Академический Документы
Профессиональный Документы
Культура Документы
Important Notice
This guide is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2008 2009. All rights reserved.
The copyright and all other intellectual property rights and trade secrets included in this guide are
owned by Radware Ltd.
The guide is provided to Radware customers for the sole purpose of obtaining information with
respect to the installation and use of the AppDirector, and may not be used for any other purpose.
The information contained in this guide is proprietary to Radware and must be kept in strict
confidence.
It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without
the prior written consent of Radware.
The OnDemand Switch may use software components licensed under the GNU General Public
License Agreement Version 2 (GPL v.2) including LinuxBios and Filo open source projects. The
source code of the LinuxBios and Filo is available from Radware upon request. A copy of the license
can be viewed at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
Copyright Notices
This product contains code developed by the OpenSSL Project
This product includes software developed by the OpenSSL Project. For use in the OpenSSL Toolkit. (http:/
/www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
The OnDemand Switch may use software components licensed under the GNU General Public
License Agreement Version 2 (GPL v.2) including LinuxBios and Filo open source projects. The
source code of the LinuxBios and Filo is available from Radware upon request. A copy of the license
can be viewed at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This code is hereby placed in the public domain.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE*
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
1.
Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3.
Neither the name of the University nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes software developed by Markus Friedl
This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1.
Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Safety Instructions
CAUTION
Due to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures that
involve opening panels or changing components must be performed by qualified service personnel
only.
To reduce the risk of fire and electrical shock, disconnect the device from the power line before
removing cover or panels.
SERVICING
Do not perform any servicing other than that contained in the operating instructions unless you are
qualified to do so. There are no serviceable parts inside the unit.
HIGH VOLTAGE
Any adjustment, maintenance, and repair of the opened instrument under voltage must be avoided
as much as possible and, when inevitable, must be carried out only by a skilled person who is aware
of the hazard involved.
Capacitors inside the instrument may still be charged even if the instrument has been disconnected
from its source of supply.
GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of this device
must be connected to the protective earth in the building installation.
LASER
This equipment is a Class 1 Laser Product in accordance with IEC60825 - 1: 1993 + A1:1997 +
A2:2001 Standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used for
replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided.
Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be
made inoperative and be secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, make sure the voltage of the power source
matches the requirements of the instrument. Refer to the Specifications for information about the
correct power rating for the device.
SPECIFICATION CHANGES
Note: This equipment has been tested and found to comply with the limits for a Class A digital
device pursuant to Part 15 of the FCC Rules and EN55022 Class A, EN 55024; EN 610003-2; EN 61000-3-3 For CE MARK Compliance. These limits are designed to provide
reasonable protection against harmful interference when the equipment is operated in a
commercial environment. This equipment generates, uses and can radiate radio
frequency energy and, if not installed and used in accordance with the instruction
manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference in which case the
user is required to correct the interference at his own expense.
Special Notice for North American Users:
For North American power connection, select a power supply cord that is UL Listed and CSA Certified
3 - conductor, [18 AWG], terminated in a molded on plug cap rated 125 V, [5 A], with a minimum
length of 1.5m [six feet] but no longer than 4.5m...For European connection, select a power supply
cord that is internationally harmonized and marked <HAR>, 3 - conductor, 0,75 mm2 minimum
mm2 wire, rated 300 V, with a PVC insulated jacket. The cord must have a molded on plug cap rated
250 V, 3 A..
RESTRICT AREA ACCESS
The DC powered equipment should only be installed in a Restricted Access Area.
INSTALLATION CODES
This device must be installed according to country national electrical codes. For North America,
equipment must be installed in accordance with the US National Electrical Code, Articles 110 - 16,
110 -17, and 110 -18 and the Canadian Electrical Code, Section 12.
INTERCONNECTION OF UNITS
Cables for connecting to the unit RS232 and Ethernet Interfaces must be UL certified type DP-1 or
DP-2. (Note- when residing in non LPS circuit)
OVERCURRENT PROTECTION
A readily accessible listed branch-circuit over current protective device rated 15 A must be
incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES
If equipment is provided with a replaceable battery, and is replaced by an incorrect battery type,
then an explosion may occur. This is the case for some Lithium batteries and the following is
applicable:
If the battery is placed in an Operator Access Area, there is a marking close to the battery or
a statement in both the operating and service instructions.
If the battery is placed elsewhere in the equipment, there is a marking close to the battery or a
statement in the service instructions.
This equipment is designed to permit connection between the earthed conductor of the DC
supply circuit and the earthing conductor equipment. See Installation Instructions.
2.
All servicing must be undertaken only by qualified service personnel. There are not user
serviceable parts inside the unit.
3.
4. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.
5. Replace a blown fuse ONLY with the same type and rating as is marked on the safety label
adjacent to the power inlet, housing the fuse.
6. Do not operate the device in a location where the maximum ambient temperature exceeds
40C/104F.
7. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to remove
and/or check the main power fuse.
CLASS 1 LASER PRODUCT AND REFERENCE TO THE MOST RECENT LASER STANDARDS IEC 60
825-1:1993 + A1:1997 + A2:2001 AND EN 60825-1:1994+A1:1996+ A2:2001
AC units for Denmark, Finland, Norway, Sweden (marked on product):
Denmark - Unit is class I - unit to be used with an AC cord set suitable with Denmark
deviations. The cord includes an earthing conductor. The Unit is to be plugged into a wall socket
outlet which is connected to a protective earth. Socket outlets which are not connected to earth
are not to be used!
Sweden (Marking label and in manual) - Apparaten skall anslutas till jordat uttag.
Offensichtlich defekte oder beschdigte Gerte drfen nicht angeschlossen, eingeschaltet oder
in Betrieb genommen werden.
Stellen Sie sicher, dass die Belftungsschlitze am Gert nicht blockiert sind.
Ersetzen Sie eine defekte Sicherung ausschlielich mit Sicherungen laut Sicherheitsbeschriftung.
Betreiben Sie das Gert nicht in Rumen mit Temperaturen ber 40C.
Trennen Sie das Netzkabel von der Steckdose bevor Sie die Hauptsicherung prfen oder
austauschen.
Document Conventions
This guide uses the following conventions and symbols:
Item
Description
Additional information
Note:
A suggestion or workaround
Tip:
A statement and instructions
To
An example scenario
Example
Possible damage to equipment, software, or data
Caution:
Possible physical harm to the operator
Warning:
This feature only operates when application
acceleration is disabled
Standard Acceleration
This feature only works operates when application
acceleration is enabled
Enhanced Acceleration
Table of Contents
Important Notice ............................................................................................................ 3
Copyright Notices .......................................................................................................... 3
Safety Instructions ......................................................................................................... 5
Document Conventions ................................................................................................. 8
28
29
31
33
35
35
46
47
48
53
56
57
57
58
61
62
64
65
65
65
66
67
67
68
68
69
71
72
73
75
77
77
82
83
106
107
109
110
110
111
112
114
119
125
128
134
136
140
142
142
147
148
10
170
172
177
181
183
186
187
188
192
195
199
199
203
211
228
234
238
252
264
265
266
266
268
268
268
11
298
299
300
301
311
315
315
319
320
320
321
323
323
323
324
326
328
333
333
333
333
347
348
349
350
352
352
12
376
380
382
382
383
383
384
405
405
405
406
409
422
424
428
430
13
432
433
435
437
450
450
450
452
457
462
465
465
487
499
503
504
509
561
564
569
571
572
572
14
590
591
592
599
15
16
AppDirector by Radware is an Application Delivery Controller (ADC) that provides Layer 4-7 local and
global application delivery and acceleration across Web applications and Database server farms,
ensuring application uptime, global redundancy, and user experience optimization. AppDirector
provides full availability, high performance, and complete security for mission critical applications.
AppDirector is intended for organizations that conduct their business using networked applications,
the Internet, or a private intranet to communicate between offices that are geographically dispersed
or between business partners and end users, as in e-commerce or online banking.
As a result of the reliance on networked/Web applications like ERP, CRM, or Citrix applications, there
has been significant growth in the volume of transactions and in the processing power required to
execute them efficiently. AppDirector relies on a successful combination of a powerful hardware
platform and an application smart service to achieve a high level of availability, performance, and
security. AppDirector is based on Radwares Intelligent Application Switching Architecture, which
provides high speed hardware processing power, along with APSolute OS Application Smart Service.
Throughout this AppDirector User Guide, AppDirectors main capabilities have been delineated into
two non-mutually exclusive options where necessary. They are:
Enhanced Acceleration
For Application acceleration, including SSL offloading, Web compression, caching and TCP
optimization, that provides best Quality of Experience (QoE)
Standard Acceleration
For Optimized Server Utilization and Application Performance
Look out for these labels throughout this User Guide, they are here to help you get the maximum
benefit from AppDirector.
The AppDirector Application Smart Service modules offer these capabilities:
Fault Management
Traffic Shaping
17
AppDirector Modules
AppDirector successfully combines various functional modules. AppDirectors advanced Health
Monitoring module verifies the availability of the entire transaction path and resources. The Traffic
Redirection module works closely with the Health Monitoring module and performs Layer 4-7
switching based on resource availability. Traffic Redirection optimizes server usage by applying
intelligent dispatch load balancing algorithms. If network elements fail (e.g; routers, switches, or
other resources in path to servers, or back-end servers), Traffic Management allows the traffic to
bypass any faulty elements.
The network path can be further optimized by utilizing the Bandwidth Management (BWM) features.
The BWM can be utilized to enforce business priorities and resource utilization across the network.
You can assign a higher priority and guaranteed bandwidth to mission critical applications such as
SAP, ORACLE, etc., while assigning a best effort policy with lowered priorities for bulk traffic such as
FTP, e-mail, and any other non-critical applications.
Numerous application level attacks through firewalls expose an organization's network and
applications to various threats. If left unchecked, these can result in severe damage, either to
intellectual property and/or confidential data theft, or to disruptions of services resulting in lost
revenue. The advanced security module is an integral part of the AppDirector intelligent application
switching process, providing protection against various attacks, worms, and viruses.
Health Monitoring
The Health Monitoring module constantly checks the health of the entire transaction path. This
ensures the availability of all the network elements required for the completion of a successful
transaction, including routers, backend servers and applications. This module enables you to create
any type of Layer 2 - Layer 7 Health Check on any network element. The wide variety of predefined
Health Checks allows you to meet the specific requirements of your network. For more information
on Health Monitoring, see Configuring Health Monitoring, page 331.
Traffic Redirection
The Traffic Redirection module provides Layer 4 - Layer 7 switching capability. This module performs
server selection in a Farm, based on availability, load, and content considerations. For more
information on Traffic Redirection, see Traffic Management and Application Acceleration, page 157.
To select a server within a Farm, AppDirector uses various dispatch algorithms based on the traffic
load of the servers and available server resources. You can also define server persistency, where all
sessions with same predefined characteristics are forwarded to the same server. Traffic Redirection
can be configured with many dispatch methods and settings ensuring optimum utilization of server
resources while monitoring network conditions.
When content is distributed among multiple sites, AppDirector applies a global Traffic Redirection
solution combining advanced load and proximity-based decisions with different redirection methods
optimizing resource usage and providing accelerated content delivery. This enables you to add
network elements without service interruption in a geographically dispersed global context.
18
Acceleration Engine
Enhanced Acceleration
AppDirector assists acceleration with the following attributes:
Reduces web-application latency across the WAN and decreases application response time.
Improves response time by offloading TCP connection handling. It accelerates repetitive content
fetching time by using a cache.
Using compression, reduces WAN bandwidth consumption and accelerates web-pages on low
bandwidth (dial-up, wireless) WAN connections.
Enhanced Acceleration
AppDirector can accelerate SSL traffic and offload servers. AppDirector handles the SSL key
negotiation with the client and encrypting and decrypting of communication. AppDirector serves as a
proxy, terminating the SSL client sessions and opening a separate session to the backend servers.
Enhanced Acceleration
AppDirector is the only ADC solution that provides full support of the TSL standard allowing:
Automatic retrieval and updates of the client authentication configuration according to the TSL
standard.
Verification capabilities for granular control over allowed certificate holders access at network
level.
TCP Optimization
Enhanced Acceleration
AppDirector reorders TCP packets that arrive out of order. This offloads this task from the backend
server.
19
Web Compression
Enhanced Acceleration
AppDirector compresses HTTP traffic to reduce the latency for clients that access web applications
over WAN. Compression reduces the size of the objects and therefore the objects take less time to
download over the WAN. Latency is high for instance, when clients are located a large number of
network hops away from the server, over satellite links, or when bandwidth (and thus transfer rate)
is low. AppDirector supports Compression in software by default. An optional Hardware Compression
module enables AppDirector to handle higher throughput from the web application server.
Web Caching
Enhanced Acceleration
AppDirector improves response time by caching web objects from the server and offloading them to
save resources. AppDirector caches server content according to their cache settings as they appear
in the HTTP headers
Management Tools
The following management tools can be used to manage a single AppDirector device.
Command Line Interface (CLI), using Telnet, SSH, or Serial Console access.
Please consult the latest accompanying Release Notes for this AppDirector version for detailed
management tool support information.
Licenses
The licensing mechanism is used to provide an easy path for adding product capabilities after initial
product purchase. There are several types of license available.
Note: Please also see the Radware Licensing Model for further information.
Capabilities License
This is available on all platforms and allows you to add product specific capabilities (such as Global
Load Balancing) and APSolute OS capabilities (BWM and IPS, DoS). This license is accumulative it
can both enable a product specific capability and APSolute OS capability for example.
For more information on AppDirector and AppDirector Global capabilities, see Radware Devices Used
in Global Solution, page 295.
20
Enhanced Acceleration
This defines the HTTP compression capacity level and enables capacity upgrade (compression
throughput in Mbps) for AppDirector (version 2.0 and up). HTTP Compression license upgrade does
not require device rebooting.
Enhanced Acceleration
AppDirector comes bundled with basic SSL capabilities (maximum number of transactions per
second - TPS) which can be upgraded by license. This license defines the SSL offload capacity level
and enables capacity upgrade (SSL TPS) for AppDirector (version 2.0 and up). The SSL TPS license
upgrade does not require device rebooting.
TSL License
Enhanced Acceleration
This allows you to handle situations where one organization is responsible for the creation,
distribution and management of Digital ID cards (e.g. Government), and other organizations need to
authenticate users based on the Digital IDs (e.g. Tax management, Health Insurance, Financial
institutes, employers, etc.).
Management Interfaces
The following Management interfaces are supported for AppDirector.
SNMP
FTP server
21
Note: Disabling Auto negotiation also disables the cable type Auto sensing feature (MDIX).
Optical cables are not provided by Radware and need to be purchased separately. Some devices use
SC connectivity and LC. Make sure you have the appropriate cable.
The copper cables that Radware provides are intended for management only and should not be used
for other types of traffic. CAT5 certified copper cables must be used.
When connecting to network switches and working with Radware's proprietary redundancy protocol,
ensure that you disable Spanning Tree or at least enable Port Fast on the relevant ports (on the
switch). You can also set the Spanning Tree to operate in fast learning mode on the relevant ports.
IP Allocation Concerns
Ensure that you have the IP addresses allocated and defined in your network for the AppDirector's
interfaces, new servers, NAT IP addresses (if activated on the AppDirector), DNS IP addresses (if
activated on the AppDirector) and for the redundant AppDirector as well.
22
Management Concerns
Radware management uses SNMP communication running on UDP port 161. Ensure that this
communication port is not blocked by your firewall.
Configuration upload/download action uses TFTP protocol. Ensure that TFTP is not blocked by your
firewall and the management station is not NATed toward the Radware device. As TFTP traffic is
initiated from the Radware device to the management station, a relevant firewall rule should be
configured. UDP ports 162 and 69 are used for TFTP.
Radware devices can also use HTTP, HTTPS, Telnet, and SSH for management. If you choose to
activate one of the above, verify that they are not blocked by your firewall. Traffic direction is from
the management system to the Radware device. Radware devices have a console port for terminal
communication. This uses an RS232 cable (provided by Radware).
Technical Support
Radware offers its Certainty Support Program, a suite of technical support packages in various
levels. You can view all programs at: http://www.radware.com/content/support/default.asp.
Once you purchased the relevant Certainty Support package you can either contact Radware via
email (support@radware.com) or via the phone using our worldwide toll free numbers. An updated
list is available at: http://www.radware.com/content/support/support program/contact.asp.
Additional information about the Radware Certainty Support program is available at: http://
www.radware.com/content/document.asp?_v=about&document=2774.
23
24
25
26
Web Based Management (WBM) is the main management interface for Radware products.
Additionally, you can manage your AppDirector with Command Line Interface (CLI).You can connect
AppDirector devices to management interfaces through network physical interfaces or serial ports.
These port types are supported:
For serial port connection: RS-232 up to 115 Kbps (default is 19,200 Kbps).
This table lists the AppDirector physical interfaces and the supporting management interfaces:
Port
SNMP V1, V3
HTTP
Secure Web
Telnet
SSH
RS-232
27
Web
You can use Web Server Parameters to enable and define to which port the WBM should be assigned.
From the Services menu, select Management Interfaces > Web Server > Web. The Web
Server Parameters window appears.
2.
Parameter
Description
Values: Read Write (default) or Read Only. This setting affects both
WBM and Secure WBM.
When WBM Access Level is set to Read Only, users using WBM or
Secure WBM experience the following limitations:
Cannot change the configuration of the device
Cannot view the Community Table or User Table
Have no access to SSH Public Key Table
SSL keys and certificates cannot be viewed
Configuration File cannot be sent to or received from the device
Software update to the device is not allowed
Cannot reset the device
Note: Setting this requires restarting the device.
3.
28
Secure Web
You can define the parameters for obtaining secure HTTP requests.
Parameter
Description
Supported Browsers
WBM is supported with the following Internet browsers:
Firefox
Web Services
To provide customers with the capability to develop enhanced application monitoring, customized
application delivery network management applications and advanced automation tools, Radware
provides a web services interface on AppDirector via APSolute API, an open standards-based SOAP
(XML) API.
AppDirector Web Services operate via HTTP or HTTPS requests, like a regular web browser and
default disabled. They can be enabled via:
Note: Web Services can only be enabled if either web or secure web management interface are
enabled on the device. Changing the Web Services status requires a device reset.
29
From the Services menu, select Management Interfaces > Web Server > Web Services.
The Web Services window appears.
2.
3.
Parameter
Description
Issuing CLI commands and receiving output via a generic SOAP method.
Ability to configure and monitor the devices via SOAP commands that mirror Radware's SNMP
MIB. Commands include:
a.
b.
For scalar MIB parameter: retrieve (get) the value and change (set) the value
For a MIB table entry: create an entry, delete an entry, update one or more parameters of
an entry, retrieve (get) an entry, retrieve (get) the entire table, walk through the table (get
first entry then get next).
API Reference.
Product overview.
30
Development Environments
Languages
Axis 1.3
Java 1.50
Perl
CLI Command
Explanation
appDirector
AppDirector parameters
classes
device
Device Settings
health-monitoring
help
login
logout
manage
net
Network configuration
nslookup
performance
AD performance
ping
reboot
redundancy
Redundancy settings
security
Security settings
services
shutdown
Shutdown
ssh
statistics
system
System parameters
telnet
trace-route
31
A system config command to view the current configuration of the device, formatted as CLI
command lines.
Pasting the output of system config, or part of it, to the CLI of another device, using the
system config set command. This option can be used for easy configuration replication.
Command history.
Configurable prompt.
Ping: Ping other hosts on the network to test availability of those hosts.
AppDirector#trace-route www.radware.com
trace-route to host 209.218.228.203:
1:
50ms
50ms
50ms 212.150.43.130
2:
50ms
50ms
50ms 80.74.101.129
3:
50ms
50ms
50ms 192.116.214.2
4:
5:
50ms
*
50ms
*
50ms 80.74.96.40
Telnet client: To initiate a Telnet session to remote hosts, use CLI command telnet <IP
address>.
SSH client: To initiate a SSH session to remote hosts, use CLI command ssh <IP address>.
DNS Lookup: Uses configured DNS servers to query IP addresses of a host name. This requires
that DNS client is enabled and DNS servers configured. The DNS client also enables using host
names rather than IP addresses in commands such as trace-route, ping, telnet, etc. Use the
command nslookup <hostname>.
32
Configuring Telnet
A Telnet connection offers the convenience of accessing the device from any workstation connected
to the network. To establish a Telnet connection with the device, run the Telnet program on your
workstation and issue the Telnet command, followed by the device IP address:
Parameter
Description
Telnet Port
Telnet Status
Telnet Session
Timeout
Telnet
Authentication
Timeout
Configuring SSH
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel
between two computers. Encryption provides confidentiality and integrity of data. SSH uses publickey cryptography to authenticate the remote computer and allow the remote computer to
authenticate the user, if necessary. As a secure alternative to using Telnet to manage device
configuration, SSH ensures that all data sent over the network is encrypted and secure.
33
Note: When both password and public key are configured for a user, the Authentication Method
configured in the client software will dictate which authentication is selected for this
user.
From the Security menu select Certificates > Import. The Import PKI Components window
appears.
2.
Import the user SSH public key (Entry Type=Key). See Importing Certificates, page 453 for
details.
3.
From the Security menu select Users. The Users Table and Authentication window appears.
4.
Double-click on the existing user or click Create to add a new user. The User Table Update/
Create window appears.
5.
In the SSH public key name drop-down select the relevant key configured in step 2 and click
Set. The SSH public key is configured for this user.
From the Services menu select Management Interfaces > SSH > Server. The Secure Shell
Parameters window appears.
2.
Parameter
Description
SSH Port
SSH Status
SSH Authentication
Timeout
3.
Enter the SSH Port and set the SSH Status to Enable.
4.
34
Parameter
Description
Note: To access the device via a FTP service, the FTP server must be enabled prior to access
Configuring SNMP
The Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the
exchange of management information between network devices. SNMP is a part of the Transmission
Control Protocol/Internet Protocol (TCP/IP) protocol suite. Radware devices work with the following
versions of SNMP: SNMPv1, SNMPv2, and SNMPv3.
Network management systems contain two primary elements: Managers and Agents. The Manager
is the console through which the network administrator performs network management functions.
Agents are entities that interface with the device being managed, allowing you to change or retrieve
objects. These objects are arranged in what is referred to as Management Information Base (MIB).
SNMP is the protocol that allows managers and agents to communicate to access these objects.
SNMPv3
SNMPv3 contains two communication layers between manager and agent:
User Security Model (USM), which provides secure communication, including message
integrity and privacy.
Parameter
Description
User Name
Use Authentication
Authentication
Protocol
Authentication
Password
Use Privacy
Privacy Password
35
From the Security menu, select SNMP > Global Parameters. The SNMP Global Parameters
window appears.
2.
3.
Parameter
Description
SNMP Port
SNMP Status
From the Security menu select SNMP > User Table. The User Table window appears.
2.
3.
Parameter
Description
User Name
Authentication Protocol
4.
36
Authentication Password
Privacy Protocol
Privacy Password
SNMP Access
The Access table binds the groups, views, and security models. It grants permissions to the groups,
based on the SNMP version. You can define the access rights for each group and security model in
the VACM Group Access window. Objects can be accessed for a read, write, or notify action based on
the Read View Name, Write View Name, and Notify View Name parameters.
These parameters depend on the specified security model. The Read, Write, and Notify permissions
are configured for Family View names, which are defined in the VACM MIB View window, (see VACM
MIB View, page 37).
Parameter
Description
Group Name
Security Model
Security Level
ReadView Name
Name of one or more entries in View Tree Family Table. Specifies which
objects in the MIB tree are readable by this group.
37
4.
Parameter
Description
WriteView Name
Name of one or more entries in View Tree Family Table. Specifies which
objects in the MIB tree are writable by this group.
NotifyView Name
Name of one or more entries in View Tree Family Table. Specifies which
objects in MIB tree can be accessed in notifications (traps) by this group.
From the Security menu, select SNMP > Target Address Table. The SNMP Target Address
Table window appears.
2.
Click Create. The SNMP Target Address Table Create window appears.
3.
Parameter
Description
Name
Address-Port
Tag List
A list of tags separated by spaces. The tags contained in the list can
may be either tags from the Notify table or Transport tags from the
Community table.
Parameters
Mask
Tip: The SNMP Target Address window also allows you to access the SNMP Target parameters
window (see SNMP Target, page 39).
38
SNMP Target
The Target Parameters Table window contains parameters to be used in generating a message.
Entries in this table are referenced in the Target Address Table window.
Parameter
Description
Name
Select the SNMP version that represents the required Security Model.
Security models are predefined sets of permissions that can be used by
the groups. These sets are defined according to the SNMP versions. By
selecting the SNMP version for this parameter, you determine the
permissions set to be used.
Values: Any, SNMPv1 (Default), or User Based (SNMPv3).
Security Name
Security Level
39
4.
Parameter
Description
Index
Community Name
Security Name
Transport Tag
Specifies a set of target addresses from which the SNMP accepts SNMP
requests and to which traps can be sent. Target addresses identified by
this tag are defined in the target address table. If this string is empty,
addresses are not checked when an SNMP request is received or when
a trap is sent. If this string is not empty, the transport tag must be
contained in the value of the tag list of at least one entry in the
target address table.
From the Security menu, select SNMP >Notify Table. The SNMP Notify Table window appears.
2.
3.
Parameter
Description
Name
Tag
This string selects one or more entries in the Target Address table. All
entries whose tag list contains this tag are selected for reception of
notifications.
40
Parameter
Description
User Name
administrator
Authentication Protocol
MD5
Authentication Password
password
Privacy Protocol
DES
Privacy Password
password
Parameter
Description
Group Name
admin
Security Model
USM
Security Level
AuthPrivate
iso
iso
iso
41
Parameter
Description
Security Model
USM
Security Name
administrator
Group Name
admin
b.
c.
To create additional users with the same access rights, open the Users window, and add a
new user. The new user can be cloned from the existing logged in user or from a different
user (see Defining SNMP Users, page 36).
To associate a new user with a group, from the SNMP window, click Add and associate the
new user with a group.
To restrict SNMPv1 and SNMPv2 access to the device, remove the "public" community entry
from the Community window (see page 39).
From the main APSolute Insite window, select Device >Add Radware Device > AppDirector.
The AppDirector icon appears in Site Explorer and/or on the map (depending on the view
selected).
2.
Double-click the AppDirector device icon. The Connect AppDirector Device window appears.
3.
Enter the Device IP Address, and select the SNMPv3 checkbox. The SNMPv3 pane appears.
4.
5.
6.
From the Device menu, select Device Permissions. The Device Permissions window appears.
7.
Click SNMP. The SNMP pane appears containing the following configuration options: Targets,
Views, Users, Community, Access.
8.
9.
42
Parameter
Description
Name
Secure Traps
Message Processing
Model
SNMP Ver 3
Security Model
User Based
Parameter
Description
Security Name
Administrator
Security Level
Auth Private
Parameter
Description
Name
Admins_NMS
Target Address
10.204.100.18
Target Port
162
Target Mask
Tag List
V3Traps
Parameters
Secure Traps
14. Click OK to apply the setup, and OK again to close all windows.
15. From the Options menu select Events & Traps. The Events & Traps window appears.
Parameter
Description
Security Model
Security Name
Group Name
43
From the Security menu, select SNMP > View Table. The SNMP View Table window appears.
2.
3.
Parameter
View Name
Description
Name of this entry.
The MIB view is a sub-set of MIB. You can bind a community name/
username with a MIB view when configuring an agent, to control the
MIB objects that NMS can access.
You can configure the objects in the MIB view as excluded or included;
excluded indicates that not all the nodes on the subtree are included in
the current MIB view, and included indicates that the current MIB
includes all the nodes on the subtree.
Subtree
Subtree Mask
Type
4.
44
Notes:
>> If the number of bits in the subtree mask is greater than the number of nodes of the
OID, the excessive bits of the subtree mask will be ignored during subtree mask-OID
matching.
>> If the number of bits in the subtree mask is smaller than the number of nodes of the
OID, the short bits of the subtree mask will be set to 1 during subtree mask-OID
matching.
>> If no subtree mask is specified, the default subtree mask (all ones) will be used for
mask-OID matching.
Parameter
Description
SNMP Version
User/Community Name
Passwords
Use Authentication
Authentication Password
Use Privacy
Privacy Password
Permissions
Read
Write
Notify
Note: The Configuration file of the device, that contains SNMPv3 users with authentication,
can only be used by the specific device that the users configured. When exporting the
configuration file to another device, passwords need to be re-entered, since passwords
(of SNMPv3 users) cannot be exported from one device to another. Therefore there must
be at least one user in the user table (to change the password) in case the configuration
file is uploaded to another device. Note that this is according to SNMPv3 RFC.
45
Upgrades, page 46
Upgrades
You can upgrade all Radware devices to newer versions with a straightforward FLASH process.
Depending on the maintenance contract, you are either eligible for new versions with new features,
or for maintenance versions only.
Performing an AppDirector device upgrade involves two steps:
Radware releases updated versions of AppDirector software that can be uploaded. You can upgrade
a device using one of these methods:
WBM
CLI
APSolute Insite
A device upgrade enables new features and functions without altering the existing configuration.
New software versions require a password. This can be obtained from the Radware corporate
website. You must obtain this password before you load the upgrade file onto the device. If you do
not supply the correct password during upgrade, you cannot proceed. A maintenance-only upgrade
does not require a password. The password is based on the software version file and on the Base
MAC Address of the AppDirector unit.
Notes:
>> Before upgrading, save the existing configuration file.
>> Before upgrading, refer to the appropriate Release Notes.
>> When downgrading to a software version not supporting the current device license, the
license is lost. Contact Radware for more information.
46
Software Versions
In WBM, click File > Software List. Select the inactive version (Inactive Field has value False),
and change the Active parameters to True. Click Set to record your preferences. You are
prompted to reboot the device.
Notes:
>> Each software version has its own configuration file
>> You can download a new software version by using WBM. For versions using the File
System, the software file is in TAR format and for previous versions, it appears in binary
(BIN) format.
Password
Software version
File
7. If you are upgrading or downgrading to a different major version, enter your case-sensitive
password in the Password field. For instructions on obtaining a password, see step 3 above.
47
In the Software version field, enter the software version that you wrote down in step 1. Note:
the software version also appears in the name of the software update file; for example,
appdirector-ods1-2_00_01.tar is the file for version 2.00.01.
9.
In the File field, click Browse and navigate to the software update file that you downloaded and
unzipped. You are looking for a file named: appdirector_[platform]_[major version]_[minor
version]_[bugfix version].tar.
Caution: Configuration changes cannot be performed until any pending reboot has completed.
The configuration file can be received from the device in the following ways:
1.
2.
3.
Note: Commands which require rebooting the device, including BWM Application Classification
Mode, Application Security status etc. Copying and pasting a command from this section
takes effect only after the device is rebooted.
48
Note: The signature is validated only when sending a complete configuration to the device in
Replace mode.
By uploading the file using WBM and selecting the option - Append Commands to
Configuration File in the Upload Configuration File to Device window.
By performing the terminal command
All commands requiring the reboot of the device are implemented first.
The Append and Reboot method is supported using the following options:
a.
By uploading the file using WBM and selecting the option - Append Commands to
Configuration File with Reboot in the Upload Configuration File to Device window.
49
Replace - You can replace the complete configuration file with a new configuration file. This
requires rebooting the device. You can upload the configuration file to the device as follows:
a.
By uploading the file using WBM and selecting the option - Replace Configuration File in
the Upload Configuration File to Device window. When using this option, you can upload a
configuration file to the device in CLI format.
Note: system config upload replace does not support configuration from previous
versions.
The user can clear the file via the following menu:
File > Configuration > Log File > Clear.
The user can download the file via the following menu:
File > Configuration > Log File > Download.
The user can display the file via the following menu:
File > Configuration > Log File > Show.
2.
CLI - The following command is used to view the Configuration Management logfile:
Note:
>> If there is no room on the device's compact flash to store the file, the device does not
log any information within the log file.
>> Each event is also sent via Email, Syslog, SNMP traps and console trap.
50
Parameter
Description
Replace
Configuration File
Append Commands Used when a new configuration file is a text file containing CLI
to Configuration File configuration commands and you want to execute only those commands.
The CLI commands are appended to the device's existing configuration
file and executed.
Append Commands Similar to above except that the device is rebooted after the commands
to Configuration File have been appended to the configuration file.
with Reboot
3. Enter the name of the file you want to send. Alternatively, click Browse to search the directory
tree for the file.
4. Click Set. The file is uploaded to the device.
Parameter
Description
Regular
Peer (Active-Active)
51
Parameter
Description
Backup (ActiveBackup)
4.
5.
Log Files
A server log is a log file (or several files) automatically created and maintained by a server of
activity performed by it.
A typical example is a web server log which maintains a history of page requests. More recent
entries are appended to the end of the file. Information about the request, including client IP
address, request date/time, page requested, HTTP code, bytes served, user agent, and referer are
added. These data can be combined into a single file, or separated into distinct logs, such as an
access log, error log, or referer log. However, server logs do not collect user-specific information.
These files are usually not accessible to general Internet users, only to the webmaster or other
administrative person.
Logfile Clear
The Clear Error Log window allows you to clear data contained in the configuration log file.
From the File menu, select Logfile > Clear. The Clear Error Log window appears.
2.
Logfile Download
The Download Error Log window allows you to download the log file that contains configuration
errors. Once the file is downloaded, you can view it.
52
Note: For users of Radwares APSolute Insite, you can also upgrade your AppDirector device
licence. For further details, see the APSolute Insite User Guide.
53
To upgrade a license
1.
From the Device menu, select License Upgrade. The License Upgrade window appears.
2.
Parameter
Description
License ID
Throughput License ID Manages the device throughput license ID and must be provided to the
Radware ordering department when a new throughput license is
required.
Insert your
Throughput License
Code
Enhanced Acceleration
SSL CPS License ID
54
Parameter
Description
Compression on
server's side License
ID
Insert your
Compression on
server's side License
Code
3. Enter your new license code, located on your CD case (or downloaded from www.radware.com),
in the License Code field.
55
2.
3.
4.
Click Enter. A message is displayed in the command line indicating the license has been
updated.
Note: To upgrade, you must be using Port =10G. The device must be reset.
5.
Type reboot to reset the device, and then type yes to confirm the reset.
Managed Devices
Standard Acceleration
When in Acceleration disabled mode, and using AppXcel devices managed by AppDirector with TCP
splitting, the configuration must be configured in the Managed Devices Table. AppDirector opens a
SSH/Telnet connection to the management IP of each AppXcel configured in its Managed Devices
Table and sends it relevant information regrading the availability and load of backend servers.
From the Device menu, select Manage Devices. The Manage Devices Table window appears.
2.
Parameter
Description
Device Name
Description
Management IP
Management
Application
Management Port
Admin Status
Username
56
Parameter
Description
Password
Connection Status
(Read Only)
#Sent Messages
(Read Only)
#Received Messages
(Read Only)
Resetting Devices
You may have made various changes to configurations and settings and need to reset the device for
these changes to take effect. You can reboot the device at any given time.
Device Shutdown
If you need to shutdown the device (assuming you have the required administrator privileges), use
this procedure.
57
Tuning AppDirector
This section describes interfaces and methods for tuning AppDirector. Use Tuning to determine the
maximum number of entries allowed in the various tables listed. This section includes:
Device Tuning
The Device Tuning window allows you to tune the AppDirector device. The values in the fields are
synchronized and any changes are implemented after the device reset.
From the Services menu, select Tuning > Device. The Device Tuning window appears.
2.
58
Parameter
Description
IP Forwarding Table
(Read Only)
After reset, the limit on the number of entries in the ARP table.
After reset, the limit on the number of entries in the client table.
Parameter
Description
After reset, the limited number of entries for the Hosts Table.
59
Parameter
Description
Displays the number of entries the session the table can hold
after a reset.
Enhanced Acceleration
Acceleration Engine RAM
Percentage For Cache
You can determine the maximum number of entries allowed in the various tables in the following
Device Tuning Table tabs:
AppDirector
BWM
Security Settings
60
Note: Most of the parameters in the BWM and Security Settings tabs described above only
exist in devices with BWM and IPS activated.
You can also define the security parameters for your previously defined security policy. The values in
the fields are synchronized, and any changes are implemented after the device is reset.
Caution: Device Tuning should only be performed after consulting Radware Technical
Support.
Parameter
Description
Description (Read
Only)
Name
This value includes the full name and version identification of the system's
hardware type, software operating-system, and networking software.
System Up Time
(Read Only)
Contact
Bootp Server
Address
Bootp Threshold
Sets the BootP threshold. (The number of seconds that the device will
wait before relaying requests to the BootP server).
The device forwards BootP requests to the BootP server and acts as a
Bootp relay.
Software Version
(Read Only)
61
3.
Parameter
Description
Hardware Version
(Read Only)
Parameter
Description
IP Forwarding Table
(Read Only)
Routing Table
(Read Only)
Hosts Table
(Read Only)
Defines the relationship between host names and Layer 4 Policy entry.
Request Table
(Read Only)
62
Parameter
Description
SNMP Communities
Logical Servers
Default: 20
You can configure the physical servers you have included in your server
farm including:
maximum number of application server connections.
maximum number of frames per second dispatched to the server
since the last reset
number of currently active users attached to server
number of frames per second dispatched to server
number of frames sent to server
Farms
NHRs
VIP NHR
The VIP NHR Table enables you to associate a next hop router, that is
configured in the NHR Table, to a virtual IP address configured on the
device, for example a Server Farm.
63
Parameter
Description
Policy Table
Network Table
Destination Table
Content Table
The device uses content searches in the Layer 7 policies that can be
defined for BWM.
MAC Groups
Maximum number of traffic flows for a single policy. Used only for
bandwidth management per traffic flow.
Protocol Discovery
Reports
Group of Layer 4 ports for UDP and TCP traffic only. Each group is
identified by its unique name. Each group name can be associated with
a number of entries in the Application Port Groups table.
64
Parameter
Description
Client Table
Keeps track of which clients are connected to which servers for each of
the Local Farms.
Contains information about the server selected for each client (Source IP
address) in each farm, defined as a percent of the Client Table size. While
setting Layer 3 Client Table entries, note the number of entries in the
Client Table opened for each new session. For example, if for each
session there are 5 Client Table entries, set the size of the table to 20%.
Parameter
Description
Parameter
Description
Outbound NAT
Addresses
Outbound NAT Ports per Defines number of ports used with each NAT IP address.
Address
Note: Before enabling Outbound NAT, this parameter must be set to a
value higher than zero.
Outbound NAT
Intercept Addresses
65
Security Tuning
Security tables store information about sessions passing through the device and their sizes, which
are correlated to the number of sessions. Some of the tables store Layer 3 information for every
Source-Destination address pair of traffic going through the device. These pairs require an entry for
each combination. Some of the tables need to keep information about Layer-4 sessions, which
means that every combination of Source Address, Source Port, Destination Address and Destination
Port requires its own entry in the table.
Note: Layer-4 tables are usually larger than Layer-3 tables. For example, a typical TCP client,
using HTTP, opens several TCP sessions to the same destination address.
Each Security table has its own Free-Up process, which is responsible for clearing the tables of old
entries that are no longer required, and ensuring that all detected attacks are reported and logged
properly. The Free-Up Frequency for each table determines how often the device clears unnecessary
entries from the table and stores information about newly detected security events in a dedicated
internal alerts buffer. The alerts are then distributed to the logfile, SNMP management station, and
Syslog server, as required by the configuration. The alerts buffer ensures that the device is not
overloaded with alerts distribution.
You can tune the Security tables according to your needs. Descriptions of the Security tables and
their tuning parameters are shown here.
Parameter
Description
Configures how often alerts are read from the internal alerts buffer
and sent to the Log File. If the device is busy, change this value to
1,000 ms. to ensure that all alerts are logged on time.
Target Table
Source Table
DHCP Discover
66
Parameter
Description
IP Reassembly buffers
pool size (MB)
Parameter
Description
Session Passive
Protocol
Records passive protocol port commands, so that all related sessions can
be linked together.
Sufficient memory available for the pending table size updates. Reboot to update the table
sizes: Click Reboot to reboot the device and apply the changes.
# Kbytes are missing for the pending table size updates. Reduce the size of the tables using
dispensable memory to accommodate the required updates: Click tables to access the
Device Tuning windows and adjust the tables according to the amount of memory required.
67
Tuning Statistics
In the Tuning Statistics window you can view and edit the statistics tuning parameters. The changes
take effect after the reset.
From the Services menu select Tuning > Statistics. The Statistics Tuning window appears.
2.
3.
Parameter
Description
Standard Acceleration
The BWM Tuning window allows you to tune and view the Bandwidth Management tables.
From the Services menu, select Tuning > BWM. The BWM Tuning window appears.
2.
68
Parameter
Description
Policy Table
Number of traffic flows for which the device can provide bandwidth
or limit the number of sessions.
Maximum value: 100,000
Number of traffic flows for which the device can provide bandwidth
or limit the number of sessions after reset.
Destination Table
Classifier Tuning
A Classifier packet first flows into the system through the classifier. Its the classifiers duty to decide
what to do with the packet. How the classifier treats packets passing through is governed by the
Bandwidth Management policy that best matches the packet and by these tuning parameters.
From the Classifier Tuning window you can view and edit the Classifier tuning parameters. The
changes take effect after the reset.
Parameter
Description
Network Table
Network Table After Reset Displays number of ranges entered in the table after reset.
Default: 32
Discrete IP Addresses Per
Network
Subnets Per Network After Displays number entries in table for network subnets after reset.
Reset
Default: 32
MAC groups Table
69
Parameter
Filter Table
Description
Displays number of basic filter entries in table.
Default: 32
OR Group Table
Content Table
3.
70
Parameter
Description
SYN Protection Attack Detection Sets number of entries for counting new TCP sessions for
Entries
detecting syn attacks and creating triggers.
SYN Protection Attack Detection Number of entries in the SYN Flood Attack Detection Entries
Entries After Reset
after reset.
SYN Statistics Entries
71
From the Services menu, select Tuning > Security > Application Security. The Application
Security Tuning window appears.
2.
Parameter
Description
Source Table
Target Table
Represents the current size of the table for destination entries. This
table contains attacks detection mechanism, which is based on the
destination addresses of the incoming traffic. If the number of packets
sent to the same destination is above the predefined limit, this is
identified as an attack. The Target Table tuning parameter defines in
how many sessions to check the destination address.
The size of the table for destination entries that you define. The
settings are applied after reset.
Represents the current size of the table for both source and
destination entries, which are counted as one.
The size of the table for both source and destination entries that you
define. The settings are applied after reset.
DHCP Table
The current number of entries in the DHCP Table that contains attacks
detection mechanism based on counting of IP requests for each MAC
address. The requests are made using the Dynamic Host
Configuration Protocol. When the number of IP requests for a
particular MAC address is above the predefined limit, an attack is
identified. The DHCP Discover tuning parameter determines for how
many MAC addresses to check the number of IP requests.
DHCP Table After Reset The number of entries in the DHCP Table after reset.
Maximal number of
Maximum number of user defined groups that can be defined on the
groups to be defined by device.
user
Maximal number of
Maximum number of user defined groups that can be defined on the
groups to be defined by device after reset.
user after reset
72
Parameter
Description
Maximal number of
attacks to be defined
by user
Maximal number of
attacks to be defined
by user after reset
IP Reassembly buffers
pool size [MB]
IP Reassembly buffers
pool size after reset
[MB]
Maximal number of
entries in NCPF table
Maximal number of
entries in NCPF table
after reset
Maximal number of
Maximum number of entries that can be defined in the Suspend table.
srcIPs in Suspend Table
Maximal number of
Maximum number of entries that can be defined in the Suspend table
srcIPs in Suspend Table after reset.
after reset
Maximal number of
Anti-Scanning IP pairs
Table
Maximal number of
Anti-Scanning IP pairs
Table after reset
Standard Acceleration
Behavioral DoS Tuning Parameters enable you to set the maximal number of Behavioral DoS
policies. The default number of policies for Behavioral DoS is 10. If you wish to configure more, you
must reset the number of policies allowed.
Note: When you update a value for a Behavioral DoS, you can check whether there is enough
free memory for the requested value.
73
From the Services menu, select Tuning > Security > Behavioral DoS. The Behavioral DoS
Tuning Parameters window appears.
2.
3.
74
Parameter
Description
Maximal number of
Behavioral DoS
policies
Maximal number of
Behavioral DoS
policies after reset
Monitoring AppDirector
This section includes notifications features and threshold settings. It includes these topics:
Notifications, page 77
Device Information
This feature helps you to understand the fundamentals of your installed Radware device and
accompanying software.
Note: Please quote this information when you seek assistance from Radware Technical
Support.
Parameter
Description
Name
System Up Time
Type
Platform
Ports
Number of Ports
Ports Config
License Information
Throughput
SSL CPS
Compression
75
Parameter
Description
Version Information
Hardware Version
Software Version
Build
Date and time stamp with the build number of the software.
Version State
APSolute OS
Version
Network Driver
Platform Information
RAM Size (MB)
Hard Disk(s)
Serial Number
Date
Time
Active Boot
Secondary Boot
Power Supply
Enhanced Acceleration
Compression Card
Status
76
Number of Cores
Number of CPUs
Device Monitoring
Device Monitoring provides an overview of the devices configuration from a single window. From the
Device Monitoring window the following information can be viewed and accessed.
Parameter
Description
Farms
Each icon is also a link and clicking on a specific icon displays the
relevant Application Server Table Update window for the selected
server.
Refresh Interval
[sec]
This field defines the rate at which the Device Monitoring window is
refreshed and updated.
Default: 60 seconds.
2. To change the Refresh Rate, enter the required value in the field and click Update.
Notifications
Radware devices provide a choice of event notification methods including:
CLI Traps
Device Log
SNMP Traps
Syslog
Emails
CLI Traps
When connected to any Radware product through a serial cable, the device generates traps when
events occur. For example, if a Next Hop Router fails, AppDirector generates the following error:
77
on - traps are sent via all CLI access protocols (serial, Telnet, SSH)
Event Log
All the events are logged on the device and can be viewed.
From the Services menu, select Logging > Event Log. The Event Log window appears showing
an Event Number and an accompanying description.
Parameter
Description
Event Number
Event Description
2.
Click Event Number to select the event that you wish to display.
3.
To configure the number of results per page, choose from the accompanying dropdown for
50,(default), 25,10 or 100 results per page.
4.
78
SysLog
Any event traps generated by AppDirector can be mirrored to a specified Syslog server, (a device
running the syslog service - syslogd). AppDirector supports sending events to up to 5 Syslog
servers.
Parameter
Description
Syslog Server
Address Or
Hostname
The URL/IP Address of the syslog station, the device running syslog
service.
Syslog Server
Operational Status
Syslog Server
Source Port
Configures the source port with which Syslog packets will be sent.
Syslog Server
Destination Port
Configures the destination port with which Syslog packets will be sent.
Syslog Facility
UUCP
Clock Daemon
Mail System
Security messages
System Daemons
FTP Daemon
Authorization Messages
NTP Daemon
Syslogd Messages
Log Audit
Log Alert
Clock Daemon2
Local Use 0, 1, 2, 3, 4, 5, 6
(default), 7
79
SNMP Traps
This enables you to set the size of the traps log by entries.
From the Services menu, select Logging > SNMP Traps. The Traps Logging window appears.
2.
3.
Parameter
Description
Trap Logging
E-mail Notification
The device can send notifications on events to administrators via email. For each user you can
configure whether it should receive notifications via email (by defining an email address for the
user) and the minimal event severity reported via SNMP traps and email. The user will receive traps
of configured severity and higher. The severity levels are: Info, Warning, Error and Fatal. For email
address and notification severity configuration per user see - Users (link to users configuration).
Note: AppDirector optimizes the mailing process by gathering reports and sending them in a
single notification message once the buffer is full or once a timeout of 60 seconds
expires.
From the Services menu, select Logging > Email Reporting. The Email Error Reporting
window appears.
2.
3.
80
Parameter
Description
Send Emails on
Errors
To Field Text
Parameter
Description
SMTP Server
Alternate SMTP
Server Address
Backup Device Email Sets the email of the Backup AppDirector device. This is used when the
Address
device is configured as an SMTP client.
You can configure AppDirector as an SMTP client, allowing it to send
email messages to specified users. This feature can be used for sending
trap messages. In the User Table, each user is assigned a trap severity
level (Info, Warning, Error, or Fatal) and receives emails according to that
severity level.
For example, a user assigned the severity level Error, receives emails for
events with the severity level Error and Fatal.
Own Email Address
Note: To receive emails about errors, you need to enable features related to mail sending,
such as Send Emails on Errors and for each user set email address and Severity level in
the Users Table.
81
Configuration Auditing
Configuration Auditing is the process of logging every configuration change and activity. When
Configuration Auditing is enabled, the device keeps track of all changes made to the configuration.
When a user creates a new configuration object, the device reports the action, e.g. user created a
new farm or added a server to a farm. The device sends an event in CLI format (if the user created
the object via Web Based Management). If the user modifies the existing entry, the device also
reports the old and new values of the changed parameter. Deletions of objects are reported in the
same CLI format.
Where there is no CLI equivalent to a Web Based Management, the device reports the parameters
MIB Name.
The notification message contains these details:
Configuration Auditing is enabled or disabled per device and it affects all users and all management
interfaces. The default is disabled.
2.
Select enable.
3.
2.
Select disable.
3.
82
AppDirector Thresholds
To optimize AppDirector configuration and resource thresholds, AppDirector can indicate and alert
usage of various tables and other parameters. AppDirector continuously monitors this usage and can
notify you when usage thresholds are exceeded. Threshold warnings are available for the following
tables and parameters.
Parameter
Description
Send Threshold
Warnings
Client Table
Threshold Level
Application Servers
Connection Limit
Threshold Level
Default: 85
Default: 85
When the number of sessions to an application server exceeds 85% of
the Connection Limit configured for that server, a trap is sent.
Physical Servers
Connection Limit
Threshold Level
Farms Capacity
Threshold Level
Client NAT
Threshold Level
Percentage of Client NAT ports usage above which a trap is sent. Default:
85
When 85% of Client NAT ports for any Client NAT address are used, a
trap is sent.
83
Parameter
Description
Outbound NAT
Threshold Level
Session ID
Threshold Level
Requests Threshold
Level
CPU Utilization
Threshold Level
Throughput
Supports configurable overflow alert threshold for licensed throughput
Utilization Threshold utilization. The default for the threshold level is 90%.
Level
(Mbps)
SSL CPS Utilization
Threshold Level
Compression
Supports configurable overflow alert threshold for licensed compression
Utilization Threshold utilization. The default for the threshold level is 90%.
Level (Mbps)
3.
Tunable Tables
The Tunable Tables Usage Statistics window provides you with information regarding the utilization
of various tables in AppDirector.
84
Parameter
Description
Table Name
Current Entries
5 sec Average
60 sec Average
Parameter
Description
NAT Address
Current
Average
Parameter
Description
NAT Address
Current
Average
85
Parameter
Description
Farm Name
Server Address
Current
Average
Server Port
Parameter
Description
Server Name
Current
Average
86
Parameter
Description
Farm Name
Current Connections
Number
Average Connections
Number
2. Select the desired farm name. The Farm Capacity Level Update window appears, which contains
the following read-only parameters.
Parameter
Description
Farm Name
Attached Users
Peak Load
Frame Rate
Distribution Threshold
Reached
Capacity Threshold
Reached
Number of HTTP sessions which arrived for this farm and were
redirected to remote/distributed servers.
Redirected Triangle
(last second)
Number of RTSP sessions which arrived during the last second for this
farm and were redirected to remote/distributed servers.
Current Connections
Number
Average Connections
Number
87
Parameter
Description
Total number of SIP sessions which arrived for this Farm during the last
second.
Layer 2 Feature
ODS1 and
ODS1 XL
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Switch VLAN
No
Yes
Yes
No
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
Yes
Yes
No
STP 802.1d
No
Yes
Yes
No
From the Device menu, select Physical Interface. The Physical Interface window appears.
2.
88
Parameter
Description
Port Index
Parameter
Description
Speed
Duplex
Whether the port allows both inbound and outbound traffic (Full Duplex)
or one way only (Half Duplex).
Note: According to standards, this parameter can be changed only
for copper ports with a speed lower than Giga Ethernet. Once
this parameter is changed the Auto Negotiate parameter is
set to Off.
Auto Negotiate
Automatically detects and configures the speed and duplex required for
the interface.
3. Select the required port. The Physical Interface Table Update window appears.
4. Update the required fields and click Set. Your configuration is set.
Interface Description
89
Interface Speed
MAC Address
4.
90
ifINOctets
InUcastPkt
InNUcastPkt
ifINDiscards
ifINErrors
ifOutOctets
OutUcastPkt
OutNUcastPkt
ifOutDiscards
ifOutErrors
Virtual LAN
A Virtual LAN (VLAN) is a group of devices on different physical LAN segments or on a single LAN
segment, which can interact with each other as if they were all on the same physical LAN segment.
In other words, a VLAN is a group of PCs, servers and other network resources that behave as if
they were connected to a single, network segment even though they are not, physically. They are
able to share resources and bandwidth as if they were connected to the same section.
Some switches are configured to support single or multiple VLANs. When a switch supports multiple
VLANs, the broadcast domains are not shared between the VLANs.
Unknown unicast frames and broadcast frames are forwarded to all ports.
Note: AppDirector devices support up to 64 regular or switched VLANs and up to 2048 VLAN
IDs.
Regular VLAN
A Regular VLAN can be described as an IP Bridge (a software bridge) between multiple ports that
incorporates all the traffic redirection of passing traffic at all layers (Layer 2-Layer 7). Two protocols
can be used with Regular VLANs:
IP Protocol: The VLAN must be assigned an IP address. All of the traffic between ports is
intercepted transparently by AppDirector. Packets that need intelligent intervention are checked
and modified by AppDirector and then forwarded to the relevant port. Other packets are simply
bridged by AppDirector as if they were on the same wire.
Other Protocol: An Other protocol VLAN cannot be assigned an IP address. This type of VLAN is
used to bridge non-IP traffic through AppDirector. To handle both packets that need intelligent
intervention and non-IP traffic, you can configure IP VLAN and Other VLAN on the same ports.
Switch VLAN
Switch VLAN provides wire-speed VLAN capabilities implemented through the hardware switch fabric
of the AppDirector device. Depending on the protocol defined for the Switch VLAN, frames are
treated accordingly.
Switch VLAN Protocol: Frames arriving at the VLAN port are switched according to Layer 2
information. AppDirector does not intercept this traffic.
IP Protocol: Frames reaching the VLAN port are switched according to Layer 2 information,
except those whose Layer 2 address is the same as the AppDirector port Layer 2 address.
Frames with AppDirector Layer 2 destination are processed by AppDirector and then forwarded.
91
VLAN Configuration
A VLAN configuration procedure involves:
1.
Creating a VLAN
2.
In addition you can change the Ethernet type and mask used by all VLANs.
VLAN Parameters
Here you can configure the VLAN Ethernet type and mask per the device.
From the Device menu, select VLAN Parameters. The VLAN Parameters window appears.
2.
3.
Parameter
Description
To view/create a VLAN
1.
From the Device menu, select VLAN Table. The Virtual LAN Table window appears. The Virtual
LAN Table window appears.
2.
Parameter
Description
Interface Number
Type
Protocol
92
Required VLAN protocol. You can choose IP or Switch VLAN only when
the VLAN type is Switch. Otherwise, the protocol is IP or Other
(default).
Parameter
Description
Up Criterion
Down Criterion
3. To create a new VLAN, click Create. The Virtual LAN Table Create window appears.
4. For editing, in the Virtual LAN Table window, select a VLAN to update.
5. Click Edit. The Virtual LAN Update window appears.
6. Set the parameters.
7. Click Set. Your configuration is set.
93
In the Virtual LAN Table window, in the VLAN Port Table section, click Create. The VLAN Port
Create window appears.
2.
Parameter
Description
The Layer 2 interface you want to attach to the VLAN. Can be port
index, trunk index, or Switch VLAN.
Port Type
Values:
Static: configured by the user.
Dynamic: autoconfigured by the remote server.
Port Interface
Grouping State
3.
Bridging
Once a regular VLAN is defined, AppDirector performs bridging among interfaces assigned to the
same VLAN. Bridging within a VLAN means that AppDirector learns the MAC addresses of frames
arriving from each physical interface, and maintains a list of MAC addresses per interface.
AppDirector enables you to statically add MAC addresses to the interface list.
When a frame arrives from one interface, AppDirector looks for the frame Destination addresses
within its address list according to the following conditions:
If the Destination address is listed in the same interface as the Source address, AppDirector
discards the frame.
If the Destination address is listed in another interface, AppDirector forwards the frame to the
relevant interface.
If the Destination address is not listed in any interface, AppDirector broadcasts the frame to all
interfaces participating in the VLAN.
94
Parameter
Description
Bridge Address
(Read Only)
Forwarding Table
Aging Time
How many seconds learned entries remain in the Forwarding Table. The
counter is reset each time the entry is used. After this time, entries are
deleted from the table.
Minimum: 10 seconds.
Parameter
Description
MAC Address
Port
Port through which node has been learned. Port through which frames are
received from this entry.
Status
Describes how node entry was added to the list, and indicates status
Learned: The entry was automatically learned.
Self: The entry is a device port.
Mgmt: The entry is a static node manually entered using the Edit
button.
Other: Node status cannot be described by above.
95
From the Bridge menu, select Static Forwarding Table. The Static Forwarding Table window
appears.
2.
Click Create. The Static Bridge Forwarding Table Create window appears.
3.
Parameter
Description
Status
4.
VLAN Tagging
VLAN Tagging is an IEEE standard (802.1q) for supporting multiple VLANs associated with the same
switch port. Each VLAN is tagged with a unique identifier to allow the identification of different VLAN
traffic on the same physical port. This protocol allows individual VLANs to communicate with one
another with the use of a Layer 3 router.
AppDirector can rewrite VLAN Tags or retain the tags on packets that pass through it. For
AppDirector to support VLAN Tags, by either forwarding or overwriting them, support for a 802.1q
environment must be enabled. By default VLAN Tags are not supported on AppDirector. When the
status of VLAN Tag support is changed, you need to reboot the device.
Note: If you want 8021q information, you need to capture what is being sent to the
AppDirector on the neighboring switch. Therefore 8021q header information cannot be
displayed in the packet capture.
