
Partner Technical Training

Arbor APS Administration

Partner • Sales • Engineering


APS
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY Release 5.12
Objectives
At the conclusion of this unit you should understand how to:
• Perform administrative tasks related to:
• User Administration
• File Management
• Notifications
• System Alerts
• Backup and Restore
• Performance Management
• Data Retention Compliance
• Other Administrative Tasks

USER ADMINISTRATION


Admin User Accounts
• User Account management is easy
[Screenshot callouts: Delete user account; Edit user account; Add new user]


User Accounts – Add a New User Account

[Screenshot callout: User-specific time zone]


System & User-specific Time Zones
• There are two kinds of time zones in Arbor APS
• User-specific
• System
• By default, all users belong to the System time zone
• If a user prefers to see the GUI in a different time zone, they can provide a user-specific setting
• This will not affect system operation in any way


User Accounts – User Groups
• User groups define user privileges
• Arbor APS has four default user groups
• ddos_admin has limited admin privileges and can view and configure DDoS mitigation settings only
• system_admin has full privileges
• system_none disables account login
• system_user has privileges to see almost anything but to change almost nothing
• Additional user groups may be configured in the CLI
• Privileges are assigned via capability tokens
• User group selection box in GUI will show custom user groups created in CLI


User Group Privilege Levels (1 of 2)
• Users who have Administrator privileges…
• Can see all displayed information
• Can change anything
• Are designated using system_admin group
• Users who have User privileges…
• Can see all displayed operational information
• Can see only selected administration settings
• Cannot change anything
• Are designated using system_user group



User Group Privilege Levels (2 of 2)
• Users who have DDoS Administrator privileges…
• Have read/write access to some of the Web UI pages & a subset
of CLI commands
• Can add & delete ddos_admin, system_user, and system_none user
accounts
• Are designated using ddos_admin group
• Users in custom user groups are governed by capability token
configuration in CLI



Unprivileged Users
[Screenshot callouts: Only Administration option available; Username is not editable; User group is not shown]

• A user in group “system_user” or other group with no admin privileges can edit only their own account
• Administration > User Accounts goes here directly


TACACS+ & RADIUS Authorization
• Arbor APS fully supports authentication and authorization via TACACS+ and RADIUS
• Configurable only via CLI
• TACACS+ and RADIUS do not appear in the Arbor APS GUI


Configuring TACACS+
• Enabling TACACS+ means setting the server IP, port, secret, and timeout
• Accounting can also be configured

admin@demo / services aaa tacacs show


TACACS+ configuration:
Authentication configuration:
Accounting configuration:
Level: none (default)
Timeout: 2 (default)
Password expiry notification: disabled



Configuring RADIUS
• Enabling RADIUS means setting the server IP, port, secret, and timeout
• Accounting can also be configured
admin@demo: / services aaa radius show
RADIUS configuration:
Authentication configuration:
Primary server:
Address: 10.2.99.99
Secret: ******
Port: 1812
Accounting configuration:
Level: none (default)
Timeout: 15
Retries: 3
NAS Identifier: none (default)



FILE MANAGEMENT


File Management
• Up to 2Gb of user-accessible storage space


Upload a File via UI



File Download via UI

[Screenshot callout: Clicked here: file was downloaded to default Downloads directory]


File Delete Selection
• File deletion is permanent



NOTIFICATIONS



Notification Configuration
• Arbor APS provides three notification methods
• SMTP email
• SNMP traps
• Syslog export
• Multiple export destinations per method


Adding Destinations

• When you click on the Add Destination button, you will then need to choose
which method to enter



Configure Notification Destinations

[Screenshot callouts: eMail; SNMP v2; SNMP v3; Syslog]


Notification Alert Types
Seven Different Notification Alert Types:
1. System
• Any type of system error; CPU, disk, memory, HW, Interface down, bypass, etc
2. Cloud
• Cloud signaling errors, Cloud signaling mitigation requests
3. Protection
• Protection level change
4. Deployment
• Deployment mode change; Inline, Monitor, Active, Inactive
5. Bandwidth
• Traffic volume
6. Blocked Host
• Messages on new source IP addresses that got packets filtered
• Summary messages during attacks from wide range of sources
7. Change Log
• Provide an external trail of all the changes to your Arbor APS system


Notification Settings – Blocked Hosts

[Screenshot callout: Found under Settings tab]

• Allows some time to pass between blocked host notifications for a given host,
even if the host is blocked again within that time
• Select a longer interval to minimize the number of notifications per blocked host
• Select a shorter interval for a more precise record of how often a host is blocked
• For example, you might want to receive more frequent notifications if you use
a Security Information and Event Management (SIEM) system to manage your
Arbor APS blocked hosts



Notifications for Protection Groups
• “Protection” alert type includes alerts for protection level changes
of a protection group
• Any change between Low, Medium, and High
    Jan 18 11:01:05 LabAPS Arbor: Protection Level: Changed Protection Level from low to high for protection group Web Server Farm,URL: https://labaps.arbor.net/summary/

• “Deployment” alert type now includes alerts for Protection Group Mode
changes
• Any change between Active and Inactive
    Jan 18 11:01:10 LabAPS Arbor: Protection Mode: Changed protection mode to active for protection group Web Server Farm,URL: https://labaps.arbor.net/summary/

• “Bandwidth” alert type for traffic alerts
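
For SIEM-side handling of the two syslog messages shown on this slide, an added Python example (not Arbor code) that parses them and flags changes that weaken protection. The last three sample lines are constructed, and the assumption is that a change to inactive uses the same message layout as the "active" example.

```python
import re

# Lines 1-2 are the slide's examples; lines 3-5 are constructed for this sketch.
SAMPLE_LINES = [
    "Jan 18 11:01:05 LabAPS Arbor: Protection Level: Changed Protection Level from low"
    " to high for protection group Web Server Farm,URL: https://labaps.arbor.net/summary/",
    "Jan 18 11:01:10 LabAPS Arbor: Protection Mode: Changed protection mode to active"
    " for protection group Web Server Farm,URL: https://labaps.arbor.net/summary/",
    "Jan 18 11:07:42 LabAPS Arbor: Protection Level: Changed Protection Level from high"
    " to low for protection group Web Server Farm,URL: https://labaps.arbor.net/summary/",
    "Jan 18 11:08:03 LabAPS Arbor: Protection Mode: Changed protection mode to inactive"
    " for protection group Web Server Farm,URL: https://labaps.arbor.net/summary/",
    "Jan 18 11:09:00 LabAPS sshd[411]: unrelated line from another program",
]

HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"Arbor: (?P<kind>[^:]+): (?P<body>.+)$")
LEVEL = re.compile(
    r"^Changed Protection Level from (?P<old>\w+) to (?P<new>\w+) "
    r"for protection group (?P<group>.+?),URL: (?P<url>\S+)$")
MODE = re.compile(
    r"^Changed protection mode to (?P<new>\w+) "
    r"for protection group (?P<group>.+?),URL: (?P<url>\S+)$")
RANK = {"low": 1, "medium": 2, "high": 3}  # the three levels named on the slide


def parse_line(line):
    """Return a dict for Protection Level / Protection Mode messages, else None."""
    head = HEADER.match(line.strip())
    if not head:
        return None
    pattern = {"Protection Level": LEVEL, "Protection Mode": MODE}.get(head["kind"])
    body = pattern.match(head["body"]) if pattern else None
    if not body:
        return None
    event = {"ts": head["ts"], "host": head["host"], "kind": head["kind"]}
    event.update(body.groupdict())
    return event


def weakens_protection(event):
    """True when a level drops (e.g. high -> low) or a group goes inactive."""
    if event["kind"] == "Protection Mode":
        return event["new"].lower() == "inactive"
    old, new = RANK.get(event["old"].lower()), RANK.get(event["new"].lower())
    return old is not None and new is not None and new < old


def review(lines):
    """Parse lines and return only the events that reduce protection."""
    events = filter(None, map(parse_line, lines))
    return [e for e in events if weakens_protection(e)]


if __name__ == "__main__":
    for e in review(SAMPLE_LINES):
        print(e["ts"], e["group"], e["kind"], "->", e["new"])
```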



Alert Types Selection Workflow
• Alert Types selection box
[Screenshot callout: Click here to select alert types for this destination]


Alert Types Selection Workflow

• Click on Alert Types box for selection menu


• Select alert type from the menu
• Only unselected Alert Types are listed in the pull-down
• Selected Types are shown in Alert Types field
• Click next to Alert Type to deselect



SYSTEM ALERTS



Administration > System Alerts
• Manage Alerts types
• Active Alerts
• Expired Alerts (alerts history)
• Alert Settings
[Screenshot callout: Alerts are searchable]


Configurable Interface Alerts
• Arbor APS allows individual alerting configuration for every protection
interface pair
• Prevents phantom alerts from unused interface pairs



Traffic Alerts & Baselining
• Arbor APS provides alerting based on violation of traffic baselines
calculated individually for each Protection Group
• The baseline types are:
• Total traffic
• Blocked traffic
• Botnet traffic
• Baselines are calculated separately for
• Bits per second (bps)
• Packets per second (pps)



Traffic Alert Types
• Total traffic
• Indication of possible new attack
• Blocked traffic
• Indication that legitimate traffic might be newly blocked
• Indication that attack may be increasing
• Botnet traffic
• Sum of medium and high AIF security levels only
• Indication to increase AIF security level
• Licensed traffic
• System traffic exceeds 90% of licensed throughput limit
• Not user configurable



Baseline Calculation
• Every hour, Arbor APS takes the top 30-minute average of each of the previous 7 days and uses the top 4 of those 7 values to form the baseline
• User can click icon on the Protection Group/Edit page to see traffic statistics, calculated baselines and calculated alerting thresholds


AIF License Alert
• Arbor APS will generate an alert within 30 days of license expiration
[Screenshot callout: AIF license expiration Info displayed by clicking the “About” link]


Licensed Traffic Alert
• Licensed traffic alert context menu icon opens the About window
• System Information displays Throughput graph of inspected traffic

• Traffic above Inspected Throughput Limit appears in red



Traffic Alert Settings
• Global Traffic Alerting settings for each baseline type
• Possible to define minimum thresholds for alert triggering
• Per Protection Group Traffic Alerting
• May be triggered by either baseline-generated or static thresholds as chosen
in protection group settings
• Individual PG settings for each traffic alert type
• Can use static thresholds instead of baseline detection
• Can disable traffic alerting



Traffic Alerts – Global Settings
• Use slider to set threshold above baseline
• Threshold range is 1% to 750% above baseline
• Threshold slider at far left is “off” (disabled)
• Use minimum thresholds to reduce off-hours alerts



Traffic Alerts – Protection Group Settings
• View Protection Group status/settings pane now shows current traffic alert
settings for that PG
• Click “Edit” to modify traffic alert settings

[Screenshot callout: Links to global baseline settings, if used by PG]


Traffic Alerts – Protection Group Settings
• When editing a protection group, each type of traffic alert can be separately configured for:
• Baseline detection using global settings
• Static threshold settings for this protection group only
• Disable traffic alerts
[Screenshot callouts: Link to traffic baseline graph; Link to global baseline settings]


Alert Threshold Trigger & Duration
• Traffic is compared to thresholds every minute
• Baseline detection and static thresholds work the same
• License alerts are just a special form of static threshold
• If average traffic for the past 5 minutes exceeds a threshold, an alert
is triggered for that threshold
• Based on the previous five one-minute traffic counts
• A single minute could be a trigger with enough traffic
• Alert expires 1 hour after the alert trigger
• If a threshold violation is detected again for a threshold that has
an active alert
• Alert expiration is reset to 1 hour after current time
• Alert details are updated
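
The trigger and expiry rules on this slide, together with the calculation from the Baseline Calculation slide, as an added Python sketch (not Arbor code). Assumptions: the four retained daily peaks are averaged, the minimum threshold acts as a floor, and time is a minute index; the traffic series is constructed.

```python
WINDOW_MIN = 5    # slide: average of the previous five one-minute counts
EXPIRY_MIN = 60   # slide: alert expires 1 hour after the (latest) trigger


def baseline_from_daily_peaks(daily_peaks):
    """daily_peaks: the top 30-minute average of each of the previous 7 days.
    Assumption: the top 4 values are averaged (the slide does not say how
    the four values are combined)."""
    if len(daily_peaks) != 7:
        raise ValueError("expected one peak value per day for 7 days")
    top4 = sorted(daily_peaks, reverse=True)[:4]
    return sum(top4) / 4


def threshold(baseline, percent_above, minimum=0.0):
    """Threshold set 1%..750% above baseline.
    Assumption: the configured minimum threshold is applied as a floor."""
    if not 1 <= percent_above <= 750:
        raise ValueError("slider range is 1% to 750% above baseline")
    return max(baseline * (1 + percent_above / 100), minimum)


def simulate(per_minute, limit):
    """Evaluate the rule once per minute; return [(start_minute, expiry_minute)]."""
    alerts, active = [], None            # active = [start, expiry]
    for minute in range(WINDOW_MIN - 1, len(per_minute)):
        if active and minute >= active[1]:
            alerts.append(tuple(active))  # one hour passed with no new violation
            active = None
        window = per_minute[minute - WINDOW_MIN + 1: minute + 1]
        if sum(window) / WINDOW_MIN > limit:
            if active is None:
                active = [minute, minute + EXPIRY_MIN]
            else:
                active[1] = minute + EXPIRY_MIN   # violation again: reset expiry
    if active:
        alerts.append(tuple(active))
    return alerts


def constructed_traffic(spike_minutes, length=200, idle=100, spike=900):
    """Constructed series: flat traffic with single-minute spikes."""
    series = [idle] * length
    for m in spike_minutes:
        series[m] = spike
    return series


if __name__ == "__main__":
    base = baseline_from_daily_peaks([80, 120, 100, 90, 110, 70, 130])
    limit = threshold(base, percent_above=100)
    # One spiked minute lifts the 5-minute average over the limit for 5 checks.
    print(limit, simulate(constructed_traffic([10]), limit))
    # A second spike while the alert is active only pushes the expiry out.
    print(simulate(constructed_traffic([10, 70]), limit))
```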



Traffic Alerts – UI Presentation & Workflow
• Active traffic alerts are presented on summary page
• Mouse over the alert name to get a context menu
• Use the context menu to view the Protection Group page


Active Alerts Warning

• Summary warning in status bar for admin users when system alerts occur
• Also appears at login if alerts are active


Active Alerts

• Shows all active system alerts


• Active alerts in Summary are exactly the same as active alerts
at Administration > System Alerts
• Only appears on Summary Page when there are active alerts
• Expired alerts are not shown here
– Go to Administration > System Alerts to see them or click Total Expired Alerts link



BACKUP AND RESTORE


Backup & Restore Features
• Complete Backup and Restore feature
• Backup configuration locally or remotely
• Backup traffic databases remotely
• Full and Incremental backups
• Flexible scheduling
• Separate for full and incremental backups
• SFTP remote export of backups
• Manual HTTP download and upload
• Manual restore of local or uploaded backups



Backup & Restore Settings Configuration
[Screenshot callouts: Available backups list includes action buttons; Backup Scheduling; Backup Server Settings]


Backup Data Options
• The backup data can be
• Configuration data only
• Configuration and traffic data


Backup Files Location Options
• Backup files can be stored locally or in a remote file server

• Local backups
• Can save system configuration but not traffic data
• Remote backups
• Can save system configuration and, optionally, traffic data



Remote Backup Server Settings
• Server settings are required to
determine backup files storage location
• A single server, local or remote,
is used for all backups
• Both manual and scheduled backups
use the same server settings
• Backups can be exported via SFTP
• Configuration and / or traffic databases



Automatic Backup Scheduling
• Full or Incremental backups
• Once per day or per week
• Arbitrary start time
• 5 minute increments

[Screenshot callout: Limited to “Configuration” if remote server is not set]


Traffic Data Backup
• Traffic Data can only be included if “Remote” server is set

[Screenshot callout: Backup Items can be selected or deselected]


Creating a Manual Backup
• Backups can be run manually at any time
[Screenshot callout: Start a backup manually]


Manual Backup Options
• Backups can be full or incremental
• Backups can include traffic data or just configs
[Screenshot callout: Start a backup manually]


Manual Backup
• Status messages appear when a backup or restore action is running
[Screenshot callouts: Status message bar while process runs; Status messages; User may cancel backup process; Action buttons disabled during running process; Menu bar alert appears briefly at process start]


Available Backups

[Screenshot callout: New backup result appears as an available backup]


Available Backups – File Location
• The “Available Backups” list shows backups on the configured
backup server
• When the backup server is “Local”, the backup list shows backups stored
in the local Arbor APS file system
• When the backup server is a remote SFTP server, Arbor APS logs into
the SFTP server to derive the backup list from SFTP file list output on
the remote server



Backup File Download & Upload
• Local backups can be downloaded or uploaded manually

[Screenshot callouts: Selected; Download selected backup file; Upload a backup file]


Restoring
• Both local and remote backups can be restored from Available Backups
in the GUI

[Screenshot callouts: Selected; Restore from selected backup file]


Restoring
• Confirmation is requested for backup restoration



Restoring


• During restoration Arbor APS goes into Software Bypass mode



Backup Deletion
• Arbor APS
• Keeps the five newest full backups
• Keeps any incremental backups that depend on the five most recent
full backups
• Automatically deletes all backups older than the fifth-oldest full backup
• Automatic deletion of expired backups is done on both local and remote
backup servers
• No manual deletion of backups from GUI
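
The retention rules above as an added Python example (not Arbor code), useful for predicting which backups will disappear from a local or SFTP listing and how far back a restore can reach. Assumptions: an incremental depends on the latest full backup taken on or before it, an incremental with no base full is treated as expired, the deletion cutoff is read as the oldest of the five retained full backups, and the file names and day numbers are constructed.

```python
from bisect import bisect_right
from dataclasses import dataclass

KEEP_FULL = 5  # slide: the five newest full backups are kept


@dataclass(frozen=True)
class Backup:
    name: str   # constructed file name
    day: int    # creation time, as a day number
    kind: str   # "full" or "incremental"


def plan_retention(backups):
    """Return (keep, delete, oldest_restore_day) for a backup listing."""
    ordered = sorted(backups, key=lambda b: b.day)
    fulls = [b for b in ordered if b.kind == "full"]
    kept_fulls = {b.name for b in fulls[-KEEP_FULL:]}
    full_days = [b.day for b in fulls]
    keep, delete = [], []
    for b in ordered:
        if b.kind == "full":
            base = b
        else:
            # Assumed dependency: the latest full taken on or before this day.
            idx = bisect_right(full_days, b.day) - 1
            base = fulls[idx] if idx >= 0 else None
        if base is not None and base.name in kept_fulls:
            keep.append(b.name)
        else:
            delete.append(b.name)
    oldest_restore_day = fulls[-KEEP_FULL:][0].day if fulls else None
    return keep, delete, oldest_restore_day


def sample_backups():
    """Constructed listing: weekly fulls on days 0..42, an incremental 3 days after each."""
    listing = []
    for day in range(0, 49, 7):
        listing.append(Backup(f"full-{day:02d}", day, "full"))
        listing.append(Backup(f"incr-{day + 3:02d}", day + 3, "incremental"))
    return listing


if __name__ == "__main__":
    keep, delete, oldest = plan_retention(sample_backups())
    print("keep:  ", keep)
    print("delete:", delete)
    print("oldest restorable day:", oldest)
```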



DATA RETENTION COMPLIANCE


Data Collection Rules (1 of 2)
• Arbor APS stores data on the traffic that it sees
for both real-time and historical reporting/analysis
• All data is stored up to one year
• If Restrictive Data retention is enabled then it takes
precedence over the pre-defined timeframe of one year
• Interface
• Tx/Rx
• bps/pps
• System Level
• Total Traffic
• Passed/Blocked Traffic
• Passed/Blocked Traffic per country
• Top Sources/Destinations
• Blocked Hosts



Data Collection Rules (2 of 2)
Prevention                      Generic        Web            Other
Passed traffic                  Yes bps/pps    Yes bps/pps    Yes bps/pps
Blocked traffic                 Yes bps/pps    Yes bps/pps    Yes bps/pps
Blocked traffic per Prevention  Yes *          Yes *          Yes *
URLs                            Top 10 **      Top 10 **      No
HTTP Domains                    Top 10 **      Top 10 **      No
IP Location                     Top 10         Top 10         Top 10
Protocols                       Top 10         Top 10         Top 10
Services                        Top 10         Top 10         Top 10
Web Crawlers                    Top 10         Top 10         Top 10

* Data reported for each prevention is dependent on the type of prevention
** Reporting can be disabled to improve performance


Data Retention Settings
• Organizations with policies against long term storage of network data can set data lifetime here
• Data is deleted daily


OTHER ADMINISTRATIVE TASKS


Manual AIF Update Option
• Isolated deployments without internet access on management interfaces can now get AIF updates

• Update files are available at https://update.arbor.net/


• Update files are encrypted and compressed
• Manual update is possible only when valid AIF license key is installed



General Settings – Time & Date Format
• Change GUI display of date and time to local preference
• Cannot set time here
• Must use CLI
[Screenshot callout: System Timezone]


Custom Interface Names
• Administrators can set custom interface names for extX and intX interfaces.
• That simplifies identification of interfaces in complicated topologies (APS-2100
can have up to 12 interfaces)



Custom Interface Names: Presentation
• Interface names will appear on summary page and Packet Capture filter


Upload Custom Banner Logo
[Screenshot callouts: Default Arbor APS banner logo shown in upload section; Button for upload of custom logo]

• Customers may replace the Arbor APS logo above the menu bar with their
own logo image



Upload Custom Banner Logo Dialog



Custom Banner Logo Upload is Complete
[Screenshot callouts: Current banner logo shown in upload section; May replace this logo again; New button for return to default logo]

• Full page reload is required for new logo to appear
• Caution: Clicking the Lock Logo button (which appears after successfully uploading a custom logo) will disallow uploading another custom logo or reverting to the default logo. This is permanent and non-recoverable


Upload PKI or Custom SSL Certificate

[Screenshot callout: Upload new GUI SSL certificate]

• Customers who must have a GUI SSL certificate signed via PKI or their
own CA can upload one
• Client sessions such as AIF will continue to use embedded Arbor certificate
• SSL cert must always be uploaded with a CA cert



Upload PKI or Custom SSL Certificate

[Screenshot callout: Both certificates are specified]


Upload PKI or Custom SSL Certificate

• Arbor APS warns after upload button click that change of SSL certificate
will disrupt GUI session
• Full browser reload is often not needed, but is easiest to explain to customers



Upload PKI or Custom SSL Certificate



Custom SSL Certificate Upload Complete
• Most browsers will immediately show an error due to mid-session change
in Arbor APS SSL certificate
• A reload attempt on a secure browser will bring up a security warning exception
dialog
• A page reload and browser acceptance of the new certificate will restore
access to the Arbor APS GUI
• You might not even lose the login session



Custom SSL Certificate Upload Complete

[Screenshot callouts: New button for return to default certificate; May update cert directly]


Download SNMP MIB Files
• Customers can download Arbor APS MIB and Arbor SMI MIB for use with
SNMP queries and SNMP notification traps from the File Management page

[Screenshot callout: Download MIB files]


Re-initializing disks from scratch
• Initialize the disks
• Creates the boot, data and system partitions
    system disk initialize
• Start the disks
• This allows you to load ArbOS and Arbor APS to disk
    system disk start all
• Install ArbOS and reboot for OS to take effect
    system file install flash:arbos-X.X-YYYY-i686 reload
• Install Arbor APS package
    system file install flash:Arbor-APS-V.v-YYYY


Unit Summary
In this unit we have learned how to:
• Perform administrative tasks related to:
• User Administration
• File Management
• Notifications
• System Alerts
• Backup and Restore
• Performance Management
• Data Retention Compliance
• Other Administrative Tasks



Q&A / THANK YOU
