Академический Документы
Профессиональный Документы
Культура Документы
Release Notes
Version 9.3
Sightline Release Notes, Version 9.3
Legal Notice
The information contained within this document is subject to change without notice.
NETSCOUT SYSTEMS, INC. makes no warranty of any kind with regard to this material, including, but
not limited to, the implied warranties of merchantability and fitness for a particular purpose.
NETSCOUT SYSTEMS, INC. shall not be liable for errors contained herein or for any direct or indirect,
incidental, special, or consequential damages in connection with the furnishings, performance, or use of
this material.
© 2020 NETSCOUT SYSTEMS, INC. All rights reserved. Confidential and Proprietary.
Contents
Revision History .......................................................................................................................................... 5
Introduction ................................................................................................................................................. 6
Sightline Release Notes ............................................................................................................................. 6
New Features ......................................................................................................................................... 6
Detection exclusions for managed objects ...................................................................................... 6
AIF filter lists ..................................................................................................................................... 6
UDP Session Authentication countermeasure ................................................................................. 7
Dynamic DNS matching for managed objects ................................................................................. 7
Detect AIF threat indicators in customer, profile, and subscriber managed objects ....................... 9
Log AIF threat indicators detected in customer, profile, and subscriber managed objects ............. 9
View reports for threat indicators in customer, profile, and subscriber managed objects ............... 9
Review the latest threat information updates in the AIF threat indicator feed ............................... 10
Enhancements ...................................................................................................................................... 11
Traffic-based generation of Payload Regular Expression countermeasure configuration ............ 11
Using the egress interface IP address for Cloud Signaling heartbeats ......................................... 11
New alerts search keyword ............................................................................................................ 11
Redesigned Explore Traffic page................................................................................................... 12
Relationships graph type on the Explore Traffic page ................................................................... 12
Insight: Traffic fidelity selector ........................................................................................................ 13
Changes in Behavior ............................................................................................................................ 14
Matching packet header data with regular expressions................................................................. 14
Updated configuration management system ................................................................................. 14
Changes to the subscriber configuration pages ............................................................................ 15
Changes to the AIF tab on the ATLAS reports summary page ..................................................... 15
Download XML button removed from certain wizard reports ......................................................... 15
Longer time out for the REST API ................................................................................................. 15
Syslog messages for alert stop events contain impact rates ......................................................... 15
Viewing older city and region information requires a different URL ............................................... 16
HTTP proxy settings check box was renamed .............................................................................. 17
IP address used for Cloud Signaling heartbeats was changed from Sightline 9.2 ........................ 18
Time period selector was renamed ................................................................................................ 18
DDoS menu option was renamed .................................................................................................. 18
Documentation reorganization ....................................................................................................... 18
Information about the REST API in Sightline ....................................................................................... 19
REST API enhancements .............................................................................................................. 19
Legacy REST API versions ............................................................................................................ 19
Revision History
The following table lists the dates when these release notes were updated and a description of the
changes that were made:
Date Description of Changes
2020-07-31 • Added bug 89892 to the list of fixed issues.
• Added bug 91304 to the list of known issues.
2020-07-29 Initial release.
Introduction
This document includes release information about Sightline 9.3. For release information about Threat
Mitigation System (TMS) 9.3.0, see the separate Threat Mitigation System Release Notes.
Sightline 9.3 is scheduled for General Availability on July 29, 2020 and will reach End of Maintenance on
July 29, 2022.
Note: Beginning with 9.0, the Arbor Networks SP product has been renamed “Arbor Sightline”.
Note: The dynamic matching settings for AIF managed objects are read-only. See AIF managed objects
with dynamic DNS matching on page 8.
Note: For best performance, select the multiuse method for dynamic DNS matching only when you need
to monitor domains that share IP addresses.
Detect AIF threat indicators in customer, profile, and subscriber managed objects
Sightline 9.3 provides licensed access to the AIF threat indicator feed, one of the latest feeds in Arbor’s
ATLAS Intelligence Feed (AIF) suite. Sightline can use the AIF threat indicator feed to detect threats by
reputation or behavior, such as persistent, targeted attacks, cybercrime activity, and mobile malware. The
feed content is continually updated based the latest threat research from the Arbor Security Engineering
and Response Team (ASERT).