96
All Health Check packets from AppDirector to Next Hop Routers, including Full Path Health
Monitoring.
ARP requests and responses from AppDirector to the Next Hop Routers.
If an IP interface does not have a VLAN tag configured, then the packets are sent without a tag
(standard Layer 2 MAC header).
Configurable VLAN ID values range from 0 to 4095. AppDirector automatically sets the 802.1p
portion of the tag (the first three bits) to 000. If a packet arrives without a VLAN tag, to a
Destination interface of AppDirector with VLAN tag, AppDirector sets a tag on the packet according
to the Destination local subnet, even if its in retain mode and behaves as in overwrite.
Note: 802.1p is a specification for giving Layer 2 switches the ability to prioritize traffic (and
perform dynamic multicast filtering).
Parameter
Description
Retain
The device preserves existing VLAN tags on the incoming traffic that
passes through the device.
Traffic generated by the device is tagged according to IP Interface
configuration.
97
Parameter
Description
Overwrite (Default) The device performs VLAN Tagging of outgoing traffic in accordance with
IP Interface configurations. AppDirector sets tags for packets according to
the following parameters:
Destination IP of the packet if it is on the same local subnet with
AppDirector OR
MAC address of the firewall that is configured on AppDirector and
through which the packet is sent.
4.
Notes:
>> STP is NOT supported on OnDemand Switch 1 Platforms.
>> Spanning Tree is supported only for IP-Regular and IP-Switch VLANs.
>> When working with STP in redundant configuration, VRRP redundancy mechanism must
be used and the primary device must have the lowest Bridge ID.
From the Bridge menu, select STP > Global Parameters. The STP Global Parameters window
appears.
2.
Parameter
Spanning Tree Mode
Description
Disables Spanning Tree support per VLAN.
Values: Disabled (Default) or Per-VLAN (enabled).
98
Parameter
Description
Value represents the maximum time, in seconds, the device waits for a
BPDU packet before it tries to re-configure.
Values: 6 - 40 seconds.
Default: 20 seconds.
Default Forward Delay Time that the device waits before changing the port`s state.
Time [sec.]
Values: 4 - 30 seconds.
Default: 15 seconds.
Default Port Priority
Value represents port priority. When 2 (or more) ports have same
value, device uses port with lowest MAC address.
Values: 0 - 240 seconds.
Default value: 128 seconds.
Note: Default values will take effect only after a reboot, or when creating new instances.
Notes:
>> Spanning Tree per VLAN is supported only when the VLANs do not share any physical
ports (each VLAN has its own physical ports).
>> Regular VLAN defaults UP/Down criterion are set to Down: 1 port Up: All Ports. To work
affectively with STP redundancy it should be set to Down:All ports Up: 1 Port
99
Parameter
Description
VLAN ID
VLAN to apply these settings to, alternatively you may apply the
settings to multiple VLANs.
Bridge Priority
Maximum Aging Time Maximum time, in seconds, that the device waits for a BPDU packet
[sec.]
before it tries to re-configure.
Values: 6 - 40 seconds. Default: 20 seconds.
Hello Time [sec.]
4.
STP Status
From the Bridge menu, select STP > Ports. The STP Port Information window appears.
2.
Select the relevant port from the table. The STP Port Information Update window reappears.
3.
Parameter
Description
Priority
Represents port priority. When two (or more) ports have the same
value, the device uses the port with the lowest MAC address.
Values: 0 - 240 in multiples of 16.
Default: 128
Path Cost
This sets the spanning tree path cost for this port.
Values: 1 - 65535, defined automatically according to port speed. You
can also change this value.
Note: Default values for costs on the devices ports are influenced by
the port speed.
Port Speed versus Path Cost
100
10Mbps /100
100Mbps /19
1Gbps /4
10Gbps/ 2
Parameter
Mode Fast
Description
When enabled, this port will change its status to forwarding state.
Values: Enabled / Disabled (default).
STP Status
Enables STP support on the selected port. When disabled, the physical
port does not participate in STP.
Values: Enabled (default)/ Disabled
The port trunking feature allows you to define up to seven trunks, (on OnDemand Switch 1, 2 , 3, VL
and XL platforms. Up to eight physical links can be aggregated into one trunk. All trunk
configurations are static. To provide optimal distribution for different scenarios the load sharing
algorithm allows decisions based on source or destination (or both) Layer 2 address (MAC), Layer 3
address (IP), and Layer 4 address (TCP/UDP port numbers). These parameters are used as input for
a hashing function
Link aggregation also provides load balancing where the processing and communications activity is
distributed across several links in a trunk ensuring that no single link is overwhelmed. By taking
multiple LAN connections and treating them as a unified, aggregated link, you can achieve higher
link availability and increased link capacity
Port Trunking is supported according to the IEEE 802.3ad standard for Link Aggregation as follows:
Link Aggregation is supported only on links using the IEEE 802.3 MAC
Link Aggregation is permitted only among links with the same speed and direction. On the
device bandwidth increments are provided in units of 100Mbps and 1Gbps respectively
The failure or replacement of a single link within a Link Aggregation Group will not cause failure
from the perspective of a MAC client.
Note: AppDirector does not support the Link Aggregation Control Protocol (LACP), only a static
trunks configuration.
MAC Client traffic can be distributed across multiple links. To guarantee the correct ordering of
frames at the receiving-end station, all frames belonging to one conversation must be transmitted
through the same physical link. The algorithm for assigning frames to a conversation depends on the
application environment. Radware devices can define conversations upon Layer 2, 3, or 4
information, or on combined layers.
101
From the Device menu, select Link Aggregation > Global Configuration. The Distribution
Method window appears.
2.
Parameter
Description
Layer 2
Layer 3
Layer 4
3.
102
Parameter
Description
Trunk Index
Trunk Status
Parameter
Description
Trunk Index
103
Notes:
>> The same algorithm must be applied on the other switch in the trunk.
>> OnDemand Switch 1 and VL implement link aggregation via software and not at the
switch level, (these platforms do not include a Layer 2 switch hardware component).
Therefore, you cannot define trunks as participants in port mirroring, on these
platforms.
Trunk Management
You can define a management trunk (T-MNG) that only includes the management ports (MNG-1 and
MNG-2). The management ports cannot be a part of any other trunk. Using the management trunk
provides redundancy at the physical level for connectivity to the management network.
One link is active while the other is in backup mode. Failure of the active link seamlessly activates
the backup.
Port Mirroring
Port Mirroring enables the AppDirector device to duplicate traffic from one physical port on the
device to another physical port on the same device. This is useful, for example, when an Intrusion
Detection System (IDS) device is connected to one of the ports on the AppDirector device.
You can configure port mirroring for received traffic only, for transmitted traffic only, or for both. You
can also decide whether to mirror the received broadcast packets.
From the Device menu select Port Mirroring. The Port Mirroring Table window appears.
2.
3.
Parameter
Description
Input Port
Output Port
Receive\Transmit
104
Parameter
Description
Promiscuous Mode
You can either copy all traffic from the input port to the output port or
to copy only traffic destined for the input port. Select either:
Enabled (default): All traffic is copied to the Output Port.
Disabled: Only traffic destined to the Input port is copied.
Note: The difference between enable / disable status is the ARP
packet. If you set Promiscuous mode to enable, you can
receive ARP packets with MAC address FF-FF-FF-FF-FF-FF or
you can receive ARP packets without the MAC address FFFF-FF-FF-FF-FF.
Notes:
>> Device Port mirroring is not supported with VLAN or OnDemand Switch 1.
>> OnDemand Switch 2 supports port mirroring of up to 4 ports.
>> For OnDemand Switches 2 and 3, the trunk cannot be a port mirroring destination but
can be a source. For OnDemand Switches VL and 1, trunks cannot participate at all in
port mirroring.
>> When mirroring traffic from a port which is part of a Switch VLAN, since traffic between
hosts on this VLAN is switched by the ASICs of the device, this traffic is not mirrored.
>> When mirroring traffic is received on a physical port, which is part of a Switch VLAN, and
if the mirrored port is configured to mirror Received Broadcast packets then these
packets are mirrored from all ports on the Switch VLAN.
>> Traffic generated by the device itself, such as Connectivity Checks or management
traffic, is not mirrored by Port Mirroring.
>> Using Regular VLAN, traffic with destination multicast MAC is not always mirrored.
>> You can copy traffic from one Input Port to up to two Output Ports, or from many Input
Ports into one Output Port.
105
Interface IP Addresses
IP addresses can have up to 32-bit binary numbers with each 32-bit IP address consisting of two
sub-addresses; one identifying the network, and the other identifying the host of the network, with
an imaginary boundary separating the two. The location of the boundary between the network and
host portions of an IP address is determined through the use of a subnet mask. A subnet mask is
another 32-bit binary number that acts like a filter when it is applied to the 32-bit IP address. By
comparing a subnet mask with an IP address, systems determine which portion of the IP address
relates to the network and which to the host. Anywhere the subnet mask has a bit set to "1", the
underlying bit in the IP address is part of the network address. Anywhere the subnet mask is set to
"0", the related bit in the IP address is part of the host address.
AppDirector performs routing between all IP interfaces defined on its Layer 2 interfaces (ports,
trunks, VLANs).
IP Interface Parameters
The IP Interface Parameters window allows you to configure the Interface and ICMP Interface
parameters.
From the Router menu select IP Router > Interface Parameters. The IP Interface
Parameters window appears.
2.
3.
4.
106
Parameter
Description
IP Address
IF Number
Network Mask
FWD Broadcast
Formerly known as Free World Dialup or Voice over IP. This parameter
decides whether the device forwards incoming broadcasts to this
interface.
Broadcast Addr
VLAN Tag
When multiple VLANs are associated with the same switch port, the
switch needs to identify to which VLAN to direct incoming traffic from
that specific port. VLAN tagging provides an indication in the Layer 2
header, which enables the switch to make the correct decision. Enter
the Tag to be associated with this IP Interface.
Peer Address
The IP address for the same layer 2 interface on the redundancy peer
device. This is mandatory if you want to synchronize configuration
between main and backup devices.
Parameter
Description
IP Address
Advert Address
Max Advert.
Interval
Min Advert.
Interval
Advert. Lifetime
Advertise
Preference Level
Reset to Defaults
Routing
Routing is the ability to forward IP packets to their Destination using an IP Routing Table. This table
stores information about the Destinations and how they can be reached. By default, all networks
directly attached to AppDirector are registered in the IP Routing Table. Other entries can either be
statically configured or dynamically created through the routing protocol.
AppDirector forwards IP packets to their destination using an IP Routing Table. This table stores
information about the destinations and how they can be reached. By default, all networks directly
attached to AppDirector are registered in the IP Routing Table. Other entries can either be statically
configured or dynamically created through the routing protocol.
When AppDirector forwards an IP packet, the IP Routing Table is used to determine the NextHop IP address and the Next-Hop interface.
107
For a direct delivery (the Destination is a neighboring node), the Next-Hop MAC address is the
Destination MAC address for the IP packet.
For indirect delivery (Destination is not a neighboring node), the Next-Hop MAC address is the IP
router address according to the IP Routing Table.
The Destination IP address does not change from Source to Destination. The Destination MAC
(Layer 2 information) is manipulated to move a packet across networks.
The MAC of the Destination host is applied once the packet arrives on the Destination network.
From the Router menu, select IP Router > Operating Parameters. The Adjusting Operating
Parameters window appears.
2.
Parameter
Description
ARP Proxy
Here, a network host answers ARP queries for the network address
that it does not have configured on the receiving interface. Proxying
ARP requests on behalf of another host effectively directs all LAN
traffic destined for that host to the proxying host. The "captured"
traffic is then routed to the destination host via another interface.
Values: Enable (Default), Disable
3.
108
Routing Table
AppDirector supports IP routing. Dynamic addition and deletion of IP interfaces is supported. This
ensures that extremely low latency is maintained. The IP router supports RIP 1, RIP 2, and OSPF
routing protocols OSPF and its MIB are supported as specified in RFC 1583 and RFC 1850, with some
limitations. The Routing Table allows you to configure static routing and define the default gateway.
To configure routing
1. From the Router menu, select Routing Table. The Routing Table window appears.
2. Set the parameters.
Parameter
Description
Destination IP
Address
Network Mask
Next Hop
Interface Index
Interface Index number for local interface or VLAN through which the
next hop of this route is reached.
Metric
Type
109
ARP Table
The ARP table contains the IP address and corresponding MAC address (physical address) of each
network element connected to the device. Through the ARP Table, you can monitor, set and edit ARP
addresses on the local router.
From the Router menu, select ARP Table. The ARP Table window appears.
2.
Parameter
Description
Interface Index
IP Address
MAC Address
Type
Entry type:
Other: Not Dynamic or Static
Invalid: Invalidates ARP entry and effectively deletes it.
Dynamic: Entry is learned from ARP protocol. If the entry is not
active for a predetermined time, the node is deleted from the
table.
Static: Entry has been configured by the network management
station and is permanent.
3.
NHRs
Each host or router handling a packet examines the Destination Address in the IP header, computes
the next hop that will bring the packet one step closer to its destination, and delivers the packet to
the next hop, where the process is repeated. A Next Hop Router (NHR) is a network element used
for outbound traffic in AppDirector Multi Homing configurations. NAT addresses can be associated
with Next Hop Routers (NHRs), similar to the way VIPs are associated with NHRs. The NHR Table
window enables you to list the device's next hop routers.
From the Router menu, select NHR Table. The NHR Table window appears.
2.
110
Parameter
Description
NHR IP Address
Parameter
Description
Admin Status
Port Number
Oper Status
Check Method
Method that device uses to verify the NHR's health via the Health
Monitoring Module, Ping or Disable.
Check Interval
Check Retries
3. For creating new NHR Table entries, click Create. The NHR Table Create window appears as
above without NHR MAC Address, Device MAC Address, Port Number and Oper Status.
4. Click Set. Your configuration is set.
VIP NHR
The VIP NHR Table window enables you to associate a next hop router, configured in the NHR Table,
to a virtual IP address configured on the device.
Parameter
Description
Virtual IP Address
NHR IP Address
No Route Action
Determines action if both primary and backup next hop routers are
offline. Values:
Discard: The packets are discarded.
Use Regular Routing: Packets are forwarded using Routing Table.
111
Parameter
Description
NHR Weight
Backup NHR
Weight
Backup NHR IP
Address
3.
Click Set. The Virtual IP address is associated with the relevant NHR.
From the Router menu, select RIP > Parameters. The RIP Parameters window appears.
2.
112
Parameter
Description
Administrative
Status
Parameter
Description
RIP Advertisement
Interval [seconds]
Parameter
IP Address
Description
The IP Address of this system on the indicated subnet.
(Read Only when updating)
Incoming RIP
Status
on/off
Outgoing RIP
Default Metric
Metric for default route entry in RIP updates originated on this interface.
0 (Zero) indicates that no default route can be originated; here, a
default route through another router is propagated.
Virtual Distance
Virtual number of hops assigned to the interface. This enables finetuning of the RIP routing algorithm.
113
Parameter
Description
Auto Send
3.
Click Set. The changes are reflected in the RIP Interface Table list.
From the Router menu select OSPF > Operating Parameters. The OSPF Operating
Parameters window appears.
2.
Parameter
Description
Administrative
Status
3.
114
Router ID
Controls the redistribution of routes from RIP into OSPF. When this
parameter is enabled, all routes inserted into the IP routing table via
SNMP are advertised into OSPF as external routes.
Parameter
Description
IP Address
Interface Type
OSPF interface type. Broadcast LANs are broadcast type, x.25 and
Frame Relay are NBMA type, and point-to-point LANs are Point to Point
type.
Administrative
Status
Administrative status of the OSPF in the router. Enabled means that the
OSPF process is active on at least one interface. Disabled means the
process is not active on any interfaces.
IfRtrPriority
Priority of this interface. Value 0 means that this router is not eligible to
become the designated router on the current network. If more than one
router has the same priority then router ID is used.
Hello Interval
RtrDeadInterval
Number of seconds router's Hello packets have not been seen before
router's neighbors declare the router down. The Time Before Declare
Router Dead value must be a multiple of the Hello Interval. All routers
attached to a common network must have a Time Before Declare
Router Dead value.
Interface State
Designated Route
Backup Designated
Router
IfAuthKey
AuthType
115
Select the OSPF interfaceIP Interface. The OSPF Interface Metrics Table Update window
appears.
2.
3.
Parameter
Description
IP Address
Metric
The metric of using this type of service on this interface. The default
value of the TOS 0 Metric is 10.
Parameter
Description
IP Address
Interface Type
OSPF interface type. Broadcast LANs are broadcast type, x.25 and
Frame Relay are NBMA type, and point-to-point LANs are Point to
Point type.
Administrative
Status
IfRtrPriority
Priority of this interface. Value 0 means that this router is not eligible
to become the designated router on the current network. If more
than one router has the same priority then router ID is used.
Hello Interval
RtrDeadInterval
Number of seconds router's Hello packets have not been seen before
router's neighbors declare the router down. The Time Before Declare
Router Dead value must be a multiple of the Hello Interval. All
routers attached to a common network must have a Time Before
Declare Router Dead value.
Interface State
116
Designated Route
Backup Designated
Router
Parameter
Description
IfAuthKey
AuthType
Parameter
Description
Area ID
Import AS Extern
Number of AS
Border Routers
(Update mode
only)
Area LSA Count
(Update mode
only)
Area LSA
Checksum Sum
(Update mode
only)
3. When updating Area Parameters, in the OSPF Area Parameters Table window, select the Area
ID.
4. When creating Area Parameters, in the OSPF Area Parameters Table window, select Create.
5. Click Set. Your changes are recorded.
117
From the Router menu, select OSPF > Link State Database. The OSPF Link State Database
window appears.
2.
Parameter
Description
Area ID
Type
Each link state advertisement has a specific format. The link can be a
Router Link, Network Link, External Link, Summary Link or Stub Link.
Link State ID
Router ID
Sequence
Number for link. Use this to detect old and duplicate link state
advertisements. The larger the sequence number the more recent the
advertisement.
3.
When updating Link State Database, in the OSPF Link State Database window, select the Area
ID.
4.
When creating Link State Database, in the OSPF Link State Database window, select Create.
5.
118
Parameter
Description
Neighbor's
Address
Address Less
Index
Router ID
Options
Priority
Note: On addressless links, this will not be 0.0.0.0, but the address
of another of the neighbor's interfaces.
3. When updating OSPF Neighbor Table, in the OSPF Neighbor Table window, select the
Neighbors Address.
4. When creating OSPF Neighbor Table, in the OSPF Neighbor Table window, select Create.
5. Click Set. Your configuration is set.
119
From the Router menu select BGP Route Injection > Router BGP Parameters. The Router
BGP Parameters window appears.
2.
Parameter
Description
Local Autonomous
System Number
3.
All members of a peer group must share identical outbound announcement policies (such as
distribute-list, filter-list, and route-map), except for default-originate, which is handled on a perpeer basis even for peer group members.
You can customize the inbound update policy for any member of a peer group.
A peer group must be either internal (with internal BGP (iBGP) members) or external (with
external BGP (eBGP) members). Members of an external peer group have different autonomous
system (AS) numbers.
Notes:
The total number of BGP peers and the configurable limit and the maximum number of
established BGP peers that are supported on a router depends on many variables, such as:
>> Total number of routes in the BGP table
>> Level of stability of the routes
>> Number of routes sent to each peer
>> Similarity between routes sent to different neighbors
120
Peer Table
BGP neighbors, or peers, are established by manual configuration between routers to create a TCP
session on port 179. A BGP speaker will periodically send 19-byte keep-alive messages to maintain
the connection (every 60 seconds by default). Among routing protocols, BGP is unique in using TCP
as its transport protocol.
The BGP Peer Table reflects information about BGP peer connections, such as their status and
current activity.
Parameter
Description
Peer IP Address
Admin Status
Connect Retry
Interval
Peer Statistics
The routing tables managed by a BGP implementation are adjusted continually to reflect changes in
the network, such as links breaking and being restored or routers going down and coming back up.
In the network as a whole it is normal for these changes to happen almost continuously, but for any
particular router or link changes are supposed to be relatively infrequent. Therefore AppDirector
users need to monitor the BGP statistics from the BGP Peer table.
121
From the Router menu select BGP Route Injection > Statistics. The Statistics window
appears.
2.
Select the Peer IP Address. The BGP Peer Table Statistics Update window appears.
3.
Parameter
Description
Peer IP Address
Admin Status
Connection State
122
Remote AS
Peer Identifier
Local Address
Local Port
In/Out Updates
In/Out Total
Messages
Last Error
The last error code and subcode seen by this peer on this connection.
If no error has occurred, this field is zero. Otherwise, the first byte of
this two byte OCTET STRING contains the error code, and the second
byte contains the subcode.
FSM Established
Transitions
The total number of times the BGP FSM transitioned into the
established state.
Parameter
Description
FSM Established
Time
This timer indicates how long (in seconds) this peer has been in the
established state or how long since this peer was last in the
established state. It is set to zero when a new peer is configured or
the router is booted.
Connect Retry
Interval (sec)
Hold Time
Configured
Time interval in seconds for the Hold Time configured for this BGP
speaker with this peer. This value is placed in an OPEN message sent
to this peer by this BGP speaker, and is compared with the Hold Time
field in an OPEN message received from the peer when determining
the Hold Time (bgpPeerHoldTime) with the peer. This value must not
be less than three seconds if it is not zero (0) in which case the Hold
Time is NOT to be established with the peer. The suggested value for
this timer is 90 seconds
Keep Alive
Configured
Time interval in seconds for the KeepAlive timer configured for this
BGP speaker with this peer. The value of this object will only
determine the KEEPALIVE messages' frequency relative to the value
specified in bgpPeerHoldTimeConfigured; the actual time interval for
the KEEPALIVE messages is indicated by bgpPeerKeepAlive. A
reasonable maximum value for this timer would be configured to be
one third of that of bgpPeerHoldTimeConfigured. If the value of this
object is zero (0), no periodical KEEPALIVE messages are sent to the
peer after the BGP connection has been established. The suggested
value for this timer is 30 seconds.
In Update Elapsed
Time (sec.)
Elapsed time in seconds since the last BGP UPDATE message was
received from the peer. Each time bgpPeerInUpdates is incremented,
the value of this object is set to zero (0)
Redundancy
This section introduces AppDirector redundancy capabilities and includes the following topics:
123
Router
Users
Network A
Port 1
MAC A
virtual IP 1
AppDirector 1
Port 2
MAC B
Port 1
MAC C
IP A 1
IP B 1
IP A 2
virtual IP
AppDirector 2
Port 2
MAC D
IP B 2
Network B
Server 1
Server 2
Radware recommends installing AppDirector devices in pairs to provide fault tolerance in the case of
a single device failure. Each pair of AppDirectors can function in an active/backup setup or active/
active setup.
To achieve redundancy between pairs of AppDirector devices, the following methods are supported:
VRRP: Working with Virtual Router Redundancy Protocol enables dynamic redundancy to be
maintained using a logical entity called a virtual router. (VRRP was initially developed to provide
high availability for routers, hence the name virtual router. However, this protocol can be
supported by a wide range of devices that are not routers as it is not a routing protocol - it does
not advertise IP routes or affect the routing table in any way). With VRRP, IP addresses are
associated with the Virtual MAC addresses that are owned by the main device, and are taken
over by the backup device at fail-over time.
Proprietary ARP: Working with Address Resolution Protocol enables monitoring of the other
device in a pair and checking its availability. Using Proprietary ARP redundancy, at the failover
time, the IP addresses of the main device are managed by the backup device and are associated
with the backup devices MAC address.
Note: Radware recommends using VRRP as described above for AppDirector redundancy.
124
Network Configurations
The network configuration affects the redundancy configuration. The following network
configurations are supported by AppDirector.
Routing
Client side and server side (as shown here) are on different networks.
125
Bridging
Client side and server side (as shown here) are on the same network. The physical port connected to
the client side and the physical port connected to the server side must belong to the same Regular
VLAN to achieve bridge configuration.
Notes:
>> This type of configuration can be supported only when using VRRP redundancy
mechanism.
>> RSTP (Rapid Spanning Tree Protocol) should be configured on AppDirector devices to
prevent loops. (This type of configuration requires using a Switch VLAN on the
AppDirector devices).
>> These types of configurations are not supported on OnDemand Switches VL and 1
platforms.
Here, the servers are either directly connected to both AppDirector devices (dual-NIC servers) or to
two switches that are connected to both AppDirector devices. On the client side, full redundancy is
achieved by either connecting each AppDirector to a different upstream router or connecting each
AppDirector to the two upstream routers (or Layer 3 switches) that run STP.
For these types of configurations, AppDirector needs the following routing configuration
126
One of the physical ports used for inter-AppDirector connectivity and the physical port to which
the client side is connected are attached to an IP Switch VLAN (shown in Figure 3 - Fully
redundant routing network configuration, page 127). This allows the primary AppDirector to
continue to be active and receive client traffic even when its direct connection to the router (or
the router itself) fails.
One of the physical ports used for inter-AppDirector connectivity and the physical port to which
the server side is connected are attached to another IP Switch VLAN (blue marking on Figure 3).
This allows the primary AppDirector to continue to be active and see the servers even when its
direct connection to the servers or their switch (or the switch itself) fails.
Bridge Configuration
The physical port used for inter-AppDirector connectivity and the physical port to which the
server side is connected are attached to an IP Switch VLAN (blue marking on Figure 4). This
allows the primary AppDirector to continue to be active and see the servers even when its direct
connection to the servers or their switch (or the switch itself) fails.
The physical port to which the client side is connected and the server side Switch VLAN are
attached to a Regular VLAN (green marking on Figure 4).
127
Configuration Guidelines
The configuration needed in redundant environments depends on the following factors:
Note: A fully redundant network environment only affects the required inter-AppDirector
connectivity and Layer 2 configuration as described in Fully redundant network
configuration section. The rest of the redundancy configuration parameters are affected
by the factors mentioned above.
This chapter provides configuration guidelines for the different cases above.
128
Parameters
Global Parameters
Primary
Secondary
Redundancy Admin
Status
VRRP
Same as primary
Interface Grouping
Enable
Same as primary
Backup Interface
Grouping
Enable
Same as primary
Backup in VLAN
Same as primary
Same as primary
129
Parameters
VRID Internet Side
Primary
Secondary
VRID
Same as primary
If Index
Same as primary
Primary IP
100.1.1.10
Same as primary
Priority
200
100
Preempt Mode
Same as primary
Associated IPs
100.1.1.100,
Same as primary
100.1.1.10
Outbound NAT
addresses, if relevant
VRID Server Side
VRID
Same as primary
If Index
Same as primary
Primary IP
20.1.1.10
Same as primary
Priority
200
100
Preempt Mode
Same as primary
Associated IPs
20.1.1.10
Same as primary
Mirroring Status
Disabled (if
preemption is
enabled).
Enabled
Enabled (if
preemption is
disabled).
Mirror Device IP
1.1.1.12
Default
Mirrored Tables
Client Table
Same as Primary
Session ID Table
Proximity and DNS
Persistency for
geographically
distributed solution
130
Note: Using the Active/Active setup, each server can provide service to Virtual IPs that are
active on one device. A server cannot provide service to multiple Virtual IPs where one
Virtual IP is active on one device, while another Virtual IP is active on another device.
Parameters
Global Parameters
AppDirector 1
AppDirector 2
Redundancy Admin
Status
VRRP
Same as AppDirector 1
Interface Grouping
Enable
Same as AppDirector 1
Backup Interface
Grouping
Enable
Same as AppDirector 1
Backup in VLAN
Same as primary
Same as primary
131
Parameters
VRID Internet Side
for VIP active on
AppDirector 1
AppDirector 1
AppDirector 2
VRID
Same as AppDirector 1
If Index
Same as AppDirector 1
Primary IP
100.1.1.10
Same as AppDirector 1
Priority
200
100
Preempt Mode
Same as AppDirector 1
Associated IPs
100.1.1.100,
Same as AppDirector 1
100.1.1.10
Outbound NAT addresses
(if relevant)
VRID Server Side
for VIP active on
AppDirector 1
VRID
Same as AppDirector 1
If Index
Same as AppDirector 1
Primary IP
20.1.1.10
Same as AppDirector 1
Priority
200
100
Preempt Mode
Same as AppDirector 1
Associated IPs
20.1.1.10
Same as AppDirector 1
VRID
Same as AppDirector 1
If Index
Same as AppDirector 1
Primary IP
30.1.1.10
Same as AppDirector 1
Priority
100
200
Preempt Mode
Same as AppDirector 1
Associated IPs
30.1.1.10
Same as AppDirector 1
Mirroring Status
Disabled (if
preemption is
enabled).
Enabled
Enabled (if
preemption is
disabled).
Mirror Device IP
1.1.1.12
Default
Mirrored Tables
Client Table
Same as AppDirector 1
Session ID Table
Proximity and DNS
Persistency for
geographically
distributed solution
132
Parameters
Global Parameters
VRID
Primary
Secondary
Redundancy Admin
Status
VRRP
Same as primary
Interface Grouping
Enable
Same as primary
Backup Interface
Grouping
Enable
Same as primary
Backup in VLAN
Block Broadcast
Same as primary
Enable
Same as primary
VRID
Same as primary
If Index
1001
Same as primary
Primary IP
100.1.1.10
Same as primary
Priority
200
100
Preempt Mode
Same as primary
Associated IPs
100.1.1.100,
Same as primary
100.1.1.10
133
Parameters
Mirroring
Mirroring Status
Primary
Secondary
Disabled (if
preemption is
enabled).
Enabled
Enabled (if
preemption is
disabled).
Mirror Device IP
1.1.1.12
Default
Mirrored Tables
Client Table
Same as Primary
Session ID Table
134
Parameter
Description
Ensures that if one port fails, the others are also taken down. When it
is enabled, the backup device takes over only when all the interfaces of
the main device are down.
Default: Disabled
Defines whether device can send ARP requests (when device is the
backup device) with active interface grouping.
Send (Default)
Avoid
Backup Device in
VLAN
Backup Fake ARP: Enables the backup device to perform a fake ARP.
Default: Enabled
Note: In networks with layer 3 switches, the Fake ARP will confuse the
switch during the redundancy process. In this case, disable this option.
Backup Interface
Grouping
When it is enabled the backup will take over only when IP interfaces
defined in its Redundancy Table fail.
Respectively, it will release those interfaces only when all the main's
interfaces are up.
135
Parameter
Description
VRRP Advertise
Interval [msec.]
VRRP Automated
AppDirector can automatically add a new Virtual IP configured on the
Configuration Updates device to the VRRP Associated IP Addresses table.
When the Automated VVRP Configuration feature is enabled and a layer
4 policy is configured that uses a new Virtual IP, this IP is automatically
associated with the VRID defined for the AppDirector interface that
belongs to the same subnet as the Virtual IP.
Messages are sent to the device log announcing that a Virtual IP was
automatically associated to a specific VRID and interface.
Values: Enabled or Disabled (Default).
Force Down Ports
Time
Enhanced Acceleration
Failure Action
3.
Ensure that IP Redundancy Admin Status is enabled, unless the network is a one-legged
configuration.
4.
5.
Failover Decision
Failover is a backup operational mode in which the functions of a system component (such as a
processor, server, network, or database, for example) are assumed by secondary system
components when the primary component becomes unavailable through either failure or scheduled
136
Interface Grouping
When AppDirector notices that one of its physical ports is down, if Interface Grouping is enabled, it
intentionally brings all other active ports down.
When an interface (physical port, trunk or VLAN) on AppDirector goes down, due to a cable failure,
switch port failure, hub failure, or other problems, AppDirector performs the following:
1. AppDirector examines the configuration to see if any IP addresses were configured on the
interface that went down.
2. If there were IP addresses configured on the interface, AppDirector deactivates all other active
interfaces.
3. If no IP addresses were configured on the interface, nothing occurs and normal operation
continues.
Notes:
>> You can configure per physical port whether it triggers Interface Grouping or not
(Selective Interface Grouping).
>> A trunk or VLAN failure always triggers Interface Grouping, but for each VLAN you can
configure per physical port whether it affects VLAN status for Interface Grouping or not
(see Adding Physical Ports to a VLAN).
>> The dedicated management ports failure will not trigger Interface Grouping.
137
Up/Down Criterion: Per VLAN you can configure when the VLAN is considered up/down based
on the number of its ports that are up/down.
Port Interface Grouping State: For each port that is attached to a VLAN you can configure
whether its status will be included or excluded from Up/Down Criterion calculations.
138
Parameter
Description
Port Number
Port Status
Enhanced Acceleration
AppDirector can also initiate failover on Application Acceleration capability failure, either Application
Acceleration Engine or hardware SSL Acceleration card or hardware Compression card.
When such a failure occurs on the active AppDirector, the device enters the same mode as Interface
Grouping and failover occurs.
139
Configure an IP interface on each device for the direct connection port and address used as the
Mirroring Device Address for the other device.
Exclude physical port used for inter-device communication from Interface grouping.
Use a trunk (link aggregation) for direct connection between two devices.
Notes:
>> Mirroring is not supported when delayed binding is used with L7 Persistent Switching
Mode and configured to either overwrite or maintain.
>> Mirroring is supported for the Layer 7 Persistent Switching Mode named First.
>> Client entries that are not mirrored are RADIUS client entries.
Mirroring can handle long and short sessions and support HTTP traffic. The following are mirrored:
Proximity table
From the AppDirector menu, select Redundancy > Mirroring > Active Device Parameters.
The Mirroring: Active Device Parameters window appears.
2.
Parameter
Description
140
Parameter
Description
Mirroring Status
Parameter
Active Device IP
Description
IP address of the device to mirror from.
Notes:
>> When setting up Mirroring, Radware recommends using the same AppDirector software
version for the main and backup devices.
>> Setting up Mirroring affects the general device performance.
>> Radware recommends that mirroring is used for Stateful Failover with the VRRP
redundancy mechanism.
141
Parameter
Description
The period of time for which the port must be down. The values can be
either 0 (the feature is disabled), or between 2 and 60 seconds. When
enabled, the value to be used depends on how long it takes the switch
to clear its MAC tables.
Notes:
>> Upon failovers, printouts displayed for ports down and up have extra 2 seconds delay (in
addition to the value set in force-port-down-time).
>> This capability is supported only for one VLAN per device.
>> This capability will not function when VRRP is not enabled and there is no VLAN
configured as part of the VRRP interfaces.
142
Parameter
Description
If Index
Interface number.
Default: F-1
VR ID
VR MAC
State
The virtual MAC address of the virtual router. Although this object can
be derived from the 'vrrpOperVrId' object, it is defined so that it is
easily obtainable by a management application and can be included in
VRRP-related SNMP traps.
The current state of the virtual router.
Values:
Initialize: indicates that virtual router is waiting for a startup event.
Master: virtual router is forwarding packets for IP addresses that
are associated with this router.
Backup: virtual router is monitoring the availability of the master
router.
143
Parameter
Description
Admin Status
Priority
144
Address Count
Master IP
Parameter
Description
Primary IP
Auth Type
Auth Key
Advertise Interval
Preempt Mode
Up Time
This is the value of the `sysUpTime' object when this virtual router (i.e.,
the `vrrpOperState') transitioned out of `initialized'.
Preferred State
The preferred state of the virtual router. This field affects the
configuration of the peer device's parallel VRRP entry.
Values:
Backup - indicates that the peer's VRRP entry should have a higher
priority.
Master - which indicates that the peer's VRRP entry should have a
lower priority.
145
Parameter
Description
VRIDs Up/Down
All Down: Sets Admin Status for all VRIDs to Down. This shuts
down the main device.
All Up: Sets the Admin status of all VRIDs to Up. So that the main
AppDirector is immediately activated and takes control from the
backup device.
No Change (Default): There is no change in the Admin Status.
2.
Associated IP Addresses
The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in the
static default routed environment. VRRP specifies an election protocol that dynamically assigns
responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling
the IP address(es) associated with a virtual router is called the Master, and forwards packets sent to
these IP addresses. The election process provides dynamic fail-over in the forwarding responsibility
should the Master become unavailable. Any of the virtual router's IP addresses on a LAN can then be
used as the default first hops router by end-hosts.
You use the Associated IP Addresses window to configure the VRRP.
From the AppDirector menu, select Redundancy > VRRP > Associated IP Addresses. The
Associated IP Addresses window appears.
2.
3.
Parameter
Description
If Index
VR ID
Associated IP
4.
146
Proprietary Redundancy
Radware proprietary redundancy mechanism uses ARP (Address Resolution Protocol) to ensure that
the backup AppDirector is available and that the network connections between the main and backup
devices are up and that failover is achieved when primary device fails.
The backup device manages the polling process by continuously polling the main device, using the
ARP protocol. If the main device fails, the teaching process is realized when the backup device sends
broadcast ARPs informing its network neighbors that the IP addresses of the main device are now
associated with its own MAC addresses. This ensures that all traffic destined to the IP addresses of
the main device arrives to the backup device.
IP Redundancy
In redundancy configurations both AppDirectors, the main and the backup, must be defined to work
with virtual and physical addresses. The virtual IP addresses are defined on the backup AppDirector
in the same manner as on the main AppDirector and the main device makes sure that the backup
AppDirector supports virtual addresses. Different physical IP addresses are used for the main and
backup devices, and an additional configuration is required on the redundant AppDirector to support
backup for the physical IP addresses of the main device.
The IP Redundancy Table window allows you to setup IP router redundancy: The IP Redundancy
Table is relevant for proprietary redundancy only.
Parameter
Description
Interface IP Address
Operating Status
147
Parameter
Description
4.
Click Set. Your changes are recorded. This procedure must be repeated for every back-up
interface.
Note: To allow the backup device to poll the main device, it must be aware of the main device
IP interfaces that its IP interfaces are backing up.
Configuration Synchronization
In a redundant configuration, master and slave devices require consistent configuration. Online
configuration synchronization helps to prevent a tedious error-prone manual process to ensure that
the configuration is synchronized between a pair of redundant devices.
This feature provides a mechanism where the configuration created on one device is updated
automatically and synchronously on its redundancy peer. This way, the device configurations are
guaranteed to be always synchronized, without requiring manual intervention.
This capability operates in a master/slave mode where the master device is the only one that can be
configured by the administrator and the slave device is configured by the master device only.
Automatic configuration synchronization is achieved by providing an online update of the slave
device for all configuration operations performed on the master device.
Notes:
>> The redundancy configuration is updated on the slave device according to the
recommended configuration in the Configuration Guidelines section.
>> This capability is only supported for a pair of devices using VRRP in an Active-backup
scenario.
Master/Slave Roles
The roles of the devices are set manually and never change dynamically in contrast to the VRRP
active ownership.
The configuration synchronization roles are independent of the device redundancy operation
mode (Active/Backup). You need to set the primary device as configuration master.
The configuration synchronization will consider the VRRP status when rebooting the slave device
(after configuration changes that require reboot). If the configuration slave is the VRRP active
device, then reboot is suppressed to avoid unnecessary failover that will cause connection
disruption. The master will wait for the VRRP role to switch over and only then issue a reboot.
148
Example
A
Master
IP: 1.1.1.1, Subnetmask: 255.0.0.0, Port: G-1, PeerAddress: 1.1.1.2
Slave
IP: 1.1.1.2, Subnetmask: 255.0.0.0, Port: G-1, PeerAddress: 1.1.1.1
Notes:
>> Verify that all above steps before enabling configuration synchronization on your
devices.
>> The master device checks all the above conditions (except number 5 which is the
administrators responsibility) and will not start synchronization if one of these
conditions is not satisfied.
Starting to Configure
149
Notes:
>> For each IP interface configured on the master device a Peer IP address must be
configured (to be used as IP interface on the slave device).
>> You can monitor synchronization state on the Master device. The state should show InSync. See Configuration Synchronization Monitoring, page 153.
>> Configurations requiring reboot will only take effect on the slave after you have rebooted
the Master device (and it will then automatically reboot the slave).
There are additional configuration synchronization parameters that can be modified, see
Configuration Synchronization Settings, page 150.
The configuration synchronization status and statistics can be constantly monitored, see
Configuration Synchronization Monitoring, page 153.
From the main menu, select Redundancy > Configuration Synchronization > Settings. The
Configuration Synchronization Settings window appears.
2.
Parameter
Device Role
Description
The role that this device plays in configuration synchronization:
None (default): the device does not participate in configuration
synchronization
Master: only this device is configurable and it synchronizes the slave
device
Slave: this device receives its configuration from the Master device,
only change of its role in configuration synchronization and reboot
can be performed on a device in Slave mode
Synchronization
Session Password
The password used to establish an SSH session between the devices for
configuration synchronization.
The same value must be configured in both devices (master and slave) to
allow session establishment.
150
Parameter
Description
Connection
Preference
Alternate
Connection
Preference
You can decide whether to allow the slave device to be rebooted. Due to
configuration changes requiring reboot, the slave device is in active state
(redundancy wise).
Default: Disabled.
The interval at which a master device sends keep alive messages to slave
to maintain connectivity.
Slave Response
Timeout (When
device has Master
role)
If the slave device does not answer either connection attempt or keep
alive message within this timeout, it is considered to be disconnected.
Slave Reboot
Timeout (When
device has Master
role)
If the slave device does not answer connection attempt after it was
rebooted within this timeout, it is considered to be disconnected.
Default: 15 sec.
Default: 20 sec.
151
Parameter
Description
Peer Disconnect
Alert Delay (When
device has either
Master or Slave
role)
A trap that alerts on a slave disconnection will be sent only after the slave
has been disconnected for this period (to avert flip-flops).
Master
Communication
Timeout (When
device has Slave
role)
If the slave device does not receive communication from a master for this
timeout, the master is considered disconnected.
Default: 60 sec.
3.
152
Exclude
Management IP
(When device has
Master role)
Exclude Secured
Management
Settings (When
device has Master
role)
Parameter
Description
Synchronization State
153
Parameter
Description
Incompatibility Status
The reason the master and slave are incompatible. Applies only to
master device and only if current state is incompatible or disconnected.
Values:
Hardware platform
Memory size
License
Software version
Initial configuration (applies to disconnected state - the slave will
refuse to connect in this case)
Slave compatibility is not established
Notes:
If there is more than one reason, then the first reason detected is
displayed.
Slave compatibility is not established when configuration
synchronization is not activated.
Synchronization IP
Interface
The current IP interface used for the communication with the peer
device. If the devices are disconnected - null=0.0.0.0
Peer IP
Configuration Timestamp
The last time the configuration was successfully propagated from the
master to the slave.
Availability Status
The last time that the configuration was successfully propagated from
the master to the slave.
The configuration synchronization can be either individual or full
synchronization.
Default: 0
154
Parameter
Description
Discrete Synchronization
Attempts
Full Synchronization
Operations
Number of Successful
Connections
Synchronization Failures
Disconnections
The number of times that the peer was disconnected since last
enablement or reboot (the later).
Default: 0
Slave Configuration
version (Master only)
155
From the main menu, select Redundancy > Configuration Synchronization > Monitoring
> Reset Slave. The Reset Slave Device window appears.
2.
Click Set (for Reboot Slave (master only). The slave device is reset.
Reconnect
From a device that has Master role, the administrator can force a reconnect to the slave device. This
should be used when you have changed the interface through which you want the config-sync
connection to be established.
From the main menu, select Redundancy > Configuration Synchronization > Monitoring
> Reconnect. The Reconnect window appears.
2.
Click Set (for Reconnect to Slave (master only). The slave is reconnected.
156
The following workflow helps you to understand how to configure traffic management and
acceleration for AppDirector and distinguishes between Acceleration enabled and disabled
functionalities.
157
AppDirector load balances traffic to application servers that provide various application services,
such as FTP, Web, Mail, ERP, CRM, Streaming, VoIP, etc.
To receive the requested service, user traffic is directed to a homogenous and redundant group of
servers. This is managed by AppDirector, which decides:
158
To which group of servers to direct the request to provide the service required by the client.
To which server within the required group to direct the traffic to optimize the service provided
and to ensure its operation.
The main elements involved in configuring server load balancing on AppDirector are:
1. Farm - A group of application servers that provide the same service. A farm can provide multiple
services and a server can be part of multiple farms.
2. Virtual IP (VIP) - A single point of entry through which clients can access a variety of services.
3. Layer 7 Policy - a set of rules that allow to select a farm based on application data (Layer 7).
4. Layer 4 Policy - a set of rules that allow to select a farm based on layer 4 and layer 7 data if
required (by linking to a Layer 7 policy) and activate application acceleration capabilities. The
layer 4 data used to classify traffic via L4 Polices is:
a.
b.
Destination IP (VIP)
Layer 4 Protocol (TCP, UDP, ICMP, SCTP, Any or Other)
c.
Layer 4 Port
d.
Source IP Range
When traffic reaches the services point of entry (VIP) AppDirector Matches the Layer 4 data in the
packet to Layer 4 policies configured on the device until the best match is found. Once a matching
Layer 4 Policy is found the device processes the traffic according to the services required for this
Layer 4 Policy. As an example the following actions are performed for HTTPS traffic processing:
1. SSL processing is performed by AppDirector, if required, to off-load it from the servers.
2. If HTTP caching is enabled, AppDirector can respond from the cache, to off-load it from servers
if the requested object is in the cache. In this case steps 3-5 are not relevant.
3. If a Layer 7 policy is attached, the device processes the application request searching for the
Layer 7 policy criteria to select the target farm, if not the target farm is the one directly attached
to the Layer 4 policy.
4. Traffic is forwarded to the server best able to deliver the requested service within the target
farm.
5. If HTTP caching is enabled, cache objects from the response according to configuration.
6. HTTP response can be compressed if required.
7. Response is SSL encrypted before being sent to client.
Configuring Farms
This section describes how to configure Farms for AppDirector operations. Topics include:
Farm Parameters
A server farm is a group of networked servers that provide the same service. Servers contained in a
server farm can be placed in different physical locations, belong to different vendors, or have
different capacities. Differences between servers within a farm are transparent to clients. If all the
servers within a group provide the same service managed by the AppDirector device, this group can
be defined as an AppDirector server farm. A server providing multiple services can be used in
multiple farms. For example, Server 3 (S3), as shown in this figure, provides Web service in one
farm and FTP service in another server farm.
159
Web Farm
S1
S2
FTP Farm
S3
S4
S5
S6
From the AppDirector menu, select Farms > Farm Table. The Farms Table window appears.
Select the desired farm name. The Farm Table Update window appears.
2.
Parameter
Description
Farm Name
Admin Status
Dispatch Method
160
Parameter
Description
Dispatch Method
(continued)
Sessions Mode
Regular: All sessions from the same client IP to the same service
(VIP + Protocol + port) are forwarded to the same server.
Entry Per Session: All sessions from the same client IP to the
same service (VIP + Protocol + port) are forwarded to the same
server, but each session is recorded in the client table providing
more accurate minimum-user load balancing.
Remove on Session End - EPS: After TCP client session ends, the
client's entry is removed from the Client Table ends after 5-6
seconds. This automatically enables Entry Per Session.
Remove on Session End - SPS: After TCP client session ends, the
client's entry is immediately removed from the Client Table after
5-6 seconds. This automatically enables Server Per Session.
Bandwidth Limit
161
Parameter
Description
Connectivity Checks
Connectivity Check
Method
Connectivity Check
Retries
Connectivity Check
Interval
Connectivity Check
Port
Extended Check
Frequency
Authorized Username
Authorized Password
Home Page
With the "HTTP pages" check method, this defines the default web
page retrieved from servers. If this web page is unavailable, the
server is considered down.
Connection Denials
(Read-Only)
Operational Status
(Read Only)
Values: FTP, HTTP, SMTP, DNS, NNTP, HTTPS, RTSP, RADIUS or any
port number you enter manually. For example, HTTP automatically
checks port 80.
Active when:
(Farm Admin Status is Enabled) AND (at least one farm server is
Active).
162
Parameter
Description
Connection Management
Close Session At
Aging
Specifies when a TCP session is aged whether you want the device to
send RESET to client, server or both.
Values:
Server side - Gracefully close the client-side connection when it ages.
Client side - Gracefully close the client-side connection when it ages
out the persistency entry from the client table.
Client & Server side - When Client Aging expires for a specific
session, AppDirector removes the Client Table entry for this session
and sends a RESET to the server to close the associated port.
(Applicable to TCP sessions only).
Disabled
Connection Limit
Exception
Reset Client on
Server Failure
Client NAT
Client NAT Address
Range
Range of NAT addresses, based on the NAT Address Table, to be used for
this farm. A client with an IP address within the Client NAT Range,
approaching the farm, is NATed according to the selected NAT Address
Range. Also see Client NAT Addresses, page 276.
163
Parameter
Description
When using Client NAT, the source IP address is replaced by NAT address,
so that server cannot know the identity of the original client.
To solve this problem AppDirector can insert an X-Forwarded-For header
with the identity of the original client in the traffic forwarded to server.
Default: Disabled
HTTP Persistency
Insert Cookie for
HTTP Persistency
SSL Persistency
SSL ID Tracking:
SSL ID Aging
The amount of time a non-active client is kept in the client table (in
seconds). As long as a client is kept in the client table, the client is
connected to the same server.
You can configure this as part of the farm configuration. The default value
is 120 seconds. Allowed values are from 1 second to 65,535 seconds.
RADIUS Persistency
RADIUS Attribute
Radius Secret
164
Used for the RADIUS Connectivity Check on the Farm. When the farm is a
Radius Server Farm, the Radius secret must be configured to allow access
to the farm.
Parameter
Description
RADIUS Proxy
Attribute
SIP Persistency
Hash Parameter for To maintain client-server persistency in SIP sessions, the device searches
SIP
the Call-ID header in SIP and selects an available server based on a static
hash algorithm performed on the Call ID.
If the farm is part of a Layer 4 Policy, the input function for the Hash is
the requested URL.
Default: Call-ID
No Service Page
No Service Page
HTTP Code
This parameter allows you to configure the code to be used for the
"Sorry" page response sent when this farm is unavailable.
Values:
100 Continue
200 OK (Default)
202 Accepted
204 No Content
401 Unauthorized
403 Forbidden
Backend SSL
Backend SSL State
This parameter allows you to override the SSL policy back-end SSL
settings and forward traffic to the back-end servers in clear text. This
capability is required when SSL offloading is required on the front-end,
but on the back-end some of the Layer 7 services require back-end SSL
encryption.
Values:
Override to Clear text
Respect SSL Policy (default)
165
Parameter
Description
Standard Acceleration
Transparent Server
Support
4.
166
Content Checks
Parameter
Description
Farm Name
From the Farm Name drop down list field select a farm name.
200 OK
202 Accepted
204 No Content
401 Unauthorized
403 Forbidden
6. Click Set. The HTTP Code is added to the Acceptable HTTP Code Table
Note: You must also have at least one code on the list. The maximum number of codes or
farms is 10.
Content Checks
This defines strings whose existences or absence from retrieved HTTP page indicate a healthy
server. AppDirector examines the HTTP header of the server response and considers responses with
the user-defined HTTP status code to indicate a healthy server.
You can configure HTTP status codes to be used as acceptable responses. By default, an HTTP code
of 200 indicates service availability.
Servers and applications can pass health checks but if the content is not accurate, (for example,
corrupt or misplaced files), AppDirector can also check for content accuracy. There are several
methods including:
167
using an application-level health check by using an HTTP GET request for a URL of customer
choice, the load balancer can check the returned Web page for accuracy.
For other applications, such as FTP, the load balancer can download a file and compute the
checksum to check accuracy.
From the AppDirector menu, select Farms > Content Checks. The Content Checks window
appears.
2.
When creating, click Create. The Content Checks Create window appears.
3.
When updating, select required farm. The Content Checks window appears
4.
Parameter
Description
Farm Name
Search String
Check Mode
5.
<HTML>
<HEAD>
<TITLE>Service Unavailable</TITLE>
</HEAD>
<BODY>
<P ALIGN=center><FONT SIZE=+2><br><br>
Service is currently unavailable. Please try again later.
</FONT>
</P>
</BODY>
</HTML>
168
Notes:
>> Setting content for the page activates this feature. By default, no content is displayed
for a farm. To remove this feature, select the farm and select Delete.
>> You should set this page if you want a user to get a message when the service is not
available and if there is no answer to the DNS.
>> If a "No Service Page" is defined for a farm bound to a DNS Host Name Entry (as for
farm www.farm123data.com), the device will reply with a DNS answer even if all servers
of the farm are down.
169
Configuring Servers
This section discusses server configuration and includes these topics:
AppDirector works with farm servers; logical entities that are associated with application services
provided by the physical servers that run these applications. Adding and configuring servers in an
AppDirector farm requires configuring the physical server parameters, then the farm parameters
and finally the application parameters.
Every service is hosted on the physical server, and should be defined in the system. For each
service, you can define a logical entity (a farm server) and attach it to the farm that provides this
service. Configuring farm servers means organizing servers according to how you use their services.
Physical Servers
When you add hardware elements to the network and define them as servers, every service is
hosted on the physical server, and should be defined in the system.
Before setting up a physical server, you must establish IP connectivity of the server to AppDirector
and to the host.
A physical server that provides multiple services may participate in multiple farms. In each farm,
this physical server is represented by a unique farm server that provides one specific service. Each
service is associated with a farm, and you can define its load balancing scheme and customized
Health Checks. In this way, if one of the services provided by a physical server is not available, other
services can still be used.
From the AppDirector menu, select Servers > Physical Servers. The Physical Servers window
appears.
2.
Select the server you want to edit. The Physical Servers Update window appears.
170
Parameter
Description
Server Name
Admin Status
Recovery Time
Warmup Time
(seconds)
Time, in seconds, after the server is up, during which clients are slowly
sent to this physical server at an increasing rate so that the server can
reach its capacity gradually. AppDirector internally raises the server
weight for this period of time, until the server's weight is the preconfigured weight).
If the Warm-up Time parameter is set to 0 (default), the server
performs activation at full weight immediately upon a change in
operational status from inactive to active after waiting the Recovery
Time.
Default: 0 seconds
Note: Not applicable for farm servers where load balancing decision is
made using the Cyclic Dispatch Method.
171
Parameter
Description
Connection Limit
4.
Peak Load
Attach Users
Frames Rate
Frames Load
The limit for the maximal number of client sessions which can be
opened on this server has been reached.
Application/Farm Servers
AppDirector works with server farms rather than with individual servers. An AppDirector farm is a
group of networked servers that provide the same service. Utilizing multiple servers organized in a
farm accelerates the service response time and improves overall performance.
An application server (also called farm server) is identified by the name of the farm it belongs to, the
IP address of the server and the server port. The server name is mandatory and identifies the
physical server providing the service. A single application server can be included in a farm several
times, with a different Server Port number for each instance. For example, an HTTP web server
might use ports 8080, 8081, and 8082.
From the AppDirector menu, select Servers > Application Servers > Table. The Server Table
window appears.
2.
172
Parameter
Description
Server Name
Farm Name
Server Address
Server Port
Server Description
A free text field where you can type a description for each server.
Maximum Length: 80 characters.
The server description is not saved in the configuration file. If you export
the configuration file and upload it, the server description is not saved.
Admin Status
Admin Status is the user defined management status of the server that
you can change at any stage of servers configuration or operation. The
following options are available:
Disabled: The server is not active. When setting the Admin Status to
Disabled, AppDirector removes all entries relevant to this server from
the Client Table, stops sending new requests to this server, and
disconnects all connected clients.
173
Parameter
Description
Forwarding Parameters
Type
Redirect To URL
The URL to which traffic is redirected when HTTP, RTSP or SIP redirection
by name is performed (Redirection by Name must be configured in the
farm redirection settings).
This option is available for:
Global License
Redirect to Self capability.
Farm Name for Local This allows you to configure the farm whose load and availability should
Farm
be the load and availability of this server. This parameter is mandatory
for servers of type Local Farm and it is not configurable for any other
type of server. You must configure the correct Farm Name in the local
farm server. If no Farm Name is configured the server is Not In Service.
174
Parameter
Description
Load Balancing Parameters
Weight
Response Threshold This defines the number of milliseconds where the server may reply to
the GET command. When the server's reply takes longer, the status of
the logical server is set to No New Sessions.
Default: 0
Bandwidth Limit
Connection Limit
175
Parameter
Description
Redundancy Parameters
Operation Mode
Backup Preemption
Determines when the failover mode between the server and its specific
backup address, after the specific backup server took over.
Enabled (default): Once the server becomes active again, it takes
over from the specific backup server.
Disabled: Specific backup server remains active as long as it is
available, even after this server recovers from failure.
Notes:
This is relevant only when a Backup Server Address is configured.
Backup Server
Address
Client NAT
Client NAT
Defines the Client NAT IP range to be used for NATting sessions to this
server. Also see Client NAT Quick Setup, page 277.
Notes:
>> For Local Farm servers, the server IP address must be the Layer 4 Policy VIP that points
to the local farm.
>> FTP traffic cannot be load balanced between multiple instances of the application. The
Server Port parameter of an FTP server must be set to 0.
176
Dispatch Methods
Dispatch Methods are the load balancing algorithms that determine how client requests are
distributed between servers in a farm. AppDirector receives requests for service from clients and
decides to which server to direct each request. During this process, AppDirector finds the best
server to provide the requested service. The criterion according to which AppDirector selects the
best server is defined by the Dispatch Method.
You can define the Dispatch Method during the process of AppDirector Farm configuration, according
to the farm characteristics and users needs. This may differ between applications, depending on the
service that the particular farm provides. For example, the number of users is a significant factor for
a Web farm, while the amount of traffic can be more important for an FTP farm. The following
Dispatch Methods are available:
Cyclic
When this is selected, AppDirector forwards traffic dynamically to each sever in a round-robin
fashion.
Weighted Cyclic
This method combines the Cyclic dispatch method with server weight considerations. The weight of
a server in a farm is the servers priority, or the servers importance. You can define that a particular
server in a farm has more weight than other servers. Therefore, more requests for service are
forwarded to this server than to servers with a lower weight.
When the Weighted Cyclic dispatch method is selected, AppDirector distributes clients requests for
service in the round-robin manner, taking into consideration the weight of servers in that farm.
Explicitly, every new session is distributed to the next server up to the server weight. For example, if
one server has a weight of 2 and another server has weight of 5, the first two sessions are sent to
#1, the next five are sent to #2, sessions eight and nine are sent to #1 again, and ten to fourteen
are sent to #1 etc. For more information about servers weight, see Configuring Servers, page 170.
