Check Point DDoS Protector
6 March 2013
Software Version - 6.07
User Guide
© 2013 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12676
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Revision History
Date: 4 March 2013
Description: Converted from WBM OLH and edited for print documentation.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Check Point Lights Out Management Administration Guide).
Contents
Important Information ... 3
DDoS Protector Overview ... 1
  Network Flood Protection ... 1
  Server Flood Protection ... 1
  Application Layer Protection ... 1
Configuring File Parameters ... 3
  Software Update ... 3
  Support ... 3
  Configuration ... 4
    Send Configuration File to Device ... 4
    Receive from Device ... 4
    Log File ... 4
  Software List ... 5
Configuring Device Parameters ... 7
  Reboot Device ... 7
  Device Shutdown ... 7
  Global Parameters ... 7
  Device Information ... 8
  Utilization ... 9
    SME Utilization ... 9
    Device Resource Utilization ... 9
  License Upgrade ... 9
  Port Mirroring ... 10
    Port Mirroring and Traffic Rate Port Mirroring ... 10
  Forwarding Table ... 12
    Interface Grouping ... 13
  Physical Interface ... 13
  L2 Interface ... 13
  Link Aggregation ... 14
    Link Aggregation: Trunk Table ... 14
    Link Aggregation: Port Table ... 14
  Jumbo Frames Settings ... 15
  Traffic Exclusion ... 16
  Session Table ... 16
    Session Table Global Parameters ... 16
    Advanced Session Table Global Parameters ... 18
    Session Table Entries ... 19
  IP Fragmentation ... 20
  Device Overload Mechanism ... 20
  High Availability ... 21
    High Availability Global Parameters ... 21
    High Availability Advanced Configuration ... 22
    Pair Definition ... 24
    High Availability Monitoring ... 24
    Switch Over ... 25
    Activate Baseline Sync with Peer Device ... 25
    Reset Secondary ... 25
  Tunneling ... 25
  IP Version Mode ... 26
  Dynamic Protocols ... 26
    Dynamic Protocols: General ... 26
    Dynamic Protocols: FTP ... 27
    Dynamic Protocols: TFTP ... 27
    Dynamic Protocols: Rshell ... 28
    Dynamic Protocols: Rexec ... 28
    Dynamic Protocols: H.225 ... 29
    Dynamic Protocols: SIP ... 29
Configuring Router Parameters ... 31
  IP Router ... 31
    Operating Parameters ... 31
    Interface Parameters ... 31
  Routing Table ... 33
  ARP Table ... 34
Configuring DDoS Protector Parameters ... 35
  DoS Signatures ... 35
    Application Security ... 35
    DoS Shield ... 36
    Filters ... 36
    Attacks ... 42
    Exclude Attacks ... 48
  Denial of Service ... 49
    Behavioral DoS ... 49
    DNS Protection ... 58
    SYN Protection ... 71
    Out-of-State ... 76
    Connection Limit ... 78
    HTTP Mitigator ... 81
  Authentication Tables ... 87
    DNS Authentication Table ... 87
    TCP Authentication Table ... 88
    HTTP Authentication Table ... 88
  Server Protection ... 89
    Protected Servers ... 89
  White List ... 91
  Black List ... 93
  Network Protection Policies ... 96
    Policies Resources Utilization ... 98
  Global ... 99
    Suspend Table ... 99
  Reporting ... 101
    Reporting Global Parameters ... 101
    Top Ten Attacks ... 103
    Data Report ... 103
    Security Log ... 104
    Packet Trace ... 105
  Attack Database ... 106
    Attack Database Version ... 106
    Attack Database Send to Device ... 107
  Activate Latest Changes ... 107
  Packet Anomalies ... 107
    Packet Anomalies Attacks ... 107
  Service Discovery ... 110
    Service Discovery Global Parameters ... 110
    Service Discovery Profiles ... 111
  Restore Default Configuration ... 112
Configuring Services Parameters ... 115
  Tuning ... 115
    Security ... 115
    Device Tuning ... 118
    Memory Check ... 119
    Classifier Tuning ... 120
    SYN Protection Tuning ... 121
    Diagnostics Tuning ... 122
  Diagnostics ... 122
    Capture ... 122
    Trace ... 123
    Trace Files ... 126
    Diagnostics Policies ... 127
  Syslog Reporting ... 128
  Daylight Saving ... 130
  Management Interfaces ... 131
    Telnet ... 131
    Web Server ... 132
    SSL ... 133
    SSH ... 133
  Event Log ... 134
  Network Time Protocol (NTP) ... 134
  RADIUS ... 135
  SMTP ... 136
  DNS Client Parameters ... 137
  Configuration Auditing ... 138
  Event Scheduler ... 138
Configuring Security Parameters ... 141
  Management Ports ... 141
  Ports Access ... 141
  SNMP ... 142
    SNMP Global Parameters ... 142
    SNMP: User Table ... 142
    SNMP: Community Table ... 143
    SNMP: Groups Table ... 144
    SNMP: Access Table ... 144
    SNMP: View Table ... 145
    SNMP Notify Table ... 145
    SNMP Target Parameters ... 146
    SNMP: Target Address ... 147
  Ping Physical Ports Table ... 148
  Users ... 148
  Certificates ... 150
    Certificates Table ... 150
    Exporting PKI Components ... 151
    Importing a PKI Component ... 151
    Certificate Default Values ... 152
Configuring Classes Parameters ... 153
  View Active Networks ... 153
  Modify ... 153
    Modify Networks ... 153
    Modify Services ... 154
    Modify Application Port Groups ... 161
    Modify Physical Port Groups ... 161
    Modify VLAN Tag Groups ... 162
    Modify MAC Groups ... 163
  View Active ... 163
    View Active Networks ... 163
    View Active Services ... 163
    Viewing Application Port Groups ... 164
    View Active Physical Port Groups ... 164
    View Active VLAN Tag Groups ... 164
    View Active MAC Groups ... 164
  Activate Latest Changes ... 164
Configuring Performance Parameters ... 165
  Element Statistics ... 165
    IP Packet Statistics ... 165
    SNMP ... 165
    IP Router ... 166
    Accelerator Utilization ... 168
DDoS Protector Web Based Management User Guide | 1
Chapter 1
DDoS Protector Overview
Check Point DDoS Protector™ appliances block denial-of-service (DoS) attacks within seconds with multi-layered protection and up to 12-Gbps performance.
Modern distributed DoS (DDoS) attacks use new techniques to exploit areas that traditional security solutions are not equipped to protect. These attacks can cause serious network downtime to businesses that rely on networks and Web services to operate. DDoS protector extends company security perimeters to block destructive DDoS attacks before they cause damage.
Network Flood Protection
DDoS Protector uses behavioral analysis to provide network-flood-attack protection. After baselining normal daily and weekly patterns for network traffic, DDoS Protector identifies abnormal traffic, especially spikes from network floods.
Server Flood Protection
DDoS Protector protects against misuse of application resources. With its automatic signature-generation capability, DDoS Protector automatically generates new signatures to mitigate suspected attacks, and uses predefined signatures to prevent known bad behavior. DDoS Protector also prevents misuse of the TCP/IP stack by fending off SYN-flood attacks using SYN cookies.
Application Layer Protection
DDoS Protector blocks automated tools and fake users with challenge/response techniques, while transparently redirecting legitimate users to the desired destinations.
Chapter 2
Configuring File Parameters
Software Update
Check Point may release updated versions of the device software. Upload these updated versions to benefit from enhanced functionality and performance. The password is provided with the new software documentation.
Note: If the upload is not successful, the current device software does not change. If the upload is successful, reset the device to implement the new version.
To upload software
1. Select File > Software Update.
2. In the Password field, enter the password received with the new software version.
Note: The password is case-sensitive.
3. In the Software version field, type the software version number as specified in the new software documentation.
4. In the File field, enter the filepath. Alternatively, click Browse to navigate to the file.
5. Select the Enable New Version check box.
6. Click Set.
7. Select Device > Reboot Device.
8. Click Set.
Support
When a problem requires debugging, DDoS Protector generates a separate support file. This file is delivered in text format and aggregates all the CLI commands needed by the Check Point Support Center. The file also includes the output of various CLI commands, such as printouts of the Client table, the ARP table and others.
You can download this file using the Support command and then send it to the Check Point Support Center.
To download the support file
1. Select File > Support.
2. Click Download.
Configuration
Send Configuration File to Device
Use the Send to Device pane to send a configuration file to the device.
To send the configuration file to a device
1. Select File > Configuration > Send to Device.
2. Select the upload mode: Replace configuration file, Append commands to configuration file, or Append commands to configuration file with reboot.
3. Enter the name of the Configuration file, or click Browse to navigate to the file.
4. Click Set.
5. Select Device > Reboot Device and then Set to apply the changes in the configuration.
Receive from Device
The Receive from Device window enables you to download the configuration file.
To download the configuration file
1. Select File > Configuration > Receive from Device.
2. Select whether to include private keys.
3. Click Set.
Note: When downloading a configuration file using WBM, the configuration file cannot be uploaded to a device that was configured to use SNMPv3 only.
Log File
Log File: Show
The Configuration Error Log window enables you to view the configuration errors. The report of configuration errors presented in this log file is automatically generated by the device.
To view the log file
Select File > Configuration > Logfile > Show.
Log File: Clear
The Clear Error Log window enables you to clear the information contained in the Show Log file.
To clear the error log
1. Select File > Configuration > Logfile > Clear.
2. Click Set.
Log File: Download
The Download Error Log window enables you to download the latest log file that contains configuration errors. Once the file is downloaded, you can view it.
To download the error log
1. Select File > Configuration > Logfile > Download.
2. Click Set.
Software List
The device can hold two different software versions at the same time, together with their respective configuration files. You can set which one of the existing versions is currently active. In addition, you can delete the inactive version.
To update the device software
1. Select File > Software List.
2. In order to filter the software list, enter or select a parameter and click Reset Filter.
3. Select the version that you want to delete and click Delete.
4. Select Device > Reboot Device and Set.
Parameter Description
Name The name of the version that you have selected.
Index The index of the version in the Software List.
Valid The version validity.
Active The status of the version.
Version The version number.
Chapter 3
Configuring Device Parameters
Reboot Device
This feature resets (restarts) the device. This may be necessary after completing the configuration of some features, such as Device Tuning. The changes are updated and reflected in the device only after the reset.
To reboot the device
1. Select Device > Reboot Device.
2. Click Set.
Device Shutdown
To shut down a device
1. Select Device > Device Shutdown.
2. Click Shutdown.
Global Parameters
To set the global device parameters
1. Select Device > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Description The general description of the device.
Name The user-assigned name of the device, which is displayed in the windows describing the device.
Location The geographic location of the device.
Contact Person The person or people responsible for the device.
System Up Time The time elapsed since the last reset.
System Time The current user-defined device time, in hh:mm:ss format.
System Date The current user-defined device date, in dd/mm/yyyy format.
BootP Server Address The IP address of the BootP server. The device forwards BootP requests to the BootP server and acts as a BootP relay.
BootP Threshold How many seconds the device will wait before relaying requests to the BootP server. This delay allows local BootP Servers to answer first.
Device Information
Use the Device Information pane to view information about the device.
To access the device information pane
Select Device > Device Information. The following parameters are displayed:
Parameter Description
Type The device type
Platform The hardware platform type, for example On-Demand Switch.
Device The device name
Ports The number of ports on the device.
Ports Config The port configurations.
HW Version The hardware version.
SW Version The software version.
Build The software build date, time, and version number.
Throughput License The throughput license (limit).
Version State The version state, for example "Final".
APSolute OS The APSolute OS build date, time, and version number.
Network Driver The Network driver version.
RAM Size The amount of RAM, in GB.
Flash Size The size of the flash (permanent) memory, in MB.
Hard Disk(s) The number of hard disks installed.
Registered Whether the device is registered or not.
Date The date of version.
Time The time of version.
Up Time The amount of time that the device has been up.
Base MAC The MAC address of the first port on the device.
Active Boot The active boot version.
Secondary Boot The secondary boot version.
Power Supply The power supply status.
DoS Mitigator The DoS Mitigator type.
SME The SME type.
Utilization
SME Utilization
The Engines utilization pane displays values relating to the utilization of internal hardware components. The information is intended only for advanced tuning and debugging by the Check Point Support Center.
Device Resource Utilization
To view device resource utilization statistics
Select Device > Utilization > General. The following parameters are displayed:
Parameter Description
Resource Utilization The percentage of the device’s CPU currently utilized.
RS Resource Utilization The percentage of the device’s routing services (RS) resource currently utilized.
RE Resource Utilization The percentage of the device’s routing engine (RE) resource currently utilized.
Last 5 sec. Average Utilization The average utilization of resources in the last 5 seconds.
Last 60 sec. Average Utilization The average utilization of resources in the last 60 seconds.
License Upgrade
The License Upgrade window enables you to upgrade the software license.
To upgrade the software license
1. Select Device > License Upgrade.
2. Enter your new license key, located on your CD case. (The earlier license key is displayed.)
3. Enter your throughput license key. (The earlier throughput license key is displayed.)
Note: The license code is case sensitive.
4. Click Set.
5. In the Reset the Device window, click Set to perform the reset. The reset may take a few minutes.
Port Mirroring
Port Mirroring and Traffic Rate Port Mirroring
Port Mirroring enables the device to mirror traffic from one physical port on the device to another physical port on the device. This is useful when a monitoring device is connected to one of the ports on the device. You can choose to mirror either received and transmitted traffic, received traffic only, or transmitted traffic only. You can also decide whether received broadcast packets should be mirrored or not.
To avoid high-bandwidth DoS and DDoS attacks, you can perform traffic rate port mirroring, which mirrors the traffic arriving at DDoS Protector to a dedicated sniffer port. This allows packet data to be collected in the event of an attack. The mirroring is performed only when the device is under attack, and is based on a predefined traffic threshold.
To set the device to operate in port mirroring mode
1. Select Device > Port Mirroring > Table.
2. Click Create.
3. Configure the parameters, and click Set.
Parameter Description
Input Port The port from which the traffic is mirrored.
Output Port The port to which traffic is mirrored.
Receive\Transmit The direction of traffic to be mirrored.
Values: Transmit and Receive, Receive Only, Transmit Only
Promiscuous Mode This parameter enables you to either copy all traffic from the input port to the output port or to copy only the traffic that is destined to the input port.
Values:
Enabled—Setting this parameter to enabled means that all traffic is copied to the Output Port.
Disabled—Setting this parameter to Disabled means that only traffic destined to the Input port is copied.
Default: Enabled.
Backup Port A backup port for the output.
Mode Define the relevant mode, either:
Enabled—Port Mirroring is continuously enabled.
Traffic Rate—Port Mirroring is performed according to the Traffic Rate over the network (PPS or Kbps); therefore the Threshold must be defined.
Threshold The threshold value.
Global Parameters
To set the Port Mirroring Global Parameters
1. Select Device > Port Mirroring > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Traffic Threshold Units
The units of the Traffic Threshold according to which attacks are detected.
Values:
PPS—The number of packets per second being sent over the network.
kbps—The number of kbps that can pass through the Input port before the mirroring process begins. If the number of kbps on the traffic interface port is higher than the threshold value, it means that there is an attack and the traffic is mirrored to the output port for the period of time configured by Threshold Interval.
Thresholds Interval The number of seconds in which the mirroring process takes place.
Default: 30 sec.
Reset Traffic Rate Threshold
The Port Mirroring Reset Traffic Rate Threshold window enables you to set the device to record the traffic that exceeds the predefined limit within a new threshold interval.
To reset the Traffic Rate Threshold
1. Select Device > Port Mirroring > Reset Traffic Rate.
2. Click Set.
Forwarding Table You can configure scanning ports using the Static Forwarding mode. In the Static Forwarding mode, DDoS Protector functions as in promiscuous mode in the network, which means that the device acts as a completely transparent network element.
Scanning ports have a one-to-one forwarding ratio, where the traffic that comes from the receiving port is always sent out from its corresponding transmitting port. The ports are paired, meaning one port receives traffic while another transmits traffic. The ports are defined in the Forwarding Table.
Note: When using the SYN Flood Protection filters, you must set the inbound and the outbound traffic to operate in the Process mode.
You can assign the same Destination Port to more than one Source Port. For example, you can define that Source Port 1 is associated with Destination Port 3, and also Source Port 2 is associated with Destination Port 3.
To configure promiscuous ports
1. Select Device > Forwarding Table.
2. Click Create.
3. Configure the parameters, and click Set.
Parameter Description
Source The user-defined source port for received traffic.
Destination The user-defined destination port for transmitted traffic.
Operation The operation mode that can be assigned to a pair of ports: Process or Switch.
Failure Mode The failure mode.
Values: Fail-Open, Fail-Close
Port Type The port type.
Values: Source, Destination
Note: When you assign the same Destination Port to more than one Source Port, you must set the Destination Port of the traffic in the opposite direction, otherwise the traffic transmitted in that direction is ignored. For example, Source Port 1 is associated with Destination Port 3, and also Source Port 2 is associated with Destination Port 3. In that case, for the traffic in the opposite direction, the Source Port is 3 and the Destination Port must be defined (typically it is 1 or 2).
Interface Grouping
When installing DDoS Protector between two L2 switches operating with multiple links (with Link Aggregation, for example), a link failure of one L2 switch would not be detected by the remote L2 switch, as DDoS Protector would continue to keep the link up. Interface Grouping shuts both endpoints of a link once a failure is detected on one of the endpoints. The endpoints of the links are set by the Static Forwarding table. Interface Grouping is configured globally per device.
To enable interface grouping
1. Select Device > Forwarding Table.
2. From the Interface Grouping drop-down list, select Enable.
Physical Interface The Physical Interface window enables you to change the physical attributes of each port individually.
To update a port's physical attributes
1. Select Device > Physical Interface.
2. Configure the parameters, and click Set.
Parameter Description
Port Index The index number of the port.
Speed The traffic speed of the port.
Values: Ethernet, Fast Ethernet, Giga Ethernet
Duplex Whether the port allows both inbound and outbound traffic at the same time (Full Duplex) or one way at a time only (Half Duplex).
Auto Negotiate
Automatically detects and configures the speed and duplex required for the interface.
L2 Interface The L2 Interface window enables you to configure the administrative status and view settings for each interface.
To configure the administrative status of an interface
1. Select Device > L2 Interface.
2. Select the relevant interface.
3. From the Interface Admin Status drop-down list, select the required status of the interface. Values: up, down.
4. Click Set.
Link Aggregation
Link Aggregation: Trunk Table
The Port Trunking feature allows you to define up to seven trunks. Up to eight (8) physical links can be aggregated into one trunk. All trunk configurations are static.
The Trunk Table, which is read-only, enables you to view the Trunk Index settings that were defined in the Port Table.
To view the link aggregation trunk table
Select Device > Link Aggregation > Trunk Table. The following parameters are displayed:
Parameter Description
Trunk Index Displays the trunk index.
Trunk MAC Address Displays the MAC address assigned to the trunk.
Trunk Status Values:
Individual—(False) No ports are attached to this trunk.
Aggregated—(True) Ports are attached to this trunk.
Link Aggregation: Port Table
The Port Table enables you to attach ports to a trunk.
Note: Only ports that are connected (Link Up) and operating in full duplex mode can be attached to a trunk.
To set the link aggregation port table parameters
1. Select Device > Link Aggregation > Port Table.
2. Select the port index to edit.
3. Configure the parameters, and click Set.
Parameter Description
Port Index (Read-only) The physical port index.
Port MAC (Read-only) The MAC address assigned to the port.
Trunk Index Values:
The trunk to which the port is attached
Unattached
Port Status (Read-only)
Values:
Individual—The Port is not attached to any trunk.
Aggregate—The Port is attached to a trunk.
Jumbo Frames Settings You can specify whether jumbo frames bypass the device or are discarded—available only on x412 platforms.
To configure the jumbo-frame settings
1. Select Device > Jumbo Frames.
2. Configure the parameters, and click Set.
Parameter Description
Jumbo Frames Mechanism Status
Values:
enable—The device inspects frames up to 9216 bytes.
disable—The device discards frames that are larger than 1550 bytes.
Default: disable
Notes:
Changing the configuration of this option takes effect only after a device reset.
When this option is enabled, all DDoS Protector monitoring and protection modules support monitoring, inspection, detection, and mitigation of traffic and attacks on packets up to 9216 bytes. For example, when this option is enabled, TCP Authentication using Transparent Proxy supports an additional maximum segment size (MSS) value to improve performance of the protected networks.
Jumbo Frames Bypass Values:
enable — Frames of 1550 – 9216 bytes bypass the device without any inspection or monitoring.
disable — The device discards frames that are larger than 1550 bytes.
Default: disable
Notes:
Changing the configuration of the option takes effect only after a device reset.
When the option is enabled on an x412 platform, there may be some negative effect on the following features: Packet Anomalies, Black and White Lists, and BDoS real-time signatures.
When the option is enabled on an x06 platform, there may be some negative effect on Black and White lists.
When the option is enabled, TCP SYN Protection may not behave as expected because the third packet in the TCP three-way handshake can include data and be in itself a jumbo frame.
When the option is enabled, some protections that rely on the DDoS Protector session table might produce false-negatives and drop traffic when all the session traffic bypasses the device in both directions for a period longer than Session Aging Time.
Traffic Exclusion This feature is available only on x412 platforms.
You can specify whether the device passes through all traffic that matches no network policy configured on the device — regardless of any other protection configured.
If Traffic Exclusion is enabled, to inspect traffic that matches a Server Protection policy, you must configure the Server Protection policy as a subset of the Network Protection policy.
To configure traffic exclusion
1. Select Device > Traffic Exclusion.
2. From the Traffic Exclusion Status drop-down list, select Enable or Disable, and click Set. Default: Enable.
Session Table
Session Table Global Parameters
DDoS Protector includes a Session table, which tracks sessions bridged and forwarded by the device.
To set the parameters for the session table
1. Select Device > Session Table > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Session Table Status Specifies whether the device uses the Session table.
Default: Enabled
Idle TCP-Session Aging Time The time, in seconds, that the Session table keeps idle TCP sessions.
Values: 1 – 7200
Default: 100
Idle UDP-Session Aging Time The time, in seconds, that the Session table keeps idle UDP sessions.
Values: 1 – 7200
Default: 100
Idle SCTP-Session Aging Time
The time, in seconds, that the Session table keeps idle SCTP sessions.
Values: 1 – 7200
Default: 100
Idle ICMP-Session Aging Time The time, in seconds, that the Session table keeps idle ICMP sessions.
Values: 1 – 7200
Default: 100
Idle GRE-Session Aging Time The time, in seconds, that the Session table keeps idle GRE sessions.
Values: 1 – 7200
Default: 100
Idle Other-Protocol-Session Aging Time
The time, in seconds, that the Session table keeps idle sessions of protocols other than TCP, UDP, SCTP, ICMP, or GRE.
Values: 1 – 7200
Default: 100
Session Table No Aging Mode Enables or disables the Session table no-aging mode. If enabled, the Session Table and Flow Table are not aged.
This parameter can only be configured if Session Table Lookup Mode is L4 Destination Port.
Session Table Lookup Mode The layer of address information that is used to categorize packets in the Session table.
Values:
Full L4—An entry exists in the Session table for each source IP, source port, destination IP, and destination port combination of packets passing through the device.
L4 Destination Port—Enables traffic to be recorded based only on the TCP/UDP destination port. This mode uses minimal Session table resources (only one entry for each port that is secured).
Default: Full L4
Caution: Check Point recommends that you always use the Full L4 option. When Session Table Lookup Mode is Layer 4 Destination Port, the following Protections do not work: Connection Rate Limit, HTTP Mitigator, HTTP Replies Signatures, Out-of-State protection.
Remove Session Table Entry at Session End
Specifies whether the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session within the Remove Session Entry at Session End Timeout period.
Default: Enabled
Remove Session Entry at Session End Time
(This option is supported only if Remove Session Entry at Session End is enabled.)
When Remove Session Entry at Session End is enabled, the time, in seconds, after which the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session.
Values: 1 – 60
Default: 5
Send Reset To Server Status Specifies whether the DDoS Protector device sends a RST packet to the destination of aged TCP sessions.
Values:
Enabled—DDoS Protector sends a RST packet to the destination and clears the entry in the DDoS Protector Session table.
Disabled—DDoS Protector ages the session normally (using the short SYN timeout), but the destination might hold the session for quite some time.
Default: Disabled
Advanced Session Table Global Parameters
To set the session table advanced configuration parameters
1. Select Device > Session Table > Advanced Configuration.
2. Configure the parameters, and click Set.
Parameter Description
Session-Table-Full Action The action that the device takes when the Session table is at full capacity.
Values:
Bypass New Sessions—The device bypasses new sessions until the Session table has room for new entries.
Block New Sessions—The device blocks new sessions until the Session table has room for new entries.
Default: Bypass New Sessions
Incomplete TCP-Handshake Timeout
How long, in seconds, the device waits for the three-way handshake to be completed for a new TCP session. When the timeout elapses, the device deletes the session and, if the Send Reset To Server option is enabled, sends a reset packet to the server.
Values:
0—The device uses the specified Session Aging Time.
1 – 10—The TCP Handshake Timeout in seconds.
Default: 10
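The Session table rules described in the two tables above (per-protocol idle aging, early removal after FIN/RST, the incomplete-handshake timeout, the table-full action and Send Reset To Server) as a small executable model. This is an added illustration, not Check Point's code: the class, field and method names are assumptions, and the simplified handshake tracking is noted in the comments; the timer values are the documented defaults.

```python
"""Model of the Session table aging rules (added illustration, not Check Point
code; names are assumptions, timers use the documented defaults)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Full L4 lookup: one entry per protocol, source IP/port, destination IP/port.
Key = Tuple[str, str, int, str, int]


@dataclass
class Session:
    created: int
    last_seen: int
    handshake_done: bool = False        # TCP only
    ended_at: Optional[int] = None      # time of the FIN or RST packet


@dataclass
class SessionTable:
    max_entries: int = 1000
    full_action: str = "bypass"         # Session-Table-Full Action: bypass | block
    idle_aging: Dict[str, int] = field(default_factory=lambda: {
        "tcp": 100, "udp": 100, "sctp": 100, "icmp": 100, "gre": 100, "other": 100})
    remove_at_end: bool = True          # Remove Session Table Entry at Session End
    remove_at_end_timeout: int = 5      # 1 - 60 seconds, default 5
    handshake_timeout: int = 10         # Incomplete TCP-Handshake Timeout, 0 = use aging
    send_reset_to_server: bool = False  # Send Reset To Server Status
    sessions: Dict[Key, Session] = field(default_factory=dict)
    resets_sent: List[Key] = field(default_factory=list)

    def packet(self, now: int, key: Key, flags: Tuple[str, ...] = ()) -> str:
        """Record a packet; returns 'tracked', 'bypassed' or 'blocked'."""
        s = self.sessions.get(key)
        if s is None:
            if len(self.sessions) >= self.max_entries:
                # Table full: new sessions are bypassed or blocked until room frees up.
                return "blocked" if self.full_action == "block" else "bypassed"
            s = self.sessions[key] = Session(created=now, last_seen=now)
        s.last_seen = now
        if key[0] == "tcp":
            # Simplified handshake tracking (assumption): the first ACK without
            # SYN is taken as the third packet of the three-way handshake.
            if "ACK" in flags and "SYN" not in flags:
                s.handshake_done = True
            if "FIN" in flags or "RST" in flags:
                s.ended_at = now
            else:
                # Any further packet within the end timeout cancels early removal.
                s.ended_at = None
        return "tracked"

    def age(self, now: int) -> List[Key]:
        """Expire entries according to the aging rules; returns the removed keys."""
        removed: List[Key] = []
        for key, s in list(self.sessions.items()):
            proto = key[0]
            limit = self.idle_aging.get(proto, self.idle_aging["other"])
            expired = now - s.last_seen >= limit
            if proto == "tcp":
                # FIN/RST seen and no packet since for remove_at_end_timeout seconds.
                if (self.remove_at_end and s.ended_at is not None
                        and now - s.ended_at >= self.remove_at_end_timeout):
                    expired = True
                # Three-way handshake never completed within handshake_timeout.
                if (self.handshake_timeout and not s.handshake_done
                        and now - s.created >= self.handshake_timeout):
                    expired = True
            if expired:
                del self.sessions[key]
                removed.append(key)
                if proto == "tcp" and self.send_reset_to_server:
                    self.resets_sent.append(key)  # RST towards the destination
        return removed
```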
Session Table Entries
To set the number of Session Table entries to be shown
1. Select Device > Session Table > View Table Query Results.
2. In the Maximum Displayed Entries text box, enter the number of Session table entries to be shown.
To set the session table query filters
1. Select Device > Session Table > View Table Query Results.
2. Click Create.
3. Configure the parameters, and click Set.
Parameter Description
Name A unique name of the filter.
Source IP The source IP within the defined subnet.
Source IP mask The source IP mask used to define the subnet that you want to present in the Session Table.
Dest IP The destination IP within the defined subnet.
Dest IP mask The destination IP mask used to define the subnet that you want to present in the Session Table.
Source Port The session source port.
Dest Port The session destination port.
IP Fragmentation In some cases, when the length of the IP packet is too long to be transmitted, the originator of the packet or one of the routers transmitting the packet has to fragment the packet to multiple shorter packets.
IP Fragmentation allows the device to forward fragmented IP packets. The device identifies that all the fragments belong to the same datagram and treats them accordingly in terms of classification, load balancing and forwarding. The device does not reassemble the original IP packet, but forwards the fragmented datagrams to their destination, even if the fragments arrive at the device out of order.
Note: In the case of asymmetric routing, where the device does not see all the fragments of a datagram, the device drops the incomplete fragments.
To set the IP fragmentation parameters
1. Select Device > IP Fragmentation.
2. Configure the parameters, and click Set.
Parameter Description
Status Allows you to enable or disable IP Fragmentation.
Note: Enabling IP Fragmentation requires a reboot.
Queueing-limit The percentage of IP packets that the device allocates for out-of-order fragmented IP datagrams.
Values: 0 – 100
Default: 25
Aging The amount of time, in seconds, that the device keeps the fragmented datagrams in the queue.
Values: 1 – 255
Default: 1
Device Overload Mechanism When the traffic load exceeds the processing capacity of the device, you can enable the Overload mechanism. This mechanism maintains a high level of availability and hardware/software stability, reducing traffic delays and packet loss.
The Overload mechanism identifies overload conditions, notifies about them, and automatically takes actions aimed at reducing the operations that consume resources.
Note: When the device operations are reduced, some of the security functionalities are compromised.
To enable the overload mechanism
1. Select Device > Overload Mechanism.
2. Select one of the following:
Enable to start the Overload mechanism.
Disable to stop the Overload mechanism.
3. Click Set.
High Availability
High Availability Global Parameters
To support high availability (HA), you can configure two compatible DDoS Protector devices to operate in a two-node cluster.
To be compatible, both cluster members must be of the same platform, software version, software license, throughput license, and Check Point signature file.
One member of the cluster is the primary; the other member of the cluster is the secondary. The primary device is the device with the High Availability Pair Definition.
When you configure a cluster and submit the configuration, the newly designated primary device configures the required parameters on the designated secondary device.
The members of a cluster work in an active-passive architecture.
When a cluster is created:
The primary and secondary devices negotiate the active/passive status according to the specified triggers and thresholds. If both device environments are nominal, the primary device becomes the active member.
The primary device transfers the relevant configuration objects to the secondary device.
A secondary device maintains its own configuration for the device users, IP interfaces, routing, and the port-pair Failure Mode (see Forwarding Table).
A primary device immediately transfers each relevant change to its secondary device. For example, after you make a change to a Network Protection policy, the primary device immediately transfers the change to the secondary device. However, if you change the list of device users on the primary device, the primary device transfers nothing (because the secondary device maintains its own list of device users).
The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections.
If a passive device does not detect the active device according to the specified Heartbeat Timeout, the device switches to the active state (even though the peer might actually be in a nominal situation).
The following situations trigger the active device and the passive device to switch states (active to passive and passive to active):
All links are identified as down on the active device according to the specified Link Down Timeout and the peer device has at least one link up.
Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the specified Idle Line Timeout.
You issue the Switch Over command.
If the Enable Failback option is enabled (default: disabled), the secondary device switches from active to passive after the secondary device detects that the primary-device situation is nominal.
You cannot perform many actions on a secondary device.
You can perform only the following actions on a secondary device:
Switch the device state (that is, switch over active to passive and passive to active)
Break the cluster if the primary device is unavailable
Configure management IP addresses and routing
Configure the port-pair Failure Mode.
Manage device users
Download a device configuration
Upload a signature file
Download the device log file
Download the support log file
Reboot
Shut down
Change the device name
Change the device time
Initiate a baseline synchronization if the device is passive, using CLI or Web Based Management.
Notes:
By design, an active device does not fail over during a user-initiated reboot. Before you reboot an active device, you can manually switch over to the other device in the cluster.
You can initiate a baseline synchronization if a cluster member is passive.
When you upgrade the device software, you need to break the cluster (that is, ungroup the two devices). Then, you can upgrade the software and reconfigure the cluster, as you require.
In an existing cluster, you cannot change the role of a device (primary to secondary or vice versa). To change the role of a device, you need to break the cluster (that is, ungroup the two devices), and then, reconfigure the cluster as you require.
When a passive device becomes active, any grace time resets to 0 (for example, the time of the Graceful Startup Mode Startup Timer).
To configure the global setting for high availability
1. Select Device > High Availability > Global Parameters.
2. Configure the parameter, and click Set.
Parameter Description
Mechanism Status Specifies whether the device is a member of a two-node cluster for high availability.
High Availability Advanced Configuration
Note: For more information on high availability, see Global Parameters.
To configure the advanced settings for high availability
1. Select Device > High Availability > Advanced Configuration.
2. Configure the parameters, and click Set.
Parameter Description
Baseline Sync Interval The interval, in seconds, at which the active device synchronizes the BDoS and HTTP Mitigator baselines.
Values: 3600 – 86,400
Default: 3600
Heartbeat Timeout The time, in seconds, during which the passive device detects no heartbeat from the active device before the passive device becomes active.
Values: 1 – 10
Default: 5
Link Down Timeout The time, in seconds, after all links to the active device are identified as being down before the devices switch states.
Values: 1 – 65,535
Default: 1
Note: If a dead link or idle line is detected on both cluster members, there is no switchover.
Switchover Sustain Timeout The time, in seconds, after a manual switchover that the cluster members will not change states.
Values: 30 – 3600
Default: 180
Idle Line Detection Status Specifies whether the devices switch states due to an idle line detected on the active device.
Default: disable
Note: If an idle line is detected on both cluster members, there is no switchover.
Total BW Threshold The minimum bandwidth, in Kbit/s, that triggers a switchover when the Idle Line Detection Status is enable.
Values: 512 – 4,294,967,296
Default: 512
Note: If Idle Line Detection Status is disable, this parameter is ignored.
Idle Line Timeout The time, in seconds, with line bandwidth below the Total BW Threshold that triggers a switchover when Idle Line Detection Status is enable.
Values: 3 – 65,535
Default: 10
Note: If Idle Line Detection Status is disable, this parameter is ignored.
Enable Failback Specifies whether the secondary device can automatically fail back to the primary.
Default: disable
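The switchover rules from the High Availability Global Parameters (heartbeat loss, all links down with the peer still having a link up, optional idle-line detection, manual switchover and failback) and the timers in the table above, as an executable model. This is an added illustration, not Check Point's code: the class and field names and the status snapshot are assumptions; the defaults and trigger conditions follow the parameter descriptions, and whether heartbeat loss is also held back during the Switchover Sustain Timeout is not stated on the page, so the model holds all triggers during that period.

```python
"""Model of the DDoS Protector HA switchover triggers (added illustration, not
Check Point code; names are assumptions, rules and defaults follow the guide)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HAConfig:
    """Advanced Configuration parameters with their documented defaults."""
    heartbeat_timeout: int = 5             # seconds, 1 - 10
    link_down_timeout: int = 1             # seconds, 1 - 65,535
    switchover_sustain_timeout: int = 180  # seconds, 30 - 3600
    idle_line_detection: bool = False      # Idle Line Detection Status, default disable
    total_bw_threshold_kbps: int = 512     # Kbit/s, 512 - 4,294,967,296
    idle_line_timeout: int = 10            # seconds, 3 - 65,535
    enable_failback: bool = False          # default disable


@dataclass
class MemberStatus:
    """Constructed status snapshot of one cluster member (hypothetical fields)."""
    links_up: int                 # number of links currently up on this member
    all_links_down_for: int       # seconds during which all its links were down
    line_bw_kbps: int             # current line bandwidth seen by this member
    bw_below_threshold_for: int   # seconds its bandwidth has been below the threshold
    heartbeat_silent_for: int     # seconds since the peer last heard its heartbeat


def switchover_reason(cfg: HAConfig, active: MemberStatus, passive: MemberStatus,
                      since_manual_switchover: Optional[int] = None) -> Optional[str]:
    """Return why the active and passive members should swap states, or None.

    `since_manual_switchover` is the number of seconds since a Switch Over
    command; within the Switchover Sustain Timeout the members keep their states
    (assumption: applied to every trigger, the guide only states the hold itself).
    """
    if (since_manual_switchover is not None
            and since_manual_switchover < cfg.switchover_sustain_timeout):
        return None

    # The passive member hears no heartbeat for Heartbeat Timeout: it becomes
    # active even though the peer might actually be in a nominal situation.
    if active.heartbeat_silent_for >= cfg.heartbeat_timeout:
        return "heartbeat timeout"

    # All links down on the active member for Link Down Timeout, and the peer
    # has at least one link up. Dead links on both members: no switchover.
    if (active.links_up == 0
            and active.all_links_down_for >= cfg.link_down_timeout
            and passive.links_up > 0):
        return "link down timeout"

    # Optional idle-line detection: traffic on the active member below the
    # Total BW Threshold for Idle Line Timeout. Idle on both members: no switchover.
    if cfg.idle_line_detection:
        def idle(m: MemberStatus) -> bool:
            return (m.line_bw_kbps < cfg.total_bw_threshold_kbps
                    and m.bw_below_threshold_for >= cfg.idle_line_timeout)
        if idle(active) and not idle(passive):
            return "idle line timeout"

    return None


def failback(cfg: HAConfig, secondary_is_active: bool, primary_nominal: bool) -> bool:
    """Enable Failback: an active secondary returns to passive once the primary is nominal."""
    return cfg.enable_failback and secondary_is_active and primary_nominal
```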
Pair Definition
High Availability Pair Definition
Note: For more information on high availability, see Global Parameters.
To define a high-availability pair
1. Select Device > High Availability > Pair Definition > Pair Parameters.
2. Configure the parameters, and click Set.
Parameter Description
MNG-1 Peer IP address The IP address of the MNG-1 port on the peer device.
MNG-2 Peer IP address The IP address of the MNG-2 port on the peer device.
Secondary User Name The name of the secondary device.
Secondary Password The password of the secondary device.
Update High Availability Pair Definition
Note: For more information on high availability, see Global Parameters.
To update a definition of a high-availability pair
1. Select Device > High Availability > Pair Definition > Update Pair.
2. Click Set.
High Availability Monitoring
You can monitor high-availability parameters.
Note: For more information on high availability, see Global Parameters.
To monitor high availability
Select Device > High Availability > Monitoring. The following information is displayed:
High-Availability Priority
High-Availability State
High-Availability Protection State
Last Successful Baseline Sync
Incompatibility Status (primary only)
Synchronization IP Interface
Peer IP
Switch Over
Note: For more information on high availability, see Global Parameters.
To switch over to the peer device
1. Select Device > High Availability > Switch Over.
2. Click Set.
Activate Baseline Sync with Peer Device
Note: For more information on high availability, see Global Parameters.
To activate a baseline sync with the peer device
1. Select Device > High Availability > Baseline Sync.
2. Click Set.
Reset Secondary
You can reset the secondary device when the device role is primary.
Note: For more information on high availability, see Global Parameters.
To reset the secondary device
1. Select Device > High Availability > Reset secondary.
2. Click Set.
Tunneling Carriers, service providers, and large organizations use various tunneling protocols to transmit data from one location to another. This is done using the IP network so that network elements are unaware of the data encapsulated in the tunnel.
Tunneling implies that traffic routing is based on source and destination IP addresses. When tunneling is used, IPS devices and load balancers cannot locate the relevant information because their decisions are based on information located inside the IP packet in a known offset, and the original IP packet is encapsulated in the tunnel.
To provide a carrier-grade IPS/DoS solution, DDoS Protector inspects traffic in tunnels, which enables positioning DDoS Protector at peering points and carrier network access points.
You can install DDoS Protector in different environments, which might include encapsulated traffic using different tunneling protocols. In general, wireline operators deploy MPLS and L2TP for their tunneling, and mobile operators deploy GRE and GTP.
DDoS Protector can inspect traffic that may use various encapsulation protocols. In some cases, the external header (tunnel data) is the data that DDoS Protector needs to inspect. In other cases, DDoS Protector needs to inspect the internal data (IP header and even the payload). You can configure DDoS Protector to meet your specific inspection requirements.
Note: Changing the configuration of this feature takes effect only after a device reset.
To configure tunneling
1. Select Device > Tunneling.
2. Configure the parameters, and click Set.
Parameter Description
Apply Black and White List Rules to the Encapsulated Headers
Specifies whether the device applies Black List and White List rules to the encapsulated headers.
Default: Disabled
Inspect Encapsulated GRE Traffic
Specifies whether the device inspects this type of traffic.
Default: Disabled
Inspect Encapsulated GTP Traffic
Specifies whether the device inspects this type of traffic.
Default: Disabled
Inspect Encapsulated L2TP Traffic
Specifies whether the device inspects this type of traffic.
Default: Disabled
Inspect VLAN (802.1Q) and MPLS Traffic
Specifies whether the device inspects this type of traffic.
Default: Disabled
Note: You can configure the device to inspect the traffic using the common Layer 2 tunneling protocols, VLAN (802.1Q) and MPLS. Inspecting these types of L2 tunnels, as part of the protection criteria, is essential in environments such as for Managed Security Service Providers (MSSP).
Inspect Encapsulated IP-in-IP Traffic
Specifies whether the device inspects this type of traffic.
Default: Disabled
Bypass IPSec Traffic Specifies whether the device bypasses IPsec traffic (that is, whether the device passes through IPsec traffic without inspection).
Default: Enabled
IP Version Mode The IP Version Mode pane enables you to set the IP version to IPv4 and IPv6, or to IPv4 only.
To set the IP version mode
1. Select Device > IP Version Mode.
2. From the drop-down list, select ipv4and6 or ipv4.
3. Click Set.
Dynamic Protocols
Dynamic Protocols: General
Check Point's Classification Engine classifies both static applications and dynamic applications. A dynamic application is an application that has multiple connections belonging to the same session. For example, FTP has a control session and a data session; SIP has signaling sessions, data sessions (RTP), and control sessions (RTCP).
In some scenarios, the dynamic sessions should remain in the Session Table longer than regular sessions. In VoIP, SIP, and H.225, for example, there may be a period with no traffic; however, the call is still active, and the session should not age.
You may configure different aging times for the various dynamic applications and configure different policies for different connections of the same session. In FTP, for example, you can set one policy for the FTP data and another policy for the FTP control.
Note: The default status for all Dynamic Protocols, other than SIP, is enabled.
You can set the aging time for the following Dynamic Protocols:
FTP
TFTP
Rshell
Rexec
H.225
SIP
Dynamic Protocols: FTP
The FTP Configuration window enables you to configure the control session and data session Aging Time for FTP Dynamic Protocol.
Note: When Dynamic Protocol Support is enabled for FTP, it is not possible to limit the bandwidth of a specific file download (using a filter for the RETR command and the file name).
To set the FTP dynamic protocol parameters
1. Select Device > Dynamic Protocols > FTP.
2. Configure the parameters, and click Set.
Parameter Description
Status Specifies whether to enable FTP Dynamic Protocol.
Control Session Aging Time The Control Session Aging Time, in seconds.
Default: 0
Data Session Aging Time The Data Session Aging Time, in seconds.
Default: 0
Dynamic Protocols: TFTP
The TFTP Configuration window enables you to configure the data session Aging Time for TFTP Dynamic Protocol.
To set the TFTP dynamic protocol parameters
1. Select Device > Dynamic Protocols > TFTP.
2. Configure the parameters, and click Set.
Parameter Description
Status Specifies whether to enable TFTP Dynamic Protocol.
Data Session Aging Time The Data Session Aging Time, in seconds.
Default: 0
Dynamic Protocols: Rshell
The Rshell Configuration window enables you to configure the control session and Error session Aging Time for Rshell.
To set the Rshell configuration parameters
1. Select Device > Dynamic Protocols > Rshell.
2. Configure the parameters, and click Set.
Parameter Description
Status Specifies whether to enable Rshell Dynamic Protocol.
Control Session Aging Time The Control Session Aging Time, in seconds.
Default: 0
Error Session Aging Time The Error Session Aging Time, in seconds.
Default: 0
Dynamic Protocols: Rexec
The Rexec Configuration window enables you to configure the control session and Error session Aging Time for Rexec.
To set the Rexec dynamic protocol parameters
1. Select Device > Dynamic Protocols > Rexec.
2. Configure the parameters, and click Set.
Parameter Description
Status Specifies whether to enable Rexec Dynamic Protocol.
Control Session Aging Time (sec) The Control Session Aging Time, in seconds.
Default: 0
Error Session Aging Time (sec) The Error Session Aging Time, in seconds.
Default: 0
Dynamic Protocols: H.225
The H.225 Configuration window enables you to configure the Control Session and H.245 Session Aging Time for H.225.
To set the H.225 configuration parameters
1. Select Device > Dynamic Protocols > H.225.
2. Configure the parameters, and click Set.
Parameter Description
Status Specifies whether to enable H.225 Dynamic Protocol.
Control Session Aging Time The Control Session Aging Time, in seconds.
Default: 0
H.245 Session Aging Time The H.245 Session Aging Time, in seconds.
Default: 0
Dynamic Protocols: SIP
The SIP Configuration window enables you to configure the Signaling session, RTCP session, and SIP TCP Segments Aging Time for SIP.
Note: Enabling and Disabling Dynamic Protocol Support for SIP requires reboot.
To set the SIP dynamic protocol parameters
1. Select Device > Dynamic Protocols > SIP.
2. Configure the parameters, and click Set.
Parameter Description
Status Specifies whether to enable SIP Dynamic Protocol.
Signaling Session Aging Time The Signaling Session Aging Time, in seconds.
Default: 20
RTCP Session Aging Time The RTCP Session Aging Time, in seconds.
Default: 0
SIP TCP Segments Aging Time When SIP runs over TCP and packets are segmented, the SIP TCP Segments Aging Time parameter indicates how long the device keeps the packet.
Default: 5
Chapter 4
Configuring Router Parameters
IP Router
Operating Parameters
The IP Router Parameters window enables you to monitor, add, and edit router settings.
To set the IP router parameters
1. Select Router > IP Router > Operating Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Inactive ARP Timeout The time, in seconds, that inactive ARP cache entries can remain in the ARP table before the device deletes them. If an ARP cache entry is not refreshed within this period, it is assumed that there is a problem with that address.
Default: 60,000
ARP Proxy Specifies whether the device responds to ARP requests for nodes located on a different, directly connected subnet. (The device responds with its own MAC address.)
Values:
Enabled—The device responds to all ARP requests.
Disabled—The device responds only to ARP requests for its own IP addresses.
Default: Disabled
ICMP Error Messages
Specifies whether ICMP error messages are generated.
Interface Parameters
To configure an interface
1. Select Router > IP Router > Interface Parameters.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
IP Address The IP address of the interface.
Network Mask The associated subnet mask.
If Number The interface identifier. If the interface is a VLAN, the included interfaces are listed in the box in the Edit window.
Fwd Broadcast Specifies whether the device forwards incoming broadcasts to this interface.
Broadcast Addr Specifies whether to fill the host ID in the broadcast address with ones or zeros.
VlanTag The VLAN tag to be associated with this IP interface.
When multiple VLANs are associated with the same switch port, the switch needs to identify to which VLAN to direct incoming traffic from that specific port. VLAN tagging provides an indication in the Layer 2 header, which enables the switch to make the correct decision.
Peer Address The address of the peer.
To update the ICMP interface parameters
1. Select Router > IP Router > Interface Parameters.
2. Click on the IP address of the ICMP interface that you want to update.
3. Configure the parameters, and click Set.
Parameter Description
IP Address The IP address of the interface.
Advert. Address The IP destination address for multicast Router Advertisements sent from the interface. Possible values are the all-systems multicast address, 224.0.0.1, or the limited-broadcast address, 255.255.255.255.
Max Advert. Interval The maximum time, in seconds, between multicast Router Advertisements from the interface. Possible values are between the Minimum Advert Interval defined below and 1800 seconds.
Min Advert. Interval The minimum time, in seconds, between sending unsolicited multicast Router Advertisements from the interface. Possible values are between 3 seconds and the maximum interval defined above. Default value is 0.75 of the Maximum Interval.
Advert. Lifetime The maximum time, in seconds, the advertised addresses are considered valid. Must be no less than Maximum Interval defined above, and no greater than 9000 seconds. Default value is three times the Maximum Advert Interval.
Advertise Specifies whether the device advertises its IP address using ICMP Router Advertisements.
Preference Level The preference level of the address as a default router address, relative to other router addresses on the same subnet.
Reset to Defaults Resets the ICMP interface parameters to the default values.
Routing Table
DDoS Protector supports IP routing compliant with RFC1812 router requirements. Dynamic addition and deletion of IP interfaces is supported. This ensures that extremely low latency is maintained.
IP router supports RIP I, RIP II and OSPF routing protocols. OSPF is an intra-domain IP routing protocol, intended to replace RIP in bigger or more complex networks. OSPF and its MIB are supported as specified in RFC 1583 and RFC 1850, with some limitations.
To configure a route
1. Select Router > Routing Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Destination Address The destination IP address of this route.
Network Mask The destination network mask of this route.
Next Hop The address of the next system of this route, local to the interface.
Interface Index The IF Index of the local interface through which the next hop of this route is reached.
Type How remote routing is handled.
Values:
remote—Forwards packets.
reject—Discards packets.
Metric The number of hops to the destination network.
ARP Table
The ARP (Address Resolution Protocol) Table window allows you to update and create ARP addresses on the local route.
To update an existing ARP
1. Select Router > ARP Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Interface Index The interface number on which the station resides.
IP Address The station's IP address.
MAC Address The station's MAC address.
Type Values:
Other
Invalid
Dynamic—The entry is learned from the ARP protocol. If the entry is not active for a predetermined time, the node is deleted from the table.
Static—The entry has been configured by the network management station and is permanent.
Chapter 5
Configuring DDoS Protector Parameters
DoS Signatures
Application Security
Application Security Global Parameters
Application Security is a mechanism that delivers advanced attack detection and prevention capabilities. This mechanism is used by several security modules to provide maximum protection for network elements, hosts, and applications.
To set the application security global parameters
1. Select DDoS Protector > DoS Signatures > Application Security > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Protection Status Select enable to start protection.
Default: enable.
MAX URI Length The maximum URI length permitted. If URI is longer than the configured value, this URI is considered as illegitimate and is dropped.
Default: 500
MIN fragmented URI packet Size The minimum permitted size, in bytes, of an incomplete URI in an HTTP request. A shorter packet length is treated as URI protocol anomaly and is dropped.
Default: 50
Security Tracking Tables Free-Up Frequency [ms] How often, in milliseconds, the device clears unnecessary entries from the table and stores information about newly detected security events.
Default: 1250
Unicode Encoding The language encoding (the language and character set) to use for detecting security events.
Tcp Reassembly Mechanism Status Specifies whether the device tries to reassemble fragmented TCP packets.
Default: enable
Session-Drop Mechanism Status When enabled, terminates the whole session when a single malicious packet is recognized.
Default: enable
DoS Shield
DoS Shield Global Parameters
The DoS Shield Global Parameters window enables you to enable the DoS Shield module and set its global parameters.
The DoS Shield mechanism implements the Sampling algorithm, and accommodates traffic flooding targeted to create denial of the network services. Prior to using DoS Shield, you need to enable the DoS Shield module.
To configure DoS shield global parameters
1. Select DDoS Protector > DoS Signatures > DoS Shield > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Protection Status Specifies whether the DoS Shield module is enabled.
Sampling Rate The rate at which packets are sampled and compared to the Dormant Attacks. The configured number N means that one out of every N packets is sampled.
Default: 100—that is, 1 out of 100 packets is checked.
Sampling Frequency How often, in seconds, DoS Shield compares the predefined thresholds for each Dormant Attack to the current value of the counters of packets matching the attack.
Default: 5
Filters
Basic Filters
Basic Static Filters
The Basic Static Filters window enables you to view the Basic Filters. Each Basic Filter constitutes protection against a specific attack: it carries a specific attack signature and protection parameters.
The Advanced Filter represents a logical AND between two or more Basic Filters. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one basic filter to protect against them.
Note: You can create the Advanced Filters using the user-defined Basic Filters only.
To view the basic static filters
1. Select DDoS Protector > DoS Signatures > Filters > Basic Filters > Static.
2. Select the basic static filter for which you want to view the details.
Basic User Filters
Note: If you edit the parameters of a filter that is bound to an existing policy, you need to activate the latest changes.
To create a basic filter
1. Select DDoS Protector > DoS Signatures > Filters > Basic Filters > User.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Name The name of the filter.
Protocol The protocol used.
Values: IP, UDP, TCP, ICMP
Source App. Port The source application ports.
Destination App. Port The destination application ports.
Values: 0 - 65535
Default: 0
OMPC Offset The location in the packet from which the checking of data is started in order to find specific bits in the IP/TCP header.
Values: 0 - 1513
Default: 0
OMPC Offset Relative to Specifies to which OMPC offset the selected offset is relative.
Values:
None
IP Header
IP Data
L4 Data
Ethernet
L4 Header
IPV6 Header
Default: None
OMPC Mask The mask for the OMPC data. Possible values: a combination of hexadecimal digits (0-9, a-f). The value must be defined according to the OMPC Length parameter.
The OMPC Mask parameter definition must contain 8 symbols. If the OMPC Length value is lower than fourBytes, you need to complete it with zeros.
For example, if OMPC Length is twoBytes, OMPC Mask can be: abcd0000.
Default: 00000000
OMPC Pattern The fixed-size pattern within the packet that the OMPC rule attempts to find. Possible values: a combination of hexadecimal digits (0-9, a-f). The value must be defined according to the OMPC Length parameter.
The OMPC Pattern parameter definition must contain 8 symbols. If the OMPC Length value is lower than fourBytes, you need to complete it with zeros.
For example, if OMPC Length is twoBytes, OMPC Pattern can be: abcd0000.
Default: 00000000
OMPC Condition The OMPC condition can be either N/A, equal, notEqual, greaterThan or lessThan.
Default: N/A
OMPC Length The length of the OMPC (Offset Mask Pattern Condition) data.
Values: N/A, oneByte, twoBytes, threeBytes, fourBytes
Default: N/A
Content Offset The location in the packet from which the checking of content is started.
Values: 0 - 1513
Default: 0
Distance A range that defines the allowed distance between two content characters. If the distance is beyond the specified range, it is recognized as an attack.
Content Contains the actual value of the content search.
Values: < space > ! " # $ % & ' ( ) * + , -. / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~ .
Content Type Enables the user to search for a specific content type.
Values:
None
URL—In the HTTP Request URI. No normalization procedures are taken.
Normalized URL—To avoid evasion techniques when classifying HTTP-GET requests, the URL content is transformed into its canonical representation, to interpret the URL in the same way the server would. The normalization procedure supports the following cases:
Directory referencing by reducing '/./' into '/' or "A/B/../" to "A/";
Changing backslash ('\') to slash ('/');
Changing HEX encoding to ASCII characters. For example the hex value %20 is changed to " " (space).
Unicode support, UTF-8 and IIS encoding.
Host Name—In the HTTP Header
Text—Anywhere in the packet
HTTP Header Field—In the HTTP Header
Mail Domain—In the SMTP Header
Mail To—In the SMTP Header
Mail From—In the SMTP Header
Mail Subject—In the SMTP Header
Regular Expression: Anywhere in the packet
Header Type—HTTP Header field. The "Content" field includes the header field name, and the "Content data" field includes the field value
File Type—The type of the requested file in the http GET command (jpg, exe, and so on).
POP3 User—User field in the POP3 Header.
Cookie Data—HTTP cookie field. The "content" field includes the cookie name, and the "content data" field includes the cookie value
FTP Content—Scans the data transmitted using FTP, performing normalization of the FTP packets and stripping of telnet opcodes.
FTP Command—Performs parsing of FTP commands to commands and arguments, while performing normalization of the FTP packets and stripping of telnet opcodes.
RPC—Reassembles RPC requests over several packets.
The RPC standard (RFC 1831) provides a feature called Record Marking Standard (RM), which is used to delimit several RPC requests sent on top of the transport protocol. For stream-oriented transports such as TCP, RPC uses a form of fragmentation to delimit the records. Beyond its original purpose, fragmentation may also split records in the middle rather than only at their boundaries, and in some cases this can be used to evade IPS systems; reassembling the requests before inspection prevents that.
Default: N/A
Note: The following two content types appear in devices with the SME card only.
HTTP Reply Header—The header of the HTTP reply.
HTTP Reply Data—The data of the HTTP reply.
Content Max Length The maximum length to be searched within the selected Content Type. The Content Max Length value must be equal to or greater than the Offset value.
Values: 0 – 1513
Default: 0
Content Data Refers to the search for the content within the packet.
Values: N/A, URL, Text
Content Encoding Application Security can search for content in languages other than English, for case sensitive or case insensitive text as well as hexadecimal strings. The value of this field corresponds to the Content Type parameter.
Values:
None
Case Insensitive
Case Sensitive
HEX
International
Default: None
Content Data Encoding Application Security can search for data in languages other than English, for case sensitive or case insensitive data as well as hexadecimal strings. The value of this field corresponds to the Content Type parameter.
Values:
None
Case Insensitive
Case Sensitive
HEX
International
Default: None
Content Regular Expression Allows you to search for the content type anywhere in the packet.
Values:
Yes
No
Content Data Reg Expression
Values:
Yes
No
Packet Size Type The content for which the size is measured.
Values:
L2—The complete packet size is measured, including L2 headers.
L3—The L2 Data part of the packet is measured (excluding the L2 headers).
L4—The L3 Data part of the packet is measured (excluding the L2/L3 headers).
L7—The L4 Data part of the packet is measured (excluding the L2/L3/L4 headers).
Session Type This parameter enables you to create different basic filter connection types for Dynamic Protocols. For example, you can create a Basic Filter for FTP Data, SIP Video, TFTP Control, and other Dynamic Protocols.
Session Type Direction Limits the classification according to the direction of the session.
Values: Only to request packets, Reply packets, all the packets belonging to the session
Packet Size Range The range of values for the packet size.
Notes:
The size is measured per packet only.
The size is not applied on reassembled packets.
Fragmentation of L4-L7 packets may result in tails that do not contain the L4-L7 headers. The check in such cases is bypassed, as no match to the Type = L4-L7 is detected.
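The OMPC parameters above (Offset, Offset Relative to, Mask, Pattern, Condition, Length) describe a fixed-position byte check. The following is an added illustration of how such a check is evaluated against a frame; it is not Check Point's code. The frame-layout helper, the function names, the treatment of "None" as an absolute frame offset and the constructed Ethernet/IPv4/TCP sample frames are this example's own assumptions.

```python
"""OMPC (Offset Mask Pattern Condition) matching as an added illustration of
the Basic Filter parameters. Not Check Point's implementation; the helpers and
frame layout assumptions below belong to this example only."""
import struct

# OMPC Length values from the filter table, mapped to a byte count.
LENGTHS = {"oneByte": 1, "twoBytes": 2, "threeBytes": 3, "fourBytes": 4}


def header_offsets(frame: bytes) -> dict:
    """Byte offsets of the reference points named by 'OMPC Offset Relative to'.

    Assumption: an untagged Ethernet II frame carrying IPv4. 'IP Data' and
    'L4 Header' both begin at the first byte after the IPv4 header.
    """
    eth_len = 14
    ihl = (frame[eth_len] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[eth_len + 9]                 # IPv4 protocol field
    l4_start = eth_len + ihl
    if proto == 6:                             # TCP: data offset in 32-bit words
        l4_len = (frame[l4_start + 12] >> 4) * 4
    else:                                      # UDP, ICMP: 8-byte header assumed
        l4_len = 8
    return {
        "None": 0,                             # assumption: absolute offset in frame
        "Ethernet": 0,
        "IP Header": eth_len,
        "IP Data": l4_start,
        "L4 Header": l4_start,
        "L4 Data": l4_start + l4_len,
    }


def ompc_match(frame: bytes, offset: int, relative_to: str, mask_hex: str,
               pattern_hex: str, condition: str, length: str) -> bool:
    """Apply one OMPC rule to a frame and report whether it matches.

    Mask and pattern are the 8-hex-symbol strings from the filter table; only
    the first `length` bytes of each are meaningful, the rest is zero padding.
    """
    if condition == "N/A" or length == "N/A":
        return True                            # OMPC not configured: no constraint
    n = LENGTHS[length]
    start = header_offsets(frame)[relative_to] + offset
    if start + n > len(frame):
        return False                           # window runs past the packet: no match
    shift = 8 * (4 - n)
    mask = int(mask_hex, 16) >> shift
    pattern = int(pattern_hex, 16) >> shift
    value = int.from_bytes(frame[start:start + n], "big") & mask
    if condition == "equal":
        return value == pattern
    if condition == "notEqual":
        return value != pattern
    if condition == "greaterThan":
        return value > pattern
    if condition == "lessThan":
        return value < pattern
    raise ValueError(f"unknown OMPC condition {condition!r}")


def build_tcp_frame(dst_port: int, flags: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (no payload) used as sample input."""
    eth = bytes(12) + b"\x08\x00"             # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, flags,
                      65535, 0, 0)
    return eth + ip + tcp


# A rule that flags TCP segments with both SYN and FIN set: the flags byte is at
# offset 13 of the TCP header and the mask keeps only those two bits (0x03).
SYN_FIN_RULE = dict(offset=13, relative_to="L4 Header", mask_hex="03000000",
                    pattern_hex="03000000", condition="equal", length="oneByte")


def is_syn_fin(frame: bytes) -> bool:
    return ompc_match(frame, **SYN_FIN_RULE)


def dst_port_below_1024(frame: bytes) -> bool:
    """Two-byte OMPC on the TCP destination port with a lessThan condition."""
    return ompc_match(frame, 2, "L4 Header", "ffff0000", "04000000",
                      "lessThan", "twoBytes")


if __name__ == "__main__":
    print("SYN+FIN:", is_syn_fin(build_tcp_frame(80, 0x03)))    # True
    print("SYN only:", is_syn_fin(build_tcp_frame(80, 0x02)))   # False
```

The mask is applied before the comparison, so a rule can test individual header bits (as the SYN+FIN rule does) without caring about the other flags in the same byte; a window that extends past the end of the packet simply does not match, which mirrors the note above that truncated fragments bypass the check.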
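The Normalized URL content type above lists the transformations applied before a URL signature is compared: reducing '/./' and 'A/B/../', turning backslashes into slashes, decoding HEX escapes, and handling UTF-8 and IIS encoding. The following added example implements those steps so the effect on a signature match can be seen; it is illustrative code written for this page, not Check Point's implementation, and the function names, the single-pass decoding choice and the constructed request URIs are its own assumptions.

```python
"""Added example of the URL normalization steps listed for the Normalized URL
content type. Not Check Point's implementation; names and decoding policy are
this example's own."""
import re

HEX2 = re.compile(r"^[0-9A-Fa-f]{2}$")
HEX4 = re.compile(r"^[0-9A-Fa-f]{4}$")


def percent_decode(url: str) -> str:
    """Decode %XX escapes as UTF-8 bytes and %uXXXX (IIS style) as code points.

    One pass only (assumption of this example): '%252e' becomes '%2e', not '.'.
    """
    buf = bytearray()
    i = 0
    while i < len(url):
        ch = url[i]
        if ch == "%" and url[i + 1:i + 2] in ("u", "U") and HEX4.match(url[i + 2:i + 6]):
            buf += chr(int(url[i + 2:i + 6], 16)).encode("utf-8")
            i += 6
        elif ch == "%" and HEX2.match(url[i + 1:i + 3]):
            buf.append(int(url[i + 1:i + 3], 16))
            i += 3
        else:
            buf += ch.encode("utf-8")
            i += 1
    # Malformed UTF-8 is replaced rather than rejected, so every request still
    # yields a canonical string that the signatures can be run against.
    return buf.decode("utf-8", errors="replace")


def normalize_url(url: str) -> str:
    """Return the canonical path the server would resolve for `url`."""
    path = percent_decode(url).replace("\\", "/")
    absolute = path.startswith("/")
    trailing = path.endswith("/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                      # '/./' (and '//') add nothing
        if seg == "..":
            if segments:
                segments.pop()            # 'A/B/../' -> 'A/'; never above the root
            continue
        segments.append(seg)
    out = ("/" if absolute else "") + "/".join(segments)
    if trailing and segments:
        out += "/"
    return out


def url_signature_matches(url: str, signature: str) -> bool:
    """Compare a request URI with a signature on the normalized form of both,
    so spelling variants of the same path do not slip past the signature."""
    return normalize_url(signature) in normalize_url(url)


# Constructed request URIs that all resolve to the same path on the server.
VARIANTS = [
    "/images/logo.png",
    "/images/./logo.png",
    "/images/icons/../logo.png",
    "/images\\logo.png",
    "/%69mages/logo%2epng",
    "/images/%u006Cogo.png",
]

if __name__ == "__main__":
    for variant in VARIANTS:
        print(f"{variant!r:32} -> {normalize_url(variant)!r}")
```

A plain URL content match would treat each of the six variants as a different string; after normalization they compare equal, which is the evasion resistance the Normalized URL option provides. Decoding is deliberately done once here, so a doubly encoded sequence such as %252e is left as %2e rather than resolved to a dot.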
Advanced Filters
Advanced Filters: Static
The Advanced Filter represents a logical AND between two or more Basic Filters. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one basic filter to protect against them.
Note: You can create the Advanced Filters using the Advanced User Filters.
Use the Static Advanced Filter table to view static Advanced Filters.
To view the static Advanced Filters
Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > Static. The Advanced Filters Table is displayed with the following parameters:
Parameter Description
Name The name of the filter.
Number of Filters The number of filters for this entry.
Note: To view the configuration of a filter, click on it.
Advanced Filters: User
The advanced filter represents a logical AND relation between two or more basic filters. Some attacks have a complex signature comprised of several patterns and content strings. The system requires more than one basic filter to protect against such attacks.
Note: Once all associated filters are deleted from the advanced filter, the advanced filter is erased.
To create an advanced user filter
1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > User.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Advanced Enter the name of the Advanced Filter.
Basic Select a Basic Filter from the drop-down list.
To add a basic filter to an existing advanced user filter
1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > User.
2. Click Create.
3. From the Basic drop-down list, select the basic filter to add to the advanced filter and click Set.
To delete an advanced user filter
1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > User.
2. Select the advanced filter to delete.
3. Select the checkboxes of all the basic filters in the advanced filter and click Delete.
Attacks
Static Attacks
The Attacks Database contains attacks provided by Check Point. You can add user-defined attacks to reflect specific needs of your network, or edit the existing attacks.
The Signature Protection Static Attack Configuration window enables you to edit existing attack parameters.
To edit a static attack
1. Select DDoS Protector > DoS Signatures > Attacks > Static.
2. Select a static attack.
3. Configure the parameters, and click Set.
Parameter Description
ID (Read-only) The unique identifying number.
Attack Name (Read-only) The name for this attack. The Attack Name is used when DoS Shield sends information about attack status changes.
Filter Name (Read-only) The filter assigned to this attack.
Tracking Time The time, in milliseconds, in which the Threshold is measured. When a number of packets that is greater than the threshold value passes through the device, during this defined period, the device recognizes it as an attack.
Value: 1000
Tracking Type Specifies how the protection determines which traffic to block or drop when under attack.
Values:
Drop All—Select this option when each packet of the defined attack is harmful, for example, Code Red and Nimda attacks.
Source Count—Select this option when the defined attack is source-based—that is, the attack can be recognized by its source address, for example, a Horizontal Port Scan, where the hacker scans a certain application port (TCP or UDP) to detect which servers are available in the network.
Target Count—Select this option when the defined attack is destination-based, meaning the hacker is attacking a specific destination such as a Web server, for example, Ping Flood and DDoS attacks.
Source and Destination Count—Select this option when the attack type is a source and destination-based attack—that is, the hacker is attacking from a specific source IP to a specific destination IP address, for example, Port Scan attacks.
landattack
fragments
ncpsdcan
dhcp
ftpbounce
bobo2K
Sampling—Select this option when the defined attack is based on sampling, that is, a DoS Shield attack.
Action Mode The action that the protection takes when an attack is detected.
Values:
Report Only—The packet is forwarded to the defined destination.
Drop—The packet is discarded.
Reset Source—Sends a TCP-Reset packet to the packet Source IP.
Reset Destination—Sends a TCP-Reset packet to the destination address.
Reset BiDirectional—Sends a TCP reset packet to both the packet source IP and the packet destination IP.
MM7—If the packet contains a threat, the device drops the message and sends an application-level error message to the server to remove the message from the queue to prevent a re-transmission. It contains Transaction ID, Content Length, and Message ID.
State Enables or disables the Attack Status.
There are cases where you may need to temporarily disable an attack from a static group. For example, if you suspect that a certain attack introduces false positives, and you would like to disable that specific attack only.
Setting the attack status to Disable means that the attack is disabled but not removed from the group.
Direction A certain protection policy may contain attacks that should be searched only for traffic from client to server or only on traffic from server to client.
To provide simple and efficient scanning configuration you can set per attack the traffic direction for which it is relevant.
Values:
Inbound—On traffic from policy Source to policy Destination
Outbound—On traffic from policy Destination to policy Source
In-Out Bound—On all traffic between policy Source and policy Destination
Suspend Action This functionality allows the user to define that for certain attacks, in addition to the action defined in the attack, the device should also suspend traffic from the IP address that was the source of the attack, for a period of time.
Values:
None—Suspend action is disabled for this attack.
SrcIP—All traffic from the IP address identified as source of this attack will be suspended.
SrcIP, DestIP—Traffic from the IP address identified as source of this attack to the destination IP under attack will be suspended.
SrcIP, DestPort—Traffic from the IP address identified as source of this attack to the application (destination port) under attack will be suspended.
SrcIP, DestIP, DestPort—Traffic from the IP address identified as source of this attack to the destination IP and port under attack will be suspended.
SrcIP, DestIP, SrcPort, DestPort—Traffic from the IP address and port identified as source of this attack to the destination IP and port under attack will be suspended.
Active Threshold When this threshold is exceeded, the status of the attack is changed to Currently Active. This is only relevant when the Attack Status was configured as Dormant.
The maximum number of attack packets allowed in each Tracking Time unit. Attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period.
When the value for Tracking Type is Drop All, the protection ignores this parameter.
Exclude Src The source IP address or network whose packets the protection does not inspect.
Drop Threshold After an attack has been detected, the device starts dropping excessive traffic only when this threshold is reached. This parameter is measured in PPS.
When the value for Tracking Type is Drop All, the protection ignores this parameter.
Exclude Dest The destination IP address or network whose packets the protection does not inspect.
Term Threshold When the attack PPS rate drops below this threshold, the protection changes the attack from active mode to inactive mode.
When the value for Tracking Type is Drop All, the protection ignores this parameter.
Packet Trace Specifies whether the protection sends attack packets to the specified physical port.
User Attacks
The Attacks Database contains attacks provided by Check Point. You can add user-defined attacks to reflect specific needs of your network, or edit the existing attacks.
The Signature Protection User Attack Configuration window enables you to create attack parameters.
To create a user attack
1. Select DDoS Protector > DoS Signatures > Attacks > User.
2. Select Create.
3. Configure the parameters, and click Set.
Parameter Description
ID The unique identifying number.
Attack Name The name for this attack. The Attack Name is used when DoS Shield sends information about attack status changes.
Filter Name The filter assigned to this attack.
Tracking Time The time, in milliseconds, in which the Threshold is measured. When a number of packets that is greater than the threshold value passes through the device during this defined time period, the device recognizes it as an attack.
Value: 1000
Tracking Type Specifies how the protection determines which traffic to block or drop when under attack.
Values:
Drop All—Select this option when each packet of the defined attack is harmful, for example, Code Red and Nimda attacks.
Source Count—Select this option when the defined attack is source-based—that is, the attack can be recognized by its source address, for example, a Horizontal Port Scan, where the hacker scans a certain application port (TCP or UDP) to detect which servers are available in the network.
Target Count—Select this option when the defined attack is destination-based, meaning the hacker is attacking a specific destination such as a Web server, for example, Ping Flood and DDoS attacks.
Source and Destination Count—Select this option when the attack type is a source and destination-based attack—that is, the hacker is attacking from a specific source IP to a specific destination IP address, for example, Port Scan attacks.
landattack
fragments
ncpsdcan
dhcp
ftpbounce
bobo2K
Sampling—Select this option when the defined attack is based on sampling, that is, a DoS Shield attack.
Default: Sampling
Action Mode The action that the protection takes when an attack is detected.
Values:
Report Only—The packet is forwarded to the defined destination.
Drop—The packet is discarded.
Reset Source—Sends a TCP-Reset packet to the packet Source IP.
Reset Destination—Sends a TCP-Reset packet to the destination address.
Reset BiDirectional—Sends a TCP reset packet to both the packet source IP and the packet destination IP.
MM7—If the packet contains a threat, the device drops the message and sends an application-level error message to the server to remove the message from the queue to prevent a re-transmission. It contains Transaction ID, Content Length, and Message ID.
Default: Drop
State Enables or disables the Attack Status.
There are cases where you may need to temporarily disable an attack from a static group. For example, if you suspect that a certain attack introduces false positives, and you would like to disable that specific attack only.
Setting the attack status to Disable means that the attack is disabled but not removed from the group.
Default: Enable.
Direction A certain protection policy may contain attacks that should be searched only for traffic from client to server or only on traffic from server to client.
To provide simple and efficient scanning configuration you can set, per attack, the traffic direction for which it is relevant.
Values:
In Bound—On traffic from policy Source to policy Destination
Out Bound—On traffic from policy Destination to policy Source
In-Out Bound—On all traffic between policy Source and policy Destination
Suspend Action This functionality allows the user to define that for certain attacks, in addition to the action defined in the attack, the device should also suspend traffic from the IP address that was the source of the attack, for a period of time.
Values:
None—Suspend action is disabled for this attack.
SrcIP—All traffic from the IP address identified as the source of this attack will be suspended.
SrcIP, DestIP—Traffic from the IP address identified as source of this attack to the destination IP under attack will be suspended.
SrcIP, DestPort—Traffic from the IP address identified as source of this attack to the application (destination port) under attack will be suspended.
SrcIP, DestIP, DestPort—Traffic from the IP address identified as source of this attack to the destination IP and port under attack will be suspended.
SrcIP, DestIP, SrcPort, DestPort—Traffic from the IP address and port identified as source of this attack to the destination IP and port under attack will be suspended.
Default: None
Active Threshold
When this threshold is exceeded, the status of the attack changes to Currently Active. This is relevant only when the Attack Status is configured as Dormant.
The threshold is the maximum number of attack packets allowed in each Tracking Time unit. Attack packets transmitted at or below this rate within the Tracking Time period are treated as legitimate traffic.
When the value for Tracking Type is Drop All, the protection ignores this parameter.
Default: 50
Exclude Src The source IP address or network whose packets the protection does not inspect.
Default: None
Drop Threshold
After an attack has been detected, the device starts dropping excessive traffic only when this threshold is reached. This parameter is measured in PPS.
When the value for Tracking Type is Drop All, the protection ignores this parameter.
Default: 50
Exclude Dest The destination IP address or network whose packets the protection does not inspect.
Default: None
Term Threshold
When the attack PPS rate drops below this threshold, the protection changes the attack from active mode to inactive mode.
When the value for Tracking Type is Drop All, the protection ignores this parameter.
Default: 50
Packet Trace Specifies whether the protection sends attack packets to the specified physical port.
Default: disable
Exclude Attacks
Use the Signature Protection Attacks Excluded Addresses Configuration pane to exclude particular attacks from your network definitions.
To exclude signature protection attacks
1. Select DDoS Protector > DoS Signatures > Exclude Attacks.
2. Click Create.
3. Configure the parameters, and click Set.
Parameter Description
Attack ID The ID of the attack not to be included in policy.
Attack Name The name of the attack.
Source Network The source IP address for the excluded attack.
Destination Network The destination IP address for the excluded attack.
Denial of Service
Behavioral DoS
Behavioral DoS: Global Parameters
Behavioral DoS (Behavioral Denial of Service) Protection, which you can use in your network-protection policy, defends your network from zero-day network-flood attacks. These attacks fill available network bandwidth with irrelevant traffic, denying use of network resources to legitimate users. The attacks originate in the public network and threaten Internet-connected organizations.
The Behavioral DoS profiles detect traffic anomalies and prevent zero-day, unknown, flood attacks by identifying the footprint of the anomalous traffic.
Network-flood protection types include:
TCP floods—which include TCP Fin + ACK Flood, TCP Reset Flood, TCP SYN + ACK Flood, and TCP Fragmentation Flood
UDP flood
ICMP flood
IGMP flood
Before you configure BDoS Protection profiles, enable BDoS Protection.
Note: Changing the setting of this parameter requires a reboot to take effect.
To enable Behavioral DoS
1. Select DDoS Protector > Behavioral DoS > Global Parameters.
2. Select Enable from the drop-down list.
Advanced
Behavioral DoS Profiles Advanced
A Behavioral DoS profile defines the set of protocols for protection, which can then be assigned to the Behavioral DoS policy.
Use the Behavioral DoS Profiles Advanced Configuration pane to configure Behavioral DoS profiles with advanced parameters, which include manual quota settings.
Recommended settings for policies that include Behavioral DoS profiles are as follows:
Configure policies containing Behavioral DoS profiles using Networks with source = Any (the public network) and destination = Protected Network. It is recommended to create multiple Behavioral DoS rules, each one protecting a specific server segment (for example, the DNS server segment, the Web server segment, the Mail server segment, and so on). This ensures optimized learning of normal traffic baselines.
It is not recommended to define a network with both Source and Destination set to Any, because the device then collects statistics globally without regard to inbound and outbound directions. This may result in lowered sensitivity when detecting attacks.
When the Direction of a policy is set to One Way, the rule prevents incoming attacks only. When a rule’s Direction is set to Two Way, the rule prevents both incoming and outgoing attacks. In both cases, the traffic statistics are collected for incoming and outgoing patterns to achieve optimal detection.
Note: Check Point recommends that you initially leave the quota fields (for example, TCP In quota) empty so that the default values are used automatically. To view the default values after creating the profile, click the entry in the table. You can then adjust quota values based on your network performance. The total quota values may exceed 100%, because each value represents the maximum volume per protocol.
To configure a behavioral DoS profile with advanced parameters
1. Select DDoS Protector > Denial of Service > Behavioral DoS > Advanced > Profiles Configuration.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Profile Name The user-defined name for the profile.
SYN Flood status Specifies whether the profile protects against SYN Flood attacks.
Default: inactive
TCP Reset Flood status Specifies whether the profile protects against TCP Reset Flood attacks.
Default: inactive
TCP FIN+ACK Flood status
Specifies whether the profile protects against TCP FIN+ACK Flood attacks.
Default: inactive
TCP SYN+ACK Flood status
Specifies whether the profile protects against TCP SYN+ACK Flood attacks.
Default: inactive
TCP Fragmented Flood status
Specifies whether the profile protects against TCP Fragmented Flood attacks.
Default: inactive
UDP Flood status Specifies whether the profile protects against UDP Flood attacks.
Default: inactive
IGMP Flood status Specifies whether the profile protects against IGMP Flood attacks.
Default: inactive
ICMP Flood status Specifies whether the profile protects against ICMP Flood attacks.
Default: inactive
Configuration of the inbound traffic in [Kbit/Sec]
The highest expected volume of inbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings.
Values: 0 – 2,147,483,647
Caution: You must configure this setting to start Behavioral DoS protection.
Configuration of the outbound traffic in [Kbit/Sec]
The highest expected volume of outbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings.
Values: 0 – 2,147,483,647
Caution: You must configure this setting to start Behavioral DoS protection.
TCP In quota The maximum expected percentage of inbound TCP traffic out of the total traffic.
UDP In quota The maximum expected percentage of inbound UDP traffic out of the total traffic.
ICMP In quota The maximum expected percentage of inbound ICMP traffic out of the total traffic.
IGMP In quota The maximum expected percentage of inbound IGMP traffic out of the total traffic.
TCP Out quota The maximum expected percentage of outbound TCP traffic out of the total traffic.
UDP Out quota The maximum expected percentage of outbound UDP traffic out of the total traffic.
ICMP Out quota The maximum expected percentage of outbound ICMP traffic out of the total traffic.
IGMP Out quota The maximum expected percentage of outbound IGMP traffic out of the total traffic.
Transparent Optimization process
Specifies whether transparent optimization is enabled.
Some network environments are more sensitive to dropped packets (for example, VoIP), so it is necessary to minimize the probability that the device drops legitimate traffic. Transparent optimization can occur during the BDoS closed-feedback iterations until a final footprint is generated.
Note: When transparent optimization is enabled, the profile does not mitigate the attack until the final footprint is generated, which takes several seconds.
UDP packet rate detection sensitivity
Specifies to what extent the BDoS engine considers the UDP PPS-rate values (baseline and current).
This parameter is relevant only for BDoS UDP protection.
Values:
Disable
Low
Medium
High
Default: Low
Packet Trace Status Specifies whether the profile sends attack packets to the specified physical port.
Default: disable
Behavioral DoS Advanced: Global Parameters
The Behavioral DoS Advanced Setting window enables you to set the Learning Response Period upon which baselines are primarily weighted, to enable the Sampling status, and to define the Footprint Strictness level.
Note: You must configure network flood protection separately for TCP floods, UDP floods, ICMP floods, and IGMP floods.
To set the behavioral DoS advanced settings
1. Select DDoS Protector > Behavioral DoS > Advanced > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Learning response period
The initial period from which baselines are primarily weighted.
The default and recommended learning response period is one week.
If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change more than 50% daily), set the learning response to one month. Use a one-day period for testing purposes only.
Values: day, week, month
Default: Week
Sampling Status Specifies whether the BDoS module uses traffic-statistics sampling during the creation phase of the BDoS footprint. When the BDoS module is trying to generate a real-time signature and there is a high rate of traffic, the device evaluates only a portion of the traffic. The BDoS module tunes the sampling factor automatically, according to the traffic rate. The BDoS module screens all traffic at low traffic rates (below 100K PPS) and only a portion of the traffic at higher rates (above 100K PPS).
Default: enable
Note: For best performance, Check Point recommends that the parameter be enabled.
Footprint Strictness When Behavioral DoS module detects a new attack, the module generates an attack footprint to block the attack traffic. If the Behavioral DoS module is unable to generate a footprint that meets the footprint-strictness condition, the module issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint. However, higher strictness increases the probability that the device cannot generate a footprint.
Values:
High—Enforces at least three Boolean ANDs and no other Boolean OR value in the footprint. This level lowers the probability for false positives but increases the probability for false negatives.
Medium—Enforces at least two Boolean ANDs and no more than two additional Boolean OR values in the footprint.
Low—Allows any footprint suggested by the Behavioral DoS module. This level achieves the best attack blocking, but increases the probability of false positives.
Notes:
DDoS Protector always considers the checksum field and the sequence number fields as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered as High Footprint Strictness.
See the table below for examples of footprint strictness requirements.
Footprint Strictness Examples
Footprint Example                                  Low   Medium   High
TTL                                                Yes   No       No
TTL AND Packet Size                                Yes   Yes      No
TTL AND Packet Size AND Destination Port           Yes   Yes      Yes
Behavioral DoS: Learning Reset
Use the Behavioral DoS Learning Reset pane to reset the learning period for specific policies or all policies.
Behavioral DoS protection learns traffic parameters from the transport layer of incoming packets and generates normative baselines for traffic.
The Learning Period setting defines the period based upon which baselines are primarily weighted.
When the baseline for the policy is reset, the baseline traffic statistics are cleared, and then DDoS Protector immediately initiates a new learning period. Generally, this is done when the characteristics of the protected network have changed entirely and bandwidth quotas need to be changed to accommodate the network changes.
To reset the policy baseline
1. Select DDoS Protector > Behavioral DoS > Advanced > Learning Reset.
2. From the Reset Baseline For Policy drop-down list, select a policy or select All Policies.
3. Click Set.
Mitigation Configuration
Attack Termination Configuration
The DDoS Protector BDoS mechanism assigns various internally defined states for each protection (belonging to the BDoS policy and Protection Type).
The internally defined states for protections include the following:
Normal state
Analysis state—state 2
Blocking state—state 6
Anomaly state—state 3
Non-strictness state—state 7
Note: DDoS Protector assigns the Non-strictness state when it was not able to generate a DoS-attack footprint that meets the specified Footprint Strictness.
As soon as DDoS Protector detects anomalous traffic, the protection changes state, from Normal to Analysis. By default, if DDoS Protector detects anomalous traffic for less than 10 seconds, the protection changes state back to Normal.
In a laboratory environment, it is possible to generate traffic that exhibits periodic behavior in terms of traffic volume. Such traffic in a test attack typically looks like a square-wave function. When such test attacks exhibit peaks and troughs of certain durations, DDoS Protector will consider the attack to have ended (terminated)—switching back to the Normal state, never blocking the attack. The advanced mitigation interface for BDoS enables you to extend pre-termination durations so that such traffic is blocked.
Note: In a production environment, highly orchestrated and synchronized attacks are unlikely; and the default values in a DDoS Protector device configuration are adequate.
To configure attack-termination criteria
1. Select DDoS Protector > Denial of Service > Behavioral DoS > Mitigation Configuration > Attack Termination Configuration.
2. Configure the parameters and click Set.
Parameter Description
Stability Counter State 2 The time, in seconds, for which the degree of attack must remain below the hard-coded threshold while in the Analysis state before DDoS Protector declares the attack terminated. When this value is 0, DDoS Protector declares the attack terminated immediately.
Values: 0 – 30
Default: 0
Stability Counter State 6 The time, in seconds, for which the degree of attack must remain below the hard-coded threshold while in the Blocking state before DDoS Protector declares the attack terminated. When this value is 0, DDoS Protector declares the attack terminated immediately. There is no typical use case for reducing this value below the default.
Values: 0 – 300
Default: 10
Stability Counter State 3 and 7
The time, in seconds, for which the degree of attack must remain below the hard-coded threshold while in the Anomaly state or the Non-strictness state before DDoS Protector declares the attack terminated. When this value is 0, DDoS Protector declares the attack terminated immediately.
Values: 0 – 300
Default: 10
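The square-wave behaviour described above, simulated in Python. This is an added example and not DDoS Protector code: the device's degree-of-attack metric, its hard-coded threshold and the exact transition rules are not published, so the script assumes one degree value per second, a constant threshold, and a fixed 10-second Analysis phase before Blocking (the default footprint time mentioned in this guide). Only the Normal, Analysis (state 2) and Blocking (state 6) states are modelled; the traffic series is constructed.

```python
"""BDoS attack-termination stability counters, simulated.

Added example, not DDoS Protector code. The degree-of-attack metric and its
hard-coded threshold are not published, so the degree is modelled as one
number per second and the threshold as a constant (both assumptions).
"""
from dataclasses import dataclass, field
from typing import List

DEGREE_THRESHOLD = 0.5   # assumed stand-in for the hard-coded threshold
FOOTPRINT_SECONDS = 10   # default time in Analysis before a footprint is ready


@dataclass
class BdosProtection:
    stability_state2: int = 0     # Stability Counter State 2 (Analysis), default 0
    stability_state6: int = 10    # Stability Counter State 6 (Blocking), default 10
    state: str = "Normal"
    in_state_for: int = 0         # seconds spent in the current attack state
    below_for: int = 0            # consecutive seconds below the threshold
    transitions: List[str] = field(default_factory=list)

    def _go(self, new_state: str, t: int) -> None:
        self.transitions.append(f"t={t}: {self.state} -> {new_state}")
        self.state, self.in_state_for, self.below_for = new_state, 0, 0

    def step(self, t: int, degree: float) -> str:
        """Feed one second of degree-of-attack; return the resulting state."""
        anomalous = degree >= DEGREE_THRESHOLD
        if self.state == "Normal":
            if anomalous:
                self._go("Analysis", t)
            return self.state
        self.in_state_for += 1
        self.below_for = 0 if anomalous else self.below_for + 1
        limit = self.stability_state2 if self.state == "Analysis" else self.stability_state6
        # A counter of 0 terminates the attack on the first below-threshold second.
        if not anomalous and self.below_for >= limit:
            self._go("Normal", t)
        elif self.state == "Analysis" and self.in_state_for >= FOOTPRINT_SECONDS:
            self._go("Blocking", t)
        return self.state


def run(protection: BdosProtection, degrees: List[float]) -> List[str]:
    """Drive the protection through a per-second degree series; return the states."""
    return [protection.step(t, d) for t, d in enumerate(degrees)]


def square_wave(on: int = 5, off: int = 5, seconds: int = 60) -> List[float]:
    """Constructed lab traffic: `on` seconds of flood, then `off` seconds of quiet."""
    return [1.0 if t % (on + off) < on else 0.0 for t in range(seconds)]


if __name__ == "__main__":
    default = BdosProtection()
    run(default, square_wave())
    print("defaults      :", default.transitions)      # never reaches Blocking
    tuned = BdosProtection(stability_state2=6)
    run(tuned, square_wave())
    print("state-2 cnt=6 :", tuned.transitions)        # blocks from t=10 onwards
```

With the defaults, every 5-second trough terminates the attack while it is still in Analysis, so a footprint is never generated; raising Stability Counter State 2 above the trough length lets the protection ride through the troughs and reach Blocking, where the default 10-second counter for state 6 keeps it there.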
Packet Header Field Selection
If the value in the Any Packet Header Field drop-down list in the Early Blocking Configuration Update window is false, you can select specific packet-header fields for early blocking of DoS traffic.
Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.
To select packet-header fields for early blocking of DNS DoS traffic
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Packet Header Fields Selection.
2. Select the protection type next to the relevant packet-header field.
3. From the Early Detection Condition drop-down list, select:
yes—DDoS Protector must detect this field to generate a footprint in less than 10 seconds.
no—DDoS Protector can use this field in the footprint, but it is not enough for early blocking.
4. Click Set.
Early Blocking Configuration
In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start blocking as soon as possible—even if accuracy is compromised. Using Early Blocking of DoS Traffic—configuring thresholds for generating DoS-attack footprints—you can shorten the Analysis state and start blocking the relevant traffic.
Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.
To configure early blocking of DNS DoS traffic
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Early Blocking Configuration.
2. Select the Protection type you want to configure for early blocking.
3. Configure the parameters and click Set.
Parameter Description
Any Packet Header Field Specifies the parameters according to which the device blocks DoS traffic early.
Values:
true—the device blocks DoS traffic early based on the specified number of packet-header fields and number of packet-header-field values thresholds.
false—the device blocks DoS traffic early based on the fields as displayed in the Packet Header Fields Selection window.
Any Packet Header Field threshold
The number of anomalous packet-header fields that the device must detect to generate a footprint and change to the Blocking state before the default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.)
Values: 1 – 20
Default (per protection):
ICMP—17
IGMP—16
TCP-ACK-FIN—17
TCP-FRAG—17
TCP-RST—17
TCP-SYN—17
TCP-SYN-ACK—17
UDP—20
Packet Header Field Values
The number of anomalous packet-header-field values that the device must detect to generate a footprint and change to the Blocking state.
Values: 1–500
Default: 500
Behavioral DoS Footprint Bypass
You can define footprint bypass types and values that will not be used as part of a real-time signature. These types and values are not used in OR or AND operations within the blocking rule (real-time signature), even when the protection engine suggests that the traffic is a real-time signature candidate.
To configure footprint bypass
1. Select DDoS Protector > Behavioral DoS > Advanced > Footprint Bypass.
2. Select the link in the relevant row.
3. Configure the parameters, and click Set.
Parameter Description
Controller (Read-only) The attack protection for which you are configuring footprint bypass.
Bypass Field (Read-only) The bypass type to configure.
Bypass Status The bypass option.
Values:
Bypass—The Behavioral DoS module bypasses all possible values of the selected Bypass Field when generating a footprint.
Accept—The Behavioral DoS module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.
Bypass Values If the value of the Bypass Status parameter is Accept, when generating the footprint, the Behavioral DoS mechanism does not use the specified Bypass Values of the corresponding selected Bypass Field. The valid Bypass Values vary according to the selected Bypass Field. Multiple values in the Bypass Values field must be comma-delimited.
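The footprint-strictness rules (the High/Medium/Low definitions and the example table in Behavioral DoS Advanced: Global Parameters) and the footprint-bypass rules above, written as checks over a candidate footprint. This is an added example, not DDoS Protector code: the footprint is modelled as a dictionary of header field to set of values (fields ANDed, values within a field ORed), and the field names and values are illustrative. Where a bypass strips a footprint below the configured strictness, the result is a notification rather than blocking, as described above.

```python
"""Footprint strictness and footprint bypass as rules over a footprint.

Added example, not DDoS Protector code. A footprint is a dict of
header field -> set of accepted values: fields are ANDed, the values of
one field are ORed. Field names below are illustrative.
"""
from typing import Dict, List, Set, Tuple

Footprint = Dict[str, Set[str]]
Bypass = Tuple[str, str, Set[str]]     # (field, "Bypass" | "Accept", values for Accept)

LEVELS = {"low": 0, "medium": 1, "high": 2}
# The guide treats checksum and sequence-number fields as High on their own.
ALWAYS_HIGH_FIELDS = {"checksum", "sequence number"}


def strictness_of(fp: Footprint) -> str:
    """Highest strictness level that a footprint satisfies."""
    if any(f in ALWAYS_HIGH_FIELDS for f in fp):
        return "high"
    and_terms = len(fp)                                 # ANDed fields
    or_values = sum(len(v) - 1 for v in fp.values())    # additional ORed values
    if and_terms >= 3 and or_values == 0:
        return "high"
    if and_terms >= 2 and or_values <= 2:
        return "medium"
    return "low"


def meets(fp: Footprint, configured: str) -> bool:
    """True when the footprint can be used at the configured strictness."""
    return bool(fp) and LEVELS[strictness_of(fp)] >= LEVELS[configured]


def apply_bypass(fp: Footprint, rules: List[Bypass]) -> Footprint:
    """Remove bypassed fields (Bypass) or bypassed values (Accept) from a candidate."""
    out = {f: set(v) for f, v in fp.items()}
    for fld, status, values in rules:
        if fld not in out:
            continue
        if status == "Bypass":
            del out[fld]                  # no value of this field is ever used
        elif status == "Accept":
            out[fld] -= values            # only the listed values are excluded
            if not out[fld]:
                del out[fld]
        else:
            raise ValueError(f"unknown Bypass Status {status!r}")
    return out


def decide(candidate: Footprint, rules: List[Bypass], strictness: str) -> Tuple[str, Footprint]:
    """Return ('block' | 'notify-only', footprint after bypass)."""
    fp = apply_bypass(candidate, rules)
    return ("block" if meets(fp, strictness) else "notify-only"), fp


# Constructed candidate: the third row of the strictness example table.
CANDIDATE: Footprint = {"ttl": {"64"}, "packet size": {"60"}, "dport": {"53"}}

if __name__ == "__main__":
    print(decide(CANDIDATE, [], "high"))
    print(decide(CANDIDATE, [("dport", "Accept", {"53"})], "high"))    # notify-only
    print(decide(CANDIDATE, [("dport", "Accept", {"53"})], "medium"))  # block
```

The strictness function reproduces the example table: TTL alone is Low only, TTL AND Packet Size reaches Medium, and all three fields reach High; a bypass that removes Destination Port 53 from the candidate drops it to Medium, so it blocks only when the configured strictness is Medium or Low.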
Behavioral DoS Profiles
A Behavioral DoS profile defines the set of protocols for protection, which can then be assigned to the Behavioral DoS policy.
Use the Behavioral DoS Profiles pane to configure Behavioral DoS profiles with basic parameters.
Recommended settings for policies that include Behavioral DoS profiles are as follows:
Configure policies containing Behavioral DoS profiles using Networks with source = Any (the public network) and destination = Protected Network. It is recommended to create multiple Behavioral DoS rules, each one protecting a specific server segment (for example, the DNS server segment, the Web server segment, the Mail server segment, and so on). This ensures optimized learning of normal traffic baselines.
It is not recommended to define a network with both Source and Destination set to Any, because the device then collects statistics globally without regard to inbound and outbound directions. This may result in lowered sensitivity when detecting attacks.
When the Direction of a policy is set to One Way, the rule prevents incoming attacks only. When a rule’s Direction is set to Two Way, the rule prevents both incoming and outgoing attacks. In both cases, the traffic statistics are collected for incoming and outgoing patterns to achieve optimal detection.
To configure a behavioral DoS profile with basic parameters
1. Select DDoS Protector > Denial of Service > Behavioral DoS > Behavioral DoS Profiles.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Profile Name The user-defined name for the profile.
SYN Flood status Specifies whether the profile protects against SYN Flood attacks.
Default: inactive
TCP Reset Flood status Specifies whether the profile protects against TCP Reset Flood attacks.
Default: inactive
TCP FIN+ACK Flood status Specifies whether the profile protects against TCP FIN+ACK Flood attacks.
Default: inactive
TCP SYN+ACK Flood status Specifies whether the profile protects against TCP SYN+ACK Flood attacks.
Default: inactive
TCP Fragmented Flood status Specifies whether the profile protects against TCP Fragmented Flood attacks.
Default: inactive
UDP Flood status Specifies whether the profile protects against UDP Flood attacks.
Default: inactive
IGMP Flood status Specifies whether the profile protects against IGMP Flood attacks.
Default: inactive
ICMP Flood status Specifies whether the profile protects against ICMP Flood attacks.
Default: inactive
Configuration of the inbound traffic in [Kbit/Sec]
The highest expected volume of inbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings.
Values: 0 – 2,147,483,647
Caution: You must configure this setting to start Behavioral DoS protection.
Configuration of the outbound traffic in [Kbit/Sec]
The highest expected volume of outbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings.
Values: 0 – 2,147,483,647
Caution: You must configure this setting to start Behavioral DoS protection.
Packet Trace Status Specifies whether the profile sends attack packets to the specified physical port.
Default: disable
DNS Protection
DNS Protection Global Parameters
DNS Flood Protection, which you can use in your network-protection policy, defends your network from zero-day DNS-flood attacks. These attacks fill available DNS bandwidth with irrelevant traffic, denying legitimate users DNS lookups. The attacks originate in the public network and threaten Internet-connected organizations.
The DNS Flood profiles detect traffic anomalies and prevent zero-day, unknown, DNS flood attacks by identifying the footprint of the anomalous traffic.
DNS Flood Protection types can include the following DNS query types:
A
MX
PTR
AAAA
Text
SOA
NAPTR
SRV
Other
DNS Flood Protection can detect statistical anomalies in DNS traffic and generate an accurate attack footprint based on a heuristic protocol information analysis. This ensures accurate attack filtering with minimal risk of false positives. The default average time for a new signature creation is between 10 and 18 seconds. This is a relatively short time, because flood attacks can last for minutes, and sometimes, hours.
Before you configure DNS Flood Protection profiles, ensure that DNS Flood Protection is enabled. You can also change the default global device settings for DNS Flood Protection. The DNS Flood Protection global settings apply to all the network protection policies rules with DNS Flood profiles on the device.
Note: Changing the setting of this parameter requires a reboot to take effect.
To enable DNS Protection
1. Select DDoS Protector > Denial of Service > DNS Protection > Global Parameters.
2. Select enable from the drop-down list.
3. Click Set.
Advanced
DNS Protection Advanced Profiles
Use the DNS Protection Advanced Profiles pane to configure DNS-Flood Protection profiles with advanced parameters.
DDoS Protector uses the bandwidth and quota values to derive a baseline for normal inbound and outbound traffic.
DNS Protection profiles can be used only in one-way policies.
It is recommended to configure policies that include DNS Protection profiles using Networks with source = Any, the public network, and destination = Protected Network.
Note: Check Point recommends that you initially leave the quota fields (for example, DNS A quota) empty so that the default values are used automatically. To view the default values after creating the profile, click the entry in the table. You can then adjust quota values based on your network performance.
The total quota values may exceed 100%, because each value represents the maximum volume per query type.
To configure a DNS Protection profile with advanced parameters
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Profiles Configuration.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Profile Name The user-defined name for the profile.
Expected QPS The expected rate, in queries per second, of DNS queries.
DNS A Flood status Specifies whether this profile protects against DNS A Flood attacks.
Values: inactive, active
Default: inactive
DNS A quota The maximum expected percentage of DNS A traffic out of the total DNS traffic.
DNS MX Flood status Specifies whether this profile protects against DNS MX Flood attacks.
Values: inactive, active
Default: inactive
DNS MX quota The maximum expected percentage of DNS MX traffic out of the total DNS traffic.
DNS PTR Flood status Specifies whether this profile protects against DNS PTR Flood attacks.
Values: inactive, active
Default: inactive
DNS PTR quota The maximum expected percentage of DNS PTR traffic out of the total DNS traffic.
DNS AAAA Flood status Specifies whether this profile protects against DNS AAAA Flood attacks.
Values: inactive, active
Default: inactive
DNS AAAA quota The maximum expected percentage of DNS AAAA traffic out of the total DNS traffic.
DNS TEXT Flood status Specifies whether this profile protects against DNS TEXT Flood attacks.
Values: inactive, active
Default: inactive
DNS TEXT quota The maximum expected percentage of DNS TEXT traffic out of the total DNS traffic.
DNS SOA Flood status Specifies whether this profile protects against DNS SOA Flood attacks.
Values: inactive, active
Default: inactive
DNS SOA quota The maximum expected percentage of DNS SOA traffic out of the total DNS traffic.
DNS NAPTR Flood status Specifies whether this profile protects against DNS NAPTR Flood attacks.
Values: inactive, active
Default: inactive
DNS NAPTR quota The maximum expected percentage of DNS NAPTR traffic out of the total DNS traffic.
DNS SRV Flood status Specifies whether this profile protects against DNS SRV Flood attacks.
Values: inactive, active
Default: inactive
DNS SRV quota The maximum expected percentage of DNS SRV traffic out of the total DNS traffic.
DNS OTHER Flood status Specifies whether this profile protects against DNS OTHER Flood attacks.
Values: inactive, active
Default: inactive
DNS OTHER quota The maximum expected percentage of other DNS traffic (that is, not A, MX, PTR, AAAA, TEXT, SOA, NAPTR, or SRV) out of the total DNS traffic.
Max Allowed QPS The maximum allowed rate of DNS queries per second.
Values: 0–4,000,000
Default: 0
Note: When Manual Triggers Status is set to enable, the Manual Triggers Max QPS Target value overrides this value.
Signature Rate limit Target The percentage, above the baseline, of DNS traffic matching the real-time signature that the profile does not mitigate.
Values: 0–100
Default: 0
Packet Trace Status Specifies whether the DDoS Protector device sends attack packets to the specified physical port.
Default: disable
Action The action that the profile takes on DNS traffic during an attack.
Values: Block and Report, Report Only
Default: Block and Report
Manual Triggers Status Specifies whether the profile uses user-defined DNS QPS thresholds instead of the learned baselines.
Default: disable
Manual Triggers Activation Threshold
The number of queries per second on a single connection above which, after the specified Activation Period, the device considers an attack to be in progress. When the device detects an attack, it issues an alert and drops the DNS packets that exceed the threshold. Packets that do not exceed the threshold pass through the DDoS Protector device.
Values: 0–4,000,000
Default: 0
Manual Triggers Termination Threshold
The number of queries per second on a single connection below which, after the specified Termination Period, the device considers the attack to have ended.
Values: 0–4,000,000
Default: 0
Note: The Termination Threshold must be less than or equal to the Activation Threshold.
Manual Triggers Max QPS Target
The maximum allowed rate of DNS queries per second.
Values: 0–4,000,000
Default: 0
Manual Triggers Activation Period
The number of consecutive seconds that the DNS traffic on a single connection exceeds the Activation Threshold that causes the device to consider there to be an attack.
Values: 0–30
Default: 3
Manual Triggers Termination Period
The time, in seconds, that the DNS traffic on a single connection is continuously below the Termination Threshold, which causes the device to consider the attack to have ended.
Values: 0–30
Default: 3
Manual Triggers Escalation Period
The time, in seconds, that the device waits before escalating to the next specified Mitigation Action.
Values: 0–30
Default: 3
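The manual-trigger parameters above, exercised as a per-second state machine over constructed QPS samples for one connection. This is an added example, not DDoS Protector code, and it assumes: while an attack is active, queries above the Activation Threshold are dropped and Manual Triggers Max QPS Target, when non-zero, replaces that cap; the Escalation Period and mitigation-action escalation are not modelled.

```python
"""DNS Protection manual triggers, simulated per second on one connection.

Added example, not DDoS Protector code. Assumptions: during an attack,
queries above the Activation Threshold are dropped; a non-zero Max QPS
Target replaces that cap; the Escalation Period is not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ManualTriggers:
    activation_threshold: int          # QPS, Values 0-4,000,000
    termination_threshold: int         # QPS, must be <= activation_threshold
    max_qps_target: int = 0            # 0 = not set
    activation_period: int = 3         # consecutive seconds, default 3
    termination_period: int = 3        # consecutive seconds, default 3
    attack: bool = False
    above_for: int = 0                 # consecutive seconds above Activation Threshold
    below_for: int = 0                 # consecutive seconds below Termination Threshold
    alerts: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.termination_threshold > self.activation_threshold:
            raise ValueError("Termination Threshold must be <= Activation Threshold")
        for name in ("activation_period", "termination_period"):
            if not 0 <= getattr(self, name) <= 30:
                raise ValueError(f"{name} must be in 0-30")

    def step(self, t: int, qps: int) -> Tuple[int, int]:
        """Process one second of traffic; return (forwarded, dropped) queries."""
        self.above_for = self.above_for + 1 if qps > self.activation_threshold else 0
        self.below_for = self.below_for + 1 if qps < self.termination_threshold else 0
        if (not self.attack and qps > self.activation_threshold
                and self.above_for >= self.activation_period):
            self.attack = True
            self.alerts.append(f"t={t}: attack started ({qps} qps)")
        elif (self.attack and qps < self.termination_threshold
                and self.below_for >= self.termination_period):
            self.attack = False
            self.alerts.append(f"t={t}: attack ended ({qps} qps)")
        if not self.attack:
            return qps, 0
        cap = self.max_qps_target or self.activation_threshold   # assumed cap rule
        forwarded = min(qps, cap)
        return forwarded, qps - forwarded


def simulate(mt: ManualTriggers, samples: List[int]) -> List[Tuple[int, int]]:
    """Feed per-second QPS samples; return (forwarded, dropped) per second."""
    return [mt.step(t, q) for t, q in enumerate(samples)]


def is_valid(activation_threshold: int, termination_threshold: int) -> bool:
    """True when the pair passes the Termination <= Activation rule."""
    try:
        ManualTriggers(activation_threshold, termination_threshold)
    except ValueError:
        return False
    return True


# Constructed per-second QPS on one connection: normal, ramp, flood, recovery.
SAMPLES = [200, 250, 1500, 1600, 1700, 1800, 1900, 300, 100, 100, 100, 200]

if __name__ == "__main__":
    mt = ManualTriggers(activation_threshold=1000, termination_threshold=500)
    for t, (fwd, drop) in enumerate(simulate(mt, SAMPLES)):
        print(f"t={t:2d} qps={SAMPLES[t]:5d} forwarded={fwd:5d} dropped={drop:4d}")
    print(mt.alerts)
```

With the defaults of 3 seconds for both periods, the flood is not declared an attack until its third consecutive second over the threshold (t=4), and the attack is not declared over until three consecutive seconds under the Termination Threshold (t=9); a Max QPS Target of 1200 raises the forwarded cap during the attack without changing when it starts or ends.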
DNS Protection Advanced Global Parameters
The DNS Protection Advanced Setting window enables you to set the learning response period upon which baselines are primarily weighted, to enable the sampling status, and to define the footprint strictness level.
To configure the DNS Protection advanced global parameters
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Learning Response Period The initial period from which baselines are primarily weighted.
The default and recommended learning response period is one week.
If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change more than 50% daily), set the learning response to one month. Use a one-day period for testing purposes only.
Values: day, week, month
Default: week
Sampling Status Specifies whether the DNS Flood Protection module uses traffic-statistics sampling during the creation phase of the footprint.
Values:
enable—Traffic statistics are aggregated through a sampling algorithm, which improves the overall performance of the DNS Flood Protection module. Although the decision engine is tuned according to the sampling error, the chance of false-positive decisions is increased.
disable—Traffic statistics are aggregated without sampling.
Default: enable
Footprint Strictness When the DNS Flood Protection module detects a new attack, the module generates an attack footprint to block the attack traffic. If the module is unable to generate a footprint that meets the footprint-strictness condition, the module issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint. However, higher strictness increases the probability that the module cannot generate a footprint.
Values:
high—Enforces at least three Boolean ANDs and no other Boolean OR value in the footprint. This level lowers the probability for false positives but increases the probability for false negatives.
medium—Enforces at least two Boolean ANDs and no more than two additional Boolean OR values in the footprint.
low—Allows any footprint suggested by the DNS Flood Protection module. This level achieves the best attack blocking, but increases the probability of false positives.
Notes:
The DNS Flood Protection module always considers the checksum field and the sequence number fields as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered as High Footprint Strictness.
See the table below for examples of footprint strictness requirements.
Footprint Strictness Examples
Footprint Example                      | Low | Medium | High
DNS Query                              | Yes | No     | No
DNS Query AND DNS ID                   | Yes | Yes    | No
DNS Query AND DNS ID AND Packet Size   | Yes | Yes    | Yes
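The following Python check is an added example, not product code: it encodes the three Footprint Strictness rules and the checksum/sequence-number note above and reproduces the table. The footprint model (a list of AND-ed field conditions, each holding one or more OR-ed values), the reading of "three Boolean ANDs" as three AND-ed conditions (which is what the table shows), and all field and value strings are our own assumptions.

```python
"""Footprint Strictness check for the DNS Flood Protection module (added example, not product code)."""

# Per the guide's note, a footprint built only from these fields is always High.
ALWAYS_HIGH_FIELDS = {"Checksum", "Sequence Number"}

LEVELS = ("low", "medium", "high")


def count_operators(footprint):
    """Return (number of AND-ed conditions, number of additional OR-ed values)."""
    and_terms = len(footprint)
    or_values = sum(len(values) - 1 for _, values in footprint)
    return and_terms, or_values


def meets_strictness(footprint, level):
    """True if the footprint satisfies the given Footprint Strictness setting."""
    if level not in LEVELS:
        raise ValueError(f"unknown strictness level: {level}")
    if not footprint or any(not values for _, values in footprint):
        raise ValueError("a footprint needs at least one condition with a value")
    if {field for field, _ in footprint} <= ALWAYS_HIGH_FIELDS:
        return True          # checksum / sequence-number footprints count as High
    and_terms, or_values = count_operators(footprint)
    if level == "high":      # at least three ANDs and no OR value
        return and_terms >= 3 and or_values == 0
    if level == "medium":    # at least two ANDs and at most two extra OR values
        return and_terms >= 2 and or_values <= 2
    return True              # low: any suggested footprint is accepted


def strictness_row(footprint):
    """One row of the Footprint Strictness Examples table: level -> accepted."""
    return {level: meets_strictness(footprint, level) for level in LEVELS}


def attack_disposition(footprint, configured_level):
    """What the module does with a new attack under the configured strictness."""
    return "block" if meets_strictness(footprint, configured_level) else "notify-only"


# Constructed footprints matching the three rows of the guide's table.
EXAMPLES = {
    "DNS Query": [("DNS Query", ["A"])],
    "DNS Query AND DNS ID": [("DNS Query", ["A"]), ("DNS ID", ["0x1a2b"])],
    "DNS Query AND DNS ID AND Packet Size": [
        ("DNS Query", ["A"]), ("DNS ID", ["0x1a2b"]), ("Packet Size", ["64"])],
}
# A three-field footprint where one field ORs two values: Medium but not High.
WITH_OR = [("DNS Query", ["A", "AAAA"]), ("DNS ID", ["0x1a2b"]), ("Packet Size", ["64"])]

if __name__ == "__main__":
    for name, fp in EXAMPLES.items():
        print(f"{name:40} {strictness_row(fp)}")
    print("with OR values:", strictness_row(WITH_OR))
```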
DNS Protection Learning Reset
Use the DNS Protection Learning Reset pane to reset the learning period for specific policies or all policies.
DNS Flood protection learns traffic parameters from the transport layer of incoming packets and generates normative baselines for traffic.
The Learning Period setting defines the period based upon which baselines are primarily weighted.
When the baseline for the policy is reset, the baseline traffic statistics are cleared, and then DDoS Protector immediately initiates a new learning period. Generally, this is done when the characteristics of the protected network have changed entirely and bandwidth quotas need to be changed to accommodate the network changes.
To reset the policy baseline
1. Select DDoS Protector > Behavioral DoS > Advanced > Learning Reset.
2. From the Reset Baseline For Policy drop-down list, select a policy or select All Policies.
3. Click Set.
Mitigation Configuration
Attack Termination Configuration
The DNS Protection mechanism assigns various internally defined states for each protection (belonging to the DNS protection policy and protection type).
The internally defined states for protections include the following:
Normal state
Analysis state—state 2
Blocking state—state 6
Anomaly state—state 3
As soon as DDoS Protector detects anomalous traffic, the protection changes state, from Normal to Analysis. By default, if DDoS Protector detects anomalous traffic for less than 10 seconds, the protection changes state back to Normal.
In a laboratory environment, it is possible to generate traffic that exhibits periodic behavior in terms of traffic volume. Such traffic in a test attack typically looks like a square-wave function. When such test attacks exhibit peaks and troughs of certain durations, DDoS Protector will consider the attack to have ended (terminated)—switching back to the Normal state, never blocking the attack. The advanced mitigation interface enables you to extend pre-termination durations so that such traffic is blocked.
Note: In a production environment, highly orchestrated and synchronized attacks are unlikely, and the default values in a DDoS Protector device configuration are adequate.
To configure attack-termination criteria
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Attack Termination Configuration.
2. Configure the parameters and click Set.
Parameter Description
Stability Counter State 2 The time, in seconds, that the degree of attack must fall below and stay below the hard-coded threshold while in the Analysis state before DDoS Protector declares the attack terminated. When this value is 0, DDoS Protector declares the attack terminated immediately.
Values: 0 – 30
Default: 0
Stability Counter State 6 The time, in seconds, that the degree of attack must fall below and stay below the hard-coded threshold while in the Blocking state before DDoS Protector declares the attack terminated. When this value is 0, DDoS Protector declares the attack terminated immediately. There is no typical use case for reducing the value from the default.
Values: 0 – 300
Default: 10
Stability Counter State 3 The time, in seconds, that the degree of attack must fall below and stay below the hard-coded threshold while in the Anomaly state before DDoS Protector declares the attack terminated. When this value is 0, DDoS Protector declares the attack terminated immediately.
Values: 0 – 300
Default: 10
Methods
When the protection is enabled and the device detects that a DNS-flood attack has started, the device implements the Mitigation Actions in escalating order—in the order that they appear in the group box. If the first enabled Mitigation action does not mitigate the attack satisfactorily (after a certain Escalation Period), the device implements the next more-severe enabled Mitigation Action, and so on. As the most severe Mitigation Action, the device always implements the Collective Rate Limit, which limits the rate of all DNS queries to the protected server.
To configure DNS Protection mitigation methods
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Methods.
2. Configure the parameters and click Set.
Parameter Description
Signature challenge mitigation status
Specifies whether the device challenges suspect DNS queries that match the real-time signature.
Default: enable
Note: DDoS Protector challenges only A and AAAA query types.
Signature rate-limit mitigation status
Specifies whether the device limits the rate of DNS queries that match the real-time signature.
Default: enable
Collective challenge mitigation status
Specifies whether the device challenges all unauthenticated DNS queries to the protected server.
Default: enable
Note: DDoS Protector challenges only A and AAAA query types.
Collective rate-limit mitigation status
(Read-only) The device limits the rate of all DNS queries to the protected server.
Value: enable
Packet Header Field Selection
If the value in the Any Packet Header Field drop-down list in the Early Blocking Configuration Update window is false, you can select specific packet-header fields for early blocking of DoS traffic.
Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.
To select packet-header fields for early blocking of DNS DoS traffic
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Packet Header Fields Selection.
2. Select the protection type next to the relevant packet-header field.
3. From the Early Detection Condition drop-down list, select:
yes—DDoS Protector must detect this field to generate a footprint in less than 10 seconds.
no—DDoS Protector can use this field in the footprint, but it is not enough for early blocking.
4. Click Set.
Early Blocking Configuration
In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start blocking as soon as possible—even if accuracy is compromised. Using Early Blocking of DoS Traffic—configuring thresholds for generating DoS-attack footprints—you can shorten the Analysis state and start blocking the relevant traffic.
Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.
To configure early blocking of DNS DoS traffic
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Early Blocking Configuration.
2. Select the Protection type you want to configure for early blocking.
3. Configure the parameters and click Set.
Parameter Description
Any Packet Header Field Specifies the parameters according to which the device blocks DoS traffic early.
Values:
true—the device blocks DoS traffic early based on the specified number of packet-header fields and number of packet-header-field values thresholds.
false—the device blocks DoS traffic early based on the fields as displayed in the Packet Header Fields Selection window.
Any Packet Header Field threshold
The number of anomalous packet-header fields that the device must detect to generate a footprint and change to the Blocking state before the default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.)
Values: 1 – 20
Default (per protection):
ICMP—17
IGMP—16
TCP-ACK-FIN—17
TCP-FRAG—17
TCP-RST—17
TCP-SYN—17
TCP-SYN-ACK—17
UDP—20
Packet Header Field Values The number of anomalous packet-header-field values that the device must detect to generate a footprint and change to the Blocking state.
Values: 1–500
Default: 500
SDM Challenge Response Configuration
To configure SDM challenge response
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > SDM.
2. Configure the parameter and click Set.
Parameter Description
SDM Protocol Compliance Checks Status
Specifies whether the device checks each DNS query for DNS protocol compliance and drops the non-compliant queries.
Default: disable
DNS Footprint Bypass
You can define footprint bypass types and values that will not be used as part of a real-time signature. These types and values are not used in OR or AND operations within the blocking rule (real-time signature), even when the protection engine suggests that the traffic is a real-time signature candidate.
To configure DNS footprint bypass
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Footprint Bypass.
2. Click the controller name of the DNS query type for which you want to configure footprint bypass.
3. Configure the parameters and click Set.
Parameter Description
Controller (Read-only) The selected DNS query type for which you are configuring footprint bypass.
Bypass Field (Read-only) The selected Bypass Field to configure.
Bypass Status The bypass option.
Values:
bypass—The DNS Flood Protection module bypasses all possible values of the selected Bypass Field when generating a footprint.
accept—The DNS Flood Protection module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.
Bypass Values Used if the value of the Bypass Status parameter is Accept. DNS Flood Protection bypasses only the values of a selected Bypass Type, while it may use all other values. These values vary according to the Bypass Field selected. The values in the field must be comma-delimited.
DNS Protection Profile
Use the DNS Protection Profiles pane to configure DNS-Flood Protection profiles with basic parameters.
DDoS Protector uses the bandwidth and quota values to derive a baseline for normal inbound and outbound traffic.
DNS Protection profiles can be used only in one-way policies.
It is recommended to configure policies that include DNS Protection profiles using Networks with source = Any, the public network, and destination = Protected Network.
Note: Check Point recommends that you initially leave the quota fields (for example, DNS A quota) empty so that the default values are used automatically. To view the default values after creating the profile, click the entry in the table. You can then adjust the quota values based on your network performance.
The total quota values may exceed 100%, as each value represents the maximum volume per protocol.
To configure a DNS Protection profile with basic parameters
1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Profiles Configuration.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Profile Name The user-defined name for the profile.
Expected QPS The expected rate, in queries per second, of DNS queries.
DNS A Flood status Specifies whether this profile protects against DNS A Flood attacks.
Values: inactive, active
Default: inactive
DNS A quota The maximum expected percentage of DNS A traffic out of the total DNS traffic.
DNS MX Flood status Specifies whether this profile protects against DNS MX Flood attacks.
Values: inactive, active
Default: inactive
DNS MX quota The maximum expected percentage of DNS MX traffic out of the total DNS traffic.
DNS PTR Flood status Specifies whether this profile protects against DNS PTR Flood attacks.
Values: inactive, active
Default: inactive
DNS PTR quota The maximum expected percentage of DNS PTR traffic out of the total DNS traffic.
DNS AAAA Flood status Specifies whether this profile protects against DNS AAAA Flood attacks.
Values: inactive, active
Default: inactive
DNS AAAA quota The maximum expected percentage of DNS AAAA traffic out of the total DNS traffic.
DNS TEXT Flood status Specifies whether this profile protects against DNS TEXT Flood attacks.
Values: inactive, active
Default: inactive
DNS TEXT quota The maximum expected percentage of DNS TEXT traffic out of the total DNS traffic.
DNS SOA Flood status Specifies whether this profile protects against DNS SOA Flood attacks.
Values: inactive, active
Default: inactive
DNS SOA quota The maximum expected percentage of DNS SOA traffic out of the total DNS traffic.
DNS NAPTR Flood status
Specifies whether this profile protects against DNS NAPTR Flood attacks.
Values: inactive, active
Default: inactive
DNS NAPTR quota The maximum expected percentage of DNS NAPTR traffic out of the total DNS traffic.
DNS SRV Flood status Specifies whether this profile protects against DNS SRV Flood attacks.
Values: inactive, active
Default: inactive
DNS SRV quota The maximum expected percentage of DNS SRV traffic out of the total DNS traffic.
DNS OTHER Flood status
Specifies whether this profile protects against DNS OTHER Flood attacks.
Values: inactive, active
Default: inactive
DNS OTHER quota The maximum expected percentage of other DNS traffic (that is, not A, MX, AAAA, TEXT, SOA, NAPTR, or SRV) out of the total DNS traffic.
Max Allowed QPS The maximum allowed rate of DNS queries per second, when the Manual Triggers option is not enabled.
Values: 0–4,000,000
Default: 0
Note: When the Manual Triggers option is enabled (see DNS Protection Advanced Profiles), the Manual Triggers Max QPS Target value overrides this value.
Signature Rate limit Target
The percentage of the DNS traffic that matches the real-time signature that the profile will not mitigate above the baseline.
Values: 0–100
Default: 0
Packet Trace Status Specifies whether the DDoS Protector device sends attack packets to the specified physical port.
Default: disable
Action The action that the profile takes on DNS traffic during an attack.
Values: Block and Report, Report Only
Default: Block and Report
SYN Protection
SYN Protection: Global Parameters
A SYN flood attack is usually aimed at specific servers with the intention of consuming the server’s resources. However, you configure SYN Protection as a Network Protection to allow easier protection of multiple network elements.
Before you configure SYN profiles for the network-protection policy, ensure the following:
SYN Protection is enabled and the SYN Flood Protection global parameters are configured.
The Session table Lookup Mode is Full Layer 4.
To enable SYN Flood Protection
1. Select DDoS Protector > Denial of Service > SYN Protection.
2. From the drop-down list, select enable.
3. Click Set.
Note: Changing the setting of this parameter requires a reboot to take effect.
SYN Protection: Advanced Parameters
The SYN Protection Advanced Settings window exposes the advanced SYN Protection tuning parameters.
To set the SYN protection advanced parameters
1. Select DDoS Protector > Denial of Service > SYN Protection > Advanced Parameters.
2. Configure the parameters and click Set.
Parameter Description
Tracking time The time, in seconds, that the device tracks the number of SYN packets directed to same destination. DDoS Protector uses the value to determine when to activate and deactivate SYN Protections.
Values: 1 – 10
Default: 5
Attacks
SYN Static Attacks
Predefined SYN Protections, referred to as SYN Static Attacks, are available for the most common applications: FTP, HTTP, HTTPS, IMAP, POP3, RPS, RTSP, SMTP, and Telnet. The thresholds are predefined by Check Point. Use the SYN Protection Static Attack Configuration pane to change the thresholds for these attacks. You cannot delete SYN Static Attacks.
Caution: DDoS Protector x06 does not support physical-port classification for SYN Protection. When triggered, all traffic that matches the attacked destination—classified by destination IP address, Layer 4 port number, and optionally a VLAN tag—will be challenged, regardless of the physical port identification. That is, even if the attack is carried out through a specific physical port, all traffic from all ports that matches the other parameters will be challenged.
To edit a static attack
1. Select DDoS Protector > SYN Protection > Attacks > Static.
2. Click on the name of an attack that you want to edit.
3. Configure the parameters, and click Set.
Parameter Description
ID (Read-only) The ID number assigned to the protection.
Attack Name A name for easy identification of the attack for configuration and reporting.
ApplicationPortGroup (Read-only) The group of TCP ports that represent the application that you want to protect.
Activation Threshold If the average rate of SYN packets received at a certain destination is higher than this threshold, the protection is activated.
Values: 1 – 150,000
Default: 2500
Termination Threshold If the average rate of SYN packets received at a certain destination for the duration of the tracking period drops below this threshold, the protection is stopped.
Values: 1 – 150,000
Default: 1500
Attack Type (Read-only) Specifies whether the SYN protection is a predefined (static) or user-defined (user) protection.
Risk The risk level assigned to this attack for reporting purposes.
Values:
low
medium
high
SYN: User Attacks
After you define SYN flood protections, you can add them to SYN profiles.
Caution: DDoS Protector x06 does not support physical-port classification for SYN Protection. When triggered, all traffic that matches the attacked destination—classified by destination IP address, Layer 4 port number, and optionally a VLAN tag—will be challenged, regardless of the physical port identification. That is, even if the attack is carried out through a specific physical port, all traffic from all ports that matches the other parameters will be challenged.
To edit a static attack
1. Select DDoS Protector > SYN Protection > Attacks > Static.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
ID The ID number assigned to the protection.
Enter 0 to cause the device to generate a valid ID.
Attack Name A name for easy identification of the attack for configuration and reporting.
ApplicationPortGroup The group of TCP ports that represent the application that you want to protect. Specify an existing group, or leave the field empty to select any port.
Activation Threshold If the average rate of SYN packets received at a certain destination is higher than this threshold, the protection is activated.
Values: 1 – 150,000
Default: 2500
Termination Threshold If the average rate of SYN packets received at a certain destination for the duration of the tracking period drops below this threshold, the protection is stopped.
Values: 1 – 150,000
Default: 1500
Risk The risk level assigned to this attack for reporting purposes.
Values:
low
medium
high
Profiles
SYN Static Profiles
The SYN Profiles window enables you to create a new SYN Profile. First, you need to create a profile, and then add the attacks you wish to protect against. The profile may then be included in the SYN Protection Policy.
To create a new SYN profile
1. Select DDoS Protector > SYN Protection > Profiles > Profile Attacks.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
SYN Profile The name for the profile.
SYN Attack From the drop-down list, select the type of attacks to include in this profile.
SYN Protection Profiles Parameters
Use the SYN Protection Profiles Parameters pane to specify the authentication parameters of an existing profile.
To specify the authentication parameters of a profile
1. Select DDoS Protector > SYN Protection > Profiles > Profiles Parameters.
2. Click the profile in the Profile Name column.
3. Configure the parameters, and click Set.
Parameter Description
Profile Name (Read-only) The name of the profile.
Authentication Method
The Authentication Method that the device uses at the transport layer.
When the device is installed in an ingress-only topology, select the Safe-Reset method.
Values:
transparent-proxy—When the device receives a SYN packet, the device replies with a SYN ACK packet with a cookie in the Sequence Number field. If the response is an ACK that contains the cookie, the device considers the session to be legitimate. Then, the device opens a connection with the destination and acts as transparent proxy between the source and the destination.
safe-reset—When the device receives a SYN packet, the device responds with an ACK packet with an invalid Sequence Number field as a cookie. If the client responds with RST and the cookie, the device discards the packet and adds the source IP address to the TCP Authentication Table. The next SYN packet from the same source passes through the device, and the session is approved for the server. The device saves the source IP address for a specified time. Typically, you specify this method when the network policy rule handles only ingress traffic.
Default: Transparent Proxy
Use HTTP Authentication
Specifies whether the device authenticates the transport layer of HTTP traffic using SYN cookies and then authenticates the HTTP application layer using the specified HTTP Authentication Method.
Values:
enable—The device authenticates the transport layer of HTTP traffic using SYN cookies and then authenticates the HTTP application layer using the specified HTTP Authentication Method.
disable—The device handles HTTP traffic using the specified TCP Authentication Method.
Default: disable
HTTP Authentication Method
The method that the profile uses to authenticate HTTP traffic at the application layer.
Values:
Redirect—The device authenticates HTTP traffic using a 302-Redirect response code.
JavaScript—The device authenticates HTTP traffic using a JavaScript object generated by the device.
Default: 302-Redirect
Notes:
Some attack tools are capable of handling 302-redirect responses. The HTTP Redirect HTTP Authentication Method is not effective against attacks that use those tools. The JavaScript HTTP Authentication Method requires an engine on the client side that supports JavaScript, and therefore, the JavaScript option is considered stronger. However, the JavaScript option has some limitations, which are relevant in certain scenarios.
Limitations when using the JavaScript HTTP Authentication Method:
If the browser does not support JavaScript calls, the browser will not answer the challenge.
When the protected server is accessed as a sub-page through another (main) page only using JavaScript, the user session will fail (that is, the browser will not answer the challenge). For example, if the protected server supplies content that is requested using a JavaScript tag, the DDoS Protector JavaScript is enclosed within the original JavaScript block. This violates JavaScript rules, which results in a challenge failure. Example:
The request below (the js.src line) accesses a secure server:
    <script>
    setTimeout(function(){
        var js=document.createElement("script");
        js.src="http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
        document.getElementsByTagName("head")[0].appendChild(js);
    },1000);
    </script>
The returned challenge page contains the <script> tag again, which is illegal, and therefore, it is dropped by the browser without making the redirect.
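The following Python walk-through is an added example, not Check Point code: it plays out the two transport-layer Authentication Methods described above (Transparent Proxy and Safe-Reset) with a device side and a client side, as the parameter description states them. The packet model, the cookie derivation (HMAC-SHA256 over the client 4-tuple, truncated to 32 bits), the lifetime of the TCP Authentication Table entry, the addresses, and the field in which the client's RST echoes the cookie are our own assumptions.

```python
"""SYN Protection transport-layer authentication, modelled (added example, not product code)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal TCP segment model, constructed for this example."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


class SynProtector:
    """Device-side logic for the two Authentication Method values."""

    def __init__(self, secret, method="transparent-proxy", auth_ttl=60):
        if method not in ("transparent-proxy", "safe-reset"):
            raise ValueError(method)
        self.secret, self.method, self.auth_ttl = secret, method, auth_ttl
        self.auth_table = {}    # Safe-Reset: TCP Authentication Table, source IP -> expiry
        self.proxied = set()    # Transparent Proxy: (src, sport) sessions that proved the cookie

    def cookie(self, pkt):
        """32-bit cookie bound to the client's 4-tuple (our derivation, not the product's)."""
        msg = f"{pkt.src}:{pkt.sport}>{pkt.dst}:{pkt.dport}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def handle(self, pkt, now):
        """Return (verdict, reply); verdicts: forward, reply, proxy, drop."""
        if self.method == "safe-reset":
            return self._safe_reset(pkt, now)
        return self._transparent_proxy(pkt)

    def _safe_reset(self, pkt, now):
        authenticated = self.auth_table.get(pkt.src, 0) > now
        if pkt.flags == "SYN" and not authenticated:
            # Unknown source: reply with an ACK whose invalid sequence number is the cookie.
            return "reply", Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "ACK",
                                   seq=self.cookie(pkt), ack=pkt.seq + 1)
        if pkt.flags == "RST" and pkt.seq == self.cookie(pkt):
            # Client echoed the cookie: record its IP for auth_ttl seconds, discard the RST.
            self.auth_table[pkt.src] = now + self.auth_ttl
            return "drop", None
        # The next SYN (and later segments) from a recorded source pass to the server.
        return ("forward", None) if authenticated else ("drop", None)

    def _transparent_proxy(self, pkt):
        if (pkt.src, pkt.sport) in self.proxied:
            return "forward", None     # session already verified; device relays it
        if pkt.flags == "SYN":
            # SYN cookie: the cookie travels in the SYN-ACK's sequence number.
            return "reply", Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "SYN-ACK",
                                   seq=self.cookie(pkt), ack=pkt.seq + 1)
        if pkt.flags == "ACK" and pkt.ack - 1 == self.cookie(pkt):
            self.proxied.add((pkt.src, pkt.sport))
            return "proxy", None       # device now opens its own connection to the destination
        return "drop", None            # no valid cookie: never reaches the server


def client_answer(reply, client_isn):
    """What a client stack in SYN-SENT sends back to the device's challenge."""
    back = dict(src=reply.dst, sport=reply.dport, dst=reply.src, dport=reply.sport)
    if reply.flags == "SYN-ACK":   # normal handshake completion: ack = seq + 1
        return Packet(**back, flags="ACK", seq=client_isn + 1, ack=reply.seq + 1)
    if reply.flags == "ACK":       # unexpected ACK: abort with RST echoing the cookie (assumed field)
        return Packet(**back, flags="RST", seq=reply.seq)
    raise ValueError(reply.flags)


CLIENT, SERVER = "198.51.100.7", "203.0.113.10"   # constructed documentation addresses


def safe_reset_scenario():
    dev = SynProtector(b"constructed-secret", "safe-reset", auth_ttl=60)
    syn = Packet(CLIENT, 40000, SERVER, 80, "SYN", seq=1000)
    v1, challenge = dev.handle(syn, now=0.0)                                   # first SYN is challenged
    v2, _ = dev.handle(client_answer(challenge, 1000), now=0.5)                # RST with cookie: recorded, dropped
    v3, _ = dev.handle(Packet(CLIENT, 40000, SERVER, 80, "SYN", seq=1000), now=1.0)   # retried SYN passes
    v4, _ = dev.handle(Packet(CLIENT, 40001, SERVER, 80, "SYN", seq=2000), now=61.0)  # entry expired
    return [v1, v2, v3, v4]


def transparent_proxy_scenario():
    dev = SynProtector(b"constructed-secret", "transparent-proxy")
    syn = Packet(CLIENT, 40000, SERVER, 80, "SYN", seq=1000)
    v1, synack = dev.handle(syn, now=0.0)
    v2, _ = dev.handle(client_answer(synack, 1000), now=0.1)    # valid cookie: session proxied
    stray = Packet("198.51.100.8", 40001, SERVER, 80, "ACK", seq=1, ack=0)
    stray.ack = dev.cookie(stray) + 5                          # deterministically wrong cookie
    v3, _ = dev.handle(stray, now=0.2)
    return [v1, v2, v3]


if __name__ == "__main__":
    print("safe-reset:", safe_reset_scenario())
    print("transparent-proxy:", transparent_proxy_scenario())
```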
Out-of-State
Out-of-State Global Parameters
Out of State Protection detects out-of-state packets to provide additional protection for application-level attacks.
To configure global stateful inspection parameters
1. Select DDoS Protector > Denial of Service > Out-of-State > Global Parameters.
2. From the Protection Status drop-down list, choose enable.
3. Click Set and confirm reset.
4. Configure the parameters, and click Set.
Parameter Description
Protection Status Specifies whether or not Out-of-State inspection protection is enabled.
Startup Mode The behavior of the device after startup. Out-of-State Protection cannot be applied to existing traffic; therefore, the device can either drop existing traffic and apply Out-of-State Protection to all new traffic, or suspend Out-of-State Protection for a period of time, which is used to learn traffic and sessions.
Values:
On—Start the protection immediately. Existing sessions are dropped and only new sessions are allowed.
Off—Do not protect.
Graceful—Start the protection while maintaining existing sessions for the time specified by the StartUp Timer parameter.
Default: Graceful
StartUp Timer For Graceful startup mode, this parameter specifies the time, in seconds, after startup when the device ignores Out-of-State Protection and registers all sessions in the Session table, including those whose initiation was not registered (for example, SYN with TCP). After this time, the device drops new sessions whose initiation was not registered (for example, SYN with TCP).
Values: 0 – 65,535
Default: 1800
Operational State Specifies whether the device starts and stops Out-of-State Protection without rebooting the device.
Out-of-State Profiles
Out of State Protection detects out-of-state packets to provide additional protection for application-level attacks.
Caution: In cases of overlapping network policies configured with Out-of-State profiles, attacks triggered on both policies are reported twice, once per policy. Therefore, there might be some inconsistencies in the DDoS Protector counter values for discarded traffic.
Caution: The DDoS Protector x06 platform uses two CPUs to handle the activation and termination of Out of State protection. DDoS Protector issues an Occurred trap when half the threshold is reached on one CPU, and DDoS Protector does not issue Start or Term (terminated) traps. There is a small chance that DDoS Protector will report Out-of-State security events even if the specified thresholds have not been reached.
To configure an Out of State Protection profile
1. Select DDoS Protector > Denial of Service > Out-of-State > Profiles.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Profile Name The name of the profile.
Activation Threshold The rate, in PPS, of out-of-state packets above which the profile considers the packets to be part of a flood attack. When the device detects an attack, it issues an appropriate alert and drops the out-of-state packets that exceed the threshold. Packets that do not exceed the threshold bypass the DDoS Protector device.
Values: 1 – 250,000
Default: 5000
Termination Threshold
The rate, in PPS, of out-of-state packets below which the profile considers the flood attack to have stopped, and the device resumes normal operation.
Values: 1 – 250,000
Default: 4000
SYN-ACK Allow status
Values:
enable—When the device receives a SYN-ACK packet for which the device has received no corresponding SYN packet, the device opens a session for the packet and processes it. This option supports asymmetric environments, where the first packet that the device receives is the SYN-ACK.
disable—When the device receives a SYN-ACK packet for which the device has received no corresponding SYN packet, the device drops the packet and counts it toward the Activation Threshold and Termination Threshold.
Default: enable
Packet Trace status Specifies whether the profile sends out-of-state packets to the specified physical port.
Default: disable
Profile Risk The risk—for reporting purposes—assigned to the attack that the profile detects.
Values: info, low, medium, high
Default: low
Profile Action The action that the profile takes when it encounters out-of-state packets.
Values: Block and Report, Report Only
Default: Block and Report
Connection Limit
Connection Limit: Profiles
The Connection Limit Profiles window enables you to create Connection Limit profiles.
Connection Limit profiles contain attack definitions for groups of TCP or UDP application ports. DDoS Protector counts the number of TCP connections, or UDP sessions, opened per client, per server, or per client plus server combination, for traffic that matches a Connection Limit policy attack definition. Once the number of connections per second reaches the specified threshold, any session/connection over the threshold is dropped, unless the action mode defined for this attack is Report Only.
You can also define whether to suspend the source IP address, dropping traffic from this source for a number of seconds according to the Suspend table parameters.
Recommended settings for policies that include Connection Limit profiles:
Configure policies containing Connection Limit profiles using Networks only with source = Any, the public network, and destination = Protected Network. You can define segments using VLAN tag, and physical ports.
It is not recommended to define networks when the Source and Destination are set to any.
Policies containing Connection Limit profiles can be configured with Direction set to either oneway or twoway.
Before you configure a Connection Limit profile, ensure the following:
Connection Limit protection is enabled.
The Session table Lookup Mode is Full Layer 4.
(Recommended) The required Connection Limit attacks are configured.
A Connection Limit profile should include all the Connection Limit Attacks that you want to apply in a network protection policy.
To configure a new Connection Limit profile
1. Select DDoS Protector > Denial of Service > Connection Limit > Profiles.
2. Click Create.
3. In the Connection Limiting Profile text box, type the name of the Connection Limit profile.
4. From the Connection Limiting Attack drop-down list, select a Connection Limit Attack to include in the profile.
5. Click Set.
To add a Connection Limit Attack to a Connection Limit profile
1. Select DDoS Protector > Denial of Service > Connection Limit > Profiles.
2. Click the profile link in the table.
3. Click Create.
4. From the Connection Limiting Attack drop-down list, select a Connection Limit Attack to include in the profile.
Connection Limit: Attacks
The Connection Limit Attacks window enables you to define a Connection Limit Attack.
Configure Connection Limit Attacks to add to Connection Limit profiles for network protection.
Note: Connection Limit Attacks are also referred to as Connection Limit protections.
To configure a Connection Limit Attack
1. Select DDoS Protector > Connection Limit > Attacks.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
ID (Read-only) The ID number assigned to the Connection Limit protection.
Attack Name A descriptive name for easy identification of the attack in configuration and reporting.
Destination App. Port A group of Layer 4 ports that represent the application you want to protect.
Protocol The Layer 4 protocol of the application you want to protect.
Values: tcp, udp
Default: tcp
Threshold The maximum number of new TCP connections, or new UDP sessions, per second, allowed for each source, destination, or source-and-destination pair. All additional sessions are dropped. When the threshold is reached, attacks are identified and a security event generated.
Default: 5
Tracking Type The counting rule for tracking sessions.
Values:
Source and Target Count—Sessions are counted per source IP and destination IP address combination.
Source Count—Sessions are counted per source IP address.
Target Count—Sessions are counted per destination IP address.
Default: Source Count
Note: When Tracking Type is Target Count, the Suspend Action can only be None.
Action Mode The action when an attack is detected.
Values:
Drop—The packet is discarded.
Report-only—The packet is forwarded to the destination IP address.
Reset Source—Sends a TCP-Reset packet to the packet source IP address.
Default: Drop
Risk The risk assigned to this attack for reporting purposes.
Values: High, Info, Low, Medium
Default: Medium
Suspend Action Specifies which session traffic the device suspends for the attack duration (see Suspend Table).
Values:
None—Suspend action is disabled for this attack.
SrcIP—All traffic from the IP address identified as the source of this attack is suspended.
SrcIP, DestIP—Traffic from the IP address identified as the source of this attack to the destination IP address under attack is suspended.
SrcIP, DestPort—Traffic from the IP address identified as the source of this attack to the application (Destination port) under attack is suspended.
SrcIP, DestIP, DestPort—Traffic from the IP address identified as the source of this attack to the destination IP address and port under attack is suspended.
SrcIP, DestIP, SrcPort, DestPort—Traffic from the IP address and port identified as the source of this attack to the destination IP address and port under attack is suspended.
Default: None
Note: When Tracking Type is Target Count, the Suspend Action can only be None.
Packet Trace Specifies whether the DDoS Protector device sends attack packets to the specified physical port.
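The counting rule, Threshold, Action Mode and Suspend Action described for Connection Limit profiles and attacks above, worked through as an added Python example (not DDoS Protector's own code). The session-event format, the Suspend table duration (suspend_seconds) and the choice to suspend a source only when its traffic is actually blocked are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Session-open event: (second, protocol, src_ip, src_port, dst_ip, dst_port).
# Constructed sample (not device output): one source opens 7 web sessions in
# second 0 and 1 more in second 1; a second source opens 2; one DNS query.
SESSIONS = (
    [(0, "tcp", "203.0.113.7", 40000 + i, "198.51.100.10", 80) for i in range(7)]
    + [(0, "udp", "203.0.113.7", 5353, "198.51.100.10", 53),
       (1, "tcp", "203.0.113.7", 40100, "198.51.100.10", 80),
       (1, "tcp", "203.0.113.9", 41000, "198.51.100.10", 80),
       (1, "tcp", "203.0.113.9", 41001, "198.51.100.10", 443)]
)

@dataclass(frozen=True)
class ConnectionLimitAttack:
    """One Connection Limit attack definition (the parameters of the table above)."""
    name: str
    dest_ports: frozenset                 # Destination App. Port group
    protocol: str = "tcp"                 # tcp | udp
    threshold: int = 5                    # new sessions per second per tracked key
    tracking_type: str = "Source Count"   # | Target Count | Source and Target Count
    action_mode: str = "Drop"             # Drop | Report-only | Reset Source
    suspend_action: str = "None"          # None | SrcIP | SrcIP, DestIP | ... (see table)
    suspend_seconds: int = 10             # Suspend table duration (assumed value)

    def __post_init__(self):
        # Guide note: with Target Count tracking, Suspend Action can only be None.
        if self.tracking_type == "Target Count" and self.suspend_action != "None":
            raise ValueError("Target Count tracking allows Suspend Action None only")

    def tracking_key(self, src, dst):
        """The counting rule: the identity the per-second counter is kept for."""
        if self.tracking_type == "Source Count":
            return (src,)
        if self.tracking_type == "Target Count":
            return (dst,)
        return (src, dst)

    def suspend_key(self, src, sport, dst, dport):
        """Which traffic the Suspend Action blocks for the attack duration."""
        return {
            "None": None,
            "SrcIP": (src,),
            "SrcIP, DestIP": (src, dst),
            "SrcIP, DestPort": (src, dport),
            "SrcIP, DestIP, DestPort": (src, dst, dport),
            "SrcIP, DestIP, SrcPort, DestPort": (src, dst, sport, dport),
        }[self.suspend_action]

def evaluate(attack, sessions):
    """Apply one attack definition to session-open events in time order.
    Returns (verdicts, events): (verdict, session) pairs and the security events."""
    counters = defaultdict(int)   # (second, tracking key) -> sessions admitted
    suspended = {}                # suspend key -> second at which the suspension ends
    verdicts, events = [], []
    for s in sessions:
        sec, proto, src, sport, dst, dport = s
        if proto != attack.protocol or dport not in attack.dest_ports:
            verdicts.append(("forward", s))          # not covered by this attack
            continue
        skey = attack.suspend_key(src, sport, dst, dport)
        if skey is not None and suspended.get(skey, 0) > sec:
            verdicts.append(("drop:suspended", s))   # Suspend table hit, not counted
            continue
        tkey = attack.tracking_key(src, dst)
        if counters[(sec, tkey)] < attack.threshold:
            counters[(sec, tkey)] += 1
            verdicts.append(("forward", s))
            continue
        # Threshold reached: raise a security event and apply the Action Mode.
        events.append((sec, attack.name, tkey))
        if attack.action_mode == "Report-only":
            verdicts.append(("forward:report", s))   # forwarded, reported only
        elif attack.action_mode == "Reset Source":
            verdicts.append(("reset-source", s))     # TCP RST sent to the source
        else:
            verdicts.append(("drop", s))
        # Assumption: the source is suspended only when its traffic is actually blocked.
        if skey is not None and attack.action_mode != "Report-only":
            suspended[skey] = sec + attack.suspend_seconds
    return verdicts, events

def summarize(verdicts):
    """Count verdicts by kind, e.g. {'forward': 8, 'drop': 1, 'drop:suspended': 2}."""
    counts = defaultdict(int)
    for verdict, _ in verdicts:
        counts[verdict] += 1
    return dict(counts)

# Constructed attack definition: web ports, default threshold, suspend the source IP.
WEB_ATTACK = ConnectionLimitAttack(name="http-conn-limit", dest_ports=frozenset({80, 443}),
                                   action_mode="Drop", suspend_action="SrcIP")
REPORT_ONLY = replace(WEB_ATTACK, action_mode="Report-only")
```

With the Drop definition the sixth session in second 0 raises the event and the seventh, plus the source's session in second 1, are dropped from the Suspend table; with Report-only the same sessions are forwarded and only reported.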
HTTP Mitigator
HTTP Mitigator Global Setting
The HTTP Mitigator detects and mitigates HTTP request flood attacks to protect Web servers. The HTTP Mitigator collects and builds a statistical model of the protected server traffic, and then, using fuzzy logic inference systems and statistical thresholds, detects traffic anomalies and identifies the malicious sources.
To configure the HTTP mitigator
1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Global Settings.
2. Configure the parameters, and click Set.
Parameter Description
Protection Status Specifies whether the HTTP Mitigator is enabled on the device.
HTTP flood protection must be enabled to set HTTP flood protection parameters.
Default: enable
Learning period before activation The time, in days, the HTTP Mitigator takes to collect the data needed to establish the baseline that HTTP Mitigation uses.
Values: 0 – 65,536
Default: 7
Learning Mode The learning mode of the HTTP Mitigator.
Values:
Continuous Only—The learning process about the traffic environment is continuous.
Automatic—The HTTP Mitigator can switch to 24x7 learning when it detects a recurring pattern per hour of the day of the week in a period of 4, 8, or 12 weeks (based on sensitivity).
Learning Sensitivity The period from which the HTTP Mitigator establishes baselines. Select the time unit based on the site characteristics. For example, if the site traffic fluctuates during the course of a day, but fluctuates the same way each day, select Day, but if there are significant fluctuations between the days of the week, select Week.
Values: Day, Week, Month
Default: Week
Advanced
HTTP Mitigator Advanced Mitigation Configuration
Check Point recommends that only advanced users modify the values in the HTTP Mitigator Advanced Mitigation Configuration pane.
To perform advanced configuration for the manual mitigation mode
1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Advanced > Mitigation Configuration.
2. Configure the parameters, and click Set.
Parameter Description
Mitigation Failure Condition The number of automatic attempts that the device makes before announcing an anomaly state, meaning the device cannot mitigate the attack.
Values: 1 – 100
Default: 3
Clear Authentication List On Negative Feedback
Specifies whether the device clears the authentication table (which is a white list) every time a challenge state fails to block the attack.
Values: enable, disable
Default: disable
HTTP Mitigator Advanced Profiles
Use the HTTP Mitigator Advanced Profiles pane to configure an HTTP Flood Mitigation profile with advanced parameters.
HTTP Flood Mitigation profiles defend the applications in your network against server flooding.
Server flood attacks are aimed at specific servers causing denial of service at the server level. These types of attacks disrupt a server by sending more requests than the server can handle, thereby preventing access to a service.
Server attacks differ from network-flood attacks either in the attack volume or in the nature of the requests used in the attack. Server flood attacks use legitimate requests that cannot be distinguished from regular customer requests.
Before you configure an HTTP Flood profile, ensure that HTTP mitigation is enabled and the global parameters are configured.
To configure an HTTP Flood Mitigation profile with advanced parameters
1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Advanced > Profiles Configuration.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Profile Name The name of the profile.
Sensitivity When User-Defined Attack Triggers are not used, this parameter specifies how sensitive the profile is to deviations from the baseline. High specifies that the profile identifies an attack when the device detects only a small deviation from the baselines.
Values:
minor
low
medium
high
Default: medium
Action The action that the profile takes when the profile detects suspicious traffic.
Values:
Block and Report—Blocks and reports on the suspicious traffic.
Report Only—Reports the suspicious traffic.
Default: Block and Report
User Defined Attack Triggers
Specifies whether the profile uses static, user-defined thresholds to identify when an attack is in progress or checks the server traffic and compares the traffic behavior to the baseline to identify when an attack is in progress.
Values: inactive, active
Default: inactive
Get and POST Request-Rate Trigger
The maximum number of GET and POST requests allowed, per server per second.
Values:
0—The profile ignores the threshold.
1 – 4,294,967,296
Default: 0
Other Request-type Request-Rate Trigger
The maximum number of requests that are not GET or POST (for example, HEAD, PUT, and so on) allowed, per server per second.
Values:
0—The profile ignores the threshold.
1 – 4,294,967,296
Default: 0
Caution: If Outbound HTTP BW Trigger is enabled and Other Request-type Request-Rate Trigger is disabled, an attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption. The same can happen when both Outbound HTTP BW Trigger and Other Request-type Request-Rate Trigger are enabled but the rate of other requests does not exceed the threshold. The high outbound HTTP bandwidth consumption may cause the Outbound HTTP BW Trigger mechanism to consider the attack to be an anomaly, and the profile will not mitigate it.
Outbound HTTP BW Trigger
The maximum allowed bandwidth, in kilobits per second, of HTTP responses.
Values:
0—The profile ignores the threshold.
1 – 4,294,967,296
Default: 0
Request-per-Source Trigger
The maximum number of requests allowed per source IP per second.
Values:
0—The profile ignores the threshold.
1 – 4,294,967,296
Default: 5
Request-per-Connection Trigger
The maximum number of requests allowed from the same connection.
Values:
0—The profile ignores the threshold.
1 – 4,294,967,296
Default: 5
Request-Rate Threshold
The number of HTTP requests per second from a source that causes the profile to consider the source to be suspicious.
Values: 1 – 65,535
Default: 5
Request-per-Connection Threshold
The number of HTTP requests for a connection that causes the profile to consider the source to be suspicious.
Values: 1 – 65,535
Default: 5
Packet Trace Specifies whether the profile sends attack packets to the specified physical port.
Values: enable, disable
Default: disable
Note: A change to this parameter takes effect only after you update policies.
Source Challenge Status
Specifies whether the profile challenges HTTP sources that match the real-time signature.
Values: enable, disable
Default: enable
Collective Challenge Status
Specifies whether the profile challenges all HTTP traffic toward the protected server.
Values: enable, disable
Default: enable
Source Blocking Status
Specifies whether the profile blocks all traffic from the suspect sources.
Values: enable, disable
Default: enable
Challenge Mode Specifies how the profile challenges suspect HTTP sources.
Values:
HTTP Redirect—The device authenticates HTTP traffic using a 302-Redirect response code.
JavaScript—The device authenticates HTTP traffic using a JavaScript object generated by the device.
Default: HTTP Redirect
Notes:
Some attack tools are capable of handling 302-redirect responses. The HTTP Redirect Challenge Mode is not effective against attacks that use those tools. The JavaScript Challenge Mode requires an engine on the client side that supports JavaScript, and therefore, the JavaScript option is considered stronger. However, the JavaScript option has some limitations, which are relevant in certain scenarios.
Limitations when using the JavaScript Challenge Mode:
If the browser does not support JavaScript calls, the browser will not answer the challenge.
When the protected server is accessed as a sub-page through another (main) page only using JavaScript, the user session will fail (that is, the browser will not answer the challenge). For example, if the protected server supplies content that is requested using a JavaScript tag, the DDoS Protector JavaScript is enclosed within the original JavaScript block. This violates JavaScript rules, which results in a challenge failure. Example: The request below accesses a secure server:
<script>
setTimeout(function(){
  // create a script tag whose source is served by the protected server
  var js=document.createElement("script");
  js.src="http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
  // inserting it into the page triggers the request one second after load
  document.getElementsByTagName("head")[0].appendChild(js);
},1000);
</script>
The returned challenge page contains the <script> tag again, which is illegal, and therefore, it is dropped by the browser without making the redirect.
Other Requests Decision Engine
Specifies whether the profile identifies an HTTP flood attack when the rate of requests that are not GET or POST requests exceeds the learned baseline.
Values: enable, disable
Default: enable
Caution: If Outbound BW Decision Engine is enabled and Other Requests Decision Engine is disabled, an attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption. The same can happen when both Outbound BW Decision Engine and Other Requests Decision Engine are enabled but the rate of other requests does not exceed the threshold. The high outbound HTTP bandwidth consumption may cause the Outbound HTTP Bandwidth mechanism to consider the attack to be an anomaly, and the profile will not mitigate it.
Requests per source Decision Engine
Specifies whether the profile identifies an HTTP flood attack when the rate of requests per source exceeds the learned baseline.
Values: enable, disable
Default: enable
Get and POST global requests Decision Engine
Specifies whether the profile identifies an HTTP flood attack when the rate of GET and POST requests exceeds the learned baseline.
Values: enable, disable
Default: enable
Outbound BW Decision Engine
Specifies whether the profile identifies an HTTP flood attack when the outbound HTTP bandwidth exceeds the learned baseline.
Values: enable, disable
Default: enable
Requests per connection Decision Engine
Specifies whether the profile identifies an HTTP flood attack when the rate of requests per connection exceeds the learned baseline.
Values: enable, disable
Default: enable
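The User Defined Attack Triggers and the two per-source suspicion thresholds from the table above, applied to one second of request records towards a protected server, as an added Python example that is neither the guide's nor the product's code. The request-record format, the sample traffic, and the reading of a trigger as "fires above the value" versus a threshold as "reaching the value makes the source suspicious" are assumptions; the baseline-driven decision engines are not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass, replace

# Request record: (second, src_ip, connection_id, method, response_bytes), all
# towards one protected server. Constructed for this example, not device output:
# one source sends 8 GETs over a single connection while a second source browses.
REQUESTS = (
    [(10, "203.0.113.5", "c1", "GET", 20_000) for _ in range(8)]
    + [(10, "198.51.100.20", "c2", "GET", 20_000),
       (10, "198.51.100.20", "c2", "POST", 20_000),
       (10, "198.51.100.20", "c3", "HEAD", 20_000)]
)

@dataclass(frozen=True)
class HttpFloodProfile:
    """Static (user-defined) trigger and threshold parameters of the table above.
    A trigger value of 0 means the profile ignores that trigger."""
    name: str
    user_defined_triggers: bool = False        # User Defined Attack Triggers
    get_post_rate_trigger: int = 0             # GET+POST requests per server per second
    other_rate_trigger: int = 0                # non-GET/POST requests per server per second
    outbound_bw_trigger_kbps: int = 0          # HTTP response bandwidth, kilobits per second
    request_per_source_trigger: int = 5        # requests per source IP per second
    request_per_connection_trigger: int = 5    # requests on the same connection
    request_rate_threshold: int = 5            # per-source rate that marks a source suspicious
    request_per_connection_threshold: int = 5  # per-connection count that marks it suspicious

def exceeds(value, trigger):
    """Triggers are maxima: fire only above the value, and never when set to 0."""
    return trigger != 0 and value > trigger

def evaluate_second(profile, requests, second):
    """Check one second of traffic to the server against the profile.
    Returns (fired_triggers, suspicious_sources). Triggers fire only when
    User Defined Attack Triggers is active."""
    window = [r for r in requests if r[0] == second]
    get_post = sum(1 for r in window if r[3] in ("GET", "POST"))
    other = len(window) - get_post
    kbps = sum(r[4] for r in window) * 8 / 1000
    per_source = defaultdict(int)
    for r in window:
        per_source[r[1]] += 1
    # Requests per connection accumulate over the connection's lifetime, so count
    # every request seen up to this second, not only the current window.
    per_conn, conn_source = defaultdict(int), {}
    for r in requests:
        if r[0] <= second:
            per_conn[r[2]] += 1
            conn_source[r[2]] = r[1]

    fired = []
    if profile.user_defined_triggers:
        checks = [
            ("Get and POST Request-Rate Trigger", get_post, profile.get_post_rate_trigger),
            ("Other Request-type Request-Rate Trigger", other, profile.other_rate_trigger),
            ("Outbound HTTP BW Trigger", kbps, profile.outbound_bw_trigger_kbps),
            ("Request-per-Source Trigger", max(per_source.values(), default=0),
             profile.request_per_source_trigger),
            ("Request-per-Connection Trigger", max(per_conn.values(), default=0),
             profile.request_per_connection_trigger),
        ]
        fired = [name for name, value, trigger in checks if exceeds(value, trigger)]

    # Suspicious sources: those reaching the Request-Rate Threshold in this second,
    # or owning a connection that reached the Request-per-Connection Threshold.
    suspicious = {src for src, n in per_source.items()
                  if n >= profile.request_rate_threshold}
    suspicious |= {conn_source[c] for c, n in per_conn.items()
                   if n >= profile.request_per_connection_threshold}
    return fired, sorted(suspicious)

# Constructed profiles: static triggers on, GET/POST rate generous, "other" rate ignored,
# outbound bandwidth capped at 1,000 kbit/s; and the same profile with triggers inactive.
STATIC_PROFILE = HttpFloodProfile(
    name="web-static", user_defined_triggers=True,
    get_post_rate_trigger=50, other_rate_trigger=0, outbound_bw_trigger_kbps=1000,
)
BASELINE_PROFILE = replace(STATIC_PROFILE, user_defined_triggers=False)
```

In the sample second the 11 responses of 20,000 bytes amount to 1,760 kbit/s, so the bandwidth, per-source and per-connection triggers fire, while the ignored "other" trigger stays silent even though one HEAD request was seen.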
HTTP Mitigator Profiles
Use the HTTP Mitigator Profiles pane to configure a basic HTTP Flood Mitigation profile.
Note: To configure an HTTP Flood Mitigation profile with advanced parameters, use the HTTP Mitigator Advanced Profiles pane. For more information, see HTTP Mitigator Advanced Profiles.
HTTP Flood Mitigation profiles defend the applications in your network against server flooding.
Server flood attacks are aimed at specific servers causing denial of service at the server level. These types of attacks disrupt a server by sending more requests than the server can handle, thereby preventing access to a service.
Server attacks differ from network-flood attacks either in the attack volume or in the nature of the requests used in the attack. Server flood attacks use legitimate requests that cannot be distinguished from regular customer requests.
Before you configure an HTTP Flood Mitigation profile, ensure that HTTP mitigation is enabled and the global parameters are configured.
To configure a basic HTTP Flood Mitigation profile
1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Profiles.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Profile Name The name of the profile.
Sensitivity Specifies how sensitive the profile is to deviations from the baseline. High specifies that the profile identifies an attack when the device detects only a small deviation from the baselines.
Values:
minor
low
medium
high
Default: medium
Action The action that the profile takes when the profile detects suspicious traffic.
Values:
Block and Report—Blocks and reports on the suspicious traffic.
Report Only—Reports the suspicious traffic.
Default: Block and Report
Packet Trace Specifies whether the profile sends attack packets to the specified physical port.
Values: enable, disable
Default: disable
Note: A change to this parameter takes effect only after you update policies.
Authentication tables
DNS Authentication Table
The DNS authentication table holds the DNS source addresses.
To set the DNS authentication table parameters
1. Select DDoS Protector > Authentication table > DNS.
2. Configure the parameters, and click Set.
Parameter Description
Authentication table status Specifies whether the device uses the DNS authentication table (which is a white list) during a DNS challenge state.
Values: enable, disable
Authentication table aging The time, in minutes, that the device keeps idle sources in the DNS Authentication table.
Values: 1–60
Default: 20
Note: You can enter a value even if DNS Flood Protection is not enabled, and the value will persist.
Authentication table utilization The percentage of the table that is full.
Clean Table Select the checkbox to clear the authentication table.
TCP Authentication table
The TCP authentication table holds the TCP source addresses.
To set the TCP authentication table parameters
1. Select DDoS Protector > Authentication table > TCP.
2. Configure the parameters, and click Set.
Parameter Description
Authentication table aging The time, in seconds, that the device keeps idle sources in the TCP Authentication table.
Values: 60–3600
Default: 1200
Authentication table utilization (Read-only) The percentage of the table that is currently full.
Clean Table Select the checkbox to clear the authentication table.
HTTP Authentication table
The HTTP authentication table holds source-destination pairs for protected HTTP servers, so the same source address can occupy several entries. For example, if there are two attacks towards two HTTP servers and the source addresses are the same, there will be two entries for the source in the table, one for each server.
To set the HTTP authentication table parameters
1. Select DDoS Protector > Authentication table > HTTP.
2. Configure the parameters, and click Set.
Parameter Description
Authentication table aging The time, in seconds, that the device keeps idle sources in the HTTP Authentication table.
Values: 60–3600
Default: 1200
Authentication table utilization (Read-only) The percentage of the table that is currently full.
Clean Table Select the checkbox to clear the authentication table.
Server Protection
Protected Servers
The Server Protection table contains the protected servers and the actions that DDoS Protector takes when an attack on a protected server is detected. You can add servers to the Server Protection table manually, or the Service Discovery mechanism can add discovered servers to the table.
The name of a discovered server in the Server Protection table is in the following format:
<Number>_<NetworkProtectionPolicyName>
where:
<Number> is a number that the DDoS Protector device generates serially.
<NetworkProtectionPolicyName> is the Network Protection policy that discovered the server.
Example: 234_MyNetPolicyN
To configure a protected server
1. Select DDoS Protector > Server Protection > Protected Servers.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Name The name of the server.
Maximum characters: 30
IP The IP address of the protected server.
HTTP mitigator Profile
The HTTP-flood-mitigator profile that the device activates against an attack.
State Values:
active—The server protection is active.
inactive—The server protection is inactive, but the DDoS Protector device maintains baselines and the configuration of the associated HTTP profile.
Default: active
Server Status The status of the server, especially in the context of the Service Discovery mechanism.
Values:
static—The server is a static member of the Server Protection table, and it is protected if the State is active. If the server is a discovered server, the Service Discovery mechanism does not revalidate the server.
ignored—The server is ignored, with no protection from the device. The DDoS Protector device maintains no baselines or associated HTTP profile configuration for the server.
discovered—The Service Discovery mechanism discovered the server, and it is protected if the State is active. The Service Discovery mechanism revalidates the server according to the specified Revalidation Time.
revalidating—For internal use only. The Service Discovery mechanism is currently checking again whether the server meets the Tracking-Time–Responses-per-Minute criteria.
in evaluation—For internal use only. The Service Discovery mechanism is currently checking whether the server meets the Tracking-Time–Responses-per-Minute criteria.
Notes:
For server entries that you create, you can only specify the Server Status static or ignored.
You can change the Server Status from discovered only to static or ignored.
You cannot change the Server Status once you specify ignored. You can delete the server entry if required.
Discoverer Policy Specifies the Network Protection policy with a Service Discovery profile that added the server to the Server Protection table.
Note: You can modify a Discoverer Policy only for a server whose Server Status is discovered.
White List
DDoS Protector exempts packets that match an active White List policy from specified inspection processes.
For each protection, you can set the direction of the bypass. For example, sessions initiated from the white list IP address are bypassed, while sessions initiated toward the IP address are inspected as usual.
Note: Since IP addresses belonging to the White list are not inspected, certain protections are not applied for the opposite direction. For example, with SYN protection this can cause servers to not be added to known destinations due to ACK packets not being inspected.
Caution: DDoS Protector continues to block packets from a source or destination that is part of an active attack even after you add the source or destination to the White List per protection.
To configure a white list policy
1. Select DDoS Protector > White List.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
State Specifies whether the policy is active. You can select inactive to deactivate the policy without removing it from the list.
Values: active, inactive
Default: active
Name The user-defined name for the policy.
SrcNetwork The source of the packets that the policy uses.
Values:
A Network class
An IP address
any
DstNetwork The destination of the packets that the policy uses.
Values:
A Network class
An IP address
any
SrcPortGroup The source Application Port class or application-port number that the policy uses.
Values:
An Application Port class
An application-port number
Note: This parameter is relevant only for UDP, TCP, and SCTP traffic. You cannot use a port group for ICMP, IGMP, or GRE.
DstPortGroup The destination Application Port class or application-port number that the policy uses.
Values:
An Application Port class
An application-port number
Note: This parameter is relevant only for UDP, TCP, and SCTP traffic. You cannot use a port group for ICMP, IGMP, or GRE.
PhysicalPortGroup The Physical Port class or physical port that the policy uses.
Values:
A Physical Port class
The physical ports on the device
VLANTag The VLAN Tag class that the policy uses.
Values: A VLAN Tag class
Protocol The protocol of the traffic that the policy uses.
Values:
Any
GRE
ICMP
ICMPv6
IGMP
SCTP
TCP
UDP
L2TP
GTP
IP in IP
Default: Any
Direction The direction of the traffic to which the policy relates. This parameter relates to L4 sessions only.
Values:
one-direct—The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.
bi-direct—The protection applies to sessions that match the network definitions of the policy regardless of their direction.
Default: one-direct
Description The user-defined description for the policy, up to 19 characters.
All Modules Bypass Specifies whether the policy includes all specific protection modules.
Values:
active—The specified Classification criteria determine the traffic that is exempt from security inspection.
inactive—The specified source (that is, the source Network class or source IP address) and specified protection modules determine the traffic that is exempt from security inspection.
Default: active
Performance is better when All Modules Bypass is active than when the modules are enabled individually.
SYN Protection Bypass When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses SYN Protection inspection.
Values: active, inactive
Default: active
Anti-Scanning Bypass When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Anti-Scanning inspection.
Values: active, inactive
Default: active
Signature Protection Bypass
When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Signature Protection inspection.
Values: active, inactive
Default: active
HTTP Mitigator Bypass When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses HTTP Flood inspection.
Values: active, inactive
Default: active
Black List
DDoS Protector drops packets that match an active Black List rule. The Black List comprises the traffic that the device always blocks without inspection. You use the Black List as policy exceptions for security policies. The device black-lists packets if all the criteria for the policy evaluate to true.
You enable or disable the Packet Trace feature for all the Black List rules on the device. When the Packet Trace feature is enabled for Black Lists, the DDoS Protector device sends blacklisted packets to the specified physical port.
To configure the Packet Trace status
1. Select DDoS Protector > Black List.
2. From the Packet Trace Status drop-down list, select enable or disable.
3. Click Set.
To configure a Black List rule
1. Select DDoS Protector > Black List.
2. Click Create.
3. Configure the parameters and click Set.
Parameter Description
State Specifies whether the rule is active. You can select inactive to deactivate the rule without removing it from the list.
Values: active, inactive
Default: active
Name The user-defined name for the rule.
SrcNetwork The source of the packets that the rule uses.
Values:
A Network class
An IP address
any
DstNetwork The destination of the packets that the rule uses.
Values:
A Network class
An IP address
any
SrcPortGroup The source Application Port class or application-port number that the rule uses.
Values:
An Application Port class
An application-port number
Note: This parameter is relevant only for UDP, TCP, and SCTP traffic. You cannot use a port group for ICMP, IGMP, or GRE.
DstPortGroup The destination Application Port class or application-port number that the rule uses.
Values:
An Application Port class
An application-port number
Note: This parameter is relevant only for UDP, TCP, and SCTP traffic. You cannot use a port group for ICMP, IGMP, or GRE.
PhysicalPortGroup The Physical Port class or physical port that the rule uses.
Values:
A Physical Port class
The physical ports on the device
VLANTag The VLAN Tag class that the rule uses.
Values: A VLAN Tag class
Protocol The protocol of the traffic that the rule uses.
Values:
Any
GRE
ICMP
ICMPv6
IGMP
SCTP
TCP
UDP
L2TP
GTP
IP in IP
Default: Any
Direction The direction of the traffic to which the rule relates. This parameter relates to L4 sessions only.
Values:
one-direct—The protection applies to sessions originating from sources to destinations that match the network definitions of the rule.
bi-direct—The protection applies to sessions that match the network definitions of the rule regardless of their direction.
Default: one-direct
Report Action The report action that the device takes when it encounters a packet that matches the rule.
Values:
report—The device issues a trap when it encounters a blacklisted packet.
no-report—The device issues no trap when it encounters a blacklisted packet.
Description The user-defined description for the rule, up to 19 characters.
Entry Expiration Timer (Hours)
Entry Expiration Timer (Minutes)
Specifies the hours and minutes remaining for the rule. The maximum Expiration Timer is two hours.
The Expiration Timer can be used only with dynamic Black List rules. The Expiration Timer for a static Black List rule must be set to 0 (zero hours and zero minutes).
When the rule expires (that is, when the Entry Expiration Timer elapses), the rule disappears from the Black List Policy table when the table refreshes.
Dynamic Specifies whether the rule implements the Expiration Timer.
Default: Disabled
Note: Changing the configuration of this option takes effect only after you update policies.
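The classification criteria that White List policies and Black List rules share, the one-direct/bi-direct semantics, the port-group restriction for ICMP, IGMP and GRE, and the Black List Expiration Timer rules, as an added Python example (not the product's code). The Session record, the created_at field and first-match evaluation are assumptions, and the per-module bypass flags of the White List are not modelled.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

ANY = "any"
PORT_PROTOCOLS = {"TCP", "UDP", "SCTP"}   # the only protocols for which port groups apply

@dataclass(frozen=True)
class Session:
    """The first packet of an L4 session, initiator -> responder (constructed format)."""
    protocol: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    physical_port: str = "1"
    vlan: Optional[int] = None

    def reversed(self):
        return replace(self, src_ip=self.dst_ip, src_port=self.dst_port,
                       dst_ip=self.src_ip, dst_port=self.src_port)

@dataclass(frozen=True)
class ListRule:
    """A White List policy or Black List rule: the classification fields of the tables
    above plus the Black List expiration fields. Empty groups mean "no criterion"."""
    name: str
    src_network: str = ANY                 # Network class (CIDR), an IP address, or any
    dst_network: str = ANY
    src_ports: frozenset = frozenset()     # Application Port class or single port
    dst_ports: frozenset = frozenset()
    physical_ports: frozenset = frozenset()
    vlan_tags: frozenset = frozenset()
    protocol: str = "Any"
    direction: str = "one-direct"          # one-direct | bi-direct
    state: str = "active"                  # active | inactive
    dynamic: bool = False                  # Black List: rule implements the Expiration Timer
    expire_hours: int = 0
    expire_minutes: int = 0
    created_at: int = 0                    # epoch seconds when the rule was set (assumed)

    def __post_init__(self):
        if self.protocol not in PORT_PROTOCOLS | {"Any"} and (self.src_ports or self.dst_ports):
            raise ValueError(f"{self.name}: no port group for {self.protocol}")
        minutes = self.timer_minutes()
        if not self.dynamic and minutes:
            raise ValueError(f"{self.name}: a static rule must have a 0 Expiration Timer")
        if minutes > 120:
            raise ValueError(f"{self.name}: the Expiration Timer may be at most two hours")

    def timer_minutes(self):
        return self.expire_hours * 60 + self.expire_minutes

    def expired(self, now):
        """A dynamic rule disappears once its Expiration Timer has elapsed."""
        minutes = self.timer_minutes()
        return self.dynamic and minutes > 0 and now >= self.created_at + minutes * 60

    def _matches_one_way(self, s):
        return (in_network(s.src_ip, self.src_network) and in_network(s.dst_ip, self.dst_network)
                and in_group(s.src_port, self.src_ports) and in_group(s.dst_port, self.dst_ports))

    def matches(self, s, now=0):
        """True when every criterion of the rule evaluates to true for the session."""
        if self.state != "active" or self.expired(now):
            return False
        if self.protocol != "Any" and s.protocol != self.protocol:
            return False
        # Port criteria can only be satisfied by TCP, UDP or SCTP traffic.
        if (self.src_ports or self.dst_ports) and s.protocol not in PORT_PROTOCOLS:
            return False
        if self.physical_ports and s.physical_port not in self.physical_ports:
            return False
        if self.vlan_tags and s.vlan not in self.vlan_tags:
            return False
        # one-direct: the session must originate on the Src side; bi-direct: either side.
        if self._matches_one_way(s):
            return True
        return self.direction == "bi-direct" and self._matches_one_way(s.reversed())

def in_network(ip, network):
    return network == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)

def in_group(port, group):
    return not group or port in group

def first_match(rules, session, now=0):
    """Name of the first active, unexpired rule the session matches, else None."""
    return next((r.name for r in rules if r.matches(session, now)), None)

# Constructed sample lists (not from a real device).
WHITE_LIST = [ListRule(name="monitoring", src_network="192.0.2.0/24",
                       dst_network="198.51.100.10", protocol="TCP", dst_ports=frozenset({443}))]
BLACK_LIST = [
    ListRule(name="scanner", src_network="203.0.113.7", dynamic=True, expire_hours=1,
             created_at=1_000),                                     # elapses at 4,600
    ListRule(name="no-gre", dst_network="198.51.100.0/24", protocol="GRE", direction="bi-direct"),
]
```

The one-direct white list policy matches a session opened by the monitoring host towards the server but not one opened by the server towards it, and the dynamic black list rule stops matching the moment its one-hour timer elapses.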
Network Protection Policies
The Network Protection policy protects your configured networks using protection profiles.
Before you configure Network Protection policy and profiles, ensure that you have enabled all the required protections and configured the corresponding global protection parameters.
Each Network Protection consists of two parts:
The classification that defines the protected network segment.
The action to be applied when an attack is detected on the matching network segment. The action defines the protection profiles to be applied to the network segment, and whether the malicious traffic should be blocked. Malicious traffic is always reported.
To configure a Network Protection policy
1. Select DDoS Protector > Policies > Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Name The name of the Network Protection policy.
Direction The direction of the traffic to which the policy relates.
Values:
oneway—The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.
twoway—The protection applies to sessions that match the network definitions of the policy regardless of their direction.
Default: One Way
Source Address The source of the packets that the rule uses.
Values:
A Network class configured in the Classes menu
An IP address
any—Any IP address
Default: any
Destination Address The destination of the packets that the rule uses.
Values:
A Network class configured in the Classes menu
An IP address
any—Any IP address
Default: any
Inbound Physical Port Group The Physical Port class or physical port that the rule uses.
Values:
A Physical Port class configured in the Classes menu
The physical ports on the device
None
Vlan Tag Group The VLAN Tag class that the rule uses.
Values:
A VLAN Tag class configured in the Classes menu
None
State Specifies whether the policy is enabled.
Values: active, inactive
Default: active
Action The default action for all attacks under this policy.
Values:
Block and Report—The malicious traffic is terminated and a security event is generated and logged.
Report Only—The malicious traffic is forwarded to its destination and a security event is generated and logged.
Default: Block and Report
Note: Signature-specific actions override the default action for the policy.
Signatures Profile The Signature Protection profile applied to the network segment defined in this policy.
Connection Limit Profile The Connection Limit profile applied to the network segment defined in this policy.
Out-Of-State Profile The Out-of-State profile applied to the network segment defined in this policy.
Behavioral DoS Profile The BDoS profile applied to the network segment defined in this policy.
SYN Protection Profile The SYN Flood profile applied to the network segment defined in this policy.
DNS Protection Profile The DNS Protection profile applied to the network segment defined in this policy.
Packet Trace Specifies whether the policy sends attack packets to the specified physical port.
Values: enable, disable
Default: disable
Packet Trace configuration on policy takes precedence
Specifies whether the configuration of the Packet Trace feature here, on this policy, takes precedence over the configuration of the Packet Trace feature in the associated profiles.
Values: enable, disable
Default: disable
Caution: A change to this parameter takes effect only after you update policies.
Service Discovery Profile The Service Discovery profile that the Network Protection policy uses to identify HTTP servers to protect.
Leave the field empty if you do not want to implement the Service Discovery feature.
For more information, see Service Discovery Global Parameters and Restore Default Configuration, which describes the default profiles.
Policies Resources Utilization
The Policies Resources Utilization pane is supported only on x412 platforms.
You can view statistics relating the user-defined policies to the utilization of the DME.
The values that the device exposes are calculated from the configured values, even before you run the Update Policies command.
To view statistics relating the user-defined policies to the utilization of the DoS Mitigation Engine
Select DDoS Protector > Policies > Resources View.
If any of the following values is close to the maximum, the resources for the device are exhausted:
Parameter Description
Total Number of Policies
The total number of policies in the context of the DME, which is double the number of network policies configured in the device.
Sub Policies Utilization The percentage of DME resource utilization from the entries of sub-policies.
In the context of the DME, a sub-policy is a combination of the following:
Source-IP-address range
Destination-IP-address range
VLAN-tag range
HW Entries Utilization The percentage of resource utilization from the HW entries in the context of the DME.
Policies Resources Utilization table
Parameter Description
Policy Name The name of the policy.
Direction The direction of the policy.
Values: inbound, outbound
Num of HW Entries The number of DME hardware entries that the policy uses.
Num of Sub-Policies The number of DME sub-policy entries that the policy uses.
Global
Suspend Table
Suspend Table Parameters
The Suspend Table lets you define that, for certain attacks, in addition to the action defined for the attack, the device also suspends traffic from the IP address that was the source of the attack for a period of time.
The period for which a source is suspended is set according to the following algorithm:
The first time a source is suspended, the suspension time is according to the Minimal Aging Time configured for the Suspend Table.
Each time the same source is suspended again, the suspension length is doubled, until it reaches the Maximum Aging Time set for the Suspend Table.
Once the suspension length has reached the maximum length allowed, it will remain constant for each additional suspension.
The Suspend Table Parameters window enables you to set the tuning parameters for the Suspend Table.
To set the suspend table parameters
1. Select DDoS Protector > Global > Suspend Table Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Suspend Table min time The time, in seconds, for which the DDoS Protector device suspends first-time offending source IP addresses.
Default: 10
Suspend Table max time The maximal time, in seconds, for which the DDoS Protector device suspends a specific source. Each time the DDoS Protector device suspends the same source, the suspension length doubles until it reaches the Maximal Aging Timeout.
Default: 600
Suspend Table max same source entries
The number of times the DDoS Protector device suspends the same source IP address before the DDoS Protector device suspends all traffic from that source IP address — regardless of the specified Suspend Action. For example, if the value for this parameter is 4 and the specified Suspend Action is SrcIP-DstIP-SrcPort-DstPort, the DDoS Protector device suspends all traffic from a source IP address that had an entry in the Suspend list more than four times, even if the destination IP address, source port, and destination ports were different for the previous updates to the Suspend table.
This parameter is irrelevant when the specified Suspend Action is SrcIP.
Values:
0—The device does not implement the feature.
1 – 10
Default: 0
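The following Python model of the Suspend Table behaviour described above (the doubling aging time and the max same source entries escalation) is an added example, not DDoS Protector code. The class and method names, the 4-tuple keys, the cumulative per-source counter, and the sample addresses are assumptions; the defaults are the guide's (10 seconds minimum, 600 seconds maximum).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# An entry key: (source IP, destination IP, source port, destination port).
# None in the last three positions means "all traffic from the source".
Key = Tuple[str, Optional[str], Optional[int], Optional[int]]


def suspension_length(nth: int, min_time: int = 10, max_time: int = 600) -> int:
    """Seconds for the nth suspension (nth >= 1) of one source: the minimum
    time the first time, doubled on every repeat, then held at the maximum."""
    if nth < 1:
        raise ValueError("nth must be >= 1")
    return min(min_time * 2 ** (nth - 1), max_time)


@dataclass
class SuspendTable:
    # Parameter names follow the guide; defaults are the guide's defaults.
    suspend_action: str = "SrcIP-DstIP-SrcPort-DstPort"  # or "SrcIP"
    min_time: int = 10
    max_time: int = 600
    max_same_source_entries: int = 0  # 0 disables the same-source escalation
    entries: Dict[Key, float] = field(default_factory=dict)  # key -> expiry time (seconds)
    times_suspended: Dict[str, int] = field(default_factory=dict)  # source -> count (assumed cumulative)

    def _purge(self, now: float) -> None:
        """Drop entries whose aging time has elapsed."""
        for key in [k for k, expiry in self.entries.items() if expiry <= now]:
            del self.entries[key]

    def suspend(self, now: float, src: str, dst: str, sport: int, dport: int) -> Tuple[Key, int]:
        """Record a new suspension for an offending 4-tuple; returns (entry key, length)."""
        self._purge(now)
        nth = self.times_suspended.get(src, 0) + 1
        self.times_suspended[src] = nth
        length = suspension_length(nth, self.min_time, self.max_time)
        # Escalate to the whole source once it has been suspended more than
        # max_same_source_entries times, whatever the Suspend Action says.
        escalate = 0 < self.max_same_source_entries < nth
        if self.suspend_action == "SrcIP" or escalate:
            key: Key = (src, None, None, None)
        else:
            key = (src, dst, sport, dport)
        self.entries[key] = now + length
        return key, length

    def is_suspended(self, now: float, src: str, dst: str, sport: int, dport: int) -> bool:
        """True if traffic for this 4-tuple is currently suspended."""
        self._purge(now)
        return (src, None, None, None) in self.entries or (src, dst, sport, dport) in self.entries
```

With the default action SrcIP-DstIP-SrcPort-DstPort and max same source entries set to 4, the first four suspensions of one source only affect the specific 4-tuples (for 10, 20, 40 and 80 seconds); the fifth suspends everything from that source, here for 160 seconds.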
Suspend Table Pane
Use the Suspend Table pane to view and monitor attacks that are currently in the Suspend Table.
To view the suspend table
Select DDoS Protector > Global > Suspend Table > Table. The following parameters are displayed:
Parameter Description
Source IP The IP address from which traffic was suspended.
Dest IP The IP address to which traffic was suspended (0.0.0.0 means traffic to all destinations was suspended).
Dest Port The application port to which traffic was suspended (0 means all ports).
Protocol Values: TCP, UDP
Module The internal, higher-level module that identified the entry in the Suspend Table.
Classification Object Type
The internal, classification-object Type that identified the entry in the Suspend Table.
Values: Policy, Server Protection
Classification Object Name
The internal, lower-level classification module that identified the entry in the Suspend Table, for example: Connection Limit.
Reporting
Reporting Global Parameters
Use the Reporting Global Parameters pane to enable DDoS Protector reporting channels and set the polling time parameters of the Alert Table and the Log File.
To define global reporting parameters
1. Select DDoS Protector > Reporting > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Report Interval The frequency, in seconds, at which the reports are sent through the reporting channels.
Values: 1 – 65,535
Default: 5
Max Alerts per Report
The maximum number of attack events that can appear in each report (sent within the reporting interval).
Values: 1 – 2000
Default: 1000
Report Per-Attack Aggregation Threshold
The number of events for a specific attack during a reporting interval before the events are aggregated in the report. When the number of generated events exceeds the Aggregation Threshold value, the IP address for the event is displayed as 0.0.0.0, which means any IP address.
Values: 1 – 65,535
Default: 5
SNMP Traps Sending
When enabled, the device uses the traps reporting channel.
Default: enable
Syslog Sending When enabled, the device uses the syslog reporting channel.
Default: disable
Terminal Echo When enabled, the device uses the Terminal Echo reporting channel.
Default: disable
Email Sending When enabled, the device uses the e-mail reporting channel.
Default: disable
SNMP Traps Sending Risk
The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.
Values:
info
low
medium
high
Default: low
Email Sending Risk The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.
Values:
info
low
medium
high
Default: low
Terminal Echo Risk The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.
Values:
info
low
medium
high
Default: low
Syslog Sending Risk The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.
Values:
info
low
medium
high
Default: low
Destination UDP Port The port used for packet reporting.
Values: 1 – 65,535
Default: 2088
Security Log Status When enabled, the device uses the security logging reporting channel.
Top Ten Attacks
Predefined attack reports help you to explore security attack patterns over time. Check Point has created predefined reports for specific types of attack analysis. Attacks can be ranked by volume and by type. Predefined reports also include reports for groups of attacks, or for attacks relating to a specific module.
Predefined reports allow you to focus attention on specific threats. Attack information is pre-sorted, with the most important security event information plotted in easily read charts, for your convenience.
To generate a predefined report
1. Select DDoS Protector > Reporting > Top Ten Attacks.
2. Configure the parameters, and click Set.
Parameter Description
Choose type Select the type of attack report you want.
Values:
Top Attacks—Displays the top ten attacks, according to packet count per attack.
Top Attack Sources—Displays the top attacks according to attack sources per IP address.
Top Attack Destinations—Displays the top attacks according to attack destinations per IP address.
Top Attacks by Category—Displays the top ten attack groups (Intrusions, DoS, Anomalies, SYN Floods, and Anti-Scanning), calculated according to packet count per group.
Top Attacks by Risk—Displays a breakdown of all attacks over the set period of time by risk severity (High, Medium, Low).
Seconds The number of seconds (retroactive from the current time) for the report.
Data Report
Data Reporting Target Addresses
The device can store up to 10 target addresses for data reporting.
To create a target address for data reporting
1. Select DDoS Protector > Reporting > Data Report > Address.
2. Click Create.
3. In the ip-address text box, enter the IP address.
4. Configure the parameters, and click Set.
To delete a target address for data reporting
1. Select DDoS Protector > Reporting > Data Report > Address.
2. Select the check box in the relevant row, and click Delete.
Security Log
Security Log Show
All events and alerts are logged in an all-purpose cyclic log file. The log file can be obtained at any time.
The size of the log file is limited. When the number of entries exceeds the permitted limit, the oldest entries are overwritten. You are notified about the log file utilization when the file is 80% utilized and 100% utilized.
To view alerts
1. Select DDoS Protector > Reporting > Security Log > Show.
2. Click on the Attack Index number. The following parameters are displayed.
Parameter Description
Attack Index The number of the entry in the table.
Attack Name The name of the attack that was detected.
Attack Source Address The IP address from which the attack arrived.
Attack Destination Address
The IP address to which the attack is destined.
Last Action The current status of the event.
Values:
Occurred—Each packet that matches a signature is reported as an attack and is dropped. In that case, the active Tracking Type is Drop All.
Started/terminated—When the number of packets that match a signature exceeds the predefined threshold within the Tracking Time, the reported Attack Status is started. When the number of matching packets falls below the predefined threshold, the reported Attack Status becomes terminated. In that case, the active Tracking Type is Target, or Target & Source.
Attack Time The time that the report was generated.
Date The date that the report was generated.
Attack context The context in which the attack was recognized.
Source Port TCP/UDP source port.
Destination Port TCP/UDP destination port.
Protocol The transmission protocol used.
Values: TCP, UDP, ICMP, IP
VLAN Tag The VLAN tag.
Physical Interface The actual port on the device from which the attack arrived.
ID A unique identifier of the attack.
Context The context.
Service The security service that detected the attack: Application Security, DOS Shield, Generic.
Policy Name The policy that was used to detect the attack.
Packet Count The number of packets in the attack since the latest trap was sent.
KByte Count The number of Kbytes that were dropped/forwarded.
Report Mode Values:
Drop—The packet is discarded.
Forward—The packet is forwarded to the defined destination.
Reset Source—Sends a TCP-Reset packet to the packet's source IP address.
Reset Destination—Sends a TCP-Reset packet to the packet's destination IP address.
Default—Takes the Action Mode parameter defined in the Application Security Global Parameters window.
Risk How dangerous the attack is: High, Low, Medium, Not Available.
Security Log Clear
The Security Log Clear window enables you to clear the previously created log.
To clear the log
1. Select DDoS Protector > Reporting > Security Log > Clear.
2. Click Set.
Packet Trace
To configure packet trace
1. Select DDoS Protector > Reporting > Packet Trace.
2. Configure the parameters, and click Set.
Parameter Description
Enable Packet Trace on Physical Port
Disables the Packet Trace feature, or enables it and specifies the physical port to which the DDoS Protector device sends identified attack traffic (when the Packet Trace feature is enabled in the policy rule or profile).
Values:
none—The Packet Trace feature is disabled.
The physical, inspection ports (that is, excluding the management ports)
Default: none
Caution: A change to this parameter takes effect only after you update policies.
Note: DDoS Protector x06 models support the Packet Trace functionality only for dropped traffic.
Max Packet Rate The maximum number of packets per second that the Packet Trace feature sends.
Values: 1–200,000
Default: 50,000
Caution: A change to this parameter takes effect only after you update policies.
Packet Length The maximum length, in bytes, of dropped packets that the Packet Trace feature sends. DDoS Protector can limit the size of the packets that Packet Trace sends only for dropped packets. That is, when a rule is configured with Report Only (as opposed to Block), the Packet Trace feature sends whole packets.
Values: 64 – 1550
Default: 1550
Caution: A change to this parameter takes effect only after you update policies.
Tip: If you are interested only in the headers of the dropped packets, set the minimum value, 64, to conserve resources.
Attack Database
Attack Database Version
The Attack Database Version window is a read-only window that shows the version of the current attack database.
To view the attack database version
Select DDoS Protector > Attack Database > Version.
Attack Database Send to Device
The DoS Signatures module uses the Signature File Update feature to update the signatures database.
The update of the Signature file is performed per device using the Send Attack Database to Device window.
You can download an updated DoS Signature file from the Check Point Security Updates Center, and load it to the device.
To send the signature file (attack database) to the device
1. Select DDoS Protector > Attack Database > Send to Device.
2. In the File field, type the name of the file, or click Browse to navigate to the relevant file.
Activate Latest Changes
If you edit the parameters of a basic filter or an advanced filter that is bound to an existing policy, you need to update the policy with the recent changes.
To activate the latest changes
1. Select DDoS Protector > Update Policies.
2. Click Set.
Packet Anomalies
Packet Anomalies Attacks
Packet Anomaly protection detects and provides protection against packet anomalies. Generally, whenever a packet matching one of the predefined checks arrives it is automatically blocked, discarded, and reported. However, you may wish to allow certain anomalous traffic to flow through the device without inspection.
The Packet Anomalies Table window enables you to allow certain packets to pass through the device without inspection as well as defining the risk factor.
When the Packet Trace feature is enabled for Packet Anomaly Protection, the device sends anomalous packets to the specified physical port. You enable or disable the Packet Trace feature for all the packet-anomaly protections configured on the device.
To configure the Packet Trace status
1. Select DDoS Protector > Packet Anomalies > Table.
2. From the Packet Trace Status drop-down list, select enable or disable.
3. Click Set.
To configure the packet anomalies parameters
1. Select DDoS Protector > Packet Anomalies > Table.
2. Select the relevant ID from the table.
3. Configure the parameters, and click Set.
Parameter Description
ID (Read-only) The ID number for the packet-anomaly protection.
Name (Read-only) The name of the packet-anomaly protection.
Risk The risk associated with the trap for the specific anomaly.
Values: Info, Low, Medium, High
Default: Info
Action The action that the device takes when the packet anomaly is detected. The action is only for the specified packet-anomaly protection.
Values:
block—The device discards the anomalous packets and issues a trap.
report—The device issues a trap for anomalous packets. If the Report Action is process, the packet goes to the rest of the device modules. If the Report Action is bypass, the packet bypasses the rest of the device modules.
no-report—The device issues no trap for anomalous packets. If the Report Action is process, the packet goes to the rest of the device modules. If the Report Action is bypass, the packet bypasses the rest of the device modules.
Report Action The action that the DDoS Protector device takes on the anomalous packets when the specified Action is report or no-report. The Report Action is only for the specified packet-anomaly protection.
Values:
bypass—The anomalous packets bypass the device.
process—The DDoS Protector modules process the anomalous packets. If the anomalous packets are part of an attack, DDoS Protector can mitigate the attack.
Note: You cannot select process for the following packet-anomaly protections:
104—Invalid IP Header or Total Length
107—Inconsistent IPv6 Headers
131—Invalid L4 Header Length
Default Configuration of Packet-Anomaly Protections
Anomaly Description
Unrecognized L2 Format
(This anomaly is available only on x412 platforms. This anomaly cannot be sampled.)
Packets with more than two VLAN tags, L2 broadcast, or L2 multicast traffic.
ID: 100
Default Action: No Report
Default Report Action: Process
Default Risk: Info
Incorrect IPv4 Checksum
(This anomaly is available only on x412 platforms. This anomaly cannot be sampled.)
The IP packet header checksum does not match the packet header.
ID: 103
Default Action: Drop
Default Report Action: Bypass
Default Risk: Info
Invalid IPv4 Header or Total Length
The IP packet header length does not match the actual header length, or the IP packet total length does not match the actual packet length.
ID: 104
Default Action: Drop
Report Action: Bypass
Default Risk: Info
TTL Less Than or Equal to 1 The TTL field value is less than or equal to 1.
ID: 105
Default Action: Report
Default Report Action: Process
Default Risk: Info
Inconsistent IPv6 Headers Inconsistent IPv6 headers.
ID: 107
Default Action: Drop
Report Action: Bypass—You cannot select Process for this packet-anomaly protection
Default Risk: Info
IPv6 Hop Limit Reached IPv6 hop limit is not greater than 1.
ID: 108
Default Action: Report
Default Report Action: Process
Default Risk: Info
Unsupported L4 Protocol Traffic other than UDP, TCP, ICMP, or IGMP.
ID: 110
Default Action: No Report
Default Report Action: Process
Default Risk: Info
Invalid TCP Flags The TCP flags combination is not according to the standard.
ID: 113
Default Action: Drop
Default Report Action: Bypass
Default Risk: Info
Source or Dest. Address same as Local Host
The IP packet source address or destination address is equal to the local host.
ID: 119
Default Action: Drop
Default Report Action: Bypass
Default Risk: Info
Source Address same as Dest Address (Land Attack)
The source IP address and the destination IP address in the packet header are the same. This is referred to as a LAND, Land, or LanD attack.
ID: 120
Default Action: Drop
Default Report Action: Bypass
Default Risk: Info
L4 Source or Dest. Port Zero The Layer 4 source port or destination port equals zero.
ID: 125
Default Action: Drop
Default Report Action: Bypass
Default Risk: Info
Invalid L4 Header Length The length of the Layer 4, TCP/UDP/SCTP header is invalid.
ID: 131
Default Action: Report
Report Action: Bypass—You cannot select Process for this packet-anomaly protection
Default Risk: Info
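The checks in the table above are simple header consistency tests. The following Python code is an added example, not DDoS Protector code: a small IPv4/TCP/UDP header parser that reports which of the listed packet-anomaly IDs a packet trips (checksum, header and total length, TTL, Land, local-host address, unsupported L4 protocol, port zero, L4 header length, TCP flags). The function names, the packet-builder helpers, the sample addresses, and the exact set of TCP flag combinations treated as invalid are assumptions; the guide does not define which flag combinations the device rejects.

```python
import socket
import struct
from typing import List

# Anomaly IDs and names as listed in the default-configuration table above.
ANOMALY = {
    103: "Incorrect IPv4 Checksum",
    104: "Invalid IPv4 Header or Total Length",
    105: "TTL Less Than or Equal to 1",
    110: "Unsupported L4 Protocol",
    113: "Invalid TCP Flags",
    119: "Source or Dest. Address same as Local Host",
    120: "Source Address same as Dest Address (Land Attack)",
    125: "L4 Source or Dest. Port Zero",
    131: "Invalid L4 Header Length",
}
ICMP, IGMP, TCP, UDP = 1, 2, 6, 17
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum. Run over a header whose checksum
    field is already filled in, the result is 0 exactly when it is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def invalid_tcp_flags(flags: int) -> bool:
    """Assumed set of non-standard combinations: no flags at all,
    SYN together with FIN or RST, and FIN without ACK."""
    if (flags & 0x3F) == 0:
        return True
    if (flags & SYN) and (flags & (FIN | RST)):
        return True
    return bool(flags & FIN) and not (flags & ACK)


def check_packet(pkt: bytes, local_hosts=()) -> List[int]:
    """Return the anomaly IDs an IPv4 packet trips, in ascending order.
    local_hosts holds the device's own addresses (for check 119)."""
    hits = set()
    if len(pkt) < 20:
        return [104]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or ihl > len(pkt) or total_len != len(pkt):
        return [104]  # length fields are unusable, nothing after them can be trusted
    if ipv4_checksum(pkt[:ihl]) != 0:
        hits.add(103)
    if ttl <= 1:
        hits.add(105)
    src_ip, dst_ip = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    if src_ip == dst_ip:
        hits.add(120)
    if src_ip in local_hosts or dst_ip in local_hosts:
        hits.add(119)
    if proto not in (ICMP, IGMP, TCP, UDP):
        hits.add(110)
    l4 = pkt[ihl:]
    if proto in (TCP, UDP):
        if len(l4) < (20 if proto == TCP else 8):
            hits.add(131)
        else:
            sport, dport = struct.unpack("!HH", l4[:4])
            if sport == 0 or dport == 0:
                hits.add(125)
            if proto == TCP:
                data_offset = (l4[12] >> 4) * 4
                if data_offset < 20 or data_offset > len(l4):
                    hits.add(131)
                if invalid_tcp_flags(l4[13]):
                    hits.add(113)
    return sorted(hits)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed test packet: minimal IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header (sequence numbers and checksum zeroed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
```

A clean SYN from 10.0.0.1 to 10.0.0.2 trips nothing; the same packet with both addresses set to 10.0.0.2 trips 120, with source port 0 trips 125, with SYN and FIN set trips 113, with TTL 1 trips 105, and with one byte truncated trips 104. Because check 104 returns early, a packet with bad length fields is never also reported under the later checks, which mirrors the order a real inspection pipeline needs.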
Service Discovery
Service Discovery Global Parameters
Use the Service Discovery feature in a Network Protection policy to identify HTTP servers in a specified network and protect the discovered servers with the default HTTP-flood-mitigator profile.
The Service Discovery mechanism discovers HTTP servers by identifying HTTP responses. Therefore, in order to use Service Discovery, the DDoS Protector device needs to be in a topology where it can inspect both HTTP requests and HTTP responses.
The details of the discovered servers are contained in the Server Protection table.
When a discovered server is no longer active for a specified period, the Service Discovery mechanism can remove the server from the table.
To implement the Service Discovery feature, when you configure a Network Protection policy, you specify the Service Discovery profile to use in the policy.
To configure the global parameters of the Service Discovery feature
1. Select DDoS Protector > Service Discovery > Global Parameters.
2. Configure the following parameters, and click Set.
Parameter Description
Mechanism Status
Specifies whether the DDoS Protector device uses the Service Discovery feature.
Values: enable, disable
Default: enable
Tracking Time The time, in minutes, that the Service Discovery mechanism tracks a server sending HTTP responses. The Service Discovery mechanism uses the Tracking Time and the specified number of HTTP responses during the Tracking Time to determine whether to protect the server.
Values: 1 – 60
Default: 5
Revalidation Time
Specifies how often, in days, the Service Discovery mechanism revalidates the discovered servers.
Values:
1 – 365
disable—Once identified, the Service Discovery mechanism never revalidates a server to protect.
Default: 7
Service Discovery Profiles
To implement the Service Discovery feature, when you configure a Network Protection policy, you specify the Service Discovery profile to use in the policy. Check Point DDoS Protector configures a default Service Discovery profile, ServiceDiscovery_Default. You can modify ServiceDiscovery_Default profile. You can also configure additional Service Discovery profiles to use in your Network Protection policies.
Note: The Service Discovery profile can be specified in multiple Network Protection policies, which may have overlapping network ranges. The Service Discovery mechanism protects the discovered server only with the first policy that matches.
To configure a Service Discovery profile
1. Select DDoS Protector > Service Discovery > Profiles.
2. Do one of the following:
To create a new entry, click Create.
To modify an existing entry, click the entry.
3. Configure the following parameters, and click Set.
Parameter Description
Profile Name The name of the Service Discovery profile.
Maximum characters: 30
HTTP Profile The HTTP-flood mitigator profile for the server.
Default: HTTP_Default
Notes:
The server is protected with the profile configuration that exists when the server is added to the Server Protection table. If the configuration of the profile changes, the new configuration protects only the subsequently added/discovered servers.
The profile configuration includes the parameters Action and Packet Trace, but the DDoS Protector device ignores the values. Instead, the device uses the Action and Packet Trace values that are configured in the Network Protection policy.
Responses per Minute
The average number of HTTP responses per minute during the Tracking Time (specified globally) that causes the Service Discovery mechanism to protect the server. If the total (Responses per Minute × Tracking Time) is reached before the Tracking Time elapses, the Service Discovery mechanism adds the server to the Server Protection table immediately.
Values: 1 – 5000
Default: 100
Automatic Removal Specifies whether the Service Discovery mechanism removes the server from the Server Protection table if, after the Revalidation Time, the server no longer meets the Tracking Time and Responses per Minute criteria.
Values: Yes, No
Default: No
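The following Python model of the Service Discovery counting logic described in the global parameters and profile parameters above (the Tracking Time window, the Responses per Minute threshold with immediate promotion, and Automatic Removal at the Revalidation Time) is an added example, not DDoS Protector code. The class and method names, the per-server window state, the sample addresses, and the treatment of revalidation as a plain re-application of the threshold are assumptions; the defaults are the guide's (5 minutes, 100 responses per minute, 7 days, Automatic Removal No).

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class ServiceDiscovery:
    tracking_time: int = 5            # global Tracking Time, in minutes
    responses_per_minute: int = 100   # profile Responses per Minute
    revalidation_days: int = 7        # global Revalidation Time, in days (0 = disable)
    automatic_removal: bool = False   # profile Automatic Removal
    # server -> (minute the current tracking window started, responses seen in it)
    windows: Dict[str, Tuple[float, int]] = field(default_factory=dict)
    # server -> minute it was added to the Server Protection table
    protected: Dict[str, float] = field(default_factory=dict)

    @property
    def threshold(self) -> int:
        """An average of responses_per_minute over tracking_time minutes is
        this many responses in total; reaching it early promotes at once."""
        return self.responses_per_minute * self.tracking_time

    def observe_response(self, server: str, now_min: float) -> bool:
        """Record one HTTP response sent by server at time now_min (minutes).
        Returns True when this response causes the server to be protected."""
        if server in self.protected:
            return False
        start, seen = self.windows.get(server, (now_min, 0))
        if now_min - start >= self.tracking_time:
            start, seen = now_min, 0  # window elapsed below the threshold: start over
        seen += 1
        if seen >= self.threshold:
            self.protected[server] = now_min
            self.windows.pop(server, None)
            return True
        self.windows[server] = (start, seen)
        return False

    def revalidate(self, server: str, now_min: float, responses_in_window: int) -> bool:
        """Revalidation check once revalidation_days have passed since the server
        was protected. responses_in_window is the count over one fresh Tracking
        Time window. Returns True if the server was removed."""
        if server not in self.protected or self.revalidation_days == 0:
            return False
        if now_min - self.protected[server] < self.revalidation_days * 24 * 60:
            return False
        if responses_in_window < self.threshold and self.automatic_removal:
            del self.protected[server]
            return True
        return False
```

With the defaults, a server that sends 500 responses within the first minute is protected on the 500th response rather than at the end of the 5-minute window, while a server that sends 200 responses in 5 minutes is never protected and its window restarts.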
Restore Default Configuration
DDoS Protector supports default protection profiles, which you can use in your Network Protection policies and which the default Network Protection policy uses. You cannot delete the default protection profiles, but you can change their parameters.
The Restore Default Configuration action reconfigures the default protection profiles in existing Network Protection policies with the default values, and then reboots the device. You can run the Restore Default Configuration action in the Restore Default Configuration pane.
DDoS Protector supports default profiles for the following protections:
DoS Signatures—Uses the Dos-All profile as the default profile. You can use the Dos-All profile in your Network Protection policies or you can use no DoS Shield protection. You cannot modify the profile.
BDoS—Supports the NetFlood_Default default protection profile. By default, the profile is enabled.
DNS—Supports the DNSFlood_Default default protection profile. By default, the profile is enabled.
SYN Protection—Supports the SYNFlood_Default default protection profile. By default, the profile is enabled, and includes all static SYN-protection attacks (that is, FTP Control, HTTP, HTTPS, IMAP, POP3, RPC, RTSP, SMTP, and Telnet).
OOS Protection—Supports the OOSFlood_Default default protection profile. By default, the profile is enabled.
Notes:
For the BDoS, DNS, SYN, and Out-of-State protections, you can also create your own protection profiles and use them instead of the default protection profiles.
The Restore Default Configuration action does not affect user-defined protection profiles.
Since BDoS and DNS baselines are not part of the profiles, BDoS and DNS protections keep their values during the Restore Default Configuration operation.
To restore the default configuration
1. Select DDoS Protector > Restore Default Configuration.
2. Click Set.
Chapter 6
Configuring Services Parameters
Tuning
Security
Application Security Tuning
The security tables store information about sessions passing through the device, and their sizes are correlated to the actual number of sessions.
In the Application Security Tuning window, you can view and edit the application security tuning parameters. The changes take effect after a reset.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To tune DDoS Protector application security tables
1. Select Services > Tuning > Security > Application Security.
2. To change current settings, enter new values in the after reset fields.
3. Click Set.
Parameter Description
Maximal number of http-flood suspects sources
The maximum number of suspect sources in HTTP Mitigation policies.
Values: 1000 – 500,000
Default: 100,000
Maximal number of attacks to be defined by user
The maximum number of attack entries in the User Attacks Database Table.
The Attacks Database Table contains attacks provided by Check Point as well as attacks defined by the user.
Maximal number of srcIPs in Suspend Table
The maximum number of hosts that the Suspend table is able to block simultaneously.
Values: 1000 – 100,000
Default: 10,000
Maximal number of Server Protection servers Table
The maximum number of entries in the Server Protection policy.
Values: 100 – 10,000
Default: 350
Counters Source Table
The maximum number of sessions in which a source address is tracked.
Some attack signatures use thresholds per source for activation. The Counter Source Table counts the number of times traffic from a specific source matches a signature. When the number of packets sent from a particular source exceeds the predefined limit, it is identified as an attack.
Values: 100 – 65,536
Default: 65,536
Counters Target Table
The maximum number of sessions in which a destination address is tracked.
Some attack signatures use thresholds per destination for activation. The Counter Target Table counts the number of times traffic to a specific destination matches a signature. When the number of packets sent to a particular destination exceeds the predefined limit, it is identified as an attack.
Values: 100 – 65,536
Default: 65,536
Counters Source & Target Table
The maximum number of sessions in which source and destination addresses are tracked.
Some signatures use thresholds per source and destination for activation. The Counter Source & Target Table counts the number of times traffic from a specific source to a specific destination matches a signature. When the number of packets sent from a particular source to a particular destination exceeds the predefined limit, it is identified as an attack.
Values: 100 – 65,536
Default: 65,536
Counters DHCP Table
The number of MAC addresses to check for IP requests.
The DHCP Discover table detects attacks by counting the IP requests for each MAC address. The requests are made using Dynamic Host Configuration Protocol. When the number of IP requests for a particular MAC address exceeds the predefined limit, it is identified as an attack.
Values: 100 – 64,000
Default: 100
Counters Reports for all counters
The maximum number of entries for reports on active concurrent Tracking Signatures attacks.
Values: 100 – 64,000
Default: 20,000
Maximal number of entries in NCPF table
The maximal number of entries in the New Count Per Filter table, which the DoS shield mechanism uses.
Values: 100 – 16,000
Default: 10,000
Authentication Table Tuning
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To tune the authentication table
1. Select Services > Tuning > Security > Authentication tables.
2. To change current settings, enter new values in the after reset fields.
3. Click Set.
Parameter Description
HTTP Authentication Table Size
The number of sources in the HTTP Authentication table.
DDoS Protector uses the HTTP Authentication table in HTTP Flood profiles and the HTTP Authentication feature in a SYN Protection profile.
Values: 500,000 – 2,000,000
Default: 2,000,000
TCP Authentication Table Size
The number of sources in the TCP Authentication table.
DDoS Protector uses the TCP Authentication table for the Safe Reset Authentication Method feature in SYN Protection profiles.
Values: 500,000 – 2,000,000
Default: 2,000,000
Note: For x412 platforms, the value is fixed at the default 2,000,000, and cannot be tuned.
Behavioral DoS
The Behavioral DoS Tuning window enables you to set the maximal number of Behavioral DoS policies.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
Note: Each time you update a Behavioral DoS value, you can check whether the device has enough free memory for the requested value in the Memory Check window.
To set the maximal number of behavioral DoS policies
1. Select Services > Tuning > Security > Behavioral DoS.
2. To change the current setting, enter a new value in the after reset field. Values: 1 – 100. Default: 10.
3. Click Set.
DNS Protection Tuning Parameters
In the DNS Protection Tuning Parameters window, you can view and edit the DNS Flood Protection tuning parameters.
The changes take effect after the reset.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To tune DNS Protection tables
1. Select Services > Tuning > Security > DNS Protection.
2. To change current settings, enter new values in the after reset fields.
3. Click Set.
Parameter Description
Maximal number of DNS Protection policies
The maximum number of configurable DNS Flood Protection policies.
Values: 1 – 100
Default: 10
SDM Table Size
The size of the SDM table.
Values: small, medium, large
Default: medium
Device Tuning
The Device Tuning window allows you to view and edit the device tuning parameters. The changes take effect after the reset.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To tune DDoS Protector
1. Select Services > Tuning > Device.
2. To change current settings, enter new values in the after reset fields.
3. Click Set.
Parameter Description
IP Fragmentation Table
The maximum number of IP fragments that the device stores.
Values: 1 – 256,000
Default: 1240
Session Table
The maximum number of sessions that the device can track.
Values per model:
x06—20 – 2,000,000
x412—20 – 4,000,000
Default per model:
x06—1,800,000
x412—2,885,000
Session Resets Table
The maximum number of sessions that the device tracks in order to send a RESET when Send Reset To Server is enabled in the Session table.
Values: 1 – 10,000
Default: 1000
Routing Table
The maximum number of entries in the Routing table.
Values: 20 – 32,767
Default: 64
Pending Table
The maximum number of new simultaneous dynamic sessions the device can open.
Values: 16 – 16,000
Default: 1024
SIP Call Table
The maximum number of SIP calls the device can track.
Values: 16 – 256,000
Default: 1024
TCP Segmentation Table
The maximum number of TCP segments. This parameter is used when SIP Protocol is enabled and SIP is running over TCP.
Values: 1 – 32,768
Default: 256
Memory Check
DDoS Protector pre-checks the feasibility of values in configured tables. This eliminates the chance of causing a memory allocation problem. Each time you update a value for a certain table, it is possible to check whether there is enough free memory for the requested value.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To check the device memory
1. Select Services > Tuning > Memory Check.
2. Click Perform Test. This tests whether the device has sufficient memory to allocate the values for the updated tables.
3. If there is enough memory, click Reboot to update the device with the new values.
Classifier Tuning
The Classifiers Tuning window enables you to view and edit the Classifier tuning parameters. The changes take effect after the reset.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To set the classifier tuning parameters
1. Select Services > Tuning > Classifier.
2. To change current settings, enter new values in the after reset fields.
3. Click Set.
Parameter Description
Network Table
The maximum number of entries in the table for ranges.
Values: 32 – 10,000
Default: 256
Discrete IP Addresses Per Network
The maximum number of entries in the table for IP addresses that are allocated to a network.
Values: 16 – 1024
Default: 64
Subnets Per Network
The maximum number of entries in the table for network subnets.
Values: 16 – 256
Default: 64
MAC Groups Table
The maximum number of entries in the table for MAC groups.
Values: 16 – 2048
Default: 128
Filter Table
The maximum number of entries in the table for basic filters.
Values: 512 – 2048
Default: 512
AND Group Table
The maximum number of entries in the advanced filters table for AND groups.
Values: 256 – 2048
Default: 256
OR Group Table
The maximum number of entries in the advanced filters table for OR groups.
Values: 256 – 2048
Default: 256
Application Port Groups
The maximum number of entries in the table for application port groups.
Values: 32 – 2000
Default: 512
Content Table
The maximum number of content entries in the table.
Values: 16 – 4096
Default: 256
SYN Protection Tuning
The SYN Protection Tuning window enables you to view and edit the SYN Protection Tuning parameters. The changes take effect after the reset.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To tune SYN Protection tables
1. Select Services > Tuning > SYN Protection.
2. To change current settings, enter new values in the after reset fields.
3. Click Set.
Parameter Description
SYN Protection Table
The number of entries in the SYN Protection Table, which stores data regarding the delayed binding process. An entry exists in the table from the time the client completes the handshake until the handshake with the server is complete.
The number of entries in the SYN Protection Table after reset.
Values: 10 – 500,000
Default: 200,000
SYN Protection Requests Table
The number of entries in the SYN Protection Requests Table, which stores the ACK or data packet that the client sends, until the handshake with the server is complete and the packet is sent to the server.
The number of entries in the SYN Protection Requests Table after reset.
Values: 10 – 500,000
Default: 200,000
SYN Protection Attack Detection Entries
The number of entries in the table that stores active triggers — that is, the destination IP addresses/ports for which the device identifies an ongoing attack.
Values: 1000 – 20,000
Default: 1000
SYN Statistics Entries
The number of entries in the SYN Flood Statistics table.
Values: 1000 – 20,000
Default: 1000
Diagnostics Tuning
The Diagnostics Tools Tuning window enables you to set the number of Diagnostics policy entries in the tuning table in order to save memory and limit the policy size.
The changes take effect after the reset.
Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.
To set the tuning parameters
1. Select Services > Tuning > Diagnostics.
2. To change the current setting, enter the new value in the after reset field.
3. Click Set.
Parameter Description
Diagnostics Policies Table
The number of Diagnostics policies in the table.
Diagnostics
Capture
Diagnostics Capture Parameters
The Traffic Capture tool captures packets that enter the device, leave the device, or both. The captured traffic is in TCPDUMP format. You can download the captured packets, and analyze the traffic using Unix snoop or various tools. For remote administration and debugging, you can also send captured traffic to a terminal (CLI, Telnet, and SSH). You can specify where the device captures packets to get a better understanding of the traffic flow—especially if the device manipulates the packets—due to NAT, traffic from a VIP to a real server, and so on.
The Traffic Capture tool truncates packets longer than 1619 bytes (regardless of the configuration for jumbo frames).
Caution: Enabling this feature may cause severe performance degradation.
The Traffic Capture tool uses the following format for packet capture files:
capture_<Device Name>_ddMMyyyy_hhmmss_<file number>.cap
To configure the Capture Tool
1. Select Services > Diagnostics > Capture > Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Status
Specifies whether the Capture Tool is enabled.
Values: Enabled, Disabled
Default: Disabled
Note: When the device reboots, the status of the Capture Tool reverts to Disabled.
Output To File
The location of the stored captured data.
Values:
RAM Drive and Flash—The device stores the data in RAM and appends the data to the file on the CompactFlash drive. Due to limits on CompactFlash size, DDoS Protector uses two files. When the first file becomes full, the device switches to the second, until it is full and then it overwrites the first file, and so on.
RAM Drive—The device stores the data in RAM.
None—The device does not store the data in RAM or flash, but you can view the data using a terminal.
Output To Terminal
Specifies whether the device sends captured data to the terminal.
Values: Enabled, Disabled
Default: Disabled
Capture Point
Specifies where the device captures the data.
Values:
On Packet Arrive—The device captures packets when they enter the device.
On Packet Send—The device captures packets when they leave the device.
Both—The device captures packets when they enter the device and when they leave the device.
Capture Rate
The capture rate, in packets per second.
Trace
Debug: Trace Parameters
The Trace-Log tool provides data on the traffic flow within the device. The feature is intended for debugging purposes only.
Enabling this feature may cause severe performance degradation.
DDoS Protector uses the following format for Trace-Log files:
trace_log_<Device Name>_ddMMyyyy_hhmmss_<file number>.txt
To configure the Trace-Log tool
1. Select Services > Diagnostics > Trace-Log > Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Status
Specifies whether the Trace-Log tool is enabled.
Values: Enabled, Disabled
Default: Disabled
Output To File
Specifies the location of the stored data.
Values:
RAM Drive and Flash—The device stores the data in RAM and appends the data to the file on the CompactFlash drive. Due to limits on CompactFlash size, DDoS Protector uses two files. When the first file becomes full, the device switches to the second, until it is full and then it overwrites the first file, and so on.
RAM Drive—The device stores the data in RAM.
None—The device does not store the data.
Output To Terminal
Specifies whether the device sends Trace-Log data to the terminal.
Values: Enabled, Disabled
Default: Disabled
Output To Syslog Server
Specifies whether the device sends Trace-Log data to a syslog server.
Values: Enabled, Disabled
Default: Disabled
Debug: Message Format
Use the Diagnostics Trace-Log Message Format pane to specify which parameters appear in the Trace-Log message.
To configure the diagnostics Trace-Log message format
1. Select Services > Diagnostics > Trace-Log > Message Format.
2. Configure the parameters, and click Set.
Parameter Description
Date
Specifies whether the date that the message was generated is included in the Trace-Log message.
Time
Specifies whether the time that the message was generated is included in the Trace-Log message.
Platform Name
Specifies whether the platform MIB name is included in the Trace-Log message.
File Name
Specifies whether the output file name is included in the Trace-Log message.
Line Number
Specifies whether the line number in the source code is included in the Trace-Log message.
Packet Id
Specifies whether an ID assigned by the device to each packet is included in the Trace-Log message. This enables you to see the order of the packets.
Module Name
Specifies whether the name of the traced module is included in the Trace-Log message.
Task Name
Specifies whether the name of the specific task of the traced module is included in the Trace-Log message.
Trace: Modules
To help pinpoint the source of a problem, you can specify which DDoS Protector modules the Trace-Log feature works on and the log severity per module. For example, you can specify that the Trace-Log feature traces only the Health Monitoring module to understand why a specific health check fails.
To configure the parameters of the Trace-Log modules
1. Select Services > Diagnostics > Trace-Log > Modules.
The table in the pane comprises the following columns:
Name—The name of the module.
Values:
CDE
GENERIC
LCD
VSDR
Status—The current status of the traced module.
Severity—The lowest severity of the events that the Trace-Log includes for this module.
Values:
Emergency
Alert
Critical
Error
Warning
Notice
Info
Debug
2. Click the relevant link.
3. Configure the parameters, and click Set.
Parameter Description
Name (Read-only)
The name of the traced module.
Status
Specifies whether the Trace-Log feature is enabled for the module.
Severity
The lowest severity of the events that the Trace-Log includes for this module.
Values:
Emergency
Alert
Critical
Error
Warning
Notice
Info
Debug
Note: The default varies according to module.
Trace Files
DDoS Protector can store the output of the diagnostic tools in RAM and in the CompactFlash.
If the device is configured to store the output in the CompactFlash, when the data size in RAM reaches its limit, the device appends the data chunk from RAM to the file on the CompactFlash drive. For each enabled diagnostic tool, DDoS Protector uses two temporary files. When one temporary file reaches the limit (1 MB), DDoS Protector stores the information in the second temporary file. When the second temporary file reaches the limit (1 MB), DDoS Protector overwrites the first file, and so on. When you download a CompactFlash file, the file contains both temporary files.
Use the Diagnostic Tools Files Management pane to download or delete files from the RAM or CompactFlash.
To download or delete Trace-Log data
1. Select Services > Diagnostics > Files.
The pane contains two tables, Files On RAM Drive and Files On Main Flash. Each table comprises the following columns:
File Name—The name of the file.
File Size—The file size, in bytes.
Action—The action that you can take on the data stored.
Values:
download—Starts the download process of the selected data. Follow the on-screen instructions.
delete—Deletes the selected file.
2. From the Action column, select the action, Download or Delete, and follow the instructions.
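The file-name formats given above for the Capture tool (capture_<Device Name>_ddMMyyyy_hhmmss_<file number>.cap) and the Trace-Log tool (trace_log_<Device Name>_ddMMyyyy_hhmmss_<file number>.txt), together with the two-file rotation on the CompactFlash, mean that file number 1 is not always the older of the pair. The following is an added example, not Check Point code, that parses downloaded file names and puts each tool's files in the order they should be read; the device name "DP_lab_1", the timestamps, and the 24-hour reading of hh are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# File-name formats documented for the Capture and Trace-Log tools:
#   capture_<Device Name>_ddMMyyyy_hhmmss_<file number>.cap
#   trace_log_<Device Name>_ddMMyyyy_hhmmss_<file number>.txt
# <Device Name> may itself contain underscores, so the timestamp and file
# number are anchored at the end of the name instead of splitting on "_".
# Assumption: hh is a 24-hour clock.
FILENAME_RE = re.compile(
    r"^(?P<tool>capture|trace_log)_(?P<device>.+)_(?P<date>\d{8})_"
    r"(?P<time>\d{6})_(?P<num>\d+)\.(?P<ext>cap|txt)$"
)
EXPECTED_EXT = {"capture": "cap", "trace_log": "txt"}


@dataclass(frozen=True)
class DiagFile:
    name: str
    tool: str
    device: str
    timestamp: datetime
    number: int


def parse_diag_filename(name: str) -> DiagFile:
    """Split a Capture or Trace-Log file name into its documented fields."""
    m = FILENAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a Capture or Trace-Log file name: {name!r}")
    tool = m["tool"]
    if m["ext"] != EXPECTED_EXT[tool]:
        raise ValueError(f"extension .{m['ext']} does not match tool {tool!r}: {name!r}")
    d, t = m["date"], m["time"]
    ts = datetime(int(d[4:8]), int(d[2:4]), int(d[0:2]),   # yyyy, MM, dd
                  int(t[0:2]), int(t[2:4]), int(t[4:6]))   # hh, mm, ss
    return DiagFile(name, tool, m["device"], ts, int(m["num"]))


def chronological(names: Iterable[str], tool: str) -> List[str]:
    """Return one tool's files oldest-first.

    Each tool rotates between two temporary files: once both have been
    filled, file 1 is overwritten and becomes the newer of the pair. Reading
    in timestamp order keeps the packet or trace sequence intact.
    """
    files = []
    for n in names:
        try:
            f = parse_diag_filename(n)
        except ValueError:
            continue            # unrelated file in the listing, skip it
        if f.tool == tool:
            files.append(f)
    files.sort(key=lambda f: (f.timestamp, f.number))
    return [f.name for f in files]


def newest_per_tool(names: Iterable[str]) -> Dict[str, str]:
    """Map each tool to its most recently written file (the one still being appended to)."""
    names = list(names)
    result = {}
    for tool in EXPECTED_EXT:
        ordered = chronological(names, tool)
        if ordered:
            result[tool] = ordered[-1]
    return result


# Constructed listing, as the Files On Main Flash table might show it for a
# device named "DP_lab_1" (all names and times are made up for this example).
LISTING = [
    "capture_DP_lab_1_06032013_141500_1.cap",
    "capture_DP_lab_1_06032013_142205_2.cap",
    "trace_log_DP_lab_1_06032013_143010_2.txt",
    "trace_log_DP_lab_1_06032013_150000_1.txt",   # file 1 rewritten after file 2 filled
    "notes.txt",                                    # unrelated, ignored
]

if __name__ == "__main__":
    for tool in EXPECTED_EXT:
        print(tool, "read in this order:", chronological(LISTING, tool))
    print("currently active:", newest_per_tool(LISTING))
```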
Diagnostics Policies
In most cases, there is no need to capture all the traffic passing through the device. Using diagnostic policies, the device can classify the traffic and store only the required information.
Note: To reuse the policy, edit the policy and set it again.
To configure a diagnostics policy
1. Select Services > Diagnostics > Policies.
2. Click Create.
3. Configure the parameters, and click Set.
Parameter Description
Name
The user-defined name of the policy, up to 20 characters.
Index
The number of the policy in the order in which the diagnostics tool classifies (that is, captures) the packets.
Default: 1
Description
The user-defined description of the policy.
VLAN Tag Group
The VLAN Tag group whose packets the policy classifies (that is, captures).
Destination
The destination IP address or predefined class object whose packets the policy classifies (that is, captures).
Default: any — The diagnostics tool classifies (that is, captures) packets with any destination address.
Source
The source IP address or predefined class object whose packets the policy classifies (that is, captures).
Default: any — The diagnostics tool classifies (that is, captures) packets with any source address.
Outbound Port Group
The port group whose outbound packets the policy classifies (that is, captures).
Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.
Inbound Port Group
The port group whose inbound packets the policy classifies (that is, captures).
Service Type
The service type whose packets the policy classifies (that is, captures).
Service
The service whose packets the policy classifies (that is, captures).
Values:
None
Basic Filter
AND Group
OR Group
Default: None
Destination MAC Group
The Destination MAC group whose packets the policy classifies (that is, captures).
Source MAC Group
The Source MAC group whose packets the policy classifies (that is, captures).
Maximal Number of Packets
The maximal number of packets the policy captures. Once the policy captures the specified number of packets, it stops capturing traffic. In some cases, the policy captures fewer packets than the configured value. This happens when the device is configured to drop packets.
Maximal Packet Length
The maximal length for a packet the policy captures.
Capture Status
Specifies whether the packet-capture feature is enabled in the policy.
Values: Enabled, Disabled
Default: Disabled
Trace-Log Status
Specifies whether the Trace-Log feature is enabled in the policy.
Values: Enabled, Disabled
Default: Disabled
Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.
Syslog Reporting
Event traps can be mirrored to up to five syslog servers. For each DDoS Protector device, you can configure the appropriate information. Any traps generated by the device are mirrored to the specified syslog servers.
You can also use additional notification settings, such as Facility and Severity. Facility specifies the type of device of the sender. Severity specifies the importance or impact of the reported event. The user-defined Facility value is used when the device sends syslog messages; the device determines the Severity value dynamically for each message that it sends.
To enable syslog messages
1. Select Services > Syslog Reporting.
2. Configure the parameters, and click Set.
Parameter Description
Syslog Server
The IP address or hostname of the device running the syslog service (syslogd).
Syslog Server Operational Status
Specifies whether the syslog server is enabled.
Default: Enabled
Syslog Server Source Port
The syslog source port.
Default: 514
Note: Port 0 specifies a random port.
Syslog Server Destination Port
The syslog destination port.
Default: 514
Syslog Server Facility
The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values:
Authorization Messages
Clock Daemon
Clock Daemon2
FTP Daemon
Kernel Messages
Line Printer Subsystem
Local 0
Local 1
Local 2
Local 3
Local 4
Local 5
Local 6
Local 7
Log Alert
Log Audit
Mail System
Network News Subsystem
NTP Daemon
Syslogd Messages
System Daemons
User Level Messages
UUCP
Default: Local Use 6
Syslog Server Protocol
The protocol that the device uses to send syslog messages.
Values:
UDP—The device sends syslog messages using UDP. That is, the device sends syslog messages with no verification of message delivery.
TCP—The device sends syslog messages using TCP. That is, the device verifies the message delivery. The device holds undelivered messages in a backlog. As soon as the connection to the syslog server is re-established, the device sends them. If the backlog is full (100 messages, non-configurable), the device replaces lower-priority messages with higher-priority messages (FIFO).
TLS—The device sends syslog messages using TCP with Transport Layer Security (TLS) and uses the CA certificate specified in the CA Certificate Name field. That is, the device verifies message delivery. The device holds undelivered messages in a backlog. As soon as the connection to the syslog server is re-established, the device sends them. If the backlog is full (100 messages, non-configurable), the device replaces lower-priority messages with higher-priority messages (FIFO).
Default: UDP
Note: Report notification of lost syslog messages to your network administrator.
Syslog Server CA Certificate
The name of the CA certificate in the Certificate Table that the device uses to send syslog messages when TLS is selected in the Syslog Server Protocol field.
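The Facility and Severity settings above determine the PRI value that opens each syslog line, and the TCP/TLS transports keep a 100-message backlog that favours higher-priority messages while the server is unreachable. The following added example (not Check Point code) computes PRI for the facility names in the drop-down list and models that backlog so the drop behaviour can be reasoned about; the numeric facility codes are the standard RFC 3164 assignments rather than values from this guide, and the exact eviction rule (evict the least important queued message, drop a newcomer that is no more important) is an assumption.

```python
from dataclasses import dataclass
from typing import List

# Facility names as listed in the Syslog Server Facility drop-down, mapped to
# the standard RFC 3164 numeric codes (assumption: the device uses these codes).
FACILITY_CODES = {
    "Kernel Messages": 0, "User Level Messages": 1, "Mail System": 2,
    "System Daemons": 3, "Authorization Messages": 4, "Syslogd Messages": 5,
    "Line Printer Subsystem": 6, "Network News Subsystem": 7, "UUCP": 8,
    "Clock Daemon": 9, "FTP Daemon": 11, "NTP Daemon": 12, "Log Audit": 13,
    "Log Alert": 14, "Clock Daemon2": 15,
    **{f"Local {i}": 16 + i for i in range(8)},
}
# Severity names in the order the guide lists them (Emergency = 0 ... Debug = 7).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]
DEFAULT_FACILITY = "Local 6"   # the guide's default, "Local Use 6"


def syslog_pri(severity: str, facility: str = DEFAULT_FACILITY) -> int:
    """PRI value that opens a syslog line: facility * 8 + severity."""
    return FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)


@dataclass
class Message:
    severity: str
    text: str

    @property
    def rank(self) -> int:
        # Lower number = more important (Emergency is 0, Debug is 7).
        return SEVERITIES.index(self.severity)


class Backlog:
    """Model of the undelivered-message backlog used for the TCP and TLS transports.

    The guide states that the backlog holds 100 messages (not configurable) and
    that a full backlog replaces lower-priority messages with higher-priority
    ones. Assumption made here: the evicted message is the least important one
    queued (the oldest of them on a tie), and a new message that is no more
    important than everything queued is dropped instead.
    """
    CAPACITY = 100

    def __init__(self, capacity: int = CAPACITY):
        self.capacity = capacity
        self.queue: List[Message] = []
        self.dropped: List[Message] = []

    def offer(self, msg: Message) -> bool:
        """Queue msg while the server is unreachable; True if it was kept."""
        if len(self.queue) < self.capacity:
            self.queue.append(msg)
            return True
        # max() returns the first maximum, so ties evict the oldest least-important message.
        victim = max(self.queue, key=lambda m: m.rank)
        if msg.rank < victim.rank:
            self.queue.remove(victim)
            self.dropped.append(victim)
            self.queue.append(msg)
            return True
        self.dropped.append(msg)
        return False

    def flush(self) -> List[str]:
        """Server reachable again: emit the queued lines in arrival (FIFO) order."""
        lines = [f"<{syslog_pri(m.severity)}>{m.text}" for m in self.queue]
        self.queue.clear()
        return lines


if __name__ == "__main__":
    # Constructed scenario with a tiny capacity so the eviction is visible.
    b = Backlog(capacity=3)
    for sev, txt in [("Info", "a"), ("Notice", "b"), ("Debug", "c"),
                     ("Error", "d"), ("Debug", "e")]:
        print(sev, txt, "kept" if b.offer(Message(sev, txt)) else "dropped")
    print("dropped:", [m.text for m in b.dropped])
    print("delivered on reconnect:", b.flush())
```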
Daylight Saving
DDoS Protector supports daylight saving time. You can configure the daylight-saving-time start and end dates and times. During daylight saving time, the device automatically adds one hour to the system clock. The device also indicates whether it is on standard time or daylight saving time.
Note: When the system clock is configured manually, the system time is changed only when daylight saving time starts or ends. If daylight saving time is enabled during the daylight saving time period, the device does not change the system time.
To configure daylight saving
1. Select Services > Daylight Saving.
2. Configure the parameters, and click Set.
Parameter Description
Daylight Saving Admin Status
Enables or disables daylight saving time.
Default: disabled
Daylight Saving Begins [dd/mm:hh]
The start date and time for daylight saving time.
Daylight Saving Ends [dd/mm:hh]
The end date and time for daylight saving time.
Daylight Saving Designations
Specifies whether the device is on standard time or daylight saving time.
Management Interfaces
Telnet
You can access the DDoS Protector via Telnet.
Use the Telnet Parameters pane to configure connectivity.
To configure Telnet connectivity
1. Select Services > Management Interfaces > Telnet.
2. Configure the parameters, and click Set.
Parameter Description
Telnet Port
The TCP port used by Telnet.
Default: 23
Telnet Status
Specifies whether to enable Telnet access to the device.
Default: Disabled
Telnet Session Timeout
The period of time, in minutes, that the device maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates.
Values: 1 – 120
Default: 5
Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.
Telnet Authentication Timeout
The timeout, in seconds, required to complete the authentication process.
Values: 10 – 60
Default: 30
Web Server
Web Server Parameters
Use the Web Server Parameters pane to configure Web server connectivity for Web Based Management (WBM).
To configure the Web server connectivity
1. Select Services > Management Interfaces > Web Server > Web.
2. Configure the parameters, and click Set.
Parameter Description
Web Server Port
The port to which WBM is assigned.
Default: 80
Web Server Status
Specifies whether to enable access to the Web server.
Web Help Location
The location (path) of the Web help files.
Web Access Level
Values: readWrite, readOnly
Secure Web Parameters
Use the Secure Web Server Parameters pane to configure secure Web server connectivity for Web Based Management (WBM).
To configure secure Web parameters
1. Select Services > Management Interfaces > Web Server > Secure Web.
2. Configure the parameters, and click Set.
Parameter Description
Secured Web Port
The port on which HTTPS requests are received.
Default: 443
Secured Web Status
Specifies whether to enable secured access to the Web server.
Secured Web Certificate File
The certificate file that the secure Web server uses for encryption.
Web Services
Use the Web Services pane to enable or disable Web Services.
To enable or disable Web Services
1. Select Services > Management Interfaces > Web Server > Web Services.
2. From the drop-down list, select enable or disable, as required.
3. Click Set.
SSL
Weak Ciphers
To specify whether the device allows management connections over secure protocols with ciphers shorter than 128 bits
1. Select Services > Management Interfaces> SSL > Weak Ciphers.
2. From the Accept Weak Ciphers SSL Status drop-down list, select enable or disable, as required. Default: enable.
3. Click Set.
SSH
Secure Shell Parameters
SSH (Secure Shell) is a protocol for secure remote connections and network services over an insecure network. This feature provides a secure alternative to a Telnet connection, while still allowing configuration of the device through Web Based Management.
To set the SSH server connection parameters
1. Select Services > Management Interfaces> SSH >Server.
2. Enter the SSH Port and set the SSH Status to Enable.
3. Click Set.
Parameter Description
SSH Port
The source port for the SSH server connection.
Default: 22
SSH Status
Specifies whether to enable SSH access to the device.
Default: Disabled
SSH Session Timeout
The period of time, in minutes, that the device maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates.
Values: 1 – 120
Default: 5
Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.
SSH Authentication Timeout
The timeout, in seconds, required to complete the authentication process.
Values: 10 – 60
Default: 10
Event Log
You can view a log of the events on the device.
To view the event log
Select Services > Event Log.
To clear the event log
1. Select Services > Event Log.
2. Under the Clear Event Log text, click Set.
Network Time Protocol (NTP)
Network Time Protocol enables you to synchronize devices by distributing an accurate clock across the network.
To configure the NTP parameters
1. Select Services > NTP.
2. Configure the parameters, and click Set.
Parameter Description
NTP Polling Interval
The interval, in seconds, between time queries sent to the NTP server.
Default: 172,800
NTP Timezone
The offset from GMT for the device.
Values: -12:00 through +12:00
Default: 00:00
NTP Server Port
The access port number for the NTP server.
Default: 123
NTP Server Name
The address or URL of the NTP server.
Note: If you specify a URL, the DNS Server feature must be enabled and configured.
NTP Status
Specifies whether the NTP client is enabled.
Values: enable, disable
Default: disable
RADIUS
DDoS Protector provides additional security by authenticating the users who access a device for management purposes. With RADIUS authentication, you can use RADIUS servers to determine whether a user is allowed to access device management using CLI, Telnet, SSH, or Web Based Management. You can also select whether to use the device User Table when the RADIUS servers are not available.
Caution: The DDoS Protector managed devices must have access to the RADIUS server and must allow device access.
To configure RADIUS authentication for device management
1. Select Services > Radius.
2. Configure the parameters and click Set.
Parameter Description
Main Radius IP Address
The IP address of the primary RADIUS server.
Main Radius Port No.
The access port number of the primary RADIUS server.
Values: 1645, 1812
Default: 1645
Main Radius Secret
The authentication password for the primary RADIUS server.
Backup Radius IP Address
The IP address of the backup RADIUS server.
Backup Radius Port No.
The access port number of the backup RADIUS server.
Values: 1645, 1812
Default: 1645
Backup Radius Secret
The authentication password for the backup RADIUS server.
Radius Timeout The time, in seconds, that the device waits for a reply from the RADIUS server before a retry, or, if the Retries value is exceeded, before the device acknowledges that the server is off line.
Default: 1
Radius Retries The number of connection retries to the RADIUS server, after the RADIUS server does not respond to the first connection attempt. After the specified number of Retries, if all connection attempts have failed (Timeout), the backup RADIUS server is used.
Default: 2
Radius Client Lifetime The time, in seconds, for which a successful client authentication remains valid. After the lifetime expires, the device re-authenticates the user.
Default: 30
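The exchange and fallback behavior described for the RADIUS parameters above, as an added example that is not part of this guide or of Check Point's code. It builds an RFC 2865 Access-Request with a PAP-hidden password, verifies the server's Response Authenticator with the shared secret, and walks the primary server, the backup server and finally the local User Table in the order that the Radius Timeout and Radius Retries parameters imply. The simulated_server helper, the shared secrets, user names and passwords are constructed for the example; the "Radius and Local User Table" authentication method under Security > Users is what enables the last step.

```python
"""RADIUS Access-Request/Accept (RFC 2865, PAP) plus the primary -> backup ->
local User Table fallback.  Added example, not Check Point code.  Servers are
caller-supplied functions so the example runs offline; simulated_server() and
every secret, user and password below are constructed for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _chain_xor(secret, authenticator, data, chain_on_output):
    """Core of hide/reveal: XOR each 16-octet block with MD5(secret + previous
    block), where 'previous' is always the previous *hidden* block."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], digest))
        out += block
        prev = block if chain_on_output else data[i:i + 16]
    return out


def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: zero-pad to a multiple of 16 octets, then chain-XOR."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _chain_xor(secret, authenticator, padded, chain_on_output=True)


def reveal_password(secret, authenticator, hidden):
    """Server side inverse of hide_password; strips the zero padding."""
    return _chain_xor(secret, authenticator, hidden, chain_on_output=False).rstrip(b"\x00")


def build_access_request(secret, username, password, identifier, authenticator=None):
    """Access-Request datagram: code, id, length, 16-octet Request Authenticator,
    then type/length/value attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, hide_password(secret, authenticator, password.encode())),
                             (ATTR_NAS_IDENTIFIER, b"ddos-protector")):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet):
    attrs, i = {}, 20
    while i < len(packet):
        if i + 2 > len(packet) or packet[i + 1] < 2 or i + packet[i + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return attrs


def make_response(secret, request, code):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def response_is_authentic(secret, request_authenticator, response):
    """Client side check of the Response Authenticator.  A reply that fails it
    (forged, or computed with another secret) must be treated as no reply."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def simulated_server(secret, users, reachable=True):
    """Offline stand-in for a RADIUS server (constructed for this example).
    send.calls records every request so retries can be counted."""
    def send(request):
        send.calls.append(request)
        if not reachable:
            raise TimeoutError("no reply within Radius Timeout")
        attrs = parse_attributes(request)
        password = reveal_password(secret, request[4:20], attrs[ATTR_USER_PASSWORD])
        ok = users.get(attrs[ATTR_USER_NAME].decode()) == password.decode()
        return make_response(secret, request, ACCESS_ACCEPT if ok else ACCESS_REJECT)
    send.calls = []
    return send


def authenticate(servers, local_users, username, password, retries=2):
    """servers: [(shared_secret, send_fn), ...] in primary, backup order.  Each
    server gets one attempt plus `retries` retries (Radius Retries; Radius
    Timeout is the wait inside send_fn).  Any verified reply, Accept or Reject,
    is final.  Only when every server stays silent is the local User Table
    consulted, and only if one was supplied ("Radius and Local User Table")."""
    for secret, send in servers:
        for attempt in range(1 + retries):
            authenticator = os.urandom(16)
            request = build_access_request(secret, username, password, attempt, authenticator)
            try:
                reply = send(request)
            except TimeoutError:
                continue
            if not response_is_authentic(secret, authenticator, reply) or reply[1] != attempt:
                continue                         # unverifiable reply counts as no reply
            return "radius", reply[0] == ACCESS_ACCEPT
    if local_users is None:
        return "none", False
    return "local", local_users.get(username) == password
```

The point to take from the fallback loop: a reachable server that rejects the login ends the procedure, so the User Table only ever covers an outage, never a wrong RADIUS password.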
SMTP
You can configure the device to send information messages via e-mail to device users. This feature can be used for sending trap information via e-mail. When you configure device users, you can specify whether an individual user should receive notifications via e-mail and the minimal event severity reported via SNMP traps and e-mail. The user will receive traps of the configured severity and higher.
The e-mail configuration applies both for SNMP traps and for SMTP e-mail notifications. SMTP notifications are enabled globally for the device.
Notes:
The device optimizes the mailing process by gathering security and system events, which it sends in a single notification message when the buffer is full, or when a timeout of 60 seconds expires.
To receive e-mails about errors, you need to set the e-mail address and Severity level in the Users Table for each user.
To configure the SMTP client
1. Select Services > SMTP.
2. Configure the parameters, and click Set.
Parameter Description
SMTP Primary Server Address The IP address of the SMTP server.
SMTP Alternate Server Address An IP address of an alternative SMTP Server. The alternate SMTP server is used when SMTP connection cannot be established successfully with the main SMTP server, or when main SMTP server closed the connection. The device tries to establish connection to the main SMTP server, and starts re-using it when available.
Own Email Address The mail address that appears in the Sender field of e-mail messages generated by the device, for example [email protected].
SMTP Status Specifies whether the e-mail client is enabled, which supports features that are related to sending e-mail messages.
Default: disable
Send emails On Errors Specifies whether the device sends notifications via e-mail.
Default: Disabled
DNS Client Parameters
You can configure DDoS Protector to operate as a Domain Name Service (DNS) client. When the DNS client is disabled, host names (for example, an NTP server specified by name) cannot be resolved to IP addresses. When the DNS client is enabled, you must configure the servers to which DDoS Protector sends its host-name resolution queries.
You can set the DNS parameters and define the primary and the alternate DNS servers for dynamic DNS. In addition, you can set static DNS parameters.
To define DNS servers
1. Select Services > DNS.
2. Configure the parameters, and click Set.
Parameter Description
DNS Client Specifies whether the DDoS Protector device operates as a DNS client to resolve host names to IP addresses.
Values: Enabled, Disabled
Default: Disabled
Primary DNS server The IP address of the primary DNS server to which DDoS Protector sends queries.
Alternate DNS Server The IP address of the alternative DNS to which DDoS Protector sends queries.
To set static DNS
1. Select Services > DNS.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Host Name The domain name for the specified IP address.
IP Address The IP address for the specified domain name.
Configuration Auditing
Configuration Auditing is the process of logging every configuration change and activity to a dedicated logging server. When Configuration Auditing is enabled, the device records every change made to the configuration by sending an SNMP trap and a syslog message (if syslog is enabled and configured).
Configuration Auditing can be enabled or disabled for all users and all management interfaces.
To prevent overloading the device and prevent degraded performance, the feature is disabled by default.
To enable configuration auditing
1. Select Services > Auditing.
2. Select enable.
3. Click Set.
To disable configuration auditing
1. Select Services > Auditing.
2. Select disable.
3. Click Set.
Event Scheduler
Sometimes, it is necessary for a specific policy to be inactive during certain hours of the day or to activate in the middle of the night. For example, a school library may want to block instant messaging during school hours but allow instant messages after school hours. Or, an enterprise may give high priority to mail traffic between 08:00 and 10:00.
Using the Event Scheduler, you can create event schedules. An event schedule can be a daily, weekly, or one-time event.
To configure an event schedule
1. Select Services > Event Scheduler. The Event Scheduler window is displayed.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Name A user-defined name for the event.
Frequency The frequency of the event.
Values: Once, Daily, Weekly
Time(HHMM) The time on the designated day or days. If you specify multiple days, the time for the event is the same for all the specified days.
Default: 0000—12:00 AM
Days The day or days on which the event occurs when the specified Frequency is Weekly.
If the Frequency is not Weekly, the Days(SMTWTFS) checkboxes must be cleared.
Date(DDMMYYYY) The date on which the event occurs when the specified Frequency is Once.
If the Frequency is not Once, the value in the Date(DDMMYYYY) text box must be 00000000.
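The constraints in the Event Scheduler table above (Days only for Weekly, Date only for Once), as an added example that is not part of this guide or of Check Point's code. It validates an entry the way the table says the form must be filled in, and computes whether the entry fires at a given minute. The dict layout and the encoding of the Days(SMTWTFS) checkboxes as seven 0/1 characters, Sunday first, are assumptions made for the example.

```python
"""Event Scheduler entries: validation against the table's rules and a
minute-resolution 'does it fire now' check.  Added example, not Check Point
code; entry dicts and the 0/1 day encoding are constructed for the example."""
from datetime import datetime, timedelta

NO_DAYS, NO_DATE = "0000000", "00000000"


def validation_errors(event):
    """Rules from the parameter table; an empty list means the entry is consistent."""
    errors = []
    freq, time_ = event.get("frequency"), event.get("time", "")
    if freq not in ("Once", "Daily", "Weekly"):
        errors.append(f"unknown Frequency {freq!r}")
    if len(time_) != 4 or not time_.isdigit() or int(time_[:2]) > 23 or int(time_[2:]) > 59:
        errors.append(f"Time(HHMM) {time_!r} is not a 24-hour time")
    days = event.get("days", NO_DAYS)                 # S M T W T F S, Sunday first
    if len(days) != 7 or set(days) - {"0", "1"}:
        errors.append("Days(SMTWTFS) must be seven 0/1 flags, Sunday first")
    elif freq == "Weekly" and "1" not in days:
        errors.append("a Weekly event needs at least one day")
    elif freq != "Weekly" and days != NO_DAYS:
        errors.append("Days(SMTWTFS) must be cleared unless Frequency is Weekly")
    date = event.get("date", NO_DATE)
    if freq == "Once":
        try:
            datetime.strptime(date, "%d%m%Y")
        except ValueError:
            errors.append(f"Date(DDMMYYYY) {date!r} is not a valid date")
    elif date != NO_DATE:
        errors.append("Date(DDMMYYYY) must be 00000000 unless Frequency is Once")
    return errors


def fires_at(event, when):
    """True if the event triggers at datetime `when` (compared to the minute).
    datetime.weekday() is Monday=0, the checkbox row is Sunday=0, hence the shift."""
    errors = validation_errors(event)
    if errors:
        raise ValueError("; ".join(errors))
    if (when.hour, when.minute) != (int(event["time"][:2]), int(event["time"][2:])):
        return False
    freq = event["frequency"]
    if freq == "Daily":
        return True
    if freq == "Weekly":
        return event["days"][(when.weekday() + 1) % 7] == "1"
    return when.strftime("%d%m%Y") == event["date"]


def firing_times(events, start, end):
    """Minute-by-minute sweep of a window: a quick way to preview a schedule
    before saving it.  Returns [(datetime, event name), ...] in time order."""
    out, t = [], start.replace(second=0, microsecond=0)
    while t <= end:
        for ev in events:
            if fires_at(ev, t):
                out.append((t, ev["name"]))
        t += timedelta(minutes=1)
    return out
```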
Chapter 7
Configuring Security Parameters
Management Ports
Use the Management Ports Table pane to enable or disable access to a management port.
To set the management ports
1. Select Security > Management Ports.
2. Select a port.
3. Configure the parameters, and click Set.
Parameter Description
Port Number (Read-only) The identifier of the selected management port.
SNMP Specifies whether the port allows access with SNMP.
TELNET Specifies whether the port allows access with Telnet.
SSH Specifies whether the port allows access with SSH.
WEB Specifies whether the port allows Web Based Management access with HTTP (unencrypted).
SSL Specifies whether the port allows Web Based Management access with HTTPS (HTTP over SSL/TLS).
Ports Access
You can specify how unbound TCP ports respond to SYN packets and how unbound UDP ports respond to incoming datagrams.
To set the port unreachable status
1. Select Security > Ports Access.
2. From the Port Unreachable Status drop-down list, select the required value, as follows:
Enabled—Unbound TCP ports answer SYN packets with a TCP RST. Unbound UDP ports answer incoming datagrams with an ICMP port-unreachable message. This is standard host behavior, but it lets a port scanner tell closed ports from filtered ones.
Disabled—The device silently drops SYN packets and UDP datagrams sent to unbound ports. With this option the device does not reveal its closed ports to the network; a scan sees them as filtered.
Default: Enabled
3. Click Set.
SNMP
SNMP Global Parameters
DDoS Protector devices work with SNMPv1, SNMPv2, and SNMPv3.
Use the SNMP Global Parameters pane to configure the SNMP global parameters.
To configure the SNMP global parameters
1. Select Security > SNMP > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description
Supported SNMP Versions (Read-only) The SNMP versions currently supported.
Supported SNMP Versions After Reset The SNMP versions that the SNMP agent will support after the device is reset. Select the checkboxes of the SNMP versions to support.
SNMP Port The UDP port on which the agent listens for SNMP requests.
SNMP Status The status of the SNMP agent.
Default: Enabled
SNMP: User Table
Use the User Based Security Model pane to define users that can connect to the device and store the access parameters for each SNMP user.
Note: A configuration file that contains SNMPv3 users with authentication can be used only on the device on which those users were configured. When the file is imported on another device, the passwords must be re-entered, because SNMPv3 user passwords (from which the per-device localized keys are derived) cannot be exported from one device to another. Therefore, keep at least one user in the User Table whose password can be set on the target device after the configuration file is uploaded.
To configure a new user
1. Select Security > SNMP > User Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
User Name The name of the new user.
Authentication Protocol The algorithm used to authenticate messages from this user.
Authentication Password The password from which the user's authentication key is derived; required when an authentication protocol is selected.
Privacy Protocol The algorithm used to encrypt messages from this user.
Privacy Password The password from which the user's encryption key is derived; required when a privacy protocol is selected.
SNMP: Community Table
You can map community strings into user names and vice versa using the SNMP Community Table. This table restricts the range of addresses from which SNMP requests are accepted and to which traps may be sent.
The SNMP Community Table is used only for SNMP versions 1 and 2c. Community strings travel in clear text and identify no individual user, so restrict each community with a Transport Tag and prefer SNMPv3 with authentication and privacy where the management station supports it.
To configure the SNMP community table
1. Select Security > SNMP > Community Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Index A descriptive name for this entry.
Community Name The community string.
Security Name The user name associated with the community string.
Transport Tag Specifies a set of target addresses from which the SNMP accepts SNMP requests and to which traps may be sent. The target addresses identified by this tag are defined in the Target Address Table. If this string is empty, addresses are not checked when an SNMP request is received or when a trap is sent. If this string is not empty, the transport tag must be contained in the value of the tag list of at least one entry in the Target Address Table.
SNMP: Groups Table
You can associate users with groups in the Groups Table. Access rights are defined for groups of users.
To configure the groups table
1. Select Security > SNMP > Groups Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Security Model The security model to be associated with this group.
Security Name A relevant security name.
Group Name The access control policy for a group of users.
SNMP: Access Table
You can define the access rights for each group and security model in the VACM Group Access window.
To configure the parameters of the SNMP access table
1. Select Security > SNMP > Access Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Group Name The name of your group.
Security Model Values:
SNMPv1
SNMPv2c
User Based
Security Level Values:
No Authentication
Auth Not Private
Auth Private
ReadView Name The name of one or more entries in the View Tree Family Table. Specifies which objects in the MIB tree are readable by this group.
WriteView Name The name of one or more entries in the View Tree Family Table. Specifies which objects in the MIB tree are writable by this group.
NotifyView Name The name of one or more entries in the View Tree Family Table. Specifies which objects in the MIB tree can be accessed in notifications (traps) by this group.
SNMP: View Table
The View Table window allows you to define subsets of the MIB tree for use in the Access Table. Different entries may have the same name. The union of all entries with the same name defines the subset of the MIB tree and can be referenced in the Access Table through its name.
To set the view table parameters
1. Select Security > SNMP > View Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
View Name The name of this entry.
Subtree The object ID of a subtree of the MIB.
Subtree Mask The subtree mask.
Type Specifies whether objects defined in this entry should be included or excluded in the MIB view.
Default: included
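The Groups, Access and View tables above together implement the SNMPv3 View-based Access Control Model (RFC 3415). The following added example, which is not part of this guide or of Check Point's code, shows the evaluation a practitioner should expect from that model: security name and model select a group, the group and the request's security level select an Access Table row, and the view named there is the union of all View Table rows with that name, with the longest matching subtree deciding between included and excluded. Table rows are constructed dicts; the Subtree Mask is written as hex octets as in the SNMP-VIEW-BASED-ACM-MIB, and the model and level strings are the ones shown in the Access Table.

```python
"""VACM (RFC 3415) evaluation over the Groups, Access and View tables.
Added example, not Check Point code; all rows below are constructed and the
device's own evaluation is not visible here, so this follows the RFC."""

LEVEL_RANK = {"No Authentication": 0, "Auth Not Private": 1, "Auth Private": 2}


def parse_oid(text):
    return tuple(int(x) for x in text.strip(".").split("."))


def mask_bits(hex_mask):
    """Subtree Mask as octets, most significant bit first.  An empty mask means
    'all ones': every sub-identifier of the subtree is significant."""
    bits = []
    for octet in bytes.fromhex(hex_mask.replace(":", "")):
        bits.extend((octet >> (7 - j)) & 1 for j in range(8))
    return bits


def in_family(subtree, mask, oid):
    """An OID is in a view family if it is at least as long as the subtree and
    agrees with it wherever the mask bit is 1; 0 bits are wildcards, which is
    how a single row of a table (one interface, one user) is selected."""
    if len(oid) < len(subtree):
        return False
    return all(not (mask[i] if i < len(mask) else 1) or oid[i] == sub
               for i, sub in enumerate(subtree))


def oid_in_view(view_table, view_name, oid):
    """All View Table rows sharing a View Name form one view.  Among the
    families that contain the OID the longest subtree wins (tie: the
    lexicographically greater one) and its Type decides.  No match: outside."""
    best = None
    for row in view_table:
        if row["view"] != view_name:
            continue
        subtree = parse_oid(row["subtree"])
        if in_family(subtree, mask_bits(row.get("mask", "")), oid):
            key = (len(subtree), subtree)
            if best is None or key > best[0]:
                best = (key, row["type"])
    return best is not None and best[1] == "included"


def is_access_allowed(groups, access, views, model, security_name, level, operation, oid):
    """operation: 'read', 'write' or 'notify'.  Candidate Access rows are those
    for the user's group and model whose required level does not exceed the
    request's level; the highest-level candidate is used (RFC 3415 s3.2)."""
    group = next((g["group"] for g in groups
                  if g["model"] == model and g["name"] == security_name), None)
    if group is None:
        return False
    candidates = [a for a in access if a["group"] == group and a["model"] == model
                  and LEVEL_RANK[a["level"]] <= LEVEL_RANK[level]]
    if not candidates:
        return False
    chosen = max(candidates, key=lambda a: LEVEL_RANK[a["level"]])
    view_name = chosen.get(operation, "")
    return bool(view_name) and oid_in_view(views, view_name, parse_oid(oid))
```

Two things worth checking in a real configuration with this logic: that the read view of any community-based group excludes 1.3.6.1.6.3 (the SNMP modules subtree, which holds the USM user and VACM tables themselves), and that a row whose mask wildcards a table column really selects the intended row, as the "FFA0" example in the test does.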
SNMP Notify Table
Use the Notify Table pane to select management targets that receive notifications and the type of notification to be sent to each selected management target. The Tag parameter identifies a set of target addresses. An entry in the SNMP - Target Address table that contains a tag specified in the Notify table receives notifications.
To configure SNMP notification settings
1. Select Security > SNMP > Notify Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Name A descriptive name for this entry, for example, the type of notification.
Tag A string that defines the target addresses that are sent this notification. All the target addresses that have this tag in their tag list are sent this notification.
SNMP Target Parameters
The Target Parameters table defines message-processing and security parameters that are used in sending notifications to a particular management target. Entries in the Target Parameters table are referenced in the Target Address table.
To set the target parameters
1. Select Security > SNMP > Target Parameters Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Name The name of the target parameters entry.
Maximum characters: 32
Message Processing The SNMP message format used for notifications sent with these parameters.
Values: SNMPv1, SNMPv2c, SNMPv3
Default: SNMPv1
Security Model The SNMP version that represents the required Security Model.
Security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions. By selecting the SNMP version for this parameter, you determine the permissions set to be used.
Values:
SNMPv1
SNMPv2c
User Based—That is, SNMPv3
Default: SNMPv1
Security Name If the User Based security model is used, the security name identifies the user that is used when the notification is generated. For other security models, the security name identifies the SNMP community used when the notification is generated.
Security Level Specifies whether the trap is authenticated and encrypted before it is sent.
Values:
noAuthNoPriv—No authentication or privacy are required.
authNoPriv—Authentication is required, but privacy is not required.
authPriv—Both authentication and privacy are required.
Default: No Authentication
SNMP: Target Address
In SNMPv3, the Target Addresses table contains transport addresses to be used in the generation of traps. If the tag list of an entry contains a tag from the SNMP Notify Table, this target is selected for reception of notifications. For SNMP versions 1 and 2, this table is used to restrict the range of addresses from which SNMP requests are accepted and to which SNMP traps may be sent. If the Transport Tag of an entry in the community table is not empty it must be included in one or more entries in the Target Address Table.
To set the SNMP target parameters
1. Select Security > SNMP > Target Address Table.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Name The name of the target address entry.
Address-Port The IP address of the management station and the UDP port to be used as the target of SNMP traps. The format of the value is <IP address>-<port>, where <port> must be 162. For example, if the value for Address-Port is 1.2.3.4-162, 1.2.3.4 is the IP address of the management station and 162 is the standard UDP port for SNMP traps.
Tag List Specifies sets of target addresses. Tags are separated by spaces. The tags contained in the list may be tags from the Notify table or Transport tags from the Community table.
Each tag can appear in more than one tag list. When a significant event occurs on the network device, the tag list identifies the targets to which a notification is sent.
Mask The subnet mask applied to the address when this entry is used, through a Transport Tag, to restrict the sources from which SNMPv1/v2c requests are accepted. A host mask (255.255.255.255) limits the entry to the single management station; a broader mask admits the whole subnet.
Parameters The set of target parameters to be used when sending SNMP Traps. Target parameters are defined in the Target Parameters table.
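An added example, not part of this guide or of Check Point's code, that ties the Notify, Target Address, Target Parameters and Community tables together: which stations a notification goes to and with which security parameters, and whether an SNMPv1/v2c request from a given source address is accepted under a community's Transport Tag. Rows are constructed dicts using RFC 5737 documentation addresses. The last function is an audit check: a community with an empty Transport Tag, or one whose tagged Target Address entry carries a 0.0.0.0 mask, accepts requests from any address.

```python
"""Tag-list resolution across the SNMP Notify, Target Address, Target
Parameters and Community tables.  Added example, not Check Point code;
every row below is constructed for the example."""
import ipaddress


def _tag_set(tag_list):
    return set(tag_list.split())                  # Tag List: tags separated by spaces


def _station_network(entry):
    """Address-Port is '<ip>-<port>'; Mask widens it to a subnet (host mask if absent)."""
    address = entry["address_port"].rsplit("-", 1)[0]
    return ipaddress.ip_network(f"{address}/{entry.get('mask', '255.255.255.255')}", strict=False)


def notification_targets(notify_table, target_addresses, target_params, notify_name):
    """Every Target Address whose Tag List contains the Notify entry's tag receives
    the notification, built with the Target Parameters row it references."""
    tags = {n["tag"] for n in notify_table if n["name"] == notify_name}
    params = {p["name"]: p for p in target_params}
    result = []
    for t in target_addresses:
        if tags & _tag_set(t["tag_list"]):
            p = params[t["parameters"]]           # KeyError here means a dangling reference
            result.append((t["address_port"], p["security_model"],
                           p["security_name"], p["security_level"]))
    return result


def request_security_name(community_table, target_addresses, community, source_ip):
    """SNMPv1/v2c request admission.  Returns the Security Name mapped to the
    community, or None if the request must be dropped.  An empty Transport Tag
    means the source address is not checked at all; otherwise the source must
    fall inside some Target Address entry carrying that tag."""
    row = next((c for c in community_table if c["community"] == community), None)
    if row is None:
        return None
    tag = row.get("transport_tag", "")
    if not tag:
        return row["security_name"]
    src = ipaddress.ip_address(source_ip)
    for t in target_addresses:
        if tag in _tag_set(t["tag_list"]) and src in _station_network(t):
            return row["security_name"]
    return None


def unrestricted_communities(community_table, target_addresses):
    """Audit helper: communities that accept requests from anywhere, because the
    Transport Tag is empty or a tagged entry's mask admits every address."""
    loose = []
    for c in community_table:
        tag = c.get("transport_tag", "")
        wide = any(tag and tag in _tag_set(t["tag_list"]) and _station_network(t).prefixlen == 0
                   for t in target_addresses)
        if not tag or wide:
            loose.append(c["community"])
    return loose
```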
Ping Physical Ports Table
You can define which physical interfaces can be pinged. When a ping is sent to an interface for which ping is not allowed, the packet is discarded. By default, all the interfaces of the device allow pings.
To configure physical ports to allow ping
1. Select Security > Ping Physical Ports Table.
2. Select a Port Number link.
3. In the Ping Device field, select Enable or Disable, as required.
4. Click Set.
Users
You can configure a list of users who are authorized to access the device through any enabled access method (Web, Telnet, SSH, SWBM). When configuration tracing is enabled, users can receive e-mail notifications of changes made to the device.
To configure the user-access authenticating method
1. Select Security > Users.
2. From the Authentication Method drop-down list, configure the parameter, and click Set.
Parameter Description
Authentication Method
The method for authenticating a user's access to the device.
Values:
Local User Table—The device uses the User Table to authenticate access.
Radius and Local User Table—The device sends the credentials to the RADIUS servers configured under Services > Radius (primary, then backup). Only if the servers do not respond, that is, after the Radius Timeout and Radius Retries are exhausted for both, does the device fall back to the User Table. The fallback is triggered by a timeout, not by a RADIUS reject.
Default: Local User Table
To configure the users table
1. Select Security > Users.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
User Name The name of the user.
Password The text password for the user.
Email Address The e-mail address of the user to which notifications will be sent.
Severity The minimum severity level of traps sent to this user.
Values:
None—The user receives no traps.
Info—The user receives traps with severity info or higher.
Warning—The user receives Warning, Error, and Fatal traps.
Error—The user receives Error and Fatal traps.
Fatal—The user receives Fatal traps only.
Default: None
Trace Status When enabled, the specified user receives notifications of configuration changes made in the device.
Every time the value of a configurable variable changes, information about all the variables in the same MIB entry is reported to the specified users. The device gathers reports and sends them in a single notification message when the buffer is full or when the timeout of 60 seconds expires.
The notification message contains the following details:
Name of the MIB variable that was changed.
New value of the variable.
Time of configuration change.
Configuration tool that was used.
User name, when applicable.
User Access Level The user’s level of access to the WBM and CLI.
Values: readwrite, readonly, none
Default: readwrite
SSH public key name The name of the SSH public key.
Certificates
Certificates Table
Use the Certificates Table pane to manage keys and certificates.
Create and Delete functionality is available only when you are connected with a secure protocol, such as HTTPS.
To update an entry
1. Select Security > Certificates > Table.
2. Click the entry name.
3. Configure the parameters, and click Set.
To create an entry
1. Select Security > Certificates > Table.
2. Click Create.
3. Configure the parameters, and click Set.
Parameter Description
Name The name of the entry.
Entry Type Values:
Key
Signing Request
Certificate
Intermediate CA Certificate
Certificate of Client CA
Key Size The RSA key length in bits. Use 2048; 512-bit and 1024-bit RSA keys are too short for current use and are rejected by modern browsers and TLS clients.
Values: 512, 1024, 2048
Key Passphrase The key password (the same that you use to export the key from the web server).
Common Name The domain name of the organization. For example, www.checkpoint.com
Locality The name of the city.
State or Province The state or province.
Organization The name of the organization.
Organization Unit The department/unit within the organization.
Country Name The country of residence.
Certificate Expiry (Read-only) The date of expiry in DDD MMM dd hh:mm:ss yyyy format.
Example: SAT SEP 01 08:29:40 2012
Email Default email address for the organization.
Certificate Validity The number of days for which the certificate is valid.
To delete an entry
1. Select Security > Certificates > Table.
2. Select the checkbox in the row with the entry.
3. Click Delete.
Exporting PKI Components
You can export Public Key Infrastructure (PKI) components when you are connected with a secure protocol, such as HTTPS.
To export a PKI component
1. Select Security > Certificates > Export.
2. Configure the parameters, and click Show to view the component details, or click Export, to export the component from the device. A dialog message is displayed asking if you want to open or save the component file. If you click Open, the file will be opened in a browser window. If you click Save, you will be prompted to save the file.
Parameter Description
Name The name of component.
Type Values:
Key
Certificate
Certificate and Key
Format (Read-only) The format for the specified Type.
Passphrase The password (the same that you use to export the key from the Web server).
Text The certificate text, which you can enter.
Importing a PKI Component
You can import Public Key Infrastructure (PKI) components when you are connected with a secure protocol, such as HTTPS.
To import a PKI component
1. Select Security > Certificates > Export.
2. Configure the parameters, and click Import.
Parameter Description
Name The name of component.
Type Values:
Key
Certificate
Certificate and Key
Intermediate CA Certificate
Certificate of Client CA
SSH Public Key
Format (Read-only) The format for the specified Type.
Passphrase The password (the same that you use to export the key from the Web server).
Text The certificate text, which you can enter.
Certificate File Browse to the certificate file to import.
Certificate Default Values
A certificate is a digitally signed document that binds a public key to the identity of the server or user; the subject fields below make up that identity. You can set the default values used for new certificates and signing requests to your specifications.
To configure default values for certificates
1. Select Security > Certificates > Default Values.
2. Configure the parameters, and click Set.
Parameter Description
Certificate Common The domain name of the organization. For example, www.checkpoint.com.
Certificate Locality The name of the city.
Certificate State Or Province The state or province.
Certificate Organization The name of the organization.
Certificate Organization Unit The department/unit within the organization
Certificate Country Name The country of residence.
Certificate Email The default email address for the organization.
Chapter 8
Configuring Classes Parameters
View Active Networks
You can view the active network classes that are configured on the device.
To view the active network class configuration
Select Classes > View Active > Networks.
Modify
Modify Networks
You can view active networks, as well as configure new ones. You can define networks that are used by the device (active) and you can define networks that are kept in a separate database until they are required (inactive).
You can add, modify, and delete these networks according to your requirements.
A network class is identified by a name and defined by a network address and mask, or by a range of IP addresses (from-to). For example, network net1 can be 10.0.0.0/255.0.0.0 and network net2 can be from 10.1.1.1 to 10.1.1.7; alternatively, network net1 can be 1234::0/32 and network net2 can be from 1234::0 to 1234:FFFF:FFFF:FFFF. The Network list allows either configuration.
Using classes allows you to define a network comprised of multiple subnets and/or IP ranges, all identified with the same class name. For example, network net1 can be 10.0.0.0/255.255.255.0 and 10.1.1.1 to 10.1.1.7.
You can use network classes in the following:
Black lists
White lists
Network-protection policies to match source or destination traffic
To configure a network class
1. Select Classes > Modify Networks.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Name The name of the network class.
The network name is case-sensitive.
The network name cannot be an IP address.
Sub Index When you define multiple network classes with the same name, you must assign each instance a different sub-index number. The numbers do not need to be sequential or in order.
Address (For an IP Mask entry only) The network address.
Mask (For an IP Mask entry only) The mask of the subnet, which you can enter in either of the following ways:
A subnet mask in dotted decimal notation—for example, 255.0.0.0 or 255.255.0.0.
An IP prefix, that is, the number of mask bits—for example, 8 or 16.
From IP (For an IP Range entry only) The first IP address in the range.
To IP (For an IP Range entry only) The last IP address in the range.
Mode Specifies whether the network is defined by a subnet and mask, or by an IP range.
Values: IP Mask, IP Range
Modify Services
Modify Basic Filters Table
Use Services to filter traffic. Services classify traffic based on criteria for Layers 3 – 7. A Service is a configuration of a basic filter, which may combine with logical operators to achieve more sophisticated filters (AND Group filters and OR Group filters). DDoS Protector supports a long list of predefined basic filters. A basic filter includes attributes that specify parameters such as protocol, application port, and content type. When the protocol of a basic filter is TCP or UDP, the filter can include a text string.
A basic filter includes the following components:
Protocol—The specific protocol that the packet should carry. The choices are IP, TCP, UDP, ICMP, NonIP, ICMPV6, and SCTP. If the specified protocol is IP, all IP packets (including TCP and UDP) will be considered.
When configuring TCP or UDP, the following additional parameters are available:
Destination Port (From-To)—Destination port number for that protocol. For example, for HTTP, the protocol would be configured as TCP and the destination port as 80. The port configuration can also allow for a range of ports to be configured.
Source Port (From-To)—Similar to the destination port, the source port that a packet should carry in order to match the filter can be configured.
Offset Mask Pattern Condition (OMPC)—The OMPC is a means by which any bit pattern can be located for a match at any offset in the packet. This can aid in locating specific bits in the IP header, for example. TOS and Diff-serv bits are perfect examples of where OMPCs can be useful. It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured, there should be an OMPC match in addition to a protocol (and source/destination port) match. In other words, if an OMPC is configured, the packet needs to match the configured protocol (and ports) and the OMPC.
Content Specifications—When the protocol of a basic filter is TCP or UDP, you can search for any text string in the packet. Like OMPCs, a text pattern can be searched for at any offset in the packet. HTTP URLs are perfect examples of how a text search can help in classifying a session.
You can choose from the many types of configurable content—for example, URL, hostname, HTTP header field, cookie, mail domain, mail subject, file type, regular expression, text, and so on.
When the content type is URL, for example, the module assumes the session to be HTTP with a GET, HEAD, or POST method. The module searches the URL following the GET/HEAD/POST to find a match for the configured text. In this case, the configured offset is meaningless, since the GET/HEAD/POST is in a fixed location in the HTTP header. If the content type is text, the module searches the entire packet for the content text, starting at the configured offset.
By allowing a filter to take actual content of a packet/session into account, the module can recognize and classify a wider array of packets and sessions.
Like OMPCs, Content Rules are not mandatory to configure. However, when a Content Rule exists in the filter, the packet needs to match the configured protocol (and ports), the OMPC (if one exists) and the Content Rule.
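A basic filter evaluated the way the components above describe it (protocol, then ports, then the OMPC, then the Content rule, all of which must match), as an added example that is not part of this guide or of Check Point's code. The frame builder, the filters and the packet contents are constructed; only Ethernet/IPv4 with TCP or UDP is modelled, the Content rule is a plain Text search from the start of the frame, and the OMPC shown matches the DSCP EF code point (TOS byte 0xB8 under mask 0xFC) one byte into the IPv4 header, the "TOS and Diff-serv bits" case the text mentions.

```python
"""A basic filter (protocol, L4 ports, OMPC, Content) applied to a frame.
Added example, not Check Point code; frames, filters and packet contents are
constructed for the example, and only Ethernet/IPv4 with TCP or UDP is handled."""
import struct

ETH_HDR = 14
LENGTHS = {"One Byte": 1, "Two Bytes": 2, "Three Bytes": 3, "Four Bytes": 4}
PROTO_NUMBERS = {"IP": None, "TCP": 6, "UDP": 17, "ICMP": 1, "SCTP": 132}   # IPv6/ICMPv6 not modelled


def ipv4_frame(src, dst, proto, sport, dport, payload=b"", tos=0):
    """Constructed Ethernet + IPv4 + TCP(SYN)/UDP frame; checksums are left zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
          if proto == 6 else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4 + payload


def reference_offsets(frame):
    """Byte positions for the 'OMPC Offset Relative to' choices (IPv4 only)."""
    ihl = (frame[ETH_HDR] & 0x0F) * 4
    l4 = ETH_HDR + ihl
    l4_len = (frame[l4 + 12] >> 4) * 4 if frame[ETH_HDR + 9] == 6 else 8
    return {"Ethernet": 0, "IPv4 Header": ETH_HDR, "IP Data": l4, "L4 Header": l4, "L4 Data": l4 + l4_len}


def ompc_match(frame, ompc):
    """Mask and Pattern are 8 hex digits, left-aligned and zero-padded for
    lengths under four bytes (length Two Bytes, pattern abcd0000, as in the table)."""
    n = LENGTHS[ompc["length"]]
    start = reference_offsets(frame)[ompc["relative_to"]] + ompc["offset"]
    if start + n > len(frame):
        return False
    shift = 8 * (4 - n)
    mask = int(ompc["mask"], 16) >> shift
    pattern = (int(ompc["pattern"], 16) >> shift) & mask
    value = int.from_bytes(frame[start:start + n], "big") & mask
    return {"Equal": value == pattern, "Not Equal": value != pattern,
            "Greater Than": value > pattern, "Less Than": value < pattern}[ompc["condition"]]


def _port_ok(port, spec):
    """spec: None (any), a single port, or a (from, to) range."""
    if spec is None:
        return True
    low, high = (spec, spec) if isinstance(spec, int) else spec
    return low <= port <= high


def basic_filter_match(frame, flt):
    """Protocol, then ports (TCP/UDP only), then OMPC, then Content: all must hold."""
    if frame[12:14] != b"\x08\x00":
        return flt["protocol"] == "NonIP"
    if flt["protocol"] == "NonIP":
        return False
    want = PROTO_NUMBERS[flt["protocol"]]
    if want is not None and frame[ETH_HDR + 9] != want:
        return False
    offs = reference_offsets(frame)
    if flt["protocol"] in ("TCP", "UDP"):
        sport, dport = struct.unpack("!HH", frame[offs["L4 Header"]:offs["L4 Header"] + 4])
        if not (_port_ok(sport, flt.get("src_port")) and _port_ok(dport, flt.get("dst_port"))):
            return False
    if "ompc" in flt and not ompc_match(frame, flt["ompc"]):
        return False
    if flt.get("content"):                         # Content Type 'Text': whole frame from Content Offset
        return flt["content"].encode() in frame[flt.get("content_offset", 0):]
    return True
```

Note that the Text search is deliberately naive: it finds "/admin" anywhere after the offset, including inside a POST body or a different header, which is why the URL and Normalized URL content types exist for HTTP.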
Note: If you edit the parameters of a filter that is bound to an existing policy, you need to activate the latest changes.
To configure a basic filter
1. Select Classes > Modify > Services > Basic Filters.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Name The name of the filter.
Protocol Values:
IP
TCP
UDP
ICMP
NonIP
ICMPV6
SCTP
Default: IP
Source App.port The Layer-4 source port or source-port range for TCP, UDP, or SCTP traffic.
Values: A value in the range 0 – 65,535; value ranges (for example, 30 – 400) greater than the Source Port Range From value; dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp
Destination App. Port
The Layer-4 destination port or destination-port range for TCP, UDP, or SCTP traffic.
Values: values in the range 0 – 65,535; value ranges (for example, 30 – 400) greater than the Destination Port Range From value; dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp
OMPC Offset The offset, in bytes, from the reference point selected in OMPC Offset Relative to, at which the OMPC comparison starts (for example, the byte holding the TOS/DiffServ bits in the IP header).
Values: 0 – 1513
Default: 0
OMPC Offset Relative to
Specifies to which OMPC offset the selected offset is relative.
Values:
None
IPv4 Header
IPv6 Header
IP Data
L4 Data
ASN1
Ethernet
L4 Header
Default: None
OMPC Mask The mask for OMPC data. The value must be defined according to the OMPC Length parameter.
Values: Must comprise eight hexadecimal symbols
Default: 00000000
OMPC Pattern The fixed-size pattern within the packet that the OMPC rule attempts to find. The value must be defined according to the OMPC Length parameter. The OMPC Pattern must contain eight hexadecimal symbols. If the value for the OMPC Length parameter is smaller than Four Bytes, you need to pad the OMPC Pattern with zeros. For example, if OMPC Length is two bytes, the OMPC Pattern can be abcd0000.
Values: Must comprise eight hexadecimal symbols
Default: 00000000
OMPC Condition The comparison applied between the masked packet bytes and the OMPC Pattern. Values:
None
Equal
Not Equal
Greater Than
Less Than
Default: None
OMPC Length The number of bytes, starting at the OMPC Offset, that the OMPC check reads and compares. Values:
None
One Byte
Two Bytes
Three Bytes
Four Bytes
Default: None
Content Offset The location in the packet at which the checking of content starts.
Values: 0 – 1513
Default: 0
Distance A range that defines the allowed distance between two content characters. If the distance is beyond the specified range, it is recognized as an attack.
Content The value of the content search.
Values: any printable ASCII character: space ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~
Content Type The specific content type to search for.
Values:
None
URL—A URL in the HTTP request URI.
Text—Text anywhere in the packet.
Hostname—A hostname in the HTTP header. The host names in the Hostname List of an L7 Policy are not algorithmically related to a host name configured for a basic filter.
Header Field—A header field in the HTTP header.
Expression—Text anywhere in the packet represented by a regular expression specified in the Content field.
Mail Domain—The Mail Domain in the SMTP header.
Mail To—The Mail To SMTP header.
Mail From—The Mail From SMTP header.
Mail Subject—The Mail Subject SMTP header.
File Type—The type of the requested file in the HTTP GET command (for example, JPG, EXE, and so on).
Cookie—The HTTP cookie field. The Content field includes the cookie name, and the Content Data field includes the cookie value.
Normalized URL—A normalized URL in the HTTP request URI.
POP3 User—The POP3 User field in the POP3 header.
URI Length—Filters according to URI length.
FTP Command—Parses FTP commands to commands and arguments, while normalizing FTP packets and stripping Telnet opcodes.
FTP Content—Scans the data transmitted using FTP, normalizes FTP packets and strips Telnet opcodes.
Generic Url—The URL in the request URI, without normalization.
Generic Header—A header field in the request, without normalization.
Generic Cookie—A cookie in the request, without normalization.
For the three Generic types, no normalization procedures are applied and a GET/HEAD/POST method is not required, so they are applicable to non-HTTP protocols such as SIP and BitTorrent.
Default: None
Content End Offset The location in the packet at which the checking of content ends.
Values: 0 – 1513
Default: 0
Content Data Additional data for the content search, interpreted according to the Content Type (for example, for Content Type Cookie, the Content field holds the cookie name and the Content Data field holds the cookie value).
Content Coding The encoding type of the content to search for (as specified in the Content field).
Values:
None
Case Insensitive
Case Sensitive
HEX
International
Default: None
Note: Which values are applicable depends on the selected Content Type.
Content Data Coding
The encoding type of the content data to search for (as specified in the Content Data field).
Values:
None
Case Insensitive
Case Sensitive
HEX
International
Default: None
Note: Which values are applicable depends on the selected Content Type.
Description A description of the filter.
Session Type The specific session type to search for.
Values: None, Ftp Control, Ftp Data, Ftp All, Tftp Control, Tftp Data, Tftp All, Rshell Control, Rshell Data, Rshell All, Rexec Control, Rexec Errors, Rexec All, H225 Control, H245 session, H225 All, SIP Signal, SIP Media Control, SIP Audio, SIP All
Default: None
Session Type Direction
The specific direction of the specified session type to search for.
Values: All, Request, Reply
Default: None
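The following Python example is added here for illustration; it is not part of the DDoS Protector software or of this guide. It shows how the OMPC parameters of a basic filter (OMPC Offset, Offset Relative to, Mask, Pattern, Condition and Length) combine into one packet check, using a constructed Ethernet/IPv4/TCP frame. The mapping of the Relative to values to byte positions is an assumption made for the example: None is taken as an absolute offset from the start of the frame, and IP Data and L4 Header both resolve to the first byte after the IPv4 header.

```python
"""OMPC evaluator for basic-filter rules (added example, not device code).

Assumptions: 'None' is an absolute offset from the frame start; 'IP Data' and
'L4 Header' both point at the first byte after the IPv4 header; only IPv4
frames (untagged or 802.1Q) are parsed.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class OmpcRule:
    offset: int        # OMPC Offset, 0 - 1513 (1514 bytes is the largest untagged frame)
    relative_to: str   # OMPC Offset Relative to
    mask: str          # OMPC Mask, eight hex symbols
    pattern: str       # OMPC Pattern, eight hex symbols, zero-padded on the right
    condition: str     # OMPC Condition
    length: int        # OMPC Length in bytes, 0 = None


def frame_anchors(frame: bytes) -> dict:
    """Byte offset of every 'Relative to' base point in an Ethernet/IPv4 frame."""
    eth_len = 14
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype == 0x8100:              # 802.1Q tag adds 4 bytes before the IP header
        eth_len = 18
        ethertype = int.from_bytes(frame[16:18], "big")
    if ethertype != 0x0800:
        raise ValueError("example handles IPv4 frames only")
    ip_start = eth_len
    ihl = (frame[ip_start] & 0x0F) * 4   # IPv4 header length from the IHL nibble
    l4_start = ip_start + ihl
    proto = frame[ip_start + 9]
    if proto == 6:                       # TCP: header length from the data-offset nibble
        l4_hdr = (frame[l4_start + 12] >> 4) * 4
    elif proto in (1, 17):               # ICMP and UDP: fixed 8-byte header
        l4_hdr = 8
    else:
        l4_hdr = 0
    return {"None": 0, "Ethernet": 0, "IPv4 Header": ip_start,
            "IP Data": l4_start, "L4 Header": l4_start, "L4 Data": l4_start + l4_hdr}


def ompc_match(frame: bytes, rule: OmpcRule) -> bool:
    """Apply one OMPC rule; Length or Condition 'None' imposes no constraint."""
    if rule.length == 0 or rule.condition == "None":
        return True
    if not 0 <= rule.offset <= 1513:
        raise ValueError("OMPC Offset must be in 0 - 1513")
    start = frame_anchors(frame)[rule.relative_to] + rule.offset
    window = frame[start:start + rule.length]
    if len(window) < rule.length:        # packet shorter than the inspected window
        return False
    mask = bytes.fromhex(rule.mask)[:rule.length]        # only the first Length bytes count
    pattern = bytes.fromhex(rule.pattern)[:rule.length]  # pattern padding beyond Length is ignored
    value = int.from_bytes(bytes(b & m for b, m in zip(window, mask)), "big")
    target = int.from_bytes(bytes(p & m for p, m in zip(pattern, mask)), "big")
    return {"Equal": value == target, "Not Equal": value != target,
            "Greater Than": value > target, "Less Than": value < target}[rule.condition]


def build_tcp_frame(ttl: int = 64, sport: int = 40000, dport: int = 80,
                    flags: int = 0x02, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the example (checksums left as zero)."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


# Constructed rules, written the way the WBM fields would be filled in.
# Reading two bytes at TCP offset 12 and masking 0x003F keeps URG/ACK/PSH/RST/SYN/FIN,
# so a bare SYN is pattern 0x0002 (entered as 00020000 with Length = Two Bytes).
SYN_ONLY = OmpcRule(12, "L4 Header", "003f0000", "00020000", "Equal", 2)
# IPv4 TTL is byte 8 of the IP header; flag packets whose TTL is below 5.
LOW_TTL = OmpcRule(8, "IPv4 Header", "ff000000", "05000000", "Less Than", 1)
# Destination port is bytes 2-3 of the TCP/UDP header.
DPORT_80 = OmpcRule(2, "L4 Header", "ffff0000", "00500000", "Equal", 2)

SYN_FRAME = build_tcp_frame(flags=0x02)
SYNACK_FRAME = build_tcp_frame(flags=0x12, sport=80, dport=40000)
LOW_TTL_FRAME = build_tcp_frame(ttl=3)

if __name__ == "__main__":
    for name, frame in [("SYN", SYN_FRAME), ("SYN/ACK", SYNACK_FRAME), ("TTL=3", LOW_TTL_FRAME)]:
        print(name, "syn-only:", ompc_match(frame, SYN_ONLY), "low-ttl:", ompc_match(frame, LOW_TTL),
              "dport-80:", ompc_match(frame, DPORT_80))
```

Note that the mask and pattern are truncated to the OMPC Length before the comparison, which is why a two-byte pattern is entered as abcd0000, and that a packet shorter than the inspected window does not match rather than raising an error.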
AND Groups
An AND Group filter is a combination of basic filters with a logical AND between them.
Example: The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as:
AF1= {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three filters (F1, F2, and F3).
Notes:
You cannot modify or delete predefined AND Groups.
If you edit an AND Group that is bound to an existing policy, the edit does not affect traffic until you activate the latest changes.
To configure an AND group
1. Select Classes > Modify Services > AND Group.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
AND Group Name The name of the AND Group
Basic Filter Name The basic filter for this AND Group.
Modify OR Group Table
An OR Group Filter is a combination of basic filters and/or AND filters with a logical OR between them. DDoS Protector supports a set of predefined, static OR Groups. The predefined OR Groups are based on the predefined basic filters.
Example: The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as: AF1= {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three filters (F1, F2, and F3). Filter FG1 is user-defined as: FG1 = {AF1 OR F4 OR F6}. In order for a packet to match FG1, the packet must match either filter AF1, basic filter F4, or basic filter F6.
Notes:
You cannot modify or delete predefined OR Groups.
If you edit an OR Group that is bound to an existing policy, the edit does not affect traffic until you activate the latest changes.
To add a new OR group
1. Select Classes > Modify Services > OR Groups.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
OR Group Name The name of the OR Group.
Filter Name The filter for this OR Group, which can be a Basic filter or an AND Group.
Filter Type Values:
Static—The OR Group is predefined.
Regular—The OR Group is user-defined.
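The following Python example is added here for illustration; it is not part of the DDoS Protector software or of this guide. It models the AND Group and OR Group logic described above (the F1, F2, F3, AF1, F4, F6 and FG1 example), the rule that a predefined (Static) group cannot be modified, and the rule that edits to a bound group take effect only after you activate the latest changes. The packet fields, the three basic-filter parameters used, and the pending/active store are simplifications assumed for the example.

```python
"""Basic filters, AND Groups, OR Groups and activation (added example, not device code).

Assumptions: packets are dicts with protocol, dst_port and payload; basic filters are
reduced to Protocol, Destination App. Port and Content; configuration edits go to a
pending store and reach the active store only on activate().
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BasicFilter:
    name: str
    protocol: str = "IP"                 # "IP" matches any IP protocol
    dst_port: Optional[int] = None       # Destination App. Port, single port
    content: Optional[bytes] = None      # Content, searched anywhere in the payload

    def match(self, pkt: dict) -> bool:
        if self.protocol != "IP" and pkt["protocol"] != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        if self.content is not None and self.content not in pkt.get("payload", b""):
            return False
        return True


@dataclass(frozen=True)
class AndGroup:
    name: str
    members: tuple                        # basic filters only, per the guide

    def match(self, pkt: dict) -> bool:  # logical AND: every member must match
        return all(f.match(pkt) for f in self.members)


@dataclass(frozen=True)
class OrGroup:
    name: str
    members: tuple                        # basic filters and/or AND Groups
    filter_type: str = "Regular"          # "Static" marks a predefined group

    def match(self, pkt: dict) -> bool:  # logical OR: any member suffices
        return any(m.match(pkt) for m in self.members)


class ClassStore:
    """Pending versus active configuration; only the active set classifies traffic."""

    def __init__(self) -> None:
        self.pending: dict = {}
        self.active: dict = {}

    def set_or_group(self, group: OrGroup) -> bool:
        """Store an OR Group in the pending set; refuse to overwrite a Static group."""
        current = self.pending.get(group.name)
        if current is not None and current.filter_type == "Static":
            return False
        self.pending[group.name] = group
        return True

    def activate(self) -> None:
        """Activate Latest Changes: copy the pending set over the active set."""
        self.active = dict(self.pending)

    def classify(self, pkt: dict) -> list:
        """Names of the active OR Groups that the packet matches."""
        return [name for name, g in self.active.items() if g.match(pkt)]


# The guide's example, with constructed filter contents.
F1 = BasicFilter("F1", protocol="TCP")
F2 = BasicFilter("F2", dst_port=80)
F3 = BasicFilter("F3", content=b"GET ")
F4 = BasicFilter("F4", protocol="UDP", dst_port=53)
F6 = BasicFilter("F6", protocol="ICMP")
AF1 = AndGroup("AF1", (F1, F2, F3))       # AF1 = {F1 AND F2 AND F3}
FG1 = OrGroup("FG1", (AF1, F4, F6))       # FG1 = {AF1 OR F4 OR F6}

# Constructed packets.
HTTP_GET = {"protocol": "TCP", "dst_port": 80, "payload": b"GET / HTTP/1.1\r\n"}
HTTP_POST = {"protocol": "TCP", "dst_port": 80, "payload": b"POST / HTTP/1.1\r\n"}
DNS_QUERY = {"protocol": "UDP", "dst_port": 53, "payload": b"\x12\x34\x01\x00"}
HTTPS_SYN = {"protocol": "TCP", "dst_port": 443, "payload": b""}


def demo() -> dict:
    """Classify before and after activation to show that pending edits are inert."""
    store = ClassStore()
    store.set_or_group(FG1)
    before = store.classify(HTTP_GET)      # FG1 is pending, so nothing matches yet
    store.activate()
    after = {label: store.classify(p) for label, p in
             [("get", HTTP_GET), ("post", HTTP_POST), ("dns", DNS_QUERY), ("https", HTTPS_SYN)]}
    return {"before_activate": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The HTTP POST packet fails AF1 because F3 (the content string) does not match, and it matches neither F4 nor F6, so FG1 does not match it even though F1 and F2 do; this is the difference between the AND and OR combinations that the guide's example describes.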
Modify Application Port Groups
Application classes are groups of Layer-4 ports for UDP and TCP traffic. Each class is identified by its unique name, and a single class can contain multiple Layer-4 ports or port ranges. You cannot modify the predefined application classes for standard applications, but you can add port ranges to them. You can add and modify user-defined classes in the Application Port Group table.
To configure an application port group
1. Select Classes > Modify > Appl. Port Groups.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Name The name of the Application Port Group.
To associate a number of ranges with the same port group, use the same name for all the ranges that you want to include in the group. Each range appears as a separate row with the same name in the Application Port Group table.
From Port The first port in the range.
To Port The last port in the range. To define a group with a single port, set the same value for the From Port and To Port fields.
Modify Physical Port Groups
You can define network segments using definitions of physical ports. Use physical port classes to classify traffic according to physical ports in security policy rules.
To configure a physical port group
1. Select Classes > Modify > Port Groups.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Group Name The name of the Port Group.
Inbound Port The inbound port associated with the Port Group.
Modify VLAN Tag Groups
You can define network segments using VLAN tags. Use VLAN tag classes (groups) to classify traffic according to VLAN tags in security policy rules.
Each DDoS Protector device supports a maximum of 64 VLAN Tag groups. Each VLAN Tag group can contain a maximum of 32 discrete tags and 32 ranges. That is, in effect, each managed device supports up to 64 × 64 = 4,096 VLAN tag definitions.
To configure a VLAN tag class
1. Select Classes > Modify > VLAN Tag Groups.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Group Name The name of the VLAN tag group.
VLAN Tag
(for Discrete mode only)
The VLAN tag number.
VLAN Tag From
(for Range Group Mode only)
The first VLAN tag in the range.
You cannot modify this field after creating the VLAN group.
VLAN Tag To
(for Range Group Mode only)
The last VLAN tag in the range.
Group Mode The VLAN mode.
Values:
Discrete—An individual VLAN tag, as defined in the interface parameters of the device.
Range—A group of sequential VLAN tag numbers, as defined in the interface parameters of the device.
Modify MAC Groups
MAC groups identify traffic whose source or destination is a transparent network device.
To configure a MAC address class
1. Select Classes > Modify MAC Groups.
2. Do one of the following:
To add an entry, click Create.
To edit an entry, click the entry link in the table.
3. Configure the parameters, and click Set.
Parameter Description
Group Name The name of the MAC address group.
MAC Address The MAC address associated with the group.
View Active
View Active Networks
You can view the active network classes that are configured on the device.
To view the active network class configuration
Select Classes > View Active > Networks.
View Active Services
The Basic Filter constitutes protection against a specific attack, meaning that each Basic Filter has a specific attack signature and protection parameters.
To view the parameters of the basic filter
1. Select Classes > View Active > Services > Basic Filters.
2. Select the name of the filter whose parameters you want to view.
The AND Group represents a logical AND between two or more Basic Filters. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one basic filter to protect against them.
Note: You can create the AND Groups using the user-defined Basic Filters only.
To view the parameters of the AND group
1. Select Classes > View Active > Services > AND Groups.
2. Select the name of the filter whose parameters you want to view.
The OR Group represents a logical OR between two or more Basic Filters or AND Groups.
To view the active OR group table
1. Select Classes > View Active > Services > OR Groups.
2. Select the name of the filter whose parameters you want to view.
Viewing Application Port Groups
You can view the active Application Port Group classes that are configured on the device.
To view the active application port groups
Select Classes > View Active > Appl. Port Groups.
View Active Physical Port Groups
You can view the active Physical Port Group classes that are configured on the device.
To view the active physical port groups
Select Classes > View Active > Port Groups.
View Active VLAN Tag Groups
You can view the active VLAN Tag Group classes that are configured on the device.
To view the active VLAN tag groups
Select Classes > View Active > VLAN Tag Groups.
View Active MAC Groups
You can view the active MAC Group classes that are configured on the device.
To view the active MAC groups
Select Classes > View Active > MAC Groups.
Activate Latest Changes
Use the Activate Latest Changes pane to activate all the latest changes made to the configuration of the device.
To activate latest policy changes
1. Select Classes > Update Policies.
2. Click Set.
Chapter 9
Configuring Performance Parameters
Element Statistics
IP Packet Statistics
To view the IP packet statistics
Select Performance > Element Statistics > IP. The following parameters are displayed:
Parameter Description
IP Receives The total number of input datagrams received from interfaces, including those received in error.
IP Header Errors The number of input datagrams discarded because of errors in their IP headers, including bad checksums, version number mismatches, other format errors, time-to-live exceeded, and errors discovered while processing their IP options.
IP Discarded The number of input datagrams that had no problem preventing their continued processing but were discarded anyway (for example, for lack of buffer space). Note: This counter does not include datagrams discarded while awaiting reassembly.
IP Successfully Delivered The total number of input datagrams successfully delivered to IP user- protocols (including ICMP).
IP Out Requests The total number of IP datagrams, which local IP user-protocols (including ICMP) supplied to IP in requests for transmission.
IP Out Discards The number of output IP datagrams for which no problem was encountered to prevent their transmission but which were discarded anyway (for example, for lack of buffer space). Note: This counter includes datagrams counted in IP Forwarded that meet this discard criterion.
SNMP
To view the SNMP element statistics
Select Performance > Element Statistics > SNMP; the following parameters are displayed:
Parameter Description
SNMP Received Packets The total number of messages delivered to the SNMP entity from the transport service.
SNMP Sent Packets The total number of SNMP messages that were passed from the SNMP protocol entity to the transport service.
SNMP successful 'Get' requests
The total number of MIB objects that have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.
SNMP successful 'Set' requests
The total number of MIB objects that have been altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set-Request PDUs.
SNMP 'get' requests The total number of SNMP Get-Request PDUs that have been accepted and processed by the SNMP protocol entity.
SNMP 'get-next' requests The total number of SNMP Get-Next PDUs that have been accepted and processed by the SNMP protocol entity.
SNMP 'set' requests The total number of SNMP Set-Request PDUs that have been accepted and processed by the SNMP protocol entity.
SNMP Out TooBig The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is tooBig.
SNMP Out NoSuchName The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status is noSuchName.
SNMP Out BadValue The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is badValue.
SNMP Out GenErrs The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is genErr.
SNMP Out Get-Responses The total number of SNMP Get-Response PDUs that have been generated by the SNMP protocol entity.
SNMP Out Traps The total number of SNMP Trap PDUs that have been generated by the SNMP protocol entity.
IP Router
To view the IP router element statistics
Select Performance > Element Statistics > IP Router. The following parameters are displayed:
Parameter Description
IP Forwarded The number of input datagrams for which this entity was not the final IP destination and for which an attempt was therefore made to find a route to forward them to that final destination. In entities that do not act as IP gateways, this counter includes only packets that were source-routed via this entity and for which source-route option processing succeeded.
IP Unknown Protocol The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.
IP Out No Routes The number of IP datagrams discarded because no route could be found to transmit them to their destination. Note: This counter includes any packets counted in IP Forwarded that meet this no-route criterion, and any datagrams that a host cannot route because all of its default gateways are down.
IP Fragments Received The number of IP fragments received which needed to be reassembled at this entity.
IP Fragments successfully reassembled
The number of IP datagrams successfully re-assembled.
IP Fragments failed reassembly The number of failures detected by the IP re-assembly algorithm (for whatever reason: timed out, errors, etc). Note: This is not necessarily a count of discarded IP fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.
IP datagrams successfully fragmented
The number of IP datagrams that have been successfully fragmented at this entity.
IP datagrams discarded - failed fragmentation
The number of IP datagrams that have been discarded because they needed to be fragmented at this entity but could not be, e.g., because their Do not Fragment flag was set.
IP datagram fragments generated The number of IP datagram fragments that have been generated as a result of fragmentation at this entity.
Valid routing entries discarded N/A
Accelerator Utilization
Use the Accelerator Utilization pane to view the utilization for each accelerator.
To view the accelerator utilization
Select Performance > Element Statistics > Accelerator. The following parameters are displayed:
Parameter Description
Accelerator The name of the accelerator. The accelerator named Flow_Accelerator_0 is one logical accelerator that uses several CPU cores. The accelerator named HW Classifier is the string-matching engine (SME).
CPU The CPU number for the accelerator.
Forwarding The percentage of CPU cycles used for packet forwarding.
Other The percentage of CPU resources used for other tasks such as aging and so on.
Idle The percentage of free CPU resources.