With the AIF threat indicator feed, you can log and report on multiple categories of threats that Sightline
detects in the traffic for customer, profile, and subscriber managed objects. Like other ATLAS intelligence
feeds, Sightline automatically checks the AIF server daily for updates to the AIF threat indicator feed. You
can also download the latest feed data from the AIF server on demand.
In the configuration settings for a customer, profile, or subscriber managed object, you can select one or
more threat indicator categories to detect. For example, you can choose categories such as Email
Threats, Location Based Threats, and Mobile for a customer managed object. Sightline will then detect
malicious activity in the traffic for that managed object such as spam, SMS ad fraud, and ransomware
phishing. The threat detection will focus on geographic locations that ASERT classifies as the most likely
sources of these threats.
Note: To get access to the latest threat indicator policies in the AIF threat indicator feed, contact your
account team obtain a new flexible license that includes the Sentinel and AIF for Sightline licensed
capabilities. You can start using the AIF threat indicator feed after your new license is uploaded to the
license server. With cloud-based flexible licensing, the new license uploads automatically. With locally
managed flexible licensing, you must upload the new license manually. See “Uploading a Flexible
License” in the Sightline and Threat Mitigation System User Guide.
Log AIF threat indicators detected in customer, profile, and subscriber managed objects
If your deployment has customer, profile, or subscriber managed objects that are configured to detect
threat indicators, you can use the use the new Configure Threat Indicators page (Administration >
Detection > Threat Indicators) to do the following:
• Configure Sightline to send messages to a remote syslog server automatically when it detects threat
indicators in the traffic for customer, profile, or subscriber managed objects.
• Download threat indicator traffic logs in CSV files. The log files list the total volume of traffic for each
threat indicator policy detected in the traffic for a customer, profile, or subscriber managed object. The
volume for each policy is the 5-minute total for the indicated managed object across all flow collection
devices in your deployment. You can download the threat indicator data logged for any 5-minute
period in the last five days.
For more information, see “Logging Detected Threat Indicators” in the Sightline and Threat Mitigation
System User Guide.
View reports for threat indicators in customer, profile, and subscriber managed objects
New security reports in this release provide traffic graphs and statistics for customer, profile, and
subscriber managed objects that are configured to detect threat indicators from the AIF threat indicator
feed. The reports break out the detection data by host IP addresses, threat indicator categories, and
threat indicator policies.
To view the new threat indicator traffic reports, navigate to the Reports menu and then select the
following:
• The new Security tab for customer managed objects (Customers > Dashboard > Security)
• The new Profile Security page for profile managed objects (Profiles > Security)
• The updated Security tab for subscriber groups (Subscribers > Dashboard > Security)
Each security report page includes the graphs and statistics in the three threat indicator sections below.
The data for these reports are based on the AIF threat indicators that you configure for customer, profile,
or subscriber managed objects. Sightline updates these reports when it detects any configured threat
indicator categories in matching traffic flows.
• Threat Indicator Summary: Shows you how many hosts in matched traffic flows had AIF threat
indicators detected in their traffic. The summary also shows the volume of traffic for hosts with
detected threat indicators.
• Threat Indicator Categories: Shows the volume of AIF threat indicators by category in matched
traffic flows.
• Threat Indicator Policies: Shows the volume of AIF threat indicators by policy in matched traffic
flows.
For more information, see the following topics in the in the Sightline and Threat Mitigation System User
Guide: “About the Customer Dashboard,” “About the Subscriber Dashboard,” and “Profile ‘name’ per
Security Report”.
Review the latest threat information updates in the AIF threat indicator feed
The new AIF Threat Indicator Feed tab on the ATLAS page (Reports > ATLAS > Summary) shows you
the last time the feed was updated. It also lists each AIF policy in the feed along with the AIF threat
indicator categories that are associated with that policy.
Enhancements
See “Configuring the Payload Regular Expression Countermeasure” in the Sightline and Threat Mitigation
System User Guide for additional information.