Note: The number of sessions is defined by the number of active Client Table entries that
contain information about the sessions in which this server participates (see Client Table
Management, page 264).
177
Note: Traffic is defined as packets per second (pps) from AppDirector to the server and from
the server to AppDirector (back to the client), as recorded in AppDirectors Client Table
for all traffic forwarded to that server.
Response Time
This method allows AppDirector to select the fastest server in the farm. When this method is used,
the load balancing process is based on choosing the least loaded server as calculated by the
Response Level measured by the Health Monitoring module.
The Health Monitoring module enables users to track the round trip time of Health Checks. The
device keeps a Response Level indicator for each check. The Response Level is the average ratio
between the response time and the configured Timeout.
This average is calculated over a number of samples as defined in the Response Level Samples
parameter. A value of 0 in the Response Level Samples parameter disables the parameter; any other
value between 1-9 defines the number of samples. The Response Level Samples parameter can be
used in the Health Checks in which the Measure Response Time parameter is enabled. Server weight
is also considered.
Note: If all servers in the farm have the same response level, AppDirector will choose one of
the servers all the time according to its IP address.
Enable the Health Monitoring module for this farm, and set the Response Level Samples
parameter and the Measure Response Time parameter for each Health Check.
2.
Hashing
When this method is applied, AppDirector selects a server for a session using a static Hash function.
This method enables AppDirector to repeatedly direct requests from the same client to the same
server within a farm even after the client entry has aged, as long as the server is still in service. This
Dispatch Method also provides support for reverse proxy Web farms, avoiding data replication
among the proxy servers.
178
Note: When a Hash result indicates to use a server with the status of Not in Service, a second
Hash is used to select an available server for the session.
Parameter
Description
Server SNMP Port used to poll the relevant statuses from the servers.
Default: 161
Note: When using these Dispatch Methods, you need to configure the Private Scheme. In this
scheme, you can set the weight of the statistics parameters.
179
From the AppDirector menu, select SNMP Based Dispatch > Private Parameters. The
Private Parameters window appears.
2.
Parameter
Description
Serial Number
Serial no. of the scheme. Scheme no. 1 is used for dispatch method
private-1, etc.
Var 1 Object ID
Var 1 Weight
Var 2 Object ID
Var 2 Weight
Retries
Community
Var 1 Mode
Var 2 Mode
3.
When updating Private Parameters, select the desired server. The Private Parameters Update
window appears which contains the above parameters:
180
Parameter
Description
Serial Number
Check Period
Incoming Traffic
Weight
Outgoing Traffic
Weight
Response Weight
Retries
Community
3. When updating Windows NT Parameters, select the desired server. The Windows NT Parameters
Update window appears which contains the above parameters.
4. Click Set. The algorithm is set.
Local Triangulation
The Local Triangulation mode provides the ability to send servers responses directly to the client.
Sending responses that way reduces the number of hops through which the reply packet passes,
improving the response time. In addition, the traffic passing through AppDirector is reduced, since
most incoming requests are rather small and outbound traffic represents the bulk of data exchanged
between clients and servers.
181
Note: Layer 7 Switching, which requires Delayed Binding, is not supported when using Local
Triangulation. When using Delayed Binding, AppDirector acts as a reverse proxy
between clients and server.
Note: AppDirector determines the VLAN tag that is used according to the destination IP of the
packet after AppDirector has made all the required modifications to the packet. When
using Local Triangulation, AppDirector forwards packets to servers with the destination
IP of the farm. However, the tag must be set according to the subnet of the servers.
2.
Farm servers can be configured to operate as Local Triangulation type servers. You can add Local
Triangulation type servers and Regular type servers to the same farm. Local Triangulation is
effective for one-leg topologies and reduces traffic on the AppDirector interface. The process of
defining Local Triangulation is dependent on the operating system installed on the farm servers.
Setting up Local Triangulation on the physical servers requires adding a loopback adapter. A
loopback address is a valid IP address assigned to a server. The server does not respond to ARP
requests destined to the loopback address. The address assigned to the loopback adapter is the
address of the Virtual IP. The server responds directly to the client with the AppDirector virtual
address, eliminating the need for server-to-client traffic to flow through AppDirector.
182
Layer 4 Policies
A Layer 4 Policy allows you to set a single point of entry, i.e., a single Virtual IP address, for a variety
of application services, allowing different groups of users to receive services according to their
individual needs.
All the VIPs managed by AppDirector are defined under Layer 4 Policies. When AppDirector receives
the first packet of a session destined to a Virtual IP address, it searches for a Layer 4 Policy that
matches the Layer 4 Protocol, Destination port, Source IP, etc. Then, based on this information,
AppDirector selects the farm allocated to this service and the best server for the task from that
farm, and forwards the packet to that server.
Note: For FTP, there is no need to create a port 20 Layer 4 policy for the active FTP-data
connections. AppDirector handles active and passive data connections to the same VIP
as the FTP-control Layer 4 policy automatically. FTP-data exists as an application if a
direct active FTP-data connection to a port other than 20 occurs.
In addition to farm selection, the Layer 4 policy also defines application acceleration policies to be
applied on traffic matching the Layer 4 policy, when required. Application acceleration policies
include SSL offload configuration, compression and caching rules and HTTP multiplexing activation.
Parameter
Description
Policy Classifiers
Virtual IP
183
Parameter
Description
Layer 4 Protocol
The Layer 4 protocol for which the policy provides services. Values
include:
TCP (Default)
UDP
ICMP
SCTP
Any: Any IP protocol, including TCP, UDP and ICMP
Other: Any IP traffic that is not TCP, UDP or ICMP
Layer 4 Port
Application
The Application parameter allows using custom TCP or UDP ports for
applications that require special handling, such as HTTP, HTTPS, FTP,
SIP, etc. For example, use port 2100 for FTP Control Channel.
For well-known protocols, such as 80 for HTTP, there is no need to
specify the application.
For Virtual IP Interface configuration, the Application parameter must
be set to Virtual IP Interface.
Applications supported include:
Any (Default)
RTSP
FTP Control
TS COOKIE
HTTP
RADIUS
HTTPS
TCP
PING
TPTP
REXEC
UDP
RSH
Virtual IP Interface
SCTP
SIP
Source IP To
Last address of range of client IPs for which policy provides services.
Segment Name
Policy Actions
Farm Name
184
Parameter
Description
HTTP Policy
Enhanced Acceleration
TCP Policy
SSL Policy
Caching Policy
Compression Policy
Client Authentication
Policy
185
Parameter
Description
Policy Settings
Redundancy Status
Policy DefinedBy
Standard Acceleration
Backend Encryption
Port
4.
Sets the port to which an AppXcel device sends the backend host
encrypted traffic. The Backend Encryption Port must be set to the
same value as the Server Port in the Tunnel that is defined on AppXcel.
AppDirector searches its Layer 4 Policies to find an entry that matches the traffic
First AppDirector searches for a full match between the Destination IP, Destination IP Protocol
and Destination Port fields of the incoming packet parameters and Layer 4 Policy Virtual IP,
Layer 4 Protocol, and Layer 4 Port parameters.
2.
If no match is found, AppDirector re-scans the Layer 4 Policies again, looking for a full match
between the Destination IP address and Destination IP Protocol fields of the incoming packet,
and Layer 4 Policy Virtual IP and Layer 4 Protocol parameter, which include TCP, UDP, ICMP, Any
or Other.
3.
If no match is found, AppDirector re-scans the Layer 4 Policies looking for a match between the
Destination IP address of the incoming packet and the Layer 4 Policy Virtual IP parameter.
4.
5.
If the entry is matched, AppDirector performs an additional search in the Layer 4 Policies Table,
checking whether the incoming packets Source IP fits into the Layer 4 client IP address range.
6.
7.
186
Note: The order of configured policies has no impact; the most specific policy is always
matched, using the above logic.
Parameter
Description
Virtual IP
Layer 4 Protocol
Layer 4 Port
Source IP From
Starting address of range of client IPs for which policy provides services.
Total Matches
Last Second
Matches
3. Click a Virtual IP of the desired policy. The Layer 4 Policy Statistics Update window appears
with the statistics on the policy.
187
HTTP Policies
Serving high numbers of concurrent users requires Web Servers to handle large volumes of
connections, which can exhaust Server connection capacity, and affect clients Quality of Experience
(QoE). To lower the connections volumes AppDirector offers the option for multiplexing HTTP
connections, thus serving multiple clients over much smaller number of server connection and
ensuring short response time by Server's, which leads to improving clients QoE.
Since HTTP policy is compulsory in most Layer 4 policies (any policy that is port 80 or 443 or
application HTTP or HTTPS), there is a "Default" HTTP policy that you can configure that is attached
to any new Layer 4 policy created.
During persistent Layer 7 Switching, AppDirector constantly inspects all HTTP requests and ensures
that an appropriate farm/server handles each request. This is transparent to the client and saves
system resources because AppDirector keeps a single TCP connection with the client. The process
includes the following steps:
1.
2.
AppDirector performs a TCP handshake with the client to receive the HTTP request.
3.
AppDirector analyzes the GET requests data and selects a farm/server according to the first
request.
4.
AppDirector initiates a TCP handshake with the server and forwards the traffic to it.
5.
6.
When a new farm or server is required, AppDirector opens a new TCP connection with the
server.
Note: Persistent Layer 7 Switching sessions are not mirrored to a redundant AppDirector.
188
How to handle back-end connections when performing Layer 7 processing on HTTP 1.1
traffic (multiple requests per connection on the client side) - Layer 7 Persistent Switching
Whether to activate HTTP multiplexing
Parameter
Description
Policy Name
(Mandatory)
Classification
189
Parameter
Description
POST Classification
Input
Defines whether AppDirector inspects the HTTP header or body for the
content-based farm selection.
HTTP POST Classification Input can have the following values:
Header (Default): Information only from HTTP Header is used for
farm selection using Layer 7 Policies. This mode can be used when
all requests, including POST, are classified according to the HTTP
Header only, not by message body.
Body: For POST requests, message body is used for farm selection
using Layer 7 Policies. This is recommended when traffic needs to be
classified according to information in the message body only, as it
provides better performance (as only the relevant part of the request
is classified).
Header and Body: For POST requests, message body and header
are used.
Note: For all HTTP methods except POST, only the HTTP header is
used.
Bytes of Request to
Read
Specifies how deep into the HTTP request AppDirector searches for the
content specified in the predefined Layer 7 Policy methods.
By default, AppDirector searches for defined methods until the end of the
HTTP Header.
Default: 3.5 Kbytes
Maximum: 64 Kbytes
Note: This parameter is also related to the response (when learning
DSIDs).
HTTP Normalization
190
Parameter
Description
Connection Handling
Layer 7 Persistent
Switching Mode
191
Parameter
Description
Multiplex Back-End
Connections
Back-End
Connection Close
idle timeout
3.
Note:
>> AppDirector does not send X-Forwarded-For to the server when the HTTP policy is set to
First. This does not apply when it is set to Maintain.
>> In First switching mode, the backend connection uses HTTP 1.1 with keep-alive enabled.
TCP Policies
Configuring TCP policies enables you to provide connection pooling for generic TCP protocols (nonHTTP).
In a connection pooled environment, a pool of server connections is maintained for servicing client
connections. When a client requests a connection, an unused connection is selected from the server
pool and used to service the request. When the client request is complete, the server connection is
returned to the pool and the client connection dropped.
This has the effect of reducing the overhead imposed by establishing and tearing down the TCP
connection with the server, improving the responsiveness of the application.
192
Notes:
>> This feature cannot work for HTTP as this requires additional Layer 7 protocol
intervention. For HTTP, AppDirector provides HTTP-level multiplexing activated via HTTP
Policy.
>> When enabling back-end connection pooling for a Layer 4 policy, you must configure
Client NAT on the farms attached to that Layer 4 policy. For details, see Client NAT,
page 275.
>> Layer 7 farm selection and server persistency is not available for generic TCP.
>> To associate a TCP Policy with a Layer 4 Policy, the Layer 4 Policy protocol should be TCP
and the Application should be either TCP or generic SSL.
>> When a generic SSL Application is selected, an SSL Policy also needs to be attached to
the Layer 4 Policy to allow SSL offloading.
Parameter
Description
Policy Name
Back-End Connection
Idle Timeout
(seconds)
193
SSL Offloading utilizes a strategy implemented within an organizations data center to handle the
encryption, decryption and verification of Secure Sockets Layer (SSL) transmissions across a
business network. SSL acceleration is the method used for offloading the processor-intensive public
key encryption algorithms involved in SSL transactions to a dedicated device thereby freeing up
server resources that can be devoted to other tasks. AppDirector acts as proxy and offloads all SSL
operations, leaving the software servers to process the clear text which is significantly less intense.
The offloading process also provides added security to business networks by identifying malicious
traffic disguised as normal SSL encrypted files. Because offloading devices are devoted to SSL
activities, they have a better ability to discover these hidden attacks than normal intrusion
prevention systems.
SSL Offloading serves 4 main purposes that contribute together to establishing a secure
communication channel:
Authentication: Each communicating partner should be able to verify that the other is who it
claims to be and not an impostor.
Integrity: Protocol should automatically or easily detect any tampering with the transmission.
Non-repudiation: Sender should not be able to claim that they did not send what the receiver
received.
Notes:
>> SSL can encapsulate any protocol and AppDirector can support this. However, some
supporting capabilities for SSL offloading leverage HTTP protocol capabilities and are
therefore are not available when AppDirector is used for generic protocol SSL offloading.
>> Protocols that include special commands for SSL initiation and behavior (FTP, POP3 or
SMTP), require special support and are not guaranteed to work flawlessly in any SSL
environment.
>> The HTTP protocol provides widespread support for SSL offloading but some HTTP
dependent features cannot be used with Generic-SSL over other protocols.
>> For non-HTTP traffic, a generic offloading capability is supported including encryption
and decryption but not parsing or other services. You can select this option from the
Layer 4 Policy application parameter. See Layer 4 Policies, page 183.
194
SSL Policies
When AppDirector manages SSL encrypted traffic, the necessary certificates and ciphers must be
defined to allow SSL handshake.
Parameter
Description
Policy Name
(Mandatory)
Certificate
(Mandatory)
Cipher Suite
(Mandatory)
195
Parameter
Description
Cipher Suite
(Mandatory)
continued
RSA:AES-128:SHA1: Cipher suite using RSA key exchange, 128bit AES for encryption and SHA1 hash for MAC.
RSA:AES-256:SHA1: Cipher suite using RSA key exchange, 256bit AES for encryption and SHA1 hash for MAC.
MSIE Export56: 56 bit export version of Microsoft Internet
Browser v 5.
User Defined - AppDirector supports all ciphers supported by the
accepted OpenSSL format and more information can be found in
OpenSSL documentation.
Note: For a comprehensive list of all front-end and back-end ciphers
used by AppDirector, see Complete List of the Content Of All
Cipher Suites (Front-end and Back-end), page 593.
User-Defined Ciphers
If the predefined list does not suit your needs, you can specify allowed
ciphers. The OpenSSL convention for specifying ciphers must be
followed. This field is non-active even if defined unless User Defined
is selected in Cipher Suite.
Intermediate
Certificate
Enables you to define the port where the backend server is listening.
When changing from HTTPS (port 443) to HTTP (port 80) traffic often
needs to be sent to a different port to where it was originally destined.
Default: 80
Note: If the Back End listening port is not configured, the Layer 4
policy port is used to access the back end servers.
196
Parameter
Description
Protocol Redirection
HTTP Redirection
Conversion State
3. Please use the following comprehensive Cipher Suite table when configuring your SSL policy.
4. For passing SSL information in Headers, click ... alongside this field. The Passing SSL
information to Back-End servers in HTTP Headers dialog window opens.
197
Notes:
>> When using Generic-SSL offloading, you cannot use HTTP headers to forward data to
servers.
>> "You cannot create an SSL policy where both Front-end and Back-end SSL State
parameters are disabled.
5.
Mark the Information Type that you wish to select and the accompanying Header Name field is
enabled for you to add or edit the appropriate header name. Select from:
Parameter
Description
Cipher Suite
Defines which Cipher suite is to be used during the SSL handshake. The
cipher suite used by the client, for example RC4-MD5.
SSL Version
Cipher Bits
The number of bits used for encryption by the cipher, for example 128
Bit
Add Front-End
HTTPS Header
Adds a special header to requests sent to the server signaling them that
an SSL offloading device is being used. Servers that support this will
send redirect messages (HTTP 302) with the location set to HTTPS
instead of HTTP (see HTTP Redirection Conversion State parameter
above for more information).
Example
When working with HTTPS to a backend Outlook Web-Access (OWA)
server the responses are not presented properly in a Firefox browser.
This can be worked around using AppDirector SSL information headers
and adding the Add Front-End HTTPS Header to the SSL policy.
The dialog window is shown here.
6.
198
199
Authentication Setup
1. An Administrator sets up an Organizational CA. As part of this process, the CA has a self-signed
(or 3rd party) Certificate installed on it to identify it.
2. The CA server generates Client Certificates for the Clients. Clients install certificates into their
Browser repository.
3. To create trust between the CA and the Authentication Server (AppDirector), the Client CA
certificate is imported into AppDirector.
4. The Administrator then sets up an OCSP server (may be the same CA, or a central OCSP of a few
organizational CAs).
5. An OCSP URL for sending the OCSP validation requests is set up on the OCSP server
6. The OCSP URL is updated as a field inside the Client Certificate and/or AppDirector.
7. Optionally, the OCSP server receives a certificate for signing OCSP responses or the OCSP
certificate is imported into AppDirector to validate OCSP response
9. CRLs are generated by Clients CA and updated regularly for the OCSP server.
As part of the SSL handshake, the Client sends a Client Certificate to AppDirector.
2.
AppDirector matches the Client CA issuer field against the Client CA that is trusted according
to its configuration.
3.
4.
AppDirector then sends an OCSP validation request to the OCSP server URL.
5.
The OCSP Server generates a response (valid/invalid), signs it with its own certificates and
returns it to AppDirector.
6.
7.
To authenticate the clients identity a CA certificate has to be imported into AppDirector. This CA
certificate is used when the AppDirector receives a client certificate and attempts to validate it. The
client certificate is valid only when its issuer conforms to the CA certificate that was imported into
the AppDirector. Client certificates must be installed on the client browsers by the organization or by
the clients. You can check if a valid client's certificate was revoked by the CA by configuring
AppDirector to check its status using OCSP (Online Certificate Status Protocol).
From the AppDirector menu, select Layer 4 Traffic Redirection > Authentication > Client
Authentication Policies. The Authentication Policies window appears.
2.
200
Parameter
Description
Policy Name
Trusted CA
Parameter
Description
CA Required
Redirection URL
Defines the URL to redirect clients to when Client Authentication fails and
you wish to notify this to users in a graceful way rather than by default
browser message.
Default: Empty
CA Depth
Pass Certificate info Allows forwarding Client Certificate information to the application servers
in Headers
using HTTP headers. For more information see Certificate Information
Headers, page 202.
Certificate
Validation Policy
Certificate Validation
Certificate
Revocation Check
Defines whether AppDirector verifies that the client's certificate has not
been revoked by the CA (Certificate Authority) before completing the SSL/
TLS handshake. The revocation check can be performed using OCSP.
Values: OCSP / Disable (default).
Response Time
Deviation (sec)
Verify Certificate
Chain
When enabled, an OCSP request is sent for every certificate in the chain,
When disabled, an OCSP request is sent to client certificate only.
OCSP URI
Precedence
OCSP URI
201
Parameter
Description
Response Allowed
Signing Algorithm
Defines the time for which validated OCSP responses are cached. Since
CA servers update the CRLs on the OCSP parochially (every 12 hours or
24 hours), there is no need to overload the OCSP server with repetitive
OCSP requests for the same certificate. The Caching is per Client
Authentication or TSL Authentication policy and entries are not shared
between policies. The OCSP cache time is defined in minutes.
Values: 0 (default) - 180000 minutes
Note: When set to 0, OCSP Cache is disabled.
Send Nonce
3.
4.
In the required Layer 4 policy, select the Client Authentication policy that you configured.
To purge Cache
1.
Select policy name from the drop down list with policies names.
2.
Notes:
>> With Generic-SSL offloading, you cannot use HTTP headers to forward data to servers.
>> With each Certificate of Client CA you can bind multiple CA Certificates to a single Client
Authentication policy by concatenating multiple certificates into a single import
operation. To use multiple client CA certificates on the same Client Authentication policy:
open the CAs PEM certificate files with a text editor and copy the content. In the
AppDirector certificate import, paste the certificates text into the text box together one
after the other. During the import they are concatenated.
202
Multi line format is equivalent to esc_ctrl, esc_msb, sep_multiline, spc_eq and lname.
Comments start with /* and end with */.
Single line format is equivalent to specifying the esc_2253, esc_ctrl, esc_msb, utf8,
dump_nostr, dump_der, use_quote, sep_comma_plus_spc, spc_eq, and sname options.
Comments start with //.
2. Information Character Set - ASCII/Unicode - When Using ASCII encoding for sending certificate
details AppDirector uses slash (/) as delimiter between information fields. When using Unicode
encoding for sending the certificates details AppDirector uses commas (,) as delimiter.
Once you click OK, the window generates the argument list separated by the | delimiter.
When Pass Certificate Info in Headers is used, AppDirector can pass required fields of the client
certificate to the web server in the GET requests. An application on the web server then extracts this
information from the GET request's HTTP headers and uses it for proprietary purposes.
A client certificate field is passed on, as is, to the web server. If, for any reason, a field carries no
information, then that field is not passed on to the web server. However, if a field carries some
information, but one or more sub fields do not carry any, for example, the E= sub field in the
Subject field, then that field (Subject) is copied to the HTTP header as is.
To configure AppDirector support for forwarding Client Certificate fields to the back-end web server,
see To configure AppDirector Client Authentication Policy, page 200.
In practice, the TSL standard handles situations where one organization is responsible for the
creation, distribution and management of electronic ID cards (e.g. Government), and other
organizations need to authenticate users based on the e-IDs (e.g. Tax management, Health
203
TSL Structure
The TSL contains four major components, structured as follows:
List of recognized Services provided by each TSP: indicates the service(s) provided by these
TSPs and the current recognition status of these service(s);
204
TSL Information
The TSL contains structured information. Some of the information is necessary to identify the TSL
itself or to facilitate its search: a first category of these fields such as TSL tag (to facilitate locating
the TSL with a search engine), scheme information (such as version identifier, scheme operator
name, etc.), are used as header information, to be able identify the correct TSL to be used.
The other data that forms part of the TSL body includes a sequence of fields holding information on
the TSPs that the scheme oversees. Additionally, for each TSP, a sequence of fields holds information
on the service(s) provided by that TSP. For each service, a sequence of fields holds information on
the status history of that service.
Finally, a signature is computed over all fields of the TSL. The logic of the list is that, once the
assessment scheme operator has accredited, or become aware of the existence of, a TSP and of its
services, for each of them the current status, as determined according to the scheme rules, is
indicated in the TSL.
Trusting a TSL
A TSL is a signed electronic document. To verify the signature, relying parties need to be able to
access the applicable public key. Since the scheme issuing the TSL is more hierarchical than the
TSPs governed by that scheme, the authenticity of the public key should not be certified by any TSP
inside or outside the scheme. Providing the scheme's public key is a similar problem to providing the
public key of a CA service. The key used for signing the TSL must have a public-key certificate
published.
On every TSL file import (manual/automatic) a list of validations are performed to ensure its
integrity and currency. These include File signature verification and sequential number progress.
205
From the AppDirector menu, select Layer 4 Traffic Redirection > Authentication > TSL File
Import. The TSL File Import window appears.
2.
In the File field, click Browse and locate the file that you want to import. Alternatively, click
Browse to search the directory tree for the file.
3.
Click Import. An Import Finished message appears and a Create Chain button appears.
4.
Click Create Chain. The TSL Files Chain window appears. See Configuring TSL Files Chain,
page 206.
From the AppDirector menu, select Layer 4 Traffic Redirection > Authentication > TSL
Files Chain. The TSL Files Chain window appears.
2.
Parameter
Description
Chain Name
TSL Parameters
TSL Root CA
Name of the TSL Root certificate to be used from the certificate table. The
TSL Root Certificate should be first imported into the Certificates Table.
For more information about importing certificates see Importing
Certificates, page 453.
Values: Null (default), TSL Root Certificate.
Original File
206
Name of the original manually uploaded TSL file. For more information
about uploading the original TSL file to AppDirector see TSL File Import,
page 205.
Parameter
Description
Automatic Update
Hours
Defined time (hours and minutes) when AppDirector checks and fetches
an updated TSL File, ( e.g. 02:00).
Values: HH:MM (in 24hr format with multiple values separated by
commas without spaces).
Examples:
14:35 will make the update run at 2:35 PM
02:00,14:15, 18:00 will make the updates run at 2:00AM, 2:15PM
and 6:00PM
Notes:
Setting the Update to none causes automatic updates to be turned
off.
When you change the time, by NTP or daylight saving (see Time
Settings, page 440), TSL updates set before the change will still
occur, ignoring this time change in the pre-scheduled update.
However, after one upgrade, they will reschedule according to the
correct clock.
TSL Proxy
Proxy URI
Proxy Username
Proxy Password
Parameter
Description
Chain Name
TSL Parameters
TSL Root CA
Name of the current used TSL Root certificate from the certificate table.
This is the current TSL file chain in use that was added manually or the
one replaced via the new TSL file.
Values: Null (default), TSL Root Certificate.
Original File
Active File
After initial definition is performed, this field shows the name of the
active TSL file at any time. This is not visible during initial configuration.
207
Parameter
Description
Automatic Update
Hours
Last time the TSL file was manually or automatically updated. (DD-MMYYYY HH:MM format).
TSL File Active Until Time in which Active TSL file becomes obsolete (in DD-MM-YYYY HH:MM
format). At this time AppDirector will generate an SNMP alert to notify the
situation but will continue to work with the obsolete file's configuration.
An additional alert will be issued on every update interval.
If a TSL file includes a new TSL root that should replace the defined TSL
Root at a given time, this field will show the name of the new TSL Root
Certificate, (the Next Root TSL file).
Next TSL Root valid If a TSL file includes a new TSL root that should replace the defined TSL
date
Root at a given time, this field will show the time in which the new TSL
Root Certificate will become active for signing new TSL files.
4.
Once an initial TSL configuration has been created, it will now contain the update time and the
location from which to take the next TSL file (Primary and Secondary URIs for next update are
embedded in the origin TSL file). As per update schedule, AppDirector requests a TSL update
from the TSL URL
2.
3.
4.
The TSL Files are parsed by the Authentication server and the following elements are extracted:
Certificates off all trusted Client CAs (with their OCSP URLS)
At the specified update time, a new TSL file will be fetched and verified.
AppDirector supports TSL update fetching over the HTTP protocol. If the fetch fails, a connection to
the secondary URL is attempted (up to three times to each URL). If all retrieval attempts fail, a trap
is sent by AppDirector.
208
Parameter
Description
Policy Name
CA Required
209
Parameter
Description
Redirection URL
CA Depth
Certificate Validation
Policy
Select TSL Files Chain to be used in this TLS Policy. The TSL File Chain
must be configured prior to configuring the TSL Policy. See Configuring
TSL Files Repository, page 211 for more information.
OCSP Parameters
OCSP Cache Time
Defines the time for which validated OCSP responses are cached. Since
CA servers update the CRLs on the OCSP parochially (every 12 hours or
24 hours), there is no need to overload the OCSP server with repetitive
OCSP requests for the same certificate. The Cache is per Client
Authentication or TSL Authentication policy and entries are not shared
between policies. The OCSP cache time is defined in minutes.
Values: 0 (default) - 180000 minutes
Note: When set to 0, OCSP Cache is disabled.
Response Allowed
Signing Algorithm
Response Time
Deviation (sec)
Send Nonce
The OCSP cache purge operation is used for clearing OCSP cached
responses. OCSP cache purging is done per client authentication policy
or for all client authentication policies.
Select policy name from drop down with policies names.
3.
210
All fields/extensions that appear in policy must appear in the certificate (AND)
One of the values defined for each field/extension should match the value that appear in this
field/extension in the certificate (OR), In case of multiple values in the extensions data,
AppDirector will look for ANY OF the extensions values within the values defined in the CVP.
If field/extension value in policy is defined as "*" (asterisk) it means that the field/extension
should appear in certificate but may have any value.
Parameter
Description
Policy Name
Certificate Field /
Extension Name
The Field name to validate. Select from the values shown in Certificate
Validation Policies Values Formats per Field/Extension., page 213 or
define another extension by writing in its OID.
Default: Version
211
Parameter
Description
Index
The rule index is used as an identifier only and its numeric value has no
other meaning.
Values: 0 (default) - 65000
Optional Extension
3.
2.
Certificate Fields
Only the fields listed in the table are supported.
Notes:
>> Since the match is substring-based, it is not necessary to provide values in full format.
Therefore, if a configured value is a substring of the value given in a certificate, there
will be a match.
>> The matching of certificate fields content is exact, partial strings matches will fail. This
means that to match an issuer or subject, for example, the full DN should be specified
and not CN only. i.e. CompanyCA will fail because it is CN value only, and full DN such
as C=US, O=MyCompany, CN=CompanyCA will match.
212
Field Name
Format
Example
Version
Number (decimal)
Serial number
Hex String
0x5057
Issuer
Subject
Number (decimal)
1024
Signature Algorithm
sha1WithRSAEncryption
md2WithRSAEncryption
md4WithRSAEncryption
md5WithRSAEncryption
sha1WithRSAEncryption
dsaWithSHA
dsaWithSHA1
dsaWithSHA1-old
ecdsa-with-SHA1
mdc2WithRSA
ripemd160WithRSA
sha224WithRSAEncryption
sha256WithRSAEncryption
sha384WithRSAEncryption
sha512WithRSAEncryption
3. Known certificate extensions
213
Extension Name
Format
Example
Hex String
19:71:D3:07:AD:60:88:5C:C3:A0:3F
:AE:B2:52:08:EC:47:CC:11:1B
Key Usage
Digital Signature
Non Repudiation
Key Encipherment
Data Encipherment
Key Agreement
Certificate Sign
CRL Sign, Encipher Only
Decipher Only
Subject Alternative
Name
email:my@other.address, URI:http://
my.url.org
CA:FALSE
CA:FALSE
Hex string
URI:http://my.com/my.crl,URI:http://
oth.com/my.crl
214
OCSP - URI:http://ocsp.my.org/
Extension Name
Extended Key Usage
Format
One or more of the following
values or OIDs (dot notation),
comma separated:
Example
Netscape Server Gated Crypto,
Microsoft Server Gated Crypto,
2.3.4.5
Code Signing
E-mail Protection
Time Stamping
Microsoft Individual Code
Signing
Microsoft Commercial Code
Signing
Microsoft Trust List Signing
Microsoft Server Gated
Crypto
Microsoft Encrypted File
System
Netscape Server Gated
Crypto
TLS Web Server
Authentication
TLS Web Client
Authentication
Netscape Certificate
Type
SSL Client
SSL Client
SSL Server
S/MIME
Object Signing
Unused
SSL CA
S/MIME CA
Object Signing CA
Netscape Base URL
String
Netscape Revocation
URL
String
String
String
String
Netscape Comment
String
215
Extension Name
Format
Subject Information
Access
Proxy Certificate
Information
Number (decimal)
Name Constraints
Permitted:<list of permitted
entities GENERIC NAME format,
separated by semicolon>;
Example
Example
Extension Name: 1.3.36.8.3.3
Extension Value: countryName:DE:organizationName:gematik:Broker:1.2.276.0.76.4.88
216
Application Acceleration
Enhanced Acceleration
This section refers to when Application Acceleration features are enabled and includes these topics:
Compression
Todays Web-based applications which are richer in their textual and visual content still run over
non-optimized HTTP protocol, which was originally designed for dial-up speed applications and one
way transfers of data between two machines, and is therefore less efficient at dealing with the new
types of multi sequence and high bandwidth web traffic. This chatty nature of HTTP and the
growing volume of each transaction, due to the richer content, slow response time considerably and
consume expensive bandwidth.
A Radware hardware-based compression solution can ensure optimal application delivery and
bandwidth savings, as can be seen in figure 4, through compression of web pages such as HTML and
JavaScript in real-time before transmission on the network. This is important especially for small
remote offices and home offices users where bandwidth may be limited. This dynamic HTML
compression accelerates traffic by reducing the payload using an open compression standard (gzip
and Deflate), providing a powerful performance boost since HTML is an ASCII text, which is highly
compressible. The support of industry-standard gzip algorithm (as well the Deflate algorithm)
ensures compatibility with virtually all popular web browsers without requiring any special software
installation on the end-user machine.
AppDirector offers options to control compression behavior. These capabilities include the ability to
define whether objects should be compressed for Browser, Content-Type or URL specific behavior,
and view and use Predefined exceptions of the default compression behavior based on known
Browsers limitations.
217
Caching
Web pages are composed of a series of objects. Many of these objects are static objects that are the
same from page to page. Radware AFE can automatically recognize requests for such objects and
retrieve them directly from the devices local cache without fetching them from the web server. This
capability offloads the server from dealing with unnecessary requests and as the same time
accelerates objects delivery to the end-user.
Caching can also save transformed objects at the cache such as different versions of a given image
that has been compressed and optimized differently for various end users and end users' devices (as
it was explained in the Image optimization section).
Radwares caching is fully compliant with RFC 2616 of HTTP 1.1. It respects all relevant HTTP
Headers (such as: Cache-control, Expires, Authorization, and Pragma), which are the Web
Application means of dictating which content is to be cached and when it should be refreshed.
AppDirector has options to determine its Cache behavior, both in terms of which content to cache,
and in terms of which content to serve to clients from Cache or from Servers. AppDirector Cache
policy includes the option to define per URL caching behavior and cache maximum time, and the
option to better leverage client Browser's cache to improve response times and QoE.
Enhanced Acceleration
From the AppDirector menu, select Global > Tweaks. The Tweaks window appears.
2.
Within the Tweaks window, ensure that you select the Acceleration Engine parameter and mark
as Enabled.
3.
Standard Acceleration
From the AppDirector menu, select Global > Tweaks. The Tweaks window appears.
2.
Within the Tweaks window, ensure that you select the Acceleration Engine parameter and mark
as Disabled.
3.
Caution: You will not be able to upload a configuration file with Application Acceleration Enabled
when the device is in Application Acceleration Disabled mode
218
Acceleration Policies
Enhanced Acceleration
AppDirector provides end-to-end performance acceleration of Web-based applications for all endusers types such as desktops, PDAs and smart-phones. AppDirector also uses advanced and
granular application intelligence (Layer 7 load balancing) for end-to-end business-smart networking.
This section describes the configuration necessary to activate acceleration mechanisms and to finetune HTTP content-based load balancing. It includes the following:
Rule Lists
To assist configurable compression and caching, Radware has developed Rule - Lists (lists of rules)
that match defined patterns on a set of HTTP headers (User Agent, MIME Type) or URI and
determine whether to perform an action (compress or cache). Rule-Lists are scanned for a match
until the first match is found. Therefore, rules priorities that determine rule order are important.
to define name of target rule list from list of existing Rule-lists or new (Destination of Copy)
When Set is pressed, all rules are copied from Source to Destination.
Notes:
>> If rules already exist in the Destination policy, you will receive the following message:
"The target Rule List already contain rules. To avoid accidental
219
From the AppDirector menu, select Layer 4 Traffic Redirection > Copy Rule Lists. The
AppDirector Copy Rule List window appears.
2.
Parameter
Description
Rule-List Type
Define name of new Rule-List to which all rules in Source Rule-List are
copied.
Default: none
Default: none
3.
Caching Policies
AppDirector supports caching of HTTP traffic. Caching improves the overall network performance.
Using caching, backend servers are required to serve less content, which can save on fetching data
and creating dynamic HTML pages.
Caching can also decrease the number of required TCP connections to the backend servers. It allows
a more efficient use of compression features, as AppDirector can cache compressed objects, and
save the need to re-compress the same object for each client request. Caching is memory based.
Once Caching is enabled for one Layer 4 Policy or more, up to 50% of available Acceleration Engine
memory is used for cache. The amount of memory used depends on traffic and the cached objects
and is configurable from 1 % - 50% (default 20%) in the Tuning Table.
Note: If a Caching policy is defined, by default the action is cache all the content.
220
Parameter
Description
Policy Name
(Mandatory)
Minimum Object
Size [Bytes]
Maximum Object
Size [Bytes]
Default: Empty
Default: 1024 bytes
Default: 102,400 bytes
Expiration [seconds] Maximum time that an object is kept, even if the object header is
specified longer. If the object header or configuration via Cache URL RuleList is specified less, it is purged according to its header / configuration.
Default: 86,400 (24 hours)
Leverage Browser
Cache
You can modify caching headers to leverage client side (browser) cache:
For objects marked for caching:
Add/modify objects' HTTP headers to include Cache-control: public, maxage=X.
X is derived from general cache settings or from the URI rule responsible
for caching the specific object.
Values: Enabled/Disabled (default).
Respect Server
Headers
Respect Client
Headers
221
Parameter
Description
URL Exceptions Rule Disable or select from list of Cache URL Rule lists.
List
Default: Disable
Note: You can define Domain without anything in the URL field to
support use-cases of different behavior per domain. However, if
Domain is not defined (Domain_type=none) then the URL field
is mandatory.
Ignore Query
Parameters
3.
4.
In the required Layer4 policy, select the Cache policy that you configured.
To purge cache
1.
From the AppDirector menu, select Layer 4 Traffic Redirection > Caching Policies. The
AppDirector Caching Policy window appears.
2.
3.
222
Parameter
Description
Rule-List Name
There are multiple rule-lists. Each is a policy that contains multiple rules.
Default: none
Rule Priority
Location of the rule in the Rule-List. Since Rule-Lists are scanned for a
match from top (priority 1) to bottom (priority ~65000) this enables you
to set the location of the rule in the rule-list. See Leveraging Rule List
Behavior, page 219.
Rule Name
URL Comparison
Method
URL
Cache
Expiration Time
223
Compression Policies
HTTP Compression is a publicly defined way to compress content (mostly textual) transferred from
Web servers across the world wide Web to browsers. The impact of compression is that the number
of transmitted bytes is reduced and thus a higher performance is gained. HTTP Compression uses
public domain compression algorithms to encode HTML, XML, JavaScript, CSS and other file formats
at the server-side.
AppDirector Compression policy includes 3 levels of optional exceptions. The First level is a list of
known problems (bugs) in commonly used browsers that cause them to mishandle specific types of
compressed content and thus predefined expectations exists to avoid these problems. This list can
be viewed as the in the Browsers Exceptions Rule-List screen as the Predefined Browser Limitation
Rule-List. The Predefined Browser Limitation Rule-List can be customized by copying it using the
Copy Rule-Lists into a new Browser Exceptions rule list. The second level of exceptions provided in
the form a customized Browser exceptions Rule-List that can define compression behavior in term of
browser type (User-Agent) and Content-Type (File type as it appears in Object headers). The third
level of exceptions allows defining very specific compression behavior per URI, similarly to Cache
URL exception Rule-List. Exceptions are evaluated from most granular (URL Exceptions) through to
more gross ones (Browser Exceptions) to the most general ones (Predefined Browser Limitations) to
allow user to use them a narrowing series of filters.
You can configure compression of HTTP content from AppDirector to the client. AppDirector supports
either Gzip or Deflate algorithms. AppDirector has a default compression by software service. The
compression level indicates how much the file is compressed. It does not indicate the compressed
file size, this depends on the file content itself.
From the AppDirector menu, select Layer 4 Traffic Redirection > Compression Policies.
The AppDirector Compression Policy window appears.
2.
Parameter
Description
Policy Name
(Mandatory)
Name of Policy.
Algorithm
Default: Empty
Minimum Content
Length (Bytes)
224
Parameter
Description
Maximum Content
Length (Bytes)
Compression Level
Allow Compression By
Server
This deletes the Accept Encoding Header from requests sent to the
server to prevent it from performing compression.
Values: Disabled (default)/enabled
Use Predefined
Browser Exceptions
Browser Exceptions
Rule List
Define specific URLs (files/folders) for which all other settings should
be overridden and compression or no-compression should be done.
Values: None (default)/Specific URL
Notes:
You can define Domain without anything in the URL field to
support use-cases of different behavior per domain.
However, if the Domain is not defined (Domain_type=none), then
the URL field is mandatory.
225
From the AppDirector menu, select Layer 4 Traffic Redirection > Compression Browsers
Exceptions Rule Lists. The AppDirector Compression Browser Rule List window appears.
2.
Parameter
Description
Rule Priority
Rule Name
User Agent
Comparison Method
User Agent
Content Type
Comparison Method
Content Type
Compress
3.
Note: To manage Rule-Lists efficiently, use the filter boxes at the top of the Rules table.
226
Parameter
Description
Rule-List Name
Rule Priority
Location of the rule in the Rule-List. Since Rule-Lists are scanned for a
match from top (priority 1) to bottom (priority ~65000) this enables to
set the location of the rule in the rule-list. See Leveraging Rule List
Behavior, page 219.
Default: 1
Rule Name
Domain Comparison Allows defining different behavior for specific URLs within different virtual
Method
hosts on the same server. Defines whether used at all (None), or to be
evaluated as a String or Regular Expression
Values: None (default)/Text Match/Regular-Expression
Domain
URL Comparison
Method
URL
Compress
Note: To manage Rule-Lists efficiently, use the filter boxes at the top of the Rules table.
227
Layer 7 Methods
A Layer 7 Method defines a specific criteria (namely the existence or non existence of certain specific
content within the message), evaluated on a specific part of each handled message. Layer 7
Methods are used in load balancing and modification decisions. A condition will evaluate to TRUE
only if all values specified in the method match values appearing in the specified part of the
message. In addition, Layer 7 Methods are used to define the modification required on the traffic
(different Layer 7 method is used to identify the traffic where modification is necessary).
The following table shows the available Layer 7 methods and where they can be used:
Available
for Layer
7 Farm
selection
Modify traffic
(Action)
Insert*,
Replace
URL
Insert,
Remove*,
Replace
File Type
Header Field
Header field
Cookie
Regular
Expression
Insert, Remove,
Replace
Text
Status Line
Status Line
Insert, Replace
Set Cookie
Advanced
URL in request message or HREF in
URL Condition response body
228
Replace
Replace
Available
for Layer
7 Farm
selection
Advanced
URL
Modification
RADIUS
Attribute
Modify traffic
(Action)
Insert, Replace
Note:
>> All content settings of the Methods are case sensitive.
>> * - Only URL methods that have Path argument but no Host argument can be used.
Parameter
Description
Method Name
Method Type
Arguments
Appropriate argument type will appear when clicking the file selection
icon. Select according to Hostname and Path.
4. To define the arguments relevant to the selected method, click the option
The arguments window for the selected Method type appears.
button alongside.
Note: In the case of Advance URL Condition and Advance URL Modification, arguments
appear as fields in the Method Create/Edit window and not as separate windows.
229
Method Type
Method
Specific
Parameters
Description
Example
URL
Host Name
Host Name =
www.a.com
Path = cgi-bin
File Type
TYP=html
Header Field
Header Field
HDR=AcceptLanguage|TKN=en
-us
TKN=en-us
Cookie
Cookie Key
KEY=
server|VAL=red
Cookie Value
VAL=red
Regular
Expression
EXP=.abc
Regular Expression
230
Method Type
Method
Specific
Parameters
Description
Example
Set Cookie
Key
KEY=server
Value
VAL=red
Path
P=cgi-bin
Domain
DMN=service.com
Expire After
Status Line
Status Code
SCD=404
Status Text
SPHS=Not Found
Text
Text
String
TXT=abcdefg
Radius Attribute
Attribute
Number
AN=1
Vendor ID
Vendor
Vendor specific attribute type allows to VT=6
Specific
search for a specific sub-attribute
Attribute Type inside a vendor specific attribute.
Relevant only when Attribute Number
is 26.
Attribute Value Values of type string (ASCII), integer
or IP address only are supported. For
Vendor Specific attributes only values
of type string are supported.
AV=domain.com
231
Method Type
Method
Specific
Parameters
Description
Example
Match Type
Enhanced Acceleration
Advanced URL
Condition
Protocol
e.g. HTTP.
Hostname
Match Type
Port
Path
Path = cgi-bin
232
Method Type
Method
Specific
Parameters
Description
Page Name
Example
Path Match
Type
Advanced URL
Modification
Protocol
e.g. HTTP.
Port
Hostname
ActionType
Path
P=cgi-bin
Page Type
Page Name
5. Select the options as shown in the table above and click Set. You are returned to the main
Method Table window.
6. Click Set. Your configuration is set.
233
Providing content to end users based on language and/or type of browser (PC or mobile).
Providing differentiated service to e-commerce customers based on what they want to buy
(URL).
UDP protocols.
Notes:
>> When performing Layer 7 farm selection for UDP traffic, AppDirector inspects each
packet separately and selects the appropriate farm and server.
>> Layer 7 farm selection is NOT available for dynamic protocols, such as FTP and TFTP.
When AppDirector receives the first packet of a session destined to a Virtual IP address, it
searches for a Layer 4 Policy that matches the Layer 4 Protocol, Destination Port, Source IP, etc.
(see Layer 4 Policies Lookup Mechanism, page 186).
2.
If the matched Layer 4 Policy is for TCP traffic and is linked to a Layer 7 Policy, Delayed Binding
is activated.
3.
AppDirector performs a TCP handshake with the client to receive the application request.
4.
When AppDirector receives enough information, it matches the data in the request with each
one of the entries of the Layer 7 Policy attached to that specific Layer 4 Policy. If traffic is UDP,
the matching process is performed for each packet.
5.
Once a match is found, AppDirector load balances the traffic to the farm defined in the matched
entry. For HTTP, HTTPS and SIP, the action of a Layer 7 policy can be to redirect the traffic,
instead of load balancing it to a farm.
6.
AppDirector selects the best server for the task from the farm providing the requested service.
7.
When traffic is TCP AppDirector initiates a TCP handshake with the server and forwards traffic,
once TCP connection is established. For UDP, AppDirector just forwards the traffic to the selected
server.
234
Note: If no matching Layer 7 Policy entry is found, the session is discarded - if it is TCP, a RST
is sent to client.
Each Layer 7 Policy entry can use up to two Layer 7 criteria, (Layer 7 Methods) such as URL or HTTP
Header, and the criteria is combined with AND logic. Each entry specifies the farm to be used if the
Layer 7 criteria in it matches the request.
Parameter
Description
Policy Name
Policy Index
Order in which policy entries are matched. You cannot update the Index
once it is defined.
First Method
First method used to select a specific farm. Also see Layer 7 Methods,
page 228.
Second Method
Second method used to select a specific farm. Also see Layer 7 Methods,
page 228.
Farm Name
Farm to which the traffic must be load balanced when this entrys criteria
is matched.
Note: You can define an empty string as the farm name. When such
rules are matched, AppDirector resets the TCP connection,
effectively blocking access.
4. A policy can have a number of arguments (optional). To select an Argument, click the option
button alongside. The Arguments for Policy window appears.
5. Select the options as shown in the table below and click Set. You are returned to the main
Layer7 Policy Table window. In the Arguments field, you can view all configured arguments in
string format. Each argument has its own code displayed in string format.
235
Parameter
Description
Arguments
Note: The arguments are case sensitive, meaning that when you configure the Arguments
string directly, the arguments keys must be defined in upper case.
6.
236
Layer 7 Statistics
You can view statistics for Layer 7 Policies. For each policy, you can view the total number of
matched HTTP GET requests and the number of HTTP GET requests per second.
Parameter
Description
Policy Name
Policy Index
Search order of your policy, e.g. one will make the policy appear first.
Total Matches
Note: If the domain name requested in the DNS query received is not known, traffic will be
forwarded (load balanced) to the default farm.
237
For each domain name for which DNS farm selection is required, entries for Host Names must be
configured with the following parameters:
Similarly an entry can be configured for a group of domain names using the Regexp Host Names
table.
When traffic arrives matching the DNS Layer 4 policy, the domain is extracted from the DNS request
for lookup in the Host Names/Regexp Host Names.
If a domain is found and the DNS Action is set to Forward and the query is A, AAAA or PTR, the
request is load balanced to the farm specified in the Host Names entry
If a domain is found but the DNS Action is set to Resolve and the query is A, AAAA or PTR,
AppDirector resolves the DNS query and sends a response, without load balancing it to any backend server.
Note: For an AAAA query the device replies with an empty answer, communicating to the DNS
client that the domain name is known, but the query type is not supported.
If a domain is not found or a record type is not supported by AppDirector, a request is load balanced
to the default farm, (the farm specified in the DNS Layer 4 policy).
When traffic reaches an AppDirector IP interface or Virtual IP Interface (VIPI), DNS load balancing
cannot be performed. Resolution can only performed by the device. If the requested domain appears
in the Host Names table with the DNS Action set to Forward, a No such name response is sent.
Layer 7 Modification
You may often need to change the headers or body of a HTTP session, for a variety of reasons. Some
of the examples are:
Inserting a HTTP Header X-Forwarded-For when redirecting traffic, to convey to the Destination
server who was the originator of the communication.
Removing a HTTP Header from server replies to clients to hide server identity.
extensive Layer 7 modifications capabilities including, inserting, removing and updating Layer 7
headers, such as URL, cookie, header fields and status line as well as any Layer 7 header that
can be identified by a specific text or regular expression.
Layer 7 header modifications support HTTP or other HTTP-like (has HTTP-like header) TCP traffic
only.
238
Note: When multiple rules are configured for the same farm, they should not define
modifications on the same section. If such modification rules are configured, only the
first one, (with the lowest index), will be performed.
Parameter
Description
Name
Key name.
Index
Farm
Modification Scope
239
Parameter
Description
Direction
Admin Status
4.
The rest of the parameters depend on the value of the Modification Scope.
a.
Parameter
Description
Modification Type
b.
Match Condition
Modification
Parameter
Description
Enhanced Acceleration
Header and Body
Condition
5.
240
Configuration
Behavior
Insert
Match Condition:
Text
Remove
Text
Regular Expression
241
Action
Configuration
Behavior
Replace
242
Note: * Only methods supported for each Action type are mentioned.
Example
Modific Direction
ation
Type
Client Requests
Match
Condition
Modification
Empty
Method= Header
Field
Header Field = XForwarded-For
Token=$Client_IP
Insert
Server Replies
Method=Set-Cookie
Cookie Key=MyKey
Cookie Value=
MyFarm
Server Replies
Client Requests
Content Types that Layer 7 Header and Body Modification can process
The following content types expressed as content-type text/......can be processed by Layer
7 Header and Body Modification:
asp
vnd.wap.wml
x-script.csh
x-server-parsed-html
css
vnd.wap.wmlscript
x-script.elisp
x-setext
html
webviewhtml
x-script.guile
x-sgml
mcf
x-asm
x-script.ksh
x-speech
pascal
x-audiosoft-intra
x-script.lisp
x-uil
plain
x-c
x-script.perl
x-vcalendar
richtext
x-component
x-script.perl-module
xml
scriplet
x-fortran
x-script.phyton
javascript
sgml
x-h
x-script.rexx
x-javascript
tab-separated-values
x-java-source
x-script.scheme
application/x-javascript
uri-list
x-la-asf
x-script.sh
vnd.abc
x-m
x-script.tcl
vnd.fmi.flexstor
x-pascal
x-script.tcsh
vnd.rn-realtext
x-script
x-script.zsh
243
When the Add X-Forwarded-For to HTTP request parameter is enabled in a farm, AppDirector
automatically generates a Layer 7 modification rule that inserts the X-Forwarded-For header
with the value of the original client IP in packets sent to the server. This capability is useful when
AppDirector performs Client NAT on traffic sent to servers - it allows server visibility of the
original clients.
2.
When the Insert Cookie for HTTP Persistency parameter is enabled in a farm, if the value of
this parameter is set to Enabled, AppDirector automatically generates the necessary
configuration to insert a cookie that contains the server identifier in the reply and keep
persistency for subsequent requests from the same client according to inserted value. A
different value is created for each client. The value is encoded using base64 encoding. The
device generates the following automatic configuration:
Method Set-cookie
Key <key>
Action Insert
AppDirector also creates the appropriate Text Match Session ID Persistency entry from the server,
before forwarding it to the client.
If Insert Cookie for HTTP Persistency is set to Enable and remove on return path" AppDirector
automatically generates two Layer 7 modification rules, one that inserts a cookie that contains the
server identifier and one that removes this identifier from subsequent requests before forwarding
them to the server. The Layer 7 methods and modification rules that are automatically generated are
read-only. If a user deactivates the capability in the farm configuration, the Layer 7 Modification rule
and Layer 7 method automatically generated for this capability are removed.
The following scenarios show the configurations for rewriting different parts of a URL. Configuring
URL rewriting policies is performed in the Edit URL Rewrite Policy window.
For all scenario examples, configuration that is not specified means default values are used.
In general, it is recommended to be as specific as possible in the Rewrite configuration. For example,
always specify the Domain Name, even when it is not changed.
Match Condition
Modification
Optional
Insert
Request
Name=X-Forwarded-For
Token=$Client_IP
244
Cookie Insert/Rewrite
The following scenarios display the modification rule for inserting or rewriting cookie for persistency
purposes. AppDirector can insert a cookie in server reply, if the application does not do it, to ensure
subsequent requests from same client are forwarded to the same server. In certain cases the
application inserts a cookie in reply, but with the same value for all servers - in such cases
AppDirector can rewrite the value with a value that will identify the server.
To insert a Set Cookie header in server reply, with key MyKey and value representing
the replying server
Match Condition
Modification
Optional
Insert
Reply
Key=MyKey
Value= $Server_SID_Cookie or
$Dyn_Cookie_Value
To change in server reply the cookie value in a Set Cookie header (Rewrite) with value
representing the replying server
Match Condition
Modification
Set CookieKey=AppKeyl
Replace
Reply
Value=$Server_SID_Cookie or
$Dyn_Cookie_Value
Match Condition
Modification
Optional
URL method:
Insert
Request
Path=?Mykey=MyCookie
Protocol Rewrite
The following scenarios display the URL Rewriting policy for rewriting the URL protocol in all requests
and replies, and in requests and replies of a specific domain:
To change all front-end HTTPS requests to back-end HTTP requests and all HTTP links
to HTTPS links:
Parameter
URL Modification
Method
Protocol
HTTPS
HTTP
Additional Parameters
245
Parameter
URL Modification
Method
Protocol
HTTPS
HTTP
Domain Name
www.site.com
www.site.com
Additional Parameters
Parameter
Additional Parameters
Protocol
HTTPS
HTTP
Domain Name
www.front-site.com
www.back-server.com
Parameter
Additional Parameters
Protocol
HTTPS
HTTP
Domain Name
www.front-site.com
www.back-server.com
246
Parameter
Protocol
HTTPS
HTTP
Domain Name
site.com
my.site.com
Additional Parameters
Or, alternatively
Parameter
Protocol
HTTPS
HTTP
Domain Name
site.com
my.
Additional Parameters
Note: Setting the back-end Domain Name to "my" instead of "my." results in changing
site.com to mysite.com.
Parameter
Additional Parameters
Protocol
HTTPS
HTTP
Domain Name
front-site.com
back-server.com
Note: With Operation Replace, the exact text that appears in the Front-end Domain Name is
replaced with the text that appears in Back-end Domain Name. For example, the URL
www.front-site.com/path/page.type with the above configuration is rewritten to
www.back-server/path/page.type, and the URL www1.front-site.com/path/page.type is
rewritten to www1.back-server.com/path/page.type.
247
Port Rewrite
When the client sends a request to destination port 80 for the URL HTTP://www.site.com, or to
HTTP://www.site.com:80 AppDirector rewrites the request to HTTP://www.site.com:8080. For the
reply, AppDirector rewrites URLs of HTTP://www.site.com:8080 to HTTP://www.site.com:80.
Note: When the back-end server is listening on port 8080 and there is no port number
specified explicitly in the URL, then there is no need for AppDirector to change the port
and both Front-End and Back-end Ports must be set to 80.
When the Front-End Port is the same as the Back-end Port, the device does not change the port
specified in the request. If no port is specified in the client's request or in server's reply, then the
device treats it as port 443 for encrypted traffic, and as port 80 for clear text traffic.
Path Rewrite
The following scenarios display the URL Rewriting policy for rewriting the URL path:
Parameter
Protocol
HTTPS
HTTP
Domain Name
www.site.com
www.site.com
Additional Parameters
Path
aaa
mypath/
Comparison
Type: Equal
Note: Setting the back-end Path to "/mypath" instead of "mypath/" as above, where the
operation is "Add Before", results in changing the URL HTTPS://www.site.com/aaa/ to
HTTPS://www.site.com//mypathaaa/.
248
Parameter
Protocol
HTTPS
HTTP
Domain Name
www.front-site.com
www.back-server.com
Additional Parameters
Path
aaa
/mypath
Parameter
Protocol
HTTP
HTTP
Domain Name
www.front-site.com
www.front-site.com
Additional Parameters
Path
aaa
mypath/
Comparison Type:Contain
Operation: Add Before
Parameter
Protocol
HTTP
HTTP
Domain Name
www.front-site.com
www.front-site.com
Additional Parameters
Path
aaa
mypath/
Comparison Type:Contain
Operation: Add Before
Note: When Comparison Type is set to Contain, then Operation Add Before implies the
additional text is added at the beginning of the path. Similarly, when Operation is set to
Append After, the additional text is added at the end of the path.
249
Page Rewrite
The following scenarios display the URL Rewriting policy for rewriting the URL page:
Parameter
Protocol
HTTPS
HTTP
Domain Name
www.site.com
www.site.com
Additional Parameters
Path
aaa
mypath
Page
page
newpage
Note: The Path is defined as the part of the URL between the first slash to the last slash. For a
URL like www.site.com/aaa/page.type/ (with a slash at the end) all directories are used
as the path, and not as page and page type.
