
Partner Technical Training

Arbor APS Deployment

Partner • Sales • Engineering

©2017 ARBOR ® CONFIDENTIAL & PROPRIETARY

APS

Release 5.12


Objectives

At the conclusion of this unit you should understand how to:

Install Arbor APS

Upgrade Arbor APS

Perform initial configuration using the CLI

Apply Best Practices at initial deployment

Begin to use Arbor APS API


INSTALLING ARBOR APS


Connecting to Arbor APS Appliance

Connect to the appliance for configuration by using one of the following methods (the serial console is easier to use):

Serial Console

Plug the RJ45 end of an Ethernet patch cable into the serial console port on the front of the appliance

Connect the other end of the Ethernet patch cable to a serial console server or computer

Configure your console server or computer with the following settings:

Baud rate: 9600

Data bits: 8

Stop bits: 1

Parity: None

Flow control: None

VGA – Keyboard, Video Mouse


Installing Arbor APS

1. Turn on the APS appliance

2. When the prompt that tells you to “Press any key to continue” appears, press a key within five seconds.

3. Select the following option on the GRUB menu and then press enter:

(re)install from on-board flash (Serial)

4. Enter “Y” in response to the following prompt:

Do you want to begin the install process? This will remove all current data and configuration [n]

5. When the installation processes finish, respond to the prompts to configure the APS for the first time


INITIAL CONFIGURATION – CLI


Initial Configuration via CLI

Below is a list of tasks to complete

Access the system console, set a host name and password

Connect and configure management Ethernet interface (mgt0)

Configure span port in the router / switch

Connect cable from span port into Protection Interface port (ext0)

Configure default gateway

Configure IP access rules

Configure SSH

Set current Time and time zone

Set language (optional)

Configure the system’s license

Set deployment mode

Start Arbor APS services

Save configuration


Quick Start Cards


Arbor APS Documentation


Login to the CLI

First time login using default password (“arbor”)

Arbor login: admin
Password:

Arbor Networks APS v5.11.0 Copyright (c) 2000-2016 Arbor Networks, Inc. All Rights Reserved.

Welcome to ArbOS

admin@arbos:/# _


Set System Name

The system name may be arbitrary

The system name is not used for inter-device communications in Cloud Signaling

admin@arbos:/# system name set demo
admin@demo:/#


Admin Password

After installing APS, the default administrator password must be changed before you can start the APS services

If admin password is not changed prior to starting APS services the following message will appear:

admin@demo:/# services aps start
ERROR: The default admin password must be changed

To change admin password:

admin@demo/:# services aaa local password admin interactive
Changing password for user admin.
New password:
Re-enter new password:
Password changed
passwd: all authentication tokens updated successfully.


User Password Criteria

Enforces a minimum level of password complexity

Acceptable Arbor APS passwords:

At least 7 characters long

At most 72 characters long

Can include special characters, spaces, and quotation marks

Cannot be all digits

Cannot be all lower-case letters or all uppercase letters

Cannot be only letters followed by only digits (such as, abcd123)

Cannot be only digits followed by only letters (such as, 123abcd)

Cannot consist of alternating letter-digit combinations (such as, 1a3A4c1)
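
The criteria above written as a checker, as an added example that is not Arbor's code and not part of the original slides. It assumes the letter and digit classes are ASCII and reads "alternating letter-digit combinations" as a password made only of letters and digits in which every neighbouring pair switches class; the function and rule names are hypothetical.

```python
import re

MIN_LEN, MAX_LEN = 7, 72  # limits stated on the slide


def _alternating(pw):
    """True if pw is only ASCII letters/digits and every neighbour pair switches class."""
    if len(pw) < 2 or not re.fullmatch(r"[A-Za-z0-9]+", pw):
        return False
    return all(a.isdigit() != b.isdigit() for a, b in zip(pw, pw[1:]))


def _matches(pattern):
    """Build a predicate that is True when the whole password matches pattern."""
    compiled = re.compile(pattern)
    return lambda pw: compiled.fullmatch(pw) is not None


# (rule name, predicate that is True when the password VIOLATES the rule),
# in the order the slide lists the criteria.
RULES = [
    ("too-short", lambda pw: len(pw) < MIN_LEN),
    ("too-long", lambda pw: len(pw) > MAX_LEN),
    ("all-digits", _matches(r"[0-9]+")),
    ("single-case-letters", _matches(r"[a-z]+|[A-Z]+")),
    ("letters-then-digits", _matches(r"[A-Za-z]+[0-9]+")),
    ("digits-then-letters", _matches(r"[0-9]+[A-Za-z]+")),
    ("alternating-letter-digit", _alternating),
]


def violations(pw):
    """Return the names of every listed criterion that pw breaks."""
    return [name for name, broken in RULES if broken(pw)]


def is_acceptable(pw):
    """True if pw breaks none of the listed criteria."""
    return not violations(pw)


if __name__ == "__main__":
    # Constructed candidates; "arbor" is the default password named in the slides,
    # the next three are the slide's own counter-examples.
    for candidate in ["arbor", "abcd123", "123abcd", "1a3A4c1",
                      "Abcd1234", "Abcd 1234", "x" * 73]:
        shown = candidate if len(candidate) <= 20 else candidate[:17] + "..."
        print(f"{shown!r:24} {violations(candidate) or 'acceptable'}")
```

Mixed case alone does not rescue a letters-then-digits password (Abcd1234 is still rejected), while a single space or symbol does, so the criteria are a floor rather than a strength measure.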


Clock & Time Zone Setting

Setting Clock is important to allow proper Syslog reporting and also to support advanced features like Cloud Signaling

Setting Time Zone must be done in the GUI, not in the CLI

Clock format is MMDDhhmm[[CC]YY][.ss]

Good idea to set even when plans are to use NTP

Clock is set in UTC timezone

admin@demo /:# clock set 062210222012


Setting Management Interface IP address

ip interfaces ifconfig mgt0 10.2.24.76/24
ip interfaces ifconfig mgt0 2620:11e:1001:ebc::34/128

ip route add default 10.2.24.1

admin@demo:/# ping 10.2.24.1
Sending five 64 byte echo request to 10.2.24.1
!!!!!
5 packets transmitted, 5 received, 0% packet loss, time 80ms


DNS Server Setting

Setting DNS in the CLI is useful to ensure the ability to reach services like AIF Updates and to provide reverse DNS lookups for UI

/ service dns server add 10.2.24.222

admin@demo:/# / services dns server
Active DNS Servers:
10.2.24.222


IP Media Commands (Optional)

If necessary, speed and duplex can be set for both management and protection interfaces

Copper interfaces of both types are 10/100/1000

Management Interfaces

/ ip interfaces media mgt0 speed 1000 duplex full

Protection Interfaces

/ services aps mitigation interface media ext0 speed 1000 duplex full
/ services aps mitigation interface media int0 speed 1000 duplex full


Management Interface Traffic Type

Types of traffic for Arbor APS management interfaces

HTTPS

Web GUI, AIF, Cloud Signaling Handshake

SSH

Ping/ICMP

NTP

DNS

SNMP traffic

Cloud Signaling heartbeats (UDP)


Access Control via IP Access Lists

Arbor APS “internal firewall” needs to be configured to allow access

IP access rules allow you to specify authorized access (inbound connections) on a per subnet per interface per application basis

ip access add https all 10.0.0.0/8
ip access add ping all 0.0.0.0/0
ip access add ssh all 10.0.0.0/8
ip access add https all 2620:11e:1000::/44
ip access add ping mgt0 2620:11e:1000::/44
ip access add ssh mgt0 2620:11e:1000::/44

IMPORTANT: In order to activate the access list, it needs to be committed

ip access commit


Ports & Protocols – Access Required

Arbor APS management traffic uses these ports and protocols

Make sure existing firewalls in the management network are configured to allow this traffic

Port number is configurable


Enabling Secure Shell Access

SSH access is optional but recommended

Enabling SSH

admin@demo/:# services ssh start
admin@demo/:# services ssh show
SSH service status:
Status: running
Port: 22 (default)
Protocol: 2 (default)

Connect via SSH to validate and also to continue the CLI configuration in a more productive way


Check for Arbor APS Version

It is very important to ensure you have the latest code release for Arbor APS

To find the latest version, check Arbor Technical Assistance Center (ATAC) web site download area

admin@demo:/# system version
Version: Arbor Networks APS 5.11.0 (build HEDK) (arch x86_64)

Note: If you don’t have the latest code release, you MUST upgrade before moving forward


Installed System Software

System will ship with software pre-installed on the internal flash file system

admin@demo:/# system files show
Installed packages:
ArbOS_5.3.6.2     ArbOS 5.3.6.2 system files (build HEDK) (arch x86_64)
Arbor-APS-5.11.0  Arbor Networks APS 5.11.0 (build HEDK) (arch x86_64)


Obtain New ArbOS & APS Package

Pre-requisites

Download new software and release notes from https://update.arbor.net/

Open a ticket at ATAC https://support.arbor.net/ to obtain an account

Carefully read Release Notes

Obtain a Product and an AIF license from Arbor Support

Copy software packages to Arbor APS’ disk: (via CLI or GUI)

admin@demo:/# system file copy http://10.2.24.209/arbos-5.3.6.2-HJ4H-x86_64 disk:

admin@demo:/# system file copy http://10.2.24.209/Arbor-APS-5.12.0-HJ4H-x86_64 disk:

Note: For other copy options and syntax use the cli command #> / system file copy ?


Uninstall Old APS Package

admin@demo:/# system files show
Installed packages:
ArbOS_5.3.6.2     ArbOS 5.3.6.2 system files (build HEDK) (arch x86_64)
Arbor-APS-5.11.0  Arbor Networks APS 5.11.0 (build HEDK) (arch x86_64)

admin@demo:/# service aps stop
admin@demo:/# config write
admin@demo:/# system files uninstall Arbor-APS-5.11.0

Note: System configuration, statistics, history, log, etc. will be preserved


Install New ArbOS & APS Package

Install new ArbOS package and reboot for OS to take effect

/ system file install disk: arbos-5.3.6.2-HJ4H-x86_64

/ reload

Install new Arbor APS package

/ system file install disk: Arbor-APS-5.12.0-HJ4H-x86_64

/ reload

Note: Be sure to do reload after both the ArbOS install & the Arbor package install


Check for Installed Arbor APS Licenses

Arbor APS requires both a product and AIF license

If you see this, you need to install licenses:

admin@demo:/# system license show
No licenses are set

If you see this, the licenses are already installed:

admin@demo:/# system license show
Product: Arbor Model: PRA-APS-2108 Expires: Never
Key: NP94V-NREPK-9C9DB-MG76S-GHDWS-JMXPS-5PY36-J6AP6-V0M38
Product: ASERT Model: PRA-AIF-ADVANCED Expires: Thu Aug 15 13:24:55 2019
Key: BBE4P-4PZGR-GX99M-B93Y5-D10B7-A0HT2-P8HEV-6KQMG-PPM82


Appliance Serial Number

Arbor APS units have unique serial numbers

The serial number is required to generate the license

admin@demo:/# system hardware
Boot time: Thu Dec 20 12:36:54 2012, 43 days 20:44 ago
Load averages: 1.17, 1.59, 1.64
BIOS Version: S5500.86B.01.00.0054.092820101104
System Board Model: T5520UR
System Model Number: APS2100YAPS2100
Serial Number: PRV-20110430


Installing Arbor APS Licenses

Once you have obtained both a product and AIF license, you now need to set them in the system

Best approach is to Copy-Paste into CLI using SSH client

admin@demo:/# system license set Arbor PRA-APS-2108 P8RG5-STWX4-F0DDW-4DYP4-DVTXW-YMDHH-Y3C1Y-X39N3-DY2RR

admin@demo:/# system license set ASERT "PRA-APS-AIF-ADVANCED expires: 1437749737" 98765-43210-FGHIJ-ABCDE-PQRST-KLMNO-UVWXY-Z9876-54321

admin@demo:/# system license show
Product: Arbor Model: PRA-APS-2108 Expires: Never
Key: P8RG5-STWX4-F0DDW-4DYP4-DVTXW-YMDHH-Y3C1Y-X39N3-DY2RR
Product: ASERT Model: PRA-AIF-ADVANCED Expires: Thu Aug 15 13:24:55 2019
Key: 98765-43210-FGHIJ-ABCDE-PQRST-KLMNO-UVWXY-Z9876-54321


Configure Arbor APS Services

Arbor APS Services menu

admin@demo:/# services aps ?
Subcommands:
bypass/      Configure bypass control
database     Initialize or reinitialize the database
histograms   Configure or display histograms
language     Configure the language used in the UI
mode         Switch between Pravail APS deployment modes
protection   Modify protection configuration
reconfig     Reconfigure Pravail APS services
show         Show aps status
start        Start Pravail APS services
stop         Stop Pravail APS services


Set User Interface Language (Optional)

Language selection affects all GUI text

Language can also be changed in GUI

CLI remains in English

admin@demo# services aps language show
Language: English
admin@demo# services aps language set ?
en (English)
ja (Japanese)
ko (Korean)
ru (Russian)
zh (Mandarin)
admin@demo# services aps language set en
admin@demo#


Set MONITOR Deployment Mode

Determines whether Arbor APS forwards any traffic

Inline forwards, Monitor does not forward

Setting appears as icon at top of GUI

admin@demo# services aps mode show
Deployment mode: inline (inactive)
admin@demo# services aps mode set ?
inline
l3
monitor
admin@demo# services aps mode set inline
admin@demo#


Initialize Arbor APS Database

Database initialization is required to clean up the device

Resets Arbor APS databases

Any existing Arbor APS data is erased

admin@demo# services aps database initialize

Any GUI-only configuration is erased

Any configuration that appears in CLI is retained

This command removes most customer data remnants from Arbor APS GUI after a trial

CLI logs will still be there

For a complete wipe initialize disks and (re)install the system


Start Monitoring

Start Arbor APS services

Until you start the Arbor APS services, the appliance will be in Software Bypass mode

Supports the Graphical User Interface (GUI)

No running APS service = no GUI

admin@demo:/# services aps start
Starting Arbor services done.
admin@demo:/# services aps show
Arbor state: started

Save the Configuration

admin@demo:/# conf write
admin@demo:/#

Initial CLI configuration is complete!


BEST PRACTICES AT INITIAL DEPLOYMENT


Device Configuration

There are a few things that are important to ensure success in Arbor APS’s deployment. Some of them are:

Initialize the disk and reinstall if there is previous data in the system

Create user-ids for each person accessing Arbor APS

Leave admin as a backup for last resort. Do not use it daily.

Use Radius or TACACS if possible

Configure IP access lists as strict as possible

Always avoid using 0.0.0.0/0

Use NTP to ensure all devices share the same time (especially your Syslog server)

Configure Syslog to export data to a local server

As soon as you finish the setup, create a Remote backup
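
A way to check an access list against the "as strict as possible" and "avoid 0.0.0.0/0" advice above and the commit requirement from the Access Control slide, as an added Python example that is not Arbor's code and not part of the original slides. It reads lines in the `ip access add <service> <interface> <source>` form shown earlier; the prefix thresholds, the treatment of ssh and https as management services, and the severity labels are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# The six rules from the "Access Control via IP Access Lists" slide, as typed
# there, without the final "ip access commit".
SAMPLE_RULES = """\
ip access add https all 10.0.0.0/8
ip access add ping all 0.0.0.0/0
ip access add ssh all 10.0.0.0/8
ip access add https all 2620:11e:1000::/44
ip access add ping mgt0 2620:11e:1000::/44
ip access add ssh mgt0 2620:11e:1000::/44
"""

# Assumptions of this example, not values from the slides:
MIN_PREFIX = {4: 16, 6: 32}        # sources broader than this are reported
MGMT_SERVICES = {"ssh", "https"}   # services that give administrative access


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str   # "high", "medium", "low", "info" or "error"
    reason: str


def _words(line):
    """Split a CLI line, dropping the optional leading "/" used on some slides."""
    words = line.split()
    return words[1:] if words[:1] == ["/"] else words


def audit(text):
    """Return findings for every 'ip access add' line in text, in line order."""
    findings = []
    pending = None  # line number of the latest rule not yet followed by a commit
    for line_no, raw in enumerate(text.splitlines(), 1):
        words = _words(raw)
        if words == ["ip", "access", "commit"]:
            pending = None
            continue
        if len(words) != 6 or words[:3] != ["ip", "access", "add"]:
            continue  # not an access rule
        service, interface, cidr = words[3:]
        pending = line_no
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError as exc:
            findings.append(Finding(line_no, "error", f"bad source {cidr!r}: {exc}"))
            continue
        if net.prefixlen == 0:
            findings.append(Finding(line_no, "high",
                                    f"{service} is open to any source ({cidr})"))
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(Finding(line_no, "low",
                                    f"{service} source {cidr} is broader than "
                                    f"/{MIN_PREFIX[net.version]}"))
        if service in MGMT_SERVICES and interface == "all":
            findings.append(Finding(line_no, "medium",
                                    f"{service} allowed on every interface; "
                                    "name the management interface instead"))
    if pending is not None:
        findings.append(Finding(pending, "info",
                                "rules after the last 'ip access commit' are not active"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"line {f.line_no}: [{f.severity}] {f.reason}")
```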


Operation

When operating APS, best practice is to:

Access the devices using only encrypted connections (HTTPS or SSH)

Create a separate Protection Group for each of the services that need to be monitored

Configure Filter Lists to Drop unnecessary traffic into a Protection Group

For a Web Server Type, configure the Filter List Prevention with “drop udp” (unless it is a requirement for UDP traffic to be allowed to the service)


Allow Internal Traffic in Advance

Reduce service disruptions by whitelisting institutional space in Master Filter List


Whitelist Known / Approved Traffic Sources

Try to Whitelist known NATs and Known Sources


Tuning: Look for Collateral Damage

While in Inactive Mode, Try different Protection Levels and look for hosts that would be unintentionally blocked

Then, in peace time, do the same under Active mode


IPv6 Functionality (1 of 2)

Arbor APS does not support the following functionality for IPv6:

ICMPv6 decode in packet capture

Blacklist countries, URLs, and Domains

AIF support of IPv6 Threats

Outbound Threat Filter

Outbound Black / Whitelist

Notifications to IPv6 destinations (SNMP traps, Syslog, Email)

IPv6 host as a backup server

IPv6 host as a proxy server

IPv6 host as a Cloud Signaling server

IPv6 host as NSI controller


IPv6 Functionality (2 of 2)

Arbor APS does not support the following functionality for IPv6:

GRE Remote IP’s

Post GRE Routes

API calls for the following functionality

Blacklists

Whitelists

Blocked Hosts

Protection Group creation

Server Type creation

Default IPv6 Protection Group


MANAGEMENT WITH ARBOR APS API


Application Program Interface: API


Allows customers to create or use their current custom management portals to correlate threat alerts and information across multiple devices

Enterprise: Manage a large security deployment across dispersed architecture

Partners: Manage multiple clients utilizing current ticketing and management systems


Arbor APS API Use cases

User can eliminate the need to interact with multiple UIs by creating a single UI view that presents all of the collected data on a single screen

Automation of repetitive tasks across multiple APS appliances

Blacklist / Whitelist multiple hosts using a single script


Arbor APS API Automation Examples

Arbor APS API usage examples:

Configuration Synchronization

Create / Manage Protection Groups and Server Types

Change Protection Levels and Deployment modes

Send and Manage manual Cloud signaling alerts

Whitelist and Blacklist management

Summary Traffic reporting on Protection Groups and APS’s

Get Attack Category statistics per Protection Group

What cannot be done with Arbor APS API

Gain IPv6 data and histograms


API Documentation


Available for download from Arbor’s Support Knowledge Base


Unit Summary

In this unit we have learned how to:

Install Arbor APS

Upgrade Arbor APS

Perform initial configuration using the CLI

Apply Best Practices at initial deployment

Begin to use Arbor APS API


Q&A / THANK YOU