Changes in Behavior
IP address used for Cloud Signaling heartbeats was changed from Sightline 9.2
By default, Sightline 9.3 uses the IP address of the interface from which packets leave the Sightline
device as the source IP address for heartbeats from Sightline that are sent to AED or APS appliances.
This behavior is different from Sightline 9.2, which used the configured IP address of the Sightline device
is used as the source IP address. (The behavior in Sightline 9.3 is the same as that of Sightline 9.1 and
lower.)
To configure Sightline 9.3 to use the configured IP address as the source of heartbeats, as it did in
Sightline 9.2:
1. Navigate to the Configure Network Services page (Administration > System Maintenance >
Network Services).
2. Click the Cloud Signaling tab.
3. Clear the Use egress interface IP address as source IP address check box.
4. Click Save.
This change in behavior is the result of the enhancement described in Using the egress interface IP
address for Cloud Signaling heartbeats on page 11.
Documentation reorganization
The content of the Advanced Configuration Guide was merged with the User Guide. No content was
removed. You can find content that was formerly included in the Advanced Configuration Guide in the
relevant chapters of the User Guide.
/devices/
• Added the tms_ports relationship. This is a relationship to the TMS ports on the device. You can
use the GET method with the tms_ports relationship. tms_ports is a relationship to the
/tms_ports/ endpoint.
• Added the bgp_peering_sessions relationship. This is a relationship to a BGP peering session on
the device. You can use the GET, PATCH, and POST methods with the bgp_peering_sessions
relationship. bgp_peering_sessions is a relationship to the /bgp_peering_sessions/
endpoint.
/fingerprints/
• You can now use the following query parameters in GET requests for this endpoint:
▪ filter: Allows you to request data with specific attributes or relationships. This endpoint uses
the Sightline filtering syntax.
▪ perPage: Allows you to specify the maximum number of results that are returned in the
response.
▪ page: Allows you to specify which set (page) of results is returned.
▪ sort: Allows you to request data sorted by attribute, relationship, or ID.
/insight/
• Insight can now provide multiple data sources that you can use for Insight traffic data queries. You
can use the /insight/data_sources endpoint to get a list of the data sources available on your
cluster.
A typical Insight cluster provides the following data sources.
▪ annotated_flow: This is a full-fidelity data set. When you choose this data source, Insight runs
a query on 100% of all traffic data for the time period. These queries take more time to return
than lower-fidelity queries. If you specify no data source, Insight uses this data source for the
query.
▪ annotated_flow_s10: This is a sampled data set. When you choose this data source, Insight
runs a query on 10% of all traffic data for the time period, and scales the traffic volume that it
returns to account for sampling. These queries take less time to return than full-fidelity queries.
Note: This data source is not available on small Insight clusters.
▪ annotated_flow_s100: This is a sampled data set. When you choose this data source, Insight
runs a query on 1% of all traffic data for the time period, and scales the traffic volume that it
returns to account for sampling. These queries take significantly less time to return than full-
fidelity queries.
This is the REST API equivalent of the Fidelity selector that was added to the Insight page. See
Insight: Traffic fidelity selector on page 13.
You can select the data source that is used when querying the following sub-endpoints:
▪ rawflows
▪ timeseries
▪ topn_timeseries
▪ topn
/managed_objects/
• Added the sub-endpoint:
▪ /<managed_object_ID>/dynamic_match_values: Associates the specified managed
object with the list of domains for dynamic DNS matching that are configured in the domains
array attribute. See Dynamic DNS matching for managed objects on page 7.
▪ You can optionally use JSON Patch documents in PATCH requests to this endpoint. This allows
you to add, remove, or replace individual domains in the domains array attribute without
replacing the entire array. For more information, see the documentation for this endpoint.
• Added the following attributes:
▪ dynamic_match_enabled: (boolean) Enables or disables dynamic DNS matching for a
managed object. If true, Sightline can use the managed object to monitor traffic for domains that
have frequently changing service IP addresses. See Dynamic DNS matching for managed
objects on page 7.