Parameter
URL Modification
Method
Protocol
HTTPS
HTTP
Domain Name
www.front-site.com
www.back-server.com
Additional Parameters
Path
mypath
250
Parameter
URL Modification
Method
Protocol
HTTPS
HTTP
Domain Name
www.front-site.com
www.back-server.com
Additional Parameters
Path
mypath
Parameter
URL Modification
Method
Protocol
HTTPS
HTTP
Domain Name
www.front-site.com
www.back-server.com
Additional Parameters
Path
front-path
mypath/
Parameter
Description
Modification Name
Key name.
251
From the AppDirector menu, select Layer 7 Server Modification > Reset Statistics. The
Modification Reset Statistics window appears.
2.
Press Set. The global statistics of Layer 7 modification rules are reset.
Session ID Persistency
When it is necessary to establish multiple connections from the same user to the same server in a
farm, these sessions can be identified by application layer information found in the client's requests.
AppDirector is able to detect / inspect the Session ID information in the traffic and use it for server
selection in further connections, providing application aware server persistency. You can configure
different persistency schemes for different applications and for different farms.
The Layer 7 server persistency mechanism consists of two major blocks:
1.
2.
The packet parser: used to identify the persistency parameter in the traffic.AppDirector allows
searching for any Persistency Parameter within a packet in a text or binary format. AppDirector
searches for Session ID using the following:
Text Match Session ID Persistency: AppDirector searches for text strings within the
packet. The search can be for any Persistency Parameter anywhere in the packet.
Session IDs Management - manages the link between the persistency parameter values and
servers to which they apply. There are 2 options:
Static Session IDs. The user configures persistency parameter values attached to each
server farm and also has to configure a Text Match or Pattern Match entry that defines
where in the message to search for the statically configured persistency parameter.
Dynamically learned values. AppDirector learns persistency parameter values for farm
servers from the traffic passing through it and ensures future transactions with the same
persistency parameter value are sent to the same farm server. In this case, an aging
mechanism is employed to manage the lifetime of each persistency parameter value.
Hashing. Persistency is ensured by performing hash using the persistency parameter value
as input. No values are recorded. This method is especially useful in ensuring URL based
persistency for reverse proxy applications.
UDP protocols.
Session ID persistency is NOT available for dynamic protocols, e.g; FTP, TFTP.
252
Notes:
>> When using Session ID Persistency for UDP traffic, AppDirector inspects each packet
separately and selects the appropriate server.
>> The Cookie Persistency License allows AppDirector to search the HTTP headers for
Session ID Persistency. Without it, AppDirector inspects only the URI and no other HTTP
headers.
>> When DSID and Layer 7 Modifications are configured together (when applied to the
same request/response) , DISD parsing is performed first, then Layer 7 Modifications.
This means that when the modification changes the part in the header to which DISD is
referred, the DISD server selection and learning is performed according to the original
data, prior to the modifications.
General Flow
The general flow is as follows:
Parse Layer 7 data and find the session ID value in request.
1. If found, search the value in the internal session ID table (the internal table includes both
statically configured and dynamically learned values).
a.
b.
253
Parameter
Description
Farm Name
Layer 4 Protocol
Application Port
Lookup Mode
254
Parameter
Description
Lookup Mode
(continued)
In order to define a specific tag, you can concatenate tag names with
slash characters like writing a path (like using XPath).
Notes:
The Parameter Match value will only be allowed to be defined as
"prefix" because in XML the value is not the name itself.
Value offset can remain 0 and AppDirector will know to look for the
value after the closing ">" of the XML tag name.
Parameter Match
This defines if we learn the value that starts immediately after the end
of the Parameter Identifier (when the value is set to Exact) or after the
value that starts after the separator/s ( when the value is set to Prefix).
The separators can be white spaces and "=".
Note: This parameter does not appear when XML Tag Lookup Mode
is selected.
Values:
Exact (Default): Indicates that the configured Persistency
Parameter value must exactly match the received Persistency
Parameter value.
Prefix: Indicates that the configured value appears as a prefix
with possible additional characters following. When using this
mode, a separator can appear between the identifier and the value
in the packet. The separator can be: white space, =, :.
255
Parameter
Description
Value Offset
The offset where the Session ID value resides, within the value
following the Persistency Parameter name. Default is 0, meaning value
location is right after the Persistency Parameter name and value
separator.
Value Offset is used when the value of the Persistency Parameter is
composed of a dynamic value that changes during the session, followed
by a static value that identifies the session, so that AppDirector ignores
the dynamic prefix of the value for server persistency. For example, the
value is a timestamp followed by client ID, where persistency is based
on client ID only.
Default: 0
Stop Chars
Learning Direction
Inactivity Timeout
[sec]
256
Parameter
Description
Tip: Use this option when Static Session IDs are used.
Ignore Source IP
When this is set, only the Session ID info is used for persistency.
Sessions with the same session ID are always forwarded to the same
server.
Disabling this parameter, forces AppDirector to also use the source IP
where there is a session ID match. Two sessions with the same session
ID, but with a different source IP address can be forwarded to different
servers. This mode is relevant only for dynamic entries.
Default: Enabled.
257
Parameter
Description
Farm Name
Application Port
Layer 4 Protocol
Layer 4 protocol for which traffic is intercepted for Session IDs. Can be
Values: TCP (Default), UDP or other.
Pattern Mask
Mask for the search pattern, also defines length of the pattern
matched. This is a hexadecimal field.
Default: 0xffffffff, meaning a 4 bytes long pattern is used for an exact
match.
Maximum pattern length is 128 bits (16 octets).
Inactivity Timeout
Pattern Offset
Offset Relative To
Administrators can specify from which part of the packet the offset is
referring to.
The size of the Offset Relative To parameter, must be greater or equal
to the value of the Pattern Offset parameter plus the length
(determined by the Pattern Mask parameter).
Values: IP header (Default); IP data, Layer 4 header or Layer 4 data.
Ignore Source IP
Learning Direction
258
Parameter
Description
Persistency Method
Data Format
Parameter
Description
Farm Name
Session ID Value
Server Address
The server within the farm that is identified by the Session ID Value.
When AppDirector detects traffic that contains this Session ID Value, it
directs the traffic to the server specified in this parameter.
Server Port
Value Type
4. Click Set. The Static Session ID Persistency Create window closes and a new entry is created.
259
HTTP Persistency
AppDirector can support HTTP persistency according to any parameter by using the Session ID
mechanism. However the most popular persistency mechanism for HTTP is cookie persistency server inserts cookie that identifies it in the reply to client, and the client uses the cookie in all its
subsequent requests. AppDirector support several mechanisms for HTTP cookie persistency:
Cookie Learning
By learning the cookie from server initial reply, AppDirector can ensure that all subsequent requests
from that client reach the same server. For this purpose a Text Match Session ID entry that looks for
cookie key inserted by the server needs to be configured for the farm in question.
Cookie Insert
When servers do not insert cookies, AppDirector can insert a cookie that identifies the server used in
the server reply, before forwarding the reply to the client. To insert a cookie, AppDirector uses its
Layer 7 modification capabilities. When you set the Insert Cookie for HTTP Persistency to Enable for
the farm in question, AppDirector automatically generates the required configuration - see Layer 7
Modification Rules Automatic Configuration, page 244. This can also be manually defined.
Cookie Rewrite
When all servers insert the same cookie value, AppDirector can replace the cookie value that arrives
from the server with a value that enables identification of that server, (the Layer 7 modification
capability called Replace). The required configuration includes:
Set Cookie Layer 7 method that identifies the cookie inserted by server
Set Cookie Layer 7 method that defines the cookie cookie value that should replace the server
inserted value on the reply
Text Match Session ID entry that searches for cookie values inserted by server in subsequent
requests
Static Session ID entries that map the cookie value inserted for each server to that server.
Note: For Cookie / Insert Rewrite, you need the Cookie Persistency License.
URL Hash
When load balancing reverse proxies it is required to maintain persistency for the URL, and
particularly include the object, so that objects are not duplicated between the reverse cache servers.
In cases were huge numbers of objects exist persistency can be ensured by hashing mechanism.
260
Note: This mechanism can be used to ensure persistency via hashing mechanism using any
HTTP persistency parameter, not only URL.
SSL Persistency
SSL ID Tracking ensures that all TCP sessions of a SSL session are forwarded to the same server.
When SSL ID Tracking is enabled, AppDirector uses Delayed Binding, and waits to receive the packet
with the SSL ID before choosing a server.
If the SSL ID is found in the internal Session IDs table, traffic is forwarded to the specified server, if
not the SSL ID value is learned (added to the internal Session IDs table). The SSL ID Session ID
entries are aged according to the aging of corresponding entries in the Client Table. The Client Table
is used to maintain the session data.
SSL ID tracking can only be enabled on a farm whose Sessions Mode is set to Server Per Session. By
default, SSL Tracking is disabled. For farms that use the Server Per Sessions Mode where the SSL ID
Tracking parameter is disabled, AppDirector automatically uses the Entry Per Sessions Mode for the
SSL traffic (port 443). Other traffic is shown in the Client Table using the Server Per Sessions Mode.
Notes:
>> SSL ID cannot be learnt for servers of type Local Triangulation.
>> SSL Session IDs are mirrored as they are kept in the Session ID table.
SIP Persistency
AppDirector also enables you to load balance and maintain client-server persistency for SIP servers.
Persistency of SIP over UDP sessions is maintained by searching for Layer 7 information, like CallID, within SIP headers. Administrators can use one or both of the following methods to maintain
client - server persistency:
1. Using Hashing as a dispatch method: AppDirector searches either the Call-ID header or the
Request-URL header in the SIP (Hash Parameter for SIP) and selects one available server
based on a hashing algorithm performed on the specified parameter.
By using Dispatch Method hashing on Request-URI, while simultaneously tracking Call-ID via
dynamic leaning mechanism, AppDirector provides persistency for multi-party calls and
conference calls.
2. Using Dynamic Session IDs: AppDirector maintains persistency based on any field within the
SIP header (for example, branch tag). When using the Dynamic Session ID for persistency, it is
recommended to use an inactivity timeout longer than the call's expected duration.
To provide easy SIP persistency configuration when a Layer 4 policy is defined with Application
set to SIP (Layer 4 protocol must be UDP), AppDirector automatically creates a Layer 7 Server
Persistency Text Match entry looking for SIP Call-ID for all the farms connected to this Layer 4
policy.
261
RADIUS Persistency
AppDirector supports server persistency for RADIUS traffic using the RADIUS attribute values to
maintain persistency in other application sessions (e.g. HTTP) using the following mechanisms:
RADIUS Attribute
The RADIUS attribute is required to maintain persistency for either RADIUS sessions as well as other
application sessions (e.g. HTTP).
Remote Authentication Dial-In User Server (RADIUS) attributes are used to define specific
authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on
the RADIUS daemon.
Administrators can use one of the following methods to maintain client server persistency for
RADIUS using RADIUS Attribute value.
You can configure the RADIUS Attribute parameter at the farm configuration with the required
RADIUS Attribute value. A Text Match Session ID persistency with Hash Persistency Method rule will
be automatically generated.
RADIUS attributes are used to define specific authentication, authorization, and accounting (AAA)
elements in a user profile, which is stored on the RADIUS daemon. You can configure the RADIUS
Attribute parameter at the farm configuration with the required RADIUS Attribute value. The default
is 0, indicating that AppDirector will not look for RADIUS attributes in order to maintain persistency.
In order to maintain persistency for RADIUS traffic (UDP ports 1812, 1813, 1645, 1646 or Layer 4
Policy Application parameter set to RADIUS), AppDirector searches the attribute within the RADIUS
packets & learns its value for the following requests. The learnt values may be used in order to
maintain persistency for other applications (e.g. HTTP).
Persistency can be maintained on any Dispatch Method, but when using Hashing, (page 178), the
behavior is different although persistency is still preserved:
in case the hash function selects a server which is not available, another server will be selected
and the selection will be recorded in the Layer 7 Server Persistency Table (the reason for this is
the natural server selection has to be overridden) You should set the Session ID Table size as
necessary.
262
Notes:
>> Configuring the RADIUS Proxy Support parameter overrides persistency according to the
defined RADIUS Attribute in the farm.
>> To work with RADIUS, you must first enable UDP tracking.
This behavior can be defined per farm using the RADIUS Proxy Support parameter. When set to 0,
the capability is disabled. To enable the capability, define the number of the RADIUS attribute that
contains the persistency value.
Parameter
Description
Persistency Identifier
matches
Successfully parsed
Dynamic SID values
Number of times that Session ID value was learned from the Servers
request.
Default: 0
Number of times that Session ID value was learned from the client's
request.
Default: 0
263
To maintain client-server persistency in an AppDirector farm, AppDirector uses the Client Table. This
monitors which clients are connected to which servers for each Local Farm. When a client first
approaches a farm, AppDirector checks whether there is an existing client entry in the Client Table:
If the appropriate entry is found, the client is directed to the server that appears in the Client
Table. In that case, there is no need to make a load balancing decision.
If an entry does not exist, a farm is selected according to the service requested. A server is then
selected according to load balancing considerations defined by the Dispatch Method or according
to the Layer 7 Persistency information, where applicable. An entry is then added to the Client
Table, indicating which server was selected.
Once an entry is created in the Client Table, all subsequent packets that arrive from the client to a
farm are forwarded to the server indicated in the Client Table entry. The traffic in the opposite
direction, from the server to the client, is sent using the Virtual IP address with which the requested
service is associated. This VIP address is used as the Source IP address of the outgoing traffic, which
is also reflected in the Client Table entry.
The Client Table also provides information about the way a client is sent to the server; for example,
whether the selected server is a local server, whether the server is on a separate site, or if Port
Multiplexing is used. Here is an example of a Client Table:
Source
Address
Source Port
Requested
Address
Requested
Port
Farm Name
Server
Address
Server Port
100.1.1.1
1062
100.1.1.100
80
Farm A
10.1.1.2
8080
100.1.1.2
1011
100.1.1.100
80
Farm B
10.1.1.2
8080
100.1.1.3
1079
100.1.1.100
80
Farm C
10.1.1.1
8080
2.
Now you can view the Client Table information using various view options.
Static Client: clients that are always assigned to the same server within the farm.
Dynamic Client: Dynamic clients are forwarded to a server that is available during the
connection establishment process. AppDirector selects the best available server according to the
load balancing definitions, as configured in the Dispatch Method or according to persistency.
264
NAT: NAT entries in the Client Table are created for sessions initiated by the servers when
Server Network Address Translation (NAT) is used. NAT is used in this case to translate the
servers IP address to the Virtual IP address that is used to access the farm.
Note: When the server is disabled, the Client Table entries belonging to that server remain
active to allow NAT for outgoing sessions originating from the server. Only when the
server is removed are its sessions deleted from the Client Table.
Client NAT: Client NAT entries are created for sessions in which Client NAT is used. Using the
Client NAT capability, AppDirector hides the IP addresses of the clients from the servers. The
original Source IP of a request is replaced by AppDirector with the configured NAT IP and port
before forwarding the request to the server.
The Client NAT feature is used when, for example, the client and the server are on the same
subnet, so that the client IP address must be hidden. If not, servers may send replies directly to
clients, instead of sending them through AppDirector.
Outbound NAT: Outbound NAT client entries are created for sessions in which the Outbound
NAT capability is used. The Outbound NAT capability allows AppDirector to hide servers or other
local hosts when sending traffic through AppDirector. Using the Outbound NAT capability,
AppDirector replaces the original Source IP of a packet that is routed or bridged by AppDirector
with the configured NAT IP before forwarding the request. It also replaces the Source port.
Note: If a client is configured to statically use a specific server in a farm and the server is
down, AppDirector does not select a new server. Also see Application/Farm Servers,
page 172.
Parameter
Description
Client Address
Farm Name
Status
265
Parameter
Description
Client Type
Server Address
Server Port
4.
Parameter
Description
Client Address
Client Port
Requested Address
Requested Port
Server Address
266
Parameter
Description
Index
Status
Source IP From/To
Destination port number for that protocol. For example, for HTTP, the
protocol can be configured as TCP and the destination port as 80. The
port configuration can also allow for a range of ports to be configured.
Default: 0
Farm Name
Server IP
Client Type
267
Parameter
Description
Action
VLANTag
4.
Note: The Reset Client on Server Failure cannot be activated for farms with the Sessions Mode
set to Regular.
268
Client
Server 1
VIP Address
100.1.1.100
100.1.1.
Server 2
Note: Definitions of Sessions Modes per farm can be overwritten using global parameters.
Note: When a client sends HTTPS requests, it will work in Entry Per Sessions Mode regardless
of the Sessions Mode selected by the user.
The Entry Per Sessions Mode identifies an entry by the following parameters:
Farm Name
VIP Address
Client IP Address
Server IP Address
If, the client approaches the AppDirector Virtual IP address through HTTP, then for this client
AppDirector selects Server 1 with a 10.1.1.1 IP address. In this case, the Client Table entry looks as
follows:
1234
Requested
Address
100.1.1.100
Requested
Port
80
Farm Name
Farm 1
Server IP
Address
10.1.1.1
Source Port
1234
While active, this entry instructs AppDirector to perform the following tasks:
Request for service: All packets from client 100.1.1.1 go to port 1234 VIP address 100.1.1.100
and Destination port 80 and are forwarded to Server 10.1.1.1.
Response: All packets from Server 10.1.1.1 to client 100.1.1.1 with Source port 80 and
Destination port 1234 are sent from AppDirector using Source address 100.1.1.100.
269
Note: An entrys age is reset only when AppDirector receives a new packet from the specific
session, which is already reflected in the Client Table.
Once a Client Table entry is established between the client and the server, all subsequent packets
that match this entry are forwarded to the same server. Moreover, as long as there is an open
session between the client IP and the VIP, all subsequent sessions from that client IP to that VIP and
Destination Port are sent to the same server, even when different sessions (different Source ports)
use different Client Table entries.
Note: Once an entry is made from a client to a server within a farm, the client continues to
approach the same server, regardless of application (provided the same farm is used).
Since a new table entry is made into the Client Table for every new session, the Client Table has
many entries. You can increase the Client Table to accept more entries based on the amount of RAM
available on the AppDirector unit (see Client Table Settings Tuning, page 65).
Note: The size of the Layer 3 Client Table can be configured and is defined as a percentage of
the Client Table size (see Client Table Settings Tuning, page 65).
270
Regular Mode
In Regular mode, AppDirector maintains Layer 3 persistency. In this mode, each entry is identified
by the following parameters:
Client IP Address
If, the client approaches the AppDirector Virtual IP address through HTTP, then for this client
AppDirector selects Server 1 with 10.1.1.1 IP address. Here, the Client Table entry looks as follows:
Source IP
Address
Source Port
Requested
Address
Requested
Port
Farm Name
Server IP
Address
100.1.1.1
100.1.1.100
80
Farm 1
10.1.1.1
While active, this entry instructs AppDirector to perform the following tasks:
Request for service: All packets from client 100.1.1.1 to farm associated with VIP 100.1.1.100
and with Destination port 80 are forwarded to server 10.1.1.1.
Response: All packets from server 10.1.1.1 to client 100.1.1.1 with Source port 80 are sent from
AppDirector using Source address 100.1.1.100.
Parameter
Description
Disable (default)
Note: This option provides a more accurate minimum-user load
balancing, but may hinder some applications that depend on the
same server. It also may overload AppDirector`s internal tables.
This option overrides the New Entry On Source Port option.
271
Note: Open New Entry When Source Port Different and Select New Server When
Source Port Different can override the per farm configuration if set to Enable. You
can also configure both under each farm. However, if you enable them in the global
configuration it will override what has been configured in a farm.
3.
Parameter
Description
Interval (in seconds) for sending dynamic updates of the local load to
other AppDirector's devices that are served by this AppDirector. Also
see Configuring Local Report Protocol, page 303.
Entry Per Session - the Open New Entry When Source Port Different parameter.
Server Per Session - the Select New Server When Source Port Different parameter.
The difference between individual farm and global configuration is that global configuration applies
to all the farms on AppDirector, and can override the configuration of the individual farm.
By default, global parameters are disabled, meaning that all the farms are in the Entry Per Sessions
Mode, unless a different mode was defined during the farm configuration process.
Enabling the Open New Entry When Source Port Different parameter automatically sets all
AppDirector farms to Entry Per Sessions Mode, except for the farms where Server Per Sessions
Mode is already defined.
Enabling the Select New Server When Source Port Different parameter automatically sets all
AppDirector farms to Server Per Sessions Mode.
Tip: Radware recommends disabling the Open New Entry When Source Port Different parameter
and the Select New Server When Source Port Different parameter before setting Sessions
modes for individual farms.
The table below shows the relationship between farm settings and global settings. The top row
shows Farm Modes and the left column shows Global Parameters. The value within each table cell
represents the effective AppDirector behavior when the global setting is the value on the left and the
farm level setting is as above.
Global Parameters
Farm Parameters
Regular
Regular
Regular
272
By VIP Address
By Client IP Address
In Figure 11 - Typical AppDirector Application, page 269, the client opens six sessions to the
AppDirector virtual address of 100.1.1.100 to retrieve a Web page, with all sessions destined to port
80. As the table shows, both servers 10.1.1.1 and 10.1.1.2 are being used for client 100.1.1.1.
Source IP
Address
Source Port
Requested
Address
Requested
Port
Farm Name
Server IP
Address
100.1.1.1
1234
100.1.1.100
80
Farm 1
10.1.1.1
100.1.1.1
1235
100.1.1.100
80
Farm 1
10.1.1.2
100.1.1.1
1236
100.1.1.100
80
Farm 1
10.1.1.1
100.1.1.1
1237
100.1.1.100
80
Farm 1
10.1.1.2
100.1.1.1
1238
100.1.1.100
80
Farm 1
10.1.1.1
100.1.1.1
1239
100.1.1.100
80
Farm 1
10.1.1.2
Note: The Server Per Sessions Mode is similar to the Entry Per Sessions Mode, as new entries
are added in the Client Table for new sessions. The difference is that the sessions from
the same client can be forwarded to different servers. As in the Entry Per Sessions
Mode, the considerations of the Client Table size should be taken into account.
Note: If UDP Session Tracking is disabled, each UDP server can participate in only one farm.
273
AppDirector marks the entry for deletion from the Client Table when it detects a RST or FIN
packet between server and client, as the RST/FIN packets indicate that the session is closed.
For SIP/UDP traffic, AppDirector checks the SIP messages for the BYE command and applies the
rapid Client Table entry aging mechanism when such a command is detected.
AppDirector marks the entry for deletion from the Client Table when it detects a RST or FIN
packet between server and client, as the RST/FIN packets indicate that the session is closed.
Network Address Translation (NAT) is the translation of an IP address used within one network to a
different IP address known within another network. One network is usually the inside network and
the other is the outside. NAT hides the Source IP address. AppDirector uses these NATs..
Parameter
Description
Client NAT
Server NAT
Outbound NAT
274
Client NAT
Using the Client NAT parameter, you can enable the Client NAT capability for the given farm server.
Using Client NAT for a server means that AppDirector hides the Source IP addresses of clients that
access the server in the farm. For more information on Client NAT capability,.
Note: Client NAT cannot be used for UDP sessions when UDP Session Tracking is disabled, as
UDP sessions are not inserted into the Client Table.
Client NAT enables AppDirector to hide client IP addresses when forwarding traffic to servers in
farms. During this process, AppDirector uses Dynamic NAT to replace the original Source IP of a
request with a predefined NAT IP address and dynamically selected ports, before forwarding the
request to the server.
Once the Client NAT feature is enabled on AppDirector, you can start configuring the Client NAT
parameters.
First, you need to specify the ranges of the Source IP addresses in the incoming traffic that you
want to NAT. This is done in the Client NAT Intercept Addresses table. This table defines clients
whose source addresses are NATed.
Next, you need to configure the IP addresses that AppDirector uses to translate the Source IP
addresses of clients' requests. These are configured in the Client NAT Address table. This table
defines the addresses that are used to perform NAT. The NAT addresses are also configured in
ranges. The maximum number of configurable NAT addresses depends on the tuning value of
the NAT Addresses table parameters, (see NAT Settings Tuning, page 65). For each farm, you
can select a single NAT address range and for each server in the farm, you need to enable the
Client NAT capability and optionally, select NAT addresses.
AppDirector allows you to configure different NAT address ranges for different servers in the farm.
When no NAT address range is configured for the server, AppDirector uses the NAT address range
configured for the farm.
When a client with an IP address within one of the Client NAT Intercepted address ranges
approaches a farm, a server is selected. If the Client NAT parameter is Enabled in the selected
servers configuration, AppDirector NATs the client's IP address and port using the configured NAT
address range for the server or for the farm. When the reply from the server reaches AppDirector, it
replaces the NAT address and port with the original client address and port, before forwarding the
reply to the client.
275
Notes:
>> When no NAT addresses are configured, no Client NAT is performed.
>> You can use the Client NAT capability only for Regular Servers, and not for Remote
Servers, Distributed AppDirectors, Local Farm, or Loopback Servers. If Client NAT is
required for a Remote Server, you need to configure this server as a Local Server in the
farm, with Client NAT enabled. This ensures that traffic is forwarded to that server rather
than redirected.
>> When Client NAT is used in a farm where the Sessions mode is set to Regular,
AppDirector uses the Entry Per Sessions Mode for the Client NAT sessions.
>> In a redundant AppDirector scenario, the same NAT Addresses and Client NAT intercept
addresses must be configured on both AppDirector devices.
From the AppDirector menu, select NAT > Client NAT > Global Parameters. The Client NAT
Global Parameters window appears,.
Parameter
Description
Client NAT
Enable/ Disable.
Client NAT hides client IP addresses approaching AppDirector farms, to
solve routing issues. Both client IP and port are changed using Client
NAT.
2.
3.
Note: When no Client NAT Address Range is selected for a farm, AppDirector uses one of the
farms configured Client NAT Address Range when performing Client NAT for servers in
this farm.
276
Parameter
Description
From IP Address
To IP Address
Note: To set the parameters of the Client NAT Intercept Addresses Table window, you must
initially enable Client NAT.
Parameter
Description
From Client IP
To Client IP
277
From the AppDirector menu select NAT. The NAT Settings window appears.
2.
Click the Client NAT Quick Setup button below. The Client NAT Quick Setup window appears.
3.
Parameter
Description
To IP Address
4.
List all farms defined in the system. Each farm should have an accompanying check-box marked
to select it.
5.
Notes:
>> Once you have set the paramaters and at least one NAT range was allocated,
AppDirector will check that there is at least one Intercept range configured, if not, it will
automatically configure a 0.0.0.0 to 255.255.255.255 range
>> If you want to fine tune the ranges, you can do this through Client NAT Addresses,
page 276.
Insert X-Forwarded-For
In many cases it is important for the server that provides a service to know the identity of the client;
for example, for billing. When using Client NAT, the source IP address is replaced by the NAT
address, so that the server cannot know the identity of the original client. To solve this problem
AppDirector can insert an X-Forwarded-For header with the identity of the original client in the traffic
forwarded to server.
To activate this capability in AppDirector, enable the Add X-Forwarded-For in HTTP request
parameters in the farm configuration. Once activated, the following Layer 7 modification rule is
automatically generated for the farm:
Parameter
Description
Index
Name
Auto-G <Farm-Name>
Action
Insert
278
Parameter
Description
Direction
Client Requests
(empty)
Parameter
Description
Name
Method
Header Field
Header Field
X-Forwarded-For
Token
$Client_IP
Server NAT
Server NAT allows AppDirector to hide the servers IP address for outbound traffic in sessions
initiated by servers. Server NAT uses StaticNAT, which means that only the IP address is changed
without port translation. Server NAT is used for servers positioned behind AppDirector.
When a session is initiated by a server, the servers request for service is sent using its IP address as
the source address. If the servers IP address is a private IP address, the servers address must be
translated to a public IP address. This ensures proper routing of the reply back across the Internet
to the NATing device and back to the server. To enable servers with private IP addresses to initiate
sessions out of their private network, you can use the Server NAT feature. When enabled, the
servers IP is translated to the Layer 4 Policys VIP and a new entry is added to the Client Table.
Sessions originating from servers are tracked in the Client Table and tagged with a NAT tag to
differentiate this traffic from other regular inbound client traffic.
Notes:
>> Server NAT sessions always use the Entry Per Sessions Mode.
>> When Server NAT is disabled, AppDirector forwards traffic with the servers original
source address. No address translation is done, and no entries are added to the Client
Table.
>> When Server NAT is enabled, you can define the Use Specific NAT Address parameters
for all server NAT sessions. When the default of the Use Specific NAT Address
parameters is 0.0.0.0, AppDirector selects the address according to the VIP of the Layer
4 Policy that is associated with the farm in which the server is included.
>> If no servers are defined, you can define an "empty" farm, associate this farm with a
Layer 4 Policy, and use its VIP address as the specific NAT address.
>> If the traffic is received from a server with Not In Service status, the traffic is handled
according to the definitions of the When Server Is Not-In-Service parameters.
>> When a server participates in multiple farms, outgoing server sessions are translated to
the VIP address of the first found Layer 4 Policy associated with the farm in which this
server is included.
>> Use of a specific server NAT address impacts the NAT address used for all servers.
>> When mirroring is used, server NAT entries are not mirrored.
This figure shows how the servers Source IP is replaced with the Layer 4 Policys VIP.
279
Figure 12: Replacing the Server Source IP with Layer 4 Policy VIP
Internet
Router
Source IP
100.1.1.20
10.1.1.100
AppDirector
VIP 10.1.1.100
Source IP 10.1.1.1
10.1.1.1
10.1.1.2
10.1.1.3
Servers
From the AppDirector menu, select NAT > Server NAT > Global Parameters. The Server
NAT window appears.
2.
Parameter
Description
Server NAT
Enable or Disable (Default) the Server NAT feature. Server NAT hides
IP addresses of messages sent from the server.
You can choose a farm address to be used as a NAT address for all
servers in all the farms, when required.
Remove at Session
End
Whether to delete session entry from the session table at the session
end. if not - the entries will be deleted by aging.
Values: Disabled (default),enabled
3.
280
Parameter
Description
Example
Using the Outbound NAT configuration we want to support static and dynamic NAT using VIP and
non-VIP addresses per intercept range.
You can work with dynamic NAT only using VIP and non-VIP addresses.
For this you need the following:
1. Add NAT type to your Outbound NAT Intercept configuration. The values are Dynamic (default)
and Static.
2. When the Outbound NAT address is VIP
a.
b.
NAT is not performed for intercept addresses that are not servers managed by AppDirector.
When NAT type is Static - perform static NAT (server NAT). In this case the Server NAT
global settings (for VIP not in service and VLAN) are relevant.
281
4.
First configure an Outbound NAT address that represents "regular" Server NAT behavior (the
first VIP configured attached to the transmitting server is used) - for example 255.255.255.255
or 0.0.0.0.
5.
If your Server NAT is enabled and the specific VIP is 0.0.0.0 then for all servers you need to
configure the special IP as an Outbound NAT
If your Server NAT is enabled and a specific VIP is configured then for all the servers that
you need to configure, set this IP as an Outbound NAT.
Non-VIP Dynamic NAT - like traditional Outbound NAT, the NAT Type field is set to Dynamic
(default).
appdirector nat outbound address-range
From IP Address
192.10.10.1
To IP Address (-t )
192.10.10.2
2.2.2.1
To IP (-t )
2.2.2.254
Dynamic
Note: In AppDirector 2.x versions, the NAT Type parameter will be in the Outbound NAT range
and not in the intercepted range.
282
192.10.10.1
To IP Address (-t )
192.10.10.10
2.2.2.1
To IP (-t )
2.2.2.10
192.10.10.1
Static
Notes:
>> The intercept range and NAT address range must be equal in size - otherwise error: "The
NAT addresses range must be equal in size to the intercepted addresses range" will be
displayed.
>> In AppDirector 2.x versions, the NAT Type parameter will be in the Outbound NAT range
and not in the intercepted range
3. VIP Dynamic NAT
appdirector nat outbound address-range
From IP Address
192.10.10.1
To IP Address (-t )
192.10.10.1
2.2.2.1
To IP (-t )
2.2.2.10
192.10.10.1
Dynamic
Notes:
>> If the NAT address range includes VIP, the range size must be 1.
>> In AppDirector 2.x versions, the NAT Type parameter will be in the Outbound NAT range
and not in the intercepted range.
283
192.10.10.1
To IP Address (-t )
192.10.10.1
2.2.2.1
To IP (-t )
2.2.2.10
192.10.10.1
Static
Notes:
>> In AppDirector 2.x versions, the NAT Type parameter will be in the Outbound NAT range
and not in the intercepted range.
>> Traffic from server X will always be NATted using the same VIP (configured in the
Outbound Intercept NAT entry that includes server X in the intercept range), regardless
of the protocol/port used.
>> You cannot configure more than one VIP to the same range of servers.
The Outbound NAT Ports per Address tuning parameter must be set to at least 15,000 because this
requires that NAT ports over 10,000 will be used to minimize the possibility of conflict with inbound
sessions. The availability of each port will be checked before it is used for Outbound NAT.
Outbound NAT
Outbound NAT enables AppDirector to hide various network elements located behind AppDirector.
Using this feature, AppDirector implements Dynamic NAT, which replaces the original Source IP and
source port of a packet that is routed or bridged with the configured NAT IP, before forwarding the
request.
Note: Outbound NAT entries in the Client Table always use the Entry Per Sessions Mode.
284
AppDirector
2 Return
1 Request
Port 8888
Port 8888
Internet
Network
Elements
10.1.1.11
10.1.1.12
10.1.1.1
The AppDirector Outbound NAT operation (as shown here) proceeds as follows:
1. A network element located behind AppDirector sends a request for service to an IP. The request
is intercepted by AppDirector, which replaces the intercepted source address 10.1.1.11 and port
7777 with the Outbound NAT address 100.1.1.100 and port 8888.
2. AppDirector receives the reply packet, replaces the destination address 100.1.1.100 and port
8888 with the elements original address 10.1.1.11 and port 7777, and returns it to the
originating network element.
285
From the AppDirector menu, select NAT > Outbound NAT > Global Parameters. The
Outbound NAT Global Parameters window appears
2.
Parameter
Description
Outbound NAT
Enable/ Disable(Default):
Outbound NAT hides the IP addresses of clients approaching
AppDirector farms, to solve routing issues. Both client IP and port are
changed in the process of Client NAT.
3.
4.
From the Services menu select Tuning > Device. The Device Tuning window appears.
2.
Set the Outbound NAT Addresses After Reset and Outbound NAT Intercept Ranges After Reset
parameters to the required number of entries.
3.
Click Set.
From the AppDirector menu, select NAT > Outbound NAT > NAT Addresses. The Outbound
NAT Address Table window appears.
2.
Click Create. The Outbound NAT Address Table Create window appears.
3.
286
Parameter
Description
From IP Address
To IP Address
Redundancy Mode
Segment Name
Segment providing the traffic that arrives from the configured segment.
NAT Mode
Note: When an Outbound NAT Intercept Range includes servers managed by AppDirector,
Outbound NAT is performed for traffic from the servers even if Server NAT is enabled.
Parameter
Description
Intercept From IP
To IP
Aging Time
Period of idle time after which the Client Table entries associated with this
range are removed. Aging Time for Outbound NAT entries is determined
according to the aging time set by the user in the Outbound NAT
Intercept table.
Default: 60 seconds.
287
Parameter
Description
Outbound NAT
Addresses
Remove Entry at
Session End
Whether to delete session entry from the session table at the session
end. If not - the entries will be deleted by aging.
Values: Disabled (default)/Enabled
4.
2.10.10.10
To IP Address (-t )
2.10.10.10
2.2.2.1
To IP (-t )
2.2.2.10
2.10.10.10
Static
Notes:
>> 2.2.2.1-2.2.2.10 is the range of the servers needs to use NAT.
>> 2.10.10.10 is a VIP on the device.
>> When a server from this range sends outbound traffic, NAT will be used, regardless of
the port\protocol of the server.
>> You cannot configure more than one VIP for the same range of servers.
>> Since we use high ports, you must configure more than 15,000 ports for the tuning of
outbound NAT.
288
Parameter
Description
When enabled, different sessions from the same client to the same
destination are counted separately, but all use the same firewall.
Enabling this option can produce finer load balancing and ensure that all
sessions from the same client to the same server use the same firewall.
When disabled, all the sessions of one application are considered a
single session, to enable better performance.
Interval (in seconds) for sending dynamic updates of local load to other
AppDirectors served by this AppDirector.
The time (in seconds) this device will wait to receive load reports from a
remote device. After this timeout, the remote device is not considered
to be responding.
According to the number of retries configured in the farm, the remote
AppDirector becomes inactive, similar to the connectivity checks of
regular servers.
289
Tweaks
The AppDirector Global Parameters Tweaks window allows you to further refine your advanced
system level settings including the enabling and disabling of the Acceleration Engine.
From the AppDirector menu, select Global > Tweaks. The Tweaks window appears.
2.
Parameter
Description
Sets the grouping mask for clients. This IP mask defines a group of
clients for which the same farm server should be selected.
E.g. 255.255.255.255
UDP Sessions Tracking Whether UDP sessions are recorded in the Client Table.
Values: Enable (default)/ Disable.
One Trap
User Configured
Timeout After TCP
Failure
Extended LRP Security When the Triangulation redirection method is used (see Global
Triangulation Redirection, page 324), the Triangulation VIP address
must be on the same subnet as the Virtual IP address, for security
reasons.
To ensure that the Triangulation VIP address configured for a farm is on
the same subnet as that farm, the Extended LRP Security option must
be enabled.
Session ID Sharing
290
Parameter
Description
DSID reply Learning in When using a DSID policy, this option causes the device to inspect each
'First' mode
reply of each transaction, on the same session, even if Layer 7
Persistent Switching Mode is set to FIRST.
AppDirector inspects the first request in each TCP connection, selects a
server, and forwards the request. During the rest of the TCP
connection, AppDirector forwards all further requests to that server.
If you need to learn from each response, you should configure one of
the 'complete' Persistent Layer 7 Switching modes (Overwrite or
Maintain).
Inspect first reply disabled (default)
Inspect all server replies provides backwards compatibility with
previous AppDirector versions.
Note: DSID is HTTP dependent and cannot be used with GenericSSL offloading selected in the Layer 4 Policy Application,
therefore Inspect First (disabled) is used. See Layer 4
Policies, page 183.
Outbound SIP Session Outbound SIP sessions must use Server NAT to hide the server IP
Support
address behind the service IP (VIP).
To return the session reply to the initiating server, AppDirector must
use a Call-ID persistency mechanism.
Values: Disabled (default), Enabled
Note: Support for Outbound SIP sessions has a performance
impact. Therefore, this feature is activated by flagging the
Outbound SIP only when required (disabled by default). Also
see Outbound SIP Sessions, page 406
When Outbound SIP traffic must be supported:
Servers from the sent outbound traffic can only belong to farms
attached to a SIP Layer 4 policy. This ensures that a SIP service
VIP is used as Server NAT.
If Layer 7 load balancing is used (for inbound SIP Layer 4 policies),
DSID must be enabled for all farms belonging to this Layer 7
policy.
SIP Aging on Session
End
Aging time for SIP dynamic SID entries and SIP client entries as a
result of the SIP session end, measured in seconds.
291
Parameter
Description
Acceleration Engine
(requires reboot)
Enhanced Acceleration
Disable
Standard Acceleration
Outbound Inquiries
Time-Out
3.
Note: Status changes including enabling/disabling the acceleration engine are not exported to
the configuration file when the device configuration is saved. When copying
configurations between AppDirector devices, ensure that their statuses are aligned
before importing a configuration.
292
IP Traffic Management
The global IP traffic management solution is intended for companies with server sites in multiple
locations. Distribution of server sites at different locations ensures high availability while maintaining
multiple level redundancy. If there is damage to a single server, farm, or site, business continuity is
maintained since switching from one server site to another is transparent to the users.
Globalization of business requires global server sites that ensure availability and efficiency over
great geographical distances. Organizations can increase productivity through resource sharing
among different branches placed in various locations.
For example, in a company, that has multiple data centers located all over the world, each data
center may act as an independent business unit. Global traffic management leads to better
administration and provides all employees, business partners and customers with critical resources,
24/7 availability, and optimal content delivery.
This figure illustrates an example of a global load balancing scheme.
New York
London
AppDirector provides site optimization and availability over geographic distances in a way that is
entirely transparent to the user. Various corporate resources are treated as a single entity. The
entire corporate data resource can be represented by a single logical address that corresponds to
entities at multiple physical locations.
293
Transactional Flow
Before considering a global solution it is essential to understand the flow of transactions over the
web and the challenges posed when multiple sites are used.
DNS resolution. To access Internet services the first basic step regardless of the application is
host name resolution; finding the IP address for the service name, using the DNS (Domain
Name System) protocol.
Application Transaction. Once the client receives the IP address of the target host name the
application transaction starts. A common client transaction involves multiple steps and often
multiple TCP connections. During the transaction a client may perform name resolution a few
times, work behind proxies or experience disconnections and resets. Therefore, the IP address
of the client may not be consistent.
AppDirector Global solution follows the transaction flow to provide availability and continuity
throughout the entire transaction life:
DNS Redirection - AppDirector functions as authoritative domain name server for the services
it load balances. When an AppDirector device receives a DNS A record query it selects the best
site for the service and answers with that site VIP.
During the transaction life, the site selected by the DNS redirection mechanism becomes
unavailable or overloaded.
During an HTTP transaction life, a new TCP connection arrives at a different site than the
one where the transaction started.
AppDirector supports specific protocol redirection mechanisms (HTTP/S, RTSP and SIP) and generic
mechanisms (Proxy and Radware patented Global Triangulation).
Site Selection
AppDirector selects the best site based on availability, load and network proximity.
Load & Availability. Any AppDirector with site selection privileges must know the condition of
every other site to make the appropriate decisions, based on the real-time dynamic load. This is
achieved via Radware proprietary protocol called LRP (Load Report Protocol).
Proximity. Network proximity indicates the network distance or time distance between a user
and a data resource. For example, if a user is geographically closer to the New York site than to
the Chicago site, yet can access the Chicago site faster when the network path to the New York
site is overloaded. To measure network proximity AppDirector devices perform proximity checks
to the client subnet. In addition any AppDirector with site selection privileges must know the
network proximity of the client to every other site to make the appropriate decisions. This is
achieved via Radware proprietary protocol called PRP (Proximity Report Protocol).
Caution: All devices in a Global configuration must run the same software version to ensure
that LRP and PRP algorithms can run between the sites.
All local servers are inactive, either operationally or administratively (disabled or in backup
mode).
294
Functionality
AppDirector
AppDirector Global
Regular
Regular
Local Triangulation
Local Triangulation
Local Farm
Local Farm
Remote Server
Local AppDirector
Distributed AppDirector
LRP
Send
PRP
No
Yes
Yes
Yes
Yes
Yes
Cookie Persistency
Yes*
Yes*
295
Server
Server
Distributed devices:
AppDirector/AppDirector-Global
Remote
Server
Main device:
AppDirector-Global
Server
Server
Server
Configure provided services as for local load balancing (farms including local servers, Layer 4
policies, host names, etc.)
In order to preserve global persistency for HTTP traffic under any circumstance, it is
recommended to activate Insert cookie for HTTP Persistency. See HTTP Persistency in Global
Environments for more details.
Configure an LRP entry for each combination of a farm that is part of a distributed service and a
site with distribution privileges.
Configure the proximity checks that you want the device to perform.
On a device with site selection privileges (must be AppDirector Global) you need to:
Define a farm for each distributed service. Each farm includes local servers plus Distributed
AppDirector servers for all distributed sites (the server address is the VIP address of the service
on the distributed AppDirector or a public NAT address of that VIP) and/or remote servers.
Note: If a distributed site is connected via multiple WAN links (multi-homing), it appears in the
distributing site farm as multiple servers - one for each WAN link (each server address is
the public NAT address for the distributed site VIP via a different WAN link).
In order to preserve global persistency for HTTP traffic under any circumstance, it is
recommended to activate Insert cookie for HTTP Persistency. See HTTP Persistency in Global
Environments for more details.
Configure the rest of the service configuration as for local load balancing (Layer 4 policies, host
names, etc.)
296
Note: To ensure that the inter-site proprietary data exchange protocols work properly, the
devices in all sites must run the same version.
Caution: All devices in a Global configuration must run the same software version to ensure
that LRP and PRP algorithms can run between the sites.
Proximity
This section provides information about the methods AppDirector uses to measure proximity to
redirect traffic and includes the following topics:
AppDirector-Global maintains two proximity databases that hold information about a specific subnet
of IP addresses and lists the best three servers for this range. The servers are presented in the list
according to proximity considerations, the closest server appearing first. The server is either a
Virtual IP address on a Distributed AppDirector device (bound to a cluster of physical servers) or a
standalone remote server. If the top priority server is unavailable or loaded, AppDirector-Global
sends clients to the next best server/site. If multiple application instances (farm servers) are defined
on the top priority server, AppDirector-Global distributes the clients between the instances in a
weighted cyclic manner. The following databases are kept:
297
Proximity Parameters
Before you configure proximity checks, you need to set up the Proximity Parameters.
From the AppDirector menu, select Proximity > Parameters > General. The Proximity
Parameters window appears.
2.
Parameter
Description
Proximity Mode
Proximity Aging
Period
Hops Weight
Latency Weight
298
Parameter
Description
Load Weight
Emphasis to put on the load of remote server farm between client and
farms when determining proximity. The number effects the load
balancing decision based on proximity considerations.
Values: 1 (default) - 100
Proximity Table
Cleanup
Proximity Checks
AppDirector has a sophisticated mechanism to detect network proximity using a dynamic
database of clients and their proximate sites. This is constantly updated by an auto-learning
mechanism.
To get accurate network proximity results, the checking method should be configured to cross all
obstacles en route to the client. AppDirector uses several methods to detect the number of hops
and the latency from the client to each of the sites. These methods ensure that the proximity
check will go through any router and firewall with maximum accuracy.
When a client approaches AppDirector, a proximity check is performed by each site and the
results are communicated using the Proximity Report Protocol (PRP). Now AppDirector can
redirect the client to the closest site. When another client from the same network approaches
AppDirector, later, the nearest site is now known, and the client is immediately redirected there.
Parameter
Description
Proximity Checks
Basic Check
A simple ping test unrelated to the application used by the user who
triggered the proximity check.
Default: Enabled
Advanced Check
299
Parameter
Description
Application
Independent
Check
Application UDP
Traceroute Check
Using the traceroute tool for the proximity check in the example above,
AppDirector can measure latency and the number of hops to the last
router. The traceroute proximity check is implemented using the UDP
protocol to port 37853.
Default: Enabled.
Default: Enabled.
Application Aware
Check
Failure Notification
Check Retries
Default: Enabled.
Default: 2
Check Interval
3.
Notes:
>> AppDirector can also send PRP reports. Only AppDirector-Global can send PRP requests
for proximity information. In addition, AppDirector-Global receives and uses the PRP
responses to distribute traffic globally according to proximity considerations.
300
Sends PRP queries to all distributed servers (Distributed AppDirector type servers) in the farm
servicing this client request, asking them to perform proximity checks to this class C network.
An AppDirector that initiates PRP queries saves both its own proximity results and those
received from AppDirectors receiving PRP queries in its Dynamic Proximity table for future
requests from this class C network.
Notes:
>> You need to enter the VIP that is associated with the farm in the static proximity so that
the VIP is always associated with the farm.
>> The number of proximity subnets is configurable per farm. The default number of entries
is 500, but you can select any value between 1-5000. If you configure more entries than
the available memory allows, AppDirector prints a message to the terminal and writes it
to the log file.
>> After setting the new values, the device must be rebooted.
>> You can configure for a known range of clients, the three nearest sites that will provide
the service. Only if all the configured sites are down or overloaded will the next most
convenient site be selected to provide the service.
You use the Static Proximity Table window to configure this feature. This window manages the
ranges of static proximity redirections. You can configure ranges of IP addresses of clients for each
farm address with a list of the three preferred sites for this range. If the range should be handled in
the local site, the local site farm name should be entered.
301
From the AppDirector menu, select Proximity > Static Proximity. The Static Proximity
window appears.
2.
3.
Parameter
Farm Name
Description
Name of the farm to which the entry is applied.
Default: None
From Address
To Address
Server 1
Server 2
Server 3
4.
Default Redirection
Default Redirection is applicable only for remote or distributed servers. When proximity is used and
a client for whom no proximity settings are defined approaches AppDirector, a server is selected for
that client based on load considerations only. When no proximity information is available for a client,
Default Redirection enables you to define which servers to use and in which order of priority. The
table below presents the parameters you need to set for each farm in which you want to employ
Default Redirection.
302
Parameter
Description
Farm Name
Priority
Priority order in which servers are used, where 0 indicates the highest
priority.
Default: 0
Server Address
Server Port
Admin Status
Note: An AppDirector running this version will be able to communicate via LRP only with
AppDirector devices running version 2.14 or higher or devices running AppDirector 1.07
versions from 1.07.15 and higher.
303
Whether the Global Triangulation method can be used to redirect traffic to this Local AppDirector
farm.
Whether any NAT device is installed in front of the Local AppDirector device and/or Remote
AppDirector device.
Whether any multi-homing NAT device (such as LinkProof) is installed in front of the Local
AppDirector device
The following figure describes a configuration in which SF-Farm from San Francisco (Local
AppDirector) appears as a distributed server in NY-Farm from New York (Remote AppDirector)
meaning that the AppDirector in San Francisco (Local) must send reports to the AppDirector-Global
in New York (Remote).
304
305
Parameter
Description
Distributed Farm
Name
Distributed Server
Server address for the distributed server in the Remote AppDirector the value of this parameter depends on whether a NAT device is
installed before the Local AppDirector.
No NAT device: Local AppDirector Layer 4 policy VIP that is
connected to the farm whose load we are reporting - in the
example above, 200.1.1.200.
NAT device: NAT address of the Local AppDirector Layer 4
policy VIP that is connected to the farm whose load we are
reporting - in the example above, 250.1.1.200.
Farm Name
Name of the local farm whose load we are reporting - in the example
above, SF-Farm. This is required if the Layer 4 policy configured for
this entry points to a Layer 7 policy (otherwise it s automatically set
to the farm name used in the Layer 4 policy).
Note: If no farm name configured, no report is sent.
L4 Policy Name
Layer 4 policy configured in the Local device, that points to the farm
whose load we are reporting - in the example above, SF-Policy.
Triangulation VIP
Virtual IP address for global triangulation on the Local AppDirector in the example above, 200.1.1.220. This parameter is relevant only
when Global Triangulation is used.
Destination Address
Operation Status
Original VIP
Original VIP (on the Remote AppDirector) to which the client sent the
request, required when Global Triangulation is used- in the example
above 100.1.1.100, or 163.1.1.100 if NAT device is present. This is
the address that the Local AppDirector device uses as source IP for
triangulated traffic.
4.
5.
Adjust Load Report Interval and Load Report Timeout fields in the Global Configuration window,
as described in the Global Configuration section.
306
The destination IP of the health check is the internal interface of the access router for that link in this case LinkProof routes the health check request to the proper router.
The destination IP of the health check is an external address from the respective link provider
(DNS server, etc). The address used for each health check must be different. The LinkProof must
be configured to send each health check through the appropriate link by using traffic routing
policies (grouping or flow policies according to LinkProof version) to ensure the correct WAN link
is checked - for details please see LinkProof user guide.
Example
The following is an example of the configuration required on a Local AppDirector that is installed
behind a LinkProof (Figure 2).
Step 1.
Configure the appropriate entries in the Report Table.
Parameter
Entry 1
Entry 2
Entry 3
Distributed Farm
NY-Farm
NY-Farm
NY-Farm
Distributed Server
250.1.1.200
192.1.1.200
176.1.1.200
L4 Policy
SF-Policy
SF-Policy
SF-Policy
Farm Name
SF-Farm
SF-Farm
SF-Farm
307
Parameter
Entry 1
Entry 2
Entry 3
Triangulation VIP
200.1.1.220
200.1.1.220
200.1.1.220
250.1.1.220
192.1.1.220
176.1.1.220
Report Destination
Address
100.1.1.10
100.1.1.10
100.1.1.10
Health Monitoring ID
SF-link1
SF-link2
SF-link3
Origin IP Address
100.1.1.100
100.1.1.100
100.1.1.100
Backup Report
Destination Address
Step 2.
Configure health checks for each WAN link. This example shows configuration of simple health
checks, but a health check group can also be bound to a Load Report entry.
WAN1
WAN2
WAN3
Method/Arguments
As required
As required
As required
Destination Host
250.1.1.11
192.1.1.31
176.1.1.53
200.1.1.10
200.1.1.10
200.1.1.10
Step 3.
Bind each health check with the corresponding Load Report entry.
WAN1
WAN2
WAN3
Server/NHR/Report
Report-SF-link1
Report-SF-link2
Report-SF-link3
308
Figure 15: LRP Multi-Homing example - Local AppDirector installed behind a LinkProof
309
On the global AppDirector, define the local AppDirector as a local AppDirector server in the
relevant farm's Remote Server Table.
2.
On the local AppDirector, define the relevant LRP reporting entries to accommodate the
relationship between the global and local AppDirectors.
From the AppDirector menu, select Global > Global Parameters. The Global Parameters
window appears.
2.
Parameter
Description
Open New Entry When Enable: Each session that a client opens, is recorded in the Client
Source Port Different
Table separately.
Disable (default): All client sessions are considered a single
session, providing better performance.
Select New Server
When Source Port
Different
3.
310
Interval (in seconds) for sending dynamic updates of the local load to
other AppDirector's devices that are served by this AppDirector. Also
see Configuring Local Report Protocol, page 303.
The Domain Name System (DNS) allows Internet hosts to use names rather than IP addresses when
accessing an Internet resource. DNS translates easy-to-remember names, such as
www.radware.com, to IP addresses. When a user instructs a Web browser to go to a URL such as
www.radware.com, DNS equates that name with an IP address allowing the users machine to
communicate through IP with the machine that hosts the website of www.radware.com.
The DNS server consists of two main components:
The resolver: Component responsible for asking a DNS question about the IP address,
associated with the URL representing this address.
The name server: Component responsible for answering a DNS query. This is the agent
present in DNS servers. When asked "What is the IP address of www.company.com?", the
name server answers to the best of its ability.
All basic Internet hosts and TCP/IP stacks contain the resolver, while DNS servers contain both
components: resolver and name server. The resolver is necessary if there is a question that the DNS
server cannot answer.
There are two kinds of DNS questions, or DNS "queries," that can be asked:
Iterative: An iterative query CAN be answered with an absolute answer (IP address) or a
referral.
Recursive: A recursive query MUST be answered with an absolute answer (IP address).
Client resolvers cannot handle referrals and therefore, can only ask recursive questions. Server
resolvers, on the other hand, can handle referrals and can ask recursive or iterative questions.
Although it is more common for server resolvers to make iterative queries, they may at times make
recursive queries. When a name server is asked a recursive question, it must answer the question. If
it does not know the answer, it finds it. When a name server is asked an iterative question, it
answers the question to the best of its ability. If a name server knows the answer, the response is
the requested IP address; if a name server does not know the answer, the response is a referral
answer that includes the DNS and IP address of one or more name server(s) that may know the
answer.In the DNS, the IP world is divided into domains. Each domain contains hosts. For example,
a host known as www.radware.com is a host in the radware.com domain. Radware.com is a subdomain of the.com domain. Each domain in the Internet community has one or more authoritative
name servers. An authoritative name server for a domain is responsible for all sub-domains and
hosts within the domain or any of the sub-domains.
Host Names
This DNS table is used to define the relationships between hostnames and farms. You configure the
Host Names Table by defining the IP of the farm which handles the URL.
You can define wildcard host names using the RegExp Host Name Table in addition to the definition
of explicit URLs in the Host Names Table. This allows you to set a single definition for many similar
URLs that are hosted on the same farm. When a DNS request arrives AppDirector first looks for an
exact match in the Host Name Table. If such a match is not found, AppDirector looks for a match in
the RegExp Host Name Table according to the configured order of entries. When no match is found,
AppDirector discards the DNS request.
311
From the AppDirector menu, select DNS > Host Names. The Host Names Table window
appears.
Parameter
Description
Host Name
Farm Name
Farm that you want to include in this policy, for example, Main Farm.
Default: None
Notes:
When a host name entry is created, if the Layer 4 Policy defined for
this host name entry has the Farm Name field configured (does not
include a Layer 7 policy), that farm name is displayed in the host
name entry Farm Name field by default.
System administrators need to configure the appropriate farm,
whose availability the decision for host name DNS resolution is
made.
(Read-Only Parameter for Update mode)
External NAT Address Required when AppDirector is located behind a NAT device that NATs
the VIP address for the host name. AppDirector must use External NAT
Address in its DNS reply for DNS queries for host names.
312
Parameter
Preferred Resolve IP
Description
Chooses how to resolve for the best available IP.
0.0.0.0 (default): Here the host name is resolved to the best
available IP without taking Operation Mode into account.
The VIP of the Layer 4 policy defined for this host name (default):
Here the host name is resolved to the best available IP while taking
Operation Mode into account. If a local server in Regular Operation
Mode is available and the Farm distribution threshold was not
reached, the device answers with the Layer 4 policy VIP, if not it
selects the IP of one of the remote and distributed server's IPs
according to availability, load and proximity.
The IP of a Distributed AppDirector server or a Remote server in
the farm attached to the Layer 4 policy defined for this host name.
While the specified server is available, the host name is resolved to
its IP.
DNS Action
This defines whether the DNS query for a host name should be resolved
by AppDirector for globally load balancing applications or forwarded to
the configured farm for DNS traffic load balancing.
When set to Forward, this parameter enables AppDirector to provide
Layer 7 farm selection for DNS traffic. (See Layer 7 Farm Selection for
DNS, page 237).
Values: Resolve, Forward.
2. When creating, in the Host Names Table window, click Create. The Host Names Table Create
window appears, which contains the above parameters:
3. When updating, in the Host Names Table window, select the desired Host Name. The Host
Names Table Update window appears.
4. Set the parameters.
5. Click Set. Your configuration is set.
Parameter
Description
Index
313
Parameter
Description
Layer 4 Policy Name Layer 4 Policy Name associated with a Host Name entry provides
information about the relevant farm, and Virtual IP to be used in reply.
The farm is used to consider the servers load and can optionally use
Remote Servers or Distributed AppDirector in the farm for the DNS
resolution process.
