Check Point DDoS Protector




Check Point DDoS Protector User Guide Software Version - 6.07 6 March 2013

2013 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software: We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation: The latest version of this document is at http://supportcontent.checkpoint.com/documentation_download?id=12676. For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History: 4 March 2013: Converted from WBM OLH and edited for print documentation.

Feedback: Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=feedback on Check Point Lights Out Management Administration Guide).

Contents

Important Information ... 3

DDoS Protector Overview ... 1
  Network Flood Protection ... 1
  Server Flood Protection ... 1
  Application Layer Protection ... 1

Configuring File Parameters ... 3
  Software Update ... 3
  Support ... 3
  Configuration ... 4
  Send Configuration File to Device ... 4
  Receive from Device ... 4
  Log File ... 4
  Software List ... 5

Configuring Device Parameters ... 7
  Reboot Device ... 7
  Device Shutdown ... 7
  Global Parameters ... 7
  Device Information ... 8
  Utilization ... 9
  SME Utilization ... 9
  Device Resource Utilization ... 9
  License Upgrade ... 9
  Port Mirroring ... 10
  Port Mirroring and Traffic Rate Port Mirroring ... 10
  Forwarding Table ... 12
  Interface Grouping ... 13
  Physical Interface ... 13
  L2 Interface ... 13
  Link Aggregation ... 14
  Link Aggregation: Trunk Table ... 14
  Link Aggregation: Port Table ... 14
  Jumbo Frames Settings ... 15
  Traffic Exclusion ... 16
  Session Table ... 16
  Session Table Global Parameters ... 16
  Advanced Session Table Global Parameters ... 18
  Session Table Entries ... 19
  IP Fragmentation ... 20
  Device Overload Mechanism ... 20
  High Availability ... 21
  High Availability Global Parameters ... 21
  High Availability Advanced Configuration ... 22
  Pair Definition ... 24
  High Availability Monitoring ... 24
  Switch Over ... 25
  Activate Baseline Sync with Peer Device ... 25
  Reset Secondary ... 25
  Tunneling ... 25
  IP Version Mode ... 26
  Dynamic Protocols ... 26
  Dynamic Protocols: General ... 26
  Dynamic Protocols: FTP ... 27
  Dynamic Protocols: TFTP ... 27
  Dynamic Protocols: Rshell ... 28
  Dynamic Protocols: Rexec ... 28
  Dynamic Protocols: H.225 ... 29
  Dynamic Protocols: SIP ... 29

Configuring Router Parameters ... 31
  IP Router ... 31
  Operating Parameters ... 31
  Interface Parameters ... 31
  Routing Table ... 33
  ARP Table ... 34

Configuring DDoS Protector Parameters ... 35
  DoS Signatures ... 35
  Application Security ... 35
  DoS Shield ... 36
  Filters ... 36
  Attacks ... 42
  Exclude Attacks ... 48
  Denial of Service ... 49
  Behavioral DoS ... 49
  DNS Protection ... 58
  SYN Protection ... 71
  Out-of-State ... 76
  Connection Limit ... 78
  HTTP Mitigator ... 81
  Authentication Tables ... 87
  DNS Authentication Table ... 87
  TCP Authentication Table ... 88
  HTTP Authentication Table ... 88
  Server Protection ... 89
  Protected Servers ... 89
  White List ... 91
  Black List ... 93
  Network Protection Policies ... 96
  Policies Resources Utilization ... 98
  Global ... 99
  Suspend Table ... 99
  Reporting ... 101
  Reporting Global Parameters ... 101
  Top Ten Attacks ... 103
  Data Report ... 103
  Security Log ... 104
  Packet Trace ... 105
  Attack Database ... 106
  Attack Database Version ... 106
  Attack Database Send to Device ... 107
  Activate Latest Changes ... 107
  Packet Anomalies ... 107
  Packet Anomalies Attacks ... 107
  Service Discovery ... 110
  Service Discovery Global Parameters ... 110
  Service Discovery Profiles ... 111
  Restore Default Configuration ... 112

Configuring Services Parameters ... 115
  Tuning ... 115
  Security ... 115
  Device Tuning ... 118
  Memory Check ... 119
  Classifier Tuning ... 120
  SYN Protection Tuning ... 121
  Diagnostics Tuning ... 122
  Diagnostics ... 122
  Capture ... 122
  Trace ... 123
  Trace Files ... 126
  Diagnostics Policies ... 127
  Syslog Reporting ... 128
  Daylight Saving ... 130
  Management Interfaces ... 131
  Telnet ... 131
  Web Server ... 132
  SSL ... 133
  SSH ... 133
  Event Log ... 134
  Network Time Protocol (NTP) ... 134
  RADIUS ... 135
  SMTP ... 136
  DNS Client Parameters ... 137
  Configuration Auditing ... 138
  Event Scheduler ... 138

Configuring Security Parameters ... 141
  Management Ports ... 141
  Ports Access ... 141
  SNMP ... 142
  SNMP Global Parameters ... 142
  SNMP: User Table ... 142
  SNMP: Community Table ... 143
  SNMP: Groups Table ... 144
  SNMP: Access Table ... 144
  SNMP: View Table ... 145
  SNMP Notify Table ... 145
  SNMP Target Parameters ... 146
  SNMP: Target Address ... 147
  Ping Physical Ports Table ... 148
  Users ... 148
  Certificates ... 150
  Certificates Table ... 150
  Exporting PKI Components ... 151
  Importing a PKI Component ... 151
  Certificate Default Values ... 152

Configuring Classes Parameters ... 153
  View Active Networks ... 153
  Modify ... 153
  Modify Networks ... 153
  Modify Services ... 154
  Modify Application Port Groups ... 161
  Modify Physical Port Groups ... 161
  Modify VLAN Tag Groups ... 162
  Modify MAC Groups ... 163
  View Active ... 163
  View Active Networks ... 163
  View Active Services ... 163
  Viewing Application Port Groups ... 164
  View Active Physical Port Groups ... 164
  View Active VLAN Tag Groups ... 164
  View Active MAC Groups ... 164
  Activate Latest Changes ... 164

Configuring Performance Parameters ... 165
  Element Statistics ... 165
  IP Packet Statistics ... 165
  SNMP ... 165
  IP Router ... 166
  Accelerator Utilization ... 168

Chapter 1 DDoS Protector Overview

Check Point DDoS Protector appliances block denial-of-service (DoS) attacks within seconds with multi-layered protection and up to 12-Gbps performance. Modern distributed DoS (DDoS) attacks use new techniques to exploit areas that traditional security solutions are not equipped to protect. These attacks can cause serious network downtime to businesses that rely on networks and Web services to operate. DDoS Protector extends company security perimeters to block destructive DDoS attacks before they cause damage.

Network Flood Protection

DDoS Protector uses behavioral analysis to provide network-flood-attack protection. After baselining normal daily and weekly patterns for network traffic, DDoS Protector identifies abnormal traffic, especially spikes from network floods.

Server Flood Protection

DDoS Protector protects against misuse of application resources. With its automatic signature-generation capability, DDoS Protector automatically generates new signatures to mitigate suspected attacks, and uses predefined signatures to prevent known bad behavior. DDoS Protector also prevents misuse of the TCP/IP stack by fending off SYN-flood attacks using SYN cookies.

Application Layer Protection

DDoS Protector blocks automated tools and fake users with challenge/response techniques, while transparently redirecting legitimate users to the desired destinations.

DDoS Protector Web Based Management User Guide 1

Chapter 2 Configuring File Parameters

Software Update

Check Point may release updated versions of the device software. Upload these updated versions to benefit from enhanced functionality and performance. The password is provided with the new software documentation.

Note: If the upload is not successful, the current device software does not change. If the upload is successful, reset the device to implement the new version.

To upload software
1. Select File > Software Update.
2. In the Password field, enter the password received with the new software version.
   Note: The password is case-sensitive.
3. In the Software version field, type the software version number as specified in the new software documentation.
4. In the File field, enter the file path. Alternatively, click Browse to navigate to the file.
5. Select the Enable New Version check box.
6. Click Set.
7. Select Device > Reboot Device.
8. Click Set.

Support

In case of problems, debugging is required, and for this DDoS Protector generates a separate support file. This file is delivered in text format and aggregates all the CLI commands needed by the Check Point Support Center. The file also includes the output of various CLI commands, such as printouts of the Client table, ARP table and others. You can download this file using the Support command and then send it to the Check Point Support Center.

To download the support file
1. Select File > Support.
2. Click Download.

Configuration

Send Configuration File to Device

Use the Send to Device pane to send a configuration file to the device.

To send the configuration file to a device
1. Select File > Configuration > Send to Device.
2. Select the upload mode: Replace configuration file, Append commands to configuration file, or Append commands to configuration file with reboot.
3. Enter the name of the configuration file, or click Browse to navigate to the file.
4. Click Set.
5. Select Device > Reboot Device and then Set to apply the changes in the configuration.

Receive from Device

The Receive from Device window enables you to download the configuration file.

To download the configuration file
1. Select File > Configuration > Receive from Device.
2. Select whether to include private keys.
3. Click Set.

Note: A configuration file downloaded using WBM cannot be uploaded to a device that was configured to use SNMPv3 only.

Log File

Log File: Show
The Configuration Error Log window enables you to view the configuration errors. The report of configuration errors presented in this log file is generated automatically by the device.
To view the log file, select File > Configuration > Logfile > Show.

Log File: Clear
The Clear Error Log window enables you to clear the information contained in the Show Log file.
To clear the error log
1. Select File > Configuration > Logfile > Clear.
2. Click Set.

Log File: Download
The Download Error Log window enables you to download the latest log file that contains configuration errors. Once the file is downloaded, you can view it.
To download the error log
1. Select File > Configuration > Logfile > Download.
2. Click Set.

Software List

The device can hold two different software versions at the same time, together with their respective configuration files. You can set which of the existing versions is currently active. In addition, you can delete the inactive version.

To update the device software
1. Select File > Software List.
2. To filter the software list, enter or select a parameter and click Reset Filter.
3. Select the version that you want to delete and click Delete.
4. Select Device > Reboot Device and click Set.

Name: The name of the version that you have selected.
Index: The index of the version in the Software List.
Valid: The version validity.
Active: The status of the version.
Version: The version number.

Chapter 3 Configuring Device Parameters

Reboot Device

This feature resets (restarts) the device. This may be necessary after completing the configuration of some features, such as Device Tuning. The changes are updated and reflected in the device only after the reset.

To reboot the device
1. Select Device > Reboot Device.
2. Click Set.

Device Shutdown

To shut down a device
1. Select Device > Device Shutdown.
2. Click Shutdown.

Global Parameters

To set the global device parameters
1. Select Device > Global Parameters.
2. Configure the parameters, and click Set.

Description: The general description of the device.
Name: The user-assigned name of the device, which is displayed in the windows describing the device.
Location: The geographic location of the device.
Contact Person: The person or people responsible for the device.
System Up Time: The time elapsed since the last reset.
System Time: The current user-defined device time, in hh:mm:ss format.
System Date: The current user-defined device date, in dd/mm/yyyy format.
Bootp Server Address: The IP address of the BootP server. The device forwards BootP requests to the BootP server and acts as a BootP relay.

BootP Threshold: How many seconds the device waits before relaying requests to the BootP server. This delay allows local BootP servers to answer first.

Device Information

Use the Device Information pane to view information about the device.

To access the Device Information pane, select Device > Device Information. The following parameters are displayed:

Type: The device type.
Platform: The hardware platform type, for example On-Demand Switch.
Device: The device name.
Ports: The number of ports on the device.
Ports Config: The port configurations.
HW Version: The hardware version.
SW Version: The software version.
Build: The software build date, time, and version number.
Throughput License: The throughput license (limit).
Version State: The version state, for example "Final".
APSolute OS: The APSolute OS build date, time, and version number.
Network Driver: The network driver version.
RAM Size: The amount of RAM, in GB.
Flash Size: The size of the flash (permanent) memory, in MB.
Hard Disk(s): The number of hard disks installed.
Registered: Whether the device is registered or not.
Date: The date of the version.
Time: The time of the version.
Up Time: The amount of time that the device has been up.

Base MAC: The MAC address of the first port on the device.
Active Boot: The active boot version.
Secondary Boot: The secondary boot version.
Power Supply: The power supply status.
DoS Mitigator: The DoS Mitigator type.
SME: The SME type.

Utilization

SME Utilization

The Engines utilization pane displays values relating to the utilization of internal hardware components. The information is intended only for advanced tuning and debugging by the Check Point Support Center.

Device Resource Utilization

To view device resource utilization statistics, select Device > Utilization > General. The following parameters are displayed:

Resource Utilization: The percentage of the device's CPU currently utilized.
RS Resource Utilization: The percentage of the device's routing services (RS) resource currently utilized.
RE Resource Utilization: The percentage of the device's routing engine (RE) resource currently utilized.
Last 5 sec. Average Utilization: The average utilization of resources in the last 5 seconds.
Last 60 sec. Average Utilization: The average utilization of resources in the last 60 seconds.

License Upgrade

The License Upgrade window enables you to upgrade the software license.

To upgrade the software license
1. Select Device > License Upgrade.
2. Enter your new license key, located on your CD case. (The earlier license key is displayed.)

3. Enter your throughput license key. (The earlier throughput license key is displayed.)
   Note: The license code is case-sensitive.
4. Click Set.
5. In the Reset the Device window, click Set to perform the reset. The reset may take a few minutes.

Port Mirroring

Port Mirroring and Traffic Rate Port Mirroring

Port Mirroring enables the device to mirror traffic from one physical port on the device to another physical port on the device. This is useful when a monitoring device is connected to one of the ports on the device. You can choose to mirror received and transmitted traffic, received traffic only, or transmitted traffic only. You can also decide whether received broadcast packets should be mirrored or not.

To help deal with high-bandwidth DoS and DDoS attacks, you can perform traffic rate port mirroring: the traffic arriving at DDoS Protector is mirrored to a dedicated sniffer port, which allows packet data to be collected in the event of an attack. The mirroring is performed only when the device is under attack, based on a predefined traffic threshold.

To set the device to operate in port mirroring mode
1. Select Device > Port Mirroring > Table.
2. Click Create.
3. Configure the parameters, and click Set.

Input Port: The port from which the traffic is mirrored.
Output Port: The port to which traffic is mirrored.
Receive\Transmit: The direction of traffic to be mirrored: Transmit and Receive, Receive Only, or Transmit Only.

Promiscuous Mode: Enables you to either copy all traffic from the Input Port to the Output Port or to copy only the traffic that is destined to the Input Port. Enabled: all traffic is copied to the Output Port. Disabled: only traffic destined to the Input Port is copied. Default: Enabled.
Backup Port: A backup port for the output.
Mode: Define the relevant mode, either: Enabled: Port Mirroring is continuously enabled. Traffic Rate: Port Mirroring is performed according to the traffic rate over the network (PPS or Kbps); therefore the Threshold must be defined.
Threshold: The threshold value.

Global Parameters

To set the Port Mirroring global parameters
1. Select Device > Port Mirroring > Global Parameters.
2. Configure the parameters, and click Set.

Traffic Threshold Units: The traffic threshold units according to which attacks are detected. PPS: the number of packets per second being sent over the network. kbps: the number of kbps that can pass through the Input Port before the mirroring process begins. If the number of kbps on the traffic interface port is higher than the threshold value, the device treats this as an attack and mirrors the traffic to the Output Port for the period of time configured by Threshold Interval.
Thresholds Interval: The number of seconds in which the mirroring process takes place. Default: 30 sec.

Reset Traffic Rate Threshold

The Port Mirroring Reset Traffic Rate Threshold window enables you to set the device to record the traffic that exceeds the predefined limit within a new threshold interval.

To reset the Traffic Rate Threshold
1. Select Device > Port Mirroring > Reset Traffic Rate.
2. Click Set.

Forwarding Table

You can configure scanning ports using the Static Forwarding mode. In the Static Forwarding mode, DDoS Protector functions in promiscuous mode in the network, which means that the device acts as a completely transparent network element. Scanning ports have a one-to-one forwarding ratio, where the traffic that comes from the receiving port is always sent out from its corresponding transmitting port. The ports are paired, meaning one port receives traffic while another transmits traffic. The ports are defined in the Forwarding Table.

Note: When using the SYN Flood Protection filters, you must set the inbound and the outbound traffic to operate in the Process mode.

You can assign the same Destination Port to more than one Source Port. For example, you can define that Source Port 1 is associated with Destination Port 3, and also that Source Port 2 is associated with Destination Port 3.

To configure promiscuous ports
1. Select Device > Forwarding Table.
2. Click Create.
3. Configure the parameters, and click Set.

Source: The user-defined source port for received traffic.
Destination: The user-defined destination port for transmitted traffic.
Operation: The operation mode that can be assigned to a pair of ports: Process or Switch.
Failure Mode: The failure mode: Fail-Open or Fail-Close.
Port Type: The port type: Source or Destination.

Note: When you assign the same Destination Port to more than one Source Port, you must also define the Destination Port for the traffic in the opposite direction; otherwise the traffic transmitted in that direction is ignored. For example, Source Port 1 is associated with Destination Port 3, and also Source Port 2 is associated with Destination Port 3. In that case, for the traffic in the opposite direction, the Source Port is 3 and the Destination Port must be defined (typically it is 1 or 2).
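As an added illustration (not code from the guide or from Check Point), the following validator applies the two rules stated above to a static forwarding table: a Destination Port shared by several Source Ports must also appear as a Source Port so that return traffic is forwarded, and when SYN Flood Protection filters are used every port pair must be in Process mode. The port numbers and sample tables are constructed for the example.

```python
# Added example: consistency checks for a static forwarding table as described
# in the guide. Not the appliance's own code; port numbers are constructed.
from dataclasses import dataclass
from typing import Dict, List, Set

OPERATIONS = ("Process", "Switch")
FAILURE_MODES = ("Fail-Open", "Fail-Close")


@dataclass(frozen=True)
class ForwardingEntry:
    source: int            # port that receives the traffic
    destination: int       # port that transmits that traffic
    operation: str         # "Process" or "Switch"
    failure_mode: str = "Fail-Open"


def validate_forwarding_table(entries: List[ForwardingEntry],
                              syn_protection: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the table is consistent."""
    problems: List[str] = []
    source_ports: Set[int] = set()
    dest_to_sources: Dict[int, Set[int]] = {}

    for e in entries:
        if e.operation not in OPERATIONS:
            problems.append(f"pair {e.source}->{e.destination}: unknown operation {e.operation!r}")
        if e.failure_mode not in FAILURE_MODES:
            problems.append(f"pair {e.source}->{e.destination}: unknown failure mode {e.failure_mode!r}")
        # One-to-one forwarding: a receiving port has exactly one transmitting port.
        if e.source in source_ports:
            problems.append(f"source port {e.source} is defined more than once")
        source_ports.add(e.source)
        dest_to_sources.setdefault(e.destination, set()).add(e.source)

    # A shared Destination Port needs its own entry as a Source Port, otherwise
    # the traffic transmitted in the opposite direction is ignored.
    for dest, sources in sorted(dest_to_sources.items()):
        if len(sources) > 1 and dest not in source_ports:
            problems.append(
                f"destination port {dest} is shared by source ports {sorted(sources)} "
                f"but has no entry as a source port; return traffic would be ignored")

    # SYN Flood Protection filters require Process mode for inbound and outbound traffic.
    if syn_protection:
        for e in entries:
            if e.operation != "Process":
                problems.append(
                    f"pair {e.source}->{e.destination} is in {e.operation} mode; "
                    f"SYN Flood Protection requires Process mode")
    return problems


# Constructed sample: ports 1 and 2 both forward to port 3, nothing forwards
# traffic back from port 3, and both pairs are in Switch mode.
BROKEN_TABLE = [
    ForwardingEntry(source=1, destination=3, operation="Switch"),
    ForwardingEntry(source=2, destination=3, operation="Switch"),
]

# Corrected sample: port 3 is also a Source Port (returning to port 1) and
# all pairs are in Process mode.
FIXED_TABLE = [
    ForwardingEntry(source=1, destination=3, operation="Process"),
    ForwardingEntry(source=2, destination=3, operation="Process"),
    ForwardingEntry(source=3, destination=1, operation="Process"),
]

if __name__ == "__main__":
    for name, table in (("broken", BROKEN_TABLE), ("fixed", FIXED_TABLE)):
        print(name, validate_forwarding_table(table, syn_protection=True) or "OK")
```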

Interface Grouping

When installing DDoS Protector between two L2 switches operating with multiple links (with Link Aggregation, for example), a link failure on one L2 switch would not be detected by the remote L2 switch, because DDoS Protector would continue to keep the link up. Interface Grouping shuts both endpoints of a link once a failure is detected on one of the endpoints. The endpoints of the links are set by the Static Forwarding table. Interface Grouping is configured globally per device.

To enable interface grouping
1. Select Device > Forwarding Table.
2. From the Interface Grouping drop-down list, select Enable.

Physical Interface

The Physical Interface window enables you to change the physical attributes of each port individually.

To update the ports' physical attributes
1. Select Device > Physical Interface.
2. Configure the parameters, and click Set.

Port Index: The index number of the port.
Speed: The traffic speed of the port: Ethernet, Fast Ethernet, or Giga Ethernet.
Duplex: Whether the port allows both inbound and outbound traffic simultaneously (Full Duplex) or one way at a time only (Half Duplex).
Auto Negotiate: Automatically detects and configures the speed and duplex required for the interface.

L2 Interface

The L2 Interface window enables you to configure the administrative status and view the settings of each interface.

To configure the administrative status of an interface
1. Select Device > L2 Interface.
2. Select the relevant interface.
3. From the Interface Admin Status drop-down list, select the required status of the interface: up or down.
4. Click Set.

Link Aggregation

Link Aggregation: Trunk Table

The Port Trunking feature allows for defining up to seven trunks. Up to eight (8) physical links can be aggregated into one trunk. All trunk configurations are static. The Trunk Table, which is read-only, enables you to view the Trunk Index settings that were defined in the Port Table.

To view the link aggregation trunk table, select Device > Link Aggregation > Trunk Table. The following parameters are displayed:

Trunk Index: Displays the trunk index.
Trunk MAC Address: Displays the MAC address assigned to the trunk.
Trunk Status: Individual (False): no ports are attached to this trunk. Aggregated (True): ports are attached to this trunk.

Link Aggregation: Port Table

The Port Table enables you to attach ports to a trunk.

Note: Only ports that are connected (Link Up) and operating in full duplex mode can be attached to a trunk.

To set the link aggregation port table parameters
1. Select Device > Link Aggregation > Port Table.
2. Select the port index to edit.
3. Configure the parameters, and click Set.

Port Index: (Read-only) The physical port index.
Port MAC: (Read-only) The MAC address assigned to the port.
Trunk Index: The trunk to which the port is attached, or Unattached.

Port Status: (Read-only) Individual: the port is not attached to any trunk. Aggregate: the port is attached to a trunk.

Jumbo Frames Settings

You can specify whether jumbo frames bypass the device or are discarded. This setting is available only on x412 platforms.

To configure the jumbo-frame settings
1. Select Device > Jumbo Frames.
2. Configure the parameters, and click Set.

Jumbo Frames Mechanism Status: enable: the device inspects frames up to 9216 bytes. disable: the device discards frames that are larger than 1550 bytes. Default: disable.
Notes: Changing the configuration of this option takes effect only after a device reset. When this option is enabled, all DDoS Protector monitoring and protection modules support monitoring, inspection, detection, and mitigation of traffic and attacks on packets up to 9216 bytes. For example, when this option is enabled, TCP Authentication using Transparent Proxy supports an additional maximum segment size (MSS) value to improve performance of the protected networks.

Jumbo Frames Bypass: enable: frames of 1550 to 9216 bytes bypass the device without any inspection or monitoring. disable: the device discards frames that are larger than 1550 bytes. Default: disable.
Notes: Changing the configuration of the option takes effect only after a device reset. When the option is enabled on an x412 platform, there may be some negative effect on the following features: Packet Anomalies, Black and White Lists, and BDoS real-time signatures. When the option is enabled on an x06 platform, there may be some negative effect on Black and White Lists. When the option is enabled, TCP SYN Protection may not behave as expected, because the third packet in the TCP three-way handshake can include data and be in itself a jumbo frame. When the option is enabled, some protections that rely on the DDoS Protector session table might produce false negatives and drop traffic when all the session traffic bypasses the device in both directions for a period longer than Session Aging Time.

Traffic Exclusion

This feature is available only on x412 platforms. You can specify whether the device passes through all traffic that matches no network policy configured on the device, regardless of any other protection configured. If Traffic Exclusion is enabled, to inspect traffic that matches a Server Protection policy, you must configure the Server Protection policy as a subset of the Network Protection policy.

To configure traffic exclusion
1. Select Device > Traffic Exclusion.
2. From the Traffic Exclusion Status drop-down list, select Enable or Disable, and click Set. Default: Enable.

Session Table

Session Table Global Parameters

DDoS Protector includes a Session table, which tracks sessions bridged and forwarded by the device.

To set the parameters for the session table
1. Select Device > Session Table > Global Parameters.
2. Configure the parameters, and click Set.

Session Table Status: Specifies whether the device uses the Session table. Default: Enabled.
Idle TCP-Session Aging Time: The time, in seconds, that the Session table keeps idle TCP sessions. Range: 1 to 7200. Default: 100.

Idle UDP-Session Aging Time
  The time, in seconds, that the Session table keeps idle UDP sessions.
  Range: 1 to 7200
  Default: 100
Idle SCTP-Session Aging Time
  The time, in seconds, that the Session table keeps idle SCTP sessions.
  Range: 1 to 7200
  Default: 100
Idle ICMP-Session Aging Time
  The time, in seconds, that the Session table keeps idle ICMP sessions.
  Range: 1 to 7200
  Default: 100
Idle GRE-Session Aging Time
  The time, in seconds, that the Session table keeps idle GRE sessions.
  Range: 1 to 7200
  Default: 100
Idle Other-Protocol-Session Aging Time
  The time, in seconds, that the Session table keeps idle sessions of protocols other than TCP, UDP, SCTP, ICMP, or GRE.
  Range: 1 to 7200
  Default: 100
Session Table No Aging Mode
  Enables or disables the Session Table No Aging Mode. If enabled, the Session Table and Flow Table are not aged. This parameter can be configured only if Session Table Lookup Mode is L4 Dest Port.
Session Table Lookup Mode
  The layer of address information that is used to categorize packets in the Session table.
  Full L4: An entry exists in the Session table for each source IP, source port, destination IP, and destination port combination of packets passing through the device.
  L4 Destination Port: Enables traffic to be recorded based only on the TCP/UDP destination port. This mode uses minimal Session table resources (only one entry for each port that is secured).
  Default: Full L4
  Caution: Check Point recommends that you always use the Full L4 option. When Session Table Lookup Mode is Layer 4 Destination Port, the following protections do not work: Connection Rate Limit, HTTP Mitigator, HTTP Replies Signatures, Out-of-State protection.

Remove Session Table Entry at Session End
  Specifies whether the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session within the Remove Session Entry at Session End Time period.
  Default: Enabled
Remove Session Entry at Session End Time
  (This option is supported only if Remove Session Entry at Session End is enabled.)
  When Remove Session Entry at Session End is enabled, the time, in seconds, after which the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session.
  Range: 1 to 60
  Default: 5
Send Reset To Server Status
  Specifies whether the DDoS Protector device sends a RST packet to the destination of aged TCP sessions.
  Enabled: DDoS Protector sends a RST packet to the destination and cleans the entry in the DDoS Protector Session table.
  Disabled: DDoS Protector ages the session normally (using the short SYN timeout), but the destination might hold the session for quite some time.
  Default: Disabled

Advanced Session Table Global Parameters

To set the session table advanced configuration parameters
1. Select Device > Session Table > Advanced Configuration.
2. Configure the parameters, and click Set.

Session-Table-Full Action
  The action that the device takes when the Session table is at full capacity.
  Bypass New Sessions: The device bypasses new sessions until the Session table has room for new entries.
  Block New Sessions: The device blocks new sessions until the Session table has room for new entries.
  Default: Bypass New Sessions
Incomplete TCP-Handshake Timeout
  How long, in seconds, the device waits for the three-way handshake to be completed for a new TCP session. When the timeout elapses, the device deletes the session and, if the Send Reset To Server option is enabled, sends a reset packet to the server.
  0: The device uses the specified Session Aging Time.
  1 to 10: The TCP Handshake Timeout in seconds.
  Default: 10

Session Table Entries

To set the number of Session Table entries to be shown
1. Select Device > Session Table > View Table Query Results.
2. In the Maximum Displayed Entries text box, enter the number of Session table entries to be shown.

To set the session table query filters
1. Select Device > Session Table > View Table Query Results.
2. Click Create.
3. Configure the parameters, and click Set.

Name: A unique name of the filter.
Source IP: The source IP within the defined subnet.
Source IP mask: The source IP mask used to define the subnet that you want to present in the Session Table.
Dest IP: The destination IP within the defined subnet.
Dest IP mask: The destination IP mask used to define the subnet that you want to present in the Session Table.
Source Port: The session source port.
Dest Port: The session destination port.
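The following simulation shows how the Session table timers above interact in Full L4 lookup mode: a half-open TCP session is dropped by the Incomplete TCP-Handshake Timeout, a session that saw a FIN is removed after the Session End time unless more packets arrive, and everything else falls to the per-protocol idle aging time. It is an added example, not Check Point code; the class and method names are assumptions, the constants are the page defaults except that Send Reset To Server is enabled here to show its effect.

```python
# Simulation of the Session table aging rules (Full L4 lookup mode). Added example,
# not Check Point code: class/method names are assumptions; constants are page defaults
# except SEND_RESET_TO_SERVER, which the page defaults to Disabled.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IDLE_AGING = {"tcp": 100, "udp": 100, "sctp": 100, "icmp": 100, "gre": 100, "other": 100}
SESSION_END_TIME = 5          # Remove Session Entry at Session End Time (seconds)
HANDSHAKE_TIMEOUT = 10        # Incomplete TCP-Handshake Timeout; 0 = use Session Aging Time
SEND_RESET_TO_SERVER = True   # Send Reset To Server Status

Key = Tuple[str, str, int, str, int]   # proto, src ip, src port, dst ip, dst port


@dataclass
class Session:
    created: float
    last_seen: float
    established: bool                  # handshake completed (always True for non-TCP)
    end_seen: Optional[float] = None   # time of the last FIN/RST not followed by more traffic


class SessionTable:
    def __init__(self) -> None:
        self.entries: Dict[Key, Session] = {}
        self.resets_sent: List[Tuple[str, int]] = []   # (dst ip, dst port) that received a RST

    def _find(self, proto, src, sport, dst, dport) -> Optional[Key]:
        # Entries are keyed by the initiating direction; replies must hit the same entry.
        for key in ((proto, src, sport, dst, dport), (proto, dst, dport, src, sport)):
            if key in self.entries:
                return key
        return None

    def packet(self, now, proto, src, sport, dst, dport, flags=frozenset()) -> Key:
        """Record one packet; flags is a set of TCP flag names such as {"SYN", "ACK"}."""
        key = self._find(proto, src, sport, dst, dport)
        if key is None:
            key = (proto, src, sport, dst, dport)
            self.entries[key] = Session(now, now, established=(proto != "tcp"))
        s = self.entries[key]
        s.last_seen = now
        if proto == "tcp":
            if "ACK" in flags and "SYN" not in flags:
                s.established = True      # third packet of the handshake (or later data)
            if flags & {"FIN", "RST"}:
                s.end_seen = now          # start the Session End removal timer
            else:
                s.end_seen = None         # more traffic on the session: keep the entry
        return key

    def age(self, now) -> List[Tuple[Key, str]]:
        """Remove entries whose timer expired; returns (key, reason) per removal."""
        removed = []
        for key, s in list(self.entries.items()):
            proto = key[0]
            idle_limit = IDLE_AGING.get(proto, IDLE_AGING["other"])
            if (proto == "tcp" and not s.established and HANDSHAKE_TIMEOUT
                    and now - s.created >= HANDSHAKE_TIMEOUT):
                reason = "incomplete-handshake"
            elif s.end_seen is not None and now - s.end_seen >= SESSION_END_TIME:
                reason = "session-end"
            elif now - s.last_seen >= idle_limit:
                reason = "idle"
            else:
                continue
            del self.entries[key]
            # Assumption: a RST goes to the destination of aged TCP sessions, not to
            # sessions the peers already closed with FIN/RST.
            if proto == "tcp" and SEND_RESET_TO_SERVER and reason != "session-end":
                self.resets_sent.append((key[3], key[4]))
            removed.append((key, reason))
        return removed
```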

IP Fragmentation

In some cases, when the length of an IP packet is too long to be transmitted, the originator of the packet or one of the routers transmitting the packet has to fragment the packet into multiple shorter packets. IP Fragmentation allows the device to forward fragmented IP packets. The device identifies that all the fragments belong to the same datagram and treats them accordingly in terms of classification, load balancing, and forwarding. The device does not reassemble the original IP packet, but it forwards the fragmented datagrams to their destination, even if the fragments arrive at the device out of order.

Note: In case of asymmetric routing, when the device does not see all fragmented packets, the device drops the incomplete fragments.

To set the IP fragmentation parameters
1. Select Device > IP Fragmentation.
2. Configure the parameters, and click Set.

Status
  Allows you to enable or disable IP Fragmentation.
  Note: Enabling IP Fragmentation requires a reboot.
Queueing-limit
  The percentage of IP packets that the device allocates for out-of-order fragmented IP datagrams.
  Range: 0 to 100
  Default: 25
Aging
  The amount of time, in seconds, that the device keeps the fragmented datagrams in the queue.
  Range: 1 to 255
  Default: 1

Device Overload Mechanism

When the traffic load goes beyond the processing limits of the device, you can allow the use of the Overload mechanism. Using this mechanism maintains a high level of availability and hardware/software stability, reducing traffic delays or packet loss. The Overload mechanism identifies overload conditions, notifies about them, and automatically takes actions that aim to reduce the relevant resource-consuming operations.

Note: When the device operations are reduced, some of the security functionality is compromised.

To enable the overload mechanism
1. Select Device > Overload Mechanism.
2. Select one of the following:
   - Enable to start the Overload mechanism.
   - Disable to stop the Overload mechanism.
3. Click Set.

High Availability

High Availability Global Parameters

To support high availability (HA), you can configure two compatible DDoS Protector devices to operate in a two-node cluster. To be compatible, both cluster members must be of the same platform, software version, software license, throughput license, and Check Point signature file.

One member of the cluster is the primary; the other member of the cluster is the secondary. The primary device is the device with the High Availability Pair Definition. When you configure a cluster and submit the configuration, the newly designated primary device configures the required parameters on the designated secondary device.

The members of a cluster work in an active-passive architecture. When a cluster is created:
- The primary and secondary devices negotiate the active/passive status according to the specified triggers and thresholds. If both device environments are nominal, the primary device becomes the active member.
- The primary device transfers the relevant configuration objects to the secondary device. A secondary device maintains its own configuration for the device users, IP interfaces, routing, and the port-pair Failure Mode (see Forwarding Table).
- A primary device immediately transfers each relevant change to its secondary device. For example, after you make a change to a Network Protection policy, the primary device immediately transfers the change to the secondary device. However, if you change the list of device users on the primary device, the primary device transfers nothing (because the secondary device maintains its own list of device users).
- The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections.
If a passive device does not detect the active device within the specified Heartbeat Timeout, the passive device switches to the active state (even though the peer might actually be in a nominal situation).

The following situations trigger the active device and the passive device to switch states (active to passive and passive to active):
- All links are identified as down on the active device according to the specified Link Down Timeout, and the peer device has at least one link up.
- Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the specified Idle Line Timeout.
- You issue the Switch Over command.

If the Enable Failback option is enabled (default: disabled), the secondary device switches from active to passive after it detects that the primary device situation is nominal.

You cannot perform many actions on a secondary device.

You can perform only the following actions on a secondary device:
- Switch the device state (that is, switch over active to passive and passive to active)
- Break the cluster if the primary device is unavailable
- Configure management IP addresses and routing
- Configure the port-pair Failure Mode
- Manage device users
- Download a device configuration
- Upload a signature file
- Download the device log file
- Download the support log file
- Reboot
- Shut down
- Change the device name
- Change the device time
- Initiate a baseline synchronization if the device is passive, using the CLI or Web Based Management

Notes:
- By design, an active device does not fail over during a user-initiated reboot. Before you reboot an active device, you can manually switch to the other device in the cluster.
- You can initiate a baseline synchronization if a cluster member is passive.
- When you upgrade the device software, you need to break the cluster (that is, ungroup the two devices). Then, you can upgrade the software and reconfigure the cluster, as you require.
- In an existing cluster, you cannot change the role of a device (primary to secondary or vice versa). To change the role of a device, you need to break the cluster (that is, ungroup the two devices), and then reconfigure the cluster as you require.
- When a passive device becomes active, any grace time resets to 0 (for example, the time of the Graceful Startup Mode Startup Timer).

To configure the global setting for high availability
1. Select Device > High Availability > Global Parameters.
2. Configure the parameter, and click Set.

Mechanism Status
  Specifies whether the device is a member of a two-node cluster for high availability.

High Availability Advanced Configuration

Note: For more information on high availability, see Global Parameters.

To configure the advanced settings for high availability
1. Select Device > High Availability > Advanced Configuration.
2. Configure the parameters, and click Set.

Baseline Sync Interval
  The interval, in seconds, at which the active device synchronizes the BDoS and HTTP Mitigator baselines.
  Range: 3600 to 86,400
  Default: 3600
Heartbeat Timeout
  The time, in seconds, that the passive device detects no heartbeat from the active device before the passive device becomes active.
  Range: 1 to 10
  Default: 5
Link Down Timeout
  The time, in seconds, after all links to the active device are identified as being down before the devices switch states.
  Range: 1 to 65,535
  Default: 1
  Note: If a dead link or idle line is detected on both cluster members, there is no switchover.
Switchover Sustain Timeout
  The time, in seconds, after a manual switchover during which the cluster members do not change states.
  Range: 30 to 3600
  Default: 180
Idle Line Detection Status
  Specifies whether the devices switch states due to an idle line detected on the active device.
  Default: disable
  Note: If an idle line is detected on both cluster members, there is no switchover.
Total BW Threshold
  The minimum bandwidth, in Kbit/s, that triggers a switchover when Idle Line Detection Status is enable.
  Range: 512 to 4,294,967,296
  Default: 512
  Note: If Idle Line Detection Status is disable, this parameter is ignored.
Idle Line Timeout
  The time, in seconds, with line bandwidth below the Total BW Threshold that triggers a switchover when Idle Line Detection Status is enable.
  Range: 3 to 65,535
  Default: 10
  Note: If Idle Line Detection Status is disable, this parameter is ignored.
Enable Failback
  Specifies whether the secondary device can automatically fail back to the primary.
  Default: disable

Pair Definition

High Availability Pair Definition

Note: For more information on high availability, see Global Parameters.

To define a high-availability pair
1. Select Device > High Availability > Pair Definition > Pair Parameters.
2. Configure the parameters, and click Set.

MNG-1 Peer IP address: The IP address of the MNG-1 port on the peer device.
MNG-2 Peer IP address: The IP address of the MNG-2 port on the peer device.
Secondary User Name: The user name for the secondary device.
Secondary Password: The password for the secondary device.

Update High Availability Pair Definition

Note: For more information on high availability, see Global Parameters.

To update a definition of a high-availability pair
1. Select Device > High Availability > Pair Definition > Update Pair.
2. Click Set.

High Availability Monitoring

You can monitor high-availability parameters.

Note: For more information on high availability, see Global Parameters.

To monitor high availability
Select Device > High Availability > Monitoring.

The following information is displayed:
- High-Availability Priority
- High-Availability State
- High-Availability Protection State
- Last Successful Baseline Sync
- Incompatibility Status (primary only)
- Synchronization IP Interface
- Peer IP

Switch Over

Note: For more information on high availability, see Global Parameters.

To switch over to the peer device
1. Select Device > High Availability > Switch Over.
2. Click Set.

Activate Baseline Sync with Peer Device

Note: For more information on high availability, see Global Parameters.

To activate a baseline sync with the peer device
1. Select Device > High Availability > Baseline Sync.
2. Click Set.

Reset Secondary

You can reset the secondary device when the device role is primary.

Note: For more information on high availability, see Global Parameters.

To reset the secondary device
1. Select Device > High Availability > Reset Secondary.
2. Click Set.

Tunneling

Carriers, service providers, and large organizations use various tunneling protocols to transmit data from one location to another. This is done over the IP network so that network elements are unaware of the data encapsulated in the tunnel. Tunneling implies that traffic routing is based on source and destination IP addresses. When tunneling is used, IPS devices and load balancers cannot locate the relevant information, because their decisions are based on information located inside the IP packet at a known offset, and the original IP packet is encapsulated in the tunnel. To provide a carrier-grade IPS/DoS solution, DDoS Protector inspects traffic in tunnels, which allows positioning DDoS Protector at peering points and carrier network access points.

You can install DDoS Protector in different environments, which might include encapsulated traffic using different tunneling protocols. In general, wireline operators deploy MPLS and L2TP for their tunneling, and mobile operators deploy GRE and GTP. DDoS Protector can inspect traffic that may use various encapsulation protocols. In some cases, the external header (tunnel data) is the data that DDoS Protector needs to inspect. In other cases, DDoS Protector needs to inspect the internal data (the IP header and even the payload).
You can configure DDoS Protector to meet your specific inspection requirements.

Note: Changing the configuration of this feature takes effect only after a device reset.

To configure tunneling
1. Select Device > Tunneling.
2. Configure the parameters, and click Set.

Apply Black and White List Rules to the Encapsulated Headers
  Specifies whether the device applies Black List and White List rules to the encapsulated headers.
  Default: Disabled
Inspect Encapsulated GRE Traffic
  Specifies whether the device inspects this type of traffic.
  Default: Disabled
Inspect Encapsulated GTP Traffic
  Specifies whether the device inspects this type of traffic.
  Default: Disabled
Inspect Encapsulated L2TP Traffic
  Specifies whether the device inspects this type of traffic.
  Default: Disabled
Inspect VLAN (802.1Q) and MPLS Traffic
  Specifies whether the device inspects this type of traffic.
  Default: Disabled
  Note: You can configure the device to inspect the traffic using the common Layer 2 tunneling protocols, VLAN (802.1Q) and MPLS. Inspecting these types of L2 tunnels, as part of the protection criteria, is essential in environments such as Managed Security Service Providers (MSSP).
Inspect Encapsulated IP-in-IP Traffic
  Specifies whether the device inspects this type of traffic.
  Default: Disabled
Bypass IPSec Traffic
  Specifies whether the device bypasses IPsec traffic (that is, whether the device passes through IPsec traffic).
  Default: Enabled

IP Version Mode

Use the IP Version Mode pane to set the IP version to IPv4 and IPv6, or to IPv4 only.

To set the IP version mode
1. Select Device > IP Version Mode.
2. From the drop-down list, select ipv4and6 or ipv4.
3. Click Set.

Dynamic Protocols

Dynamic Protocols: General

Check Point's Classification Engine classifies both static applications and dynamic applications. A dynamic application is an application that has multiple connections belonging to the same session. For example, FTP has a Control Session and a Data Session; SIP has Signaling sessions, Data sessions (RTP), and Control sessions (RTCP).

In some scenarios, the dynamic sessions should stay in the Session Table longer than regular sessions. In VoIP, SIP, and H.225, for example, there may be a period with no traffic while the call is still active, and the session should not age. You can configure different aging times for various dynamic applications and configure different policies for different connections of the same session. In FTP, for example, you can set one policy for the FTP data and another policy for the FTP control.

Note: The default status for all Dynamic Protocols, other than SIP, is enabled.

You can set the aging time for the following Dynamic Protocols:
- FTP
- TFTP
- Rshell
- Rexec
- H.225
- SIP

Dynamic Protocols: FTP

The FTP Configuration window enables you to configure the control session and data session Aging Time for the FTP Dynamic Protocol.

Note: When Dynamic Protocol Support is enabled for FTP, it is not possible to limit the bandwidth of a specific file download (using a filter for the RETR command and the file name).

To set the FTP dynamic protocol parameters
1. Select Device > Dynamic Protocols > FTP.
2. Configure the parameters, and click Set.

Status: Specifies whether to enable the FTP Dynamic Protocol.
Control Session Aging Time: The Control Session Aging Time, in seconds. Default: 0
Data Session Aging Time: The Data Session Aging Time, in seconds. Default: 0

Dynamic Protocols: TFTP

The TFTP Configuration window enables you to configure the data session Aging Time for the TFTP Dynamic Protocol.

To set the TFTP dynamic protocol parameters
1. Select Device > Dynamic Protocols > TFTP.
2. Configure the parameters, and click Set.

Status: Specifies whether to enable the TFTP Dynamic Protocol.
Data Session Aging Time: The Data Session Aging Time, in seconds. Default: 0

Dynamic Protocols: Rshell

The Rshell Configuration window enables you to configure the control session and error session Aging Time for Rshell.

To set the Rshell configuration parameters
1. Select Device > Dynamic Protocols > Rshell.
2. Configure the parameters, and click Set.

Status: Specifies whether to enable the Rshell Dynamic Protocol.
Control Session Aging Time: The Control Session Aging Time, in seconds. Default: 0
Error Session Aging Time: The Error Session Aging Time, in seconds. Default: 0

Dynamic Protocols: Rexec

The Rexec Configuration window enables you to configure the control session and error session Aging Time for Rexec.

To set the Rexec dynamic protocol parameters
1. Select Device > Dynamic Protocols > Rexec.
2. Configure the parameters, and click Set.

Status: Specifies whether to enable the Rexec Dynamic Protocol.
Control Session Aging Time (sec): The Control Session Aging Time, in seconds. Default: 0
Error Session Aging Time (sec): The Error Session Aging Time, in seconds. Default: 0

Dynamic Protocols: H.225

The H.225 Configuration window enables you to configure the control session and H.245 session Aging Time for H.225.

To set the H.225 configuration parameters
1. Select Device > Dynamic Protocols > H.225.
2. Configure the parameters, and click Set.

Status: Specifies whether to enable the H.225 Dynamic Protocol.
Control Session Aging Time: The Control Session Aging Time, in seconds. Default: 0
H.245 Session Aging Time: The H.245 Session Aging Time, in seconds. Default: 0

Dynamic Protocols: SIP

The SIP Configuration window enables you to configure the Signaling session, RTCP session, and SIP TCP Segments Aging Time for SIP.

Note: Enabling and disabling Dynamic Protocol Support for SIP requires a reboot.

To set the SIP dynamic protocol parameters
1. Select Device > Dynamic Protocols > SIP.
2. Configure the parameters, and click Set.

Status: Specifies whether to enable the SIP Dynamic Protocol.
Signaling Session Aging Time: The Signaling Session Aging Time, in seconds. Default: 20
RTCP Session Aging Time: The RTCP Session Aging Time, in seconds. Default: 0
SIP TCP Segments Aging Time: When SIP runs over TCP and packets are segmented, this parameter indicates how long the device keeps the packet. Default: 5

Chapter 4 Configuring Router Parameters

IP Router

Operating Parameters

The IP Router Parameters window enables you to monitor, add, and edit router settings.

To set the IP router parameters
1. Select Router > IP Router > Operating Parameters.
2. Configure the parameters, and click Set.

Inactive ARP Timeout
  The time, in seconds, that inactive ARP cache entries can remain in the ARP table before the device deletes them. If an ARP cache entry is not refreshed within the specified period, it is assumed that there is a problem with that address.
  Default: 60,000
ARP Proxy
  Specifies whether the device responds to ARP requests for nodes located on a different directly connected subnet. (The device responds with its own MAC address.)
  Enabled: The device responds to all ARP requests.
  Disabled: The device responds only to ARP requests for its own IP addresses.
  Default: Disabled
ICMP Error Messages
  Specifies whether ICMP error messages are generated.

Interface Parameters

To configure an interface
1. Select Router > IP Router > Interface Parameters.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

IP Address: The IP address of the interface.
Network Mask: The associated subnet mask.
If Number: The interface identifier. If the interface is a VLAN, the included interfaces are listed in the box in the Edit window.
Fwd Broadcast: Specifies whether the device forwards incoming broadcasts to this interface.
Broadcast Addr: Specifies whether to fill the host ID in the broadcast address with ones or zeros.
VlanTag: The VLAN tag to be associated with this IP interface. When multiple VLANs are associated with the same switch port, the switch needs to identify to which VLAN to direct incoming traffic from that specific port. VLAN tagging provides an indication in the Layer 2 header, which enables the switch to make the correct decision.
Peer Address: The address of the peer.

To update the ICMP interface parameters
1. Select Router > IP Router > Interface Parameters.
2. Click the IP address of the ICMP interface that you want to update.
3. Configure the parameters, and click Set.

IP Address: The IP address of the interface.
Advert. Address: The IP destination address for multicast Router Advertisements sent from the interface. Possible values are the all-systems multicast address, 224.0.0.1, or the limited-broadcast address, 255.255.255.255.
Max Advert. Interval: The maximum time, in seconds, between multicast Router Advertisements from the interface. Possible values are between the Min Advert. Interval defined below and 1800 seconds.
Min Advert. Interval: The minimum time, in seconds, between sending unsolicited multicast Router Advertisements from the interface. Possible values are between 3 seconds and the maximum interval defined above. The default value is 0.75 of the Maximum Interval.
Advert. Lifetime: The maximum time, in seconds, that the advertised addresses are considered valid. Must be no less than the Maximum Interval defined above, and no greater than 9000 seconds. The default value is three times the Max Advert. Interval.

Advertise: Specifies whether to advertise the device IP address using ICMP Router Advertisements.
Preference Level: The preference level of the address as a default router address, relative to other router addresses on the same subnet.
Reset to Defaults: Resets the ICMP interface parameters to the default values.

Routing Table

DDoS Protector supports IP routing compliant with the RFC 1812 router requirements. Dynamic addition and deletion of IP interfaces is supported. This ensures that extremely low latency is maintained. The IP router supports the RIP I, RIP II, and OSPF routing protocols. OSPF is an intra-domain IP routing protocol, intended to replace RIP in bigger or more complex networks. OSPF and its MIB are supported as specified in RFC 1583 and RFC 1850, with some limitations.

To configure a route
1. Select Router > Routing Table.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Destination Address: The destination IP address of this route.
Network Mask: The destination network mask of this route.
Next Hop: The address of the next system of this route, local to the interface.
Interface Index: The IF Index of the local interface through which the next hop of this route is reached.
Type: How remote routing is handled.
  remote: Forwards packets.
  reject: Discards packets.
Metric: The number of hops to the destination network.

ARP Table

The ARP (Address Resolution Protocol) Table window allows you to update and create ARP addresses on the local route.

To update an existing ARP entry
1. Select Router > ARP Table.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Interface Index: The interface number on which the station resides.
IP Address: The station's IP address.
MAC Address: The station's MAC address.
Type:
  Other
  Invalid
  Dynamic: The entry is learned from the ARP protocol. If the entry is not active for a predetermined time, the node is deleted from the table.
  Static: The entry has been configured by the network management station and is permanent.

Chapter 5 Configuring DDoS Protector Parameters

DoS Signatures

Application Security

Application Security Global Parameters

Application Security is a mechanism that delivers advanced attack detection and prevention capabilities. This mechanism is used by several security modules to provide maximum protection for network elements, hosts, and applications.

To set the application security global parameters
1. Select DDoS Protector > DoS Signatures > Application Security > Global Parameters.
2. Configure the parameters, and click Set.

Protection Status
  Select enable to start protection.
  Default: enable
MAX URI Length
  The maximum URI length permitted. If a URI is longer than the configured value, the URI is considered illegitimate and is dropped.
  Default: 500
MIN fragmented URI packet Size
  The minimum permitted size, in bytes, of an incomplete URI in an HTTP request. A shorter packet length is treated as a URI protocol anomaly and is dropped.
  Default: 50
Security Tracking Tables Free-Up Frequency [ms]
  How often, in milliseconds, the device clears unnecessary entries from the table and stores information about newly detected security events.
  Default: 1250
Unicode Encoding
  The language encoding (the language and character set) to use for detecting security events.

Tcp Reassembly Mechanism Status
  Specifies whether the device tries to reassemble fragmented TCP packets.
  Default: enable
Session-Drop Mechanism Status
  When enabled, terminates the whole session when a single malicious packet is recognized.
  Default: enable

DoS Shield

DoS Shield Global Parameters

The DoS Shield Global Parameters window enables you to enable the DoS Shield module and set its global parameters. The DoS Shield mechanism implements the Sampling algorithm and handles traffic flooding aimed at denying network services. Before using DoS Shield, you need to enable the DoS Shield module.

To configure DoS Shield global parameters
1. Select DDoS Protector > DoS Signatures > DoS Shield > Global Parameters.
2. Configure the parameters, and click Set.

Protection Status
  Specifies whether the DoS Shield module is enabled.
Sampling Rate
  The rate at which packets are sampled and compared to the Dormant Attacks. You configure a number that indicates once per how many packets the sampling is performed.
  Default: 100, that is, 1 out of 100 packets is checked.
Sampling Frequency
  How often, in seconds, DoS Shield compares the predefined thresholds for each Dormant Attack to the current value of the counters of packets matching the attack.
  Default: 5

Filters

Basic Filters

Basic Static Filters

The Basic Static Filters window enables you to view the Basic Filters. A Basic Filter constitutes protection against a specific attack, meaning that each Basic Filter has a specific attack signature and protection parameters. An Advanced Filter represents a logical AND between two or more Basic Filters. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one basic filter to protect against them.

Note: You can create Advanced Filters using user-defined Basic Filters only.

To view the basic static filters
1. Select DDoS Protector > DoS Signatures > Filters > Basic Filters > Static.
2. Select the basic static filter for which you want to view the details.

Basic User Filters

Note: If you edit the parameters of a filter that is bound to an existing policy, you need to activate the latest changes.

To create a basic filter
1. Select DDoS Protector > DoS Signatures > Filters > Basic Filters > User.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Name
  The name of the filter.
Protocol
  The protocol used. IP, UDP, TCP, ICMP
Source App. Port
  The source application ports.
Destination App. Port
  The destination application ports.
  Range: 0-65535
  Default: 0
OMPC Offset
  The location in the packet from which the checking of data is started, in order to find specific bits in the IP/TCP header.
  Range: 0-1513
  Default: 0
OMPC Offset Relative to
  Specifies to which point in the packet the OMPC offset is relative. None, IP Header, IP Data, L4 Data, Ethernet, L4 Header, IPV6 Header
  Default: None

OMPC Mask: The mask for the OMPC data. Possible values: a combination of hexadecimal digits (0-9, a-f). The value must be defined according to the OMPC Length parameter and must contain 8 symbols. If the OMPC Length value is lower than fourbytes, you need to complete it with zeros. For example, if OMPC Length is twobytes, OMPC Mask can be: abcd0000. Default: 00000000
OMPC Pattern: The fixed-size pattern that the OMPC rule attempts to find within the packet. Possible values: a combination of hexadecimal digits (0-9, a-f). The value must be defined according to the OMPC Length parameter and must contain 8 symbols. If the OMPC Length value is lower than fourbytes, you need to complete it with zeros. For example, if OMPC Length is twobytes, OMPC Pattern can be: abcd0000. Default: 00000000
OMPC Condition: The OMPC condition can be N/A, equal, notequal, greaterthan or lessthan. Default: N/A
OMPC Length: The length of the OMPC (Offset Mask Pattern Condition) data. N/A, onebyte, twobytes, threebytes, fourbytes. Default: N/A
Content Offset: The location in the packet from which the checking of content starts. 0-1513 Default: 0
Distance: A range that defines the allowed distance between two content characters. If the distance is beyond the specified range, it is recognized as an attack.
Content: Contains the actual value of the content search. Allowed characters: <space> ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { } ~

Content Type: Enables the user to search for a specific content type.
   None
   URL: In the HTTP Request URI. No normalization procedures are applied.
   Normalized URL: To avoid evasion techniques when classifying HTTP GET requests, the URL content is transformed into its canonical representation, so that the URL is interpreted the same way the server would interpret it. The normalization procedure supports the following cases:
      Directory referencing, by reducing '/./' to '/' or "A/B/../" to "A/"
      Changing backslash ('\') to slash ('/')
      Changing HEX encoding to ASCII characters. For example, the hex value %20 is changed to " " (space).
      Unicode support, UTF-8 and IIS encoding.
   Host Name: In the HTTP Header
   Text: Anywhere in the packet
   HTTP Header Field: In the HTTP Header
   Mail Domain: In the SMTP Header
   Mail To: In the SMTP Header
   Mail From: In the SMTP Header
   Mail Subject: In the SMTP Header
   Regular Expression: Anywhere in the packet
   Header Type: HTTP Header field. The "Content" field includes the header field name, and the "Content Data" field includes the field value.
   File Type: The type of the requested file in the HTTP GET command (jpg, exe, and so on).
   POP3 User: User field in the POP3 Header.
   Cookie Data: HTTP cookie field. The "Content" field includes the cookie name, and the "Content Data" field includes the cookie value.
   FTP Content: Scans the data transmitted using FTP, normalizing the FTP packets and stripping Telnet opcodes.
   FTP Command: Parses FTP commands into commands and arguments, normalizing the FTP packets and stripping Telnet opcodes.
   RPC: Reassembles RPC requests spread over several packets. The RPC standard (RFC 1831) provides a feature called Record Marking Standard (RM), which is used to delimit several RPC requests sent on top of the transport protocol. In the case of a stream-oriented protocol (such as TCP), RPC uses a kind of fragmentation to delimit the records. Beyond its original purpose, this fragmentation may also split records in the middle and not only at their boundaries; in some cases this can be used to evade IPS systems.
   Default: N/A
   Note: The following two content types appear in devices with the SME card only.
   HTTP Reply Header: The header of the HTTP reply.
   HTTP Reply Data: The data of the HTTP reply.
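The Normalized URL content type above is easiest to understand by seeing the canonicalization steps run over real inputs. The following Python is an added example written for this page; it is not DDoS Protector code and does not claim to reproduce the device's normalizer. It implements the four cases the guide lists (dot-segment reduction, backslash to slash, %XX hex decoding with UTF-8, and IIS %uXXXX decoding) and then shows why a signature matched against the raw URI can be evaded while the normalized form is not. The SAMPLE_URIS list is constructed, and the handling of the query string is an assumption.

```python
import re
from urllib.parse import unquote

_IIS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")   # IIS-style %uXXXX encoding


def normalize_url(raw: str) -> str:
    """Canonical form of an HTTP request URI, covering the cases the guide lists:
    dot-segment reduction, backslash to slash, %XX hex decoding (UTF-8 aware),
    and IIS %uXXXX decoding. Request URIs are expected to start with '/'.
    The query string is kept as-is (an assumption; the guide does not discuss it)."""
    url = _IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    url = unquote(url)                      # %XX hex (including UTF-8 sequences) to characters
    url = url.replace("\\", "/")            # backslash to slash, after decoding so %5C is covered
    path, sep, query = url.partition("?")
    segments = []
    for seg in path.split("/"):
        if seg == ".":                      # '/./' -> '/'
            continue
        if seg == "..":                     # 'A/B/../' -> 'A/', never climbing above the root
            if len(segments) > 1:
                segments.pop()
            continue
        segments.append(seg)
    return "/".join(segments) + sep + query


def url_signature_hits(signature: str, request_uris) -> list:
    """URIs whose normalized form contains the signature; the raw form may not."""
    return [uri for uri in request_uris if signature in normalize_url(uri)]


# Constructed sample request URIs (not captured traffic).
SAMPLE_URIS = [
    "/images/./logo%20new.png",
    "/a\\b/../c%2Fd",
    "/docs%u002Fguide?x=1",
    "/static/../reports/./summary",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(uri, "->", normalize_url(uri))
```

The order of the steps matters: decoding runs before the backslash replacement so that an encoded backslash (%5C) is also covered, and dot-segment reduction runs last so that a "../" produced by decoding is still collapsed. This is the reason the guide recommends Normalized URL over URL when the goal is to classify requests the way the server will.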

Content Max Length: The maximum length to be searched within the selected Content Type. The Content Max Length value must be equal to or greater than the Offset value. 0-1513 Default: 0
Content Data: Refers to the search for the content within the packet. N/A, URL, Text
Content Encoding: Application Security can search for content in languages other than English, for case-sensitive or case-insensitive text, as well as for hexadecimal strings. The value of this field corresponds to the Content Type parameter. None, Case Insensitive, Case Sensitive, HEX, International. Default: None
Content Data Encoding: Application Security can search for data in languages other than English, for case-sensitive or case-insensitive data, as well as for hexadecimal strings. The value of this field corresponds to the Content Type parameter. None, Case Insensitive, Case Sensitive, HEX, International. Default: None
Content Regular Expression: Allows you to search for the content type anywhere in the packet. Yes, No
Content Data Reg Expression: Yes, No

Packet Size Type: The content for which the size is measured.
   L2: The complete packet size is measured, including L2 headers.
   L3: The L2 data part of the packet is measured (excluding the L2 headers).
   L4: The L3 data part of the packet is measured (excluding the L2/L3 headers).
   L7: The L4 data part of the packet is measured (excluding the L2/L3/L4 headers).
Session Type: This parameter enables you to create different basic filter connection types for Dynamic Protocols. For example, you can create a Basic Filter for FTP Data, SIP Video, TFTP Control, and other Dynamic Protocols.
Session Type Direction: Limits the classification according to the direction of the session: request packets only, reply packets only, or all packets belonging to the session.
Packet Size Range: The range of values for the packet size.
Notes:
   The size is measured per packet only; it is not applied to reassembled packets.
   Fragmentation of L4-L7 packets may produce tails that do not contain the L4-L7 headers. In such cases the check is bypassed, as no match to Type = L4-L7 is detected.

Advanced Filters

Advanced Filters: Static
The Advanced Filter represents a logical AND between two or more Basic Filters. Some attacks have a complex signature comprised of several patterns and content strings; these attacks require more than one Basic Filter to protect against them.
Note: You can create Advanced Filters using the Advanced User Filters.
Use the Static Advanced Filter table to view static Advanced Filters.

To view static Advanced Filters
Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > Static.
The Advanced Filters table is displayed with the following parameters:
Name: The name of the filter.
Number of Filters: The number of filters for this entry.
Note: To view the configuration of a filter, click on it.
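The OMPC parameters (Offset, Offset Relative to, Mask, Pattern, Condition, Length) and the Packet Size Type values above are both ways of describing byte positions inside one packet, so one worked example covers both. The following Python is an added example written for this page, not Check Point's code: it builds a constructed Ethernet/IPv4/TCP frame, resolves each "Relative to" anchor to a byte position (the meaning of the None anchor as the frame start is an assumption, and IPV6 Header is not modelled), evaluates a rule with the 8-hex-symbol mask and pattern convention the guide describes, and measures L2/L3/L4/L7 sizes. The helper names and the sample rule are hypothetical.

```python
import struct

# Constructed Ethernet/IPv4/TCP frame used as sample input (not captured device data).
def build_frame(tcp_flags: int, ttl: int = 64, payload: bytes = b"") -> bytes:
    eth = bytes(6) + bytes(6) + b"\x08\x00"            # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # checksum left as 0
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def anchors(frame: bytes) -> dict:
    """Byte position of each 'OMPC Offset Relative to' value in the frame.
    Hypothetical helper; 'None' is assumed to mean the start of the frame."""
    eth_len = 14
    ihl = (frame[eth_len] & 0x0F) * 4                   # IPv4 header length in bytes
    ip_data = eth_len + ihl
    proto = frame[eth_len + 9]
    if proto == 6:                                      # TCP: data-offset field
        l4_len = (frame[ip_data + 12] >> 4) * 4
    elif proto == 17:                                   # UDP: fixed 8-byte header
        l4_len = 8
    else:
        l4_len = 0
    return {"None": 0, "Ethernet": 0, "IP Header": eth_len, "IP Data": ip_data,
            "L4 Header": ip_data, "L4 Data": ip_data + l4_len}


OMPC_LENGTHS = {"onebyte": 1, "twobytes": 2, "threebytes": 3, "fourbytes": 4}
CONDITIONS = {
    "equal": lambda v, p: v == p,
    "notequal": lambda v, p: v != p,
    "greaterthan": lambda v, p: v > p,
    "lessthan": lambda v, p: v < p,
}


def ompc_match(frame, offset, relative_to, mask, pattern, condition, length) -> bool:
    """Apply one Offset/Mask/Pattern/Condition rule to a frame.
    mask and pattern are the 8-hex-symbol strings the guide describes; only the
    first 2*length symbols are significant, the rest is zero padding."""
    if condition == "N/A" or length == "N/A":
        return False                                    # rule not configured
    if len(mask) != 8 or len(pattern) != 8:
        raise ValueError("OMPC Mask and OMPC Pattern must contain 8 hex symbols")
    n = OMPC_LENGTHS[length]
    start = anchors(frame)[relative_to] + offset
    window = frame[start:start + n]
    if len(window) < n:
        return False                                    # packet too short: no match
    value = int.from_bytes(window, "big") & int(mask[:2 * n], 16)
    return CONDITIONS[condition](value, int(pattern[:2 * n], 16))


def packet_size(frame: bytes, size_type: str) -> int:
    """Packet Size Type semantics: L2 = whole frame, L3 = without L2 headers,
    L4 = without L2/L3 headers, L7 = without L2/L3/L4 headers."""
    a = anchors(frame)
    start = {"L2": 0, "L3": a["IP Header"], "L4": a["L4 Header"], "L7": a["L4 Data"]}[size_type]
    return len(frame) - start


if __name__ == "__main__":
    # Sample rule: TCP flags byte (offset 13 of the TCP header, read through a 2-byte
    # window at offset 12) has SYN set and ACK clear -> (flags & 0x12) == 0x02
    print(ompc_match(build_frame(0x02), 12, "L4 Header", "00120000", "00020000", "equal", "twobytes"))
```

The sample rule shows why the mask exists: with Length twobytes at offset 12 of the L4 header the window also covers the data-offset byte, and the mask 00120000 discards it together with every flag bit other than SYN and ACK before the comparison. A window that runs past the end of the packet yields no match, which is the same outcome the guide's note describes for fragment tails that carry no L4-L7 header.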

Advanced Filters: User
The Advanced Filter represents a logical AND relation between two or more Basic Filters. Some attacks have a complex signature comprised of several patterns and content strings; the system requires more than one Basic Filter to protect against such attacks.
Note: Once all associated filters are deleted from the advanced filter, the advanced filter is erased.

To create an advanced user filter
1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > User.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Advanced: Enter the name of the Advanced Filter.
Basic: Select a Basic Filter from the drop-down list.

To add a basic filter to an existing advanced user filter
1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > User.
2. Click Create.
3. From the Basic drop-down list, select the basic filter to add to the advanced filter, and click Set.

To delete an advanced user filter
1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > User.
2. Select the advanced filter to delete.
3. Select the checkboxes of all the basic filters in the advanced filter, and click Delete.

Attacks

Static Attacks
The Attacks Database contains attacks provided by Check Point. You can add user-defined attacks to reflect the specific needs of your network, or edit the existing attacks. The Signature Protection Static Attack Configuration window enables you to edit existing attack parameters.

To edit a static attack
1. Select DDoS Protector > DoS Signatures > Attacks > Static.
2. Select a static attack.
3. Configure the parameters, and click Set.

ID: (Read-only) The unique identifying number.
Attack Name: (Read-only) The name of this attack. The Attack Name is used when DoS Shield sends information about attack status changes.
Filter Name: (Read-only) The filter assigned to this attack.
Tracking Time: The time, in milliseconds, over which the Threshold is measured. When a number of packets greater than the threshold value passes through the device during this period, the device recognizes it as an attack. Value: 1000
Tracking Type: Specifies how the protection determines which traffic to block or drop when under attack.
   Drop All: Select this option when each packet of the defined attack is harmful, for example, Code Red and Nimda attacks.
   Source Count: Select this option when the defined attack is source-based, that is, the attack can be recognized by its source address, for example, a Horizontal Port Scan, where the hacker scans a certain application port (TCP or UDP) to detect which servers are available in the network.
   Target Count: Select this option when the defined attack is destination-based, meaning the hacker is attacking a specific destination such as a Web server, for example, Ping Flood and DDoS attacks.
   Source and Destination Count: Select this option when the attack is both source- and destination-based, that is, the hacker is attacking from a specific source IP to a specific destination IP address, for example, Port Scan attacks.
   landattack, fragments, ncpsdcan, dhcp, ftpbounce, bobo2k
   Sampling: Select this option when the defined attack is based on sampling, that is, a DoS Shield attack.

Action Mode: The action that the protection takes when an attack is detected.
   Report Only: The packet is forwarded to the defined destination.
   Drop: The packet is discarded.
   Reset Source: Sends a TCP Reset packet to the packet's source IP.
   Reset Destination: Sends a TCP Reset packet to the destination address.
   Reset BiDirectional: Sends a TCP Reset packet to both the packet's source IP and its destination IP.
   MM7: If the packet contains a threat, the device drops the message and sends an application-level error message to the server to remove the message from the queue and prevent a retransmission. The error message contains the Transaction ID, Content Length, and Message ID.
State: Enables or disables the attack. There are cases where you may need to temporarily disable an attack from a static group, for example, if you suspect that a certain attack introduces false positives and you want to disable only that attack. Setting the attack status to Disable means that the attack is disabled but not removed from the group.
Direction: A protection policy may contain attacks that should be searched for only in traffic from client to server, or only in traffic from server to client. To provide simple and efficient scanning configuration, you can set, per attack, the traffic direction for which it is relevant.
   Inbound: On traffic from policy Source to policy Destination
   Outbound: On traffic from policy Destination to policy Source
   In-Out Bound: On all traffic between policy Source and policy Destination
Suspend Action: Defines that for certain attacks, in addition to the action defined in the attack, the device also suspends traffic from the IP address that was the source of the attack, for a period of time.
   None: Suspend action is disabled for this attack.
   SrcIP: All traffic from the IP address identified as the source of this attack is suspended.
   SrcIP, DestIP: Traffic from the IP address identified as the source of this attack to the destination IP under attack is suspended.
   SrcIP, DestPort: Traffic from the IP address identified as the source of this attack to the application (destination port) under attack is suspended.
   SrcIP, DestIP, DestPort: Traffic from the IP address identified as the source of this attack to the destination IP and port under attack is suspended.
   SrcIP, DestIP, SrcPort, DestPort: Traffic from the IP address and port identified as the source of this attack to the destination IP and port under attack is suspended.

Active Threshold: When this threshold is exceeded, the status of the attack changes to Currently Active. This is only relevant when the Attack Status was configured as Dormant. The threshold is the maximum number of attack packets allowed in each Tracking Time unit; attack packets within that limit during the Tracking Time period are treated as legitimate traffic. When the value for Tracking Type is Drop All, the protection ignores this parameter.
Exclude Src: The source IP address or network whose packets the protection does not inspect.
Drop Threshold: After an attack has been detected, the device starts dropping excessive traffic only when this threshold is reached. This parameter is measured in PPS. When the value for Tracking Type is Drop All, the protection ignores this parameter.
Exclude Dest: The destination IP address or network whose packets the protection does not inspect.
Term Threshold: When the attack PPS rate drops below this threshold, the protection changes the attack from active mode to inactive mode. When the value for Tracking Type is Drop All, the protection ignores this parameter.
Packet Trace: Specifies whether the protection sends attack packets to the specified physical port.

User Attacks
The Attacks Database contains attacks provided by Check Point. You can add user-defined attacks to reflect the specific needs of your network, or edit the existing attacks. The Signature Protection User Attack Configuration window enables you to create attack parameters.

To create a user attack
1. Select DDoS Protector > DoS Signatures > Attacks > User.
2. Click Create.
3. Configure the parameters, and click Set.

ID: The unique identifying number.
Attack Name: The name of this attack. The Attack Name is used when DoS Shield sends information about attack status changes.
Filter Name: The filter assigned to this attack.

Tracking Time: The time, in milliseconds, over which the Threshold is measured. When a number of packets greater than the threshold value passes through the device during this period, the device recognizes it as an attack. Value: 1000
Tracking Type: Specifies how the protection determines which traffic to block or drop when under attack.
   Drop All: Select this option when each packet of the defined attack is harmful, for example, Code Red and Nimda attacks.
   Source Count: Select this option when the defined attack is source-based, that is, the attack can be recognized by its source address, for example, a Horizontal Port Scan, where the hacker scans a certain application port (TCP or UDP) to detect which servers are available in the network.
   Target Count: Select this option when the defined attack is destination-based, meaning the hacker is attacking a specific destination such as a Web server, for example, Ping Flood and DDoS attacks.
   Source and Destination Count: Select this option when the attack is both source- and destination-based, that is, the hacker is attacking from a specific source IP to a specific destination IP address, for example, Port Scan attacks.
   landattack, fragments, ncpsdcan, dhcp, ftpbounce, bobo2k
   Sampling: Select this option when the defined attack is based on sampling, that is, a DoS Shield attack.
   Default: Sampling
Action Mode: The action that the protection takes when an attack is detected.
   Report Only: The packet is forwarded to the defined destination.
   Drop: The packet is discarded.
   Reset Source: Sends a TCP Reset packet to the packet's source IP.
   Reset Destination: Sends a TCP Reset packet to the destination address.
   Reset BiDirectional: Sends a TCP Reset packet to both the packet's source IP and its destination IP.
   MM7: If the packet contains a threat, the device drops the message and sends an application-level error message to the server to remove the message from the queue and prevent a retransmission. The error message contains the Transaction ID, Content Length, and Message ID.
   Default: Drop

State: Enables or disables the attack. There are cases where you may need to temporarily disable an attack from a static group, for example, if you suspect that a certain attack introduces false positives and you want to disable only that attack. Setting the attack status to Disable means that the attack is disabled but not removed from the group. Default: Enable
Direction: A protection policy may contain attacks that should be searched for only in traffic from client to server, or only in traffic from server to client. To provide simple and efficient scanning configuration, you can set, per attack, the traffic direction for which it is relevant.
   In Bound: On traffic from policy Source to policy Destination
   Out Bound: On traffic from policy Destination to policy Source
   In-Out Bound: On all traffic between policy Source and policy Destination
Suspend Action: Defines that for certain attacks, in addition to the action defined in the attack, the device also suspends traffic from the IP address that was the source of the attack, for a period of time.
   None: Suspend action is disabled for this attack.
   SrcIP: All traffic from the IP address identified as the source of this attack is suspended.
   SrcIP, DestIP: Traffic from the IP address identified as the source of this attack to the destination IP under attack is suspended.
   SrcIP, DestPort: Traffic from the IP address identified as the source of this attack to the application (destination port) under attack is suspended.
   SrcIP, DestIP, DestPort: Traffic from the IP address identified as the source of this attack to the destination IP and port under attack is suspended.
   SrcIP, DestIP, SrcPort, DestPort: Traffic from the IP address and port identified as the source of this attack to the destination IP and port under attack is suspended.
   Default: None
Active Threshold: When this threshold is exceeded, the status of the attack changes to Currently Active. This is only relevant when the Attack Status was configured as Dormant. The threshold is the maximum number of attack packets allowed in each Tracking Time unit; attack packets within that limit during the Tracking Time period are treated as legitimate traffic. When the value for Tracking Type is Drop All, the protection ignores this parameter. Default: 50
Exclude Src: The source IP address or network whose packets the protection does not inspect. Default: None

Drop Threshold: After an attack has been detected, the device starts dropping excessive traffic only when this threshold is reached. This parameter is measured in PPS. When the value for Tracking Type is Drop All, the protection ignores this parameter. Default: 50
Exclude Dest: The destination IP address or network whose packets the protection does not inspect. Default: None
Term Threshold: When the attack PPS rate drops below this threshold, the protection changes the attack from active mode to inactive mode. When the value for Tracking Type is Drop All, the protection ignores this parameter. Default: 50
Packet Trace: Specifies whether the protection sends attack packets to the specified physical port. Default: disable

Exclude Attacks
Use the Signature Protection Attacks Excluded Addresses Configuration pane to exclude particular attacks from your network definitions.

To exclude signature protection attacks
1. Select DDoS Protector > DoS Signatures > Exclude Attacks.
2. Click Create.
3. Configure the parameters, and click Set.

Attack ID: The ID of the attack not to be included in the policy.
Attack Name: The name of the attack.
Source Network: The source IP address for the excluded attack.
Destination Network: The destination IP address for the excluded attack.
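The Tracking Time, Tracking Type and the Active, Drop and Term thresholds described for static and user attacks interact in a way that is clearer as a small simulation than as four separate table rows. The following Python is an added example for this page and not DDoS Protector's implementation: it keys packet counts by source, destination or both according to the Tracking Type, raises an attack to Currently Active when the count in one Tracking Time window exceeds the Active Threshold, drops packets above the Drop Threshold while active, and terminates the attack when a window ends below the Term Threshold. The device measures Drop and Term thresholds in PPS; this model approximates PPS as packets per Tracking Time window, which is an assumption. The burst of packets in the demo is constructed.

```python
from collections import defaultdict


class SignatureAttackTracker:
    """Constructed model of Tracking Time, Tracking Type and the Active, Drop and
    Term thresholds. Illustration only, not DDoS Protector's implementation: the
    device measures Drop/Term thresholds in PPS, approximated here as packets per
    Tracking Time window."""

    def __init__(self, tracking_type, tracking_time_ms=1000,
                 active_threshold=50, drop_threshold=50, term_threshold=50):
        self.tracking_type = tracking_type
        self.window_ms = tracking_time_ms
        self.active_threshold = active_threshold
        self.drop_threshold = drop_threshold
        self.term_threshold = term_threshold
        self.count = defaultdict(int)   # packets per key in the key's current window
        self.window = {}                # current window id per key
        self.active = set()             # keys whose status is Currently Active
        self.events = []                # (event, key, window) log for reporting

    def _key(self, src, dst):
        if self.tracking_type == "Source Count":
            return src
        if self.tracking_type == "Target Count":
            return dst
        if self.tracking_type == "Source and Destination Count":
            return (src, dst)
        raise ValueError("unknown Tracking Type: %s" % self.tracking_type)

    def process(self, ts_ms, src, dst) -> str:
        """Return 'drop' or 'forward' for one packet that matched the attack's filter."""
        if self.tracking_type == "Drop All":
            return "drop"               # every matching packet is harmful; thresholds ignored
        key = self._key(src, dst)
        win = ts_ms // self.window_ms
        if self.window.get(key) != win:
            # Window rolled over (evaluated lazily, on the key's next packet): the attack
            # terminates if the previous window's count fell below the Term Threshold.
            if key in self.active and self.count[key] < self.term_threshold:
                self.active.discard(key)
                self.events.append(("terminated", key, win))
            self.count[key] = 0
            self.window[key] = win
        self.count[key] += 1
        if key not in self.active and self.count[key] > self.active_threshold:
            self.active.add(key)        # Active Threshold exceeded within Tracking Time
            self.events.append(("active", key, win))
        if key in self.active and self.count[key] > self.drop_threshold:
            return "drop"               # excessive traffic above the Drop Threshold
        return "forward"


if __name__ == "__main__":
    tracker = SignatureAttackTracker("Source Count", active_threshold=5,
                                     drop_threshold=5, term_threshold=5)
    # Constructed burst: 8 packets from one source inside a single 1000 ms window.
    print([tracker.process(i * 10, "10.0.0.1", "192.0.2.10") for i in range(8)])
    print(tracker.events)
```

Two properties of the parameters show up directly in the model: a second source that sends only a few packets is never affected by the first source's attack under Source Count, because counts are kept per key, and the guide's statement that Drop All ignores all three thresholds is literally a short-circuit before any counting happens.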

Denial of Service

Behavioral DoS

Behavioral DoS: Global s
Behavioral DoS (Behavioral Denial of Service) Protection, which you can use in your network protection policy, defends your network from zero-day network-flood attacks. These attacks fill available network bandwidth with irrelevant traffic, denying use of network resources to legitimate users. The attacks originate in the public network and threaten Internet-connected organizations. The Behavioral DoS profiles detect traffic anomalies and prevent zero-day, unknown flood attacks by identifying the footprint of the anomalous traffic.
Network-flood protection types include:
   TCP floods, which include TCP FIN+ACK Flood, TCP Reset Flood, TCP SYN+ACK Flood, and TCP Fragmentation Flood
   UDP flood
   ICMP flood
   IGMP flood
Before you configure BDoS Protection profiles, enable BDoS Protection.
Note: Changing the setting of this parameter requires a reboot to take effect.

To enable Behavioral DoS
1. Select DDoS Protector > Behavioral DoS > Global s.
2. Select Enable from the drop-down list.

Advanced

Behavioral DoS Profiles Advanced
A Behavioral DoS profile defines the set of protocols for protection, which can then be assigned to the Behavioral DoS policy. Use the Behavioral DoS Profiles Advanced Configuration pane to configure Behavioral DoS profiles with advanced parameters, which include manual quota settings.
Recommended settings for policies that include Behavioral DoS profiles are as follows:
   Configure policies containing Behavioral DoS profiles using Networks with Source = Any (the public network) and Destination = Protected Network.
   It is recommended to create multiple Behavioral DoS rules, each one protecting a specific server segment (for example, a DNS server segment, Web server segments, Mail server segments, and so on). This ensures optimized learning of normal traffic baselines.
   It is not recommended to define a network with Source and Destination set to Any, because the device then collects statistics globally with no respect to inbound and outbound directions. This may result in lowered sensitivity in detecting attacks.
   When the Direction of a policy is set to One Way, the rule prevents incoming attacks only. When a rule's Direction is set to Two Way, the rule prevents both incoming and outgoing attacks. In both cases, traffic statistics are collected for incoming and outgoing patterns to achieve optimal detection.
Note: Check Point recommends that you initially leave the quota fields (for example, TCP In quota) empty so that the default values are used automatically. To view the default values after creating the profile, click the entry in the table. You can then adjust quota values based on your network performance. The total of the quota values may exceed 100%, as each value represents the maximum volume per protocol.

To configure a behavioral DoS profile with advanced parameters
1. Select DDoS Protector > Denial of Service > Behavioral DoS > Advanced > Profiles Configuration.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Profile Name: The user-defined name for the profile.
SYN Flood status: Specifies whether the profile protects against SYN Flood attacks. Default: inactive
TCP Reset Flood status: Specifies whether the profile protects against TCP Reset Flood attacks. Default: inactive
TCP FIN+ACK Flood status: Specifies whether the profile protects against TCP FIN+ACK Flood attacks. Default: inactive
TCP SYN+ACK Flood status: Specifies whether the profile protects against TCP SYN+ACK Flood attacks. Default: inactive
TCP Fragmented Flood status: Specifies whether the profile protects against TCP Fragmented Flood attacks. Default: inactive
UDP Flood status: Specifies whether the profile protects against UDP Flood attacks. Default: inactive
IGMP Flood status: Specifies whether the profile protects against IGMP Flood attacks. Default: inactive
ICMP Flood status: Specifies whether the profile protects against ICMP Flood attacks. Default: inactive
Configuration of the inbound traffic in [Kbit/Sec]: The highest expected volume of inbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings. 0-2,147,483,647. Caution: You must configure this setting to start Behavioral DoS protection.

Configuration of the outbound traffic in [Kbit/Sec]: The highest expected volume of outbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings. 0-2,147,483,647. Caution: You must configure this setting to start Behavioral DoS protection.
TCP In quota: The maximum expected percentage of inbound TCP traffic out of the total traffic.
UDP In quota: The maximum expected percentage of inbound UDP traffic out of the total traffic.
ICMP In quota: The maximum expected percentage of inbound ICMP traffic out of the total traffic.
IGMP In quota: The maximum expected percentage of inbound IGMP traffic out of the total traffic.
TCP Out quota: The maximum expected percentage of outbound TCP traffic out of the total traffic.
UDP Out quota: The maximum expected percentage of outbound UDP traffic out of the total traffic.
ICMP Out quota: The maximum expected percentage of outbound ICMP traffic out of the total traffic.
IGMP Out quota: The maximum expected percentage of outbound IGMP traffic out of the total traffic.
Transparent Optimization process: Specifies whether transparent optimization is enabled. Some network environments are more sensitive to dropped packets (for example, VoIP), so it is necessary to minimize the probability that legitimate traffic is dropped by the IPS device. This transparent optimization can occur during the BDoS closed-feedback iterations until a final footprint is generated. Note: When transparent optimization is enabled, the profile does not mitigate the attack until the final footprint is generated, which takes several seconds.
UDP packet rate detection sensitivity: Specifies to what extent the BDoS engine considers the UDP PPS-rate values (baseline and current). This parameter is relevant only for BDoS UDP protection. Disable, Low, Medium, High. Default: Low

Packet Trace Status: Specifies whether the profile sends attack packets to the specified physical port. Default: disable

Behavioral DoS Advanced: Global s
The Behavioral DoS Advanced Setting window enables you to set the Learning Response Period, upon which baselines are primarily weighted, as well as to enable the Sampling status and to define the strictness level of the Footprint.
Note: You must configure network flood protection separately for TCP floods, UDP floods, ICMP floods, and IGMP floods.

To set the behavioral DoS advanced settings
1. Select DDoS Protector > Behavioral DoS > Advanced > Global s.
2. Configure the parameters, and click Set.

Learning response period: The initial period from which baselines are primarily weighted. The default and recommended learning response period is one week. If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change more than 50% daily), set the learning response period to one month. Use a one-day period for testing purposes only. day, week, month. Default: Week
Sampling Status: Specifies whether the BDoS module uses traffic-statistics sampling during the creation phase of the BDoS footprint. When the BDoS module is trying to generate a real-time signature and there is a high rate of traffic, the device evaluates only a portion of the traffic. The BDoS module tunes the sampling factor automatically according to the traffic rate: it screens all traffic at low traffic rates (below 100K PPS) and only a portion of the traffic at higher rates (above 100K PPS). Default: enable. Note: For best performance, Check Point recommends that this parameter be enabled.
Footprint Strictness: When the Behavioral DoS module detects a new attack, it generates an attack footprint to block the attack traffic. If the Behavioral DoS module is unable to generate a footprint that meets the footprint-strictness condition, it issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint; however, higher strictness increases the probability that the device cannot generate a footprint.
   High: Enforces at least three Boolean ANDs and no Boolean OR values in the footprint. This level lowers the probability of false positives but increases the probability of false negatives.
   Medium: Enforces at least two Boolean ANDs and no more than two additional Boolean OR values in the footprint.
   Low: Allows any footprint suggested by the Behavioral DoS module. This level achieves the best attack blocking, but increases the probability of false positives.
Notes: DDoS Protector always considers the checksum field and the sequence number field as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered High Footprint Strictness. See the table below for examples of footprint strictness requirements.

Footprint Strictness Examples
Footprint Example                                   Strictness Level
                                                    Low    Medium    High
TTL                                                 Yes    No        No
TTL AND Packet Size                                 Yes    Yes       No
TTL AND Packet Size AND Destination Port            Yes    Yes       Yes

Behavioral DoS: Learning Reset
Use the Behavioral DoS Learning Reset pane to reset the learning period for specific policies or for all policies. Behavioral DoS protection learns traffic parameters from the transport layer of incoming packets and generates normative baselines for traffic. The Learning Period setting defines the period based upon which baselines are primarily weighted. When the baseline for the policy is reset, the baseline traffic statistics are cleared, and DDoS Protector immediately initiates a new learning period. Generally, this is done when the characteristics of the protected network have changed entirely and bandwidth quotas need to be changed to accommodate the network changes.

To reset the policy baseline
1. Select DDoS Protector > Behavioral DoS > Advanced > Learning Reset.
2. From the Reset Baseline For Policy drop-down list, select a policy or select All Policies.
3. Click Set.

Mitigation Configuration

Attack Termination Configuration
The DDoS Protector BDoS mechanism assigns various internally defined states to each protection (belonging to the BDoS policy and Protection Type).
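The Footprint Strictness rules and the example table above can be checked mechanically. The following Python is an added example for this page, not Check Point's code: it represents a footprint as a dictionary of field name to the list of values accepted for that field (several values for one field form a Boolean OR, and each field is one Boolean AND term, counted the way the table counts them), classifies the footprint into the highest level it satisfies, and decides whether a given configured strictness would block with it or only notify. Treating any footprint that contains a checksum or sequence number field as High, rather than only a footprint consisting solely of one, is an assumption; the field names and example values are constructed.

```python
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}
ALWAYS_HIGH_FIELDS = {"checksum", "sequence number"}


def footprint_strictness(footprint: dict) -> str:
    """Highest strictness level a footprint satisfies.
    footprint: {field name: [accepted values]}; each field is one AND term and
    every value beyond the first for a field is one additional OR value."""
    if ALWAYS_HIGH_FIELDS & {field.lower() for field in footprint}:
        return "High"          # assumption: checksum / sequence number always count as High
    and_terms = len(footprint)
    or_values = sum(len(values) - 1 for values in footprint.values())
    if and_terms >= 3 and or_values == 0:
        return "High"          # at least three ANDs, no OR
    if and_terms >= 2 and or_values <= 2:
        return "Medium"        # at least two ANDs, at most two additional ORs
    return "Low"               # any footprint is acceptable at Low


def footprint_accepted(footprint: dict, configured_strictness: str) -> bool:
    """True if the module would block with this footprint at the configured
    strictness; False means it would only issue a notification."""
    return LEVEL_RANK[footprint_strictness(footprint)] >= LEVEL_RANK[configured_strictness]


def strictness_table(examples: dict) -> list:
    """Rows of (name, Low, Medium, High) with Yes/No, mirroring the guide's table."""
    rows = []
    for name, footprint in examples.items():
        rank = LEVEL_RANK[footprint_strictness(footprint)]
        rows.append((name,) + tuple("Yes" if rank >= LEVEL_RANK[level] else "No"
                                    for level in ("Low", "Medium", "High")))
    return rows


# Constructed footprints reproducing the three rows of the guide's example table.
EXAMPLES = {
    "TTL": {"TTL": ["64"]},
    "TTL AND Packet Size": {"TTL": ["64"], "Packet Size": ["60"]},
    "TTL AND Packet Size AND Destination Port":
        {"TTL": ["64"], "Packet Size": ["60"], "Destination Port": ["53"]},
}

if __name__ == "__main__":
    for row in strictness_table(EXAMPLES):
        print("%-45s %-5s %-7s %s" % row)
```

The practical use is the trade-off the guide states in words: a footprint such as TTL in {64, 128} AND Packet Size AND Destination Port has three terms but one OR value, so it blocks at Medium yet only notifies at High, which is the false-negative cost of raising the strictness.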

The internally defined states for protections include the following:
Normal state
Analysis state (state 2)
Blocking state (state 6)
Anomaly state (state 3)
Non-strictness state (state 7)

Note: DDoS Protector assigns the Non-strictness state when it was not able to generate a DoS-attack footprint that meets the specified Footprint Strictness.

As soon as DDoS Protector detects anomalous traffic, the protection changes state from Normal to Analysis. By default, if DDoS Protector detects anomalous traffic for less than 10 seconds, the protection changes state back to Normal.

In a laboratory environment, it is possible to generate traffic that exhibits periodic behavior in terms of traffic volume. Such traffic in a test attack typically looks like a square-wave function. When such test attacks exhibit peaks and troughs of certain durations, DDoS Protector considers the attack to have ended (terminated) and switches back to the Normal state, never blocking the attack. The advanced mitigation interface for BDoS enables you to extend the pre-termination durations so that such traffic is blocked.

Note: In a production environment, highly orchestrated and synchronized attacks are unlikely, and the default values in a DDoS Protector device configuration are adequate.

To configure attack-termination criteria
1. Select DDoS Protector > Denial of Service > Behavioral DoS > Mitigation Configuration > Attack Termination Configuration.
2. Configure the parameters and click Set.

Stability Counter State 2
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Analysis state before the attack is considered terminated. DDoS Protector declares the attack to be terminated immediately when this value is 0.
  Values: 0-30
  Default: 0
Stability Counter State 6
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Blocking state before the attack is considered terminated. DDoS Protector declares the attack to be terminated immediately when this value is 0. There is no typical use case for reducing the value from the default.
  Values: 0-300
  Default: 10
Stability Counter State 3 and 7
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Anomaly state or the Non-strictness state before the attack is considered terminated. DDoS Protector declares the attack to be terminated immediately when this value is 0.
  Values: 0-300
  Default: 10
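The square-wave case above, as an added example that is not part of the guide: a small Python model of the Normal, Analysis and Blocking transitions driven by the Stability Counters (the same parameters appear again under DNS Protection later in this chapter). It assumes a per-second above/below-threshold signal in place of the hard-coded degree-of-attack threshold, a fixed 10-second Analysis-to-Blocking transition, and leaves the Anomaly and Non-strictness states and early blocking out.

```python
"""Toy simulation of the attack-termination state machine and its
Stability Counters (added example, not Check Point code).

Assumptions not stated in the guide:
  * the "degree of attack" versus the hard-coded threshold is reduced to one
    boolean per second: True = above threshold, False = below;
  * a protection moves from Analysis (state 2) to Blocking (state 6) after
    10 consecutive seconds in Analysis, the default footprint time the guide
    mentions; early blocking is not modelled;
  * the Anomaly and Non-strictness states (3 and 7) are not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NORMAL, ANALYSIS, BLOCKING = "Normal", "Analysis (2)", "Blocking (6)"
FOOTPRINT_SECONDS = 10  # assumed: default time before Analysis -> Blocking


@dataclass
class TerminationConfig:
    """Attack Termination Configuration parameters and their guide defaults."""
    stability_state2: int = 0   # Analysis state, valid range 0-30
    stability_state6: int = 10  # Blocking state, valid range 0-300

    def validate(self) -> None:
        if not 0 <= self.stability_state2 <= 30:
            raise ValueError("Stability Counter State 2 must be 0-30")
        if not 0 <= self.stability_state6 <= 300:
            raise ValueError("Stability Counter State 6 must be 0-300")


@dataclass
class Protection:
    cfg: TerminationConfig
    state: str = NORMAL
    seconds_in_analysis: int = 0   # consecutive seconds spent in Analysis
    quiet: int = 0                 # consecutive seconds below the threshold

    def _enter(self, new_state: str) -> None:
        self.state = new_state
        self.quiet = 0
        self.seconds_in_analysis = 1 if new_state == ANALYSIS else 0

    def _terminated(self, counter: int) -> bool:
        # A counter of 0 terminates on the first quiet second; otherwise the
        # degree of attack must stay below the threshold for `counter` seconds.
        return self.quiet > 0 and self.quiet >= counter

    def tick(self, above_threshold: bool) -> str:
        """Advance the protection by one second and return the new state."""
        if self.state == NORMAL:
            if above_threshold:
                self._enter(ANALYSIS)
        elif self.state == ANALYSIS:
            self.seconds_in_analysis += 1
            self.quiet = 0 if above_threshold else self.quiet + 1
            if self._terminated(self.cfg.stability_state2):
                self._enter(NORMAL)          # attack declared terminated
            elif self.seconds_in_analysis >= FOOTPRINT_SECONDS:
                self._enter(BLOCKING)        # footprint ready, start blocking
        else:  # BLOCKING
            self.quiet = 0 if above_threshold else self.quiet + 1
            if self._terminated(self.cfg.stability_state6):
                self._enter(NORMAL)
        return self.state


def square_wave(on: int, off: int, seconds: int) -> List[bool]:
    """Constructed lab-style traffic: `on` seconds above threshold, `off` below."""
    return [(t % (on + off)) < on for t in range(seconds)]


def simulate(cfg: TerminationConfig, traffic: List[bool]) -> List[Tuple[int, str]]:
    """Run the protection over per-second samples; returns (second, state)."""
    cfg.validate()
    protection = Protection(cfg)
    return [(t, protection.tick(above)) for t, above in enumerate(traffic)]


def first_blocking_second(cfg: TerminationConfig, traffic: List[bool]) -> Optional[int]:
    """Second at which the protection first reaches Blocking, or None if never."""
    for t, state in simulate(cfg, traffic):
        if state == BLOCKING:
            return t
    return None


if __name__ == "__main__":
    wave = square_wave(on=6, off=2, seconds=40)
    for counter in (0, 2, 3):   # counter must exceed the trough length (2 s)
        cfg = TerminationConfig(stability_state2=counter)
        print(f"Stability Counter State 2 = {counter}: blocking at",
              first_blocking_second(cfg, wave))
```

With the default counter of 0 (and with 2, equal to the trough length) the 6-on/2-off wave is terminated at every trough and never blocked; with 3 the protection stays in Analysis through the trough and reaches Blocking at second 9.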

Packet Header Field Selection

If the value in the Any Packet Header Field drop-down list in the Early Blocking Configuration Update window is false, you can select specific packet-header fields for early blocking of DoS traffic.

Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.

To select packet-header fields for early blocking of DNS DoS traffic
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Packet Header Fields Selection.
2. Select the protection type next to the relevant packet-header field.
3. From the Early Detection Condition drop-down list, select one of the following:
   yes  DDoS Protector must detect this field to generate a footprint in less than 10 seconds.
   no   DDoS Protector can use this field in the footprint, but it is not enough for early blocking.
4. Click Set.

Early Blocking Configuration

In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start blocking as soon as possible even if accuracy is compromised. Using Early Blocking of DoS Traffic (configuring thresholds for generating DoS-attack footprints), you can shorten the Analysis state and start blocking the relevant traffic.

Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.

To configure early blocking of DNS DoS traffic
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Early Blocking Configuration.
2. Select the Protection type you want to configure for early blocking.
3. Configure the parameters and click Set.

Any Packet Header Field
  Specifies the parameters according to which the device blocks DoS traffic early.
  true   The device blocks DoS traffic early based on the specified number-of-packet-header-fields and number-of-packet-header-field-values thresholds.
  false  The device blocks DoS traffic early based on the fields as displayed in the Packet Header Fields Selection window.
Any Packet Header Field threshold
  The number of anomalous packet-header fields that the device must detect to generate a footprint and change to the Blocking state before the default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.)
  Values: 1-20
  Default (per protection): ICMP 17, IGMP 16, TCP-ACK-FIN 17, TCP-FRAG 17, TCP-RST 17, TCP-SYN 17, TCP-SYN-ACK 17, UDP 20
Packet Header Field Values
  The number of anomalous packet-header-field values that the device must detect to generate a footprint and change to the Blocking state.
  Values: 1-500
  Default: 500

Behavioral DoS Footprint Bypass

You can define footprint bypass types and values that will not be used as part of a real-time signature. These types and values are not used in OR or AND operations within the blocking rule (real-time signature), even when the protection engine suggests that the traffic is a real-time signature candidate.

To configure footprint bypass
1. Select DDoS Protector > Behavioral DoS > Advanced > Footprint Bypass.
2. Select the link in the relevant row.
3. Configure the parameters, and click Set.

Controller
  (Read-only) The attack protection for which you are configuring footprint bypass.
Bypass Field
  (Read-only) The bypass type to configure.
Bypass Status
  The bypass option.
  Bypass  The Behavioral DoS module bypasses all possible values of the selected Bypass Field when generating a footprint.
  Accept  The Behavioral DoS module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.
Bypass Values
  If the value of the Bypass Status parameter is Accept, the Behavioral DoS mechanism does not use the specified Bypass Values of the selected Bypass Field when generating the footprint. The valid Bypass Values vary according to the selected Bypass Field. Multiple values in the Bypass Values field must be comma-delimited.

Behavioral DoS Profiles

A Behavioral DoS profile defines the set of protocols for protection, which can then be assigned to the Behavioral DoS policy. Use the Behavioral DoS Profiles pane to configure Behavioral DoS profiles with basic parameters.

Recommended settings for policies that include Behavioral DoS profiles are as follows:
- Configure policies containing Behavioral DoS profiles using Networks with source = Any (the public network) and destination = Protected Network.
- It is recommended to create multiple Behavioral DoS rules, each one protecting a specific server segment (for example, a DNS servers segment, Web server segments, Mail servers segments, and so on). This assures optimized learning of normal traffic baselines.
- It is not recommended to define a network with the Source and Destination set to Any, because the device then collects statistics globally with no respect to inbound and outbound directions. This may result in lowered sensitivity to detecting attacks.
- When the Direction of a policy is set to One Way, the rule prevents incoming attacks only. When a rule's Direction is set to Two Way, the rule prevents both incoming and outgoing attacks. In both cases, the traffic statistics are collected for incoming and outgoing patterns to achieve optimal detection.

To configure a behavioral DoS profile with basic parameters
1. Select DDoS Protector > Denial of Service > Behavioral DoS > Behavioral DoS Profiles.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Profile Name
  The user-defined name for the profile.
SYN Flood status
  Specifies whether the profile protects against SYN Flood attacks.
  Default: inactive
TCP Reset Flood status
  Specifies whether the profile protects against TCP Reset Flood attacks.
  Default: inactive
TCP FIN+ACK Flood status
  Specifies whether the profile protects against TCP FIN+ACK Flood attacks.
  Default: inactive
TCP SYN+ACK Flood status
  Specifies whether the profile protects against TCP SYN+ACK Flood attacks.
  Default: inactive
TCP Fragmented Flood status
  Specifies whether the profile protects against TCP Fragmented Flood attacks.
  Default: inactive
UDP Flood status
  Specifies whether the profile protects against UDP Flood attacks.
  Default: inactive
IGMP Flood status
  Specifies whether the profile protects against IGMP Flood attacks.
  Default: inactive
ICMP Flood status
  Specifies whether the profile protects against ICMP Flood attacks.
  Default: inactive
Configuration of the inbound traffic in [Kbit/Sec]
  The highest expected volume of inbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings.
  Values: 0-2,147,483,647
  Caution: You must configure this setting to start Behavioral DoS protection.
Configuration of the outbound traffic in [Kbit/Sec]
  The highest expected volume of outbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings.
  Values: 0-2,147,483,647
  Caution: You must configure this setting to start Behavioral DoS protection.
Packet Trace Status
  Specifies whether the profile sends attack packets to the specified physical port.
  Default: disable

DNS Protection

DNS Protection Global Settings

DNS Flood Protection, which you can use in your network-protection policy, defends your network from zero-day DNS-flood attacks. These attacks fill the available DNS bandwidth with irrelevant traffic, denying legitimate users DNS lookups. The attacks originate in the public network and threaten Internet-connected organizations. The DNS Flood profiles detect traffic anomalies and prevent zero-day, unknown DNS flood attacks by identifying the footprint of the anomalous traffic.

DNS Flood Protection types can include the following DNS query types: A, MX, PTR, AAAA, Text, SOA, NAPTR, SRV, Other.

DNS Flood Protection can detect statistical anomalies in DNS traffic and generate an accurate attack footprint based on heuristic protocol-information analysis. This ensures accurate attack filtering with minimal risk of false positives. The default average time for a new signature creation is between 10 and 18 seconds. This is a relatively short time, because flood attacks can last for minutes and sometimes hours.

Before you configure DNS Flood Protection profiles, ensure that DNS Flood Protection is enabled. You can also change the default global device settings for DNS Flood Protection. The DNS Flood Protection global settings apply to all the network-protection policy rules with DNS Flood profiles on the device.

Note: Changing the setting of this parameter requires a reboot to take effect.

To enable DNS Protection
1. Select DDoS Protector > Denial of Service > DNS Protection > Global Settings.
2. Select enable from the drop-down list.
3. Click Set.

Advanced

DNS Protection Advanced Profiles

Use the DNS Protection Advanced Profiles pane to configure DNS-Flood Protection profiles with advanced parameters. DDoS Protector uses the bandwidth and quota values to derive a baseline for normal inbound and outbound traffic.

DNS Protection profiles can be used only in one-way policies. It is recommended to configure policies that include DNS Protection profiles using Networks with source = Any (the public network) and destination = Protected Network.

Note: Check Point recommends that you initially leave the quota fields (for example, DNS A quota) as they are, so that the default values are used automatically. To view the default values after creating the profile, click the entry in the table. You can then adjust the quota values based on your network performance.

The total of the quota values may exceed 100%, as each value represents the maximum volume per protocol.

To configure a DNS Protection profile with advanced parameters
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Profiles Configuration.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Profile Name
  The user-defined name for the profile.
Expected QPS
  The expected rate, in queries per second, of DNS queries.
DNS A Flood status
  Specifies whether this profile protects against DNS A Flood attacks.
  Values: inactive, active
  Default: inactive
DNS A quota
  The maximum expected percentage of DNS A traffic out of the total DNS traffic.
DNS MX Flood status
  Specifies whether this profile protects against DNS MX Flood attacks.
  Values: inactive, active
  Default: inactive
DNS MX quota
  The maximum expected percentage of DNS MX traffic out of the total DNS traffic.
DNS PTR Flood status
  Specifies whether this profile protects against DNS PTR Flood attacks.
  Values: inactive, active
  Default: inactive
DNS PTR quota
  The maximum expected percentage of DNS PTR traffic out of the total DNS traffic.
DNS AAAA Flood status
  Specifies whether this profile protects against DNS AAAA Flood attacks.
  Values: inactive, active
  Default: inactive
DNS AAAA quota
  The maximum expected percentage of DNS AAAA traffic out of the total DNS traffic.
DNS TEXT Flood status
  Specifies whether this profile protects against DNS TEXT Flood attacks.
  Values: inactive, active
  Default: inactive
DNS TEXT quota
  The maximum expected percentage of DNS TEXT traffic out of the total DNS traffic.
DNS SOA Flood status
  Specifies whether this profile protects against DNS SOA Flood attacks.
  Values: inactive, active
  Default: inactive
DNS SOA quota
  The maximum expected percentage of DNS SOA traffic out of the total DNS traffic.
DNS NAPTR Flood status
  Specifies whether this profile protects against DNS NAPTR Flood attacks.
  Values: inactive, active
  Default: inactive
DNS NAPTR quota
  The maximum expected percentage of DNS NAPTR traffic out of the total DNS traffic.
DNS SRV Flood status
  Specifies whether this profile protects against DNS SRV Flood attacks.
  Values: inactive, active
  Default: inactive
DNS SRV quota
  The maximum expected percentage of DNS SRV traffic out of the total DNS traffic.
DNS OTHER Flood status
  Specifies whether this profile protects against DNS OTHER Flood attacks.
  Values: inactive, active
  Default: inactive
DNS OTHER quota
  The maximum expected percentage of other DNS traffic (that is, not A, MX, AAAA, TEXT, SOA, NAPTR, or SRV) out of the total DNS traffic.
Max Allowed QPS
  The maximum allowed rate of DNS queries per second.
  Values: 0-4,000,000
  Default: 0
  Note: When Manual Triggers Status is set to enable, the Manual Triggers Max QPS Target value overrides this value.
Signature Rate limit Target
  The percentage of the DNS traffic matching the real-time signature, above the baseline, that the profile will not mitigate.
  Values: 0-100
  Default: 0
Packet Trace Status
  Specifies whether the DDoS Protector device sends attack packets to the specified physical port.
  Default: disable
Action
  The action that the profile takes on DNS traffic during an attack.
  Values: Block and Report, Report Only
  Default: Block and Report
Manual Triggers Status
  Specifies whether the profile uses user-defined DNS QPS thresholds instead of the learned baselines.
  Default: disable
Manual Triggers Activation Threshold
  The minimum number of queries per second, after the specified Activation Period, on a single connection that causes the device to consider there to be an attack. When the device detects an attack, it issues an appropriate alert and drops the DNS packets that exceed the threshold. Packets that do not exceed the threshold bypass the DDoS Protector device.
  Values: 0-4,000,000
  Default: 0
Manual Triggers Termination Threshold
  The maximum number of queries per second, after the specified Termination Period, on a single connection that causes the device to consider the attack to have ended.
  Values: 0-4,000,000
  Default: 0
  Note: The Termination Threshold must be less than or equal to the Activation Threshold.
Manual Triggers Max QPS Target
  The maximum allowed rate of DNS queries per second.
  Values: 0-4,000,000
  Default: 0
Manual Triggers Activation Period
  The number of consecutive seconds during which the DNS traffic on a single connection exceeds the Activation Threshold, which causes the device to consider there to be an attack.
  Values: 0-30
  Default: 3
Manual Triggers Termination Period
  The time, in seconds, during which the DNS traffic on a single connection is continuously below the Termination Threshold, which causes the device to consider the attack to have ended.
  Values: 0-30
  Default: 3
Manual Triggers Escalation Period
  The time, in seconds, that the device waits before escalating to the next specified Mitigation Action.
  Values: 0-30
  Default: 3
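The Manual Triggers parameters modelled as a hysteresis detector and run over a constructed per-second QPS series, as an added example that is not Check Point code. Two points the guide does not spell out are assumptions here: while an attack is active the model forwards at most Activation Threshold QPS and drops the excess, and the attack is declared on the second in which the Activation Period is reached.

```python
"""Toy model of the DNS Protection Manual Triggers thresholds and periods
(added example, not Check Point code).

Assumptions beyond the guide text: "exceeds" the Activation Threshold is
strictly greater, "below" the Termination Threshold is strictly less, the
attack is declared on the second the Activation Period is reached, and while
an attack is active at most Activation Threshold QPS are forwarded.
"""
from dataclasses import dataclass
from typing import List, Tuple

QPS_MAX = 4_000_000   # upper bound of the threshold parameters in the guide
PERIOD_MAX = 30       # upper bound of the period parameters in the guide


@dataclass
class ManualTriggers:
    activation_threshold: int = 0   # QPS; guide default 0
    termination_threshold: int = 0  # QPS; guide default 0; must be <= activation
    activation_period: int = 3      # consecutive seconds above; guide default 3
    termination_period: int = 3     # consecutive seconds below; guide default 3

    def validate(self) -> None:
        for name in ("activation_threshold", "termination_threshold"):
            if not 0 <= getattr(self, name) <= QPS_MAX:
                raise ValueError(f"{name} must be 0-{QPS_MAX}")
        for name in ("activation_period", "termination_period"):
            if not 0 <= getattr(self, name) <= PERIOD_MAX:
                raise ValueError(f"{name} must be 0-{PERIOD_MAX}")
        if self.termination_threshold > self.activation_threshold:
            raise ValueError("Termination Threshold must be <= Activation Threshold")


def run(cfg: ManualTriggers, qps: List[int]) -> List[Tuple[int, bool, int]]:
    """Return (second, attack_active, forwarded_qps) for each QPS sample."""
    cfg.validate()
    attack = False
    above = below = 0          # consecutive-second counters
    out = []
    for t, rate in enumerate(qps):
        if not attack:
            above = above + 1 if rate > cfg.activation_threshold else 0
            if above and above >= cfg.activation_period:   # Activation Period reached
                attack, below = True, 0
        else:
            below = below + 1 if rate < cfg.termination_threshold else 0
            if below and below >= cfg.termination_period:  # Termination Period reached
                attack, above = False, 0
        # Assumed drop policy: excess over the Activation Threshold is dropped
        # only while an attack is considered active.
        forwarded = min(rate, cfg.activation_threshold) if attack else rate
        out.append((t, attack, forwarded))
    return out


def attack_intervals(cfg: ManualTriggers, qps: List[int]) -> List[Tuple[int, int]]:
    """(start, end) seconds during which an attack was considered active."""
    intervals, start = [], None
    for t, active, _ in run(cfg, qps):
        if active and start is None:
            start = t
        elif not active and start is not None:
            intervals.append((start, t - 1))
            start = None
    if start is not None:
        intervals.append((start, len(qps) - 1))
    return intervals


# Constructed per-second QPS series: a burst climbs above the Activation
# Threshold, then tails off through the band between the two thresholds.
SAMPLE_QPS = [1000, 1500, 6000, 7000, 8000, 9000, 3000, 1000, 1000, 1000, 1200]
SAMPLE_CFG = ManualTriggers(activation_threshold=5000, termination_threshold=2000)

if __name__ == "__main__":
    for t, active, fwd in run(SAMPLE_CFG, SAMPLE_QPS):
        print(f"t={t:2d} qps={SAMPLE_QPS[t]:5d} attack={active!s:5} forwarded={fwd}")
    print("attack intervals:", attack_intervals(SAMPLE_CFG, SAMPLE_QPS))
```

Second 6 (3000 QPS) sits between the two thresholds: the attack stays active, nothing is dropped, and the termination counter does not start until the rate drops below 2000 for three consecutive seconds.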

DNS Protection Advanced Global Settings

The DNS Protection Advanced Settings window enables you to set the learning response period upon which baselines are primarily weighted, to enable traffic-statistics sampling, and to define the severity level of the footprint.

To configure the DNS Protection advanced global parameters
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Global Settings.
2. Configure the parameters, and click Set.

Learning Response Period
  The initial period from which baselines are primarily weighted. The default and recommended learning response period is one week. If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change more than 50% daily), set the learning response period to one month. Use a one-day period for testing purposes only.
  Values: day, week, month
  Default: week
Sampling Status
  Specifies whether the DNS Flood Protection module uses traffic-statistics sampling during the creation phase of the footprint.
  enable   Traffic statistics are aggregated through a sampling algorithm, which improves the overall performance of the DNS Flood Protection module. Although the decision engine is tuned according to the sampling error, the chances of false-positive decisions are increased.
  disable  Traffic statistics are aggregated without sampling.
  Default: enable
Footprint Strictness
  When the DNS Flood Protection module detects a new attack, the module generates an attack footprint to block the attack traffic. If the module is unable to generate a footprint that meets the footprint-strictness condition, the module issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint. However, higher strictness increases the probability that the module cannot generate a footprint.
  high    Enforces at least three Boolean ANDs and no other Boolean OR value in the footprint. This level lowers the probability of false positives but increases the probability of false negatives.
  medium  Enforces at least two Boolean ANDs and no more than two additional Boolean OR values in the footprint.
  low     Allows any footprint suggested by the DNS Flood Protection module. This level achieves the best attack blocking, but increases the probability of false positives.
  The DNS Flood Protection module always considers the checksum field and the sequence number fields as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered as High Footprint Strictness. See the table below for examples of footprint strictness requirements.

Footprint Strictness Examples

Footprint Example                        Low   Medium   High
DNS Query                                Yes   No       No
DNS Query AND DNS ID                     Yes   Yes      No
DNS Query AND DNS ID AND Packet Size     Yes   Yes      Yes

DNS Protection Learning Reset

Use the DNS Protection Learning Reset pane to reset the learning period for specific policies or for all policies. DNS Flood protection learns traffic parameters from the transport layer of incoming packets and generates normative baselines for traffic. The Learning Period setting defines the period based upon which baselines are primarily weighted. When the baseline for a policy is reset, the baseline traffic statistics are cleared, and DDoS Protector immediately initiates a new learning period. Generally, this is done when the characteristics of the protected network have changed entirely and bandwidth quotas need to be changed to accommodate the network changes.

To reset the policy baseline
1. Select DDoS Protector > Behavioral DoS > Advanced > Learning Reset.
2. From the Reset Baseline For Policy drop-down list, select a policy or select All Policies.
3. Click Set.

Mitigation Configuration

Attack Termination Configuration

The DNS Protection mechanism assigns various internally defined states to each protection (belonging to the DNS protection policy and protection type). The internally defined states for protections include the following:
Normal state
Analysis state (state 2)
Blocking state (state 6)
Anomaly state (state 3)

As soon as DDoS Protector detects anomalous traffic, the protection changes state from Normal to Analysis. By default, if DDoS Protector detects anomalous traffic for less than 10 seconds, the protection changes state back to Normal.

In a laboratory environment, it is possible to generate traffic that exhibits periodic behavior in terms of traffic volume. Such traffic in a test attack typically looks like a square-wave function. When such test attacks exhibit peaks and troughs of certain durations, DDoS Protector considers the attack to have ended (terminated) and switches back to the Normal state, never blocking the attack. The advanced mitigation interface enables you to extend the pre-termination durations so that such traffic is blocked.

Note: In a production environment, highly orchestrated and synchronized attacks are unlikely, and the default values in a DDoS Protector device configuration are adequate.

To configure attack-termination criteria
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Attack Termination Configuration.
2. Configure the parameters and click Set.

Stability Counter State 2
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Analysis state before the attack is considered terminated. DDoS Protector declares the attack to be terminated immediately when this value is 0.
  Values: 0-30
  Default: 0
Stability Counter State 6
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Blocking state before the attack is considered terminated. DDoS Protector declares the attack to be terminated immediately when this value is 0. There is no typical use case for reducing the value from the default.
  Values: 0-300
  Default: 10
Stability Counter State 3
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Anomaly state before the attack is considered terminated. DDoS Protector declares the attack to be terminated immediately when this value is 0.
  Values: 0-300
  Default: 10

Methods

When the protection is enabled and the device detects that a DNS-flood attack has started, the device implements the Mitigation Actions in escalating order, in the order in which they appear in the group box. If the first enabled Mitigation Action does not mitigate the attack satisfactorily (after a certain Escalation Period), the device implements the next, more severe enabled Mitigation Action, and so on. As the most severe Mitigation Action, the device always implements the Collective Rate Limit, which limits the rate of all DNS queries to the protected server.

To configure DNS Protection mitigation methods
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Methods.
2. Configure the parameters and click Set.

Signature challenge mitigation status
  Specifies whether the device challenges suspect DNS queries that match the real-time signature.
  Default: enable
  Note: DDoS Protector challenges only A and AAAA query types.
Signature rate-limit mitigation status
  Specifies whether the device limits the rate of DNS queries that match the real-time signature.
  Default: enable
Collective challenge mitigation status
  Specifies whether the device challenges all unauthenticated DNS queries to the protected server.
  Default: enable
  Note: DDoS Protector challenges only A and AAAA query types.
Collective rate-limit mitigation status
  (Read-only) The device limits the rate of all DNS queries to the protected server.
  Value: enable

Packet Header Field Selection

If the value in the Any Packet Header Field drop-down list in the Early Blocking Configuration Update window is false, you can select specific packet-header fields for early blocking of DoS traffic.

Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.

To select packet-header fields for early blocking of DNS DoS traffic
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Packet Header Fields Selection.
2. Select the protection type next to the relevant packet-header field.
3. From the Early Detection Condition drop-down list, select one of the following:
   yes  DDoS Protector must detect this field to generate a footprint in less than 10 seconds.
   no   DDoS Protector can use this field in the footprint, but it is not enough for early blocking.
4. Click Set.

Early Blocking Configuration

In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start blocking as soon as possible even if accuracy is compromised. Using Early Blocking of DoS Traffic (configuring thresholds for generating DoS-attack footprints), you can shorten the Analysis state and start blocking the relevant traffic.

Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.

To configure early blocking of DNS DoS traffic
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Early Blocking Configuration.
2. Select the Protection type you want to configure for early blocking.
3. Configure the parameters and click Set.

Any Packet Header Field
  Specifies the parameters according to which the device blocks DoS traffic early.
  true   The device blocks DoS traffic early based on the specified number-of-packet-header-fields and number-of-packet-header-field-values thresholds.
  false  The device blocks DoS traffic early based on the fields as displayed in the Packet Header Fields Selection window.
Any Packet Header Field threshold
  The number of anomalous packet-header fields that the device must detect to generate a footprint and change to the Blocking state before the default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.)
  Values: 1-20
  Default (per protection): ICMP 17, IGMP 16, TCP-ACK-FIN 17, TCP-FRAG 17, TCP-RST 17, TCP-SYN 17, TCP-SYN-ACK 17, UDP 20
Packet Header Field Values
  The number of anomalous packet-header-field values that the device must detect to generate a footprint and change to the Blocking state.
  Values: 1-500
  Default: 500

SDM Challenge Response Configuration

To configure SDM challenge response
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > SDM.
2. Configure the parameter and click Set.

SDM Protocol Compliance Checks Status
  Specifies whether the device checks each DNS query for DNS protocol compliance and drops the non-compliant queries.
  Default: disable

DNS Footprint Bypass

You can define footprint bypass types and values that will not be used as part of a real-time signature. These types and values are not used in OR or AND operations within the blocking rule (real-time signature), even when the protection engine suggests that the traffic is a real-time signature candidate.

To configure DNS footprint bypass
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Footprint Bypass.
2. Click the controller name of the DNS query type for which you want to configure footprint bypass.
3. Configure the parameters and click Set.

Controller
  (Read-only) The selected DNS query type for which you are configuring footprint bypass.
Bypass Field
  (Read-only) The selected Bypass Field to configure.
Bypass Status
  The bypass option.
  bypass  The DNS Flood Protection module bypasses all possible values of the selected Bypass Field when generating a footprint.
  accept  The DNS Flood Protection module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.
Bypass Values
  Used if the value of the Bypass Status parameter is accept. DNS Flood Protection bypasses only the listed values of the selected Bypass Field, while it may use all other values. The valid values vary according to the selected Bypass Field. Multiple values in the field must be comma-delimited.
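Footprint Bypass applied to a candidate real-time signature and the result checked against Footprint Strictness, as one added example covering the Footprint Strictness descriptions in the Behavioral DoS and DNS Protection Advanced Global Settings and both Footprint Bypass sections (not Check Point code). The field names and values are constructed, and counting Medium's "additional Boolean OR values" across all terms of the footprint is an interpretation of the guide's wording.

```python
"""Footprint Bypass followed by the Footprint Strictness check
(added example, not Check Point code).

A footprint is modelled as a Boolean AND of terms; each term is one header
field with a set of accepted values, and a set with more than one value is a
Boolean OR of those values. Assumption: Medium's "no more than two additional
Boolean OR values" counts, over all terms, the values beyond the first in
each term. Field names below are placeholders, not the device's own names.
"""
from typing import Dict, List, Optional, Set, Tuple

Term = Tuple[str, Set]                                # (field, values)
Footprint = List[Term]                                # AND of terms
BypassConfig = Dict[str, Tuple[str, Optional[Set]]]   # field -> (status, values)

LEVELS = ("low", "medium", "high")
# Fields the guide always treats as High Footprint Strictness fields.
HIGH_STRICTNESS_FIELDS = {"checksum", "sequence_number"}


def apply_bypass(candidate: Footprint, bypass: BypassConfig) -> Footprint:
    """Drop bypassed fields/values so they never enter the real-time signature."""
    result: Footprint = []
    for field, values in candidate:
        status, bypass_values = bypass.get(field, ("none", None))
        if status == "bypass":                 # all values of this field bypassed
            continue
        if status == "accept":                 # only the listed values bypassed
            values = values - (bypass_values or set())
            if not values:
                continue
        result.append((field, set(values)))
    return result


def strictness_levels(fp: Footprint) -> Set[str]:
    """Strictness levels under which this footprint may be used for blocking."""
    if not fp:
        return set()
    if all(field in HIGH_STRICTNESS_FIELDS for field, _ in fp):
        return set(LEVELS)                     # checksum / sequence-number rule
    and_terms = len(fp)
    or_values = sum(len(values) - 1 for _, values in fp)
    levels = {"low"}                           # Low accepts any footprint
    if and_terms >= 2 and or_values <= 2:
        levels.add("medium")
    if and_terms >= 3 and or_values == 0:
        levels.add("high")
    return levels


def decide(candidate: Footprint, bypass: BypassConfig, configured: str) -> str:
    """'block' when a footprint meeting the configured strictness survives the
    bypass rules; otherwise 'notify-only' (attack reported, not blocked)."""
    return "block" if configured in strictness_levels(apply_bypass(candidate, bypass)) else "notify-only"


# Constructed DNS candidate mirroring the guide's DNS strictness table.
QUERY: Term = ("dns_query", {"example.test"})
DNS_ID: Term = ("dns_id", {0x1A2B})
SIZE: Term = ("packet_size", {64})
CANDIDATE: Footprint = [QUERY, DNS_ID, ("packet_size", {64, 128})]
# Constructed bypass settings: bypass DNS ID entirely, accept packet size 64.
BYPASS: BypassConfig = {"dns_id": ("bypass", None), "packet_size": ("accept", {64})}

if __name__ == "__main__":
    for fp in ([QUERY], [QUERY, DNS_ID], [QUERY, DNS_ID, SIZE]):
        print([f for f, _ in fp], "->", sorted(strictness_levels(fp)))
    print("after bypass:", apply_bypass(CANDIDATE, BYPASS))
    for level in LEVELS:
        print(level, "->", decide(CANDIDATE, BYPASS, level))
```

After the bypass rules the candidate shrinks to DNS Query AND Packet Size (128 only), which satisfies low and medium but not high, so a profile set to high would report this attack without blocking it.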

Configuring DDoS Protector s DNS Protection Profile Use the DNS Protection Profiles pane to configure DNS-Flood Protection profiles with basic parameters. DDoS Protector uses the bandwidth and quota values to derive a baseline for normal inbound and outbound traffic. DNS Protection profiles can be used only in one-way policies. It is recommended to configure policies that include DNS Protection profiles using Networks with source = Any, the public network, and destination = Protected Network. Note: Check Point recommends that you initially leave the quota fields (for example, DNS A quota) so that the default values will automatically be used. To view default values after creating the profile, click the entry in the table. You can then adjust quota values based on your network performance. The total quota values may exceed 100%, as each value represents the maximum volume per protocol. To configure a DNS Protection profile with basic parameters 1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Profiles Configuration. 2. Do one of the following: To add an entry, click Create. To edit an entry, click the entry link in the table. 3. Configure the parameters, and click Set. Profile Name Expected QPS DNS A Flood status DNS A quota DNS MX Flood status DNS MX quota DNS PTR Flood status The user-defined name for the profile. The expected rate, in queries per second, of DNS queries. Specifies whether this profile protects against DNS A Flood attacks. inactive, active Default: inactive The maximum expected percentage of DNS A traffic out of the total DNS traffic. Specifies whether this profile protects against DNS MX Flood attacks. inactive, active Default: inactive The maximum expected percentage of DNS MX traffic out of the total DNS traffic. Specifies whether this profile protects against DNS PTR Flood attacks. inactive, active Default: inactive DDoS Protector Web Based Management User Guide 69

DNS PTR quota
  The maximum expected percentage of DNS PTR traffic out of the total DNS traffic.

DNS AAAA Flood status
  Specifies whether this profile protects against DNS AAAA Flood attacks.
  Values: inactive, active
  Default: inactive

DNS AAAA quota
  The maximum expected percentage of DNS AAAA traffic out of the total DNS traffic.

DNS TEXT Flood status
  Specifies whether this profile protects against DNS TEXT Flood attacks.
  Values: inactive, active
  Default: inactive

DNS TEXT quota
  The maximum expected percentage of DNS TEXT traffic out of the total DNS traffic.

DNS SOA Flood status
  Specifies whether this profile protects against DNS SOA Flood attacks.
  Values: inactive, active
  Default: inactive

DNS SOA quota
  The maximum expected percentage of DNS SOA traffic out of the total DNS traffic.

DNS NAPTR Flood status
  Specifies whether this profile protects against DNS NAPTR Flood attacks.
  Values: inactive, active
  Default: inactive

DNS NAPTR quota
  The maximum expected percentage of DNS NAPTR traffic out of the total DNS traffic.

DNS SRV Flood status
  Specifies whether this profile protects against DNS SRV Flood attacks.
  Values: inactive, active
  Default: inactive

DNS SRV quota
  The maximum expected percentage of DNS SRV traffic out of the total DNS traffic.

DNS OTHER Flood status
  Specifies whether this profile protects against DNS OTHER Flood attacks.
  Values: inactive, active
  Default: inactive

DNS OTHER quota
  The maximum expected percentage of other DNS traffic (that is, not A, MX, AAAA, TEXT, SOA, NAPTR, or SRV) out of the total DNS traffic.

Max Allowed QPS
  The maximum allowed rate of DNS queries per second, when the Manual Triggers option is not enabled.
  Values: 0 to 4,000,000
  Default: 0
  Note: When the Manual Triggers option is enabled (see DNS Protection Advanced Profiles), the Manual Triggers Max QPS Target value overrides this value.

Signature Rate limit
  The percentage of the DNS traffic that matches the real-time signature that the profile will not mitigate above the baseline.
  Values: 0 to 100
  Default: 0

Target Packet Trace Status
  Specifies whether the DDoS Protector device sends attack packets to the specified physical port.
  Default: disable

Action
  The action that the profile takes on DNS traffic during an attack.
  Values: Block and Report, Report Only
  Default: Block and Report

SYN Protection

SYN Protection: Global Settings

A SYN flood attack is usually aimed at specific servers with the intention of consuming the server's resources. However, you configure SYN Protection as a Network Protection to allow easier protection of multiple network elements.

Before you configure SYN profiles for the network-protection policy, ensure the following:
- SYN Protection is enabled.
- The SYN Flood Protection global parameters are configured.
- The Session table Lookup Mode is Full Layer 4.

To enable SYN Flood Protection
1. Select DDoS Protector > Denial of Service > SYN Protection.
2. From the drop-down list, select enable.
3. Click Set.

Note: Changing the setting of this parameter requires a reboot to take effect.

SYN Protection: Advanced Settings

The SYN Protection Advanced Settings window exposes the advanced SYN Protection tuning parameters.

To set the SYN protection advanced parameters
1. Select DDoS Protector > Denial of Service > SYN Protection > Advanced Settings.
2. Configure the parameters and click Set.

Tracking time
  The time, in seconds, that the device tracks the number of SYN packets directed to the same destination. DDoS Protector uses the value to determine when to activate and deactivate SYN Protections.
  Values: 1 to 10
  Default: 5

Attacks

SYN Static Attacks

Predefined SYN Protections, referred to as SYN Static Attacks, are available for the most common applications: FTP, HTTP, HTTPS, IMAP, POP3, RPS, RTSP, SMTP, and Telnet. The thresholds are predefined by Check Point. Use the SYN Protection Static Attack Configuration pane to change the thresholds for these attacks. You cannot delete SYN Static Attacks.

Caution: DDoS Protector x06 does not support physical-port classification for SYN Protection. When triggered, all traffic that matches the attacked destination (classified by destination IP address, Layer 4 port number, and optionally a VLAN tag) is challenged, regardless of the physical port identification. That is, even if the attack is carried out through a specific physical port, all traffic from all ports that matches the other parameters is challenged.

To edit a static attack
1. Select DDoS Protector > SYN Protection > Attacks > Static.
2. Click the name of the attack that you want to edit.
3. Configure the parameters, and click Set.

ID
  (Read-only) The ID number assigned to the protection.

Attack Name
  A name for easy identification of the attack for configuration and reporting.

ApplicationPortGroup
  (Read-only) The group of TCP ports that represents the application that you want to protect.

Activation Threshold
  If the average rate of SYN packets received at a certain destination is higher than this threshold, the protection is activated.
  Values: 1 to 150,000
  Default: 2500

Termination Threshold
  If the average rate of SYN packets received at a certain destination for the duration of the tracking period drops below this threshold, the protection is stopped.
  Values: 1 to 150,000
  Default: 1500

Attack Type
  (Read-only) Specifies whether the SYN protection is a predefined (static) or user-defined (user) protection.

Risk
  The risk level assigned to this attack for reporting purposes.
  Values: low, medium, high

SYN: User Attacks

After you define SYN flood protections, you can add them to SYN profiles.

Caution: DDoS Protector x06 does not support physical-port classification for SYN Protection. When triggered, all traffic that matches the attacked destination (classified by destination IP address, Layer 4 port number, and optionally a VLAN tag) is challenged, regardless of the physical port identification. That is, even if the attack is carried out through a specific physical port, all traffic from all ports that matches the other parameters is challenged.

To edit a static attack
1. Select DDoS Protector > SYN Protection > Attacks > Static.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

ID
  The ID number assigned to the protection. Enter 0 to cause the device to generate a valid ID.

Attack Name
  A name for easy identification of the attack for configuration and reporting.

ApplicationPortGroup
  The group of TCP ports that represents the application that you want to protect. Specify an existing group, or leave the field empty to select any port.

Activation Threshold
  If the average rate of SYN packets received at a certain destination is higher than this threshold, the protection is activated.
  Values: 1 to 150,000
  Default: 2500

Termination Threshold
  If the average rate of SYN packets received at a certain destination for the duration of the tracking period drops below this threshold, the protection is stopped.
  Values: 1 to 150,000
  Default: 1500

Risk
  The risk level assigned to this attack for reporting purposes.
  Values: low, medium, high

Profiles

SYN Static Profiles

The SYN Profiles window enables you to create a new SYN Profile. First create a profile, and then add the attacks that you want to protect against. The profile can then be included in the SYN Protection Policy.

To create a new SYN profile
1. Select DDoS Protector > SYN Protection > Profiles > Profile Attacks.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

SYN Profile
  The name for the profile.

SYN Attack
  From the drop-down list, select the type of attacks to include in this profile.

SYN Protection Profiles Settings

Use the SYN Protection Profiles Settings pane to specify the authentication parameters of an existing profile.

To specify the authentication parameters of a profile
1. Select DDoS Protector > SYN Protection > Profiles > Profiles Settings.
2. Click the profile in the Profile Name column.
3. Configure the parameters, and click Set.

Profile Name
  (Read-only) The name of the profile.

Authentication Method
  The Authentication Method that the device uses at the transport layer. When the device is installed in an ingress-only topology, select the Safe-Reset method.

  transparent-proxy: When the device receives a SYN packet, the device replies with a SYN-ACK packet that carries a cookie in the Sequence Number field. If the response is an ACK that contains the cookie, the device considers the session to be legitimate. The device then opens a connection with the destination and acts as a transparent proxy between the source and the destination.
  safe-reset: When the device receives a SYN packet, the device responds with an ACK packet whose invalid Sequence Number field serves as a cookie. If the client responds with an RST that carries the cookie, the device discards the packet and adds the source IP address to the TCP Authentication Table. The next SYN packet from the same source passes through the device, and the session is approved for the server. The device saves the source IP address for a specified time. Typically, you specify this method when the network policy rule handles only ingress traffic.
  Default: Transparent Proxy

Use HTTP Authentication
  Specifies whether the device authenticates the transport layer of HTTP traffic using SYN cookies and then authenticates the HTTP application layer using the specified HTTP Authentication Method.
  enable: The device authenticates the transport layer of HTTP traffic using SYN cookies and then authenticates the HTTP application layer using the specified HTTP Authentication Method.
  disable: The device handles HTTP traffic using the specified TCP Authentication Method.
  Default: disable

HTTP Authentication Method
  The method that the profile uses to authenticate HTTP traffic at the application layer.
  Redirect: The device authenticates HTTP traffic using a 302-Redirect response code.
  JavaScript: The device authenticates HTTP traffic using a JavaScript object generated by the device.
  Default: 302-Redirect
  Notes:
  - Some attack tools are capable of handling 302-redirect responses. The HTTP Redirect HTTP Authentication Method is not effective against attacks that use those tools.
  - The JavaScript HTTP Authentication Method requires an engine on the client side that supports JavaScript, and therefore the JavaScript option is considered stronger. However, the JavaScript option has some limitations, which are relevant in certain scenarios.
  Limitations when using the JavaScript HTTP Authentication Method:
  - If the browser does not support JavaScript calls, the browser will not answer the challenge.
  - When the protected server is accessed as a sub-page through another (main) page only using JavaScript, the user session will fail (that is, the browser will not answer the challenge). For example, if the protected server supplies content that is requested using a JavaScript tag, the DDoS Protector JavaScript is enclosed within the original JavaScript block. This violates JavaScript rules, which results in a challenge failure.
  Example:

  The following request accesses a secure server:

    <script>
    setTimeout(function(){
      var js=document.createElement("script");
      js.src="http://mysite.site.com.domain/service/appmy.jsp?dlid=12345";
      document.getElementsByTagName("head")[0].appendChild(js);
    },1000);
    </script>

  The returned challenge page contains the <script> tag again, which is illegal, and therefore it is dropped by the browser without making the redirect.

Out-of-State

Out-of-State Global Settings

Out-of-State Protection detects out-of-state packets to provide additional protection against application-level attacks.

To configure global stateful inspection parameters
1. Select DDoS Protector > Denial of Service > Out-of-State > Global Settings.
2. From the Protection Status drop-down list, choose enable.
3. Click Set and confirm reset.
4. Configure the parameters, and click Set.

Protection Status
  Specifies whether or not Out-of-State inspection protection is enabled.

Startup Mode
  The behavior of the device after startup. Out-of-State Protection cannot be applied to existing traffic; therefore, the device can either drop existing traffic and apply Out-of-State Protection to all new traffic, or suspend Out-of-State Protection for a period of time, which is used to learn traffic and sessions.
  On: Start the protection immediately. Existing sessions are dropped and only new sessions are allowed.
  Off: Do not protect.
  Graceful: Start the protection while maintaining existing sessions for the time specified by the StartUp Timer parameter.
  Default: Graceful

StartUp Timer
  For Graceful startup mode, this parameter specifies the time, in seconds, after startup during which the device ignores Out-of-State Protection and registers all sessions in the Session table, including those whose initiation was not registered (for example, the SYN of a TCP session). After this time, the device drops new sessions whose initiation was not registered (for example, the SYN of a TCP session).

  Values: 0 to 65,535
  Default: 1800

Operational State
  Specifies whether the device starts and stops Out-of-State Protection without rebooting the device.

Out-of-State Profiles

Out-of-State Protection detects out-of-state packets to provide additional protection against application-level attacks.

Caution: In cases of overlapping network policies configured with Out-of-State profiles, attacks triggered on both policies are reported twice, once per policy. Therefore, there might be some inconsistencies in the DDoS Protector counter values for discarded traffic.

Caution: The DDoS Protector x06 platform uses two CPUs to handle the activation and termination of Out-of-State protection. DDoS Protector issues an Occurred trap when half the threshold is reached on one CPU, and does not issue Start or Term (terminated) traps. There is a small chance that DDoS Protector will report Out-of-State security events even if the specified thresholds have not been reached.

To configure an Out-of-State Protection profile
1. Select DDoS Protector > Denial of Service > Out-of-State > Profiles.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Profile Name
  The name of the profile.

Activation Threshold
  The rate, in PPS, of out-of-state packets above which the profile considers the packets to be part of a flood attack. When the device detects an attack, it issues an appropriate alert and drops the out-of-state packets that exceed the threshold. Packets that do not exceed the threshold bypass the DDoS Protector device.
  Values: 1 to 250,000
  Default: 5000

Termination Threshold
  The rate, in PPS, of out-of-state packets below which the profile considers the flood attack to have stopped, and the device resumes normal operation.
  Values: 1 to 250,000
  Default: 4000

SYN-ACK Allow status
  enable: When the device receives a SYN-ACK packet for which it has received no corresponding SYN packet, the device opens a session for the packet and processes it. This option supports asymmetric environments, in which the first packet that the device receives is the SYN-ACK.
  disable: When the device receives a SYN-ACK packet for which it has received no corresponding SYN packet, the device drops the packet and counts it toward the Activation Threshold and Termination Threshold.
  Default: enable

Packet Trace status
  Specifies whether the profile sends out-of-state packets to the specified physical port.
  Default: disable

Profile Risk
  The risk for reporting purposes assigned to the attack that the profile detects.
  Values: info, low, medium, high
  Default: low

Profile Action
  The action that the profile takes when it encounters out-of-state packets.
  Values: Block and Report, Report Only
  Default: Block and Report

Connection Limit

Connection Limit: Profiles

The Connection Limit Profiles window enables you to create Connection Limit profiles. Connection Limit profiles contain attack definitions for groups of TCP or UDP application ports. DDoS Protector counts the number of TCP connections, or UDP sessions, opened per client, per server, or per client-plus-server combination, for traffic that matches a Connection Limit policy attack definition. Once the number of connections per second reaches the specified threshold, any session or connection over the threshold is dropped, unless the action mode defined for this attack is Report Only. You can also define whether to suspend the source IP address, dropping traffic from this source for a number of seconds according to the Suspend table parameters.

Recommended settings for policies that include Connection Limit profiles:
- Configure policies containing Connection Limit profiles using Networks only with source = Any (the public network) and destination = Protected Network.
- You can define segments using VLAN tags and physical ports.
- It is not recommended to define networks when the Source and Destination are set to Any.
- Policies containing Connection Limit profiles can be configured with Direction set to either oneway or twoway.
Before you configure a Connection Limit profile, ensure the following:
- Connection Limit protection is enabled.
- The Session table Lookup Mode is Full Layer 4.
- (Recommended) The required Connection Limit attacks are configured. A Connection Limit profile should include all the Connection Limit Attacks that you want to apply in a network protection policy.

To configure a new Connection Limit profile
1. Select DDoS Protector > Denial of Service > Connection Limit > Profiles.
2. Click Create.
3. In the Connection Limiting Profile text box, type the name of the Connection Limit profile.
4. From the Connection Limiting Attack drop-down list, select a Connection Limit Attack to include in the profile.
5. Click Set.

To add a Connection Limit Attack to a Connection Limit profile
1. Select DDoS Protector > Denial of Service > Connection Limit > Profiles.
2. Click the profile link in the table.
3. Click Create.
4. From the Connection Limiting Attack drop-down list, select a Connection Limit Attack to include in the profile.

Connection Limit: Attacks

The Connection Limit Attacks window enables you to define a Connection Limit Attack. Configure Connection Limit Attacks to add to Connection Limit profiles for network protection.

Note: Connection Limit Attacks are also referred to as Connection Limit protections.

To configure a Connection Limit Attack
1. Select DDoS Protector > Connection Limit > Attacks.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

ID
  (Read-only) The ID number assigned to the Connection Limit protection.

Attack Name
  A descriptive name for easy identification of the attack in configuration and reporting.

Destination App. Port
  A group of Layer 4 ports that represents the application you want to protect.

Protocol
  The Layer 4 protocol of the application you want to protect.
  Values: tcp, udp
  Default: tcp

Threshold
  The maximum number of new TCP connections, or new UDP sessions, per second, allowed for each source, destination, or source-and-destination pair. All additional sessions are dropped. When the threshold is reached, an attack is identified and a security event is generated.
  Default: 5

Tracking Type
  The counting rule for tracking sessions.
  Source and Target Count: Sessions are counted per source IP and destination IP address combination.
  Source Count: Sessions are counted per source IP address.
  Target Count: Sessions are counted per destination IP address.
  Default: Source Count
  Note: When Tracking Type is Target Count, the Suspend Action can only be None.

Action Mode
  The action when an attack is detected.
  Drop: The packet is discarded.
  Report-only: The packet is forwarded to the destination IP address.
  Reset Source: Sends a TCP Reset packet to the packet's source IP address.
  Default: Drop

Risk
  The risk assigned to this attack for reporting purposes.
  Values: High, Info, Low, Medium
  Default: Medium

Suspend Action
  Specifies which session traffic the device suspends for the attack duration (see Suspend Table).
  None: Suspend action is disabled for this attack.
  SrcIP: All traffic from the IP address identified as the source of this attack is suspended.
  SrcIP, DestIP: Traffic from the IP address identified as the source of this attack to the destination IP address under attack is suspended.
  SrcIP, DestPort: Traffic from the IP address identified as the source of this attack to the application (destination port) under attack is suspended.
  SrcIP, DestIP, DestPort: Traffic from the IP address identified as the source of this attack to the destination IP address and port under attack is suspended.
  SrcIP, DestIP, SrcPort, DestPort: Traffic from the IP address and port identified as the source of this attack to the destination IP address and port under attack is suspended.
  Default: None
  Note: When Tracking Type is Target Count, the Suspend Action can only be None.

Packet Trace
  Specifies whether the DDoS Protector device sends attack packets to the specified physical port.
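The counting rule described for Connection Limit attacks (new connections per second per Tracking Type key, the Threshold, the Action Mode and the Suspend Action) can be reproduced in a few dozen lines. The following simulation is an added example and not Check Point code: the packet dictionary layout, the `suspend_seconds` duration (which the real device takes from its Suspend table) and the traffic are all constructed for illustration.

```python
"""Connection Limit attack definition, simulated (added example, not Check Point code)."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Suspend Action -> packet fields that form the suspend-table key.
SUSPEND_FIELDS = {
    "none": (),
    "srcip": ("src_ip",),
    "srcip,destip": ("src_ip", "dst_ip"),
    "srcip,destport": ("src_ip", "dst_port"),
    "srcip,destip,destport": ("src_ip", "dst_ip", "dst_port"),
    "srcip,destip,srcport,destport": ("src_ip", "dst_ip", "src_port", "dst_port"),
}


@dataclass
class ConnLimitAttack:
    name: str
    dest_ports: frozenset            # Destination App. Port group
    protocol: str = "tcp"            # tcp | udp
    threshold: int = 5               # new connections per second per key (Default: 5)
    tracking: str = "source"         # source | target | source_and_target
    action: str = "drop"             # drop | report-only | reset-source
    suspend: str = "none"            # one of SUSPEND_FIELDS
    suspend_seconds: int = 60        # constructed; the device takes this from the Suspend table

    def __post_init__(self):
        if self.suspend not in SUSPEND_FIELDS:
            raise ValueError(f"unknown Suspend Action {self.suspend!r}")
        # Page rule: with Target Count tracking, the Suspend Action can only be None.
        if self.tracking == "target" and self.suspend != "none":
            raise ValueError("Suspend Action must be None when Tracking Type is Target Count")


@dataclass
class ConnLimitState:
    counts: Dict[Tuple, int] = field(default_factory=dict)       # (second, tracking key) -> count
    suspended: Dict[Tuple, float] = field(default_factory=dict)  # suspend key -> expiry time


def tracking_key(attack: ConnLimitAttack, pkt: dict) -> Tuple:
    if attack.tracking == "source":
        return (pkt["src_ip"],)
    if attack.tracking == "target":
        return (pkt["dst_ip"],)
    return (pkt["src_ip"], pkt["dst_ip"])        # Source and Target Count


def suspend_key(attack: ConnLimitAttack, pkt: dict) -> Tuple:
    return tuple(pkt[f] for f in SUSPEND_FIELDS[attack.suspend])


def handle_new_connection(attack: ConnLimitAttack, state: ConnLimitState,
                          pkt: dict, now: float) -> str:
    """Verdict for one connection-opening packet (TCP SYN or first UDP datagram):
    forward | report | drop | reset-source | suspended."""
    # Traffic that does not match the attack definition is not counted.
    if pkt["proto"] != attack.protocol or pkt["dst_port"] not in attack.dest_ports:
        return "forward"
    # Sources in the suspend table are dropped until their entry expires.
    if attack.suspend != "none":
        skey = suspend_key(attack, pkt)
        expiry = state.suspended.get(skey)
        if expiry is not None:
            if now < expiry:
                return "suspended"
            del state.suspended[skey]
    # Count new connections in the current one-second bucket for this key.
    bucket = (int(now), tracking_key(attack, pkt))
    state.counts[bucket] = state.counts.get(bucket, 0) + 1
    if state.counts[bucket] <= attack.threshold:
        return "forward"
    # Over the Threshold: the attack is identified and a security event is raised.
    if attack.action == "report-only":
        return "report"                  # packet is still forwarded
    if attack.suspend != "none":
        state.suspended[suspend_key(attack, pkt)] = now + attack.suspend_seconds
    return "reset-source" if attack.action == "reset-source" else "drop"


def demo() -> list:
    """Constructed traffic: one client opens 8 connections to port 80 within one
    second, retries port 80 and port 443 ten seconds later, and retries port 80
    again after its suspend entry has expired."""
    attack = ConnLimitAttack("web-conn-limit", frozenset({80, 443}), threshold=5,
                             tracking="source", action="drop", suspend="srcip,destport")
    state = ConnLimitState()

    def syn(dst_port, src_port):
        return dict(proto="tcp", src_ip="198.51.100.7", src_port=src_port,
                    dst_ip="203.0.113.10", dst_port=dst_port)

    verdicts = [handle_new_connection(attack, state, syn(80, 40000 + i), 100.0 + i / 10)
                for i in range(8)]
    verdicts.append(handle_new_connection(attack, state, syn(80, 40100), 110.0))   # still suspended
    verdicts.append(handle_new_connection(attack, state, syn(443, 40101), 110.0))  # other port: not suspended
    verdicts.append(handle_new_connection(attack, state, syn(80, 40102), 171.0))   # suspend expired
    return verdicts
```

Because the suspend key in the demo is SrcIP, DestPort, the same client's connection to port 443 is still forwarded while its port 80 traffic is suspended.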

HTTP Mitigator

HTTP Mitigator Global Settings

The HTTP Mitigator detects and mitigates HTTP request flood attacks to protect Web servers. The HTTP Mitigator collects and builds a statistical model of the protected server traffic and then, using fuzzy logic inference systems and statistical thresholds, detects traffic anomalies and identifies the malicious sources.

To configure the HTTP Mitigator
1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Global Settings.
2. Configure the parameters, and click Set.

Protection Status
  Specifies whether the HTTP Mitigator is enabled on the device. HTTP flood protection must be enabled to set HTTP flood protection parameters.
  Default: enable

Learning period before activation
  The time, in days, that the HTTP Mitigator takes to collect the data needed to establish the baseline that HTTP Mitigation uses.
  Values: 0 to 65,536
  Default: 7

Learning Mode
  The learning mode of the HTTP Mitigator.
  Continuous Only: The learning process about the traffic environment is continuous.
  Automatic: The HTTP Mitigator can switch to 24x7 learning when it detects a recurring pattern per hour of the day of the week in a period of 4, 8, or 12 weeks (based on sensitivity).

Learning Sensitivity
  The period from which the HTTP Mitigator establishes baselines. Select the time unit based on the site characteristics. For example, if the site traffic fluctuates during the course of a day but fluctuates the same way each day, select Day; if there are significant fluctuations between the days of the week, select Week.
  Values: Day, Week, Month
  Default: Week

Advanced

HTTP Mitigator Advanced Mitigation Configuration

Check Point recommends that only advanced users modify the values in the HTTP Mitigator Advanced Mitigation Configuration pane.

To perform advanced configuration for the manual mitigation mode
1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Advanced > Mitigation Configuration.
2. Configure the parameters, and click Set.

Mitigation Failure Condition
  The number of automatic attempts that the device makes before announcing an anomaly state, meaning that the device cannot mitigate the attack.
  Values: 1 to 100
  Default: 3

Clear Authentication List On Negative Feedback
  Specifies whether the device clears the authentication table (which is a white list) every time a challenge state fails to block the attack.
  Values: enable, disable
  Default: disable

HTTP Mitigator Advanced Profiles

Use the HTTP Mitigator Advanced Profiles pane to configure an HTTP Flood Mitigation profile with advanced parameters.

HTTP Flood Mitigation profiles defend the applications in your network against server flooding. Server flood attacks are aimed at specific servers, causing denial of service at the server level. These types of attacks disrupt a server by sending more requests than the server can handle, thereby preventing access to a service. Server attacks differ from network-flood attacks either in the attack volume or in the nature of the requests used in the attack. Server flood attacks use legitimate requests that cannot be distinguished from regular customer requests.

Before you configure an HTTP Flood profile, ensure that HTTP mitigation is enabled and the global parameters are configured.

To configure an HTTP Flood Mitigation profile with advanced parameters
1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Advanced > Profiles Configuration.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Profile Name
  The name of the profile.

Sensitivity
  When User-Defined Attack Triggers are not used, this parameter specifies how sensitive the profile is to deviations from the baseline. High specifies that the profile identifies an attack when the device detects only a small deviation from the baselines.
  Values: minor, low, medium, high
  Default: medium

Action
  The action that the profile takes when the profile detects suspicious traffic.
  Block and Report: Blocks and reports on the suspicious traffic.
  Report Only: Reports the suspicious traffic.
  Default: Block and Report

User Defined Attack Triggers
  Specifies whether the profile uses static, user-defined thresholds to identify when an attack is in progress, or checks the server traffic and compares the traffic behavior to the baseline to identify when an attack is in progress.
  Values: inactive, active
  Default: inactive

Get and POST Request-Rate Trigger
  The maximum number of GET and POST requests allowed, per server per second.
  0: The profile ignores the threshold.
  Values: 1 to 4,294,967,296
  Default: 0

Other Request-type Request-Rate Trigger
  The maximum number of requests that are not GET or POST (for example, HEAD, PUT, and so on) allowed, per server per second.
  0: The profile ignores the threshold.
  Values: 1 to 4,294,967,296
  Default: 0
  Caution: If Outbound HTTP BW Trigger is enabled and Other Request-type Request-Rate Trigger is disabled, an attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption. The same can happen when both Outbound HTTP BW Trigger and Other Request-type Request-Rate Trigger are enabled but the request rate does not exceed the threshold. The high outbound HTTP bandwidth consumption may cause the Outbound HTTP BW Trigger mechanism to consider the attack to be an anomaly, and the profile will not mitigate it.

Outbound HTTP BW Trigger
  The maximum allowed bandwidth, in kilobits per second, of HTTP responses.
  0: The profile ignores the threshold.
  Values: 1 to 4,294,967,296
  Default: 0

Request-per-Source Trigger
  The maximum number of requests allowed per source IP per second.
  0: The profile ignores the threshold.
  Values: 1 to 4,294,967,296
  Default: 5

Request-per-Connection Trigger
  The maximum number of requests allowed from the same connection.
  0: The profile ignores the threshold.
  Values: 1 to 4,294,967,296
  Default: 5

Request-Rate Threshold
  The number of HTTP requests per second from a source that causes the profile to consider the source to be suspicious.
  Values: 1 to 65,535
  Default: 5

Request-per-Connection Threshold
  The number of HTTP requests on a connection that causes the profile to consider the source to be suspicious.
  Values: 1 to 65,535
  Default: 5

Packet Trace
  Specifies whether the profile sends attack packets to the specified physical port.
  Values: enable, disable
  Default: disable
  Note: A change to this parameter takes effect only after you update policies.

Source Challenge Status
  Specifies whether the profile challenges HTTP sources that match the real-time signature.
  Values: enable, disable
  Default: enable

Collective Challenge Status
  Specifies whether the profile challenges all HTTP traffic toward the protected server.
  Values: enable, disable
  Default: enable

Source Blocking Status
  Specifies whether the profile blocks all traffic from the suspect sources.
  Values: enable, disable
  Default: enable

Challenge Mode
  Specifies how the profile challenges suspect HTTP sources.
  HTTP Redirect: The device authenticates HTTP traffic using a 302-Redirect response code.
  JavaScript: The device authenticates HTTP traffic using a JavaScript object generated by the device.
  Default: HTTP Redirect
  Notes:
  - Some attack tools are capable of handling 302-redirect responses. The HTTP Redirect Challenge Mode is not effective against attacks that use those tools.
  - The JavaScript Challenge Mode requires an engine on the client side that supports JavaScript, and therefore the JavaScript option is considered stronger. However, the JavaScript option has some limitations, which are relevant in certain scenarios.
  Limitations when using the JavaScript Challenge Mode:
  - If the browser does not support JavaScript calls, the browser will not answer the challenge.
  - When the protected server is accessed as a sub-page through another (main) page only using JavaScript, the user session will fail (that is, the browser will not answer the challenge). For example, if the protected server supplies content that is requested using a JavaScript tag, the DDoS Protector JavaScript is enclosed within the original JavaScript block. This violates JavaScript rules, which results in a challenge failure.
  Example: The following request accesses a secure server:

    <script>
    setTimeout(function(){
      var js=document.createElement("script");
      js.src="http://mysite.site.com.domain/service/appmy.jsp?dlid=12345";
      document.getElementsByTagName("head")[0].appendChild(js);
    },1000);
    </script>

  The returned challenge page contains the <script> tag again, which is illegal, and therefore it is dropped by the browser without making the redirect.

Other Requests Decision Engine
  Specifies whether the profile identifies an HTTP flood attack when the rate of requests that are not GET or POST requests exceeds the learned baseline.

Configuring DDoS Protector s enable, disable Default: enable Caution: If Outbound BW Decision Engine is enable and Other Requests Decision Engine is disable, an attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption. An attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption also if Outbound BW Decision Engine is enable and Other Requests Decision Engine is enable too but the rate does not exceed the threshold. The high outbound HTTP bandwidth consumption may cause the Outbound HTTP Bandwidth mechanism to consider the attack to be an anomaly, and the profile will not mitigate it. Requests per source Decision Engine Get and POST global requests Decision Engine Outbound BW Decision Engine Requests per connection Decision Engine Specifies whether the profile identifies an HTTP flood attack when the rate of requests per source exceeds the learned baseline. enable, disable Default: enable Specifies whether the profile identifies an HTTP flood attack when the rate of GET and POST requests exceeds the learned baseline. enable, disable Default: enable Specifies whether the profile identifies an HTTP flood attack when the outbound HTTP bandwidth exceeds the learned baseline. enable, disable Default: enable Specifies whether the profile identifies an HTTP flood attack when the rate of requests per connection exceeds the learned baseline. enable, disable Default: enable HTTP Mitigator Profiles Use the HTTP Mitigator Profiles pane to configure a basic HTTP Flood Mitigation profile. Note: To configure an HTTP Flood Mitigation profile with advanced parameters, use the HTTP Mitigator Advanced Profiles pane. For more information, see HTTP Mitigator Advanced Profiles. HTTP Flood Mitigation profiles defend the applications in your network against server flooding. Server flood attacks are aimed at specific servers causing denial of service at the server level. 
These attacks disrupt a server by sending more requests than the server can handle, thereby preventing access to a service. Server attacks differ from network-flood attacks either in the attack volume or in the nature of the requests used in the attack: server flood attacks use legitimate requests that cannot be distinguished from regular customer requests.

Before you configure an HTTP Flood Mitigation profile, ensure that HTTP mitigation is enabled and the global parameters are configured.

To configure a basic HTTP Flood Mitigation profile
1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Profiles.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Profile Name
    The name of the profile.

Sensitivity
    Specifies how sensitive the profile is to deviations from the baseline. High specifies that the profile identifies an attack when the device detects only a small deviation from the baselines.
    Values: minor, low, medium, high
    Default: medium

Action
    The action that the profile takes when it detects suspicious traffic.
    Values:
        Block and Report: Blocks and reports on the suspicious traffic.
        Report Only: Reports the suspicious traffic.
    Default: Block and Report

Packet Trace
    Specifies whether the profile sends attack packets to the specified physical port.
    Values: enable, disable
    Default: disable
    Note: A change to this parameter takes effect only after you update policies.

Authentication tables

DNS Authentication Table

The DNS authentication table holds the DNS source addresses.

To set the DNS authentication table parameters
1. Select DDoS Protector > Authentication table > DNS.
2. Configure the parameters, and click Set.

Authentication table status
    Specifies whether the device uses the DNS authentication table (which is a white list) during a DNS challenge state.
    Values: enable, disable

Authentication table aging
    The time, in minutes, that the device keeps idle sources in the DNS Authentication table.
    Values: 1 to 60
    Default: 20
    Note: You can enter a value even if DNS Flood Protection is not enabled, and the value will persist.

Authentication table utilization
    The percentage of the table that is full.

Clean Table
    Select the checkbox to clear the authentication table.

TCP Authentication table

The TCP authentication table holds the TCP source addresses.

To set the TCP authentication table parameters
1. Select DDoS Protector > Authentication table > TCP.
2. Configure the parameters, and click Set.

Authentication table aging
    The time, in seconds, that the device keeps idle sources in the TCP Authentication table.
    Values: 60 to 3600
    Default: 1200

Authentication table utilization
    (Read-only) The percentage of the table that is currently full.

Clean Table
    Select the checkbox to clear the authentication table.

HTTP Authentication table

The HTTP authentication table holds the number of source-destination couples for protected HTTP servers. For example, if there are two attacks towards two HTTP servers and the source addresses are the same, there will be two entries for that source in the table, one for each server.

To set the HTTP authentication table parameters
1. Select DDoS Protector > Authentication table > HTTP.
2. Configure the parameters, and click Set.

Authentication table aging
    The time, in seconds, that the device keeps idle sources in the HTTP Authentication table.
    Values: 60 to 3600
    Default: 1200

Authentication table utilization
    (Read-only) The percentage of the table that is currently full.

Clean Table
    Select the checkbox to clear the authentication table.

Server Protection

Protected Servers

The Server Protection table contains the protected servers and the actions that DDoS Protector takes when an attack on a protected server is detected. You can add servers manually to the Server Protection table, or the Service Discovery mechanism adds discovered servers to the table.

The name of a discovered server in the Server Protection table is in the following format:

    <Number>_<NetworkProtectionPolicyName>

where:
    <Number> is a number that the DDoS Protector device generates serially.
    <NetworkProtectionPolicyName> is the Network Protection policy that discovered the server.

Example: 234_MyNetPolicyN

To configure a protected server
1. Select DDoS Protector > Server Protection > Protected Servers.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Name
    The name of the server.
    Maximum characters: 30

IP
    The IP address of the protected server.

HTTP mitigator Profile
    The HTTP-flood-mitigator profile that the device activates against an attack.

State
    Values:
        active: The server protection is active.
        inactive: The server protection is inactive, but the DDoS Protector device maintains baselines and the configuration of the associated HTTP profile.
    Default: active

Server Status
    The status of the server, especially in the context of the Service Discovery mechanism.
    Values:
        static: The server is a static member of the Server Protection table, and it is protected if the State is active. If the server is a discovered server, the Service Discovery mechanism does not revalidate the server.
        ignored: The server is ignored, with no protection from the device. The DDoS Protector device maintains no baselines or associated HTTP profile configuration for the server.
        discovered: The Service Discovery mechanism discovered the server, and it is protected if the State is active. The Service Discovery mechanism revalidates the server according to the specified Revalidation Time.
        revalidating: For internal use only. The Service Discovery mechanism is currently checking again whether the server meets the Tracking-Time Responses-per-Minute criteria.
        in evaluation: For internal use only. The Service Discovery mechanism is currently checking whether the server meets the Tracking-Time Responses-per-Minute criteria.
    Notes:
        For server entries that you create, you can only specify the Server Status static or ignored.
        You can change the Server Status from discovered only to static or ignored.
        You cannot change the Server Status once you specify ignored. You can delete the server entry if required.

Discoverer Policy
    Specifies the Network Protection policy with a Service Discovery profile that added the server to the Server Protection table.
    Note: You can modify a Discoverer Policy only for a server whose Server Status is discovered.

White List

DDoS Protector exempts packets that match an active White List policy from specified inspection processes. For each protection, you can set the direction of the bypass. For example, sessions initiated from the white-listed IP address are bypassed, while sessions initiated toward that IP address are inspected as usual.

Note: Since IP addresses belonging to the White List are not inspected, certain protections are not applied for the opposite direction. For example, with SYN protection this can cause servers not to be added to known destinations, because the ACK packets are not inspected.

Caution: DDoS Protector continues to block packets from a source or destination that is part of an active attack even after you add the source or destination to the White List per protection.

To configure a white list policy
1. Select DDoS Protector > White List.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

State
    Specifies whether the policy is active. You can select inactive to deactivate the policy without removing it from the list.
    Values: active, inactive
    Default: active

Name
    The user-defined name for the policy.

SrcNetwork
    The source of the packets that the policy uses.
    Values: A Network class; An IP address; any

DstNetwork
    The destination of the packets that the policy uses.
    Values: A Network class; An IP address; any

SrcPortGroup
    The source Application Port class or application-port number that the policy uses.
    Values: An Application Port class; An application-port number

    Note: This parameter is relevant only for UDP, TCP, and SCTP traffic. You cannot use a port group for ICMP, IGMP, or GRE.

DstPortGroup
    The destination Application Port class or application-port number that the policy uses.
    Values: An Application Port class; An application-port number
    Note: This parameter is relevant only for UDP, TCP, and SCTP traffic. You cannot use a port group for ICMP, IGMP, or GRE.

PhysicalPortGroup
    The Physical Port class or physical port that the policy uses.
    Values: A Physical Port class; The physical ports on the device

VLANTag
    The VLAN Tag class that the policy uses.
    Values: A VLAN Tag class

Protocol
    The protocol of the traffic that the policy uses.
    Values: Any, GRE, ICMP, ICMPv6, IGMP, SCTP, TCP, UDP, L2TP, GTP, IP in IP
    Default: Any

Direction
    The direction of the traffic to which the policy relates. This parameter relates to L4 sessions only.
    Values:
        one-direct: The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.
        bi-direct: The protection applies to sessions that match the network definitions of the policy regardless of their direction.
    Default: one-direct

Description
    The user-defined description for the policy, up to 19 characters.

All Modules Bypass
    Specifies whether the policy includes all specific protection modules.
    Values:
        active: The specified Classification criteria determine the traffic that is exempt from security inspection.
        inactive: The specified source (that is, the source Network class or source IP address) and the specified protection modules determine the traffic that is exempt from security inspection.
    Default: active
    Performance is better when All Modules Bypass is active than when the modules are enabled individually.

SYN Protection Bypass
    When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses SYN Protection inspection.
    Values: active, inactive
    Default: active

Anti-Scanning Bypass
    When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Anti-Scanning inspection.
    Values: active, inactive
    Default: active

Signature Protection Bypass
    When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Signature Protection inspection.
    Values: active, inactive
    Default: active

HTTP Mitigator Bypass
    When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses HTTP Flood inspection.
    Values: active, inactive
    Default: active

Black List

DDoS Protector drops packets that match an active Black List rule. The Black List comprises the traffic that the device always blocks without inspection. You use the Black List as policy exceptions for security policies. The device black-lists packets if all the criteria for the policy evaluate to true.

You enable or disable the Packet Trace feature for all the Black List rules on the device. When the Packet Trace feature is enabled for Black Lists, the DDoS Protector device sends blacklisted packets to the specified physical port.

To configure the Packet Trace status
1. Select DDoS Protector > Black List.
2. From the Packet Trace Status drop-down list, select enable or disable.
3. Click Set.

To configure a Black List rule
1. Select DDoS Protector > Black List.
2. Click Create.
3. Configure the parameters, and click Set.

State
    Specifies whether the rule is active. You can select inactive to deactivate the rule without removing it from the list.
    Values: active, inactive
    Default: active

Name
    The user-defined name for the rule.

SrcNetwork
    The source of the packets that the rule uses.
    Values: A Network class; An IP address; any

DstNetwork
    The destination of the packets that the rule uses.
    Values: A Network class; An IP address; any

SrcPortGroup
    The source Application Port class or application-port number that the rule uses.
    Values: An Application Port class; An application-port number
    Note: This parameter is relevant only for UDP, TCP, and SCTP traffic. You cannot use a port group for ICMP, IGMP, or GRE.

DstPortGroup
    The destination Application Port class or application-port number that the rule uses.
    Values: An Application Port class; An application-port number
    Note: This parameter is relevant only for UDP, TCP, and SCTP traffic. You cannot use a port group for ICMP, IGMP, or GRE.

PhysicalPortGroup
    The Physical Port class or physical port that the rule uses.
    Values: A Physical Port class; The physical ports on the device

VLANTag
    The VLAN Tag class that the rule uses.
    Values: A VLAN Tag class

Protocol
    The protocol of the traffic that the rule uses.
    Values: Any, GRE, ICMP, ICMPv6, IGMP, SCTP, TCP, UDP, L2TP, GTP, IP in IP
    Default: Any

Direction
    The direction of the traffic to which the rule relates. This parameter relates to L4 sessions only.
    Values:
        one-direct: The protection applies to sessions originating from sources to destinations that match the network definitions of the rule.
        bi-direct: The protection applies to sessions that match the network definitions of the rule regardless of their direction.
    Default: one-direct

Report Action
    The report action that the device takes when it encounters a packet that matches the rule.
    Values:
        report: The device issues a trap when it encounters a blacklisted packet.
        no-report: The device issues no trap when it encounters a blacklisted packet.

Description
    The user-defined description for the rule, up to 19 characters.

Entry Expiration Timer (Hours)
    Specifies the hours and minutes remaining for the rule.

Entry Expiration Timer (Minutes)
    Together with Entry Expiration Timer (Hours), the time remaining for the rule. The maximum Expiration Timer is two hours. The Expiration Timer can be used only with dynamic Black List rules; the Expiration Timer for a static Black List rule must be set to 0 (zero hours and zero minutes). When the rule expires (that is, when the Entry Expiration Timer elapses), the rule disappears from the Black List Policy table when the table refreshes.

Dynamic
    Specifies whether the rule implements the Expiration Timer.
    Default: Disabled
    Note: Changing the configuration of this option takes effect only after you update policies.

Network Protection Policies

The Network Protection policy protects your configured networks using protection profiles. Before you configure Network Protection policies and profiles, ensure that you have enabled all the required protections and configured the corresponding global protection parameters.

Each Network Protection policy consists of two parts:
    The classification that defines the protected network segment.
    The action to be applied when an attack is detected on the matching network segment. The action defines the protection profiles to be applied to the network segment, and whether the malicious traffic should be blocked. Malicious traffic is always reported.

To configure a Network Protection policy
1. Select DDoS Protector > Policies > Table.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Name
    The name of the Network Protection policy.

Direction
    The direction of the traffic to which the policy relates.
    Values:
        oneway: The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.
        twoway: The protection applies to sessions that match the network definitions of the policy regardless of their direction.
    Default: One Way

Source Address
    The source of the packets that the rule uses.
    Values: A Network class configured in the Classes menu; An IP address; any (Any IP address)
    Default: any

Destination Address
    The destination of the packets that the rule uses.
    Values: A Network class configured in the Classes menu; An IP address; any (Any IP address)
    Default: any

Inbound Physical Port Group
    The Physical Port class or physical port that the rule uses.
    Values: A Physical Port class configured in the Classes menu; The physical ports on the device; None

Vlan Tag Group
    The VLAN Tag class that the rule uses.
    Values: A VLAN Tag class configured in the Classes menu; None

State
    Specifies whether the policy is enabled.
    Values: active, inactive
    Default: active

Action
    The default action for all attacks under this policy.
    Values:
        Block and Report: The malicious traffic is terminated, and a security event is generated and logged.
        Report Only: The malicious traffic is forwarded to its destination, and a security event is generated and logged.
    Default: Block and Report
    Note: Signature-specific actions override the default action for the policy.

Signatures Profile
    The Signature Protection profile applied to the network segment defined in this policy.

Connection Limit Profile
    The Connection Limit profile applied to the network segment defined in this policy.

Out-Of-State Profile
    The Out-of-State profile applied to the network segment defined in this policy.

Behavioral Dos Profile
    The BDoS profile applied to the network segment defined in this policy.

SYN Protection Profile
    The SYN Flood profile applied to the network segment defined in this policy.

DNS protection Profile
    The DNS Protection profile applied to the network segment defined in this policy.

Packet Trace
    Specifies whether the policy sends attack packets to the specified physical port.
    Values: enable, disable
    Default: disable

Packet Trace configuration on policy takes precedence
    Specifies whether the configuration of the Packet Trace feature here, on this policy, takes precedence over the configuration of the Packet Trace feature in the associated profiles.
    Values: enable, disable
    Default: disable
    Caution: A change to this parameter takes effect only after you update policies.

Service Discovery Profile
    The Service Discovery profile that the Network Protection policy uses to identify HTTP servers to protect. Leave the field empty if you do not want to implement the Service Discovery feature. For more information, see Service Discovery Global Parameters and Restore Default Configuration, which describes the default profiles.

Policies Resources Utilization

The Policies Resources Utilization pane is supported only on x412 platforms. You can view statistics relating the user-defined policies to the utilization of the DoS Mitigation Engine (DME). The values that the device exposes are calculated according to the configured values, even before you run the Update Policies command.

To view statistics relating the user-defined policies to the utilization of the DoS Mitigation Engine
Select DDoS Protector > Policies > Resources View.

If any of the following values is close to the maximum, the resources for the device are exhausted:

Total Number of Policies
    The total number of policies in the context of the DME, which is double the number of network policies configured in the device.

Sub Policies Utilization
    The percentage of DME resource utilization from the entries of sub-policies. In the context of the DME, a sub-policy is a combination of the following:
        Source-IP-address range
        Destination-IP-address range
        VLAN-tag range

HW Entries Utilization
    The percentage of resource utilization from the HW entries in the context of the DME.

Policies Resources Utilization table

Policy Name
    The name of the policy.

Direction
    The direction of the policy.
    Values: inbound, outbound

Num of HW Entries
    The number of DME hardware entries that the policy uses.

Num of Sub-Policies
    The number of DME sub-policy entries that the policy uses.

Global

Suspend Table

Suspend Table Parameters

The Suspend Table allows you to define that for certain attacks, in addition to the action defined in the attack, the device also suspends traffic from the IP address that was the source of the attack for a period of time.

The period for which a source is suspended is set according to the following algorithm:
    The first time a source is suspended, the suspension time is the Minimal Aging Time configured for the Suspend Table.
    Each time the same source is suspended again, the suspension length is doubled, until it reaches the Maximum Aging Time set for the Suspend Table.
    Once the suspension length has reached the maximum length allowed, it remains constant for each additional suspension.

The Suspend Table Parameters window enables you to set the tuning parameters for the Suspend Table.

To set the suspend table parameters
1. Select DDoS Protector > Global > Suspend Table Parameters.
2. Configure the parameters, and click Set.
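The suspension-time algorithm above, and the Suspend Table max same source entries escalation described in the parameters that follow, as an added Python model; this is a constructed example, not the guide's or the product's code. The parameter names and the Suspend Action values SrcIP and SrcIP-DstIP-SrcPort-DstPort come from the guide; the class, function and field names, the mapping of the per-flow action onto the Dest IP and Dest Port columns of the Suspend Table pane, and the sample addresses are this example's own assumptions.

```python
"""Model of the Suspend Table aging rules (constructed example, not product code).

Parameter names follow the guide: Suspend Table min time, Suspend Table max time
and Suspend Table max same source entries.
"""
from dataclasses import dataclass, field


def suspension_seconds(min_time: int, max_time: int, nth: int) -> int:
    """Length of the nth suspension (1-based) of the same source IP.

    The first suspension lasts min_time seconds; every repeat doubles the
    previous length until max_time is reached, after which it stays constant.
    """
    if nth < 1:
        raise ValueError("nth must be >= 1")
    return min(min_time * 2 ** (nth - 1), max_time)


def suspension_schedule(min_time: int, max_time: int, repeats: int) -> list:
    """Suspension lengths for the first `repeats` suspensions of one source."""
    return [suspension_seconds(min_time, max_time, n) for n in range(1, repeats + 1)]


@dataclass(frozen=True)
class SuspendEntry:
    """One row of the Suspend Table pane: dest_ip 0.0.0.0 means all
    destinations, dest_port 0 means all ports."""
    source_ip: str
    dest_ip: str
    dest_port: int
    protocol: str
    seconds: int


@dataclass
class SuspendTable:
    min_time: int = 10                  # guide default
    max_time: int = 600                 # guide default
    max_same_source_entries: int = 0    # guide default; 0 = feature off
    suspend_action: str = "SrcIP-DstIP-SrcPort-DstPort"  # or "SrcIP"
    entries: list = field(default_factory=list)
    _hits: dict = field(default_factory=dict)  # suspensions seen per source IP

    def suspend(self, src: str, dst: str, dport: int, proto: str) -> SuspendEntry:
        """Record a new suspension of src and return the resulting table row."""
        nth = self._hits.get(src, 0) + 1
        self._hits[src] = nth
        seconds = suspension_seconds(self.min_time, self.max_time, nth)

        # Suspend Action SrcIP always covers all traffic from the source, so the
        # escalation parameter is irrelevant there.  With the per-flow action the
        # escalation applies once the source has had more than
        # max_same_source_entries entries, whatever destinations or ports the
        # earlier entries pointed to (assumed mapping onto the table columns).
        whole_source = self.suspend_action == "SrcIP" or (
            self.max_same_source_entries > 0
            and nth > self.max_same_source_entries
        )
        if whole_source:
            entry = SuspendEntry(src, "0.0.0.0", 0, proto, seconds)
        else:
            entry = SuspendEntry(src, dst, dport, proto, seconds)
        self.entries.append(entry)
        return entry


if __name__ == "__main__":
    # Guide defaults plus the escalation value from the guide's own example (4).
    table = SuspendTable(max_same_source_entries=4)
    attacker = "198.51.100.7"  # constructed address (documentation range)
    targets = [("203.0.113.10", 80), ("203.0.113.11", 443), ("203.0.113.12", 53),
               ("203.0.113.13", 8080), ("203.0.113.14", 25)]
    for dst, port in targets:
        row = table.suspend(attacker, dst, port, "TCP")
        print(f"{row.source_ip:>14} -> {row.dest_ip:<12} port {row.dest_port:<5} "
              f"{row.protocol} for {row.seconds:>4}s")
```

With the defaults, the durations run 10, 20, 40, 80, 160 seconds, and the fifth entry for the same source is recorded against 0.0.0.0 and port 0.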

Suspend Table min time
    The time, in seconds, for which the DDoS Protector device suspends first-time offending source IP addresses.
    Default: 10

Suspend Table max time
    The maximal time, in seconds, for which the DDoS Protector device suspends a specific source. Each time the DDoS Protector device suspends the same source, the suspension length doubles until it reaches the Maximal Aging Timeout.
    Default: 600

Suspend Table max same source entries
    The number of times the DDoS Protector device suspends the same source IP address before the DDoS Protector device suspends all traffic from that source IP address regardless of the specified Suspend Action. For example, if the value for this parameter is 4 and the specified Suspend Action is SrcIP-DstIP-SrcPort-DstPort, the DDoS Protector device suspends all traffic from a source IP address that had an entry in the Suspend list more than four times, even if the destination IP address, source port, and destination port were different for the previous updates to the Suspend table. This parameter is irrelevant when the specified Suspend Action is SrcIP.
    Values:
        0: The device does not implement the feature.
        1 to 10
    Default: 0

Suspend Table Pane

Use the Suspend Table pane to view and monitor attacks that are currently in the Suspend Table.

To view the suspend table
Select DDoS Protector > Global > Suspend Table > Table.

The following parameters are displayed:

Source IP
    The IP address from which traffic was suspended.

Dest IP
    The IP address to which traffic was suspended (0.0.0.0 means traffic to all destinations was suspended).

Dest Port
    The application port to which traffic was suspended (0 means all ports).

Protocol
    Values: TCP, UDP

Module
    The internal, higher-level module that identified the entry in the Suspend Table.

Classification Object Type
    The internal classification-object type that identified the entry in the Suspend Table.
    Values: Policy, Server Protection

Classification Object Name
    The internal, lower-level classification module that identified the entry in the Suspend Table, for example, Connection Limit.

Reporting

Reporting Global Parameters

Use the Reporting Global Parameters pane to enable DDoS Protector reporting channels and to set the polling time parameters of the Alert Table and the Log File.

To define global reporting parameters
1. Select DDoS Protector > Reporting > Global Parameters.
2. Configure the parameters, and click Set.

Report Interval
    The frequency, in seconds, at which the reports are sent through the reporting channels.
    Values: 1 to 65,535
    Default: 5

Max Alerts per Report
    The maximum number of attack events that can appear in each report (sent within the reporting interval).
    Values: 1 to 2000
    Default: 1000

Report Per-Attack Aggregation Threshold
    The number of events for a specific attack during a reporting interval before the events are aggregated into a single report. When the number of generated events exceeds the Aggregation Threshold value, the IP address value for the event is displayed as 0.0.0.0, which specifies any IP address.
    Values: 1 to 65,535
    Default: 5

SNMP Traps Sending
    When enabled, the device uses the traps reporting channel.
    Default: enable

Syslog Sending
    When enabled, the device uses the syslog reporting channel.
    Default: disable

Terminal Echo
    When enabled, the device uses the Terminal Echo reporting channel.
    Default: disable

Email Sending
    When enabled, the device uses the e-mail reporting channel.
    Default: disable

SNMP Traps Sending Risk
    The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.
    Values: info, low, medium, high
    Default: low

Email Sending Risk
    The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.
    Values: info, low, medium, high
    Default: low

Terminal Echo Risk
    The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.
    Values: info, low, medium, high
    Default: low

Syslog Sending Risk
    The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.
    Values: info, low, medium, high
    Default: low

Destination UDP Port
    The port used for packet reporting.

    Values: 1 to 65,535
    Default: 2088

Security Log Status
    When enabled, the device uses the security logging reporting channel.

Top Ten Attacks

Predefined attack reports help you to explore security attack patterns over time. Check Point has created predefined reports for specific types of attack analysis. Attacks can be ranked by volume and by type. Predefined reports also include reports for groups of attacks, or attacks relating to a specific module. Predefined reports allow you to focus attention on specific threats. Attack information is pre-sorted, with the most important security event information plotted in easily read charts.

To generate a predefined report
1. Select DDoS Protector > Reporting > Top Ten Attacks.
2. Configure the parameters, and click Set.

Choose type
    Select the type of attack report you want.
    Values:
        Top Attacks: Displays the top ten attacks, according to packet count per attack.
        Top Attack Sources: Displays the top attacks according to attack sources per IP address.
        Top Attack Destinations: Displays the top attacks according to attack destinations per IP address.
        Top Attacks by Category: Displays the top ten attack groups (Intrusions, DoS, Anomalies, SYN Floods, and Anti-Scanning), calculated according to packet count per group.
        Top Attacks by Risk: Displays the attacks ranked by severity of risk (High, Medium, Low), as a breakdown of all attacks over a set period of time according to attack severity.

Seconds
    The number of seconds (retroactive from the current time) for the report.

Data Report

Data Reporting Target Addresses

The device can store up to 10 target addresses for data reporting.

To create a target address for data reporting
1. Select DDoS Protector > Reporting > Data Report > Address.
2. Click Create.
3. In the ip-address text box, enter the IP address.

4. Configure the parameters, and click Set.

To delete a target address for data reporting
1. Select DDoS Protector > Reporting > Data Report > Address.
2. Select the check box in the relevant row, and click Delete.

Security Log

Security Log Show

All events and alerts are logged in an all-purpose cyclic log file. The log file can be obtained at any time. The size of the log file is limited: when the number of entries exceeds the permitted limit, the oldest entries are overwritten. You are notified regarding the status of the log file utilization; the notifications appear when the file is 80% utilized and 100% utilized.

To view alerts
1. Select DDoS Protector > Reporting > Security Log > Show.
2. Click the Attack Index number.

The following parameters are displayed.

Attack Index
    The number of the entry in the table.

Attack Name
    The name of the attack that was detected.

Attack Source Address
    The IP address from which the attack arrived.

Attack Destination Address
    The IP address to which the attack is destined.

Last Action
    The current status of the event.
    Values:
        Occurred: Each packet matched with signatures is reported as an attack and must be dropped. In that case, the Tracking Type that is activated is Drop All.
        Started/terminated: When the number of packets that match signatures goes beyond the predefined threshold within the Tracking Time, the reported Attack Status is started. When the number of packets that match signatures is below the predefined threshold, the reported Attack Status becomes terminated. In that case, the Tracking Type that is activated is Target, or Target & Source.

Attack Time
    The time that the report was generated.

Date
    The date that the report was generated.

Attack context
    The context in which the attack was recognized.

Source Port
    The TCP/UDP source port.

Destination Port
    The TCP/UDP destination port.

Protocol
    The transmission protocol used.
    Values: TCP, UDP, ICMP, IP

VLAN Tag
    The VLAN tag.

Physical Interface
    The actual port on the device from which the attack arrived.

ID
    A unique identifier of the attack.

Context
    The context.

Service
    The security service that detected the attack.
    Values: Application Security, DOS Shield, Generic

Policy Name
    The policy that was used to detect the attack.

Packet Count
    The number of packets in the attack since the latest trap was sent.

KByte Count
    The number of Kbytes that were dropped or forwarded.

Report Mode
    Values:
        Drop: The packet is discarded.
        Forward: The packet is forwarded to the defined destination.
        Reset Source: Sends a TCP-Reset packet to the packet source IP.
        Reset Destination: Sends a TCP-Reset packet to the destination address.
        Default: Takes the Action Mode parameter defined in the Application Security Global Parameters window.

Risk
    How dangerous the attack is.
    Values: High, Low, Medium, Not Available

Security Log Clear

The Security Log Clear window enables you to clear the previously created log.

To clear the log
1. Select DDoS Protector > Reporting > Security Log > Clear.
2. Click Set.

Packet Trace

To configure packet trace
1. Select DDoS Protector > Reporting > Packet Trace.
2. Configure the parameters, and click Set.

Enable Packet Trace on Physical Port
    Disables the feature, or enables it and specifies the physical port to which the DDoS Protector device sends identified attack traffic (when the Packet Trace feature is enabled in the policy rule or profile).
    Values:
        none: The Packet Trace feature is disabled.
        The physical inspection ports (that is, excluding the management ports)
    Default: none
    Caution: A change to this parameter takes effect only after you update policies.
    Note: DDoS Protector x06 models support the Packet Trace functionality only for dropped traffic.

Max Packet Rate
    The maximum number of packets per second that the Packet Trace feature sends.
    Values: 1 to 200,000
    Default: 50,000
    Caution: A change to this parameter takes effect only after you update policies.

Packet Length
    The maximum length, in bytes, of dropped packets that the Packet Trace feature sends. DDoS Protector can limit the size of Packet Trace packets only for dropped packets. That is, when a rule is configured with Report Only (as opposed to Block), the Packet Trace feature sends the whole packets.
    Values: 64 to 1550
    Default: 1550
    Caution: A change to this parameter takes effect only after you update policies.
    Tip: If you are interested only in the headers of the dropped packets, set the minimal value, 64, to conserve resources.

Attack Database

Attack Database Version

The Attack Database Version window is a read-only window that shows the version of the current attack database.

To view the attack database version
Select DDoS Protector > Attack Database > Version.

Attack Database Send to Device
The DoS Signatures module uses the Signature File Update feature to update the signatures database. The signature file is updated per device, using the Send Attack Database to Device window. You can download an updated DoS Signature file from the Check Point Security Updates Center and load it to the device.
To load a signature file (attack database) to the device
1. Select DDoS Protector > Attack Database > Send to Device.
2. In the File field, type the name of the file, or click Browse to navigate to the relevant file.

Activate Latest Changes
If you edit the parameters of a basic filter or an advanced filter that is bound to an existing policy, you need to update the policy with the recent changes.
To activate the latest changes
1. Select DDoS Protector > Update Policies.
2. Click Set.

Packet Anomalies
Packet Anomalies Attacks
Packet Anomaly protection detects and provides protection against packet anomalies. Generally, whenever a packet matching one of the predefined checks arrives, it is automatically blocked, discarded, and reported. However, you may wish to allow certain anomalous traffic to flow through the device without inspection. The Packet Anomalies Table window enables you to allow certain packets to pass through the device without inspection, as well as to define the risk factor.
When the Packet Trace feature is enabled for Packet Anomaly Protection, the device sends anomalous packets to the specified physical port. You enable or disable the Packet Trace feature for all the packet-anomaly protections configured on the device.
To configure the Packet Trace status
1. Select DDoS Protector > Packet Anomalies > Table.
2. From the Packet Trace Status drop-down list, select enable or disable.
3. Click Set.
To configure the packet anomalies parameters
1. Select DDoS Protector > Packet Anomalies > Table.
2. Select the relevant ID from the table.
3. Configure the parameters, and click Set.

ID
    (Read-only) The ID number for the packet-anomaly protection.
Name
    (Read-only) The name of the packet-anomaly protection.
Risk
    The risk associated with the trap for the specific anomaly.
    Info, Low, Medium, High
    Default: Info
Action
    The action that the device takes when the packet anomaly is detected. The action applies only to the specified packet-anomaly protection.
    block: The device discards the anomalous packets and issues a trap.
    report: The device issues a trap for anomalous packets. If the Report Action is Process, the packet goes to the rest of the device modules. If the Report Action is Bypass, the packet bypasses the rest of the device modules.
    no-report: The device issues no trap for anomalous packets. If the Report Action is Process, the packet goes to the rest of the device modules. If the Report Action is Bypass, the packet bypasses the rest of the device modules.
Report Action
    The action that the DDoS Protector device takes on the anomalous packets when the specified Action is report or no-report. The Report Action applies only to the specified packet-anomaly protection.
    bypass: The anomalous packets bypass the rest of the device modules.
    process: The DDoS Protector modules process the anomalous packets. If the anomalous packets are part of an attack, DDoS Protector can mitigate the attack.
    Note: You cannot select process for the following packet-anomaly protections:
    104 Invalid IP Header or Total Length
    107 Inconsistent IPv6 Headers
    131 Invalid L4 Header Length

Default Configuration of Packet-Anomaly Protections
In this table, a Default Action of Drop corresponds to the block Action described above.
Unrecognized L2 Format (available only on x412 platforms; cannot be sampled)
    Packets with more than two VLAN tags, L2 broadcast, or L2 multicast traffic.
    ID: 100
    Default Action: No Report
    Default Report Action: Process
    Default Risk: Info
Incorrect IPv4 Checksum (available only on x412 platforms; cannot be sampled)
    The IP packet header checksum does not match the packet header.
    ID: 103
    Default Action: Drop
    Default Report Action: Bypass
    Default Risk: Info
Invalid IPv4 Header or Total Length
    The IP packet header length does not match the actual header length, or the IP packet total length does not match the actual packet length.
    ID: 104
    Default Action: Drop
    Report Action: Bypass (you cannot select Process for this packet-anomaly protection)
    Default Risk: Info
TTL Less Than or Equal to 1
    The TTL field value is less than or equal to 1.
    ID: 105
    Default Action: Report
    Default Report Action: Process
    Default Risk: Info
Inconsistent IPv6 Headers
    Inconsistent IPv6 headers.
    ID: 107
    Default Action: Drop
    Report Action: Bypass (you cannot select Process for this packet-anomaly protection)
    Default Risk: Info
IPv6 Hop Limit Reached
    The IPv6 hop limit is not greater than 1.
    ID: 108
    Default Action: Report
    Default Report Action: Process
    Default Risk: Info
Unsupported L4 Protocol
    Traffic other than UDP, TCP, ICMP, or IGMP.
    ID: 110
    Default Action: No Report
    Default Report Action: Process
    Default Risk: Info
Invalid TCP Flags
    The TCP flags combination is not according to the standard.
    ID: 113
    Default Action: Drop
    Default Report Action: Bypass
    Default Risk: Info

Source or Dest. Address same as Local Host
    The IP packet source address or destination address is equal to the local host.
    ID: 119
    Default Action: Drop
    Default Report Action: Bypass
    Default Risk: Info
Source Address same as Dest Address (Land Attack)
    The source IP address and the destination IP address in the packet header are the same. This is referred to as a LAND, Land, or LanD attack.
    ID: 120
    Default Action: Drop
    Default Report Action: Bypass
    Default Risk: Info
L4 Source or Dest. Port Zero
    The Layer 4 source port or destination port equals zero.
    ID: 125
    Default Action: Drop
    Default Report Action: Bypass
    Default Risk: Info
Invalid L4 Header Length
    The length of the Layer 4 (TCP/UDP/SCTP) header is invalid.
    ID: 131
    Default Action: Report
    Report Action: Bypass (you cannot select Process for this packet-anomaly protection)
    Default Risk: Info

Service Discovery
Service Discovery Global Parameters
Use the Service Discovery feature in a Network Protection policy to identify HTTP servers in a specified network and protect the discovered servers with the default HTTP-flood-mitigator profile. The Service Discovery mechanism discovers HTTP servers by identifying HTTP responses. Therefore, to use Service Discovery, the DDoS Protector device must be in a topology where it can inspect both HTTP requests and HTTP responses. The details of the discovered servers are held in the Server Protection table. When a discovered server is no longer active for a specified period, the Service Discovery mechanism can remove the server from the table.
To implement the Service Discovery feature, when you configure a Network Protection policy, you specify the Service Discovery profile to use in the policy.
To configure the global parameters of the Service Discovery feature
1. Select DDoS Protector > Service Discovery > Global Parameters.

2. Configure the following parameters, and click Set.
Mechanism Status
    Specifies whether the DDoS Protector device uses the Service Discovery feature.
    enable, disable
    Default: enable
Tracking Time
    The time, in minutes, that the Service Discovery mechanism tracks a server sending HTTP responses. The mechanism uses the Tracking Time together with the number of HTTP responses seen during the Tracking Time to determine whether to protect the server.
    1 to 60
    Default: 5
Revalidation Time
    Specifies how often, in days, the Service Discovery mechanism revalidates the discovered servers.
    1 to 365
    disable: Once a server is identified, the Service Discovery mechanism never revalidates it.
    Default: 7

Service Discovery Profiles
To implement the Service Discovery feature, when you configure a Network Protection policy, you specify the Service Discovery profile to use in the policy. Check Point DDoS Protector configures a default Service Discovery profile, ServiceDiscovery_Default. You can modify the ServiceDiscovery_Default profile. You can also configure additional Service Discovery profiles to use in your Network Protection policies.
Note: The same Service Discovery profile can be specified in multiple Network Protection policies, which may have overlapping network ranges. The Service Discovery mechanism protects a discovered server only with the first policy that matches.
To configure a Service Discovery profile
1. Select DDoS Protector > Service Discovery > Profiles.
2. Do one of the following:
   To create a new entry, click Create.
   To modify an existing entry, click the entry.
3. Configure the following parameters, and click Set.
Profile Name
    The name of the Service Discovery profile.
    Maximum characters: 30

HTTP Profile
    The HTTP-flood mitigator profile for the server.
    Default: HTTP_Default
    Notes: The server is protected with the profile configuration that exists when the server is added to the Server Protection table. If the configuration of the profile changes, the new configuration protects only servers added/discovered after the change. The profile configuration includes the parameters Action and Packet Trace, but the DDoS Protector device ignores those values. Instead, the device uses the Action and Packet Trace values that are configured in the Network Protection policy.
Responses per Minute
    The average number of HTTP responses per minute during the Tracking Time (specified globally) that causes the Service Discovery mechanism to protect the server. If the total (Responses per Minute multiplied by Tracking Time) is reached before the Tracking Time elapses, the Service Discovery mechanism adds the server to the Server Protection table immediately.
    1 to 5000
    Default: 100
Automatic Removal
    Specifies whether the Service Discovery mechanism removes the server from the Server Protection table if, after the Revalidation Time, the server no longer meets the Tracking Time / Responses per Minute criteria.
    Yes, No
    Default: No

Restore Default Configuration
DDoS Protector supports default protection profiles, which you can use in your Network Protection policies and which are used in the default Network Protection policy. You cannot delete the default protection profiles, but you can change their parameters. The Restore Default Configuration action reconfigures the default protection profiles in existing Network Protection policies with the default values, and then reboots the device. You run the Restore Default Configuration action in the Restore Default Configuration pane.
DDoS Protector supports default profiles for the following protections:
DoS Signatures: Uses the Dos-All profile as the default profile. You can use the Dos-All profile in your Network Protection policies, or use no DoS Shield protection. You cannot modify the profile.
BDoS: Supports the NetFlood_Default default protection profile. By default, the profile is enabled.
DNS: Supports the DNSFlood_Default default protection profile. By default, the profile is enabled.
SYN Protection: Supports the SYNFlood_Default default protection profile. By default, the profile is enabled and includes all static SYN-protection attacks (that is, FTP Control, HTTP, HTTPS, IMAP, POP3, RPC, RTSP, SMTP, and Telnet).
OOS Protection: Supports the OOSFlood_Default default protection profile. By default, the profile is enabled.

Notes: For BDoS, DNS, SYN, and Out-of-State protections, you can also create your own protection profiles and use them instead of the default protection profiles. The Restore Default Configuration action does not affect user-defined protection profiles. Because BDoS and DNS baselines are not part of the profiles, the BDoS and DNS protections keep their baselines during the Restore Default Configuration operation.
To restore the default configuration
1. Select DDoS Protector > Restore Default Configuration.
2. Click Set.
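The packet-anomaly protections table earlier in this chapter, reduced to working code as an added example (it is not Check Point's implementation). The block parses raw IPv4/TCP/UDP headers, detects the anomalies for IDs 104, 105, 110, 113, 120, 125 and 131, and applies the Action / Report Action semantics from the Packet Anomalies Table parameters: block drops and traps, report traps and then either processes or bypasses, no-report neither traps nor blocks, and Report Action process is rejected for IDs 104, 107 and 131. Assumptions, since the page does not state them: which TCP flag combinations count as "not according to the standard" (null, SYN+FIN, SYN+RST, FIN without ACK are used here), that a packet tripping several checks gets the strictest verdict, and the sample packets, which are constructed in `build_packet` rather than captured.

```python
"""Packet-anomaly checks modelled on the DDoS Protector defaults table.
Added example, not Check Point code. IDs, default Action / Report Action values
and the "cannot select process" rule come from the table; the TCP-flag
combinations and the "strictest verdict wins" rule are assumptions."""
import socket
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Protection:
    id: int
    name: str
    action: str            # "block" | "report" | "no-report"
    report_action: str     # "bypass" | "process" (consulted when action != block)
    process_allowed: bool = True   # False for 104, 107, 131 per the table note

    def __post_init__(self):
        if self.report_action == "process" and not self.process_allowed:
            raise ValueError(f"ID {self.id}: Report Action 'process' is not selectable")


# Defaults from the table. "Drop" in the table is the "block" Action.
DEFAULTS = {p.id: p for p in (
    Protection(104, "Invalid IPv4 Header or Total Length", "block", "bypass", False),
    Protection(105, "TTL Less Than or Equal to 1", "report", "process"),
    Protection(110, "Unsupported L4 Protocol", "no-report", "process"),
    Protection(113, "Invalid TCP Flags", "block", "bypass"),
    Protection(120, "Source Address same as Dest Address (Land Attack)", "block", "bypass"),
    Protection(125, "L4 Source or Dest. Port Zero", "block", "bypass"),
    Protection(131, "Invalid L4 Header Length", "report", "bypass", False),
)}

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
ICMP, IGMP, TCP, UDP = 1, 2, 6, 17


def detect_anomalies(pkt: bytes) -> list:
    """Return the sorted IDs of the checks that a raw IPv4 packet trips."""
    if len(pkt) < 20:
        return [104]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or ihl > len(pkt) or total_len != len(pkt):
        return [104]   # header/length inconsistent: nothing after it can be trusted
    ids = []
    if ttl <= 1:
        ids.append(105)
    if proto not in (ICMP, IGMP, TCP, UDP):
        ids.append(110)
    if src == dst:
        ids.append(120)
    l4 = pkt[ihl:]
    if proto in (TCP, UDP):
        if len(l4) < 4:
            ids.append(131)
        else:
            sport, dport = struct.unpack("!HH", l4[:4])
            if sport == 0 or dport == 0:
                ids.append(125)
            if proto == TCP:
                doff = (l4[12] >> 4) * 4 if len(l4) >= 20 else 0
                if doff < 20 or doff > len(l4):
                    ids.append(131)
                else:
                    f = l4[13]
                    # Assumed non-standard combinations: null, SYN+FIN, SYN+RST, FIN without ACK.
                    if f == 0 or (f & SYN and f & (FIN | RST)) or (f & FIN and not f & ACK):
                        ids.append(113)
            elif len(l4) < 8 or struct.unpack("!H", l4[4:6])[0] != len(l4):
                ids.append(131)   # UDP length field must equal the datagram length
    return sorted(ids)


def dispose(pkt: bytes, config=DEFAULTS):
    """Apply Action / Report Action. Returns (verdict, trap_issued, ids); verdict is
    "dropped", "bypassed" (skips the other device modules) or "processed"."""
    ids = detect_anomalies(pkt)
    matched = [config[i] for i in ids]
    if any(p.action == "block" for p in matched):
        return "dropped", True, ids              # block: discard and issue a trap
    trap = any(p.action == "report" for p in matched)
    if any(p.report_action == "bypass" for p in matched):
        return "bypassed", trap, ids
    return "processed", trap, ids


def build_packet(src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=80, *,
                 proto=TCP, flags=SYN, ttl=64, doff=5, total_len=None) -> bytes:
    """Constructed sample packet (IPv4 + minimal L4 header), not captured traffic."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, flags, 65535, 0, 0)
    elif proto == UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        l4 = b"\x00" * 4
    length = 20 + len(l4) if total_len is None else total_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 1, 0, ttl, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4


if __name__ == "__main__":
    for label, pkt in (("normal SYN", build_packet()),
                       ("LAND", build_packet(src="10.0.0.2")),
                       ("TTL 1", build_packet(ttl=1)),
                       ("port 0", build_packet(dport=0)),
                       ("SYN+FIN", build_packet(flags=SYN | FIN)),
                       ("bad total length", build_packet(total_len=30)),
                       ("GRE", build_packet(proto=47)),
                       ("TCP data offset 3", build_packet(doff=3))):
        print(f"{label:18} -> {dispose(pkt)}")
```

Passing a modified `config` to `dispose` models editing a row in the Packet Anomalies Table: switching ID 105 to block turns the TTL-1 case from a trap-and-process into a drop, while trying to give ID 131 Report Action process raises at construction, as the table note requires.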

Chapter 6 Configuring Services Parameters

Tuning
Security
Application Security Tuning
The Security Tables store information about sessions passing through the device; their sizes are correlated to the actual number of sessions. In the Application Security Tuning window, you can view and edit the application security tuning parameters. The changes take effect after the reset.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To tune DDoS Protector application security tables
1. Select Services > Tuning > Security > Application Security.
2. To change current settings, enter new values in the "after reset" fields.
3. Click Set.
Maximal number of http-flood suspect sources
    The maximum number of suspect sources in HTTP Mitigation policies.
    1000 to 500,000
    Default: 100,000
Maximal number of attacks to be defined by user
    The maximum number of attack entries in the User Attacks Database Table. The Attacks Database Table contains attacks provided by Check Point as well as attacks defined by the user.
Maximal number of srcips in Suspend Table
    The maximum number of hosts that the Suspend table can block simultaneously.
    1000 to 100,000
    Default: 10,000
Maximal number of Server Protection servers Table
    The maximum number of entries in the Server Protection policy.
    100 to 10,000
    Default: 350

Counters Source Table
    The maximum number of sessions in which a source address is tracked. Some attack signatures use per-source thresholds for activation. The Counter Source Table counts the number of times traffic from a specific source matches a signature. When the number of packets sent from a particular source exceeds the predefined limit, it is identified as an attack.
    100 to 65,536
    Default: 65,536
Counters Target Table
    The maximum number of sessions in which a destination address is tracked. Some attack signatures use per-destination thresholds for activation. The Counter Target Table counts the number of times traffic to a specific destination matches a signature. When the number of packets sent to a particular destination exceeds the predefined limit, it is identified as an attack.
    100 to 65,536
    Default: 65,536
Counters Source & Target Table
    The maximum number of sessions in which source and destination addresses are tracked together. Some signatures use per-source-and-destination thresholds for activation. The Counter Source & Target Table counts the number of times traffic from a specific source to a specific destination matches a signature. When the number of packets sent from a particular source to a particular destination exceeds the predefined limit, it is identified as an attack.
    100 to 65,536
    Default: 65,536
DHCP Table Counters
    The number of MAC addresses to check for IP requests. The DHCP Discover table detects attacks by counting the IP requests (made using Dynamic Host Configuration Protocol) for each MAC address. When the number of IP requests for a particular MAC address exceeds the predefined limit, it is identified as an attack.
    100 to 64,000
    Default: 100
Reports for all counters
    The maximum number of entries for reports on active concurrent Tracking Signatures attacks.
    100 to 64,000
    Default: 20,000
Maximal number of entries in NCPF table
    The maximum number of entries in the New Count Per Filter (NCPF) table, which the DoS Shield mechanism uses.
    100 to 16,000
    Default: 10,000

Authentication Table Tuning
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To tune the authentication table
1. Select Services > Tuning > Security > Authentication tables.
2. To change current settings, enter new values in the "after reset" fields.
3. Click Set.
HTTP Authentication Table Size
    The number of sources in the HTTP Authentication table. DDoS Protector uses the HTTP Authentication table in HTTP Flood profiles and for the HTTP Authentication feature in a SYN Protection profile.
    500,000 to 2,000,000
    Default: 2,000,000
TCP Authentication Table Size
    The number of sources in the TCP Authentication table. DDoS Protector uses the TCP Authentication table for the Safe Reset authentication method in SYN Protection profiles.
    500,000 to 2,000,000
    Default: 2,000,000
    Note: For x412 platforms, the value is fixed at the default, 2,000,000, and cannot be tuned.

Behavioral DoS
The Behavioral DoS Tuning window enables you to set the maximal number of Behavioral DoS policies.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
Note: Each time you update a value for Behavioral DoS, you can check whether there is enough free memory for the requested value from the Memory Check window.
To set the maximal number of behavioral DoS policies
1. Select Services > Tuning > Security > Behavioral DoS.
2. To change the current setting, enter a new value in the "after reset" field. 1 to 100. Default: 10.
3. Click Set.

DNS Protection Tuning Parameters
In the DNS Protection Tuning Parameters window, you can view and edit the DNS Flood Protection tuning parameters. The changes take effect after the reset.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To tune DNS Protection tables
1. Select Services > Tuning > Security > DNS Protection.
2. To change current settings, enter new values in the "after reset" fields.
3. Click Set.
Maximal number of DNS Protection policies
    The maximum number of configurable DNS Flood Protection policies.
    1 to 100
    Default: 10
SDM Table Size
    The size of the SDM table.
    small, medium, large
    Default: medium

Device Tuning
The Device Tuning window allows you to view and edit the device tuning parameters. The changes take effect after the reset.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To tune DDoS Protector
1. Select Services > Tuning > Device.
2. To change current settings, enter new values in the "after reset" fields.
3. Click Set.
IP Fragmentation Table
    The maximum number of IP fragments that the device stores.
    1 to 256,000
    Default: 1240

Session Table
    The maximum number of sessions that the device can track.
    Values per model: x06: 20 to 2,000,000; x412: 20 to 4,000,000
    Default per model: x06: 1,800,000; x412: 2,885,000
Session Resets Table
    The maximum number of sessions that the device tracks in order to send a RESET when Send Reset To Server is enabled in the Session table.
    1 to 10,000
    Default: 1000
Routing Table
    The maximum number of entries in the Routing table.
    20 to 32,767
    Default: 64
Pending Table
    The maximum number of new simultaneous dynamic sessions the device can open.
    16 to 16,000
    Default: 1024
SIP Call Table
    The maximum number of SIP calls the device can track.
    16 to 256,000
    Default: 1024
TCP Segmentation Table
    The maximum number of TCP segments. This parameter is used when the SIP protocol is enabled and SIP runs over TCP.
    1 to 32,768
    Default: 256

Memory Check
DDoS Protector pre-checks the feasibility of the values configured for the tables. This eliminates the chance of causing a memory allocation problem. Each time you update a value for a table, you can check whether there is enough free memory for the requested value.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To check the device memory
1. Select Services > Tuning > Memory Check.
2. Click Perform Test. This tests whether the device has sufficient memory to allocate the values for the updated tables.
3. If there is enough memory, click Reboot to update the device with the new values.

Classifier Tuning
The Classifiers Tuning window enables you to view and edit the Classifier tuning parameters. The changes take effect after the reset.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To set the classifier tuning parameters
1. Select Services > Tuning > Classifier.
2. To change current settings, enter new values in the "after reset" fields.
3. Click Set.
Network Table
    The maximum number of entries in the table for ranges.
    32 to 10,000
    Default: 256
Discrete IP Addresses Per Network
    The maximum number of entries in the table for IP addresses that are allocated to a network.
    16 to 1024
    Default: 64
Subnets Per Network
    The maximum number of entries in the table for network subnets.
    16 to 256
    Default: 64
MAC Groups Table
    The maximum number of entries in the table for MAC groups.
    16 to 2048
    Default: 128
Filter Table
    The maximum number of entries in the table for basic filters.
    512 to 2048
    Default: 512
AND Group Table
    The maximum number of entries in the advanced filters table for AND groups.
    256 to 2048
    Default: 256
OR Group Table
    The maximum number of entries in the advanced filters table for OR groups.
    256 to 2048
    Default: 256

Application Port Groups
    The maximum number of entries in the table for application port groups.
    32 to 2000
    Default: 512
Content Table
    The maximum number of content entries in the table.
    16 to 4096
    Default: 256

SYN Protection Tuning
The SYN Protection Tuning window enables you to view and edit the SYN Protection tuning parameters. The changes take effect after the reset.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To tune SYN Protection tables
1. Select Services > Tuning > SYN Protection.
2. To change current settings, enter new values in the "after reset" fields.
3. Click Set.
SYN Protection Table
    The number of entries in the SYN Protection Table, which stores data on the delayed-binding process. An entry exists in the table from the time the client completes the handshake with the device until the handshake with the server is complete. The value takes effect after reset.
    10 to 500,000
    Default: 200,000
SYN Protection Requests Table
    The number of entries in the SYN Protection Requests Table, which stores the ACK or data packet that the client sends, until the handshake with the server is complete and the packet is sent to the server. The value takes effect after reset.
    10 to 500,000
    Default: 200,000
SYN Protection Attack Detection Entries
    The number of entries in the table that stores active triggers, that is, the destination IP addresses/ports for which the device identifies an ongoing attack.
    1000 to 20,000
    Default: 1000

SYN Statistics Entries
    The number of entries in the SYN Flood Statistics table.
    1000 to 20,000
    Default: 1000

Diagnostics Tuning
The Diagnostics Tools Tuning window enables you to set the number of Diagnostics policy entries in the tuning table, in order to save memory and limit the policy size. The changes take effect after the reset.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To set the tuning parameters
1. Select Services > Tuning > Diagnostics.
2. To change the current setting, enter the new value in the "after reset" field.
3. Click Set.
Diagnostics Policies Table
    The number of Diagnostics policies in the table.

Diagnostics Capture
Diagnostics Capture Parameters
The Traffic Capture tool captures packets that enter the device, leave the device, or both. The captured traffic is in TCPDUMP (pcap) format. You can download the captured packets and analyze the traffic with Unix snoop or other packet-analysis tools. For remote administration and debugging, you can also send captured traffic to a terminal (console CLI, Telnet, or SSH). You can specify where the device captures packets to get a better understanding of the traffic flow, especially if the device manipulates the packets (for example, due to NAT, or for traffic from a VIP to a real server).
The Traffic Capture tool truncates packets longer than 1619 bytes (regardless of the configuration for jumbo frames).
Caution: Enabling this feature may cause severe performance degradation.
The Traffic Capture tool uses the following format for packet capture files:
capture_<device Name>_ddMMyyyy_hhmmss_<file number>.cap
To configure the Capture Tool
1. Select Services > Diagnostics > Capture > Parameters.
2. Configure the parameters, and click Set.

Status
    Specifies whether the Capture Tool is enabled.
    Enabled, Disabled
    Default: Disabled
    Note: When the device reboots, the status of the Capture Tool reverts to Disabled.
Output To File
    The location of the stored captured data.
    RAM Drive and Flash: The device stores the data in RAM and appends the data to the file on the CompactFlash drive. Because of the limited CompactFlash size, DDoS Protector uses two files: when the first file becomes full, the device switches to the second; when that is full, it overwrites the first file, and so on.
    RAM Drive: The device stores the data in RAM.
    None: The device does not store the data in RAM or flash, but you can view the data using a terminal.
Output To Terminal
    Specifies whether the device sends captured data to the terminal.
    Enabled, Disabled
    Default: Disabled
Capture Point
    Specifies where the device captures the data.
    On Packet Arrive: The device captures packets when they enter the device.
    On Packet Send: The device captures packets when they leave the device.
    Both: The device captures packets both when they enter and when they leave the device.
Capture Rate
    The capture rate, in packets per second.

Trace
Debug: Trace Parameters
The Trace-Log tool provides data on the traffic flow within the device. The feature is intended for debugging purposes only. Enabling this feature may cause severe performance degradation.
DDoS Protector uses the following format for Trace-Log files:
trace_log_<device Name>_ddMMyyyy_hhmmss_<file number>.txt

To configure the Trace-Log tool
1. Select Services > Diagnostics > Trace-Log > Parameters.
2. Configure the parameters, and click Set.
Status
    Specifies whether the Trace-Log tool is enabled.
    Enabled, Disabled
    Default: Disabled
Output To File
    Specifies the location of the stored data.
    RAM Drive and Flash: The device stores the data in RAM and appends the data to the file on the CompactFlash drive. Because of the limited CompactFlash size, DDoS Protector uses two files: when the first file becomes full, the device switches to the second; when that is full, it overwrites the first file, and so on.
    RAM Drive: The device stores the data in RAM.
    None: The device does not store the data.
Output To Terminal
    Specifies whether the device sends Trace-Log data to the terminal.
    Enabled, Disabled
    Default: Disabled
Output To Syslog Server
    Specifies whether the device sends Trace-Log data to a syslog server.
    Enabled, Disabled
    Default: Disabled

Debug: Message Format
Use the Diagnostics Trace-Log Message Format pane to specify which parameters appear in the Trace-Log message.
To configure the diagnostics Trace-Log message format
1. Select Services > Diagnostics > Trace-Log > Message Format.
2. Configure the parameters, and click Set.
Date
    Specifies whether the date that the message was generated is included in the Trace-Log message.
Time
    Specifies whether the time that the message was generated is included in the Trace-Log message.

Platform Name
    Specifies whether the platform MIB name is included in the Trace-Log message.
File Name
    Specifies whether the output file name is included in the Trace-Log message.
Line Number
    Specifies whether the line number in the source code is included in the Trace-Log message.
Packet Id
    Specifies whether an ID assigned by the device to each packet is included in the Trace-Log message. This enables you to see the order of the packets.
Module Name
    Specifies whether the name of the traced module is included in the Trace-Log message.
Task Name
    Specifies whether the name of the specific task of the traced module is included in the Trace-Log message.

Trace: Modules
To help pinpoint the source of a problem, you can specify which DDoS Protector modules the Trace-Log feature works on, and the log severity per module. For example, you can specify that the Trace-Log feature traces only the Health Monitoring module, to understand why a specific health check fails.
To configure the parameters of the Trace-Log modules
1. Select Services > Diagnostics > Trace-Log > Modules. The table in the pane comprises the following columns:
   Name: The name of the module. CDE, GENERIC, LCD, VSDR
   Status: The current status of the traced module.
   Severity: The lowest severity of the events that the Trace-Log includes for this module. Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
2. Click the relevant link.
3. Configure the parameters, and click Set.

Name
    (Read-only) The name of the traced module.
Status
    Specifies whether the Trace-Log feature is enabled for the module.
Severity
    The lowest severity of the events that the Trace-Log includes for this module.
    Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
    Note: The default varies according to module.

Trace Files
DDoS Protector can store the output of the diagnostic tools in RAM and in the CompactFlash. If the device is configured to store the output in the CompactFlash, when the data size in RAM reaches its limit, the device appends the data chunk from RAM to the file on the CompactFlash drive. For each enabled diagnostic tool, DDoS Protector uses two temporary files. When one temporary file reaches the limit (1 MB), DDoS Protector stores the information in the second temporary file. When the second temporary file reaches the limit (1 MB), DDoS Protector overwrites the first file, and so on. When you download a CompactFlash file, the file contains both temporary files.
Use the Diagnostic Tools Files Management pane to download or delete files from the RAM or CompactFlash.
To download or delete Trace-Log data
1. Select Services > Diagnostics > Files. The pane contains two tables, Files On RAM Drive and Files On Main Flash. Each table comprises the following columns:
   File Name: The name of the file.
   File Size: The file size, in bytes.
   Action: The action that you can take on the stored data. download starts the download of the selected data (follow the on-screen instructions); delete deletes the selected file.
2. From the Action column, select the action, Download or Delete, and follow the instructions.

Diagnostics Policies
In most cases, there is no need to capture all the traffic passing through the device. Using diagnostics policies, the device can classify the traffic and store only the required information.
Note: To reuse a policy, edit the policy and set it again.
To configure a diagnostics policy
1. Select Services > Diagnostics > Policies.
2. Click Create.
3. Configure the parameters, and click Set.
Name
    The user-defined name of the policy, up to 20 characters.
Index
    The number of the policy in the order in which the diagnostics tools classify (that is, capture) the packets.
    Default: 1
Description
    The user-defined description of the policy.
VLAN Tag Group
    The VLAN Tag group whose packets the policy classifies (that is, captures).
Destination
    The destination IP address or predefined class object whose packets the policy classifies (that is, captures).
    Default: any (the diagnostics tool captures packets with any destination address)
Source
    The source IP address or predefined class object whose packets the policy classifies (that is, captures).
    Default: any (the diagnostics tool captures packets with any source address)
Outbound Port Group
    The port group whose outbound packets the policy classifies (that is, captures).
    Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.
Inbound Port Group
    The port group whose inbound packets the policy classifies (that is, captures).
Service Type
    The service type whose packets the policy classifies (that is, captures).

Service
  The service whose packets the policy classifies (that is, captures).
  Values: None, Basic Filter, AND Group, OR Group
  Default: None
Destination MAC Group
  The destination MAC group whose packets the policy classifies (that is, captures).
Source MAC Group
  The source MAC group whose packets the policy classifies (that is, captures).
Maximal Number of Packets
  The maximal number of packets the policy captures. Once the policy has captured the specified number of packets, it stops capturing traffic. In some cases the policy captures fewer packets than the configured value; this happens when the device is configured to drop packets.
Maximal Packet Length
  The maximal length of a packet the policy captures.
Capture Status
  Specifies whether the packet-capture feature is enabled in the policy.
  Values: Enabled, Disabled
  Default: Disabled
Trace-Log Status
  Specifies whether the Trace-Log feature is enabled in the policy.
  Values: Enabled, Disabled
  Default: Disabled
  Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.

Syslog Reporting

Event traps can be mirrored to up to five syslog servers. For each DDoS Protector device, you can configure the appropriate information. Any traps generated by the device are mirrored to the specified syslog servers.

You can also use additional notification settings, such as Facility and Severity. Facility specifies the type of device of the sender. Severity specifies the importance or impact of the reported event. The user-defined Facility value is used when the device sends syslog messages; the Severity value is determined dynamically by the device for each message that is sent.

To enable syslog messages
1. Select Services > Syslog Reporting.
2. Configure the parameters, and click Set.

Syslog Server
  The IP address or hostname of the device running the syslog service (syslogd).
Syslog Server Operational Status
  Specifies whether the syslog server is enabled.
  Default: Enabled
Syslog Server Source Port
  The syslog source port.
  Default: 514
  Note: Port 0 specifies a random port.
Syslog Server Destination Port
  The syslog destination port.
  Default: 514
Syslog Server Facility
  The type of device of the sender. This value is sent with syslog messages. You can use this parameter to distinguish between different devices and to define rules that split messages.
  Values: Authorization Messages, Clock Daemon, Clock Daemon2, FTP Daemon, Kernel Messages, Line Printer Subsystem, Local 0, Local 1, Local 2, Local 3, Local 4, Local 5, Local 6, Local 7, Log Alert, Log Audit, Mail System, Network News Subsystem, NTP Daemon, Syslogd Messages, System Daemons, User Level Messages, UUCP
  Default: Local Use 6
Syslog Server Protocol
  The protocol that the device uses to send syslog messages.
  UDP: The device sends syslog messages using UDP, that is, with no verification of message delivery.
  TCP: The device sends syslog messages using TCP, that is, the device verifies message delivery. The device holds undelivered messages in a backlog and sends them as soon as the connection to the syslog server is re-established. If the backlog is full (100 messages, non-configurable), the device replaces lower-priority messages with higher-priority messages (FIFO).
  TLS: The device sends syslog messages using TCP with Transport Layer Security (TLS) and uses the CA certificate specified in the CA Certificate Name field, that is, the device verifies message delivery. The device holds undelivered messages in a backlog and sends them as soon as the connection to the syslog server is re-established. If the backlog is full (100 messages, non-configurable), the device replaces lower-priority messages with higher-priority messages (FIFO).
  Default: UDP
  Note: Report notification of lost syslog messages to your network administrator.
Syslog Server CA Certificate
  The name of the CA certificate in the Certificate Table that the device uses to send syslog messages when TLS is selected in the Syslog Server Protocol field.

Daylight Saving

DDoS Protector supports daylight saving time. You can configure the daylight-saving-time start and end dates and times. During daylight saving time, the device automatically adds one hour to the system clock. The device also indicates whether it is on standard time or daylight saving time.

Note: When the system clock is manually configured, the system time is changed only when daylight saving time starts or ends. When daylight saving time is enabled during the daylight saving time period, the device does not change the system time.

To configure daylight saving
1. Select Services > Daylight Saving.
2. Configure the parameters, and click Set.

Daylight Saving Admin Status
  Enables or disables daylight saving time.
  Default: disabled
Daylight Saving Begins[dd/mm:hh]
  The start date and time for daylight saving time.
Daylight Saving Ends[dd/mm:hh]
  The end date and time for daylight saving time.
Daylight Saving Designations
  Specifies whether the device is on standard time or daylight saving time.

Management Interfaces

Telnet

You can access the DDoS Protector via Telnet. Use the Telnet Parameters pane to configure connectivity.

To configure Telnet connectivity
1. Select Services > Management Interfaces > Telnet.
2. Configure the parameters, and click Set.

Telnet Port
  The TCP port used by Telnet.
  Default: 23
Telnet Status
  Specifies whether to enable Telnet access to the device.
  Default: Disabled
Telnet Session Timeout
  The period of time, in minutes, for which the device maintains a connection during inactivity. If the session is still inactive when the predefined period ends, the session terminates.
  Values: 1 to 120
  Default: 5
  Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.
Telnet Authentication Timeout
  The timeout, in seconds, within which the authentication process must complete.
  Values: 10 to 60
  Default: 30

Web Server

Web Server Parameters

Use the Web Server Parameters pane to configure Web server connectivity for Web Based Management (WBM).

To configure the Web server connectivity
1. Select Services > Management Interfaces > Web Server > Web.
2. Configure the parameters, and click Set.

Web Server Port
  The port to which WBM is assigned.
  Default: 80
Web Server Status
  Specifies whether to enable access to the Web server.
Web Help Location
  The location (path) of the Web help files.
Web Access Level
  Values: readwrite, readonly

Secure Web Parameters

Use the Secure Web Server Parameters pane to configure secure Web server connectivity for Web Based Management (WBM).

To configure secure Web parameters
1. Select Services > Management Interfaces > Web Server > Secure Web.
2. Configure the parameters, and click Set.

Secured Web Port
  The port on which HTTPS requests are received.
  Default: 443
Secured Web Status
  Specifies whether to enable secured access to the Web server.
Secured Web Certificate File
  The certificate file that the secure Web server uses for encryption.

Web Services

Use the Web Services pane to enable or disable Web Services.

To enable or disable Web Services
1. Select Services > Management Interfaces > Web Server > Web Services.
2. From the drop-down list, select enable or disable, as required.
3. Click Set.

SSL Weak Ciphers

To specify whether the device allows management connections over secure protocols with ciphers shorter than 128 bits
1. Select Services > Management Interfaces > SSL > Weak Ciphers.
2. From the Accept Weak Ciphers SSL Status drop-down list, select enable or disable, as required.
   Default: enable
3. Click Set.

SSH

Secure Shell Parameters

SSH (Secure Shell) is a protocol for secure remote connections and network services over an insecure network. Using this feature provides a secure alternative to a Telnet connection, while still allowing configuration of the device through Web Based Management.

To set the SSH server connection parameters
1. Select Services > Management Interfaces > SSH > Server.
2. Enter the SSH Port and set the SSH Status to Enable.
3. Click Set.

SSH Port
  The source port for the SSH server connection.
  Default: 22
SSH Status
  Specifies whether to enable SSH access to the device.
  Default: Disabled

SSH Session Timeout
  The period of time, in minutes, for which the device maintains a connection during inactivity. If the session is still inactive when the predefined period ends, the session terminates.
  Values: 1 to 120
  Default: 5
  Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.
SSH Authentication Timeout
  The timeout, in seconds, within which the authentication process must complete.
  Values: 10 to 60
  Default: 10

Event Log

You can view a log of the events on the device.

To view the event log
Select Services > Event Log.

To clear the event log
1. Select Services > Event Log.
2. Under the Clear Event Log text, click Set.

Network Time Protocol (NTP)

Network Time Protocol enables you to synchronize devices by distributing an accurate clock across the network.

To configure the NTP parameters
1. Select Services > NTP.
2. Configure the parameters, and click Set.

NTP Polling Interval
  The interval, in seconds, between time queries sent to the NTP server.
  Default: 172,800
NTP Timezone
  The offset from GMT for the device.
  Values: -12:00 through +12:00
  Default: 00:00
NTP Server Port
  The access port number for the NTP server.
  Default: 123
NTP Server Name
  The address or URL of the NTP server.
  Note: If you specify a URL, the DNS Server feature must be enabled and configured.
NTP Status
  Specifies whether the NTP client is enabled.
  Values: enable, disable
  Default: disable

RADIUS

DDoS Protector provides additional security by authenticating the users who access a device for management purposes. With RADIUS authentication, you can use RADIUS servers to determine whether a user is allowed to access device management using the CLI, Telnet, SSH, or Web Based Management. You can also select whether to use the device User Table when the RADIUS servers are not available.

Caution: The DDoS Protector managed devices must have access to the RADIUS server and must allow device access.

To configure RADIUS authentication for device management
1. Select Services > Radius.
2. Configure the parameters, and click Set.

Main Radius IP Address
  The IP address of the primary RADIUS server.
Main Radius Port No.
  The access port number of the primary RADIUS server.
  Values: 1645, 1812
  Default: 1645
Main Radius Secret
  The authentication password for the primary RADIUS server.
Backup Radius IP Address
  The IP address of the backup RADIUS server.
Backup Radius Port No.
  The access port number of the backup RADIUS server.
  Values: 1645, 1812
  Default: 1645
Backup Radius Secret
  The authentication password for the backup RADIUS server.

Radius Timeout
  The time, in seconds, that the device waits for a reply from the RADIUS server before a retry or, if the Retries value is exceeded, before the device concludes that the server is offline.
  Default: 1
Radius Retries
  The number of connection retries to the RADIUS server after the RADIUS server does not respond to the first connection attempt. If all connection attempts have failed (Timeout) after the specified number of Retries, the backup RADIUS server is used.
  Default: 2
Radius Client Life Time
  The time, in seconds, for which the client authentication remains valid. After the client lifetime expires, the device re-authenticates the user.
  Default: 30

SMTP

You can configure the device to send information messages via e-mail to device users. This feature can be used for sending trap information via e-mail. When you configure device users, you can specify whether an individual user should receive notifications via e-mail, and the minimal event severity reported via SNMP traps and e-mail. The user receives traps of the configured severity and higher. The e-mail configuration applies both to SNMP traps and to SMTP e-mail notifications. SMTP notifications are enabled globally for the device.

Notes:
- The device optimizes the mailing process by gathering security and system events, which it sends in a single notification message when the buffer is full or when a timeout of 60 seconds expires.
- To receive e-mails about errors, you need to set the e-mail address and Severity level in the Users Table for each user.

To configure the SMTP client
1. Select Services > SMTP.
2. Configure the parameters, and click Set.

SMTP Primary Server Address
  The IP address of the SMTP server.
SMTP Alternate Server Address
  The IP address of an alternative SMTP server. The alternate SMTP server is used when an SMTP connection cannot be established with the main SMTP server, or when the main SMTP server has closed the connection. The device keeps trying to establish a connection to the main SMTP server and starts using it again when it becomes available.

Own Email Address
  The mail address that appears in the Sender field of e-mail messages generated by the device, for example device1@domain.com.
SMTP Status
  Specifies whether the e-mail client is enabled. The e-mail client supports the features that send e-mail messages.
  Default: disable
Send Emails On Errors
  Specifies whether the device sends notifications via e-mail.
  Default: Disabled

DNS Client Parameters

You can configure DDoS Protector to operate as a Domain Name Service (DNS) client. When the DNS client is disabled, IP addresses cannot be resolved. When the DNS client is enabled, you must configure the servers to which DDoS Protector sends its host-name resolution queries. You can set the DNS parameters and define the primary and the alternate DNS servers for dynamic DNS. In addition, you can set static DNS parameters.

To define DNS servers
1. Select Services > DNS.
2. Configure the parameters, and click Set.

DNS Client
  Specifies whether the DDoS Protector device operates as a DNS client to resolve IP addresses.
  Values: Enabled, Disabled
  Default: Disabled
Primary DNS Server
  The IP address of the primary DNS server to which DDoS Protector sends queries.
Alternate DNS Server
  The IP address of the alternative DNS server to which DDoS Protector sends queries.

To set static DNS
1. Select Services > DNS.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Host Name
  The domain name for the specified IP address.
IP Address
  The IP address for the specified domain name.

Configuration Auditing

Configuration Auditing is the process of logging every configuration change and activity to a special logging server. When Configuration Auditing is enabled, the device keeps track of all the changes made to the configuration by sending an SNMP trap and a syslog message (if syslog is enabled and configured). Configuration Auditing can be enabled or disabled for all users and all management interfaces. To prevent overloading the device and degrading its performance, the feature is disabled by default.

To enable configuration auditing
1. Select Services > Auditing.
2. Select enable.
3. Click Set.

To disable configuration auditing
1. Select Services > Auditing.
2. Select disable.
3. Click Set.

Event Scheduler

Sometimes it is necessary for a specific policy to be inactive during certain hours of the day, or to activate in the middle of the night. For example, a school library may want to block instant messaging during school hours but allow instant messages after school hours. Or, an enterprise may give high priority to mail traffic between 08:00 and 10:00. Using the Event Scheduler, you can create event schedules. An event schedule can be a daily, weekly, or one-time event.

To configure an event schedule
1. Select Services > Event Scheduler. The Event Scheduler window is displayed.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Name
  A user-defined name for the event.
Frequency
  The frequency of the event.
  Values: Once, Daily, Weekly
Time(HHMM)
  The time on the designated day or days. If you specify multiple days, the time for the event is the same for all the specified days.
  Default: 0000 (12:00 AM)
Days
  The day or days on which the event occurs when the specified Frequency is Weekly. If the Frequency is not Weekly, the Days(SMTWTFS) checkboxes must be cleared.
Date(DDMMYYYY)
  The date on which the event occurs when the specified Frequency is Once. If the Frequency is not Once, the value in the Date(DDMMYYYY) text box must be 00000000.
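The Frequency, Time(HHMM), Days(SMTWTFS) and Date(DDMMYYYY) rules in the table above, as an added Python example that is not part of this guide or of the device's software: it validates an entry against those rules and computes the next time a valid entry fires. The next-fire computation is an assumption about how such a schedule is evaluated; the field rules and defaults come from the table, and the sample entries are constructed.

```python
"""Event Scheduler entry rules from the guide, modelled in Python (added example).

Field rules taken from the guide: Frequency is Once, Daily or Weekly; Time is
HHMM (default 0000); Days(SMTWTFS) may only be set when Frequency is Weekly;
Date is DDMMYYYY and must be 00000000 unless Frequency is Once.
Assumption: next_fire() evaluates the schedule the way a cron-like scheduler would.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta

FREQUENCIES = ("Once", "Daily", "Weekly")
DAY_LETTERS = "SMTWTFS"   # checkbox order in the guide: Sunday is index 0
NO_DATE = "00000000"      # required Date(DDMMYYYY) value unless Frequency is Once


@dataclass(frozen=True)
class ScheduleEntry:
    name: str
    frequency: str
    time_hhmm: str = "0000"            # guide default: 0000 (12:00 AM)
    days: frozenset = frozenset()      # indices into DAY_LETTERS (0 = Sunday)
    date_ddmmyyyy: str = NO_DATE


def parse_time(hhmm):
    """Return (hour, minute) for a Time(HHMM) value, or None if it is malformed."""
    if not re.fullmatch(r"\d{4}", hhmm):
        return None
    hour, minute = int(hhmm[:2]), int(hhmm[2:])
    return (hour, minute) if hour < 24 and minute < 60 else None


def parse_date(ddmmyyyy):
    """Return a date for a Date(DDMMYYYY) value, or None if it is not a real date."""
    if not re.fullmatch(r"\d{8}", ddmmyyyy):
        return None
    try:
        return date(int(ddmmyyyy[4:]), int(ddmmyyyy[2:4]), int(ddmmyyyy[:2]))
    except ValueError:
        return None


def validate(entry):
    """Return the list of rule violations; an empty list means the entry is acceptable."""
    errors = []
    if not entry.name.strip():
        errors.append("Name must not be empty")
    if entry.frequency not in FREQUENCIES:
        errors.append(f"Frequency must be one of {', '.join(FREQUENCIES)}")
    if parse_time(entry.time_hhmm) is None:
        errors.append("Time(HHMM) must be a valid 24-hour time, for example 2330")
    if any(d not in range(7) for d in entry.days):
        errors.append("Days must be indices 0..6 matching SMTWTFS")
    if entry.frequency == "Weekly":
        if not entry.days:
            errors.append("Weekly entries need at least one Days(SMTWTFS) checkbox")
    elif entry.days:
        errors.append("Days(SMTWTFS) checkboxes must be cleared unless Frequency is Weekly")
    if entry.frequency == "Once":
        if entry.date_ddmmyyyy == NO_DATE or parse_date(entry.date_ddmmyyyy) is None:
            errors.append("Once entries need a real Date(DDMMYYYY)")
    elif entry.date_ddmmyyyy != NO_DATE:
        errors.append("Date(DDMMYYYY) must be 00000000 unless Frequency is Once")
    return errors


def next_fire(entry, now):
    """First datetime strictly after `now` at which a valid entry fires, or None."""
    errors = validate(entry)
    if errors:
        raise ValueError("; ".join(errors))
    hour, minute = parse_time(entry.time_hhmm)
    if entry.frequency == "Once":
        d = parse_date(entry.date_ddmmyyyy)
        when = datetime(d.year, d.month, d.day, hour, minute)
        return when if when > now else None
    # Daily fires today or tomorrow; Weekly fires within the next seven days.
    for offset in range(8):
        d = now.date() + timedelta(days=offset)
        candidate = datetime(d.year, d.month, d.day, hour, minute)
        sunday_first = (d.weekday() + 1) % 7   # Python: Monday=0; guide: Sunday=0
        if candidate > now and (entry.frequency == "Daily" or sunday_first in entry.days):
            return candidate
    return None


if __name__ == "__main__":
    now = datetime(2024, 3, 6, 9, 30)   # a Wednesday (constructed sample clock)
    office_hours = ScheduleEntry("office-hours", "Weekly", "0800", frozenset({1, 2, 3, 4, 5}))
    print(validate(office_hours), next_fire(office_hours, now))
```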

Chapter 7 Configuring Security Parameters

Management Ports

Use the Management Ports Table pane to enable or disable access to a management port.

To set the management ports
1. Select Security > Management Ports.
2. Select a port.
3. Configure the parameters, and click Set.

Port Number (Read-only)
  The identifier of the selected management port.
SNMP
  Specifies whether the port allows access with SNMP.
TELNET
  Specifies whether the port allows access with Telnet.
SSH
  Specifies whether the port allows access with SSH.
WEB
  Specifies whether the port allows access with HTTP.
SSL
  Specifies whether the port allows access with SSL.

Ports Access

You can specify how unbound UDP and TCP ports respond to SYN packets.

To set the port unreachable status
1. Select Security > Ports Access.
2. From the Port Unreachable Status drop-down list, select the required value, as follows:
   Enabled: Unbound TCP ports answer SYN packets with an RST. Unbound UDP ports answer SYN packets with a port-unreachable message.
   Disabled: The device drops SYN or UDP packets without sending a reply. With this option, the device does not expose itself to the network.
   Default: Enabled
3. Click Set.

SNMP

SNMP Global Parameters

DDoS Protector devices work with SNMPv1, SNMPv2, and SNMPv3. Use the SNMP Global Parameters pane to configure the SNMP global parameters.

To configure the SNMP global parameters
1. Select Security > SNMP > Global Parameters.
2. Configure the parameters, and click Set.

Supported SNMP Versions (Read-only)
  The SNMP versions currently supported.
Supported SNMP Versions After Reset
  The SNMP versions that the SNMP agent supports after the device is reset. Select the checkboxes of the SNMP versions to support.
SNMP Port
  The UDP port on which the agent listens for SNMP requests.
SNMP Status
  The status of the SNMP agent.
  Default: Enabled

SNMP: User Table

Use the User Based Security Model pane to define the users that can connect to the device and to store the access parameters for each SNMP user.

Note: The configuration file of the device, which contains SNMPv3 users with authentication, can be used only by the specific device on which those users were configured. When exporting the configuration file to another device, the passwords need to be re-entered, since the passwords of SNMPv3 users cannot be exported from one device to another. Therefore, there must be at least one user in the user table (to be able to change the password) in case the configuration file is uploaded to another device.

To configure a new user
1. Select Security > SNMP > User Table.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

User Name
  The name of the new user.
Authentication Protocol
  The algorithm used for authentication.
Authentication Password
  The password required when authentication is used.
Privacy Protocol
  The algorithm used for encryption.
Privacy Password
  A password used to identify the user.

SNMP: Community Table

You can map community strings to user names, and vice versa, using the SNMP Community Table. This table restricts the range of addresses from which SNMP requests are accepted and to which traps may be sent. The SNMP Community Table is used only for SNMP versions 1 and 2.

To configure the SNMP community table
1. Select Security > SNMP > Community Table.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Index
  A descriptive name for this entry.
Community Name
  The community string.
Security Name
  The user name associated with the community string.
Transport Tag
  Specifies a set of target addresses from which the SNMP agent accepts SNMP requests and to which traps may be sent. The target addresses identified by this tag are defined in the Target Address Table. If this string is empty, addresses are not checked when an SNMP request is received or when a trap is sent. If this string is not empty, the transport tag must be contained in the tag list of at least one entry in the Target Address Table.

SNMP: Groups Table

You can associate users with groups in the Groups Table. Access rights are defined for groups of users.

To configure the groups table
1. Select Security > SNMP > Groups Table.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Security Model
  The security model to be associated with this group.
Security Name
  A relevant security name.
Group Name
  The access control policy for a group of users.

SNMP: Access Table

You can define the access rights for each group and security model in the VACM Group Access window.

To configure the parameters of the SNMP access table
1. Select Security > SNMP > Access Table.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Group Name
  The name of your group.
Security Model
  Values: SNMPv1, SNMPv2c, User Based
Security Level
  Values: No Authentication, Auth Not Private, Auth Private
ReadView Name
  The name of one or more entries in the View Tree Family Table. Specifies which objects in the MIB tree are readable by this group.
WriteView Name
  The name of one or more entries in the View Tree Family Table. Specifies which objects in the MIB tree are writable by this group.
NotifyView Name
  The name of one or more entries in the View Tree Family Table. Specifies which objects in the MIB tree can be accessed in notifications (traps) by this group.

SNMP: View Table

The View Table window allows you to define subsets of the MIB tree for use in the Access Table. Different entries may have the same name. The union of all entries with the same name defines the subset of the MIB tree and can be referenced in the Access Table through its name.

To set the view table parameters
1. Select Security > SNMP > View Table.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

View Name
  The name of this entry.
Subtree
  The object ID of a subtree of the MIB.
Subtree Mask
  The subtree mask.
Type
  Specifies whether the objects defined in this entry are included in or excluded from the MIB view.
  Default: included

SNMP Notify Table

Use the Notify Table pane to select the management targets that receive notifications and the type of notification to be sent to each selected management target. The Tag parameter identifies a set of target addresses. An entry in the SNMP Target Address table that contains a tag specified in the Notify Table receives notifications.

To configure SNMP notification settings
1. Select Security > SNMP > Notify Table.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Name
  A descriptive name for this entry, for example, the type of notification.
Tag
  A string that defines the target addresses that are sent this notification. All the target addresses that have this tag in their tag list are sent this notification.

SNMP Target Parameters

The Target Parameters table defines the message-processing and security parameters that are used in sending notifications to a particular management target. Entries in the Target Parameters table are referenced in the Target Address table.

To set the target parameters
1. Select Security > SNMP > Target Parameters Table.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Name
  The name of the target parameters entry.
  Maximum characters: 32
Message Processing
  Values: SNMPv1, SNMPv2c, SNMPv3
  Default: SNMPv1

Security Model
  The SNMP version that represents the required security model. Security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions. By selecting the SNMP version for this parameter, you determine the permission set to be used.
  Values: SNMPv1, SNMPv2c, User Based (that is, SNMPv3)
  Default: SNMPv1
Security Name
  If the User Based security model is used, the security name identifies the user that is used when the notification is generated. For other security models, the security name identifies the SNMP community used when the notification is generated.
Security Level
  Specifies whether the trap is authenticated and encrypted before it is sent.
  noauthnopriv: Neither authentication nor privacy is required.
  authnopriv: Authentication is required, but privacy is not required.
  authpriv: Both authentication and privacy are required.
  Default: No Authentication

SNMP: Target Address

In SNMPv3, the Target Address table contains the transport addresses to be used in the generation of traps. If the tag list of an entry contains a tag from the SNMP Notify Table, this target is selected for reception of notifications. For SNMP versions 1 and 2, this table is used to restrict the range of addresses from which SNMP requests are accepted and to which SNMP traps may be sent. If the Transport Tag of an entry in the Community Table is not empty, it must be included in one or more entries in the Target Address Table.

To set the SNMP target parameters
1. Select Security > SNMP > Target Address Table.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Name
  The name of the target address entry.
Address-Port
  The IP address of the management station and the TCP port to be used as the target of SNMP traps. The format of the value is <IP address>-<TCP port>, where <TCP port> must be 162. For example, if the value for Address-Port is 1.2.3.4-162, 1.2.3.4 is the IP address of the management station and 162 is the port number for SNMP traps.
Tag List
  Specifies sets of target addresses. Tags are separated by spaces. The tags contained in the list may be tags from the Notify Table or Transport Tags from the Community Table. Each tag can appear in more than one tag list. When a significant event occurs on the network device, the tag list identifies the targets to which a notification is sent.
Mask
  A subnet mask of the management station.
Parameters
  The set of target parameters to be used when sending SNMP traps. Target parameters are defined in the Target Parameters table.

Ping Physical Ports Table

You can define which physical interfaces can be pinged. When a ping is sent to an interface for which ping is not allowed, the packet is discarded. By default, all the interfaces of the device allow pings.

To configure physical ports to allow ping
1. Select Security > Ping Physical Ports Table.
2. Select a Port Number link.
3. In the Ping Device field, select Enable or Disable, as required.
4. Click Set.

Users

You can configure a list of users who are authorized to access the device through any enabled access method (Web, Telnet, SSH, SWBM). When configuration tracing is enabled, users can receive e-mail notifications of changes made to the device.

To configure the user-access authentication method
1. Select Security > Users.
2. From the Authentication Method drop-down list, configure the parameter, and click Set.

Authentication Method
  The method for authenticating a user's access to the device.
  Local User Table: The device uses the User Table to authenticate access.
  Radius and Local User Table: The device uses the RADIUS servers to authenticate access. If the request to the RADIUS server times out, the device uses the User Table to authenticate access.
  Default: Local User Table
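The tag-matching rules stated for the SNMP Notify Table, Community Table and Target Address table above, as an added Python example that is not part of this guide or of the device's software: it resolves which targets receive a notification, checks that every non-empty Transport Tag is covered by at least one Tag List, enforces the port-162 rule for Address-Port, and decides whether a v1/v2c request source is accepted. Treating Mask as a subnet mask applied to the target address when checking request sources is an assumption; the entry names, addresses and tags are constructed samples.

```python
"""Matching rules of the SNMP Notify, Community and Target Address tables (added example).

From the guide: a Notify entry's Tag selects every Target Address entry whose
space-separated Tag List contains that tag; a Community entry's non-empty
Transport Tag must appear in at least one Tag List, and then only requests from
those target addresses are accepted (an empty Transport Tag disables the check);
Address-Port is "<IP address>-<port>" with the port fixed at 162.
Assumption: Mask is applied as a subnet mask to the target address for the source check.
"""
import ipaddress
from dataclasses import dataclass

TRAP_PORT = 162   # the guide requires the port in Address-Port to be 162


@dataclass(frozen=True)
class TargetAddress:
    name: str
    address_port: str             # "<IP address>-<port>", for example 1.2.3.4-162
    tag_list: str                 # space-separated tags
    mask: str = "255.255.255.255"
    params: str = ""              # name of a Target Parameters entry

    def address(self):
        return parse_address_port(self.address_port)[0]

    def tags(self):
        return set(self.tag_list.split())


@dataclass(frozen=True)
class NotifyEntry:
    name: str
    tag: str


@dataclass(frozen=True)
class CommunityEntry:
    index: str
    community_name: str
    security_name: str
    transport_tag: str = ""       # empty: source addresses are not checked


def parse_address_port(value):
    """Split '<IP>-<port>' and enforce the port-162 rule; raises ValueError otherwise."""
    ip_text, sep, port_text = value.rpartition("-")
    if not sep:
        raise ValueError(f"{value!r}: expected <IP address>-<port>")
    ip = ipaddress.IPv4Address(ip_text)        # raises on a malformed address
    if int(port_text) != TRAP_PORT:
        raise ValueError(f"{value!r}: port must be {TRAP_PORT}")
    return ip, TRAP_PORT


def address_port_problem(value):
    """Return the validation error for an Address-Port value, or None when it is valid."""
    try:
        parse_address_port(value)
        return None
    except ValueError as exc:
        return str(exc)


def notification_targets(notify_table, target_table):
    """Map each Notify entry name to the names of targets whose Tag List holds its tag."""
    return {
        n.name: sorted(t.name for t in target_table if n.tag in t.tags())
        for n in notify_table
    }


def validate_community_table(community_table, target_table):
    """Every non-empty Transport Tag must appear in at least one target's Tag List."""
    all_tags = set().union(*(t.tags() for t in target_table))
    return [
        f"community {c.index}: transport tag {c.transport_tag!r} is in no Target Address tag list"
        for c in community_table
        if c.transport_tag and c.transport_tag not in all_tags
    ]


def request_allowed(community_table, target_table, community_name, source_ip):
    """Would an SNMPv1/v2c request carrying this community be accepted from source_ip?"""
    entry = next((c for c in community_table if c.community_name == community_name), None)
    if entry is None:
        return False
    if not entry.transport_tag:               # guide: empty tag, addresses are not checked
        return True
    src = ipaddress.IPv4Address(source_ip)
    for t in target_table:
        if entry.transport_tag in t.tags():
            # Assumption: Mask narrows or widens the target address to a subnet.
            if src in ipaddress.IPv4Network((t.address(), t.mask), strict=False):
                return True
    return False
```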

To configure the users table
1. Select Security > Users.
2. Do one of the following:
   - To add an entry, click Create.
   - To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

User Name
  The name of the user.
Password
  The text password for the user.
Email Address
  The e-mail address of the user to which notifications are sent.
Severity
  The minimum severity level of traps sent to this user.
  None: The user receives no traps.
  Info: The user receives traps with severity Info or higher.
  Warning: The user receives Warning, Error, and Fatal traps.
  Error: The user receives Error and Fatal traps.
  Fatal: The user receives Fatal traps only.
  Default: None
Trace Status
  When enabled, the specified user receives notifications of configuration changes made in the device. Every time the value of a configurable variable changes, information about all the variables in the same MIB entry is reported to the specified users. The device gathers reports and sends them in a single notification message when the buffer is full or when the timeout of 60 seconds expires. The notification message contains the following details:
  - Name of the MIB variable that was changed.
  - New value of the variable.
  - Time of the configuration change.
  - Configuration tool that was used.
  - User name, when applicable.
User Access Level
  The user's level of access to the WBM and CLI.
  Values: readwrite, readonly, none
  Default: readwrite
SSH Public Key Name
  The name of the SSH public key.
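An added Python model, not the device's code, of the per-user Severity filter and Trace Status notices described in the Users table above, together with the batching rule that both the SMTP notes and Trace Status state (one message when the buffer is full or when 60 seconds have elapsed). The buffer size is an assumption, since the guide does not give one; the user records, trap samples and the variable name are constructed.

```python
"""Per-user trap filtering and notification batching from the guide (added example).

Rules taken from the guide: a user with Severity None receives no traps; any
other Severity admits traps of that severity and higher (Info < Warning < Error
< Fatal); Trace Status users receive configuration-change notices; gathered
events are sent as one message when the buffer is full or after 60 seconds.
Assumption: the buffer size, which the guide does not state.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"Info": 1, "Warning": 2, "Error": 3, "Fatal": 4}
BATCH_TIMEOUT_SECONDS = 60.0     # stated in the guide
ASSUMED_BUFFER_SIZE = 5          # assumption; not given in the guide


@dataclass(frozen=True)
class Trap:
    timestamp: float             # seconds on a constructed sample clock
    severity: str                # Info, Warning, Error or Fatal
    text: str


@dataclass
class User:
    name: str
    email: str
    severity: str = "None"       # guide default: None, the user receives no traps
    trace_status: bool = False   # True: receives configuration-change notices


def wants_trap(user, trap):
    """Apply the Users-table Severity threshold to one trap."""
    if user.severity == "None":
        return False
    return SEVERITY_RANK[trap.severity] >= SEVERITY_RANK[user.severity]


@dataclass
class Batcher:
    """Gathers admitted lines per recipient and emits one message on full or timeout."""
    buffer_size: int = ASSUMED_BUFFER_SIZE
    timeout: float = BATCH_TIMEOUT_SECONDS
    pending: dict = field(default_factory=dict)    # email -> buffered lines
    opened_at: dict = field(default_factory=dict)  # email -> time the buffer was opened
    sent: list = field(default_factory=list)       # (email, lines) messages emitted

    def _flush(self, email):
        self.sent.append((email, self.pending.pop(email)))
        del self.opened_at[email]

    def offer(self, email, line, now):
        """Buffer one line; a full buffer is sent immediately."""
        if email not in self.pending:
            self.pending[email] = []
            self.opened_at[email] = now
        self.pending[email].append(line)
        if len(self.pending[email]) >= self.buffer_size:
            self._flush(email)

    def tick(self, now):
        """Send every buffer whose first line has waited at least `timeout` seconds."""
        for email in list(self.pending):
            if now - self.opened_at[email] >= self.timeout:
                self._flush(email)


def dispatch_trap(batcher, users, trap):
    """Offer a trap to every user whose Severity threshold admits it."""
    for user in users:
        if wants_trap(user, trap):
            batcher.offer(user.email, f"[{trap.severity}] {trap.text}", trap.timestamp)


def dispatch_config_change(batcher, users, timestamp, variable, new_value, tool, username=None):
    """Offer a configuration-change notice carrying the fields listed under Trace Status."""
    line = f"{variable} changed to {new_value!r} at {timestamp} via {tool}"
    if username:
        line += f" by {username}"
    for user in users:
        if user.trace_status:
            batcher.offer(user.email, line, timestamp)
```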

Certificates

Certificates Table

Use the Certificates Table pane to manage keys and certificates. Create and Delete functionality is available only when you are connected with a secure protocol, such as HTTPS.

To update an entry
1. Select Security > Certificates > Table.
2. Click the entry name.
3. To create a new certificate, click Create.
4. Configure the parameters, and click Set.

To create an entry
1. Select Security > Certificates > Table.
2. Click Create.
3. Configure the parameters, and click Set.

Name
  The name of the entry.
Entry Type
  Values: Key, Signing Request, Certificate, Intermediate CA Certificate, Certificate of Client CA
Key Size
  Values: 512, 1024, 2048
Key Passphrase
  The key password (the same one that you use to export the key from the Web server).
Common Name
  The domain name of the organization. For example, www.checkpoint.com
Locality
  The name of the city.
State or Province
  The state or province.
Organization
  The name of the organization.
Organization Unit
  The department/unit within the organization.
Country Name
  The country of residence.

Certificate Expiry
    (Read-only) The date of expiry in DDD MMM dd hh:mm:ss yyyy format. Example: SAT SEP 01 08:29:40 2012
Email
    Default email address for the organization.
Certificate Validity
    The number of days for which the certificate is valid.

To delete an entry
1. Select Security > Certificates > Table.
2. Select the checkbox in the row with the entry.
3. Click Delete.

Exporting PKI Components

You can export Public Key Infrastructure (PKI) components when you are connected with a secure protocol, such as HTTPS.

To export a PKI component
1. Select Security > Certificates > Export.
2. Configure the parameters, and click Show to view the component details, or click Export to export the component from the device. A dialog message is displayed asking if you want to open or save the component file. If you click Open, the file is opened in a browser window. If you click Save, you are prompted to save the file.

Name
    The name of the component.
Type
    Values: Key, Certificate, Certificate and Key
Format
    (Read-only) The format for the specified Type.
Passphrase
    The password (the same that you use to export the key from the Web server).
Text
    The certificate text, which you can enter.

Importing a PKI Component

You can import Public Key Infrastructure (PKI) components when you are connected with a secure protocol, such as HTTPS.

To import a PKI component
1. Select Security > Certificates > Export.
2. Configure the parameters, and click Import.

Name
    The name of the component.
Type
    Values: Key, Certificate, Certificate and Key, Intermediate CA Certificate, Certificate of Client CA, SSH Public Key
Format
    (Read-only) The format for the specified Type.
Passphrase
    The password (the same that you use to export the key from the Web server).
Text
    The certificate text, which you can enter.
Certificate File
    Browse to the certificate file to import.

Certificate Default Values

The certificate is a digitally signed indicator that identifies the server or user. It is usually provided in the form of an electronic key or value. You can set the default values to your specifications.

To configure default values for certificates
1. Select Security > Certificates > Default Values.
2. Configure the parameters, and click Set.

Certificate Common Name
    The domain name of the organization. For example, www.checkpoint.com.
Certificate Locality
    The name of the city.
Certificate State Or Province
    The state or province.
Certificate Organization
    The name of the organization.
Certificate Organization Unit
    The department/unit within the organization.
Certificate Country Name
    The country of residence.
Certificate Email
    The default email address for the organization.
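The Certificates Table shows the read-only Certificate Expiry in the DDD MMM dd hh:mm:ss yyyy form described above, and the Certificate Validity as a day count. The following is an added example, not Check Point code, of how an operator can feed those values into an expiry check: it parses the device's upper-case date string, cross-checks the weekday against the date so a garbled field is not silently accepted, and classifies each certificate for renewal. The sample SAT SEP 01 08:29:40 2012 is the guide's own example; the other dates and the 30-day warning threshold are constructed assumptions.

```python
"""Expiry checks for certificates listed in the Certificates Table.

Added example, not Check Point code. It parses the read-only Certificate
Expiry value in the guide's DDD MMM dd hh:mm:ss yyyy form; the 30-day
warning threshold and all dates other than the guide's example are
constructed assumptions.
"""
from datetime import datetime

EXPIRY_FORMAT = "%a %b %d %H:%M:%S %Y"   # e.g. SAT SEP 01 08:29:40 2012


def _as_datetime(value):
    """Accept a datetime or an ISO 8601 string such as 2012-08-15T00:00:00."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_expiry(text):
    """Parse the expiry string. strptime matches day and month names
    case-insensitively, so the device's upper-case form is accepted; the
    weekday is then cross-checked against the date to catch a garbled field."""
    when = datetime.strptime(text.strip(), EXPIRY_FORMAT)
    if when.strftime("%a").upper() != text.split()[0].upper():
        raise ValueError(f"weekday does not match the date in {text!r}")
    return when


def is_well_formed(text):
    """True if the expiry string parses and its weekday agrees with the date."""
    try:
        parse_expiry(text)
    except ValueError:
        return False
    return True


def days_until_expiry(expiry_text, now):
    """Whole days left before expiry; negative once the certificate has expired."""
    return (parse_expiry(expiry_text) - _as_datetime(now)).days


def expiry_status(expiry_text, now, warn_days=30):
    """'expired', 'expiring' (within warn_days) or 'ok', for renewal monitoring."""
    remaining = days_until_expiry(expiry_text, now)
    if remaining < 0:
        return "expired"
    return "expiring" if remaining <= warn_days else "ok"


def validity_days(expiry_text, issued):
    """Recover the Certificate Validity value (days) from expiry and issue time."""
    return (parse_expiry(expiry_text) - _as_datetime(issued)).days


def report(entries, now, warn_days=30):
    """entries: {name: expiry_text}; returns {name: status} for a renewal sweep."""
    return {name: expiry_status(text, now, warn_days) for name, text in entries.items()}
```

A sweep over the table's entries is then a call to report() with the current time; anything reported as "expiring" should be renewed before the device starts presenting an expired certificate on its HTTPS management interface.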

Chapter 8 Configuring Classes

View Active Networks

You can view the active network classes that are configured on the device.

To view the active network class configuration
Select Classes > View Active > Networks.

Modify

Modify Networks

You can view active networks, as well as configure new ones. You can define networks that are used by the device (active), and you can define networks that are kept in a separate database until they are required (inactive). You can add, modify, and delete these networks according to your requirements.

A network class is identified by a name and defined by a network address and mask, or by a range of IP addresses (from-to). For example, network net1 can be 10.0.0.0/255.0.0.0 and network net2 can be from 10.1.1.1 to 10.1.1.7; alternatively, network net1 can be 1234::0/32 and network net2 can be from 1234::0 to 1234:FFFF:FFFF:FFFF. The Network list allows either configuration.

Using classes allows you to define a network comprised of multiple subnets and/or IP ranges, all identified with the same class name. For example, network net1 can be 10.0.0.0/255.255.255.0 and 10.1.1.1 to 10.1.1.7.

You can use network classes in the following:
   Black lists
   White lists
   Network-protection policies to match source or destination traffic

To configure a network class
1. Select Classes > Modify Networks.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Name
    The name of the network class. The network name is case-sensitive. The network name cannot be an IP address.
Sub Index
    When you define multiple network classes with the same name, you must assign each instance a different sub-index number. The numbers do not need to be sequential or in order.
Address (for an IP Mask entry only)
    The network address.
Mask (for an IP Mask entry only)
    The mask of the subnet, which you can enter in either of the following ways:
    A subnet mask in dotted decimal notation, for example, 255.0.0.0 or 255.255.0.0.
    An IP prefix, that is, the number of mask bits, for example, 8 or 16.
From IP (for an IP Range entry only)
    The first IP address in the range.
To IP (for an IP Range entry only)
    The last IP address in the range.
Mode
    Specifies whether the network is defined by a subnet and mask, or by an IP range.
    Values: IP Mask, IP Range

Modify Services

Modify Basic Filters Table

Use Services to filter traffic. Services classify traffic based on criteria for Layers 3 to 7. A Service is a configuration of a basic filter, which may be combined with logical operators to achieve more sophisticated filters (AND Group filters and OR Group filters). DDoS Protector supports a long list of predefined basic filters. A basic filter includes attributes that specify parameters such as protocol, application port, and content type. When the protocol of a basic filter is TCP or UDP, the filter can include a text string.

A basic filter includes the following components:

Protocol
    The specific protocol that the packet should carry. The choices are IP, TCP, UDP, ICMP, NonIP, ICMPV6, and SCTP. If the specified protocol is IP, all IP packets (including TCP and UDP) are considered. When configuring TCP or UDP, the following additional parameters are available:
    Destination Port (From-To): The destination port number for that protocol. For example, for HTTP, the protocol would be configured as TCP and the destination port as 80. The port configuration can also allow for a range of ports to be configured.
    Source Port (From-To): Similar to the destination port, the source port that a packet should carry in order to match the filter can be configured.
Offset Mask Pattern Condition (OMPC)
    The OMPC is a means by which any bit pattern can be located for a match at any offset in the packet. This can aid in locating specific bits in the IP header, for example. TOS and Diff-serv bits are perfect examples of where OMPCs can be useful. It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured, there must be an OMPC match in addition to a protocol (and source/destination port) match. In other words, if an OMPC is configured, the packet needs to match the configured protocol (and ports) and the OMPC.
Content Specifications
    When the protocol of a basic filter is TCP or UDP, you can search for any text string in the packet. Like OMPCs, a text pattern can be searched for at any offset in the packet. HTTP URLs are perfect examples of how a text search can help in classifying a session. You can choose from the many types of configurable content, for example, URL, hostname, HTTP header field, cookie, mail domain, mail subject, file type, regular expression, text, and so on. When the content type is URL, for example, the module assumes the session to be HTTP with a GET, HEAD, or POST method. The module searches the URL following the GET/HEAD/POST to find a match for the configured text. In this case, the configured offset is meaningless, since the GET/HEAD/POST is in a fixed location in the HTTP header. If the content type is Text, the module searches the entire packet for the content text, starting at the configured offset. By allowing a filter to take the actual content of a packet/session into account, the module can recognize and classify a wider array of packets and sessions. Like OMPCs, Content Rules are not mandatory to configure. However, when a Content Rule exists in the filter, the packet needs to match the configured protocol (and ports), the OMPC (if one exists), and the Content Rule.

Note: If you edit the parameters of a filter that is bound to an existing policy, you need to activate the latest changes.

To configure a basic filter
1. Select Classes > Modify > Services > Basic Filters.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Name
    The name of the filter.
Protocol
    Values: IP, TCP, UDP, ICMP, NonIP, ICMPV6, SCTP
    Default: IP
Source App. Port
    The Layer-4 source port or source-port range for TCP, UDP, or SCTP traffic.
    Values: a value in the range 0 to 65,535; value ranges (for example, 30 to 400) greater than the Source Port Range From value; dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp
Destination App. Port
    The Layer-4 destination port or destination-port range for TCP, UDP, or SCTP traffic.
    Values: a value in the range 0 to 65,535; value ranges (for example, 30 to 400) greater than the Destination Port Range From value; dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp
OMPC Offset
    The location in the packet where the data starts being checked for specific bits in the IP or TCP header.
    Values: 0 to 1513
    Default: 0
OMPC Offset Relative to
    Specifies to which OMPC offset the selected offset is relative.
    Values: None, IPv4 Header, IPv6 Header, IP Data, L4 Data, ASN1, Ethernet, L4 Header
    Default: None

OMPC Mask
    The mask for OMPC data. The value must be defined according to the OMPC Length parameter, and must comprise eight hexadecimal symbols.
    Default: 00000000
OMPC Pattern
    The fixed-size pattern within the packet that the OMPC rule attempts to find. The value must be defined according to the OMPC Length parameter. The OMPC Pattern must contain eight hexadecimal symbols. If the value of the OMPC Length parameter is smaller than Four Bytes, you need to pad the OMPC Pattern with zeros. For example, if OMPC Length is Two Bytes, the OMPC Pattern can be abcd0000.
    Default: 00000000
OMPC Condition
    Values: None, Equal, Not Equal, Greater Than, Less Than
    Default: None
OMPC Length
    Values: None, One Byte, Two Bytes, Three Bytes, Four Bytes
    Default: None
Content Offset
    The location in the packet at which the checking of content starts.
    Values: 0 to 1513
    Default: 0
Distance
    A range that defines the allowed distance between two content characters. If the distance is beyond the specified range, it is recognized as an attack.
Content
    The value of the content search. The following characters are allowed: <space> ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { } ~

Content Type
    The specific content type to search for.
    None
    URL: A URL in the HTTP request URI.
    Text: Text anywhere in the packet.
    Hostname: A hostname in the HTTP header. The host names in the Hostname List of an L7 Policy are not algorithmically related to a host name configured for a basic filter.
    Header Field: A header field in the HTTP header.
    Expression: Text anywhere in the packet, represented by a regular expression specified in the Content field.
    Mail Domain: The Mail Domain in the SMTP header.
    Mail To: The Mail To SMTP header.
    Mail From: The Mail From SMTP header.
    Mail Subject: The Mail Subject SMTP header.
    File Type: The type of the requested file in the HTTP GET command (for example, JPG, EXE, and so on).
    Cookie: The HTTP cookie field. The Content field holds the cookie name, and the Content Data field holds the cookie value.
    Normalized URL: A normalized URL in the HTTP request URI.
    POP3 User: The POP3 User field in the POP3 header.
    URI Length: Filters according to URI length.
    FTP Command: Parses FTP commands into commands and arguments, while normalizing FTP packets and stripping Telnet opcodes.
    FTP Content: Scans the data transmitted using FTP, normalizes FTP packets, and strips Telnet opcodes.
    Generic Url: The generic URL in the HTTP Request URI. No normalization procedures are taken. GET/HEAD/POST is not required when this type is selected. This is applicable for protocols like SIP, BitTorrent, and so on.
    Generic Header: In the HTTP Request URI. As for Generic Url, no normalization procedures are taken, GET/HEAD/POST is not required, and the type is applicable for protocols like SIP, BitTorrent, and so on.
    Generic Cookie: In the HTTP Request URI. As for Generic Url, no normalization procedures are taken, GET/HEAD/POST is not required, and the type is applicable for protocols like SIP, BitTorrent, and so on.
    Default: None
Content End Offset
    The location in the packet at which the checking of content ends.
    Values: 0 to 1513
    Default: 0
Content Data
    Refers to the search for the content within the packet.

Content Coding
    The encoding type of the content to search for (as specified in the Content field).
    Values: None, Case Insensitive, Case Sensitive, HEX, International
    Default: None
    Note: The value of this field corresponds to the Content Type parameter.
Content Data Coding
    The encoding type of the content data to search for (as specified in the Content Data field).
    Values: None, Case Insensitive, Case Sensitive, HEX, International
    Default: None
    Note: The value of this field corresponds to the Content Type parameter.
Description
    A description of the filter.
Session Type
    The specific session type to search for.
    Values: None, Ftp Control, Ftp Data, Ftp All, Tftp Control, Tftp Data, Tftp All, Rshell Control, Rshell Data, Rshell All, Rexec Control, Rexec Errors, Rexec All, H225 Control, H245 session, H225 All, SIP Signal, SIP Media Control, SIP Audio, SIP All
    Default: None
Session Type Direction
    The specific direction of the specified session type to search for.
    Values: All, Request, Reply
    Default: None

AND Groups

An AND Group filter is a combination of basic filters with a logical AND between them.

Example: The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as AF1 = {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three filters (F1, F2, and F3).

Notes:
   You cannot modify or delete predefined AND Groups.
   If you edit the parameters of an AND group that is bound to an existing policy, you need to activate the latest changes.

To configure an AND group
1. Select Classes > Modify Services > AND Group.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

AND Group Name
    The name of the AND Group.
Basic Filter Name
    The basic filter for this AND Group.

Modify OR Group Table

An OR Group Filter is a combination of basic filters and/or AND filters with a logical OR between them. DDoS Protector supports a set of predefined, static OR Groups. The predefined OR Groups are based on the predefined basic filters.

Example: The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as AF1 = {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three filters (F1, F2, and F3). Filter FG1 is user-defined as FG1 = {AF1 OR F4 OR F6}. In order for a packet to match FG1, the packet must match either filter AF1, basic filter F4, or basic filter F6.

Notes:
   You cannot modify or delete predefined OR Groups.
   If you edit the parameters of an OR group that is bound to an existing policy, you need to activate the latest changes.

To add a new OR group
1. Select Classes > Modify Services > OR Groups.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

OR Group Name
    The name of the OR Group.
Filter Name
    The filter for this OR Group, which can be a Basic filter or an AND Group.

Filter Type
    Static: The OR Group is predefined.
    Regular: The OR Group is user-defined.

Modify Application Port Groups

Application classes are groups of Layer-4 ports for UDP and TCP traffic. Each class is identified by its unique name, and you can define multiple Layer-4 ports in a single class. You cannot modify the predefined application classes for standard applications; however, you can add entries to the class. You can add and modify user-defined classes in the Application Port Group table.

To view the application port group parameters
1. Select Classes > Modify > Appl. Port Groups.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Name
    The name of the Application Port Group. To associate a number of ranges with the same port group, use the same name for all the ranges that you want to include in the group. Each range appears as a separate row with the same name in the Application Port Group table.
From Port
    The first port in the range.
To Port
    The last port in the range. To define a group with a single port, set the same value for the From Port and To Port fields.

Modify Physical Port Groups

You can define network segments using definitions of physical ports. Use physical port classes to classify traffic according to physical ports in security policy rules.

To configure a physical port group
1. Select Classes > Modify > Port Groups.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Group Name
    The name of the Port Group.
Inbound Port
    The inbound port associated with the Port Group.

Modify VLAN Tag Groups

You can define network segments using VLAN tags. Use VLAN tag classes (groups) to classify traffic according to VLAN tags in security policy rules. Each DDoS Protector device supports a maximum of 64 VLAN Tag groups. Each VLAN Tag group can contain a maximum of 32 discrete tags and 32 ranges. That is, in effect, each managed device supports up to 64² definitions.

To configure a VLAN tag class
1. Select Classes > Modify > VLAN Tag Groups.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Group Name
    The name of the VLAN tag group.
VLAN Tag (for Discrete mode only)
    The VLAN tag number.
VLAN Tag From (for Range Group Mode only)
    The first VLAN tag in the range. You cannot modify this field after creating the VLAN group.
VLAN Tag To (for Range Group Mode only)
    The last VLAN tag in the range.
Group Mode
    The VLAN mode.
    Discrete: An individual VLAN tag, as defined in the interface parameters of the device.
    Range: A group of sequential VLAN tag numbers, as defined in the interface parameters of the device.
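The basic filter, AND group and OR group sections above describe a three-level match: a basic filter must satisfy its protocol, ports, OMPC (if set) and content rule (if set); an AND group requires every member to match; an OR group matches when any member (basic filter or AND group) does. The following is an added example, not Check Point code, that implements that evaluation over a simplified packet model so the guide's AF1 = {F1 AND F2 AND F3} and FG1 = {AF1 OR F4 OR F6} example can be run. It assumes a packet made of an IPv4 header, an L4 header and L4 data; it supports only the OMPC anchors None, IPv4 Header, L4 Header and L4 Data (not IPv6 Header, IP Data, ASN1 or Ethernet) and the content types URL, Text and Expression with case-insensitive coding. The ports, the DSCP value used for the OMPC, the content strings and the sample packets are constructed.

```python
"""Evaluator for basic filters, AND groups and OR groups as described above.
Added example, not Check Point code. A packet is modelled as IPv4 header + L4
header + L4 data; OMPC anchors None, IPv4 Header, L4 Header and L4 Data and the
content types URL, Text and Expression (case-insensitive coding) are supported.
Filter names follow the guide's F1..F6/AF1/FG1 example; the ports, DSCP value,
strings and packets are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    protocol: str          # IP, TCP, UDP, ICMP, ...
    ip_header: bytes
    l4_header: bytes
    l4_data: bytes
    dport: int = 0

    def anchor(self, relative_to):
        """Byte position that an OMPC offset is relative to."""
        return {"None": 0, "IPv4 Header": 0, "L4 Header": len(self.ip_header),
                "L4 Data": len(self.ip_header) + len(self.l4_header)}[relative_to]


@dataclass
class OMPC:
    offset: int
    relative_to: str
    mask: str        # eight hex symbols; only the first `length` bytes are used
    pattern: str     # eight hex symbols, zero padded (abcd0000 for a 2-byte rule)
    condition: str   # Equal, Not Equal, Greater Than, Less Than
    length: int      # 1 to 4 bytes

    def matches(self, pkt):
        start = pkt.anchor(self.relative_to) + self.offset
        window = (pkt.ip_header + pkt.l4_header + pkt.l4_data)[start:start + self.length]
        if len(window) < self.length:
            return False                           # packet too short for this rule
        value = int.from_bytes(window, "big") & int(self.mask[:2 * self.length], 16)
        want = int(self.pattern[:2 * self.length], 16)
        return {"Equal": value == want, "Not Equal": value != want,
                "Greater Than": value > want, "Less Than": value < want}[self.condition]


@dataclass
class BasicFilter:
    name: str
    protocol: str = "IP"
    dport: Optional[range] = None
    ompc: Optional[OMPC] = None
    content_type: str = "None"   # None, URL, Text or Expression
    content: str = ""
    content_offset: int = 0

    def matches(self, pkt):
        if self.protocol != "IP" and pkt.protocol != self.protocol:  # IP covers all IP traffic
            return False
        if self.dport is not None and pkt.dport not in self.dport:
            return False
        if self.ompc is not None and not self.ompc.matches(pkt):    # optional, but must match once set
            return False
        return self._content_matches(pkt)

    def _content_matches(self, pkt):
        if self.content_type == "None":
            return True
        data = pkt.l4_data.decode("latin-1")
        if self.content_type == "URL":
            # The request line is at a fixed place, so the configured offset is ignored.
            m = re.match(r"(GET|HEAD|POST) (\S+)", data)
            return bool(m) and re.search(re.escape(self.content), m.group(2), re.I) is not None
        pattern = self.content if self.content_type == "Expression" else re.escape(self.content)
        return re.search(pattern, data[self.content_offset:], re.I) is not None


@dataclass
class AndGroup:
    name: str
    filters: list
    def matches(self, pkt):
        return all(f.matches(pkt) for f in self.filters)


@dataclass
class OrGroup:
    name: str
    members: list    # basic filters and/or AND groups
    def matches(self, pkt):
        return any(m.matches(pkt) for m in self.members)


def sample_http_packet(tos=0x00, path="/index.html"):
    """Constructed TCP/80 request behind a minimal 20-byte IPv4 header (TOS is byte 1)."""
    ip = bytes([0x45, tos]) + bytes(18)
    tcp = (12345).to_bytes(2, "big") + (80).to_bytes(2, "big") + bytes(16)
    payload = f"GET {path} HTTP/1.1\r\nHost: www.example.com\r\n\r\n".encode()
    return Packet("TCP", ip, tcp, payload, dport=80)


def build_example_groups():
    """AF1 = {F1 AND F2 AND F3} and FG1 = {AF1 OR F4 OR F6} over constructed filters."""
    f1 = BasicFilter("F1", "TCP", dport=range(80, 81))
    # F2: DSCP (top six bits of the TOS byte) equals 46; the mask drops the two ECN bits
    f2 = BasicFilter("F2", ompc=OMPC(1, "IPv4 Header", "fc000000", "b8000000", "Equal", 1))
    f3 = BasicFilter("F3", "TCP", content_type="URL", content="login")
    f4 = BasicFilter("F4", "UDP", dport=range(53, 54))
    f6 = BasicFilter("F6", "TCP", content_type="Expression", content=r"Host:\s+admin\.")
    af1 = AndGroup("AF1", [f1, f2, f3])
    return af1, OrGroup("FG1", [af1, f4, f6])
```

The OMPC in F2 shows why the mask matters: with mask fc000000 a packet whose TOS byte is 0xb9 (DSCP 46 with an ECN bit set) still matches pattern b8000000, whereas an all-ones mask would miss it. It also shows the ordering the guide describes: a packet that carries the right DSCP but requests /index.html fails F3, so AF1 fails, and FG1 then depends only on F4 and F6.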

Modify MAC Groups

MAC groups identify traffic whose source or destination is a transparent network device.

To configure a MAC address class
1. Select Classes > Modify MAC Groups.
2. Do one of the following:
   To add an entry, click Create.
   To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.

Group Name
    The name of the MAC address group.
MAC Address
    The MAC address associated with the group.

View Active

View Active Networks

You can view the active network classes that are configured on the device.

To view the active network class configuration
Select Classes > View Active > Networks.

View Active Services

The Basic Filter constitutes protection against a specific attack, meaning that each Basic Filter has a specific attack signature and protection parameters.

To view the parameters of the basic filter
1. Select Classes > View Active > Services > Basic Filters.
2. Select the name of the filter whose parameters you want to view.

The AND Group represents a logical AND between two or more Basic Filters. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one basic filter to protect against them.

Note: You can create AND Groups using user-defined Basic Filters only.

To view the parameters of the AND group
1. Select Classes > View Active > Services > AND Groups.
2. Select the name of the filter whose parameters you want to view.

The OR Group represents a logical OR between two or more Basic Filters or AND Groups.

To view the active OR group table
1. Select Classes > View Active > Services > OR Groups.
2. Select the name of the filter whose parameters you want to view.

Viewing Application Port Groups

You can view the active Application Port Group classes that are configured on the device.

To view the active application port groups
Select Classes > View Active > Appl. Port Groups.

View Active Physical Port Groups

You can view the active Application Port Group classes that are configured on the device.

To view the active physical port groups
Select Classes > View Active > Port Groups.

View Active VLAN Tag Groups

You can view the active VLAN Tag Group classes that are configured on the device.

To view the active VLAN tag groups
Select Classes > View Active > VLAN Tag Groups.

View Active MAC Groups

You can view the active MAC Group classes that are configured on the device.

To view the active MAC groups
Select Classes > View Active > MAC Groups.

Activate Latest Changes

Use the Activate Latest Changes pane to activate all the latest changes made to the configuration of the device.

To activate the latest policy changes
1. Select Classes > Update Policies.
2. Click Set.

Chapter 9 Configuring Performance

Element Statistics

IP Packet Statistics

To view the IP packet statistics
Select Performance > Element Statistics > IP. The following parameters are displayed:

IP Receives
    The total number of input datagrams received from interfaces, including those received in error.
IP Header Errors
    The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format errors, time-to-live exceeded, errors discovered in processing their options, and so on.
IP Discarded
    The total number of input datagrams discarded. Note: This counter does not include any datagrams discarded while awaiting re-assembly.
IP Successfully Delivered
    The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).
IP Out Requests
    The total number of IP datagrams which local IP user-protocols (including ICMP) supplied to IP in requests for transmission.
IP Out Discards
    The total number of IP datagrams which local IP user-protocols (including ICMP) supplied to IP in requests for transmission.

SNMP

To view the SNMP element statistics
Select Performance > Element Statistics > SNMP. The following parameters are displayed:

SNMP Received Packets
    The total number of messages delivered to the SNMP entity from the transport service.
SNMP Sent Packets
    The total number of SNMP messages that were passed from the SNMP protocol entity to the transport service.
SNMP successful 'Get' requests
    The total number of MIB objects that have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
SNMP successful 'Set' requests
    The total number of MIB objects that have been altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set-Request PDUs.
SNMP 'get' requests
    The total number of SNMP Get-Request PDUs that have been accepted and processed by the SNMP protocol entity.
SNMP 'get-next' requests
    The total number of SNMP Get-Next PDUs that have been accepted and processed by the SNMP protocol entity.
SNMP 'set' requests
    The total number of SNMP Set-Request PDUs that have been accepted and processed by the SNMP protocol entity.
SNMP Out TooBig
    The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is toobig.
SNMP Out NoSuchName
    The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is nosuchname.
SNMP Out BadValue
    The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is badvalue.
SNMP Out GenErrs
    The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is generr.
SNMP Out Get-Responses
    The total number of SNMP Get-Response PDUs that have been generated by the SNMP protocol entity.
SNMP Out Traps
    The total number of SNMP Trap PDUs that have been generated by the SNMP protocol entity.

IP Router

To view the IP router element statistics
Select Performance > Element Statistics > IP Router. The following parameters are displayed:

IP Forwarded
    The number of input datagrams for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP gateways, this counter includes only those packets that were source-routed via this entity and for which the source-route option processing was successful.
IP Unknown Protocol
    The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.
IP Out No Routes
    The number of IP datagrams discarded because no route could be found to transmit them to their destination. Note: This counter includes any packets counted in ipforwdatagrams which meet this 'no-route' criterion. It also includes any datagrams that a host cannot route because all of its default gateways are down.
IP Fragments Received
    The number of IP fragments received which needed to be reassembled at this entity.
IP Fragments successfully reassembled
    The number of IP datagrams successfully re-assembled.
IP Fragments failed reassembly
    The number of failures detected by the IP re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note: This is not necessarily a count of discarded IP fragments, since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.
IP datagrams successfully fragmented
    The number of IP datagrams that have been successfully fragmented at this entity.
IP datagrams discarded - failed fragmentation
    The number of IP datagrams that have been discarded because they needed to be fragmented at this entity but could not be, for example, because their Do not Fragment flag was set.
IP datagram fragments generated
    The number of IP datagram fragments that have been generated as a result of fragmentation at this entity.
Valid routing entries discarded
    N/A
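The IP router counters above are cumulative totals, so an operator watching for fragmentation floods or routing problems has to difference two polls and allow for the counter wrapping. The following is an added example, not Check Point code, that turns two snapshots of these statistics into per-second rates and a short list of findings; it keeps the guide's caveat that a reassembly failure is not necessarily one discarded fragment. The two snapshots are constructed sample readings rather than real device output, and the 32-bit counter width and the alert thresholds are assumptions, not values documented for the device.

```python
"""Rate and wraparound handling for the IP router element statistics.

Added example, not Check Point code. The two snapshots are constructed sample
readings (not real device output); the counter width and the alert thresholds
are assumptions, not values documented for the device.
"""
COUNTER_BITS = 32              # assumption: 32-bit wrapping counters, as in RFC 1213
COUNTER_MOD = 1 << COUNTER_BITS


def counter_delta(old, new):
    """Increase between two readings, tolerating a single wrap past 2**32."""
    return (new - old) % COUNTER_MOD


def per_second(prev, curr, interval_s):
    """Per-second rate of every counter present in both snapshots."""
    return {k: counter_delta(prev[k], curr[k]) / interval_s for k in curr if k in prev}


def reassembly_failure_ratio(prev, curr):
    """Failed reassemblies per received fragment over the interval. As the guide
    notes, a failure is not necessarily one discarded fragment, so treat this as
    a trend indicator rather than an exact loss count."""
    received = counter_delta(prev["IP Fragments Received"], curr["IP Fragments Received"])
    failed = counter_delta(prev["IP Fragments failed reassembly"],
                           curr["IP Fragments failed reassembly"])
    return failed / received if received else 0.0


def assess(prev, curr, interval_s, frag_rate_threshold=1000.0, fail_ratio_threshold=0.5):
    """Names of the conditions worth alerting on (thresholds are constructed)."""
    rates = per_second(prev, curr, interval_s)
    findings = []
    if rates["IP Fragments Received"] > frag_rate_threshold:
        findings.append("high fragment rate")
    if reassembly_failure_ratio(prev, curr) > fail_ratio_threshold:
        findings.append("fragment reassembly mostly failing")
    if rates["IP Out No Routes"] > 0:
        findings.append("datagrams dropped for lack of route")
    return findings


# Constructed sample: two polls 60 s apart; "IP Forwarded" wraps between them.
SAMPLE_PREV = {"IP Forwarded": 4294967000, "IP Fragments Received": 1200,
               "IP Fragments failed reassembly": 100, "IP Out No Routes": 5}
SAMPLE_CURR = {"IP Forwarded": 2000, "IP Fragments Received": 121200,
               "IP Fragments failed reassembly": 100100, "IP Out No Routes": 5}
```

With the sample snapshots, the forwarded-datagram delta is 2,296 rather than a large negative number, the fragment rate is 2,000 per second and five out of six reassemblies fail, which is the pattern a fragment flood leaves in these counters; the no-route counter is unchanged, so no routing finding is raised.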

Accelerator Utilization

Use the Accelerator Utilization pane to view the utilization for each accelerator.

To view the accelerator utilization
Select Performance > Element Statistics > Accelerator. The following parameters are displayed:

Accelerator
    The name of the accelerator. The accelerator named Flow_Accelerator_0 is one logical accelerator that uses several CPU cores. The accelerator named HW Classifier is the string-matching engine (SME).
CPU
    The CPU number for the accelerator.
Forwarding
    The percentage of CPU cycles used.
Other
    The percentage of CPU resources used for other tasks, such as aging.
Idle
    The percentage of free CPU resources.