Sightline

Release Notes

Version 9.3
Sightline Release Notes, Version 9.3

Legal Notice
The information contained within this document is subject to change without notice.
NETSCOUT SYSTEMS, INC. makes no warranty of any kind with regard to this material, including, but
not limited to, the implied warranties of merchantability and fitness for a particular purpose.
NETSCOUT SYSTEMS, INC. shall not be liable for errors contained herein or for any direct or indirect,
incidental, special, or consequential damages in connection with the furnishings, performance, or use of
this material.
© 2020 NETSCOUT SYSTEMS, INC. All rights reserved. Confidential and Proprietary.

Document Number: SP_RN-93-2020/07


31 July 2020

2 © NETSCOUT SYSTEMS, INC. All rights reserved. Confidential and Proprietary


Contents
Revision History .......................................................................................................................................... 5
Introduction ................................................................................................................................................. 6
Sightline Release Notes ............................................................................................................................. 6
New Features ......................................................................................................................................... 6
Detection exclusions for managed objects ...................................................................................... 6
AIF filter lists ..................................................................................................................................... 6
UDP Session Authentication countermeasure ................................................................................. 7
Dynamic DNS matching for managed objects ................................................................................. 7
Detect AIF threat indicators in customer, profile, and subscriber managed objects ....................... 9
Log AIF threat indicators detected in customer, profile, and subscriber managed objects ............. 9
View reports for threat indicators in customer, profile, and subscriber managed objects ............... 9
Review the latest threat information updates in the AIF threat indicator feed ............................... 10
Enhancements ...................................................................................................................................... 11
Traffic-based generation of Payload Regular Expression countermeasure configuration ............ 11
Using the egress interface IP address for Cloud Signaling heartbeats ......................................... 11
New alerts search keyword ............................................................................................................ 11
Redesigned Explore Traffic page................................................................................................... 12
Relationships graph type on the Explore Traffic page ................................................................... 12
Insight: Traffic fidelity selector ........................................................................................................ 13
Changes in Behavior ............................................................................................................................ 14
Matching packet header data with regular expressions................................................................. 14
Updated configuration management system ................................................................................. 14
Changes to the subscriber configuration pages ............................................................................ 15
Changes to the AIF tab on the ATLAS reports summary page ..................................................... 15
Download XML button removed from certain wizard reports ......................................................... 15
Longer time out for the REST API ................................................................................................. 15
Syslog messages for alert stop events contain impact rates ......................................................... 15
Viewing older city and region information requires a different URL ............................................... 16
HTTP proxy settings check box was renamed .............................................................................. 17
IP address used for Cloud Signaling heartbeats was changed from Sightline 9.2 ........................ 18
Time period selector was renamed ................................................................................................ 18
DDoS menu option was renamed .................................................................................................. 18
Documentation reorganization ....................................................................................................... 18
Information about the REST API in Sightline ....................................................................................... 19
REST API enhancements .............................................................................................................. 19
Legacy REST API versions ............................................................................................................ 19

New endpoints in the REST API .................................................................................................... 19
Updated endpoints in the REST API.............................................................................................. 20
Upgrade Information for Insight ............................................................................................................ 24
Using Insight in a Sightline deployment ......................................................................................... 24
Upcoming Insight release: Insight powered by NETSCOUT nGenius Business Analytics ........... 24
Default MTU setting in ArbOS for Insight ....................................................................................... 24
Upgrade Information for Sightline ......................................................................................................... 25
Supported upgrade paths .............................................................................................................. 25
Multi-version compatibility .............................................................................................................. 25
Deployments running SP 8.3.x or lower that use flexible licensing require a new license file ...... 25
TMS services must be stopped and started again if using GRE tunnels (upgrades from Sightline 9.0.x and lower only) ...................................................................................................... 26
Upgrade process ............................................................................................................................ 26
Upgrading requires an active Maintenance and Support subscription .......................................... 26
Device certificates .......................................................................................................................... 27
Support for DSA keys was deprecated .......................................................................................... 27
Running Sightline in a Virtual Machine .......................................................................................... 27
Support for Microsoft Internet Explorer .......................................................................................... 27
System Requirements for Sightline ...................................................................................................... 28
Supported devices ......................................................................................................................... 28
Supported web browsers ............................................................................................................... 28
Router requirements ...................................................................................................................... 28
Communication ports ..................................................................................................................... 28
Fixed Issues in Sightline ....................................................................................................................... 31
Known Issues in Sightline..................................................................................................................... 34
Other Things to Know about Sightline ................................................................................................... 36
Create a backup after converting to flexible licensing .......................................................................... 36
Dynamic subscriber interfaces ............................................................................................................. 36
Sightline interface handling ............................................................................................................ 36
Untracked interfaces ...................................................................................................................... 36
High CPU load averages ...................................................................................................................... 37
Additional Information .............................................................................................................................. 38
Downloading the software .................................................................................................................... 38
Contacting Arbor Technical Assistance Center .................................................................................... 38
About the Sightline and Threat Mitigation System Documentation ...................................................... 39
Appendix A: New notifications in Sightline 9.3...................................................................................... 40
Threat indicator policy detection notifications....................................................................................... 40

Revision History
The following table lists the dates when these release notes were updated and a description of the
changes that were made:
Date        Description of Changes
2020-07-31  • Added bug 89892 to the list of fixed issues.
            • Added bug 91304 to the list of known issues.
2020-07-29  Initial release.

Introduction
This document includes release information about Sightline 9.3. For release information about Threat
Mitigation System (TMS) 9.3.0, see the separate Threat Mitigation System Release Notes.
Sightline 9.3 is scheduled for General Availability on July 29, 2020 and will reach End of Maintenance on
July 29, 2022.
Note: Beginning with 9.0, the Arbor Networks SP product has been renamed “Arbor Sightline”.

Sightline Release Notes


New Features

Detection exclusions for managed objects


Detection exclusions allow you to specify prefixes that Sightline excludes from host detection for a given
managed object. You can specify source and destination prefixes separately. Sightline does not generate
host alerts for traffic from excluded source prefixes, or traffic to excluded destination prefixes, even if that
traffic otherwise meets the criteria of host alert traffic.
This feature effectively allows you to create whitelists of traffic sources and destinations that you do not
want to trigger host alerts. For example, you might add a data backup server's prefix as an excluded
destination, because it is typically the destination of large amounts of traffic. Similarly, you might add a
software update server's prefix as an excluded source, because it is typically the source of large amounts
of traffic.
You can configure this feature on the Detection Exclusions tab of a managed object. Additionally, while
viewing the DoS Host Alert page, you can add the target IP address to the corresponding managed
object's list of excluded destination prefixes by clicking the icon next to the target IP address and then
clicking Exclude Target.
Note: Detection exclusions limit the creation of host alerts only. They do not affect other types of traffic
alerts.

AIF filter lists


If your deployment includes TMS and your flexible license has the AIF for TMS licensed capability,
Sightline can download AIF filter lists from the AIF server. Just as with other filter lists, you can use AIF
filter lists to define which traffic should be dropped or passed by a TMS mitigation. Unlike other filter lists,
the Arbor Security Engineering and Response Team (ASERT) continually configures and updates AIF
filter lists to help you mitigate attack traffic in efficient and effective ways. The entries in AIF filter lists
reflect the most recent ATLAS intelligence and the ASERT team’s extensive research, analysis, and
experience.
Sightline displays AIF filter lists on the Configure Filter Lists page (Administration > Mitigation > Filter
Lists).

UDP Session Authentication countermeasure


You can use the new UDP Session Authentication countermeasure to block traffic from UDP sessions
that do not complete an authentication check. The countermeasure is used with UDP sessions that are
initiated by a packet identifiable by a regular expression.
The countermeasure performs session authentication by dropping the initial packet of a UDP session and
waiting for the session to retransmit it. You enter a regular expression that is used to identify the initial
packet. Valid sessions perform the retransmission, while invalid sessions may not. If the session
retransmits the initial packet within a timeframe you configure, the session is authenticated.
In order to not disrupt legitimate traffic when the countermeasure begins, you configure an in-progress
session acceptance time period. During this time period, all UDP sessions that are in progress are
automatically considered authenticated. They do not undergo the authentication process. The traffic for
these sessions is forwarded, even after the acceptance time period elapses.
Authenticated sessions remain authenticated as long as they continue to have traffic. Re-authentication is
required if a session is idle for longer than an idle time period you configure. After exceeding the idle time
period, any new traffic from the session is dropped until the session is re-authenticated.
The UDP Session Authentication countermeasure is not executed in mitigations that are in inactive mode.
See “Configuring the UDP Session Authentication Countermeasure” in the Sightline and Threat Mitigation
System User Guide for additional information.
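The following is an added example that models the authentication state machine described above; it is not NETSCOUT code and does not reproduce the TMS implementation. The class and field names, the 4-tuple used as the session key, and the treatment of the acceptance period (any non-initial packet seen during that period is taken to belong to an in-progress session) are this example's assumptions. The constructed traffic also shows the caveat a practitioner should keep in mind: a legitimate client that does not retransmit its initial packet within the window is dropped exactly like a spoofed source.

```python
import re
from dataclasses import dataclass, field


@dataclass
class UdpSessionAuth:
    """Model of the UDP Session Authentication countermeasure described above.

    Times are seconds. Field names are this example's own, not Sightline's."""
    initial_packet_re: re.Pattern      # regular expression that identifies a session's initial packet
    retransmit_window: float           # retransmission must arrive within this many seconds
    acceptance_period: float           # in-progress sessions seen this long after start are accepted
    idle_timeout: float                # a session idle longer than this must re-authenticate
    start_time: float = 0.0            # when the countermeasure started in the mitigation
    pending: dict = field(default_factory=dict)        # session key -> time its initial packet was dropped
    authenticated: dict = field(default_factory=dict)  # session key -> time of its last packet

    @staticmethod
    def session_key(pkt):
        # A session is identified by its 4-tuple (src_ip, src_port, dst_ip, dst_port).
        return pkt[:4]

    def handle(self, pkt, now):
        """Return 'pass' or 'drop' for one packet (src_ip, src_port, dst_ip, dst_port, payload)."""
        key = self.session_key(pkt)
        payload = pkt[4]

        if key in self.authenticated:
            if now - self.authenticated[key] <= self.idle_timeout:
                self.authenticated[key] = now
                return "pass"
            del self.authenticated[key]           # idle too long: re-authentication required

        if self.initial_packet_re.search(payload):
            dropped_at = self.pending.get(key)
            if dropped_at is not None and now - dropped_at <= self.retransmit_window:
                del self.pending[key]             # retransmitted in time: session authenticated
                self.authenticated[key] = now
                return "pass"
            self.pending[key] = now               # first sighting (or window expired): drop and wait
            return "drop"

        # Not an initial packet. Modelling assumption: during the acceptance period such
        # a packet belongs to an in-progress session and is accepted without authentication;
        # after that period, traffic from an unauthenticated session is dropped.
        if now - self.start_time <= self.acceptance_period:
            self.authenticated[key] = now
            return "pass"
        return "drop"


def run_scenario():
    """Constructed traffic: an in-progress session, a client that retransmits its initial
    packet, a source that never retransmits in time, and a session that goes idle."""
    cm = UdpSessionAuth(re.compile(rb"^HELLO "), retransmit_window=2.0,
                        acceptance_period=5.0, idle_timeout=30.0)
    good = ("198.51.100.10", 40000, "203.0.113.5", 5000, b"HELLO v1")
    good_data = good[:4] + (b"DATA",)
    spoofed = ("192.0.2.77", 41000, "203.0.113.5", 5000, b"HELLO v1")
    in_progress = ("198.51.100.20", 42000, "203.0.113.5", 5000, b"DATA")
    events = [
        (1.0, in_progress),   # mid-session during acceptance period: pass without authentication
        (10.0, good),         # initial packet: dropped
        (10.5, good),         # retransmitted within 2 s: pass, session authenticated
        (11.0, good_data),    # authenticated session: pass
        (12.0, spoofed),      # initial packet: dropped
        (20.0, spoofed),      # arrives 8 s later, outside the window: dropped again
        (20.0, in_progress),  # still authenticated after the acceptance period elapsed: pass
        (50.0, good_data),    # idle 39 s > 30 s: must re-authenticate, so non-initial data is dropped
        (51.0, good),         # initial packet again: dropped
        (52.0, good),         # retransmitted in time: pass
    ]
    return [cm.handle(pkt, t) for t, pkt in events]
```

`run_scenario()` returns one verdict per event; the idle case (events 8 to 10) shows why an idle timeout shorter than a protocol's natural keepalive interval would make every legitimate session pay the drop-and-retransmit cost again.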

Dynamic DNS matching for managed objects


In Sightline 9.3, you can use dynamic DNS matching to monitor traffic for domains, even if the domains
have frequently changing IP addresses. For example, you can track traffic for time-limited IP addresses in
domains for OTT web services such as streaming video, gaming, and VoIP.
Dynamic DNS matching is available for the following managed objects:
• customer, profile, peer, and service managed objects
• managed objects in the AIF managed object feed
• profiles in managed services account groups
Note: To use dynamic DNS matching, your Sightline deployment must have the Sentinel licensed
capability. The Sightline leader must also be configured to communicate with one or more NETSCOUT
InfiniStreamNG® (ISNG) appliances in your network. For assistance, contact your NETSCOUT Sales
Team or ATAC (https://support.arbornetworks.com).
With dynamic matching, the Sightline leader continually ingests a stream of DNS data from ISNG
appliances. Sightline combines the DNS data with the flow data that it collects for managed objects that
have dynamic DNS matching enabled and a configured list of domains to monitor.
Dynamic DNS matching starts when a client requests content from an OTT web service. If the domain for
the requested service is configured in one or more managed objects that have dynamic DNS matching
enabled, Sightline does the following:
• Extracts the latest service IP address associated with the domain from the DNS data.
• Adds the service IP address to the dynamic match values for all managed objects that have dynamic
DNS matching enabled and a configured domain that matches the requested domain.
Sightline then starts matching traffic for the service IP address in all managed objects that have the IP
address in their dynamic match values. Matching continues as long as the DNS data from ISNG
appliances indicates a valid association between the IP address and the requested domain.

About configuring managed objects for dynamic DNS matching


In Sightline 9.3, you can use the UI or REST API to view or change the dynamic DNS matching
configuration settings for a managed object as follows:
• UI: Navigate to the Match tab for a customer, profile, peer, or service managed object and configure
the settings under Dynamic DNS Matching. These settings allow you to do the following for the
managed object:
▪ Enable or disable dynamic matching.
▪ Select dynamic DNS matching for multiuse service IP addresses. See Dynamic DNS matching for
multiuse service IP addresses below.
▪ Upload a list of domains to dynamically match.
▪ Add and edit the list of domains.
▪ Export the list of domains to a text file.
See “Configuring dynamic DNS matching” under “Configuring Match Settings for Managed Objects” in
the Sightline and Threat Mitigation System User Guide.
• REST API: Configure the new attributes for dynamic matching in the /managed_objects/
endpoint. See the /managed_objects/ section in Updated endpoints in the REST API on page 20.

Note: The dynamic matching settings for AIF managed objects are read-only. See AIF managed objects
with dynamic DNS matching on page 8.

Dynamic DNS matching for multiuse service IP addresses


Some of the domains that you want to monitor with dynamic DNS matching might deliver their content
from the same block of multiuse service IP addresses. In the DNS data that Sightline receives from ISNG
appliances, each multiuse IP address can be associated with multiple domains.
If any of the domains configured in a managed object with dynamic DNS matching can share multiuse IP
addresses with other configured domains, select Match service IP addresses and client IP address.
With this method, Sightline uses the requesting client's address together with the service IP address to
associate traffic for the service IP address with the correct configured domain. This keeps the service IP
addresses that each managed object dynamically matches correct.
To select Match service IP addresses and client IP address, see "Dynamic DNS matching method
options" under "Configuring Match Settings for Managed Objects" in the Sightline and Threat Mitigation
System User Guide.
To enable dynamic DNS matching for multiuse service IP addresses in the REST API, set the attributes
dynamic_match_enabled and dynamic_match_multiuse_enabled to true.

Note: For best performance, select the multiuse method for dynamic DNS matching only when you need
to monitor domains that share IP addresses.
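The following added example (not NETSCOUT code; the leader's real implementation is not documented here) shows the difference between the two matching methods described above. It assumes a DNS observation is a (client IP, domain, answer IP, TTL) tuple and that an association stays valid for the answer's TTL; the class and method names are this example's own. The constructed scenario has two services answering from one multiuse IP address, which is exactly the case where keying the match values on the service IP alone attributes one service's traffic to the other's managed object.

```python
from dataclasses import dataclass, field


@dataclass
class ManagedObject:
    name: str
    domains: set                                    # domains to dynamically match
    dynamic_match_enabled: bool = True
    dynamic_match_multiuse_enabled: bool = False    # "Match service IP addresses and client IP address"
    # Dynamic match values with their expiry time. Plain method: service_ip -> expires_at.
    # Multiuse method: (client_ip, service_ip) -> expires_at.
    match_values: dict = field(default_factory=dict)


class DynamicDnsMatcher:
    """Toy version of the leader-side logic: DNS answers in, per-object match values out."""

    def __init__(self, managed_objects):
        self.objects = [mo for mo in managed_objects if mo.dynamic_match_enabled]

    def ingest_dns(self, client_ip, domain, service_ip, ttl, now):
        """One DNS answer from the ISNG stream: client_ip resolved domain to service_ip.
        Assumption: the association stays valid for the answer's TTL."""
        for mo in self.objects:
            if domain not in mo.domains:
                continue
            key = (client_ip, service_ip) if mo.dynamic_match_multiuse_enabled else service_ip
            mo.match_values[key] = max(mo.match_values.get(key, 0.0), now + ttl)

    def matching_objects(self, client_ip, service_ip, now):
        """Names of managed objects whose current dynamic match values cover a flow
        between client_ip and service_ip."""
        hits = []
        for mo in self.objects:
            key = (client_ip, service_ip) if mo.dynamic_match_multiuse_enabled else service_ip
            if mo.match_values.get(key, 0.0) > now:
                hits.append(mo.name)
        return hits


def demo(multiuse, now=100.0):
    """Constructed scenario: two OTT services answer from one multiuse IP address."""
    video = ManagedObject("video", {"video.example"}, dynamic_match_multiuse_enabled=multiuse)
    game = ManagedObject("game", {"game.example"}, dynamic_match_multiuse_enabled=multiuse)
    matcher = DynamicDnsMatcher([video, game])
    shared, dedicated = "203.0.113.10", "203.0.113.20"
    client_a, client_b = "198.51.100.1", "198.51.100.2"
    matcher.ingest_dns(client_a, "video.example", shared, ttl=300, now=0.0)
    matcher.ingest_dns(client_b, "game.example", shared, ttl=300, now=0.0)
    matcher.ingest_dns(client_a, "video.example", dedicated, ttl=30, now=0.0)   # expired by now=100
    return {
        "a->shared": matcher.matching_objects(client_a, shared, now),
        "b->shared": matcher.matching_objects(client_b, shared, now),
        "a->dedicated": matcher.matching_objects(client_a, dedicated, now),
    }
```

With `demo(multiuse=False)` client B's traffic to the shared address is matched by both the video and the game managed objects; with `demo(multiuse=True)` only the managed object whose domain that client actually resolved matches, at the cost of one match value per client instead of one per service address, which is why the note above recommends the multiuse method only where domains really share addresses. The expired dedicated address matches nothing in either mode.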

AIF managed objects with dynamic DNS matching


In Sightline 9.3, AIF managed objects in the AIF managed object feed can have dynamic DNS matching
enabled. If so, they also include a list of domains to dynamically match. The Arbor Security Engineering
and Response Team (ASERT) uses ATLAS data and global threat intelligence to configure the domains
for dynamic DNS matching in AIF managed objects. ASERT also preconfigures AIF managed objects to
dynamically match multiuse service IP addresses as required.

Detect AIF threat indicators in customer, profile, and subscriber managed objects
Sightline 9.3 provides licensed access to the AIF threat indicator feed, one of the latest feeds in Arbor’s
ATLAS Intelligence Feed (AIF) suite. Sightline can use the AIF threat indicator feed to detect threats by
reputation or behavior, such as persistent, targeted attacks, cybercrime activity, and mobile malware. The
feed content is continually updated based on the latest threat research from the Arbor Security
Engineering and Response Team (ASERT).
With the AIF threat indicator feed, you can log and report on multiple categories of threats that Sightline
detects in the traffic for customer, profile, and subscriber managed objects. Like other ATLAS intelligence
feeds, Sightline automatically checks the AIF server daily for updates to the AIF threat indicator feed. You
can also download the latest feed data from the AIF server on demand.
In the configuration settings for a customer, profile, or subscriber managed object, you can select one or
more threat indicator categories to detect. For example, you can choose categories such as Email
Threats, Location Based Threats, and Mobile for a customer managed object. Sightline will then detect
malicious activity in the traffic for that managed object such as spam, SMS ad fraud, and ransomware
phishing. The threat detection will focus on geographic locations that ASERT classifies as the most likely
sources of these threats.
Note: To get access to the latest threat indicator policies in the AIF threat indicator feed, contact your
account team to obtain a new flexible license that includes the Sentinel and AIF for Sightline licensed
capabilities. You can start using the AIF threat indicator feed after your new license is uploaded to the
license server. With cloud-based flexible licensing, the new license uploads automatically. With locally
managed flexible licensing, you must upload the new license manually. See “Uploading a Flexible
License” in the Sightline and Threat Mitigation System User Guide.

Log AIF threat indicators detected in customer, profile, and subscriber managed objects
If your deployment has customer, profile, or subscriber managed objects that are configured to detect
threat indicators, you can use the new Configure Threat Indicators page (Administration >
Detection > Threat Indicators) to do the following:
• Configure Sightline to send messages to a remote syslog server automatically when it detects threat
indicators in the traffic for customer, profile, or subscriber managed objects.
• Download threat indicator traffic logs in CSV files. The log files list the total volume of traffic for each
threat indicator policy detected in the traffic for a customer, profile, or subscriber managed object. The
volume for each policy is the 5-minute total for the indicated managed object across all flow collection
devices in your deployment. You can download the threat indicator data logged for any 5-minute
period in the last five days.
For more information, see “Logging Detected Threat Indicators” in the Sightline and Threat Mitigation
System User Guide.

View reports for threat indicators in customer, profile, and subscriber managed objects
New security reports in this release provide traffic graphs and statistics for customer, profile, and
subscriber managed objects that are configured to detect threat indicators from the AIF threat indicator
feed. The reports break out the detection data by host IP addresses, threat indicator categories, and
threat indicator policies.
To view the new threat indicator traffic reports, navigate to the Reports menu and then select the
following:
• The new Security tab for customer managed objects (Customers > Dashboard > Security)
• The new Profile Security page for profile managed objects (Profiles > Security)
• The updated Security tab for subscriber groups (Subscribers > Dashboard > Security)

Each security report page includes the graphs and statistics in the three threat indicator sections below.
The data for these reports are based on the AIF threat indicators that you configure for customer, profile,
or subscriber managed objects. Sightline updates these reports when it detects any configured threat
indicator categories in matching traffic flows.
• Threat Indicator Summary: Shows you how many hosts in matched traffic flows had AIF threat
indicators detected in their traffic. The summary also shows the volume of traffic for hosts with
detected threat indicators.
• Threat Indicator Categories: Shows the volume of AIF threat indicators by category in matched
traffic flows.
• Threat Indicator Policies: Shows the volume of AIF threat indicators by policy in matched traffic
flows.
For more information, see the following topics in the Sightline and Threat Mitigation System User
Guide: "About the Customer Dashboard," "About the Subscriber Dashboard," and "Profile 'name' per
Security Report".

Review the latest threat information updates in the AIF threat indicator feed
The new AIF Threat Indicator Feed tab on the ATLAS page (Reports > ATLAS > Summary) shows you
the last time the feed was updated. It also lists each AIF policy in the feed along with the AIF threat
indicator categories that are associated with that policy.

Enhancements

Traffic-based generation of Payload Regular Expression countermeasure configuration


Sightline now generates configuration options for the Payload Regular Expression countermeasure,
based on the TCP, UDP, and ICMPv4 traffic seen by a TMS device. This allows you to create a
configuration based on the traffic seen during a mitigation.
Sightline analyzes the blocked and passed traffic seen by the TMS for the protection prefixes of the
mitigation. You can use a fingerprint expression (FCAP) filter to narrow the traffic that Sightline analyzes.
Sightline generates a list of traffic patterns from the traffic it analyzes, and you select the traffic patterns
you want the countermeasure to mitigate against. Countermeasure configuration values are generated
from the traffic patterns you select.
You can either add the configuration values from your selected traffic patterns to the countermeasure's
existing configuration, or you can replace the configuration. The following configuration settings may be
updated, depending on the traffic patterns you select:
• TCP Ports
• UDP Ports
• Port Direction
• Other IP Protocols
• Regular Expression
• Apply to Packet Header
If you select multiple traffic patterns that generate values for the same configuration setting, the values
are combined using OR logic. Regular expressions are combined using the pipe (|) operator.
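The following added example (not NETSCOUT code) implements the combination rules just described for a set of selected traffic patterns: set union for the multi-valued settings and '|' alternation for the regular expressions. The setting keys, the pattern dicts and the sample payloads are constructed for this example; the release notes do not describe how the UI resolves two selected patterns that disagree on a single-valued setting such as Port Direction, so this code treats that as an error, which is an assumption. Each regular expression is wrapped in a non-capturing group before joining, so a pattern that contains its own alternation keeps its meaning inside the combined expression.

```python
import re

MULTI_VALUED = ("tcp_ports", "udp_ports", "other_ip_protocols")   # combined with OR (set union)
SINGLE_VALUED = ("port_direction", "apply_to_packet_header")       # must agree across patterns


def merge_traffic_patterns(selected, existing=None, replace=False):
    """Derive a Payload Regular Expression configuration from selected traffic patterns.

    Each pattern is a dict using the hypothetical keys above plus "regular_expression".
    With replace=False the values are added to `existing`; with replace=True the
    existing configuration is discarded. Multi-valued settings are unioned, regular
    expressions are joined with '|', each wrapped in a non-capturing group so a
    pattern that itself contains '|' or anchors keeps its meaning inside the
    alternation. Disagreeing single-valued settings raise ValueError (assumption:
    the release notes do not say how the UI resolves such a conflict).
    """
    cfg = {k: set() for k in MULTI_VALUED}
    cfg.update({k: None for k in SINGLE_VALUED})
    regexes = []
    sources = ([] if existing is None or replace else [existing]) + list(selected)
    for src in sources:
        for k in MULTI_VALUED:
            cfg[k] |= set(src.get(k, ()))
        for k in SINGLE_VALUED:
            if k in src:
                if cfg[k] is not None and cfg[k] != src[k]:
                    raise ValueError(f"conflicting {k}: {cfg[k]!r} vs {src[k]!r}")
                cfg[k] = src[k]
        if src.get("regular_expression"):
            regexes.append(src["regular_expression"])
    cfg["regular_expression"] = "|".join(f"(?:{r})" for r in regexes)
    return cfg


def demo():
    """Constructed traffic patterns of the kind the analysis produces, merged into one
    configuration and compiled as a byte regex; returns (config, per-payload match flags)."""
    patterns = [
        {"udp_ports": {53}, "port_direction": "destination", "apply_to_packet_header": False,
         "regular_expression": r"^\x00\x00\x10\x00"},
        {"udp_ports": {123}, "port_direction": "destination", "apply_to_packet_header": False,
         "regular_expression": r"\x17\x00\x03\x2a"},
        {"tcp_ports": {80, 8080}, "port_direction": "destination", "apply_to_packet_header": False,
         "regular_expression": r"^GET /\?[a-z]{8} HTTP"},
    ]
    cfg = merge_traffic_patterns(patterns, replace=True)
    compiled = re.compile(cfg["regular_expression"].encode())     # payload matching is byte-oriented
    payloads = [b"\x00\x00\x10\x00\x00\x01", b"GET /?abcdefgh HTTP/1.1\r\n", b"hello"]
    return cfg, [compiled.search(p) is not None for p in payloads]


def conflict_detected():
    """Two patterns that disagree on Port Direction cannot be merged silently."""
    try:
        merge_traffic_patterns([{"port_direction": "source"},
                                {"port_direction": "destination"}], replace=True)
    except ValueError:
        return True
    return False
```

A practical check before applying a merged configuration: the union of ports is broader than any single selected pattern, so a regular expression that was narrow on UDP/53 traffic is now also evaluated on UDP/123 and the selected TCP ports; review the combined expression against passed traffic, not only against the blocked traffic the patterns came from.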

See “Configuring the Payload Regular Expression Countermeasure” in the Sightline and Threat Mitigation
System User Guide for additional information.

Using the egress interface IP address for Cloud Signaling heartbeats


You can now choose which IP address Sightline uses to send heartbeats to Cloud Signaling client
appliances. This setting is available on the new Cloud Signaling tab on the Configure Network Services
page. When you select the Use egress interface IP address as source IP address check box, Sightline
uses the IP address of the interface from which packets leave the device as the source IP address for
heartbeats from Sightline that are sent to AED or APS appliances. This is the default setting. When you
clear the check box, the configured IP address of the device is used as the source IP address.
This new setting results in a change in behavior from Sightline 9.2. See IP address used for Cloud
Signaling heartbeats was changed from Sightline 9.2 on page 18.

New alerts search keyword


You can now use the tag and tags search keywords to search for alerts on all of the alerts listing pages.
The new keywords match alerts associated with Sightline objects that you have defined tags for, such as
managed objects, devices, network interfaces, and routers. You can search for alerts based on the
specific values you have given the tags.
See “About the Alert Listing Pages” in the Sightline and Threat Mitigation System User Guide for
additional information on viewing alerts.

Redesigned Explore Traffic page


The Explore Traffic page (Explore > Traffic) was redesigned to take advantage of new technologies and
provide a more responsive experience. Some of these enhancements are described below.
• You can change the graph type, traffic direction for bar and pie graphs, and table check box
selections instantly. Previously, these changes were not reflected in your web browser until you
clicked Update and waited for your web browser to receive traffic data from Sightline.
• You can view traffic details by hovering your mouse pointer over the graph. Move the mouse to the
left or right to view details for the next set of binned traffic. Bin sizes are 5, 30, or 120 minutes, or 24
hours, depending on the length of the time period and the age of the traffic data.
• When you resize your browser window, the control bar, graph, and table resize automatically to fill the
window.
• Graph text is easier to read.
• You can download traffic query results as a JSON-formatted file.
• The Current calculation method was renamed to Last.
Some functionality of the legacy Explore Traffic page, such as some filter 1 and filter 2 combinations, has
not yet been implemented in the redesigned page. Additionally, due to fundamental changes in the
underlying design of the page, the following elements were removed.
• The formats Excel-XML and XML were removed from the Download as… menu.
• The Bytes and Packets options were removed from the Units selector. To view the total number of
bits, bytes, or packets, select bps, Bps, or pps, respectively, click Update, and then select Total in
the Calculation selector.
Note: If a scoped user attempts to view the Explore Traffic page, Sightline redirects the user to the legacy
version of the page.

Viewing the legacy version of the Explore Traffic page


You can view the legacy version of the Explore Traffic page by changing the id parameter of the page
URL in your web browser's address bar from query_traffic to explore_traffic, as shown below.
New Explore Traffic page (Explore > Traffic): https://example.com/page?id=query_traffic
Legacy Explore Traffic page: https://example.com/page?id=explore_traffic

Relationships graph type on the Explore Traffic page


You can use the new Relationships graph type on the redesigned Explore Traffic page (Explore >
Traffic) to visualize the volume of traffic moving between two filters. Sightline displays the traffic in a
Sankey diagram, similar to the Relationships tab that is available on the Insight page.

Insight: Traffic fidelity selector


The Fidelity selector was added to the control bar on the Insight page (Explore > Insight). It allows you
to select the fidelity of the traffic data displayed on the Insight page. The following settings are available:
• High (Standard): Insight runs a query on 100% of all traffic data for the time period, and returns all
traffic data that matches the settings in the control bar. High-fidelity queries take more time to return
than lower-fidelity queries. This is the default setting.
• Moderate (Faster): Insight runs a query on 10% of all traffic data for the time period, and scales the
traffic that matches the settings in the control bar to account for sampling. Moderate-fidelity queries
take less time to return than high-fidelity queries.
• Low (Fastest): Insight runs a query on 1% of all traffic data for the time period, and scales the traffic
that matches the settings in the control bar to account for sampling. Low-fidelity queries take
significantly less time to return than higher-fidelity queries.
Note: When viewing older traffic data that was logged by Insight 8 or earlier, only High (Standard) is
available.

Changes in Behavior

Matching packet header data with regular expressions


In certain situations, you cannot compare regular expressions against traffic samples if the regular
expression matches packet headers. In order to prevent misleading results in these situations, changes
have been made for the following:
• Payload Regular Expression countermeasure: The Test Regular Expression button is now disabled
when Apply to Packet Header is selected.
• Explore Packets (Explore > Packets) window: A warning message now advises you against using a
regular expression as a filter if it matches data in the packet header.
• Sample Packets (Mitigation > Threat Management > TMS mitigation link) window: A
warning message now advises you against using a regular expression as a filter if it matches data in
the packet header.

Updated configuration management system


Sightline 9.3 introduces a new configuration management system. As a result, the following changes were
made to the Configuration History/Rollback page (Administration > System Maintenance > Config
Version > History):
• The Version column was removed.
• version is no longer an acceptable search word.
• By default, the UI does not show any configurations that were committed in 9.2.x or lower, except for
the last configuration committed before you upgraded to 9.3. This last committed configuration
becomes the first configuration in 9.3 after you upgrade. If you want the UI to show other configurations
committed in 9.2.x and lower, contact ATAC for assistance (https://support.arbornetworks.com).
In the Sightline CLI, the following changes were made to the / config command:
• In the / config history output, each configuration committed in 9.3 and higher has a unique
commit ID.
• A new / config rcs command was added to provide access to configurations that were
committed in Sightline 9.2.x and lower.
• Without the rcs keyword, the / config command does not provide access to any configurations
that were committed in 9.2.x or lower, except for the last configuration committed before you
upgraded to 9.3. If you want to use / config without rcs to access other configurations committed
in 9.2.x and lower, contact ATAC for assistance (https://support.arbornetworks.com).

Changes to the subscriber configuration pages


Sightline 9.3 can detect categories of AIF threat indicators in the traffic for customer, profile, and
subscriber managed objects. See Detect AIF threat indicators in customer, profile, and subscriber
managed objects on page 9.
To support AIF threat indicator detection and logging, the subscriber configuration pages
(Administration > Monitoring > Subscribers) were changed as follows:
• The Subscriber Settings Administration page (Administration > Monitoring > Subscribers) is now
the Configure Subscribers page.
• The Settings and Logs tabs on the Subscriber Settings Administration page are now on the
Configure Threat Indicators page (Administration > Detection > Threat Indicators). These tabs
now apply to customer and profile managed objects as well as subscribers. See “Logging Detected
Threat Indicators” in the Sightline and Threat Mitigation System User Guide.
• The Malicious Fingerprints tab on the Add/Edit Subscriber page is now the Threat Indicators tab.
You can continue to use this tab to configure the fingerprints to detect for the subscriber managed
object. As of this release, you can also use this tab to configure threat indicator categories for the
subscriber managed object.

Changes to the AIF tab on the ATLAS reports summary page


On the ATLAS page (Reports > ATLAS > Summary), the AIF tab that lists the AIF policies and
fingerprints in the AIF standard feed is now the AIF Standard Feed tab. The following changes also
appear on this tab in release 9.3:
• The date and time of the last feed update now appears at the top with the label Last Updated.
• The left ID column of AIF policy ID’s is now labeled Policy ID.
• The right Group column of AIF fingerprints is now labeled Fingerprints.
Changes were also made to the policy details window that opens when you click on a policy ID link in the
left column:
• The Summary row is now labeled Description, and it contains the policy description that was
previously in the Description row above the FCAP signature.
• The Policy Group row that shows the names of the AIF fingerprints associated with the selected
policy is now labeled Fingerprints.

Download XML button removed from certain wizard reports


The XML button that allows users to download an XML version of a wizard report is no longer available
for wizard reports that contain the Mitigations widget. This change was made in response to bug 89727
on page 32.

Longer time out for the REST API


The REST API times out after 900 ms. It previously timed out after 300 ms. This change was made in
response to bug 90320 on page 31.

Syslog messages for alert stop events contain impact rates


When an alert stops, Sightline now includes the alert’s impact rates in the syslog message associated
with the alert stop. This change was made in response to bug 89626 on page 32.

Viewing older city and region information requires a different URL


Sightline 9.3 stores some location-related information differently than previous versions. As a result, you
must use a different URL to view city and region reports for traffic data that was captured before you
upgraded to Sightline 9.3. When you use the Sightline UI to view reports based on city and region,
Sightline displays information captured after you upgraded to Sightline 9.3.
A similar change was made to Sightline 9.0.
For deployments that used Sightline 9.0 to Sightline 9.2
To view reports for city and region for traffic that was captured by Sightline 9.0 to 9.2, append
_legacy_v2 to the URL.
UI page                                              URL for viewing Sightline 9.0 to 9.2 location data
Explore > Traffic > Type: city                       https://example.com/page?id=query_traffic_legacy_v2
Explore > Traffic > Type: region                     https://example.com/page?id=query_traffic_legacy_v2
Reports > Applications > Cities                      https://example.com/page?id=application_city_legacy_v2
Reports > Applications > Dashboards                  https://example.com/page?id=application_dashboard_legacy_v2
Reports > Applications > Regions                     https://example.com/page?id=application_region_legacy_v2
Reports > Customers > Cities                         https://example.com/page?id=customer_cities_legacy_v2
Reports > Customers > Dashboard                      https://example.com/page?id=customer_dashboard_legacy_v2
Reports > Customers > Regions                        https://example.com/page?id=customer_regions_legacy_v2
Reports > Fingerprints > Cities                      https://example.com/page?id=fingerprint_city_legacy_v2
Reports > Fingerprints > Regions                     https://example.com/page?id=fingerprint_region_legacy_v2
Reports > Network > Cities                           https://example.com/page?id=network_cities_legacy_v2
Reports > Network > Regions                          https://example.com/page?id=network_regions_legacy_v2
Reports > Peers > Cities                             https://example.com/page?id=peer_cities_legacy_v2
Reports > Peers > Regions                            https://example.com/page?id=peer_regions_legacy_v2
Reports > Profiles > Cities                          https://example.com/page?id=profile_cities_legacy_v2
Reports > Profiles > Regions                         https://example.com/page?id=profile_regions_legacy_v2
Reports > Services > Cities                          https://example.com/page?id=service_cities_legacy_v2
Reports > Services > Regions                         https://example.com/page?id=service_regions_legacy_v2
Reports > Subscribers                                https://example.com/page?id=subscriber_dashboard_legacy_v2
Reports > Subscribers > More Reports tab > Cities    https://example.com/page?id=subscriber_city_legacy_v2

For deployments that used SP 8.4 and lower


To view reports for city and region for traffic that was captured by SP 8.4 or lower, append _legacy to
the URL.
UI page                                              URL for viewing SP 8.4 or lower location data
Explore > Traffic > Type: city                       https://example.com/page?id=query_traffic_legacy
Explore > Traffic > Type: region                     https://example.com/page?id=query_traffic_legacy
Reports > Applications > Cities                      https://example.com/page?id=application_city_legacy
Reports > Applications > Dashboards                  https://example.com/page?id=application_dashboard_legacy
Reports > Applications > Regions                     https://example.com/page?id=application_region_legacy
Reports > Customers > Cities                         https://example.com/page?id=customer_cities_legacy
Reports > Customers > Dashboard                      https://example.com/page?id=customer_dashboard_legacy
Reports > Customers > Regions                        https://example.com/page?id=customer_regions_legacy
Reports > Fingerprints > Cities                      https://example.com/page?id=fingerprint_city_legacy
Reports > Fingerprints > Regions                     https://example.com/page?id=fingerprint_region_legacy
Reports > Network > Cities                           https://example.com/page?id=network_cities_legacy
Reports > Network > Regions                          https://example.com/page?id=network_regions_legacy
Reports > Peers > Cities                             https://example.com/page?id=peer_cities_legacy
Reports > Peers > Regions                            https://example.com/page?id=peer_regions_legacy
Reports > Profiles > Cities                          https://example.com/page?id=profile_cities_legacy
Reports > Profiles > Regions                         https://example.com/page?id=profile_regions_legacy
Reports > Services > Cities                          https://example.com/page?id=service_cities_legacy
Reports > Services > Regions                         https://example.com/page?id=service_regions_legacy
Reports > Subscribers                                https://example.com/page?id=subscriber_dashboard_legacy
Reports > Subscribers > More Reports tab > Cities    https://example.com/page?id=subscriber_city_legacy

HTTP proxy settings check box was renamed


The Use configured IP address of egress interface as source check box on the ATLAS Intelligence
Feeds tab of the Configure ATLAS Services page and on the HTTP Proxy tab of the Configure Network
Services page was renamed. It is now the Use egress interface IP address as source IP address
check box. The function of this check box is unchanged.

IP address used for Cloud Signaling heartbeats was changed from Sightline 9.2
By default, Sightline 9.3 uses the IP address of the interface from which packets leave the Sightline
device as the source IP address for heartbeats from Sightline that are sent to AED or APS appliances.
This behavior differs from Sightline 9.2, which used the configured IP address of the Sightline device
as the source IP address. (The behavior in Sightline 9.3 is the same as that of Sightline 9.1 and
lower.)
To configure Sightline 9.3 to use the configured IP address as the source of heartbeats, as it did in
Sightline 9.2:
1. Navigate to the Configure Network Services page (Administration > System Maintenance >
Network Services).
2. Click the Cloud Signaling tab.
3. Clear the Use egress interface IP address as source IP address check box.
4. Click Save.
This change in behavior is the result of the enhancement described in Using the egress interface IP
address for Cloud Signaling heartbeats on page 11.

Time period selector was renamed


The Period selector on the Explore Traffic page, on the Summary tab on alerts pages, and on report
pages was renamed. It is now the Time selector. Similarly, the Time Period selector on the Insight page
is now the Time selector. The function of this selector is unchanged.

DDoS menu option was renamed


In the Administration > Detection menu, the DDoS menu option was renamed Global Detection
Settings. Select this option to open the Configure Global Detection Settings page.

Documentation reorganization
The content of the Advanced Configuration Guide was merged with the User Guide. No content was
removed. You can find content that was formerly included in the Advanced Configuration Guide in the
relevant chapters of the User Guide.

Information about the REST API in Sightline

REST API enhancements


The Sightline REST API version was not incremented in Sightline 9.3. The latest version is version 7.

Legacy REST API versions


The following legacy versions of the REST API are scheduled for removal in the next Sightline release:
• V.1
• V.2
• V.3
For information about the deprecation policy, see the Sightline REST API documentation (Administration
> REST API Documentation).

New endpoints in the REST API


The following endpoints were added to the Sightline REST API:
New endpoint                                                  Supported methods
/bgp_peering_sessions/                                        GET
/insight/data_sources/                                        GET
/managed_objects/<managed_object_id>/dynamic_match_values     GET, PATCH
/packet_capture_analyses/                                     GET, POST
/traffic_queries/                                             GET, POST
/traffic_queries_facets/                                      GET
/traffic_queries_facet_values/                                GET
/traffic_query_facet_values/application_tags/                 GET
/traffic_query_facet_values/applications/                     GET
/traffic_query_facet_values/countries/                        GET
/traffic_query_facet_values/customer_tags/                    GET
/traffic_query_facet_values/fingerprints/                     GET
/traffic_query_facet_values/interface_tags/                   GET
/traffic_query_facet_values/interfaces/                       GET
/traffic_query_facet_values/managed_objects/                  GET
/traffic_query_facet_values/peer_tags/                        GET
/traffic_query_facet_values/profile_tags/                     GET
/traffic_query_facet_values/router_tags/                      GET
/traffic_query_facet_values/routers/                          GET
/traffic_query_facet_values/service_tags/                     GET
/traffic_query_facet_values/tms/                              GET
/traffic_query_facet_values/vpnsite_tags/                     GET
/traffic_query_facet_values/vpn_tags/                         GET

Updated endpoints in the REST API


The following endpoints were updated in the Sightline REST API:

/devices/
• Added the tms_ports relationship. This is a relationship to the TMS ports on the device. You can
use the GET method with the tms_ports relationship. tms_ports is a relationship to the
/tms_ports/ endpoint.
• Added the bgp_peering_sessions relationship. This is a relationship to a BGP peering session on
the device. You can use the GET, PATCH, and POST methods with the bgp_peering_sessions
relationship. bgp_peering_sessions is a relationship to the /bgp_peering_sessions/
endpoint.

/fingerprints/
• You can now use the following query parameters in GET requests for this endpoint:
▪ filter: Allows you to request data with specific attributes or relationships. This endpoint uses
the Sightline filtering syntax.
▪ perPage: Allows you to specify the maximum number of results that are returned in the
response.
▪ page: Allows you to specify which set (page) of results is returned.
▪ sort: Allows you to request data sorted by attribute, relationship, or ID.

/insight/
• Insight can now provide multiple data sources that you can use for Insight traffic data queries. You
can use the /insight/data_sources endpoint to get a list of the data sources available on your
cluster.
A typical Insight cluster provides the following data sources.
▪ annotated_flow: This is a full-fidelity data set. When you choose this data source, Insight runs
a query on 100% of all traffic data for the time period. These queries take more time to return
than lower-fidelity queries. If you specify no data source, Insight uses this data source for the
query.
▪ annotated_flow_s10: This is a sampled data set. When you choose this data source, Insight
runs a query on 10% of all traffic data for the time period, and scales the traffic volume that it
returns to account for sampling. These queries take less time to return than full-fidelity queries.
Note: This data source is not available on small Insight clusters.
▪ annotated_flow_s100: This is a sampled data set. When you choose this data source, Insight
runs a query on 1% of all traffic data for the time period, and scales the traffic volume that it
returns to account for sampling. These queries take significantly less time to return than full-
fidelity queries.
This is the REST API equivalent of the Fidelity selector that was added to the Insight page. See
Insight: Traffic fidelity selector on page 13.
You can select the data source that is used when querying the following sub-endpoints:
▪ rawflows
▪ timeseries
▪ topn_timeseries
▪ topn
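The following added example (not Insight or Sightline code) models the three data sources as 1:1, 1:10 and 1:100 sampling of a constructed flow set and scales the sampled totals as described above; the same trade-off applies to the Fidelity selector on the Insight page. It shows what scaling restores (aggregate volume) and what it cannot (a source that occurs in only a few records). The flow records, the systematic every-Nth-record sampling and the source of interest 203.0.113.9 are constructed assumptions.

```python
"""Full-fidelity versus sampled Insight data sources.

Added example, not Insight or Sightline code. It models annotated_flow,
annotated_flow_s10 and annotated_flow_s100 as 1:1, 1:10 and 1:100 sampling of a
constructed flow set, scales the sampled volume as the notes describe, and shows
what the scaling recovers (aggregate volume) and what it cannot (sources that
appear in few records).
"""

# Data source name -> sampling divisor N (1 record in N is kept).
DATA_SOURCES = {
    "annotated_flow": 1,
    "annotated_flow_s10": 10,
    "annotated_flow_s100": 100,
}


def make_flows():
    """Constructed flow records (source_ip, bytes); not captured traffic."""
    flows = [(f"10.0.{i // 256}.{i % 256}", 1500) for i in range(1000)]
    # One small flow from an outside source, the kind a responder may be looking for.
    flows[5] = ("203.0.113.9", 40)
    return flows


def sample(flows, divisor):
    """Keep every Nth record. Real flow sampling is random; systematic selection
    is used here (an assumption) so the numbers are reproducible."""
    return [f for i, f in enumerate(flows) if i % divisor == 0]


def query(flows, data_source):
    """Run a 'total bytes and distinct sources' query against one data source."""
    n = DATA_SOURCES[data_source]
    kept = sample(flows, n)
    return {
        "records_scanned": len(kept),
        # Scaling by N is what makes sampled totals comparable with full fidelity.
        "total_bytes": sum(b for _, b in kept) * n,
        "sources": {s for s, _ in kept},
    }


def fidelity_report(flows, source_of_interest):
    """Compare every data source with full fidelity for the same flow set."""
    full = query(flows, "annotated_flow")
    report = {}
    for name in DATA_SOURCES:
        r = query(flows, name)
        report[name] = {
            "records_scanned": r["records_scanned"],
            "total_bytes": r["total_bytes"],
            "volume_error": abs(r["total_bytes"] - full["total_bytes"]) / full["total_bytes"],
            "distinct_sources": len(r["sources"]),
            "sees_source_of_interest": source_of_interest in r["sources"],
        }
    return report


if __name__ == "__main__":
    for name, row in fidelity_report(make_flows(), "203.0.113.9").items():
        print(name, row)
```

Run it directly to print the comparison. The practical point: the scaled totals from the 10% and 1% data sources land within a fraction of a percent of full fidelity, so they are a good first pass for volume trends, but the single low-volume source is absent from both sampled sets, so source-level findings should be confirmed against annotated_flow (High (Standard) in the UI).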

/managed_objects/
• Added the sub-endpoint:
▪ /<managed_object_ID>/dynamic_match_values: Associates the specified managed
object with the list of domains for dynamic DNS matching that are configured in the domains
array attribute. See Dynamic DNS matching for managed objects on page 7.
▪ You can optionally use JSON Patch documents in PATCH requests to this endpoint. This allows
you to add, remove, or replace individual domains in the domains array attribute without
replacing the entire array. For more information, see the documentation for this endpoint.
• Added the following attributes:
▪ dynamic_match_enabled: (boolean) Enables or disables dynamic DNS matching for a
managed object. If true, Sightline can use the managed object to monitor traffic for domains that
have frequently changing service IP addresses. See Dynamic DNS matching for managed
objects on page 7.
▪ dynamic_match_multiuse_enabled: (boolean) Enables or disables multiuse dynamic DNS
matching. If true while dynamic_match_enabled is true, Sightline performs dynamic DNS
matching even if some service IP addresses to match are used by different domains in a single
managed object or across managed objects. If false while dynamic_match_enabled is true,
Sightline performs single-use dynamic matching. See Dynamic DNS matching for multiuse
service IP addresses on page 8.
▪ domains: (array(string)) attribute in the /dynamic_match_values/<managed_object_id>
resource that specifies the domains for the service IP addresses to dynamically match in the
specified managed object. See About configuring managed objects for dynamic DNS matching on
page 8.
▪ detection_exclusions_destination: (array(string)) CIDR blocks. Sightline does not
create host alerts for the managed object for traffic to these CIDR blocks.
▪ detection_exclusions_source: (array(string)) CIDR blocks. Sightline does not create host
alerts for the managed object for traffic from these CIDR blocks.
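As an added example (not Sightline's own code), the following Python builds the JSON Patch operations that add, remove and replace individual entries in the domains array and applies them to a local copy of the resource so the effect can be checked before the request is sent. The resource is modelled as a plain object with a domains list; the application/json-patch+json media type and the "-" append token come from RFC 6902; the managed object ID 123 is a placeholder, and authentication headers and any envelope Sightline expects around the body are not covered by the notes and are omitted.

```python
"""Editing the domains array of /managed_objects/<managed_object_id>/dynamic_match_values
with JSON Patch (RFC 6902) instead of replacing the whole array.

Added example, not Sightline code. The resource is modelled as a plain JSON
object with a "domains" list; apply_patch is a small RFC 6902 interpreter used
to show what each operation does to that list before it is sent. Authentication
and any request envelope are assumptions not covered here.
"""
import copy
import json

ENDPOINT = "/managed_objects/{managed_object_id}/dynamic_match_values"


def _parent_and_key(doc, path):
    """Resolve a JSON Pointer to its parent container and final token."""
    if not path.startswith("/"):
        raise ValueError(f"bad JSON Pointer: {path!r}")
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in path.split("/")[1:]]
    node = doc
    for t in tokens[:-1]:
        node = node[int(t)] if isinstance(node, list) else node[t]
    return node, tokens[-1]


def apply_patch(doc, patch):
    """Apply add / remove / replace / test operations; returns a new document."""
    doc = copy.deepcopy(doc)
    for op in patch:
        parent, key = _parent_and_key(doc, op["path"])
        kind = op["op"]
        if isinstance(parent, list):
            if kind == "add":
                if key == "-":
                    parent.append(op["value"])
                else:
                    parent.insert(int(key), op["value"])
            elif kind == "remove":
                del parent[int(key)]
            elif kind == "replace":
                parent[int(key)] = op["value"]
            elif kind == "test":
                if parent[int(key)] != op["value"]:
                    raise ValueError(f"test failed at {op['path']}")
            else:
                raise ValueError(f"unsupported op {kind!r}")
        else:
            if kind in ("add", "replace"):
                if kind == "replace" and key not in parent:
                    raise KeyError(key)
                parent[key] = op["value"]
            elif kind == "remove":
                del parent[key]
            elif kind == "test":
                if parent.get(key) != op["value"]:
                    raise ValueError(f"test failed at {op['path']}")
            else:
                raise ValueError(f"unsupported op {kind!r}")
    return doc


def add_domain(domain):
    """Append one domain; "-" addresses the end of the array in RFC 6902."""
    return [{"op": "add", "path": "/domains/-", "value": domain}]


def remove_domain(current, domain):
    """Remove one domain by index, guarded by a test op so the request fails
    instead of deleting a different entry if the array changed in the meantime."""
    idx = current["domains"].index(domain)
    return [
        {"op": "test", "path": f"/domains/{idx}", "value": domain},
        {"op": "remove", "path": f"/domains/{idx}"},
    ]


def replace_domain(current, old, new):
    """Replace one domain in place, with the same test-op guard."""
    idx = current["domains"].index(old)
    return [
        {"op": "test", "path": f"/domains/{idx}", "value": old},
        {"op": "replace", "path": f"/domains/{idx}", "value": new},
    ]


def build_request(managed_object_id, patch):
    """Method, path, header and body of the PATCH request (the body is the patch)."""
    return {
        "method": "PATCH",
        "path": ENDPOINT.format(managed_object_id=managed_object_id),
        "headers": {"Content-Type": "application/json-patch+json"},
        "body": json.dumps(patch),
    }
```

The test-before-remove pairing matters because JSON Patch addresses array entries by position: if another operator has edited the list since it was read, a bare remove at a stale index silently drops the wrong domain, whereas the test op makes the whole patch fail so it can be re-read and retried.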

/tms_filter_lists/
• Added the following attributes:
▪ atlas_feed_id: (string) Read only. The unique identifier for an AIF filter list. If
atlas_feed_id is set, the filter list is an AIF filter list. Sightline downloads AIF filter lists in the
AIF filter lists feed (one of the licensed ATLAS Intelligence Feeds).

/tms_ports/ and /tms_ports/<id>


• Added the following attributes:
▪ description: (string) The description of the TMS port.
▪ capabilities: (object) An object describing the actions performed on the TMS port.
capabilities has the following sub-attributes:
• dns: (boolean) If true, the TMS device gathers DNS usage statistics by inspecting the
packets flowing through this port.
Important: Contact ATAC before using this feature, as additional configuration is required.
• flow: (boolean) If true, the TMS device generates ArborFlow data from the incoming traffic
on the port.
Important: Contact ATAC before using this feature, as additional configuration is required.
• http: (boolean) If true, the TMS device gathers HTTP usage statistics (for example, MIME
types, HTTP URLs) by inspecting the packets flowing through this port.

• mitigate: (boolean) If true, the TMS device mitigates the traffic on this port. mitigate is
false if nxdomain is true.
• nxdomain: (boolean) If true, the TMS device uses this port to listen to DNS NXDomain
responses. This prevents the port from forwarding and mitigating traffic, but allows the TMS
device to use the DNS NXDomain Rate Limiting Countermeasure. nxdomain is false if
mitigate is true.
• voip: (boolean) If true, the TMS device gathers VoIP usage statistics (for example, top
callers, callees, and conversations) by inspecting the packets flowing through this interface.
▪ ipv4_address: The IPv4 address of the TMS port. This attribute is required for ports on TMS
devices configured in diversion mode, but is optional for ports on TMS devices configured in inline
mode. ipv4_address includes a netmask if the TMS device is configured in diversion mode
with layer 3 forwarding.
▪ ipv6_address: The IPv6 address of the TMS port. This attribute is required for ports on TMS
devices configured in diversion mode, but is optional for ports on TMS devices configured in inline
mode. ipv6_address includes a netmask if the TMS device is configured in diversion mode
with layer 3 forwarding.
▪ ipv4_nexthop: (string) The IPv4 address of the nexthop for the TMS port. This attribute is
returned only when the TMS device is configured in diversion mode with patch panel forwarding.
▪ ipv6_nexthop: (string) The IPv6 address of the nexthop for the TMS port. This attribute is
returned only when the TMS device is configured in diversion mode with patch panel forwarding.
▪ mpls_label_enabled: (boolean) If true, the TMS port can process and pop MPLS labels, and
then mitigate IPv6 traffic routed using 6PE.
▪ mtu: (integer) The maximum transmission unit of the TMS port. mtu is not returned for a physical
port that is a parent of a subinterface or a physical port that is part of a logical port. mtu must be
in the range of 28-1544.
▪ snmp_id: (integer) The SNMP ID of the TMS port. This is assigned by Sightline.
▪ lacp_mode_passive: (boolean) If true, LACP mode is passive. This attribute is returned only
for TMS ports with port_type set to logical.
Note: For Cisco ASR 9000 vDDoS Protection devices, lacp_mode_passive is automatically
set to true.
▪ vlan_id: (integer) The VLAN ID of the TMS port. vlan_id is returned only for TMS ports with
port_type set to subinterface.
▪ speed_mbps: (integer) The speed of the TMS port in megabits per second.
Note: For Software TMS devices, speed_mbps is null.
▪ usable: (boolean) If true, the port is available for use to forward or mitigate traffic. usable is
false for the following port configurations:
• ports with a port_type of physical that belong to a logical port
• ports with a port_type of physical that have subinterfaces
• ports with a port_type of logical that have subinterfaces
• Added the following relationships:
▪ output_port: A relationship to the TMS port that traffic is forwarded out through.
output_port is a relationship to the /tms_ports/ endpoint.
▪ logical_port: A relationship to the TMS logical port(s) a physical port is part of.
logical_port is a relationship to the /tms_ports/ endpoint.
▪ member_port: A relationship to the TMS physical ports that comprise a logical port.
member_port is a relationship to the /tms_ports/ endpoint.

▪ subinterfaces: A relationship to TMS ports used as subinterfaces for logical and physical
ports. subinterfaces is a relationship to the /tms_ports/ endpoint.
▪ parent_port: A relationship to the TMS port that is the parent port of this subinterface.
parent_port is a relationship to the /tms_ports/ endpoint.
/tms_ports/<id>
• Added the ability to POST the endpoint.
You cannot POST a TMS port with a port_type of physical.
For the Cisco ASR9000 vDDoS Protection device, the following guidelines apply:
▪ you should only POST a port with port_type of subinterface
▪ all capabilities sub-attributes must be set to false
• Added the ability to PATCH the endpoint.
The following attributes cannot be PATCHed:
▪ port_type
▪ name
▪ snmp_id
▪ speed_mbps
▪ usable
▪ vlan_id
Relationships cannot be patched.
For the Cisco ASR9000 vDDoS Protection device, you cannot PATCH and set any of the
capabilities sub-attributes to true.
• Added the ability to DELETE the endpoint.
You cannot DELETE a TMS port with a port_type of physical.
When you DELETE a TMS port with a port_type of logical, the following actions occur:
▪ the subinterfaces on the logical port are deleted
▪ the logical_port relationship is cleared on all physical ports that were part of the logical port
▪ the output_port relationship is cleared on all ports that had that logical port as an output port
When you DELETE a TMS port with a port_type of subinterface, the output_port
relationship is cleared on all ports that had that subinterface as an output port.
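The following added example (not Sightline code) turns the POST, PATCH and DELETE rules above into client-side checks that can be run before a request is sent, and simulates the DELETE cascades on a small constructed inventory. Ports are modelled as dicts with an attributes dict and a relationships dict of port IDs (an assumed simplification of the attribute and relationship structure the endpoint documentation describes); the port names p1, p2, lag1, lag1.10, p3 and p4 are constructed. Removing a deleted subinterface from its parent's subinterfaces list is not stated in the notes and is an assumption made to keep the model consistent.

```python
"""Client-side checks for POST, PATCH and DELETE on /tms_ports/, following the
constraints listed in the release notes.

Added example, not Sightline code. A port is a dict with an "attributes" dict
and a "relationships" dict of port IDs (an assumed simplification of the real
payload); the inventory is a dict of port ID -> port.
"""
import copy

IMMUTABLE_ATTRS = {"port_type", "name", "snmp_id", "speed_mbps", "usable", "vlan_id"}
CAPABILITIES = {"dns", "flow", "http", "mitigate", "nxdomain", "voip"}


def _check_caps_and_mtu(attrs, asr9000):
    """Rules that apply to both new ports and PATCHed attributes."""
    problems = []
    caps = attrs.get("capabilities", {})
    for name in sorted(set(caps) - CAPABILITIES):
        problems.append(f"unknown capability {name}")
    if caps.get("mitigate") and caps.get("nxdomain"):
        problems.append("mitigate and nxdomain cannot both be true")
    if asr9000 and any(caps.get(c) for c in CAPABILITIES):
        problems.append("ASR 9000 vDDoS: all capabilities must be false")
    mtu = attrs.get("mtu")
    if mtu is not None and not 28 <= mtu <= 1544:
        problems.append(f"mtu {mtu} is outside 28-1544")
    return problems


def check_post(port, asr9000=False):
    """Problems that would make a POST of this port invalid (empty list = OK)."""
    attrs = port["attributes"]
    ptype = attrs.get("port_type")
    problems = []
    if ptype == "physical":
        problems.append("physical ports cannot be created with POST")
    if asr9000 and ptype != "subinterface":
        problems.append("ASR 9000 vDDoS: only subinterface ports may be POSTed")
    if "vlan_id" in attrs and ptype != "subinterface":
        problems.append("vlan_id applies only to subinterface ports")
    if "lacp_mode_passive" in attrs and ptype != "logical":
        problems.append("lacp_mode_passive applies only to logical ports")
    return problems + _check_caps_and_mtu(attrs, asr9000)


def check_patch(attr_changes, relationship_changes=None, asr9000=False):
    """Problems with a PATCH body: immutable attributes, relationships, capabilities."""
    problems = [f"{a} cannot be PATCHed" for a in sorted(IMMUTABLE_ATTRS & set(attr_changes))]
    if relationship_changes:
        problems.append("relationships cannot be PATCHed")
    return problems + _check_caps_and_mtu(attr_changes, asr9000)


def expected_usable(port):
    """The usable value Sightline reports for a port, from the rules in the notes."""
    ptype = port["attributes"]["port_type"]
    rels = port.get("relationships", {})
    if ptype == "physical" and (rels.get("logical_port") or rels.get("subinterfaces")):
        return False
    if ptype == "logical" and rels.get("subinterfaces"):
        return False
    return True


def delete_port(inventory, port_id):
    """Return a copy of the inventory with the documented DELETE cascades applied."""
    inv = copy.deepcopy(inventory)
    port = inv[port_id]
    ptype = port["attributes"]["port_type"]
    if ptype == "physical":
        raise ValueError("physical ports cannot be deleted")
    if ptype == "logical":
        # Subinterfaces on the logical port are deleted; each removal clears
        # output_port references to that subinterface (the subinterface rule).
        for sub in list(port["relationships"].get("subinterfaces", [])):
            inv = delete_port(inv, sub)
        for other in inv.values():
            rels = other["relationships"]
            if port_id in rels.get("logical_port", []):
                rels["logical_port"] = [x for x in rels["logical_port"] if x != port_id]
    if ptype == "subinterface":
        # Assumption, not in the notes: drop the subinterface from its parent's list.
        parent = inv.get(port["relationships"].get("parent_port"))
        if parent:
            subs = parent["relationships"].get("subinterfaces", [])
            parent["relationships"]["subinterfaces"] = [x for x in subs if x != port_id]
    for other in inv.values():
        if other["relationships"].get("output_port") == port_id:
            other["relationships"]["output_port"] = None
    del inv[port_id]
    return inv


def sample_inventory():
    """Constructed inventory (not device data): a logical port of two physical
    ports with one subinterface, plus two ports that forward into them."""
    def port(ptype, **rels):
        return {"attributes": {"port_type": ptype}, "relationships": rels}
    return {
        "p1": port("physical", logical_port=["lag1"]),
        "p2": port("physical", logical_port=["lag1"]),
        "lag1": port("logical", member_port=["p1", "p2"], subinterfaces=["lag1.10"]),
        "lag1.10": port("subinterface", parent_port="lag1", output_port="p3"),
        "p3": port("physical", output_port="lag1.10"),
        "p4": port("physical", output_port="lag1"),
    }
```

Running delete_port on lag1 in the sample inventory shows why the cascade deserves a pre-check: one DELETE removes lag1.10 as well, and clears the forwarding path of p3 and p4, which is the kind of side effect to confirm in a change window before issuing the request.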

Upgrade Information for Insight

Using Insight in a Sightline deployment


If you use Insight and you upgrade to Sightline 9.3, observe the following requirements:
• You must upgrade all Sightline devices to Sightline 9.3.
• You must upgrade all Insight nodes to the same version of Insight. Contact the Arbor Technical
Assistance Center (https://support.arbornetworks.com) for Insight version information.
To receive the appropriate version of the Insight installation files, contact the Arbor Technical Assistance
Center (https://support.arbornetworks.com).

Upcoming Insight release: Insight powered by NETSCOUT nGenius Business Analytics


An upcoming Insight Feature Pack will introduce the ability to use NETSCOUT nGenius Business
Analytics (nBA) technology to power Insight. Insight-on-nBA will provide increased scale and
performance, additional analytical tools, and a new and exciting foundation for Insight and its future
enhancements. Details about scale and performance improvements, migration options, and certified
NETSCOUT-branded and COTS hardware will be provided when the Insight Feature Pack is announced.
Insight Feature Pack 11 will support using a legacy Insight cluster in concert with an nBA-based cluster
(dual mode), and will also support nBA-exclusive clusters. Sightline 9.3 is required in all cases.
Insight Feature Pack 11 is scheduled for release in summer, 2020.

Default MTU setting in ArbOS for Insight

When using Arbor hardware to run Insight, we recommend that the network used for intra-cluster
communication supports an MTU (maximum transmission unit) of 9000. As a result of this
recommendation, the default MTU setting for 10 GbE interfaces (eth2 to eth5, which are typically used
for intra-cluster communication) is 9000 in all versions of ArbOS that were released with Insight 7 and
above.
Discrepancies between the MTU setting used by ArbOS for Insight and your network’s MTU can cause
errors during Insight installation and will cause issues with communication between Insight nodes.

Upgrade Information for Sightline

Supported upgrade paths


For information about the supported upgrade paths to Sightline 9.3, see “Supported Upgrade Paths” in
the Sightline and Threat Mitigation System Compatibility Guide, available from the Arbor Technical
Assistance Center (https://support.arbornetworks.com).

Multi-version compatibility
Sightline 9.3 is compatible with previous versions of Sightline, SP, and TMS. This allows you to upgrade
the devices in your deployment in stages. For details about multi-version compatibility, refer to the
Sightline and Threat Mitigation System Compatibility Guide, available from the Arbor Technical
Assistance Center (https://support.arbornetworks.com).

Deployments running SP 8.3.x or lower that use flexible licensing require a new license file

The following information applies to deployments that run SP 8.3.x or lower that also use
flexible licensing.
Before upgrading from SP 8.3.x or lower to Sightline 9.3, you must first contact the Arbor Technical
Assistance Center (ATAC) at https://support.arbornetworks.com/ to obtain a new flexible license file. If
you continue to use your old license file, you may experience a reduction in the number of managed
objects that can be used in the deployment or the number of user accounts that can access the UI.
Follow the procedures below to ensure no reduction in deployment capabilities.

For deployments that use locally-managed flexible licensing


1. Contact the Arbor Technical Assistance Center (ATAC) at https://support.arbornetworks.com/ and
obtain a new flexible license file.
2. Install the new flexible license file.
For more information, see the Sightline and Threat Mitigation System Licensing Guide at
https://support.arbornetworks.com/
3. Proceed with the upgrade procedure and install the new version of Sightline on the leader. For more
information, see “Upgrading the Software and Installing Maintenance Releases on a Sightline
Appliance” in the Sightline and Threat Mitigation System Advanced Configuration Guide at
https://support.arbornetworks.com/

For deployments that use cloud-based flexible licensing


1. Contact the Arbor Technical Assistance Center at https://support.arbornetworks.com/
Your new license file will be made available on the cloud license server.
2. Before beginning the upgrade procedure, disable cloud-based flexible licensing.
a. Enter / services sp license flexible server cloud_licensing disable
b. Enter config write
3. Proceed with the upgrade procedure and install the new version of Sightline on the leader.
For more information, see “Upgrading the Software and Installing Maintenance Releases on a
Sightline Appliance” in the Sightline and Threat Mitigation System Advanced Configuration Guide at
https://support.arbornetworks.com/

4. After installing the new version of Sightline on the leader, enable cloud-based flexible licensing and
start Sightline services.
a. Enter / services sp license flexible server cloud_licensing enable
b. Enter config write
c. Enter / services sp start
d. Enter config write

TMS services must be stopped and started again if using GRE tunnels (upgrades from Sightline 9.0.x and lower only)
If you are upgrading from Sightline 9.0.x and lower to Sightline 9.1.x and higher and are using GRE
tunnels, you need to restart TMS services after the upgrade to maintain proper functionality.
This issue is documented in bug 85719.
Follow the procedure below if you have TMSes in your deployment that use GRE tunnels:
1. Upgrade the Sightline leader to Sightline 9.3.
2. Confirm that the Appliance Status page in the Sightline leader’s web UI (System > Status >
Appliance Status) lists each TMS status as “RUNNING”.
3. Log in to the CLI of the TMS and run the following commands:
▪ / services tms stop
▪ / services tms start
4. Repeat the previous step for each TMS in the deployment.

Upgrade process
When upgrading your Sightline deployment, you must upgrade your Sightline devices in a specific order.
For more information, see “Multi-Version Deployment Upgrade Process” in the Sightline and Threat
Mitigation System Compatibility Guide. Be aware of the following when upgrading:
• You must upgrade the leader device before upgrading any other user interface devices in your
deployment.
• The upgraded leader must be running when you upgrade the other user interface devices. If the
leader is not upgraded or not running, you will need to manually resync the database when it is.
• When upgrading from SP 8.2 or higher, a database sync for non-leader user interface devices may
be needed if the devices have been down for an extended time period, usually on the order of hours.
Syncing the database should take less than 10 minutes; however, large databases on slow
connections could take longer.

Upgrading requires an active Maintenance and Support subscription
Before upgrading Sightline, verify that your Maintenance and Support (M&S) subscriptions are active.
Important: If your software M&S subscription is not active when you upgrade Sightline, router capabilities
will be blocked, and Sightline will not be able to process flow. To revert to a previous version, you will
need a backup that was made before you upgraded.
To obtain or renew an M&S subscription, contact your Arbor Sales Team or the Arbor Technical
Assistance Center (https://support.arbornetworks.com).

Device certificates
Contact the Arbor Technical Assistance Center (ATAC) at https://support.arbornetworks.com and obtain a
certificate for your device if you plan to use the device for one of the following:
• Remote services
• UI secure login

Support for DSA keys was deprecated
To prevent potential security issues, TLS v1.1 was deprecated. This change was made in response to
bug 82733.

Running Sightline in a Virtual Machine
If you are running Sightline in a VM and you need to expand the size of the virtual disk used by Sightline,
contact the Arbor Technical Assistance Center (ATAC) at https://support.arbornetworks.com for
assistance.
Note: Sightline does not support disk expansion when the disk is formatted using the XFS file system.

Support for Microsoft Internet Explorer
As of Sightline 9.3, Arbor no longer tests the Sightline UI for compatibility with Microsoft Internet Explorer.
See Supported web browsers on page 28.

System Requirements for Sightline
For information about enforced limits and appliance limits in Sightline deployments, see Sightline and
Threat Mitigation System Deployment and Appliance Limits, available from the Arbor Technical
Assistance Center (https://support.arbornetworks.com/).

Supported devices
For information about Sightline appliances and TMS devices that are supported by Sightline, see the
Sightline and Threat Mitigation System Compatibility Guide, available from the Arbor Technical
Assistance Center (https://support.arbornetworks.com).
For more information about running Sightline in a virtual machine, see the Sightline Virtual Machine
Installation Guide, available from the Arbor Technical Assistance Center
(https://support.arbornetworks.com/).

Supported web browsers
At the time of release, Sightline 9.3 officially supports the latest versions of Mozilla Firefox and Google
Chrome. For more information, see “Supported Web Browsers” in the Sightline and Threat Mitigation
System Compatibility Guide, available from the Arbor Technical Assistance Center
(https://support.arbornetworks.com/).
Note: As of Sightline 9.3, Arbor no longer tests the Sightline UI for compatibility with Microsoft Internet
Explorer.

Router requirements
Sightline is compatible with any router that exports RFC-compliant netflow and includes all the
RFC-required fields. Sightline supports netflow v5, v9, IPFIX, and sFlow.

Communication ports

Required ports
The following table lists the ports that Sightline uses and that are required for a deployment to operate
correctly. When the following terms appear in this table, they refer to appliance roles with flexible
licensing and to appliance types with appliance-based licensing:
• data storage
• traffic and routing analysis
• user interface
References in this table to the FS appliance (Flow Sensor) only apply to appliance-based licensing.

Service | Ports Required | Protocol | Direction
--- | --- | --- | ---
ArborFlow | 31373 | UDP | FS appliance to traffic and routing analysis; FS appliance to data storage; traffic and routing analysis to data storage
ArborFlow (if ArborFlow from TMS is enabled) | 5000 (default) | UDP | TMS appliance to traffic and routing analysis
BGP | 179 | TCP | traffic and routing analysis to router; FS appliance to router; router to traffic and routing analysis; router to FS appliance; router to TMS appliance
DNS | 53 | UDP | Sightline appliance to DNS server; return on same port
Flow (netflow) | 2055 (configurable) | UDP | router to traffic and routing analysis; router to FS appliance. By default, traffic and routing analysis or FS appliances watch all UDP ports for netflow packets from configured routers.
HTTPS | 443 | TCP | Sightline non-leader appliance(s) to Sightline leader appliance; Sightline leader appliance to Sightline non-leader appliance(s); TMS appliance to managing appliance; managing appliance to TMS appliance
SNMP polling of routers | 161 | UDP | traffic and routing analysis to router; FS appliance to router; return on same port
Sightline user interface (HTTPS) | 443 | TCP | user workstation to Sightline leader or user interface
Sightline user interface with single sign-on (HTTPS) | 443 | TCP | web proxy to Sightline leader or user interface
SSL | 40000-40030 (configurable) | TCP | any appliance to any appliance (excluding TMS)

Note: Some of the ports may not be applicable to your deployment.

Optional ports
The following ports are optional and only need to be enabled if you are using the corresponding service:

Service | Ports | Protocol | Direction
--- | --- | --- | ---
Cloud-based licensing | 443 | TCP | Leader to cloud license server; cloud license server response to leader
Cloud signaling handshake (HTTPS) | 443 | TCP | APS to leader appliance; leader appliance response to APS
Cloud signaling heartbeat | 7550 | UDP | APS to leader appliance; leader appliance response to APS
FTP | 20-21 | TCP | Sightline appliance query to FTP server; FTP server response to Sightline appliance
HTTP | 80 | TCP | Sightline appliance to HTTP server; HTTP server response to Sightline appliance
NTP | 123 | UDP | Sightline appliance request to NTP server; NTP server response to Sightline appliance
ping | echo request, echo reply | ICMP | Sightline appliance request to remote device; remote device response to Sightline appliance
RADIUS authentication | 1812 | UDP | Sightline appliance query to RADIUS server; RADIUS server response to Sightline appliance
RADIUS accounting | 1813 | UDP | Sightline appliance query to RADIUS server; RADIUS server response to Sightline appliance
SMTP | 25 | TCP | Leader appliance delivery to SMTP server; SMTP server response to leader appliance
SNMP polling of appliances | 161 | UDP | User polling equipment query to Sightline appliance; Sightline appliance response to user polling equipment
SNMP trap, inform | 162 | UDP | Leader appliance message to SNMP trap or inform manager
SSH | 22 | TCP | Workstation to Sightline appliance; Sightline appliance response to workstation. Note: Backup uses SSH.
Syslog | 514 | UDP | Sightline appliance message to Syslog server
TACACS+ | 49 | TCP | Sightline appliance query to TACACS+ server; TACACS+ response to Sightline appliance
Whois | 43 | TCP | Leader appliance, user interface, and backup user interface query to Whois server; Whois server response to appliance

ATLAS services ports
All ATLAS services require you to open access to hosts outside your network. These hosts live across the
Internet and leverage modern content delivery networks and web services.
Important: Because each of these services uses DNS to find the IP address of the ATLAS service, the IP
addresses of the services may change. If an ATLAS service cannot connect to the service IP address,
you may need to check the current DNS results for the addresses listed in the following table and update
your firewall rules. Use of a proxy server for outbound connections is an excellent method for accessing
these services. Contact the Arbor Technical Assistance Center (https://support.arbornetworks.com) if you
have any questions or have special requirements.
The following table lists the ATLAS services:

Service | Address (DNS) | Port | Protocol | Direction
--- | --- | --- | --- | ---
AIF | aif.arbor.net | 443 | HTTPS/TCP | Leader to feed server(s)
ATLAS Visibility | atlas-visibility.arbor.net | 443 | HTTPS/TCP | Leader and all UI appliances to ATLAS servers
HTTP proxy (if you configure a proxy to reach out to ATLAS services or the Internet) | Your HTTP proxy server | 1080 (configurable) | TCP | Leader to the proxy server

Fixed Issues in Sightline

Bug Number | Ticket Number | Fixed In Sightline | Fixed Issues Description
--- | --- | --- | ---
90504 | 200417-000034 | 9.3 | In some cases, Sightline stopped getting SNMP information from a router or interface.
90426 | 200410-000027 | 9.3 | Spaces in flowspec filters caused a process to crash.
90345 | 200330-000068 | 9.3 | In some cases, Mitigation Orchestration caused a delay in the moving of a mitigation to a backup TMS group.
90320 | 200406-000061 | 9.3 | The REST API timed out after 300 ms. The timeout changed to 900 ms.
90263 | 200309-000052 | 9.3 | In some cases, syslog messages for alerts showed negative durations.
90238 | | 9.3 | Users could use the REST API to edit locked settings in a mitigation template.
90167 | 200224-000038 | 9.3 | The mitigation duration displayed in the alert summary was inaccurate.
90111 | 200211-000017 | 9.3 | Users with only numbers in their user names could not log in to the Sightline UI.
90088 | 200205-000063, 200120-000032, 200210-000021, 200505-000056 | 9.3 | If the name of a child managed object contained a space, Sightline would not allow the parent managed object to be edited.
90063 | 200127-000046, 200209-000000, 200218-000012, 200311-000042, 200402-000062 | 9.3 | Sightline displayed the misuse types graph for DoS host alerts using the user’s time zone setting, not the time zone setting of the Sightline device.
90033 | 200117-000026 | 9.3 | Sightline allowed users to delete a notification group that was used by a notification rule.
89986 | 200122-000060 | 9.3 | If your Sightline deployment had a large number of configured routers and you edited a rule on the Auto-Configuration Rules page (Administration > Monitoring > Auto-Configuration Rules), the Sightline UI did not display all routers.
89938 | 191213-000017 | 9.3 | Sightline upgrades were too slow on a deployment with large numbers of stored alerts and mitigations.
89908 | 200108-000047, 200102-000023, 200102-000038, 200120-000074 | 9.3 | The Alert Search Wizard did not allow the user to select certain years.
89892 | 200106-000055 | 9.2 | When the amount of Sightline configuration data exceeded the available storage space, configuration commits in the Sightline UI could fail while appearing to succeed.
89794 | 191217-000048 | 9.3 | Sightline devices that were set to Cloud Signaling Only mode did not function when the Sightline deployment contained a backup leader.
89791 | 191213-000024 | 9.3 | Sightline dropped flow in some cases.
89730 | 191206-000024, 191212-000101, 200107-000025 | 9.3 | The Sightline leader device produced Cloud Signaling Fault errors.
89727 | 191205-000019 | 9.3 | When a user downloaded the XML version of a wizard report that contained the Mitigations widget, Sightline did not include mitigation information. The download XML button was removed.
89642 | 191122-000031, 191101-000031, 191120-000018, 191105-000036, 190821-000010, 191001-000051, 191213-000017, 191223-000028, 200120-000008, 200519-000057 | 9.3 | In some cases, Sightline logged the error “Too many open files” in syslog, or reported that SNMP was down.
89641 | 200114-000067 | 9.3 | In some cases, the Sightline UI displayed an error when the user tried to select the routers to use in a flowspec auto-mitigation.
89626 | 191119-000033, 191210-000018 | 9.3 | When an alert stopped, Sightline did not include alert impact rates in syslog messages.
89603 | 191114-000073, 200302-000006 | 9.3 | Sightline did not insert custom logos in custom PDF reports.
89599 | 191031-000056 | 9.3 | After a user deleted a mitigation template, in some cases Sightline assigned a different mitigation template (not the default template) to managed objects that used the deleted template. Beginning in Sightline 9.3, users cannot delete a mitigation template if the template is assigned to a managed object.
89498 | 191101-000027, 191121-000020, 200110-000025, 200122-000011, 200520-000021 | 9.3 | Sightline could not import learning mitigations into mitigation templates.
89456 | 191025-000031, 191102-000012, 200109-000043 | 9.3 | Sightline did not send syslog messages.
89412 | 200316-000016, 200213-000064, 200401-000010, 200416-000039 | 9.3 | Sightline did not classify some interfaces automatically using auto-configuration rules.
89368 | 191008-000039, 200417-000034 | 9.3 | In some cases, Sightline stopped getting SNMP information from a router or interface.
89337 | 191006-000016 | 9.3 | In some cases, Cloud Signaling mitigation requests prevented auto-mitigations from stopping when the associated alert ended.
89178 | 190910-000034 | 9.3 | In some cases, blackhole and flowspec mitigations did not mitigate traffic even though Sightline reported no errors.
89114 | 190822-000064, 191106-000035, 200331-000025, 200401-000074 | 9.3 | The calendar displayed in the time selector on the Insight page was missing a day near the end of each month.
89051 | 190819-000081 | 9.3 | Sightline would not allow you to add a filter list to a mitigation if the name of the filter list contained an apostrophe.
89000 | 190806-000064 | 9.3 | Sightline did not allow scoped users to use custom reports.
88981 | 190806-000039 | 9.3 | In some cases, Sightline did not show the username in API activity logs.
88535 | 190425-000023, 191029-000013, 191203-000019 | 9.3 | When a user edited a managed object that was homed to specific Sightline devices, the changes could not be saved or were applied to another managed object.
88469 | 190610-000055 | 9.3 | On the Deployment Status page, Sightline did not display a legend under the graph when the user selected TMS Total Bandwidth or TMS IPv6 Bandwidth.
86848 | 181109-000014 | 9.3 | Managed services users could see alert annotations added automatically for manual mitigations and auto-mitigations. (They should not be able to see them.)
84326 | 180320-000021, 191107-000050 | 9.3 | Sightline did not display resolved host names on the Customer × Top Talkers External page.
82763 | 191002-000070 | 9.3 | When a user posted a commit message to the REST API, Sightline displayed an error if the message contained non-ASCII characters.
82093 | 170831-000033 | 9.3 | When a user added IPv6 ICMP traffic patterns to the Alert Scratchpad, Sightline produced a malformed FCAP that could not be applied to mitigations.
73267 | 160127-000032, 160817-000028, 170420-000012, 170815-000033, 170912-000012 | 9.3 | Sightline displayed excessive CPU load errors for TMS devices on the Appliance Status page.

Known Issues in Sightline

Bug Number | Ticket Number | Found In Sightline | Known Issues Description
--- | --- | --- | ---
91304 | | 9.3 | When you configure a managed object, if you enable dynamic DNS matching and enter domain names in the Domains box, you cannot save the changes if the managed object's name contains spaces. Workaround: Upload domain names in a text file if the managed object name contains spaces.
91162 | | 9.1 | When you select a misuse type on the Host Automatic Rate Calculation page and click Show Results, in some cases Sightline displays the message “No data available” even though there is traffic associated with the specified misuse type.
90754 | 200515-000021, 200617-000046, 200619-000035, 200701-000005 | 9.2 | Reports show no data for managed objects that are homed on data storage appliances that were upgraded to Sightline 9.2.
90741 | | 9.3 | If you include filters in the query string when querying the /traffic_query_facet_values/ sub-endpoints, Sightline does not include the filters in the links that it returns.
90740 | | 9.3 | The traffic_query_facet_values and fingerprints endpoints require brackets in the filter query string, even when only one filter is specified. When specifying a single filter to query these endpoints, use brackets in the filter query string. Working example: `https://example.com/api/sp/traffic_query_facet_values/managed_objects/?filter[]=a/name.eq.internet`; non-working example: `https://example.com/api/sp/traffic_query_facet_values/managed_objects/?filter=a/name.eq.internet`.
90714 | | 9.3 | When viewing configuration history, it can take several minutes for Sightline to display any configuration data.
90709 | | 9.3 | When the user clicks Configure Based on Traffic in the Payload Regular Expression countermeasure in a TMS mitigation, sometimes Sightline sets the port direction to Source when it should be Destination.
90708 | | 9.3 | Managed services users cannot select threat indicator policies when editing a profile. If a managed services user clicks Edit Threat Indicator Categories, the Sightline UI opens and then closes the selection wizard immediately.
90702 | | 9.3 | When the user clicks Test Regular Expression in a TMS mitigation countermeasure, the Sightline UI changes the selected filter type to FCAP Filter each time the user selects a different TMS device in the TMS Appliance list.
90693 | | 9.3 | When a user manually runs a classic XML report on the Configure Reports page, Sightline does not return any results. (Sightline returns results as expected for scheduled classic XML reports.)
90548 | | 9.3 | When a user generates regular expressions from a PCAP file that contains both IPv4 and IPv6 traffic, Sightline generates regular expressions that match IPv4 traffic only.
90521 | | 9.3 | If an AIF filter list that is used in a mitigation template is deleted, the following occurs: Sightline displays the Commit Config button, even though the user may have made no changes themselves; and the next time a user commits a configuration, the AIF filter list appears in the configuration log as having been removed from the template, even though the user did not remove the filter list themselves.
90516 | | 9.3 | Occasionally the REST API returns a 500 error or an “internal service error”. This is more likely to occur for REST API calls that require more time to process. If the API returns these errors, wait a few seconds and try the call again.
89991 | 200122-000025 | 9.0.1 | While binning flow data, the flow data binning process on a data storage appliance can crash soon after reading the new appliance configuration.
89766 | | 9.2 | In certain situations, mitigation templates that you created by merging an AIF template do not have a description.
88791 | | 9.1 | In some cases, Smart Mitigation graphs do not show “Not Dropped” traffic even though traffic is passing.
87191 | | 9.1 | When you delete a router, Sightline does not remove it as the target for TMS flowspec blacklist offloading.
90144 | 200204-000047 | 9.0.1 | In some cases, if a scoped user changes a password, Sightline reverts the scoped user’s password to the previous password when an admin commits changes.
86214 | | 9.0 | If you POST an invalid calculation attribute value to the /smart_alert_settings/ endpoint in the REST API, the smart alert that you create will not work. The only valid calculation values are avg, last, max, pct95, and sum.
86192 | | 9.0 | If you POST an invalid filter or view attribute value to the /smart_alert_settings/ endpoint in the REST API, the returned error data contains a correct error description in the detail attribute but an incorrect error path in the pointer attribute.
86087 | | 9.0 | The REST API returns an error with the ambiguous message `Detailed error information unavailable` during a misuse-triggered flowspec auto-mitigation using a Juniper router.
86081 | | 9.0 | Error messages appear in syslog when you commit a configuration that has no user-defined misuse types.
86080 | | 9.0 | On the Host Automatic Rate Calculation page, the Managed Object list might not include all the managed objects that you can select. Workaround: Type the name (or a portion of the name) of the managed object to select in the Managed Object list box.
86014 | | 9.0 | Although the product has been renamed “Sightline”, some places in the product refer to the previous product names (“Peakflow” or “SP”).

Other Things to Know about Sightline


Create a backup after converting to flexible licensing
Important: If you are converting from legacy appliance-based licensing to flexible licensing, be sure to
create a backup as soon as possible after the conversion. Restoring a backup that was made before the
conversion onto an appliance that has been converted to flexible licensing is neither recommended nor
supported.

Dynamic subscriber interfaces

Sightline interface handling
Sightline provides three levels of granularity when gathering data on a per-interface basis, depending on
the interface classification and discovery method:

Interface classification | Discovery method | Data granularity
--- | --- | ---
External or configured to collect “detailed” statistics | Via flow | Highest level of data granularity; available in all interface pages and reports
Other than external | Via flow | Much lower level of data granularity; available in all interface pages and reports; included in the UI
Never sends flow data | SNMP | Tracked individually; not available in all interface pages and reports; impacts the overall interface scaling properties of the deployment, but not as much as the other types of interfaces

Untracked interfaces
In addition to the data gathered on a per-interface basis, there can be untracked interfaces, which have
the following properties:
• They are on a router that was configured with the “Enable Dynamic Subscriber Interface Handling”
option.
• Their SNMP interface names/descriptions do not match a configured Interface Classification rule OR
the interfaces are not represented in the SNMP data obtained from the involved router.
Note: Only 400,000 interfaces with SNMP information can be processed, even if they are untracked
interfaces. The 700,000-interface limit can only be reached if a very large number of the interfaces
have no SNMP presence whatsoever.
• They do not appear in any interface page or report in the product.
• They do not impact any interface scaling limitation on the deployment. Therefore, there can be an
unlimited number of these kinds of interfaces on a particular collector or on the deployment in
general.
• They can have flow sent for them by the router and it will be tracked on a per-router basis in a single
aggregate interface. This appears in normal interface pages and reports.
• The flow sent for these interfaces is constrained by the normal stated flow processing limits on a per-
appliance basis, as well as the normal licensed limits on a per-deployment basis for flex licensing
deployments.

High CPU load averages
On large multi-appliance deployments, high load averages will be seen when arbor_stats runs. This
does not materially impact interactive performance of the Sightline appliance.

Additional Information
Downloading the software
You can download the software releases and user documentation from the Arbor Technical Assistance
Center at https://support.arbornetworks.com using the Software Downloads link.

Contacting Arbor Technical Assistance Center
You can download the software release and user documentation from the Arbor Technical Assistance
Center website. You will need a username and password to access the site.
If you do not already have a customer account, contact Arbor Technical Assistance Center at:
• 1 877 272 6721 [U.S. toll free]
• +1 781 768 4301 [Worldwide]
• https://support.arbornetworks.com/

About the Sightline and Threat Mitigation System Documentation
The following documentation is available for Sightline and TMS devices and software. All documentation
is available from the Arbor Technical Assistance Center (https://support.arbornetworks.com).
The user documentation for Sightline includes the following documents:

Document Title | Description
--- | ---
Sightline Release Notes; Threat Mitigation System Release Notes | Release information about Sightline and TMS, including new features, enhancements, fixed issues, and known issues.
Sightline and Threat Mitigation System User Guide | Instructions and information that explain how to configure and use Sightline and TMS devices and software via the Sightline user interface (UI) and the command line interface (CLI). You can access the User Guide by clicking the icon in the Sightline UI. It is also available as a PDF. Note: The User Guide contains all information that was previously included in the Sightline and Threat Mitigation System Advanced Configuration Guide.
Sightline and Threat Mitigation System Compatibility Guide | Descriptions of the support for multi-version, multi-platform Sightline and TMS deployments.
Sightline and Threat Mitigation System Deployment and Appliance Limits | Lists the enforced limits and guideline limits for Sightline and Sightline/TMS deployments. It also covers the enforced limits and guideline limits for each currently supported Sightline and TMS appliance.
Sightline and Threat Mitigation System Licensing Guide | Descriptions of each Sightline and TMS software licensing mode, how to obtain licenses to run your Sightline and TMS software, and how to add and change the licensed capabilities and capacities in your deployment.
Sightline and Threat Mitigation System Managed Services Customer Guide | Instructions and information for the managed services customers who use the Sightline user interface.
Sightline and Threat Mitigation System API Guide | Instructions for remotely accessing Sightline and TMS using the REST, SOAP, and Arbor Web Services APIs.
Sightline REST API Documentation | Instructions and information that explain how to use the Sightline REST API. You can access this documentation from the Sightline UI by selecting Administration > REST API Documentation. It is also available for download.
Sightline Virtual Machine Installation Guide | Instructions on installing Sightline in a VM environment. Follow the instructions in this guide if you are using a VM instead of hardware for Sightline.
Software Threat Mitigation System Installation on Hardware | Instructions on installing Software TMS on your own hardware. Follow the instructions in this guide if you are installing Software TMS on hardware instead of a VM.
Software Threat Mitigation System Virtual Machine Installation Guide | Instructions on installing Software TMS in a VM environment. Follow the instructions in this guide if you are using a VM instead of hardware for Software TMS.
Software Threat Mitigation System Performance Benchmarks | Performance benchmarks for Software TMS installations on a VM and your own hardware.
Insight Hardware Introduction Guide | Information about the hardware required to add Insight to a Sightline deployment. Also provides information that helps Sightline users who are trying to decide whether to run Insight on Arbor hardware or on non-Arbor hardware.
Insight Software Installation Guide | Information and instructions for installing and upgrading Insight software.
Quick Start Card for Sightline and Threat Mitigation System appliances | Instructions and requirements for the initial installation and configuration of Sightline, Insight, and TMS appliances.

Appendix A: New notifications in Sightline 9.3
Threat indicator policy detection notifications
Sightline can generate a syslog notification each time it detects a threat indicator policy that is associated
with a configured threat indicator category. In order to trigger a syslog notification, the detected policy
must be in a threat indicator category that is configured in the settings for a customer, profile, or
subscriber managed object. The syslog notification is sent to the remote syslog server address configured
in the default notification group.
Example: Syslog notification triggered by threat indicator policy detection
May 12 15:35:00 example.com pfsp: Threat_Indicator host 192.0.2.120 threat
indicator categories: [“Campaigns and Targeted Attacks” (2)] threat indicator
policy “njRAT” (696) Managed object “AS11420” (268) last-seen 05/12/20
15:34:59 bytes 282200000 packets 282200 - sample flow
(src ip: 198.51.100.223, src port: 60235, dst ip: 203.0.113.211,
dst port: 20480, proto: 6)

The syslog message includes the following information:
• The string Threat_Indicator
• Host
• Matching threat indicator categories
• Matching threat indicator policy
• Managed object name
• The date/time of the match
The syslog message also includes the following field values in the matching flow record:
• Source IP address
• Source port
• Destination IP address
• Destination port

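The notification format described above, parsed into structured fields so the message can be routed or correlated downstream. This is an added example, not Sightline or NETSCOUT code: the field layout follows the sample message in this appendix, while the syslog prefix, the separator inside the category list, the second sample line and its policy and category names are assumptions.

```python
# Added example (not Sightline code): parse the Sightline 9.3 Threat_Indicator
# syslog notification into structured fields and group events per managed object.
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# The PDF shows curly quotes; a real syslog line most likely carries straight
# quotes, so both are accepted.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})

_CATEGORY_RE = re.compile(r'"([^"]*)"\s*\((\d+)\)')

# Field order as in the sample notification; the category-list separator and
# the trailing "- sample flow (...)" being optional are assumptions.
_MSG_RE = re.compile(
    r'Threat_Indicator host (?P<host>\S+)\s+'
    r'threat indicator categories:\s*\[(?P<cats>[^\]]*)\]\s+'
    r'threat indicator policy "(?P<policy>[^"]*)" \((?P<policy_id>\d+)\)\s+'
    r'Managed object "(?P<mo>[^"]*)" \((?P<mo_id>\d+)\)\s+'
    r'last-seen (?P<seen>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+'
    r'bytes (?P<bytes>\d+) packets (?P<packets>\d+)'
    r'(?:\s+-\s+sample flow \((?P<flow>[^)]*)\))?'
)


@dataclass
class ThreatIndicatorEvent:
    host: str
    categories: List[Tuple[str, int]]   # (category name, category id)
    policy: str
    policy_id: int
    managed_object: str
    managed_object_id: int
    last_seen: datetime
    byte_count: int
    packet_count: int
    sample_flow: Dict[str, str]         # src_ip, src_port, dst_ip, dst_port, proto


def _parse_flow(text: Optional[str]) -> Dict[str, str]:
    """'src ip: 198.51.100.223, src port: 60235, ...' -> {'src_ip': ..., ...}.
    Splitting each item on its first colon keeps IPv6 addresses intact."""
    flow: Dict[str, str] = {}
    for part in (text or "").split(","):
        key, sep, value = part.partition(":")
        if sep:
            flow[key.strip().replace(" ", "_")] = value.strip()
    return flow


def parse_threat_indicator(line: str) -> Optional[ThreatIndicatorEvent]:
    """Return the parsed event, or None when the line is not a Threat_Indicator
    notification (any syslog prefix before the message body is tolerated)."""
    m = _MSG_RE.search(line.translate(_QUOTES))
    if m is None:
        return None
    return ThreatIndicatorEvent(
        host=m["host"],
        categories=[(n, int(i)) for n, i in _CATEGORY_RE.findall(m["cats"])],
        policy=m["policy"],
        policy_id=int(m["policy_id"]),
        managed_object=m["mo"],
        managed_object_id=int(m["mo_id"]),
        last_seen=datetime.strptime(m["seen"], "%m/%d/%y %H:%M:%S"),
        byte_count=int(m["bytes"]),
        packet_count=int(m["packets"]),
        sample_flow=_parse_flow(m["flow"]),
    )


def events_by_managed_object(lines) -> Dict[str, List[ThreatIndicatorEvent]]:
    """Group notifications per managed object; other syslog lines are skipped."""
    grouped: Dict[str, List[ThreatIndicatorEvent]] = {}
    for line in lines:
        event = parse_threat_indicator(line)
        if event is not None:
            grouped.setdefault(event.managed_object, []).append(event)
    return grouped


# Constructed sample log: the notification from this appendix (on one line),
# an unrelated pfsp line, and a second constructed notification (IPv6 flow).
SAMPLE_LOG = [
    'May 12 15:35:00 example.com pfsp: Threat_Indicator host 192.0.2.120 threat '
    'indicator categories: ["Campaigns and Targeted Attacks" (2)] threat indicator '
    'policy "njRAT" (696) Managed object "AS11420" (268) last-seen 05/12/20 '
    '15:34:59 bytes 282200000 packets 282200 - sample flow '
    '(src ip: 198.51.100.223, src port: 60235, dst ip: 203.0.113.211, '
    'dst port: 20480, proto: 6)',
    'May 12 15:35:01 example.com pfsp: configuration committed by admin',
    'May 12 15:36:10 example.com pfsp: Threat_Indicator host 192.0.2.77 threat '
    'indicator categories: ["Campaigns and Targeted Attacks" (2), "Example Category" (9)] '
    'threat indicator policy "example-policy" (700) Managed object "AS64496" (301) '
    'last-seen 05/12/20 15:36:09 bytes 4096 packets 8 - sample flow '
    '(src ip: 2001:db8::10, src port: 443, dst ip: 2001:db8:1::5, '
    'dst port: 51234, proto: 6)',
]

if __name__ == "__main__":
    for mo, events in events_by_managed_object(SAMPLE_LOG).items():
        for ev in events:
            print(mo, ev.policy, ev.categories, ev.sample_flow.get("dst_ip"))
```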