. Use these reports to examine the type of
attacks affecting your defined network, and their volume, bandwidth or severity. These
reports can be drilled down for further details.
Along with predefined reports that provide preconfigured types of network analysis, you
can set filtering parameters to select your own parameters for viewing attack activity.
Create graphs for high-level or drill-down views of network attacks. Reports can be tailored
to specific reporting needs by creating customized filters.
Attack Logs
Attack Logs display individual security events in a tabular format. The logs even allow deep
drill-down to the packet level itself.
Whereas Attack Reports display the overall attack activity, the Attack Logs allow you to
investigate individual security events. For further information about Attack Logs refer to
Attack Logs, page 325.
Figure 50 - Attack Logs
Dashboard
The Security Dashboard provides you with a real-time attack view displaying the most recent
attack activity in the defined network. The Security Dashboard also provides extracts of key
Attack Reports and the immediate performance of specific attacks. These reports graph the
most intensive (top) attacks by packet volume.
The Security Dashboard can be refreshed at user-defined intervals (every 2 minutes or
more). You may also select the period to display the data (the last hour, last 2 hours, and so
on). For further information on the Security Dashboard feature refer to Dashboard,
page 331.
Note:
The Security Dashboard view is not available when multiple devices are
selected.
Security Reports Main Window
Security Reports provides two methods of viewing and defining reports: Attack Logs and
Attack Reports.
To view the Security Reports main window:
From the main window, click the Security Reports tab. The Security Reports main
window appears.
Viewing Attack Logs
The Attack Logs window displays the security events in your network. For each security
event, detailed information is displayed in the attack log. The attack log allows you to view
the complete log of security events that have been reported in your network.
To view the Attacks Logs window:
1. From the main window, click the Security Reports tab. The Security Reports main
window appears.
2. From the Security Reports window, select the Attack Logs tab. The Attack Logs window
appears, which includes the following features:
— Attack Logs main toolbar
— Attack Logs main display area
— Log Views
— Log Custom views
Attack Logs main toolbar
The Attack Logs main toolbar includes the following features:
• Device: From the device drop-down list you may select the relevant device for which to
view reports. Note: Only devices for which traps were collected appear on this list.
• Calendar: Clicking on the calendar button allows you to set the date and time period of
the reports to be viewed. Alternatively you may use the From and To buttons.
• Display: Clicking the Display button allows you to see the type of attack depending on
what was selected from the Log views list.
• Open New Window: Allows you to display the graph in a separate window by checking
the “Open New Window” check box.
• Clear All: Clears all the entries from the Attack Log table. Once the button is pressed, a
confirmation message appears, requesting the user to confirm the deletion of the Attack
Log entries.
• Delete button: The Delete button enables you to delete the selected log file. You may
also delete multiple log files by selecting numerous log files and then clicking the Delete
button.
• Export button: Clicking on the Export button generates a report according to the type
of report defined and then automatically saves it to an appropriate file that is located in
the same location as the installation file.
Attack Logs main display area
The Attack Logs main display area provides a list of individual security events in a tabular
format. The logs even allow deep drill-down to the packet level itself.
Log Views
Log views allow you to determine the type of attack log you wish to view, either:
• All Attacks
• High Risk
• Medium Risk
• Low Risk
• Intrusions
Log Custom Views
Custom Log Views allow you to create your own custom made log view filter according to
type, condition and arguments.
Note:
For further details on Attack Logs and how to view and configure them refer to
Attack Logs, page 325.
Viewing Attack Reports
The Attack Reports main window allows you to view custom reports according to your
requirements.
To view the Attack Reports main window:
From the main window, click the Security Reports tab. The Security Reports main
window appears.
The Attack Reports main window includes the following features:
• Attack Reports Main Toolbar
• Attack Reports Main Display Area
• Reports List
• Report Custom Views
Attack Reports Main Toolbar
The Attack Reports main toolbar includes the following features:
• Device: From the device drop-down list you may select the relevant device for which to
view reports.
• Calendar: Clicking on the calendar tab allows you to set the date and time period of the
reports to be viewed. Alternatively you may use the From and To buttons.
• Display: The Display drop-down list allows you to set the type of report to be displayed,
according to either:
— Bar display
— Plot display
— Pie display
• Open New Window: Allows you to display the graph in a separate window by checking
the “Open New Window” check box.
• Show: Clicking on the Show button displays the type of Report according to what was
selected in the Display and calendar.
• Dashboard: Clicking on the Dashboard button allows you to view immediate attack
activity rather than activity over time. The Dashboard displays the most recent attack
activity in the defined network. Information is constantly refreshed according to a
configurable refresh rate. The Dashboard also provides extracts of key Attack Reports
and the immediate performance of specific attacks. These reports graph the most
intensive (top) attacks by packet volume.
• Export: Clicking on the Export button allows you to generate reports according to
various formats and export the reports to a reports file located on your local station. For
example: C/Program Files/CWI_1.55.03/Configware Insite/UserFiles/
StatisticReports/18-10-2004_09_14_57.html
Export display options include:
— HTML: Allows you to export a report in HTML format.
— Excel: Allows you to export a report in Excel format.
— Advanced Export: Allows you to produce a report according to:
  — Top ten Attackers per Target
  — Top ten Targets per Attacker
• Executive Reports: Executive Security reports can be generated and exported in HTML
format. Executive Reports can allow the generation of reports that are composed of
more than one report graph, see Executive Reports, page 330.
Attack Reports Main Display Area
The Attack Reports main display area displays the current device icon and its IP address.
Reports List
The Reports list provides you with a list of security attacks. Predefined Attack Reports help
you to explore Security attack patterns over time. Radware has created predefined reports
for specific types of attack analysis. Attacks can be ranked by volume and by type. See
Predefined Attack Reports, page 321.
Predefined reports also include reports for groups of attacks, or attacks relating to a specific
module including:
• Intrusions
• DoS
• Anomalies
• Anti-Scanning
Report Custom Views
The Report Custom Views feature provides advanced filtering capabilities for both the
Security Reporting and Attack Logs tables. The filtering capabilities allow you to apply
multiple filters to the same data, set a Filter Condition, and introduce a new Filter Type to
the filter list. For example, it is possible to define two filters (one according to Time and one
according to Action) and apply them both to the same graph.
Note:
For further information on Attack Reports refer to Generating Attack Reports,
page 320.
Generating Attack Reports
Attack Reports are generated using logs of security events, and comprise graphical analysis
of attack statistics. Radware provides predefined reports, each of which focuses on a specific
type or set of attacks.
Each Attack Report graph can be further drilled down for greater granularity. Double-clicking
on a section of the graph provides you with the list of events that generated that area of the
graph. Reports can also be customized for specific reporting needs by creating customized
views. A view is generated by applying a filter to a predefined report. These customized
views (filters) are saved and may be regenerated whenever needed.
Reports can be exported to XML, HTML or Excel formats for future reference, or for analysis
using external tools.
Before You Start
Before you start using Attack Reports, ensure that you have enabled security event
reporting at the device. You must enable the device to send SNMP traps to the management
station (running APSolute Insite).
You must specify that your management station is the target for SNMP traps, and then start
sending the traps. For explanations about how to enable your device to start sending traps,
see Chapter 2 Configuring SNMP, page 29.
Recording Security Traps
Once you have configured the device to send traps, you must enable the management
station to receive and record the security traps.
Security traps are recorded into a local database. This database information is then used to
create Security Reports. Collection of the security traps is enabled by default when APSolute
Insite is launched. APSolute Insite continues to record traps until you stop this process.
To stop security trap recording:
From the main window, select SynApps > Stop Recording Security Traps. The local
database retains the information already collected.
Accessing Attack Reports
Once you configure the device to send traps, and enable the management station to receive
them, you are ready to generate reports.
To access Attack Reports:
From the main window, click the Security Reports tab. The Attack Reports window
appears, initially containing a map of the defined network. Once a report is generated, it
is displayed in the main panel of the desktop.
Selecting a Device
In order to gather information for Security Reports, a device or group of devices must be
selected to generate data. This is because LinkProof devices monitor attack activity, and
once a device is selected, the Security Report knows from which source to draw data.
Using the Security Reports tab desktop, you can select one or more LinkProof devices,
whose security event logs are used to analyze attacks to your defined network.
To select a device or group of devices:
1. From the main window, select Security Reports. The Security Reports main window
appears.
2. From the Device drop-down list, select the device for which the reports are generated.
Note: The Device drop-down list contains a list of all the devices on the site map.
3. To select a group of devices, click the icon. The Elements Selection window appears.
From the Elements Selection window, select the devices for which you want to generate
the report and click OK.
Predefined Attack Reports
Predefined Attack Reports help you to explore Security attack patterns over time. Radware
has created predefined reports for specific types of attack analysis. Attacks can be ranked
by volume and by type. Predefined reports also include reports for groups of attacks, or
attacks relating to a specific module.
Predefined reports allow you to focus attention on specific threats. Attack information is
presorted, with the most important security event information plotted in easily read charts,
for your convenience.
The following predefined Attack Reports are available:
• Top Attacks: Graphs the top ten attacks, according to packet count per attack.
• Top Attacks by Category: Graphs the top ten attack groups (Intrusions, DoS,
Anomalies, SYN Floods, and Anti-Scanning), calculated according to packet count per
group.
• Top Attack Targets: Graphs the top ten attack target destinations per IP Address.
• Top Attack Sources: Graphs the top attacks according to attack sources per IP
Address.
• Top Attack Targets Bandwidth: Graphs the top ten attacks by Bandwidth
Consumption.
• Number of Attacks Over Time: Graphs the changes in the total number of attacks over a
specified time period.
• Attacks by Severity: Graphs the attacks ranked by severity of risk (High/Medium/
Low) by displaying a breakdown of all attacks over a set period of time according to the
attack severity.
• Top Attacks by Module: Graphs the top ten policies in use, ranked by packet volume
per policy, per module (Intrusions, DoS, Anomalies, SYN Floods, and AntiScanning).
Creating and Using Predefined Reports
Once you decide which report you want to generate, use the Report List to create the
reports. The Report List allows you to quickly select a predefined report.
To generate a predefined report:
1. From the main window, select Security Reports. The Security Reports main window
appears.
2. From the Security Reports window, select one or more devices from which the report is
generated.
3. Specify the time frame for the report, using the From and To selection boxes or the
Calendar.
4. Select the display parameter from the Display drop-down box (Pie, Plot, or Bar).
— Bar: A regular bar presentation, with the parameters presented one next to the other.
— Plot: The values are represented by dots that are connected by lines.
— Pie: Available for top attack reports.
Note: The options displayed vary according to the type of report selected.
5. Select a report from the Report List, such as Top Attack Targets. By default, Top
Attacks is selected.
6. Now that all the basic report parameters have been selected, click Show. Your report is
generated and displayed in the desktop.
Report Display Formats
Reports can be displayed in several chart formats: Pie, Plot or Bar. The options vary
according to the type of report selected.
Changing from one chart type to another is simple. For example, it is possible to view the
Top Ten Attacks report as a pie chart, where each attack is shown as a percentage of the
overall volume of attacks, or as a bar chart, where each attack is displayed with packet
count volume.
To configure the display parameters:
1. From the main window, select Security Reports. The Security Reports window appears.
2. From the Display drop-down list, select a display option:
— Bar: A regular bar presentation showing attacks by volume.
— Plot: Attacks by volume are represented by dots that are connected by lines.
— Pie: Available for top attack reports, showing individual attack types and their volume as a percentage of the total attack volume.
3. Click Show to redraw the chart.
Drill Down Security Event Data
Once you have created a report, you can drill down to the security events that relate to a
particular attack. For example, you can choose a pie section, or a bar in the bar chart, and
view the security events which created the attack.
To drill down into your report data:
1. From the main window, select Security Reports. The Security Reports window appears.
2. From the Display drop-down list, select a chart type (Bar, Pie, or Plot) and click Show. The report is displayed.
3. Double-click a bar, a pie section, or a plot node. A list of the security events that make up that item appears in a separate HTML page. The events list can be sorted by clicking the top of any column.
Comparing Reports
Having created a report, you may want to compare it with another type of attack analysis. If
you want to preserve the first report’s data temporarily, you can open the new report in a
new window.
Or, you can save your report by exporting it to a file, then creating the new report. Then,
you can examine the old report data at any time.
If you generate a report in the same window, the previous report graph is overwritten in the view. However, all the original data is still available in the log.
Once you have generated your report, you can export it to a file.
To save your report:
1. From the main window, click Security Reports. The Security Reports window appears.
2. From the Security Reports window, click Export.
3. Select whether to export the file in XML, HTML or Excel format. The report is saved and available for future examination.
To open a new report in another window:
1. From the main window, click Security Reports. The Security Reports window appears.
2. Select the device and define the display as previously mentioned.
3. Click Open New Window in the toolbar.
4. Click Show. The new report is launched in a separate window.
Customizing Attack Reports
You can customize your analysis of attack data by creating customized views. The
customized view employs a user designed filter to narrow analysis on a predefined report
further. For example, after generating a report of Top Attacks, you may want to narrow the
findings to activity on a particular subnet. You may also want to create a customized view
for frequent use, such as for a time range to apply to all reports generated for the current
month.
In the customized view the Security Reports are filtered according to the parameters of the
security event, see Events Parameters, page 311. Each customized view presents the attack
data according to the corresponding event parameter.
Once you have created a custom view, it appears in the Report Custom Views list. To
apply the custom view’s filter, simply click the name of the view as it appears in the list.
To create and apply a Custom view:
1. From the main window, click Security Reports. The Security Reports main window
appears.
2. From the Security Reports main window, select Report Custom views.
3. From the Report Custom Views pane, click Add. The Add Report View Filter window
appears.
4. From the Add Report View Filter window, in the Filter Name text box, enter a name for
the custom view, such as “January.”
5. From the Filter Type drop-down list, choose the type of filter you want the custom view
to use, such as Date & Time.
6. From the Filter Arguments area, fill in the relevant information, such as a starting and ending date and time for the report, and click OK. The new custom view appears in the Report Custom Views area with the name you gave it. Click the view to apply it.
7. Define the report parameters and click Show. The custom view's filter is applied.
To create a report for a subnet:
1. From the main window, click Security Reports. The Security Reports main window
appears.
2. From the Security Reports toolbar, specify a device and a time frame for your report.
3. From the Report List, select a desired report, such as Top Attacks.
4. To examine the impact of the top attacks on a specific network segment, you must
create a custom view and apply it to the report.
5. From the Report Custom Views area, click Add. The Add Report View Filter window appears.
6. From the Filter Name text box, enter a name for the filter, such as “Tokyo Financial Subnet.”
7. From the Filter Type drop-down list, choose Subnets.
8. From the Filter Arguments area, fill in the IP ranges for the subnets to be inspected. To filter for attacks originating from a particular network segment, fill in the source IP range. For attacks directed at a network segment, fill in the destination IP range. When finished, click OK.
9. In the Report Custom Views area, the new view appears with the name “Tokyo Financial Subnet”. Click it to apply this custom view.
10. From the toolbar, click Show. The new report is generated and displayed.
To edit a custom view and apply it:
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Report Custom Views area, select a filter and click Edit. The Edit Report View Filter window appears.
3. You can change the name, select a different Filter Type, and/or change the parameters in the Filter Arguments area.
4. Click OK.
5. From the Report Custom Views area, click the view to apply it and define the report parameters.
6. Click Show. The view is filtered.
To remove a custom view (filter):
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Report Custom Views area, select a Filter.
3. Define the report parameters.
4. Click Show. The report is generated without a filter.
Attack Logs
The Attack Log displays the security events in your network. For each security event, detailed information is displayed in the attack log. The attack log allows you to view the complete log of security events that have been reported in your network.
For the description of the event’s parameters that are presented in the Attack Log table, see
Events Parameters, page 311.
Required Setup
In order to create the attack logs, ensure that you have enabled the LinkProof device to
send traps to the management station. This procedure is explained in: Before You Start,
page 320.
Once the device is configured to send traps to the management station, enable your
management station to record security events. The procedure is explained in: Recording
Security Traps, page 320.
Enable Logging at the Device
After the device and management station are set up, once the device sends security event
information to the management station, security events are recorded in the local database.
You can then start examining the Security Event Log.
To select a device:
1. From the main window, click Security Reports. The Security Reports main window
appears.
2. From the Security Reports main window, select Attack Logs. The Attack Logs pane appears.
3. You must specify a device, or group of devices, that will be used to generate the local security event database. If you have already specified a device, it will be the default setting. Otherwise, in the toolbar (at top) select a device from the Device drop-down list box.
4. To select a group of devices, click the icon. The Elements Selection window appears. From the Elements Selection window, select the devices for which you want to generate the report and click OK.
Notes:
i. The Attack Log view in the desktop displays all security events in a table for centralized attack management. Details for each security event are displayed in columns, and the attack log can be sorted by double-clicking a column header.
ii. The Attack Log view can be narrowed to specific types of data using predefined views, to show attacks corresponding to specific levels of risk, or to type of attack. Or, you can create customized views, using selected filters, to examine specific types of attack information.
iii. The attack log displays only the security events that match the selected filter.
Working with the Attack Log View
Predefined views have been created for specific types of attack analysis. By default, the log view displays security events for all attacks. However, you may prefer to filter the log so that only security events of a given risk factor are shown, or so that the view shows only security events corresponding to one type of attack, such as Intrusions, DoS, Anomalies or Anti-Scanning attacks.
To apply a predefined filter to the Attack Log:
1. From the main window, select Security Reports. The Security Reports main window appears.
2. Click Attack Logs. The Attack Logs pane appears.
3. From the Attack Logs pane, select a predefined filter from the Log View panel, such as Intrusions. The log view is filtered to show only the entries which match your selection.
Upon opening a log, it is possible to sort the view by clicking on any column header. It is also possible to delete security events which are deemed unimportant to keep in the local database.
To delete events from the Attack Log:
1. From the main window, select Security Reports. The Security Reports main window appears.
2. Click Attack Logs. The Attack Logs window appears.
3. Select one or more security events in the log view.
4. Click Delete from the toolbar.
Viewing Attack Descriptions
To drill down further, click a security event line. An attack description (taken from the Attack
Database) is displayed for the particular event, in the lower panel of the desktop, as shown
in Viewing Attack Descriptions., page 327.
Figure 51 - Viewing Attack Descriptions
Table 33 on page 327 summarizes the information displayed in the Attack Description panel.
Table 33: Attack Description
Name: The name of the attack that was detected.
Attack Description: A detailed description of the attack.
False Positives: The identifying characteristics of the attack.
Known Issues: The current information that is known about the attack.
Recommended Network Settings: The recommended settings to counteract the attack.
Packet information includes:
• Source
• Destination
• Protocol
• Source Port
• Destination Port
• Length
• Bandwidth
For multiple packets, the scroll menu allows navigation between data captures.
To display packet details for a security event:
1. From the main window, click Security Reports. The Security Reports main window
appears.
2. From the Security Reports main window, select a security event.
3. Click Packets. The packet contents and information is displayed in the bottom panel.
Working with Custom Log Filters
To narrow the log view according to your needs, create a Customized Log Filter, which allows you to analyze security events with maximum flexibility.
It is possible to filter the log messages according to customized views. You can create Custom Log Filters using the following filter types:
Table 34: Customized Log Filters
Date and Time: Filters according to the time at which an event was logged.
Subnets: Filters according to the source or destination network of the event.
Attack Name: Filters according to the name of the attack.
Category: Filters according to the attack category.
Risk: Filters according to the attack risk, one of: High Priority, Medium Priority, Scheduled, Closed, False Positive.
Radware ID: Radware-defined filters.
Protocol: Filters according to the transport protocol, either TCP, UDP or ICMP.
Source Port: The TCP/UDP source port.
Destination Port: The TCP/UDP destination port.
Physical Port: The physical port on the device.
Status: Filters according to the event status.
Action: Filters the graph/logs according to the action performed on the attack. The possible values for the Action filter type are Drop or Forward.
To create a log filter:
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, select Attack Logs. The Attack Logs window appears.
3. From the Log Filters panel, click Add. The Add Log View Filter window appears.
4. From the Filter Name text box, enter a name for the filter, such as “Saturday Attacks.”
5. From the Filter Type drop-down list box, choose the type of filter category, such as Date & Time.
6. From the Filter Condition drop-down list, define whether the filter definition is equal or is not equal to the data being filtered.
7. From the Filter Arguments area, fill in the relevant information, such as a starting and ending date and time for the report. For example, specify that you want to examine events from 7 p.m. to midnight. Then click OK.
8. From the Log Filters area, the new filter appears with the name you assigned it. Check that it is correct and click Apply to apply this filter.
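The following is an added example, not part of LinkProof or APSolute Insite, showing what the Attack Log filters of Table 34 and the Top Attacks predefined report compute when applied to a set of security events. The Event fields, the sample events and the argument shapes accepted by each filter type are constructed for this example; the product's real event schema is not shown on this page, and combining several filters at once is this example's extension (the GUI applies one filter at a time).

```python
"""Attack Log filtering and a Top Attacks roll-up over constructed events.

Added example, not part of LinkProof or APSolute Insite. The Event fields and
the sample events are constructed to mirror the filter types in Table 34.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    time: datetime
    name: str
    category: str
    risk: str        # High / Medium / Low
    protocol: str    # TCP / UDP / ICMP
    src: str
    dst: str
    src_port: int
    dst_port: int
    action: str      # Drop / Forward
    packets: int


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
EVENTS = [
    Event(datetime(2008, 7, 12, 19, 5), "SYN Flood", "SYN Floods", "High", "TCP",
          "203.0.113.7", "192.0.2.10", 40001, 80, "Drop", 12000),
    Event(datetime(2008, 7, 12, 19, 40), "Port Scan", "Anti-Scanning", "Medium", "TCP",
          "203.0.113.7", "192.0.2.11", 50210, 22, "Drop", 300),
    Event(datetime(2008, 7, 12, 21, 15), "SYN Flood", "SYN Floods", "High", "TCP",
          "198.51.100.3", "192.0.2.10", 40777, 443, "Drop", 8000),
    Event(datetime(2008, 7, 12, 23, 55), "ICMP Flood", "DoS", "Medium", "ICMP",
          "198.51.100.9", "192.0.2.20", 0, 0, "Forward", 2500),
    Event(datetime(2008, 7, 13, 1, 0), "HTTP Anomaly", "Anomalies", "Low", "TCP",
          "192.0.2.77", "192.0.2.10", 33000, 80, "Forward", 40),
]


def make_filter(filter_type, argument, condition="equal"):
    """Build one predicate from a Filter Type, its Filter Arguments and the
    Filter Condition ("equal" or "not equal"), as in the Add Log View Filter
    window. Argument shapes (an assumption of this example):
      Date and Time                 -> (start_iso, end_iso), inclusive
      Subnets                       -> ("source" | "destination", "a.b.c.d/len")
      Source Port, Destination Port -> int
      everything else               -> the string value to compare
    """
    def positive(e):
        if filter_type == "Date and Time":
            start, end = (datetime.fromisoformat(s) for s in argument)
            return start <= e.time <= end
        if filter_type == "Subnets":
            side, cidr = argument
            addr = e.src if side == "source" else e.dst
            return ip_address(addr) in ip_network(cidr)
        field = {
            "Attack Name": "name", "Category": "category", "Risk": "risk",
            "Protocol": "protocol", "Source Port": "src_port",
            "Destination Port": "dst_port", "Action": "action",
        }.get(filter_type)
        if field is None:
            raise ValueError(f"unsupported filter type: {filter_type!r}")
        return getattr(e, field) == argument

    if condition == "equal":
        return positive
    if condition == "not equal":
        return lambda e: not positive(e)
    raise ValueError(f"unsupported condition: {condition!r}")


def apply_filters(events, filters):
    """Events that satisfy every filter (filters are ANDed)."""
    return [e for e in events if all(f(e) for f in filters)]


def top_attacks(events, n=10):
    """Top Attacks report: attack names ranked by total packet count."""
    counts = Counter()
    for e in events:
        counts[e.name] += e.packets
    return counts.most_common(n)


if __name__ == "__main__":
    evening = make_filter("Date and Time", ("2008-07-12T19:00", "2008-07-12T23:59:59"))
    fin_subnet = make_filter("Subnets", ("destination", "192.0.2.0/28"))
    for name, packets in top_attacks(apply_filters(EVENTS, [evening, fin_subnet])):
        print(f"{name:14s} {packets:>8d}")
```

Run as written, the script prints the 7 p.m. to midnight attacks against the 192.0.2.0/28 segment ranked by packet count. Swapping "destination" for "source" in the Subnets argument reproduces the source-range variant described for the Tokyo Financial Subnet view.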
To edit a log filter:
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, select Attack Logs. The Attack Logs pane appears.
3. From the Log Filters area, click the filter you want to change, then click Edit. The Edit Log View Filter window appears. You can change the name, type of filter, and/or filter details.
4. Click OK.
Saving the Attack Log to a file
When the device recognizes security events, they are logged in an all-purpose cyclic Log
File. The device’s Log File can be obtained at any time, but is of limited size. This Log File
can be downloaded to a file in Excel or HTML format. It can also be filtered for specific types
of attacks before being downloaded.
To save the log to a file:
1. From the main window, click Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, select Attack Logs. The Attack Logs pane appears.
3. From the Attack Logs pane, click TFTP Log. The Download Log File window appears.
4. From the File Name text box, enter the name you want to assign to the file. Click Browse to select the directory where you require the file to be saved.
5. If you want to use an external TFTP server, select the External TFTP Server IP Address checkbox. This enables the adjacent field, in which you can enter the IP address of the machine running the server. If you use an external TFTP server, the log file is saved in the location configured in that server. To use the default TFTP server, clear the checkbox.
Note: TFTP provides neither authentication nor encryption, so the log file travels in cleartext. Run the TFTP server on a trusted management network and restrict which hosts may reach it.
6. Select Clear Log File After Receive if you want to clear the device's log file once the download is completed.
7. To select the format in which you want to export the Log File, select one of the option
buttons, HTML, Excel, or Advanced. The Advanced setting allows you to create a
custom filter for the downloaded log.
8. If you select the Advanced option button, click Advanced Settings. The Attacks
Reports window appears.
9. From the Attacks Reports window, select one or more categories used to filter the report from the “Filter by” pane. Data can be filtered via the following categories:
Attack: Select a specific type of attack from a drop-down list of all the attacks recognized by the device. If the Attack checkbox is not selected, the report includes all attacks.
Source IP: You can specify a range of Source IPs from which attacks arrived.
Destination IP: You can specify a range of Destination IPs to which the attacks are targeted.
Attack Date: Specify a range of attack dates.
10. From the Selected fields pane, select the relevant fields that you want to include in the log file:
— Attack Name
— Source IP
— Destination IP
— Date and Time
11. To create a graph of the ten most frequently mentioned items in the report, select the Create Top 10 Graph by checkbox and select an item from the drop-down list, which includes:
— Source
— Destination
— Attack
12. Click OK. The Attacks Reports window closes.
13. Click Receive. The Log File is downloaded from the device and the status of the
download is displayed.
Executive Reports
Executive Security reports can be generated and exported in HTML format. An Executive Report is composed of more than one report graph, and can include one or more of the following reports:
• Top 10 Attacks - Displayed as a pie chart and a list of the top 10 attacks and their packet count.
• Top 10 Attack Sources - Displayed as a pie chart and a list of the top 10 attack sources and their packet count.
• Top 10 Attack Source and Destination - Displayed as a pie chart and a list of the top ten attack source and destination pairs and their packet count.
• Top Attack Destinations - Displayed as a pie chart and a list of the top 10 attacked destinations and their packet count.
• Attacks by Category - Displayed as a pie chart and a list of the top 10 attacks including their category (Intrusions, Anomalies, etc.) and packet count.
• Attacks by Risk - Displayed as a pie chart and a list of the top 10 attacks including their risk and packet count.
To generate an Executive Report:
1. From the main window, click Security Reports. The Security Reports window appears.
2. From the Security Reports window, click Export and then, from the drop-down list, click Executive Reports. The Executive Reports window appears.
3. From the Executive Reports window, choose the required report by selecting the checkbox beside its name.
4. Set the time frame for the report. The time frame can be either the "last day", "last week" or "last month". Note that the time frame is relative to the current date of the station running APSolute Insite.
5. Click Generate Now. The report is saved in the APSolute Insite\Userfiles folder (relative to the installation path).
Printing Executive Reports
Internet Explorer typically is not set to print background colors or images, including table cell colors.
To enable background colors and images when printing Executive Reports:
1. From your browser's tool bar, select Tools > Internet Options. The Internet Options window appears.
2. From the Internet Options window, click the Advanced tab. The Advanced pane appears.
3. From the Advanced pane, select the Print Background Colors and Images checkbox. This setting affects both page backgrounds and table cell backgrounds.
Dashboard
The Security Dashboard provides a real-time tool for examining the activity in your network
system. This view is automatically refreshed at a selectable rate, to provide ongoing real-time analysis of the system.
The Security Dashboard also provides a live moving radar, on which attacks can be viewed
as they occur. The attacks are presented according to their severity and number of
occurrences.
To view the Dashboard:
1. From the main window, select Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, click Dashboard. The Dashboard appears as shown in Figure 52, Dashboard Desktop.
Figure 52 - Dashboard Desktop
Dashboard Layout
The Dashboard has two panels. To the left is the Top Security Attacks Radar, which displays
the most intensive attacks currently in the system. To the right are four graphs which graph
the top attacks in the defined network, and their severity. These four graphs provide a more
comprehensive picture of real-time attacks to the system by mapping the following:
1. Total Number of Attacks: Shows the current total number of attacks and the total for
the display period.
2. Attacks By Severity: Breakdown of attacks in the display period by severity: High,
Medium, Low.
3. Top Attack Targets: IP of top five attack targets for the display period (single set
of bars).
4. Top Attack Sources: IP of top five attack sources for the display period (single set
of bars).
The Radar
You select how many of the top attacks will be tracked in the Radar. The attacks are
positioned in the Radar panel based on a metric which factors attack risk, the number of
attacks and attack frequency. The highest relative severity is shown at the center, with
medium severity in the middle circumference, and lower severity attacks at the outer
circumference.
To select the number of Top Attacks shown in the Radar
1. From the main window, select Security Reports. The Security Reports main window
appears.
2. From the Security Reports main window, click Dashboard. The Dashboard appears.
3. From the Display Top Attacks drop-down list, select the number of attacks to be
displayed in the radar. The radar display changes to show the relevant top attacks in the
network.
Real-time data refresh
In order to achieve real-time analysis, the radar uses an automatic refresh rate to
constantly update the data available. The radar cycles around its circumference in one
minute, with attack data refreshed according to a configurable setting.
To select the refresh period:
1. From the main window, select Security Reports. The Security Reports main window appears.
2. From the Security Reports main window, select Dashboard. The Dashboard appears.
3. From the Auto Refresh combo-box, set the length of the refresh period. The view in the Top Security Attacks Radar is updated at the rate selected.
Note: To drill down to view the security events, double-click an attack in the Radar panel, or the attack data in one of the graphs. Detailed information is shown regarding related security events.
Chapter 8 - Bandwidth Management
This chapter explains the capabilities of the Bandwidth Management module and includes
the following sections:
• Bandwidth Management Overview, page 335
• Bandwidth Management Policies, page 336
• BWM Classes, page 340
• BWM Example Configuration, page 344
• Protocol Discovery, page 348
• Interface Classification, page 349
Bandwidth Management Overview
This section explains the Bandwidth Management module and how administrators can use it to gain full control over their available bandwidth.
Using the module's features, applications can be prioritized according to a wide array of criteria, while taking the bandwidth used by each application into account. For example, Bandwidth Management allows an administrator to give HTTP traffic a higher priority than SMTP traffic, which in turn may have a higher priority than FTP traffic. At the same time, a Bandwidth Management solution can track the actual bandwidth used by each application and either ensure a guaranteed bandwidth for a certain application and/or set limits on how much bandwidth each classified traffic pattern can use.
LinkProof's Bandwidth Management capability allows users to define policies which restrict or maintain the bandwidth that can be sent or received by each application, user or segment. Capping the bandwidth that a DoS attack can consume of corporate resources limits the spread of the attack, ensuring that other mission-critical operations are not affected and continue to receive the bandwidth and service level required for smooth business operation. In a similar manner, carriers can ensure that one customer's Service Level Agreement (SLA) is not compromised by a DoS attack launched against another customer.
Using the Bandwidth Management module, Radware devices classify traffic passing through them according to pre-defined criteria and enforce a set of actions on that traffic. A comprehensive set of user-configurable policies controls how the device identifies each packet and what it does with it.
When a packet is matched, the device can do one of three things:
• Discard the packet - This allows the Bandwidth Management module to provide a very robust and granular packet filtering mechanism.
• Forward the packet in “real time” - The packet bypasses the entire bandwidth management system and is immediately forwarded by the device. The end result is effectively the same as if bandwidth management were not enabled at all.
• Prioritize the packet - This allows the mechanism to prioritize services.
If the packet is to be prioritized, it is placed into a queue, which is assigned a priority from 0 to 7, with 0 being the highest priority and 7 the lowest. Each policy gets its own queue. The number of queues is equal to the number of policies in the policy database, and each queue is labeled with one of the 8 priorities 0-7. This means that there could be 100 queues (if there are 100 policies), each with a label from 0-7.
Scheduler Algorithm
The scheduler takes packets from the many queues and forwards them. The scheduler operates through one of two algorithms: Cyclic and CBQ (Class Based Queuing).
With the Cyclic algorithm, the scheduler gives each priority a preference ratio of 2:1 over the immediately adjacent lower priority. In other words, a 0 queue has twice the priority of a 1 queue, which has twice the priority of a 2 queue, and so on. The scheduler cycles through the queues of the same priority when it is time to forward a packet of that priority.
The CBQ algorithm has the same packet-forwarding pattern as the Cyclic algorithm, with one significant difference: CBQ is aware of a predefined bandwidth configured per policy. As policies are configured, they can be given a minimum (guaranteed) allotted bandwidth, in Kbps, see Guaranteed Bandwidth, page 339.
Note: Unless CBQ is used, policies cannot be configured with an associated bandwidth.
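The following is an added example, not LinkProof code, that makes the two scheduling behaviours described above concrete. The page states the 2:1 ratio between adjacent priorities and that CBQ honours a guaranteed Kbps per policy; the arithmetic chosen here (smooth weighted round robin for the cyclic share, and splitting whatever bandwidth remains after the guarantees by the same 2:1 weights) is this example's assumption, not a description of the device's implementation. Queue names, policy names and the Kbps figures are constructed.

```python
"""Cyclic (2:1 per priority) and CBQ scheduling over per-policy queues.

Added example, not LinkProof code. The smooth weighted round robin and the
2:1 sharing of bandwidth left after guarantees are this example's assumptions.
"""
from collections import Counter, deque
from dataclasses import dataclass, field


def cyclic_weight(priority):
    """Priority 0 is highest; each step down halves the weight: 128, 64, ..., 1."""
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0..7")
    return 1 << (7 - priority)


@dataclass
class PolicyQueue:
    name: str
    priority: int                           # the queue's 0..7 label
    packets: deque = field(default_factory=deque)
    credit: int = 0                         # scheduler state


def make_queue(name, priority, n_packets):
    """A backlogged queue holding n_packets dummy packets (constructed input)."""
    return PolicyQueue(name, priority, deque(range(n_packets)))


def cyclic_schedule(queues, count):
    """Dequeue up to `count` packets with smooth weighted round robin: every
    decision adds each backlogged queue's weight to its credit, picks the
    largest credit and charges that queue the total weight. Over one cycle a
    priority-0 queue sends exactly twice as many packets as a priority-1
    queue, which sends twice as many as a priority-2 queue, and so on."""
    sent = []
    for _ in range(count):
        backlog = [q for q in queues if q.packets]
        if not backlog:
            break
        total = sum(cyclic_weight(q.priority) for q in backlog)
        for q in backlog:
            q.credit += cyclic_weight(q.priority)
        chosen = max(backlog, key=lambda q: q.credit)
        chosen.credit -= total
        sent.append((chosen.name, chosen.packets.popleft()))
    return sent


def packets_per_queue(sent):
    """Count of forwarded packets per queue name."""
    return dict(Counter(name for name, _ in sent))


def cbq_allocate(link_kbps, policies):
    """policies: {name: (priority, guaranteed_kbps, demand_kbps)} -> {name: kbps}.
    Guarantees are satisfied first (never beyond demand); the remainder is
    split among policies still wanting more, weighted 2:1 by priority, and
    re-split until the link or every demand is exhausted."""
    alloc = {n: min(g, d) for n, (_, g, d) in policies.items()}
    left = link_kbps - sum(alloc.values())
    if left < 0:
        raise ValueError("guaranteed bandwidth exceeds link capacity")
    while left > 1e-9:
        wanting = [n for n, (_, _, d) in policies.items() if d - alloc[n] > 1e-9]
        if not wanting:
            break
        total_w = sum(cyclic_weight(policies[n][0]) for n in wanting)
        given = 0.0
        for n in wanting:
            share = left * cyclic_weight(policies[n][0]) / total_w
            grant = min(share, policies[n][2] - alloc[n])
            alloc[n] += grant
            given += grant
        left -= given
    return alloc


if __name__ == "__main__":
    qs = [make_queue("http", 0, 400), make_queue("smtp", 1, 400), make_queue("ftp", 2, 400)]
    print(packets_per_queue(cyclic_schedule(qs, 700)))      # {'http': 400, 'smtp': 200, 'ftp': 100}
    print(cbq_allocate(1000, {"http": (0, 300, 800), "smtp": (1, 200, 200), "ftp": (2, 0, 500)}))
```

With three backlogged queues labelled 0, 1 and 2, 700 scheduling decisions forward 400, 200 and 100 packets, the 4:2:1 pattern the 2:1 rule implies. In the CBQ case the 300 and 200 Kbps guarantees are met first, and the remaining 500 Kbps is shared 4:1 between the two policies that still have demand.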
Application Classification
If Application Classification is defined as Per Packet, the device classifies every packet that
flows through it. In this mode, every single packet must be individually classified.
If Application Classification is defined as Per Session, all packets are classified by session.
An intricate algorithm is used to classify all packets in a session until a “best fit” policy is
found, fully classifying the session. Once the session is fully classified, all packets belonging
to the same session are classified accordingly. This not only allows for traffic classification
according to application, but also saves some overhead for the classifier, as it only needs to
classify sessions, and not every single packet.
Classification Mode
The following classification modes are available:
• Policies: The device classifies each packet or session by matching it to policies configured by the user.
• Diffserv: The device classifies packets only by the DSCP (Differentiated Services Code Point) value.
• ToS: The device classifies packets only by the ToS (Type of Service) field value.
Random Early Detection
The Random Early Detection (RED) algorithm can be used to protect queues from overflowing, which may cause serious session disruption. The algorithm relies on the inherent retransmission and flow control characteristics of TCP.
If the RED algorithm is deployed, the status of the queues is monitored. If the queues are approaching full capacity, randomly selected TCP packets are intercepted and dropped. Note that only TCP packets are dropped, and the packet selection is entirely random. Dropping a few TCP packets early causes the affected senders to back off, which protects the queues from becoming completely full; this causes less disruption across all TCP sessions than a full queue would, and also protects UDP packets, which would otherwise be lost when the queue overflows.
Radware's bandwidth management mechanism can deploy RED in two forms:
• Global RED - Global RED monitors the capacity of all the queues (i.e. the global set of queues) and randomly discards TCP packets before the classifier sees them.
• Weighted RED (WRED) - The RED algorithm is deployed per queue (instead of for all the packets in all the queues), and the priority of the queue affects whether a packet gets dropped or not.
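The following is an added example, not LinkProof code, of a bounded queue protected by RED as described above: only TCP packets are candidates for early drop, everything else is queued until the hard limit. The page does not give the device's drop curve; this example uses the linear curve from Floyd and Jacobson's original RED (zero below a low threshold, rising to a maximum probability at a high threshold), works on the instantaneous queue depth rather than an averaged one, and derives WRED thresholds from the queue's priority label by a rule of its own. Those three choices, the FixedRoll helper and all sizes are this example's assumptions.

```python
"""Random Early Detection on a bounded queue.

Added example, not LinkProof code. Linear drop curve, instantaneous depth and
the WRED threshold rule are this example's assumptions.
"""
import random
from collections import deque


class FixedRoll:
    """Stand-in for random.Random that always returns the same roll, so the
    example (and its tests) behave deterministically."""
    def __init__(self, value):
        self.value = value

    def random(self):
        return self.value


class RedQueue:
    def __init__(self, capacity, min_th, max_th, max_p, rng=None):
        if not 0 <= min_th < max_th <= capacity:
            raise ValueError("need 0 <= min_th < max_th <= capacity")
        self.capacity, self.min_th, self.max_th, self.max_p = capacity, min_th, max_th, max_p
        self.rng = rng or random.Random()
        self.items = deque()
        self.early_drops = 0
        self.tail_drops = 0

    def drop_probability(self, depth):
        """0 below min_th, max_p at or above max_th, linear in between."""
        if depth < self.min_th:
            return 0.0
        if depth >= self.max_th:
            return self.max_p
        return self.max_p * (depth - self.min_th) / (self.max_th - self.min_th)

    def enqueue(self, packet):
        """packet = (protocol, size). Returns True if queued, False if dropped."""
        proto, _ = packet
        depth = len(self.items)
        if depth >= self.capacity:          # hard limit: tail drop for any protocol
            self.tail_drops += 1
            return False
        if proto == "TCP" and self.rng.random() < self.drop_probability(depth):
            self.early_drops += 1           # the TCP sender will retransmit and back off
            return False
        self.items.append(packet)
        return True

    def dequeue(self):
        return self.items.popleft() if self.items else None


def wred_queue(capacity, priority, max_p=0.5, rng=None):
    """WRED: per-queue RED whose thresholds depend on the queue's priority
    label (0 highest .. 7 lowest). Assumed rule: a lower priority starts
    dropping earlier, min_th = capacity*(8-priority)/16, max_th = 2*min_th."""
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0..7")
    min_th = max(1, capacity * (8 - priority) // 16)
    max_th = min(capacity, 2 * min_th)
    return RedQueue(capacity, min_th, max_th, max_p, rng)


if __name__ == "__main__":
    q = RedQueue(capacity=20, min_th=5, max_th=15, max_p=0.5, rng=random.Random(1))
    tcp_in = sum(q.enqueue(("TCP", 1500)) for _ in range(30))
    udp_in = sum(q.enqueue(("UDP", 512)) for _ in range(30))
    print(f"TCP queued {tcp_in}, UDP queued {udp_in}, early drops {q.early_drops}, "
          f"tail drops {q.tail_drops}, depth {len(q.items)}")
```

Global RED, in these terms, would run the same drop_probability check against the summed depth of all queues before the packet is classified into any of them; WRED, as wred_queue shows, gives each queue its own thresholds, so a priority-7 queue of 64 slots begins early-dropping TCP at a depth of 4 while a priority-0 queue of the same size waits until 32.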
Bandwidth Management Policies
This section explains what Bandwidth Management policies are and describes how to define them, and includes the following topics:
• What is Bandwidth Management Policy?, page 337
• Bandwidth Management Classification Criteria, page 337
• Bandwidth Management Rules, page 338
• Policy Index, page 340
What is Bandwidth Management Policy?
The policy mechanism enables you to classify traffic passing through the Radware device and enforce bandwidth management on it.
The policy database is made up of two sections. The first is the temporary or inactive portion. These policies can be altered and configured without affecting the current operation of the device. As these policies are adjusted, the changes do not take effect until the inactive database is activated. Activation updates the active policy database, which is what the device uses to classify the packets that flow through it.
A policy consists of a set of conditions (classification criteria) and a set of actions that apply as a consequence of the conditions being satisfied.
Bandwidth Management Classification Criteria
A policy includes the following traffic classification criteria:
• Source: Defines the source of the traffic. Can be specific IPs, a range of IP addresses or an IP subnet address. You should first configure Networks. The default value is “any”, which covers traffic from any source.
• Destination: Defines the destination of the traffic. Can be specific IPs, a range of IP addresses or an IP subnet address. The default value is “any”, which covers traffic to any destination.
Note: To limit or block access to the device's interface, type the IP address of the interface in the Destination box.
• Direction: Setting the direction mode to "one way" enables asymmetric BWM. When a policy is set to "one way" the classifier searches for traffic in one direction only, while on "two ways" the device searches both directions. When a rule is set to "one way" the device classifies only one direction of the traffic and the return traffic is not classified. When a rule is set to "two ways", on the way back the device swaps the source and destination IP addresses and ports (in case the rule is a L4 or L7 rule), so that the return traffic of a classified session is classified by the same rule.
Examples:
If you have the following rule:
— Source: IP_A
— Destination: IP_B
— Service: HTTP
— Direction: One Way
only traffic with source IP IP_A and destination IP IP_B, with source port X and
destination port 80, would be classified. The return packet, with source IP_B and destination
IP IP_A, with source port X and destination port 80, would not be classified.
If you have the following rule:
• Source: NET_A
• Destination: NET_B
• Service: HTTP
• Direction: Two ways
a packet whose source IP belongs to NET_A and whose destination IP belongs to NET_B,
carrying an HTTP request, will be matched, while a packet whose source IP belongs to NET_B
and whose destination IP belongs to NET_A, carrying an HTTP request, will not be matched,
even if the rule is set to "Two-Ways".
• Service: Defines the traffic type. The Service configured per policy can allow the policy
to consider other aspects of the packet, such as the protocol (IP/TCP/UDP), TCP/UDP
port numbers, bit patterns at any offset in the packet, and actual content (such as URLs
or cookies) deep in the upper layers of the packet. Available Services are very granular.
The default value is “none”, which covers all protocols.
• Inbound Physical Port Group: Classifies only traffic received on certain interfaces of
the device. Enables you to set different policies to identical traffic classes that are
received on different interfaces of the device.
• VLAN Tag Group: Defines VLAN traffic classification according to VLAN ID (VLAN
Identifier) tags.
• Traffic Flow Identification: Defines what type of traffic flow is limited by this policy.
The available options are:
— Client (source IP).
— Session (source IP and port).
— Connection (source IP and destination IP).
— FullL4Session (source and destination IP and port).
— SessionCookie (must configure cookie identifier).
• Cookie Field Identifier: String that identifies the cookie field whose value must be
used to determine the different traffic flows.
Note: This is required only when Traffic Flow Identification is set to SessionCookie.
When Traffic Flow Identification is set to SessionCookie, the BWM classifier
searches for the Cookie Field Identifier followed by “=” and classifies flows
according to the value.
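As an added example (not Radware code), the following Python snippet shows how the five Traffic Flow Identification modes map packets to flows, and how the SessionCookie lookup for “<Cookie Field Identifier>=” yields the value the flows are keyed on. The packet fields, the HTTP requests and the cookie name JSESSIONID are constructed for this example.

```python
from collections import Counter

# Added example (not Radware code): flow keys for the five Traffic Flow
# Identification modes, including the "<Cookie Field Identifier>=<value>"
# lookup. Packets and HTTP requests below are constructed.

def cookie_value(payload, field):
    """Return the value following '<field>=' in the payload, or None.

    Mirrors the described behaviour: the classifier looks for the identifier
    followed by '=' and uses the value that follows. The value ends at the
    next ';' (cookie separator) or line break.
    """
    marker = field + "="
    start = payload.find(marker)
    if start < 0:
        return None
    start += len(marker)
    end = len(payload)
    for stop in (";", "\r", "\n"):
        pos = payload.find(stop, start)
        if pos >= 0:
            end = min(end, pos)
    return payload[start:end].strip()


def flow_key(pkt, mode, cookie_field=None):
    """Map a packet to the flow it belongs to under the given identification mode."""
    if mode == "Client":
        return (pkt["src_ip"],)
    if mode == "Session":
        return (pkt["src_ip"], pkt["src_port"])
    if mode == "Connection":
        return (pkt["src_ip"], pkt["dst_ip"])
    if mode == "FullL4Session":
        return (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
    if mode == "SessionCookie":
        if not cookie_field:
            raise ValueError("SessionCookie mode requires a Cookie Field Identifier")
        value = cookie_value(pkt.get("payload", ""), cookie_field)
        # A packet without the cookie cannot be tied to a session; key it on its
        # own L4 source so it never shares another session's limit (assumption).
        if value is None:
            return ("no-cookie", pkt["src_ip"], pkt["src_port"])
        return ("cookie", value)
    raise ValueError(f"unknown Traffic Flow Identification mode: {mode}")


def count_flows(packets, mode, cookie_field=None):
    """Packets per distinct flow: the unit to which a per-flow limit applies."""
    return Counter(flow_key(p, mode, cookie_field) for p in packets)


# Constructed sample: two browsers behind one NAT address hitting the same server.
REQ_A = "GET /cart HTTP/1.1\r\nHost: shop.example\r\nCookie: JSESSIONID=abc123; lang=en\r\n\r\n"
REQ_B = "GET /cart HTTP/1.1\r\nHost: shop.example\r\nCookie: lang=en; JSESSIONID=zzz999\r\n\r\n"
SAMPLE_PACKETS = [
    {"src_ip": "203.0.113.5", "src_port": 40001, "dst_ip": "198.51.100.10", "dst_port": 80, "payload": REQ_A},
    {"src_ip": "203.0.113.5", "src_port": 40002, "dst_ip": "198.51.100.10", "dst_port": 80, "payload": REQ_A},
    {"src_ip": "203.0.113.5", "src_port": 40003, "dst_ip": "198.51.100.10", "dst_port": 80, "payload": REQ_B},
]

if __name__ == "__main__":
    for mode in ("Client", "Session", "Connection", "FullL4Session", "SessionCookie"):
        print(mode, dict(count_flows(SAMPLE_PACKETS, mode, cookie_field="JSESSIONID")))
```

With the sample above, Client and Connection see a single flow (one NAT address), Session and FullL4Session see three (one per source port), and SessionCookie sees two, because the first two requests carry the same JSESSIONID value.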
Bandwidth Management Rules
Once the traffic is classified and matched to a policy, the Bandwidth Management rules can
be applied to this policy.
Action
The action determines the access given to traffic. Possible values include:
• Forward: The connection is accepted and traffic is forwarded to its destination. This is
the default value.
• Block: All packets are dropped.
• Block and Reset: All packets are dropped. In TCP traffic, an RST packet is sent to the
client.
• Block and Bi-directional Reset: All packets are dropped. In TCP traffic, an RST packet
is sent to both client and server.
Priority
If the action associated with the policy is “forward”, then the packet is classified according to
the configured priority. There are 9 options available: Real time forwarding and priorities 0
through 7.
Guaranteed Bandwidth
If the scheduler is configured to use the CBQ algorithm, the policy can be assigned a
minimum (guaranteed) bandwidth. The scheduler will not allow packets that were classified
through this policy to exceed this allotted bandwidth, unless borrowing is enabled. Note,
that the maximum bandwidth configured for the entire device, as described above,
overrides per-policy bandwidth configurations. In other words, the sum of the guaranteed
bandwidth for all the policies cannot be higher than the total device bandwidth.
Borrowing Limit
Borrowing can be enabled when the scheduler operates through the CBQ algorithm. If
enabled, the scheduler can borrow bandwidth from queues that can spare it, in order to
forward packets from queues that have exceeded (or are about to exceed) their allotted
amount of bandwidth. The combination of the Guaranteed Bandwidth and Borrowing Limit
field values causes the bandwidth allotted to a policy to behave as follows:
Table 35:
Guaranteed Bandwidth   Borrowing Limit   Policy Bandwidth
0                      0                 Burstable with no limit, no minimum guaranteed.
X                      0                 Burstable with no limit, minimum of X guaranteed.
0                      Y                 Burstable to Y, no minimum guaranteed.
X                      Y (Y>X)           Burstable to Y, minimum of X guaranteed.
X                      X                 Non-burstable, X guaranteed.
Policy Group
You can define several bandwidth borrowing domains on a device by organizing policies in
groups. Bandwidth that is not utilized by a specific policy in a group is allocated
proportionally to the other policies, enabling them to borrow from other policies preventing
starvation and utilizing the bandwidth more efficiently. Only policies that participate in a
specific group can share bandwidth.
The total bandwidth available for a policy group is the sum of Guaranteed Bandwidth values
of all policies in the group.
To configure a Policy Group:
1. Set the Global BWM parameter Dynamic Borrowing to Enable.
2. Define Policy Groups.
3. Define the device policies. Configure Guaranteed Bandwidth with the desired value and
Borrowing Limit as 0; the bandwidth limitation is ignored, as the policy is able to borrow
unused bandwidth from other policies in the group. For each policy select the relevant
policy group to which it belongs.
4. Perform the Update Policies command.
Notes:
i. Whenever bandwidth borrowing and/or prioritization is applied, the maximum
bandwidth available for allocation per physical port must be configured (for
example, if a device Fast Ethernet port is connected to a router that supports up
to 2 Mbps, the bandwidth for this port must be set to 2 Mbps; the default is the
physical port speed, 100 Mbps).
ii. The Borrowing Limit parameter must be set to 0 for all the policies in the
group and the Dynamic Borrowing global parameter must be enabled.
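The following Python model is an added example, not Radware code. It encodes the Table 35 combinations of Guaranteed Bandwidth and Borrowing Limit as a function, and simulates dynamic borrowing inside a policy group: each policy first receives up to its guarantee, and bandwidth left unused by one policy is handed to the policies that need more. The sharing rule (in proportion to each policy's guarantee), the rejection of a Borrowing Limit below the guarantee, and the sample policies and loads are assumptions; the guide states only that unused bandwidth is allocated proportionally and that the group total is the sum of the guarantees.

```python
# Added example (not Radware code): Table 35 as a function, plus a model of
# dynamic borrowing inside a policy group. The proportional rule and the sample
# values are assumptions for illustration. All bandwidths are in kbps.

def policy_bandwidth(guaranteed, borrowing_limit):
    """Return (minimum, maximum); maximum None means burstable with no limit."""
    if guaranteed < 0 or borrowing_limit < 0:
        raise ValueError("bandwidth values must be non-negative")
    # Table 35 lists only Y > X and Y = X; a limit below the guarantee is
    # rejected here as inconsistent (assumption).
    if borrowing_limit and borrowing_limit < guaranteed:
        raise ValueError("Borrowing Limit must be 0 or at least the Guaranteed Bandwidth")
    maximum = None if borrowing_limit == 0 else borrowing_limit
    return guaranteed, maximum


def describe(guaranteed, borrowing_limit):
    """Render a Table 35 row in words."""
    minimum, maximum = policy_bandwidth(guaranteed, borrowing_limit)
    if maximum is None:
        burst = "burstable with no limit"
    elif maximum == minimum:
        burst = "non-burstable"
    else:
        burst = f"burstable to {maximum}"
    floor = f"minimum of {minimum} guaranteed" if minimum else "no minimum guaranteed"
    return f"{burst}, {floor}"


def allocate_group(policies, demand):
    """Share a policy group's bandwidth among its policies.

    policies: {name: guaranteed}, all with Borrowing Limit 0 and Dynamic
              Borrowing enabled, as the procedure above requires.
    demand:   {name: offered load}
    Returns {name: allocated}. The group total is the sum of the guarantees;
    whatever one policy leaves unused is handed to the others in proportion
    to their guarantees, never beyond what they can actually use.
    """
    alloc = {n: min(demand.get(n, 0), g) for n, g in policies.items()}
    spare = sum(policies.values()) - sum(alloc.values())
    while spare > 1e-9:
        needy = {n: demand.get(n, 0) - alloc[n]
                 for n in policies if demand.get(n, 0) - alloc[n] > 1e-9}
        if not needy:
            break                       # nobody can use the leftover
        weight_total = sum(policies[n] for n in needy)
        handed_out = 0.0
        for n, need in needy.items():
            give = min(need, spare * policies[n] / weight_total)
            alloc[n] += give
            handed_out += give
        spare -= handed_out             # any capped share is re-offered next round
    return alloc


GROUP = {"ftp": 1000, "citrix": 1000, "http": 2000}      # constructed guarantees
LOAD = {"ftp": 400, "citrix": 1500, "http": 3000}         # constructed offered load

if __name__ == "__main__":
    for g, b in ((0, 0), (500, 0), (0, 800), (500, 800), (500, 500)):
        print(f"guaranteed={g:<4} borrowing_limit={b:<4} -> {describe(g, b)}")
    print(allocate_group(GROUP, LOAD))
```

In the constructed group, ftp uses only 400 of its 1000 kbps guarantee; the 600 kbps it leaves unused is split between citrix and http in the ratio of their guarantees (1:2), so citrix ends at 1200 kbps and http at 2400 kbps, and the group total stays at 4000 kbps.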
Traffic Flow Control
The maximum bandwidth allowed per traffic flow.
Max Concurrent Sessions
String that identifies the cookie field whose value must be used to determine the different
traffic flows.
Note:
This is required only when Traffic Flow Identification is set to SessionCookie.
When Traffic Flow Identification is set to SessionCookie, the BWM classifier
searches for the Cookie Field Identifier followed by “=” and classifies flows
according to the value.
Packet Marking
Packet Marking refers to Differentiated Services Code Point (DSCP) or Diffserv. Enables the
device to mark the packet with a range of bits.
Policy Index
The policy order or index is a number that determines the order of the policy in the entire
policy database. When the classifier receives a packet, it tries to find a policy that matches
the packet. The policy database is searched starting with policy #1, in descending order.
Once a policy is matched the process is stopped. Using this logic, the very last policy
configured should be the policy that is enforced on all packets that do not match any other
policies. In other words, the last configured policy should be the “default” policy.
BWM Classes
This section explains how to define a service, which provides flexibility to the classifier and
gives the system a large number of possibilities for packet identification and includes the
following topics:
• Services, page 341
• Basic Filters, page 341
• Advanced Filters and Filter Groups, page 341
• Pre-Defined Services for BWM, page 342
Services
A very advanced and granular set of services can be configured within the bandwidth
management system. Services are configured separately from policies. As each policy is
configured, it can be associated with a configured Service.
The service associated with a policy in the policy database can be a basic filter, an advanced
filter, or a filter group. This represents tremendous flexibility for the classifier as it
essentially gives the system a large number of possibilities for packet identification.
Basic Filters
The basic building block of a Service is a basic filter. A basic filter is made up of the following
components:
• Protocol: The specific protocol that the packet should carry. The possible choices are IP,
TCP, UDP and ICMP. If the protocol is configured as “IP”, all IP packets (including TCP
and UDP) will be considered. When configuring TCP or UDP protocol, some additional
parameters are also available:
— Destination Port (From-To) - Destination port number for that protocol. For
example, for HTTP, the protocol would be configured as TCP and the destination port
as 80. The port configuration can also allow for a range of ports to be configured.
— Source Port (From-To) - Similar to the destination port, the source port that a
packet should carry in order to match the filter can be configured.
• Offset Mask Pattern Condition (OMPC): The OMPC is a means by which any bit
pattern can be located for a match at any offset in the packet. This can aid in locating
specific bits in the IP header, for example. TOS and Diff-serv bits are perfect examples
of where OMPCs can be useful. It is not mandatory to configure an OMPC per filter.
However, if an OMPC is configured, there should be an OMPC match in addition to a
protocol (and source/destination port) match. In other words, if an OMPC is configured,
the packet needs to match the configured protocol (and ports) AND the OMPC.
Content
In case the protocol configured is TCP or UDP, it is possible to search for any text string in
the packet. Like OMPC's, a text pattern can be searched for at any offset in the packet. HTTP
URL's are perfect examples of how a text search can aid in classifying a session.
The service editor allows you to choose between multiple types of configurable content:
URL, hostname, HTTP header field, cookie, mail domain, mail to, mail from, mail subject, file
type, regular expression and text. If the content type is “URL” for example, then the session
is assumed to be HTTP with a GET, HEAD, or POST method. The classifier searches the URL
following the GET/HEAD/POST to find a match for the configured text. In this case, the
configured offset is meaningless, since the GET/HEAD/POST is in a fixed location in the HTTP
header. If the content type is “text”, then the entire packet is searched, starting at the
configured offset, for the content text.
By allowing a filter to take the actual content of a packet/session into account, the classifier
gains a powerful way to recognize and classify an even wider array of packets and sessions.
Like OMPC's, content rules are not mandatory to configure. If a content rule exists in the
filter, then the packet needs to match the configured protocol (and ports), the configured
OMPC (if one exists), AND the configured content rule.
Advanced Filters and Filter Groups
An Advanced Filter is a combination of basic filters with a logical AND between them. Let's
assume filters F1, F2, and F3 have been individually configured. Advanced filter AF1 can be
defined as:
AF1= {F1 AND F2 AND F3}
In order for AF1 to be a match, all three filters of F1, F2, and F3 must match the packet
being classified.
A Filter Group is a combination of basic filters and advanced filters, with a logical OR
between them. To continue the example above, filter group FG1 can be defined as:
FG1 = {AF1 OR F4 OR F6}
In order for filter group FG1 to be a match, either advanced filter AF1, basic filter F4, or
basic filter F6 have to match the packet being classified.
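As an added example (not Radware code), the following Python snippet models a basic filter with its protocol, port range, OMPC and content components, and the AND/OR composition of advanced filters and filter groups described above, evaluated against constructed packets. The packet layout (a 20-byte IPv4 header followed by a 20-byte L4 header), the filter names and the DSCP value used in the OMPC are assumptions for illustration.

```python
# Added example (not Radware code): basic filters (protocol, ports, OMPC,
# content), advanced filters (AND) and filter groups (OR). Packets are
# constructed byte strings: a 20-byte IPv4 header, a 20-byte L4 header
# placeholder, then the payload. OMPC offsets count from the start of the IP
# header; content offsets count from the start of the payload (assumption).

HDR_LEN = 40  # assumed: 20-byte IP header + 20-byte TCP/UDP header, no options

def build_packet(proto, src_port, dst_port, payload=b"", tos=0):
    ip_hdr = bytes([0x45, tos]) + bytes(18)                  # version/IHL, TOS byte, rest zeroed
    l4_hdr = src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big") + bytes(16)
    return {"proto": proto, "src_port": src_port, "dst_port": dst_port,
            "raw": ip_hdr + l4_hdr + payload}


class BasicFilter:
    def __init__(self, name, protocol, dst_ports=None, src_ports=None, ompc=None, content=None):
        self.name = name
        self.protocol = protocol        # "IP", "TCP", "UDP" or "ICMP"
        self.dst_ports = dst_ports      # (from, to) or None = any
        self.src_ports = src_ports
        self.ompc = ompc                # (offset, mask, pattern) on one byte, or None
        self.content = content          # (type, text, offset) with type "URL" or "text", or None

    @staticmethod
    def _port_ok(rng, value):
        return rng is None or rng[0] <= value <= rng[1]

    def _ompc_ok(self, raw):
        if self.ompc is None:
            return True
        offset, mask, pattern = self.ompc
        return offset < len(raw) and (raw[offset] & mask) == pattern

    def _content_ok(self, raw):
        if self.content is None:
            return True
        ctype, text, offset = self.content
        payload = raw[HDR_LEN:]
        if ctype == "URL":
            # The session is assumed HTTP: the URL follows GET/HEAD/POST on the
            # request line, so the configured offset is meaningless here.
            parts = payload.split(b"\r\n", 1)[0].split(b" ")
            return len(parts) >= 2 and parts[0] in (b"GET", b"HEAD", b"POST") and text in parts[1]
        if ctype == "text":
            return text in payload[offset:]     # whole packet from the offset onwards
        raise ValueError(f"unsupported content type {ctype}")

    def matches(self, pkt):
        if self.protocol != "IP" and pkt["proto"] != self.protocol:
            return False
        if self.protocol in ("TCP", "UDP"):
            if not (self._port_ok(self.dst_ports, pkt["dst_port"])
                    and self._port_ok(self.src_ports, pkt["src_port"])):
                return False
        # protocol (and ports) AND OMPC AND content must all hold
        return self._ompc_ok(pkt["raw"]) and self._content_ok(pkt["raw"])


class AdvancedFilter:
    """AF = {F1 AND F2 AND ...}"""
    def __init__(self, name, *filters):
        self.name, self.filters = name, filters
    def matches(self, pkt):
        return all(f.matches(pkt) for f in self.filters)


class FilterGroup:
    """FG = {AF1 OR F4 OR ...}"""
    def __init__(self, name, *filters):
        self.name, self.filters = name, filters
    def matches(self, pkt):
        return any(f.matches(pkt) for f in self.filters)


# Constructed service definitions.
F_HTTP = BasicFilter("http", "TCP", dst_ports=(80, 80))
F_ADMIN_URL = BasicFilter("admin-url", "TCP", dst_ports=(80, 80), content=("URL", b"/admin", 0))
# DSCP sits in the top six bits of the TOS byte (offset 1): mask 0xFC, pattern 0x28 = DSCP 10 (AF11)
F_AF11 = BasicFilter("dscp-af11", "IP", ompc=(1, 0xFC, 0x28))
F_HTTPS = BasicFilter("https", "TCP", dst_ports=(443, 443))
F_DNS = BasicFilter("dns", "UDP", dst_ports=(53, 53))
AF1 = AdvancedFilter("AF1", F_HTTP, F_ADMIN_URL, F_AF11)     # all three must match
FG1 = FilterGroup("FG1", AF1, F_HTTPS, F_DNS)                 # any one suffices

ALL_FILTERS = (F_HTTP, F_ADMIN_URL, F_AF11, F_HTTPS, F_DNS, AF1, FG1)

def classify(pkt):
    """Names of every filter, advanced filter and group the packet matches."""
    return [f.name for f in ALL_FILTERS if f.matches(pkt)]


if __name__ == "__main__":
    req = b"GET /admin/login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    print(classify(build_packet("TCP", 40000, 80, req, tos=0x28)))
    print(classify(build_packet("UDP", 50000, 53, b"\x12\x34")))
```

The same HTTP request to /admin matches AF1 only when the DSCP bits are set, because the OMPC is one of the three AND-ed conditions; a DNS packet matches FG1 through F_DNS alone.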
Radware devices are pre-configured with a set of basic filters and group filters that
represent applications commonly found in most networks.
Note: For a detailed description of the pre-configured filters, see Pre-Defined Services
for BWM, page 342.
Pre-Defined Services for BWM
Provided below is a list of pre-defined filters for BWM:
Table 36: Pre Defined Filters for BWM
Service Name       Description                                                    Filter
ERP/CRM
sap                                                                               Basic
Database
mssql              Microsoft SQL service group                                    Group
mssql-monitor      SQL monitoring traffic                                         Basic
mssql-server       SQL server traffic                                             Basic
oracle             Oracle database application service group                      Group
oracle-v1          Oracle SQL*Net v1-based traffic (v6, Oracle7)                  Basic
oracle-v2          Oracle SQL*Net v2/Net 8-based traffic (Oracle7,8,8i,9i)        Basic
oracle-server1     Oracle Server (e-business solutions) on port 1525              Basic
oracle-server2     Oracle Server (e-business solutions) on port 1527              Basic
oracle-server3     Oracle Server (e-business solutions) on port 1529              Basic
Thin Client or Server Based
citrix             Citrix connectivity application service group. Enables any     Group
                   type of client to access applications across any type of
                   network connection.
citrix-ica         Citrix Independent Computer Architecture (ICA)                 Basic
citrix-rtmp        Citrix RTMP                                                    Basic
citrix-ima         Citrix Integrated Management Architecture                      Basic
citrix-ma-client   Citrix MA Client                                               Basic
citrix-admin       Citrix Admin                                                   Basic
Peer-to-Peer
p2p                peer-2-peer applications                                       Group
edonkey            File sharing application                                       Basic
gnutella           File sharing and distribution network                          Basic
fasttrack          User-to-User Media Exchange                                    Basic
Kaaza              Kaaza File Sharing Application (Note: Music City Morpheous     Basic
                   and Grokster also classify as Kazza)
Internet
dns                Domain Name Server protocol
ftp-session        File Transfer Protocol service - both FTP commands and data    Basic
http               Web traffic                                                    Basic
http-alt           Web traffic on port 8080                                       Basic
https              Secure web traffic                                             Basic
icmp               Internet Control Message Protocol                              Basic
ip                 IP traffic
nntp               Usenet NetNews Transfer Protocol                               Basic
telnet
tftp                                                                              Basic
udp                                                                               Basic
Instant Messaging
aol-msg            AOL Instant Messenger                                          Basic
icq                ICQ                                                            Basic
msn-msg            MSN Messenger Chat Service                                     Basic
yahoo-msg          Yahoo Messenger                                                Group
yahoo-msg1         Yahoo Messenger on port 5000                                   Basic
yahoo-msg2         Yahoo Messenger on port 5050                                   Basic
yahoo-msg3         Yahoo Messenger on port 5100                                   Basic
Email
mail                                                                              Group
smtp                                                                              Basic
imap                                                                              Basic
pop3                                                                              Basic
Networks
A Network is a logical entity that consists of a group of IP addresses linked together by a
network IP and subnet, or a range of IP addresses (from-to), and identified by name. A
Network can be configured separately and individual elements of the Network list can then
be used in the individual policy. An entry in the Network list is known as a configured
“name” and can be either an IP/Mask combination or an IP range. For example, network
“net1” can be 10.0.0.0/255.0.0.0 and network “net2” can be From: 10.1.1.1 To: 10.1.1.7.
The Network list allows either configuration.
The bandwidth management module allows multiple Networks to have the same configured
“name”. This allows a Network with the name “net1” to actually encompass multiple
disjointed IP address ranges. Essentially, this makes the Network “name” a logical pointer to
all ranges configured with that name. This will further facilitate the configuration and
management of the system.
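The following Python script is an added example, not Radware code, that ties the Network list to the policy search described under Direction and Policy Index: several entries may share one network name, the database is searched from policy #1 and the first match wins, a "One Way" policy classifies only the stated direction, and a "Two Ways" policy also matches the return traffic with source and destination swapped. The networks net1 and net2 follow the text; the additional network entries, the policies and the packets are constructed.

```python
import ipaddress

# Added example (not Radware code): Network list entries sharing a name, plus
# first-match policy search with One Way / Two Ways handling. net1 and net2
# follow the guide's text; every other name, address and policy is constructed.

class NetworkList:
    def __init__(self):
        self.entries = {}                        # name -> list of (low, high) as ints

    def add_mask(self, name, ip, mask):
        """IP/Mask entry, e.g. 10.0.0.0 / 255.0.0.0."""
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        self.entries.setdefault(name, []).append(
            (int(net.network_address), int(net.broadcast_address)))

    def add_range(self, name, first, last):
        """From-To entry, e.g. 10.1.1.1 to 10.1.1.7."""
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        if lo > hi:
            raise ValueError("From address must not exceed To address")
        self.entries.setdefault(name, []).append((lo, hi))

    def contains(self, name, ip):
        """'any' matches every address; a name matches if any of its entries does,
        so one name can cover several disjoint ranges."""
        if name == "any":
            return True
        addr = int(ipaddress.ip_address(ip))
        return any(lo <= addr <= hi for lo, hi in self.entries.get(name, ()))


class Policy:
    def __init__(self, index, name, source, destination, service, direction, action):
        self.index, self.name = index, name
        self.source, self.destination = source, destination
        self.service = service                   # (protocol, destination port) or None = any
        self.direction, self.action = direction, action

    def _oriented_match(self, nets, src_ip, dst_ip, proto, dst_port):
        if not (nets.contains(self.source, src_ip) and nets.contains(self.destination, dst_ip)):
            return False
        return self.service is None or (proto, dst_port) == self.service

    def matches(self, nets, pkt):
        if self._oriented_match(nets, pkt["src_ip"], pkt["dst_ip"], pkt["proto"], pkt["dst_port"]):
            return True
        if self.direction == "Two Ways":
            # Return traffic: source/destination addresses and ports are swapped.
            return self._oriented_match(nets, pkt["dst_ip"], pkt["src_ip"],
                                        pkt["proto"], pkt["src_port"])
        return False                             # One Way: return traffic is not classified


def classify(nets, policies, pkt):
    """Search from policy #1 in index order; the first match stops the search,
    which is why the last policy should be the catch-all default."""
    for policy in sorted(policies, key=lambda p: p.index):
        if policy.matches(nets, pkt):
            return policy.name
    return None


NETS = NetworkList()
NETS.add_mask("net1", "10.0.0.0", "255.0.0.0")               # from the guide
NETS.add_range("net2", "10.1.1.1", "10.1.1.7")                 # from the guide
NETS.add_mask("net1", "172.16.0.0", "255.255.0.0")             # second entry under the same name (constructed)
NETS.add_mask("web", "198.51.100.10", "255.255.255.255")       # constructed web server address

POLICIES = [
    Policy(1, "block-net2-web", "net2", "web", ("TCP", 80), "One Way", "Block"),
    Policy(2, "net1-web", "net1", "web", ("TCP", 80), "Two Ways", "Forward"),
    Policy(3, "default", "any", "any", None, "Two Ways", "Forward"),
]

def pkt(src_ip, src_port, dst_ip, dst_port, proto="TCP"):
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "proto": proto}

if __name__ == "__main__":
    for p in (pkt("10.1.1.3", 40000, "198.51.100.10", 80),
              pkt("198.51.100.10", 80, "10.1.1.3", 40000),
              pkt("10.9.9.9", 40000, "198.51.100.10", 80),
              pkt("192.0.2.1", 50000, "203.0.113.9", 53, "UDP")):
        print(p["src_ip"], "->", p["dst_ip"], "=>", classify(NETS, POLICIES, p))
```

Note that net2 lies inside net1, so the order matters: a request from 10.1.1.3 hits the block policy only because it is policy #1, and its return traffic is not caught by that One Way policy at all but falls through to the Two Ways policy #2.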
To configure a Network using WBM:
From the main window select BWM > Classes > Networks > Modify > Add.
Port Groups
Enables the user to set different policies to identical traffic classes that are received on
different interfaces of the device. For example, the user can allow HTTP access to the main
server only to traffic entering the device via physical interface 3. This provides greater
flexibility in configuration. The user should first configure Port Groups.
To configure Port Groups using WBM:
From the main window select BWM > Port Groups > Physical Port Groups.
VLAN Tag Groups
VLAN Tag Groups allow the user to set different policies to identical traffic classes that are
received with different values of 802.1q VLAN Tags. For example, the user can allow SMTP
access to the internet only to traffic tagged with a VLAN Tag with a specific value. This
provides greater flexibility in configuration. The user should first configure VLAN Tag
Groups.
To configure VLAN Groups using WBM:
From the main window select BWM > Port Groups > VLAN Tag Groups.
BWM Example Configuration
The following is a complete example configuration for bandwidth management, addressing
the following:
• Limit FTP traffic to servers (20.10.1.3, 20.10.1.7 and 20.10.3.17) incoming via physical
port 5 or 7 to 300kbps.
• Guarantee 2Mbps to Citrix traffic running on VLAN 2 and VLAN 7.
• Limit HTTP traffic to and from internal network 10.x.x.x to 1Mbps.
• Prevent the e-mail virus named “Love Letter” from infecting the network.
To configure the BWM Example:
1. From the main window, click BWManagement. The Bandwidth Management window
appears.
2. Click BWM Parameters. The BWM Global Parameters window appears.
3. From the BWM Global Parameters window, set the following parameters according to the
explanations provided:
Table 37:
Classification Mode:          Policies
Application Classification:   Per Session
Scheduling Algorithm:         CBQ
Click Ok to record your preferences and exit from the window.
4. Configure the required Physical Port Group:
a. From the Bandwidth Management window, click Port Groups. The Ports Group
window appears.
b. From the Ports Group window, select the Physical Port Groups option button.
Click the Modify Table tab and click Add. The Edit Physical Port Group window
appears.
c. From the Edit Physical Port Group window, in the Groups parameter enter a new
group entitled FTP ports. Select the port 5 and port 7 checkboxes.
d. Click Ok.
5. Configure the required VLAN Tag Groups:
a. From the Port Groups window, select the VLAN Tag Groups option button and click
Add from the Modify Table tab. The Edit VLAN Tag Groups window appears.
b. From the Edit VLAN Tag Groups window, create 2 separate entries for the Citrix
VLAN by setting the following parameters according to the explanations provided:
Table 38:
Group Name:   Citrix VLAN
Group Mode:   Discrete
VLAN Tag:     2 (first entry), 7 (second entry)
c. Click Ok > Update Modifications.
6. Add 2 networks:
a. From the Bandwidth Management window, click Classes. The LinkProof Classes
window appears.
b. From the LinkProof Classes window, click Networks. Select Modify and then click
Add. The Edit Network window appears.
c. From the Edit Network window, set the following parameters according to the
explanations provided:
Table 39:
Network Name:   FTP Servers
Network Mode:   IP Range
Create 3 separate entries for the FTP Servers with the following IP Addresses:
From Address:   20.10.1.3, 20.10.1.7, 20.10.3.17
To Address:     The same as the From Address.
7. Add the second network as explained above by setting the parameters according to the
explanations provided:
Table 40:
Network Name:   Internal
Network Mode:   IP Mask
From Address:   10.0.0.0
To Address:     255.0.0.0
8. Click Ok to record your preferences and exit the window.
9. Configure the Basic Filter to identify the e-mail virus:
a. From the Bandwidth Management window, click Classes. The Classes window
appears.
b. From the Classes window, click Add Regular. The New Service pane appears.
c. From the New Service pane, set the following parameters according to the
explanations provided:
Table 41:
Service Name:   Love Letter
Protocol:       TCP
Content Type:   Mail Subject
Content:        Love Letter
d. Click Add Service and then click Update Active Classes.
10. Configure the policies: From the Bandwidth Management window, click Modify and then
click Add. The Edit Policy window appears.
11. From the Edit Policy window, add the following 4 policies according to the explanations
provided:
Table 42:
To limit FTP Traffic to FTP Servers via ports 5,7 to 300kbps:
Policy Name:              FTP
Service Type:             Regular
Service:                  FTP
Source:                   Any
Destination:              FTP Servers
Direction:                Oneway
Action:                   Forward
Priority:                 4
Inbound Physical Group:   FTP Ports
Borrowing Limit:          300
Table 43:
To guarantee 2 Mbps to Citrix traffic running on VLAN 2,7:
Policy Name:              Citrix
Service Type:             Group
Service:                  Citrix
Source:                   Any
Destination:              FTP Servers
Direction:                Twoway
Action:                   Forward
Priority:                 2
Guaranteed Bandwidth:     2000
Table 44:
To limit HTTP Traffic to Local Network to 1 Mbps:
Policy Name:              HTTP
Service Type:             Regular
Service:                  HTTP
Source:                   Any
Destination:              Internal
Direction:                Twoway
Action:                   Forward
Priority:                 3
Inbound Physical Group:   FTP Ports
Borrowing Limit:          1000
Table 45:
To block the “Love-Letter” e-mail virus:
Policy Name:              Virus Love Letter
Service Type:             Regular
Service:                  Love Letter
Source:                   Any
Destination:              Any
Direction:                Twoway
Action:                   Block
12. Click Ok to record your preferences and exit from the window.
Protocol Discovery
This section describes the Protocol Discovery feature which allows you to recognize the
different applications running on your network by creating Protocol Discovery Policies.
This section includes the following topics:
• What is Protocol Discovery?, page 348
• Protocol Discovery Policies, page 349
What is Protocol Discovery?
To use the Bandwidth Management module in an optimal way, network administrators must
be aware of the different applications running on their network and the amount of
bandwidth they consume. To allow a full view of the different protocols running on the
network, a traffic discovery feature has been added, known as Protocol Discovery.
The protocol discovery feature can be activated on the entire network or on separate
sub-networks by defining Protocol Discovery policies.
Protocol Discovery Policies
A Protocol Discovery policy consists of a set of traffic classification criteria which includes:
• Source: Defines the source of the traffic. Can be specific IPs, a range of IP addresses or
an IP Subnet address. The default value is “any”, which covers traffic from any source.
• Destination: Defines the destination of the traffic. Can be specific IPs, a range of IP
addresses or an IP Subnet address. The default value is “any”, which covers traffic to any
destination.
• Source MAC Address Group: Enables you to discover applications and protocols present
in the traffic sent by a transparent network device (firewall, router).
• Destination MAC Group: Enables you to discover applications and protocols present in
the traffic sent to a transparent network device (firewall, router).
• Inbound Physical Port Group: Classifies only traffic received on certain interfaces of
the device. Enables you to set different policies to identical traffic classes that are
received on different interfaces of the device.
• VLAN Tag Group: Defines VLAN traffic classification according to VLAN ID (VLAN
Identifier) tags.
• Direction: Defines the direction of the traffic. Can be OneWay (from Source to
Destination) or TwoWay.
To configure the Protocol Discovery using APSolute Insite:
1. From the main window, click Bandwidth Management. The Bandwidth Management
window appears.
2. From the Bandwidth Management window, click Protocol Policies. The Protocol
Discovery Policies window appears.
3. From the Protocol Discovery Policies window, click Add. The Edit Protocol Discoveries
window appears.
4. From the Edit Protocol Discoveries window, set the parameters according to the set of
traffic classification criteria, as explained above.
5. Click Ok to accept your changes and exit from the window.
To view the results:
1. Configure the Protocol Discovery as explained above in steps 1-2.
2. From the Protocol Discoveries window, click View Protocol Statistics. The Protocol
Statistics window appears.
Interface Classification
This section describes the process of interface classification which is designed to give you
more Bandwidth performance.
This section includes the following topics:
• Port Bandwidth, page 350
• Interface Classification, page 350
Port Bandwidth
In order to optimize the queuing algorithm, it is essential for the BWM module to be aware
of the maximum available port bandwidth. This can be configured via the "BWM Port
Bandwidth" table. By default, the maximum available throughput is determined by the port
type: 100Mbps for the FE ports and 1Gbps for the Giga ports. The queuing mechanism will
only begin to function upon link saturation. Configuring the maximum throughput is the only
way of telling if the link is saturated.
To define a port's maximum available bandwidth:
1. From the main window, right-click the LinkProof icon and select Zoom > Zoom In.
Repeat this process until you can see the front view of the device.
2. Right-click the required port (f1, f2, etc.) and select Interface Parameters from dropdown list. The Interface Parameters window appears.
3. From the Interface Parameters window, set the Available Bandwidth parameter for that
port in Kbps and click Ok.
Interface Classification
To increase performance, Bandwidth Management module can be configured to exclude
traffic running through certain physical ports and/or VLANs from the classification effort. In
this way valuable processing time can be saved while enabling a simpler method of
configuring the device.
You may cancel classification according to Port or according to VLAN.
To cancel Interface Classification by port:
1. From the main window, click Bandwidth Management. The Bandwidth Management
window appears.
2. From the Bandwidth Management window, click Interface Classification. The
Interface Classification window appears.
3. From the Interface Classification window, select the Cancel Classification by Port
option button and set the following parameters according to the explanations provided:
Inbound Port:    The number of the required port for inbound traffic.
Outbound Port:   The number of the required port for outbound traffic.
Direction:       The direction of the flow through each port. Values can be Oneway - the
                 traffic flows in through the Inbound Port and out through the Outbound
                 Port, or Twoway - the traffic flows both ways through both ports.
4. Click Add to add your parameter settings to the table.
5. Click Ok to record your changes and exit from the window.
To cancel Interface Classification by VLAN:
1. From the main window, click Bandwidth Management. The Bandwidth Management
window appears.
2. From the Bandwidth Management window, click Interface Classification. The
Interface Classification window appears.
3. From the Interface Classification window, select the Cancel Classification per VLAN
option button.
4. Select the number of the required VLAN you wish to cancel.
5. Click Ok to record your changes and exit from the window.
Chapter 9 - Health Monitoring
This chapter describes Health Monitoring, which incorporates Radware SynApps architecture
and includes the following sections:
• Health Monitoring - Introduction, page 353
• Health Check Configuration, page 355
• Health Check Methods, page 364
Health Monitoring - Introduction
This section describes the general function of the module and the basic health monitoring
concepts.
This section includes the following topics:
• Module, page 353
• Checked Element, page 354
• Health Check, page 354
• Method, page 354
• Binding and Groups, page 354
Module
The Health Monitoring module, implemented on all Radware IAS (Intelligent Application
Switching) products, is responsible for checking the health of the network elements such as
servers, firewalls, and Next Hop Routers (NHRs) that are managed by the IAS device.
The Health Monitoring module determines which network elements are available for service
to enable the IAS device to load balance traffic among the available resources.
Traffic management decisions are based mainly on the availability of the load balanced
elements and on other resources on the data path. The module provides flexible
configuration for health monitoring of the load balanced elements. The module supports
various pre-defined and user defined checks, and enables you to create dependencies
between health checks of different elements.
Previous versions supported load balancing of traffic between servers based only upon the
health of the servers or SNMP variables polled from the servers.
It is now possible to load balance the traffic between servers according to Response Level;
this enables the user to always serve clients using the fastest server.
The Health Monitoring Module now enables users to track the round trip time of health
checks. The device keeps a Response Level indicator for each check. The Response Level is
the average ratio of the actual response time to the configured Timeout. The average
is calculated over a number of samples as defined in the Response Level Samples
parameter, available in the Global Parameters window via the Health Monitoring menu. A
value of 0 in the Response Level Samples parameter disables the parameter; any other value
between 1 and 9 defines the number of samples.
For example, if the user configured 2 health checks - c1, which checks ping to server 1, and
c2, which checks ping to server 2 - and enabled the Track Load flag on both checks, 2 Load
Factors will be generated.
Response Time Load Balancing is achieved by choosing the Response Time dispatch method
in the farm parameters. The device will then load balance the traffic to the “fastest” element
until the Load Factors are equal.
Checked Element
A Checked Element is a network element that is managed and load balanced by the
Radware device. For example, LinkProof-checked elements are the Farm Servers, NHRs and
LRP, PRP reports, while for CSD the checked elements are Cache Servers, for CID – Content
Servers, for LinkProof – Security Servers, and for LinkProof – the Next Hop Routers.
The health of a checked element may depend on a network element that the IAS device
does not load balance. For example, the health of a server managed by LinkProof may
depend on the health of a database server or other application servers, which are not load
balanced by the LinkProof, or the health of a Next Hop Router managed by LinkProof may
depend on the availability of the service provider.
Health Check
A Health Check defines how to test the health of any network element (not necessarily a
Checked Element). A check configuration includes such parameters as: the Check Method,
the TCP/UDP port to which the test should be sent, time interval for the test, its timeout, the
number of Retries, and more. These parameters are explained in detail in Regular Health
Check, page 360.
A network element can be tested using one or several Health Checks.
Method
Health check methods are applications or protocols that the IAS device uses to check the health of
network elements. For example, a method can be Ping, HTTP or other. Although the Health
Monitoring module provides a wide array of predefined methods, user defined methods are also
supported. In addition, method-specific arguments can be configured for each method.
For a complete list of supported health check methods, refer to Health Check Methods,
page 364.
Binding and Groups
The Health Check defines only how to check elements, however you need to define which of
the Checked Elements are affected by the results of these checks and how the results are to
affect them. This is done by the means of the Health Check Binding function.
Health Check Binding describes the relation between the Checked Elements (the load
balanced elements) and Health Checks and defines how the Health Checks affect the health
of the Checked Elements. For example, when a Health Check is bound to a Checked Element
and the check fails, the status of the Checked Element is changed to Not in Service.
A Checked Element may be bound with more than one Health Check. For example, a Web
server can be bound to an HTTP check, which verifies that the Web server is functioning,
and to another Health Check that makes sure that the database server used by this Web
server is also functioning.
In addition, a Health Check can be associated with more than one Checked Element,
meaning that a single resource affects the status of multiple Checked Elements. For
example, a single DB server may influence the health of multiple Web servers. The shared
resource (DB server) is tested only once, and the test results affect multiple Checked
Elements. When a Health Check fails, the Health Monitoring module reevaluates the status
of all Checked Elements bound to the check.
Health Check Binding can also be grouped for complex conditioning of tests, using logical
AND/OR. This is discussed with more detail in the Configuration section.
Health Check Configuration
This section describes how to configure health monitoring according to health check types
and includes the following topics:
• Global Configuration, page 355
• Global Parameters Setup, page 355
• Health Checks Database, page 356
• Regular Health Check, page 360
• Bindings and Groups, page 359
• Group Health Check, page 362
• Farm Health Check, page 363
Global Configuration
The Health Monitoring module may be accessed using the Health Monitoring menu from
APSolute Insite, Web Based Management or via CLI.
Setting up the Health Monitoring module on an IAS device involves the following steps:
1. Enable the Health Monitoring Module: from the Health Monitoring Global Parameters
window, set the Health Monitoring parameter to Monitoring Module.
2. Set the Connectivity Method of each farm to Disabled. This allows the device to use the
results of the Health Monitoring Module to determine the status of the servers in this
farm.
To enable the Health Monitoring module on a device:
• WBM > Health Monitoring menu > Global Parameters
• Configure Insite > Health Monitoring Settings
Global Parameters Setup
From Configure Insite, Global Parameters Setup is done through the Health Monitoring
Settings window.
To configure Global Health Monitoring:
1. From the main window, double-click the LinkProof icon. The LinkProof Setup window
appears.
2. From the LinkProof Setup window, click the Global tab. The Global pane appears.
3. From the Global pane, select the Health Monitoring Settings option button and click
Edit Settings. The Health Monitoring Settings window appears.
4. From the Health Monitoring Settings window, set the following parameters according to
the explanations provided:
Health Monitoring: Determines whether to use the Health Monitoring Module or the
device's Connectivity Checks.
Default: Health Monitoring
Response Level Samples: The Health Monitoring Module enables users to track the round
trip time of health checks. The device keeps a Response Level indicator for each check. The
Response Level is the average ratio between the actual response time and the configured
Timeout. The average is calculated over the number of samples defined in the Response
Level Samples parameter (floating average). A value of 0 in the Response Level Samples
parameter disables the parameter; any other value between 1 and 9 defines the number of
samples. Response Time Load Balancing is achieved by choosing the Response Time dispatch
method in the farm parameters. The device then load balances the traffic to the “fastest”
element until the Load Factors are equal.
SSL Certificate File: This file is used by the device when the Web server requires a Client
Certificate during the SSL handshake.
Default: Client Certificate generated by the device.
SSL Private Key File: This file is used by the device when the Web server requires a key
during the SSL handshake.
Default: Private Key generated by the device.
5. Click Ok. Your preferences are recorded.
Note: SSL Certificate file and SSL Private Keys are not exported as part of the device
configuration export.
Health Checks Database
APSolute Insite enables you to configure and view the currently defined health checks in a
database, prior to attaching them to a network element.
To configure the Health Check database:
1. From main window, select a device and click Health Monitoring. The Health Checks
window appears.
2. From the Health Checks window, click Health Checks DB. The device Health Check DB
window appears.
3. From the Health Check DB window, click Add. The device Edit Health Check window
appears. In this window you can create a new entry for the Health Check DB.
4. Set up the Regular check parameters for the device.
Health Check Name: Type the name of the new check.
Method: From the drop-down list, select the check method. For the full description of
methods, see Predefined Methods, page 364.
Destination IP Address: Specify the IP address for the Health Check.
Note: You can specify any IP address, to enable the testing of any network element (not
only checked elements). When the best possible IP is not available locally for the device,
a default gateway must be configured.
Next Hop IP Router: Type the IP address of the Next Hop Router that should be used for
the Health Check; this means that the Health Check is sent to the destination MAC address
of the IP address configured in this field. This field can be used, for example, when you
need to check the health of NHRs, or for a loopback server (Destination IP Address is the
farm IP, Next Hop IP Address is the server’s address).
The Next Hop IP Address should be on the same network segment as one of the device
interfaces. When this field is left blank and the Destination IP Address does not reside on
the same subnet, the Health Monitoring module uses the device’s Routing Table to forward
the packet.
Notes:
• The Next Hop IP Address is not used for ARP checks, since ARP checks are performed
only on the same broadcast domain.
• If the destination port is not set, or is set to 0, the device uses the application's well
known port as the destination port. For example, if the method is set to HTTP and the
destination port is 0, the device uses port 80 when it performs the check.
• When using a TCP User Defined health check, the destination port must not be 0.
Destination Port: The destination TCP/UDP port number to which the health check is sent.
The destination port is method specific.
Interval: Define the time interval between checks. This interval defines the health check’s
execution interval in seconds. This field accepts only integers, and its value must be
greater than the timeout value. Maximum value is 2^32-1 seconds. Default: 10.
Retries: Define the number of times that a health check must fail before the Health
Monitoring module reevaluates the element’s availability status.
Note: This field accepts only integers.
Timeout: Define the maximum number of seconds that the device waits for a response to
the Health Check. Maximum value is 2^32-2 seconds.
Note: This field accepts only integers.
Response Level: Define the response level of the checked element.
Measure Response Time: If applicable, check to enable this option. Using the Response
Time Dispatch Method, this parameter indicates whether the response time of this check
participates in measuring response time. Note that the average response time is calculated
over a number of checks as defined in the Response Level Samples parameter, see Global
Parameters Setup, page 355.
5. Click Ok to apply the Setup. The Regular health checks you defined are listed in the
Health Checks table.
6. For each selected method, you can edit the arguments. Click Method Arguments. The
Edit Method Arguments window appears with additional configurable parameters for the
selected method.
Note: Arguments are method-specific. For a full list, see Additional Method Arguments,
page 367.
7. Select or type the relevant values for the arguments and click Ok. The Edit Method
Arguments window closes. The information you added appears in the Specific Check
Parameters pane in the Edit Health Check window.
8. From the Edit Health Check window, click Ok. The health check is configured and the
Edit Health Check window closes. The new health check now appears in the Health
Check DB window table.
9. From the Health Check DB window, repeat steps 2. through 5. to configure each Health
Check.
Action Macro
Radware devices support a wide range of health monitoring checks, allowing for highly
granular checks and monitoring capabilities. The result of each check is always a status,
either “Active” or “Down”. The Action Macro feature complements this capability and allows
performing an action based on the status of a health check. The action is performed by
running a predefined macro file, which is bound to the health check.
Configuration of the feature involves the following stages:
1. Define the relevant health checks in the Health Checks DB window.
2. Record the macro files you wish to execute upon receiving a trap from the device.
3. Through the Health Check Actions window, available by clicking the Action button in the
LinkProof Health Check DB window, bind the health checks and the macro files.
To configure an Action macro:
1. From the main window, click Health Monitoring. The Health Checks window appears.
2. From the Health Checks window, click Health Check DB. The Health Checks DB window
appears.
3. From the Health Checks DB window, click Action. The Health Checks Action window
appears.
4. From the Health Checks Action window, click Add. The Edit Health Check Action window
appears.
5. From the Edit Health Check Action window, set the following parameters according to
the explanations provided:
Check Name: Select from the checks you defined.
Condition: Select the health check status to activate the Action macro.
Value range: Success; Fail. Default: Success.
Action: Select the type of action.
Value: Macro.
6. To edit the arguments for the selected action, click Action Arguments. The Action
window appears.
7. From the Action window, set the following parameters/conditions for the action according
to the explanations provided:
Device: Select the relevant device.
File Name: Select the relevant Macro File.
8. Click Ok and then Ok twice more to exit all the Action windows. The test you configured
is updated in the Health Check DB window.
9. Click Ok to apply the Setup and exit. The Health Check DB window closes.
Bindings and Groups
You can associate a Health Check to a Checked Element. You can also define whether the
check is Mandatory or not, and set the Group Number.
Non-Mandatory checks in a group are evaluated with a logical OR between them so if there
is more than a single Non-Mandatory check in a group, a failure of one check does not fail
the server.
When several groups are associated with a single Checked Element, they are evaluated with
a logical AND between them.
Note: When a Group consists of a single check which is defined as Non-Mandatory, then
technically it is Mandatory.
The Group Number is unique per Checked Element. This means that, for example, Group
Number 2 for Server1 and Group Number 2 for Server2 are two separate groups.
Using groups enables the creation of complex health conditions for the Checked Elements.
For instance, consider a Web server that communicates with one of two database servers
and must use one of two routers in order to provide service. This Web server will be bound
using three different binding groups: one group contains Health Checks for the two routers
(each check is Non-Mandatory), one group contains Health Checks to the database servers
(each check is Non-Mandatory) and the third group contains the Health Checks on the Web
server. As long as one of the database servers and one of the routers is active, and the Web
server health check passes, the Web server is considered active. Otherwise, the Health
Monitoring module determines that the Web server cannot provide the required service.
Up to 20 binding groups can be defined per Checked Element.
Using Configure Insite, binding is performed by setting regular checks and Group Checks.
The Binding Table contains the following parameters:
Check Name: The Health Check to be bound to a Checked Element.
Possible values: All checks as defined in the Check DB.
Checked Element Name: The Checked Element to which the Health Check is bound.
Possible values: All defined servers in the Application Server/Firewall/NHR Table.
Group: The group number to which the check belongs. The group number is unique per
server.
Mandatory: Defines if the Health Check is mandatory for the Checked Element’s health.
The Non-Mandatory status for checks within a group is equal to an OR relationship between
the Health Checks, while the Mandatory status is equal to an AND condition.
Possible values: Mandatory, Non-Mandatory.
A Health Check is still performed even if it is not bound to any of the Checked Elements. If
the check fails, the device sends notification messages (SNMP Traps, Syslog messages or
mail messages, as configured) indicating the failure of the check.
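The binding rules above (Mandatory checks ANDed, Non-Mandatory checks ORed within a group, groups ANDed, a lone Non-Mandatory check acting as Mandatory, unbound checks raising only a notification) as an added worked example in Python; this is illustration code, not Radware's implementation, and the element names, check names and results are constructed sample data using the Web server scenario from the text.

```python
"""Evaluate Health Check bindings with groups and Mandatory/Non-Mandatory flags.

Added illustration, not Radware code. Rules taken from the text above:
  * within a group, Mandatory checks are ANDed and Non-Mandatory checks are ORed;
  * a group holding a single Non-Mandatory check therefore behaves as Mandatory;
  * all groups bound to a Checked Element are ANDed;
  * group numbers are scoped to the Checked Element; at most 20 groups per element;
  * an unbound check still runs, and its failure only produces a notification.
The element names, check names and results below are constructed sample data.
"""
from dataclasses import dataclass

MAX_GROUPS_PER_ELEMENT = 20


@dataclass(frozen=True)
class Binding:
    check: str        # Health Check name, as in the Check DB
    element: str      # Checked Element name
    group: int        # group number, unique per Checked Element
    mandatory: bool


def group_is_healthy(outcomes: list) -> bool:
    """outcomes: (mandatory, passed) pairs for every check bound in one group."""
    mandatory = [passed for m, passed in outcomes if m]
    optional = [passed for m, passed in outcomes if not m]
    if not all(mandatory):               # AND across Mandatory checks
        return False
    if optional and not any(optional):   # OR across Non-Mandatory checks
        return False                     # so a lone Non-Mandatory check acts as Mandatory
    return True


def evaluate(bindings: list, results: dict) -> tuple:
    """Return ({element: 'In Service'|'Not in Service'}, [unbound checks that failed]).

    results maps each Health Check name to True (check passed) or False (failed).
    """
    groups = {}                          # (element, group number) -> [(mandatory, passed)]
    for b in bindings:
        if b.check not in results:
            raise KeyError(f"no result for check {b.check!r}")
        groups.setdefault((b.element, b.group), []).append((b.mandatory, results[b.check]))

    elements = {b.element for b in bindings}
    for element in elements:
        if sum(1 for (e, _) in groups if e == element) > MAX_GROUPS_PER_ELEMENT:
            raise ValueError(f"{element}: more than {MAX_GROUPS_PER_ELEMENT} binding groups")

    status = {}
    for element in sorted(elements):
        healthy = all(group_is_healthy(outcomes)
                      for (e, _), outcomes in groups.items() if e == element)
        status[element] = "In Service" if healthy else "Not in Service"

    bound = {b.check for b in bindings}
    notifications = sorted(c for c, passed in results.items() if c not in bound and not passed)
    return status, notifications


# The Web server example from the text, as constructed data: two routers and two
# database servers (Non-Mandatory, each pair in its own group) plus the server's own check.
WEB1_BINDINGS = [
    Binding("ping-router-a", "web1", 1, False),
    Binding("ping-router-b", "web1", 1, False),
    Binding("tcp-db-a", "web1", 2, False),
    Binding("tcp-db-b", "web1", 2, False),
    Binding("http-web1", "web1", 3, True),
]


def demo() -> None:
    results = {"ping-router-a": False, "ping-router-b": True,
               "tcp-db-a": True, "tcp-db-b": False,
               "http-web1": True, "snmp-printer": False}
    status, notes = evaluate(WEB1_BINDINGS, results)
    print(status)   # {'web1': 'In Service'}: one router and one DB are enough
    print(notes)    # ['snmp-printer']: unbound check failed, notification only


if __name__ == "__main__":
    demo()
```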
Regular Health Check
A Regular type Health Check is a check of an individual network element. You can add or
edit health check parameters through the Check Table. The Check Table lists the configured
health checks.
If a check is not bound to any of the Checked Elements, it is still performed. If it fails, the
device sends notification messages, as configured (SNMP Traps, Syslog messages or mail
messages), indicating the failure of the check.
To Configure a Regular Health Check:
1. From the main window, click Health Monitoring. The Health Checks window appears.
2. From the Health Checks window, select Regular and click Add to define a single health
check. The Device Edit Active Health Check window appears.
3. From the Device Edit Active Health Check window, click New Health Check. The Edit
Health Check window appears.
4. Using this window, you can associate Health Checks with Checked Elements, and define
the way the results of the Health Check affect the checked element.
5. From the Edit Health Check window, set the following parameters according to the
explanations provided:
Health Check Name: Type the name of the new check.
Method: From the drop-down list, select the check method. For the full description of
methods, see Health Check Methods, page 364.
Note: If you change the method, the Method Arguments button is enabled. You can edit the
predefined method arguments.
Destination IP Address: Type the address of the checked element.
Next Hop Router: Type the router address.
Destination Port: The destination port is method specific.
Interval: Define the time interval between checks. Default: 10.
Retries: Select the number of retries, that is, repeated checks on a non-responsive
element. Default: 5.
Timeout: Define the timeout value.
Response Level: Define the response level of the checked element.
Measure Response Time: If applicable, check to enable this option.
Note: Arguments are method-specific. For the full list, see Health Check Method
Arguments, page 368.
6. Click Ok to apply the Setup.
7. From the Edit Active Health Check window, click Apply.
8. To configure all the Regular type health checks, repeat steps 4. through 7.
9. Click Ok. The Edit Active Health Check window closes.
10. From the Edit Health Check window, set the following parameters according to the
explanations provided:
Check Element: Select the network element to be checked. This list displays all elements
managed by LinkProof that a Health Check can be associated with. The IP address shows
next to the selected element.
Mandatory: Define if the health check must be mandatory to determine the checked
element’s health. Definition of non-mandatory checks within a check group implies an OR
relation between the health checks, while a mandatory status dictates an AND condition.
Possible values: Mandatory; Non-Mandatory.
Health Check Name: The name of the health check that you define. You can type a new
name or select the name from the drop-down list, which contains all the checks previously
defined in the Health Checks Database.
Note: To create a new Health Check, you can use the Health Checks DB configuration
described in Health Checks Database, page 356, or click the New Health Check button to
open the Edit Health Check window.
Check ID: The health check number as assigned by the device.
Method: Select the method from the drop-down list. The health check method is an
application or a protocol which the device uses in order to check the network elements.
Destination IP Address: The destination IP address of the network element to be checked.
If no IP address is entered, the default IP address is that of the Checked Element.
Next Hop Router: The IP address of the next hop on the network for this check. This is
needed in order to direct the health check session to a network element's MAC address.
Destination Port: The number of the destination TCP/UDP port.
Interval: The time interval to elapse before performing the next check.
Retries: The number of times that the device should attempt to check the element, when
the result is “inactive”, before updating the Availability Status to Not-Available.
Timeout: The time period to elapse between the moment of initiation of the health check
and the moment of its termination.
No New Session Timeout: The user may define a timeout for each check whereby the
status of the checked element can be set to No New Sessions; it is configured for each
specific check and check type. If the check's response time exceeds this threshold, the
device considers the element as heavily loaded and does not send it new sessions. If the
check's response time reaches the Timeout threshold, the element is considered “Not In
Service”.
Note: Setting the timeout to 0 (zero) disables this feature.
Measure Response Time: The Response Level Samples parameter can be used in the
health checks in which the Measure Response Time parameter is enabled.
11. Click Ok to apply the Setup. The Regular health checks you defined are listed in the
LinkProof Health Checks table.
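How the Timeout, Retries, No New Session Timeout and Response Level Samples parameters described above interact, as an added Python illustration that is not Radware code; it assumes the Response Level is the plain mean of response time over Timeout across the last N samples, and that an element keeps its previous status until Retries consecutive failures have occurred, since the text does not state either detail. The configuration values and round-trip times are constructed.

```python
"""Status bookkeeping for one Regular Health Check (added illustration, not Radware code).

Models Timeout, Retries, the No New Session Timeout and the Response Level floating
average over Response Level Samples (0 disables, 1-9 samples). Assumptions, because the
page does not spell them out: the Response Level is the plain mean of
response_time/Timeout over the last N samples, and the element keeps its previous status
until Retries consecutive failures have been seen.
"""
from collections import deque
from typing import Deque, Optional

ACTIVE = "Active"
NO_NEW_SESSIONS = "No New Sessions"
NOT_IN_SERVICE = "Not In Service"


class CheckTracker:
    def __init__(self, interval: int, timeout: int, retries: int,
                 nns_timeout: float = 0.0, response_level_samples: int = 0) -> None:
        # Validation rules stated on the page for the Regular check parameters.
        if interval <= timeout:
            raise ValueError("Interval must be greater than Timeout")
        if retries < 1:
            raise ValueError("Retries must be at least 1")
        if not 0 <= response_level_samples <= 9:
            raise ValueError("Response Level Samples must be 0 (disabled) or 1-9")
        if nns_timeout and not 0 < nns_timeout < timeout:
            raise ValueError("No New Session Timeout must lie below Timeout")
        self.timeout = timeout
        self.retries = retries
        self.nns_timeout = nns_timeout             # 0 disables the No New Sessions feature
        self.measure = response_level_samples > 0  # Measure Response Time enabled
        self.samples: Deque[float] = deque(maxlen=response_level_samples or 1)
        self.consecutive_failures = 0
        self.status = ACTIVE

    def observe(self, rtt: Optional[float]) -> str:
        """Feed one check result: seconds until the reply, or None if none arrived in time.

        Returns the element status after this sample.
        """
        if rtt is None or rtt >= self.timeout:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.retries:
                self.status = NOT_IN_SERVICE      # Retries exhausted: element out of service
            return self.status
        self.consecutive_failures = 0             # a reply within Timeout resets the count
        if self.measure:
            self.samples.append(rtt / self.timeout)   # ratio of actual response to Timeout
        if self.nns_timeout and rtt > self.nns_timeout:
            self.status = NO_NEW_SESSIONS         # heavily loaded: keep existing sessions only
        else:
            self.status = ACTIVE
        return self.status

    def response_level(self) -> Optional[float]:
        """Floating average of response_time/Timeout over the configured samples."""
        if not self.measure or not self.samples:
            return None
        return sum(self.samples) / len(self.samples)


if __name__ == "__main__":
    # Constructed configuration: Interval 10 s, Timeout 5 s, Retries 3, NNS Timeout 3 s.
    tracker = CheckTracker(interval=10, timeout=5, retries=3, nns_timeout=3,
                           response_level_samples=3)
    for rtt in (1.0, 2.0, 4.0, None, None, None, 0.5):
        print(rtt, "->", tracker.observe(rtt), "level =", tracker.response_level())
```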
To define and edit Health Check Methods:
1. To define the health check method parameters, click Method Arguments. The Edit
Method Arguments window appears.
2. From the Edit Method Arguments window, set the parameters as required.
3. Click Ok. The Edit Method Arguments window closes. The Specific Check Parameters
field in the Edit Health Check window shows the edited method arguments information.
Group Health Check
In addition to individual or regular checks, you can configure groups of regular checks.
To configure a Group health check:
1. From the LinkProof Health Checks window, click the Group option and click Add. The
device Edit Health Check Group window appears.
2. From the Group Check Name drop-down list, select the name of the required Health
Check Group.
Note: You can set up to 20 groups for a Checked Element.
3. From the Element Name drop-down list, select the name of the network element to
check and click Apply. The group check you defined appears in the Edit Health Check
Group table.
4. From the Enable column, select the checks required for this group.
5. From the Mandatory column, select the mandatory or non-mandatory status for each
health check. (Define if the health check must be mandatory to determine the
checked element’s health.)
6. Click Apply. The health check Group is configured.
7. Continue to configure new groups or click Ok to exit the window. In the Health Checks
window, the group you configured is listed in the Groups column, while the checks for
each group are listed in the Health Checks column.
8. Click Ok. The Health Checks window closes.
Farm Health Check
Used in large configurations with farms containing multiple servers, the Farm oriented
Health Check automates and simplifies the Health Monitoring configuration process by
replicating a defined check for all servers in a farm.
To configure Farm Health Checks:
1. From the main window, click Traffic Redirection. The LinkProof Traffic Redirection
window appears.
2. From the LinkProof Traffic Redirection window, click the Farms tab. The Farms pane
appears.
3. From the Farms pane, select the relevant farm that you want to check, then click Health
Monitoring Settings. The Health Checks Per Farm window appears.
4. From the Health Checks Per Farm window, click Add. The Edit Active Health Check
window appears where you can set up the Farm health check. Select from the following
options:
• Duplicate this Health Check for all Farm’s servers: If you select this option, the
health check you define will be replicated and associated to all the servers of the
selected farm.
• Set Health Check attribute for each Server in Farm: If you select this option, you
can manually configure a custom health check for each server of the selected farm.
5. From the Health Check Name drop-down list, select the name of the check. For the
remaining parameters and settings from the Edit Active Health Check window, see
Regular Health Check, page 360.
6. Click Ok to apply the Setup. The new farm check appears in the Health Checks per Farm
table.
Health Check Methods
This section describes the methods or protocols that are used in Health Check configuration
and includes the following topics:
• Predefined Methods, page 364
• User Defined Methods, page 372
Predefined Methods
Table 46 on page 364 describes the predefined Health Check Methods and their configurable
parameters.
Table 46: Health Check Methods
ARP: The module sends an ARP request to the destination address, and waits for a reply.
Parameters: N/A
DNS: The module submits a DNS query to the configured destination address and host. The
module verifies that the reply is received with no errors, and that the reply matches a
specific address (if specified). If the IP address parameter is not defined, only the return
code of the reply is validated (not the IP address it contains).
Parameters: Hostname to Query; Address to match
FTP: The module executes USER and PASS commands on the FTP server. When the login
process is successfully completed, the module executes a SYST command. It can verify the
existence of the file on the FTP server, but it does not download the file or check its size.
The module verifies that all the commands are executed successfully and then terminates
the connection.
Parameters: Username; Password; Filename.
Note: The module uses a control session only, not a data session.
HTTP: The module submits an HTTP request to the destination IP address. In addition, it
is possible to define a specific URL to test. The request may be a GET, POST, or HEAD
request. Requests may be in a proxy format or a Web format, and may include a no-cache
directive. The module verifies that the returned status is 200. If the checked server is
password protected, the module may send an authorized user name and password. The
module sends the HTTP request in HTTP 1.0 format.
Parameters: Hostname, path, HTTP method, HTTP format (proxy/Web), use of no-cache,
text to search for within the HTTP header and body, plus an indication whether the text
should appear or not, Username and Password for basic authentication, and up to four
valid HTTP return codes in addition to the return code of 200.
IMAP4: The module executes a LOGIN command to the IMAP server, and verifies that the
returned code is Ok.
Parameters: Username; Password.
LDAP / LDAPS: The Health Monitoring module enhances the health checks for LDAP servers
by allowing a search to be performed in the LDAP server. Before Health Monitoring performs
the search, it first issues a Bind command to the LDAP server, and after performing the
search, it closes the connection with an Unbind command. A successful search receives an
answer from the server that includes a "searchResultEntry" message. An unsuccessful
search receives only a "searchResultDone" message.
Arguments:
• User Name: A user with privileges to search the LDAP server.
• Password: The password of the user.
• Base Object: The location in the directory from which the LDAP search begins.
• Attribute Name: The attribute to look for. For example CN (Common Name).
• Search Value: The value to search.
The Health Monitoring Module allows LDAP health checks to be performed over the SSL
transport layer. When using LDAP over SSL, the device uses the same SSL private key as
the HTTPS health check, taken from the Health Monitoring global parameters. When using
the LDAPS checks, it is recommended to use values higher than 15 seconds for the time
interval and 10 seconds for the timeout.
NNTP: The module executes a LIST command and verifies that the returned status is valid.
Physical Port: The module checks the status of the physical interface. When the link is up,
the check passes.
Arguments: Physical port number.
Ping: The module sends an ICMP echo request to the destination address and waits for an
echo reply. The module checks that the reply was received from the same destination
address that the request was sent to, and that the sequence number is correct.
Arguments: Should Ping Fail; Ping Data Size.
Should Ping Fail: whether the check fails when a reply is received or when it is not; the
default is that the check fails when the server does not reply.
Ping Data Size: the size of the ICMP echo request (1 byte to 1024 bytes). When not
configured, the default is 64 bytes.
POP3: The module executes USER and PASS commands on the POP3 server, and checks
that the returned code is OK.
Arguments: Username; Password.
RADIUS: The module sends an Access Request with a user, password and a secret string,
and verifies that the request was accepted by the server, as indicated by an Access Accept
reply.
Arguments: Username; Password; Secret.
Note: Ensure the RADIUS server is configured to accept RADIUS requests for the device.
RTSP: The module executes a DESCRIBE command and expects a return status of 200.
Arguments: Path on the server (like HTTP); Hostname.
SIP UDP / SIP TCP: The Health Monitoring Module allows Health Monitoring checks to be
performed on SIP servers. The SIP health check is done using the OPTIONS method. This
method is used to query SIP proxies and end-points as to their capabilities. The capabilities
themselves are not relevant to the health check; what is relevant is the "200 OK" response
from the server.
Arguments:
• Request URL: The request‘s destination.
• From: The “logical name” of the device.
• Max Forwards: The default is 1.
• Transport Protocol: The check can be performed on top of UDP (default) or TCP.
• Destination Port: Default is 5060.
• Acceptable Response Codes: 200 is the default. When an unacceptable response code is
received, the check fails.
• Content Match: content that must be matched in the response for it to be considered
successful.
• Reverse Match Result: content that must not be found in the response for it to be
successful.
SMTP: The module executes a HELO command to the SMTP server and checks that the
returned code is 250.
Arguments: Server name for the command. Default: Radware.
SNMP: The module sends an SNMP GET request, and validates the value in the reply. When
the returned value is lower than the Min. Value or higher than the Max. Value, the check
fails. When the returned value is higher than the No New Sessions Value, the bound element
is set to No New Sessions. The results of the SNMP Check can be used for a load balancing
decision, similar to Private Parameters Load Balancing Algorithms.
The SNMP check supports Integer, Counter and Gauge. While Integer can be a negative
value, Counter and Gauge must be >0.
Arguments: SNMP Object ID to be checked; Community; Min. Value; Max. Value; No New
Sessions Value; Use Results For Load Balancing.
Note: For a device to consider the outcome of the check in the load balancing decisions, the
farm’s Dispatch Method should be set to Response Time.
SSL Hello: The module sends an SSL Hello packet to the server (using SSL3), and waits for
an SSL Hello reply. The session is then closed (using a RESET command).
Note: Since generating SSL keys on the server is a time consuming process, it is
recommended to use a timeout of 3 to 5 seconds.
Arguments: SSL Version, can be either V23 or V30. SSL V30 means that pure SSLv3 is
used; SSLv23 means that the client sends an SSLv2 request to open an SSLv3 session (this
is how Internet Explorer works, for example).
SSL: The module performs an SSL handshake towards the server and, after the session
starts, the device performs a GET request from the checked element.
Arguments: Similar to HTTP Check (Hostname, Path, HTTP Method, Authorized Username
and Password, Match Search String, Match Mode, HTTP Return Codes). Also, the user can
set:
• SSL Certificate File – Used by the device when the Web server requires a Client
Certificate during the SSL handshake. By default, the Client Certificate generated by the
device.
• SSL Private Key File – Used by the device when the Web server requires a key during
the SSL handshake. By default, the Private Key generated by the device.
TCP Port: The module checks the availability of the specified TCP port.
Arguments: Complete TCP Handshake, which sets whether the device sends an ACK packet
before the RST packet or not. Setting this parameter to Yes results in the following TCP
handshake flow: SYN, SYN_ACK, ACK, RST. Setting this parameter to No results in the
following TCP handshake flow: SYN, SYN_ACK, RST.
TCP User Defined: The module uses a User Defined TCP Health Check.
Arguments: Packet Sequence ID (which user defined check to use).
UDP Port: The module checks the availability of the specified UDP port. Note that this check
does not test the server's availability, but the application's availability within the server.
This is due to the nature of UDP: when the UDP application is operational no reply is
received; when the UDP application is not operational, an ICMP Port Unreachable message
is sent, so that the absence of a reply indicates the application’s availability. This means
that when the server is down, the application might still be considered as running.
Therefore, the UDP Port check should always be used in combination with another server
availability check, for example Ping or ARP.
Additional Method Arguments
You can configure additional arguments specific to each Health Check Method.
When using APSolute Insite, the Health Check configuration window automatically shows
argument values relevant to the configured Method, to fit the required additional arguments
for that check.
When using Web Based Management, CLI, Telnet or SSH, you can configure the additional
arguments using a string with this format:
ARG=VAL|ARG=VAL|
Each argument name is followed by the equals sign and then the required value. A “|”
sign is used as a delimiter between the arguments. No extra spaces are allowed.
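A parser and validator for the ARG=VAL|ARG=VAL| string, as an added Python example that is not Radware's code: it rejects embedded spaces and unknown names, checks mandatory arguments and allowed values, and fills in defaults. The per-method rules are transcribed from Table 47 for four methods only (DNS, HTTP, PING, RADIUS), so the SPEC table is a sample rather than the device's full argument list; the host names in the demo are constructed.

```python
"""Parse and validate the ARG=VAL|ARG=VAL| method-argument string used by WBM and the CLI.

Added illustration, not Radware code. The rules per method (argument names, which are
mandatory, allowed values, defaults) are transcribed from Table 47 for four methods only,
so SPEC is a sample rather than the device's full list. Embedded spaces and unknown
argument names are rejected, as the documented format allows neither.
"""
from typing import Optional

# argument name -> (mandatory, allowed values or None, default or None)
SPEC = {
    "DNS": {
        "HOST": (True, None, None),          # hostname to query
        "ADDR": (False, None, None),         # absent: only the DNS return code is validated
    },
    "HTTP": {
        "PATH": (False, None, "/"),          # any configured value must begin with "/"
        "HOST": (False, None, None),         # absent: the server IP address is used
        "MTD": (False, {"G", "P", "H"}, "G"),
        "PRX": (False, {"Y", "N"}, "N"),
        "NOCACHE": (False, {"Y", "N"}, "N"),
        "MTCH": (False, None, None),         # wildcards not supported
        "MEXIST": (False, {"Y", "N"}, "Y"),
        "USER": (False, None, None),
        "PASS": (False, None, None),
        "C1": (False, None, None), "C2": (False, None, None),
        "C3": (False, None, None), "C4": (False, None, None),
    },
    "PING": {
        "FAIL": (False, {"Y", "N"}, "N"),
        "DSIZE": (False, None, "64"),        # 1-1024 bytes
    },
    "RADIUS": {
        "USER": (True, None, None),
        "PASS": (True, None, None),
        "SECRET": (True, None, None),
    },
}


class ArgError(ValueError):
    """Raised for a string that the ARG=VAL| format or Table 47 does not allow."""


def parse_args(text: str) -> dict:
    """Split 'ARG=VAL|ARG=VAL|' into a dict; one trailing '|' is permitted."""
    if " " in text:
        raise ArgError("no extra spaces are allowed")
    fields = text.split("|")
    if fields and fields[-1] == "":
        fields.pop()                          # trailing delimiter, as in the documented format
    args = {}
    for field in fields:
        name, sep, value = field.partition("=")
        if not sep or not name:
            raise ArgError(f"expected ARG=VAL, got {field!r}")
        if name in args:
            raise ArgError(f"argument {name} given twice")
        args[name] = value
    return args


def validate(method: str, args: dict) -> dict:
    """Check mandatory arguments and allowed values for `method`; fill in defaults."""
    spec = SPEC[method]
    for name in args:
        if name not in spec:
            raise ArgError(f"{method}: unknown argument {name}")
    filled = dict(args)
    for name, (mandatory, allowed, default) in spec.items():
        if name not in filled:
            if mandatory:
                raise ArgError(f"{method}: missing mandatory argument {name}")
            if default is not None:
                filled[name] = default
            continue
        if allowed is not None and filled[name] not in allowed:
            raise ArgError(f"{method}: {name} must be one of {sorted(allowed)}")
    # Constraints that Table 47 states in words rather than as a value list.
    if method == "HTTP" and not filled["PATH"].startswith("/"):
        raise ArgError("HTTP: PATH must begin with a /")
    if method == "PING":
        size = filled["DSIZE"]
        if not (size.isdigit() and 1 <= int(size) <= 1024):
            raise ArgError("PING: DSIZE must be 1-1024 bytes")
    return filled


def is_valid(method: str, text: str) -> bool:
    """True when the string parses and validates for `method`."""
    try:
        validate(method, parse_args(text))
    except ArgError:
        return False
    return True


if __name__ == "__main__":
    # Constructed example strings; www.example.com is a placeholder host.
    print(validate("HTTP", parse_args("HOST=www.example.com|PATH=/health|MTD=H|")))
    print(is_valid("RADIUS", "USER=monitor|PASS=secret"))   # False: SECRET is mandatory
```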
Table 47 on page 368 lists the additional configurable method arguments for each Check
Method, and details mandatory arguments, default values, and more.
Table 47: Health Check Method Arguments
Columns: Method Name (and ID); Argument Name; Mandatory; Description; Additional Info; Default.

ARP (11)
No args.

DNS (10)
HOST - Hostname to query. Mandatory: Yes.
ADDR - Address to be received. Mandatory: No. Default: validate only the DNS return code.

FTP (6)
USER - Username. Mandatory: Yes.
PASS - Password. Mandatory: Yes.

HTTP (2)
PATH - Path of file on Web server to be requested. Mandatory: No. Any configured value must begin with a /. Default: /
HOST - Hostname. Mandatory: No. Default: server IP address.
MTD - HTTP method to submit. Mandatory: No. G=GET, P=POST, H=HEAD. Default: G
PRX - Use proxy HTTP. Mandatory: No. Y=Use proxy HTTP, N=Use Web server. Default: N
NOCACHE - Use pragma: no-cache. Mandatory: No. Y=Use pragma: no-cache, N=Do not use pragma: no-cache. Default: N
MTCH - Pattern for content match. Mandatory: No. Wildcards not supported.
MEXIST - Content match pattern should be present or absent. Mandatory: No. Y=Fail check if pattern not found, N=Fail check if pattern is found. Default: Y
USER - Username for basic authentication. Mandatory: No.
PASS - Password for basic authentication. Mandatory: No.
C1 - Valid HTTP code 1. Mandatory: No.
C2 - Valid HTTP code 2. Mandatory: No.
C3 - Valid HTTP code 3. Mandatory: No.
C4 - Valid HTTP code 4. Mandatory: No.

IMAP (7)
USER - Username. Mandatory: Yes.
PASS - Password. Mandatory: Yes.

PING (0)
FAIL - Check fails when reply is received or not received. Mandatory: No. Y=Fail when server replies, N=Fail when server does not reply. Default: N
DSIZE - Packet size. Mandatory: No. 1 - 1024 bytes. Default: 64

POP (3)
USER - Username. Mandatory: Yes.
PASS - Password. Mandatory: Yes.

RADIUS (12)
USER - Username. Mandatory: Yes.
PASS - Password. Mandatory: Yes.
SECRET - Radius secret. Mandatory: Yes.

RTSP (13)
PATH - Path of file on RTSP server to be requested. Mandatory: Yes.
HOST - Hostname to use in request. Mandatory: No. Default: IP address of server.

SNMP
OID - Object ID to be used by the check. Mandatory: Yes.
COMM - The community used by the device. Mandatory: Yes.
MIN - The minimum value for the check to pass. Mandatory: Yes. If the minimum is lower than the value configured, then the check will fail.
MAX - The maximum value for the check to pass. Mandatory: Yes. If the maximum is higher than the value configured, then the check will fail.
NNS - The value between the NNS and the max. Mandatory: Yes. If the value falls between these two numbers then the checked element will be in No New Session.
UR - The measured response time for the check. Mandatory: Yes.

SSL Hello
SSLV - Can be either v23 or v30. Mandatory: Yes. SSL v30 means pure SSLv3 is used, SSLv23 means that the client sends an SSLv2 request to open an SSLv3 session (this is how Internet Explorer works, for example).

SMTP (4)
HELO - Argument for SMTP HELO. Mandatory: No. Default: RADWARE

SSL (14)
SSLV - SSL Version. Mandatory: No. V23 or V30. Default: V23

TCP Port (1)
No args.

TCP User Defined (8)
SEQID - Packet sequence to submit. Mandatory: Yes.

UDP Port
No args.

SIP UDP
UR - The URI for the check. Mandatory: Yes.
FROM - The sender's information. Mandatory: Yes.
FRWD - The max # of hops between Proxy Servers. Mandatory: No.
MTCH - Pattern for content match. Mandatory: No. Wildcards not supported.
MEXIST - Content match pattern should be present or absent. Mandatory: No. Y=Fail check if pattern not found, N=Fail check if pattern is found.
C1 - Valid SIP code 1. Mandatory: No.
C2 - Valid SIP code 2. Mandatory: No.
C3 - Valid SIP code 3. Mandatory: No.
C4 - Valid SIP code 4. Mandatory: No.

LDAPS
USER - A user with privileges to search the LDAP server. Mandatory: No. If you configure a user then password is mandatory.
PASS - The password of the user. Mandatory: No. If you configure a user then password is mandatory.
BASEO - The location in the directory from which. Mandatory: No. If you configure BASEO then ATTR is mandatory.
ATTR - The attribute to search for, e.g. CN: Common Name. Mandatory: No. If you configure ATTR then BASEO is mandatory.
SEARV - The value to search. Mandatory: No.
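A validator for the ARG=VAL|ARG=VAL| argument string, written as an added example (not Radware's code) against the HTTP (2), DNS (10), PING (0) and SMTP (4) rows of Table 47: it rejects spaces, unknown or repeated names and values outside the listed letters, checks mandatory arguments, and applies the table's defaults. The function and class names are this example's own.

```python
"""Validate LinkProof-style health check argument strings (added example).

The ARG=VAL|ARG=VAL| format and the argument rules come from the user guide;
the specs below are transcribed for four methods only, and the names
(ArgSpec, parse_args, build_arg_string) are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class ArgSpec:
    mandatory: bool
    default: Optional[str] = None              # None = no documented default
    allowed: Optional[FrozenSet[str]] = None   # None = free text


# Per-method argument specs transcribed from Table 47 (subset).
METHOD_ARGS: Dict[str, Dict[str, ArgSpec]] = {
    "HTTP": {
        "PATH": ArgSpec(False, "/"),
        "HOST": ArgSpec(False),                 # default: server IP address
        "MTD": ArgSpec(False, "G", frozenset("GPH")),
        "PRX": ArgSpec(False, "N", frozenset("YN")),
        "NOCACHE": ArgSpec(False, "N", frozenset("YN")),
        "MTCH": ArgSpec(False),
        "MEXIST": ArgSpec(False, "Y", frozenset("YN")),
        "USER": ArgSpec(False),
        "PASS": ArgSpec(False),
        "C1": ArgSpec(False), "C2": ArgSpec(False),
        "C3": ArgSpec(False), "C4": ArgSpec(False),
    },
    "DNS": {"HOST": ArgSpec(True), "ADDR": ArgSpec(False)},
    "PING": {"FAIL": ArgSpec(False, "N", frozenset("YN")),
             "DSIZE": ArgSpec(False, "64")},
    "SMTP": {"HELO": ArgSpec(False, "RADWARE")},
}


class ArgStringError(ValueError):
    """Raised when an argument string violates the documented format."""


def parse_args(method: str, text: str) -> Dict[str, str]:
    """Parse 'ARG=VAL|ARG=VAL|' for *method* and return the arguments with
    defaults applied.

    Enforced: '|' delimits arguments, '=' separates name from value, no extra
    spaces, no unknown or repeated names, mandatory names present, enumerated
    values limited to the table's letters, PATH begins with '/', DSIZE 1-1024.
    """
    specs = METHOD_ARGS[method]
    if " " in text:
        raise ArgStringError("no extra spaces are allowed")
    result: Dict[str, str] = {}
    # The trailing '|' yields an empty field, which filter() drops.
    for field in filter(None, text.split("|")):
        name, sep, value = field.partition("=")
        if not sep or not name or not value:
            raise ArgStringError(f"malformed field {field!r}, expected ARG=VAL")
        if name not in specs:
            raise ArgStringError(f"unknown argument {name!r} for {method}")
        if name in result:
            raise ArgStringError(f"argument {name!r} given twice")
        spec = specs[name]
        if spec.allowed is not None and value not in spec.allowed:
            raise ArgStringError(f"{name} must be one of {sorted(spec.allowed)}")
        result[name] = value
    for name, spec in specs.items():
        if spec.mandatory and name not in result:
            raise ArgStringError(f"mandatory argument {name!r} missing")
        if name not in result and spec.default is not None:
            result[name] = spec.default
    if method == "HTTP" and not result["PATH"].startswith("/"):
        raise ArgStringError("PATH must begin with a /")
    if method == "PING":
        try:
            size = int(result["DSIZE"])
        except ValueError:
            raise ArgStringError("DSIZE must be a number") from None
        if not 1 <= size <= 1024:
            raise ArgStringError("DSIZE must be 1 - 1024 bytes")
    return result


def build_arg_string(method: str, **args: str) -> str:
    """Serialise arguments to the ARG=VAL|ARG=VAL| form, validating them first."""
    text = "".join(f"{k}={v}|" for k, v in args.items())
    parse_args(method, text)  # round-trip validation
    return text


if __name__ == "__main__":
    print(parse_args("HTTP", "PATH=/health|MTCH=OK|"))
    print(build_arg_string("PING", FAIL="Y", DSIZE="128"))
```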
User Defined Methods
If you require a specific Health Check Method that is not provided by the module, you can configure the health check protocol manually. This is done by defining for every packet sequence a stream of send and receive packets, each with a string to send or receive. The module then sends the packets, and verifies that the received packets contain the matching predefined string. Packet sequences are defined in the Packet Sequence Table. Then the user-defined check can be used in Health Checks configuration.
Note:
User Defined Checks are available for TCP checks only.
To configure a user defined method for health check:
1. From the Health Checks window, click User Defined Methods. The User Defined Methods window appears.
2. From the User Defined Methods window, click Add. The Edit User Defined Methods window appears.
3. From the Edit User Defined Methods window, set the following parameters according to the explanations provided:
Sequence ID: The ID number of the entire packet sequence. Each sequence defines a new user defined check. All packets with the same Sequence ID belong to the same check.
Packet ID: The ID number to identify the packet within this packet sequence. While several information-carrying packets can be defined to a user defined check of the same sequence ID, this identifier is unique within a packet sequence.
Note: The first Packet ID of each sequence must always be 0. Packet ID numbers of a sequence must be consecutive.
Sequence Type: Define whether this packet is a Send or Receive packet. Values: Send; Receive. Default: Send.
Compare Method: Values: Regular Expression; Binary. Default value: Regular Expression.
Sequence String: The content of the packet for the verification process. This string is either sent within the packet, or is matched when the packet is received. For Receive type packets, the string can include a regular expression.
Note: The Health Monitoring module supports Posix 1002.3 regular expressions. The string can be up to 80 characters long.
Sequence Description: The description of the specific packet in the sequence.
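The packet-sequence model above (Sequence ID, 0-based consecutive Packet IDs, Send/Receive type, regular-expression or binary compare, 80-character strings) as an added example that is not LinkProof's own code: a validator for one sequence plus a runner that plays it over TCP, exercised against a constructed SMTP-like stand-in server so it runs offline. Class and function names are this example's own.

```python
"""Run a user-defined TCP health check packet sequence (added example).

Models the Packet Sequence Table described in the guide. The names
(SeqPacket, validate_sequence, run_check) and the fake server are this
example's own, not LinkProof's.
"""
import re
import socket
import threading
from dataclasses import dataclass
from typing import List, Tuple

MAX_STRING_LEN = 80   # Sequence String limit stated in the guide


@dataclass(frozen=True)
class SeqPacket:
    sequence_id: int
    packet_id: int
    send: bool          # Sequence Type: True=Send, False=Receive
    regex: bool         # Compare Method: True=Regular Expression, False=Binary
    data: str           # Sequence String
    description: str = ""


def validate_sequence(packets: List[SeqPacket]) -> List[str]:
    """Return the rule violations for one packet sequence (empty = valid)."""
    problems = []
    if len({p.sequence_id for p in packets}) != 1:
        problems.append("all packets must share one Sequence ID")
    if sorted(p.packet_id for p in packets) != list(range(len(packets))):
        problems.append("Packet IDs must start at 0 and be consecutive")
    for p in packets:
        if len(p.data) > MAX_STRING_LEN:
            problems.append(f"packet {p.packet_id}: string longer than 80 characters")
        if p.regex and not p.send:
            try:
                re.compile(p.data)
            except re.error as exc:
                problems.append(f"packet {p.packet_id}: bad regular expression ({exc})")
    return problems


def matches(packet: SeqPacket, received: bytes) -> bool:
    """Compare a received packet with the expected string per Compare Method."""
    text = received.decode("latin-1")
    if packet.regex:
        return re.search(packet.data, text) is not None
    return packet.data in text   # Binary compare: exact substring


def run_check(host: str, port: int, packets: List[SeqPacket],
              timeout: float = 2.0) -> Tuple[bool, str]:
    """Play the sequence against host:port; return (passed, reason)."""
    problems = validate_sequence(packets)
    if problems:
        return False, "; ".join(problems)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            for p in sorted(packets, key=lambda x: x.packet_id):
                if p.send:
                    sock.sendall(p.data.encode("latin-1"))
                    continue
                chunk = sock.recv(4096)   # empty chunk = peer closed
                if not chunk or not matches(p, chunk):
                    return False, f"packet {p.packet_id}: no match for {p.data!r}"
    except OSError as exc:
        return False, f"connection failed: {exc}"
    return True, "all receive packets matched"


# --- constructed SMTP-like stand-in so the example runs offline ------------
def start_fake_smtp() -> int:
    """Serve one connection: send a 220 banner, answer HELO with 250. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
            if conn.recv(1024).upper().startswith(b"HELO"):
                conn.sendall(b"250 mail.example.test\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


# Sequence 7: expect a 220 banner, send HELO, expect a 250 reply.
SMTP_SEQUENCE = [
    SeqPacket(7, 0, send=False, regex=True, data=r"^220 ", description="banner"),
    SeqPacket(7, 1, send=True, regex=False, data="HELO radware\r\n", description="greet"),
    SeqPacket(7, 2, send=False, regex=True, data=r"^250", description="greeting accepted"),
]

if __name__ == "__main__":
    print(run_check("127.0.0.1", start_fake_smtp(), SMTP_SEQUENCE))
```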
Chapter 10 - Application Switching Platforms
This chapter explains Radware's Application Switching Platforms and Device Interfaces and also provides a list of specifications, which include Serial Cable Pin Assignment and a troubleshooting section.
This chapter includes the following sections:
• Introduction to Intelligent Application Switches, page 375
• Getting Started, page 377
• Device Interfaces, page 387
• CLI Installation Wizard, page 392
• Specifications, page 397
• Serial Cable Pin Assignment, page 400
• Trouble Shooting for AS1 & AS2, page 400
Introduction to Intelligent Application Switches
Each Radware device is built on top of Radware's Intelligent Application Switching Architecture combining high speed hardware processing power with SynApps Application Aware Services for total IP Application performance across layers 4-7.
Radware's Application Switching Platforms consist of the following Application Switches:
• Application Switch 1, page 375
• Application Switch 2, page 376
• Application Switch 3, page 376
• Application Switch 4, page 377
• Compact Application Switch, page 377
Application Switch 1
Figure 53 - Application Switch 1
Application Switch 1 combines ASIC-based switching, CPU processing power and SynApps
'Application Aware' Services to deliver performance and service to address all IP application
requirements across network layers 4-7. Designed to guarantee application availability,
security and performance, Application Switch 1 is the first platform to bridge the gap
between your IT infrastructure and IP Applications for comprehensive control of all critical
operations across the enterprise.
Wire Speed Forwarding and Central Processing Power
With switching ASICs on the port levels, Application Switch 1, ensures wire speed
forwarding speeds across the 2 Gigabit and/or 8 Fast Ethernet ports available in the 1U
device. Layer 3 -7 operations are powered by the Motorola PowerPC 755 central processing
unit, powering SynApps application services for optimized resource utilization and maximum
application performance.
Application Switch 2
Figure 54 - Application Switch 2
Application Switch 2 enables wire speed forwarding across 5 GBIC ports and 16 Fast
Ethernet Ports or 7 GBIC ports, non-blocking traffic throughputs across a 19.2 GB backplane
and strong central processing, based on a Motorola PowerPC 7410 CPU. Fusing accelerated
processing speeds with the ability to optimize routing decisions based on specific
applications, web requests and content, Application Switch 2 guarantees complete reliability,
performance and security across all IP applications, for complete control over enterprise
operations.
Application Switch 2 is powered by a multi-layered switching architecture combined with
comprehensive SynApps 'Application Aware' services, to address the widest set of protocols
and service requirements across network layers 4-7, boosting IP application performance to
Gigabit Speeds.
Application Switch 3
Figure 55 - Application Switch 3
Application Switch 3 provides an innovative three-tiered architecture that couples enhanced performance and power with 10Gb connectivity, providing businesses for the first time with a comprehensive solution for ensuring the integrity of applications carried over high-bandwidth networks. Application Switch 3 delivers SynApps security, availability and reliability of services at multi-gigabit speeds, bullet-proofing any IP or Web Service application running on the network.
Multi-Gigabit Switching Architecture
Driving Intelligent Application Switching performance to up to 3-Gigabit speeds, AS3 affords
complete control over mission critical applications and explosive transactions across the
most demanding networking environments.
Application Switch 3 features 44Gb connectivity and multi-Gigabit network processors.
Application Switch 4
Application Switch 4 is the next generation of Radware's hardware platform. The new platform is a 2U device. This platform uses a stronger CPU, the Motorola PPC 7457, and also supports 802.1q VLAN Tagging. The new platform has 12 10/100/1000 RJ-45 copper interfaces and 8 Gigabit GBIC ports for copper and fiber infrastructure.
Compact Application Switch
Figure 56 - Compact Application Switch
Compact Application Switch is Radware's new desktop platform, featuring an integrated eight-port Fast Ethernet Switch. This platform is designed to meet the requirements of remote offices and branch offices.
Getting Started
This section is designed to familiarize the user with the devices, and provides instructions on
the installation procedure as well as offering an explanation of how to configure the device
IP Host Parameters.
This section includes the following topics:
• Application Switches Physical Description, page 378
• Compact Application Switch, page 384
• Device Installation, page 385
• Device Interfaces, page 387
Application Switches Physical Description
This section includes a diagram of each device including a description of the device's features.
Application Switch 1
Figure 57 - Application Switch 1 - Front Panel View
Table 48: AS 1 Front Panel Description
Reset: Allows you to reset the device.
Mode: Allows you to change the display mode of the Port LEDs.
Upper LED: The upper LED indicates that the device is powered.
Lower LED: The lower LED indicates that the application is currently running. This LED is off when the application is still loading or has failed.
Mode display: This display indicates the display mode of the Port LEDs as follows (from top line, left to right):
• LNK - Link Status
• FE - Ethernet Mode (for fast ethernet ports only)
• COL - Collisions
• ERR - Errors
• ACT - Activity
• FD - Duplex Mode
• TX - Transmission Activity
• RX - Receiving Activity
RS-232C Console Port.
Gigabit Ethernet Port and LED. The LED indicates the following information according to display mode:
• LNK: On - Physical connection detected. Off - No physical connection detected.
• ACT: Flashing indicates that data is being transferred via the port.
The status LEDs for the 8 fast Ethernet Ports. Each LED indicates the following according to display mode:
• FD: On - Indicates Full Duplex mode. Off - Indicates half Duplex mode.
• COL: On - Indicates collisions are occurring.
• ERR: On - Indicates errors are occurring.
• TX: Flashing indicates that the port is transmitting data.
• RX: Flashing indicates that the port is receiving data.
Table 49: AS 1 - Back Panel Description
Power Socket: The socket to which the power cable is connected.
Power Switch: On / Off power.
Act Boot: DipSwitch 1 (first left); this switch determines the active boot on the device. Switch "Down": Boot 1 is active. Switch "Up": Boot 2 is active.
Application Switch 2
Figure 58 - Application Switch 2 - Front Panel
Table 50: AS 2 Front Panel Description
These LEDs indicate the status of the following:
• PWR: The device is powered.
• SYS: The application is currently running. This LED is off when the application is still loading or has failed.
• FAN: Green when all fans are operational. Red indicates that the fans are not operational.
• RST: Reset button.
Gigabit Ethernet Port and LED. The LED indicates the following information:
Upper LED:
• On - Physical connection detected.
• Off - No physical connection detected.
Middle LED:
• Lit Green - Port is receiving data.
• Lit Red - Receive loss or no physical connection.
Lower LED:
• Lit Green - Port is transmitting data.
• Lit Red - Transmission faults.
Mode: Allows you to change the display mode of the Fast Ethernet Port LEDs.
The LEDs indicate the display mode of the Fast Ethernet Ports:
• LNK - Link Status
• ACT - Activity
• FE - Ethernet Mode
• FD - Duplex Mode
Fast Ethernet Ports F1-F16: The Status LEDs for the Fast Ethernet Ports. Each Port LED indicates the following information according to display mode:
• LNK: On - Physical connection detected. Off - No physical connection detected.
• ACT: Flashing indicates that data is being transferred via the port.
• FE: On - Indicates 100BaseT mode. Off - Indicates 10BaseT mode.
• FD: On - Indicates Full Duplex mode. Off - Indicates half Duplex mode.
Table 51: AS 2 Back Panel Description
Power Socket: The socket to which the power cable is connected.
Power Switch: On / Off power.
Act Boot: DipSwitch 1 (first left); this switch determines the active boot on the device. Switch "Down": Boot 1 is active. Switch "Up": Boot 2 is active.
RS-232C: RS-232C Console Port for out-of-band management.
Compact Flash: Insertion point for Compact Flash Card.
Ethernet Port: Ethernet Port (for debugging purposes only - Radware R&D only).
Application Switch 3
Figure 59 - Application Switch 3 - Front Panel View
Table 52: AS 3 Front Panel Description
These LEDs indicate the status of the following:
• PWR: The device is powered.
• SYS: The application is currently running. This LED is off when the application is still loading or has failed.
• FAN: When lit, indicates that the fans are not operational.
• RST: Reset button.
The 10 Gigabit Ethernet Port and LEDs. The LED indicates the following information:
Upper LED:
• On - Physical connection detected.
• Off - No physical connection detected.
Middle LED:
• Lit Green - Port is receiving data.
• Lit Red - Receive loss or no physical connection.
Lower LED:
• Lit Green - Port is transmitting data.
• Lit Red - Transmission faults.
Gigabit Ethernet Ports (G1-G8) and LEDs. The LED indicates the following information:
Upper LED:
• On - Physical connection detected.
• Off - No physical connection detected.
Middle LED:
• Lit Green - Port is receiving data.
• Lit Red - Receive loss or no physical connection.
Lower LED:
• Lit Green - Port is transmitting data.
• Lit Red - Transmission faults.
Fast Ethernet Ports (F1-F16) and LEDs.
Left LED:
• Lit green - Indicates 100BaseT mode.
• Flashing green - Indicates that data is being transferred via the port in 100BaseT mode.
• Lit Yellow - Indicates 10BaseT mode.
• Flashing yellow - Indicates that data is being transferred via the port in 10BaseT mode.
• Off - Indicates no link.
Table 53: AS 3 Back Panel Description
Power Socket: The socket to which the power cable is connected.
Power Switch: On / Off power.
Act Boot: DipSwitch 1 (first left); this switch forces the device to use the internal flash application version after a reboot has occurred. Switch "Down": device reboots from compact flash (default). Switch "Up": device reboots from internal flash.
RS-232C: RS-232C Console Port for out-of-band management.
Compact Flash: Insertion point for Compact Flash Card.
Ethernet Port: Ethernet Port (for debugging purposes only - Radware R&D only).
Application Switch 4
Table 54: AS 4 Front Panel Description
These LEDs indicate the status of the following:
• PWR: The device is powered.
• SYS: The application is currently running. This LED is off when the application is still loading or has failed.
• FAN: When lit, indicates that the fans are not operational.
• RST: Reset button.
Gigabit Ethernet Ports (G9-G20) and LEDs. The LED indicates the following information:
Upper LED:
• On: Physical connection detected.
• Off: No physical connection detected.
Middle LED:
• Lit Green: Port is receiving data.
• Lit Red: Receive loss or no physical connection.
Lower LED:
• Lit Green: Port is transmitting data.
• Lit Red: Transmission faults.
10/100/1000 Copper Ethernet Ports (G1-F12) and LEDs.
Left LED:
• Lit green: Indicates 1000BaseT mode.
• Flashing green: Indicates that data is being transferred via the port.
Right LED:
• Lit green: Indicates that the link is active and the port is synchronized to 1000 Mbps.
• Lit Yellow: Indicates that the port is synchronized to 100 Mbps.
• No LED: Indicates that the port is synchronized to 10 Mbps.
Table 55: AS 4 Back Panel Description
Power Socket: The socket to which the power cable is connected.
Power Switch: On / Off power.
Act Boot: DipSwitch 1 (first left) forces the device to use the internal flash application version after a reboot has occurred.
• Switch "Down": Device reboots from compact flash (default).
• Switch "Up": Device reboots from internal flash.
RS-232C: RS-232C Console Port for out-of-band management.
Compact Flash: Insertion point for Compact Flash Card.
Compact Application Switch
Figure 60 - Compact Application Switch - Back Panel Description
Table 56: Compact Application Switch - Back Panel Description
Power supply connection point.
RS-232C Console Port.
LNK/ACT LED:
• Off - No physical connection detected.
• On - Physical connection detected.
• Flashing - Data transferred via port.
10/100 LED:
• Off: Port working in 10BaseT mode.
• On: Port working in 100BaseT mode.
Device Installation
This section explains the process of installation including checking the contents, mounting
the device and connecting the device to your network.
Checking the Contents
Before beginning the hardware installation, open the box and check that the following components are included:
• Radware device.
• APSolute Insite Software CD ROM.
• One power cable (only for countries using 110v power supply).
• One serial cable.
• Two cross cables (Application Switch 1 and Application Switch 2 platforms only).
• A set of mounting brackets.
Notes:
i. If any of the above items are missing please consult your Radware agent.
ii. Power cables with PSE mark must not be used by any other products.
Mounting the Device
Radware’s devices can be either rack-mounted or mounted on a tabletop. The package
includes brackets to enable rack-mounting of the device. Rubber feet are attached to the
bottom of the device to enable tabletop mounting.
Note:
After mounting the device, ensure that there is sufficient airflow surrounding the device.
To rack mount the device:
1. Attach one bracket to each side of the device, using the screws provided.
2. Attach the device to the rack with the mounting screws.
Note:
For Compact Application Switch a separate rack mountable tray must be ordered from Radware.
Connecting the Device to Your Network
After you have mounted the device, connect the cables.
To connect the device the following connections must be completed in the following order:
1. AC Power Connection
2. ASCII Terminal (Serial) Connection
3. LAN Connections
To connect the AC power connection:
1. Connect the power cable to the main socket, located on the rear panel of the device.
2. Connect the power cable to the grounded AC outlet.
To make the ASCII terminal connection:
1. Connect the serial port connector to the front panel.
2. Connect the other end of the serial port connector cable to your computer.
3. Access Hyper Terminal.
4. From the Hyper Terminal opening window, select the File menu, then Properties, or click the Properties icon from the toolbar. The New Connection Properties dialog box is displayed.
5. Click Configure. The Properties dialog box containing the Port Settings tab is displayed.
6. Verify that the parameters are set as follows:
Bits per second: 19200
Data bits: 8
Parity: None
Stop bits: 1
Flow Control: None
7. Turn on the power to the unit. When the device is connected and operating properly, the PWR and System Ok indicators on the front panel are lit continuously.
LAN Connections
The cables used for LAN Connections differ as follows:
Fast Ethernet Port: Standard UTP or STP Ethernet cable, RJ45 connector.
Gigabit Ethernet Port: 1000BaseSX fiber optic cable - SC connector.
10 Gigabit Ethernet Port: 10 GBaseLR fiber optic cable.
Note:
AS I version 2 and AS II can use both cross and straight cables when Auto Negotiation is enabled.
To connect a device port to a LAN:
1. Connect the cable to the port interface, located on the front panel.
2. Connect the other end of the cable to the LAN switch.
Device Interfaces
This section explains device interfaces and how to configure them.
Radware Application Switch platforms may have as few as 8 network interfaces and as many as 24. It is helpful to understand interface-indexing conventions before you perform configuration tasks such as displaying interface status and setting physical parameters (such as speed, duplex mode or auto-negotiation) via the command line interface. In Web Based Management and APSolute Insite, the interface description makes the interface-index convention easier to understand.
Note:
On the back of the device there is an Ethernet port. This port is for R&D debugging purposes only. It has no other use.
Interface Numbering Conventions
By convention, the numbering of the Ethernet interfaces on each platform starts with the copper ports. Within the different port types, numbering is from top to bottom.
Table 57: Physical Interface Numbering
Fast Ethernet Ports: AS1 1-8; AS2 1-16; AS3 1-16; AS4 N/A; AS5 N/A
Giga Ethernet RJ45 Ports: AS1 N/A; AS2 N/A; AS3 N/A; AS4 1-2; AS5 1-8
Giga Ethernet Ports (Gbic and SFP): AS1 9-10; AS2 17-21; AS3 17-23; AS4 13-20; AS5 9-17
10G Ports: AS1 N/A; AS2 N/A; AS3 24; AS4 N/A; AS5 18-19
Logical Interface Numbering
There are two types of logical interfaces - Trunks (for Link Aggregation) and VLANs. Trunks are the last 7 ports of the device:
Table 58: Logical Interface Numbering
Trunk: AS1 11-17; AS2 22-28; AS3 25-31; AS4 21-27; AS5 20-26
VLAN Interface Numbering
Radware devices support up to 64 VLANs. Two VLANs are pre-defined: 100000 and 100001. VLANs are numbered from 100000 - 1000063.
Displaying Interface Status and Properties
The status and settings for interfaces can be viewed via all management tools.
To display the interfaces:
• From the CLI use the command:
net l2-interface
• From Web-Based Management click on the Device menu and choose the L2 Interface option.
• From APSolute Insite right-click on the device and select the Zoom In option. A graphic representation of the device front panel will be displayed. Operational status of the interfaces is displayed graphically (green for up and red for down). To view more information about each interface right-click on the desired interface and choose Interface Parameters.
To display current settings for the interfaces:
• From the CLI use the following command:
net physical-interface
• From Web-Based Management click on the Device menu and choose the Physical Interface option.
• From APSolute Insite right-click on the device and select the Zoom In option. A graphic representation of the device front panel will be displayed. To view the settings of each interface right-click on the desired interface and choose Physical Settings.
Setting Interface Properties
Properties that are configurable on the interfaces include:
• Auto-negotiation mode.
• Port Speed (available only when Auto negotiation mode is off).
• Duplex mode (available only when Auto negotiation mode is off).
To set interface properties:
• From the Command Line Interface use the following command:
net physical-interface set <port index> <-switch value>
where switch can have the following values:
— -a for auto negotiation (1=On, 2=Off)
— -s for speed (1=10Mbps, 2=100Mbps, 3=1000Gbps) (this parameter cannot be changed for Gigabit Ethernet ports).
— -d for duplex mode (1=Half, 2=Full)
• From Web-Based Management click on the Device menu and select the Physical Interface option. Click on the interface whose properties you wish to change. Perform changes and click Set.
• From APSolute Insite right-click on the device and select the Zoom In option. A graphic representation of the device front panel will be displayed. To change the settings of an interface right-click on the desired interface and choose Physical Settings. Change parameters and click Ok.
Boot Version Update
As Radware's product line develops, it may become necessary to upgrade a device's Boot
Code to support new firmware. Check Boot Prom matrix: http://www.radware.com/content/
support/software/bootprom/default.asp for more information regarding boot code
compatibility with older firmware versions and configurations.
Radware application switch units are supplied with two boot PROMs, only one of which is
used for the active boot process. The second PROM can be flash upgraded through the CLI
only to a newer version. Once the process is completed, you can configure the device to
boot from the secondary PROM (the one with the new boot code) using a DIP switch. The
information below provides the steps for upgrading and switching a device's boot code.
On Application Switch 1, whenever a new boot version is required you must update it manually prior to downloading the new software version.
On Application Switch 2 and Application Switch 3, new boot versions are updated automatically during the software download process, if the new software version includes a new boot version. For Application Switch 2 you will be prompted to change the position of the dip-switch that defines which boot is used.
To upgrade the Boot version manually:
1. Obtain the file with the new boot version from Radware Technical Support.
2. Reboot the device and press any key to stop the auto boot. Type "u" to download the new boot version. The following message appears:
>u
port ("com1", "com2" or Enter to choose the default ("com1")): com1
baud rate (valid baudrate) or Enter to choose the current: 19200
Please download program using XMODEM.
For port use: "com1".
3. Send the new boot file to the device using the Xmodem protocol. The new boot version is written into the non-active boot.
4. In order to boot the device with the existing boot, type "@" when prompted with:
"Download completed
boot flash address 0x1c000000
boot flash number 0 update done.
>"
5. In order to start using the non-active boot, the position of the Dip-switch needs to be changed (Application Switches I and II only). Before changing the position of the dip-switch turn the power off.
Locating the active boot selection switch:
— Devices with an external Dip-switch at the rear of the device: Looking at the rear panel of the device, the boot selection switch is the first switch from the left and is labeled "Act. Boot" and with the number "1."
— Devices with internal DIP switch: The device has to be powered off and opened up to access the Dip-switch. Looking at the rear of the open device, the switch for the boot selection is located above the right corner of the power supply. The active boot selection switch is the first switch from the left of the eight switches, labeled with the number "1." The Application Switch platform has two boot EPROMs, labeled "Boot1" and "Boot2". With the switch in the down position, which is the default position, the device uses Boot1. Changing the switch to the up position sets the device to use Boot2.
6. After the dip-switch position is changed, turn the power on.
Note:
On Compact Application Switch, whenever a new boot version is required you must replace the boot EPROM prior to downloading the new software version; see the CAS Boot EPROM Replacement document (http://www.radware.com/content/document.asp?_v=about&document=3961).
Boot Level Commands
Radware application switches include a BSP (Board Support Package), which is the low level operating system of the application switch.
The following Boot Level Commands are included:
Table 59: Boot Level Commands
a: Prints installed application list - using the 'a' command, the device prints all the available applications and their indexes. Application with index 0 represents the recovery application on the internal flash.
i: Sets active application - using the 'i' command, the user can set the active application (the application which will be used after the next reboot). Usage: press 'i' and hit enter. The device will prompt to enter the index of the required application.
W: Downloads via Xmodem - using the 'w' command the user can download the software image and config.ini (from the PC to the device) using the Xmodem protocol. If there is a backup application on the device's internal flash it is recommended to download the new software via the web based management, which is much faster than the Xmodem Protocol.
X: Extracts the downloaded TAR file image from the specified destination: cm:/ or fl:/
q0: Erases the configuration file (including the networking parameters in config.ini) from the internal flash. Using this command will erase the configuration of the recovery application and the device will not be accessible remotely, unless a BOOTP server is configured to supply an IP address to the device.
q1: Erases the configuration file from the compact flash. After rebooting the device the initial startup configuration window will appear.
q: Erases the configuration file. After rebooting the device the initial startup configuration window will appear. This is only available on Application Switch 1 and Compact Application Switch.
y0: Formats the internal flash. It is recommended to obtain Radware's technical support before executing this command. The device MUST be rebooted after executing the 'y0' command. Executing the 'y0' command erases the recovery application. If this command is being used, it is a MUST to perform "system file-system files copy-to-flash <index of active application>".
y1: Formats the compact flash. Using this command is required when one of the following error messages appears in the console: "malformed boot sector" or "invalid partition entry encountered". The device MUST be rebooted after executing the 'y' command.
y: Formats the internal flash. It is recommended to obtain Radware's technical support before executing this command. Available only on Application Switch 1 and Compact Application Switch. The device MUST be rebooted after executing the 'y' command.
z: Performs low level format for the internal flash. DO NOT execute this command without explicit instructions from Radware Technical Support. The 'z' command must be followed with the y0 and y1 commands.
u: Downloads to secondary boot via Xmodem - the 'u' command allows the user to burn the inactive boot of the device.
v: Clears NVRAM, including license and real time clock. This is useful when NVRAM corruption is suspected, e.g. in case of a repeating request to enter a new license. It is recommended to obtain Radware technical support approval before executing this command.
@: Loads the active application.
log: Reboots the device.
CLI Installation Wizard
The CLI Installation Wizard is for first-time installation and enables you to easily install and configure LinkProof without any specific networking knowledge.
Note:
This wizard is designed for 1 IP users.
To install and configure LinkProof using the CLI Installation Wizard:
1. Connect your device to the network using HyperTerminal. See Connecting the Device to Your Network, page 386.
2. At the prompt you are asked whether you want to use the CLI Installation Wizard.
Note:
If the user selects no, the CLI wizard returns to the original LP configuration wizard, where the device can be configured for an IP Address and initial access only.
3. Press Enter. Default: Yes.
4. Enter the IP Address for the device on the Internal LAN and the Subnet mask, and press Enter.
5. Select the Port Number, and press Enter. Default: 1
Port Number ranges for the following platforms are:
AS 1: 1 - 16
AS 2: 1 - 16
AS 3: 1 - 16
AS 4: 1 - 20
CAS: 1 - 8
6. Enter the User name and Password, and press Enter. Default: Radware / Radware.
7. You are prompted whether you want to enable SSH access and/or Web SSL access for device management. Press Enter. Options: y/n. Default: Yes.
8. Use the Ping option to enable a ping response on all router ports of the device.
9. Configure the Client Table Size with values between 1000 and the maximum recommended value per memory (per platform).
Default: Average between 1000 and the maximum allowed value, depending on the memory of the device as described in Table 60 on page 393.
Table 60: Memory Value Options
Accelerated Platforms:
AS3 - 512Mb - 333,000 (recommended), 500,000 (maximum)
AS4 - 512Mb - 350,000 (recommended), 524,000 (maximum)
CAS - 64Mb - 20,000 (recommended), 28,000 (maximum)
Non Accelerated Platforms:
AS1 - 128Mb - 80,000 (recommended), 118,000 (maximum)
AS2 - 256Mb - 200,000 (recommended), 300,000 (maximum)
Notes:
i. It is not recommended to set the Client Table Size to the maximum, as it might render the device without operational memory. It is important that a user configuring higher values performs a manual check using the WBM or the CLI command 'system tune check-memory-capacity'.
ii. The memory recommendations are for the minimum default memory per platform. For a non-default memory configuration refer to SYN Table Tuning, page 309.
You are now required to perform a Routers and NAT Configuration by defining the IP address of the Routers as well as the IP addresses of the LinkProof interfaces.
Note:
Steps 9 - 13 need to be repeated for the 2nd and 3rd Routers. You can bypass 2nd & 3rd Router configuration by selecting no instead of an IP.
10. Define the IP Address of the 1st Router and press Enter.
11. Define the Subnet Mask of the 1st Router and press Enter.
12. Define the LinkProof IP Interface of the 1st Router and press Enter.
13. Define the LinkProof physical Port Number of the 1st Router and press Enter.
14. Set the Router Operation Mode: either Regular - LB or Backup - HA. Default is LB.
15. You are prompted whether Dynamic NAT is used. If it is, define the IP Interface of that specific Interface as the NAT Address. Default: Yes.
16. Select the relevant Dispatch Method from the following options:
— Least Amount of Traffic (the default).
— Cyclic.
— Least Number of Bytes.
— Least Amount of Users.
— Hashing.
— Response Time.
For more information on Dispatch Methods see Dispatch Methods, page 89.
17. Press Enter. You are prompted whether there is to be a change in the topology of the LinkProof installation. Default: no.
If you select yes, the following occurs:
— All Router ports become members of the 1 VLAN Bridge group.
— Radware ensures that all IP addresses belong to the same subnet mask.
18. Press Enter. Static Port Address Translation (Static PAT) is an option, and offers the following Inbound Services:
— Web (HTTP): TCP port 80
— Web SSL (HTTPS): TCP port 443
— FTP: TCP ports 21 & 20
— Mail (SMTP): TCP port 25
— VPN (IPsec): UDP & TCP port 500 plus AH / ESP (L3)
Static PAT allows you to configure up to 3 servers, each with up to 5 services, with the following limitation:
— Starting from 1 Server with all the 5 services, or 5 servers (with different IPs) with 1 service each, or a combination of the above.
19. Press Enter.
When using inbound services with Static PAT, Management ports have to be disabled in order to prevent a conflict with inbound services.
The following ports have been chosen by Radware using RFC 4340. You can alternatively use an optional port recommended by IANA (Internet Assigned Numbers Authority) (http://www.iana.org/assignments/port-numbers).
— Web SSL (HTTPS): TCP port 9062
— FTP: TCP port 9061
Notes:
i. A message is sent to the user, both via Terminal and the Web, to inform the user that the configuration was successful.
ii. An error message appears if the ports used were in conflict and the configuration was unsuccessful.
Examples: CLI Installation Wizard Configuration Examples
The following examples are possible configurations using the CLI Installation Wizard.
Figure 61 - 3 ISP Connected
A – 3 ISP Connected
CLI Wizard Supported Network Configuration:
— 3 X ISP configured per Router
— Different Interface per each ISP
— 4 X Different Subnets (1 per Interface)
Figure 62 - Regular VLAN (Bridge)
B – Regular VLAN (Bridge)
CLI Wizard Supported Network Configuration:
— 2 X ISP configured per Router
— Both ISP 1 (LP Interface 2, 192.168.10.0/24) and the internal LAN (Interface 1, Subnet 192.168.10.0/24) are on the same subnet.
— ISP on LP Interface 3 – Subnet 192.168.30.0/24
Application Recovery Procedure
Application Switch 2 and above are equipped with Internal Flash and Compact Flash. When the devices are shipped from Radware, there are two applications on the device:
• Active Application - stored on the Compact Flash.
• Recovery Application - stored on the Internal Flash.
During normal operation, the device loads the application from the compact flash. However, when the compact flash is corrupted, the image file is damaged, config.ini has been erased, or any other cause prevents the device from loading from the compact flash, the device loads the recovery application instead, and the user can then perform a regular software upgrade in order to recover the device. The user can also manually load the device from the internal flash in order to recover the defective application.
Recovering the Application Remotely
To recover the application remotely:
1. Telnet or SSH to the device.
2. From the CLI type the following command: "system file-system config act-appl set 0". The device will reboot.
3. Wait until the device reboots and connect to the device using Web Based Management or APSolute Insite.
4. Perform the software upgrade to the desired software.
5. Reboot the device.
Note:
After reboot, the device will load the new application.
Recovering the Application Locally
To recover the application locally:
Option A:
1. Toggle DIP Switch 1 and change it to the upper position.
Note:
On Application Switch 2, this option is supported for hardware revision 4.45 and higher with Boot 6.041 and 6.06 and higher.
2. Reboot the device. The device will load from the recovery application.
3. Toggle DIP Switch 1 and change it back to the lower position.
Note:
If there is a need to configure the recovery application or enter its license, it is useful to keep DIP switch 1 in the upper position and set it down prior to the upgrade.
4. Connect to the device and perform the software upgrade.
Option B:
1. Connect to the device using the serial console.
2. Reboot the device and stop it during the boot process.
3. From the CLI type 'i' followed by '0' and hit Enter.
4. After the device reboots do the following:
a. Connect to the device using Web Based Management or APSolute Insite and perform the software upgrade to the desired software and reboot.
b. Send the files using Xmodem:
— From the CLI prompt type y1 in order to format the compact flash.
— Send the new software via Xmodem using the 'w' command. Ensure that the destination is the compact flash (cm:/<name of the tar file>). The file should be sent using Binary mode.
— Send the config.ini via Xmodem using the 'w' command. Make sure that the destination is the compact flash (cm:/config.ini). The file should be sent using ASCII mode.
— Extract the uploaded tar file using the 'x' command. Make sure that the destination is the compact flash (cm:/<name of the tar file>).
— Type 'a' to print the list of installed applications.
— Type 'i' followed by the index of the newly installed application.
Notes:
i. After reboot the recovery application burns the new boots, and only then will the device load the new application.
ii. During the process of software upgrade, only the application on the Compact Flash is being upgraded.
iii. OneIP: A single IP is used as the IP interface towards the load balanced router as well as for NATting traffic through that router.
Specifications
This section includes a specifications table for Application Switching Platforms, and includes the following topics:
• Specification Table, page 398
• Serial Cable Pin Assignment, page 400
Specification Table

Architecture
  AS1: Two-Tier; AS2: Two-Tier; AS3: Three-Tier; AS4: Three-Tier; CAS: Two-Tier
Backplane
  AS1: 9.6Gbps; AS2: 19.2Gbps; AS3: 44Gbps; AS4: 44Gbps; CAS: 2.4Gbps
System Memory - Flash
  AS1: 16MB internal; AS2: 8MB internal + 16MB compact flash; AS3: 8MB internal + 32MB compact flash; AS4: 8MB internal + 32MB compact flash; CAS: 16MB internal
System Memory - RAM
  AS1: 128-256MB; AS2: 128-256MB; AS3: 256-512MB + 512-1024MB, 1024 MB, 2048 MB for network processors; AS4: 256-512MB + 512-1024MB, 1024 MB, 2048 MB for network processors; CAS: 64MB
Network Interfaces - Fast Ethernet (10/100BaseT)
  AS1: 8 or none; AS2: 16 or none; AS3: 16; AS4: 16; CAS: 8
Network Interfaces - Gigabit Ethernet
  AS1: 2 or none (SFP - fiber optic or copper); AS2: 5 or 7 (GBIC - fiber optic or copper); AS3: 7 (SFP - fiber optic or copper); AS4: 7 (SFP - fiber optic or copper); CAS: None
Network Interfaces - 10 Gigabit Ethernet
  AS1: none; AS2: none; AS3: 1 (optical module); AS4: 1 (optical module); CAS: None
Out of Band Management
  All platforms: 9-pin female RS-232 connector. DCE Setup: 19200 bps, 8 bits, one stop bit, no parity.
Power Supply
  AS1: Auto-range, 90v - 264v, 50-60Hz
  AS2: Auto-range, 90v - 264v, 50-60Hz, single or dual power supply
  AS3: Auto-range, 90v - 264v, 50-60Hz, single or dual power supply; or 38-72VDC
  AS4: Auto-range, 90v - 264v, 50-60Hz, single or dual power supply; or 38-72VDC; 90v - 264v single / double
  CAS: External power supply. Input: Autorange supply 100-120/220-240VAC 50-60Hz. Output: 3.3V/4A
Power Consumption
  AS1: 35Watt; AS2: 44Watt; AS3: 60Watt; AS4: 60Watt (78 Watt with SME)
Heat Dissipation
  AS1: 157.08 BTU/h; AS2: 150.27 BTU/h; AS3: 204.86 BTU/h; AS4: 204.86 BTU/h (266.33 BTU/h with SME)
Dimensions - Width
  AS1: 432 mm; AS2: 432 mm; AS3: 432 mm; AS4: 432 mm; CAS: 170 mm
Dimensions - Depth
  AS1: 475 mm; AS2: 455 mm; AS3: 485 mm; AS4: 485 mm; CAS: 240 mm
Dimensions - Height
  AS1: 44 mm (1U); AS2: 44 mm (1U), 88 mm (2U) for dual power supply; AS3: 44 mm (1U), 88 mm (2U) for dual power supply; AS4: 44 mm (1U), 88 mm (2U) for dual power supply; CAS: 47 mm (1U)
Weight
  AS1: 3.85 kg; AS2: 5.3 kg; AS3: 7 kg; AS4: 7 kg; CAS: 0.5 kg
Environmental - Operating Temperature
  All platforms: 0-40C
Environmental - Humidity (non-condensing)
  All platforms: 20% to 80%
Certifications - Safety
  All platforms: EN 60950, UL 1950, CSA 22.2 No. 950
Certifications - Electromagnetic Emission
  AS1: EN 55022 class A, EN 55024, FCC part 15B class A
  AS2: EN 55022 class B, EN 55024, FCC part 15B class B
  AS3: EN 55022 class A, EN 55024, FCC part 15B class A
  AS4: EN 55022 class A, EN 55024, FCC part 15B class A
  CAS: EN 55022 class A, EN 55024, FCC part 15B class A
Serial Cable Pin Assignment
Table 61: PC Serial Port to Radware Device Pinout
Columns: Standard PC DB9 Serial Port (DTE) - Signal and DB9F Pin; DB9F to DB9M Straight Cable - DB9M Pin and DB9F Pin; Radware Device ASCII Port (DCE) - DB9M Pin and Signal.

PC Signal   PC DB9F Pin   Cable DB9M Pin   Cable DB9F Pin   Device DB9M Pin   Device Signal
CD          1             1                1                -                 -
RxD         2             2                2                2                 RxD
TxD         3             3                3                3                 TxD
DTR         4             4                4                -                 -
GND         5             5                5                5                 GND
DSR         6             6                6                -                 -
RTS         7             7                7                -                 -
CTS         8             8                8                -                 -
RI          9             9                9                -                 -
Trouble Shooting for AS1 & AS2
This section provides Hardware Troubleshooting for AS1 and AS2.
Note:
Most cases of suspected hardware problems are usually incorrectly identified and may be software related.
Table 62: Trouble Shooting for AS1 and AS2

Problem: After powering up the device the power LED remains unlit.
Possible Solution: Check the following:
• Verify that the power lead is correctly connected to the mains supply and to the device.
• Ensure that the On/Off switch located on the back panel of the device is in the On position.
Outcome: If all the previously described requirements are met and the device power LED remains unlit, please contact Radware Technical Support.

Problem: The device Power LED is lit, however there is no console response.
Possible Solution:
• Check that the serial cable is properly connected to the device.
• Check that the serial port parameters, including speed, are correctly configured.
Outcome: If the problem persists, please contact Radware Technical Support.

Problem: The Device LEDs are lit, however the device does not communicate via the LAN ports.
Possible Solution: Connect to the device serial port and open a terminal connection. If fatal error messages appear on the terminal and no product prompt appears, this indicates an incomplete boot process. The following process should be implemented to eliminate possible causes:
1. Stop during the boot countdown and erase the configuration (q1 command).
2. Reboot ("@") and fill in the connectivity data (IP address) in the Startup Configuration window. Should the problem persist, check in the release notes whether the product matches the running boot version. If not, update the boot.
Outcome: If the problem persists, please contact Radware Technical Support.

Problem: AS2 Flash Management. If during the boot process the following message appears in the console window: FATAL ERROR: tRootTask: RSFLEG_write: is failed
Possible Solution: This indicates a possible problem with Flash Management (AS2 only).
Outcome: Contact Radware Technical Support.

Problem: Boot upgrade failure.
• If after the boot upload is complete (via XModem) a write protection error message appears on the ASCII terminal.
Possible Solution: In this event implement the following steps:
1. Change the position of dip-switch #1.
2. Upload the boot image again.
Outcome: In the event a “Write Protection Error” appears again, contact Radware Technical Support.
• If after a successful boot image upload and change of the dip-switch #1 position, followed by reboot, the device still boots up with the older version.
Possible Solution: Verify that dip-switch #1 was moved (not #8 by mistake).
Outcome: If the correct dip-switch was moved, this indicates dip-switch failure. Please contact Radware Technical Support.

Problem: Device Port Communication failure. If the device fails to communicate through one or more of its LAN ports.
Possible Solution: In this event check the following:
1. Check that the correct cable was used.
2. Verify that the correct speed and duplex mode is configured on both the Radware device and the device connected to its ports.
3. Change the configuration of the ports on the Radware device or the connected device, or both. To change port settings.
Outcome: If the problem still occurs please contact Radware Technical Support.
Doc. No.: 8261
LinkProof User Guide
Appendix A – Glossary
The glossary provides terms that are frequently used in this guide and a list of common abbreviations, and includes the following sections:
• Commonly Used Terms, page 403
• List of Abbreviations, page 404
Commonly Used Terms
Multiplexing
To combine multiple signals (analog or digital) for transmission over a single line or media.
To combine data from several sources into a stream in such a way that it can be separated
again later.
Protocol Port
The abstraction that TCP/IP transport protocols use to distinguish among multiple
destinations within a given host computer. TCP/IP protocols identify ports using small
positive integers. Usually, the operating system allows an application program to specify
which port it wants to use. Some ports are reserved for standard services (for example
electronic mail).
Advanced Monitoring and Statistics
LinkProof provides various statistics, such as Current Server Load, Current Attached Clients per Server, and numerous URL based statistics, which enable unique monitoring and utilization of the network. The Client Table and URL Table are dynamically learned, containing information regarding clients and URLs. Traps are initiated in case of special events.
Content Inspection Server Farm
Refers to a set of content inspection servers, which have a single IP address (Farm Address)
defined on the LinkProof.
IP Interface
An IP interface on the LinkProof is comprised of two components: an IP address and an
associated interface. The associated interface can be a physical interface or a virtual
interface (VLAN). IP routing is performed between LinkProof IP interfaces, while bridging is
performed within an IP interface that contains an IP address associated with a VLAN.
The LinkProof was designed to intercept HTTP requests and to redirect them to a content
inspection server farm. The first assumption in designing a LinkProof network is that the
LinkProof resides on the path between the clients and both the Internet and the content
inspection servers. This is required since the LinkProof needs to intercept the clients'
requests going to the Internet and to manipulate the packets returning from the content
inspection servers to the clients.
Except when using local triangulation or transparent proxy, all traffic must travel physically
through the LinkProof. This includes traffic from the users to the Internet and from the
content inspection server farm back to the users.
If there are users that are statically configured to use a content inspection server, they
should be configured to the LinkProof virtual address. This address is the access IP address
for the content inspection servers.
Note:
This address is used only for statically configured users.
Physical Interface
One of the actual Fast Ethernet or Application Switch ports of the LinkProof. In the Fast
Ethernet platform, a LinkProof can have either 2 or 4 physical interfaces, depending on the
hardware configuration. In the Application Switch platform, the LinkProof can have up to 10
physical interfaces.
Physical IP Address
An IP address assigned to a LinkProof interface. This address belongs to the LinkProof and is
used for SNMP management and/or routing purposes.
RTSP, MMS (Streaming) Request Interception
In addition to HTTP ports, the LinkProof intercepts and redirects common streaming protocol
ports transparently and redirects them to the cache farm.
Virtual Interface (VLAN)
A collection of physical interfaces. A VLAN is defined according to protocol. Bridging for the
defined protocol is performed between the ports that belong to a VLAN. In the case of IP,
bridging is performed within a VLAN depending on the IP address assigned to that VLAN. For
example, if an IP VLAN contains physical interfaces 1, 2, and 4 and is given an IP address of
192.1.1.1 (with subnet mask 255.255.255.0), bridging is performed for IP network
192.1.1.0 between LinkProof ports 1, 2, and 4.
Virtual IP Address (Farm address)
An IP address assigned to the LinkProof that represents a content inspection server farm.
Packets destined to this address are load balanced between the servers of the farm. The
LinkProof can hold a single farm.
VLAN types
Two types of IP VLANs are commonly encountered when configuring a LinkProof. Either
VLAN can be used depending on the LinkProof configuration requirements.
Regular: A Regular VLAN provides transparent bridging within the VLAN. This means that
when two stations communicate within the VLAN, they are aware of each other's MAC
addresses. For example, if stations A and B are on two different LinkProof ports that belong
to the same VLAN, during communication A knows B's MAC address and B knows A's
address. In addition, Regular VLAN also supports redundancy and transparent proxy
features.
Broadcast And Unicast: This is a special VLAN which allows bridging using standard proxy
ARP techniques. For example, stations on one VLAN port of the LinkProof believe that all
stations on other LinkProof ports belonging to this VLAN have the same MAC address. This
one MAC address is actually the MAC of the LinkProof. It may be necessary to use this VLAN
type in LinkProof configurations to ensure that packets are destined to the MAC address of
the LinkProof during end station to server communications.
List of Abbreviations

Acronym    Meaning
ARP        Address Resolution Protocol
AS         Autonomous System
AS         Application Switch
BGP        Border Gateway Protocol
CID        Content Inspection Director
CIDR       Classless Interdomain Routing
CSD        Cache Server Director
CW         ConfigWare
DGW        Default Gateway
DHCP       Dynamic Host Configuration Protocol
DMZ        Demilitarized Zone
DNS        Domain Name System
DSL        Digital Subscriber Loop
EGP        Exterior Gateway Protocol
EIGRP      Enhanced Interior Gateway Protocol
FDDI       Fiber Distributed Digital Interface
FE         Fast Ethernet
LinkProof  Fire Proof
FTP        File Transfer Protocol
FW         Firewall
GARP       Gracious Address Resolution Protocol
GTLD       Generic Top Level Domain
GUI        Graphic User Interface
HTTP       Hypertext Transfer Protocol
HTTPS      Hypertext Transfer Protocol Secure
HW         Hardware
ICMP       Internet Control Message Protocol
IDS        Intrusion Detection System
IGP        Interior Gateway Protocol
IGRP       Interior Gateway Routing Protocol
IP         Internet Protocol
ISDN       Integrated Services Digital Network
ISO        International Standards Organization
ISP        Internet Services Provider
ITM        Internet or Intelligent Traffic Management
LAN        Local Area Network
LB         Load Balancer/Balancing
LLC        Logical Link Control
LP         LinkProof
LRP        Load Reporting Protocol
MAC        Media Access Control
MAN        Metropolitan Area Network
MED        Multi-Exit Discriminator
MIME       Multi-Purpose Internet Mail Extension
NAP        Network Access Point
NAT        Network Address Translation
NetBEUI    NetBIOS Extended User Interface
NetBIOS    Network Basic Input/Output System
NHR        Next Hop Router
NIC        Network Interface Card
NP         Network Proximity
NTP        Network Time Protocol
OSI        Open Systems Interconnect
OSPF       Open Shortest Path First
OUI        Organizational Unique Identifier
PD         Peer Director
POP3       Post Office Protocol 3
PRP        Proximity Reporting Protocol
QoS        Quality of Service
RFC        Request for Comment
RIP        Route Information Protocol
RND        Rad Network Devices
SmartNat   Smart Network Address Translation
SMTP       Simple Message Transfer Protocol
SNMP       Simple Network Management Protocol
SONET      Synchronous Optical Network
SSH        Secure Shell
SSL        Secure Sockets Layer
SW         Software
TCP        Transmission Control Protocol
TFTP       Trivial File Transfer Protocol
TLD        Top Level Domain
UDP        User Datagram Protocol
URL        Uniform Resource Locator
VACM       View-based Access Control Model
VLAN       Virtual Local Area Network
VLSM       Variable Length Subnet Masking
VRRP       Virtual Router Redundancy Protocol
WAN        Wide Area Network
WBM        Web Based Management
WINS       Windows Internet Naming Service
LinkProof  Web Server Director
WWW        World Wide Web
Appendix B – Loopback Interfaces
This appendix describes the setup of loopback interfaces on the most commonly used operating systems and explains how to configure the alias IP addresses for each loopback interface. Loopback addresses are required on servers when using a LinkProof network configuration with local triangulation.
Definitions are provided for loopback configuration on these operating systems:
• AIX, page 408
• HP-UX, page 408
• Linux, page 409
• Solaris, page 410
• Windows NT, page 410
Example: Loopback Interface
Figure 63 - Loopback Interface Example (LinkProof IP 10.1.1.10 with Farm IP 10.1.1.100; default router IP 10.1.1.20; Server 1 IP 10.1.1.1, Server 2 IP 10.1.1.2, Server 3 IP 10.1.1.3, each with loopback 10.1.1.100)
In this example, the LinkProof load balances among the servers:
• Server 1: 10.1.1.1
• Server 2: 10.1.1.2
• Server 3: 10.1.1.3
Each server has a loopback alias of 10.1.1.100, which is the same as the LinkProof Farm
IP address (virtual IP address).
Each server has the network router (10.1.1.20) configured as the default router, so traffic
from the server to the client can go directly back to the client through the router, without
passing through the LinkProof.
Servers are defined in the LinkProof, along with their IP addresses, and are configured as Local Triangulation participants. When Internet traffic from clients arrives at a LinkProof farm, LinkProof selects the least busy server as its destination and forwards the request to it, using the predefined loopback IP (farm IP). The server then sends the reply directly to the default gateway, saving the need to go through LinkProof.
AIX
For loopback on the AIX operating system, the command syntax is:
ifconfig lo0 alias <LinkProof virtual IP> netmask <netmask>
This command sets the first alias of the loopback interface "lo0" to have the same IP address as the LinkProof Virtual IP (VIP).
For the example network as shown in Loopback Interface Example, page 407, the command is:
ifconfig lo0 alias 10.1.1.100 netmask 255.0.0.0
This command should be executed on all servers.
Note:
Resetting the server erases the configuration. Therefore, the command should be inserted in a boot-up script, so that each time the server is reset, the loopback alias will be automatically configured.
HP-UX
For loopback on the HP-UX operating system, the command syntax is:
ifconfig lo0 <LinkProof virtual IP>
This command sets the alias of the loopback interface "lo0" to have the same IP address as the LinkProof Virtual IP (VIP).
For the example network as shown in Loopback Interface Example, page 407, the command is:
ifconfig lo0 10.1.1.100
This command should be executed on all servers.
Note:
Resetting the server erases the configuration. Therefore, the command should be inserted in a boot-up script, so that each time the server is reset, the loopback alias will be automatically configured.
Linux
For loopback on the Linux operating system, the command syntax is:
ifconfig lo:1 <LinkProof virtual IP> netmask <netmask> up
This command sets the first alias of the loopback interface "lo" to have the same IP address as the LinkProof Virtual IP (VIP). Also included in the command is the proper network mask.
See Figure: Loopback Interface Example, page 407, for an example network.
Assuming standard class A masks, the command is:
ifconfig lo:1 10.1.1.100 netmask 255.0.0.0 up
Various Linux operating systems, for example RedHat Linux Enterprise 3.0, may require that the netmask be 255.255.255.255.
This command should be executed on all servers. The loopback configuration is activated by the server reset.
Note:
Resetting the server erases the configuration. Therefore, the command should be inserted in a boot-up script, so that each time the server is reset, the loopback alias will be automatically configured.
To configure loopback in RedHat Linux Enterprise 3.0 (kernel 2.1 and above):
1. To gain administrative access, su to root.
2. Edit /etc/rc.d/rc.local and add the following lines to the end of the file:
/sbin/sysctl -w net.ipv4.conf.all.hidden=1
This runs the kernel commands across reboots and enables the kernel configuration of all hidden network devices needed to configure the loopback interface properties.
/sbin/sysctl -w net.ipv4.conf.lo.hidden=1
This hides the loopback device, to stop the loopback from answering ARP queries.
3. To access the startup scripts, the command is:
cd /etc/sysconfig/network-scripts
This is where the network startup scripts are stored.
4. To copy the generic loopback interface configuration template to a loopback interface instance lo:1, the command is:
cp ifcfg-lo ifcfg-lo:1
5. Edit the file ifcfg-lo:1 and make the necessary changes to the IP address, netmask, network and broadcast addresses.
Note:
Netmask must be set to /32 (255.255.255.255). The device must be set to lo:1 (lo:1 is used as an example; it could be lo:x, x=1...n).
6. To activate the changes to the kernel without rebooting, the command is:
sysctl -p
A patch has to be installed on the Linux server to disable the loopback interface from replying to ARP requests. For more information, see http://www.ssi.bg/~ja/#hidden.
Solaris
For loopback on Sun's Solaris operating system, the command syntax is:
ifconfig lo0:1 <LinkProof virtual IP> 127.0.0.1 up
This command sets the alias of the loopback interface "lo0" to have the same IP address as the LinkProof Virtual IP (VIP).
For the example network as shown in Loopback Interface Example, page 407, the command is:
ifconfig lo0:1 10.1.1.100 127.0.0.1 up
This command should be executed on all servers.
Note:
Resetting the server erases the configuration. Therefore, the command should be inserted in a boot-up script, so that each time the server is reset, the loopback alias will be automatically configured.
Windows NT
Setting up the loopback interface in Windows NT is not straightforward and can sometimes create unpredictable behavior. The general steps are:
1. Add a new loopback adapter.
2. Configure the loopback adapter with the appropriate IP address.
3. Reset the server.
4. Check the server's routing table and make adjustments if necessary.
5. Create a batch file or service to ensure that the necessary adjustments are made after every server reset.
These steps are detailed in the procedure below:
To add and configure a loopback adapter in Windows NT:
1. Right click Network Neighborhood and select Properties. Alternatively, you can get to network properties by choosing Network from the Control Panel.
2. From the Network window, click the Adapters tab.
3. From the Adapters tab, click Add. The list of available adapters appears.
4. From the Adapters list, select MS Loopback Adapter.
5. Click OK. The MS Loopback Adapter Setup dialog box appears.
6. In the Frame Type field, select 802.3. You are prompted to provide the NT disk or the NT source files.
7. Choose the location and continue.
Note:
Your NT server may automatically know where the source files are and skip this section.
8. After the loopback adapter has been properly installed, click Close. The Network Properties window closes. NT will prompt you to configure the loopback adapter with an IP address by displaying the Microsoft TCP/IP Properties dialog box.
9. In the Microsoft TCP/IP Properties dialog box, choose the loopback adapter.
10. Configure the Loopback IP. This should be the same as the LinkProof Farm IP. Configure an appropriate mask, but do NOT configure a default gateway.
11. Click OK. NT completes the configuration, then prompts to be reset.
Note:
The loopback configuration is activated by the server reset.
12. Reset the server. Once it has rebooted, log in and go to a command prompt (DOS prompt).
13. Adjust the IP Routing Table, as described in To adjust the Routing Table following loopback configuration, page 411.
Deleting Unnecessary Routes
After you add and configure the loopback adapter, it is likely that the server's IP Routing
Table contains one or more unnecessary routes which you must delete. These are the
non-multicast/broadcast routes which have the same gateway address as the IP address of the
loopback interface.
You can identify extraneous routes in the server’s IP Routing Table which you can access
using the route print command. These routes usually appear in pairs (for the same
destination network, usually the server’s local network). One route points to the server’s
physical IP address, while the other route points to the loopback IP address. These duplicate
entries pointing to the loopback IP address as the gateway must be removed, otherwise the
Local Triangulation mode may not function properly.
To adjust the Routing Table following loopback configuration:
To remove the table entry for an extraneous route, use this command:
route delete <network address> mask <net mask> <gateway address>
where <gateway address> is the IP address of the loopback interface.
If the above command is unsuccessful, use this command:
route delete <network address>
This will remove both table entries. The appropriate entry must be re-added using the
following command:
route add <network address> mask <net mask> <gateway address>
Note:
Resetting the server erases the Routing Table changes. Therefore, a batch file
or service should be installed to ensure these changes are re-applied after a
reset. To operate the batch file as a service, use the NT resource kit.
For further assistance, please contact the Radware Technical Support.
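The pairing rule above can be checked mechanically before any route delete command is typed. The following POSIX shell/awk script is an added example and is not part of this guide or the LinkProof software: it reads a saved route print listing, skips multicast and broadcast destinations, and prints one route delete line for each destination that is reachable both via another gateway and via the loopback IP. The sample listing, its addresses and the function names are constructed.

```shell
# Added example, not from the LinkProof guide. Sample listing below is constructed;
# on a real server save "route print" output to a file and pipe it in instead.

# lp_extraneous_routes LOOPBACK_IP: read a route table on stdin and print
# one "route delete" command per extraneous route.
lp_extraneous_routes() {
    awk -v lo="$1" '
        # Only lines whose first field is a dotted quad are route entries;
        # headers and blank lines are skipped.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && NF >= 3 {
            key = $1 " " $2            # destination network + netmask
            n = ++seen[key]
            gw[key, n] = $3            # gateway address of this entry
        }
        END {
            for (key in seen) {
                split(key, f, " ")
                # Multicast (224-239.x.x.x) and limited-broadcast routes exist
                # legitimately for every interface; leave them alone.
                if (f[1] ~ /^2(2[4-9]|3[0-9])\./ || f[1] == "255.255.255.255")
                    continue
                via_lo = 0; via_other = 0
                for (i = 1; i <= seen[key]; i++) {
                    if (gw[key, i] == lo) via_lo = 1; else via_other = 1
                }
                # A pair: same destination via the physical IP and via the
                # loopback IP. The loopback entry is the one to delete.
                if (via_lo && via_other)
                    print "route delete " f[1] " mask " f[2] " " lo
            }
        }' | sort
}

# Constructed excerpt of a Windows NT "route print" listing after adding the
# loopback adapter: physical IP 10.1.1.10, loopback/farm IP 10.1.1.100.
SAMPLE_ROUTE_PRINT='Network Address          Netmask  Gateway Address       Interface  Metric
        0.0.0.0          0.0.0.0        10.1.1.1       10.1.1.10       1
       10.1.1.0    255.255.255.0       10.1.1.10       10.1.1.10       1
       10.1.1.0    255.255.255.0      10.1.1.100      10.1.1.100       1
      10.1.1.10  255.255.255.255       127.0.0.1       127.0.0.1       1
     10.1.1.100  255.255.255.255       127.0.0.1       127.0.0.1       1
      224.0.0.0        224.0.0.0       10.1.1.10       10.1.1.10       1
      224.0.0.0        224.0.0.0      10.1.1.100      10.1.1.100       1
255.255.255.255  255.255.255.255      10.1.1.100      10.1.1.100       1'

# Wrapper over the constructed sample so the result can be inspected directly.
lp_sample_extraneous_routes() {
    printf '%s\n' "$SAMPLE_ROUTE_PRINT" | lp_extraneous_routes 10.1.1.100
}
```

Only the duplicate 10.1.1.0/24 entry via the loopback IP is reported; the multicast and broadcast entries via 10.1.1.100 are left in place, as the text requires.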
Appendix C – Regular Expressions
This appendix provides an overview of the basic syntax of regular expressions used in
LinkProof modules, for example in the DNS Regexp Hostname table in the Health Monitoring
Module.
'^' and '$'. These symbols indicate the beginning and end of a string, respectively, as
follows:
• "^The": Matches any string that starts with "The"
• "of despair$": Matches a string that ends in the substring "of despair"
• "^abc$": A string that starts and ends with "abc" – this can only be "abc"
• "notice": A string that has the text "notice" within it.
If neither of the two characters is used (as in the last example), this means that the pattern
may occur anywhere within the string – and is not "hooked" to any of the edges.
Symbols '*', '+', and '?' indicate the number of times a character or a sequence of
characters may occur. These symbols mean "zero or more", "one or more", and "zero or
one" respectively.
For example:
• "ab*": Matches a string that has an "a" followed by zero or more "b"'s ("a", "ab", "abbb",
etc.)
• "ab+": Same, but there is at least one "b" ("ab", "abbb", etc.)
• "ab?": There might be one or no "b"
• "a?b+$": A possible "a" followed by one or more "b"'s ending a string
Bounds can also be used. Bounds are defined inside the brace brackets and indicate ranges
in the number of occurrences:
• "ab{2}": Matches a string that has an "a" followed by exactly two "b"'s ("abb");
• "ab{2,}": Matches a string that has at least two "b"'s ("abb", "abbbb", etc.);
• "ab{3,5}": Matches a string that has from three to five "b"'s ("abbb", "abbbb", or
"abbbbb").
The first number of a range must always be specified, for example: "{0,2}", not "{,2}".
Symbols '*', '+', and '?' denote the same as bounds "{0,}", "{1,}" and "{0,1}",
respectively.
To quantify a sequence of characters, they must be defined within parentheses:
• "a(bc)*": Matches a string that has an "a" followed by zero or more copies of the
sequence "bc";
• "a(bc){1,5}": Matches a string that has one to five copies of "bc".
The '|' symbol is an OR operator:
• "hi|hello": Matches a string that includes either "hi" or "hello".
• "(b|cd)ef": A string that includes either "bef" or "cdef".
• "(a|b)*c": A string that has a sequence of alternating "a"'s and "b"'s ending with "c".
A period ('.') stands for any single character:
• "a.[0-9]": Matches a string that has an "a" followed by a single character and a digit.
• "^.{3}$": A string with exactly 3 characters
Bracket expressions specify which characters are allowed in a single position of a string:
• "[ab]": Matches a string that has either an "a" or a "b" (identical to "a|b")
• "[a-d]": A string that has lowercase letters 'a' through 'd' (identical to "a|b|c|d" and
"[abcd]");
• "^[a-zA-Z]": A string that starts with a letter
• "[0-9]%": A string that has a single digit before a percent sign
• ",[a-zA-Z0-9]$": A string that ends in a comma, followed by an alphanumeric
character
You can also list the characters which you do not want to appear in the string. Use a '^' as
the first symbol in a bracket expression. For example:
"%[^a-zA-Z]%" matches a string with a character that is not a letter, between two
percent signs.
To take the characters "^.[$()|*+?{\" literally, they must be preceded by a backslash ('\'),
which removes their special meaning. This includes the backslash character itself.
Remember that bracket expressions are an exception to the above rule. Within brackets, all
special characters, including the backslash ('\'), lose their special meanings. For example,
"[*\+?{}.]" matches precisely any of the characters within the brackets.
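The rules above are those of POSIX extended regular expressions, which grep -E also implements, including the backslash losing its meaning inside brackets. The following shell script is an added example and is not part of this guide or the LinkProof software: it wraps grep -E to test patterns, escapes the special characters listed above so that a literal hostname can be embedded in a pattern, and filters a constructed list of DNS answers the way a regexp hostname table would. All hostnames, patterns and function names are constructed.

```shell
# Added example, not from the LinkProof guide. grep -E follows the same
# POSIX ERE rules the appendix describes; sample data below is constructed.

# lp_match PATTERN STRING: succeed when STRING contains a match for PATTERN.
lp_match() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# lp_regex_escape TEXT: put a backslash before each of the special
# characters ^ . [ $ ( ) | * + ? { \ so that TEXT matches literally.
lp_regex_escape() {
    printf '%s' "$1" | sed 's/[$.()|*+?{^\\[]/\\&/g'
}

# lp_count_matching PATTERN: count the stdin lines matching PATTERN, the way a
# regexp hostname table accepts only the DNS answers that fit its pattern.
lp_count_matching() {
    grep -Ec -e "$1"
}

# Constructed DNS answers for a farm; only hosts directly under example.com
# should be accepted.
SAMPLE_HOSTS='web-01.example.com
web-02.example.com
db.example.com
web-01.example.com.evil.test
mail.example.org'

# Anchored pattern: one label of letters, digits or '-', then the escaped
# literal domain, with nothing before or after it. Without '^' and '$' the
# fourth sample host would also be accepted.
DOMAIN_RE="^[a-z0-9-]+\\.$(lp_regex_escape example.com)\$"

# Number of sample hosts accepted by the anchored pattern.
lp_farm_host_count() {
    printf '%s\n' "$SAMPLE_HOSTS" | lp_count_matching "$DOMAIN_RE"
}

# Same pattern without the anchors, to show why "hooking" to the edges matters.
lp_unanchored_count() {
    printf '%s\n' "$SAMPLE_HOSTS" | lp_count_matching "[a-z0-9-]+\\.$(lp_regex_escape example.com)"
}
```

The anchored pattern accepts three of the five names; dropping the anchors also accepts the name that merely contains example.com in the middle.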
Appendix D – Index
A
Action 8-338
Active 7-259
Advanced Filters 7-253, 7-262, 7-272, 8-341
Application Classification 8-336
Application Security 7-231
B
Backup Device in VLAN 6-208
Backup Fake ARP 6-208
Backup Interface Grouping 2-43, 6-206
Bandwidth Management 1-23, 8-335
Basic Filters 7-271, 8-341
C
Classification 8-336, 8-349
Content 1-21, 8-341
Content Parameters 7-250, 7-272, 7-287, 7-296
D
Destination 8-337
Detecting 7-232
Device Management CLI 2-43
Device Notifications 2-65–2-66
Device Security 2-45–2-48
Device Tuning 2-56–2-65
Device Upgrading 2-48
Direct Connection 6-221
Direction 8-337
Dormant 7-259
DoS Shield 7-259, 7-260
E
E-mail Traps 7-312
F
Farm 1-20
Farm Health Check 9-363
Filter Groups 8-341
G
Groups 7-254, 7-288, 7-298
H
Hardware Licenses, Upgrading 2-54
Health Monitoring 1-23
I
Important Notice 1-3
Inbound Physical Port Group 8-338
Interface
Loopback A-407–A-412
Interface Grouping 6-205
IP Addressing 3-79
IP fragmentation 7-284
L
Loopback
Configuration A-407
Loopback Configuration
AIX A-408
HP-UX A-408
Linux A-409
Solaris A-410
Windows NT A-410
Loopback Interfaces 10-400
M
Management 1-24
Management Interfaces 2-29
Mirroring 6-206
N
NAT 1-21
O
OMPC 7-248, 7-287, 7-296
Open Shortest Path First (OSPF) 3-82
P
Panic Mode 7-260
Ping Physical Port 2-43
Policies 8-336, 8-340, 8-349
Port Management 3-69–3-71
Port Mirroring 3-69
Port Trunking 3-70
Preventing 7-232
Proprietary ARP 6-207
Protocol Discovery 8-348
R
RADIUS Authentication 2-47
Redundancy 1-21, 6-203
Regular Expressions in WSD A-413–A-414
Reporting 7-232
Resetting Devices 2-56
Restoring Configuration Files 2-52
Routing 3-79
Routing Information Protocol (RIP) 3-80
Routing, Routing Table 3-79
S
Safety Instructions 1-5
Sampling 7-260
Scheduler Algorithm 8-335
Security 1-23
Server 1-21
Service 8-338
Signature File Update 7-299
Signatures Database 7-299
SNMP Configuration 2-29–2-41
Source 8-337
SuperFarm 1-21
Switched VLAN 3-73
SynApps Models 8-335
T
Tagging, VLAN 3-73
Telnet and SSH Configuration 2-41
Tracking 7-251, 7-272, 7-287, 7-296
Traffic Redirection 1-23
Tuning 7-305
Types of Attacks 7-232
U
Upgrading Boot Versions 2-55
Upgrading devices in WBM 2-54
V
Virtual LAN, general 3-72
VLAN
Bridging 3-73
Configuration 3-74
Tagging Support 3-76
VLAN Tag Group 8-338
VLAN Tagging 3-78
VLAN Types
Regular 3-73
Switched 3-73
VRRP 6-213
VRRP nxn Redundancy 6-219
W
Warm-up Time 4-105