▪ dynamic_match_multiuse_enabled: (boolean) Enables or disables multiuse dynamic DNS
matching. If true while dynamic_match_enabled is true, Sightline performs dynamic DNS
matching even if some service IP addresses to match are used by different domains in a single
managed object or across managed objects. If false while dynamic_match_enabled is true,
Sightline performs single-use dynamic matching. See Dynamic DNS matching for multiuse
service IP addresses on page 8.
▪ domains: (array(string)) attribute in the /dynamic_match_values/<managed_object_id>
resource that specifies the domains for the service IP addresses to dynamically match in the
specified managed object. See About configuring managed objects for dynamic DNS matching on
page 8.
▪ detection_exclusions_destination: (array(string)) CIDR blocks. Sightline does not
create host alerts for the managed object for traffic to these CIDR blocks.
▪ detection_exclusions_source: (array(string)) CIDR blocks. Sightline does not create host
alerts for the managed object for traffic from these CIDR blocks.
/tms_filter_lists/
• Added the following attributes:
▪ atlas_feed_id: (string) Read only. The unique identifier for an AIF filter list. If
atlas_feed_id is set, the filter list is an AIF filter list. Sightline downloads AIF filter lists in the
AIF filter lists feed (one of the licensed ATLAS Intelligence Feeds).
• mitigate: (boolean) If true, the TMS device mitigates the traffic on this port. mitigate is
false if nxdomain is true.
• nxdomain: (boolean) If true, the TMS device uses this port to listen to DNS NXDomain
responses. This prevents the port from forwarding and mitigating traffic, but allows the TMS
device to use the DNS NXDomain Rate Limiting Countermeasure. nxdomain is false if
mitigate is true.
• voip: (boolean) If true, the TMS device gathers VoIP usage statistics (for example, top
callers, callees, and conversations) by inspecting the packets flowing through this interface.
▪ ipv4_address: The IPv4 address of the TMS port. This attribute is required for ports on TMS
devices configured in diversion mode, but is optional for ports on TMS devices configured in inline
mode. ipv4_address includes a netmask if the TMS device is configured in diversion mode
with layer 3 forwarding.
▪ ipv6_address: The IPv6 address of the TMS port. This attribute is required for ports on TMS
devices configured in diversion mode, but is optional for ports on TMS devices configured in inline
mode. ipv6_address includes a netmask if the TMS device is configured in diversion mode
with layer 3 forwarding.
▪ ipv4_nexthop: (string) The IPv4 address of the nexthop for the TMS port. This attribute is
returned only when the TMS device is configured in diversion mode with patch panel forwarding.
▪ ipv6_nexthop: (string) The IPv6 address of the nexthop for the TMS port. This attribute is
returned only when the TMS device is configured in diversion mode with patch panel forwarding.
▪ mpls_label_enabled: (boolean) If true, the TMS port can process and pop MPLS labels, and
then mitigate IPv6 traffic routed using 6PE.
▪ mtu: (integer) The maximum transmission unit of the TMS port. mtu is not returned for a physical
port that is a parent of a subinterface or a physical port that is part of a logical port. mtu must be
in the range of 28-1544.
▪ snmp_id: (integer) The SNMP ID of the TMS port. This is assigned by Sightline.
▪ lacp_mode_passive: (boolean) If true, LACP mode is passive. This attribute is returned only
for TMS ports with port_type set to logical.
Note: For Cisco ASR 9000 vDDoS Protection devices, lacp_mode_passive is automatically
set to true.
▪ vlan_id: (integer) The VLAN ID of the TMS port. vlan_id is returned only for TMS ports with
port_type set to subinterface.
▪ speed_mbps: (integer) The speed of the TMS port in megabits per second.
Note: For Software TMS devices, speed_mbps is null.
▪ usable: (boolean) If true, the port is available for use to forward or mitigate traffic. usable is
false for the following port configurations:
• ports with a port_type of physical that belong to a logical port
• ports with a port_type of physical that have subinterfaces
• ports with a port_type of logical that have subinterfaces
• Added the following relationships:
▪ output_port: A relationship to the TMS port that traffic is forwarded out through.
output_port is a relationship to the /tms_ports/ endpoint.
▪ logical_port: A relationship to the TMS logical port(s) a physical port is part of.
logical_port is a relationship to the /tms_ports/ endpoint.