If the Layer 4 policy selected is connected to a Layer 7 policy, then you
need to select the appropriate farm in the Farm Name field. If no farm is
selected, DNS queries to this host name will not be answered and the
Farm Name from the Layer 4 Policy is automatically selected.
Note: System administrators need to configure the appropriate farm,
whose availability the decision for host name DNS resolution is made.
Farm Name
Farm that you want to include in this policy, for example, Main Farm.
Default: None
Notes:
When a host name entry is created, if the Layer 4 Policy defined for
this has the Farm Name field configured (without a Layer 7 policy),
that farm name is displayed in the host name entry Farm Name field
by default.
System administrators need to configure the appropriate farm,
whose availability is decided for host name DNS resolution.
(Read-Only Parameter for Update mode)
External NAT
Address
Required when AppDirector is located behind a NAT device that NATs the
Virtual IP address for the host name. Here, AppDirector must use the
External NAT Address in DNS reply for DNS queries for host names.
Preferred Resolve IP Chooses how to resolve for the best available IP.
0.0.0.0 (default): The host name is resolved to the best available IP
(either local VIP or VIP of a distributed site as part of local farm). The
device selects a Non-Backup server local or distributed (if the farm
reach the threshold), if there is no Non-Backup it will choose a
Backup server but it will treat the Backup Distributed server as
regular distributed server.
The Local VIP - The VIP of the Layer 4 policy defined for this host
name. If a local server is available, the device answers with the
Layer 4 policy VIP. If not, it selects the IP of one of the remote and
distributed server's IPs according to availability, load and proximity.
The device selects a Non-Backup server local or distributed (if the
farm reach the threshold), if there is no Non-Backup it will choose a
Backup server.
Remote VIP - IP of a Distributed AppDirector server or a Remote
server (not recommended, but possible) in the farm attached to the
Layer 4 policy defined for this host name. If the distributed server is
active it will ALWAYS be chosen regardless of the other servers.
DNS Action
This defines whether the DNS query for a host name should be resolved
by AppDirector or forwarded to another DNS server.
Values: Resolve, Forward.
4.
314
Notes:
>> Host Name field in both tables (Host Name and RegExp Host Name Table) is case
insensitive.
>> Total number of entries in Host Name Table and RegExp Host Name Table is determined
by the value of Host Names parameter in Tuning settings.
>> A . In a regular expression means any single character, to indicate a ., a\ must be
used before the ..
Parameter
Description
DNS Service
Two Records in DNS Enable or Disable (Default) return of two A records in the DNS response.
Reply
Enable returns two A records, disable returns one.
3. Click Set. Your configuration is set.
DNS Persistency
AppDirector maintains persistency for consecutive DNS queries received from the same DNS client
IP address. For example, if a DNS server honors the low TTL that the AppDirector assigned to DNS
replies, it sends queries for the same farm every few seconds. If the client does not cache the
replies, or caches them for a short period, consecutive connections for the same session may end up
on two different sites.
When AppDirector receives a DNS request for a host name, for example www.a.com, it first
searches for the host name in the Host Name Table; and if the host name is not found, AppDirector
searches the RegExp Host Name Table. Once an entry is matched, the relevant Layer 4 Policy that
serves this host name is determined.
If DNS Persistency is configured for this Layer 4 Policy, AppDirector searches the static and dynamic
tables to determine the IP address used in the DNS reply. When AppDirector devices are used in
multiple sites to provide a global solution, Hashing can be used to provide consistent DNS replies
from different AppDirector devices to the same DNS client IP.
DNS Persistency can be configured for each farm using:
DNS Persistency: When AppDirector answers a DNS request, it creates an entry in the DNS
Persistency Table, indicating the requester's IP address and the VIP that was sent as a response.
AppDirector provides the same reply to that requester as long as there is a record in the table.
Static DNS Persistency: You can statically set VIPs to be used for a range of DNS IP
addresses.
315
Note: When using redundant AppDirector devices, mirroring can be used for the DNS
Persistency Table. Similar to other mirrored tables, you can enable or disable DNS
Persistency Table Mirroring, and set the Update Time and Mirroring Percentage (see
Stateful Failover (Mirroring), page 140).
AppDirector devices must be configured so that the same VIPs are available for DNS replies.
When Hash is used for DNS Persistency, server weights are taken into account. To ensure that
different AppDirectors choose the same server, you must set servers with the same respective
weights.
If the VIP selected by Hashing is not available, AppDirector selects the next available VIP. This
behavior is consistent among different AppDirectors.
Entries in the DNS table should be created ONLY if the selected by the hash VIP option is NOT
available at the moment and because of that a different VIP must be selected.
When Hashing is used for DNS Persistency, load and proximity information are not used in the
DNS reply process.
When Hashing is used for DNS Persistency, Capacity Threshold and Distribution Threshold are
ignored.
From the AppDirector menu, select Farms > DNS Persistency Parameters. The DNS
Persistency Parameters Table window appears.
2.
Select the farm where you want to define DNS persistency. The DNS Persistency Parameters
Table Update window appears.
316
Parameter
Description
Farm Name
Status
Mode
AppDirector selects VIP used in DNS replies for the farm using these
modes:
Load Balancing (Default): Load Balancing algorithms are used,
considering load and proximity information.
Hash: Hash on client IP address. This can be used when AppDirector
devices are in a multiple site and global DNS persistency is required.
Static Mode
Aging Mode
Aging Time
Grouping Mask
4. Click Set. The DNS Persistency Parameters Table Update window closes.
Aging Mode
Entries in the DNS Persistency Table can be aged by the Fixed or Inactivity modes. When Fixed
mode is used, the entry is removed from the table after the period of time defined by the Aging Time
parameter. When Inactivity mode is used, the entry is removed from the table if no additional DNS
queries are received from the same DNS client IP address during the period defined by the Aging
Time parameter.
Note: To use static DNS, you need to first set the tuning on the device.
317
From the AppDirector menu, select DNS > Persistency Table. The Static DNS Persistency
Table window appears.
2.
Click Create. The Static DNS Persistency Table Create window appears.
Note: Before adding entries to the Static DNS Persistency table, you must enable DNS
Persistency and Static DNS Persistency.
3.
Parameter
Description
Farm Name
From Client IP Address First IP address in client IP range for static DNS resolution.
To Client IP Address
Preferred VIP
IP address to be used for DNS replies for host names managed by this
farm. This address is usually set to the Virtual IP address associated to
Layer 4 Policy, or one of that farm's servers, of type Remote Server,
Distributed Server, or Local Farm.
Note: AppDirector uses this IP address only if the corresponding farm
server is available.
Alternate VIP
4.
318
Click Set. The DNS Persistency Parameters Table Update window closes and the new
parameters appear in the DNS Persistency Parameters Table window.
DNS Statistics
You can generate statistics regarding DNS requests.
Parameter
Description
Redirection
This section describes methods used to redirect traffic in the global traffic management solution and
includes the following topics:
When using the global traffic management solution, several Redirection methods can help to define
how service requests are redirected.
When a client sends a new request for service, AppDirector selects the best available server. If the
required server is at the local site, AppDirector forwards the service request to that server. If the
required server is at a remote site, AppDirector redirects the service request using one of the
methods.
Multiple redirection modes can be enabled per farm. Exceptions include Global Triangulation and
Proxy (Client NAT) which cannot be enabled simultaneously.
When an application-specific redirection process (HTTP, RTSP, SIP) and a Global Triangulation or
Proxy mode are enabled in a farm, traffic belonging to an application for which a specific redirection
mode is enabled (HTTP, RTSP or SIP) is redirected accordingly, while other applications are
redirected using the Triangulation or Proxy methods.
319
DNS Redirection
The DNS Redirection method is based on the DNS process (see DNS Persistency, page 315). When a
client sends a DNS query to find the IP address of the host name of the requested service,
AppDirector operates as a DNS server. When a DNS query is made, AppDirector responds with the IP
address of the best site for the client. If the local AppDirector decides that the current site is best
suited for handling the client, it sends the query to its own VIP address. Otherwise, AppDirector
resolves the DNS query using the IP address of a remote farm or server. Redirection is only
performed during the DNS query/answer stage. Therefore, if DNS Redirection is enabled on a farm,
any packet destined to the Virtual IP address is handled by the local servers of this farm.
The DNS Redirection process involves the following steps:
1.
The DNS request reaches the AppDirector-Global physical IP Interface or Virtual IP Interface
from a DNS server. The request is to resolve a host name to an IP address.
2.
No search of the Client Table is made. AppDirector-Global searches the Static Proximity Table
for a range fitting the asking DNS server. If a match is made, the top priority server from the
active AND not overloaded servers is selected. AppDirector-Global resolves the name to the IP
address of the chosen server, which can be a local Layer 4 VIP or a VIP configured on a remote
AppDirector.
3.
If there is no match in the Static Proximity Table, the Dynamic Proximity Table is searched. If
there is a match, AppDirector-Global resolves the request to the Layer 4 VIP address of the
highest priority site (currently active and not overloaded), accounting for the hops weight,
latency weight, and the load weight variables.
4.
If there is no match, AppDirector-Global resolves the request to the IP address of the least
loaded site, while calculating proximity information for the querying DNS server (if proximity is
enabled). Then AppDirector-Global sends PRP requests to other AppDirectors to do the same.
5.
AppDirector-Global resolves the query to the IP address of the least loaded site.
Notes:
>> DNS answers are made with a DNS TTL of 0,(default) to reduce Internet caching and to
keep the system dynamic.
>> You can set DNS TTL to a higher value and you can set different DNS TTL values for
different farms.
Using AppDirector-Global, DNS Redirection works best if DNS servers from all over the Internet
make queries to AppDirector-Global. If the DNS servers local to AppDirector-Global or responsible
for the super-domain make queries to AppDirector-Global, their proximity calculations result in
inaccurate data. AppDirector-Global allows you to configure up to two DNS servers with requests
that are resolved to the least loaded site; no proximity calculations are made if a request comes
from either of these two DNS servers.
HTTP Redirection
The HTTP redirection method is used to redirect the HTTP traffic as follows:
1.
The client sends the GET request using the HTTP protocol to a VIP address of AppDirector.
2.
AppDirector receives the request and selects the best server for the task.
3.
If AppDirector decides that a distributed site or remote server is the most appropriate, then it
issues an HTTP redirect to the user indicating that the user has been redirected. Here,
AppDirector replies to the HTTP request using an HTTP code redirection code (Moved Temporarily
or Moved Permanently) and redirects the client to the relevant server.
320
Note: When redirect by name is enabled and the redirect to URL field is empty, AppDirector
uses server name for redirection.
Hostnames for all sites must belong to the same domain (for example www.a.com for the main
service, www.site1.a.com for site 1 and www.site2.a.com for site 2)
Ensure that the automatically generated Set-Cookie method uses the same cookie key in all
sites. This can be achieved either by using the same Farm Name in all sites, or by editing the
automatically generated cookie key.
Set the domain value of the automatically generated Set-Cookie method to the service domain
(in the example above a.com)
When AppDirector performs SSL for Back End servers the servers receives the requests in HTTP
(clear), therefore, when servers perform redirect to another page/site (using HTTP headers in
response with location field), it can now also use HTTP. If the clients receive this header they will
initiate the new connection over HTTP instead of over HTTPS and is dropped. Therefore the
AppDirector, that sends the response back to the clients must change the server's redirection
location URL appearing in the HTTP header from HTTP:// to HTTPS://.
This modifies the location header of any HTTP header in server's responses from HTTP:// to HTTPS:/
/, and the target port. The modification is performed where the host name in the client's request
matches the host name in the server's response, or where matching criteria are met. Matching
criteria can consist of one Regex that represent hostnames.
321
Notes:
>> For HTTPS redirection - if the Layer 4 policy port is different than port 443, the Layer 4
policy port is appended after a colon to the URL.
>> For HTTP redirection - If the Layer 4 policy port is different than port 80, the Layer 4
policy port is appended after a colon to the URL
>> When Backend SSL is working, you do not need to use HTTP to HTTPS protocol
redirection and you cannot configure them together.
Protocol Redirection
If a user requests the www.ab.com/base_redirect.html page, the page is redirected to www.bb.com/
Redirect/Path/redirect_page.html.
If the redirect was from ab.com to ab.com/some-other-path, no regular expression
is needed since this is the same host.
In this example, the redirect was from ab.com to bb.com and this works only when the regular
expression matches the host (the new host). Thus, when the regular expression is www.ab.com, it
does not match bb.com (which is the real location of the page).
The redirection works as follows:
"www.bb.com"
"www.b*.com"
"/*"
"bb.com"
"bb"
"www"
".com"
"."
".c"
"bb.com/Redirect/"
"www.bb.com/Redirect/Path/redirect_page.html"
"/"
AppDirector does not change to https for the following regular expressions:
"www.ab.com"
"www.bb.com/blabla"
""
" "
"ab.com"
322
RTSP Redirection
Real Time Streaming Protocol (RTSP) is used for audio/video streaming applications such as news
broadcasts, radio stations and live shows over the Internet. Using RTSP redirection, AppDirector can
redirect RTSP sessions to a remote site.
AppDirector forwards a RTSP request to a remote server or AppDirector. During the redirection,
AppDirector responds with a standard RTSP redirection message causing the client sending the
request to establish a new connection to a remote site to view/hear the streaming information. RTSP
redirection is used for requests to TCP port 554 and is enabled by the RTSP Redirection.
The RTSP redirection and the HTTP redirection methods work similarly. The RTSP redirection process
involves the following steps:
1. The client uses the RTSP protocol to send the Options, Describe, or Setup (request for a file)
commands to the VIP address of AppDirector.
2. AppDirector receives the request for service and selects the best server.
3. If AppDirector decides that a distributed site, rather than a local server, is the most appropriate,
then AppDirector issues a RTSP redirect to the user, redirecting the user to one of the distributed
sites.
RTSP redirection can be done by an IP address or by name. The name is taken from the Redirect To
URL parameter of the server. If the Redirect To URL parameter is not configured, the Server Name is
used instead (see HTTP Redirection, page 320). RTSP redirection can be used globally, redirecting
clients to remote farms or servers, or locally, using Redirect to Self (see Using Redirect to Self in
Multi-Homed Environments, page 396).
Note: RTSP redirection preserves the client-server persistency of RTSP sessions when the
Client Table mode Select Server When Source Port is Different is used.
SIP Redirection
The Session Initiation Protocol (SIP) is an IETF standard for a signaling protocol used for
establishing sessions between two or more end users. The SIP redirection method is used to redirect
SIP session invitations to external domains, such as a distributed or remote server.
The SIP redirection process involves the following steps:
1. The client sends the SIP request to an AppDirectors VIP address.
2. AppDirector receives the request and selects the best server for the task.
3. AppDirector chooses the distributed site or remote server, replies to the SIP request using the
SIP code 302 (Moved Temporarily) and redirects the client to the relevant server.
4. SIP redirection can be done by an IP address or by name. SIP redirection by an IP address
redirects the request for service to the IP of the remote server or the Distributed AppDirectors
VIP. When using SIP redirection by name, AppDirector redirects the client to another URL.
5. SIP redirection by name is configured using the Redirect To URL parameter for the server.
Proxy Redirection
This method uses Client NAT to redirect traffic. AppDirector acts as a proxy at the IP level, retrieving
content and then responding to the user. Before selecting this method, the Client NAT must be
enabled on the device and the Client NAT range must be configured for the farm. When traffic is
forwarded to another site, AppDirector replaces the original Source IP of the request with a
predefined NAT IP address and dynamically selected ports. Client NAT enables AppDirector to hide
the IP addresses of clients when forwarding traffic to servers in farms. Using Proxy redirection, the
323
Notes:
>> You cannot use Global Triangulation when any Acceleration Engine related capability (i.e.
SSL, Cache, Compression, and Authentication) is used.
>> The Triangulation redirection method is not applicable in a global solution configuration
that uses remote servers.
main
AppDirector
main VIP
Triangulation
VIP
Address
Remote
AppDirector
Remote VIP
User
To overcome this issue, AppDirector utilizes a process called VIP Mapping, which is used at the
receiving AppDirectors end (in this example, Remote AppDirector). The process consists of the
mapping of three parameters:
Parameter
Description
Distributed Server
Triangulation VIP
Address
VIP address of the main AppDirector farm that directed the user to this
AppDirector. The Origin VIP Address in the example is the virtual
address of the main VIP.
324
Notes:
>> Global Triangulation does not work with persistent Layer 7 switching.
>> Layer 7 with Global Triangulation assumes all sites have the same configuration.
>> In Layer 7 with Global Triangulation, the main device sends the request to the
distributed site with no TCP handshake, just the GET.
The Global Triangulation redirection process involves the following stages:
1. User sends a new service request to VIP of main AppDirector (main VIP).
2. Main AppDirector receives the request for service and selects the best server for the task in the
relevant farm.
3. Main AppDirector decides to send the user to a distributed site. The request for service is sent
using the Triangulation VIP address associated with the Remote AppDirector VIP.
4. Remote AppDirector sends the packet to one of its local servers. The reply to the user is sent
using the Origin VIP Address as the source address.
Main VIP
Triangulation
VIP
Address
User IP
User IP
Main VIP
AppDirector uses Layer 4 Policies internally to manage Triangulation VIP addresses for Global
Triangulation. The Triangulation VIP addresses are defined in the Distributed Sites table.
AppDirector automatically creates, updates, and deletes the corresponding Layer 4 entries. These
entries appear in Layer 4 Policies. They are:
325
Note: The Triangulation VIP address and the Layer 4 Virtual IP address cannot be configured
on different subnets when Extended LRP Security is enabled. Extended LRP Security is
defined globally for each AppDirector and enabled by default. To place them on different
subnets, you must disable this option.
From the AppDirector menu, select Farms > Redirection. The Redirection Table window
appears.
2.
Select the farm where you want to define redirection. The Redirection Table Update window
appears
3.
Parameter
Description
Farm Name
DNS Redirection
HTTP Redirection
326
Parameter
Redirect To HTTPS
Description
Enables the HTTPS redirection method.
Values:
Disabled
Enabled (default)- both HTTP and HTTPS traffic that arrives at this
farm will be redirected to HTTPS, in case redirection is necessary.
HTTPS only - only HTTPS is redirected (HTTP is not redirected to
HTTPS).
RTSP Redirection
SIP Redirection
Global Triangulation
Proxy Redirection
(Client NAT)
Redirect By Name
Farm Distribution
Threshold
Local load balancing is performed between local servers until the farm
reaches the Distribution Threshold limit. Then the distribution
algorithm allows AppDirector to redirect users to other servers.
Default: 2,500
Farm Capacity
Threshold
Static Proximity
Entries
327
Parameter
Description
Application
Redirection Mode
4.
Click Set. The Redirection Table Update window closes and the new parameters appear in the
Redirection Table window.
Anycast Advertise
Anycast is the process that allows a single IP address to be announced from multiple locations. Its a
simulation of a situation where a routing domain may have multiple routes that lead to a certain
destination. Such an application is useful if a service is required globally, and there are multiple
service points that should be totally transparent to the user.
Once a packet has the Anycast address as a destination, the routing domain will control the flow of
that packet towards one of the destinations.
A global system may use the Anycast to announce multiple service points. There are two types of
Anycast service:
Global Anycast: The global Anycast addresses are equally announced from multiple locations
allowing users to connect to these points concurrently. The routing logic creates the load
distribution between the different service points. This type of Anycast is suitable for stateless
applications only, such as DNS. This type of Anycast can be used to select the DNS resolver in a
global solution.
Local Anycast: The local Anycast addresses are not concurrently active in more than a single
primary site. Secondary sites use these addresses only to provide a transparent backup to the
primary site. For the routing logic there should be a single location that serves each IP address.
This type of Anycast is suitable for all protocols as long as the primary site is active persistency
is maintained.
From the AppDirector menu, select Distributed System > Anycast Advertise Table. The
Anycast Advertise Table window appears.
2.
328
Parameter
Description
External NAT IP
329
330
The Health Monitoring module implemented on Radware IAS (Intelligent Application Switching)
products is responsible for checking the health of network elements like servers, firewalls, and Next
Hop Routers (NHRs) that are managed by the IAS device. It determines which network elements are
available for service, enabling the IAS device to load balance traffic among the available resources.
Traffic management decisions are based mainly on the availability of the load-balanced elements
and other resources on the data path. The module provides flexible configuration for health
monitoring of the load-balanced elements. The module supports various predefined and userdefined checks, and enables the creation of dependencies between Health Checks of different
elements.
The Health Monitoring module enables users to track the round-trip time of Health Checks. The
device keeps a Response Level indicator for each check. The Response Level is the average ratio
between the response time and the configured Timeout. The average is calculated based on the
number of samples defined in the Response Level Samples parameters in the Global window. Setting
the Response Level Samples to 0 disables the parameters; any other value between 1-9 defines the
number of samples.
Checked Element
A Checked Element is a network element that is managed and load balanced by the Radware device.
For example, AppDirector-checked elements include the Farm Servers, NHRs, and LRP and PRP
reports.
The health of a Checked Element may depend on a network element that the IAS device does not
load balance. For example, the health of a server managed by AppDirector may depend on the
health of a database server, or other application servers, which are not load balanced by the
AppDirector, or the health of a Next Hop Router managed by LinkProof may depend on the
availability of the service provider.
Health Check
A Health Check defines how to test the health of any network element (not necessarily a Checked
Element). A check configuration includes such parameters as the Check Method, the TCP/UDP port
to which the test is sent, the time interval for the test, its timeout, the number of retries, and more.
These parameters are explained in detail in the Health Checks section. A network element can be
tested using one or more Health Checks.
331
From the Health Monitoring menu select Global Parameters. The Health Monitoring Global
Parameters window appears.
2.
Parameter
Description
Health Monitoring
Response Level
Samples
This is used by the device when the Web server requires a client
certificate during the SSL handshake.
Default: Client certificate generated by the device.
3.
Note: SSL certificate file and SSL private keys are not exported as part of the device
configuration export.
Health Checks
This section discusses Health Checks and contains the following topics:
Uploading, Downloading and Deleting the Diameter File using Binary File Transfer, page 352
You can add or edit health check parameters in the Check Table. The Check Table lists the
configured Health Checks. If a check is not bound to any of the Checked Elements, it is still
performed. If it fails, the device sends notification messages (SNMP Traps, Syslog messages or mail
messages), indicating the failure of the check.
332
For example, having 5000 checks with a large interval of two days could perform better than 200
checks with in interval of 2 seconds.
Parameter
Description
Check Name
333
Parameter
Description
ARP
A reading of the unit ARP cache for the 2 most recently acquired entries.
One at a time, the device sends ARP requests to these machines,
attempting to stimulate network traffic. After each request, the device
counts all received traffic for up to 5 seconds.
If traffic is received, the interface is considered operational. If no traffic is
received, an ARP request is sent to the next machine. If at the end of the
list, no traffic has been received, the ping test begins.
Citrix Application
Browsing
The module sends a "Hello" request to the Citrix server which responds
by sending the list of applications running on it. Based on this reply, the
module compares the applications available on the server with a list of up
to four applications configured by the user.
If all configured applications are running on the Citrix server, the check
passes. If none are running, the module completes the handshake. This
check uses UDP port 1604 by default.
Arguments: e.g. application names.
Citrix ICA
The module initiates a connection to the Citrix server, using TCP port
1494 and performs a Citrix handshake. This check passes when the
Health Monitoring module identifies the Citrix's reply within the first reply
packet.
DHCP
No Arguments
334
Parameter
Description
DHCP (continued)
Diameter
DNS
FIX
The module creates a FIX packet and sends it to the FIX server (after the
TCP handshake). A successful check is where the value of TestReqID in
the reply packet is the same as the one configured; the "SenderCompID"
is the configured value of the "TargetCompID" field, and vice versa; and
the FIX version is the same as the configured value.
Arguments: TestReqID; SenderCompID; TargetCompID; FIX Version.
Note: Since the TestReqID parameter is non-mandatory, the default is
the number of seconds since 01/01/1970.
FTP
The module executes USER and PASS commands on the FTP server.
When the login process is successfully completed, the module executes a
SYST command.
It can verify the existence of the file on the FTP server, but it does not
download the file or check its size. The module verifies that all the
commands are executed successfully, then terminates the connection.
Arguments: Username; Password; Filename.
Note: The module uses a control session only, not a data session,
unless it is necessary to verify the existence of a file.
335
Parameter
Description
HTTP
HTTPS
The module performs an SSL handshake opposite the server. After the
session starts, the device sends a GET request from the Checked
Element.
Arguments: HTTP Header, HTTPS Method; Username; Password; Match
Search String; Match Mode; HTTPS Return Codes.
Note: Radware recommends to use interval values > 15 seconds and
timeout values > 10 seconds.
IMAP4
The module executes a LOGIN command to the IMAP server, and verifies
that the returned code is OK.
Arguments: Username; Password.
LDAP
The Health Monitoring module enhances the Health Checks for LDAP
servers by allowing performing searches in the LDAP server. Before
Health Monitoring performs the search, it issues a Bind request command
to the LDAP server.
After performing the search, it closes the connection with the Unbind
command. A successful search receives an answer from the server that
includes a "searchResultEntry" message. An unsuccessful search receives
an answer that only includes only a "searchResultDone" message.
Arguments:
Username: A user with privileges to search the LDAP server.
Password: The password of the user.
Base Object: The location in the directory from which the LDAP
search begins.
Attribute Name: The attribute to look for. For example, CN Common Name.
Search Value: The value to search for.
Search scope: baseObject, singleLevel, wholeSubtree
Search Deref Aliases: neverDerefAliases, dereflnSearching,
derefFindingBaseObj, derefAlways
336
Parameter
Description
LDAPS
NNTP
The module executes a LIST command and verifies that the returned
status is valid.
No Arguments
Physical Port
The module checks the physical interface status. When the link is up, the
check passes.
Arguments: Physical port number.
Ping
The module sends an ICMP echo request to the Destination address and
waits for an echo reply.
The module checks that the reply was received from the Destination
address to which that the request was sent, and that the sequence
number is correct.
Arguments: Fail; Ping Data Size.
Fail: Whether the reply is received or not, by default, the check fails
when the server does not reply.
Ping Data Size: The size of the ICMP echo request (1 byte to 1024
bytes). The default is 64 bytes.
POP3
The module executes USER and PASS commands on POP3 server, and
checks that the returned code is OK.
Arguments: Username; Password.
RADIUS
Authentication
The module sends an Access Request with a User Name, Password and a
Secret string, and verifies that the request was accepted by the server,
which then expects an Access Accept reply.
Arguments: Username; Password; Secret.
Note: Ensure that the RADIUS server is configured to accept RADIUS
requests from the Radware device.
337
Parameter
Description
RADIUS Accounting
RTSP
SMTP
The module executes a HELLO command to the SMTP server and checks
that the returned code is 250.
Arguments: HELO
SNMP
The module sends an SNMP GET request, and validates the value in the
reply. When the returned value is lower than the minimum range
expected or higher than the maximum range expected, the check fails.
When the returned value is higher than the No New Sessions Value, the
bound element is set to No New Sessions. The results of the SNMP
Check can be used for a load-balancing decision, similar to Private Load
Balancing Algorithms.
Arguments: SNMP Object ID to be checked; Community; Min. Value;
Max. Value; No New Sessions Value; Use Results For Load Balancing.
Notes:
For a device to consider the outcome of the check in the load
balancing decisions, set the farms Dispatch Method to Response
Time.
The SNMP health check supports Integer, Counter and Gauge values.
While Integer can be a negative value, Counter and Gauge must
always be greater than 0.
338
Parameter
Description
SSL Hello
The module sends an SSL Hello packet to the server (using SSL3), and
waits for an SSL Hello reply. The session is then closed (using a RESET
command).
Note: Since generating SSL keys on the server is a time consuming
process, it is recommended to use a timeout of 3 to 5 seconds.
Arguments: SSL Version, can be either V2.3 or V3.0. SSL v3.0 means
that pure SSL v3 is used. SSL v2.3 means that the client sends an SSL v2
request to open a SSL v3 session (Internet Explorer operates this way).
Default: SSL v2.3
TCP Port
TCP User-Defined
TFTP
The module checks the availability of TFTP servers. The check opens
TFTP connection to the tested server and starts downloading the
configured file. Once the first block is received, the check is considered
successful and connection is disconnected.
Arguments: File Full Path
UDP Port
This checks availability of the specified UDP port. It does not test the
server's availability, but the application's availability within the server.
This is due to the nature of UDP.
When the UDP application is operational, no reply is received; when the
UDP application is not operational, an ICMP message UDP Port
Unreachable is sent. No reply indicates the applications availability, so
when the server is down, the application might still be considered as
running. Therefore, the UDP Port check is always used with another
server availability check like Ping or ARP.
No Arguments
Destination Host
(Mandatory)
Next Hop
IP address of the next hop on the network for this check. This is needed
to direct the health check session to a network element's MAC address.
Destination Port
339
Parameter
Description
Arguments
Interval
Retries
Number of times that a health check must fail before the Health
Monitoring module reevaluates the elements availability status.
Note: This field accepts only integers.
Timeout
Maximum number of seconds that the device waits for response to the
Health Check. This field accepts only integers. Maximum value: 2^32-2
seconds.
No New Session
Timeout
Measure Response
Time
Determines whether the response time of the check is being used for
load balancing decisions. Applicable only when Dispatch Method is set to
Response Time LB. The Response Time is measured in milliseconds.
Default: Disabled
Also see Dispatch Methods, page 177.
Note: There are several parameters that must be configured in health
monitoring, for the Response Time Dispatch method or all
traffic will be directed only to first server.
1. Configure Health monitoring -->Global Parameters -->Health
Monitoring Status - to Enable
2. Configure Health monitoring -->Global Parameters --> Response
Level Samples - to non zero value
3. Create Health Monitoring --> Check Table and configure Measure
Response Time - to Enable for All servers in
the farm
4. Create Health Monitoring --> Binding Table for All servers in the farm
Reverse Check
Result
Indicates whether the check fails when reply is received according to the
check arguments or the check passes when no reply received.
Default: Disable (the check fails when the server does not reply).
Table 5 - Predefined Health Check Methods, page 341 describes the predefined Health Check
Methods with the configurable parameters.
4.
340
Method
Name (and
ID)
Argument
Name
ARP
No arguments
Citrix
Application 1
Application 2
for Application
browsing
Additional Info
Default
No
Application 3
Application 4
Citrix ICA
No arguments
DHCP
IP Address
Subnet Mask
255.255.255.255
Default
Gateway
DNS Server
WINS Server
Domain
MAC Address
Relay Agent
Diameter
Diameter
Argument List
Name
DNS
Hostname
Yes
Host Address
Address to be
received.
No
Username
Username.
Yes
Password
Password.
Yes
Filename
No
FIX
Validate
only the
DNS return
code.
TESTREQID
SENDERCOMP
ID
TARGETCOMPI
D
FIX Version
FTP
341
Method
Name (and
ID)
HTTP
Argument
Name
Path
No
Hostname
Host name.
No
HTTP Method
HTTP method to
submit.
No
Additional Info
Default
Any configured
value must begin
with a/.
GET,
GET
POST
HEAD
Proxy HTTP
No
Yes = Use
proxy HTTP,
No
No = Use
Web server
HTTP.
Pragma
Nocache
No
Yes= Use
pragma: nocache,
No
N0=Do not
use pragma:
no-cache.
Authentication Authentication Type
Type
No
Username
No
Password
No
Match Search
string
Basic, NTLM
BASIC
Yes =Fail
check if
pattern not
found
Yes
No =Fail
check if
pattern is
found.
Match Mode
No
String exists
String is
absent
Wildcards not
supported.
342
HTTP Return
Code
No
HTTP Return
Code
No
HTTP Return
Code
No
HTTP Return
Code
No
Method
Name (and
ID)
Argument
Name
Additional Info
Default
HTTP Header
Name
HTTP Header
Value
HTTPS
No
GET,
GET
POST
HEAD
Username
No
Password
No
Match Search
string
Yes =Fail
check if
pattern not
found
Yes
No =Fail
check if
pattern is
found.
Match Mode
No
String exists
String is
absent
Wildcards not
supported.
IMAP4
No
No
No
No
Username
Username
Yes
Password
Password
Yes
343
Method
Name (and
ID)
LDAP
Argument
Name
Username
Username
Password
Password
Base Object
Location in directory
from which the search
starts.
Attribute
name
Search value
Search Scope
baseObject
No
Additional Info
Default
If you configure
Base, then
Attribute is
mandatory.
No
singleLevel
wholeSubtree
Search Deref
Aliases
neverDerefAliases
dereflnSearching
derefFindingBaseOb
j
derefAlways
LDAPS
Username
Username
Password
Password
Base Object
Location in directory
from which the search
starts.
Attribute
name
Search value
Search Scope
baseObject
No
If you configure
Base, then
Attribute is
mandatory.
No
singleLevel
wholeSubtree
Search Deref
Aliases
neverDerefAliases
dereflnSearching
derefFindingBaseOb
j
derefAlways
NNTP
No arguments
Physical
Port
Port Number
344
Yes
Method
Name (and
ID)
PING
Argument
Name
Fail
No
Username
Username
Yes
Password
Password
No
Username
Username
Yes
Password
Password
Yes
Secret
Radius Secret
No
Radius
Username
Authenticatio
Password
n
Secret
Username
Yes
Password
Yes
Radius Secret
No
RTSP
Hostname
No
Path
Yes
POP
Radius
Accounting
SIP TCP
Additional Info
Default
No
No =Fail when
server does not
reply.
=1 - 1024 bytes
IP address of
server.
Request URI
From
Peer From
Max Forward
Match search
string
Match mode
SIP return
code
SIP return
code
SIP return
code
SIP return
code
345
Method
Name (and
ID)
SIP UDP
Argument
Name
Additional Info
Default
Request URI
From
Peer From
Max Forward
Match search
string
Match mode
SIP return
code
SIP return
code
SIP return
code
SIP return
code
SMTP
HELO
SNMP
OID
Object ID to be used
by the check.
Yes
Community
Yes
Min. value
Max value
No New
Sessions
value
Use Results
For Load
Balancing
The measured
response time for the
check.
346
Yes
Yes
No
No
Method
Name (and
ID)
SSL Hello
Argument
Name
SSL Version
v2.3 or v3.0.
Yes
Additional Info
V2.3 or V3.0
Default
v2.3
Yes
Yes
Sequence ID
TFTP
No arguments
UDP User
Defined
Sequence ID
Packet sequence to
submit.
Yes
Packet sequence to
submit.
Yes
Binding
Using the health checks, you can associate, or bind, a health check with a checked element. You can
also define whether the check is mandatory and set the group number.
When several groups are associated with a single Checked Element, they are evaluated with a
logical AND between them. Non-Mandatory checks in a group are evaluated with a logical OR
between them, so that when there is more than one Non-Mandatory check in a group, a failure of
one check does not fail the server.
Parameter
Description
Check
The name of the health check as defined by the user in the Checks Table.
347
Parameter
Group
Description
Group number to which check belongs.
allows you to combine different health checks with the same checked
element.
uses logical AND/OR depending on the Mandatory field.
Group number is only relevant for a given specific checked element.
Mandatory
4.
Click Set. The specified health check is bound to the selected element.
Notes:
>> In order to define a packet, you need to add 0x before the packet itself; for example:
0x00016e69722e747874006f6374657400
>> In a regular expression, a hex string cannot be used.
From the Health Monitoring menu, select Packet Sequence Table. The Health Monitoring
Packet Sequence Table window appears.
2.
Click Create. The Health Monitoring Packet Sequence Table Create window appears.
348
Parameter
Description
Seq ID (Sequence ID) ID number of entire packet sequence. Each sequence defines a new
user-defined check. All packets with same Sequence ID belong to same
check.
Default: 0
PKT ID (Packet ID)
Type
Type of packet.
Values: Send/Transmit (Default), or Receive.
String
Description
Compare Method
Server Table
This table is a read-only table and displays each server configured for the device, in the Application
Server Table, and its status.
Parameter
Description
Server
Description
Farm Name
Availability Status
IP Address
349
Parameter
Description
Response Level
Uptime%
Ratio (in presents) of the number of the success checks and the total
number of checks (successful and failures).
Success Counter
Failure Counter
From the Health Monitoring window, select Diameter > Arguments List. The Diameter
Argument Lists Configuration window appears.
2.
Click Create. The Diameter Argument Lists Configuration Create window appears.
3.
Parameter
Description
Description
Origin-Host
Host name FQDN that identifies the end point that created the
Diameter message and is present in all Diameter messages.
Note: The Origin-Host AVP may resolve to more than one address.
Origin-Realm
Vendor ID
Product-Name
350
Parameter
Description
Application Message
Type
Auth-Application-Id
Auth-Session-State
Destination-Realm
Destination-Host
Public Identity
Disconnect Cause
Accepted Result Codes List of acceptable codes that can be received in a CEA, DPA and LIA
messages. These codes are separated by commas (,)or semi colons (;).
The default is 2001, 2002, 2003, 2004, 2005.
Diameter First Registration (2001)
Diameter Subsequent Registration (2002)
Diameter Unregistered Service (2003)
Diameter Success Server Name Not Served (2004)
Diameter Server Selection (2005)
4. Click Set. Your configuration is set.
351
Uploading, Downloading and Deleting the Diameter File using Binary File
Transfer
Binary File Transfer involves sending a file from one location to another in which all eight bits of the
byte are transmitted either intact or via some encoding scheme. The Diameter Binary File Transfer
window allows you to upload or download the diameter file to the device.
From the Health Monitoring menu, select Diameter > Binary File Transfer. The Diameter
Binary File Transfer window appears.
2.
To upload from the Upload Diameter File option, select the Diameter Argument List Name
from a drop-down list.
3.
From the Health Monitoring menu, select Diameter > Binary File Transfer. The Diameter
Binary File Transfer window appears.
2.
To download from the Download Diameter File option, select the Diameter Argument List
Name from a drop-down list.
3.
From the Health Monitoring menu, select Diameter > Binary File Transfer. The Diameter
Binary File Transfer window appears.
2.
To delete from the Delete Diameter File option, select the Diameter Argument List Name
from a drop-down list.
3.
352
To load balance traffic reaching an AppDirector farm, the farm servers must be checked. AppDirector
periodically checks server health. A successful check shows that the service is available on the
server. Failure to connect causes AppDirector to term the server unavailable although AppDirector
continues to check its availability and generates a Syslog, E-mail, SNMP or CLI trap to indicate that
the server is "Not In Service." AppDirector also monitors the server status in its farms ensuring that
they are available and can handle the request. You can perform a Health Check of the servers using
these methods:
Notes:
>> You can use either Connectivity Checks or Health Monitoring Checks with Farms
regardless of the Health Monitoring Status. However, when both are used, one will
override the other, which means that if a Connectivity Check is set, it will override a
Health Monitoring Report.
>> If there is a need for a large number of concurrent checks, Radware recommends using
Health Monitoring instead of Connectivity checks.
This table describes parameters to configure the Connectivity Methods.
Parameter
Description
Connectivity Check Port Specific port where to conduct connectivity check. It can be TCP or UDP,
depending on Connectivity Method selected.
Note: When the Connectivity Method is HTTP Page, a TCP port is
checked.
Values: FTP, HTTP (default), SMTP, DNS, NNTP, HTTPS, RTSP, RADIUS, or
any port number you enter manually. For example, HTTP automatically
checks port 80.
Connectivity Interval
Connectivity Retries
353
2.
3.
AppDirector sends a FIN-ACK packet to the server, completing the TCP 3 way handshake and
requesting to terminate the connection.
4.
5.
Note: Configurations established in the Advanced Settings window apply to all AppDirector
farms that use the TCP Port connectivity check method.
6.
To enable the user-defined timeout for the connectivity check specified in the Connectivity
Interval parameter (even after a TCP check failure), select Timeout After TCP Failure.
Note: A server is active only when no answer is received from the server during attempts to
connect using the UDP protocol, AND AppDirector receives a successful ping reply.
354
Parameter
Description
Farm
Response Threshold
Using Farm connectivity checks with HTTP Page check, the Response Threshold parameter defines
the number of milliseconds the server has to reply to the GET command. When the server's reply
takes longer, the status of the logical server is set to No New Sessions. The default is 0.
355
356
357
The Bandwidth Management module includes a feature set that allows you to have full control over
the available bandwidth. Using these features, applications can be prioritized according to a wide
array of criteria, while taking the bandwidth used by each application into account. For example,
Bandwidth Management allows you to give HTTP traffic a higher priority than SMTP traffic, which in
turn, may have higher priority than FTP traffic. The Bandwidth Management solution can also track
the total bandwidth used by each application, ensuring a guaranteed bandwidth for certain
applications and setting limits for each classified traffic pattern.
AppDirectors Bandwidth Management capability allows you to define policies that restrict or
maintain the bandwidth that can be sent or received by each application, user, or segment.
Controlling the maximal bandwidth of corporate resources that DoS attacks can consume limits the
attack spread, ensuring that other mission critical operations continue to enjoy the bandwidth and
service level required to guarantee smooth business operation. Carriers can also ensure that a
customer's Service License Agreement (SLA) is not compromised due to a DoS attack launched by
another customer.
Using the Bandwidth Management module, Radware devices classify traffic according to pre-defined
criteria and enforce a set of actions on that traffic. A comprehensive set of user-configurable policies
controls how the device identifies and acts upon each packet.
There are 4 major components in the system: the classifier, the queues, the scheduler and the Policy
Database.
358
Classifier
The packet first flows into the system through the classifier. Its the classifiers duty to decide what
to do with the packet. A very comprehensive set of user-configurable policies that make up the
policy database control how the classifier identifies each packet and what it does with each packet.
When the classifier sees the packet, it can do one of three things:
Discards the packet - This allows the Bandwidth Management module to provide packet
filtering. If configured, a reset packet is sent to the server and/or the client.
Forwards the packet in real time - This means the packet bypasses the entire bandwidth
management system and is immediately forwarded by the device. The end result is effectively
the same as if bandwidth management was not enabled.
How the classifier treats the packet is governed by the policy that best matches the packet. If the
classifier prioritizes the packet it places it into a queue, which. then gets a priority from 0-7, with 0
being the highest priority and 7 the lowest. Each policy gets its own queue. So, the number of
queues is equal to the number of policies in the policy database, but each queue is labeled with one
of the 8 priorities 0- 7. This means that there could be 100 queues (if there are 100 policies), with
each queue having a label from 0- 7.
Scheduler Algorithm
The scheduler takes packets from the queues and forwards them. The scheduler operates through
one of two algorithms: Cyclic and CBQ (Class Based Queuing).
With the Cyclic algorithm, the scheduler gives each priority a preference ratio of 2:1 over the
immediately adjacent lower priority. In other words, a 0 queue has twice the priority of a 1 queue,
which has twice the priority of a 2 queue, etc. The scheduler systematically goes through queues of
the same priority when it is time to forward a packet with this priority. The queues with the highest
priorities are emptied before lower priority queues. A ratio of 2:1 ensures that a queue is not
starved.
The CBQ algorithm has the same packet-forwarding pattern as the Cyclic algorithm, with one
significant difference. The CBQ algorithm is aware of a predefined bandwidth configured per policy.
Each policy can be configured with a guaranteed bandwidth and a maximum bandwidth (see
Guaranteed Bandwidth, page 362).
Application Classification
Application Classification is defined as Per Packet or Per Session. If it is defined as Per Packet, the
device classifies each packet that flows through it. In this mode, every packet must be individually
classified.
If the Application Classification is defined as Per Session, all packets are classified by session. An
intricate algorithm is used to classify all packets in a session until a best fit policy is found. Once
the session is classified, all packets belonging to the same session are given the same classification,
allowing the classifier to classify sessions rather than every single packet.
Classification Mode
The following classification modes are available:
Policies: The device classifies each packet or session by matching it to policies configured by
the user.
Diffserv: The device classifies packets only by the DSCP (Differentiated Services Code Point)
value.
ToS: The device classifies packets only by the ToS (Type of Service) bit value.
359
Bandwidth Borrowing
if the scheduler is operating through the CBQ algorithm, it can forward packets from queues,
considering the maximum bandwidth configured by that queues policy. If borrowing is enabled and
the scheduler visits a queue whose bandwidth has been exceeded (or is about to be exceeded), then
the scheduler will see if any other policy has left over bandwidth. If such a policy is found,
bandwidth is borrowed from that policy and allocated to the policy whose bandwidth limit was about
to be violated. This allows a scheduling scheme where available bandwidth can be used from other
queues, if the queue in question has exceeded its configured limit.
Borrowing can be enabled when the scheduler operates through the CBQ algorithm. If enabled, the
scheduler can borrow bandwidth from queues that can spare it, to forward packets from queues that
have exceeded (or are about to exceed) their allotted amount of bandwidth
Global RED - Global RED monitors the capacity of all the queues (i.e., the global set of queues),
and randomly discards TCP packets before the classifier sees them.
Weighted RED (WRED) - The RED algorithm checks the priority of the queue (instead of all the
packets in the queues), before deciding whether or not packets get dropped.
Maximum Bandwidth
Each policy in the policy database can be configured with its own maximum allowed bandwidth.
Aside from per-policy configurations, the device can also be configured with a global bandwidth
limit. This is the bandwidth limit for the entire device, regardless of individual policy configurations.
This limit is the sum of per-physical-port maximum bandwidth configuration. Each physical port for
the device can be configured with its own maximum allotted bandwidth, the sum of which will make
up the global device bandwidth limit. Note that if borrowing is enabled, bandwidth can not be
borrowed beyond the configured maximum bandwidth.
360
Default Policy - The last policy in the policy database is the default policy. All traffic that is not
matched by the user defined policy is matched by the default policy. By default, the default
policy forward traffic is assigned a priority 4.
Source: Defines the source of traffic. This can be a specific IP address or a network. A network
is a collection of ranges and/or subnets. Configure the networks; the default value is any,
covering traffic from any source.
Destination: Defines the destination of the traffic. Can be specific IPs, a range of IP addresses,
or IP subnet addresses. The default value is any, which covers traffic to any destination.
Note: To limit or block access to the device's interface, type the IP address of the interface in
the Destination box.
Direction: Defines traffic direction. Setting direction to "one way" enables asymmetric
Bandwidth Management. When a policy is set to "one way", the classifier searches for traffic in
one direction only and the device classifies only traffic in one direction; return traffic is not
classified. When a policy is set to "two way", the classifier searches for traffic in both directions
and the device replaces Source and Destination IP addresses and ports (if the policy is a Layer 4
or Layer 7) of the return traffic.
Service: Defines the traffic type. The Service configured per policy allows the policy to consider
other aspects of the packet, such as protocol (IP/TCP/UDP), TCP/UDP port numbers, bit patterns
at any offset in the packet, and content (such as URLs or Cookies) deep in the upper layers of
the packet. The default value is none, which covers all protocols.
Inbound Physical Port Group: Classifies only traffic received on physical interfaces of the
device. It enables you to set different policies on identical traffic classes received on different
interfaces of the device.
VLAN Tag Group: Defines VLAN traffic classification according to VLAN ID tags.
Traffic Flow Identification: Defines what type of traffic flow is limited via this policy. The
available options are:
361
Cookie Field Identifier (string that identifies the cookie field with the that value used to
determine the different traffic flows)
Note: This is required only when Traffic Flow Identification is set to SessionCookie. In such a
case, the BWM classifier searches for the Cookie Field Identifier followed by = and
classifies flows according to the value.
Classification Point: In the nature of Traffic Redirection and Load Balancing decisions, the
device has to modify packets when it forwards the packets to and from the servers. In
AppDirector for example, client's traffic is destined to the Layer 4 Policy VIP, but the AppDirector
makes a Load Balancing decision and forwards the packet to the selected server, it has to
change the destination IP address to the server's real IP address. On LinkProof, clients use their
own IP addresses and after LinkProof forwards the traffic to the NHR, it uses the SmartNAT and
changes the source IP address. Bandwidth Management allows administrators to select at which
point in the traffic flow the classification is performed: before modifying the packet or after the
modification.
Action
The action determines the access given to traffic. Possible values include:
Forward: The connection is accepted and traffic is forwarded to its destination. This is the
default value.
Block and Reset: All packets are dropped. In TCP traffic, an RST packet is sent to the client.
Block and Bi-directional Reset: All packets are dropped. In TCP traffic, an RST packet is sent
to both the client and the server.
Priority
If the action associated with the policy is forward, the packet is classified according to the
configured priority. There are nine options available; real time forwarding, and priorities 0 through
7.
Guaranteed Bandwidth
If the scheduler is configured to use the CBQ algorithm, the policy can be assigned a minimum
(guaranteed) bandwidth. The scheduler does not allow classified packets to exceed this allotted
bandwidth, unless borrowing is enabled. Note that the maximum bandwidth configured for the
entire device, as described above, overrides per-policy bandwidth configurations. In other words,
the sum of the guaranteed bandwidth for all the policies cannot be higher than the total device
bandwidth.
362
Maximum Limit
Borrowing can be enabled when the scheduler operates through the CBQ algorithm. If enabled, the
scheduler can borrow bandwidth from other queues, to forward packets from queues that have
exceeded, or are about to exceed, their allotted amount of bandwidth. Guaranteed Bandwidth and
Maximum Limit with the following values cause bandwidth allotted to a policy to act as follows:
Guaranteed
Bandwidth
Maximum
Bandwidth
Policy Bandwidth
No Minimum
No Minimum
No Minimum
No Minimum
Y (Y>X)
Non-burstable, X guaranteed.
Policy Group
You can define several bandwidth borrowing domains on a device by organizing policies in groups.
Bandwidth that is not utilized by a specific policy in a group is allocated proportionally to the other
policies. Allowing policies to borrow from each other prevents starvation and utilizes the bandwidth
more efficiently. Only policies within the same group can share bandwidth.
The total bandwidth available for a policy group is the sum of the Guaranteed Bandwidth values of
all the policies in the group. Also see Viewing Active Policy Groups, page 368.
Note: Not available when Traffic Flow Identification is set to Session or Full Layer 4 Session.
363
Packet Marking
Packet Marking refers to Differentiated Services Code Point (DSCP) or Diffserv. It enables the device
to mark the matched packet with a range of bits.
Activation/Inactivation Schedule
Some policies in a network remain inactive during specific hours of the day and are activated during
others. For example, an enterprise may give high priority to mail traffic between 08:00 - 10:00. You
can schedule the activation and inactivation of specific Bandwidth Management policies using the
Event Scheduler, which can then be attached to a policy's configurations. "Events" define the date
and time in which an action must be performed.
Note: Full functionality of the Bandwidth Management module is only available with a SynApps
license.
The BWM Global Parameters window specifies the BWM functionality of the device.
364
Parameter
Description
Classification Mode
Select from:
Disable: No classification. BWM management feature is disabled.
Policies: The device classifies each packet or session by matching it
to policies configured by the user.
Diffserv: The device classifies packets only by the DSCP
(Differentiated Services Code Point) value.
ToS: The device classifies packets only by the ToS (Type of Service)
bit value.
Note: After changing Classification Mode, device needs a reboot.
Scheduling
Algorithms
The scheduler forwards packets from the queues. The scheduler operates
through one of two algorithms: WRR (Weighted Round Robin) and CBQ
(Class Based Queuing).
WRR (Weighted Round Robin) - the scheduler gives each priority
a preference ratio of 2:1 over the immediately adjacent lower
priority. A 0 queue has twice the priority of a 1 queue, which has
twice the priority of a 2 queue, etc. The scheduler systematically
goes through same priority queues when it is time to forward a
packet with this priority.
CBQ (Class Based Queuing) - has the same packet-forwarding
pattern as WRR, with one significant difference. CBQ is aware of the
predefined bandwidth configured per policy. As policies are
configured, they can be given a guaranteed minimum and a
maximum allotted bandwidth, in Kbps.
Note: Unless CBQ is used, policies cannot be configured with an
associated bandwidth allocation.
Random Early
Detection (RED)
Queue Size
The number of packets in each BWM queue. There is 1 queue per each
traffic shaping policy.
Default: 128
Dynamic Borrowing
(checkbox)
365
Parameter
Description
Time, in seconds, a non-active traffic flow is kept in the flow table used by
the Bandwidth Management module.
When Application Classification mode is set to Per Session and one of the
policies is configured to search for content, this parameter displays
maximum number of packets that the device searches through for the
configured content.
If the device cannot find the content after searching the number of
packets defined in the parameter, the device will stop searching.
Values: 0 (Disabled - the device will search for the content in all the
packets belonging to the session) - 100.
Default:5
3.
From the BWM menu, select View Active Policies. The Active Policies Table window appears.
2.
From the Active Policies Table window, select the policy you wish to view. The table displays the
parameters of the active policy.
Parameter
Description
Name
Index
Destination
366
Source
Action
Direction
Priority
Priority attached to the packet by which it is forwarded is either Realtime or a value of 0-7, 7 being the lowest priority. Priority is only
applicable if the action is forward.
Policy Type
Description
Parameter
Description
Guaranteed
Bandwidth
Maximum Bandwidth
Service Type
Service
Name of the service required for this policy, based on the Service Type.
Packet Marking
Reporting
User set policies for identical traffic classes that are received on
different interfaces of the device. For example, the user can allow
HTTP access to the main server only to traffic entering the device via
physical interface 3. This provides greater flexibility in configuration.
From dropdown list, select name of tag group that you want to use.
Policy Group
Parameter
Description
Name
Classification Point
Traffic Flow
Identification
Defines what type of traffic flow we are going to limit via this policy. The
available options are:
Client (source IP).
Session (source IP and port).
Connection (source IP and destination IP).
FullL4Session (source and destination IP and port).
SessionCookie (must configure cookie identifier).
Traffic Flow Max BW Maximum bandwidth in Kbps allowed per traffic flow.
(Kbps)
Max Concurrent
Sessions
367
Parameter
Description
When the Traffic Flow Max BW parameter is configured, and the Traffic
Flow Identification parameter is set to Session Cookie, the device can
track and limit the number of requests, such as HTTP GET or Post or
HEAD per Cookie.
Cookie Field
Identifier
String that identifies the cookie field whose value must be used to
determine the different traffic flows.
Note: This is required only when Traffic Flow Identification is set to
SessionCookie. When Traffic Flow Identification is set to
SessionCookie, the BWM classifier searches for the Cookie Field
Identifier followed by = and classifies flows according to the
value.
Policy Group
Inactivation
Schedule
Parameter
Description
Name
Modify Policies
You can add, modify and delete policies in the Modify Policies Table window, according to your
requirements. In addition, you can edit the default policy of the device. A default policy exists, which
can be matched to any traffic that does not match a user-defined policy. You can change the action
and the priority of the default policy only.
From the BWM menu, select Modify Policies. The Modify Policies Table window appears.
2.
3.
368
Parameter
Description
Name
Index
Source
Parameter
Description
Destination
Direction
Action
Priority (SynApps
only)
Policy Type
Guaranteed
Bandwidth (SynApps
only)
The defined bandwidth limitation for packets matching this policy. This
option is used in conjunction with CBQ, not WWR.
Service
Name of the service required for this policy, based on the Service Type.
Service Type
Description
Operational Status
Packet Marking
(SynApps only)
Reporting
Maximum Bandwidth
(SynApps)
Inbound Physical Port User set policies for identical traffic classes that are received on
Group
different interfaces of the device. For example, the user can allow HTTP
access to the main server only to traffic entering the device via
physical interface 3. This provides greater flexibility in configuration.
VLAN Tag Group
From dropdown list, select name of the tag group that you want to use.
Policy Group
369
Note: For all the policies that are associated with a policy group the Guaranteed Bandwidth
parameter must be set to a value greater than 0 and Borrowing Limit parameter to 0.
The Dynamic Borrowing global parameter must be enabled.
From the Bandwidth Management menu, select Modify > Policy Groups. The Modify Policy
Group Table window appears.
2.
Click Create. The Modify Policy Group Table Create window appears.
3.
In the Name text box, type the name of the new Policy Group and click Set. The new policy
group appears in the Modify Policy Group Table window and the Active Policy Group Table.
4.
Parameter
Description
Name
Index
Source
Destination
Direction
Action
Priority (SynApps
only)
Priority attached to the packet by which it is forwarded is either Realtime or a value of 0-7, 7 being the lowest priority. Priority is only
applicable if the action is forward.
Policy Type
Guaranteed
Bandwidth (SynApps
only)
Service
Name of the service required for this policy, based on the Service Type.
Service Type
Description
Operational Status
Packet Marking
(SynApps only)
370
Parameter
Description
Reporting
Maximum Bandwidth
(SynApps)
Inbound Physical Port User set policies for identical traffic classes that are received on
Group
different interfaces of the device. For example, the user can allow HTTP
access to the main server only to traffic entering the device via physical
interface 3. This provides greater flexibility in configuration.
VLAN Tag Group
From dropdown list, select name of the tag group that you want to use.
Policy Group
To delete policies
1. From the Modify Policies Table window, select the policy you require to delete.
2. Click Delete. The policy is deleted.
Parameter
Description
Name
Classification Point
Traffic Flow
Identification
Defines what type of traffic flow we are going to limit via this policy. The
available options are:
Client (source IP).
Session (source IP and port).
Connection (source IP and destination IP).
FullL4Session (source and destination IP and port).
SessionCookie (must configure cookie identifier).
Traffic Flow Max BW Maximum bandwidth in Kbps allowed per traffic flow.
(Kbps)
371
Parameter
Description
Max Concurrent
Sessions
When the Traffic Flow Max BW parameter is configured, and the Traffic
Flow Identification parameter is set to Session Cookie, the device can
track and limit the number of requests, such as HTTP GET or Post or
HEAD per Cookie.
Cookie Field
Identifier
String that identifies the cookie field whose value must be used to
determine the different traffic flows.
Note: This option is not available if the Traffic Flow Identifier is set to
Session or FullL4Session.
3.
Policy Group
Inactivation
Schedule
From the BWM or Classes menu, select Update Policies. The Activate Latest Changes window
appears.
2.
Configuring Networks
The Bandwidth Management module allows multiple Networks to have the same configured name.
This allows a Network with the name net1 to encompass multiple, disjointed IP address ranges.
This makes the Network name a logical pointer to all ranges configured with that name and further
facilitates the configuration and management of the system. You can view active networks, and
configure new ones. You can define networks used by the device (active) and you can define
networks kept in a separate database until they are required (inactive). You can add, modify and
delete these networks according to your requirements.
372
Parameter
Description
Name
Sub Index
Unique index number of the subnet. Each network can have several
subnets. Sub Indexes for the subnets within the same network must be
unique.
