Page 1: Check Point DDoS Protectordownloads.checkpoint.com/.../ID/24113/FILE/DDoS_Protector_6.07_Web... · DDoS Protector uses behavioral analysis to provide network-flood-attack protection

Check Point DDoS Protector

6 March 2013

Software Version - 6.07

User Guide


© 2013 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12676

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date | Description

4 March 2013 | Converted from WBM OLH and edited for print documentation.

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Check Point Lights Out Management Administration Guide).


Contents

Important Information ..... 3

DDoS Protector Overview ..... 1
  Network Flood Protection ..... 1
  Server Flood Protection ..... 1
  Application Layer Protection ..... 1

Configuring File Parameters ..... 3
  Software Update ..... 3
  Support ..... 3
  Configuration ..... 4
    Send Configuration File to Device ..... 4
    Receive from Device ..... 4
    Log File ..... 4
  Software List ..... 5

Configuring Device Parameters ..... 7
  Reboot Device ..... 7
  Device Shutdown ..... 7
  Global Parameters ..... 7
  Device Information ..... 8
  Utilization ..... 9
    SME Utilization ..... 9
    Device Resource Utilization ..... 9
  License Upgrade ..... 9
  Port Mirroring ..... 10
    Port Mirroring and Traffic Rate Port Mirroring ..... 10
  Forwarding Table ..... 12
    Interface Grouping ..... 13
  Physical Interface ..... 13
  L2 Interface ..... 13
  Link Aggregation ..... 14
    Link Aggregation: Trunk Table ..... 14
    Link Aggregation: Port Table ..... 14
  Jumbo Frames Settings ..... 15
  Traffic Exclusion ..... 16
  Session Table ..... 16
    Session Table Global Parameters ..... 16
    Advanced Session Table Global Parameters ..... 18
    Session Table Entries ..... 19
  IP Fragmentation ..... 20
  Device Overload Mechanism ..... 20
  High Availability ..... 21
    High Availability Global Parameters ..... 21
    High Availability Advanced Configuration ..... 22
    Pair Definition ..... 24
    High Availability Monitoring ..... 24
    Switch Over ..... 25
    Activate Baseline Sync with Peer Device ..... 25
    Reset Secondary ..... 25
  Tunneling ..... 25
  IP Version Mode ..... 26
  Dynamic Protocols ..... 26
    Dynamic Protocols: General ..... 26
    Dynamic Protocols: FTP ..... 27
    Dynamic Protocols: TFTP ..... 27
    Dynamic Protocols: Rshell ..... 28
    Dynamic Protocols: Rexec ..... 28
    Dynamic Protocols: H.225 ..... 29
    Dynamic Protocols: SIP ..... 29

Configuring Router Parameters ..... 31
  IP Router ..... 31
    Operating Parameters ..... 31
    Interface Parameters ..... 31
  Routing Table ..... 33
  ARP Table ..... 34

Configuring DDoS Protector Parameters ..... 35
  DoS Signatures ..... 35
    Application Security ..... 35
    DoS Shield ..... 36
    Filters ..... 36
    Attacks ..... 42
    Exclude Attacks ..... 48
  Denial of Service ..... 49
    Behavioral DoS ..... 49
    DNS Protection ..... 58
    SYN Protection ..... 71
    Out-of-State ..... 76
    Connection Limit ..... 78
    HTTP Mitigator ..... 81
  Authentication Tables ..... 87
    DNS Authentication Table ..... 87
    TCP Authentication Table ..... 88
    HTTP Authentication Table ..... 88
  Server Protection ..... 89
    Protected Servers ..... 89
  White List ..... 91
  Black List ..... 93
  Network Protection Policies ..... 96
    Policies Resources Utilization ..... 98
  Global ..... 99
    Suspend Table ..... 99
  Reporting ..... 101
    Reporting Global Parameters ..... 101
    Top Ten Attacks ..... 103
    Data Report ..... 103
    Security Log ..... 104
    Packet Trace ..... 105
  Attack Database ..... 106
    Attack Database Version ..... 106
    Attack Database Send to Device ..... 107
  Activate Latest Changes ..... 107
  Packet Anomalies ..... 107
    Packet Anomalies Attacks ..... 107
  Service Discovery ..... 110
    Service Discovery Global Parameters ..... 110
    Service Discovery Profiles ..... 111
  Restore Default Configuration ..... 112

Configuring Services Parameters ..... 115
  Tuning ..... 115
    Security ..... 115
    Device Tuning ..... 118
    Memory Check ..... 119
    Classifier Tuning ..... 120
    SYN Protection Tuning ..... 121
    Diagnostics Tuning ..... 122
  Diagnostics ..... 122
    Capture ..... 122
    Trace ..... 123
    Trace Files ..... 126
    Diagnostics Policies ..... 127
  Syslog Reporting ..... 128
  Daylight Saving ..... 130
  Management Interfaces ..... 131
    Telnet ..... 131
    Web Server ..... 132
    SSL ..... 133
    SSH ..... 133
  Event Log ..... 134
  Network Time Protocol (NTP) ..... 134
  RADIUS ..... 135
  SMTP ..... 136
  DNS Client Parameters ..... 137
  Configuration Auditing ..... 138
  Event Scheduler ..... 138

Configuring Security Parameters ..... 141
  Management Ports ..... 141
  Ports Access ..... 141
  SNMP ..... 142
    SNMP Global Parameters ..... 142
    SNMP: User Table ..... 142
    SNMP: Community Table ..... 143
    SNMP: Groups Table ..... 144
    SNMP: Access Table ..... 144
    SNMP: View Table ..... 145
    SNMP Notify Table ..... 145
    SNMP Target Parameters ..... 146
    SNMP: Target Address ..... 147
  Ping Physical Ports Table ..... 148
  Users ..... 148
  Certificates ..... 150
    Certificates Table ..... 150
    Exporting PKI Components ..... 151
    Importing a PKI Component ..... 151
    Certificate Default Values ..... 152

Configuring Classes Parameters ..... 153
  View Active Networks ..... 153
  Modify ..... 153
    Modify Networks ..... 153
    Modify Services ..... 154
    Modify Application Port Groups ..... 161
    Modify Physical Port Groups ..... 161
    Modify VLAN Tag Groups ..... 162
    Modify MAC Groups ..... 163
  View Active ..... 163
    View Active Networks ..... 163
    View Active Services ..... 163
    Viewing Application Port Groups ..... 164
    View Active Physical Port Groups ..... 164
    View Active VLAN Tag Groups ..... 164
    View Active MAC Groups ..... 164
  Activate Latest Changes ..... 164

Configuring Performance Parameters ..... 165
  Element Statistics ..... 165
    IP Packet Statistics ..... 165
    SNMP ..... 165
    IP Router ..... 166
    Accelerator Utilization ..... 168


DDoS Protector Web Based Management User Guide | 1

Chapter 1

DDoS Protector Overview

Check Point DDoS Protector™ appliances block denial-of-service (DoS) attacks within seconds with multi-layered protection and up to 12-Gbps performance.

Modern distributed DoS (DDoS) attacks use new techniques to exploit areas that traditional security solutions are not equipped to protect. These attacks can cause serious network downtime for businesses that rely on networks and Web services to operate. DDoS Protector extends the company security perimeter to block destructive DDoS attacks before they cause damage.

Network Flood Protection

DDoS Protector uses behavioral analysis to provide network-flood-attack protection. After baselining normal daily and weekly patterns for network traffic, DDoS Protector identifies abnormal traffic, especially spikes from network floods.
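The baselining idea described above, reduced to its simplest form as an added example for this guide (this is illustrative code written for this page, not Check Point's implementation): four weeks of constructed hourly packet-rate history are summarized into a mean and spread for every (weekday, hour) slot, and a fresh reading is judged against the envelope of its own slot, so that a rate which is routine on a weekday afternoon is still flagged at 03:00 on a Sunday. The multiplier `k`, the relative `floor`, and the traffic figures themselves are assumptions chosen for the demonstration.

```python
"""Behavioral baseline for network-flood detection (added example, not Check Point code).

Learns a mean and standard deviation of packets per second (pps) for every
(day-of-week, hour) slot from historical samples, then judges a fresh reading
against that slot's envelope.  All traffic figures below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev


def synthetic_history(weeks=4):
    """Constructed history: busier in weekday office hours, quieter otherwise.

    Returns a list of (day_of_week, hour, pps) tuples, one per hour per week.
    """
    samples = []
    for week in range(weeks):
        for dow in range(7):                 # 0 = Monday ... 6 = Sunday
            for hour in range(24):
                business = 1.0 if (dow < 5 and 9 <= hour < 18) else 0.4
                # deterministic jitter so every slot has a non-zero spread
                jitter = ((week * 37 + dow * 24 + hour) % 7) * 15
                samples.append((dow, hour, 1000 * business + jitter))
    return samples


def build_baseline(samples):
    """Map (dow, hour) -> (mean pps, population stdev) over the history."""
    buckets = defaultdict(list)
    for dow, hour, pps in samples:
        buckets[(dow, hour)].append(pps)
    return {slot: (mean(v), pstdev(v)) for slot, v in buckets.items()}


def classify(baseline, dow, hour, pps, k=3.0, floor=1.2):
    """Return a verdict for one reading against its (dow, hour) slot.

    A reading is a suspected flood when it exceeds both the statistical
    envelope (mean + k * stdev) and a relative floor (mean * floor); the floor
    keeps a slot with near-zero variance from alarming on harmless wobble.
    A slot with no history cannot be judged and is reported as "unknown".
    """
    if (dow, hour) not in baseline:
        return {"verdict": "unknown", "threshold": None, "baseline_mean": None}
    avg, sd = baseline[(dow, hour)]
    threshold = max(avg + k * sd, avg * floor)
    verdict = "flood" if pps > threshold else "normal"
    return {"verdict": verdict, "threshold": round(threshold, 1),
            "baseline_mean": round(avg, 1)}


if __name__ == "__main__":
    base = build_baseline(synthetic_history())
    # 900 pps is ordinary on a Wednesday afternoon but a spike at 03:00 on Sunday
    print(classify(base, 2, 14, 900))
    print(classify(base, 6, 3, 900))
```

The point of keying the baseline by weekday and hour rather than using one global average is visible in the two calls at the end: the same absolute rate is "normal" in one slot and "flood" in the other, which is exactly what a daily-and-weekly baseline buys over a fixed rate limit.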

Server Flood Protection

DDoS Protector protects against misuse of application resources. With its automatic signature-generation capability, DDoS Protector generates new signatures to mitigate suspected attacks, and uses predefined signatures to prevent known bad behavior. DDoS Protector also prevents misuse of the TCP/IP stack by fending off SYN-flood attacks using SYN cookies.
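SYN cookies, which the paragraph above names as the SYN-flood defense, work by folding the connection's identity into the initial sequence number of the SYN-ACK instead of allocating a half-open connection, so a flood of SYNs that never complete the handshake costs the defender no memory. The following is an added example written for this guide in the spirit of the classic scheme, not Check Point's implementation: the secret, the MSS table, the bit layout and the endpoint addresses are all assumptions constructed for the demonstration.

```python
"""SYN cookies: stateless SYN-flood defense (added example, not Check Point code).

The server answers every SYN with a SYN-ACK whose initial sequence number is
a keyed function of the 4-tuple plus a slowly ticking counter.  No half-open
state is kept.  Only when a client ACKs (ack = cookie + 1) does the server
recompute the function and, if it matches, allocate the connection.
"""
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"   # assumption: a per-host secret, rotated in practice
MSS_TABLE = (536, 1220, 1460)          # encodable MSS values, smallest first
COUNTER_BITS = 5                       # counter tick lives in the top 5 bits
MAC_BITS = 24                          # low 24 bits carry the truncated MAC


def _mac(saddr, daddr, sport, dport, counter):
    """Keyed hash over the 4-tuple and the counter tick the cookie was minted in."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, counter & 0xFFFFFFFF)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << MAC_BITS) - 1)


def make_cookie(saddr, daddr, sport, dport, client_mss, counter):
    """Mint the 32-bit ISN for a SYN-ACK; the server stores nothing."""
    # pick the largest table MSS not exceeding what the client offered
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((counter & ((1 << COUNTER_BITS) - 1)) << 27
            | mss_idx << MAC_BITS
            | _mac(saddr, daddr, sport, dport, counter))


def check_ack(saddr, daddr, sport, dport, ack_number, counter, max_age=3):
    """Validate the final ACK of a handshake; return the MSS to use, or None to drop.

    ack_number is the client's ACK field (cookie + 1).  max_age bounds how many
    counter ticks old a cookie may be, so a cookie captured earlier expires.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF
    minted = cookie >> 27
    age = (counter - minted) & ((1 << COUNTER_BITS) - 1)
    if age > max_age:
        return None                                   # stale (or future) counter tick
    mss_idx = (cookie >> MAC_BITS) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None                                   # impossible encoding
    if (cookie & ((1 << MAC_BITS) - 1)) != _mac(saddr, daddr, sport, dport, counter - age):
        return None                                   # forged, replayed elsewhere, or mis-addressed
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # constructed endpoints; the counter would normally tick about once a minute
    client, server = "198.51.100.7", "203.0.113.10"
    isn = make_cookie(client, server, 40000, 80, 1460, counter=17)
    print("accepted with MSS", check_ack(client, server, 40000, 80, isn + 1, counter=18))
    print("stale cookie ->", check_ack(client, server, 40000, 80, isn + 1, counter=30))
```

The trade-off the example makes visible is why SYN cookies are a flood-time measure rather than a default: only a handful of MSS values survive the round trip, and an ACK from a tick older than `max_age` is refused, so the mechanism is normally engaged when the half-open queue is under pressure and released afterwards.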

Application Layer Protection

DDoS Protector blocks automated tools and fake users with challenge/response techniques, while transparently redirecting legitimate users to the desired destinations.


Chapter 2

Configuring File Parameters

Software Update

Check Point may release updated versions of the device software. Upload these updated versions to benefit from enhanced functionality and performance. The password is provided with the new software documentation.

Note: If the upload is not successful, the current device software does not change. If the upload is successful, reset the device to activate the new version.

To upload software

1. Select File > Software Update.

2. In the Password field, enter the password received with the new software version.

Note: The password is case-sensitive.

3. In the Software version field, type the software version number as specified in the new software documentation.

4. In the File field, enter the file path, or click Browse to navigate to the file.

5. Select the Enable New Version check box.

6. Click Set.

7. Select Device > Reboot Device.

8. Click Set.

Support

When a problem requires debugging, DDoS Protector generates a separate support file. The file is delivered in text format and aggregates all the CLI commands needed by the Check Point Support Center, together with the output of various CLI commands, such as printouts of the Client table, the ARP table and others.

You download this file using the Support command and then send it to the Check Point Support Center.

To download the support file

1. Select File > Support.

2. Click Download.


Configuration

Send Configuration File to Device

Use the Send to Device pane to send a configuration file to the device.

To send the configuration file to a device

1. Select File > Configuration > Send to Device.

2. Select the upload mode: Replace configuration file, Append commands to configuration file, or Append commands to configuration file with reboot.

3. Enter the name of the Configuration file, or click Browse to navigate to the file.

4. Click Set.

5. Select Device > Reboot Device and then Set to apply the changes in the configuration.

Receive from Device

The Receive from Device window enables you to download the configuration file.

To download the configuration file

1. Select File > Configuration > Receive from Device.

2. Select whether to include private keys.

3. Click Set.

Note: When downloading a configuration file using WBM, the configuration file cannot be uploaded to a device that was configured to use SNMPv3 only.

Log File

Log File: Show

The Configuration Error Log window enables you to view the configuration errors. The report of configuration errors presented in this log file is automatically generated by the device.

To view the log file

Select File > Configuration > Logfile > Show.

Log File: Clear

The Clear Error Log window enables you to clear the information contained in the Show Log file.

To clear the error log

1. Select File > Configuration > Logfile > Clear.

2. Click Set.

Log File: Download

The Download Error Log window enables you to download the latest log file that contains configuration errors. Once the file is downloaded, you can view it.

To download the error log

1. Select File > Configuration > Logfile > Download.

2. Click Set.


Software List

The device can hold two different software versions at the same time, together with their respective configuration files. You can set which one of the existing versions is currently active. In addition, you can delete the inactive version.

To update the device software

1. Select File > Software List.

2. To filter the software list, enter or select a parameter and click Reset Filter.

3. Select the version that you want to delete and click Delete.

4. Select Device > Reboot Device and Set.

Parameter | Description

Name | The name of the version that you have selected.

Index | The index of the version in the Software List.

Valid | The version validity.

Active | The status of the version.

Version | The version number.


Chapter 3

Configuring Device Parameters

Reboot Device

This feature resets (restarts) the device. This may be necessary after completing the configuration of some features, such as Device Tuning. The changes are updated and reflected in the device only after the reset.

To reboot the device

1. Select Device > Reboot Device.

2. Click Set.

Device Shutdown

To shut down a device

1. Select Device > Device Shutdown.

2. Click Shutdown.

Global Parameters

To set the global device parameters

1. Select Device > Global Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Description The general description of the device.

Name The user-assigned name of the device, which is displayed in the windows describing the device.

Location The geographic location of the device.

Contact Person The person or people responsible for the device.

System Up Time The time elapsed since the last reset.

System Time The current user-defined device time, in hh:mm:ss format.

System Date The current user-defined device date, in dd/mm/yyyy format.

Bootp Server Address

The IP address of the BootP server. The device forwards BootP requests to the BootP server and acts as a BootP relay.

BootP Threshold How many seconds the device will wait before relaying requests to the BootP server. This delay allows local BootP Servers to answer first.

Device Information

Use the Device Information pane to view information about the device.

To access the device information pane

Select Device > Device Information. The following parameters are displayed:

Parameter Description

Type The device type.

Platform The hardware platform type, for example On-Demand Switch.

Device The device name.

Ports The number of ports on the device.

Ports Config The port configurations.

HW Version The hardware version.

SW Version The software version.

Build The software build date, time, and version number.

Throughput License

The throughput license (limit).

Version State The version state, for example "Final".

APSolute OS The APSolute OS build date, time, and version number.

Network Driver The Network driver version.

RAM Size The amount of RAM, in GB.

Flash Size The size of the flash (permanent) memory, in MB.

Hard Disk(s) The number of hard disks installed.

Registered Whether the device is registered or not.

Date The date of the version.

Time The time of the version.

Up Time The amount of time that the device has been up.

Base MAC The MAC address of the first port on the device.

Active Boot The active boot version.

Secondary Boot The secondary boot version.

Power Supply The power supply status.

DoS Mitigator The DoS Mitigator type.

SME The SME type.

Utilization

SME Utilization

The Engines utilization pane displays values relating to the utilization of internal hardware components. The information is intended only for advanced tuning and debugging by the Check Point Support Center.

Device Resource Utilization

To view device resource utilization statistics

Select Device > Utilization > General. The following parameters are displayed:

Parameter Description

Resource Utilization The percentage of the device’s CPU currently utilized.

RS Resource Utilization The percentage of the device’s routing services (RS) resource currently utilized.

RE Resource Utilization The percentage of the device’s routing engine (RE) resource currently utilized.

Last 5 sec. Average Utilization

The average utilization of resources in the last 5 seconds.

Last 60 sec. Average Utilization

The average utilization of resources in the last 60 seconds.

License Upgrade

The License Upgrade window enables you to upgrade the software license.

To upgrade the software license

1. Select Device > License Upgrade.

2. Enter your new license key, located on your CD case. (The earlier license key is displayed.)

3. Enter your throughput license key. (The earlier throughput license key is displayed.)

Note: The license code is case sensitive.

4. Click Set.

5. In the Reset the Device window, click Set to perform the reset. The reset may take a few minutes.

Port Mirroring

Port Mirroring and Traffic Rate Port Mirroring

Port Mirroring enables the device to mirror traffic from one physical port on the device to another physical port on the device. This is useful when a monitoring device is connected to one of the ports on the device. You can choose to mirror either received and transmitted traffic, received traffic only, or transmitted traffic only. You can also decide whether received broadcast packets should be mirrored or not.

To investigate high-bandwidth DoS and DDoS attacks, you can use traffic rate port mirroring, which mirrors the traffic arriving at DDoS Protector to a dedicated sniffer port. This allows packet data to be collected in the event of an attack. The mirroring is performed only while the device is under attack, as determined by a predefined traffic threshold.

To set the device to operate in port mirroring mode

1. Select Device > Port Mirroring > Table.

2. Click Create.

3. Configure the parameters, and click Set.

Parameter Description

Input Port The port from which the traffic is mirrored.

Output Port The port to which traffic is mirrored.

Receive\Transmit The direction of traffic to be mirrored.

Values: Transmit and Receive, Receive Only, Transmit Only

Promiscuous Mode This parameter enables you to either copy all traffic from the input port to the output port or to copy only the traffic that is destined to the input port.

Values:

Enabled—Setting this parameter to enabled means that all traffic is copied to the Output Port.

Disabled—Setting this parameter to Disabled means that only traffic destined to the Input port is copied.

Default: Enabled.

Backup Port A backup port for the output.

Mode Define the relevant mode, either:

Enabled—Port Mirroring is continuously enabled.

Traffic Rate—Port Mirroring is activated according to the Traffic Rate over the network (PPS or Kbps); therefore, the Threshold must be defined.

Threshold The threshold value.

Global Parameters

To set the Port Mirroring Global Parameters

1. Select Device > Port Mirroring > Global Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Traffic Threshold Units

The Traffic Threshold units, according to which to detect attacks.

Values:

PPS—The amount of Packets per Second being sent over the network.

kbps—The number of kbps that can pass through the Input port before the mirroring process begins. If the number of kbps on the traffic interface port is higher than the threshold value, it means that there is an attack and the traffic is mirrored to the output port for the period of time configured by Threshold Interval.

Thresholds Interval The number of seconds in which the mirroring process takes place.

Default: 30 sec.

Reset Traffic Rate Threshold

The Port Mirroring Reset Traffic Rate Threshold window enables you to set the device to record the traffic that exceeds the predefined limit within a new threshold interval.

To reset the Traffic Rate Threshold

1. Select Device > Port Mirroring > Reset Traffic Rate.

2. Click Set.
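The traffic-rate mirroring logic described under Port Mirroring and its Global Parameters, together with the Reset Traffic Rate Threshold action, can be modelled as a small state machine. The following is an added example written for this guide; it is not Check Point code and does not describe the device's implementation. It assumes one rate sample per second for a single input port and that a sample at time t is inside an interval started at t0 while t < t0 + interval; the threshold, interval and the burst in the constructed samples are chosen for the example.

```python
"""Model of traffic-rate port mirroring and its threshold reset.

Added example, not Check Point code. Assumptions not taken from the guide:
rate samples arrive once per second for a single input port, and the sample
at time t counts as inside an interval started at t0 while t < t0 + interval.
"""
from dataclasses import dataclass, field


@dataclass
class TrafficRateMirror:
    threshold: int                  # in the configured Traffic Threshold Units (PPS or kbps)
    threshold_interval: int = 30    # seconds; the guide's default is 30
    mirror_until: int = 0           # end of the current mirroring interval
    triggers: list = field(default_factory=list)   # (time, rate) samples that started an interval

    def observe(self, t: int, rate: int) -> bool:
        """Feed one rate sample; return True if traffic at time t is mirrored."""
        if t < self.mirror_until:
            return True                         # still inside an active interval
        if rate > self.threshold:               # rate above the Threshold: treated as an attack
            self.mirror_until = t + self.threshold_interval
            self.triggers.append((t, rate))
            return True
        return False

    def reset(self) -> None:
        """Reset Traffic Rate Threshold: end the current interval so that the
        next sample above the threshold is recorded in a new threshold interval."""
        self.mirror_until = 0


def constructed_samples():
    """Per-second PPS samples (constructed): 2,000 pps baseline, 50,000 pps burst at t=10..12."""
    return [(t, 50_000 if 10 <= t <= 12 else 2_000) for t in range(40)]


def run(samples, threshold=10_000, interval=30, reset_at=None):
    """Replay samples through the model; optionally apply a threshold reset at time reset_at.

    Returns the list of seconds during which traffic was mirrored and the trigger samples.
    """
    m = TrafficRateMirror(threshold, interval)
    mirrored = []
    for t, rate in samples:
        if reset_at is not None and t == reset_at:
            m.reset()
        if m.observe(t, rate):
            mirrored.append(t)
    return mirrored, m.triggers


if __name__ == "__main__":
    mirrored, triggers = run(constructed_samples())
    print("mirrored seconds %d..%d, triggered by %s" % (mirrored[0], mirrored[-1], triggers))
```

The replay shows the point that matters for capacity planning of the sniffer port: a three-second burst above the threshold keeps the output port busy for the whole 30-second Threshold Interval, and a reset during that interval starts a second interval rather than ending the capture early.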

Forwarding Table

You can configure scanning ports using the Static Forwarding mode. In the Static Forwarding mode, DDoS Protector functions as in promiscuous mode in the network, which means that the device acts as a completely transparent network element.

Scanning ports have a one-to-one forwarding ratio, where the traffic that comes from the receiving port is always sent out from its corresponding transmitting port. The ports are paired, meaning one port receives traffic while another transmits traffic. The ports are defined in the Forwarding Table.

Note: When using the SYN Flood Protection filters, you must set the inbound and the outbound traffic to operate in the Process mode.

You can assign the same Destination Port to more than one Source Port. For example, you can define that Source Port 1 is associated with Destination Port 3, and also Source Port 2 is associated with Destination Port 3.

To configure promiscuous ports

1. Select Device > Forwarding Table.

2. Click Create.

3. Configure the parameters, and click Set.

Parameter Description

Source The user-defined source port for received traffic.

Destination The user-defined destination port for transmitted traffic.

Operation The operation mode that can be assigned to a pair of ports: Process or Switch.

Failure Mode The failure mode.

Values: Fail-Open, Fail-Close

Port Type The port type.

Values: Source, Destination

Note: When you assign the same Destination Port to more than one Source Port, you must set the Destination Port of the traffic in the opposite direction, otherwise the traffic transmitted in that direction is ignored. For example, Source Port 1 is associated with Destination Port 3, and also Source Port 2 is associated with Destination Port 3. In that case, for the traffic in the opposite direction, the Source Port is 3 and the Destination Port must be defined (typically it is 1 or 2).

Interface Grouping

When installing DDoS Protector between two L2 switches operating with multiple links (with Link Aggregation, for example), a link failure of one L2 switch would not be detected by the remote L2 switch, as DDoS Protector would continue to keep the link up. Interface Grouping shuts both endpoints of a link once a failure is detected on one of the endpoints. The endpoints of the links are set by the Static Forwarding table. Interface Grouping is configured globally per device.

To enable interface grouping

1. Select Device > Forwarding Table.

2. From the Interface Grouping drop-down list, select Enable.

Physical Interface

The Physical Interface window enables you to change the physical attributes of each port individually.

To update a port's physical attributes

1. Select Device > Physical Interface.

2. Configure the parameters, and click Set.

Parameter Description

Port Index The index number of the port.

Speed The traffic speed of the port.

Values: Ethernet, Fast Ethernet, Giga Ethernet

Duplex Whether the port allows both inbound and outbound traffic (Full Duplex) or one way only (Half Duplex).

Auto Negotiate

Automatically detects and configures the speed and duplex required for the interface.

L2 Interface

The L2 Interface window enables you to configure the administrative status and view settings for each interface.

To configure the administrative status of an interface

1. Select Device > L2 Interface.

2. Select the relevant interface.

3. From the Interface Admin Status drop-down list, select the required status of the interface. Values: up, down.

4. Click Set.

Link Aggregation

Link Aggregation: Trunk Table

The Port Trunking feature allows you to define up to seven trunks. Up to eight (8) physical links can be aggregated into one trunk. All trunk configurations are static.

The Trunk Table, which is read-only, enables you to view the Trunk Index settings that were defined in the Port Table.

To view the link aggregation trunk table

Select Device > Link Aggregation>Trunk Table. The following parameters are displayed:

Parameter Description

Trunk Index Displays the trunk index.

Trunk MAC Address Displays the MAC Address assigned to the trunk.

Trunk Status Values:

Individual—(False) No ports are attached to this trunk.

Aggregated—(True) Ports attached to this trunk.

Link Aggregation: Port Table

The Port Table enables you to attach ports to a trunk.

Note: Only ports that are connected (Link Up) and operating in full duplex mode can be attached to a trunk.

To set the link aggregation port table parameters

1. Select Device > Link Aggregation > Port Table.

2. Select the port index to edit.

3. Configure the parameters, and click Set.

Parameter Description

Port Index (Read-only) The physical port index.

Port MAC (Read-only) The MAC address assigned to the port.

Trunk Index Values:

The trunk to which the port is attached

Unattached

Port Status (Read-only)

Values:

Individual—The Port is not attached to any trunk.

Aggregate—The Port is attached to a trunk.

Jumbo Frames Settings

You can specify whether jumbo frames bypass the device or are discarded. This feature is available only on x412 platforms.

To configure the jumbo-frame settings

1. Select Device > Jumbo Frames.

2. Configure the parameters, and click Set.

Parameter Description

Jumbo Frames Mechanism Status

Values:

enable—The device inspects frames up to 9216 bytes.

disable—The device discards frames that are larger than 1550 bytes.

Default: disable

Notes:

Changing the configuration of this option takes effect only after a device reset.

When this option is enabled, all DDoS Protector monitoring and protection modules support monitoring, inspection, detection, and mitigation of traffic and attacks on packets up to 9216 bytes. For example, when this option is enabled, TCP Authentication using Transparent Proxy supports an additional maximum segment size (MSS) value to improve performance of the protected networks.

Jumbo Frames Bypass Values:

enable — Frames of 1550 – 9216 bytes bypass the device without any inspection or monitoring.

disable — The device discards frames that are larger than 1550 bytes.

Default: disable

Notes:

Changing the configuration of the option takes effect only after a device reset.

When the option is enabled on an x412 platform, there may be some negative effect on the following features: Packet Anomalies, Black and White Lists, and BDoS real-time signatures.

When the option is enabled on an x06 platform, there may be some negative effect on Black and White lists.

When the option is enabled, TCP SYN Protection may not behave as expected because the third packet in the TCP three-way-handshake can include data and be in itself a jumbo frame.

When the option is enabled, some protections that rely on the DDoS Protector session table might produce false-negatives and drop traffic when all the session traffic bypasses the device in both directions for a period longer than Session Aging Time.

Traffic Exclusion

This feature is available only on x412 platforms.

You can specify whether the device passes through all traffic that matches no network policy configured on the device — regardless of any other protection configured.

If Traffic Exclusion is enabled, to inspect traffic that matches a Server Protection policy, you must configure the Server Protection policy as a subset of the Network Protection policy.

To configure traffic exclusion

1. Select Device > Traffic Exclusion.

2. From the Traffic Exclusion Status drop-down list, select Enable or Disable, and click Set. Default: Enable.

Session Table

Session Table Global Parameters

DDoS Protector includes a Session table, which tracks sessions bridged and forwarded by the device.

To set the parameters for the session table

1. Select Device > Session Table > Global Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Session Table Status Specifies whether the device uses the Session table.

Default: Enabled

Idle TCP-Session Aging Time The time, in seconds, that the Session table keeps idle TCP sessions.

Values: 1 – 7200

Default: 100

Idle UDP-Session Aging Time The time, in seconds, that the Session table keeps idle UDP sessions.

Values: 1 – 7200

Default: 100

Idle SCTP-Session Aging Time

The time, in seconds, that the Session table keeps idle SCTP sessions.

Values: 1 – 7200

Default: 100

Idle ICMP-Session Aging Time The time, in seconds, that the Session table keeps idle ICMP sessions.

Values: 1 – 7200

Default: 100

Idle GRE-Session Aging Time The time, in seconds, that the Session table keeps idle GRE sessions.

Values: 1 – 7200

Default: 100

Idle Other-Protocol-Session Aging Time

The time, in seconds, that the Session table keeps idle sessions of protocols other than TCP, UDP, SCTP, ICMP, or GRE.

Values: 1 – 7200

Default: 100

Session Table No Aging Mode Enables or disables session table aging mode. If enabled, the Session Table and Flow Table will not be aged.

This parameter can only be configured if Session Table Lookup Mode is L4 Dest Port.

Session Table Lookup Mode The layer of address information that is used to categorize packets in the Session table.

Values:

Full L4—An entry exists in the Session table for each source IP, source port, destination IP, and destination port combination of packets passing through the device.

L4 Destination Port—Enables traffic to be recorded based only on the TCP/UDP destination port. This mode uses minimal Session table resources (only one entry for each port that is secured).

Default: Full L4

Caution: Check Point recommends that you always use the Full L4 option. When Session Table Lookup Mode is Layer 4 Destination Port, the following Protections do not work: Connection Rate Limit, HTTP Mitigator, HTTP Replies Signatures, Out-of-State protection.

Remove Session Table Entry at Session End

Specifies whether the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session within the Remove Session Entry at Session End Timeout period.

Default: Enabled

Remove Session Entry at Session End Time

(This option is supported only if Remove Session Entry at Session End is enabled.)

When Remove Session Entry at Session End is enabled, the time, in seconds, after which the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session.

Values: 1 – 60

Default: 5

Send Reset To Server Status Specifies whether the DDoS Protector device sends a RST packet to the destination of aged TCP sessions.

Values:

Enabled—DDoS Protector sends a RST packet to the destination and cleans the entry in the DDoS Protector Session table.

Disabled—DDoS Protector ages the session normally (using a short SYN timeout), but the destination might hold the session for quite some time.

Default: Disabled

Advanced Session Table Global Parameters

To set the session table advanced configuration parameters

1. Select Device > Session Table > Advanced Configuration.

2. Configure the parameters, and click Set.

Parameter Description

Session-Table-Full Action The action that the device takes when the Session table is at full capacity.

Values:

Bypass New Sessions—The device bypasses new sessions until the Session table has room for new entries.

Block New Sessions—The device blocks new sessions until the Session table has room for new entries.

Default: Bypass New Sessions

Incomplete TCP-Handshake Timeout

How long, in seconds, the device waits for the three-way handshake to be completed for a new TCP session. When the timeout elapses, the device deletes the session and, if the Send Reset To Server option is enabled, sends a reset packet to the server.

Values:

0—The device uses the specified Session Aging Time.

1 – 10—The TCP Handshake Timeout in seconds.

Default: 10
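The Session table parameters in the two tables above interact in ways that are easier to see in code than in prose: the lookup mode decides what a "session" is, the aging timers decide when it disappears, and the full-table action decides what happens to traffic when there is no room for a new one. The following is an added example written for this guide, not Check Point code, and it does not reflect the device's real data structure. It uses the guide's default values, and all packets, addresses and port numbers are constructed for the example.

```python
"""Model of the Session table parameters described in the two tables above.

Added example, not Check Point code and not the device's real data structure.
It models the Full L4 / L4 Dest Port lookup key, per-protocol idle aging,
Remove Session Entry at Session End, Incomplete TCP-Handshake Timeout,
Send Reset To Server and Session-Table-Full Action with the guide's defaults.
All packets below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    t: float                          # arrival time in seconds
    proto: str                        # "TCP", "UDP", "SCTP", "ICMP", "GRE" or other
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()    # TCP flags, e.g. frozenset({"SYN"})


@dataclass
class Entry:
    last_seen: float
    handshake_done: bool              # True once the third handshake packet is seen
    dst: tuple                        # (dst_ip, dst_port), target of Send Reset To Server
    closing_since: Optional[float] = None   # time of the FIN/RST that began removal


class SessionTable:
    def __init__(self, lookup_mode="Full L4", capacity=1000, full_action="Bypass New Sessions",
                 remove_at_end=True, end_timeout=5, handshake_timeout=10, send_reset=False):
        self.lookup_mode, self.capacity, self.full_action = lookup_mode, capacity, full_action
        self.remove_at_end, self.end_timeout, self.send_reset = remove_at_end, end_timeout, send_reset
        self.handshake_timeout = handshake_timeout   # 0 means "use the aging time"
        # Idle aging time per protocol; the guide's default is 100 s for each
        self.aging = {"TCP": 100, "UDP": 100, "SCTP": 100, "ICMP": 100, "GRE": 100, "Other": 100}
        self.entries = {}
        self.resets_sent = []         # destinations that received a RST when their session aged

    def key(self, p: Packet):
        if self.lookup_mode == "L4 Dest Port":
            return (p.proto, p.dst_port)          # one entry per secured port
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def _expired(self, proto: str, e: Entry, now: float) -> bool:
        if e.closing_since is not None:           # Remove Session Entry at Session End
            return now - e.closing_since >= self.end_timeout
        if proto == "TCP" and not e.handshake_done and self.handshake_timeout:
            return now - e.last_seen >= self.handshake_timeout   # Incomplete TCP-Handshake Timeout
        return now - e.last_seen >= self.aging.get(proto, self.aging["Other"])

    def age(self, now: float) -> None:
        """Remove expired entries; aged, unclosed TCP sessions get a RST if Send Reset is on."""
        for k, e in list(self.entries.items()):
            if self._expired(k[0], e, now):
                if self.send_reset and k[0] == "TCP" and e.closing_since is None:
                    self.resets_sent.append(e.dst)
                del self.entries[k]

    def process(self, p: Packet) -> str:
        """Return 'forward', 'bypass' or 'block' for one packet."""
        self.age(p.t)
        k = self.key(p)
        e = self.entries.get(k)
        if e is None:
            if len(self.entries) >= self.capacity:        # Session-Table-Full Action
                return "bypass" if self.full_action == "Bypass New Sessions" else "block"
            e = Entry(p.t, handshake_done=(p.proto != "TCP"), dst=(p.dst_ip, p.dst_port))
            self.entries[k] = e
        e.last_seen = p.t
        if p.proto == "TCP":
            if "ACK" in p.flags and "SYN" not in p.flags:
                e.handshake_done = True
            if p.flags & {"FIN", "RST"}:
                if self.remove_at_end and e.closing_since is None:
                    e.closing_since = p.t
            elif e.closing_since is not None:
                e.closing_since = None   # further packets on the session cancel the removal
        return "forward"


SERVER = ("203.0.113.5", 80)          # constructed address (TEST-NET range)


def tcp(t, client_port, flags, src="198.51.100.10"):
    return Packet(t, "TCP", src, client_port, SERVER[0], SERVER[1], frozenset(flags))


def entries_for_two_clients(lookup_mode):
    """Two clients to the same server port: 2 entries in Full L4, 1 in L4 Dest Port."""
    st = SessionTable(lookup_mode=lookup_mode)
    st.process(tcp(0.0, 40001, {"SYN"}))
    st.process(tcp(0.1, 40002, {"SYN"}, src="198.51.100.11"))
    return len(st.entries)


def half_open_session():
    """SYN with no completing ACK: removed at the handshake timeout, RST sent to the server."""
    st = SessionTable(send_reset=True)
    st.process(tcp(0.0, 40001, {"SYN"}))
    st.age(9.0)
    still_present = len(st.entries)
    st.age(10.0)
    return still_present, len(st.entries), st.resets_sent


def closed_session():
    """Completed handshake, then FIN: removed after the end timeout without a RST."""
    st = SessionTable(send_reset=True)
    st.process(tcp(0.0, 40001, {"SYN"}))
    st.process(tcp(0.1, 40001, {"ACK"}))
    st.process(tcp(1.0, 40001, {"FIN", "ACK"}))
    st.age(6.0)
    return len(st.entries), st.resets_sent


def table_full(action):
    st = SessionTable(capacity=1, full_action=action)
    st.process(Packet(0.0, "UDP", "198.51.100.10", 5000, "203.0.113.5", 53))
    return st.process(Packet(0.5, "UDP", "198.51.100.11", 5001, "203.0.113.5", 53))
```

The entries_for_two_clients comparison is the concrete reason behind the caution on Session Table Lookup Mode: in L4 Dest Port mode every client talking to port 80 shares one entry, so nothing per-connection (handshake state, connection rate) can be tracked, which is why the listed protections cannot work in that mode. The table_full comparison shows the trade-off behind Session-Table-Full Action: Bypass keeps new connections flowing uninspected, Block keeps inspection strict at the cost of dropping them.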

Session Table Entries

To set the number of Session Table entries to be shown

1. Select Device > Session Table > View Table Query Results.

2. In the Maximum Displayed Entries text box, enter the number of Session table entries to be shown.

To set the session table query filters

1. Select Device > Session Table > View Table Query Results.

2. Click Create.

3. Configure the parameters, and click Set.

Parameter Description

Name A unique name of the filter.

Source IP The source IP within the defined subnet.

Source IP mask The source IP used to define the subnet that you want to present in the Session Table.

Dest IP The destination IP within the defined subnet.

Dest IP mask The destination IP used to define the subnet that you want to present in the Session Table.

Source Port The session source port.

Dest Port The session destination port.

IP Fragmentation

In some cases, when an IP packet is too long to be transmitted, the originator of the packet or one of the routers transmitting the packet has to fragment the packet into multiple shorter packets.

IP Fragmentation allows the device to forward fragmented IP packets. The device identifies that all the fragments belong to the same datagram and treats them accordingly in terms of classification, load balancing and forwarding. The device does not reassemble the original IP packet, but forwards the fragmented datagrams to their destination, even if the fragments arrive at the device out of order.

Note: In case of asymmetric routing, when the device does not see all fragmented packets, the device drops incomplete fragments.

To set the IP fragmentation parameters

1. Select Device > IP Fragmentation.

2. Configure the parameters, and click Set.

Parameter Description

Status Allows you to enable or disable IP Fragmentation.

Note: Enabling IP Fragmentation requires a reboot.

Queueing-limit The percentage of IP packets that the device allocates for out-of-order fragmented IP datagrams.

Values: 0 – 100

Default: 25

Aging The amount of time, in seconds, that the device keeps the fragmented datagrams in the queue.

Values: 1 – 255

Default: 1
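The forwarding behaviour described under IP Fragmentation (forward without reassembly, hold fragments that arrive ahead of their first fragment, drop what never completes) can be shown with a small forwarder model. The following is an added example written for this guide, not Check Point code. It models the Queueing-limit as a fixed number of queued fragments rather than the percentage the guide configures, ages both queued fragments and datagram state after the Aging time, and uses constructed fragments and addresses.

```python
"""Model of the IP Fragmentation forwarding behaviour described above.

Added example, not Check Point code. It forwards fragments without reassembly,
queues fragments that arrive before the first fragment of their datagram, and
drops queued fragments once the Aging time passes without the first fragment
arriving (the asymmetric-routing case in the note). The queue limit is modelled
as a fixed fragment count; the guide configures it as a percentage. All
fragments below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    t: float          # arrival time in seconds
    src: str          # source IP
    dst: str          # destination IP
    ident: int        # IP Identification field, shared by all fragments of one datagram
    offset: int       # Fragment Offset in 8-byte units (0 for the first fragment)
    more: bool        # More Fragments flag

    def datagram(self):
        return (self.src, self.dst, self.ident)


class FragmentForwarder:
    def __init__(self, aging: float = 1.0, queue_limit: int = 25):
        self.aging = aging            # seconds a datagram stays known / a fragment stays queued
        self.queue_limit = queue_limit
        self.known = {}               # datagram key -> time its first fragment was seen
        self.queued = []              # fragments waiting for their first fragment
        self.forwarded = []
        self.dropped = []

    def _expire(self, now: float) -> None:
        """Age out stale datagram state and queued fragments that never completed."""
        self.known = {k: t for k, t in self.known.items() if now - t < self.aging}
        still = []
        for f in self.queued:
            (still if now - f.t < self.aging else self.dropped).append(f)
        self.queued = still

    def receive(self, f: Fragment) -> str:
        """Return 'forwarded', 'queued' or 'dropped' for one arriving fragment."""
        self._expire(f.t)
        key = f.datagram()
        if f.offset == 0:
            # The first fragment carries the L4 header: classify the datagram and
            # release any fragments of it that arrived out of order earlier.
            self.known[key] = f.t
            self.forwarded.append(f)
            released = [q for q in self.queued if q.datagram() == key]
            self.queued = [q for q in self.queued if q.datagram() != key]
            self.forwarded.extend(sorted(released, key=lambda q: q.offset))
            return "forwarded"
        if key in self.known:
            self.forwarded.append(f)
            return "forwarded"
        if len(self.queued) >= self.queue_limit:
            self.dropped.append(f)    # no queue room for an out-of-order fragment
            return "dropped"
        self.queued.append(f)
        return "queued"


def constructed_trace():
    """Datagram 0x1001 arrives out of order; datagram 0x1002's first fragment never arrives."""
    return [
        Fragment(0.0, "198.51.100.7", "203.0.113.9", 0x1001, offset=185, more=False),
        Fragment(0.2, "198.51.100.7", "203.0.113.9", 0x1001, offset=0, more=True),
        Fragment(0.5, "198.51.100.8", "203.0.113.9", 0x1002, offset=185, more=False),
        Fragment(2.0, "198.51.100.9", "203.0.113.9", 0x1003, offset=0, more=False),
    ]


def replay(fragments, aging=1.0):
    """Run a trace through the forwarder; return per-fragment results and the totals."""
    fw = FragmentForwarder(aging=aging)
    results = [fw.receive(f) for f in fragments]
    return results, len(fw.forwarded), len(fw.dropped)
```

In the constructed trace the second fragment of datagram 0x1001 arrives first and is held until its first fragment appears, after which both are forwarded; the lone fragment of 0x1002 is dropped when the next arrival triggers aging, which is the behaviour the asymmetric-routing note describes.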

Device Overload Mechanism

When the traffic load exceeds the processing capacity of the device, you can enable the Overload mechanism. This mechanism maintains a high level of availability and hardware/software stability, reducing traffic delays and packet loss.

The Overload mechanism identifies overload conditions, reports them, and automatically takes actions that reduce the resource-consuming operations.

Note: When the device operations are reduced, some of the security functionalities are compromised.

To enable the overload mechanism

1. Select Device > Overload Mechanism.

2. Select one of the following:

Enable to start the Overload mechanism.

Disable to stop the Overload mechanism.

3. Click Set.

High Availability

High Availability Global Parameters

To support high availability (HA), you can configure two compatible DDoS Protector devices to operate in a two-node cluster.

To be compatible, both cluster members must be of the same platform, software version, software license, throughput license, and Check Point signature file.

One member of the cluster is the primary; the other member of the cluster is the secondary. The primary device is the device with the High Availability Pair Definition.

When you configure a cluster and submit the configuration, the newly designated primary device configures the required parameters on the designated secondary device.

The members of a cluster work in an active-passive architecture.

When a cluster is created:

The primary and secondary devices negotiate the active/passive status according to the specified triggers and thresholds. If both device environments are nominal, the primary device becomes the active member.

The primary device transfers the relevant configuration objects to the secondary device.

A secondary device maintains its own configuration for the device users, IP interfaces, routing, and the port-pair Failure Mode (see Forwarding Table).

A primary device immediately transfers each relevant change to its secondary device. For example, after you make a change to a Network Protection policy, the primary device immediately transfers the change to the secondary device. However, if you change the list of device users on the primary device, the primary device transfers nothing (because the secondary device maintains its own list of device users).

The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections.

If a passive device does not detect the active device according to the specified Heartbeat Timeout, the device switches to the active state (even though the peer might actually be in a nominal situation).

The following situations trigger the active device and the passive device to switch states (active to passive and passive to active):

All links are identified as down on the active device according to the specified Link Down Timeout and the peer device has at least one link up.

Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the specified Idle Line Timeout.

You issue the Switch Over command.

If the Enable Failback option is enabled (default: disabled), the secondary device switches from active to passive after the secondary device detects that the primary-device situation is nominal.

You cannot perform many actions on a secondary device.

You can perform only the following actions on a secondary device:

Switch the device state (that is, switch over active to passive and passive to active)

Break the cluster if the primary device is unavailable

Configure management IP addresses and routing

Configure the port-pair Failure Mode.

Manage device users

Download a device configuration

Upload a signature file

Download the device log file

Download the support log file

Reboot

Shut down

Change the device name

Change the device time

Initiate a baseline synchronization if the device is passive, using CLI or Web Based Management.

Notes:

By design, an active device does not fail over during a user-initiated reboot. Before you reboot an active device, you can manually switch to the other device in the cluster.

You can initiate a baseline synchronization if a cluster member is passive.

When you upgrade the device software, you need to break the cluster (that is, ungroup the two devices). Then, you can upgrade the software and reconfigure the cluster, as you require.

In an existing cluster, you cannot change the role of a device (primary to secondary or vice versa). To change the role of a device, you need to break the cluster (that is, ungroup the two devices), and then, reconfigure the cluster as you require.

When a passive device becomes active, any grace time resets to 0 (for example, the time of the Graceful Startup Mode Startup Timer).

To configure the global setting for high availability

1. Select Device > High Availability > Global Parameters.

2. Configure the parameter, and click Set.

Parameter Description

Mechanism Status Specifies whether the device is a member of a two-node cluster for high availability.

High Availability Advanced Configuration

Note: For more information on high availability, see Global Parameters.

To configure the advanced settings for high availability

1. Select Device > High Availability > Advanced Configuration.

2. Configure the parameters, and click Set.

Parameter Description

Baseline Sync Interval The interval, in seconds, at which the active device synchronizes the BDoS and HTTP Mitigator baselines.

Values: 3600 – 86,400

Default: 3600

Heartbeat Timeout The time, in seconds, for which the passive device detects no heartbeat from the active device before the passive device becomes active.

Values: 1 – 10

Default: 5

Link Down Timeout The time, in seconds, after all links to the active device are identified as being down before the devices switch states.

Values: 1 – 65,535

Default: 1

Note: If a dead link or idle line is detected on both cluster members, there is no switchover.

Switchover Sustain Timeout The time, in seconds, after a manual switchover during which the cluster members do not change states.

Values: 30 – 3600

Default: 180

Idle Line Detection Status Specifies whether the devices switch states due to an idle line detected on the active device.

Default: disable

Note: If an idle line is detected on both cluster members, there is no switchover.

Total BW Threshold The minimum bandwidth, in Kbit/s, that triggers a switchover when the Idle Line Detection Status is enable.

Values: 512 – 4,294,967,296

Default: 512

Note: If Idle Line Detection Status is disable, this parameter is ignored.

Idle Line Timeout The time, in seconds, with line bandwidth below the Total BW Threshold that triggers a switchover when Idle Line Detection Status is enable.

Values: 3 – 65,535

Default: 10

Note: If Idle Line Detection Status is disable, this parameter is ignored.

Enable Failback Specifies whether the secondary device can automatically fail back to the primary.

Default: disable
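The switchover triggers listed under High Availability Global Parameters and the timers in the table above combine into one decision, and the notes about dead links or idle lines on both members are easy to get wrong. The following is an added example written for this guide, not Check Point code; it encodes those rules with the guide's default values. The "nominal" condition for Enable Failback is not defined by the guide and is taken here to mean that the primary has at least one link up, which is an assumption of this model; the member records are constructed.

```python
"""Decision model for the high-availability switchover triggers listed above.

Added example, not Check Point code. It encodes the three triggers (all links
down on the active member while the peer has a link up, the optional idle-line
condition, and the Switch Over command), the heartbeat rule for the passive
member, the Switchover Sustain Timeout and Enable Failback, using the guide's
default values. "Nominal" for failback is modelled as the primary having at
least one link up, which is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HAConfig:
    heartbeat_timeout: int = 5              # seconds without heartbeat before passive becomes active
    link_down_timeout: int = 1              # seconds all links must be down on the active member
    switchover_sustain_timeout: int = 180   # seconds after a manual switchover with no state change
    idle_line_detection: bool = False
    total_bw_threshold: int = 512           # Kbit/s
    idle_line_timeout: int = 10             # seconds the line must stay below the threshold
    enable_failback: bool = False


@dataclass
class Member:
    role: str                          # "primary" or "secondary"
    links_up: int                      # number of forwarding links currently up
    links_down_for: float = 0.0        # seconds since all links went down (0 if any link is up)
    bandwidth_kbps: float = 0.0        # current line bandwidth
    below_threshold_for: float = 0.0   # seconds the bandwidth has stayed below Total BW Threshold
    heartbeat_age: float = 0.0         # seconds since the last heartbeat received from the peer


def idle_line(m: Member, cfg: HAConfig) -> bool:
    """Idle Line Detection: bandwidth below the threshold for at least Idle Line Timeout."""
    return (cfg.idle_line_detection
            and m.bandwidth_kbps < cfg.total_bw_threshold
            and m.below_threshold_for >= cfg.idle_line_timeout)


def dead_link(m: Member, cfg: HAConfig) -> bool:
    """All links down for at least Link Down Timeout."""
    return m.links_up == 0 and m.links_down_for >= cfg.link_down_timeout


def switchover_reason(active: Member, passive: Member, cfg: HAConfig,
                      manual: bool = False, since_manual: Optional[float] = None) -> Optional[str]:
    """Return the trigger that makes the members swap states, or None if they stay as they are."""
    if manual:
        return "Switch Over command"
    if since_manual is not None and since_manual < cfg.switchover_sustain_timeout:
        return None                              # Switchover Sustain Timeout still running
    # Per the notes, a dead link or idle line on both members causes no switchover.
    if dead_link(active, cfg) and passive.links_up >= 1:
        return "all links down on active device"
    if idle_line(active, cfg) and not idle_line(passive, cfg):
        return "idle line on active device"
    if (cfg.enable_failback and active.role == "secondary"
            and passive.role == "primary" and passive.links_up >= 1):
        return "failback to primary device"
    return None


def passive_takes_over(passive: Member, cfg: HAConfig) -> bool:
    """The passive member promotes itself when no heartbeat arrives within Heartbeat Timeout,
    even if the active peer is in fact healthy (a split-brain risk noted in the guide)."""
    return passive.heartbeat_age >= cfg.heartbeat_timeout
```

Two consequences worth checking against your own deployment: with Idle Line Detection enabled, a maintenance window that quiets both members produces no switchover, while one that quiets only the active member does; and because the heartbeat rule needs no agreement from the peer, a management-network fault alone can leave both members active.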

Pair Definition

High Availability Pair Definition

Note: For more information on high availability, see Global Parameters.

To define a high-availability pair

1. Select Device > High Availability > Pair Definition > Pair Parameters.

2. Configure the parameters, and click Set.

Parameter Description

MNG-1 Peer IP address The IP address of the MNG-1 port on the peer device.

MNG-2 Peer IP address The IP address of the MNG-2 port on the peer device.

Secondary User Name The name of the secondary device.

Secondary Password The password of the secondary device.

Update High Availability Pair Definition

Note: For more information on high availability, see Global Parameters.

To update a definition of a high-availability pair

1. Select Device > High Availability > Pair Definition > Update Pair.

2. Click Set.

High Availability Monitoring

You can monitor high-availability parameters.

Note: For more information on high availability, see Global Parameters.

To monitor high-availability

Select Device > High Availability > Monitoring. The following information is displayed:

High-Availability Priority

High-Availability State

High-Availability Protection State

Last Successful Baseline Sync

Incompatibility Status (primary only)

Synchronization IP Interface

Peer IP


Switch Over

Note: For more information on high availability, see Global Parameters.

To switch over to the peer device

1. Select Device > High Availability > Switch Over.

2. Click Set.

Activate Baseline Sync with Peer Device

Note: For more information on high availability, see Global Parameters.

To activate a baseline sync with the peer device

1. Select Device > High Availability > Baseline Sync.

2. Click Set.

Reset Secondary

You can reset the secondary device when the device role is primary.

Note: For more information on high availability, see Global Parameters.

To reset the secondary device

1. Select Device > High Availability > Reset secondary.

2. Click Set.

Tunneling

Carriers, service providers, and large organizations use various tunneling protocols to transmit data from one location to another. This is done using the IP network so that network elements are unaware of the data encapsulated in the tunnel.

Tunneling implies that traffic routing is based on source and destination IP addresses. When tunneling is used, IPS devices and load balancers cannot locate the relevant information because their decisions are based on information located inside the IP packet in a known offset, and the original IP packet is encapsulated in the tunnel.

To provide a carrier-grade IPS/DoS solution, DDoS Protector inspects traffic in tunnels, positioning DDoS Protector in peering points and carrier network access points.

You can install DDoS Protector in different environments, which might include encapsulated traffic using different tunneling protocols. In general, wireline operators deploy MPLS and L2TP for their tunneling, and mobile operators deploy GRE and GTP.

DDoS Protector can inspect traffic that may use various encapsulation protocols. In some cases, the external header (tunnel data) is the data that DDoS Protector needs to inspect. In other cases, DDoS Protector needs to inspect the internal data (IP header and even the payload). You can configure DDoS Protector to meet your specific inspection requirements.

Note: Changing the configuration of this feature takes effect only after a device reset.

To configure tunneling

1. Select Device > Tunneling.

2. Configure the parameters, and click Set.


Parameter Description

Apply Black and White List Rules to the Encapsulated Headers

Specifies whether the device applies Black List and White List rules to the encapsulated headers.

Default: Disabled

Inspect Encapsulated GRE Traffic

Specifies whether the device inspects this type of traffic.

Default: Disabled

Inspect Encapsulated GTP Traffic

Specifies whether the device inspects this type of traffic.

Default: Disabled

Inspect Encapsulated L2TP Traffic

Specifies whether the device inspects this type of traffic.

Default: Disabled

Inspect VLAN (802.1Q) and MPLS Traffic

Specifies whether the device inspects this type of traffic.

Default: Disabled

Note: You can configure the device to inspect the traffic using the common Layer 2 tunneling protocols, VLAN (802.1Q) and MPLS. Inspecting these types of L2 tunnels, as part of the protection criteria, is essential in environments such as for Managed Security Service Providers (MSSP).

Inspect Encapsulated IP-in-IP Traffic

Specifies whether the device inspects this type of traffic.

Default: Disabled

Bypass IPSec Traffic Specifies whether the device bypasses IPsec traffic (that is, whether the device passes-through IPsec traffic).

Default: Enabled

IP Version Mode

The IP Version Mode pane enables you to set the IP version to IPv4 and IPv6, or to IPv4 only.

To set the IP version mode

1. Select Device > IP Version Mode.

2. From the drop-down list, select ipv4and6 or ipv4.

3. Click Set.

Dynamic Protocols

Dynamic Protocols: General

Check Point's Classification Engine classifies both static applications and dynamic applications. A dynamic application is an application that has multiple connections belonging to the same session. For example, FTP has a Control Session and a Data Session; SIP has Signaling sessions, Data sessions (RTP), and Control sessions (RTCP).


In some scenarios, the dynamic sessions should remain in the Session Table longer than regular sessions. In VoIP, SIP, and H.225, for example, there may be a period with no traffic while the call is still active, so the session should not age out.

You can configure different aging times for the various dynamic applications, and different policies for different connections of the same session. In FTP, for example, you can set one policy for the FTP data and another policy for the FTP control.

Note: The default status for all Dynamic Protocols, other than SIP, is enabled.

You can set the aging time for the following Dynamic Protocols:

FTP

TFTP

Rshell

Rexec

H.225

SIP

Dynamic Protocols: FTP

The FTP Configuration window enables you to configure the control session and data session Aging Time for FTP Dynamic Protocol.

Note: When Dynamic Protocol Support is enabled for FTP, it is not possible to limit the bandwidth of a specific file download (using a filter for the RETR command and the file name).

To set the FTP dynamic protocol parameters

1. Select Device > Dynamic Protocols > FTP.

2. Configure the parameters, and click Set.

Parameter Description

Status Specifies whether to enable FTP Dynamic Protocol.

Control Session Aging Time The Control Session Aging Time, in seconds.

Default: 0

Data Session Aging Time The new value for Data Session Aging Time, in seconds.

Default: 0

Dynamic Protocols: TFTP

The TFTP Configuration window enables you to configure the data session Aging Time for TFTP Dynamic Protocol.

To set the TFTP dynamic protocol parameters

1. Select Device > Dynamic Protocols > TFTP.

2. Configure the parameters, and click Set.


Parameter Description

Status Specifies whether to enable TFTP Dynamic Protocol.

Data Session Aging Time

The Data Session Aging Time, in seconds.

Default: 0

Dynamic Protocols: Rshell

The Rshell Configuration window enables you to configure the control session and Error session Aging Time for Rshell.

To set the Rshell configuration parameters

1. Select Device > Dynamic Protocols > Rshell.

2. Configure the parameters, and click Set.

Parameter Description

Status Specifies whether to enable Rshell Dynamic Protocol.

Control Session Aging Time The Control Session Aging Time, in seconds.

Default: 0

Error Session Aging Time The Error Session Aging Time, in seconds.

Default: 0

Dynamic Protocols: Rexec

The Rexec Configuration window enables you to configure the control session and Error session Aging Time for Rexec.

To set the Rexec dynamic protocol parameters

1. Select Device > Dynamic Protocols > Rexec.

2. Configure the parameters, and click Set.

Parameter Description

Status Specifies whether to enable Rexec Dynamic Protocol.

Control Session Aging Time (sec) The Control Session Aging Time, in seconds.

Default: 0

Error Session Aging Time (sec) The Error Session Aging Time, in seconds.

Default: 0


Dynamic Protocols: H.225

The H.225 Configuration window enables you to configure the Control Session and H.245 Session Aging Time for the H.225 Dynamic Protocol.

To set the H.225 configuration parameters

1. Select Device > Dynamic Protocols > H.225.

2. Configure the parameters, and click Set.

Parameter Description

Status Specifies whether to enable H.225 Dynamic Protocol.

Control Session Aging Time The Control Session Aging Time, in seconds.

Default: 0

H.245 Session Aging Time The H.245 Session Aging Time, in seconds.

Default: 0

Dynamic Protocols: SIP

The SIP Configuration window enables you to configure the Signaling session, RTCP session, and SIP TCP Segments Aging Time for SIP.

Note: Enabling or disabling Dynamic Protocol Support for SIP requires a reboot.

To set the SIP dynamic protocol parameters

1. Select Device > Dynamic Protocols > SIP.

2. Configure the parameters, and click Set.

Parameter Description

Status Specifies whether to enable SIP Dynamic Protocol.

Signaling Session Aging Time

The Signaling Session Aging Time, in seconds.

Default: 20

RTCP Session Aging Time The RTCP Session Aging Time, in seconds.

Default: 0

SIP TCP Segments Aging Time

When SIP runs over TCP and packets are segmented, the SIP TCP Segments Aging Time parameter indicates how long the device keeps the packet.

Default: 5


Chapter 4

Configuring Router Parameters

IP Router

Operating Parameters

The IP Router Parameters window enables you to monitor, add, and edit router settings.

To set the IP router parameters

1. Select Router > IP Router > Operating Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Inactive ARP Timeout

The time, in seconds, that inactive ARP cache entries can remain in the ARP table before the device deletes them. If an ARP cache entry is not refreshed within a specified period, it is assumed that there is a problem with that address.

Default: 60,000

ARP Proxy Specifies whether the device responds to ARP requests for nodes located on a different, directly connected subnet. (The device responds with its own MAC address.)

Values:

Enabled—The device responds to all ARP requests.

Disabled—The device responds only to ARP requests for its own IP addresses.

Default: Disabled

ICMP Error Messages

Specifies whether ICMP error messages are generated.

Interface Parameters

To configure an interface

1. Select Router > IP Router > Interface Parameters.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.


Parameter Description

IP Address The IP address of the interface.

Network Mask The associated subnet mask.

If Number The interface identifier. If the interface is a VLAN, the included interfaces are listed in the box in the Edit window.

Fwd Broadcast Specifies whether the device forwards incoming broadcasts to this interface.

Broadcast Addr Specifies whether to fill the host ID in the broadcast address with ones or zeros.

VlanTag The VLAN tag to be associated with this IP interface.

When multiple VLANs are associated with the same switch port, the switch needs to identify to which VLAN to direct incoming traffic from that specific port. VLAN tagging provides an indication in the Layer 2 header, which enables the switch to make the correct decision.

Peer Address The address of the peer.

To update the ICMP interface parameters

1. Select Router > IP Router > Interface Parameters.

2. Click on the IP address of the ICMP interface that you want to update.

3. Configure the parameters, and click Set.

Parameter Description

IP Address The IP address of the interface.

Advert. Address The IP destination address for multicast Router Advertisements sent from the interface. Possible values are the all-systems multicast address, 224.0.0.1, or the limited-broadcast address, 255.255.255.255.

Max Advert. Interval The maximum time, in seconds, between multicast Router Advertisements from the interface. Possible values are between the Minimum Advert Interval defined below and 1800 seconds.

Min Advert. Interval The minimum time, in seconds, between sending unsolicited multicast Router Advertisements from the interface. Possible values are between 3 seconds and the maximum interval defined above. Default value is 0.75 of the Maximum Interval.

Advert. Lifetime The maximum time, in seconds, the advertised addresses are considered valid. Must be no less than Maximum Interval defined above, and no greater than 9000 seconds. Default value is three times the Maximum Advert Interval.


Advertise Specifies whether the device advertises its IP address using ICMP Router Advertisements.

Preference Level The preference level of the address as a default router address, relative to other router addresses on the same subnet.

Reset to Defaults Resets the ICMP interface parameters to the default values.

Routing Table

DDoS Protector supports IP routing compliant with the RFC 1812 router requirements. Dynamic addition and deletion of IP interfaces is supported. This ensures that extremely low latency is maintained.

The IP router supports the RIP I, RIP II, and OSPF routing protocols. OSPF is an intra-domain IP routing protocol, intended to replace RIP in bigger or more complex networks. OSPF and its MIB are supported as specified in RFC 1583 and RFC 1850, with some limitations.

To configure a route

1. Select Router > Routing Table.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Destination Address The destination IP address of this route.

Network Mask The destination network mask of this route.

Next Hop The address of the next system of this route, local to the interface.

Interface Index The IF Index of the local interface through which the next hop of this route is reached.

Type How remote routing is handled.

Values:

remote—Forwards packets.

reject—Discards packets.

Metric The number of hops to the destination network.


ARP Table

The ARP (Address Resolution Protocol) Table window allows you to create and update ARP entries on the local route.

To update an existing ARP

1. Select Router > ARP Table.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Interface Index The interface number on which the station resides.

IP Address The station's IP address.

MAC Address The station's MAC address.

Type Values:

Other

Invalid

Dynamic—The entry is learned from the ARP protocol. If the entry is not active for a predetermined time, the node is deleted from the table.

Static—The entry has been configured by the network management station and is permanent.


Chapter 5

Configuring DDoS Protector Parameters

DoS Signatures

Application Security

Application Security Global Parameters

Application Security is a mechanism that delivers advanced attack detection and prevention capabilities. This mechanism is used by several security modules to provide maximum protection for network elements, hosts, and applications.

To set the application security global parameters

1. Select DDoS Protector > DoS Signatures > Application Security > Global Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Protection Status Select enable to start protection.

Default: enable.

MAX URI Length The maximum URI length permitted. If a URI is longer than the configured value, the URI is considered illegitimate and is dropped.

Default: 500

MIN fragmented URI packet Size The minimum permitted size, in bytes, of an incomplete URI in an HTTP request. A shorter packet length is treated as URI protocol anomaly and is dropped.

Default: 50

Security Tracking Tables Free-Up Frequency [ms]

How often, in milliseconds, the device clears unnecessary entries from the table, and stores information about newly detected security events.

Default: 1250

Unicode Encoding The language encoding (the language and character set) to use for detecting security events.


Tcp Reassembly Mechanism Status Specifies whether the device tries to reassemble fragmented TCP packets.

Default: enable

Session-Drop Mechanism Status When enabled, terminates the whole session when a single malicious packet is recognized.

Default: enable

DoS Shield

DoS Shield Global Parameters

The DoS Shield Global Parameters window enables you to enable the DoS Shield module and set its global parameters.

The DoS Shield mechanism implements the Sampling algorithm, and accommodates traffic flooding targeted to create denial of the network services. Prior to using DoS Shield, you need to enable the DoS Shield module.

To configure DoS shield global parameters

1. Select DDoS Protector > DoS Signatures > DoS Shield > Global Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Protection Status

Specifies whether DoS Shield module is enabled.

Sampling Rate

The rate at which packets are sampled and compared to the Dormant Attacks. The configured number indicates that one packet out of every that many packets is sampled.

Default: 100 (that is, 1 out of 100 packets is checked).

Sampling Frequency

How often, in seconds, DoS Shield compares the predefined thresholds for each Dormant Attack to the current value of the counters of packets matching the attack.

Default: 5

Filters

Basic Filters

Basic Static Filters

The Basic Static Filters window enables you to view the Basic Filter, which constitutes protection against a specific attack, meaning that each Basic Filter has a specific attack signature and protection parameters.

The Advanced Filter represents a logical AND between two or more Basic Filters. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one basic filter to protect against them.

Note: You can create the Advanced Filters using the user-defined Basic Filters only.


To view the basic static filters

1. Select DDoS Protector > DoS Signatures > Filters > Basic Filters > Static.

2. Select the basic static filter for which you want to view the details.

Basic User Filters

Note: If you edit the parameters of a filter that is bound to an existing policy, you need to activate the latest changes.

To create a basic filter

1. Select DDoS Protector > DoS Signatures > Filters > Basic Filters > User.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Name The name of the filter.

Protocol The protocol used.

Values: IP, UDP, TCP, ICMP

Source App. Port The source application ports.

Destination App. Port The destination application ports.

Values: 0 - 65535

Default: 0

OMPC Offset The location in the packet from which the checking of data is started in order to find specific bits in the IP/TCP header.

Values: 0 - 1513

Default: 0

OMPC Offset Relative to Specifies to which OMPC offset the selected offset is relative.

Values:

None

IP Header

IP Data

L4 Data

Ethernet

L4 Header

IPV6 Header

Default: None


OMPC Mask The mask for the OMPC data. Possible values: a combination of hexadecimal numbers (0-9, a-f). The value must be defined according to the OMPC Length parameter.

The OMPC Mask parameter definition must contain 8 symbols. If the OMPC Length value is lower than fourBytes, you need to complete it with zeros.

For example, if OMPC Length is twoBytes, OMPC Mask can be: abcd0000.

Default: 00000000

OMPC Pattern The fixed size pattern within the packet that OMPC rule attempts to find. Possible values: a combination of hexadecimal numbers (0-9, a-f). The value must be defined according to the OMPC Length parameter.

The OMPC Pattern parameter definition must contain 8 symbols. If the OMPC Length value is lower than fourBytes, you need to complete it with zeros.

For example, if OMPC Length is twoBytes, OMPC Pattern can be: abcd0000.

Default: 00000000

OMPC Condition The OMPC condition can be either N/A, equal, notEqual, greaterThan or lessThan.

Default: N/A

OMPC Length The length of the OMPC (Offset Mask Pattern Condition) data.

Values: N/A, oneByte, twoBytes, threeBytes, fourBytes

Default: N/A
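As an added example (not code from this guide or the product), the following Python evaluates the OMPC Offset, OMPC Offset Relative to, OMPC Mask, OMPC Pattern, OMPC Condition, and OMPC Length fields described above against a constructed Ethernet II / IPv4 / TCP frame. Treating "None" as the start of the frame and the header arithmetic for each "relative to" value are the example's own assumptions; IPv6 frames are rejected rather than modelled.

```python
"""Added example (not Check Point code): evaluating a Basic Filter's OMPC
(Offset, Mask, Pattern, Condition) fields against a constructed
Ethernet II / IPv4 / TCP frame. Treating 'None' as the frame start and
the header arithmetic for each 'relative to' value are this example's
assumptions; IPv6 frames are rejected rather than modelled."""
import struct
from dataclasses import dataclass

LENGTH_BYTES = {"oneByte": 1, "twoBytes": 2, "threeBytes": 3, "fourBytes": 4}


@dataclass
class OmpcRule:
    offset: int          # OMPC Offset, 0-1513
    relative_to: str     # None, Ethernet, IP Header, IP Data, L4 Header, L4 Data
    mask: str            # OMPC Mask: 8 hex symbols, zero padded, e.g. "abcd0000"
    pattern: str         # OMPC Pattern: 8 hex symbols, zero padded
    condition: str       # N/A, equal, notEqual, greaterThan, lessThan
    length: str          # N/A, oneByte, twoBytes, threeBytes, fourBytes


def base_offset(frame: bytes, relative_to: str) -> int:
    """Byte position in the frame that the OMPC Offset is counted from."""
    if relative_to in ("None", "Ethernet"):
        return 0
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("example handles IPv4 over Ethernet II only")
    ip = 14
    if relative_to == "IP Header":
        return ip
    l4 = ip + (frame[ip] & 0x0F) * 4          # IHL is counted in 32-bit words
    if relative_to in ("IP Data", "L4 Header"):
        return l4
    if relative_to == "L4 Data":
        proto = frame[ip + 9]
        if proto == 6:                         # TCP: data offset in the upper nibble
            return l4 + (frame[l4 + 12] >> 4) * 4
        if proto == 17:                        # UDP: fixed 8-byte header
            return l4 + 8
        raise ValueError("unsupported L4 protocol %d" % proto)
    raise ValueError("unknown relative_to %r" % relative_to)


def ompc_matches(rule: OmpcRule, frame: bytes) -> bool:
    """Mask the bytes at the offset and compare them with the pattern."""
    if rule.condition == "N/A" or rule.length == "N/A":
        return True                            # OMPC unused: the filter's other fields decide
    if len(rule.mask) != 8 or len(rule.pattern) != 8:
        raise ValueError("OMPC Mask and OMPC Pattern must be 8 hex symbols")
    n = LENGTH_BYTES[rule.length]
    start = base_offset(frame, rule.relative_to) + rule.offset
    window = frame[start:start + n]
    if len(window) < n:
        return False                           # the field lies beyond the end of the packet
    value = int.from_bytes(window, "big") & int(rule.mask[:2 * n], 16)
    pattern = int(rule.pattern[:2 * n], 16)    # only the first OMPC Length bytes count
    return {"equal": value == pattern, "notEqual": value != pattern,
            "greaterThan": value > pattern, "lessThan": value < pattern}[rule.condition]


def build_frame(tcp_flags: int, payload: bytes) -> bytes:
    """Constructed test frame: Ethernet II + 20-byte IPv4 + 20-byte TCP; checksums left zero."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return eth + ip + tcp + payload


# Rule 1: the flags byte (offset 13 in the TCP header) has both SYN (0x02) and FIN (0x01) set.
SYN_FIN_RULE = OmpcRule(13, "L4 Header", "03000000", "03000000", "equal", "oneByte")
# Rule 2: the first two payload bytes are "GE" (0x47 0x45), i.e. an HTTP GET starts the data.
GET_RULE = OmpcRule(0, "L4 Data", "ffff0000", "47450000", "equal", "twoBytes")
```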

Content Offset The location in the packet from which the checking of content is started.

Values: 0 - 1513

Default: 0

Distance A range that defines the allowed distance between two content characters. If the distance is beyond the specified range, it is recognized as an attack.

Content Contains the actual value of the content search.

Values: < space > ! " # $ % & ' ( ) * + , -. / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~ .


Content Type Enables the user to search for a specific content type.

Values:

None

URL—In the HTTP Request URI. No normalization procedures are taken.

Normalized URL—To avoid evasion techniques when classifying HTTP-GET requests, the URL content is transformed into its canonical representation, to interpret the URL in the same way the server would. The normalization procedure supports the following cases:

Directory referencing by reducing '/./' into '/' or "A/B/../" to "A/";

Changing backslash ('\') to slash ('/');

Changing HEX encoding to ASCII characters. For example the hex value %20 is changed to " " (space).

Unicode support, UTF-8 and IIS encoding.

Host Name—In the HTTP Header

Text—Anywhere in the packet

HTTP Header Field—In the HTTP Header

Mail Domain—In the SMTP Header

Mail To—In the SMTP Header

Mail From—In the SMTP Header

Mail Subject—In the SMTP Header

Regular Expression: Anywhere in the packet

Header Type—HTTP Header field. The "Content" field includes the header field name, and the "Content data" field includes the field value

File Type—The type of the requested file in the http GET command (jpg, exe, and so on).

POP3 User—User field in the POP3 Header.

Cookie Data—HTTP cookie field. The "content" field includes the cookie name, and the "content data" field includes the cookie value

FTP Content—Scans the data transmitted using FTP, performing normalization of the FTP packets and stripping of telnet opcodes.

FTP Command—Performs parsing of FTP commands to commands and arguments, while performing normalization of the FTP packets and stripping of telnet opcodes.

RPC—Reassembles RPC requests over several packets.

The RPC standard (RFC 1831) provides a feature called Record Marking Standard (RM). This feature delimits several RPC requests sent on top of the transport protocol. With a stream-oriented protocol (such as TCP), RPC uses a form of fragmentation to delimit the records. Besides its original purpose, fragmentation may also divide records in the middle, not only at their boundaries. In some cases, this functionality can be used to evade IPS systems.

Default: N/A

Note: The following two content types appear in devices with the SME card only.

HTTP Reply Header—The header of the HTTP reply.

HTTP Reply Data—The data of the HTTP reply.
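As an added example (not code from this guide or the product), the following Python applies the Normalized URL steps listed above (dot-segment reduction, backslash to slash, hex decoding, UTF-8 and IIS %uXXXX encoding), so that a filter's Content string is compared with the form the web server would see. The order of the steps and leaving the query string untouched are the example's own choices.

```python
"""Added example (not Check Point code): canonicalising a request URL the way
the Normalized URL content type describes, so matching happens on the form
the server would interpret. Step order and %uXXXX handling are choices made
for this example."""
import re

# %XX byte escapes and the IIS-style %uXXXX escape
_PCT = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def _decode_escapes(path: str) -> str:
    """Turn %XX bytes (UTF-8 sequences included) and %uXXXX code units into characters."""
    out = bytearray()
    pos = 0
    for m in _PCT.finditer(path):
        out += path[pos:m.start()].encode("utf-8")
        if m.group(1):                     # %uXXXX: a UTF-16 code unit
            out += chr(int(m.group(1), 16)).encode("utf-8", "replace")
        else:                              # %XX: one raw byte, possibly part of a UTF-8 sequence
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += path[pos:].encode("utf-8")
    return out.decode("utf-8", errors="replace")


def _remove_dot_segments(path: str) -> str:
    """Reduce '/./' to '/' and 'A/B/../' to 'A/', never climbing above the root."""
    segments = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(segments) > 1:          # keep the leading root segment
                segments.pop()
            continue
        segments.append(seg)
    out = "/".join(segments)
    if path.startswith("/") and not out.startswith("/"):
        out = "/" + out
    return out


def normalize_url(raw: str) -> str:
    """Canonical form: escapes decoded, forward slashes only, dot segments removed."""
    path, sep, query = raw.partition("?")  # the query string is left as received
    path = _decode_escapes(path)
    path = path.replace("\\", "/")
    path = _remove_dot_segments(path)
    return path + sep + query
```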
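The RPC content type above relies on reassembling Record Marking fragments before matching. As an added example (not code from this guide or the product), this Python reassembler consumes TCP segment payloads and returns whole RPC records, handling fragments that split a record in the middle and fragment headers that straddle segment boundaries; the sample stream is constructed for the example.

```python
"""Added example (not Check Point code): reassembling ONC RPC records that use
RFC 1831 Record Marking over TCP. Each fragment starts with a 4-byte header:
the high bit marks the last fragment of a record, the low 31 bits give the
fragment length. The sample stream below is constructed."""
import struct
from typing import List


class RecordMarkReassembler:
    """Feed TCP segment payloads in stream order; get back complete RPC records."""

    def __init__(self, max_record: int = 1 << 20):
        self._buf = bytearray()       # stream bytes not yet consumed as fragments
        self._record = bytearray()    # fragments of the record currently in progress
        self._max_record = max_record

    def feed(self, segment: bytes) -> List[bytes]:
        self._buf += segment
        records = []
        while len(self._buf) >= 4:
            (hdr,) = struct.unpack("!I", self._buf[:4])
            last = bool(hdr & 0x80000000)
            length = hdr & 0x7FFFFFFF
            if len(self._buf) < 4 + length:
                break                  # fragment incomplete: wait for the next segment
            self._record += self._buf[4:4 + length]
            del self._buf[:4 + length]
            if len(self._record) > self._max_record:
                raise ValueError("RPC record exceeds the configured size limit")
            if last:                   # record boundary reached: emit it whole
                records.append(bytes(self._record))
                self._record = bytearray()
        return records


def fragment_record(record: bytes, sizes: List[int]) -> bytes:
    """Encode one record as consecutive fragments of the given sizes (last one flagged)."""
    assert sum(sizes) == len(record), "fragment sizes must cover the record exactly"
    out = bytearray()
    pos = 0
    for i, size in enumerate(sizes):
        chunk = record[pos:pos + size]
        pos += size
        flag = 0x80000000 if i == len(sizes) - 1 else 0
        out += struct.pack("!I", flag | len(chunk)) + chunk
    return bytes(out)


# Constructed sample: a 12-byte call record split 5 + 7 across two fragments
# (a split in the middle of the record, not at its boundary), then a whole second record.
SAMPLE_CALL = b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x02"
STREAM = fragment_record(SAMPLE_CALL, [5, 7]) + fragment_record(b"NEXT", [4])


def reassemble_stream(stream: bytes, segment_size: int) -> List[bytes]:
    """Deliver the stream in fixed-size TCP segments and collect the records."""
    reassembler = RecordMarkReassembler()
    records = []
    for i in range(0, len(stream), segment_size):
        records += reassembler.feed(stream[i:i + segment_size])
    return records
```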


Content Max Length The maximum length to be searched within the selected Content Type. The Content Max Length value must be equal or greater than the Offset value.

Values: 0 – 1513

Default: 0

Content Data Refers to the search for the content within the packet.

Values: N/A, URL, Text

Content Encoding Application Security can search for content in languages other than English, for case sensitive or case insensitive text as well as hexadecimal strings. The value of this field corresponds to the Content Type parameter.

Values:

None

Case Insensitive

Case Sensitive

HEX

International

Default: None

Content Data Encoding Application Security can search for data in languages other than English, for case sensitive or case insensitive data as well as hexadecimal strings. The value of this field corresponds to the Content Type parameter.

Values:

None

Case Insensitive

Case Sensitive

HEX

International

Default: None

Content Regular Expression

Allows you to search for content type anywhere in the packet.

Values:

Yes

No

Content Data Reg Expression

Values:

Yes

No


Packet Size Type The content for which the size is measured.

Values:

L2—The complete packet size is measured, including L2 headers.

L3—The L2 Data part of the packet is measured (excluding the L2 headers).

L4—The L3 Data part of the packet is measured (excluding the L2/L3 headers).

L7—The L4 Data part of the packet is measured (excluding the L2/L3/L4 headers).

Session Type This parameter enables you to create different basic filter connection types for Dynamic Protocols. For example, you can create a Basic Filter for FTP Data, SIP Video, TFTP Control, and other Dynamic Protocols.

Session Type Direction Limits the classification according to the direction of the session.

Values: Only request packets, only reply packets, or all the packets belonging to the session

Packet Size Range The range of values for the packet size.

Notes:

The size is measured per packet only.

The size is not applied on reassembled packets.

Fragmentation of L4-L7 packets may result in tails that do not contain the L4-L7 headers. In such cases the check is bypassed, because no match to Type = L4-L7 is detected.

Advanced Filters

Advanced Filters: Static

The Advanced Filter represents a logical AND between two or more Basic Filters. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one basic filter to protect against them.

Note: You can create the Advanced Filters using the Advanced User Filters.

Use the Static Advanced Filter table to view static Advanced Filters.

To view the static Advanced Filters

Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > Static. The Advanced Filters Table is displayed with the following parameters:

Parameter Description

Name The name of the filter.

Number of Filters The number of filters for this entry.

Note: To view the configuration of a filter, click on it.


Advanced Filters: User

The advanced filter represents a logical AND relation between two or more basic filters. Some attacks have a complex signature comprised of several patterns and content strings. The system requires more than one basic filter to protect against such attacks.

Note: Once all associated filters are deleted from the advanced filter, the advanced filter is erased.

To create an advanced user filter

1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > User.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Advanced Enter the name of the Advanced Filter.

Basic Select a Basic Filter from the drop-down list.

To add a basic filter to an existing advanced user filter

1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > User.

2. Click Create.

3. From the Basic drop-down list, select the basic filter to add to the advanced filter and click Set.

To delete an advanced user filter

1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > User.

2. Select the advanced filter to delete.

3. Select the checkboxes of all the basic filters in the advanced filter and click Delete.

Attacks

Static Attacks

The Attacks Database contains attacks provided by Check Point. You can add user-defined attacks to reflect specific needs of your network, or edit the existing attacks.

The Signature Protection Static Attack Configuration window enables you to edit existing attack parameters.

To edit a static attack

1. Select DDoS Protector > DoS Signatures > Attacks > Static.

2. Select a static attack.

3. Configure the parameters, and click Set.

Parameter Description

ID (Read-only) The unique identifying number.

Attack Name (Read-only) The name for this attack. The Attack Name is used when DoS Shield sends information about attack status changes.

Filter Name (Read-only) The filter assigned to this attack.

Tracking Time The time, in milliseconds, over which the Threshold is measured. When more packets than the threshold value pass through the device during this period, the device recognizes an attack.

Value: 1000

Tracking Type Specifies how the protection determines which traffic to block or drop when under attack.

Values:

Drop All—Select this option when each packet of the defined attack is harmful, for example, Code Red and Nimda attacks.

Source Count—Select this option when the defined attack is source-based—that is, the attack can be recognized by its source address, for example, a Horizontal Port Scan, where the hacker scans a certain application port (TCP or UDP) to detect which servers are available in the network.

Target Count—Select this option when the defined attack is destination-based, meaning the hacker is attacking a specific destination such as a Web server, for example, Ping Flood and DDoS attacks.

Source and Destination Count—Select this option when the attack type is a source and destination-based attack—that is, the hacker is attacking from a specific source IP to a specific destination IP address, for example, Port Scan attacks.

landattack, fragments, ncpsdcan, dhcp, ftpbounce, bobo2K

Sampling—Select this option when the defined attack is based on sampling, that is, a DoS Shield attack.

Action Mode The action that the protection takes when an attack is detected.

Values:

Report Only—The packet is forwarded to the defined destination.

Drop—The packet is discarded.

Reset Source—Sends a TCP-Reset packet to the packet Source IP.

Reset Destination—Sends a TCP-Reset packet to the destination address.

Reset BiDirectional—Sends a TCP reset packet to both the packet source IP and the packet destination IP.

MM7—If the packet contains a threat, the device drops the message and sends an application-level error message to the server to remove the message from the queue to prevent a re-transmission. It contains Transaction ID, Content Length, and Message ID.

State Enables or disables the Attack Status.

There are cases where you may need to temporarily disable an attack from a static group. For example, you may suspect that a certain attack introduces false positives and want to disable that specific attack only.

Setting the attack status to Disable means that the attack is disabled but not removed from the group.

Direction A certain protection policy may contain attacks that should be searched only for traffic from client to server or only on traffic from server to client.

To provide simple and efficient scanning configuration you can set per attack the traffic direction for which it is relevant.

Values:

Inbound—On traffic from policy Source to policy Destination

Outbound—On traffic from policy Destination to policy Source

In-Out Bound—On all traffic between policy Source and policy Destination

Suspend Action For certain attacks, in addition to the action defined for the attack, the device can also suspend traffic from the IP address that was the source of the attack for a period of time.

Values:

None—Suspend action is disabled for this attack.

SrcIP—All traffic from the IP address identified as source of this attack will be suspended.

SrcIP, DestIP—Traffic from the IP address identified as source of this attack to the destination IP under attack will be suspended.

SrcIP, DestPort—Traffic from the IP address identified as source of this attack to the application (destination port) under attack will be suspended.

SrcIP, DestIP, DestPort—Traffic from the IP address identified as source of this attack to the destination IP and port under attack will be suspended.

SrcIP, DestIP, SrcPort, DestPort—Traffic from the IP address and port identified as source of this attack to the destination IP and port under attack will be suspended.

Active Threshold When this threshold is exceeded, the status of the attack is changed to Currently Active. This is only relevant when the Attack Status was configured as Dormant.

The maximum number of attack packets allowed in each Tracking Time unit. Attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period.

When the value for Tracking Type is Drop All, the protection ignores this parameter.

Exclude Src The source IP address or network whose packets the protection does not inspect.

Drop Threshold After an attack has been detected, the device starts dropping excessive traffic only when this threshold is reached. This parameter is measured in PPS.

When the value for Tracking Type is Drop All, the protection ignores this parameter.

Exclude Dest The destination IP address or network whose packets the protection does not inspect.

Term Threshold When the attack PPS rate drops below this threshold, the protection changes the attack from active mode to inactive mode.

When the value for Tracking Type is Drop All, the protection ignores this parameter.

Packet Trace Specifies whether the protection sends attack packets to the specified physical port.

User Attacks

The Attacks Database contains attacks provided by Check Point. You can add user-defined attacks to reflect specific needs of your network, or edit the existing attacks.

The Signature Protection User Attack Configuration window enables you to create attack parameters.

To create a user attack

1. Select DDoS Protector > DoS Signatures > Attacks > User.

2. Select Create.

3. Configure the parameters, and click Set.

Parameter Description

ID The unique identifying number.

Attack Name The name for this attack. The Attack Name is used when DoS Shield sends information about attack status changes.

Filter Name The filter assigned to this attack.

Tracking Time The time, in milliseconds, over which the Threshold is measured. When more packets than the threshold value pass through the device during this period, the device recognizes an attack.

Value: 1000

Tracking Type Specifies how the protection determines which traffic to block or drop when under attack.

Values:

Drop All—Select this option when each packet of the defined attack is harmful, for example, Code Red and Nimda attacks.

Source Count—Select this option when the defined attack is source-based—that is, the attack can be recognized by its source address, for example, a Horizontal Port Scan, where the hacker scans a certain application port (TCP or UDP) to detect which servers are available in the network.

Target Count—Select this option when the defined attack is destination-based, meaning the hacker is attacking a specific destination such as a Web server, for example, Ping Flood and DDoS attacks.

Source and Destination Count—Select this option when the attack type is a source and destination-based attack—that is, the hacker is attacking from a specific source IP to a specific destination IP address, for example, Port Scan attacks.

landattack, fragments, ncpsdcan, dhcp, ftpbounce, bobo2K

Sampling—Select this option when the defined attack is based on sampling, that is, a DoS Shield attack.

Default: Sampling

Action Mode The action that the protection takes when an attack is detected.

Values:

Report Only—The packet is forwarded to the defined destination.

Drop—The packet is discarded.

Reset Source—Sends a TCP-Reset packet to the packet Source IP.

Reset Destination—Sends a TCP-Reset packet to the destination address.

Reset BiDirectional—Sends a TCP reset packet to both the packet source IP and the packet destination IP.

MM7—If the packet contains a threat, the device drops the message and sends an application-level error message to the server to remove the message from the queue to prevent a re-transmission. It contains Transaction ID, Content Length, and Message ID.

Default: Drop

State Enables or disables the Attack Status.

There are cases where you may need to temporarily disable an attack from a static group. For example, you may suspect that a certain attack introduces false positives and want to disable that specific attack only.

Setting the attack status to Disable means that the attack is disabled but not removed from the group.

Default: Enable.

Direction A certain protection policy may contain attacks that should be searched only for traffic from client to server or only on traffic from server to client.

To provide simple and efficient scanning configuration you can set, per attack, the traffic direction for which it is relevant.

Values:

In Bound—On traffic from policy Source to policy Destination

Out Bound—On traffic from policy Destination to policy Source

In-Out Bound—On all traffic between policy Source and policy Destination

Suspend Action

For certain attacks, in addition to the action defined for the attack, the device can also suspend traffic from the IP address that was the source of the attack for a period of time.

Values:

None—Suspend action is disabled for this attack.

SrcIP—All traffic from the IP address identified as the source of this attack will be suspended.

SrcIP, DestIP—Traffic from the IP address identified as source of this attack to the destination IP under attack will be suspended.

SrcIP, DestPort—Traffic from the IP address identified as source of this attack to the application (destination port) under attack will be suspended.

SrcIP, DestIP, DestPort—Traffic from the IP address identified as source of this attack to the destination IP and port under attack will be suspended.

SrcIP, DestIP, SrcPort, DestPort—Traffic from the IP address and port identified as source of this attack to the destination IP and port under attack will be suspended.

Default: None

Active Threshold

When this threshold is exceeded, the status of the attack is changed to Currently Active. This is only relevant when the Attack Status was configured as Dormant.

The maximum number of attack packets allowed in each Tracking Time unit. Attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period.

When the value for Tracking Type is Drop All, the protection ignores this parameter.

Default: 50

Exclude Src The source IP address or network whose packets the protection does not inspect.

Default: None

Drop Threshold

After an attack has been detected, the device starts dropping excessive traffic only when this threshold is reached. This parameter is measured in PPS.

When the value for Tracking Type is Drop All, the protection ignores this parameter.

Default: 50

Exclude Dest The destination IP address or network whose packets the protection does not inspect.

Default: None

Term Threshold

When the attack PPS rate drops below this threshold, the protection changes the attack from active mode to inactive mode.

When the value for Tracking Type is Drop All, the protection ignores this parameter.

Default: 50

Packet Trace Specifies whether the protection sends attack packets to the specified physical port.

Default: disable
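The Tracking Time, Tracking Type, Active/Drop/Term Threshold and Suspend Action parameters described in the Static Attacks and User Attacks tables above interact as a small per-attack state machine. The following Python model is an added illustration, not Check Point code: the packet set, the deliberately low thresholds, the 60-second suspension period and the exact timing of state transitions are constructed assumptions, since the page states only a Tracking Time of 1000 ms and that suspension lasts "a period of time".

```python
from collections import Counter, namedtuple
from dataclasses import dataclass

Packet = namedtuple("Packet", "ts_ms src dst sport dport")


@dataclass
class AttackConfig:
    # Names follow the Static/User Attack table; suspend_time_ms is an assumption (page: "a period of time").
    tracking_time_ms: int = 1000
    tracking_type: str = "Source Count"
    active_threshold: int = 50
    drop_threshold: int = 50
    term_threshold: int = 50
    suspend_action: str = "None"
    suspend_time_ms: int = 60_000


TRACKING_FIELDS = {"Source Count": ("src",), "Target Count": ("dst",),
                   "Source and Destination Count": ("src", "dst"), "Sampling": ()}
SUSPEND_FIELDS = {
    "None": (), "SrcIP": ("src",), "SrcIP, DestIP": ("src", "dst"),
    "SrcIP, DestPort": ("src", "dport"), "SrcIP, DestIP, DestPort": ("src", "dst", "dport"),
    "SrcIP, DestIP, SrcPort, DestPort": ("src", "dst", "sport", "dport"),
}


def tracking_key(pkt, tracking_type):
    """Bucket that Tracking Type counts packets against (Sampling: one global bucket)."""
    return tuple(getattr(pkt, f) for f in TRACKING_FIELDS[tracking_type])


def suspend_key(pkt, suspend_action):
    """Tuple identifying the traffic that Suspend Action blocks once an attack is active."""
    return tuple(getattr(pkt, f) for f in SUSPEND_FIELDS[suspend_action])


class AttackTracker:
    """Per-attack state; packets handed in are assumed to already match the attack's filter."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.window_start = None
        self.counts = Counter()  # packets per tracking key in the current Tracking Time unit
        self.active = set()      # keys whose status is Currently Active
        self.suspended = {}      # suspend key -> expiry timestamp (ms)
        self.events = []

    def _roll_window(self, ts_ms):
        if self.window_start is None:
            self.window_start = ts_ms
        while ts_ms >= self.window_start + self.cfg.tracking_time_ms:
            # End of a Tracking Time unit: an active attack whose rate fell below Term Threshold goes inactive.
            for key in list(self.active):
                if self.counts[key] < self.cfg.term_threshold:
                    self.active.discard(key)
                    self.events.append(("terminated", key))
            self.counts = Counter()
            self.window_start += self.cfg.tracking_time_ms

    def process(self, pkt):
        """Return 'drop' or 'forward' for one filter-matching packet."""
        cfg = self.cfg
        if cfg.tracking_type == "Drop All":
            return "drop"  # every matching packet is harmful; thresholds are ignored
        self._roll_window(pkt.ts_ms)
        key = tracking_key(pkt, cfg.tracking_type)
        self.counts[key] += 1
        n = self.counts[key]
        if cfg.suspend_action != "None":
            expiry = self.suspended.get(suspend_key(pkt, cfg.suspend_action))
            if expiry is not None and pkt.ts_ms < expiry:
                return "drop"  # suspended source, regardless of its current rate
        if key not in self.active and n > cfg.active_threshold:
            self.active.add(key)  # Active Threshold exceeded within one Tracking Time unit
            self.events.append(("active", key))
            if cfg.suspend_action != "None":
                self.suspended[suspend_key(pkt, cfg.suspend_action)] = pkt.ts_ms + cfg.suspend_time_ms
        if key in self.active and n > cfg.drop_threshold:
            return "drop"  # excess traffic above Drop Threshold
        return "forward"


def run(cfg, packets):
    """Feed packets through one tracker; return per-packet decisions and state events."""
    tracker = AttackTracker(cfg)
    return [tracker.process(p) for p in packets], tracker.events


# Constructed traffic: 10.0.0.5 exceeds a deliberately low threshold within the first
# second and then goes quiet; 10.0.0.9 sends a legitimate trickle.
SAMPLE_CFG = AttackConfig(active_threshold=5, drop_threshold=5, term_threshold=3,
                          suspend_action="SrcIP, DestPort")
SAMPLE_PACKETS = (
    [Packet(i * 100, "10.0.0.5", "192.0.2.10", 40000 + i, 53) for i in range(8)]
    + [Packet(150, "10.0.0.9", "192.0.2.10", 51000, 53), Packet(650, "10.0.0.9", "192.0.2.10", 51001, 53)]
    + [Packet(2000, "10.0.0.5", "192.0.2.10", 40100, 53), Packet(2050, "10.0.0.5", "192.0.2.10", 40101, 80)]
)
```

Running `run(SAMPLE_CFG, SAMPLE_PACKETS)` shows the source being forwarded up to the threshold, dropped once active, terminated when the next Tracking Time unit stays below Term Threshold, and still suspended on port 53 (but not on port 80) afterwards.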

Exclude Attacks

Use the Signature Protection Attacks Excluded Addresses Configuration pane to exclude particular attacks from your network definitions.

To exclude signature protection attacks

1. Select DDoS Protector > DoS Signatures > Exclude Attacks.

2. Click Create.

3. Configure the parameters, and click Set.

Parameter Description

Attack ID The ID of the attack not to be included in policy.

Attack Name The name of the attack.

Source Network The source IP address for the excluded attack.

Destination Network The destination IP address for the excluded attack.

Denial of Service

Behavioral DoS

Behavioral DoS: Global Parameters

Behavioral DoS (Behavioral Denial of Service) Protection, which you can use in your network-protection policy, defends your network from zero-day network-flood attacks. These attacks fill available network bandwidth with irrelevant traffic, denying use of network resources to legitimate users. The attacks originate in the public network and threaten Internet-connected organizations.

The Behavioral DoS profiles detect traffic anomalies and prevent zero-day, unknown flood attacks by identifying the footprint of the anomalous traffic.

Network-flood protection types include:

TCP floods—which include TCP Fin + ACK Flood, TCP Reset Flood, TCP SYN + ACK Flood, and TCP Fragmentation Flood

UDP flood

ICMP flood

IGMP flood

Before you configure BDoS Protection profiles, enable BDoS Protection.

Note: Changing the setting of this parameter requires a reboot to take effect.

To enable Behavioral DoS

1. Select DDoS Protector > Behavioral DoS > Global Parameters.

2. Select Enable from the drop-down list.

Advanced

Behavioral DoS Profiles Advanced

A Behavioral DoS profile defines the set of protocols for protection, which can then be assigned to the Behavioral DoS policy.

Use the Behavioral DoS Profiles Advanced Configuration pane to configure Behavioral DoS profiles with advanced parameters, which include manual quota settings.

Recommended settings for policies that include Behavioral DoS profiles are as follows:

Configure policies containing Behavioral DoS profiles using Networks with source = Any (the public network) and destination = Protected Network. It is recommended to create multiple Behavioral DoS rules, each one protecting a specific server segment (for example, the DNS server segment, the Web server segment, the mail server segment, and so on). This ensures optimal learning of normal traffic baselines.

It is not recommended to define a network with both Source and Destination set to Any, because the device then collects statistics globally, without regard to inbound and outbound directions. This may lower the sensitivity of attack detection.

When the Direction of a policy is set to One Way, the rule prevents incoming attacks only. When a rule’s Direction is set to Two Way, the rule prevents both incoming and outgoing attacks. In both cases, the traffic statistics are collected for incoming and outgoing patterns to achieve optimal detection.

Note: Check Point recommends that you initially leave the quota fields (for example, TCP In quota) empty so that the default values are used automatically. To view the default values after creating the profile, click the entry in the table. You can then adjust quota values based on your network performance. The total of the quota values may exceed 100%, as each value represents the maximum volume per protocol.

To configure a behavioral DoS profile with advanced parameters

1. Select DDoS Protector > Denial of Service > Behavioral DoS > Advanced > Profiles Configuration.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Profile Name The user-defined name for the profile.

SYN Flood status Specifies whether the profile protects against SYN Flood attacks.

Default: inactive

TCP Reset Flood status Specifies whether the profile protects against TCP Reset Flood attacks.

Default: inactive

TCP FIN+ACK Flood status

Specifies whether the profile protects against TCP FIN+ACK Flood attacks.

Default: inactive

TCP SYN+ACK Flood status

Specifies whether the profile protects against TCP SYN+ACK Flood attacks.

Default: inactive

TCP Fragmented Flood status

Specifies whether the profile protects against TCP Fragmented Flood attacks.

Default: inactive

UDP Flood status Specifies whether the profile protects against UDP Flood attacks.

Default: inactive

IGMP Flood status Specifies whether the profile protects against IGMP Flood attacks.

Default: inactive

ICMP Flood status Specifies whether the profile protects against ICMP Flood attacks.

Default: inactive

Configuration of the inbound traffic in [Kbit/Sec]

The highest expected volume of inbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings.

Values: 0 – 2,147,483,647

Caution: You must configure this setting to start Behavioral DoS protection.

Configuration of the outbound traffic in [Kbit/Sec]

The highest expected volume of outbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings.

Values: 0 – 2,147,483,647

Caution: You must configure this setting to start Behavioral DoS protection.

TCP In quota The maximum expected percentage of inbound TCP traffic out of the total traffic.

UDP In quota The maximum expected percentage of inbound UDP traffic out of the total traffic.

ICMP In quota The maximum expected percentage of inbound ICMP traffic out of the total traffic.

IGMP In quota The maximum expected percentage of inbound IGMP traffic out of the total traffic.

TCP Out quota The maximum expected percentage of outbound TCP traffic out of the total traffic.

UDP Out quota The maximum expected percentage of outbound UDP traffic out of the total traffic.

ICMP Out quota The maximum expected percentage of outbound ICMP traffic out of the total traffic.

IGMP Out quota The maximum expected percentage of outbound IGMP traffic out of the total traffic.

Transparent Optimization process

Specifies whether transparent optimization is enabled.

Some network environments (for example, VoIP) are more sensitive to dropped packets, so the probability that the device drops legitimate traffic must be minimized. Transparent optimization can take place during the BDoS closed-feedback iterations until a final footprint is generated.

Note: When transparent optimization is enabled, the profile does not mitigate the attack until the final footprint is generated, which takes several seconds.

UDP packet rate detection sensitivity

Specifies to what extent the BDoS engine considers the UDP PPS-rate values (baseline and current).

This parameter is relevant only for BDoS UDP protection.

Values:

Disable

Low

Medium

High

Default: Low

Packet Trace Status Specifies whether the profile sends attack packets to the specified physical port.

Default: disable

Behavioral DoS Advanced: Global Parameters

The Behavioral DoS Advanced Setting window enables you to set the Learning Response Period, upon which baselines are primarily weighted, as well as to enable the Sampling status and define the severity level of the Footprint (Footprint Strictness).

Note: You must configure network flood protection separately for TCP floods, UDP floods, ICMP floods, and IGMP floods.

To set the behavioral DoS advanced settings

1. Select DDoS Protector > Behavioral DoS > Advanced > Global Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Learning response period

The initial period from which baselines are primarily weighted.

The default and recommended learning response period is one week.

If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change more than 50% daily), set the learning response to one month. Use a one-day period for testing purposes only.

Values: day, week, month

Default: Week

Sampling Status Specifies whether the BDoS module uses traffic-statistics sampling during the creation phase of the BDoS footprint. When the BDoS module is trying to generate a real-time signature and there is a high rate of traffic, the device evaluates only a portion of the traffic. The BDoS module tunes the sampling factor automatically, according to the traffic rate. The BDoS module screens all traffic at low traffic rates (below 100K PPS) and only a portion of the traffic at higher rates (above 100K PPS).

Default: enable

Note: For best performance, Check Point recommends that the parameter be enabled.

Footprint Strictness When Behavioral DoS module detects a new attack, the module generates an attack footprint to block the attack traffic. If the Behavioral DoS module is unable to generate a footprint that meets the footprint-strictness condition, the module issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint. However, higher strictness increases the probability that the device cannot generate a footprint.

Values:

High—Enforces at least three Boolean ANDs and no other Boolean OR value in the footprint. This level lowers the probability for false positives but increases the probability for false negatives.

Medium—Enforces at least two Boolean ANDs and no more than two additional Boolean OR values in the footprint.

Low—Allows any footprint suggested by the Behavioral DoS module. This level achieves the best attack blocking, but increases the probability of false positives.

Notes:

DDoS Protector always considers the checksum field and the sequence number fields as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered as High Footprint Strictness.

See the table below for examples of footprint strictness requirements.

Footprint Strictness Examples

Footprint Example                             Strictness Level
                                              Low   Medium   High
TTL                                           Yes   No       No
TTL AND Packet Size                           Yes   Yes      No
TTL AND Packet Size AND Destination Port      Yes   Yes      Yes
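The strictness rules above (High, Medium, Low, plus the checksum and sequence-number note) and the Bypass/Accept statuses described later under Behavioral DoS Footprint Bypass can be checked against the example table with the following Python model. It is an added illustration, not Check Point code: a footprint is represented as a list of ANDed clauses, each clause holding one or more ORed values, and the field names and values are constructed samples.

```python
from dataclasses import dataclass

# The page states that checksum and sequence-number fields always count as
# High-strictness fields, so a footprint built on one of them satisfies High.
HIGH_STRICTNESS_FIELDS = {"Checksum", "Sequence Number"}


@dataclass(frozen=True)
class Clause:
    """One ANDed footprint term; several values mean 'field = v1 OR field = v2 ...'."""
    field: str
    values: tuple


def or_count(footprint):
    """Number of Boolean ORs in the footprint (extra values inside the clauses)."""
    return sum(len(c.values) - 1 for c in footprint)


def meets_strictness(footprint, level):
    """Does the footprint satisfy the configured Footprint Strictness?"""
    if not footprint:
        return False
    if any(c.field in HIGH_STRICTNESS_FIELDS for c in footprint):
        return True
    ands, ors = len(footprint), or_count(footprint)
    if level == "High":      # at least three ANDed terms, no OR values
        return ands >= 3 and ors == 0
    if level == "Medium":    # at least two ANDed terms, at most two OR values
        return ands >= 2 and ors <= 2
    if level == "Low":       # any footprint the module suggests
        return True
    raise ValueError(f"unknown strictness level: {level}")


def strictness_row(footprint):
    """One row of the Footprint Strictness Examples table."""
    return {lvl: meets_strictness(footprint, lvl) for lvl in ("Low", "Medium", "High")}


def apply_bypass(candidate, bypass):
    """Footprint Bypass: remove bypassed fields or values from a suggested footprint.
    bypass maps a field name to ("Bypass", ()) or ("Accept", (value, ...))."""
    result = []
    for c in candidate:
        status, vals = bypass.get(c.field, (None, ()))
        if status == "Bypass":
            continue  # every value of this field is excluded from the footprint
        kept = tuple(v for v in c.values if not (status == "Accept" and v in vals))
        if kept:
            result.append(Clause(c.field, kept))
    return result


def decide(candidate, level, bypass=None):
    """Outcome for a newly detected attack: block with the final footprint, or
    notify only when no footprint meets the strictness condition."""
    footprint = apply_bypass(candidate, bypass or {})
    action = "block" if meets_strictness(footprint, level) else "notify"
    return action, footprint


def matches(footprint, pkt):
    """Apply a footprint as the blocking rule: AND across clauses, OR within a clause."""
    return all(pkt.get(c.field) in c.values for c in footprint)


# Constructed sample terms mirroring the page's table rows.
TTL = Clause("TTL", (64,))
PACKET_SIZE = Clause("Packet Size", (60,))
DEST_PORT = Clause("Destination Port", (53,))
```

`strictness_row([TTL, PACKET_SIZE])` reproduces the second table row, and `decide` shows how bypassing a field can turn a footprint that would have blocked at High strictness into a notify-only result.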

Behavioral DoS: Learning Reset

Use the Behavioral DoS Learning Reset pane to reset the learning period for specific policies or all policies.

Behavioral DoS protection learns traffic parameters from the transport layer of incoming packets and generates normative baselines for traffic.

The Learning Period setting defines the period based upon which baselines are primarily weighted.

When the baseline for the policy is reset, the baseline traffic statistics are cleared, and then DDoS Protector immediately initiates a new learning period. Generally, this is done when the characteristics of the protected network have changed entirely and bandwidth quotas need to be changed to accommodate the network changes.

To reset the policy baseline

1. Select DDoS Protector > Behavioral DoS > Advanced > Learning Reset.

2. From the Reset Baseline For Policy drop-down list, select a policy or select All Policies.

3. Click Set.

Mitigation Configuration

Attack Termination Configuration

The DDoS Protector BDoS mechanism assigns one of several internally defined states to each protection (that is, to each combination of BDoS policy and Protection Type).

The internally defined states for protections include the following:

Normal state

Analysis state—state 2

Blocking state—state 6

Anomaly state—state 3

Non-strictness state—state 7

Note: DDoS Protector assigns the Non-strictness state when it was not able to generate a DoS-attack footprint that meets the specified Footprint Strictness.

As soon as DDoS Protector detects anomalous traffic, the protection changes state, from Normal to Analysis. By default, if DDoS Protector detects anomalous traffic for less than 10 seconds, the protection changes state back to Normal.

In a laboratory environment, it is possible to generate traffic that exhibits periodic behavior in terms of traffic volume. Such traffic in a test attack typically looks like a square-wave function. When such test attacks exhibit peaks and troughs of certain durations, DDoS Protector will consider the attack to have ended (terminated)—switching back to the Normal state, never blocking the attack. The advanced mitigation interface for BDoS enables you to extend pre-termination durations so that such traffic is blocked.

Note: In a production environment, highly orchestrated and synchronized attacks are unlikely, and the default values in a DDoS Protector device configuration are adequate.

To configure attack-termination criteria

1. Select DDoS Protector > Denial of Service > Behavioral DoS > Mitigation Configuration > Attack Termination Configuration.

2. Configure the parameters and click Set.

Parameter Description

Stability Counter State 2 The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Analysis state before DDoS Protector declares the attack terminated. When this value is 0, DDoS Protector declares the attack terminated immediately.

Values: 0 – 30

Default: 0

Stability Counter State 6 The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Blocking state before DDoS Protector declares the attack terminated. When this value is 0, DDoS Protector declares the attack terminated immediately. There is no typical use case for reducing the value from the default.

Values: 0 – 300

Default: 10

Stability Counter State 3 and 7

The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Anomaly state or the Non-strictness state before DDoS Protector declares the attack terminated. When this value is 0, DDoS Protector declares the attack terminated immediately.

Values: 0 – 300

Default: 10
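The square-wave laboratory traffic and the stability counters described above can be reasoned about with the following Python model of the BDoS protection states. It is an added illustration, not Check Point code: the numeric "degree of attack" samples, the threshold value of 50 standing in for the device's hard-coded threshold, the rule that Analysis lasts the page's default 10 seconds before Blocking, and the one-second stepping are constructed assumptions.

```python
from dataclasses import dataclass, field

NORMAL = "Normal"
ANALYSIS = "Analysis (state 2)"
ANOMALY = "Anomaly (state 3)"
BLOCKING = "Blocking (state 6)"
NON_STRICT = "Non-strictness (state 7)"


@dataclass
class TerminationConfig:
    # The three Stability Counter parameters with the page's defaults; analysis_seconds
    # is the page's default 10 seconds of anomalous traffic before blocking starts.
    stability_state2: int = 0
    stability_state6: int = 10
    stability_state3_7: int = 10
    analysis_seconds: int = 10


@dataclass
class Protection:
    """One BDoS protection (policy + protection type), stepped once per second."""
    cfg: TerminationConfig
    threshold: float                 # stands in for the hard-coded degree-of-attack threshold
    footprint_possible: bool = True  # False models the Non-strictness outcome
    state: str = NORMAL
    elapsed: int = 0                 # seconds spent in the current state
    quiet: int = 0                   # consecutive seconds below the threshold
    log: list = field(default_factory=list)

    def _stability_limit(self):
        return {ANALYSIS: self.cfg.stability_state2, BLOCKING: self.cfg.stability_state6,
                ANOMALY: self.cfg.stability_state3_7, NON_STRICT: self.cfg.stability_state3_7}[self.state]

    def _enter(self, second, new_state, note=""):
        self.log.append((second, f"{self.state} -> {new_state}{note}"))
        self.state, self.elapsed, self.quiet = new_state, 0, 0

    def step(self, second, degree):
        anomalous = degree >= self.threshold
        if self.state == NORMAL:
            if anomalous:
                self._enter(second, ANALYSIS)
            return self.state
        self.elapsed += 1
        if anomalous:
            self.quiet = 0
            if self.state == ANALYSIS and self.elapsed >= self.cfg.analysis_seconds:
                self._enter(second, BLOCKING if self.footprint_possible else NON_STRICT)
        else:
            self.quiet += 1
            # Terminated once the degree has stayed below the threshold for the state's
            # stability counter; a counter of 0 terminates on the first sub-threshold second.
            if self.quiet >= self._stability_limit():
                self._enter(second, NORMAL, " (terminated)")
        return self.state


def square_wave(high, low, on_seconds, off_seconds, cycles):
    """Constructed lab traffic: a degree-of-attack series shaped like a square wave."""
    return ([high] * on_seconds + [low] * off_seconds) * cycles


def simulate(cfg, degrees, threshold=50.0, footprint_possible=True):
    """Run one protection over per-second degree samples; return (final state, transition log)."""
    prot = Protection(cfg, threshold, footprint_possible)
    for second, degree in enumerate(degrees):
        prot.step(second, degree)
    return prot.state, prot.log
```

With the defaults, `simulate(TerminationConfig(), square_wave(90, 5, 6, 3, 3))` bounces between Normal and Analysis and never blocks; raising Stability Counter State 2 to 5 lets the protection reach the Blocking state, as the text describes.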

Packet Header Field Selection

If the value in the Any Packet Header Field drop-down list in the Early Blocking Configuration Update window is false, you can select specific packet-header fields for early blocking of DoS traffic.

Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.

To select packet-header fields for early blocking of DNS DoS traffic

1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Packet Header Fields Selection.

2. Select the protection type next to the relevant packet-header field.

3. From the Early Detection Condition drop-down list, select:

yes—DDoS Protector must detect this field to generate a footprint in less than 10 seconds.

no—DDoS Protector can use this field in the footprint, but it is not enough for early blocking.

4. Click Set.

Early Blocking Configuration

In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start blocking as soon as possible—even if accuracy is compromised. Using Early Blocking of DoS Traffic—configuring thresholds for generating DoS-attack footprints—you can shorten the Analysis state and start blocking the relevant traffic.

Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.

To configure early blocking of DNS DoS traffic

1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Early Blocking Configuration.

2. Select the Protection type you want to configure for early blocking.

3. Configure the parameters and click Set.

Parameter Description

Any Packet Header Field Specifies the parameters according to which the device blocks DoS traffic early.

Values:

true—the device blocks DoS traffic early when the configured thresholds for the number of anomalous packet-header fields and packet-header-field values are met.

false—the device blocks DoS traffic early based on the fields as displayed in the Packet Header Fields Selection window.

Any Packet Header Field threshold

The number of anomalous packet-header fields that the device must detect to generate a footprint and change to the Blocking state before the default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.)

Values: 1 – 20

Default (per protection):

ICMP—17

IGMP—16

TCP-ACK-FIN—17

TCP-FRAG—17

TCP-RST—17

TCP-SYN—17

TCP-SYN-ACK—17

UDP—20

Packet Header Field Values

The number of anomalous packet-header-field values that the device must detect to generate a footprint and change to the Blocking state.

Values: 1–500

Default: 500

Behavioral DoS Footprint Bypass

You can define footprint bypass types and values that will not be used as part of a real-time signature. The types and values will not be used in OR or AND operations within the blocking rule (real-time signature), even when the protection engine suggests that the traffic is a real-time signature candidate.

To configure footprint bypass

1. Select DDoS Protector > Behavioral DoS > Advanced > Footprint Bypass.

2. Select the link in the relevant row.

3. Configure the parameters, and click Set.

Parameter Description

Controller (Read-only) The attack protection for which you are configuring footprint bypass.

Bypass Field (Read-only) The bypass type to configure.

Bypass Status The bypass option.

Values:

Bypass—The Behavioral DoS module bypasses all possible values of the selected Bypass Field when generating a footprint.

Accept—The Behavioral DoS module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.

Bypass Values If the value of the Bypass Status parameter is Accept, when generating the footprint, the Behavioral DoS mechanism does not use the specified Bypass Values of the corresponding selected Bypass Field. The valid Bypass Values vary according to the selected Bypass Field. Multiple values in the Bypass Values field must be comma-delimited.

Behavioral DoS Profiles

A Behavioral DoS profile defines the set of protocols for protection, which can then be assigned to the Behavioral DoS policy.

Use the Behavioral DoS Profiles pane to configure Behavioral DoS profiles with basic parameters.

Recommended settings for policies that include Behavioral DoS profiles are as follows:

Configure policies containing Behavioral DoS profiles using Networks with source = Any (the public network) and destination = Protected Network. It is recommended to create multiple Behavioral DoS rules, each one protecting a specific server segment (for example, a DNS server segment, a Web server segment, a Mail server segment, and so on). This ensures optimized learning of normal traffic baselines.

It is not recommended to define a network with both Source and Destination set to Any, because the device then collects statistics globally without regard to the inbound and outbound directions. This may lower the sensitivity of attack detection.

When the Direction of a policy is set to One Way, the rule prevents incoming attacks only. When a rule’s Direction is set to Two Way, the rule prevents both incoming and outgoing attacks. In both cases, the traffic statistics are collected for incoming and outgoing patterns to achieve optimal detection.

To configure a behavioral DoS profile with basic parameters

1. Select DDoS Protector > Denial of Service > Behavioral DoS > Behavioral DoS Profiles.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Profile Name The user-defined name for the profile.

SYN Flood status Specifies whether the profile protects against SYN Flood attacks.

Default: inactive

TCP Reset Flood status Specifies whether the profile protects against TCP Reset Flood attacks.

Default: inactive

TCP FIN+ACK Flood status Specifies whether the profile protects against TCP FIN+ACK Flood attacks.

Default: inactive

TCP SYN+ACK Flood status Specifies whether the profile protects against TCP SYN+ACK Flood attacks.

Default: inactive

TCP Fragmented Flood status Specifies whether the profile protects against TCP Fragmented Flood attacks.

Default: inactive

UDP Flood status Specifies whether the profile protects against UDP Flood attacks.

Default: inactive

IGMP Flood status Specifies whether the profile protects against IGMP Flood attacks.

Default: inactive

ICMP Flood status Specifies whether the profile protects against ICMP Flood attacks.

Default: inactive

Configuration of the inbound traffic in [Kbit/Sec]

The highest expected volume of inbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings.

Values: 0 – 2,147,483,647

Caution: You must configure this setting to start Behavioral DoS protection.

Configuration of the outbound traffic in [Kbit/Sec]

The highest expected volume of outbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings.

Values: 0 – 2,147,483,647

Caution: You must configure this setting to start Behavioral DoS protection.

Packet Trace Status Specifies whether the profile sends attack packets to the specified physical port.

Default: disable

DNS Protection

DNS Protection Global Parameters

DNS Flood Protection, which you can use in your network-protection policy, defends your network from zero-day DNS-flood attacks. These attacks fill available DNS bandwidth with irrelevant traffic, denying legitimate users DNS lookups. The attacks originate in the public network and threaten Internet-connected organizations.

The DNS Flood profiles detect traffic anomalies and prevent zero-day, unknown, DNS flood attacks by identifying the footprint of the anomalous traffic.

DNS Flood Protection types can include the following DNS query types:

A

MX

PTR

AAAA

Text

SOA

NAPTR

SRV

Other

DNS Flood Protection detects statistical anomalies in DNS traffic and generates an accurate attack footprint based on heuristic analysis of protocol information. This ensures accurate attack filtering with minimal risk of false positives. The default average time to create a new signature is between 10 and 18 seconds, which is short relative to flood attacks, which can last for minutes and sometimes hours.

Before you configure DNS Flood Protection profiles, ensure that DNS Flood Protection is enabled. You can also change the default global device settings for DNS Flood Protection. The DNS Flood Protection global settings apply to all the network protection policies rules with DNS Flood profiles on the device.

Note: Changing the setting of this parameter requires a reboot to take effect.

To enable DNS Protection

1. Select DDoS Protector > Denial of Service > DNS Protection > Global Parameters.

2. Select enable from the drop-down list.

3. Click Set.

Advanced

DNS Protection Advanced Profiles

Use the DNS Protection Advanced Profiles pane to configure DNS-Flood Protection profiles with advanced parameters.

DDoS Protector uses the bandwidth and quota values to derive a baseline for normal inbound and outbound traffic.

DNS Protection profiles can be used only in one-way policies.

It is recommended to configure policies that include DNS Protection profiles using Networks with source = Any, the public network, and destination = Protected Network.

Note: Check Point recommends that you initially leave the quota fields (for example, DNS A quota) empty so that the default values are used automatically. To view the default values after creating the profile, click the entry in the table. You can then adjust the quota values based on your network performance.

The total quota values may exceed 100%, as each value represents the maximum volume per protocol.

To configure a DNS Protection profile with advanced parameters

1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Profiles Configuration.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Profile Name The user-defined name for the profile.

Expected QPS The expected rate, in queries per second, of DNS queries.

DNS A Flood status Specifies whether this profile protects against DNS A Flood attacks.

Values: inactive, active

Default: inactive

DNS A quota The maximum expected percentage of DNS A traffic out of the total DNS traffic.

DNS MX Flood status Specifies whether this profile protects against DNS MX Flood attacks.

Values: inactive, active

Default: inactive

DNS MX quota The maximum expected percentage of DNS MX traffic out of the total DNS traffic.

DNS PTR Flood status Specifies whether this profile protects against DNS PTR Flood attacks.

Values: inactive, active

Default: inactive

DNS PTR quota The maximum expected percentage of DNS PTR traffic out of the total DNS traffic.

DNS AAAA Flood status Specifies whether this profile protects against DNS AAAA Flood attacks.

Values: inactive, active

Default: inactive

DNS AAAA quota The maximum expected percentage of DNS AAAA traffic out of the total DNS traffic.

DNS TEXT Flood status Specifies whether this profile protects against DNS TEXT Flood attacks.

Values: inactive, active

Default: inactive

DNS TEXT quota The maximum expected percentage of DNS TEXT traffic out of the total DNS traffic.

DNS SOA Flood status Specifies whether this profile protects against DNS SOA Flood attacks.

Values: inactive, active

Default: inactive

DNS SOA quota The maximum expected percentage of DNS SOA traffic out of the total DNS traffic.

DNS NAPTR Flood status Specifies whether this profile protects against DNS NAPTR Flood attacks.

Values: inactive, active

Default: inactive

DNS NAPTR quota The maximum expected percentage of DNS NAPTR traffic out of the total DNS traffic.

DNS SRV Flood status Specifies whether this profile protects against DNS SRV Flood attacks.

Values: inactive, active

Default: inactive

DNS SRV quota The maximum expected percentage of DNS SRV traffic out of the total DNS traffic.

DNS OTHER Flood status Specifies whether this profile protects against DNS OTHER Flood attacks.

Values: inactive, active

Default: inactive

DNS OTHER quota The maximum expected percentage of other DNS traffic (that is, not A, MX, PTR, AAAA, TEXT, SOA, NAPTR, or SRV) out of the total DNS traffic.

Max Allowed QPS The maximum allowed rate of DNS queries per second.

Values: 0–4,000,000

Default: 0

Note: When Manual Triggers Status is set to enable, the Manual Triggers Max QPS Target value overrides this value.

Signature Rate limit Target The percentage of the DNS traffic that matches the real-time signature that the profile will not mitigate above the baseline.

Values: 0–100

Default: 0

Packet Trace Status Specifies whether the DDoS Protector device sends attack packets to the specified physical port.

Default: disable

Action The action that the profile takes on DNS traffic during an attack.

Values: Block and Report, Report Only

Default: Block and Report

Manual Triggers Status Specifies whether the profile uses user-defined DNS QPS thresholds instead of the learned baselines.

Default: disable

Manual Triggers Activation Threshold

The minimum number of queries per second—after the specified Activation Period—on a single connection that causes the device to consider there to be an attack. When the device detects an attack, it issues an appropriate alert and drops the DNS packets that exceed the threshold. Packets that do not exceed the threshold bypass the DDoS Protector device.

Values: 0–4,000,000

Default: 0

Manual Triggers Termination Threshold

The maximum number of queries per second—after the specified Termination Period—on a single connection that causes the device to consider the attack to have ended.

Values: 0–4,000,000

Default: 0

Note: The Termination Threshold must be less than or equal to the Activation Threshold.

Manual Triggers Max QPS Target

The maximum allowed rate of DNS queries per second.

Values: 0–4,000,000

Default: 0

Manual Triggers Activation Period

The number of consecutive seconds that the DNS traffic on a single connection exceeds the Activation Threshold that causes the device to consider there to be an attack.

Values: 0–30

Default: 3

Manual Triggers Termination Period

The time, in seconds, that the DNS traffic on a single connection is continuously below the Termination Threshold, which causes the device to consider the attack to have ended.

Values: 0–30

Default: 3

Manual Triggers Escalation Period

The time, in seconds, that the device waits before escalating to the next specified Mitigation Action.

Values: 0–30

Default: 3
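As an added illustration of the Manual Triggers parameters (this is example code written for this page, not the guide's or the device's own logic), the following model feeds per-second query counts for one connection through the Activation and Termination Threshold/Period rules. The drop rule, the constructed sample traffic, and leaving Max QPS Target and Escalation Period out of the model are this example's own assumptions.

```python
"""Manual Triggers model for a DNS Protection profile (added example, not Check Point code).

Feeds per-second query counts for one connection through the Activation /
Termination Threshold and Period rules. The drop rule ("drops the DNS packets
that exceed the threshold") is modelled as dropping the part of each second's
queries above the Activation Threshold while an attack is active. Max QPS
Target and Escalation Period are not modelled (assumption of this example).
"""
from dataclasses import dataclass


@dataclass
class ManualTriggers:
    activation_threshold: int        # queries/s, 0-4,000,000
    termination_threshold: int       # queries/s, must be <= activation_threshold
    activation_period: int = 3       # consecutive seconds, 0-30 (default 3)
    termination_period: int = 3      # consecutive seconds, 0-30 (default 3)

    def __post_init__(self):
        # The guide's note: Termination Threshold <= Activation Threshold.
        if self.termination_threshold > self.activation_threshold:
            raise ValueError("Termination Threshold must be <= Activation Threshold")
        for p in (self.activation_period, self.termination_period):
            if not 0 <= p <= 30:
                raise ValueError("periods must be within 0-30 seconds")


def run_manual_triggers(qps_samples, cfg):
    """Return (events, timeline).

    events   - list of (second, "start" | "end") attack transitions
    timeline - list of (second, qps, state, dropped) for every sample
    """
    events, timeline = [], []
    attacking = False
    above = below = 0
    for t, qps in enumerate(qps_samples):
        dropped = 0
        if not attacking:
            # Count consecutive seconds at or above the Activation Threshold.
            above = above + 1 if qps >= cfg.activation_threshold else 0
            if above >= max(cfg.activation_period, 1):   # period 0 = trigger at once
                attacking, below = True, 0
                events.append((t, "start"))
        else:
            # Count consecutive seconds at or below the Termination Threshold.
            below = below + 1 if qps <= cfg.termination_threshold else 0
            if below >= max(cfg.termination_period, 1):
                attacking, above = False, 0
                events.append((t, "end"))
        if attacking:
            dropped = max(0, qps - cfg.activation_threshold)
        timeline.append((t, qps, "attack" if attacking else "normal", dropped))
    return events, timeline


def total_dropped(timeline):
    return sum(d for _, _, _, d in timeline)


# Constructed sample: per-second query counts on one connection (not real traffic).
SAMPLE_QPS = [200, 1500, 1600, 1700, 1800, 400, 300, 200, 100, 2000]
SAMPLE_CFG = ManualTriggers(activation_threshold=1000, termination_threshold=500)

if __name__ == "__main__":
    events, timeline = run_manual_triggers(SAMPLE_QPS, SAMPLE_CFG)
    for row in timeline:
        print("t=%2d qps=%5d %-6s dropped=%d" % row)
    print(events, "total dropped:", total_dropped(timeline))
```

With the sample above the attack is declared in the third consecutive second above 1000 QPS and ended after three consecutive seconds at or below 500 QPS; the lone 2000 QPS second at the end does not re-trigger it.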

DNS Protection Advanced Global Parameters

The DNS Protection Advanced Setting window enables you to set the learning response period upon which baselines are primarily weighted, enable or disable sampling, and define the strictness level of the footprint.

To configure the DNS Protection advanced global parameters

1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Global Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Learning Response Period The initial period from which baselines are primarily weighted.

The default and recommended learning response period is one week.

If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change more than 50% daily), set the learning response to one month. Use a one-day period for testing purposes only.

Values: day, week, month

Default: week

Sampling Status Specifies whether the DNS Flood Protection module uses traffic-statistics sampling during the creation phase of the footprint.

Values:

enable—Traffic statistics are aggregated through a sampling algorithm, which improves the overall performance of the DNS Flood Protection module. Although the decision engine is tuned according to the sampling error, the chance of false-positive decisions is increased.

disable—Traffic statistics are aggregated without sampling.

Default: enable

Footprint Strictness When the DNS Flood Protection module detects a new attack, the module generates an attack footprint to block the attack traffic. If the module is unable to generate a footprint that meets the footprint-strictness condition, the module issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint. However, higher strictness increases the probability that the module cannot generate a footprint.

Values:

high—Enforces at least three Boolean ANDs and no other Boolean OR value in the footprint. This level lowers the probability for false positives but increases the probability for false negatives.

medium—Enforces at least two Boolean ANDs and no more than two additional Boolean OR values in the footprint.

low—Allows any footprint suggested by the DNS Flood Protection module. This level achieves the best attack blocking, but increases the probability of false positives.

Notes:

The DNS Flood Protection module always considers the checksum field and the sequence number fields as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered as High Footprint Strictness.

See the table below for examples of footprint strictness requirements.

Footprint Strictness Examples

Footprint Example                        Strictness Level
                                         Low    Medium    High
DNS Query                                Yes    No        No
DNS Query AND DNS ID                     Yes    Yes       No
DNS Query AND DNS ID AND Packet Size     Yes    Yes       Yes
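The strictness rules and the example table can be checked with a small classifier; this is an added example rather than the module's own logic. Its representation of a footprint as AND-ed fields with optional OR-ed values, and its treatment of a High footprint as also satisfying Medium and Low, are assumptions of the example.

```python
"""Footprint-strictness check modelled on the DNS Flood Protection rules above
(added example, not Check Point code).

A footprint is a list of AND-ed clauses; each clause names one header field and
one or more values, where more than one value means a Boolean OR on that field.
Reading of the rules used here:
  high   - at least three AND-ed fields and no OR values
  medium - at least two AND-ed fields and at most two OR values
  low    - any footprint
plus the note that a footprint made only of checksum / sequence-number fields
is always High. Treating High as also satisfying Medium is an assumption.
"""
from dataclasses import dataclass

ALWAYS_HIGH_FIELDS = {"checksum", "sequence number"}
LEVELS = ("low", "medium", "high")


@dataclass(frozen=True)
class Clause:
    field: str
    values: tuple = ("*",)  # two or more values = OR on this field


def parse_footprint(text):
    """Parse e.g. 'DNS Query(A,MX) AND DNS ID AND Packet Size' into clauses.

    A comma-separated list in parentheses gives OR-ed values for the field;
    a bare field name is a single match on that field.
    """
    clauses = []
    for part in text.split(" AND "):
        part = part.strip()
        if "(" in part and part.endswith(")"):
            field, raw = part[:-1].split("(", 1)
            values = tuple(v.strip() for v in raw.split(",") if v.strip())
        else:
            field, values = part, ("*",)
        clauses.append(Clause(field.strip(), values))
    return clauses


def and_terms(footprint):
    return len(footprint)


def or_values(footprint):
    return sum(len(c.values) - 1 for c in footprint)


def meets(footprint, level):
    """True if the footprint satisfies the given strictness level."""
    if not footprint:
        return False
    if level == "low":
        return True
    ands, ors = and_terms(footprint), or_values(footprint)
    # Checksum / sequence-number-only footprints are High by definition.
    only_always_high = all(c.field.lower() in ALWAYS_HIGH_FIELDS for c in footprint)
    is_high = ors == 0 and (ands >= 3 or only_always_high)
    if level == "high":
        return is_high
    if level == "medium":
        return is_high or (ands >= 2 and ors <= 2)
    raise ValueError(f"unknown strictness level: {level}")


def strictness_row(text):
    """Yes/No per level for one footprint, like the guide's example table."""
    fp = parse_footprint(text)
    return {lvl: ("Yes" if meets(fp, lvl) else "No") for lvl in LEVELS}


def mitigation_decision(text, configured_level):
    """'block' if the generated footprint meets the configured Footprint Strictness,
    otherwise 'report only' (the module notifies but does not block)."""
    return "block" if meets(parse_footprint(text), configured_level) else "report only"


if __name__ == "__main__":
    for fp in ("DNS Query", "DNS Query AND DNS ID", "DNS Query AND DNS ID AND Packet Size"):
        print(f"{fp:40} {strictness_row(fp)}")
```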

DNS Protection Learning Reset

Use the DNS Protection Learning Reset pane to reset the learning period for specific policies or all policies.

DNS Flood protection learns traffic parameters from the transport layer of incoming packets and generates normative baselines for traffic.

The Learning Period setting defines the period based upon which baselines are primarily weighted.

When the baseline for the policy is reset, the baseline traffic statistics are cleared, and then DDoS Protector immediately initiates a new learning period. Generally, this is done when the characteristics of the protected network have changed entirely and bandwidth quotas need to be changed to accommodate the network changes.

To reset the policy baseline

1. Select DDoS Protector > Behavioral DoS > Advanced > Learning Reset.

2. From the Reset Baseline For Policy drop-down list, select a policy or select All Policies.

3. Click Set.

Mitigation Configuration

Attack Termination Configuration

The DNS Protection mechanism assigns various internally defined states for each protection (belonging to the DNS protection policy and protection type).

The internally defined states for protections include the following:

Normal state

Analysis state—state 2

Blocking state—state 6

Anomaly state—state 3

As soon as DDoS Protector detects anomalous traffic, the protection changes state, from Normal to Analysis. By default, if DDoS Protector detects anomalous traffic for less than 10 seconds, the protection changes state back to Normal.

In a laboratory environment, it is possible to generate traffic that exhibits periodic behavior in terms of traffic volume. Such traffic in a test attack typically looks like a square-wave function. When such test attacks exhibit peaks and troughs of certain durations, DDoS Protector will consider the attack to have ended (terminated)—switching back to the Normal state, never blocking the attack. The advanced mitigation interface enables you to extend pre-termination durations so that such traffic is blocked.

Note: In a production environment, highly orchestrated and synchronized attacks are unlikely, and the default values in a DDoS Protector device configuration are adequate.

To configure attack-termination criteria

1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Attack Termination Configuration.

2. Configure the parameters and click Set.

Parameter Description

Stability Counter State 2 The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold while in the Analysis state before DDoS Protector declares the attack terminated. When this value is 0, DDoS Protector declares the attack terminated immediately.

Values: 0 – 30

Default: 0

Stability Counter State 6 The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold while in the Blocking state before DDoS Protector declares the attack terminated. When this value is 0, DDoS Protector declares the attack terminated immediately. There is no typical use case for reducing the value from the default.

Values: 0 – 300

Default: 10

Stability Counter State 3 The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold while in the Anomaly state before DDoS Protector declares the attack terminated. When this value is 0, DDoS Protector declares the attack terminated immediately.

Values: 0 – 300

Default: 10
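To show why a square-wave test attack never reaches Blocking with the default counters, here is a simplified state model written for this page (not the device's implementation). The 10-second Analysis-to-Blocking default comes from the text above; the exact counter semantics, and the constructed square-wave input, are this example's assumptions.

```python
"""Simplified model of the Analysis / Blocking termination rules above
(added example, not Check Point code).

Input is one boolean per second: whether the degree of attack is above the
hard-coded anomaly threshold. Assumptions of this model: a protection that
stays in Analysis for 10 s (the default quoted in the guide) moves to Blocking;
a stability counter of N means the attack is declared terminated once the
degree of attack has stayed below the threshold for N consecutive seconds,
with 0 meaning the first quiet second terminates it.
"""
NORMAL, ANALYSIS, BLOCKING = "Normal", "Analysis (state 2)", "Blocking (state 6)"
ANALYSIS_TO_BLOCKING_SECONDS = 10


def square_wave(on_seconds, off_seconds, total_seconds):
    """Constructed lab-style traffic: 'on' = anomalous, 'off' = quiet, repeated."""
    period = on_seconds + off_seconds
    return [(t % period) < on_seconds for t in range(total_seconds)]


def simulate(anomalous_per_second, stability_state2=0, stability_state6=10):
    """Return the protection state observed at the end of each second."""
    state, elapsed, calm = NORMAL, 0, 0
    states = []
    for anomalous in anomalous_per_second:
        if state == NORMAL:
            if anomalous:
                state, elapsed, calm = ANALYSIS, 1, 0
        elif state == ANALYSIS:
            elapsed += 1
            calm = 0 if anomalous else calm + 1
            if calm >= max(stability_state2, 1):
                state = NORMAL          # terminated before a footprint could block
            elif elapsed >= ANALYSIS_TO_BLOCKING_SECONDS:
                state, calm = BLOCKING, 0
        else:  # BLOCKING
            calm = 0 if anomalous else calm + 1
            if calm >= max(stability_state6, 1):
                state = NORMAL
        states.append(state)
    return states


def first_blocking_second(states):
    """Second at which Blocking is first reached, or None if never."""
    return next((t for t, s in enumerate(states) if s == BLOCKING), None)


if __name__ == "__main__":
    wave = square_wave(on_seconds=6, off_seconds=2, total_seconds=30)
    print("default counters :", first_blocking_second(simulate(wave)))
    print("state-2 counter 3:", first_blocking_second(simulate(wave, stability_state2=3)))
```

With a 6 s on / 2 s off wave the default Stability Counter State 2 of 0 terminates the attack at every trough, so Blocking is never reached; raising it to 3 carries the protection through the 2-second troughs and it blocks at second 9.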

Methods

When the protection is enabled and the device detects that a DNS-flood attack has started, the device implements the Mitigation Actions in escalating order—in the order that they appear in the group box. If the first enabled Mitigation action does not mitigate the attack satisfactorily (after a certain Escalation Period), the device implements the next more-severe enabled Mitigation Action, and so on. As the most severe Mitigation Action, the device always implements the Collective Rate Limit, which limits the rate of all DNS queries to the protected server.

To configure DNS Protection mitigation methods

1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Methods.

2. Configure the parameters and click Set.

Parameter Description

Signature challenge mitigation status

Specifies whether the device challenges suspect DNS queries that match the real-time signature.

Default: enable

Note: DDoS Protector challenges only A and AAAA query types.

Signature rate-limit mitigation status

Specifies whether the device limits the rate of DNS queries that match the real-time signature.

Default: enable

Collective challenge mitigation status

Specifies whether the device challenges all unauthenticated DNS queries to the protected server.

Default: enable

Note: DDoS Protector challenges only A and AAAA query types.

Collective rate-limit mitigation status

(Read-only) The device limits the rate of all DNS queries to the protected server.

Value: enable

Packet Header Field Selection

If the value in the Any Packet Header Field drop-down list in the Early Blocking Configuration Update window is false, you can select specific packet-header fields for early blocking of DoS traffic.

Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.

To select packet-header fields for early blocking of DNS DoS traffic

1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Packet Header Fields Selection.

2. Select the protection type next to the relevant packet-header field.

3. From the Early Detection Condition drop-down list, select:

yes—DDoS Protector must detect this field to generate a footprint in less than 10 seconds.

no—DDoS Protector can use this field in the footprint, but it is not enough for early blocking.

4. Click Set.

Early Blocking Configuration

In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start blocking as soon as possible—even if accuracy is compromised. Using Early Blocking of DoS Traffic—configuring thresholds for generating DoS-attack footprints—you can shorten the Analysis state and start blocking the relevant traffic.

Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.

To configure early blocking of DNS DoS traffic

1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Early Blocking Configuration.

2. Select the Protection type you want to configure for early blocking.

3. Configure the parameters and click Set.

Parameter Description

Any Packet Header Field Specifies the parameters according to which the device blocks DoS traffic early.

Values:

true—the device blocks DoS traffic early based on the specified number of packet-header fields and number of packet-header-field values thresholds.

false—the device blocks DoS traffic early based on the fields as displayed in the Packet Header Fields Selection window.

Any Packet Header Field threshold

The number of anomalous packet-header fields that the device must detect to generate a footprint and change to the Blocking state before the default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.)

Values: 1 – 20

Default (per protection):

ICMP—17

IGMP—16

TCP-ACK-FIN—17

TCP-FRAG—17

TCP-RST—17

TCP-SYN—17

TCP-SYN-ACK—17

UDP—20

Packet Header Field Values The number of anomalous packet-header-field values that the device must detect to generate a footprint and change to the Blocking state.

Values: 1–500

Default: 500

SDM Challenge Response Configuration

To configure SDM challenge response

1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > SDM.

2. Configure the parameter and click Set.

Parameter Description

SDM Protocol Compliance Checks Status

Specifies whether the device checks each DNS query for DNS protocol compliance and drops the non-compliant queries.

Default: disable

DNS Footprint Bypass

You can define footprint bypass types and values that will not be used as part of a real-time signature. The types and values will not be used in OR or AND operations within the blocking rule (real-time signature), even when the protection engine suggests that the traffic is a real-time signature candidate.

To configure DNS footprint bypass

1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Footprint Bypass.

2. Click the controller name of the DNS query type for which you want to configure footprint bypass.

3. Configure the parameters and click Set.

Parameter Description

Controller (Read-only) The selected DNS query type for which you are configuring footprint bypass.

Bypass Field (Read-only) The selected Bypass Field to configure.

Bypass Status The bypass option.

Values:

bypass—The DNS Flood Protection module bypasses all possible values of the selected Bypass Field when generating a footprint.

accept—The DNS Flood Protection module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.

Bypass Values Used if the value of the Bypass Status parameter is Accept. DNS Flood Protection bypasses only the values of a selected Bypass Type, while it may use all other values. These values vary according to the Bypass Field selected. The values in the field must be comma-delimited.

DNS Protection Profile

Use the DNS Protection Profiles pane to configure DNS-Flood Protection profiles with basic parameters.

DDoS Protector uses the bandwidth and quota values to derive a baseline for normal inbound and outbound traffic.

DNS Protection profiles can be used only in one-way policies.

It is recommended to configure policies that include DNS Protection profiles using Networks with source = Any, the public network, and destination = Protected Network.

Note: Check Point recommends that you initially leave the quota fields (for example, DNS A quota) empty so that the default values are used automatically. To view the default values after creating the profile, click the entry in the table. You can then adjust the quota values based on your network performance.

The total quota values may exceed 100%, as each value represents the maximum volume per protocol.

To configure a DNS Protection profile with basic parameters

1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Profiles Configuration.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Profile Name The user-defined name for the profile.

Expected QPS The expected rate, in queries per second, of DNS queries.

DNS A Flood status Specifies whether this profile protects against DNS A Flood attacks.

Values: inactive, active

Default: inactive

DNS A quota The maximum expected percentage of DNS A traffic out of the total DNS traffic.

DNS MX Flood status Specifies whether this profile protects against DNS MX Flood attacks.

Values: inactive, active

Default: inactive

DNS MX quota The maximum expected percentage of DNS MX traffic out of the total DNS traffic.

DNS PTR Flood status Specifies whether this profile protects against DNS PTR Flood attacks.

Values: inactive, active

Default: inactive

DNS PTR quota The maximum expected percentage of DNS PTR traffic out of the total DNS traffic.

DNS AAAA Flood status Specifies whether this profile protects against DNS AAAA Flood attacks.

Values: inactive, active

Default: inactive

DNS AAAA quota The maximum expected percentage of DNS AAAA traffic out of the total DNS traffic.

DNS TEXT Flood status Specifies whether this profile protects against DNS TEXT Flood attacks.

Values: inactive, active

Default: inactive

DNS TEXT quota The maximum expected percentage of DNS TEXT traffic out of the total DNS traffic.

DNS SOA Flood status Specifies whether this profile protects against DNS SOA Flood attacks.

Values: inactive, active

Default: inactive

DNS SOA quota The maximum expected percentage of DNS SOA traffic out of the total DNS traffic.

DNS NAPTR Flood status Specifies whether this profile protects against DNS NAPTR Flood attacks.

Values: inactive, active

Default: inactive

DNS NAPTR quota The maximum expected percentage of DNS NAPTR traffic out of the total DNS traffic.

DNS SRV Flood status Specifies whether this profile protects against DNS SRV Flood attacks.

Values: inactive, active

Default: inactive

DNS SRV quota The maximum expected percentage of DNS SRV traffic out of the total DNS traffic.

DNS OTHER Flood status Specifies whether this profile protects against DNS OTHER Flood attacks.

Values: inactive, active

Default: inactive

DNS OTHER quota The maximum expected percentage of other DNS traffic (that is, not A, MX, AAAA, TEXT, SOA, NAPTR, or SRV) out of the total DNS traffic.


Max Allowed QPS The maximum allowed rate of DNS queries per second, when the Manual Triggers option is not enabled.

Values: 0–4,000,000

Default: 0

Note: When the Manual Triggers option is enabled (see DNS Protection Advanced Profiles), the Manual Triggers Max QPS Target value overrides this value.

Signature Rate limit Target The percentage of the DNS traffic that matches the real-time signature that the profile will not mitigate above the baseline.

Values: 0–100

Default: 0

Packet Trace Status Specifies whether the DDoS Protector device sends attack packets to the specified physical port.

Default: disable

Action The action that the profile takes on DNS traffic during an attack.

Values: Block and Report, Report Only

Default: Block and Report

SYN Protection

SYN Protection: Global Parameters

A SYN flood attack is usually aimed at specific servers with the intention of consuming the server’s resources. However, you configure SYN Protection as a Network Protection to allow easier protection of multiple network elements.

Before you configure SYN profiles for the network-protection policy, ensure the following:

SYN Protection is enabled and the SYN Flood Protection global parameters are configured.

The Session table Lookup Mode is Full Layer 4.

To enable SYN Flood Protection

1. Select DDoS Protector > Denial of Service > SYN Protection.

2. From the drop-down list, select enable.

3. Click Set.

Note: Changing the setting of this parameter requires a reboot to take effect.

SYN Protection: Advanced Parameters

The SYN Protection Advanced Settings window exposes the advanced SYN Protection tuning parameters.

To set the SYN protection advanced parameters

1. Select DDoS Protector > Denial of Service > SYN Protection > Advanced Parameters.

2. Configure the parameters and click Set.


Parameter Description

Tracking time The time, in seconds, during which the device tracks the number of SYN packets directed to the same destination. DDoS Protector uses the value to determine when to activate and deactivate SYN Protections.

Values: 1 – 10

Default: 5

Attacks

SYN Static Attacks

Predefined SYN Protections, referred to as SYN Static Attacks, are available for the most common applications: FTP, HTTP, HTTPS, IMAP, POP3, RPS, RTSP, SMTP, and Telnet. The thresholds are predefined by Check Point. Use the SYN Protection Static Attack Configuration pane to change the thresholds for these attacks. You cannot delete SYN Static Attacks.

Caution: DDoS Protector x06 does not support physical-port classification for SYN Protection. When triggered, all traffic that matches the attacked destination—classified by destination IP address, Layer 4 port number, and optionally a VLAN tag—will be challenged, regardless of the physical port identification. That is, even if the attack is carried out through a specific physical port, all traffic from all ports that matches the other parameters will be challenged.

To edit a static attack

1. Select DDoS Protector > SYN Protection > Attacks > Static.

2. Click on the name of an attack that you want to edit.

3. Configure the parameters, and click Set.

Parameter Description

ID (Read-only) The ID number assigned to the protection.

Attack Name A name for easy identification of the attack for configuration and reporting.

ApplicationPortGroup (Read-only) The group of TCP ports that represent the application that you want to protect.

Activation Threshold If the average rate of SYN packets received at a certain destination is higher than this threshold, the protection is activated.

Values: 1 – 150,000

Default: 2500

Termination Threshold If the average rate of SYN packets received at a certain destination for the duration of the tracking period drops below this threshold, the protection is stopped.

Values: 1 – 150,000

Default: 1500


Attack Type (Read-only) Specifies whether the SYN protection is a predefined (static) or user-defined (user) protection.

Risk The risk level assigned to this attack for reporting purposes.

Values:

low

medium

high

SYN: User Attacks

After you define SYN flood protections, you can add them to SYN profiles.

Caution: DDoS Protector x06 does not support physical-port classification for SYN Protection. When triggered, all traffic that matches the attacked destination—classified by destination IP address, Layer 4 port number, and optionally a VLAN tag—will be challenged, regardless of the physical port identification. That is, even if the attack is carried out through a specific physical port, all traffic from all ports that matches the other parameters will be challenged.

To edit a static attack

1. Select DDoS Protector > SYN Protection > Attacks > Static.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

ID The ID number assigned to the protection.

Enter 0 to cause the device to generate a valid ID.

Attack Name A name for easy identification of the attack for configuration and reporting.

ApplicationPortGroup The group of TCP ports that represent the application that you want to protect. Specify an existing group, or leave the field empty to select any port.

Activation Threshold If the average rate of SYN packets received at a certain destination is higher than this threshold, the protection is activated.

Values: 1 – 150,000

Default: 2500

Termination Threshold If the average rate of SYN packets received at a certain destination for the duration of the tracking period drops below this threshold, the protection is stopped.

Values: 1 – 150,000

Default: 1500


Risk The risk level assigned to this attack for reporting purposes.

Values:

low

medium

high

Profiles

SYN Static Profiles

The SYN Profiles window enables you to create a new SYN Profile. First, you need to create a profile, and then add the attacks you wish to protect against. The profile may then be included in the SYN Protection Policy.

To create a new SYN profile

1. Select DDoS Protector > SYN Protection > Profiles > Profile Attacks.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

SYN Profile The name for the profile.

SYN Attack From the drop-down list, select the type of attacks to include in this profile.

SYN Protection Profiles Parameters

Use the SYN Protection Profiles Parameters pane to specify the authentication parameters of an existing profile.

To specify the authentication parameters of a profile

1. Select DDoS Protector > SYN Protection > Profiles > Profiles Parameters.

2. Click the profile in the Profile Name column.

3. Configure the parameters, and click Set.

Parameter Description

Profile Name (Read-only) The name of the profile.

Authentication Method The authentication method that the device uses at the transport layer.

When the device is installed in an ingress-only topology, select the Safe-Reset method.

Values:


transparent-proxy—When the device receives a SYN packet, the device replies with a SYN ACK packet with a cookie in the Sequence Number field. If the response is an ACK that contains the cookie, the device considers the session to be legitimate. Then, the device opens a connection with the destination and acts as transparent proxy between the source and the destination.

safe-reset—When the device receives a SYN packet, the device responds with an ACK packet whose invalid Sequence Number field serves as a cookie. If the client responds with an RST that carries the cookie, the device discards the packet and adds the source IP address to the TCP Authentication Table. The next SYN packet from the same source passes through the device, and the session is approved for the server. The device saves the source IP address for a specified time. Typically, you specify this method when the network policy rule handles only ingress traffic.

Default: Transparent Proxy

Use HTTP Authentication Specifies whether the device authenticates the transport layer of HTTP traffic using SYN cookies and then authenticates the HTTP application layer using the specified HTTP Authentication Method.

Values:

enable—The device authenticates the transport layer of HTTP traffic using SYN cookies and then authenticates the HTTP application layer using the specified HTTP Authentication Method.

disable—The device handles HTTP traffic using the specified TCP Authentication Method.

Default: disable

HTTP Authentication Method The method that the profile uses to authenticate HTTP traffic at the application layer.

Values:

Redirect—The device authenticates HTTP traffic using a 302-Redirect response code.

JavaScript—The device authenticates HTTP traffic using a JavaScript object generated by the device.

Default: 302-Redirect

Notes:

Some attack tools are capable of handling 302-redirect responses. The HTTP Redirect HTTP Authentication Method is not effective against attacks that use those tools. The JavaScript HTTP Authentication Method requires an engine on the client side that supports JavaScript, and therefore, the JavaScript option is considered stronger. However, the JavaScript option has some limitations, which are relevant in certain scenarios.

Limitations when using the JavaScript HTTP Authentication Method:

If the browser does not support JavaScript calls, the browser will not answer the challenge.

When the protected server is accessed as a sub-page through another (main) page only using JavaScript, the user session will fail (that is, the browser will not answer the challenge). For example, if the protected server supplies content that is requested using a JavaScript tag, the DDoS Protector JavaScript is enclosed within the original JavaScript block. This violates JavaScript rules, which results in a challenge failure. Example: the request in bold below accesses a secure server:

<script>
  setTimeout(function(){
    var js=document.createElement("script");
    js.src="http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
    document.getElementsByTagName("head")[0].appendChild(js);
  },1000);
</script>

The returned challenge page contains the <script> tag again, which is illegal, and therefore, it is dropped by the browser without making the redirect.
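The following Python model of the two transport-layer authentication methods described above (transparent-proxy and safe-reset) is an added illustration, not Check Point code. The device's actual cookie construction, the exact field that carries the safe-reset cookie and the lifetime of a TCP Authentication Table entry are not documented here, so the HMAC-based cookie, placing the safe-reset cookie in the acknowledgment number (so that a standard TCP stack in SYN-SENT answers with an RST whose sequence number echoes it, per RFC 793) and the 60-second table lifetime are assumptions of the example; the addresses and packets are constructed. It shows why a spoofed-source SYN flood never yields an authenticated session under either method, while a real client completes the exchange with one SYN (transparent proxy) or a retransmitted SYN (safe reset).

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed secret for the example; the real device's cookie material is not documented here.
COOKIE_SECRET = b"example-cookie-secret"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


def cookie(src, sport, dst, dport):
    """Stateless 32-bit cookie bound to the 4-tuple, so the device keeps no state per SYN."""
    msg = f"{src}:{sport}->{dst}:{dport}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:4], "big")


class TransparentProxyAuth:
    """transparent-proxy: the SYN is answered with a SYN-ACK whose sequence number is the
    cookie; an ACK acknowledging cookie+1 proves the source is reachable, and the device
    then opens the server side and proxies the session."""

    def __init__(self):
        self.proxied = set()

    def handle(self, pkt):
        c = cookie(pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "SYN":
            return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "SYN-ACK", seq=c, ack=pkt.seq + 1)
        if pkt.flags == "ACK" and (pkt.ack - 1) & 0xFFFFFFFF == c:
            self.proxied.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "open-proxied-session"
        return "drop"


class SafeResetAuth:
    """safe-reset: the SYN is answered with a bare ACK carrying the cookie as an (invalid)
    acknowledgment number (assumption). A real client answers with an RST whose sequence
    number equals that bad ACK number; that proves the source, which is whitelisted for
    `ttl` seconds so that its next SYN passes through to the server."""

    def __init__(self, ttl=60.0):
        self.ttl = ttl        # assumed lifetime of a TCP Authentication Table entry
        self.auth_table = {}  # source IP -> expiry time

    def handle(self, pkt, now):
        c = cookie(pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "SYN":
            if self.auth_table.get(pkt.src, -1.0) > now:
                return "forward"  # authenticated source: the SYN reaches the server
            return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "ACK", ack=c)
        if pkt.flags == "RST" and pkt.seq == c:
            self.auth_table[pkt.src] = now + self.ttl
        return "drop"  # the RST itself never reaches the server


SERVER = ("203.0.113.5", 80)  # constructed protected server


def legit_transparent(auth):
    syn = Packet("198.51.100.10", 40000, *SERVER, "SYN", seq=1000)
    synack = auth.handle(syn)
    ack = Packet(syn.src, syn.sport, syn.dst, syn.dport, "ACK", seq=synack.ack, ack=synack.seq + 1)
    return auth.handle(ack)


def spoofed_flood_transparent(auth, n=1000):
    # Spoofed sources never see the SYN-ACK, so no valid ACK arrives and nothing is proxied.
    for i in range(n):
        auth.handle(Packet(f"10.0.{i // 256}.{i % 256}", 5000 + i, *SERVER, "SYN", seq=i))
    return len(auth.proxied)


def legit_safe_reset(auth, now=0.0):
    syn = Packet("198.51.100.10", 40000, *SERVER, "SYN", seq=1000)
    challenge = auth.handle(syn, now)
    rst = Packet(syn.src, syn.sport, syn.dst, syn.dport, "RST", seq=challenge.ack)
    first = auth.handle(rst, now)                   # "drop", but the source is recorded
    retry = auth.handle(syn, now + 1.0)             # retransmitted SYN: "forward"
    later = auth.handle(syn, now + auth.ttl + 1.0)  # entry expired: challenged again
    return first, retry, isinstance(later, Packet)


def spoofed_flood_safe_reset(auth, n=1000, now=0.0):
    # Spoofed sources never receive the challenge ACK, so no RST with the cookie ever arrives.
    for i in range(n):
        auth.handle(Packet(f"10.0.{i // 256}.{i % 256}", 5000 + i, *SERVER, "SYN", seq=i), now)
    return len(auth.auth_table)
```

The safe-reset path is what makes the method usable in an ingress-only topology: the device never has to see the server's replies, because the proof of reachability is the client's own RST to the challenge.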

Out-of-State

Out-of-State Global Parameters

Out of State Protection detects out-of-state packets to provide additional protection for application-level attacks.

To configure global stateful inspection parameters

1. Select DDoS Protector > Denial of Service > Out-of-State > Global Parameters.

2. From the Protection Status drop-down list, choose enable.

3. Click Set and confirm reset.

4. Configure the parameters, and click Set.

Parameter Description

Protection Status Specifies whether or not Out-of-State inspection protection is enabled.

Startup Mode The behavior of the device after startup. Out-of-State Protection cannot be applied to existing traffic; therefore, the device can either drop existing traffic and apply Out-of-State Protection to all new traffic, or suspend Out-of-State Protection for a period of time, which is used to learn traffic and sessions.

Values:

On—Start the protection immediately. Existing sessions are dropped and only new sessions are allowed.

Off—Do not protect.

Graceful—Start the protection while maintaining existing sessions for the time specified by the StartUp Timer parameter.

Default: Graceful

StartUp Timer For Graceful startup mode, this parameter specifies the time, in seconds, after startup when the device ignores Out-of-State Protection and registers all sessions in the Session table, including those whose initiation was not registered (for example, SYN with TCP). After this time, the device drops new sessions whose initiation was not registered (for example, SYN with TCP).


Values: 0 – 65,535

Default: 1800

Operational State Specifies whether the device starts and stops Out-of-State Protection without rebooting the device.

Out-of-State Profiles

Out of State Protection detects out-of-state packets to provide additional protection for application-level attacks.

Caution: In cases of overlapping network policies configured with Out-of-State profiles, attacks triggered on both policies are reported twice, once per policy. Therefore, there might be some inconsistencies in the DDoS Protector counter values for discarded traffic.

Caution: The DDoS Protector x06 platform uses two CPUs to handle the activation and termination of Out of State protection. DDoS Protector issues an Occurred trap when half the threshold is reached on one CPU, and DDoS Protector does not issue Start or Term (terminated) traps. There is a small chance that DDoS Protector will report Out-of-State security events even if the specified thresholds have not been reached.

To configure an Out of State Protection profile

1. Select DDoS Protector > Denial of Service > Out-of-State > Profiles.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Profile Name The name of the profile.

Activation Threshold The rate, in PPS, of out-of-state packets above which the profile considers the packets to be part of a flood attack. When the device detects an attack, it issues an appropriate alert and drops the out-of-state packets that exceed the threshold. Packets that do not exceed the threshold bypass the DDoS Protector device.

Values: 1 – 250,000

Default: 5000

Termination Threshold

The rate, in PPS, of out-of-state packets below which the profile considers the flood attack to have stopped, and the device resumes normal operation.

Values: 1 – 250,000

Default: 4000

SYN-ACK Allow status

Values:

enable—When the device receives a SYN-ACK packet for which the device has received no corresponding SYN packet, the device opens a session for the packet and processes it. This option supports asymmetric environments, when the first packet that the device receives is the SYN-ACK.

disable—When the device receives a SYN-ACK packet for which the device has received no corresponding SYN packet, the device drops the packet and counts it in the Activation Threshold and Termination Threshold.

Default: enable

Packet Trace status Specifies whether the profile sends out-of-state packets to the specified physical port.

Default: disable

Profile Risk The risk—for reporting purposes—assigned to the attack that the profile detects.

Values: info, low, medium, high

Default: low

Profile Action The action that the profile takes when it encounters out-of-state packets.

Values: Block and Report, Report Only

Default: Block and Report
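The Activation Threshold and Termination Threshold pairs in this guide (SYN static and user attacks, defaults 2500/1500 over the Tracking time; the Out-of-State profile above, defaults 5000/4000) describe one mechanism: a rate hysteresis in which the protection starts when the averaged rate exceeds the upper threshold and stops only after the rate stays below the lower one. The Python below is an added example, not Check Point code. Applying a Tracking-time window to the Out-of-State thresholds as well is an assumption of the example, since the guide documents Tracking time only for SYN Protection; the per-second packet counts are constructed.

```python
from collections import deque


class RateHysteresis:
    """Windowed-average rate detector with separate activation and termination thresholds."""

    def __init__(self, activation, termination, tracking_time):
        if not 0 < termination <= activation:
            raise ValueError("termination threshold must not exceed activation threshold")
        self.activation = activation
        self.termination = termination
        self.window = deque(maxlen=tracking_time)  # last `tracking_time` per-second counts
        self.active = False
        self.events = []  # (second, "start" | "term", windowed average)

    def observe(self, second, count):
        self.window.append(count)
        avg = sum(self.window) / len(self.window)
        if not self.active and avg > self.activation:
            self.active = True
            self.events.append((second, "start", avg))
        elif self.active and len(self.window) == self.window.maxlen and avg < self.termination:
            # termination requires a full tracking period below the lower threshold
            self.active = False
            self.events.append((second, "term", avg))
        return self.active


def run(counts, activation, termination, tracking_time):
    """Feed one count per second; return the start/term transitions."""
    det = RateHysteresis(activation, termination, tracking_time)
    for second, count in enumerate(counts):
        det.observe(second, count)
    return [(s, kind) for s, kind, _ in det.events]


def naive_toggles(counts, threshold):
    """Single threshold, no averaging: how many times the protection would flip."""
    active, toggles = False, 0
    for count in counts:
        now = count > threshold
        if now != active:
            toggles += 1
            active = now
    return toggles


# Constructed per-second counts (not measurements from any device).
SYN_PER_SECOND = [200, 300, 4000, 6000, 7000, 6500, 3000, 1000, 500, 400, 300, 200]
OOS_PER_SECOND = [100, 9000, 9000, 9000, 9000, 9000, 100, 100, 100, 100, 100]
FLAPPING = [3000, 2000, 3000, 2000, 3000]

if __name__ == "__main__":
    print(run(SYN_PER_SECOND, 2500, 1500, 5))  # [(3, 'start'), (10, 'term')]
    print(run(OOS_PER_SECOND, 5000, 4000, 5))  # [(2, 'start'), (8, 'term')]
    print(run(FLAPPING, 2500, 1500, 5), naive_toggles(FLAPPING, 2500))  # [(0, 'start')] 5
```

The FLAPPING sample is the reason for two thresholds and a tracking window: a rate that oscillates around a single threshold would start and stop the protection every second, generating a trap each time, whereas the averaged, two-threshold detector raises one start event and stays on.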

Connection Limit

Connection Limit: Profiles

The Connection Limit Profiles window enables you to create Connection Limit profiles.

Connection Limit profiles contain attack definitions for groups of TCP or UDP application ports. DDoS Protector counts the number of TCP connections, or UDP sessions, opened per client, per server, or per client plus server combination, for traffic that matches a Connection Limit policy attack definition. Once the number of connections per second reaches the specified threshold, any session/connection over the threshold is dropped, unless the action mode defined for this attack is Report Only.

You can also define whether to suspend the source IP address, dropping traffic from this source for a number of seconds according to the Suspend table parameters.

Recommended settings for policies that include Connection Limit profiles:

Configure policies containing Connection Limit profiles using Networks only with source = Any, the public network, and destination = Protected Network. You can define segments using VLAN tag, and physical ports.

It is not recommended to define networks when the Source and Destination are set to any.

Policies containing Connection Limit profiles can be configured with Direction set to either oneway or twoway.

Before you configure a Connection Limit profile, ensure the following:

Connection Limit protection is enabled.

The Session table Lookup Mode is Full Layer 4.

(Recommended) The required Connection Limit attacks are configured.

A Connection Limit profile should include all the Connection Limit Attacks that you want to apply in a network protection policy.


To configure a new Connection Limit profile

1. Select DDoS Protector > Denial of Service > Connection Limit > Profiles.

2. Click Create.

3. In the Connection Limiting Profile text box, type the name of the Connection Limit profile.

4. From the Connection Limiting Attack drop-down list, select a Connection Limit Attack to include in the profile.

5. Click Set.

To add a Connection Limit Attack to a Connection Limit profile

1. Select DDoS Protector > Denial of Service > Connection Limit > Profiles.

2. Click the profile link in the table.

3. Click Create.

4. From the Connection Limiting Attack drop-down list, select a Connection Limit Attack to include in the profile.

Connection Limit: Attacks

The Connection Limit Attacks window enables you to define a Connection Limit Attack.

Configure Connection Limit Attacks to add to Connection Limit profiles for network protection.

Note: Connection Limit Attacks are also referred to as Connection Limit protections.

To configure a Connection Limit Attack

1. Select DDoS Protector > Connection Limit > Attacks.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

ID (Read-only) The ID number assigned to the Connection Limit protection.

Attack Name A descriptive name for easy identification of the attack in configuration and reporting.

Destination App. Port A group of Layer 4 ports that represent the application you want to protect.

Protocol The Layer 4 protocol of the application you want to protect.

Values: tcp, udp

Default: tcp

Threshold The maximum number of new TCP connections, or new UDP sessions, per second, allowed for each source, destination, or source-and-destination pair. All additional sessions are dropped. When the threshold is reached, attacks are identified and a security event generated.

Default: 5


Tracking Type The counting rule for tracking sessions.

Values:

Source and Target Count—Sessions are counted per source IP and destination IP address combination.

Source Count—Sessions are counted per source IP address.

Target Count—Sessions are counted per destination IP address.

Default: Source Count

Note: When Tracking Type is Target Count, the Suspend Action can only be None.

Action Mode The action when an attack is detected.

Values:

Drop—The packet is discarded.

Report-only—The packet is forwarded to the destination IP address.

Reset Source—Sends a TCP-Reset packet to the packet source IP address.

Default: Drop

Risk The risk assigned to this attack for reporting purposes.

Values: High, Info, Low, Medium

Default: Medium

Suspend Action Specifies which session traffic the device suspends for the attack duration (see Suspend Table).

Values:

None—Suspend action is disabled for this attack.

SrcIP—All traffic from the IP address identified as the source of this attack is suspended.

SrcIP, DestIP—Traffic from the IP address identified as the source of this attack to the destination IP address under attack is suspended.

SrcIP, DestPort—Traffic from the IP address identified as the source of this attack to the application (Destination port) under attack is suspended.

SrcIP, DestIP, DestPort—Traffic from the IP address identified as the source of this attack to the destination IP address and port under attack is suspended.

SrcIP, DestIP, SrcPort, DestPort—Traffic from the IP address and port identified as the source of this attack to the destination IP address and port under attack is suspended.

Default: None

Note: When Tracking Type is Target Count, the Suspend Action can only be None.

Packet Trace Specifies whether the DDoS Protector device sends attack packets to the specified physical port.
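As an added example (not Check Point code), the Python below applies one Connection Limit attack definition to a constructed list of new sessions. It shows how Tracking Type selects the counter a session increments (per source, per destination, or per source-and-destination pair), how reaching Threshold raises a security event while sessions beyond it receive the Action Mode verdict, and the rule that Target Count permits only Suspend Action None. The session records, addresses and the per-second counting granularity are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NewSession:
    """One new TCP connection or UDP session (constructed sample record)."""
    second: int
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class ConnLimitAttack:
    name: str
    dest_ports: frozenset      # empty means any port
    protocol: str              # "tcp" or "udp"
    threshold: int             # new sessions per second per tracked key
    tracking_type: str         # "source", "target" or "source_and_target"
    action_mode: str = "drop"  # "drop", "report_only" or "reset_source"
    suspend_action: str = "none"

    def __post_init__(self):
        if self.tracking_type == "target" and self.suspend_action != "none":
            raise ValueError("Target Count allows only Suspend Action None")

    def matches(self, s):
        return s.proto == self.protocol and (not self.dest_ports or s.dport in self.dest_ports)

    def key(self, s):
        if self.tracking_type == "source":
            return (s.src,)
        if self.tracking_type == "target":
            return (s.dst,)
        return (s.src, s.dst)


# Verdict applied to sessions above the threshold; Report-only still forwards them.
VERDICT = {"drop": "drop", "reset_source": "reset_source", "report_only": "forward"}


def enforce(attack, sessions):
    """Return one verdict per session and the security events raised.
    Reaching the threshold raises an event; sessions beyond it get the Action Mode verdict."""
    counts = defaultdict(int)  # (second, tracked key) -> new sessions seen so far
    verdicts, events = [], []
    for s in sessions:
        if not attack.matches(s):
            verdicts.append("forward")
            continue
        k = (s.second, attack.key(s))
        counts[k] += 1
        if counts[k] == attack.threshold:
            events.append((s.second, attack.key(s), attack.name))
        verdicts.append(VERDICT[attack.action_mode] if counts[k] > attack.threshold else "forward")
    return verdicts, events


def mitigated(attack, sessions):
    """Number of sessions that received a non-forward verdict."""
    return sum(v != "forward" for v in enforce(attack, sessions)[0])


# Constructed sample: one busy client, one quiet client, and a UDP session to a different port.
SAMPLE_SESSIONS = (
    [NewSession(0, "198.51.100.7", "203.0.113.5", 80, "tcp")] * 8
    + [NewSession(0, "198.51.100.8", "203.0.113.5", 80, "tcp")] * 3
    + [NewSession(1, "198.51.100.7", "203.0.113.5", 80, "tcp")] * 2
    + [NewSession(0, "198.51.100.9", "203.0.113.5", 53, "udp")]
)

if __name__ == "__main__":
    http = frozenset({80, 443})
    for tracking in ("source", "target", "source_and_target"):
        attack = ConnLimitAttack(f"http-{tracking}", http, "tcp", 5, tracking)
        print(tracking, mitigated(attack, SAMPLE_SESSIONS), enforce(attack, SAMPLE_SESSIONS)[1])
```

With the default Threshold of 5, Source Count drops the busy client's three excess connections in second 0 and leaves the quiet client untouched, whereas Target Count pools both clients against the one server and drops six, including all of the quiet client's connections. That difference is why the tracking type matters when a destination is shared by many legitimate clients.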


HTTP Mitigator

HTTP Mitigator Global Setting

The HTTP Mitigator detects and mitigates HTTP request flood attacks to protect Web servers. The HTTP Mitigator collects and builds a statistical model of the protected server traffic, and then, using fuzzy logic inference systems and statistical thresholds, detects traffic anomalies and identifies the malicious sources.

To configure the HTTP mitigator

1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Global Settings.

2. Configure the parameters, and click Set.

Parameter Description

Protection Status Specifies whether the HTTP Mitigator is enabled on the device.

HTTP flood protection must be enabled to set HTTP flood protection parameters.

Default: enable

Learning period before activation The time, in days, the HTTP Mitigator takes to collect the data needed to establish the baseline that HTTP Mitigation uses.

Values: 0 – 65,536

Default: 7

Learning Mode The learning mode of the HTTP Mitigator.

Values:

Continuous Only—The learning process about the traffic environment is continuous.

Automatic—The HTTP Mitigator can switch to 24x7 learning when it detects a recurring pattern per hour of the day of the week in a period of 4, 8, or 12 weeks (based on sensitivity).

Learning Sensitivity The period from which the HTTP Mitigator establishes baselines. Select the time unit based on the site characteristics. For example, if the site traffic fluctuates during the course of a day, but fluctuates the same way each day, select Day, but if there are significant fluctuations between the days of the week, select Week.

Values: Day, Week, Month

Default: Week


Advanced

HTTP Mitigator Advanced Mitigation Configuration

Check Point recommends that only advanced users modify the values in the HTTP Mitigator Advanced Mitigation Configuration pane.

To perform advanced configuration for the manual mitigation mode

1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Advanced > Mitigation Configuration.

2. Configure the parameters, and click Set.

Parameter Description

Mitigation Failure Condition The number of automatic attempts that the device makes before announcing an anomaly state, meaning the device cannot mitigate the attack.

Values: 1 – 100

Default: 3

Clear Authentication List On Negative Feedback Specifies whether the device clears the authentication table (which is a white list) every time a challenge state fails to block the attack.

Values: enable, disable

Default: disable

HTTP Mitigator Advanced Profiles

Use the HTTP Mitigator Advanced Profiles pane to configure an HTTP Flood Mitigation profile with advanced parameters.

HTTP Flood Mitigation profiles defend the applications in your network against server flooding.

Server flood attacks are aimed at specific servers causing denial of service at the server level. These types of attacks disrupt a server by sending more requests than the server can handle, thereby preventing access to a service.

Server attacks differ from network-flood attacks either in the attack volume or in the nature of the requests used in the attack. Server flood attacks use legitimate requests that cannot be distinguished from regular customer requests.

Before you configure an HTTP Flood profile, ensure that HTTP mitigation is enabled and the global parameters are configured.

To configure an HTTP Flood Mitigation profile with advanced parameters

1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Advanced > Profiles Configuration.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.


Parameter Description

Profile Name The name of the profile.

Sensitivity When User-Defined Attack Triggers are not used, this parameter specifies how sensitive the profile is to deviations from the baseline. High specifies that the profile identifies an attack when the device detects only a small deviation from the baselines.

Values:

minor

low

medium

high

Default: medium

Action The action that the profile takes when the profile detects suspicious traffic.

Values:

Block and Report—Blocks and reports on the suspicious traffic.

Report Only—Reports the suspicious traffic.

Default: Block and Report

User Defined Attack Triggers Specifies whether the profile uses static, user-defined thresholds to identify when an attack is in progress, or instead checks the server traffic and compares the traffic behavior to the baseline to identify when an attack is in progress.

Values: inactive, active

Default: inactive

GET and POST Request-Rate Trigger The maximum number of GET and POST requests allowed, per server per second.

Values:

0—The profile ignores the threshold.

1 – 4,294,967,296

Default: 0

Other Request-type Request-Rate Trigger The maximum number of requests that are not GET or POST (for example, HEAD, PUT, and so on) allowed, per server per second.

Values:

0—The profile ignores the threshold.

1 – 4,294,967,296

Default: 0

Caution: If Outbound HTTP BW Trigger is enabled and Other Request-type Request-Rate Trigger is disabled, an attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption. The same can happen when both Outbound HTTP BW Trigger and Other Request-type Request-Rate Trigger are enabled but the rate of other requests does not exceed the threshold. The high outbound HTTP bandwidth consumption may cause the Outbound HTTP BW Trigger mechanism to consider the attack to be an anomaly, and the profile will not mitigate it.

Outbound HTTP BW Trigger The maximum allowed bandwidth, in kilobits per second, of HTTP responses.

Values:

0—The profile ignores the threshold.

1 – 4,294,967,296

Default: 0

Request-per-Source Trigger The maximum number of requests allowed per source IP per second.

Values:

0—The profile ignores the threshold.

1 – 4,294,967,296

Default: 5

Request-per-Connection Trigger The maximum number of requests allowed from the same connection.

Values:

0—The profile ignores the threshold.

1 – 4,294,967,296

Default: 5

Request-Rate Threshold The number of HTTP requests per second from a source that causes the profile to consider the source to be suspicious.

Values: 1 – 65,535

Default: 5

Request-per-Connection Threshold The number of HTTP requests on a connection that causes the profile to consider the source to be suspicious.

Values: 1 – 65,535

Default: 5

Packet Trace Specifies whether the profile sends attack packets to the specified physical port.

Values: enable, disable

Default: disable

Note: A change to this parameter takes effect only after you update policies.

Source Challenge Status

Specifies whether the profile challenges HTTP sources that match the real-time signature.

Values: enable, disable

Default: enable

Collective Challenge Status

Specifies whether the profile challenges all HTTP traffic toward the protected server.

Values: enable, disable

Default: enable

Source Blocking Status

Specifies whether the profile blocks all traffic from the suspect sources.

Values: enable, disable

Default: enable

Challenge Mode Specifies how the profile challenges suspect HTTP sources.

Values:

HTTP Redirect—The device authenticates HTTP traffic using a 302-Redirect response code.

JavaScript—The device authenticates HTTP traffic using a JavaScript object generated by the device.

Default: HTTP Redirect

Notes:

Some attack tools are capable of handling 302-redirect responses. The HTTP Redirect Challenge Mode is not effective against attacks that use those tools. The JavaScript Challenge Mode requires an engine on the client side that supports JavaScript, and therefore, the JavaScript option is considered stronger. However, the JavaScript option has some limitations, which are relevant in certain scenarios.

Limitations when using the JavaScript Challenge Mode:

If the browser does not support JavaScript calls, the browser will not answer the challenge.

When the protected server is accessed as a sub-page through another (main) page only using JavaScript, the user session will fail (that is, the browser will not answer the challenge). For example, if the protected server supplies content that is requested using a JavaScript tag, the DDoS Protector JavaScript is enclosed within the original JavaScript block. This violates JavaScript rules, which results in a challenge failure. Example: the request for appMy.jsp below (the js.src line) accesses a protected server:

<script>
setTimeout(function(){
  var js=document.createElement("script");
  js.src="http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
  document.getElementsByTagName("head")[0].appendChild(js);
},1000);
</script>

Because the browser fetches appMy.jsp as a script, the returned challenge page, which contains a <script> tag of its own, is parsed as JavaScript. The <script> tag is illegal there, so the browser drops the response without following the redirect.

Other Requests Decision Engine

Specifies whether the profile identifies an HTTP flood attack when the rate of requests that are not GET or POST requests exceeds the learned baseline.

Values: enable, disable

Default: enable

Caution: If Outbound BW Decision Engine is enabled and Other Requests Decision Engine is disabled, an attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption. The same can happen if both decision engines are enabled but the rate of other requests does not exceed the threshold. In either case, the high outbound HTTP bandwidth consumption may cause the Outbound HTTP Bandwidth mechanism to consider the attack to be an anomaly, and the profile will not mitigate it.

Requests per source Decision Engine

Specifies whether the profile identifies an HTTP flood attack when the rate of requests per source exceeds the learned baseline.

Values: enable, disable

Default: enable

Get and POST global requests Decision Engine

Specifies whether the profile identifies an HTTP flood attack when the rate of GET and POST requests exceeds the learned baseline.

Values: enable, disable

Default: enable

Outbound BW Decision Engine

Specifies whether the profile identifies an HTTP flood attack when the outbound HTTP bandwidth exceeds the learned baseline.

Values: enable, disable

Default: enable

Requests per connection Decision Engine

Specifies whether the profile identifies an HTTP flood attack when the rate of requests per connection exceeds the learned baseline.

Values: enable, disable

Default: enable

HTTP Mitigator Profiles

Use the HTTP Mitigator Profiles pane to configure a basic HTTP Flood Mitigation profile.

Note: To configure an HTTP Flood Mitigation profile with advanced parameters, use the HTTP

Mitigator Advanced Profiles pane. For more information, see HTTP Mitigator Advanced Profiles.

HTTP Flood Mitigation profiles defend the applications in your network against server flooding.

Server flood attacks are aimed at specific servers causing denial of service at the server level. These types of attacks disrupt a server by sending more requests than the server can handle, thereby preventing access to a service.

Server attacks differ from network-flood attacks either in the attack volume or in the nature of the requests used in the attack. Server flood attacks use legitimate requests that cannot be distinguished from regular customer requests.

Before you configure an HTTP Flood Mitigation profile, ensure that HTTP mitigation is enabled and the global parameters are configured.

To configure a basic HTTP Flood Mitigation profile

1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Profiles.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Profile Name The name of the profile.

Sensitivity Specifies how sensitive the profile is to deviations from the baseline. High specifies that the profile identifies an attack when the device detects only a small deviation from the baselines.

Values:

minor

low

medium

high

Default: medium

Action The action that the profile takes when the profile detects suspicious traffic.

Values:

Block and Report—Blocks and reports on the suspicious traffic.

Report Only—Reports the suspicious traffic.

Default: Block and Report

Packet Trace Specifies whether the profile sends attack packets to the specified physical port.

Values: enable, disable

Default: disable

Note: A change to this parameter takes effect only after you update policies.

Authentication tables

DNS Authentication Table

The DNS authentication table holds the DNS source addresses.

To set the DNS authentication table parameters

1. Select DDoS Protector > Authentication table > DNS.

2. Configure the parameters, and click Set.

Parameter Description

Authentication table status Specifies whether the device uses the DNS authentication table (which is a white list) during a DNS challenge state.

Values: enable, disable

Authentication table aging The time, in minutes, that the device keeps idle sources in the DNS Authentication table.

Values: 1–60

Default: 20

Note: You can enter a value even if DNS Flood Protection is not enabled, and the value will persist.

Authentication table utilization The percentage of the table that is full.

Clean Table Select the checkbox to clear the authentication table.

TCP Authentication table

The TCP authentication table holds the TCP source addresses.

To set the TCP authentication table parameters

1. Select DDoS Protector > Authentication table > TCP.

2. Configure the parameters, and click Set.

Parameter Description

Authentication table aging The time, in seconds, that the device keeps idle sources in the TCP Authentication table.

Values: 60–3600

Default: 1200

Authentication table utilization (Read-only) The percentage of the table that is currently full.

Clean Table Select the checkbox to clear the authentication table.

HTTP Authentication table

The HTTP authentication table holds source-destination couples for protected HTTP servers, not bare source addresses. For example, if there are two attacks towards two HTTP servers and the source addresses are the same, there will be two entries for that source in the table, one for each server.

To set the HTTP authentication table parameters

1. Select DDoS Protector > Authentication table > HTTP.

2. Configure the parameters, and click Set.

Parameter Description

Authentication table aging The time, in seconds, that the device keeps idle sources in the HTTP Authentication table.

Values: 60–3600

Default: 1200

Authentication table utilization (Read-only) The percentage of the table that is currently full.

Clean Table Select the checkbox to clear the authentication table.
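The following is an added example, not code from the Check Point guide or the device. It models three things described above: the HTTP Redirect challenge mode, the per-source Request-Rate Threshold that marks a source as suspicious, and the HTTP authentication table of source-destination couples with idle aging. The __chal query parameter, the HMAC-bound token with a 30-second lifetime, the one-second rate buckets and the 403 answer to a bad token are assumptions made for the simulation; the guide does not document how the device encodes its challenge.

```python
# Added example (not Check Point code): HTTP Redirect challenge plus the HTTP
# authentication table keyed by (source, destination) couples with idle aging.
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    src: str
    dst: str
    path: str
    t: float                 # arrival time in seconds


@dataclass
class Response:
    status: int
    location: Optional[str] = None


class RedirectChallenge:
    TOKEN_TTL = 30.0         # assumption: seconds a challenge token stays redeemable
    PARAM = "?__chal="       # assumption: query parameter that carries the token

    def __init__(self, rate_threshold: int = 5, aging: int = 1200) -> None:
        if not 1 <= rate_threshold <= 65535:
            raise ValueError("Request-Rate Threshold: 1-65,535")
        if not 60 <= aging <= 3600:
            raise ValueError("HTTP authentication table aging: 60-3600 seconds")
        self.rate_threshold = rate_threshold
        self.aging = aging
        self.key = secrets.token_bytes(32)                 # per-device secret
        self.auth: Dict[Tuple[str, str], float] = {}       # couple -> last seen
        self.rate: Dict[Tuple[str, int], int] = defaultdict(int)  # (src, second) -> count

    def _token(self, src: str, dst: str, issued: int) -> str:
        """Token bound to the couple and its issue time, so it cannot be replayed elsewhere."""
        mac = hmac.new(self.key, f"{src}|{dst}|{issued}".encode(), hashlib.sha256)
        return f"{issued}-{mac.hexdigest()[:32]}"

    def _token_valid(self, src: str, dst: str, token: str, now: float) -> bool:
        issued_s, _, _ = token.partition("-")
        if not issued_s.isdigit() or now - int(issued_s) > self.TOKEN_TTL:
            return False
        return hmac.compare_digest(token, self._token(src, dst, int(issued_s)))

    def _age_out(self, now: float) -> None:
        """Drop couples that have been idle longer than the aging time."""
        for couple in [c for c, seen in self.auth.items() if now - seen > self.aging]:
            del self.auth[couple]

    def handle(self, req: Request) -> Response:
        now, couple = req.t, (req.src, req.dst)
        self._age_out(now)
        if couple in self.auth:                       # already authenticated: refresh, forward
            self.auth[couple] = now
            return Response(200)
        if self.PARAM in req.path:                    # the client is answering a challenge
            _, _, token = req.path.partition(self.PARAM)
            if self._token_valid(req.src, req.dst, token, now):
                self.auth[couple] = now
                return Response(200)
            return Response(403)                      # bad or stale token (modelled as 403)
        bucket = (req.src, int(now))
        self.rate[bucket] += 1
        if self.rate[bucket] <= self.rate_threshold:  # under the threshold: forward
            return Response(200)
        token = self._token(req.src, req.dst, int(now))   # suspicious source: challenge
        return Response(302, location=f"http://{req.dst}{req.path}{self.PARAM}{token}")


def run_client(dev: RedirectChallenge, src: str, dst: str, n: int,
               follows_redirects: bool, t0: float = 0.0) -> int:
    """Send n requests within one second; return how many were served (200)."""
    served = 0
    for i in range(n):
        t = t0 + i * 0.01
        resp = dev.handle(Request(src, dst, "/index.html", t))
        if resp.status == 302 and follows_redirects:
            _, _, target = resp.location.partition(dst)   # path plus challenge token
            resp = dev.handle(Request(src, dst, target, t + 0.05))
        served += resp.status == 200
    return served


if __name__ == "__main__":
    # Constructed sample traffic: a browser and a flood tool that ignores 302s.
    dev = RedirectChallenge()
    print("browser served:", run_client(dev, "198.51.100.7", "203.0.113.10", 20, True))
    print("flood tool served:", run_client(dev, "192.0.2.99", "203.0.113.10", 20, False))
```

A browser that follows the 302 is served every request after the first redirect, while a tool that ignores redirects gets only the requests under the threshold. As the guide notes, a tool that does follow redirects passes this challenge just as a browser does, which is why the JavaScript mode is considered stronger. Because the table is keyed by couple, the same source authenticated toward two protected servers occupies two entries, and each entry ages out independently once idle.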

Server Protection

Protected Servers

The Server Protection table contains the protected servers and the actions that DDoS Protector takes when an attack on a protected server is detected. You can add servers manually to the Server Protection table or the Service Discovery mechanism adds discovered servers to the table.

The name of a discovered server in the Server Protection table is in the following format:

<Number>_<NetworkProtectionPolicyName>

where:

<Number> is a number that the DDoS Protector device generates serially.

<NetworkProtectionPolicyName> is the Network Protection policy that discovered the

server.

Example: 234_MyNetPolicyN

To configure a protected server

1. Select DDoS Protector > Server Protection > Protected Servers.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Name The name of the server.

Maximum characters: 30

IP The IP address of the protected server

HTTP mitigator Profile

The HTTP-flood-mitigator profile that the device activates against an attack.

State Values:

active—The server protection is active.

inactive—The server protection is inactive, but the DDoS Protector device maintains baselines and the configuration of the associated HTTP profile.

Default: active

Server Status The status of the server, especially in the context of the Service Discovery mechanism.

Values:

static—The server is a static member of the Server Protection table, and it is protected if the State is active. If the server is a discovered server, the Service Discovery mechanism does not revalidate the server.

ignored—The server is ignored, with no protection from the device. The DDoS Protector device maintains no baselines or associated HTTP profile configuration for the server.

discovered—The Service Discovery mechanism discovered the server, and it is protected if the State is active. The Service Discovery mechanism revalidates the server according to the specified Revalidation Time.

revalidating—For internal use only. The Service Discovery mechanism is currently checking again whether the server meets the Tracking-Time–Responses-per-Minute criteria.

in evaluation—For internal use only. The Service Discovery mechanism is currently checking whether the server meets the Tracking-Time–Responses-per-Minute criteria.

Notes:

For server entries that you create, you can only specify the Server Status static or ignored.

You can change the Server Status from discovered only to static or ignored.

You cannot change the Server Status once you specify ignored. You can delete the server entry if required.

Discoverer Policy Specifies the Network Protection policy with a Service Discovery profile that added the server to the Server Protection table.

Note: You can modify a Discoverer Policy only for a server whose Server Status is discovered.

White List DDoS Protector exempts packets that match an active White List policy from specified inspection processes.

For each protection, you can set the direction of the bypass. For example, sessions initiated from the white list IP address are bypassed, while sessions initiated toward the IP address are inspected as usual.

Note: Because packets from White List addresses are not inspected, certain protections are not applied in the opposite direction either. For example, with SYN Protection, servers may not be added to the known destinations because the ACK packets from the white-listed source are not inspected.

Caution: DDoS Protector continues to block packets from a source or destination that is part of an active attack even after you add the source or destination to the White List per protection.

To configure a white list policy

1. Select DDoS Protector > White List.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

State Specifies whether the policy is active. You can select inactive to deactivate the policy without removing it from the list.

Values: active, inactive

Default: active

Name The user-defined name for the policy.

SrcNetwork The source of the packets that the policy uses.

Values:

A Network class

An IP address

any

DstNetwork The destination of the packets that the policy uses.

Values:

A Network class

An IP address

any

SrcPortGroup The source Application Port class or application-port number that the policy uses.

Values:

An Application Port class

An application-port number

Note: This parameter is relevant only for UDP, TCP, and SCTP traffic. You cannot use a port group for ICMP, IGMP, or GRE.

DstPortGroup The destination Application Port class or application-port number that the policy uses.

Values:

An Application Port class

An application-port number

Note: This parameter is relevant only for UDP, TCP, and SCTP traffic. You cannot use a port group for ICMP, IGMP, or GRE.

PhysicalPortGroup The Physical Port class or physical port that the policy uses.

Values:

A Physical Port class

The physical ports on the device

VLANTag The VLAN Tag class that the policy uses.

Values: A VLAN Tag class

Protocol The protocol of the traffic that the policy uses.

Values:

Any

GRE

ICMP

ICMPv6

IGMP

SCTP

TCP

UDP

L2TP

GTP

IP in IP

Default: Any

Direction The direction of the traffic to which the policy relates. This parameter relates to L4 sessions only.

Values:

one-direct—The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.

bi-direct—The protection applies to sessions that match the network definitions of the policy regardless of their direction.

Default: one-direct

Description The user-defined description for the policy up to 19 characters.

All Modules Bypass Specifies whether the policy includes all specific protection modules.

Values:

active—The specified Classification criteria determine the traffic that is exempt from security inspection.

inactive—The specified source (that is, the source Network class or source IP address) and specified protection modules determine the traffic that is exempt from security inspection.

Default: active

Performance is better when All Modules Bypass is active than when the modules are enabled individually.

SYN Protection Bypass When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses SYN Protection inspection.

Values: active, inactive

Default: active

Anti-Scanning Bypass When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Anti-Scanning inspection.

Values: active, inactive

Default: active

Signature Protection Bypass

When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Signature Protection inspection.

Values: active, inactive

Default: active

HTTP Mitigator Bypass When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses HTTP Flood inspection.

Values: active, inactive

Default: active

Black List DDoS Protector drops packets that match an active Black List rule. The Black List comprises the traffic that the device always blocks without inspection. You use the Black List as policy exceptions for security policies. The device black-lists packets if all the criteria for the policy evaluate to true.

You enable or disable the Packet Trace feature for all the Black List rules on the device. When the Packet Trace feature is enabled for Black Lists, the DDoS Protector device sends blacklisted packets to the specified physical port.

To configure the Packet Trace status

1. Select DDoS Protector > Black List.

2. From the Packet Trace Status drop-down list, select enable or disable.

3. Click Set.

To configure a Black List rule

1. Select DDoS Protector > Black List.

2. Click Create.

3. Configure the parameters and click Set.

Parameter Description

State Specifies whether the rule is active. You can select inactive to deactivate the rule without removing it from the list.

Values: active, inactive

Default: active

Name The user-defined name for the rule.

SrcNetwork The source of the packets that the rule uses.

Values:

A Network class

An IP address

any

DstNetwork The destination of the packets that the rule uses.

Values:

A Network class

An IP address

any

SrcPortGroup The source Application Port class or application-port number that the rule uses.

Values:

An Application Port class

An application-port number

Note: This parameter is relevant only for UDP, TCP, and SCTP traffic. You cannot use a port group for ICMP, IGMP, or GRE.

DstPortGroup The destination Application Port class or application-port number that the rule uses.

Values:

An Application Port class

An application-port number

Note: This parameter is relevant only for UDP, TCP, and SCTP traffic. You cannot use a port group for ICMP, IGMP, or GRE.

PhysicalPortGroup The Physical Port class or physical port that the rule uses.

Values:

A Physical Port class

The physical ports on the device

VLANTag The VLAN Tag class that the rule uses.

Values: A VLAN Tag class

Protocol The protocol of the traffic that the rule uses.

Values:

Any

GRE

ICMP

ICMPv6

IGMP

SCTP

TCP

UDP

L2TP

GTP

IP in IP

Default: Any

Direction The direction of the traffic to which the rule relates. This parameter relates to L4 sessions only.

Values:

one-direct—The protection applies to sessions originating from sources to destinations that match the network definitions of the rule.

bi-direct—The protection applies to sessions that match the network definitions of the rule regardless of their direction.

Default: one-direct

Report Action The report action that the device takes when it encounters a packet that matches the rule.

Values:

report—The device issues a trap when it encounters a blacklisted packet.

no-report—The device issues no trap when it encounters a blacklisted packet.

Description The user-defined description for the rule up to 19 characters.

Entry Expiration Timer (Hours)

Entry Expiration Timer (Minutes)

The hours and minutes remaining until the rule expires. The maximum Expiration Timer is two hours.

The Expiration Timer can be used only with dynamic Black List rules. The Expiration Timer for a static Black List rule must be set to 0 (zero hours and zero minutes).

When the rule expires (that is, when the Entry Expiration Timer elapses), the rule disappears from the Black List Policy table when the table refreshes.

Dynamic Specifies whether the rule implements the Expiration Timer.

Default: Disabled

Note: Changing the configuration of this option takes effect only after you update policies.
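An added example, not Check Point's code, of how a Black List rule is evaluated against an L4 session according to the rules above: a packet is dropped only when every criterion of an active rule evaluates to true; one-direct matches sessions initiated from SrcNetwork toward DstNetwork, while bi-direct also matches sessions initiated the other way; port criteria are accepted only for TCP, UDP and SCTP; and the Expiration Timer is allowed only on dynamic rules and is capped at two hours. The class names, the CIDR notation standing in for a Network class, and the sample addresses are constructed for the example.

```python
# Added example (not Check Point code): Black List rule matching with direction
# semantics, protocol/port validation and the dynamic-rule expiration timer.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_PROTOCOLS = {"TCP", "UDP", "SCTP"}   # port groups are valid only for these
MAX_EXPIRY_MINUTES = 2 * 60               # the Expiration Timer is at most two hours


@dataclass
class Session:
    src_ip: str            # initiator of the session
    dst_ip: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class BlackListRule:
    name: str
    src_network: str = "any"          # CIDR, single address or "any"
    dst_network: str = "any"
    protocol: str = "Any"
    src_port: Optional[int] = None    # None stands for "any port"
    dst_port: Optional[int] = None
    direction: str = "one-direct"     # or "bi-direct"
    state: str = "active"             # or "inactive"
    report: str = "report"            # or "no-report"
    dynamic: bool = False
    expiry_minutes: int = 0           # hours * 60 + minutes remaining

    def __post_init__(self) -> None:
        if self.direction not in ("one-direct", "bi-direct"):
            raise ValueError("direction must be one-direct or bi-direct")
        if self.protocol.upper() not in PORT_PROTOCOLS and (
            self.src_port is not None or self.dst_port is not None
        ):
            raise ValueError("port groups are valid only for TCP, UDP and SCTP")
        if not self.dynamic and self.expiry_minutes != 0:
            raise ValueError("a static rule must have an Expiration Timer of 0")
        if not 0 <= self.expiry_minutes <= MAX_EXPIRY_MINUTES:
            raise ValueError("the Expiration Timer is at most two hours")


def in_network(ip: str, network: str) -> bool:
    if network == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def _one_way(rule: BlackListRule, src_ip: str, dst_ip: str,
             src_port: Optional[int], dst_port: Optional[int]) -> bool:
    """All address and port criteria, taken in a single direction."""
    return (
        in_network(src_ip, rule.src_network)
        and in_network(dst_ip, rule.dst_network)
        and rule.src_port in (None, src_port)
        and rule.dst_port in (None, dst_port)
    )


def rule_matches(rule: BlackListRule, s: Session) -> bool:
    if rule.state != "active":
        return False
    if rule.protocol.upper() not in ("ANY", s.protocol.upper()):
        return False
    if _one_way(rule, s.src_ip, s.dst_ip, s.src_port, s.dst_port):
        return True
    # bi-direct: the session may have been initiated from the DstNetwork side.
    return rule.direction == "bi-direct" and _one_way(
        rule, s.dst_ip, s.src_ip, s.dst_port, s.src_port
    )


def evaluate(rules: List[BlackListRule], s: Session) -> Tuple[bool, List[str]]:
    """Return (drop?, names of the matching rules that issue a trap)."""
    hits = [r for r in rules if rule_matches(r, s)]
    return bool(hits), [r.name for r in hits if r.report == "report"]


def prune_expired(rules: List[BlackListRule], elapsed_minutes: int) -> List[BlackListRule]:
    """Dynamic rules whose timer has elapsed disappear when the table refreshes."""
    return [r for r in rules if not (r.dynamic and r.expiry_minutes <= elapsed_minutes)]


if __name__ == "__main__":
    # Constructed sample: drop HTTP sessions initiated from a scanner subnet for 30 minutes.
    rules = [BlackListRule("scanner-http", src_network="192.0.2.0/24", protocol="TCP",
                           dst_port=80, dynamic=True, expiry_minutes=30)]
    print(evaluate(rules, Session("192.0.2.9", "203.0.113.10", "TCP", 51000, 80)))
    print(evaluate(rules, Session("203.0.113.10", "192.0.2.9", "TCP", 80, 51000)))
```

With one-direct, the reply direction of a session (server port 80 back to the scanner) does not match the rule; switching the same rule to bi-direct makes it match whichever side initiated the session. The constructor rejects the combinations the guide rules out (a port on an ICMP rule, a timer on a static rule, a timer above two hours) so that a misconfigured entry fails early instead of silently matching nothing.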

Network Protection Policies

The Network Protection policy protects your configured networks using protection profiles.

Before you configure Network Protection policy and profiles, ensure that you have enabled all the required protections and configured the corresponding global protection parameters.

Each Network Protection consists of two parts:

The classification that defines the protected network segment.

The action to be applied when an attack is detected on the matching network segment. The action defines the protection profiles to be applied to the network segment, and whether the malicious traffic should be blocked. Malicious traffic is always reported.

To configure a Network Protection policy

1. Select DDoS Protector > Policies > Table.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Name The name of the Network Protection policy.

Direction The direction of the traffic to which the policy relates.

Values:

oneway—The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.

twoway—The protection applies to sessions that match the network definitions of the policy regardless of their direction.

Default: oneway

Source Address The source of the packets that the rule uses.

Values:

A Network class configured in the Classes menu

An IP address

any—Any IP address

Default: any

Destination Address The destination of the packets that the rule uses.

Values:

A Network class configured in the Classes menu

An IP address

any—Any IP address

Default: any

Inbound Physical Port Group The Physical Port class or physical port that the rule uses.

Values:

A Physical Port class configured in the Classes menu

The physical ports on the device

None

Vlan Tag Group The VLAN Tag class that the rule uses.

Values:

A VLAN Tag class configured in the Classes menu

None

State Specifies whether the policy is enabled.

Values: active, inactive

Default: active

Action The default action for all attacks under this policy.

Values:

Block and Report—The malicious traffic is terminated and a security event is generated and logged.

Report Only—The malicious traffic is forwarded to its destination and a security event is generated and logged.

Default: Block and Report

Note: Signature-specific actions override the default action for the policy.

Signatures Profile The Signature Protection profile applied to the network segment defined in this policy.

Connection Limit Profile The Connection Limit profile applied to the network segment defined in this policy.

Out-Of-State Profile The Out-of-State profile applied to the network segment defined in this policy.

Behavioral Dos Profile The BDoS profile applied to the network segment defined in this policy.

SYN Protection Profile The SYN Flood profile applied to the network segment defined in this policy.

DNS protection Profile The DNS Protection profile applied to the network segment defined in this policy.

Packet Trace Specifies whether the policy sends attack packets to the specified physical port.

Values: enable, disable

Default: disable

Packet Trace configuration on policy takes precedence

Specifies whether the configuration of the Packet Trace feature here, on this policy, takes precedence over the configuration of the Packet Trace feature in the associated profiles.

Values: enable, disable

Default: disable

Caution: A change to this parameter takes effect only after you update policies.

Service Discovery Profile The Service Discovery profile that the Network Protection policy uses to identify HTTP servers to protect.

Leave the field empty if you do not want to implement the Service Discovery feature.

For more information, see Service Discovery Global Parameters and Restore Default Configuration, which describes the default profiles.

Policies Resources Utilization

The Policies Resources Utilization pane is supported only on x412 platforms.

You can view statistics relating the user-defined policies to the utilization of the DoS Mitigation Engine (DME).

The values that the device exposes are calculated from the configured values, even before you run the Update Policies command.

To view statistics relating the user-defined policies to the utilization of the DoS Mitigation Engine

Select DDoS Protector > Policies > Resources View.

If any of the following values is close to the maximum, the resources for the device are exhausted:

Parameter Description

Total Number of Policies

The total number of policies in the context of the DME, which is double the number of network policies configured in the device.

Sub Policies Utilization The percentage of DME resource utilization from the entries of sub-policies.

In the context of the DME, a sub-policy is a combination of the following:

Source-IP-address range

Destination-IP-address range

VLAN-tag range

HW Entries Utilization The percentage of resource utilization from the HW entries in the context of the DME.

Policies Resources Utilization table

Parameter Description

Policy Name The name of the policy.

Direction The direction of the policy.

Values: inbound, outbound

Num of HW Entries The number of DME hardware entries that the policy uses.

Num of Sub-Policies The number of DME sub-policy entries that the policy uses.

Global

Suspend Table

Suspend Table Parameters

The Suspend Table allows you to define that for certain attacks, in addition to the action defined in the attack, the device should also suspend traffic from the IP address that was the source of the attack, for a period of time.

The period for which a source is suspended is set according to the following algorithm:

The first time a source is suspended, the suspension time is according to the Minimal Aging Time configured for the Suspend Table.

Each time the same source is suspended again, the suspension length is doubled, until it reaches the Maximum Aging Time set for the Suspend Table.

Once the suspension length has reached the maximum length allowed, it will remain constant for each additional suspension.

The Suspend Table Parameters window enables you to set the tuning parameters for the Suspend Table.

To set the suspend table parameters

1. Select DDoS Protector > Global > Suspend Table Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Suspend Table min time The time, in seconds, for which the DDoS Protector device suspends first-time offending source IP addresses.

Default: 10

Suspend Table max time The maximal time, in seconds, for which the DDoS Protector device suspends a specific source. Each time the DDoS Protector device suspends the same source, the suspension length doubles until it reaches the Maximal Aging Timeout.

Default: 600

Suspend Table max same source entries

The number of times the DDoS Protector device suspends the same source IP address before the DDoS Protector device suspends all traffic from that source IP address — regardless of the specified Suspend Action. For example, if the value for this parameter is 4 and the specified Suspend Action is SrcIP-DstIP-SrcPort-DstPort, the DDoS Protector device suspends all traffic from a source IP address that had an entry in the Suspend list more than four times, even if the destination IP address, source port, and destination ports were different for the previous updates to the Suspend table.

This parameter is irrelevant when the specified Suspend Action is SrcIP.

Values:

0—The device does not implement the feature.

1 – 10

Default: 0
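An added example, not Check Point's code, of the suspension-time algorithm and the max same source entries escalation described above. It assumes that entries are keyed on source, destination, destination port and protocol as the Suspend Table pane displays them; that the source-wide entry created by the escalation (or by the SrcIP Suspend Action) is shown as destination 0.0.0.0 and port 0 as the pane describes, and ignores the protocol; and that a source's suspension history survives the expiry of its entries, which is what makes the doubling possible.

```python
# Added example (not Check Point code): Suspend Table backoff (min time, doubling,
# max time) and escalation to all traffic from a repeatedly suspended source.
from typing import Dict, Tuple

ALL_DESTINATIONS = "0.0.0.0"   # the pane shows 0.0.0.0 for "all destinations"
ALL_PORTS = 0                  # and port 0 for "all ports"
ANY_PROTOCOL = "*"             # assumption: a source-wide entry ignores the protocol

Key = Tuple[str, str, int, str]   # (source IP, destination IP, destination port, protocol)


class SuspendTable:
    def __init__(self, min_time: int = 10, max_time: int = 600,
                 max_same_source: int = 0,
                 action: str = "SrcIP-DstIP-SrcPort-DstPort") -> None:
        if not 1 <= min_time <= max_time:
            raise ValueError("min time must be positive and not exceed max time")
        if not 0 <= max_same_source <= 10:
            raise ValueError("max same source entries: 0 (off) or 1-10")
        self.min_time, self.max_time = min_time, max_time
        self.max_same_source, self.action = max_same_source, action
        self.entries: Dict[Key, float] = {}   # key -> time at which the suspension ends
        self.count: Dict[str, int] = {}       # source -> suspensions so far
        self.last: Dict[str, int] = {}        # source -> length of its last suspension

    def next_length(self, src: str) -> int:
        """First offence: min time; every repeat doubles, capped at max time."""
        if src not in self.last:
            return self.min_time
        return min(self.last[src] * 2, self.max_time)

    def suspend(self, src: str, dst: str, dport: int, proto: str,
                now: float) -> Tuple[Key, int]:
        length = self.next_length(src)
        self.count[src] = self.count.get(src, 0) + 1
        self.last[src] = length
        # Escalate to all traffic from the source when the Suspend Action is SrcIP,
        # or when the source has been suspended more than max_same_source times.
        escalate = self.action == "SrcIP" or (
            self.max_same_source > 0 and self.count[src] > self.max_same_source)
        key: Key = ((src, ALL_DESTINATIONS, ALL_PORTS, ANY_PROTOCOL) if escalate
                    else (src, dst, dport, proto))
        self.entries[key] = now + length
        return key, length

    def expire(self, now: float) -> None:
        for key in [k for k, ends in self.entries.items() if ends <= now]:
            del self.entries[key]

    def is_suspended(self, src: str, dst: str, dport: int, proto: str, now: float) -> bool:
        self.expire(now)
        return ((src, dst, dport, proto) in self.entries
                or (src, ALL_DESTINATIONS, ALL_PORTS, ANY_PROTOCOL) in self.entries)


if __name__ == "__main__":
    # Constructed sample: one source re-offending against the same server eight times.
    table = SuspendTable()
    print([table.suspend("192.0.2.1", "203.0.113.10", 80, "TCP", i * 1000)[1]
           for i in range(8)])
```

With the defaults (min 10 s, max 600 s) a source that keeps re-offending is suspended for 10, 20, 40, 80, 160, 320 and then 600 seconds for every further offence. With max same source entries set to 4, the fifth suspension of the same source is recorded as a source-wide entry even if the four earlier ones targeted different destinations, so a subsequent session from that source to any destination or port is suspended.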

Suspend Table Pane

Use the Suspend Table pane to view and monitor attacks that are currently in the Suspend Table.

To view the suspend table

Select DDoS Protector > Global > Suspend Table > Table. The following parameters are displayed:

Parameter Description

Source IP The IP address from which traffic was suspended.

Dest IP The IP address to which traffic was suspended (0.0.0.0 means traffic to all destinations was suspended).

Dest Port The application port to which traffic was suspended (0 means all ports).

Protocol Values: TCP, UDP

Module The internal, higher-level module that identified the entry in the Suspend Table.

Classification Object Type The internal classification-object type that identified the entry in the Suspend Table.

Values: Policy, Server Protection

Classification Object Name The internal, lower-level classification module that identified the entry in the Suspend Table, for example: Connection Limit.

Reporting

Reporting Global Parameters

Use the Reporting Global Parameters pane to enable DDoS Protector reporting channels and set the polling time parameters of the Alert Table and the Log File.

To define global reporting parameters

1. Select DDoS Protector > Reporting > Global Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Report Interval The frequency, in seconds, at which the reports are sent through the reporting channels.

Values: 1 – 65,535

Default: 5

Max Alerts per Report The maximum number of attack events that can appear in each report (sent within the reporting interval).

Values: 1 – 2000

Default: 1000

Report Per-Attack Aggregation Threshold The number of events for a specific attack during a reporting interval, before the events are aggregated to a report. When the number of the generated events exceeds the Aggregation Threshold value, the IP address value for the event is displayed as 0.0.0.0, which specifies any IP address.

Values: 1 – 65,535

Default: 5

SNMP Traps Sending When enabled, the device uses the traps reporting channel.

Default: enable

Syslog Sending When enabled, the device uses the syslog reporting channel.

Default: disable


Terminal Echo When enabled, the device uses the Terminal Echo reporting channel.

Default: disable

Email Sending When enabled, the device uses the e-mail reporting channel.

Default: disable

SNMP Traps Sending Risk The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.

Values:

info

low

medium

high

Default: low

Email Sending Risk The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.

Values:

info

low

medium

high

Default: low

Terminal Echo Risk The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.

Values:

info

low

medium

high

Default: low

Syslog Sending Risk The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.

Values:

info

low

medium

high

Default: low

Destination UDP Port The port used for packet reporting.

Values: 1 – 65,535

Default: 2088

Security Log Status When enabled, the device uses the security logging reporting channel.

Top Ten Attacks

Predefined attack reports help you to explore security attack patterns over time. Check Point has created predefined reports for specific types of attack analysis. Attacks can be ranked by volume and by type. Predefined reports also include reports for groups of attacks, or attacks relating to a specific module.

Predefined reports allow you to focus attention on specific threats. Attack information is pre-sorted, with the most important security event information plotted in easy-to-read charts, for your convenience.

To generate a predefined report

1. Select DDoS Protector > Reporting > Top Ten Attacks.

2. Configure the parameters, and click Set.

Parameter Description

Choose type Select the type of attack report you want.

Values:

Top Attacks—Displays the top ten attacks, according to packet count per attack.

Top Attack Sources—Displays the top attacks according to attack sources per IP address.

Top Attack Destinations—Displays the top attacks according to attack destinations per IP address.

Top Attacks by Category—Displays the top ten attack groups (Intrusions, DoS, Anomalies, SYN Floods, and Anti-Scanning), calculated according to packet count per group.

Top Attacks by Risk—Displays a breakdown of all attacks over a set period of time, ranked by risk severity (High, Medium, or Low).

Seconds The number of seconds (retroactive from the current time) for the report.

Data Report

Data Reporting Target Addresses

The device can store up to 10 target addresses for data reporting.

To create a target address for data reporting

1. Select DDoS Protector > Reporting > Data Report > Address.

2. Click Create.

3. In the ip-address text box, enter the IP address.


4. Configure the parameters, and click Set.

To delete a target address for data reporting

1. Select DDoS Protector > Reporting > Data Report > Address.

2. Select the check box in the relevant row, and click Delete.

Security Log

Security Log Show

All events and alerts are logged in an all-purpose cyclic log file. The log file can be obtained at any time.

The size of the log file is limited. When the number of entries exceeds the permitted limit, the oldest entries are overwritten. You are notified regarding the status of the log file utilization. The notifications appear when the file is 80% utilized and 100% utilized.

To view alerts

1. Select DDoS Protector > Reporting > Security Log > Show.

2. Click on the Attack Index number. The following parameters are displayed.

Parameter Description

Attack Index The number of the entry in the table.

Attack Name The name of the attack that was detected.

Attack Source Address The IP address from which the attack arrived.

Attack Destination Address The IP address to which the attack is destined.

Last Action The current status of the event.

Values:

Occurred—Each packet matched with signatures is reported as an attack and must be dropped. In that case, the Tracking Type that is activated is Drop All.

Started/terminated—When the number of packets that match signatures goes beyond the predefined threshold within the Tracking Time, the reported Attack Status is started. When the number of packets that match signatures is below the predefined threshold, the reported Attack Status becomes terminated. In that case, the Tracking Type that is activated is Target, or Target & Source.

Attack Time The time that the report was generated.

Date The date that the report was generated.

Attack context The context in which the attack was recognized.

Source Port TCP/UDP source port.


Destination Port TCP/UDP destination port.

Protocol The transmission protocol used.

Values: TCP, UDP, ICMP, IP

VLAN Tag The VLAN tag.

Physical Interface The actual port on the device from which the attack arrived.

ID A unique identifier of the attack.

Context The context.

Service The security service that detected the attack: Application Security, DOS Shield, Generic.

Policy Name The policy that was used to detect the attack.

Packet Count The number of packets in the attack since the latest trap was sent.

KByte Count The number of Kbytes that were dropped/forwarded.

Report Mode Values:

Drop—The packet is discarded.

Forward—The packet is forwarded to the defined destination.

Reset Source—Sends TCP-Reset packet to the packet Source IP.

Reset Destination—Sends TCP-Reset packet to the destination address.

Default—Takes the Action Mode parameter defined in the Application Security Global Parameters window.

Risk How dangerous the attack is: High, Low, Medium, Not Available.

Security Log Clear

The Security Log Clear window enables you to clear the previously created log.

To clear the log

1. Select DDoS Protector > Reporting > Security Log > Clear.

2. Click Set.

Packet Trace

To configure packet trace

1. Select DDoS Protector > Reporting > Packet Trace.

2. Configure the parameters, and click Set.


Parameter Description

Enable Packet Trace on Physical Port Disables the feature, or enables it and specifies the physical port to which the DDoS Protector device sends identified attack traffic (when the Packet Trace feature is enabled in the policy rule or profile).

Values:

none—The Packet Trace feature is disabled.

The physical, inspection ports (that is, excluding the management ports)

Default: none

Caution: A change to this parameter takes effect only after you update policies.

Note: DDoS Protector x06 models support the Packet Trace functionality only for dropped traffic.

Max Packet Rate The maximum number of packets per second that the Packet Trace feature sends.

Values: 1–200,000

Default: 50,000

Caution: A change to this parameter takes effect only after you update policies.

Packet Length The maximum length, in bytes, of dropped packets that the Packet Trace feature sends. DDoS Protector can limit the size of Packet Trace sent packets only for dropped packets. That is, when a rule is configured with Report Only (as opposed to Block), the Packet Trace feature sends the whole packets.

Values: 64 – 1550

Default: 1550

Caution: A change to this parameter takes effect only after you update policies.

Tip: If you are interested only in the headers of the dropped packets, set the minimum value, 64, to conserve resources.

Attack Database

Attack Database Version

The Attack Database Version window is a read-only window that shows the version of the current attack database.

To view the attack database version

Select DDoS Protector > Attack Database > Version.


Attack Database Send to Device

The DoS Signatures module uses the Signature File Update feature to update the signatures database.

The update of the Signature file is performed per device using the Send Attack Database to Device window.

You can download an updated DoS Signature file from the Check Point Security Updates Center, and load it to the device.

To view the signature file (attack database) version

1. Select DDoS Protector > Attack Database > Send to Device.

2. In the File field, type the name of the file, or click Browse to navigate to the relevant file.

Activate Latest Changes

If you edit the parameters of a basic filter or an advanced filter that is bound to an existing policy, you need to update the policy with the recent changes.

To activate the latest changes

1. Select DDoS Protector > Update Policies.

2. Click Set.

Packet Anomalies

Packet Anomalies Attacks

Packet Anomaly protection detects and provides protection against packet anomalies. Generally, whenever a packet matching one of the predefined checks arrives it is automatically blocked, discarded, and reported. However, you may wish to allow certain anomalous traffic to flow through the device without inspection.

The Packet Anomalies Table window enables you to allow certain packets to pass through the device without inspection as well as defining the risk factor.

When the Packet Trace feature is enabled for Packet Anomaly Protection, the device sends anomalous packets to the specified physical port. You enable or disable the Packet Trace feature for all the packet-anomaly protections configured on the device.

To configure the Packet Trace status

1. Select DDoS Protector > Packet Anomalies > Table.

2. From the Packet Trace Status drop-down list, select enable or disable.

3. Click Set.

To configure the packet anomalies parameters

1. Select DDoS Protector > Packet Anomalies > Table.

2. Select the relevant ID from the table.

3. Configure the parameters, and click Set.

Parameter Description


ID (Read-only) The ID number for the packet-anomaly protection.

Name (Read-only) The name of the packet-anomaly protection.

Risk The risk associated with the trap for the specific anomaly.

Values: Info, Low, Medium, High

Default: Info

Action The action that the device takes when the packet anomaly is detected. The action is only for the specified packet-anomaly protection.

Values:

block—The device discards the anomalous packets and issues a trap.

report—The device issues a trap for anomalous packets. If the Report Action is Process, the packet goes to the rest of the device modules. If the Report Action is Bypass, the packet bypasses the rest of the device modules.

no-report—The device issues no trap for anomalous packets. If the Report Action is Process, the packet goes to the rest of the device modules. If the Report Action is Bypass, the packet bypasses the rest of the device modules.

Report Action The action that the DDoS Protector device takes on the anomalous packets when the specified Action is report or no-report. The Report Action is only for the specified packet-anomaly protection.

Values:

bypass—The anomalous packets bypass the device.

process—The DDoS Protector modules process the anomalous packets. If the anomalous packets are part of an attack, DDoS Protector can mitigate the attack.

Note: You cannot select process for the following packet-anomaly protections:

104—Invalid IP Header or Total Length

107—Inconsistent IPv6 Headers

131—Invalid L4 Header Length

Default Configuration of Packet-Anomaly Protections

Anomaly Description

Unrecognized L2 Format

(This anomaly is available only on x412 platforms. This anomaly cannot be sampled.)

Packets with more than two VLAN tags, L2 broadcast, or L2 multicast traffic.

ID: 100

Default Action: No Report

Default Report Action: Process

Default Risk: Info

Incorrect IPv4 Checksum

(This anomaly is available only on x412 platforms. This anomaly cannot be sampled.)

The IP packet header checksum does not match the packet header.

ID: 103

Default Action: Drop

Default Report Action: Bypass

Default Risk: Info

Invalid IPv4 Header or Total Length

The IP packet header length does not match the actual header length, or the IP packet total length does not match the actual packet length.

ID: 104

Default Action: Drop

Report Action: Bypass

Default Risk: Info

TTL Less Than or Equal to 1 The TTL field value is less than or equal to 1.

ID: 105

Default Action: Report

Default Report Action: Process

Default Risk: Info

Inconsistent IPv6 Headers Inconsistent IPv6 headers.

ID: 107

Default Action: Drop

Report Action: Bypass—You cannot select Process for this packet-anomaly protection

Default Risk: Info

IPv6 Hop Limit Reached IPv6 hop limit is not greater than 1.

ID: 108

Default Action: Report

Default Report Action: Process

Default Risk: Info

Unsupported L4 Protocol Traffic other than UDP, TCP, ICMP, or IGMP.

ID: 110

Default Action: No Report

Default Report Action: Process

Default Risk: Info

Invalid TCP Flags The TCP flags combination is not according to the standard.

ID: 113

Default Action: Drop

Default Report Action: Bypass

Default Risk: Info


Source or Dest. Address same as Local Host

The IP packet source address or destination address is equal to the local host.

ID: 119

Default Action: Drop

Default Report Action: Bypass

Default Risk: Info

Source Address same as Dest Address (Land Attack)

The source IP address and the destination IP address in the packet header are the same. This is referred to as a LAND, Land, or LanD attack.

ID: 120

Default Action: Drop

Default Report Action: Bypass

Default Risk: Info

L4 Source or Dest. Port Zero The Layer 4 source port or destination port equals zero.

ID: 125

Default Action: Drop

Default Report Action: Bypass

Default Risk: Info

Invalid L4 Header Length The length of the Layer 4, TCP/UDP/SCTP header is invalid.

ID: 131

Default Action: Report

Report Action: Bypass—You cannot select Process for this packet-anomaly protection

Default Risk: Info
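As an added example (not Check Point code), here is a Python checker that applies several of the packet-anomaly checks from the table above to a raw IPv4 packet, reports each match with the guide's default Action and Report Action, and builds constructed test packets. The specific invalid TCP flag combinations, the L4 header-length rules, and the way several simultaneous matches combine are assumptions, since the guide does not spell them out.

```python
import socket
import struct

# Default Action / Default Report Action per anomaly ID, from the guide's default-configuration table.
DEFAULTS = {
    103: ("Incorrect IPv4 Checksum", "Drop", "Bypass"),
    104: ("Invalid IPv4 Header or Total Length", "Drop", "Bypass"),
    105: ("TTL Less Than or Equal to 1", "Report", "Process"),
    110: ("Unsupported L4 Protocol", "No Report", "Process"),
    113: ("Invalid TCP Flags", "Drop", "Bypass"),
    120: ("Source Address same as Dest Address (Land Attack)", "Drop", "Bypass"),
    125: ("L4 Source or Dest. Port Zero", "Drop", "Bypass"),
    131: ("Invalid L4 Header Length", "Report", "Bypass"),
}
# Assumption: the guide does not enumerate non-standard flag combinations; these three are
# illustrative (no flags, SYN+FIN, SYN+RST).
INVALID_TCP_FLAGS = {0x00, 0x03, 0x06}
SUPPORTED_L4 = {1, 2, 6, 17}  # ICMP, IGMP, TCP, UDP, as listed for anomaly 110

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum (ones' complement of the ones' complement sum of 16-bit words).
    Computed over a header whose checksum field is already correct, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def check_packet(pkt: bytes) -> list:
    """Return the sorted IDs of the modeled packet-anomaly protections matching one IPv4 packet."""
    if len(pkt) < 20:
        return [104]
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or ihl > len(pkt) or total_len != len(pkt):
        return [104]  # lengths are unreliable, so stop parsing here (assumption)
    found = []
    if ipv4_checksum(pkt[:ihl]) != 0:
        found.append(103)
    ttl, proto = pkt[8], pkt[9]
    if ttl <= 1:
        found.append(105)
    if pkt[12:16] == pkt[16:20]:
        found.append(120)
    if proto not in SUPPORTED_L4:
        found.append(110)
    l4 = pkt[ihl:]
    if proto in (6, 17):
        if len(l4) < 8:
            return sorted(found + [131])
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == 0 or dport == 0:
            found.append(125)
    if proto == 6:  # TCP: the data offset must be at least 5 words and fit inside the packet
        data_offset = (l4[12] >> 4) * 4 if len(l4) >= 20 else 0
        if data_offset < 20 or data_offset > len(l4):
            found.append(131)
        elif (l4[13] & 0x3F) in INVALID_TCP_FLAGS:
            found.append(113)
    elif proto == 17:  # UDP: the length field covers the 8-byte header plus data
        udp_len = struct.unpack("!H", l4[4:6])[0]
        if udp_len < 8 or udp_len > len(l4):
            found.append(131)
    return sorted(found)

def disposition(ids: list) -> tuple:
    """Combine the defaults of the matched anomalies. The guide does not say how several
    simultaneous matches combine; here the most restrictive default wins (assumption)."""
    if not ids:
        return ("Forward", None)
    actions = {DEFAULTS[i][1] for i in ids}
    if "Drop" in actions:
        return ("Drop", None)
    report = "Report" if "Report" in actions else "No Report"
    report_action = "Process" if all(DEFAULTS[i][2] == "Process" for i in ids) else "Bypass"
    return (report, report_action)

def build_ipv4(src, dst, proto, ttl, payload, corrupt_checksum=False):
    """Constructed test packet: minimal 20-byte IPv4 header with a correct (or deliberately wrong) checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr) ^ (1 if corrupt_checksum else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def build_tcp(sport, dport, flags, data_offset_words=5):
    """Constructed 20-byte TCP header with the given ports, flags and data offset."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset_words << 4, flags, 65535, 0, 0)

if __name__ == "__main__":
    # Constructed sample: SYN+FIN with TTL 1, source port 0 and a corrupted IPv4 checksum.
    pkt = build_ipv4("198.51.100.7", "203.0.113.9", 6, 1, build_tcp(0, 80, 0x03), corrupt_checksum=True)
    ids = check_packet(pkt)
    print(ids, disposition(ids))  # [103, 105, 113, 125] ('Drop', None)
```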

Service Discovery

Service Discovery Global Parameters

Use the Service Discovery feature in a Network Protection policy to identify HTTP servers in a specified network and protect the discovered servers with the default HTTP-flood-mitigator profile.

The Service Discovery mechanism discovers HTTP servers by identifying HTTP responses. Therefore, in order to use Service Discovery, the DDoS Protector device needs to be in a topology where it can inspect both HTTP requests and HTTP responses.

The details of the discovered servers are contained in the Server Protection table.

When a discovered server is no longer active for a specified period, the Service Discovery mechanism can remove the server from the table.

To implement the Service Discovery feature, when you configure a Network Protection policy, you specify the Service Discovery profile to use in the policy.

To configure the global parameters of the Service Discovery feature

1. Select DDoS Protector > Service Discovery > Global Parameters.


2. Configure the following parameters, and click Set.

Parameter Description

Mechanism Status Specifies whether the DDoS Protector device uses the Service Discovery feature.

Values: enable, disable

Default: enable

Tracking Time The time, in minutes, that the Service Discovery mechanism tracks a server sending HTTP responses. The Service Discovery mechanism uses the Tracking Time and the specified number of HTTP responses during the Tracking Time to determine whether to protect the server.

Values: 1 – 60

Default: 5

Revalidation Time Specifies how often, in days, the Service Discovery mechanism revalidates the discovered servers.

Values:

1 – 365

disable—Once identified, the Service Discovery mechanism never revalidates a server to protect.

Default: 7

Service Discovery Profiles

To implement the Service Discovery feature, when you configure a Network Protection policy, you specify the Service Discovery profile to use in the policy. Check Point DDoS Protector configures a default Service Discovery profile, ServiceDiscovery_Default. You can modify ServiceDiscovery_Default profile. You can also configure additional Service Discovery profiles to use in your Network Protection policies.

Note: The Service Discovery profile can be specified in multiple Network Protection policies, which may have overlapping network ranges. The Service Discovery mechanism protects the discovered server only with the first policy that matches.

To configure a Service Discovery profile

1. Select DDoS Protector > Service Discovery > Profiles.

2. Do one of the following:

To create a new entry, click Create.

To modify an existing entry, click the entry.

3. Configure the following parameters, and click Set.

Parameter Description

Profile Name The name of the Service Discovery profile.

Maximum characters: 30


HTTP Profile The HTTP-flood mitigator profile for the server.

Default: HTTP_Default

Notes:

The server is protected with the profile configuration that exists when the server is added to the Server Protection table. If the configuration of the profile changes, the new configuration protects only the subsequently added/discovered servers.

The profile configuration includes the parameters Action and Packet Trace, but the DDoS Protector device ignores the values. Instead, the device uses the Action and Packet Trace values that are configured in the Network Protection policy.

Responses per Minute The average number of HTTP responses per minute during the Tracking Time (specified globally) that causes the Service Discovery mechanism to protect the server. If the total value is reached before the Tracking Time elapses (Responses per Minute × Tracking Time), the Service Discovery mechanism adds the server to the Server Protection table immediately.

Values: 1 – 5000

Default: 100

Automatic Removal Specifies whether the Service Discovery mechanism removes the server from the Server Protection table if, after the Revalidation Time the server does not meet the Tracking-Time–Responses-per-Minute criteria.

Values: Yes, No

Default: No
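To show how Tracking Time, Responses per Minute, Revalidation Time, Automatic Removal and the first-matching-policy rule from the Note above fit together, here is an added Python model (not Check Point code). The class names, the data layout, the sliding-window reading of "Responses per Minute × Tracking Time", and the revalidation logic are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ServiceDiscoveryProfile:
    """The profile parameters from the guide's table (parameter names are the guide's; types are assumed)."""
    name: str
    http_profile: str = "HTTP_Default"
    responses_per_minute: int = 100
    automatic_removal: bool = False


class ServiceDiscovery:
    """Model of the discovery mechanism. A Network Protection policy is given as an ordered
    (network, profile) pair; the first policy whose network matches wins, as the guide's Note states."""

    def __init__(self, policies, tracking_time_min=5, revalidation_days=7):
        self.policies = [(ipaddress.ip_network(net), prof) for net, prof in policies]
        self.tracking_min = tracking_time_min                # Tracking Time (global), minutes
        self.tracking = tracking_time_min * 60               # the same window in seconds
        self.revalidation = revalidation_days * 86400        # Revalidation Time (global), seconds
        self._responses = {}   # server ip -> timestamps of HTTP responses seen from it
        self.protected = {}    # the Server Protection table: ip -> profile snapshot + added_at

    def profile_for(self, server_ip):
        """Service Discovery profile of the first matching policy, or None if no policy covers the server."""
        addr = ipaddress.ip_address(server_ip)
        for net, prof in self.policies:
            if addr in net:
                return prof
        return None

    def _recent(self, server_ip, now):
        """Number of responses from this server inside the trailing Tracking Time window."""
        window = [t for t in self._responses.get(server_ip, []) if now - t < self.tracking]
        self._responses[server_ip] = window
        return len(window)

    def observe_response(self, server_ip, now):
        """Record one HTTP response seen from server_ip; returns True when the server is added."""
        prof = self.profile_for(server_ip)
        if prof is None:
            return False
        self._responses.setdefault(server_ip, []).append(now)
        if server_ip in self.protected:
            return False
        # Responses per Minute x Tracking Time responses inside the window: the server is added
        # at once, without waiting for the rest of the Tracking Time to elapse.
        if self._recent(server_ip, now) >= prof.responses_per_minute * self.tracking_min:
            # The HTTP profile in force at discovery time is what protects the server (guide's Note).
            self.protected[server_ip] = {"profile": prof.name, "http_profile": prof.http_profile,
                                         "added_at": now}
            return True
        return False

    def revalidate(self, now):
        """Re-check servers whose Revalidation Time has elapsed; returns the servers removed."""
        removed = []
        for ip, entry in list(self.protected.items()):
            if now - entry["added_at"] < self.revalidation:
                continue
            prof = self.profile_for(ip)
            still_active = self._recent(ip, now) >= prof.responses_per_minute * self.tracking_min
            if prof.automatic_removal and not still_active:
                del self.protected[ip]
                removed.append(ip)
            else:
                entry["added_at"] = now   # keep protecting; next check after another Revalidation Time
        return removed
```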

Restore Default Configuration

DDoS Protector supports default protection profiles, which you can use in your Network Protection policies and which are used in the default Network Protection policy. You cannot delete the default protection profiles, but you can change their parameters.

The Restore Default Configuration action reconfigures the default protection profiles in existing Network Protection policies with the default values, and then reboots the device. You can run the Restore Default Configuration action in the Restore Default Configuration pane.

DDoS Protector supports default profiles for the following protections:

DoS Signatures—Uses the Dos-All profile as the default profile. You can use the Dos-All profile in your Network Protection policies or you can use no DoS Shield protection. You cannot modify the profile.

BDoS—Supports the NetFlood_Default default protection profile. By default, the profile is enabled.

DNS—Supports the DNSFlood_Default default protection profile. By default, the profile is enabled.

SYN Protection—Supports the SYNFlood_Default default protection profile. By default, the profile is enabled, and includes all static SYN-protection attacks (that is, FTP Control, HTTP, HTTPS, IMAP, POP3, RPC, RTSP, SMTP, and Telnet).

OOS Protection—Supports the OOSFlood_Default default protection profile. By default, the profile is enabled.


Notes:

For BDoS, DNS, SYN, Out-of-State protections, you can also create your own protection profiles, and use them instead of the default protection profiles.

The Restore Default Configuration action does not affect user-defined protection profiles.

Since BDoS and DNS baselines are not part of the profiles, BDoS and DNS protections keep their values during the Restore Default Configuration operation.

To restore the default configuration

1. Select DDoS Protector > Restore Default Configuration.

2. Click Set.


Chapter 6

Configuring Services Parameters

Tuning

Security

Application Security Tuning

The Security Tables store information about sessions passing through the device; their sizes are correlated to the actual number of sessions.

In the Application Security Tuning window, you can view and edit the application security tuning parameters. The changes take effect after the reset.

Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.

To tune DDoS Protector application security tables

1. Select Services > Tuning > Security > Application Security.

2. To change current settings, enter new values in the after reset fields.

3. Click Set.

Parameter Description

Maximal number of http-flood suspects sources The maximum number of suspect sources in HTTP Mitigation policies.

Values: 1000 – 500,000

Default: 100,000

Maximal number of attacks to be defined by user The maximum number of attack entries in the User Attacks Database Table. The Attacks Database Table contains attacks provided by Check Point as well as attacks defined by the user.

Maximal number of srcIPs in Suspend Table The maximum number of hosts that the Suspend table is able to block simultaneously.

Values: 1000 – 100,000

Default: 10,000

Maximal number of Server Protection servers Table The maximum number of entries in the Server Protection policy.

Values: 100 – 10,000

Default: 350


Counters Source Table The maximum number of sessions in which a source address is tracked.

Some attack signatures use thresholds per source for activation. The Counter Source Table counts the number of times traffic from a specific source matches a signature. When the number of packets sent from a particular source exceeds the predefined limit, it is identified as an attack.

Values: 100 – 65,536

Default: 65,536

Counters Target Table The maximum number of sessions in which a Destination address is tracked.

Some attack signatures use thresholds per destination for activation. The Counter Target Table counts the number of times traffic to a specific destination matches a signature. When the number of packets sent to a particular destination exceeds the predefined limit, it is identified as an attack.

Values: 100 – 65,536

Default: 65,536

Counters Source & Target Table The maximum number of sessions in which Source and Destination addresses are tracked.

Some signatures use thresholds per source and destination for activation. The Counter Source & Target Table counts the number of times traffic from a specific source to a specific destination matches a signature. When the number of packets sent from a particular source to a particular destination exceeds the predefined limit, it is identified as an attack.

Values: 100 – 65,536

Default: 65,536

Counters DHCP Table The number of MAC addresses to check for IP requests.

The DHCP Discover table detects attacks by counting the IP requests for each MAC address. The requests are made using Dynamic Host Configuration Protocol. When the number of IP requests for a particular MAC address exceeds the predefined limit, it is identified as an attack.

Values: 100 – 64,000

Default: 100

Counters Reports for all counters The maximum number of entries for reports on active concurrent Tracking Signatures attacks.

Values: 100 – 64,000

Default: 20,000

Maximal number of entries in NCPF table The maximal number of entries in the New Count Per Filter table, which the DoS shield mechanism uses.

Values: 100 – 16,000

Default: 10,000


Authentication Table Tuning

Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.

To tune the authentication table

1. Select Services > Tuning > Security > Authentication tables.

2. To change current settings, enter new values in the after reset fields.

3. Click Set.

Parameter Description

HTTP Authentication Table Size The number of sources in the HTTP Authentication table.

DDoS Protector uses the HTTP Authentication table in HTTP Flood profiles and the HTTP Authentication feature in a SYN Protection profile.

Values: 500,000 – 2,000,000

Default: 2,000,000

TCP Authentication Table Size The number of sources in the TCP Authentication table.

DDoS Protector uses the TCP Authentication table for the Safe Reset Authentication Method feature in SYN Protection profiles.

Values: 500,000 – 2,000,000

Default: 2,000,000

Note: For x412 platforms, the value is fixed at the default 2,000,000, and cannot be tuned.

Behavioral DoS

The Behavioral DoS Tuning window enables you to set the maximal number of Behavioral DoS policies.

Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.

Note: Each time you update the value for Behavioral DoS, you can check whether there is enough free memory for the requested value. This check is done in the Memory Check window.

To set the maximal number of behavioral DoS policies

1. Select Services > Tuning > Security > Behavioral DoS.

2. To change the current setting, enter a new value in the after reset field. Values: 1 – 100. Default: 10.

3. Click Set.


DNS Protection Tuning Parameters

In the DNS Protection Tuning Parameters window, you can view and edit the DNS Flood Protection tuning parameters.

The changes take effect after the reset.

Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.

To tune DNS Protection tables

1. Select Services > Tuning > Security > DNS Protection.

2. To change current settings, enter new values in the after reset fields.

3. Click Set.

Parameter Description

Maximal number of DNS Protection policies The maximum number of configurable DNS Flood Protection policies.

Values: 1 – 100

Default: 10

SDM Table Size The size of the SDM table.

Values: small, medium, large

Default: medium

Device Tuning

The Device Tuning window allows you to view and edit the device tuning parameters. The changes take effect after the reset.

Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.

To tune DDoS Protector

1. Select Services > Tuning > Device.

2. To change current settings, enter new values in the after reset fields.

3. Click Set.

Parameter Description

IP Fragmentation Table The maximum number of IP fragments that the device stores.

Values: 1 – 256,000

Default: 1240

Session Table The maximum number of sessions that the device can track.

Values per model:

x06—20 – 2,000,000

x412—20 – 4,000,000

Default per model:

x06—1,800,000

x412—2,885,000

Session Resets Table The maximum number of sessions that the device tracks to send RESET when Send Reset To Server is enabled in the Session table.

Values: 1 – 10,000

Default: 1000

Routing Table The maximum number of entries in the Routing table.

Values: 20 – 32,767

Default: 64

Pending Table The maximum number of new simultaneous dynamic sessions the device can open.

Values: 16 – 16,000

Default: 1024

SIP Call Table The maximum number of SIP calls the device can track.

Values: 16 – 256,000

Default: 1024

TCP Segmentation Table The maximum number of TCP Segments. This parameter is used when SIP Protocol is enabled and SIP is running over TCP.

Values: 1 – 32,768

Default: 256

Memory Check

DDoS Protector pre-checks the feasibility of values in configured tables. This eliminates the chance of causing a memory allocation problem. Each time you update a value for a certain table, it is possible to check whether there is enough free memory for the requested value.

Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.

To check the device memory

1. Select Services > Tuning > Memory Check.

2. Click Perform Test. This tests whether the device has sufficient memory to allocate the values for the updated tables.

3. If there is enough memory, click Reboot to update the device with the new values.

Classifier Tuning

The Classifiers Tuning window enables you to view and edit the Classifier tuning parameters. The changes take effect after the reset.

Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.

To set the classifier tuning parameters

1. Select Services > Tuning > Classifier.

2. To change current settings, enter new values in the after reset fields.

3. Click Set.

Parameter Description

Network Table The maximum number of entries in the table for ranges.

Values: 32 – 10,000

Default: 256

Discrete IP Addresses Per Network

The maximum number of entries in the table for IP addresses that are allocated to a network.

Values: 16 – 1024

Default: 64

Subnets Per Network The maximum number of entries in the table for network subnets.

Values: 16 – 256

Default: 64

MAC Groups Table The maximum number of entries in the table for MAC groups.

Values: 16 – 2048

Default: 128

Filter Table The maximum number of entries in the table for basic filters.

Values: 512 – 2048

Default: 512

AND Group Table The maximum number of entries in the advanced filters table for AND groups.

Values: 256 – 2048

Default: 256

OR Group Table The maximum number of entries in the advanced filters table for OR groups.

Values: 256 – 2048

Default: 256

Application port Groups The maximum number of entries in the table for application port groups.

Values: 32 – 2000

Default: 512

Content Table The maximum number of content entries in the table.

Values: 16 – 4096

Default: 256

SYN Protection Tuning

The SYN Protection Tuning window enables you to view and edit the SYN Protection Tuning parameters. The changes take effect after the reset.

Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.

To tune SYN Protection tables

1. Select Services > Tuning > SYN Protection.

2. To change current settings, enter new values in the after reset fields.

3. Click Set.

Parameter Description

SYN Protection Table The number of entries in the SYN Protection Table, which stores data about the delayed binding process. An entry exists from the time the client completes the handshake with the device until the handshake with the server is complete.

The number of entries in the SYN Protection Table after reset.

Values: 10 – 500,000

Default: 200,000

SYN Protection Requests Table The number of entries in SYN Protection Requests Table that stores the ACK or data packet that the client sends, until the handshake with the server is complete and the packet is sent to the server.

The number of entries in SYN Protection Requests Table after reset.

Values: 10 – 500,000

Default: 200,000

SYN Protection Attack Detection Entries

The number of entries in the table that stores active triggers — that is, the destination IP addresses/ports from which the device identifies an ongoing attack.

Values: 1000 – 20,000

Default: 1000

SYN Statistics Entries The number of entries in the SYN Flood Statistics table.

Values: 1000 – 20,000

Default: 1000

Diagnostics Tuning

The Diagnostics Tools Tuning window enables you to set the number of Diagnostics policy entries in the tuning table in order to save memory and limit the policy size.

The changes take effect after the reset.

Caution: Check Point strongly recommends that you perform any device tuning only after consulting with the Check Point Support Center.

To set the tuning parameters

1. Select Services > Tuning > Diagnostics.

2. To change the current setting, enter the new value in the after reset field.

3. Click Set.

Parameter Description

Diagnostics Policies Table The number of Diagnostics policies in the table.

Diagnostics

Capture

Diagnostics Capture Parameters

The Traffic Capture tool captures packets that enter the device, leave the device, or both. The captured traffic is in TCPDUMP format. You can download the captured packets, and analyze the traffic using Unix snoop or various tools. For remote administration and debugging, you can also send captured traffic to a terminal (CLI, Telnet, and SSH). You can specify where the device captures packets to get a better understanding of the traffic flow—especially if the device manipulates the packets—due to NAT, traffic from a VIP to a real server, and so on.

The Traffic Capture tool truncates packets longer than 1619 bytes (regardless of the configuration for jumbo frames).

Caution: Enabling this feature may cause severe performance degradation.

The Traffic Capture tool uses the following format for packet capture files:

capture_<Device Name>_ddMMyyyy_hhmmss_<file number>.cap

To configure the Capture Tool

1. Select Services > Diagnostics > Capture > Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Status Specifies whether the Capture Tool is enabled.

Values: Enabled, Disabled

Default: Disabled

Note: When the device reboots, the status of the Capture Tool reverts to Disabled.

Output To File The location of the stored captured data.

Values:

RAM Drive and Flash—The device stores the data in RAM and appends the data to the file on the CompactFlash drive. Due to limits on CompactFlash size, DDoS Protector uses two files. When the first file becomes full, the device switches to the second, until it is full and then it overwrites the first file, and so on.

RAM Drive—The device stores the data in RAM.

None—The device does not store the data in RAM or flash, but you can view the data using a terminal.

Output To Terminal Specifies whether the device sends captured data to the terminal.

Values: Enabled, Disabled

Default: Disabled

Capture Point Specifies where the device captures the data.

Values:

On Packet Arrive—The device captures packets when they enter the device.

On Packet Send—The device captures packets when they leave the device.

Both—The device captures packets when they enter the device and when they leave the device.

Capture Rate The capture rate, in packets per second.

Trace

Debug: Trace Parameters

The Trace-Log tool provides data on the traffic flow within the device. The feature is intended for debugging purposes only.

Enabling this feature may cause severe performance degradation.

DDoS Protector uses the following format for Trace-Log files:

trace_log_<Device Name>_ddMMyyyy_hhmmss_<file number>.txt

To configure the Trace-Log tool

1. Select Services > Diagnostics > Trace-Log > Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Status Specifies whether the Trace-Log tool is enabled.

Values: Enabled, Disabled

Default: Disabled

Output To File Specifies the location of the stored data.

Values:

RAM Drive and Flash—The device stores the data in RAM and appends the data to the file on the CompactFlash drive. Due to limits on CompactFlash size, DDoS Protector uses two files. When the first file becomes full, the device switches to the second, until it is full and then it overwrites the first file, and so on.

RAM Drive—The device stores the data in RAM.

None—The device does not store the data.

Output To Terminal Specifies whether the device sends Trace-Log data to the terminal.

Values: Enabled, Disabled

Default: Disabled

Output To Syslog Server Specifies whether the device sends Trace-Log data to a syslog server.

Values: Enabled, Disabled

Default: Disabled

Debug: Message Format

Use the Diagnostics Trace-Log Message Format pane to specify which parameters appear in the Trace-Log message.

To configure the diagnostics Trace-Log message format

1. Select Services > Diagnostics > Trace-Log > Message Format.

2. Configure the parameters, and click Set.

Parameter Description

Date Specifies whether the date that the message was generated is included in the Trace-Log message.

Time Specifies whether the time that the message was generated is included in the Trace-Log message.

Platform Name Specifies whether the platform MIB name is included in the Trace-Log message.

File Name Specifies whether the output file name is included in the Trace-Log message.

Line Number Specifies whether the line number in the source code is included in the Trace-Log message.

Packet Id Specifies whether an ID assigned by the device to each packet is included in the Trace-Log message. This enables you to see the order of the packets.

Module Name Specifies whether the name of the traced module is included in the Trace-Log message.

Task Name Specifies whether the name of the specific task of the module is included in the Trace-Log message.

Trace: Modules

To help pinpoint the source of a problem, you can specify which DDoS Protector modules the Trace-Log feature works on and the log severity per module. For example, you can specify that the Trace-Log feature traces only the Health Monitoring module to understand why a specific health check fails.

To configure the parameters of the Trace-Log modules

1. Select Services > Diagnostics > Trace-Log > Modules.

The table in the pane comprises the following columns:

Name—The name of the module.

Values:

CDE

GENERIC

LCD

VSDR

Status—The current status of the traced module.

Severity—The lowest severity of the events that the Trace-Log includes for this module.

Values:

Emergency

Alert

Critical

Error

Warning

Notice

Info

Debug

2. Click the relevant link.

3. Configure the parameters, and click Set.

Parameter Description

Name (Read-only) The name of the traced module.

Status Specifies whether the Trace-Log feature is enabled for the module.

Severity The lowest severity of the events that the Trace-Log includes for this module.

Values:

Emergency

Alert

Critical

Error

Warning

Notice

Info

Debug

Note: The default varies according to module.

Trace Files

DDoS Protector can store the output of the diagnostic tools in RAM and in the CompactFlash.

If the device is configured to store the output in the CompactFlash, when the data size in RAM reaches its limit, the device appends the data chunk from RAM to the file on the CompactFlash drive. For each enabled diagnostic tool, DDoS Protector uses two temporary files. When one temporary file reaches the limit (1 MB), DDoS Protector stores the information in the second temporary file. When the second temporary file reaches the limit (1 MB), DDoS Protector overwrites the first file, and so on. When you download a CompactFlash file, the file contains both temporary files.

Use the Diagnostic Tools Files Management pane to download or delete files from the RAM or CompactFlash.

To download or delete Trace-Log data

1. Select Services > Diagnostics > Files.

The pane contains two tables, Files On RAM Drive and Files On Main Flash. Each table comprises the following columns:

File Name—The name of the file.

File Size—The file size, in bytes.

Action—The action that you can take on the data stored.

Values:

download—Starts the download process of the selected data. Follow the on-screen instructions.

delete—Deletes the selected file.

2. From the Action column, select the action, Download or Delete, and follow the instructions.
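
The file-name formats given for the Capture and Trace-Log tools, and the two-temporary-file rotation described above, as an added example (not Check Point's code). The sample listing is constructed; the assumptions that the device name contains no underscore, that 1 MB means 10^6 bytes and that the downloaded file puts the older temporary file first are mine, not the guide's.

```python
"""Added example (not Check Point's code): parse the diagnostic file names DDoS
Protector produces and model the two-temporary-file rotation the guide describes
for output stored on CompactFlash. The sample listing below is constructed."""
import re
from datetime import datetime

# Formats from the guide:
#   capture_<Device Name>_ddMMyyyy_hhmmss_<file number>.cap
#   trace_log_<Device Name>_ddMMyyyy_hhmmss_<file number>.txt
# Assumption (not stated in the guide): the device name contains no underscore.
_NAME_RE = re.compile(
    r"^(?P<tool>capture|trace_log)_(?P<device>[^_]+)_"
    r"(?P<date>\d{8})_(?P<time>\d{6})_(?P<num>\d+)\.(?P<ext>cap|txt)$"
)
_EXT_FOR_TOOL = {"capture": "cap", "trace_log": "txt"}


def parse_diag_filename(name):
    """Return {'tool', 'device', 'timestamp', 'num'} or None if the name does not fit."""
    m = _NAME_RE.match(name)
    if not m or _EXT_FOR_TOOL[m["tool"]] != m["ext"]:
        return None
    d, t = m["date"], m["time"]
    try:
        stamp = datetime(int(d[4:8]), int(d[2:4]), int(d[0:2]),
                         int(t[0:2]), int(t[2:4]), int(t[4:6]))
    except ValueError:        # e.g. month 13: not a real device file name
        return None
    return {"tool": m["tool"], "device": m["device"],
            "timestamp": stamp, "num": int(m["num"])}


def newest_per_tool(listing):
    """From a Files On RAM Drive / Files On Main Flash listing, pick the newest file
    of each tool (by timestamp, then file number); names that do not parse are skipped."""
    newest = {}
    for name in listing:
        info = parse_diag_filename(name)
        if info is None:
            continue
        key = (info["timestamp"], info["num"])
        if info["tool"] not in newest or key > newest[info["tool"]][0]:
            newest[info["tool"]] = (key, name)
    return {tool: name for tool, (_, name) in newest.items()}


class TwoFileRotation:
    """Model of the rotation described in the guide: per enabled tool, two temporary
    files of at most 1 MB; when one fills up the writer switches to the other and
    overwrites it. Anything older than the two files is gone, which bounds how much
    capture or trace evidence the flash can retain."""
    LIMIT = 1_000_000  # "1 MB"; assumed here to mean 10^6 bytes

    def __init__(self):
        self.files = [bytearray(), bytearray()]
        self.active = 0
        self.overwrites = 0    # number of times older data was discarded

    def append(self, chunk):
        """Append a chunk flushed from RAM. Assumption: a chunk that would exceed the
        limit goes to the other file, which is emptied first."""
        if len(self.files[self.active]) + len(chunk) > self.LIMIT:
            self.active ^= 1
            if self.files[self.active]:
                self.overwrites += 1
            self.files[self.active] = bytearray()
        self.files[self.active].extend(chunk)

    def download(self):
        """The guide says a downloaded CompactFlash file contains both temporary
        files; assumption: older file first, so the result is chronological."""
        older = self.active ^ 1
        return bytes(self.files[older]) + bytes(self.files[self.active])


if __name__ == "__main__":
    listing = [  # constructed sample listing
        "capture_DP1_06032013_101530_1.cap",
        "capture_DP1_06032013_101530_2.cap",
        "trace_log_DP1_05032013_235959_1.txt",
        "notes.txt",
    ]
    print(newest_per_tool(listing))
    rot = TwoFileRotation()
    for _ in range(7):
        rot.append(b"\x00" * 300_000)
    print(rot.overwrites, len(rot.download()))
```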

Diagnostics Policies

In most cases, there is no need to capture all the traffic passing through the device. Using diagnostic policies, the device can classify the traffic and store only the required information.

Note: To reuse the policy, edit the policy and set it again.

To configure a diagnostics policy

1. Select Services > Diagnostics > Policies.

2. Click Create.

3. Configure the parameters, and click Set.

Parameter Description

Name The user-defined name of the policy up to 20 characters.

Index The number of the policy in the order in which the diagnostics tool classifies (that is, captures) the packets.

Default: 1

Description The user-defined description of the policy.

VLAN Tag Group The VLAN Tag group whose packets the policy classifies (that is, captures).

Destination The destination IP address or predefined class object whose packets the policy classifies (that is, captures).

Default: any — The diagnostics tool classifies (that is, captures) packets with any destination address.

Source The source IP address or predefined class object whose packets the policy classifies (that is, captures).

Default: any — The diagnostics tool classifies (that is, captures) packets with any source address.

Outbound Port Group The port group whose outbound packets the policy classifies (that is, captures).

Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.

Inbound Port Group The port group whose inbound packets the policy classifies (that is, captures).

Service Type The service type whose packets the policy classifies (that is, captures).

Service The service whose packets the policy classifies (that is, captures).

Values:

None

Basic Filter

AND Group

OR Group

Default: None

Destination MAC Group The Destination MAC group whose packets the policy classifies (that is, captures).

Source MAC Group The Source MAC group whose packets the policy classifies (that is, captures).

Maximal Number of Packets The maximal number of packets the policy captures. Once the policy captures the specified number of packets, it stops capturing traffic. In some cases, the policy captures fewer packets than the configured value. This happens when the device is configured to drop packets.

Maximal Packet Length The maximal length for a packet the policy captures.

Capture Status Specifies whether the packet-capture feature is enabled in the policy.

Values: Enabled, Disabled

Default: Disabled

Trace-Log Status Specifies whether the Trace-Log feature is enabled in the policy.

Values: Enabled, Disabled

Default: Disabled

Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.

Syslog Reporting

Event traps can be mirrored to up to five syslog servers. For each DDoS Protector device, you can configure the appropriate information. Any traps generated by the device will be mirrored to the specified syslog servers.

You can also use additional notification settings, such as Facility and Severity. Facility specifies the type of device of the sender. Severity specifies the importance or impact of the reported event. The user-defined Facility value is used when the device sends syslog messages; the Severity value is determined dynamically by the device for each message that is sent.

To enable syslog messages

1. Select Services > Syslog Reporting.

2. Configure the parameters, and click Set.

Parameter Description

Syslog Server The IP address or hostname of the device running the syslog service (syslogd).

Syslog Server Operational Status

Specifies whether the syslog server is enabled.

Default: Enabled

Syslog Server Source Port The syslog source port.

Default: 514

Note: Port 0 specifies a random port.

Syslog Server Destination Port The syslog destination port.

Default: 514

Syslog Server Facility The type of device of the sender. This is sent with syslog messages.

You can use this parameter to do the following:

Distinguish between different devices

Define rules that split messages

Values:

Authorization Messages

Clock Daemon

Clock Daemon2

FTP Daemon

Kernel Messages

Line Printer Subsystem

Local 0

Local 1

Local 2

Local 3

Local 4

Local 5

Local 6

Local 7

Log Alert

Log Audit

Mail System

Network News Subsystem

NTP Daemon

Syslogd Messages

System Daemons

User Level Messages

UUCP

Default: Local Use 6

Syslog Server Protocol The protocol that the device uses to send syslog messages.

Values:

UDP—The device sends syslog messages using UDP. That is, the device sends syslog messages with no verification of message delivery.

TCP—The device sends syslog messages using TCP. That is, the device verifies the message delivery. The device holds undelivered messages in a backlog. As soon as the connection to the syslog server is re-established, the device sends them. If the backlog is full (100 messages, non-configurable), the device replaces lower-priority messages with higher-priority messages (FIFO).

TLS—The device sends syslog messages using TCP with Transport Layer Security (TLS) and uses the CA certificate specified in the CA Certificate Name field. That is, the device verifies message delivery. The device holds undelivered messages in a backlog. As soon as the connection to the syslog server is re-established, the device sends them. If the backlog is full (100 messages, non-configurable), the device replaces lower-priority messages with higher-priority messages (FIFO).

Default: UDP

Note: Report notification of lost syslog messages to your network administrator.

Syslog Server CA Certificate The name of the CA certificate in the Certificate Table that the device uses to send syslog messages when TLS is selected in the Syslog Server Protocol field.
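
Two of the points above, as an added example that is not Check Point's code: how the Facility and Severity values combine into the syslog PRI a receiver splits on (shown for the Local N facilities), and a model of the 100-message backlog the device keeps while a TCP or TLS syslog server is unreachable. The eviction rule (oldest among the least important messages is replaced; a new message that is not more important is dropped) is an assumption, since the guide only says that lower-priority messages are replaced by higher-priority ones.

```python
"""Added example (not Check Point's code): syslog PRI handling for the Local N
facilities the guide lets you choose, plus a model of the 100-message TCP/TLS backlog
it describes, so you can see which messages are lost during a syslog server outage."""

# RFC 5424 severity numbers; the guide lists the same names for Trace-Log severity.
SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
            "Warning": 4, "Notice": 5, "Info": 6, "Debug": 7}
# Facility codes for the guide's "Local N" values (RFC 5424: local0..local7 = 16..23).
FACILITY = {f"Local {n}": 16 + n for n in range(8)}
BACKLOG_LIMIT = 100   # from the guide, non-configurable


def pri(facility_name, severity_name):
    """Syslog PRI value: facility * 8 + severity, e.g. Local 6 / Warning -> 180."""
    return FACILITY[facility_name] * 8 + SEVERITY[severity_name]


def split_pri(pri_value):
    """Inverse of pri(): the facility recovered here is what a receiver-side rule
    that splits messages per device keys on."""
    return pri_value // 8, pri_value % 8


class SyslogBacklog:
    """Undelivered messages while the TCP/TLS connection is down. The guide says that
    when the backlog is full, lower-priority messages are replaced by higher-priority
    ones. Assumption: the evicted message is the oldest among the least important
    ones, and a new message that is not more important than it is dropped."""

    def __init__(self, limit=BACKLOG_LIMIT):
        self.limit = limit
        self.queue = []   # (severity number, sequence, text), oldest first
        self.lost = []    # messages the device could not keep
        self._seq = 0

    def enqueue(self, severity_name, text):
        self._seq += 1
        msg = (SEVERITY[severity_name], self._seq, text)
        if len(self.queue) < self.limit:
            self.queue.append(msg)
            return True
        # Least important = highest severity number; ties resolved towards the oldest.
        victim_idx = max(range(len(self.queue)),
                         key=lambda i: (self.queue[i][0], -self.queue[i][1]))
        if msg[0] >= self.queue[victim_idx][0]:
            self.lost.append(msg)
            return False
        self.lost.append(self.queue.pop(victim_idx))
        self.queue.append(msg)
        return True

    def flush(self):
        """Connection restored: messages leave in arrival order (FIFO)."""
        delivered, self.queue = self.queue, []
        return delivered

    def lost_by_severity(self):
        """Counts to pass on when reporting lost syslog messages, as the guide asks."""
        names = {v: k for k, v in SEVERITY.items()}
        counts = {}
        for sev, _, _ in self.lost:
            counts[names[sev]] = counts.get(names[sev], 0) + 1
        return counts


if __name__ == "__main__":
    b = SyslogBacklog()
    for i in range(150):                       # constructed outage: 150 Info events
        b.enqueue("Info", f"attack stats #{i}")
    b.enqueue("Critical", "link down")         # evicts the oldest Info message
    print(len(b.queue), b.lost_by_severity())  # 100 {'Info': 51}
```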

Daylight Saving

DDoS Protector supports daylight saving time. You can configure the daylight-saving-time start and end dates and times. During daylight saving time, the device automatically adds one hour to the system clock. The device also indicates whether it is on standard time or daylight saving time.

Note: When the system clock is manually configured, the system time is changed only when daylight saving time starts or ends. When daylight saving time is enabled during the daylight saving time period, the device does not change the system time.

To configure daylight saving

1. Select Services > Daylight Saving.

2. Configure the parameters, and click Set.

Parameter Description

Daylight Saving Admin Status Enables or disables daylight saving time.

Default: disabled

Daylight Saving Begins[dd/mm:hh]

The start date and time for daylight saving time.

Daylight Saving Ends[dd/mm:hh]

The end date and time for daylight saving time.

Daylight Saving Designations Specifies whether the device is on standard time or daylight saving time.

Management Interfaces

Telnet

You can access the DDoS Protector via Telnet.

Use the Telnet Parameters pane to configure connectivity.

To configure Telnet connectivity

1. Select Services > Management Interfaces > Telnet.

2. Configure the parameters, and click Set.

Parameter Description

Telnet Port The TCP port used by Telnet.

Default: 23

Telnet Status Specifies whether to enable Telnet access to the device.

Default: Disabled

Telnet Session Timeout The period of time, in minutes, the device maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates.

Values: 1 – 120

Default: 5

Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.

Telnet Authentication Timeout

The timeout, in seconds, required to complete the authentication process.

Values: 10 – 60

Default: 30

Web Server

Web Server Parameters

Use the Web Server Parameters pane to configure Web server connectivity for Web Based Management (WBM).

To configure the Web server connectivity

1. Select Services > Management Interfaces > Web Server > Web.

2. Configure the parameters, and click Set.

Parameter Description

Web Server Port The port to which WBM is assigned.

Default: 80

Web Server Status Specifies whether to enable access to the Web server.

Web Help Location The location (path) of the Web help files.

Web Access Level Values: readWrite, readOnly

Secure Web Parameters

Use the Secure Web Server Parameters pane to configure secure Web server connectivity for Web Based Management (WBM).

To configure secure Web parameters

1. Select Services > Management Interfaces > Web Server > Secure Web.

2. Configure the parameters, and click Set.

Parameter Description

Secured Web Port The port through which HTTPS gets requests.

Default: 443

Secured Web Status Specifies whether to enable secured access to the Web server.

Secured Web Certificate File The Certificate file that is used by secure web for encryption.

Web Services

Use the Web Services pane to enable or disable Web Services.

To enable or disable Web Services

1. Select Services > Management Interfaces > Web Server > Web Services.

2. From the drop-down list, select enable or disable, as required.

3. Click Set.

SSL

Weak Ciphers

To specify whether the device allows management connections over secure protocols with ciphers shorter than 128 bits

1. Select Services > Management Interfaces > SSL > Weak Ciphers.

2. From the Accept Weak Ciphers SSL Status drop-down list, select enable or disable, as required. Default: enable.

3. Click Set.

SSH

Secure Shell Parameters

SSH (Secure Shell) is a protocol for secure remote connections and network services over an insecure network. It provides a secure alternative to a Telnet connection, while still enabling configuration of the device through Web Based Management.

To set the SSH server connection parameters

1. Select Services > Management Interfaces > SSH > Server.

2. Enter the SSH Port and set the SSH Status to Enable.

3. Click Set.

Parameter Description

SSH Port The source port for the SSH server connection.

Default: 22

SSH Status Specifies whether to enable SSH access to the device.

Default: Disabled

SSH Session Timeout The period of time, in minutes, the device maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates.

Values: 1 – 120

Default: 5

Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore the actual timeout can be up to 10 seconds longer than the configured time.

SSH Authentication Timeout The timeout, in seconds, required to complete the authentication process.

Values: 10 – 60

Default: 10

Event Log

You can view a log of the events on the device.

To view the event log

Select Services > Event Log.

To clear the event log

1. Select Services > Event Log.

2. Under the Clear Event Log text, click Set.

Network Time Protocol (NTP)

Network Time Protocol enables you to synchronize devices by distributing an accurate clock across the network.

To configure the NTP parameters

1. Select Services > NTP.

2. Configure the parameters, and click Set.

Parameter Description

NTP polling Interval The interval, in seconds, between time queries sent to the NTP server.

Default: 172,800

NTP Timezone The offset from GMT for the device.

Values: -12:00 through +12:00

Default: 00:00

NTP Server Port The access port number for the NTP server.

Default: 123

NTP Server Name The address or URL of the NTP server.

Note: If you specify a URL, the DNS Server feature must be enabled and configured.

NTP Status Specifies whether the NTP client is enabled.

Values: enable, disable

Default: disable

RADIUS

DDoS Protector provides additional security by authenticating the users who access a device for management purposes. With RADIUS authentication, you can use RADIUS servers to determine whether a user is allowed to access device management using CLI, Telnet, SSH or Web Based Management. You can also select whether to use the device User Table when RADIUS servers are not available.

Caution: The DDoS Protector managed devices must have access to the RADIUS server, and the RADIUS server must allow access from the devices.

To configure RADIUS authentication for device management

1. Select Services > Radius.

2. Configure the parameters and click Set.

Parameter Description

Main Radius IP Address The IP address of the primary RADIUS server.

Main Radius Port No. The access port number of the primary RADIUS server.

Values: 1645, 1812

Default: 1645

Main Radius Secret The authentication password for the primary RADIUS server.

Backup Radius IP Address The IP address of the backup RADIUS server.

Backup Radius Port No. The access port number of the backup RADIUS server.

Values: 1645, 1812

Default: 1645

Backup Radius Secret The authentication password for the backup RADIUS server.

Radius Timeout The time, in seconds, that the device waits for a reply from the RADIUS server before a retry, or, if the Retries value is exceeded, before the device acknowledges that the server is offline.

Default: 1

Radius Retries The number of connection retries to the RADIUS server, after the RADIUS server does not respond to the first connection attempt. After the specified number of Retries, if all connection attempts have failed (Timeout), the backup RADIUS server is used.

Default: 2

Radius Client Lifetime The time, in seconds, for the client authentication. After the client lifetime expires, the device re-authenticates the user.

Default: 30

SMTP

You can configure the device to send information messages via e-mail to device users. This feature can be used for sending trap information via e-mail. When you configure device users, you can specify whether an individual user should receive notifications via e-mail and the minimum event severity reported via SNMP traps and e-mail. The user receives traps of the configured severity and higher.

The e-mail configuration applies both for SNMP traps and for SMTP e-mail notifications. SMTP notifications are enabled globally for the device.

Notes:

The device optimizes the mailing process by gathering security and system events, which it sends in a single notification message when the buffer is full, or when a timeout of 60 seconds expires.

To receive e-mails about errors, you need to set the e-mail address and Severity level in the Users Table for each user.

To configure the SMTP client

1. Select Services > SMTP.

2. Configure the parameters, and click Set.

Parameter Description

SMTP Primary Server Address The IP address of the SMTP server.

SMTP Alternate Server Address The IP address of an alternative SMTP server. The alternate SMTP server is used when an SMTP connection cannot be established with the main SMTP server, or when the main SMTP server has closed the connection. The device keeps trying to establish a connection to the main SMTP server and resumes using it when it is available.

Own Email Address The mail address that appears in the Sender field of e-mail messages generated by the device, for example [email protected].

SMTP Status Specifies whether the e-mail client is enabled, which supports features that are related to sending e-mail messages.

Default: disable

Send emails On Errors Specifies whether the device sends notifications via e-mail.

Default: Disabled

DNS Client Parameters

You can configure DDoS Protector to operate as a Domain Name Service (DNS) client. When the DNS client is disabled, IP addresses cannot be resolved. When the DNS client is enabled, you must configure the servers to which DDoS Protector sends queries for host name resolution.

You can set the DNS parameters and define the primary and the alternate DNS servers for dynamic DNS. In addition, you can set static DNS parameters.

To define DNS servers

1. Select Services > DNS.

2. Configure the parameters, and click Set.

Parameter Description

DNS Client Specifies whether the DDoS Protector device operates as a DNS client to resolve IP addresses.

Values: Enabled, Disabled

Default: Disabled

Primary DNS server The IP address of the primary DNS server to which DDoS Protector sends queries.

Alternate DNS Server The IP address of the alternative DNS to which DDoS Protector sends queries.

To set static DNS

1. Select Services > DNS.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Host Name The domain name for the specified IP address.

IP Address The IP address for the specified domain name.

Configuration Auditing

Configuration Auditing is the process of logging every configuration change and activity to a dedicated logging server. When Configuration Auditing is enabled, the device keeps track of all changes made to the configuration by sending an SNMP trap and a syslog message (if syslog is enabled and configured).

Configuration Auditing can be enabled or disabled for all users and all management interfaces.

To prevent overloading the device and prevent degraded performance, the feature is disabled by default.

To enable configuration auditing

1. Select Services > Auditing.

2. Select enable.

3. Click Set.

To disable configuration auditing

1. Select Services > Auditing.

2. Select disable.

3. Click Set.

Event Scheduler

Sometimes it is necessary for a specific policy to be inactive during certain hours of the day, or to become active only in the middle of the night. For example, a school library may want to block instant messaging during school hours but allow instant messages after school hours. Or, an enterprise may give high priority to mail traffic between 08:00–10:00.

Using the Event Scheduler, you can create event schedules. An event schedule can be a daily, weekly, or one-time event.

To configure an event schedule

1. Select Services > Event Scheduler. The Event Scheduler window is displayed.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Name A user-defined name for the event.

Frequency The frequency of the event.

Values: Once, Daily, Weekly

Time(HHMM) The time on the designated day or days. If you specify multiple days, the time for the event is the same for all the specified days.

Default: 0000—12:00 AM

Days The day or days on which the event occurs when the specified Frequency is Weekly.

If the Frequency is not Weekly, the Days(SMTWTFS) checkboxes must be cleared.

Date(DDMMYYYY) The date on which the event occurs when the specified Frequency is Once.

If the Frequency is not Once, the value in the Date(DDMMYYYY) text box must be 00000000.

Chapter 7

Configuring Security Parameters

Management Ports

Use the Management Ports Table pane to enable or disable access to a management port.

To set the management ports

1. Select Security > Management Ports.

2. Select a port.

3. Configure the parameters, and click Set.

Parameter Description

Port Number (Read-only) The identifier of the selected management port.

SNMP Specifies whether the port allows access with SNMP.

TELNET Specifies whether the port allows access with Telnet.

SSH Specifies whether the port allows access with SSH.

WEB Specifies whether the port allows access with HTTP.

SSL Specifies whether the port allows access with SSL.

Ports Access

You can specify how unbound UDP and TCP ports respond to SYN packets.

To set the port unreachable status

1. Select Security > Ports Access.

2. From the Port Unreachable Status drop-down list, select the required value, as follows:

Enabled—Unbound TCP ports answer SYN packets with an RST. Unbound UDP ports answer SYN packets with a port-unreachable message.

Disabled—The device drops SYN or UDP packets without sending a reply. When the device uses this option, the device does not expose itself to the network.

Default: Enabled

3. Click Set.

SNMP

SNMP Global Parameters

DDoS Protector devices work with SNMPv1, SNMPv2, and SNMPv3.

Use the SNMP Global Parameters pane to configure the SNMP global parameters.

To configure the SNMP global parameters

1. Select Security > SNMP > Global Parameters.

2. Configure the parameters, and click Set.

Parameter Description

Supported SNMP Versions (Read-only) The SNMP versions currently supported.

Supported SNMP Versions After Reset The SNMP versions that the SNMP agent will support after the device is reset. Select the checkboxes of the SNMP versions to support.

SNMP Port The UDP port on which the agent listens for SNMP requests.

SNMP Status The status of the SNMP agent.

Default: Enabled

SNMP: User Table

Use the User Based Security Model pane to define users that can connect to the device and store the access parameters for each SNMP user.

Note: The configuration file of the device, which contains SNMPv3 users with authentication, can only be used by the specific device on which those users were configured. When exporting the configuration file to another device, the passwords need to be re-entered, since SNMPv3 user passwords cannot be exported from one device to another. Therefore, there must be at least one user in the user table (to be able to change the password) in case the configuration file is uploaded to another device.

To configure a new user

1. Select Security > SNMP > User Table.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

User Name The name of the new user.

Authentication Protocol The algorithm used for authentication.

Authentication Password A password required in case authentication is used.

Privacy Protocol The algorithm used for encryption.

Privacy Password A password used to identify the user.

SNMP: Community Table

You can map community strings into user names and vice versa using the SNMP Community Table. This table restricts the range of addresses from which SNMP requests are accepted and to which traps may be sent.

The SNMP Community Table is used only for SNMP versions 1 and 2.

To configure the SNMP community table

1. Select Security > SNMP > Community Table.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Index A descriptive name for this entry.

Community Name The community string.

Security Name The user name associated with the community string.

Transport Tag Specifies a set of target addresses from which the SNMP accepts SNMP requests and to which traps may be sent. The target addresses identified by this tag are defined in the Target Address Table. If this string is empty, addresses are not checked when an SNMP request is received or when a trap is sent. If this string is not empty, the transport tag must be contained in the value of the tag list of at least one entry in the Target Address Table.

SNMP: Groups Table

You can associate users with groups in the Groups Table. Access rights are defined for groups of users.

To configure the groups table

1. Select Security > SNMP > Groups Table.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Security Model The security model to be associated with this group.

Security Name A relevant security name.

Group Name The access control policy for a group of users.

SNMP: Access Table

You can define the access rights for each group and security model in the VACM Group Access window.

To configure the parameters of the SNMP access table

1. Select Security > SNMP > Access Table.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Group Name The name of your group.

Security Model Values:

SNMPv1

SNMPv2c

User Based

Security Level Values:

No Authentication

Auth Not Private

Auth Private

ReadView Name The name of one or more entries in the View Tree Family Table. Specifies which objects in the MIB tree are readable by this group.

WriteView Name The name of one or more entries in the View Tree Family Table. Specifies which objects in the MIB tree are writable by this group.

NotifyView Name The name of one or more entries in the View Tree Family Table. Specifies which objects in the MIB tree can be accessed in notifications (traps) by this group.

SNMP: View Table

The View Table window allows you to define subsets of the MIB tree for use in the Access Table. Different entries may have the same name. The union of all entries with the same name defines the subset of the MIB tree and can be referenced in the Access Table through its name.

To set the view table parameters

1. Select Security > SNMP > View Table.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

View Name The name of this entry.

Subtree The object ID of a subtree of the MIB.

Subtree Mask The subtree mask.

Type Specifies whether objects defined in this entry should be included or excluded in the MIB view.

Default: included
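An added illustration (not Check Point code) of the view semantics just described: entries that share a View Name are combined into one view, each Subtree is matched under its Subtree Mask, and the entry with the longest matching subtree decides whether an OID is included or excluded. The table rows, the view names and the FF:A0 mask value are constructed for the example; the matching rule is the standard vacmViewTreeFamily rule from RFC 3415.

```python
"""Added example (not Check Point code): RFC 3415 view-tree-family semantics as
the guide describes them: entries sharing a View Name form one view, and for a
given OID the matching entry with the longest subtree decides included/excluded."""
from typing import List, NamedTuple, Tuple


class ViewEntry(NamedTuple):
    view_name: str
    subtree: Tuple[int, ...]
    mask: Tuple[int, ...]  # one bit per sub-identifier: 1 = must match, 0 = wildcard
    included: bool         # the guide's Type: included / excluded


def parse_oid(text: str) -> Tuple[int, ...]:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); a leading dot is tolerated."""
    return tuple(int(part) for part in text.strip(".").split("."))


def expand_mask(hex_mask: str, length: int) -> Tuple[int, ...]:
    """Expand a hex Subtree Mask such as 'FF:A0' to one bit per sub-identifier.
    A mask shorter than the subtree is padded with 1s, so '' means exact match."""
    digits = hex_mask.replace(":", "").replace(".", "").replace(" ", "")
    bits = [int(b) for d in digits for b in format(int(d, 16), "04b")]
    bits = bits[:length] + [1] * max(0, length - len(bits))
    return tuple(bits)


def make_entry(view: str, subtree: str, mask_hex: str, included: bool) -> ViewEntry:
    """Build one View Table row; the mask is sized to the subtree."""
    sub = parse_oid(subtree)
    return ViewEntry(view, sub, expand_mask(mask_hex, len(sub)), included)


def family_matches(entry: ViewEntry, oid: Tuple[int, ...]) -> bool:
    """The OID is under the family if it is at least as long as the subtree and
    every sub-identifier whose mask bit is 1 is equal."""
    if len(oid) < len(entry.subtree):
        return False
    return all(m == 0 or s == o for s, m, o in zip(entry.subtree, entry.mask, oid))


def oid_in_view(view_name: str, oid_text: str, table: List[ViewEntry]) -> bool:
    """True if the OID is visible in the named view. Among matching entries the
    longest subtree wins (ties: lexicographically greatest), as in RFC 3415."""
    oid = parse_oid(oid_text)
    matching = [e for e in table if e.view_name == view_name and family_matches(e, oid)]
    if not matching:
        return False  # no family covers the OID: not in view
    best = max(matching, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


# Constructed View Table: a read-only view of mib-2 with the ip group carved
# out except for ipAddrTable, and a wildcard view exposing only ifIndex 3.
VIEW_TABLE = [
    make_entry("mgmt-ro", "1.3.6.1.2.1", "", True),        # mib-2
    make_entry("mgmt-ro", "1.3.6.1.2.1.4", "", False),     # ip group excluded
    make_entry("mgmt-ro", "1.3.6.1.2.1.4.20", "", True),   # ipAddrTable re-included
    make_entry("if3-only", "1.3.6.1.2.1.2.2.1.10.3", "FF:A0", True),  # ifEntry.<any column>.3
]

if __name__ == "__main__":
    for view, oid in [("mgmt-ro", "1.3.6.1.2.1.1.1.0"), ("mgmt-ro", "1.3.6.1.2.1.4.1.0"),
                      ("if3-only", "1.3.6.1.2.1.2.2.1.16.3"), ("if3-only", "1.3.6.1.2.1.2.2.1.16.4")]:
        print(view, oid, oid_in_view(view, oid, VIEW_TABLE))
```

The FF:A0 row shows what a Subtree Mask buys you: the 0 bit at the tenth position wildcards the ifEntry column, so the view exposes every column of the row for ifIndex 3 and nothing else in ifTable. When several rows share a View Name, the excluded row only removes what it covers, and a longer included row underneath it re-adds that part.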

SNMP Notify Table

Use the Notify Table pane to select management targets that receive notifications and the type of notification to be sent to each selected management target. The Tag parameter identifies a set of target addresses. An entry in the SNMP - Target Address table that contains a tag specified in the Notify table receives notifications.

To configure SNMP notification settings

1. Select Security > SNMP > Notify Table.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Name A descriptive name for this entry, for example, the type of notification.

Tag A string that defines the target addresses that are sent this notification. All the target addresses that have this tag in their tag list are sent this notification.

SNMP Target Parameters

The Target Parameters table defines message-processing and security parameters that are used in sending notifications to a particular management target. Entries in the Target Parameters table are referenced in the Target Address table.

To set the target parameters

1. Select Security > SNMP > Target Parameters Table.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Name The name of the target parameters entry.

Maximum characters: 32

Message Processing

Values: SNMPv1, SNMPv2c, SNMPv3

Default: SNMPv1

Security Model The SNMP version that represents the required Security Model.

Security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions. By selecting the SNMP version for this parameter, you determine the permissions set to be used.

Values:

SNMPv1

SNMPv2c

User Based—That is, SNMPv3

Default: SNMPv1

Security Name If the User Based security model is used, the security name identifies the user that is used when the notification is generated. For other security models, the security name identifies the SNMP community used when the notification is generated.

Security Level Specifies whether the trap is authenticated and encrypted before it is sent.

Values:

noAuthNoPriv—No authentication or privacy are required.

authNoPriv—Authentication is required, but privacy is not required.

authPriv—Both authentication and privacy are required.

Default: No Authentication

SNMP: Target Address

In SNMPv3, the Target Addresses table contains transport addresses to be used in the generation of traps. If the tag list of an entry contains a tag from the SNMP Notify Table, this target is selected for reception of notifications. For SNMP versions 1 and 2, this table is used to restrict the range of addresses from which SNMP requests are accepted and to which SNMP traps may be sent. If the Transport Tag of an entry in the community table is not empty, it must be included in one or more entries in the Target Address Table.

To set the SNMP target parameters

1. Select Security > SNMP > Target Address Table.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Name The name of the target address entry.

Address-Port The IP address of the management station and TCP port to be used as the target of SNMP traps. The format of the values is <IP address>-<TCP port>, where <TCP port> must be 162. For example, if the value for Address-Port is 1.2.3.4-162, 1.2.3.4 is the IP address of the management station and 162 is the port number for SNMP traps.

Tag List Specifies sets of target addresses. Tags are separated by spaces. The tags contained in the list may be tags from the Notify table or Transport tags from the Community table.

Each tag can appear in more than one tag list. When a significant event occurs on the network device, the tag list identifies the targets to which a notification is sent.

Mask A subnet mask of the management station.

Parameters The set of target parameters to be used when sending SNMP Traps. Target parameters are defined in the Target Parameters table.

Ping Physical Ports Table

You can define which physical interfaces can be pinged. When a ping is sent to an interface for which ping is not allowed, the packet is discarded. By default, all the interfaces of the device allow pings.

To configure physical ports to allow ping

1. Select Security > Ping Physical Ports Table.

2. Select a Port Number link.

3. In the Ping Device field, select Enable or Disable, as required.

4. Click Set.

Users

You can configure a list of users who are authorized to access the device through any enabled access method (Web, Telnet, SSH, SWBM). When configuration tracing is enabled, users can receive e-mail notifications of changes made to the device.

To configure the user-access authenticating method

1. Select Security > Users.

2. From the Authentication Method drop-down list, select the required method, and click Set.

Parameter Description

Authentication Method The method of authenticating a user’s access to the device.

Values:

Local User Table—The device uses the User Table to authenticate access.

Radius and Local User Table—The device uses the RADIUS servers to authenticate access. If the request to the RADIUS server times out, the device uses the User Table to authenticate access.

Default: Local User Table
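The following Python model, added here as an illustration and not Check Point's code, shows how the Radius Timeout and Radius Retries settings described under Services > Radius and the two Authentication Method values above combine into one access decision. RADIUS server behaviour is simulated by constructed functions, and the User Table is a constructed dictionary. Treating an explicit RADIUS reject as final, with fallback to the User Table only when every configured server times out, is this model's reading of the guide's wording, not something the guide states in so many words.

```python
"""Added example (not Check Point code): how the guide's RADIUS Timeout, Retries,
backup server and Authentication Method settings combine into one access decision."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"  # outcomes of one request
ServerFn = Callable[[str, str], str]                     # (user, password) -> outcome


@dataclass
class RadiusConfig:
    primary: Optional[ServerFn]
    backup: Optional[ServerFn] = None
    timeout_s: int = 1   # Radius Timeout default in the guide
    retries: int = 2     # Radius Retries default in the guide


def query_server(label: str, server: ServerFn, user: str, password: str,
                 cfg: RadiusConfig, log: List[str]) -> str:
    """One request plus up to cfg.retries retries. The server counts as offline
    only when every attempt times out; an explicit answer ends the loop."""
    attempts = 1 + cfg.retries
    for n in range(1, attempts + 1):
        outcome = server(user, password)
        log.append(f"{label} attempt {n}/{attempts}: {outcome} (waited up to {cfg.timeout_s}s)")
        if outcome != TIMEOUT:
            return outcome
    return TIMEOUT


def authenticate(user: str, password: str, method: str, cfg: RadiusConfig,
                 local_table: Dict[str, str]) -> Tuple[bool, str, List[str]]:
    """Return (allowed, reason, log) for the two Authentication Method values.
    Assumption of this model: a RADIUS reject is final; only a timeout of every
    configured server falls back to the User Table, as the guide's wording reads."""
    log: List[str] = []
    if method == "Local User Table":
        return local_table.get(user) == password, "local User Table", log
    if method != "Radius and Local User Table":
        raise ValueError(f"unknown authentication method {method!r}")
    for label, server in (("primary", cfg.primary), ("backup", cfg.backup)):
        if server is None:
            continue
        outcome = query_server(label, server, user, password, cfg, log)
        if outcome == ACCEPT:
            return True, f"{label} RADIUS accepted", log
        if outcome == REJECT:
            return False, f"{label} RADIUS rejected (no fallback)", log
    # Every configured server timed out: the device uses the User Table.
    return local_table.get(user) == password, "RADIUS timed out; User Table fallback", log


def always(outcome: str) -> ServerFn:
    """Constructed server that returns the same outcome for every request."""
    return lambda user, password: outcome


LOCAL_TABLE = {"admin": "local-pass"}  # constructed sample User Table
METHOD = "Radius and Local User Table"


def demo() -> Dict[str, bool]:
    """Three constructed scenarios; returns the allow/deny decision of each."""
    both_down = RadiusConfig(primary=always(TIMEOUT), backup=always(TIMEOUT))
    rejecting = RadiusConfig(primary=always(REJECT), backup=always(ACCEPT))
    failover = RadiusConfig(primary=always(TIMEOUT), backup=always(ACCEPT))
    return {
        "both_down_local_fallback": authenticate("admin", "local-pass", METHOD, both_down, LOCAL_TABLE)[0],
        "primary_reject_is_final": authenticate("admin", "local-pass", METHOD, rejecting, LOCAL_TABLE)[0],
        "primary_down_backup_accepts": authenticate("admin", "radius-pass", METHOD, failover, LOCAL_TABLE)[0],
    }


if __name__ == "__main__":
    allowed, reason, log = authenticate("admin", "local-pass", METHOD,
                                        RadiusConfig(primary=always(TIMEOUT), backup=always(TIMEOUT)),
                                        LOCAL_TABLE)
    print("\n".join(log))
    print(allowed, reason)
```

With the guide's defaults (Timeout 1, Retries 2) and both servers configured, an unreachable RADIUS infrastructure costs six attempts, so up to about six seconds, before the local User Table is consulted. That is also the window in which the strength of the local credentials matters, which is why the first scenario and the reject scenario are worth keeping separate when reviewing a device's authentication settings.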

To configure the users table

1. Select Security > Users.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

User Name The name of the user.

Password The text password for the user.

Email Address The e-mail address of the user to which notifications will be sent.

Severity The minimum severity level of traps sent to this user.

Values:

None—The user receives no traps.

Info—The user receives traps with severity info or higher.

Warning—The user receives Warning, Error, and Fatal traps.

Error—The user receives Error and Fatal traps.

Fatal—The user receives Fatal traps only.

Default: None

Trace Status When enabled, the specified user receives notifications of configuration changes made in the device.

Every time the value of a configurable variable changes, information about all the variables in the same MIB entry is reported to the specified users. The device gathers reports and sends them in a single notification message when the buffer is full or when the timeout of 60 seconds expires.

The notification message contains the following details:

Name of the MIB variable that was changed.

New value of the variable.

Time of configuration change.

Configuration tool that was used.

User name, when applicable.

User Access Level The user’s level of access to the WBM and CLI.

Values: readwrite, readonly, none

Default: readwrite

SSH public key name The name of the SSH public key.

Certificates

Certificates Table

Use the Certificates Table pane to manage keys and certificates.

Create and Delete functionality is available only when you are connected with a secure protocol, such as HTTPS.

To update an entry

1. Select Security > Certificates > Table.

2. Click the entry name.

3. To create a new certificate, click Create.

4. Configure the parameters, and click Set.

To create an entry

1. Select Security > Certificates > Table.

2. Click Create.

3. Configure the parameters, and click Set.

Parameter Description

Name The name of the entry.

Entry Type Values:

Key

Signing Request

Certificate

Intermediate CA Certificate

Certificate of Client CA

Key Size Values: 512, 1024, 2048

Key Passphrase The key password (the same that you use to export the key from the web server).

Common Name The domain name of the organization. For example, www.checkpoint.com

Locality The name of the city.

State or Province The state or province.

Organization The name of the organization.

Organization Unit The department/unit within the organization.

Country Name The country of residence.

Certificate Expiry (Read-only) The date of expiry in DDD MMM dd hh:mm:ss yyyy format.

Example: SAT SEP 01 08:29:40 2012

Email Default email address for the organization.

Certificate Validity The number of days for which the certificate is valid.

To delete an entry

1. Select Security > Certificates > Table.

2. Select the checkbox in the row with the entry.

3. Click Delete.

Exporting PKI Components

You can export Public Key Infrastructure (PKI) components when you are connected with a secure protocol, such as HTTPS.

To export a PKI component

1. Select Security > Certificates > Export.

2. Configure the parameters, and click Show to view the component details, or click Export to export the component from the device. A dialog message asks whether you want to open or save the component file. If you click Open, the file is opened in a browser window. If you click Save, you are prompted to save the file.

Parameter Description

Name The name of the component.

Type Values:

Key

Certificate

Certificate and Key

Format (Read-only) The format for the specified Type.

Passphrase The password (the same that you use to export the key from the Web server).

Text The certificate text, which you can enter.

Importing a PKI Component

You can import Public Key Infrastructure (PKI) components when you are connected with a secure protocol, such as HTTPS.

To import a PKI component

1. Select Security > Certificates > Export.

2. Configure the parameters, and click Import.

Parameter Description

Name The name of the component.

Type Values:

Key

Certificate

Certificate and Key

Intermediate CA Certificate

Certificate of Client CA

SSH Public Key

Format (Read-only) The format for the specified Type.

Passphrase The password (the same that you use to export the key from the Web server).

Text The certificate text, which you can enter.

Certificate File Browse to the certificate file to import.

Certificate Default Values

The certificate is a digitally signed indicator that identifies the server or user. This is usually provided in the form of an electronic key or value. You can set the default values to your specifications.

To configure default values for certificates

1. Select Security > Certificates > Default Values.

2. Configure the parameters, and click Set.

Parameter Description

Certificate Common The domain name of the organization. For example, www.checkpoint.com.

Certificate Locality The name of the city.

Certificate State Or Province The state or province.

Certificate Organization The name of the organization.

Certificate Organization Unit The department/unit within the organization.

Certificate Country Name The country of residence.

Certificate Email The default email address for the organization.

Chapter 8

Configuring Classes Parameters

View Active Networks

You can view the active network classes that are configured on the device.

To view the active network class configuration

Select Classes > View Active > Networks.

Modify

Modify Networks

You can view active networks, as well as configure new ones. You can define networks that are used by the device (active) and you can define networks that are kept in a separate database until they are required (inactive).

You can add, modify, and delete these networks according to your requirements.

A network class is identified by a name and defined by a network address and mask, or by a range of IP addresses (from-to). For example, network net1 can be 10.0.0.0/255.0.0.0 and network net2 can be from 10.1.1.1 to 10.1.1.7; alternatively, network net1 can be 1234::0/32 and network net2 can be from 1234::0 to 1234:FFFF:FFFF:FFFF. The Network list allows either configuration.

Using classes allows you to define a network comprised of multiple subnets and/or IP ranges, all identified with the same class name. For example, network net1 can be 10.0.0.0/255.255.255.0 and 10.1.1.1 to 10.1.1.7.

You can use network classes in the following:

Black lists

White lists

Network-protection policies to match source or destination traffic

To configure a network class

1. Select Classes > Modify Networks.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Name The name of the network class.

The network name is case-sensitive.

The network name cannot be an IP address.

Sub Index When you define multiple network classes with the same name, you must assign each instance a different sub-index number. The numbers do not need to be sequential or in order.

Address

(For an IP Mask entry only)

The network address.

Mask

(For an IP Mask entry only)

The mask of the subnet, which you can enter in either of the following ways:

A subnet mask in dotted decimal notation—for example, 255.0.0.0 or 255.255.0.0.

An IP prefix, that is, the number of mask bits—for example, 8 or 16.

From IP

(For an IP Range entry only)

The first IP address in the range.

To IP

(For an IP Range entry only)

The last IP address in the range.

Mode Specifies whether the network is defined by a subnet and mask, or by an IP range.

Values: IP Mask, IP Range

Modify Services

Modify Basic Filters Table

Use Services to filter traffic. Services classify traffic based on criteria for Layers 3 – 7. A Service is a configuration of a basic filter, which may be combined with other filters using logical operators to achieve more sophisticated filters (AND Group filters and OR Group filters). DDoS Protector supports a long list of predefined basic filters. A basic filter includes attributes that specify parameters such as protocol, application port, and content type. When the protocol of a basic filter is TCP or UDP, the filter can also include a text string.

A basic filter includes the following components:

Protocol—The specific protocol that the packet should carry. The choices are IP, TCP, UDP, ICMP, NonIP, ICMPV6, and SCTP. If the specified protocol is IP, all IP packets (including TCP and UDP) will be considered.

When configuring TCP or UDP, the following additional parameters are available:

Destination Port (From-To)—Destination port number for that protocol. For example, for HTTP, the protocol would be configured as TCP and the destination port as 80. The port configuration can also allow for a range of ports to be configured.

Source Port (From-To)—Similar to the destination port, the source port that a packet should carry in order to match the filter can be configured.

Offset Mask Pattern Condition (OMPC)—The OMPC is a means by which any bit pattern can be located for a match at any offset in the packet. This can aid in locating specific bits in the IP header, for example. TOS and Diff-serv bits are perfect examples of where OMPCs can be useful. It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured, there should be an OMPC match in addition to a protocol (and source/destination port) match. In other words, if an OMPC is configured, the packet needs to match the configured protocol (and ports) and the OMPC.

Content Specifications—When the protocol of a basic filter is TCP or UDP, you can search for any text string in the packet. Like OMPCs, a text pattern can be searched for at any offset in the packet. HTTP URLs are perfect examples of how a text search can help in classifying a session.

You can choose from the many types of configurable content—for example, URL, hostname, HTTP header field, cookie, mail domain, mail subject, file type, regular expression, text, and so on.

When the content type is URL, for example, the module assumes the session to be HTTP with a GET, HEAD, or POST method. The module searches the URL following the GET/HEAD/POST to find a match for the configured text. In this case, the configured offset is meaningless, since the GET/HEAD/POST is in a fixed location in the HTTP header. If the content type is text, the module searches the entire packet for the content text, starting at the configured offset.

By allowing a filter to take actual content of a packet/session into account, the module can recognize and classify a wider array of packets and sessions.

Like OMPCs, Content Rules are not mandatory to configure. However, when a Content Rule exists in the filter, the packet needs to match the configured protocol (and ports), the OMPC (if one exists) and the Content Rule.
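The following is an added worked example, not code from the DDoS Protector guide or product. It is a small Python model of how the OMPC parameters described above (OMPC Offset, OMPC Offset Relative to, OMPC Mask, OMPC Pattern, OMPC Condition, OMPC Length) are applied to a raw frame. The frame is constructed inline; the reference-point arithmetic for IPv4 Header / L4 Header / L4 Data, the untagged Ethernet II framing, and the comparison form (packet bytes AND mask, compared with the pattern) are assumptions about how the appliance evaluates the rule, made for the illustration.

```python
"""OMPC evaluation against a raw Ethernet/IPv4/TCP frame.

Added example, not code from the DDoS Protector guide or product. It models the
Basic Filter parameters OMPC Offset, OMPC Offset Relative to, OMPC Mask,
OMPC Pattern, OMPC Condition and OMPC Length.
Assumptions: frames start with an untagged Ethernet II header, "L4 Header"
means the start of the TCP/UDP header, and the test is (data & mask) <cond> pattern.
"""
import struct

ETH_LEN = 14  # assumed: untagged Ethernet II frame


def base_offset(frame: bytes, relative_to: str) -> int:
    """Byte index in the frame from which OMPC Offset is counted (assumed mapping)."""
    if relative_to in ("None", "Ethernet"):
        return 0
    if relative_to == "IPv4 Header":
        return ETH_LEN
    ihl = (frame[ETH_LEN] & 0x0F) * 4            # IPv4 header length in bytes
    if relative_to in ("IP Data", "L4 Header"):
        return ETH_LEN + ihl
    if relative_to == "L4 Data":
        proto = frame[ETH_LEN + 9]
        l4 = ETH_LEN + ihl
        if proto == 6:                            # TCP: data offset in byte 12
            return l4 + (frame[l4 + 12] >> 4) * 4
        if proto == 17:                           # UDP: fixed 8-byte header
            return l4 + 8
    raise ValueError(f"unsupported OMPC Offset Relative to: {relative_to}")


def ompc_match(frame, offset, relative_to, mask, pattern, condition, length):
    """Evaluate one OMPC.

    mask and pattern are the 8-hex-digit strings the GUI takes; when length is
    less than four bytes the unused low bytes are zero padding, as the guide
    describes ('abcd0000' for a two-byte pattern).
    """
    if condition == "None" or length == 0:
        return True                               # no OMPC configured
    start = base_offset(frame, relative_to) + offset
    window = frame[start:start + length]
    if len(window) < length:
        return False                              # packet too short to compare
    shift = 8 * (4 - length)
    mask_v = int(mask, 16) >> shift
    patt_v = int(pattern, 16) >> shift
    value = int.from_bytes(window, "big") & mask_v
    if condition == "Equal":
        return value == patt_v
    if condition == "Not Equal":
        return value != patt_v
    if condition == "Greater Than":
        return value > patt_v
    if condition == "Less Than":
        return value < patt_v
    raise ValueError(f"unsupported OMPC Condition: {condition}")


# Constructed sample frame: Ethernet II + IPv4 (DSCP EF, TTL 64) + TCP SYN to port 80.
_eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xB8, 40, 0x1234, 0x4000, 64, 6, 0,
                  bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
_tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 0x50, 0x02, 65535, 0, 0)
SAMPLE_FRAME = _eth + _ip + _tcp

# Rules written with the OMPC fields:
# (OMPC Offset, Relative to, OMPC Mask, OMPC Pattern, OMPC Condition, OMPC Length in bytes)
OMPC_RULES = {
    "dscp_ef":      (1, "IPv4 Header", "FC000000", "B8000000", "Equal", 1),   # DSCP bits == 46
    "tcp_syn_only": (13, "L4 Header", "3F000000", "02000000", "Equal", 1),    # only SYN set
    "dport_80":     (2, "L4 Header", "FFFF0000", "00500000", "Equal", 2),     # TCP dst port 80
    "ttl_below_10": (8, "IPv4 Header", "FF000000", "0A000000", "Less Than", 1),
}


def evaluate_rules(frame, rules=OMPC_RULES):
    """Return {rule name: matched?} for every rule."""
    return {name: ompc_match(frame, *params) for name, params in rules.items()}


if __name__ == "__main__":
    for name, hit in evaluate_rules(SAMPLE_FRAME).items():
        print(f"{name:14s} {'match' if hit else 'no match'}")
```

The Greater Than and Less Than conditions compare the masked bytes as one unsigned integer, so they are only meaningful when the OMPC Length covers exactly the field of interest; a mask that spans two adjacent header fields yields a numeric comparison of the combined bytes rather than of either field.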

Note: If you edit the parameters of a filter that is bound to an existing policy, you need to activate the latest changes.

To configure a basic filter

1. Select Classes > Modify > Services > Basic Filters.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.


Parameter Description

Name The name of the filter.

Protocol Values:

IP

TCP

UDP

ICMP

NonIP

ICMPV6

SCTP

Default: IP

Source App. Port The Layer-4 source port or source-port range for TCP, UDP, or SCTP traffic.

Values: a single port in the range 0 – 65,535; a port range (for example, 30 – 400) whose To value is greater than its From value; or one of the predefined application names: dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp

Destination App. Port

The Layer-4 destination port or destination-port range for TCP, UDP, or SCTP traffic.

Values: a single port in the range 0 – 65,535; a port range (for example, 30 – 400) whose To value is greater than its From value; or one of the predefined application names: dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp

OMPC Offset The byte offset, counted from the reference point selected in OMPC Offset Relative to, at which the OMPC comparison starts. Use it to reach specific bits in the IP or TCP header.

Values: 0 – 1513

Default: 0

OMPC Offset Relative to

The reference point from which the OMPC Offset is counted (for example, the start of the IPv4 header or the start of the Layer-4 header).

Values:

None

IPv4 Header

IPv6 Header

IP Data

L4 Data

ASN1

Ethernet

L4 Header

Default: None


OMPC Mask The mask for OMPC data. The value must be defined according to the OMPC Length parameter.

Values: Must comprise eight hexadecimal symbols

Default: 00000000

OMPC Pattern The fixed-size pattern within the packet that the OMPC rule attempts to find. The value must be defined according to the OMPC Length parameter. The OMPC Pattern must contain eight hexadecimal symbols. If the value for the OMPC Length parameter is smaller than Four Bytes, you need to pad the OMPC Pattern with zeros. For example, if OMPC Length is two bytes, the OMPC Pattern can be abcd0000.

Values: Must comprise eight hexadecimal symbols

Default: 00000000

OMPC Condition Values:

None

Equal

Not Equal

Greater Than

Less Than

Default: None

OMPC Length Values:

None

One Byte

Two Bytes

Three Bytes

Four Bytes

Default: None

Content Offset The location in the packet at which the checking of content starts.

Values: 0 – 1513

Default: 0

Distance A range that defines the allowed distance between two content characters. If the distance is beyond the specified range, it is recognized as an attack.

Content The value of the content search.

Values: < space > ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~


Content Type The specific content type to search for.

Values:

None

URL—A URL in the HTTP request URI.

Text—Text anywhere in the packet.

Hostname—A hostname in the HTTP header. The host names in the Hostname List of an L7 Policy are not algorithmically related to a host name configured for a basic filter.

Header Field—A header field in the HTTP header.

Expression—Text anywhere in the packet represented by a regular expression specified in the Content field.

Mail Domain—The Mail Domain in the SMTP header.

Mail To—The Mail To SMTP header.

Mail From—The Mail From SMTP header.

Mail Subject—The Mail Subject SMTP header.

File Type—The type of the requested file in the HTTP GET command (for example, JPG, EXE, and so on).

Cookie—The HTTP cookie field. The Content field includes the cookie name, and the Content Data field includes the cookie value.

Normalized URL—A normalized URL in the HTTP request URI.

POP3 User—The POP3 User field in the POP3 header.

URI Length—Filters according to URI length.

FTP Command—Parses FTP commands to commands and arguments, while normalizing FTP packets and stripping Telnet opcodes.

FTP Content—Scans the data transmitted using FTP, normalizes FTP packets and strips Telnet opcodes.

Generic Url—The URL in the request URI, taken without normalization. GET/HEAD/POST is not required when this type is selected, so it applies to non-HTTP request protocols such as SIP and BitTorrent.

Generic Header—A header field in the request, taken without normalization. GET/HEAD/POST is not required when this type is selected; applicable to protocols such as SIP and BitTorrent.

Generic Cookie—A cookie field in the request, taken without normalization. GET/HEAD/POST is not required when this type is selected; applicable to protocols such as SIP and BitTorrent.

Default: None

Content End Offset The location in the packet at which the checking of content ends.

Values: 0 – 1513

Default: 0

Content Data A second search value, used with content types that need two values. For the Cookie content type, for example, Content holds the cookie name and Content Data holds the cookie value.


Content Coding The encoding type of the content to search for (as specified in the Content field).

Values:

None

Case Insensitive

Case Sensitive

HEX

International

Default: None

Note: The value of this field corresponds to the Content Type parameter.

Content Data Coding

The encoding type of the content data to search for (as specified in the Content Data field).

Values:

None

Case Insensitive

Case Sensitive

HEX

International

Default: None

Note: The value of this field corresponds to the Content Type parameter.

Description A description of the filter.

Session Type The specific session type to search for.

Values: None, Ftp Control, Ftp Data, Ftp All, Tftp Control, Tftp Data, Tftp All, Rshell Control, Rshell Data, Rshell All, Rexec Control, Rexec Errors, Rexec All, H225 Control, H245 Session, H225 All, SIP Signal, SIP Media Control, SIP Audio, SIP All

Default: None

Session Type Direction

The specific direction of the specified session type to search for.

Values: All, Request, Reply

Default: None

AND Groups

An AND Group filter is a combination of basic filters with a logical AND between them.

Example: The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as AF1 = {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three filters (F1, F2, and F3).


Notes:

You cannot modify or delete predefined AND Groups.

If you edit the parameters of an AND Group that is bound to an existing policy, you need to activate the latest changes.

To configure an AND group

1. Select Classes > Modify > Services > AND Groups.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

AND Group Name The name of the AND Group

Basic Filter Name The basic filter for this AND Group.

Modify OR Group Table

An OR Group Filter is a combination of basic filters and/or AND filters with a logical OR between them. DDoS Protector supports a set of predefined, static OR Groups. The predefined OR Groups are based on the predefined basic filters.

Example: The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as: AF1= {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three filters (F1, F2, and F3). Filter FG1 is user-defined as: FG1 = {AF1 OR F4 OR F6}. In order for a packet to match FG1, the packet must match either filter AF1, basic filter F4, or basic filter F6.
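The example below is added here and is not part of the guide or the product. It gives the F1/F2/F3/AF1/F4/F6/FG1 example concrete definitions and runs constructed packets through them, so that the AND Group and OR Group semantics, and the rule that a basic filter checks protocol and ports first and only then narrows by content, can be seen end to end. The filter definitions, the packets, the URL parsing (request-URI after GET/HEAD/POST, with the offset ignored), and the treatment of a Content End Offset of 0 as "search to the end of the packet" are assumptions made for the illustration.

```python
"""Basic Filter, AND Group and OR Group classification, modelled in Python.

Added example, not code from the DDoS Protector guide or product. Filter names
follow the guide's example: AF1 = {F1 AND F2 AND F3}, FG1 = {AF1 OR F4 OR F6}.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # "TCP", "UDP", "ICMP", "SCTP" or "NonIP"
    sport: int = 0
    dport: int = 0
    payload: bytes = b""  # Layer-4 payload


Matcher = Callable[[Packet], bool]


def _in_range(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


@dataclass
class BasicFilter:
    name: str
    proto: str = "IP"                        # "IP" matches every IP packet
    sport: Optional[Tuple[int, int]] = None  # (From, To), inclusive
    dport: Optional[Tuple[int, int]] = None
    content_type: str = "None"               # "None", "URL", "Text", "Expression"
    content: str = ""
    content_offset: int = 0
    content_end_offset: int = 0              # assumption: 0 = search to the end
    case_insensitive: bool = True            # Content Coding: Case Insensitive

    def __call__(self, pkt: Packet) -> bool:
        # Protocol and ports are mandatory conditions; content only narrows them.
        if pkt.proto == "NonIP" and self.proto != "NonIP":
            return False
        if self.proto not in ("IP", pkt.proto):
            return False
        if self.proto in ("TCP", "UDP", "SCTP") and not (
            _in_range(pkt.sport, self.sport) and _in_range(pkt.dport, self.dport)
        ):
            return False
        return self._content_match(pkt.payload)

    def _content_match(self, payload: bytes) -> bool:
        if self.content_type == "None":
            return True
        flags = re.IGNORECASE if self.case_insensitive else 0
        if self.content_type == "URL":
            # Per the guide: the session is assumed to be an HTTP GET/HEAD/POST and
            # the configured offset is ignored; only the request-URI is searched.
            m = re.match(rb"(GET|HEAD|POST) (\S+)", payload)
            return bool(m) and re.search(re.escape(self.content).encode(), m.group(2), flags) is not None
        end = self.content_end_offset or len(payload)
        window = payload[self.content_offset:end]
        if self.content_type == "Text":
            return re.search(re.escape(self.content).encode(), window, flags) is not None
        if self.content_type == "Expression":
            return re.search(self.content.encode(), window, flags) is not None
        raise ValueError(f"unsupported Content Type: {self.content_type}")


def and_group(*members: Matcher) -> Matcher:
    """AND Group: the packet must match every member basic filter."""
    return lambda pkt: all(f(pkt) for f in members)


def or_group(*members: Matcher) -> Matcher:
    """OR Group: members are basic filters or AND Groups; one match suffices."""
    return lambda pkt: any(f(pkt) for f in members)


# Constructed filter definitions (assumed, for the illustration).
F1 = BasicFilter("F1", proto="TCP", dport=(80, 80))
F2 = BasicFilter("F2", proto="TCP", dport=(80, 80), content_type="URL", content="/login")
F3 = BasicFilter("F3", proto="TCP", content_type="Expression", content=r"user=\w+")
F4 = BasicFilter("F4", proto="UDP", dport=(53, 53))
F6 = BasicFilter("F6", proto="TCP", dport=(25, 25), content_type="Text",
                 content="EHLO", content_end_offset=4)
AF1 = and_group(F1, F2, F3)
FG1 = or_group(AF1, F4, F6)

SERVICES: Dict[str, Matcher] = {"F1": F1, "F2": F2, "F3": F3, "F4": F4,
                                "F6": F6, "AF1": AF1, "FG1": FG1}


def classify(pkt: Packet) -> List[str]:
    """Names of every Service (basic filter, AND Group, OR Group) the packet matches."""
    return [name for name, svc in SERVICES.items() if svc(pkt)]


# Constructed sample packets.
HTTP_LOGIN = Packet("TCP", 51000, 80, b"GET /login.php?user=admin HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
HTTP_INDEX = Packet("TCP", 51001, 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
DNS_QUERY = Packet("UDP", 40000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01")
SMTP_HELLO = Packet("TCP", 40001, 25, b"EHLO mail.example.com\r\n")
SMTP_MAIL = Packet("TCP", 40002, 25, b"MAIL FROM:<alice@example.com>\r\n")

if __name__ == "__main__":
    for label, pkt in [("HTTP_LOGIN", HTTP_LOGIN), ("HTTP_INDEX", HTTP_INDEX),
                       ("DNS_QUERY", DNS_QUERY), ("SMTP_HELLO", SMTP_HELLO), ("SMTP_MAIL", SMTP_MAIL)]:
        print(f"{label:10s} -> {classify(pkt)}")
```

Running the script classifies HTTP_LOGIN under F1, F2, F3, AF1 and FG1, while HTTP_INDEX matches only F1: it carries the right protocol and port but neither the URL nor the expression, so the AND Group fails and, since F4 and F6 also fail, so does the OR Group. The same packet-shape check that makes F6 cheap (a four-byte window at offset 0) is why Content End Offset matters for performance: a text search with no end offset scans the whole payload of every packet that passes the protocol and port test.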

Notes:

You cannot modify or delete predefined OR Groups.

If you edit the parameters of an OR Group that is bound to an existing policy, you need to activate the latest changes.

To add a new OR group

1. Select Classes > Modify > Services > OR Groups.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

OR Group Name The name of the OR Group.

Filter Name The filter for this OR Group, which can be a Basic filter or an AND Group.


Filter Type Values:

Static—The OR Group is predefined.

Regular—The OR Group is user-defined.

Modify Application Port Groups

Application classes are groups of Layer-4 ports for UDP and TCP traffic. Each class is identified by its unique name, and you can define multiple Layer-4 ports in a single class. You cannot modify the predefined application classes for standard applications; however, you can add entries for the class. You can add and modify user-defined classes to the Application Port Group table.

To configure an application port group

1. Select Classes > Modify > Appl. Port Groups.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Name The name of the Application Port Group.

To associate a number of ranges with the same port group, use the same name for all the ranges that you want to include in the group. Each range appears as a separate row with the same name in the Application Port Group table.

From Port The first port in the range.

To Port The last port in the range. To define a group with a single port, set the same value for the From Port and To Port fields.

Modify Physical Port Groups

You can define network segments using definitions of physical ports. Use physical port classes to classify traffic according to physical ports in security policy rules.

To configure a physical port group

1. Select Classes > Modify > Port Groups.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.


Parameter Description

Group Name The name of the Port Group.

Inbound Port The inbound port associated with the Port Group.

Modify VLAN Tag Groups

You can define network segments using VLAN tags. Use VLAN tag classes (groups) to classify traffic according to VLAN tags in security policy rules.

Each DDoS Protector device supports a maximum of 64 VLAN Tag groups. Each VLAN Tag group can contain a maximum of 32 discrete tags and 32 ranges. In effect, each managed device therefore supports up to 64 × 64 = 4,096 VLAN tag definitions.

To configure a VLAN tag class

1. Select Classes > Modify > VLAN Tag Groups.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Group Name The name of the VLAN tag group.

VLAN Tag (for Discrete mode only) The VLAN tag number.

VLAN Tag From (for Range mode only) The first VLAN tag in the range. You cannot modify this field after creating the VLAN group.

VLAN Tag To (for Range mode only) The last VLAN tag in the range.

Group Mode The VLAN mode.

Values:

Discrete—An individual VLAN tag, as defined in the interface parameters of the device.

Range—A group of sequential VLAN tag numbers, as defined in the interface parameters of the device.


Modify MAC Groups

MAC groups identify traffic whose source or destination is a transparent network device.

To configure a MAC address class

1. Select Classes > Modify > MAC Groups.

2. Do one of the following:

To add an entry, click Create.

To edit an entry, click the entry link in the table.

3. Configure the parameters, and click Set.

Parameter Description

Group Name The name of the MAC address group.

MAC Address The MAC address associated with the group.

View Active

View Active Networks

You can view the active network classes that are configured on the device.

To view the active network class configuration

Select Classes > View Active > Networks.

View Active Services


The Basic Filter constitutes protection against a specific attack, meaning that each Basic Filter has a specific attack signature and protection parameters.

To view the parameters of the basic filter

1. Select Classes > View Active > Services > Basic Filters.

2. Select the name of the filter whose parameters you want to view.

The AND Group represents a logical AND between two or more Basic Filters. Some attacks have a complex signature comprised of several patterns and content strings. These attacks require more than one basic filter to protect against them.

Note: You can create the AND Groups using the user-defined Basic Filters only.

To view the parameters of the AND group

1. Select Classes > View Active > Services > AND Groups.

2. Select the name of the filter whose parameters you want to view.

The OR Group represents a logical OR between two or more Basic Filters or AND Groups.


To view the active OR group table

1. Select Classes > View Active > Services > OR Groups.

2. Select the name of the filter whose parameters you want to view.

Viewing Application Port Groups

You can view the active Application Port Group classes that are configured on the device.

To view the active application port groups

Select Classes > View Active > Appl. Port Groups.

View Active Physical Port Groups

You can view the active Physical Port Group classes that are configured on the device.

To view the active physical port groups

Select Classes > View Active > Port Groups.

View Active VLAN Tag Groups

You can view the active VLAN Tag Group classes that are configured on the device.

To view the active VLAN tag groups

Select Classes > View Active > VLAN Tag Groups.

View Active MAC Groups

You can view the active MAC Group classes that are configured on the device.

To view the active MAC groups

Select Classes > View Active > MAC Groups.

Activate Latest Changes

Use the Activate Latest Changes pane to activate all the latest changes made to the configuration of the device.

To activate latest policy changes

1. Select Classes > Update Policies.

2. Click Set.


Chapter 9

Configuring Performance Parameters

Element Statistics

IP Packet Statistics

To view the IP packet statistics

Select Performance > Element Statistics > IP. The following parameters are displayed:

Parameter Description

IP Receives The total number of input datagrams received from interfaces, including those received in error.

IP Header Errors The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format errors, time-to-live exceeded, errors discovered in processing their IP options, and so on.

IP Discarded The number of input IP datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (for example, for lack of buffer space). Note: This counter does not include any datagrams discarded while awaiting re-assembly.

IP Successfully Delivered The total number of input datagrams successfully delivered to IP user- protocols (including ICMP).

IP Out Requests The total number of IP datagrams, which local IP user-protocols (including ICMP) supplied to IP in requests for transmission.

IP Out Discards The number of output IP datagrams for which no problem was encountered to prevent their transmission to their destination, but which were discarded (for example, for lack of buffer space). Note: This counter includes datagrams counted in IP Forwarded (ipForwDatagrams) if any such packets meet this discretionary discard criterion.
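Added example, not from the guide or the product: what a monitoring job does with two consecutive readings of the IP counters above. The readings are constructed; the counters are assumed to be 32-bit wrapping counters (Counter32), so each delta is taken modulo 2^32 to survive a wrap between polls, and the 5 % header-error threshold is an illustrative choice.

```python
"""Rates and a sanity check from two readings of the IP element counters.

Added example, not code from the DDoS Protector guide or product. Counter
names are the guide's; the two samples are constructed, and the counters are
assumed to be 32-bit and to wrap (Counter32 semantics).
"""
COUNTER32 = 2 ** 32


def counter_delta(old: int, new: int) -> int:
    """Events between two Counter32 readings, tolerating a single wrap."""
    return (new - old) % COUNTER32


def ip_rates(before: dict, after: dict, interval_s: float) -> dict:
    """Per-second rate of every counter present in both samples."""
    return {name: counter_delta(before[name], after[name]) / interval_s
            for name in before if name in after}


def header_error_ratio(before: dict, after: dict) -> float:
    """Share of received datagrams dropped for IP header errors over the interval."""
    received = counter_delta(before["IP Receives"], after["IP Receives"])
    errors = counter_delta(before["IP Header Errors"], after["IP Header Errors"])
    return errors / received if received else 0.0


# Constructed readings 60 s apart; IP Receives wraps past 2^32 between them.
SAMPLE_T0 = {"IP Receives": 4_294_960_000, "IP Header Errors": 120,
             "IP Discarded": 40, "IP Successfully Delivered": 4_294_900_000}
SAMPLE_T1 = {"IP Receives": 12_000, "IP Header Errors": 3_120,
             "IP Discarded": 45, "IP Successfully Delivered": 4_294_916_000}
INTERVAL_S = 60


def check(before=SAMPLE_T0, after=SAMPLE_T1, interval_s=INTERVAL_S, threshold=0.05):
    """Return (rates, ratio, alert); alert is True when the header-error ratio
    exceeds the threshold, a cheap signal that malformed-packet traffic rose."""
    rates = ip_rates(before, after, interval_s)
    ratio = header_error_ratio(before, after)
    return rates, ratio, ratio > threshold


if __name__ == "__main__":
    rates, ratio, alert = check()
    for name, rate in rates.items():
        print(f"{name:26s} {rate:10.1f}/s")
    print(f"header-error ratio {ratio:.3f} alert={alert}")
```

Without the modulo step the wrapped IP Receives reading would produce a large negative delta, and a ratio computed from it would silently suppress the alert; a poll interval long enough for a counter to wrap more than once cannot be recovered at all and must be shortened.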

SNMP

To view the SNMP element statistics

Select Performance > Element Statistics > SNMP; the following parameters are displayed:


Parameter Description

SNMP Received Packets The total number of messages delivered to the SNMP entity from the transport service.

SNMP Sent Packets The total number of SNMP messages that were passed from the SNMP protocol entity to the transport service.

SNMP successful 'Get' requests

The total number of MIB objects that have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.

SNMP successful 'Set' requests

The total number of MIB objects that have been altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set-Request PDUs.

SNMP 'get' requests The total number of SNMP Get-Request PDUs that have been accepted and processed by the SNMP protocol entity.

SNMP 'get-next' requests The total number of SNMP Get-Next PDUs that have been accepted and processed by the SNMP protocol entity.

SNMP 'set' requests The total number of SNMP Set-Request PDUs that have been accepted and processed by the SNMP protocol entity.

SNMP Out TooBig The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is tooBig.

SNMP Out NoSuchName The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status is noSuchName.

SNMP Out BadValue The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is badValue.

SNMP Out GenErrs The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is genErr.

SNMP Out Get-Responses The total number of SNMP Get-Response PDUs that have been generated by the SNMP protocol entity.

SNMP Out Traps The total number of SNMP Trap PDUs that have been generated by the SNMP protocol entity.

IP Router

To view the IP router element statistics

Select Performance > Element Statistics > IP Router. The following parameters are displayed:


Parameter Description

IP Forwarded The number of input datagrams for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities that do not act as IP gateways, this counter includes only those packets that were source-routed via this entity and for which the source-route option processing was successful.

IP Unknown Protocol The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.

IP Out No Routes The number of IP datagrams discarded because no route could be found to transmit them to their destination. Note: This counter includes any packets counted in ipForwDatagrams (IP Forwarded) that meet this no-route criterion. It also includes any datagrams that a host cannot route because all of its default gateways are down.

IP Fragments Received The number of IP fragments received which needed to be reassembled at this entity.

IP Fragments successfully reassembled

The number of IP datagrams successfully re-assembled.

IP Fragments failed reassembly The number of failures detected by the IP re-assembly algorithm (for whatever reason: timed out, errors, etc). Note: This is not necessarily a count of discarded IP fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.

IP datagrams successfully fragmented

The number of IP datagrams that have been successfully fragmented at this entity.

IP datagrams discarded - failed fragmentation

The number of IP datagrams that have been discarded because they needed to be fragmented at this entity but could not be, e.g., because their Do not Fragment flag was set.

IP datagram fragments generated The number of IP datagram fragments that have been generated as a result of fragmentation at this entity.

Valid routing entries discarded N/A



Accelerator Utilization

Use the Accelerator Utilization pane to view the utilization for each accelerator.

To view the accelerator utilization

Select Performance > Element Statistics > Accelerator. The following parameters are displayed:

Parameter Description

Accelerator The name of the accelerator. The accelerator named Flow_Accelerator_0 is one logical accelerator that uses several CPU cores. The accelerator named HW Classifier is the string-matching engine (SME).

CPU The CPU number for the accelerator.

Forwarding The percentage of CPU cycles used for forwarding traffic.

Other The percentage of CPU resources used for other tasks such as aging and so on.

Idle The percentage of free CPU resources.