▪ member_port: A relationship to the TMS physical ports that comprise a logical port.
member_port is a relationship to the /tms_ports/ endpoint.
▪ subinterfaces: A relationship to TMS ports used as subinterfaces for logical and physical
ports. subinterfaces is a relationship to the /tms_ports/ endpoint.
▪ parent_port: A relationship to the TMS port that is the parent port of this subinterface.
parent_port is a relationship to the /tms_ports/ endpoint.
/tms_ports/<id>
• Added the ability to POST the endpoint.
You cannot POST a TMS port with a port_type of physical.
For the Cisco ASR9000 vDDoS Protection device, the following guidelines apply:
▪ you should only POST a port with port_type of subinterface
▪ all capabilities sub-attributes must be set to false
• Added the ability to PATCH the endpoint.
The following attributes cannot be PATCHed:
▪ port_type
▪ name
▪ snmp_id
▪ speed_mbps
▪ usable
▪ vlan_id
Relationships cannot be patched.
For the Cisco ASR9000 vDDoS Protection device, you cannot PATCH and set any of the
capabilities sub-attributes to true.
• Added the ability to DELETE the endpoint.
You cannot DELETE a TMS port with a port_type of physical.
When you DELETE a TMS port with a port_type of logical, the following actions occur:
▪ the subinterfaces on the logical port are deleted
▪ the logical_port relationship is cleared on all physical ports that were part of the logical port
▪ the output_port relationship is cleared on all ports that had that logical port as an output port
When you DELETE a TMS port with a port_type of subinterface, the output_port
relationship is cleared on all ports that had that subinterface as an output port.
When using Arbor hardware to run Insight, we recommend that the network used for intra-cluster
communication supports an MTU (maximum transmission unit) of 9000. As a result of this
recommendation, the default MTU setting for 10 GbE interfaces (eth2 to eth5, which are typically used
for intra-cluster communication) is 9000 in all versions of ArbOS that were released with Insight 7 and
above.
Discrepancies between the MTU setting used by ArbOS for Insight and your network’s MTU can cause
errors during Insight installation and will cause issues with communication between Insight nodes.
Multi-version compatibility
Sightline 9.3 is compatible with previous versions of Sightline, SP, and TMS. This allows you to upgrade
the devices in your deployment in stages. For details about multi-version compatibility, refer to the
Sightline and Threat Mitigation System Compatibility Guide, available from the Arbor Technical
Assistance Center (https://support.arbornetworks.com).
Deployments running SP 8.3.x or lower that use flexible licensing require a new license
file
The following information applies to deployments that run SP 8.3.x or lower that also use
flexible licensing.
Before upgrading from SP 8.3.x or lower to Sightline 9.3, you must first contact the Arbor Technical
Assistance Center (ATAC) at https://support.arbornetworks.com/ to obtain a new flexible license file. If
you continue to use your old license file, you may experience a reduction in the number of managed
objects that can be used in the deployment or the number of users accounts that can access the UI.
Follow the procedures below to ensure no reduction in deployment capabilities.
4. After installing the new version of Sightline on the leader, enable cloud-based flexible licensing and
start Sightline services.
a. Enter / services sp license flexible server cloud_licensing enable
b. Enter config write
c. Enter / services sp start
d. Enter config write
TMS services must be stopped and started again if using GRE tunnels (upgrades from
Sightline 9.0.x and lower only)
If you are upgrading from Sightline 9.0.x and lower to Sightline 9.1.x and higher and are using GRE
tunnels, you need to restart TMS services after the upgrade to maintain proper functionality.
This issue is documented in bug 85719.
Follow the procedure below if you have TMSes in your deployment that use GRE tunnels:
1. Upgrade the Sightline leader to Sightline 9.3.
2. Confirm that the Appliance Status page in the Sightline leader’s web UI (System > Status >
Appliance Status) lists each TMS status as “RUNNING”.
3. Log in to the CLI of the TMS and run the following commands:
▪ / services tms stop
▪ / services tms start
4. Repeat the previous step for each TMS in the deployment.
Upgrade process
When upgrading your Sightline deployment, you must upgrade your Sightline devices in a specific order.
