• Management interfaces:
– Access the Command Line Interface (CLI):
• By direct connection using serial console or VGA/USB
• Via SSH over mgt0 or mgt1 ports
– Web User Interface (via HTTPS)
– Other management via SOAP APIs and a Web Services API
[Figure: Protection interfaces. Protection ports are paired EXT/INT (ext0/int0, ext1/int1, ... ext5/int5) and carry inbound and outbound traffic; the diagram is also labelled 10.2.24.76.]
• Log in to the UI
• Viewing the Summary Page and UI Walkthrough
• Basic configuration tasks
– Configure DNS – DNS is used to find the AIF
– Check licensing status
– Check if AIF working and force an update
– Set NTP – optional, unless Cloud Signaling is configured
– Configure SMTP Server
– Create Notifications
– Create Protection Groups
Protection monitoring and configuration
Configure:
• Time Zone
• DNS
• NTP Servers
[Figure: AIF update screen, with callouts: Update button was clicked; AIF update in progress; status of most recent update; HTTPS proxy service; manual AIF updates; automatic AIF updates; adjustable update interval.]
• Protection Groups (PGs) protect a defined group of hosts and provide extensive traffic analysis for it
• A PG represents either IPv4 hosts or IPv6 hosts that you need to protect
• Protection Groups are defined by a combination of
1. a list of protected internal hosts
• Host IP, subnet, or domain name
2. a Server Type
• A global object that provides prevention settings to this protection group
Example Protection Groups:
• IPv4 Default Protection Group – prefix 0.0.0.0/0 – all IPv4 traffic, except for the traffic that is destined to 192.0.2.0/24
• Protection Group 7 (serving as a default Protection Group for IPv6 hosts) – prefix ::/0 – all IPv6 traffic, except for the traffic that is destined to fe80:22:ab00::/40
When different length prefixes of the same network are protected by more than one PG, APS matches traffic to the most specific (longest) prefix
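The longest-prefix rule above is the same one a router uses for its forwarding table. The following Python is an added example, not APS code or output: it builds a small PG table and resolves destination addresses to the most specific group. The two default groups and the excluded prefixes come from the slide; the group names "Web servers" and "IPv6 lab hosts" for those excluded prefixes are assumed, because the slide does not name the groups that own them.

```python
import ipaddress

# Constructed Protection Group table (example only, not an APS export).
# The names "Web servers" and "IPv6 lab hosts" are assumed; the slide only
# shows the two default groups and the prefixes carved out of them.
PROTECTION_GROUPS = [
    ("IPv4 Default Protection Group", "0.0.0.0/0"),
    ("Web servers", "192.0.2.0/24"),
    ("Protection Group 7 (IPv6 default)", "::/0"),
    ("IPv6 lab hosts", "fe80:22:ab00::/40"),
]


def build_table(groups):
    """Parse each prefix once and order the table longest prefix first,
    so a linear scan returns the most specific match."""
    parsed = [(name, ipaddress.ip_network(cidr, strict=False)) for name, cidr in groups]
    return sorted(parsed, key=lambda item: item[1].prefixlen, reverse=True)


def match_protection_group(dst, table):
    """Return the name of the most specific PG whose prefix contains dst,
    or None when no PG of the same address family covers it."""
    addr = ipaddress.ip_address(dst)
    for name, net in table:
        # Skip groups of the other address family; a /0 of one family must
        # never swallow traffic of the other.
        if addr.version == net.version and addr in net:
            return name  # first hit is the longest prefix by construction
    return None


def classify(destinations, groups=PROTECTION_GROUPS):
    """Map every destination address to its Protection Group name."""
    table = build_table(groups)
    return {dst: match_protection_group(dst, table) for dst in destinations}


if __name__ == "__main__":
    # Constructed destinations: one inside each carved-out prefix, one that
    # falls through to each default group.
    sample = ["192.0.2.10", "198.51.100.5", "fe80:22:ab00::1", "2001:db8::1"]
    for dst, pg in classify(sample).items():
        print(f"{dst:>20} -> {pg}")
```

Because the table is sorted by prefix length before the scan, adding a more specific group later (say a /32 for a single DNS server inside 192.0.2.0/24) changes the result for that host only; everything else still falls through to the broader group, which mirrors how the slide describes APS behaviour.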
[Figure: Add Server Type dialog; callout: specify the name of the new server type.]
If Protection Level Automation is enabled, but you do not enable the Global
Total Traffic Threshold, then the APS does not automate the protection level
or trigger this type of alert
[Figure: Data center topology. Attack traffic and good traffic pass through the firewall to the protected servers: Web 172.17.##.20/30, DNS 172.17.XX.21/32, File 172.17.##.22/32.]
[Figure: Summary page controls: Time Period selector and bps/pps toggle; buttons to choose the time period for all data.]
Tasks to complete:
• In the CLI, change Deployment Mode to Inline (Inactive)
• Change cabling so that traffic now flows through the APS
– Connect router to ext0
– Connect firewall to int0
• Let the APS operate in Inactive Protection Mode and validate that its introduction does not cause any new issues
– Sometimes there are problems in the physical Ethernet connections
• Check for possible false positives while in Inactive Protection Mode
• Move to Active Protection Mode to mitigate attacks
• Check for possible false positives or unwanted side effects
Note: Inline deployment mode appears as Inline Bridged and the layer 3
deployment mode appears as Inline Routed.
Note: Capture is independent for each Server Type and can also happen in Inactive or Monitor modes
• Ensure that the desired Protection Setting is enabled in order for Network Profile to populate the profile window
• For the profile data to be accurate
– At a minimum, values must be set for the current protection level
• In this example we are using the low protection level
– Configured values for certain protection settings should be higher than the traffic rates that you expect the capture to observe
• The example shows setting the Low value to 999999999 (bps and pps) to populate the profile window while not stopping any rate-based traffic
Note: There is no View Profile icon next to Protection at this point
• AUTO button sets the thresholds for the Protection setting to values that
should work well for most circumstances
– It is calculated according to the following rules
• Low: Maximum seen * 2
• Medium: 99.9 percentile
• High: 99.0 percentile
Y-axis Scale
• Log histograms are useful for seeing values observed in traffic from any number of hosts
– Useful for choosing settings for Low protection levels
– Helps choose settings that include all legitimate observed hosts, even those with extreme usage
• Even a single extreme legitimate client is easily seen
– Typical behavior of majority is not obvious
• Linear histograms are useful for seeing values observed in majority traffic
– Useful for choosing settings for High protection levels
– Helps choose settings that include all typical users
– Hosts with extreme usage are not obvious
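To make the AUTO rules and the log-versus-linear point concrete, here is an added Python example (not APS code, and not the exact arithmetic the product uses). It takes a constructed set of per-host rates from a profile capture, applies the three rules from the slide (Low = maximum seen * 2, Medium = 99.9th percentile, High = 99.0th percentile), and draws the same count histogram with a linear and with a logarithmic y-axis. The nearest-rank percentile method is an assumption; the slide does not say how APS interpolates.

```python
import math

# Constructed sample: one observed rate (e.g. requests per second) per source
# host seen during the profile capture. 999 ordinary hosts plus a single
# legitimate but extreme client at 5000. These numbers are made up.
SAMPLE_RATES = [10] * 900 + [20] * 50 + [50] * 30 + [100] * 15 + [200] * 4 + [5000]


def percentile(values, pct):
    """Nearest-rank percentile (assumed method; the slide does not state
    which one APS uses). round() removes float noise from pct * n / 100."""
    ordered = sorted(values)
    rank = math.ceil(round(pct * len(ordered) / 100, 9))
    return ordered[max(rank, 1) - 1]


def auto_thresholds(values):
    """Apply the AUTO button rules quoted on the slide."""
    return {
        "low": max(values) * 2,              # Low: maximum seen * 2
        "medium": percentile(values, 99.9),  # Medium: 99.9 percentile
        "high": percentile(values, 99.0),    # High: 99.0 percentile
    }


def value_counts(values):
    """Histogram bins: one bin per distinct observed rate, sorted by rate."""
    counts = {}
    for v in values:
        counts[v] = counts.get(v, 0) + 1
    return dict(sorted(counts.items()))


def bar_length(count, max_count, width, scale):
    """Bar length for one bin on a linear or log10 y-axis."""
    if scale == "linear":
        return round(count / max_count * width)
    if scale == "log":
        return round(math.log10(1 + count) / math.log10(1 + max_count) * width)
    raise ValueError(f"unknown scale {scale!r}")


def text_histogram(values, scale, width=40):
    """Render the per-rate host counts as a text bar chart."""
    counts = value_counts(values)
    peak = max(counts.values())
    rows = []
    for rate, count in counts.items():
        bar = "#" * bar_length(count, peak, width, scale)
        rows.append(f"{rate:>6} | {bar:<{width}} {count}")
    return "\n".join(rows)


if __name__ == "__main__":
    print("AUTO thresholds:", auto_thresholds(SAMPLE_RATES))
    for scale in ("linear", "log"):
        print(f"\n{scale} y-axis:")
        print(text_histogram(SAMPLE_RATES, scale))
```

On this data Low comes out at 10000, comfortably above the single extreme client, while High is 100 and Medium is 200, which describe the ordinary population. In the linear rendering the bin holding that one extreme host rounds to a zero-length bar next to the 900-host bin, so it is easy to miss; on the log axis it still gets a visible bar, which is exactly why the slide recommends the log view when choosing Low settings and the linear view for High settings.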
– A Protection that has rate settings configured should not block or blacklist any traffic during the profile capture
• Blocked traffic will cause inaccurate network profile calculation
• This is valid even in Inactive or Monitor modes
• Changing the values of Protection settings during a profile data capture for the following Protection settings:
– DNS NXDomain Rate Limit
– DNS Rate Limit
– HTTP Rate Limit
– Rate Based Blocking
– SIP Request Limit