Address
Mask
From IP
To IP
Mode
Note: To simplify configuration, a network can consist of a combination of network subnets and
ranges. For example:
>> Range = 176.200.100.0: 176.200.100.255
>> Subnet = 172.0.0.0: 255.0.0.0
To edit a network
1. From the Modify Network Table window, select the network you require to edit. The Modify
Network Table Update window appears.
2. Adjust the values of the appropriate fields.
373
To delete networks
1.
From the Modify Network Table window, select the network you want to delete.
2.
Services
Services can be configured within the Bandwidth Management system and are configured separately
from policies. As each policy is configured, it can be associated with a configured Service. The
Service associated with a policy in the policy database can be a basic filter, an advanced filter or a
filter group.
Basic Filters
A basic filter has the following components:
Protocol: The specific protocol that the packet carries. The possible choices are IP, TCP, UDP,
ICMP, and Other. If the protocol is configured as IP, all IP packets (including TCP and UDP) are
considered. When configuring TCP or UDP protocol, some additional parameters are also
available:
Destination Port (From-To) - Destination port number for the protocol. For example, for
HTTP, the protocol is configured as TCP and the Destination port as 80. The port
configuration can also allow for a range of ports to be configured.
Source Port (From-To) - Similar to the Destination port; the Source port that a packet
carries to match the filter.
Offset Mask Pattern Condition (OMPC): The OMPC is a condition where any bit pattern can be
located for a match at any offset in the packet. This helps to locate specific bits in the IP header.
You do not have to configure an OMPC per filter. However, when an OMPC is configured, the
packet needs to match the configured protocol (and Source/Destination ports) AND the OMPC.
Content
When the protocol configured is TCP or UDP, you can search for any text string in the packet. Similar
to an OMPC, a text pattern can be searched for at any offset in the packet. HTTP URLs are perfect
examples of how a text search can help in classifying a session.
The service editor allows you to choose between multiple types of configurable content: URL, host
name, HTTP header field, Cookie, mail domain, mail to, mail from, mail subject, file type, regular
expression and text. For example, when the content type is URL, then the session is assumed to be
HTTP with a GET, HEAD, or POST method. The classifier searches the URL following the GET/HEAD/
POST to find a match for the configured text. In this case, the configured offset is meaningless since
the GET/HEAD/POST is in a fixed location in the HTTP header. If the content type is text, then the
entire packet is searched for the content text, starting at the configured offset. By allowing a filter to
take the content of a packet/session into account, the classifier can recognize and classify a wider
array of packets and sessions.
Like OMPCs, content rules are not mandatory to configure. However, when a content rule exists in
the filter, the packet needs to match the configured protocol (and ports), OMPC (if one exists) AND
the content rule.
374
Pre-Defined Filters
This table lists pre-defined Bandwidth Management filters for each service.
Table 6:
Service Name
Description
Filter
Name
ERP/CRM
sap
Basic
Database
mssql
Group
mssql-monitor
Basic
mssql-server
Basic
oracle
Group
oracle-v1
Basic
oracle-v2
Basic
oracle-server 1
Basic
oracle-server2
Basic
oracle-server3
Basic
Group
Basic
citrix-rtmp
Citrix RTMP
Basic
citrix-rtmp
Citrix RTMP
Basic
citrix-ima
Basic
citrix-ma-client
Citrix MA Client
Basic
citrix-admin
Citrix Admin
Basic
p2p
Peer-2-Peer applications
Group
edonkey
Basic
gnutella
Basic
fasttrack
Basic
Kaaza
Basic
Peer-to-Peer
Internet
dns
ftp-session
Basic
http
Web traffic
Basic
http-alt
Basic
https
Basic
icmp
Basic
375
Table 6:
Service Name
Description
ip
IP traffic
nntp
Filter
Name
Basic
telnet
tftp
Basic
udp
Basic
Instant Messaging
aol-msg
Basic
icq
ICQ
Basic
msn-msg
Basic
yahoo-msg
Yahoo Messenger
Group
yahoo-msg1
Basic
yahoo-msg2
Basic
yahoo-msg3
Basic
Email
mail
Group
smtp
Basic
imap
Basic
pop3
Basic
Basic Filters
The Active Basic Filters window allows you to view the basic filters of the active services.
From the Classes menu select Modify Services > Basic Filters. The Active Basic Filters
window appears.
2.
Select the required name. The Active Basic Filters Update window appears with these read-only
parameters.
Parameter
Description
Name
Protocol
Last port in the range of destination ports for UDP and TCP traffic only.
Values: 0 (default) - 65535.
Defined value must be greater than Destination Port Range: From
value.
376
Parameter
Description
Last port in the range of source ports for UDP and TCP traffic only.
Values: 0 (default) - 65535.
Defined value must be greater than the Source Port Range: From
value.
OMPC Offset
OMPC Mask
OMPC Pattern
Fixed size pattern within the packet that OMPC rule attempts to find.
Values: a combination of hexadecimal numbers (0-9, a-f). The value
must be defined according to the OMPC Length parameter.
OMPC Pattern parameter definition must contain 8 symbols. If the
OMPC Length value is lower than fourBytes, you need complete it with
zeros.
For example, if OMPC Length is twoBytes, OMPC Pattern can
be:abcd0000.
Default: 00000000.
OMPC Condition
OMPC Length
Content Offset
Content
377
Parameter
Description
Content Type
Enables you to search for a specific content type from these values:
N/A (Default)
URL: In the HTTP Request URI
Host Name: In the HTTP Header
Text: Anywhere in the packet
HTTP Header Field: In the HTTP Header
Mail Domain: In the SMTP Header
Mail To: In the SMTP Header
Mail From: In the SMTP Header
Mail Subject: In the SMTP Header
Regular Expression: Anywhere in the packet
Header Type: HTTP Header field. The "Content" field includes the
header field name, and the "Content data" field includes the field
value
File Type: Type of requested file in the http GET command (jpg,
exe etc.)
Cookie Data: HTTP cookie field. The "content" field includes the
cookie name, and the "content data" field includes the cookie
value.
Filter Type
Content Data
Content Encoding
Content Data Encoding Application Security can search for content in languages other than
English, for case sensitive/insensitive text and hexadecimal strings.
Values:
None (Default)
Case Insensitive
Case Sensitive
HEX
International
Description
378
Note: If you edit the parameters of the filter, which is bound to the existing policy, you need to
activate the latest changes
Parameter
Description
Note: If you edit the parameters of the advanced filter, which is bound to the existing policy,
you need to activate the latest changes.
379
From the menu select Classes > Modify > Services > OR Groups. The Modify OR Groups
Table window appears.
2.
3.
Parameter
Description
OR Group Name
Filter Type
Basic: The basic building block of a Service is a basic filter which is made
up of the following components:
Protocol:
Destination Port (From-To)
Source Port (From-To)
Offset Mask Pattern Condition (OMPC)
Content
AND Group: Combination of basic filters with a logical AND between them.
Note: A Filter Group is a combination of basic filters and/or advanced
filters with a logical OR between them. To continue the example
above, filter group FG1 can be defined as FG1 = {AF1 OR F4 OR
F6}
Filter Name
4.
380
Parameter
Description
Name
From Port
To Port
Group Type
4. For Updating, in the Modify Application Port Groups Table window, click on the application name.
The Modify Appl. Port Groups Table Update window appears
5. Click Set. Your configuration is set.
Parameter
Description
Name
From Port
381
382
To Port
Group Type
Parameter
Description
Group Name
Inbound Port
Inbound port for this group. Values can be a port number or Any.
Parameter
Description
Group Name
VLAN Tag
Group Mode
Mode of the group that you want to define is Discrete if you define a
single VLAN Tag number, OR Range if you define range of the group.
383
Note: This feature is applicable only when the 802.1q parameter is set to Enabled.
Classifications performed according to the tag of the received packet
From the Classes menu select View Active > VLAN Tag Groups. The Modify VLAN Tag Groups
Table window appears
2.
3.
Parameter
Description
Group Name
VLAN Tag
Group Mode
Mode of group that you want to define is Discrete if you define a single
VLAN Tag number, OR Range if you define range of the group.
MAC Groups
From the Classes menu select Modify > MAC Groups. The Modify MAC Address Groups Table
appears.
2.
Click Create. The Modify MAC Address Groups Table Create window appears.
3.
4.
Parameter
Description
Group Name
MAC Address
Protocol Discovery
This describes the Protocol Discovery feature that allows you to recognize different applications
running on your network by creating Protocol Discovery Policies.
To use the Bandwidth Management module optimally, network administrators must be aware of the
different applications running on their networks and the amount of bandwidth they consume. The
Protocol Discovery feature provides a full view of the different protocols running on the network.
This feature can be activated on the entire network or on separate sub-networks by defining
Protocol Discovery policies.
384
Source: Defines the source of traffic. It can be a specific IP address or a network. A network is
a collection of ranges and/or subnets. Configure the Networks; the default value is any, which
covers traffic from any source.
Destination: Defines the traffic destination. It can be specific IPs, a range of IP addresses, or
an IP subnet address. The default value is any, which covers traffic to any destination.
Source MAC Address Group: Views applications and protocols present in the traffic sent by a
transparent network device (firewall, router).
Destination MAC Group: Views applications and protocols present in the traffic sent to a
transparent network device (firewall, router).
Inbound Physical Port Group: Classifies only traffic received on certain interfaces of the
device. Enables you to set different policies for identical traffic classes that are received on
different device interfaces.
VLAN Tag Group: Defines VLAN traffic classification according to VLAN ID tags.
Classification Point: Defines the point where traffic redirection occurs. The device modifies
packets by changing the Destination IP from the Virtual IP to the servers real IP address. The
traffic can be classified as before packet changes, or after packet changes, After Changes.
Direction: Defines the direction of the traffic. It can be One Way (from Source to Destination)
or Two Way.
Operational Status: Determines whether Policy is active or not. Select from Active or Inactive.
Interface Classification
This describes the process of interface classification, which enhances Bandwidth performance
Parameter
Description
Port Index
Port number.
385
From the BWM menu select Miscellaneous > Cancel Classification Per Port. The Cancel
Classification Per Port window appears.
2.
Parameter
Description
Inbound Port
Outbound Port
Direction
3.
From the Classes menu, select Modify Appl Port Groups. The Modify Appl. Port Groups Table
window appears.
2.
Click Create. The Modify Appl. Port Groups Table Create window appears.
3.
386
Parameter
Description
Name
From Port
To Port
Group Type
Notes:
>> To define a group with a single port, set the same value for the From Port and To Port
parameters.
>> To associate a number of ranges with the same port group, use the same group name
for all the ranges that you want to include in one group.
4. Click Set. Your preferences are recorded.
Parameter
Description
Group Name
MAC Address
387
From the Classes menu select View Active VLAN tag Groups. The Active VLAN Tags Table
window appears.
2.
Select a group name. The Active VLAN Tags Table Update window appears which contains the
following read-only parameters.
Parameter
Description
Group Name
VLAN Tag
Lowest value in the range of VLAN Tags that you want to define.
Highest value in the range of VLAN Tags that you want to define.
Group Mode
Note: This is applicable only when the 802.1q parameter is set to Enabled. Classifications
performed according to the tag of the received packet.
From the Classes menu, select Modify Port Groups. The Modify Physical Port Groups Table
window appears.
2.
Select a group name. The Modify Physical Port Groups Table Update window appears.
388
Parameter
Description
Group Name
Inbound Port
Inbound port for this group. Values can be a port number or Any.
389
389
Standard Acceleration
TCP Splitting is the ability to maintain open concurrent connections opposite all servers providing
Diameter or LDAP services, while a single connection was opened by the client. It is important to
improve TCP throughput due to the many applications that use TCP. A performance characteristic of
TCP is that the rate at which its window size increases is inversely proportional to the average round
trip time (RTT), and the average window size is directly related to the throughput. Thus, reducing
the RTT between connection endpoints can increase the window size faster, resulting in increased
throughput.
An intuitive way to reduce the effective RTT of a direct TCP connection between any two hosts is to
split that connection into multiple pipelined sub-connections so that each sub-connection has a
lower RTT than the direct connection. In addition to increasing throughput, TCP Splitting can also
route around failures and discover paths that are better than the direct path. This not only improves
the connection throughput but also improve the reliability and quality of paths between endpoints.
From the AppDirector menu, select Servers > Application Servers > TCP SplittingTable.
The Application Server TCP Splitting Table window is displayed.
2.
Select a server to edit. Click Create. The Application Server TCP Splitting Update Table Create
window is displayed.
3.
4.
390
Parameter
Description
Farm Name
Server Address
Server Port
Tunnel ID
Standard Acceleration
Dynamic load balancing protects ISP networks from sudden congestion caused by load spikes or link
failures. Dynamic load balancing protocols, however, require schemes for splitting traffic across
multiple paths at a fine granularity. Current splitting schemes present a tussle between slicing
granularity and packet reordering. Splitting traffic at the granularity of packets quickly and
accurately assigns the desired traffic share to each path, but can reorder packets within a TCP flow,
confusing TCP congestion control.
Splitting traffic at the granularity of a flow avoids packet reordering but may overshoot the desired
shares by up to 60% in dynamic environments, resulting in low end-to-end network throughput.
The TCP Splitting table defines for AppDirector which backend servers provide the service that this
AppXcel farm must perform TCP Splitting for, so that AppDirector knows which backend servers to
configure on the AppXcel devices in this farm.
An entry in this table is configured by selecting a Layer 4 policy from a drop-down list. The dropdown list only displays Layer 4 policies that meet the following conditions:
In the farm associated with the policy: the Transparent Server Support parameter is set to TCP
Splitting.
Once a Layer 4 policy is configured in the TCP Splitting table of a Front-End AppXcel farm, the Layer
4 policy parameters that are subjected to the conditions above (Layer 4 Protocol and Layer 4 Port,
Farm Name) and the Transparent Server Support parameter of the Layer 4 policy farm, cannot be
changed to values that do not meet the above conditions.
See also Application Server TCP Splitting, page 390.
Parameter
Description
Front-End AppXcel
Farm Name
Backend L4 Policy
Name
391
Multihoming
This section explains AppDirector Multihoming capability as a solution to load balancing between
servers and routers of different ISPs and includes the following topics:
The AppDirector Multihoming solution is intended for networks in which AppDirector is connected to
multiple ISPs.
Using Multihoming, AppDirector can simultaneously use multiple ISPs for inbound traffic. To achieve
multihoming AppDirector uses the ability to configure a default router per Virtual IP Next Hop
Router, (VIP NHR) and to redirect to self.
To ensure ISP persistency for HTTP transactions (all the sessions related to a HTTP transaction are
processed via the same ISP) it is recommended to use Insert Cookie for HTTP persistency capability.
This capability must be enabled for all farms involved in the process. Here, AppDirector will ensure
ISP persistency automatically.
Router 1
Router 2
Router 3
AppDirector
VIP1
VIP3
VIP2
Farm 1
Farm 2
Router 1
Farm 3
Router 2
Router 3
AppDirector
VIP1
Farm 1
392
VIP2
Farm 2
VIP3
Farm 3
DNS answers.
Triangulated packets.
Note: Static routes cannot be configured per Virtual IP, only the default router can be
configured individually for each Virtual IP. Specific static routes are configured globally
for the device and take precedence over the default route.
You can set a backup default router for AppDirector. This enables using a backup router for traffic
generated by AppDirector that is not farm-related, such as ping, SNMP, or DNS requests, and for
traffic related to farms that do not have a default router configured.
Note: The VIP NHR table is enabled only when the packet is destined for the default gateway
of the box but because of the static route, the packet was not destined for the default
gateway so in these instances the VIP NHR table is not enabled. The NHR per VIP
feature works only for traffic that matches the device's default gateway.
393
Parameter
Description
NHR IP Address
Administrative Status
Enabled
Check Method
AppDirector pings the remote IP via the specified router to make sure
the router is healthy and connected to its uplink. If a Path Health Check
fails, the relevant router is considered Not in Service.
Default: 0.0.0.0
Check Interval
Check Retries
Note: When the Health Check of the router is disabled, AppDirector still checks the health of
the router by sending ARPs to the router's MAC address.
Once the general NHR parameters are defined, you can set up the VIP NHR table parameters. For
each Virtual IP, you can configure a default router and a backup router, as shown here.
Parameter
Description
VIP Address
NHR Weight
394
Parameter
Description
No Route Action
If both routers set for a VIP are down, AppDirector behaves as follows:
Discard: Discards the packet.
Use Regular Routing (Default): Uses the Routing Table.
When a default router and a backup router are configured, you can send outgoing traffic through
both NHRs simultaneously. AppDirector performs load sharing between the NHRs of the traffic that
arrives from the farms, using Hashing on the Source and Destination IP addresses. This ensures that
each session uses a single NHR.
Note: When a server participates in multiple farms, each with a different NHR, AppDirector
makes sure to use a NAT address, which is a VIP address that has an active NHR. This
means AppDirector keeps a list of up to three VIPs to which a server belongs. When a
NAT address for the server is needed, AppDirector uses only VIPs with an active NHR.
395
ISP 2
Router 1
Router 2
201.1.1.20
202.2.2.20
201.1.1.1
Port 1
202.2.2.10
AppDirector
VIP: 201.1.1.10
VIP: 202.2.2.10
Port 2
10.1.1.10
Server 1
10.1.1.1
Server 2
10.1.1.2
Properties:
396
Note: This configuration requires the NHR per VIP feature (see Default Router Per Virtual IP,
page 393).
397
ISP 1
Router 1
Router 2
201.1.1.20
202.2.2.20
201.1.1.10
202.2.2.10
Port 1
AppDirector
VIP: 202.2.2.10
VIP: 201.1.1.10
Port 2
10.1.1.10
Server 2
Server 1
10.1.1.1
10.1.1.2
Properties
When a client accesses Farm 1, a server is selected in this farm, by the usual load balancing
considerations. If server Farm 2 is selected, then redirection takes place.
Using this configuration, the user achieves load balancing not only between the servers, but also
between the routers of the ISPs.
Segmentation
This section discusses the use of segmentation when working with AppDirector in the network and
includes the following topics:
Segmentation Overview
Segmentation involves dividing your network into logical segments, where a single AppDirector load
balances the traffic for all segments, but traffic between segments is always inspected by a external
inspection device (e.g. firewalls, anti-virus device etc.)
Using Segmentation, a single AppDirector device connects to multiple segments around the firewall
(see Figure 20 - Physical Port Segmentation, page 399). AppDirector forces the traffic originating in
one firewall segment and destined to a different segment to pass through the firewall. This also
applies when the Destination IP is a VIP of the Layer 4 Policy that resides on the same AppDirector
device.
398
Notes:
>> You have to attach the VIP to a "different segment" otherwise the traffic from the
"firewall segment" to a VIP in the default segment will be redirected to the "firewall"
segment NHR on the request path.
>> On the reply path the behavior will be according to the non-segment-action parameter.
Interface 2
DMZ2
VIP
Interface 1
10.10.10.2
20.20.20.2
10.10.10.1
20.20.20.
Interface 2
DMZ1
VIP 10.10.10.100
Interface 1
AppDirector
Segmentation can be configured using physical ports, as shown here. Physical switches ports that
connect computing devices (nodes) can be logically grouped together to form segmented virtual
LANs on the same physical switch. VLANs require switches that have managed Layer 2 switching
capabilities. Switches without management capabilities are usually not capable of implementing
VLANs.
Segmentation can also be configured using VLAN tags, as shown here.
Firewall
AppDirector
Tag 20
Tag 10
DMZ 2
VIP 2
DMZ 1
VIP 1
399
Default Segments
Physical ports, Trunks and 802.1q VLAN Tags that are not part of any segment are considered to be
members of a default segment.
No specific NHR is defined for the default segment, but the default gateway belongs to the default
segment.
Traffic from a client belonging to segment to a destination (the default segment for the server or
VIP) will be redirected via the segment NHR. However, the reply will be redirected according to the
Default Segment Operating Method.
Note: If you want to allow asymmetric routing, on an ODS 3 platform, the Session Table must
to be disabled in order for the traffic to be correctly routed.
Configuring Segmentation
1. Enable Segmentation and configure default segment behavior
2. Configure Segments and attach NHRs.
Notes:
>> AppDirector default gateway can only belong to the default segment.
>> Device management can only be performed via a port or VLAN tag that belongs to the
default segment.
400
Segmentation Configuration
Parameter
Description
Segmentation
Operating Method
Shared Ports
Default Segment
Operating Method
Physical ports, Trunks and 802.1q VLAN Tags that are not part of any
segment are considered to be members of a default segment. You can
configure the behavior of traffic from a port or tag that is not a member
of any segment and is destined to a port or tag that is a segment
member.
Select the Default Segment Operating Method, from one of these:
Forward (Handling without Segmentation): Forwards traffic to
destination (not via a firewall)- as if Segmentation was disabled.
Discard: Discards the traffic.
Default Gateway (Handling with Segmentation if necessary)(Default): Forwards the traffic to the AppDirector Default gateway
with Segmentation, if necessary.
Notes:
Traffic from a shared port to a VIP (Load balanced) or directly to a
server (Routing) will be sent directly.
Load balancing to a VIP and the selected server is on a shared port the shared port is unrelated in this scenario. Segmentation will
never occur between the VIP and the server's segment.
Segmentation conflict might happen here but this depends on the
client and VIP parameter.
401
Parameter
Description
Default Segment
Shared VIP
This shows segmentation prevention for sessions from the server to the
Layer 4 policy with this segment. When disabled, the segmentation will
not be honored.
Enables you to provide clients in any other segment direct access,
without passing via the firewall, to the Layer 4 policy VIPs belonging to
this segment.
Default: Disabled
Note: Segmentation is always applied to traffic from other segments
to IPs belonging to servers in this segment.
... next to Shared Ports. The Arguments for Port List window is displayed as shown here.
3.
Click
4.
5.
6.
Segment Table
The Segment Table allows you to create segments and associate physical ports, VLANs Trunks or
802.1q VLAN Tags to the segment. Sometimes you need to use a single AppDirector device to load
balance multiple farms, each located on a different segment around a firewall.
In such cases, AppDirector must ensure that all traffic between segments passes through the
firewall.
From the AppDirector menu select Segmentation > Segment Table. The View Filters window
is displayed.
2.
3.
402
Parameter
Description
Segment Name
Port List
Parameter
Description
Shared VIP
Backend
Segmentation
This defines the behavior when the Layer 4 policy (VIP) and server
providing service to this VIP belong to different segments.
Values:
Enabled (default): Performs segmentation (forward traffic to Layer
4 policy segment NHR).
Disabled: Forwards traffic directly to server.
4. Click
... next to Port List. The Arguments for Port List window is displayed as shown here.
Segmentation NHR
The Segmentation NHR Table is used to assign and update next hop routers to segments. A NHR
must be associated with each segment. Typically this would be the firewall interface of that
segment. When AppDirector receives traffic that cannot be handled due to segment conflicts (that
is, the segment over which traffic was received does not match the segment over which traffic
should be forwarded), AppDirector sends this traffic to the NHR of the receiving segment
Parameter
Description
Segment Name
NHR IP Address
Backup NHR IP
Address
403
Parameter
NHR Weight
Description
Configure a weight for each NHR.
Default: 1
Enabling NHR Load Sharing sends outgoing traffic through both NHRs
at the same time.
Default: Disabled
No Route Action
Allows you to configure AppDirector behavior when both the main and
backup NHRs are down.
Values:
Discard (default): Discards the traffic
Use Regular Routing: Sends traffic according to the regular route
4.
From the AppDirector menu select Segmentation > Segment NHR. The Segmentation NHR
window is displayed.
2.
Select the desired segment name. The Segment NHR Table Update window is displayed
3.
4.
The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating,
modifying and terminating sessions with one or more participants. These sessions include internet
telephone calls, multimedia distribution, and multimedia conferences. However, it can be used in any
application where session initiation is a requirement. SIP works with several other protocols and is
only involved in the signalling portion of a communication session. SIP acts as a carrier for the
Session Description Protocol (SDP), which describes the media content of a session, e.g. what IP
ports to use, the codec being used etc. All voice or video communications are performed over
separate session protocols, usually RTP.
404
Application specific health checks using the OPTIONS SIP method, see Health Checks Per Farm,
page 333.
Application-aware server persistency for SIP over UDP, see SIP Persistency, page 261.
Note: For SIP over TCP, AppDirector offers Layer 4 farm selection and server persistency, and
application specific health check
On each SIP server configure the loopback adapter with a SIP service VIP.
AppDirector will send the traffic to the loopback address of the selected server and the
server will use this address inside the SIP payload in the answer.
Note: The network configuration does not need to be Local Triangulation - response traffic can
return via AppDirector, (AppDirector must be the default gateway for the servers).
2. Define the SIP servers as Regular servers in AppDirector.
a.
b.
c.
On each SIP server, there is a physical IP interface. Configure a second IP interface using the
SIP service VIP. This can be configured on the physical adapter, a loopback adapter or a
virtual adapter.
Bind the SIP application to this interface, instead of the physical IP interface.
AppDirector sends traffic to the physical address of the server and the server will use this
address inside the SIP payload in the answer.
SIP sessions always load balance with servers per session, even if you define eps or regular Sessions
Mode on the farm.
405
Notes: Please note that when Outbound SIP traffic needs to be supported the following
requirements must be met:
>> Servers from which outbound traffic is sent can only belong to farms that are attached
to a SIP Layer 4 policy - to ensure a SIP service VIP is used as Server NAT.
>> If Layer 7 load balancing is used (for the inbound SIP Layer 4 policies), DSID must be
enabled for all the farms that belong to that Layer 7 policy.
406
:
We define a single-home SCTP association as a connection between two single IP addresses. A
multi-home SCTP association is a connection between multiple addresses. Both client and server can
supply additional addresses on top of the one that is carried in the L3 header.
The client sends the additional IP addresses in the INIT packet while the server sends the additional
IP addresses in the INIT-ACK packet.
When NAT is performed for SCTP the INIT and INIT-ACK packets should be updated and the SCTP
association should be supported.
Single-homed SCTP
Multi-homed SCTP
Single-homed SCTP
A single-home SCTP association is a connection between two single IP addresses.
To support single-homed Layer 4 load balancing, the following configuration is required in the Layer
4 policy:
407
Multi-homed SCTP
A multi-homed SCTP association is a connection between multiple addresses belonging to the same
entities. Both client and server can supply additional addresses on top of the one that is carried in
the L3 header.
The client sends the additional IP addresses in the INIT packet while the server sends the additional
IP addresses in the INIT-ACK packet.
To support multi-homed association for inbound traffic the following configuration is required:
A farm with one regular server and one backup server for each external link
The SCTP server answers with multiple internal IP addresses in the INIT-ACK message (a server IP
from each farm). AppDirector must NAT all addresses to their respective VIPs (VIP to each server is
associated).
Note: Sessions Mode Regular and Client NAT cannot be used for multi-homed SCTP
associations.
Outbound SCTP
For outbound SCTP traffic AppDirector can NAT all the IP addresses that appear in the INIT message.
See also Outbound NAT Addresses, page 286.
Configure Outbound NAT range with NAT Mode set to SCTP NAT.
2.
Configure Outbound NAT Intercept range that includes the SCTP servers and connect to the
appropriate Outbound NAT range. The two ranges must have the same size.
Note: Outbound NAT is performed only for SCTP traffic initiated by servers that are defined as
farm servers on AppDirector.
Performance Statistics
This section discusses general performance indicators (statistics) and includes the following topics:
408
Enhanced Acceleration
You also have the ability to take a comprehensive view of monitoring and statistics information
through the WBM. Acceleration engine data is shown in aggregated tables that facilitate a quick
check on the Acceleration Engine status and value. Using these statistics tables, you can drill down
to a specific interface, Layer 4 policy or Rule-list rules.
Notes:
>> All Views are set to refresh automatically according to the refresh rate specified in
configuration view.
>> In WBM, all statistics pages allow you to filter for viewing only specific items.
>> The configurable statistics measuring period and WBM view Auto-refresh time are shown
at the bottom of each statistics window. To edit go to Configuration, page 421.
Throughput Summary
From the Performance menu, select Acceleration > Throughput> Summary. The Acceleration
Engine Throughput Summary window is displayed with these read-only parameters:
Parameter
Description
Client Side Throughput Mbits In - Average of incoming traffic from clients into the
Acceleration Engine per second.
Mbits Out - Average of outgoing traffic towards clients from the
Acceleration Engine per second.
Total (In + Out) - Average of total clients related traffic going in both
ways through the Acceleration Engine per second.
Server Side
Throughput
Total Throughput
409
Parameter
Description
Total Throughput
Note: Statistics shown for all Layer 4 policies also include their Acceleration capabilities, that
is. their traffic flows through Acceleration Engine. A Layer 4 policy that does not include
any Acceleration policy (SSL, Cache, compression, Multiplexing) will not show this view.
Connections Summary
From the Performance menu, select Acceleration > Connections> Summary. The Acceleration
Engine Connections Statistics Summary window is displayed.
Parameter
Description
410
Parameter
Description
Parameter
Description
Concurrent
New
Concurrent
New
Concurrent
New
Total Connections
Multiplexing Percentage
New Connections/Sec
Note: Statistics shown for all Layer 4 policies also include their Acceleration capabilities, that
is. their traffic flows through Acceleration Engine. A Layer 4 policy that does not include
any Acceleration policy (SSL, Cache, compression, Multiplexing) will not show this view.
Parameter
Description
411
Parameter
Description
Parameter
Description
L4 Policy
Requests
Clients -> AE
AE -> Servers
Clients -> AE
AE -> Servers
Responses
Transaction/Sec.
Note: Statistics shown for all Layer 4 policies also include their Acceleration capabilities, that
is. their traffic flows through Acceleration Engine. A Layer 4 policy that does not include
any Acceleration policy (SSL, Cache, compression, Multiplexing) will not show this view.
Parameter
Description
412
Parameter
Description
Parameter
Description
L4 Policy
Average Requests/Connection
Smaller than
1KB
1KB - 10KB
11KB - 50KB
51KB -100KB
Larger than
100KB
413
Note: Statistics shown for all Layer 4 policies also include their Acceleration capabilities, that
is. their traffic flows through Acceleration Engine. A Layer 4 policy that does not include
any Acceleration policy (SSL, Cache, compression, Multiplexing) will not show this view.
Parameter
Description
SSLv2 Percentage
SSLv3 Percentage
TLS Percentage
Parameter
Description
Name
New Handshakes/Sec
SSL V2 Percentage
SSL V3 Percentage
TLS Percentage
Note: Statistics displayed for all Layer 4 policies also includes their Acceleration capabilities,
(their traffic flows through Acceleration Engine). A Layer 4 policy that does not include
any Acceleration policy (SSL, Cache, compression, Multiplexing) does not show this
view.
414
Cache Summary
From the Performance menu, select Acceleration > Cache > Summary. The Cache Summary
window is displayed.
Parameter
Description
Objects of Average Size 101KB-1MB Amount of objects cached by size during last measuring
period of Average size between 101KB and 1MB
Objects of Average Size Larger than Amount of objects cached by size during last measuring
1MB
period of Average size larger than 1MB.
415
Parameter
Description
Name
Cache Hits%
Cache Requests/Sec
Amount of new objects cached during the measuring period per Layer
4 policy.
Objects/sec Cached
Amount of new bytes cached during the measuring period per Layer 4
policy.
Bytes/Sec Cache
Note: Statistics shown for all Layer 4 policies also include their Acceleration capabilities, that
is, their traffic flows through Acceleration Engine. A Layer 4 policy that does not include
any Acceleration policy (SSL, Cache, compression, Multiplexing) will not show this view.
Parameter
Description
Name
Objects of Average
Size
11KB - 100KB
101KB - 1MB
416
Note: Statistics shown for all Layer 4 policies also include their Acceleration capabilities, that
is, their traffic flows through Acceleration Engine. A Layer 4 policy that does not include
any Acceleration policy (SSL, Cache, compression, Multiplexing) will not show this view.
Parameter
Description
Name
Cached Objects
Cached Bytes
Parameter
Description
Rule Name
Rule Priority
Location of the rule in the Rule-List. Since Rule-Lists are scanned for a
match from top (priority 1) to bottom (priority ~65000) this enables to
set the location of the rule in the rule-list. See Leveraging Rule List
Behavior, page 219 on how to use the priority efficiently.
Cached Objects
Cached Bytes
Notes:
>> You can use URL files to specify folders or file types to be cached or not cached. You can
do this by entering a string in the URL filed containing only the file extension or folder
name.
>> If these strings appear elsewhere in the URL, they will also be matched.
Cache Content
You can download a file containing the entire list of objects residing in cache at download time.
1. From the Performance menu, select Acceleration > Cache > Cache Content. The
Acceleration Engine Cache Object-List window is displayed.
2. To save the file listing all cache content, select Save Cache Dump file.
3. A dialog box is displayed asking you if you wish to open or save the Cache Dump file.
417
If you click Open, a Microsoft Excel .csv file will open displaying the following parameters:
Parameter
Description
URL
Size (KB)
Chunked
Compressed
Last Access
5.
If you click Save, you are prompted to save a .csv file in the following default format:
Compression Summary
From the Performance menu, select Acceleration > Compression > Summary. The Compression
Summary window is displayed.
Parameter
Description
Average Uncompressed Object Size (Kbps) Average object size before compression.
Compressed Throughput (Kbps)
418
Parameter
Description
Name
Compression Percentage
Note: Statistics shown for all Layer 4 policies also include their Acceleration capabilities, i.e.
their traffic flows through Acceleration Engine. A Layer 4 policy that does not include any
Acceleration policy (SSL, Cache, compression, Multiplexing) will not show this view.
Parameter
Description
Name
Name of Compressions URL Exception Policy for which this row shows
statistics.
Matched Objects
Size Before Compression Total uncompressed size of objects matched during measuring period by
the URL Exception Policy for which this row shows statistics.
Size After Compression
419
Parameter
Description
Rule Name
Rule Priority
Location of the rule in the Rule-List. Since Rule-Lists are scanned for a
match from top (priority 1) to bottom (priority ~65000) this enables to
set the location of the rule in the rule-list. See Leveraging Rule List
Behavior, page 219on how to use the priority efficiently.
Matched Objects
Compression Percentage
Notes:
>> You can use URL files to specify folders or file types to be compressed or not
compressed. You can do this by entering a string in the URL filed containing only the file
extension or folder name.
>> If these strings appear elsewhere in the URL, they will also be matched.
Parameter
Description
Name
Name of Compressions URL Exception Policy for which this row shows
statistics.
Matched Objects
Parameter
Description
420
Rule Priority
Location of the rule in the Rule-List. Since Rule-Lists are scanned for a
match from top (priority 1) to bottom (priority ~65000) this enables to
set the location of the rule in the rule-list. See Leveraging Rule List
Behavior, page 219 on how to use the priority efficiently.
Matched Objects
Compression Percentage
Configuration
1. From the Performance menu, select Acceleration > Compression > Configuration. The
Acceleration Engine Configuration window is displayed.
Parameter
Description
WBM Statistics display auto- Defined the period after which the WBM display will automatically
refresh (Sec)
refresh to show recently measured values.
2. Click Set. Your configuration is set.
421
From the Performance menu, select BWM Policy Statistics Global Parameters. The Policy
Statistics Global Parameters window is displayed.
Parameter
Description
Statistics measuring
period (Sec)
Defines the time period in which values are being collected. Presented
data always shows results of previous measuring period.
All measuring and statistics are performed within a defined timeframe. This parameter allows controlling this time frame. Since
numbers are updated at the end of every measuring period, a longer
period will give better Averages results but will lower the ability to see
real time monitoring values.
Default: 5 seconds.
WBM Statistics display Defined the period after which the WBM display will automatically
auto-refresh (Sec)
refresh to show recently measured values.
2.
3.
422
Parameter
Description
Policy Statistics
Monitoring
Policy Statistics
Reporting Period
SRP
Default: 60
Note: To view this table, Application Servers Statistics, page 430 must be enabled.
Parameter
Description
Policy Name
Packets (sec)
The number of packets matching the policy during the last second.
Matched BW (Kbits)
Sent BW (Kbits)
Parameter
Description
Policy Name
Packets (sec)
The number of packets matching the policy during the last period.
Matched BW (Kbits)
Sent BW (Kbits)
423
Element Statistics
Element statistics contains several indicators for viewing AppDirector performance. They include:
IP Packet Statistics
The IP Packets Statistics window allows you to view statistics for the IP elements of the device.
Parameter
Description
IP Receives
IP Header Errors
IP Discarded
IP Successfully Delivered
IP Out Requests
IP Out Discard
424
Parameter
Description
SNMP Received Packets Total number of messages delivered to the SNMP entity from the transport
service.
SNMP Sent Packets
Total number of SNMP messages passed from the SNMP protocol entity to
the transport service.
SNMP 'Get-next'
Requests
Total number of SNMP PDUs generated by the SNMP protocol entity and
for which the value of the error-status field is 'tooBig.'
SNMP Out
'NoSuchName'
Total number of SNMP PDUs generated by the SNMP protocol entity and
for which the value of the error-status is 'noSuchName.'
Total number of SNMP PDUs generated by the SNMP protocol entity and
for which the value of the error-status field is 'badValue.'
Total number of SNMP PDUs generated by the SNMP protocol entity and
for which the value of the error-status field is 'genErr.'
Total number of SNMP Trap PDUs generated by the SNMP protocol entity.
425
IP Router Statistics
The IP Router Statistics window allows you to view statistics for the IP Router elements of the
device.
Parameter
Description
IP Forwarded
Number of input datagrams for which this entity was not their final IP
destination, as a result of which an attempt was made to find a route to
forward them to that final destination. In entities, which do not act as
IP Gateways, this counter will include only those packets that were
Source - Routed via this entity, and the Source - Route option
processing was successful.
IP Unknown Protocol
IP Out No Routes
IP Fragments Received
IP Datagram Fragments
Generated
IP Datagram Fragments
Generated
426
Parameter
Description
Parameter
Description
OSPF - LSAs received - The number of link-state advertisements received that are determined to
new instantiations
be new instantiations. This number does not include newer instantiations
of self-originated link-state advertisements
427
Parameter
Description
Resource Utilization
RS Resource Utilization
RE Resource Utilization
Acceleration-Engine Cores
These statistics measure CPU utilization per accelerator.
Enhanced Acceleration
Parameter
Description
Accel-Engine System Total Percentage of Acceleration engine RAM allocated for cache occupied on
Memory
measuring time. Also see Caching Policies, page 220.
Values: 1 - 50%
Default: 20%
Acceleration-Engine id 1
Acceleration-Engine id 2
Acceleration-Engine id 3
IP Interface Statistics
The IP Interface Statistics window allows you to monitor the number of packets discarded and
ignored, enabling you to quickly summarize the state of network congestion from a given interface.
To view IP statistics
1.
From the Performance menu select; IP Statistics. The IP Statistics window is displayed.
2.
Select the desired interface entry. The IP Statistics Update window is displayed.
428
Parameter
Description
Interface Address
RIP - Response Packets Number of RIP responses received by RIP process which were
Discarded
subsequently discarded for any reason.
Discard Examples:
version 0 packet
unknown command type
packet was smaller than the minimum size allowed for IPRIP
packets.
received a packet with an invalid version in its header.
received a packet with an invalid header.
discarded a response packet from a neighbor with IP address:
%1. IPRIPv2 is not configured to accept packets from this
neighbor.
discarded a version: %1 packet received on the interface with IP
address: %2 from a neighbor with IP address: %3. The above
interface is configured to accept only version: %4 packets.
discarded a packet received on the interface with IP address: %1
from a neighboring router with IP address: %2, because the
packet failed authentication.
discarded a response packet from a neighbor with IP address:
%1. The packet was not sent from the standard IP RIP port (520).
RIP - Routes Ignored
429
Servers
As part of AppDirectors toolset, you can monitor server performance including server status, traffic
load and numbers of connections and disconnections.
From the Performance menu, select Server > Application Server Statistics. The Application
Server Statistics window is displayed.
2.
From the Farm drop down list, select the farm for which you want to present the servers
summary. The Application Servers Summary table displays the following read-only statistics:
Parameter
Description
Status
Farm/Server
Kbits
Packets
Connections
430
Parameter
Description
TCP Disconnections
3. To define the frequency in which the summary is refreshed, in the Refresh Interval text box,
type the number of seconds and click Set.
4. To reset statistics, click Set.
Parameter
Description
Status
Physical Server
Name of farm or server, (click the farm or server name to read the
confirmation window).
Kbits
Packets
Connections
431
Parameter
Description
TCP Disconnections Number of disconnections in the TCP sessions established with the farm or
server.
New TCP
Connections
Note: Incoming connections are those accepted by the server. Outgoing connections are those
initiated by the server.
3.
To define the frequency in which the summary is refreshed, in the Refresh Interval text box,
type the number of seconds and click Set.
4.
AppDirector Statistics
The AppDirector statistics window enables you to monitor specific AppDirector elements providing
you with a picture of how well AppDirector is performing using measures of Client table and
Proximity table fillup or Redundancy failure.
Parameter
Description
Redundancy Failure
Redundancy Takeover
432
Standard Acceleration
TCP Splitting is the ability to maintain open concurrent connections opposite all servers providing
Diameter or LDAP services, while a single connection was opened by the client.
The TCP Splitting Statistics window allows you to view performance statistics of the TCP distribution
process for each AppXcel Front-End farm and its servers.
Parameter
Description
Refresh Interval
Update
Reset
Parameter
Description
Status
Farm/Server
Kbits
Out
Packets
In
Out
Number of Kilo-bits received by the server since the Reset button was last
pressed.
Number of Kilo-bits transmitted by the server since the Reset button was
last pressed.
Number of packets received by the server since the Reset button was last
pressed.
Number of packets transmitted by the server since the Reset button was
last pressed.
433
Parameter
Description
Connections
TCP Connections C
New TCP
Connections
Application
Connections
Number of TCP connections to the server that were terminated during the
last second.
Total number of TCP connections to the server that were terminated since
the Reset button was last pressed.
Number of new TCP connections that were opened to the server during
the last second.
Peak number of new TCP connections that were opened to the server
during one second since the Reset button was last pressed.
Total number of new TCP connections that were opened to the server
since the Reset button was last pressed.
Application
Disconnections
Application
Request
Application
Failure
3.
To define the frequency in which the summary is refreshed, in the Refresh Interval text box,
type the number of seconds and click Set.
4.
434
Protocol Statistics
You can display complete protocol statistics information using this feature. If enabled, Protocol
Discovery classification is performed only on traffic to or from the configured default gateway.
Parameter
Description
Status
Protocol Statistics
Reporting Period
[secs.]
SRP Destination
Address
IP Address of the SRP. The statistics will be sent to this address in SRP
mode.
Default: 60
Default: 0.0.0.0
SRP
Protocol Statistics
Aging
435
Parameter
Description
Name
Index
Location of policy in protection table that reflects the order in which the
classification is performed.
Destination
Source
Destination MAC
Address Group
Source MAC Address Enables you to discover applications and protocols present in the traffic
Group
sent by a transparent network device (firewall, router).
Default: None
Inbound Physical
Port Group
Direction
Operational Status
Classification Point
4.
436
Note: To view this table, Protocol Statistics Monitoring must be enabled. See Protocol Statistics
Global Parameters, page 435.
Parameter
Description
Policy Name
Protocol
IP protocol.
Port
Bandwidth
Total bandwidth per second used for this protocol during the last period.
Peak Bandwidth
Peak bandwidth per second used for this protocol during the last period.
Packets
Total number of packets per second used for this protocol during the last
period.
Statistics Monitor
This section shows you how to configure and send statistics to or from the Statistics Monitor.
437
From the Services menu, select Statistics Monitor > Configuration. The Statistics Monitor
Configuration window is displayed.
2.
Parameter
Description
Statistic Reporting
Mode
Enables or disables the creation of statistics files. You can choose what
kind of statistics to broadcast:
Full: Broadcasts all statistics
Disable (Default): Disables broadcasting
Flow: Broadcasts statistics concerning flow
Health: Broadcasts statistics concerning health
Flow Statistics Polling How often, in minutes and seconds, to update the statistics file with
Time [sec]
new flow rate data. The file is cumulative, and new data is added to
existing data.
Health Statistics
Polling Time [sec]
3.
How often, in minutes and seconds, to update the statistics file with
new health data. The file is cumulative, and new data is added to
existing data.
Note: Since the statistics files are cumulative, you must ensure that you disable the Statistic
Reporting Mode before you create files larger than you desire. Failure to do so can result
in creating files that fill all available memory.
438
Utilities
This section contains additional device-related AppDirector utilities and includes these topics:
DNS Client
You can configure AppDirector to operate as a DNS client. When the DNS client is disabled, IP
addresses cannot be resolved. When the DNS client is enabled, you need to configure servers for
which AppDirector will send out queries for host name resolving.
You can set the Domain Name Service parameters in the DNS Client Parameters window. You can
define the primary and the alternate DNS servers for dynamic DNS. In addition you can set static
DNS parameters.
Parameter
DNS Client
Description
Status of DNS Client.
Enabled or Disabled (default) DNS client functionality.
The primary DNS server address that should be used by the device for
DNS
The alternate DNS server address that should be used by the device
for DNS
2. To define the primary DNS server, in the Primary DNS server box type the IP address of the
primary DNS server and click Set.
3. To define the alternate DNS server, in the Alternate DNS server box type the IP address of the
alternate DNS server and click Set.
Note: Primary and alternate DNS server addresses contain the default value 0.0.0.0. If you
decide to delete primary or secondary DNS server addresses, which are already
configured with a different value, you can reset them back to this default value - 0.0.0.0
439
4.
Parameter
Description
Host Name
IP Address
Time Settings
This collection of utilities helps you to synchronize and configure devices for appropriate daylight
saving periods. Utilities included are:
From the Services menu select Time Settings > NTP. The Network Time window is displayed
2.
3.
Parameter
Description
NTP Server
Time zone in which the device is located, in correlation to GMT (12:00 to + 12:00 hours).
NTP Status
Daylight Saving
Radware devices support daylight saving time. You need to configure the start and end date of the
daylight saving time. During the daylight saving time period, the device automatically adds one hour
to the system clock. The device also indicates whether it is on standard time or daylight saving time
using the Daylight Saving Designations indicator.
440
Parameter
Description
Daylight Saving
Admin Status
Daylight Saving
States the Daylight Saving Designation zone
Designations (Readonly)
Starts [dd/mm:hh]
Click the dotted icon alongside. A pop-up is displayed. Enter the date and
time from which Daylight Saving starts with the following parameters:
Mode: Date - an absolute date to configure OR
Recurring: - if it is the same instance for start or/and end (e.g. DST
always starts on the 1st Sunday in April)
Month: January-December
Day: 1-31
Hour:0-22
Start Date and Time Shows the Start date and time in full as follows e.g. TUE JUL 01 02:00:00
(Read Only)
2007.
Ends [dd/mm:hh]
Click the dotted icon alongside. A pop-up is displayed. Enter the date and
time when Daylight Saving ends as follows:
Mode: Date - an absolute date to configure OR
Recurring: - if it is the same instance for start or/and end (e.g. DST
always starts on the 1st Sunday in April)
Month: January-December
Day: 1-31
Hour:1-23
Shows the End date and time in full as follows e.g. TUE JAN 01 02:00:00
2008.
Delta
441
From the Services menu, select Time Settings > Date and Time. The Daylight Saving System
date and Time window is displayed with the following parameters.
2.
3.
Parameter
Description
System Time
[hh:mm:ss]
System Date
[dd/mm/yyyy]
Event Scheduler
Standard Acceleration
Some network policies remain inactive during specific hours of the day and are activated during
others. For example, an enterprise may give high priority to mail traffic between 08:00 - 10:00.
Sometimes within networks we need specific policies to remain inactive during certain hours of the
day, or for a certain policy to be activated in the middle of the night. For example - a school's library,
may want to block instant messaging during school hours, but allowing instant messages after
school hours or an enterprise may give high priority for mail traffic between 08:00 - 10:00. You can
schedule the activation and inactivation of specific Bandwidth Management policies using the Event
Scheduler, which can then be attached to a policy's configurations. Events define the date and time
in which an action must be performed.
From the Services menu, select Event Scheduler. The Event Scheduler window is displayed.
2.
3.
Parameter
Description
Name
Frequency
Time (hh:mm)
442
Parameter
Description
Days
Date (dd/mm/yyyy)
443
444
Chapter 8 Security
This chapter discusses Security modules and sub-modules, and contains these sections:
Caution: All Radware devices include security features and settings that help prevent
unauthorized access and unit tampering.
Parameter
Description
Port Number
SNMP
445
Parameter
Description
Telnet
SSH
SSL
Web
4.
Select the state from the dropdown lists, Enable or Disable, for each management option.
5.
Ports Access
You can define which physical interfaces can be pinged. When a ping is sent to an interface for which
ping is not allowed, the packet is discarded. By default, all the interfaces of the device allow pings.
From the Security menu, select Ports Access. The Ports Access window appears.
2.
Select a Port Number link. The Ping Ports Access Update window appears.
3.
Parameter
Description
Port Number
Ping State
4.
446
Parameter
Description
Authentication
Method
3. Select the appropriate Authentication Method and click Set. The Authentication Method is set.
Parameter
Description
User Name
Password
Severity
Access Level
Sets the users level of access to the WBM and CLI interfaces.
Values: Read-Write, Read-Only, None.
447
Parameter
Description
Select from the drop-down list, the name of the SSH public key relevant
for this user. This is the name of the certificate table entry where the
SSH public key resides
Note: This public key must have been previously imported into
AppDirector via the Certificates management capability.
4.
RADIUS Authentication
RADIUS (Remote Authentication Dial In User Service), defined in RFC 2865, is a protocol for remote
user authentication and accounting. RADIUS enables centralized management of authentication
data, such as user names and passwords.
When a user attempts to login to a RADIUS client, such as a router, the router send the
authentication request to the RADIUS server. The communication between the RADIUS client and
the RADIUS server are authenticated and encrypted through the use of a shared secret, which is not
transmitted over the network.
RADIUS utilizes the MD5 algorithm for secure password hashing.
Read-Write (administrator) user privilege is built into all Radius servers (Service-Type value 6).
Read-Only user privilege (Service-Type value 255) has to be defined in the RADIUS dictionary.
Attribute
Service-Type
26
Value
Service-Type
Read-Only
255
448
Parameter
Description
Main RADIUS IP
Address
Access port number of the primary Radius server. Access port numbers
can be either 1645 (default) or 1812.
Main RADIUS
Secret
Backup RADIUS IP
Address
Backup RADIUS
Port Number
Access port number of the backup Radius server. Access port numbers
can be either 1645 (default) or 1812.
Backup RADIUS
Secret
RADIUS Timeout
Time that device waits for reply from RADIUS server before a retry, or (if
the value RADIUS Retries is exceeded) before the device acknowledges
that the server is offline.
Default: 5
RADIUS Retries
Default
Authorization
449
Certificates
Certificates are digitally signed indicators which identify the server or user. They are usually
provided in the form of an electronic key or value. The digital certificate represents the certification
of an individual business or organizational public key but can also be used to show the privileges and
roles for which the holder has been certified. It also includes information from a third party verifying
identity. Authentication is needed to ensure that users in a communication or transaction are who
they claim to be. A basic certificate includes:
The identity of the Certificate Authority (CA) and its digital signature to affirm the digital
certificate was issued by a valid agency.
Keys
A key is a variable set of numbers that the sender applies to decrypted data to produce encrypted
data, to be sent via the internet. Usually a pair of public and private keys is used. A private key is
kept secret and used, only by its owner, to encrypt and decrypt data. A public key has a wide
distribution and is not secret. It is used for encrypting data and for verifying signatures. One key is
used by the sender to encrypt or interpret the data. The recipient also uses the key to authenticate
that the data comes from the sender.
The use of keys ensures that unauthorized personnel cannot decipher the data. Only with the
appropriate key can the information be easily deciphered or understood. Stolen or copied data would
be incomprehensible without the appropriate key to decipher it and prevent forgery. AppDirector
supports the following key size lengths - 512, 1024 or 2048 bytes.
Certificates Workflows
2.
Complete the relevant fields (or update the defaults before you start)
3.
4.
Move to the Export Certificates window. Export the CSR to file or Text and send to a Certificate
Signing Authority such as Varisign.
5.
After receiving the signed certificate back from CA, use the Import Certificates window to import
it into the CSR and convert it to a Key and a Certificate.
450
To move a Key and Certificate pair from Web server to AppDirector or between
AppDirectors (in redundancy configuration)
1. On the 1st AppDirector machine go to Export Certificates window and select Export Key.
2. On the 1st AppDirector machine go to Export Certificates window and export a Certificate, (if
you have web servers you can export in one PKCS12 unified file).
3. On the 2nd AppDirector machine go to Import Certificates window and select Import Key.
4. On the 2nd AppDirector machine go to Import Certificates window and import Certificate.
451
PKCS#12 - is a standard for storing private keys and certificates securely and is used in
Internet browsers with their import and export options.
This file format can encrypt and seal private keys and certificates with a digital signature, if
required. It can be imported into the device regardless of encryption. AppDirector can be configured
using an existing key/certificate, or by creating a new key/certificate.
Note: Secure management of PKI components - all certificates and key management
operations can only be performed using secure protocols such as HTTPS, SSH and
SNMPv3. Read-Only capabilities are still available when using HTTP, Telnet or SNMPv1
and v2.
Certificates Table
This table holds all imported and created PKI entities. Each PKI entity in the table has a name used
for viewing the certificate details.
From the Security Menu, select Certificates > Table. The Certificates window appears.
2.
For Updating, click on the Certificate name. The Certificate Update window appears.
3.
For creating a new certificate, click Create. The Certificate Create window appears
4.
Parameter
Description
Name
Entry Type
Key Size
452
Parameter
Description
Key Passphrase
Locality
State or Province
State or province.
Organization
Organization Unit
Country Name
Organization country.
Any email address that you want to include within the certificate.
Certificate Validity
Notes:
>> Default values for Certificate and CSR fields can be set in Certificate Defaults, page 456.
>> A key can also be modified into a certificate by importing its corresponding certificates
(to complete the PKI key-pair) to AppDirector.
>> You cannot create a new entry with same name as the key entry.
Certificate Expiry
SNMP traps are sent when certificates are about to expire. They are sent per certificate 30, 15, and
5 days before expiration. You should check only server certificates (used for SSL) in repository once
a day for expiration date.
If Certificate expiration is in 30, 15 or 5,4,3,2,1 days, a SNMP Alert (warning) is generated and if a
Certificate has expired, a SNMP Alert (Error) is generated.
Importing Certificates
This enables you to either import Keys/Certificates from another machine (Duplicate), to import a
Certificate to an existing Signing Request to complete its process, and to import a Intermediate CA
or Certificate of Client CA to be used in Certificate configuration or Client Authentication
configuration.
Keys and Certificates can be imported to AppDirector in either PEM or PKCS#!2 formats. If your key
and certificate are encapsulated in a PKCS#12 (*.p12) file you can import them to AppDirector by
selecting Key & Certificate as entity type. If you have separate PEM files for Key and for certificate
you will need to import them consecutively into the same entity name.
453
To import Certificates
1.
From the Security Menu, select Certificates > Import. The Import PKI Components window
appears showing.
2.
Parameter
Description
Entry Name
Entry Type
Parameter derived from type and displaying the expected file format.
Passphrase
Since Private Keys are the most sensitive parts of PKI data they must
be protected by passphrase.
A Passphrase should be at least 4 characters and you should use
stronger passphrases than those based on letters, numbers and signs.
Maximum size: 1995 bytes.
Text
3.
In this area you can paste Certificate or Key in encrypted text format.
Exporting Certificates
Key, Certificate and Signing Request export is used for backup purposes, moving existing
configurations to another machine or for completion of Signing Request processes. Here is a brief
explanation of how to export certificates from a device either by copying and pasting a key or
downloading a file.
Keys and Certificates can be exported from AppDirector in either PEM or PKCS#!2 formats. If you
want to encapsulate key and certificate in a PKCS#12 file (*.p12) you can export them from
AppDirector selecting Key & Certificate as entity type. If you want them as separate PEM files for
Key and for certificate you need to export them consecutively selecting Key and Certificate as
entry types.
454
Note: The Radware key is created without a Radware password at system startup, thus it can
be exported without a Radware password.
To export Certificates
1. From the Security Menu, select Certificates > Export. The Export PKI components window
appears showing. Key, Certificate or CSR.
2. To display an existing key, certificate or CSR with all parameters, click Show. All certificate
details are displayed here.
Parameter
Description
Entry Name
Entry Type
Format
Read-Only parameter derived from the type and displaying the expected
file format.
Passphrase
Required when exporting Keys. Use passphrase entered when key was
created/imported. You need to enter the key passphrase to validate that
you are authorized to export it.
Since Private Keys are the most sensitive parts of PKI data they must be
protected by a passphrase. A Passphrase should be at least 4 characters
and you should use stronger passphrases than those based on letters,
numbers and signs.
Maximum size: 1995 bytes.
Text
In this space the Key/Certificate/CSR text is shown in text format for you
to Copy-paste it, when you use the "show" option.
3. Choose Show or Export. Click Show to display Key/Certificate/CSR in encrypted text format
for copy-paste purposes, e.g. sending CSR to Certificate signing authority.
4. A dialog message appears asking if you want to open or save the certificate file? If you click
Open, the file is opened in a browser window. If you click Save you are prompted to save the
file.
455
Certificate Defaults
This enables you to define your organization's default parameter to be used when creating Signing
Requests or Self-signed certificates.
From the Security Menu, select Certificates > Default Values. The Default Values window
appears.
2.
Parameter
Description
Certificate Common
Certificate Locality
Certificate State or
Province
State or province.
Certificate Organization
Certificate Organization
Unit
Application Security
This section helps you set up and configure Application Security profiles and contains these topics:
The following topics can only be accessed when you are in:
Applications only control the use of resources granted to them, and not which resources are granted
to them. They, in turn, determine the use of these resources by users of the application through
application security.
456
provides protection against single or multiple packet attacks that cause denial of service.
are part of the protection from and prevention of denial of service attacks.
are predefined traffic detectors that scan incoming traffic identifying known attack signatures.
The profiles use various attacks that find malicious packets and make decisions based on
predefined settings.