For more information, see “Multi-Version Deployment Upgrade Process” in the Sightline and Threat
Mitigation System Compatibility Guide. Be aware of the following when upgrading:
• You must upgrade the leader device before upgrading any other user interface devices in your
deployment.
• The upgraded leader must be running when you upgrade the other user interface devices. If the
leader is not upgraded or not running, you will need to manually resync the database when it is.
• When upgrading from SP 8.2 or higher, a database sync for non-leader user interface devices may
be needed if the devices have been down for an extended time period, usually on the order of hours.
Syncing the database should take less than 10 minutes; however, large databases on slow
connections could take longer.
Device certificates
Contact the Arbor Technical Assistance Center (ATAC) at https://support.arbornetworks.com and obtain a
certificate for your device if you plan to use the device for one of the following:
• Remote services
• UI secure login
Supported devices
For information about Sightline appliances and TMS devices that are supported by Sightline, see the
Sightline and Threat Mitigation System Compatibility Guide, available from the Arbor Technical
Assistance Center (https://support.arbornetworks.com).
For more information about running Sightline in a virtual machine, see the Sightline Virtual Machine
Installation Guide, available from the Arbor Technical Assistance Center
(https://support.arbornetworks.com/).
Router requirements
Sightline is compatible with any router that exports RFC-compliant netflow and includes all the
RFC-required fields. Sightline supports netflow v5, v9, IPFIX, and sFlow.
Communication ports
Required ports
The following table lists the ports that Sightline uses and that are required for a deployment to operate
correctly. When the following terms appear in this table, they refer to appliance roles with flexible
licensing and to appliance types with appliance‑based licensing:
• data storage
• traffic and routing analysis
• user interface
References in this table to the FS appliance (Flow Sensor) only apply to appliance-based licensing.
Service Ports Required Protocol Direction
ArborFlow 31373 UDP • FS appliance to traffic and routing analysis
• FS appliance to data storage traffic and routing
analysis to data storage
• traffic and routing analysis to data storage
ArborFlow (if ArborFlow 5000 (default) UDP TMS appliance to traffic and routing analysis
from TMS is enabled)
Optional ports
The following ports are optional and only need to be enabled if you are using the corresponding service:
Service Ports Protocol Direction
Cloud-based 443 TCP • Leader to cloud license server
licensing • Cloud license server response to leader
Cloud signaling 443 TCP • APS to leader appliance
handshake • Leader appliance response to APS
(HTTPS)
Cloud signaling 7550 UDP • APS to leader appliance
heartbeat • Leader appliance response to APS
FTP 20-21 TCP • Sightline appliance query to FTP server
• FTP server response to Sightline appliance
HTTP 80 TCP • Sightline appliance to HTTP server
• HTTP server response to Sightline appliance
NTP 123 UDP • Sightline appliance request to NTP server
• NTP server response to Sightline appliance
Untracked interfaces
In addition to the data gathered on a per-interface basis, there can be untracked interfaces, which have
the following properties:
• They are on a router that was configured with the “Enable Dynamic Subscriber Interface Handling”
option.
• Their SNMP interface names/descriptions do not match a configured Interface Classification rule OR
the interfaces are not represented in the SNMP data obtained from the involved router.
Note: Only 400,000 interfaces with SNMP information can be processed, even if they are untracked
interfaces. The 700,000-interface limit can only be reached if a very large number of the interfaces
have no SNMP presence whatsoever.
• They do not appear in any interface page or report in the product.
• They do not impact any interface scaling limitation on the deployment. Therefore, there can be an
unlimited number of these kinds of interfaces on a particular collector or on the deployment in
general.
• They can have flow sent for them by the router and it will be tracked on a per-router basis in a single
aggregate interface. This appears in normal interface pages and reports.
• The flow sent for these interfaces is constrained by the normal stated flow processing limits on a per-
appliance basis, as well as the normal licensed limits on a per-deployment basis for flex licensing
deployments.
Additional Information
Downloading the software
You can download the software releases and user documentation from the Arbor Technical Assistance
Center at https://support.arbornetworks.com using the Software Downloads link.