Content Inspection Director
Software Version: 2.41
7 July 2006

Table of Contents

Chapter 1 - Introduction & Overview
    Introduction
        Introducing CID
    CID Overview
        Content Management Load Balancing
        Flow Management
        Special Protocol Treatment
        Technical Description

Chapter 2 - Device Management
    Configuring Device IP Host Parameters for the First Time
        Device IP Host Parameters Introduction
        Erasing the Configuration File
        Resetting the Device
    Version Management and Device Upgrading
        Introducing Upgrades
        Software Version Update
        Saving and Restoring Configuration Files
        Upgrading Licenses
        Upgrading Boot Versions
    Device Configuration Options
        APSolute Insite
        Command Line Interface
    Device Access
        Bandwidth Management Access
        Users Table
        Configuring SNMP
        Web Based Management
        Telnet and SSH
        FTP Content Management
        RADIUS Authentication
        Management Ports
        Ping
        Physical Port Permissions
        Dedicated Management Port
    Device Tuning
        Device Tuning Parameters
        Tuning Memory Check
    Device Services
        NTP Support
        Daylight Saving Time Support
        DNS Client
        Show Tech Support
        Policy Scheduler
    Device Reporting
        Notifications - General
        E-mail Notification
        Syslog
        Event Log

Chapter 3 - Basic Switching & Routing
    Port Settings
        Port Mirroring
        Port Trunking
    Virtual LAN
        What is a Virtual LAN?
        CID VLAN Types
        VLAN Configuration
        VLAN Auto Learn
        VLAN Tagging Support
        Redundancy
        Bridging
    IP Addressing & Routing
        IP Addressing
        Routing
        Alternate Default Gateway
        Routing Information Protocol
        Open Shortest Path First

Chapter 4 - Basic Application Switching
    Farm Management
        Farm Management Overview
        Dispatch Methods
        URL Table and Parameters
        Static URL Table
        Configuring Farms
        Configuring Dispatch Methods
        Configuring Content Based Rules
    Server Management
        Servers Overview
        Physical Servers
    Server Load Balancing
        Client Table Management
        Content Servers Overview
        Configuring Servers
        Alias Port
        Sticky Clients Support
        Server Health Check
    Cache Load Balancing
        What is Caching?
        How Does Cache Load Balancing Work?
        CID Cache Load Balancing
        Client-Server Combinations
        P2P/Kazaa Caching
        Web Cache Coordination Protocol (WCCP) 2
        Enhanced Cache Coordination
    Local Triangulation
        What is Local Triangulation?
        Configuring CID with Local Triangulation
    Server Spoofing
        What is Server Spoofing?
    Network Address Translation
        NAT Types
        Client NAT
        Server Based NAT
        Farm Based NAT

Chapter 5 - Advanced Features
    Flow Management
        What is Flow Management?
        Where to Use Flow Management
        Configuring CID with Flow Management
    Content Load Balancing
        URL Policies
        URL Policies with Mime-Type
        URL Match
        HTTP Match
        MIME Type Support
        Configuring CID with Anti-Virus Servers
    Special Protocol Treatment
        FTP Content Management
        POP3 Support
        RADIUS Based Classification
        HTTP Advanced Features
    SSL Content Check
        What is an SSL Content Check?
        Spoofed AV Gateway Configuration
        Proxy AV Gateway Configuration
    DNS and NTP Services
        DNS Services

Chapter 6 - Redundancy
    CID Redundancy
        Introducing CID Redundancy
        Active / Backup Setup
        Interface Grouping
        Mirroring
    Proprietary ARP Redundancy
        Proprietary ARP
        Backup Fake ARP
    VRRP Redundancy
        Introducing VRRP
        VRRP Redundancy Notes
        Direct Server Connection with VRRP

Chapter 7 - Health Monitoring
    Introducing Health Monitoring
    Configuring Health Checks
        Global Configuration
        Global Parameters Setup
        Health Checks Database
        Binding and Groups
        Regular Health Check
        Group Health Check
        Farm Health Check
    Health Check Methods
        Predefined Methods
        User Defined Methods
    Configuration Examples

Chapter 8 - Bandwidth Management
    Introduction to Bandwidth Management
        What is Bandwidth Management
    Bandwidth Management Policies
        What is Bandwidth Management Policy
        Bandwidth Management Classification Criteria
        Bandwidth Management Rules
    Bandwidth Management Classes
        Services
        Networks
        Port Groups
        VLAN Tag Groups
    Protocol Discovery
        What is Protocol Discovery
        Protocol Discovery Policies
    Interface Classification
        Port Bandwidth
        Interface Classification

Chapter 9 - Security
    Security Overview
        Security Introduction
        Security Modules
        Setting Up Security Policies in the Connect and Protect Table
        Enabling Protection and Setting Up General Security Parameters
        Defining Connectivity
        Suspend Table
    Managing the Signatures Database
        Protection Profiles and Groups Supplied by Radware
        Security Signatures File Update
    Intrusions
        Introduction to Intrusions
        Intrusion Prevention Profiles
        Setting Up Intrusion Prevention Using Profiles and Groups
        Defining Intrusion Prevention with User-Defined Settings
        Setting Up Attacks and Filters
        Custom Attack Groups
        Creating a New User-Defined Intrusion Prevention Profile
    DoS/DDoS
        Introducing DoS/DDoS
        DoS/DDoS Protection Services
        Introduction to DoS Shield
        Setting Up DoS Shield Using Radware Profiles
        Defining DoS Shield with User-Defined Settings
        Introduction to Application Security
        Setting Up Application Security for DoS/DDoS Using Profiles and Groups
        Defining Application Security Profiles with User-Defined Settings
    Behavioral DoS
        Introduction to Behavioral DoS
        Behavioral DoS Global Parameters
        Behavioral DoS Advanced Settings
    Connection Limit
        Creating Connection Limiting Policies
    SYN Flood Protection
        Introduction to SYN Flood Protection
        Before Setting Up SYN Flood Protection
        SYN Flood Protection General Settings
        Creating Custom SYN Attacks
        Configuring SYN Flood Protection Policies
        SYN Flood Reporting
    Protocol Anomalies
        Anomalies Introduction
        Setting Up the Anomalies Module Using Predefined Profiles
        Defining Anomalies with User-Defined Settings
    Anti-Scanning
        Introduction to Anti-Scanning
        Setting Up Anti-Scanning Using Profiles and Groups
        Defining Anti-Scanning with User-Defined Settings
    Session Table
        What is the Session Table
        Session Table Lookup Mode
        Configuring the Session Table
    Evasion Techniques
        Introduction to Evasion Techniques
        IP Reassembly and Min IP Fragmentation
        TCP Reassembly
    Security Events and Reports
        Events and Event Reporting
        Reporting Channels
        Security Reports

Chapter 10 - Application Switching Platforms
    Introduction to Intelligent Application Switches
        Application Switch 1
        Application Switch 2
        Application Switch 3
        Application Switch 4
        Application Switch 5
    Physical Description
        Application Switches Physical Description
    Device Installation
        Checking the Contents
        Mounting the Device
        Connecting the Device to Your Network
    Device Interfaces
        Interfaces - Introduction
    Specifications
        Specification Table
        Gigabit Ethernet Specifications
    Serial Cable Pin Assignment
    Troubleshooting

Chapter A - Troubleshooting
    Troubleshooting Topics
    CID Limitations

Chapter B - Loopback Interfaces
    AIX
    HP-UX
    Linux
    Solaris
    Windows NT

Chapter C - Regular Expressions

Chapter D - Glossary
    Commonly Used Terms
    List of Abbreviations

Index

Table of Figures

Figure 1-1 CID Content Load Balancing
Figure 1-2 Flow Management
Figure 1-3 RADIUS Based Classification
Figure 2-1 FTP Proxy Content Management Configuration
Figure 3-1 Transparent CIDs in VLAN
Figure 3-2 VLAN Tagging Example
Figure 4-1 Farm Policy Components
Figure 4-2 URL Table Based Server Direction Configuration
Figure 4-3 Client Table Configuration
Figure 4-4 CID with Transparent Content Servers
Figure 4-5 Caching Example
Figure 4-6 Proxy and Non-Proxy GET Request
Figure 4-7 CID with Transparent Servers in VLAN Environment
Figure 4-8 P2P/Kazaa Caching
Figure 4-9 Local Triangulation Network Setup
Figure 4-10 Local Triangulation with Returned Cache Pages
Figure 4-11 CID NAT Operation
Figure 4-12 Server Based NAT Configuration
Figure 4-13 NAT to Remote Servers
Figure 4-14 Farm Based NAT Configuration
Figure 5-1 Clients from Networks A & B
Figure 5-2 Network A Client Redirection
Figure 5-3 Network B Client Redirection
Figure 5-4 Flow Management
Figure 5-5 Cache Farm and URL Filter Farm in Spoofed Mode
Figure 5-6 Cache Farm and URL Filter Farm in Non-Spoofed Mode
Figure 5-7 Single Interface Servers with MIME Type Support
Figure 5-8 Dual Interface Gateway Servers with MIME Type Support
Figure 5-9 Single Interface Proxy Servers with MIME Type Support
Figure 5-10 FTP Proxy Content Management Configuration
Figure 5-11 POP3 Interception Configuration
Figure 5-12 RADIUS Configuration
Figure 5-13 SSL Content Check General Scheme
Figure 5-14 Traffic Flow in Spoofed AV Gateway
Figure 5-15 HTTPS Traffic Flow in Proxy AV Gateway
Figure 5-16 HTTP Traffic Flow in Proxy AV Gateway
Figure 6-1 CID Redundancy Scheme
Figure 6-2 Proprietary Redundancy with Routing
Figure 6-3 Proprietary Redundancy with Bridging
Figure 6-4 Proprietary Parallel Redundancy with Routing
Figure 6-5 Redundant CID Configuration with VRRP
Figure 6-6 Parallel Redundant CIDs with VRRP
Figure 6-7 Direct Server Connection with VRRP and Routing
Figure 6-8 Direct Server Connection with VRRP and Bridging
Figure 6-9 Redundant CIDs with VRRP and Direct Connection
Figure 7-1 Health Monitoring of Multiple Logical Servers
Figure 7-2 Group Health Check
Figure 9-1 Connect and Protect Table
Figure 9-2 Security Settings Window
Figure 9-3 Custom Attack Configuration
Figure 9-4 Filter Configuration Window
Figure 9-5 Attack Group Configuration Window
Figure 9-6 DoS Shield Traffic Flow Diagram
Figure 9-7 Filter Configuration
Figure 9-8 Attack Group Configuration Window
Figure 9-9 Delayed Binding Process
Figure 9-10 SYN Protection Policies
Figure 9-11 SYN Attack Configuration Window
Figure 9-12 Attack Group Configuration Window
Figure 9-13 Attack Group Configuration Window
Figure 10-1 Application Switch 1
Figure 10-2 Application Switch 2
Figure 10-3 Application Switch 3
Figure 10-4 Application Switch 4
Figure 10-5 Application Switch 5
Figure 10-6 Application Switch 1 - Front Panel View
Figure 10-7 Application Switch 2 - Front Panel View
Figure 10-8 Application Switch 3 - Front Panel View
Figure 10-9 Application Switch 4 - Front Panel View
Figure 10-10 Application Switch 5 - Front Panel View
Figure B-1 Loopback Interface Example

Before You Begin

Important Notice

Copyright Radware Ltd. 2006. All rights reserved.

This guide is delivered subject to the following conditions and restrictions: The guide is provided to Radware customers for the sole purpose of obtaining information with respect to the installation and use of the Content Inspection Director (CID), and may not be used for any other purpose. The information contained in this guide is proprietary to Radware and must be kept in strict confidence. The copyright and all other intellectual property rights and trade secrets included in this guide are owned by Radware Ltd. It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without the prior written consent of Radware.

TRADEMARKS
CID and Configware are trade names of Radware Ltd. This document contains trademarks registered by their respective companies.

SPECIFICATION CHANGES
Note: Specifications are subject to change without notice.

Safety Instructions

CAUTION
Due to the risks of electrical shock, mechanical, and fire hazards, any procedures that involve opening panels or changing components must be performed by qualified service personnel only. To reduce the risk of fire and electrical shock, disconnect the device from the power line before removing covers or panels. There are no serviceable parts inside the unit.

SERVICING
Do not perform any servicing other than that contained in the operating instructions unless you are qualified to do so.

HIGH VOLTAGE
Any adjustment, maintenance, and repair of the opened instrument under voltage should be avoided as much as possible and, when inevitable, should be carried out only by a skilled person who is aware of the hazard involved. Capacitors inside the instrument may still be charged even if the instrument has been disconnected from its source of supply.

GROUNDING
Before connecting this device to the power line, the protective earth terminals of this device must be connected to the protective conductor of the (mains) power cord. The mains plug shall only be inserted in a socket outlet provided with a protective earth contact. Do not use an extension cord (power cable) without a protective conductor (grounding).

LINE VOLTAGE
Before connecting this instrument to the power line, ensure the voltage of the power source matches the requirements of the instrument. Refer to the Specifications for information about the correct power rating for the device.

FUSES
Ensure that only fuses with the required rated current and of the specified type are used for replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be made inoperative and be secured against any unintended operation.

INSTALLATION CODES
This device must be installed according to country national electrical codes. For North America, equipment must be installed in accordance with the US National Electrical Code, Articles 110-16, 110-17, and 110-18, and the Canadian Electrical Code, Section 12.

EMC COMPLIANCE
Note: This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC Rules and EN55022 Class A. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.
EN 50082-1 for CE MARK compliance.

CID
If you purchased this device, make note of the following additional instructions.

RESTRICT AREA ACCESS
The DC powered equipment should only be installed in a Restricted Access Area.

DC POWER CONNECTION
1. The DC supply system is to be local, for example within the same premises as the equipment.
2. There shall be no disconnect device between the earthed circuit conductor of the DC source (return) and the point of connection of the earthing electrode conductor.
3. The equipment shall be connected directly to the DC Supply System earthing electric conductor, and shall not be earthed elsewhere.
4. All equipment in the immediate vicinity shall be earthed in the same way.
5. This equipment is designed to permit connection between the earthed conductor of the DC supply circuit and the earthing conductor of the equipment. See Installation Instructions.

OVERCURRENT PROTECTION
A readily accessible listed branch-circuit overcurrent protective device rated 15 A must be incorporated in the building wiring.

Caution - To Reduce the Risk of Electrical Shock and Fire
1. There are no user serviceable parts inside the unit. All servicing should be undertaken only by qualified service personnel.
2. Do not operate the device in a location where the maximum ambient temperature exceeds 40°C / 104°F.
3. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to remove and/or check the main power fuse.
4. Replace a blown fuse ONLY with the same type and rating as is marked on the safety label adjacent to the power inlet housing the fuse.
5. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.
6. DO NOT plug in, turn on or attempt to operate an obviously damaged unit.

Attention: To Reduce the Risks of Electrocution and Fire (French version)
1. All servicing must be carried out ONLY by qualified service personnel. No component can be serviced or replaced by the user.
2. Make sure the chassis ventilation openings ARE NOT OBSTRUCTED.
3. Replace a blown fuse ONLY with a fuse of the same type and rating, as indicated on the safety label next to the power inlet that houses the fuse.
4. Make sure the power cord has been disconnected BEFORE attempting to remove and/or check the main power supply fuse.
5. DO NOT USE the equipment in rooms where the maximum temperature exceeds 40°C.
6. DO NOT connect, power on or attempt to use a unit that is obviously defective.

Measures for Protection against Electric Shock and Fire (German version)
1. No parts inside the device may be serviced by the user. All maintenance work should be carried out exclusively by trained service personnel.
2. Make sure that the ventilation slots on the device are not blocked.
3. Replace a defective fuse only with fuses as specified on the safety label.
4. Disconnect the power cord from the outlet before checking or replacing the main fuse.
5. Do not operate the device in rooms with temperatures above 40°C.
6. Obviously defective or damaged devices must not be connected, switched on or put into operation.
Before You Begin

About This Guide
• Chapter 1 - Introduction & Overview: This chapter presents an introduction and a general overview of the main features of CID (Content Inspection Director).
• Chapter 2 - Device Management: This chapter explains the CID management and maintenance processes, including the management interfaces and methods by which CID devices are accessed, configured and operated.
• Chapter 3 - Basic Switching and Routing: This chapter provides theoretical explanations about switching and routing in general, describes how CID participates in the processes of switching and routing, and presents several aspects of the practical implementation of CID.
• Chapter 4 - Basic Application Switching: This chapter describes the farm and server management concepts and the related features. It also provides examples of common configurations of application switching and load balancing schemes as implemented in CID.
• Chapter 5 - Redundancy: This chapter introduces the redundancy concept and guides you through the related features. It also provides common examples of the various CID redundancy configurations.
• Chapter 6 - Bandwidth Management: This chapter presents the capabilities of the CID Bandwidth Management module.
• Chapter 7 - Health Monitoring: This chapter describes the Health Monitoring module included in the Radware SynApps architecture.
• Chapter 8 - Advanced Features: This chapter presents additional advanced features of the CID devices.
• Chapter 9 - Security: This chapter provides a general overview of the APSolute Insite Security modules and the sub-modules within, as well as an explanation of the signatures database and the Radware Security Update Service (SUS).
• Chapter 10 - Application Switching Platforms: This chapter provides an explanation of Radware's Application Switching Platforms, Device Interfaces, a list of specifications, the Serial Cable Pin Assignment and a troubleshooting section. Also provided in this chapter is an explanation of the tuning process.
• Appendix A - Troubleshooting: This appendix provides troubleshooting solutions to some common CID problems, and describes known CID limitations.
• Appendix B - Loopback Interfaces: This appendix describes the loopback alias setup for CID, according to the operating system. Procedures are included for AIX, HP-UX, Linux, UNIX, Solaris and Windows NT.
• Appendix C - Regular Expressions: This appendix provides an overview of the basic syntax of regular expressions used in CID modules.
• Appendix D - Glossary and Abbreviations: The glossary provides explanations of common terms and concepts used in network configurations.
• Index

Document Conventions
This guide uses the following documentation conventions:
• Command paths in the GUI are presented as: File > Save As.
• To drag and drop an object, click and hold the left mouse button on the object, drag the object to the target location, then release the button.
• Screen displays can differ slightly from those included in this guide, depending on the system you use. For example, Microsoft Windows screens are different from X-Windows screens. Windows systems use a two-button mouse.

Various icons are used throughout the document to indicate the following:
• Note: Important information that requires additional attention.
• Tip: A recommendation, or an optimum way to perform an action.
• Configuration Guidelines: General description of the configuration process.
• To Statement: Detailed operating instructions that explain the step-by-step configuration process.
• Example: An example configuration of an actual scenario.

CHAPTER 1
Chapter 1 - Introduction & Overview

Chapter 1, Introduction & Overview, presents an introduction and a general overview of the main features of CID. This chapter contains the following sections:
• Introduction, page 1-2
• CID Overview, page 1-5
Section 1-1 Introduction

Section 1-1 Introduction describes the purpose, main functions and benefits of CID and discusses CID's role on your network. This section includes the following topic:
• Introducing CID, page 1-3

Introducing CID

Radware's Content Inspection Director (CID) is a smart Internet Traffic Management (ITM) device that utilizes routing capabilities. The CID transparently intercepts Internet-bound user traffic and intelligently load balances the applicable traffic among the content servers. Web page content is analyzed in real time to prevent any malicious content or scripts from entering the network.

CID is designed to fulfill the needs of large organizations that require 100% content inspection in conjunction with redundant high-speed connectivity. Distributing the inspection load across several content inspection resources greatly improves network performance and ensures Internet connectivity uptime. Areas that were traditionally considered bottlenecks are eliminated.

To prevent bottlenecks and single points of failure in the gateway content inspection solution, CID uses load balancing mechanisms to manage servers and server farms. Features such as ongoing health checks and transparent fail-over support ensure that the content inspection server is not a single point of failure and that its resources are always optimized. As the need arises, additional content inspection servers can be added to the existing content inspection architecture, without performance degradation or downtime.

Using CID on your network you can achieve these benefits:
• Speed: Up to 500% increase in content inspection speed.
• Secure Web Access: Secure web access with low latency while maintaining the best content security possible.
• Content Security: Improved content inspection speed and elimination of malicious traffic is ensured by the distribution of content based on IP protocols such as HTTP, FTP and SMTP, and on traffic file type. Separating the different protocols and file types onto several content inspection devices also speeds up the traffic.
• Capacity: Increased capacity and volume of inspected traffic through the aggregation of content inspection servers into farms.
• Scalability: Scalable architecture with Gigabit connectivity accommodates the needs of high capacity networks.
• Availability: Health monitoring and traffic redirection provide high availability. If one of the Content Inspection devices fails, CID reroutes the traffic to another device.
• Interoperability: CID offers full compatibility with all types of content inspection servers and anti-virus gateways.
• Sequential load balancing: Flow management enables sequential load balancing of several server farms, each providing a different service.

Load Balancing

CID includes several advanced load-balancing algorithms that intelligently distribute traffic between Content Inspection devices. Several flexible load-balancing algorithms are used for each server farm, based on each server's specific performance capabilities. CID allows you to set up heterogeneous server farms, that is, farms that utilize servers of varying performance and load capabilities. This allows for additional flexibility when expanding or reducing resources within a farm. CID provides the flexibility to utilize any set of these load balancing techniques for each cluster of Content Inspection devices in order to optimize traffic flow through the network. Specific content inspection policies can be assigned based on source, destination and traffic type.

CID Role in the Network

CID is installed in the path of a user community to the Internet. CID can be installed into a network as a bridge or as a router. When installed as a router, CID supports these protocols: RIP, RIPII, OSPF and VRRP. The device must also be installed so that traffic between the anti-virus servers and the users flows through the CID. CID intelligently redirects traffic among servers in a farm.

Section 1-2 CID Overview

Section 1-2 CID Overview discusses the system architecture and specifications of the CID. This section includes the following topics:
• Content Management Load Balancing, page 1-6
• Flow Management, page 1-9
• Special Protocol Treatment, page 1-11
• Technical Description, page 1-15

Content Management Load Balancing

CID is designed to perform load balancing on content inspection servers, such as cache servers, anti-virus servers, URL filters and so on. CID transparently intercepts Internet-bound user traffic and intelligently load balances the traffic between content servers that operate transparently or non-transparently. As a result, users do not need any browser configuration pointing them to a proxy server. In addition, CID also provides a Virtual IP address for the content farms, so as to facilitate users who need to operate non-transparently. User traffic is distributed among content servers that can be heterogeneous. Figure 1-1 illustrates the Content Load Balancing concept.

Figure 1-1 CID Content Load Balancing (diagram: Clients, CID, Router and Internet, with Server Farm 1 attached to the CID; the numbered arrows 1-4 correspond to the properties below)

Properties:
1. CID performs Load Balancing by selecting a server and then redirecting the client request to that server, which maintains client-server persistency.
2. The selected server sends the client's request to the Internet, which maintains server-site persistency.
3. CID receives the reply from the Internet and sends it to the relevant server, which maintains server-site persistency.
4. The server returns the reply to the client, which maintains client-server persistency.

Server Types

CID supports the following server types:
• Gateway: Server that uses two interfaces.
• Transparent Server: Server that serves the clients transparently, that is, without changing the client's request.
• Regular Server: Non-transparent server or proxy server.
• Cache Server: A proxy server that stores and forwards Web pages.
• Content Server: Other servers, such as anti-virus servers, URL filtering servers and others, which have the ability to check the content up to Layer 7, search for specific content and block it (forbidden URLs, viruses and others).

Cache Load Balancing

In some environments, the use of cache servers, also called "proxy cache" or "proxy" servers, can significantly improve network performance. The CID optimizes the use of cache servers through intelligent load balancing and transparent traffic interception. When a user makes a request to the Internet, CID checks for the content available on each cache to maximize the cache-hit ratio. The cache-hit ratio indicates the efficiency of the cache: the higher the hit ratio, the more requests the cache serves by itself, which results in an improvement in user response time and saves network bandwidth. By transparently intercepting traffic, CID can optimize cache use without burdening the network administration with the requirement of configuring user browsers. This ability also allows for improved network performance and cache server optimization, and at the same time it reduces the use of bandwidth and additional content servers.

Spoofing

Server Spoofing is a process of one device talking to another device using the address of a third device. CID uses the Server Spoofing capability to enable cache servers to retrieve pages on behalf of the client with the client's source address.

Flow Management

The CID Flow Management feature leverages the Farm Management capability by sequentially load balancing several server farms, each providing a different service.
Traffic flow is designed for packets that arrive from the client, are examined by CID, load balanced within a farm, returned from the selected server to CID, examined again and load balanced within a different farm, and so on. The farm selection decision is based on the source IP and on the MAC address. This way CID can distinguish between clients and servers, even if the servers use spoofing. Initially, farms and servers are configured, then the policies handling the different traffic classifications for each farm are defined. Adding farms to a farm cluster element adds control to the distribution of traffic by matching the various policies to the correct farms, including sending the traffic through multiple farms when a traffic condition meets those predefined policies. The example in Figure 1-2 illustrates the flow management concept.

Figure 1-2 Flow Management (diagram: Users, CID, Access Router and Internet, with a URL Filter, a Cache Server and an Anti-Virus Gateway attached to the CID; the numbered arrows 1-8 correspond to the properties below)

Properties:
1. The client sends a request to the Internet. The request packet is intercepted by the CID.
2. CID redirects the packet to the URL farm, which checks the packet's content.
3. The URL server returns the packet to the CID.
4. CID then sends the packet to the Cache server, which checks the content.
5. The Cache server returns the packet to the CID.
6. CID sends the packet to the Anti-Virus server, which checks the packet's content.
7. The Anti-Virus server returns the packet to the CID.
8. CID then sends the packet to the Internet through the Access Router.

Special Protocol Treatment

Special protocol treatments implemented in CID include the following IP protocols:
• RADIUS
• POP3
• FTP
• HTTP

RADIUS Classification

The RADIUS service allows authenticating and storing of the account information for network users. CID employs a special feature for RADIUS support, RADIUS Based Classification. With RADIUS Based Classification, CID can provide service to clients based on a configured RADIUS profile. The RADIUS profile identifies the user and allows CID to apply farm policies or cluster flow policies according to the attributes that are defined in the RADIUS Policy Table. This capability enables service providers and large networks to identify dial-up and NATed users by authentication tokens and not by source IP address.

CID monitors the traffic and checks the RADIUS messages for user privileges. According to this information, CID assigns clients to networks that are added to the Network Table. The networks can then be used when defining farm policies, flow clusters, BWM policies and so on. CID releases a client from the Network Table when the NAS (Network Access Server) sends a RADIUS stop accounting message, or when the IP address is assigned to a new user.

CID works with RADIUS in the following modes:
• Transparent Mode: CID is installed between the NAS and the RADIUS server.
• Proxy Mode: CID is installed as a RADIUS proxy.

Figure 1-3 illustrates the configuration used in RADIUS based classification.

Figure 1-3 RADIUS Based Classification (diagram: Clients, NAS, CID, Router and Internet, with Farm1, Farm2 and the RADIUS Server attached to the CID)

Properties:
RADIUS based classification involves the following stages:
1. When the client initiates a dial-up session, the call (whether a phone or a broadband call) is terminated by the NAS (Network Access Server), which sends the client username and password to the RADIUS Server.
2. The RADIUS server replies with the allocated client IP address and with the user attribute value. CID intercepts the RADIUS handshake traffic and adds the client to the Network Table using its allocated IP address.
3. The NAS completes the client dial-up session by assigning the client IP address and establishing the PPP link.
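The classification flow above, written out as an added example (not Radware's code): a minimal model that parses RADIUS packets, pairs each Access-Request with the Access-Accept carrying the same identifier, and keeps a network table keyed by the Framed-IP-Address the server allocated. An entry is released on an Accounting-Request Stop, or replaced when the same address is handed to a new user, which are the two release conditions the text names. All packets are constructed here for the example; authenticators are zeroed, and the Filter-Id attribute stands in for "the user attribute value" the policy is keyed on.

```python
"""Added example, not Radware's code: a minimal RADIUS Based Classification model.
Packets are constructed inline; authenticators are zeroed for the example."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field
from typing import Optional

# RADIUS codes and attribute types (RFC 2865 / RFC 2866 numbering).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, FRAMED_IP_ADDRESS, FILTER_ID, ACCT_STATUS_TYPE = 1, 8, 11, 40
ACCT_STOP = b"\x00\x00\x00\x02"          # Acct-Status-Type value 2 = Stop


def build_packet(code: int, ident: int, avps: list[tuple[int, bytes]]) -> bytes:
    """Header (code, id, length, 16-byte authenticator) followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_packet(pkt: bytes) -> tuple[int, int, dict[int, bytes]]:
    """Return (code, identifier, {attr_type: value}); reject inconsistent lengths."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet size")
    attrs: dict[int, bytes] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("attribute length out of bounds")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, attrs


def ip_str(raw: bytes) -> str:
    if len(raw) != 4:
        raise ValueError("Framed-IP-Address must be 4 bytes")
    return ".".join(str(b) for b in raw)


@dataclass
class NetworkTable:
    """Client address -> (user name, policy attribute), like CID's Network Table."""
    pending: dict[int, str] = field(default_factory=dict)   # identifier -> user
    entries: dict[str, tuple[str, str]] = field(default_factory=dict)

    def observe(self, pkt: bytes) -> None:
        code, ident, attrs = parse_packet(pkt)
        if code == ACCESS_REQUEST and USER_NAME in attrs:
            self.pending[ident] = attrs[USER_NAME].decode("utf-8", "replace")
        elif code == ACCESS_ACCEPT and FRAMED_IP_ADDRESS in attrs:
            user = self.pending.pop(ident, None)
            if user is None:
                return  # accept without a matching request: nothing to classify
            ip = ip_str(attrs[FRAMED_IP_ADDRESS])
            # Assigning the address to a new user replaces the previous entry.
            policy = attrs.get(FILTER_ID, b"").decode("utf-8", "replace")
            self.entries[ip] = (user, policy)
        elif code == ACCOUNTING_REQUEST and FRAMED_IP_ADDRESS in attrs:
            if attrs.get(ACCT_STATUS_TYPE) == ACCT_STOP:
                self.entries.pop(ip_str(attrs[FRAMED_IP_ADDRESS]), None)

    def classify(self, src_ip: str) -> Optional[str]:
        """Policy attribute for a client address, or None if it is not in the table."""
        entry = self.entries.get(src_ip)
        return entry[1] if entry else None


def demo() -> NetworkTable:
    """Constructed exchange: alice authenticates and is allocated 10.1.2.3 with Filter-Id 'gold'."""
    table = NetworkTable()
    table.observe(build_packet(ACCESS_REQUEST, 7, [(USER_NAME, b"alice")]))
    table.observe(build_packet(ACCESS_ACCEPT, 7, [
        (FRAMED_IP_ADDRESS, bytes([10, 1, 2, 3])), (FILTER_ID, b"gold")]))
    return table


if __name__ == "__main__":
    print(demo().classify("10.1.2.3"))
```

The pairing by packet identifier is what lets a passive observer (Transparent Mode) tie the user name in the request to the address in the reply; in Proxy Mode the same association is available directly, since the proxy forwards both halves. Any real deployment would also verify the Response Authenticator against the shared secret before trusting an Access-Accept, which this model omits.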
POP3

CID supports interception and redirection of POP3 traffic destined to a POP3 proxy server. POP3 sessions are transparently intercepted and redirected to the servers. The sessions are intercepted and sent to the IP address of the server, to open a POP3 session with the proxy agent of the server. The client is unaware of the POP3 proxy server's existence, and supposes that it is directly connected to the POP3 host on the Internet.

To provide POP3 support, CID transforms the client's command from:
USER <user_name>
to:
USER <user_name>#<destination_IP>

This transformation allows the POP3 proxy to extract the destination POP3 host and then to open the POP3 session to that host, on behalf of the client. This is done transparently to the client; the destination IP address is taken from the Layer 3 information of the client's request.

FTP

When deploying an FTP proxy server for FTP caching or FTP content inspection, CID provides special treatment for these servers. CID intercepts FTP sessions of non-configured clients and load balances them to the FTP proxy server farm.

CID transforms the client's command from:
username:password
to:
username:password@<destination_IP>

This transformation allows the FTP proxy server to extract the original destination FTP host and then to open the FTP session to that host, on behalf of the client. This process is transparent to the client.

HTTP

When deploying a non-transparent cache server (proxy server), CID can transform a regular HTTP request into proxy format, from:
GET <path> HTTP/1.1
to:
GET http://<host><path> HTTP/1.0
where the host used is the host of the original request.
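The three rewrites above, reconstructed as an added example (not Radware's code) so the on-the-wire result can be checked. The destination address CID takes from the intercepted packet's Layer 3 header is passed in as dest_ip; the HTTP host comes from the request's Host header. Each rewrite also validates the appended address and refuses a client that already supplies its own "#host" or "@host" suffix, which is the check a proxy operator would want so that a client cannot steer the proxy to a destination of its own choosing.

```python
"""Added example, not Radware's code: CID's POP3, FTP and HTTP proxy-format rewrites."""
from __future__ import annotations

import ipaddress
import re

_USER_RE = re.compile(r"^(USER)[ \t]+(\S+)\s*$", re.IGNORECASE)
_REQ_RE = re.compile(r"^([A-Z]+)[ \t]+(\S+)[ \t]+HTTP/1\.[01]\s*$")


def _checked_ip(dest_ip: str) -> str:
    """Only a literal IPv4 address may be appended to a proxied command."""
    return str(ipaddress.IPv4Address(dest_ip))


def pop3_user(line: str, dest_ip: str) -> str:
    """POP3: 'USER name' -> 'USER name#dest_ip'; other commands pass through unchanged."""
    m = _USER_RE.match(line)
    if not m:
        return line
    name = m.group(2)
    if "#" in name:
        raise ValueError("client already supplied a '#host' suffix")
    return f"{m.group(1)} {name}#{_checked_ip(dest_ip)}"


def ftp_credentials(token: str, dest_ip: str) -> str:
    """FTP proxy form: 'username:password' -> 'username:password@dest_ip'."""
    if "@" in token:
        raise ValueError("client already supplied an '@host' suffix")
    return f"{token}@{_checked_ip(dest_ip)}"


def http_to_proxy_form(request_line: str, headers: dict[str, str]) -> str:
    """'GET /path HTTP/1.1' plus a Host header -> 'GET http://host/path HTTP/1.0'."""
    m = _REQ_RE.match(request_line)
    if not m:
        raise ValueError("not an HTTP/1.x request line")
    method, target = m.group(1), m.group(2)
    if target.lower().startswith(("http://", "https://")):
        return f"{method} {target} HTTP/1.0"       # already in absolute (proxy) form
    if not target.startswith("/"):
        raise ValueError("origin-form request target must start with '/'")
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    # A Host value containing a path or whitespace would let the client rewrite
    # the URL the proxy sees, so the header is rejected rather than spliced in.
    if not host or any(c in host for c in "/?# \t"):
        raise ValueError("missing or malformed Host header")
    return f"{method} http://{host}{target} HTTP/1.0"


if __name__ == "__main__":
    print(pop3_user("USER alice", "203.0.113.10"))
    print(ftp_credentials("alice:s3cret", "203.0.113.21"))
    print(http_to_proxy_form("GET /index.html HTTP/1.1", {"Host": "www.example.com"}))
```

The HTTP rewrite downgrades the version to HTTP/1.0 exactly as the text states; a proxy that receives it must therefore not expect HTTP/1.1-only features such as chunked request bodies from the rewritten request.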
Technical Description

CID software is managed through a network interface and can run on one of the following platforms:
• Application Switch 1
• Application Switch 2
• Application Switch 3
• Application Switch 4
• Application Switch 5

Network Management

CID can be managed through the following network interfaces:
• APSolute Insite (SNMP based GUI)
• Secure Web based management
• SSH II
• Telnet
• HP OpenView for Sun Solaris
• Command Line Interface

Note: For the detailed CID platform technical specifications and physical specifications, please refer to the CID data sheet on the Radware Web site: http://www.radware.com/content/products/cid/techspec

CHAPTER 2
Chapter 2 - Device Management

Chapter 2, Device Management, explains the CID management and maintenance processes, as well as the management interfaces and methods by which CID devices are accessed, configured and operated. The maintenance procedures presented here include information about upgrading and tuning CID devices. In addition, this chapter explains the process of system notifications regarding possible system failures.

This chapter includes the following sections:
• Section 2-1: Configuring Device IP Host Parameters for the First Time, page 2-2
• Section 2-2: Version Management and Device Upgrading, page 2-10
• Section 2-3: Device Configuration Options, page 2-25
• Section 2-4: Device Access, page 2-30
• Section 2-5: Device Tuning, page 2-72
• Section 2-6: Device Services, page 2-75
• Section 2-7: Device Reporting, page 2-84

Section 2-1 Configuring Device IP Host Parameters for the First Time

Section 2-1 Configuring Device IP Host Parameters for the First Time explains how you can establish a connection with the device, as well as how to erase the configuration file.
This section includes the following topics:
• Device IP Host Parameters Introduction, page 2-3
• Erasing the Configuration file, page 2-8
• Resetting the Device, page 2-9

Device IP Host Parameters Introduction

The Device IP host parameters enable the user to establish communication with the device via:
• Secure WBM
• Web Based Management
• SNMP (Simple Network Management Protocol) v1, v2c, v3
• Telnet
• SSH Client

To manually configure the device's IP host parameters for the first time:
1. Connect the serial console to the device as follows:
   a. Open a terminal emulation program with the following parameters:
      Bits per second: 19200
      Data bits: 8
      Parity: None
      Stop bits: 1
      Flow Control: None
2. Ensure that the ASCII terminal is running on the NMS.
3. Turn on the power to the device. After the boot process is complete the start-up menu appears. Select the @ symbol to access the Startup Configuration window, shown below in Table 2-1.

Table 2-1 Startup Configuration
#    Description                 Enable
0    IP Address
1    IP subnet mask
2    Port number
3    Default router IP address
4    RIP version                 (0,1,2) [0]
5    Enable OSPF                 (y/n) [n]
6    OSPF area ID
7    User Name
8    User Password
9    Enable Web Access           (y/n) [y]
10   Enable Secure Web Access    (y/n) [y]
11   Enable Telnet Access        (y/n) [y]
12   Enable SSH Access           (y/n) [y]
13   SNMP Configuration

Table 2-2 SNMP Startup Configuration
#    Description                 Enable
0    Supported SNMP versions     [1 2 3]
1    Community                   [Public]
2    SNMP Root User              radware
3    Privacy Protocol            (NONE/DES) [DES]
4    Privacy Password            radware
5    Authentication Protocol     (NONE/SHA/MD5) [MD5]
6    Authentication Password     radware
7    NMS IP Address              0.0.0.0
8    Configuration File Name

4. Enter the number of the parameter for which you want to define the information.
5. Enter the parameter's value and press Enter. The value of the parameter is displayed on the screen. If you do not access this command line, the Startup Configuration window is displayed automatically.

Note: This Startup Configuration window appears only when the device has no previous configuration.

Startup Configuration Parameter List

The following list defines the parameters in the Startup Configuration window:
• IP Address: The IP address of the interface is the only mandatory parameter. This address is used to access the device.
• IP Subnet Mask: The IP subnet mask of the device. The default value of this parameter is the mask of the IP address class.
• Port Number: Device port number on which the IP interface is defined. The default value is 1.
• Default Router IP Address: The IP address of the router through which the NMS can be reached. The default value for this parameter is 0.0.0.0, which means that no default router is configured.
• RIP Version: The RIP version used by the network router. The default value for this parameter is: disabled.
• OSPF Enable: This parameter enables or disables the OSPF protocol. The default value is: disabled.
• OSPF Area ID: When the OSPF protocol is enabled, you can enter an area ID other than the default value. Enter an ID in the form of an IP address. The default value is 0.0.0.0.
• User Name: A user name which is added to the Users Table. The default user name is radware.
• User Password: The password used to access the device remotely using WBM, Telnet or SSH. The default password is radware.
• Web Access: Indicates whether Web access to the device is enabled. The default is: No.
• Secure Web Access: Indicates whether Secure Web access to the device is enabled. The default is: No.
• Telnet Access: Indicates whether Telnet access to the device is enabled. The default is: No.
• SSH Access: Indicates whether SSH access to the device is enabled. The default is: No.
• SNMP Configuration: Enters the SNMP Configuration sub-menu.

SNMP Startup Configuration Parameter List

The following list defines the SNMP Startup Configuration:
• Supported SNMP Versions: Indicates which versions of the SNMP protocol are supported by the device. Default value: 1&2&3. Possible values: 1, 2, 3, 1&2, 1&3, 2&3 or 1&2&3.
• Community Name: Device community name. Enter the selected community name. The default community name is public.
• SNMP Root User: Defines the user for SNMPv3. The default value is "radware".
• Privacy Protocol: Indicates whether privacy is enabled or disabled. Possible values: NONE or DES. Default value: "NONE".
• Privacy Password: Defines the privacy password for the SNMPv3 user. Default: no password.
• Authentication Protocol: Defines whether to use authentication and which authentication protocol. Must be used in conjunction with privacy. Default value: "NONE". Possible values: "NONE", "SHA" or "MD5".
• Authentication Password: Defines the password for SNMPv3 authentication. Default: no password.
• NMS IP Address: The required NMS IP address. Enter a value if you want to limit the device to a single specified NMS. The default value is 0.0.0.0 (any NMS).
• Configuration File Name: The name of the file, in the format required by the server, which contains the configuration. Select this parameter when you want to download a configuration file from the NMS. The file must be located on the NMS, and the NMS must be running a TFTP server. When you exit the Startup Configuration window, the device loads the configuration file from the NMS, resets and starts operating with the new configuration. The default value is: no name.
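As an added example (not Radware's code), the parameter rules above expressed as a validator for a startup configuration before it is keyed in: it requires the IP Address (the only mandatory parameter), fills in the defaults the guide states (classful subnet mask, port 1, default router 0.0.0.0, RIP disabled, OSPF disabled with area 0.0.0.0, user and password radware, SNMP versions 1&2&3, community public, NMS 0.0.0.0), accepts only the SNMP version sets the guide lists, applies the SNMPv3 USM rule that privacy cannot be enabled without authentication, and then reports which settings are still at the factory values a reviewer would not leave in place. The access-flag defaults follow the [y] shown in Table 2-1; the dictionary field names are this example's own.

```python
"""Added example, not Radware's code: validate and default a CID startup configuration.
Field names (ip, mask, snmp.versions, ...) are this example's own."""
from __future__ import annotations

import ipaddress
from typing import Optional

ALLOWED_SNMP_VERSIONS = {frozenset(s) for s in
                         [(1,), (2,), (3,), (1, 2), (1, 3), (2, 3), (1, 2, 3)]}
ACCESS_FLAGS = ("web", "secure_web", "telnet", "ssh")


def classful_mask(ip: str) -> str:
    """Default 'mask of the IP address class' for a class A, B or C address."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return "255.0.0.0"
    if first < 192:
        return "255.255.0.0"
    if first < 224:
        return "255.255.255.0"
    raise ValueError(f"{ip} is not a class A, B or C host address")


def complete_startup_config(cfg: dict) -> dict:
    """Return a copy of cfg with defaults filled in; raise ValueError on invalid input."""
    out = dict(cfg)
    if "ip" not in out:
        raise ValueError("IP Address is mandatory")
    ipaddress.IPv4Address(out["ip"])
    out.setdefault("mask", classful_mask(out["ip"]))
    ipaddress.IPv4Network((out["ip"], out["mask"]), strict=False)   # validates the mask
    out.setdefault("port", 1)
    out.setdefault("router", "0.0.0.0")
    ipaddress.IPv4Address(out["router"])
    out.setdefault("rip", 0)
    if out["rip"] not in (0, 1, 2):
        raise ValueError("RIP version must be 0 (disabled), 1 or 2")
    out.setdefault("ospf", False)
    out.setdefault("ospf_area", "0.0.0.0")
    ipaddress.IPv4Address(out["ospf_area"])         # area ID is entered in IP-address form
    out.setdefault("user", "radware")
    out.setdefault("password", "radware")
    for flag in ACCESS_FLAGS:
        out.setdefault(flag, True)                  # [y] in Table 2-1
    snmp = dict(cfg.get("snmp", {}))                # copy, so the caller's dict is untouched
    out["snmp"] = snmp
    snmp["versions"] = frozenset(snmp.get("versions", (1, 2, 3)))
    if snmp["versions"] not in ALLOWED_SNMP_VERSIONS:
        raise ValueError(f"unsupported SNMP version set {sorted(snmp['versions'])}")
    snmp.setdefault("community", "public")
    snmp.setdefault("root_user", "radware")
    snmp.setdefault("privacy", "NONE")
    snmp.setdefault("auth", "NONE")
    snmp.setdefault("nms", "0.0.0.0")
    ipaddress.IPv4Address(snmp["nms"])
    if snmp["privacy"] not in ("NONE", "DES") or snmp["auth"] not in ("NONE", "SHA", "MD5"):
        raise ValueError("privacy must be NONE/DES and authentication NONE/SHA/MD5")
    if snmp["privacy"] != "NONE" and snmp["auth"] == "NONE":
        raise ValueError("SNMPv3 privacy requires an authentication protocol")
    if snmp["privacy"] != "NONE" and not snmp.get("privacy_password"):
        raise ValueError("privacy protocol set without a privacy password")
    if snmp["auth"] != "NONE" and not snmp.get("auth_password"):
        raise ValueError("authentication protocol set without a password")
    return out


def validation_error(cfg: dict) -> Optional[str]:
    """The first validation problem as text, or None when cfg is acceptable."""
    try:
        complete_startup_config(cfg)
    except ValueError as exc:
        return str(exc)
    return None


def factory_default_findings(cfg: dict) -> list[str]:
    """Settings of a completed config still at the values the guide lists as defaults."""
    findings = []
    snmp = cfg["snmp"]
    if (cfg["user"], cfg["password"]) == ("radware", "radware"):
        findings.append("management user/password left at radware/radware")
    if snmp["community"].lower() == "public":
        findings.append("SNMP community left at 'public'")
    if snmp["nms"] == "0.0.0.0":
        findings.append("NMS 0.0.0.0: any station may manage the device over SNMP")
    if snmp["versions"] & {1, 2}:
        findings.append("SNMPv1/v2c enabled: the community string is the only credential")
    if cfg["telnet"]:
        findings.append("Telnet enabled: credentials cross the network in cleartext")
    if cfg["web"]:
        findings.append("plain (non-SSL) Web access enabled")
    return findings


if __name__ == "__main__":
    for line in factory_default_findings(complete_startup_config({"ip": "192.168.1.1"})):
        print(line)
```

Run against the bare default ({"ip": "192.168.1.1"}) it reports all six findings; a configuration restricted to SNMPv3 with authPriv, a named NMS, a non-default user and Telnet and plain Web access disabled produces none.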
Notes:
• The device enters a default value for the parameters that are left incomplete, with the exception of the IP Address, which is mandatory. A validity check of all the parameters is then performed.
• An initial default configuration is provided. When a device boots up for the first time, if the Start-Up menu is not used for 30 seconds, and a BOOTP server is not found within another 30 seconds, default settings are assigned to the device. The initial default configuration consists of a private IP address (192.168.1.1), a subnet mask (255.255.255.0), port 1, an NMS IP address of 0.0.0.0 (allowing any station to manage the device using SNMP) and a community string of public; Telnet, SSH, SSL and WBM are enabled with a default user of radware and password radware.

Erasing the Configuration file

You may need to erase the configuration in order to restore the factory default.

To erase the configuration file:
1. Reboot the device and hit any key to stop the auto-boot process. The boot loader prints a banner similar to the following:
   CPU: RadWare BOOMER - MPC740/750
   DRAM size: 128M
   Flash size: 16M
   BSP version: 5.33
   Creation date: Jan 30 2005, 12:49:26
   Press any key to stop auto-boot...
2. Press "q0" and press Enter, then press "q1".
3. Press "@" to reboot the device.

Resetting the Device

You may reset the device at any given time.

To reset the device via the Reset button on the device:
1. Press the reset button located on the front panel of the device.

To reset the device via APSolute Insite:
1. From the main window, click Device.
2. Select the device you wish to reboot.
3. From the Device dropdown menu, select Reboot, then click OK.

Section 2-2 Version Management and Device Upgrading

Section 2-2 Version Management and Device Upgrading describes the interfaces and methods for upgrading the CID device. This section includes the following topics:
• Introducing Upgrades, page 2-11
• Software Version Update, page 2-13
• Saving and Restoring Configuration Files, page 2-18
• Upgrading Licenses, page 2-20
• Upgrading Boot Versions, page 2-24
page 2-11 Software Version Update.Version Management and Device Upgrading Section 2-2 Version Management and Device Upgrading Section 2-2 Version Management and Device Upgrading describes the interfaces and methods for upgrading the CID device. page 2-13 Saving and Restoring Configuration Files. In exceptional circumstances. This password can be obtained from the Radware corporate Web Site. 2. You must obtain this password before you load the upgrade file onto the Radware device. you cannot proceed. Depending on the maintenance contract. Performing the CID device upgrade involves two steps: 1.Chapter 2 . Save the current device configuration.Device Management Introducing Upgrades You can upgrade all Radware devices to newer versions with a straightforward FLASH process. new firmware versions are incompatible with legacy configuration files from earlier firmware versions. This most often occurs when users attempt to upgrade from very old firmware to the most recently available version. New major firmware versions require a password. you may be eligible for new versions with new features or only for the maintenance versions. Radware releases the updated versions of CID software that can be uploaded to your device. You can upgrade a device using one of the following methods: • • APSolute Insite Web Based Management A Device Upgrade enables the new features and functions on the device without altering the existing configuration. CID User Guide 2-11 . In case of a maintenance-only upgrade. The password is based on the firmware version file and on the Base Mac Address of the CID unit. If you do not supply the correct password during the upgrade process. Upgrade the device software. the password is not required. • 2-12 CID User Guide .Re-enabling mirroring should be done only after both active and backup devices have the same software version. Please contact Radware's helpdesk for more information. 
Before performing the upgrade process refer to the “Upgrading Notes” from MRN and RN. It is recommended to disable Mirroring on both the active device and the backup device prior to the upgrading the device. When downgrading to a software version that does not support the current license of the device. When using mirroring. the license will be lost. it is recommended to use the same CID software version for the main and for the backup devices. it is recommended to save the existing configuration file.Version Management and Device Upgrading Notes: • • • Before upgrading to a newer software version. 3 and above.21 8. The software was burnt in duplicate on the internal flash.10 4.Chapter 2 . Application Switch 2 or Compact Application Switch.with the possibility to change active version by toggling between the two. Security upgrades Two different software versions in the memory (only one may be active) . CID User Guide 2-13 . To display list of software versions loaded on the device: • • From the Command Line Interface use command system file-system software From Web-based management click on File menu > Software List option. This allows for the following: • • • • • Use of compact flash in Application Switch 2.Device Management Software Version Update For product versions prior to the ones listed in Table 2-3 (below) a single software version was loaded on Application Switch 1. the way in which flash memory space is managed was changed to a File System mechanism.21 4.10 From these versions forward. More flexible memory management Prevent boot version changes caused by different memory allocation requirements (main reason for boot version changes).10 3. Table 2-3 Product Version Product CID CSD FP LP WSD Version 2. Note: Do not power up or reboot Application Switch 2 and above when the compact flash card is not inserted. open the device set-up (double-click on the device icon).Version Management and Device Upgrading • From APSolute Insite. 
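The following Python function is an added example, not Radware's upgrade tool: it applies the password rule stated under Introducing Upgrades (and the AB.CD.EF to AB.CD.XX note later in this section) to a planned software update, and flags downgrades because of the license-loss warning above. It assumes that any change in the AB.CD part of the version counts as a new major version that needs the Radware-issued password; the version numbers used in the sample run are constructed.

```python
# Added example (not Radware's upgrade tool): applies the password rule stated in
# this section to a planned software update. Version strings use the AB.CD.EF form
# the manual uses. Assumption: any change in the AB.CD part is a new major version
# that needs the Radware-issued password, while AB.CD.EF -> AB.CD.XX does not.
# The sample versions in the demo run are constructed.

def parse_version(text):
    """Turn 'AB.CD' or 'AB.CD.EF' into a comparable (AB, CD, EF) tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError("version must look like AB.CD or AB.CD.EF: %r" % text)
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def plan_update(current, target):
    """Report what must be checked before loading the target software version."""
    cur, tgt = parse_version(current), parse_version(target)
    return {
        # AB.CD unchanged: bug-fix/maintenance update, no password (8.21.05 -> 8.21.12)
        "password_required": cur[:2] != tgt[:2],
        # Going backwards: the manual warns the license is lost if the older
        # version does not support it, so flag it for the operator
        "downgrade": tgt < cur,
        "same_version": cur == tgt,
    }

if __name__ == "__main__":
    for cur, tgt in (("8.21.05", "8.21.12"), ("2.21", "2.41"), ("2.41", "2.21")):
        print(cur, "->", tgt, plan_update(cur, tgt))
```

Obtain the password from the Radware Web site before starting the upload whenever password_required is True; when downgrade is True, confirm that the target version supports the current license first.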
Note: Each software version has its own configuration file.

To change the active software version:
• From the command line interface, use the command system file-system config act-appl set X, where X is the application index as displayed previously. You will be prompted to reboot the device.
• From Web Based Management, click File menu > Software List. Select the inactive version (Active field has value False), change the Active parameter to True and click Set to record your preferences. You will be prompted to reset the device.

Flash Memory Management

Table 2-4 displays the flash memory of the Application Switches.

Table 2-4 Flash Memory Management
Switch          Internal Flash                     Compact Flash
AS1             2 Application Software versions    Not available
AS2 and above   Backup Application version         2 Application Software versions
CAS             2 Application Software versions    Not available

On AS2 and above, a copy of an application software version is loaded in the internal flash for backup purposes. On the internal flash only IP host parameters are saved, to allow communication with the device in case of compact flash problems.

You can download a new software version by using either WBM or APSolute Insite. For versions using the File System mechanism the firmware file is in TAR format, while for previous versions it is in binary (BIN) format.

Note: Before initiating a software version update on Application Switch 3 or Application Switch 2 running a file system version, ensure that a backup application is installed in the internal flash; see Backup Version Update, page 2-17.

To upgrade the software version via Web Based Management:
1. From the File menu, select Software Upgrade. The Update Device Software window appears.
2. From the Update Device Software window, set the following parameters according to the explanations provided:
   Password: Enter the case-sensitive password you have obtained from the Radware corporate Web site for this upgrade: http://www.radware.com/content/support/pwordgen/default.asp
   Software Version: Specify the actual version to be loaded, using the X.XX format.
   File: Select the appropriate firmware file.
   Enable New Version: Select the Enable New Version check box to apply the recent upgrade.
3. To accept your preferences, click Set. You will be prompted to reset the device.

Note: If Enable New Version is selected, the device operates according to the new version after the software download process is complete; otherwise the device operates according to the previous version.

Note: When upgrading from a minor version or bug fix version AB.CD.EF to version AB.CD.XX, a password is not required; for example, when upgrading from 8.21.05 to 8.21.12 a password is not required.

To upgrade the software version via APSolute Insite:
1. From the device application window, double-click on the device icon. The device setup (device specific) window appears.
2. From the Setup tab, click Device Upgrades. The Device Upgrades dialog box appears.
3. In the File Name text box, type the name of the file, or click Browse to find the desired file.
4. In the New Version text box, type the software version number as specified in the new software documentation.
5. In the Password text box, type the password received with the new software version.
   Note: The password is case sensitive.
6. Click Set. You are prompted to restart the device. The status of the upload is displayed in the Progress Status bar.

Note: If the Enable New Version check box is selected (default), the device operates according to the new version after the software download process is complete; otherwise the device operates according to the previous version.

Backup Version Update

On Application Switch 2, the backup application version (internal flash) is updated automatically when a new application version that includes a new boot version is downloaded to the device. On Application Switch 3 and above it is not necessary to update the backup application version when there is a new boot version, since compact flash and internal flash have separate boot memories. If, however, you wish to manually update or install the backup application version, it is possible via the CLI command system file-system files copy-to-flash x, where x is the index of the new application you want to use (existing applications and their indexes are displayed by the system file-system config act-appl command).

Saving and Restoring Configuration Files

It is recommended to save existing configurations on each Radware device. If a change to the configuration results in problems, administrators can restore a previous configuration to the unit. Files are stored locally on the desktop or laptop running APSolute Insite in a binary format. You can perform this procedure also from WBM.

Notes:
• When downloading a configuration file using WBM, the configuration cannot be uploaded to a device that was configured to use only SNMPv3.
• When downloading a configuration file using CWI and SNMPv3, the configuration cannot be uploaded to a device that supports only SNMPv1.
• The configuration file of a device that contains SNMPv3 users with authentication can only be used by the specific device on which the users were configured, since passwords of SNMPv3 users cannot be exported from one device to another (this follows the SNMPv3 RFC). When exporting the configuration file to another device, the passwords need to be re-entered. Therefore there must be at least one user in the user table (to be able to change the password) in case the configuration file is uploaded to another device.
• The downloaded configuration file appears in BER format. If you wish to view the BER format file, you must convert it to ASCII format. However, the configuration file that is being uploaded to the device must be in BER format.

To save an existing configuration:
1. From the main window, select Device > Configuration File > Download.
2. Click the Browse button and navigate to the location where you wish to save the file.
3. Select the required configuration file and click Ok. The current configuration is saved.
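The configuration file described in this section is stored in BER (ASN.1 Basic Encoding Rules) format. The following Python decoder is an added example, not the Radware tool behind the Convert from BER to ASCII menu item: it walks the generic BER tag-length-value structure and renders it as indented ASCII, rejecting truncated or malformed input instead of trusting it. This page does not document the real file's schema, so only the standard universal types (SEQUENCE, INTEGER, OCTET STRING, OBJECT IDENTIFIER, NULL) are interpreted, and the SAMPLE blob is constructed for the demonstration rather than captured from a device.

```python
# Added example, not the Radware tool behind "Convert from BER to ASCII": a minimal
# BER (ASN.1 basic encoding rules) TLV decoder that renders a binary configuration
# blob as indented ASCII. The page does not document the real file's schema, so
# only the generic structure (SEQUENCE, INTEGER, OCTET STRING, OBJECT IDENTIFIER,
# NULL) is interpreted; anything else is shown as a raw hex tag. SAMPLE is a
# constructed blob, not a captured Radware configuration file.

def read_length(buf, i):
    """Decode a BER length at offset i; return (length, next offset).
    Indefinite (0x80) and oversized long forms are rejected rather than trusted."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    n = first & 0x7F
    if n == 0 or n > 4 or i + n > len(buf):
        raise ValueError("bad length encoding at offset %d" % (i - 1))
    return int.from_bytes(buf[i:i + n], "big"), i + n

def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string (first byte packs X.Y as 40*X+Y)."""
    if not content:
        raise ValueError("empty OID")
    parts = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends a sub-identifier
            parts.append(value)
            value = 0
    if value:
        raise ValueError("unterminated OID sub-identifier")
    return ".".join(str(p) for p in parts)

def decode(buf, i=0, end=None, depth=0):
    """Return a list of (depth, type name, value) for every TLV in buf[i:end]."""
    end = len(buf) if end is None else end
    out = []
    while i < end:
        tag = buf[i]
        length, i = read_length(buf, i + 1)
        if i + length > end:      # element claims more bytes than its container has
            raise ValueError("element overruns container at offset %d" % i)
        content = buf[i:i + length]
        if tag & 0x20:            # constructed: recurse into the contents
            out.append((depth, "SEQUENCE" if tag == 0x30 else "CONSTRUCTED 0x%02x" % tag, None))
            out.extend(decode(buf, i, i + length, depth + 1))
        elif tag == 0x02:
            out.append((depth, "INTEGER", int.from_bytes(content, "big", signed=True)))
        elif tag == 0x04:
            try:
                text = content.decode("ascii")
            except UnicodeDecodeError:
                text = content.hex()
            out.append((depth, "OCTET STRING", text))
        elif tag == 0x05:
            out.append((depth, "NULL", None))
        elif tag == 0x06:
            out.append((depth, "OBJECT IDENTIFIER", decode_oid(content)))
        else:
            out.append((depth, "TAG 0x%02x" % tag, content.hex()))
        i += length
    return out

def to_ascii(buf):
    """Render the decoded tree as indented text, one element per line."""
    lines = []
    for depth, name, value in decode(buf):
        lines.append("  " * depth + (name if value is None else "%s: %s" % (name, value)))
    return "\n".join(lines)

def decode_or_error(buf):
    """Wrapper for untrusted input: ('ok', text) or ('error', reason), never a traceback."""
    try:
        return "ok", to_ascii(buf)
    except (ValueError, IndexError) as exc:
        return "error", str(exc)

# Constructed sample: SEQUENCE { OID 1.3.6.1.2.1.1.5.0 (sysName), OCTET STRING "cid-1",
#                                SEQUENCE { INTEGER 161, INTEGER 2 } }
SAMPLE = bytes.fromhex("301a" "06082b06010201010500" "04056369642d31" "3007020200a1020102")

if __name__ == "__main__":
    print(to_ascii(SAMPLE))
    print(decode_or_error(SAMPLE[:-1]))   # truncated file -> ('error', ...)
```

Run it on a saved configuration file with decode_or_error(open(path, "rb").read()); a file that was cut short during download is reported as an error rather than silently decoded, which is the check to make before uploading a restored configuration back to a device.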
To restore an existing configuration file:
1. From the main window, select Device > Configuration File > Upload.
2. Click the Browse button and navigate to the file to restore.
3. Select the required configuration file and click Ok. The selected configuration is restored.
4. After the restored configuration has been applied to the Radware device, reboot the unit.

To convert a BER file to ASCII format:
1. From the main window, select Device > Configuration File > Edit. The Edit window opens.
2. From the Edit window, select Convert from BER to ASCII.
3. Click the Browse button and navigate to the BER file you wish to convert to ASCII.
4. Select the required configuration file and click Ok. The file format is converted to ASCII.

Upgrading Licenses

You can upgrade the software capabilities of CID by means of the licensing mechanism, for example to add SynApps support. For Application Switch 3, you can also add support for the 10 Gigabit Ethernet Port using the hardware licensing mechanism.

The Licensing Mechanism

In order to change the license, you need to insert a new license code. The license is based on the MAC address of the device and on a license ID that is changed every time a new license is inserted. The license provided to you is a one-time license, meaning that once this license is changed, the old license cannot be reused. To get a license upgrade, you need to send the MAC address and the current license ID of the device. To perform a license downgrade (for example, if a SynApps license was given to you on a trial basis and not purchased), you need to send the MAC address and the current license ID of the device, and
Radware provides you with another license, without SynApps support. A screen capture of the License Upgrade window, or the output of the system license get CLI command, must be sent to Radware to prove that you are using the new license. After that, Radware is assured that the old license cannot be re-used.

Note: For more information regarding obtaining licenses, please contact Radware Technical Support.

To upgrade a software license:
1. From the main window, double-click the CID icon. The CID window appears.
2. From the Set-Up tab, click Device Upgrades. The Device Upgrades dialog box appears.
3. From the Device Upgrades dialog box, click Licence Upgrade. The Licence Upgrade pane appears, displaying the current license in the New Licence Code text box.
4. In the New Licence Code text box, type your new license code.
   Note: The license code is case sensitive.
5. Click Ok. The Information box prompts you to reset the device in order to validate the license.
6. Click Ok to perform the reset. The reset may take a few minutes. A success message is displayed on completion.

Upgrading Hardware Licenses

For Application Switch 3, you can add support for the 10 Gigabit Ethernet Port by means of the hardware licensing mechanism. This feature is only available for Application Switch 3.

To upgrade a hardware license:
1. From the main window, double-click on the CID icon. The CID window appears.
2. From the CID window, click Set-Up > Device Upgrades. The Device Upgrades dialog box appears.
3. From the Device Upgrades dialog box, click the Hardware Licence tab. The Licence Upgrade pane appears, displaying the current license in the New Licence Code text box.
4. In the New Licence Code text box, type your new license code.
   Note: The license code is case sensitive.
5. Click Ok. The Information box prompts you to reset the device in order to validate the license.
6. Click Ok to perform the reset. The reset may take a few minutes. A success message is displayed on completion.

Upgrading Licenses Using CLI

The following procedures enable you to upgrade your software and hardware licenses using the command line interface.

To upgrade a software license using CLI:
1. In the command line interface, type system license get and press Enter. The current license code is displayed.
2. Type system license set <new license code> and press Enter. A license updated message is displayed in the command line.
3. Type reboot in order to reset the device, then type yes to confirm the reset.

Note: To implement the upgrade, the device must be reset.

To upgrade a hardware license using CLI:
1. In the command line interface, type system hardware license and press Enter. The current license code is displayed.
2. Type system hardware license set <new license code> and press Enter. The license updated message is displayed in the command line.
3. Type reboot in order to reset the device, then type yes to confirm the reset.

Note: To implement the upgrade, the device must be reset.

Upgrading Licenses Using WBM

You can perform license upgrades using Web Based Management.

To upgrade a license using WBM:
1. From the Device menu, select License Upgrade. The License Upgrade window appears.
2. In the Insert your License Code text box, type the code of the new license and click Set.

Upgrading Boot Versions

As Radware's product line develops, it may become necessary to upgrade a device's Boot Code to support new firmware. For information regarding upgrading boot versions, refer to Boot Version Update, page 10-34.

Section 2-3 Device Configuration Options

Section 2-3 Device Configuration Options describes the interfaces and methods for CID device configuration and permissions. This section includes the following topics:
• APSolute Insite, page 2-26
• Command Line Interface, page 2-27

APSolute Insite

APSolute Insite is the main management interface for all Radware devices. This application allows the system administrator to configure, modify and manage all types of Radware devices in an enterprise network. Rather than focusing on a single device, APSolute Insite presents the entire network configuration in a graphical format, with settings and configuration options organized in a logically related manner.

Notes:
• For further information regarding APSolute Insite, refer to the APSolute Insite User Guide.
• For an explanation of how to access statistics about device performance, and how to work with statistical graphs, refer to the APSolute Insite User Guide.

Command Line Interface

Access to the Command Line Interface (CLI) requires a serial cable and a terminal emulation application.
Although each product has a slightly different list of commands, the majority of the available options are the same:

bwm               Policy management and classification
classes           Configures traffic attributes used for classification
device            Device Settings
healthmonitoring  Advanced Health Monitoring
help              Displays help for the specified command
login             Login into the device
logout            Logout of the device
CID               CID parameters
manage            Device management configuration
net               Network configuration
ping              Sends echo requests
reboot            Reboot the device
redundancy        Redundancy settings
security          Security settings
services          General networking services
statistics        Device statistics configuration
system            System parameters

CLI Supported Capabilities

Radware's Command Line Interface can be used through console access, Telnet, or SSH. CLI provides the following capabilities:
• Consistent, logically structured and intuitive command syntax.
• Command line editing keys.
• Command history.
• Help and command completion keys.
• Configurable prompt.
• Configurable banner for Telnet and SSH.
• A system config command to view the current configuration of the device, formatted as CLI command lines. Pasting the output of system config, or part of it, to the CLI of another device (using the system config set command) can be used for easy configuration replication.
• Ping: ping other hosts on the network to test the availability of the other hosts.
• Traceroute: use the command trace-route <destination host>. Output format:
  CID#trace-route www.radware.com
  trace-route to host <IP address>:
  followed by one line per hop (1: to 5: in the sample), each listing the hop's IP address and three round-trip times in ms, with * shown where a hop did not respond.
• Telnet client: to initiate a Telnet session to remote hosts. Use the CLI command telnet <Host>.
• SSH client: to initiate an SSH session to remote hosts. Use the CLI command ssh <Host>.
• DNS Client: uses the configured DNS servers to query the IP addresses of a hostname. Use the command services dns nslookup <hostname>. Make sure to enable DNS and set DNS servers appropriately, using the services DNS client commands. The DNS client also enables using host names rather than IP addresses in commands such as traceroute, telnet, ping, and so on. The DNS client is also configurable from APSolute Insite.

Notes:
• For a description of the DNS Client, refer to page 2-79.
• For more information concerning CLI commands, refer to the Radware CLI Reference Manual.

Section 2-4 Device Access

Section 2-4 Device Access describes the interfaces and methods related to CID device security. All Radware devices are equipped with a variety of security features and settings that help prevent unauthorized access and tampering with units. In addition to the predefined security, you can use the SynApps license to upgrade the security level for your network. This section includes the following topics:
• Bandwidth Management Access, page 2-31
• Users Table, page 2-32
• Configuring SNMP, page 2-34
• Web Based Management, page 2-48
• Telnet and SSH, page 2-51
• RADIUS Authentication, page 2-60
• Management Ports, page 2-62
• Ping Physical Port Permissions, page 2-70
• Dedicated Management Port, page 2-71

Bandwidth Management Access

Radware devices also provide a packet-filtering database, which can be configured to control access to the unit and through the unit, based on a variety of factors, such as protocol, port, and source or destination addresses.

Bandwidth Management Configuration Guidelines:
• From the main window, click BWM Management.

Management Ports

Access to any of the devices can be limited to specified physical interfaces. Interfaces connected to insecure segments of a network can be configured to discard some or all kinds of management traffic directed at the device itself. Administrators may wish to allow certain types of management traffic to a Radware device, such as SSH, while denying others (such as SNMP or Telnet). If an intruder attempts to access the device through a disabled port, the Radware unit does not allow access and generates syslog and CLI traps as notification.

Port Management Configuration Guidelines:
• From the main menu, select General > Device Permissions > Management Settings.

Users Table

You can create a list of personnel authorized to access the device. Entries in this table allow access to the Radware device through any enabled access method (Web, Telnet, SSH, SWBM).

To set the Users Table:
1. From the main window, select General > Device Permissions. The Device Permissions window appears.
2. Select the Users Table tab and click Add. The Edit Device Users window appears.
3. From the Edit Device Users window, set the following parameters according to the explanations provided:
   Device Name: Select the device name.
   User Name: Type the name of the user.
   Password: Type the password for the user.
   Values: Administrator, Operator. Default: Operator.
   E-mail: Type the e-mail address of the user.
   Notification: Define the minimum severity level of traps that are sent to this user. Values: None (the user receives no traps), Info (the user receives traps with severity Info or higher), Warning, Error, Fatal. Default: None.
   Trace Status: Enable this option to notify users of configuration changes made in the device. When Trace Status is enabled, users can receive e-mail notifications of changes made to the device. For more information see Configuration Trace, page 2-86.
4. Click Ok to apply the setup and exit the window. The new device permission is listed in the Users Table.

Note: User and Password can be up to 19 characters.
2. The Manager is the console through which the network administrator performs network management functions. which provides Secure Communication. From the CID main toolbar. View-Based Access Control Model (VACM). To connect to device using SNMPv3: 1. APSolute Insite connects to the CID device using SNMPv1. The CID Connect To Device dialog box appears. Note: By default. Double click the CID icon. and read access to wider portions. SNMP is a part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. SNMPv3 is composed of 2 layers of communication between the manager and the agent: • • User Security Model (USM).Device Access Configuring SNMP The Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the exchange of management information between network devices. The CID icon appears on the map. SNMPv2 and SNMPv3. which provides granular access permissions. including message integrity and privacy. 2-34 CID User Guide . This section explains how to configure SNMP on CID. 2 and 3 are included. Agents are the entities that interface to the actual device being managed allowing changing or retrieving objects in the device. SNMP is the protocol that allows managers and agents to communicate for the purpose of accessing these objects. For example. a user can have write access to limited portions or the MIB. Network management systems contain two primary elements: managers and agents.These objects are arranged in what is referred to as management information base (MIB). Radware devices work with the following versions of SNMP: SNMPv1. Configuration examples for SNMP versions 1. click Add and select the CID icon. In the CID Connect To Device dialog box. displaying the current permissions. click Add. The CID device is connected using SNMPv3. 2. select General > Device Permissions. From the SNMP pane. displaying the current permissions. 
Defining SNMP Users With SNMPv3 user-based management each user can have different permissions based on the user name and connection method. To view the SNMP tab: 1. The Device Permissions window appears. 4. Click Ok. Set the Authentication and Privacy parameters as defined in the Users Table. To define a new SNMP user: 1. The SNMPv3 pane opens. Click the SNMP tab. CID User Guide 2-35 . You can create a new user by cloning the definitions of one of the existing users. From the User Based Security Model window. In the User Based Security Model window.Chapter 2 . type the Device IP Address and select the SNMPv3 check box. The User Based Security Model window appears. see page 2-35. 5. From the main window.Device Management 3. 2. The SNMP pane appears. you can define users who can connect to the device and you can store the access parameters for each SNMP user. 3. The SNMP pane appears. 4. Click the SNMP tab. From the main window. The Device Permissions window appears. select General > Device Permissions. click Users. then set the following parameters according to the explanations provided: Clone From User: Select the existing user from which you want to clone the definitions. Possible value is DES. Click Ok to apply the setup and exit the window. Privacy Password: Notes: • • Type the password required to use privacy. Privacy is only supported in conjunction with authentication The User Name parameter is also called Security Name 5. Note: The Configuration file of the device. Default: None. up to 18 characters. since passwords (of SNMPv3 users) can not be exported from one device to another. SNMP . that contains SNMPv3 users with authentication. When exporting the configuration file to another device. which means that the data is not encrypted. Therefore there must be at least one user in the device‘s user table (to be able to change the password) in case the configuration file is uploaded to another device. Type the algorithm to be used for encryption. 
Possible values are MD5 and SHA. can only be used by the specific device that the users configured.VACM Edit Security to Group SNMPv3 permissions are defined for groups of users. Authentication Password: User Privacy Protocol: Type the password to be used during the authentication process. Default: None. Type the protocol to be used during the authentication process. Note that this is according to SNMPv3 RFC. the passwords need to be re-entered.Device Access User Name: Authentication Protocol: Type the name of the new user. meaning using clear text during the session. In cases that there is a need to grant to the same user different permissions based 2-36 CID User Guide . A new user is defined for access to SNMP. click Add. Access rights are defined for groups of users.Device Management on the connection method. VACM .Write access based on the MIB tree. The VACM Edit Security to Group window appears. 4. each entry can include or exclude parts of the entire MIB tree. Those views are used to allow Read . Security Name: Select a relevant security name. that is the name as defined in the Users Table. For example. The same Family View Name can be used for multiple entries to allow maximum flexibility. The Device Permissions window appears. then this user gets Read-Only permissions. click the SNMP tab. Select a name from a list of all the available group names. the user gets Read-Write permissions. Possible values: SNMPv1. Group Name: 5. Click Ok to save the setup and to exit the window. select General > Device Permissions. From the SNMP pane. set the following parameters according to the explanations provided: Security Model: Select the SNMP version to be associated with this group. You can associate users with groups listed in the VACM Edit Security to Group window. From the main window. 2. it is possible to associate the same user to more than one group. CID User Guide 2-37 . From the Device Permissions window. 3. SNMPv2 or User Based (SNMPv3). 
while if the same user A connects to a Radware device with authentication and without privacy (data is not encrypted). To configure VACM Edit Security to Group: 1.MIB View The View Table defines subnets of the MIB tree.Chapter 2 . if user A connects to a Radware device using SNMPv3 with authentication and privacy. From the VACM Edit Security to Group window. The SNMP pane appears. 6. You can define the access rights for each group and Security Model in the VACM Group Access window. Write View Name and the Notify View Name parameters and depends on the defined Security Model. Write. This is the table that grants permissions to the groups. 3.5.2. to give access to MIBs that start with 1. Type the object ID of the MIB subtree.1 and 1.6. and Notify permissions are configured for Family View names.1. set the following parameters according to the explanations provided: Family View Name: Family Subtree: Type: Type the name of this entry as explained above. From the VACM MIB View window. To set the parameters of the VACM MIB Tree: 1.6. you can grant Read access to all MIBs starting with 1. write or notify action is specified through the Read View Name. Define whether the object of this entry is included or excluded in the MIB view. Click Update to apply the setup and click Ok to exit the window. SNMP . 4.3. From the VACM Group Access window. From SNMP pane. The SNMP pane appears. select General > Device Permissions and from the Device Permissions window.3.MIB View window. based on the SNMP version. The Read. 2-38 CID User Guide . click Access. which are defined in the VACM . 2.Access The Access Table binds the groups. 5.3. see page 2-37.1.1 but not to MIBs that start with 1. views and security models. The VACM MIB View window appears.Device Access For example. From the CID main window.3. click View. The VACM Group Access window appears.1.2 and yet.6. Range of objects which can be accessed for a read. click the SNMP tab. 
Chapter 2 - Device Management

SNMP - Access Table

To set the parameters of the SNMP Access Table:

1. From the main window, select General > Device Permissions. The Device Permissions window appears.
2. From the Device Permissions window, click the SNMP tab. The SNMP pane appears.
3. Click Access. The VACM Group Access window appears.
4. Click Add. The VACM Edit Group Access window appears.
5. From the VACM Edit Group Access window, set the following parameters according to the explanations provided:

   Group Name: Type the name of your group.
   Security Model: Select the SNMP version that represents the required Security Model. The security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions, so by selecting the SNMP version for this parameter you determine the permissions set to be used. Possible values: SNMPv1, SNMPv2 or User Based (SNMPv3).
   Security Level: Select the security level:
   • No Authentication: No authentication or privacy are required.
   • Auth Not Private: Authentication is required, but privacy is not required.
   • Auth Private: Both authentication and privacy are required.
   Default: No Authentication.
   Read View Name: Select an item from the list of all the available views configured in the VACM - MIB View window. Read access is provided to the Object IDs specified in the selected view.
   Write View Name: Select an item from the list of all the available views configured in the VACM - MIB View window. Write access is provided to the Object IDs specified in the selected view.
   Notify View Name: Select an item from the list of all the available views configured in the VACM - MIB View window. Notify access is provided to the Object IDs specified in the selected view.

6. Click Ok to save the setup and exit from the window.

SNMP - Target Address

In SNMPv3, this table contains the transport addresses to be used in the generation of traps. For SNMP version 1 and 2, this table is used to restrict the range of addresses from which SNMP requests are accepted. If the Transport Tag of an entry in the Community Table is not empty, it must be included in one or more entries in the Target Address Table. If the tag list of an entry contains a tag from the SNMP Notify Table, this target is selected for reception of notifications.

To add a new SNMP Target Address:

1. From the main window, select General > Device Permissions, and from the Device Permissions window click SNMP. The SNMP pane appears.
2. From the SNMP pane, click Targets. The Target Address window appears.
3. From the Target Address window, click Add. The Edit Target Address dialog box appears.
4. Set the following parameters according to the explanations provided:

   Name: Type the name of this entry.
   Target Address: Type the IP address of the management station that is used:
   • To provide access to the specified IP address only
   • To send SNMP traps to that IP address.
   Target Port: Type the number of the Target Port. The TCP port to be used: 161 for SNMP Access and 162 for SNMP Traps. Default: 162.
   Tag List: A list of tags separated by spaces. This tag must be the same tag as the Community Transport Tag in the Community Table.
   Parameters: The name of the entry in the Parameters Table to be used when sending the SNMP traps. Default: v3Traps.

5. Click Ok to save the setup and to exit the window.

Tip: The SNMP Target Address window also allows you to access the SNMP Target Parameters window, see page 2-41.

SNMP - Target Parameters

The Target Parameters table contains parameters to be used in generating a message. Entries in this table are referenced in the Target Address table.

To set the Target Parameters:

1. From the main window, select General > Device Permissions, and from the Device Permissions window click SNMP. The SNMP pane appears.
2. From the SNMP pane, click Targets. The Target Address window appears.
3. From the Target Address window, click Parameters. The Target Parameters window appears.
4. From the Target Parameters window, click Add. The Edit Target Parameters dialog box appears. Set the following parameters according to the explanations provided:

   Name: Name of the new parameter for the Target Address.
   Message Processing Model: Select the model from: SNMP Ver 1, SNMP Ver 2c, SNMP Ver 3.
   Security Model: Select the security model as explained on page 2-39. Possible values: SNMP Ver 1, SNMP Ver 2c, User Based.
   Security Name: Type the security name of the user.
   Security Level: Select the security level:
   • No Authentication: No authentication or privacy are required.
   • Auth Not Private: Authentication is required, but privacy is not required.
   • Auth Private: Both authentication and privacy are required.
   Default: No Authentication.

5. Click Ok to save the setup, and click Ok to exit the Target Parameters and Target Address windows.

SNMP - Community Table

The purpose of the Community Table is to allow backwards compatibility with SNMPv1 and SNMPv2. The Community Table maps community strings to users. Once a user is connected to the Radware device with SNMPv1 or SNMPv2, the device checks the Community String sent in the SNMP packet. Based on the Community String, the device maps it to a pre-defined user, which belongs to a group with certain access rights. Therefore, when working with SNMPv1 or SNMPv2, users, groups and access must be defined as well.

Note: The SNMP Community Table is used only for SNMP v1 and v2.

To configure the SNMP Community Table:

1. From the main window, select General > Device Permissions. The Device Permissions window appears.
2. From the Device Permissions window, click the SNMP tab. The SNMP pane appears.
3. From the SNMP pane, click Community. The Community window appears.
4. Click Add, then set the following parameters according to the explanations provided:

   Index: Type a descriptive name for this entry.
   Community Name: Type the string for the community.
   Security Name: Type the user name associated with the community string.
   Community Transport Tag: This string specifies a set of target addresses from which the SNMP agent accepts SNMP requests and to which traps may be sent. If this string is empty, addresses are not checked when an SNMP request is received or when a trap is sent. If this string is not empty, the transport tag must be contained in the value of the Tag List parameter of at least one entry in the Target Address Table. The target addresses identified by this tag are defined in the Target Address Table, see page 2-40.

5. Click Ok to save the setup and to exit the window.

SNMP - Notify Table

Using the SNMP Notify Table you can select the management targets that receive notifications, including the type of notification to be sent to each selected management target. An entry in the Target Address table whose tag list contains the tag of one or more entries of the Notify Table is selected for reception of notifications.

To set the notifications for the Target Address:

1. From the main window, select General > Device Permissions, and from the Device Permissions window click SNMP. The SNMP pane appears.
2. From the SNMP pane, click Targets. The Target Address window appears.
3. From the Target Address window, click Notify. The Notify Table window appears.
4. From the Notify Table window, click Add. The Edit Notify Table appears.
5. From the Edit Notify Table window, set the following parameters according to the explanations provided:

   Name: Type the name of the entry.
   Tag: The Tag parameter contains a string that is used to select one or more entries in the Target Address table. All entries in that table whose tag list contains this tag are selected for reception of notifications, see SNMP - Target Address, page 2-40.
   Type: Select the type of notification, for example trap.

6. Click Ok to apply the setup, and click Ok twice again to exit the Notify Table window and the Target Address window.
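The following added example (not from the Radware guide) models the Community, Target Address and Notify tables described above so that a planned configuration can be checked before it reaches the device: the Transport Tag to Tag List rule, the empty-tag case, and the Notify Tag selection. Table contents, addresses and community strings are constructed.

```python
"""Added example (not Radware code): a model of the Community, Target Address and
Notify tables described above.  Rules implemented are the ones the text states:
  * an SNMPv1/v2 request is mapped to the Security Name of the matching community;
  * an empty Community Transport Tag means the source address is not checked;
  * a non-empty Transport Tag must appear in the Tag List of at least one Target
    Address entry, and only those addresses may send requests;
  * a Notify entry selects every Target Address whose Tag List contains its Tag.
All table contents below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CommunityEntry:
    index: str
    community_name: str
    security_name: str           # user the community string is mapped to
    transport_tag: str = ""      # empty: source addresses are not checked


@dataclass
class TargetAddress:
    name: str
    address: str
    port: int                    # 161 for SNMP access, 162 for traps
    tag_list: List[str] = field(default_factory=list)
    parameters: str = "v3Traps"  # entry in the Target Parameters table


@dataclass
class NotifyEntry:
    name: str
    tag: str
    notify_type: str = "trap"


def validate(communities: List[CommunityEntry],
             targets: List[TargetAddress]) -> List[str]:
    """Configuration errors: a Transport Tag that no Target Address carries."""
    known = {tag for t in targets for tag in t.tag_list}
    return [f"community {c.index!r}: transport tag {c.transport_tag!r} "
            f"is not in the Tag List of any Target Address entry"
            for c in communities if c.transport_tag and c.transport_tag not in known]


def map_request(communities: List[CommunityEntry], targets: List[TargetAddress],
                community_string: str, source_ip: str) -> Optional[str]:
    """Security Name an SNMPv1/v2 request resolves to, or None if it is rejected."""
    for c in communities:
        if c.community_name != community_string:
            continue
        if not c.transport_tag:
            return c.security_name          # no address restriction
        allowed = {t.address for t in targets if c.transport_tag in t.tag_list}
        return c.security_name if source_ip in allowed else None
    return None                             # unknown community string


def trap_recipients(notifies: List[NotifyEntry],
                    targets: List[TargetAddress]) -> List[Tuple[str, str, int, str]]:
    """(notify name, address, port, parameters) for every selected target."""
    return [(n.name, t.address, t.port, t.parameters)
            for n in notifies for t in targets if n.tag in t.tag_list]


# Constructed sample configuration, mirroring the tables described in the text.
COMMUNITIES = [
    CommunityEntry("nms-ro", "station-ro", "administrator", transport_tag="nms"),
    CommunityEntry("legacy", "public", "public"),          # empty tag: any source
]
TARGETS = [
    TargetAddress("nms1", "192.0.2.10", 161, ["nms"], "public-v1"),
    TargetAddress("nms2", "192.0.2.11", 161, ["nms", "v3Traps"], "public-v1"),
    TargetAddress("collector", "192.0.2.50", 162, ["v3Traps"], "v3Traps"),
]
NOTIFIES = [NotifyEntry("all-traps", "v3Traps")]

if __name__ == "__main__":
    for err in validate(COMMUNITIES, TARGETS):
        print("ERROR:", err)
    print(map_request(COMMUNITIES, TARGETS, "station-ro", "192.0.2.10"))    # administrator
    print(map_request(COMMUNITIES, TARGETS, "station-ro", "198.51.100.7"))  # None
    print(trap_recipients(NOTIFIES, TARGETS))
```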
Example - SNMPv3 Access to the Device with Authentication and Privacy

The following example shows how to configure a Radware device to allow access using only SNMPv3, with MD5 as the authentication protocol and DES as the privacy protocol. The pre-configured User Name for SNMPv3 is "radware". When connecting using that User Name, neither Authentication nor Privacy are required. Since a user with limited access privileges cannot create a user with unlimited access, the first user must be created via the CLI or WBM.

Configuration:

1. From Web Based Management, select Security > SNMP > User Table and create a new entry by configuring the following parameters:

   User Name: administrator
   Authentication Protocol: MD5
   Authentication Password: password
   Privacy Protocol: DES
   Privacy Password: password

2. Open APSolute Insite.
3. From the CID main toolbar, click Add and select the CID icon. The CID icon appears on the map.
4. Double click the CID icon. The CID Connect To Device dialog box appears.
5. From the CID Connect To Device dialog box, type the Device IP Address and select the SNMPv3 check box. The SNMPv3 pane opens.
6. Click Ok. The device is connected using SNMPv3.
7. From the main menu, select General > Device Permissions. The Device Permissions window appears.
8. Click SNMP. The SNMP tab appears containing the following configuration options: Targets, Community, Views, Access, Users.
9. From the SNMP tab, click Access. The VACM Group Access window appears.
10. From the VACM Group Access window, click Add, then set the following parameters:

   Group Name: admin
   Security Model: USM
   Security Level: AuthPrivate
   Read View Name: iso
   Write View Name: iso
   Notify View Name: iso

11. Click Ok and Ok again.
12. To associate the user administrator with the admin group, from the SNMP tab click Add. The VACM - Edit Security To Group dialog box appears. Set the following parameters:

   Security Model: USM
   Security Name: administrator
   Group Name: admin

13. Click Ok and Ok again to close all the windows.
14. Reconnect to the device using SNMPv3, User Name "admin" and Password "password" for both the Authentication and Privacy protocols.

• To create additional users with the same access rights, or from a different user, from the SNMP window open the Users window (see page 2-35) and add a new user. The new user can be cloned from the existing logged-in user.
• To associate a new user with a group, from the SNMP tab click Add and associate the new user with its group.

To restrict SNMPv1 and SNMPv2 access to the device, remove the "public" community entry from the Community window, see page 2-42.

Web Based Management

Each Radware device can be managed using a web-based interface, enabled from General > Preferences by selecting Web Based Management. The Web Based Management graphical user interface (GUI) does not require any installation on a client, and is designed for easy and fast single-device management. Web Based Management is supported using the following Internet browsers:

• Internet Explorer version 6 (when using Windows operating systems) with the cumulative security update for IE 6 SP1.
• Mozilla, when using Linux operating systems.

Online Help is available by clicking the ? Help icon that appears in every screen. Online help is also available from the Radware corporate Web site; however, you can specify a custom location for the help files.

Web access can also be confined to SSL. By default, the device has self-signed Radware SSL certificates; however, you can specify your own self-signed SSL certificate. When using Web Based Management, the administrator can specify the TCP port for Web Based Management and for secure Web Based Management (WBM).

Web Based Management Features

• HTTP Summary Page: Using the Device Monitoring summary page, you can get a quick view of the farm and server health. The summary page also provides a launching point from which to 'drill down' to more specific health and configuration information. The Device Monitoring window is accessible from the WBM Device menu. You can configure the interval at which the page is refreshed (any number of seconds between 10 and 3600).
• HTTP Button to Switch Between Active and Backup Device: Using the Web-based interface, you can switch between the active device and the associated backup device. Note: In WBM, this functionality is also accessed from the Device Monitoring window.
• Secure Web Based Management: An HTTPS session.
• Web Based Management Access Level: You can set the Web Based Management Access Level to Super (default) or Read Only. This configuration is accessible using Configware from the Services menu, or using the CLI command manage web access-level. This setting affects both WBM and Secure WBM. Note: Setting this parameter requires restarting the device. When the Web Based Management Access Level is set to Read Only, users of Web Based Management or Secure Web Based Management experience the following limitations:
   • Cannot change the configuration of the device.
   • Cannot reset the device.
   • Cannot view the Community Table or User Table.
   • SSL keys and certificates cannot be viewed.
   • Have no access to the SSH Public Key Table.
   • Software update to the device is not allowed.
   • The Configuration File cannot be sent to the device or received from the device.

To create a new SSL certificate:

1. From the Services menu, select SSL > Certificates.
2. Click Create. The Create Self Signed Certificate window appears.
3. In the Create Self Signed Certificate window, set the following parameters according to the explanations provided:

   Common Name: The name of the organization's contact.
   Organizational Unit: The name of the organization's subunit or branch.
   Organization: The name of the organization.
   Locality: The name of the city in which the organization is located.
   State/Province: The state or province of the company's location.
   Country: The country of residence of the organization.
   Fully Qualified Domain: The complete URL address of the company.
   Key Size: Can be either RSA 512 bits, RSA 768 bits or RSA 1024 bits.
   Save Key File As: The user-defined name of the self-signed certificate's key.
   Save Certificate As: The user-defined name of the self-signed certificate.

4. Fill in the relevant parameters and then click Ok.

Note: SSL Keys and certificates are not exported as part of the configuration.
Telnet and SSH

Radware products support Telnet and SSH management access. Telnet is enabled from General > Preference > Device Access > Telnet Parameters. SSH is enabled from General > Preference > Device Access > SSH Port. You can specify the TCP port for Telnet management and SSH.

Note: CID supports up to two simultaneous Telnet or SSH sessions.

After a CLI session with the device is established, the CLI session closes after 5 minutes of idle time. In case of 3 incorrect logins, the terminal is locked for 10 minutes and no further logins are accepted from that IP address. Time-outs are added for logging into the CLI through Telnet and SSH: the user name and password must be inserted within 30 seconds, starting from the moment the user established the Telnet or SSH connection.

CLI Timeouts

It is possible to configure the timeout for Telnet, SSH and CLI sessions. In addition to the session timeout, system administrators can also configure the authentication timeout. Authentication timeout is the time that the user has in order to complete the authentication process; once a login is successfully completed, the session timeout applies.

Configurable Parameters:

• Session Timeout - Timeout (in minutes) required for the device to maintain the connection during periods of inactivity. Optional values: 1 - 120 minutes. Default value is 5 minutes for Telnet and SSH, and unlimited for the CLI.
• Authentication Timeout - Timeout (in seconds) required to complete the authentication process. Optional values: 10 - 60 seconds. Default value is 30 seconds. Available for Telnet and SSH only.

Note: In order not to affect the performance of the device, a special task checks the timeout every 10 seconds. This means that the actual timeout can be up to 10 seconds longer.

Enabling Management Applications on Specific Physical Ports

The Enabling Telnet and Web Based Management on Specific Port feature makes it possible to launch configuration tools, such as SNMP-based applications, Telnet, SSH, Secure Web and Web Based Management, only through those physical ports which are defined by the user. In the same manner, it is also possible to disable launching Telnet or WBM through specific ports.

To enable web-managed ports:

1. From the main window, select Device > Device Permissions > Management Settings. The Management Settings tab appears, showing the current device in the Device dropdown list.
2. From the Device dropdown list, select the device.
3. From the Management Ports parameter, select the required management application. Management applications are: SNMP, Telnet, SSH, Web, SSL. Default: SNMP, Enable All.
4. To select the specific physical ports for the application, check the ports you wish to enable or disable, or check Enable All or Disable All.
5. Click Apply to save the setup. The window remains open.
6. To configure ports for another web management application, from the Management Ports parameter select the application and the active ports, as in steps 2 and 3.
7. Click Apply to save the setup and Ok to exit the window.

FTP Content Management

FTP Proxy Support

When deploying an FTP (File Transfer Protocol) proxy server for FTP caching or FTP content inspection, CID provides special treatment for these servers. CID intercepts the FTP sessions of non-configured clients and load balances them to the FTP proxy server farm. CID transforms the client "username: password" command to "username:password@domain". This transformation allows the FTP proxy server to extract the original destination FTP host and then to open the FTP session to that host, on behalf of the client. This process is transparent to the client. By default, CID supports both passive FTP sessions and active FTP sessions.

Figure 2-1 shows a typical FTP Proxy Content Management setup.

[Figure 2-1 FTP Proxy Content Management. Users Side: Client 1 (10.1.1.1) and Client 2 (10.1.1.2) connect to CID Port 1 (CID Virtual IP Address 10.1.1.10). Network Side: CID Port 2 (100.1.1.20) connects to the FTP Content Servers (100.1.1.100 and 100.1.1.120) and to the Access Router (100.1.1.10) towards the Internet.]

Configuration Properties:

• Network side and users side are on different IP subnets.
• Users are not configured to the CID.
• The virtual IP address of the CID is 10.1.1.10.
• Content servers work in FTP Proxy mode.
• Configuring the ftp-session service supports both passive and active FTP sessions.
• The delimiter ('@') is proxy dependent, and may vary.

Configuration:

1. Define two IP Addresses on the CID:
   a. Double click on the CID icon and, from the CID Connect to Device window that now appears, type the device's IP address, 10.1.1.10, and click Ok. The CID window appears.
   b. Add the second IP address: Double click on the CID icon. The CID window appears.
   c. Click Add. The Edit CID Interface window appears.
   d. From the Edit CID Interface window, set the following parameters according to the explanations provided:

      IF Num: F-2
      IP Address: 100.1.1.20

      Click Ok to exit all windows.

2. Add the default router and a default gateway:
   a. Double click on the CID icon. The CID window appears.
   b. Click on Networking and select Routing Table. The CID Routing Table appears.
   c. Click Add. From the CID Routing Table, set the following parameters according to the explanations provided:

      Destination IP Address: 0.0.0.0
      Network Mask: 0.0.0.0
      Next Hop: 100.1.1.10
      IF Number: F-2
      Metric: 1
      Type: Remote

   d. Click Ok to exit all windows.

3. Add the servers:
   a. Double click on the CID icon. The CID window appears.
   b. Click the Add menu and, from the dropdown menu, add a local server by defining the following parameters according to the explanations provided:

      Server Name: Server 1
      IP Address: 100.1.1.100

   c. Click Add and then click Ok.
   d. In the same manner, add the second server by defining the following parameters:

      Server Name: Server 2
      IP Address: 100.1.1.120

      Click Add and then click Ok.

4. Add a farm:
   a. From the CID toolbar, click Traffic Redirection. The CID Traffic Redirection window appears.
   b. From the Traffic Redirection window, select the Farms tab and click Add. The Edit CID Farm window appears.
   c. From the Edit CID Farm window, set the following parameters according to the explanations provided (for example):

      Farm Name: Farm 1
      Multiplexed for Port: Disabled
      VIP Address: 10.1.1.100
      Admin Status: Selected
      Transform Request: Selected

   d. Click Add and then Ok.

5. Add the servers to the farm:
   a. From the CID Traffic Redirection window list of farms, select the farm and click Add. The CID Farm Servers window appears.
   b. From the CID Farm Servers window, click Add. The Edit CID Farm window appears. Set the following parameters according to the explanations provided:

      Server Name: Server 1 & Server 2
      Transparent Mode: Disabled
      Server Delimiter: @

   c. Ensure that the Transparent Mode is enabled.
   d. Click Add and then click Ok.

6. Add a local network:
   a. From the CID Traffic Redirection window list of farms, select the farm, then click the Farm Policies button. The Farm Policies window appears.
   b. From the Farm Policies window, click the Networks button. The CID Network Table window appears.
   c. Click Add and then set the following parameters according to the explanations provided:

      Network Name: Type a name for the users network (the policy in step 7 refers to it as Users).
      Network Mode: IP Range
      From Address: 10.1.1.1
      To Address: 10.1.1.2

   d. Click Ok, and then Ok to return to the Farm Policies window.

7. Add a new policy for HTTP:
   a. From the Farm Policies window, click the Classes button. The CID Classes window appears.
   b. From the CID Classes window, click the Modify tab and, from the Modify pane, right click Modify Farm Policy and select Add.
   c. From the pane that appears, set the following parameters according to the explanations provided:

      Policy Name: http
      Index: 1
      Service Type: Regular Service
      Service: ftp session
      Source Address: Users
      Destination Address: any
      Direction: oneway
      Description: FTP Proxy Configuration
      Operational Status: Active
      Cluster Farm: 10.1.1.100

   d. Click Add Policy and then Ok to exit the window.

FTP Address Multiplexing Support

Traditional load balancing of FTP sessions supports only cases where the same FTP server controls both the Control Session and the Data Session of the File Transfer Protocol. CID supports load balancing of FTP sessions where the FTP server which hosts the Control Session refers the FTP client to a different FTP server for the Data Session, using the PASV command.

Configuration: No special configuration is needed by the user in order for CID to support FTP Address Multiplexing.

Transparent FTP Support

The Transparent FTP feature supports FTP content servers that intercept FTP sessions transparently and open a session on behalf of the client. CID redirects FTP clients to proxy servers that support fully transparent FTP. This mode is in addition to the proxy FTP.
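An added example, not CID's code, of the login rewrite described in FTP Proxy Support above: the front-end side builds the "username:password@domain" form and the proxy side parses it back, with the delimiter configurable since the text says it is proxy dependent. Logins, hosts and the captured command stream are constructed, and only host names and IPv4 addresses are handled.

```python
"""Added example (not CID code): the FTP proxy login rewrite described above.

The text states that CID rewrites the client's "username: password" login into
"username:password@domain" so the FTP proxy can recover the original destination
host and open the session on the client's behalf, and that the '@' delimiter is
proxy dependent.  Both halves are modelled here: the rewrite performed in front of
the proxy farm, and the parse the proxy must do to get user, password and target
back.  Logins, hosts and the delimiter values are constructed sample data; host
names and IPv4 addresses only (no IPv6 literals).
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FtpLogin:
    user: str
    password: str
    host: str        # original destination server, taken from the intercepted connection
    port: int = 21


def rewrite_login(login: FtpLogin, delimiter: str = "@") -> str:
    """Front-end side: build 'user:password<delimiter>host[:port]'."""
    if ":" in login.user or delimiter in login.host:
        # The parser below splits on the first ':' and the last delimiter, so these
        # two characters must not appear in the fields that bound the split.
        raise ValueError("user or host would be ambiguous with this delimiter")
    target = login.host if login.port == 21 else f"{login.host}:{login.port}"
    return f"{login.user}:{login.password}{delimiter}{target}"


def parse_login(token: str, delimiter: str = "@") -> FtpLogin:
    """Proxy side: recover the login from the rewritten token.

    Split on the LAST delimiter so a password containing '@' still parses, and on
    the FIRST ':' so a password containing ':' still parses.
    """
    creds, sep, target = token.rpartition(delimiter)
    if not sep or not creds or not target:
        raise ValueError("token carries no destination host")
    user, sep, password = creds.partition(":")
    if not sep or not user:
        raise ValueError("token carries no user:password pair")
    host, _, port = target.partition(":")
    if not host or (port and not port.isdigit()):
        raise ValueError("bad destination host or port")
    return FtpLogin(user, password, host, int(port) if port else 21)


def rewrite_session(commands: List[str], host: str, delimiter: str = "@") -> List[str]:
    """Rewrite a captured client command stream: USER/PASS become one proxied USER."""
    out, user = [], None
    for line in commands:
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg                    # hold until the PASS arrives
        elif verb.upper() == "PASS" and user is not None:
            out.append("USER " + rewrite_login(FtpLogin(user, arg, host), delimiter))
            user = None
        else:
            out.append(line)              # everything else passes through unchanged
    return out


# Constructed sample: what a client on the users side sent, and where it was going.
CLIENT_COMMANDS = ["USER alice", "PASS s3cr:et@1", "PASV", "RETR report.txt"]
ORIGINAL_HOST = "ftp.example.test"

if __name__ == "__main__":
    for line in rewrite_session(CLIENT_COMMANDS, ORIGINAL_HOST):
        print(line)
```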
RADIUS Authentication

With RADIUS Authentication, Radware devices provide additional security by authenticating the users who access the device for management purposes. Before a management session starts, using CLI, Telnet, SSH or Web Based Management, the Radware device can authenticate the user with a RADIUS server. You can use RADIUS servers to determine whether a certain user may or may not gain access to CID management. You can also select whether to use the User Table when RADIUS servers are not available.

To set the RADIUS Authentication:

1. From the main window, select General > Management Permissions. The Management Permissions window appears.
2. From the Management Permissions window, click RADIUS. The RADIUS pane appears.
3. From the RADIUS pane, set the following parameters according to the explanations provided:

   Authentication Method: Define the Authentication method. Values: Local Users Table, RADIUS, RADIUS & Local Users Table. Note: The last option means that RADIUS servers are used, but when they are unavailable the Local Users Table is used.
   Main RADIUS IP Address: Define the IP address of the primary server.
   Main RADIUS Port: The access port number of the primary RADIUS server. Values: 1645, 1812. Default: 1645.
   Main RADIUS Secret: Type the authentication password for the primary RADIUS server.
   Backup RADIUS IP Address: Define the backup IP address of the RADIUS server.
   Backup RADIUS Port: Define the backup access port number of the primary RADIUS server. Values: 1645, 1812. Default: 1645.
   Backup RADIUS Secret: Type the authentication password for the backup RADIUS server.
   RADIUS Timeout: Define the length of time the device waits for a reply from the RADIUS server before a retry or, if the RADIUS Retries value is exceeded, before the device acknowledges that the server is offline. Default: 5.
   RADIUS Retries: Define the number of connection retries to the RADIUS server when the RADIUS server does not respond to the first connection attempt. Default: 3.

   Note: Once the RADIUS Retries value to the main RADIUS server is exceeded, and all connection attempts have failed (RADIUS Timeout), the backup RADIUS server is used.

4. Click Apply and Ok to apply the setup and to exit the window.

Notes:
• The RADIUS Authentication feature is available for CLI, Telnet, SSH, Web Based Management and Secure Web, but not for APSolute Insite.
• Radware devices must have access to the RADIUS Server, and the RADIUS server must allow Radware device access.

Management Ports

APSolute Insite is the main management interface for all Radware products. Additional management interfaces that allow you to configure and operate Radware devices include:

• Web Based Management (WBM)
• Command Line Interface (CLI)

You can connect a CID device to the management interfaces through the network physical interface or through the serial port. CID supports the following port types:

• In the network connection: SNMP, Telnet, SSH, HTTP, HTTPS.
• In the serial port connection: RS-232 up to 115 Kbps (default is 19.200 Kbps).

The following table lists the CID physical interfaces and the supporting management interfaces:

Table 2-5 Supported Interfaces

   Port           APSolute Insite   Web Based Management   Command Line Interface
   SNMP V1, V3           +
   HTTP                                     +
   Secure Web                               +
   Telnet                                                            +
   SSH                                                               +
   RS-232                                                            +
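An added example (not Radware code) of the main, backup and Local Users Table fallback order described under RADIUS Authentication above, driven by a stand-in transport so no RADIUS server is needed. It reads the documented Retries value as attempts after the first one; server addresses, secrets and the Local Users Table contents are constructed.

```python
"""Added example (not Radware code): the RADIUS fallback sequence described
above, written as a small decision procedure driven by a pluggable transport so it
can be exercised without a RADIUS server.  Behaviour modelled from the text:
  * the main server gets one attempt plus RADIUS Retries further attempts, each
    unanswered attempt costing RADIUS Timeout seconds;
  * once all attempts fail the main server is treated as offline and the backup
    server is tried the same way;
  * if neither answers, the Local Users Table is used only when the Authentication
    Method is "RADIUS & Local Users Table"; with plain "RADIUS" access is denied.
Server addresses, secrets and the fake transport are constructed sample data; no
RADIUS packets are sent.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# True = Access-Accept, False = Access-Reject, None = no reply before the timeout
Reply = Optional[bool]
Transport = Callable[[str, int, str, str, str], Reply]


@dataclass
class RadiusSettings:
    method: str = "RADIUS & Local Users Table"   # or "RADIUS" / "Local Users Table"
    main_ip: str = "192.0.2.1"
    main_port: int = 1645
    main_secret: str = "main-shared-secret"
    backup_ip: str = "192.0.2.2"
    backup_port: int = 1645
    backup_secret: str = "backup-shared-secret"
    timeout: int = 5        # RADIUS Timeout, seconds per unanswered attempt
    retries: int = 3        # RADIUS Retries after the first attempt


def local_check(local_users: Dict[str, str], user: str, password: str) -> bool:
    """Local Users Table lookup with a constant-time password comparison."""
    stored = local_users.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


def ask_server(ip: str, port: int, secret: str, user: str, password: str,
               settings: RadiusSettings, transport: Transport) -> Tuple[Reply, int]:
    """Try one server 1 + retries times; return (reply, seconds spent waiting)."""
    waited = 0
    for _ in range(1 + settings.retries):
        reply = transport(ip, port, secret, user, password)
        if reply is not None:
            return reply, waited
        waited += settings.timeout          # no answer: wait out the timeout, retry
    return None, waited                     # server considered offline


def authenticate(user: str, password: str, settings: RadiusSettings,
                 transport: Transport, local_users: Dict[str, str]) -> Tuple[bool, str, int]:
    """Return (access granted, which source decided, total seconds waited)."""
    if settings.method == "Local Users Table":
        return local_check(local_users, user, password), "local", 0
    total = 0
    servers = (("main", settings.main_ip, settings.main_port, settings.main_secret),
               ("backup", settings.backup_ip, settings.backup_port, settings.backup_secret))
    for label, ip, port, secret in servers:
        reply, waited = ask_server(ip, port, secret, user, password, settings, transport)
        total += waited
        if reply is not None:
            return reply, label, total
    if settings.method == "RADIUS & Local Users Table":
        return local_check(local_users, user, password), "local", total
    return False, "none", total             # plain RADIUS: no fallback


# Constructed transports standing in for the network.
def main_down_backup_up(ip, port, secret, user, password) -> Reply:
    """Main server silent; backup accepts only alice / correct-horse."""
    if ip == "192.0.2.1":
        return None
    return user == "alice" and password == "correct-horse"


def all_down(ip, port, secret, user, password) -> Reply:
    return None


LOCAL_USERS = {"admin": "local-pass"}   # constructed Local Users Table

if __name__ == "__main__":
    s = RadiusSettings()
    print(authenticate("alice", "correct-horse", s, main_down_backup_up, LOCAL_USERS))
    print(authenticate("admin", "local-pass", s, all_down, LOCAL_USERS))
    print(authenticate("admin", "local-pass", RadiusSettings(method="RADIUS"), all_down, LOCAL_USERS))
```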
Example - Configuring Read-Only Permissions for SNMPv1 and Full Access for SNMPv3

This example shows how to allow SNMPv1 access to the device by adding an entry in the Community Table, using the configuration of the example on page 2-45.

Configuration:

1. From the main window, select Device > Add Radware Device > CID. The CID icon appears in the main window.
2. Double click the CID icon. The CID Connect To Device dialog box appears.
3. In the CID Connect To Device dialog box, type the Device IP Address and select the SNMPv3 check box. The SNMPv3 pane opens.
4. Define the SNMPv3 parameters as explained in the previous example, see page 2-45.
5. Click Ok. The device is connected using SNMPv3.
6. From the main menu, select General > Device Permissions. The Device Permissions window appears.
7. From the Device Permissions window, click SNMP. The SNMP pane appears containing the following configuration options: Targets, Community, Views, Access, Users. These options are explained throughout this configuration example.
8. From the SNMP pane, click Community. The Community window appears.
9. From the Community window, click Add, then set the following parameters according to the explanations provided:

   Index: SNMPv1 Access
   Community Name: password
   Security Name: administrator

10. Click Ok, and Ok again to close the Community window.
11. To create a VACM entry for the user administrator and the Security Model SNMPv1, from the SNMP window click Access. The VACM Group Access window appears.
12. From the VACM Group Access window, click Add, then set the following parameters according to the explanations provided:

   Group Name: admins
   Security Model: SNMPv1
   Security Level: No Authentication
   Read View Name: iso
   Write View Name: None
   Notify View Name: iso

13. Click Ok and Ok again to return to the SNMP window.
14. From the SNMP window, click Add. The VACM Edit Security To Group dialog box appears; associate the Security Name administrator with the Group admins, then click Ok and Ok again.

Note: APSolute Insite supports only SNMPv3 and SNMPv1.

When an SNMPv1 session is initiated to the device with the community name "password", the device associates the user name "administrator" with the Group "admins", based on the information from the VACM Edit Security To Group dialog box. According to the settings of the VACM Group Access window, only Read permissions are set for the user administrator in SNMPv1.

Example - Changing the Default Community Name When Using SNMPv1 and SNMPv2

According to the default configuration of the device, the default Community Name is "public". This example shows how to change the default Community Name from "public" to any other name.

Configuration:

1. From the main window, select Device > Add Radware Device > CID. The CID icon appears in the main window.
2. Double click the CID icon. The CID Connect To Device dialog box appears.
3. In the CID Connect To Device dialog box, type the Device IP Address, use the default Device Community Name and click Ok. The device is connected using SNMPv1.
4. From the main menu, select General > Device Permissions. The Device Permissions window appears.
5. Click the SNMP tab. The SNMP tab appears.
6. From the SNMP window, click Community. The Community window appears.
7. To add a new entry to the Community table, from the Community window click Add. The Edit Community dialog box appears.
8. In the Edit Community dialog box, set the following parameters for the new entry according to the explanations provided:

   Index: a descriptive text
   Community Name: new_community
   Security Name: public

9. Click Ok and return to the main map.
10. Right click on the device icon and click Connect. The CID Connect To Device dialog box appears.
11. From the CID Connect To Device dialog box, type the new Community Name and click Ok.
12. Repeat steps 4-8, and this time delete the old public entry from the Community Table.
Example - Allowing SNMPv1 and SNMPv2 Access to Predefined Management Stations

This example shows how to restrict management access to a Radware device for SNMPv1 and SNMPv2, allowing only the predefined Network Management Stations to access the device.

Configuration:

1. From the main window, select Device > Add Radware Device > CID. The CID icon appears in the main window.
2. Double click the CID icon. The CID Connect To Device dialog box appears.
3. In the CID Connect To Device dialog box, type the Device IP Address, use the default Device Community Name and click Ok. The device is connected using SNMPv1.
4. From the main menu, select Device > Device Permissions. The Device Permissions window appears.
5. Click the SNMP tab. The SNMP tab appears.
6. From the SNMP window, click Community. The Community window appears.
7. From the Community window, select the required entry and click Edit. The Edit Community dialog box appears.
8. In the Community Transport Tag text box, type "nms", then click Ok and Ok again to return to the main SNMP window.
9. From the SNMP window, click Targets. The Target Address window appears.
10. From the Target Address window, click Notify. The Notify window appears.
11. From the Notify window, click Add. The Notify Table dialog box appears. Set the following parameters according to the explanations provided:

   Name: Type a descriptive name.
   Tag: nms

   Note: The value must be the same as the Community Transport Tag in the Community Table.

12. Click Ok and return to the Target window.
13. From the Target window, click Add to add a new entry to the table by setting the following parameters according to the explanations provided:

   Name: Type a descriptive name.
   Target Address: Type the IP address of the NMS.
   Target port: 161
   Tag List: nms
   Parameters: public-v1

14. Click Ok to close the Target window.

Example - Sending Secured SNMP Traps to Specific Users

The following example shows how to configure a Radware device to send SNMP traps using a secure channel over SNMPv3. This example is based on the example on page 2-45.

Configuration:

1. From the main window, select Device > Add Radware Device > CID. The CID icon appears in the main window.
2. Double click the CID icon. The CID Connect To Device dialog box appears.
3. In the CID Connect To Device dialog box, type the Device IP Address and select the SNMPv3 check box. The SNMPv3 pane opens.
4. In the User Name text box, type: administrator.
5. Click Ok. The device is connected using SNMPv3.
6. From the main menu, select Device > Device Permissions. The Device Permissions window appears.
7. Click the SNMP tab. The SNMP pane appears containing the following configuration options: Targets, Community, Views, Access, Users.
8. From the SNMP tab, click Target. The Target Address window appears.
9. From the Target Address window, click Parameters. The Target Parameters window appears.
10. From the Target Parameters window, click Add. The Edit Target Parameters dialog box appears. Set the following parameters according to the explanations provided:

   Name: Secure Traps
   Message Processing Model: SNMP Ver 3
   Security Model: User Based
   Security Name: Administrator
   Security Level: Auth Private

11. Click Ok twice, and return to the Target Address window.
12. From the Target Address window, click Add and set the following parameters according to the explanations provided:

   Name: Admins_NMS
   Target Address: 10.100.204.18
   Target Port: 162
   Tag List: V3Traps
   Parameters: Secure Traps

13. Click Ok to apply the setup and Ok again to close all windows.
14. Using an interface other than APSolute Insite, connect to the device.
15. From the main menu, click General > Events & Traps. The Events & Traps window appears. The Events & Traps window displays the SNMP traps that the device sends using SNMPv3 with Authentication and Privacy.
Ping Physical Port Permissions

CID allows you to define which physical interfaces can be pinged. By default, all interfaces of the device allow ping. When a ping is sent to an interface for which ping is not allowed, the packet is discarded.

To define the ports to be pinged:

1. In the main window, double-click the device icon. From the main toolbar, click Split view. The front panel icon appears on the right hand side of the main window.
2. Right click the port you wish to ping and, from the dropdown menu that appears, check the Ping Port State option.

Dedicated Management Port

To provide better security for device management in case of port failures, you can define a Dedicated Management Port, which is a physical port of the device that is used for management traffic only. This port can be any port of the device. The configuration is performed for each device. The Management Port is not included in Interface Grouping. For more information on Interface Grouping, see Interface Grouping, page 6-6.

The following notes apply to Dedicated Management Port behavior:

• No traffic is forwarded through the Management Port. Only traffic with the port's specific MAC and IP interface(s) is accepted (or broadcast traffic). Other traffic to the Management Port is discarded.
• Routing entries for the Management Port can be added to the Routing Table. These entries are required in order to send replies for management sessions.
• The Management Port cannot be a member of any VLAN.
• The Management Port is automatically excluded from Interface Grouping decisions and is not affected by Interface Grouping being activated. You cannot change Interface Grouping behavior for the configured Management Port.
• When a failure occurs on any of the physical or logical ports and the Dedicated Management Port is used, port failures do not affect the device reachability via the management port.

To define a Dedicated Management Port:

1. In the main window, double-click the device icon. The Set-Up window appears.
2. In the Set-Up window, select Access. The Access pane appears.
3. From the Dedicated Management Port dropdown list, select the port that you want to define as management port and click Ok.

Section 2-5 Device Tuning

Section 2-5 Device Tuning describes the interfaces and methods for CID device tuning, as well as providing an explanation of how to configure the Tuning Memory Check.

This section includes the following topics:

• Device Tuning Parameters, page 2-73
• Tuning Memory Check, page 2-74

Device Tuning Parameters

To determine the maximum number of entries allowed in the various tables, you can use these Device Tuning Table tabs:

• BWM Settings
• Advanced Settings
• URL Handling Settings
• Health Monitoring Settings
• NAT Settings

You can also define the security parameters for your previously defined security policy. The values in the fields are synchronized and any changes are implemented after the device reset.

Note: It is strongly advised that Device Tuning only be carried out after consulting with Radware Technical Support.

To edit the device tuning settings in APSolute Insite:

1. Double click on the CID icon. The Content Inspection window appears. Click the Global tab. The Global pane opens.
2. Check the services group which you want to tune on the device and click Edit Settings. The device tuning settings table for the selected category opens.

Tuning Memory Check

The Device Tuning Table enables you to pre-check that the configured values will not cause memory allocation problems. For every value you update in a CID table, the device can check whether sufficient memory is available following the tuning changes. This is done automatically when you update tuning values in APSolute Insite. However, you can perform a manual check using Web Based Management or CLI.

In Web Based Management, select: Services > Tuning > Memory Check.

In CLI, use the command: system tune test-after-reset-values

Section 2-6 Device Services

Section 2-6 Device Services describes additional device-related CID utilities.

This section includes the following topics:

• NTP Support, page 2-76
• Daylight Saving Time Support, page 2-78
• DNS Client, page 2-79
• Show Tech Support, page 2-81
• Policy Scheduler, page 2-82

NTP Support

Network Time Protocol (NTP) enables users to synchronize devices by distributing an accurate clock across the network. In predefined intervals, a device sends "time query" messages to the Network Time Server. The server then sends the date and time to the device.

When NTP is enabled, several parameters need to be configured: the IP address of the Network Time Server, the polling interval (in seconds), the time zone offset from GMT and the NTP server port (default 123). When NTP is disabled, the time and date have to be set manually for the device.

To configure NTP:

1. In the main window, double-click on the device icon. The Set-Up window appears.
2. In the Set-up window, select Networking > NTP. The Network Time Protocol Preferences window appears.
3. In the Network Time Protocol Preferences window, set the following parameters according to the explanations provided:
   NTP Server Address: Type in the address of the NTP Server. Note: The NTP Server Address must be configured in order to enable the NTP feature.
   Active Checkbox: Enables or disables the NTP feature (default: disabled).
   NTP Port: The NTP server port (default: 123).
   NTP Checking Interval: The interval, in seconds, at which a time query message is sent to the NTP server (default: 172,800).
   Time Zone: The time zone offset from GMT (default: -12).
Enabling or disabling the NTP feature results in different levels of accuracy.

4. Click Apply > Ok.

Daylight Saving Time Support

Radware devices support daylight saving time. The user has to configure the daylight saving time start and end dates and times. This means that if daylight saving time is enabled during the daylight saving time period, the device automatically adds one hour to the system clock. The device also indicates whether it is on standard time or daylight saving time, using the Daylight Saving Designations indicator.

Note: When the system clock is manually configured, the device does not change the system time. During the daylight saving time period, the system time is changed only when daylight saving time starts or ends.

To configure Daylight Saving Time in APSolute Insite:

1. In the main window, double-click the device icon. The Set-Up window appears.
2. In the Set-Up window, click the Networking button. From the dropdown list select Daylight Saving. The Daylight Savings Time Settings dialog box appears.
3. From the Daylight Saving Status dropdown list, select Enable to enable daylight saving time.
4. Configure the daylight saving time start and end dates and time:
   In the Daylight Saving Begins [dd/mm:hh] field, enter the date and time that daylight saving time begins.
   In the Daylight Saving Ends [dd/mm:hh] field, enter the date and time that daylight saving time ends.
5. Click Apply. Click OK.

DNS Client

You can configure CID to operate as a DNS client. When the DNS client is enabled, IP addresses can be resolved in the following ways:

• Using the configured DNS servers, to which the DNS client sends queries about the IP addresses of a hostname.
• Using the pre-defined static table that includes hostnames and IP addresses.

When the DNS client is disabled, IP addresses cannot be resolved.

To enable the DNS client:

1. From the main window, click APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. From the Traffic Redirection window, select the DNS tab. The DNS window appears.
3. From the DNS window, select the Client DNS checkbox.
4. In the DNS Primary Address text box, type the address of the primary DNS server that is used to query IP addresses of hostnames.
5. In the DNS Alternate Address text box, type the address of the backup DNS server that is used to query IP addresses of hostnames in case the primary server is not in service.
6. Click Ok to apply the setup and exit.

To define the static DNS table:

1. From the main window, click Traffic Redirection. The Traffic Redirection window appears.
2. From the Traffic Redirection window, select the DNS tab. The DNS window appears.
3. To enable the DNS client, select the Client DNS checkbox.
4. Select the Static DNS option. The Static DNS Table window appears.
5. From the Static DNS Table window, set the following parameters according to the explanations provided:
   Host Name: The URL name for which you want to set the IP address.
   IP Address: The IP address of the URL.
6. Click Add to apply. The new client is listed in the Static DNS Table.
7. Click Ok to apply the setup and exit.

To display the DNS table:

From the main window, click Traffic Redirection. The Traffic Redirection window appears. From the Traffic Redirection window, select the DNS tab. The DNS table is displayed.

To display the dynamic DNS table in the CLI, type the following command: services dns nslookup <hostname>

Show Tech Support

Radware's customers use the CLI in order to configure, monitor and debug Radware devices. In case of problems, debugging is required and many CLI commands, such as a printout of the Client Table, buffer usage and others, are needed. A new command which aggregates all the CLI commands needed by Radware's technical support is now available. The output of this command is a text file, which can be downloaded and then sent to Radware's technical support. Adding the flag -v will also display the output of the command.

The command is available via:

• APSolute Insite - From the Device menu, select "Download Technical Support File".
• Web Based Management - From the File menu, select "Support" and click on the "Download Support File" button.
• CLI - The device allows displaying the output of the command on the terminal, or generating a file and sending it via TFTP.
   • To display the output on the terminal, use the CLI command: manage support display
   • To generate a file and send it via TFTP to a TFTP server, use the command: manage support tftp put <file name> <TFTP server's IP>

Note: It is not possible to download the configuration file from the device while the Show Tech Support command is running.

Policy Scheduler

System administrators may require that specific policies will not be active during certain hours of the day, or that a certain policy will only be activated at a specific time of the day for a specific duration. For example, a school's library may want to block instant messaging during school hours but allow instant messages after school hours, or an enterprise may give high priority to mail traffic between 08:00 - 10:00. Generic 10.20 introduces the ability to schedule the activation and inactivation of specific Bandwidth Management policies. By the use of the new feature called Event Scheduler, the user can now create "events" which can then be attached to a policy's configuration. "Events" define the date and time in which an action should be performed.

Configurable Parameters

For each "event" it is possible to configure the following parameters:

• Name: The name of the event.
• Frequency: Whether the event occurs once, daily or weekly.
• Days: If the Frequency chosen is daily or weekly, the user must configure on which day the event should occur.
• Date (DDMMYYYY): If the Frequency chosen is once, then it is required to configure the date on which the event should occur.
• Time (HHMM): The time on the designated day (if multiple days are chosen then the "Time" value is the same for all configured days) when the event should occur. The default Time value is 12:00 am (0000).

For each Bandwidth Management Policy it is possible to configure the following parameters:

• Activation Schedule: The name of the Event which activates the policy.
• Inactivation Schedule: The name of the Event which inactivates the policy.

Once an event has been configured it should then be attached to a Bandwidth Management policy. Once the event occurs, the device activates or inactivates the Bandwidth Management policy and then performs an "Update Policy" action.
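As an added illustration that is not part of the CID User Guide, the following Python replays the Event Scheduler rules above for a constructed school-hours policy; the Event and BwmPolicy classes, the day-name encoding and the dates are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Day names for the "Days" parameter (the encoding is an assumption of this example).
WEEKDAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


def at(text: str) -> datetime:
    """Parse a constructed 'DDMMYYYY HHMM' timestamp, using the page's own field formats."""
    return datetime.strptime(text, "%d%m%Y %H%M")


@dataclass
class Event:
    """One Event Scheduler entry with the configurable parameters listed above."""
    name: str
    frequency: str                 # "once", "daily" or "weekly"
    time: str = "0000"             # HHMM; the default is 12:00 am (0000)
    date: Optional[str] = None     # DDMMYYYY, required when frequency is "once"
    days: Tuple[str, ...] = ()     # required when frequency is "weekly"

    def validate(self) -> None:
        """Reject the misconfigurations the parameter rules above forbid."""
        if self.frequency not in ("once", "daily", "weekly"):
            raise ValueError(f"{self.name}: unknown frequency {self.frequency!r}")
        datetime.strptime(self.time, "%H%M")             # e.g. "2560" is rejected here
        if self.frequency == "once":
            if self.date is None:
                raise ValueError(f"{self.name}: a once-only event needs a date")
            datetime.strptime(self.date, "%d%m%Y")
        if self.frequency == "weekly" and not self.days:
            raise ValueError(f"{self.name}: a weekly event needs at least one day")
        for day in self.days:
            if day not in WEEKDAYS:
                raise ValueError(f"{self.name}: unknown day {day!r}")

    def fires_at(self, when: datetime) -> bool:
        """True when the event occurs in the minute that contains `when`."""
        if when.strftime("%H%M") != self.time:
            return False
        if self.frequency == "once":
            return when.strftime("%d%m%Y") == self.date
        if self.frequency == "daily":
            return True
        return WEEKDAYS[when.weekday()] in self.days      # weekly


@dataclass
class BwmPolicy:
    """A Bandwidth Management policy and the events attached to it."""
    name: str
    activation_schedule: str       # name of the event that activates the policy
    inactivation_schedule: str     # name of the event that inactivates it
    active: bool = False


def run_scheduler(policy: BwmPolicy, events: List[Event],
                  start: datetime, end: datetime) -> List[Tuple[datetime, str]]:
    """Replay the scheduler minute by minute over [start, end).

    Each returned (time, action) is a point where the device would flip the policy
    and then perform its "Update Policy" action.
    """
    by_name: Dict[str, Event] = {}
    for event in events:
        event.validate()
        by_name[event.name] = event
    activate = by_name[policy.activation_schedule]
    inactivate = by_name[policy.inactivation_schedule]
    transitions: List[Tuple[datetime, str]] = []
    now = start
    while now < end:
        if activate.fires_at(now):
            policy.active = True
            transitions.append((now, "activate"))
        if inactivate.fires_at(now):
            policy.active = False
            transitions.append((now, "inactivate"))
        now += timedelta(minutes=1)
    return transitions


def school_week_demo() -> List[Tuple[datetime, str]]:
    """Constructed case: block instant messaging during school hours, Monday to Friday."""
    school_days = ("mon", "tue", "wed", "thu", "fri")
    events = [Event("school_starts", "weekly", "0800", days=school_days),
              Event("school_ends", "weekly", "1500", days=school_days)]
    block_im = BwmPolicy("block_im", "school_starts", "school_ends")
    # 3 July 2006 is a Monday; replay one full week from that day.
    return run_scheduler(block_im, events, at("03072006 0000"), at("10072006 0000"))


if __name__ == "__main__":
    for when, action in school_week_demo():
        print(when.strftime("%a %d/%m/%Y %H:%M"), action)
```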
Section 2-7 Device Reporting

Section 2-7 Device Reporting describes the CID Reporting feature, which distributes warning messages about failures and problems in network elements. Reporting distribution methods and configuration are described.

This section includes the following topics:

• Notifications - General, page 2-85
• E-mail Notification, page 2-86
• Syslog, page 2-88
• Event Log, page 2-89

Notifications - General

Most administrators prefer to receive a warning message about a network or server outage. To help minimize the impact of failure in devices such as firewalls, routers or application servers, all Radware devices provide a choice of notification methods: CLI Traps, Syslog, E-mail.

CLI Traps

When connected to any Radware product through a serial cable, Telnet and SSH, the device generates traps when events occur. For example, if a Next Hop Router fails, CID generates the following error:

10-01-2003 08:35:42 WARNING NextHopRouter 10.10.10.10 Is Not Responding to Ping

Send Traps To All CLI Users

This option enables you to configure whether traps will be sent only to the serial terminal or also to SSH and Telnet clients. To send traps by CLI, the command is: manage terminal traps-outputs set-on

For console only: manage terminal traps-outputs set normal

E-mail Notification

You can configure the device to send e-mail messages to users listed in the device's User Table. Using the Send E-mail on Errors option, you can configure traps to be sent by e-mail to predefined users with different levels of severity. The severity levels are: Info, Warning, Error and Fatal. For each user, you can set the level of SNMP Traps notification the user receives. This configuration applies both for SNMP traps and for SMTP email notifications. This is done in the Users table, see page 2-48. Each user is assigned a level of severity and receives traps according to that severity or higher. When assigned the severity level of Error, the user receives e-mail traps of events with severity levels of Error and Fatal.

Note: CID optimizes the mailing process by gathering reports and sending them in a single notification message once the buffer is full or once a timeout of 60 seconds expires.

E-mail Notifications Configuration Guidelines:

From the main window, select Options > Preferences > Traps and SMTP. SMTP notifications are enabled globally for the device. Configuration reports are enabled for each user in the Users Table, see Web Based Management, page 2-48.

Configuration Trace

In addition to the SNMP traps, another method of notification has been added to the device. CID is able to monitor any configuration changes on the device and report those changes by sending out e-mail notifications. Every time the value of a configuration variable changes, information about all the variables in the same MIB entry is reported to users. The notification message contains the following details:

• Name of the MIB variable that was changed
• New value of the variable
• Time of configuration change
• Configuration tool that was used (Configware, Telnet, SSH, WBM)
• User name, when applicable
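The following Python, added here and not part of the Radware documentation, models the e-mail delivery rules above: a per-user severity threshold (that severity or higher), Configuration Trace reports only for users with configuration reports enabled, and batching into one message when the buffer fills or the 60-second timeout expires. The buffer size, user names, addresses, event texts and the MIB variable name are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity levels from the page, lowest to highest; a user receives e-mail traps of
# the level assigned in the Users Table or higher.
SEVERITY_ORDER = ("Info", "Warning", "Error", "Fatal")
MAIL_TIMEOUT_SECONDS = 60          # batch until the buffer is full or 60 s have passed


@dataclass
class User:
    """Subset of a Users Table entry (constructed fields)."""
    name: str
    email: str
    min_severity: str              # e-mail traps of this severity or higher
    config_reports: bool = False   # Configuration Trace reports enabled for this user


@dataclass
class Report:
    time: float                    # seconds on a constructed clock
    kind: str                      # "trap" or "config"
    text: str
    severity: Optional[str] = None # traps only


def trap(time: float, severity: str, text: str) -> Report:
    if severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {severity!r}")
    return Report(time, "trap", text, severity)


def config_trace(time: float, variable: str, new_value: str,
                 tool: str, user: Optional[str] = None) -> Report:
    """Build a Configuration Trace report carrying the fields listed above."""
    who = user if user is not None else "n/a"
    return Report(time, "config", f"{variable} set to {new_value!r} via {tool} by {who}")


def wants(user: User, report: Report) -> bool:
    """Routing rule: config reports need the per-user flag; traps need the severity."""
    if report.kind == "config":
        return user.config_reports
    return SEVERITY_ORDER.index(report.severity) >= SEVERITY_ORDER.index(user.min_severity)


class Mailer:
    """Gathers reports per user and emits one message per flush (buffer full or timeout)."""

    def __init__(self, users: List[User], buffer_size: int) -> None:
        self.users = users
        self.buffer_size = buffer_size
        self.pending: Dict[str, List[Report]] = {u.name: [] for u in users}
        self.first_at: Dict[str, float] = {}     # when each user's buffer started filling
        self.outbox: List[dict] = []             # messages "sent", oldest first

    def submit(self, report: Report) -> None:
        for user in self.users:
            if not wants(user, report):
                continue
            buf = self.pending[user.name]
            if not buf:
                self.first_at[user.name] = report.time
            buf.append(report)
            if len(buf) >= self.buffer_size:
                self._flush(user, report.time, "buffer full")

    def tick(self, now: float) -> None:
        """Call from a timer: flush every buffer whose 60-second timeout has expired."""
        for user in self.users:
            first = self.first_at.get(user.name)
            if first is not None and now - first >= MAIL_TIMEOUT_SECONDS:
                self._flush(user, now, "timeout")

    def _flush(self, user: User, now: float, reason: str) -> None:
        reports = self.pending[user.name]
        self.outbox.append({"to": user.email, "sent_at": now, "reason": reason,
                            "body": [r.text for r in reports]})
        self.pending[user.name] = []
        self.first_at.pop(user.name, None)


def demo() -> List[dict]:
    """Constructed sequence: two users, five events, then a timer tick at t=70 s."""
    users = [User("admin", "admin@example.invalid", "Error", config_reports=True),
             User("ops", "ops@example.invalid", "Info")]
    mailer = Mailer(users, buffer_size=4)       # buffer size is an assumption
    mailer.submit(trap(0, "Info", "NTP server reached"))
    mailer.submit(trap(5, "Warning", "NextHopRouter 10.10.10.10 Is Not Responding to Ping"))
    mailer.submit(trap(10, "Error", "Syslog server unreachable"))
    # Placeholder MIB variable name; not a real Radware object.
    mailer.submit(config_trace(20, "<mibVariable>", "enabled", "WBM", "administrator"))
    mailer.submit(trap(30, "Fatal", "Management port link down"))
    mailer.tick(70)
    return mailer.outbox
```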
Syslog

Event traps can also be mirrored to a syslog server. The current Radware syslog mechanism enables you to define the status and the event log server address. You can also define additional notification criteria such as Facility and Severity, which are expressed by numerical values. Facility indicates the type of device of the sender, while Severity indicates the importance or impact of the reported event. The user defined Facility value is used when the device sends Syslog messages. The default value is 21, meaning "Local Use 6". The Severity value is determined dynamically by the device for each message that is sent.

On CID, as on all Radware products, you can configure the appropriate information using the General > Preferences > Traps and SMTP option. Any traps generated by the Radware device will be mirrored to the specified syslog server.

Event Log

Radware devices keep track of events in the event log. It is possible to download the event log for later analysis.

Chapter 3 - Basic Switching & Routing

Chapter 3, Basic Switching & Routing, provides theoretical explanations about switching and routing in general, describes how CID participates in the processes of switching and routing, and presents several aspects of the practical implementation of CID.

This chapter includes the following sections:

• Section 3-1: Port Settings, page 3-2
• Section 3-2: Virtual LAN, page 3-8
• Section 3-3: IP Addressing & Routing, page 3-24
Section 3-1 Port Settings

Section 3-1 Port Settings describes the CID features that assist with traffic and port management.

This section includes the following topics:

• Port Mirroring, page 3-3
• Port Trunking, page 3-6

Port Mirroring

Port Mirroring enables the device to duplicate traffic from one physical port on the device to another physical port on the device. This is useful, for example, when an Intrusion Detection System (IDS) device is connected to one of the ports on the CID device. You can choose to mirror either received and transmitted traffic, received traffic only, or transmitted traffic only. You can also decide whether to duplicate the received broadcast packets.

Configuration Guidelines:

The Port Mirroring feature is configured as follows:

1. From the Set-Up window, select Networking > Port Mirroring. The Port Mirroring Table window appears.
2. In the Port Mirroring window, click Add. The Edit Port Mirroring window appears.
3. In the Edit Port Mirroring window, set the following parameters according to the explanations provided:
   Input Port: The port from which the traffic is mirrored.
   Output Port: The port to which traffic is mirrored.
   Receive/Transmit: Select the direction of traffic to be mirrored.
   Promiscuous Mode: Enable or disable depending on whether you require received broadcast packets to be mirrored.
4. Click Ok. Your preferences are recorded.

Port Mirroring Notes:

The following notes apply to all Application Switching platforms.

• Currently Port Mirroring is supported for Fast Ethernet ports only.
• It is possible to copy traffic from one Input Port to multiple Output Ports, or from many Input Ports to one Output Port.
• Traffic generated by the device itself, such as connectivity checks or management traffic, is not mirrored.
• The Input Port, from which traffic is mirrored, must be an interface with a configured IP address, or be part of a VLAN (Regular or Switched) with a configured IP address.
• The Mirrored Port, to which the traffic is mirrored, cannot be part of a VLAN (Regular or Switched) or have an IP address.
• A port that participates in Port Mirroring as an Output Port must not have an IP address, or be an interface which is part of a VLAN (Regular or Switched) with a configured IP address.
• The mirroring input port cannot be part of a Switched VLAN. Note: Traffic from a port participating in a switched VLAN cannot be mirrored.

Port Mirroring Limitations:

• Up to two output ports can be used for a single input port.
• Regular VLAN traffic with destination multicast MAC is not always mirrored, due to the switching of traffic in the ASIC.
• When mirroring traffic from a port which is a part of a Switched VLAN, traffic between hosts on this VLAN is switched by the ASICs of the device. This type of traffic is not mirrored.
• When mirroring traffic is received on a port which is a part of a Switched VLAN, and the mirrored port is configured to mirror Receive Broadcast packets, these packets are mirrored from all ports on the Switched VLAN.

Port Trunking

Port Trunking (also known as Link Aggregation) is a method of increasing bandwidth by combining physical network links into a single logical link. Link aggregation increases the capacity and availability of the communications channel between devices, both switches and end stations. Multiple parallel physical links between two devices can be grouped together to form a single logical link. Treating multiple LAN connections as one aggregated link ensures the following advantages:

• Higher link availability
• Increased link capacity
• Improvements in existing hardware: no upgrading to higher-capacity link technology is necessary.

Link aggregation also provides load balancing, where processing and communications activities are distributed across several links in a trunk, to prevent single link overloading. The failure or replacement of a single link within a Link Aggregation Group does not cause failure from the perspective of a MAC client. MAC Client traffic can be distributed across multiple links. To guarantee the correct ordering of frames at the receiving-end station, all frames belonging to one conversation must be transmitted through the same physical link. The algorithm for assigning frames to a conversation depends on the application environment. Radware devices can define conversations upon Layer 2, 3 or 4 information, or on combined Layers.

Radware devices support port trunking according to the IEEE 802.3ad standard for link aggregation. The Radware port trunking function allows you to define up to eight trunks. Up to eight physical links can be aggregated into one trunk. On Radware devices, by using the Fast Ethernet and Gigabit Ethernet technology, bandwidth increments are provided in units of 100Mbps and 1Gbps respectively. All trunk configuration is Static.

Link Aggregation is supported on:

• Links using the IEEE 802.3 MAC
• Point-to-point links
• Links operating in full duplex mode

Aggregation is permitted only among links with the same speed and direction. In port trunking configuration, the port speed and duplex must be fixed and must not be in the Auto Negotiation mode.

Port Trunking Configuration Guidelines:

1. From the main window, double click the CID icon. The Set-Up window appears.
2. From the Set-Up window, select Networking > Link Aggregation. The CID Link Aggregation window opens.
3. From the Link Aggregation window, select the trunk and click Edit. The Edit Link Aggregation window opens.
4. Assign (link) ports to the selected trunk by checking the Trunk index column for the port.
5. Select Hashing for Layers 2, 3 and 4.
6. Click Ok to apply the changes.
7. From the Trunks Table, create the interface for the new trunk by defining the IP address for the trunk, then click Apply and Ok to exit the window.

Section 3-2 Virtual LAN

Section 3-2 Virtual LAN explains the types of virtual LAN networks, their functionality and configuration in CID.

This section includes the following topics:

• What is a Virtual LAN?, page 3-9
• CID VLAN Types, page 3-10
• VLAN Configuration, page 3-12
• VLAN Auto Learn, page 3-16
• VLAN Tagging Support, page 3-18
• Redundancy, page 3-22
• Bridging, page 3-23

What is a Virtual LAN?

A Virtual LAN (VLAN) is a group of devices that share the same broadcast domain within a switched network. Broadcast domains describe the extent to which a network propagates a broadcast frame generated by a device. Some switches may be configured to support single or multiple VLANs. When a switch supports multiple VLANs, the broadcast domains are not shared between the VLANs.

• The device learns the Layer 2 addresses on every VLAN port.
• Known unicast frames are forwarded to the relevant port.
• Unknown unicast frames and broadcast frames are forwarded to all ports.

CID VLAN Types

CID VLAN provides bridging functionality among ports assigned to the same VLAN. CID supports the following types of VLANs:

• Regular VLAN
• Switched VLAN

Regular VLAN

A Regular type VLAN can be described as an IP Bridge (a software bridge) between multiple ports that incorporates all the traffic redirection of the passing traffic at all layers (Layer 2-Layer 7). All of the traffic between the ports is intercepted transparently by the CID application. Packets that need intelligent intervention are checked and modified by CID and then forwarded to the relevant port. Other packets are simply switched by CID as if they were on the same wire.

Two Protocols can be used with Regular VLANs:

IP Protocol: The VLAN must be assigned an IP address. Note that this option can be defined also with the Switched type VLAN (Switched VLAN protocol) for wire-speed performance.

Other Protocol: A VLAN with the protocol "Other" cannot be assigned an IP address. This type of VLAN is used to bridge the non-IP traffic through CID.

Switched VLAN

Switched VLAN provides wire-speed VLAN capabilities implemented through the hardware switch fabric of the CID device. Depending on the Protocol defined for the Switched VLAN, frames are treated accordingly:

Switched VLAN Protocol: Frames arriving at a VLAN port are switched according to Layer 2 information. The CID application does not intercept any traffic.

IP Protocol: Frames arriving at a VLAN port are switched according to Layer 2 information, except for frames with a Layer 2 address the same as the CID port Layer 2 address. Frames with a CID Layer 2 destination are processed by the CID application and then forwarded accordingly.

Switched VLAN can be stand-alone or part of a Regular VLAN.

VLAN Configuration

In Figure 3-1, CID is configured with two VLANs: a Network side VLAN (with address 100003) and a user side VLAN (address 100005). Both VLANs are defined as Switched type, to gain wire-speed throughput. The VLAN protocol is set to IP. To enable CID to perform Traffic Redirection policies on traffic destined to the Internet, clients are required to configure CID as their default router.

Figure 3-1 Transparent CIDs in VLAN (Network Side VLAN 100003 with the Internet Router and Server on CID ports P1 and P2; User Side VLAN 100005 with the Clients on CID ports P3 and P4)

VLAN Definitions in CID:

Interface Number | Protocol | VLAN Type
100003 | IP | Switched
100005 | IP | Switched

To create a VLAN:

1. From the Set-Up window, select Networking > VLAN. The CID Virtual LAN window appears.
2. Select the bridge type and set the remaining parameters according to the explanations provided:
   Interface Number: The interface number of the VLAN, automatically assigned by the management station.
   Type: Switch: The Switch type is a Layer 2 VLAN. Regular: The device acts as a bridge.
   Protocol: Select the protocol for the VLAN, according to the VLAN Type: IP or Switch VLAN. Note: Otherwise the protocol is IP or Other.
3. To connect a physical port on the device to the VLAN you are defining, select one of the checkboxes in the Assign Port to VLAN pane.
4. Click Add. The new VLAN is listed in the CID Virtual LAN table.

Tip: At any stage you can edit any of these parameters (for example change the protocol) and click Update to apply the new setup.

Note: CID supports 64 VLANs; however, an IP address can only be assigned to 36 VLANs.

To configure VLAN Parameters:

1. From the Set-Up window, select Networking > VLAN. The CID Virtual LAN window appears.
2. From the CID Virtual LAN window, click Parameters. The Parameters pane appears.
3. From the Parameters pane, set the following parameters according to the explanations provided:
   IP VLAN Auto Config: Check to enable this function. CID automatically detects and adds physical ports to existing IP VLANs according to the incoming IP broadcasts and ARP requests.
   Auto Config Aging Time: Define this parameter when using the VLAN Auto Config option. Range: 10-3600 seconds. Default: 3600.
   Ethernet Type: Define the Ethernet type for user defined VLANs.
   Ethernet Type Mask: Define the mask on Ethernet type for user defined VLANs.
   Bridge Address: Type the MAC Address to be used by CID.
   Bridge Type: Define the type of bridging to perform. Refer to Bridging, page 3-23. Default: Transparent-only.
   Bridge Forwarding Table Aging Time: Define the Aging Time, that is, the period for which unused entries are retained in the Forwarding Table. When the defined Aging Time expires, unused entries are deleted from the table. Range (in seconds): 10-3600. Default: 3600. Note: This counter is reset each time the entry is used.
   802.1q Environment: Check to enable this function, if you want the environment to support VLAN tagging. See page 3-17.
   VLAN Tag Handling: Choose whether to retain or overwrite.
   VLAN Forwarding Policy: Check to enable the policy in order to return packets from server to client according to Layer 3 information. When this policy is not enabled, packets are returned according to Layer 2 information. Note: Layer 2 information supports transparent configuration within the network.
4. Click Apply to save the setup and click Ok to close the window.

Note: In the Bridge Set-Up tab of the CID Virtual LAN window, you can monitor, add and edit the bridge forwarding nodes.

VLAN Auto Learn

Configuring CID with VLANs is useful for the transparent CID installation. The common configuration is to connect CID in VLAN mode as a bridge. Although this is a transparent installation, a default gateway (Next Hop Router) must be defined on all servers and clients, typically the Internet access router.

CID supports the ability to learn the MAC addresses of the approaching clients. This ability eliminates the need for configuration and maintenance of each network in the CID's Routing Table, and leaves the CID operation transparent to the network structure and to the network topology modifications that may take place. Static routes must be defined on CID to accommodate networks with multiple subnets, such as networks of large organizations or ISPs where each subnet has its own access router and all routers connect to a central point.

When a new client is treated by CID (either if the client approached the Farm IP, or was intercepted by CID), CID learns the source MAC address of the client's request, thus allowing CID to send all the server's responses (answers) to that client, using the learned MAC as the destination MAC address in the response packet.
VLAN Auto Learn Configuration Guidelines:

The VLAN Auto Learn requires no user configuration and is active when a VLAN is defined.

Note: For the "Auto Learn" mechanism to operate correctly, you must add static routing entries to the Routing Table.

VLAN Forwarding Policy for Layer 2 and Layer 3

When VLAN is enabled, CID forwards the client's traffic and redirects it to selected servers according to the Layer 2 addresses. When a packet is returned from a server to a client, CID can forward the packet according to Layer 2 information or according to Layer 3 information. You can define the return policy of the packet by selecting the VLAN Forwarding Policy checkbox in the CID Virtual LAN Parameters window.

• Layer 2: Requires no user configuration but requires clients and servers to define an NHR. Layer 2 is the default policy and returns the packets based on the client MAC address, thus supporting transparent configuration within the network.
• Layer 3: CID returns the packet based on the client IP address. When configuring a VLAN with a Forwarding Policy set to Layer 3, see Setting up the Routing Table, page 3-27.

To enable a VLAN Forwarding Policy:

1. From the Set-Up window, select Networking > VLAN. The CID Virtual LAN window appears.
2. From the CID Virtual LAN window, click Parameters. The Parameters pane appears.
3. From the Parameters pane, check VLAN Forwarding Policy and click Ok. The forwarding policy is now enabled.
4. Reboot the system to apply the policy.

VLAN Tagging Support

VLAN Tagging is an IEEE standard (802.1q) for supporting multiple VLANs associated with the same switch port. Each VLAN is tagged with a unique identifier to allow the identification of different VLANs' traffic on the same physical port. VLAN Tagging (802.1q Environment) support can be used with CID where CID is connected to multiple VLANs on the same switch, and different cache servers are assigned to different VLANs.

CID recognizes an IP interface as a physical port/IP address combination. Each IP interface has a VLAN tag associated with it. The tagging support is based on the local subnet to which the traffic is sent; therefore packets cannot be tagged by the destination subnet if it is not local to the CID. The switch connected to the CID must be configured consistently with the CID tagging configuration.

When two VLANs are configured across two different switches, usually there is a connection between each of the VLANs on one switch and the corresponding VLAN on a second switch. This is done by a single cable connecting the two switches, for example port 10 on each. The ports that inter-connect the switches belong to all of the VLANs on that switch. In this case, the switch needs to know to which VLAN to send traffic coming from port 10, as this port belongs to all the VLANs. VLAN Tagging provides an indication in the Layer 2 header by which the switch decides through which port to connect to the VLAN on the other switch. Each VLAN is tagged with a unique tag to allow the identification of different VLAN traffic on the same physical port.

Example - VLAN Tagging

In Figure 3-2, tag 101 is associated to IP interfaces 1 & 3 and tag 102 is associated to IP interfaces 2 & 4. This guarantees that hosts on VLAN 10.1.1.0 do not see any traffic destined to VLAN 20.1.1.0, even if a destination MAC address is a broadcast address.

Figure 3-2 VLAN Tagging Example (Clients on VLAN 10.1.1.0 and VLAN 20.1.1.0 on both sides of the CID; P1: 10.1.1.1, Tag: 101; P2: 20.1.1.1, Tag: 102; P3: 10.1.1.2, Tag: 101; P4: 20.1.1.2, Tag: 102)
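Added example (not the guide's own code): Python that encodes the Figure 3-2 tagging rules, choosing the tag from the local subnet that contains the destination, inserting an 802.1Q tag with the priority bits zeroed, refusing VLAN IDs outside 1-4063, and checking that a broadcast tagged 102 is invisible to a host on VLAN 101. The /24 masks, MAC addresses and payloads are assumptions.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100           # EtherType value that announces an 802.1Q tag
VID_MIN, VID_MAX = 1, 4063    # VLAN IDs a CID accepts (from the page)
BROADCAST_MAC = b"\xff" * 6


@dataclass(frozen=True)
class IpInterface:
    """A CID IP interface: physical port plus IP address, with an optional VLAN tag."""
    if_num: int
    port: str
    address: str                    # "a.b.c.d/prefix"; the /24 masks are an assumption
    vlan_tag: Optional[int] = None  # None: this interface sends untagged frames

    @property
    def network(self) -> IPv4Network:
        return IPv4Network(self.address, strict=False)


def validate_vid(vid: int) -> int:
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VLAN ID {vid} outside the permitted range {VID_MIN}-{VID_MAX}")
    return vid


# Figure 3-2 as configured on the CID: interfaces 1 and 3 carry tag 101, 2 and 4 tag 102.
FIGURE_3_2: List[IpInterface] = [
    IpInterface(1, "P1", "10.1.1.1/24", 101),
    IpInterface(2, "P2", "20.1.1.1/24", 102),
    IpInterface(3, "P3", "10.1.1.2/24", 101),
    IpInterface(4, "P4", "20.1.1.2/24", 102),
]


def egress_tag(interfaces: List[IpInterface], dst_ip: str) -> Optional[int]:
    """Tag for a packet to dst_ip, taken from the local subnet that contains it.

    A destination that is on no local subnet cannot be tagged, so None is returned.
    """
    dst = IPv4Address(dst_ip)
    for itf in interfaces:
        if dst in itf.network:
            return itf.vlan_tag
    return None


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int,
                payload: bytes, vid: Optional[int]) -> bytes:
    """Ethernet frame; when vid is given, insert an 802.1Q tag with priority bits 000."""
    header = dst_mac + src_mac
    if vid is None:
        return header + struct.pack("!H", ethertype) + payload
    tci = (0 << 13) | (0 << 12) | validate_vid(vid)    # PCP=000, DEI=0, 12-bit VID
    return header + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, int]:
    """Return (vid or None, priority bits, ethertype) of a raw frame."""
    (first_type,) = struct.unpack_from("!H", frame, 12)
    if first_type != TPID_8021Q:
        return None, 0, first_type
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner_type


def delivered_to(frame: bytes, host_vid: int) -> bool:
    """Switch-side view: a host on VLAN host_vid only receives frames carrying its tag."""
    vid, _, _ = parse_frame(frame)
    return vid == host_vid


def figure_3_2_demo() -> Dict[str, object]:
    """Constructed traffic from the CID on the Figure 3-2 layout."""
    cid_mac = bytes.fromhex("02aabbccdd01")        # constructed MAC addresses
    host_mac = bytes.fromhex("02aabbccdd02")
    results: Dict[str, object] = {}
    for dst_ip in ("10.1.1.50", "20.1.1.7", "172.16.0.9"):
        vid = egress_tag(FIGURE_3_2, dst_ip)
        results[dst_ip] = parse_frame(build_frame(host_mac, cid_mac, 0x0800, b"ip", vid))
    # A broadcast towards the 20.1.1.0 subnet is still tagged 102, so VLAN 101 never sees it.
    bcast = build_frame(BROADCAST_MAC, cid_mac, 0x0806, b"arp",
                        egress_tag(FIGURE_3_2, "20.1.1.255"))
    results["broadcast_seen_on_101"] = delivered_to(bcast, 101)
    results["broadcast_seen_on_102"] = delivered_to(bcast, 102)
    return results
```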
When multiple VLANs are associated with the same switch port.Virtual LAN All the packets sent to any destination host on a tag-configured IP interface carry the VLAN tag. Unicast ARPs between redundant CIDs. Note: The CID automatically sets the 802.1p prioritization portion of the tag (the first 3 bits) to 000. The permissible VLAN IDs to be configured on a CID range from 1 to 4063. In the Interface window.indicates a broadcast address filled with ones. the switch needs to identify to which VLAN to direct incoming traffic from that specific port. Forward Broadcast: VLAN Tag: 3-20 CID User Guide . set the following parameters according to the explanations provided: If Num: IP Address: Network Mask: Broadcast Type: The number of the interface. 2. Type the Tag to be associated with this IP Interface. packets are sent without a tag (standard Layer 2 MAC header). Gratuitous ARPs. including: • • • • All health checking packets from the CID to the cache servers. ONEFILL . From the Set-Up window. which are part of the redundancy mechanism. The IP address of the interface. ARP requests and responses from the CID to the cache servers. Whether the device forwards incoming broadcasts to this interface. The Interface window appears. VLAN tagging provides an indication in the Layer 2 header that enables the switch to make the correct decision.indicates a broadcast address filled with zeros. If an IP interface does not have a VLAN tag configured. click Add. To add a VLAN Tag to a network: 1. From the CID Virtual LAN window. CID allows preserving existing VLAN Tags on incoming traffic that passes through the device. The Parameters pane appears. Traffic generated by the device is tagged according to the IP Interface configuration. Retain: The device preserves the existing VLAN tags on the incoming traffic.Chapter 3 .Basic Switching & Routing 3. set the following parameters according to the explanations provided: 802. Default? Set this value to Retain. 2. 
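The tagging behaviour described above (802.1p bits forced to 000, the documented VLAN ID range, untagged interfaces emitting a plain MAC header, and Retain versus Overwrite handling of tags on transit traffic) as an added example in Python. This is illustration code, not CID's code; the function names, the sample MAC addresses and the use of tag 0 to mean "no tag configured" are assumptions.

```python
"""Added example (not CID's own code): build and parse IEEE 802.1Q tagged
Ethernet headers the way the VLAN Tagging section describes CID doing it.
Assumptions for illustration: the 802.1p priority bits are forced to 000,
VLAN IDs are accepted only in CID's documented range 1..4063, and an IP
interface with no tag (modelled as tag 0) emits a plain Layer 2 MAC header."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4063      # range documented for CID


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, vlan_tag: int, payload: bytes,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Return an Ethernet frame, tagged only if the IP interface carries a tag.

    vlan_tag == 0 models an IP interface with no VLAN tag configured:
    the frame goes out with a standard (untagged) MAC header."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan_tag == 0:
        return hdr + struct.pack("!H", ethertype) + payload
    if not VLAN_ID_MIN <= vlan_tag <= VLAN_ID_MAX:
        raise ValueError(f"VLAN ID {vlan_tag} outside permitted range "
                         f"{VLAN_ID_MIN}-{VLAN_ID_MAX}")
    # TCI = PCP (3 bits) | CFI (1 bit) | VID (12 bits); PCP is forced to 000
    tci = (0 << 13) | (0 << 12) | vlan_tag
    tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return hdr + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode dst, src, the optional VLAN tag (VID and PCP) and inner EtherType."""
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != ETHERTYPE_8021Q:
        return {"dst": dst, "src": src, "vlan": None, "pcp": None,
                "ethertype": etype, "payload": frame[14:]}
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vlan": tci & 0x0FFF,
            "pcp": tci >> 13, "ethertype": inner, "payload": frame[18:]}


def retag(frame: bytes, interface_tag: int, handling: str) -> bytes:
    """Model the VLAN Tag Handling parameter for traffic passing through.

    'Retain' keeps the tag a tagged frame arrived with; 'Overwrite' re-tags
    according to the outgoing IP interface.  A frame that arrives untagged is
    tagged from the interface configuration under either setting."""
    f = parse_frame(frame)
    if handling == "Retain" and f["vlan"] is not None:
        return frame
    return build_frame(f["dst"], f["src"], interface_tag, f["payload"],
                       f["ethertype"])
```

Running `parse_frame(build_frame(...))` on a tagged frame shows the 4-byte tag inserted between the source MAC and the EtherType with PCP 0; a tag outside 1 to 4063 is rejected before a frame is built, which is the check to apply to any tag value read from configuration.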
4. Click Ok to save the setup and exit the window.

To retain the existing VLAN Tags:
1. From the Set-Up window, select Networking > VLAN. The CID Virtual LAN window appears.
2. From the CID Virtual LAN window, click Parameters. The Parameters pane appears.
3. From the Parameters pane, set the following parameters according to the explanations provided:
802.1q Environment: Set this value to Enabled.
VLAN Tag Handling: Retain: The device preserves the existing VLAN tags on the incoming traffic. Overwrite: The device performs VLAN tagging of the outgoing traffic according to the IP Interface configuration. Default: Overwrite.
4. Click Ok to exit all windows.

Configuration of this feature is also available in the VLAN Tagging window from the Device menu.

Note: In case a packet arrives without a VLAN tag, CID sets a tag according to the destination local subnet or server. CID sets the tag for such a packet according to the following parameters: the destination IP of the packet, in case it is on the same local subnet as CID, or the MAC address of the firewall that is configured on CID and through which the packet is sent.

Redundancy

When working with VLANs, two CIDs can operate together, one backing up the other. A special provision in CID prevents the occurrence of a network-bridging loop. For further information on redundancy configurations, refer to Chapter 6, Redundancy.

Bridging

CID can transparently intercept traffic not destined to its MAC address through the configuration of VLANs. When a VLAN is defined, CID performs bridging among the interfaces assigned to the same VLAN. Bridging within a VLAN means that CID learns the MAC addresses of frames arriving from each physical interface and maintains a list of MAC addresses per interface. When a frame arrives from one interface, CID looks for the frame's destination address within its address list according to the following conditions:
• If the destination address is listed on the same interface as the source address, CID discards the frame.
• If the destination address is listed on another interface, CID forwards the frame to that interface.
• If the address is not listed on any interface, CID broadcasts the frame to all interfaces participating in the VLAN.

CID enables you to modify the address lists by registering additional MAC addresses per interface. This is done from the Bridge Set-Up menu.

To add a MAC address to a port:
1. From the Set-Up window, select Networking > VLAN. The CID Virtual LAN window appears.
2. From the CID Virtual LAN window, click the Bridge Set-up tab. The Edit Global Forwarding Table window appears.
3. From the Edit Global Forwarding Table window, select the relevant port to which you wish to add a MAC address and click Add.
4. Set the following parameters according to the explanations provided:
MAC address: Type in the relevant MAC address for the port.
Port: Select the port.
Status: Define the status of the entry: Permanent or Delete On Reset.
5. Click Apply, then Ok.

Section 3-3 IP Addressing & Routing

Section 3-3, IP Addressing & Routing, deals with the configuration of VLAN addressing and routing. This section includes the following topics:
• IP Addressing, page 3-25
• Routing, page 3-26
• Alternate Default Gateway, page 3-28
• Routing Information Protocol, page 3-29
• Open Shortest Path First, page 3-32

IP Addressing

IP addresses are 32-bit binary numbers, for example 11000000101010000000000100010100 (192.168.1.20 in dotted decimal notation). Each 32-bit IP address consists of two sub-addresses, one identifying the network and the other identifying the host on that network, with an imaginary boundary separating the two. The location of the boundary between the network and host portions of an IP address is determined through the use of a subnet mask. A subnet mask is another 32-bit binary number that acts like a filter when it is applied to the 32-bit IP address:
• Anywhere the subnet mask has a bit set to "1", the underlying bit in the IP address is part of the network address.
• Anywhere the subnet mask is set to "0", the related bit in the IP address is part of the host address.
By comparing a subnet mask with an IP address, systems can determine which portion of the IP address relates to the network and which portion relates to the host. You are required to assign an IP address and IP Network Mask for each defined interface.

Setting Up Interface IP Addresses

You can set up the IP addresses for CID interfaces using the main Setup window. CID performs routing between all defined IP interfaces. Dynamic addition and deletion of IP interfaces is also supported.

Compliance Notes

CID support for IP routing is compliant with the RFC 1812 router requirements, with some limitations. The IP router supports the RIP I, RIP II and OSPF routing protocols. OSPF and its MIB are supported as specified in RFC 1583 and RFC 1850. OSPF is an intra-domain IP routing protocol, intended to replace RIP in bigger or more complex networks.

Routing

Routing is CID's ability to forward IP packets to their destination using an IP Routing Table. The IP Routing Table stores information about destinations and how they can be reached. By default, all networks directly attached to CID are registered in the IP Routing Table. Other entries in the table can either be statically configured by users or dynamically created through a routing protocol. When CID forwards an IP packet, the IP Routing Table is the resource for establishing the next-hop IP address and the next-hop interface. This ensures that extremely low latency is maintained.

• The destination IP address does not change on the path from source to destination. The destination MAC (Layer 2 information) is manipulated to move a packet across networks, and the MAC of the destination host is applied when the packet arrives on the destination network.
• For a direct delivery, when the destination is a neighboring node, the next-hop MAC address is the destination MAC address for the IP packet.
• For an indirect delivery, when the destination is not a neighboring node, the next-hop MAC address is the address of an IP router, according to the IP Routing Table.

Setting up the Routing Table

The Routing Table allows you to configure routing and to define the default gateway.

To configure routing:
1. From the Set-Up window, select Networking > Routing Table. The CID Routing Table window appears.
2. Click Add. The Edit Route window appears.
3. From the Edit Route window, set the following parameters according to the explanations provided:
Destination IP Address: The destination IP address for the route.
Network Mask: The network mask of the destination subnet (IP).
Next Hop: The IP address of the next hop towards that destination subnet. The next hop must reside on a subnet which is local to the device.
IF Number: The IF (interface) index number of the local interface or VLAN through which the next hop of this route is reached.
Metric: Number of hops to the destination network.
Type: Define how remote routing is handled. Values: Remote (forwards packets), Reject (discards packets), Local (read-only). Default: Remote.
4. Click Ok to close all the windows.

To configure a default gateway:
1. Follow steps 1-2 as explained above.
2. In the Edit Route window (see step 3 above), type the relevant value for the Next Hop parameter. Destination IP Address and Network Mask remain at their default values (0.0.0.0).
3. To close all the windows, click Ok.

Each default gateway may be checked using the Health Monitoring module; the Health Check Name parameter defines the name of the health check. If it is required to bind a health check to an already existing default gateway, the check must be deleted and then reconfigured (see Alternate Default Gateway, below).
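The two forwarding paths described in the Bridging and Routing sections above, as one added example in Python (illustration code, not CID's code): frames not addressed to the device's own MAC are bridged within their VLAN with the learn/discard/forward/broadcast rules, and frames addressed to the device are routed by longest-prefix match over a table with the Remote/Reject/Local types, a 0.0.0.0/0 default gateway, and the "next hop must be on a local subnet" check. The class and method names, port numbers, MAC and IP addresses are assumptions.

```python
"""Added example (not CID's own code): a small VLAN-aware forwarder that
applies the Bridging rules (learn the source MAC per interface; discard,
forward or broadcast within the VLAN) and, for frames addressed to the
device's own MAC, the Routing Table rules (longest-prefix match, direct vs
indirect delivery, Reject routes, 0.0.0.0/0 default gateway).
Port numbers, MACs, addresses and the Route fields are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dest: ipaddress.IPv4Network   # Destination IP Address + Network Mask
    next_hop: str                 # unused for Local (directly attached) routes
    if_num: int                   # IF Number of the outgoing interface
    metric: int = 1               # hops
    rtype: str = "Remote"         # Remote (forward) | Reject (discard) | Local


class Forwarder:
    def __init__(self, own_mac, vlan_ports, interfaces):
        self.own_mac = own_mac
        self.vlan_ports = {v: set(ps) for v, ps in vlan_ports.items()}
        self.port_vlan = {p: v for v, ps in self.vlan_ports.items() for p in ps}
        self.fdb = {}                                    # (vlan, mac) -> port
        self.interfaces = {n: ipaddress.ip_interface(a)  # if_num -> interface
                           for n, a in interfaces.items()}
        # Directly attached networks are registered automatically (Local).
        self.routes = [Route(i.network, "0.0.0.0", n, 0, "Local")
                       for n, i in self.interfaces.items()]

    def add_static_mac(self, vlan, mac, port):
        """Bridge Set-Up: register an additional (Permanent) MAC on a port."""
        self.fdb[(vlan, mac)] = port

    def add_route(self, dest, next_hop, if_num, metric=1, rtype="Remote"):
        """Static route; a Remote next hop must sit on a subnet local to the device."""
        nh = ipaddress.ip_address(next_hop)
        if rtype == "Remote" and not any(nh in i.network for i in self.interfaces.values()):
            raise ValueError(f"next hop {nh} is not on a local subnet")
        self.routes.append(Route(ipaddress.ip_network(dest), next_hop, if_num, metric, rtype))

    def bridge(self, in_port, src_mac, dst_mac):
        """Ports the frame is sent out on; [] means it is discarded."""
        vlan = self.port_vlan[in_port]
        self.fdb[(vlan, src_mac)] = in_port              # learn the source per interface
        out = self.fdb.get((vlan, dst_mac))
        if out is None:                                  # not listed anywhere: broadcast
            return sorted(self.vlan_ports[vlan] - {in_port})
        if out == in_port:                               # listed on the source interface
            return []
        return [out]                                     # listed on another interface

    def route(self, dst_ip):
        """Longest-prefix match; returns (delivery, next-hop IP, IF Number) or None."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for r in self.routes:
            if dst not in r.dest:
                continue
            if (best is None or r.dest.prefixlen > best.dest.prefixlen
                    or (r.dest.prefixlen == best.dest.prefixlen and r.metric < best.metric)):
                best = r
        if best is None or best.rtype == "Reject":
            return None                                  # no route, or Reject: discard
        if best.rtype == "Local":
            return ("direct", str(dst), best.if_num)     # next-hop MAC = destination's MAC
        return ("indirect", best.next_hop, best.if_num)  # next-hop MAC = router's MAC

    def handle(self, in_port, src_mac, dst_mac, dst_ip=None):
        """Frames not addressed to the device's MAC are bridged; the rest are routed."""
        if dst_mac != self.own_mac:
            return ("bridge", self.bridge(in_port, src_mac, dst_mac))
        return ("route", self.route(dst_ip))


def demo():
    """Constructed topology: VLAN 101 on ports 1 and 3, VLAN 102 on ports 2 and 4."""
    fw = Forwarder("00:00:5e:00:53:00", {101: {1, 3}, 102: {2, 4}},
                   {1: "10.1.1.1/24", 2: "20.1.1.1/24"})
    fw.add_route("0.0.0.0/0", "10.1.1.254", 1)                 # default gateway
    fw.add_route("172.16.0.0/16", "0.0.0.0", 0, 1, "Reject")   # black-holed prefix
    own = fw.own_mac
    return {
        "unknown": fw.handle(1, "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"),
        "learned": fw.handle(3, "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:01"),
        "same_port": fw.handle(1, "aa:aa:aa:aa:aa:03", "aa:aa:aa:aa:aa:01"),
        "direct": fw.handle(1, "aa:aa:aa:aa:aa:01", own, "20.1.1.7"),
        "default": fw.handle(1, "aa:aa:aa:aa:aa:01", own, "8.8.8.8"),
        "reject": fw.handle(1, "aa:aa:aa:aa:aa:01", own, "172.16.5.5"),
    }
```

`demo()` walks the cases in order: the first frame floods the VLAN because the destination is unknown, the reply is forwarded to the port where the sender was learned, a frame whose destination sits on its own port is dropped, a destination on an attached subnet is delivered directly, everything else goes to the default gateway, and the Reject prefix wins over the default route because it is the longer match.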
Alternate Default Gateway

CID enables you to define up to 15 default gateways on the device, providing high availability between the default gateways. Each default gateway may be checked using the Health Monitoring module. By using the Health Monitoring Binding Table it is possible to bind health checks to the configured alternate default gateways. All configured alternate default gateways appear in the Binding Table's Server dropdown list.

Note: CID supports binding health checks only to newly configured alternate default gateways. This means that after an upgrade from a lower version, if it is required to bind a health check to an already existing default gateway, the check must be deleted and then reconfigured.

To configure an alternate default gateway:
1. From the Set-Up window, select Networking > Routing Table. The CID Routing Table appears.
2. Click Add. The Edit Route table appears, where you can add a new default gateway and add a value for Next Hop.
3. Click Ok to exit all windows.

To bind a new health check to an alternate default gateway, first define the required health check using the Health Monitoring Check Table, and then use the Binding Table to bind the check to the relevant default gateway:
4. From the main window, click Health Monitoring. The CID Health Checks window appears.
5. Click Add. The Edit Active Health Check window appears.
6. From the Edit Active Health Check window, set the following parameters according to the explanations provided:
Check Element: Select the new default gateway.
Health Check Name: Define the name of the health check.
7. Click Ok to exit all windows.

For further information on health checks and binding, refer to Chapter 7, Health Monitoring.

Routing Information Protocol

Routing Information Protocol (RIP) is a commonly-used protocol for managing router information within a self-contained network such as a corporate local area network or an interconnected group of such LANs. RIP is classified by the Internet Engineering Task Force (IETF) as one of several Interior Gateway Protocols.

Using RIP, a gateway host (with a router) sends its entire routing table, which lists all the other hosts that it recognizes, to its closest neighbor host every 30 seconds. The neighbor host then passes the information on to its next available neighbor, and so on, until all hosts within the network have the same knowledge of routing paths. This is known as network convergence. Each host with a router in the network uses the routing table information to determine the next host to route a packet to for a specified destination.

RIP uses a hop count as the means to determine network distance. Other protocols use more sophisticated algorithms that include timing. RIP is intended for small homogeneous networks. CID supports RIP versions 1 and 2.

Note: For information about OSPF, refer to the description on page 3-32.

To configure RIP:
1. From the Set-Up window, select Networking > RIP. The CID RIP Parameters window appears.
2. Click Edit. In the CID Edit RIP window that appears, set the following parameters according to the explanations provided:
Enable RIP (checkbox): Check to enable this protocol.
Leak Static Routes (checkbox): Controls redistribution of routes from static routes to RIP. When enabled, all the static routes you define in the Routing Table are advertised into RIP.
Leak OSPF Routes (checkbox): Controls redistribution of routes from OSPF to RIP. When enabled, all routes learned through OSPF are advertised into RIP.
3. From the CID RIP Parameters window, open the CID Edit RIP window for an interface and set the following parameters according to the explanations provided:
IP Address: (read-only) The IP address of the current interface.
Outgoing RIP: Select the type of RIP to be sent:
• Do Not Send: No RIP updates are sent.
• RIP Version 1: Sends RIP updates compliant with RFC 1058.
• RIP Version 2: Multicasts RIP-2 updates.
Default: RIP Version 1.
Incoming RIP: Select the type of RIP to be received:
• RIP 1: Accepting RIP 1.
• RIP 2: Accepting RIP 2.
• Do Not Receive: No RIP updates are accepted.
Default Metric: Select the metric for the default route entry in RIP updates originated on this interface. Note: 0 (zero) indicates that no default route must be originated; in this case, a default route through another router may be propagated. Default: 0.
Virtual Distance: Define the virtual number of hops assigned to the interface. This enables fine-tuning of the RIP routing algorithm. Default: 1.
Status: Define the status of RIP in the router. Values: Valid, Invalid. Default: Valid.
Auto Send: Enable (check) this option to minimize network traffic when CID is the only router on the network. Note: When this option is enabled, the device advertises RIP messages with the default metric only. This allows some stations to learn the default router address. If the device detects another RIP message, Auto Send is disabled.

Open Shortest Path First

The Open Shortest Path First (OSPF) protocol was developed for IP networks and is based on the shortest path first, or link-state, algorithm for interior gateway routing. Routers use link-state algorithms to send information to all access nodes in a network by calculating the shortest path to each node based on the Internet topography. Each router sends the portion of the Routing Table (keeping track of routes to particular network destinations) that describes the state of its own links; after sending the routing information, each router calculates the shortest path to each node from the resulting topography. With OSPF you can build a more stable network, because fast convergence prevents such problems as routing loops and count-to-infinity (when routers continuously increment the hop count to a particular network). The OSPF algorithms allow more frequent updates, but require a lot of CPU power and memory.
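The RIP behaviour described in the Routing Information Protocol section, and the count-to-infinity problem the OSPF section contrasts it with, as an added example in Python (illustration code, not CID's code): each update period every router hands its entire table to its neighbours, distances are hop counts, 16 means unreachable, and the per-interface Virtual Distance parameter is the cost added to received routes (default 1). The three-router topology, the link failure and the class names are assumptions; split horizon and poison reverse, which real RIP implementations use to damp this, are deliberately left out so the effect is visible.

```python
"""Added example (not CID's own code): a distance-vector simulation of the
RIP behaviour described above: every update period each router sends its
whole table to its neighbours, distances are hop counts, 16 means
unreachable, and the Virtual Distance parameter is the per-interface cost
added to received routes (default 1).  The three-router topology and the
link failure are constructed for illustration; split horizon is not modelled."""
RIP_INFINITY = 16


class RipRouter:
    def __init__(self, name, networks, virtual_distance=None):
        self.name = name
        self.table = {n: (0, None) for n in networks}   # dest -> (hops, via)
        self.links = {}                                 # neighbour name -> link
        self.vd = virtual_distance or {}                # neighbour -> Virtual Distance

    def connect(self, other):
        self.links[other.name] = other
        other.links[self.name] = self

    def disconnect(self, other):
        del self.links[other.name]
        del other.links[self.name]

    def advertise(self):
        """The entire routing table, as RIP sends it every 30 seconds."""
        return dict(self.table)

    def receive(self, sender, update):
        """One Bellman-Ford step; returns True when the table changed."""
        changed = False
        cost = self.vd.get(sender, 1)                   # Virtual Distance of this interface
        for dest, (hops, _) in update.items():
            new = min(hops + cost, RIP_INFINITY)
            cur, via = self.table.get(dest, (RIP_INFINITY, None))
            # Take a better route, or whatever the current next hop now reports.
            if new < cur or (via == sender and new != cur):
                self.table[dest] = (new, sender if new < RIP_INFINITY else None)
                changed = True
        return changed

    def lose_neighbor(self, neighbor):
        """Link down: every route learned through that neighbour is unreachable."""
        for dest, (_, via) in list(self.table.items()):
            if via == neighbor:
                self.table[dest] = (RIP_INFINITY, None)


def run(routers, max_rounds=50):
    """Exchange full tables until nothing changes; returns the rounds used."""
    for rnd in range(1, max_rounds + 1):
        ads = {r.name: r.advertise() for r in routers}
        changed = False
        for r in routers:
            for nb in r.links:
                changed |= r.receive(nb, ads[nb])
        if not changed:
            return rnd
    return max_rounds


def demo():
    a = RipRouter("A", ["10.0.0.0/24"])
    b = RipRouter("B", [])
    c = RipRouter("C", ["10.0.2.0/24"])
    a.connect(b)
    b.connect(c)
    rounds = run([a, b, c])
    converged = {r.name: r.table["10.0.2.0/24"][0] for r in (a, b, c)}
    # Link B-C fails.  B marks 10.0.2.0/24 unreachable, but A still advertises it
    # at 2 hops (via B), so A and B keep raising the count until it reaches 16.
    b.disconnect(c)
    b.lose_neighbor("C")
    rounds_after = run([a, b])
    after = {r.name: r.table["10.0.2.0/24"][0] for r in (a, b)}
    return rounds, converged, rounds_after, after
```

Before the failure the chain converges in three update rounds (A reaches 10.0.2.0/24 at 2 hops, B at 1, C directly). After the B-C link fails the two remaining routers bounce the stale route back and forth, adding one hop each round, until both hold 16; that is the count-to-infinity the OSPF section refers to, and the reason RIP caps the metric at 16 and implementations add split horizon.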
Chapter 4 - Basic Application Switching

Chapter 4, Basic Application Switching, describes the farm and server management concepts and the related features. This chapter also provides examples of common configurations of application switching and load balancing schemes as implemented in Content Inspection Director (CID). This chapter includes the following main sections:
• Section 4-1: Farm Management, page 4-2
• Section 4-2: Server Management, page 4-25
• Section 4-3: Server Load Balancing, page 4-36
• Section 4-4: Cache Load Balancing, page 4-53
• Section 4-5: Local Triangulation, page 4-77
• Section 4-6: Server Spoofing, page 4-86
• Section 4-7: Network Address Translation, page 4-88

Section 4-1 Farm Management

Section 4-1, Farm Management, describes the farm-related CID features designed to maximize utilization of the existing network resources when providing various services. This section includes the following topics:
• Farm Management Overview, page 4-3
• Dispatch Methods, page 4-7
• URL Table and Parameters, page 4-11
• Static URL Table, page 4-14
• Configuring Farms, page 4-16
• Configuring Dispatch Methods, page 4-20
• Configuring Content Based Rules, page 4-21
• Configuring Client Table, page 4-37

Farm Management Overview

CID is designed to load balance content servers, such as cache servers, anti-virus servers or URL filters. Servers are grouped in farms according to the type of service that they provide; for each service you can define a farm on CID. Traffic is distributed within a group of heterogeneous content servers. When a new request for service arrives, CID identifies the required service and selects the most available server within the farm that provides this service. In that manner CID optimizes the server operation and improves the overall quality of service.

CID transparently intercepts the Internet-bound user traffic and intelligently load balances the traffic among the content servers, which operate transparently or non-transparently. As a result, users do not need browser configurations that point them to a proxy server. In addition, to facilitate users who need to operate non-transparently, CID also provides Virtual IP addresses for the content farms.

Each CID farm is identified by its VIP (Virtual IP Address). This address is used by configured clients to approach the farm. Each server within a CID farm is recognized by its IP address. That IP address can be hidden from the clients, making the process of server selection transparent for the users.

CID operation is based on three main components bound together into a Farm Policy: Farm, Network and Service. Figure 4-1, Farm Policy Components (figure not reproduced), illustrates this model: a Service, a Network and a Farm bound into one policy. CID enables users to build a Farm Policy based on a rule that combines these components; for example, a rule that takes into consideration client traffic that arrives from (or is destined to) a certain network, is identified by the defined Service, and is then redirected to a Farm for packet or session treatment.

Farm: A group of servers that provide the same service. A Farm definition includes server farm functions such as the load balancing scheme for client-server persistency, content based rules for server-site persistency, connectivity check methods and more.
Network: A range of network IP addresses.
Service: An application that can be a TCP or a UDP port number, or a complex service that combines several basic services. The service can consist of a basic filter, a filter group or an advanced filter.
• Basic filter: Specifies the application (for example, TCP destination port 80, or UDP source ports 100-200).
• Filter group: A collection of basic filters with a logical OR condition. You can use this service to create a group of applications that you want to send to the same farm.
• Advanced filter: A collection of basic filters with a logical AND condition.

Packet Treatment Basics

To benefit from the powerful engine that classifies each and every packet arriving at CID, you need to create an appropriate policy for CID decisions. Each policy contains information about the source network (or a single IP), the destination network (or a single IP) and the service. When a packet arrives, CID first checks whether the incoming packet should be treated, or whether it can be forwarded to the next hop router (NHR). When one of the following two conditions is met, CID treats the packet:
• The packet's destination IP is the address of one of the CID farms; this indicates that the client is a configured client.
• There is a match between the packet's information (source IP, destination IP and application) and a predefined policy on CID.
If neither condition is met, CID routes (forwards) the packet according to the packet's Routing Table information.

Two types of policies are used:
• Farm based policy is used in a single farm network configuration.
• Cluster based policy is used in a network configuration that uses multiple farms.

Farm Related Features

CID provides a wide range of features to assist you to effectively build both basic and complex network configurations and redirection schemes. All features are farm-associated, enabling a fast and easy configuration, including:
• Content Based Policies, such as URL Match, HTTP Match and Token Match, defined by the Match Method parameter.
• URL Policies. See "Static URL Table" on page 4-14.
• Preferred Sites. See "Static URL Table" on page 4-14.
• Content Servers Definitions. See "Client Table Management" on page 4-37.
• Network Address Translation. See "Network Address Translation" on page 4-88.

Farm Based Policy

A farm based policy binds a farm to a network and a service. Configuring a farm policy involves the following steps:
1. Define a farm and assign servers to the farm.
2. Define a network.
3. Define a service (define a new service or select an existing service).
4. Set a farm policy.

Dispatch Methods

Dispatch Methods are the load balancing algorithms that determine how client requests are distributed between the servers in the farm. CID receives requests for service from clients and decides to which server to direct each request. During this process, CID finds the best server to provide the requested service. The criteria by which CID selects the best server are defined by the Dispatch Method. Criteria may vary for different applications, according to farm characteristics and users' needs; for example, the number of users is a significant factor for a Web farm, while the amount of traffic can be more important for an FTP farm. Dispatch Methods are defined only for new sessions; existing sessions are handled by the Client Table. You define the Dispatch Method during the process of CID Farm configuration.

The following Dispatch Methods are available on CID:
• Cyclic
• Fewest Number of Users
• Fewest Number of Users - Local
• Least Amount of Traffic
• Least Amount of Traffic - Local
• NT-1
• NT-2
• Private-1
• Private-2
• Destination Hashing
• Source Hashing
• HM Load Statistics
• WCCP

Cyclic. When the Cyclic Dispatch Method is defined, CID forwards the traffic dynamically to each server in a round-robin fashion.

Fewest Number of Users. Directs traffic dynamically to the server with the least number of users. When this method is selected, CID looks for the server with the fewest number of users only within the farm that is currently addressed by the client. Users of other farms are not considered. Note: The session number is defined by the active Client Table entries to this server.

Fewest Number of Users - Local. Directs users to the server with the fewest users, counting only the locally configured farm. This method can be used when the same servers participate in multiple farms. For example: Server 1 and Server 2 can provide service A and service B. These servers are used as part of Farm A to provide service A and as part of Farm B to provide service B. When the client's request for service A is sent to Farm A, which uses this Dispatch Method, CID looks for a server with the fewest number of requests for service A within the farm that is currently addressed by the client. The requests for service B that exist on the same servers are not considered by CID. Users of other farms are not considered.

Least Amount of Traffic. Directs traffic dynamically to the server with the least traffic. The amount of traffic is defined as packets per second (pps) from CID to the server and from the server to CID (back to the client), as recorded in the CID Client Table for all traffic forwarded to that server. A new request for service that is sent to CID is directed to the server with the least amount of traffic at that given time. When this method is selected, CID looks for the server with the least amount of traffic only within the farm that is currently addressed by the client. Traffic of other farms is not considered.

Least Amount of Traffic - Local. Directs users to the server with the least traffic, counting only the locally configured farm. This method can be used when the same servers participate in multiple farms. For example: Server 1 and Server 2 provide service A and service B. These servers are used as part of Farm A to provide service A and as part of Farm B to provide service B. When the client's request for service A is sent to Farm A, which uses this Dispatch Method, CID looks for a server with the least amount of traffic related to service A, and forwards the client's request to this server. CID considers only the traffic that is related to service A; the traffic related to service B on the same servers is not considered by CID. Traffic of other farms is not considered.

NT-1 and NT-2. When either method is selected, CID queries the farm's servers for Windows NT SNMP statistics and forwards the farm's clients to the least busy server according to the servers' reported statistics. You can select from a list of statistics. The parameters are considered according to the weights that you define in the first Windows NT weights scheme for NT-1 and in the second Windows NT weights scheme for NT-2. The ratios of users on the servers are balanced according to the statistics. Note: To use these Dispatch Methods, you need to configure the Windows NT scheme and set the weight of the statistics parameters. For configuration guidelines, see page 4-20.

Private-1 and Private-2. When either method is selected, CID queries the farm's servers for private SNMP parameters according to a predefined private weights scheme. You need to define which MIB variables are queried and to set the private weights scheme. The parameters are considered according to the weights that you define in the first private weights scheme for Private-1 and in the second private weights scheme for Private-2. The ratios of sessions on the servers are balanced according to the statistics. Note: To use these Dispatch Methods, you need to configure the Private scheme and set the weight of the statistics parameters. For configuration guidelines, see page 4-20.

Destination Hashing. CID selects a server for a session using a static hash function. A static hash function enables CID to choose the server for a session on the basis of the session's information. The input for the hash function is usually the client IP only; when Layer 7 policies are used, the hash is taken over the URL requested by the client. CID uses a deterministic algorithm to convert the URL or IP address of the site to a numerical value, which is assigned to a specific cache server. Hashing ensures that all requests for the same host name are sent to the same server, avoiding data replication among the proxy servers. This method is uncommon and can be used when several customers share the same cache server farm (POP) and it is required to maintain a URL requested by two clients, each of a different customer, on only one cache. This Dispatch Method also provides support for reverse proxy Web farms; for reverse proxy support this is done by hashing the URL requested by the client.

Source Hashing. Enables a sticky connection. Hashing provides persistency on the basis of the client IP address. CID uses a deterministic algorithm to convert the client IP address to a numerical value, which is assigned to a specific cache server: a formula is applied to the IP address and the output is a numeric value. For each request from the same client, CID applies the same formula and receives the same output number. This ensures that the same server within the farm is selected for all requests from the same client IP, so CID repeatedly directs requests from the same client to the same server within a farm. When the Hashing Dispatch Method is applied, the client is always directed to the same cache server if it is available.

HM Load Statistics. Enables Response Time load balancing. This method load balances the servers in the farm based on the least loaded server as calculated by the Response Level.

WCCP. WCCP (Web Cache Coordination Protocol) specifies interactions between Cisco routers and Web caches to establish and maintain the transparent redirection of selected types of traffic flowing through a group of routers. This method aims to optimize resource usage and lower response times. For more information on this feature, see Enhanced Cache Coordination, page 4-76.
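The Dispatch Methods above (Cyclic, the two Fewest Number of Users and two Least Amount of Traffic variants, Source Hashing and Destination Hashing) as an added example in Python; this is illustration code, not CID's code. Sessions and packets-per-second counters are modelled as what the Client Table would record per farm, the "Local" variants count only the farm being addressed while the plain variants count every farm a server belongs to, and the hash function (CRC-32 modulo the number of servers), the fallback when the hashed server is down, and all addresses are assumptions.

```python
"""Added example (not CID's own code): the Dispatch Methods above expressed
as server-selection functions over a farm.  Sessions and pps counters are
modelled as what the Client Table would record per farm; the 'Local'
variants count only this farm, the plain variants count every farm the
server participates in.  The hash (CRC-32 modulo the number of servers),
the fallback for an unavailable hashed server and all addresses are
assumptions for illustration."""
import itertools
import zlib
from dataclasses import dataclass, field


@dataclass
class Server:
    ip: str
    available: bool = True
    sessions: dict = field(default_factory=dict)   # farm name -> active sessions
    pps: dict = field(default_factory=dict)        # farm name -> packets/second

    def users(self, farm=None):
        return self.sessions.get(farm, 0) if farm else sum(self.sessions.values())

    def traffic(self, farm=None):
        return self.pps.get(farm, 0) if farm else sum(self.pps.values())


class Farm:
    def __init__(self, name, servers, method):
        self.name, self.servers, self.method = name, servers, method
        self._rr = itertools.cycle(range(len(servers)))   # round-robin pointer

    def _up(self):
        return [s for s in self.servers if s.available]

    def select(self, client_ip, url=None):
        """Pick a server for a NEW session; existing sessions stay in the
        Client Table and never come back here."""
        up = self._up()
        if not up:
            return None
        m = self.method
        if m == "Cyclic":
            for _ in range(len(self.servers)):
                s = self.servers[next(self._rr)]
                if s.available:
                    return s
        if m == "Fewest Number of Users":
            return min(up, key=lambda s: s.users())
        if m == "Fewest Number of Users - Local":
            return min(up, key=lambda s: s.users(self.name))
        if m == "Least Amount of Traffic":
            return min(up, key=lambda s: s.traffic())
        if m == "Least Amount of Traffic - Local":
            return min(up, key=lambda s: s.traffic(self.name))
        if m in ("Source Hashing", "Destination Hashing"):
            key = client_ip if m == "Source Hashing" else (url or "")
            idx = zlib.crc32(key.encode()) % len(self.servers)
            chosen = self.servers[idx]
            if chosen.available:
                return chosen            # persistency: same key, same server
            return up[idx % len(up)]     # hashed server down: deterministic fallback
        raise ValueError(f"unknown dispatch method {m!r}")


def demo():
    """Constructed state: both servers serve Farm A (service A) and Farm B (service B)."""
    s1, s2 = Server("130.0.0.1"), Server("130.0.0.2")
    s1.sessions, s1.pps = {"A": 5, "B": 40}, {"A": 100, "B": 900}
    s2.sessions, s2.pps = {"A": 8, "B": 0}, {"A": 300, "B": 0}
    servers = [s1, s2]
    out = {}
    out["users"] = Farm("A", servers, "Fewest Number of Users").select("192.1.0.5").ip
    out["users_local"] = Farm("A", servers, "Fewest Number of Users - Local").select("192.1.0.5").ip
    out["traffic"] = Farm("A", servers, "Least Amount of Traffic").select("192.1.0.5").ip
    out["traffic_local"] = Farm("A", servers, "Least Amount of Traffic - Local").select("192.1.0.5").ip
    cyc = Farm("A", servers, "Cyclic")
    out["cyclic"] = [cyc.select("192.1.0.%d" % i).ip for i in range(4)]
    sh = Farm("A", servers, "Source Hashing")
    out["sticky"] = len({sh.select("192.1.0.5").ip for _ in range(10)})
    dh = Farm("A", servers, "Destination Hashing")
    out["dest_hash"] = len({dh.select(ip, "www.site.com").ip for ip in ("192.1.0.5", "192.1.0.8")})
    return out
```

The constructed counters make the difference between the plain and "Local" variants visible: Server 1 is the quietest for service A on its own, but once its service B load is counted it is the busiest, so Farm A picks a different server depending on which variant is configured. The two hashing methods return one server for any number of requests with the same key.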
URL Table and Parameters

When a request for a Web page is handled by CID, the requested URL is entered in the URL Table. The URL entries allow CID to keep track of the cache servers storing the cached pages. The ability to monitor the requested URLs helps optimize the device performance by ensuring that requests are referred to the same cache server that already stores the information, instead of having another cache server fetch the information from a distant Web server. In addition, the URL Table prevents the duplication of information on several cache servers, effectively keeping server-site persistency.

The URL Table presents three usage modes:
• Use URL Table: Select this option when caching is required and previously cached site data is needed, which leads to better response time. This option should also be selected when reverse caching is required.
• Static Entries: The device forwards clients to the server if the entries are listed in the URL Table; otherwise the device forwards clients to the Internet (limited to transparent clients). This option should also be selected when URL policies are in use.
• Do Not Use URL Table: Select this option when previous visits to sites are irrelevant or when supporting sticky sessions such as sticky chat and distribution hashing.

Note: In some cases CID does not need to use the URL Table, for example when performing anti-virus load balancing.

For setting up the URL Handling options, refer to page 4-17.

Table 4-1 shows an example of a CID URL Table.

Table 4-1 CID URL Table Example
Requested URL | Requested Address | Server Address | Type | Last Activity Time | Number of Hits
www.cnn.com | 192.1.0.5 | 130.0.0.1 | Dynamic | 23 | 2
www.radware.com | 192.1.0.8 | 130.0.0.1 | Dynamic | 33 | 4
www.site.com | 192.1.0.20 | 130.0.0.2 | Dynamic | 12 |

Figure 4-2 illustrates the server direction configuration based on the URL Table information.

Figure 4-2 URL Table Based Server Direction Configuration (figure not reproduced): clients requesting www.cnn.com (192.1.0.5), www.radware.com (192.1.0.8) and www.site.com (192.1.0.20) pass through CID to the farm; requests for www.cnn.com and www.radware.com are directed to Server 1 (130.0.0.1) and requests for www.site.com to Server 2 (130.0.0.2).
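The URL Table of Table 4-1 as an added example in Python (illustration code, not CID's code): a lookup keyed by host name that sends a repeat request to the cache server already holding the site (server-site persistency), records a new host name as a Dynamic entry with the server the dispatch method chose, honours the three usage modes above, and periodically drops stale Dynamic entries by life time and hit count. The clock values, the thresholds, the cyclic stand-in for the dispatch method and the class names are assumptions.

```python
"""Added example (not CID's own code): a URL Table with the columns of
Table 4-1, used for server-site persistency.  A host name already in the
table is sent to the cache server that stored it; a new host name gets a
server from the farm's dispatch method (a simple round robin stands in for
it here) and is recorded as a Dynamic entry.  refresh() drops idle Dynamic
entries by life time and hit count.  Clock values, thresholds and names are
assumptions for illustration."""
import itertools
from dataclasses import dataclass


@dataclass
class UrlEntry:
    requested_url: str
    requested_address: str
    server_address: str
    entry_type: str          # "Dynamic" or "Static"
    last_activity_time: int
    number_of_hits: int = 0


class UrlTable:
    def __init__(self, servers, mode="Use URL Table"):
        self.entries = {}                   # host name -> UrlEntry
        self.mode = mode                    # Use URL Table | Static Entries | Do Not Use URL Table
        self._rr = itertools.cycle(servers) # stand-in for the farm's dispatch method

    def add_static(self, host, server, address="", now=0):
        """A URL policy entry: static, never refreshed away."""
        self.entries[host] = UrlEntry(host, address, server, "Static", now)

    def lookup(self, host, resolved_address, now):
        """Return the cache server for this request, or None when the request
        bypasses the farm (Static Entries mode and the host is not listed)."""
        e = self.entries.get(host)
        if e is not None and self.mode != "Do Not Use URL Table":
            e.last_activity_time = now
            e.number_of_hits += 1
            return e.server_address           # same server as before: persistency
        if self.mode == "Static Entries":
            return None                       # forwarded directly to the Internet
        server = next(self._rr)               # dispatch method picks a server
        if self.mode == "Use URL Table":
            self.entries[host] = UrlEntry(host, resolved_address, server, "Dynamic", now, 1)
        return server

    def refresh(self, now, life_time, min_hits):
        """Re-balancing: drop Dynamic entries idle for longer than life_time
        that have fewer than min_hits hits; Static entries are kept."""
        stale = [h for h, e in self.entries.items()
                 if e.entry_type == "Dynamic"
                 and now - e.last_activity_time > life_time
                 and e.number_of_hits < min_hits]
        for h in stale:
            del self.entries[h]
        return stale


def demo():
    """Constructed sequence of requests against a two-server farm."""
    t = UrlTable(["130.0.0.1", "130.0.0.2"])
    first = t.lookup("www.cnn.com", "192.1.0.5", now=10)
    again = t.lookup("www.cnn.com", "192.1.0.5", now=23)    # must hit the same server
    other = t.lookup("www.site.com", "192.1.0.20", now=12)
    hits = t.entries["www.cnn.com"].number_of_hits
    dropped = t.refresh(now=100, life_time=60, min_hits=2)  # site.com: idle, one hit
    return first, again, other, hits, dropped, sorted(t.entries)
```

The second request for www.cnn.com lands on 130.0.0.1 regardless of what the dispatch method would have picked, which is the whole point of the table; www.site.com, idle past its life time with a single hit, is the entry that refresh removes, while www.cnn.com survives on its hit count.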
This means that the content inspection is performed only for the sites which were registered and pre-paid for that service. From the main window click APSolute OS > Traffic Redirection > Redirection . Type the hostname or destination IP address of the URL for which you want to set a policy. To configure Static URL Table: 1. 4-14 CID User Guide . From the Redirection pane.Farm Management Static URL Table Typically. 2. When this approach is used. to upload URL policies from a file. Note: This field is not relevant if Direct or Blocked mode is configured. The file is uploaded to the device. 5. you must enable DNS support and configure DNS servers. Server Address: Type the IP address of the server to which the static URL is assigned. and then click Load. 6. 4. Load File Mode: See step 3.Chapter 4 . select the Load File Mode: Direct or Blocked. irrespective of the configured redirection mode. browse to the location of the required file and click Open. in the Load From File area. Optionally. • Note: To set Direct URL policies. In the Open window. Blocked: The CID does not cache the URL or connect the client.Basic Application Switching Mode: Select the policy mode: • • Direct: CID does not cache the URL. The connection is reset. Click Ok to exit all windows. CID User Guide 4-15 . but connects the client directly to it. Local Server: Assigns the URL to a specific cache server in the farm. CID changes the destination port. then before forwarding the request. When this port is the configured Multiplexed Farm Port. The Edit CID Farms window appears where you can set the parameters of the farm. select Traffic Settings and select an item from Multiplexed Farm Port dropdown list. click APSOlute OS > Traffic Redirection. 3. The Farm window appears 2. Note: Server Weight is not supported when the Cyclic Dispatch Method is selected in the farm to a particular server in the farm. To enable Multiplexed Farm Port: 1. From the main window double click on the CID icon. 
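The following is an added example, not CID's own code: a small Python model of the URL Table behaviour described above (dynamic entries per host name, the Enhanced URL Retrieval check on the Referer header, the static Direct / Blocked / Local Server policies, and the Add Forbidden Site and Refresh URL Status handling). The cache server addresses are those of Table 4-1; the policy host names and the "fewest host names" placement rule for new entries are assumptions made for the example.

```python
"""Added example (not CID's own code): a model of the URL Table described above.
Cache server addresses follow Table 4-1; policy host names, the placement rule
for new dynamic entries and the time unit are constructed for this example."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class UrlEntry:
    server: Optional[str]   # cache server address; None = send directly to the Internet
    entry_type: str         # "Dynamic" or "Static"
    last_activity: int
    hits: int = 0
    blocked: bool = False   # static "Blocked" policy: the connection is reset


class UrlTable:
    def __init__(self, cache_servers, policies=None,
                 enhanced_retrieval=True, add_forbidden_site=True):
        self.cache_servers = list(cache_servers)
        self.enhanced_retrieval = enhanced_retrieval
        self.add_forbidden_site = add_forbidden_site
        self.entries = {}   # host name -> UrlEntry
        # Static entries come from the URL Policies (Direct / Blocked / Local Server).
        for host, (mode, server) in (policies or {}).items():
            if mode == "Direct":
                self.entries[host] = UrlEntry(None, "Static", 0)
            elif mode == "Blocked":
                self.entries[host] = UrlEntry(None, "Static", 0, blocked=True)
            elif mode == "Local Server":
                self.entries[host] = UrlEntry(server, "Static", 0)
            else:
                raise ValueError(f"unknown policy mode {mode!r}")

    @staticmethod
    def host_of(url):
        return urlsplit(url).hostname

    def _least_loaded(self):
        # Assumption of the model: a new host name goes to the cache server
        # that currently holds the fewest dynamic host names.
        load = {s: 0 for s in self.cache_servers}
        for e in self.entries.values():
            if e.entry_type == "Dynamic" and e.server in load:
                load[e.server] += 1
        return min(self.cache_servers, key=load.__getitem__)

    def lookup(self, url, referer=None, now=0):
        """Return the forwarding decision for one client request."""
        host = self.host_of(url)
        entry = self.entries.get(host)
        if entry is None:
            server = None
            if self.enhanced_retrieval and referer:
                # Enhanced URL Retrieval: URL2 requested because of URL1 is
                # cached on the same server as URL1 (Referer check).
                ref = self.entries.get(self.host_of(referer))
                if ref is not None and ref.server is not None:
                    server = ref.server
            if server is None:
                server = self._least_loaded()
            entry = self.entries[host] = UrlEntry(server, "Dynamic", now)
        entry.hits += 1
        entry.last_activity = now
        if entry.blocked:
            return ("Blocked", None)      # reset the connection
        if entry.server is None:
            return ("Direct", None)       # client goes straight to the Internet
        return ("Cache", entry.server)

    def on_response(self, url, http_status):
        """Add Forbidden Site: after a 403 reply, future requests bypass the caches."""
        entry = self.entries.get(self.host_of(url))
        if (self.add_forbidden_site and http_status == 403
                and entry is not None and entry.entry_type == "Dynamic"):
            entry.server = None

    def refresh(self, now, url_life_time):
        """Refresh URL Status: drop dynamic entries idle longer than URL Life Time."""
        stale = [h for h, e in self.entries.items()
                 if e.entry_type == "Dynamic" and now - e.last_activity > url_life_time]
        for h in stale:
            del self.entries[h]
        return stale


def demo():
    """Walk the page's example: cnn.com (URL1) pulls in an advertisement (URL2)."""
    policies = {"www.blocked.example": ("Blocked", None),            # constructed
                "www.preferred.example": ("Local Server", "130.0.0.2")}
    table = UrlTable(["130.0.0.1", "130.0.0.2"], policies)
    d1 = table.lookup("http://www.cnn.com/index.html", now=1)
    d2 = table.lookup("http://ads.example/banner.gif",
                      referer="http://www.cnn.com/index.html", now=2)
    d3 = table.lookup("http://www.site.com/", now=3)
    table.on_response("http://www.site.com/", 403)      # site forbids the cache
    d4 = table.lookup("http://www.site.com/", now=4)
    return table, [d1, d2, d3, d4]
```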
Port Multiplexing

Port Multiplexing is a port address translation that allows CID to accept traffic destined to a specific port and translate that traffic to a different port before forwarding it to a server farm. The process of the address translation includes the following stages:

1. The client sends the request for service using a destination port of the farm, for example HTTP port 80.
2. When client requests for service are destined to a configured Multiplexed Farm Port, CID changes the destination port of the request to the configured Multiplexed Server Port before forwarding the request to the selected server. The new destination is configured according to the predefined Multiplexed Server Port parameter.

Configuring Farms

Farm Configuration Guidelines:

1. From the main window, double click on the CID icon. The CID Connect to Device window appears. Type the device's IP address and click Ok.
2. From the main window, select APSolute OS > Traffic Redirection > Farms > Add. The CID Traffic Redirection window appears. Click the Farms tab. The Farms pane appears. Click Add.

To configure global URL Handling parameters:

1. From the main window, double click on the CID icon. The CID Setup window appears.
2. In the Setup window, select Global. The Global pane appears.
3. In the Setup window Global tab, select the URL Handling Settings radio button and click Edit Settings. The CID URL Handling window appears. The URL settings parameters are listed with their default values.
4. From the CID URL Handling window, set the following parameters according to the explanations provided:

URL Life Time: The period for which URLs remain listed in the URL Table.
URL Connection Limit: The maximum number of users that can be directed to a server for a service provided by the farm.
Refresh URL Status: Enables or disables URL refreshing, which periodically cleans the URL Table based on the defined Life Time and number of hits.
Refresh Interval: Defines the frequency of refresh.
Add Forbidden Site to URL Table: When this feature is enabled, CID inserts into the URL Table the URLs of sites from which an HTTP reply of 403 (Forbidden) has been received. CID then sends future requests for these URLs directly to the Internet and not to the Cache Server. Through this process CID allows for the possibility that, though the client may access a site, the Cache Server may be denied.
Enhanced URL Retrieval: Enables or disables checking of the URL referral field in the HTTP header, see page 4-13.
Re-balancing: Enables or disables URL Balancing, which balances the number of host names, by hits, on each cache server.
Re-balancing Ratio: When this ratio is reached (meaning a disparity between the number of host names), URL balancing begins.
Re-balancing Threshold: When this threshold is reached (meaning the difference between the number of host names on servers), re-balancing begins.
Re-balancing Algorithm: The host names to transfer are chosen in chronological order on a First Found basis.
Re-balancing Interval: Defines the frequency of URL Balancing.
Remove Entry at End of Session: Enables or disables the configuration of the Client Table.
• Remove: The client entry is cleared from the Client Table at the end of the session (TCP FIN or RST flag). This is the default and the recommended mode for this feature.
• Leave: The client entry remains in the Client Table at the end of the session.
Client Table Hash Mode: Enables or disables configuration of the hash function to allow "sticky client".
• IPandPort: Enables the regular hashing function based on the client's IP address and source port. This means that packets sent from a single IP address, but using different source ports, are sent to different servers based on the decisions of the device. This is the default and the recommended mode for this feature.
• IPOnly: Enables the Sticky Client Support by performing the hash function based on the client's IP address only. This means that all packets from this IP address, regardless of the source port, are sent to the same server.

5. Click Apply and OK to close the window.
6. Reboot the device in order to implement the URL handling definitions.

Configuring Dispatch Methods

Dispatch Method Configuration Guidelines:

1. From the main window, click APSolute OS > Traffic Redirection. The CID Traffic Redirection window appears.
2. From the main window, double click on a farm (previously created). The Edit CID Farm window appears.
3. From the Edit CID Farm window, select Traffic Settings and, from the Dispatch Method dropdown list, select the dispatch method.
Note: Ensure that Use URL Table is selected in the Use URL Table field.
4. Define the parameters for the selected method, and click Ok to apply the settings. The selected farm will apply the defined dispatch method.

Configuration Guidelines for NT-1, NT-2, Private-1, Private-2

The NT-1, NT-2, Private-1 and Private-2 dispatch methods include load balancing parameters; consequently their configuration involves additional steps.

1. From the main window, add a CID device and assign a relevant IP Address.
2. Follow steps 1-3 of the general dispatch method configuration.
3. From the Edit CID Farm window, select Traffic Settings and, from the Dispatch Method dropdown list, select the dispatch method NT1 or NT2. The Load Balancing option button is enabled.
4. Click Load Balancing. The CID Load Balancing Algorithms window appears. Default parameter values are displayed. The Scheme field in the Windows NT tab shows the selected dispatch method. The parameters for these methods are defined in the Private tab of the CID Load Balancing Algorithms window. Click Ok again to exit the Edit Farm window.
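The following is an added example, not CID's own code: a Python model of the Client Table showing how the Client Table Hash Mode (IPandPort versus IPOnly), Remove Entry at End of Session (TCP FIN or RST) and Port Multiplexing (farm port 80 translated to server port 8080) parameters described above behave for a sequence of packets. The hash function, the aging value and the client addresses are constructed for the example; CID's actual hash is not described on this page.

```python
"""Added example (not CID's own code): a model of the Client Table with the
Client Table Hash Mode, Remove Entry at End of Session and Port Multiplexing
parameters. The hash function and aging value are simplifications made for
this example; addresses follow the tables of this chapter."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_port: int
    fin: bool = False
    rst: bool = False


@dataclass
class ClientEntry:
    server: str
    source_port: int
    dest_port: int      # port the client used (the farm port)
    server_port: int    # port the request is forwarded to after multiplexing
    attached_time: int  # starts at the Aging Time and counts down


class ClientTable:
    def __init__(self, servers, hash_mode="IPandPort", remove_entry_at_end="Remove",
                 multiplexed_farm_port=None, multiplexed_server_port=None,
                 aging_time=600):
        assert hash_mode in ("IPandPort", "IPOnly")
        assert remove_entry_at_end in ("Remove", "Leave")
        self.servers = list(servers)
        self.hash_mode = hash_mode
        self.remove_entry_at_end = remove_entry_at_end
        self.mux = (multiplexed_farm_port, multiplexed_server_port)
        self.aging_time = aging_time       # constructed default for the example
        self.entries = {}                  # (client IP, source port) -> ClientEntry

    def _hash_server(self, pkt):
        # Toy hash for the example: the IP as an integer (plus the source port
        # in IPandPort mode) modulo the number of servers.
        key = int(ipaddress.IPv4Address(pkt.src_ip))
        if self.hash_mode == "IPandPort":
            key += pkt.src_port
        return self.servers[key % len(self.servers)]

    def _server_port(self, dst_port):
        farm_port, server_port = self.mux
        return server_port if dst_port == farm_port and server_port else dst_port

    def forward(self, pkt):
        """Return (server, destination port) with which the packet is forwarded."""
        key = (pkt.src_ip, pkt.src_port)
        entry = self.entries.get(key)
        if entry is None:                        # new session: the hash decides
            entry = ClientEntry(self._hash_server(pkt), pkt.src_port, pkt.dst_port,
                                self._server_port(pkt.dst_port), self.aging_time)
            self.entries[key] = entry
        else:                                    # existing session: persistency
            entry.attached_time = self.aging_time
        decision = (entry.server, entry.server_port)
        if (pkt.fin or pkt.rst) and self.remove_entry_at_end == "Remove":
            del self.entries[key]                # end of session detected
        return decision

    def reply_source_port(self, entry_key):
        """Source port of the server's reply as the client sees it (translated back)."""
        return self.entries[entry_key].dest_port

    def server_down(self, server):
        """A server becoming unavailable clears all of its entries."""
        gone = [k for k, e in self.entries.items() if e.server == server]
        for k in gone:
            del self.entries[k]
        return len(gone)

    def age(self, seconds):
        """Count down Attached Time; entries reaching 0 are aged out."""
        for k in list(self.entries):
            e = self.entries[k]
            e.attached_time -= seconds
            if e.attached_time <= 0:
                del self.entries[k]
```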
Note: For Private 1 and 2 the configuration procedure is the same.

Configuring Content Based Rules

The URL Table is configured from the Content Based Rule field, which is accessible from the Edit CID window.

To configure a Content Based Rule:

1. From the main window, click Add and from the dropdown menu add a CID device. Double click the CID device icon and, from the CID Connect to Device window that appears, assign an IP Address to the device, then click Ok.
2. From the main window, click APSolute OS > Traffic Redirection. The CID Traffic Redirection window appears.
3. From the CID Traffic Redirection window, select the Farms tab.
4. From the Farms table, double click the farm (previously created). The Edit CID Farm window appears.
5. From the Edit CID Farm window, select the Traffic Settings tab.
6. From the Content Based Rule dropdown menu, select the relevant rule according to the URL Table parameters as explained in Table 4-2 on page 4-22.
Note: Ensure that the Use URL Table option is selected in the Use URL Table field.
7. Click Apply and Ok to exit the window. The farm information is updated in the CID Traffic Redirection Farms Table. Click Ok to apply the setup.

Table 4-2 lists the Content Based Rules and provides their short descriptions.

Table 4-2 CID Content Based Rules

Address: Sessions are evaluated according to the packet's destination IP address from the client to the Internet. If the destination IP address is a known address and is registered in the URL Table, CID redirects the packet to the indicated server. If the destination is a new IP address, CID chooses a server, redirects the session, and registers the new address in the URL Table. When working in this mode, CID performs load balancing decisions for the client traffic based on the client's source IP and destination port. For example, if a user arrives with source IP 192.1.1.1 and destination port 80, CID handles all subsequent requests from that client to port 80 the same way.

Host Name: CID checks the HTTP data of the sessions and identifies the host name for the request (such as www.company.com). Requests for known host names are redirected to the server that was chosen for this host name. If the session carries a new host name, a new server is chosen, the session is redirected, and a new entry is made into the URL Table. The URL Table entries are host names and not IP addresses. When working in this mode, CID performs delayed binding.

URL Match: CID can enforce predefined policies: Direct, Block or Local Server. When CID uses the URL Match table mode, decisions are made based on the URL, or part of it, and CID treats the requested URI in one of the three manners. For example, CID can search for CGI-BIN scripts and forward those requests directly to the Internet. It can also search for ".vbs" in the Get Request and block such traffic. When working in this mode, CID performs delayed binding.

HTTP Match: CID can redirect requests based on the HTTP header, the request method itself (GET, POST), the destination host, the HTTP request contents, or additional message headers. Headers contain additional information about the request, such as browser type, connection type (persistent or not) and cookies. Based on the URI (a CID search of the HTTP GET request for specific information), if the administrator wishes to direct a category of clients (for example, Netscape users) to a specific cache server, he can direct them to the Internet, or block users with certain characteristics. When working in this mode, CID performs delayed binding.

MIME Type: MIME (Multipurpose Internet Mail Extensions) is a specification for formatting non-ASCII messages, so that they can be sent over the Internet and displayed by a client-side application (such as an e-mail application or a Web browser). Some Content Security servers use security policies based on MIME Types. Some MIME Types are considered 'trusted', and the Content Server does not need to process them. CID enables high throughput by defining traffic redirection policies based on MIME Type, so that only distrusted data is forwarded to the Content Servers, hence saving processing power. The MIME Type rule should be used for load balancing anti-virus servers.

P2P: Supports Peer-to-Peer (P2P) sharing technology, which enables individual Kazaa users to connect to each other directly, without the need for a central point of management. CID supports caching of Kazaa v1 and Kazaa v2.

Section 4-2 Server Management

Section 4-2, Server Management, presents the server management features. This section includes the following topics:

• Servers Overview, page 4-26
• Physical Servers, page 4-31

Servers Overview

Farm servers are logical entities that are associated with application services provided by physical servers that run these applications. Farm server parameters are configured per farm and per server and control the process of providing a particular service. Physical server configuration is performed for each Server Name, and applies to all farm servers on the same CID with the same name. All farm servers with the same server name are considered by CID as running on the same physical server. In that way, in case one of the services provided by a physical server is not available, other services can still be used.

The process of adding and configuring servers in the CID farm consists of two main stages:

1. Configure the physical server's parameters
2. Configure the farm server's parameters

This is done using APSolute Insite after the actual installation of the physical server is performed.
Server Configuration Guidelines:

1. Adding physical servers
2. Setting up farm servers

Adding physical servers means adding the hardware elements to the network and defining them as servers. Configuring farm servers means organizing the servers the way you use their services. Each service is associated with a farm. For each service provided by a physical server, you can define a farm server and attach it to the farm that provides this service. A physical server that provides multiple services may participate in multiple farms. In each farm this physical server is represented by a unique farm server that provides one specific service. To enable tracking of all the farm servers associated with the specific physical server, farm servers are organized in groups, identified by the server name, implying they all run on the same machine.

Server Types

Server types are:

• Regular: A local server, which is the default server type.
• Local Triangulation: A local server that has the feature enabling it to send the response from the server directly to the client, bypassing CID.

Server Parameters

• Server Description: A free text field that allows you to type a description for each server. The Server Description can be up to 80 characters long.
• Server Weight: The weight of a server in a farm is the server's priority, or the server's importance. You can define that a particular server in a farm has more weight than other servers, and you can define its own load balancing scheme and customized health checks. This means that more traffic is forwarded to this server than to other servers. Server weights operate as ratios. For example, if the Least Amount of Traffic method is used, the weights determine the ratio of the amount of traffic between the servers; when the Dispatch Method is set to Least Number of Users, the weights determine the ratio of the number of users between the servers. A server with weight 2 receives twice the amount of traffic as a server with weight 1. The weight ranges from 1 to 10,000. The default weight is 1.
Note: Server Weight is not supported when the Cyclic Dispatch Method is selected in the farm.
• Connection Limit: Connection Limit is the maximum number of users that can be directed to a server for a service provided by the farm. The number of users depends on the Sessions Mode, because it is determined by the number of active entries in the Client Table for sessions destined to the specific server. When the Regular mode is selected, all the requests for service from a single client IP destined to the same server are reflected by a single entry in the Client Table. When the Entry Per Session or Server Per Session modes are selected, the number of active entries destined to the same server is higher than in the Regular mode. When the limit is reached, the status of the logical server is set to No New Sessions. The default value for the Connection Limit parameter is 0. When this parameter is configured to 0, this mechanism is disabled for this server and there is no user number limit.
• Connection Limit Exception: The Connection Limit parameter can be exceeded, for example, when using the Entry Per Session Sessions Mode or the Client Grouping Mask feature. To enable exceeding of the Connection Limit parameter, you can enable the Connection Limit Exception parameter, which defines how CID behaves when there is a conflict between the Connection Limit and the persistency scheme. This applies in case an existing client opens a new session and, according to the Sessions Mode, the session uses the same server. The Connection Limit Exception parameter is defined for each farm. The default value is No Limit.
• Bandwidth Limit: Bandwidth Limit is the maximum amount of bandwidth in Kbps allowed for this application server. If traffic through that server exceeds the configured limit for any given second, CID drops excess packets. On a per farm basis CID can be configured with an upper threshold for Kilobytes per second (Kbps) for that farm. If traffic through that farm exceeds the configured limit for any given second, CID drops excess packets. The default value is 0. A value of 0 means that there is no bandwidth limit.
Note: The limit is measured in Kbps, so 1 Mbps is represented with a bandwidth limit of 1000.
• Response Threshold: Using Farm connectivity checks with HTTP Page check, the Response Threshold parameter defines the number of milliseconds in which the server may reply to the GET command. When the server's reply takes longer.
• Client NAT: Using the Client NAT parameter, you can enable the Client NAT feature for the given farm server. Using Client NAT for a server means that CID hides the source IP addresses of clients that access the server in the farm. For a detailed description of this feature, see Network Address Translation, page 4-88.
• Admin Status: Admin Status is the user defined management status of the server, which you can change at any stage of the server's configuration or operation. The following options are available:
• Enabled: The server is active and ready to reply to new requests for service.
• Disabled: The server is not active. When setting the Admin Status to Disabled, CID removes all the entries relevant to this server from the Client Table, stops sending new requests for service to this server and disconnects all the connected clients.
• Shutdown: The server cannot get new requests for service. The existing sessions are completed according to the Aging Time.
Tip: Before performing maintenance procedures, set the Shutdown Admin Status. You can start maintenance procedures after completion of the active sessions.
• Operation Mode: A farm server can be configured to have one of the following operational modes:
• Regular: The server's health is checked and, as long as it is available, the server is eligible for receiving client requests. This is the default operation mode.
• Backup: The server's health is checked, but the server does not receive any client requests. The server becomes eligible for client requests when all the servers in the Regular mode have failed. Backup servers configured on the farm level are activated only when all the active servers are down.
Note: You can also set a server to provide backup for a specified server, see Backup Server Address.

To enable Connection Limit Exception:

• From the main window, click Traffic Redirection > Edit CID Farm. The Edit CID Farm window appears.
• From the Edit CID Farm window, select the Traffic Settings tab and then select the Connection Limit Exception checkbox.

To define Bandwidth Limit for a farm:

• From the main window, click APSolute OS > Traffic Redirection > Edit CID Farm. The Edit CID Farm window appears.
• From the Edit CID Farm window, click on Traffic Settings, then set the Bandwidth Limit parameter.

Physical Servers

Physical servers are hardware units configured to operate as an integral part of the network. Before setting up a physical server, you must connect the server to the CID device on the hardware level. Once hardware connections are completed, you can start adding physical servers to the APSolute Insite map. Adding a new server to a farm using a Server Name that was already defined in another farm implies that it is the same physical server. The Server Name defines the name of the farm servers group that is associated with this physical server. The parameters of the physical server are defined globally and are applied to all the farm servers that use the physical server. Table 4-3 describes the physical servers' setup parameters.

Recovery Time: When a server's operational status is changed from inactive to active (dynamically or administratively), the server is not eligible to receive client data for this period of time. Once the recovery time elapses, the server becomes eligible for receiving client requests. When this value is 0, the server is eligible immediately after changing operational status from inactive to active. This parameter applies to all servers in all farms that share the same Server Name.
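The following is an added example, not CID's own code: a Python model of how the farm-server Weight, Connection Limit, Connection Limit Exception, Admin Status and Recovery Time parameters described above interact when a farm dispatches new sessions with Least Number of Users. The weighting rule (lowest users-to-weight ratio), the fallback taken when persistency conflicts with the Connection Limit, and the client addresses are assumptions of this model rather than documented CID internals.

```python
"""Added example (not CID's own code): a model of farm-server Weight, Connection
Limit, Connection Limit Exception, Admin Status and Recovery Time under a
Least Number of Users dispatch. The weighting rule and the persistency fallback
are assumptions of the model; client addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class FarmServer:
    name: str
    weight: int = 1                 # 1 to 10,000 (default 1); weights are ratios
    connection_limit: int = 0       # 0 (default) = no user limit
    recovery_time: float = 0.0      # seconds ineligible after coming back up
    admin_status: str = "Enabled"   # Enabled | Disabled | Shutdown
    active: bool = True             # health-check result
    eligible_at: float = 0.0        # time at which the Recovery Time has elapsed
    sessions: list = field(default_factory=list)   # active Client Table entries


class Farm:
    def __init__(self, servers, connection_limit_exception=False):
        self.servers = {s.name: s for s in servers}
        self.connection_limit_exception = connection_limit_exception
        self.persistency = {}       # client IP -> server name

    def status(self, s, now):
        if s.admin_status == "Disabled" or not s.active:
            return "Down"
        if s.admin_status == "Shutdown":
            return "Shutdown"        # open sessions complete, no new requests
        if now < s.eligible_at:
            return "Recovering"      # Recovery Time has not elapsed yet
        if s.connection_limit and len(s.sessions) >= s.connection_limit:
            return "No New Sessions"
        return "Active"

    def set_active(self, name, active, now):
        """Health-check transition; inactive -> active starts the Recovery Time."""
        s = self.servers[name]
        if active and not s.active:
            s.eligible_at = now + s.recovery_time
        s.active = active
        if not active:               # an unavailable server loses its entries
            s.sessions.clear()
            for ip in [ip for ip, n in self.persistency.items() if n == name]:
                del self.persistency[ip]

    def _least_users(self, now):
        # Assumption: weighted Least Number of Users picks the lowest
        # users/weight ratio, so weight 2 carries twice the users of weight 1.
        ok = [s for s in self.servers.values() if self.status(s, now) == "Active"]
        return min(ok, key=lambda s: len(s.sessions) / s.weight) if ok else None

    def new_session(self, client_ip, session_id, now=0.0):
        """Choose a server for a new session (Entry Per Session counting)."""
        chosen = None
        if client_ip in self.persistency:          # persistency scheme first
            s = self.servers[self.persistency[client_ip]]
            st = self.status(s, now)
            if st == "Active" or (st == "No New Sessions"
                                  and self.connection_limit_exception):
                chosen = s      # the exception lets the limit be exceeded
        if chosen is None:      # assumed fallback: take a fresh decision
            chosen = self._least_users(now)
            if chosen is None:
                return None
        chosen.sessions.append((client_ip, session_id))
        self.persistency[client_ip] = chosen.name
        return chosen.name


def demo_weights():
    """Weight 2 beside weight 1: six constructed clients split 4 to 2."""
    farm = Farm([FarmServer("Server 1", weight=2), FarmServer("Server 2")])
    picks = [farm.new_session(f"10.0.0.{i}", 1) for i in range(1, 7)]
    return {name: picks.count(name) for name in farm.servers}


def demo_connection_limit(exception):
    """Server 1 limited to 2 entries; a returning client's new session stays
    on it only when Connection Limit Exception is enabled."""
    farm = Farm([FarmServer("Server 1", connection_limit=2), FarmServer("Server 2")],
                connection_limit_exception=exception)
    for i in range(1, 5):
        farm.new_session(f"10.0.0.{i}", 1)
    return farm.new_session("10.0.0.1", 2), len(farm.servers["Server 1"].sessions)


def demo_recovery():
    """Server 1 fails, comes back at t=10 with a 30 s Recovery Time and is
    eligible again from t=40; Server 2 carries the traffic meanwhile."""
    farm = Farm([FarmServer("Server 1", recovery_time=30), FarmServer("Server 2")])
    farm.set_active("Server 1", False, now=0)
    first = farm.new_session("10.0.1.1", 1, now=0)
    farm.set_active("Server 1", True, now=10)
    second = farm.new_session("10.0.1.2", 1, now=20)
    third = farm.new_session("10.0.1.3", 1, now=45)
    return [first, second, third]
```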
Table 4-3 Physical Server Parameters

Server Name: The physical server name.
Warm-up Time: The time, in seconds, after the server is up, during which clients are sent slowly to this server so that the server can reach its capacity gradually. CID internally raises the weight of the server for this period of time, at the end of which the server's weight reaches the pre-configured weight. When this parameter is set to 0 (default), the server performs activation at full weight upon a change in operational status from "inactive" to "active" and after waiting the Recovery Time.
Connection Limit: The maximum number of Client Table entries that can run simultaneously on the physical server, depending on the farm's Sessions Mode. When the limit is reached, new requests for service are no longer directed to this server, but all open sessions are continued. When this parameter is configured to 0 (default), this mechanism is disabled for this physical server and there is no user number limit. The total number of active sessions that run simultaneously on the farm servers must not be higher than the physical server's Connection Limit.
Note: When configuring Connection Limit for the physical server, ensure that this value in the farm servers with the same Server Name is lower than or equal to the Connection Limit in the physical server.
Note: This option is not applicable for farm servers when using the Cyclic Dispatch Method.
IP Address: The IP addresses of the server. For each farm server associated with this physical server, you define an IP address.
Global Server (checkbox): Enables this server to be available to other remote CID devices to provide a Global load balancing solution architecture.

To add a server to a farm:

1. From the main window, from the CID toolbar, select Traffic Redirection. The CID Traffic Redirection window appears.
2. From the Traffic Redirection window, click Farms. The Farms pane appears.
3. Add a farm to CID:
a. From the Farms pane, click Add. The Edit CID Farm window appears.
b. From the Edit CID Farm window, set the following parameters according to the explanations provided:
Device: CID
Farm Name: (For example) Farm 1
VIP Address: Type the VIP address
Active Farm: Selected
Mode: Active
c. Click Ok. The Edit CID Farm window closes and a new farm appears in the Farms table.
4. From the main window, click Add and from the dropdown menu select a local server. Double click the server icon. The Server window appears. From the Server window, set the following parameters for the physical server according to the explanations provided:
Server Name: (For example) Server 1
IP Address: Add an IP address
5. Add a farm server to the farm:
a. From the Farms pane, select the farm that you have created and click Edit. The Edit CID Farm window appears.
b. From the Edit CID Farm window, click Farm Servers, then click Add. The CID Farm Servers window appears.
c. From the CID Farm Servers window,
set the following parameters according to the explanations provided:
Server Name: Server 1
Type: Regular
Admin Status: Enabled
Server Address: The address of the server
Operation Mode: Regular
d. Click Ok. The CID Farm Servers window closes and the new server appears in the Farm Servers table.
6. Set up the physical server parameters:
a. From the APSolute Insite network map, double click the server's icon. The Server window appears.
b. From the Settings tab, set the parameters of the physical server as explained in Table 4-3, and click Ok to apply.

Multiplexed Farm/Server Port

Port Multiplexing is a port address translation that allows CID to accept traffic destined to a specific port and translate that traffic to a different port before forwarding it to a server farm. The process of the address translation includes the following stages:

1. The client sends the request for service using a destination port of the farm, for example HTTP port 80.
2. When client requests for service are destined to the configured Multiplexed Farm Port, CID changes the destination port of the request to the configured Multiplexed Server Port before forwarding the request to the selected server. The new destination is configured according to the predefined Multiplexed Server Port parameter. When this port is the configured Multiplexed Farm Port, then before forwarding the request CID changes the destination port to a particular server in the farm, for example from port 8080 to port 80.
3. When the response is sent from the server to the client, CID changes the source port back to the farm's port.

For Multiplexed Farm / Server Port there are pre-defined values: FTP, SMTP, NNTP, HTTP, DNS, HTTPS, Disable, or any port number. The default value is Disable, meaning port multiplexing is not used for the server. For example, the Farm port is 80 and it is defined during the farm configuration process; the Server port is 8080 and it is defined during the server configuration process.

Multiplexed Farm Port Configuration Guidelines:

1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. From the Traffic Redirection window, select the Farms tab, select the farm to configure and click Edit. The Edit CID Farm window appears.
3. From the Edit CID Farm window, select the Multiplexed Farm Port for the farm.
4. Click the Farm Servers tab, edit each server in the farm, then select the Traffic Settings tab and edit the Multiplexed port.

Section 4-3 Server Load Balancing

Section 4-3, Server Load Balancing, describes the farm-related CID features designed to maximize utilization of the existing network resources when providing various services. This section includes the following topics:

• Client Table Management, page 4-37
• Content Servers Overview, page 4-39
• Alias Port, page 4-50
• Sticky Clients Support, page 4-51
• Server Health Check, page 4-52

Client Table Management

To maintain client-server persistency in a CID farm, CID uses the Client Table. This table keeps track of the client-server connections for each of the local farms. When a client first approaches a CID farm, a server is selected according to the load balancing considerations that are defined by the Dispatch Method. An entry is made into the Client Table indicating the selection of the server. Once an entry is created in the Client Table, all subsequent packets that arrive from the client to the CID farm are forwarded to the server indicated in the Client Table entry, irrespective of load balancing considerations. The traffic in the opposite direction.

If the packet has to be treated by CID, CID first searches the Client Table to check whether this is a new session or an existing session. CID checks whether an entry for this client already exists in the Client Table:

• If the appropriate entry is found, there is no need to make a load balancing decision. In this case, the client is directed to the server that appears in the Client Table.
• If an entry does not exist, a server is selected according to the load balancing considerations that are defined by the Dispatch Method.

Configuring Client Table

The Client Table provides information about the way a client is sent to the server. You may need to ensure that certain clients always access a specific server on the server farm. You can configure such clients using the Client Table window. For an existing session, there is no need to make a load balancing decision.

The following table shows an example of Client Table information (the Server Port differs from the Destination Port if Port Multiplexing is used, for example):

Farm Address   Client Address   Server Address   Source Port   Destination Port   Server Port   Attached Time
1.0.0.1        192.0.0.5        130.0.0.1        1062          80                 8080          234
1.0.0.1        192.0.0.8        130.0.0.1        1011          80                 8080          332
1.0.0.2        192.0.0.20       130.0.0.2        1079          80                 8080          643

Figure 4-3 displays a farm configuration according to the Client Table example.

[Figure 4-3 Client Table Configuration: clients 192.0.0.5 (www.site.com), 192.0.0.8 (www.cnn.com) and 192.0.0.20 (www.radware.com) reach Server 1 (130.0.0.1) and Server 2 (130.0.0.2) through the CID farm addresses 1.0.0.1 and 1.0.0.2.]

When a session is already established, CID updates the Attached Time in the Client Table and sends the client to the same server that serves the client. The value of the Attached Time parameter is equal to the value of the Aging Time parameter. However, when one of the following conditions is met, CID removes the entry from the Client Table:

• One of the servers within a farm becomes unavailable.
• The Remove Entry at Session End flag is set to Remove under the CID tweaks. This removes the session when CID detects a FIN or RST packet.

For the explanation of these parameters, see page 3-14.

Content Servers Overview

CID is designed to load balance content servers, such as cache servers, anti-virus servers, URL filters and others; in most cases these servers are bottlenecks in the network due to their limited processing power. CID intelligently directs sessions to the most available server, sending repeated requests for the same site to the same cache server when it load balances cache servers. Because CID transparently intercepts Internet-bound traffic and intelligently load balances the traffic between the content servers, users do not need any browser configuration to direct them to a "proxy" server. To facilitate users who need to operate non-transparently, CID provides a Virtual IP address for the content farms. User traffic that is distributed among these content servers can be heterogeneous. Many kinds of content servers are in use and each vendor uses a different operation method.

Server Types

CID supports several types of content servers. All server types may be configured in the regular mode (using their own IP address) or spoofed mode (using the client's IP address), including:

• Gateway: A Gateway is a server that uses two interfaces: the interface that receives, processes and forwards the traffic, and the interface that the traffic is forwarded to. The name of the gateway server indicates its location in the network topology. When using gateways, the Content server uses two interfaces and routes the traffic from one interface to another. Gateways need to be part of the traffic flow. When CID load balances gateways, it moves the servers from the traffic flow and also ensures that the packet that leaves the second interface of the selected server returns to the same server.
Each server can be installed in a one-leg configuration or in a two-leg configuration.
• Transparent Server: A server that serves the clients transparently, and the client's requests remain unchanged. When CID forwards traffic to a transparent server, it sends the traffic to the server's MAC address, while the destination IP is the IP address of the real site, and the server uses the client's IP address as the source IP (spoofing).
• Regular Server: A server that serves the clients non-transparently. The clients have to send the requests to the IP address of the server and to the MAC address of the server. CID sends the packet to the MAC address of the server.
• Cache Server: A proxy server that stores and forwards Web pages. When a client configures the Web browser to use a cache server, the client's browser does not connect to the requested Web server on the Internet; instead, the client's browser connects to the cache server and asks it to get the URL for the client. When a cache server receives a request for an Internet service (it can be a request for a Web page or a file download using FTP) from a user, the cache server looks in its local cache of previously downloaded Web pages. If the page is found, the cache server returns it to the user without having to retrieve the content from the Internet. If the page is not in the cache, the cache server acts on behalf of the client, using one of its own IP addresses (or the client's IP address, for cache servers that support spoofing) to request the page from a server out on the Internet. When the page is returned, the cache server forwards it to the user who made the initial request. When a non-transparent proxy server is in use, the clients have to configure their browsers to use a proxy server. The requests are sent to the proxy server using the protocol that this proxy server supports. For HTTP, the clients send their requests directly to the proxy server, which then fetches the content on behalf of the client. For POP3, the users have to configure their mail client to use a proxy server as their POP3 server, and to send the real mail server along with their username using a special delimiter. When CID load balances proxy servers, it can automatically transform the requests to a proxy form, so the clients do not have to change their configuration.
• Content Server: A server, such as anti-virus or URL filtering, that has the ability to check the content up to Layer 7 to search for a specific content and block it. A Content server can also operate as a proxy server without the caching capabilities. With that method, the anti-virus servers can be installed as a gateway, or the server can have a single interface.
• Physical Server: A physical server is a hardware unit configured to operate as an integral part of the network. Before setting up a physical server, you must connect the server to the CID device on the hardware level. Once hardware connections are completed, you can start adding physical servers to the APSolute Insite map. The parameters of the physical server are defined globally and are applied to all the farm servers that use the physical server.

CID supports all vendors and types of content servers.

Configuring Servers

To add a server to a farm:

1. From the main window, click Add and from the dropdown menu add a local server.
2. Double click the Server icon. The Server window appears.
3. From the Server window, define the server and set its physical parameters according to the explanations provided:
Server Name: Type the name for the server, for example: Server 1.
Admin Status: Check to enable.
Recovery Time: Type the value (in seconds).
Warm Up Time: Type the value (in seconds).
Connection Limit: Type the value (number of clients).
IP Address: Type the IP address for the server. Click Add. The new server IP appears in the Server IP Address list.
Global Server: Check/Enable.
Note: For explanations of the server physical parameters, refer to Table 4-3 on page 4-31.
4. Click Ok to apply the setup and exit the window.
5. Add a farm to the map:
a. From the CID toolbar, select APSolute OS > Traffic Redirection. The CID Traffic Redirection window appears.
b. From the Traffic Redirection window, select the Farms tab.
c. From the Farms pane, click Add. The Edit Farm window appears.
6. From the Edit CID Farm window, select the Farm Servers tab. Click Add. The window remains open.
7. In the same manner.
add more servers as explained in steps 2-3. then set the following parameters according to the explanations provided: Farm Name: (For example) Farm 1 4-42 CID User Guide . 3. d. Check/enable this option.Basic Application Switching Multiplexed for Port: VIP Address: Admin Status: Disable this option. select the farm that you have created and click Edit. c. From the CID Farm Servers. From the Farm Servers tab. The CID Farm Servers window closes and the new farm server appears in the Farm Servers table in the Edit CID Farm window. Click Ok. click Add.Chapter 4 . b. Add a farm server to the farm: a. d. set the following parameters according to the explanations provided: Server Name: Admin Status: Server Address: Operation Mode: Weight: Multiplexed Server Port: Connection Limit: Local Triangulation: Transparent Mode: (checkbox) Server 1 Enable Select the address of the server Regular 1 Select Disabled or HTTP 0 Check to Enable Select the mode according to the type of server to configure: For Transparent server: Check For Proxy non-transparent server: Clear Server Delimiter: Alternative Server Address: @ Select from the dropdown list. Click Ok to apply. The Edit CID Farm window appears. CID User Guide 4-43 . Type the VIP address. The CID Farm Servers window appears. From the CID Traffic Redirection window Farms tab. 8. 4-44 CID User Guide . Note: The port number that the server is listening on can be used only when port multiplexing is enabled and defined in the farm configuration. see page 4-35.Server Load Balancing e. Click Ok and Ok again to exit all windows. In this type of configuration. • The virtual IP address of CID is 10.100.1. Switch 1 P1 CID P2 Switch 2 Internet Clients 10.Basic Application Switching Example . • Content servers use port 80 for the HTTP traffic.20 CID VIP Address 10.1. CID User Guide 4-45 . in addition to the basic operation.1. • Content servers are transparent. 
CID acts as a router and users are configured to CID or transparently intercepted by CID.1.1.1.20 Server 100. Note: An example of CID configuration with transparent servers in a VLAN environment is provided on page 4-61.1 Figure 4-4 CID with Transparent Content Servers Properties: • Network side and user side are on different subnets.100 Router 100.Chapter 4 .1.1. • Users are not configured on CID and thus traffic is transparently inspected by CID.1.1.2 Server 100.1.CID with Transparent Content Servers Figure 4-4 illustrates a configuration where clients and content servers are on different subnets.1. 0. Type the device‘s IP address: 10.1. Define the default gateway: a. a. Click Ok. set the following parameters according to the explanations provided: IF Num: IP Address: Network Mask: Broadcast Type Forward Broadcast VLAN Tag Selected 0 F-2 100. The Edit CID window remains open. The CID Connect to device window appears. Define the interfaces for ports 1 and 2. From the Edit CID window. Double click on the CID icon again.0. b. 2. d.10 255.1.0.0. b.255. 4-46 CID User Guide .1.0 e. set the following parameters according to the explanations provided: Destination IP Address: Network Mask: Next Hop: IF Number: Metric: Type: 0. Click Ok to exit all windows. From the Set-Up window.1. From the CID Routing Table. click Add.10 and click Ok.255.Server Load Balancing Configuration: 1.1. c. In the CID window. select Networking > Routing Table.0.0 0.1.The CID Routing Table appears. 100. From the Edit Route window.20 F-1 1 Remote d. The Edit CID window appears. From the main window double click on the CID icon. c.The Content Inspection Director window appears. click Add. The Edit Route window appears. From the Traffic Redirection window. b.1. Add two servers to the map: a. In the same manner add the second server by setting the following parameters according to the explanations provided: Server Name: IP Address: Server 2 100. Add servers to the farm: a.2 d. From the CID toolbar. 
select the Farms tab and then click Add. Set the following parameters according to the explanations provided: Server Name: IP Address: Server 1 100. set the following parameters according to the explanations provided: Farm Name: VIP Address: Admin Status: (For Example) Farm 1 10. CID User Guide 4-47 . The Edit CID Farm window appears.1 b.Basic Application Switching 3. click Add.1. From the main window.1. 5. Click Add and then click Ok. Click Add and then click Ok. c.1. The Traffic Redirection window appears.Chapter 4 . click APSolute OS >Traffic Redirection. From the Edit CID Farm window. 4.1. From the Edit CID Farm. Click Add and then click Ok. c.1. The CID Farm Servers window appears. Add a farm to the map: a.100 Selected Note: Ensure that the Transparent Mode is enabled. d. click Add and from the dropdown menu add a local server. c. 6. 7.1. From the pane that now appears. From the CID Traffic Redirection window. From the Farm Policies window. From the Farm Policies window.Server Load Balancing b.1. set the following parameters according to the explanations provided: Server Name: Transparent Mode: Server 1 & Server 2 Enabled Note: Ensure that the Transparent Mode is enabled.1. right click the Modify Farm Policy tab and select Add. Click Ok and then Ok to return to the Farm Policies window. select Classes > Networks > Modify > Add.1 10.2 c. Add a new policy for HTTP: a. Set the following parameters according to the explanations provided: Network Name: Network Mode: From Address: To Address: Local IP Range 10. select the desired farm and click Farm Policies. set the following parameters according to the explanations provided: Policy Name: Index: Service Type: Service Source Address: Destination Address: Direction Description http 1 Regular Service http Local any oneway example 1 4-48 CID User Guide . Click Add and then click Ok. From the CID Farm Servers window.1. Add a local network: a. b. The Farm Policies window appears. 1.100 b. 
      Operational Status: Active
      Cluster Farm: 10.1.1.100
   e. Click Add Policy and then Ok to exit the window.

Note: Users can be configured to the IP Address of the farm or to the farm host name. When the Host Name rule is used, CID has to be configured as DNS Server.

Alias Port

An Alias Port enables CID to work with non-standard ports. For example, if a Web server works on TCP port 81, which, unlike port 80, is not a standard, CID treats this port as an HTTP port.

To configure Alias Ports:

1. From the Traffic Redirection window, select a farm and click Edit. The Edit CID Farm window appears.
2. From the Edit CID Farm window, click Alias. The Alias Ports window appears.
3. From the Alias Ports window, set the following parameters according to the explanations provided:
   Port Number: Type the Port Number.
   Well Known Port Number: Type the well known port number.
   Port Type: Select the port type for this alias. Values: TCP, UDP, Both.
4. Click Add and then Ok.

Sticky Clients Support

CID allows maintaining client stickiness to a Cache Server regardless of TCP/UDP ports, using any Dispatch Method, implying that the same server is to be used for different sessions of the same client (using the same farm). CID uses the hash function to access the Client Table. Typically, the hash function uses the source IP and source port, which indicates that a new Client Table entry is used for each source IP and source port combination. CID allows using the source IP only as the input for the hash function.

To enable Sticky Clients Support:

1. From the Traffic Redirection window, select a farm and click Edit. The Edit CID Farm window appears.
2. From the Edit CID Farm window, click the Traffic Settings tab. The Traffic Settings pane appears.
3. From the Traffic Settings pane Dispatch Method dropdown menu, select Source Hashing.
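The Client Table behaviour described earlier in this chapter (an entry on the first hit, Attached Time refreshed on an established session, removal when a server becomes unavailable or on FIN/RST when the Remove tweak is set) together with the Sticky Clients choice of hash key, as an added Python model that is not Radware's code. The hash function, the server and client addresses and the aging values are constructed assumptions, since the guide does not publish CID's internals.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ClientEntry:
    server: str
    attached_time: int  # seconds left before the entry ages out (starts at Aging Time)


class ClientTable:
    """Model of the CID Client Table (hypothetical, not Radware's implementation).

    dispatch="hash"   : key is (source IP, source port), one entry per combination
    dispatch="source" : key is the source IP only (Source Hashing), sticky across ports
    aging_time        : the Attached Time written on every hit (the Aging Time parameter)
    remove_at_session_end : the Remove Entry at Session End tweak set to Remove
    """

    def __init__(self, servers, dispatch="hash", aging_time=600, remove_at_session_end=False):
        self.servers = list(servers)
        self.available = set(servers)
        self.dispatch = dispatch
        self.aging_time = aging_time
        self.remove_at_session_end = remove_at_session_end
        self.table = {}

    def _key(self, src_ip, src_port):
        return src_ip if self.dispatch == "source" else (src_ip, src_port)

    def _hash_select(self, key):
        # Deterministic hash of the key mapped onto the servers that are currently available
        # (SHA-256 is a constructed stand-in for CID's own hash function).
        candidates = sorted(self.available)
        if not candidates:
            raise RuntimeError("no server available in the farm")
        digest = hashlib.sha256(repr(key).encode()).digest()
        return candidates[int.from_bytes(digest[:4], "big") % len(candidates)]

    def lookup(self, src_ip, src_port):
        """Return (server, is_new_entry) for a packet from src_ip:src_port."""
        key = self._key(src_ip, src_port)
        entry = self.table.get(key)
        if entry is not None and entry.server in self.available:
            # Established session: no load-balancing decision, only refresh Attached Time
            entry.attached_time = self.aging_time
            return entry.server, False
        server = self._hash_select(key)
        self.table[key] = ClientEntry(server, self.aging_time)
        return server, True

    def server_down(self, server):
        """Condition 1: a server became unavailable, drop every entry bound to it."""
        self.available.discard(server)
        for key in [k for k, e in self.table.items() if e.server == server]:
            del self.table[key]

    def session_end(self, src_ip, src_port):
        """Condition 2: FIN or RST detected; the entry goes only if the tweak is set to Remove."""
        if self.remove_at_session_end:
            self.table.pop(self._key(src_ip, src_port), None)

    def age(self, elapsed):
        """Advance time by `elapsed` seconds and expire entries whose Attached Time ran out."""
        for key in [k for k, e in self.table.items() if e.attached_time <= elapsed]:
            del self.table[key]
        for entry in self.table.values():
            entry.attached_time -= elapsed


if __name__ == "__main__":
    # Constructed farm: two servers, one client opening two sessions from different ports.
    sticky = ClientTable(["130.0.0.1", "130.0.0.20"], dispatch="source")
    print(sticky.lookup("192.0.0.5", 1011), sticky.lookup("192.0.0.5", 1079))
```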
4. Click Ok to exit all windows.

Server Health Check

CID can be configured to monitor the status of servers in its farms to ensure that they are available and that they can handle the load balancing requests to content servers. For this purpose, two categories of health checks are available:
• Basic Health Check, which is also referred to as the Farm Connectivity Check.
• Advanced Health Check, which is performed by the Health Monitoring Module.

Note: The CID Health Monitoring Module is described in detail in Chapter 7, Health Monitoring.

The Farm Connectivity check examines these functionalities:
• Ping
• HTTP Port (checks that port 80 is available)
• HTTP Page (checks the availability of a specific Web page)
• Un-cached HTTP Page (also checks the internet connection)

In HTTP Port checks, the CID periodically opens a session with the server on port 80. A successful connection indicates that the server is available. Failure to establish a successful connection on the specified port means that CID considers the server unavailable for traffic. When a failure occurs, CID continues to check for the server's availability and generates a syslog trap that the server is "Not In Service".

For HTTP Page checking, CID can periodically perform HTTP GETs from the cache server for a predefined URL. CID examines the HTTP header of the server response and considers responses with HTTP status code of 200 (status Ok) to indicate a healthy cache server. CID can also be configured to pull an un-cached page from servers in the farm by sending an HTTP request for a specified page using the "pragma - no cache" command. This instructs the server to respond with fresh content, not with content from cache. This method can be used to ensure that the server can actually access an external site and retrieve the specified page. Both options are available from the CID Health Monitoring menu (where the HM module is installed).

Health check attributes, its method, intervals, and number of retries can be configured according to need.
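The Farm Connectivity checks described above, as an added Python sketch that is not Radware's code: it builds the HTTP Page and Un-cached HTTP Page requests, accepts only a 200 status as healthy, and counts consecutive failures until the server is marked "Not In Service". Host, page, interval and retry values are constructed, and returning a server to service on a later 200 is an assumption (the guide only describes the Not In Service trap).

```python
from dataclasses import dataclass, field


@dataclass
class HealthCheckConfig:
    host: str = "cache.example.net"   # constructed cache server name
    page: str = "/index.html"         # page fetched by the HTTP Page check
    interval: int = 10                # seconds between checks (not used offline, kept for completeness)
    retries: int = 3                  # consecutive failures before Not In Service
    uncached: bool = False            # Un-cached HTTP Page check: add Pragma: no-cache


def build_check_request(cfg: HealthCheckConfig) -> bytes:
    """Build the GET that the HTTP Page / Un-cached HTTP Page check sends to the cache server."""
    lines = [f"GET {cfg.page} HTTP/1.1", f"Host: {cfg.host}"]
    if cfg.uncached:
        # Tells the cache to fetch fresh content from the origin, not serve its cached copy.
        lines.append("Pragma: no-cache")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def response_is_healthy(raw: bytes) -> bool:
    """Only an HTTP status line with code 200 counts as a healthy cache server."""
    try:
        status_line = raw.split(b"\r\n", 1)[0].decode("ascii")
        version, code, *_ = status_line.split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return False
    return version.startswith("HTTP/") and code == "200"


@dataclass
class ServerHealth:
    """Tracks one server across periodic checks: failures are retried, then a trap is raised."""
    cfg: HealthCheckConfig
    failures: int = 0
    in_service: bool = True
    traps: list = field(default_factory=list)   # syslog traps that would be generated

    def record(self, raw_response):
        """Feed one check result; raw_response is None when the TCP connect itself failed."""
        if raw_response is not None and response_is_healthy(raw_response):
            self.failures = 0
            self.in_service = True   # assumption: a healthy reply restores the server
            return self.in_service
        self.failures += 1
        if self.in_service and self.failures >= self.cfg.retries:
            self.in_service = False
            self.traps.append("Not In Service")
        return self.in_service


if __name__ == "__main__":
    cfg = HealthCheckConfig(uncached=True, retries=2)
    print(build_check_request(cfg).decode())
    # Constructed responses: one good reply, then a connect failure and a 500.
    h = ServerHealth(cfg)
    for r in (b"HTTP/1.1 200 OK\r\n\r\n", None, b"HTTP/1.1 500 Internal Server Error\r\n\r\n"):
        print(h.record(r), h.traps)
```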
Section 4-4 Cache Load Balancing

Section 4-4, Cache Load Balancing, presents the Cache Load Balancing functions and enhancements as implemented in CID. This section includes the following topics:
• What is Caching?, page 4-54
• How Does Cache Load Balancing Work?, page 4-56
• CID Cache Load Balancing, page 4-57
• Client-Server Combinations, page 4-60
• P2P/Kazaa Caching, page 4-67
• Web Cache Coordination Protocol (WCCP) 2, page 4-74
• Enhanced Cache Coordination, page 4-76

What is Caching?

The role of caching is to store the frequently accessed Web content, in order to shorten response time and save network bandwidth. Figure 4-5 illustrates a caching configuration example.

When the first user, User A, types the URL http://www.radware.com in the browser, the cache gets the request for this page but does not have the content. The cache gets the Web page from the original Web server for radware.com and keeps the page in its local storage, such as memory or disk. The cache then replies to the user with the requested Web content. When User B tries to access the same Web page later on, the cache gets the request again, finds the content on its local storage and replies to the user without having to go to the origin Web server. User B gets the response much more quickly than User A. The network bandwidth is saved because the cache does not have to access the origin server over the Internet again.

Figure 4-5 Caching Example
(Figure: User A and User B behind a Cache Server and Local Servers, both requesting www.radware.com/home/logo.gif.)

Tip: It is useful to remember that each Web page actually consists of multiple objects. The browser retrieves each object and then assembles and displays the complete page.

If a requested object is in the cache local storage, so that the cache serves the object by itself, it is called a "cache hit". If the cache does not store the requested object, it is called a "cache miss"; in case of a "cache miss", the cache obtains the object from the origin server. Because caches make requests to origin servers on behalf of the end user, they are also called proxy cache or proxy servers.

The cache-hit ratio is defined as the number of hits expressed as a percentage of the total requests received by the cache. The cache-hit ratio indicates the efficiency of the cache. The higher the hit ratio, the more requests the cache serves by itself, which results in an improvement in user response time and saves network bandwidth.

How Does Cache Load Balancing Work?

Load balancing across caches is different from load balancing across servers. In the case of server load balancing, the load balancer tries to determine which server has the least load, in order to send the next request. When load balancing across caches, attention is paid to the content available on each cache to maximize the cache-hit ratio.

If a request, for example for www.radware.com/home/products.gif, is sent to cache 1 for the first time, the cache retrieves the object from the original server. When a subsequent request for the same object is received:
• If the load balancer sends this to cache 2, it is inefficient, because now cache 2 must also go to the original server and get the object.
• If the load balancer remembers that this object is already in cache 1, and forwards all subsequent requests for this object to cache 1, the cache-hit ratio is increased and the response time to the end user is improved.

Due to this, CID can significantly improve network performance, and at the same time it can cut costs by reducing the use of bandwidth and additional content servers.
CID Cache Load Balancing

CID is designed to load balance cache servers. CID transparently intercepts Internet-bound user traffic and intelligently load balances the traffic between the cache servers that operate transparently or non-transparently. CID intelligently directs sessions to the most available server, sending repeated requests for the same site to the same cache server while it load balances cache servers, even if the client browsers are not configured to use a proxy server. Moreover, because CID can intercept all client requests by itself, users do not have to have any browser configuration that directs them to a proxy server, and you can save time normally spent configuring client browsers to use cache servers. CID provides a Virtual IP address for the cache farms, so as to facilitate users who need to operate non-transparently.

Client Types

There are two types of clients in a cache server environment:

• Configured Clients: Configured clients are clients that configure their Web browser (or mail client) to use a content/proxy server. When the client's Web browser is configured to use a proxy server, all the HTTP requests are sent to the proxy server using the cache server's IP as the destination IP address (Layer 3), the cache server port number (Layer 4) and the proxy request type (Layer 7).

• Intercepted Clients: Intercepted clients send regular requests that are directed to their default gateway; the client is not necessarily aware of the cache server. The destination IP address is the IP address of the Internet Web site (Layer 3), the destination port is the application port number and the request type is a regular HTTP request (Layer 7).

Cache Server Types

There are two types of cache servers:

• Proxy Non-Transparent Cache Server: When using a non-transparent proxy server, the clients must send a proxy request. The server expects to receive a special type of request containing the destination IP address of the proxy server, a Proxy-Connection keep-alive and the GET request containing the entire requested URL (this is how the proxy knows which URL to retrieve). To use a non-transparent cache server, the client must send an HTTP request which differs from a typical HTTP request in the following parameters:
  • The destination IP of the packet is that of the cache server instead of the site's IP.
  • The GET header field contains the complete requested URL.
  • A Proxy-Connection header field is used instead of the normal Connection header field.

• Proxy Transparent Cache Server: When using transparent servers, the client sends the request to the Internet Web site, but the cache server intercepts the request, fetches the content of the requested URL and stores the content locally. Intercepted traffic is sent to transparent caches/proxies without any IP header manipulation, using the Layer 2 address of the selected cache server and CID. With transparent proxies, an asymmetric traffic flow can easily be achieved in the network (traffic flow of client > CID > cache > client), because no IP header manipulation is necessary.

• CID also supports spoofed servers. A spoofed server uses the client's original IP address and the server's source port.

Proxy and Non-Proxy GET Request

Figure 4-6 shows the example of both types of the GET Request.

Figure 4-6 Proxy and Non-Proxy GET Request
(Figure: a Non Proxy GET Request beside a Proxy GET Request.)

Note: The URL for the Proxy GET Request is part of the GET command, see Line 1.
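The two request forms of Figure 4-6, as an added Python example that is not the guide's code: it classifies a GET as proxy or non-proxy by its request line, and rewrites a non-proxy GET into the proxy form described above (absolute URL on Line 1, Proxy-Connection in place of Connection), which is the transformation CID performs for intercepted clients in front of a non-transparent cache. The sample request bytes are constructed.

```python
PROXY_SCHEMES = ("http://", "https://", "ftp://")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, [(name, value)...], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no blank line after the headers")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except ValueError:
        raise ValueError("malformed request line") from None
    headers = []
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def is_proxy_request(raw: bytes) -> bool:
    """A proxy GET carries the complete URL (scheme and host) on the request line, Line 1 of Figure 4-6."""
    target = parse_request(raw)[1]
    return target.lower().startswith(PROXY_SCHEMES)


def to_proxy_request(raw: bytes) -> bytes:
    """Rewrite a regular (non-proxy) GET into the form a non-transparent cache expects.

    The absolute URL is rebuilt from the Host header, and the Connection header becomes
    Proxy-Connection; a request that is already in proxy form is returned unchanged.
    """
    method, target, version, headers, body = parse_request(raw)
    if target.lower().startswith(PROXY_SCHEMES):
        return raw
    host = next((v for n, v in headers if n.lower() == "host"), None)
    if not host:
        raise ValueError("cannot build an absolute URL without a Host header")
    rewritten = []
    for name, value in headers:
        if name.lower() == "connection":
            rewritten.append(("Proxy-Connection", value))
        else:
            rewritten.append((name, value))
    if not any(n.lower() == "proxy-connection" for n, _ in rewritten):
        rewritten.append(("Proxy-Connection", "keep-alive"))
    head = f"{method} http://{host}{target} {version}\r\n"
    head += "".join(f"{n}: {v}\r\n" for n, v in rewritten)
    return head.encode("latin-1") + b"\r\n" + body


if __name__ == "__main__":
    # Constructed non-proxy GET as an intercepted client would send it to the site.
    plain = b"GET /home/logo.gif HTTP/1.1\r\nHost: www.radware.com\r\nConnection: keep-alive\r\n\r\n"
    print(is_proxy_request(plain), to_proxy_request(plain).decode())
```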
Client-Server Combinations

CID supports several combinations of clients and servers. CID has the ability to intercept the clients' requests and change them from an HTTP request to a PROXY request. This is an advantage in situations where there are many clients on a network with a proxy server, because there is no need to configure the entire network to use the proxy server, but it still forces all clients to use the proxy server.

Table 4-4 shows the available combinations of clients and types of cache servers:

Table 4-4 Client-Server Combinations

Client Type   Server Type       CID Supported Configuration
Configured    Non-transparent   Clients are configured to the cache Servers Farm.
Configured    Transparent       Cannot work, because the transparent cache server expects to receive the IP address of the Internet Web site, while configured clients send the IP address of the proxy as the IP address of the Internet Web site.
Intercepted   Non-transparent   CID intercepts the client traffic and transforms the client requests from an HTTP request to a Proxy request.
Intercepted   Transparent       CID sends the original client traffic without an IP header manipulation.

Note: Transparent and Non-Transparent mode are enabled from the CID Server's Farm window.

Example - CID with Transparent Cache Servers in VLAN Environment

The Figure 4-7 example illustrates a configuration where a CID is added to an existing network in a VLAN configuration. CID is a transparent device that requires no client configuration. Clients can be either configured to CID, or configured transparently.

Figure 4-7 CID with Transparent Servers in VLAN Environment
(Figure: the Internet Router on the network side; CID with ports P1 and P2, an IP VLAN Interface 10.1.1.1 and Virtual IP Address 10.1.1.100; a Content Inspection Server 10.1.1.4; clients on the user side.)

Properties:
• Network side and user side are on different subnets.
• The virtual IP address of CID is 10.1.1.100.
• Cache servers use port 80 for HTTP traffic.
• Cache servers are transparent.
• Users are non-configured to CID, thus intercepted by CID.

Configuration:

1. Define an IP VLAN that includes ports 1 and 2:
   a. Double click on the CID icon. The CID window appears.
   b. From the CID window, click the Set-Up tab. The Set-Up pane appears.
   c. From the Set-Up pane, select Networking > VLAN. The CID Virtual LAN window appears.
   d. From the CID Virtual LAN window, set the following parameters according to the explanations provided:
      Assign Port to VLAN: F1 - Selected, F2 - Selected
      Type: Regular
      Protocol: IP
   e. Click Ok to apply the setup and exit the window.
2. Define an IP interface with the address 10.1.1.1 to be associated with the VLAN:
   • If an IP interface with the 10.1.1.1 address is already defined, edit the interface to associate the 10.1.1.1 address with the VLAN (10000X).
   • If there is no defined IP interface with the 10.1.1.1 address, define one.
3. Enable the VLAN Forwarding policy:
   a. Double click on the CID icon. The CID window appears.
   b. From the CID window, select the Parameters tab and select the VLAN Forwarding policy checkbox.
4. Define the default gateway:
   a. From the CID window, select Networking > Routing Table. The CID Routing Table appears.
   b. Click Add. The Edit Route window appears.
   c. From the Edit Route window, set the following parameters according to the explanations provided:
      Destination IP Address: 0.0.0.0
      Network Mask: 0.0.0.0
      Next Hop: 10.1.1.20
      IF Number: F1
      Metric: 1
      Type: Remote
   d. Click Ok to apply the setup and exit the window.
5. Add a server:
   a. From the main window, click Add and select a local server.
   b. Double click on the Server icon. The Server window appears.
   c. From the Server Name parameter, assign a name to the server.
   d. Assign the IP address of 10.1.1.4 to the server and click Ok.
6. Add a new farm to the CID:
   a. From the Traffic Redirection window, click the Farms tab and then click Add. The Edit CID Farm window appears.
   b. From the Edit CID Farm window, set the following parameters according to the explanations provided:
      Farm Name: (For example) Farm 1
      Multiplexed for Port: Disable
      VIP Address: 10.1.1.100
      Admin Status: Selected
   c. Click Ok to apply the setup. The Edit CID Farm window remains open.
7. Add the server to the farm:
   a. From the Edit CID Farm window, click Add. The CID Farm Servers window appears.
   b. Click Ok to apply the setup and exit the window.
8. Add a new network:
   a. From the CID Traffic Redirection window, select the desired farm and click Farm Policies. The Farm Policies window appears.
   b. From the CID Farm Policies window, click Classes. The CID Classes window appears.
   c. From the CID Classes window, click the Modify tab and click Add. The Edit Network Table appears.
   d. From the Edit Network Table, set the following parameters according to the explanations provided:
      Network Mode: IP Range
      Network Name: Local
      From Address: 10.1.1.2
      To Address: 10.1.1.3
   e. Click Ok and then Ok again.
9. Add a new policy for HTTP:
   a. From the CID Classes window, click Update Active Classes.
   b. From the CID Farm Policies window, click Modify Farm Policy and then click HTTP, then set the following parameters according to the explanations provided:
      Policy Name: http
      Index: 1
      Service Type: Regular Service
      Service: http
      Source Address: Any
      Destination Address: Any
      Direction: One way
      Description: Example
      Operational Status: Active
      Cluster Farm: 10.1.1.100
10. Click Add Policy and then click Ok.

Note: Ensure that:
• The default router of the CID is the internet router at 10.1.1.20.
• The default router of the content server is CID.
To operate the load balancing in a VLAN network topology, set your VLAN to be a regular VLAN type.

Example - CID with Non-Transparent Cache Servers

When servers are of the non-transparent type and clients are not configured, CID intercepts client traffic and transforms client requests from the HTTP GET request to the Proxy GET request.

Configuring CID with non-transparent cache servers is similar to configuring CID with transparent cache servers in a VLAN environment, with the following exceptions:
• When setting the parameters in the Edit CID Farm window, enable (check) Transform Request from the Traffic Settings tab.
• When setting the parameters in the CID Farm Servers window, disable (clear) Transparent Mode.

P2P/Kazaa Caching

CID provides support for Peer-to-Peer (P2P) sharing technology. P2P technology enables individual users running the Kazaa Media Desktop (KMD) application to connect to each other directly, without the need for a central point of management. CID supports caching of Kazaa v1 and Kazaa v2.

CID accelerates Kazaa v2 caching by initially intercepting all traffic destined to a predefined port range. CID intercepts the Kazaa port range, and then performs delayed binding to search for Kazaa signatures. This method reduces false positive cases, which result in non-Kazaa traffic cache redirection. CID supports Kazaa sessions which are initiated by the uploader and the downloader. Support for sessions initiated by the downloader is required in cases where the remote Kazaa peer is located behind a firewall.

Notes:
• Kazaa v2 protocol uses a range of ports, and the values of 1000-6000 are a general recommended value; however, this parameter is network dependent.
• Kazaa v1 can also use Content Based Rule = IP Address, as there is no need to search for a signature within the packets.

Farm Policy Configuration Guidelines:

Setting a Farm policy to support the Kazaa protocol is performed in the CID Traffic Redirection window and involves the following steps:

1. Define a new Content Servers Farm with Content Based Rule: P2P.
2. For Kazaa v1, define two Basic TCP filters:
   a. Filter for Kazaa session initiated by the uploader: destination port = any, source port = 1214.
   b. Filter for Kazaa session initiated by the downloader: destination port = 1214, source port = any.
3. For Kazaa v2, define two Basic TCP filters:
   a. Filter for Kazaa session initiated by the uploader: destination port = any, source port range: 1000-6000.
Chapter 4 - Basic Application Switching

2. For Kazaa v2, define two Basic TCP filters, as there is no need to search for a signature within the packets:
   a. Filter for Kazaa session initiated by the uploader: destination port = any, source port range: 1000-6000.
   b. Filter for Kazaa session initiated by the downloader: destination port range: 1000-6000, source port = any.
   The values of 1000-6000 are a general recommended value; however, this parameter is network dependent.
3. Create a new service group for Kazaa v1 or Kazaa v2, containing the two defined regular filters.
4. Define a Farm Policy for the service group by setting the following parameters according to the explanations provided:
   Service Type: Grouped Service
   Service: Kazaa

Support for other P2P Protocols

While setting Farm Policies with service assigned to the service ports, you can configure other P2P protocols, which use well-known ports. Table 4-5 lists the P2P protocols and their corresponding port numbers for configuration:

Table 4-5 P2P Protocols and Supporting Ports

Protocol          Port Number          Type of Traffic
Kazaa v1          TCP: 1214            inbound
                  TCP: 1214            outbound
Gnutella          TCP: 6346, 6347      inbound
                  TCP: 6346, 6347      outbound
eDonkey / eMule   TCP: 4661, 4662      outbound
                  UDP: 4665, 4672      outbound
                  TCP: 4662, 4771      inbound
                  UDP: 4672, 4665      inbound

Example - P2P/Kazaa Caching

Figure 4-8 shows an example of P2P Kazaa caching configuration.

[Figure 4-8 P2P/Kazaa Caching Configuration: Internet; Router 10.1.1.20; CID with Virtual IP Address 10.1.1.100 and IP VLAN I/F 10.1.1.1, ports P1 (Clients), P2 and P3; P2P Server 10.1.1.4]

Configuration:
1. Define an IP VLAN that includes ports 1 and 2:
   a. Double click the CID icon. The Set-Up window appears.
   b. In the Set-Up window, select Networking > VLAN. The CID Virtual LAN window appears.
   c. From the CID Virtual LAN window, click on the Set-Up tab. The Set-Up pane appears.
   d. From the Set-Up pane, set the following parameters according to the explanations provided:
      Assign Port to VLAN: F1 - Selected, F2 - Selected, F3 - Selected
      Type: Regular
      Protocol: IP
2. Define an IP interface with the address 10.1.1.1 to be associated with the VLAN:
   • If an IP interface with the 10.1.1.1 address is already defined, edit the interface to associate the 10.1.1.1 address with the VLAN (1000X).
   • If there is no defined IP interface with the 10.1.1.1 address, define one:
     a. In the Set-Up window click Add. The Interface window appears.
     b. In the Interface window, set the interface address to 10.1.1.1, associate it with the VLAN, and click Ok.
3. Enable VLAN Forwarding policy:
   a. From the CID Virtual LAN window, select the Parameters tab then select the VLAN Forwarding Policy checkbox.
   b. Click Ok to apply the setup and exit the window.
4. Define the default gateway:
   a. Double click the CID icon. The Set-Up window appears.
   b. From the Set-Up window select Networking > Routing Table. The CID Routing Table appears.
   c. From the CID Routing Table click Add. The Edit Route window appears.
   d. From the Edit Route window, set the following parameters according to the explanations provided:
      Destination IP Address: 0.0.0.0
      Network Mask: 0.0.0.0
      Next Hop: 10.1.1.20
      IF Number: F1
      Metric: 1
      Type: Remote
   e. Click Ok to apply the setup and exit the window.
5. Add a server:
   a. From the main window, click Add and select a local server.
   b. Double click the Server icon. The Server window appears.
   c. From the Server window assign the server an IP address of 10.1.1.4, and click Ok.
6. Define two basic TCP filters:
   a. From the main window, click Classes. The CID Classes window appears.
   b. From the CID Classes window, click Add Regular, then set the following parameters according to the explanations provided:
      Filter for Kazaa session initiated by uploader:
      Service Name: Kazaa uploader
      Protocol: TCP
      Destination Port: any
      Source Range: From: 1000, To: 6000
      Filter for Kazaa session initiated by downloader:
      Service Name: Kazaa downloader
      Protocol: TCP
      Destination Port: From: 1000, To: 6000
      Source Range: Any
   c. Click Ok and then Ok again.
7. Create a new Service Group for Kazaa v2, containing the two regular filters that you defined:
   a. From the CID Classes window, select Add Group.
   b. From the Basic Services list, select the predefined services, Kazaa uploader and Kazaa downloader, then click Add Service and click Ok.
   c. From the CID Classes window, click Update Active Classes.
8. Add a new farm to the CID:
   a. From the main window, select Traffic Redirection. The CID Traffic Redirection window appears.
   b. From the CID Traffic Redirection window, select the Farms tab and then click Add. The Edit CID Farm window appears.
   c. From the Edit CID Farm window, set the following parameters according to the explanations provided:
      Farm Name: (For example) Farm 1
      Multiplexed for Port: Disable
      VIP Address: 10.1.1.100
      Admin Status: Checked
      Content Based Rule: P2P
   d. From the Edit CID Farm window, click Add. The CID Farm Servers window appears.
   e. From the Server Name parameter add the server and click Ok. The Edit CID Farm window remains open.
   f. Click Ok to apply the setup and exit the window.
9. Add a new policy for HTTP:
   a. From the Traffic Redirection window, select the desired farm and click Farm Policies. The Farm Policies window appears.
   b. From the Farm Policies window, click Modify Farm Policy and then click HTTP, then set the following parameters according to the explanations provided:
      Policy Name: http
      Index: 1
      Service Type: Grouped Service
      Service: Kazaa
      Source Address: Any
      Destination Address: Any
      Direction: One way
   c. Click Add Policy and then click Ok.

To operate the load balancing in a VLAN network topology, set your VLAN to be a regular VLAN type.

Note: Ensure that the default router of the content server is CID.
      Description: Example
      Operational Status: Active
      Cluster Farm: 10.1.1.100

Note: Ensure that the default router of the CID is the internet router at 10.1.1.20.

Web Cache Coordination Protocol (WCCP) 2

The WCCP V2.0 protocol specifies interactions between one or more Cisco routers as well as one or more web-caches. The purpose of the interaction is to establish and maintain the transparent redirection of selected traffic types flowing through a group of routers. The selected traffic is redirected to a group of web-caches with the aim of optimizing resource usage and lowering response times. The protocol does not specify any interaction between the web-caches within a group or between a web cache and a web-server.

CID supports WCCPv2 in the same manner as Cisco routers support it, which endeavors to provide uniform cache resource allocation in a mixed environment where the same cache servers farm is accessed by Radware devices and Cisco devices.

CID WCCPv2 is implemented according to IETF Internet draft draft-wilson-wrec-wccp-v2-00 from July 13, 2000, with the following notes:
• Forwarding Method is set to L2 rewrite.
• Service ID is set to standard (HTTP).
• Redirection is with hash assignment.
• GRE encapsulation is not supported for the communication between the Radware device and a cache server.
• Only one farm can be configured with WCCP.

When a cache server wants to join a caching farm it sends a "here I am" packet. If the source IP of the cache server that sent the packet is configured as a server in the WCCP farm, the CID sends an "I see you" packet; otherwise it ignores the packet from the server. The cache sends another "here I am" packet and, to complete the connection, CID sends an "I see you" packet back to the cache. After all the caches have completed establishing their connection with the CID, the cache with the lowest IP sends a "Redirect Assign" packet, containing the load balancing hash table.

Notes:
• CID supports WCCP version 2 only.
• Only one farm can support WCCP.

WCCP Configuration Guidelines:
WCCPv2 is configured as part of server farm configuration from the CID Edit Farm window:
• Set Dispatch method to: WCCP.
• Set Check Connectivity Status to: Disabled.
• Configure the cache servers as part of a server farm, and then apply the dedicated WCCP settings.
• The WCCP address of cache servers should be configured to the actual CID interface address, and not the farm VIP.
• Define a farm policy to intercept the client's traffic and forward it to the WCCP farm.

Enhanced Cache Coordination

WCCP (Web Cache Coordination Protocol) v2.0 specifies interactions between one or more Cisco routers and one or more Web caches. The purpose of the interaction is to establish and maintain the transparent redirection of selected traffic types flowing through a group of routers. Selected traffic is redirected to a group of Web caches with the aim of optimizing resource usage and lowering response times. This protocol does not specify any interaction between the Web caches within a group or between a Web cache and a Web server.

CID versions 2.02 and later support WCCP v2.0 in the same manner as Cisco routers support it.

Notes:
• WCCP can be supported by a single farm only.
• GRE encapsulation is not supported for the communication between the Radware device and a cache server.
• To apply WCCP, cache servers must be configured as part of a server farm.
• The WCCP address of a cache server must be configured to the CID interface address, and not the farm VIP.

WCCP Configuration Guidelines:
WCCP v2.0 is configured as part of the server farm configuration, from the CID Edit Farm window:
1. Define the Dispatch Method as WCCP.
2. Disable the Check Connectivity Status.
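The join exchange described above ("here I am", "I see you", "Redirect Assign"), as an added Python simulation; this is example code, not the guide's or Radware's. The message names, the two-round join, the rule that only a cache whose source IP is configured as a server in the WCCP farm is answered, and the lowest-IP cache sending the assignment follow the text above. The 256-bucket hash table, the round-robin split of buckets between caches, and the destination-address bucket lookup in select_cache are assumptions of the example, as are the sample addresses.

```python
from ipaddress import ip_address

BUCKETS = 256  # assumption: WCCPv2 hash assignment uses a 256-bucket table


class CacheServer:
    """A web cache joining the farm. The guide describes two rounds of
    "here I am" / "I see you" before the connection is complete."""

    def __init__(self, ip):
        self.ip = ip_address(ip)
        self.i_see_you_count = 0

    def here_i_am(self):
        return {"type": "here I am", "src": str(self.ip)}

    def on_i_see_you(self, reply):
        self.i_see_you_count += 1

    @property
    def joined(self):
        return self.i_see_you_count >= 2

    def redirect_assign(self, members):
        """Build the load balancing hash table sent by the designated (lowest IP)
        cache: bucket i is given to members[i % n] (round-robin, an assumption)."""
        members = sorted(ip_address(m) for m in members)
        buckets = [str(members[i % len(members)]) for i in range(BUCKETS)]
        return {"type": "redirect assign", "src": str(self.ip), "buckets": buckets}


class Redirector:
    """The CID side. A packet is answered only when its source IP is one of
    the servers configured in the WCCP farm; anything else is ignored."""

    def __init__(self, farm_servers):
        self.farm = {ip_address(s) for s in farm_servers}
        self.here_i_am_seen = {}  # cache IP -> number of "here I am" packets received
        self.assignment = None    # the 256 bucket owners once Redirect Assign arrives
        self.ignored = []         # (type, src) of every packet that was dropped

    def receive(self, msg):
        src = ip_address(msg["src"])
        if src not in self.farm:
            self.ignored.append((msg["type"], str(src)))
            return None
        if msg["type"] == "here I am":
            self.here_i_am_seen[src] = self.here_i_am_seen.get(src, 0) + 1
            return {"type": "I see you", "dst": str(src),
                    "members": [str(c) for c in sorted(self.joined_caches())]}
        if msg["type"] == "redirect assign":
            # only the designated cache may assign, and the table must be complete
            if src != self.designated_cache() or len(msg["buckets"]) != BUCKETS:
                self.ignored.append((msg["type"], str(src)))
                return None
            self.assignment = list(msg["buckets"])
            return {"type": "assignment accepted", "dst": str(src)}
        self.ignored.append((msg["type"], str(src)))
        return None

    def joined_caches(self):
        return [c for c, n in self.here_i_am_seen.items() if n >= 2]

    def all_joined(self):
        return bool(self.farm) and all(self.here_i_am_seen.get(c, 0) >= 2 for c in self.farm)

    def designated_cache(self):
        joined = self.joined_caches()
        return min(joined) if joined else None

    def select_cache(self, dst_ip):
        """Cache chosen for a redirected client packet via its hash bucket
        (assumption: the bucket is derived from the destination address)."""
        if self.assignment is None:
            return None
        return self.assignment[int(ip_address(dst_ip)) % BUCKETS]


def run_join(redirector, caches):
    """Drive the exchange: two "here I am" rounds per cache, then, once every
    configured cache is in, the designated cache sends Redirect Assign."""
    for _ in range(2):
        for cache in caches:
            reply = redirector.receive(cache.here_i_am())
            if reply is not None:
                cache.on_i_see_you(reply)
    if redirector.all_joined():
        leader = next(c for c in caches if c.ip == redirector.designated_cache())
        members = [str(c.ip) for c in caches if c.joined]
        redirector.receive(leader.redirect_assign(members))
    return redirector.assignment


if __name__ == "__main__":
    # constructed sample: two configured caches and one that is not in the farm
    cid = Redirector(["10.1.1.3", "10.1.1.4"])
    farm = [CacheServer("10.1.1.4"), CacheServer("10.1.1.3"), CacheServer("10.1.1.99")]
    run_join(cid, farm)
    print("designated:", cid.designated_cache(), "ignored:", cid.ignored)
```

The point to take from the simulation is the membership check in Redirector.receive: a "here I am" from an address that is not a configured farm server never gets an "I see you", so an unconfigured host cannot insert itself into the hash table, and a "Redirect Assign" from any cache other than the designated one is dropped as well.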
This provides a uniform cache resource allocation in a mixed environment where the same cache servers farm is accessed by both Radware devices and Cisco devices.

CID WCCP v2.0 configuration is done in Web Based Management and is implemented as follows:
• Forwarding Method is set to L2 Rewrite
• Service ID is set to Standard (HTTP)
• Redirection is with hash assignment
• WCCP is applied to a single farm.

Section 4-5 Local Triangulation

Section 4-5, Local Triangulation, explains how response time may be reduced by using Local Triangulation and how to configure CID with Local Triangulation. This section includes the following topics:
• What is Local Triangulation?, page 4-78
• Configuring CID with Local Triangulation, page 4-80
• Local Triangulation with Transparent Servers, page 4-85

What is Local Triangulation?

The Local Triangulation feature provides the ability to send server's responses to a request for service directly to the client, without passing through CID. Sending responses that way reduces the number of hops through which the reply packet passes. That improves the response time. The traffic passing through CID is reduced, since most of the incoming requests are rather small and outbound traffic typically represents the bulk of data exchanged between clients and servers.

Client initiated traffic must flow through CID in order to direct it to the selected server. CID selects the best server for the required service. The response from servers to clients is sent directly to the client. The client can be located at the same network as CID and the servers, or can be located behind the router; the inbound traffic must flow through CID as in the regular configuration.

Figure 4-9 illustrates an example of Local Triangulation configuration.

[Figure 4-9 Local Triangulation Network Setup: Clients, CID, Servers; flow steps 1, 2, 3]
Local Triangulation is effective for one-leg topologies, eliminating the need for server-to-client traffic to flow through the CID, and reduces traffic on the CID interface. When working in the Local Triangulation mode, traffic from servers to clients can go directly to the client, without passing through CID. When a new request for service arrives, CID forwards it to a farm server; the server responds directly to the client with the CID Virtual IP.

CID determines the tag that is used according to the destination IP of the packet after CID has made all the required modifications to the packet. For example, when using Local Triangulation, CID forwards packets to servers with a destination IP of the farm, hence these packets are tagged according to the tag in the configuration of the IP interface associated with the farm IP (see Table 4-2 on page 22).

Using Local Triangulation requires a server configuration with a loopback adapter. A loopback address is a valid IP address assigned to a server, but the server does not respond to ARP requests destined to the loopback address. The address assigned to the loopback adapter is the Virtual IP address. Local Triangulation is dependent on the operating systems installed on the farm's servers. For more information regarding loopback adapter configuration, consult the manufacturer of the server's OS. Setting up of loopback interfaces is described in Chapter B, Loopback Interfaces.

Note: Local Triangulation is supported only when the CID Content Based Rule is set to Address Mode.

Local Triangulation Configuration Guidelines:
Configuring the Local Triangulation mode involves the following steps:
1. Setting up farm servers to operate in the Local Triangulation mode.
2. Enabling this feature in the servers themselves.

Configuring CID with Local Triangulation

Farm servers can be configured to operate as Local Triangulation type servers.

Tip: You can add both Local Triangulation type servers and Regular type servers to the same farm.

Example - CID with Local Triangulation

The example shown in Figure 4-10 illustrates a CID configuration that enables content servers to return cached pages directly to the client, without having to pass through CID on the way to the client.

[Figure 4-10 Local Triangulation with Returned Cache Pages: Internet; Router 10.1.1.20; CID (Virtual IP Address 10.1.1.100, device address 10.1.1.10, port P1); Network Server; Server 1 10.1.1.3; Server 2 10.1.1.4; Clients]

Properties:
• CID is installed in a one-leg topology.
• Network side subnet and server side subnet are on the same LAN. All connections can be made to the same switch.
• The virtual IP address of CID is 10.1.1.100.
• Servers are configured with a loopback adapter with an IP address which is the same as the CID virtual IP.
• Servers support non-transparent proxy.
• Clients use a proxy server with IP address 10.1.1.100.
• Clients use HTTP traffic on port 80.

Configuration:
1. Connect the device:
   a. Double click the CID icon. The Set-Up window appears.
   b. In the Set-Up window type the device's IP address: 10.1.1.10.
   c. Click Ok.
2. Add a default gateway:
   a. From the Set-Up window, select Networking > Routing Table. The CID Routing Table window appears.
   b. From the CID Routing Table window, click Add. The Edit Route dialog box appears.
   c. From the Edit Route dialog box, set the following parameters according to the explanations provided:
      Destination IP Address: 0.0.0.0
      Network Mask: 0.0.0.0
      Next Hop: 10.1.1.20
      IF Number: F-1
      Metric: 1
      Type: Remote
   d. Click Ok to close all windows.
3. Add the servers:
   Note: To add servers you must be in Map view and then link them to the device.
   a. From the CID toolbar, click Add and select a local server.
   b. Double click the Server icon. The Server window appears.
   c. From the Server window, set the following parameters according to the explanations provided:
      Server Name: Server 1
      Admin Status: Selected
      Recovery Time: 0
      Warm-up Time: 0
      Connection Limit: 0
      IP Address: 10.1.1.3
      Global Server: Cleared
   d. Click Add and then Ok.
   e. In the same manner, add a second server by setting the following parameters according to the explanations provided:
      Server Name: Server 2
      Admin Status: Selected
      Recovery Time: 0
      Warm-up Time: 0
      Connection Limit: 0
      IP Address: 10.1.1.4
      Global Server: Cleared
   f. Click Add and then Ok.
4. Add a farm:
   a. From the Edit CID window, click the Farm tab and then click Add. The Edit CID Farm window appears.
   b. From the Edit CID Farm window, set the following parameters according to the explanations provided:
      Farm Name: Type the farm name, for example: Farm 1
      Multiplexed for Port: Disable/uncheck
      VIP Address: 10.1.1.100
      Admin Status: Select/check
      Content Based Rule: Address
   c. Click Apply. The Edit CID window remains open.
5. Add the servers to the farm:
   a. From the Edit CID Farm window, click Add. The CID Farm Server window appears.
   b. From the CID Farm Server window, set the following parameters according to the explanations provided:
      Server Name: Server 1
      Local Triangulation: Selected
      Transparent Mode: Cleared
   c. Add a second server by setting the following parameters according to the explanations provided:
      Server Name: Server 2
      Local Triangulation: Selected
      Transparent Mode: Cleared
   d. Click Ok. The Farm Servers window closes.
6. Add an HTTP policy:
   a. From the Traffic Redirection window, select the desired farm and click Farm Policies. The Farm Policies window appears.
   b. From the Farm Policies window, click Modify Farm Policy and then click HTTP, then set the following parameters according to the explanations provided:
      Policy Name: http
      Index: 1
      Service Type: Regular Service
      Service: http
      Source Address: Any
      Destination Address: Any
      Direction: One way
      Description: Example
      Operational Status: Active
      Cluster Farm: 10.1.1.100
   c. Click Add Policy and then click Ok.

Example - Local Triangulation with Transparent Servers

CID supports the Local Triangulation scheme using non-transparent servers. This configuration is applicable for non-configured clients. The network topology is the same as described in Local Triangulation, page 4-77. CID intercepts client traffic, while responses to clients are transmitted directly from the servers.

Properties:
• CID is installed in one-leg topology with default gateway 10.1.1.20.
• Servers are configured with router 10.1.1.20 as their default gateway.
• Servers support transparent proxy mode (no need to define a loopback adapter).
• Clients are not configured to use a proxy server.
• Clients are configured with CID as their default gateway.
• Clients use HTTP traffic on port 80.

Configuration:
1. Follow steps 1-7 as explained in: CID with Local Triangulation, page 4-81.
2. When adding servers in the CID Farm Servers window, set the following parameters according to the explanations provided:
   Server Name: Type the server name.
   Local Triangulation: Select.
   Transparent Mode: Select.

Section 4-6 Server Spoofing

Section 4-6, Server Spoofing, describes how CID uses Server Spoofing in order to provide cache servers with the capability to retrieve pages on behalf of the client with the client's source address. This section includes the following topics:
• What is Server Spoofing?, page 4-87
What is Server Spoofing?

Server Spoofing is a process of one device talking to another device using the address of a third device. This type of support for CID is essential to provide cache servers with the capability to retrieve pages on behalf of the client with the client's source address.

When a client sends a request, CID intercepts the request to the content server. The content server sends the request to the destination using the original source address. The destination does not know that the cache server has initiated the request on behalf of the client. When the reply arrives to CID, CID initially directs it to the content server, although the reply is destined to the client address. The content server handles the reply and sends it to the client.

Section 4-7 Network Address Translation

Section 4-7, Network Address Translation, describes the feature as implemented in CID. This section includes the following topics:
• NAT Types, page 4-89
• Client NAT, page 4-90
• Server Based NAT, page 4-94
• Farm Based NAT, page 4-106

NAT Types

Network Address Translation is the ability to hide the IP addresses of the clients from the servers. Using this feature causes CID to replace the original source IP of a request with the configured NAT IP before forwarding the request to the server. These are the NAT types:
• Client
• Server
• Server Based
• Farm Based

Full Support for NAT in VLAN Mode

As well as in the Router mode, CID supports NAT in VLAN mode. This means that if NAT is enabled, you can NAT packets in a VLAN configuration.

ICMP Support for NAT

Dynamic NAT needs special support for ICMP (ping), which is a protocol stack on top of IP (like TCP and UDP). NAT is used on TCP and UDP packets, both containing a port number field, unlike the ICMP echo message. Ping messages are identified by the Identifier field of the ICMP echo message. Therefore, when a packet requires NAT, CID stores the Identifier field of the echo message.

Client NAT

When client NAT addresses are configured and a client matching a farm policy approaches a farm, CID selects a server and NATs the client IP address and port using the configured NAT address range for a farm or a server. Farm addresses are defined for the Farm Based NAT and the server addresses are defined for the Server Based NAT. The reply arriving from the server to CID replaces the NAT address and port with the original client address and port, before forwarding the reply to the client. When no NAT addresses are configured in the NAT Addresses Table, Client NAT is not performed. Up to 128 ranges of NAT addresses can be configured.

Client NAT provides the following capabilities:
• In the installation process, the NATed IP address range has to be specified.
• Client NAT enables the enforcement of the return path, so that no special configuration, such as default gateway or an explicit route, is required on the servers.
• A server, or a firewall in front of the servers, is able to verify that traffic came through CID, for example in order to limit access to the servers, thus providing higher security.

Figure 4-11 illustrates an example scheme of a CID NAT operation.

[Figure 4-11 CID NAT Operation: Internet; Router; CID; Clients 10.1.1.1; Servers 100.1.1.1 and 100.1.1.2; 1 Request, Source Address: 10.1.1.1; 2 Load Balancing, NAT to Server, Source Address: 20.1.1.1; 3 Reply, Destination Address: 20.1.1.1; 4 Return, Destination Address: 10.1.1.1]

Properties:
1. Client 10.1.1.1 sends a request, which is intercepted by CID.
2. CID performs load balancing and selects a server to forward the client's request. When selected, CID replaces the client's original source address with a NAT address (20.1.1.1 in this example).
3. The server sends a reply to the client using the NAT Address 20.1.1.1 as the destination address.
4. CID receives the reply packet, replaces the destination address 20.1.1.1 with the client's original address 10.1.1.1, and sends it to the client.

NAT Configuration Guidelines:
Configuring NAT involves the following steps:
1. Change the NAT Tuning Parameters.
2. Enable NAT.
3. Configure the NAT Addresses.

To change the NAT tuning parameters:
1. Double click the CID icon. The Set-Up window appears.
2. In the Set-Up window, select the Global tab.
3. In the Global pane, select NAT Settings > Edit Settings. The NAT Settings window appears.
4. From the NAT Settings window, set the following parameters according to the explanations provided:
   NAT Addresses: Specify the number of IP addresses to be used by NAT. Range: >0-128. Default: 0.
   Note: Before enabling Client NAT, this parameter must be set to a value higher than zero.
   NAT Ports per Address: Specify the number of ports to be used with each IP address. Range: 1024-64512. Default: 64512.
   Note: CID uses a port range starting at 1024 that ends according to the NAT Ports per Address value.
5. Click Ok to exit all windows.
6. Restart the device to apply the Tuning parameter changes.

To enable NAT:
1. From the main window, click APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window enable/check NAT.
3. Click Ok to exit all windows.

Note: NAT cannot be enabled globally before the Tuning parameter of the NAT Addresses Table is set to a value higher than 0. When the feature is globally enabled, however, it should also be enabled specifically for each required farm or application server.

To configure NAT addresses:
1. Double click the CID icon. The Set-Up window appears.
2. From the Set-Up window, click NAT Addresses. The CID NAT Addresses window appears.
3. From the CID NAT Addresses window, set the following parameters according to the explanations provided:
   From Address: Enables you to configure the NAT for the entire client range or specifically for clients listed for an individual application.
   To Addresses: The translated NAT IP address. This can be any legal address. The default address is 0.0.0.0. If the NAT IP is set to 0.0.0.0, CID leaves the source address and port as is. Only the IP address is ever changed.
4. Enter the IP Address.
5. Click Ok to exit all windows.
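Client NAT as described in this section, as an added Python model; this is example code, not the guide's or Radware's. The behaviour taken from the text above: a pool of NAT addresses, ports starting at 1024 and ending according to the NAT Ports per Address value, the ICMP echo Identifier taking the place of a port, a NAT IP of 0.0.0.0 leaving the source address and port as is, and the From Address option restricting translation to a client range. The packet dictionaries, the in-memory session table without timeouts, the fill-one-address-first allocation order and the rewriting of the ICMP Identifier to a pool value are assumptions of the example.

```python
from ipaddress import ip_address

NAT_PORT_BASE = 1024  # the guide: the NAT port range starts at 1024


class ClientNat:
    """Client NAT: the client's source IP and port (or ICMP echo Identifier)
    are replaced by an address/port taken from the configured NAT range;
    a reply from the server is mapped back before it is forwarded to the
    client. The in-memory tables and the absence of timeouts are assumptions."""

    def __init__(self, nat_addresses, ports_per_address=64512, client_range=None):
        if not 1024 <= ports_per_address <= 64512:
            raise ValueError("NAT Ports per Address must be in 1024-64512")
        if not 0 < len(nat_addresses) <= 128:
            raise ValueError("between 1 and 128 NAT addresses are supported")
        self.addresses = [ip_address(a) for a in nat_addresses]
        self.port_end = NAT_PORT_BASE + ports_per_address  # exclusive upper bound
        self.next_port = {a: NAT_PORT_BASE for a in self.addresses}
        self.released = []  # (nat_ip, nat_port) slots freed by closed sessions
        # From Address / To Address: only clients in this range are translated
        self.client_range = (tuple(ip_address(a) for a in client_range)
                             if client_range else None)
        self.forward = {}  # (proto, client, client_id, server, sport) -> (nat_ip, nat_id)
        self.reverse = {}  # (proto, nat_ip, nat_id, server, sport) -> (client, client_id)

    @staticmethod
    def _client_id(pkt):
        # TCP and UDP carry a port; a ping is identified by the ICMP echo Identifier
        return pkt["ident"] if pkt["proto"] == "icmp" else pkt["sport"]

    def _allocate(self):
        if self.released:
            return self.released.pop()
        for addr in self.addresses:  # fill one NAT address before moving to the next
            port = self.next_port[addr]
            if port < self.port_end:
                self.next_port[addr] = port + 1
                return addr, port
        raise RuntimeError("NAT address/port pool exhausted")

    def available(self):
        return len(self.released) + sum(self.port_end - p for p in self.next_port.values())

    def outbound(self, pkt):
        """Client -> server. Returns the packet as forwarded to the server."""
        client = ip_address(pkt["src"])
        if self.addresses == [ip_address("0.0.0.0")]:
            return dict(pkt)  # guide: NAT IP 0.0.0.0 leaves source address and port as is
        if self.client_range and not self.client_range[0] <= client <= self.client_range[1]:
            return dict(pkt)  # client outside the configured range: no NAT
        proto = pkt["proto"]
        server, sport = ip_address(pkt["dst"]), None if proto == "icmp" else pkt["dport"]
        key = (proto, client, self._client_id(pkt), server, sport)
        if key not in self.forward:
            nat_ip, nat_id = self._allocate()
            self.forward[key] = (nat_ip, nat_id)
            self.reverse[(proto, nat_ip, nat_id, server, sport)] = (client, key[2])
        nat_ip, nat_id = self.forward[key]
        out = dict(pkt, src=str(nat_ip))
        out["ident" if proto == "icmp" else "sport"] = nat_id
        return out

    def inbound(self, pkt):
        """Server -> client reply. Restores the client's address, or returns
        None when no session matches (the reply is dropped)."""
        proto = pkt["proto"]
        nat_id = pkt["ident"] if proto == "icmp" else pkt["dport"]
        sport = None if proto == "icmp" else pkt["sport"]
        key = (proto, ip_address(pkt["dst"]), nat_id, ip_address(pkt["src"]), sport)
        if key not in self.reverse:
            return None
        client, client_id = self.reverse[key]
        out = dict(pkt, dst=str(client))
        out["ident" if proto == "icmp" else "dport"] = client_id
        return out

    def close(self, pkt):
        """End a session (given a client-side packet) and return its slot to the pool."""
        proto = pkt["proto"]
        sport = None if proto == "icmp" else pkt["dport"]
        key = (proto, ip_address(pkt["src"]), self._client_id(pkt), ip_address(pkt["dst"]), sport)
        nat_ip, nat_id = self.forward.pop(key)
        del self.reverse[(proto, nat_ip, nat_id, key[3], sport)]
        self.released.append((nat_ip, nat_id))
```

The reverse table is what gives the return-path enforcement the section describes: a reply that does not match a translation CID created (wrong NAT port, or a server answering a client directly) has no entry and is dropped rather than forwarded. The available() count also makes the sizing note concrete: one NAT address with the default 64512 ports supports 64512 concurrent sessions, and the tuning parameters have to be raised before the pool runs out.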
Redundancy

In a redundant CID scenario, the same NAT Addresses and farm policies should be configured on both CID devices. Client Table mirroring should not be used with Client NAT, as Client NAT entries in the Client Table are not mirrored.

Note: For more information about redundancy, see Chapter 6, Redundancy.

Server Based NAT

When server based NAT is selected, CID performs NAT only when the selected server is up. In farm based NAT, CID always performs NAT even if the selected server is down.

You can configure NAT for servers when accessing the Internet. The procedure involves these stages:
1. Configure a new virtual farm with no servers.
2. Configure a farm policy for the farm.
3. Configure NAT for the farm.

Example - Server Based NAT

Figure 4-12 illustrates a typical setup for Server Based NAT. In this configuration clients and content servers are on the same subnets. Client NAT enables enforcement of the return path, so that no special configuration such as default gateway is required on the servers.

[Figure 4-12 Server Based NAT Configuration: Internet; Router; CID (Virtual IP Address: 10.1.1.100; Port 1, Port 2); Clients; Servers]

Properties:
• Network side and user side are on the same subnets.
• Users are configured with CID as their default gateway.
• The virtual IP address of the CID is 10.1.1.100.
• Clients are NATed with the following addresses: 10.1.1.200 and 10.1.1.201, each assigned to a different server.

Configuration:
1. Connect the device and define the interfaces for ports 1 and 2:
   a. Double click the CID icon and, from the Set-Up window that appears, type the IP address for the device: 10.1.1.10.
   b. Click Ok. The CID window remains open.
   c. Double click the CID icon again. The Set-Up window appears.
   d. From the Set-Up window, click Add. The Interface window appears.
   e. In the Interface window, set the following parameters according to the explanations provided:
      IF Num: F-2
      IP Address: 100.1.1.10
      Network Mask: 255.255.255.0
      Broadcast Type: Onefill
      Forward Broadcast: Selected
      VLAN Tag: 0
   f. Click Ok.
2. Define the default gateway:
   a. From the Set-Up window, select Networking > Routing Table. The Routing Table window appears.
   b. In the Routing Table window, click Add. The Edit Physical Route window appears.
   c. From the Edit Physical Route window, set the following parameters according to the explanations provided:
      Destination IP Address: 0.0.0.0
      Network Mask: 0.0.0.0
      Next Hop: 100.1.1.20
      IF Number: F-1
      Metric: 1
      Type: Remote
   d. Click Ok.
3. Add two servers:
   Note: In order to add servers you must be in Map view and then link the server to the device using the link button.
   a. From the CID toolbar, click Add and from the dropdown menu add a local server by setting the following parameters according to the explanations provided:
      Server Name: Server 1
      Admin Status: Selected
      Recovery Time: 0
      Warm-up Time: 0
      Connection Limit: 0
      IP Address: 10.1.1.11
      Global Server: Cleared
   b. Click Ok.
   c. In the same manner, add another server by setting the following parameters according to the explanations provided:
      Server Name: Server 2
      Admin Status: Selected
      Recovery Time: 0
      Warm-up Time: 0
      Connection Limit: 0
      IP Address: 10.1.1.12
      Global Server: Cleared
   d. Click Apply and then click Ok.
4. Add a farm to the CID:
   a. From the CID Application window, click Traffic Redirection. The Traffic Redirection window appears.
   b. From the Traffic Redirection window, click the Farms tab and click Add. The Edit CID Farm window appears.
   c. From the Edit CID Farm window, set the following parameters according to the explanations provided:
      Farm Name: (For example) Farm 1
      Multiplexed for Port: Disable
      VIP Address: 10.1.1.100
      Admin Status: Selected
   d. From the Edit CID Farm window, select the Traffic Settings tab, disable the Transform Request option and enable the Reply Direct to Client option.
   e. Click Ok and double click the Farm icon. The Edit CID Farm window appears.
5. Add the servers to the farm:
   a. From the Edit CID Farm window, select the Farm Servers tab and click Add. The CID Farm Server window appears.
   b. From the Server Name parameter, add server 1 and click Ok.
   c. In the same manner, add server 2 and click Ok.
   d. From the Edit CID window, click Ok to apply the setup.
6. Add a network:
   a. From the CID Traffic Redirection window, click Classes > Networks > Modify > Add, then set the following parameters according to the explanations provided:
      Network Mode: IP Range
      Network Name: Local
      From Address: 10.1.1.1
      To Address: 10.1.1.2
   b. Click Ok and then Ok again, then click Update Active Classes.
7. Add a farm policy:
   a. From the Traffic Redirection window, select the desired farm and click Farm Policies. The Farm Policies window appears.
   b. From the Farm Policies window, right click Modify Farm Policy and select Add, then set the following parameters according to the explanations provided:
      Policy Name: http
      Index: 1
      Service Type: Regular Service
      Service: http
      Source Address: Local
      Destination Address: Any
      Direction: One way
      Description: Type a relevant description
      Operational Status: Active
      Cluster Farm: 10.1.1.100
   c. Click Add Policy and click Ok.
8. Enable NAT:
   a. Double click the CID icon. The Set-Up window appears.
   b. From the Set-Up window click the Global tab and select Advanced Settings. The CID Advanced Settings window appears.
   c. In the Advanced Settings window, click on NAT and select the NAT checkbox.
   d. From the pane that appears, click Edit Settings.
   e. Change the NAT Addresses parameter to 2.
   f. Define the NAT Ports.
   g. Click Ok and then Ok again.
9. Reboot the device:
   a. Right click on the CID icon and click Reboot.
10. Create NAT entries:
   a. From the Traffic Redirection window, add a NAT entry by setting the following parameters according to the explanations provided:
      From IP Address: 10.1.1.200
      To IP Address: 10.1.1.200
      Farm Address: 10.1.1.100
      Server Address: 10.1.1.11
   b. Create another NAT entry as described in the previous step by setting the following parameters according to the explanations provided:
      From IP Address: 10.1.1.201
      To IP Address: 10.1.1.201
      Farm Address: 10.1.1.100
      Server Address: 10.1.1.12
   c. Click Ok.

Example - NAT to Remote Servers

The example shown in Figure 4-13 illustrates a configuration of NAT to remote servers. This example applies for both configured and transparent users. The session must be NATed; this forces the server to reply to CID, because the source IP is the CID NAT.

[Figure 4-13 NAT to Remote Servers: Internet; Users and remote server on subnet 101.1.1.x; Router 10.1.1.20; CID (Port 1 10.1.1.10, VIP Address 10.1.1.100); Client 10.1.1.1; Client 10.1.1.2]

Properties:
• Network side and users side are on the same subnet.
• Users are configured to the CID.
• Remote content inspection server is on a different subnet: 101.1.1.10.
• Clients sent to the remote server are NATed using IP Address 200.1.1.1.
NAT is required here to avoid direct replies to the client bypassing the CID.

Configuration:
1. Define the interface for Port 1:
   a. Double click the CID icon. The Set-Up window appears.
   b. In the Set-Up window type the IP address for the device: 10.1.1.10, and click Ok.
2. Define the default gateway:
   a. From the Set-Up window, select Networking > Routing Table. The CID Routing Table appears.
   b. In the CID Routing Table, click Add. The Edit Route window appears.
   c. In the Edit Route window, set the following parameters according to the explanations provided:
      Destination IP Address: 0.0.0.0
      Network Mask: 0.0.0.0
      Next Hop: 10.1.1.20
      IF Number: F-1
      Metric: 1
      Type: Remote
   d. Click Ok.
3. Add a server:
   Note: To add a server you must be in Map view and then link the server to the device by using the Link button.
   a. From the CID main toolbar, click Add and from the dropdown menu add a local server.
   b. Double click the Server icon. The Server window appears.
   c. From the Server window, set the following parameters according to the explanations provided:
      Server Name: Server
      Admin Status: Selected
      Recovery Time: 0
      Warm-up Time: 0
      Connection Limit: 0
      IP Address: 101.1.1.10
      Global Server: Cleared
   d. Click Ok.
4. Add a farm to the CID:
   a. From the CID main window, click APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
   b. In the Traffic Redirection window, click Farms > Add. The Farm window appears.
   c. From the Farm window, set the following parameters according to the explanations provided:
      Farm Name: (For example) Farm 1
      Multiplexed for Port: Disable
      VIP Address: 10.1.1.100
      Admin Status: Selected
   d. Click Ok. The Edit CID Farm window remains open.
5. Add the server to the farm:
   a. In the Farm window, click Add. The CID Servers window appears.
   b. From the Server Name parameter, add the server and click Ok.
   c. Click Ok.
6. Add a network:
   a. From the Traffic Redirection window, click Classes > Networks > Modify > Add, then set the following parameters according to the explanations provided:
      Network Mode: IP Range
      Network Name: Local
      From Address: 10.1.1.1
      To Address: 10.1.1.2
   b. Click Ok and then Ok again, and then click Update Active Classes.
7. Add a new HTTP policy:
   a. From the Traffic Redirection window, select the desired farm and click Farm Policies. The Farm Policies window appears.
   b. From the Farm Policies window, right click Modify Farm Policy and then click Add, then set the following parameters according to the explanations provided:
      Policy Name: http
      Index: 1
      Service Type: Regular Service
      Service: http
      Source Address: Local
      Destination Address: Any
      Direction: One way
      Description: NAT to remote servers configuration.
      Operational Status: Active
      Cluster Farm: 10.1.1.100
   c. Click Add Policy and then click Ok.
8. Enable NAT:
   a. Double click the CID icon. The Set-Up window appears.
   b. In the Set-Up window click Global. The Global pane appears.
   c. In the Global pane select NAT Settings, then click Edit Settings. The NAT Settings window appears.
   d. In the NAT Settings window, set the following parameters according to the explanations provided:
      NAT Addresses: 1
      NAT Ports per Address: 64000
   e. Click Apply and then Ok.
   f. From the Traffic Redirection window, select the NAT tab, enable/check NAT and set the following parameters according to the explanations provided:
      From IP Address: 200.1.1.1
      To Address: 200.1.1.1
      Farm Address: 10.1.1.100
      Server Address: Farm NAT
   g. Click Apply and then Ok.

Farm Based NAT

When Farm Based NAT is enabled, CID performs NAT even if the selected server is down. Farm Based NAT is effective when NATing servers in a farm when accessing the Internet. In this case, a server source address in a request (1) is first NATed, and then forwarded to the Internet (2). When a reply arrives from the internet (3), CID replaces the NATed address with the server's address, and forwards the reply (4) to the server.

[Figure 4-14 Farm Based NAT Configuration: Internet; Router; CID; Clients; Servers; flow steps 1, 2, 3, 4]

Farm Based NAT Configuration Guidelines:
1. Define a new farm with a Virtual IP. There is no need to assign specific servers to the farm.
2. Configure a Farm Policy to intercept the servers' traffic.
3. Configure NAT and associate it to the VIP of the farm.

Chapter 5 - Advanced Features

Chapter 5, Advanced Features, presents additional advanced features of Content Inspection Director. This chapter includes the following sections:
• Section 5-1: Flow Management, page 5-2
• Section 5-2: Content Load Balancing, page 5-19
• Section 5-3: Special Protocol Treatment, page 5-45
• Section 5-4: SSL Content Check, page 5-65
• Section 5-5: DNS and NTP Services, page 5-78

Section 5-1 Flow Management

Section 5-1, Flow Management, describes the CID Flow Management feature, which leverages the Farm Management capability by sequentially load balancing several server farms, each providing a different service. This section includes the following topics:
• What is Flow Management?, page 5-3
• Where to Use Flow Management, page 5-6
• Configuring CID with Flow Management, page 5-7

What is Flow Management?

The Flow Management capability allows CID to redirect client traffic to two farms or more. Traffic flow designed for a packet involves the following process: a packet arrives from the client, is examined by CID, load balanced within a farm, returned from the selected server to CID, examined again and load balanced within a different farm, and so on. The farm selection decision is based on the source IP and MAC addresses.

Figure 5-1 illustrates two types of clients: clients arriving from Network A and clients arriving from Network B.
Flow Management is required whenever the first farm in a farm cluster is spoofed. even when the servers are using spoofing. returned from the selected server to CID. load balanced within a farm. that is when a regular farm policy cannot detect the originator of the packet arriving to the device. Network A CID Access Router Internet Network B URL Filters Cache Servers Anti Virus Figure 5-1 Clients from Networks A & B CID User Guide 5-3 . This enables CID to distinguish between clients and servers. Flow Management As shown in Figure 5-2. Network A 1 CID Access Router Internet 8 Network B 2 3 4 5 6 7 URL Filters Cache Servers Anti Virus Figure 5-2 Network A Client Redirection Configuration of this type involves defining an appropriate farm with servers. Adding farms to a farm cluster ensures control of traffic distribution by matching defined polices to the correct farms. Network A clients are registered to a flow cluster including: URL Filters. This may include sending the traffic through multiple farms when a predefined policy applies to a specific traffic condition. Caching and Anti-virus checking. and defining the policies to handle the various traffic types for this farm. 5-4 CID User Guide . Network A clients are sequentially redirected through the farm including these services: URL Filtering. Cache Servers and Anti Virus checking. Advanced Features As shown in Figure 5-3. CID User Guide 5-5 . When using flow management farm policies may not be used in conjunction with flow management. Network B clients are registered to the Caching and Anti-Virus services only. Network A CID Access Router Internet 6 1 Network B 2 3 4 5 URL Filters Cache Servers Anti Virus Figure 5-3 Network B Client Redirection Notes: • • NAT may be used only in the last redirection stage (number 6 in the Figure).Chapter 5 . Clients CID Router Internet Farm 1 Farm 2 Figure 5-4 Flow Management When only the last farm in the cluster is spoofed. 
5-6 CID User Guide .Flow Management Where to Use Flow Management The following table shows where to use Flow Management. and then another farm policy is used to redirect Farm1 traffic to Farm2. it is possible to use farm policies in order to redirect the client traffic to the first farm. Farm 1 Non-Spoofed Non-Spoofed Spoofed Spoofed Farm 2 Non-Spoofed Spoofed Non-Spoofed Spoofed Configuration Mode Farm Policies Farm Policies Flow Management Flow Management Figure 5-4 illustrates the general flow management scheme on CID. Advanced Features Configuring CID with Flow Management Two examples of CID configurations with flow management are provided in this section to illustrate the use of various server types: • • Configuration 1: Cache farm and URL filter farm. keeping the client's IP. where all the servers work in the Spoofed Mode. This means that the sessions initiated by the servers are using the IP address of the servers and not the original client's IP). where the servers do not work in the Spoofed Mode.Chapter 5 . Configuration 2: Cache farm and URL filter farm. CID User Guide 5-7 . Flow Management Example . Internet 192. Then the URL filter initiates a new session with the original client’s IP address.203 Figure 5-5 Cache Farm and URL Filter Farm in Spoofed Mode 5-8 CID User Guide .168.1.168.168.1.168.201 URL Filter 192. CID intercepts this request and forwards it to one of the cache servers.168.200 Cache Server 192.1.1.1.254 Clients 192.10-100 CID 192. Initially the traffic is sent to one of the URL filters. based on the availability of the servers and on load balancing decisions.1.202 URL Filter 192.253 Access Router 192.168.254 Cache Server 192.168.Configuration 1: Cache Farm and URL Filter Farm in Spoofed Mode All traffic with source IP of the local network and HTTP protocol are intercepted by CID.1.1.168. From the Set-Up window. a. Define the default gateway.168. 
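Before the click-by-click procedures, the following Python model (an added example, not code from the guide or from Radware) traces one client request through the two farms of Figures 5-5 and 5-6 under both decision modes of the Where to Use Flow Management table: farm policies, which look only at the source network, and flow management, which also uses the source MAC. The addresses follow the figures; the server MAC addresses and the loop cut-off are constructed assumptions.

```python
"""Model of the two redirection modes compared in the Where to Use Flow
Management table: farm policies (source IP only) and flow management (source
IP plus source MAC). Constructed example, not Radware code. Addresses follow
Figures 5-5/5-6; the server MAC addresses are made up (IANA documentation range)."""
import ipaddress
from itertools import cycle


class Farm:
    """A farm of servers; 'spoofed' means a server re-sends the request with
    the original client IP as source (Configuration 1), otherwise with its own."""

    def __init__(self, name, servers, spoofed):
        self.name = name
        self.servers = dict(servers)          # mac -> ip
        self.spoofed = spoofed
        self._rr = cycle(sorted(self.servers.items()))  # cyclic dispatch

    def pick(self):
        return next(self._rr)                 # (mac, ip) of the next server

    def relay(self, src_ip, mac):
        """Source (ip, mac) of the packet the chosen server sends back to CID."""
        return (src_ip if self.spoofed else self.servers[mac], mac)


def in_range(ip, rng):
    """Network class of mode 'IP Range': from-address <= ip <= to-address."""
    lo, hi = (ipaddress.ip_address(a) for a in rng)
    return lo <= ipaddress.ip_address(ip) <= hi


def farm_policy_decision(policies, src_ip, src_mac):
    """Farm policies: the first policy whose source network holds the source IP
    wins; the MAC is not consulted. Returns a Farm or None (to the Internet)."""
    for rng, farm in policies:
        if in_range(src_ip, rng):
            return farm
    return None


def flow_decision(clusters, src_ip, src_mac):
    """Flow management: the client network picks the cluster; the source MAC
    tells which farm the packet just came back from, so the next stage is
    known even when the server spoofs the client IP."""
    for rng, farms in clusters:
        if not in_range(src_ip, rng):
            continue
        stage = 0
        for i, farm in enumerate(farms):
            if src_mac in farm.servers:
                stage = i + 1
        return farms[stage] if stage < len(farms) else None
    return None


def trace(decide, src_ip, src_mac, max_hops=6):
    """Follow one client request hop by hop until it leaves for the Internet."""
    hops = []
    while len(hops) < max_hops:
        farm = decide(src_ip, src_mac)
        if farm is None:
            return hops + ["Internet"]
        mac, ip = farm.pick()
        hops.append(f"{farm.name}:{ip}")
        src_ip, src_mac = farm.relay(src_ip, mac)
    return hops + ["LOOP"]  # the same policy keeps matching the relayed request


def build_farms(spoofed):
    url = Farm("URL Filter Farm", [("00:00:5e:00:53:02", "192.168.1.202"),
                                   ("00:00:5e:00:53:03", "192.168.1.203")], spoofed)
    cache = Farm("Cache Farm", [("00:00:5e:00:53:00", "192.168.1.200"),
                                ("00:00:5e:00:53:01", "192.168.1.201")], spoofed)
    return url, cache


CLIENTS = ("192.168.1.10", "192.168.1.100")      # Local Network class
FILTERS = ("192.168.1.202", "192.168.1.203")     # URL Filters class (Configuration 2)


def configuration_2_policies():
    """Non-spoofed servers: two farm policies are enough (table rows 1-2)."""
    url, cache = build_farms(spoofed=False)
    policies = [(CLIENTS, url), (FILTERS, cache)]
    return trace(lambda ip, mac: farm_policy_decision(policies, ip, mac),
                 "192.168.1.10", "00:00:5e:00:53:10")


def configuration_1_policies():
    """Spoofed servers with farm policies only: the relayed request still has
    the client IP, matches the clients' policy again and never advances."""
    url, cache = build_farms(spoofed=True)
    policies = [(CLIENTS, url), (FILTERS, cache)]
    return trace(lambda ip, mac: farm_policy_decision(policies, ip, mac),
                 "192.168.1.10", "00:00:5e:00:53:10")


def configuration_1_flow():
    """Spoofed servers with a farm cluster (table rows 3-4)."""
    url, cache = build_farms(spoofed=True)
    clusters = [(CLIENTS, [url, cache])]
    return trace(lambda ip, mac: flow_decision(clusters, ip, mac),
                 "192.168.1.10", "00:00:5e:00:53:10")


if __name__ == "__main__":
    for name, fn in [("config 2 / farm policies", configuration_2_policies),
                     ("config 1 / farm policies", configuration_1_policies),
                     ("config 1 / flow management", configuration_1_flow)]:
        print(f"{name}: {' -> '.join(fn())}")
```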
To configure Cache Farm and URL Filter Farm in Spoofed Mode:

1. Double click the CID icon. The Set-Up window appears.
2. In the Set-Up window, type the IP address 192.168.1.253 and click Ok.
3. Right click the CID icon and from the dropdown menu select SetUp. The Set-Up window appears.
4. In the Set-Up window, select Networking > VLAN. The Virtual LAN window appears.
5. In the Virtual LAN window, select VLAN 100001 and assign (check) ports 1 to 6 to the VLAN. Click Update and Ok.
6. In the Set-Up window, select the existing interface (192.168.1.253) and click Edit. The Interface window appears.
7. In the Interface window, set the IF Number to VLAN 100001 and click Ok.
8. Define the default gateway:
   a. From the Set-Up window, click Networking > Routing Table. The Routing Table window appears.
   b. In the Routing Table, click Add. The Edit Physical Route window appears.
   c. In the Edit Physical Route window, set the following parameter according to the explanation provided, and click Ok:
      Next Hop Router: 192.168.1.254
9. Add servers:
   Note: To add servers you must be in Map view and then link the server to the device by using the Link button.
   a. From the Content Inspection Director main toolbar, click Add and from the dropdown menu select a local server. The new server appears on the network map.
   b. Double click the Server icon. The Server window appears.
   c. From the Server window, set the following parameters according to the explanations provided:
      Server Name: Server
      Admin Status: Check to enable.
      Recovery Time: 0
      Warm-up Time: 0
      Connection Limit: 0
      IP Address: 192.168.1.200
      Global Server: Do not check.
   d. Click Ok.
   e. In the same manner, add the other three servers (192.168.1.201, 192.168.1.202, 192.168.1.203).
10. Add a Cache Farm to the CID:
   a. From the main window, click APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
   b. In the Traffic Redirection window, select the Farm tab and then click Add. The Farm window appears.
   c. In the Farm window, set the following parameters according to the explanations provided:
      Farm Name: Cache Farm
      Multiplexed Farm Port: Disable
      VIP Address: 1.1.1.1
      Admin Status: Selected
      The Edit CID Farm window remains open.
   d. In the Edit CID Farm window, click the Traffic Settings tab and set the following parameters according to the explanations provided:
      Dispatch Method: Cyclic (can be any)
      Content Based Rule: Host Name
      Use URL Table: Use URL Table
      Transform Request: Cleared
      Server Keeps Client IP: Check/select.
   e. Click Ok.
11. Bind the servers to the Cache Farm:
   a. From the Farm window, click Add. The CID Farm Servers window appears.
   b. From the Server Name dropdown menu, choose the first server (192.168.1.200), select the Transparent mode checkbox and click Ok.
   c. In the same manner, add the second server (192.168.1.201) and click Ok.
   d. After adding the two cache servers, click Ok.
12. Add a second farm as explained in step 10, and set the following parameters according to the explanations provided:
      Farm Name: URL Filter Farm
      Multiplexed for Port: Disable
      VIP Address: 1.1.1.2
      Admin Status: Selected
   Then click the Traffic Settings tab and set the following parameters according to the explanations provided:
      Dispatch Method: Cyclic (can be any)
      Content Based Rule: Host Name
      Use URL Table: Use URL Table
      Transform Request: Do not check.
      Server Keeps Client IP: Check/select.
   Bind servers to the URL Filter Farm as explained in step 9. Add servers with the following addresses: 192.168.1.202 and 192.168.1.203.
13. Create a farm cluster:
   a. From the Cluster tab, click Cluster > Add. The Farm Cluster dialog box appears.
   b. In the Cluster Name parameter, type a relevant name, for example Cluster1, and click Apply.
   c. From the Farm Address parameter, select the URL Filter Farm (1.1.1.2) and click Add.
   d. Click Add again to add the Cache Farm (1.1.1.1) to the cluster.
   Now, when a packet arrives at the cluster, it is first forwarded to the URL filter farm. After being inspected, the packet is sent to the cache server and then to the Internet.
   Note: You may be prompted to enable BWM and to reboot the CID; if so, click Ok and follow the instructions.
14. Create a cluster policy:
   a. From the Traffic Redirection window, highlight the farm cluster you created and click Policies. The CID Farm Cluster Policies window appears.
   b. From the CID Farm Cluster Policies window, click the Modify tab and click Add. The Edit Policy window appears.
   c. From the Edit Policy window, click New Network. The Edit Network Table dialog box appears.
   d. From the Edit Network Table dialog box, set the following parameters according to the explanations provided:
      Network Name: Local Network
      Network Mode: IP Range
      From Address: 192.168.1.10
      To Address: 192.168.1.100
   e. Click Ok.
   f. From the Edit Policy window, set the following parameters according to the explanations provided:
      Policy Name: HTTP Traffic
      Service Type: Regular Service
      Service Name: HTTP
      Source: Local Network
      Destination: Any
      Farm Cluster: Cluster 1
   g. Click Update Active Policies.

Flow Management Example - Configuration 2: Cache Farm and URL Filter Farm in a Non-Spoofed Mode

All traffic with the source IP of the local network and the HTTP protocol is intercepted by the CID. Initially, the traffic is sent to one of the URL Filters, based on the availability of the servers and on load balancing decisions. Then the URL Filter initiates a new session using its own IP address. The CID intercepts this request and forwards it to one of the Cache Servers (using the second farm policy). Figure 5-6 illustrates this type of configuration.

Figure 5-6 Cache Farm and URL Filter Farm in Non-Spoofed Mode (figure: Clients 192.168.1.10-100; CID 192.168.1.253; Access Router 192.168.1.254; Internet; Cache Servers 192.168.1.200 and 192.168.1.201; URL Filters 192.168.1.202 and 192.168.1.203)

To configure Cache Farm and URL Filter Farm in a Non-Spoofed Mode:

1. Double click the CID icon. The Set-Up window appears.
2. In the Set-Up window, type 192.168.1.253 for the IP address and click Ok.
3. Double click on the CID icon again. The Set-Up window appears.
4. In the Set-Up window, select Networking > VLAN. The Virtual LAN window appears.
5. In the CID Virtual LAN window table, select VLAN 100001 and assign ports 1 to 6 to the VLAN. Click Update and Ok.
6. In the Set-Up window, select the interface (192.168.1.253) and click Edit. The Interface window appears.
7. In the Interface window, set the IF Number to VLAN 100001 and click Ok.
8. Define the default gateway:
   a. From the Set-Up window, click Networking > Routing Table. The Routing Table window appears.
   b. In the Routing Table window, click Add. The Edit Physical Route window appears.
   c. In the Edit Physical Route window, set the following parameter according to the explanation provided:
      Next Hop Router: 192.168.1.254
   d. Click Ok.
9. Add servers:
   Note: To add a server you must be in Map view and then link the server to the device by using the Link button.
   a. From the CID main toolbar, click Add and from the dropdown menu add a local server.
   b. Double click on the Server icon. The Server window appears.
   c. From the Server window, set the following parameters according to the explanations provided:
      Server Name: Server
      Admin Status: Selected
      Recovery Time: 0
      Warm-up Time: 0
      Connection Limit: 0
      IP Address: 192.168.1.200
      Global Server: Do not check.
   d. Click Ok.
   e. In the same manner, add the other three servers (192.168.1.201, 192.168.1.202, 192.168.1.203).
10. Add a Cache Farm to the CID:
   a. From the main window, click Traffic Redirection. The Traffic Redirection window appears.
   b. From the Traffic Redirection window, click the Farm tab and then click Add. The Farm window appears.
   c. From the Farm window, set the following parameters according to the explanations provided:
      Farm Name: Farm 1 (for example)
      Multiplexed for Port: Disable
      VIP Address: 1.1.1.1
      Admin Status: Check/select.
      The Farm window remains open.
   d. From the Farm window, click Traffic Settings, then set the following parameters according to the explanations provided:
      Dispatch Method: Cyclic (can be any method)
      Content Based Rule: Host Name
      Use URL Table: Use URL Table
      Transform Request: Cleared
      Server Keeps Client IP: Cleared
   e. Click Ok.
11. Bind the servers to the Farm:
   a. From the Farm window, click Add. The CID Farm Servers window appears.
   b. From the dropdown menu, choose the first server (192.168.1.200), check Transparent Mode and click Ok.
   c. In the same manner, add the second server (192.168.1.201).
   d. After adding the two cache servers, click Ok.
12. Add a second farm as explained in step 10, by setting the following parameters according to the explanations provided:
      Farm Name: URL Filter Farm
      Multiplexed for Port: Disable
      VIP Address: 1.1.1.2
      Admin Status: Check/select.
13. Click Traffic Settings, then set the following parameters according to the explanations provided:
      Dispatch Method: Cyclic (can be any method)
      Content Based Rule: Host Name
      Use URL Table: Use URL Table
      Transform Request: Do not check.
      Server Keeps Client IP: Do not check.
14. Bind servers to the URL Filter Farm as explained in step 9. Add the servers with the following addresses: 192.168.1.202 and 192.168.1.203.
15. Highlight the URL Filter Farm and click Farm Policies. The Farm Policies window appears.
16. From the Farm Policies window, click Classes > Networks. The Networks Table appears.
17. From the Networks Table, click Modify and click Add. The Edit Network Table appears.
18. From the Edit Network Table, set the following parameters according to the explanations provided:
      Network Mode: IP Range
      Network Name: Local Network
      From Address: 192.168.1.10
      To Address: 192.168.1.100
19. Click Ok twice to return to the Farm Policy window and click Update Active Classes.
20. Create another network for the URL Filters as explained previously, by setting the following parameters according to the explanations provided:
      From Address: 192.168.1.202
      To Address: 192.168.1.203
21. Add a new policy: from the Farm Policies window, right click Modify Farm Policy and then click Add.
22. Set the following parameters according to the explanations provided:
      Policy Name: Clients
      Service Type: Regular Service
      Service: HTTP
      Source Address: Local Network
      Destination Address: Any
      Direction: Oneway
      Farm Cluster: 1.1.1.2
   Note: This policy intercepts all the HTTP traffic of the clients and sends it to the URL filter.
23. Click Add Policy.

Section 5-2 Content Load Balancing

CID optimizes the performance of anti-virus services, URL filtering services and caching by inspecting the traffic content. CID can bypass traffic or direct only the relevant traffic to the anti-virus servers, while maintaining high availability and accelerated throughput. Section 5-2, Content Load Balancing, describes the methods for CID load balancing.
This section includes the following topics:
• URL Policies, page 5-20
• URL Policies with Mime-Type, page 5-21
• URL Match, page 5-22
• HTTP Match, page 5-23
• MIME Type Support, page 5-25

URL Policies

CID allows you to set traffic redirection policies based on the URL content in the HTTP GET request. You can block specific URLs, so that CID avoids retrieving data from the site and resets the connection. You may also configure CID to avoid caching certain sites, and route clients directly to the Internet. The URL Policies window is used to configure those preferred sites. You can select one of three policies for each URL in the Policies table:
• Direct: This policy can be used for real-time or non-cacheable pages, for example news and stock quote requests. CID does not send these requests to a cache server, but sends them directly to the Internet, thus saving time and providing a quick response.
• Block: This policy effectively enforces limited control on clients. When a client requests a particular site that has been blocked, CID disallows the request to that URL. Good examples of this are adult entertainment or gambling sites.
• Local Server: This policy enables the CID to direct a specific URL to a specific cache server within a certain cache farm. It is a powerful way to enforce limited control on clients.

URLs can be manually configured or they can be loaded from the list. When implementing URL policies, system administrators are required to set the Content Based Rule to URL Match, to enable the users to configure the URL Policies Table.

URL Policy Configuration Guidelines:
1. Add a CID device and assign an IP address (Connect).
2. Add a farm:
   a. From the main window, click APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
   b. From the Farms table, double click on the farm. The Farm window appears.
   c. From the Farm window, click on Traffic Settings and change the Content Based Rule to URL Match.
   d. Click Ok.

URL Policies with Mime-Type

One of the common configurations of CID is Anti-Virus load balancing. In order to improve network performance and accelerate the traffic, CID redirects only the non-trusted traffic to the selected anti-virus server; the trusted traffic (configured by the user) is sent directly to the Internet without scanning. By not scanning images and other trusted data, CID improves the Anti-Virus performance by 500%.

When a Content Based Rule is configured to "URL Match", "HTTP Match" or "Mime-Type" and URL Policies are in use, the URL Policies have precedence over URL Match and HTTP Match. For example, if the user configured a URL Policy for www.radware.com with a "Direct" mode, and also a URL Match ".gif" with a "Block" mode, a request for www.radware.com/logo.gif would be sent directly to the Internet. Consequently, when a file type is configured as non-trusted but appears in a URL that has a Direct policy, the file is sent directly to the Internet without virus inspection.

URL Match

In this mode, the CID analyzes the URL in all client HTTP requests. The URL string of the client request is parsed and decisions are based on whether or not a match is made to a set of predefined criteria. The URL Match policies are configured per cache farm. Each policy instructs the CID to forward the request to a local cache server, forward it directly to the Internet, or block the request in case a URL string matches the string in the policy. Also for each cache farm, a "default" policy is created that defines for CID what to do if no matching URL Match policies are found: send direct or to a local cache. For example, a farm can be configured to send all traffic to the Internet by default, and a policy can be set to send all requests with "gif" to the local servers. This would cause only the requests for pictures in the .gif format to be redirected to the cache servers. Up to 50 URL Match policies can be configured per farm.

HTTP Match

CID can make load balancing decisions based on the HTTP header information. When CID works in the HTTP Match mode, any HTTP header field can be used, allowing CID to search in the HTTP reply packet for any field, such as the user-agent, the accept-language, the host, or the content-type field. When implementing HTTP Match policies, you can set one of three policies for each URL that is listed in the table:
• Direct: This policy can be used for sending traffic directly to the Internet, without sending it to the servers. When CID load balances anti-viruses, it searches the Content-Type field for the trusted files and sends the trusted files directly to the Internet.
• Block: This policy effectively enforces limited control on clients. When a client requests particular content that has been blocked, CID disallows the request to that traffic type. URLs can be blocked using this mode: CID searches for the host field of the HTTP header and blocks predefined hosts. CID can also block specific file types, based on the Content-Type field.
• Local Server: This policy enables CID to direct specific traffic to a specific cache server within a certain cache farm, thus effectively enforcing limited control on clients. When CID servers reverse the cache servers, it is possible to redirect clients to the cache servers based on their language or browser type.

HTTP Match Configuration Guidelines:
Configuring an HTTP Match policy involves two steps:
1. Define the HTTP header field to be searched in the HTTP Match Table, by selecting Match Method: HTTP Match. For example: "user-agent" or "accept-language".
2. Define the HTTP field value (Token) and the associated policy in case of a match between the HTTP header field and the token value, by selecting Match Method: Token Match. For example: "en", "se".

To configure an HTTP match policy:
1. Add a CID device and assign an IP address.
2. Add a farm.
3. From the Traffic Redirection window table, double click on the farm item you want to configure. From the Farm window, click Traffic Settings and change the Content Based Rule to HTTP Match.
4. From the Traffic Redirection window, click Redirection and change the Match Method to HTTP Match.
5. Click Add and add an HTTP Header of Accept-Language.
6. From the Traffic Redirection window, change the Match Method to Token Match and then click Add.
7. Change the mode to Block and for the Token Value type the language code (for example, "en" for English, "it" for Italian).

MIME Type Support

Some Content Security servers use security policies based on Multipurpose Internet Mail Extensions Types. A Multi-purpose Internet Mail Extension (MIME) is a specification for formatting non-ASCII messages so that they can be sent over the Internet and displayed by a client-side application (typically e-mail applications or Web browsers).

What is MIME Type Support?

CID has unique features to support the load balancing of anti-virus servers, with the ability to decide what traffic to redirect to those servers based on the MIME types. In order to reduce the load on the anti-virus software, CID pre-screens all network traffic, differentiating between trusted and non-trusted files, and sending only non-trusted traffic to the servers. This subsequently eliminates bottlenecks and accelerates content delivery. Many files, such as images, video and sound, are unlikely to contain viruses, and CID can send those files directly to the client or Internet without the need to scan them. By doing so, the load on the anti-virus servers is reduced.

How MIME Type Support Works

When CID load balances anti-virus servers, set the Content Based Rule to "MIME Type". The traffic flow when using MIME Type support is as follows:
• Intercepting Clients' Requests: CID intercepts GET requests that arrive from the clients. CID either sends the traffic to one of the anti-virus servers for inspection, or forwards the traffic to the Internet, depending on the File Type used in the GET request. CID redirects all the traffic to the selected anti-virus server (based on load balancing decisions) except Trusted File Types.
• Inspecting Servers' Replies: CID inspects the MIME Type used in the server's reply as it appears in the HTTP header. By the MIME Type contained in the reply, CID can tell if the reply is trusted or not:
  • A reply to a non-trusted request is always sent to the Content Server (the same server that handled the request).
  • A trusted reply to a trusted request is sent directly to the client.
  • A distrusted reply to a trusted request is sent with RST to the client. If there are retransmissions from the server, they are discarded.

Notes:
• In order to be able to inspect each GET received from the client, CID breaks HTTP 1.1 persistency.
• The Content Servers must be locally connected to CID, as CID uses their MAC address for forwarding.

MIME Type Support Configuration Guidelines:
1. Define 'trusted' traffic: You can configure trusted and distrusted file types using the URL Match Table. Trusted file types should be configured with the Direct policy. This configuration influences the behavior of CID for outbound traffic, from the clients to the Internet.
2. Check returned data: You can configure the trusted and distrusted MIME file types using the HTTP Match Table. First specify the relevant HTTP Header that is to be inspected (typically Content-Type) in the HTTP Header Settings window. Then specify the MIME Types in the Token Settings window. MIME Types can be configured with the Direct policy (meaning a trusted MIME Type), or with the Block policy (distrusted), which is the default. Up to 15 MIME Types can be configured. Typical MIME Types that are considered trusted are images (MIME Types image/gif, image/jpeg and image/tiff), video (MIME Types video/mpeg, video/quicktime, video/x-msvideo and video/x-sgi-movie) and audio (MIME Types audio/mpeg, audio/x-pn-realaudio, audio/x-realaudio and audio/x-wav).

Tip: Alternate content-types can be returned per requested file type. It is recommended to configure alternate content-types as well.

Notes:
• When configuring the URL Match Table, it is recommended to add values in the format of '.jpg ' (with a space) rather than '.jpg'. This is not required for content-type values (which should remain '/jpg').
• When configuring values such as '.jpg ' in the URL Match table, it is recommended to configure additional HTTP content-type matches in addition to '/jpg', such as '/jpeg' and '/jpe'. Examples:
  jpg: /jpg, /jpeg, /jpe
  tif: /tif, /tiff
  mpeg: /mpeg, /mpg, /mpe
  html: /htm, /html

Support Dual Interface Servers for MIME Type

When using the MIME Type URL type, CID supports multi-interface Application Servers as well as single-interface Servers. If an Application Server has two interfaces, you need to define the second address of the server as the alternate server address. Using this feature, CID forwards requests to the IP address of the server (to the "internal interface" of the server). If the reply from the Application Server is sent to CID through another interface of the server, which is associated with the Alternate IP address (the server's "external interface"), CID forwards the replies to that interface. Using two interfaces enables better server performance.
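The two checks described above, as an added Python model that is not code from the guide or from Radware: the outbound URL Match decision on a client GET (with URL Policies taking precedence, as in the www.radware.com example) and the inbound Content-Type token match that decides between forwarding to the content server, passing the reply to the client, or resetting. The table contents are illustrative, and the assumption that URL Match values are compared against the request line (which is what lets the recommended trailing space in '.jpg ' anchor the extension) is mine.

```python
"""Model of CID's two MIME-type checks: the outbound URL Match decision on the
client's GET, and the inbound Content-Type token match on the server's reply.
Constructed example, not Radware code. Table contents are illustrative, and
matching URL Match values against the request line is an assumption."""
from dataclasses import dataclass, field

DIRECT, BLOCK, LOCAL = "Direct", "Block", "Local Server"


@dataclass
class FarmTables:
    url_policies: dict = field(default_factory=dict)   # host -> action; wins over URL Match
    url_match: dict = field(default_factory=dict)      # request-line substring -> action
    default_policy: str = LOCAL                        # no URL Match hit: send it for scanning
    content_tokens: dict = field(default_factory=dict) # Content-Type substring -> action
    content_default: str = BLOCK                       # unknown reply type is distrusted


def request_decision(t: FarmTables, host: str, path: str) -> str:
    """Outbound: URL Policy by host first, then URL Match on the request line,
    then the farm default. Direct = trusted, bypasses the anti-virus farm."""
    action = t.url_policies.get(host.lower())
    if action is not None:
        return action
    line = f"GET {path} HTTP/1.1".lower()
    for needle, act in t.url_match.items():
        if needle.lower() in line:
            return act
    return t.default_policy


def reply_verdict(t: FarmTables, content_type: str) -> str:
    """Inbound: classify the reply's Content-Type with the token table."""
    media = content_type.split(";", 1)[0].strip().lower()   # drop charset etc.
    for token, act in t.content_tokens.items():
        if token.lower() in media:
            return act
    return t.content_default


class ReplyFilter:
    """Applies the reply rules per flow and remembers flows it has reset so
    that server retransmissions after the RST are dropped."""

    def __init__(self, tables: FarmTables):
        self.t = tables
        self.reset_flows = set()

    def on_reply(self, flow_id, request_action, content_type):
        if flow_id in self.reset_flows:
            return "discard"                       # retransmission after RST
        if request_action == BLOCK:
            return "discard"                       # request never left CID
        if request_action != DIRECT:
            return "to content server"             # non-trusted request: same server
        if reply_verdict(self.t, content_type) == DIRECT:
            return "to client"                     # trusted reply to trusted request
        self.reset_flows.add(flow_id)
        return "RST to client"                     # distrusted reply to trusted request


def example_tables() -> FarmTables:
    """Tables in the spirit of the guidelines above: '.jpg ' with a trailing
    space, and the alternate content-type spellings '/jpg', '/jpeg', '/jpe'."""
    return FarmTables(
        url_policies={"www.radware.com": DIRECT},
        url_match={".gif ": BLOCK, ".jpg ": DIRECT, ".jpeg ": DIRECT, ".avi ": DIRECT},
        content_tokens={"/gif": DIRECT, "/jpg": DIRECT, "/jpeg": DIRECT, "/jpe": DIRECT,
                        "/mpeg": DIRECT, "/x-msvideo": DIRECT},
    )


if __name__ == "__main__":
    t = example_tables()
    for host, path in [("www.radware.com", "/logo.gif"), ("example.test", "/logo.gif"),
                       ("example.test", "/photo.jpg"), ("example.test", "/photo.jpg.exe")]:
        print(f"GET {host}{path}: {request_decision(t, host, path)}")
    f = ReplyFilter(t)
    print(f.on_reply("flow-1", DIRECT, "image/jpeg"))                 # to client
    print(f.on_reply("flow-2", DIRECT, "application/x-msdownload"))   # RST to client
```

The last request in the demo ('/photo.jpg.exe') is the reason for the trailing space: with a loose '.jpg' entry it would be classed as trusted and leave unscanned.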
Content Load Balancing

Configuring CID with Anti-Virus Servers

The following configuration examples show how CID performs content load balancing by means of anti-virus servers. The CID configurations presented here enable interception of HTTP, FTP and SMTP traffic for the clients. All FTP and SMTP traffic is load balanced between the anti-virus servers. HTTP traffic is load balanced according to content type. All the examples shown here include support for MIME Type. The difference between the configurations is in the servers' interface usage:

• Single Interface Servers with MIME Type Support.
• Dual Interface Servers with MIME Type Support.
• Single Interface Servers in Proxy Mode with MIME Type Support.

In the following examples CID intercepts all the traffic that passes through its interfaces, and load balances the relevant traffic among the anti-virus servers within the farm. This topology is easy to implement and does not require any changes in the network. In complex networks, where there are several IP networks behind the CID, there is no need to define any static routes, because the CID can learn the network topology using the "VLAN auto learn" feature.

Example - Single Interface Servers with MIME Type Support

The example in Figure 5-7 illustrates the configuration of anti-virus servers which use a single interface: all traffic is sent to the interface of the anti-virus server, and is returned from the same interface.

Figure 5-7 Single Interface Servers with MIME Type Support. Topology: Clients - CID (192.168.1.253) - Access Router (192.168.1.254) - Internet; Server 1 (192.168.1.100) and Server 2 (192.168.1.101) attached to the CID.

Configuration:

1. Double click the CID icon. The CID Connect to Device window appears.
2. Type the device's IP address (for this example 192.168.1.253) and click Ok.
3. Assign ports to a VLAN:
   a. Double click the CID device icon again. The Set-Up window appears.
   b. In the Set-Up window, select Networking > VLAN. The CID Virtual LAN window appears.
   c. Select VLAN 100001.
   d. Add (check) ports 1-4 to the VLAN.
   e. Click Update and Ok.
4. From the Set-Up window, select the existing interface (192.168.1.253) and click Edit. The Interface window appears.
5. In the Interface window, set the IF Num value to 100001 and then click Ok.
6. Add a static route to the default gateway:
   a. From the Set-Up window, select Networking > Routing Table. The Routing Table appears.
   b. Click Add. The Edit Physical Route window appears.
   c. In the Edit Physical Route window, set the following parameter:
      Next Hop Router: 192.168.1.254
7. Add local servers:
   a. From the main toolbar, click Add and from the dropdown menu add a local server with the following parameters:
      Server Name: Server 1
      IP Address: 192.168.1.100
   b. Click Add and then click Ok.
   c. In the same manner, add the second server with the following parameters:
      Server Name: Server 2
      IP Address: 192.168.1.101
   d. Click Add and then click Ok.
8. Create a farm:
   a. From the main window, select APSolute OS > Traffic Redirection. The CID Traffic Redirection window appears.
   b. In the Traffic Redirection window, select the Farms tab and then click Add. The Farm window appears.
   c. In the Farm window, set the following parameters:
      Farm Name: Anti_Virus_Farm
      VIP Address: 1.1.1.1
9. Add the servers to the farm:
   a. In the Farm window, click Add. The CID Farm Servers window appears. Set the following parameters:
      Server Name: Server 1
      Server Address: 192.168.1.100
      Transparent Mode: Selected
   b. In the same manner, add the second server and click Ok.
10. In the Farm window, select Traffic Settings. The Traffic Settings pane appears.
11. In the Traffic Settings pane, set the following parameters:
    Dispatch Method: Cyclic
    Content Based Rule: MIME Type
    Use URL Table: Do not use URL Table
    Transform Request: Cleared
    Server Keeps Client IP: Selected
12. In the Traffic Redirection window, select Redirection. The Redirection pane appears.
13. In the Redirection pane, ensure that the Match Method is set to URL Match.
14. Click Add. The URL Match window appears.
15. In the URL Match window, set the following parameters:
    Farm IP: 1.1.1.1
    URL Match Policy: Direct
    Matching URL: gif, jpeg, avi, mid, tiff
    URL Description: Type the relevant URL description
16. In the Traffic Redirection window, click the Redirection tab. The Redirection pane appears.
17. In the Match Method dropdown menu, select HTTP Match and click Add. The HTTP Match window appears. In the HTTP Header field, type content-type and click Ok.
18. In the same manner as in steps 13 and 14, set the Match Method to Token Match and click Add. The Token Match window appears.
19. In the Token Match window, set the following parameters:
    Farm IP: 1.1.1.1
    Mode: Direct
    Token Value (type in): /extension/gif/jpg/avi/mid
20. In the Traffic Redirection window, select the Farms tab, select the Anti_Virus farm (1.1.1.1) and click Farm Policies. The Farm Policies window appears.
21. Configure classes:
    a. In the Farm Policies window, click Classes. The Classes window appears.
    b. In the Classes window, click Networks. The Network Table window appears.
    c. In the Network Table, click the Modify tab and then click Add. The Edit Network Table appears.
    d. In the Edit Network Table, set the following parameters:
       Network Name: Local_net
       Network Mode: IP Mask
       IP Address: 192.168.1.0
       Address Mask: 255.255.255.0
    e. Click Ok.
    f. In the Classes window, right click the Grouped service under Services, and select New Service. The New Service pane appears.
    g. In the New Service pane, set the following parameters:
       Service Name: Virus_Scan
       Basic Services: Check the protocols supported by the anti-virus: HTTP, SMTP, FTP
    h. Click Add Service and then Ok.
22. Create a new farm policy:
    a. In the Farm Policies window, right click Modify Farm Policy and click Add. The Policy pane appears.
    b. In the Policy pane, set the following parameters:
       Policy Name: Virus Scan
       Index: 1
       Service Type: Grouped Service
       Service: Virus_Scan
       Source Address: Local_net
       Destination Address: Any
       Direction: Oneway
       Cluster Farm: 1.1.1.1
    c. Click Add Policy and then click Update Active Classes.
    d. Click Ok to apply the policy setup and exit the window.

Example - Dual Interface Servers with MIME Type Support

Figure 5-8 shows a configuration example of anti-virus servers with two interfaces that operate as a gateway. All the traffic is sent to one interface of the anti-virus server, and the returned traffic is sent from another interface.

Figure 5-8 Dual Interface Gateway Servers with MIME Type Support. Topology: Local Clients (192.168.1.1-99) - CID (192.168.1.253) - Access Router (192.168.1.254) - Internet; CID interface 10.10.1.1 on ports 3 and 4 and interface 10.10.2.1 on ports 5 and 6; Server 1 (10.10.1.100 / 10.10.2.100) and Server 2 (10.10.1.101 / 10.10.2.101).

Properties:
• Connect the local network and the access router to ports 1 and 2.
• Connect the anti-virus servers to ports 3 and 4 (network 10.10.1.0) and ports 5 and 6 (network 10.10.2.0).
• Set the default gateway of the anti-virus servers to 10.10.2.1 (to enable the anti-virus server to return the traffic back to the CID).
• Set a static route on the anti-virus server to route network 192.168.1.0/24 to 10.10.1.1.
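The rules configured in the single-interface example above (and repeated unchanged in the dual-interface and proxy-mode examples) are easier to reason about when the policy and the content based rules are written down as code. The following is an added example, not part of this guide and not Radware's software: it models the Virus_Scan farm policy (source Local_net 192.168.1.0/24, destination Any, the grouped HTTP/SMTP/FTP service, Oneway) together with the URL Match and Token Match rules that send image and media content Direct, and the Cyclic dispatch between Server 1 and Server 2. The port numbers behind the Basic Services (80, 25, 21), the way the content-type token is compared, and the sample flows are assumptions made for the example.

```python
"""Added example, not part of the guide or of Radware's software: a model of
the Anti_Virus_Farm rules configured above, so the effect of the farm policy
and of the content based (MIME type) rules can be checked offline.

Assumptions: the policy matches flows whose source is in Local_net
(192.168.1.0/24) and whose destination port belongs to the Virus_Scan grouped
service (HTTP 80, SMTP 25, FTP 21), in the client-to-Internet direction
(Oneway).  HTTP requests whose URL ends in gif/jpeg/avi/mid/tiff, and replies
whose Content-Type maps to the token /extension/gif|jpg|avi|mid, are sent
Direct (bypassing the anti-virus servers); everything else that matches is
dispatched cyclically to Server 1 and Server 2.  Sample flows are constructed.
"""
import ipaddress
import itertools
from dataclasses import dataclass

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")        # Local_net
VIRUS_SCAN_PORTS = {80: "HTTP", 25: "SMTP", 21: "FTP"}    # Virus_Scan grouped service
FARM_SERVERS = ["192.168.1.100", "192.168.1.101"]         # Server 1, Server 2
URL_DIRECT_EXT = {"gif", "jpeg", "avi", "mid", "tiff"}     # URL Match, policy Direct
MIME_DIRECT_EXT = {"gif", "jpg", "avi", "mid"}            # Token Match on content-type
DIRECT = "Direct"      # bypass the farm
FORWARD = "Forward"    # not covered by the policy: routed normally, never redirected


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    url: str = ""            # HTTP request URL (empty for SMTP/FTP)
    content_type: str = ""   # Content-Type of the HTTP reply, when CID already saw it


class AntiVirusFarm:
    def __init__(self, servers=FARM_SERVERS):
        self._cycle = itertools.cycle(servers)   # Dispatch Method: Cyclic

    @staticmethod
    def _policy_matches(flow: Flow) -> bool:
        # Source Address: Local_net, Destination Address: Any, Service: Virus_Scan
        return (ipaddress.ip_address(flow.src) in LOCAL_NET
                and flow.dport in VIRUS_SCAN_PORTS)

    @staticmethod
    def _url_extension(url: str) -> str:
        name = url.split("?", 1)[0].rsplit("/", 1)[-1]
        return name.rsplit(".", 1)[-1].lower() if "." in name else ""

    @staticmethod
    def _mime_extension(content_type: str) -> str:
        # "image/jpg; charset=..." -> "jpg", the token compared with /extension/...
        return content_type.split(";", 1)[0].strip().rsplit("/", 1)[-1].lower()

    def dispatch(self, flow: Flow) -> str:
        """Return the farm server that receives the flow, DIRECT or FORWARD."""
        if not self._policy_matches(flow):
            return FORWARD
        if VIRUS_SCAN_PORTS[flow.dport] == "HTTP":
            if self._url_extension(flow.url) in URL_DIRECT_EXT:
                return DIRECT
            if flow.content_type and self._mime_extension(flow.content_type) in MIME_DIRECT_EXT:
                return DIRECT
        return next(self._cycle)


def demo():
    """Constructed client-to-Internet flows run through a fresh farm."""
    farm = AntiVirusFarm()
    flows = [
        Flow("192.168.1.10", "203.0.113.5", 80, url="/index.html"),
        Flow("192.168.1.11", "203.0.113.5", 80, url="/logo.gif"),
        Flow("192.168.1.12", "203.0.113.9", 25),
        Flow("192.168.1.13", "203.0.113.5", 80, url="/dl", content_type="image/jpg"),
        Flow("10.0.0.7", "203.0.113.5", 80, url="/index.html"),
        Flow("192.168.1.14", "203.0.113.5", 443),
        Flow("192.168.1.15", "203.0.113.7", 21),
    ]
    return [farm.dispatch(f) for f in flows]
```

Two points the GUI steps do not make visible: a flow from a source outside Local_net, or to a port outside the grouped service (HTTPS 443 in the sample), is never redirected at all, so the anti-virus servers only ever see what the policy selects; and the Direct rules short-circuit before the cyclic counter is advanced, so bypassed image fetches do not skew the distribution between Server 1 and Server 2.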
Configuration:

1. Double click on the CID icon. The CID Connect to Device window appears.
2. Type the device's IP address (for this example 192.168.1.253) and click Ok.
3. Assign ports to VLANs:
   a. Double click on the CID device icon. The Set-Up window appears.
   b. From the Networking menu, select VLAN. The Virtual LAN window appears.
   c. Select VLAN 100001 and assign ports 1 and 2 to the VLAN.
   d. Click Add and add VLAN 100002 and VLAN 100003. Assign ports 3 & 4 to VLAN 100002, and ports 5 & 6 to VLAN 100003.
   e. Click Update and Ok.
4. In the Set-Up window select the existing interface (192.168.1.253) and click Edit. The Interface window appears. Set the IF Num to 100001 and then click Ok.
5. Create two more interfaces:
   a. From the Set-Up window, click Add. The Interface window appears.
   b. From the Interface window, set the following parameters:
      VLAN 100002: 10.10.1.1
      VLAN 100003: 10.10.2.1
   c. Click Update.
6. Add a static route to the default gateway:
   a. From the Set-Up window select Networking > Routing Table. The Routing Table appears.
   b. Click Add. The Edit Physical Route window appears.
   c. From the Edit Physical Route window set the following parameter:
      Next Hop Router: 192.168.1.254
7. Add local servers:
   a. From the main toolbar, click Add and from the dropdown menu add a Local server with the following parameters:
      Server Name: Server 1
      IP Address: 10.10.1.100
      Click Add and then click Ok.
   b. Add the second server as explained in the previous step and set these parameters:
      Server Name: Server 2
      IP Address: 10.10.1.101
      Click Add and then click Ok.
8. Create a farm:
   a. From the CID main window, select APSolute OS > Traffic Redirection. The CID Traffic Redirection window appears.
   b. Click Farm > Add. The Farm window appears.
   c. In the Farm window, set the following parameters:
      Farm Name: Anti_Virus_Farm
      VIP Address: 1.1.1.1
9. Add the servers to the farm:
   a. In the Farm window click Add. The Farm Servers window appears.
   b. From the CID Farm Servers window, set the following parameters:
      Server Name: Server 1
      Server Address: 10.10.1.100
      Transparent Mode: Selected
   c. Add the second server in the same manner and click Ok.
10. In the Farm window select Traffic Settings. The Traffic Settings pane appears.
11. In the Traffic Settings pane, set the following parameters:
    Dispatch Method: Cyclic
    Content Based Rule: MIME Type
    Use URL Table: Do not use URL Table
    Transform Request: Cleared
    Server Spoofing: Selected
    Trap All Ports: Cleared
    Click Ok.
12. From the main window, select APSolute OS > Traffic Redirection > Redirection. The Redirection pane appears.
13. In the Redirection pane, ensure that the Match Method is set to URL Match and click Add. The URL Match window appears.
14. In the URL Match window, set the following parameters:
    Farm IP: 1.1.1.1
    URL Match Policy: Direct
    Matching URL: gif, jpeg, avi, mid, tiff
    URL Description: Type the relevant URL description.
    Click Ok.
15. From the Redirection tab, set the Match Method to HTTP Match. The HTTP Match window appears. In the HTTP Header field type content-type and click Ok.
16. From the Traffic Redirection window, select Redirection and set the Match Method to Token Match. The Token Match window appears. Set the following parameters:
    Farm IP: 1.1.1.1
    Mode: Direct
    Token Value (type in): /extension/gif/jpg/avi/mid
17. From the Traffic Redirection window click Farms, select the Anti_Virus farm (1.1.1.1) and click Farm Policies. The Farm Policies window appears.
18. In the Farm Policies window click Classes and then Networks. The Network Table appears.
19. In the Network Table select the Modify tab and then click Add.
20. In the Network Table set the following parameters:
    Network Name: Local_net
    Network Mode: IP Mask
    IP Address (according to this example): 192.168.1.0
    Address Mask: 255.255.255.0
21. From the Classes window, right click Grouped and select New Service, then set the following parameters:
    Service Name: Virus_Scan
    Basic Services: Select the protocols supported by the anti-virus: HTTP, SMTP, FTP
    Click Add Service and then Ok.
22. Create a new farm policy:
    a. From the Farm Policies window right click on Modify Farm Policies and click Add, then set the following parameters:
       Policy Name: Virus Scan
       Index: 1
       Service Type: Grouped Service
       Service: Virus_Scan
       Source Address: Local_net
       Destination Address: Any
       Direction: Oneway
       Cluster Farm: 1.1.1.1
    b. Click Add Policy and then click Update Active Classes. Now click Ok.

Example - Single Interface Servers in Proxy Mode with MIME Type Support

The example in Figure 5-9 illustrates a configuration where the anti-virus servers are also proxy servers, that is, servers that clients would normally be configured to use. In this example the clients are not configured: CID intercepts the clients' requests and transforms them to proxy form.
Figure 5-9 Single Interface Proxy Servers with MIME Type Support. Topology: Clients - CID (192.168.1.253) - Access Router (192.168.1.254) - Internet; Server 1 (192.168.1.100) and Server 2 (192.168.1.101) attached to the CID.

Configuration:

1. Connect the device:
   a. Double click on the CID icon. The CID Connect to Device window appears.
   b. Type the device's IP address (for this example 192.168.1.253) and click Ok.
2. Add ports to the VLAN:
   a. Double click on the CID icon again. The Set-Up window appears.
   b. From the Networking menu, select VLAN. The Virtual LAN window appears.
   c. Select VLAN 100001.
   d. Add ports 1-4 to the VLAN.
   e. Click Update and Ok.
3. In the Set-Up window, select the existing interface (192.168.1.253) and click Edit. The Interface window appears. Set the IF Num value to 100001 and then click Ok.
4. Add a static route to the default gateway:
   a. From the Set-Up window, select Networking > Routing Table. The Routing Table appears.
   b. Click Add. The Edit Physical Route window appears.
   c. In the Edit Physical Route window, set the following parameter:
      Next Hop: 192.168.1.254
   d. Click Ok.
5. Add two servers:
   a. From the main toolbar, click Add and from the dropdown menu add a local server with the following parameters:
      Server Name: Server 1
      IP Address: 192.168.1.100
   b. Click Add and then click Ok.
   c. In the same manner, add the second server with the following parameters:
      Server Name: Server 2
      IP Address: 192.168.1.101
   d. Click Add and then click Ok.
6. Create a farm:
   a. In the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
   b. In the Traffic Redirection window, select the Farms tab and click Add. The Farm window appears.
   c. In the Farm window, set the following parameters:
      Farm Name: Anti_Virus_Farm
      VIP Address: 1.1.1.1
7. Add the servers to the farm:
   a. From the Farm window, click Add. The CID Farm Servers window appears.
   b. In the CID Farm Servers window, set the following parameters:
      Server Name: Server 1
      Server Address: 192.168.1.100
      Transparent Mode: Selected
   c. In the same manner, add the second server and click Ok.
   d. From the Farm window, select Traffic Settings, then set the following parameters:
      Dispatch Method: Cyclic
      Content Based Rule: MIME Type
      Use URL Table: Do not use URL Table
      Transform Request: Selected (CID rewrites the intercepted requests into the proxy form the proxy servers expect)
      Server Keeps Client IP: Selected
   e. Click Ok.
8. Define the content based rules:
   a. In the Traffic Redirection window, select Redirection. The Redirection pane appears.
   b. In the Redirection pane, ensure that the Match Method is set to URL Match and click Add. The URL Match window appears.
   c. From the URL Match window, set the following parameters:
      Farm IP: 1.1.1.1
      URL Match Policy: Direct
      Matching URL: gif, jpeg, avi, mid, tiff
      URL Description: Type the relevant URL description.
   d. Click Ok.
   e. In the Traffic Redirection window, click Redirection. Set the Match Method to HTTP Match and click Add. The HTTP Match window appears.
   f. In the HTTP Header field, type content-type and click Ok.
   g. In the Traffic Redirection window, select Redirection, set the Match Method to Token Match and click Add. The Token Match window appears.
   h. In the Token Match window, set the following parameters:
      Farm IP: 1.1.1.1
      Mode: Direct
      Token Value (type in): /extension/gif/jpg/avi/mid
   i. Click Ok.
9. Define classes:
   a. In the Traffic Redirection window, select the Farms tab, select the Anti_Virus farm (1.1.1.1) and click Farm Policies. The Farm Policies window appears.
   b. Click Classes > Networks. The Network Table window appears.
   c. Select the Modify tab and then click Add.
   d. In the Network Table window, set the following parameters:
      Network Name: Local_net
      Network Mode: IP Mask
      IP Address (for this example): 192.168.1.0
      Address Mask: 255.255.255.0
   e. Click Ok.
   f. In the CID Classes window Services list, right click Grouped and select New Service, then set the following parameters:
      Service Name: Virus_Scan
      Basic Services: Check the protocols supported by the anti-virus. Values: HTTP, SMTP, FTP, POP3
   g. Click Add Service and then Ok.
10. Create a new farm policy:
    a. In the Farm Policies window, right click on Modify Farm Policies and click Add, then set the following parameters:
       Policy Name: Virus Scan
       Index: 1
       Service Type: Grouped Service
       Service: Virus_Scan
       Source Address: Local_net
       Destination Address: Any
       Direction: Oneway
       Cluster Farm: 1.1.1.1
    b. Click Add Policy and then click Update Active Classes.
    c. Click Ok.

Section 5-3 Special Protocol Treatment

Section 5-3 Special Protocol Treatment describes the special treatment CID provides for several protocols and how these features work in conjunction with CID's redirection. This section includes the following topics:

• FTP Content Management, page 5-46
• POP3 Support, page 5-53
• RADIUS Based Classification, page 5-58
• HTTP Advanced Features, page 5-62

FTP Content Management

FTP Proxy Support

When deploying an FTP (File Transfer Protocol) proxy server for FTP caching or FTP content inspection, CID provides special treatment for these servers. By default, CID intercepts the FTP sessions of non-configured clients and load balances them to the FTP proxy server farm. CID transforms the client's "username: password" login into the proxy form "username:password@domain". This transformation allows the FTP proxy server to extract the original destination FTP host and then to open the FTP session to that host, on behalf of the client. This process is transparent to the client. CID supports both passive FTP sessions and active FTP sessions.
Figure 5-10 shows a typical FTP Proxy Content Management setup.

Figure 5-10 FTP Proxy Content Management Configuration. Topology: Users Side - Client 1 (10.1.1.1) and Client 2 (10.1.1.2) - CID Port 1 (10.1.1.10; CID Virtual IP Address 10.1.1.100) and Port 2 (100.1.1.10) - Network Side - Access Router (100.1.1.120) - Internet; FTP Content Servers 100.1.1.1 and 100.1.1.2 on the network side.

Properties:
• Network side and users side are on different IP subnets.
• Users are not configured to use the CID or the proxies.
• Content servers work in FTP Proxy mode.
• The virtual IP address of the CID is 10.1.1.100.
• Configuring the ftp-session service supports both passive and active FTP sessions.
• The delimiter ('@') is proxy dependent, and may vary.

Configuration:

1. Double click on the CID icon and, from the CID Connect to Device window that now appears, type the device's IP address: 10.1.1.10 and click Ok.
2. Define two IP addresses on the CID:
   a. Double click on the CID icon. The Set-Up window appears.
   b. In the Set-Up window, click Add. The Interface window appears.
   c. In the Interface window set the following parameters:
      IF Num: F-2
      IP Address: 100.1.1.10
   d. Click Ok to exit all windows.
3. Add the default router and a default gateway:
   a. Double click on the CID icon. The Set-Up window appears.
   b. In the Set-Up window, select Networking > Routing Table. The Routing Table window appears.
   c. From the Routing Table, click Add. The Edit Physical Route window appears.
   d. In the Edit Physical Route window, set the following parameters:
      Destination IP Address: 0.0.0.0
      Network Mask: 0.0.0.0
      Next Hop: 100.1.1.120
      IF Number: F-2
      Metric: 1
      Type: Remote
   e. Click Ok to exit all windows.
4. Add the servers:
   a. From the main toolbar, click Add (+) and from the dropdown menu add a local server with the following parameters:
      Server Name: Server 1
      IP Address: 100.1.1.1
   b. Click Add and then click Ok.
   c. In the same manner, add the second server with the following parameters:
      Server Name: Server 2
      IP Address: 100.1.1.2
   d. Click Add and then click Ok.
   Tip: Ensure that Transparent Mode is enabled.
5. Add a farm:
   a. From the Traffic Redirection window, select Farms. The Farm pane appears.
   b. In the Farm pane click Add. The Farm window appears.
   c. In the Farm window, set the following parameters:
      Farm Name: Farm 1 (for example)
      Multiplexed for Port: Disabled
      VIP Address: 10.1.1.100
      Admin Status: Selected
      Transform Request: Selected
   d. Click Ok.
6. Add the servers to the farm:
   a. In the Traffic Redirection window list of farms, select the farm and click Add. The CID Farm Servers window appears.
   b. In the CID Farm Servers window, set the following parameters:
      Server Name: Server 1 & Server 2
      Transparent Mode: Disabled
      Server Delimiter: @
   c. Click Ok and then Ok to return to the Farm Policies window.
7. Add a local network:
   a. From the main toolbar, click Traffic Redirection. The Traffic Redirection window appears.
   b. In the Traffic Redirection window list of farms, select the farm, then click the Farm Policies button. The Farm Policies window appears.
   c. In the Farm Policies window, click the Classes button. The Classes window appears.
   d. In the CID Classes window, click Networks. The Network Table window appears.
   e. Click the Modify tab and from the Modify pane, click Add and then set the following parameters:
      Network Name: Local
      Network Mode: IP Range
      From Address: 10.1.1.1
      To Address: 10.1.1.2
   f. Click Add and then Ok.
8. Add a new policy for FTP:
   a. In the Farm Policies window, right click Modify Farm Policy and select Add.
   b. From the pane that appears, set the following parameters:
      Policy Name: ftp
      Index: 1
      Service Type: Regular Service
      Service: ftp session
      Source Address: Local
      Destination Address: any
      Direction: oneway
      Description: FTP Proxy Configuration
      Operational Status: Active
      Cluster Farm: 10.1.1.100
   c. Click Add Policy and then Ok to exit the window.

FTP Address Multiplexing Support

Traditional load balancing of FTP sessions supports only cases where the same FTP server controls both the Control Session and the Data Session of the File Transfer Protocol. CID supports load balancing of FTP sessions where the FTP server which hosts the Control Session refers the FTP client to a different FTP server for the Data Session using the PASV command.

Configuration

No special configuration is needed by the user in order for CID to support FTP Address Multiplexing.

Transparent FTP Support

The Transparent FTP feature supports FTP content servers that intercept FTP sessions transparently and open a session on behalf of the client. CID redirects FTP clients to proxy servers that support fully transparent FTP. This mode is in addition to the proxy FTP mode described above.

POP3 Support

CID supports interception and redirection of POP3 (Post Office Protocol) traffic destined to an anti-virus server. POP3 sessions are transparently intercepted and redirected to the servers: the sessions are sent to the IP address of the server, opening a POP3 session with the proxy agent of the server. This is done transparently to the client. Because the client is unaware of the server's existence, the client believes that it is directly connected to the POP3 host on the Internet.

To provide POP3 support, CID transforms the client's "USER" command from USER[username] to USER[user_name#destination_IP]. This transformation allows the anti-virus to extract the destination POP3 host and then to open the POP3 session to that host. The Server Delimiter (#) is a configurable parameter that can be set in the Application Servers window.

POP3 Support Configuration Guidelines:
• To intercept POP3, configure port 110 (the POP3 assigned port) as a port to be intercepted.
• Because redirection is done to the mail server's IP address, return traffic from the server to the client must traverse the CID. This is necessary so that proper IP address translation can be performed.

Figure 5-11 illustrates a typical configuration for POP3 Interception where CID intercepts and redirects POP3 sessions to a proxy mail server. The users are unaware of the proxy server's existence, and assume that they are directly connected to the POP3 server on the Internet. This configuration is used for the load balancing of TrendMicro InterScan e-mail anti-virus servers.

Figure 5-11 POP3 Interception Configuration. Topology: Users Side - Client 1 (10.1.1.1) and Client 2 (10.1.1.2) - CID Port 1 (10.1.1.10; CID Virtual IP Address 10.1.1.100) and Port 2 (100.1.1.10) - Network Side - Router (100.1.1.120) - Internet; Anti Virus Servers 100.1.1.1 and 100.1.1.2 on the network side.
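The USER-command rewrite is the mechanism behind both the FTP Proxy Support and the POP3 Support sections above: CID appends the configured Server Delimiter and the original destination to the login the client sent, and the proxy parses them back out. The following is an added example, not part of this guide and not Radware's software, showing both sides of that exchange. It assumes that the destination is carried as the dotted-quad address the client originally connected to, that the delimiter is '@' for FTP and '#' for POP3 and is inserted after the user name, and that PASS and all other commands pass through unchanged; the session lines are constructed.

```python
"""Added example, not from the guide or from Radware: the USER-command rewrite
CID applies when it redirects an intercepted FTP or POP3 session to a proxy
server, and the matching parse a proxy performs to recover the destination.

Assumptions: the original destination is the dotted-quad address the client
connected to; the Server Delimiter is '@' for FTP and '#' for POP3 and is
inserted after the user name; PASS and every other command are forwarded
verbatim.  The sample sessions are constructed for the example.
"""
import ipaddress

DELIMITERS = {"ftp": "@", "pop3": "#"}   # Server Delimiter configured per farm server


def _looks_like_address(token: bytes) -> bool:
    try:
        ipaddress.ip_address(token.decode())
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def rewrite_user_command(line: bytes, original_dst: str, delimiter: str) -> bytes:
    """CID side: turn 'USER alice' into 'USER alice<delim><original_dst>'.

    Only USER is touched.  A USER argument that already ends in the delimiter
    plus an address (a client that is itself proxy-configured) is left alone
    so the destination is not appended twice.
    """
    stripped = line.rstrip(b"\r\n")
    verb, _, arg = stripped.partition(b" ")
    if verb.upper() != b"USER" or not arg:
        return line
    delim = delimiter.encode()
    if delim in arg and _looks_like_address(arg.rsplit(delim, 1)[-1]):
        return line
    return b"USER " + arg + delim + original_dst.encode() + b"\r\n"


def parse_proxy_user(line: bytes, delimiter: str):
    """Proxy side: split 'USER alice#203.0.113.20' into ('alice', '203.0.113.20').

    The delimiter is searched from the right, so a user name that contains the
    delimiter itself (e.g. the mailbox 'alice@example.org' on a POP3 server)
    survives intact.  Returns (user, None) when no destination is present; a
    proxy should reject such a login rather than guess a destination.
    """
    stripped = line.rstrip(b"\r\n")
    verb, _, arg = stripped.partition(b" ")
    if verb.upper() != b"USER":
        raise ValueError("not a USER command")
    user, sep, dst = arg.rpartition(delimiter.encode())
    if not sep or not _looks_like_address(dst):
        return arg.decode(), None
    return user.decode(), dst.decode()


def relay_session(lines, original_dst: str, proto: str):
    """Run a client command sequence through the CID rewrite and the proxy parse."""
    delim = DELIMITERS[proto]
    forwarded = [rewrite_user_command(l, original_dst, delim) for l in lines]
    user_lines = [l for l in forwarded if l.upper().startswith(b"USER ")]
    return forwarded, parse_proxy_user(user_lines[0], delim)


# constructed sample sessions (client side, before CID)
FTP_SESSION = [b"USER alice\r\n", b"PASS s3cret\r\n", b"PASV\r\n", b"RETR report.pdf\r\n"]
POP3_SESSION = [b"USER alice@example.org\r\n", b"PASS s3cret\r\n", b"STAT\r\n"]

if __name__ == "__main__":
    print(relay_session(FTP_SESSION, "203.0.113.20", "ftp"))
    print(relay_session(POP3_SESSION, "198.51.100.7", "pop3"))
```

The right-to-left split is the detail to carry over to a real deployment: with an FTP proxy whose delimiter is '@', a login such as alice@example.org becomes alice@example.org@203.0.113.20, and only a right-anchored parse recovers the mailbox and the destination correctly. It is also why the guide calls the delimiter proxy dependent: the proxy's own parsing rule, not CID's, decides which delimiter is safe.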
To configure POP3 Support:

1. Double click on the CID device icon. The CID Connect to Device window appears. From the CID Connect to Device window, type the device's IP address: 10.1.1.10 and click Ok.
2. Define two IP addresses on the CID:
   a. Double click on the CID device icon. The Set-Up window appears.
   b. In the Set-Up window, click Add. The Interface window appears.
   c. In the Interface window, set the following parameters:
      IF Num: F-2
      IP Address: 100.1.1.10
   d. Click Ok to exit all windows.
3. Add the default router and a default gateway:
   a. Double click on the CID icon. The Set-Up window appears.
   b. In the Set-Up window, click on Networking and select Routing Table. The Routing Table appears.
   c. In the Routing Table window, click Add. The Edit Physical Route window appears.
   d. In the Edit Physical Route window, set the following parameters:
      Destination IP Address: 0.0.0.0
      Network Mask: 0.0.0.0
      Next Hop: 100.1.1.120
      IF Number: F-2
      Metric: 1
      Type: Remote
   e. Click Ok to exit all windows.
4. Add the servers:
   a. From the CID toolbar, select the Add menu and from the dropdown menu add a local server with the following parameters:
      Server Name: Server 1
      IP Address: 100.1.1.1
   b. Click Add and then click Ok.
   c. In the same manner, add the second server with the following parameters:
      Server Name: Server 2
      IP Address: 100.1.1.2
   d. Click Add and then click Ok.
   Tip: Ensure that Transparent Mode is enabled.
5. Add a farm:
   a. In the Traffic Redirection window, click Farm > Add. The Farm window appears.
   b. In the Farm window, set the following parameters:
      Farm Name: Farm 1 (for example)
      Multiplexed for Port: Disabled
      VIP Address: 10.1.1.100
      Admin Status: Selected
   c. Click Ok.
6. Add the servers to the farm:
   a. In the Traffic Redirection window, select the farm and then click Add. The CID Farm Servers window appears.
   b. In the CID Farm Servers window, set the following parameters:
      Server Name: Server 1 & Server 2
      Transparent Mode: Disabled
      Server Delimiter: #
   c. Click Add to apply your changes and then Ok.
7. Add a local network:
   a. From the main toolbar, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
   b. From the Traffic Redirection window, select the farm and then click Farm Policies. The Farm Policies window appears.
   c. From the Farm Policies window, select Classes > Networks > Modify > Add, then set the following parameters:
      Network Name: Local
      Network Mode: IP Range
      From Address: 10.1.1.1
      To Address: 10.1.1.2
   d. Click Ok and then Ok to return to the Farm Policies window.
8. Add a new policy for POP3:
   a. In the Farm Policies window, right click Modify Farm Policy > Add. The Modify Farm Policy pane appears.
   b. In the Modify Farm Policy pane, set the following parameters:
      Policy Name: POP3
      Index: 1
      Service Type: Regular Service
      Service: POP session
      Source Address: Local
      Destination Address: Any
      Direction: Oneway
      Operational Status: Active
      Cluster Farm: 10.1.1.100
   c. Click Add Policy and then Ok to exit the window.

RADIUS Based Classification

The RADIUS service for ISPs allows authentication and storage of accounting information for dial-in users. For general information about this protocol, see Chapter D, Glossary. RADIUS Based Classification enables CID to provide service to clients whose source IP addresses change each time they dial. CID monitors the traffic and checks the user privileges in the RADIUS messages. According to this information, CID assigns clients to networks that are added to the Network Table. These networks can then be used for defining farm policies, flow clusters, BWM policies and so on. CID enables you to set Flow Cluster policies according to the RADIUS attributes.

Note: The RADIUS tracking mechanism is transparent to the user.

CID performs RADIUS Based Classification when working in these modes:
• Transparent Mode: The device transparently intercepts RADIUS traffic between the client and the RADIUS server, as shown in Figure 5-12. In this case, the CID listens to the communication between the NAS and the RADIUS server. This mode does not require any configuration.
• Proxy Mode: The device acts as a proxy RADIUS between the NAS and the RADIUS server. This mode enables CID to trace the data while forwarding the packets between the two. This mode requires configuration of the NAS to use CID as its RADIUS server.

After intercepting the RADIUS messages, CID parses the messages to extract the services allocated to the user and the user's IP address. CID then imposes the allocated services according to the user IP. Based on the username and password, the RADIUS server sends the NAS a predefined value in one of the attributes. When the same attribute is configured on CID and CID detects this attribute, it automatically adds the client's IP to a dynamic network that can be classified.

Figure 5-12 illustrates a typical RADIUS configuration.

Figure 5-12 RADIUS Configuration. Elements: Clients, NAS, CID, Farm 1, Farm 2, Router, Internet, RADIUS Server.

NAS Secret

The NAS and the RADIUS server share a "secret" that is used for password encryption and response authentication. A RADIUS server can be configured to use different secrets according to the source IP of the received packet (the NAS IP). When CID is used as the RADIUS proxy, the source IP is always the CID IP, so the RADIUS server can use only one secret. For this reason, the Proxy RADIUS needs to use another table with the following record structure:

NAS IP | NAS Secret

When a message arrives from a NAS IP that exists in the NAS/Secret Table, the proxy RADIUS decrypts the password using the NAS secret, and re-encrypts it using its own secret before sending it to the RADIUS server. The same applies to a message from the RADIUS server to a NAS, and to the Authenticator field. If the NAS IP does not exist in the NAS/Secret Table, the password field remains untouched. In Transparent mode (Sniffing) CID does not alter passwords or Authenticators.

To configure RADIUS Based Classification:

1. From the main window, select Device > Device Permissions. The Device Permissions window appears.
2. In the Device Permissions window, select the Proxy RADIUS tab, then set the following parameters:
   Main RADIUS IP Address: The IP address of the primary RADIUS server for authentication.
   Main RADIUS Authentication Port No: The access port number of the primary RADIUS server. Values: 1645, 1812.
   Main RADIUS Accounting Port No: The access port number of the primary RADIUS server for accounting.
   Main RADIUS Secret: The authentication password for the primary RADIUS server.
   Note: These four parameters are mandatory in order to define a RADIUS Proxy server. You can also define a Backup RADIUS Proxy Server.
3. In the Device Permissions window, click Rules. The Proxy RADIUS Rules window appears.
4. In the Proxy RADIUS Rules window, set the following parameters:
   Attribute ID: The relevant Attribute ID.
   Attribute Value: The value of the attribute in the RADIUS packet.
   Network: The name of the network the user belongs to.
5. Click Add and then Ok.
6. Configure the NAS Secrets table:
   a. In the Device Permissions window, click NAS Secret. The Proxy RADIUS NAS Secrets window appears.
   b. In the Proxy RADIUS NAS Secrets window, set the following parameters:
      NAS IP: The IP address of the NAS.
      NAS Secret: The NAS secret.
   c. Click Add > Ok.
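The NAS Secret discussion above describes what a proxy RADIUS has to do and why the NAS/Secret table exists, but not how. The following is an added example, not part of this guide and not Radware's implementation: it re-keys the User-Password attribute of an Access-Request from the NAS secret to the secret shared with the RADIUS server, and then applies an Attribute ID/Attribute Value rule to the matching Access-Accept to obtain the network name and client IP that would be added to the dynamic network. It assumes the RFC 2865 packet layout and User-Password hiding scheme, that the proxy keeps the NAS's Request Authenticator unchanged when forwarding, and that the client IP is read from attribute 8 (Framed-IP-Address); the secrets, rules and packets are constructed.

```python
"""Added example, not from the guide or from Radware: the two operations a
proxy RADIUS in the configuration above must perform.

Assumptions: RFC 2865 packet layout and User-Password hiding (MD5 over the
shared secret and the Request Authenticator, XORed block by block); the
proxy keeps the NAS's Request Authenticator when it re-keys a request; the
client IP is attribute 8 (Framed-IP-Address) of the Access-Accept, and a
rule maps (attribute ID, attribute value) to a network name.  Secrets,
rules and packets are constructed for the example.
"""
import hashlib
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, CLASS = 1, 2, 8, 25


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password.  Trailing NUL padding is removed, so a password
    that itself ends in NUL cannot be carried (a limitation of the RFC scheme)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """code(1) id(1) length(2) authenticator(16), then type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def rekey_access_request(pkt: bytes, nas_ip: str, nas_secrets: dict,
                         server_secret: bytes) -> bytes:
    """Proxy step: decrypt User-Password with the NAS secret from the NAS/Secret
    table and re-encrypt it with the secret shared with the RADIUS server.
    A NAS that is not in the table is forwarded untouched, as the guide states."""
    code, ident, auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST or nas_ip not in nas_secrets:
        return pkt
    rekeyed = []
    for t, v in attrs:
        if t == USER_PASSWORD:
            clear = reveal_password(v, nas_secrets[nas_ip], auth)
            v = hide_password(clear, server_secret, auth)
        rekeyed.append((t, v))
    return build_packet(code, ident, auth, rekeyed)


def classify_access_accept(pkt: bytes, rules: dict):
    """Return (network, client IP) when a configured attribute/value rule matches an
    Access-Accept: the client IP CID would add to that dynamic network."""
    code, _, _, attrs = parse_packet(pkt)
    if code != ACCESS_ACCEPT:
        return None
    values = {}
    for t, v in attrs:
        values.setdefault(t, []).append(v)
    if FRAMED_IP_ADDRESS not in values:
        return None
    client_ip = str(ipaddress.IPv4Address(values[FRAMED_IP_ADDRESS][0]))
    for attr_id, value_to_network in rules.items():
        for v in values.get(attr_id, []):
            if v in value_to_network:
                return value_to_network[v], client_ip
    return None
```

Two consequences follow from the code. A request from a NAS that is missing from the NAS/Secret table reaches the RADIUS server with a password still hidden under the NAS secret, which the server will reject; that is the failure mode to look for when a new NAS is added without a table entry. And classification needs Framed-IP-Address: an Access-Accept that grants the configured attribute value but carries no client IP yields no dynamic network entry.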
HTTP Advanced Features

Enhanced URL Retrieval

An HTTP request consists of several headers containing additional information about the session. In delayed-binding mode, the CID makes load-balancing decisions based on the URL in the Host: header. When the Enhanced URL Retrieval feature is enabled, the CID makes its decisions based on the information contained in the other headers of the request as well, recovering the URL as issued by the origin of the request. This feature can improve caching on certain types of cache servers.

Note: CID supports this feature only for non-configured clients in the Address Mode.

To enable Enhanced URL Retrieval:

1. Double click the CID device icon. The Set-Up window appears.
2. In the Set-Up window, select Global. The Global pane appears.
3. In the Global pane, select URL Handling Settings (radio button).
4. Click Edit Settings. The URL Handling Settings window appears.
5. From the URL Handling Settings window, check the Enhanced URL Retrieval check box.
6. Click Ok to exit all windows.
CID 403 Override support feature negates this problem by automatically routing the client directly to the Internet upon receiving a “403 forbidden” reply from the requested site. but future requests to that site from any client will be forwarded directly to the Internet. encapsulates the session with a HTTP header and opens a session to the server on behalf of the client. This section includes the following topics: • • • What is an SSL Content Check?. page 5-71 CID User Guide 5-65 .Chapter 5 . describes the advanced CID feature which allows the CID to inspect the content of SSL traffic.Advanced Features Section 5-4 SSL Content Check Section 5-4 SSL Content Check. page 5-68 Proxy AV Gateway Configuration. page 5-66 Spoofed AV Gateway Configuration. A configuration of CID in conjunction with one or more CT100 units provides the ability to scan and redirect the decrypted SSL client traffic to the anti-virus gateways. 10-100 HTTPS HTTP Figure 5-13 SSL Content Check General Scheme There are two types of SSL Content Check configuration.168. A configuration of CID in conjunction with one or more CT100 units provides the ability to scan and redirect the decrypted SSL client traffic to the anti-virus gateways.168.168.168.168.1. 5-66 CID User Guide .1. and use the SSL channels for their attacks.1.SSL Content Check What is an SSL Content Check? Hackers take advantage of the fact that encrypted traffic is not usually decrypted/inspected on its way to the destination.253 Users 192.254 Content Inspection Director 192.150 Router 192.1. which are: • • Spoofed AV Gateway Proxy AV Gateway The following sections describe how to configure each type. AV Gateway 192. Figure 5-13 illustrates a generalized network configuration for SSL Content Check.1.200 CT100 192. 3. CID redirects the HTTP session that arrives from the AV gateway. 2. which terminates the client HTTPS handshake. traffic protocols and gateways. with the client’s decrypted HTTP traffic. 
If the scanning of clients’ HTTP traffic needs to be accelerated. Configuration Guidelines: Setting up a configuration to enable an SSL Content Check involves the following general steps: 1. were N is the number of farms in the CID configuration. 3. CT100 opens a new HTTP session. The farm’s content based rule must be set to IP Address mode. Notes: • • • • • CID User Guide 5-67 . CID performs this sequence of actions: 1. 2. 4. The CT100 unit encrypts the client HTTP traffic and sends it as an HTTPS session.Chapter 5 . 5. CID redirects the client HTTPS traffic to a selected CT100 unit. When configuring farm servers. Configuring the network and port group for the users’ side Adding and configuring farms Adding and configuring farm clusters Configuring content check policies for farms. CID redirects the HTTPS session to the Internet. 4. the Traffic Settings > Transform Request option must be disabled for all Farms which handle HTTPS traffic.Advanced Features When a client initiates an SSL session with a server on the Internet. 6. Radware recommends configuring a separate Farm for the AV Gateway and setting the farm to operate in MIME-type mode. CID redirects the clear HTTP session to a selected AV (anti-virus) gateway for content inspection. Each client session generates N+1 entries in the Client Table. Configuring CID in the VLAN mode requires setting the network default gateway also in CID. back to the CT100 unit. To configure a client SSL Content check in conjunction with the AV gateway that operates in the Spoofed mode. while CID redirects traffic to and from the server based on MAC addresses only. the CT-100 server farm is duplicated as a logical element. CID is configured with 4 farms and 3 policies.SSL Content Check Spoofed AV Gateway Configuration A spoofed AV Gateway retains the client’s IP address. CT100 AV Gateway CT100 Router Content Inspection Director Users HTTPS HTTP Figure 5-14 Traffic Flow in Spoofed AV Gateway As Figure 5-14 shows. 
because CID redirects the original HTTPS traffic twice to the same physical CT100 server.

Spoofed AV gateway SSL Content Check - Configuration Guidelines:
1. Configure a Network and a Port Group to represent the users' segment.
2. Configure 4 farms:
   a. Farm1 for the CT-100 units.
   b. Farm2 for the AV gateways.
   c. Farm3 for the CT-100 units.
   d. Farm4 for the Router, the default gateway of the users.
   Note: Configure Farm4 only if it is required to perform NAT on the traffic accessing the Internet.
3. Configure the farm clusters:
   a. Cluster HTTPS-CT to include Farm1 and Farm4.
   b. Cluster HTTP-AV-CT to include Farm2 and Farm3.
   c. Cluster HTTP-Client to include Farm2 and Farm4.
4. Configure the policies for the farm cluster:
   a. To configure a policy for the client's regular HTTP traffic, set the following parameters according to the explanations provided:
      Index: 1
      Service Type: Filter
      Service: HTTP
      Source Address: Users
      Destination Address: Any
      Direction: OneWay
      Cluster Farm: HTTP-Client
      Inbound Physical Port Group: Clients' segment port group
   b. To configure a policy for the HTTPS traffic, set the following parameters according to the explanations provided:
      Index: 2
      Service Type: Filter
      Service: HTTPS
      Source Address: Users
      Destination Address: Any
      Direction: OneWay
      Cluster Farm: HTTPS-CT
      Inbound Physical Port Group: N/A
   c. To configure a policy for the AV Gateway, set the following parameters according to the explanations provided:
      Index: 3
      Service Type: Filter
      Service: HTTP
      Source Address: Users
      Destination Address: Any
      Direction: OneWay
      Cluster Farm: HTTP-AV-CT
      Inbound Physical Port Group: N/A
   d. Click Ok to apply.

Proxy AV Gateway Configuration
A proxy AV gateway uses its own IP address when forwarding the clients' traffic to the Internet.
To operate in the Proxy Mode, the AV gateway should be configured with different IP addresses for the SSL decrypted traffic and for the client's regular traffic, hence the two AV gateway segments as shown in Figure 5-15. CID redirects traffic to and from the server based on the IP addressing scheme.
Figure 5-15 illustrates the HTTPS traffic flow when the AV gateway works in the Proxy Mode.
Figure 5-15 HTTPS Traffic Flow in Proxy AV Gateway (Users, Content Inspection Director, CT100, two AV Gateway segments, Router; flows 1, 1', 2 and 3; HTTPS and HTTP)
Figure 5-16 illustrates the HTTP traffic flow when the AV Gateway works in the Proxy Mode.
Figure 5-16 HTTP Traffic Flow in Proxy AV Gateway (Users, Content Inspection Director, CT100, AV Gateway, Router; flow 4; HTTPS and HTTP)
Properties:
• Using a Proxy AV gateway requires different farm clusters to be set up for the traffic: one farm for the HTTP traffic and another farm for the HTTPS traffic.
• Clients must have two configured proxy IP addresses: one for the HTTPS traffic and one for the HTTP traffic.
• A direct farm/cluster policy cannot be configured to the proxy server.
• NAT can be included in the farm properties. However, NAT must always be configured at the last Farm in the traffic chain to access the Internet.

Configuration Guidelines:
To set up a client SSL Content Check in conjunction with an AV Gateway operating in the Proxy Mode, CID is configured with the following policies:
• Client's regular HTTP traffic
• Client's HTTPS traffic
• CT100 to AV Gateway traffic
• AV Gateway to CT100 traffic
Note: When configuring farm servers, the Traffic Settings > Transform Request option must be disabled for all Farms which handle HTTPS traffic.

To configure an AV gateway proxy SSL Content Check:
1. Configure a Network and Port Group to represent the users' segment.
2. Configure a Network to represent the AV Gateway segment.
3. Configure 4 farms:
   a. Farm1 for CT-100 units.
   b. Farm2 for AV gateways, decrypted HTTPS traffic.
   c. Farm3 for CT-100 units.
   d. Farm4 for AV gateways, HTTP traffic.
4. Configure the farm clusters:
   a. Cluster HTTPS-CT to include Farm1.
   b. Cluster HTTP-AV-CT to include Farm2 and Farm3.
   c. Cluster HTTP-Client to include Farm2.
   d. Cluster HTTP-AV to include Farm4.
5. Configure the policies for the client's HTTPS traffic:
   a. Configure policy 1 (and 1') for the HTTPS to CT100 traffic:
      Index: 2
      Service Type: Filter
      Service: HTTPS
      Source Address: Users, AV Gateway (can also be set to: Any)
      Destination Address: Any
      Direction: OneWay
      Cluster Farm: HTTPS-CT
      Inbound Physical Port Group: N/A
   b. Click Ok.
   c. Configure policy 2 for the CT100 to AV Gateway traffic:
      Index: 3
      Service Type: Filter
      Service: HTTP
      Source Address: Users
      Destination Address: Any
      Direction: OneWay
      Cluster Farm: HTTP-AV-CT
      Inbound Physical Port Group: N/A
   d. Click Ok.
   e. Configure policy 3 for the AV Gateway to CT100 traffic:
      Index: 4
      Service Type: Filter
      Service: HTTP
      Source Address: AV Gateway
      Destination Address: Any
      Direction: OneWay
      Cluster Farm: HTTP-AV-CT
      Inbound Physical Port Group: N/A
   f. Click Ok.
6. Configure the policy for the client's regular HTTP traffic:
      Index: 1
      Service Type: Filter
      Service: HTTP
      Source Address: Users
      Destination Address: Any
      Direction: OneWay
      Cluster Farm: HTTP-AV
      Inbound Physical Port Group: Clients' segment port group
7. Create a new Network for CID:
   a. From the main window, select the CID device icon and select APSolute OS > Bandwidth Management. The Bandwidth Management window appears.
   b. In the Bandwidth Management window, select Classes. The Classes window appears.
   c. In the Classes window, select Networks. The Network Table appears.
   d. Select Modify Table and click Add. The Edit Network Table appears.
   e. In the Edit Network Table, set the following parameters according to the explanations provided:
      Network Name: Users
      Network Mode: IP Mask
      IP Address: 192.168.1.0 (according to this example)
      Address Mask: 255.255.255.0
   f. Click Ok.
8. Add a new Port Group to CID:
   a. In the Classes window, select Port Groups. The Port Groups window appears.
   b. In the Port Groups window, select the Physical Ports Group option button.
   c. Click on the Modify tab and then click Add. The Edit Physical Port Group window appears.
   d. In the Edit Physical Port Group window, set the following parameters according to the explanations provided:
      Group: CT100 Port
      Assigned Port: F-2 (CT100 port)
   e. Click Ok.
   f. In the Port Groups window, click Update Modifications and click Ok.
9. Create a new Farm Cluster Policy for the HTTP Traffic:
   a. From the main window, select the CID icon and then select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
   b. In the Traffic Redirection window, select Cluster.
   c. From the Cluster pane, select a cluster entry and then click Policies. The Farm Cluster Policies window appears.
   d. In the Farm Cluster Policies window, select Modify and click Add. The Edit Policy window appears.
   e. In the Edit Policy window, set the following parameters according to the explanations provided:
      Policy Name: HTTP
      Index: 1
      Service Type: Regular Service
      Service: HTTP
      Source Address: Users
      Destination Address: Any
      Direction: Oneway
      Cluster Farm: HTTP-AV-CT100
      Inbound Physical Port Group: CT100 Port
   f. Click Ok.
   g. In the Farm Cluster Policies window, click Update Active Policies.
10. Add a Farm Cluster Policy for the HTTPS traffic:
   a. In the Farm Cluster Policies window, select Modify and click Add. The Edit Policy window appears.
   b. In the Edit Policy window, set the following parameters according to the explanations provided:
      Policy Name: HTTPS
      Index: 2
      Service Type: Regular Service
      Service: HTTPS
      Source Address: Users
      Destination Address: Any
      Direction: Oneway
      Cluster Farm: HTTPS-CT100
   c. Click Ok.
11. From the Farm Cluster Policies window, click Update Active Policies, then click Ok.
Notes:
• Using a Proxy AV gateway requires different farm clusters to be set up for the traffic: one farm for the HTTP traffic and another farm for the HTTPS traffic.
• Clients must have two configured proxy IP addresses: one for the HTTPS traffic and one for the HTTP traffic.
• A direct farm / cluster policy cannot be configured to the proxy server.
• Users can include NAT in the farm properties. However, NAT must always be configured at the last Farm in the traffic chain to access the Internet.

Section 5-5 DNS and NTP Services
Section 5-5 DNS and NTP Services provides an explanation of DNS and NTP services and how to configure them. This section includes the following topics:
• DNS Services, page 5-79

DNS Services
DNS Services comprise the client and the server.

DNS Client
Each CID has a DNS Client that allows it to identify the destination IP address of a specific URL. When CID needs to forward requests directly to the Internet without sending them to a content server, the DNS Client support feature enables directing the configured client to the Internet. In addition, the device also needs to identify the content server's IP address. You can configure CID to operate as a DNS client. CID can be configured with the addresses of two DNS servers to use for resolution.
When the DNS client is enabled, IP addresses can be resolved in the following ways:
• Using the configured DNS servers, to which the DNS client sends queries about IP addresses of a hostname.
• Using the pre-defined static table that includes hostnames and IP addresses.
When the DNS client is disabled, IP addresses cannot be resolved.
The DNS Client has to be enabled when using the following:
• URL policies (CID has to resolve the IP address of the URL)
• Preferred sites
• HTTP Page connectivity check
• NSLOOKUP from the CLI
DNS Client also supports the use of hostnames for the following services: NTP, RADIUS, Ping, Trace-route and Mail-Traps.

To display the DNS table:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, select DNS. The DNS window appears.
3. To enable the DNS client, select the Client DNS checkbox.
4. In the DNS Primary Address text box, type the address of the primary DNS server that is used to query IP addresses of hostnames.
5. In the DNS Alternate Address text box, type the address of the backup DNS server that is used to query IP addresses of hostnames in case the primary server is not in service.
6. Click Ok to apply the setup and exit.
To display the dynamic DNS table in the CLI, type the following command:
services dns nslookup <hostname>
The DNS table is displayed.

To define the static DNS table:
1. From the DNS window, select the Static DNS option. The Static DNS Table window appears.
2. From the Static DNS Table window, set the following parameters according to the explanations provided:
   Host Name: The URL name for which you want to set the IP address.
   IP Address: The IP address of the URL.
3. Type the Host Name and IP Address and click Add to apply. The new entry is listed in the Static DNS Table.

To configure a DNS Client:
1. From the main window, click Traffic Redirection. The Traffic Redirection window appears.
2. In the Traffic Redirection window, select the DNS tab. The DNS pane appears.
3. In the DNS pane, select the Client service.
4. Check the Client DNS checkbox.
5. In the Traffic Redirection window, click DNS Settings. The DNS Configuration window appears.
6. In the DNS Configuration window, set the following parameters according to the explanations provided:
   DNS Primary Address: Type the primary IP address for the DNS Client.
   DNS Alternate Address: Type the alternative IP address.
7. Click Apply and then Ok. The new client is listed in the Traffic Redirection table.

DNS Server
CID supports DNS Server functionality, by assigning pairs of URL and IP addresses. The DNS Server enables the user to configure a static DNS table, resolving an IP address of a Farm URL address.
To configure the DNS Server:
1. In the Traffic Redirection window, select DNS.
2. Select the Server service.
3. Check the Server DNS checkbox.
4. Check the Status checkbox.
5. Type the Farm URL and Farm Address in the textboxes and click Add.
6. In the Traffic Redirection window, click DNS Settings. The DNS Configuration window appears.
7. In the DNS Configuration window, set the following parameters according to the explanations provided:
   DNS Primary Address: Type the primary IP address for the DNS server.
   DNS Alternate Address: Type the alternative IP address.
8. Click Apply and then Ok. The new server is listed in the Traffic Redirection table.

Chapter 6 - Redundancy
Chapter 6, Redundancy, introduces the redundancy concept of CID, which allows you to configure a backup device in the event of main device failure. This chapter also provides example configurations of redundancy. This chapter includes the following sections:
• Section 6-1: CID Redundancy, page 6-2
• Section 6-2: Proprietary ARP Redundancy, page 6-10
• Section 6-3: VRRP Redundancy, page 6-24
Section 6-1 CID Redundancy
Section 6-1 CID Redundancy introduces the types of redundancy configurations implemented in CID and describes capabilities as well as providing configuration examples. This section contains the following topics:
• Introducing CID Redundancy, page 6-3
• Active / Backup Setup, page 6-5
• Interface Grouping, page 6-6
• Mirroring, page 6-8

Introducing CID Redundancy
Radware recommends installing CID devices in pairs, to provide fault tolerance in the case of a single device's failure. Each pair of CIDs can function in an Active / Backup setup. To achieve redundancy between pairs of CID devices, the following methods are supported:
• Proprietary ARP: Address Resolution Protocol is used to monitor the other device in the pair and to check its availability. Using proprietary ARP redundancy, one CID can always know whether another CID is up or down. Two processes are involved in the redundancy scheme: polling and teaching. In CID, at the fail-over time, the IP Addresses of the Main device are managed by the Backup device and are associated with the Backup device's MAC Address. For example, in Figure 6-1, if CID 1 fails and CID 2 decides to pick up for it, CID 2 must assume responsibility for the IP addresses of CID 1. The teaching process is performed in the following way: once a CID interface considers the other CID interface to be down, it must assume responsibility for the failed IP address. This is how the takeover takes place. In Figure 6-1, the interface addresses of CID 2 are configured to poll the addresses of CID 1 and the interface addresses of CID 1 are configured to poll the addresses of CID 2. With VRRP, physical IP addresses are configured to poll other CID physical IP addresses.
• VRRP: Virtual Router Redundancy Protocol enables maintaining the dynamic redundancy using a virtual router. IP Addresses are associated with the Virtual MAC Addresses that are owned by the Main device, and are taken over by the Backup device at fail-over time.
The two CIDs have a mechanism that allows them to poll each other:
• The polling mechanism allows the Backup device to constantly mirror the Main device and to ensure the Main device is alive.
• The teaching mechanism is used by the Backup device when the Main device is down, letting all devices on the network know that the Backup device is now responsible for the services of the Main device.
Figure 6-1 illustrates a general redundancy scheme for CID.
Figure 6-1 CID Redundancy Scheme (Internet, Router and Users on Network A; CID 1 with Port 1 MAC A and Port 2 MAC B; CID 2 with Port 1 MAC C and Port 2 MAC D; servers on Network B)

Active / Backup Setup
In the case of an Active / Backup configuration, the main CID device is configured with main Virtual Addresses. This device performs regular CID operation, handling all the inbound sessions to the Virtual Addresses and distributing traffic among the servers in the farm. The Backup CID device is configured with identical Virtual Addresses containing the exact same servers and farm settings. This device acts as a hot standby and does not perform load balancing as long as the Main device is active.
The Backup CID periodically verifies that the Main device is available. When the Backup CID detects that the Main CID fails, the Backup device resumes control for the IP address of its main partner. When the Backup device takes control over the services, it continues to monitor the Main device. As soon as the Main device is back online, the Backup device releases the services.

Interface Grouping
To provide a complete solution for redundancy against all failures, CID employs a mechanism called Interface Grouping. If CID notices that one of its physical ports is down, it intentionally brings all other active ports down. When a physical port on CID goes down, because of a cable failure, switch port failure, hub failure, or other problems, CID performs the following tasks:
• CID examines the configuration to see if any IP addresses were configured on the port that just went down.
• If there were IP addresses configured on the port that went down, Interface Grouping is triggered: CID deactivates all other active ports.
• If there were no IP addresses configured on the port that went down, nothing happens and normal operation continues.
This solves the following problem: an active and a backup device are each connected to a switch, and the switches are cross-connected. When the cable cross-connecting the switches fails, the Main device does not detect a port failure and so Interface Grouping is not triggered, but the Backup device cannot communicate with the Main and so the Backup takes over. This causes downtime in the service.
Notes:
• Using Regular VLAN, Interface Grouping is triggered when any of the ports associated with a VLAN is down.
• Using Switched IP VLAN, Interface Grouping is triggered only when all ports on a Switched IP VLAN are down.

Backup Interface Grouping
When Backup Interface Grouping is not activated, the Backup device takes over only when all IP interfaces defined in its Redundancy Table fail, that is, the Backup device takes control only if *all* the interfaces of the Main device are out of service. Respectively, the Backup device releases those interfaces only when all the Main device's interfaces are up.
When the Backup Interface Grouping parameter is enabled, the Backup device takes control once one interface of the Main device (defined in the Redundancy Table) is out of service. Respectively, the Backup device releases the interface once all the interfaces of the Main device are available.

To enable Interface Grouping and Backup Interface Grouping:
1. From the main window,
select the main device icon, then hold the Shift (or Ctrl) key, and select the backup device icon.
2. Click Link. The Redundancies window appears.
3. In the Redundancies window, click Add. The Advanced Redundancy dialog box appears.
4. In the Device Name dropdown list, select the device for which you want to define the advanced parameters.
5. To enable Interface Grouping, select the Interface Grouping checkbox and click Ok. To enable Backup Interface Grouping, select the Backup Interface Grouping checkbox and click Ok.

Mirroring
Mirroring enables a redundant Backup device to maintain a copy of the dynamic tables of the Main device, by sending a snapshot of the Client Table information contained on the Main device to the Backup device. If the Main device fails, the Backup device seamlessly resumes the sessions, ensuring that the request for service is forwarded to the same server in the farm which handled the session before the Main device failure.
Mirroring is recommended for use with very state sensitive and long term sessions, such as Telnet or FTP. However, this feature should not be activated with HTTP applications where sessions are short and a reload mechanism is built-in or transparent. Setting up Mirroring affects the general CID performance.
Notes:
• When setting up mirroring, it is recommended to use the same CID software version for the main and for the backup devices.
• It is not recommended to use mirroring in conjunction with Layer 7 features that require Delayed Bind. This includes Dynamic Session ID Persistency, Layer 7 Policies, SSL ID tracking and so on.
• Mirroring should not be used in conjunction with the Dynamic Session ID Tracking feature.
• Server NAT and Outbound NAT sessions are not mirrored. This implies that such sessions have to be re-established after a redundancy take over.
Mirroring Configuration Guidelines:
• Mirroring parameters must be configured both on the main device and on the backup device.
• When enabling Mirroring on a Backup CID, the device must be reset.
To set up Mirroring:
1. From the device map, select the two devices by holding down the Shift button and click Link. The Redundancies window appears.
2. In the Redundancies window, click Mirroring. The Mirroring window appears.
3. In the Mirroring window, set the following parameters according to the explanations provided:
   Client Table Mirroring: Enables or disables the Client Table mirroring. Default: Disabled.
   Proximity Table Mirroring: Enables or disables the mirroring of the Proximity Table (available in CID-NP only). Default: Disabled.
   In each of the above parameters, set the following sub parameters according to the explanations provided:
   % of Table to Backup: The percentage of the Client Table / Proximity Table to send to the Backup device. The newest percentage is always sent to the backup device. Default: 100%.
   Mirror Update Time: How often the Main device sends information to the Backup device. Default: 10 seconds.
4. Click Ok to apply the setup and close the dialog box.

Section 6-2 Proprietary ARP Redundancy
Section 6-2 Proprietary ARP Redundancy presents the redundancy methods which use the Address Resolution Protocol. This section includes the following topics:
• Proprietary ARP, page 6-11
• Backup Fake ARP, page 6-12

Proprietary ARP
Using the proprietary method, the CID platform employs the Address Resolution Protocol (ARP) to check the availability of the partner. The ARP method ensures that the Radware device is available and that the network connections between the devices are up. With Proprietary ARP redundancy, the Backup device manages the polling process by continuously polling the Main device using the ARP protocol, see Table 6-1. If the Main device fails, the Backup device takes control and continues seamlessly operating between clients and servers that had been established on the primary device.
Table 6-1 ARP Polling Parameters
Parameter: Description
Polling Interval: How often the Backup device polls the Main device (in seconds). Default: 12.
Timeout: The number of polling attempts that are made before the Backup device takes over. Default: 3.
When the Main device fails,
the teaching process is realized when the Backup device sends broadcast ARPs informing its network neighbors that the IP Addresses of the Main device are now associated with its own MAC Addresses. This ensures that all traffic destined to the IP Addresses of the Main device arrives at the Backup device.

Backup Fake ARP
When two CID devices are working in the redundant mode, the Backup device constantly monitors the health of the Main device. Once the Backup device detects that the Main device fails, the Backup device takes control, which means that the Backup device now owns the IP addresses of the Main device. The Backup device sends gratuitous ARP to all local stations informing them that the main device IP addresses now correspond to the MAC addresses of the Backup device.
When the Main device is operational again, it uses the same technique. The main sends gratuitous ARP to all local stations informing them that the main device IP addresses now correspond to the MAC addresses of the Main device. In order to speed up this process, the Backup device also publishes that the IP addresses of the main correspond to the MAC addresses of the Main device. This is a fake ARP, as one device (the backup) publishes the other device (the main). This process ensures smooth redundancy from the main device to the backup.
The fake ARP might confuse some Layer 3 switches, as they update their ARP Tables by the source MAC of the packet, rather than by the MAC in the information part of the packet. The Backup Fake ARP option is enabled by default and can be disabled if needed.

Backup Device in VLAN
Using Redundancy with Bridging, the backup device must remain completely silent on the network in order to avoid broadcast storms. In such a case, this behavior must be set using the Backup device in VLAN parameter.

To enable Backup Fake ARP and Backup Device in VLAN:
1. From the main window, select the Main device (icon), then hold the Shift (or Ctrl) key, and select the Backup device.
2. Click Link. The Redundancies window appears.
3. In the Redundancies window, click Add. The Advanced Redundancy window appears.
4. From the Device Name dropdown list, select the device for which you want to set the advanced parameters.
5. To enable Backup Fake ARP, select the Backup Fake ARP checkbox and click Ok. To enable Backup device in VLAN, select the Backup device in VLAN checkbox and click Ok.
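The teaching announcements and the Backup Fake ARP described in this section, as an added example that is not Radware code: it builds the gratuitous ARP frames and replays them against two neighbour models, one that learns from the ARP sender fields and one that learns from the Ethernet source MAC (the Layer 3 switch behaviour the text says a fake ARP can confuse). The 100.1.1.10/100.1.1.11 pair follows the routing example below; the MAC values are constructed.

```python
"""Model of the proprietary ARP teaching step and of the Backup Fake ARP side effect.

Added example, not Radware code. It builds the gratuitous ARP frames the text
describes and replays them against two neighbour models: one that updates its
ARP table from the sender fields inside the ARP packet (RFC 826 behaviour) and
one that updates it from the Ethernet source MAC, the Layer 3 switch behaviour
the text says a fake ARP can confuse. MAC values are constructed.
"""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REPLY = 2
BROADCAST = b"\xff" * 6

MAIN_IP, BACKUP_IP = "100.1.1.10", "100.1.1.11"
MAC_A = bytes.fromhex("020000000a01")   # Main CID port (MAC A in Figure 6-1), constructed
MAC_C = bytes.fromhex("020000000c01")   # Backup CID port (MAC C), constructed


def gratuitous_arp(eth_src: bytes, sender_mac: bytes, ip: str) -> bytes:
    """Ethernet II + ARP announcement: sender IP == target IP, broadcast destination.

    eth_src is the frame's source MAC; sender_mac is the hardware address carried
    in the ARP payload. They differ only for the Backup Fake ARP."""
    eth = BROADCAST + eth_src + struct.pack("!H", ETH_P_ARP)
    ip4 = IPv4Address(ip).packed
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + sender_mac + ip4 + BROADCAST + ip4
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Extract the fields a neighbour would look at; rejects non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    arp = frame[14:42]
    return {
        "eth_src": frame[6:12],
        "sender_mac": arp[8:14],
        "sender_ip": str(IPv4Address(arp[14:18])),
        "target_ip": str(IPv4Address(arp[24:28])),
    }


def learn_from_payload(table: dict, frame: bytes) -> None:
    """RFC 826 merge: IP -> sender hardware address taken from the ARP packet."""
    f = parse_arp(frame)
    table[f["sender_ip"]] = f["sender_mac"]


def learn_from_eth_source(table: dict, frame: bytes) -> None:
    """The behaviour the text warns about: IP -> Ethernet source MAC of the frame."""
    f = parse_arp(frame)
    table[f["sender_ip"]] = f["eth_src"]


def is_fake_arp(frame: bytes) -> bool:
    """True when a device publishes another device's MAC (payload MAC != frame source)."""
    f = parse_arp(frame)
    return f["sender_mac"] != f["eth_src"]


def failover_sequence() -> list:
    """The three announcements from the text, in order."""
    return [
        # 1. Main fails: Backup teaches that Main's IP now maps to MAC C.
        gratuitous_arp(MAC_C, MAC_C, MAIN_IP),
        # 2. Main returns and announces its own IP with MAC A.
        gratuitous_arp(MAC_A, MAC_A, MAIN_IP),
        # 3. Backup Fake ARP: Backup (source MAC C) publishes Main's IP as MAC A.
        gratuitous_arp(MAC_C, MAC_A, MAIN_IP),
    ]


def replay(learner, frames: list) -> dict:
    """Feed frames to a neighbour model and return the ARP table it ends up with."""
    table = {}
    for frame in frames:
        learner(table, frame)
    return table
```

A neighbour that learns from the frame's source MAC ends up sending the Main device's traffic to the Backup after the fake ARP; flagging frames whose payload MAC differs from the source MAC on a monitoring port is one way to see whether that is happening.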
Example - Proprietary Redundancy with Routing
Figure 6-2 illustrates the scheme for a proprietary redundancy configuration with routing.
Figure 6-2 Proprietary Redundancy with Routing (Internet, Router and Users on the 100.1.1.x network side; CID 1 and CID 2 with Port 1 on 100.1.1.x and Port 2 on 10.1.1.x; Virtual IP Address Regular 100.1.1.100; Server 1 10.1.1.1 and Server 2 10.1.1.2 on the server side)
Properties:
• Network side and server side are on different subnets.
• Virtual IP addresses served by the CIDs: the 100.1.1.100 addresses are usually handled by CID 1.
• Servers 10.1.1.1 and 10.1.1.2 are assigned to the farm that is managed by CID.

Proprietary Redundancy with Routing - Configuration Guidelines:
1. Add the Main device and the backup device to the APSolute Insite map, and set IP addresses and routing as needed.
2. Add Server 1 and Server 2 to the map. In the network design of this example, set Farm 1 with Server 1 and Server 2 on CID 1 and on CID 2. Set the default gateway of the servers to the IP address of the Main CID, using 10.1.1.10.
3. To set Redundancy Mode, click APSolute OS > Traffic Redirection > select the farm > Edit > Traffic Settings and set the Redundancy Mode parameter of the farm to Primary on the Main CID, and to Backup on the backup CID.
4. From the main window, select the Main device icon, then hold the Shift (or Ctrl) key, and select the Backup device icon.
5. Click Link. The Redundancies window appears. In the Main Device area you can view the name and IP address of the main device; in the Backup Device area you can view the name and IP address of the backup device. These are read-only fields. From the Relation Type dropdown list, select IP Active-Backup.
6. In the Redundancies window, click Add to define which IP addresses of the Backup device correspond to IP addresses of the Main device, for each IP Interface where redundancy is provided. Insert as many entries as needed. For this example, add:
   Main Device    Backup Device
   10.1.1.10      10.1.1.11
   100.1.1.10     100.1.1.11
   Note: Make sure that CID settings on the Main and Backup devices are corresponding.
7. In the Redundancies window, click Add and set Polling Interval and Timeout for each entry.
8. In the Redundancies window, click Advanced Settings and set for each device:
   For the Main device: Select Interface Grouping, see page 6-7.
   For the Backup device: Select Backup Interface Grouping, see page 6-7. Select the Backup Fake ARP checkbox, see page 6-12.
9. When needed, set up mirroring, see page 6-8.
10. To trigger an automatic configuration update of the secondary device in a redundant configuration, from the Redundancies window, click Copy Configuration. The configuration file of the Main device is used, and is modified as needed. For example, every farm which is active on the main device is set as backup on the backup device, similarly for Virtual DNS Addresses, and so on. Then the file is sent to the backup device. The old configuration in the backup device is deleted.
   Note: The Copy Configuration button is enabled only when at least one IP Interface is set for redundancy.
11. Click Ok to accept your preferences and exit the window. The redundancy relation is visually displayed on the map.

Example - Proprietary Redundancy with Bridging
The example in Figure 6-3 illustrates the scheme for proprietary redundancy with bridging.
Figure 6-3 Proprietary Redundancy with Bridging (Internet, Router and Users on the network side; CID 1 and CID 2 bridging between Port 1 and Port 2 with IP VLAN Interfaces 100.1.1.10 and 100.1.1.11; Virtual IP Address 100.1.1.100; Server 1 and Server 2 on the server side, all on 100.1.1.x)
6-18 CID User Guide .1. From the main window. From the Relation Type dropdown list. 3. then hold the Shift (or Ctrl) key. These are read-only fields.1. In the Redundancies window. for each IP Interface where redundancy is provided. These are read-only fields. set IP addresses and routing as needed. set Farm 1 with Server 1 and Server 2 on CID 1 and on CID 2. Set the default gateway of the servers to the IP address of Main CID using 100. and select the Backup device. To set Redundancy Mode. 5. from the Redundancies window. 10. see page 6-7. Note: The Copy Configuration button is enabled only when at least one IP Interface is set for redundancy. select Backup Interface Grouping. The configuration file of the Main device is used. see page 6-8. and is modified as needed. Note: Make sure that CID settings on the Main and Backup devices are corresponding. see page 6-7. CID User Guide 6-19 . To trigger an automatic configuration update of the secondary device in a redundant configuration.Chapter 6 . every farm which is active on the main device is set as backup on the backup device.Redundancy 8. Select the Backup Device in VLAN checkbox and the Backup Fake ARP checkbox. The redundancy relation is visually displayed on the map. 11. For example. 9. Then the file is sent to the backup device. Set up mirroring. see page 6-12. Click Ok to accept your preferences and exit the window. click Advanced Settings and set for each device: For the Main device: For the Backup device: Select Interface Grouping. click Copy Configuration. similarly for Virtual DNS Addressees. When needed. The old configuration in the backup device is deleted. In the Redundancies window. and so on. 
Example - Proprietary Parallel Redundancy with Routing

The example in Figure 6-4 illustrates a scheme for proprietary parallel redundancy with routing.

[Figure 6-4 Proprietary Parallel Redundancy with Routing: Internet router 100.1.1.20 and users on the network side; CID 1 (Port 1 100.1.1.10, Port 2 10.1.1.10) and CID 2 (Port 1 100.1.1.11, Port 2 10.1.1.11); virtual addresses 100.1.1.100 (Regular on CID 1, Backup on CID 2) and 100.1.1.101 (Backup on CID 1, Regular on CID 2); Server 1 10.1.1.1, Server 2 10.1.1.2, Server 3 10.1.1.3 and Server 4 10.1.1.4 on the server side]

Proprietary Parallel Redundancy with Routing - Properties:
• Network side and server side are on different subnets.
• Servers 10.1.1.1 and 10.1.1.2 are assigned to the farms that are managed by CID 1. Servers 10.1.1.3 and 10.1.1.4 are assigned to the farms managed by CID 2.
• Virtual IP Addresses served by the CIDs: the 100.1.1.100 address is usually handled by CID 1, while the 100.1.1.101 address is handled by CID 2.
• Each CID has its own group of servers. This is because the server can have only one of the CIDs configured as its default router: CID 1 does not hold the information of the sessions that are sent to the farms of CID 2, and therefore is unable to send it back to the client correctly. For example, if CID 1 fails and its farm is configured as a backup farm on CID 2, the traffic to the farm is managed by CID 2. The server still sends the traffic to its default router, but CID 2 takes over the failing CID 1 and handles the traffic correctly.
Note: If a server is configured in an active farm on CID 1, it cannot be configured as a server in an active farm on CID 2.

Proprietary Parallel Redundancy with Routing - Configuration Guidelines:
1. Add the Main device and the backup device to the APSolute Insite map. In the network design of this example, set IP addresses and routing as needed.
2. Add Server 1 and Server 2 to the map, and set Farm 1 with Server 1 and Server 2 on CID 1 and on CID 2. Add Server 3 and Server 4 to the map, and set Farm 2 with Server 3 and Server 4 on CID 1 and on CID 2.
3. Set the default gateway of the servers that belong to active farms of CID 1 (Server 1 and Server 2) to the IP address of CID 1 using 10.1.1.10. Set the default gateway of the servers that belong to active farms of CID 2 (Server 3 and Server 4) to the IP address of CID 2 using 10.1.1.11.
4. To set Redundancy Mode, click APSolute OS > Traffic Redirection > Edit > Traffic Settings and set the Redundancy Mode parameter of the farm to Primary on the Main CID, and to Backup on the backup CID. For the farm of CID 2, set the Redundancy Mode to Primary on CID 2, and to Backup on CID 1.
Note: Make sure that CID settings on the devices are corresponding.
5. From the main window, select the Main device icon, then hold the Shift (or Ctrl) key, select the Backup device icon, and click Link. The Redundancies window appears.
6. From the Relation Type dropdown list, select IP Active-Active. In the Active 1 Device and Active 2 Device areas you can view the name and IP address of the redundant devices. These are read-only fields.
7. In the Redundancies window, set the Backup Direction as required (Device 1 Backs Up Device 2, Device 2 Backs Up Device 1, or Both). For a symmetric configuration set Both.
8. In the Redundancies window, click Add to define which IP addresses of CID 1 correspond to IP addresses of CID 2. Insert as many entries as needed, for each IP Interface where redundancy is provided, and similarly for Virtual DNS Addresses. For example, add: CID 1 10.1.1.10, CID 2 10.1.1.11; CID 1 100.1.1.10, CID 2 100.1.1.11; and so on. For each entry, click Add and set the Polling Interval and Timeout.
9. From the Redundancies window, click Advanced Settings and set for each device (now both devices act as a main device for some of the farms, and as a backup device for other farms):
For CID 1 and CID 2: Select Interface Grouping, see page 6-7. Select Backup Interface Grouping, see page 6-8. Select the Backup Fake ARP checkbox, see page 6-12.
10. When needed, from the Redundancies window, click Copy Configuration. For example, every farm that is active on CID 1 is set as backup on CID 2 and vice versa.
11. Set up mirroring, see page 6-7.
12. Click Ok to accept your preferences and exit the window. The redundancy relation is visually displayed on the map.

Section 6-3 VRRP Redundancy

Section 6-3 VRRP Redundancy describes the CID method of redundancy using the Virtual Router Redundancy Protocol. This section includes the following topics:
• Introducing VRRP, page 6-25
• VRRP Redundancy Notes, page 6-30
• Direct Server Connection with VRRP, page 6-41

Introducing VRRP

VRRP (Virtual Router Redundancy Protocol) is a standard protocol that enables dynamic router redundancy. VRRP is based on the Virtual Router (VR) concept. A VR has a Virtual Router Identifier (VRID) and one or more IP addresses associated with it. Each VR has a VRMAC, which is a MAC address associated with the VR. The VRMAC address is determined by the VRID, and does not need to be configured manually.

Typically, the main device for the VR is the device with the highest priority. To indicate that it is online, the main device constantly sends advertisements to other VRRP routers. When the advertisements stop, the main device is assumed to be inactive, and the device with the next highest priority for that VR becomes the new main device. This means that if the Main device fails, the device with the next highest priority takes over.

You need to set a priority for each VR on each CID. Typically, set a higher value on the main device, to indicate it is the Main device, and a lower value on the backup device.

In a standard CID setup, a VR is required for each interface of CID. For a typical Main-Backup scenario, 2 VRs are required:
VR-I: For the Internet side of CID.
VR-S: For the server side of CID.

Typically, the physical address of the external side of CID and the farm address are associated with VR-I. You need to configure all VRs on each CID device, and associate the appropriate IP addresses with each VR.
The physical address of the server side of the CID is associated with VR-S. The VRMAC is associated to the IP address of the main CID and to the farm IP address, and traffic is forwarded to it. This saves the need for a MAC address update in case of a failover.

Using VRRP, the same VR is configured on multiple devices to achieve redundancy between them for the VR. Each device has a priority for a VR; the priorities for all VRs on the main CID may be 255. When the main device is assumed to be inactive, a new Main device is selected for this VR, and VRRP ensures that the Backup device takes over. Using VRRP, it is possible to set up more than one redundant CID to back up a main CID with hierarchy.

To configure VRRP Redundancy:
1. From the device map, select the two device icons by holding down the Shift button and click Link. The Multiple Device Links window appears.
2. In the Multiple Device Links window, select from the tree which device is going to be the main device, backed up by the other device. Click Ok. The Redundancies window appears.
3. In the Redundancies window, select VRRP from the Mode dropdown list. The Redundancies window now displays the VRRP settings.
4. To assign virtual routers to both the Master and Backup devices, click Add. The Edit VRRP Table window appears.
5. In the Edit VRRP Table window, set the following parameters according to the explanations provided:
Interface: The Interface Number. Default: F-1.
VR ID: The virtual router's identification number. Value range: 1-255.
Enable Virtual Router (checkbox): Enables or disables the administrative status of this VR. Default: Disabled.
Priority: Assign priority. Value range: 1-255. Default: 100.
Note: The highest priority must be assigned to the primary VR.
Primary IP: The primary IP address. The device adds a default value unless the user defines one.
Authentication Type: Select the required authentication. Value range: No Authentication, Text Authentication. Default: No Authentication.
Authentication Key: Password up to 8 characters in length.
Advertisement Interval: Define the frequency for packet checks. Default: 1 second.
Preemption Mode: Define the mode, that is the takeover procedure for the VR when a device fails and then resumes functioning. When a device with a certain priority fails, the device with the next highest priority takes control of the VR. When the device with the higher priority resumes functioning, the Preemption Mode parameter defines whether this device must retake control of the VR from the device with the lower priority. Values: True (higher priority device takes over), False (device with lower priority retains control of the VR). Default: True.
Note: The router that owns the IP address associated with the VR is an exception to this definition, as it always preempts independently of this flag's setting. The False mode is only applicable when more than two devices share a VR.
Protocol: Name of the IP protocol for CID (not configurable).
6. Click Ok to save your settings and return to the Redundancies window.
7. In the Redundancies window, define which IP Addresses are backed up with VRRP, as well as Virtual DNS Addresses.
8. Click Associated IP. The Associated IP Addresses window appears.
9. In the Associated IP Addresses window, insert an entry for each IP address that you want to associate with each configured VR. Typically, CID and farm IP addresses are associated with the VR used for the external side of the device. CID addresses must be associated with the VR used for the internal side of the device. Client NAT Addresses must be associated either with the VR for the external side of the CID or with the internal one, depending on the configuration.
10. Click Ok to apply the setup and exit the window.
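As an added example (not code from the CID User Guide or from Radware), the following Python model replays the election behaviour that the Priority, Advertisement Interval and Preemption Mode parameters above describe: the highest-priority device holds the VR, a main device whose advertisements stop is replaced, and a resumed higher-priority device retakes the VR only when its Preemption Mode is True or it is the address owner (priority 255). Class and function names are this example's own; the master-down timeout formula and the VRMAC prefix are taken from RFC 3768 and are assumptions, not statements from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VirtualRouter:
    """One device's copy of a VR, using the fields of the Edit VRRP Table."""
    device: str                 # e.g. "CID 1"
    interface: str              # e.g. "F-1"
    vrid: int                   # 1-255; the VRRP notes rule out zero
    priority: int               # 1-255; 255 marks the address owner
    primary_ip: str
    enabled: bool = True        # Enable Virtual Router (Admin Status)
    preempt: bool = True        # Preemption Mode
    adv_interval: float = 1.0   # Advertisement Interval, in seconds
    associated_ips: List[str] = field(default_factory=list)

    def validate(self) -> List[str]:
        """Range checks from the parameter table and the VRRP Redundancy Notes."""
        problems = []
        if not 1 <= self.vrid <= 255:
            problems.append(f"{self.device}: VRID {self.vrid} is outside 1-255")
        if not 1 <= self.priority <= 255:
            problems.append(f"{self.device}: priority {self.priority} is outside 1-255")
        if len(self.associated_ips) > 255:
            problems.append(f"{self.device}: more than 255 addresses on VRID {self.vrid}")
        return problems

    def vrmac(self) -> str:
        """The VRMAC is derived from the VRID; the 00-00-5E-00-01 prefix is RFC 3768's."""
        return f"00:00:5e:00:01:{self.vrid:02x}"

    def master_down_interval(self) -> float:
        """Silence after which the main device is declared inactive. The formula
        3 * Advertisement_Interval + Skew_Time is RFC 3768's (assumed, not on the page)."""
        return 3 * self.adv_interval + (256 - self.priority) / 256


class VrrpGroup:
    """All copies of one VRID across the redundant devices, plus election state."""

    def __init__(self, members: List[VirtualRouter]) -> None:
        self.members: Dict[str, VirtualRouter] = {m.device: m for m in members}
        self.master: Optional[str] = None
        self.last_adv: Dict[str, float] = {}

    def check_consistency(self) -> List[str]:
        """VRRP notes: the same VRID, interface and addresses on every device."""
        problems: List[str] = []
        first = next(iter(self.members.values()))
        for m in self.members.values():
            problems += m.validate()
            if (m.vrid, m.interface) != (first.vrid, first.interface):
                problems.append(f"{m.device}: VRID/interface differ from {first.device}")
            if set(m.associated_ips) != set(first.associated_ips):
                problems.append(f"{m.device}: associated addresses differ from {first.device}")
        return problems

    def advertise(self, device: str, now: float) -> None:
        """Record an advertisement heard from `device` at time `now` (seconds)."""
        self.last_adv[device] = now

    def _alive(self, vr: VirtualRouter, now: float) -> bool:
        last = self.last_adv.get(vr.device)
        return last is not None and now - last <= vr.master_down_interval()

    def elect(self, now: float) -> Optional[str]:
        """Return the device holding the VR at time `now`: highest priority wins,
        a silent main device is replaced, and a resumed device retakes the VR only
        if its Preemption Mode is True or it is the address owner (priority 255)."""
        alive = [m for m in self.members.values() if m.enabled and self._alive(m, now)]
        if not alive:
            self.master = None
            return None
        best = max(alive, key=lambda m: m.priority)
        current = self.members.get(self.master) if self.master else None
        if current is None or current not in alive:
            self.master = best.device          # failover: the main device went silent
        elif best.priority > current.priority and (best.preempt or best.priority == 255):
            self.master = best.device          # the resumed device retakes the VR
        return self.master


def demo_failover(main_priority: int = 255, preempt: bool = True) -> List[Optional[str]]:
    """Replay the chapter's two-device example (VRID 100 on F-1: CID 1 main,
    CID 2 backup with priority 100) through failure and recovery of CID 1.
    Returns the VR holder after the initial election, after the failure and
    after CID 1 resumes. The timestamps are constructed sample input."""
    cid1 = VirtualRouter("CID 1", "F-1", 100, main_priority, "100.1.1.10",
                         preempt=preempt, associated_ips=["100.1.1.100"])
    cid2 = VirtualRouter("CID 2", "F-1", 100, 100, "100.1.1.11",
                         associated_ips=["100.1.1.100"])
    group = VrrpGroup([cid1, cid2])
    assert not group.check_consistency(), "both devices must carry the same VR"
    history: List[Optional[str]] = []
    for t in range(0, 3):                      # both advertise every second
        group.advertise("CID 1", t)
        group.advertise("CID 2", t)
    history.append(group.elect(2))             # CID 1: highest priority
    for t in range(3, 8):                      # CID 1 falls silent
        group.advertise("CID 2", t)
    history.append(group.elect(7))             # CID 2 takes over after the timeout
    group.advertise("CID 1", 8)                # CID 1 resumes advertising
    group.advertise("CID 2", 8)
    history.append(group.elect(8))             # depends on Preemption Mode / ownership
    return history
```

Calling demo_failover() returns ['CID 1', 'CID 2', 'CID 1'], while demo_failover(200, preempt=False) returns ['CID 1', 'CID 2', 'CID 2'] because a non-owner with Preemption Mode False does not retake the VR.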
Note: Up to 255 IP Addresses can be associated with a single VRID.

VRRP Redundancy Notes

The following notes are provided to assist you with initial use of VRRP.
• Each VRID must be a unique ID number. This is true even for VRIDs on different interfaces.
• Zero cannot be configured as a VRID number.
• Upon creating a VR on a port, there must be at least one IP interface configured on that physical port.
• Ensure that the same parameters are configured in both devices for each VRID.
• If two Radware devices belong in the same subnet, and each device is backed up by a VRRP router, the VRID numbers for both devices must also be different.
• If, on a certain interface, a Radware device has IP Addresses which belong to a subnet that the Backup device does not have on the same interface, then it is the user's responsibility to configure the Radware device with a primary IP Address that belongs to a subnet which the Backup device has.
• VRRP is not supported in a VLAN network design using Regular VLANs, excluding designs with server Direct Connection.
• When using interface grouping: If a certain VRID's Admin Status is Disabled, then either all VRIDs in that device are disabled too, or all copies of that VRID in other devices are disabled as well.

Example - Redundant CIDs with VRRP

The example in Figure 6-5 illustrates the scheme for redundant CID configuration with VRRP.

[Figure 6-5 Redundant CID Configuration with VRRP: Internet router 100.1.1.20 on the network side; CID 1 (Port 1 100.1.1.10, Port 2 10.1.1.10) and CID 2 (Port 1 100.1.1.11, Port 2 10.1.1.11); virtual address 100.1.1.100 (Regular on CID 1, Backup on CID 2); servers 10.1.1.1 and 10.1.1.2 on the server side]

Redundant CIDs with VRRP - Properties:
• Network side and server side are on different subnets.
• Servers 10.1.1.1 and 10.1.1.2 are assigned to the farm that is managed by CID 1.
• Virtual IP addresses served by the CIDs are 100.1.1.100, usually handled by CID 1.
• Redundancy is performed using the VRRP protocol.

Redundant CIDs with VRRP - Configuration Guidelines:
1. Add CID 1 and CID 2 to the APSolute Insite map, and set IP addresses and routing as appears in Figure 6-5.
2. Add Server 1 and Server 2 to the map, and set Farm 1 with Server 1 and Server 2 on CID 1 and on CID 2. Set the default gateway of the servers to the IP address of CID 1 using 10.1.1.10.
3. To set Redundancy Mode, click Traffic Redirection > (select the farm) Edit > Traffic Settings and set the Redundancy Mode parameter of the farm to Primary on CID 1, and to Backup on CID 2.
4. Set the VRRP for CID 1 (Master Device):
a. Double click on CID 1. The Set-Up window appears.
b. In the Set-Up window, select Redundancies. The Redundancies window appears.
c. From the Mode dropdown list, select VRRP.
d. Click Add on the left side to add VRs to the master device configuration and set the following parameters according to the explanations provided:
Interface: F-1, VRID: 100, Enable Virtual Router: Selected, Priority: 255, Primary IP: 100.1.1.10
Interface: F-2, VRID: 10, Enable Virtual Router: Selected, Priority: 255, Primary IP: 10.1.1.10
e. Access the Associated IP Addresses Table by clicking on Associated IP. The Associated IP Address window appears.
f. In the Associated IP Address window, set the following parameters according to the explanations provided:
Interface: F-1, VRID: 100, IP Address: 100.1.1.100 (Farm IP Address)
Interface: F-2, VRID: 10, IP Address: 10.1.1.10 (CID IP Address)
g. Click Add.
5. In the same window, set the VRRP for CID 2 (Backup Device):
a. In the Edit VRRP table, set the following parameters according to the explanations provided:
Interface: F-1, VRID: 100, Enable Virtual Router: Selected, Priority: 100, Primary IP: 100.1.1.11
Interface: F-2, VRID: 10, Enable Virtual Router: Selected, Priority: 100, Primary IP: 10.1.1.11
b. Access the Associated IP Addresses Table by clicking on Associated IP. The Associated IP Address window appears.
c. From the Associated IP Address window, set the following parameters according to the explanations provided:
Interface: F-1, VRID: 100, IP Address: 100.1.1.100 (Farm IP Address)
Interface: F-2, VRID: 10, IP Address: 10.1.1.10 (CID IP Address)
d. Click Add.
6. In the Redundancies window, click Advanced Redundancy. The Advanced Redundancy window appears.
7. In the Advanced Redundancy window, select the Interface Grouping checkbox for the main device.
8. From the Advanced Redundancy dialog box, select the Backup Interface Grouping checkbox for the backup device if required.

Example - Parallel Redundant CIDs with VRRP

The example in Figure 6-6 illustrates the scheme for a parallel redundant CID configuration with VRRP.

[Figure 6-6 Parallel Redundant CIDs with VRRP: Internet router 100.1.1.20 on the network side; CID 1 (Port 1 100.1.1.10, Port 2 10.1.1.10) and CID 2 (Port 1 100.1.1.11, Port 2 10.1.1.11); virtual addresses 100.1.1.100 (Regular on CID 1, Backup on CID 2) and 100.1.1.101 (Backup on CID 1, Regular on CID 2); Server 1 10.1.1.1, Server 2 10.1.1.2, Server 3 10.1.1.3 and Server 4 10.1.1.4 on the server side]

Parallel Redundant CIDs with VRRP - Properties:
• Network side and server side are on different subnets.
• Servers 10.1.1.1 and 10.1.1.2 are assigned to the farms that are managed by CID 1. Servers 10.1.1.3 and 10.1.1.4 are assigned to the farms managed by CID 2.
• Virtual IP Addresses served by the CIDs: the 100.1.1.100 address is usually handled by CID 1, while the 100.1.1.101 address is handled by CID 2.
• Each CID has its own group of servers. This is because the server can have only one of the CIDs configured as its default router. Traffic coming from CID 2 is not returned through it but through CID 1; CID 1 does not hold the information of the sessions that are sent to the farms of CID 2 and therefore is unable to send the information back to the client correctly. If CID 1, whose farm was configured as a backup farm on CID 2, fails, the traffic to the farm is managed by CID 2. The server still sends the traffic to the default router, for example, CID 1, but CID 2 takes over the failing CID 1 and handles the traffic correctly.
Note: If a server is configured in an active farm on CID 1, it cannot be configured as a server in an active farm on CID 2.

Configuration: This configuration is the same as in the Example on page 6-31, however in this example, each device is both active and backup.
1. Add the Main device and the backup device to the APSolute Insite map. In the network design of this example, set IP addresses and routing as needed.
2. Add Server 1 and Server 2 to the map, and set Farm 1 with Server 1 and Server 2 on CID 1 and on CID 2. Add Server 3 and Server 4 to the map, and set Farm 2 with Server 3 and Server 4 on CID 1 and on CID 2.
3. Set the default gateway of the servers that belong to active farms of CID 1 (Server 1 and Server 2) to the IP address of CID 1 using 10.1.1.10. Set the default gateway of the servers that belong to active farms of CID 2 (Server 3 and Server 4) to the IP address of CID 2 using 10.1.1.11.
4. To set Redundancy Mode, click Traffic Redirection > (select the Farm) Edit > Traffic Settings and set the Redundancy Mode parameter of the farm to Primary on the Main CID, and to Backup on the backup CID. For the farm of CID 2, set the Redundancy Mode to Primary on CID 2, and to Backup on CID 1.
5. From the main window, select CID 1, then hold the Shift (or Ctrl) key, select CID 2, and click Link. The Multiple Device Links window appears.
6. In the Multiple Device Links window, select from the tree which device is going to be the main device, backed up by the other device. Click Ok. The Redundancies window appears.
7. In the Redundancies window, select VRRP from the Mode dropdown list. The VRRP parameters appear in the Redundancies window in two panes, presenting CID 1 VRRP parameters and CID 2 VRRP parameters.
8. In the Redundancies window CID 1 pane, click Add. The Edit VRRP Table window appears.
9. In the Edit VRRP Table, set the following parameters for CID 1 according to the explanations provided:
Interface: F-1, VRID: 100, Enable Virtual Router: Selected, Priority: 255, Primary IP: 100.1.1.10
Interface: F-1, VRID: 101, Enable Virtual Router: Selected, Priority: 100, Primary IP: 100.1.1.10
Interface: F-2, VRID: 10, Enable Virtual Router: Selected, Priority: 255, Primary IP: 10.1.1.10
Interface: F-2, VRID: 11, Enable Virtual Router: Selected, Priority: 100, Primary IP: 10.1.1.10
Click Ok. The Edit VRRP Table window closes.
10. Perform the same procedure for CID 2 by setting the following parameters according to the explanations provided:
Interface: F-1, VRID: 100, Enable Virtual Router: Selected, Priority: 255, Primary IP: 100.1.1.11
Interface: F-1, VRID: 101, Enable Virtual Router: Selected, Priority: 100, Primary IP: 100.1.1.11
Interface: F-2, VRID: 10, Enable Virtual Router: Selected, Priority: 255, Primary IP: 10.1.1.11
Interface: F-2, VRID: 11, Enable Virtual Router: Selected, Priority: 100, Primary IP: 10.1.1.11
Click Ok. The Edit VRRP Table window closes.
11. Access the Associated IP Addresses Table by clicking on Associated IP. The Associated IP Address window appears.
12. From the Associated IP Address window, set the following parameters according to the explanations provided:
Interface: F-1, VRID: 100, IP Address: 100.1.1.100 (Farm IP Address)
Interface: F-1, VRID: 101, IP Address: 100.1.1.101 (Farm IP Address)
Interface: F-1, VRID: 100, IP Address: 100.1.1.10 (CID IP Address)
Interface: F-1, VRID: 101, IP Address: 100.1.1.11 (CID IP Address)
Interface: F-2, VRID: 10, IP Address: 10.1.1.10 (CID IP Address)
Interface: F-2, VRID: 11, IP Address: 10.1.1.11 (CID IP Address)
Click Ok and Ok again.
13. Define Interface Grouping:
a. From the Redundancies window, click Advanced Redundancy. The Advanced Redundancy window appears.
b. Select the Interface Grouping checkbox and click Add.
The redundancy configuration is complete.

Direct Server Connection with VRRP

VRRP with Switched IP VLAN allows direct connection of servers to CID in conjunction with routing and bridging. CID uses routing (Figure 6-7) or bridging (Figure 6-8) between the external network connected to routers or switches, and the internal network connected to servers.

Using routing with Layer 2 or Layer 3 switches, servers with dual Network Interface Cards are directly connected to CID devices. In this configuration, you must avoid a configuration that contains a loop, either connecting CID and servers or connecting CID to the external subnet. For example, having a cross cable between the switches as well as between CID devices, or connecting each CID to 2 cross-connected switches where the 2 connections are on the same Switched IP VLAN on CID, must be avoided.

Using bridging, you need to configure a Regular VLAN including the switch IP VLAN and the CID interface to the external side. This creates a bridge between the Switched VLAN and the interface to the external side. When needed, multiple CID interfaces can be added to this Regular VLAN. This puts all the servers on a single switch. A cross cable is required in order to connect the two CID devices together (using the Giga or Fast Ethernet ports).

Figure 6-7 illustrates the scheme for a direct server connection with VRRP and Routing.

[Figure 6-7 Direct Server Connection with VRRP and Routing: routers or switches on the external side; two CIDs, with a Switch IP VLAN on CID-L and on CID-R; servers on the internal side]

Configuration Notes:
• This configuration is supported with VRRP and Switched IP VLAN only.
• Servers are connected directly to the interfaces of CID.
• The interfaces to which the servers are connected and the interface used for connecting the CID devices are associated to a Switched IP VLAN.
• An IP address should be associated with the Switched IP VLAN in each device.
• The default gateway for the servers is the IP address of the Switched IP VLAN of the active CID. For example, the default gateway of a server that belongs to an active farm on CID1 is the IP address of the Switched IP VLAN of CID1.
• CID uses routing between the subnet of the servers and the external subnet.
• The CID farm and redundancy configurations remain as usual.
• A cross cable is required in order to connect two CID devices (using Giga or Fast Ethernet ports). This is essential in order to avoid loops in the network.
• When adding or removing ports to a Switch IP VLAN that is already associated to a VRID, the user must set the VRID Admin Status to Down, make the change and then set the VRID Admin Status to Up again.
Note: When using dual NIC, where the active NIC is determined by ping to the default gateway, set a virtual DNS with IP 10.1.1.20 on CID. This IP should be the default gateway of the servers. In the Associated IP Addresses Table window configure the following entries: Interface=100002, VRID=10, Associated IP=10.1.1.20.

Figure 6-8 illustrates the scheme for a direct server connection with VRRP and Bridging.

[Figure 6-8 Direct Server Connection with VRRP and Bridging: routers or switches on the external side; two CIDs, with a Switch IP VLAN on CID-L and on CID-R; servers on the internal side]

Configuration Notes:
• Direct server connection with VRRP and Routing is supported with VRRP and Switched VLAN type only.
• Servers are connected directly to the interfaces of CID.
• The interfaces to which the servers are connected and the interface used for connecting the CIDs are associated to a Switched IP VLAN.
• Using a Switched VLAN as part of a Regular VLAN: configure a Regular VLAN including the switch IP VLAN and the CID interface towards the external side. This creates a bridge between the Switched VLAN and the interface with the external side. When needed, multiple CID interfaces can be added to this Regular VLAN. This puts all the servers on a single switch.
• Only a single Switched IP VLAN can be part of a Regular VLAN. However, the number of physical interfaces that can participate in a Regular VLAN (with or without a Switched IP VLAN) is not limited.
• Associate an IP address with the Regular VLAN in each device.
• CID sends VRRP advertisements only on ports that participate in the Regular VLAN but do not participate in the Switched VLAN. Ensure that the CID devices have an active connection between such ports.
• The servers' default gateway must also be used as the default gateway of CID.
• A cross cable is required in order to connect the CID devices (using Giga or Fast Ethernet ports).
• Both the CID farm configuration and the CID redundancy configuration function as usual.
• Before adding or removing ports to a Switch IP VLAN that is associated to a VRID, the VRID Admin Status must first be set to Down. Following the configuration change, the VRID Admin Status should be reset to Up again.
Interface Grouping Used with Direct Connection

Interface grouping is always part of the CID redundancy mechanism. Enabling the Interface Grouping function on the Main device ensures that if one of the interfaces of the device fails, the device closes all its other interfaces and becomes invisible to the network. To support a redundant configuration with direct server connectivity, the interface grouping operation is modified: grouping takes place only when all interfaces that were configured in a Switched VLAN are down, or when any other port in the Regular VLAN is down. Interface grouping is released when all interfaces in the Switched VLAN are up and when all other ports in the Regular VLAN are up.

Example - Redundant CIDs with VRRP and Direct Connection

The example in Figure 6-9 illustrates the scheme for a redundant CID configuration with VRRP and direct connection. VRRP with Switched IP VLAN allows direct connection of servers to CID.

[Figure 6-9 Redundant CIDs with VRRP and Direct Connection: Internet router 100.1.1.20 and users on the network side; CID 1 (Port 1 100.1.1.10, Switched IP VLAN 10.1.1.10 on Ports 2 and 4) and CID 2 (Port 1 100.1.1.11, Switched IP VLAN 10.1.1.11 on Ports 3 and 4); virtual address 100.1.1.100 (Regular on CID 1, Backup on CID 2); directly connected servers 10.1.1.1 and 10.1.1.2, possibly with dual NIC]

Redundant CIDs with VRRP and Direct Connection - Properties:
• Servers are directly connected to CID, possibly with dual NIC.
• Network side and server side are on different subnets.
• Servers 10.1.1.1 and 10.1.1.2 are assigned to the farm managed by CID 1.
• The virtual IP address served by the CIDs is 100.1.1.100, usually handled by CID 1.
• Redundancy is performed using the VRRP protocol.

To configure Redundant CIDs with VRRP and Direct Connection:

Active CID Configuration (CID 1):
1. Define CID 1:
a. From the main window, click Add. The CID Connect to Device window appears.
b. Type the device's IP address: 100.1.1.10 and click Ok.
2. Define VLAN on CID 1:
a. From the main window, double click the CID device icon. The Set-Up window appears.
b. In the Set-Up window, click Networking > VLAN. The Virtual VLAN window appears.
c. In the Virtual VLAN window, click Add. The Interface window appears.
d. In the Type dropdown list, select Switch.
e. In the Interface window, set the following parameters according to the explanations provided:
IF Num: 100002, IP Address: 10.1.1.10, Network Mask: 255.255.255.0
f. Ensure the Protocol is set to IP.
g. Select the IP VLAN Interface 100002 and assign ports 2 and 4. Click Ok.
3. Add 2 servers:
a. From the main toolbar, click Add and from the dropdown menu add a local server. The Server window appears.
b. In the Server window, set: Server Name: Server 1, IP Address: 10.1.1.1. Click Ok. The Server icon appears in the map area.
c. Add the second server by setting the following parameters according to the explanations provided: Server Name: Server 2, IP Address: 10.1.1.2.
4. Add a farm to CID 1:
a. Select the CID device icon and the Server 1 and Server 2 icons, and click Link. The Farm window appears.
b. In the Farm window, set the following parameters according to the explanations provided:
Device: CID 1, Farm Name: Farm 1, Active Farm: Enabled, VIP Address: 100.1.1.100
c. In the Farm window, click the Traffic Settings tab and set the Redundancy Mode parameter to Primary.
d. Click Ok.
5. Add servers to Farm 1:
a. Double click on the Server icon. From the CID toolbar, click Farm Servers > Add. The Farm Servers window appears.
b. In the Farm Servers window, set the following parameters for each server:
For the first server, set: Server Name: Server 1, Server Address: 10.1.1.1, Operation Mode: Regular
Add the second server by setting: Server Name: Server 2, Server Address: 10.1.1.2, Operation Mode: Regular
c. Click Ok.
6. Define the Redundancy for CID 1:
a. Double click the CID icon. The CID window appears.
b. In the Set-Up window, select Redundancies. The CID Redundancies window appears.
c. From the Mode dropdown list, select VRRP.
d. In the Redundancies window, click Add. The Edit VRRP Table dialog box appears.
7. In the Edit VRRP Table, set the following parameters for CID 1:
Interface: 1, VRID: 100, Enable Virtual Router: Selected, Priority: 255, Primary IP: 100.1.1.10
Interface: 100002, VRID: 10, Enable Virtual Router: Selected, Priority: 255, Primary IP: 10.1.1.10
Click Ok.
8. In the Redundancies window, click Associated IP. The Associated IP Address window appears.
9. In the Associated IP Address window, set the following parameters according to the explanations provided:
Interface: 1, VRID: 100, Associated IP: 100.1.1.100 (Farm IP Address)
Interface: 1, VRID: 100, Associated IP: 100.1.1.10 (CID IP Address)
Interface: 100002, VRID: 10, Associated IP: 10.1.1.10 (CID IP Address)
Click Ok.
Note: When using dual NIC, where the active NIC is determined by ping to the default gateway, set a virtual DNS with IP 10.1.1.20 on CID. This IP should be the default gateway of the servers. In the Associated IP Addresses Table window configure the following entries: Interface=100002, VRID=10, Associated IP=10.1.1.20.
10. From the Redundancies window, click Advanced Redundancy. The Advanced Redundancy window appears.
11. Select the Interface Grouping checkbox and click Ok.

Backup CID Configuration (CID 2):
1. Define CID 2:
a. From the main window, double click the CID icon. The CID Connect to Device window appears.
b. Type the device's IP address: 100.1.1.11 and click Ok.
2. Define VLAN on CID 2:
a. From the main window, double click the CID device icon. The Set-Up window appears.
b. In the Set-Up window, click Networking > VLAN. The Virtual VLAN window appears.
c. From the CID Virtual VLAN window, click Add. The Edit CID Interface window appears.
d. From the Type dropdown list, select Switch.
e. From the Edit CID Interface window, set the following parameters according to the explanations provided:
IF Num: 100002, IP Address: 10.1.1.11, Network Mask: 255.255.255.0
f. Ensure the Protocol is set to IP.
g. Select the IP VLAN Interface 100002 and assign ports 3 and 4. Click Ok.
3. Add a farm to CID 2:
a. Select the CID icon and the Server 1 and Server 2 icons, and click Link. The Farm window appears.
b. In the Farm window, set the following parameters according to the explanations provided:
Device: CID 2, Farm Name: Farm 2, Active Farm: Enabled, VIP Address: 100.1.1.100
c. In the Edit CID Farm window, click Traffic Settings and set the Redundancy Mode parameter to Backup.
d. Click Ok.
4. Add servers to Farm 2:
a. From the CID window, click Farm Servers > Add. The Farm Servers window appears.
b. In the Farm Servers window, set the following parameters for each server. For the first server, set: Server Name: Server 1, Server Address: 10.1.1.1, Operation Mode: Regular
5. Define the Redundancy for CID 2:
a. Double click the CID icon.
b. In the Set-Up window, select Redundancies.
c. From the Mode dropdown list, select VRRP.
d. In the Redundancies window, click Add. The Edit VRRP Table window appears.
e. In the Edit VRRP Table, set the following parameters for CID 2 according to the explanations provided:
Interface: 1, VRID: 100, Enable Virtual Router: Selected, Priority: 100, Primary IP: 100.1.1.11
Interface: 100002, VRID: 10, Enable Virtual Router: Selected, Priority: 100, Primary IP: 10.1.1.11
The Associated IP Address window appears.1 and 10.1. click Add. b.2 Regular Note: The default router of the servers 10. The CID window appears. In the CID window.1.20.1. CID User Guide 6-53 .1. The CID Redundancies window appears. c.1. the default gateway of servers is the Virtual DNS address 10. f. or when using dual NIC.1. Click Ok.2 is the 10.Redundancy Add the second server by setting the following parameters according to the explanations provided: Server Name: Server Address: Operation Mode: Server 2 10. 1.100 (Farm IP Address) 1 100 100.1. Click Ok. with Redundancy Mode on the Backup.VRRP Redundancy g.1.1. configure a virtual DNS with IP address 10.1. When using servers with dual NIC.120 6-54 CID User Guide .1. where active NIC is determined using ping to default gateway.1. i.1.10 (Main CID IP Address) h. In the Associated IP Address window.20. set the following parameters according to the explanations provided Interface: VRID: Associated IP: Interface: VRID: Associated IP: Interface: VRID: Associated IP: 1 100 100.10 (Main CID IP Address) 100002 10 10.1. set the following parameters according to the explanations provided: Interface: VRID: Associated IP: 100002 10 10. In the Associated IP Address pane.1. This chapter includes the following sections: • • • Introducing Health Monitoring. page 7-25 CID User Guide 7-1 .CHAPTER 7 Chapter 7 - Health Monitoring Chapter 7. Health Monitoring. page 7-2 Configuring Health Checks.02. describes the Health Monitoring module included in the Radware APSolute OS 10.21. page 7-5 Health Check Methods. page 7-3 Health Check. page 7-4 Binding and Groups.Introducing Health Monitoring Section 7-1 Introducing Health Monitoring Section 7-1 Introducing Health Monitoring describes the general function of the Health Monitoring module and the basic health monitoring concepts. page 7-3 Checked Element. This section includes the following topics: • • • • • Module. page 7-3 Method. page 7-16 7-2 CID User Guide . CID User Guide 7-3 . 
Module

The Health Monitoring module, implemented on all Radware IAS (Intelligent Application Switching) products, is responsible for checking the health of network elements such as servers, firewalls, and Next Hop Routers (NHRs) that are managed by the IAS device, to enable the IAS device to load balance traffic among the available resources. The Health Monitoring module determines which network elements are available for service. Traffic management decisions are based mainly on the availability of the load balanced elements and on other resources on the data path.

The module provides flexible configuration for health monitoring of the load balanced elements and enables you to create dependencies between health checks of different elements. The health of a checked element may depend on a network element that the IAS device does not load balance. For example, the health of a server managed by CID may depend on the health of a database server or other application servers which are not load balanced by the CID. The module supports various pre-defined and user defined checks.

Checked Element

A Checked Element is a network element that is managed and load balanced by the Radware device. CID-checked elements are the Farm Servers and NHRs.

Health Check

A Health Check defines how to test the health of any network element (not necessarily a Checked Element). A network element can be tested using one or several Health Checks. A check configuration includes such parameters as the check method, the TCP/UDP port to which the test should be sent, the time interval for the test, its timeout, the number of retries, and more. These parameters are explained in detail in the Regular Health Check section.

Method

Health check methods are applications or protocols that the IAS device uses to check the health of network elements. For example, a method can be Ping, HTTP or other. Although the Health Monitoring module provides a wide array of predefined methods, user defined methods are also supported. In addition, method-specific arguments can be configured for each method. For a complete list of supported health check methods, refer to Health Check Methods, page 7-25.

Section 7-2 Configuring Health Checks

Section 7-2 Configuring Health Checks describes how to configure health monitoring according to health check types. This section includes the following topics:
• Global Configuration, page 7-6
• Health Checks Database, page 7-9
• Binding and Groups, page 7-16
• Regular Health Check, page 7-19
• Group Health Check, page 7-22
• Farm Health Check, page 7-23

Global Configuration

The Health Monitoring module is configured in several ways: using the Health Monitoring feature in APSolute Insite, from Web Based Management, or via CLI. Setting up the Health Monitoring module on an IAS device involves the following steps:
1. Enable the Health Monitoring Module: in the Health Monitoring Settings window, set the Health Monitoring parameter to Monitoring Enabled.
2. Set the Connectivity Method of each farm to Disabled. This allows the device to use the results of the Health Monitoring Module to determine the status of the servers in this farm.

Note: APSolute Insite supports both farm-oriented and server-oriented Health Monitoring configurations. The farm-oriented configuration automates and simplifies the Health Monitoring configuration process for large configurations containing farms with multiple servers.

Global Parameters Setup

In APSolute Insite, global parameters setup is done through the Health Monitoring Settings window.

To configure Global Health Monitoring:
1. Double click on the CID device icon. The Set-Up window appears.
2. In the Set-Up window, select Global. The Global pane appears.
3.
In the Global pane, check Health Monitoring Settings and then click Edit Settings. The Health Monitoring Settings window appears.
4. In the Health Monitoring Settings window, set the following parameters according to the explanations provided:
   Health Monitoring: Enable the module. Default: Disabled.
   Response Level Samples: Define the Response Level for each check. This is the average ratio between the actual response time and the configured Timeout. The Health Monitoring Module enables users to track the round trip time of health checks. The average is calculated over a number of samples as defined in the Response Level Samples parameter (floating average). A value of 0 in the Response Level Samples parameter disables the feature; any other value between 1-9 defines the number of samples to be used. Response Time Load Balancing is achieved through the use of the Response Time dispatch method. The device load balances the traffic to the "fastest" element until the Load Factors are equal. For more information, see Dispatch Methods, page 4-7.
   SSL Certificate File: This file is used by the device when the Web server requires a Client Certificate during the SSL handshake. Default: Client Certificate generated by the device.
   SSL Private Key File: This file is used by the device when the Web server requires a key during the SSL handshake. Default: Private Key generated by the device.
5. Click Ok to apply the setup. The window closes.

Health Checks Database

APSolute Insite enables you to configure and view the currently defined health checks in a database, prior to attaching them to a network element.

To configure the Health Check database:
1. From the main window, select a device and select APSolute OS > Health Monitoring. The Health Checks window appears.
2. In the Health Checks window, click Health Checks DB. The Device Health Check DB window appears.
3. In the Health Check DB window, click Add. The Device Edit Health Check window appears. In this window you can create a new entry for the Health Check DB.
4. Set up the Regular check parameters for the device according to the explanations provided:
   Health Check Name: Type the name of the new check.
   Method: From the dropdown list, select the check method. The method can be any of the pre-defined checks, or a TCP User Defined check. For the full description of methods, see Table 7-1 on page 7-26. Note: When updating a check, the method cannot be changed.
   Destination Host: Specify the IP address or the host name of the checked element. Notes:
   • You can specify any IP address other than 0.0.0.0, to enable the testing of any network element (not only a checked element).
   • DNS Client must be enabled when host names are defined by the user.
   Next Hop IP Router: Type the IP address of the Next Hop Router that should be used for the Health Check. This means that the Health Check is sent to the destination MAC address of the IP address configured in this field. You can use this parameter to check the accessibility of a Content Server or a cache server to the Internet (the Destination IP Address is somewhere on the Internet, the Next Hop IP Address is the Cache Server's address). The Next Hop IP Address should be on the same network segment as one of the device interfaces. When this field is left blank and the Destination IP Address does not reside on the same subnet, the Health Monitoring module uses the device's Routing Table to forward the packet. Note: The Next Hop IP Address is not used for ARP checks since ARP checks are performed only on the same broadcast domain.
   Destination Port: The destination TCP/UDP port number to which the health check is sent. If this parameter is not configured, the device uses the default port number based on the method. For example: Port 80 for HTTP.
   Interval: Define the time interval between checks. This interval defines the health check's execution interval in seconds. This field accepts only integers, and its value must be greater than the timeout value. Maximum value is 2^32-1 seconds. Default: 10.
   Retries: Define the number of times that a health check must fail before the Health Monitoring module reevaluates the element's availability status. Note: This field accepts only integers.
   Timeout: Define the maximum number of seconds that the device waits for a response to the Health Check. Maximum value is 2^32-2 seconds. Note: This field accepts only integers.
   No New Session Timeout: The amount of time to pass, since initiating a check, until CID recognizes this element as heavily loaded and does not send any new sessions to it.
   Response Level: Define the response level of the checked element, see page 7-7. If applicable, check to enable this option.
   Measure Response Time: Using the Response Time Dispatch Method, this parameter indicates whether the response time of this check participates in measuring response time. Note that average response time is calculated over a number of checks as defined in the Response Level Samples parameter, see Global Parameters Setup, page 7-7. For more information on this dispatch method, see Dispatch Methods, page 4-7.
5. Click Ok to apply the setup. The Regular health checks you defined are listed in the CID Health Checks table.
6. For each selected method, you can edit the arguments. Click Method Arguments. The Edit Method Arguments window appears with additional configurable parameters for the selected method, see Table 7-1 on page 7-26. Note: Arguments are method-specific. For the full list, see Table 7-2 on page 7-35.
7. Select or type the relevant values for the arguments and click Ok. The Edit Method Arguments window closes. The information you added appears in the Specific Check Parameters pane in the Edit Health Check window.
8. From the Edit Health Check window, click Ok. The health check is configured and the Edit Health Check window closes. The new health check now appears in the Health Check DB window table.
9. From the Health Check DB window, repeat steps 2-5 to configure each Health Check.

Action Macro

Radware devices support a wide range of health monitoring checks, allowing for highly granular checks and monitoring capabilities. The result of these checks is always a status, either "Active" or "Down". The Action Macro feature complements this capability and allows performing an action based on the status of a health check. The action is performed by running a predefined macro file, which is bound to the health check.

Configuration of the feature involves the following stages:
1. Define the relevant health checks in the Health Checks DB window.
2. Record the macro files you wish to execute upon receiving a trap from the device.
3. Through the Health Check Actions window, available by clicking the Action button in the CID Health Check DB window, bind the health checks and the macro files.

To configure an Action macro:
1. From the Health Checks DB window, choose the required health check in the Check Name field and set the Condition (Success or Fail) for that check.
2. Click Action Arguments and in the Macro Action window choose the relevant device and the relevant Macro File (using the Browse button).
3. Set the Action:
   a. To configure a macro based on the health check result (status), click Action from the Health Check DB window. The Health Check Actions window opens.
   b. Click Add. The Edit Health Check Action window opens.
   c.
In the Edit Health Check Action window, set the following parameters according to the explanations provided:
      Check Name: Select from the checks you defined.
      Condition: Select the health check status to activate the Action macro. Value range: Success; Fail. Default: Success.
      Action: Select the type of action. Value: Macro.
   d. To edit the arguments for the selected action, click Action Arguments. The Action window appears.
   e. In the Action window, set the following parameters according to the explanations provided:
      Device: Select the relevant device.
      File Name: Select the relevant Macro File.
   f. Click Ok and then Ok twice more to exit all the Action windows. The test you configured is updated in the Health Check DB window.
4. Click Ok to apply the setup and exit. The Health Check DB window closes.

Note: This feature is an APSolute Insite feature and is not supported by WBM or CLI.

Binding and Groups

Binding

The Health Check defines only how to check elements, so you still need to define which of the Checked Elements are affected by the results of these checks and how the results are to affect them. This is done by means of Health Check Binding. Health Check Binding describes the relation between the Checked Elements (the load balanced elements) and Health Checks and defines how the Health Checks affect the health of the Checked Elements. For example, when a Health Check is bound to a Checked Element and the check fails, the status of the Checked Element is changed to "Not in Service".

A Health Check is performed even when it is not bound to any Checked Element. If it fails, the device sends notification messages, as configured (SNMP Traps, Syslog messages or mail messages), indicating the failure of the check.

A Checked Element may be bound with more than one Health Check. For example, a cache server can be bound to an HTTP check, which verifies that the cache server is functioning, and to another Health Check that makes sure that the database server used by this cache server is also functioning. In addition, a Health Check can be associated with more than one Checked Element, meaning that a single resource affects the status of multiple Checked Elements. For example, a single DB server may influence the health of multiple cache servers. The shared resource (DB server) is tested only once, and the test results affect multiple Checked Elements. When a Health Check fails, the Health Monitoring module reevaluates the status of all Checked Elements bound to the check.

Groups

You must associate a Health Check to a Checked Element. You can also define whether the check is Mandatory or not, and set the Group Number. Non-Mandatory checks in a group are evaluated with a logical OR between them, so if there is more than a single Non-Mandatory check in a group, a failure of one check does not fail the server. When several groups are associated with a single Checked Element, they are evaluated with a logical AND between them.

Note: When a Group consists of a single check which is defined as Non-Mandatory, then technically it is Mandatory.

The Group Number is unique per Checked Element. This means that, for example, Group Number 2 for Server1 and Group Number 2 for Server2 are two separate groups. Using groups enables the creation of complex health conditions for the Checked Elements. For instance, consider a Web server that communicates with one of two database servers and must use one of two routers in order to provide service. This Web server will be bound using three different binding groups: one group contains Health Checks for the two routers (each check is Non-Mandatory), one group contains Health Checks to the database servers (each check is Non-Mandatory) and the third group contains the Health Checks on the Web server. As long as one of the database servers and one of the routers is active, and the Web server health check passes, the Web server is considered active. Otherwise, the Health Monitoring module determines that the Web server cannot provide the required service. Up to 20 binding groups can be defined per Checked Element.

Using APSolute Insite, binding is performed by setting Regular checks and Group Checks. The Binding Table contains the following parameters:
   Check Name: The Health Check to be bound to a Checked Element. Possible values: all checks as defined in the Check DB.
   Checked Element Name: The Checked Element to which the Health Check is bound. Possible values: all defined servers in the Application Server/Firewall/NHR Table.
   Group: The group number to which the check belongs. The group number is unique per server.
   Mandatory: Defines if the Health Check is mandatory for the Checked Element's health. The Non-Mandatory status for checks within a group is equal to an OR relationship between the Health Checks, while the Mandatory status is equal to an AND condition. Possible values: Mandatory, Non-Mandatory.

A Health Check is still performed even if it is not bound to any of the Checked Elements. If the check fails, the device sends notification messages (SNMP Traps, Syslog messages or mail messages, as configured) indicating the failure of the check. Health Check Binding can also be grouped for complex conditioning of tests, using logical AND/OR.
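To make the group semantics concrete, here is an added Python model (not Radware code and not part of the CID User Guide) of how probe results become a check status, using the Retries, Timeout, Interval and Response Level Samples parameters from the Health Checks Database above, and how bound groups become a Checked Element status. It drives the Server 1 binding table that this section gives as its example (Group 0: Checks 1-3 Non-Mandatory; Group 1: Checks 4-6 Non-Mandatory; Group 2: Checks 7-8 Mandatory). Two points are assumptions, because the page does not state them: a check goes Down after `retries` consecutive failures and recovers on the first success, and a group holding both kinds of check passes only if all its Mandatory checks pass and at least one Non-Mandatory check passes. The probe results are constructed; the class and function names are this example's own.

```python
# Added example (not Radware code): a model of how the Health Monitoring
# module, as this chapter describes it, turns probe results into a Checked
# Element status. Assumptions (not stated on the page): a check goes Down
# only after `retries` consecutive failures and returns to Active on the
# first success; inside a group every Mandatory check must pass AND, if the
# group has any Non-Mandatory checks, at least one of them must pass.
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional


class HealthCheck:
    def __init__(self, name: str, interval: int, timeout: int, retries: int,
                 samples: int = 0) -> None:
        # The page: Interval and Timeout are integers, Interval > Timeout,
        # Response Level Samples is 0 (feature off) or 1-9.
        if not isinstance(interval, int) or not isinstance(timeout, int):
            raise TypeError("interval and timeout accept only integers")
        if interval <= timeout:
            raise ValueError("interval must be greater than timeout")
        if not 0 <= samples <= 9:
            raise ValueError("Response Level Samples must be between 0 and 9")
        self.name, self.interval, self.timeout = name, interval, timeout
        self.retries, self.samples = retries, samples
        self.failures = 0
        self.status = "Active"
        self.ratios: deque = deque(maxlen=samples or 1)  # RTT / timeout samples

    def record(self, replied: bool, rtt: Optional[float] = None) -> str:
        """Feed one probe result and return the check status after it."""
        if replied:
            self.failures = 0
            self.status = "Active"
            if self.samples and rtt is not None:
                self.ratios.append(rtt / self.timeout)
        else:
            self.failures += 1
            if self.failures >= self.retries:
                self.status = "Down"
        return self.status

    def response_level(self) -> Optional[float]:
        """Floating average of the last `samples` RTT/timeout ratios."""
        if not self.samples or not self.ratios:
            return None
        return sum(self.ratios) / len(self.ratios)


@dataclass
class Binding:
    check: HealthCheck
    group: int
    mandatory: bool


def group_passes(members: List[Binding]) -> bool:
    mandatory = [b for b in members if b.mandatory]
    optional = [b for b in members if not b.mandatory]
    if any(b.check.status != "Active" for b in mandatory):
        return False
    # A group holding a single Non-Mandatory check is effectively Mandatory.
    return not optional or any(b.check.status == "Active" for b in optional)


def element_status(bindings: List[Binding]) -> str:
    """Groups are ANDed: the element is In Service only if every group passes."""
    groups: Dict[int, List[Binding]] = {}
    for b in bindings:
        groups.setdefault(b.group, []).append(b)
    if len(groups) > 20:
        raise ValueError("up to 20 binding groups per Checked Element")
    ok = all(group_passes(m) for m in groups.values())
    return "In Service" if ok else "Not in Service"


def server1_example() -> Dict[str, object]:
    """The Server 1 binding table of this section, fed constructed results."""
    checks = {i: HealthCheck(f"Check {i}", interval=10, timeout=5,
                             retries=1 if i <= 6 else 3, samples=3)
              for i in range(1, 9)}
    bindings = ([Binding(checks[i], 0, False) for i in (1, 2, 3)]
                + [Binding(checks[i], 1, False) for i in (4, 5, 6)]
                + [Binding(checks[i], 2, True) for i in (7, 8)])
    # Round 1 (constructed): only Checks 1, 4, 7 and 8 reply; the OR inside
    # Group 0 and Group 1 keeps Server 1 In Service.
    for i, c in checks.items():
        c.record(replied=i in (1, 4, 7, 8), rtt=1.0)
    before = element_status(bindings)
    # Two failures of mandatory Check 7 stay below its retries=3 threshold.
    checks[7].record(False)
    checks[7].record(False)
    after_two = element_status(bindings)
    # The third consecutive failure marks Check 7 Down, so Group 2 fails.
    checks[7].record(False)
    after_three = element_status(bindings)
    return {"before": before, "after_two": after_two,
            "after_three": after_three, "check7": checks[7].status,
            "level1": checks[1].response_level()}
```

Running `server1_example()` shows the two layers separately: the Retries threshold decides when a single check is reported Down, and the group logic decides whether that matters for the server (a Down Non-Mandatory check in Group 0 does not, a Down Mandatory check in Group 2 does).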
For example, Server 1 has the following bindings:
   Group 0: Check 1 Non Mandatory, Check 2 Non Mandatory, Check 3 Non Mandatory
   Group 1: Check 4 Non Mandatory, Check 5 Non Mandatory, Check 6 Non Mandatory
   Group 2: Check 7 Mandatory, Check 8 Mandatory
This equals: [Check 1 OR Check 2 OR Check 3] AND [Check 4 OR Check 5 OR Check 6] AND [Check 7 AND Check 8]. This means that in order for Server 1 to be considered available, at least one of Check 1, Check 2 or Check 3 must pass, at least one of Check 4, Check 5 or Check 6 must pass, and Check 7 and Check 8 MUST pass.

Regular Health Check

A Regular type Health Check is a check of an individual network element. If a check is not bound to any of the Checked Elements, it is still performed. If it fails, the device sends notification messages, as configured (SNMP Traps, Syslog messages or mail messages), indicating the failure of the check. You can add or edit health check parameters through the Check Table. The Checks Table lists the configured health checks. Using this window, you can associate Health Checks to Checked Elements, and define the way the results of the Health Check affect the Checked Element.

To configure a Regular health check:
1. From the main window, select APSolute OS > Health Monitoring. The Health Checks window appears.
2. To define a single health check, select Regular and click Add. The device Edit Active Health Check window appears.
3. From the Edit Active Health Check window, set the following parameters for the Regular check according to the explanations provided (the remaining parameters of the selected Health Check are displayed as read-only):
   Check Element: Select the network element to be checked. This list displays all elements managed by CID that a Health Check can be associated with. The IP address shows next to the selected element.
   Health Check Name: The name of the health check that you define. Select the name from the dropdown list, which contains all the checks previously defined in the Health Checks Database, or click the New Health Check button to open the Edit Health Check window. Note: To create a new health check, you can use the Health Checks DB configuration described on page 7-9.
   Mandatory: Define if the health check is mandatory to determine the checked element's health. Definition of non-mandatory checks within a check group implies an OR relation between the health checks, while a mandatory status dictates an AND condition. Possible values: Mandatory, Non-Mandatory.
4. To view and edit the arguments defined for the Health Check, click Method Arguments. For more information, refer to Method Arguments, page 7-35. Note: Setting the Method Arguments affects the Health Check configuration in the Health Check DB.
5. Click Ok. The Edit Method Arguments window closes. The Specific Check Parameters field in the Edit Health Check window shows the edited method arguments information.
6. Click Ok to apply the setup. The window closes. The new Regular health check you defined is listed in the Health Checks table.

Group Health Check

In addition to individual or Regular checks, you can configure groups of regular checks.

To configure a Group health check:
1. From the CID Health Checks window, click the Group option and click Add. The device Edit Health Check Group window appears.
2. From the Element Name dropdown list, select the name of the network element to check. The Regular checks you defined for this Checked Element appear in the Edit Health Check Group table.
3. From the Group Check Name dropdown list, select the name of the required Health Check Group.
4. From the Enable column, select the checks required for this group for this Checked Element.
5. Click Apply. The health check Group is configured.
6. Continue to configure new groups or click Ok to exit the window.

Note: You can set up to 20 groups for a Checked Element.

Farm Health Check

Used in large configurations with farms containing multiple servers, the Farm oriented Health Check automates and simplifies the Health Monitoring configuration process by replicating a defined check for all servers in a farm.

To configure a Farm oriented health check:
1. From the main window, select APSolute OS > Traffic Redirection. The Traffic Redirection window appears.
2. From the CID Traffic Redirection window, select the Farms tab and from the Farms table that appears select a farm that you want to check and click the Health Monitoring Settings button. The Health Checks Per Farm window appears.
3. From the Health Checks Per Farm window, click Add. The Edit Active Health Check window appears.
4. From the Edit Active Health Check window, select from the following options:
   • Duplicate this Health Check for all Farm's servers: If you select this option, the health check you define will be replicated and associated to all the servers of the selected farm.
   • Set Health Check attribute for each Server in Farm: If you select this option, you can manually configure a custom health check for each server of the selected farm.
5. From the Health check name dropdown list, select the name of the check. For the remaining parameters and settings from the Edit Active Health Check window, see Regular Health Check, page 7-19.
6. Click Ok to apply the setup. The new farm check appears in the Health Checks per Farm table.

Note: This feature is an APSolute Insite feature and is not supported by WBM or CLI.
Section 7-3 Health Check Methods

Section 7-3 Health Check Methods describes the methods or protocols that are used in Health Check configuration. This section includes the following topics:
• Predefined Methods, page 7-26
• User Defined Methods, page 7-39

Predefined Methods

Table 7-1 describes the predefined Health Check Methods and their configurable arguments.

Table 7-1 Health Check Methods

ARP
Module sends an ARP request to the destination address and waits for a reply.
Arguments: N/A

Citrix ICA
Using the Citrix ICA check, the Health Monitoring Module initiates a connection to the Citrix server using TCP port 1494 and performs a Citrix handshake. This check passes when the Health Monitoring Module has completed the handshake.
Arguments: N/A

Citrix APP Browsing
Using the Citrix Application Browsing check, the Health Monitoring Module sends a "Hello" request to the Citrix server. This check uses UDP port 1604 by default. The Citrix server, in reply, sends the list of applications running on the server. The Health Monitoring Module compares the applications available on the server, based on the Citrix's reply, with a list of up to four applications configured by the user. In case all the user's configured applications are running on the Citrix server, the check passes. In case there are no configured applications, this check passes when the Health Monitoring Module identifies the Citrix's reply within the first reply packet.
Configurable Arguments: The user can configure up to four applications running on the server at any given time.

Diameter
To check Diameter application availability, the Diameter health check initiates a connection to the Diameter server. The module performs a Diameter handshake (CER/CEA) and sends an LIR message or another application message. Then the Diameter connection is disconnected using the DPR or the DPA message. The check passes when the accepted result codes are received from the Diameter server. The Diameter server defines various Attribute Value Pairs (AVP) and expected attribute values in the response received from the Diameter server.

DNS
Module submits a DNS query to the configured destination address and host. The module verifies that the reply is received with no errors, and that it matches the specified address. If the IP address parameter is not defined, only the return code of the reply is validated (not the IP address it contains).
Arguments: Hostname to Query, Address to match

FIX
When the module performs the FIX health check, it creates a FIX packet and sends it to the FIX server (after the TCP handshake). A successful check is a check where, in the reply packet, the "TestReqID" value is the same as the one that the user configured, the "SenderCompID" is the configured value of the "TargetCompID" field and vice versa, and the FIX version is the same as the configured value.
Arguments:
• TestReqID - Test Request identification. This text is appended to tag TestReqID (112) that is sent as the message. Note: The TestReqID field is a non-mandatory field. The device sends the number of seconds passed since 01/01/1970 in case the user did not configure that field.
• SenderCompID - Used as a standard header field by the FIX protocol. This field is mandatory.
• TargetCompID - Used as a standard header field by the FIX protocol. This field is mandatory.
• FIX Version - The FIX version which will be used by the check. This field is mandatory.

FTP
Module executes USER and PASS commands on the FTP server. When the login process is successfully completed, the module executes a SYST command. It verifies the existence of the file on the FTP server, but it does not download the file or check its size. If all commands were successfully executed, the module terminates the connection. The module uses a control session only, not a data session.
Arguments: Username, Password, Filename

HTTP
Module submits an HTTP request to the destination IP address and verifies that the returned status is 200. The request is GET, POST, or HEAD, and may include a no-cache directive. The HTTP requests are in HTTP 1.0 format, proxy or Web format. You can also test a specific URL, text for search within HTTP header and body, an indication whether the text should appear or not, the HTTP format, and a return code of 200. If the checked server is password protected, the module sends an authorized name and user password.
Arguments: Hostname, path, HTTP method, use of no-cache, HTTP return codes (up to 4), text for search within HTTP header and body, indication whether the text should appear or not, HTTP format, Username, Password

IMAP4
Module executes a LOGIN command to the IMAP server and verifies that the returned code is Ok.
Arguments: Username, Password

LDAP
Module performs a Bind and Unbind session with the LDAP server, using an anonymous username. The Bind operation initiates a session between a client and a server and allows the authentication of the client to the server. The Unbind operation terminates a protocol session. Default port for the LDAP health check is the well-known LDAP UDP port 389. When needed, the user can set another value in the Destination Port field.

LDAPS
The module performs the above LDAP health check using a secured SSL channel.

NNTP
Module executes a LIST command and verifies that the returned status is valid.

Ping
The module sends an ICMP echo request to the destination address and waits for an echo reply. The module checks that the reply was received from the same destination address that the request was sent to, and that the sequence number is correct.
Arguments:
• Should Ping Fail: whether the reply is received or not. When not configured, the default is that the check fails when the server does not reply.
• Ping Data Size: the size of the ICMP echo request (1 byte to 1024 bytes). When not configured, the default is 64 bytes.

Physical Port
Module checks the status of the physical interface. When the link is up, the check passes.
Arguments: Physical port number

POP3
Module executes USER and PASS commands on the POP3 server, and checks that the returned code is OK.
Arguments: Username, Password

RADIUS Accounting
The module sends a RADIUS Accounting request with a User Name, Password and Secret string, and verifies that the request was accepted by the server. If the "Destination Port Number" parameter is not configured, then the device uses UDP port 1813.
Notes:
• Ensure that the RADIUS server is configured to accept RADIUS requests from the Radware device.
Arguments: Username, Password, Secret

RADIUS Authentication
The module sends an Access Request with a User Name, Password and Secret string, which then expects an Access Accept reply, and verifies that the request was accepted by the server.
Arguments: Username, Password, Secret

SIP
The Health Monitoring Module now allows performing Health Monitoring checks on SIP servers. SIP works in the application layer of the OSI model (Layer 7); it establishes sessions such as voice and chat, and modifies or terminates them. The SIP health check is done using the OPTIONS method. This method is used to query SIP proxies and end-points as to their capabilities. The capabilities themselves are not relevant to the health check. The module uses port 5060 by default. When an unacceptable response code is received, the check fails.
Arguments:
• Max Forwards (mandatory): The default is 1.
• Acceptable Response Codes: 200 is the default.
• Match Mode: defines whether the content must appear in the reply or must not appear in the reply.
Content Match: a content that must be matched in the response for it to be considered successful. Arguments: Request URI: The request's destination. Password. Secret. (mandatory) • • • • • From: The user should specify what the "logical name" of the device is. Note: Ensure that the RADIUS server is configured to accept RADIUS requests from the Radware device. what is relevant. gaming etc.Health Monitoring Table 7-1 Health Check Methods (cont. is the "200 OK" response from the server. which then expects an Access Accept reply. SIP TCP The Session Initiation Protocol (SIP) is an IETF standard for initiating an interactive user session that involves multimedia elements such as video. SIP can establish multimedia sessions or Internet telephony calls. Arguments: Username. the farm’s Dispatch Method should be set to Response Time. Arguments: Path on the server. When the returned value is higher than the No New Sessions Value. the check fails. Arguments: SNMP Object ID to be checked. Value. Min. Default: RADWARE.) Method Name SIP UDP RTSP Description Same as SIP TCP. Value. Note: For a device to consider the outcome of the check in the load balancing decisions. Use Results For Load Balancing 7-32 CID User Guide . and validates the value in the reply. Value or higher than the Max. Value. Hostname SMTP Module executes a HELO command to the SMTP server and checks that the returned code is 250. Community. SNMP The module sends an SNMP GET request. but running over the UDP protocol Module executes a DESCRIBE command and expects a return status of 200. Max.Health Check Methods Table 7-1 Health Check Methods (cont. The results of the SNMP check can be used for a load balancing decision. No New Sessions Value. When the returned value is lower than the Min. the bound element is set to No New Sessions. as in Private Parameters Load Balancing Algorithms. Arguments: Server name for the command. Chapter 7 . the device performs a GET request from the checked element. 
HTTP Return Codes (similar to HTTP Check). Arguments: SSL Versions: V23 or V30. Path. generated by the device. The session is then closed (using a RESET command). for example) CID User Guide 7-33 . it is recommended to use a timeout of 3 to 5 seconds. SSL Private Key File . generated by the device. Default: Private Key. after the session starts. and waits for an SSL Hello reply. Users can also set: • • SSL Certificate File . HTTP Method.Health Monitoring Table 7-1 Health Check Methods (cont.) Method Name SSL Description The module performs an SSL handshake towards the server and. Match Search String. SSLv23 means that the client sends an SSLv2 request to open an SSLv3 session (in Explorer. Arguments: Hostname. SSL Hello Module sends an SSL Hello packet to the server (using SSL3). Default: Client Certificate. Match Mode. SSL v30 means that pure SSLv3 is used. Authorized Username and Password.Used by the device when the Web server requires a key during the SSL handshake.Used by the device when the Web server requires a Client Certificate during the SSL handshake. Note: Since generating SSL keys on the server is a time consuming process. Arguments: Complete TCP Handshake. the application might still be considered as running. for example Ping or ARP. the UDP Port check should always be used in combination with another server availability check. Therefore. HTTP Method. SYN_ACK. Setting this parameter to No results in the TCP handshake flow: SYN.Health Check Methods Table 7-1 Health Check Methods (cont. Arguments: Packet Sequence ID Module checks the availability of the specified UDP port. Setting this parameter to Yes results in the TCP handshake flow: SYN. SSL Private Key File: Used by the device when the Web server requires a key during the SSL handshake. RST. Arguments: Similar to HTTP Check (Hostname. Path. Match Mode. no reply is received. the device performs a GET request from the checked element. 
HTTP Return Codes) TCP Port Module checks the availability of the specified TCP port. This is due to the nature of UDP: when the UDP application is operational. an ICMP message UDP Port Unreachable is sent. This check does not test the server's availability. Users can set: SSL Certificate File: When the Web server requires a Client Certificate during the SSL handshake. This means that when the server is down. Default: Private Key generated by the device.) Method Name SSL Description Module performs an SSL handshake towards the server and after the session starts. when the UDP application is not operational. Authorized Username and Password. SYN_ACK. Match Search String. 7-34 CID User Guide . but the application's availability within the server. so that the absence of a reply indicates the application’s availability. TCP User Defined UDP Port Module uses a User Defined TCP Health Check. RST. Default: Client Certificate generated by the device. ACK. Sets whether the check sends an ACK packet before the RST packet or not. the equation sign should appear. A “|” sign is used as a delimiter between the arguments. CLI.Health Monitoring Method Arguments You can configure arguments specific to each Health Check Method. you can use the Method Arguments button to view and edit arguments for the selected Method.Chapter 7 . No extra spaces are allowed. and details mandatory arguments. Table 7-2 lists the additional configurable method arguments for each Check Method. When using Web Based Management. / HTTP (2) PATH HOST No Server IP address CID User Guide 7-35 . you can configure the additional arguments using a string with this format: ARG=VAL|ARG=VAL| Following each argument. and more. In APSolute Insite Health Check configuration window. then the required value. default values. Telnet or SSH. 
Table 7-2 Health Check Method Arguments Method Name (and ID) ARP (11) DNS (10) Argument Name Argument Description Mandatory Additional Info Default No args HOST ADDR Hostname to query Address to be received Username Password Path of file on Web server to be requested Hostname Yes No Validate only the DNS return code FTP (6) USER PASS Yes Yes No Any configured value must begin with a/. N=Do not use pragma: nocache Wildcards not supported Y=Fail check if Y pattern not found. H=HEAD G PRX Y=Use proxy N HTTP. P=POST. N=Fail check if pattern is found N NOCACHE Use pragma: no-cache No MTCH MEXIST Pattern for No content match Content match No pattern should be present or absent USER Username for basic authentication Password for basic authentication No PASS No C1 C2 C3 Valid http code No 1 Valid http code No 2 Valid http code No 3 7-36 CID User Guide . N=Use Web server HTTP Y= Use pragma: nocache.Health Check Methods Table 7-2 Health Check Method Arguments (cont.) Method Name (and ID) Argument Name Argument Description Mandatory Additional Info Default HTTP (2) MTD continued HTTP method No to submit Use proxy HTTP No G=GET. N=Fail when server does not reply =1 .) Method Name (and ID) Argument Name Argument Description Mandatory Additional Info Default HTTP (2) C4 continued IMAP (7) USER PASS PING (0) FAIL Valid http code No 4 Username password Yes Yes Y= Fail when N server replies.1024 bytes 64 Check fails No when reply is received or not received Data size Username Username Password Radius secret Path of file on RTSP server to be requested No Yes Yes Yes Yes Yes DSIZE POP(3) RADIUS (12) USER USER PASS SECRET RTSP (13) PATH HOST SMTP (4) HELO SSL (14) SSLV Hostname to No use in request Argument for SMTP HELO SSL Version No No IP address of server RADWARE V23 or V30 V23 CID User Guide 7-37 .Health Monitoring Table 7-2 Health Check Method Arguments (cont.Chapter 7 . Health Check Methods Table 7-2 Health Check Method Arguments (cont.) 
TCP Port (1): no arguments.

TCP User Defined (8)
• SEQID: Packet sequence to submit. Mandatory: Yes.

UDP Port: no arguments.

User Defined Methods

If you require a specific Health Check Method that is not provided by the module, you can configure the health check protocol manually. This is done by defining, for every packet sequence, a stream of send and receive packets, each with a string to send or receive. The module then sends the packets and verifies that the received packets contain the matching predefined string. Packet sequences are defined in the User Defined Methods Table and used later on as an argument in the TCP User Defined health check. Then the user-defined check can be used in the Health Checks configuration.

Note: User Defined Checks are available for TCP checks only.

To configure a user defined method for health check:

1. From the Health Checks window, click User Defined Methods. The User Defined Methods window appears.

2. In the User Defined Methods window, click Add. The Edit User Defined Methods window appears.

3. In the Edit User Defined Methods window, set the following parameters according to the explanations provided:

Sequence ID: The Sequence ID is a sequence of packets. Type the ID number of the entire packet sequence. All packets with the same Sequence ID belong to the same sequence. The same sequence ID can be used in multiple checks. The maximum value for Sequence ID is 429496729.
Note: The Sequence ID is used as the argument in the health check.

Packet ID: This field identifies the order of sending and receiving the packets within this packet sequence. Type the ID number that identifies the packet within this packet sequence. This identifier is unique within a packet sequence. Several packets carrying information can be defined for a user-defined check with the same Sequence ID.
Note: The first Packet ID of each sequence must always be 0, and the Packet IDs of a sequence must always be consecutive.

Sequence Type: This parameter enables you to define whether this packet is a Send or a Receive packet.

Compare Method: This parameter defines how the Health Monitoring module checks the received packets for a required string. If the value of the field is set to Regular Expression, then the search takes the regular expression signs into account when searching for the configured string. If the value of the field is set to Binary, the search compares each character found to the ASCII value of the character defined in the String field. For example, if the String field is defined as "^blue" and the Compare Method value is defined as Regular Expression, the Health Monitoring module matches the first expression which starts with the word "blue", taking into account the character ^. If the value of the Compare Method is set to Binary, the Health Monitoring module searches for the string ^blue.

Sequence String: This string is either sent within the packet or expected when the packet is received. The string can be up to 80 characters. For 'Receive' type packets, the string can include a regular expression, which is a very effective method of describing a pattern of characters. The Health Monitoring module supports Posix 1002.3 regular expressions.

The Health Monitoring method "TCP user defined" allows for the definition of binary packet sequences, which are sent within TCP segments or matched against the content of the received TCP segments. The content of the packet sequence is denoted as an ASCII string with certain escape sequences used to denote characters which are not considered "printable". The escape sequences always start with the backslash character ('\'), followed by one of the following characters:
• x: the character represented by the 2 digit hexadecimal number inscribed right after the 'x' will be printed.
• {0-7}: if the backslash is followed by 3 octal digits, then the character represented by the octal number consisting of these digits will be printed.
• a, b, t, n, v, f, r, e: one ASCII control character each (the guide names them Bell, New Line feed, Vertical Tab, Form Feed, Carriage Return, Shift Out, Shift In and Space, numbered '7', '10', '11', '12', '13', '14', '15' and '33'); for example, \a prints the ASCII '7' character (Bell).

Special cases:
• If the backslash character is the last character of the string, it will be discarded.
• If the backslash character is followed by any character other than the ones listed above, that character will be printed verbatim. Hence, if you wish to have a backslash character in a binary string ('\'), it must be escaped: '\\'.

Sequence Description: The textual description of the specific packet in the sequence.

4. Click Ok to apply the parameters. The Edit User Defined Methods window closes. The new method is listed in the User Defined Methods window.

5. To configure all the user defined methods, repeat steps 2-3.

6. Click Ok. The User Defined Methods window closes.

Note: Once a sequence is configured it is not possible to change the Sequence Type from send to receive or vice-versa.
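As an added illustration of the HTTP check in Table 7-1, the ARG=VAL| argument string format of Method Arguments and the HTTP arguments of Table 7-2, here is a small Python model (not code from the CID product) that parses such a string, builds the HTTP/1.0 request the check would send and grades a constructed reply. The accepted-code rule (200 always accepted, C1 to C4 adding further valid codes), the proxy-format request line and the plain substring match for MTCH are assumptions made for this illustration.

```python
"""Added example (not CID code): parse 'ARG=VAL|ARG=VAL|' for the HTTP health
check, build the request and evaluate a reply with the Table 7-2 arguments."""
import base64
import re

# Defaults taken from Table 7-2; HOST defaults to the server IP at runtime.
HTTP_DEFAULTS = {"MTD": "G", "PRX": "N", "NOCACHE": "N", "PATH": "/", "MEXIST": "Y"}
METHODS = {"G": "GET", "P": "POST", "H": "HEAD"}


def parse_method_args(arg_string):
    """Parse 'ARG=VAL|ARG=VAL|' into a dict. A token without '=' or with
    extra spaces around the name or value is rejected (the guide allows none)."""
    args = {}
    for token in arg_string.split("|"):
        if token == "":                      # the trailing '|' leaves an empty token
            continue
        if "=" not in token:
            raise ValueError("missing '=' in %r" % token)
        name, value = token.split("=", 1)
        if name != name.strip() or value != value.strip():
            raise ValueError("extra spaces in %r" % token)
        args[name] = value
    return args


def http_args(arg_string, server_ip):
    """Merge the configured string with the HTTP defaults and validate it."""
    args = dict(HTTP_DEFAULTS)
    args.update(parse_method_args(arg_string))
    if not args["PATH"].startswith("/"):
        raise ValueError("PATH must begin with '/'")
    if args["MTD"] not in METHODS:
        raise ValueError("MTD must be G, P or H")
    args.setdefault("HOST", server_ip)     # Table 7-2: default is the server IP address
    return args


def build_request(args):
    """Render the HTTP/1.0 request (Web or proxy format) as the check would send it."""
    method = METHODS[args["MTD"]]
    if args["PRX"] == "Y":                  # proxy format: absolute URL in the request line (assumed)
        target = "http://%s%s" % (args["HOST"], args["PATH"])
    else:
        target = args["PATH"]
    lines = ["%s %s HTTP/1.0" % (method, target), "Host: %s" % args["HOST"]]
    if args["NOCACHE"] == "Y":
        lines.append("Pragma: no-cache")
    if "USER" in args and "PASS" in args:   # basic authentication for protected servers
        token = base64.b64encode(("%s:%s" % (args["USER"], args["PASS"])).encode()).decode()
        lines.append("Authorization: Basic " + token)
    return "\r\n".join(lines) + "\r\n\r\n"


def accepted_codes(args):
    """200 is always accepted (assumed); C1-C4 add further valid return codes."""
    codes = {200}
    for key in ("C1", "C2", "C3", "C4"):
        if key in args:
            codes.add(int(args[key]))
    return codes


def evaluate_reply(args, raw_reply):
    """Grade a raw reply (status line, headers, body). Returns (passed, reason)."""
    match = re.match(r"HTTP/\d\.\d (\d{3})", raw_reply)
    if not match:
        return False, "malformed status line"
    code = int(match.group(1))
    if code not in accepted_codes(args):
        return False, "return code %d not accepted" % code
    pattern = args.get("MTCH")
    if pattern:
        found = pattern in raw_reply        # searched in header and body; no wildcards
        if args["MEXIST"] == "Y" and not found:
            return False, "match string not found"
        if args["MEXIST"] == "N" and found:
            return False, "match string present"
    return True, "ok"
```

The MEXIST=N branch is the one to keep in mind when a server serves a friendly error page with a 200 code: the check can still fail on content, which is what makes the match string worth configuring.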
Section 7-4 Configuration Examples

Section 7-4, Configuration Examples, provides several examples illustrating the variety of Health Check configurations. The following examples are included in this section:
• Health Check for Multiple Logical Servers, page 7-45
• Group Health Check, page 7-49
• User Defined TCP Check, page 7-52
• User-Defined TCP Check, Send SMTP Message, page 7-54

Example - Health Check for Multiple Logical Servers

The example in Figure 7-1 illustrates a configuration where a single physical server check determines the status of multiple logical servers.

Figure 7-1 Health Monitoring of Multiple Logical Servers (diagram: Internet; CID with VIP-H 100.1.1.101, VIP-F 100.1.1.102 and VIP-R 100.1.1.103; Server 10.1.1.1; Server 10.1.1.2)

Properties:
• There are 2 servers in this configuration, each server providing these services: HTTP, FTP and RTSP.
• CID checks the servers using HTTP Page, FTP and RTSP.
• In order to minimize load on the servers, CID pings each physical server every 5 seconds, and issues each application check every 20 seconds.

Configuration:

1. From the main window, select APSolute OS > Traffic Redirection > Farm Parameters. The Farm Table window appears.

2. From the Farm Table window, define 3 farms:
• VIP-H for HTTP
• VIP-F for FTP
• VIP-R for RTSP
For each farm, add two servers: 10.1.1.1 and 10.1.1.2.

3. In Traffic Redirection > Farm Parameters, ensure that the relevant farm's Connectivity Method is set to Disabled.

4. In Health Monitoring > Global Parameters, verify that the Health Monitoring parameter is set to Monitoring Module.

5. From Health Monitoring > Check Table, define the first set of check parameters for the servers:
a. For the first server, in the Health Monitoring Health Check DB window, open the Check Table window and click Insert. Set the following parameters according to the explanations provided:
Check Name: Server1 - HTTP
Method Name: HTTP
Destination IP Address: 10.1.1.1
Interval: 20
Hostname: www.radware.com
Path: /
Insert more parameters as required.
b. In the same manner for the second server, set the following parameters:
Check Name: Server2 - HTTP
Destination IP Address: 10.1.1.2

6. Set the second set of check parameters for the servers:
a. For the first server, in the Health Monitoring Health Check DB window, open the Check Table window and click Insert. Set the following parameters:
Check Name: Server1 - FTP
Method Name: FTP
Destination IP Address: 10.1.1.1
Interval: 20
Username: User1
Password: secret
b. In the same manner for the second server, set the following parameters:
Check Name: Server2 - FTP
Destination IP Address: 10.1.1.2

7. Define the third set of check parameters for the servers:
a. For the first server, in the Health Monitoring Health Check DB window, open the Check Table window and click Insert. Set the following parameters:
Check Name: Server1 - RTSP
Method Name: RTSP
Destination IP Address: 10.1.1.1
Interval: 20
Path: /movies/disney.asf
b. In the same manner for the second server, set the following parameters:
Check Name: Server2 - RTSP
Destination IP Address: 10.1.1.2

8. Define the fourth set of check parameters for the servers:
a. For the first server, in the Health Monitoring Health Check DB window, open the Check Table window and click Insert. Set the following parameters:
Check Name: Server1 - Physical
Method Name: Ping
Destination IP Address: 10.1.1.1
Interval: 5
b. In the same manner for the second server, set the following parameters:
Check Name: Server2 - Physical
Destination IP Address: 10.1.1.2
Note: The Interval for this check is shorter than for the previous checks.

9. From the Regular Checks Table, configure the following:

Server Name        Check Name            Mandatory
VIP-F - server1    Server1 - FTP         Mandatory
VIP-F - server1    Server1 - Physical    Mandatory
VIP-F - server2    Server2 - FTP         Mandatory
VIP-F - server2    Server2 - Physical    Mandatory
VIP-H - server1    Server1 - HTTP        Mandatory
VIP-H - server1    Server1 - Physical    Mandatory
VIP-H - server2    Server2 - HTTP        Mandatory
VIP-H - server2    Server2 - Physical    Mandatory
VIP-R - server1    Server1 - RTSP        Mandatory
VIP-R - server1    Server1 - Physical    Mandatory
VIP-R - server2    Server2 - RTSP        Mandatory
VIP-R - server2    Server2 - Physical    Mandatory

Using this configuration, a single ping is sent to each server every 5 seconds, and each of the application tests is sent for each server every 20 seconds.

Example - Group Health Check

The example in Figure 7-2 illustrates a health check configuration with the use of groups.

Figure 7-2 Group Health Check (diagram: Internet; CID VIP 100.1.1.100; Web Server 10.1.1.1; Web Server 10.1.1.2; DB Server 10.1.1.50; DB Server 10.1.1.51)

Properties:
• CID checks the Web servers using the HTTP Check Method, with a search string.
• For each Web server, at least one database server should function. If both database servers are down, each of the Web servers is considered to be out of service.

Note: Unrelated or default value parameters are omitted.

Configuration:

1. From the main window, select APSolute OS > Traffic Redirection > Farm Parameters. The Farm Table window appears.

2. From the Farm Table window, set the following parameters according to the explanations provided:
Server Farm: 100.1.1.100
Web Server 1: 10.1.1.1
Web Server 2: 10.1.1.2

3. From Traffic Redirection > Farm Parameters, ensure that the relevant farm's Connectivity Method is set to Disabled.

4. From Health Monitoring > Global Parameters, verify that Health Monitoring is set to Monitoring Module (page 7-7).

5. From Health Monitoring > Health Check DB Table, click Insert.

6. Configure 2 Web servers:
a. For the first Web server, set the following parameters according to the explanations provided:
Check Name: Web Server 1 - HTTP
Method Name: HTTP
Destination IP Address: 10.1.1.1
Destination Port: 80
Host Name: www.radware.com
Path: /index.html
Match String: Enter Username:
Match Mode: String Exists
b. For the second Web server, set the following parameters:
Check Name: Web Server 2 - HTTP
Destination IP Address: 10.1.1.2

7. Configure 2 Database servers:
a. For the first Database server, set the following parameters:
Check Name: Database Server 1 - Ping
Destination IP Address: 10.1.1.50
b. For the second Database server, set the following parameters:
Check Name: Database Server 2 - Ping
Destination IP Address: 10.1.1.51

8. From the Regular Check Table, set:

Server Name            Check Name                 Mandatory
Farm1 - Web Server 1   Web Server 1 - HTTP        Mandatory
Farm1 - Web Server 1   Database Server 1 - Ping   Non-Mandatory
Farm1 - Web Server 1   Database Server 2 - Ping   Non-Mandatory
Farm1 - Web Server 2   Web Server 2 - HTTP        Mandatory
Farm1 - Web Server 2   Database Server 1 - Ping   Non-Mandatory
Farm1 - Web Server 2   Database Server 2 - Ping   Non-Mandatory

9. From the Group Check Table, set:

Element Name: Farm1 - Web Server 1
Selected Checks: Web Server 1 - HTTP, Database Server 1 - Ping, Database Server 2 - Ping
Group: 1, 2

Element Name: Farm1 - Web Server 2
Selected Checks: Web Server 2 - HTTP, Database Server 1 - Ping, Database Server 2 - Ping
Group: 1, 2

Example - User Defined TCP Check (Send SMTP Message)

This is an advanced example, describing a Packet Sequence configuration and use. This packet sequence checks an SMTP Server by sending an E-mail message.

Configuration:

Note: Compare Method is set to Regular Expression in all the sequences.

1. From the User Defined Methods window (Packet Sequence Table), define the following sequence:

Table 7-3 Packet Sequence Table

Seq  Pkt  Type     String                                    Description
0    0    Receive  ^220 +.*                                  Receive mail server welcome message
0    1    Send     HELO radware\r\n                          Send HELO to mail server
0    2    Receive  ^250 +.*                                  Receive OK status from mail server
0    3    Send     MAIL FROM: <sender@a.com>\r\n             Send the sender's address to the server
0    4    Receive  ^250 +.*                                  Receive OK for sender address
0    5    Send     RCPT TO: <user@company.com>\r\n           Send recipient's address to server
0    6    Receive  ^250 +.*                                  Receive OK on recipient
0    7    Send     DATA\r\n                                  Send DATA statement to server
0    8    Receive  ^354 +.*                                  Receive OK on DATA statement
0    9    Send     From: <sender@a.com>\r\nSubject: test message\r\text\r\n.\r\n   Send mail message
0    10   Receive  ^250 +.*                                  Receive OK for the mail message
0    11   Send     QUIT\r\n                                  Send QUIT to server
0    12   Receive  ^221 +.*                                  Receive OK for QUIT

Note: On Receive type packets, it is recommended to look for the return code as required, followed by ".*", indicating that the rest of the packet is irrelevant.

2. From the Health Check DB window (Health Monitoring > Check Table), click Insert, then set the following parameters according to the explanations provided (unrelated or default value parameters are omitted):
Check Name: Send Email
Method Name: TCP User Defined
Destination IP Address: Mail-server-IP
Destination Port: 25
Sequence ID: 0

3. Use the Regular Check Table to associate the check to the appropriate server.
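To show how the Sequence String escape syntax and the two Compare Methods from User Defined Methods come together with the Send SMTP Message sequence above, here is an added Python model that is not CID code: it decodes the escapes, matches received data either as a regular expression or as literal characters, and drives the packet sequence against a scripted stand-in for the mail server (no network involved). The mapping of \a, \b, \t, \n, \v, \f, \r and \e to ASCII control characters is assumed to be the standard C one, Binary compare is taken to mean a plain substring search, and the mail body string is constructed for the example.

```python
"""Added example (not CID code): Sequence String escapes, Compare Methods and
a dry run of the Send SMTP Message packet sequence against a scripted server."""
import re

# Assumed standard mapping of the single-character escapes (\e taken as ESC).
_SIMPLE_ESCAPES = {"a": "\a", "b": "\b", "t": "\t", "n": "\n",
                   "v": "\v", "f": "\f", "r": "\r", "e": "\x1b"}


def decode_sequence_string(s):
    """Decode the escapes of a Sequence String. A trailing backslash is discarded;
    an unknown escape prints the following character verbatim, so a literal
    backslash is written as two backslashes."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "\\":
            out.append(s[i])
            i += 1
            continue
        if i + 1 == len(s):                       # special case: backslash is last
            break
        nxt = s[i + 1]
        if nxt in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[nxt])
            i += 2
        elif nxt == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", s[i + 2:i + 4]):
            out.append(chr(int(s[i + 2:i + 4], 16)))   # \xhh: 2 hex digits
            i += 4
        elif re.fullmatch(r"[0-7]{3}", s[i + 1:i + 4]):
            out.append(chr(int(s[i + 1:i + 4], 8)))    # \ooo: 3 octal digits
            i += 4
        else:                                     # '\\' and any other char: verbatim
            out.append(nxt)
            i += 2
    return "".join(out)


def packet_matches(received, expected, compare_method):
    """Regular Expression searches with the pattern; Binary looks for the exact
    characters, so '^blue' only matches a literal '^blue' (assumed substring search)."""
    if compare_method == "Regular Expression":
        return re.search(expected, received) is not None
    if compare_method == "Binary":
        return expected in received
    raise ValueError("unknown Compare Method: %r" % compare_method)


def validate_packet_ids(packets):
    """Packet IDs of a sequence must start at 0 and be consecutive."""
    return [pkt_id for pkt_id, _, _ in packets] == list(range(len(packets)))


# Sequence 0 from Table 7-3 as (Packet ID, Sequence Type, Sequence String);
# the mail body in packet 9 is constructed for this example.
SMTP_SEQUENCE = [
    (0, "Receive", "^220 +.*"),
    (1, "Send", "HELO radware\\r\\n"),
    (2, "Receive", "^250 +.*"),
    (3, "Send", "MAIL FROM: <sender@a.com>\\r\\n"),
    (4, "Receive", "^250 +.*"),
    (5, "Send", "RCPT TO: <user@company.com>\\r\\n"),
    (6, "Receive", "^250 +.*"),
    (7, "Send", "DATA\\r\\n"),
    (8, "Receive", "^354 +.*"),
    (9, "Send", "From: <sender@a.com>\\r\\nSubject: test message\\r\\n\\r\\ntext\\r\\n.\\r\\n"),
    (10, "Receive", "^250 +.*"),
    (11, "Send", "QUIT\\r\\n"),
    (12, "Receive", "^221 +.*"),
]


class ScriptedSmtpServer:
    """Constructed stand-in for the checked mail server; replies are canned."""
    def __init__(self, healthy=True):
        self.healthy = healthy
        self.in_data = False

    def banner(self):
        return "220 mail.example.test ESMTP\r\n" if self.healthy else "421 service not available\r\n"

    def respond(self, data):
        if self.in_data:                         # message body until <CRLF>.<CRLF>
            if data.endswith("\r\n.\r\n"):
                self.in_data = False
                return "250 message queued\r\n"
            return ""
        verb = data.strip().split(" ", 1)[0].upper()
        if verb == "DATA":
            self.in_data = True
            return "354 end data with <CRLF>.<CRLF>\r\n"
        replies = {"HELO": "250 mail.example.test\r\n", "MAIL": "250 sender ok\r\n",
                   "RCPT": "250 recipient ok\r\n", "QUIT": "221 bye\r\n"}
        return replies.get(verb, "500 command not recognised\r\n")


def run_sequence(packets, server, compare_method="Regular Expression"):
    """Send packets go to the server; Receive packets are matched against what the
    server last sent. Returns (passed, failing Packet ID or None)."""
    if not validate_packet_ids(packets):
        raise ValueError("Packet IDs must start at 0 and be consecutive")
    pending = server.banner()
    for pkt_id, ptype, raw in packets:
        data = decode_sequence_string(raw)
        if ptype == "Send":
            pending = server.respond(data)
        elif ptype == "Receive":
            if not packet_matches(pending, data, compare_method):
                return False, pkt_id
            pending = ""
        else:
            raise ValueError("Sequence Type must be Send or Receive")
    return True, None
```

Running the same sequence with compare_method="Binary" fails on packet 0, because the server banner contains no literal "^220 +.*"; that is exactly the difference between the two Compare Methods the guide describes.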
[email protected] >\r\nSubject: test message\r\text\r \n. Send QUIT to server Receive OK for Quit Note: that on Receive type packets. followed by ". it is recommended to look for the return code as required. click Insert to define the following check parameters (unrelated or default value parameters are omitted): Check Name Method Name Destination IP Address Destination Port Sequence ID Send Email TCP User Defined Mail-server-IP 25 0 CID User Guide 7-55 .Health Monitoring Table 7-3 Packet Sequence Table Seq 0 0 PKT 8 9 Type Receive Send String ^354 +. Configuration Examples 7-56 CID User Guide . page 8-33 Section 8-5: Interface Classification. page 8-18 Section 8-4: Protocol Discovery. page 8-37 CID User Guide 8-1 . page 8-7 Section 8-3: Bandwidth Management Classes.CHAPTER 8 Chapter 8 - Bandwidth Management This chapter includes the following sections: • • • • • Section 8-1: Introduction to Bandwidth Management. page 8-2 Section 8-2: Bandwidth Management Policies. describes the Bandwidth Management module and explains how you can gain full control over the available bandwidth. page 8-3 8-2 CID User Guide . Introduction to Bandwidth Management.Introduction to Bandwidth Management Section 8-1 Introduction to Bandwidth Management Section 8-1. This section includes the following topics: • What is Bandwidth Management. Prioritize the packet: This allows the mechanism to prioritize services. A comprehensive set of user-configurable policies controls how the device identifies and acts upon each packet. ensuring that other mission critical operations are not affected and continue to enjoy the bandwidth and service level required to guarantee smooth business operation. while taking the bandwidth used by each application into account. • • CID User Guide 8-3 . Using the Bandwidth Management module. or segment. At the same time. Bandwidth Management allows you to assign HTTP traffic a higher priority than SMTP traffic. For example. user. 
Chapter 8 - Bandwidth Management

Section 8-1 Introduction to Bandwidth Management

What is Bandwidth Management
The Bandwidth Management module includes a feature set that gives you full control over the available bandwidth. Using these features, applications can be prioritized according to a wide array of criteria: one application may be given higher priority than another, which in turn may have higher priority than FTP traffic. Radware devices can classify traffic according to predefined criteria and enforce a set of actions on that traffic. DefensePro's Bandwidth Management capability allows you to define policies that restrict or maintain the bandwidth that can be sent or received by each application. A Bandwidth Management solution can track the actual bandwidth used by each application and either ensure a guaranteed bandwidth for a certain application and/or set limits on how much each classified traffic pattern can utilize.
Controlling the maximal bandwidth of corporate resources that can be consumed by DoS attacks limits the spread of the attack. Carriers can also ensure that a customer's Service Level Agreement (SLA) is not compromised by a DoS attack launched on another customer.

Technical Description
When a packet is matched, the device can do one of three things:
• Discard the packet: This allows the Bandwidth Management module to provide a very robust and granular packet filtering mechanism.
• Forward the packet in "real time": The packet bypasses the entire bandwidth management system and is immediately forwarded by the device. The end result is effectively the same as if bandwidth management were not enabled at all.
• Prioritize the packet: The packet is placed into a queue, and the queue is assigned a priority from 0-7, with 0 being the highest priority and 7 the lowest.
The number of queues is equal to the number of policies in the policy database: each policy gets its own queue. This means that there could be 100 queues (if there are 100 policies), each labeled with a priority from 0-7.

Scheduler Algorithm
The scheduler takes packets from the many queues and forwards them. It operates through one of two algorithms: Cyclic and CBQ (Class-Based Queuing).
With the Cyclic algorithm, the scheduler gives each priority a preference ratio of 2:1 over the immediately adjacent lower priority. In other words, a priority 0 queue has twice the priority of a priority 1 queue, which has twice the priority of a priority 2 queue, and so on. When it is time to forward a packet of a given priority, the scheduler systematically cycles through the queues that share that priority.
The CBQ algorithm has the same packet-forwarding pattern as the WFQ (weighted fair queuing) algorithm, and each queue is likewise labeled with one of the 8 priorities 0-7, with one significant difference: CBQ is aware of a predefined bandwidth configured per policy. As policies are configured, each can be given a minimum (guaranteed) allotted bandwidth, in Kbps (see Guaranteed Bandwidth, page 8-12).
Note: Unless CBQ is used, policies cannot be configured with an associated bandwidth.

Application Classification
Application Classification is defined as Per Packet or Per Session.
If Application Classification is defined as Per Packet, the device classifies every packet that flows through it. In this mode, every single packet must be individually classified.
If Application Classification is defined as Per Session, all packets are classified by session. An intricate algorithm classifies the packets of a session until a "best fit" policy is found, fully classifying the session. Once the session is fully classified, all packets belonging to the same session are classified accordingly. This not only allows for traffic classification according to application, but also saves some overhead for the classifier, as it only needs to classify sessions and not every single packet.
Notes:
• When the direction of a policy is set to Session, it is not possible to change the Application Classification from Per Session to Per Packet.
• When the Application Classification is set to Per Packet, it is not possible to configure a policy's direction to Session.

Random Early Detection
The Random Early Detection (RED) algorithm can be used to protect queues from overflowing, which may cause serious session disruption. If the RED algorithm is deployed, the status of the queues is monitored. If the queues are approaching full capacity, random TCP packets are intercepted and dropped. This protects the queues from becoming completely full, which causes less disruption across all TCP sessions and also protects UDP packets. Only TCP packets are dropped, and the packet selection is entirely random. The algorithm draws on the inherent retransmission and flow control characteristics of TCP.
Radware's bandwidth management mechanism can deploy RED in two forms:
• Global RED: Global RED monitors the capacity of all the queues (i.e. the global set of queues) and randomly discards TCP packets before the classifier sees them.
• Weighted RED (WRED): The RED algorithm is deployed per queue (instead of for all the packets in all the queues), and the priority of the queue has an effect on whether or not a packet gets dropped.

Classification Modes
The following classification modes are available:
• Policies: The device classifies each packet or session by matching it to policies configured by the user.
• ToS: The device classifies packets only by the ToS (Type of Service) bit value.
• Diffserv: The device classifies packets only by the DSCP (Differentiated Services Code Point) value.
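The following Python model is added to this guide to illustrate the scheduler and RED behaviour described above; it is not part of the Radware software. It encodes the Cyclic 2:1 rule as dequeue weights 128, 64, ..., 1 for priorities 0-7 and round-robins among queues that share a priority. The Global RED guard watches the occupancy of the whole set of queues, never drops UDP, and ramps the TCP drop probability between two occupancy thresholds; the specific weights and thresholds are assumptions, since the guide states only the ratio and the principle.

```python
import random
from collections import deque

# Eight priority levels, 0 = highest. The Cyclic algorithm gives each level a
# 2:1 preference over the next lower one; this example encodes that as weights
# 128, 64, ..., 1 (the exact weights are an assumption, the guide gives the ratio).
PRIORITY_WEIGHTS = {prio: 2 ** (7 - prio) for prio in range(8)}


class PolicyQueue:
    """One queue per policy, labelled with the policy's priority 0-7."""

    def __init__(self, name, priority, capacity):
        self.name = name
        self.priority = priority
        self.capacity = capacity
        self.packets = deque()

    def enqueue(self, proto):
        self.packets.append(proto)


class GlobalRed:
    """Global RED: watches the occupancy of the whole set of queues and drops
    TCP packets at random before they reach the classifier. UDP is never
    dropped. The two occupancy thresholds are assumptions (the guide names none)."""

    def __init__(self, queues, min_frac=0.5, max_frac=0.9, seed=1):
        self.queues = queues
        self.min_frac = min_frac
        self.max_frac = max_frac
        self.rng = random.Random(seed)

    def occupancy(self):
        capacity = sum(q.capacity for q in self.queues)
        return sum(len(q.packets) for q in self.queues) / capacity

    def should_drop(self, proto):
        if proto != "tcp":
            return False
        occ = self.occupancy()
        if occ < self.min_frac:
            return False
        if occ >= self.max_frac:
            return True
        # Drop probability rises linearly from 0 to 1 between the thresholds.
        return self.rng.random() < (occ - self.min_frac) / (self.max_frac - self.min_frac)


class CyclicScheduler:
    """Serves priorities in proportion to PRIORITY_WEIGHTS and round-robins
    among the non-empty queues that share one priority."""

    def __init__(self, queues):
        self.queues = queues
        self.credits = dict(PRIORITY_WEIGHTS)
        self.rr = {prio: 0 for prio in range(8)}

    def _candidates(self, prio):
        return [q for q in self.queues if q.priority == prio and q.packets]

    def next_packet(self):
        """Return (queue name, proto) of the packet forwarded next, or None."""
        for _ in range(2):  # the second pass runs only after a credit refill
            for prio in range(8):
                cands = self._candidates(prio)
                if not cands or self.credits[prio] <= 0:
                    continue
                self.credits[prio] -= 1
                q = cands[self.rr[prio] % len(cands)]
                self.rr[prio] += 1
                return q.name, q.packets.popleft()
            self.credits = dict(PRIORITY_WEIGHTS)  # every waiting priority is spent
        return None


def forwarded_counts(queues, rounds):
    """Run the scheduler for `rounds` dequeues and count packets per queue."""
    sched = CyclicScheduler(queues)
    counts = {q.name: 0 for q in queues}
    for _ in range(rounds):
        item = sched.next_packet()
        if item is None:
            break
        counts[item[0]] += 1
    return counts


def sample_backlog():
    """Constructed sample: three saturated queues at priorities 0, 1 and 2."""
    queues = [PolicyQueue("voip", 0, 1000), PolicyQueue("web", 1, 1000),
              PolicyQueue("bulk", 2, 1000)]
    for q in queues:
        for _ in range(1000):
            q.enqueue("tcp")
    return queues


if __name__ == "__main__":
    print(forwarded_counts(sample_backlog(), 448))  # voip:web:bulk = 4:2:1
```

With all three queues permanently backlogged, 448 dequeues split 256:128:64, the 2:1 ratio between adjacent priorities. Because the scheduler only has an effect while queues are backlogged, the guard in GlobalRed is what keeps the backlog from becoming a full queue that would drop UDP as well.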
Section 8-2 Bandwidth Management Policies
Section 8-2, Bandwidth Management Policies, describes how to define Bandwidth Management policies. This section includes the following topics:
• What is Bandwidth Management Policy, page 8-8
• Bandwidth Management Classification Criteria, page 8-9
• Bandwidth Management Rules, page 8-12
• Policy Index, page 8-15

What is Bandwidth Management Policy
The policy mechanism enables you to classify traffic passing through the Radware device and enforce bandwidth management on it. A policy consists of a set of conditions (classification criteria) and a set of actions that are applied when the conditions are met; this is what the device uses to sort the packets that flow through it.
The policy database is made up of two sections, active and inactive. The temporary, or inactive, policy database contains policies that can be altered and configured without affecting the current operation of the device. As these policies are adjusted, the changes do not take effect until the inactive database is activated. The activation updates the active policy database.

Bandwidth Management Classification Criteria
A policy includes the following traffic classification criteria:
• Source: Defines the source of the traffic. The default value is any, which covers traffic from any source. The source can be a specific IP address or a network. A network is a collection of ranges and/or subnets, so it can cover specific IPs, a range of IP addresses, or IP subnet addresses. You should first configure the networks (see Networks, page 8-25).
• Destination: Defines the destination of the traffic. The default value is any, which covers traffic to any destination.
  Note: To limit or block access to the device's own interface, type the IP address of the interface in the Destination box.
• Direction: Defines the direction of the traffic and has the following values:
  OneWay: Setting the direction to OneWay enables asymmetric Bandwidth Management. When a policy is set to OneWay, the classifier searches for traffic in one direction only and the device classifies only that direction of the traffic; the return traffic is not classified.
  TwoWay: When a policy is set to TwoWay, the classifier searches for traffic in both directions, and the device swaps the source and destination IP addresses (and ports, in case the policy is a Layer 4 or Layer 7 policy) in order to classify the return traffic.
  Session:
    TCP/UDP traffic: Any session opened by user A (with source IP AIP and source port Aport) to user B (with destination IP BIP and destination port Bport) is allowed, as well as the reply traffic from source IP BIP, source port Bport to destination IP AIP, destination port Aport. User B is not permitted to establish a new session with A.
    Non TCP/UDP traffic: Any session opened by user A (with source IP AIP) to user B (with destination IP BIP) using a specific IP protocol is allowed, as well as the reply traffic from source IP BIP to destination IP AIP, as long as it uses the same IP protocol as the packet that opened the session from A to B. User B is not permitted to establish a new session with A.

Examples:
If you have the following rule:
• Source: IP_A
• Destination: IP_B
• Service: HTTP
• Direction: One Way
Only traffic with source IP IP_A and destination IP IP_B, source port X and destination port 80, is classified. The return packet, with source IP IP_B and destination IP IP_A, source port 80 and destination port X, is not classified by this policy.

If you have the following rule:
• Source: NET_A
• Destination: NET_B
• Service: HTTP
• Direction: Two Way
A packet with a source IP belonging to NET_A and a destination IP belonging to NET_B that carries an HTTP request is matched, and so is the return traffic of that session. However, a packet with a source IP belonging to NET_B and a destination IP belonging to NET_A that carries an HTTP request is not matched, even though the policy is set to "two way".
• Service: Defines the traffic type. The default value is none, which covers all protocols. Available Services are very granular: the Service configured per policy can allow the policy to consider other aspects of the packet, such as the protocol (IP/TCP/UDP), TCP/UDP port numbers, bit patterns at any offset in the packet, and actual content (such as URLs or Cookies) deep in the upper layers of the packet (see Services, page 8-19).
• Traffic Flow Identification: Defines what type of traffic flow is to be limited via this policy. The available options are:
  • None
  • Client (source IP)
  • Session (source IP and port)
  • Connection (source IP and destination IP)
  • FullL4Session (source and destination IP and port)
  • SessionCookie (must configure cookie identifier)
• Cookie Field Identifier: A string that identifies the cookie field whose value must be used to tell the different traffic flows apart. The Bandwidth Management classifier searches for the Cookie Field Identifier followed by "=" and classifies flows according to the value that follows.
  Note: This is required only when Traffic Flow Identification is set to SessionCookie.
• Max Number of HTTP Requests per Second: This parameter limits the number of HTTP requests per second per traffic flow, whether the traffic flow identification is SessionCookie or any other option. Using this field, you can limit the number of HTTP GET, POST and HEAD requests arriving from the same user per second. In such a case, the Bandwidth Management module keeps track of new requests per second per traffic flow, as identified above.
• Inbound Physical Port Group: Classifies only traffic received on the selected physical interfaces of the device. This enables you to set different policies for identical traffic classes that are received on different interfaces of the device.
• VLAN Tag Group: Defines VLAN traffic classification according to VLAN ID tags.
Bandwidth Management Rules
Once the traffic is classified and matched to a policy, the Bandwidth Management rules can be applied to the policy.

Action
The action determines the access given to traffic. Possible values include:
• Forward: The connection is accepted and traffic is forwarded to its destination. This is the default value.
• Block: All packets are dropped.
• Block and Reset: All packets are dropped. In TCP traffic, an RST packet is sent to the client.
• Block and Bi-directional Reset: All packets are dropped. In TCP traffic, an RST packet is sent to both client and server.

Priority
If the action associated with the policy is "forward", then the packet is classified according to the configured priority. There are nine available options: Real-time forwarding and priorities 0 through 7.

Guaranteed Bandwidth
If the scheduler is configured to use the CBQ algorithm, the policy can be assigned a minimum (guaranteed) bandwidth. The scheduler will not allow packets that were classified through this policy to exceed this allotted bandwidth, unless borrowing is enabled. The maximum bandwidth configured for the entire device overrides per-policy bandwidth configurations. In other words, the sum of the guaranteed bandwidth for all the policies cannot be higher than the total device bandwidth.

Borrowing Limit
Borrowing can be enabled when the scheduler operates through the CBQ algorithm. If enabled, the scheduler can borrow bandwidth from queues that can spare it, to forward packets from queues that have exceeded (or are about to exceed) their allotted amount of bandwidth. Allowing policies to borrow from each other prevents starvation and utilizes the bandwidth more efficiently. The combination of the Guaranteed Bandwidth and Borrowing Limit field values causes the bandwidth allotted to a policy to behave as follows:

Guaranteed Bandwidth | Borrowing Limit | Policy Bandwidth
0 | 0 | Burstable with no limit, no minimum guaranteed.
X | 0 | Burstable with no limit, minimum of X guaranteed.
0 | Y | Burstable to Y, no minimum guaranteed.
X | Y (Y>X) | Burstable to Y, minimum of X guaranteed.
X | X | Non-burstable, X guaranteed.

Policy Groups
You can define several bandwidth borrowing domains on a device by organizing policies in groups. Only policies that participate in a specific group can share bandwidth. The total bandwidth available for a policy group is the sum of the Guaranteed Bandwidth values of all policies in the group. Bandwidth that is not utilized by a specific policy in a group is allocated proportionally to the other policies.

Policy Group Configuration Guidelines:
1. Set the Global Bandwidth Management parameter Dynamic Borrowing to Enable.
2. Define policy groups.
3. Define the device policies. For each policy, select the policy group to which it belongs, configure Guaranteed Bandwidth with the desired value and set Borrowing Limit to 0.
4. Perform the Update Policies command.
Note: The Borrowing Limit parameter must be set to 0 for all the policies in the group, and the Dynamic Borrowing global parameter must be enabled. The per-policy bandwidth limitation is ignored, as the policy is able to borrow unused bandwidth from the other policies in the group.

Max Concurrent Sessions
The maximum number of concurrent sessions allowed for a client IP.
Note: This option is not available if the Traffic Flow Identifier is set to Session or FullL4Session.

MAX Requests Per Second
When the Traffic Flow Max BW parameter is configured and the Traffic Flow Identification parameter is set to Session Cookie, the device can track and limit the number of requests, such as HTTP GET, POST or HEAD, per Cookie.
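The following Python example is added to this guide to make the Guaranteed Bandwidth / Borrowing Limit table and the policy-group rules concrete; it is not Radware code and does not reproduce the device's scheduler. It turns each (X, Y) pair into a (minimum, maximum) band, checks that the guarantees fit the device bandwidth, gives every policy its guarantee first, then redistributes unused group bandwidth to the group's members in proportion to their guarantees. Two details the guide leaves open are assumptions here: ungrouped policies split whatever the device still has left in equal rounds up to their borrowing limit, and bandwidth a group leaves unused counts as free device bandwidth. The sample policies and loads are constructed.

```python
import math


class Policy:
    """A CBQ policy: guaranteed minimum X (Kbps), Borrowing Limit Y (Kbps,
    0 = no limit) and, optionally, the policy group it belongs to."""

    def __init__(self, name, guaranteed=0, borrowing_limit=0, group=None):
        self.name = name
        self.guaranteed = guaranteed
        self.borrowing_limit = borrowing_limit
        self.group = group


def policy_bounds(policy):
    """The Guaranteed Bandwidth / Borrowing Limit table as (min, max) Kbps:
    limit 0 -> burstable without limit, limit == guarantee -> non-burstable."""
    lo = policy.guaranteed
    hi = math.inf if policy.borrowing_limit == 0 else policy.borrowing_limit
    if hi < lo:
        raise ValueError(f"{policy.name}: Borrowing Limit below Guaranteed Bandwidth")
    return lo, hi


def check_guarantees(policies, device_bw):
    """The sum of all guarantees may not exceed the device (port) bandwidth."""
    total = sum(p.guaranteed for p in policies)
    if total > device_bw:
        raise ValueError(f"guarantees total {total} Kbps > device bandwidth {device_bw} Kbps")


def _hand_out(spare, alloc, hungry, weight_of, ceiling):
    """Give `spare` to the `hungry` policies by weight, never past `ceiling`."""
    total_w = sum(weight_of(p) for p in hungry)
    handed = 0.0
    for p in hungry:
        give = min(spare * weight_of(p) / total_w, ceiling[p.name] - alloc[p.name])
        alloc[p.name] += give
        handed += give
    return handed


def allocate(policies, demand, device_bw):
    """Share device_bw (Kbps) among policies given their offered load `demand`
    (Kbps per policy name); returns Kbps per policy name."""
    check_guarantees(policies, device_bw)
    # 1. Every policy first receives its guarantee, as far as it has demand.
    alloc = {p.name: min(demand[p.name], p.guaranteed) for p in policies}

    # 2. Policy groups are borrowing domains; the pool is the sum of guarantees
    #    and spare pool bandwidth goes to members in proportion to their guarantees.
    groups = {}
    for p in policies:
        if p.group is not None:
            if p.borrowing_limit != 0:
                raise ValueError(f"{p.name}: Borrowing Limit must be 0 inside a policy group")
            groups.setdefault(p.group, []).append(p)
    for members in groups.values():
        spare = sum(p.guaranteed for p in members) - sum(alloc[p.name] for p in members)
        while spare > 1e-9:
            hungry = [p for p in members
                      if demand[p.name] - alloc[p.name] > 1e-9 and p.guaranteed > 0]
            if not hungry:
                break
            spare -= _hand_out(spare, alloc, hungry, lambda p: p.guaranteed, demand)

    # 3. Ungrouped policies burst into the remaining device bandwidth up to
    #    their Borrowing Limit, in equal rounds (assumption).
    ungrouped = [p for p in policies if p.group is None]
    leftover = device_bw - sum(alloc.values())
    while leftover > 1e-9:
        ceiling = {p.name: min(demand[p.name], policy_bounds(p)[1]) for p in ungrouped}
        hungry = [p for p in ungrouped if ceiling[p.name] - alloc[p.name] > 1e-9]
        if not hungry:
            break
        leftover -= _hand_out(leftover, alloc, hungry, lambda p: 1.0, ceiling)
    return alloc


def sample():
    """Constructed sample on a 10 Mbps port: the FTP and HTTP limits and the
    Citrix guarantee of this chapter's example configuration, plus a bulk policy."""
    policies = [
        Policy("ftp", guaranteed=0, borrowing_limit=300),     # burstable to 300
        Policy("http", guaranteed=0, borrowing_limit=1000),   # burstable to 1000
        Policy("citrix_vlan2", guaranteed=2000, group="citrix"),
        Policy("citrix_vlan7", guaranteed=1000, group="citrix"),
        Policy("bulk", guaranteed=1000),                      # burstable, no limit
    ]
    demand = {"ftp": 1000, "http": 500, "citrix_vlan2": 5000,
              "citrix_vlan7": 200, "bulk": 20000}
    return allocate(policies, demand, device_bw=10000)


if __name__ == "__main__":
    print(sample())
```

In the sample the FTP policy is held at its 300 Kbps limit although it offers 1 Mbps, the Citrix group hands the 800 Kbps that VLAN 7 does not use to VLAN 2, and the bulk policy absorbs everything the port has left; the allocations add up to exactly the 10 Mbps configured for the port, which is why the per-port bandwidth has to be set correctly before borrowing or prioritization is used.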
Note: Whenever bandwidth borrowing and/or prioritization is applied, the maximum bandwidth available for allocation per physical port must be configured (for example, if a device's Fast Ethernet port is connected to a router that supports up to 2 Mbps, the bandwidth for this port must be set to 2 Mbps). The default setting is according to the physical port size (100 Mbps). See Port Bandwidth, page 8-38.

Traffic Flow Max BW
The maximum bandwidth allowed per traffic flow, as identified by the Traffic Flow Identification parameter.

Packet Marking
Packet Marking refers to Differentiated Services Code Point (DSCP), or Diffserv. It enables the device to mark the matched packet with a range of bits.

Report Blocked Packets
Report Blocked Packets enables you to define whether blocked traffic is reported. The following configuration options are available:
• Disable: Disables the capability.
• Report Blocked Packets: The device sends reports about the blocked packets via Syslog, e-mail and traps.
• Security Event: Enables reporting of blocked packets to the Application Security logs.

Policy Index
The Policy Index, or order, is a number that determines the order of the policy in the entire policy database. When the classifier receives a packet, it tries to find a policy that matches the packet. The classifier searches the policy database starting with policy #1 and proceeding through the database in index order. Once a policy is matched, the search stops. Using this logic, the last configured policy is the "default" policy: in other words, the very last policy configured should be the policy that is enforced on all packets that do not match any other policy.
Note: It is recommended to configure the most frequently used policies first.

Activation/Inactivation Schedule
Sometimes specific policies in a network must remain inactive during certain hours of the day, or a certain policy must be activated in the middle of the night. For example, a school library may want to block instant messaging during school hours but allow it after school hours, or an enterprise may assign high priority to mail traffic between 08:00-10:00.
You can schedule the activation and inactivation of specific Bandwidth Management policies. Using the Event Scheduler, you can create events which can then be attached to a policy's configuration. Events define the date and time at which an action must be performed.

To define events in the Event Scheduler:
1. In the main window, select APSolute OS > BWManagement. The Bandwidth Management window appears.
2. In the Bandwidth Management window, click Policy Scheduler. The Event Scheduler window appears.
3. In the Event Scheduler window, click Modify > Add.
4. Set the following parameters according to the explanations provided:
   Name: The name of the event.
   Frequency: How often the event occurs: once, daily or weekly.
   Days: If the Frequency selected is weekly, you must configure on which day the event occurs.
   Time (HHMM): The time on the designated day. Default value: 12:00 am (0000). Note: In case multiple days are selected, the Time value is the same for all the configured days on which the event occurs.
   Date (DDMMYYYY): If the Frequency selected is once, you must configure the date on which the event occurs.
5. Click Add. The new event appears in the Events table.

To apply an event to a policy:
1. In the main window, select APSolute OS > BWManagement. The Bandwidth Management window appears.
2. In the Bandwidth Management window, click Modify > Add. The Edit Policy window appears.
3. In the Edit Policy window, click Advanced. The Advanced pane appears.
4. To activate a specific event for this policy, from the Activation Schedule dropdown list, select the event that you want to apply to this policy and click Ok.
5. To inactivate a specific event for this policy, from the Activation Schedule dropdown list, select the event that you want to inactivate and click Ok.
6. To create a new event, click Schedule Table and define a new event (see page 8-16).
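The following Python example is added to this guide to show, in one place, the first-match search described under Policy Index together with the OneWay/TwoWay/Session direction semantics and the network definitions described under Bandwidth Management Classification Criteria; it is not Radware code. Networks are named collections of subnets and ranges (several entries under one name), the classifier walks the policies in index order and stops at the first match, and reply packets of TwoWay and Session policies are recognised by swapping the addresses and ports of the opening packet. Two simplifications are assumptions: TwoWay and Session are modelled identically, and a packet that matches no policy yields None (the guide tells you to make the last policy a catch-all instead). The addresses and policies are constructed.

```python
import ipaddress


class Network:
    """A named collection of IP subnets and/or ranges. Several entries may
    share one name; the name then points at all of them."""

    def __init__(self, name, *entries):
        self.name = name
        self.entries = []
        for entry in entries:
            self.add(entry)

    def add(self, entry):
        if isinstance(entry, tuple):  # ("first", "last") IP range
            self.entries.append((ipaddress.ip_address(entry[0]), ipaddress.ip_address(entry[1])))
        else:                         # "a.b.c.d/prefix" subnet
            self.entries.append(ipaddress.ip_network(entry, strict=False))
        return self

    def contains(self, ip):
        ip = ipaddress.ip_address(ip)
        for entry in self.entries:
            if isinstance(entry, tuple):
                if entry[0] <= ip <= entry[1]:
                    return True
            elif ip in entry:
                return True
        return False


ANY = None  # the "any" value of Source, Destination, Service


class Policy:
    def __init__(self, name, src=ANY, dst=ANY, proto=ANY, dst_port=ANY,
                 direction="OneWay", action="Forward"):
        self.name, self.src, self.dst = name, src, dst
        self.proto, self.dst_port = proto, dst_port
        self.direction, self.action = direction, action

    def matches(self, pkt):
        """Forward-direction match of the classification criteria."""
        return ((self.src is ANY or self.src.contains(pkt["src"])) and
                (self.dst is ANY or self.dst.contains(pkt["dst"])) and
                (self.proto is ANY or self.proto == pkt["proto"]) and
                (self.dst_port is ANY or self.dst_port == pkt.get("dport")))


def session_key(pkt):
    """5-tuple for TCP/UDP; address pair plus protocol for anything else."""
    if pkt["proto"] in ("tcp", "udp"):
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
    return (pkt["src"], None, pkt["dst"], None, pkt["proto"])


def reverse_key(key):
    src, sport, dst, dport, proto = key
    return (dst, dport, src, sport, proto)


class Classifier:
    """Searches the policy database in index order and stops at the first
    match, so the last policy in the list acts as the default."""

    def __init__(self, policies):
        self.policies = list(policies)
        self.sessions = {}  # opening key -> policy name (TwoWay/Session policies only)

    def classify(self, pkt):
        key = session_key(pkt)
        hit = self.sessions.get(reverse_key(key))  # reply of a known session
        if hit is not None:
            return hit
        for pol in self.policies:
            if pol.matches(pkt):
                if pol.direction in ("TwoWay", "Session"):
                    self.sessions[key] = pol.name
                return pol.name
        return None  # only reached when the operator left no catch-all policy


def run_sample():
    ip_a, ip_b = Network("IP_A", "192.0.2.10/32"), Network("IP_B", "198.51.100.5/32")
    net_a = Network("NET_A", "192.0.2.0/24", ("10.1.1.1", "10.1.1.7"))  # two entries, one name
    net_b = Network("NET_B", "198.51.100.0/24")
    clf = Classifier([
        Policy("http-a-to-b", ip_a, ip_b, "tcp", 80, direction="OneWay"),
        Policy("http-nets", net_a, net_b, "tcp", 80, direction="TwoWay"),
        Policy("default-block", action="Block"),  # last policy = default
    ])

    def tcp(src, sport, dst, dport):
        return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": "tcp"}

    return [
        clf.classify(tcp("192.0.2.10", 40000, "198.51.100.5", 80)),   # OneWay policy, forward direction
        clf.classify(tcp("198.51.100.5", 80, "192.0.2.10", 40000)),   # its reply: OneWay ignores it
        clf.classify(tcp("10.1.1.3", 41000, "198.51.100.9", 80)),     # TwoWay policy opens a session
        clf.classify(tcp("198.51.100.9", 80, "10.1.1.3", 41000)),     # reply recognised by swapped key
        clf.classify(tcp("198.51.100.9", 50000, "10.1.1.3", 80)),     # new session B->A: not matched
        clf.classify(tcp("192.0.2.10", 40001, "198.51.100.5", 443)),  # wrong port: falls to default
    ]


if __name__ == "__main__":
    print(run_sample())
```

The second packet is the practitioner's caveat in miniature: the reply to a session accepted by a OneWay policy is not classified by that policy, so it falls through to whatever comes next in the index, here the blocking default. Order policies so that the default really is last, and use TwoWay or Session when return traffic must follow the same rule.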
Section 8-3 Bandwidth Management Classes
Section 8-3, Bandwidth Management Classes, explains how to define a service. A service gives the classifier flexibility, as it provides the system with a large number of possibilities for packet identification. This section includes the following topics:
• Services, page 8-19
• Networks, page 8-25
• Port Groups, page 8-26
• VLAN Tag Groups, page 8-27

Services
A very advanced and granular set of services can be configured within the Bandwidth Management system. This provides tremendous flexibility for the classifier, as it essentially gives the system a large number of possibilities for packet identification. Services are configured separately from policies. As each policy is configured, it can be associated with a configured Service. The Service associated with a policy in the policy database can be a basic filter, an advanced filter, or a filter group.

Basic Filters
The basic building block of a Service is a basic filter. A basic filter is made up of the following components:
• Protocol: The specific protocol that the packet should carry. The possible choices are IP, TCP, UDP and ICMP. If the protocol is configured as "IP", all IP packets (including TCP and UDP) are considered. When configuring the TCP or UDP protocol, some additional parameters are also available:
• Destination Port (From-To): Destination port number for the selected protocol. For example, for HTTP, the protocol would be configured as TCP and the destination port as 80. The port configuration also allows a range of ports to be configured.
• Source Port (From-To): Similar to the destination port, the source port that a packet should carry to match the filter.
• Offset Mask Pattern Condition (OMPC): The OMPC is a means by which any bit pattern can be located for a match at any offset in the packet. This can help in locating specific bits in the IP header, for example; the TOS and Diff-serv bits are perfect examples of where OMPCs can be useful. It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured, the packet needs to match the configured protocol (and ports) AND the OMPC.

Content
When the configured protocol is TCP or UDP, it is possible to search for any text string in the packet. By allowing a filter to take the actual content of a packet/session into account, the classifier gains a powerful way to recognize and classify an even wider array of packets and sessions. The service editor allows you to choose between multiple types of configurable content: URL, hostname, HTTP header field, cookie, mail from, mail to, mail subject, mail domain, file type, regular expression, and text.
If the content type is "URL", the session is assumed to be HTTP with a GET, HEAD, or POST method. The classifier searches the URL following the GET/HEAD/POST to find a match for the configured text. In this case, the configured offset is meaningless, since the GET/HEAD/POST is in a fixed location in the HTTP header. HTTP URLs are perfect examples of how a text search can aid in classifying a session.
If the content type is "text", a text pattern can be searched for at any offset in the packet: the entire packet is searched for the content text, starting at the configured offset.
Like OMPCs, the configuration of content rules is not mandatory. However, if a content rule exists in the filter, then the packet needs to match the configured protocol (and ports), the configured OMPC (if one exists), AND the configured content rule.

Advanced Filters and Filter Groups
An Advanced Filter is a combination of basic filters with a logical AND between them. Let's assume filters F1, F2, and F3 have been individually configured. Advanced filter AF1 can be defined as:
AF1 = {F1 AND F2 AND F3}
In order for AF1 to be a match, all three filters (F1, F2, and F3) must match the packet being classified.
A Filter Group is a combination of basic filters and advanced filters, with a logical OR between them. To continue the example above, filter group FG1 can be defined as:
FG1 = {AF1 OR F4 OR F6}
In order for filter group FG1 to be a match, either advanced filter AF1, basic filter F4, or basic filter F6 has to match the packet being classified.

Predefined Services for Bandwidth Management
Radware devices are preconfigured with a set of basic filters and group filters that represent applications commonly found in most networks. Table 8-1 lists the predefined Bandwidth Management filters for each service.

Table 8-1 Predefined Bandwidth Management Filters

Service Name | Description | Filter Type
ERP/CRM
sap | | Basic
Database
mssql | Microsoft SQL service group | Group
mssqlmonitor | SQL monitoring traffic | Basic
mssql-server | SQL server traffic | Basic
oracle | Oracle database application service group | Group
oracle-v1 | Oracle SQL*Net v1-based traffic (v6, Oracle7) | Basic
oracle-v2 | Oracle SQL*Net v2/Net8-based traffic (Oracle7, 8i, 8, 9i) | Basic
oracle-server1 | Oracle Server (e-business solutions) on port 1525 | Basic
oracleserver2 | Oracle Server (e-business solutions) on port 1527 | Basic
oracleserver3 | Oracle Server (e-business solutions) on port 1529 | Basic
Thin Client or Server Based
citrix | Citrix connectivity application service group. Enables any type of client to access applications across any type of network connection. | Group
citrix-ica | Citrix Independent Computer Architecture (ICA) | Basic
citrix-rtmp | Citrix RTMP | Basic
citrix-rtmp | Citrix RTMP | Basic
citrix-ima | Citrix Integrated Management Architecture | Basic
citrix-maclient | Citrix MA Client | Basic
citrix-admin | Citrix Admin | Basic
Peer-to-Peer
p2p | Peer-2-Peer applications | Group
edonkey | File sharing application | Basic
gnutella | File sharing and distribution network | Basic
fasttrack | User-to-User Media Exchange | Basic
Kaaza | Kaaza File Sharing Application (Note: Music City Morpheous and Grokster also classify as Kazza) | Basic
Internet
dns | Domain Name Server protocol | Basic
ftp-session | File Transfer Protocol service, both FTP commands and data | Basic
http | Web traffic | Basic
http-alt | Web traffic on port 8080 | Basic
https | Secure Web traffic | Basic
icmp | Internet Control Message Protocol | Basic
ip | IP traffic | Basic
nntp | Usenet NetNews Transfer Protocol | Basic
telnet | |
tftp | |
udp | |
Instant Messaging
aol-msg | AOL Instant Messenger | Basic
icq | ICQ | Basic
msn-msg | MSN Messenger Chat Service | Basic
yahoo-msg | Yahoo Messenger | Group
yahoo-msg1 | Yahoo Messenger on port 5000 | Basic
yahoo-msg2 | Yahoo Messenger on port 5050 | Basic
yahoo-msg3 | Yahoo Messenger on port 5100 | Basic
Email
mail | | Group
smtp | | Basic
imap | | Basic
pop3 | | Basic
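The following Python example is added to this guide to show how a basic filter's protocol, port range, OMPC and content rule combine with AND, how an advanced filter ANDs basic filters, and how a filter group ORs both kinds; it is not Radware code and the predefined services above are not reproduced. The OMPC compares only the bits selected by the mask at the given offset; the sample uses it to recognise the DSCP EF code point in the TOS byte of a constructed IPv4 header. The packets, the header bytes and the filter names (AF1 and FG1 follow the text) are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass
class OMPC:
    """Offset Mask Pattern Condition: the bits selected by `mask`, starting at
    `offset` in the packet, must equal the same bits of `pattern`."""
    offset: int
    mask: bytes
    pattern: bytes

    def matches(self, raw: bytes) -> bool:
        window = raw[self.offset:self.offset + len(self.mask)]
        if len(window) < len(self.mask):
            return False
        return all((b & m) == (p & m) for b, m, p in zip(window, self.mask, self.pattern))


@dataclass
class Content:
    """Content rule: 'URL' searches the request target after GET/HEAD/POST
    (offset ignored); 'text' searches the payload from `offset` onwards."""
    ctype: str
    text: bytes
    offset: int = 0

    def matches(self, payload: bytes) -> bool:
        if self.ctype == "URL":
            m = re.match(rb"(GET|HEAD|POST) (\S+)", payload)
            return bool(m) and self.text in m.group(2)
        return self.text in payload[self.offset:]


@dataclass
class BasicFilter:
    name: str
    protocol: str                                  # "IP", "TCP", "UDP" or "ICMP"
    dst_ports: Optional[Tuple[int, int]] = None    # From-To range
    src_ports: Optional[Tuple[int, int]] = None
    ompc: Optional[OMPC] = None
    content: Optional[Content] = None

    def matches(self, pkt) -> bool:
        if self.protocol != "IP" and pkt["proto"] != self.protocol:  # "IP" covers TCP and UDP too
            return False
        if self.dst_ports and not self.dst_ports[0] <= pkt.get("dport", -1) <= self.dst_ports[1]:
            return False
        if self.src_ports and not self.src_ports[0] <= pkt.get("sport", -1) <= self.src_ports[1]:
            return False
        # protocol/ports AND OMPC AND content: every configured part must hold
        if self.ompc and not self.ompc.matches(pkt["raw"]):
            return False
        if self.content and not self.content.matches(pkt["payload"]):
            return False
        return True


@dataclass
class AdvancedFilter:
    """Logical AND of basic filters."""
    name: str
    filters: List[BasicFilter]

    def matches(self, pkt) -> bool:
        return all(f.matches(pkt) for f in self.filters)


@dataclass
class FilterGroup:
    """Logical OR of basic and advanced filters."""
    name: str
    members: List[Union[BasicFilter, AdvancedFilter]]

    def matches(self, pkt) -> bool:
        return any(m.matches(pkt) for m in self.members)


def ipv4_header(tos: int) -> bytes:
    """Constructed minimal 20-byte IPv4 header; only the TOS byte matters here."""
    return bytes([0x45, tos]) + b"\x00" * 18


def sample_packets():
    """Constructed packets; 0xB8 in the TOS byte is DSCP EF."""
    def mk(proto, sport, dport, tos, payload):
        return {"proto": proto, "sport": sport, "dport": dport,
                "raw": ipv4_header(tos), "payload": payload}
    return {
        "ef_login": mk("TCP", 40000, 80, 0xB8, b"GET /login HTTP/1.1\r\nHost: x\r\n"),
        "be_login": mk("TCP", 40001, 80, 0x00, b"GET /login HTTP/1.1\r\nHost: x\r\n"),
        "ef_index": mk("TCP", 40002, 80, 0xB8, b"GET /index.html HTTP/1.1\r\n"),
        "dns": mk("UDP", 53000, 53, 0x00, b"\x12\x34\x01\x00"),
    }


def run_sample():
    f_http = BasicFilter("http", "TCP", dst_ports=(80, 80))
    f_ef = BasicFilter("dscp-ef", "IP", ompc=OMPC(1, b"\xfc", b"\xb8"))  # top six bits of TOS
    f_login = BasicFilter("login-url", "TCP", dst_ports=(80, 80), content=Content("URL", b"/login"))
    f_dns = BasicFilter("dns", "UDP", dst_ports=(53, 53))
    f_https = BasicFilter("https", "TCP", dst_ports=(443, 443))
    af1 = AdvancedFilter("AF1", [f_http, f_ef, f_login])   # F1 AND F2 AND F3
    fg1 = FilterGroup("FG1", [af1, f_dns, f_https])        # AF1 OR F4 OR F6
    return {name: (af1.matches(p), fg1.matches(p)) for name, p in sample_packets().items()}
```

The "be_login" packet is the one to note: it is an HTTP request for /login on port 80, but without the EF marking the OMPC member of AF1 fails, and since none of FG1's other members cover it either, the group does not match. Filters are conjunctive inside a basic or advanced filter, so one unmet component is enough to exclude a packet.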
Networks
What is a Network?
A Network is a logical entity that consists of a group of IP addresses linked together by a network IP and subnet, or by a range of IP addresses (from-to), and is identified by a name. An entry in the Network list is known as a configured "name" and can be either an IP/Mask combination or an IP range; the Network list allows either configuration. A Network can be configured separately, and individual elements of the Network list can then be used in individual policies.
The Bandwidth Management module allows multiple Networks to have the same configured "name". This allows a Network with the name "net1" to actually encompass multiple disjointed IP address ranges. For example, network "net1" can be 10.1.1.0/255.255.255.0 and network "net2" can be from 10.1.1.1 to 10.1.1.7. Essentially, this makes the Network "name" a logical pointer to all ranges configured with that name. This further facilitates the configuration and management of the system.
Configuration Guidelines
To configure a Network:
• In the main window, select APSolute OS > Classes > Networks > Modify > Add.

Port Groups
Port Groups enable you to set different policies for identical traffic classes that are received on different interfaces of the device. For example, you can allow HTTP access to the main server only to traffic entering the device via physical interface 3. This provides greater flexibility in configuration. You should first configure Port Groups.
Configuration Guidelines
To configure Port Groups:
• In the main window, select APSolute OS > Classes > Port Groups > Physical Port Groups.

VLAN Tag Groups
VLAN Tag Groups allow you to set different policies for identical traffic classes that are received with different values of 802.1q VLAN Tags. For example, you can allow SMTP access to the internet only to traffic tagged with a VLAN Tag with a specific value. This provides greater flexibility in configuration. You must first configure VLAN Tag Groups.
Configuration Guidelines
To configure VLAN Tag Groups:
• In the main window, select APSolute OS > Classes > Port Groups > VLAN Tag Groups.
Example - Bandwidth Management Configuration
The example configuration for Bandwidth Management addresses the following tasks:
• Limit FTP traffic to the servers 20.10.1.3, 20.10.1.7 and 20.10.3.17, incoming via physical port 5 or 7, to 300 Kbps.
• Guarantee 2 Mbps to Citrix traffic running on VLAN 2 and VLAN 7.
• Limit HTTP traffic to and from the internal network 10.x.x.x to 1 Mbps.
• Prevent the infection of the network by the e-mail virus named "Love Letter".

Configuration
1. In the main window, select APSolute OS > BWManagement. The Bandwidth Management window appears.
2. In the Bandwidth Management window, click Access Control & BWM Parameters. The BWM Global Parameters window appears.
3. In the BWM Global Parameters window, set the following parameters according to the explanations provided:
   Classification Mode: Policies
   Application Classification: Per Session
   Scheduling Algorithm: CBQ
4. Click Ok.
5. Configure the required Physical Port Group:
   a. In the Bandwidth Management window, click Port Groups. The Port Groups window appears.
   b. In the Port Groups window, click Physical Port Groups.
   c. Select the Modify Table tab and click Add. The Edit Physical Port Group window appears.
   d. In the Groups text box, enter a new group: FTP ports.
   e. Select the port 5 and port 7 checkboxes.
   f. Click Ok to apply the setup and close the window.
6. Configure the required VLAN Tag Groups:
   a. In the Port Groups window, click VLAN Tag Groups.
   b. Select the Modify Table tab and click Add. The Edit VLAN Tag Groups window appears.
   c. In the Edit VLAN Tag Groups window, create two separate entries for the Citrix VLAN by setting the following parameters according to the explanations provided:
      Group Name: Citrix VLAN
      Group Mode: Discrete
      VLAN Tag: 2 (first entry), 7 (second entry)
   d. Click Ok and then click Update Modifications.
7. Add two networks:
   a. In the Bandwidth Management window, click Classes. The Classes window appears.
   b. In the Classes window, click Networks. The Network Table window appears.
   c. Select the Modify tab and click Add. The Edit Network Table window appears.
   d. In the Edit Network Table window, set the following parameters according to the explanations provided:
      Network Name: FTP Servers
      Network Mode: IP Range
      From Address: Create three separate entries for the FTP Servers, with the addresses 20.10.1.3, 20.10.1.7 and 20.10.3.17.
      To Address: The same as the From Address.
   e. In the same manner, add the second network by setting the following parameters according to the explanations provided:
      Network Name: Internal
      Network Mode: IP Mask
      From Address: 10.0.0.0
      To Address: 255.0.0.0
   f. Click Ok to apply the setup and close the window.
8. Configure the Basic Filter to identify the e-mail virus:
   a. In the Bandwidth Management window, click Classes. The Classes window appears.
   b. Click Add Regular. The New Service pane appears.
   c. In the New Service pane, set the following parameters according to the explanations provided:
      Service Name: Love Letter
      Protocol: TCP
      Content Type: Mail Subject
      Content: Love Letter
   d. Click Add Service and then click Update Active Classes.
9. Configure the Policies:
   a. In the Bandwidth Management window, click Modify and then click Add. The Edit Policy window appears.
   b. In the Edit Policy window, add the following four policies according to the explanations provided:
      To limit FTP traffic to the FTP servers via ports 5 and 7 to 300 Kbps:
      Policy Name: FTP
      Service Type: Regular
      Service: FTP
      Source: Any
      Destination: FTP Servers
      Direction: Oneway
      Action: Forward
      Priority: 4
      Inbound Physical Group: FTP Ports
      Borrowing Limit: 300

      To guarantee 2 Mbps to Citrix traffic running on VLAN 2 and 7:
      Policy Name: Citrix
      Service Type: Group
      Service: Citrix
      Source: Any
      Destination: FTP Servers
      Direction: Twoway
      Action: Forward
      Priority: 2
      Guaranteed Bandwidth: 2000

      To limit HTTP traffic to the local network to 1 Mbps:
      Policy Name: HTTP
      Service Type: Regular
      Service: HTTP
      Source: Any
      Destination: Internal
      Direction: Twoway
      Action: Forward
      Priority: 3
      Inbound Physical Group: FTP Ports
      Borrowing Limit: 1000

      To block the "Love Letter" e-mail virus:
      Policy Name: Virus Love Letter
      Service Type: Regular
      Service: Love Letter
      Source: Any
      Destination: Any
      Direction: Twoway
      Action: Block
10. Click Ok to apply the setup and close the window.

Section 8-4 Protocol Discovery
Section 8-4, Protocol Discovery, describes the Protocol Discovery feature, which allows you to recognize the different applications running on your network by creating Protocol Discovery Policies. This section includes the following topics:
• What is Protocol Discovery, page 8-34
• Protocol Discovery Policies, page 8-35

What is Protocol Discovery
To use the Bandwidth Management module in an optimal way, network administrators must be aware of the different applications running on their network and the amount of bandwidth they consume. The Protocol Discovery feature provides a full view of the different protocols running on the network. This feature can be activated on the entire network or on separate subnetworks by defining Protocol Discovery policies.

Protocol Discovery Policies
A Protocol Discovery policy consists of a set of traffic classification criteria, which includes:
• Source: Defines the source of the traffic.
  It can be a specific IP address or a network. A network is a collection of ranges and/or subnets, so it can cover specific IPs, a range of IP addresses, or an IP subnet address. The default value is any, which covers traffic from any source. You should first configure the Networks.
• Destination: Defines the destination of the traffic. The default value is any, which covers traffic to any destination.
• Direction: Defines the direction of the traffic. It can be One Way (from Source to Destination) or Two Way.
• Source MAC Address Group: Enables you to discover the applications and protocols present in the traffic sent by a transparent network device (firewall, router).
• Destination MAC Group: Enables you to discover the applications and protocols present in the traffic sent to a transparent network device (firewall, router).
• Inbound Physical Port Group: Classifies only traffic received on certain interfaces of the device. This enables you to set different policies for identical traffic classes that are received on different device interfaces.
• VLAN Tag Group: Defines VLAN traffic classification according to VLAN ID tags.

Protocol Discovery Configuration Guidelines
To configure Protocol Discovery:
1. In the main window, select APSolute OS > Bandwidth Management. The Bandwidth Management window appears.
2. In the Bandwidth Management window, click Protocol Policies. The Protocol Discovery Policies window appears.
3. In the Protocol Discovery Policies window, click Add. The Edit Protocol Policy window appears.
4. In the Edit Protocol Policy window, set the parameters according to the traffic classification criteria explained above.
5. Click Ok to accept your changes and close the window.

To view the results:
1. Open the Protocol Discovery Policies window as explained above in steps 1-2.
2. In the Protocol Discovery Policies window, click View Protocol Statistics. The Protocol Statistics window appears.
Section 8-5 Interface Classification

Section 8-5, Interface Classification, describes the process of interface classification which is designed to enhance Bandwidth performance. This section includes the following topics:
• Port Bandwidth, page 8-38
• Interface Classification, page 8-39

Port Bandwidth

In order to optimize the queuing algorithm, it is essential for the Bandwidth Management module to be aware of the maximum available ports' bandwidth. The queuing mechanism only starts functioning upon link saturation, and configuring the maximum throughput is the only way of determining if the link is saturated. By default, the maximum available throughput is determined by the port type: 100 Mbps for FE ports and 1 Gbps for Giga ports. This can be configured via the BWM Port Bandwidth table.

To define a port's maximum available bandwidth:
1. In the main window, select the CID device icon and click the Panel View icon from the main toolbar. The panel view appears.
2. Right-click the required port (F1, F2, and so on) and select Interface Parameters. The Interface Parameters window appears.
3. In the Interface Parameters window, set the Available Bandwidth parameter for the selected port in Kbps and click Ok.

Interface Classification

To increase performance, the Bandwidth Management module can be configured to exclude traffic running through certain physical ports and/or VLANs from the classification effort. In this way, valuable processing time can be saved while enabling a simpler method of configuring the device. You may cancel classification according to Port or according to VLAN.

To cancel Interface Classification by port:
1. In the main window, select APSolute OS > Bandwidth Management. The Bandwidth Management window appears.
2. In the Bandwidth Management window, click Interface Classification. The Interface Classification window appears.
3. In the Interface Classification window, select Cancel Classification by Port and set the following parameters according to the explanations provided:
Inbound Port: The number of the required port for inbound traffic.
Outbound Port: The number of the required port for outbound traffic.
Direction: The direction of the flow through each port. Values can be Oneway (the traffic flows in through the Inbound Port and out through the Outbound Port) or Twoway (the traffic flows both ways through both ports).
4. Click Add to add your parameter settings to the table.
5. Click Ok to record your changes and close the window.

To cancel Interface Classification by VLAN:
1. In the main window, select APSolute OS > Bandwidth Management. The Bandwidth Management window appears.
2. In the Bandwidth Management window, click Interface Classification. The Interface Classification window appears.
3. In the Interface Classification window, select Cancel Classification per VLAN.
4. Select the checkboxes for the VLANs for which you want to cancel classification.
5. Click Ok to record your changes and close the window.

Chapter 9 - Security

Chapter 9, Security, provides a general overview of the APSolute OS Security modules and sub-modules, as well as an explanation of the signatures database and Radware Security Update Service (SUS). This chapter contains the following sections:
• Section 9-1: Security Overview, page 9-2
• Section 9-2: Managing the Signatures Database, page 9-25
• Section 9-3: Intrusions, page 9-43
• Section 9-4: DoS/DDoS, page 9-72
• Section 9-5: Behavioral DoS, page 9-106
• Section 9-7: SYN Flood Protection, page 9-123
• Section 9-8: Protocol Anomalies, page 9-142
• Section 9-9: Anti-Scanning, page 9-156
• Section 9-10: Session Table, page 9-171
• Section 9-11: Evasion Techniques, page 9-176
• Section 9-12: Security Events and Reports, page 9-184

Section 9-1 Security Overview

Section 9-1 introduces CID security and presents an overview of the security modules. This section includes the following topics:
• Security Introduction, page 9-3
• Security Modules, page 9-6
• Setting Up Security Policies in the Connect and Protect Table, page 9-10
• Enabling Protection and Setting Up General Security Parameters, page 9-12
• Defining Connectivity, page 9-19
• Suspend Table, page 9-23

Security Introduction

Radware's CID isolates, detects, and blocks application attacks at multi-Gigabit speed, maintaining the legitimate traffic of end users and customers. CID provides secure Internet connectivity with high performance, protecting against viruses, worms, DoS attacks, intrusions, and anomalies. CID performs deep packet inspection at multi-Gigabit speed to provide security from the network layer up to the application layer, with advanced mitigation tools that focus on:
• Intrusions
• DoS
• Anomalies
• SYN Flood
• Anti-Scanning
Protection is provided for applications, network equipment, operating systems, and resources behind the device.

Detecting
The security modules detect known and unknown attacks. The system implements a multi-layer approach to security that combines several mechanisms for attack detection. The security modules use a constantly updated signatures database for attack detection. Known attacks are detected by searching for attack signatures within the scanned packets; known attack detection is applied by defining Protection Policies. A profile binds together network addresses and physical ports with a profile of attack protection. Unknown attacks are detected using protocol anomaly inspection, which can detect anomalies on layer 3, 4, and 7 protocols. The security modules detect IP and UPI protocol anomalies using the Anomaly module/tool. The security modules also protect against network port scanning using the Anti-Scanning module/tool. Hackers perform scanning prior to launching an attack, looking for open TCP or UDP ports on the target machine. Blocking this scanning prevents attacks from being launched.

Protecting
The security modules protect network and application level resources against attacks destined for the internal IP addresses of the network elements or attacks destined for the device.

Preventing
The security modules enable real-time prevention of attacks within the defined network. The attack attempts are blocked by terminating the sessions as they are recognized, either by dropping the malicious packets or by resetting the connection. Both source and destination reset options are supported.

Reporting
When a security module detects an attack, it reports the security event. An event consists of complete traffic information, including source and destination IP addresses, TCP/UDP port numbers, physical interface, date and time of attack, and so on. Event information is registered internally via the device log file and alerts table, or externally via the Syslog channel, SNMP Traps, or e-mails. Using Configware Insite, you can produce advanced statistic reports, for example, top attacks, attacks per IP address, total attack traffic, and more.

Radware Security Update Service on the Web
Radware's Security Update Service delivers immediate and ongoing security filter updates, protecting against the latest security exploits including viruses, worms and malicious attack signatures to safeguard your applications, network and users. Radware Security Update Service is available on a one-year or multiyear subscription basis for all CID and APSolute OS Security customers.

Note: For up-to-date security information, see the Radware Security Zone on the Radware website: http://www.radware.com/content/support/securityzone/serviceinfo/default.asp

Security Modules

CID Security comprises the following modules:
• Intrusions
• DoS/DDoS
• SYN Floods
• Anomalies
• Anti-Scanning

Intrusions
Intrusion prevention is a security technology that attempts to identify potential intrusions into computer systems and prevent their damage by blocking attacks. Application level attacks are aimed at mission critical applications. These attacks threaten application integrity and bring networks and applications down. Most attacks target web applications, and therefore cannot be blocked by access control devices. The CID Intrusions module provides protection against application specific attacks, which are targeted to damage various network resources and disable the attacked system. These attacks include the following categories:
• Web Server attacks aiming to damage or exploit web servers.
• Attacks on services, such as FTP or RPC.
• E-mail attacks, for example, sending worms via E-mail.

DoS/DDoS
When hackers send mass volumes of traffic, they overload networks or servers, thus causing denied access for real users. This is known as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks. The Denial of Service (DoS) attacks are intended to compromise the availability of a computing resource. Usually DoS attacks include ICMP floods, UDP floods and TCP-SYN floods that consume network bandwidth and prevent normal transport of the legitimate traffic.

Radware's security scheme, implemented by the DoS Shield module which is part of the APSolute OS architecture, provides organizations with extensive Denial of Service (DoS) detection and protection capabilities while maintaining high network throughput. The DoS Shield section describes the process of protection against Denial of Service attacks provided by the CID DoS Shield module.

The CID DoS protection module provides real time DoS protection through the use of an advanced sampling mechanism. DoS Shield samples traffic flowing through the device and limits the bandwidth of traffic that was recognized as a DoS attack using a predefined action. This mechanism compares sampled traffic with a list of attack signatures (attacks in Dormant state), which are part of the CID attack database. The attacks' signatures look for known flood tools by recognizing unique bit patterns within the sampled traffic. Once the activation threshold of an attack in the Dormant state is met, its status changes to Currently Active, which means that each and every packet is matched with the signature file of this Currently Active attack. If a match is found, the packet is dropped. In case there is no match the packet is forwarded to the network. This unique mechanism facilitates DoS and DDoS protection for high capacity networks. This module provides protection against flooding of UDP, TCP and ICMP.

SYN Floods
A SYN flood attack is a denial of service attack where the attacker sends a huge amount of please-start-a-connection packets and no follow up packets. CID provides protection against any type of SYN flood attack, irrespective of the tools that are used to launch the attack. This protection service utilizes a mechanism called SYN Cookies that performs delayed binding (terminates TCP sessions) and inserts a certain signature into the TCP sequence field. CID only processes requests that include the signature that was inserted previously. This mechanism guarantees that only legitimate requests are sent to the servers.

SYN Flood Protection is a service intended to protect the hosts located behind the device and the device itself from SYN flood attacks by performing delayed binding. The SYN Flood attack is performed by sending a SYN packet without completing the TCP three-way handshake, aimed to consume servers' resources. Another type of SYN Flood attack is done by completing the TCP three-way handshake, but no data packets are sent afterwards. Radware provides complete protection against both types of SYN Flood attacks. After the completion of the three-way handshake, half open TCP connections are terminated by the CID and do not flood the servers, as well as the CID itself. The attacks are detected and blocked by means of SYN Flood Protection Policies. The reports regarding the current attacks appear in the Active Triggers table.

Anomalies
To avoid detection, hackers may use evasion techniques, such as splitting packets and sending attacks in fragments. An attack that contains fragmented packets is called a Protocol Anomaly attack. The Protocol Anomaly attacks are detected and blocked using the Protocol Anomaly Protection mechanism. The Anomalies module provides protection using two sub-groups:
• Protocol Anomaly Protection
• HTTP Anomaly Protection
Protection against Protocol Anomaly attacks is achieved by dropping the malicious packets.

Anti-Scanning
Prior to launching an attack, a hacker normally tries to identify which TCP and UDP ports are open. An open port represents a service, application, or backdoor. Ports that are unintentionally left open can create a serious security problem. The Anti-Scanning module provides a mechanism aimed at preventing hackers from gaining this information by blocking and altering server replies sent to the hacker. This module provides protection against network and port scanning by protecting against known scanning tools and scanning tools awaiting the positive reply (SYN-ACK for TCP or UDP reply). The filters in this group block all traffic returned from the scanned server.
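The two-stage DoS Shield mechanism described above (Dormant signatures compared against 1 packet in Packet Sampling Rate, counters compared with the activation threshold every Sampling Time seconds, then Currently Active matching of every packet), as an added simulation written for this page rather than Radware's code. The flood-tool pattern, the threshold, the payloads and the traffic profiles are constructed, and modelling the threshold as an estimated rate of matching packets per second is an assumption; the two scenarios reproduce the Sampling Time trade-off the manual notes.

```python
"""Simulation of the two-stage DoS Shield sampling mechanism described on this page.

Added illustration, not Radware code. Modelled terms: signatures start in the
Dormant state and are compared only against sampled packets (Packet Sampling
Rate, default 101: 1 packet in 101 is checked); every Sampling Time seconds
(default 5) each Dormant counter is compared with its activation threshold;
once met, the signature becomes Currently Active and every packet is matched
against it and dropped on a hit. Assumption: the threshold is an estimated
rate of matching packets per second; payloads and traffic are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Signature:
    name: str
    pattern: bytes          # the "unique bit pattern" the signature recognises
    threshold_pps: float    # activation threshold (estimated matching packets/s)
    state: str = "Dormant"  # "Dormant" or "Currently Active"
    sampled_hits: int = 0
    activated_at: Optional[float] = None


class DoSShield:
    def __init__(self, signatures, sampling_rate=101, sampling_time=5.0):
        self.signatures = signatures
        self.sampling_rate = sampling_rate   # Packet Sampling Rate
        self.sampling_time = sampling_time   # Sampling Time (seconds)
        self._packets_seen = 0
        self._window = 0
        self.forwarded = 0
        self.dropped = 0

    def _compare_counters(self, now):
        """End of a sampling window: compare each Dormant counter with its threshold."""
        for sig in self.signatures:
            if sig.state == "Dormant":
                # Each sampled hit stands for sampling_rate packets on the wire.
                est_pps = sig.sampled_hits * self.sampling_rate / self.sampling_time
                if est_pps >= sig.threshold_pps:
                    sig.state = "Currently Active"
                    sig.activated_at = now
            sig.sampled_hits = 0

    def process(self, ts, payload):
        """Handle one packet (timestamp in seconds); return 'drop' or 'forward'."""
        window = int(ts // self.sampling_time)
        if window != self._window:
            self._compare_counters(ts)
            self._window = window
        # Stage 2: a Currently Active signature is matched against every packet.
        for sig in self.signatures:
            if sig.state == "Currently Active" and sig.pattern in payload:
                self.dropped += 1
                return "drop"
        # Stage 1: Dormant signatures only see 1 packet in sampling_rate.
        self._packets_seen += 1
        if self._packets_seen % self.sampling_rate == 0:
            for sig in self.signatures:
                if sig.state == "Dormant" and sig.pattern in payload:
                    sig.sampled_hits += 1
        self.forwarded += 1
        return "forward"


FLOOD_MARK = b"\x00FLOODTOOL\x00"        # constructed fingerprint of a flood tool
LEGIT = b"GET /index.html HTTP/1.1"      # constructed legitimate payload


def constructed_traffic(seconds, burst=None, flood=None):
    """Legitimate traffic at 1000 pps plus an optional short burst
    (start, duration, count) and/or sustained flood (start, end, pps) of
    packets carrying FLOOD_MARK. Returns (timestamp, payload) pairs in order."""
    pkts = [(j / 1000.0, LEGIT) for j in range(seconds * 1000)]
    if burst:
        start, duration, count = burst
        pkts += [(start + i * duration / count, FLOOD_MARK) for i in range(count)]
    if flood:
        start, end, pps = flood
        pkts += [(start + i / pps, FLOOD_MARK) for i in range(int((end - start) * pps))]
    pkts.sort(key=lambda p: p[0])
    return pkts


def run(pkts, sampling_time):
    """Feed traffic through one DoS Shield; return (activation time, dropped count)."""
    sig = Signature("flood-tool", FLOOD_MARK, threshold_pps=5000)
    shield = DoSShield([sig], sampling_rate=101, sampling_time=sampling_time)
    for ts, payload in pkts:
        shield.process(ts, payload)
    return sig.activated_at, shield.dropped


def benign_burst_triggers(sampling_time):
    """A 0.3 s burst of 4500 packets (15000 pps) that merely contain the pattern.
    Shows the note: a very short Sampling Time turns this burst into an attack."""
    activated_at, _ = run(constructed_traffic(6, burst=(1.0, 0.3, 4500)), sampling_time)
    return activated_at is not None


def flood_detection(sampling_time):
    """A sustained 20000 pps flood from t=2 s to t=10 s.
    Shows the other half of the note: a long Sampling Time delays detection."""
    return run(constructed_traffic(10, flood=(2.0, 10.0, 20000)), sampling_time)


if __name__ == "__main__":
    for st in (0.1, 5.0):
        print(f"Sampling Time {st}s: burst triggers={benign_burst_triggers(st)}, "
              f"flood (activated_at, dropped)={flood_detection(st)}")
```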
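SYN Cookie delayed binding as described above, as an added illustration that is not Radware's implementation: the device answers each SYN with a SYN-ACK whose sequence number carries a keyed signature, keeps no per-SYN state, and only processes an ACK that returns the signature it inserted, binding the connection to the server at that point. The cookie layout (an 8-bit time counter above a 24-bit truncated HMAC), the secret, the addresses and the clock are constructed.

```python
"""SYN Cookie delayed binding, as described on this page: the device answers a
client's SYN with a SYN-ACK whose initial sequence number carries a keyed
signature, keeps no per-SYN state, and only processes an ACK that returns the
signature it inserted earlier; only then is the connection bound to the server.

Added illustration, not Radware's implementation. Assumed cookie layout:
8-bit time counter (minutes) in the top byte, 24-bit truncated HMAC below it.
The secret, the client/server addresses and the clock are constructed.
"""
import hashlib
import hmac
import time

MASK32 = 0xFFFFFFFF


class SynCookieProxy:
    def __init__(self, secret: bytes, now=time.time):
        self.secret = secret
        self.now = now            # injectable clock (seconds) for deterministic runs
        self.bound = []           # flows handed to the server after a verified ACK

    def _signature(self, flow, client_isn, counter):
        """24-bit keyed signature over the 4-tuple, the client's ISN and the time counter."""
        src_ip, src_port, dst_ip, dst_port = flow
        msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{counter}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def _cookie(self, flow, client_isn, counter):
        """The sequence number inserted into the SYN-ACK."""
        return ((counter & 0xFF) << 24) | self._signature(flow, client_isn, counter)

    def on_syn(self, flow, client_isn):
        """Answer a SYN statelessly: nothing is stored, the cookie carries the state."""
        counter = int(self.now()) // 60
        return {"flags": "SYN-ACK",
                "seq": self._cookie(flow, client_isn, counter),
                "ack": (client_isn + 1) & MASK32}

    def on_ack(self, flow, client_seq, ack):
        """Process the handshake-completing ACK. Returns True and binds the flow to
        the server only if ack-1 is a cookie this device inserted in the last two minutes."""
        isn = (ack - 1) & MASK32              # the SYN-ACK sequence number being acknowledged
        client_isn = (client_seq - 1) & MASK32
        now_counter = int(self.now()) // 60
        for counter in (now_counter, now_counter - 1):   # accept current or previous minute
            if (counter & 0xFF) == isn >> 24 and self._cookie(flow, client_isn, counter) == isn:
                self.bound.append(flow)       # delayed binding: open the server side now
                return True
        return False                          # no valid signature, or stale: not processed


# Constructed client -> protected server 4-tuple.
FLOW = ("198.51.100.7", 40000, "203.0.113.10", 80)


def demo():
    clock = [1_700_000_000.0]
    proxy = SynCookieProxy(b"constructed-secret", now=lambda: clock[0])
    results = {}

    # 1. Legitimate three-way handshake: SYN -> SYN-ACK(cookie) -> ACK(cookie + 1).
    synack = proxy.on_syn(FLOW, client_isn=12345)
    results["legit_bound"] = proxy.on_ack(FLOW, client_seq=12346, ack=(synack["seq"] + 1) & MASK32)

    # 2. 10000 SYNs from spoofed sources with no follow-up: answered statelessly,
    #    no half-open state accumulates and nothing reaches the server.
    for i in range(10000):
        proxy.on_syn((f"10.0.{i // 256}.{i % 256}", 1024 + i, FLOW[2], FLOW[3]), client_isn=i)
    results["flows_bound_after_flood"] = len(proxy.bound)

    # 3. An ACK that was never preceded by this device's SYN-ACK (guessed number).
    results["forged_accepted"] = proxy.on_ack(FLOW, client_seq=1, ack=0xDEADBEEF)

    # 4. A genuine cookie replayed three minutes later: outside the two-minute window.
    clock[0] += 3 * 60
    results["stale_accepted"] = proxy.on_ack(FLOW, client_seq=12346, ack=(synack["seq"] + 1) & MASK32)
    return results


if __name__ == "__main__":
    print(demo())
```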
Setting Up Security Policies in the Connect and Protect Table

Radware Security works with protection policies that are defined in the Connect and Protect Table. A security policy contains security profiles that are activated within predefined ranges of ports/VLANs or within a predefined network. Security profiles aggregate attack groups and attacks. You can set one or more profiles for each security module and associate the protection profile with a policy. Figure 9-1 shows the Connect and Protect Table.

Figure 9-1: Connect and Protect Table

Each row in the Connect and Protect Table represents a policy. Configuring a security policy may be divided into three stages: enabling security, connecting, and protecting. First, you create a security policy and assign protection profiles to the policy. You may add protection profiles to the policy from any or all of the security modules. You can define the Action mode for each policy, which is a definition of the actions that CID performs when an attack is recognized.

Security Policies Configuration Guidelines:
1. Enable security by configuring the security modules and defining the general security parameters (see page 9-12).
2. Configure connectivity by defining either port groups/VLANs or IP address ranges per row in the Connect and Protect Table (see page 9-19).
3. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
4. For each connectivity row, define the Action parameter for this policy in case an attack is detected:
Block: The packet is identified as an attack. The action taken to prevent the attack is the one that was defined in the Block Action parameter of each security module.
Forward: The packet is forwarded to the defined destination.
Mixed: When you change the Action parameter of a security module using Web Based Management, the Action mode may appear as Mixed.
Note: The Action mode settings do not apply to SYN Protection (see page 9-123), as the delayed binding mechanism with embedded SYN Cookies cannot be bypassed.
5. Define the Protection according to the protection module. You can set security services according to the module breakdown:
• Set up the Intrusion module parameters, see page 9-47
• Set the DoS/DDoS module parameters, see page 9-72
• Set up the SYN Flood module parameters, see page 9-123
• Set up the Anomaly module parameters, see page 9-142
• Set up the Anti-Scanning module parameters, see page 9-156

Enabling Protection and Setting Up General Security Parameters

The Radware security solution takes a multi-layer approach to security that combines several mechanisms for attack detection with advanced security modules, including Intrusions, DoS/DDoS, SYN Flood Protection, Anomalies, and Anti-Scanning. The security modules are configured in the Connect and Protect Table, and the mechanisms for attack detection are configured in the Security Settings window (Figure 9-2).

Figure 9-2: Security Settings Window

You can set the following general security settings in the Security Parameters window:
• Application Security
• DoS Shield
• Protocol Anomaly Protection

Application Security Parameters

Application Security is a mechanism that provides advanced attack detection and prevention capabilities, checking the traffic on a packet-by-packet basis. This mechanism is used by the following security modules to provide maximum protection for network elements, hosts, and applications: Intrusions, DoS/DDoS, Anomalies, and Anti-Scanning.

Note: Before using Intrusions, Anomalies, and Anti-Scanning, and Application Security for DoS/DDoS, you must enable the Application Security mechanism and set its parameters.

The Modules pane contains the following parameters:
Start Protection: Select Enable to start protection. Default: Enable.
Encoding: The language encoding (the language and character set) to use for detecting security events.
Attacks DB Version: The version number of the current attacks database loaded on the device.
Session-Drop Mechanism Status: When enabled, terminates the whole session when a single malicious packet is recognized.
Minimum Risk Level: The device will scan traffic only for attacks with a risk level equal to or higher than the value of this parameter. This parameter is valid only for signature-based attacks (Application Security and DoS Shield). The levels are:
• High
• Medium
• Low
• Info. An IPS attack for which the Risk parameter is set to Info is an IDS signature.

To start Application Security protection:
1. To open the Security Settings window:
   a. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
   b. In the top right-hand corner of the Connect & Protect Table window, click the Settings button. The Security Settings window appears.
   Or:
   a. From the main APSolute Insite window, right-click the CID icon and select SetUp. The SetUp window appears.
   b. In the SetUp window, click the Global tab. The Global pane appears.
   c. In the Global pane, select Security Settings and click Edit Settings. The Security Settings window appears.
2. In the Modules pane of the Security Settings window, select the Start Protection checkbox.
3. To terminate the whole session if a single malicious packet is recognized, check Session-Drop Mechanism Status.
4. Click Ok. You will be prompted to reboot the device.
5. Click Ok to reboot CID. You can start using the Intrusions, Anomalies, DoS/DDoS, and Anti-Scanning security modules.

DoS Shield Parameters

The DoS Shield mechanism implements the sampling algorithm and accommodates traffic flooding targeted to create denial of network services. This mechanism is included in the DoS/DDoS security module.

Note: Prior to configuring the DoS/DDoS security module, you must enable DoS Shield and set its general parameters.

To enable DoS Shield and set its general parameters:
1. To open the Security Settings window:
   a. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
   b. In the top right-hand corner of the Connect & Protect Table window, click the Settings button. The Security Settings window appears.
   Or:
   a. From the main APSolute Insite window, right-click the CID icon and select SetUp. The SetUp window appears.
   b. In the SetUp window, click the Global tab. The Global pane appears.
   c. In the Global pane, select Security Settings and click Edit Settings. The Security Settings window appears.
2. In the Modules pane of the Security Settings window, check Start DoS Shield Protection.
3. Click Ok. You will be prompted to reboot the device.
4. Click Ok to reboot CID.
5. Reopen the Security Settings window (as explained in step 1).
6. In the Modules pane of the Security Settings window, set the following parameters according to the explanations provided:
Packet Sampling Rate: The rate at which packets are sampled and compared to the Dormant Attacks. You can configure the number of packets for which sampling is performed. The default value is 101, meaning 1 out of 101 packets is checked.
Sampling Time (seconds): Defines how often DoS Shield compares the predefined thresholds for each Dormant Attack to the current value of the counters of packets matching the attack. The default value is 5 seconds.
Note: If the Sampling Time is very short, meaning that there are frequent comparisons of counters to thresholds, regular traffic bursts might trigger attacks. If the Sampling Time is too long, it is impossible to detect attacks in a timely manner.
7. Click Ok. You can start using the DoS/DDoS security module.

Behavioral DoS

The B-DoS security policy contains security profiles that are activated within predefined ranges of ports/VLANs, or within a predefined network.

Note: Prior to configuring the Behavioral DoS shield module you must enable it.

To enable Behavioral DoS:
1. In the main window, click Security. The Connect and Protect Table appears.
2. In the Connect and Protect Table, double-click Settings. The Security Settings window appears. Or, from the main window, double-click the device icon and then select Global > Security Settings > Edit Settings. The Security Settings window appears.
3. In the Security Settings window, in the Behavioral DoS field, enable Start Protection.
4. Click Ok.
5. Restart the device. Behavioral DoS is now enabled.

Protocol Anomaly Protection Parameters

The Protocol Anomaly Protection parameters are the general parameters of the Anomalies security module.

Note: Before using Anomalies, you must enable the Application Security mechanism and set its parameters (see page 9-13).

To set Protocol Anomaly Protection parameters:
1. To open the Security Settings window:
   a. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
   b. In the top right-hand corner of the Connect & Protect Table window, click the Settings button. The Security Settings window appears.
   Or:
   a. From the main APSolute Insite window, right-click the CID icon and select SetUp. The SetUp window appears.
   b. In the SetUp window, click the Global tab. The Global pane appears.
   c. In the Global pane, select Security Settings and click Edit Settings. The Security Settings window appears.
2. In the Modules pane of the Security Settings window, set the following parameters according to the explanations provided:
Max URI Length: The maximum URI length permitted. If the URI is longer than the configured value, it is considered illegitimate and is dropped. The default value is 500 characters.
Min Fragment Size: The minimum size of a fragmented IP packet permitted. A shorter packet length is treated as an IP protocol anomaly and is dropped. The default value is 512 Bytes.
Min Fragmented URI Packet Size: The minimum permitted size of an incomplete URI in an HTTP request. A shorter packet length is treated as a URI protocol anomaly and is dropped. The default value is 50 characters.
3. Click Ok. The Security Settings window closes.

Defining Connectivity

When creating a security policy, you must initially define connectivity. This is performed by defining either port groups/VLANs or IP address ranges for each policy in the Connect & Protect Table. Policies are represented by rows in the Connect & Protect Table. For each row, you can set connectivity and security services according to the module breakdown (Intrusions, DoS/DDoS, SYN Flood, Anomalies, Anti-Scanning).

Configuring Port Groups

Port groups allow you to define which ports are to be scanned.

To create a new port group:
1. From the main APSolute Insite window, right-click the CID device icon and select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the Port/VLAN column. The Settings pane appears.
3. In the Settings pane, click Add Port Group. The Edit Physical Port Group window appears.
4. In the Group box, enter a name for the new group.
5. Check the ports to be associated with the new group.
6. Click Ok. The new port group is created.

To add ports to an existing Port Group:
1. From the main APSolute Insite window, right-click the CID device icon and select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect and Protect Table window, double-click inside the Port/VLAN column. The Settings pane appears.
3. In the Settings pane, select the port group name from the Port Group drop-down list.
4. Click Port Group Table. The Port Groups window appears.
5. Click the Modify Table tab. The Modify Table pane appears.
6. Select the table entry for the group that you would like to modify.
7. Click Edit. The Edit Physical Port Group window appears.
8. Check the ports that you would like to add to the group.
9. Click Ok. The port group is updated.

Configuring VLANs

You can define which VLANs are to be scanned.

To define which VLANs are to be scanned:
1. From the main APSolute Insite window, right-click the CID device icon and select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect and Protect Table, double-click inside the Port/VLAN column. The Settings pane appears.
3. In the Settings pane, click Add VLAN Tag Group. The Edit VLAN Tag Group window appears.
4. In the Edit VLAN Tag Groups window, set the following parameters according to the explanations provided:
Group Name: A user-defined name for the VLAN group.
Group Mode: The VLAN mode may be one of the following:
• discrete: An individual VLAN tag.
• range: A group of sequential VLAN tag numbers.
VLAN Tag: The VLAN tag number, as defined in the interface parameters of the device. Set VLAN Tag if Group Mode is set to discrete.
VLAN Tag From: The first VLAN tag in the range, as defined in the interface parameters of the device. Set VLAN Tag From if Group Mode is set to range.
VLAN Tag To: The last VLAN tag in the range. Set VLAN Tag To if Group Mode is set to range.
5. Click Ok. The Edit VLAN Tag Groups window closes. Your preferences are recorded.

Configuring Networks

You can set the network IP address range that is to be scanned.

To configure a new network:
1. From the main APSolute Insite window, right-click the CID device icon and select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the Networks column. The Settings pane appears.
3. In the Settings pane, click Add Network. The Edit Network Table window appears.
4. In the Edit Network Table window, set the following parameters according to the explanations provided:
Network Name: A user-defined name for the network.
Network Mode: The network mode may be one of the following:
• IP Mask
• IP Range
From Address: The first address in the range.
To Address: The last address in the range.
5. Click Ok. Your preferences are recorded.

To define a network from the predefined list:
1. From the main APSolute Insite window, right-click the CID device icon and select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the Networks column. The Settings pane appears.
3. In the Settings pane, set the following parameters according to the explanations provided:
From: The first address in the range.
To: The last address in the range.
Check Packets: The profile inspection direction, which may be one-way or two-way.
4. Click Apply. Your preferences are recorded.

Suspend Table

The Suspend Table allows you, in addition to defining the action to be taken for attacks, to set the device to suspend traffic from the IP address that was the source of the attack for a defined period of time. The Suspend Action is available as an option for the attack types:
• Intrusions
• Anomalies
• Anti-Scanning
• DoS/DDoS

To view the Suspend Table:
1. From the main window, select APSolute OS > Suspend Table. The Suspend Table window appears.
2. In the Suspend Table window, the following parameters are displayed:
Minimal Aging Timeout: The length of time the source IPs are suspended.
Maximal Aging Timeout: The maximum length of time a source IP can be suspended.
Maximum Entries with Same Source IP: The maximum amount of entries allowed from the source IP.

To configure suspend action for an attack:
1. From the main window, select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect and Protect Table, click on an Intrusions box. The Settings pane appears.
3. In the All Intrusions Attacks list, select an Attack and click Edit. The Attack Configuration window appears.
4. In the Attack Configuration window, select the Suspend Action drop-down list, which contains the following options:
None: Suspend action is disabled for this attack.
SrcIP: All traffic from the IP address identified as source of this attack will be suspended.
SrcIP, DestIP: Traffic from the IP address identified as source of this attack to the destination IP under attack will be suspended.
SrcIP, DestPort: Traffic from the IP address identified as source of this attack to the application (destination port) under attack will be suspended.
SrcIP, DestIP, DestPort: Traffic from the IP address identified as source of this attack to the destination IP and port under attack will be suspended.
SrcIP, SrcPort, DestIP, DestPort: Traffic from the IP address and port identified as source of this attack to the destination IP and port under attack will be suspended.

Section 9-2 Managing the Signatures Database

Section 9-2, Managing the Signatures Database, explains the signature database feature and how to configure it. This section includes the following topics:
• Protection Profiles and Groups Supplied by Radware, page 9-26
• Security Signatures File Update, page 9-36

Protection Profiles and Groups Supplied by Radware

Radware provides you with the Signatures database that contains signatures of the predefined attacks. These attacks are included in the predefined groups and profiles that are also supplied by Radware. Each attack group includes a number of attack signatures that are grouped together according to their common characteristics. The groups are included in the protection profiles that are applied to the protection policies in the Connect and Protect Table. Protection profiles can contain various groups or attacks. Using the predefined groups and profiles, you can easily create new protection policies in the Connect and Protect Table, providing maximum protection for specific types of networks. Table 9-1 presents profiles supplied by Radware.

Table 9-1 Radware Supplied Protection Profiles
Corporate Gateway: This profile is designed to protect the corporate network gateway. The specific aim is to block all possible intrusions that pass through the firewall: attacks that affect network stability, intrusions that affect the firewall, and attacks that aid intruders in collecting information.
Corporate DMZ: This profile is designed to protect the corporate DMZ network. The specific aim is to protect the generic network services provided to the Internet and to the local area network.
Corporate DMZ Mail: This profile is designed to protect the corporate DMZ network mail servers.
Corporate DMZ Web: This profile is designed to protect the corporate DMZ network web servers. The specific aim is to protect against web server and web application vulnerabilities.
Corporate LAN: This profile is designed to protect the corporate LAN network. The specific aim is to protect against spreading worms among the clients of a local area network and to protect against the vulnerabilities that could affect workstations in such a network.
Carrier / POP: This profile is designed to protect carrier networks, backbone networks, and ISP dial-in networks. The specific aim is to protect only against the really malicious attacks that affect the Internet in general and to reduce the interruption of Internet freedom provided to Internet users.
University LAN: This profile is designed to protect the LAN in university-type networks. In this type of network, the workstations are not very trustworthy. Therefore, attacks are likely to originate from the workstations in the local area network.

Table 9-2 provides descriptions of the Radware attack groups. Filter groups are defined to inspect the traffic in any direction and to prevent the information gathering that can be the basis for the intrusion itself.

Table 9-2 Radware Supplied Attack Groups
Top-N: The "Top-N" group contains signatures of attacks that have the highest activity in the wild. The signature subset in "Top-N" can be compiled of various services and can later be moved to (or from) an appropriate group. This group is updated whenever Radware's SOC finds it necessary.
Worms: The "Worms" group contains signatures of attacks classified as Internet worms. The types of worms in this group include: mass-mailing worms, vulnerability exploiting worms, and network-aware worms. Signatures in the "Worms" group stop the propagation of the worms listed in the group.
IIS: The "IIS" group contains signatures of attacks that exploit the vulnerabilities found in the Microsoft IIS Web Service. Signatures in this group protect against HTTP implementation attacks, ISAPI extension attacks, default web page attacks, and information disclosure attacks.
Apache: The "HTTP-Apache" group contains signatures of attacks that exploit the vulnerabilities found in Apache HTTP and other modules. Signatures in this group protect against HTTP implementation attacks, default server attacks, and vulnerabilities found in Apache modules.
HTTP-MISC: The "HTTP-MISC" group contains signatures of attacks that exploit vulnerabilities found in miscellaneous web services. Signatures in this group protect against HTTP implementation attacks, exploitation of various web applications, and SSL attacks.
Web: The "Web" group contains signatures of attacks that perform command injection into web services. Command injection allows command execution on the affected host with the privileges of the web server. Signatures in this group prevent the injection of commands into web applications.
CGI: The "CGI" group contains signatures of attacks that exploit CGI vulnerabilities in web applications. Signatures in this group prevent the exploitation of vulnerabilities found in CGI scripts that could allow an attacker to compromise the affected host.
XSS: The "XSS" group contains signatures of attacks that perform cross-site scripting in web applications. In cross-site scripting, a script is injected into a dynamic HTML page. When viewed by other users, the page is redirected to malicious sites, using the users' local environment credentials without them being aware of it. Signatures in this group prevent the cross-site scripting on the affected host that can lead to information theft and web session hijacking.
SQLInjection: The "SQLInjection" group contains signatures of attacks that perform SQL database modifications. A successful SQL query injection may lead to information disclosure, data modification, and data corruption, which may compromise the affected host. Signatures in this group prevent the injection of SQL queries via web applications.
ColdFusion: The "ColdFusion" group contains signatures of attacks that exploit vulnerabilities in the ColdFusion web service. Signatures in this group prevent the exploitation of vulnerabilities found in the ColdFusion web service.
Signatures in this group prevent the exploitation of vulnerabilities found in SQL implementations from miscellaneous vendors. Signatures in this group prevent the exploitation of vulnerabilities found in FTP implementations from miscellaneous vendors. The "SMTP_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous SMTP servers. Signatures in this group prevent the exploitation of vulnerabilities found in SMTP implementation from miscellaneous vendors and prevent the propagation of Internet worms.Managing the Signatures Database Table 9-2 Radware Supplied Attack Groups (cont. Signatures in this group prevent the successful exploitation of vulnerabilities found in FrontPage web service.) Attack Group FrontPage Description The "FrontPage" group contains signatures of attacks that exploit vulnerabilities in the FrontPage Web Service. Signatures in this group prevent the exploitation of vulnerabilities found in Telnet implementations from miscellaneous vendors. The "FTP_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous FTP servers. SMTP_AS Telnet_AS FTP_AS SQL_AS 9-30 CID User Guide . which may compromise the affected host. The "Telnet_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous Telnet servers. The "SQL_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous SQL servers. Signatures in this group prevent the exploitation of vulnerabilities found in IMAP implementations from miscellaneous vendors.Chapter 9 . DNS_AS POP3_AS IMAP_AS RPC-Unix ICMP_AS CID User Guide 9-31 . Signatures in this group prevent the exploitation of vulnerabilities found in NetBIOS implementations. The "IMAP_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous IMAP servers.Security Table 9-2 Radware Supplied Attack Groups (cont. 
Signatures in this group prevent the exploitation of vulnerabilities found in POP3 implementations from miscellaneous vendors. Signatures in this group prevent the exploitation of vulnerabilities found in ICMP implementations from miscellaneous vendors. The "ICMP_AS" group contains signatures of attacks that exploit vulnerabilities in ICMP services.) Attack Group NetBIOS Description The "NetBIOS" group contains signatures of attacks that exploit vulnerabilities in NetBIOS service. The "DNS_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous DNS servers. The "RPC-Unix" group contains signatures of attacks that exploit vulnerabilities in the Sun RPC service. The "POP3_AS" group contains signatures of attacks that exploit vulnerabilities in miscellaneous POP3 servers. Signatures in this group prevent the exploitation of vulnerabilities found in DNS implementations from miscellaneous vendors. Signatures in this group prevent the exploitation of vulnerabilities found in Sun RPC implementations from miscellaneous vendors. Signatures in this group prevent the exploitation of vulnerabilities found in Finger implementations from miscellaneous vendors and prevent information gathering attempts. Exploitation of vulnerabilities found in those services compromise the affected host. Signatures in this group prevent attempted buffer overflow exploitation in those services that do not fit the other service groups. The "Brute-Force" group contains signatures of password brute force attacks in miscellaneous services. The "Buffer_Overflow" group contains signatures of attacks that exploit various services by overflowing the declared buffer. The "SNMP_AS" group contains signatures of attacks that exploit vulnerabilities or bad configuration in SNMP service. Buffer_Overflow SNMP_AS Brute-Force DoS 9-32 CID User Guide .Managing the Signatures Database Table 9-2 Radware Supplied Attack Groups (cont. 
Signatures in this group prevent access to SNMP services with public community strings and protect from exploitation of vulnerabilities found in SNMP implementations. The "DoS" group contains signatures of denial-of-service attacks on miscellaneous services and protocol implementations. Signatures in this group prevent the password-guessing attacks (brute force) in miscellaneous services. Signatures in this group prevent the DoS attacks against miscellaneous services and protocols.) Attack Group Finger Description The "Finger" group contains signatures of attacks that exploit vulnerabilities in Finger service. ) Attack Group Backdoors_Inbound Description The "Backdoors_ Inbound" group contains signatures of backdoor communication that enters the infected host. SIP (Simple Initiation Protocol) is a protocol used to stream live video and audio data. VoIP. Signatures in this group prevent outbound backdoor communication and prevent the backdoor from being controlled remotely. for example.Security Table 9-2 Radware Supplied Attack Groups (cont. Signatures in this group prevent inbound backdoor communication and prevent the backdoor from being controlled remotely. The group may include various types of attacks and attacks from miscellaneous groups. The "Backdoors_ Outbound" group contains signatures of backdoor communication that exits the infected host. The "Protocol_Anomalies" group contains signatures of miscellaneous protocol misbehaviors.Chapter 9 . Signatures in this group prevent the outdated attacks that are no longer valid. The filters in this group protect SIP-based application vulnerabilities. The "Archive" group contains signatures of miscellaneous outdated attacks. Signatures in this group prevent the usage of miscellaneous protocol anomalies that could indicate a new exploitation of protocol vulnerability or a DoS attack. Backdoors_Outbound Protocol_Anomalies Archive SIP CID User Guide 9-33 . 
as well as vulnerabilities and generic protections of the SIP protocol itself. The “SIP” group contains filters for protection against SIP threats. Managing the Signatures Database Table 9-2 Radware Supplied Attack Groups (cont.) Attack Group Oracle Description The “Oracle” group contains filters for protection against Oracle server related threats. Oracle is a common database server software. Threats against Oracle servers can cause data manipulation, data loss, theft of sensitive of data, and other serious consequences. The filters that are found in this group protect against known DCE-RPC threats. The "NetBIOS" group contains signatures of attacks that exploit vulnerabilities in NetBIOS service. Signatures in this group prevent the exploitation of vulnerabilities found in NetBIOS implementations. The “Command Execution” group contains filters for various vulnerabilities that allow a remote attacker to execute commands on a target system. By executing these commands with higher than normal permissions, the attacker can disrupt network services, modify important files, and completely compromise the target system. The vulnerabilities that allow command execution cover various services and operating systems, and generally constitute an extremely high risk to system and network integrity. The “Router” group contains filters to protect against known vulnerabilities in network routing devices. The vulnerabilities can allow a remote attacker to disrupt network services and create a denial of service condition. In some cases, successful exploitation may give an attacker access to sensitive parts of the network by modifying security settings or changing routing rules. NetBIOS Command Execution Routers 9-34 CID User Guide Chapter 9 - Security Table 9-2 Radware Supplied Attack Groups (cont.) Attack Group MS-RPC Description The “MS-RPC” group contains filters for protection against threats traveling over Microsoft’s DCE-RPC protocol. 
DCE-RPC is a common Internet protocol, which can be exploited in different ways, thereby causing various types of damage. The filters in this group protect against known DCE-RPC threats. Note: Groups can change according to the Signatures File version. CID User Guide 9-35 Managing the Signatures Database Security Signatures File Update For constant updates of the signatures database, CID Security uses the Signatures File Update feature. All devices are updated using the latest signatures file, which is a database that contains a list of updated attacks. To guarantee maximum protection for your network, you must update the signatures file per device. During the update process, APSolute Insite connects to the Radware website to check if you can get the file for the specified device. Note: To get the Security Update Service, you must purchase it separately. An updated signatures file can be found every Monday on the Radware Security Zone (http://www.radware.com/content/security/attack/ weeklyupdates.asp). In addition to weekly updates, the website is updated on an ongoing basis and an emergency update can be performed, when required. Updating the Signatures file can be performed in the following ways: • Manual updating: If you have an updated file that was downloaded manually from the Radware website, you can upload the signatures file to CID manually. Manual downloading and updating: You can download the update file from the Radware website and perform the manual update using this file. Automatic downloading and updating: You can schedule automatic downloads and updates of the signatures file. • • Tip: To provide the best protection for your network, it is recommended to set automatic daily updates. Manual Update If you have an updated file that was downloaded manually from the Radware website, you can upload the signatures file to CID manually. 9-36 CID User Guide Chapter 9 - Security To update the signatures file manually: 1. 
1. From the main APSolute Insite window, open the APSolute OS menu and select Security Updates > Upload Attacks File. The Upload Attacks window appears, displaying a list of devices that have a Service Agreement.
2. In the Upload Attacks table, check the devices to which you want to send the signatures database update.
Note: You must choose only the devices that have an Application Security Signature File Update Service Agreement with Radware Support.
3. Click Browse and navigate to the signature file that you downloaded from the Radware Security Zone (http://www.radware.com/content/security/attack/weeklyupdates.asp).
4. Click Send Attacks File To Selected Devices. An upload progress bar and progress message are displayed for each selected device.
5. Click Ok. The selected devices are updated.

Downloading and Updating
You can download the update file from the Radware website and upload the file to CID.
To download a signature file update from the Radware website and upload it to your CID:
1. From the main APSolute Insite window, open the APSolute OS menu and select Security Updates > Upload Attacks File. The Upload Attacks window appears, displaying a list of devices that have a Service Agreement.
2. In the Upload Attacks table, check the device for which you want to update the signatures file.
3. Click Check Now to check if a signature update file is available on the Radware website. If the file is available, you will be prompted to download it.
4. Click Browse and navigate to the signature file that you downloaded.
5. Click Send Attacks File To Selected Devices. An upload progress bar and progress message are displayed for each selected device.
6. Click Ok. The selected devices are updated.

Scheduled Downloading and Updating
You can schedule automatic signature file downloads. Once the upgrade files are downloaded, you can update the signatures file. You can edit or remove the signatures file update settings from the Scheduler window. To access the Scheduler window, open APSolute Insite's Tools menu and select Scheduler.
In addition, you can send an email notification as part of the Automatic Signature File Update procedure. The email notification mechanism automatically sends an email in the following cases:
• The Signatures file has been downloaded to the APSolute Insite station.
• The Signatures file has been downloaded to the APSolute Insite station and installed on the device.
A single email is sent per device informing the System Administrator of the action performed by APSolute Insite.

To schedule automatic signature file downloads and updates:
1. From the main APSolute Insite window, open the APSolute OS menu and select Security Updates > Attacks Update Settings. The Edit Task window appears.
2. In the Time Settings area, specify the Start Hour.
Note: The End Hour option must not be enabled for this task.
3. In the Frequency Settings area, select Daily, Weekly, or Minutes.
4. If you selected Weekly, check the day on which the update is to be performed.
5. If you selected Minutes, type the number of minutes in the Minutes text box.
6. Click Next. A second Edit Task window appears, displaying a table of all devices in the network site.
7. For each device, select the attacks update procedure according to the explanations provided:
Download and Install: The Application Security Signature file is automatically downloaded and installed on the device according to the predefined schedule.
Download: The Application Security Signature file is automatically downloaded according to the predefined schedule. You need to install the file in order to use it.
Ignore: No files are automatically downloaded for this device.
Note: Select only devices that have an Application Security Signature File Update Service Agreement with Radware Support.
8. To receive email notifications about the attack update procedures:
a. Check Signature File Update Email Notification.
b. Click Email Recipients. The Email Recipients window appears.
c. For each email notification recipient, enter the email address in the Recipients Email field and click Add. Click Ok to return to the Edit Task window.
d. If APSolute Insite is installed behind the proxy in your network, select Behind the Proxy, and set the IP address and port of the proxy server.
e. Click Finish. The Edit Task window closes. The task appears in the Scheduler window (Tools > Scheduler).
f. From the main menu, open the Options menu and select Preferences. The Management Preferences window appears.
g. In the Management Preferences window, click the Traps and SMTP tab. The Traps and SMTP pane appears.
h. In the Traps and SMTP pane, set the following parameters according to the explanations provided:
User Email Address: Enter the mail address of the APSolute Insite station.
SMTP Server Address: Enter the address of the SMTP server to which the APSolute Insite station sends the notification emails.
Traps Automatic Save: Check this box to allow logging of SNMP traps in a dedicated log file.
Traps Auto Save File: Enter the complete path and file name of the log file.
The format of the email messages is as follows:
• When the Download and Install procedure is configured:
Email subject: Attacks File Update Status
Email body: "Attacks Signature File downloaded and installed for device: <Device Type:Device IP:MAC Address>"
• When the Download procedure is configured:
Email subject: Attacks File Update Status
Email body: "Attacks Signature File downloaded for device: <Device Type:Device IP:MAC Address>"
9. If you selected Download in step 7 above, from the main window open the APSolute OS menu and select Security > Upload Attacks File. The Upload Attacks window appears.
Or: If you selected Download and Install in step 7 above, you are done. Signature file updates will be downloaded and installed automatically.
10. Select the Updates button. The Upload Attacks window appears, displaying the list of devices that have a Service Agreement.
11. In the Upload Attacks table, check the devices to which you want to send the signatures database update.
Note: Select only devices that have an Application Security Signature File Update Service Agreement with Radware Support.
12. Click Browse and navigate to the signature file that you downloaded from the Radware Security Zone (http://www.radware.com/content/security/attack/weeklyupdates.asp).
13. Click Send Attacks File to Selected Devices. An upload progress bar and progress message are displayed for each selected device.
14. Click Ok. The selected devices are updated.

Section 9-3 Intrusions
Section 9-3 explains how to protect against intrusions into your network. This section includes the following topics:
• Introduction to Intrusions, page 9-44
• Intrusion Prevention Profiles, page 9-46
• Setting Up Intrusion Prevention Using Profiles and Groups, page 9-47
• Defining Intrusion Prevention with User-Defined Settings, page 9-48
• Setting Up Attacks and Filters, page 9-49
• Custom Attack Groups, page 9-64
• Creating a New User-Defined Intrusion Prevention Profile, page 9-66

Introduction to Intrusions
The Intrusions Prevention module provides advanced intrusion detection and prevention capabilities.
The Intrusions module provides maximum protection for network elements, hosts, and applications by preventing various intrusion attempts including worms, Trojan horses, buffer overflow, and other application oriented attacks.

Types of Attacks
Attack recognition is performed by comparing each packet to the set of signatures stored in the Signatures database. The attacks handled by the Intrusions module can be divided into the following types:
• Network-Oriented Attacks
• Operating-System Oriented Attacks
• Application-Oriented Attacks

Network-Oriented Attacks
Network-based attacks use network layer packets, such as IP, TCP, UDP, or ICMP packets, to either learn about or damage a destination host. Examples include malformed packets that can cause a server to crash, such as Ping of Death, or a ping packet in which the source address is the same as the destination address, as in the Land Attack.

Operating System Oriented Attacks
Operating System (OS)-oriented attacks are designed to break into the server by exploiting vulnerabilities in the server's operating system. The target of the OS-oriented attack is usually to disable application server functionality by damaging its flow or one of its resources. The Application Security module protects against the following OS-oriented attacks:
• Simple server attacks attempt to exploit the known vulnerabilities of a server's operating system, for example, by utilizing the vulnerabilities of the default installations of known software applications. For example, the Welchia worm uses TCP port 135 to infect a host, exploiting vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface, which is an MS Windows vulnerability. Enabling the web-related protection policies in the Intrusion Prevention module protects your web servers from such attacks.
• Advanced attacks attempt to gain access via backdoors left open in the system for the administrators' use or via Trojan horses, which are hidden parts of the code, providing the attacker access to restricted areas. Intrusion Prevention protects against these attacks by enabling backdoor-related protection policies (for example, Back Orifice).
• A Buffer Overflow occurs when a program or process tries to store in a buffer (temporary data storage area) more data than it was designed to hold. Buffers are designed to contain a finite amount of data, and the extra information might overflow into adjacent buffers, corrupting or overwriting the valid data held in them.

Application-Oriented Attacks
Application-oriented attacks are designed to break into application servers. Attacks of the application-oriented type attempt to exploit vulnerabilities in the applications. Such attacks can be recognized by searching for known signatures of each application in the packets, for example, a specific path or a particular command that appears in a packet. Intrusion Prevention protects against these attacks by enabling web-related protection policies. For example:
• SQL Injection Attacks
• Cross-Site Scripting Attacks

Intrusion Prevention Profiles
An Intrusion Prevention Profile is a mechanism that scans the traffic of a particular network and physical port. The traffic classification is performed within the predefined network range with preconfigured traffic direction. All packets that pass through this range are examined by means of various protectors called Attacks.
Intrusion prevention profiles are applied to attack groups. An attack group uses attacks as building blocks. Attacks contain filters. Each filter represents a signature for blocking a single attack. Intrusion prevention profiles can only use attacks that are organized in attack groups. An attack group represents a logical OR relation between its attacks.
Radware provides a comprehensive signatures database with attack signatures divided into attack groups according to types of protection. For example, all attack signatures designed to harm IIS web servers are grouped under the IIS Attack Group.
An intrusion prevention profile is built over a single attack group and defines the network conditions on which the attack is scanned. Each intrusion prevention profile can be assigned to a policy. The policy specifies network, physical inbound port parameters, and direction. Radware provides a list of predefined protection profiles that are designed to meet the requirements of various network conditions.

Setting Up Intrusion Prevention Using Profiles and Groups
Radware supplies a set of predefined attack profiles and attack groups that provide constant protection against all recent attacks (see Protection Profiles and Groups Supplied by Radware, page 9-26). You can use these prevention profiles to define protection policies. Most of the existing intrusions can be prevented using Radware profiles.
Intrusion Prevention Configuration Guidelines using Radware Defined Profiles:
1. Enable the Intrusion Prevention security module and define the general parameters (see page 9-12).
2. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
3. In the Connect & Protect Table, double-click inside the Intrusions column. The Settings pane appears.
4. From the Intrusion Prevention Profiles list, select the predefined intrusion prevention profiles and apply them to the policy in the Connect & Protect Table.

Defining Intrusion Prevention with User-Defined Settings
In addition to the Radware defined profiles and groups, you can create custom prevention profiles, custom attack groups, and custom attacks that are based on custom filters.
For new users, it is recommended to define intrusion prevention profiles using Radware-defined attack groups only.
Intrusion Prevention Configuration Guidelines using User-Defined Profiles:
1. Enable Intrusion Prevention and define the general parameters (page 9-12).
2. Define custom attacks (see page 9-49).
3. Define custom attack groups (see page 9-64).
4. Define an Intrusion prevention profile and apply it to the policy in the Connect and Protect Table (see page 9-66).

Setting Up Attacks and Filters
An attack (Figure 9-3) is a building block of the intrusion prevention profile. Each attack contains one or more protection filters and a mechanism that determines which packets are malicious and how CID treats those packets. An attack's settings parameters define how the malicious packet is tracked and treated once its signature is recognized.
Figure 9-3 Custom Attack Configuration
Filters are detectors that scan and classify the predefined traffic. Each filter (Figure 9-4) contains one specific signature. The filter's main purpose is to match the specific packet within the traffic scanned by this filter and the attack signature from the Radware Attack Signatures database (see Managing the Signatures Database, page 9-25).
Figure 9-4 Filter Configuration Window
An attack can employ one or more filters. When more than one filter is used, the traffic is checked for all the signatures defined in the attack's filters. This means that the classification mechanisms of all filters applied to the same attack are involved in the scanning process, or in other words, the scanning process represents a logical AND relation between the filters involved.
Note: For each custom attack, you must define custom filters. You cannot use filters from other attacks when you define a custom attack.
Each attack is bound to a "Tracking" function that defines how the packet is handled when it is matched with the signature. The main purpose of these functions is to determine whether the packet is harmful and to take an appropriate action. There are two types of match functions:
• The "Immediate" type that makes decisions based on a single packet. The signature's match to the packet is considered an indicator for the attack, and the packet is dropped ("Drop All").
• The "Threshold" or "Counter" functions, which assume that the signature match alone is not enough for detecting a packet as offensive. This is because the packet may be legitimate unless the number of packets over a period of time exceeds a threshold that defines "reasonable" behavior for such traffic. Only packets that exceed the threshold within a predefined time slot are dropped.
Table 9-3 presents attack configuration parameters.

Table 9-3 Attack Configuration Parameters (Parameter: Description)
Attack Name: A user-defined name for this attack, maximum 30 characters.
Tracking Time: Sets the amount of time (in milliseconds) in which the Threshold is measured. Default value: 1000
Threshold: Sets the maximum number of attack packets that are allowed in each Tracking Time unit. When a number of packets that is greater than the Threshold value passes through the device during this defined time period, the device recognizes it as an attack. The attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period. Default value: 10.
Tracking Type: Defines how the device decides which traffic to block or drop. Values can be:
• Drop All: Once the first packet is identified as harmful, the packet is dropped. Select this option when each packet of the defined attack is harmful, for example, Code Red and Nimda attacks.
• Source Count: Sessions are counted per source IP. Select this option when the defined attack is destination-based, and is not characterized by a single packet but rather by repeated packets, for example, MS Blast.
• Target Count: Sessions are counted per destination IP. Select this option when the defined attack is destination-based, and is not characterized by a single packet but rather by repeated packets, for example, ICMP flood attacks and DoS attacks.
• Source & Target Count: Sessions are counted per source IP and destination IP combination. Select this option when the defined attack is destination-based, and is not characterized by a single packet but rather by repeated packets.
• Sampling: A DoS shield attack.
Default: Drop All
Action Mode: When an attack is detected, one of the following actions can be taken:
• Report Only: The packet is forwarded to the defined destination.
• Drop: The packet is discarded.
• Reset Source: Sends a TCP-Reset packet to the packet Source IP.
• Reset Destination: Sends a TCP-Reset packet to the destination address.
• Reset Bi-directional: Sends a TCP-Reset packet to both the packet source IP and the packet destination IP.
Default: Drop
Risk: The severity of the damage that the attack can cause to your system.
• High
• Medium
• Low
• Info: An IPS attack for which the Risk parameter is set to Info is in fact an IDS signature.
Default value: Medium
Direction: This parameter sets the attack's inspection direction. Inspection can be of incoming traffic, outgoing traffic, or both.
Parameter Suspend Action Description This parameter sets the action to take in response to an attack: None: Suspend action is disabled for this attack. SrcIP: All traffic from the IP address identified as the source of the attack will be suspended. SrcIP. SrcIP. for example. SrcIP.Intrusions Table 9-3 Attack Configuration Parameters (cont. SrcPort. DestPort: Traffic from the IP address and port identified as the source of the attack to the destination IP and port under attack will be suspended Drop Threshold (Kbps) The number of packets matching the attack that can be forwarded in each second when the attack is Active. DestPort: Traffic from the IP address identified as the source of the attack to the application (destination port) under attack will be suspended. DestIP: Traffic from the IP address identified as the source of the attack to the destination IP under attack will be suspended. Select Enable to activate the policy. 2. double-click inside the Intrusions column. 3. enter the name of the filter. 11. In the Connect & Protect Table window. In the Filter Description text box. as explained in Table 9-6 on page 58. as explained in Table 9-3 on page 51. To create a new attack: 1. The Attack Configuration window appears. Set the OMPC parameters. The Settings pane appears. In the Settings pane. 12.Security Table 9-3 Attack Configuration Parameters (cont. In the Filter Name text box. Click Add New. Define the content parameters. enter the name of the new attack. Click Ok three times to return to the main window. From the main window. a notification message is sent indicating that the attack may be over. 5. this threshold is not exceeded. Default: Enable. select APSolute OS > Security. as explained in Table 9-5 on page 56. 6.) Parameter Termination Threshold (Kbps) Description If. Typically. 10. 4. You can also select "Do Not Alert" (or 0).Chapter 9 . for the duration of the Attack Aging Period. click Custom Attack. 9. as explained in Table 9-7 on page 59. 
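The Tracking Type, Tracking Time, Threshold and Action Mode semantics of Table 9-3, as an added example (illustrative code written for this page, not the CID implementation). It assumes a sliding window of Tracking Time milliseconds per tracking key, and that a packet counts as part of the attack when it is the (Threshold + 1)-th match inside that window; the traffic, addresses and timestamps are constructed.

```python
"""Attack tracking per Table 9-3: Drop All versus the counting Tracking Types."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ts_ms: int   # arrival time in milliseconds


class AttackTracker:
    # Tracking Type -> function that derives the key sessions are counted under.
    TRACKING_KEYS = {
        "Drop All": None,
        "Source Count": lambda p: (p.src,),
        "Target Count": lambda p: (p.dst,),
        "Source & Target Count": lambda p: (p.src, p.dst),
    }

    def __init__(self, tracking_type="Drop All", threshold=10,
                 tracking_time_ms=1000, action_mode="Drop"):
        if tracking_type not in self.TRACKING_KEYS:
            raise ValueError(f"unsupported Tracking Type: {tracking_type}")
        self.key_of = self.TRACKING_KEYS[tracking_type]
        self.threshold = threshold              # packets allowed per Tracking Time
        self.tracking_time_ms = tracking_time_ms
        self.action_mode = action_mode          # Drop, Report Only, Reset Source, ...
        self.windows = defaultdict(deque)       # tracking key -> match timestamps

    def handle(self, pkt: Packet) -> str:
        """Called for every packet that matched the attack's filters. Returns
        "forward" while the traffic is within "reasonable" behaviour for its
        key, otherwise the configured Action Mode (assumption: sliding window)."""
        if self.key_of is None:                 # Drop All: the first match is harmful
            return self.action_mode
        window = self.windows[self.key_of(pkt)]
        cutoff = pkt.ts_ms - self.tracking_time_ms
        while window and window[0] <= cutoff:   # expire matches outside the window
            window.popleft()
        window.append(pkt.ts_ms)
        if len(window) > self.threshold:        # more than Threshold per Tracking Time
            return self.action_mode
        return "forward"


def run_scenario(tracking_type: str) -> dict:
    """Constructed traffic: source 10.0.0.1 sends 12 matching packets to 10.0.0.9
    within 600 ms, source 10.0.0.2 sends 3 to the same target in that time, and
    10.0.0.1 sends one more packet 1.2 s later. Returns dropped packets per source."""
    tracker = AttackTracker(tracking_type, threshold=10, tracking_time_ms=1000)
    packets = [Packet("10.0.0.1", "10.0.0.9", t) for t in range(0, 600, 50)]
    packets += [Packet("10.0.0.2", "10.0.0.9", t) for t in (20, 220, 420)]
    packets += [Packet("10.0.0.1", "10.0.0.9", 1800)]
    packets.sort(key=lambda p: p.ts_ms)
    dropped = {"10.0.0.1": 0, "10.0.0.2": 0}
    for pkt in packets:
        if tracker.handle(pkt) == "Drop":
            dropped[pkt.src] += 1
    return dropped


if __name__ == "__main__":
    for tracking_type in AttackTracker.TRACKING_KEYS:
        print(f"{tracking_type:22s} dropped per source: {run_scenario(tracking_type)}")
```

Source Count isolates the flooding source, Target Count also penalises the second source once the target's window fills, and Drop All drops everything that matched the signature.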
Filter Par
ameters

The parameters of each filter are divided into the following categories:

• Description Parameters
• Protocol Definition Parameters
• OMPC (Bit pattern) Definition Parameters
• Content Definition Parameters

Description Parameters

Description parameters (Table 9-4) are the user-defined descriptions of the custom attack.

Table 9-4 Description Parameters

Attack Name
  The name of the attack as you define it.

Description
  A description of the attack.

Protocol Definition Parameters

Protocol definition parameters (Table 9-5) define the transmission protocol.

Table 9-5 Protocol Parameters

Protocol
  The protocol used: IP, TCP, UDP, or ICMP. Default value: IP.

Application Port Groups
  The group of Layer 4 ports, for UDP and TCP traffic only. The values can be: 0 - 65535. Each group is identified by its unique name. Each group name can be associated with a number of entries in the Application Port Groups table.

Destination Port Group
  Intended for UDP and TCP traffic only. Select from the list of groups configured in the Application Port Groups table.

Source Port Group
  Intended for UDP and TCP traffic only. Select from the list of groups configured in the Application Port Groups table.

To define a new application port group:

1. In the Filter Configuration window, click App. Port Group. The Application Port Groups window appears.
2. In the Application Port Groups window, click Modify. The Modify pane appears.
3. In the Modify pane, click Add and set the following parameters:
   Name: A user-defined group name.
   From Port: Define the first port in the range.
   To Port: Define the last port in the range.
   Notes:
   • To define a group with a single port, set the same value for the From Port and To Port parameters.
   • To associate a number of ranges with the same port group, use the same group name for all the ranges that you want to include in one group.
4. Click Ok. A new row appears in the Application Port Groups table.

OMPC (Bit pattern) Definition Parameters

Offset Mask Pattern Condition (OMPC) parameters are a set of attack parameters that define a rule for pattern lookups. The OMPC rule looks for a fixed-size pattern of up to four bytes that uses fixed offset masking.
This is useful only for attack recognition where the attack signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset. The OMPC parameters are presented in Table 9-6.

Table 9-6 OMPC Definition Parameters

OMPC Length
  The length of the OMPC data can be N/A, OneByte, TwoBytes, ThreeBytes, or FourBytes. Default value: N/A.

OMPC Condition
  The OMPC condition can be either N/A, equal, notEqual, greaterThan, or lessThan. Default value: N/A.

OMPC Pattern
  The fixed-size pattern within the packet that the OMPC rule attempts to find. The value must be defined according to the OMPC Length parameter. The OMPC Pattern parameter definition must contain eight symbols. If the OMPC Length value is lower than fourBytes, you need to complete it with zeros. For example, if OMPC Length is twoBytes, OMPC Pattern can be: abcd0000. Possible values: a combination of hexadecimal numbers (0-9, a-f). Default value: 00000000.

OMPC Mask
  The mask for the OMPC data. The value must be defined according to the OMPC Length parameter. The OMPC Mask parameter definition must contain eight symbols. If the OMPC Length value is lower than fourBytes, you need to complete it with zeros. For example, if OMPC Length is twoBytes, OMPC Mask can be: abcd0000. Possible values: a combination of hexadecimal numbers (0-9, a-f). Default value: 00000000.

Offset
  The location in the packet from which the checking of data is started in order to find specific bits in the IP/TCP header. The value can be: 0 - 1513. Default value: 0.

OMPC Offset Relative to
  Indicates the reference point to which the OMPC Offset is relative. You can set one of the following: None, Ethernet, IP Header, IP Data, L4 Header, L4 Data. Default value: None.
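How the Table 9-6 parameters combine into one check, as an added example (illustrative code written for this page, not the CID implementation). It assumes untagged Ethernet frames carrying IPv4, treats the reference point None like Ethernet (frame start), takes "IP Data" and "L4 Data" as the first byte after the respective header, and compares the masked bytes with the pattern as big-endian integers; the frames and rules are constructed.

```python
"""OMPC (Offset Mask Pattern Condition) rule evaluation over a raw frame."""
import struct
from dataclasses import dataclass
from typing import Optional

LENGTHS = {"OneByte": 1, "TwoBytes": 2, "ThreeBytes": 3, "FourBytes": 4}


@dataclass(frozen=True)
class OmpcRule:
    length: str       # N/A, OneByte, TwoBytes, ThreeBytes or FourBytes
    condition: str    # N/A, equal, notEqual, greaterThan or lessThan
    pattern: str      # eight hex symbols, right-padded with zeros
    mask: str         # eight hex symbols, right-padded with zeros
    offset: int       # 0 - 1513, counted from the reference point
    relative_to: str  # None, Ethernet, IP Header, IP Data, L4 Header, L4 Data

    def __post_init__(self):
        for value in (self.pattern, self.mask):
            if len(value) != 8:
                raise ValueError("pattern and mask need exactly eight hex symbols")
            int(value, 16)                    # raises on non-hex symbols
        if not 0 <= self.offset <= 1513:
            raise ValueError("offset must be in 0 - 1513")


def base_offset(frame: bytes, relative_to: str) -> Optional[int]:
    """Index in the frame that Offset counts from, or None when the frame has
    no such header (assumption: untagged Ethernet carrying IPv4)."""
    eth_len = 14
    if relative_to in ("None", "Ethernet"):   # assumption: None = frame start
        return 0
    if len(frame) < eth_len + 20 or frame[12:14] != b"\x08\x00":
        return None                           # not IPv4: IP-relative rules cannot apply
    ihl = (frame[eth_len] & 0x0F) * 4
    if relative_to == "IP Header":
        return eth_len
    l4 = eth_len + ihl
    if relative_to in ("IP Data", "L4 Header"):
        return l4
    if relative_to == "L4 Data":
        proto = frame[eth_len + 9]
        if proto == 6 and len(frame) >= l4 + 20:        # TCP: use the data-offset field
            return l4 + (frame[l4 + 12] >> 4) * 4
        if proto in (1, 17) and len(frame) >= l4 + 8:   # ICMP / UDP: 8-byte header
            return l4 + 8
        return None
    raise ValueError(f"unknown reference point: {relative_to}")


def evaluate(rule: OmpcRule, frame: bytes) -> bool:
    """True when the masked bytes at the rule's offset satisfy the condition."""
    width = LENGTHS.get(rule.length)
    if width is None or rule.condition == "N/A":
        return False                          # N/A disables the OMPC check
    base = base_offset(frame, rule.relative_to)
    if base is None:
        return False
    data = frame[base + rule.offset: base + rule.offset + width]
    if len(data) < width:
        return False                          # offset runs past the end of the packet
    mask = bytes.fromhex(rule.mask)[:width]   # only the first Length bytes matter
    pattern = bytes.fromhex(rule.pattern)[:width]
    seen = int.from_bytes(bytes(d & m for d, m in zip(data, mask)), "big")
    wanted = int.from_bytes(pattern, "big")
    return {"equal": seen == wanted, "notEqual": seen != wanted,
            "greaterThan": seen > wanted, "lessThan": seen < wanted}[rule.condition]


# Header-field rules of the kind OMPC is intended for (constructed examples):
# TCP flags byte is at offset 13 of the TCP header, TTL at offset 8 of the IP header.
SYN_FIN_RULE = OmpcRule("OneByte", "equal", "03000000", "03000000", 13, "L4 Header")
NULL_SCAN_RULE = OmpcRule("OneByte", "equal", "00000000", "3f000000", 13, "L4 Header")
LOW_TTL_RULE = OmpcRule("OneByte", "lessThan", "05000000", "ff000000", 8, "IP Header")
HTTP_GET_RULE = OmpcRule("FourBytes", "equal", "47455420", "ffffffff", 0, "L4 Data")


def build_tcp_frame(flags: int, ttl: int = 64, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left as 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    for name, rule, frame in [
        ("SYN+FIN", SYN_FIN_RULE, build_tcp_frame(0x03)),
        ("null scan", NULL_SCAN_RULE, build_tcp_frame(0x00)),
        ("low TTL", LOW_TTL_RULE, build_tcp_frame(0x02, ttl=3)),
        ("GET at L4 data", HTTP_GET_RULE, build_tcp_frame(0x18, payload=b"GET / HTTP/1.1")),
    ]:
        print(f"{name:14s} -> {evaluate(rule, frame)}")
```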
Content Definition Parameters

The Content parameters (Table 9-7) define the rule for a text/content string lookup. This rule is intended for attack recognition where the attack signature is a text/content string within the packet payload.

Table 9-7 Content Definition Parameters

Content Type
  Enables the user to search for one of the following specific content types:
  • N/A: Not available.
  • URL: In the HTTP request URI.
  • Normalized URL: To avoid evasion techniques when classifying HTTP-GET requests, the URL content is transformed into its canonical representation to interpret the URL in the same way the server would. The normalization procedure supports the following cases:
    • Directory referencing, by reducing '/./' to '/' or "A/B/../" to "A/".
    • Changing HEX encoding to ASCII characters; for example, the hex value %20 is changed to " " (space).
    • Changing backslash ('\') to slash ('/').
    • Unicode support, UTF-8, and IIS encoding.
  • Text: Anywhere in the packet. No normalization procedures are taken.
  • Header Type: HTTP header field. The Content field includes the header field name, and the Content Data field includes the field value.
  • Cookie Data: HTTP Cookie field. The Content field includes the Cookie name, and the Content Data field includes the Cookie value.
  • Host Name: In the HTTP header.
  • Mail Domain: In the SMTP header.
  • Mail Subject: In the SMTP header.
  • Mail From: In the SMTP header.
  • Mail To: In the SMTP header.
  • Regular Expression: Anywhere in the packet.
  • File Type: The type of the requested file in the HTTP GET command (jpg, exe, and so on).
  • FTP Command: Parses FTP commands into commands and arguments, while performing normalization of the FTP packets and stripping of Telnet opcodes.
  • FTP Content: Scans the data transmitted using FTP, performing normalization of the FTP packets and stripping of Telnet opcodes.
  • RPC: Reassembles RPC requests over several packets. The RPC RFC 1831 standard provides a feature called Record Marking Standard (RM). In the case of a stream-oriented protocol (like TCP), RPC uses a kind of fragmentation to delimit between the records. This feature is used to delimit several RPC requests sent on top of the transport protocol. In some cases, fragmentation may also divide records in the middle and not only at their boundaries. In spite of its original purpose, this functionality may be used to evade IPS systems.
  • POP3 User: User field in the POP3 header.
  Default value: N/A.

Content Offset
  The location in the packet from which the content is checked. The offset location is measured from the beginning of the UDP or TCP header. The value can be: 0 - 1513. Default value: 0.

Content Encoding
  Application Security can search for content in languages other than English, for case sensitive or case insensitive text, as well as hexadecimal strings. Values for this parameter include:
  • None
  • Case Insensitive
  • Case Sensitive
  • HEX
  • International
  Note: The value of this field corresponds to the Content Type parameter. Default value: None.

Content
  The actual value of the content search. Possible values: < space > ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~.

Content Data
  The type of content to be searched within the packet:
  • N/A: Not available.
  • URL: HTTP GET packets are scanned for their URL data.
  • Text: For text in all packets.

Content Max Length
  The maximum length to be searched within the selected Content Type. The value can be: 0 - 1513. Default value: 0. Note: The Content Max Length value must be equal to or greater than the Offset value.

Distance Range
  A range that defines the allowed distance between two content characters. If the distance is beyond the specified range, it is recognized as an attack.

Content Language
  Contains the language (character set) in which the content is written. Default language: English.

Content Data Encoding
  Application Security can search for data in languages other than English, for case sensitive or case insensitive data, as well as hexadecimal strings. Values for this parameter include:
  • None
  • Case Insensitive
  • Case Sensitive
  • HEX
  • International
  Note: The value of this field corresponds to the Content Type parameter. Default value: None.
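The canonicalization cases listed for the Normalized URL content type, carried through as an added example (illustrative code written for this page, not the CID implementation). It assumes the query string is left untouched, that hex decoding is applied once, and that repeated slashes collapse; the signature and request URIs are constructed.

```python
"""Normalized URL matching: '/./' and 'A/B/../' reduction, %XX hex decoding
(bytes decoded as UTF-8), IIS %uXXXX decoding, and backslash-to-slash."""
import re

_HEX = re.compile(r"%([0-9A-Fa-f]{2})")
_IIS_U = re.compile(r"%u([0-9A-Fa-f]{4})")


def decode_hex(path: str) -> str:
    """%XX sequences become bytes (decoded as UTF-8); %uXXXX become code points."""
    path = _IIS_U.sub(lambda m: chr(int(m.group(1), 16)), path)
    raw = bytearray()
    i = 0
    while i < len(path):
        m = _HEX.match(path, i)
        if m:
            raw.append(int(m.group(1), 16))
            i = m.end()
        else:
            raw += path[i].encode("utf-8")
            i += 1
    return raw.decode("utf-8", errors="replace")


def collapse_dots(path: str) -> str:
    """Resolve '.' and '..' segments the way a file-serving server would."""
    absolute = path.startswith("/")
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):                 # '/./' and '//' add nothing
            continue
        if seg == "..":                      # 'A/B/../' -> 'A/'
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    result = "/".join(stack)
    if stack and path.endswith(("/", "/.", "/..")):
        result += "/"                        # keep a trailing directory slash
    return ("/" if absolute else "") + result


def normalize_url(request_uri: str) -> str:
    """Canonical form of the request path; the query string is left as-is."""
    path, sep, query = request_uri.partition("?")
    path = decode_hex(path)
    path = path.replace("\\", "/")
    return collapse_dots(path) + sep + query


def url_matches(signature: str, request_uri: str) -> bool:
    """Content Type = Normalized URL: search the canonical path for the signature."""
    return signature in normalize_url(request_uri)


# Constructed request URIs that a server would all resolve to the same resource.
SIGNATURE = "/cgi-bin/admin"
VARIANTS = [
    "/cgi-bin/admin",
    "/cgi%2Dbin/./admin",
    "/cgi-bin\\admin",
    "/images/../cgi-bin/admin",
    "/cgi-bin/%61dmin",
    "/cgi-bin/%u0061dmin?x=1",
]

if __name__ == "__main__":
    for uri in VARIANTS:
        as_text = SIGNATURE in uri           # what Content Type = Text would see
        print(f"{uri:28s} text={as_text!s:5s} normalized={url_matches(SIGNATURE, uri)}")
```

The contrast between the two columns is the point of the Normalized URL type: a plain Text search sees only two of the six variants, the canonical form matches all of them.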
Custom Attack Groups

The custom attack group represents a logical OR relation between two or more attacks. Radware provides you with a set of predefined custom attack groups as part of the Signatures file. The predefined attack groups are divided according to types of protection. For example, all attack signatures designed to harm IIS web servers are grouped under the IIS Attack Group. The attacks that affect performance or are prone to false positives are gathered in the Unassigned group and can be activated either by adding an attack to an existing group or to a user-defined group. You can also add user-defined attack groups using predefined attacks or user-defined attacks. Groups can be activated within a protection profile, except for the Unassigned group. The right panel of the Attack Group Configuration window (Figure 9-5) contains a list of all existing groups.

[Figure 9-5 Attack Group Configuration Window]

To add a new custom attack group:

1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect and Protect Table window, double-click inside the Intrusions column. The Settings pane appears.
3. In the Settings pane, click Custom Group. The Attack Group Configuration window appears.
4. In the Group Name text box, enter the new user-defined name for the attack group.
5. In the All Intrusion Attacks pane, select the attacks you want to include in this group and move them to the Selected Attacks pane by clicking the Add button.

Editing Attack Groups

To edit an attack group:

1. From the main window, select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click in the Intrusions column. The Settings pane appears.
3. In the Settings pane, select the attack group you want to edit and click Edit. The Attack Group Configuration window appears.
4. Edit the parameters of the group (see Custom Attack Groups, page 9-64).

Creating a New User-Defined Intrusion Prevention Profile

You can either select from the Radware predefined intrusion prevention profiles or create your own custom profiles.

To create a new user-defined intrusion prevention profile:

1. From the main window, select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click in the Intrusions column. The Settings pane appears.
3. In the Settings pane, click New Profile. The New Intrusion Prevention Profile window appears.
4. In the New Intrusion Prevention Profile window, enter a name for your new profile.
5. From the All Intrusion Attacks list, select attack groups and move them to the new profile by clicking the Add button.
6. Click Ok. The new profile appears in the Intrusion Prevention Profile pane.
7. In the Connect & Protect Table, select the policy to which you want to apply the new intrusion prevention profile and click Apply. The name of the new profile appears in the selected cell. Your preferences are recorded.

Example - Configuring an Intrusion Prevention Profile for Protection Against MSBlast Worm

The MSBlast (W32/Blaster) worm was first detected on August 11th 2003. This worm exploits known vulnerabilities in the Microsoft DCom Remote Procedure Call (RPC) Interface. In the course of propagation, a TCP session to port 135 is used to execute the attack. Access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromised host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood DoS attack against windowsupdate.com. Protection is obtained by adding two custom attacks and grouping them together.
Affected Products

The MSBlast worm affects the following Microsoft products:

• Microsoft Windows NT® 4.0
• Microsoft Windows NT 4.0 Terminal Services Edition
• Microsoft Windows 2000
• Microsoft Windows XP
• Microsoft Windows Server™ 2003

Impact

A remote attacker could exploit these vulnerabilities to execute arbitrary code with Local System privileges or to cause a denial-of-service condition.

To create the MSBlast Worm Protection Policy:

1. From the main window, select APSolute OS > Security. The Connect & Protect Table window appears.
2. Create the first basic attack:
   a. In the Connect & Protect Table window, double-click inside the Intrusions column. The Settings pane appears.
   b. In the Settings pane, click Custom Attack. The Attack Configuration window appears.
   c. In the Attack Name field, enter blast_shell.
   d. Click Add New. The Filter Configuration window appears.
   e. In the Filter Configuration window, enter the following values:
      Filter Name: blast_shell
      Protocol: TCP
      Destination Port Group: http
      Source Port Group: http
      OMPC Length: Not Applicable
      OMPC Condition: Not Applicable
      OMPC Pattern: 0000000
      Mask: 0000000
      OMPC Offset: 0
      OMPC Offset Relative to: None
      Content Type: Text
      Content Encoding: Case Sensitive
      Content: msblast.exe
      Content Offset: 0
      Content Max Length: 0
      Content Data Encoding: Not Applicable
   f. Click Ok twice to return to the Connect & Protect Table window.
3. Create the second custom attack:
   a. In the Connect & Protect Table window, double-click inside the Intrusions column. The Settings pane appears.
   b. In the Settings pane, click Custom Attack. The Attack Configuration window appears.
   c. In the Attack Name field, enter blast_shell.
   d. Click Add New. The Filter Configuration window appears.
   e. In the Filter Configuration window, enter the following values:
      Filter Name: blast_rpc
      Protocol: TCP
      Destination Port Group: http
      Source Port Group: http
      OMPC Length: Not Applicable
      OMPC Condition: Not Applicable
      OMPC Pattern: 0000000
      Mask: 0000000
      OMPC Offset: 0
      OMPC Offset Relative to: None
      Content Type: Text
      Content Encoding: Hex
      Content: 1F7457759580BFBB927F895A1ACEB1DE
      Content Offset: 0
      Content Max. Length: 0
      Content Encoding: HEX
      Content Data Encoding: Not Applicable
   f. Click Ok twice to return to the Connect & Protect Table window.
4. Create a new custom attack group:
   a. In the Connect & Protect Table window, double-click inside the Intrusions column. The Settings pane appears.
   b. In the Settings pane, click Custom Group. The Attack Group Configuration window appears.
   c. In the Group Name text box, enter virus_custom.
   d. From the All Attacks lists, select the custom attacks that you created and click the Add button to move them to the Selected Attacks list. Click Ok. Virus_custom appears in the All Intrusions Attack list.

Section 9-4 DoS/DDoS

Section 9-4, DoS/DDoS, introduces the mechanism of DoS/DDoS protection profiles and explains how to configure them. This section includes the following topics:

• Introducing DoS/DDoS, page 9-73
• DoS/DDoS Protection Services, page 9-74
• Introduction to DoS Shield, page 9-75
• Setting Up DoS Shield Using Radware Profiles, page 9-80
• Defining DoS Shield with User-Defined Settings, page 9-81
• Introduction to Application Security, page 9-92
• Setting Up Application Security for DoS/DDoS Using Profiles and Groups, page 9-93
• Defining Application Security Profiles with User-Defined Settings, page 9-94
Introducing DoS/DDoS

Radware's security scheme provides organizations with extensive Denial of Service (DoS) detection and protection capabilities while maintaining high network throughput. DoS occurs as a result of various types of flooding caused by hackers. When hackers send mass volumes of traffic, they overload networks or servers, thus causing denied access for real users. This is known as Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks. A basic DoS attack floods the network with TCP, UDP, or ICMP packets that are generated by common tools available on the Internet. Another type of DoS attack can be caused by one or few packet attacks, such as Land Attack, Ping of Death, and so on. These attacks exploit a server or network vulnerability, such as buffer overflows.

Another challenge when mitigating DoS attacks is to deal with hackers, who are becoming increasingly sophisticated. Basic SYN attacks can be accommodated by detecting incomplete TCP requests. However, hackers may also use new techniques and tools, such as Naphta, which creates a Connection Attack by completing a TCP handshake without any data traffic. The DoS/DDoS module provides protection against packet flooding, such as UDP, TCP, and ICMP, thereby preventing denial of service.

DoS/DDoS Protection Services

To provide protection against denial of service, the DoS/DDoS module incorporates two different services that mitigate DoS attacks:

• DoS Shield Profiles: Sampling-based service that provides protection against packet flooding. This service utilizes an advanced sampling mechanism, which significantly reduces the device CPU load compared to packet-by-packet scanning. Once an attack is detected, the DoS Shield module sets the relevant attack filter for packet-by-packet inspection. The sampling-based service provides optimized performance in high throughput networks.
• Application Security Profiles: Packet-by-packet scanning service that provides protection against DoS attacks, using signature-based packet-by-packet scanning. This protection is provided for TCP, UDP, and ICMP floods. The packet-by-packet scanning service is based on the DoS protection group, named DOS.

Using DoS/DDoS Profiles

The two types of profiles used in the DoS/DDoS security module are Application Security Profiles and DoS Shield Profiles.

DoS/DDoS Configuration Guidelines:

1. From the main window, select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the DoS/DDoS column. The Settings pane appears.
3. Select Application Security Profiles. The Settings pane appears (see Defining Application Security Profiles with User-Defined Settings, page 9-94).

Introduction to DoS Shield

To prevent denial of service, DoS Shield samples traffic flowing through the device and limits the bandwidth of traffic that was recognized as a DoS attack, using a predefined action. An attack becomes a threat to the network when it starts to consume large amounts of the network's bandwidth, which causes a denial of service effect. This concept is based on the fact that sporadic attacks that consume negligible amounts of bandwidth can be tolerated by most networks and do not require any counter action. The DoS Shield module detects the occurrence of such events with an advanced sampling algorithm and takes automatic action to solve the problem. The combination of a unique sampling scheme with the strong computing power of the Application Switch platform provides maximum security at maximum speed.

How the DoS Shield Module Works

The DoS Shield mechanism is based on working with two attack states: Dormant and Active. Dormant state indicates that the sampling mechanism is used for recognition prior to action activation. An attack in Dormant state can become active only if the number of packets that enter your network exceeds the predefined limit. Active state indicates that the action must be implemented on each packet that matches the attack signature, without sampling.

The DoS Shield mechanism involves two mechanisms working in parallel. One statistically monitors the traffic to check if any of the attacks in Dormant state is active. When a pre-configured number of packets is reached, the status of the attack changes to Active. When an attack is detected as active, this attack is handled by the second mechanism: each packet passing through the device is compared to the list of currently active attacks.

The DoS Shield counts packets matching the Dormant and Active states. Samples of the traffic are compared with the list of attacks in Dormant state: a portion of the packets is sent to be compared with Dormant attacks, and the rest of the packets are simply forwarded to the network, without being inspected against the list of Dormant attacks.

DoS Shield Traffic Flow

When traffic arrives at the device, samples of the traffic are copied and inspected against each entry in the list of Dormant attacks to detect possible attacks. You can control the sampling rate by setting the number of packets that pass through the device before a packet is examined against the list of attacks in Dormant state (see Packet Sampling Rate in Figure 9-6). You can also configure the duration of the sampling period during which the different thresholds are checked (see Sampling Time in Figure 9-6).

Whenever traffic matches an Attack filter, a counter is incremented. At the end of each Sampling Time, the counter value is normalized and compared to the thresholds configured for the attack. You can configure a Warning Threshold and an Activation Threshold for each attack. When the Warning Threshold is met, a warning message is sent notifying about the attack. When the Activation Threshold is met, the attack state changes to Active. At that point, each packet passing through the device is inspected against the attack and the forwarding limit is executed.
[Figure 9-6 DoS Shield Traffic Flow Diagram: an incoming packet is sampled; the copy of a sampled packet is compared to the Dormant attacks, and when the Activation Threshold is passed the attack is activated; all packets are compared to the Currently Active Attacks list, a match applies the pre-configured action, and otherwise the packet is forwarded to the destination port]

When an attack is activated, the following actions are possible:

• Bandwidth of traffic (kbps) that matches a Currently Active Attack is limited when forwarding packets to the network.
• When the forwarding limit is 0, all packets that match the Currently Active Attack are blocked.

You can also preconfigure an attack as Currently Active. In that case, every packet passing through the device is always matched against that attack filter, regardless of the Attack Termination Threshold.

The status of a Currently Active Attack reverts to Dormant when the amount of traffic matching the attack filter is smaller than the Attack Termination Threshold for the duration of the Aging Period for that attack. In order for the attack to be considered over, the counters for the attack must not cross the Termination Threshold during the configured Sampling Time periods. The Aging Period allows you to set a number of Sampling Time periods. The attack's status then reverts to Dormant and its termination is reported to the management station.

DoS Overload Mechanism

The Overload Mechanism is designed to protect the device from becoming a network bottleneck. When the traffic load approaches the device's maximum processing capacity, the device behavior is affected by the Overload Mechanism. The Overload Mechanism is activated when the device CPU utilization reaches 80%. CPU utilization is measured every second. Only the excess traffic is affected by the operation of the Overload Mechanism, which makes it possible to cascade two or more devices so that each device removes excessive traffic according to its capacity.

Notes:

• The Overload Mechanism is enabled when it is set to Forward Excess Traffic.
• The Overload Mechanism is designed as an integral part of the DoS Shield module, and therefore must be used in case DoS Shield is the only active module.
• It is not recommended to use the Overload Mechanism when other modules are also activated (IPS, SYN Protection, BWM, and so on).
• For possible configuration options, see page 9-14.

Overload Mechanism in Application Switch 1 and 2

CID 200/202 are based on the AS1 platform. CID 1000 is based on the AS2 platform. Both platforms share a similar architecture, where all traffic is processed and forwarded by the master CPU. When the master CPU reaches 80% utilization, the mechanism is activated. In that case, it starts forwarding the excess packets without the DoS Shield module inspection. All the other security modules continue to operate and filter traffic according to their policies' settings.

Overload Mechanism in Application Switch 4

CID 3020 is based on the AS-4 platform, where traffic is first classified by the network processors (NPs). The overload is measured per master CPU and NP load. Once the master CPU load reaches 80% or the NPs are overloaded, the device starts to forward all traffic through the NPs without sending it to the master CPU for inspection by DoS Shield. This means that all modules are bypassed and no policies can be enforced on the excessive traffic.

Setting Up DoS Shield Using Radware Profiles

Radware supplies a set of predefined attack profiles and attack groups that provide constant protection against all recent attacks (see Protection Profiles and Groups Supplied by Radware, page 9-26). Most of the existing DoS attacks can be prevented using Radware profiles. You can use these prevention profiles to define protection policies (see Setting Up Security Policies in the Connect and Protect Table, page 9-10). The parameters that are part of the Sampling (Figure 9-6) process can be configured using the DoS Shield mechanism.

DoS Shield Configuration Guidelines using Radware defined profiles:

1. From the main window, select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the DoS/DDoS column. The Settings pane appears.
3. In the Settings pane, select DoS Shield Profiles.
4. Enable DoS Shield protection and set the general parameters (see page 9-14).
5. In the DoS Prevention Profiles pane, select the predefined profiles and apply them to the policy in the Connect & Protect Table window.

Note: You can view all the information about an attack in the Attack Dynamic Information table, see page 9-84.

Defining DoS Shield with User-Defined Settings

The Dormant Attacks database consists of attacks supplied by Radware. These attacks provide constant protection against all recent DoS attacks (see page 9-25). Most of the existing DoS attacks can be prevented using Radware attacks. In addition to the Radware-defined attacks, you can add user-defined attacks to the database. You can use these attacks to define prevention profiles. For new users, it is recommended to define DoS Shield prevention profiles using Radware-defined attacks only.

DoS Shield Configuration Guidelines using user-defined profiles:

1. Enable DoS Shield protection and set the general parameters (see page 9-14).
2. Define the DoS Shield attacks (see page 9-81).
3. Create a new DoS Shield profile and apply the new profile to the policy in the Connect and Protect Table (see page 9-90).

Defining DoS Shield Attacks and Filters

An Attack is a building block of the DoS Shield profile. Each attack contains one or more protection filters and a mechanism that determines which packets are malicious and how CID treats those packets. Filters are detectors that scan and classify the predefined traffic. Each attack includes protection filters that are configured to detect and block malicious packets. Each filter (Figure 9-7) contains one specific signature.
[Figure 9-7 Filter Configuration]

The Signatures database contains attacks provided by Radware. You can add user-defined attacks to reflect the specific needs of your network or edit the existing attacks. An attack can employ one or more filters. The filter's main purpose is to match the specific packet within the traffic scanned by this filter and the attack signature from the Radware Attack Signatures database (see Managing the Signatures Database). When more than one filter is used, the traffic is checked for all the signatures defined in the attack's filters. This means that the classification mechanisms of all filters applied to the same attack are involved in the scanning process; in other words, the scanning process represents a logical AND relation between the filters involved.

Note: For each custom attack, you must define custom filters. You cannot use filters from other attacks when you define a custom attack.

An attack's settings parameters define how the malicious packet is tracked and treated once its signature is recognized. Each attack is bound to a "Tracking" function that defines how the packet is handled when it is matched with the signature. The main purpose of these functions is to determine whether the packet is harmful and to apply an appropriate action. There are two types of match functions:

• The "Immediate" type, which makes decisions based on a single packet. The signature's match to the packet is considered an indicator for the attack, and the packet is dropped ("Drop All"); for example, MS Blast.
• The "Threshold" or "Counter" functions, which assume that the signature match alone is not enough for detecting a packet as offensive. This is because the packet may be legitimate unless the number of packets over a period of time exceeds a threshold that defines "reasonable" behavior for such traffic; for example, ICMP flood attacks and DoS attacks. Only packets that exceed the threshold within a predefined time slot are dropped.

Table 9-8 describes the attack's parameters.

Table 9-8 Attack Configuration Parameters

Attack Name
  A user-defined name for this attack, maximum 30 characters.

Tracking Time
  Sets the amount of time (in milliseconds) in which the Threshold is measured. Default value: 1000.

Threshold
  Sets the maximum number of attack packets that are allowed in each Tracking Time unit. When a number of packets that is greater than the Threshold value passes through the device during this defined time period, the device recognizes it as an attack. The attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period. Default value: 10.

Tracking Type
  Defines how the device decides which traffic to block or drop. Values can be:
  • Drop All: Once the first packet is identified as harmful, the packet is dropped. Select this option when each packet of the defined attack is harmful. For example: Code Red and Nimda attacks.
  • Source Count: Sessions are counted per source IP. Select this option when the defined attack is destination-based, and is not characterized by a single packet but rather by repeated packets.
  • Target Count: Sessions are counted per destination IP. Select this option when the defined attack is destination-based, and is not characterized by a single packet but rather by repeated packets.
  • Source & Target Count: Sessions are counted per source IP and destination IP combination. Select this option when the defined attack is destination-based, and is not characterized by a single packet but rather by repeated packets.
  • Sampling: A DoS Shield attack.
  Default: Drop All.

Action Mode
  When an attack is detected, one of the following actions can be taken:
  • Report Only: The packet is forwarded to the defined destination.
  • Drop: The packet is discarded.
  • Reset Source: Sends a TCP-Reset packet to the packet source IP.
  • Reset Destination: Sends a TCP-Reset packet to the destination address.
  • Reset Bi-directional: Sends a TCP-Reset packet to both the packet source IP and the packet destination IP.
  Default: Drop.

Risk
  The severity of the damage that the attack can cause to your system:
  • High
  • Medium
  • Low
  • Info: An IPS attack for which the Risk parameter is set to Info is in fact an IDS signature.
  Default value: Medium.

Direction
  This parameter sets the attack's inspection direction. Inspection can be of incoming traffic, outgoing traffic, or both.

Suspend Action
  This parameter sets the action to take in response to an attack:
  • None: Suspend action is disabled for this attack.
  • SrcIP: All traffic from the IP address identified as the source of the attack will be suspended.
  • SrcIP, DestIP: Traffic from the IP address identified as the source of the attack to the destination IP under attack will be suspended.
  • SrcIP, DestPort: Traffic from the IP address identified as the source of the attack to the application (destination port) under attack will be suspended.
  • SrcIP, DestIP, DestPort: Traffic from the IP address identified as the source of the attack to the destination IP and port under attack will be suspended.
  • SrcIP, SrcPort, DestIP, DestPort: Traffic from the IP address and port identified as the source of the attack to the destination IP and port under attack will be suspended.

Drop Threshold (Kbps)
  The number of packets matching the attack that can be forwarded in each second when the attack is Active. A value of Drop All (or 0) means that all packets must be blocked. Any value other than Drop All is used for attacks that match a pattern of legitimate traffic; for example, UDP Flood attacks.
DestIP: Traffic from the IP address identified as the source of the attack to the destination IP under attack will be suspended. DestPort: Traffic from the IP address identified as the source of the attack to the application (destination port) under attack will be suspended. State Filters A list of user-defined filters (see page 9-81). 7. You cannot use filters from other attacks when you define a custom attack. You can also select "Do Not Alert" (or 0). Default: Enable. select DoS Shield Profiles. 3. The Filter Configuration window appears. In the Connect & Protect Table window. The Connect & Protect Table window appears.) Parameter Termination Threshold (Kbps) Description If. To add new user-defined filters to this attack.DoS/DDoS Table 9-8 Attack Configuration Parameters (cont. Typically. select APSolute OS > Security. 9-88 CID User Guide . a notification message is sent indicating that the attack may be over. Select Enable to activate the policy. you must define custom filters. In the Settings pane. The Settings pane appears. 9. set the parameters as explained in Table 9-8. In the Filter Name text box. as explained in Table 9-5 on page 56. for the duration of the Attack Aging Period. define the OMPC parameters. Note: For each custom attack. this threshold is higher than the Termination Alert Threshold and lower than the Activation Threshold. In the Protocol parameters pane. define the protocol parameters. From the main window. To add a new attack: 1. 2. 5. The Attack Configuration window appears. In the OMPC parameters pane. Click Custom Attack. 6. 4. In the Attack Configuration window. as explained in Table 9-6 on page 58. this threshold is not exceeded. double-click inside the DoS/DDoS column. 8. type the name of the filter. click Add New. as explained in Table 9-7 on page 59. The Application Port Groups window appears. In the Content parameters pane. CID User Guide 9-89 . 11. and the new attack appears in the All DoS Attacks List. 
The Custom DoS Filter window closes. type the description of the filter. To define a new application port group: 1. and the new filter appears in the Filters box of the Custom DoS Attack window. 13.Chapter 9 . 12. 2. click Modify. In the Application Port Groups window.Security 10. Filter Parameters The parameters of each filter are divided into the following categories: • • • • Description Parameters Protocol Definition Parameters OMPC (Bit pattern) Definition Parameters Content Definition Parameters Description Parameters Description parameters (Table 9-4) are the user-defined descriptions of the custom attack. The Modify pane appears. In the Filter Configuration window. define the content parameters. Click Ok. The Edit Attacks Table window closes. In the Filter Description text box. Protocol Definition Parameters Protocol definition parameters (Table 9-5) define transmission protocol. click Application Port Group. A user-defined group name. click Add and define the following parameters according to the explanations provided: Name: From Port: To Port: Notes: • • To define a group with a single port. This rule is intended for attack recognition where the attack signature is a text/content string within the packet payload. Creating a New DoS Shield Profile You can create a new profile using attacks provided by Radware or using custom attacks.DoS/DDoS 3. Define the first port in the range. OMPC (Bit pattern) Definition Parameters Offset Mask Pattern Condition (OMPC) parameters are a set of attack parameters that define a rule for pattern lookups. 9-90 CID User Guide . that uses fixed offset masking. To associate a number of ranges with the same port group. A new row appears in the Application Port Groups table. In the Modify pane. The OMPC parameters are presented in Table 9-6. The OMPC rule looks for a fixed size pattern of up to four bytes. set the same value for the From Port and To Port parameters. 
This is useful only for attack recognition where the attack signature is a TCP/IP header field or a pattern in the data/payload in a fixed offset. Content Definition Parameters The Content parameters (Table 9-7) define the rule for a text/content string lookup. Click Ok. Define the last port in the range. use the same group name for all the ranges that you want to include in one group. 4. 2. In the Connect & Protect Table window. 5. In the Settings pane. 3. click New Profile. In the Settings pane. The New Profile window appears. select DoS Shield Profiles. and the new profile appears in the DoS Prevention Profiles pane. From the main window. 4. In the Connect & Protect Table window. The Settings pane appears. 7. In the All DoS Attacks List pane. The name of the new profile appears in the selected cell. type the name of the new profile and click Ok. select the policy to which you want to apply the new DoS Shield profile and click Apply. 6. select APSolute OS > Security.Security To define a new DoS Shield profile: 1. The New Profile window closes. double-click inside the DoS/DDoS column. In the Profile Name text box. select the attack(s) that you want to add to the new profile and click Add. The Connect & Protect Table window appears. The selected attack appears in the DoS Prevention Profiles pane. CID User Guide 9-91 .Chapter 9 . Another example is the Land attack. providing maximum protection for network elements. which can cause certain servers to crash. 9-92 CID User Guide . The profiles use various attacks that find the malicious packets and make decisions in accordance with the predefined settings. Application Security profiles are predefined traffic detectors that scan the incoming traffic in order to identify known attack signatures. in which a single packet may cause routers to stop forwarding traffic until reset occurs. where a packet is sent with the same source and destination ports. These profiles deliver advanced detection and prevention capabilities. 
and applications. Examples of such attacks include the Cisco vulnerabilities and exploits. Application Security provides protection against one-packet or multiple-packet attacks that cause denial of service. hosts.DoS/DDoS Introduction to Application Security Application Security profiles are incorporated in the mechanism of protection and prevention against the denial of service attacks. The Settings pane appears. Enable Application Security and define the general parameters (see page 9-12). double-click inside the DoS/DDoS column. 2. The Connect & Protect Table window appears. 3. page 9-26).Security Setting Up Application Security for DoS/DDoS Using Profiles and Groups Radware supplies a set of predefined attack profiles and attack groups that provide constant protection against all recent attacks (see Protection Profiles and Groups Supplied by Radware. In the Connect & Protect Table window. From the DoS Prevention Profiles list.Chapter 9 . 5. Most of the existing attacks can be prevented using Radware profiles. click Security. 4. select the predefined profiles and apply them to the policy in the Connect & Protect Table window. 6. In the Settings pane. page 910). You can use these prevention profiles to define protection policies (see Setting Up Security Policies in the Connect and Protect Table. Select the predefined profiles and apply them to the policy in the Connect & Protect Table. In the main window. CID User Guide 9-93 . select DoS Shield Profiles. Application Security Profiles Configuration Guidelines using Radware-Defined Profiles: 1. you can create custom prevention profiles. 3. it is recommended to define profiles using Radware defined attack groups only. For new users. and custom attacks that are based on custom filters.DoS/DDoS Defining Application Security Profiles with User-Defined Settings In addition to the Radware-defined profiles and groups. 9-94 CID User Guide . Define custom attack groups (see page 9-64). custom attack groups. 
Enable Application Security and define the general parameters (see page 9-12). Define custom attacks (see page 9-49). 4. Define the Application Security profile and apply it to the policy in the Connect & Protect Table window (see page 9-66). Application Security Configuration Guidelines Using UserDefined Settings: 1. 2. and the packet is dropped ("Drop All") for example. ICMP flood attacks and DoS attacks. The filter’s main purpose is to match the specific packet within the traffic scanned by this filter and the attack signature from the Radware Attack Signatures database (see Managing the Signatures Database. An attack can employ one or more filters. Each filter (Figure 9-4) contains one specific signature. MS Blast. Only packets that exceed the threshold within a predefined time slot are dropped. • CID User Guide 9-95 . These functions assume that the signature match alone is not enough for detecting a packet as offensive. Each attack is bound to a “Tracking” function that defines how the packet is handled when it is matched with the signature.Security Setting Up Attacks and Filters An attack (Figure 9-3) is a building block of the Application Security profile. You cannot use filters from other attacks when you define a custom attack. or in other words. There are two types of match functions: • The “Immediate” type that makes decisions based on a single packet. page 9-25). for example. Note: For each custom attack you must define custom filters. An attack’s settings parameters define how the malicious packet is tracked and treated once its signature is recognized. This means that the classification mechanisms of all filters applied to the same attack are involved in the scanning process. the scanning process represents a logical AND relation between the filters involved. The “Threshold” or “Counter” functions. 
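To make the Immediate versus Threshold/Counter distinction and the Tracking Time, Threshold, Tracking Type and Action Mode parameters of Table 9-8 concrete, here is an added Python model (not CID code; the sliding-window counting, the per-key bookkeeping and the sample addresses are assumptions) that applies one attack's tracking function to a constructed packet stream:

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Tracking Type values from Table 9-8 ("Sampling" is not modelled here).
DROP_ALL = "Drop All"
SOURCE_COUNT = "Source Count"
TARGET_COUNT = "Target Count"
SOURCE_TARGET_COUNT = "Source & Target Count"


@dataclass(frozen=True)
class AttackConfig:
    attack_name: str
    tracking_type: str
    tracking_time_ms: int = 1000   # Table 9-8 default
    threshold: int = 10            # Table 9-8 default
    action_mode: str = "Drop"      # Table 9-8 default


@dataclass(frozen=True)
class Packet:
    ts_ms: int              # arrival time in milliseconds
    src_ip: str
    dst_ip: str
    signature_match: bool   # result of the attack's filters (their logical AND)


class DoSShieldTracker:
    """Applies one attack's tracking function to a stream of packets."""

    def __init__(self, cfg: AttackConfig) -> None:
        if cfg.tracking_type not in (DROP_ALL, SOURCE_COUNT, TARGET_COUNT, SOURCE_TARGET_COUNT):
            raise ValueError(f"unsupported tracking type: {cfg.tracking_type}")
        self.cfg = cfg
        # Per tracking key: arrival times of matching packets inside the current Tracking Time.
        self._windows: Dict[Tuple[str, ...], Deque[int]] = defaultdict(deque)

    def _key(self, pkt: Packet) -> Tuple[str, ...]:
        if self.cfg.tracking_type == SOURCE_COUNT:
            return (pkt.src_ip,)
        if self.cfg.tracking_type == TARGET_COUNT:
            return (pkt.dst_ip,)
        return (pkt.src_ip, pkt.dst_ip)   # Source & Target Count

    def decide(self, pkt: Packet) -> str:
        """Return "Forward", or the attack's Action Mode when the packet is treated as an attack."""
        if not pkt.signature_match:
            return "Forward"
        if self.cfg.tracking_type == DROP_ALL:
            return self.cfg.action_mode   # Immediate type: one matching packet is enough
        window = self._windows[self._key(pkt)]
        # Slide the window: forget matches older than one Tracking Time.
        while window and pkt.ts_ms - window[0] >= self.cfg.tracking_time_ms:
            window.popleft()
        window.append(pkt.ts_ms)
        # Up to Threshold matches per Tracking Time are legitimate; the excess is treated.
        return self.cfg.action_mode if len(window) > self.cfg.threshold else "Forward"


def run(cfg: AttackConfig, packets: List[Packet]) -> List[str]:
    """Decide every packet in order and return the verdicts."""
    tracker = DoSShieldTracker(cfg)
    return [tracker.decide(p) for p in packets]


# Constructed sample traffic: five matching packets from one source inside one second,
# a matching and a non-matching packet from a second source, then the first source again
# after most of its earlier packets have aged out of the window.
SAMPLE = [
    Packet(0, "198.51.100.7", "192.0.2.10", True),
    Packet(100, "198.51.100.7", "192.0.2.10", True),
    Packet(200, "198.51.100.7", "192.0.2.10", True),
    Packet(300, "198.51.100.7", "192.0.2.10", True),
    Packet(400, "198.51.100.7", "192.0.2.10", True),
    Packet(450, "198.51.100.9", "192.0.2.10", True),
    Packet(500, "198.51.100.9", "192.0.2.10", False),
    Packet(1300, "198.51.100.7", "192.0.2.10", True),
]

if __name__ == "__main__":
    cfg = AttackConfig("sample flood", SOURCE_COUNT, tracking_time_ms=1000, threshold=3)
    for pkt, verdict in zip(SAMPLE, run(cfg, SAMPLE)):
        print(f"t={pkt.ts_ms:5d} ms {pkt.src_ip} -> {pkt.dst_ip}: {verdict}")
```

Switching the same stream between Source Count and Target Count shows why the choice matters: the second source's packet is legitimate per source but adds to the count per destination.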
Each attack contains one or more protection filters and a mechanism that determines which packets are malicious and how CID treats those packets. Filters are detectors that scan and classify the predefined traffic. When more than one filter is used, the traffic is checked for all the signatures defined in the attack's filters. The signature's match to the packet is considered an indicator for the attack, and the main purpose of the tracking functions is to determine whether the packet is harmful and to apply an appropriate action. A threshold is used because the packet may be legitimate unless the number of packets over a period of time exceeds a threshold that defines "reasonable" behavior for such traffic.

Table 9-10 presents the attack's configuration parameters.

Table 9-9 Attack Configuration Parameters

Attack Name
    A user-defined name for this attack, maximum 30 characters.

Tracking Time
    Sets the amount of time (in milliseconds) in which the Threshold is measured. The attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period. Default value: 1000.

Threshold
    Sets the maximum number of attack packets that are allowed in each Tracking Time unit. When a number of packets that is greater than the Threshold value passes through the device during this defined time period, the device recognizes it as an attack. Default value: 10.

Tracking Type
    Defines how the device decides which traffic to block or drop. Values can be:
    • Drop All: Once the first packet is identified as harmful, the packet is dropped. Select this option when each packet of the defined attack is harmful. For example: Code Red and Nimda attacks.
    • Source Count: Sessions are counted per source IP. Select this option when the defined attack is destination-based and is not characterized by a single packet but rather by repeated packets.
    • Target Count: Sessions are counted per destination IP. Select this option when the defined attack is destination-based and is not characterized by a single packet but rather by repeated packets.
    • Source & Target Count: Sessions are counted per source IP and destination IP combination. Select this option when the defined attack is destination-based and is not characterized by a single packet but rather by repeated packets.
    • Sampling: A DoS Shield attack, when under an attack of this type.
    Default: Drop All.

Action Mode
    When an attack is detected, one of the following actions can be taken:
    • Report Only: The packet is forwarded to the defined destination.
    • Drop: The packet is discarded.
    • Reset Source: Sends a TCP-Reset packet to the packet Source IP.
    • Reset Destination: Sends a TCP-Reset packet to the destination address.
    • Reset Bi-directional: Sends a TCP-Reset packet to both the packet source IP and the packet destination IP.
    Default: Drop.

Risk
    The severity of the damage that the attack can cause to your system:
    • High
    • Medium
    • Low
    • Info: An IPS attack for which the Risk parameter is set to Info is in fact an IDS signature.
    Default value: Medium.

Direction
    This parameter sets the attack's inspection direction. Inspection can be of incoming traffic, outgoing traffic, or both.

Drop Threshold (Kbps)
    The number of packets matching the attack that can be forwarded in each second when the attack is Active. A value of Drop All (or 0) means that all packets must be blocked. Any value other than Drop All is used for attacks that match a pattern of legitimate traffic, for example, UDP Flood attacks.

Suspend Action
    This parameter sets the action to take in response to an attack:
    • None: Suspend action is disabled for this attack.
    • SrcIP: All traffic from the IP address identified as the source of the attack will be suspended.
    • SrcIP, DestIP: Traffic from the IP address identified as the source of the attack to the destination IP under attack will be suspended.
    • SrcIP, DestPort: Traffic from the IP address identified as the source of the attack to the application (destination port) under attack will be suspended.
    • SrcIP, DestIP, DestPort: Traffic from the IP address identified as the source of the attack to the destination IP and port under attack will be suspended.
    • SrcIP, SrcPort, DestIP, DestPort: Traffic from the IP address and port identified as the source of the attack to the destination IP and port under attack will be suspended.

Termination Threshold (Kbps)
    If, for the duration of the Attack Aging Period, this threshold is not exceeded, a notification message is sent indicating that the attack may be over. Typically, this threshold is higher than the Termination Alert Threshold and lower than the Activation Threshold. You can also select "Do Not Alert" (or 0).

State
    Select Enable to activate the policy. Default: Enable.

Filters
    A list of user-defined filters (see page 9-81).

To create a new attack:

1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the DoS/DDoS column. The Settings pane appears.
3. In the Settings pane, select DoS Shield Profiles.
4. In the Settings pane, click Custom Attack. The Attack Configuration window appears.
5. In the Attack Name text box, enter the name of the new attack.
6. Set the attack parameters, as explained in Table 9-10 on page 9-96.
7. In the Attack Configuration window, click Add New. The Filter Configuration window appears.
8. In the Filter Name text box, type the name of the filter.
9. In the Filter Description text box, type the description of the filter.
10. In the Protocol parameters pane, define the protocol parameters, as explained in Table 9-5 on page 56.
11. In the OMPC parameters pane, define the OMPC parameters, as explained in Table 9-6 on page 58.
12. In the Content parameters pane, define the content parameters, as explained in Table 9-7 on page 59.
13. Click Ok. The Attack Configuration window closes, and the new attack now appears in the Custom Group window.

Filter Parameters

The parameters of each filter are divided into the following categories:
• Description Parameters
• Protocol Definition Parameters
• OMPC (Bit pattern) Definition Parameters
• Content Definition Parameters

Description Parameters
Description parameters (Table 9-4) are the user-defined descriptions of the custom attack.

Protocol Definition Parameters
Protocol definition parameters (Table 9-5) define the transmission protocol.

OMPC (Bit pattern) Definition Parameters
Offset Mask Pattern Condition (OMPC) parameters are a set of attack parameters that define a rule for pattern lookups that uses fixed offset masking. The OMPC rule looks for a fixed size pattern of up to four bytes. This is useful only for attack recognition where the attack signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset. The OMPC parameters are described in Table 9-6.

Content Definition Parameters
The Content parameters (Table 9-7) define the rule for a text/content string lookup. This rule is intended for attack recognition where the attack signature is a text/content string within the packet payload.

To define a new application port group:

1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the DoS/DDoS column. The Settings pane appears.
3. In the Settings pane, click Custom Attack. The Attack Configuration window appears.
4. In the Attack Configuration window, click Add New. The Filter Configuration window appears.
5. In the Filter Configuration window, click App. Port Group. The Application Port Groups window appears.
6. In the Application Port Group window, click Modify. The Edit Application Port Groups window appears, with the Modify pane.
7. In the Modify pane, click Add. A new row appears in the Application Port Groups table.
8. In the Edit Application Port Groups window, set the following parameters according to the explanations provided:
   Name: A user-defined group name.
   From Port: The first port in the range.
   To Port: The last port in the range.
9. Click Ok.

Notes:
• To define a group with a single port, assign the same value to From Port and To Port.
• To associate a number of ranges with the same port group, use the same group name for all the ranges that you want to include in the group.

Custom Attack Groups

The custom attack group represents a logical OR relation between two or more attacks.

Figure 9-8 Attack Group Configuration Window

Radware provides you with a set of predefined custom attack groups as part of the Signatures file. The right panel of the Attack Group Configuration window (Figure 9-8) contains a list of all existing groups. The predefined attack groups are divided according to types of protection. For example, all attack signatures designed to harm IIS web servers are grouped under the IIS Attack Group. The attacks that affect performance or are probable to false positive are gathered in the unassigned group and can be activated either by adding an attack to an existing group or to a user-defined group. You can also add user-defined attack groups using predefined attacks or user-defined attacks.
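As an added example (not CID code; the packet layout, the OMPC condition names, the header offsets and the sample signatures are assumptions), the following Python shows how a filter's protocol, Application Port Group, OMPC and content rules combine, how an attack ANDs its filters as described under Setting Up Attacks and Filters, and how a custom attack group ORs its attacks:

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP = 6, 17

@dataclass(frozen=True)
class PortGroup:
    """Application Port Group: one name, one or more From Port..To Port ranges."""
    name: str
    ranges: Tuple[Tuple[int, int], ...]

    def contains(self, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in self.ranges)

@dataclass(frozen=True)
class OMPC:
    """Offset Mask Pattern Condition: masked compare of up to four bytes at a fixed
    offset, counted here from the start of the IP header (assumed reference point)."""
    offset: int
    mask: bytes
    pattern: bytes
    condition: str = "Equal"   # assumed condition names: "Equal" or "Not Equal"

    def matches(self, raw: bytes) -> bool:
        n = len(self.pattern)
        if not 1 <= n <= 4 or len(self.mask) != n:
            raise ValueError("OMPC pattern and mask must be 1 to 4 bytes long")
        window = raw[self.offset:self.offset + n]
        if len(window) < n:   # packet too short to hold the field: no match
            return False
        equal = all((b & m) == (p & m) for b, p, m in zip(window, self.pattern, self.mask))
        return equal if self.condition == "Equal" else not equal

@dataclass(frozen=True)
class Packet:
    raw: bytes   # IPv4 packet starting at the IP header (no IP options assumed)

    @property
    def protocol(self) -> int:
        return self.raw[9]

    @property
    def dst_port(self) -> int:
        return struct.unpack_from("!H", self.raw, 22)[0]

    @property
    def payload(self) -> bytes:
        l4_len = (self.raw[32] >> 4) * 4 if self.protocol == IPPROTO_TCP else 8
        return self.raw[20 + l4_len:]

@dataclass
class Filter:
    """One signature: protocol, Application Port Group, OMPC rules and content string."""
    name: str
    protocol: Optional[int] = None
    port_group: Optional[PortGroup] = None
    ompc_rules: List[OMPC] = field(default_factory=list)
    content: Optional[bytes] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.port_group is not None and not self.port_group.contains(pkt.dst_port):
            return False
        if not all(rule.matches(pkt.raw) for rule in self.ompc_rules):
            return False
        return self.content is None or self.content in pkt.payload

def attack_matches(filters: List[Filter], pkt: Packet) -> bool:
    """An attack matches only when every one of its filters matches (logical AND)."""
    return bool(filters) and all(f.matches(pkt) for f in filters)

def group_matches(attacks: List[List[Filter]], pkt: Packet) -> bool:
    """A custom attack group matches when any of its attacks matches (logical OR)."""
    return any(attack_matches(filters, pkt) for filters in attacks)

def build_packet(proto: int, src_port: int, dst_port: int, tcp_flags: int, payload: bytes) -> Packet:
    """Constructed IPv4 + TCP/UDP packet (no options, zero checksums) for offline tests."""
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 0x50, tcp_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0x1234, 0x4000,
                     64, proto, 0, bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    return Packet(ip + l4 + payload)

# Constructed definitions: a web port group, an HTTP probe attack (two filters ANDed)
# and a DNS query attack, combined in one custom attack group (ORed).
WEB = PortGroup("web", ((80, 80), (8080, 8088)))
HTTP_PROBE = [
    Filter("tcp-established", IPPROTO_TCP, WEB, [OMPC(33, b"\x12", b"\x10")]),  # ACK set, SYN clear
    Filter("probe-uri", IPPROTO_TCP, WEB, content=b"/probe.cgi?"),             # constructed marker
]
DNS_QUERY = [Filter("udp-dns", IPPROTO_UDP, PortGroup("dns", ((53, 53),)), [OMPC(30, b"\x80", b"\x00")])]
CUSTOM_GROUP = [HTTP_PROBE, DNS_QUERY]
```

A packet that carries the probe string on a SYN-only segment fails the first filter and therefore the whole attack, which is the AND relation at work; the same packet class on UDP/53 is caught by the second attack through the group's OR relation.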
Groups can be activated within a protection profile, except for the Unassigned group.

To add a new custom attack group:

1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the DoS/DDoS column. The Settings pane appears.
3. In the Settings pane, select DoS Shield Profiles.
4. In the Settings pane, click Custom Group. The Attack Configuration window appears.
5. In the Attack Name field, enter the new user-defined name for the attack group.
6. In the All DoS Attacks pane, select the attacks you want to include in the group and move them to the Selected Attacks pane by clicking the Add button.
7. Click Ok to return to the Connect & Protect Table window. Your preferences are recorded.

Creating a User-Defined Application Security Profile

You can either select from the Radware predefined Application Security profiles or create your own custom profiles.

To create a user-defined application security profile:

1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the DoS/DDoS column. The Settings pane appears.
3. In the Settings pane, click New Profile. The New DoS Profile window appears.
4. In the New DoS Profile window, enter a name for your new profile and click Ok. The new profile appears in the DoS Prevention Profiles pane of the Connect & Protect Table window.
5. From the All DoS Attacks list, select the attack group(s) that you want to add to the new profile and click Add. The selected group appears in the DoS Prevention Profiles pane.
6. In the Connect and Protect Table window, select the policy to which you want to apply the new DoS profile and click Apply. The name of the new profile appears in the selected cell.

Editing Attacks

To edit an attack:

1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the DoS/DDoS column. The Settings pane appears.
3. From the All DoS Attacks list, select the attack group that you want to edit and click Edit Attack. The Attack Configuration window appears.
4. Edit the parameters of the group (see Custom Attack Groups, page 9-64).
5. Click Ok.

Section 9-5 Behavioral DoS

Section 9-5, Behavioral DoS, presents the B-DoS (Behavioral DoS) module, which is designed to detect and prevent network flood attacks.

• Introduction to Behavioral DoS, page 9-107
• Behavioral DoS Global Parameters, page 9-109
• Behavioral DoS Advanced Settings, page 9-112
• Bypass Footprints, page 9-115

Introduction to Behavioral DoS

The Behavioral DoS (B-DoS) module is designed to provide traffic anomaly detection and on-the-fly signature creation for immediate DoS attack protection. The B-DoS module detects and prevents network attacks from the public network by detecting traffic anomalies, and prevents unknown flood attacks by identifying the footprint of the anomalous traffic.

Network Flood protection types include:
• SYN Flood
• TCP Flood
• UDP Flood
• ICMP Flood
• IGMP Flood

The Behavioral DoS Module

The B-DoS module learns the network traffic baselines for each protocol type (i.e., TCP, UDP, ICMP and IGMP). The Behavioral DoS module detects statistical traffic anomalies and creates an accurate attack footprint (signature), which is based on heuristic protocol information analysis. The next step is identifying the attack footprint. The B-DoS module then configures a filter to protect the network according to the policy settings, and activates the feedback module in order to optimize the signature and reduce false positives. The feedback mechanism is also responsible for removing the attack signature.
The B-DoS module is designed to protect against Network Flood Attacks, which cause a great deal of irrelevant traffic to fill available network bandwidth, denying use of network resources to legitimate users. Having learned the baselines, the module detects the attack by alerting on traffic anomalies compared to the learned baselines. The attack footprint is then translated into an attack signature. This ensures very accurate attack filtering with very low false positives. In the case the attack is over, the signature is removed again.

The SYN flood protection provided by the B-DoS module is non-intrusive and detects attacks on the fly, resulting in cleaning the links from excessive traffic efficiently.

Notes:
• Note that the B-DoS module is based on anomalous traffic detection and signature creation on the fly. Flood attacks usually take place for minutes or hours. The average time for a new signature creation may vary between 10 and 30 seconds.
• For more information about the B-DoS module underlying technology, please click on the following link: http://www.radware.com/content/document.asp?_v=about&document=6560

Behavioral DoS Global Parameters

Each row in the Connect & Protect Table represents a policy. A B-DoS security policy contains security profiles that are activated within predefined ranges of ports/VLANs, or within a predefined network. The Connect and Protect Table is divided into sections, including the section for B-DoS.

Behavioral DoS Global Configuration Guidelines:

1. Defining Bandwidth Settings, page 9-109
2. Behavioral DoS Profiles Policies, page 9-110

Note: Behavioral DoS also includes advanced user settings; however, these settings are recommended for expert users only. Radware recommends that you maintain the Advanced parameters with their default values.

Enable Behavioral DoS

In order to start protection, B-DoS must first be enabled. B-DoS can be enabled globally or per profile.

To enable Behavioral DoS:

1. In the main window, click APSolute OS > Security. The Connect and Protect Table appears.
2. In the Connect and Protect Table, double-click on Settings. The Security Settings window appears.
3. In the Behavioral DoS field, select the Start Protection checkbox.
4. Restart the device. Behavioral DoS is now enabled.

Defining Bandwidth Settings

In order to create a B-DoS security policy you must first define the Bandwidth settings for Behavioral DoS inbound and outbound traffic.

To define Bandwidth Settings:

1. In the main window, click APSolute OS > Security. The Connect and Protect Table appears.
2. Click inside the Behavioral DoS column.
3. Select a profile and click Behavioral DoS Settings. The Behavioral DoS Settings window appears.
4. Set the following parameters according to the explanations provided:
   Bandwidth Settings:
   • In: Available bandwidth for inbound traffic. The value should be the lower of the bandwidth of the circuit or the assigned inbound bandwidth from your Internet Service Provider. Default value: 50,000 Kbit/s
   • Out: Available bandwidth for outbound traffic. The value should be the lower of the bandwidth of the circuit or the assigned outbound bandwidth from your Internet Service Provider. Default value: 50,000 Kbit/s
5. Click Apply > Ok.

Behavioral DoS Profiles Policies

A Behavioral DoS security policy contains security profiles that are activated within predefined ranges of ports/VLANs, or within a predefined network. First, you create a security policy and then you can assign protection profiles to the policy.

To create a basic Behavioral DoS Policy:

1. Define the Bandwidth Settings (page 9-109).
2. Create a new profile:
   a. In the main window, select APSolute OS > Security. The Connect and Protect Table appears.
   b. Click anywhere in the Behavioral DoS column. The Behavioral DoS Profiles Settings pane appears.
   c. Click New Profile. The New Behavioral DoS Profile window appears. In the New Behavioral DoS window, enter the profile name and click Ok.
   d. In the Behavioral DoS profiles, select Behavioral DoS from the All Behavioral DoS Attacks tree and click the Add mover arrow. The Behavioral DoS attack is added to your profile.
3. In the Behavioral DoS profiles, select Behavioral DoS and then click Edit. The Edit Behavioral DoS Profile window appears, which includes the following checkboxes:
   • TCP
   • TCP SYN
   • UDP
   • ICMP
   • IGMP
4. Select the type of attacks to protect against for this policy and click Ok.
   Note: Radware recommends that you include all attacks in your policy.
5. Click Ok.
6. Click Apply > Update Policies. The new policy now appears in the Connect and Protect Table.

Behavioral DoS Advanced Settings

The B-DoS Advanced Settings allow you to set the Learning Response Period upon which baselines are primarily weighed, enable the sampling status, and define the strictness level of the Footprint.

Note: The advanced user settings are recommended for expert users only. Radware recommends that you maintain the advanced parameters with their default values.

Advanced Behavioral DoS Settings Configuration Guidelines:

1. Define the Learning Response Period, page 9-112.
2. Set Quota Settings, page 9-113.
3. Set the Sample level, page 9-113.
4. Set the Footprint Strictness level, page 9-114.

Learning Response Period

Network Flood protection learns traffic parameters from the transport layer of incoming and outgoing packets and generates normative baselines for traffic. The Learning Period setting defines the period based upon which baselines are primarily weighed. When the baseline for the policy is reset, the baseline traffic statistics are cleared, default normal baselines are set, and then CID immediately initiates a new learning period. Generally, this is done when the characteristics of the protected network have changed entirely and bandwidth quotas need to be changed to accommodate the network changes.

To set the Learning Response Period and reset the Baseline:

1. In the Behavioral DoS settings pane, click Behavioral DoS Settings. The Behavioral DoS Settings window appears.
2. In the Behavioral DoS Settings window, select either Day, Week or Month from the dropdown list.
3. Click Reset Baseline Learned Statistics.
4. Click Apply > Ok.

Quota Settings

The B-DoS quota limits are the percentage of total inbound and outbound bandwidth that a specific protocol is permitted to use.

Note: It is recommended to use default quotas initially and adjust quota values based on experience with your network's performance.

To define the Quota Settings:

1. In the Behavioral DoS Settings pane, click Behavioral DoS Settings. The Behavioral DoS Settings window appears.
2. In the Behavioral DoS Settings window, set the incoming and outgoing values for each protocol.
3. Click Apply > Ok.

Sampling Status

The Sampling status allows you to aggregate Traffic Statistics in order to improve performance levels. When down sampling is enabled, the system screens only part of the traffic. The down sampling mechanism dynamically selects the most appropriate portion of traffic that needs to be examined in order to preserve the system's resources while maintaining minimal sampling error. High sampling errors increase the chances for false positive detections.

To set the Sampling Status:

1. In the Behavioral DoS Settings pane, click Behavioral DoS Settings. The Behavioral DoS Settings window appears.
2. In the Behavioral DoS Settings window, from the Samplings dropdown list, select one of the following:
   Enabled: Traffic statistics are aggregated through a sampling algorithm, which improves the overall performance of the CID protection system.
   Disabled: Traffic statistics are aggregated without sampling.
   Note: The risk of false positives is increased when the decision engine is tuned according to the sampling error.
3. Click Apply and Ok.

Footprint Strictness Level

Using the footprint strictness level, when a new attack is detected the B-DoS module generates an attack signature to block the traffic anomaly created by the attack.

To set Footprint Strictness Levels:

1. In the Behavioral DoS Settings pane, click Behavioral DoS Settings. The Behavioral DoS Settings window appears.
2. In the Behavioral DoS Settings window, click on the Footprint Strictness Level dropdown box and define the strictness level:
   High: By setting the strictness to High, the false-positive ratio is reduced to a minimum; however, there may be a higher chance that attacks will not be blocked.
   Medium: Default level.
   Low: By setting the strictness to Low, the device will perform best attack blocking; however, the false positive ratio is increased.
3. Click Apply and Ok.

Bypass Footprints

Flood attacks commonly disrupt networks by using all or most available network bandwidth. You can configure CID to detect and block network flood attacks by defining attack footprints. Attack Footprints are selected fields in the packet header or payload. CID automatically detects the footprints and generates filters to protect against the attack.

To set Bypass Footprints:

1. In the Behavioral DoS Settings pane, select the attack from the All Behavioral DoS Attacks column.
2. Click Edit. The Edit (Attack Type) Flood Attack window appears.
3. In the Edit Flood Attack window, select the bypass type and click Edit. The Edit Field Parameters window appears. For an explanation of the bypass types and values for each attack group, see Footprint Bypass Fields, page 9-117.
4. Define the field parameters; these values vary according to the footprint selected (see Table 9-10: Footprint Bypass Values).
5. Click Ok > Apply.

Table 9-10 Footprint Bypass Values

Status
    Accept: Allows footprint types.
4. In the Edit Field Parameters window, set the remaining parameters according to the explanations provided:
   Bypass Type: The footprint type being bypassed. With a type bypass, the B-DoS module bypasses all possible values of the selected footprint type when creating filters, which prevents traffic from being blocked based on the value of the bypassed footprint. With a value bypass, the B-DoS module bypasses only the selected values of the footprint, while all other values may still be blocked.
   Value: Enter the value for the bypass type. The valid values vary according to the footprint selected; see Table 9-10, Footprint Bypass Values, page 9-117.
5. Click Ok > Apply.

Footprint Bypass Fields

Table 9-10 presents the footprint bypass types and values for each attack group (+ = applicable to the attack group, NR = not relevant).

Table 9-10 Footprint Bypass Values
Footprint Type           | ICMP | IGMP | UDP | TCP | Range                       | Default Bypass Values
Transport layer checksum | +    | +    | +   | +   | Values cannot be configured | No values
TCP Sequence Number      | NR   | NR   | NR  | +   | 0 - (2^32-1)                | No values
IP ID Number             | +    | +    | +   | +   | 0 - (2^16-1)                | No values
DNS ID                   | NR   | NR   | +   | NR  | 0 - (2^16-1)                | No values
DNS Qname checksum       | NR   | NR   | +   | NR  | Values cannot be configured | No values
DNS Qcount               | NR   | NR   | +   | NR  | 0 - (2^16-1)                | 1
Source Port              | NR   | NR   | +   | +   | 0 - (2^16-1)                | No values
Source IP                | +    | +    | +   | +   | 0.0.0.0 - 255.255.255.255   | No values
ToS                      | +    | +    | +   | +   | 1 - 255                     | No values
Packet Size              | +    | +    | +   | +   | 0 - (2^16-1)                | ICMP: 74 (60 L3); TCP SYN: 48, 52, 60, 62, 66, 74 (46, 60 L3); TCP ACK: 60 (46 L3); TCP ACK + FIN: 60 (46 L3); TCP RST: 60 (46 L3)
Fragment                 | +    | +    | +   | +   | Values cannot be configured | No values
Destination Port         | NR   | NR   | +   | +   | 0 - (2^16-1)                | No values
Destination IP           | +    | +    | +   | +   | 0.0.0.0 - 255.255.255.255   | No values
ICMP/IGMP Message Type   | +    | +    | NR  | NR  | 0 - 255                     | No values
TTL                      | +    | +    | +   | +   | 0 - 255                     | No values

Section 9-6 Connection Limit

The DoS Shield module provides protection against known DoS attacks. To protect against unknown flooding attacks, CID implements the connection limit capability. This capability mitigates any kind of TCP or UDP flood attack, whether it is a half-open attack (SYN attack), a connection attack or a request attack.

To implement this functionality, the device allows the configuration of connection limiting policies, profiles and attacks. Connection limiting attacks are defined for groups of TCP or UDP application ports. For traffic that matches a connection limiting policy, the device counts the number of TCP sessions or UDP connections opened per client, per server, or per client and server combination (according to the attack definition). Once the number of sessions/connections per second reaches the threshold set for an attack belonging to this policy, it is identified as an attack and any session/connection over the threshold is dropped (unless the action for this attack is Report Only). In addition, the source IP address can be suspended, in which case traffic from this source is dropped for a number of seconds according to the Suspend Table definitions.

Creating Connection Limiting Policies

To create a new connection limiting policy using a predefined attack:
1. From the main window, select APSolute OS > Security. The Connect and Protect Table appears.
2. In the Connect and Protect Table, double-click anywhere in the DoS/DDoS column. The DoS/DDoS Settings pane appears.
3. In the DoS/DDoS Settings pane, select Connection Limit Profiles. The Connection Limit Profiles pane appears.
4. In the Connection Limit Profiles pane, click New Profile and enter a user-defined name for your new profile.
5. Select an attack from the All Connection Limiting Attacks tree and click Add. The attack is now added to the profile.
6. Click Apply > Update Policies.

To create a user-defined custom attack:
1. From the main window, select APSolute OS > Security. The Connect and Protect Table appears.
2. In the Connect and Protect Table, double-click anywhere in the DoS/DDoS column. The DoS/DDoS Settings pane appears.
3. In the DoS/DDoS Settings pane, select Connection Limiting Profiles. The Connection Limiting Profiles pane appears.
4. In the Connection Limiting Profiles pane, click Custom Attack. The Connection Limiting Attack Configuration window appears, which contains the following parameters:
   Attack Name: A user-defined name for easy identification of the attack in configuration and reporting.
   Protocol: The Layer 4 protocol of the application to protect: TCP or UDP.
   Application Port: A group of Layer 4 ports that represents the application to protect.
   Risk: The risk level for this attack.
   Packet Report: Enables or disables packet reporting for this attack.
   Suspend Action: Whether the source IP addresses identified as the source of the flooding attack are suspended. The options are:
   • None: No suspend action is taken.
   • SrcIP: All traffic from the source IP identified as the source of this attack is suspended (available if the Tracking Type is Source Count or Source & Target Count).
   • SrcIP-DstIP: All traffic between the source and destination IP combination for which the attack was identified is suspended (available if the Tracking Type is Source & Target Count only).
   Note: When the Tracking Type is Target Count, the Suspend Action can only be None.
5. Set the parameters according to the explanations provided and click Ok. The new user-defined custom attack appears in the All Connection Limiting Attacks tree and can now be added to a profile.

Connection Limit Reporting

The following reports are generated for connection limit attacks:
• When the activation threshold of a connection limit attack is reached (the number of sessions per second is higher than the threshold), an alert with status = started is sent.
• Alerts with status = on-going are sent periodically while the attack is on.
• When the attack stops (the number of sessions per second goes under the threshold), an alert with status = terminated is sent.

Section 9-7 SYN Flood Protection

Section 9-7, SYN Flood Protection, describes how the SYN Flood Protection mechanism works and how to configure it. This section includes the following topics:
• Introduction to SYN Flood Protection, page 9-124
• Before Setting Up SYN Flood Protection, page 9-129
• SYN Flood Protection General Settings, page 9-130
• Creating Custom SYN Attacks, page 9-134
• Configuring SYN Flood Protection Policies, page 9-136
• SYN Flood Reporting, page 9-140

Introduction to SYN Flood Protection

SYN Flood Protection is a service intended to protect the hosts located behind the device, and the device itself, from SYN flood attacks by performing delayed binding. A SYN Flood attack is a DoS attack in which the attacker sends a huge number of please-start-a-connection (SYN) packets and then sends no follow-up packets, that is, it never completes the TCP three-way handshake. Another type of SYN Flood attack completes the TCP three-way handshake but sends no data packets thereafter. Radware provides protection against both types of SYN Flood attack. The attacks are detected and blocked by means of SYN Flood Protection Policies, and reports about current attacks appear in the Active Triggers table.

How Delayed Binding Works

Delayed Binding is a process in which the device alters fields of the TCP stream, such as the sequence number and the source address, between the session with the client and the session with the destination server. The core of delayed binding is the ability to handle the two sessions and pass information between them: the subsequent session towards the server fetches the information that was requested in the original client session, and only when that information is gathered is it returned to the client via the original session. Figure 9-9 illustrates the delayed binding process.

Figure 9-9 Delayed Binding Process (Client / CID / Server: 1 SYN, 2 SYN-ACK, 3 ACK, 4 HTTP-GET from the client to CID; CID creates a new client entry and then repeats SYN, SYN-ACK, ACK and HTTP-GET towards the server)

The delayed binding process includes the following steps:
1. A client initiates a request by sending a SYN packet. The SYN packet includes the destination port number and a TCP sequence number, which represents the connection with the first segment from the client's side.
2. The device creates a special initial TCP sequence number and sends a SYN-ACK packet back to the client.
3. The client sends an ACK packet to the device. Once the TCP handshake is completed, the client sends a data packet, in this example an HTTP-GET.
4. The device then makes a load-balancing decision, selects the destination server and initiates the three-way TCP handshake with it. The device has to alter information such as the sequence number and the source address from one session to the other.

SYN Cookies

Once a SYN Flood attack is identified, the device activates a protection mechanism known as SYN Cookies. The initial sequence number in the SYN-ACK packet sent to the client is created in such a manner that it encodes a timestamp and the relevant SYN packet data. When a client responds with an ACK packet, the device uses the SYN Cookie to verify that the response is legitimate; if it is, the device creates a new client entry. If required, when the GET request arrives with the SYN Cookie, the device sends a SYN-ACK packet with an embedded Cookie in order to prompt the client to continue the session.

The benefit of SYN Cookies over "usual" delayed binding is that no memory resources on the device (for example, Session Table entries) are allocated for a session before its three-way handshake is complete. This assures that device memory is not exhausted by the SYN attack. SYN Cookies can be used for any TCP port or application, whereas "usual" delayed binding is typically used for HTTP sessions.

SYN-ACK Reflection Attacks Prevention

When a device is under SYN attack, two problems may arise:
• Third parties can use the SYN-ACK replies to launch attacks on selected sites by spoofing the selected site's address as the source IP address of the attack.
• The SYN-ACK packets create a storm of reflected traffic that consumes bandwidth and may block legitimate traffic.

SYN-ACK Reflection Attacks Prevention is intended to prevent the reflection of SYN attacks and to reduce the SYN-ACK packet storms that are created in response to DoS attacks. It responds to the DoS SYN reflection attack by limiting the number of SYN-ACK packets sent to a specific IP address. The mechanism works in the following way:
1. The threshold represents the number of incomplete TCP sessions per source IP address. It is calculated, for each source IP address, by comparing the total number of SYN packets that arrived at the device with the number of completed TCP sessions.
2. The threshold is user-defined (recommended values are preconfigured as defaults; see Table 9-11). The time interval for this threshold is one second.
3. The limiting action is applied when the number of SYN-ACK packets exceeds the defined threshold.
4. Once the limiting action is applied, the device ignores any additional SYN packets arriving from the specific IP address that is the source of the attack.
5. The limitation of SYN-ACK packets does not affect the SYN attack detection (start/stop) mechanism.

Note: Device behavior in the case of a Distributed SYN attack remains unchanged.
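The following is an added example, not part of the CID User Guide and not Radware's implementation: a minimal SYN-cookie delayed-binding engine that combines the two mechanisms described above, stateless verification of the client's ACK and a per-source limit on answered SYNs. The cookie layout (8 bits of one-second timestamp, 24 bits of keyed MAC over the 4-tuple, the client's ISN and the timestamp), the per-device secret and the limiter bucket are this example's own assumptions; the 5-second handshake timeout and the limit of 5 answered SYNs per source per second are chosen to mirror the defaults quoted in Table 9-11. All traffic in demo() is constructed.

```python
"""SYN cookies with a per-source SYN-ACK limiter (illustrative, not Radware code)."""
import hashlib
import hmac
import secrets
from collections import defaultdict

SECRET = secrets.token_bytes(32)       # per-device cookie secret (assumed)
HANDSHAKE_TIMEOUT = 5                  # seconds allowed to complete the 3-way handshake
MAX_SYN_COOKIES_PER_SOURCE = 5         # answered SYNs per source IP per second


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, tick):
    """24-bit keyed MAC binding the cookie to the connection, the client ISN and the tick."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Build the device's initial sequence number for the SYN-ACK (8-bit tick | 24-bit MAC)."""
    tick = int(now) & 0xFF
    return (tick << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, tick)


def check_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Verify the ACK of a cookie handshake without any per-connection state.

    seq is the client's sequence number on the ACK (client ISN + 1) and ack is the
    acknowledgment number (our cookie + 1); both are recovered from the packet.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    tick = cookie >> 24
    age = (int(now) - tick) & 0xFF            # seconds since the cookie was issued, mod 256
    if age > HANDSHAKE_TIMEOUT:
        return False                          # stale cookie: handshake timeout exceeded
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, tick)
    return hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big"))


class SynProxy:
    """Delayed binding with SYN cookies plus SYN-ACK reflection limiting."""

    def __init__(self):
        self.sessions = {}                    # session table: only verified clients land here
        self._answered = defaultdict(int)     # (src_ip, second) -> SYN-ACKs already sent

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_isn, now):
        """Return the SYN-ACK sequence number to send, or None if the source is limited."""
        bucket = (src_ip, int(now))
        if self._answered[bucket] >= MAX_SYN_COOKIES_PER_SOURCE:
            return None                       # reflection limiter: ignore further SYNs
        self._answered[bucket] += 1
        return make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, seq, ack, now):
        """Allocate a session entry only once the cookie verifies."""
        if not check_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
            return False
        self.sessions[(src_ip, src_port, dst_ip, dst_port)] = {"client_seq": seq, "since": now}
        return True


def demo():
    """Constructed traffic: one legitimate client, a stale ACK, a forged ACK, then a flood."""
    proxy = SynProxy()
    client = ("203.0.113.7", 40000, "198.51.100.10", 80)
    isn = proxy.on_syn(*client, client_isn=1000, now=100.0)
    ok = proxy.on_ack(*client, seq=1001, ack=(isn + 1) & 0xFFFFFFFF, now=101.5)
    stale = proxy.on_ack(*client, seq=1001, ack=(isn + 1) & 0xFFFFFFFF, now=107.0)
    forged = proxy.on_ack("203.0.113.7", 40001, "198.51.100.10", 80,
                          seq=1, ack=0x12345678, now=101.5)
    # 50 spoofed SYNs from one source within one second: only 5 are answered and
    # none of them consumes a session-table entry.
    answered = sum(
        proxy.on_syn("192.0.2.99", 50000 + i, "198.51.100.10", 80, client_isn=i, now=200.0)
        is not None for i in range(50))
    return ok, stale, forged, answered, len(proxy.sessions)
```

Because the cookie is recomputed from the ACK itself, the device keeps no state between SYN and ACK; the session table grows only for clients that prove they received the SYN-ACK, which is exactly the memory property described above. A real device would also have to fold the negotiated MSS and other options into the cookie and rotate the secret.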
SYN Flood Protection Configuration Guidelines:
1. Enable the Session Table (see page 9-129).
2. Set the Session Table Lookup mode to Layer 4 (see page 9-129).
3. Enable SYN Flood Protection and set the SYN Flood General parameters (see page 9-130).
4. View the SYN Flood Order (see page 9-132).
5. Create a new custom SYN Attack Profile (see page 9-134).

Before Setting Up SYN Flood Protection

Before activating the SYN Flood Protection module, you need to configure the Session Table to operate at Layer 4, as SYN attack detection can take effect only when the device operates at Layer 4.

Note: When using the SYN Flood Protection Filters (that are part of the Security module), you must set the inbound and outbound traffic to operate in the Process mode.

To enable Layer 4:
1. From the main APSolute Insite window, right-click the CID icon and select SetUp. The SetUp window appears.
2. In the SetUp window, click Global. The Global pane appears.
3. In the Global pane, select Session Table Settings and click Edit Settings. The Session Table Settings window appears.
4. In the Session Table Settings window, enter the following values:
   Session Table Status: Enabled
   Session Table Lookup Mode: Full Layer 4
5. Click Ok to exit all windows.

SYN Flood Protection General Settings

Once you have configured the Session Table to operate in Layer 4 mode, you can enable SYN Flood protection and configure its general parameters (Table 9-11).

Table 9-11 SYN Flood Protection General Parameters
Parameter | Description
SYN Flood Protection Status | Enables/disables SYN Flood protection. Standby means that you can activate the SYN Flood Protection module without rebooting the device. Default value: Enabled.
SYN Protection Timeout | Timeout to complete the TCP three-way handshake. Range: 0-10 (0 means no timeout). Default value: 5 seconds.
SYN Protection Tracking Time | The number of seconds during which the number of SYN packets directed to the same destination must stay below the Deactivation Threshold (see page 9-136) before protection of that destination stops. Range: 1-10. Default value: 5.
Attack Periodic Report Threshold | If the percentage of incomplete sessions for a destination protected by a policy is above this threshold, the attack is reported periodically. Range: 1-100%; a value of 0 means no periodic report is available. Default value: 30%.
SYN-ACK Reflection Protection Mode | Activates the SYN-ACK Reflection Attack Prevention mechanism in one of the following modes: Enable (the prevention mode), Disable (the mechanism is disabled), Report Only (reporting with no prevention). Default value: Disable.
SYN-ACK Reflection SrcIP Sampling per second | The number of SYN packets per second that are sampled and whose source IP is monitored. Any session exceeding this frequency is ignored. Range: 1-100,000. Default value: 1,000.
SYN-ACK Reflection Maximum SYN Cookies per Source | The limiting threshold: the maximum number of incomplete TCP sessions per source IP per second that are answered. Range: 0-10,000. Default value: 5.
Statistics Max Destinations per Policy | For each policy, the maximum number of destinations that can be reflected in the statistics report. The destinations are defined during the Connectivity setting of the Connect and Protect Table (see Defining Connectivity, page 9-19). Note: Only destinations defined using IP addresses and Layer 4 ports are relevant for SYN Flood protection policies. Range: 1-100. Default value: 100.
Statistics Time Period | The number of seconds used to calculate average values for the SYN protection statistics. Range: 1-1000. Default value: 60.
Displaying Statistics of Policy | A list of all the SYN Flood protection policies defined on the device.

To enable SYN Flood protection and configure the general parameters:
1. From the main APSolute Insite window, right-click the CID icon and select SetUp. The SetUp window appears.
2. In the SetUp window, click Global. The Global pane appears.
3. In the Global pane, select SYN Flood Protection Settings and click Edit Settings. The SYN Flood Protection Settings window appears.
4. Set the parameters as explained in Table 9-11 and click Apply and Ok.

Viewing SYN Flood Order

Clicking View SYN Order allows you to view the index order in which the device processes the SYN Flood profiles.

To view the SYN Flood order:
1. From the main APSolute Insite window, right-click the CID icon and select SetUp. The SetUp window appears.
2. In the SetUp window, click Global. The Global pane appears.
3. In the Global pane, select SYN Flood Protection Settings and click Edit Settings. The SYN Flood Protection Settings window appears.
4. In the SYN Flood Settings pane, click View SYN Order. The SYN Protection Policies window appears, as shown in Figure 9-10.

Figure 9-10 SYN Protection Policies

Creating Custom SYN Attacks

Radware provides you with a set of predefined SYN attacks. In addition, you can create user-defined attacks in the SYN Attack Configuration window (Figure 9-11).

Figure 9-11 SYN Attack Configuration Window

To create a custom SYN attack:
1. From the main APSolute Insite window, open the APSolute Insite menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the SYN Floods column. The Settings pane appears.
3. In the Settings pane, click Custom Attack. The SYN Attack Configuration window appears.
4. In the Application Name field, enter the name of the custom SYN attack.
5. In the Attack Description field, enter a description of the attack.
6. Click App. Port Group. The Application Port Group window appears, displaying the groups of Layer 4 ports for UDP and TCP traffic. Each group is identified by its unique name, and each group name can be associated with a number of entries in the Application Port Group table.
7. In the Application Port Group window, click Modify. The Modify pane appears.
8. In the Modify pane, click Add and set the following parameters according to the explanations provided:
   Name: A user-defined group name for the application port group.
   From Port: The first port in the range. The values can be 0-65535.
   To Port: The last port in the range. The values can be 0-65535.
   Notes:
   • To define a group with a single port, assign the same value to From Port and To Port.
   • To associate a number of ranges with the same group, use the same group name for all the ranges that you want to include in the group.
9. Click Ok. A new row appears in the Application Port Group table.
10. Click Ok. The Application Port Group window closes.
11. From the Destination App. Port Group drop-down list, select a group that was defined in the Application Port Groups table.
12. Click Ok. The SYN Attack Configuration window closes, and the new user-defined attack appears in the All Regular Filters pane of the Connect & Protect Table window.

Configuring SYN Flood Protection Policies

Once you have created a custom attack, you can create a new SYN policy. This is done by adding the attack to the list of Selected SYN Flood attacks and configuring the policy parameters.

To add a predefined SYN Attack to the Selected SYN Attacks:
1. From the main APSolute Insite window, open the APSolute Insite menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the SYN Floods column. The Settings pane appears.
3. From the All Regular Filters list, select the attack you wish to add.
4. Click Add. The selected attack appears in the Selected SYN Application Ports list, which contains the attacks that have been selected to participate in the policy. The SYN Policy Details window appears.
5. In the SYN Policy Details window, set the following parameters according to the explanations provided:
   Policy Index: The index number. This defines the order in which the device processes the SYN Attack Profiles.
   Verification Type: Defines when the TCP session is considered complete:
   • Ack: the session is completed when the ACK packet arrives (following a SYN/SYN-ACK packet exchange).
   • Request: the session is completed when the first data request packet arrives (following a SYN/SYN-ACK/ACK packet exchange).
   Protection Mode: Select one of:
   • Enabled: Activates full SYN Flood protection.
   • Triggered: Activates SYN Flood protection only when an attack is identified.
   • Disabled: SYN Flood protection is disabled.
   Note: When the Session Table is 80% full, triggered policies act as Enabled and reply to all new sessions with Cookies.
   Activation Threshold: The maximum number of SYN packets per second that are allowed to arrive at the same destination. If the number of SYN packets per second goes beyond the Activation Threshold, the traffic is recognized as an attack and the packets are terminated. Default value: 2500.
   Deactivation Threshold: The minimum number of SYN packets per second that can arrive at the same destination while protection stays active. If the number of packets per second arriving at the same destination is below the Deactivation Threshold for the SYN Protection Tracking Time, the SYN Flood protection policy is deactivated and the traffic is no longer protected. Default value: 1500.
   Count Statistics (checkbox): Enables or disables counting of the statistics for the destinations defined in this policy.
6. Click Ok.
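As an added illustration (this is not part of the CID User Guide and not Radware's code), the following models how the Protection Mode, Activation Threshold, Deactivation Threshold and SYN Protection Tracking Time described above interact for one destination: a Triggered policy starts answering with cookies once the SYN rate exceeds the activation threshold, keeps protecting until the rate has stayed below the deactivation threshold for the whole tracking time, and behaves as Enabled while the Session Table is 80% full. The status strings follow the Attack Status values of the SYN Statistics table. The per-second SYN counts in demo() are constructed; the "protected" bookkeeping and the method names are this example's own.

```python
"""Triggered SYN Flood policy state machine (illustrative, not Radware code)."""
from dataclasses import dataclass, field


@dataclass
class SynFloodPolicy:
    name: str
    mode: str = "Triggered"              # Enabled | Triggered | Disabled
    activation_threshold: int = 2500     # SYN/s above which the destination is under attack
    deactivation_threshold: int = 1500   # SYN/s below which protection may be released
    tracking_time: int = 5               # consecutive quiet seconds before release
    session_table_fill: float = 0.0      # fraction of the Session Table in use
    quiet_seconds: dict = field(default_factory=dict)  # protected dest -> quiet seconds so far

    def is_protected(self, dest):
        return dest in self.quiet_seconds

    def cookies_required(self, dest):
        """Whether new SYNs to dest are answered with SYN cookies right now."""
        if self.mode == "Disabled":
            return False
        if self.mode == "Enabled":
            return True
        # Triggered: only while an attack on this destination is active, or when the
        # Session Table is 80% full, in which case the policy acts as Enabled.
        return self.is_protected(dest) or self.session_table_fill >= 0.80

    def observe(self, dest, syns_last_sec):
        """Feed one second of SYN counts for dest; return its Attack Status."""
        if self.mode == "Disabled":
            return "Not Protected"
        if self.mode == "Enabled":
            return ("Protected (Under Attack)" if syns_last_sec > self.activation_threshold
                    else "Protected (No Attack)")
        if not self.is_protected(dest):
            if syns_last_sec > self.activation_threshold:
                self.quiet_seconds[dest] = 0          # attack identified: start protection
                return "Protected (Under Attack)"
            return "Monitoring (No Attack)"
        if syns_last_sec > self.activation_threshold:
            self.quiet_seconds[dest] = 0              # still flooding: restart the clock
            return "Protected (Under Attack)"
        if syns_last_sec < self.deactivation_threshold:
            self.quiet_seconds[dest] += 1
            if self.quiet_seconds[dest] >= self.tracking_time:
                del self.quiet_seconds[dest]          # quiet long enough: release protection
                return "Monitoring (No Attack)"
        else:
            self.quiet_seconds[dest] = 0              # between the thresholds: not quiet yet
        return "Protected (No Attack)"


def demo():
    """Constructed per-second SYN counts towards one destination under a Triggered policy."""
    policy = SynFloodPolicy(name="web-syn")
    dest = ("198.51.100.10", 80)
    counts = [500, 3000, 2800, 1000, 1000, 2000, 1000, 1000, 1000, 1000, 1000]
    statuses = [policy.observe(dest, c) for c in counts]
    return statuses, policy.is_protected(dest)
```

In the constructed trace the burst of 2000 SYN/s in the sixth second sits between the two thresholds, so it resets the quiet counter and protection is only released after five further seconds below 1500 SYN/s. This is why the deactivation threshold must be set well below the activation threshold: a value too close to it makes protection flap on bursty but legitimate traffic.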
A specific destination IP included in the policy. you can view SYN Statistics prior to configuring the thresholds. thus helping you to define reliable thresholds in custom policies. Protected (No Attack).SYN Flood Protection Viewing the SYN Statistics To make the process of defining policy thresholds easier. From the main APSolute Insite window. complete sessions. 2. open the APSolute Insite window and select Security. The current status of the attack. A specific RX port included in the policy. Possible values: Protected (Under Attack). The number of SYNs within the last second. 3. double-click inside the SYN Floods column. The SYN Floods Statistics window appears. Active Time (Secs): SYNs Last Sec: 9-138 CID User Guide . To view the statistics of SYN policies: 1. click SYN Floods Statistics. Not Protected. In the Settings pane. The Connect & Protect Table window appears. A specific destination port included in the policy. In the Connect & Protect Table window. Activity time of this entry in the table. Monitoring (No Attack). and other data. The Settings pane appears. set the following parameters according to the explanations provided: Policy Name: Dest IP: Dest Port: RX Port: Attack Status: The name of the policy which traffic data is collected and analyzed. In the SYN Floods Statistics window. 4. The SYN Statistics table provides information on the number of SYNs. The average number of SYNs per second. Valid Sess/Sec Peak: Attack Start: Attack Term: CID User Guide 9-139 . The average number of valid sessions per second. Last attack detection time and date.Chapter 9 . Last attack termination time and date. The highest value of valid sessions per second during the statistical analysis period. The highest value of SYNs per second during the statistical analysis period.Security Valid Sess Last Sec: SYNs/Sec Avg: Valid Sess/Sec Avg: SYNs/Sec Peak: The number of valid sessions within the last second. The number of seconds from the moment the attack was recognized. 
The number of ACKs that were recognized in the last second. The physical port on the device through which the attack enters. Table 9-12 Active Triggers Table Parameters Parameter Type Description The type of the identified attack: • SYN Flood Trigger: The identified attack belongs to one of the policies with the Protection mode of Trigger. • SYN Protection Total: Displays in each field the sum of all other attacks (triggers and enabled. The number of SYNs that were recognized in the last second. IP Address L4 Port RX Port Active Time Last Sec SYN counter Last Sec Verified counter 9-140 CID User Guide . Table 9-12 presents the parameters of the Active Triggers table.) • SYN ACK Reflection: The identified attack is a SYN ACK Reflection attack. The Source IP for SYN ACK Reflection: attacks and destination IP for all other attacks. The destination L 4 port (relevant only for SYN Flood Trigger attacks). • SYN Enabled Policies: This attack entry will include the sum of all attacks that match the policies with the Protection mode enabled.SYN Flood Protection SYN Flood Reporting You can view active SYN Flood attacks via the Active Triggers table. Chapter 9 . From the main APSolute Insite window. CID User Guide 9-141 . Note: If Application Security or DoS modules are enabled. In the Connect & Protect Table window. SYN Flood Protection events are created. Average Verified counter Total SYN Total Dropped sessions To view the Active Triggers Table: 1. The Active Triggers Table appears. click Active Triggers. The average of the ACKs that were recognized from the moment the attack began. double-click inside the SYN Floods column. open the APSolute OS menu and select Security. The total number of unverified sessions for this trigger. The Connect & Protect Table window appears. In the Settings pane.Security Table 9-12 Active Triggers Table Parameters Parameter Average SYN counter Description The average of the SYNs that were recognized from the moment the attack began. 
The Settings pane appears. 2. 3. The total number of SYN packets for this trigger. Defining Anomalies with User-Defined Settings. page 9-156. Protocol Anomalies. page 9-143. Anti-Scanning. 9-142 CID User Guide . page 9-145. provides information about protection against the protocol Anomalies. This section includes the following topics: • • • • Anomalies Introduction. page 9-144.Protocol Anomalies Section 9-8 Protocol Anomalies Section 9-8. Setting Up the Anomalies Module Using Predefined Profiles. the packet may contain fragmented URI. the size of the fragmented packets exceeds the boundaries of the predefined length. When the size of the URI packet exceeds the lower boundary of the predefined length. hackers may use evasion techniques.Chapter 9 . such as splitting packets and sending attacks in fragments. When the size of the URI packet exceeds the higher boundary of the predefined length.Security Anomalies Introduction To avoid IDS. Protocol Anomaly attacks are detected and blocked using the Protocol Anomaly Protection mechanism. An attack that contains fragmented packets is called a Protocol Anomaly attack. This attack enables hackers to insert malicious data into the web server. Protocol Anomalies The Protocol Anomalies group contains signatures of miscellaneous protocol misbehaviors. In a Protocol Anomaly attack. Protocol Anomaly attacks are recognized by the packet’s size. Protection against Protocol Anomaly attacks is achieved by dropping the suspect packets. The Anomalies Module The Anomalies module provides protection using the following sub-groups: • • Protocol Anomaly protection HTTP Anomaly protection • MIN fragmented URI packet size parameters • MAX URI Length parameter CID User Guide 9-143 . HTTP Anomalies Hackers split the URL across multiple packets. the buffer overflow is indicated. Signatures in this group prevent the usage of miscellaneous Protocol Anomalies that could indicate a new exploitation of a protocol vulnerability or a DoS attack. 
Setting Up the Anomalies Module Using Predefined Profiles

Radware supplies a set of predefined attack profiles and attack groups that provide constant protection against all recent attacks (see Protection Profiles and Groups Supplied by Radware, page 9-26). Most of the existing anomalies can be prevented using Radware groups. You can use these prevention profiles to define protection policies. For new users, it is recommended to define prevention profiles using Radware-defined attack groups only.

Anomalies Configuration Guidelines using Radware-Defined Attacks:
1. Enable Anomalies (see page 9-145).
2. Configure Protocol Anomaly Protection parameters (see page 9-16).
3. From the main window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
4. In the Connect & Protect Table window, double-click inside the Anomalies column. The Settings pane appears.
5. In the Anomaly Flood Profiles pane, select the predefined profiles and apply them to the policy in the Connect & Protect Table.

Defining Anomalies with User-Defined Settings

In addition to the Radware-defined profiles and groups, you can create custom prevention profiles, custom attack groups, and custom attacks that are based on custom filters.

Anomalies Configuration Guidelines using User-Defined Attacks:
1. Enable Anomalies (see page 9-145).
2. Configure Protocol Anomaly Protection parameters (see page 9-16).
3. Define attacks (see page 9-145).
4. Define Attack Groups (see page 9-64).
5. Define an Anomaly Flood Prevention Profile and apply it to the Connect and Protect Table (see page 9-154).

Setting Up Attacks and Filters

An Attack (Figure 9-3) is a building block of the prevention profile. Each attack contains one or more protection filters and a mechanism that determines which packets are malicious and how CID treats those packets.

Filters are detectors that scan and classify the predefined traffic. Each filter (Figure 9-4) contains one specific signature. The filter's main purpose is to match the specific packet within the traffic scanned by this filter and the attack signature from the Radware Attack Signatures database (see Managing the Signatures Database, page 9-25). The signature's match to the packet is considered an indicator for the attack.

An attack can employ one or more filters. When more than one filter is used, the traffic is checked for all the signatures defined in the attack's filters. This means that the classification mechanisms of all filters applied to the same attack are involved in the scanning process, or in other words, the scanning process represents a logical AND relation between the filters.

Note: For each custom attack, you must define custom filters. You cannot use filters from other attacks when you define a custom attack.

An attack's settings parameters define how the malicious packet is tracked and treated once its signature is recognized. Each attack is bound to a "Tracking" function that defines how the packet is handled when it is matched with the signature. The main purpose of these functions is to determine whether the packet is harmful and to apply an appropriate action. There are two types of match functions:
• The "Immediate" type, which makes decisions based on a single packet, and the packet is dropped ("Drop All"), for example, MS Blast.
• The "Threshold" or "Counter" functions, which assume that the signature match alone is not enough for detecting a packet as offensive. This is because the packet may be legitimate unless the number of packets over a period of time exceeds a threshold that defines a "reasonable" behavior for such traffic, for example, ICMP flood attacks and DoS attacks. When a number of packets that is greater than the Threshold value passes through the device during this defined time period, the device recognizes it as an attack. Only packets that exceed the threshold within a predefined time slot are dropped.

Table 9-13 presents the attack configuration parameters.

Table 9-13 Attack Configuration Parameters

Attack Name: A user-defined name for this attack, maximum 30 characters.

Tracking Time: Sets the amount of time (in milliseconds) in which the Threshold is measured. The attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period. Default value: 1000

Threshold: Sets the maximum number of attack packets that are allowed in each Tracking Time unit. Default value: 10.

Tracking Type: Defines how the device decides which traffic to block or drop. Values can be:
• Drop All: Once the first packet is identified as harmful, the packet is dropped. Select this option when each packet of the defined attack is harmful. For example: Code Red and Nimda attacks.
• Source Count: Sessions are counted per source IP. Select this option when the defined attack is destination-based, and is not characterized by a single packet but rather by repeated packets.
• Target Count: Sessions are counted per destination IP. Select this option when the defined attack is destination-based, and is not characterized by a single packet but rather by repeated packets.
• Source & Target Count: Sessions are counted per source IP and destination IP combination. Select this option when the defined attack is destination-based, and is not characterized by a single packet but rather by repeated packets.
• Sampling: Used for a DoS Shield attack, when under an attack of this type.
Default: Drop All

Action Mode: When an attack is detected, one of the following actions can be taken:
• Report Only: The packet is forwarded to the defined destination.
• Drop: The packet is discarded.
• Reset Source: Sends a TCP-Reset packet to the packet Source IP.
• Reset Destination: Sends a TCP-Reset packet to the destination address.
• Reset Bi-directional: Sends a TCP-Reset packet to both the packet source IP and the packet destination IP.
Default: Drop

Risk: The severity of the damage that the attack can cause to your system.
• High
• Medium
• Low
• Info - An IPS attack for which the Risk parameter is set to Info is in fact an IDS signature.
Default value: Medium

Direction: This parameter sets the attack's inspection direction. Inspection can be of incoming traffic, outgoing traffic, or both.

Suspend Action: This parameter sets the action to take in response to an attack:
• None: Suspend action is disabled for this attack.
• SrcIP: All traffic from the IP address identified as the source of the attack will be suspended.
• SrcIP, DestIP: Traffic from the IP address identified as the source of the attack to the destination IP under attack will be suspended.
• SrcIP, DestPort: Traffic from the IP address identified as the source of the attack to the application (destination port) under attack will be suspended.
• SrcIP, DestIP, DestPort: Traffic from the IP address identified as the source of the attack to the destination IP and port under attack will be suspended.
• SrcIP, SrcPort, DestIP, DestPort: Traffic from the IP address and port identified as the source of the attack to the destination IP and port under attack will be suspended.

Drop Threshold (Kbps): The number of packets matching the attack that can be forwarded in each second when the attack is Active. A value of Drop All (or 0) means that all packets must be blocked. Any value other than Drop All is used for attacks that match a pattern of legitimate traffic, for example, UDP Flood attacks.

Termination Threshold (Kbps): If, for the duration of the Attack Aging Period, this threshold is not exceeded, a notification message is sent indicating that the attack may be over. Typically, this threshold is higher than the Termination Alert Threshold and lower than the Activation Threshold. You can also select "Do Not Alert" (or 0).

State: Select Enable to activate the policy. Default: Enable.

Filters: A list of user-defined filters (see page 9-81).

To create a new attack:
1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the Anomalies column. The Settings pane appears.
3. In the Settings pane, click Custom Attack. The Attack Configuration window appears.
4. In the Attack Name field, enter the name of the new attack.
5. Set the attack parameters, as explained in Table 9-13 on page 146.
6. In the Attack Configuration window, click Add New. The Filter Configuration window appears.
7. In the Filter Name field, enter the name of the filter.
8. In the Filter Description field, enter the description of the filter.
9. In the Protocol parameters pane, define the protocol parameters, as explained in Table 9-5 on page 56.
10. In the OMPC parameters pane, define the OMPC parameters, as explained in Table 9-6 on page 58.
11. In the Content parameters pane, define the content parameters, as explained in Table 9-7 on page 59.
12. Click Ok. The Attack Configuration window closes.

Filter Parameters

The parameters of each filter are divided into the following categories:
• Description Parameters
• Protocol Definition Parameters
• OMPC (Bit pattern) Definition Parameters
• Content Definition Parameters

Description Parameters

Description parameters (Table 9-4) are the user-defined descriptions of the custom attack.

Protocol Definition Parameters

Protocol definition parameters (Table 9-5) define the transmission protocol.

To define a new application port group:
1. In the Filter Configuration window, click App. Port Group. The Application Port Group window appears.
2. In the Application Port Group window, click Modify. The Modify pane appears.
3. In the Modify pane, click Add and set the following parameters according to the explanations provided:
Name: A user-defined group name.
From Port: Define the first port in the range.
To Port: Define the last port in the range.
Notes:
• To define a group with a single port, set the same value for the From Port and To Port parameters.
• To associate a number of ranges with the same port group, use the same group name for all the ranges that you want to include in one group.
4. Click Ok. A new row appears in the Application Port Groups table.

OMPC (Bit pattern) Definition Parameters

Offset Mask Pattern Condition (OMPC) parameters are a set of attack parameters that define a rule for pattern lookups that uses fixed offset masking. The OMPC rule looks for a fixed size pattern of up to four bytes. This is useful only for attack recognition where the attack signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset. The OMPC parameters are presented in Table 9-6.

Content Definition Parameters

The Content parameters (Table 9-7) define the rule for a text/content string lookup. This rule is intended for attack recognition where the attack signature is a text/content string within the packet payload.

Custom Attack Groups

The custom attack group represents a logical OR relation between two or more attacks. Radware provides you with a set of predefined custom attack groups as part of the Signatures file. The predefined attack groups are divided according to types of protection. For example, all attack signatures designed to harm IIS web servers are grouped under the IIS Attack Group. Groups can be activated within a protection profile, except for the Unassigned group. The attacks that affect performance or are probable to false positive are gathered in the Unassigned group and can be activated either by adding an attack to an existing group or to a user-defined group. You can also add user-defined attack groups using predefined attacks or user-defined attacks. The right panel of the Attack Group Configuration window (Figure 9-12) contains a list of all existing groups.

Figure 9-12 Attack Group Configuration Window

To add a new custom attack group:
1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the Anomalies column. The Settings pane appears.
3. In the Settings pane, click Custom Group. The Attack Group Configuration window appears.
4. In the Group Name field, enter the new user-defined name for the attack group.
5. In the All Anomaly Attacks pane, select the attacks you want to include in the group and move them to the Selected Attacks pane by clicking the Add button.
6. Click Ok.

Editing Attack Groups

To edit an attack group:
1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the Anomalies column. The Settings pane appears.
3. From the All Anomaly Attacks list, select the attack group you want to edit and click Edit. The Attack Group Configuration window appears.
4. Edit the parameters of the group (see Custom Attack Groups, page 9-64).
5. Click Ok. Your preferences are recorded.

Creating User-Defined Profiles

You can either select from the Radware predefined anomaly prevention profiles or create your own custom profiles.

To create a new user-defined anomaly profile:
1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the Anomalies column. The Settings pane appears.
3. In the Settings pane, click New Profile. The New Anomaly Profile window appears.
4. In the Profile Name field, enter a name for your new anomaly profile and click Ok. The new profile appears in the Anomaly Flood Profiles pane.
5. From the All Anomaly Attacks list, select the anomaly attacks that you want to include in your anomaly profile and move them to the profile by clicking the Add button.
6. In the Connect & Protect Table, select the policy to which you want to apply the new anomaly profile and click Apply. The name of the new profile appears in the selected cell.

Section 9-9 Anti-Scanning

Section 9-9, Anti-Scanning, provides information on how hackers perform scanning prior to an attack and how to prevent it. This section includes the following topics:
• Introduction to Anti-Scanning, page 9-157
• Setting Up Anti-Scanning Using Profiles and Groups, page 9-158
• Defining Anti-Scanning with User-Defined Settings, page 9-159

Introduction to Anti-Scanning

Prior to launching an attack, hackers usually try to identify what TCP and UDP ports are open. An open port represents a service, application, or backdoor. Open ports that were left open unintentionally can create a serious security problem. Application Security provides a mechanism intended to prevent hackers from gaining this information by blocking and altering server replies sent to the hacker.
Network Scanning

Legitimate traffic is sent to a recipient in order to learn about the system and the applications, intending to perpetrate future attacks. As the packets sent by the attacker are legitimate, in most cases analyzing the whole flow of traffic is the only way to detect the scanning.

Anti-Scanning Module

The Anti-Scanning module provides protection against network and port scanning. The Scanning Tool group contains signatures of miscellaneous network scanning tools. These signatures protect the network from the scanning tools that attempt to scan your network.

Setting Up Anti-Scanning Using Profiles and Groups

Radware supplies a set of predefined attack profiles and attack groups that provide constant protection against all recent attacks (see Protection Profiles and Groups Supplied by Radware, page 9-26). Radware profiles provide protection against network and port scanning. You can use these prevention profiles to define protection policies (see Setting Up Security Policies in the Connect and Protect Table, page 9-10). For new users, it is recommended to define anti-scanning profiles using Radware-defined attack groups only.

Anti-Scanning Configuration Guidelines using Radware-Defined Attacks:
1. Enable Anti-Scanning and set the general parameters (see page 9-13).
2. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
3. In the Connect & Protect Table window, click inside the Anti-Scanning column. The Settings pane appears.
4. In the Anti-Scanning Profiles pane, select the predefined anti-scanning profiles and apply them to the policy in the Connect & Protect Table.

Defining Anti-Scanning with User-Defined Settings

In addition to the Radware-defined profiles and groups, you can create custom prevention profiles, custom attack groups, and custom attacks that are based on custom filters.

Anti-Scanning Configuration Guidelines using User-Defined Attacks:
1. Enable Anti-Scanning and set the general parameters (see page 9-13).
2. Define attacks (see page 9-49).
3. Define Attack Groups (see page 9-64).
4. Define the Anti-Scanning profile and apply it to the Connect and Protect Table (see page 9-169).

Setting Up Attacks and Filters

An Attack (Figure 9-3) is a building block of the anti-scanning profile. Each attack contains one or more protection filters and a mechanism that determines which packets are malicious and how CID treats those packets.

Filters are detectors that scan and classify the predefined traffic. Each filter (Figure 9-4) contains one specific signature. The filter's main purpose is to match the specific packet within the traffic scanned by this filter and the attack signature from the Radware Attack Signatures database (see Managing the Signatures Database, page 9-25). The signature's match to the packet is considered an indicator for the attack.

An attack can employ one or more filters. When more than one filter is used, the traffic is checked for all the signatures defined in the attack's filters. This means that the classification mechanisms of all filters applied to the same attack are involved in the scanning process, or in other words, the scanning process represents a logical AND relation between the filters.

Note: For each custom attack, you must define custom filters. You cannot use filters from other attacks when you define a custom attack.

An attack's settings parameters define how the malicious packet is tracked and treated once its signature is recognized. Each attack is bound to a "Tracking" function that defines how the packet is handled when it is matched with the signature. The main purpose of these functions is to determine whether the packet is harmful and to apply an appropriate action. There are two types of match functions:
• The "Immediate" type, which makes decisions based on a single packet, and the packet is dropped ("Drop All"), for example, MS Blast.
• The "Threshold" or "Counter" functions, which assume that the signature match alone is not enough for detecting a packet as offensive. This is because the packet may be legitimate unless the number of packets over a period of time exceeds a threshold that defines "reasonable" behavior for such traffic, for example, ICMP flood attacks and DoS attacks. When a number of packets that is greater than the Threshold value passes through the device during this defined time period, the device recognizes it as an attack. Only packets that exceed the threshold within a predefined time slot are dropped.

Table 9-14 presents the attack's configuration parameters.

Table 9-14 Attack Configuration Parameters

Attack Name: A user-defined name for this attack, maximum 30 characters.

Tracking Time: Sets the amount of time (in milliseconds) in which the Threshold is measured. The attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period. Default value: 1000

Threshold: Sets the maximum number of attack packets that are allowed in each Tracking Time unit. Default value: 10.

Tracking Type: Defines how the device decides which traffic to block or drop. Values can be:
• Drop All: Once the first packet is identified as harmful, the packet is dropped. Select this option when each packet of the defined attack is harmful. For example: Code Red and Nimda attacks.
• Source Count: Sessions are counted per source IP. Select this option when the defined attack is destination-based, and is not characterized by a single packet but rather by repeated packets.
• Target Count: Sessions are counted per destination IP. Select this option when the defined attack is destination-based, and is not characterized by a single packet but rather by repeated packets.
• Source & Target Count: Sessions are counted per source IP and destination IP combination. Select this option when the defined attack is destination-based, and is not characterized by a single packet but rather by repeated packets.
• Sampling: Used for a DoS Shield attack, when under an attack of this type.
Default: Drop All

Action Mode: When an attack is detected, one of the following actions can be taken:
• Report Only: The packet is forwarded to the defined destination.
• Drop: The packet is discarded.
• Reset Source: Sends a TCP-Reset packet to the packet Source IP.
• Reset Destination: Sends a TCP-Reset packet to the destination address.
• Reset Bi-directional: Sends a TCP-Reset packet to both the packet source IP and the packet destination IP.
Default: Drop

Risk: The severity of the damage that the attack can cause to your system.
• High
• Medium
• Low
• Info - An IPS attack for which the Risk parameter is set to Info is in fact an IDS signature.
Default value: Medium

Direction: This parameter sets the attack's inspection direction. Inspection can be of incoming traffic, outgoing traffic, or both.

Suspend Action: This parameter sets the action to take in response to an attack:
• None: Suspend action is disabled for this attack.
• SrcIP: All traffic from the IP address identified as the source of the attack will be suspended.
• SrcIP, DestIP: Traffic from the IP address identified as the source of the attack to the destination IP under attack will be suspended.
• SrcIP, DestPort: Traffic from the IP address identified as the source of the attack to the application (destination port) under attack will be suspended.
• SrcIP, DestIP, DestPort: Traffic from the IP address identified as the source of the attack to the destination IP and port under attack will be suspended.
• SrcIP, SrcPort, DestIP, DestPort: Traffic from the IP address and port identified as the source of the attack to the destination IP and port under attack will be suspended.

Drop Threshold (Kbps): The number of packets matching the attack that can be forwarded in each second when the attack is Active. A value of Drop All (or 0) means that all packets must be blocked. Any value other than Drop All is used for attacks that match a pattern of legitimate traffic, for example, UDP Flood attacks.

Termination Threshold (Kbps): If, for the duration of the Attack Aging Period, this threshold is not exceeded, a notification message is sent indicating that the attack may be over. Typically, this threshold is higher than the Termination Alert Threshold and lower than the Activation Threshold. You can also select "Do Not Alert" (or 0).

State: Select Enable to activate the policy. Default: Enable.

Filters: A list of user-defined filters (see page 9-81).
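The Tracking function described for Tables 9-13 and 9-14 (an "Immediate" Drop All match versus Threshold/Counter matches counted per source IP, destination IP, or the pair inside a Tracking Time window), as an added Python simulation. It is not Radware code; the packets, hosts and timestamps are constructed, and the sliding window of Tracking Time milliseconds is this example's reading of the table.

```python
"""Added example (not Radware code): simulates an attack's Tracking function.
Tracking Type 'drop_all' is the "Immediate" match; the other types are the
"Threshold"/"Counter" match, counted per source IP, destination IP, or the
source/destination pair inside a sliding window of Tracking Time milliseconds.
All packets below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts_ms: int      # arrival time in milliseconds
    src: str        # source IP
    dst: str        # destination IP
    matched: bool   # True when every filter of the attack matched (logical AND)


class AttackTracker:
    """One tracker per attack definition (Tracking Type, Tracking Time, Threshold)."""

    TYPES = ("drop_all", "source_count", "target_count", "source_target_count")

    def __init__(self, tracking_type="drop_all", tracking_time_ms=1000, threshold=10):
        if tracking_type not in self.TYPES:
            raise ValueError(f"unknown Tracking Type {tracking_type!r}")
        self.tracking_type = tracking_type
        self.tracking_time_ms = tracking_time_ms   # manual default: 1000
        self.threshold = threshold                 # manual default: 10
        # per tracking key: timestamps of signature matches still inside the window
        self._windows = defaultdict(deque)

    def _key(self, pkt):
        if self.tracking_type == "source_count":
            return (pkt.src,)
        if self.tracking_type == "target_count":
            return (pkt.dst,)
        return (pkt.src, pkt.dst)        # source_target_count

    def handle(self, pkt):
        """Return 'forward' or 'drop' for one packet."""
        if not pkt.matched:
            return "forward"             # signature did not match this attack
        if self.tracking_type == "drop_all":
            return "drop"                # "Immediate": the first matching packet is harmful
        window = self._windows[self._key(pkt)]
        # expire matches older than Tracking Time (sliding window)
        while window and pkt.ts_ms - window[0] >= self.tracking_time_ms:
            window.popleft()
        window.append(pkt.ts_ms)
        # up to Threshold matches per window count as legitimate traffic;
        # only the packets that exceed the Threshold within the window are dropped
        return "drop" if len(window) > self.threshold else "forward"


# constructed traffic: host A sends 15 matching packets in 700 ms, host B sends 3,
# host C sends one packet that does not match, and A sends one more packet 2 s later
SAMPLE_PACKETS = (
    [Packet(t, "10.0.0.1", "192.0.2.10", True) for t in range(0, 750, 50)]
    + [Packet(t, "10.0.0.2", "192.0.2.10", True) for t in (10, 60, 110)]
    + [Packet(300, "10.0.0.3", "192.0.2.10", False)]
    + [Packet(2000, "10.0.0.1", "192.0.2.10", True)]
)


def dropped_packets(tracking_type, packets=SAMPLE_PACKETS, tracking_time_ms=1000, threshold=10):
    """Feed the packets in arrival order and return how many were dropped."""
    tracker = AttackTracker(tracking_type, tracking_time_ms, threshold)
    return sum(tracker.handle(p) == "drop" for p in sorted(packets, key=lambda p: p.ts_ms))


if __name__ == "__main__":
    for mode in AttackTracker.TYPES:
        print(f"{mode:20s} dropped {dropped_packets(mode)} of {len(SAMPLE_PACKETS)} packets")
```

With the default Threshold of 10, Source Count drops only host A's packets beyond its tenth, while Target Count counts both hosts against the shared destination and drops more; the packet sent two seconds later falls outside the window and is forwarded again.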
To create a new attack:
1. From the main APSolute Insite window, open the APSolute Insite menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the Anti-Scanning column. The Settings pane appears.
3. In the Settings pane, click Custom Attack. The Attack Configuration window appears.
4. In the Attack Name field, enter the name of the new attack.
5. Set the attack parameters, as explained in Table 9-13 on page 146.
6. In the Attack Configuration window, click Add New. The Filter Configuration window appears.
7. In the Filter Name text box, type the name of the filter.
8. In the Filter Description text box, type the description of the filter.
9. In the Protocol parameters pane, define the protocol parameters, as explained in Table 9-5 on page 56.
10. In the OMPC parameters pane, define the OMPC parameters, as explained in Table 9-6 on page 58.
11. In the Content parameters pane, define the content parameters, as explained in Table 9-7 on page 59.
12. Click Ok. The Attack Configuration window closes. The new attack now appears in the Custom Attack Group window (see page 9-64).

Filter Parameters

The parameters of each filter are divided into the following categories:
• Description Parameters
• Protocol Definition Parameters
• OMPC (Bit pattern) Definition Parameters
• Content Definition Parameters

Description Parameters

Description parameters (Table 9-4) are the user-defined descriptions of the custom attack.

Protocol Definition Parameters

Protocol definition parameters (Table 9-5) define the transmission protocol.

To define a new application port group:
1. In the Filter Configuration window, click App. Port Group. The Application Port Groups window appears.
2. In the Application Port Groups window, click Modify. The Edit Application Port Groups window appears.
3. In the Edit Application Port Groups window, click Add. The Modify pane appears.
4. In the Modify pane, set the following parameters according to the explanations provided:
Name: A user-defined group name.
From Port: The first port in the range.
To Port: The last port in the range.
Notes:
• To define a group with a single port, assign the same value to From Port and To Port.
• To associate a number of ranges with the same port group, use the same group name for all the ranges that you want to include in the group.
5. Click Ok. A new row appears in the Application Port Group table.

OMPC (Bit pattern) Definition Parameters

Offset Mask Pattern Condition (OMPC) parameters are a set of attack parameters that define a rule for pattern lookups that uses fixed offset masking. The OMPC rule looks for a fixed size pattern of up to four bytes. This is useful only for attack recognition where the attack signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset. The OMPC parameters are presented in Table 9-6.

Content Definition Parameters

The Content parameters (Table 9-7) define the rule for a text/content string lookup. This rule is intended for attack recognition where the attack signature is a text/content string within the packet payload.

Custom Attack Groups

The custom attack group represents a logical OR relation between two or more attacks. Radware provides you with a set of predefined custom attack groups as part of the Signatures file. The predefined attack groups are divided according to types of protection. For example, all attack signatures designed to harm IIS web servers are grouped under the IIS Attack Group. Groups can be activated within a protection profile, except for the Unassigned group. The attacks that affect performance or are probable to false positive are gathered in the Unassigned group and can be activated either by adding an attack to an existing group or to a user-defined group. You can also add user-defined attack groups using predefined attacks or user-defined attacks. The right panel of the Attack Group Configuration window (Figure 9-13) contains a list of all existing groups.

Figure 9-13 Attack Group Configuration Window

To add a new custom attack group:
1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the Anti-Scanning column. The Settings pane appears.
3. In the Settings pane, click Custom Group. The Attack Group Configuration window appears.
4. In the Group Name field, enter the new user-defined name for the attack group.
5. From the All Attacks list, select the attacks that you want to include in the group and move them to the Selected Attacks pane by clicking the Add button.
6. Click Ok.

Creating User-Defined Profiles

You can either select from the Radware predefined anti-scanning profiles or create your own custom profiles.

To create a new user-defined anti-scanning profile:
1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the Anti-Scanning column. The Settings pane appears.
3. In the Settings pane, click New Profile. The New Anti-Scanning Profile window appears.
4. In the Profile Name field, enter a name for your new anti-scanning profile. The new profile appears in the Anti-Scanning Profiles pane.
5. In the All Anti-Scanning Attacks pane, select the attack groups that you would like to include in your anti-scanning profile and move them to the new profile by clicking the Add button.
6. In the Connect & Protect Table window, select the policy to which you want to apply the new anti-scanning profile and click Apply. The name of the new profile appears in the selected cell.
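The filter model described under Filter Parameters and Custom Attack Groups (an application port group of From Port..To Port ranges, an OMPC rule masking up to four bytes at a fixed offset, a Content string lookup, filters ANDed inside an attack, attacks ORed inside a group), as one added Python example covering both the Anomalies and the Anti-Scanning descriptions. It is not Radware code: the group, attack and filter names, the OMPC conditions ("equal" and "not_equal") and every request string are constructed for the demonstration.

```python
"""Added example (not Radware code): a custom attack is the logical AND of its
filters; a custom attack group is the logical OR of its attacks. Each filter
has a protocol, an application port group and optionally an OMPC rule and a
Content rule. Names, OMPC condition names and packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # 'tcp' or 'udp'
    dport: int
    payload: bytes


@dataclass
class PortGroup:
    """Application port group: From Port..To Port ranges under one name.
    A single-port group is a range whose From Port equals its To Port."""
    name: str
    ranges: List[Tuple[int, int]]

    def contains(self, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in self.ranges)


@dataclass
class OMPCRule:
    """Offset Mask Pattern Condition: up to four bytes at `offset` are ANDed
    with `mask` and compared with `pattern` (condition names are assumed)."""
    offset: int
    mask: bytes
    pattern: bytes
    condition: str = "equal"

    def __post_init__(self):
        if not 1 <= len(self.pattern) <= 4 or len(self.mask) != len(self.pattern):
            raise ValueError("OMPC pattern must be 1-4 bytes and mask must match its length")
        if self.condition not in ("equal", "not_equal"):
            raise ValueError(f"unsupported OMPC condition {self.condition!r}")

    def matches(self, data: bytes) -> bool:
        window = data[self.offset:self.offset + len(self.pattern)]
        if len(window) < len(self.pattern):
            return False                       # packet too short to hold the pattern
        masked = bytes(b & m for b, m in zip(window, self.mask))
        return (masked == self.pattern) == (self.condition == "equal")


@dataclass
class ContentRule:
    """Text/content string lookup anywhere in the payload."""
    text: bytes

    def matches(self, data: bytes) -> bool:
        return self.text in data


@dataclass
class Filter:
    name: str
    proto: str
    port_group: PortGroup
    ompc: Optional[OMPCRule] = None
    content: Optional[ContentRule] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or not self.port_group.contains(pkt.dport):
            return False
        if self.ompc is not None and not self.ompc.matches(pkt.payload):
            return False
        return self.content is None or self.content.matches(pkt.payload)


@dataclass
class Attack:
    name: str
    filters: List[Filter]

    def matches(self, pkt: Packet) -> bool:
        return all(f.matches(pkt) for f in self.filters)   # logical AND of filters


@dataclass
class AttackGroup:
    name: str
    attacks: List[Attack]

    def classify(self, pkt: Packet) -> Optional[str]:
        # logical OR of attacks: report the first attack that matches, if any
        return next((a.name for a in self.attacks if a.matches(pkt)), None)


# constructed configuration
WEB = PortGroup("web-demo", [(80, 80), (8080, 8080)])
# mask 0xDF clears the ASCII case bit, so "GET" and "get" both satisfy the rule
GET_METHOD = OMPCRule(offset=0, mask=b"\xdf\xdf\xdf", pattern=b"GET")
DEMO_GROUP = AttackGroup("web-demo-group", [
    Attack("demo-get-cmdexe", [Filter("get-method", "tcp", WEB, ompc=GET_METHOD),
                               Filter("cmdexe-string", "tcp", WEB, content=ContentRule(b"cmd.exe"))]),
    Attack("demo-traversal", [Filter("dotdot", "tcp", WEB, content=ContentRule(b"../.."))]),
])


def classify(payload: bytes, dport: int = 80, proto: str = "tcp") -> Optional[str]:
    """Name of the first attack in DEMO_GROUP that matches, or None."""
    return DEMO_GROUP.classify(Packet(proto, dport, payload))
```

A POST carrying the same string is not reported because the attack's two filters are ANDed, and a request to a port outside the group is never inspected by these filters.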
Editing Attacks

To edit an attack:
1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, double-click inside the Anti-Scanning column. The Settings pane appears.
3. In the All Anti-Scanning Attacks list, select the attack that you want to edit and click Edit. The Attack Group Configuration window appears.
4. Edit the parameters of the group (see Custom Attack Groups, page 9-64).
5. Click Ok.

Section 9-10 Session Table

Section 9-10, Session Table, explains how the device's Session Table records session information. This section includes the following topics:
• What is the Session Table, page 9-172
• Session Table Lookup Mode, page 9-173
• Configuring the Session Table, page 9-174

What is the Session Table

The Session Table records session information and is used in the following situations:
• To achieve full CID AS4 performance. The Session Table is required in these cases because of the Application Switch 4 distributed processing architecture. This architecture is based on a master CPU that takes one decision in each session and a dedicated network processor for Layer 4-7 acceleration. If the session is not recorded in the Session Table, the network processors cannot be activated for this session and the master CPU has to process all the packets in the session.
• To support stateful features for traffic, such as SYN Protection.
• When bandwidth management Layer 7 policies are applied to traffic running through the device.

Note: The Session Table is disabled by default.

Session Table Lookup Mode

The Session Table Lookup mode indicates what layer of address information is used to categorize packets in the Session Table. The following modes are supported:
• Full Layer 3: An entry exists in the Session Table for each Source IP and destination IP combination of packets passing through the device. This mode can be used for CID in Static Forwarding mode with Application Security and/or DoS Shield activated. This mode is recommended for higher performance, unless traffic classification on Layer 4 or 7 is required.
• Full Layer 4: An entry exists in the Session Table for each Source IP, destination IP, source port, and destination port combination of packets passing through the device. This mode is the default mode for the Session Table and is recommended when traffic classification on Layer 4 or 7 is required.
• Layer 4 Dest Port: Enables traffic to be recorded based only on the TCP/UDP destination port. This mode uses minimal Session Table resources (only one entry for each port that is secured). When SYN Flood Protection is used, it is recommended to categorize packets with the Layer 4 Dest Port mode only.

Note: Packets must be categorized with the Full Layer 4 Session Table Lookup mode when SYN Protection is used.

Note: To achieve accelerated CID performance, the Session Table must be enabled. If the device does not need to provide high performance for routed or bridged traffic, the Session Table may be disabled.
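How the lookup mode sets the key of a Session Table entry, and how Aging Time and the Remove Session Table Entry at Session End option (Full Layer 4 only) affect the number of entries, as an added Python model that is not Radware code. The flow, its timestamps and the session-end marker are constructed; the 100-second aging default is the one given in Table 9-15.

```python
"""Added example (not Radware code): models Session Table entries keyed by the
Lookup Mode (Full Layer 3, Full Layer 4, Layer 4 Dest Port), idle-entry aging,
and removal at session end (Full Layer 4 only). Flows are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: int                     # arrival time in seconds
    src: str
    dst: str
    sport: int
    dport: int
    session_end: bool = False   # final packet of the session (e.g. connection close)


class SessionTable:
    MODES = ("full_l3", "full_l4", "l4_dport")

    def __init__(self, lookup_mode="full_l4", aging_time=100, remove_at_session_end=False):
        if lookup_mode not in self.MODES:
            raise ValueError(f"unknown lookup mode {lookup_mode!r}")
        self.lookup_mode = lookup_mode
        self.aging_time = aging_time                  # Table 9-15 default: 100 seconds
        self.remove_at_session_end = remove_at_session_end
        self._entries = {}                            # key -> time of last activity

    def key(self, pkt):
        if self.lookup_mode == "full_l3":
            return (pkt.src, pkt.dst)
        if self.lookup_mode == "full_l4":
            return (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        return (pkt.dport,)                           # l4_dport: one entry per secured port

    def _age_out(self, now):
        # a non-active session is kept for Aging Time seconds and then removed
        expired = [k for k, last in self._entries.items() if now - last >= self.aging_time]
        for k in expired:
            del self._entries[k]

    def process(self, pkt):
        """Record one packet and return the number of entries afterwards."""
        self._age_out(pkt.ts)
        k = self.key(pkt)
        # removal at session end only makes sense where one entry is one session
        if pkt.session_end and self.remove_at_session_end and self.lookup_mode == "full_l4":
            self._entries.pop(k, None)
        else:
            self._entries[k] = pkt.ts
        return len(self._entries)


# constructed flow: two clients open three sessions to one server, one session
# closes, then a new client arrives after the Aging Time has elapsed
SAMPLE_FLOW = [
    Packet(0, "10.0.0.1", "192.0.2.10", 40001, 80),
    Packet(1, "10.0.0.1", "192.0.2.10", 40002, 80),
    Packet(2, "10.0.0.2", "192.0.2.10", 40001, 80),
    Packet(3, "10.0.0.1", "192.0.2.10", 40001, 80, session_end=True),
    Packet(150, "10.0.0.3", "192.0.2.11", 50000, 443),
]


def entry_counts(lookup_mode, remove_at_session_end=False, aging_time=100, packets=SAMPLE_FLOW):
    """Number of Session Table entries after each packet of the flow."""
    table = SessionTable(lookup_mode, aging_time, remove_at_session_end)
    return [table.process(p) for p in packets]


if __name__ == "__main__":
    for mode in SessionTable.MODES:
        print(f"{mode:9s} {entry_counts(mode)}  (remove at end: {entry_counts(mode, True)})")
```

Full Layer 4 needs one entry per connection, Full Layer 3 one per client/server pair, and Layer 4 Dest Port only one per secured port; the last packet shows all three modes dropping the idle entries once 100 seconds have passed.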
Configuring the Session Table

Table 9-15 presents the Session Table parameters.

Table 9-15 Session Table Parameters

Session Table Status
    Enables or disables the Session Table. Note: On Application Switch 4, the Session Table is enabled by default.

Session Table Aging Time
    The amount of time a non-active session is kept in the Session Table (in seconds). Default value: 100 seconds.

Session Table Lookup Mode
    Indicates what layer of address information is used to categorize packets in the Session Table: Full Layer 3, Full Layer 4, or Layer 4 Dest Port. For a description of each mode, see Session Table Lookup Mode, page 9-173.

Remove Session Table Entry at Session End
    Removes sessions from the Session Table when the session ends (only valid for Full Layer 4 Lookup mode). Recommended to free resources when the Aging Time of the Session Table is set to a high value; however, it can cause slight performance degradation.

Send Reset To Server Status
    Determines whether the Session Table sends a reset packet to the server if no data is transmitted through the session, because such a session can be part of a SYN attack.

To configure the Session Table parameters:
1. From the main APSolute Insite window, right-click the CID icon and select SetUp. The SetUp window appears.
2. In the SetUp window, click the Global tab. The Global pane appears.
3. In the Global pane, select Session Table Settings and click Edit Settings. The Session Table Settings window appears.
4. In the Session Table Settings window, set the parameters as explained in Table 9-15 and click Ok.

Section 9-11 Evasion Techniques

Section 9-11, Evasion Techniques, describes how the device provides protection against evasion techniques in SSL secured traffic, IP traffic, and TCP traffic. This section includes the following topics:
• Introduction to Evasion Techniques, page 9-177
• IP Reassembly and Min IP Fragmentation, page 9-178
• TCP Reassembly, page 9-182
Introduction to Evasion Techniques

An Evasion Technique is an attempt to hide an attack that is aimed at harming your servers or operating system. A hacker who sends malicious attacks is aware of the protection used in your organization for specific types of traffic and therefore makes an effort to bypass your Intrusion Prevention System (IPS) or Intrusion Detection System (IDS). The methods that the hacker uses to avoid the prevention of attacks by the IPS/IDS are called Evasion Techniques.

IP Reassembly and Min IP Fragmentation

CID provides protection against IP traffic evasion techniques. Hackers (or a host operating system) may split an attack over two or more IP fragments that belong to the same IP packet. Fragmenting of a packet may happen either intentionally by a hacker or by an application due to Layer 2 MTU constraints. CID performs signature-based recognition of IP attacks, so when a signature is split across fragments, the IP signature-based detection engine is bypassed. When used by a hacker, this technique is called Evasion.

To provide protection for fragmented IP traffic, CID uses the following mechanisms:
• IP Reassembly: CID assembles the IP fragments into a complete IP packet and searches for attack signatures split among two or more IP fragments. Fragments of an IP packet are assembled until the packet is complete. IP Reassembly is effective for attack signatures in Intrusions, Anti-Scanning, Anomalies, and Application Security for DoS.
• Min IP Fragmentation: CID detects abnormally small IP fragments and applies a predefined Action mode to them.

Signature lookup is performed on a packet-by-packet basis. The device continues to forward the fragments, and only if an attack is detected is the predefined action taken. The action is based on the last fragment received. The event mentions that a fragment has been identified as an attack; there is no report of a specific attack.
To configure IP fragments:
1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, click Settings. The Security Settings window appears.
3. In the Security Settings window, click IP Fragments. The IP Fragments window appears.
4. In the IP Fragments window, set the following parameters according to the explanations provided:

IP Reassembly Status: Enables/Disables the IP Reassembly feature. Default value: Disabled.

IP Reassembly aging time [sec]: The maximum period of time, in seconds, during which CID keeps fragments of the same IP packet in case not all the fragments of this packet have been received yet. After this period, CID drops the fragments. Default value: 3.

IP Reassembly Overlap status: Sets the data overlapping status within IP fragments. Overlapping may also indicate an attack evasion technique. The values are:
• Allow: The overlapping is not identified as an attack, and the IP packet fragment is forwarded to its destination.
• Deny: The overlapping is defined as an attack, and the predefined IP Reassembly Overlap Action mode is used to prevent it.
Default value: Allow.
IP Reassembly Overlap Action Mode: The Action mode settings when IP Reassembly Overlap status is set to 'Deny':
• Report Only: The fragment is forwarded to the defined destination.
• Drop: The fragment is discarded.
• Reset Source: A TCP-Reset packet is sent to the packet Source IP.
• Reset Destination: A TCP-Reset packet is sent to the Destination address.
• Reset Bi-directional: TCP-Reset packets are sent to both the packet Source IP and the packet Destination IP.
Default value: Report Only.

IP Reassembly no memory Action Mode: The device action when the device lacks the memory resources to perform IP reassembly. Possible values:
• Forward: The packet is forwarded to the defined destination.
• Drop: The packet is discarded.
Default value: Forward.

Min IP Fragment protection status: Enables/Disables the Min IP Fragment protection feature. Default value: Disable.
Note: There is no dependency between the IP Reassembly feature and the Min IP Fragment protection feature. Min IP Fragment protection can be enabled whether the IP Reassembly feature is Enabled or Disabled.

MIN Fragment Size: The minimum permitted size of a fragmented IP packet. A shorter fragment is treated as an IP protocol anomaly and the Min IP Fragment Action Mode is applied to it. Possible values: 1-65535 Bytes. Default value: 512.

Min IP Fragment Action Mode: The Action mode settings when Min IP Fragment protection is set to Enable:
• Report Only: The fragment is forwarded to the defined destination.
• Drop: The fragment is discarded.
• Reset Source: A TCP-Reset packet is sent to the packet Source IP.
• Reset Destination: A TCP-Reset packet is sent to the Destination address.
• Reset Bi-directional: TCP-Reset packets are sent to both the packet Source IP and the packet Destination IP.
Default value: Drop.
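The behaviour the IP Fragments parameters above describe, as an added Python model of a fragment reassembler. This is not CID code and not from the CID User Guide: the two toy signatures, the fragments, the "last fragment written wins" reassembly policy used when overlap is allowed, and the decision to apply the minimum-size check to non-last fragments only are this example's assumptions. The defaults in Config mirror the default values listed above.

```python
"""IP fragment reassembly with overlap, minimum fragment size and aging checks
(added example, not CID code). Shows why a signature split across fragments, or
hidden behind overlapping fragments, evades packet-by-packet matching."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    ip_id: int
    offset: int            # byte offset of this payload within the original datagram
    payload: bytes
    more_fragments: bool   # MF flag; False marks the last fragment
    time: float            # arrival time in seconds


@dataclass
class Config:
    aging_time: float = 3.0              # IP Reassembly aging time [sec]
    overlap_status: str = "allow"        # IP Reassembly Overlap status: allow / deny
    overlap_action: str = "report_only"  # report_only / drop / reset_source / ...
    min_fragment_enabled: bool = False   # Min IP Fragment protection status
    min_fragment_size: int = 512         # MIN Fragment Size in bytes
    min_fragment_action: str = "drop"    # Min IP Fragment Action Mode


SIGNATURES = (b"/bin/sh", b"cmd.exe")    # constructed toy signatures, not Radware's database


def per_packet_match(frag: Fragment) -> bool:
    """A packet-by-packet engine only ever sees the bytes of one fragment."""
    return any(sig in frag.payload for sig in SIGNATURES)


@dataclass
class Pending:
    first_seen: float
    frags: List[Fragment] = field(default_factory=list)


class Reassembler:
    def __init__(self, cfg: Config):
        self.cfg = cfg
        self.pending: Dict[int, Pending] = {}
        self.events: List[Tuple] = []           # (event, ip_id, detail) records

    def _age_out(self, now: float) -> None:
        old = [i for i, p in self.pending.items() if now - p.first_seen > self.cfg.aging_time]
        for i in old:
            del self.pending[i]
            self.events.append(("aged_out", i, "drop"))

    @staticmethod
    def _overlaps(a: Fragment, b: Fragment) -> bool:
        return a.offset < b.offset + len(b.payload) and b.offset < a.offset + len(a.payload)

    @staticmethod
    def _assemble(frags: List[Fragment]) -> Optional[bytes]:
        """The complete datagram once every byte up to the last fragment is covered, else None."""
        last = [f for f in frags if not f.more_fragments]
        if not last:
            return None
        end = last[0].offset + len(last[0].payload)
        covered = 0
        for f in sorted(frags, key=lambda f: f.offset):
            if f.offset > covered:
                return None                     # gap: a fragment is still missing
            covered = max(covered, f.offset + len(f.payload))
        buf = bytearray(end)
        for f in frags:                         # arrival order: a later overlap overwrites earlier bytes
            n = min(len(f.payload), end - f.offset)
            if n > 0:
                buf[f.offset:f.offset + n] = f.payload[:n]
        return bytes(buf)

    def process(self, frag: Fragment) -> str:
        """Action for this fragment: forward, attack, or the configured drop/reset action."""
        self._age_out(frag.time)
        if (self.cfg.min_fragment_enabled and frag.more_fragments
                and len(frag.payload) < self.cfg.min_fragment_size):
            self.events.append(("min_ip_fragment", frag.ip_id, len(frag.payload)))
            if self.cfg.min_fragment_action != "report_only":
                return self.cfg.min_fragment_action
        pend = self.pending.setdefault(frag.ip_id, Pending(first_seen=frag.time))
        if any(self._overlaps(frag, f) for f in pend.frags):
            self.events.append(("overlap", frag.ip_id, self.cfg.overlap_status))
            if self.cfg.overlap_status == "deny" and self.cfg.overlap_action != "report_only":
                del self.pending[frag.ip_id]
                return self.cfg.overlap_action
        pend.frags.append(frag)
        data = self._assemble(pend.frags)
        if data is None:
            return "forward"                    # incomplete: fragments are forwarded meanwhile
        del self.pending[frag.ip_id]
        hits = [sig for sig in SIGNATURES if sig in data]
        if hits:
            self.events.append(("signature", frag.ip_id, hits[0]))
            return "attack"                     # the action lands on the last fragment received
        return "forward"


def run_demo() -> dict:
    """Five constructed scenarios; returns what the reassembler decides in each."""
    out = {}
    a = Fragment(1, 0, b"GET /cgi-bin/x?cmd=/bi", True, 0.0)        # 22 bytes, ends mid-signature
    b = Fragment(1, 22, b"n/sh HTTP/1.0\r\n", False, 0.1)
    r = Reassembler(Config())
    out["split_per_packet"] = per_packet_match(a) or per_packet_match(b)
    out["split_reassembled"] = (r.process(a), r.process(b))
    r = Reassembler(Config(overlap_status="deny", overlap_action="drop"))
    r.process(Fragment(2, 0, b"A" * 16, True, 0.0))
    out["overlap_deny"] = r.process(Fragment(2, 8, b"B" * 16, False, 0.1))
    r = Reassembler(Config())                                         # overlap allowed: last wins
    r.process(Fragment(3, 0, b"A" * 16, True, 0.0))
    out["overlap_allow"] = r.process(Fragment(3, 8, b"B" * 16, False, 0.1))
    r = Reassembler(Config(min_fragment_enabled=True))                # 22 bytes < 512-byte minimum
    out["min_fragment"] = r.process(a)
    r = Reassembler(Config())                                         # second fragment 10 s late
    r.process(a)
    out["aged"] = (r.process(Fragment(1, 22, b"n/sh HTTP/1.0\r\n", False, 10.0)), r.events[0][0])
    return out
```

The first scenario is the point of the feature: neither fragment contains "/bin/sh" on its own, so per-packet matching misses it, while the reassembled datagram is caught and the action is taken on the second (last) fragment. Overlapping fragments are where reassembly policies diverge between hosts, which is why an overlap under Deny is treated as an attack rather than resolved.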
TCP Reassembly

CID detects and prevents TCP traffic evasion techniques. Application level attacks, such as worms, viruses, Trojans, and buffer overflows, require deep packet inspection capability in order to be detected while being transferred over a network protocol. As the detection engine is signature-based, there may be cases where the attack signature is split among two or more packets within a TCP application flow. In such cases, the signature detection engine may be bypassed.

To prevent application level attacks, CID inspects Level 7 attack signatures within a TCP stream regardless of the actual location of the signature in the data stream. TCP Reassembly is effective for attack signatures in Intrusions, Anti-Scanning, Anomalies, and Application Security for DoS. TCP Reassembly is applied to TCP data portions and to application data according to the Content Type in the filter. To support Content Type (Level 7) filters, the TCP Reassembly feature performs protocol parsing according to the content field and reassembles the specific field over several packets. For example, when applying an HTTP URL filter to the traffic, the device extracts the URI field from each HTTP GET within a TCP session.

When an attack is located, it is reported by name, and the device sends the reassembled datagram as evidence of the attack. No indication is provided whether the attack was detected on a reassembled stream.

Notes:
• The TCP Reassembly feature is supported on SME platforms only.
• TCP Reassembly is performed for consecutive packets only.

To enable TCP Reassembly:
1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, click Settings. The Security Settings window appears.
3. In the Application Security Parameters area, select TCP Reassembly Status. The TCP Reassembly feature is enabled.
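Signature matching across a TCP segment boundary, and the effect of the "consecutive packets only" note, as an added Python example. This is not CID code and not from the CID User Guide: the two toy signatures, the request and the 40-byte segment size are constructed so that the segment boundary falls inside the signature; the inspector bridges consecutive in-order segments and restarts on any other segment.

```python
"""Signature matching across TCP segment boundaries (added example, not CID code).

A streaming matcher keeps the tail of the previous in-order segment, so a
signature cut in two by the segment boundary is still found, and it restarts
whenever a segment is not consecutive, mirroring the note that TCP Reassembly
is performed for consecutive packets only."""
from dataclasses import dataclass
from typing import List, Optional

SIGNATURES = {                                   # constructed toy signatures: name -> bytes
    "IIS cmd.exe request": b"cmd.exe",
    "Unix passwd file request": b"/etc/passwd",
}


@dataclass(frozen=True)
class Segment:
    seq: int            # TCP sequence number of the first payload byte
    payload: bytes


def per_packet_hits(seg: Segment) -> List[str]:
    """Packet-by-packet inspection: a signature split over two segments is missed."""
    return [name for name, sig in SIGNATURES.items() if sig in seg.payload]


class StreamInspector:
    """Inspect one direction of a TCP session, bridging consecutive segments only."""

    def __init__(self) -> None:
        self.next_seq: Optional[int] = None               # sequence number expected next
        self.keep = max(len(s) for s in SIGNATURES.values()) - 1
        self.tail = b""                                   # last `keep` bytes of the stream so far
        self.restarts = 0                                 # non-consecutive segments seen

    def inspect(self, seg: Segment) -> List[str]:
        if self.next_seq is not None and seg.seq != self.next_seq:
            self.tail = b""                               # gap or out-of-order: not bridged
            self.restarts += 1
        data = self.tail + seg.payload                    # boundary bytes + this segment
        hits = [name for name, sig in SIGNATURES.items() if sig in data]
        self.next_seq = seg.seq + len(seg.payload)
        self.tail = data[-self.keep:] if self.keep else b""
        return hits


def split_request(seq: int, request: bytes, mss: int) -> List[Segment]:
    """Cut a request into consecutive MSS-sized segments."""
    return [Segment(seq + i, request[i:i + mss]) for i in range(0, len(request), mss)]


def run_demo() -> dict:
    req = b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
    segs = split_request(1000, req, 40)                   # "cmd.exe" starts at byte 38: the cut lands inside it
    per_packet = [h for s in segs for h in per_packet_hits(s)]
    stream = StreamInspector()
    reassembled = [h for s in segs for h in stream.inspect(s)]
    stream = StreamInspector()                            # same segments, second one arrives first
    out_of_order = [h for s in (segs[1], segs[0]) for h in stream.inspect(s)]
    return {"per_packet": per_packet, "reassembled": reassembled,
            "out_of_order": out_of_order, "restarts": stream.restarts}
```

Keeping only the last len(signature) - 1 bytes is enough to bridge any boundary, so the inspector holds a bounded tail rather than the whole stream. The out-of-order case shows the limitation the note states: a signature split across segments that do not arrive consecutively is not assembled and goes undetected.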
Section 9-12 Security Events and Reports

Section 9-12, Security Events and Reports, describes security events and how to configure devices to use reporting channels. In addition, this section provides information about security reports. This section includes the following topics:
• Events and Event Reporting, page 9-185
• Reporting Channels, page 9-190
• Security Reports, page 9-197

Events and Event Reporting

A security event is an attack or a protocol anomaly. When an attack is detected, the device creates a security event that includes the information relevant to this specific attack. Once an event has been created, the device reports it using several optional channels:
• Security Logs, which are saved in flash.
• SNMP traps, which can be sent to APSolute Insite and a management station.
• Syslog messages, which can be sent to a Syslog station.
• E-mail messages, which can be sent to specific users.
• Security Terminal Echo.

You can configure each device to alert you whenever a security event takes place. In addition, you can set the device to report detected attacks according to the various risk levels.

You can get the source/destination IP address information for each event up to the Report Aggregation level. This level is defined by the Report Aggregation Threshold parameter. Events that include source/destination IP values are indicated with the Status field value set to "Sample."

Note: Counter-based attacks and DoS attacks may have more occurrences, and the reported IP addresses then provide only partial information of the overall picture.

Enabling Reporting Channels

You can enable the reporting channels used by Radware devices to receive information about security events.

Note: You need to enable and configure each reporting channel before using it.

To enable the reporting channels for security reports:
1. From the main APSolute Insite window, right-click the CID device icon and select SetUp. The SetUp window appears.
2. In the SetUp window, click the Global tab. The Global pane appears.
3. In the Global pane, select Security Settings and click Edit Settings. The Security Settings window appears.
4. In the Reporting pane, enable the reporting channels that you want to use by selecting the appropriate checkboxes.
5. In the Report Aggregation Threshold text box, type the number of events for a specific attack that are gathered during a Reporting Interval before the events are aggregated into a report.
Note: When the number of generated events exceeds the Report Aggregation Threshold value, the IP value of the event appears as 0.0.0.0, which indicates "Any."
6. In the Reporting Interval text box, type the number of seconds that defines the frequency at which reports are sent through the reporting channels.
7. In the Max Alerts Per Report text box, type the maximum number of security events that can appear in each report (sent within the Reporting Interval).
8. To generate reports using risk levels, from the drop-down menus of the reporting channels, select the levels according to the explanations provided:
   High: Report all attacks with risk value set to High.
   Medium: Report all attacks with risk value set to High or Medium.
   Low: Report all attacks with risk value set to High, Medium, or Low.
9. Click Ok. Your preferences are recorded.
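How the Report Aggregation Threshold, Reporting Interval, Max Alerts Per Report and risk-level settings shape a report, as an added Python model. This is not CID code and not from the CID User Guide. Its assumptions: within one Reporting Interval, the first threshold events of an attack are reported with their addresses and the status Sample, and the remaining events of that attack collapse into a single entry whose addresses read 0.0.0.0; the status name Aggregated for that entry, the hypothetical attack names and the event list are this example's own.

```python
"""Report aggregation per Reporting Interval (added example, not CID code)."""
from dataclasses import dataclass
from typing import Dict, List

RISK_RANK = {"low": 1, "medium": 2, "high": 3}    # "high" reports only High, "low" reports all


@dataclass(frozen=True)
class Event:
    attack: str
    risk: str
    src_ip: str
    dst_ip: str
    time: float          # seconds


@dataclass(frozen=True)
class Alert:
    attack: str
    risk: str
    src_ip: str
    dst_ip: str
    status: str          # "Sample" (addresses known) or "Aggregated" (this example's own name)
    count: int


class Reporter:
    def __init__(self, aggregation_threshold: int = 10, reporting_interval: float = 30.0,
                 max_alerts: int = 100, level: str = "low") -> None:
        self.threshold = aggregation_threshold   # Report Aggregation Threshold
        self.interval = reporting_interval       # Reporting Interval (seconds)
        self.max_alerts = max_alerts             # Max Alerts Per Report
        self.min_rank = RISK_RANK[level]         # risk level selected for the channel

    def reports(self, events: List[Event]) -> List[List[Alert]]:
        """One report per Reporting Interval, from the first event to the last."""
        if not events:
            return []
        start, end = min(e.time for e in events), max(e.time for e in events)
        out = []
        while start <= end:
            out.append(self.build([e for e in events if start <= e.time < start + self.interval]))
            start += self.interval
        return out

    def build(self, window: List[Event]) -> List[Alert]:
        by_attack: Dict[str, List[Event]] = {}
        for e in window:
            if RISK_RANK[e.risk] >= self.min_rank:
                by_attack.setdefault(e.attack, []).append(e)
        alerts: List[Alert] = []
        for attack, evs in by_attack.items():
            for e in evs[:self.threshold]:                # up to the threshold: addresses reported
                alerts.append(Alert(attack, e.risk, e.src_ip, e.dst_ip, "Sample", 1))
            rest = evs[self.threshold:]
            if rest:                                      # beyond it: one entry, addresses 0.0.0.0 ("Any")
                alerts.append(Alert(attack, rest[0].risk, "0.0.0.0", "0.0.0.0", "Aggregated", len(rest)))
        return alerts[:self.max_alerts]


def constructed_events() -> List[Event]:
    """Constructed sample: a 15-source SYN flood, a low-risk scan, and a straggler in the next interval."""
    evs = [Event("SYN Flood", "high", "198.51.100.%d" % i, "192.0.2.10", float(i)) for i in range(15)]
    evs += [Event("TCP Port Scan", "low", "203.0.113.7", "192.0.2.10", 2.0 + i) for i in range(2)]
    evs.append(Event("SYN Flood", "high", "198.51.100.77", "192.0.2.10", 31.0))
    return evs


def run_demo() -> dict:
    evs = constructed_events()
    low = Reporter(aggregation_threshold=5, level="low").reports(evs)
    medium = Reporter(aggregation_threshold=5, level="medium").reports(evs)
    capped = Reporter(aggregation_threshold=5, max_alerts=4).reports(evs)
    first = low[0]
    return {
        "intervals": len(low),
        "low_first": len(first),
        "aggregated_count": next(a.count for a in first if a.status == "Aggregated"),
        "any_ip": [a.src_ip for a in first if a.status == "Aggregated"],
        "medium_first": len(medium[0]),
        "capped_first": len(capped[0]),
    }
```

With a threshold of 5, the fifteen SYN Flood events in the first interval become five Sample alerts with real source addresses and one 0.0.0.0 entry counting the other ten, which is the partial-picture effect the note on counter-based and DoS attacks describes. Raising the channel's level to Medium drops the low-risk scan from the report, and Max Alerts Per Report cuts the report after the first four alerts regardless of what follows.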
Event Parameters

Devices send various types of information about a security event (attack). Table 9-16 summarizes the parameters of an event.

Table 9-16 Event Parameters

Risk: The attack severity level: high, medium, or low.
Date/Time: The date and time when the report was generated.
Attack Name: The name of the detected attack.
Physical Port: The actual port on the device from which the attack arrived.
Action: The reported action can be:
   • Forward: The packet is forwarded to its destination.
   • Drop: The packet is discarded.
   • Reset Source: Sends a TCP-Reset packet to the packet source IP.
   • Reset Destination: Sends a TCP-Reset packet to the destination address.
Category: The category of the attack: Anomalies, Intrusion, Anti-Scanning, or DoS.
Protocol: The transmission protocol used to send the attack: TCP, UDP, ICMP, or IP.
Source Address: The IP address from which the attack arrived.
Source Port: The TCP/UDP source port.
Destination Address: The IP address to which the attack is destined.
Destination Port: The TCP/UDP destination port.
Radware Attack ID: Radware's unique identifier of the attack.
Packet Count: The number of packets in the attack.
Packet Bandwidth: The bandwidth of the attack since the latest trap was sent (KByte).
Status: The current status of the event.
   For Intrusions, Anomalies, Anti-Scanning, SYN Flood attacks, and Application Security for DoS/DDoS attacks, the following statuses can appear:
   • Occurred: Each packet matched with signatures is reported as an attack and must be dropped.
   • Started/Terminated: When the number of packets that match the signatures exceeds the predefined threshold within the Tracking Time, the reported Attack Status is Started. When the number of packets that match the signatures falls below the predefined threshold, the reported Attack Status becomes Terminated.
   • Ongoing: Reports on a counter-based attack during the period in which the attack takes place, that is, between Started and Terminated.
   For DoS Shield attacks, the following statuses can appear:
   • Alert: When the number of packets that match the signatures goes beyond the predefined Warning Threshold.
   • Active: When the number of packets that match the signatures goes beyond the predefined Activation Threshold.
   • Block: When the number of packets that match the signatures goes beyond the predefined Drop Threshold.
   • De-al: The Deactivation Alert status is reported when the attack is about to be terminated.
   • De-ac: The Deactivation status is reported when the attack is terminated.
Device IP: The IP of the device with which the attack is associated.
VLAN Tag: VLAN Tag information, according to which you can generate reports for each customer by using the customer's VLAN Tag value. A value of "0" in this field indicates that the VLAN Tag is not available. Note: CID on Application Switch 4 does not support VLAN Tagging, and a value of "0" is always set.
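The DoS Shield status sequence that the Warning, Activation and Drop thresholds produce over the life of a flood, as an added Python model. This is not CID code and not from the CID User Guide: the threshold values, the one-sample-per-second packet counts, and the rule used for the two deactivation statuses (De-al on the first sample below the Warning Threshold, De-ac once the rate has stayed below it for a full Tracking Time) are this example's assumptions; Table 9-16 names the statuses and thresholds but gives no values.

```python
"""DoS Shield status transitions driven by Warning, Activation and Drop thresholds
(added example, not CID code; threshold values and the De-al/De-ac timing rule are assumed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Thresholds:
    warning: int = 100           # matching packets per sample that raise Alert
    activation: int = 500        # ... that raise Active
    drop: int = 2000             # ... that raise Block
    tracking_time: float = 10.0  # seconds below Warning before De-ac (assumption)


class DoSShieldTracker:
    def __init__(self, th: Thresholds = Thresholds()) -> None:
        self.th = th
        self.attack_active = False
        self.below_since: Optional[float] = None   # time the rate first fell below Warning
        self.history: List[Tuple[float, str]] = []  # (time, status) for each status change reported

    def _report(self, t: float, status: str) -> None:
        if not self.history or self.history[-1][1] != status:
            self.history.append((t, status))

    def sample(self, t: float, matched_pkts: int) -> str:
        """Feed the number of signature matches since the last sample; return the current status."""
        th = self.th
        if matched_pkts >= th.drop:
            status = "Block"
        elif matched_pkts >= th.activation:
            status = "Active"
        elif matched_pkts >= th.warning:
            status = "Alert"
        else:
            status = None
        if status is not None:
            self.attack_active = True
            self.below_since = None
            self._report(t, status)
            return status
        if not self.attack_active:
            return "Idle"
        # Below Warning while an attack is active: announce, then terminate after Tracking Time
        if self.below_since is None:
            self.below_since = t
            self._report(t, "De-al")
            return "De-al"
        if t - self.below_since >= th.tracking_time:
            self.attack_active = False
            self.below_since = None
            self._report(t, "De-ac")
            return "De-ac"
        return "De-al"


def run_demo() -> Tuple[List[str], List[str]]:
    """Constructed packet-rate samples, one per second: a flood ramps up, peaks, then stops."""
    rates = [20, 150, 700, 2500, 2500, 600, 150, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30, 30]
    tracker = DoSShieldTracker()
    statuses = [tracker.sample(float(t), n) for t, n in enumerate(rates)]
    return statuses, [s for _, s in tracker.history]
```

The history list is what a reporting channel would carry: one status per transition rather than one per sample, with Block reached only once the Drop Threshold is crossed, and termination split into the De-al warning and the De-ac confirmation so that a brief lull does not end the event prematurely.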
Reporting Channels

CID supports the following reporting channels:
• Traps
• Email Traps
• Logs
• Syslog Messages

Sending Traps

Traps can be sent from the device to any computer that you choose, for example to the management station. You must enable the device to send SNMP traps to other computers by defining the computers as targets. Trap Notification is set up through the device's Target Address table. This table restricts the range of addresses from which SNMP requests are accepted and to which traps may be sent. You can specify SNMP parameters and select which type of notification each target receives. Optionally, you can designate that specific users are allowed access to the traps.

Note: After configuring the device to send SNMP traps, enable the device to start sending traps.

Security Traps Configuration Guidelines:
1. Enable the management station to receive traps (see the SNMP configuration procedures in Chapter 2, pages 2-35 to 2-44):
   a. Define access parameters, such as message processing security level and model.
   b. In the Community Table, map user names to communities and vice versa using the SNMP Community Table.
   c. Define target addresses. For example, to ensure that the management station receives traps, configure its IP address into the Target Address table.
   d. Define the target parameters.
   e. Specify the type of SNMP notification a target receives.
2. Enable traps reporting, see page 9-185.
3. Enable the device to start sending traps, see page 9-191.
4. Record security traps on the management station, see page 9-192.
5. View traps at the management station, see page 9-192.
6. Define the graphical representation of the security reports in APSolute Insite; refer to the APSolute Insite User Guide.
Start Sending Traps

Once you define all the notification and target parameters, enable the device to start sending traps.

To enable the device to send traps:
1. From the main window, select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, click Settings. The Security Reporting window appears.
3. In the Application Security Parameters area (at the top), ensure that Traps Sending is enabled. Click Apply to enable.

To enable the device to send one trap per event:
1. From the main APSolute Insite window, open the Options menu and select Preferences. The Management Preferences window appears.
2. In the Management Preferences window, select the Trap and SMTP pane. Ensure that you provide the IP address of your SMTP server.
3. Select One Trap to generate only one trap per event.

Recording Security Traps

Once you have configured the device to send traps, Radware Traps Service records them automatically. Security traps are recorded in a local database, and the information from the database is used to create Security Reports. Refer to the APSolute Insite User Guide for more on Security Reports.

Trap severity ratings include, in increasing order of severity: Informational, Warning, Error, and Fatal.
To view traps received by the management station:
1. From the main APSolute Insite window, open the Options menu and select Events & Traps. The Traps and Events window appears, displaying the following information:
   Trap number: The chronological order number of the trap. Traps are numbered in the order that they are generated.
   Severity: The trap's severity level.
   Date: The date that the trap was generated.
   Time: The time that the trap was generated.
   Source: The IP address that triggered the trap, for example, the CID's IP address.
   Information: Description of the trap.

Notes:
• Traps from multiple devices can be viewed simultaneously in the Events and Traps window.
• You can access trap data related to security events via Security Reports.

Radware Traps Service continues to record traps until instructed to stop.

To stop recording security traps:
1. Open your computer's Control Panel (Start > Settings > Control Panel).
2. Open the Administrative Tools directory.
3. Double-click Services. The Services window appears.
4. In the Services window, right-click Radware Traps Service and select Stop.

Email Traps

E-mail traps can be sent to specific users in a similar manner to the way in which SNMP traps are sent.

To enable the device to send email traps:
1. From the main window, select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, click Settings. The Security Settings window appears.
3. In the Security Settings window, click the Reporting tab. The Reporting pane appears.
4. In the Reporting pane, check Email Sending.
5. In the main window, select Device > Traps and SMTP. The Traps and SMTP window appears.
6. In the Traps and SMTP window, set the following parameters according to the explanations provided:
   Send Emails on Errors: Select if you want to send an e-mail alert when an operational error occurs at the device.
   One Trap: Generate only one trap per event.
7. Click Ok to enable.
Logging

When the device recognizes security events, they are logged in an all-purpose cyclic Log File. The device's Log File can be accessed at any time, but it is limited in size. When the number of entries is beyond the permitted limit, the oldest entries are overwritten. You are notified regarding the status of the Log File utilization; the notifications appear when the file is 80% utilized and 100% utilized. To start the logging process, configure one or more devices to perform logging.

To configure a device to perform event logging:
1. From the main window, select APSolute OS > Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, click Settings. The Security Settings window appears.
3. In the Security Settings window, click the Reporting tab. The Reporting pane appears.
4. In the Reporting pane, check Logging.
5. Click Ok.

Note: Information in the log file can be viewed by downloading it at the management station into a file.

To download the Log File at the management station:
1. From the main APSolute Insite window, open the APSolute OS menu and select Security. The Connect & Protect Table window appears.
2. In the Connect & Protect Table window, click Settings. The Security Parameters window appears.
3. Click TFTP Log. The Download Log File window appears.
4. Select the External TFTP Server IP Address box to specify the IP address of an external TFTP server. To use the default TFTP server, clear the checkbox.
5. In the File Name field, enter the name you wish to assign to the file.
6. Click Browse to select the directory where you want to save the file.
7. Optionally, enable Clear Log File After Receive to clear the log file once the download is completed.
8. Click Receive. The Log File is downloaded, and the status of the download is displayed.
9. Select one of the options, HTML, Excel, or Advanced, to set the format for exporting the Log File. If you select Advanced, click Advanced Settings. The Attack Reports window appears.
10. In the Attack Reports window, select the categories by which the report is filtered:
   Attack: The attack that you want to appear in the report. You can select the attack from the drop-down list that contains all the attacks that were recognized by the device. If the Attack checkbox is not selected, the report includes all the attacks.
   Source IP: The range of Source IPs from which the attacks arrived that you want to appear in the report.
   Destination IP: The range of Destination IPs to which the attacks are targeted that you want to appear in the report.
   Attack Date: The range of dates in which the attacks were recognized by the device.
11. From the Select Fields section, select the checkboxes to define the fields displayed in the report.
12. Click Create Top 10 Graph and choose an item from the drop-down list to create a graph of the 10 most frequently mentioned items in the report.
13. Click Ok to close the Attack Reports window.

Tip: You can access logged security events via Security Reports (see Security Reports, page 9-197).

Syslog Messages

Syslog messages can be sent to a syslog station in a similar manner to the way SNMP traps are sent.

To configure the device to send syslog messages:
1. From the main APSolute Insite window, open the Device menu and select Traps and SMTP. The Traps and SMTP window appears.
2. In the Syslog Reporting area, enter the IP address of the host running the syslog service in the Syslog Station Address field.
3. Select the Syslog Operation checkbox to enable syslog reporting.
4. Click Ok.
Security Reports

Security Reports enable reporting capabilities, such as user-defined Reports, a Multi Device Dashboard, a Geographical Security Map, enhanced data management in the Attacks Log, and data correlation between the Security Reports and the Attacks Log. The reports are presented as graphs, which enable you to understand attack activity and its impact on your network. You can view attack activity over time, types of attacks, the attack risk level, attack bandwidth, and attack sources and destinations.

The Security Reporting module allows you to define view filters and to create predefined/user-defined reports, views, and tools, with a unified filtering and reporting mechanism. Each view filter can be defined by the user and can be used for both the Attacks Log and Attack Reports views; the applied view filters affect both simultaneously. In addition, the predefined reports list is used for both the Attacks Log and Attack Reports views. For example, you can display a Top 10 Attacks report in the Attacks Log and switch to the Attack Reports view to see the same information in a graphical view. You can also apply a viewing filter in the Reports view and then switch to the Attacks Log to display the information after the filtering process.

Security Monitoring Tools

The Security Reporting module allows you to view information in eight different views. Each of the monitoring tools focuses on different types of analysis requirements:
• Dashboard View: Displays the Security Radar and dashboard pie charts.
• Attacks Log View: Displays the Attacks Event log, including all trap parameters.
• Reports View: Displays the different Security Reports in a graphical view (bar, plot, and so on).
• Attacks Log and Reports Split View: Displays both the Attacks Log and Reports in a split screen view. The same information is displayed in two different views.
• Attacks Log and Packet Data View: Displays both the Attacks Log and Packet Capture Data in a split screen view.
• Geographical Map: Displays a geographical map of the world with indications of the sources of attacks.
• Attacks Log and Attack Description View: Displays both the Attacks Log and Attack Description in a split screen view.
• Attacks Log and Attack Information View: Displays the Attacks Log, Attack Description, and Packet Data in a split screen view.
How Data Is Gathered

You must initially select a device, or group of devices, in order to generate data for the reports. The devices monitor attack activity. When a device detects an attack, the security model logs data about a "security event." A security event fits predefined attack profiles. Once reporting channels are configured, the device starts sending information about security events to the management station via SNMP Traps. The management station (running APSolute Insite) stores the security event data and packet information in a local database. This information is then used to create Security Reports that provide information about the security events. For detailed information on Security Reports, refer to the APSolute Insite User Guide.

CHAPTER 10 Application Switching Platforms

Chapter 10, Application Switching Platforms, provides an explanation of Radware's Application Switching Platforms, Device Interfaces, a list of specifications, Serial Cable Pin Assignment and a troubleshooting section. This chapter includes the following sections:
• Section 10-1: Introduction to Intelligent Application Switches, page 10-2
• Section 10-2: Physical Description, page 10-11
• Section 10-3: Device Installation, page 10-26
• Section 10-4: Device Interfaces, page 10-31
• Section 10-5: Specifications, page 10-37
• Section 10-6: Serial Cable Pin Assignment, page 10-44
• Section 10-7: Trouble Shooting, page 10-46
Section 10-1 Introduction to Intelligent Application Switches

Each Radware device is built on top of Radware's Intelligent Application Switching Architecture, combining high speed hardware processing power with SynApps Application Aware Services for total IP Application performance across layers 4-7. Radware's Application Switching Platforms consist of the following Application Switches:
• Application Switch 1, page 10-3
• Application Switch 2, page 10-4
• Application Switch 3, page 10-5
• Application Switch 4, page 10-6
• Application Switch 5, page 10-9

Application Switch 1

Figure 10-1 Application Switch 1

Application Switch 1 (Figure 10-1) combines ASIC-based switching, CPU processing power and APSolute OS 'Application Aware' Services to deliver the performance and service needed to address all IP application requirements across network layers 4-7. Designed to guarantee application availability, security and performance, Application Switch 1 is the first platform to bridge the gap between your IT infrastructure and IP Applications for comprehensive control of all critical operations across the enterprise.

Wire Speed Forwarding and Central Processing Power

With switching ASICs at the port level, Application Switch 1 ensures wire speed forwarding across the 2 Gigabit and/or 8 Fast Ethernet ports available in the 1U device. Layer 3-7 operations are powered by the Motorola PowerPC 755 central processing unit, powering APSolute OS application services for optimized resource utilization and maximum application performance.
Application Switch 2

Figure 10-2 Application Switch 2

Application Switch 2 (Figure 10-2) enables wire speed forwarding across 5 GBIC ports and 16 Fast Ethernet ports, or 7 GBIC ports, boosting IP application performance to Gigabit speeds. Application Switch 2 is powered by a multi-layered switching architecture combined with comprehensive APSolute OS 'Application Aware' services, based on a Motorola PowerPC 7410 CPU, to address the widest set of protocols and service requirements across network layers 4-7. Fusing accelerated processing speeds with the ability to optimize routing decisions based on specific applications, web requests and content, Application Switch 2 guarantees complete reliability, performance and security across all IP applications, for complete control over enterprise operations.

Application Switch 3

Figure 10-3 Application Switch 3

Application Switch 3 (Figure 10-3) provides an innovative three-tiered architecture that couples enhanced performance and power with 10Gb connectivity, providing businesses for the first time with a comprehensive solution for ensuring the integrity of applications carried over high-bandwidth networks.

Multi-Gigabit Switching Architecture

Driving Intelligent Application Switching performance up to 3-Gigabit speeds, Application Switch 3 features 44 Gbps connectivity and multi-Gigabit network processors, non-blocking traffic throughput across a 19.2 Gbps backplane, and strong central processing. AS3 affords complete control over mission critical applications and explosive transactions across the most demanding networking environments. Application Switch 3 delivers APSolute OS security, availability and reliability of services at multi-gigabit speeds, bullet-proofing any IP or Web Service application running on the network.

Application Switch 4

Figure 10-4 Application Switch 4

Application Switch 4 (Figure 10-4) provides a 44 Gbps switching fabric and high port density. Application Switch 4 non-blocking 44 Gigabit switching is based on a multi-layered distributed switching architecture using switching ASICs that ensures wire speed switching for the 8 1-Gigabit ports (GBICs) and 12 copper 1-Gigabit ports.
Main CPU – RISC Processor Application Switch 4 RISC processor Motorola PPC 7457 1.Introduction to Intelligent Application Switches Application Switch 4 Figure 10-4 Application Switch 4 Application Switch 4 (Figure 10-4) provides 44 Gbps Switching Fabric and High Port Density. performance of complex layer 7 switching algorithms 10-6 CID User Guide . is the fastest processor in the market. Dual Power Supplies Application Switch 4 can be ordered with hot swappable dual activeactive AC or DC power supplies.000 parallel string searches and a high end Power PC RISC processor for scheduling and running the parallel search algorithms.Dedicated ASIC Based Security Hardware Accelerator Radware StringMatch Engine is a dedicated hardware card designed specifically to provide accelerated deep packet inspection and attack's signature matching. handling all tasks related to packet processing and traffic forwarding. This revolutionary architecture provides Application Switch 4 with the strongest processing power for layer 7 switching. work in parallel and are capable of processing multiple packets simultaneously to provide accelerated layer 4-7 switching speed. Application Switch 4 software constantly checks the status of each CID User Guide 10-7 . 3-tier processing architecture. The StringMatch Engine consists of up to 8 ASICs enabling 256. Radware StringMatch Engine . all layer 4-7 packet processing is performed by the network processors. The StringMatch engine provides 9 Gigabit of free-range searches and 16 Gigabit of fixed offset searches for unmatched performance.Chapter 10 . which provide higher level of redundancy which is often required by high end enterprises. carriers and data centers. State of the Art Network Processors The two network processors designed specifically to handle sessions/ packets. In Application Switch 4. 
This parallel processing allows the RISC processor to perform complex layer 7 algorithms without affecting or being affected by the volumes of traffic forwarded by the network processors.Application Switching Platforms and to conduct management tasks without any degradation of the device performance. When DIP Switch 8 is up.Introduction to Intelligent Application Switches power supply and sends a trap to APSolute Insight management application if any type of failure is detected. When DIP Switch 8 is down. this means there is a single PS. 10-8 CID User Guide . this means that there are two PS. In order for the application to recognise the secondary supply (so that the application is able to check the status of the power supply and notify in cases of failures) DIP Switch number 8 should be toggled. Note: In order to add an additional PS simply plug the additional power supply to its correct location and it will begin to work immedeatly. all layer 4-7 packet processing is performed by the four network processors. Main CPU Processor Application Switch 5 RISC processor Motorola PPC 7457 1. 3-tier processing architecture. This parallel processing allows the RISC processor to perform complex layer 7 algorithms without affecting or being affected by the volumes of traffic forwarded by the network processors. This revolutionary architecture provides Application Switch 5 with the strongest processing power for layer 7 switching. 9 Gigabit ports (SFP) and 8 copper 1Gigabit ports.Chapter 10 . CID User Guide 10-9 . is the fastest processor in the market. Application Switch 5 non-blocking switch is based on a multi-layered distributed switching architecture using switching ASICs that ensures wire speed switching for the 2 10G ports.7GHz. In Application Switch 5. performance of complex layer 7 switching algorithms and to conduct management tasks without any degradation of the device performance. 
It allows execution of health checks at short intervals.Application Switching Platforms Application Switch 5 Figure 10-5 Application Switch 5 Application Switch 5 (Figure 10-5) provides 74 Gbps switching with high port density. Note: In order to add an additional PS simply plug the additional power supply to its correct location and it will begin to work immedeatly. 10-10 CID User Guide . which provide higher level of redundancy which is often required by high end enterprises.Introduction to Intelligent Application Switches State of the Art Network Processors Four network processors are designed specifically to handle sessions / packets. this means that there are two PS. handling all tasks related to packet processing and traffic forwarding. work in parallel and are capable of processing multiple packets simultaneously to provide accelerated layer 4-7 switching speed. When DIP Switch 8 is up. In order for the application to recognise the secondary supply (so that the application is able to check the status of the power supply and notify in cases of failures) DIP Switch number 8 should be toggled. When DIP Switch 8 is down. allowing the master CPU to process only the L4-7 decisions. this means there is a single PS. Dual Power Supplies Application Switch 5 can be ordered with hot swappable dual activeactive AC or DC power supplies. Employing the Network processors allows fast forwarding of packets and reducing the load from the master CPU processors and by that. Application Switch 5 software constantly checks the status of each power supply and sends a trap to Configware Insight management application if any type of failure is detected. carriers and data centers. Application Switching Platforms Section 10-2 Physical Description Section 10-2. is designed to get the user familiar with the devices and provides instructions on the installation procedure as well as offering an explanation of how to configure the device IP Host Parameters. page 10-12 CID User Guide 10-11 . 
Application Switches Physical Description

The Application Switches Physical Description includes a diagram of each device together with a description of the device's features.

Application Switch 1

Figure 10-6 Application Switch 1 - Front Panel View

Table 1: AS 1 Front Panel Description
Reset: Allows you to reset the device.
Mode: Allows you to change the display mode of the Port LEDs.
Mode display: This display indicates the display mode of the Port LEDs as follows, from the top line, left to right:
  LNK: Link Status
  FE: Ethernet Mode (for fast ethernet ports only)
  COL: Collisions
  ERR: Errors
  ACT: Activity
  FD: Duplex Mode
  TX: Transmission Activity
  RX: Receiving Activity
Upper LED: The upper LED indicates that the device is powered.
Lower LED: The lower LED indicates that the application is currently running. This LED is off when the application is still loading or has failed.
RS-232C: Console Port.
Gigabit Ethernet Port and LED: The LED indicates the following information according to display mode:
  LNK: On - Physical connection detected. Off - No physical connection detected.
  ACT: Flashing indicates that data is being transferred via the port.
The status LEDs for the 8 fast Ethernet Ports: Each LED indicates the following information according to display mode:
  FD: On - Indicates Full Duplex mode. Off - Indicates half Duplex mode.
  COL: On - Indicates collisions are occurring.
  ERR: On - Indicates errors are occurring.
  TX: Flashing indicates that the port is transmitting data.
  RX: Flashing indicates that the port is receiving data.

Table 2: AS 1 Back Panel Description
Power Socket: The socket to which the power cable is connected.
Power Switch: On / Off power.
Act Boot: DipSwitch 1 (first from the left). This switch determines the active boot on the device. Switch "Down": Boot 1 is active. Switch "Up": Boot 2 is active.

Application Switch 2

Figure 10-7 Application Switch 2 - Front Panel

Table 3: AS 2 Front Panel Description
Status LEDs: These LEDs indicate the status of the following:
  PWR: The device is powered.
  SYS: The application is currently running. This LED is off when the application is still loading or has failed.
  FAN: When lit, indicates that the fans are not operational.
RST: Reset button.
Gigabit Ethernet Port (1-5) and LED: The LED indicates the following information:
  Upper LED: On - Physical connection detected. Off - No physical connection detected.
  Middle LED: Lit Green - Port is receiving data. Lit Red - Receive loss or no physical connection.
  Lower LED: Lit Green - Port is transmitting data. Lit Red - Transmission faults.
Mode: Allows you to change the display mode of the Fast Ethernet Port LEDs.
Mode LEDs: The LEDs indicate the display mode of the Fast Ethernet Ports:
  LNK - Link Status
  ACT - Activity
  FE - Ethernet Mode
  FD - Duplex Mode
The Status LEDs for the Fast Ethernet Ports: Each Port LED indicates the following information according to display mode:
  LNK: On - Physical connection detected. Off - No physical connection detected.
  ACT: Flashing indicates that data is being transferred via the port.
  FE: On - Indicates 100BaseT mode. Off - Indicates 10BaseT mode.
  FD: On - Indicates Full Duplex mode. Off - Indicates half Duplex mode.
Fast Ethernet Ports F1-F16.
Reset: Resets the device.

Table 4: AS 2 Back Panel Description
Power Socket: The socket to which the power cable is connected.
Power Switch: On / Off power.
Act Boot: DipSwitch 1 (first from the left). This switch determines the active boot on the device. Switch "Down": Boot 1 is active. Switch "Up": Boot 2 is active.
RS-232C: Console Port for out-of-band management.
Compact Flash: Insertion point for the Compact Flash Card.

Application Switch 3

Figure 10-8 Application Switch 3 - Front Panel View

Table 5: AS 3 Front Panel Description
Status LEDs: These LEDs indicate the status of the following:
  PWR: The device is powered.
  SYS: The application is currently running. This LED is off when the application is still loading or has failed.
  FAN: When lit, indicates that the fans are not operational.
RST: Reset button.
The 10 Gigabit Ethernet Port and LEDs: The LED indicates the following information:
  Upper LED: On - Physical connection detected. Off - No physical connection detected.
  Middle LED: Lit Green - Port is receiving data. Lit Red - Receive loss or no physical connection.
  Lower LED: Lit Green - Port is transmitting data. Lit Red - Transmission faults.
Gigabit Ethernet Ports (G1-G8) and LEDs: The LED indicates the following information:
  Upper LED: On - Physical connection detected. Off - No physical connection detected.
  Middle LED: Lit Green - Port is receiving data. Lit Red - Receive loss or no physical connection.
  Lower LED: Lit Green - Port is transmitting data. Lit Red - Transmission faults.
Fast Ethernet Ports (F1-F16) and LEDs: Left LED: Lit green - Indicates 100BaseT mode. Flashing green - Indicates that data is being transferred via the port in 100BaseT mode. Lit yellow - Indicates 10BaseT mode. Flashing yellow - Indicates that data is being transferred via the port in 10BaseT mode. Off indicates no link.
Reset: Resets the device.

Table 6: AS 3 Back Panel Description
Power Socket: The socket to which the power cable is connected.
Power Switch: On / Off power.
Act Boot: DipSwitch 1 (first from the left). This switch forces the device to use the internal flash application version after a reboot has occurred. Switch "Down": device reboots from compact flash (default). Switch "Up": device reboots from internal flash.
RS-232C: Console Port for out-of-band management.
Compact Flash: Insertion point for the Compact Flash Card.

Application Switch 4

Figure 10-9 Application Switch 4 - Front Panel View

Table 7: AS 4 Front Panel Description
Gigabit Ethernet Ports (G1-G8) and LEDs: The LED indicates the following information: when the LED is illuminated, the port is connected; when the LED is flashing, there is activity on this port.
Fast Ethernet Ports (F1-F16) and LEDs: Left LED: Lit green - Indicates 100BaseT mode. Flashing green - Indicates that data is being transferred via the port in 100BaseT mode. Lit yellow - Indicates 10BaseT mode. Flashing yellow - Indicates that data is being transferred via the port in 10BaseT mode. Off indicates no link.
Copper ports (G1 to G12): Each port has two LEDs. The left LED indicates Link/Activity or No Link and the right LED indicates the speed of the port.
Reset: Resets the device.

Table 8: AS 4 Back Panel Description
Power Socket: The socket to which the power cable is connected.
Power Switch: On / Off power.
Act Boot: DipSwitch 1 (first from the left). This switch forces the device to use the internal flash application version after a reboot has occurred. Switch "Down": device reboots from compact flash (default). Switch "Up": device reboots from internal flash.
RS-232C: Console Port for out-of-band management.
Compact Flash: Insertion point for the Compact Flash Card.
Ethernet Port: For debugging purposes only (Radware R&D only).

Application Switch 5

Figure 10-10 Application Switch 5 - Front Panel View

Table 9: AS 5 Front Panel Description
10 Gigabit Ethernet Ports (XG-1 / XG-2) and LEDs: The LED indicates the following information: when the LED is illuminated, the port is connected; when the LED is flashing, there is activity on this port.
Gigabit Ethernet Ports (G1-G9) and LEDs: The LED indicates the following information: when the LED is illuminated, the port is connected; when the LED is flashing, there is activity on this port.
Copper ports (G1 to G12): Each port has two LEDs. The left LED indicates Link/Activity or No Link and the right LED indicates the speed of the port.
Reset: Resets the device.

Table 10: AS 5 Back Panel Description
Power Socket: The socket to which the power cable is connected.
Power Switch: On / Off power.
Act Boot: DipSwitch 1 (first from the left). This switch forces the device to use the internal flash application version after a reboot has occurred. Switch "Down": device reboots from compact flash (default). Switch "Up": device reboots from internal flash.
RS-232C: Console Port for out-of-band management.
Compact Flash: Insertion point for the Compact Flash Card.
Ethernet Port: For debugging purposes only (Radware R&D only).

Section 10-3 Device Installation

Section 10-3, Device Installation, explains the installation process, including checking the contents, mounting the device and connecting the device to your network.

This section includes the following topics:
• Checking the Contents, page 10-27
• Mounting the Device, page 10-28
• Connecting the Device to Your Network, page 10-29

Checking the Contents

Before beginning the hardware installation, open the box and check that the following components are included:
• Radware device.
• One power cable (only for countries using 110v power supply).
• One serial cable.
• Two cross cables (Application Switch 1 and Application Switch 2 platforms only).
• A set of mounting brackets.
• APSolute Insite Software CD ROM.

Note: If any of the above items are missing, please consult your Radware agent.

Mounting the Device

Radware's devices can be either rack-mounted or mounted on a tabletop. The package includes brackets to enable rack-mounting of the device. Rubber feet are attached to the bottom of the device to enable tabletop mounting.

Note: For the Compact Application Switch a separate rack mountable tray must be ordered from Radware.

To rack-mount the device:
1. Attach one bracket to each side of the device, using the screws provided.
2. Attach the device to the rack with the mounting screws.

Note: After mounting the device, ensure that there is sufficient airflow surrounding the device.

Connecting the Device to Your Network

After you have mounted the device, connect the cables. To connect the device, the following connections must be completed in the following order:
1. AC Power Connection
2. ASCII Terminal (Serial) Connection
3. LAN Connections

To connect the AC power connection:
1. Connect the power cable to the main socket, located on the rear panel of the device.
2. Connect the power cable to the grounded AC outlet.

To make the ASCII terminal connection:
1. Connect the serial port connector to the front panel.
2. Connect the other end of the serial port connector cable to your computer.
3. Access Hyper Terminal.
4. From the Hyper Terminal opening window, select the File menu, then Properties, or click the Properties icon on the toolbar. The New Connection Properties dialog box is displayed.
5. Click Configure. The Properties dialog box containing the Port Settings tab is displayed.
6. Verify that the parameters are set as follows:
   Bits per second: 19200
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow Control: None
7. Turn on the power to the unit. When the device is connected and operating properly, the PWR and System Ok indicators on the front panel are lit continuously.

LAN Connections

The cables used for LAN Connections differ as follows:
Fast Ethernet Port: Standard UTP or STP Ethernet cable, RJ45 connector.
Gigabit Ethernet Port: 1000BaseSX fiber optic cable, SC connector.
10 Gigabit Ethernet Port: 10GBase-LR fiber optic cable.

Note: AS I version 2 and AS II can use both cross and straight cables when Auto Negotiation is enabled.

To connect a device port to a LAN:
1. Connect the cable to the port interface, located on the front panel.
2. Connect the other end of the cable to the LAN switch.

Section 10-4 Device Interfaces

Section 10-4, Device Interfaces, provides an explanation of the device interfaces and how to configure them.
This section includes the following topics:
• Interfaces - Introduction, page 10-32

Interfaces - Introduction

Radware Application Switch platforms may have as few as 8 network interfaces and as many as 24. It is helpful to understand interface-indexing conventions before you perform configuration tasks such as displaying interface status and setting physical parameters (such as speed, duplex mode or auto-negotiation) via the command line interface (in web-based management and Insite, the interface description makes the interface-index convention easier to follow).

Note: On the back of the device there is an Ethernet port. This port is for R&D debugging purposes only. It has no other use.

Interface Numbering Conventions

By convention, the numbering of the Ethernet interfaces on each platform starts with the Fast Ethernet ports, then the Gigabit Ethernet ports and last the 10 Gigabit Ethernet port, if present. If there are no Fast Ethernet ports, numbering starts with the Gigabit Ethernet ports. Within the different port types, numbering is left-to-right. For example:
• On an Application Switch 2 platform with 16FE and 5GE ports, the interface index for the FE ports is 1 to 16 and for the GE ports is 17 to 21.
• On an Application Switch 2 platform with 7GE ports, the interface index for the GE ports is 1 to 7.

Displaying Interface Status and Properties

The status and settings for interfaces can be viewed via all management tools.

To display the interfaces:
• From the CLI use the command: net l2-interface
• From Web-Based Management click on the Device menu and choose the L2 Interface option.
• From APSolute Insite right-click on the device and select the Zoom In option. A graphic representation of the device front panel will be displayed. Operational status of the interfaces is displayed graphically (green for up and red for down). To view more information about each interface, right-click on the desired interface and choose Interface Parameters.

To display current settings for the interfaces:
• From the CLI use the following command: net physical-interface
• From Web-Based Management click on the Device menu and choose the Physical Interface option.
• From APSolute Insite right-click on the device and select the Zoom In option. A graphic representation of the device front panel will be displayed. To view the settings of each interface, right-click on the desired interface and choose Physical Settings.

Setting Interface Properties

Properties that are configurable on the interfaces include:
• Auto-negotiation mode.
• Port Speed (available only when Auto negotiation mode is off).
• Duplex mode (available only when Auto negotiation mode is off).

To set interface properties:
• From the Command Line Interface use the following command: net physical-interface set <port index> <-switch value>
  where switch can have the following values:
  • -a for auto negotiation (1=On, 2=Off)
  • -s for speed (1=10Mbps, 2=100Mbps, 3=1000Mbps) (this parameter cannot be changed for Gigabit Ethernet ports).
  • -d for duplex mode (1=Half, 2=Full)
• From Web-Based Management click on the Device menu and select the Physical Interface option. Click on the interface whose properties you wish to change. Perform the changes and click Set.
• From APSolute Insite right-click on the device and select the Zoom In option. A graphic representation of the device front panel will be displayed. To change the settings of an interface, right-click on the desired interface and choose Physical Settings. Change the parameters and click Ok.
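The numbering convention and the net physical-interface set command above, worked through as an added example in Python (not Radware's own code): the port counts are the ones this chapter quotes, the port kind labels fe/ge/xge and the helper names are assumptions of the example, and it requires -a 2 in the same request rather than reading the port's current auto-negotiation state from the device.

```python
# Added example (not Radware's code): interface-index arithmetic and CLI
# command building for the conventions described in this section.
# "ge" covers both SFP/GBIC and copper Gigabit ports, since the numbering
# rule treats them alike; the kind labels are an assumption of this example.
from dataclasses import dataclass
from typing import Optional

# Numbering order from the manual: Fast Ethernet, then Gigabit, then 10 Gigabit.
PORT_ORDER = ("fe", "ge", "xge")
CLI_PREFIX = "net physical-interface set"

# Switch values exactly as the manual lists them.
AUTO_VALUE = {True: 1, False: 2}            # -a: 1=On, 2=Off
SPEED_VALUE = {10: 1, 100: 2, 1000: 3}      # -s: 1=10Mbps, 2=100Mbps, 3=1000Mbps
DUPLEX_VALUE = {"half": 1, "full": 2}       # -d: 1=Half, 2=Full


@dataclass(frozen=True)
class Platform:
    name: str
    fe: int = 0
    ge: int = 0
    xge: int = 0

    def count(self, kind: str) -> int:
        return getattr(self, kind)

    def total(self) -> int:
        return self.fe + self.ge + self.xge


# Port counts quoted in this chapter (constructed for the example).
AS2_16FE_5GE = Platform("Application Switch 2 (16FE+5GE)", fe=16, ge=5)
AS2_7GE = Platform("Application Switch 2 (7GE)", ge=7)
AS3 = Platform("Application Switch 3", fe=16, ge=7, xge=1)   # 24 interfaces


def interface_index(platform: Platform, kind: str, position: int) -> int:
    """Index of the `position`-th (1-based, left to right) port of `kind`."""
    if kind not in PORT_ORDER:
        raise ValueError(f"unknown port kind {kind!r}")
    if not 1 <= position <= platform.count(kind):
        raise ValueError(f"{platform.name} has no {kind} port {position}")
    # Every port type earlier in the order occupies the lower indices; a type
    # with zero ports contributes nothing, which is why a 7GE AS2 numbers its
    # Gigabit ports from 1 while a 16FE+5GE AS2 numbers them from 17.
    offset = sum(platform.count(k) for k in PORT_ORDER[:PORT_ORDER.index(kind)])
    return offset + position


def port_kind(platform: Platform, index: int):
    """Inverse mapping: interface index -> (kind, position within that kind)."""
    if not 1 <= index <= platform.total():
        raise ValueError(f"{platform.name}: interface index {index} out of range")
    remaining = index
    for kind in PORT_ORDER:
        if remaining <= platform.count(kind):
            return kind, remaining
        remaining -= platform.count(kind)
    raise AssertionError("unreachable: index already range-checked")


def set_commands(platform: Platform, index: int, auto: Optional[bool] = None,
                 speed: Optional[int] = None, duplex: Optional[str] = None):
    """Build one `net physical-interface set` line per switch, applying the
    manual's rules: speed and duplex are only configurable with auto-negotiation
    off (here: -a 2 must be part of the same request), and speed cannot be
    changed on Gigabit (or 10 Gigabit) Ethernet ports."""
    kind, _ = port_kind(platform, index)          # also validates the index
    if (speed is not None or duplex is not None) and auto is not False:
        raise ValueError("speed/duplex require auto-negotiation off (-a 2)")
    if speed is not None and kind != "fe":
        raise ValueError("speed cannot be changed on Gigabit Ethernet ports")
    cmds = []
    if auto is not None:
        cmds.append(f"{CLI_PREFIX} {index} -a {AUTO_VALUE[auto]}")
    if speed is not None:
        cmds.append(f"{CLI_PREFIX} {index} -s {SPEED_VALUE[speed]}")
    if duplex is not None:
        cmds.append(f"{CLI_PREFIX} {index} -d {DUPLEX_VALUE[duplex]}")
    return cmds


def validation_error(platform: Platform, index: int, **kw) -> Optional[str]:
    """Return the rejection reason for a set request, or None if it is valid."""
    try:
        set_commands(platform, index, **kw)
    except ValueError as exc:
        return str(exc)
    return None
```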
Boot Version Update

As Radware's product line develops, it may become necessary to upgrade a device's Boot Code to support new firmware. Check the Boot Prom matrix at http://www.radware.com/content/support/software/bootprom/default.asp for more information regarding boot code compatibility with older firmware versions and configurations.

On Application Switch 2 and Application Switch 3, a new boot version is updated automatically during the software download process, if the new software version includes a new boot version. For Application Switch 2 you will be prompted to change the position of the dip-switch that defines which boot is used. On Application Switch 1, whenever a new boot version is required you must update it manually prior to downloading the new software version.

Radware application switch units are supplied with two boot PROMs, only one of which is used for the active boot process. The second PROM can be flash upgraded, through the CLI only, to a newer version. Once the process is completed, you can configure the device to boot from the secondary PROM (the one with the new boot code) using a DIP switch. The information below provides the steps for upgrading and switching a device's boot code.

To upgrade the Boot version manually:
1. Obtain the file with the new boot version from Radware Technical Support.
2. Reboot the device and press any key to stop the auto boot.
3. Type "u" to download the new boot version. The following message appears:

   >u
   port ( "com1", "com2" or Enter to choose the default ("com1")): com1
   baud rate (valid baudrate) or Enter to choose the current: 19200
   Please download program using XMODEM.
   >

4. Send the new boot file to the device using the Xmodem protocol. For port use "com1".
5. The new boot version is written into the non-active boot. In order to start using the non-active boot, the position of the Dipswitch needs to be changed (Application Switches I and II only). In order to boot the device with the existing boot, type "@" when prompted with "Download completed boot flash address 0x1c000000 boot flash number 0 update done."
6. Before changing the position of the dip-switch, turn the power off. After the dip-switch position is changed, turn the power on.

The Application Switch platform has two boot EPROMs, labeled "Boot1" and "Boot2". With the switch in the down position, which is the default position, the device uses Boot1. Changing the switch to the up position sets the device to use Boot2.

Locating the active boot selection switch:
• Devices with an external Dip-switch at the rear of the device: Looking at the rear panel of the device, the boot selection switch is the first switch from the left and is labeled "Act. Boot" and with the number "1."
• Devices with an internal DIP switch: The device has to be powered off and opened up to access the Dip-switch. Looking at the rear of the open device, the switch for the boot selection is located above the right corner of the power supply. The active boot selection switch is the first switch from the left of the eight switches, labeled with the number "1."

Note: On the Compact Application Switch, whenever a new boot version is required you must replace the boot EPROM prior to downloading the new software version; see the CAS Boot EPROM Replacement document (http://www.radware.com/content/document.asp?_v=about&document=3961).

Section 10-5 Specifications

Section 10-5, Specifications, includes a table which provides the specifications for the Application Switching Platforms.

This section includes the following topics:
• Specification Table, page 10-38
• Gigabit Ethernet Specifications, page 10-42

Specification Table

Feature: AS1 | AS2 | AS3 | AS4 | AS5
System Architecture: Two-Tier | Two-Tier | Three-Tier | Three-Tier | Three-Tier
Backplane: 9.6Gbps, 19.2Gbps, 44Gbps (three values are listed in the source for the five platforms)
Memory, Flash: 16MB Internal | 8MB internal + 16MB compact flash | 8MB internal + 32MB compact flash | 8MB internal + 64MB compact flash | 8MB internal + 64MB compact flash
Memory, RAM: 128-256MB | 128-256MB | 256-512MB + 512-1024MB | 1024 MB | 2048 MB for network processors
  Master: 512 or 1024 MB (AS4, AS5)
  NP: 512 or 1024 MB (AS4, AS5)
Network Interfaces, Fast Ethernet (10/100BaseT): 8 or none | 16 or none | 16 | 12 (10/100/1000) copper ports | 8x10/100/1000
Network Interfaces, Gigabit Ethernet: 2 or none (SFP fiber optic or copper) | 5 or 7 (GBIC fiber optic or copper) | 7 (SFP fiber optic or copper) | 8 (SFP fiber optic or copper) | 9 SFP
Network Interfaces, 10 Gigabit Ethernet: none | none | 1 (optical module) | none | 2 XFP
Out of Band Management (all platforms): 9-pin female RS-232 connector, DCE. Setup: 19200 bps, 8 bits, no parity, one stop bit.
Power Supply: Autorange 90v-264v 50-60Hz or 38-72VDC | Autorange 90v-264v 50-60Hz single or dual power supply, or 38-72VDC single/double | Autorange 90v-264v 50-60Hz single or dual power supply | Auto-range 100v-240v 50-60Hz single or dual power supply, or 38-72VDC single/double | Auto-range 100v-240v 50-60Hz single or dual power supply, or 38-72VDC single/double
Power consumption: 35Watt | 44Watt, 59Watt (with String Match) | 60Watt, 105Watt (with String Match) | 78 Watt without SME, 108 Watt with SME | 110.8 Watt
Heat dissipation: 110.86 BTU/h, 150.45 BTU/h, 157.51 BTU/h (with String Match), 201.08 BTU/h, 204.27 BTU/h, 358.45 BTU/h (with String Match), 378.32 BTU/h (values as listed in the source; the column assignment did not survive extraction)
Dimensions, Width: 432 mm | 432 mm | 432 mm | 432 mm | 440 mm
Dimensions, Depth: 475 mm | 455 mm | 485 mm | 485 mm | 486 mm
Dimensions, Height: 44 mm (1U) | 44 mm (1U), 88 mm (2U) for dual power supply | 44 mm (1U), 88 mm (2U) for dual power supply | 88 mm | 88 mm
Weight: 3.85 kg, 5.5 kg, 6.3 kg, 0.6 kg (with dual power supply), 7 kg (values as listed in the source)
Environmental, Operating Temperature (all platforms): 0-40C
Environmental, Humidity (non-condensing, all platforms): 20% to 80%
Certifications, Safety (all platforms): EN 60950, UL 1950, CSA 22.2 No. 950
Certifications, Electromagnetic Emission: EN 55022 (class A or class B), EN 55024, FCC part 15B (class A or class B)

Gigabit Ethernet Specifications

GBICs supported in AS1
1000Base-LX (Single-Mode): Finisar FTRJ-1319P1BNL
1000Base-SX (Multi-Mode): Agilent HFBR-5710LP; Finisar FTRJ-8519P1BNL

GBICs supported in AS2
1000Base-LX (Single-Mode): Finisar FTR-1319-3D
1000Base-SX (Multi-Mode): Stratos Lightwave MGBC-20-4-1-SV; Finisar FTR-8519-3D
1000BaseT 3.3V: DLink DGS-711
1000BaseT 5V: Finisar FCM-8520-3

Note: There are two revisions of Application Switch 2. Revision 4 requires 5v GBICs and revision 3 requires 3.3v GBICs. Revision 4 can be identified by the title "CN2" on the label on the back panel of the device, and revision 3 has the title "CN1".

GBICs supported in AS3
1000Base-LX (Single-Mode): Finisar FTRJ-1319P1BNL
1000Base-SX (Multi-Mode): Agilent HFBR-5710LP; Finisar FTRJ-8519P1BNL
1000BaseT: dataMate DM7041-L

Section 10-6 Serial Cable Pin Assignment

Section 10-6, Serial Cable Pin Assignment, provides a PC Serial Port to Radware Device Pinout table.

Table 10-1 PC Serial Port to Radware Device Pinout

Standard PC DB9 Serial Port (DTE) | DB9F to DB9M Straight Cable | Radware Device ASCII Port (DCE)
Signal / DB9M Pin | DB9F Pin / DB9M Pin | DB9F Pin / Signal
CD  / 1 | 1 / 1 | -
RxD / 2 | 2 / 2 | 2 / RxD
TxD / 3 | 3 / 3 | 3 / TxD
DTR / 4 | 4 / 4 | -
GND / 5 | 5 / 5 | 5 / GND
DSR / 6 | 6 / 6 | -
RTS / 7 | 7 / 7 | -
CTS / 8 | 8 / 8 | -
RI  / 9 | 9 / 9 | -

Section 10-7 Trouble Shooting

Section 10-7, Trouble Shooting, provides Hardware Troubleshooting.

Note: Most cases of suspected hardware problems are incorrectly identified and may be software related.

Table 10-2 Trouble Shooting

Problem: After powering up the device, the power LED remains unlit.
Possible Solution: Check the following:
• Verify that the power lead is correctly connected to the mains supply and to the device.
• Ensure that the On/Off switch located on the back panel of the device is in the On position.
Outcome: If all the previously described requirements are met and the device power LED remains unlit, please contact Radware Technical Support.

Problem: The device Power LED is lit, however there is no console response.
Possible Solution: Check the following:
• Check that the serial cable is properly connected to the device.
• Check that the serial port parameters, including speed, are correctly configured.
Outcome: If the problem persists, please contact Radware Technical Support.

Problem: Incomplete boot process. If fatal error messages appear on the terminal and no product prompt appears, this indicates an incomplete boot process.
Possible Solution: Connect to the device serial port and open a terminal connection. The following process should be implemented to eliminate possible causes:
1. Stop during the boot countdown and erase the configuration (q1 command).
2. Reboot ("@") and fill in the connectivity data (IP address) in the Startup Configuration window.
Should the problem persist, check in the release notes whether the product matches the running boot version. If not, update the boot.
Outcome: If the problem still occurs, please contact Radware Technical Support.

Problem: AS2 Flash Management. If during the boot process the following message appears in the console window:
   FATAL ERROR: tRootTask: RSFLEG_write: is failed
Possible Solution: This indicates a possible problem with Flash Management.
Outcome: Contact Radware Technical Support.

Problem: Device Port Communication failure. The device LEDs are lit, however the device does not communicate via the LAN ports.
Possible Solution: If the device fails to communicate through one or more of its LAN ports, check the following:
1. Check that the correct cable was used.
2. Verify that the correct speed and duplex mode is configured on both the Radware device and the device connected to its ports. To change port settings, change the configuration of the ports on the Radware device or the connected device, or both.
Outcome: If the problem persists, contact Radware Technical Support.

Problem: Boot upgrade failure.
• If after the boot upload is complete (via XModem) a write protection error message appears on the ASCII terminal, this indicates a dip-switch failure.
Possible Solution: In this event check the following:
1. Verify that dip-switch #1 was moved (not #8 by mistake).
2. If the correct dip-switch was moved, upload the boot image again.
Outcome: In the event a "Write Protection Error" appears again, please contact Radware Technical Support.
• If after a successful boot image upload and change of the dip-switch #1 position the device still boots up with the older version.
Possible Solution: In this event implement the following steps:
1. Change the position of dip-switch #1.
2. Upload the boot image again.
3. Reboot the device.
Outcome: If the problem persists, contact Radware Technical Support.

Appendix A - Troubleshooting

Appendix A, Troubleshooting, provides advice regarding some commonly encountered problems, as well as a list of CID limitations.

This Appendix contains the following sections:
• Section A-1: Troubleshooting Topics, page A-2
• Section A-2: CID Limitations, page A-5

Section A-1 Troubleshooting Topics

• Client Table Size: If Client Table overflow messages are encountered on the ASCII terminal or in Configware, the client table size is too small for the application. By default, the Client Table size is 20,000 entries. However, this size can be increased to higher numbers to accommodate specific applications:
  • For a CID with 64 MB memory, the Client Table size can reach 200,000 entries.
  • For a CID with 64, 128 or 256 MB memory, the Client Table size can reach 500,000 entries.
  This table size can be increased in the Device Tuning window of the CID.
• During the initial IP Address configuration, users are sometimes unable to access the Internet. This problem is caused by missing entries in the Routing Table window and a Default Gateway entry that needs to be configured properly, with the mask set to 0.0.0.0. You can also set the default router using the ASCII terminal.
• VLAN Type: CID transparent VLAN works only in the Regular type VLAN.
• When redundancy is used, ensure that Redundancy is enabled for the backup CID (under CID > Redundancy > Global Configuration). For the main device ensure that Interface Grouping is enabled (under CID > Global Configuration).
the default router of the CID must always be set. VLAN Mode: When using the device in VLAN mode. Redundancy: When operating two redundant CID units. Default Router: To ensure that the CID can access the Internet. and the next hop as the IP address of one of the next hop routers. • Redundant interfaces are configured in the Redundancy Table (under CID > Redundancy > IP Redundancy Table). You can set the default router by adding an entry to the CID Routing Table and defining the destination IP network. the CID will not trap the nonconfigured clients. • At least one server in the farm is active. Session Tracking: While serving configured clients and a session tracking is necessary. In order to intercept a transparent client. Unless all these conditions are met. CID User Guide A-3 . Hence. the CID URL re-balancing does not work properly. because of the logic conflics. ensure that the NAT addresses cover the Client Table entries. Note that any device tuning requires you to reset the device.Troubleshooting • • • • • • • • Redundancy and VLAN: When operating two redundant CID units in VLAN mode. ensure that the Main (not backup) device is configured first. Caching: While working with standard cache servers it is required the traffic from the server to the client passes through the CID. Using this mode the device handles the clients as 'sticky' clients. In order to trap traffic other than HTTP. Each NAT IP handles up to 64K sessions. although the device was configured to a farm of cache servers. you must add an intercepted port. for example RTSP port = 554. when tuning the Client Table to more than 64K entries it is necessary to use more than one NAT IP. Multiple Farms: When using more than one farm. URL Re-balancing: When using the URL entry connection limit. Non-configured Clients: The CID device does not intercept nonconfigured clients. Trapping: When CID servers do no trap non-configured clients.Appendix A . 
it is required to update the Farm Tuning prior to the farm configuration. • The CID farm is enabled. and MMS port = 1774. it is required to first set a policy. ensure that: • The Networks Table is set. it is recommended to use the Source Hashing Dispatch Method. NAT: While using NAT. Troubleshooting Topics • Pinging: If. the problem is between the device and the workstation. you can ping the physical interface. or the pinging to the physical interface was disabled. A-4 CID User Guide . there is a problem with the content inspection server and not the device. the reason may be that the device does not have access to an available cache server in the farm. • If the interface replies and the device receives the ping request. the CID device does not reply. If the farm does not respond to the ping. when pinging the farm. The device requires at least one available cache server in the farm in order to reply. • If there is no reply from the device. Appendix A . only a single connection can be opened. Table A-1 Table Size Limitations Table URL Table Client Table (128 MB platform) Client Table (64 MB platform) Farm Table Alias Table Farm Policies Table Networks Table Size 65K 500K 200K 10K 60K 20K 128K CID User Guide A-5 . For Telnet. Table Size Limitations Table A-1 lists the maximum allowed sizes for each CID table.Troubleshooting Section A-2 CID Limitations • • The URL Match and HTTP Match modes are valid only per server and not per farm and only function for non-configured clients. CID Limitations A-6 CID User Guide . and instructs how to configure the alias IP addresses for each loopback interface. Loopback addresses are required on servers when using CID network configuration with local triangulation. page B-9 CID User Guide B-1 . page B-6 Solaris. Definitions are provided for loopback configuration on these operating systems: • • • • • AIX. Loopback Interfaces.APPENDIX B Chapter B - Loopback Interfaces Appendix B. page B-5 Linux. page B-4 HP-UX. page B-8 Windows NT. 
APPENDIX B  Loopback Interfaces

Appendix B, Loopback Interfaces, describes the setup of loopback interfaces on the popularly used operating systems, and instructs how to configure the alias IP addresses for each loopback interface. Loopback addresses are required on servers when using a CID network configuration with local triangulation. Definitions are provided for loopback configuration on these operating systems:
• AIX, page B-4
• HP-UX, page B-5
• Linux, page B-6
• Solaris, page B-8
• Windows NT, page B-9

Example: Loopback Interface

Figure B-1 illustrates the loopback configuration example.

Figure B-1  Loopback Interface Example (figure; labels shown in the figure):
  CID Farm IP: 10.1.1.100; CID IP: 10.1.1.10; Router IP: 10.1.1.20
  Server 1: IP 10.1.1.1, Loopback 10.1.1.100, Def router 10.1.1.20
  Server 2: IP 10.1.1.2, Loopback 10.1.1.100, Def router 10.1.1.20
  Server 3: IP 10.1.1.3, Loopback 10.1.1.100, Def router 10.1.1.20

In the Figure B-1 example, the CID load balances among the servers:
• Server 1: 10.1.1.1
• Server 2: 10.1.1.2
• Server 3: 10.1.1.3

Each server has a loopback alias of 10.1.1.100, which is the same as the CID Farm IP address (virtual IP address). Each server has the network router (10.1.1.20) configured as the default router, so traffic from the server to the client can go directly back to the client through the router, without passing through the CID.

Servers are defined in the CID, along with their IP addresses, and are configured as Local Triangulation participants. When Internet traffic from clients arrives at a CID farm, CID selects the least busy server as its destination and forwards the request to it. The server then sends the reply directly to the default gateway, using the predefined loopback IP (farm IP), saving the need to go through CID. For more information, see Local Triangulation, page 4-80.

Section B-1  AIX

For loopback on the AIX operating system, the command syntax is:

ifconfig lo0 alias <CID virtual IP> netmask <netmask>

This command sets the first alias of the loopback interface "lo0" to have the same IP address as the CID Virtual IP (VIP). For the example network shown in Figure B-1, the command is:

ifconfig lo0 alias 10.1.1.100 netmask 255.0.0.0

This command should be executed on all servers.

Note: Resetting the server erases the configuration. Therefore, the command should be inserted in a boot-up script, so that each time the server is reset, the loopback alias is automatically configured.

Section B-2  HP-UX

For loopback on the HP-UX operating system, the command syntax is:

ifconfig lo0 <CID virtual IP>

This command sets the alias of the loopback interface "lo0" to have the same IP address as the CID Virtual IP (VIP). For the example network shown in Figure B-1, the command is:

ifconfig lo0 10.1.1.100

This command should be executed on all servers.

Note: Resetting the server erases the configuration. Therefore, the command should be inserted in a boot-up script, so that each time the server is reset, the loopback alias is automatically configured.

Section B-3  Linux

For loopback on the Linux operating system, the command syntax is:

ifconfig lo:1 <CID virtual IP> netmask <netmask> up

This command sets the first alias of the loopback interface "lo" to have the same IP address as the CID Virtual IP (VIP). Also included in the command is the proper network mask. For the example network shown in Figure B-1, the command is:

ifconfig lo:1 10.1.1.100 netmask 255.0.0.0 up

(assuming standard class A masks). Various Linux distributions, for example RedHat Linux Enterprise 3.0, may require that the netmask be 255.255.255.255. This command should be executed on all servers.

Note: Resetting the server erases the configuration. Therefore, the command should be inserted in a boot-up script, so that each time the server is reset, the loopback alias is automatically configured.

To configure loopback in RedHat Linux Enterprise 3.0 (kernel 2.1 and above):

1. To gain administrative access, the command is: su (to root).
2. To access the startup scripts, the command is: cd /etc/sysconfig/network-scripts
   This is where the network startup scripts are stored.
3. Edit /etc/rc.d/rc.local and add the following lines to the end of the file:
   /sbin/sysctl -w net.ipv4.conf.all.hidden=1
   This runs the kernel commands across reboots and enables the kernel configuration of all hidden network devices needed to configure the loopback interface properties.
   /sbin/sysctl -w net.ipv4.conf.lo.hidden=1
   This hides the loopback device, to stop the loopback from answering ARP queries.
4. To copy the generic loopback interface configuration template to a loopback interface instance lo:1, the command is: cp ifcfg-lo ifcfg-lo:1
5. Edit the file ifcfg-lo:1 and make the necessary changes to the IP address, netmask, network and broadcast addresses. The device must be set to lo:1 (lo:1 is used as an example; it could be lo:x, x=1..n).
   Note: The netmask must be set to /32 (255.255.255.255).
6. To activate the changes to the kernel without rebooting, the command is: sysctl -p

The loopback configuration is activated by the server reset.

A patch has to be installed on the Linux server to disable the loopback interface from replying to ARP requests. For more information, see http://www.ssi.bg/~ja/#hidden. The "hidden" patch targets 2.4 kernels; kernels from 2.6 onward ship the equivalent control without a patch: set net.ipv4.conf.all.arp_ignore=1 and net.ipv4.conf.all.arp_announce=2 so that the server neither answers ARP requests for the farm VIP nor uses the VIP as the source address of its own ARP requests. If a server does answer ARP for the VIP, the router can learn that server's MAC address for the farm address and send client traffic straight to it, bypassing the CID.

Section B-4  Solaris

For loopback on Sun's Solaris operating system, the command syntax is:

ifconfig lo0:1 <CID virtual IP> 127.0.0.1 up

This command sets the alias of the loopback interface "lo0" to have the same IP address as the CID Virtual IP (VIP). For the example network shown in Figure B-1, the command is:

ifconfig lo0:1 10.1.1.100 127.0.0.1 up

This command should be executed on all servers.

Note: Resetting the server erases the configuration. Therefore, the command should be inserted in a boot-up script, so that each time the server is reset, the loopback alias is automatically configured.

Section B-5  Windows NT

Setting up the loopback interface in Windows NT is not straightforward and can sometimes create unpredictable behavior.

Loopback in Windows NT: Configuration Guidelines

1. Add a new loopback adapter.
2. Configure the loopback adapter with the appropriate IP address. This should be the same as the CID Farm IP.
3. Reset the server.
4. Check the server's routing table and make adjustments if necessary.
5. Create a batch file or service to ensure that the necessary adjustments are made after every server reset.

These steps are detailed in the procedure below.

To add and configure a loopback adapter in Windows NT:

1. Right click Network Neighborhood and select Properties. Alternatively, you can get to the network properties by choosing Network from the Control Panel.
2. From the Network window, click the Adapters tab. The list of available adapters appears.
3. From the Adapters tab, click Add.
4. From the Adapters list, select MS Loopback Adapter and click Ok. The MS Loopback Adapter Setup dialog box appears.
5. In the Frame Type field, select 802.3 and click Ok.
6. You are prompted to provide the NT disk or the NT source files. Choose the location and continue.
   Note: Your NT server may automatically know where the source files are and skip this step.
7. After the loopback adapter has been properly installed, click Close. The Network Properties window closes. NT completes the configuration, then prompts to be reset.
8. NT prompts you to configure the loopback adapter with an IP address by displaying the Microsoft TCP/IP Properties dialog box.
9. In the Microsoft TCP/IP Properties dialog box, choose the loopback adapter.
10. Configure the loopback IP. This should be the same as the CID Farm IP.
11. Configure an appropriate mask, but do NOT configure a default gateway, otherwise the Local Triangulation mode may not function properly.
12. Reset the server.
    Note: The loopback configuration is activated by the server reset.
13. Once it has rebooted, log in and go to a command prompt (DOS prompt). Adjust the IP Routing Table, as described on page B-11.

Deleting Unnecessary Routes

After you add and configure the loopback adapter, it is likely that the server's IP Routing Table contains one or more unnecessary routes which you must delete. These are the non-multicast/broadcast routes which have the same gateway address as the IP address of the loopback interface. You can identify extraneous routes in the server's IP Routing Table, which you can access using the route print command. These routes usually appear in pairs (for the same destination network, usually the server's local network): one route points to the server's physical IP address, while the other points to the loopback IP address. The duplicate entries pointing to the loopback IP address as the gateway must be removed.

To adjust the Routing Table following loopback configuration:

To remove the table entry for an extraneous route, use this command:

route delete <network address> mask <net mask> <gateway address>

where <gateway address> is the same as the loopback interface. If the above command is unsuccessful, use this command:

route delete <network address>

This will remove both table entries. The appropriate entry must then be re-added using the following command:

route add <network address> mask <net mask> <gateway address>

Note: Resetting the server erases the Routing Table changes. Therefore, a batch file or service should be installed to ensure these changes are re-applied after a reset. To operate the batch file as a service, use the NT resource kit. For further assistance, please contact Radware Technical Support.
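The following script is an added example, not part of this guide or of Radware's software, that ties the per-OS loopback procedures of Appendix B together. It emits the loopback-alias commands described above for one farm VIP (with the ARP-suppression sysctls for Linux), and it parses Windows NT "route print" output to list the duplicate routes whose gateway is the loopback address, which Section B-5 says must be deleted. It assumes the farm VIP is a host address on the servers (so it defaults to a /32 mask), that a Linux server runs a 2.6 or later kernel (so arp_ignore/arp_announce replace the "hidden" patch), and it uses a constructed route-table sample rather than output captured from a real host. Nothing is applied: review the output, then run it as root on the server or paste the Windows lines into a command prompt.

```shell
#!/bin/sh
# Added example, not part of the CID guide: generate the per-OS loopback-alias
# commands from Appendix B for one farm VIP, and find the extraneous Windows NT
# routes the guide says to delete. Nothing is applied; review the output, then
# run it as root on the server (or paste the Windows lines into cmd.exe).

# loopback_cmds <aix|hpux|linux|solaris> <farm VIP> [netmask]
# Prints the command(s) for that OS. A /32 mask is the default so that the
# alias does not also install a network route through lo (assumption: the
# farm VIP is a host address on the servers, as in Figure B-1).
loopback_cmds() {
    os=$1
    vip=$2
    mask=${3:-255.255.255.255}
    case "$os" in
        aix)
            printf 'ifconfig lo0 alias %s netmask %s\n' "$vip" "$mask"
            ;;
        hpux)
            printf 'ifconfig lo0 %s\n' "$vip"
            ;;
        linux)
            printf 'ifconfig lo:1 %s netmask %s up\n' "$vip" "$mask"
            # The server must not answer ARP for the VIP, or the router may
            # learn a server MAC for it and bypass the CID. These sysctls are
            # the 2.6+ kernel replacement for the "hidden" patch the guide
            # cites (assumption: a 2.6 or later kernel).
            printf 'sysctl -w net.ipv4.conf.all.arp_ignore=1\n'
            printf 'sysctl -w net.ipv4.conf.all.arp_announce=2\n'
            ;;
        solaris)
            printf 'ifconfig lo0:1 %s 127.0.0.1 up\n' "$vip"
            ;;
        *)
            echo "loopback_cmds: unknown OS '$os'" >&2
            return 1
            ;;
    esac
}

# winnt_extraneous_routes <loopback IP>
# Reads Windows NT "route print" output on stdin and prints a "route delete"
# line for every non-multicast, non-broadcast route whose gateway is the
# loopback (farm) IP: the duplicate entry the guide says to remove.
winnt_extraneous_routes() {
    awk -v lb="$1" '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $3 == lb &&
        $1 !~ /^2(2[4-9]|3[0-9])\./ && $1 != "255.255.255.255" {
            printf "route delete %s mask %s %s\n", $1, $2, $3
        }'
}

# Constructed sample of "route print" output for server 1 of Figure B-1
# (physical IP 10.1.1.1, loopback 10.1.1.100, router 10.1.1.20); it was not
# captured from a real host.
SAMPLE_ROUTE_PRINT='Network Address          Netmask  Gateway Address       Interface  Metric
0.0.0.0                  0.0.0.0  10.1.1.20             10.1.1.1   1
10.1.1.0           255.255.255.0  10.1.1.1              10.1.1.1   1
10.1.1.0           255.255.255.0  10.1.1.100            10.1.1.100 1
10.1.1.100   255.255.255.255      127.0.0.1             127.0.0.1  1
127.0.0.0          255.0.0.0      127.0.0.1             127.0.0.1  1
224.0.0.0          224.0.0.0      10.1.1.100            10.1.1.100 1
255.255.255.255  255.255.255.255  10.1.1.100            10.1.1.100 1'

# Stand-alone use: sh loopback.sh <os> <vip> [mask]
if [ "$#" -ge 2 ]; then
    loopback_cmds "$@"
fi
```

Running "sh loopback.sh linux 10.1.1.100" prints the ifconfig line followed by the two sysctl lines; piping the saved "route print" output of an NT server into winnt_extraneous_routes 10.1.1.100 prints one route delete line per duplicate, and on the sample above that is only the 10.1.1.0/24 entry via 10.1.1.100, since the multicast and broadcast routes are skipped by design.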
APPENDIX C  Regular Expressions

Appendix C, Regular Expressions, provides an overview of the basic syntax of the regular expressions used in CID modules, for example in the DNS Regexp Hostname table in the Health Monitoring Module.

Symbols '^' and '$' indicate the beginning and end of a string, respectively, as follows:
• "^The": Matches any string that starts with "The"
• "of despair$": Matches a string that ends in the substring "of despair"
• "^abc$": A string that starts and ends with "abc"; this can only be "abc"
• "notice": A string that has the text "notice" within it

If neither of the two characters is used (as in the last example), the pattern may occur anywhere within the string and is not "hooked" to either of the edges.

Symbols '*', '+', and '?' indicate the number of times a character or a sequence of characters may occur. These symbols mean "zero or more", "one or more", and "zero or one", respectively. For example:
• "ab*": Matches a string that has an "a" followed by zero or more "b"'s ("a", "ab", "abbb", etc.)
• "ab+": Same, but there is at least one "b" ("ab", "abbb", etc.)
• "ab?": There might be one or no "b"
• "a?b+$": A possible "a" followed by one or more "b"'s ending a string

Bounds can also be used. Bounds are defined inside brace brackets and indicate ranges in the number of occurrences:
• "ab{2}": Matches a string that has an "a" followed by exactly two "b"'s ("abb")
• "ab{2,}": Matches a string that has at least two "b"'s ("abb", "abbb", etc.)
• "ab{3,5}": Matches a string that has from three to five "b"'s ("abbb", "abbbb", or "abbbbb")

The first number of a range must always be specified, for example "{0,2}", not "{,2}". Symbols '*', '+', and '?' denote the same as bounds "{0,}", "{1,}" and "{0,1}", respectively.

To quantify a sequence of characters, they must be defined within parentheses:
• "a(bc)*": Matches a string that has an "a" followed by zero or more copies of the sequence "bc"
• "a(bc){1,5}": Matches a string that has one to five copies of "bc"

The '|' symbol is an OR operator:
• "hi|hello": Matches a string that includes either "hi" or "hello"
• "(b|cd)ef": A string that includes either "bef" or "cdef"
• "(a|b)*c": A string that has a sequence of "a"'s and "b"'s, in any order, ending with "c"

A period ('.') stands for any single character:
• "a.[0-9]": Matches a string that has an "a" followed by a single character and a digit
• "^.{3}$": A string with exactly 3 characters

Bracket expressions specify which characters are allowed in a single position of a string:
• "[ab]": Matches a string that has either an "a" or a "b" (identical to "a|b")
• "[a-d]": A string that has lowercase letters 'a' through 'd' (identical to "a|b|c|d" and "[abcd]")
• "^[a-zA-Z]": A string that starts with a letter
• "[0-9]%": A string that has a single digit before a percent sign
• ",[a-zA-Z0-9]$": A string that ends in a comma followed by an alphanumeric character

You can also list the characters which you do not want to appear in the string. Use a '^' as the first symbol in a bracket expression. For example, "%[^a-zA-Z]%" matches a string with a character that is not a letter between two percent signs.

To match the characters "^.[$()|*+?{\" literally, rather than with their special meaning, they must be preceded by a backslash ('\'). This includes the backslash character itself. Remember that bracket expressions are an exception to this rule: within brackets, all special characters, including the backslash ('\'), lose their special meanings. For example, "[*\+?{}.]" matches precisely any of the characters within the brackets.
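The following script is an added example, not part of this guide, that exercises the Appendix C syntax with POSIX extended regular expressions through grep -E, which implement the same anchors, quantifiers, bounds, alternation and bracket expressions described above. It assumes that the CID regular-expression fields follow the POSIX ERE semantics the appendix describes (confirm any pattern on the device before relying on it), and the hostname list it checks is constructed for the example. The hostname functions make the point that matters for a DNS Regexp Hostname entry used in a health check: an unescaped "." is "any character" and an unanchored pattern matches as a substring, so "example.com" also accepts "examplexcom" and "example.com.evil.test" unless it is written as "^example\.com$".

```shell
#!/bin/sh
# Added example, not part of the CID guide: exercise the Appendix C syntax with
# POSIX extended regular expressions via grep -E, which support the same
# anchors, quantifiers, bounds, alternation and bracket expressions.
# Assumption: the CID regex fields follow the POSIX ERE semantics the appendix
# describes; confirm any pattern on the device before relying on it.

# ere_match PATTERN STRING: exit status 0 if PATTERN matches anywhere in STRING.
ere_match() {
    printf '%s\n' "$2" | grep -Eq -e "$1"
}

# ere_count PATTERN: print how many of the lines read from stdin PATTERN matches.
ere_count() {
    n=0
    while IFS= read -r line; do
        if ere_match "$1" "$line"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed list of hostnames (not from the guide) for the anchoring checks.
HOSTS='www.example.com
example.com
examplexcom
example.com.evil.test
mail.example.org'

# hosts_accepted PATTERN: number of HOSTS that PATTERN accepts. With the
# unescaped, unanchored "example.com" this is 4 (the "." matches the "x" in
# examplexcom and the substring match accepts example.com.evil.test); with
# "^example\.com$" it is 1, which is what a hostname health check wants.
hosts_accepted() {
    printf '%s\n' "$HOSTS" | ere_count "$1"
}

# Stand-alone use: sh regex_check.sh PATTERN STRING
if [ "$#" -eq 2 ]; then
    if ere_match "$1" "$2"; then
        echo "match"
    else
        echo "no match"
    fi
fi
```

Running "sh regex_check.sh '^abc$' abcd" prints "no match" while "sh regex_check.sh 'ab{2,}' abbb" prints "match"; hosts_accepted shows the difference between the loose and anchored forms of the same hostname pattern directly.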
APPENDIX D  Glossary

Appendix D, Glossary, provides descriptions of the terms that are frequently used in this guide, and a list of common abbreviations. The Glossary contains the following sections:
• Commonly Used Terms, page D-2
• List of Abbreviations, page D-6

Section D-1  Commonly Used Terms

Advanced Monitoring and Statistics
CID provides a range of statistics, such as Current Server Load, Current Attached Clients per Server, and numerous URL based statistics. Through analysis and diagnostics, these statistics enhance the monitoring and utilization of the network. Traps are initiated in case of special events. The Client Table and URL Table, which contain information regarding clients and URLs, are dynamically learned.

CID (placement in the network)
The first assumption in designing a CID network is that the CID resides on the path between the clients and both the Internet and the content inspection servers. This includes traffic from the users to the Internet and from the content inspection server farm back to the users. Except for a setup that involves local triangulation or transparent proxy, all traffic must travel physically through the CID. This placement is required by the role of CID in the network: CID needs to intercept the outgoing client requests and to manipulate the packets returning from the content inspection servers to the clients. CID was designed to intercept HTTP requests and to redirect them to a content inspection server farm.

Content Inspection Server Farm
A set of content inspection servers, defined on the CID, which have a single IP address, that is, the Farm Address. This address is the access IP address for the content inspection servers. Users who are statically configured to use a content inspection server should be configured to the CID virtual address.
Note: This address is used only for statically configured users.

IP Interface
An IP interface on CID is comprised of two components: an IP address and an associated interface. The associated interface is either a physical interface or a virtual interface (VLAN). IP Routing is performed between CID IP interfaces, while Bridging is performed within an IP interface that contains an IP address associated with a VLAN.

NAS
Network Access Server: in RADIUS, the device that users connect to and that acts as the RADIUS client, passing user credentials to the RADIUS server. In RADIUS based classification the CID fills this role (see Secret, NAS and RADIUS in the index). The same acronym is also used for network-attached storage, which is unrelated to this guide.

NNTP
NNTP (Network News Transfer Protocol) is the predominant protocol used by computer clients and servers for managing the notes posted on Usenet news groups. NNTP replaced the original Usenet protocol, UNIX-to-UNIX Copy Protocol (UUCP). NNTP servers manage the global network of collected Usenet news groups and include Internet access provider servers. An NNTP client is included as part of any Web browser.

Physical Interface
One of the Fast Ethernet or Application Switch ports of the CID. In the Fast Ethernet platform, a CID can have either 2 or 4 physical interfaces. In the Application Switch platform, the CID can have up to 10 physical interfaces, depending on the hardware configuration.

Physical IP Address
An IP address assigned to a CID interface. This address belongs to the CID and is used for SNMP management and for routing purposes.

RADIUS Protocol
Remote Authentication Dial-In User Service, or RADIUS, defined in RFC 2865 (authentication and authorization) and RFC 2866 (accounting), is the standard used for centralizing network authentication of remote access users. RADIUS is a client-server authentication and authorization access protocol used to authenticate users attempting to connect to a network device. The RADIUS clients send UDP authentication requests, typically to port 1812, in which the user password is hidden with an MD5 digest of the shared secret rather than sent in clear, and act on the responses sent back by the server. The network access server (NAS) functions as the client, passing user information to one or more RADIUS servers. User access to the device is either granted or denied based on the response received from the RADIUS servers.

The authentication process begins when a user initiates a connection with the server. The RADIUS server checks its authentication database and issues a "reject", "challenge", or "accept" message along with any attributes and values it has been configured to return. A reject message causes the router to query its own authentication database, if configured to do so. In response to an "accept" message, the NAS grants the user access according to the returned RADIUS attributes combined with its local authorization information. Finally, when the user terminates the connection, the router may send session accounting data back to the RADIUS server for accounting.

RTSP and MMS (Streaming) Request Interception
In addition to HTTP ports, the CID transparently intercepts the common streaming protocol ports (RTSP and MMS) and redirects them to the cache farm.

Virtual Interface (VLAN)
A collection of physical interfaces. A VLAN is defined according to protocol. Bridging for the defined protocol is performed between the ports that belong to a VLAN. In the case of IP, bridging is performed within a VLAN depending on the IP address assigned to that VLAN. For example, if an IP VLAN contains physical interfaces 1, 2, and 4 and is given an IP address of 192.1.1.1 (with subnet mask 255.255.255.0), Bridging is performed for IP network 192.1.1.0 between CID ports 1, 2, and 4.

Virtual IP Address (Farm address)
An IP address assigned to the CID that represents a content inspection server farm. Packets destined to this address are load balanced between the servers of the farm. The CID can hold a single farm.

VLAN types
Two types of IP VLANs are commonly encountered when configuring a CID. Either VLAN can be used, depending on the CID configuration requirements.

Regular: A Regular VLAN provides transparent bridging within the VLAN. This means that when two stations communicate within the VLAN, they are aware of each other's MAC addresses. For example, if stations A and B are on two different CID ports that belong to the same VLAN, during communication A knows B's MAC address and B knows A's address. Regular VLAN also supports redundancy and transparent proxy features.

Broadcast And Unicast: This is a special VLAN which allows bridging using standard proxy ARP techniques. In addition, stations on one VLAN port of the CID believe that all stations on other CID ports belonging to this VLAN have the same MAC address. This one MAC address is actually the MAC of the CID. It may be necessary to use this VLAN type in CID configurations to ensure that packets are destined to the MAC address of the CID during end station to server communications.

Section D-2  List of Abbreviations

Acronym    Meaning
ARP        Address Resolution Protocol
AS         Autonomous System
AS         Application Switch
AV         Anti Virus
BGP        Border Gateway Protocol
CID        Content Inspection Director
CIDR       Classless Interdomain Routing
CSD        Cache Server Director
CW         ConfigWare
CWIS       Configware Insite
DGW        Default Gateway
DHCP       Dynamic Host Configuration Protocol
DMZ        Demilitarized Zone
DNS        Domain Name System
DSL        Digital Subscriber Line
EGP        Exterior Gateway Protocol
EIGRP      Enhanced Interior Gateway Routing Protocol
FDDI       Fiber Distributed Data Interface
FE         Fast Ethernet
FP         FireProof
FTP        File Transfer Protocol
FW         Firewall
GARP       Gratuitous Address Resolution Protocol
GTLD       Generic Top Level Domain
GUI        Graphical User Interface
HTTP       Hypertext Transfer Protocol
HTTPS      Hypertext Transfer Protocol Secure
HW         Hardware
ICMP       Internet Control Message Protocol
IDS        Intrusion Detection System
IGP        Interior Gateway Protocol
IGRP       Interior Gateway Routing Protocol
IP         Internet Protocol
ISDN       Integrated Services Digital Network
ISO        International Organization for Standardization
ISP        Internet Service Provider
ITM        Internet or Intelligent Traffic Management
LAN        Local Area Network
LB         Load Balancer/Balancing
LLC        Logical Link Control
LP         LinkProof
LRP        Load Reporting Protocol
MAC        Media Access Control
MAN        Metropolitan Area Network
MED        Multi-Exit Discriminator
MIME       Multipurpose Internet Mail Extensions
NAP        Network Access Point
NAS        Network Access Server (RADIUS client)
NAT        Network Address Translation
NetBEUI    NetBIOS Extended User Interface
NetBIOS    Network Basic Input/Output System
NHR        Next Hop Router
NIC        Network Interface Card
NP         Network Proximity
NTP        Network Time Protocol
NNTP       Network News Transfer Protocol
OSI        Open Systems Interconnection
OSPF       Open Shortest Path First
OUI        Organizationally Unique Identifier
PD         Peer Director
POP3       Post Office Protocol 3
PRP        Proximity Reporting Protocol
QoS        Quality of Service
RED        Random Early Detection
RFC        Request for Comments
RIP        Routing Information Protocol
RND        Rad Network Devices
SmartNat   Smart Network Address Translation
SMTP       Simple Mail Transfer Protocol
SNMP       Simple Network Management Protocol
SONET      Synchronous Optical Network
SSH        Secure Shell
SSL        Secure Sockets Layer
SW         Software
TCP        Transmission Control Protocol
TFTP       Trivial File Transfer Protocol
TLD        Top Level Domain
UDP        User Datagram Protocol
URL        Uniform Resource Locator
VACM       View-based Access Control Model
VLAN       Virtual Local Area Network
VLSM       Variable Length Subnet Masking
VRRP       Virtual Router Redundancy Protocol
WAN        Wide Area Network
WBM        Web Based Management
WINS       Windows Internet Name Service
WSD        Web Server Director
WWW        World Wide Web
Index

A
Action 8-12
Action Macro 7-14
Activation/Inactivation Schedule 8-15
Active 9-75
Admin Status 4-28
Advanced CID Features (Chapter 5) 5-1
Advanced Filters 8-20, 9-90, 9-102, 9-152, 9-167
Alternate Default Gateway 3-28
Application Classification 8-4
Application Security 9-1
Attacks, Dynamic Information 9-196

B
Backup Device in VLAN 6-12
Backup Fake ARP 6-12
Backup Interface Grouping 2-70
Backup Interface Grouping, Redundancy 6-6
Bandwidth Limit 4-28
Bandwidth Management 8-3
  Borrowing Limit 8-13
  Classes 8-18
  Classification Criteria 8-9
  Guaranteed Bandwidth 8-12
  Networks 8-25
  Policy Groups 8-13
  Port Groups 8-26
  Predefined Filters 8-21
  Rules 8-12
  Services 8-19
  VLAN Tag Groups 8-27
Bandwidth Management Module 8-2
Bandwidth Management Policies 8-8
Basic Filters 8-19
Borrowing Limit 8-13
Bridging, in VLAN 3-23

C
Cache Load Balancing 4-57
Cache Server Types 4-58
CID Limitations (Appendix A) A-5
Classification 8-37
Classification Modes 8-5
Client NAT 4-28
Client Table 4-37
Client Types 4-57
Configured Clients 4-57
Connection Limit 4-27
Content 8-20
Content Parameters 9-59, 9-81

D
Daylight Saving Time Support 2-78
Default Gateway, setup 3-27
Destination 8-9
Destination Hashing 4-9
Detecting 9-3
Device Management, CLI 2-27
Device Management in CWIS 2-26
Device Notifications 2-75–2-86
Device Security 2-61
Device Tuning 2-72–2-74
Device Upgrading 2-10
Direction 8-9
DNS Services
  DNS Client 5-79
  DNS Server 5-82
Dormant 9-75
DoS Shield 9-75

E
E-mail Traps 9-193
Events Scheduler 8-16

F
Farm Health Check 7-23
Farm Management 5-2
Farm Servers 4-27
Filter Groups 8-20
Flow Management 5-2
  Configuration 5-7–5-18
  Scheme 5-6
FTP Address Multiplexing 2-59, 5-52
FTP Support 2-54, 5-46
FTP Support, Transparent 2-59, 5-52

G
Global Server 4-32
Group Health Check 7-22
Groups 9-64, 9-76, 9-153, 9-168
Guaranteed Bandwidth 8-12

H
Hardware Licenses, Upgrading 2-21
Health Check 3-28
Health Check Binding 7-16
Health Check Methods
  Arguments 7-35
  Predefined 7-26
  User Defined 7-39
Health Check, Advanced 4-52
Health Check, Basic 4-52
Health Check, Farm 7-23
Health Check, Multiple Servers 7-45
Health Checks DB 7-9
Health Monitoring 3-28
  Checked Element 7-3
  Global 7-6
  Global Configuration 7-8
  Health Check Binding 7-16
  Method 7-4
  Module 7-3
Health Monitoring TCP Check 7-52
HTTP Advanced Features
  Forbidden Request Override 5-64
  HTTPS 5-64
  Proxy SSL 5-64
  URL Retrieval 5-62
HTTP Match Policy 5-23

I
Important Notice 1-I
Inbound Physical Port Group 8-11
Intercepted Clients 4-57
Interface Classification 8-39
Interface Grouping, Redundancy 6-6
Introducing CID 1-VII, 1-1
IP Addressing 3-25

L
Log File 9-196
Loopback B-1–B-11
Loopback Configuration
  AIX B-4
  HP-UX B-5
  Linux B-6
  Solaris B-8
  Windows NT B-9
Loopback Interfaces 10-46

M
Management Interfaces 2-70
Mirroring 6-8
Multiplexed Server Port 4-34
Multiplexing, FTP Address 2-59, 5-52

N
NAT in VLAN mode 4-89
NAT to Remote Servers 4-101
Networks 8-25

O
OMPC 9-57, 9-90, 9-102, 9-152, 9-167
Operation Mode 4-29

P
Packet Marking 8-15
Parallel Redundancy with Routing 6-20
Ping Physical Port 2-70
Policies 8-5, 8-15, 8-35
Policy Groups 8-13
Policy Index 8-15
POP3 Support, Configuration 5-53
Port Bandwidth 8-38
Port Groups 8-26
Port Mirroring 3-3
Port Trunking 3-6
Preventing 9-4
Proprietary ARP 6-11
Protocol Discovery 8-33, 8-34
Protocol Discovery Policies 8-35
Proxy AV Gateway, Configuration 5-71
Proxy SSL 5-64

R
RADIUS Authentication 2-60
RADIUS Based Classification
  Configuration 5-60
  General 5-58
Random Early Detection 8-5
Redundancy Methods
  Backup Fake ARP 6-12
  Proprietary ARP 6-11
  VRRP 6-24
Redundancy with Bridging 6-12, 6-17
Redundancy with Routing 6-14
Redundancy, General 6-3
Regular Expressions C-1
Regular Health Check 7-19–7-21
Reporting 9-4
Resetting Devices 2-9
Response Threshold 4-28
Restoring Configuration Files 2-18
RIP Configuration 3-29
Routing 3-26
Routing Information Protocol (RIP) 3-29
Routing Table, Setup 3-27

S
Safety Instructions 1-II
Scheduler Algorithm 8-4
Secret, NAS and RADIUS 5-59
Server Weight 4-27
Service 8-11
Services 8-19
  Basic Filters 8-19
Signature File Update 9-36
Signatures Database 9-25
SNMP Configuration 2-69
SSL Content Check 5-66
Switched VLAN 3-10
SynApps Models 8-1
Syslog Messages 9-196

T
Telnet and SSH Configuration 2-51
Transparent FTP 2-59, 5-52
Traps 9-196
Troubleshooting A-1–A-5
Types of Attacks 9-6

U
Upgrading Boot Versions 2-24
Upgrading devices in WBM 2-21
URL Match Policy 5-22
URL Policies
  Configuration 5-20
  HTTP Match 5-23
  URL Match 5-22
URL Retrieval 5-62

V
Virtual LAN, General 3-9
VLAN Tag Group 8-11
VLAN Tag Groups 8-27
VLAN Tagging 3-23
VLAN Types
  Regular 3-10
  Switched 3-10
VRRP, General 6-25

W
Warm-up Time 4-32
WBM Device Management 2-48
Weighted Cyclic 4-10