Third parties can use the SYN-ACK replies to launch attacks on selected sites by adopting the
selected site's address as the Source IP address of the attack.
The SYN-ACK packets create a storm of reflected traffic that consumes bandwidth and blocks
legitimate traffic.
457
From the Security menu, select SYN Flood Protection > Global Parameters. The SYN Flood
Protection Parameters window appears.
2.
Parameter
Description
Statistics Max
For each policy, the maximum number of destinations that can be
destinations per policy reflected in the statistics report.
Note: Destination is a single IP, dest port, or RX port.
Values: 1 - 100
Default: 5
Statistics time period
(Secs)
Amount of SYN packets per second that are sampled and their source
IP is to be monitored.
Values: 0 - 10000
Default: 100
458
Parameter
Description
Maximum number of SYN Flood and ACK reflection traps per defined
time interval.
Value: >0
Default: 100
Note: Before enabling SYN Flood protection you must set the Session/Client Table to operate in
the Layer 4 mode.
Parameter
Description
Name
Index
Location of policy in the protection table that reflects the order in which
the classification is performed.
Protection Mode
Operational Status
Active or Inactive.
Activation Threshold Maximum number of SYN packets that are allowed to arrive at the same
destination per second. If the Activation Threshold goes beyond the
predefined number, the traffic is recognized as an attack and the packets
are terminated.
Default: 2500
Verification Type
459
Parameter
Description
Description
Deactivation
Threshold
The minimum number of SYN packets per second that can arrive at the
same destination. If the number of packets that arrive at the same
destination is below Deactivation Threshold, the SYN Flood protection
policy is deactivated and the traffic is no longer protected.
Default: 1500
4.
Ack
Request
Destination
Count Statistics
Service
From the Security menu select SYN Flood Protection > Statistics. The SYN Flood Protection
Statistics window appears.
2.
Select the desired policy. Leaving this field empty displays statistical data for all policies. For
each policy the following data appears:
460
Parameter
Description
Name
Dest IP
Dest Port
RX Port
Attack Status
SYNs/Sec Avg
SYNs/Sec Peak
Highest value of SYNs per second during the statistical analysis period.
Parameter
Description
Attack Start
Attack Term
Notes:
>> To define a group with a single port, assign the same value to From Port and To Port.
>> Use the same group name for all ranges that you want to include in the group.
4. Click OK. A new row appears in the Application Port Group table.
5. Click OK. The Application Port Group window closes.
6. From the Destination App. Port Group drop-down list, select a group that was defined in the
Application Port Groups table.
7. In the Attack Description field, enter a description of the attack.
8. Click OK. The SYN Attack Configuration window closes, and a new user-defined attack appears
in the All Regular Filters pane of the Connect & Protect Table window.
Note: AppDirector will recognize an attack when there is more then 1000 packets per second.
Parameter
Description
Type
IP Address
Source IP for SYN ACK Reflection, and dest IP for all other types.
Total SYN
461
Parameter
Description
TCP-Handshake-Timeout
The Timeout for the SYN option enables the protection of the Client Table against SYN attacks that
occur during the TCP handshake process.
When a client sends SYN to the Layer 4 Policy, AppDirector selects a server, adds a new entry to the
Client Table, and forwards SYN to the selected server. If, during a predefined period of time (which
can last for 1 to10 seconds), no additional response arrives from this client, it is regarded as a SYN
attack. In that case, the entry is deleted from the Client Table, and the Reset command is sent to
the server to release the resources allocated to this session. Values run from 1 to 10 seconds and
the default is 5 seconds.
Note: The Timeout for SYN parameter is applicable only when the Open Entry When Source
Port Different or the Select New Server When Source Port Different parameters are
enabled. The Timeout for SYN parameter applies only to TCP sessions.
You can enter the value (in seconds) that AppDirector assigns to a new session started by a SYN
packet if no further traffic is received from the client, until the entry is removed from the Client
Table and a Reset is sent to the server. If the defined SYN Timeout is 0 (regular aging time), this
indicates that the parameter is disabled, and sessions are removed from the Client Table according
to the value defined as the Aging Time.
Notes:
>> The Session Table is disabled by default. When SYN Flood Protection is used, the Session
Table must be enabled.
>> Full Layer 3 and Full Layer 4 modes are supported.
>> Packets must be categorized with the Full Layer 4 Session Table Lookup mode when SYN
Protection is used.
462
Parameter
Description
Session Table
Status
Whether the session table is active or not. If the device does not need
to provide high performance for routed or bridged traffic, it is
disabled.
Default: Disabled
Session Table
Lookup Mode
Remove Session
Table Entry at
Session End
Removes sessions from the Session Table when the session ends
(only valid for Full Layer 4 Lookup mode). Recommended to free
resources when the Aging Time of Session Table is set to a high
value; however, it can cause slight performance degradation.
Default: Enabled
Send Reset To
Server Status
Checks whether the Session Table sends a reset packet to the server
if no data is transmitted through the session, because it could be a
SYN attack.
Default: Disabled
463
From the Device menu, select Session Table > View Table Query Results. The Session Table
Entries window appears.
2.
To set the Session Table Query Filters, from the Session Table Entries window click Create. The
Session Table Query Filters Table Create window appears.
3.
Parameter
Description
Maximum
Displayed Entries
Number of Used
Entries (Read Only)
Dest IP
Source Port
Dest Port
Protocol
4.
464
Lifetime
Aging Type
Click Set. The Session Table Entries table displays information from the Session Table according
to your preferences with these parameters.
Parameter
Description
Name
Source IP
Dest IP
Source Port
Dest Port
Standard Acceleration
When you disable the acceleration engine, (see Tweaks, page 290), you can utilize the further
security features based on other licenses shown here. But first you need to follow these steps:
1. Ensure that you have the correct licenses.
a.
b.
c.
As a default, all AppDirector users receive a basic AppDirector licence. In addition, you may
also have a cookie persistency license.
However, to run Bandwidth Management and IPS features, you will additionally need a bwmips licence.
To run DoS Shield and BDos features, you need a dos license but will first need the BWM and
IPS license, bwm-ips.
2. If you do not have the correct license(s), you will need to obtain them as follows:
a.
b.
c.
3. Using Web Based Management (Device / License Upgrade), or CLI (using the command system
license) enter the new license string. Also see Upgrading Licenses Using WBM, page 53 and
Upgrading Licenses Using the CLI, page 55.
Signature Protection
Signature protection detects and prevents network-oriented attacks, Operation System (OS)
oriented attacks and application-oriented attacks by comparing each packet to the set of signatures
stored in the Signatures database. The attacks handled by this protection can be divided into the
following groups:
Server-based vulnerabilities:
Web vulnerabilities
IRC bots
Spyware
Phishing
Anonymizers
Radware provides you with the Signatures database that contains signatures of predefined attacks.
These attacks are included in the predefined groups and profiles supplied by Radware. Using the
predefined groups and profiles, you can create new protection policies. Each attack group includes a
number of attack signatures that are grouped together according to their common characteristics.
The groups are included in protection profiles that are applied to protection policies
465
Note: To get the Security Update Service, you must purchase it separately.
An updated signatures file can be found every Monday on the Radware Security Zone (http://
www.radware.com/content/security/attack/weeklyupdates.asp), plus, the website is updated on an
ongoing basis with emergency updates when required.
You can Update the Signatures file in the following ways:
Manual updating: If you have an updated file that was downloaded manually from the
Radware website, you can upload the signatures file to AppDirector manually.
Manual downloading and updating: You can download the update file from the Radware
website and update using this file.
Automatic downloading and updating: You can schedule automatic downloads and updates
of the signatures file.
Tip: To provide protection for your network, it is recommended to set automatic daily updates.
The Signature Protection option contains these features:
466
Parameter
Description
Start Protection
Min Risk
MIN fragmented
URI packet Size
Security Tracking
Tables Free-Up
Frequency [ms]
The Free-Up Frequency for each table determines how often the device
clears unnecessary entries from the table, and stores information about
newly detected security events.
Unicode Encoding
The language encoding (the language and character set) to use for
detecting security events.
Session-Drop
Mechanism Status
467
IP Reassembly: AppDirector assembles the IP fragments into a complete IP packet and looks for
attack signatures split among multiple IP fragments.
There is no report of a specific attack. It is mentioned only when a fragment has been identified as
an attack.
From the Security menumenu select, select Signature Protection > Application Security >
IP FragmentsGlobal Parameters. The Application Security IP Fragments Tuning window
appears.
2.
Parameter
Description
Protection Status
IP Reassembly no
memory Action Mode
The device action when the device lacks memory resources to perform
IP reassembly.
Values
IP Reassembly aging
time [sec]
IP Reassembly
Overlap status
IP Reassembly
Overlap Action Mode
468
Parameter
Min IP Fragment
protection status
Min IP Fragment
Action Mode
Description
Enable/Disable (default) the Min Fragment protection feature.
Note: There is no dependency between the IP Reassembly feature
and the Min Fragment protection feature. Min Fragment
protection can be enabled when the IP Reassembly feature is
Enabled or Disabled.
Action mode settings when Min IP Fragment Protection is set to Enable:
Report Only: The fragment is forwarded to the defined destination
Drop (default): The fragment is discarded
Reset Source: A TCP-Reset packet is sent to the packet Source IP
Reset Destination: A TCP-Reset packet is sent to the destination
address
Reset Bi-directional: TCP-Reset packets are sent to both the packet
source IP and the packet destination IP
MIN IP Fragment Size The minimum permitted size of a fragmented IP packet. A shorter
packet length is treated as an IP protocol anomaly and is dropped.
Values: 1-65535 Bytes.
Default: 512 Bytes.
3. Click Set. Your preferences are recorded.
DoS Shield Profiling: Sampling-based service that provides protection against the packet
flooding which causes a denial of service effect. This protection is provided for TCP, UDP, and
ICMP floods. This service utilizes advanced sampling, which significantly reduces the device CPU
load compared to packet-by-packet scanning.
The sampling-based service provides optimized performance in high throughput networks. Once an
attack is detected, the DoS Shield module sets the relevant attack filter for packet-by-packet
inspection. The packet-by-packet scanning service is based on the DoS protection group, named
DOS.
DoS Shield
To prevent denial of service, DoS Shield samples traffic flowing through the device and limits the
bandwidth of traffic that has been recognized as a DoS attack using predefined actions.
This is based on working with two attack states: Dormant and Active.
Dormant state indicates using the sampling method for recognition prior to action activation. An
attack in Dormant state can become active only if the number of packets that enter your network
exceeds the predefined limit.
469
From the Security Menu select Signature Protection > DoS Shield > Global Parameters.
The DoS Shield Global Parameters window appears.
2.
Parameter
Description
Start Protection
Sampling Rate
The rate in which packets are sampled and compared to the Dormant
Attacks.
You can configure a number indicating how many packets the sampling
is performed. Default: 101, (1 out of 101 packets is checked).
Sampling Frequency
[sec]
3.
How often DoS Shield compares the predefined thresholds for each
Dormant Attack to the current value of counters of packets matching
the attack. Default: 5 seconds
Note: You can create the Advanced Filters using the user-defined Basic Filters only.
470
Parameter
Description
Name
Protocol
Destination App.
Port
OMPC Offset
The location in the packet from which the checking of data is started to
find specific bits in the IP/TCP header.
OMPC Mask
The fixed size pattern within the packet that OMPC rule attempts to find.
Values: a combination of hexadecimal numbers (0-9, a-f). The value
must be defined according to the OMPC Length parameter. The OMPC
Pattern parameter definition must contain 8 symbols. If the OMPC Length
value is lower than fourBytes, you need complete it with zeros.
For example, if OMPC Length is twoBytes, OMPC Pattern can
be:abcd0000.
Default value: 00000000.
OMPC Condition
OMPC Length
The length of the OMPC (Offset Mask Pattern Condition) data can be N/A,
oneByte, twoBytes, threeBytes or fourBytes.
Default: N/A.
Content Offset
The location in the packet from which the checking of content is started.
Values: 0 (default) - 1513
Distance
471
Parameter
Description
Content
Contains the value of the content search. Possible values: < space > ! " #
$ % & ' ( ) * + , -. / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I
JKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmno
pqrstuvwxyz{|}~
Content Type
Enables you to search for a specific content type, which can include:
URL: In the HTTP Request URI. No normalization procedures are
taken.
Normalized URL: To avoid evasion techniques when classifying HTTPGET requests, the URL content is transformed into its canonical
representation, to interpret the URL in the same way the server
would. The normalization procedure supports the following cases:
N/A: Default
472
Parameter
Description
Content Max Length Maximum length to be searched within the selected Content Type.
Values: 0 (default) - 1513
The Content Max Length value must be equal or greater than the Offset
value.
Content Data
Refers to the search for the content within the packet. It can be N/A, URL
or Text.
Content Encoding
Content Regular
Expression
Content Data
Encoding
Application Security can search for data in languages other than English,
for case sensitive or case insensitive data and hexadecimal strings.
Values:
None (default)
Case Insensitive
Case Sensitive
HEX
International
The value of this field corresponds to the Content Type parameter.
473
From the Security menu, select Signature Protection > Filters > Basic Filters > User. The
User Basic Filter Table window appears.
2.
Select the basic static filter for which you want to view the details. The User Basic Filter Table
Update window appears with the following read-only parameters.
Parameter
Description
Name
Protocol
OMPC Offset
Location in the packet from which the checking of data is started to find
specific bits in the IP/TCP header.
Values: 0 (default) - 1513
OMPC Mask
OMPC Pattern
Fixed size pattern within the packet that OMPC rule attempts to find.
Values: a combination of hexadecimal numbers (0-9, a-f). The value
must be defined according to the OMPC Length parameter.
The OMPC Pattern parameter definition must contain 8 symbols. If the
OMPC Length value is lower than fourBytes, you need to complete it
with zeros. For example, if OMPC Length is twoBytes, OMPC Pattern can
be:abcd0000.
Default: 00000000.
OMPC Condition
OMPC Length
Content Offset
Distance
474
Parameter
Description
Content
Content Type
N/A: Default
475
Parameter
Description
Content Data
Content Encoding
Content Regular
Expression
Content Data
Encoding
Note: Note: You can create the Advanced Filters using the User Defined Basic Filters only.
The Advanced Static Filters window allows you to view the Advanced Static Filter Table.
476
Parameter
Description
Name
Number of Filters
Parameter
Description
Advanced
Basics
The name of the Basic filter that is associated to the Advanced filter.
Attacks
An Attack is a building block of the profile. Each Attack contains one or more protection filters and
attributes that determine which packets are malicious and how the signature protection mechanism
treats those packets.
Attack parameters define how the malicious packet is tracked and treated once its signature is
recognized in the traffic. Each Attack is bound to a tracking function, which defines how the packet is
handled when it is matched with the signature. The main purpose of these functions is to determine
whether a packet is harmful and to take appropriate action.
The Attacks table provides you with filtering that allows viewing of Radware and user-defined
Attacks. You can define filtering criteria and display all Attacks matching the criteria in the Attacks
table. In addition you can add user-defined Attacks.
For further information see:
477
Static Attacks
The Attacks Database contains attacks provided by Radware. You can add user-defined attacks to
reflect specific needs of your network, or edit the existing attacks.
From the Security menu select, Signature Protection > Attacks > Static. The Signature
Protection Static Attack Configuration Table window appears.
2.
Select a static attack. The Signature Protection Static Attack Configuration Update window
appears.
3.
Parameter
Description
ID
Attack Name
User-defined name for this attack. Attack Name is used when DoS
Shield sends information about attack status changes (read-only).
Filter Name
Filter Type
Tracking Time
Active Threshold
Sets the maximum number of attack packets that are allowed in each
Tracking Time unit. The attack packets are recognized as legitimate
traffic when they are transmitted within the Tracking Time period.
Default: 10
Tracking Type
Defines how the device decides which traffic to block or drop, when
under an attack of this type.
Values:
Drop All (default): Use when each packet of the defined attack is
harmful. For example: Code Red and Nimda attacks.
Source Count: Select this option when the defined attack is
source-based, meaning the hacker attack can be recognized
according to its source address. For example: Horizontal Port Scan,
were the hacker scans a certain application port (TCP or UDP) to
detect which servers are available on the network.
Target Count: Select this option when the defined attack is
destination-based, meaning the hacker is attacking a specific
destination such as a Web server. For example: Ping Flood and
DDoS attacks
Source and Target Count: Select this option when the attack type
is a source and destination based attack, meaning the hacker is
attacking from a specific source IP to a specific destination IP. For
example: Port Scan attack.
Sampling: Select this option when the defined attack is based on
sampling. The rate at which packets are sampled and compared to
the Dormant Attacks.
478
Parameter
Description
Action Mode
Attack Type
Risk
You can define the attack risk as High, Medium (default) or Low
depending on the severity of the damage that the attack can cause to
your system.
Direction
Suspend Action
This functionality allows the user to define that for certain attacks, in
addition to the action defined in the attack, the device should also
suspend traffic from the IP address that was the source of the attack,
for a period of time.
Values:
None: Suspend action is disabled for this attack.
SrcIP: All traffic from the IP address identified as source of this
attack will be suspended.
SrcIP, DestIP: Traffic from the IP address identified as source of
this attack to the destination IP under attack will be suspended.
SrcIP, DestPort: Traffic from the IP address identified as source of
this attack to the application (destination port) under attack will be
suspended.
SrcIP, DestIP, DestPort. Traffic from the IP address identified as
source of this attack to the destination IP and port under attack
will be suspended.
SrcIP, DestIP, SrcPort, DestPort. Traffic from the IP address and
port identified as source of this attack to the destination IP and
port under attack will be suspended.
Drop Threshold
479
4.
Parameter
Description
Term Threshold
If for the duration of the Attack Aging Period this threshold is not
exceeded, the status of the attack reverts to Dormant. You can also
select Do not Deactivate (or 0).
Exclude Src
Exclude Dest
State
User Attacks
The Attacks Database contains attacks provided by Radware. You can add user-defined attacks to
reflect specific needs of your network, or edit the existing attacks.
The User Attacks window allows you to edit existing attacks.
From the Security menu, select Signature Protection > Attacks > User. The User Attacks
Table window appears.
2.
3.
Parameter
Description
ID
Attack Name
User-defined name for this attack. Attack Name is used when DoS
Shield sends information about attack status changes (read-only).
Filter Name
Filter Type
Tracking Time
Active Threshold
Sets the maximum number of attack packets that are allowed in each
Tracking Time unit. The attack packets are recognized as legitimate
traffic when they are transmitted within the Tracking Time period.
Default: 10
480
Parameter
Description
Tracking Type
Defines how the device decides which traffic to block or drop, when
under an attack of this type.
Values:
Drop All (default): Use when each packet of the defined attack is
harmful. For example: Code Red and Nimda attacks.
Source Count: Select this option when the defined attack is sourcebased, meaning the hacker attack can be recognized according to
its source address. For example: Horizontal Port Scan, were the
hacker scans a certain application port (TCP or UDP) to detect
which servers are available on the network.
Target Count: Select this option when the defined attack is
destination-based, meaning the hacker is attacking a specific
destination such as a Web server. For example: Ping Flood and
DDoS attacks
Source and Target Count: Select this option when the attack type
is a source and destination based attack, meaning the hacker is
attacking from a specific source IP to a specific destination IP. For
example: Port Scan attack.
Sampling: Select this option when the defined attack is based on
sampling. The rate at which packets are sampled and compared to
the Dormant Attacks.
Action Mode
Attack Type
Risk
You can define the attack risk as High, Medium (default) or Low
depending on the severity of the damage that the attack can cause to
your system.
Direction
481
Parameter
Description
Suspend Action
This allows you to define that for certain attacks, in addition to the
action defined in the attack, the device should also suspend traffic from
the IP address that was the source of the attack, for a period of time.
Values:
None: Suspend action is disabled for this attack.
SrcIP: All traffic from the IP address identified as source of this
attack will be suspended.
SrcIP, DestIP: Traffic from the IP address identified as source of
this attack to the destination IP under attack will be suspended.
SrcIP, DestPort: Traffic from the IP address identified as source of
this attack to the application (destination port) under attack will be
suspended.
SrcIP, DestIP, DestPort. Traffic from the IP address identified as
source of this attack to the destination IP and port under attack will
be suspended.
SrcIP, DestIP, SrcPort, DestPort. Traffic from the IP address and
port identified as source of this attack to the destination IP and
port under attack will be suspended.
Drop Threshold
4.
Term Threshold
If for the duration of the Attack Aging Period this threshold is not
exceeded, the status of the attack reverts to Dormant. You can also
select Do not Deactivate (or 0).
Exclude Src
Exclude Dest
State
Copy Groups
Radware attack characteristics are static, meaning the user cannot change any of the filter
properties. Changing the attack setting is possible, as the settings include the tracking values and
action values.
If you want to change an attack group, you can create a new user-defined attack group or new userdefined attack, respectively. You can then modify, remove or add attacks to user-defined groups.
You can copy a complete group as a user-defined attack, for which you can add, remove or modify
attack including attack characteristics modifications.
482
Parameter
Description
Existing Group
Select the relevant existing group for which you wish to create a copy.
New Group
Static Groups
The Static Groups window displays a list of existing groups of static filters. You can select a group
name to see a list of the group's static filters.
Parameter
Description
Name
Description
Number of Filters
Note: To see a list of filters in a group, from the Static Groups window click the name of the
group. The Group Contents window appears with a list of the group's filters
User Groups
The User Groups window allows you to create groups of filters.
483
Parameter
Description
Group
Attack
4.
5.
To add another filter to an existing group, from the User Defined Groups window, click the
required group's name. The Group Contents window opens.
6.
7.
From the Attack dropdown list, select the attack to add to the group, and click Set.
Copy Profiles
If you want to change a profile, you can create a new user-defined profile by copying a previously
created profile and then renaming it. You can then change the new profile.
To copy a profile
1.
From the Security menu, select Signature Protection > Application Security Profiles >
Copy Profiles. The Application Security Copy Profiles window appears
2.
3.
Parameter
Description
Existing Profile
New Profile
Static Profiles
Radware profile characteristics are static, meaning the user cannot change any of the filter
properties. Changing the profile setting is possible, as the settings include the tracking values and
action values. In the Profiles window you can create profiles, which can then be applied to policies.
From the Security menu, select Signature Protection > Profiles > Static. The Static Profiles
window appears presenting the configured profiles.
2.
3.
484
Parameter
Description
Profile Name
DoS Attack
Select an attack that you want to associate with the new profile.
Click Set. The window closes and the new profile appears in the Profiles table.
User Profiles
The User Defined Profiles window allows you to create profiles.
Parameter
Description
Profile
Group
Category
To create a Policy
1. From the Security menu, select Signature Protection > Policies. The Policies window
appears.
2. Click Create. The Policies Create window appears.
485
Parameter
Description
Policy Name
Policy Profile
Policy Source Address Definition of the network range to which the Policy is applied.
Default: any.
Policy Destination
Address
Direction
Whether you want to apply the Policy to the defined network range only
in one direction: source - destination (oneway); or in two directions:
source - destination, destination - source (twoways). Default: Oneway.
Default: any.
Inbound Physical Port The physical port group of the device that receives the inbound traffic.
Group
State
Action
4.
Exclude Attacks
Excluded Attack Addresses are used in Signature protection profiles only. When installing an IPS to
protect a wide range of servers and Source IP addresses running different applications, certain
filters cause false alarms to specific proprietary servers/applications. You can exclude these servers/
applications from being checked by the signatures causing the false alarms. The Excluded Attack
Addresses window enables you to exclude particular Attacks from your network definitions.
From the Security menu, select Signature Protection > Exclude Attacks. The Signature
Protection Attacks Excluded Addresses Configuration window appears.
2.
Click Create. The Signature Protection Attacks Excluded Addresses Configuration Create
window appears
3.
Parameter
Description
State
Action
4.
486
Behavioral DoS
The Behavioral DoS (B-DoS) module provides traffic anomaly detection and on-the-fly signature
creation for immediate DoS attack protection.
The B-DoS module detects and prevents network attacks from the public network by detecting
traffic anomalies preventing unknown flood attacks by identifying the footprint of the anomalous
traffic. The B-DoS module protects against Network Flood Attacks, which cause a great deal of
irrelevant traffic to fill available network bandwidth, denying the use of network resources to
legitimate users.
Network Flood protection types include:
SYN Flood
TCP Flood
UDP Flood
ICMP Flood
IGMP Flood
The B-DoS module utilizes known network traffic base lines for each protocol type (i.e., TCP,
UDP,ICMP and IGMP) and compares traffic anomalies with them.
The next step is identifying the attack footprint, which translates into an attack signature. This
module then configures a filter to protect the network according to the policy settings, and activates
the feedback module to optimize the signature and reduce false positives. Once the attack has
ceased, the feedback process is also responsible for removing the attack signature.
The Behavioral DoS module detects statistical traffic anomalies and creates an accurate attack
footprint (signature) based on heuristic protocol information analysis. This ensures accurate attack
filtering with few false-positives. The SYN flood protection provided by the B-DoS module is nonintrusive detecting attacks as they happen, cleaning the links from excessive traffic.
This security option contains these features:
487
Note: To configure the Behavioral DoS module, a B-Dos license is required in addition to the
DoS License.
From the Security menu select Behavioral DoS > Global Parameters. The Behavioral DoS Global
Parameters window appears.
2.
3.
Parameter
Description
Protection Status
From the Security menu select Behavioral DoS > Behavioral DoS Profiles. The Behavioral
DoS Profiles window appears.
2.
3.
Parameter
Description
Profile Name
488
Parameter
Description
Parameter
Description
Policy Name
Policy Profile
Policy Source
Address
Policy Destination
Address
Direction
Default: Any.
Default: Any.
Values:
source - destination (oneway)= default
source - destination and destination - source (twoways).
Inbound Physical
Port Group
Physical port group of the device that receives the inbound traffic.
State
Packet Report
Action
489
Note: You must configure network flood protection separately for TCP floods, UDP floods, ICMP
floods, and IGMP floods.
From the Security menu select Behavioral DoS > Advanced > Global Parameters. The
Behavioral DoS Advanced Settings window appears.
2.
Parameter
Description
Learning Response
Period
Defines the period upon which the baselines are primarily weighed.
If major structural changes occur in the network, such as major
bandwidth addition or reduction, new network-intensive applications
are installed, or other major network changes, then you should change
the Learning Response Period to day.
Values: day, week (default), month
Sampling Status
Footprint Strictness
When a new attack is detected, the B-DoS module generates on the fly
an attack signature to block the traffic anomaly created by the attack.
As there is no mechanism free of false positives, there is a trade-off in
this module between the false-positive rate and blocking rate.
Define the strictness level of the footprint, either:
Low: By setting the strictness to Low the device will perform best
attacks blocking, however the false positive ratio is increased.
Medium: Default
High: By setting the strictness to High, the false-positive ratio is
reduced to minimum, however there may be a higher chance that
attacks will not be blocked.
3.
490
Note: Dont forget to enter bandwidth values before you configure network protections.
Parameter
Description
Inbound Bandwidth Available bandwidth for inbound traffic. The value should be lower than
[Kbit/Sec]
the bandwidth of the circuit or the assigned inbound bandwidth from your
Internet Service Provider.
Default: 300,000
Outbound
Bandwidth [Kbit/
Sec]
Available bandwidth for outbound traffic. The value should be lower than
the bandwidth of the circuit or the assigned outbound bandwidth from
your Internet Service Provider.
Default: 300,000
491
From the Security menu select Behavioral DoS > Advanced > Learning Reset. The
Behavioral DoS Learning Reset window appears.
2.
Parameter
Description
3.
From the Security menu select Behavioral DoS > Advanced > Set Default Quota. The
Behavioral DoS Set Default Quota window appears.
2.
Note: You should always use the default quotas initially. Adjust quota values based on your
experience with your networks performance and usual protocol traffic characteristics.
From the Security menu select Behavioral DoS > Advanced >Quotas. The Behavioral DoS
Protocol Quotas window appears.
2.
3.
492
Parameter
Description
Direction
Set the quota limits for the percentage of total inbound and outbound
bandwidth for the TCP quota.
Parameter
Description
Set the quota limits for the percentage of total inbound and outbound
bandwidth for the UDP quota.
Set the quota limits for the percentage of total inbound and outbound
bandwidth for the ICMP quota.
Set the quota limits for the percentage of total inbound and outbound
bandwidth for the IGMP quota.
Bypass Footprints
Flood attacks commonly disrupt networks by using all or most of the available bandwidth.
You can configure AppDirector to detect and block network flood attacks by defining attack
footprints. Attack Footprints are selected fields in the packet header or payload. AppDirector
automatically detects the footprints and generates filters to protect against the attack
The following table displays the Footprint bypass types and values for each attack group.
Footprint Type
UDP
ICMP
TCP
IGMP
Default
Bypass
Values
Range
NR
Values cannot
be configured.
No values.
NR
NR
NR
0 - (2^32-1)
IP ID Number
0 - (2^16-1)
DNS ID
NR
NR
NR
0 - (2^16-1)
NR
NR
NR
Values cannot
be configured.
No Values.
DNS Qcount
NR
NR
NR
0 - (2^16-1)
Source Port
NR
NR
0 - (2^16-1)
Source IP
0.0.0.0.
255.255.255.25
5
ToS
1 - 255
493
Footprint Type
UDP
ICMP
TCP
IGMP
Default
Bypass
Values
Range
Packet Size
ICMP: 74 (60
L3)
0 - (2^16-1)
Destination Port
NR
nr
0 - (2^16-1)
Destination IP
0.0.0.0 255.255.255.25
5
NR
NR
0-255
TTL
0-255
Values cannot
be configured.
No Values.
From the Security menu select Behavioral DoS > Advanced > Footprint Bypass > TCP. The
Behavioral TCP Footprint Bypass window appears.
2.
Select a bypass field. The Behavioral TCP Footprint Bypass Update window appears.
494
Parameter
Description
Bypass Field
Bypass Status
Allows you to define the status of the bypass, from the dropdown list.
Values: Accept (default), Bypass
Bypass Values
495
From the Security menu select Behavioral DoS > Advanced > Footprint Bypass > TCP
SYN. The Behavioral TCP Syn Footprint Bypass window appears.
2.
Select a bypass field. The Behavioral TCP Syn Footprint Bypass Update window appears.
3.
Parameter
Description
Bypass Field
Bypass Status
496
Allows you to define the status of the bypass, from the dropdown list.
Values: Accept (default), Bypass
Parameter
Description
Bypass Values
497
Parameter
Description
Bypass Field
Bypass Status
Allows you to define the status of the bypass, from the dropdown list.
Values: Accept (default), Bypass
Bypass Values
4.
498
Connection Limit
The Dos-Shield module provides protection against known DoS attacks. To protect against unknown
flooding attacks, AppDirector implements the connection limit capability. This mitigates any kind of
TCP or UDP flood attack whether a half-open attack (SYN-attack), a connection attack or a request
attack.
This security option contains these features:
499
From the Security menu select Connection Limit > Profiles. The Connection Limiting Profiles
window appears.
2.
3.
4.
Parameter
Description
Connection Limiting
Profile
Connection Limiting
Attack
From the Security menu select Connection Limit > Policy. The Connection Limiting Policy
window appears.
2.
3.
Parameter
Description
Policy Name
Policy Profile
From the Policy dropdown list select the name of your profile created in
the Behavioral DoS Profiles window.
Policy Source Address Definition of the external network range to which the Policy is applied.
The range of IP addresses making up the protected network. You must
enter the Policy Source Address of the protected network to activate
protection. All defined protected hosts are automatically entered into
the network range.
Default: Any.
Policy Destination
Address
500
Parameter
Description
Direction
From the dropdown list select the direction of your policy, either:
Oneway (default) - Protects from attacks from the external to
internal (inbound traffic)
Twoway - Protects from attacks from external to Internal and from
Internal to external (outbound).
The physical port group of the device that receives the inbound traffic.
State
Action
Parameter
Description
ID
Attack Name
User-defined name for this attack. Attack Name is used when DoS Shield
sends information about attack status changes (read-only).
Destination App.
Port
Group of Layer 4 ports that represent the application that you want to
protect.
Protocol
Threshold
Maximum number of sessions per second that allowed for each Layer3
entity tracked by this attack any additional session is dropped. When
the threshold is reached an attack is identified and alert is sent.
Default: 10
501
Parameter
Description
Tracking Type
Defines how the device decides which traffic to block or drop, when under
an attack of this type.
Values:
Drop All (default): Use when each packet of the defined attack is
harmful. For example: Code Red and Nimda attacks.
Source Count: Select this option when the defined attack is sourcebased, meaning the hacker attack can be recognized according to its
source address. For example: Horizontal Port Scan, were the hacker
scans a certain application port (TCP or UDP) to detect which servers
are available on the network.
Target Count: Select this option when the defined attack is
destination-based, meaning the hacker is attacking a specific
destination such as a Web server. For example: Ping Flood and DDoS
attacks
Source and Target Count: Select this option when the attack type is a
source and destination based attack, meaning the hacker is attacking
from a specific source IP to a specific destination IP. For example:
Port Scan attack.
Action Mode
Risk
You can define the attack risk as High, Medium, or Low depending on the
severity of the damage that the attack can cause to your system.
Default: Medium
Tracking Time
502
Parameter
Description
Suspend Action
This enables you to define that for certain attacks, in addition to the
action defined in the attack, the device should also suspend traffic from
the IP address that was the source of the attack, for a period of time.
Values:
None: Suspend action is disabled for this attack.
SrcIP: All traffic from the IP address identified as source of this
attack will be suspended.
SrcIP, DestIP: Traffic from the IP address identified as source of this
attack to the destination IP under attack will be suspended.
SrcIP, DestPort: Traffic from the IP address identified as source of
this attack to the application (destination port) under attack will be
suspended.
SrcIP, DestIP, DestPort. Traffic from the IP address identified as
source of this attack to the destination IP and port under attack will
be suspended.
SrcIP, DestIP, SrcPort, DestPort. Traffic from the IP address and port
identified as source of this attack to the destination IP and port under
attack will be suspended.
Intrusions
Anomalies
Anti-Scanning
DoS/DDoS
The period for which a source is suspended is set according to the following algorithm:
The first time a source is suspended, the suspension time is according to the Minimal Aging Time
configured for the Suspend Table.
Each time the same source is suspended again the suspension length is doubled, until it reaches the
Maximum Aging Time set for the Suspend Table.
Once the suspension length has reached the maximum length allowed, it will remain constant for
each additional suspension.
This security option contains these features:
503
From the Security menu select Global > Suspend Table > Parameters. The Suspend Table
Parameters window appears.
2.
Parameter
Description
Length of time for which source IPs that are first-time offenders are
suspended.
Default: 10 seconds
If the number of entries for the same source IP is higher than this
threshold all traffic from this source IP is suspended (this can happen
when Suspend Action is not set to SrcIP only)
Default: 4
3.
Security Reporting
A security event is an attack or a protocol anomaly. You can configure each device to alert you
whenever a security event takes place.
When an attack is detected, the device creates a security event that includes the information
relevant to the specific attack. Once an event has been created, the device reports it in the following
ways:
SNMP traps.
You can enable the reporting channels used by Radware devices to receive information about
security events. You can also set the device to report detected attacks based on various risk levels.
504
Parameter
Description
Report Interval
Number of seconds that defines frequency in which the reports are sent
though the reporting channels.
Default: 5
Report Per-Attack
Aggregation
Threshold
Sets the number of events for a specific attack during a reporting interval
before the events are aggregated to a report.
Default: 5
Note: When the number of generated events exceeds the Report
Aggregation Threshold value, the IP value of the event appears
as 0.0.0.0, which indicates "Any."
Terminal Echo
Email Sending
505
Parameter
Description
All events and alerts are logged in an all-purpose cyclic Log File. The Log
File can be obtained at any time but its size is limited. When the number
of entries is beyond the permitted limit, the oldest entries are
overwritten. You are notified about the status of Log File utilization.
Notifications appear when the file is 80% utilized and 100% utilized.
Values: Enable/Disable (default)
3.
NetForensics
netForensics is a Security Information Management (SIM) that gathers information from various
security equipment in the network and provides analysis tools and a unified view of network
security. netForensics supports the collection of security events generated by Radware devices.
From the Security menu, select Reporting > NetForensic. The NetForensic Reporting
Configuration window appears.
2.
Parameter
Description
Reporting Status
Agent IP Address
Agent Port
3.
Parameter
Description
506
Parameter
Description
All events and alerts are logged in an all-purpose cyclic Log File. The Log
File can be obtained at any time.
The size of Log File is limited. When the number of entries is beyond the
permitted limit, the oldest entries are overwritten. You are notified
regarding the status of the Log File utilization. The notifications appear
when the file is 80% utilized and 100% utilized.
Values: Enable/Disable (default)
Parameter
Description
Choose Type
Seconds
Enter the number of seconds (retroactive from the current time) for the
report.
To The size of Log File is limited. When the number of entries is beyond the permitted limit, the
oldest entries are overwritten. You are notified regarding the status of the Log File utilization.
The notifications appear when the file is 80% utilized and 100% utilized.view alerts
1. From the Security menu, select Reporting > Security Log > Show. The Security Log File
window appears.
2. From the Logfile Table, click on the Attack Index number to view the event parameters of the
attack. The Security Log File Update window appears, showing the event parameters.
507
Parameter
Description
Attack Index
Radware ID
Attack Name
Attack Source Address The IP address from which the attack arrived.
Attack Destination
Address
Message Type
Attack Time
Source Port
Destination Port
Context
Protocol
Physical Port
VLAN Tag
VLAN Tag information, according to which you can generate reports for
each customer by using the customer's VLAN Tag value. A value of "0"
in this field indicates that the VLAN Tag is not available.
Note: AppDirector on Application Switch 4 does not support VLAN
Tagging, and a value of "0" is always placed.
Category
Policy Name
Packet Count
The number of packets in the attack since the latest trap was sent.
Byte Count
Action
508
Parameter
Description
Report Mode
Risk
How dangerous the attack is: High, Low, Medium, Not Available.
Attack Database
The Dormant Attacks database is a list of attacks supplied by Radware. These attacks provide
constant protection against all recent DoS attacks. Each attack includes protection filters that are
configured to detect and block malicious packets. You can use these attacks to define prevention
profiles. Most existing DoS attacks can be prevented using Radware attacks.
509
From the Security menu, select Attack Database > Send to Device. The Send to Device
window appears displaying the current Attack Database version of the device.
2.
From the File field, type the name of the file, or click Browse to navigate to the relevant file.
3.
Click Set.
Parameter
Description
Name
Classification Point
Defines what type of traffic flow we are going to limit via this policy.
The available options are:
Client (source IP).
Session (source IP and port).
Connection (source IP and destination IP).
FullL4Session (source and destination IP and port).
SessionCookie (must configure cookie identifier).
When the Traffic Flow Max BW parameter is configured, and the Traffic
Flow Identification parameter is set to Session Cookie, the device can
track and limit the number of requests, such as HTTP GET or Post or
HEAD per Cookie.
String that identifies the cookie field whose value must be used to
determine the different traffic flows.
Note: This is required only when Traffic Flow Identification is set to
SessionCookie. The BWM classifier searches for the Cookie
Field Identifier followed by = and classifies flows according
to value.
510
Parameter
Description
Policy Group
Inactivation Schedule
Note: For all the policies associated with a policy group, the Guaranteed Bandwidth parameter
must be set to a value greater than 0 and Borrowing Limit parameter to 0. The Dynamic
Borrowing global parameter must be enabled.
511
4.
Parameter
Description
Port Index
Port Bandwidth
(kbps)
From the BWM menu select Miscellaneous > Cancel Classification Per Port. The Cancel
Classification Per Port window appears.
2.
3.
Parameter
Description
Inbound Port
Outbound Port
Direction
Direction of traffic flow through each port. Values can be Oneway, the
traffic flows in through the Inbound Port and out through the Outbound
Port, or Twoway, the traffic flows both ways through both ports.
Update Policies
In case you edit the parameters of a basic filter or an advanced filter, which is bound to the existing
policy, you need to update the policy with the recent changes.
From Security menu, select Update Policies. The Activate Latest Changes window appears.
2.
Packet Anomalies
To avoid detection, hackers use evasion techniques, such as splitting packets and sending attacks in
fragments. An attack that contains fragmented packets is called a Protocol Anomaly attack. These
attacks are detected and blocked.
512
Parameter
Description
ID
Displays the selected ID number of the packet selected from the table.
Name
Displays the name of the Packet Anomaly according to what was selected
in the Packet Anomalies table.
Action
From the dropdown list, define the action for the Packet Anomaly, select
either:
Forward: Selecting Forward means that the packet is allowed to pass
through the device without inspection.
Drop: Selecting Drop means that the Packet is dropped.
Risk
Define the risk for the Packet Anomaly according to your preference.
Values: Info, Low, Medium, High
Parameter
Description
Name
From Port
To Port
Group Type
513
Notes:
>> To define a group with a single port, set the same value for the From Port and To Port
parameters.
>> To associate a number of ranges with the same port group, use the same group name
for all the ranges that you want to include in one group.
4.
From the Classes menu, select Modify Appl Port Groups. The Modify Appl. Port Groups Table
window appears.
2.
Click on the application name. The Modify Appl. Port Groups Table Update window appears.
Proceed from step 3.
From the Classes menu, select View Active > Appl Port Groups. The Active Application Port
Groups Table window appears.
2.
Select the desired name. The Active Application Port Groups Table Update window appears with
read-only parameters. See To create the Modify Appl. Port Groups Table parameters, page 513.
From the Classes menu select Modify > MAC Groups. The Modify MAC Address Groups Table
appears.
2.
Click Create. The Modify MAC Address Groups Table Create window appears.
3.
4.
514
Parameter
Description
Group Name
MAC Address
Note: This is applicable only when the 802.1q parameter is set to Enabled. Classifications
performed according to the tag of the received packet.
Parameter
Description
Group Name
Inbound Port
The inbound port for this group. Values can be a port number or Any.
515
From the Classes menu select Modify >Port Groups. The Modify Physical Port Groups Table
window appears.
2.
Select Create. The Physical Port Groups Table Create window appears. Proceed as step 3.
Caution: It is strongly advised that Application Security tuning only be performed after
consulting Radware Technical Support.
From the Services menu, select Tuning > Security > Application Security. The Application
Security Tuning window appears.
2.
Parameter
Description
Source Table
The current number of entries in the Source Table that contains attacks
detection mechanism, which is based on the source addresses of the
incoming traffic.
If the number of packets sent from the same source is above the
predefined limit, this is identified as an attack.
The Source Table tuning parameter defines in how many sessions to
check the source address.
Target Table
Represents the current size of the table for destination entries. This
table contains attacks detection mechanism, which is based on the
destination addresses of the incoming traffic.
If the number of packets sent to the same destination is above the
predefined limit, this is identified as an attack.
The Target Table tuning parameter defines in how many sessions to
check the destination address.
516
The size of the table for destination entries that you define. The
settings are applied after reset.
Represents the current size of the table for both source and destination
entries, which are counted as one.
The size of the table for both source and destination entries that you
define. The settings are applied after reset.
Parameter
Description
DHCP Table
The current number of entries in the DHCP Table that contains attacks
detection mechanism based on counting of IP requests for each MAC
address.
The requests are made using the Dynamic Host Configuration Protocol.
When the number of IP requests for a particular MAC address is above
the predefined limit, an attack is identified.
The DHCP Discover tuning parameter determines for how many MAC
addresses to check the number of IP requests.
Maximal number of
groups to be defined
by user
Maximal number of
groups to be defined
by user after reset
Maximal number of
attacks to be defined
by user
Maximal number of
attacks to be defined
by user after reset
IP Reassembly buffers Current allotted memory, in MB, of the IP Reassembly buffers pool.
pool size [MB]
IP Reassembly buffers Allotted memory, in MB, of the IP Reassembly buffers pool after reset.
pool size after reset
[MB]
Maximal number of
entries in NCPF table
Maximal number of
entries in NCPF table
after reset
Maximum number of entries that can be defined in the NPCF table after
reset.
Maximal number of
srcIPs in Suspend
Table
Maximal number of
srcIPs in Suspend
Table after reset
Maximal number of
Maximum number of entries that can be defined in the Anti-Scanning IP
Anti-Scanning IP pairs pairs table.
Table
Maximal number of
Maximum number of entries that can be defined in the Anti-Scanning IP
Anti-Scanning IP pairs pairs table after reset.
Table after reset
3. Click Set. Your preferences are recorded.
517
Note: Each time you update a value for a Behavioral DoS, you can check whether there is
enough free memory for the requested value.
From the Services menu, select Tuning > Security > Behavioral DoS. The Behavioral DoS
Tuning Parameters window appears.
2.
3.
518
Parameter
Description
Maximal number of
Behavioral DoS
policies
Maximal number of
Behavioral DoS
policies after reset
Term
Definition
802.1Q Trunking
Active-Active
Active-Backup
519
Term
Definition
Application
Delivery
Controller (ADC)
Application
Delivery Network
AND Group
520
Term
Definition
Anycast
API
AppDirector
(Radware)
521
Term
Definition
Application
Delivery
Controller
(Radware)
Application
Grouping
Application Grouping allows you to select the next hop routers to handle traffic
destined for a specific application port.
APSolute
Operating System
The APSolute Operating System is the operating system for the Radware
ASIC-based Application Switches. The AppDirector is based on Radwares
APSolute Operating System.
ARP
Address Resolution Protocol (ARP) is the standard Layer 2 method for finding a
host's hardware address (MAC) via its network layer address (IP).
A client station broadcasts an ARP request onto the network with the IP
address of the target node it wishes to communicate with, and the node with
that address responds by sending back its physical address so that packets
can be transmitted. ARP returns the layer 2 address for a layer 3 address.
Due to the overwhelming prevalence of IPv4 and Ethernet, ARP is primarily
used to translate IP addresses to Ethernet MAC addresses. It is also used for
IP over other LAN technologies, such as Token Ring, FDDI, or IEEE 802.11,
and for IP over ATM.
522
Term
Definition
ARP, Fake
ARP, Gratuitous
A Gratuitous ARP is an ARP broadcast sent out by a device for the sole purpose
of keeping other devices informed of its presence on the network.
ARP Table
ARP table contains the destination MAC address for each destination IP.
Authority DNS
Server
Authority DNS Server - any DNS server that contains a complete copy of the
domain's zone file is considered to be authoritative for that domain only. A
complete copy of a zone file must have:
A valid Start of Authority (SOA) record
Valid Name Server (NS) records for the domain
The listed NS records should match the servers listed in the SOA record.
Servers listed in the zone file, but not in the SOA record are called lame
servers.
It is considered standard practice to have a primary authoritative DNS server
(the first server on your list) and a secondary authoritative DNS server/s (all
other servers on your list).
The secondary and primary servers should be on different IP subnets and the
hardware should be located in different physical locations, for safety and
redundancy purposes. A secondary server can, and should be, authoritative
for any domain for which it performs secondary authoritative resolution.
Backup in VLAN
In Regular VLAN configuration, the device that is inactive can cause broadcast
storms and lead to loops. Backup in VLAN, when enabled, prevents loop
creation.
BER
Basic Encoding Rules (BER) are a set of ASN.1 encoding rules that define a
specific way in which information may be encoded in a binary form. It is used
as the underlying mechanism for encoding LDAP messages.
523
Term
Definition
BGP
The Border Gateway Protocol (BGP) routing protocol, defined in RFC 1771,
provides loop-free inter-domain routing between Autonomous Systems (AS is
a set of routers that operate under the same administration).
BGP is often the protocol used between gateway hosts on the Internet and is
also often run among the networks of Internet service providers (ISPs).
Hosts using BGP communicate using the Transmission Control Protocol (TCP)
and send updated router table information only when one host has detected a
change. Only the affected part of the routing table is sent.
Binding
Binding is the process by which protocols are associated with one another and
the network adapter to provide a complete set of protocols needed for
handling data from the application layer to the physical layer. For example, the
configuration of a Load Balancer to associate certain servers with certain
applications.
Binding, Delayed
Delayed Binding (TCP splicing), is the delaying of the connection between the
client and the server until sufficient information is acquired to make a routing
decision. Some application switches and routers delay binding the client
session to the server until the proper handshakes are completed.
BOOTP
Bridging
Bridge Forwarding
Table
524
This lists the MAC addresses of frames arriving from each physical interface.
Term
Definition
Broadcast Domain
A Broadcast Domain is a set of all devices that will receive broadcast frames
originating from any device within the set.
Broadcast domains can be bounded by VLANs in a stand-alone environment.
In an internetworking environment, they are bounded by routers because
routers do not forward broadcast frames.
Class
Client NAT
Address table
Client NAT Address table - defines the addresses that are available for the
AppDirector to choose from to perform NAT.
Client Table
(Radware)
The NAT addresses are also configured in ranges. The maximum number of
configurable NAT addresses depends on the value of the NAT Addresses table
parameters.
The Layer 3 Client table contains information about the server selected for
each client (Source IP address) in each farm, defined as a percent of the Client
Table size.
If AppDirector finds that a request exists in the Client Table the request is
directed to the server recorded in the table. If an entry does not exist, a farm
is selected according to the service requested, and a server is selected
according to load balancing considerations or according to the Layer 7
Persistency info, The selected server is recorded in the table.
Once an entry is created in the Client Table, all subsequent packets that arrive
from the client to a farm are forwarded to the server recorded in the entry.
Client Table,
Mirrored
A Mirrored Client Table is the internal table used by a Backup device to store
the Client session information mirrored by the Active device.
Cluster
525
Term
Definition
Cookies, HTTP
HTTP cookies are parcels of text sent by a server to a user via a web browser
to allow the server to store its own information about a user and then sent
back unchanged by the browser each time its client accesses that server.
HTTP cookies are used for authenticating, tracking, and maintaining specific
information about users, such as site preferences and the contents of their
electronic shopping carts.
When a user initiates a connection to the server, a new TCP connection is
established with the server and an HTTP request is sent. A cookie-enabled
server processes the HTTP request and sends the user an HTTP response
containing a Set-Cookie HTTP Header with the relevant cookie. Once the client
receives the cookie in the HTTP response, it stores it locally (unless configured
to ignore cookies), usually in a form of a text file. Multiple Set-Cookie Headers
may be used in an HTTP reply.
A Set-Cookie header contains the following information:
Cookie name and value, in the format of key=value, (minimum character
length is 1).
A comment (optional).
A domain name, which always starts with a leading dot (optional).
The expires parameter, which indicates the maximum age of the cookie
(optional). When not specified in the Set-Cookie Header, the browser
deletes the cookie as soon as the browser is closed.
Cookie, Session
Cookie, Persistent
DHCP
526
Term
Definition
DNS Resolution
Dynamic Cookies
Dynamic Routing
Dynamic IP
Address
Dynamic
Proximity Table
527
Term
Definition
Element, Checked
Failover
Farm (Server )
Farm Profile
Filter, Basic
Filter, Basic is a regular filter which defines the criteria for classifying traffic.
A filter can consist of Layer 2 - Layer 7 classifying criteria, part of the classes
database
Force Port Down enables the temporary forcing down electrically of physical
ports belonging to a VLAN when the VLAN is disabled due to Interface
Grouping activation.
This allows the switches connected to these ports to clear their MAC tables and
prevent them from continuing to send traffic to the wrong AppDirector device;
this problem is relevant mainly for Regular VLANs.
This capability is supported only in VRRP configuration.
528
Term
Definition
FTP
File Transfer Protocol (FTP) is a protocol for exchanging files over the Internet.
FTP works in the same way as HTTP for transferring Web pages from a server
to a user's browser and SMTP for transferring electronic mail across the
Internet in that, like these technologies, FTP uses the Internet's TCP/IP
protocols to enable data transfer. FTP is most commonly used to download a
file from a server using the Internet or to upload a file to a server (e.g.,
uploading a Web page file to a server).
Full Duplex
Gateway
Global Solution
Group Health
Check
Group Health Checks enables the creation of complex health conditions for
Checked Elements.
For instance, consider a Web server that communicates with one of two
database servers and uses one of two routers to provide service. This Web
server is bound using three different binding groups:
One contains Health Checks for the two routers (each check is nonmandatory).
Another contains Health Checks for the database servers (each check is
non-mandatory).
The third contains the Health Checks for the Web server.
As long as one of the database servers and one of the routers are active, and
the Web server Health Check passes, the Web server is considered active.
Otherwise, the Health Monitoring module determines that the Web server is
unable to provide the required service.
529
Term
Definition
Group, Server
Hardware Load
Balancer
Health Check
A Health Check defines how to test the health of any network element (not
necessarily a Checked Element).
A check configuration includes such parameters as the Check Method, the
TCP/UDP port to which the test is sent, the time interval for the test, its
timeout, the number of retries, and more. A network element can be tested
using one or more Health Checks.
Health Checking,
Advanced
Health Monitoring
High Availability
530
Term
Definition
Hop
A hop is the trip that a data packet takes from one router to another as it
traverses a network on the way to its destination.
ICMP
IDN
Interface
Grouping
Interface,
Hardware
(Physical)
Interface, Physical
(Radware)
531
Term
Definition
Interface, IP
Physical
IP Interface
(Radware)
This address belongs to AppDirector and is used for SNMP management and/
or routing purposes.
IP Address,
Physical
IP Forwarding
Table
The IP Forwarding Table contains the destination MAC address and port for
each destination IP address.
IP Routing
IPCS
IPCM
LAN
A MAC address is searched in this table before it is searched in the ARP table.
532
Term
Definition
Layer 4
Classification
Layer-4-7
Switching
Layer-7 Switching
Layer 7
Classification
Rule
Layer 7 Data
Modification
TCP and UDP are the most used Layer 4 protocols and their headers contain
the information required to make an intelligent switching decision. For
example, the HTTP protocol normally runs on TCP Port 80. Radwares Traffic
Redirection can make the decision to prioritize, block or redirect traffic based
on, for example, TCP or UDP port numbers.
533
Term
Definition
LDAP
Layer 7 Methods
Layer 7 Methods are used to classify Layer 7 traffic, such as URLs, cookies,
etc. A Layer 7 Method must be bound to a Layer 7 Classification rule in order
for it to be used in a Traffic Redirection rule and the same Layer 7 Method can
be reused on multiple devices.
License, Cookie
Persistency
Link Aggregation
534
Term
Definition
Load Balancing
Load Balancing,
Software
Load Balancing,
Hardware
535
Term
Definition
Load Balancing,
Clustering
Load Distribution
Load Balancer
Capacity
Load Balancer Capacity - Load Balancers are network devices, but they have
more in common with Web servers when it comes to performance
characteristics. Web servers are measured in connections per second, while
routers and switches are measured in pure throughput (bits per second).
The most important performance metric for load balancers is connections per
second. The work involved in accepting and establishing a TCP session,
potentially parsing the HTTP header, and forwarding the traffic to another Web
server, is substantial when compared with the relatively easy task of
throughput. Throughput is dependent on the speed of the network interface
(Fast Ethernet: 100Mbps or Gigabit Ethernet: 1,000Mbps).
536
Term
Definition
Load Sharing
Load Sharing utilizes multi-path routing to allow a source to use any of several
paths to a particular destination at any given time.
Multi-path routing has several advantages as compared to single-path routing,
including smoothing out the traffic, load balancing, supporting QoS, improving
reliability, and enhancing the privacy of the information being sent.
In a Load Sharing Gateway Cluster, all machines in the cluster filter packets,
providing transparent failover to any of the other machines in the cluster and
enhanced reliability and performance.
Load Sharing is also known as Active/Active.
Logical Server
LRP
Load Report Protocol (LRP) is used by AppDirectors to report their status and
load to other AppDirectors and to the Global AppDirector. The redirection
decisions which each global AppDirector makes are based on load, availability
and proximity.
MAC
The Media Access Control (MAC) address is your computer's unique hardware
number. On an Ethernet LAN, it is the same as your Ethernet address.
When connected to the Internet, a correspondence table relates your IP
address to your computer's physical (MAC) address on the LAN.
The MAC address is used by the Media Access Control sublayer of the DataLink Layer (DLC) of telecommunication protocols. There is a different MAC
sublayer for each physical device type. The other sublayer level in the DLC
layer is the Logical Link Control sublayer.
MIB
MIME
Mirroring
537
Term
Definition
Mirroring
(dynamic client
tables)
Monitor
A Monitor verifies connections and services on nodes that are members of load
balancing pools. A monitor can be either a health monitor or a performance
monitor, to check the status of a node or service on an ongoing basis, at a set
interval.
Multi-homing
Multiplexing
NAT
NAT, Client
Client NAT - AppDirector uses this parameter to hide the IP addresses of the
clients from the servers.
The original Source IP of a request is replaced by the configured NAT IP and
port before forwarding the request to the server.
The Client NAT feature is used when, for example, the client and the server
are on the same subnet, so that the IP address of the client must be hidden. If
it is not, servers may send replies directly to clients, rather than sending them
through AppDirector.
NAT, Dynamic
538
Term
Definition
NAT, Outbound
NAT, Overlapping
NAT, Pooled
Pooled NAT is similar to Port Address Translation (PAT) except there is a oneto-one mapping of addresses; the number of inside network clients is the
same as the number of outside network IP addresses.
The NAT router has a pool of available IP addresses, and each client receives
its own IP address when it requests a NAT translation. The next available IP
address is selected each time that the client requests a translation.
NAT, Server
NAT, Static
Static NAT is a type of NAT in which client requests with private IP addresses
are mapped to a fixed public IP address (for example, the case of an email
server).
This allows an internal host, such as a Web server, to have an unregistered
(private) IP address and still be reachable over the Internet.
Networks
539
Term
Definition
Network (Scalefree)
Network Layers
(OSI Model)
NHR
NHRP
Next Hop Resolution Protocol (NHRP) is a protocol or method to find the most
direct route (the fewest number of hops) to the receiving computer. NHRP
informs the source of the most direct path to the closest router to the
destination.
NHRP is a query-and-reply protocol that builds a network knowledge table
that can be used for all subsequent traffic, and send packets directly to the
destination computer.
NMS
NTP
The Network Time Protocol (NTP) is a protocol for synchronizing the clocks of
computer systems over packet-switched, variable-latency data networks.
NTP uses UDP port 123 as its transport layer. It is designed particularly to
resist the effects of variable latency (jitter buffer).
540
Term
Definition
On Demand
Switch
OR Group
OSPF
Open Shortest Path First (OSPF) is a dynamic routing protocol used within
large IP networks.
Using OSPF, a host that obtains a change to a routing table or detects a
change in the network, immediately multicasts the information to all other
hosts in the network so that all will have the same routing table information.
Unlike the RIP in which the entire routing table is sent, the host using OSPF
sends only the part that has changed. With RIP, the routing table is sent to a
neighbor host every 30 seconds. OSPF multicasts the updated information
only when a change has taken place.
Out-of-band
Monitoring
Outbound NAT
Intercept
Addresses Table
The Outbound NAT Intercept Addresses table lists networking elements with
source addresses that have been NATed.
Packet, Network
PAP
PAT
541
Term
Definition
PBNM
Persistency
Persistency, HTTP
HTTP persistency can mean either that AppDirector allows multiple HTTP
requests within a single TCP session, or that AppDirector restricts the TCP
session to a single HTTP request.
The latter is required when the customer cannot guarantee that a single server
can serve all requests within a single TCP session, for example, when different
farms serve different file types.
Persistence,
Session
Session Persistence (aka sticky connection, because client must stick to the
same server for all sessions) is when the Load Balancer sends all connections
from a gvien client to the same server.
Ping
Port Group,
Application
542
An Application Port Group combines Layer 4 ports for UDP and TCP traffic only.
Each group is identified by its unique name. Each group name can be
associated with a number of entries in the Application Port Groups table.
Term
Definition
Port Groups,
Physical
Port Group,
Physical Inbound /
Outbound
Port Group,
Source /
Destination
Source / Destination Port Groups are intended for UDP and TCP traffic only.
Port Mirroring
Port Mirroring enables the AppDirector device to duplicate traffic from one
physical port to another physical port on the same device.
For example, when an Intrusion Detection System (IDS) device is connected
to one of the ports on the AppDirector device, you can configure port mirroring
for received traffic only, for transmitted traffic only, or for both. You can also
decide whether to mirror the received broadcast packets.
Port Trunking
Profile, Load
Balancing
Protocol
Discovery
Each server farm can have only one profile, although a Load Balancing profile
can be applied to other farms.
Protocol Port
543
Term
Definition
Proximity
Proxy Redirection
Proxy Redirection uses the Client NAT mechanism to redirect traffic to another
server or site, while ensuring that the return traffic flows through the
AppDirector that received the original request.
PRP
Physical Servers
RADIUS
544
Term
Definition
RED
Redirection,
Global
(Radware)
545
Term
Definition
Redirection
Methods, Global
Redundancy (in
Load Balancing)
Redundancy,
Physical & Virtual
IP addresses
546
Term
Definition
Redundancy,
(Radware)
Regular
Expression
Requests Table
REXEC
Remote Exec (rexec), like rsh allows you to execute non-interactive programs
on another system.
The difference between rsh and rexec is that rexec requires you to specify a
valid password for the other system and rsh does not.
The other system must be running a remote exec daemon (rexecd) to handle
the incoming rexec command. Most Unix and Linux systems include a remote
exec daemon, but Windows does not.
547
Term
Definition
RIP
Router
Router, Neighbor
Routing Engine
(RE)
Routing Services
(RS)
Radware Routing Services (RS) deals with Client Table Aging, HM, Statistics,
SNMP (management), Dynamic routing, ARP, ICMP, Proximity.
Routing Table
548
Term
Definition
RSH
Remote Shell (rsh) [aka remsh or rcmd] allows you to execute non-interactive
programs on another system.
RSH executes the command on the other system and returns the program's
standard output and standard error output. The other system must be running
a remote shell daemon (rshd) to handle the incoming rsh command.
Unix and Linux systems include a remote shell daemon, but Windows does
not.
RTP
RTSP
SCTP
Server Group
Session
Session ID
549
Term
Definition
Session ID Table
The Session ID table contains the Session IDs collected from server replies
when Session ID Persistency is active.
SNMP
SNMP Community
Name
SOA
SOAP
Simple Object Access Protocol (SOAP) is the standard for web services
messages.
Based on XML, SOAP defines an envelope format and various rules for
describing its contents. With WSDL and UDDI, it is one of the three foundation
standards of web services.
Socket
550
Term
Definition
SSL Acceleration /
Offloading
With SSL Offloading, the cryptography is performed with the load balancers
main processor. SSL Offloading is less expensive, because no additional
hardware is required. However, because CPU-intensive cryptographic functions
are done on the general processor, the number of SSL connections a given
device can handle is limited
With SSL Acceleration, the cryptography is done on a separate SSL accelerator
card (usually an installed PCI card), enabling even a modest box to handle
thousands of SSL transactions per second.
You can perform cookie-based persistence, even on an SSL connection.
Without SSL offloading/acceleration, the load balancer cannot see the HTTP
headers, which contain the cookie that is used for persistence.
If you terminate the SSL session at the load balancer, the HTTP headers are
then viewable by the load balancer. With SSL acceleration, you get the ability
to do cookie persistence on Secure-HTTP traffic, and the performance increase
that hardware acceleration gives you.
SSO
Shared Object
SSL
SSL Table
Stateless Load
Balancing
Stateful Load
Balancing
Stateful Load Balancing detects session initiation and termination and uses
load-distribution method to determine the destination server. All subsequent
packets received for that session are sent to the same destination server until
the session is terminated.
To do this, the Load Balancer keeps a session table and creates an entry when
a new session is initiated, then removing the entry when the session is
terminated.
551
Term
Definition
Stateful Failover
Stateful
Inspection
Stateful Inspection ensures that transmission and application stateful rules are
enforced according to the protocol RFCs.
Switch, LAN
A LAN Switch is a network device that consists of multiple ports that connect
LAN segments (Ethernet and Token Ring) and a high-speed port (such as 100Mbps Ethernet, Fiber Distributed Data Interface [FDDI], or 155-Mbps ATM).
The high-speed port, in turn, connects the LAN switch to other devices in the
network.
A LAN switch has dedicated bandwidth per port, and each port represents a
different segment. For best performance, network designers often assign just
one host to a port, giving that host dedicated bandwidth of 10 Mbps, as shown
in Figure 123, or 16 Mbps for Token Ring networks.
Switch, Network
Super Farm
TCP/IP
Traffic, Network
552
Traffic is data transmitted over a network. Traffic is a very general term and
refers to overall network usage at a given moment, although it can refer to
specific transactions, messages, records or users in any kind of data or
telephone network.
Term
Definition
TFTP
Trivial File Transfer Protocol (TFTP), a simple form of the File Transfer Protocol
(FTP), TFTP uses the User Datagram Protocol (UDP)and provides no security
features. It is often used by servers to boot diskless workstations, X-terminals,
and routers.
Traffic Redirection
Policy
A Traffic Redirection Policy is a set of rules with Layer 4 and Layer 7 conditions
that directs requests to the appropriate server farms.
Traffic Redirection
Rule
Traffic Shaping
Trunk
Trunks main purpose is to carry traffic between switches and maintain VLAN
information.
Unlike an access link, the trunk link does not belong to a single VLAN but
instead can carry traffic from several VLANs over a point-to-point link between
two devices that understand the protocol. Because a trunk is a point-to-point
connection between two switches, it is very efficient and highly recommended
that it runs in full-duplex mode.
Trunk Port
TTL
TTS
553
Term
Definition
UDP
URL Parsing
Virtual DNS
Virtual IP
Virtual Server
A Virtual Server with its virtual address is the visible, routable entity through
which nodes in a load balancing pool are made available to a client, either
directly or indirectly, through a rule.
554
Term
Definition
VLAN
VLAN, Regular
(Radware)
VLAN Interface
555
Term
Definition
VLAN Tag
VoIP
VoIP/SIP
VRID
556
Term
Definition
VRRP
Weight, Server
557
558
"of despair$": Matches a string that ends in the substring "of despair"
"^abc$": A string that starts and ends with "abc" this can only be "abc"
If neither of the two characters is used (as in the last example), this means that the pattern may
occur anywhere within the string and is not "hooked" to any of the edges.
Symbols '*', '+', and '?' indicate the number of times a character or a sequence of characters
may occur. These symbols mean "zero or more", "one or more", and "zero or one", respectively.
For example:
"ab*": Matches a string that has an a followed by zero or more b's ("a", "ab", "abbb", etc.)
Bounds can also be used. Bounds are defined inside the brace brackets and indicate ranges in the
number of occurrences:
"ab{2}": Matches a string that has an a followed by exactly two b's ("abb");
"ab{2,}": Matches a string that has at least two b's ("abb", "abbbb", etc.);
"ab{3,5}": Matches a string that has from three to five b's ("abbb", "abbbb", or "abbbbb").
The first number of a range must always be specified, for example: "{0,2}", not "{,2}").
Symbols '*', '+', and '?' denote the same as bounds "{0,}", "{1,}" and "{0,1}",
respectively.
To quantify a sequence of characters, they must be defined within parentheses:
"a(bc)*": Matches a string that has an a followed by zero or more copies of the sequence
"bc";
"(a|b)*c" is a string that has a sequence of alternating as and b's ending with c.
"a.[0-9]": Matches a string that has an a followed by a single character and a digit.
Bracket expressions specify which characters are allowed in a single position of a string:
559
You can also list the characters which you do not want to appear in the string. Use a '^' as the first
symbol in a bracket expression. For example:
"%[^a-zA-Z]%" matches a string with a character that is not a letter, between two percent
signs.
To take the characters "^.[$()|*+?{\" literally, they must follow a backslash ('\'), to denote
they have a special meaning. This includes the backslash character itself.
Remember that bracket expressions are an exception to the above rule. Within brackets, all special
characters, including the backslash ('\'), lose their special meanings. For example, "[*\+?{}.]"
matches precisely any of the characters within the brackets.
560
Appendix C Troubleshooting
This appendix provides:
Diagnostic Tools
This section contains common Diagnostics tools to use with AppDirector and contains these topics:
When the device does not operate as expected and traffic is not redirected according to configured
policies, you must diagnose the system to understand the problem, or to help provide Radware with
more information. System administrators can use the following Diagnostics tools:
Diagnostics Trace-Log
Traffic Capture
Diagnostics Trace-Log
Understanding the traffic flow within the device is an important stage in the diagnostic process.
Using the Diagnostics Trace-Log feature, system administrators can trace traffic passing via the
device to understand the flow of packets. To pinpoint the source of the problem, Diagnostics TraceLog allows differentiating between various application modules. For example, you can trace the
Health Monitoring Module to understand why a specific check fails.
Note: In this version, Diagnostics Trace-Log is provided for APSolute OS generic modules only
(Health Check, Bandwidth Management), not for AppDirector specific functionality.
When using the Diagnostics Trace-Log, you can configure the message format using the following
parameters:
561
Line Number -the line number in the source code (used by Radware's R&D).
Packet ID - an ID given by the device for each packet. This allows seeing the packets order.
Task Name - The name of the specific task of the traced module.
>> The trace-log module is also used as a logging mechanism. When the trace-log feature is
enabled the device will write logs for two scenarios, Packet Flow and Log File. In both
cases the messages are written to the same log file.
>> Packet flow for each packet, logs are written describing the actions the device took
regarding this packet.
>> Log file this is a regular log file as found in other (not Radware) applications. Each
module in the device writes it own logs. In this case there is no direct connection
between the logs written to the traffic passing through the device. For example, if the
log severity level of the BWM module is set to Info the BWM module will write a message
to the log each time the user enable/disable the BWM feature.
From the Services menu, select Diagnostics > Trace-Log > Parameters. The Diagnostics
Trace Tool Configuration window appears.
2.
Parameter
Description
Status
Output To Sys-log
Server
Output To File
Output To Terminal
3.
562
Parameter
Description
Date
Time
Platform Name
File Name
Line Number
Packet Id
An ID assigned by the device to each packet. This enables you see the
order of the packets.
Module Name
Task Name
Trace-Log Modules
The Trace Modules window allows you to view the results of the debug trace process according to the
application modules employed by the device. Differentiating between various application modules in
the debug process helps to pinpoint the source of the problem. For example, you can trace only the
Health Monitoring Module to understand why a specific check fails.
Parameter
Description
Name
Status
Severity
3. Click on the relevant name from the table. The Traced Modules Update window appears.
4. Click Set. Your configuration is set.
563
Traffic Capture
Traffic Capture allows system administrators to capture the traffic passing via the device and traffic
that is generated by the device. The capture is saved in a TCPDUMP format for later analysis.
For remote administration and debugging, it is also possible to send the output of the Traffic
snapshots to the terminal (CLI / Telnet and SSH).
System administrators may also configure the capture point - when the packet reaches the device,
when packet leaves the device or in both cases. This allows better understanding of the traffic flow
in case the device manipulates the packet, due to NAT, Traffic from VIP to real server, etc.
Traffic Captures allow you to capture the traffic passing via the device and traffic that is generated
by the device. Captured traffic can be saved in a TCPDUMP format for later analysis. For remote
administration and debugging it is also possible to send the output of the Traffic Captures to the
terminal (CLI / Telnet and SSH). You can configure the capture point. Using the snapshot point you
can capture packets that reach the device, packets that leave the device or both. This allows better
understanding of the traffic flow in case the device manipulates the packet, due to NAT, Traffic from
VIP to real server etc.
From the Services menu, select Diagnostics > Capture > Parameters. The Capture Tool
Configuration window appears.
2.
Parameter
Description
Status
Output To File
Output To Terminal
Capture Point
564
Parameter
Description
This is relevant only for traffic that is handled by the Client Table.
This is relevant when the IP address changes during the session (examples: NAT, VIP etc.).
Notes:
>> Inbound and Outbound mode can potentially affect performance.
>> When rebooting the device, the capture option moves to "disable " (since the "enable"
state reduces the performance of the device) .
On-packet-arrive - Point A
On-packet-send - Point B
The Capture Point can also be set using the CLI command system diagnostics capture point.
Traffic in this scenario is as follows:
1. Client IP to VIP
2. Client IP to Server IP
565
VIP to Client IP
With Capture filters set to: Any to VIP and VIP to Any, the output depends on the Capture Mode used
and on Capture Point, as follows:
Mode \ Point
On-packet-arrive
On-packet-send
Inbound \ Both
Step #1
Step #2
To capture all steps with Capture Mode of Inbound Only, use Capture Point of Both and set policies
as follows: Any to VIP and Server IPs to Any.
TCP-Dump (Sniffer)
TCP-Dump is a common packet sniffer that runs under the command line. It allows you to intercept
and display TCP/IP and other packets being transmitted or received over a network. It is one of the
most useful tools for debugging network problems. Benefits include:
captures traffic flow through proxy for configuration debugging and checking purposes
When the AppDirector acceleration engine module is used, information about TCP Connections and
Sessions, terminated and processed by it, can be received using TCP-Dump.
You can use TCP-Dump on any AppDirector interface. You can output dump to the CLI prompt or
export it to a file (over SSH).
After you connect to the acceleration engine module (see Direct Access to Proxy, page 575)use the
following commands at prompt for TCP-Dump:
system tcpdump print [-t <timeout (sec)>] [-c <max number of packets>] [-s
<size>]
This displays the TCP-Dump at the prompt. The information is continuously printed to the screen
until the collection timeout is over.
system tcpdump export [-t <timeout (sec)>] [-c<max number of packets>] [-s
<size>]
This exports the TCP-Dump information to a text file. Information is saved in the file until the
collection timeout is over where the following variable suffixes are:
You can apply traffic filters to the dump. AppDirector uses the Ethereal format of expressions. For a
complete description refer to: http://www.ethereal.com/docs/man-pages/tcpdump.8.html
566
To filter by destination IP
Enter: 'dst host' and the IP.
To filter by source IP
Enter: 'src host' and the IP.
SSL Dump
SSL dump is an SSL/TLS network protocol analyzer. It identifies TCP connections on the chosen
network interface and attempts to interpret them as SSL/TLS traffic. When it identifies SSL/TLS
traffic, it decodes the records and displays them in a textual form. If provided with the appropriate
keying material, it will also decrypt the connections and display the application data traffic. Benefits
include:
captures encrypted traffic and can view it in the clear for debugging and checking.
previously you needed to export from the device and use 3rd party software combined with
device Keys to decrypt and see traffic but with SSL dump, it is easier and safer.
Normally, one of the most useful tools for debugging network problems is sniffing or TCP-Dump
utilities, however, because part of the traffic that goes through AppDirector acceleration engine is
encrypted, an SSL dump is also required, to dump and decrypt traffic. This feature is available only
from CLI, by direct access. For more information on how to direct access the proxy, see Direct
Access to Proxy, page 575.
Using this command you can dump traffic and decrypt it using keys configured on the device. The
following need to be set:
1. The key(s) used for traffic decryption
2. SSLDump:
a.
b.
Traffic to dump and decrypt. This is set using a filter expression as described above in TCPDump (Sniffer), page 566.
How long to capture traffic. This is set using the Timeout parameter, default is 60 seconds,
(maximum packets to capture is 10000).
567
system ssldump [-t <timeout (sec)>] [-c<max number of packets>] [-s <size>]
This exports the SSLDump information to a text file. Information is saved in the file until the
collection timeout is over where the following variable suffixes are:
The output of SSLdump is a text file (or multiple files, if multiple keys are used) and the output files
are packed into a zip file.
With SSLdump, print to screen is not available, the user can only save the output to file (or multiple
files if multiple keys are used).
Examples
The following prompt is received:
Capture started.
Press <ctrl-c> to stop.
2.
The CLI is locked until capture timeout is reached, default maximum packet count has been
reached (10,000) or you have pressed <ctrl-c>.
3.
In the background, a tcpdump process is run with the default parameters or with the filter
expression that you entered.
4.
The device now runs the "ssldump" on the output file of the "tcpdump" K times (1 time for each
of the chosen keys). Eventually there will be K+1 files inside the machine:
"tcpdump" capture file and K ssldump files (one for each key).
5.
These files will be zipped into one file called "ssldump.tar.gz", which is saved in /tmp dir.
6.
ssldump for the keyname id X when X is the key name. This is the prompt for each key.
1-SSH
2-Quit
Please select export protocol [1-2]:
7.
Capture ended.
You must copy /tmp/ssldump.tar.gz via scp:
Warning:
568
Note: To reuse the policy, edit the policy and set it again.
Parameter
Description
Name
Index
Number assigned to this policy in Debug Policy table. Using this index
number, policies are identified by the device.
Description
Destination
Source
Inbound/Outbound
Port Group
Service Type
Service
Services to be classified.
569
4.
Parameter
Description
Source/Destination
MAC Group
Maximal Number of
Packets
Maximal Packet
Length
Capture Status
Trace Status
In addition to the above, the user can configure the amount of packets to capture. Once the device
captures the predefined amount of packets, it stops capturing traffic for the specific policy. In some
cases, the device captures fewer number of packets than the configurable value. This happens when
the device is configured to drop packets.
Note: In capture mode when limiting the number of packets to reuse the policy, it is necessary
to edit the policy and reset it.
Classification by diagnostics policy is performed for all packets arriving to device immediately after
their arrival. Only packets generated on device are being classified before the packet is sent. This
may cause the following:
When Capture point is set to "on-packet-send", the number of packets contained in the capture
file may be lower than the preconfigured limit. This can happen if some packets arriving to
device were matched by the policy but were not sent (since it was blocked by the device).
When Capture point is set to "both", the capture file may contain more packets than the
predefined limit (This happens, when sending ping to device).
For Traffic Capture you can also configure the length of the packet that the device captures. By
default the device captures the entire packet.
570
Parameter
Description
File Name
File Size
Action
To access the file system using FTP Client. The files are located under the dbgtools
directories (CF / CM and RD). To access the device via the FTP service, the FTP server must
be enabled prior to access.
Using TFTP In addition, the files can be sent to a TFTP server (supported only via the CLI
using the CLI command "system diagnostics files send.
Notes:
>> Diagnostic Tools may cause a performance penalty on the AppDirector device by
increasing CPU load and console response time.
>> If a software upgrade is being performed while any of the diagnostics tools are being
executed, operation of the diagnostics tools stops and all diagnostics files are erased.
>> After reboot, the diagnostics tools is disabled by default.
571
Select Services > Tuning > Diagnostics. The Diagnostics Tools Tuning window appears.
2.
3.
Parameter
Description
Policies
System Diagnostics
This section includes these topics:
Included in this appendix is a short introduction to Radware system diagnostics using CLI. The
system diagnostics tool set is accessed by performing the command, System Diagnostics in the
terminal console. For more detailed information see the accompanying CLI Reference Guide.
capture
mode
(1) on-packet-arrive
(2) on-packet-send
(3) both
status
1 - enabled
2 - disabled
files
abort
572
Delete file
<Name>
set
destroy/del <Name>
create/add <Name> <-switch value>
help
<-switch>
Switches:
-i
: Index
-d
: Description
-src : Source
-dst : Destination
-rx
-tx
-st
: Service Type
-srv : Service
-vt
-sm
-dm
: Trace-Log Status
-pn
-pl
trace-log
modules
Trace-Log Modules
<Name>
set
help
<-switch>
Switches:
-st
: Status
-sev : Severity
msg-format Message Format Configuration
573
file
line
module
time
output
file
syslog
term
Traffic Captures
Parameter
Description
Status
Output to File
Enables the file to be kept on compact flash. Due to compact flash size
limitation, two files are employed to save data. Once the first is full, the
device automatically switches to the second until the second file is full.
The device then overwrites the first file etc.using this file name
convention:
capture_device_name_DDMMYYYY_HHMMSS (for Example capture_AppDirector_27122051_010302_1.cap).
Output to Terminal
Enables you to send traffic output captures to the RAM Drive. Here, the
file is deleted after device reboot.
Capture Point
574
Diagnostics Trace
Parameter
Description
Status
Output to File
Output to Terminal
Enables you to send traffic captures output to the RAM Drive - For AS 1.
Output to Syslog
you gain access to the proxy module to run TCP-Dump and SSLdump
Proxy |
SSH Port
------|---------1
1500
Use any IP address on AppDirector SSH enabled ports to access the proxy on the specified port (in
the above example: 1500).
system logfile
For using the tcpdump and ssldump feature see TCP-Dump (Sniffer), page 566.
575
Acceleration-Engine Logs
From the Services menu, select Logging > Acceleration-Engine Logs. The AccelerationEngine Logs window appears.
2.
Parameter
Description
Compression Logs
Caching Logs
HTTP Logs
SSL Logs
3.
Note: The downloaded log file is in text format, and can be best viewed by importing into
Microsoft Excel. For best results, import the file into Microsoft Excel.
576
To import a log
1. Open Microsoft Excel.
1. Open the log as a text file within Microsoft Excel. Step 1 of the Text Import Wizard dialog
appears.
2. Mark the radio button Delimited.
577
2.
Select row 8 (first row of logs) and go to Microsoft Excel 2007 View menu.
3.
4.
5.
Select the Filter button (Auto-Filters in older versions of Microsoft Excel). You can use the filters
to see logs by date/time, and then filter the specific session that you want to review using the
session-ID column filter.
In the main WBM window, from the File menu select Support. The Download Technical Support
Info File window appears.
2.
Click Set to download the file. A file download dialog box opens asking if you wish to open or
save the file.
3.
578
Notes:
>> The .TAR format that includes AppDirector support, AppXcel DX log, AppXcel logger and
the AppDirector configuration file is only available via WBM. However, if you download
the Technical Support file via CLI (.i.e. TFTP) it only includes the regular support file.
>> To ensure that all device messages are displayed, please define your AppDirector WBM
as a "safe site" in your pop-up blocker, and enable it to display pop-up messages.
>> For more information, refer to the Radware CLI Reference Manual.
579
580
581
582
SSL Encryption
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic
protocols that provide communications security over the Internet. TLS and SSL encrypt the
segments of network connections above the Transport Layer, using symmetric cryptography for
privacy and a keyed message authentication code for message reliability. This allows us to encrypt
the data stream itself, which can then be transmitted securely, using any of the application layer
protocols. Two encryption techniques are used:
Public key encryption is used to encrypt and decrypt certificates during the SSL handshake.
A mutually agreed symmetric encryption technique, such as DES (data encryption standard), or
triple DES, is used in the data transfer following the handshake.
To make an environment secure, you must be sure that any communication is with "trusted" sites
whose identity you can be sure of. SSL uses certificates for authentication these are digitally
signed documents which bind the public key to the identity of the private key owner. Authentication
happens at connection time, and is independent of the application or the application protocol.
Authentication involves making sure that sites with which you communicate are who they claim to
be. With SSL, authentication is performed by an exchange of certificates, which are blocks of data in
a format described in ITU-T standard X.509. The X.509 certificates are issued, and digitally signed
by an external authority known as a certificate authority.
583
Certificates
In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) for single sign-on
(SSO) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things,
standard formats for public key certificates, certificate revocation lists, attribute certificates, and a
certification path validation algorithm.
In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is
an electronic document which uses a digital signature to bind together a public key with an identity
information such as the name of a person or an organization, their address, and so forth. The
certificate can be used to verify that a public key belongs to an individual.
In a typical public key infrastructure (PKI) scheme, the signature will be of a certificate authority
(CA). In a web of trust scheme, the signature is of either the user (a self-signed certificate) or other
users ("endorsements"). In either case, the signatures on a certificate are attestations by the
certificate signer that the identity information and the public key belong together.
For provable security this reliance on something external to the system has the consequence that
any public key certification scheme has to rely on some special setup assumption, such as the
existence of a certificate authority.
Certificates can be created for Unix-based servers with tools such as OpenSSL's ssl-ca or SuSE's
gensslcert.
Issuer The entity that verified the information and issued the certificate.
Public Key The public key to encrypt a message to the named subject.
Thumbprint The hash itself to ensure that the certificate has not been tampered with.
584
Classes
VeriSign introduced the concept of classes of digital certificates:
Class 3 for servers and software signing, for which independent verification and checking of
identity and authority is done by the issuing certificate authority
X.509 Certificates
An X.509 certificate specifies a binding between a public key and a set of attributes that includes (at
least) a subject, name, issuer name, serial number and validity interval. This binding may be subject
to subsequent revocation advertised by mechanisms that include issuance of CRLs, OCSP tokens or
mechanisms that are outside the X.509 framework, such as XKMS. An X.509 certificate may be used
to validate a public key that may be used to authenticate a SOAP message or to identify the public
key with SOAP message that has been encrypted.
X.509 certificates rely on the use of key pairs. A key pair consists of two distinct values,either of
which may be used to encrypt data. Once data has been encrypted with one of the keys, it can
subsequently only be decrypted using the other key. For this reason the mechanism is sometimes
referred to as asymmetric key cryptography. Once a key pair has been generated, then one of the
keys is published (made known to anyone that wants it); theother remains known only to one
person. An X.509 certificate for an entity contains (among other things) the public key for that
entity.
By presenting its certificate, as well as some data which has been encrypted with its privatekey, an
entity can therefore prove its identity (because no one other than the owner of theprivate key could
have encrypted the data). Provided the certificate owner is a trusted entity, a transaction can
proceed safe in the knowledge that no-one is masquerading as that entity. A natural way of
organising mutual authentication would be for everyone to keep a copy ofthe certificates for all the
entities that they trust: when I am presented with a certificate, I just check to see if its in my list.
585
The identity of the Certificate Authority (CA) which issued the certificate
The name of the entity that the certificate belongs to. Such names are represented as
Distinguished Names.
Note: The CA never sees the entitys private key (it is not contained in the CSR), so even it
cannot subsequently use the certificate in this way.
Secure Identities
Assuming you have obtained a certificate, then in order to make use of it to perform strong
authentication, you need:
Some information about what CAs you yourself are prepared to trust (because the other entity will
send you their certificate, and you will want to check that whoever issued it is on your list)
Isode software refers to this set of information as an "identity": you may have one or more
identities, each of which will be stored in a separate file. Whenever X.509 strong authentication is
performed, each entity will use an identity of its own.
Since identities include sensitive data (the private key), they are stored in an encrypted form using
a passphrase, and can only be used by someone who knows that passphrase. The passphrase itself
is used only to gain access to the identity on the local system: it is never transmitted as part of any
strong authentication operation.
Signed Operations
As part of the X.500 Directory Standard, individual directory operations (such as read, search and
modify) may be "signed". In the case of a signed operation, a cryptographically secure signature is
computed and included in both the request that is sent to the Directory, and the response which the
Directory returns. Signing a message incurs an overhead, but makes it much less likely that the
content of that message could be tampered with without the recipient realising.
586
Compared to CRLs
Since an OCSP response contains less information than a typical CRL(certificate revocation list),
OCSP can feasibly provide more timely information regarding the revocation status of a certificate
without burdening the network. However, the greater number of requests and connection overhead
may overwhelm this benefit if the client does not cache responses.
Using OCSP, clients do not need to parse CRLs themselves, saving client-side complexity. However,
this is balanced by the practical need to maintain a cache. In practice, such considerations are of
little consequence, since most applications rely on third-party libraries for all X.509 functions.
CRLs may be seen as analogous to a credit card company's "bad customer list" an unnecessary
public exposure.
OCSP discloses to the requester that a particular network host used a particular certificate at a
particular time. OCSP does not mandate encryption, so this information also may be intercepted by
other parties.
Protocol details
An OCSP responder may return a signed response signifying that the certificate specified in the
request is 'good', 'revoked' or 'unknown'. If it cannot process the request, it may return an error
code.
The OCSP request format supports additional extensions. This enables extensive customization to a
particular PKI scheme.
OCSP can be resistant to replay attacks, where a signed, 'good' response is captured by a malicious
intermediary and replayed to the client at a later date after the subject certificate may have been
revoked. OCSP overcomes this by allowing a nonce to be included in the request that must be
included in the corresponding response.
587
conduct a transaction requiring the status of that certificate within the time frame of the validity
of the response.
Since it is not often that a revoked certificate is unrevoked (only if it is suspended is it even possible)
a person would have to capture a good response and wait until the certificate was revoked then
replay it.
OCSP can support more than one level of CA. OCSP requests may be chained between peer
responders to query the issuing CA appropriate for the subject certificate, with responders validating
each other's responses against the root CA using their own OCSP requests.
An OCSP responder may be queried for revocation information by delegated path validation (DPV)
servers. OCSP does not, by itself, perform any DPV of supplied certificates.
The key that signs a response need not be the same key that signed the certificate. The certificate's
issuer may delegate another authority to be the OCSP responder. In this case, the responder's
certificate (the one that is used to sign the response) must be issued by the issuer of the certificate
in question, and must include a certain extension that marks it as an OCSP signing authority (more
precisely, an extended key usage extension with the OID {iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) keyPurpose(3) ocspSigning(9)})
Certificate Authority
In cryptography, a certificate authority or certification authority (CA) is an independent entity that
issues digital certificates for use by other parties. It is an example of a trusted third party. Before
issuing a certificate, a certificate authority will examine the credentials of the person or organization
that has requested the certificate. When the certificate has been issued, information about it is held
on a publicly accessible repository. Users can consult the repository to check the status and validity
of any certificates receivedCAs are characteristic of many public key infrastructure (PKI) schemes.
In order that one system can be assured that a certificate received from another system is genuine,
a trusted third party that can vouch for the certificate is needed.
588
Secure e-mail
Client authentication
Server authentication
There are many commercial CAs that charge for their services. There are also several providers
issuing digital certificates to the public at no cost. Institutions and governments may have their own
CAs.
Issuing a certificate
This article may be confusing or unclear to readers. Please help clarify the article; suggestions may
be found on the talk page. (February 2009)
A CA issues digital certificates that contain a public key and the identity of the owner. The matching
private key is not similarly made available publicly, but kept secret by the end user who generated
the key pair. The certificate is also an attestation by the CA that the public key contained in the
certificate belongs to the person, organization, server or other entity noted in the certificate. A CA's
obligation in such schemes is to verify an applicant's credentials, so that users and relying parties
can trust the information in the CA's certificates. CAs use a variety of standards and tests to do so.
In essence the Certificate Authority is responsible for saying "yes" this person is who they say they
are, and we, the CA, verify that.
If the user trusts the CA and can verify the CA's signature, then he can also verify that a certain
public key does indeed belong to whomever is identified in the certificate.
Subversion of CA
If the CA can be subverted, then the security of the entire system is lost for each user for whom the
CA is attesting a link between a public key and an identity.
For example, suppose an attacker, Eve (not using the Alice and Bob convention), manages to get a
CA to issue to her a certificate that claims to represent Alice. That is, the certificate would publicly
state that it represents Alice, and might include other information about Alice. Some of the
information about Alice, such as her employer name, might be true, increasing the certificate's
credibility. Eve, however, would have the all-important private key associated with the certificate.
Eve could then use the certificate to send digitally signed email to Bob, tricking Bob into believing
that the email was from Alice. Bob might even respond with encrypted email, believing that it could
only be read by Alice, when Eve is actually able to decrypt it using the private key.
Security
The problem of assuring correctness of match between data and entity when the data are presented
to the CA (perhaps over an electronic network), and when the credentials of the person/company/
program asking for a certificate are likewise presented, is difficult. This is why commercial CAs often
use a combination of authentication techniques including leveraging government bureaus, the
payment infrastructure, third parties' databases and services, and custom heuristics. In some
enterprise systems, local forms of authentication such as Kerberos can be used to obtain a
certificate which can in turn be used by external relying parties. Notaries are required in some cases
to personally know the party whose signature is being notarized; this is a higher standard than is
reached by many CAs.
In large-scale deployments, Alice may not be familiar with Bob's certificate authority (perhaps they
each have a different CA server), so Bob's certificate may also include his CA's public key signed by
a different CA2, which is presumably recognizable by Alice. This process typically leads to a
hierarchy or mesh of CAs and CA certificates.
589
Ciphers
In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption a
series of well-defined steps that can be followed as a procedure. An alternative, less common term
is encipherment. In non-technical usage, a cipher is the same thing as a code; however, the
concepts are distinct in cryptography. In classical cryptography, ciphers were distinguished from
codes. Codes operated by substituting according to a large codebook which linked a random string
of characters or numbers to a word or phrase. For example, UQJHSE could be the code for
Proceed to the following coordinates. When using a cipher the original information is known as
plaintext, and the encrypted form as ciphertext. The ciphertext message contains all the information
of the plaintext message, but is not in a format readable by a human or computer without the
proper mechanism to decrypt it; it should resemble random gibberish to those not intended to read
it.
The operation of a cipher usually depends on a piece of auxiliary information, called a key or, in
traditional NSA parlance, a cryptovariable. The encrypting procedure is varied depending on the key,
which changes the detailed operation of the algorithm. A key must be selected before using a cipher
to encrypt a message. Without knowledge of the key, it should be difficult, if not nearly impossible,
to decrypt the resulting ciphertext into readable plaintext.
Most modern ciphers can be categorized in several ways
By whether they work on blocks of symbols usually of a fixed size (block ciphers), or on a
continuous stream of symbols (stream ciphers).
By whether the same key is used for both encryption and decryption (symmetric key
algorithms), or if a different key is used for each (asymmetric key algorithms). If the algorithm
is symmetric, the key must be known to the recipient and sender and to no one else. If the
algorithm is an asymmetric one, the enciphering key is different from, but closely related to, the
deciphering key. If one key cannot be deduced from the other, the asymmetric key algorithm
has the public/private key property and one of the keys may be made public without loss of
confidentiality
Modern encryption methods can be divided by two criteria by type of key used, and by type of
input data.
symmetric key algorithms (Private-key cryptography) where the same key is used for
encryption and decryption. In a symmetric key algorithm (e.g., DES and AES), the sender and
receiver must have a shared key set up in advance and kept secret from all other parties; the
sender uses this key for encryption, and the receiver uses the same key for decryption. The
Feistel cipher uses a combination of substitution and transposition techniques. Most block cipher
algorithms are based on this structure
asymmetric key algorithms (Public-key cryptography) where two different keys are
used for encryption and decryption. In an asymmetric key algorithm (e.g., RSA), there are two
separate keys: a public key is published and enables any sender to perform encryption, while a
private key is kept secret by the receiver and enables only him to perform correct decryption.
590
Input Data
Ciphers can be distinguished into two types by the type of input data:
Mathematical advances that allow new attacks or weaknesses to be discovered and exploited.
Computational power available, i.e., the computing power which can be brought to bear on the
problem. It is important to note that average performance/capacity of a single computer is not
the only factor to consider. An adversary can use multiple computers at once, for instance, to
increase the speed of exhaustive search for a key (i.e., brute force attack) substantially.
Key size, i.e., the size of key used to encrypt a message. As the key size increases, so does the
complexity of exhaustive search to the point where it becomes infeasible to crack encryption
directly.
Cipher Suites
A cipher suite is a named combination of authentication, encryption, and message authentication
code (MAC) algorithms used to negotiate the security settings for a network connection using the
Transport Layer Security (TLS) or Secure Sockets Layer (SSL) network protocol.
The structure and use of the cipher suite concept is defined in the documents that define the
protocol (RFC 5246 standard for TLS version 1.2). A reference for named cipher suites is provided in
RFC 2434, the TLS Cipher Suite Registry.
When a TLS connection is established, a handshaking, known as the TLS Handshake Protocol,
occurs. Within this handshake, a client hello (ClientHello) and a server hello (ServerHello) message
is passed. (RFC 5246, p. 37) First, the client sends a cipher suite list, a list of the cipher suites that
it supports, in order of preference. Then the server replies with the cipher suite that it has selected
from the client cipher suite list. (RFC 5246, p. 40) In order to test which TLS ciphers that a server
supports an SSL/TLS Scanner may be used.
Each named cipher suite defines a key exchange algorithm, a bulk encryption algorithm, a message
authentication code (MAC) algorithm, and a pseudorandom function (PRF). (RFC 5246, p. 40)
The key exchange algorithm is used to determine if and how the client and server will authenticate
during the handshake. (RFC 5246, p. 47).
The bulk encryption algorithm is used to encrypt the message stream. It also includes the key size
and the lengths of explicit and implicit initialization vectors (cryptographic nonces). (RFC 5246, p.
17).
The message authentication code (MAC) algorithm is used to create the message digest, a
cryptographic hash of each block of the message stream. (RFC 5246, p. 17).
The pseudorandom function (PRF) is used to create the master secret, a 48-byte secret shared
between the two peers in the connection. The master secret is used as a source of entropy when
creating session keys, such as the one used to create the MAC. (RFC 5246, p. 16-17, 26).
591
592
Table 8: Complete List of the Content Of All Cipher Suites (Front-end and Back-end)
The terms used in this table are:
RSARivest-Shamir-Adleman encryption
Kx key
exchange
algorithm
Au
Enc symmetric Mac digest
authentication encryption
algorithm
algorithm
algorithm
AES256-SHA
Kx=RSA
Au=RSA
Enc=AES(256)
DES-CBC3-SHA
Kx=RSA
Au=RSA
Enc=3DES(168) Mac=SHA1
AES128-SHA
Kx=RSA
Au=RSA
Enc=AES(128)
Mac=SHA1
RC4-SHA
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=SHA1
RC4-MD5
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=MD5
DES-CBC-SHA
Kx=RSA
Au=RSA
Enc=DES(56)
Mac=SHA1
NULL-SHA
Kx=RSA
Au=RSA
Enc=None
Mac=SHA1
NULL-MD5
Kx=RSA
Au=RSA
Enc=None
Mac=MD5
ADH-AES256-SHA
Kx=DH
Au=None
Enc=AES(256)
Mac=SHA1
DHE-RSA-AES256-SHA
Kx=DH
Au=RSA
Enc=AES(256)
Mac=SHA1
DHE-DSS-AES256-SHA
Kx=DH
Au=DSS
Enc=AES(256)
Mac=SHA1
ADH-DES-CBC3-SHA
Kx=DH
Au=None
Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA
Kx=DH
Au=RSA
Enc=3DES(168) Mac=MD5
EDH-DSS-DES-CBC3-SHA
Kx=DH
Au=DSS
Enc=3DES(168) Mac=SHA1
DHE-DSS-RC4-SHA
Kx=DH
Au=DSS
Enc=RC4(128)
ADH-AES128-SHA
Kx=DH
Au=None
Enc=AES(128)
Mac=SHA1
DHE-RSA-AES128-SHA
Kx=DH
Au=RSA
Enc=AES(128)
Mac=SHA1
DHE-DSS-AES128-SHA
Kx=DH
Au=DSS
Enc=AES(128)
Mac=SHA1
Mac=SHA1
ADH-RC4-MD5
Kx=DH
Au=None
Enc=RC4(128)
Mac=MD5
ADH-DES-CBC-SHA
Kx=DH
Au=None
Enc=DES(56)
Mac=SHA1
EDH-RSA-DES-CBC-SHA
Kx=DH
Au=RSA
Enc=DES(56)
Mac=SHA1
EDH-DSS-DES-CBC-SHA
Kx=DH
Au=DSS
Enc=DES(56)
Mac=SHA1
EXP1024-RC4-SHA
Kx=RSA(1024)
Au=RSA
Enc=RC4(56)
Mac=SHA1
export
EXP1024-DES-CBC-SHA
Kx=RSA(1024)
Au=RSA
Enc=DES(56)
Mac=SHA1
export
EXP-DES-CBC-SHA
Kx=RSA(512)
Au=RSA
Enc=DES(40)
Mac=SHA1
export
593
Kx key
exchange
algorithm
Au
Enc symmetric Mac digest
authentication encryption
algorithm
algorithm
algorithm
EXP-RC4-MD5
Kx=RSA(512)
Au=RSA
Enc=RC4(40)
Mac=MD5
export
EXP1024-DHE-DSS-RC4-SHA Kx=DH(1024)
Au=DSS
Enc=RC4(56)
Mac=SHA1
export
EXP1024-DHE-DSS-DESCBC-SHA
Kx=DH(1024)
Au=DSS
Enc=DES(56)
Mac=SHA1
export
EXP-ADH-DES-CBC-SHA
Kx=DH(512)
Au=None
Enc=DES(40)
Mac=SHA1
export
EXP-ADH-RC4-MD5
Kx=DH(512)
Au=None
Enc=RC4(40)
Mac=MD5
export
EXP-EDH-RSA-DES-CBC-SHA
Kx=DH(512)
Au=RSA
Enc=DES(40)
Mac=SHA1
export
EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512)
Au=DSS
Enc=DES(40)
Mac=SHA1
export
Mac=SHA1
Kx=RSA
Au=RSA
Enc=AES(256)
DES-CBC3-SHA
Kx=RSA
Au=RSA
Enc=3DES(168) Mac=SHA1
AES128-SHA
Kx=RSA
Au=RSA
Enc=AES(128)
Mac=SHA1
RC4-SHA
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=SHA1
RC4-MD5
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=MD5
DHE-DSS-AES256-SHA
Kx=DH(512)
Au=DSS
Enc=AES(256)
Mac=SHA1
EDH-RSA-DES-CBC3-SHA
Kx=DH(512)
Au=RSA
Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA
Kx=DH(512)
Au=DSS
Enc=3DES(168) Mac=SHA1
DHE-DSS-RC4-SHA
Kx=DH(512)
Au=DSS
Enc=RC4(128)
Mac=SHA1
DHE-DSS-AES128-SHA
Kx=DH(512)
Au=DSS
Enc=AES(128)
Mac=SHA1
Mac=SHA1
Kx=RSA
Au=RSA
Enc=AES(256)
DES-CBC3-SHA
Kx=RSA
Au=RSA
Enc=3DES(168) Mac=SHA1
AES128-SHA
Kx=RSA
Au=RSA
Enc=AES(128)
Mac=SHA1
RC4-SHA
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=SHA1
RC4-MD5
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=MD5
DES-CBC-SHA
Kx=RSA
Au=RSA
Enc=DES(56)
Mac=SHA1
DHE-RSA-AES256-SHA
Kx=DH
Au=RSA
Enc=AES(256)
Mac=SHA1
Mac=SHA1
DHE-DSS-AES256-SHA
Kx=DH
Au=DSS
Enc=AES(256)
EDH-RSA-DES-CBC3-SHA
Kx=DH
Au=RSA
Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA
Kx=DH
Au=DSS
Enc=3DES(168) Mac=SHA1
DHE-DSS-RC4-SHA
Kx=DH
Au=DSS
Enc=RC4(128)
Mac=SHA1
DHE-RSA-AES128-SHA
Kx=DH
Au=RSA
Enc=AES(128)
Mac=SHA1
DHE-DSS-AES128-SHA
Kx=DH
Au=DSS
Enc=AES(128)
Mac=SHA1
594
Kx key
exchange
algorithm
Au
Enc symmetric Mac digest
authentication encryption
algorithm
algorithm
algorithm
EDH-RSA-DES-CBC-SHA
Kx=DH
Au=RSA
Enc=DES(56)
Mac=SHA1
EDH-DSS-DES-CBC-SHA
Kx=DH
Au=DSS
Enc=DES(56)
Mac=SHA1
EXP1024-RC4-SHA
Kx=RSA(1024)
Au=RSA
Enc=RC4(56)
Mac=SHA1
export
EXP1024-DES-CBC-SHA
Kx=RSA(1024)
Au=RSA
Enc=DES(56)
Mac=SHA1
export
EXP-DES-CBC-SHA
Kx=RSA(512
Au=RSA
Enc=DES(40)
Mac=SHA1
export
EXP-RC4-MD5
Kx=RSA(512
Au=RSA
Enc=RC4(40)
Mac=MD5
export
EXP1024-DHE-DSS-RC4-SHA Kx=DH(1024)
Au=DSS
Enc=RC4(56)
Mac=SHA1
export
EXP1024-DHE-DSS-DESCBC-SHA
Kx=DH(1024)
Au=DSS
Enc=DES(56
Mac=SHA1
export
EXP-EDH-RSA-DES-CBC-SHA
Kx=DH(512)
Au=RSA
Enc=DES(40)
Mac=SHA1
export
EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512)
Au=DSS
Enc=DES(40)
Mac=SHA1
export
Mac=SHA1
Kx=RSA
Au=RSA
Enc=AES(256)
DES-CBC3-SHA
Kx=RSA
Au=RSA
Enc=3DES(168) Mac=SHA1
AES128-SHA
Kx=RSA
Au=RSA
Enc=AES(128)
Mac=SHA1
RC4-SHA
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=SHA1
RC4-MD5
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=MD5
DES-CBC-SHA
Kx=RSA
Au=RSA
Enc=DES(56)
Mac=SHA1
NULL-SHA
Kx=RSA
Au=RSA
Enc=None
Mac=SHA1
NULL-MD5
Kx=RSA
Au=RSA
Enc=None
Mac=MD5
ADH-AES256-SHA
Kx=DH
Au=None
Enc=AES(256)
Mac=SHA1
DHE-RSA-AES256-SHA
Kx=DH
Au=RSA
Enc=AES(256)
Mac=SHA1
DHE-DSS-AES256-SHA
Kx=DH
Au=DSS
Enc=AES(256)
Mac=SHA1
ADH-DES-CBC3-SHA
Kx=DH
Au=None
Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA
Kx=DH
Au=RSA
Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA
Kx=DH
Au=DSS
Enc=3DES(168) Mac=SHA1
DHE-DSS-RC4-SHA
Kx=DH
Au=DSS
Enc=RC4(128)
Mac=SHA1
ADH-AES128-SHA
Kx=DH
Au=None
Enc=AES(128)
Mac=SHA1
DHE-RSA-AES128-SHA
Kx=DH
Au=RSA
Enc=AES(128)
Mac=SHA1
DHE-DSS-AES128-SHA
Kx=DH
Au=DSS
Enc=AES(128)
Mac=SHA1
ADH-RC4-MD5
Kx=DH
Au=None
Enc=RC4(128)
Mac=MD5
ADH-DES-CBC-SHA
Kx=DH
Au=None
Enc=DES(56)
Mac=SHA1
EDH-RSA-DES-CBC-SHA
Kx=DH
Au=RSA
Enc=DES(56)
Mac=SHA1
595
Kx key
exchange
algorithm
Au
Enc symmetric Mac digest
authentication encryption
algorithm
algorithm
algorithm
EDH-DSS-DES-CBC-SHA
Kx=DH
Au=DSS
Enc=DES(56)
Mac=SHA1
EXP1024-RC4-SHA
Kx=RSA(1024)
Au=RSA
Enc=RC4(56)
Mac=SHA1
export
EXP1024-DES-CBC-SHA
Kx=RSA(1024)
Au=RSA
Enc=DES(56)
Mac=SHA1
export
EXP-DES-CBC-SHA
Kx=RSA(512)
Au=RSA
Enc=DES(40)
Mac=SHA1
export
EXP-RC4-MD5
Kx=RSA(512)
Au=RSA
Enc=RC4(40)
Mac=MD5
export
EXP1024-DHE-DSS-RC4-SHA Kx=RSA(1024)
Au=DSS
Enc=RC4(56)
Mac=SHA1
export
EXP1024-DHE-DSS-DESCBC-SHA
Kx=RSA(1024)
Au=DSS
Enc=DES(56)
Mac=SHA1
export
EXP-ADH-DES-CBC-SHA
Kx=RSA(512)
Au=None
Enc=DES(40)
Mac=SHA1
export
EXP-ADH-RC4-MD5
Kx=RSA(512)
Au=None
Enc=RC4(40)
Mac=MD5
export
EXP-EDH-RSA-DES-CBC-SHA
Kx=RSA(512)
Au=RSA
Enc=DES(40)
Mac=SHA1
export
EXP-EDH-DSS-DES-CBC-SHA Kx=RSA(512)
Au=DSS
Enc=DES(40)
Mac=SHA1
export
Mac=SHA1
Kx=RSA
Au=RSA
Enc=AES(256)
DES-CBC3-SHA
Kx=RSA
Au=RSA
Enc=3DES(168) Mac=SHA1
AES128-SHA
Kx=RSA
Au=RSA
Enc=AES(128)
Mac=SHA1
RC4-SHA
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=SHA1
RC4-MD5
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=MD5
DES-CBC-SHA
Kx=RSA
Au=RSA
Enc=DES(56)
Mac=SHA1
NULL-SHA
Kx=RSA
Au=RSA
Enc=None
Mac=SHA1
NULL-MD5
Kx=RSA
Au=RSA
Enc=None
Mac=MD5
ADH-AES256-SHA
Kx=DH
Au=None
Enc=AES(256)
Mac=SHA1
DHE-RSA-AES256-SHA
Kx=DH
Au=RSA
Enc=AES(256)
Mac=SHA1
DHE-DSS-AES256-SHA
Kx=DH
Au=DSS
Enc=AES(256)
Mac=SHA1
ADH-DES-CBC3-SHA
Kx=DH
Au=None
Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA
Kx=DH
Au=RSA
Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA
Kx=DH
Au=DSS
Enc=3DES(168) Mac=SHA1
DHE-DSS-RC4-SHA
Kx=DH
Au=DSS
Enc=RC4(128)
Mac=SHA1
ADH-AES128-SHA
Kx=DH
Au=None
Enc=AES(128)
Mac=SHA1
DHE-RSA-AES128-SHA
Kx=DH
Au=RSA
Enc=AES(128)
Mac=SHA1
DHE-DSS-AES128-SHA
Kx=DH
Au=DSS
Enc=AES(128)
Mac=SHA1
ADH-RC4-MD5
Kx=DH
Au=DSS
Enc=RC4(128)
Mac=MD5
596
Kx key
exchange
algorithm
Au
Enc symmetric Mac digest
authentication encryption
algorithm
algorithm
algorithm
ADH-DES-CBC-SHA
Kx=DH
Au=None
Enc=DES(56)
Mac=SHA1
EDH-RSA-DES-CBC-SHA
Kx=DH
Au=RSA
Enc=DES(56)
Mac=SHA1
EDH-DSS-DES-CBC-SHA
Kx=DH
Au=DSS
Enc=DES(56)
Mac=SHA1
EXP1024-RC4-SHA
Kx=RSA(1024)
Au=RSA
Enc=RC4(56)
Mac=SHA1
export
EXP1024-DES-CBC-SHA
Kx=RSA(1024)
Au=RSA
Enc=DES(56)
Mac=SHA1
export
EXP-DES-CBC-SHA
Kx=RSA(512)
Au=RSA
Enc=DES(40)
Mac=SHA1
export
EXP-RC4-MD5
Kx=RSA(512)
Au=RSA
Enc=RC4(40)
Mac=MD5
export
EXP1024-DHE-DSS-RC4-SHA Kx=DH(1024)
Au=DSS
Enc=RC4(56)
Mac=SHA1
export
EXP1024-DHE-DSS-DESCBC-SHA
Kx=DH(1024)
Au=DSS
Enc=DES(56)
Mac=SHA1
export
EXP-ADH-DES-CBC-SHA
Kx=DH(512)
Au=None
Enc=DES(40)
Mac=SHA1
export
EXP-ADH-RC4-MD5
Kx=DH(512)
Au=None
Enc=RC4(40)
Mac=MD5
export
EXP-EDH-RSA-DES-CBC-SHA
Kx=DH(512)
Au=RSA
Enc=DES(40)
Mac=SHA1
export
EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512)
Au=DSS
Enc=DES(40)
Mac=SHA1
export
Kx=RSA
Au=RSA
Enc=DES(56)
Mac=SHA1
ADH-DES-CBC-SHA
Kx=DH
Au=None
Enc=DES(56)
Mac=SHA1
EDH-RSA-DES-CBC-SHA
Kx=DH
Au=RSA
Enc=DES(56)
Mac=SHA1
EDH-DSS-DES-CBC-SHA
Kx=DH
Au=DSS
Enc=DES(56)
Mac=SHA1
RC4-SHA
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=SHA1
RC4-MD5
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=MD5
DHE-DSS-RC4-SHA
Kx=DH
Au=DSS
Enc=RC4(128)
Mac=SHA1
ADH-RC4-MD5
Kx=DH
Au=None
Enc=RC4(128)
Mac=MD5
AES256-SHA
Kx=RSA
Au=RSA
Enc=AES(256)
Mac=SHA1
DES-CBC3-SHA
Kx=RSA
Au=RSA
Enc=3DES(168) Mac=SHA1
AES128-SHA
Kx=RSA
Au=RSA
Enc=AES(128)
Mac=SHA1
ADH-AES256-SHA
Kx=DH
Au=None
Enc=AES(256)
Mac=SHA1
DHE-RSA-AES256-SHA
Kx=DH
Au=RSA
Enc=AES(256)
Mac=SHA1
597
Kx key
exchange
algorithm
Au
Enc symmetric Mac digest
authentication encryption
algorithm
algorithm
algorithm
DHE-DSS-AES256-SHA
Kx=DH
Au=DSS
Enc=AES(256)
ADH-DES-CBC3-SHA
Kx=DH
Au=None
Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA
Kx=DH
Au=RSA
Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA
Kx=DH
Au=DSS
Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA
Kx=DH
Au=None
Enc=AES(128)
Mac=SHA1
DHE-RSA-AES128-SHA
Kx=DH
Au=RSA
Enc=AES(128)
Mac=SHA1
DHE-DSS-AES128-SHA
Kx=DH
Au=DSS
Enc=AES(128)
Mac=SHA1
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=MD5
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=SHA1
Kx=RSA
Au=RSA
Enc=DES(56)
Mac=SHA1
Kx=RSA
Au=RSA
Enc=3DES(168) Mac=SHA1
Kx=RSA
Au=RSA
Enc=AES(128)
Mac=SHA1
Kx=RSA
Au=RSA
Enc=AES(256)
Mac=SHA1
AES256-SHA
Kx=RSA
Au=RSA
Enc=AES(256)
Mac=SHA1
DES-CBC3-SHA
Kx=RSA
Au=RSA
Enc=3DES(168) Mac=SHA1
AES128-SHA
Kx=RSA
Au=RSA
Enc=AES(128)
Mac=SHA1
RC4-SHA
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=SHA1
RC4-MD5
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=MD5
DES-CBC-SHA
Kx=RSA
Au=RSA
Enc=DES(56)
Mac=SHA1
DHE-RSA-AES256-SHA
Kx=DH
Au=RSA
Enc=AES(256)
Mac=SHA1
DHE-DSS-AES256-SHA
Kx=DH
Au=DSS
Enc=AES(256)
Mac=SHA1
EDH-RSA-DES-CBC3-SHA
Kx=DH
Au=RSA
Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA
Kx=DH
Au=DSS
Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA
Kx=DH
Au=RSA
Enc=AES(128)
Mac=SHA1
DHE-DSS-AES128-SHA
Kx=DH
Au=DSS
Enc=AES(128)
Mac=SHA1
DHE-DSS-RC4-SHA
Kx=DH
Au=DSS
Enc=RC4(128)
Mac=SHA1
EDH-RSA-DES-CBC-SHA
Kx=DH
Au=RSA
Enc=DES(56)
Mac=SHA1
EDH-DSS-DES-CBC-SHA
Kx=DH
Au=DSS
Enc=DES(56)
Mac=SHA1
EXP-DES-CBC-SHA
Kx=RSA
Au=RSA
Enc=DES(40)
Mac=SHA1
export
Mac=SHA1
RSA:RC4-128:MD5:
RC4-MD5
RSA:RC4-128:SHA1:
RC4-SHA
RSA:DES:SHA1:
DES-CBC-SHA
RSA:3DES:SHA1:
DES-CBC3-SHA
RSA:AES-128:SHA1:
AES128-SHA
RSA:AES-256:SHA1:
AES256-SHA
MSIE Export56
598
Kx key
exchange
algorithm
Au
Enc symmetric Mac digest
authentication encryption
algorithm
algorithm
algorithm
EXP-RC4-MD5
Kx=RSA
Au=RSA
Enc=RC4(40)
Mac=MD5
export
EXP-EDH-RSA-DES-CBC-SHA
Kx=DH(512)
Au=RSA
Enc=DES(40)
Mac=SHA1
export
EXP-EDH-DSS-DES-CBC-SHA Kx=DH(512)
Au=DSS
Enc=DES(40)
Mac=SHA1
export
Back-End - Low
RC4-SHA
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=SHA1
RC4-MD5
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=MD5
DES-CBC-SHA
Kx=RSA
Au=RSA
Enc=DES(56)
Mac=SHA1
RC4-SHA
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=SHA1
RC4-MD5
Kx=RSA
Au=RSA
Enc=RC4(128)
Mac=MD5
AES256-SHA
Kx=RSA
Au=RSA
Enc=AES(256)
Mac=SHA1
DES-CBC3-SHA
Kx=RSA
Au=RSA
Enc=3DES(168) Mac=SHA1
AES128-SHA
Kx=RSA
Au=RSA
Enc=AES(128)
Mac=SHA1
599