
13 October 2016

DDoS Protector

6.14

User Guide
Classification: [Protected]
© 2016 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our
trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html
for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.

Latest Version of this Document


Download the latest version of this document
http://supportcontent.checkpoint.com/documentation_download?ID=47782.
To learn more, visit the Check Point Support Center
http://supportcenter.checkpoint.com.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on DDoS Protector 6.14 User Guide

Revision History
Date              Description
13 October 2016   Updated for 6.14.03 and improved formatting
02 March 2016     First release of this document


Contents
Important Information................................................................................................... 3
DDoS Protector Overview .............................................................................................. 8
Network Flood Protection ......................................................................................... 8
Server Flood Protection ............................................................................................ 8
Application Layer Protection ..................................................................................... 8
File ................................................................................................................................ 9
Software Update........................................................................................................ 9
Support ..................................................................................................................... 9
Configuration > Send to Device ............................................................................... 10
Configuration > Receive from Device ...................................................................... 10
Logfile > Show ......................................................................................................... 10
Logfile > Clear ......................................................................................................... 10
Logfile > Download .................................................................................................. 11
Software List ........................................................................................................... 11
Device .......................................................................................................................... 12
Reboot Device ......................................................................................................... 12
Device Shutdown ..................................................................................................... 12
Global Parameters .................................................................................................. 13
Device Information .................................................................................................. 13
Utilization > SME Utilization .................................................................................... 14
Utilization > Device Resource Utilization ................................................................ 15
License Upgrade ..................................................................................................... 15
Forwarding Table .................................................................................................... 15
Interface Grouping.........................................................................................................16
Port Mirroring ......................................................................................................... 16
Global Parameters ........................................................................................................17
Reset Traffic Rate Threshold .........................................................................................18
Physical Interface ..........................................................................................................18
L2 Interface ............................................................................................................. 19
Link Aggregation ..................................................................................................... 20
Link Aggregation Trunk Table .......................................................................................21
Link Aggregation Port Table ..........................................................................................22
Jumbo Frames Settings .......................................................................................... 23
Traffic Exclusion ..................................................................................................... 24
Session Table .......................................................................................................... 24
Session Table Global Parameters..................................................................................24
Advanced Session Table Global Parameters .................................................................26
Session Table Entries ....................................................................................................27
IP Fragmentation .................................................................................................... 28
Device Overload Mechanism ................................................................................... 28
High Availability ...................................................................................................... 29
High Availability Global Parameters ..............................................................................30
High Availability Advanced Configuration ......................................................................31
High Availability Pair Definition .....................................................................................32
Update High Availability Pair Definition .........................................................................32
High Availability Monitoring ...........................................................................................32
Switch Over ...................................................................................................................33
Activate Baseline Sync with Peer Device .......................................................................33
Reset Secondary ............................................................................................................33
Tunneling ................................................................................................................ 33
IP Version Mode ...................................................................................................... 34
Dynamic Protocols .................................................................................................. 35
Dynamic Protocols - FTP .............................................................................................35
Dynamic Protocols - TFTP............................................................................................36
Dynamic Protocols - Rshell..........................................................................................36
Dynamic Protocols - Rexec ..........................................................................................36
Dynamic Protocols - H.225 ...........................................................................................37
Dynamic Protocols - SIP ..............................................................................................37
Services ....................................................................................................................... 39
Tuning ..................................................................................................................... 39
Classifier Tuning ...........................................................................................................39
Application Security Tuning ...........................................................................................40
Authentication Table Tuning ..........................................................................................43
Behavioral DoS Tuning ..................................................................................................43
DNS Protection Tuning Parameters ..............................................................................44
Device Tuning ................................................................................................................44
Memory Check ...............................................................................................................45
SYN Protection Tuning ...................................................................................................46
Diagnostics Tuning ........................................................................................................47
Signaling ................................................................................................................. 48
Signaling Global ............................................................................................................48
Signaling Policies ..........................................................................................................49
Situational Signal Reports .............................................................................................50
Source Groups ...............................................................................................................51
Diagnostics .............................................................................................................. 51
Capture..........................................................................................................................51
Trace .............................................................................................................................53
Trace Files.....................................................................................................................55
Diagnostics Policies.......................................................................................................56
Syslog Reporting ..................................................................................................... 57
Daylight Saving........................................................................................................ 61
Management Interfaces .......................................................................................... 61
Telnet ............................................................................................................................61
Web Server ....................................................................................................................62
SSL ................................................................................................................................63
SSH ................................................................................................................................64
Event Log ................................................................................................................ 64
Network Time Protocol (NTP) ................................................................................. 65
RADIUS .................................................................................................................... 65
SMTP ....................................................................................................................... 67
DNS Client Parameters ........................................................................................... 68
Auditing ................................................................................................................... 68
Router ......................................................................................................................... 70
IP Router ................................................................................................................. 70
Operating Parameters ...................................................................................................70
Interface Parameters ....................................................................................................71
Routing Table .......................................................................................................... 72
ARP Table ................................................................................................................ 73
DDoS Protector ........................................................................................................... 74
DoS Signatures........................................................................................................ 74
Application Security Global Parameters ........................................................................74
DoS Shield Global Parameters ......................................................................................75
Basic Static Filters ........................................................................................................76
Basic User Filters ..........................................................................................................76
Advanced Static Filters ..................................................................................................81
Advanced User Filters ...................................................................................................82
Signature Protection Attribute Types ............................................................................82
Attribute Values .............................................................................................................83
Attacks ..........................................................................................................................84
Profiles ..........................................................................................................................92
Server Protection .................................................................................................... 94
Cracking Protection .......................................................................................................94
Protected Servers ....................................................................................................... 105
Denial of Service ................................................................................................... 110
Behavioral DoS ............................................................................................................ 110
DNS Protection ............................................................................................................ 124
Advanced DNS Protection Configuration ..................................................................... 128
SYN Protection ............................................................................................................ 140
Out-of-State ................................................................................................................ 152
Connection Limit ......................................................................................................... 155
PPS .............................................................................................................................. 158
HTTP Mitigator ............................................................................................................ 161
Authentication Tables ........................................................................................... 170
DNS Authentication Table ............................................................................................ 170
TCP Authentication Table ............................................................................................ 170
HTTP Authentication Table .......................................................................................... 171
TCP Contender Authentication Table ........................................................................... 171
Intrusion Protection and Anti-Scanning ................................................................ 171
Anti-Scanning Global Parameters ............................................................................... 171
Advanced - Trusted Ports ............................................................................................ 173
Anti-Scanning Profiles................................................................................................. 173
White List and Black List ....................................................................................... 175
Black List..................................................................................................................... 179
Black-List and White-List Entries and Storage Capabilities ........................................ 182
Black-White List Precedence ...................................................................................... 183
Policies .................................................................................................................. 184
Network Protection Policies ........................................................................................ 184
Policies Resources Utilization ..................................................................................... 188
Policies Import ............................................................................................................ 189
Policies Export ............................................................................................................ 189
Policies Delete............................................................................................................. 190
Global - Suspend Table - Parameters ................................................................... 191
Global - Suspend Table................................................................................................ 192
Reporting .............................................................................................................. 193
Reporting Global Parameters ...................................................................................... 193
Reporting Packet Reporting ........................................................................................ 196
Top Ten Attacks ........................................................................................................... 196
Data Reporting Target Addresses................................................................................ 197
Security Log................................................................................................................. 197
Packet Trace................................................................................................................ 200
Attack Database .................................................................................................... 201
Attack Database Version .............................................................................................. 201
Attack Database Send To Device .................................................................................. 201
Activate Latest Changes ........................................................................................ 201
Packet Anomaly Attacks........................................................................................ 201
Service Discovery .................................................................................................. 206
Service Discovery Global Parameters ......................................................................... 206
Service Discovery Profiles ........................................................................................... 207
Restore Default Configuration .............................................................................. 208
Security ..................................................................................................................... 209
Management Ports ................................................................................................ 209
Ports Access ......................................................................................................... 209
SNMP .................................................................................................................... 210
SNMP Global Parameters ............................................................................................ 210
SNMP User Table ........................................................................................................ 210
SNMP Community Table .............................................................................................. 211
SNMP Groups Table ..................................................................................................... 211
SNMP Access Table ..................................................................................................... 212
SNMP View Table ......................................................................................................... 213
SNMP Notify Table ....................................................................................................... 213
SNMP Target Parameters ........................................................................................... 214
SNMP Target Address ................................................................................................. 215
Ping Physical Ports Table ..................................................................................... 216
Users ..................................................................................................................... 216
Certificates ............................................................................................................ 218
Certificates Table ........................................................................................................ 218
Exporting PKI Components .......................................................................................... 219
Importing a PKI Component......................................................................................... 219
Certificate Default Values ............................................................................................ 220
Classes ...................................................................................................................... 222
Modify .................................................................................................................... 222
Modify Networks.......................................................................................................... 222
Modify Services ........................................................................................................... 223
Modify Application Port Groups ................................................................................... 230
Modify Physical Port Groups ........................................................................................ 230
Modify VLAN Tag Groups ............................................................................................. 231
Modify MAC Groups ..................................................................................................... 231
View Active ............................................................................................................ 232
View Active Networks .................................................................................................. 232
View Active Services .................................................................................................... 232
Viewing Application Port Groups ................................................................................. 232
View Active Physical Port Groups ................................................................................ 232
View Active VLAN Tag Groups ...................................................................................... 233
View Active MAC Groups .............................................................................................. 233
Activate Latest Changes ........................................................................................ 233
Performance ............................................................................................................. 234
Element Statistics ................................................................................................. 234
IP Packet Statistics ...................................................................................................... 234
SNMP........................................................................................................................... 234
IP Router ..................................................................................................................... 236
Accelerator Utilization ................................................................................................. 237
CHAPTER 1

DDoS Protector Overview


In This Section:
Network Flood Protection ..............................................................................................8
Server Flood Protection .................................................................................................8
Application Layer Protection ..........................................................................................8

denial-of-service (DoS) attacks within seconds with multi-layered protection and up to 12-Gbps
performance.
Modern distributed DoS (DDoS) attacks use new techniques to exploit areas that traditional
security solutions are not equipped to protect. These attacks can cause serious network downtime
to businesses that rely on networks and Web services to operate. DDoS Protector extends
company security perimeters to block destructive DDoS attacks before they cause damage.

Network Flood Protection


DDoS Protector uses behavioral analysis to provide network-flood-attack protection. First, it
baselines normal daily and weekly patterns for network traffic. Then, DDoS Protector identifies
abnormal traffic, especially spikes from network floods.
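The paragraph above describes the idea (learn a daily and weekly pattern, then flag spikes against it) without showing what such a baseline looks like. The following is an added illustration, not Check Point's code: the appliance's actual model, thresholds and bucketing are not documented on this page, so the hour-of-week buckets, the `k` and `floor` tuning values and the sample traffic are all assumed or constructed here.

```python
# Added illustration of hour-of-week traffic baselining. This is not Check
# Point's code and the appliance's actual model is not documented on this
# page; thresholds, bucket size and sample data are all assumed/constructed.
from collections import defaultdict
from statistics import mean, pstdev

HOURS_PER_WEEK = 7 * 24


def build_baseline(history):
    """Learn the weekly pattern from (hour_index, packets_per_second) samples.

    Samples are bucketed by hour-of-week so Monday 09:00 is only compared
    with other Monday 09:00 readings. Returns {hour_of_week: (mean, stdev)}.
    """
    buckets = defaultdict(list)
    for hour_index, pps in history:
        buckets[hour_index % HOURS_PER_WEEK].append(pps)
    return {h: (mean(v), pstdev(v)) for h, v in buckets.items()}


def is_flood(baseline, hour_index, pps, k=4.0, floor=1000):
    """True when a sample exceeds the learned mean for that hour-of-week by
    more than k standard deviations (k and floor are assumed tuning knobs).

    The absolute floor stops near-zero stdev in quiet hours from turning
    every small fluctuation into an alert.
    """
    mu, sigma = baseline[hour_index % HOURS_PER_WEEK]
    return pps > mu + max(k * sigma, floor)


def detect(samples, baseline):
    """Return the hour indexes of samples that look like network floods."""
    return [h for h, pps in samples if is_flood(baseline, h, pps)]


def constructed_history(weeks=4):
    """Constructed training data: busy daytime, quiet night, deterministic
    jitter of +/-1000 pps so each bucket has a non-zero spread."""
    history = []
    for week in range(weeks):
        for h in range(HOURS_PER_WEEK):
            hour_of_day = h % 24
            base = 50_000 if 8 <= hour_of_day < 20 else 10_000
            jitter = ((week * 7 + h) % 5 - 2) * 500
            history.append((week * HOURS_PER_WEEK + h, base + jitter))
    return history


if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    # Week 5 (index 4): a 03:00 burst of 60k pps is roughly six times the
    # night-time norm, while 52k pps at 10:00 sits inside the daytime baseline.
    week5 = 4 * HOURS_PER_WEEK
    samples = [(week5 + 3, 60_000), (week5 + 10, 52_000), (week5 + 12, 400_000)]
    print("flood hours:", detect(samples, baseline))
```

The point the toy makes is that the same absolute rate is normal in one hour-of-week and anomalous in another, which is why a static packet-rate threshold either floods operators with daytime alerts or misses night-time attacks. A production model would also need to age old weeks out of the buckets and guard against an ongoing attack being learned as the new normal.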

Server Flood Protection


DDoS Protector protects against misuse of application resources. With its automatic
signature-generation capability, DDoS Protector automatically generates new signatures to
mitigate suspected attacks and to prevent known bad behavior. DDoS Protector also prevents
misuse of TCP/IP stacks by fending off SYN-flood attacks using SYN cookies.
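The paragraph mentions SYN cookies as the SYN-flood defence but does not show why they let a device absorb a flood without keeping half-open state. The toy below is an added example and is not Check Point's implementation; the cookie layout the appliance uses is not documented here. The layout assumed is the long-standing Linux-style one (5-bit time counter, 3-bit MSS index, 24-bit keyed hash of the connection 4-tuple), and the secret, MSS table and 64-second counter period are all assumptions.

```python
# Added toy SYN-cookie implementation illustrating the SYN-flood defence
# mentioned above. It is not Check Point's code, and the cookie layout the
# appliance uses is not documented here. Assumed layout, following the
# scheme long used by Linux: 32-bit ISN = 5-bit time counter |
# 3-bit MSS index | 24-bit keyed hash of the connection 4-tuple.
import hashlib
import hmac
import struct

SECRET = b"constructed-secret-rotate-it-in-real-deployments"  # assumed
MSS_TABLE = [536, 1220, 1440, 1460]  # assumed encodable MSS values
COUNTER_PERIOD = 64  # seconds per counter tick (assumed)


def _mac24(src, dst, sport, dport, counter):
    """24-bit keyed MAC over (src, dst, sport, dport, counter)."""
    msg = struct.pack("!4s4sHHB", src, dst, sport, dport, counter)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, dst, sport, dport, client_mss, now):
    """ISN to place in the SYN-ACK. The server stores nothing: the counter,
    the MSS choice and the MAC all ride inside the sequence number."""
    counter = (now // COUNTER_PERIOD) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = int.from_bytes(_mac24(src, dst, sport, dport, counter), "big")
    return ((counter << 27) | (mss_idx << 24) | mac) & 0xFFFFFFFF


def check_cookie(src, dst, sport, dport, ack, now):
    """Validate the final ACK of the handshake. Returns the MSS to use, or
    None if the cookie is forged, belongs to another 4-tuple, or is stale
    (older than one counter tick)."""
    cookie = (ack - 1) & 0xFFFFFFFF  # the client ACKs ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    current = (now // COUNTER_PERIOD) & 0x1F
    if (current - counter) % 32 > 1:
        return None  # stale: a replayed cookie from an old window
    if mss_idx >= len(MSS_TABLE):
        return None
    if not hmac.compare_digest(mac, _mac24(src, dst, sport, dport, counter)):
        return None  # wrong 4-tuple or forged ACK
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5])  # RFC 5737 documentation addresses
    isn = make_cookie(src, dst, 40000, 443, 1460, now=1000)
    print("valid ->", check_cookie(src, dst, 40000, 443, isn + 1, now=1010))
    print("other port ->", check_cookie(src, dst, 40001, 443, isn + 1, now=1010))
    print("stale ->", check_cookie(src, dst, 40000, 443, isn + 1, now=1000 + 3 * COUNTER_PERIOD))
```

Because the SYN-ACK is answered from the cookie alone, a flood of spoofed SYNs consumes CPU for one MAC each but no connection-table memory, which is the property the paragraph relies on. The trade-offs are visible in the code too: only a small set of MSS values can be encoded, TCP options from the original SYN are lost, and a 24-bit MAC leaves a one-in-sixteen-million chance per guessed ACK, which is why the secret is keyed and the counter window is kept short.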

Application Layer Protection


DDoS Protector blocks automated tools and fake users with challenge/response techniques. It
transparently redirects legitimate users to the correct destinations.

DDoS Protector User Guide 6.14 | 8


CHAPTER 2

File
In This Section:
Software Update .............................................................................................................9
Support ............................................................................................................................9
Configuration > Send to Device ....................................................................................10
Configuration > Receive from Device ..........................................................................10
Logfile > Show ...............................................................................................................10
Logfile > Clear ...............................................................................................................10
Logfile > Download .......................................................................................................11
Software List .................................................................................................................11

Software Update
Check Point may release updated versions of the appliance software. Upload the new version to
benefit from enhanced functionality and performance.
If the upload is not successful, the current appliance software does not change. If the upload is
successful, reboot the appliance to run the new version.

To upload software:
1. Select File > Software Update.
2. In Software version, enter the software version number as specified in the new software
documentation.
3. In the File field, enter the filepath. Or, click Browse to navigate to the file.
4. Select Enable New Version.
5. Click Set.
6. Click Device > Reboot Device.
7. Click Set.

Support
DDoS Protector can generate a text file with required CLI commands and their output, such as the
Client table and the ARP table.
You can download this file and send it to the Check Point Support Center.

To download the support file:


1. Select File > Support.
2. Click Download.


Configuration > Send to Device


Use the Send to Device pane to upload a configuration file to the appliance. The new file overwrites
the existing appliance configuration.
You cannot import an edited configuration file, and you must reboot the appliance after the upload.

To send the configuration file to an appliance:


1. Click File > Configuration > Send to Device.
2. Select an upload mode:
   • Replace configuration file
   • Append commands to configuration file
   • Append commands to configuration file with reboot
3. Enter the name of the configuration file.
4. Click Set.
5. Click Device > Reboot Device > Set to apply the changes in the configuration.

Configuration > Receive from Device


Use the Receive from Device pane to download the configuration file.
Note: If you download a configuration file with WBM, you cannot upload it to an appliance
configured to use SNMPv3 only.

To download the configuration file:


1. Select File > Configuration > Receive from Device.
2. Select whether to include private keys.
3. Click Set.

Logfile > Show


Use the Configuration Error Log pane to view the configuration errors. The report of configuration
errors presented in this log file is automatically generated by the appliance.

To view the log file:


Select File > Configuration > Logfile > Show.

Logfile > Clear


Use the Clear Error Log pane to clear the information in the Configuration Error Log pane.

To clear the error log:


1. Select File > Configuration > Logfile > Clear.
2. Click Set.


Logfile > Download


Use the Download Error Log pane to download the latest log file that contains configuration
errors. After the file is downloaded, you can show it.

To download the error log:


1. Select File > Configuration > Logfile > Download.
2. Click Set.

Software List
The appliance can hold different software versions and their configuration files at the same time.
You can set which version is currently active. You can delete the inactive version.

To delete an inactive software version:


1. Click File > Software List.
To filter the software list, enter or select a parameter and click Reset Filter.
2. Select the version that you want to delete and click Delete.
3. Click Device > Reboot Device > Set.
Filter Parameter Description

Name The name of the version.

Index The index of the version in the Software List.

Valid Whether the version is valid.

Active Whether the version is the active one.

Version The version number.



CHAPTER 3

Device
In This Section:
Reboot Device ...............................................................................................................12
Device Shutdown ..........................................................................................................12
Global Parameters .......................................................................................................13
Device Information .......................................................................................................13
Utilization > SME Utilization .........................................................................................14
Utilization > Device Resource Utilization ....................................................................15
License Upgrade ...........................................................................................................15
Forwarding Table ..........................................................................................................15
Port Mirroring ...............................................................................................................16
L2 Interface ...................................................................................................................19
Link Aggregation...........................................................................................................20
Jumbo Frames Settings ...............................................................................................23
Traffic Exclusion ...........................................................................................................24
Session Table ................................................................................................................24
IP Fragmentation ..........................................................................................................28
Device Overload Mechanism ........................................................................................28
High Availability ............................................................................................................29
Tunneling ......................................................................................................................33
IP Version Mode ............................................................................................................34
Dynamic Protocols ........................................................................................................35

Reboot Device
This feature reboots the appliance. Many changes are applied only after the appliance reboots.

To reboot the appliance:


1. Click Device > Reboot Device.
2. Click Set.

Device Shutdown
To shut down an appliance:
1. Click Device > Device Shutdown.
2. Click Shutdown.


Global Parameters
To set the global appliance parameters:
1. Click Device > Global Parameters.
2. Configure the parameters, and click Set.
Global Parameter Description

Description The general description of the appliance.

Name The user-assigned name of the appliance that shows in the windows describing
the appliance.

Location The geographic location of the appliance.

Contact Person The person or people responsible for the appliance.

System Up Time The time elapsed since the last reset.

System Time The current user-defined appliance time, in hh:mm:ss format.

System Date The current user-defined appliance date, in dd/mm/yyyy format.

Boot Server Address The IP address of the BootP server. The appliance forwards BootP requests to
the BootP server and acts as a BootP relay.

BootP Threshold How many seconds the appliance waits before relaying requests to the BootP
server. This delay allows BootP servers to answer first.

Device Information
Open the Device Information pane to see information about the appliance.
Click Device > Device Information.

Parameter Description

Type The appliance type.

Platform The hardware platform type.

Device The appliance name.

Ports The number of ports on the appliance.

Ports Config The ports configuration.

HW Version The hardware version.

SW Version The software version.

Build The software build date, time, and version number.

Throughput License The throughput license (limit).

Version State The version state; for example, "Final."

APSolute OS The APSolute OS build date, time, and version number.

Network Driver The network driver version.

RAM Size The amount of RAM, in GB.

Flash Size The size of the flash (permanent) memory, in MB.

Hard Disk(s) The number of hard disks installed.

Registered Specifies whether the appliance is registered.

Date The date of version.

Time The time of version.

Up Time The time the appliance has been up.

Base MAC The MAC address of the first port on the appliance.

Serial Number The serial number of the appliance.

Active Boot The active boot version.

Secondary Boot The secondary boot version.

Power Supply The power supply status.

DoS Mitigator The DoS Mitigator type.

SME The SME type.

Utilization > SME Utilization


The Engines Utilization pane displays values relating to the utilization of internal hardware
components. The information is intended only for advanced tuning and debugging by the Check
Point Support Center.


Utilization > Device Resource Utilization


To view appliance resource utilization:
1. Click Device > Utilization > General.
2. Read the resource utilization values for your appliance.
Parameter Description

RS Resource Utilization The percentage of the RS resource currently used.

RE Resource Utilization The percentage of the RE resource currently used.

Last 5 sec. Average Utilization The average use of resources in the last 5 seconds.

Last 60 sec. Average Utilization The average use of resources in the last 60 seconds.

License Upgrade
To upgrade the software license:
1. Click Device > License Upgrade.
2. Enter your new license key. (The current license key is shown.)
3. Enter your new throughput license key. (The current throughput license key is shown.)
Note: License codes are case sensitive.
4. Click Set.
5. In the Reset the Device pane, click Set. The reset may take a few minutes.

Forwarding Table
You can configure scanning ports using the Static Forwarding mode. In Static Forwarding mode,
DDoS Protector operates in promiscuous mode on the network, which means that the appliance acts
as a completely transparent network element.
Scanning ports have a one-to-one forwarding ratio: traffic that arrives on the receiving port is
always sent out of its corresponding transmitting port. The ports are paired, meaning one port
receives traffic while the other transmits it. The pairs are defined in the Forwarding Table.
When you use the SYN Flood Protection filters, you must set both the inbound and the outbound
traffic of the segment to operate in Process mode.
You can assign the same Destination Port to more than one Source Port. For example, Source Port 1
can be associated with Destination Port 3 and Source Port 2 can also be associated with
Destination Port 3.


To configure promiscuous ports:


1. Click Device > Forwarding Table.
2. Click Create.
3. Configure the parameters.
4. Click Set.
Parameter Description

Source The user-defined source port for received traffic.

Destination The user-defined destination port for transmitted traffic.

Operation The operation mode assigned to the pair of ports: Process or Switch.

Failure Mode The failure mode.
Values: Fail-Open, Fail-Close

Port Types The port type.
Values: Source, Destination

Note: When you assign the same Destination Port to more than one Source Port, you must also define
an entry for the traffic in the opposite direction, otherwise traffic transmitted in that direction
is ignored. For example, if Source Port 1 and Source Port 2 are both associated with Destination
Port 3, then for the opposite direction you must add an entry with Source Port 3 and a Destination
Port (typically 1 or 2).
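The two rules above (a shared Destination Port needs its own entry as a Source Port, and SYN Flood Protection needs Process mode in both directions of a segment) are easy to get wrong when a Forwarding Table is built by hand. The following checker is an added example, not DDoS Protector code and not an API of the appliance; the PairEntry class and the sample tables are constructed here to mirror the columns of the Forwarding Table pane.

```python
"""Consistency check for a static Forwarding Table.

Added example; this is not DDoS Protector code and the table entries below are
constructed. It encodes two rules stated in the Forwarding Table section:
(1) when several Source Ports share one Destination Port, that port must also
appear as a Source Port, or return traffic entering it is ignored; and
(2) SYN Flood Protection needs Process mode in both directions of a segment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PairEntry:
    source: int                      # port that receives traffic
    destination: int                 # port that transmits it
    operation: str = "Process"       # "Process" or "Switch"
    failure_mode: str = "Fail-Open"  # "Fail-Open" or "Fail-Close"


def lint_forwarding_table(entries, syn_flood_protection=False):
    """Return a list of findings; an empty list means the table is consistent."""
    findings = []

    # Rule 1: a shared Destination Port needs its own entry as a Source Port.
    sources_by_dest = {}
    for e in entries:
        sources_by_dest.setdefault(e.destination, set()).add(e.source)
    source_ports = {e.source for e in entries}
    for dest, sources in sorted(sources_by_dest.items()):
        if len(sources) > 1 and dest not in source_ports:
            findings.append(
                f"port {dest} is the Destination for Source ports {sorted(sources)} "
                f"but has no entry as a Source port: traffic entering port {dest} is ignored")

    # Rule 2: with SYN Flood Protection, both directions must be in Process mode.
    if syn_flood_protection:
        op_by_pair = {(e.source, e.destination): e.operation for e in entries}
        checked = set()
        for (src, dst), op in sorted(op_by_pair.items()):
            segment = frozenset((src, dst))
            if segment in checked:
                continue
            checked.add(segment)
            reverse = op_by_pair.get((dst, src))
            if op != "Process" or reverse != "Process":
                findings.append(
                    f"segment {src}<->{dst} must be Process mode in both directions for SYN "
                    f"Flood Protection (found {op} and {reverse})")
    return findings


# Constructed tables.
SHARED_OK = [PairEntry(1, 3), PairEntry(2, 3), PairEntry(3, 1)]   # return path defined
SHARED_BAD = [PairEntry(1, 3), PairEntry(2, 3)]                   # port 3 never a Source
MIXED_MODE = [PairEntry(1, 2, "Switch"), PairEntry(2, 1, "Process")]

if __name__ == "__main__":
    for name, table in [("SHARED_OK", SHARED_OK), ("SHARED_BAD", SHARED_BAD),
                        ("MIXED_MODE", MIXED_MODE)]:
        print(name, lint_forwarding_table(table, syn_flood_protection=True) or "ok")
```

Run it before committing a Forwarding Table change: SHARED_BAD reports that port 3 is never a Source, and MIXED_MODE is only flagged once SYN Flood Protection is in play, which matches the page's statement that the Process-mode requirement applies when those filters are used.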

Interface Grouping
When you install DDoS Protector between two L2 switches with multiple links (with Link
Aggregation, for example), a link failure of one L2 switch is not detected by the remote L2 switch,
because DDoS Protector continues to keep the link up. Interface Grouping shuts both endpoints of
a link if a failure is detected on one of the endpoints. The endpoints of the links are set by the
Static Forwarding table. Interface Grouping is configured globally for each appliance.

To enable interface grouping:


1. Click Device > Forwarding Table.
2. From the Interface Grouping drop-down list, select Enable.

Port Mirroring
Port mirroring is supported only on DDoS Protector x412 models.
Port Mirroring enables the appliance to duplicate traffic from one physical port on the appliance to
another physical port on the appliance. This is useful when an intrusion detection system (IDS)
appliance is connected to one of the ports on the appliance. You can choose to mirror either
received and transmitted traffic, received traffic only, or transmitted traffic only. You can also
specify whether to duplicate the received broadcast packets.
During high-bandwidth DoS and DDoS attacks, you can mirror the traffic that arrives at the DDoS
Protector appliance to a dedicated sniffer port. This allows you to collect packet data during an
attack.
DDoS Protector appliances can also perform traffic-rate port mirroring, which copies traffic only
while the appliance is under attack. Traffic-rate port mirroring is based on a specified traffic
threshold. When the threshold is reached, DDoS Protector starts copying traffic from the interface
to its mirroring output port. Copying continues for the specified time after the rate drops below
the threshold, and then stops. For example, if a single network segment is connected between
interfaces 1 and 2, whenever traffic reaches the configured threshold, DDoS Protector copies the
traffic arriving on interface 1 to interface 3.

To set the appliance to operate in port mirroring mode:


1. Click Device > Port Mirroring > Table.
2. Click Create.
3. Configure the parameters.
4. Click Set.
Parameter Description

Input Port The port from which the traffic is mirrored.

Output Port The port to which traffic is mirrored.

Receive\Transmit The direction of the traffic that the appliance mirrors.
Values: Transmit and Receive, Receive Only, Transmit Only

Promiscuous Mode If Enabled, the appliance copies all traffic to the specified output port. If
Disabled (default), the appliance copies only the traffic destined to the input port.

Backup Port A backup port for the output.

Mode The mirroring mode.
Values:
• Enabled: continuous port mirroring.
• Traffic Rate: port mirroring according to the traffic rate over the network (PPS or Kbps). A
Threshold must be defined for Traffic Rate mode.

Threshold The traffic-rate value at which mirroring starts (used in Traffic Rate mode).

Global Parameters
Use the Port Mirroring Global Parameters pane to set the parameters that apply globally for the
appliance, not for each pair of ports.

To set the Port Mirroring Global Parameters:


1. Click Device > Port Mirroring > Global Parameters.
2. Configure the parameters.
3. Click Set.


Parameter Description

Traffic Threshold Units The units in which the threshold is measured.
Values:
• PPS: packets per second
• Kbps: kilobits per second

Threshold Interval How long, in seconds, mirroring continues after the traffic rate falls
below the specified threshold.
Default: 30
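The interaction between the per-pair Threshold and the global Threshold Interval is the part most people misjudge when sizing a sniffer port. The following model is an added example, not DDoS Protector code: it treats the threshold as "start copying when a one-second rate sample reaches the threshold" and the interval as "keep copying for that many seconds after the rate falls below it", which is what the two parameter descriptions above say; the per-second rate samples are constructed, and the reset method stands in for Device > Port Mirroring > Reset Traffic Rate.

```python
"""Traffic-rate port mirroring modelled as a small state machine.

Added example; not code from the DDoS Protector product. The per-second rate
samples are constructed. Semantics follow the parameter descriptions: mirroring
starts when the rate reaches `threshold` and keeps running for
`threshold_interval` seconds after the rate drops below it.
"""
from dataclasses import dataclass, field


@dataclass
class TrafficRateMirror:
    input_port: int
    output_port: int
    threshold: float              # in PPS or Kbps, per Traffic Threshold Units
    units: str = "PPS"            # "PPS" or "Kbps"
    threshold_interval: int = 30  # seconds mirroring continues below threshold (default 30)
    mirroring: bool = field(default=False, init=False)
    _below_for: int = field(default=0, init=False)   # consecutive seconds below threshold

    def step(self, rate):
        """Feed one per-second rate sample; return whether this second is mirrored."""
        if rate >= self.threshold:
            self.mirroring = True
            self._below_for = 0
        elif self.mirroring:
            self._below_for += 1
            if self._below_for > self.threshold_interval:
                self.mirroring = False           # interval elapsed: stop copying
                self._below_for = 0
        return self.mirroring

    def reset_threshold(self):
        """Stand-in for Reset Traffic Rate: the next sample over threshold starts a new interval."""
        self.mirroring = False
        self._below_for = 0


def mirrored_seconds(rates, threshold, interval):
    """Return the indices of the samples during which traffic was copied to the output port."""
    m = TrafficRateMirror(input_port=1, output_port=3, threshold=threshold,
                          threshold_interval=interval)
    return [i for i, r in enumerate(rates) if m.step(r)]


# Constructed sample: one-second packet-rate samples on interface 1.
SAMPLE_RATES = [100, 200, 5000, 8000, 300, 100, 100, 100, 100, 9000, 50]

if __name__ == "__main__":
    print(mirrored_seconds(SAMPLE_RATES, threshold=4000, interval=3))
```

With a threshold of 4000 PPS and an interval of 3 seconds the sample above is mirrored during seconds 2 to 6 and again from 9 onwards: the burst ends at second 3, but the copy keeps running for three more seconds, so the sniffer also captures the tail of the attack. Size the interval for the amount of post-attack traffic you actually want captured, since everything in that window lands on the output port.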

Reset Traffic Rate Threshold


Use the Port Mirroring Reset Traffic Rate Threshold pane to set the appliance to record the traffic
that exceeds the predefined limit within a new threshold interval.

To reset the Traffic Rate Threshold:


1. Click Device > Port Mirroring > Reset Traffic Rate.
2. Click Set.

Physical Interface
Use the Physical Interface pane to change the physical attributes of each port individually.

To update the ports physical attributes:


1. Click Device > Physical Interface.
2. Configure the parameters.
3. Click Set.
Parameter Description

Port Index (Read-only) The index number of the port.

Speed The traffic speed of the port.
Values: Ethernet, Fast Ethernet, Giga Ethernet

Duplex Specifies whether the port can send and receive at the same time (Full Duplex) or only in
one direction at a time (Half Duplex).

Auto Negotiation Detects and configures the speed and duplex required for the interface.


L2 Interface
Use the L2 Interface pane to configure the administrative status and view settings for each
interface.

To configure the administrative status of an interface:


1. Click Device > L2 Interface.
2. Select the relevant interface.
3. From the Interface Admin Status drop-down list, select the required status of the interface
(up or down).
4. Click Set.
Parameter Description

Interface Index The interface name or index number.

Interface Family A hard-coded description of the interface.

Interface Description A hard-coded description of the interface.

Interface Type The interface type number assigned by the Internet Assigned Numbers Authority
(IANA).

MAC Address The MAC address of the interface.

Admin Status The administrative status of the interface, Up or Down.

Operational Status The operational status of the interface, Up or Down.

Interface Last Change The value of System Up Time at the time the interface entered its current
operational state. If the current state was entered prior to the last re-initialization of the
local network management subsystem, then this value is zero (0).

ifInOctets Incoming Bytes The number of incoming octets (bytes) through the interface, including
framing characters.

InUcastPkt Incoming Unicast Packets The number of packets delivered by this sub-layer to a higher
sub-layer which were not addressed to a multicast or broadcast address at this sub-layer.

InNUcastPkt Incoming Non-Unicast Packets The number of packets delivered by this sub-layer to a
higher sub-layer which were addressed to a multicast or broadcast address at this sub-layer.

ifInDiscards Incoming Discards The number of inbound packets chosen to be discarded even though no
errors had been detected to prevent their being deliverable to a higher-layer protocol. One
possible reason for discarding such a packet could be to free up buffer space.

ifInErrors Incoming Errors For packet-oriented interfaces, the number of inbound packets that
contained errors preventing them from being deliverable to a higher-layer protocol. For
character-oriented or fixed-length interfaces, the number of inbound transmission units that
contained errors preventing them from being deliverable to a higher-layer protocol.

ifOutOctets Outgoing Bytes The total number of octets (bytes) transmitted out of the interface,
including framing characters.

OutUcastPkt Outgoing Unicast Packets The total number of packets that higher-level protocols
requested be transmitted, and which were not addressed to a multicast or broadcast address at
this sub-layer, including those that were discarded or not sent.

outNUcastPkt Outgoing Non-Unicast Packets The total number of packets that higher-level
protocols requested be transmitted, and which were addressed to a multicast or broadcast address
at this sub-layer, including those discarded or not sent.

ifOutDiscards Outgoing Discards The number of outbound packets which were chosen to be discarded
even though no errors had been detected to prevent their being transmitted. One possible reason
for discarding such a packet could be to free up buffer space.

ifOutErrors Outgoing Errors For packet-oriented interfaces, the number of outbound packets that
could not be transmitted because of errors. For character-oriented or fixed-length interfaces,
the number of outbound transmission units that could not be transmitted because of errors.

Interface Speed The current bandwidth, in megabits per second, of the interface.

Link Aggregation
Use link aggregation, also called port trunking, to combine physical network links into a single
logical link for increased bandwidth and/or redundancy. With link aggregation, you can increase
the capacity and availability of the communications channel between appliances (both switches
and end stations) using existing Fast Ethernet and Gigabit Ethernet technology. A set of multiple
parallel physical links between two appliances is grouped together to form a single logical link.
Note: DDoS Protector x06 platforms implement link aggregation in software and not at the switch
level. (This platform does not include a Layer 2 switch hardware component.) Therefore, on this
platform, you cannot define link aggregations as port mirroring participants.

Link aggregation also provides load balancing: processing and communications activity is
distributed across the links of a link aggregation, so that no single link is saturated. By
taking multiple LAN connections and treating them as a unified, aggregated link, you achieve
higher link availability and increased link capacity.
Link aggregation is supported according to the IEEE 802.3ad standard for link aggregation as
follows:
• Link aggregation is supported only on links using the IEEE 802.3 MAC.
• Link aggregation is supported only on point-to-point links.
• Link aggregation is supported only on links operating in Full Duplex mode.
• Link aggregation is permitted only among links with the same speed and direction.
• The failure or replacement of a single link within a link aggregation does not cause failure
from the perspective of a MAC client.
MAC client traffic can be distributed across multiple links. To guarantee the correct ordering of
frames at the receiving end station, all frames belonging to one session must be transmitted
through the same physical link.
For DDoS Protector, the algorithm for assigning frames to a physical port within the link
aggregation is based on hashing the Layer 3 destination IP address and the Layer 4 destination
port.
The link-aggregation feature lets you define up to five (5) link aggregations on an x06 platform,
and up to seven (7) trunks on an x420 platform.
In DDoS Protector, all link-aggregation configurations are static.
Notes:
• Only connected ports (Link Up) operating in Full Duplex mode can be attached to a link
aggregation.
• A port belonging to a link aggregation cannot be copied to another port (copy port).
• Before attaching a physical port to a link aggregation, make sure that the port is not used in
any configuration (port mirroring, static forwarding). Management ports that have preconfigured
IP addresses cannot be assigned to a link aggregation. If you want to use a management port in a
link aggregation, you must first remove the IP address and only then add it to the link
aggregation.
• When a link aggregation is part of a protected segment definition, Port Operation in the Port
Pairs table must be set to Process mode for both directions of this segment.
• You cannot specify a port within a link aggregation as the source or destination of SSL
inspection.
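The member-selection rule stated above (hash of the Layer 3 destination IP address and Layer 4 destination port) has a consequence worth seeing in numbers: every frame toward one server IP and port lands on the same physical link, so a volumetric attack against a single destination never spreads across the trunk. The following is an added example, not DDoS Protector code; the guide does not say which hash function the appliance uses, so CRC32 over the packed destination address and port is an assumption made here, and the flows and trunk membership are constructed.

```python
"""Link-aggregation member selection by hashing the destination IP and port.

Added example, not DDoS Protector code. The appliance hashes the Layer 3
destination IP address and Layer 4 destination port to pick a member link; the
exact hash function is not documented, so CRC32 over those two fields is an
assumption made here. The flows and the trunk membership are constructed.
"""
import ipaddress
import zlib
from collections import Counter


def select_member(dst_ip, dst_port, members):
    """Return the physical port that carries every frame sent toward (dst_ip, dst_port).

    Only destination fields enter the hash, so all frames of one flow toward that
    destination agree on the member link, which preserves frame ordering.
    """
    if not members:
        raise ValueError("trunk has no attached (Link Up, full duplex) members")
    key = ipaddress.ip_address(dst_ip).packed + dst_port.to_bytes(2, "big")
    return members[zlib.crc32(key) % len(members)]


def distribute(flows, members):
    """Count how many of the given (dst_ip, dst_port) flows land on each member port."""
    return Counter(select_member(ip, port, members) for ip, port in flows)


# Constructed traffic: 40 servers, three services each, behind one trunk.
FLOWS = [(f"203.0.113.{h}", p) for h in range(1, 41) for p in (80, 443, 53)]
TRUNK_T1 = [1, 2, 3, 4]   # physical ports attached to trunk T1

if __name__ == "__main__":
    print("spread over T1:", dict(distribute(FLOWS, TRUNK_T1)))
    # Every frame of one flow hashes to the same member, regardless of arrival order.
    print("affinity:", {select_member("203.0.113.7", 443, TRUNK_T1) for _ in range(5)})
    # A single destination always lands on one member, so a flood aimed at one
    # server IP:port is limited to that member's bandwidth, not the trunk's.
    print("flood toward 203.0.113.7:443 uses port", select_member("203.0.113.7", 443, TRUNK_T1))
    # Losing a member re-hashes flows over the survivors; the trunk itself stays up.
    print("after port 2 fails:", dict(distribute(FLOWS, [1, 3, 4])))
```

The distribution across members depends on the hash, so treat the spread printed here as illustrative; the affinity and single-destination properties hold for any hash over the destination fields, and those are the two things to keep in mind when you size member links for an attack on one server.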

Link Aggregation Trunk Table


The Trunk Table, which is read-only, enables you to view the trunk settings that were defined in
the Link Aggregation Port Table (on page 22).
To view the link aggregation trunk table, click Device > Link Aggregation > Trunk Table.


Parameter Description

Trunk Index The trunk index.

Trunk MAC Address The MAC address assigned to the trunk.

Trunk Status Values:
• Individual (False): No ports are attached to this trunk.
• Aggregated (True): Ports are attached to this trunk.

Link Aggregation Port Table


Use the Port Table to attach ports to a trunk.
Only ports that are connected (Link Up) and operating in full duplex mode can be attached to a
trunk.

To set the link aggregation port table parameters:


1. Click Device > Link Aggregation > Port Table.
2. Select the port index to edit.
3. Configure the parameters
4. Click Set.
Parameter Description

Port Index (Read-Only) The physical port index.

Port MAC (Read-Only) The MAC address assigned to the port.

Trunk Index The trunk to which the port is attached.
Values:
• Unattached
• T1 to T7: The range of values depends on the platform. That is, the number of trunks that you
can configure depends on the appliance platform.
Default: Unattached

Port Status (Read-Only)
Values:
• Individual: The port is not attached to any trunk.
• Aggregate: The port is attached to a trunk.


Jumbo Frames Settings


You can specify whether jumbo frames bypass the appliance or are discarded. This setting is
available only on x412 platforms.

To configure the jumbo-frame settings:


1. Click Device > Jumbo Frames.
2. Configure the parameters
3. Click Set.
Parameter Description

Jumbo Frames Mechanism Status Values:
• enable: The appliance inspects frames up to 9216 bytes.
• disable: The appliance discards frames that are larger than 1556 bytes.
Default: disable
Configuration changes take effect only after an appliance reset.
When this option is enabled, all DDoS Protector monitoring and protection modules support
monitoring, inspection, detection, and mitigation of traffic and attacks in packets up to 9216
bytes. For example, when this option is enabled, TCP Authentication using Transparent Proxy
supports an additional maximum segment size (MSS) value to improve performance of the protected
networks.

Jumbo Frames Bypass Values:
• enable: Frames of 1556 through 9216 bytes bypass the appliance without any inspection or
monitoring.
• disable (default): The appliance discards frames that are larger than 1556 bytes.
Configuration changes take effect only after an appliance reset.
When the option is enabled on an x412 platform, there may be some negative effect on the following
features: Packet Anomalies, Black and White Lists, and BDoS real-time signatures.
When the option is enabled on an x06 platform, there may be some negative effect on Black and
White Lists.
When the option is enabled, TCP SYN Protection may not behave as expected, because the third
packet of the TCP three-way handshake can carry data and be itself a jumbo frame that bypasses
the appliance.
When the option is enabled, some protections that rely on the DDoS Protector Session table might
produce false negatives and drop traffic if all of a session's traffic bypasses the appliance in
both directions for longer than the Session Aging Time.


Traffic Exclusion
This feature is available only on x412 platforms.
You can specify whether the appliance passes through all traffic that matches no network policy
configured on the appliance.
If Traffic Exclusion is enabled, to inspect traffic that matches a Server Protection policy, you must
configure the Server Protection policy as a subset of the Network Protection policy.

To configure traffic exclusion:


1. Click Device > Traffic Exclusion.
2. From the Traffic Exclusion Status drop-down list, select Enable (default) or Disable.
3. Click Set.

Session Table
DDoS Protector includes a Session table, which tracks sessions bridged and forwarded by the
appliance.

Session Table Global Parameters


To set the parameters for the session table:
1. Click Device > Session Table > Global Parameters.
2. Configure the parameters
3. Click Set.
Parameter Description

Session Table Status Specifies whether the appliance uses the Session table.
Default: Enabled

Idle TCP-Session Aging Time The time, in seconds, that the Session table keeps idle TCP sessions.
Values: 1 to 7200
Default: 100

Idle UDP-Session Aging Time The time, in seconds, that the Session table keeps idle UDP sessions.
Values: 1 to 7200
Default: 100

Idle SCTP-Session Aging Time The time, in seconds, that the Session table keeps idle SCTP
sessions.
Values: 1 to 7200
Default: 100

Idle ICMP-Session Aging Time The time, in seconds, that the Session table keeps idle ICMP
sessions.
Values: 1 to 7200
Default: 100

Idle GRE-Session Aging Time The time, in seconds, that the Session table keeps idle GRE sessions.
Values: 1 to 7200
Default: 100

Idle Other-Protocol-Session Aging Time The time, in seconds, that the Session table keeps idle
sessions of protocols other than TCP, UDP, SCTP, ICMP, or GRE.
Values: 1 to 7200
Default: 100

Session Table No Aging Mode Enables or disables Session table aging. If enabled, the Session
Table and Flow Table are not aged.
This parameter can be configured only if Session Table Lookup Mode is L4 Destination Port.

Session Table Lookup Mode The layer of address information that is used to categorize packets in
the Session table.
Values:
• Full L4: An entry exists in the Session table for each source IP, source port, destination IP,
and destination port combination of packets passing through the appliance.
• L4 Destination Port: Traffic is recorded based only on the TCP/UDP destination port. This mode
uses minimal Session table resources (only one entry for each port that is secured).
Default: Full L4
Important: Check Point recommends that you always use the Full L4 option. When Session Table
Lookup Mode is L4 Destination Port, these protections do not work:
• Anti Scanning
• Connection Packet Rate Limit
• Connection Rate Limit
• HTTP Mitigator
• HTTP Replies Signatures
• Out-of-State protection
• Server Cracking
• SYN Flood protection

Remove Session Table Entry at Session End Specifies whether the appliance removes a session from
the Session table after receiving a FIN or RST packet, if no additional packets are received on
the same session within the Remove Session Entry at Session End Time period.
Default: Enabled

Remove Session Entry at Session End Time When Remove Session Table Entry at Session End is
enabled, the time, in seconds, after which the appliance removes a session from the Session table
after receiving a FIN or RST packet, if no additional packets are received on the same session.
(This option is supported only if Remove Session Table Entry at Session End is enabled.)
Values: 1 to 60
Default: 5

Send Reset To Server Status Specifies whether the DDoS Protector appliance sends a RST packet to
the destination of aged TCP sessions.
Values:
• Enabled: DDoS Protector sends a RST packet to the destination and removes the entry from the
DDoS Protector Session table.
• Disabled: DDoS Protector ages the session normally (using the short SYN timeout), but the
destination might hold the session for quite some time.
Default: Disabled

Advanced Session Table Global Parameters


To set the session table advanced configuration parameters:
1. Click Device > Session Table > Advanced Configuration.
2. Configure the parameters.
3. Click Set.
Parameter Description

Session-Table-Full Action The action that the appliance takes when the Session table is at full
capacity.
Values:
• Bypass New Sessions: The appliance bypasses new sessions until the Session table has room for
new entries. Bypassed sessions are not tracked, so this is the fail-open choice.
• Block New Sessions: The appliance blocks new sessions until the Session table has room for new
entries. This is the fail-closed choice.
Default: Bypass New Sessions

Incomplete TCP-Handshake Timeout How long, in seconds, the appliance waits for the three-way
handshake to complete and a data payload to arrive for a new TCP session. When the timeout
elapses, the appliance deletes the session and, if the Send Reset To Server option is enabled,
sends a reset packet to the server.
Values:
• 0: The appliance uses the specified Session Aging Time.
• 1 to 10: The TCP handshake timeout, in seconds.
Default: 10
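The Session table parameters in the two panes above interact, and the Important note on Lookup Mode is easiest to understand by watching the same packets go through both modes. The model below is an added example, not DDoS Protector code: it implements lookup mode, per-protocol idle aging, removal after FIN/RST, the Incomplete TCP-Handshake Timeout and the Session-Table-Full Action with the documented defaults. The packet trace is constructed and deliberately one-directional, and because the guide does not describe how the appliance decides that a packet is out of state, "out-of-state" here simply means a non-SYN TCP packet for which the table holds no session started by a SYN.

```python
"""Session-table behaviour under the documented parameters.

Added example, not DDoS Protector code. Models Session Table Lookup Mode,
idle aging, Remove Session Table Entry at Session End, the Incomplete
TCP-Handshake Timeout and the Session-Table-Full Action with their documented
defaults. The packet trace is constructed and one-directional; "out-of-state"
is this model's definition (non-SYN TCP packet with no tracked session), not
the appliance's documented logic.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""          # subset of "SAFR"
    proto: str = "TCP"
    t: float = 0.0           # arrival time in seconds


@dataclass
class SessionTable:
    lookup_mode: str = "Full L4"               # or "L4 Dest Port"
    capacity: int = 1_000_000
    aging: dict = field(default_factory=lambda: {"TCP": 100, "UDP": 100, "OTHER": 100})
    remove_at_end: bool = True                 # Remove Session Table Entry at Session End
    end_timeout: float = 5                     # Remove Session Entry at Session End Time
    handshake_timeout: float = 10              # Incomplete TCP-Handshake Timeout
    full_action: str = "Bypass New Sessions"   # or "Block New Sessions"
    table: dict = field(default_factory=dict)

    def key(self, p):
        if self.lookup_mode == "L4 Dest Port":
            return (p.proto, p.dport)          # one entry per secured port
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def expire(self, now):
        """Age out idle, ended and never-completed sessions; return how many were removed."""
        dead = []
        for k, e in self.table.items():
            idle = self.aging.get(e["proto"], self.aging["OTHER"])
            stale_handshake = (e["proto"] == "TCP" and not e["established"]
                               and now - e["start"] > self.handshake_timeout)
            if (now - e["last"] > idle or stale_handshake
                    or (e["ended"] and now - e["last"] > self.end_timeout)):
                dead.append(k)
        for k in dead:
            del self.table[k]     # with Send Reset To Server enabled, a RST would go out here
        return len(dead)

    def process(self, p):
        """Return 'forward', 'out-of-state', 'bypass' or 'block' for one packet."""
        self.expire(p.t)
        k = self.key(p)
        e = self.table.get(k)
        if e is None:
            if p.proto == "TCP" and "S" not in p.flags and self.lookup_mode == "Full L4":
                return "out-of-state"          # mid-stream packet, no session started by a SYN
            if len(self.table) >= self.capacity:
                return "bypass" if self.full_action == "Bypass New Sessions" else "block"
            self.table[k] = {"proto": p.proto, "start": p.t, "last": p.t,
                             "established": p.proto != "TCP", "ended": False}
            return "forward"
        e["last"] = p.t
        if "S" not in p.flags:
            e["established"] = True            # handshake completed (third packet or data)
        if self.remove_at_end and ("F" in p.flags or "R" in p.flags):
            e["ended"] = True                  # dropped after end_timeout with no more packets
        return "forward"


def demo(lookup_mode):
    """Run a constructed client-to-server trace through a table in the given lookup mode."""
    st = SessionTable(lookup_mode=lookup_mode)
    c, s = ("198.51.100.10", 40000), ("203.0.113.5", 80)
    trace = [
        Packet(*c, *s, flags="S", t=0.0),                      # client SYN
        Packet(*c, *s, flags="A", t=0.2),                      # third packet of the handshake
        Packet("198.51.100.99", 5555, *s, flags="A", t=1.0),   # stray ACK, no SYN ever seen
        Packet(*c, *s, flags="F", t=2.0),                      # client closes
        Packet(*c, *s, flags="A", t=200.0),                    # long after aging and end timeout
    ]
    return [st.process(p) for p in trace]


if __name__ == "__main__":
    print("Full L4     :", demo("Full L4"))
    print("L4 Dest Port:", demo("L4 Dest Port"))
```

In Full L4 mode the stray ACK and the late ACK are both out of state; in L4 Dest Port mode the single entry for port 80 makes every packet toward that port look like part of an existing session, which is exactly why the protections listed in the Important note cannot work in that mode. The capacity knob shows the other trade-off: with Bypass New Sessions, an attacker who fills the table gets uninspected new sessions, while Block New Sessions refuses them.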

Session Table Entries


To set the number of Session Table entries to be shown:
1. Click Device > Session Table > View Table Query Results.
2. In the Maximum Displayed Entries text box, enter the number of Session table entries to be
shown.

To set the session table query filters:


1. Click Device > Session Table > View Table Query Results.
2. Click Create.
3. Configure the parameters.
4. Click Set.
Parameter Description

Name A unique name for the filter.

Source IP A source IP address within the subnet to match.

Source IP mask The mask applied to Source IP to define the source subnet that you want to present
in the Session Table.

Dest IP A destination IP address within the subnet to match.

Dest IP mask The mask applied to Dest IP to define the destination subnet that you want to present
in the Session Table.

Source Port The session source port.

Dest Port The session destination port.


IP Fragmentation
When an IP packet is too long to be transmitted over a link, the originator of the packet, or one
of the routers forwarding it, has to fragment the packet into multiple shorter packets.
IP Fragmentation allows the appliance to forward fragmented IP packets. The appliance identifies
that all the fragments belong to the same datagram and treats them accordingly in terms of
classification, load balancing and forwarding. The appliance does not reassemble the original IP
packet; it forwards the fragments to their destination, even if they arrive at the appliance out
of order.
With asymmetric routing, when the appliance does not see all of a datagram's fragments, the
appliance drops the incomplete fragments.

To set the IP fragmentation parameters:


1. Click Device > IP Fragmentation.
2. Configure the parameters.
3. Click Set.
Parameter Description

Status Enables or disables IP Fragmentation.
Enabling IP Fragmentation requires a reboot.

Queueing-limit The percentage of IP packet buffers that the appliance allocates for out-of-order
fragmented IP datagrams.
Values: 0 to 100
Default: 25

Aging The time, in seconds, that the appliance keeps fragmented datagrams in the queue.
Values: 1 to 255
Default: 1
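The three statements above (fragments are forwarded without reassembly, out-of-order arrival is tolerated, and incomplete datagrams seen over an asymmetric path are dropped) plus the Queueing-limit and Aging parameters describe a small forwarding state machine. The following is an added example, not DDoS Protector code. The guide does not say how a non-first fragment is classified, so the model assumes the common approach: only the first fragment (offset 0) carries the Layer 4 header needed for classification, so later fragments that arrive before it are queued until it shows up, bounded by a queue limit (expressed here as a number of slots rather than the appliance's percentage) and an aging time. The fragment records are constructed.

```python
"""Forwarding IP fragments without reassembly: out-of-order queueing and aging.

Added example, not DDoS Protector code. Assumption: only the first fragment
(offset 0) can be classified, so non-first fragments that arrive before it are
queued, released when it arrives, and dropped when the queue is full or when
the first fragment never arrives within `aging` seconds (asymmetric routing).
The queue limit is an absolute slot count here, not the appliance's percentage.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int
    proto: int
    offset: int       # fragment offset in bytes; 0 for the first fragment
    more: bool        # More Fragments flag
    t: float          # arrival time in seconds

    @property
    def datagram(self):
        return (self.src, self.dst, self.ip_id, self.proto)


class FragmentForwarder:
    def __init__(self, queue_slots, aging=1.0):
        self.queue_slots = queue_slots       # stands in for Queueing-limit
        self.aging = aging                   # Aging, in seconds (default 1)
        self.classified = {}                 # datagram -> time of last fragment seen
        self.pending = defaultdict(deque)    # datagram -> fragments waiting for the first one
        self.queued = 0

    def _age(self, now):
        """Drop queued fragments whose first fragment never arrived within `aging`."""
        dropped = []
        for dg, q in list(self.pending.items()):
            while q and now - q[0].t > self.aging:
                dropped.append(q.popleft())
                self.queued -= 1
            if not q:
                del self.pending[dg]
        for dg, seen in list(self.classified.items()):   # forget idle datagrams too
            if now - seen > self.aging:
                del self.classified[dg]
        return dropped

    def process(self, f):
        """Return the (fragment, verdict) pairs produced by this arrival, in order."""
        out = [(d, "drop:aged") for d in self._age(f.t)]
        dg = f.datagram
        if f.offset == 0:
            self.classified[dg] = f.t
            out.append((f, "forward"))
            for q in self.pending.pop(dg, ()):           # release the out-of-order backlog
                out.append((q, "forward"))
                self.queued -= 1
        elif dg in self.classified:
            self.classified[dg] = f.t
            out.append((f, "forward"))
        elif self.queued < self.queue_slots:
            self.pending[dg].append(f)
            self.queued += 1
            out.append((f, "queued"))
        else:
            out.append((f, "drop:queue-full"))
        return out


def demo():
    """Feed a constructed out-of-order trace through a forwarder with two queue slots."""
    fw = FragmentForwarder(queue_slots=2, aging=1.0)
    A = ("198.51.100.7", "203.0.113.9", 1, 17)   # first fragment arrives late
    B = ("198.51.100.8", "203.0.113.9", 2, 17)   # first fragment never arrives
    C = ("198.51.100.9", "203.0.113.9", 3, 17)
    trace = [
        Fragment(*A, offset=1480, more=True, t=0.00),   # second fragment first: queued
        Fragment(*A, offset=0, more=True, t=0.05),      # first fragment: classify, release queue
        Fragment(*A, offset=2960, more=False, t=0.10),  # in order: forwarded at once
        Fragment(*B, offset=1480, more=True, t=0.20),   # asymmetric path: queued
        Fragment(*B, offset=2960, more=True, t=0.25),   # queued
        Fragment(*B, offset=4440, more=False, t=0.30),  # queue full: dropped
        Fragment(*C, offset=0, more=False, t=1.50),     # B's backlog has aged out by now
    ]
    out = []
    for f in trace:
        out += [(x.ip_id, x.offset, verdict) for x, verdict in fw.process(f)]
    return out


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The trace shows all three behaviours the page describes: datagram 1 is forwarded unreassembled even though its fragments arrive out of order, datagram 2 is dropped because its first fragment never traverses the appliance, and the queue limit caps how much out-of-order state an attacker can make the appliance hold.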

Device Overload Mechanism


When the traffic load exceeds the processing capacity of the appliance, you can enable the
Overload mechanism. This mechanism maintains a high level of availability and hardware/software
stability, reducing traffic delays and packet loss.
The Overload mechanism identifies overload conditions, sends notifications about them, and
automatically takes actions that reduce the operations that consume resources.
While appliance operations are reduced, some of the security functions are compromised.

To enable the overload mechanism:
1. Click Device > Overload Mechanism.
2. Click Enable to start the Overload mechanism, or Disable to stop it.
3. Click Set.


High Availability
To support high availability (HA), you can configure two compatible DDoS Protector appliances to
operate in a two-node cluster.
To be compatible, both cluster members must be of the same platform, software version,
software license, throughput license, and Check Point signature file.
One member of the cluster is the primary; the other member is the secondary. The primary
appliance is the appliance on which you configure the Pair Definition.
When you configure a cluster and submit the configuration, the newly designated primary
appliance configures the required parameters on the designated secondary appliance.
The members of a cluster work in an active-passive architecture.
When a cluster is created:
• The primary and secondary appliances negotiate the active/passive status according to the
specified triggers and thresholds. If both appliance environments are nominal, the primary
appliance becomes the active member.
• The primary appliance transfers the relevant configuration objects to the secondary appliance.
A secondary appliance maintains its own configuration for the appliance users, IP interfaces,
routing, and the port-pair Failure Mode (see Forwarding Table (on page 15)).
A primary appliance immediately transfers each relevant change to its secondary appliance. For
example, after you make a change to a Network Protection policy, the primary appliance
immediately transfers the change to the secondary appliance. However, if you change the list of
appliance users on the primary appliance, the primary appliance transfers nothing (because the
secondary appliance maintains its own list of appliance users).
The passive appliance periodically synchronizes the baselines for BDoS and HTTP Mitigator
protections.
If a passive appliance does not detect the active appliance within the specified Heartbeat
Timeout, the passive appliance switches to the active state (even though the peer might actually
be in a nominal situation).
These situations trigger the active appliance and the passive appliance to switch states (active to
passive and passive to active):
• All links are identified as down on the active appliance for the specified Link Down Timeout
and the peer appliance has at least one link up.
• Optionally, the traffic to the active appliance falls below the specified Idle Line Threshold for
the specified Idle Line Timeout.
• You issue the Switch Over command.
• If the Enable Failback option is enabled (default: disabled), the secondary appliance switches
from active to passive after it detects that the primary appliance is in a nominal situation.
You cannot run many actions on a secondary appliance. These actions are available:
• Switch the appliance state (active to passive and passive to active)
• Break the cluster if the primary appliance is unavailable
• Configure management IP addresses and routing
• Configure the port-pair Failure Mode
• Manage appliance users
• Download an appliance configuration
• Upload a signature file
• Download the appliance log file
• Download the support log file
• Reboot
• Shut down
• Change the appliance name
• Change the appliance time
• Initiate a baseline synchronization if the appliance is passive, using the CLI or Web Based
Management
Notes:
• By design, an active appliance does not fail over during a user-initiated reboot. Before you
reboot an active appliance, you can manually switch over to the other appliance in the cluster.
• You can initiate a baseline synchronization if a cluster member is passive.
• When you upgrade the appliance software, you need to break the cluster (that is, ungroup the
two appliances). Then, you can upgrade the software and reconfigure the cluster as you
require.
• In an existing cluster, you cannot change the role of an appliance (primary to secondary or vice
versa). To change the role of an appliance, you need to break the cluster (that is, ungroup the
two appliances), and then reconfigure the cluster as you require.
• When a passive appliance becomes active, any grace time resets to 0 (for example, the time of
the Graceful Startup Mode Startup Timer).

High Availability Global Parameters
There is one global parameter for high availability, but the appliance Global Parameters (on page
13) are also relevant to the high-availability configuration.

To configure the global setting for high availability:
1. Click Device > High Availability > Global Parameters.
2. Configure the parameters.
3. Click Set.

Mechanism Status
    Specifies whether the appliance is a member of a two-node cluster for high availability.

High Availability Advanced Configuration
To configure the advanced settings for high availability:
1. Click Device > High Availability > Advanced Configuration.
2. Configure the parameters.
3. Click Set.

Baseline Sync Interval
    The interval, in seconds, at which the active appliance synchronizes the BDoS and HTTP
    Mitigator baselines.
    Values: 3600 to 86,400
    Default: 3600

Heartbeat Timeout
    The time, in seconds, that the passive appliance detects no heartbeat from the active
    appliance before the passive appliance becomes active.
    Values: 1 to 10
    Default: 5

Link Down Timeout
    The time, in seconds, after all links to the active appliance are identified as being down
    before the appliances switch states.
    Values: 1 to 65,535
    Default: 1
    If a dead link or idle line is detected on both cluster members, there is no switchover.

Switchover Sustain Timeout
    The time, in seconds, after a manual switchover during which the cluster members do not
    change states.
    Values: 30 to 3600
    Default: 180

Idle Line Detection Status
    Specifies whether the appliances switch states due to an idle line detected on the active
    appliance.
    Default: disable
    If an idle line is detected on both cluster members, there is no switchover.

Total BW Threshold
    The minimum bandwidth, in Kbit/s, that triggers a switchover when the Idle Line Detection
    Status is enable.
    Values: 512 to 4,294,967,296
    Default: 512
    If Idle Line Detection Status is disable, this parameter is ignored.

Idle Line Timeout
    The time, in seconds, with line bandwidth below the Total BW Threshold that triggers a
    switchover when Idle Line Detection Status is enable.
    Values: 3 to 65,535
    Default: 10
    If Idle Line Detection Status is disable, this parameter is ignored.

Enable Failback
    Specifies whether the secondary appliance can automatically fail back to the primary.
    Default: disable
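To make the switchover rules concrete, here is an added Python model (not DDoS Protector code) of the triggers described in the High Availability overview and parameterized by the Advanced Configuration table above. The `Member` fields, the `nominal` test, and the one-shot evaluation are simplifications introduced for the example; the heartbeat rule is kept separate because it is evaluated by the passive member alone.

```python
"""Active/passive switchover rules of a two-node cluster, using the Advanced
Configuration parameter names. Added illustration only, not DDoS Protector
code; each trigger is evaluated once for the given moment."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class HaParams:
    heartbeat_timeout: int = 5          # seconds without heartbeat before the passive member activates
    link_down_timeout: int = 1          # seconds with all active-side links down before switchover
    switchover_sustain_timeout: int = 180
    idle_line_detection: bool = False
    total_bw_threshold_kbps: int = 512
    idle_line_timeout: int = 10
    enable_failback: bool = False

@dataclass
class Member:
    role: str                       # "primary" or "secondary"
    links_up: int
    bw_kbps: int
    secs_all_links_down: int = 0    # how long links_up has been 0
    secs_idle: int = 0              # how long bw_kbps has been below the threshold
    secs_since_heartbeat: int = 0   # heartbeat silence as observed from the peer

def idle(m: Member, p: HaParams) -> bool:
    return p.idle_line_detection and m.bw_kbps < p.total_bw_threshold_kbps

def nominal(m: Member, p: HaParams) -> bool:
    """Simplified health test: at least one live link and no idle line."""
    return m.links_up > 0 and not idle(m, p)

def switchover_reason(active: Member, passive: Member, p: HaParams,
                      secs_since_manual_switchover: Optional[int] = None,
                      switch_over_command: bool = False) -> Optional[str]:
    """Return why the two members should swap states now, or None to stay put."""
    # After a manual switchover the cluster holds its roles for the sustain period.
    if (secs_since_manual_switchover is not None
            and secs_since_manual_switchover < p.switchover_sustain_timeout):
        return None
    if switch_over_command:
        return "manual"
    # All links down on the active side for Link Down Timeout and the peer still
    # has a link; with links down on both members there is no switchover.
    if (active.links_up == 0 and active.secs_all_links_down >= p.link_down_timeout
            and passive.links_up > 0):
        return "link-down"
    # Idle line on the active side for Idle Line Timeout; ignored when detection
    # is disabled or the passive side is idle as well.
    if idle(active, p) and active.secs_idle >= p.idle_line_timeout and not idle(passive, p):
        return "idle-line"
    # Failback: an active secondary hands control back once the primary is nominal.
    if p.enable_failback and active.role == "secondary" and nominal(passive, p):
        return "failback"
    return None

def passive_should_activate(passive: Member, p: HaParams) -> bool:
    """Heartbeat rule as seen by the passive member on its own. It fires on the
    timeout whether or not the active peer is healthy, so a broken heartbeat
    path (rather than a failed peer) can leave both members active."""
    return passive.secs_since_heartbeat >= p.heartbeat_timeout
```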

High Availability Pair Definition
To define a high availability pair:
1. Click Device > High Availability > Pair Definition > Pair Parameters.
2. Configure the parameters.
3. Click Set.

MNG-1 Peer IP address
    The IP address of the MNG-1 port on the peer appliance.

MNG-2 Peer IP address
    The IP address of the MNG-2 port on the peer appliance.

Secondary User Name
    The name of the secondary appliance.

Secondary Password
    The password of the secondary appliance.

Update High Availability Pair Definition
To update the definition of a high-availability pair:
1. Click Device > High Availability > Pair Definition > Update Pair.
2. Click Set.

High Availability Monitoring
To monitor high availability:
1. Click Device > High Availability > Monitoring.
2. See this data:
• High-Availability Priority
• High-Availability State
• High-Availability Protection State
• Last Successful Baseline Sync
• Incompatibility Status (primary only)
• Synchronization IP Interface
• Peer IP

Switch Over
To switch over to the peer appliance:
1. Click Device > High Availability > Switch Over.
2. Click Set.

Activate Baseline Sync with Peer Device


To activate a baseline sync with the peer appliance:
1. Click Device > High Availability > Baseline Sync.
2. Click Set.

Reset Secondary
You can reset the secondary appliance when the appliance role is primary.

To reset the secondary appliance:


1. Click Device > High Availability > Reset secondary.
2. Click Set.

Tunneling
Carriers, service providers, and large organizations use various tunneling protocols to transmit
data from one location to another. This is done over the IP network, so that network elements are
unaware of the data encapsulated in the tunnel.
Tunneling implies that traffic routing is based on the source and destination IP addresses of the
tunnel. When tunneling is used, IPS appliances and load balancers cannot locate the relevant
information, because their decisions are based on information located at a known offset inside the
IP packet, and the original IP packet is encapsulated in the tunnel.
To provide a carrier-grade IPS/DoS solution, DDoS Protector inspects traffic in tunnels, which
allows positioning DDoS Protector at peering points and carrier network access points.
You can install DDoS Protector in different environments, which might include traffic encapsulated
using different tunneling protocols. In general, wireline operators deploy MPLS and L2TP for their
tunneling, and mobile operators deploy GRE and GTP.
DDoS Protector can inspect traffic that uses various encapsulation protocols. In some cases, the
external header (tunnel data) is the data that DDoS Protector needs to inspect. In other cases,
DDoS Protector needs to inspect the internal data (the IP header and even the payload). You can
configure DDoS Protector to meet your specific inspection requirements.
Changing the configuration of this feature takes effect only after an appliance reset.

To configure tunneling:
1. Click Device > Tunneling.
2. Configure the parameters.
3. Click Set.

Apply Black and White List Rules to the Encapsulated Headers
    Specifies whether the appliance applies Black List and White List rules to the encapsulated
    headers.
    Default: Disabled

Inspect Encapsulated GRE Traffic
    Specifies whether the appliance inspects this type of traffic.
    Default: Disabled

Inspect Encapsulated GTP Traffic
    Specifies whether the appliance inspects this type of traffic.
    Default: Disabled

Inspect Encapsulated L2TP Traffic
    Specifies whether the appliance inspects this type of traffic.
    Default: Disabled

Inspect VLAN (802.1Q) and MPLS Traffic
    Specifies whether the appliance inspects this type of traffic.
    Default: Disabled
    You can configure the appliance to inspect the traffic using the common Layer 2 tunneling
    protocols, VLAN (802.1Q) and MPLS. Inspecting these types of L2 tunnels, as part of the
    protection criteria, is essential in environments such as Managed Security Service Providers
    (MSSP).

Inspect Encapsulated IP-in-IP Traffic
    Specifies whether the appliance inspects this type of traffic.
    Default: Disabled

Bypass IPSec Traffic
    Specifies whether the appliance bypasses IPsec traffic (that is, whether the appliance passes
    IPsec traffic through).
    Default: Enabled
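The point of the section above is that the header a classifier reads depends on how many encapsulation layers it is allowed to peel. The following Python walker is an added example (not DDoS Protector code) that mirrors the Tunneling check boxes for the layers with a simple header layout, 802.1Q, MPLS, GRE, IP-in-IP and the IPsec (ESP) bypass; it does not parse GTP or L2TP. The `TunnelConfig` class and the sample frames built from documentation addresses are constructed for the example.

```python
"""Walk encapsulation layers to find the header a tunnel-aware classifier
would match on. Added illustration only; the sample frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Tuple

ETH_8021Q, ETH_MPLS, ETH_IPV4 = 0x8100, 0x8847, 0x0800
PROTO_IPIP, PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 4, 6, 17, 47, 50

@dataclass
class TunnelConfig:                 # mirrors the Device > Tunneling check boxes
    inspect_vlan_mpls: bool = False
    inspect_gre: bool = False
    inspect_ipinip: bool = False
    bypass_ipsec: bool = True

def ip4(buf: bytes, off: int) -> Tuple[str, str, int, int]:
    """Return (src, dst, protocol, header length) of the IPv4 header at buf[off:]."""
    if buf[off] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[off] & 0x0F) * 4
    src = ".".join(str(b) for b in buf[off + 12:off + 16])
    dst = ".".join(str(b) for b in buf[off + 16:off + 20])
    return src, dst, buf[off + 9], ihl

def classify(frame: bytes, cfg: TunnelConfig):
    """Return (verdict, (src, dst, proto, sport, dport)) for the deepest header
    the configuration lets us reach. verdict is 'inspect', 'bypass' (IPsec
    passed through) or 'not-inspected' (an encapsulation we may not open)."""
    off = 12                                            # skip Ethernet dst/src MACs
    (etype,) = struct.unpack_from("!H", frame, off); off += 2
    while etype == ETH_8021Q:                           # one or more VLAN tags
        if not cfg.inspect_vlan_mpls:
            return "not-inspected", None
        (etype,) = struct.unpack_from("!H", frame, off + 2); off += 4
    if etype == ETH_MPLS:
        if not cfg.inspect_vlan_mpls:
            return "not-inspected", None
        while True:                                     # pop labels down to bottom of stack
            (word,) = struct.unpack_from("!I", frame, off); off += 4
            if word & 0x100:
                break
        # MPLS carries no ethertype; ip4() below accepts the payload only if its version nibble is 4
    elif etype != ETH_IPV4:
        return "not-inspected", None
    while True:
        src, dst, proto, ihl = ip4(frame, off)
        payload = off + ihl
        if proto == PROTO_ESP and cfg.bypass_ipsec:
            return "bypass", (src, dst, proto, None, None)
        if proto == PROTO_GRE and cfg.inspect_gre:
            flags, gre_type = struct.unpack_from("!HH", frame, payload)
            if gre_type != ETH_IPV4:
                return "not-inspected", None
            # optional checksum/routing, key and sequence fields are 4 bytes each
            opt = (4 if flags & 0xC000 else 0) + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)
            off = payload + 4 + opt
            continue
        if proto == PROTO_IPIP and cfg.inspect_ipinip:
            off = payload
            continue
        sport = dport = None
        if proto in (PROTO_TCP, PROTO_UDP):              # ports directly follow the IP header
            sport, dport = struct.unpack_from("!HH", frame, payload)
        return "inspect", (src, dst, proto, sport, dport)

# --- constructed sample frames (documentation addresses) -------------------
def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      addr(src), addr(dst))
    return hdr + payload

ETH = bytes(12)                                         # zeroed MAC addresses
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)
INNER = ipv4_packet("192.0.2.10", "198.51.100.5", PROTO_TCP, TCP_HDR)
GRE = struct.pack("!HH", 0, ETH_IPV4) + INNER           # GRE header without optional fields
OUTER = ipv4_packet("10.0.0.1", "10.0.0.2", PROTO_GRE, GRE)
MPLS_LABEL = struct.pack("!I", (16 << 12) | 0x100 | 64)  # label 16, bottom of stack, TTL 64
# Ethernet -> 802.1Q (VLAN 100) -> MPLS -> IPv4 -> GRE -> IPv4 -> TCP
TUNNELED_FRAME = ETH + struct.pack("!HH", ETH_8021Q, 100) + struct.pack("!H", ETH_MPLS) + MPLS_LABEL + OUTER
# Ethernet -> IPv4 -> ESP
ESP_FRAME = ETH + struct.pack("!H", ETH_IPV4) + ipv4_packet("10.0.0.1", "10.0.0.2", PROTO_ESP, bytes(16))
```

With every box cleared the VLAN-tagged frame is not inspected at all; enabling VLAN/MPLS alone exposes only the outer GRE endpoints, and enabling GRE as well reaches the inner TCP session.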

IP Version Mode
Use the IP Version Mode pane to set the IP version to IPv4 and IPv6 or only to IPv4.
Important: The ipv4and6 option consumes more memory than the ipv4 option! If you select
ipv4and6, you must perform a memory check before rebooting the appliance (Services > Tuning >
Memory Check > Perform Test). When you click Perform Test, a message is displayed, which
notifies you whether there is enough memory on the appliance, and, if not, how much memory is
required. If there is not enough memory, reduce the memory of modules that you are not using.


To set the IP version mode:


1. Click Device > IP Version Mode.
2. From the drop-down list, select ipv4and6 or ipv4.
3. Click Set.

Dynamic Protocols
A dynamic application is an application that has multiple connections belonging to the same
session. For example, FTP has a control session and a data session; SIP has signaling sessions,
data sessions (RTP), and control sessions (RTCP).
In some scenarios, the dynamic sessions should stay in the Session Table for a longer time than
regular sessions. In VoIP, SIP, and H.225, for example, there may be a period with no traffic while
the call is still active, and the session should not age.
You can configure different aging times for the various dynamic applications, and configure
different policies for different connections of the same session. In FTP, for example, you can set
one policy for the FTP data and another policy for the FTP control.
The default status for all Dynamic Protocols, other than SIP, is enabled.
In Device > Dynamic Protocols > General, you can set the aging time for these Dynamic Protocols:
• FTP
• TFTP
• Rshell
• Rexec
• H.225
• SIP

Dynamic Protocols: FTP
Use the FTP Configuration pane to configure the control session and data session Aging Time for
the FTP Dynamic Protocol.
Note: When Dynamic Protocol Support is enabled for FTP, it is not possible to limit the
bandwidth of a specific file download (using a filter for the RETR command and the file name).

To set the FTP dynamic protocol parameters:
1. Click Device > Dynamic Protocols > FTP.
2. Configure the parameters.
3. Click Set.

Status
    Specifies whether to enable the FTP Dynamic Protocol.

Control Session Aging Time
    The Control Session Aging Time, in seconds.
    Default: 0

Data Session Aging Time
    The Data Session Aging Time, in seconds.
    Default: 0
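As an added example (not DDoS Protector code) of the behaviour the Dynamic Protocols overview and the FTP pane describe, the following Python tracker watches an FTP control session for PORT commands and 227 passive-mode replies, pre-opens the announced data session with its own aging time and policy, and ages both session kinds separately. The `FtpTracker` class, the policy names and the aging values are constructed for the example.

```python
"""FTP as a dynamic protocol: one control session spawns data sessions that are
tracked, policed and aged on their own. Added illustration only."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_REPLY = re.compile(rb"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(groups) -> Tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2)."""
    n = [int(g) for g in groups]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

@dataclass
class Session:
    kind: str                          # "control" or "data"
    client: Tuple[str, Optional[int]]  # None port = not yet known
    server: Tuple[str, Optional[int]]
    aging: int                         # seconds of silence before the entry is removed
    last_seen: float
    policy: str                        # constructed policy name applied to this connection

class FtpTracker:
    def __init__(self, control_aging: int, data_aging: int) -> None:
        self.control_aging, self.data_aging = control_aging, data_aging
        self.sessions: Dict[Tuple, Session] = {}

    def open_control(self, client: Tuple[str, int], server: Tuple[str, int], now: float) -> Session:
        s = Session("control", client, server, self.control_aging, now, "ftp-control")
        self.sessions[("control", client, server)] = s
        return s

    def on_control_line(self, client, server, line: bytes, now: float) -> Optional[Session]:
        """Inspect one control-channel line; pre-open the data session it announces,
        so the first data packet can be matched to this control session."""
        ctrl = self.sessions.get(("control", client, server))
        if ctrl is None:
            return None                      # lines outside a tracked control session are ignored
        ctrl.last_seen = now
        m = PORT_CMD.match(line)
        if m:                                # active mode: server connects to the client's port
            host, port = decode_hostport(m.groups())
            data = Session("data", (host, port), (server[0], None), self.data_aging, now, "ftp-data")
        else:
            m = PASV_REPLY.match(line)
            if not m:
                return None                  # e.g. RETR: no new connection is announced
            host, port = decode_hostport(m.groups())   # passive mode: client connects to the server's port
            data = Session("data", (client[0], None), (host, port), self.data_aging, now, "ftp-data")
        self.sessions[("data", data.client, data.server)] = data
        return data

    def expire(self, now: float) -> List[Session]:
        """Remove sessions idle for longer than their own aging time."""
        gone = [s for s in self.sessions.values() if now - s.last_seen > s.aging]
        for s in gone:
            del self.sessions[(s.kind, s.client, s.server)]
        return gone
```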

Dynamic Protocols: TFTP
To set the TFTP dynamic protocol parameters:
1. Click Device > Dynamic Protocols > TFTP.
2. Configure the parameters.
3. Click Set.

Status
    Specifies whether to enable the TFTP Dynamic Protocol.

Data Session Aging Time
    The Data Session Aging Time, in seconds.
    Default: 0

Dynamic Protocols: Rshell
To set the Rshell configuration parameters:
1. Click Device > Dynamic Protocols > Rshell.
2. Configure the parameters.
3. Click Set.

Status
    Specifies whether to enable the Rshell Dynamic Protocol.

Control Session Aging Time
    The Control Session Aging Time, in seconds.
    Default: 0

Error Session Aging Time
    The Error Session Aging Time, in seconds.
    Default: 0

Dynamic Protocols: Rexec
To set the Rexec dynamic protocol parameters:
1. Click Device > Dynamic Protocols > Rexec.
2. Configure the parameters.
3. Click Set.

Status
    Specifies whether to enable the Rexec Dynamic Protocol.

Control Session Aging Time (sec)
    The Control Session Aging Time, in seconds.
    Default: 0

Error Session Aging Time (sec)
    The Error Session Aging Time, in seconds.
    Default: 0

Dynamic Protocols: H.225
To set the H.225 configuration parameters:
1. Click Device > Dynamic Protocols > H.225.
2. Configure the parameters.
3. Click Set.

Status
    Specifies whether to enable the H.225 Dynamic Protocol.

Control Session Aging Time
    The Control Session Aging Time, in seconds.
    Default: 0

H.245 Session Aging Time
    The H.245 Session Aging Time, in seconds.
    Default: 0

Dynamic Protocols: SIP
Note: Enabling and disabling Dynamic Protocol Support for SIP requires a reboot.

To set the SIP dynamic protocol parameters:
1. Click Device > Dynamic Protocols > SIP.
2. Configure the parameters.
3. Click Set.

Status
    Specifies whether to enable the SIP Dynamic Protocol.

Signaling Session Aging Time
    The Signaling Session Aging Time, in seconds.
    Default: 20

RTCP Session Aging Time
    The RTCP Session Aging Time, in seconds.
    Default: 0

SIP TCP Segments Aging Time
    When SIP runs over TCP and packets are segmented, the SIP TCP Segments Aging Time
    parameter specifies how long the appliance keeps the packet.
    Default: 5



CHAPTER 4

Services
In This Section:
Tuning ............................................................................................................................39
Signaling........................................................................................................................48
Diagnostics ....................................................................................................................51
Syslog Reporting ...........................................................................................................57
Daylight Saving .............................................................................................................61
Management Interfaces ...............................................................................................61
Event Log.......................................................................................................................64
Network Time Protocol (NTP) ......................................................................................65
RADIUS ..........................................................................................................................65
SMTP .............................................................................................................................67
DNS Client Parameters ................................................................................................68
Auditing .........................................................................................................................68

Tuning
Classifier Tuning
Use the Classifiers Tuning pane to view and edit the Classifier tuning parameters. The changes
take effect after the reset.
Note: Check Point strongly recommends that you run appliance tuning only after consulting with
the Check Point Support Center.

To set the classifier tuning parameters:
1. Select Services > Tuning > Classifier.
2. To change current settings, enter new values in the after reset fields.
3. Click Set.

Network Table
    The maximum number of entries in the table for ranges.
    Values: 32 to 10,000
    Default: 256

Discrete IP Addresses Per Network
    The maximum number of entries in the table for IP addresses that are allocated to a network.
    Values: 16 to 1024
    Default: 64

Subnets Per Network
    The maximum number of entries in the table for network subnets.
    Values: 16 to 256
    Default: 64

MAC Groups Table
    The maximum number of entries in the table for MAC groups.
    Values: 16 to 2048
    Default: 128

Filter Table
    The maximum number of entries in the table for basic filters.
    Values: 512 to 2048
    Default: 512

AND Group Table
    The maximum number of entries in the advanced filters table for AND groups.
    Values: 256 to 2048
    Default: 256

OR Group Table
    The maximum number of entries in the advanced filters table for OR groups.
    Values: 256 to 2048
    Default: 256

Application Port Groups
    The maximum number of entries in the table for application port groups.
    Values: 32 to 2000
    Default: 512

Content Table
    The maximum number of content entries in the table.
    Values: 16 to 4096
    Default: 256

Application Security Tuning
The Security Tables store information about the sessions passing through the appliance; their
sizes correlate with the actual number of sessions.
In the Application Security Tuning pane, you can view and edit the application security tuning
parameters. The changes take effect after the reset.
Note: Check Point strongly recommends that you perform any appliance tuning only after
consulting with the Check Point Support Center.

To tune DDoS Protector application security tables:
1. Select Services > Tuning > Security > Application Security.
2. To change current settings, enter new values in the after reset fields.
3. Click Set.

Maximal number of http-flood suspects sources
    The maximum number of suspect sources in HTTP Mitigation policies.
    Values: 1000 to 500,000
    Default: 100,000

Maximal number of attacks to be defined by user
    The maximum number of user-configurable IPS signatures. DDoS Protector can store up to 500
    concurrent RSA signatures.
    Values: 10 to 10,000
    Default: 100

Maximal number of srcIPs in Suspend Table
    The maximum number of hosts that the Suspend table is able to block simultaneously. This
    value affects the abilities of other protections, such as Anti-Scanning and SYN protection.
    Values: 1000 to 100,000
    Default: 10,000

Maximal number of Server Protection servers Table
    The maximum number of entries in the Server Protection policy.
    Values: 100 to 10,000
    Default: 350

Counters Source Table
    The maximum number of sessions in which a source address is tracked.
    Some attack signatures use thresholds per source for activation. The Counter Source Table
    counts the number of times traffic from a specific source matches a signature. When the
    number of packets sent from a particular source exceeds the predefined limit, it is identified as
    an attack.
    Values: 100 to 65,536
    Default: 65,536

Counters Target Table
    The maximum number of sessions in which a destination address is tracked.
    Some attack signatures use thresholds per destination for activation. The Counter Target
    Table counts the number of times traffic to a specific destination matches a signature. When
    the number of packets sent to a particular destination exceeds the predefined limit, it is
    identified as an attack.
    Values: 100 to 65,536
    Default: 65,536
Counters Source & Target Table
    The maximum number of sessions in which source and destination addresses are tracked.
    Some signatures use thresholds per source and destination for activation. The Counter
    Source & Target Table counts the number of times traffic from a specific source to a specific
    destination matches a signature. When the number of packets sent from a particular source
    to a particular destination exceeds the predefined limit, it is identified as an attack.
    Values: 100 to 65,536
    Default: 65,536

Counters DHCP Table
    The number of MAC addresses to check for IP requests.
    The DHCP Discover table detects attacks by counting the IP requests for each MAC address.
    The requests are made using the Dynamic Host Configuration Protocol. When the number of
    IP requests for a particular MAC address exceeds the predefined limit, it is identified as an
    attack.
    Values: 100 to 64,000
    Default: 100

Counters Reports for all counters
    The maximum number of entries for reports on active concurrent Tracking Signatures attacks.
    Values: 100 to 64,000
    Default: 20,000

Counters Cracking
    The maximum number of entries for concurrent active Server Protection Cracking protections.
    When the Server Cracking protection feature is enabled, DDoS Protector uses one entry in this
    table whenever DDoS Protector receives a response from the server that can indicate a
    potential Server Cracking attack. The entry includes the IP address of the potential attacker,
    the protected server, and the protocol. The entry remains in use as long as DDoS Protector
    receives such server responses.
    Values: 100 to 65,536
    Default: 100

Maximal number of entries in NCPF table
    The maximal number of entries in the New Count Per Filter table, which the DoS Shield
    mechanism uses.
    Values: 100 to 16,000
    Default: 10,000

Maximal number of Anti-Scanning IP pairs Table
    The maximum number of source IP addresses that the appliance stores for anti-scanning
    purposes.
    Values: 10,000 to 1,000,000
    Default: 50,000

Authentication Table Tuning
Configure the HTTP and TCP settings for the Authentication tables.
Note: Check Point strongly recommends that you consult with the Check Point Support Center
before you run appliance tuning.

To tune the authentication tables:
1. Select Services > Tuning > Security > Authentication tables.
2. To change current settings, enter new values in the after reset fields.
3. Click Set.

HTTP Authentication Table Size
    The number of sources in the HTTP Authentication table.
    DDoS Protector uses the HTTP Authentication table in HTTP Flood profiles and for the HTTP
    Authentication feature in a SYN Protection profile.
    Values: 500,000 to 2,000,000
    Default: 2,000,000

TCP Authentication Table Size
    The number of sources in the TCP Authentication table.
    DDoS Protector uses the TCP Authentication table for the Safe Reset Authentication Method
    feature in SYN Protection profiles.
    Values: 500,000 to 2,000,000
    Default: 2,000,000
    For x412 platforms, the value is fixed at the default 2,000,000 and cannot be tuned.

Behavioral DoS Tuning
Use the Behavioral DoS Tuning pane to set the maximal number of Behavioral DoS policies.
Note: Check Point strongly recommends that you run appliance tuning only after consulting with
the Check Point Support Center.
Each time you update the value, check that there is enough free memory for the requested value
using the Memory Check (on page 45) pane.

To set the maximal number of behavioral DoS policies:
1. Select Services > Tuning > Security > Behavioral DoS.
2. To change the current setting, enter a new value in the after reset field.
   Values: 1 to 50
   Default: 10
3. Click Set.

DNS Protection Tuning Parameters
In the DNS Protection Tuning Parameters pane, you can view and edit the DNS Flood Protection
tuning parameters. The changes take effect after the reset.
Note: Check Point strongly recommends that you run appliance tuning only after consulting with
the Check Point Support Center.

To tune DNS Protection tables:
1. Select Services > Tuning > Security > DNS Protection.
2. To change current settings, enter new values in the after reset fields.
3. Click Set.

Maximal number of DNS Protection policies
    The maximum number of configurable DNS Flood Protection policies.
    Values: 1 to 50
    Default: 10

SDM Table Size
    The size of the SDM table.
    Values: small, medium, large
    Default: medium

Device Tuning
Use the Device Tuning pane to view and edit the appliance tuning parameters. The changes take
effect after the reset.
Note: Check Point strongly recommends that you run appliance tuning only after consulting with
the Check Point Support Center.

To tune the DDoS Protector appliance:


1. Select Services > Tuning > Device.
2. To change current settings, enter new values in the after reset fields.
3. Click Set.

IP Fragmentation Table
    The maximum number of IP fragments that the appliance stores.
    Values: 1 to 256,000
    Default: 10240

Session Table
    The maximum number of sessions that the appliance can track.
    Values per model:
    • x06: 20 to 2,000,000
    • x412: 20 to 4,000,000
    Default per model:
    • x06: 1,800,000
    • x016: 2,885,000

Session Resets Table
    The maximum number of sessions that the appliance tracks to send RESET when Send Reset
    To Server is enabled in the Session table.
    Values: 1 to 10,000
    Default: 1000

Routing Table
    The maximum number of entries in the Routing table.
    Values: 20 to 32,767
    Default: 64

Pending Table
    The maximum number of new simultaneous dynamic sessions the appliance can open.
    Values: 16 to 16,000
    Default: 1024

SIP Call Table
    The maximum number of SIP calls the appliance can track.
    Values: 16 to 256,000
    Default: 1024

TCP Segmentation Table
    The maximum number of TCP segments. This parameter is used when the SIP Protocol is
    enabled and SIP is running over TCP.
    Values: 1 to 32,768
    Default: 256

Memory Check
To eliminate the chance of causing a memory allocation problem, DDoS Protector can review the
settings in configured tables. Each time you update a value for a certain table, it is possible to
check if there is enough free memory for the requested value.
Note: Check Point strongly recommends that you run appliance tuning only after consulting with
the Check Point Support Center.

To check the appliance memory:


1. Select Services > Tuning > Memory Check.
2. Click Perform Test.
This tests whether the appliance has sufficient memory to allocate the values for the updated
tables.
3. If there is enough memory, click Reboot to update the appliance with the new values.

SYN Protection Tuning
Use the SYN Protection Tuning pane to show and edit the SYN Protection Tuning parameters. The
changes take effect after the reset.
Note: Check Point strongly recommends that you run appliance tuning only after consulting with
the Check Point Support Center.

To tune SYN Protection tables:
1. Select Services > Tuning > SYN Protection.
2. To change current settings, enter new values in the after reset fields.
3. Click Set.

SYN Protection Table
    The number of entries in the SYN Protection Table, which stores data regarding the delayed
    binding process. An entry in the table exists from the time the client completes the
    handshake with the appliance until the handshake with the server is complete.
    The number of entries in the SYN Protection Table after reset.
    Values: 10 to 500,000
    Default: 200,000

SYN Protection Requests Table
    The number of entries in the SYN Protection Requests Table, which stores the ACK or data
    packet that the client sends, until the handshake with the server is complete and the packet
    is sent to the server.
    The number of entries in the SYN Protection Requests Table after reset.
    Values: 10 to 500,000
    Default: 200,000

SYN Protection Attack Detection Entries
    The number of entries in the table that stores active triggers, that is, the destination IP
    addresses and destination ports in SYN Flood Protection profiles.
    Values: 1000 to 20,000
    Default: 1000
    Note: There are several reasons that can cause the table to become full, including:
    • Too many services in the protected networks: This can happen in extremely large networks.
    • Too many protected services: If there are too many services running in the protected
      network, or if all TCP ports are protected by SYN Protection, this can cause problems in
      some networks, for example, ones that use multiple TCP ports to provide a service, such
      as gaming applications.
    • A vertical TCP-SYN flood: Attackers are using an attack technique that repeatedly
      performs high-rate scans on the entire protected range.
    Possible solutions for a full table:
    • Apply the protection only to networks that have protected services and not to normal
      enterprise host computers.
    • Remove some of the protected protocols: If you are unnecessarily protecting all TCP ports
      by SYN protection, remove SYN protection and apply the policy only on relevant services.
    • Increase the table size: Be aware that increasing the table size consumes memory
      allocation and you must reboot the system.

SYN Statistics Entries
    The number of entries in the SYN Flood Statistics table.
    Values: 1000 to 20,000
    Default: 1000

Diagnostics Tuning
Use the Diagnostics Tools Tuning pane to set the number of Diagnostics policy entries in the
tuning table to save memory and limit the policy size.
The changes take effect after the reset.
Note: Check Point strongly recommends that you run appliance tuning only after consulting with
the Check Point Support Center.

To set the tuning parameters:
1. Select Services > Tuning > Diagnostics.
2. To change the current setting, enter the new value in the after reset field.
3. Click Set.

Diagnostics Policies Table
    The number of Diagnostics policies in the table.

Signaling
DDoS Protector can expose situational signals through the DDoS Protector SOAP API and attack
data to specified syslog servers. A Network Operation Center (NOC) or Security Operation Center
(SOC) situated in the cloud can use the signals to monitor and control attack situations.
For example, if a DDoS Protector appliance, working as customer premises equipment (CPE), is
configured to detect low-volume attacks, when a DoS attack starts, the signals will alert the NOC
or SOC that an attack has started. Then, using the information, the NOC or SOC can divert traffic
through additional mitigation appliances in the cloud, and thus, prevent pipe saturation.
Typically, in the context of DDoS Protector signaling, NOCs are carriers, and SOCs are
managed-security-service providers (MSSPs).
When signaling is enabled:
• DDoS Protector exposes situational data through its SOAP interface. The data includes appliance-health information, traffic statistics, and management information. Under normal circumstances, that is, when there is no attack, the SOAP queries and responses get through. However, during attacks, the pipe may be saturated, and the SOAP queries and responses get lost.
• When DDoS Protector detects an attack, DDoS Protector sends signals to a specified syslog server. The signals include the attack events and, optionally, additional attack data.
For information on the SOAP API and syslog signals, see the DDoS Protector Signaling API
Integration Guide.
You configure signaling policies to send signals to a syslog server configured in the DDoS
Protector appliance. The configuration of each signaling policy specifies the Network Protection
policies, Server Protection policies, and protection types.

Signaling Global
Use the Global Parameters pane to enable or disable signaling.

To enable or disable signaling:


1. Select Services > Signaling > Global Parameters.
2. From the Signaling drop-down list, select Enabled or Disabled.
3. Click Set.

Signaling Policies
Use the Signaling Policies pane to configure signaling policies.

To configure a signaling policy:
1. Select Services > Signaling > Policies.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

ID: A numerical identifier for the signaling policy.
Values: 1 to 100

State: Specifies whether the signaling policy is enabled.
Default: Enabled

Policy Name: The name of the signaling policy.
Maximum characters: 80

Network-Policies Source Mode: Values:
• All - The signaling policy sends signals for all enabled Network Protection policies.
• Source Group - The signaling policy sends signals only for specific Network Protection policies, specified by the Network-Policy Group ID.
Default: All

Network-Policies Group ID: The ID of the Network-Policies Source Group ("Source Group Configuration for Network Policies" on page 51), which defines specific Network Protection policies for the signaling policy.

Server-Protection Source Mode: Values:
• All - The signaling policy sends signals for all enabled Server Protection policies.
• Source Group - The signaling policy sends signals only for specific Server Protection policies, specified by the Server-Protection Group ID.
Default: All

Server-Protection Group ID: The ID of the Server-Protection Group ("Source Group Configuration for Servers" on page 51), which defines specific Server Protection policies for the signaling policy.

Signaling Mode: Values:
• Events and Data - Attack signals contain the basic attack alerts and the additional metadata for the alert events.
• Events Only - Attack signals contain the basic attack alerts only.

Customer Name: The name of the customer, which is included in the alert messages.
Maximum characters: 32

Customer Description: The description of the customer, which is included in the alert messages. This description can include, for example, details of the specific appliance or environment.
Maximum characters: 100

Pipe Size: The total size, in Mbps, of the ISP link of the customer. DDoS Protector uses this value to calculate the pipe-utilization percentage, which is included in attack alerts.

Syslog Server: The syslog server to which DDoS Protector sends the attack alert signals.

Situational Signal Reports
Situational signal reports are only available through the CLI and SOAP interface.

Signaling Reports Total
Use the Total Traffic Report pane to view total traffic signals.

To view the Total Traffic signal report:
Select Services > Signaling > Situational Signal Reports > Total Traffic.
The table contains these columns:
• Device Name
• Polling Timestamp
• Current BW (Mbps)
• Average BW (Mbps)
• Average Discarded BW (Mbps)

Signaling Reports Utilization
To view the CPU Utilization report:
Select Services > Signaling > Situational Signal Reports > Maximum CPU Utilization Report.
The table contains the following columns:
• Polling Timestamp
• Maximum CPU Utilization (%)

Source Groups
Source Group Configuration for Network Policies
Use the Source Group Configuration for Network Policies pane to configure Network-Policy
Source Groups for the signaling policy.

To configure a Network-Policy Source Group for the signaling policy:
1. Select Services > Signaling > Source Groups > Network Policies.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Source Group ID: The identifier of the group.
Maximum characters: 3

Network Policy Name: The Network Protection policy.

Source Group Configuration for Servers
Use the Source Group Configuration for Servers pane to configure Server Source Groups for the signaling policy.

To configure a Server Source Group for the signaling policy:
1. Select Services > Signaling > Source Groups > Servers.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Source Group ID: The identifier of the group.
Maximum characters: 3

Server Name: The Server Protection policy.

Diagnostics
Capture
Diagnostics Capture Parameters
The Traffic Capture tool captures packets that enter the appliance, leave the appliance, or both. The captured traffic is in TCPDUMP format. You can download the captured packets and analyze the traffic using Unix snoop or various other tools. For remote administration and debugging, you can also send captured traffic to a terminal (CLI, Telnet, and SSH). You can specify where the appliance captures packets to get a better understanding of the traffic flow, especially if the appliance manipulates the packets, due to NAT, traffic from a VIP to a real server, and so on.

Important - Enabling this feature may cause severe performance degradation.

Notes:
• To see the actual timestamp of the packets in the files that the diagnostic packet-capture tool produces, you may need to modify the format of the time display in the packet analyzer (for example, Wireshark). The timestamp in the packets in the files that the diagnostic packet-capture tool produces is always UTC.
• The diagnostic packet-capture tool cannot capture packets that pass through the appliance as the result of Traffic Exclusion. Traffic Exclusion is when DDoS Protector passes through all traffic that matches no network policy configured on the appliance.
• The diagnostic packet-capture tool truncates packets longer than 1619 bytes (regardless of the configuration for jumbo frames).
The Traffic Capture tool uses the following format for packet capture files:
capture_<Device Name>_ddMMyyyy_hhmmss_<file number>.cap

To configure the Capture tool:
1. Select Services > Diagnostics > Capture > Parameters.
2. Configure the parameters, and click Set.

Status: Specifies whether the Capture Tool is enabled.
Values: Enabled, Disabled
Default: Disabled
Note: When the appliance reboots, the status of the Capture Tool reverts to Disabled.

Output To File: The location of the stored captured data.
Values:
• RAM Drive and Flash - The appliance stores the data in RAM and appends the data to the file on the CompactFlash drive. Due to limits on CompactFlash size, DDoS Protector uses two files. When the first file becomes full, the appliance switches to the second, until it is full, and then it overwrites the first file, and so on.
• RAM Drive - The appliance stores the data in RAM.
• None - The appliance does not store the data in RAM or flash, but you can view the data using a terminal.

Output To Terminal: Specifies whether the appliance sends captured data to the terminal.
Values: Enabled, Disabled
Default: Disabled

Capture Point: Specifies where the appliance captures the data.
Values:
• On Packet Arrive - The appliance captures packets when they enter the appliance.
• On Packet Send - The appliance captures packets when they leave the appliance.
• Both - The appliance captures packets when they enter the appliance and when they leave the appliance.

Capture Rate: The per-packet capture rate. For example, if the value is 10, the appliance captures every tenth packet.

Trace
Debug Trace Parameters
The Trace-Log tool provides data on the traffic flow within the appliance. The feature is intended
for debugging purposes only.
Enabling this feature may cause severe performance degradation.
DDoS Protector uses the following format for Trace-Log files:
trace_log_<Device Name>_ddMMyyyy_hhmmss_<file number>.txt
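The capture and Trace-Log file-name formats shown above can be parsed to sort downloaded diagnostic output by device and time. The following Python script is an added example written for this guide; it is not part of the DDoS Protector product. The device name and file names in it are constructed, and it treats the embedded timestamp as UTC, as the capture notes above state.

```python
"""Parse DDoS Protector diagnostic file names.

Added example, not code from the DDoS Protector product. It implements the
two file-name formats stated in the guide:
    capture_<Device Name>_ddMMyyyy_hhmmss_<file number>.cap
    trace_log_<Device Name>_ddMMyyyy_hhmmss_<file number>.txt
and treats the embedded timestamp as UTC, as the guide states for captures.
The device name and file names used in the demo are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional, Tuple

# The device name may itself contain underscores, so it is matched greedily
# and the fixed date/time/file-number suffix anchors the parse.
_NAME_RE = re.compile(
    r"^(?P<tool>capture|trace_log)_"
    r"(?P<device>.+)_"
    r"(?P<date>\d{8})_(?P<time>\d{6})_"
    r"(?P<num>\d+)\.(?P<ext>cap|txt)$"
)


@dataclass(frozen=True)
class DiagFile:
    tool: str             # "capture" or "trace_log"
    device: str           # <Device Name> part of the file name
    timestamp: datetime   # timezone-aware, UTC
    file_number: int


def parse_diag_filename(name: str) -> Optional[DiagFile]:
    """Return a DiagFile for a well-formed name, or None if it does not match."""
    m = _NAME_RE.match(name)
    if m is None:
        return None
    # Capture files end in .cap and trace-log files in .txt; reject a mismatch.
    if (m["tool"] == "capture") != (m["ext"] == "cap"):
        return None
    try:
        ts = datetime.strptime(m["date"] + m["time"], "%d%m%Y%H%M%S")
    except ValueError:        # e.g. an impossible day or hour
        return None
    return DiagFile(
        tool=m["tool"],
        device=m["device"],
        timestamp=ts.replace(tzinfo=timezone.utc),
        file_number=int(m["num"]),
    )


def newest_per_device(names: Iterable[str]) -> Dict[Tuple[str, str], DiagFile]:
    """Map (device, tool) -> the newest file, ordered by timestamp then number.

    Names that do not parse are skipped rather than raising, so the function
    can be run over a whole download directory.
    """
    newest: Dict[Tuple[str, str], DiagFile] = {}
    for n in names:
        f = parse_diag_filename(n)
        if f is None:
            continue
        key = (f.device, f.tool)
        cur = newest.get(key)
        if cur is None or (f.timestamp, f.file_number) > (cur.timestamp, cur.file_number):
            newest[key] = f
    return newest


if __name__ == "__main__":
    # Constructed sample listing; "dp_edge_1" is a made-up device name.
    listing = [
        "capture_dp_edge_1_13102016_143005_1.cap",
        "capture_dp_edge_1_13102016_150000_1.cap",
        "trace_log_dp_edge_1_13102016_143005_2.txt",
        "capture_dp_edge_1_32132016_143005_1.cap",   # invalid date, skipped
    ]
    for key, f in sorted(newest_per_device(listing).items()):
        print(key, f.timestamp.isoformat(), f.file_number)
```

Because the timestamp is stored as an aware UTC value, it can be compared directly with the packet timestamps in the capture file, which are also UTC.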

To configure the Trace-Log tool:
1. Select Services > Diagnostics > Trace-Log > Parameters.
2. Configure the parameters.
3. Click Set.

Status: Specifies whether the Trace-Log tool is enabled.
Values: Enabled, Disabled
Default: Disabled

Output To File: Specifies the location of the stored data.
Values:
• RAM Drive and Flash - The appliance stores the data in RAM and appends the data to the file on the CompactFlash drive. Due to limits on CompactFlash size, DDoS Protector uses two files. When the first file becomes full, the appliance switches to the second, until it is full, and then it overwrites the first file, and so on.
• RAM Drive - The appliance stores the data in RAM.
• None - The appliance does not store the data.

Output To Terminal: Specifies whether the appliance sends Trace-Log data to the terminal.
Values: Enabled, Disabled
Default: Disabled

Output To Syslog Server: Specifies whether the appliance sends Trace-Log data to a syslog server.
Values: Enabled, Disabled
Default: Disabled

Debug Message Format
Use the Diagnostics Trace-Log Message Format pane to specify which parameters appear in the Trace-Log message.

To configure the diagnostics Trace-Log message format:
1. Select Services > Diagnostics > Trace-Log > Message Format.
2. Configure the parameters.
3. Click Set.

Date: Specifies whether the date that the message was generated is included in the Trace-Log message.

Time: Specifies whether the time that the message was generated is included in the Trace-Log message.

Platform Name: Specifies whether the platform MIB name is included in the Trace-Log message.

File Name: Specifies whether the output file name is included in the Trace-Log message.

Line Number: Specifies whether the line number in the source code is included in the Trace-Log message.

Packet ID: Specifies whether an ID assigned by the appliance to each packet is included in the Trace-Log message. This enables you to see the order of the packets.

Module Name: Specifies whether the name of the traced module is included in the Trace-Log message.

Task Name: Specifies whether the name of the specific task of the traced module is included in the Trace-Log message.

Trace Modules
To help pinpoint the source of a problem, you can specify which DDoS Protector modules the
Trace-Log feature works on and the log severity for each module. For example, you can specify
that the Trace-Log feature traces only the Health Monitoring module to understand why a specific
health check fails.

To configure the parameters of the Trace-Log modules:
1. Select Services > Diagnostics > Trace-Log > Modules.
   The table in the pane comprises the following columns:
   • Name - The name of the module.
     Values: CDE, GENERIC, LCD, VSDR
   • Status - The current status of the traced module.
   • Severity - The lowest severity of the events that the Trace-Log includes for this module.
     Values: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
2. Click the relevant link.
3. Configure the parameters, and click Set.

Name: (Read-only) The name of the traced module.

Status: Specifies whether the Trace-Log feature is enabled for the module.

Severity: The lowest severity of the events that the Trace-Log includes for this module. The default varies according to module.

Trace Files
DDoS Protector can store the output of the diagnostic tools in RAM and in the CompactFlash.
If the appliance is configured to store the output in the CompactFlash, when the data size in RAM
reaches its limit, the appliance appends the data chunk from RAM to the file on the CompactFlash
drive. For each enabled diagnostic tool, DDoS Protector uses two temporary files. When one
temporary file reaches the limit (1 MB), DDoS Protector stores the information in the second
temporary file. When the second temporary file reaches the limit (1 MB), DDoS Protector
overwrites the first file, and so on. When you download a CompactFlash file, the file contains both
temporary files.
Use the Diagnostic Tools Files Management pane to download or delete files from the RAM or
CompactFlash.
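To see how much diagnostic output survives the two-file rotation described above (and under the RAM Drive and Flash output option of the Capture and Trace-Log tools), the following Python model is an added example written for this guide; it is not appliance code. The 1 MB file limit is taken from the description above. The size of the RAM chunk that is flushed to flash (RAM_LIMIT) is not stated in this guide and is an assumption.

```python
"""Model of the two-file rotation the guide describes for diagnostic output.

Added example, not DDoS Protector code. From the guide: output is buffered
in RAM; when the RAM chunk fills it is appended to a file on CompactFlash;
each tool uses two temporary files of 1 MB; when the second file fills the
first is overwritten, and a download returns both files. The RAM chunk size
(RAM_LIMIT) is not given in the guide and is an assumption here.
"""

MB = 1024 * 1024
FILE_LIMIT = 1 * MB        # per-file limit stated in the guide
RAM_LIMIT = 64 * 1024      # assumed size of the RAM chunk flushed to flash


class TwoFileRotation:
    """Simulates RAM buffering plus two alternating CompactFlash files."""

    def __init__(self, file_limit: int = FILE_LIMIT, ram_limit: int = RAM_LIMIT):
        self.file_limit = file_limit
        self.ram_limit = ram_limit
        self.ram = bytearray()
        self.files = [bytearray(), bytearray()]
        self.active = 0            # index of the file currently being appended to
        self.overwrites = 0        # number of times an older file was discarded
        self.total_written = 0     # bytes handed to write(), for loss accounting

    def write(self, data: bytes) -> None:
        """Buffer in RAM; flush whole RAM chunks to flash as they fill."""
        self.total_written += len(data)
        self.ram.extend(data)
        while len(self.ram) >= self.ram_limit:
            chunk = bytes(self.ram[: self.ram_limit])
            del self.ram[: self.ram_limit]
            self._append_to_flash(chunk)

    def _append_to_flash(self, chunk: bytes) -> None:
        if len(self.files[self.active]) + len(chunk) > self.file_limit:
            # The active file is full: switch to the other file and, if it
            # already holds old data, overwrite it (the loss the guide warns of).
            self.active ^= 1
            if self.files[self.active]:
                self.overwrites += 1
            self.files[self.active] = bytearray()
        self.files[self.active].extend(chunk)

    def download(self) -> bytes:
        """What a CompactFlash download yields: both temporary files, older first."""
        older = self.active ^ 1
        return bytes(self.files[older]) + bytes(self.files[self.active])

    def retained_bytes(self) -> int:
        return len(self.files[0]) + len(self.files[1])

    def lost_bytes(self) -> int:
        """Bytes that were flushed to flash and later overwritten."""
        return self.total_written - len(self.ram) - self.retained_bytes()


if __name__ == "__main__":
    rot = TwoFileRotation()
    rot.write(b"x" * (2 * MB + 512 * 1024))       # 2.5 MB of constructed output
    print("retained:", rot.retained_bytes(), "lost:", rot.lost_bytes(),
          "overwrites:", rot.overwrites)
```

The model makes the practical limit visible: with two 1 MB files, a download can never contain more than about 2 MB of a tool's output, so long captures should be downloaded or diagnostic policies narrowed before the first file is overwritten.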

To download or delete Trace-Log data:
1. Select Services > Diagnostics > Files.
   The pane contains two tables, Files On RAM Drive and Files On Main Flash. Each table comprises these columns:
   • File Name - The name of the file.
   • File Size - The file size, in bytes.
   • Action - The action that you can take on the data stored. The values for Action are:
     • download - Starts the download process of the selected data.
     • delete - Deletes the selected file.
2. From the Action column, select the action, Download or Delete.
3. Follow the instructions.

Diagnostics Policies
In most cases, there is no need to capture all the traffic passing through the appliance. Using
diagnostic policies, the appliance can classify the traffic and store only the required information.
To reuse the policy, edit the policy and set it again.

To configure a diagnostics policy:
1. Select Services > Diagnostics > Policies.
2. Click Create.
3. Configure the parameters, and click Set.

Name: The user-defined name of the policy, up to 20 characters.

Index: The number of the policy in the order in which the diagnostics tool classifies (that is, captures) the packets.
Default: 1

Description: The user-defined description of the policy.

VLAN Tag Group: The VLAN Tag group whose packets the policy classifies (that is, captures).

Destination: The destination IP address or predefined class object whose packets the policy classifies (that is, captures).
Default: any - The diagnostics tool classifies (that is, captures) packets with any destination address.

Source: The source IP address or predefined class object whose packets the policy classifies (that is, captures).
Default: any - The diagnostics tool classifies (that is, captures) packets with any source address.

Outbound Port Group: The port group whose outbound packets the policy classifies (that is, captures).
You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.

Inbound Port Group: The port group whose inbound packets the policy classifies (that is, captures).

Service Type: The service type whose packets the policy classifies (that is, captures).
Values:
• None
• Basic Filter
• AND Group
• OR Group
Default value: None

Service: The service whose packets the policy classifies (that is, captures).

Destination MAC Group: The Destination MAC group whose packets the policy classifies (that is, captures).

Source MAC Group: The Source MAC group whose packets the policy classifies (that is, captures).

Maximal Number of Packets: The maximal number of packets the policy captures. Once the policy captures the specified number of packets, it stops capturing traffic. In some cases, the policy captures fewer packets than the configured value. This happens when the appliance is configured to drop packets.

Maximal Packet Length: The maximal length for a packet the policy captures.

Capture Status: Specifies whether the packet-capture feature is enabled in the policy.
Values: Enabled, Disabled
Default: Disabled

Trace-Log Status: Specifies whether the Trace-Log feature is enabled in the policy.
Values: Enabled, Disabled
Default: Disabled
You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.

Syslog Reporting
Event traps can be mirrored to up to five syslog servers. For each DDoS Protector appliance, you
can configure the appropriate information. Any traps generated by the appliance will be mirrored
to the specified syslog servers.

To enable syslog messages:
1. Select Services > Syslog Reporting.
2. From the Syslog Sending drop-down box, select Enabled.
3. Click Set.

To configure syslog messages:
1. Select Services > Syslog Reporting.
2. Click Create.
3. Configure the parameters, and click Set.

Syslog Server: The IP address or hostname of the appliance running the syslog service (syslogd).

Syslog Server Operational Status: Specifies whether the syslog server is enabled.
Default: Enabled

Syslog Server Source Port: The syslog source port.
Default: 514
Port 0 specifies a random port.

Syslog Server Destination Port: The syslog destination port.
Default: 514

Syslog Server Facility: The type of appliance of the sender. This is sent with syslog messages.
You can use this parameter to:
• Distinguish between different appliances
• Define rules that split messages
Values:
• Authorization Messages
• Clock Daemon
• Clock Daemon2
• FTP Daemon
• Kernel Messages
• Line Printer Subsystem
• Local 0
• Local 1
• Local 2
• Local 3
• Local 4
• Local 5
• Local 6
• Local 7
• Log Alert
• Log Audit
• Mail System
• Network News Subsystem
• NTP Daemon
• Syslogd Messages
• System Daemons
• User Level Messages
• UUCP
Default value: Local Use 6
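The facility values above are the standard syslog facilities, which a syslog server uses in rules that split messages by sender. The following Python snippet is an added example for this guide, not DDoS Protector code: it decodes the PRI field of a received syslog line into facility and severity and selects the lines that come from the facility the appliance is configured with. The mapping of the facility names listed above to numeric codes is the standard RFC 3164 assignment (Authorization Messages is mapped to code 4 here), and the sample lines are constructed, since this guide does not document the message body format.

```python
"""Decode syslog PRI values and select DDoS Protector messages by facility.

Added example; not DDoS Protector code. It uses the standard syslog PRI
encoding (PRI = facility * 8 + severity, RFC 3164 / RFC 5424) and maps the
facility names listed in the guide onto the standard facility codes;
"Authorization Messages" is mapped to code 4 here. The sample messages are
constructed, since the guide does not document the message body format.
"""
import re
from typing import List, Optional, Tuple

# Facility name as shown in the guide's Syslog Server Facility list -> code.
FACILITIES = {
    "Kernel Messages": 0, "User Level Messages": 1, "Mail System": 2,
    "System Daemons": 3, "Authorization Messages": 4, "Syslogd Messages": 5,
    "Line Printer Subsystem": 6, "Network News Subsystem": 7, "UUCP": 8,
    "Clock Daemon": 9, "FTP Daemon": 11, "NTP Daemon": 12,
    "Log Audit": 13, "Log Alert": 14, "Clock Daemon2": 15,
    "Local 0": 16, "Local 1": 17, "Local 2": 18, "Local 3": 19,
    "Local 4": 20, "Local 5": 21, "Local 6": 22, "Local 7": 23,
}
# Severity codes 0..7, in the same order the guide lists them for Trace-Log.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (facility, severity, rest_of_message), or None for a malformed line."""
    m = _PRI_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:            # largest valid PRI is 191
        return None
    facility, severity = divmod(pri, 8)
    return facility, severity, m.group(2)


def facility_name(code: int) -> str:
    """Reverse lookup into the guide's facility names."""
    for name, c in FACILITIES.items():
        if c == code:
            return name
    return f"facility {code}"       # codes the guide does not list, e.g. 10


def select_messages(lines: List[str], facility: str = "Local 6",
                    min_severity: str = "Warning") -> List[Tuple[str, str]]:
    """Keep lines from one facility at the given severity or more severe."""
    want_fac = FACILITIES[facility]
    max_sev = SEVERITIES.index(min_severity)   # lower number = more severe
    out: List[Tuple[str, str]] = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            continue                            # not a syslog line; skip it
        fac, sev, body = decoded
        if fac == want_fac and sev <= max_sev:
            out.append((SEVERITIES[sev], body))
    return out


# Constructed sample input: PRI 180 = Local 6 / Warning, 182 = Local 6 / Info,
# 34 = Authorization Messages / Critical, 13 = User Level Messages / Notice.
SAMPLE_LINES = [
    "<180>Oct 13 14:30:05 dp-edge-1 DDoS Protector: constructed attack-start event",
    "<182>Oct 13 14:30:06 dp-edge-1 DDoS Protector: constructed informational event",
    "<34>Oct 13 14:30:07 other-host su: constructed authorization event",
    "<13>Oct 13 14:30:08 other-host app: constructed user-level notice",
    "line without a PRI field",
]

if __name__ == "__main__":
    for sev, body in select_messages(SAMPLE_LINES, "Local 6", "Warning"):
        print(sev, body)
```

Assigning each appliance its own Local facility, as the parameter description suggests, is what makes a selection such as `select_messages(lines, "Local 6")` unambiguous on a shared syslog server.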

Syslog Server Protocol: The protocol that the appliance uses to send syslog messages.
Values:
• UDP - The appliance sends syslog messages using UDP. That is, the appliance sends syslog messages with no verification of message delivery.
• TCP - The appliance sends syslog messages using TCP. That is, the appliance verifies the message delivery. The appliance holds undelivered messages in a backlog. As soon as the connection to the syslog server is re-established, the appliance sends them. If the backlog is full (100 messages, non-configurable), the appliance replaces lower-priority messages with higher-priority messages (FIFO).
• TLS - The appliance sends syslog messages using TCP with Transport Layer Security (TLS) and uses the CA certificate specified in the CA Certificate Name field. That is, the appliance verifies message delivery. The appliance holds undelivered messages in a backlog. As soon as the connection to the syslog server is re-established, the appliance sends them. If the backlog is full (100 messages, non-configurable), the appliance replaces lower-priority messages with higher-priority messages (FIFO).
Default: UDP
Report notification of lost syslog messages to your network administrator.
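The backlog behaviour described for TCP and TLS above determines which messages survive a syslog server outage. The following Python model is an added example for this guide, not the appliance's implementation. The 100-message limit, the replacement of lower-priority messages by higher-priority ones, and FIFO delivery on reconnect come from the description above. How ties are broken, and what happens to a new low-priority message when the backlog holds nothing of lower priority, are not stated in this guide and are assumptions marked in the code.

```python
"""Model of the syslog backlog behaviour the guide describes for TCP and TLS.

Added example, not DDoS Protector code. From the guide: undelivered messages
are held in a backlog of 100 messages (non-configurable); when it is full,
lower-priority messages are replaced by higher-priority ones; on reconnect
the backlog is sent in order (FIFO). Assumed here, because the guide does not
say: when the backlog holds nothing of lower priority than a new message,
the new message is dropped, and among equal-priority candidates the oldest
is evicted. Severity uses syslog numbering (0 = Emergency, 7 = Debug).
"""
from collections import deque
from typing import Callable, Deque, List, Tuple

BACKLOG_LIMIT = 100          # stated in the guide; not configurable on the appliance
Message = Tuple[int, str]    # (severity, text)


class SyslogBacklog:
    def __init__(self, limit: int = BACKLOG_LIMIT):
        self.limit = limit
        self._q: Deque[Message] = deque()   # arrival order = delivery order
        self.dropped: List[Message] = []    # never delivered; report these to the admin

    def enqueue(self, severity: int, text: str) -> bool:
        """Hold a message; return False if it was dropped because the backlog is full."""
        if len(self._q) < self.limit:
            self._q.append((severity, text))
            return True
        # Full: evict the oldest message whose priority is strictly lower
        # (a larger severity number) than the new one.
        victim_idx = None
        victim_sev = severity
        for i, (sev, _) in enumerate(self._q):
            if sev > victim_sev:
                victim_sev, victim_idx = sev, i
        if victim_idx is None:
            # Assumption: nothing lower to replace, so the new message is lost.
            self.dropped.append((severity, text))
            return False
        self.dropped.append(self._q[victim_idx])
        del self._q[victim_idx]
        self._q.append((severity, text))
        return True

    def flush(self, send: Callable[[str], bool]) -> int:
        """On reconnect, deliver in FIFO order; stop at the first failed send."""
        sent = 0
        while self._q:
            _, text = self._q[0]
            if not send(text):
                break                # link lost again; keep the remaining messages
            self._q.popleft()
            sent += 1
        return sent

    def held(self) -> List[str]:
        return [text for _, text in self._q]


if __name__ == "__main__":
    # Constructed scenario: a long outage fills the backlog with Debug
    # messages, then a Warning arrives and displaces the oldest Debug one.
    b = SyslogBacklog(limit=5)
    for i in range(5):
        b.enqueue(7, f"debug-{i}")
    b.enqueue(4, "warning-attack-start")
    b.enqueue(7, "debug-5")
    print("held:", b.held())
    print("dropped:", b.dropped)
```

The `dropped` list is the information the last sentence above asks for: it is what you would report to the network administrator after an outage.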

Syslog Server CA Certificate: The name of the CA certificate in the Certificate Table that the appliance uses to send syslog messages when TLS is selected in the Syslog Server Protocol field.

Syslog Security Sending: Specifies whether the appliance sends security-event reports to the syslog server. Security events include all events related to attack detection and mitigation: start, ongoing, occurred, sampled, and terminated.
Default: Enabled

Syslog Health Sending: Specifies whether the appliance sends appliance-health event reports to the syslog server. Device-health events include all events related to appliance health, for example, temperature, fan failure, CPU, tables, resources, and so on.
Default: Enabled

Syslog User Audit Sending: Specifies whether the appliance sends audit-event reports to the syslog server. Audit events include all events related to user operations, for example, login attempts and configuration changes.
Default: Enabled

Daylight Saving
DDoS Protector supports daylight saving time. You can configure the daylight saving time start and end dates and times. During daylight saving time, the appliance automatically adds one hour to the system clock. The appliance also indicates whether it is on standard time or daylight saving time.
When the system clock is manually configured, the system time is changed only when daylight saving time starts or ends. When daylight saving time is enabled during the daylight saving time period, the appliance does not change the system time.

To configure daylight saving:
1. Select Services > Daylight Saving.
2. Configure the parameters, and click Set.

Daylight Saving Admin Status: Enables or disables daylight saving time.
Default: disabled

Daylight Saving Begins [dd/mm:hh]: The start date and time for daylight saving time.

Daylight Saving Ends [dd/mm:hh]: The end date and time for daylight saving time.

Daylight Saving Designations: Specifies whether the appliance is on standard time or daylight saving time.
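The following Python functions are an added example for this guide, not appliance code, showing how the Begins and Ends window above is evaluated, including a window that wraps the end of the year (southern hemisphere). Because this guide does not state them, the example assumes that the dd/mm:hh boundaries are expressed in standard time, that the start is inclusive and the end exclusive, and that a window whose end precedes its start wraps over the new year.

```python
"""Evaluate the Daylight Saving window the guide describes.

Added example, not the appliance's code. From the guide: start and end are
given as dd/mm:hh, the appliance adds one hour to the clock while daylight
saving time is in effect, and reports whether it is on standard or daylight
saving time. Assumed here: the begin/end boundaries are expressed in
standard time, the start is inclusive and the end exclusive, and a window
whose end precedes its start wraps over the new year (southern hemisphere).
"""
import re
from datetime import datetime, timedelta
from typing import Tuple

_DDMMHH = re.compile(r"^(\d{2})/(\d{2}):(\d{2})$")


def parse_ddmmhh(value: str) -> Tuple[int, int, int]:
    """Parse 'dd/mm:hh' into (month, day, hour); raise ValueError if malformed."""
    m = _DDMMHH.match(value)
    if m is None:
        raise ValueError(f"expected dd/mm:hh, got {value!r}")
    day, month, hour = (int(x) for x in m.groups())
    if not (1 <= month <= 12 and 1 <= day <= 31 and 0 <= hour <= 23):
        raise ValueError(f"out-of-range field in {value!r}")
    return month, day, hour


def dst_in_effect(std_time: datetime, begins: str, ends: str) -> bool:
    """True if std_time (a standard-time reading) falls inside the DST window."""
    bm, bd, bh = parse_ddmmhh(begins)
    em, ed, eh = parse_ddmmhh(ends)
    # datetime() also rejects impossible dates such as 31/02.
    start = datetime(std_time.year, bm, bd, bh)
    end = datetime(std_time.year, em, ed, eh)
    if start <= end:
        return start <= std_time < end          # window inside one calendar year
    return not (end <= std_time < start)        # window wraps the year end


def appliance_clock(std_time: datetime, admin_status: str,
                    begins: str, ends: str) -> Tuple[datetime, str]:
    """Return (displayed time, designation) the way the guide describes the appliance."""
    if admin_status.lower() == "enabled" and dst_in_effect(std_time, begins, ends):
        return std_time + timedelta(hours=1), "daylight saving time"
    return std_time, "standard time"


def describe(iso_std_time: str, admin_status: str, begins: str, ends: str) -> Tuple[str, str]:
    """Same as appliance_clock, but takes and returns ISO-8601 strings."""
    shown, designation = appliance_clock(
        datetime.fromisoformat(iso_std_time), admin_status, begins, ends)
    return shown.isoformat(timespec="minutes"), designation


if __name__ == "__main__":
    # Constructed settings: a northern-hemisphere window and a wrapping one.
    print(describe("2016-07-01T12:00", "enabled", "27/03:02", "30/10:03"))
    print(describe("2016-01-15T12:00", "enabled", "02/10:02", "03/04:03"))
```

The wrap-around branch is the case to check when an appliance in the southern hemisphere shows the wrong designation in January: with Ends earlier in the year than Begins, the window spans the year boundary rather than being empty.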

Management Interfaces
Telnet
You can use Telnet to access the DDoS Protector.
Use the Telnet Parameters pane to configure the connectivity settings.

To configure Telnet connectivity:
1. Select Services > Management Interfaces > Telnet.
2. Configure the parameters, and click Set.

Telnet Port: The TCP port used by Telnet.
Default: 23

Telnet Status: Specifies whether to enable Telnet access to the appliance.
Default: Disabled

Telnet Session Timeout: The period of time, in minutes, that the appliance maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates.
Values: 1 to 120
Default: 5
To avoid affecting appliance performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.

Telnet Authentication Timeout: The timeout, in seconds, required to complete the authentication process.
Values: 10 to 60
Default: 30

Web Server
Web Server Parameters
Use the Web Server Parameters pane to configure Web server connectivity for Web Based
Management (WBM).

To configure the Web server connectivity:
1. Select Services > Management Interfaces > Web Server > Web.
2. Configure the parameters, and click Set.

Web Server Port: The port to which WBM is assigned.
Default: 80

Web Server Status: Specifies whether to enable access to the Web server.

Web Authentication Timeout: The idle time, in seconds, after which DDoS Protector requests a Web Based Management user to log in again. This also applies to Secure Web users.
Default: 300

Web Help Location: The location (path) of the Web help files.

Web Access Level: Values: readWrite, readOnly

Secure Web Parameters
Use the Secure Web Server Parameters pane to configure secure Web server connectivity for Web Based Management (WBM).

To configure secure Web parameters:
1. Select Services > Management Interfaces > Web Server > Secure Web.
2. Configure the parameters, and click Set.

Secured Web Port: The port through which HTTPS gets requests.
Default: 443

Secured Web Status: Specifies whether to enable secured access to the Web server.

Secured Web Certificate File: The SSL certificate that the HTTPS server uses for encryption.
Caution: For security reasons, Check Point recommends that you replace the out-of-the-box certificate issued by Check Point with a certificate issued by a Certificate Authority (CA) of your choice.

Web Services
Use the Web Services pane to enable or disable Web Services.
The management port link must be up to change these settings.

To enable or disable Web Services:


1. Select Services > Management Interfaces > Web Server > Web Services.
2. From the drop-down list, select enable or disable.
3. Click Set.

SSL
Weak Ciphers
Configure whether an appliance can use weak ciphers, that is, management connections over secure protocols with ciphers shorter than 128 bits.

To configure the Weak Cipher settings:
1. Select Services > Management Interfaces > SSL > Weak Ciphers.
2. From the Accept Weak Ciphers SSL Status drop-down list, select enable or disable.
   The default setting is enable.
3. Click Set.

SSH
Secure Shell Parameters
SSH (Secure Shell) is a protocol for secure remote connections and network services over an insecure network. This feature provides a secure alternative to Telnet connections and lets you configure the appliance through Web Based Management.

To set the SSH server connection parameters:
1. Select Services > Management Interfaces > SSH > Server.
2. Enter the SSH Port and set the SSH Status to Enable.
3. Click Set.

SSH Port: The source port for the SSH server connection.
Default: 22

SSH Status: Specifies whether to enable SSH access to the appliance.
Default: Disabled

SSH Session Timeout: The period of time, in minutes, that the appliance maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates.
Values: 1 to 120
Default: 5
To avoid affecting appliance performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.

SSH Authentication Timeout: The timeout, in seconds, required to complete the authentication process.
Values: 10 to 60
Default: 10

Event Log
You can show a log of the events on the appliance.

To show the event log:


Select Services > Event Log.

To clear the event log:


1. Select Services > Event Log.
2. Under Clear Event Log, click Set.

Network Time Protocol (NTP)
Use NTP (Network Time Protocol) to distribute an accurate clock across the network and synchronize appliances.

To configure the NTP parameters:
1. Select Services > NTP.
2. Configure the parameters, and click Set.

NTP Polling Interval: The interval, in seconds, between time queries sent to the NTP server.
Default: 64

NTP Timezone: The offset from GMT for the appliance.
Values: -12:00 through +12:00
Default: 00:00

NTP Server Port: The access port number for the NTP server.
Default: 123

NTP Server Name: The address or URL of the NTP server.
If you specify a URL, the DNS Server feature must be enabled and configured.

NTP Status: Specifies whether the NTP client is enabled.
Values: enable, disable
Default: disable

RADIUS
DDoS Protector provides additional security by authenticating the users who access an appliance for management purposes. With RADIUS authentication, you can use RADIUS servers to determine whether a user is allowed to access appliance management using CLI, Telnet, SSH, or Web Based Management. You can also select whether to use the appliance User Table when RADIUS servers are not available.
Note: The DDoS Protector managed appliances must have access to the RADIUS server and must allow appliance access.

To configure RADIUS authentication for appliance management:


1. Select Services > Radius.
2. Configure the parameters and click Set.

Main Radius IP Address: The IP address of the primary RADIUS server.
Maximum characters: 64
Note: When DDoS Protector stores the Secret, it is encrypted. Therefore, the length of the Secret in the configuration file is longer than the number of characters that you configured.

Main Radius Port No.: The access port number of the primary RADIUS server.
Values: 1645, 1812
Default: 1645

Main Radius Secret: The authentication password for the primary RADIUS server.
Maximum characters: 64
When DefensePro stores the Secret, it is encrypted. Therefore, the length of the Secret in the configuration file is longer than the number of characters that you configured.

Backup Radius IP Address: The IP address of the backup RADIUS server.
Maximum characters: 64
Note: When DDoS Protector stores the Secret, it is encrypted. Therefore, the length of the Secret in the configuration file is longer than the number of characters that you configured.

Backup Radius Port No.: The access port number of the backup RADIUS server.
Values: 1645, 1812
Default: 1645

Backup Radius Secret: The authentication password for the backup RADIUS server.
Maximum characters: 64
When DefensePro stores the Secret, it is encrypted. Therefore, the length of the Secret in the configuration file is longer than the number of characters that you configured.

Radius Timeout: The time, in seconds, that the appliance waits for a reply from the RADIUS server before a retry, or, if the Retries value is exceeded, before the appliance acknowledges that the server is off line.
Default: 1

Radius Retries: The number of connection retries to the RADIUS server, after the RADIUS server does not respond to the first connection attempt. After the specified number of Retries, if all connection attempts have failed (Timeout), the backup RADIUS server is used.
Default: 2

Radius Client Lifetime: The time, in seconds, for the client authentication. After the client lifetime expires, the appliance re-authenticates the user.
Default: 30
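The Radius Timeout and Radius Retries parameters above determine how long a management login can stall before the backup server, and then the User Table, are consulted. The following Python simulation is an added example for this guide, not the appliance's code. It assumes that the backup server receives the same timeout and retry budget as the main server, that a server which answers does so immediately, and that an explicit reject from a RADIUS server is final; the IP addresses used are documentation addresses.

```python
"""Simulation of RADIUS server selection for appliance management login.

Added example, not the appliance's code. From the guide: the appliance waits
Radius Timeout seconds for a reply, retries Radius Retries times after the
first unanswered attempt, then uses the backup server, and can fall back to
the appliance User Table when RADIUS servers are not available. Assumed
here: the backup server gets the same timeout/retry budget, a server that
answers does so immediately, and an explicit reject is final (no fallback).
Time is simulated, not waited, so the worst-case login delay can be computed.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A responder returns True (accept), False (reject) or None (no reply at all).
Responder = Callable[[str, str], Optional[bool]]


@dataclass
class RadiusConfig:
    main_ip: str
    backup_ip: str
    timeout: float = 1.0       # Radius Timeout default from the guide
    retries: int = 2           # Radius Retries default from the guide
    use_user_table: bool = True


@dataclass
class LoginOutcome:
    decided_by: str            # "main", "backup", "user-table" or "none"
    accepted: bool
    elapsed: float             # simulated seconds spent waiting on RADIUS
    attempts: List[Tuple[str, int, Optional[bool]]] = field(default_factory=list)


def authenticate(cfg: RadiusConfig, user: str, password: str,
                 servers: Dict[str, Responder],
                 user_table: Dict[str, str]) -> LoginOutcome:
    """Walk main -> backup -> User Table exactly as the parameters describe."""
    elapsed = 0.0
    attempts: List[Tuple[str, int, Optional[bool]]] = []
    for role, ip in (("main", cfg.main_ip), ("backup", cfg.backup_ip)):
        for n in range(1, cfg.retries + 2):          # first attempt plus retries
            reply = servers[ip](user, password)
            attempts.append((role, n, reply))
            if reply is None:
                elapsed += cfg.timeout               # waited the full timeout
                continue
            return LoginOutcome(role, reply, elapsed, attempts)
    if cfg.use_user_table and user in user_table:
        ok = hmac.compare_digest(user_table[user], password)
        return LoginOutcome("user-table", ok, elapsed, attempts)
    return LoginOutcome("none", False, elapsed, attempts)


def worst_case_delay(cfg: RadiusConfig) -> float:
    """Seconds a login can take before the User Table is consulted."""
    return 2 * (cfg.retries + 1) * cfg.timeout


if __name__ == "__main__":
    # Constructed scenario with documentation addresses: both servers silent.
    cfg = RadiusConfig("192.0.2.10", "192.0.2.11")
    silent: Responder = lambda u, p: None
    out = authenticate(cfg, "admin", "pw", {"192.0.2.10": silent, "192.0.2.11": silent},
                       {"admin": "pw"})
    print(out.decided_by, out.accepted, out.elapsed, "s; worst case", worst_case_delay(cfg), "s")
```

With the defaults (timeout 1, retries 2), a complete RADIUS outage costs six simulated seconds before the local User Table answers, which is the figure to weigh against the Telnet and SSH authentication timeouts when all three are configured.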

SMTP
You can configure the appliance to send information messages via e-mail to appliance users. This
feature can be used for sending trap information via e-mail. When you configure appliance users,
you can specify whether an individual user should receive notifications via e-mail and the minimal
event severity reported via SNMP traps and e-mail. The user will receive traps of the configured
severity and higher.
The e-mail configuration applies both for SNMP traps and for SMTP e-mail notifications. SMTP
notifications are enabled globally for the appliance.
For example, you can optimize the appliance mailing process to gather security and system
events. It sends them in a single notification message when the buffer is full, or when a timeout of
60 seconds expires.
To receive e-mails about errors, you need to set the e-mail address and severity level in the Users Table for each user.

To configure the SMTP client:


1. Select Services > SMTP.
2. Configure the parameters, and click Set.
Parameter Description

SMTP Primary Server The IP address of the SMTP server.


Address

SMTP Alternate Server Address The IP address of an alternate SMTP server. The alternate
server is used when a connection to the primary SMTP server cannot be
established, or when the primary SMTP server closes the connection. The
appliance keeps trying to reconnect to the primary server and returns
to it as soon as it is available.

Own Email Address The mail address that appears in the Sender field of e-mail
messages generated by the appliance, for example
appliance1@domain.com

SMTP Status Specifies whether the SMTP client is enabled. The client must be enabled
for any feature that sends e-mail messages.
Default: disable

Send emails On Errors Specifies whether the appliance sends notifications via e-mail.
Default: Disable

DNS Client Parameters


You can configure DDoS Protector to operate as a Domain Name Service (DNS) client. When the
DNS client is disabled, the appliance cannot resolve host names. When the DNS client is enabled,
you must configure the servers to which DDoS Protector sends its host-name resolution queries.
You can set the DNS client parameters and define the primary and alternate DNS servers used for
dynamic resolution. In addition, you can define static host-name entries.

To define DNS servers:


1. Select Services > DNS.
2. Configure the parameters, and click Set.
Parameter Description

DNS Client Specifies whether the DDoS Protector appliance operates as a DNS client
to resolve host names.
Values: Enabled, Disabled
Default: Disabled

Primary DNS Server The IP address of the primary DNS server to which DDoS Protector sends
queries.

Alternate DNS Server The IP address of the alternate DNS server to which DDoS Protector
sends queries.

To set static DNS:


1. Select Services > DNS.
- To add an entry, click Create.
- To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Host Name The domain name for the specified IP address.

IP Address The IP address for the specified domain name.

Auditing
Configuration Auditing is the process of logging every configuration change and activity to a log
server. When Configuration Auditing is enabled, the appliance records each change made to the
configuration by sending an SNMP trap and a syslog message (if syslog is enabled and configured).
Configuration Auditing is enabled or disabled for all users and all management interfaces at once.

To prevent overloading the appliance and prevent degraded performance, the feature is disabled
by default.

To configure Configuration Auditing:


1. Select Services > Auditing.
The Auditing Type pane opens.
2. Configure the parameters, and click Set.
Parameter Description

Auditing Status Specifies whether Configuration Auditing is enabled. Configuration Auditing
is enabled or disabled per platform and it affects all users and all
management interfaces.
Values: Enabled, Disabled
Default: Disabled

Auditing Type The type of auditing.


Values:
- Regular - Audits only actions that succeeded.
- Extended - Audits commands that either succeeded or failed.
Only Extended auditing records failed commands, so choose it if you rely on the
audit trail to spot attempted misuse of the management interfaces.

CHAPTER 5

Router
In This Section:
IP Router (page 70)
Routing Table (page 72)
ARP Table (page 73)

IP Router
Operating Parameters
Use the IP Router Parameters pane to monitor, add, and edit router settings.

To set the IP router parameters:


1. Select Router > IP Router > Operating Parameters.
2. Configure the parameters, and click Set.
Parameter Description

Inactive ARP Timeout The time, in seconds, that inactive ARP cache entries can remain
in the ARP table before the appliance deletes them. If an ARP
cache entry is not refreshed within a specified period, it is
assumed that there is a problem with that address.
Default: 60,000

ARP Proxy Specifies whether the appliance responds to ARP requests for
nodes located on a different directly connected subnet. (The
appliance responds with its own MAC address.)
Values:
- Enabled - The appliance responds to all ARP requests.
- Disabled - The appliance responds only to ARP requests for
its own IP addresses.
Default: Disabled
Because an enabled proxy answers ARP requests for addresses it does not
own, enable it only where the appliance is intentionally the gateway for
those nodes.

ICMP Error Messages Specifies whether ICMP error messages are generated.

Interface Parameters
Use the Interface Parameters pane to view, add, and edit the IP interfaces of the router.

To configure an interface:
1. Select Router > IP Router > Interface Parameters.
- To add an entry, click Create.
- To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

IP Address The IP address of the interface.

Network Mask The associated subnet mask.

If Number The interface identifier. If the interface is a VLAN, the included
interfaces are listed in the box in the Edit pane.

Fwd Broadcast Specifies whether the appliance forwards incoming broadcasts to this
interface.

Broadcast Addr Specifies whether to fill the host ID in the broadcast address with ones
or zeros.

VlanTag The VLAN tag to be associated with this IP interface.


When multiple VLANs are associated with the same switch port, the
switch needs to identify to which VLAN to direct incoming traffic from
that specific port. VLAN tagging provides an indication in the Layer 2
header, which enables the switch to make the correct decision.

Peer Address The address of the peer.

To update the ICMP interface parameters:


1. Select Router > IP Router > Interface Parameters.
2. Click on the IP address of the ICMP interface to update.
3. Configure the parameters, and click Set.
Parameter Description

IP Address The IP address of the interface.

Advert. Address The destination IP address for multicast Router Advertisements sent
from the interface. Possible values are the all-systems multicast
address, 224.0.0.1, or the limited-broadcast address, 255.255.255.255.

Max Advert. Interval The maximum time, in seconds, between multicast Router
Advertisements from the interface. Possible values are between the
Minimum Advert Interval defined below and 1800 seconds.

Min Advert. Interval The minimum time, in seconds, between sending unsolicited multicast
Router Advertisements from the interface. Possible values are
between 3 seconds and the maximum interval defined above. The
default value is 0.75 of the Maximum Interval.

Advert. Lifetime The maximum time, in seconds, the advertised addresses are
considered valid. Must be no less than Maximum Interval defined
above, and no greater than 9000 seconds. Default value is three times
the Maximum Advert Interval.

Advertise Specifies whether the appliance advertises its interface IP address using ICMP
Router Advertisement messages.

Preference Level The preference level of the address as a default router address,
relative to other router addresses on the same subnet.

Reset to Defaults Resets the ICMP interface parameters to the default values.

Routing Table
DDoS Protector supports IP routing compliant with the RFC 1812 router requirements. Dynamic
addition and deletion of IP interfaces is supported, so that extremely low latency is
maintained.
The IP router supports the RIP I, RIP II and OSPF routing protocols. OSPF is an intra-domain IP
routing protocol intended to replace RIP in larger or more complex networks. OSPF and its MIB are
supported as specified in RFC 1583 and RFC 1850, with some limitations.

To configure a route:
1. Select Router > Routing Table.
- To add an entry, click Create.
- To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Destination Address The destination IP address of this route.

Network Mask The destination network mask of this route.

Next Hop The address of the next hop of this route. It must be directly reachable on
the local interface.

Interface Index The IF Index of the local interface through which the next hop of this
route is reached.

Type How packets that match this route are handled.
Values:
- remote - Forwards packets to the next hop.
- reject - Discards packets.

Metric The number of hops to the destination network.

ARP Table
Use the ARP (Address Resolution Protocol) Table pane to view, create, and edit the entries that
map IP addresses to MAC addresses on the appliance's directly connected networks.

To create or update an ARP entry:


1. Select Router > ARP Table.
- To add an entry, click Create.
- To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Interface Index The interface number on which the station resides.

IP Address The IP address of the station.

MAC Address The MAC address of the station.

Type Values:
- Other
- Invalid
- Dynamic - The entry is learned from the ARP protocol. If the entry is not
active for a predetermined time, the node is deleted from the table.
- Static - The entry is configured by the network management station and
is permanent.

CHAPTER 6

DDoS Protector
In This Section:
DoS Signatures (page 74)
Server Protection (page 94)
Denial of Service (page 110)
Authentication Tables (page 170)
Intrusion Protection and Anti-Scanning (page 171)
White List and Black List (page 175)
Policies (page 184)
Global - Suspend Table - Parameters (page 191)
Reporting (page 193)
Attack Database (page 201)
Activate Latest Changes (page 201)
Packet Anomaly Attacks (page 201)
Service Discovery (page 206)
Restore Default Configuration (page 208)

DoS Signatures
Application Security Global Parameters
Application Security is a mechanism that delivers advanced attack detection and prevention
capabilities. This mechanism is used by several security modules to provide maximum protection
for network elements, hosts and applications.

To set the application security global parameters:


1. Select DDoS Protector > DoS Signatures > Application Security > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description

Protection Status Select enable to start protection.
Default: enable

MAX URI Length The maximum URI length permitted. A request whose URI is longer
than the configured value is considered illegitimate and is
dropped.
Default: 500

MIN fragmented URI packet Size The minimum permitted size, in bytes, of an incomplete URI in
an HTTP request. A shorter packet length is treated as URI
protocol anomaly and is dropped.
Default: 50

Security Tracking Tables Free-Up Frequency [ms] How often, in milliseconds, the appliance
clears unnecessary entries from the table and stores information about
newly detected security events.
Default: 1250

Unicode Encoding The language encoding (the language and character set) to
use for detecting security events.

TCP Reassembly Mechanism Status Specifies whether the appliance tries to reassemble
fragmented TCP packets.
Default: enable

Session-Drop Mechanism Status When enabled, terminates the whole session when a single
malicious packet is recognized.
Default: enable

DoS Shield Global Parameters


Use the DoS Shield Global Parameters pane to enable the DoS Shield module and set its global
parameters.
DoS Shield samples traffic, rather than inspecting every packet, to detect flooding attacks that
aim to deny network services. Before you use DoS Shield, enable the DoS Shield module.

To configure DoS shield global parameters:


1. Select DDoS Protector > DoS Signatures > DoS Shield > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description

Protection Status Specifies whether DoS Shield module is enabled.

Sampling Rate The rate at which packets are sampled and compared to the Dormant
Attacks, expressed as the number of packets per sample.
Default: 100 - that is, 1 out of every 100 packets is checked.

Sampling Frequency How often, in seconds, DoS Shield compares the predefined threshold of
each Dormant Attack to the current counter of sampled packets matching
that attack.
Default: 5
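
To see how the two parameters interact, the following added example (not Check Point code) simulates the sampling check: only every Sampling Rate-th packet is inspected, and every Sampling Frequency seconds each dormant attack's counter is compared with its threshold. The signature predicate, the threshold unit (sampled matches per check interval), the packet representation, the traffic and the rate estimate are all constructed for this example and are not appliance internals.

```python
"""Simulate the DoS Shield sampling check described above.

Added example; not Check Point code. It models the two parameters in the
table: only every `sampling_rate`-th packet is inspected against each
dormant attack's signature, and every `sampling_frequency` seconds the
per-attack counter of sampled matches is compared with that attack's
threshold. The signature predicate, the threshold unit (sampled matches
per check interval), the packet format and the traffic are all constructed
for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]             # constructed: {"ts", "proto", "flags", "dst"}
Event = Tuple[float, str, str, float]  # (time, attack, new state, estimated pps)


@dataclass
class DormantAttack:
    name: str
    matches: Callable[[Packet], bool]
    threshold: int  # sampled matches per check interval that activate the attack


@dataclass
class DoSShield:
    attacks: List[DormantAttack]
    sampling_rate: int = 100         # 1 of every N packets is checked (default 100)
    sampling_frequency: float = 5.0  # seconds between threshold checks (default 5)
    counters: Dict[str, int] = field(default_factory=dict)
    active: Dict[str, bool] = field(default_factory=dict)
    events: List[Event] = field(default_factory=list)
    _seen: int = 0
    _window_start: float = 0.0

    def _evaluate(self, when: float) -> None:
        """Compare each counter with its threshold, record state changes, reset."""
        for attack in self.attacks:
            count = self.counters.get(attack.name, 0)
            now_active = count >= attack.threshold
            if now_active != self.active.get(attack.name, False):
                # Sampling 1 in N over F seconds: count * N / F estimates the
                # matching packet rate (an estimate, not an appliance counter).
                est_pps = count * self.sampling_rate / self.sampling_frequency
                state = "active" if now_active else "dormant"
                self.events.append((when, attack.name, state, est_pps))
            self.active[attack.name] = now_active
            self.counters[attack.name] = 0

    def process(self, pkt: Packet) -> None:
        ts = float(pkt["ts"])
        # Close every check interval that ended before this packet arrived.
        while ts - self._window_start >= self.sampling_frequency:
            self._window_start += self.sampling_frequency
            self._evaluate(self._window_start)
        self._seen += 1
        if self._seen % self.sampling_rate:
            return  # not a sampled packet: no inspection at all
        for attack in self.attacks:
            if attack.matches(pkt):
                self.counters[attack.name] = self.counters.get(attack.name, 0) + 1

    def run(self, packets: List[Packet]) -> List[Event]:
        for pkt in packets:  # packets must be in time order
            self.process(pkt)
        self._window_start += self.sampling_frequency
        self._evaluate(self._window_start)  # close the final interval
        return self.events


def is_syn_to_victim(pkt: Packet) -> bool:
    return pkt["proto"] == "tcp" and pkt["flags"] == "S" and pkt["dst"] == "10.0.0.5"


SYN_FLOOD = DormantAttack("syn-flood", is_syn_to_victim, threshold=100)


def _stream(start: float, end: float, pps: int, flags: str) -> List[Packet]:
    n = int((end - start) * pps)
    return [{"ts": start + i / pps, "proto": "tcp", "flags": flags, "dst": "10.0.0.5"}
            for i in range(n)]


# Constructed traffic: 10 s of normal data at 200 pps, a 5 s SYN flood at
# 20,000 pps, then 5 s of normal data again.
CONSTRUCTED_TRAFFIC = (_stream(0, 10, 200, "PA")
                       + _stream(10, 15, 20000, "S")
                       + _stream(15, 20, 200, "PA"))


def demo() -> List[Event]:
    return DoSShield(attacks=[SYN_FLOOD]).run(CONSTRUCTED_TRAFFIC)


if __name__ == "__main__":
    for when, name, state, pps in demo():
        print(f"t={when:5.1f}s {name} -> {state} (estimated {pps:.0f} pps)")
```

With the defaults, the flood produces 1,000 sampled matches in the 10 to 15 s interval and the attack becomes active at the 15 s check; it returns to dormant at the 20 s check once the counter is back under the threshold. Raising the Sampling Rate lowers the number of sampled matches a flood produces, so a threshold tuned for one rate needs re-tuning when the rate changes.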

Basic Static Filters


Use the Basic Static Filters pane to view the Basic Filter, which constitutes protection against a
specific attack, meaning that each Basic Filter has a specific attack signature and protection
parameters.
The Advanced Filter represents a logical AND between two or more Basic Filters. Some attacks
have a complex signature comprised of several patterns and content strings. These attacks
require more than one basic filter to protect against them.
You can create the Advanced Filters using the Basic User Filters only.

To show the application security basic static filters:


1. Select DDoS Protector > DoS Signatures > Filters > Basic Filters > Static.
2. Select the basic static filter for which you want to show the details.

Basic User Filters


If you edit the parameters of a filter that is bound to an existing policy, you need to activate the
latest changes.

To create a basic filter:


1. Select DDoS Protector > Intrusion Prevention > Signature Protection > Filters > Basic Filters
> User.
- To add an entry, click Create.
- To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Name The name of the filter.

Protocol The protocol used.
Values: IP, UDP, TCP, ICMP

Source App. Port The source application port.

Destination App. Port The destination application port.
Values (both ports): 0 to 65535
Default: 0

OMPC Offset The location in the packet from which the checking of data is
started in order to find specific bits in the IP/TCP header.
Values: 0 to 65535
Default: 0

OMPC Offset Relative to Specifies the point in the packet to which the OMPC Offset is relative.
Values:
- None
- IP Header
- IP Data
- L4 Data
- Ethernet
- L4 Header
- IPV6 Header
Default: None

OMPC Mask The mask applied to the packet data before it is compared with the pattern.
Values: a combination of hexadecimal digits (0 to 9, a to f). The value
must be defined according to the OMPC Length parameter.
The OMPC Mask value must contain 8 hexadecimal symbols. If the OMPC
Length value is lower than fourBytes, pad the value with trailing zeros.
For example, if OMPC Length is twoBytes, OMPC Mask can be abcd0000.
Default: 00000000

OMPC Pattern The fixed-size pattern that the OMPC rule attempts to find at the
specified location in the packet, after the mask is applied.
Values: a combination of hexadecimal digits (0 to 9, a to f). The value
must be defined according to the OMPC Length parameter.
The OMPC Pattern value must contain 8 hexadecimal symbols. If the OMPC
Length value is lower than fourBytes, pad the value with trailing zeros.
For example, if OMPC Length is twoBytes, OMPC Pattern can be abcd0000.
Default: 00000000

OMPC Condition The comparison between the masked packet data and the pattern.
Values: N/A, equal, notEqual, greaterThan, lessThan
Default: N/A

OMPC Length The length of the OMPC (Offset Mask Pattern Condition) data.
Values: None, oneByte, twoBytes, threeBytes, fourBytes
Default: None

Content Offset The location in the packet from which the checking of content is
started.
Values: 0 to 1513
Default: 0

Distance A range that defines the allowed distance between two content
characters. If the distance is beyond the specified range, it is
recognized as an attack.

Content The actual value to search for.
Values: any printable ASCII characters, from space (0x20) through tilde (~, 0x7E).

Content Type Enables you to search for a specific content type, which you select
from a long list.
For the list of valid values, see the Content Types table below.
Default: None - The appliance does not filter the content based on
type.

Content Max Length The maximum length to be searched within the selected Content
Type.
Values: 0 to 65,535
Default: 0
The Content Max Length value must be equal to or greater than
the Content Offset value.

Content Data The content type for the content search.
Values:
- HTTP Header - The value of the HTTP header. The header is
defined by the Content field.
- Cookie - The cookie value. The cookie is defined by the
Content field.
- FTP Command - The FTP command arguments. The FTP
command is defined by the Content field.

Content Data Encoding The encoding of the content data. The value of this field applies to
the Content Data parameter. DDoS Protector can search for data in
languages other than English, for case-sensitive or
case-insensitive data, and for hexadecimal strings.
Values:
- Not Applicable
- Case Insensitive
- Case Sensitive
- HEX
- International
Default: None

Content Encoding The encoding of the content. The value of this field applies to the
Content parameter, that is, the text searched for within the selected
Content Type. DDoS Protector can search for content in languages other
than English, for case-sensitive or case-insensitive text, and for
hexadecimal strings.
Values:
- Not Applicable
- Case Insensitive
- Case Sensitive
- Hex
- International
Default: None

Content Regular Expression Specifies whether the Content field value is formatted as a regular
expression (and not as free text to search). You can set a regex
search for all content types.

Content Data Reg Expression Specifies whether the Content Data value is formatted as a regular
expression (and not as free text to search).

Packet Size Type Specifies whether the length is measured for Layer 2, Layer 3,
Layer 4 or Layer 7 content.
Values:
- L2 - The complete packet length is measured, including the Layer
2 headers.
- L3 - The Layer 2 payload is measured (excluding the Layer 2 headers).
- L4 - The Layer 3 payload is measured (excluding the Layer 2 and Layer 3
headers).
- L7 - The Layer 4 payload is measured (excluding the Layer 2, Layer 3
and Layer 4 headers).
- None
Default: None

Packet Size Range The range of values for the packet length.
The size is measured per packet only; it is not applied to reassembled
packets.
IP fragmentation of Layer 4 to Layer 7 traffic can produce trailing fragments
that carry no Layer 4 to Layer 7 headers. For such fragments the check is
bypassed, because no match with Type = L4 to L7 can be made. Keep this in
mind when a size check is the only criterion of a filter.
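
The OMPC parameters above (Offset, Offset Relative to, Mask, Pattern, Condition and Length) describe a generic byte-level test. The following added example (not Check Point code) implements that test over a raw frame so the mask and padding rules can be tried against real header fields. The frame layout it assumes is Ethernet II carrying IPv4 with TCP, UDP or ICMP; the IPV6 Header anchor is not implemented, "None" is taken to mean the frame start, and the rule, helper names and sample frames are this example's own.

```python
"""Evaluate an OMPC (Offset Mask Pattern Condition) rule against a raw frame.

Added example; not Check Point code. It implements the OMPC parameters from
the Basic User Filters table: Offset, Offset Relative to, Mask, Pattern (8 hex
symbols, zero padded on the right), Condition and Length (1 to 4 bytes).
The frame layout it assumes is Ethernet II carrying IPv4 with TCP, UDP or
ICMP; the IPV6 Header anchor is not implemented. Rule and helper names are
this example's own.
"""
import struct
from dataclasses import dataclass

ETH_HDR_LEN = 14
CONDITIONS = ("equal", "notEqual", "greaterThan", "lessThan")


@dataclass(frozen=True)
class OmpcRule:
    offset: int
    relative_to: str   # None, Ethernet, IP Header, IP Data, L4 Header, L4 Data
    mask: str          # 8 hex symbols
    pattern: str       # 8 hex symbols
    condition: str
    length: int        # 1..4 (oneByte .. fourBytes)


def anchors(frame: bytes) -> dict:
    """Byte offsets of the regions an OMPC Offset can be relative to."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("example handles IPv4 frames only")
    ip_start = ETH_HDR_LEN
    ihl = (frame[ip_start] & 0x0F) * 4
    l4_start = ip_start + ihl
    proto = frame[ip_start + 9]
    if proto == 6:                                   # TCP: data offset nibble
        l4_hdr_len = (frame[l4_start + 12] >> 4) * 4
    elif proto in (17, 1):                           # UDP and ICMP headers are 8 bytes
        l4_hdr_len = 8
    else:
        raise ValueError(f"unsupported Layer 4 protocol {proto}")
    return {
        "None": 0, "Ethernet": 0,                    # None taken as frame start (assumption)
        "IP Header": ip_start, "IP Data": l4_start,
        "L4 Header": l4_start, "L4 Data": l4_start + l4_hdr_len,
    }


def ompc_match(rule: OmpcRule, frame: bytes) -> bool:
    """Return True when (packet bytes & mask) satisfies condition against pattern."""
    if not 1 <= rule.length <= 4:
        raise ValueError("OMPC Length must be 1 to 4 bytes")
    if len(rule.mask) != 8 or len(rule.pattern) != 8:
        raise ValueError("OMPC Mask and Pattern need exactly 8 hex symbols")
    if rule.condition not in CONDITIONS:
        raise ValueError(f"unknown condition {rule.condition}")
    start = anchors(frame)[rule.relative_to] + rule.offset
    window = frame[start:start + rule.length]
    if len(window) < rule.length:
        return False  # packet too short for the rule: treated as no match
    # Only the first 2*length symbols are meaningful; the rest is the zero padding.
    mask = int(rule.mask[:2 * rule.length], 16)
    pattern = int(rule.pattern[:2 * rule.length], 16)
    value = int.from_bytes(window, "big") & mask
    return {
        "equal": value == pattern,
        "notEqual": value != pattern,
        "greaterThan": value > pattern,
        "lessThan": value < pattern,
    }[rule.condition]


def build_tcp_frame(flags: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; never sent)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 5]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


# The TCP flags byte is 13 bytes into the L4 header; mask 0x3f keeps the six
# classic flags, so this matches a bare SYN but not SYN/ACK or ACK.
SYN_ONLY = OmpcRule(13, "L4 Header", "3f000000", "02000000", "equal", 1)
# First four payload bytes equal "GET " (0x47455420).
GET_PREFIX = OmpcRule(0, "L4 Data", "ffffffff", "47455420", "equal", 4)
# TTL (byte 8 of the IP header) below 128.
LOW_TTL = OmpcRule(8, "IP Header", "ff000000", "80000000", "lessThan", 1)

if __name__ == "__main__":
    syn = build_tcp_frame(0x02)
    ack = build_tcp_frame(0x10, b"GET / HTTP/1.1\r\n")
    for name, rule in (("SYN_ONLY", SYN_ONLY), ("GET_PREFIX", GET_PREFIX), ("LOW_TTL", LOW_TTL)):
        print(name, ompc_match(rule, syn), ompc_match(rule, ack))
```

Note the short-packet behaviour: a rule anchored at L4 Data evaluated against a packet with no payload cannot match, which is the same effect the Packet Size Range row describes for trailing fragments, so a filter that must catch such packets needs a second basic filter anchored on the IP header.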

This table describes the Content types that you can configure the appliance to examine as part of
the attack signature.

Content Type Description

Cookie The HTTP cookie field. The Content field includes the cookie name, and
the Content Data field includes the cookie value.

DCE-RPC Distributed Computing Environment / Remote Procedure Calls.

File Type The requested file type in the HTTP GET command (JPG, EXE, and so on).

FTP Command Parses FTP commands to commands and arguments, while normalizing
FTP packets and stripping Telnet opcodes.

FTP Content Scans data transmitted using FTP, normalizes FTP packets and strips
Telnet opcodes.

Header Field The HTTP Header field. The Content field includes the header field
name, and the Content Data field includes the field value.

Host Name In the HTTP header.

HTTP Reply Data The data of the HTTP reply. This is available only on x412 appliances.

HTTP Reply Header The header of the HTTP reply. This is available only on x412 appliances.

Mail Domain In the SMTP header.

Mail From In the SMTP header.

Mail Subject In the SMTP header.

Mail To In the SMTP header.

MM7 File Attachment The file associated with the MM7 request.

MM7 Request The request for an MM7 Error message.

Normalized URL To avoid evasion techniques when classifying HTTP requests, the URL
content is transformed into its canonical representation, interpreting the
URL the same way the server would.
The normalization procedure supports the following:
- Directory referencing, by reducing /./ to / and A/B/../ to A/.
- Changing backslash (\) to slash (/).
- Changing hexadecimal (percent) encoding to ASCII characters. For example, the
hex value %20 is changed to a space.
- Unicode support, UTF-8 and IIS encoding.

POP3 User The User field in the POP3 header.

RPC Reassembles RPC requests that span several packets.
The RPC standard, RFC 1831, provides a feature called Record Marking
Standard (RM). This feature is used to delimit several RPC requests sent
on top of the transport protocol. For a stream-oriented protocol (such as
TCP), RPC uses a kind of fragmentation to delimit between records. Despite
its original purpose, this fragmentation may also divide records in the
middle, not only at their boundaries, and attackers use it to evade IPS
systems. Reassembling the records before matching closes that gap.

Text Anywhere in the packet.

URI Length The length, in bytes, of the URI packet.

URL The HTTP Request URI. No normalization procedures are taken.
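
The difference between the URL and Normalized URL content types is easiest to see on a request built to slip past a literal string match. The following added example (not Check Point code) applies the normalization steps the table lists for Normalized URL to such requests and then runs a signature check on the canonical form. The step order, single-pass decoding, collapsing of empty segments and passing the query string through unchanged are this example's assumptions; the sample requests are constructed.

```python
"""Canonicalise a request path the way the Normalized URL content type does.

Added example; not Check Point code. It applies the steps listed in the
table: backslash to slash, percent decoding (including the IIS %uXXXX form)
with UTF-8 interpretation, and dot-segment removal (/./ and A/B/../). The
order of the steps, single-pass decoding, collapsing of empty segments and
leaving the query string untouched are this example's assumptions; the
sample requests are constructed.
"""
import re

_HEX = "0123456789abcdefABCDEF"
_IIS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")


def percent_decode(text: str) -> str:
    """Decode %uXXXX and %XX escapes once; resulting bytes are read as UTF-8."""
    text = _IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), text)
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "%" and i + 2 < len(text) and text[i + 1] in _HEX and text[i + 2] in _HEX:
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(ch.encode("utf-8", errors="replace"))
            i += 1
    # Invalid byte sequences become U+FFFD rather than aborting the match.
    return out.decode("utf-8", errors="replace")


def remove_dot_segments(path: str) -> str:
    """Resolve . and .. segments; .. never climbs above the root."""
    absolute = path.startswith("/")
    resolved = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # empty segments (//) and /./ collapse
        if seg == "..":
            if resolved:
                resolved.pop()  # A/B/../ -> A/
            continue
        resolved.append(seg)
    return ("/" if absolute else "") + "/".join(resolved)


def normalize_url(raw: str) -> str:
    """Return the canonical path (the query string, if any, is passed through)."""
    path, sep, query = raw.partition("?")
    path = path.replace("\\", "/")
    path = percent_decode(path)
    path = path.replace("\\", "/")  # a backslash may itself have been %5c-encoded
    path = remove_dot_segments(path)
    return path + sep + query


def matches_normalized(raw: str, signature: str) -> bool:
    """Signature check on the canonical form, as the Normalized URL type does."""
    return signature in normalize_url(raw)


if __name__ == "__main__":
    for sample in ("/cgi-bin/..%2f..%2fetc/passwd", "/scripts/.%2e/admin\\login.asp",
                   "/%u0061dmin/./config?id=1", "/caf%C3%A9/menu"):
        print(f"{sample!r:40} -> {normalize_url(sample)!r}")
```

A signature of /etc/passwd on the URL content type misses the first sample, because the raw request never contains that string; on the Normalized URL content type it matches. The converse also holds: a signature written for the encoded form will not match the canonical one, so pick the content type to match the form the signature is written in.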

Advanced Static Filters


The Advanced Filter represents a logical AND between two or more Basic Filters. Some attacks
have a complex signature comprised of several patterns and content strings. These attacks
require more than one basic filter to protect against them.
Use the Static Advanced Filter table to view static Advanced Filters.

To view the static Advanced Filters:


1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > Static.
2. To show the configuration of a filter, click on it.
Parameter Description

Name The name of the filter.

Number of Filters The number of filters for this entry.

Advanced User Filters


The advanced filter represents a logical AND relation between two or more basic filters. Some
attacks have a complex signature comprised of several patterns and content strings. The system
requires more than one basic filter to protect against such attacks.
Once all associated filters are deleted from the advanced filter, the advanced filter is erased.

To create an advanced user filter:


1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > User.
- To add an entry, click Create.
- To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Advanced Enter the name of the Advanced Filter.

Basic Select a Basic Filter from the drop-down list.

To add a basic filter to an existing advanced filter:


1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > User.
2. Click Create.
3. In the Advanced field, enter the name of the existing advanced filter.
4. From the Basic drop-down list, select the basic filter to add to the advanced filter and click
Set.

To delete an advanced user filter:


1. Select DDoS Protector > DoS Signatures > Filters > Advanced Filters > User.
2. Select the advanced filter to delete.
3. In the advanced filter, select the basic filters and click Delete.

Signature Protection Attribute Types


Attributes are components of the protection rules that are used in a process of the rule-based
profile configuration. Attributes are divided into categories according to the various aspects that
must be taken into consideration when a new rule is defined, such as environment, applications,
threat level, risk levels and so on.

The Attributes list presents all the attributes that participate in the defined profiles. You can use
the existing attributes, add new attributes or remove attributes from the list.
Use the Signature Protection Attribute Types pane to view the Signature Protection Attribute
Types.

To show the signature protection attribute types:


Select DDoS Protector > DoS Signatures > Attributes > Types.

Parameter Description

Services Defines which protocols are used in your environment, for example
FTP, HTTP, DNS, and so on. Only attack signatures that match
these protocols are selected for protection rules.

Platform The type of operating systems that exist in the segment, which you
want to protect. For example, Windows, Linux, Unix and so on. Only
attack signatures that match these operating systems are selected
for protection rules.

Applications The type of applications used in the segment that you are
protecting. For example, web servers, mail servers, browser, and
other servers.

Threat Type The threats against which you are protecting your segment, for
example, buffer overflows, worms and so on.

Virtual Groups Enables you to create customized rules.

Risk The level of attack severity. For example, attacks whose impact
on the network is very severe are defined as high-risk attacks.

Confidence The level of certainty to which an attack can be trusted. The
confidence level is the opposite of the false-positive level
associated with an attack.
For example, if the attack confidence level is set to high, the attack is
prevented only when the traffic exactly matches one of the attack
definitions in the Signatures database. This reduces false positives but
allows more packets into the segment. To provide higher protection for
your segment, set the Confidence to low and expect more false positives.

Attribute Values
Use the Signature Protection Attribute Values pane to define an intrusion prevention profile based
on various parameters that define the user environment, applications, threat level and risk
levels.

To configure signature protection attribute values:


1. Select DDoS Protector > DoS Signatures > Attributes > Values.
2. Configure the parameters, and click Set.
Parameter Description

Attribute Type Define the Attribute type from the Signature Protection Attribute Types (on
page 82) list.

Attribute Name Enter a user defined name.

Attacks
Static Attacks
The Attacks Database contains attacks provided by Check Point. You can add user-defined attacks
to reflect specific needs of your network, or edit the existing attacks.
Use the Signature Protection Static Attack Configuration pane to edit existing attack parameters.

To edit a static attack:


1. Select DDoS Protector > DoS Signatures > Attacks > Static.
2. Select a static attack.
3. Configure the parameters, and click Set.
Parameter Description

ID (Read-only) The unique identifying number.

Attack Name (Read-only) The name for this attack. The Attack Name is used when
DoS Shield sends information about attack status changes.

Filter Name (Read-only) The filter assigned to this attack.

Tracking Time The time, in milliseconds, over which the Threshold is measured. When the
number of packets that pass through the appliance during this period
exceeds the threshold value, the appliance recognizes an attack.
Value: 1000

Tracking Type Specifies how the protection determines which traffic to block or drop
when under attack.
Values:
- Drop All - Select this option when each packet of the defined attack
is harmful, for example, Code Red and Nimda attacks.
- Source Count - Select this option when the defined attack is
source-based, that is, the attack can be recognized by its source
address, for example, a Horizontal Port Scan, where the attacker
scans a certain application port (TCP or UDP) to detect which
servers are available in the network.
- Target Count - Select this option when the defined attack is
destination-based, meaning the attacker is attacking a specific
destination such as a Web server, for example, Ping Flood and DDoS
attacks.
- Source and Destination Count - Select this option when the attack
type is a source and destination-based attack, that is, the
attacker is attacking from a specific source IP to a specific
destination IP address, for example, Port Scan attacks.
- landattack
- fragments
- ncpsdcan
- dhcp
- ftpbounce
- bobo2K
- Sampling - Select this option when the defined attack is based on
sampling, that is, a DoS Shield attack.

Action Mode The action that DDoS Protector takes when an attack is detected.
Values:
- Drop - DDoS Protector discards the packet.
- Report Only - DDoS Protector forwards the packet to its destination
and only reports the event.
- Reset Source - DDoS Protector sends a TCP Reset packet to the
packet source IP address.
- Reset Destination - DDoS Protector sends a TCP Reset packet to
the destination address.
- Reset BiDirectional - DDoS Protector sends a TCP Reset packet to
both the packet source IP and the packet destination IP address.
- MM7 - If the packet contains a threat, the appliance drops the
message and sends an application-level error message to the
server to remove the message from the queue and prevent a
re-transmission. The error message contains the Transaction ID,
Content Length, and Message ID.
Default: Drop
The following options are not relevant for DDoS Protector, and
selecting one may cause unexpected results:
- HTTP 200 OK
- HTTP 200 OK Reset Dest
- HTTP 403 Forbidden
- HTTP 403 Forbidden Reset Dest

State Enables or disables the attack.
There are cases where you may need to temporarily disable an attack
from a static group. For example, if you suspect that a certain attack
introduces false positives, you can disable that specific attack only.
Setting the attack status to Disable means that the attack is disabled
but not removed from the group.

Direction A certain protection policy may contain attacks that should be searched
for only in traffic from client to server, or only in traffic from server to
client.
To provide simple and efficient scanning configuration, you can set per
attack the traffic direction for which it is relevant.
Values:
- Inbound - On traffic from policy Source to policy Destination
- Outbound - On traffic from policy Destination to policy Source
- In-Out Bound - On all traffic between policy Source and policy
Destination

Suspend Action Specifies that for this attack, in addition to the action defined for the
attack, the appliance also suspends traffic from the IP address that was
the source of the attack, for a time.
Values:
- None - Suspend action is disabled for this attack.
- SrcIP - All traffic from the IP address identified as the source of this
attack is suspended.
- SrcIP, DestIP - Traffic from the IP address identified as the source of
this attack to the destination IP under attack is suspended.
- SrcIP, DestPort - Traffic from the IP address identified as the source of
this attack to the application (destination port) under attack is
suspended.
- SrcIP, DestIP, DestPort - Traffic from the IP address identified as the
source of this attack to the destination IP and port under attack is
suspended.
- SrcIP, DestIP, SrcPort, DestPort - Traffic from the IP address and
port identified as the source of this attack to the destination IP and port
under attack is suspended.
Suspending by SrcIP alone affects every host that shares that source address
(for example, behind NAT); the narrower tuples limit the collateral impact.
Active Threshold When this threshold is exceeded, the status of the attack is changed to
Currently Active. This is only relevant when the Attack Status was
configured as Dormant.
The maximum number of attack packets allowed in each Tracking Time
unit. Attack packets are recognized as legitimate traffic when they are
transmitted within the Tracking Time period.
When the value for Tracking Type is Drop All, the protection ignores
this parameter.

Exclude Src The source IP address or network whose packets the protection does
not inspect.
If you specify a value for Exclude Src, Exclude Dest cannot be None.
To exclude only by source IP address, for Exclude Src, type any.
Default: None

Drop Threshold After an attack has been detected, the appliance starts dropping
excessive traffic only when this threshold is reached. This parameter is
measured in PPS.
When the value for Tracking Type is Drop All, the protection ignores
this parameter.

Exclude Dest The destination IP address or network whose packets the protection
does not inspect.
If you specify a value for Exclude Dest, Exclude Src cannot be None.
To exclude only by source IP address, for Exclude Dest, type any.
Default: None

Term Threshold When the attack PPS rate drops below this threshold, the protection
changes the attack from active mode to inactive mode.
When the value for Tracking Type is Drop All, the protection ignores
this parameter.

Packet Report Specifies whether the protection sends attack packets to the specified
physical port.

Packet Trace Specifies whether the protection sends attack packets to the specified
physical port.

Quarantine Specifies whether the appliance can quarantine all Web traffic from
internal hosts after matching this signature.

User Attacks
The Attacks Database contains attacks provided by Check Point. You can add user-defined attacks
to reflect specific needs of your network, or edit the existing attacks.
Use the Signature Protection User Attack Configuration pane to create attack parameters.

To create a user attack:


1. Select DDoS Protector > DoS Signatures > Attacks > User.
2. Select Create.
3. Configure the parameters, and click Set.
Parameter Description

ID The unique identifying number.

Attack Name The name for this attack. The Attack Name is used when DoS Shield sends
information about attack status changes.

Filter Name The filter assigned to this attack.

Tracking Time The time, in milliseconds, in which the Threshold is measured. When a number
of packets that is greater than the threshold value passes through the
appliance, during this defined time period, the appliance recognizes it as an
attack.
Value: 1000

Tracking Type Specifies how the protection determines which traffic to block or drop when
under attack.
Values:
• Drop All - Select this option when each packet of the defined attack is harmful, for example, Code Red and Nimda attacks.
• Source Count - Select this option when the defined attack is source-based, that is, the attack can be recognized by its source address, for example, a Horizontal Port Scan, where the hacker scans a certain application port (TCP or UDP) to detect which servers are available in the network.
• Target Count - Select this option when the defined attack is destination-based, meaning the hacker is attacking a specific destination such as a Web server, for example, Ping Flood and DDoS attacks.
• Source and Destination Count - Select this option when the attack type is a source and destination-based attack, that is, the hacker is attacking from a specific source IP to a specific destination IP address, for example, Port Scan attacks.
• landattack
• fragments
• ncpsdcan
• dhcp
• ftpbounce
• bobo2K
• Sampling - Select this option when the defined attack is based on sampling, that is, a DoS Shield attack.
Default: Sampling

Action Mode The action that DDoS Protector takes when an attack is detected.
Values:
• Drop - DDoS Protector discards the packet.
• Report Only - DDoS Protector forwards the packet to the defined destination.
• Reset Source - DDoS Protector sends a TCP-Reset packet to the packet source IP address.
• Reset Destination - DDoS Protector sends a TCP-Reset packet to the destination address.
• Reset BiDirectional - DDoS Protector sends a TCP-Reset packet to both the packet source IP and the packet destination IP address.
• MM7 - If the packet contains a threat, the appliance drops the message and sends an application-level error message to the server to remove the message from the queue to prevent a re-transmission. It contains Transaction ID, Content Length, and Message ID.
Default: Drop
The following options are not relevant for DDoS Protector, and selecting one may cause unexpected results:
• HTTP 200 OK
• HTTP 200 OK Reset Dest
• HTTP 403 Forbidden
• HTTP 403 Forbidden Reset Dest
State Enables or disables the Attack Status.
There are cases where you may need to temporarily disable an attack from a
static group. For example, if you suspect that a certain attack introduces false
positives, and you would like to disable that specific attack only.
Setting the attack status to Disable means that the attack is disabled but not removed from the group.
Default: Enable

Direction A certain protection policy may contain attacks that should be searched only for
traffic from client to server or only on traffic from server to client.
To provide simple and efficient scanning configuration you can set per attack
the traffic direction for which it is relevant.
Values:
• In Bound - On traffic from policy Source to policy Destination
• Out Bound - On traffic from policy Destination to policy Source
• In-Out Bound - On all traffic between policy Source and policy Destination

Suspend Action This functionality allows the user to define that for certain attacks, in addition
to the action defined in the attack, the appliance should also suspend traffic
from the IP address that was the source of the attack, for a time.
Values:
• None - Suspend action is disabled for this attack.
• SrcIP - All traffic from the IP address identified as the source of this attack will be suspended.
• SrcIP, DestIP - Traffic from the IP address identified as source of this attack to the destination IP under attack will be suspended.
• SrcIP, DestPort - Traffic from the IP address identified as source of this attack to the application (destination port) under attack will be suspended.
• SrcIP, DestIP, DestPort - Traffic from the IP address identified as source of this attack to the destination IP and port under attack will be suspended.
• SrcIP, DestIP, SrcPort, DestPort - Traffic from the IP address and port identified as source of this attack to the destination IP and port under attack will be suspended.
Default: None

Active Threshold The maximum number of attack packets allowed in each Tracking Time unit. Attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period.
When this threshold is exceeded, the status of the attack is changed to Currently Active. This is only relevant when the Attack Status was configured as Dormant.
When the value for Tracking Type is Drop All, the protection ignores this parameter.
Default: 50

Exclude Src The source IP address or network whose packets the protection does not
inspect.
If you specify a value for Exclude Src, Exclude Dest cannot be None.
To exclude only by source IP address, for Exclude Src, type any.
Default: None

Drop Threshold After an attack has been detected, DDoS Protector starts dropping excessive
traffic only when this threshold is reached. This parameter is measured in PPS.
When the value for Tracking Type is Drop All, the protection ignores this
parameter.
Default: 50

Exclude Dest The destination IP address or network whose packets the protection does not
inspect.
If you specify a value for Exclude Src, Exclude Dest cannot be None.
To exclude only by source IP address, for Exclude Src, type any.
Default: None

Term Threshold When the attack PPS rate drops below this threshold, the protection changes
the attack from active mode to inactive mode.
When the value for Tracking Type is Drop All, the protection ignores this
parameter.
Default: 50

Packet Report You can view a capture of an individual attack packet using Packet Reporting.
Enable or disable packet reporting for the specific attack.
Default: disable

Packet Trace Specifies whether the protection sends attack packets to the specified physical
port.
Default: disable

Quarantine Specifies whether the appliance can quarantine all Web traffic from internal
hosts after matching this signature.
Default: disable
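How Tracking Type, Tracking Time and the Active, Drop and Term thresholds of a user attack interact, as an added example in Python that is not part of the original guide or of the product: a simplified tracker keyed per source, target or both, fed with constructed per-window packet lists. It assumes that the thresholds are evaluated at the end of each Tracking Time window and that the Drop Threshold (PPS) is scaled to that window; the appliance's own evaluation timing is not described on this page.

```python
"""Simplified model of a user attack's tracking parameters (added example,
not Check Point code). Assumptions: thresholds are evaluated at the end of each
Tracking Time window; while the attack is Currently Active, packets beyond the
Drop Threshold (scaled to the window) are dropped; Drop All drops every packet.
Sample packets below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AttackConfig:
    # Drop All | Source Count | Target Count | Source and Destination Count
    tracking_type: str = "Source Count"
    tracking_time_ms: int = 1000   # window in which the thresholds are measured
    active_threshold: int = 50     # packets per window: Dormant -> Currently Active
    drop_threshold: int = 50       # PPS; excess traffic above it is dropped once active
    term_threshold: int = 50       # PPS; below it the attack returns to inactive


@dataclass
class AttackTracker:
    cfg: AttackConfig
    status: str = "Dormant"        # Dormant | Currently Active
    dropped: int = 0
    counts: Dict[Tuple[str, str], int] = field(
        default_factory=lambda: defaultdict(int))

    def key(self, src: str, dst: str) -> Tuple[str, str]:
        """Counter key chosen by Tracking Type."""
        if self.cfg.tracking_type == "Source Count":
            return (src, "*")
        if self.cfg.tracking_type == "Target Count":
            return ("*", dst)
        return (src, dst)  # Source and Destination Count

    def drop_allowance(self) -> int:
        """Drop Threshold (PPS) expressed as packets per Tracking Time window."""
        return self.cfg.drop_threshold * self.cfg.tracking_time_ms // 1000

    def packet(self, src: str, dst: str) -> str:
        """Handle one packet matching the attack filter: 'forward' or 'drop'."""
        if self.cfg.tracking_type == "Drop All":
            self.dropped += 1
            return "drop"  # every packet is harmful; thresholds are ignored
        k = self.key(src, dst)
        self.counts[k] += 1
        if self.status == "Currently Active" and self.counts[k] > self.drop_allowance():
            self.dropped += 1  # excessive traffic after the attack was detected
            return "drop"
        return "forward"   # within the threshold: treated as legitimate

    def end_of_window(self) -> str:
        """Re-evaluate the attack status when a Tracking Time period ends."""
        if self.cfg.tracking_type != "Drop All":
            peak = max(self.counts.values(), default=0)
            pps = peak * 1000 / self.cfg.tracking_time_ms
            if self.status == "Dormant" and peak > self.cfg.active_threshold:
                self.status = "Currently Active"
            elif self.status == "Currently Active" and pps < self.cfg.term_threshold:
                self.status = "Dormant"
        self.counts.clear()
        return self.status


def simulate(cfg: AttackConfig, windows: List[List[Tuple[str, str]]]) -> List[Tuple[str, int]]:
    """Feed one packet list per window; return (status after window, packets dropped)."""
    tracker = AttackTracker(cfg)
    result = []
    for packets in windows:
        before = tracker.dropped
        for src, dst in packets:
            tracker.packet(src, dst)
        result.append((tracker.end_of_window(), tracker.dropped - before))
    return result


if __name__ == "__main__":
    # Constructed: one source sends 60, then 80, then 20 packets per window.
    flood = [("10.0.0.1", "192.0.2.10")]
    for window, (status, dropped) in enumerate(
            simulate(AttackConfig(), [flood * 60, flood * 80, flood * 20]), 1):
        print(f"window {window}: status={status}, dropped={dropped}")
```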

Profiles
A Signature Protection profile contains one or more rules for the network segment you want to
protect. Each rule defines a query on the Signatures database. DDoS Protector activates the protections from the signature database that match the set of rules. The user-defined profile is
updated each time you download an updated Signatures database.
To configure Signature Protection profiles, IPS protection must be enabled and global DoS Shield
parameters must be configured.
You can configure up to 300 Signature Protection profiles on a DDoS Protector appliance.
Each rule in the profile can include one or more entries from the various attribute types.
Rules define a query on the Signatures database based on the following logic:
 Values from the same type are combined with logical OR.
 Values from different types are combined with logical AND.
The rules are combined in the profile with a logical OR.
The relationship inside a signature between all filters is a logical AND.
Rules in the profile are implicit. That is, when you define a value, the profile includes all signatures that match the selected attribute plus all the signatures that have no attribute of that type. This logic ensures that signatures that may be relevant to the protected network are included, even if they are not associated explicitly (by SOC) with the application in the network.
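The rule logic above, as an added example in Python that is not part of the original guide or of the product: a query over a constructed signature database in which values of one attribute type are OR-ed, attribute types are AND-ed, rules are OR-ed, and a signature with no attribute of a selected type is included implicitly. The attribute type names, the signature ids and the dictionary layout are assumptions made for illustration.

```python
"""Signature Protection profile query logic (added example, not Check Point
code). Assumptions: a signature carries a dict of attribute type -> set of
values; a rule is a dict of attribute type -> set of selected values. The
attribute types and signatures below are constructed, not the real database."""
from typing import Dict, List, Set

Signature = Dict[str, object]   # {"id": str, "attrs": {attr_type: set(values)}}
Rule = Dict[str, Set[str]]


def rule_matches(rule: Rule, signature: Signature) -> bool:
    """A signature matches a rule when every attribute type in the rule is
    satisfied: values of one type are OR-ed (any selected value present),
    types are AND-ed, and a signature with no attribute of a type is
    implicitly included for that type."""
    attrs: Dict[str, Set[str]] = signature["attrs"]
    for attr_type, selected in rule.items():
        if not selected:            # nothing selected for this type: no constraint
            continue
        sig_values = attrs.get(attr_type)
        if sig_values is None:      # implicit rule: no such attribute -> included
            continue
        if not (sig_values & selected):   # OR within the type
            return False                  # AND across types: one miss rejects
    return True


def profile_matches(rules: List[Rule], signature: Signature) -> bool:
    """Rules in a profile are OR-ed: any matching rule activates the signature."""
    return any(rule_matches(rule, signature) for rule in rules)


def activate(rules: List[Rule], db: List[Signature]) -> List[str]:
    """Ids of all database signatures the profile activates; re-run this after
    every Signatures database download, which is when the profile is updated."""
    return [sig["id"] for sig in db if profile_matches(rules, sig)]


# Constructed sample database.
SAMPLE_DB: List[Signature] = [
    {"id": "sig-web-win", "attrs": {"application": {"http"}, "os": {"windows"}}},
    {"id": "sig-web-any", "attrs": {"application": {"http"}}},   # no "os" attribute
    {"id": "sig-dns-linux", "attrs": {"application": {"dns"}, "os": {"linux"}}},
    {"id": "sig-generic", "attrs": {}},                           # no attributes at all
    {"id": "sig-ftp-win", "attrs": {"application": {"ftp"}, "os": {"windows"}}},
]

# Rule 1: application is http OR dns, AND os is linux.
RULE_WEB_OR_DNS_ON_LINUX: Rule = {"application": {"http", "dns"}, "os": {"linux"}}
# Rule 2: ftp on any os.
RULE_FTP: Rule = {"application": {"ftp"}}

if __name__ == "__main__":
    print(activate([RULE_WEB_OR_DNS_ON_LINUX], SAMPLE_DB))
    print(activate([RULE_WEB_OR_DNS_ON_LINUX, RULE_FTP], SAMPLE_DB))
```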

Static Profiles
The Static Profiles pane displays a list of the existing static profiles. You can view the filter groups
that make up a profile, and drill-down to see the filters in any one of the groups.

To show the static profiles:


1. Select DDoS Protector > DoS Signatures > Profiles > Static. The static profiles are listed.
2. Click the name of a profile.
The contents of the profile are listed.

User Profiles
Security profiles aggregate attack groups and attacks. You can set one or more profiles for each
security module and then associate the protection profile with a policy.

To create a user-defined profile:


1. Select DDoS Protector > DoS Signatures > Profiles > User.
2. Click Create.
3. Configure the parameters, and click Set.
Parameter Description

Profile The user-defined profile name.

Group The group to which the profile belongs.

Category The category to which the profile belongs.

To add another group to an existing profile:


1. Select DDoS Protector > DoS Signatures > Profiles > User.
2. Click the profile name.
3. Click Create.
4. From the Group drop-down list, select the group to add to the profile.
5. Click Set.

Exclude Attacks
Use the Signature Protection Attacks Excluded Addresses Configuration pane to exclude
particular attacks from your network definitions.

To exclude signature protection attacks:


1. Select DDoS Protector > DoS Signatures > Exclude Attacks.
2. Click Create.
3. Configure the parameters, and click Set.

Parameter Description

Attack ID The ID of the attack not to be included in policy.

Attack Name The name of the attack.

Source Network The source IP address for the excluded attack.

Destination Network The destination IP address for the excluded attack.

Server Protection
Cracking Protection
Server Cracking Protection provides application-level protection that monitors error responses
from various applications and blocks hacking attempts from suspicious sources while allowing
legitimate traffic to pass.
Each Server Protection policy can include one Server Cracking Protection profile. You can use
Server Cracking profiles for multiple Server Protection policies. A Server Cracking Protection
profile specifies the protections that DDoS Protector applies to protect application servers in your
network against cracking attempts and other vulnerability scans. You can get more information on
the default configuration of each protection ("Server Protection Attacks" on page 101).

Server Cracking Protection Network Topography


Server Cracking protection requires a symmetric environment. Tracking requires inspection of server responses. Blocking requires inspection of source requests.

DDoS Protector supports the following protections:


• Brute Force DNS
• Brute Force FTP
• Brute Force IMAP
• Brute Force LDAP
• Brute Force MSSQL
• Brute Force MySQL
• Brute Force POP3
• Brute Force SIP (TCP)
• Brute Force SIP (UDP)
• Brute Force SIP DST (TCP)
• Brute Force SIP DST (UDP)
• Brute Force SMB
• Brute Force SMTP
• Brute Force Web
• SIP Scan (TCP)
• SIP Scan (UDP)
• SIP Scan DST (TCP)
• SIP Scan DST (UDP)
• SMTP Scan
• Web Scan
Cracking, Brute Force, and Dictionary Attacks
Cracking, brute force, and dictionary attacks use scripts or other tools to try to break into an
application by guessing usernames and passwords from known lists.
The risk associated with these types of attacks is clear: once a useful username and password are
obtained, the attacker has free access to a service, information, or even to the server itself.
Additional risks are denial of service, by triggering built-in protections in the application that lock
users, or by consuming system resources during the authentication attempts.

Application-Vulnerability Scanning Attacks


Scanning attacks try to find services that are known to be vulnerable or actual vulnerabilities at
the application level. The attacker later exploits the vulnerable server or application vulnerability.
The scanners, which can be automatic or manual, send a legitimate request to the server. The
request is used to expose the existence of the vulnerability. As such, the scan will not trigger an
IPS-based signature. In most cases, the server will not be vulnerable and will respond with an
error message. Application scanning attempts are usually precursors to more serious exploitation
attempts. Scanning attempts generate a higher than normal error-response rate from the
application. Blocking such attempts helps prevent the vulnerabilities from being disclosed.

SIP Scanning Attacks


In Session Initiation Protocol (SIP) scanning, the attacker's aim is slightly different. While it is
possible to find vulnerable SIP implementations, the actual advantage of SIP scanning is to obtain
a list of SIP subscribers, which can be used to send SPIT (SPAM over Internet Telephony). An
attacker can use scripts to send SPIT messages to a guessed list of subscribers and harvest the
existing subscribers according to the received replies. SPIT can annoy subscribers and even
disrupt service if carried out in high volumes.

Register Brute Force Attacks


A register brute force attack is an attempt to gain access to a user account, and through it, to the
service, thus allowing the attacker to exploit a service without paying for it, causing revenue loss,
reputation loss, and increased bill-verification activities.

Server Cracking Threats and Server Cracking Protection Strategies


DDoS Protector identifies attackers using source tracking and a fuzzy-logic decision engine. The
detection mechanism uses the frequency and quantity of server-based error responses, and
uniquely identifies them per protected application. The analysis is done per source IP address and
protected server. DDoS Protector sends these parameters to the Fuzzy Inference System (FIS),
which calculates the degree of attack (DoA).
Application scanning and authentication brute-force attempts are usually precursors to more
serious exploitation attempts. The attacker sends a list of legitimate-looking requests and
analyzes the responses in order to discover a known vulnerability or gain access to restricted
parts of the application.
Both cracking and scanning attempts are characterized by higher-than-normal rates of error
responses from the application to specific users, in terms of frequency and quantity. Blocking
such attempts helps prevent more severe attacks.

Server Cracking Mitigation with Server Cracking Protection


DDoS Protector adds a source identified as an attacker to the Suspend table even when the
protection action is set to Report Only. The data in the Suspend table is affected by the specific
protection configuration. The data can include several combinations of source IP address and destination details, such as IP address and/or port.
When DDoS Protector detects an attack, the first blocking period is a random value between 10 to
30 seconds. Upon inserting the source IP address into the Suspend table, the system keeps
tracking the source for the duration of the blocking period and an additional expiration time, which
is defined by the Sensitivity set for the specific attack ("Sensitivity Parameter" on page 97). If the
source keeps attacking the network during the monitoring interval, DDoS Protector blocks it again
using a new blocking period, which is more than twice the last blocking period, up to the maximal blocking period, which is 120 seconds.

Server Cracking Protection Technology


DDoS Protector in the Network
DDoS Protector is a hardware appliance that is placed "in-line" with network traffic, typically
between the clients and the protected servers. A symmetric network environment is mandatory
because Server Cracking protection is done by inspecting server responses.

The Detection Mechanism and Available Protections


The detection mechanism is based on the analysis of server error-code replies. The codes are
identified by matching server response signatures. The signatures are part of the signature file.

Behavioral Parameters and States/Degrees of Attack


An exponential moving average mechanism derives behavioral parameters (frequency and
quantity of code replies) per source IP address and protected server.
These parameters are further analyzed through a Fuzzy Logic Inference System that generates a degree of attack (DoA), which, in turn, determines the state of each source IP address:
• Attack state - The user (source) is blocked using the Suspend table.
• Suspect state - The system continues to follow the user for a predefined duration (suspect monitoring interval time-out).
• Normal state - The system continues to follow the user for a predefined duration (that is, the normal monitoring interval time-out, which is lower than the suspect state monitoring interval time-out).
During the Attack state, the user is added to the Suspend table (a block list). When the user is
released from block, the monitoring interval is set again.

Sensitivity Parameter
The Sensitivity parameter of each Server Cracking protection defines thresholds for the quantity
and frequency of server-side error messages. DDoS Protector tracks server-side error messages
to trigger attack detection. High sensitivity means that only a few cracking attempts trigger the
protection, while Minor means that a very high number of attempts trigger the protection. The
default is Medium.
During the Attack state, the attacker is added to the Suspend table, which is the list of blocked
sources. When the user is released from the Suspend table, the monitoring interval is set again.

Degree-of-Attack States and Sensitivity Values


State           Monitoring Interval in Seconds, by Sensitivity
                High    Medium    Low    Minor
Normal state    20      15        10     5
Suspect state   40      30        15     10
Attack state    60      45        20     15

There may be cases where you need to tune the value of the Sensitivity parameter. For example, if
you are protecting a Web server that is not maintained or not updated, it may generate HTTP-error
replies at an abnormal rate, which the appliance will falsely identify as an attack. In such a case,
set the sensitivity to Low.
Application-scanning and brute-force attempts are usually generated through multiple L4
connections. If the attack attempts are using the same L4 connection (that is, a TCP or UDP
connection), the detection sensitivity will be automatically set to a higher value than those that are
specified in the above table. Thus, the quantity and frequency of attempts needed to trigger the
protection action will be lower.

Sensitivity Levels for Brute-Force Indications


Sensitivity   Counter (Request Trigger)   Frequency (Requests/Second)
High          20                          5
Medium        40                          10
Low           60                          15
Minor         80                          20

Sensitivity Levels for Cracking Indications (Single Layer 4 Connections)


Sensitivity   Counter (Request Trigger)   Frequency (Requests/Second)
High          5                           1
Medium        10                          2
Low           15                          4
Minor         20                          6

Sensitivity Levels for Scanning Indications


Sensitivity   Counter (Request Trigger)   Frequency (Requests/Second)
High          10                          0.5
Medium        30                          1
Low           25                          3
Minor         45                          30
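The escalating suspend mechanism described under Server Cracking Mitigation and the sensitivity tables above, as an added example in Python that is not part of the original guide or of the product: a plain counter/frequency threshold check over the table values, with the 10-30 second initial block, the more-than-double re-block capped at 120 seconds, and the Attack-state monitoring interval. It is a simplification of the appliance's moving-average and fuzzy-logic engine; the "2 x previous + 1" escalation step, the reset after a quiet monitoring interval, and the sample source and server addresses are assumptions.

```python
"""Simplified model of Server Cracking Protection's sensitivity triggers and
escalating suspend periods (added example, not Check Point code). It replaces
the appliance's moving-average and fuzzy-logic engine with a plain threshold
check. Assumptions: an observation is attacking when its error count reaches the
Counter trigger or its error rate reaches the Frequency trigger; a repeat block
lasts 2*previous + 1 seconds; a source quiet past its monitoring interval is
forgotten. Addresses below are constructed."""
import random
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Counter (request trigger) and Frequency (requests/second) per sensitivity,
# copied from the three tables above.
TRIGGERS: Dict[str, Dict[str, Tuple[int, float]]] = {
    "brute_force":        {"High": (20, 5),   "Medium": (40, 10), "Low": (60, 15), "Minor": (80, 20)},
    "cracking_single_l4": {"High": (5, 1),    "Medium": (10, 2),  "Low": (15, 4),  "Minor": (20, 6)},
    "scanning":           {"High": (10, 0.5), "Medium": (30, 1),  "Low": (25, 3),  "Minor": (45, 30)},
}
# Monitoring interval in seconds per degree-of-attack state and sensitivity.
MONITORING_INTERVAL: Dict[str, Dict[str, int]] = {
    "Normal":  {"High": 20, "Medium": 15, "Low": 10, "Minor": 5},
    "Suspect": {"High": 40, "Medium": 30, "Low": 15, "Minor": 10},
    "Attack":  {"High": 60, "Medium": 45, "Low": 20, "Minor": 15},
}
MAX_BLOCK_SECONDS = 120


def exceeds_trigger(indication: str, sensitivity: str, errors: int, seconds: float) -> bool:
    """True when the error responses seen for one (source, server) pair reach the
    Counter trigger or their rate reaches the Frequency trigger."""
    counter, frequency = TRIGGERS[indication][sensitivity]
    return errors >= counter or (seconds > 0 and errors / seconds >= frequency)


def next_block_period(previous: Optional[int], rng: random.Random) -> int:
    """First block: random 10-30 s. Re-block inside the monitoring window: more
    than twice the last period (assumed 2*previous + 1), capped at 120 s."""
    if previous is None:
        return rng.randint(10, 30)
    return min(2 * previous + 1, MAX_BLOCK_SECONDS)


@dataclass
class SuspendEntry:
    blocked_until: float   # end of the blocking period
    monitor_until: float   # blocking period plus the Attack-state monitoring interval
    last_period: int


@dataclass
class CrackingMonitor:
    indication: str = "brute_force"
    sensitivity: str = "Medium"
    rng: random.Random = field(default_factory=lambda: random.Random(7))
    # Suspend table keyed by (source IP, protected server IP); the entry is
    # created even when the protection action is Report Only.
    table: Dict[Tuple[str, str], SuspendEntry] = field(default_factory=dict)

    def observe(self, now: float, source: str, server: str, errors: int, seconds: float) -> str:
        """Feed one observation (errors over `seconds`) and return the source's
        handling: 'blocked', 'monitored' (released but still tracked) or 'normal'."""
        key = (source, server)
        entry = self.table.get(key)
        if entry and now < entry.blocked_until:
            return "blocked"
        if not exceeds_trigger(self.indication, self.sensitivity, errors, seconds):
            if entry and now < entry.monitor_until:
                return "monitored"
            self.table.pop(key, None)  # quiet past the monitoring interval
            return "normal"
        # Attacking: escalate only if still inside the previous monitoring window.
        previous = entry.last_period if entry and now < entry.monitor_until else None
        period = next_block_period(previous, self.rng)
        interval = MONITORING_INTERVAL["Attack"][self.sensitivity]
        self.table[key] = SuspendEntry(now + period, now + period + interval, period)
        return "blocked"


if __name__ == "__main__":
    mon = CrackingMonitor()  # brute force, Medium: 40 errors or 10 errors/second
    src, srv = "198.51.100.7", "192.0.2.10"
    print(mon.observe(0, src, srv, errors=45, seconds=10), mon.table[(src, srv)])
```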

Errors that Server Cracking Protection Monitors


The following table lists the protocol errors that Server Cracking Protection monitors to identify
various server-cracking attacks.

Error Code   Error                                                  Indications (Web Scan, SIP/Web Brute Force, SIP Scan)   Additional Server Cracking Protection
0xc000006a   STATUS_WRONG_PASSWORD                                                                                          Brute Force SMB
0xc000006d   STATUS_LOGON_FAILURE                                                                                           Brute Force SMB
0xc0000022   STATUS_ACCESS_DENIED                                                                                           Brute Force SMB
48           Inappropriate Authentication                                                                                   Brute Force LDAP
49           Invalid Credentials                                                                                            Brute Force LDAP
50           Insufficient Access Rights                                                                                     Brute Force LDAP
400          Bad Request                                            ✓ ✓
401          Unauthorized                                           ✓
402          Payment Required                                       ✓
403          Forbidden                                              ✓ ✓
404          Not Found                                              ✓ ✓
405          Method Not Allowed                                     ✓ ✓
406          Not Acceptable                                         ✓ ✓
407          Proxy Authentication Required                          ✓ ✓
408          Request Timeout                                        ✓ ✓
409          Conflict                                               ✓
410          Gone                                                   ✓ ✓
411          Length Required                                        ✓
412          Precondition Failed                                    ✓
413          Request Entity Too Large                               ✓ ✓
414          Request-URI Too Large                                  ✓ ✓
415          Unsupported Media Type                                 ✓ ✓
416          Unsupported URI Scheme                                 ✓ ✓
417          Unknown Resource-Priority                              ✓ ✓
420          Bad Extension                                          ✓
421          Extension Required                                     ✓
423          Interval Too Brief                                     ✓
481          Call/Transaction Does Not Exist                        ✓
483          Too Many Hops                                          ✓
485          Ambiguous                                              ✓
486          Busy Here                                              ✓
488          Not Acceptable Here                                    ✓
530          User not logged in                                                                                             Brute Force FTP
535          Authentication unsuccessful/Bad username or password                                                           Brute Force SMTP
550          Mailbox Unavailable                                                                                            SMTP Scan
1045         Access denied for user                                                                                         Brute Force MySQL
8003         Response, No such name                                                                                         Brute Force DNS
18456        Login Failed                                                                                                   Brute Force MSSQL
"-ERR"       General POP3 error                                                                                             Brute Force POP3
No           generic error code                                                                                             Brute Force IMAP

Server Cracking Protection Limitations


Server Cracking Protection has the following known limitations:
• Server Cracking protection relies on generic protocol error messages - The signatures of Server Cracking protection are based on these messages, which are defined in protocol RFCs. Server Cracking Protection can identify traffic using these generic errors, but Server Cracking Protection might miss cracking attempts of applications and services that do not use generic protocol error messages.
• Web servers that respond with error messages inside the HTTP content or use HTTP 200 OK might not be inspected, and malicious attempts will not be detected and blocked.
• Web authentication - When the authentication is done at the application level without using HTTP error codes, the Server Cracking module will not be able to detect the attack.
• Web scans - When the server replies with HTTP 200 OK to requests, the Server Cracking module will not be able to detect the attack. While this practice is not recommended by the RFC, it is sometimes used by Web server administrators. Support for such customized error pages is planned.
Server Protection Attacks
Server Cracking Protection profiles are defined using the predefined attacks listed here. Each attack protects against one specific cracking activity.

To show the attack parameters:


1. Select DDoS Protector > Server Protection > Cracking Protection > Attacks.
2. From the attacks table, click the ID of the attack that you want to show.
Parameter Description

ID The unique identifying number.

Attack Name The user-defined name for this attack. The Attack Name is used when DoS
Shield sends information about attack status changes.

Action Mode The action that DDoS Protector takes when an attack is detected.
Values:
• Drop - DDoS Protector discards the packets.
• Report - DDoS Protector forwards the packets to the defined destination.
Risk The risk assigned to this attack for reporting purposes.
Values: Info, Low, Medium, High

Direction The direction of the traffic to inspect. A protection may include attacks that
should be searched only for traffic from client to server or only on traffic from
server to client.
Values:
• Inbound - The protection inspects traffic from policy Source to policy Destination.
• Out Bound - The protection inspects traffic from policy Destination to policy Source.
• Inbound & Outbound - The protection inspects all traffic between policy Source and policy Destination.
Suspend Action Specifies what traffic to suspend for a period of time.
Values:
• None - Suspend action is disabled for this attack.
• SrcIP - All traffic from the IP address identified as the source of the attack is suspended.
• SrcIP, DestIP - Traffic from the IP address identified as the source of the attack to the destination IP address under attack is suspended.
• SrcIP, DestPort - Traffic from the IP address identified as source of the attack to the application (destination port) under attack is suspended.
• SrcIP, DestIP, DestPort - Traffic from the IP address identified as the source of the attack to the destination IP address and port under attack is suspended.
• SrcIP, DestIP, SrcPort, DestPort - Traffic from the IP address and port identified as the source of the attack to the destination IP address and port under attack is suspended.
Sensitivity The detection sensitivity of the module. The sensitivity level defines thresholds for the number and frequency of server-side error messages. These messages are tracked for attack detection. High sensitivity specifies that the protection needs few cracking attempts to trigger the protection. Minor sensitivity specifies that the appliance needs a very high number of attempts.
Values: High, Medium, Low, Minor
Default: Medium
If you are protecting a Web server that is not maintained or not updated, it may
generate HTTP-error replies at an abnormal rate, which the appliance will
falsely identify as an attack. In such a case, set the sensitivity to Low.

Server Cracking Protection Profiles


Server Cracking profiles defend the applications in your network against server flooding,
authorization hacking, vulnerability scanning, and application floods. Each protection protects
against one specific cracking activity.

You configure Server Cracking profiles with defined protections.


Each DDoS Protector appliance supports up to 20 Server Cracking profiles.
Before you configure a Server Cracking profile, ensure the following:
• The Session table Lookup Mode is Full Layer 4.
• IPS protection is enabled and the global parameters are configured.

To define a new server cracking protection profile:


1. Select DDoS Protector > Server Protection > Cracking Protection > Profiles.
2. Click Create.
3. In the Cracking Protection Profile text box, type the name for the new profile.
4. From the Cracking Protection Attack drop-down list, select an attack to participate in the
Cracking Protection profile.
5. From the Sensitivity drop-down list, select the detection sensitivity of the module. The sensitivity level defines thresholds for the number and frequency of server-side error messages. These messages are tracked for attack detection. High sensitivity specifies that the protection needs few cracking attempts to trigger the protection. Minor sensitivity specifies that the appliance needs a very high number of attempts.
If you are protecting a Web server that is not maintained or not updated, it may generate HTTP-error replies at an abnormal rate, which the appliance will falsely identify as an attack. In such a case, set the sensitivity to Low.
• Values: High, Medium, Low, Minor
• Default: Medium
6. From the Risk drop-down list, select the risk assigned to this attack for reporting purposes.
• Values: Info, Low, Medium, High
7. From the Action drop-down list, select the action that the appliance takes when an attack that matches the configured protection occurs.
• Values: Block and Report, Report Only
• Default: Report Only
8. From the Packet Trace Status drop-down list, specify whether DDoS Protector sends sampled attack packets to APSolute Vision for offline analysis.
• Default: Disabled
9. Click Set.
In each Server Cracking policy, you can use only one Server Cracking profile. Therefore, ensure that all the Cracking Protection Attacks that you want to apply to a policy are contained in the profile specified for that policy.
10. Do these steps to add all the additional Cracking Protection Attacks:
a) Select DDoS Protector > Server Protection > Server Cracking Protection > Profiles.
b) Click the profile and Create. The Add Cracking Protection Attack To Profile pane opens with only the Cracking Protection Profile parameter displayed read-only.
c) Perform step 4 and step 5.

SIP-Cracking Protection Global Parameters


SIP Cracking protection, which provides VoIP protection similar to FTP, POP3, and server-based
crack protections, is designed to detect and mitigate the following types of threats:
• Brute-force and dictionary attacks - On registrar and proxy SIP servers.
• SIP application scanning activities - On SIP servers and SIP phones.
• SIP DoS flood attacks - On SIP servers and SIP phones. The types of attacks that are detected through the SIP crack mechanism include those that use repeated spoofed register and invite messages.
• Pre-SPIT (Spam over IP Telephony) activities - TO TAG Invite messages are used.
DDoS Protector detects attacks based on the frequency and quantity of SIP reply codes. DDoS
Protector performs analysis of authentication, call initiation, registration processes, and reply
codes per source IP address and the SIP URI (SIP FROM).
A SIP server can send replies and error responses to clients either on the same connection or
open a new connection for this purpose. This is also applicable for UDP, where either the same
flow or a new one is used. To support such environments, the SIP Server Cracking protection can
monitor all outgoing messages from the protected server to the SIP Application Port Group or
from the SIP Application Port Group.
When DDoS Protector detects an attack, it does the following:
 Adds the source IP address of the attacker to the Suspend table. The suspend entry will have
both the SIP port and the server IP address.
 Blocks all traffic from the attacker to the protected server and to the SIP Application Port
group. The appliance also drops existing sessions or flows from the attacker to the protected
server and to the Application Port Group.
Before you configure global SIP Cracking Protection, you must configure a profile that includes
SIP protection ("Server Protection Attacks" on page 101).
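As an added illustration (not DDoS Protector code), the following Python model tracks SIP error replies per source IP, per SIP From URI, or both, and builds suspend entries that carry the SIP port and server IP once a count threshold is exceeded inside a window. The reply-code set, the threshold, the window, the meaning of "both" as the (source IP, URI) pair, and the sample messages are constructed assumptions; on the appliance the criteria come from the configured Cracking Protection Attack.

```python
"""Added example: tracking SIP reply codes the way SIP Cracking describes.

Illustrative code for this guide section, not DDoS Protector code. Server
replies are counted per source IP, per SIP From URI, or both; a source that
collects too many authentication/registration failures inside a window gets
a suspend entry carrying the SIP port and the server IP. The error-code set,
the threshold, the window and the sample messages are constructed assumptions.
"""
import re
from collections import defaultdict, deque

# Reply codes counted as failures (assumed: the ones a brute-force run or a
# scanner produces in bulk).
ERROR_CODES = {401, 403, 404, 407}

STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) ")
FROM_HEADER = re.compile(r'^(?:From|f):\s*(?:"[^"]*"\s*)?<?(sip:[^>;\s]+)', re.I | re.M)


def parse_response(raw: str):
    """Return (status_code, from_uri) for a SIP response, or None if not one."""
    m = STATUS_LINE.match(raw)
    if not m:
        return None
    f = FROM_HEADER.search(raw)
    return int(m.group(1)), (f.group(1).lower() if f else None)


class SipCrackTracker:
    """Counts error replies per tracking key and fills a suspend table."""

    def __init__(self, tracking="both", threshold=5, window=10.0):
        if tracking not in ("sip-uri", "source-ip", "both"):
            raise ValueError("tracking must be sip-uri, source-ip or both")
        self.tracking, self.threshold, self.window = tracking, threshold, window
        self.events = defaultdict(deque)   # key -> timestamps of error replies
        self.suspend = []                  # suspend table entries, in order
        self.suspended = set()             # source IPs currently blocked

    def _key(self, src_ip, from_uri):
        if self.tracking == "source-ip":
            return src_ip
        if self.tracking == "sip-uri":
            return from_uri
        return (src_ip, from_uri)          # "both": assumed to mean the pair

    def observe(self, ts, src_ip, server_ip, server_port, raw_response):
        """Feed one server-originated reply addressed to src_ip.

        Returns the new suspend entry when this reply trips the threshold,
        otherwise None.
        """
        parsed = parse_response(raw_response)
        if parsed is None or parsed[0] not in ERROR_CODES:
            return None
        key = self._key(src_ip, parsed[1])
        stamps = self.events[key]
        stamps.append(ts)
        while stamps and ts - stamps[0] > self.window:   # slide the window
            stamps.popleft()
        if len(stamps) >= self.threshold and src_ip not in self.suspended:
            self.suspended.add(src_ip)
            entry = {"source_ip": src_ip, "sip_port": server_port,
                     "server_ip": server_ip, "tracked_as": key}
            self.suspend.append(entry)
            return entry
        return None

    def is_blocked(self, src_ip):
        return src_ip in self.suspended


def make_reply(code, reason, from_uri):
    """Build a minimal, constructed SIP response for the sample below."""
    return (f"SIP/2.0 {code} {reason}\r\nVia: SIP/2.0/UDP 203.0.113.5:5060\r\n"
            f"From: <{from_uri}>;tag=a1\r\nTo: <{from_uri}>\r\nCall-ID: c1\r\n"
            f"CSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n")


# Constructed sample: one legitimate client that mistypes a password once,
# and one source cycling REGISTER attempts over three accounts.
SAMPLE = [(0.0, "203.0.113.5", 401, "Unauthorized", "sip:alice@example.net"),
          (0.4, "203.0.113.5", 200, "OK", "sip:alice@example.net")]
SAMPLE += [(1.0 + i * 0.2, "198.51.100.7", 403, "Forbidden", f"sip:user{i % 3}@example.net")
           for i in range(8)]


def run_sample(tracking="source-ip"):
    """Replay SAMPLE against a protected server 192.0.2.10:5060 (constructed)."""
    tracker = SipCrackTracker(tracking=tracking, threshold=5, window=10.0)
    for ts, src, code, reason, uri in SAMPLE:
        tracker.observe(ts, src, "192.0.2.10", 5060, make_reply(code, reason, uri))
    return tracker


if __name__ == "__main__":
    for mode in ("source-ip", "sip-uri", "both"):
        print(mode, "->", run_sample(mode).suspend)
```

With source-ip tracking the cycling source is suspended on its fifth failure, while sip-uri or both tracking never sees five failures for any single account, which is why the tracking type matters for dictionary attacks spread over many users.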

To configure global SIP Cracking Protection:

1. Select DDoS Protector > Server Protection > Server Cracking Protection > SIP Cracking.
2. Configure the parameters, and then click Set.
Parameter Description

SIP-Crack Tracking type: The data that the SIP Cracking feature monitors.
Values: sip-uri, source-ip, both

SIP-Crack Application-reset: The SIP error code that is sent back to the source IP address.
Values:
• ambiguous: Event number 485. Request-URI is ambiguous/not assigned.
• busy-everywhere: Event number 600. All possible destinations are busy.
• busy-here: Event number 486. User busy.
• decline: Event number 603. Call rejected.
• forbidden: Event number 403.
• not-acceptable-error: Event number 406. Client Failure Response. The resource identified by the request is only capable of generating response entities that have content characteristics not acceptable according to the Accept header field sent in the request.
• not-acceptable-fail: Event number 606. Global Failure Response. The user agent was contacted successfully, but some aspects of the session description, such as the requested media, bandwidth, or addressing style, were not acceptable.
• not-acceptable-here: Event number 488. Some aspects of the session description of the Request-URI are not acceptable.
• not-found: Event number 404. The user does not exist at the specified domain.
• request-terminated: Event number 487. The request was terminated by a BYE or CANCEL.
• temporarily-unavailable: Event number 480. The user is currently unavailable.
Default: not-acceptable-error

SIP-Crack Server-Originated-sessions: Enables detection of error codes on sessions that originate from the server to the client.
Default: Disabled

Protected Servers
Server Protection policies protect servers against targeted attacks.
For each Server Protection policy, you can specify one HTTP Flood protection profile, one Server Cracking profile, and one VLAN tag. If the Server Protection policy contains a Server Cracking profile and no HTTP Flood Protection profile, you can configure the policy for ranges, networks, or a discrete IP address. If the Server Protection policy includes an HTTP Flood Protection profile, you can configure the policy only for a discrete IP address. These profiles are activated when DDoS Protector identifies an attack on a protected server.
You can configure up to 20 different Server Cracking profiles on a DDoS Protector appliance. You
can use the same Server Cracking profile for multiple Server Protection policies.
You can configure up to 280 Server Protection policies that include an HTTP Flood protection
profile.
You can configure up to 350 Server Protection policies that do not include an HTTP Flood
protection profile.
By default, DDoS Protector can protect up to 350 servers (with discrete IP addresses) that are
protected with Server Cracking profiles, but you can tune a DDoS Protector appliance to support
up to 10,000 servers.
Before you configure Server Protection profiles for a Server Protection policy, ensure that you
have enabled all the required protections and configured the corresponding global protection
parameters.

Configuring a Server Protection Policy


The Server Protection table contains the protected servers and the actions that DDoS Protector
takes when an attack on a protected server is detected.
You can add servers manually to the Server Protection table or the Service Discovery mechanism
adds discovered servers to the table.
The name of a discovered server in the Server Protection table is in the following format:
<Number>_<NetworkProtectionPolicyName>
where:
• <Number> is a number that the DDoS Protector appliance generates serially.
• <NetworkProtectionPolicyName> is the Network Protection policy that discovered the server.
Example: 234_MyNetPolicyN

To configure a protected server:

1. Select DDoS Protector > Server Protection > Protected Servers.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Name: The name of the server.
Maximum characters: 30

IP: The IP address of the protected server. You can assign an HTTP-flood-mitigator profile to a server definition that contains one discrete IP address. You can assign a Server Cracking profile to ranges, networks, and discrete IP addresses.

HTTP mitigator Profile: The HTTP-flood-mitigator profile that the appliance activates against an attack.

Server Cracking Protection: The Server Cracking profile that the appliance activates against an attack.

State: Values:
• active: The server protection is active.
• inactive: The server protection is inactive, but DDoS Protector maintains baselines and the configuration of the associated HTTP profile.
Default: active

Packet Trace: Specifies whether the policy sends attack packets to the specified physical port.
Default: Disabled

Packet Trace configuration on policy takes precedence: Specifies whether the configuration of the Packet Trace feature here, on this policy, takes precedence over the configuration of the Packet Trace feature in the associated profiles.

Policy Name: The name of the Network Protection policy to which this Server Protection policy belongs.

Packet Report: Specifies whether the appliance sends sampled attack packets to APSolute Vision for off-line analysis.
Default: Disabled

Packet Report configuration on policy takes precedence: Specifies whether the configuration of the Packet Reporting feature here, on this policy, takes precedence over the configuration of the Packet Reporting feature in the associated profiles.

VLAN Tag group: The VLAN Tag Group of the traffic.

Server Status: The status of the server, especially in the context of the Service Discovery mechanism.
Values:
• static: The server is a static member of the Server Protection table, and it is protected if the State is active. If the server is a discovered server, the Service Discovery mechanism does not revalidate the server.
• ignored: The server is ignored, with no protection from the appliance. The DDoS Protector appliance maintains no baselines or associated HTTP profile configuration for the server.
• discovered: The Service Discovery mechanism discovered the server, and it is protected if the State is active. The Service Discovery mechanism revalidates the server according to the specified Revalidation Time.
• revalidating: For internal use only. The Service Discovery mechanism is currently checking again whether the server meets the Tracking-Time-Responses-per-Minute criteria.
• in evaluation: For internal use only. The Service Discovery mechanism is currently checking whether the server meets the Tracking-Time-Responses-per-Minute criteria.
For server entries that you create, you can only specify the Server Status static or ignored.
You can change the Server Status from discovered only to static or ignored.
You cannot change the Server Status once you specify ignored. You can delete the server entry if required.

Discoverer Policy: Specifies the Network Protection policy with a Service Discovery profile that added the server to the Server Protection table.
You can modify a Discoverer Policy only for a server whose Server Status is discovered.

Next Re-evaluation (Read-only): The time remaining, in dd:hh:mm format, before DDoS Protector revalidates the profile.

Server Protection Import


Use the Import Server to Device pane to import a Server Protection policy.

To import a Server Protection policy:

1. Select DDoS Protector > Server Protection > Import.
2. Configure the parameters, and click Set.
Parameter Description

Update Policy: Values:
• Enabled: After successfully uploading a template to an appliance, an Update Policies (Activate Latest Changes) action is automatically initiated.
• Disabled: After successfully uploading a template to an appliance, an Update Policies (Activate Latest Changes) action is required to activate the uploaded policy.
Default: Enabled

Override Existing Configuration: Values:
• Enabled: The template adds the policy and profile configurations, and any baselines. If a policy or profile with the same name exists in a target appliance, the template overwrites it.
• Disabled: The template adds the policy and profile configurations, and any baselines. If a policy or profile with the same name exists in a target appliance, the update fails.
Default: Enabled

Policy File: The file path of the template file.

Server Protection Export


Use the Server Protection Policies Export pane to export a Server Protection policy.
You can export and import Server Protection policies. The exported information is referred to as a template. The template can include the policy configuration (that is, the definitions and security settings) and/or policy baselines. A template from a Server Protection policy can include learned baselines from the associated HTTP Flood profiles.

To export a Server Protection policy:

1. Select DDoS Protector > Server Protection > Export.
2. Configure the parameters, and click Set.
3. Follow the instructions for opening or saving the template file.
The default filename uses the following format:
server_<PolicyName>_<DeviceName>__<ddMMyyyy>_<hhmmss>.txt
Example:
server_MyPol012_MyDevice_19052014_145044.txt
Parameter Description

Name: The name of the policy.

Configuration: Specifies whether DDoS Protector exports the template with the configuration of the policy.
Default: Enabled

HTTP Flood Baseline: Specifies whether DDoS Protector exports the template with the current HTTP normal-traffic baseline of the policy.
Default: Enabled

Server Protection Delete


Use the Server Protection Policies Delete pane to delete a Server Protection policy and all related objects.

To delete a policy and all associated configuration objects:

1. Select DDoS Protector > Server Protection > Delete.
2. Configure the parameters, and click Set.
Parameter Description

Name: The name of the policy.

Update Policies: Values:
• Enabled: After successfully deleting the policy, an Update Policies (Activate Latest Changes) action is automatically initiated.
• Disabled: After successfully deleting the policy, an Update Policies (Activate Latest Changes) action is required for the configuration to take effect.
Default: Enabled

Denial of Service
Behavioral DoS
Behavioral DoS Global Parameters
Behavioral DoS (Behavioral Denial of Service) Protection, which you can use in your network-protection policy, defends your network from zero-day network-flood attacks. These attacks fill available network bandwidth with irrelevant traffic, denying use of network resources to legitimate users. The attacks originate in the public network and threaten Internet-connected organizations.
The Behavioral DoS profiles detect traffic anomalies and prevent zero-day, unknown, flood attacks by identifying the footprint of the anomalous traffic.
Network-flood protection types include:
• TCP floods, which include TCP Fin + ACK Flood, TCP Reset Flood, TCP SYN + ACK Flood, and TCP Fragmentation Flood
• ICMP flood
• IGMP flood
Before you configure BDoS Protection profiles, enable BDoS Protection.
Changing the setting of this parameter requires a reboot to take effect.

To enable Behavioral DoS protection:

1. Select DDoS Protector > Behavioral DoS > Global Parameters.
2. Select Enable from the drop-down list.

Advanced BDoS
Behavioral DoS Profiles Advanced
A Behavioral DoS profile defines the set of protocols for protection, which can then be assigned to
the Behavioral DoS policy.
Use the Behavioral DoS Profiles Advanced Configuration pane to configure Behavioral DoS
profiles with advanced parameters, which include manual quota settings.
The recommended settings for policies that include Behavioral DoS profiles are as follows:
• Configure policies containing Behavioral DoS profiles using Networks with source = Any (the public network) and destination = Protected Network. It is recommended to create multiple Behavioral DoS rules, each one protecting a specific server segment (for example, a DNS server segment, Web server segments, Mail server segments, and so on). This ensures optimized learning of normal traffic baselines.
• It is not recommended to define a network with the Source and Destination set to Any, because the appliance collects statistics globally with no respect to inbound and outbound directions. This may result in lowered sensitivity to detecting attacks.
• When the Direction of a policy is set to One Way, the rule prevents incoming attacks only. When the Direction is set to Two Way, the rule prevents both incoming and outgoing attacks. In both cases, the traffic statistics are collected for incoming and outgoing patterns to achieve optimal detection.
Check Point recommends that you initially leave the quota fields (for example, TCP In quota) empty so that the default values are used automatically. To view the default values after creating the profile, click the entry in the table. You can then adjust quota values based on your network performance.
The total quota values may exceed 100%, because each value represents the maximum volume per protocol.

To configure a behavioral DoS profile with advanced parameters:

1. Select DDoS Protector > Denial of Service > Behavioral DoS > Advanced > Profiles Configuration.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Profile Name: The user-defined name for the profile.

SYN Flood status: Specifies whether the profile protects against SYN Flood attacks.
Default: inactive

TCP Reset Flood status: Specifies whether the profile protects against TCP Reset Flood attacks.
Default: inactive

TCP FIN+ACK Flood status: Specifies whether the profile protects against TCP FIN+ACK Flood attacks.
Default: inactive

TCP SYN+ACK Flood status: Specifies whether the profile protects against TCP SYN+ACK Flood attacks.
Default: inactive

TCP Fragmented Flood status: Specifies whether the profile protects against TCP Fragmented Flood attacks.
Default: inactive

UDP Flood status: Specifies whether the profile protects against UDP Flood attacks.
Default: inactive

UDP Fragmented Flood status: Specifies whether the profile protects against UDP Fragmented Flood attacks.
Default: inactive

IGMP Flood status: Specifies whether the profile protects against IGMP Flood attacks.
Default: inactive

ICMP Flood status: Specifies whether the profile protects against ICMP Flood attacks.
Default: inactive

Configuration of the inbound traffic in [Kbit/Sec]: The highest expected volume of inbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings.
Values: 0 to 2,147,483,647
You must configure this setting to start Behavioral DoS protection.

Configuration of the outbound traffic in [Kbit/Sec]: The highest expected volume of outbound traffic, expressed in Kbit/s, on the relevant network segment. DDoS Protector derives the initial baselines from the bandwidth and quota settings.
Values: 0 to 2,147,483,647
You must configure this setting to start Behavioral DoS protection.

TCP In quota: The maximum expected percentage of inbound TCP traffic out of the total traffic.

UDP In quota: The maximum expected percentage of inbound UDP traffic out of the total traffic.

ICMP In quota: The maximum expected percentage of inbound ICMP traffic out of the total traffic.

IGMP In quota: The maximum expected percentage of inbound IGMP traffic out of the total traffic.

TCP Out quota: The maximum expected percentage of outbound TCP traffic out of the total traffic.

UDP Out quota: The maximum expected percentage of outbound UDP traffic out of the total traffic.

ICMP Out quota: The maximum expected percentage of outbound ICMP traffic out of the total traffic.

IGMP Out quota: The maximum expected percentage of outbound IGMP traffic out of the total traffic.

Transparent Optimization process: Specifies whether transparent optimization is enabled.
Some network environments are more sensitive to dropping packets (for example, VoIP); therefore it is necessary to minimize the probability that legitimate traffic is dropped by the IPS appliance. This transparent optimization can occur during the BDoS closed-feedback iterations until a final footprint is generated.
When transparent optimization is enabled, the profile does not mitigate the attack until the final footprint is generated, which takes several seconds.

UDP packet rate detection sensitivity: Specifies to what extent the BDoS engine considers the UDP PPS-rate values (baseline and current).
This parameter is relevant only for BDoS UDP protection.
Values:
• Disable
• Low
• Medium
• High
Default: Low

Packet Report Status: Specifies whether the profile sends sampled attack packets to APSolute Vision for off-line analysis.
Values: enable, disable
Default: enable

Packet Trace Status: Specifies whether the profile sends attack packets to the specified physical port.
Values: enable, disable
Default: disable

Behavioral DoS Advanced — Global Parameters


Use the Behavioral DoS Advanced Setting pane to set advanced BDoS parameters that apply to all BDoS profiles.
You must configure network flood protection separately for TCP floods, UDP floods, ICMP floods, and IGMP floods.

To set the behavioral DoS advanced settings:

1. Select DDoS Protector > Denial of Service > Behavioral DoS > Advanced > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description

Learning response period: The initial period from which baselines are primarily weighted. The default and recommended learning response period is one week. If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change more than 50% daily), set the learning response to one month. Use a one-day period for testing purposes only.
Values: day, week, month
Default: Week

Sampling Status: Specifies whether the BDoS module uses traffic-statistics sampling during the creation phase of the BDoS footprint. When the BDoS module is trying to generate a real-time signature and there is a high rate of traffic, the appliance evaluates only a portion of the traffic. The BDoS module tunes the sampling factor automatically, according to the traffic rate. The BDoS module screens all traffic at low traffic rates (below 100K PPS) and only a portion of the traffic at higher rates (above 100K PPS).
Default: enable
For best performance, Check Point recommends that the parameter be enabled.

Always Include Destination IP Address in Footprints: Specifies whether DDoS Protector always includes the destination IP-address field in BDoS footprints. Enabling this option is intended for advanced users with specific cases. Typically, this option is for managed security-service providers (MSSPs) who need to distinguish between attacks targeting separate customers within the same BDoS policy.
Default: disable
Note: Enabling this option entails certain risks. One risk is that if for some reason the destination IP-address field cannot be part of the footprint, DDoS Protector enters the Anomaly state and forwards the traffic through the appliance without further processing.
When this option is enabled, the Footprint Strictness calculation ignores the destination IP-address field. The destination IP-address field is considered as an additional AND over the specified Footprint Strictness.

Footprint Strictness: When the Behavioral DoS module detects a new attack, the module generates an attack footprint to block the attack traffic. If the Behavioral DoS module is unable to generate a footprint that meets the footprint-strictness condition, the module issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint. However, higher strictness increases the probability that the appliance cannot generate a footprint.
Values:
• High: Requires at least two Boolean AND operators and no other Boolean OR value in the footprint. This level lowers the probability of false positives but increases the probability of false negatives.
• Medium: Requires at least one Boolean AND operator and no more than two additional Boolean OR values in the footprint.
• Low: Allows any footprint suggested by the Behavioral DoS module. This level achieves the best attack blocking, but increases the probability of false positives.
Default: Low
DDoS Protector always considers the checksum field and the sequence number field as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered as High Footprint Strictness.
See the table below for examples of footprint strictness requirements.

Suppression Threshold: The percentage of the specified bandwidth below which DDoS Protector suppresses BDoS-baseline learning.
The Suppression Threshold feature helps preserve a good BDoS-baseline value in scenarios where, at times, DDoS Protector handles very little traffic. There are two typical such scenarios:
• Out-of-path deployments: In an out-of-path deployment, DDoS Protector is triggered upon attack detection, when traffic is diverted through DDoS Protector for mitigation. During an attack, the traffic is diverted and routed through DDoS Protector. During peacetime, no traffic passes through DDoS Protector (except for maintenance messages). When no traffic is diverted to DDoS Protector, the BDoS learning must be suppressed to prevent extremely low values from affecting the baseline and ultimately increasing the susceptibility to false positives.
• Environments where traffic rates change dramatically throughout the day.
The specified bandwidth refers to the Configuration of the outbound traffic in [Kbit/Sec] and Configuration of the inbound traffic in [Kbit/Sec] parameters under DDoS Protector > Denial of Service > Behavioral DoS > Behavioral DoS Profiles.
The Suppression Threshold applies to all BDoS profiles and controllers, but DDoS Protector calculates the threshold per Network Protection policy and specified Direction (DDoS Protector > Policies > Table). For one-way policies, the Suppression Threshold considers the inbound bandwidth. DDoS Protector treats two-way policies as two policies, so the Suppression Threshold calculates the bandwidth for each policy (inbound/outbound).
Values:
• 0: Specifies that BDoS profiles use no Suppression Threshold.
• 1 to 50
Default: 0
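The following Python model, added here and not part of the product, shows how the Suppression Threshold keeps the peacetime samples of an out-of-path deployment out of the baseline, and how a two-way policy yields separate inbound and outbound limits. The EWMA learning rule, the bandwidth figures and the traffic samples are constructed assumptions.

```python
"""Added example: Suppression Threshold applied to BDoS baseline learning.

This is an illustrative model written for this section, not DDoS Protector
code. Learning is modelled as an exponentially weighted moving average
(EWMA) of per-interval Kbit/s samples; that rule, the bandwidth figures and
the traffic samples are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class BdosProfile:
    # "Configuration of the inbound/outbound traffic in [Kbit/Sec]"
    inbound_kbps: int
    outbound_kbps: int


@dataclass
class Policy:
    name: str
    direction: str          # "oneway" or "twoway", as in Policies > Table
    profile: BdosProfile


def suppression_limits(policy: Policy, threshold_pct: int) -> dict:
    """Kbit/s floor per learned direction; learning is suppressed below it.

    0 disables suppression (empty dict). One-way policies use only the
    inbound bandwidth; two-way policies are treated as two policies with
    one limit each, as the guide describes.
    """
    if not 0 <= threshold_pct <= 50:
        raise ValueError("Suppression Threshold must be 0 or 1-50 percent")
    if threshold_pct == 0:
        return {}
    limits = {"inbound": policy.profile.inbound_kbps * threshold_pct / 100}
    if policy.direction == "twoway":
        limits["outbound"] = policy.profile.outbound_kbps * threshold_pct / 100
    return limits


def learn_baseline(samples, limit=None, alpha=0.2):
    """EWMA baseline over Kbit/s samples, ignoring samples below `limit`.

    Returns (baseline, used, suppressed). The first accepted sample seeds
    the baseline.
    """
    baseline, used, suppressed = None, 0, 0
    for kbps in samples:
        if limit is not None and kbps < limit:
            suppressed += 1
            continue
        used += 1
        baseline = kbps if baseline is None else baseline + alpha * (kbps - baseline)
    return baseline, used, suppressed


# Constructed out-of-path scenario: nothing is diverted in peacetime, then
# roughly 800-900 Mbit/s flows through the appliance during two mitigations.
OUT_OF_PATH_SAMPLES = [0, 0, 0, 800_000, 900_000, 0, 0, 850_000]

SCRUBBING = Policy("oop-web", "oneway",
                   BdosProfile(inbound_kbps=1_000_000, outbound_kbps=200_000))
CAMPUS = Policy("campus", "twoway",
                BdosProfile(inbound_kbps=1_000_000, outbound_kbps=200_000))


def compare(threshold_pct: int):
    """Baseline learned for SCRUBBING with the given Suppression Threshold."""
    limit = suppression_limits(SCRUBBING, threshold_pct).get("inbound")
    return learn_baseline(OUT_OF_PATH_SAMPLES, limit)


if __name__ == "__main__":
    print("threshold 0  :", compare(0))
    print("threshold 5% :", compare(5))
    print("two-way limits:", suppression_limits(CAMPUS, 5))
```

With the threshold at 0 the idle intervals drag the learned baseline to roughly a third of the real mitigation rate; with 5% they are skipped and the baseline tracks the diverted traffic.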

Footprint Strictness Examples

Footprint Example                          Low   Medium   High
TTL                                        Yes   No       No
TTL AND Packet Size                        Yes   Yes      No
TTL AND Packet Size AND Destination Port   Yes   Yes      Yes
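An added Python example (not the appliance's own logic) that classifies a candidate footprint against the three strictness levels using the rules above, including the checksum/sequence-number rule and the destination-IP exclusion, and reproduces the table's three rows. Counting every value beyond the first in an OR'd field as one "additional OR value", and the field names and values, are assumptions.

```python
"""Added example: classifying a BDoS footprint against Footprint Strictness.

Illustrative code for this guide section, not DDoS Protector's own logic.
A footprint is modelled as a dict of header field -> list of values: the
fields are joined by AND, and a field with several values is an OR over
them. Counting each value beyond the first as one "additional OR value"
is an assumption.
"""

LEVELS = ("Low", "Medium", "High")
# Fields the guide treats as High strictness on their own.
HIGH_FIELDS = {"checksum", "sequence-number"}
# Ignored by the strictness calculation when "Always Include Destination
# IP Address in Footprints" is enabled (it is then an extra AND on top).
DEST_IP = "destination-ip"


def strictness_level(footprint: dict, always_include_dst_ip: bool = False) -> str:
    """Highest strictness level that the footprint satisfies."""
    terms = {f: list(v) for f, v in footprint.items()
             if not (always_include_dst_ip and f == DEST_IP)}
    if not terms:
        raise ValueError("footprint has no usable fields")
    if set(terms) <= HIGH_FIELDS:
        return "High"          # only checksum and/or sequence number
    and_ops = len(terms) - 1
    or_values = sum(len(v) - 1 for v in terms.values())
    if and_ops >= 2 and or_values == 0:
        return "High"
    if and_ops >= 1 and or_values <= 2:
        return "Medium"
    return "Low"


def meets(footprint: dict, configured: str, always_include_dst_ip=False) -> bool:
    """True if the footprint meets the configured Footprint Strictness."""
    achieved = strictness_level(footprint, always_include_dst_ip)
    return LEVELS.index(achieved) >= LEVELS.index(configured)


def decide(footprint: dict, configured: str, always_include_dst_ip=False) -> str:
    """'block' when the footprint is usable, otherwise 'notify only'."""
    return "block" if meets(footprint, configured, always_include_dst_ip) else "notify only"


# The guide's three example rows, with constructed field values.
EXAMPLES = {
    "TTL": {"ttl": [64]},
    "TTL AND Packet Size": {"ttl": [64], "packet-size": [60]},
    "TTL AND Packet Size AND Destination Port":
        {"ttl": [64], "packet-size": [60], "destination-port": [53]},
}


def strictness_table():
    """Rebuild the 'Footprint Strictness Examples' table as {row: {level: bool}}."""
    return {name: {lvl: meets(fp, lvl) for lvl in LEVELS}
            for name, fp in EXAMPLES.items()}


if __name__ == "__main__":
    for row, cells in strictness_table().items():
        print(f"{row:42} " + "  ".join("Yes" if cells[l] else "No" for l in LEVELS))
```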

Behavioral DoS — Learning Reset


Use the Behavioral DoS Learning Reset pane to reset the learning period for specific policies or all
policies.
Behavioral DoS protection learns traffic parameters from the transport layer of incoming packets
and generates normative baselines for traffic.
The Learning Period setting defines the period based upon which baselines are primarily
weighted.
When the baseline for the policy is reset, the baseline traffic statistics are cleared, and then DDoS
Protector immediately initiates a new learning period. Generally, this is done when the
characteristics of the protected network have changed entirely and bandwidth quotas need to be
changed to accommodate the network changes.

To reset the behavioral DoS policy baseline:


1. Select DDoS Protector > Behavioral DoS > Advanced > Learning Reset.
2. From the Reset Baseline For Policy drop-down list, select a policy or select All Policies.
3. Click Set.

Mitigation Configuration
Attack Termination Configuration for Behavioral DoS Protection
The DDoS Protector BDoS mechanism assigns various internally defined states to each protection (belonging to the BDoS policy and Protection Type).
The internally defined states for protections include the following:
• Normal state
• Analysis state (state 2)
• Blocking state (state 6)
• Anomaly state (state 3)
• Non-strictness state (state 7)
DDoS Protector assigns the Non-strictness state when it was not able to generate a DoS-attack footprint that meets the specified Footprint Strictness ("Behavioral DoS Advanced — Global Parameters" on page 114).
As soon as DDoS Protector detects anomalous traffic, the protection changes state from Normal to Analysis. By default, if DDoS Protector detects anomalous traffic for less than a specified threshold, the protection changes state back to Normal.
In a laboratory environment, it is possible to generate traffic that exhibits periodic behavior in terms of traffic volume. Such traffic in a test attack typically looks like a square-wave function. When such test attacks exhibit peaks and troughs of certain durations, DDoS Protector considers the attack to have ended (terminated), switching back to the Normal state and never blocking the attack. The advanced mitigation interface for BDoS lets you extend pre-termination durations so that such traffic is blocked.
In a production environment, highly orchestrated and synchronized attacks are unlikely, and the default values in a DDoS Protector appliance configuration are adequate.

To configure behavioral DoS attack-termination criteria:

1. Select DDoS Protector > Denial of Service > Behavioral DoS > Mitigation Configuration > Attack Termination Configuration.
2. Configure the parameters and click Set.
Parameter Description

Stability Counter State 2: The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Analysis state. DDoS Protector declares the attack to be terminated immediately when this value is 0.
Values: 0 to 30
Default: 0

Stability Counter State 6: The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Blocking state. DDoS Protector declares the attack to be terminated immediately when this value is 0. There is no typical use case for reducing the value from the default.
Values: 0 to 300
Default: 10

Stability Counter State 3 and 7: The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Anomaly state or the Non-strictness state. DDoS Protector declares the attack to be terminated immediately when this value is 0.
Values: 0 to 300
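The square-wave scenario above, as an added simplified model that is not the appliance's own state machine: a degree-of-attack scale of 0 to 10 with a threshold of 5, one sample per second, and a 10-second Analysis phase (the default footprint time named under early blocking) are assumptions, and the Anomaly and Non-strictness states are omitted.

```python
"""Added example: a simplified model of BDoS attack termination.

Illustrative code for this guide section, not the appliance's own state
machine. Assumptions: the degree of attack is sampled once a second on a
constructed 0-10 scale, the hard-coded threshold is 5, the Analysis state
hands over to Blocking after the 10-second default footprint time, and the
Anomaly and Non-strictness states (3 and 7) are not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional

NORMAL = "Normal"
ANALYSIS = "Analysis (state 2)"
BLOCKING = "Blocking (state 6)"

DEGREE_THRESHOLD = 5      # assumed stand-in for the hard-coded threshold
ANALYSIS_SECONDS = 10     # default footprint-generation time from the guide


@dataclass
class Run:
    states: List[str] = field(default_factory=list)   # state after each second
    blocked_at: Optional[int] = None                  # first second in Blocking
    terminations: int = 0                             # times declared terminated


def simulate(degrees, stability_state2=0, stability_state6=10) -> Run:
    """Walk per-second degree-of-attack samples through the states.

    A stability counter of N means the degree must stay below the threshold
    for N consecutive seconds before the attack is declared terminated;
    0 terminates on the first sub-threshold second.
    """
    state, below, elapsed = NORMAL, 0, 0
    run = Run()
    for t, degree in enumerate(degrees):
        if state == NORMAL:
            if degree >= DEGREE_THRESHOLD:
                state, below, elapsed = ANALYSIS, 0, 0
            run.states.append(state)
            continue
        if degree >= DEGREE_THRESHOLD:
            below = 0                         # counter restarts on every peak
        else:
            below += 1
            limit = stability_state2 if state == ANALYSIS else stability_state6
            if below >= limit:
                state = NORMAL
                run.terminations += 1
                run.states.append(state)
                continue
        if state == ANALYSIS:
            elapsed += 1
            if elapsed >= ANALYSIS_SECONDS:   # footprint ready: start blocking
                state = BLOCKING
                if run.blocked_at is None:
                    run.blocked_at = t
        run.states.append(state)
    return run


def square_wave(seconds=30, high=3, low=2, level=8):
    """Constructed lab traffic: `high` seconds at `level`, then `low` idle seconds."""
    return [level if t % (high + low) < high else 0 for t in range(seconds)]


if __name__ == "__main__":
    for counter in (0, 3):
        run = simulate(square_wave(), stability_state2=counter)
        print(f"Stability Counter State 2 = {counter}: blocked at {run.blocked_at}, "
              f"terminated {run.terminations} times")
```

With the default counter of 0 every two-second trough terminates the attack and Blocking is never reached; a counter longer than the trough carries the protection across the gaps until the footprint is ready.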

Packet Header Field Selection for Behavioral DoS Protection


If the value in the Any Packet Header Field drop-down list in the Early Blocking Configuration Update pane is false ("Early Blocking Configuration for Behavioral DoS Protection" on page 120), you can select specific packet-header fields for early blocking of DoS traffic.
Note: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.

To select packet-header fields for early blocking of DoS traffic:

1. Select DDoS Protector > Denial of Service > Behavioral DoS > Advanced > Mitigation Configuration > Packet Header Fields Selection.
2. Select the protection type next to the relevant packet-header field.
3. From the Early Detection Condition drop-down list, select one of these options:
• yes: DDoS Protector must detect this field to generate a footprint in less than 10 seconds.
• no: DDoS Protector can use this field in the footprint, but it is not enough for early blocking.
4. Click Set.
Early Blocking Configuration for Behavioral DoS Protection
In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start blocking as soon as possible, even if accuracy is compromised. Using Early Blocking of DoS Traffic (configuring thresholds for generating DoS-attack footprints), you can shorten the Analysis state and start blocking the relevant traffic.
For more information on this feature, refer to the DDoS Protector User Guide.
Note: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DDoS Protector generates.

To configure early blocking of DNS DoS traffic:

1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation Configuration > Early Blocking Configuration.
2. Select the Protection type you want to configure for early blocking.
3. Configure the parameters and click Set.
Parameter Description

Any Packet Header Field: Specifies the parameters according to which the appliance blocks DoS traffic early.
Values:
• true: The appliance blocks DoS traffic early based on the specified number of packet-header fields and number of packet-header-field values thresholds.
• false: The appliance blocks DoS traffic early based on the fields as displayed in the Packet Header Field Selection for Behavioral DoS Protection (on page 119) pane.

Any Packet Header Field threshold: The number of anomalous packet-header fields that the appliance must detect to generate a footprint and change to the Blocking state prior to the default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.)
Values: 1 to 20
Default (per protection):
• ICMP: 17
• IGMP: 16
• TCP-ACK-FIN: 17
• TCP-FRAG: 17
• TCP-RST: 17
• TCP-SYN: 17
• TCP-SYN-ACK: 17
• UDP: 20

Packet Header Field Values: The number of anomalous packet-header-field values that the appliance must detect to generate a footprint and change to the Blocking state.
Values: 1 to 500
Default: 500

Behavioral DoS Footprint Bypass


You can define footprint bypass types and values that are not used as part of a real-time signature. The types and values are not used in OR or AND operations within the blocking rule (real-time signature), even when the protection engine suggests that the traffic is a real-time signature candidate.

To configure footprint bypass:

1. Select DDoS Protector > Behavioral DoS > Advanced > Footprint Bypass.
2. Select the link in the relevant row.
3. Configure the parameters, and click Set.
Parameter Description

Controller (Read-only): The attack protection for which you are configuring footprint bypass.

Bypass Field (Read-only): The bypass type to configure.

Bypass Status: The bypass option.
Values:
• Bypass: The Behavioral DoS module bypasses all possible values of the selected Bypass Field when generating a footprint.
• Accept: The Behavioral DoS module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.

Bypass Values: If the value of the Bypass Status parameter is Accept, when generating the footprint, the Behavioral DoS mechanism does not use the specified Bypass Values of the corresponding selected Bypass Field. The valid Bypass Values vary according to the selected Bypass Field. Multiple values in the Bypass Values field must be comma-delimited.

Behavioral DoS Profiles


A Behavioral DoS profile defines the set of protocols for protection, which can then be assigned to
the Behavioral DoS policy.
Use the Behavioral DoS Profiles pane to configure Behavioral DoS profiles with basic parameters.
You can tune the maximum number of BDoS Protection profiles (Services > Tuning Parameters >
Security > Behavioral DoS). In this version, the default is 10 and the absolute maximum is 50
profiles.
Recommended settings for policies that include Behavioral DoS profiles are as follows:
• Configure policies containing Behavioral DoS profiles using Networks with source = Any (the
public network) and destination = Protected Network. It is recommended to create multiple
Behavioral DoS rules, each one protecting a specific server segment (for example, the DNS
server segment, the Web server segment, the Mail server segment, and so on). This assures
optimized learning of normal traffic baselines.
• It is not recommended to define a network with both Source and Destination set to Any, because
the appliance then collects statistics globally, without regard to inbound and outbound
direction. This may lower the sensitivity of attack detection.
• When the Direction of a policy is set to One Way, the rule prevents incoming attacks only. When
the Direction is set to Two Way, the rule prevents both incoming and outgoing attacks. In both
cases, traffic statistics are collected for incoming and outgoing patterns to achieve optimal
detection.

To configure a behavioral DoS profile with basic parameters:


1. Select DDoS Protector > Denial of Service > Behavioral DoS > Behavioral DoS Profiles.
 To add an entry, click Create.
 To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.


Parameter Description

Profile Name The user-defined name for the profile.

SYN Flood status Specifies whether the profile protects against SYN Flood attacks.
Default: inactive

TCP Reset Flood status Specifies whether the profile protects against TCP Reset Flood
attacks.
Default: inactive

TCP FIN+ACK Flood status Specifies whether the profile protects against TCP FIN+ACK Flood
attacks.
Default: inactive

TCP SYN+ACK Flood status Specifies whether the profile protects against TCP SYN+ACK Flood
attacks.
Default: inactive

TCP Fragmented Flood status Specifies whether the profile protects against TCP Fragmented
Flood attacks.
Default: inactive

UDP Flood status Specifies whether the profile protects against UDP Flood attacks.
Default: inactive

UDP Fragmented Flood status Specifies whether the profile protects against UDP Fragmented
Flood attacks.
Default: inactive

IGMP Flood status Specifies whether the profile protects against IGMP Flood attacks.
Default: inactive

ICMP Flood status Specifies whether the profile protects against ICMP Flood attacks.
Default: inactive

Configuration of the inbound The highest expected volume of inbound traffic, expressed in
traffic in [Kbit/Sec] Kbit/s, on the relevant network segment. DDoS Protector derives
the initial baselines from the bandwidth and quota settings.
Values: 0   2,147,483,647
Note: You must configure this setting to start Behavioral DoS
protection.


Configuration of the outbound traffic in [Kbit/Sec] The highest expected volume of outbound traffic, expressed in
Kbit/s, on the relevant network segment. DDoS Protector derives
the initial baselines from the bandwidth and quota settings.
Values: 0   2,147,483,647
Note: You must configure this setting to start Behavioral DoS
protection.

Packet Report Status Specifies whether the profile sends sampled attack packets to
APSolute Vision for off-line analysis.
Values: enable, disable
Default: enable

Packet Trace Status Specifies whether the profile sends attack packets to the specified
physical port.
Values: enable, disable
Default: disable

DNS Protection
DNS Protection Global Parameters
DNS Flood Protection, which you can use in your network-protection policy, defends your network
from zero-day DNS-flood attacks. These attacks fill available DNS bandwidth with irrelevant
traffic, denying legitimate users DNS lookups. The attacks originate in the public network and
threaten Internet-connected organizations.
The DNS Flood profiles detect traffic anomalies and prevent zero-day, unknown, DNS flood
attacks by identifying the footprint of the anomalous traffic.
DNS Flood Protection types can include the following DNS query types:
 A
 MX
 PTR
 AAAA
 Text
 SOA
 NAPTR
 SRV
 Other
DNS Flood Protection can detect statistical anomalies in DNS traffic and generate an accurate
attack footprint based on heuristic analysis of protocol information. This ensures accurate attack
filtering with minimal risk of false positives. The default average time to create a new signature
is between 10 and 18 seconds, which is short relative to flood attacks, which can last for minutes
and sometimes hours.
Before you configure DNS Flood Protection profiles, ensure that DNS Flood Protection is enabled.
You can also change the default global appliance settings for DNS Flood Protection. The DNS
Flood Protection global settings apply to all the network protection policies rules with DNS Flood
profiles on the appliance.
Changing the DNS Protection global enable setting requires a reboot to take effect.

To enable DNS Protection:


1. Select DDoS Protector > Denial of Service > DNS Protection > Global Parameters.
2. Select enable from the drop-down list.
3. Click Set.

DNS Protection Profile


Use the DNS Protection Profiles pane to configure DNS-Flood Protection profiles with basic
parameters.
DDoS Protector uses the bandwidth and quota values to derive a baseline for normal inbound and
outbound traffic.
DNS Protection profiles can be used only in one-way policies.
It is recommended to configure policies that include DNS Protection profiles using Networks with
source = Any, the public network, and destination = Protected Network.
Check Point recommends that you initially leave the quota fields (for example, DNS A quota) empty so
that the default values are used automatically. To view the default values after creating the
profile, click the entry in the table. You can then adjust the quota values based on your network
traffic. The total of the quota values may exceed 100%, because each value represents the maximum
volume per query type.

To configure a DNS Protection profile with basic parameters:


1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Profiles
Configuration.
 To add an entry, click Create.
 To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Profile Name The user-defined name for the profile.

Expected QPS The expected rate, in queries per second, of DNS queries.

DNS A Flood status Specifies whether this profile protects against DNS A Flood
attacks.
Values: inactive, active
Default: inactive


DNS A quota The maximum expected percentage of DNS A traffic out of the
total DNS traffic.

DNS MX Flood status Specifies whether this profile protects against DNS MX Flood
attacks.
Values: inactive, active
Default: inactive

DNS MX quota The maximum expected percentage of DNS MX traffic out of the
total DNS traffic.

DNS PTR Flood status Specifies whether this profile protects against DNS PTR Flood
attacks.
Values: inactive, active
Default: inactive

DNS PTR quota The maximum expected percentage of DNS PTR traffic out of the
total DNS traffic.

DNS AAAA Flood status Specifies whether this profile protects against DNS AAAA Flood
attacks.
Values: inactive, active
Default: inactive

DNS AAAA quota The maximum expected percentage of DNS AAAA traffic out of the
total DNS traffic.

DNS TEXT Flood status Specifies whether this profile protects against DNS TEXT Flood
attacks.
Values: inactive, active
Default: inactive

DNS TEXT quota The maximum expected percentage of DNS TEXT traffic out of the
total DNS traffic.

DNS SOA Flood status Specifies whether this profile protects against DNS SOA Flood
attacks.
Values: inactive, active
Default: inactive

DNS SOA quota The maximum expected percentage of DNS SOA traffic out of the
total DNS traffic.


DNS NAPTR Flood status Specifies whether this profile protects against DNS NAPTR Flood
attacks.
Values: inactive, active
Default: inactive

DNS NAPTR quota The maximum expected percentage of DNS NAPTR traffic out of
the total DNS traffic.

DNS SRV Flood status Specifies whether this profile protects against DNS SRV Flood
attacks.
Values: inactive, active
Default: inactive

DNS SRV quota The maximum expected percentage of DNS SRV traffic out of the
total DNS traffic.

DNS OTHER Flood status Specifies whether this profile protects against DNS OTHER Flood
attacks.
Values: inactive, active
Default: inactive

DNS OTHER quota The maximum expected percentage of other DNS traffic (that is,
not A, MX, AAAA, TEXT, SOA, NAPTR, or SRV) out of the total DNS
traffic.

Max Allowed QPS The maximum allowed rate of DNS queries per second, when the
Manual Triggers option is not enabled.
Values: 0   4,000,000
Default: 0
Note: When the Manual Triggers option is enabled, the Manual
Triggers Max QPS Target value overrides this value ("DNS
Protection Advanced Profiles" on page 128).

Signature Rate limit Target The percentage of the DNS traffic that matches the real-time
signature that the profile will not mitigate above the baseline.
Values: 0   100
Default: 0

Packet Report Status Specifies whether the appliance sends sampled attack packets to
APSolute Vision for off-line analysis.
Values: enable, disable
Default: disable


Packet Trace Status Specifies whether the DDoS Protector appliance sends attack
packets to the specified physical port.
Values: enable, disable
Default: disable

Action The action that the profile takes on DNS traffic during an attack.
Values: Block and Report, Report Only
Default: Block and Report

Advanced DNS Protection Configuration


DNS Protection Advanced Profiles
Use the DNS Protection Advanced Profiles pane to configure DNS-Flood Protection profiles with
advanced parameters.
DDoS Protector uses the bandwidth and quota values to derive a baseline for normal inbound and
outbound traffic.
The configuration of a DNS Flood Protection profile includes the Challenge Method ("DNS
Challenge Methods" on page 132): Active or Passive.
You can tune the maximum number of DNS Protection profiles (Services > Tuning Parameters >
Security > DNS Protection). The default is 10 and the absolute maximum is 50 profiles.
DNS Protection profiles can be used only in one-way policies.
It is recommended to configure policies that include DNS Protection profiles using Networks with
source = Any, the public network, and destination = Protected Network.
Check Point recommends that you initially leave the quota fields (for example, DNS A quota) empty so
that the default values are used automatically. To view the default values after creating the
profile, click the entry in the table. You can then adjust the quota values based on your network
traffic. The total of the quota values may exceed 100%, because each value represents the maximum
volume per query type.

To configure a DNS Protection profile with advanced parameters:


1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Profiles
Configuration.
 To add an entry, click Create.
 To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Profile Name The user-defined name for the profile.

Expected QPS The expected rate, in queries per second, of DNS queries.


DNS A Flood status Specifies whether this profile protects against DNS A
Flood attacks.
Values: inactive, active
Default: inactive

DNS A quota The maximum expected percentage of DNS A traffic out
of the total DNS traffic.

DNS MX Flood status Specifies whether this profile protects against DNS MX
Flood attacks.
Values: inactive, active
Default: inactive

DNS MX quota The maximum expected percentage of DNS MX traffic out
of the total DNS traffic.

DNS PTR Flood status Specifies whether this profile protects against DNS PTR
Flood attacks.
Values: inactive, active
Default: inactive

DNS PTR quota The maximum expected percentage of DNS PTR traffic
out of the total DNS traffic.

DNS AAAA Flood status Specifies whether this profile protects against DNS AAAA
Flood attacks.
Values: inactive, active
Default: inactive

DNS AAAA quota The maximum expected percentage of DNS AAAA traffic
out of the total DNS traffic.

DNS TEXT Flood status Specifies whether this profile protects against DNS TEXT
Flood attacks.
Values: inactive, active
Default: inactive

DNS TEXT quota The maximum expected percentage of DNS TEXT traffic
out of the total DNS traffic.

DNS SOA Flood status Specifies whether this profile protects against DNS SOA
Flood attacks.
Values: inactive, active
Default: inactive


DNS SOA quota The maximum expected percentage of DNS SOA traffic
out of the total DNS traffic.

DNS NAPTR Flood status Specifies whether this profile protects against DNS
NAPTR Flood attacks.
Values: inactive, active
Default: inactive

DNS NAPTR quota The maximum expected percentage of DNS NAPTR
traffic out of the total DNS traffic.

DNS SRV Flood status Specifies whether this profile protects against DNS SRV
Flood attacks.
Values: inactive, active
Default: inactive

DNS SRV quota The maximum expected percentage of DNS SRV traffic
out of the total DNS traffic.

DNS OTHER Flood status Specifies whether this profile protects against DNS
OTHER Flood attacks.
Values: inactive, active
Default: inactive

DNS OTHER quota The maximum expected percentage of other DNS traffic
(that is, not A, MX, AAAA, TEXT, SOA, NAPTR, or SRV) out
of the total DNS traffic.

Max Allowed QPS The maximum allowed rate of DNS queries per second.
Values: 0 – 4,000,000
Default: 0
When Manual Triggers Status is enable, the Manual
Triggers Max QPS Target value overrides this value.

Signature Rate limit Target The percentage of the DNS traffic that matches the
real-time signature that the profile will not mitigate
above the baseline.
Values: 0 – 100
Default: 0

Packet Report Status Specifies whether the appliance sends sampled attack
packets to APSolute Vision for off-line analysis.
Values: enable, disable
Default: disable


Packet Trace Status Specifies whether the DDoS Protector appliance sends
attack packets to the specified physical port.
Values: enable, disable
Default: disable

Action The action that the profile takes on DNS traffic during an
attack.
Values: Block and Report, Report Only
Default: Block and Report

Manual Triggers Status Specifies whether the profile uses user-defined DNS QPS
thresholds instead of the learned baselines.
Default: disable

Manual Triggers Activation Threshold The minimum number of queries per second   after the
specified Activation Period   on a single connection that
causes the appliance to consider there to be an attack.
When the appliance detects an attack, it issues an
appropriate alert and drops the DNS packets that exceed
the threshold. Packets that do not exceed the threshold
bypass the DDoS Protector appliance.
Values: 0   4,000,000
Default: 0

Manual Triggers Termination Threshold The maximum number of queries per second, after the
specified Termination Period, on a single connection
that causes the appliance to consider the attack to have
ended.
Values: 0 – 4,000,000
Default: 0
The Termination Threshold must be less than or equal to
the Activation Threshold.

Manual Triggers Max QPS Target The maximum allowed rate of DNS queries per second.
Values: 0   4,000,000
Default: 0

Manual Triggers Activation Period The number of consecutive seconds that the DNS traffic
on a single connection exceeds the Activation Threshold
that causes the appliance to consider there to be an
attack.
Values: 0   30
Default: 3


Manual Triggers Termination Period The time, in seconds, that the DNS traffic on a single
connection is continuously below the Termination
Threshold, which causes the appliance to consider the
attack to have ended.
Values: 0   30
Default: 3

Manual Triggers Escalation Period The time, in seconds, that the appliance waits before
escalating to the next specified Mitigation Action.
Values: 0   30
Default: 3

Challenge Method The method that the profile uses to authenticate DNS
traffic.
Values:
• Passive: DDoS Protector authenticates DNS traffic by
discarding A and AAAA queries.
• Active: DDoS Protector authenticates DNS traffic by
challenging all DNS query types and shifting UDP
traffic to TCP (with the TC flag).
Default: Passive
Note: Using the Active option requires that the entire
connection path to, and including, the DNS server(s) that
the profile protects must support TCP.
This parameter is effective only when Signature
challenge mitigation status and/or Collective
challenge mitigation status are enabled globally
(DDoS Protector > Denial of Service > DNS Protection
> Advanced > Mitigation Configuration > Methods).
DDoS Protector stores sources authenticated by either method in
the SDM table.

DNS Challenge Methods


The configuration of a DNS Flood Protection profile includes the Challenge Method: Active or
Passive.
The Passive Challenge Method authenticates DNS traffic by dropping A and AAAA queries and
saving the source IP addresses in memory. When the same source IP address sends a query
within the specified period, DDoS Protector considers the source to be legitimate.
The Active Challenge Method authenticates DNS traffic by challenging all DNS query types and
shifting UDP traffic to TCP (with a TC flag).
Note: Using the Active option requires that the entire connection path to, and including, the DNS
server(s) that the profile protects must support TCP.

The Active challenge method utilizes the DNS TC bit. The TC (truncated) bit is typically used by the
DNS server to indicate to the client that the response is too large for UDP, and it is required to use
TCP. When a DNS Flood Protection profile uses the Active challenge method, DDoS Protector
considers a client to be legitimate if the client opens a TCP connection to the server.
The Active challenge method works as follows:
1. DDoS Protector sends a DNS reply to the client with the TC bit set.
2. One of the following:
 The DNS client opens a TCP connection to port 53 with the same query that was sent over
UDP.
a) DDoS Protector validates the query name and adds the source to the authentication table
for future queries.
b) DDoS Protector passes the query to the DNS server.
c) DDoS Protector authenticates the source in the SYN Protection module (optional)   After
the TCP connection is created, using the SYN Protection module, DDoS Protector can
implement a Transparent Proxy   Authentication Method phase for TCP authentication of
the client. This phase enhances the authentication but introduces an additional, yet
tolerable, delay   especially, in the context of attack conditions. Check Point recommends
using the out-of-the-box SYN protection: DNS (ID: 200009).
 The DNS client does not reply with a TCP connection.
a. DDoS Protector blocks the client from communicating with the protected DNS server.
b. DDoS Protector continues challenging new queries from the client.
The main advantages of the Active challenge method are as follows:
 The Active challenge method is compatible with all DNS query types.
 With the Active challenge method, a response from the client is forced according to the DNS
standard (RFC 1034 and RFC 1035).
 Active authentication over TCP helps verify that the client has a complete legitimate DNS stack
with both UDP and TCP support.
The Active challenge method can potentially increase the load on the protected DNS servers. The
challenge is applied only in the mitigation phase, during a DNS attack. In addition, DDoS
Protector's action escalation mechanism first applies the challenge to the attack footprint, and
only later to all the queries (of a certain query type). All in all, the resulting load is
expected to be lower than the attack itself.
In terms of latency and user experience, legitimate DNS clients are authenticated based on their
initial query, and all subsequent queries from the same source, over UDP, pass directly to the
server unchallenged.
The Active challenge method, similar to all other DDoS Protector challenges, is based on the source IP
address.
Some public DNS resolvers change the source IP address with every new
query, as recommended in RFC 5452. Since these public DNS resolvers are legitimate, they are
expected to reply successfully to every challenge, that is, to send the query over TCP. A query over
TCP from a new IP address is passed to the target DNS server, but the new source IP address is
not authenticated for subsequent queries.


In such scenarios, the TCP traffic load on the protected DNS servers increases. Check Point
recommends using the out-of-the-box SYN protection: DNS (ID: 200009) and Connection Limit
Protection.
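The exchange described above, as an added Python example that is not part of this guide or of the appliance's code: it builds a constructed single-question query, answers a UDP query from an unauthenticated source with a reply whose TC bit is set, and authenticates the source IP only when the retry over TCP carries the same query name. The function names, the authentication-table structure and the "pass-unauthenticated" outcome for a TCP query that has no pending challenge (the resolver-changes-source-IP case discussed above) are my assumptions drawn from the text; the appliance's internal tables, including the SDM table, are not exposed here.

```python
"""Active DNS challenge (TC bit) state machine, written as an illustration of the exchange
described in this guide. Not the appliance's implementation; table layout and outcomes
are assumptions based on the text."""
import struct
from typing import Dict, Optional, Set, Tuple

QR_BIT = 0x8000   # header flag: this message is a response
TC_BIT = 0x0200   # header flag: truncated, the client should retry over TCP (RFC 1035)


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Constructed sample input: a minimal single-question DNS query in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a two-byte length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def parse_question(msg: bytes) -> Tuple[int, int, str, int, int]:
    """Return (txid, flags, lower-cased qname, qtype, end offset of the question section)."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii").lower())
        pos += length
    (qtype,) = struct.unpack("!H", msg[pos:pos + 2])
    return txid, flags, ".".join(labels) + ".", qtype, pos + 4


def tc_bit_set(reply: bytes) -> bool:
    (flags,) = struct.unpack("!H", reply[2:4])
    return bool(flags & TC_BIT)


class ActiveChallenge:
    """Authentication keyed by source IP, as the guide describes (structure assumed)."""

    def __init__(self) -> None:
        self.authenticated: Set[str] = set()
        self.pending: Dict[str, str] = {}   # src_ip -> qname we challenged

    def handle_udp(self, src_ip: str, query: bytes) -> Tuple[str, Optional[bytes]]:
        """Return ('pass', None) for an authenticated source, else ('challenge', reply)."""
        _txid, flags, qname, _qtype, qend = parse_question(query)
        if src_ip in self.authenticated:
            return "pass", None
        # Remember what we challenged; an unanswered challenge is simply re-issued next time.
        self.pending[src_ip] = qname
        # Echo the transaction ID and question section, set QR and TC, answer counts stay 0.
        reply = query[:2] + struct.pack("!H", flags | QR_BIT | TC_BIT) + query[4:qend]
        return "challenge", reply

    def handle_tcp(self, src_ip: str, stream: bytes) -> str:
        """Classify a TCP query: 'pass' (source now authenticated), 'drop' (query name does
        not match the challenged one) or 'pass-unauthenticated' (no pending challenge for
        this IP: forwarded, but the IP is not added to the table)."""
        (length,) = struct.unpack("!H", stream[:2])
        _txid, _flags, qname, _qtype, _end = parse_question(stream[2:2 + length])
        expected = self.pending.pop(src_ip, None)
        if expected is None:
            return "pass-unauthenticated"
        if qname != expected:
            return "drop"
        self.authenticated.add(src_ip)
        return "pass"
```

The name comparison is case-insensitive and the transaction ID is deliberately not compared, because a resolver normally generates a fresh ID for the TCP retry; only the question must match the challenge.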

DNS Protection Advanced Global Parameters


Use the DNS Protection Advanced Global Parameters pane to set the learning response period upon
which baselines are primarily weighted, to enable or disable traffic-statistics sampling, and to
set the footprint strictness.

To configure the DNS Protection advanced global parameters:


1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Global
Parameters.
2. Configure the parameters, and click Set.

DNS Protection Advanced Global Parameters


Parameter Description

Learning Response Period The initial period from which baselines are primarily weighted.
The default and recommended learning response period is one
week.
If traffic rates legitimately fluctuate (for example, TCP or UDP traffic
baselines change more than 50% daily), set the learning response to
one month. Use a one day period for testing purposes only.
Values: day, week, month
Default: week

Sampling Status Specifies whether the DNS Flood Protection module uses
traffic-statistics sampling during the footprint creation phase.
Values:
• enable: Traffic statistics are aggregated through a sampling
algorithm, which improves the overall performance of the DNS Flood
Protection module. Although the decision engine is tuned to
the sampling error, the chance of false-positive
decisions increases.
• disable: Traffic statistics are aggregated without sampling.
Default: enable


Footprint Strictness When the DNS Flood Protection module detects a new attack, the
module generates an attack footprint to block the attack traffic. If
the module is unable to generate a footprint that meets the
footprint-strictness condition, the module issues a notification for
the attack but does not block it. The higher the strictness, the more
accurate the footprint. However, higher strictness increases the
probability that the module cannot generate a footprint.
Values:
 high   Requires at least two Boolean AND operators and no
other Boolean OR value in the footprint. This level lowers the
probability for false positives but increases the probability for
false negatives.
 medium   Requires at least one Boolean AND operator and no
more than two additional Boolean OR values in the footprint.
 low   Allows any footprint suggested by the DNS Flood
Protection module. This level achieves the best attack blocking,
but increases the probability of false positives.
Default: low
The DNS Flood Protection module always considers the checksum
field and the sequence number fields as High Footprint Strictness
fields. Therefore, a footprint with only a checksum or sequence
number is always considered as High Footprint Strictness.
See the table below for examples of footprint strictness
requirements.

Footprint Strictness Examples for DNS


Footprint Example                         Low   Medium   High

DNS Query                                 Yes   No       No

DNS Query AND DNS ID                      Yes   Yes      No

DNS Query AND DNS ID AND Packet Size      Yes   Yes      Yes
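To make the strictness rules above and the Footprint Bypass semantics (from the Behavioral DoS Footprint Bypass section earlier on this page) concrete, here is an added Python example that is not part of this guide or of the appliance: it strips bypassed fields and values from a candidate footprint, classifies what remains as low, medium or high according to the AND/OR rules (treating a lone checksum or sequence-number field as high), and returns block or notify depending on the configured strictness. The footprint representation and the field labels (dns_query, dns_id, packet_size, checksum) are my own; the appliance's identifiers are not given in the text.

```python
"""Footprint bypass and Footprint Strictness checks, modelled on the rules in this guide.

A candidate footprint is a list of alternatives joined by OR; each alternative is a list
of (field, value) terms joined by AND. Field labels are illustrative, not the appliance's.
"""
from typing import Dict, List, Tuple

Term = Tuple[str, object]
Footprint = List[List[Term]]

LEVELS = ("low", "medium", "high")
# Fields the guide says are always treated as high strictness when they stand alone.
HIGH_STRICTNESS_FIELDS = {"checksum", "sequence_number"}


def apply_bypass(footprint: Footprint, bypass: Dict[str, Tuple[str, set]]) -> Footprint:
    """Drop bypassed fields/values from every AND and OR position of the candidate.

    bypass maps a field to ("bypass", set()) to exclude every value of that field, or to
    ("accept", {v1, v2}) to exclude only the listed values (the Accept status semantics).
    """
    kept: Footprint = []
    for alternative in footprint:
        terms = []
        for field, value in alternative:
            status, values = bypass.get(field, ("none", set()))
            if status == "bypass" or (status == "accept" and value in values):
                continue
            terms.append((field, value))
        if terms:  # an alternative with no terms left would match everything, so drop it
            kept.append(terms)
    return kept


def operator_counts(footprint: Footprint) -> Tuple[int, int]:
    """Return (number of AND operators, number of OR operators) in the footprint."""
    ands = sum(len(alternative) - 1 for alternative in footprint)
    ors = len(footprint) - 1 if footprint else 0
    return ands, ors


def strictness_of(footprint: Footprint) -> str:
    """Highest Footprint Strictness level the footprint satisfies: 'low', 'medium' or 'high'."""
    if not footprint:
        raise ValueError("empty footprint")
    if len(footprint) == 1 and len(footprint[0]) == 1 and footprint[0][0][0] in HIGH_STRICTNESS_FIELDS:
        return "high"
    ands, ors = operator_counts(footprint)
    if ands >= 2 and ors == 0:
        return "high"          # at least two ANDs and no OR
    if ands >= 1 and ors <= 2:
        return "medium"        # at least one AND, at most two additional OR values
    return "low"               # any footprint the engine suggests


def decide(candidate: Footprint, bypass: Dict[str, Tuple[str, set]], configured: str) -> Tuple[str, Footprint]:
    """Return ('block', footprint) if the post-bypass footprint meets the configured
    strictness, otherwise ('notify', []): report the attack without blocking it."""
    if configured not in LEVELS:
        raise ValueError("strictness must be one of %s" % (LEVELS,))
    footprint = apply_bypass(candidate, bypass)
    if not footprint:
        return "notify", []
    if LEVELS.index(strictness_of(footprint)) >= LEVELS.index(configured):
        return "block", footprint
    return "notify", []


if __name__ == "__main__":
    # Constructed sample: the three rows of the strictness example table, then a bypass.
    query = ("dns_query", "www.example.com.")
    dns_id = ("dns_id", 0x1A2B)
    size = ("packet_size", 512)
    for fp in ([[query]], [[query, dns_id]], [[query, dns_id, size]]):
        print(fp, "->", strictness_of(fp))
    print(decide([[query, dns_id, size]], {"dns_id": ("bypass", set())}, "high"))
```

Note the interaction the two features have: a bypass on DNS ID turns the high-strictness footprint in the last table row into a medium one, so with Footprint Strictness set to high the attack is reported but not blocked.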

DNS Protection Learning Reset


Use the DNS Protection Learning Reset pane to reset the learning period for specific policies or
all policies.
DNS Flood protection learns traffic parameters from the transport layer of incoming packets and
generates normative baselines for traffic.
The Learning Period setting defines the period based upon which baselines are primarily
weighted.


When the baseline for the policy is reset, the baseline traffic statistics are cleared, and then DDoS
Protector immediately initiates a new learning period. Generally, this is done when the
characteristics of the protected network have changed entirely and bandwidth quotas need to be
changed to accommodate the network changes.

To reset the policy baseline:


1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Learning Reset.
2. From the Reset Baseline For Policy drop-down list, select a policy or select All Policies.
3. Click Set.

Mitigation Configuration for DNS Protection


Attack Termination Configuration for DNS Protection
The DNS Protection mechanism assigns various internally defined states for each protection
(belonging to the DNS protection policy and protection type).
The internally defined states for protections include the following:
• Normal state
• Analysis state (state 2)
• Blocking state (state 6)
• Anomaly state (state 3)
As soon as DDoS Protector detects anomalous traffic, the protection changes state, from Normal
to Analysis. By default, if DDoS Protector detects anomalous traffic for less than 10 seconds, the
protection changes state back to Normal.
In a laboratory environment, it is possible to generate traffic that exhibits periodic behavior in
terms of traffic volume. Such traffic in a test attack typically looks like a square-wave function.
When such test attacks exhibit peaks and troughs of certain durations, DDoS Protector considers
the attack to have ended (terminated), switches back to the Normal state, and never blocks the
attack. The advanced mitigation interface lets you extend the pre-termination durations so that
such traffic is blocked.
In a production environment, such highly orchestrated and synchronized attacks are unlikely, and
the default values in the DDoS Protector configuration are adequate.

To configure attack-termination criteria:


1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation
Configuration > Attack Termination Configuration.
2. Configure the parameters and click Set.


Stability Counter State 2 The time, in seconds, for which the degree of attack must stay
below the hard-coded threshold while in the Analysis state before DDoS
Protector declares the attack terminated. When this value is 0, the
attack is declared terminated as soon as it falls below the threshold.
Values: 0 – 30
Default: 0

Stability Counter State 6 The time, in seconds, for which the degree of attack must stay
below the hard-coded threshold while in the Blocking state before DDoS
Protector declares the attack terminated. When this value is 0, the
attack is declared terminated as soon as it falls below the threshold.
There is no typical use case for reducing the value from the default.
Values: 0 – 300
Default: 10

Stability Counter State 3 The time, in seconds, for which the degree of attack must stay
below the hard-coded threshold while in the Anomaly state before DDoS
Protector declares the attack terminated. When this value is 0, the
attack is declared terminated as soon as it falls below the threshold.
Values: 0 – 300
Default: 10

Mitigation Methods for DNS Protection


When the protection is enabled and the appliance detects that a DNS-flood attack has started, the
appliance implements the Mitigation Actions in escalating order, that is, in the order in which they
appear in the group box. If the first enabled Mitigation Action does not mitigate the attack
satisfactorily (after the Escalation Period), the appliance implements the next more severe
enabled Mitigation Action, and so on. As the most severe Mitigation Action, the appliance always
implements the Collective Rate Limit, which limits the rate of all DNS queries to the protected
server.

To configure DNS Protection mitigation methods:


1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation
Configuration > Methods.
2. Configure the parameters and click Set.
Parameters Description

Signature challenge mitigation status Specifies whether the appliance challenges suspect DNS queries
that match the real-time signature.
Default: enable

Signature rate-limit mitigation status Specifies whether the appliance limits the rate of DNS queries that
match the real-time signature.
Default: enable


Collective challenge mitigation status Specifies whether the appliance challenges all unauthenticated
DNS queries to the protected server.
Default: enable

Collective rate-limit mitigation status (Read-only) The appliance limits the rate of all DNS queries to the
protected server.
Value: enable
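The Manual Triggers parameters from the advanced profile table (Activation and Termination Threshold, Activation, Termination and Escalation Period) together with the escalation order of the Mitigation Actions described above, as an added Python example that is not the appliance's code: a per-second QPS series drives a detector through attack start, escalation through the enabled Mitigation Actions, and attack termination. Assumptions of mine, since the guide does not state them: a period of 0 triggers on the first sample, escalation happens when traffic still exceeds the Activation Threshold after the Escalation Period (the text only says "does not mitigate the attack satisfactorily"), and the counters reset when the attack ends.

```python
"""Manual Triggers detection and Mitigation Action escalation, modelled on the parameter
descriptions in this guide. Illustrative code, not the appliance's implementation; the
escalation criterion (traffic still above the Activation Threshold after the Escalation
Period) is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

QPS_MAX = 4_000_000   # value range of the QPS thresholds in the guide
PERIOD_MAX = 30       # value range of the period parameters in the guide


@dataclass
class ManualTriggers:
    activation_threshold: int
    termination_threshold: int
    activation_period: int = 3     # consecutive seconds above Activation Threshold
    termination_period: int = 3    # consecutive seconds below Termination Threshold
    escalation_period: int = 3     # seconds under one Mitigation Action before escalating

    def __post_init__(self) -> None:
        for name in ("activation_threshold", "termination_threshold"):
            if not 0 <= getattr(self, name) <= QPS_MAX:
                raise ValueError(f"{name} must be 0..{QPS_MAX}")
        for name in ("activation_period", "termination_period", "escalation_period"):
            if not 0 <= getattr(self, name) <= PERIOD_MAX:
                raise ValueError(f"{name} must be 0..{PERIOD_MAX}")
        if self.termination_threshold > self.activation_threshold:
            raise ValueError("Termination Threshold must be <= Activation Threshold")


def mitigation_order(signature_challenge: bool = True, signature_rate_limit: bool = True,
                     collective_challenge: bool = True) -> List[str]:
    """Enabled Mitigation Actions in escalation order; Collective Rate Limit is always last."""
    order = []
    if signature_challenge:
        order.append("signature challenge")
    if signature_rate_limit:
        order.append("signature rate limit")
    if collective_challenge:
        order.append("collective challenge")
    order.append("collective rate limit")
    return order


class ManualTriggerDetector:
    """Feed one QPS sample per second; get back (state, current Mitigation Action)."""

    def __init__(self, cfg: ManualTriggers, actions: List[str]) -> None:
        self.cfg, self.actions = cfg, actions
        self.state = "normal"
        self.above = self.below = self.in_action = self.action_idx = 0

    def feed(self, qps: int) -> Tuple[str, Optional[str]]:
        cfg = self.cfg
        if self.state == "normal":
            if qps > cfg.activation_threshold:
                self.above += 1
                if self.above >= max(cfg.activation_period, 1):   # period 0: trigger at once
                    self.state, self.action_idx, self.in_action, self.below = "attack", 0, 0, 0
                    return "attack", self.actions[0]
            else:
                self.above = 0
            return "normal", None
        # Attack state: check termination first, then escalation.
        if qps < cfg.termination_threshold:
            self.below += 1
            if self.below >= max(cfg.termination_period, 1):
                self.state, self.above, self.below = "normal", 0, 0
                return "normal", None
        else:
            self.below = 0
        self.in_action += 1
        if (qps > cfg.activation_threshold and self.in_action >= max(cfg.escalation_period, 1)
                and self.action_idx < len(self.actions) - 1):
            self.action_idx, self.in_action = self.action_idx + 1, 0
        return "attack", self.actions[self.action_idx]


def run_series(cfg: ManualTriggers, actions: List[str],
               series: List[int]) -> List[Tuple[str, Optional[str]]]:
    detector = ManualTriggerDetector(cfg, actions)
    return [detector.feed(qps) for qps in series]


if __name__ == "__main__":
    # Constructed sample: seven seconds of flood, then traffic drops under the Termination Threshold.
    cfg = ManualTriggers(activation_threshold=10_000, termination_threshold=5_000, escalation_period=2)
    series = [12_000] * 7 + [4_000] * 3
    for second, (state, action) in enumerate(run_series(cfg, mitigation_order(), series), 1):
        print(f"t={second:2d}s {state:<6} {action}")
```

With the constructed series the attack is declared at the third sample, escalates every two seconds while traffic stays above the Activation Threshold, and terminates after three consecutive seconds below the Termination Threshold; the constructor rejects a Termination Threshold above the Activation Threshold, mirroring the constraint stated in the table.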

Packet Header Field Selection for DNS Protection


If the value in the Any Packet Header Field drop-down list in the Early Blocking Configuration for
DNS Protection pane ("Early Blocking Configuration for DNS Protection" on page 138) is false, you
can select specific packet-header fields for early blocking of DoS traffic.
Note: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the
accuracy of the DoS-attack footprint that DDoS Protector generates.

To select packet-header fields for early blocking of DNS DoS traffic:


1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation
Configuration > Packet Header Fields Selection.
2. Select the protection type next to the relevant packet-header field.
3. From the Early Detection Condition drop-down list, select:
 yes   DDoS Protector must detect this field to generate a footprint in less than 10 seconds.
 no   DDoS Protector can use this field in the footprint, but it is not enough for early
blocking.
4. Click Set.

Early Blocking Configuration for DNS Protection


In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to
start blocking as soon as possible, even if accuracy is compromised. Using Early Blocking of DoS
Traffic (configuring thresholds for generating DoS-attack footprints), you can shorten the
Analysis state and start blocking the relevant traffic.
Note: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the
accuracy of the DoS-attack footprint that DDoS Protector generates.

To configure early blocking of DNS DoS traffic:


1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation
Configuration > Early Blocking Configuration.
2. Select the Protection type you want to configure for early blocking.
3. Configure the parameters and click Set.

Parameter Description

Any Packet Header Field
    Specifies the parameters according to which the appliance blocks DoS traffic early.
    Values:
    • true: The appliance blocks DoS traffic early based on the specified number of packet-header fields and number of packet-header-field values thresholds.
    • false: The appliance blocks DoS traffic early based on the fields as displayed in the Packet Header Field Selection for Behavioral DoS Protection ("Packet Header Field Selection for DNS Protection" on page 138) pane.

Any Packet Header Field threshold
    The number of anomalous packet-header fields that the appliance must detect to generate a footprint and change to the Blocking state prior to the default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.)
    Values: 1–20
    Default (per protection):
    • ICMP: 17
    • IGMP: 16
    • TCP-ACK-FIN: 17
    • TCP-FRAG: 17
    • TCP-RST: 17
    • TCP-SYN: 17
    • TCP-SYN-ACK: 17
    • UDP: 20

Packet Header Field Values
    The number of anomalous packet-header-field values that the appliance must detect to generate a footprint and change to the Blocking state.
    Values: 1–500
    Default: 500

SDM Challenge Response Configuration

To configure SDM challenge response:


1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Mitigation
Configuration > SDM.
2. Configure the parameter and click Set.

Parameter Description

SDM Protocol Compliance Checks Status
    Specifies whether the appliance checks each DNS query for DNS protocol compliance and drops the non-compliant queries.
    Default: disable

DNS Footprint Bypass


You can define footprint bypass types and values that will not be used as part of a real-time
signature. These types and values will not be used in OR or AND operations within the blocking rule
(real-time signature), even when the protection engine suggests that the traffic is a real-time
signature candidate.

To configure DNS footprint bypass:


1. Select DDoS Protector > Denial of Service > DNS Protection > Advanced > Footprint Bypass.
2. Click the controller name of the DNS query type for which you want to configure footprint
bypass.
3. Configure the parameters and click Set.
Parameter Description

Controller
    (Read-only) The selected DNS query type for which you are configuring footprint bypass.

Bypass Field
    (Read-only) The selected Bypass Field to configure.

Bypass Status
    The bypass option.
    Values:
    • bypass: The DNS Flood Protection module bypasses all possible values of the selected Bypass Field when generating a footprint.
    • accept: The DNS Flood Protection module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.

Bypass Values
    Used if the value of the Bypass Status parameter is Accept. DNS Flood Protection bypasses only the values of a selected Bypass Type, while it may use all other values. These values vary according to the Bypass Field selected. The values in the field must be comma-delimited.

SYN Protection
SYN Protection Global Parameters
A SYN flood attack is usually aimed at specific servers with the intention of consuming the
configure SYN Protection as a Network Protection to allow
easier protection of multiple network elements.

Before you configure SYN profiles for the network-protection policy, ensure the following:
• SYN Protection is enabled and the SYN Flood Protection global parameters are configured.
• The Session table Lookup Mode is Full Layer 4.

To enable SYN Flood Protection:


1. Select DDoS Protector > Denial of Service > SYN Protection.
2. From the drop-down list, select enable.
3. Click Set.
Changing the setting of this parameter requires a reboot to take effect.

SSL Mitigation
SSL Policies
DDoS Protector can mitigate SSL-flood attacks with SSL Mitigation policies. When SYN Protection
is triggered for TCP port 443 protection and the SYN Protection profile is configured with the Use
HTTP Authentication checkbox selected, an active SSL Mitigation policy challenges new SSL
connections using a Safe-Reset method. To decrypt and re-encrypt the SSL packets during the
challenge process, DDoS Protector uses the SSL engine of a specified Alteon platform. DDoS
Protector allows traffic from validated clients to pass through the DDoS Protector appliance to the
protected server.
The DDoS Protector SSL Mitigation mechanism works as follows:
1. The DDoS Protector appliance receives a SYN packet from a client on port 443.
2. DDoS Protector responds with an ACK packet with an invalid Sequence Number field as a
cookie.
3. If the client responds with RST and the cookie, DDoS Protector discards the packet, and adds
the source IP address to the TCP Authentication Table.
4. The DDoS Protector appliance passes the next SYN packet from the same source to the SSL
engine of the specified Alteon platform.
5. The Alteon appliance performs the SSL handshake with the client.
6. The DDoS Protector appliance passes the following HTTPS GET or POST request from the
same source to the SSL engine of the Alteon appliance.
7. The Alteon appliance communicates with the DDoS Protector appliance to generate an
encrypted challenge.
8. The DDoS Protector appliance sends the encrypted HTTPS challenge to the client.
9. The DDoS Protector appliance receives a valid response from the client and considers the
connection to be legitimate.
10. The DDoS Protector appliance adds the source IP address to the HTTP Authentication Table.
11. The DDoS Protector appliance passes the encrypted HTTPS response to the SSL engine of the
Alteon appliance.
12. The Alteon appliance communicates with the DDoS Protector appliance to generate an
encrypted termination message.
13. The next SYN packet from the validated source passes through the DDoS Protector appliance
to the server that is under attack, and DDoS Protector acts as a transparent proxy for the
remainder of the session.

To configure an SSL mitigation policy:


1. Select DDoS Protector > Denial of Service > SYN Protection > SSL Mitigation > SSL Policies.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Name
    The name of the policy.

SSL VIP
    The IPv4 VIP address on the Alteon appliance.

SSL Server IP Address
    The IPv4 address of the SSL server specified on the Alteon appliance.

VIP MAC
    The MAC address of the Alteon appliance.

Network Policy Name
    The name of the existing Network Protection rule.

State
    Specifies whether the policy is active.
    Values: active, inactive
    Default: active

Basic Parameters for SSL Policies


1. Select DDoS Protector > Denial of Service > SYN Protection > SSL Mitigation > Basic
Parameters.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Enable SSL Mitigation
    Specifies whether the appliance enables the SSL Mitigation mechanism with an Alteon appliance.
    Note: DDoS Protector supports inspection of jumbo frames; however, Alteon cannot handle jumbo frames. Therefore, when the Enable SSL Mitigation and Inspect Jumbo Frames checkboxes are both selected, the Alteon appliance will drop packets larger than the Alteon
a
    TCP or HTTP authentication phases), even though the packets may belong to legitimate connections.

Alteon MNG IP
    The IP address of the Alteon management port.

Health-Check Port
    The health-check port (that is, the SNMP Traps port) on the Alteon appliance.


Assigned SSL-Mitigation Ports
    The table that displays the pair of static-forwarding ports.
    Click an entry to open the dialog box where you can modify the inbound port and/or the outbound port.
    In addition to being able to specify a port, you can specify a link aggregation. (A link aggregation may also be referred to as a trunk.) If you specify a link aggregation, it must be configured already in the Link Aggregation Port table (on page 22). Using link aggregation combines physical network links into a single logical link for increased capacity and availability. In a link-aggregation scenario, traffic is divided between the ports that are up, and if one of the ports is down, the traffic continues to flow using the port that is up.

Mask SSL Traffic to and from Alteon
    Specifies whether all traffic between DDoS Protector and Alteon is masked with the specified 16-character XOR key.
    When this option is enabled, the configuration of the Alteon must include the proper AppShape++ script with the same 16-character key. For more information on this, contact the Check Point Support Center.
    Values: Enable, Disable
    Default: Disable
    Note: When Enable masking between DDoS Protector and Alteon is selected, the AppShape++ script on the Alteon appliance must be enabled. When this option is disabled, the AppShape++ script must be disabled. Otherwise, no traffic will flow between DDoS Protector and Alteon.

Masking Key
    The 16-character XOR key for masking the traffic between DDoS Protector and Alteon.
    Note: Unexpected behavior is likely to occur if Enable masking between DDoS Protector and Alteon is selected and the Masking Key field is empty.

SYN Protection Advanced Parameters


The SYN Protection Advanced Settings pane exposes the advanced SYN Protection tuning
parameters.

To set the SYN protection advanced parameters:


1. Select DDoS Protector > Denial of Service > SYN Protection > Advanced Parameters.
2. Configure the parameters and click Set.

Parameter Description

SSL Mitigation Status
    Specifies whether the appliance enables the SSL Mitigation mechanism with an Alteon appliance.
    Default: disable
    For more information, see the user guide.

Tracking time
    The time, in seconds, that the appliance tracks the number of SYN packets directed to the same destination. DDoS Protector uses the value to determine when to activate and deactivate SYN Protections.
    Values: 1–10
    Default: 5

Minimum Allowed SYN Retransmission Time
    The minimum time, in seconds, for the SYN-packet retransmission in the Safe-Reset authentication mechanism to consider the retransmission to be valid. (This parameter is supported only on x412 platforms.)
    Values: 2–15
    Default: 2

Maximum Allowed SYN Retransmission Time
    The maximum time, in seconds, for the SYN-packet retransmission in the Safe-Reset authentication mechanism to consider the retransmission to be valid. (This parameter is supported only on x412 platforms.)
    Values: 2–15
    Default: 4

Attacks
SYN Static Attacks
Predefined SYN Protections, referred to as SYN Static Attacks, are available for the most common
applications: FTP, HTTP, HTTPS, IMAP, POP3, RPS, RTSP, SMTP, and Telnet. The thresholds are
predefined by Check Point.
Use the SYN Protection Static Attack Configuration pane to change the thresholds for these
attacks. You cannot delete SYN Static Attacks.
Note: DDoS Protector x06 models do not support physical-port classification for SYN Protection.
When triggered, all traffic that matches the attacked destination (classified by destination IP
address, Layer 4 port number, and optionally a VLAN tag) will be challenged, regardless of the
physical port identification. That is, even if the attack is carried out through a specific physical
port, all traffic from all ports that matches the other parameters will be challenged.

To edit a static attack:


1. Select DDoS Protector > Denial of Service > SYN Protection > Attacks > Static.
2. Click on the name of an attack that you want to edit.
3. Configure the parameters, and click Set.

Parameter Description

ID
    (Read-only) The ID number assigned to the protection.

Attack Name
    A name for easy identification of the attack for configuration and reporting.

ApplicationPortGroup
    (Read-only) The group of TCP ports that represent the application that you want to protect.

Activation Threshold
    If the average rate of SYN packets received at a certain destination is higher than this threshold, the protection is activated.
    Values: 1–150,000
    Default: 2500

Termination Threshold
    If the average rate of SYN packets received at a certain destination for the duration of the tracking period drops below this threshold, the protection is stopped.
    Values: 1–150,000
    Default: 1500

Attack Type
    (Read-only) Specifies whether the SYN protection is a predefined (static) or user-defined (user) protection.

Risk
    The risk level assigned to this attack for reporting purposes.
    Values:
    • low
    • medium
    • high

SYN User Attacks


After you define SYN flood protections, you can add them to SYN profiles.
Note: DDoS Protector x06 models do not support physical-port classification for SYN Protection.
When triggered, all traffic that matches the attacked destination (classified by destination IP
address, Layer 4 port number, and optionally a VLAN tag) will be challenged, regardless of the
physical port identification. That is, even if the attack is carried out through a specific physical
port, all traffic from all ports that matches the other parameters will be challenged.

To edit a static attack:


1. Select DDoS Protector > Denial of Service > SYN Protection > Attacks > Static.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

SYN Protection Static Attack Parameters


Parameter Description

ID
    The ID number assigned to the protection.
    Enter 0 to cause the appliance to generate a valid ID.

Attack Name
    A name for easy identification of the attack for configuration and reporting.

ApplicationPortGroup
    The group of TCP ports that represent the application that you want to protect.

Activation Threshold
    If the average rate of SYN packets received at a certain destination is higher than this threshold, the protection is activated.
    Values: 1–150,000
    Default: 2500

Termination Threshold
    If the average rate of SYN packets received at a certain destination for the duration of the tracking period drops below this threshold, the protection is stopped.
    Values: 1–150,000
    Default: 1500

Attack Type
    (Read-only) Specifies whether the SYN protection is a predefined (static) or user-defined (user) protection.

Risk
    The risk level assigned to this attack for reporting purposes.
    Values:
    • low
    • medium
    • high

Profiles
SYN Static Profiles
Use the SYN Profiles pane to create a new SYN Profile. First, you need to create a profile, and then
add the attacks you wish to protect against. The profile may then be included in the SYN Protection
Policy.

To create a new SYN profile:


1. Select DDoS Protector > Denial of Service > SYN Protection > Profiles > Profile Attacks.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

SYN Protection Profile Attack Parameters


Parameter Description

SYN Profile
    The name for the profile.

SYN Attack
    From the drop-down list, select the type of attacks to include in this profile.

SYN Protection Profiles Parameters


Use the SYN Protection Profiles Parameters pane to specify the authentication parameters of an
existing profile.

To specify the authentication parameters of a profile:


1. Select DDoS Protector > Denial of Service > SYN Protection > Profiles > Profiles Parameters.
2. Click the profile in the Profile Name column.
3. Configure the parameters, and click Set.
Parameter Description

Profile Name
    (Read-only) The name of the profile.

Authentication Method
    The Authentication Method that the appliance uses at the transport layer.
    When DDoS Protector is installed in an ingress-only topology, select the Safe-Reset method.
    Values:
    • transparent-proxy: When DDoS Protector receives a SYN packet, DDoS Protector replies with a SYN ACK packet with a cookie in the Sequence Number field. If the response is an ACK that contains the cookie, DDoS Protector considers the session to be legitimate. Then, DDoS Protector opens a connection with the destination and acts as a transparent proxy between the source and the destination.
    • safe-reset: When DDoS Protector receives a SYN packet, DDoS Protector responds with an ACK packet with an invalid Sequence Number field as a cookie. If the client responds with RST and the cookie, DDoS Protector discards the RST packet, and adds the source IP address to the TCP Authentication Table. The next SYN packet from the same source (normally, a retransmit of the previous SYN packet) passes through DDoS Protector, and the session is approved for the server. DDoS Protector saves the source IP address for a specified time.
    Default: transparent-proxy

Authentication Method
    The Authentication Method that the appliance uses at the transport layer.
    When DDoS Protector is installed in an ingress-only topology, select the Safe-Reset method.
    Values:
    • transparent-proxy: When the appliance receives a SYN packet, the appliance replies with a SYN ACK packet with a cookie in the Sequence Number field. If the response is an ACK that contains the cookie, DDoS Protector considers the session to be legitimate. Then, DDoS Protector opens a connection with the destination and acts as a transparent proxy between the source and the destination.
    • safe-reset: When DDoS Protector receives a SYN packet, DDoS Protector responds with an ACK packet with an invalid Sequence Number field as a cookie. What happens next differs slightly depending on the platform (see note1 below), but includes DDoS Protector adding the source IP address to the TCP Authentication Table. Finally, the next SYN packet from the same source (normally, in the case of non-x412 platforms, a retransmit of the previous SYN packet) passes through DDoS Protector, and the session is approved for the server. DDoS Protector saves the source IP address for a specified time. Typically, you specify this method when the network policy handles only ingress traffic.
    Default: transparent-proxy

HTTP Authentication
    Specifies whether the appliance authenticates the transport layer of HTTP traffic using SYN cookies and then authenticates the HTTP application layer using the specified HTTP Authentication Method.
    Values:
    • enable: The appliance authenticates the transport layer of HTTP traffic using SYN cookies and then authenticates the HTTP application layer using the specified HTTP Authentication Method.
    • disable: The appliance handles HTTP traffic using the specified TCP Authentication Method.
    Default: disable

HTTP Authentication method
    The method that the profile uses to authenticate HTTP traffic at the application layer.
    Values:
    • Redirect: The appliance authenticates HTTP traffic using a 302-Redirect response code.
    • JavaScript: The appliance authenticates HTTP traffic using a JavaScript object generated by the appliance.
    • Advanced JavaScript: DDoS Protector authenticates HTTP traffic using an obfuscated and polymorphic challenge, which can overcome advanced attack tools.
    Default: Redirect
    Note: The Cloud Authentication option is not relevant for DDoS Protector, and selecting it may cause unexpected results.
    Some attack tools are capable of handling 302-redirect responses. The HTTP Redirect HTTP Authentication Method is not effective against attacks that use those tools. The JavaScript HTTP Authentication Method requires an engine on the client side that supports JavaScript, and therefore, the JavaScript option is considered stronger. However, the JavaScript option has some limitations, which are relevant in certain scenarios.
    Limitations when using the JavaScript HTTP Authentication Method:
    • If the browser does not support JavaScript calls, the browser will not answer the challenge.
    • When the protected server is accessed as a sub-page through another (main) page only using JavaScript, the user session will fail (that is, the browser will not answer the challenge). For example, if the protected server supplies content that is requested using a JavaScript tag, the DDoS Protector JavaScript is enclosed within the original JavaScript block. This violates JavaScript rules, which results in a challenge failure.
    Example: The request below (the js.src line) accesses a secure server:

        <script>
        setTimeout(function(){
            var js=document.createElement("script");
            js.src="http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
            document.getElementsByTagName("head")[0].appendChild(js);
        },1000);
        </script>

    The returned challenge page contains the <script> tag again, which is illegal, and therefore, it is dropped by the browser without making the redirect.

TCP-Reset Status
    Specifies whether DDoS Protector uses the TCP-Reset method ("TCP Reset" on page 150) for HTTP, HTTPS, SMTP, and custom-protocol traffic instead of the specified Authentication Method (Transparent Proxy or Safe-Reset).
    Check Point recommends enabling this option in symmetric and ingress-only environments that include HTTP, HTTPS, and SMTP traffic.
    Default: Disabled

TCP Reset
Check Point recommends enabling the TCP-Reset option in symmetric and ingress-only
environments that include HTTP, HTTPS, and SMTP traffic.
Note: When DDoS Protector implements the TCP-Reset mechanism, according to the relevant
RFCs (for HTTP, HTTPS, and SMTP), a new connection must be initiated automatically when the
original connection is reset (in this case, by the TCP-Reset mechanism). For browsers that fully
comply with this aspect of the RFCs, the connection will be re-initiated automatically, and the user
will experience a delay of approximately three seconds with no additional latency expected during
the authentication period. (The authentication period is determined by the TCP Authentication
Table Aging parameter, which, by default, is 20 minutes). For browsers that do not fully comply
with this aspect of the RFCs, legitimate users will receive a notification that the connection is
reset and will need to manually retry the connection. After the retry, the users will be able to
browse with no additional latency expected during the authentication period.
When the TCP-Reset Status is enable, DDoS Protector uses the TCP-Reset authentication method
for HTTP, HTTPS, SMTP, and custom-protocol traffic instead of the specified Authentication
Method (Transparent Proxy or Safe Reset).
Custom-protocol refers to traffic that you define for the TCP-Reset method to handle. To enable
you to do this, DDoS Protector exposes two system-defined Application Port Groups:
TCPReset-ACK and TCPReset-Data. These Application Port Groups are dummy groups, which are
defined with Layer 4 port 0 (zero).
When DDoS Protector implements the TCP-Reset method, DDoS Protector tries to match packets
to a relevant Application Port Group according to the following order:
1. HTTP
2. HTTPS
3. SMTP
4. TCPReset-Data
5. TCPReset-ACK
DDoS Protector handles packets in a session according to the first packet that matched one of the
relevant Application Port Groups.
When the TCP-Reset option is enabled, DDoS Protector does the following:
1. When it receives a SYN packet, DDoS Protector replies with a SYN-ACK packet with a cookie in
the Sequence Number field using the original destination IP address and MAC, without any
additional authentication parameters (cookies).

2. If the response is an ACK with the cookie:
   a) In HTTP or HTTPS traffic or custom-protocol traffic with the TCPReset-Data Application Port Group, DDoS Protector waits for the first data packet from the client. (If DDoS Protector receives an ACK with no data before the first data packet, DDoS Protector drops the packet.) When the DDoS Protector appliance receives data, it replies with a RST packet, and saves the source IP address in the TCP Authentication table.
   b) For SMTP or custom-protocol traffic with the TCPReset-ACK Application Port Group, DDoS Protector replies with a RST packet, and saves the source IP address in the TCP Authentication table.
   Note: HTTP, HTTPS, and SMTP sources respond automatically to a RST packet by re-sending a SYN; that is, the source automatically retries to open the connection with the protected server. Legitimate clients are expected to retry and open a new connection towards the protected server.
3. DDoS Protector checks each SYN packet against the entries in the TCP Authentication table. If there is a match, DDoS Protector forwards the packet to the other DDoS Protector inspection modules and later forwards the SYN packet to the destination as-is, so the protected server will open a connection with the source.
4. Once DDoS Protector has authenticated a source, DDoS Protector does not challenge the source again during the authentication period. (The authentication period is determined by the TCP Authentication Table Aging parameter, which, by default, is 20 minutes.)
Notes:
• If DDoS Protector receives multiple SYNs from the same source, DDoS Protector implements the TCP-Reset authentication process per SYN packet, until one of the connections is authenticated.
• DDoS Protector always uses the TCPReset-Data behavior (see step 2 above) for traffic through ports included in the HTTP Application Port Group and HTTPS Application Port Group.
• DDoS Protector always uses the TCPReset-ACK behavior (see step 2 above) for traffic through ports included in the SMTP Application Port Group.
• When you enable both HTTP Authentication and TCP-Reset, DDoS Protector uses the HTTP Authentication method, not the TCP-Reset method, except when SSL Mitigation is enabled.
• When SSL Mitigation is enabled, DDoS Protector always uses the TCP-Reset method, regardless of other SYN Protection profile configuration.
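The Safe-Reset exchange described under Authentication Method (and used as the first phase of SSL Mitigation) and the TCP-Reset exchange described above, simulated from the appliance's side as an added Python example that is not DDoS Protector code: the packet model, the port membership of each Application Port Group, the cookie derivation and the `handle` return values are assumptions; the TCP Authentication Table aging and the port-group precedence follow the page.

```python
# Added illustration (not DDoS Protector code) of the Safe-Reset and TCP-Reset methods
# described on this page; packet model, port-group membership and cookie are assumptions.
import zlib
from dataclasses import dataclass

# Matching precedence as stated on the page: HTTP, HTTPS, SMTP, TCPReset-Data, TCPReset-ACK.
# Port membership is constructed for the example (the page ships the TCPReset groups with port 0).
PORT_GROUPS = (
    ("HTTP", {80, 8080}),
    ("HTTPS", {443}),
    ("SMTP", {25, 587}),
    ("TCPReset-Data", {9100}),  # custom protocol: reset after the first data packet
    ("TCPReset-ACK", {7000}),   # custom protocol: reset on the bare ACK
)
DATA_BEHAVIOUR = {"HTTP", "HTTPS", "TCPReset-Data"}  # reset only once the client sends data

@dataclass
class Packet:
    src: str            # source IP address
    dport: int          # destination TCP port on the protected server
    flags: str          # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""

def port_group(dport):
    """First Application Port Group containing dport, in the page's precedence order."""
    for name, ports in PORT_GROUPS:
        if dport in ports:
            return name
    return None

def cookie_for(pkt):
    """Deterministic per-source cookie (assumed; the appliance's derivation is not published)."""
    return zlib.crc32(f"{pkt.src}:{pkt.dport}".encode()) & 0xFFFFFFFF

class TcpAuthTable:
    """Authenticated sources; entries age out after `aging` seconds (page default: 20 minutes)."""
    def __init__(self, aging=20 * 60):
        self.aging = aging
        self.entries = {}  # src IP -> time of authentication

    def add(self, src, now):
        self.entries[src] = now

    def is_authenticated(self, src, now):
        stamp = self.entries.get(src)
        if stamp is not None and now - stamp <= self.aging:
            return True
        self.entries.pop(src, None)  # missing or aged out: must authenticate again
        return False

class SafeReset:
    """Reply to a SYN with an ACK carrying an invalid sequence number used as a cookie;
    a real TCP stack answers with a RST echoing it, which authenticates the source."""
    def __init__(self, table):
        self.table = table
        self.pending = {}  # src IP -> cookie sent

    def handle(self, pkt, now):
        """Return (action, reply): action is 'forward' or 'drop', reply a Packet or None."""
        if pkt.flags == "SYN":
            if self.table.is_authenticated(pkt.src, now):
                return "forward", None  # the retransmitted SYN passes to the server as-is
            cookie = cookie_for(pkt)
            self.pending[pkt.src] = cookie
            return "drop", Packet("appliance", pkt.dport, "ACK", seq=cookie)
        if pkt.flags == "RST" and self.pending.get(pkt.src) == pkt.seq:
            self.pending.pop(pkt.src)
            self.table.add(pkt.src, now)  # RST with the cookie: source authenticated
        return "drop", None  # the RST itself, and anything unexpected, is discarded

class TcpReset:
    """SYN cookie in the SYN-ACK, then a RST once the session proves itself: on the bare
    ACK (SMTP, TCPReset-ACK) or on the first data packet (HTTP, HTTPS, TCPReset-Data)."""
    def __init__(self, table):
        self.table = table
        self.pending = {}  # src IP -> (group of the first packet, cookie)

    def handle(self, pkt, now):
        group = port_group(pkt.dport)
        if group is None:
            return "not-applicable", None  # left to the profile's Authentication Method
        if pkt.flags == "SYN":
            if self.table.is_authenticated(pkt.src, now):
                return "forward", None  # authenticated source: the SYN reaches the server
            cookie = cookie_for(pkt)
            self.pending[pkt.src] = (group, cookie)
            return "drop", Packet("appliance", pkt.dport, "SYN-ACK", seq=cookie)
        state = self.pending.get(pkt.src)
        if state is None or pkt.flags != "ACK" or pkt.ack != state[1] + 1:
            return "drop", None  # no cookie match: not a challenged session
        if state[0] in DATA_BEHAVIOUR and not pkt.payload:
            return "drop", None  # bare ACK before the first data packet is dropped
        self.pending.pop(pkt.src)
        self.table.add(pkt.src, now)
        return "drop", Packet("appliance", pkt.dport, "RST")  # client is expected to retry
```

Feeding the same source's retransmitted SYN after the RST exchange returns `forward`, while a RST that does not echo the cookie leaves the source unauthenticated.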

To define custom-protocol traffic for the TCP-Reset method:


1. Create a new Application Port Group as follows:
a) Select Classes > Modify > Appl. Port Groups> Create.
b) In the Name text box, type TCPReset-ACK or TCPReset-Data, according to the
TCP-Reset behavior that you require (see step 2 above).
c) In the From Port text box, type the first port in the range.
d) In the To Port text box, type the last port in the range.
Note: To define a group with a single port, type the same value in the From L4 Port and To
L4 Port text boxes.

e) Click Set.
f) Select Classes > Update Policies and click Set.
2. Configure a SYN Protection profile as follows:
a) Configure a SYN Protection for the SYN Protection Profile in the previous step, and, in the
ApplicationPortGroup text box, type TCPReset-ACK or TCPReset-Data as you require.
b) Click Set.

Out-of-State
Out-of-State Global Parameters
Out of State Protection detects out-of-state packets to provide additional protection for
application-level attacks.

To configure global out-of-state parameters:


1. Select DDoS Protector > Denial of Service > Out-of-State > Global Parameters.
2. From the Protection Status drop-down list, choose enable.
3. Click Set and confirm reset.
4. Configure the parameters, and click Set.
Parameter Description

Protection Status
    Specifies whether the appliance enables Out-of-State Protection configuration and learning.

Startup Mode
    The behavior of the appliance after startup.
    Values:
    • On: Start Out-of-State Protection action immediately after startup (with no time to learn traffic and sessions). Sessions that started before startup get dropped. Only new, valid sessions are allowed.
    • Off: Do not start Out-of-State Protection after startup or reboot.
    • Graceful: After startup, start learning sessions (and updating the Session table) for the time specified by the Startup Timer parameter. Then, begin Out-of-State Protection actions.
    Default: Graceful
    When the value is Off or Graceful, to start Out-of-State Protection immediately after startup (with no learning of traffic and sessions), from the Operational State drop-down list, select On.

StartUp Timer
    When the selected Startup Mode is Graceful, this parameter specifies the time, in seconds, after startup or reboot, that the DDoS Protector delays Out-of-State Protection actions and only registers all sessions in the Session table, including sessions whose initiation was not registered (for example, SYN with TCP). After this time, DDoS Protector drops new sessions whose initiation was not registered (for example, SYN with TCP).
    Values: 0–65,535
    Default: 1800

Operational State
    Values:
    • Enabled: Activate Out-of-State Protection actions immediately.
    • Disabled: Deactivate Out-of-State Protection actions immediately.
    When the Operational State is On and the Update Policies action starts, DDoS Protector clears the checkbox and suspends Out-of-State Protection actions for 30 seconds. These 30 seconds give DDoS Protector some time to learn traffic and sessions, thereby reducing chances for false positives.
    When the selected Startup Mode is Off or Graceful, to start Out-of-State Protection immediately after startup (with no learning of traffic and sessions), set Operational State to On.
    When the Operational State is On and the selected Startup Mode is Graceful, after startup, the Operational State field is cleared for the duration of the Startup Timer. After the Startup Timer has elapsed, the Operational State turns On automatically.
    When the Operational State is On and the selected Startup Mode is Off, after startup, the Operational State is set to Off.

Out-of-State Profiles
Out of State Protection detects out-of-state packets to provide additional protection for
application-level attacks.
Note: In cases of overlapping network policies configured with Out-of-State profiles, attacks
triggered on both policies are reported twice, once per policy. Therefore, there might be some
inconsistencies in the DDoS Protector counter values for discarded traffic.
DDoS Protector x06 platforms use two CPUs to handle the activation and termination of Out of
State protection. DDoS Protector issues an Occurred trap when half the threshold is reached on
one CPU, and DDoS Protector does not issue Start or Term (terminated) traps. There is a small
chance that DDoS Protector will report Out-of-State security events even if the specified
thresholds have not been reached.

To configure an Out of State Protection profile:


1. Select DDoS Protector > Denial of Service > Out-of-State > Profiles.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

DDoS Protector User Guide 6.14 | 153


DDoS Protector

Parameter Description

Profile Name: The name of the profile.

Activation Threshold: The rate, in PPS, of out-of-state packets above which the profile
considers the packets to be part of a flood attack. When the appliance detects an attack,
it issues an appropriate alert and drops the out-of-state packets that exceed the
threshold. Packets that do not exceed the threshold bypass the DDoS Protector appliance.
Values: 1 - 250,000
Default: 5000

Termination Threshold: The rate, in PPS, of out-of-state packets below which the profile
considers the flood attack to have stopped, and the appliance resumes normal operation.
Values: 1 - 250,000
Default: 4000

SYN-ACK Allow status: Specifies how the appliance handles a SYN-ACK packet for which it has
received no corresponding SYN packet.
Values:
• enable: When the appliance receives a SYN-ACK packet for which the appliance has
received no corresponding SYN packet, the appliance opens a session for the packet and
processes it. This option supports asymmetric environments, when the first packet that the
appliance receives is the SYN-ACK.
• disable: When the appliance receives a SYN-ACK packet for which the appliance has
received no corresponding SYN packet, the appliance drops the packet and counts it in the
Activation Threshold and Termination Threshold.
Default: enable

Packet Trace status: Specifies whether the profile sends out-of-state packets to the specified
physical port.
Values: enable, disable
Default: disable

Packet Reporting status: Specifies whether the profile reports out-of-state packets.
Values: enable, disable
Default: disable

Profile Risk: The risk (for reporting purposes) assigned to the attack that the profile detects.
Values: info, low, medium, high
Default: low

Profile Action: The action that the profile takes when it encounters out-of-state packets.
Values: Block and Report, Report Only
Default: Block and Report
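The Activation/Termination Threshold hysteresis and the SYN-ACK Allow behaviour described in the table above, as an added Python example (not Check Point code and not taken from the appliance). It assumes a simplified session model (a SYN opens a session; a SYN-ACK with no matching SYN opens one only when SYN-ACK Allow is enabled), that "drops the out-of-state packets that exceed the threshold" means the first N out-of-state packets per second pass and the rest are dropped, and it uses small thresholds in demo() so the state changes are visible in four seconds of constructed packets.

```python
from dataclasses import dataclass, field


@dataclass
class OutOfStateProfile:
    """Profile values from the table above; thresholds are in PPS."""
    activation_threshold: int = 5000
    termination_threshold: int = 4000
    syn_ack_allow: bool = True          # SYN-ACK Allow status: enable
    action: str = "Block and Report"    # or "Report Only"


@dataclass
class OutOfStateState:
    attack_active: bool = False
    sessions: set = field(default_factory=set)   # (client, server) pairs opened by a SYN
    events: list = field(default_factory=list)


def is_out_of_state(pkt, state, profile):
    """True if a TCP packet fits no known session (assumed session model).

    A SYN opens a session. A SYN-ACK with no matching SYN opens the session
    only when syn_ack_allow is set (asymmetric routing); otherwise it counts
    as out-of-state, mirroring the SYN-ACK Allow status parameter.
    """
    key = (pkt["src"], pkt["dst"])
    reverse = (pkt["dst"], pkt["src"])
    if pkt["flags"] == "SYN":
        state.sessions.add(key)
        return False
    if key in state.sessions or reverse in state.sessions:
        return False
    if pkt["flags"] == "SYN-ACK" and profile.syn_ack_allow:
        state.sessions.add(reverse)   # server->client SYN-ACK opens the client->server session
        return False
    return True


def process_second(packets, state, profile):
    """Process one second of packets; return (out_of_state_rate, dropped).

    Hysteresis: the attack starts when the out-of-state rate exceeds the
    Activation Threshold and ends only when it falls below the Termination
    Threshold. While the attack is active and the action is Block and
    Report, out-of-state packets beyond the activation threshold are dropped
    and the rest bypass the appliance.
    """
    rate = sum(1 for p in packets if is_out_of_state(p, state, profile))
    if not state.attack_active and rate > profile.activation_threshold:
        state.attack_active = True
        state.events.append(("start", rate))
    elif state.attack_active and rate < profile.termination_threshold:
        state.attack_active = False
        state.events.append(("stop", rate))
    dropped = 0
    if state.attack_active and profile.action == "Block and Report":
        dropped = max(0, rate - profile.activation_threshold)
    return rate, dropped


def make_packets(n_oos, n_legit, syn_ack_orphans=0):
    """Constructed one-second batch: legit SYN+ACK pairs, stray ACKs, orphan SYN-ACKs."""
    server = "203.0.113.10"
    pkts = []
    for i in range(n_legit):
        src = f"10.0.0.{i % 200 + 1}"
        pkts.append({"src": src, "dst": server, "flags": "SYN"})
        pkts.append({"src": src, "dst": server, "flags": "ACK"})
    for i in range(n_oos):
        pkts.append({"src": f"198.51.100.{i % 250 + 1}", "dst": server, "flags": "ACK"})
    for i in range(syn_ack_orphans):
        pkts.append({"src": server, "dst": f"192.0.2.{i % 250 + 1}", "flags": "SYN-ACK"})
    return pkts


def demo(syn_ack_allow=True):
    """Small thresholds (assumed) so the hysteresis is visible in four seconds."""
    profile = OutOfStateProfile(activation_threshold=5, termination_threshold=3,
                                syn_ack_allow=syn_ack_allow)
    state = OutOfStateState()
    seconds = [make_packets(2, 3), make_packets(8, 3, syn_ack_orphans=2),
               make_packets(4, 3), make_packets(1, 3)]
    return [process_second(s, state, profile) for s in seconds], state.events


if __name__ == "__main__":
    print(demo(True))    # orphan SYN-ACKs open sessions and are not counted
    print(demo(False))   # orphan SYN-ACKs count toward the thresholds
```

With SYN-ACK Allow enabled the second-second rate is 8 and the attack starts; with it disabled the two orphan SYN-ACKs are counted too (rate 10) and two more packets are dropped. In both runs the attack only ends once the rate drops below the termination threshold, not merely below the activation threshold.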

Connection Limit
Connection Limit Profiles
Use the Connection Limit Profiles pane to create Connection Limit profiles.
Connection Limit profiles contain attack definitions for groups of TCP or UDP application ports.
DDoS Protector counts the number of TCP connections, or UDP sessions, opened per client, per
server, or per client plus server combination, for traffic that matches a Connection Limit policy
attack definition. Once the number of connections per second reaches the specified threshold, any
session/connection over the threshold is dropped, unless the action mode defined for this attack is
Report Only.
You can also define whether to suspend the source IP address, dropping traffic from this source
for a number of seconds according to the Suspend table parameters.
Recommended settings for policies that include Connection Limit profiles:
• Configure policies containing Connection Limit profiles using Networks only with source = Any,
the public network, and destination = Protected Network. You can define segments using VLAN
tag, MPLS RDs, and physical ports.
• It is not recommended to define networks when the Source and Destination are set to any.
• Policies containing Connection Limit profiles can be configured with Direction set to either
oneway or twoway.
Before you configure a Connection Limit profile, ensure the following:
• Connection Limit protection is enabled.
• The Session table Lookup Mode is Full Layer 4.
• (Recommended) The required Connection Limit attacks are configured.
A Connection Limit profile should include all the Connection Limit Attacks that you want to apply
in a network protection policy.
Connection Limit Attacks are also referred to as Connection Limit protections.

To configure a new Connection Limit profile:


1. Select DDoS Protector > Denial of Service > Connection Limit > Profiles.
2. Click Create.
3. In the Connection Limiting Profile text box, type the name of the Connection Limit profile.
4. From the Connection Limiting Attack drop-down list, select a Connection Limit Attack to
include in the profile.
5. Click Set.


To add a Connection Limit Attack to a Connection Limit profile:


1. Select DDoS Protector > Denial of Service > Connection Limit > Profiles.
2. Click the profile link in the table.
3. Click Create.
4. From the Connection Limiting Attack drop-down list, select a Connection Limit Attack to
include in the profile.

Connection Limit Attacks


Use the Connection Limit Attacks pane to define a Connection Limit Attack.
Configure Connection Limit Attacks to add to Connection Limit profiles for network protection.
Connection Limit Attacks are also referred to as Connection Limit protections.

To configure a Connection Limit Attack:

1. Select DDoS Protector > Connection Limit > Attacks.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

ID: (Read-only) The ID number assigned to the Connection Limit protection.

Attack Name: A descriptive name for easy identification of the attack in configuration
and reporting.

Destination App. Port: A group of Layer 4 ports that represent the application you want to
protect.

Protocol: The Layer 4 protocol of the application you want to protect.
Values: tcp, udp
Default: tcp

Threshold: The maximum number of new TCP connections, or new UDP sessions, per second,
allowed for each source, destination or source-and-destination pair. All additional sessions
are dropped. When the threshold is reached, attacks are identified and a security event
generated.
Default: 5

Tracking Type: The counting rule for tracking sessions.
Values:
• Source and Target Count: Sessions are counted per source IP and destination IP address
combination.
• Source Count: Sessions are counted per source IP address.
• Target Count: Sessions are counted per destination IP address.
Default: Source Count
When Tracking Type is Target Count, the Suspend Action can only be None.

Action Mode: The action when an attack is detected.
Values:
• Drop: The packet is discarded.
• Report-only: The packet is forwarded to the destination IP address.
• Reset Source: Sends a TCP-Reset packet to the packet source IP address.
Default: Drop

Packet Report: Specifies whether to enable logging a copy of the filtered packet.
Default: disable

Risk: The risk assigned to this attack for reporting purposes.
Values: High, Info, Low, Medium
Default: Medium

Suspend Action: Specifies which session traffic the appliance suspends for the attack
duration.
Values:
• None: Suspend action is disabled for this attack.
• SrcIP: All traffic from the IP address identified as the source of this attack is suspended.
• SrcIP, DestIP: Traffic from the IP address identified as the source of this attack to the
destination IP address under attack is suspended.
• SrcIP, DestPort: Traffic from the IP address identified as the source of this attack to the
application (Destination port) under attack is suspended.
• SrcIP, DestIP, DestPort: Traffic from the IP address identified as the source of this attack
to the destination IP address and port under attack is suspended.
• SrcIP, DestIP, SrcPort, DestPort: Traffic from the IP address and port identified as the
source of this attack to the destination IP address and port under attack is suspended.
Default: None
When Tracking Type is Target Count, the Suspend Action can only be None.

Packet Trace: Specifies whether the DDoS Protector appliance sends attack packets to the
specified physical port.

PPS
PPS Limit Profiles
PPS Limit profiles (also referred to as Connection PPS Limit profiles) defend against attacks that
flood established TCP connections (not necessarily many connections) with a high PPS rate of
legitimate or non-legitimate packets.
You can configure up to 50 PPS Limit profiles on a DDoS Protector appliance.
Before you configure a PPS Limit profile, ensure the following:
• The Session table Lookup Mode is Full Layer 4.
• (Recommended) The required PPS Limit attacks (that is, attack protections) are configured.
A PPS Limit profile should contain all the PPS Limit attack protections that you want to apply in a
Network Protection policy.

To configure a new PPS Limit profile:


1. Select DDoS Protector > Denial of Service > PPS > Profiles.
2. Click Create.


3. In the PPS Limiting Profile text box, type the name of the PPS Limit profile.
4. From the PPS Limit Attack drop-down list, select a PPS attack protection to include in the
profile.
5. Click Set.

To add a PPS Attack to a PPS Limit profile:


1. Select DDoS Protector > Denial of Service > PPS > Profiles.
2. Click the profile link in the table.
3. Click Create.
4. From the PPS Attack drop-down list, select a PPS attack protection to include in the profile.

PPS Attacks
Use the PPS Attacks pane to define a PPS Limit Attack.
Configure PPS Limit attacks (that is, attack protections) to add to PPS Limit profiles for network
protection.
PPS Limit Attacks are also referred to as PPS Limit protections.

To configure a PPS Limit Attack:


1. Select DDoS Protector > PPS > Attacks.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

PPS Limit Protection Parameters


Parameter Description

ID: (Read-only) The ID number assigned to the PPS Limit protection.

Attack Name: Descriptive name for easy identification when configuring and reporting.

Destination App. Port: The group of Layer 4 ports representing the application you want to
protect.
Values:
• The name of an Application Port Group class displayed under the Appl. Port Groups
• An application-port number
• Empty (specifies all ports)
Note: When the field is empty, no matter which port the traffic is destined to, as soon as the
traffic exceeds the Activation Threshold, DDoS Protector applies the specified Action Mode.

Activation Threshold: The PPS threshold on a single connection that activates the protection
after the specified Activation Period.
Values: 1 - 4,294,967,295
Default: 10,000

Termination Threshold: The PPS threshold on all the connections that deactivates the
protection after the Termination Period. That is, when the PPS rate falls below the specified
threshold on all the connections, DDoS Protector considers the attack to have ended after the
Termination Period.
Values: 1 - 4,294,967,295
Default: 9000
The Termination Threshold must be less than or equal to the Activation Threshold.

Drop Threshold: The PPS rate that the protection allows on the connections during an attack.
DDoS Protector drops packets exceeding the specified Drop Threshold.
Values: 1 - 4,294,967,295
Default: 0

Risk: The risk assigned to this attack for reporting purposes.
Values: high, info, low, medium
Default: medium

Action Mode: The action that DDoS Protector takes when an attack is detected.
Values: report-only, drop
Default: drop

Tracking Type: What the protection tracks the PPS rate on.
Value: Per Connection

Activation Period: The time, in seconds, after the PPS rate on a connection has exceeded the
Activation Threshold, that DDoS Protector considers a PPS attack to have started and starts
the configured protection measures.
Values: 1 - 120
Default: 5

Term Period: The time, in seconds, after the PPS rate on a connection has fallen below the
Termination Threshold, that DDoS Protector considers a PPS attack to have ended.
Values: 1 - 120
Default: 2

Packet Trace: Specifies whether the DDoS Protector appliance sends attack packets to the
specified physical port.
Values: enable, disable
Default: disable
Note: When this feature is enabled here, for the feature to take effect, the global setting must
be enabled. In addition, a change to this parameter takes effect only after you update policies.
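The per-connection Activation Threshold + Activation Period, Termination Threshold + Term Period and Drop Threshold semantics from the PPS Limit protection table above, as an added Python example (not Check Point code). It assumes periods are counted in whole seconds of consecutive measurements, takes per-second packet counts per connection as input, and uses small assumed rates in demo(); the page gives Drop Threshold a default of 0, so the demo sets it explicitly to show that packets above it are dropped while the rest pass.

```python
class PpsLimitAttack:
    """Per-connection PPS tracker following the PPS Limit protection parameters."""

    def __init__(self, activation_threshold=10_000, termination_threshold=9_000,
                 drop_threshold=0, activation_period=5, term_period=2, action="drop"):
        if termination_threshold > activation_threshold:
            raise ValueError("Termination Threshold must be <= Activation Threshold")
        self.activation_threshold = activation_threshold
        self.termination_threshold = termination_threshold
        self.drop_threshold = drop_threshold      # PPS allowed per connection during an attack
        self.activation_period = activation_period
        self.term_period = term_period
        self.action = action                      # "drop" or "report-only"
        self.active = False
        self.over = {}      # connection -> consecutive seconds above the activation threshold
        self.quiet = 0      # consecutive seconds with every connection below the termination threshold
        self.log = []

    def tick(self, pps_by_connection):
        """Process one second of per-connection packet counts.

        Assumption: a period is counted in whole seconds, so the attack starts
        on the activation_period-th consecutive second a connection stays above
        the Activation Threshold, and ends on the term_period-th consecutive
        second in which every connection stays below the Termination Threshold.
        Returns {connection: packets dropped this second}.
        """
        # Activation: track how long each connection has stayed above the threshold.
        self.over = {c: self.over.get(c, 0) + 1
                     for c, pps in pps_by_connection.items()
                     if pps > self.activation_threshold}
        if not self.active and any(n >= self.activation_period for n in self.over.values()):
            self.active = True
            self.log.append("start")
        # Termination: all connections must be below the threshold for term_period seconds.
        if self.active:
            if all(pps < self.termination_threshold for pps in pps_by_connection.values()):
                self.quiet += 1
            else:
                self.quiet = 0
            if self.quiet >= self.term_period:
                self.active, self.quiet = False, 0
                self.log.append("stop")
        if not (self.active and self.action == "drop"):
            return {c: 0 for c in pps_by_connection}
        # During an attack only the Drop Threshold rate is allowed per connection.
        return {c: max(0, pps - self.drop_threshold) for c, pps in pps_by_connection.items()}


def demo():
    """Constructed rates (assumed small values): connection A bursts, B stays quiet."""
    attack = PpsLimitAttack(activation_threshold=100, termination_threshold=80,
                            drop_threshold=50, activation_period=2, term_period=2)
    seconds = [{"A": 150, "B": 20}, {"A": 160, "B": 20}, {"A": 90, "B": 20},
               {"A": 30, "B": 20}, {"A": 30, "B": 20}]
    return [attack.tick(s) for s in seconds], attack.log


if __name__ == "__main__":
    print(demo())
```

Note how the third second (A at 90 PPS) neither extends the activation count nor satisfies termination: it sits between the two thresholds, so the attack stays active and packets above the Drop Threshold are still dropped. Termination only fires after two consecutive quiet seconds, which is what the Term Period buys you against a flood that briefly pauses.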

HTTP Mitigator
HTTP Mitigator Global Setting
The HTTP Mitigator detects and mitigates HTTP request flood attacks to protect Web servers. The
HTTP Mitigator collects and builds a statistical model of the protected server traffic, and then,
using fuzzy logic inference systems and statistical thresholds, detects traffic anomalies and
identifies the malicious sources.

To configure the HTTP mitigator:


1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Global Settings.
2. Configure the parameters, and click Set.
Parameter Description

Protection Status: Specifies whether the HTTP Mitigator is enabled on the appliance. HTTP
flood protection must be enabled to set HTTP flood protection parameters.
Default: enable

Learning period before activation: The time, in days, the HTTP Mitigator takes to collect the
data needed to establish the baseline that HTTP Mitigation uses.
Values: 0 - 65,536
Default: 7

Learning Mode: The learning mode of the HTTP Mitigator.
Values:
• Continuous Only: The learning process about the traffic environment is continuous.
• Automatic: The HTTP Mitigator can switch to 24x7 learning when it detects a recurring
pattern per hour of the day of the week in a period of 4, 8, or 12 weeks (based on sensitivity).

Learning Sensitivity: The period from which the HTTP Mitigator establishes baselines. Select
the time unit based on the site characteristics. For example, if the site traffic fluctuates during
the course of a day, but fluctuates the same way each day, select Day; but if there are significant
fluctuations between the days of the week, select Week.
Values: Day, Week, Month
Default: Week

HTTP Mitigator Profiles


Use the HTTP Mitigator Profiles pane to configure a basic HTTP Flood Mitigation profile.
To configure an HTTP Flood Mitigation profile with advanced parameters, use the HTTP Mitigator
Advanced Profiles (on page 164) pane.
HTTP Flood Mitigation profiles defend the applications in your network against server flooding.
Server flood attacks are aimed at specific servers causing denial of service at the server level.
These types of attacks disrupt a server by sending more requests than the server can handle,
thereby preventing access to a service.
Server attacks differ from network-flood attacks either in the attack volume or in the nature of the
requests used in the attack. Server flood attacks use legitimate requests that cannot be
distinguished from regular customer requests.
Before you configure an HTTP Flood Mitigation profile, ensure that HTTP mitigation is enabled and
the global parameters are configured.

To configure a basic HTTP Flood Mitigation profile:


1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Profiles.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Profile Name: The name of the profile.

Sensitivity: Specifies how sensitive the profile is to deviations from the baseline. High
specifies that the profile identifies an attack when the appliance detects only a small
deviation from the baselines.
Values: minor, low, medium, high
Default: medium

Action: The action that the profile takes when the profile detects suspicious traffic.
Values:
• Block and Report: Blocks and reports on the suspicious traffic.
• Report Only: Reports the suspicious traffic.
Default: Block and Report

Packet Report: Specifies whether the profile sends samples of attack packets for off-line
analysis.
Default: Enabled

Packet Trace: Specifies whether the profile sends attack packets to the specified physical
port.
Values: enable, disable
Default: disable
A change to this parameter takes effect only after you update policies.

HTTP Mitigator Advanced Mitigation Configuration


Check Point recommends that only advanced users modify the values in the HTTP Mitigator
Advanced Mitigation Configuration pane.

To perform advanced configuration for the manual mitigation mode:


1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Advanced > Mitigation
Configuration.
2. Configure the parameters, and click Set.


Parameter Description

Mitigation Failure Condition: The number of automatic attempts that the appliance makes
before announcing an anomaly state, meaning the appliance cannot mitigate the attack.
Values: 1 - 100
Default: 3

Clear Authentication List On Negative Feedback: Specifies whether the appliance clears the
authentication table (which is a white list) every time a challenge state fails to block the
attack.
Values: enable, disable
Default: disable

HTTP Mitigator Advanced Profiles


Use the HTTP Mitigator Advanced Profiles pane to configure an HTTP Flood Mitigation profile with
advanced parameters.
HTTP Flood Mitigation profiles defend the applications in your network against server flooding.
Server flood attacks are aimed at specific servers causing denial of service at the server level.
These types of attacks disrupt a server by sending more requests than the server can handle,
thereby preventing access to a service.
Server attacks differ from network-flood attacks either in the attack volume or in the nature of the
requests used in the attack. Server flood attacks use legitimate requests that cannot be
distinguished from regular customer requests.
Before you configure an HTTP Flood profile, ensure that HTTP mitigation is enabled and the global
parameters are configured.

To configure an HTTP Flood Mitigation profile with advanced parameters:


1. Select DDoS Protector > Denial of Service > HTTP Mitigator > Advanced > Profiles
Configuration.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Profile Name: The name of the profile.

Sensitivity: When User-Defined Attack Triggers are not used, this parameter specifies how
sensitive the profile is to deviations from the baseline. High specifies that the profile
identifies an attack when the appliance detects only a small deviation from the baselines.
Values: minor, low, medium, high
Default: medium

Action: The action that the profile takes when the profile detects suspicious traffic.
Values:
• Block and Report: Blocks and reports on the suspicious traffic.
• Report Only: Reports the suspicious traffic.
Default: Block and Report

Packet Report: Specifies whether the profile sends samples of attack packets for off-line
analysis.
Default: Enabled

User Defined Attack Triggers: Specifies whether the profile sends samples of attack packets for
off-line analysis.
Default: Enabled

Get and POST Request-Rate Trigger: The maximum number of GET and POST requests allowed,
per server per second.
Values:
• 0: The profile ignores the threshold.
• 1 - 4,294,967,296
Default: 0

Other Request-type Request-Rate Trigger: The maximum number of requests that are not GET
or POST (for example, HEAD, PUT, and so on) allowed, per server per second.
Values:
• 0: The profile ignores the threshold.
• 1 - 4,294,967,296
Default: 0
Note: If Outbound HTTP BW Trigger is enable and Other Request-type Request-Rate Trigger is
disable, an attack consisting of other (that is, not GET or POST) requests may cause high
outbound HTTP bandwidth consumption. An attack consisting of other (that is, not GET or
POST) requests may cause high outbound HTTP bandwidth consumption also if Outbound HTTP
BW Trigger is enable and Other Request-type Request-Rate Trigger is enable too but the rate
does not exceed the threshold. The high outbound HTTP bandwidth consumption may cause
the Outbound HTTP BW Trigger mechanism to consider the attack to be an anomaly, and the
profile will not mitigate it.

Outbound HTTP BW Trigger: The maximum allowed bandwidth, in kilobits per second, of HTTP
responses.
Values:
• 0: The profile ignores the threshold.
• 1 - 4,294,967,296
Default: 0

Request-per-Source Trigger: The maximum number of requests allowed per source IP per
second.
Values:
• 0: The profile ignores the threshold.
• 1 - 4,294,967,296
Default: 5

Request-per-Connection Trigger: The maximum number of requests allowed from the same
connection.
Values:
• 0: The profile ignores the threshold.
• 1 - 4,294,967,296
Default: 5

Request-Rate Threshold: The number of HTTP requests per second from a source that causes
the profile to consider the source to be suspicious.
Values: 1 - 65,535
Default: 5

Request-per-Connection Threshold: The number of HTTP requests for a connection that causes
the profile to consider the source to be suspicious.
Values: 1 - 65,535
Default: 5

Packet Trace: Specifies whether the profile sends attack packets to the specified physical
port.
Values: enable, disable
Default: disable
A change to this parameter takes effect only after you update policies.

Source Challenge Status: Specifies whether the profile challenges HTTP sources that match
the real-time signature.
Values: enable, disable
Default: enable

Collective Challenge Status: Specifies whether the profile challenges all HTTP traffic toward
the protected server.
Values: enable, disable
Default: enable

Source Blocking Status: Specifies whether the profile blocks all traffic from the suspect
sources.
Values: enable, disable
Default: enable

Challenge Mode: Specifies how the profile challenges suspect HTTP sources.
Values:
• HTTP Redirect: The appliance authenticates HTTP traffic using a 302-Redirect response code.
• JavaScript: The appliance authenticates HTTP traffic using a JavaScript object generated by
the appliance.
• Advanced JavaScript: DDoS Protector authenticates HTTP traffic using an obfuscated and
polymorphic challenge, which can overcome advanced attack tools.
Default: HTTP Redirect
Note: The Cloud Authentication option is not relevant for DDoS Protector, and selecting it may
cause unexpected results.
Some attack tools are capable of handling 302-redirect responses. The HTTP Redirect Challenge
Mode is not effective against attacks that use those tools. The JavaScript Challenge Mode
requires an engine on the client side that supports JavaScript, and therefore, the JavaScript
option is considered stronger. However, the JavaScript option has some limitations, which are
relevant in certain scenarios.
Limitations when using the JavaScript Challenge Mode:
• If the browser does not support JavaScript calls, the browser will not answer the challenge.
• When the protected server is accessed as a sub-page through another (main) page only using
JavaScript, the user session will fail (that is, the browser will not answer the challenge). For
example, if the protected server supplies content that is requested using a JavaScript tag, the
DDoS Protector JavaScript is enclosed within the original JavaScript block. This violates
JavaScript rules, which results in a challenge failure.
Example: The request below (the script loaded through js.src) accesses a secure server:
<script>
setTimeout(function(){
var js=document.createElement("script");
js.src="http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
document.getElementsByTagName("head")[0].appendChild(js);
},1000);
</script>
The returned challenge page contains the <script> tag again, which is illegal, and therefore, it
is dropped by the browser without making the redirect.


Other Requests Decision Engine: Specifies whether the profile identifies an HTTP flood attack
when the rate of requests that are not GET or POST requests exceeds the learned baseline.
Values: enable, disable
Default: enable
Note: If Outbound BW Decision Engine is enable and Other Requests Decision Engine is disable,
an attack consisting of other (that is, not GET or POST) requests may cause high outbound
HTTP bandwidth consumption. An attack consisting of other (that is, not GET or POST) requests
may cause high outbound HTTP bandwidth consumption also if Outbound BW Decision Engine is
enable and Other Requests Decision Engine is enable too but the rate does not exceed the
threshold. The high outbound HTTP bandwidth consumption may cause the Outbound HTTP
Bandwidth mechanism to consider the attack to be an anomaly, and the profile will not
mitigate it.

Requests per source Decision Engine: Specifies whether the profile identifies an HTTP flood
attack when the rate of requests per source exceeds the learned baseline.
Values: enable, disable
Default: enable

Get and POST global requests Decision Engine: Specifies whether the profile identifies an HTTP
flood attack when the rate of GET and POST requests exceeds the learned baseline.
Values: enable, disable
Default: enable

Outbound BW Decision Engine: Specifies whether the profile identifies an HTTP flood attack
when the outbound HTTP bandwidth exceeds the learned baseline.
Values: enable, disable
Default: enable

Requests per connection Decision Engine: Specifies whether the profile identifies an HTTP
flood attack when the rate of requests per connection exceeds the learned baseline.
Values: enable, disable
Default: enable
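The user-defined triggers of the HTTP Mitigator advanced profile above (Get and POST, Other Request-type, Outbound HTTP BW, Request-per-Source and Request-per-Connection, with 0 meaning the trigger is ignored), the Request-Rate and Request-per-Connection Thresholds that mark a source suspicious, and an authentication white list that skips already-challenged sources and ages idle entries, as an added Python example that is not Check Point code. The request records, the one-second evaluation window, the rule that threshold checks run only after a trigger has fired, and the assumption that a white-listed source stays fresh while it keeps sending are all constructed for the example.

```python
from collections import Counter


class HttpFloodProfile:
    """Trigger evaluation and challenge white list for one protected HTTP server."""

    def __init__(self, get_post_rate=0, other_rate=0, outbound_kbps=0,
                 per_source=5, per_connection=5,
                 request_rate_threshold=5, per_connection_threshold=5,
                 auth_aging_seconds=1200):
        # User-Defined Attack Triggers; 0 means the profile ignores that trigger.
        self.triggers = {"get_post": get_post_rate, "other": other_rate,
                         "outbound_bw": outbound_kbps, "per_source": per_source,
                         "per_connection": per_connection}
        self.request_rate_threshold = request_rate_threshold        # requests/s per source
        self.per_connection_threshold = per_connection_threshold    # requests per connection
        self.auth_aging = auth_aging_seconds                        # authentication table aging
        self.auth_table = {}   # source IP -> last time seen; entries skip the challenge

    @staticmethod
    def _fired(limit, observed):
        return limit != 0 and observed > limit

    def age_auth_table(self, now):
        """Remove sources idle for longer than the aging time."""
        for src in [s for s, seen in self.auth_table.items() if now - seen > self.auth_aging]:
            del self.auth_table[src]

    def challenge_passed(self, src, now):
        """A source that answered the challenge is white-listed until it goes idle."""
        self.auth_table[src] = now

    def evaluate_second(self, requests, now):
        """Evaluate one second of requests {"src", "conn", "method", "resp_bytes"}.

        Returns (fired_triggers, suspicious_sources, sources_to_challenge).
        A source is suspicious when it exceeds the Request-Rate Threshold, or
        owns a connection exceeding the Request-per-Connection Threshold.
        """
        get_post = sum(1 for r in requests if r["method"] in ("GET", "POST"))
        per_src = Counter(r["src"] for r in requests)
        per_conn = Counter(r["conn"] for r in requests)
        observed = {
            "get_post": get_post,
            "other": len(requests) - get_post,
            "outbound_bw": sum(r["resp_bytes"] for r in requests) * 8 / 1000,  # kbit/s
            "per_source": max(per_src.values(), default=0),
            "per_connection": max(per_conn.values(), default=0),
        }
        fired = [name for name, limit in self.triggers.items()
                 if self._fired(limit, observed[name])]
        suspicious = set()
        if fired:
            suspicious |= {s for s, n in per_src.items() if n > self.request_rate_threshold}
            conn_src = {r["conn"]: r["src"] for r in requests}
            suspicious |= {conn_src[c] for c, n in per_conn.items()
                           if n > self.per_connection_threshold}
        self.age_auth_table(now)
        for src in per_src:                      # an active white-listed source is not idle
            if src in self.auth_table:
                self.auth_table[src] = now
        to_challenge = sorted(s for s in suspicious if s not in self.auth_table)
        return fired, sorted(suspicious), to_challenge


def demo():
    """Constructed traffic: three browsers, one bot on a single connection, one busy proxy."""
    profile = HttpFloodProfile(get_post_rate=20, per_source=5, per_connection=5,
                               request_rate_threshold=5, per_connection_threshold=5,
                               auth_aging_seconds=60)
    profile.challenge_passed("203.0.113.50", now=0)   # proxy answered an earlier challenge

    def req(src, conn, method="GET", resp_bytes=2000):
        return {"src": src, "conn": conn, "method": method, "resp_bytes": resp_bytes}

    browsers = [req(f"10.0.0.{i}", f"c{i}") for i in (1, 2, 3) for _ in range(2)]
    bot = [req("198.51.100.9", "bot1") for _ in range(12)]
    proxy = [req("203.0.113.50", f"p{i}") for i in range(8)]
    return (profile.evaluate_second(browsers + bot, now=0),
            profile.evaluate_second(proxy, now=10),     # still white-listed
            profile.evaluate_second(proxy, now=100))    # idle > 60 s, aged out, challenged again


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The first window shows why per-source and per-connection triggers matter even when the global GET/POST rate (18 requests) stays under its trigger: one source on one connection stands out. The proxy case shows the cost of a white list: a busy but legitimate source that answered a challenge is not re-challenged while it keeps talking, but once it has been idle longer than the aging time it is treated as unknown again.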


Authentication Tables
DNS Authentication Table
The DNS authentication table holds the DNS source addresses.

To set the DNS authentication table parameters:


1. Select DDoS Protector > Authentication table > DNS.
2. Configure the parameters, and click Set.
Parameter Description

Authentication table status: Specifies whether the appliance uses the DNS authentication
table (which is a white list) during a DNS challenge state.
Values: enable, disable

Authentication table aging: The time, in minutes, that the appliance keeps idle sources in the
DNS Authentication table.
Values: 1 - 60
Default: 20
You can enter a value even if DNS Flood Protection is not enabled, and the value will persist.

Authentication table utilization: The percentage of the table that is full.

Clean Table: Select the checkbox to clear the authentication table.

TCP Authentication Table


The TCP authentication table holds the TCP source addresses.

To set the TCP authentication table parameters:


1. Select DDoS Protector > Authentication table > TCP.
2. Configure the parameters, and click Set.
Parameter Description

Authentication table aging: The time, in seconds, that the appliance keeps idle sources in the
TCP Authentication table.
Values: 60 - 3600
Default: 1200

Authentication table utilization: (Read-only) The percentage of the table that is currently full.

Clean Table: Select the checkbox to clear the authentication table.


HTTP Authentication Table


The HTTP authentication table holds the number of source-destination couples for protected
HTTP servers. For example, if there are two attacks towards two HTTP servers and the source
addresses are the same, for those two servers, there will be two entries for the source in the
table.

To set the HTTP authentication table parameters:


1. Select DDoS Protector > Authentication table > HTTP.
2. Configure the parameters, and click Set.
Parameter Description

Authentication table aging: The time, in seconds, that the appliance keeps idle sources in the
HTTP Authentication table.
Values: 60 - 3600
Default: 1200

Authentication table utilization: (Read-only) The percentage of the table that is currently full.

Clean Table: Select the checkbox to clear the authentication table.

TCP Contender Authentication Table


This feature is available only in x412 platforms.
Use the TCP Contender Authentication table pane to monitor the table utilization and clean the
table if necessary.

To monitor the TCP Contender table utilization and clean the table:
1. Select DDoS Protector > Authentication table > TCP-Contender.
2. To clean the table, select Clean Table, and click Set.

Intrusion Protection and Anti-Scanning


Anti-Scanning Global Parameters
Anti-Scanning Protection protects against malicious scanning activity, which includes zero-day
self-propagating network worms, horizontal scans, and vertical scans. When Anti-Scanning
Protection is enabled, upon detecting an attack, the protection implements the blocking footprint
rule for a predefined, initial blocking duration. When the protection identifies repeated scanning
activities from the same source, the protection extends the blocking duration based on a dynamic
blocking-duration mechanism. This mechanism includes a random factor that sets an
unpredictable blocking duration. When a source continues to scan the network, the appliance can
restart the global Maximal Blocking Duration.


To configure the global Anti-Scanning Protection parameters:


1. Select DDoS Protector > Intrusion Prevention > Anti-Scanning > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description

Anti-Scanning Status: Specifies whether Anti-Scanning Protection is enabled. Anti-Scanning
Protection prevents zero-day self-propagating network worms, horizontal scans, and vertical
scans.
Default: Enabled
Changing the setting of this parameter requires a reboot to take effect.

Anti-Scanning High Ports Response: Specifies whether the Anti-Scanning Protection emphasizes
inspecting scans aimed at ports greater than 1024 (that is, usually unassigned ports).
Values:
• Enabled: The Anti-Scanning Protection emphasizes inspecting scans aimed at ports greater
than 1024. Select this checkbox when using applications that utilize standard system ports
(that is, port values less than 1024).
• Disabled: The Anti-Scanning Protection treats all the scan activities equally. Clear this
checkbox when using applications utilizing non-standard ports (that is, port values greater
than 1024).
Default: Enabled
When the parameter is enabled and you have legitimate applications using high-range ports,
DDoS Protector is prone to more false positives.

Anti-Scanning Very Slow Scans: Specifies whether Anti-Scanning Protection blocks slow scans,
which can result in very long blocking periods. When enabled, Anti-Scanning Protection adapts
the blocking interval based on the scanner-activity frequency. Thus, the appliance will detect
the scanner activity again before the blocking duration elapses. The blocking duration is
calculated as the time between scanning events multiplied by the Attack Trigger value.
It is recommended to use this option only in exceptional circumstances, when one scan attempt
in 20 minutes is considered a security threat.
Default: Disabled

Anti-Scanning Maximal Blocking Duration: The maximum time, in seconds, that the
Anti-Scanning Protection blocks the source of a scan if that source continues to scan the
network.
Values: 20 - 3600
Default: 80
This setting overrides the maximum time set in the suspend table parameters.

Advanced - Trusted Ports


You can configure a list of Layer 4 ports on which scanning is allowed. That is, when Anti-Scanning
is enabled, there is no blocking of scans that target these ports.
You must configure and save the profile before you configure the Trusted Port list.

To add a trusted port:


1. Select DDoS Protector > Intrusion Protection > Anti-Scanning > Advanced > Trusted Ports.
2. Click Create.
3. Enter the name of the existing profile.
4. Enter the Layer 4 trusted port on which scanning is allowed. Values: 1 - 65,535.
5. Click Set.

Anti-Scanning Profiles
Use the Anti-Scanning Profiles pane to create a profile and to activate the protocols to be used in
the profile, which include: TCP, UDP, and ICMP.
You can configure up to 20 Anti-Scanning profiles on a DDoS Protector appliance.
The following describes the recommended settings for rules that include Anti-Scanning profiles:
• Configure policies containing Anti-Scanning profiles using Networks with Source = Any (the
public network) and Destination = Protected Network. This assures optimized attack
detection sensitivity. You can set policies using a VLAN tag, MPLS RD, or physical ports.
• It is not recommended to define a network in which the Source and Destination are set to Any,
because it results in lower detection sensitivity.
• When the Direction of a policy is set to One Way, DDoS Protector prevents incoming attacks
only. When the Direction of a policy is set to Two Way, the appliance prevents both incoming
and outgoing attacks. In either case, the appliance inspects incoming and outgoing traffic for
connection scoring.
Before you configure an Anti-Scanning profile, ensure the following:
• The Session table Lookup Mode is Full Layer 4.
• Anti-Scanning Protection is enabled and the global parameters are configured.

To create a new Anti-Scanning profile:


1. Select DDoS Protector > Intrusion Protection > Anti-Scanning > Profiles.
2. Click Create.
3. Configure the parameters, and click Set.
Parameter Description

Profile Name The name of the profile

TCP State Specifies whether the profile protects against horizontal and vertical TCP
scans, including worm propagation activity, over TCP.
Values: active, inactive
Default: active

UDP State Specifies whether the profile protects against horizontal and vertical UDP
scans, including worm propagation activity, over UDP.
Values: active, inactive
Default: active

ICMP State Specifies whether the profile protects against ping sweeps.
Values: active, inactive
Default: active

Type The type of traffic protected using the Anti-Scanning profile.


Values:
• carrier - Detects large-scale scanning worms on carrier links.
• gw - Detects incoming or outgoing scanning attempts, such as
scanning worms.
• internal - Prevents the spreading of worm activity in corporate LANs.
Default: carrier

Sensitivity The level of sensitivity to scanning activities before the profile activates
Anti-Scanning protection. High means few scanning attempts trigger the
Anti-Scanning protection, whereas Very Low means a high number of
scanning attempts trigger the Anti-Scanning protection.
Values: high, medium, low, very low
Default: low


Accuracy The accuracy level that determines the minimum number of parameters
used in the footprint. The higher the accuracy, the more parameters are
required to appear in the footprint. If DDoS Protector is unable to find a
footprint with the minimum number of parameters for the specified
accuracy level, DDoS Protector does not block the attack.
Values:
• low - Any footprint is allowed (including source IP address only).
• medium - A footprint requires at least two attack-source parameters
combined with the Boolean AND operator.
• high - A footprint requires at least three attack-source parameters
combined with the Boolean AND operator.
Default: medium

SinglePort Specifies whether the DDoS Protector appliance only blocks scans that
are done on a single L4 port. Scans on a single L4 port are usually
network worms. When enabled, DDoS Protector does not block scans that
are done from the same source on multiple L4 ports.
Values: enable, disable
Default: disable

Packet Trace Status Specifies whether the profile sends attack packets to the specified
physical port.
Values: enable, disable
Default: disable

White List and Black List


DDoS Protector exempts packets that match an active White List policy from specified inspection
processes.
For each protection, you can set the direction of the bypass. For example, sessions initiated from
the white list IP address are bypassed, while sessions initiated toward the IP address are
inspected as usual.
Since IP addresses belonging to the White list are not inspected, certain protections are not
applied for the opposite direction. For example, with SYN protection this can cause servers to not
be added to known destinations due to ACK packets not being inspected.
Note: DDoS Protector continues to block packets from a source or destination that is part of an
active attack even after you add the source or destination to the White List per protection.

To configure a white list policy:


1. Select DDoS Protector > White List.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

White List Parameters


Parameter Description

State Specifies whether the policy is active. You can select inactive to
deactivate the policy without removing it from the list.
Values: active, inactive
Default: active

Name The user-defined name for the policy.

SrcNetwork The source of the packets that the policy uses.
Values:
• A Network class
• An IP address
• any

DstNetwork The destination of the packets that the policy uses.
Values:
• A Network class
• An IP address
• any

SrcPortGroup The source Application Port class or application-port number that the
policy uses.
Values:
• An Application Port class
• An application-port number
This parameter is relevant only for UDP, TCP, and SCTP traffic. You
cannot use a port group for ICMP, IGMP, or GRE.

DstPortGroup The destination Application Port class or application-port number that
the policy uses.
Values:
• An Application Port class
• An application-port number
This parameter is relevant only for UDP, TCP, and SCTP traffic. You
cannot use a port group for ICMP, IGMP, or GRE.


PhysicalPortGroup The Physical Port class or physical port that the policy uses.
Values:
• A Physical Port class
• The physical ports on the appliance

VLANTag The VLAN Tag class that the policy uses.
Values: A VLAN Tag class

Protocol The protocol of the traffic that the policy uses.
Values:
• Any
• GRE
• ICMP
• ICMPv6
• IGMP
• SCTP
• TCP
• UDP
• L2TP
• GTP
• IP in IP
Default: Any

Direction The direction of the traffic to which the policy relates. This parameter
relates to L4 sessions only.
Values:
• one-direct - The protection applies to sessions originating from
sources to destinations that match the network definitions of the
policy.
• bi-direct - The protection applies to sessions that match the
network definitions of the policy regardless of their direction.
Default: one-direct

Action This column appears in the White List table, but the parameter has no
user configuration and no documented effect.

ReportAction This column appears in the White List table, but the parameter has no
user configuration and no documented effect.

Description The user-defined description for the policy up to 19 characters.


All Modules Bypass Specifies whether the policy bypasses all protection modules at once.
Values:
• active - The specified Classification criteria determine the traffic
that is exempt from security inspection.
• inactive - The specified source (that is, the source Network class or
source IP address) and the individually enabled protection-module
bypasses determine the traffic that is exempt from security inspection.
Default: active
Performance is better when All Modules Bypass is active rather than
having the module bypasses enabled individually.

SYN Protection Bypass When enabled, traffic from the specified source (that is, the source
Network class or source IP address) bypasses SYN Protection
inspection.
Values: active, inactive
Default: active

Anti-Scanning Bypass When enabled, traffic from the specified source (that is, the source
Network class or source IP address) bypasses Anti-Scanning inspection.
Values: active, inactive
Default: active

Signature Protection When enabled, traffic from the specified source (that is, the source
Bypass Network class or source IP address) bypasses Signature Protection
inspection.
Values: active, inactive
Default: active

HTTP Mitigator Bypass When enabled, traffic from the specified source (that is, the source
Network class or source IP address) bypasses HTTP Flood inspection.
Values: active, inactive
Default: active

Server Cracking When enabled, traffic from the specified source (that is, the source
Bypass Network class or source IP address) bypasses Server Cracking
inspection.
Values: active, inactive
Default: active

Black List
DDoS Protector drops packets that match an active Black List rule. The Black List comprises the
traffic that the appliance always blocks without inspection. You use the Black List as policy
exceptions for security policies. The appliance black-lists packets if all the criteria for the policy
evaluate to true.
This feature is not supported on management interfaces.
You enable or disable the Packet Trace feature for all the Black List rules on the appliance. When
the Packet Trace feature is enabled for Black Lists, the DDoS Protector appliance sends
blacklisted packets to the specified physical port.

To configure the Packet Trace status:


1. Select DDoS Protector > Black List.
2. From the Packet Trace Status drop-down list, select enable or disable.
3. Click Set.

To configure a Black List rule:


1. Select DDoS Protector > Black List.
2. Click Create.
3. Configure the parameters and click Set.

Black List Rule Parameters


Parameter Description

State Specifies whether the rule is active. You can select inactive to
deactivate the rule without removing it from the list.
Values: active, inactive
Default: active

Name The user-defined name for the rule.

SrcNetwork The source of the packets that the rule uses.
Values:
• A Network class
• An IP address
• any

DstNetwork The destination of the packets that the rule uses.
Values:
• A Network class
• An IP address
• any


SrcPortGroup The source Application Port class or application-port number that
the rule uses.
Values:
• An Application Port class
• An application-port number
This parameter is relevant only for UDP, TCP, and SCTP traffic. You
cannot use a port group for ICMP, IGMP, or GRE.

DstPortGroup The destination Application Port class or application-port number
that the rule uses.
Values:
• An Application Port class
• An application-port number
This parameter is relevant only for UDP, TCP, and SCTP traffic. You
cannot use a port group for ICMP, IGMP, or GRE.

PhysicalPortGroup The Physical Port class or physical port that the rule uses.
Values:
• A Physical Port class
• The physical ports on the appliance

VLANTag The VLAN Tag class that the rule uses.
Values: A VLAN Tag class

Protocol The protocol of the traffic that the rule uses.
Values:
• Any
• GRE
• ICMP
• ICMPv6
• IGMP
• SCTP
• TCP
• UDP
• L2TP
• GTP
• IP in IP
Default: Any


Direction The direction of the traffic to which the rule relates. This parameter
relates to L4 sessions only.
Values:
• one-direct - The protection applies to sessions originating from
sources to destinations that match the network definitions of the
rule.
• bi-direct - The protection applies to sessions that match the
network definitions of the rule regardless of their direction.
Default: one-direct

Report Action The report action that the appliance takes when it encounters a
packet that matches the rule.
Values:
• report - The appliance issues a trap when it encounters a
blacklisted packet.
• no-report - The appliance issues no trap when it encounters a
blacklisted packet.

Description The user-defined description for the rule, up to 19 characters.

Entry Expiration Timer (Hours)
Entry Expiration Timer (Minutes) The hours and minutes remaining for the rule.
The maximum Expiration Timer is two hours.
The Expiration Timer can be used only with dynamic Black List
rules. The Expiration Timer for a static Black List rule must be set to
0 (zero hours and zero minutes).
When the rule expires (that is, when the Entry Expiration Timer
elapses), the rule disappears from the Black List Policy table when
the table refreshes.

Detector An IP address that identifies the root cause of the Black List
rule. This parameter has no effect on the appliance operation.
If a Security Group configured this Black List rule, the Detector
value displays the IP address of the Security Group Sender.
For more information on Security Groups, see the user guide.


Detector Security Module A DDoS Protector security module that identifies the root cause of
the Black List rule. This parameter has no effect on the appliance
operation.
If a Security Group configured this Black List rule, the Detector
Security Module value displays the DDoS Protector security module
of the Security Group Sender.
Values:
• Admin - The default value in the context of a user-defined,
dynamic Black List rule.
• Server Cracking - Displays if a Security Group configured this
Black List rule and it was the Server Cracking module of the
Security Group Sender that detected the threat.
• Anti-Scan - Displays if a Security Group configured this Black
List rule and it was the Anti-Scanning module of the Security
Group Sender that detected the threat.
• Vision Reporter
• Connection Limit
• Application Security
• Syn Protection
• HTTP Flood
• Behavioral DoS
• DNS Flood
Default: Admin
For more information on Security Groups, see the user guide.

Dynamic Specifies whether the rule implements the Expiration Timer.
Default: Disabled
Changing the configuration of this option takes effect only after you
update policies.

Black List Packet Report Specifies whether the appliance sends sampled attack packets to
APSolute Vision for off-line analysis.

Black-List and White-List Entries and Storage Capabilities


DDoS Protector defines black-list and white-list entries using rules, software entries, and
DME-hardware entries. Rules are user-defined. Software entries are single-network entries or
range entries derived from the classes in the user-defined rule. Black-list and white-list entries
defined in the software may result in performance degradation. Hardware entries are DME
representations of the software entries. The hardware entries vary between platforms, based on
the type of DME the platform has.

To avoid performance degradation, DDoS Protector defines black-list and white-list entries as
hardware entries in the DME as much as possible, according to the following logic:
• On platforms with no DME, there are no hardware entries. There is no DME in x06 platforms.
• On x016 platforms with a DME, DDoS Protector can hold up to 1000 IPv4 hardware entries in
the DME.
• On x412 platforms:
  • The hardware entries are subnets only.
  • DDoS Protector can hold 800 IPv4 or 400 IPv6 hardware entries in the DME, and treats the
  rest as software entries.

Maximum Black-List and White-List Entries

DDoS Protector Series and Hardware Type | Maximum Black-List and White-List Rules | Maximum Software Entries | Maximum Hardware Entries
x06 | 5000 | 5000 | N/A
x016 without DME | 5000 | 5000 | N/A
x016 with DME | 5000 | 5000 | 1000 IPv4 entries
x412 | 5000 | 5000 | 800 IPv4 subnet entries, 400 IPv6 subnet entries

Black-White List Precedence


Use the Precedence pane to specify whether the white list or the black list takes precedence when
a packet matches both.

To configure black-white list precedence:


1. Select DDoS Protector > Black-White Lists > Precedence.
2. Configure the parameter and click Set.

Parameter Description

Black or White List Precedence Values:
• White List Takes Precedence - If a packet matches both a White
List rule and a Black List rule, DDoS Protector processes the
packet as belonging to the White List rule.
• Black List Takes Precedence - If a packet matches both a White
List rule and a Black List rule, DDoS Protector processes the
packet as belonging to the Black List rule.
Default: White List Takes Precedence
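The White List and Black List matching rules and the Precedence setting described above, as an added Python model. This is an illustration written for this page, not Check Point code: the Session and Rule classes, their field names, the "bypass"/"drop"/"inspect" result labels and the sample addresses are assumptions. It follows the behaviour the guide states: a rule matches only when every configured criterion is true, port criteria apply only to TCP, UDP and SCTP, one-direct and bi-direct describe the orientation of an L4 session, the Entry Expiration Timer belongs to dynamic Black List rules only with a two-hour maximum, and the Precedence setting decides the outcome when a session matches both lists.

```python
"""Model of White List / Black List rule matching and list precedence.

Added example, not Check Point code. Class and field names are assumptions;
the matching semantics follow the DDoS Protector user guide text.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "any"
PORT_PROTOCOLS = {"TCP", "UDP", "SCTP"}   # port groups are meaningful only here


@dataclass(frozen=True)
class Session:
    """An L4 session as the appliance sees it: initiator (client) -> responder (server)."""
    client_ip: str
    server_ip: str
    protocol: str
    client_port: Optional[int] = None
    server_port: Optional[int] = None


@dataclass
class Rule:
    name: str
    src_network: str = ANY          # CIDR, single IP address, or "any"
    dst_network: str = ANY
    protocol: str = ANY             # "TCP", "UDP", "ICMP", ... or "any"
    src_port: Optional[int] = None  # None: no SrcPortGroup criterion
    dst_port: Optional[int] = None  # None: no DstPortGroup criterion
    direction: str = "one-direct"   # or "bi-direct"
    state: str = "active"
    dynamic: bool = False           # Black List rules only
    expiration_minutes: int = 0     # Entry Expiration Timer as hours*60 + minutes

    def __post_init__(self) -> None:
        # Constraints stated in the guide.
        has_ports = self.src_port is not None or self.dst_port is not None
        if has_ports and self.protocol != ANY and self.protocol not in PORT_PROTOCOLS:
            raise ValueError(f"{self.name}: port groups are not allowed for {self.protocol}")
        if not self.dynamic and self.expiration_minutes != 0:
            raise ValueError(f"{self.name}: a static rule must have an expiration timer of 0")
        if self.expiration_minutes > 120:
            raise ValueError(f"{self.name}: the maximum expiration timer is two hours")


def in_network(addr: str, spec: str) -> bool:
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


def _oriented_match(rule: Rule, src_ip, dst_ip, src_port, dst_port) -> bool:
    """Every network and port criterion must hold for this orientation."""
    return (in_network(src_ip, rule.src_network)
            and in_network(dst_ip, rule.dst_network)
            and (rule.src_port is None or rule.src_port == src_port)
            and (rule.dst_port is None or rule.dst_port == dst_port))


def rule_matches(rule: Rule, s: Session) -> bool:
    if rule.state != "active":
        return False
    if rule.protocol != ANY and rule.protocol != s.protocol:
        return False
    # one-direct: the session must originate in src_network and go to dst_network.
    if _oriented_match(rule, s.client_ip, s.server_ip, s.client_port, s.server_port):
        return True
    # bi-direct: the reverse orientation matches as well.
    return (rule.direction == "bi-direct"
            and _oriented_match(rule, s.server_ip, s.client_ip, s.server_port, s.client_port))


def disposition(s: Session, white: List[Rule], black: List[Rule],
                precedence: str = "white") -> str:
    """'bypass' (White List exempts it from inspection), 'drop' (Black List), or 'inspect'."""
    on_white = any(rule_matches(r, s) for r in white)
    on_black = any(rule_matches(r, s) for r in black)
    if on_white and on_black:
        return "bypass" if precedence == "white" else "drop"
    if on_white:
        return "bypass"
    if on_black:
        return "drop"
    return "inspect"


if __name__ == "__main__":
    # Constructed sample: a monitoring subnet is white-listed, and one host in it
    # was dynamically black-listed for 30 minutes after scanning.
    white = [Rule("monitoring", src_network="10.0.0.0/24")]
    black = [Rule("scanner", src_network="10.0.0.5", dynamic=True, expiration_minutes=30)]
    scan = Session("10.0.0.5", "192.0.2.10", "TCP", 40000, 80)
    print(disposition(scan, white, black, "white"))   # bypass
    print(disposition(scan, white, black, "black"))   # drop
```

The sample shows why the Precedence setting matters operationally: a host inside a white-listed monitoring range that is dynamically black-listed by a Security Group is still exempt from inspection under the default White List Takes Precedence, and only Black List Takes Precedence makes the dynamic entry effective.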

Policies
Network Protection Policies
The Network Protection policy protects your configured networks using protection profiles.
Before you configure Network Protection policies and profiles, ensure that you have enabled all the
required protections and configured the corresponding global protection parameters.
Each Network Protection policy consists of two parts:
• The classification that defines the protected network segment.
• The action to be applied when an attack is detected on the matching network segment. The
action defines the protection profiles to be applied to the network segment, and whether the
malicious traffic should be blocked. Malicious traffic is always reported.

To configure a Network Protection policy:


1. Select DDoS Protector > Policies > Table.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Name The name of the Network Protection policy.

Direction The direction of the traffic to which the policy relates.
Values:
• oneway - The protection applies to sessions originating from
sources to destinations that match the network definitions of
the policy.
• twoway - The protection applies to sessions that match the
network definitions of the policy regardless of their direction.
Default: oneway


Source Address The source of the packets that the policy uses.
Values:
• A Network class configured in the Classes menu
• An IP address
• any - Any IP address
Default: any

Destination Address The destination of the packets that the policy uses.
Values:
• A Network class configured in the Classes menu
• An IP address
• any - Any IP address
Default: any

Inbound Physical Port Group The Physical Port class or physical port that the policy uses.
Values:
• A Physical Port class configured in the Classes menu
• The physical ports on the appliance
• None
Note: If you specify a management port or a Physical Port class
with a management port, the Network Protection policy can
support only Signature Protection and BDoS Protection.

Vlan Tag Group The VLAN Tag class that the policy uses.
Values:
• A VLAN Tag class configured in the Classes menu
• None

State Specifies whether the policy is enabled.
Values: active, inactive
Default: active


Action The default action for all attacks under this policy.
Values:
• Block and Report - The malicious traffic is terminated and a
security event is generated and logged.
• Report Only - The malicious traffic is forwarded to its
destination and a security event is generated and logged.
Default: Block and Report
Signature-specific actions override the default action for the
policy.

Signatures Profile The Signature Protection profile applied to the network segment
defined in this policy.

Connection Limit Profile The Connection Limit profile applied to the network segment
defined in this policy.

Out-Of-State Profile The Out-of-State profile applied to the network segment defined
in this policy.

Behavioral Dos Profile The BDoS profile applied to the network segment defined in this
policy.

SYN Protection Profile The SYN Flood profile applied to the network segment defined in
this policy.

DNS protection Profile The DNS Protection profile applied to the network segment
defined in this policy.

Packet Trace Specifies whether the policy sends attack packets to the specified
physical port.
Values: enable, disable
Default: disable

Packet Trace configuration on policy takes precedence Specifies whether the configuration of the
Packet Trace feature here, on this policy, takes precedence over the configuration of
the Packet Trace feature in the associated profiles.
Values: enable, disable
Default: disable
Note: A change to this parameter takes effect only after you
update policies.


Packet Report Specifies whether the policy sends sampled attack packets to
APSolute Vision for off-line analysis.
Values: enable, disable
Default: disable
Note: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled.

Anti Scanning Profile The Anti-Scanning profile to be applied to the network segment
defined in this policy.

PPS Profile The Connection PPS Limit profile to be applied to the network
segment defined in this policy.

MPLS RD Group The MPLS route distinguisher (RD) class that the policy uses. The
appliance dynamically associates the MPLS tag value with the
configured MPLS RD values installed between P and PE routers.
Values:
• An MPLS RD class configured in the Classes menu
• None
Packet Report configuration on policy takes precedence Specifies whether the configuration of the
Packet Reporting feature here, on this policy, takes precedence over the
configuration of the Packet Reporting feature in the associated
profiles.
Values: enable, disable
Default: enable

Quarantine State Specifies whether the appliance quarantines all outbound Web
traffic from internal hosts in the destination segment in the
network policy after matching a signature configured with
Web-quarantine option enabled.
To enable this option, the value for the Direction field must be
twoway.
Values: enable, disable
Default: disable

Service Discovery Profile The Service Discovery profile that the Network Protection policy
uses to identify HTTP servers to protect.
Leave the field empty if you do not want to implement the Service
Discovery (on page 206) feature.

Policies Resources Utilization

Use the Policies Resources Utilization pane to view statistics relating the user-defined policies to
the utilization of the DME.
The Policies Resources Utilization pane is supported only on x412 platforms.
The values that the appliance exposes are calculated from the configured
values, even before you run the Update Policies command.

To view statistics relating the user-defined policies to the utilization of the DoS
Mitigation Engine:
Select DDoS Protector > Policies > Resources View.
Note: If any of the following values is close to its maximum, the resources of the appliance are
nearly exhausted.

Resources View Parameters


Parameter Description

Total Number of Policies The total number of policies in the context of the DME, which is
double the number of network policies configured in the appliance.

Sub Policies Utilization The percentage of DME resource utilization from the entries of
sub-policies.
In the context of the DME, a sub-policy is a combination of the
following:
• Source-IP-address range
• Destination-IP-address range
• VLAN-tag range

HW Entries Utilization The percentage of resource utilization from the HW entries in the
context of the DME.

Policies Resources Utilization Table Parameters


Parameter Description

Policy Name The name of the policy.

Direction The direction of the policy.
Values: inbound, outbound

Num of HW Entries The number of DME hardware entries that the policy uses.

Num of Sub-Policies The number of DME sub-policy entries that the policy uses.

Policies Import
Use the Network Protection Policies Import pane to import a Network Protection policy.

To import a Network Protection policy:


1. Select DDoS Protector > Policies > Import.
2. Configure the parameters, and click Set.
Parameter Description

Update Policy Values:
• Enabled - After successfully uploading a template to an
appliance, an Update Policies (Activate Latest Changes) action
is automatically initiated.
• Disabled - After successfully uploading a template to an
appliance, an Update Policies (Activate Latest Changes) action
is required to activate the uploaded policy.
Default: Enabled

Override Existing Configuration Values:
• Enabled - The template adds the policy and profile
configurations, and any baselines. If a policy or profile with the
same name exists in a target appliance, the template
overwrites it.
• Disabled - The template adds the policy and profile
configurations, and any baselines. If a policy or profile name
exists in a target appliance, the update fails.
Default: Enabled

Import to Instance The identifier of the DDoS Protector hardware instance onto
which to add the template.
Values: Instance 0, Instance 1
Default: Instance 0

Policy File The filepath of the template file.

Policies Export
Use the Network Protection Policies Export pane to export a Network Protection policy.
You can export and import Network Protection policies. The exported information is referred to as
a template. The template can include the policy configuration (that is, the definitions and security
settings) and/or policy baselines. A template from a Network Protection policy can include the
baselines from the associated DNS and/or BDoS profiles.
Templates do not include the following information:
• DDoS Protector setup and network configuration - For example, appliance time, physical
ports, and so on.

• DDoS Protector security settings - The protections that a policy template uses must be
supported and enabled globally in the target DDoS Protector appliance (that is, the target
DDoS Protector appliance into which you are importing the policy template). For example, if
you export a Network Protection policy that includes a BDoS Protection profile, the DDoS
Protector appliance into which you are importing the policy template must have BDoS
Protection enabled globally (Configuration perspective, Setup > Security Settings > BDoS
Protection > Enable BDoS Protection).
• Custom signatures.

To export a Network Protection policy:


1. Select DDoS Protector > Policies > Export.
2. Configure the parameters, and click Set.
3. Follow the instructions for opening or saving the template file.
The default filename uses the following format:

policy_<PolicyName>_<DeviceName>_<ddMMyyyy>_<hhmmss>.txt
Example:
policy_MyPol012_MyDevice_19052014_145044.txt
Parameter Description

Name The name of the policy.

Configuration Specifies whether DDoS Protector exports the template with the
configuration of the policy.
Default: Enabled

Behavioral DoS Baseline Specifies whether DDoS Protector exports the template with the
current BDoS normal-traffic baseline of the policy.
Default: Enabled

DNS Protection Baselines Specifies whether DDoS Protector exports the template with the
current DNS normal-traffic baseline of the policy.
Default: Enabled

User Signature Profile Specifies whether DDoS Protector exports the template with the
current user-defined signature protection profile of the policy.
Default: Enabled

Policies Delete
Use the Network Protection Policies Delete pane to delete a Network Protection policy and all
associated configuration objects.

To delete a policy and all associated configuration objects:


1. Select DDoS Protector > Policies > Delete.
2. Configure the parameters, and click Set.

Parameter Description

Name The name of the policy.

Update Policies Values:
• Enabled - After successfully deleting the policy, an Update
Policies (Activate Latest Changes) action is automatically
initiated.
• Disabled - After successfully deleting the policy, an Update
Policies (Activate Latest Changes) action is required for the
configuration to take effect.
Default: Enabled

Global - Suspend Table - Parameters


Use the Suspend Table to define that, for certain attacks, in addition to the action defined for the
attack, the appliance also suspends traffic from the IP address that was the source of the attack
for a period of time.
The period for which a source is suspended is set according to the following algorithm:
• The first time a source is suspended, the suspension time is the Suspend Table min time
(the minimal aging time) configured for the Suspend Table.
• Each time the same source is suspended again, the suspension length is doubled, until it
reaches the Suspend Table max time (the maximal aging time) set for the Suspend Table.
• Once the suspension length has reached the maximum length allowed, it remains constant
for each additional suspension.
Use the Suspend Table Parameters pane to set the tuning parameters for the Suspend Table.

To set the suspend table parameters:


1. Select DDoS Protector > Global > Suspend Table Parameters.
2. Configure the parameters, and click Set.
Parameter Description

Suspend Table min time The time, in seconds, for which the DDoS Protector appliance
suspends first-time offending source IP addresses.
Default: 10

Suspend Table max time The maximal time, in seconds, for which the DDoS Protector
appliance suspends a specific source. Each time the DDoS
Protector appliance suspends the same source, the
suspension length doubles until it reaches this maximum.
Default: 600


Suspend Table max same source entries The number of times the DDoS Protector appliance suspends
the same source IP address before the DDoS Protector
appliance suspends all traffic from that source IP address,
regardless of the specified Suspend Action. For example, if
the value for this parameter is 4 and the specified Suspend
Action is SrcIP-DstIP-SrcPort-DstPort, the DDoS Protector
appliance suspends all traffic from a source IP address that
had an entry in the Suspend list more than four times, even if
the destination IP address, source port, and destination port
were different for the previous updates to the Suspend table.
This parameter is irrelevant when the specified Suspend
Action is SrcIP.
Values:
• 0 - The appliance does not implement the feature.
• 1-10
Default: 0
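The suspension-time algorithm (min time, doubling, max time) and the "max same source entries" escalation described above, as an added Python model. This is an illustration written for this page, not Check Point code: the SuspendTable class, its method names, the use of the Suspend Action strings as a field value, and the sample addresses are assumptions; the 0.0.0.0 / port 0 wildcards follow the Suspend Table pane described below. The model lets you check, for a given min/max/escalation setting, how long a repeat offender stays suspended and at which point a per-destination suspension becomes a whole-source one.

```python
"""Model of the Suspend Table timing and escalation rules.

Added example, not Check Point code. Class and method names are assumptions;
the timing and escalation behaviour follows the DDoS Protector user guide text.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ALL_DESTINATIONS = "0.0.0.0"   # Suspend Table convention: traffic to all destinations
ALL_PORTS = 0                  # Suspend Table convention: all application ports


@dataclass
class SuspendEntry:
    src_ip: str
    dst_ip: str
    dst_port: int
    expires_at: float          # seconds, on the same clock as `now` below


@dataclass
class SuspendTable:
    min_time: int = 10                 # Suspend Table min time (seconds)
    max_time: int = 600                # Suspend Table max time (seconds)
    max_same_source: int = 0           # Suspend Table max same source entries, 0 = off
    suspend_action: str = "SrcIP-DstIP-SrcPort-DstPort"   # or "SrcIP"
    entries: List[SuspendEntry] = field(default_factory=list)
    suspensions: Dict[str, int] = field(default_factory=dict)   # per-source counter

    def duration(self, nth: int) -> int:
        """Length of the nth (1-based) suspension of one source: doubles up to max_time."""
        return min(self.min_time * 2 ** (nth - 1), self.max_time)

    def suspend(self, src_ip: str, dst_ip: str, dst_port: int, now: float) -> SuspendEntry:
        nth = self.suspensions.get(src_ip, 0) + 1
        self.suspensions[src_ip] = nth
        # Whole-source suspension: either the action is SrcIP, or the source has
        # exceeded the "max same source entries" count (if that feature is on).
        whole_source = (self.suspend_action == "SrcIP"
                        or (self.max_same_source > 0 and nth > self.max_same_source))
        if whole_source:
            dst_ip, dst_port = ALL_DESTINATIONS, ALL_PORTS
        entry = SuspendEntry(src_ip, dst_ip, dst_port, now + self.duration(nth))
        self.entries.append(entry)
        return entry

    def is_suspended(self, src_ip: str, dst_ip: str, dst_port: int, now: float) -> bool:
        """True if an unexpired entry covers this source/destination/port."""
        self.entries = [e for e in self.entries if e.expires_at > now]   # age out
        return any(e.src_ip == src_ip
                   and e.dst_ip in (ALL_DESTINATIONS, dst_ip)
                   and e.dst_port in (ALL_PORTS, dst_port)
                   for e in self.entries)


if __name__ == "__main__":
    # Constructed sample: one source trips the same protection five times.
    table = SuspendTable(min_time=10, max_time=600, max_same_source=4)
    print([table.duration(n) for n in range(1, 9)])   # 10, 20, 40, 80, 160, 320, 600, 600
    for i, port in enumerate((80, 443, 8080, 25, 22)):
        e = table.suspend("203.0.113.7", "192.0.2.10", port, now=i * 100)
        print(e)   # the 5th entry covers 0.0.0.0 / port 0: the whole source
```

With the defaults (10 s, 600 s) a source reaches the ceiling on its seventh suspension; raising Suspend Table max time or enabling max same source entries changes how quickly a slow, multi-destination scanner is cut off entirely.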

Global - Suspend Table


Use the Suspend Table pane to view and monitor attacks that are currently in the Suspend Table.

To view the suspend table:


Select DDoS Protector > Global > Suspend Table > Table.

Parameter Description

Source IP The IP address from which traffic was suspended.

Dest IP The IP address to which traffic was suspended (0.0.0.0 means traffic
to all destinations was suspended).

Dest Port The application port to which traffic was suspended (0 means all
ports).

Protocol Values: TCP, UDP

Module The internal, higher-level module that identified the entry in the
Suspend Table.

Classification Object Type The internal, classification-object Type that identified the entry in
the Suspend Table.
Values: Policy, Server Protection

Classification Object Name The internal, lower-level classification module that identified the
entry in the Suspend Table, for example: Connection Limit.

Reporting
Reporting Global Parameters
Use the Reporting Global Parameters pane to enable DDoS Protector reporting channels and set
the polling time parameters of the Alert Table and the Log File.

To define global reporting parameters:


1. Select DDoS Protector > Reporting > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description

Report Interval The frequency, in seconds, at which the reports are sent through
the reporting channels.
Values: 1 – 65,535
Default: 5

Max Alerts per Report The maximum number of attack events that can appear in each
report (sent within the reporting interval).
Values: 1 – 2000
Default: 1000

Report Per-Attack Aggregation Threshold The number of events for a specific attack during a
reporting interval, before the events are aggregated to a report. When the number of the generated
events exceeds the Aggregation Threshold value, the IP address value for the event is displayed
as 0.0.0.0, which specifies any IP address.
Values: 1 – 65,535
Default: 5

SNMP Traps Sending When enabled, the appliance uses the traps reporting channel.
Default: enable

Syslog Sending When enabled, the appliance uses the syslog reporting channel.
Default: disable

Terminal Echo When enabled, the appliance uses the Terminal Echo reporting
channel.
Default: disable

Email Sending When enabled, the appliance uses the e-mail reporting channel.
Default: disable

SNMP Traps Sending Risk The minimal risk level for the reporting channel. Attacks with the
specified risk value or higher are reported.
Values:
• info
• low
• medium
• high
Default: low

Email Sending Risk The minimal risk level for the reporting channel. Attacks with the
specified risk value or higher are reported.
Values:
• info
• low
• medium
• high
Default: low

Terminal Echo Risk The minimal risk level for the reporting channel. Attacks with the
specified risk value or higher are reported.
Values:
• info
• low
• medium
• high
Default: low

Syslog Sending Risk The minimal risk level for the reporting channel. Attacks with the
specified risk value or higher are reported.
Values:
• info
• low
• medium
• high
Default: low

Syslog Sending Severity The minimal severity for the sending of syslog reports for
appliance-health events and audit events. Events with the specified severity value or higher are
reported. Device-health events include all events related to appliance health, for example,
temperature, fan failure, CPU, tables, resources, and so on. Audit events include all events
related to user operations, for example, login attempts and configuration changes.
Values (in order of severity):
• debug
• info
• warning
• error
• fatal
Default: info

Traps Sending Severity The minimal severity for the sending of traps for appliance-health and
audit events. Events with the specified severity value or higher are reported. Device-health
events include all events related to appliance health, for example, temperature, fan failure, CPU,
tables, resources, and so on. Audit events include all events related to user operations, for
example, login attempts and configuration changes.
Values (in order of severity):
• debug
• info
• warning
• error
• fatal
Default: info

Destination UDP Port The port used for packet reporting.
Values: 1 – 65,535
Default: 2088

Security Log Status When enabled, the appliance uses the security logging reporting
channel.
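An added example (not Check Point's code) of the reporting rules in the table above: events are bucketed per Report Interval, aggregated once an attack exceeds the Per-Attack Aggregation Threshold, capped by Max Alerts per Report, and then handed only to the enabled channels whose minimal risk they meet. Function names, the event fields and the sample events are assumptions; the guide does not say which address field reads 0.0.0.0 after aggregation, so both are set here.

```python
"""Added example (not Check Point's code) of the reporting rules above:
per-interval bucketing, Report Per-Attack Aggregation Threshold, Max Alerts
per Report and the per-channel minimal risk. Names are assumptions."""
from collections import defaultdict

ANY_ADDRESS = "0.0.0.0"               # shown once an attack's events are aggregated
RISK_ORDER = ("info", "low", "medium", "high")


def build_reports(events, report_interval=5, max_alerts=1000, aggregation_threshold=5):
    """Group security events into one report per Report Interval (seconds).

    events: dicts with time, attack, src, dst, risk (constructed sample data).
    Returns {interval_index: [alert, ...]} with at most max_alerts alerts each.
    """
    by_interval = defaultdict(list)
    for ev in events:
        by_interval[int(ev["time"] // report_interval)].append(ev)
    reports = {}
    for idx in sorted(by_interval):
        per_attack = defaultdict(list)
        for ev in by_interval[idx]:
            per_attack[ev["attack"]].append(ev)
        alerts = []
        for name, evs in per_attack.items():
            if len(evs) > aggregation_threshold:
                # More events than the threshold: one aggregated alert whose
                # address fields read 0.0.0.0 (assumed: both fields).
                worst = max(RISK_ORDER.index(e["risk"]) for e in evs)
                alerts.append({"attack": name, "src": ANY_ADDRESS, "dst": ANY_ADDRESS,
                               "risk": RISK_ORDER[worst], "events": len(evs)})
            else:
                alerts.extend({"attack": name, "src": e["src"], "dst": e["dst"],
                               "risk": e["risk"], "events": 1} for e in evs)
        reports[idx] = alerts[:max_alerts]      # Max Alerts per Report
    return reports


def route_to_channels(alerts, channels):
    """channels: {name: {"enabled": bool, "min_risk": str}} as in the pane above.
    Returns {channel: [alerts whose risk is at or above the channel's minimum]}."""
    out = {}
    for name, cfg in channels.items():
        if not cfg["enabled"]:
            continue
        floor = RISK_ORDER.index(cfg["min_risk"])
        out[name] = [a for a in alerts if RISK_ORDER.index(a["risk"]) >= floor]
    return out


# Constructed sample: a burst of one attack plus two single events.
SAMPLE_EVENTS = (
    [{"time": 0.3 * i, "attack": "SYN Flood", "src": f"198.51.100.{i}",
      "dst": "203.0.113.10", "risk": "high"} for i in range(7)]
    + [{"time": 1.0, "attack": "Land Attack", "src": "203.0.113.10",
        "dst": "203.0.113.10", "risk": "low"},
       {"time": 7.0, "attack": "L4 Source or Dest. Port Zero", "src": "198.51.100.9",
        "dst": "203.0.113.10", "risk": "info"}]
)
# Channel settings following the page defaults: traps on, syslog off, floor "low";
# the e-mail floor is raised to "medium" to show the filter.
SAMPLE_CHANNELS = {"SNMP Traps": {"enabled": True, "min_risk": "low"},
                   "Syslog": {"enabled": False, "min_risk": "low"},
                   "Email": {"enabled": True, "min_risk": "medium"}}


def demo():
    """Reports for the sample, and the first interval routed to the channels."""
    reports = build_reports(SAMPLE_EVENTS)
    return reports, route_to_channels(reports[0], SAMPLE_CHANNELS)
```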


Packet Reporting


It is possible to configure the appliance to send a capture of the attack packet along with the
security event.
The attack capture is viewed from APSolute Vision.

To set the packet reporting parameters:


1. Select DDoS Protector > Reporting > Packet Report.
2. Configure the parameters, and click Set.
Parameter Description

Packet Report Global Limit The maximum number of packets that the appliance can send
within the Report Interval.
Values: 1 – 65,535
Default: 100

Destination IP Address The destination IP address for the packet reports.
Default: 0.0.0.0

Status Specifies whether the DDoS Protector appliance sends sampled attack packets along with
the attack event.
Default: Enabled

Top Ten Attacks


Predefined attack reports help you to explore Security attack patterns over time. Check Point has
created predefined reports for specific types of attack analysis. Attacks can be ranked by volume
and by type. Predefined reports also include reports for groups of attacks, or attacks relating to a
specific module.
Predefined reports allow you to focus attention on specific threats. Attack information is
pre-sorted, with the most important security event information plotted in easily read charts, for
your convenience.

To generate a predefined report:


1. Select DDoS Protector > Reporting > Top Ten Attacks.
2. Configure the parameters, and click Set.

Parameter Description

Choose type Select the type of attack report you want.
Values:
• Top Attacks – The top ten attacks, according to packet count per attack.
• Top Attack Sources – The top attacks according to attack sources per IP address.
• Top Attack Destinations – The top attacks according to attack destinations per IP address.
• Top Attacks by Category – The top ten attack groups (Intrusions, DoS, Anomalies, SYN Floods,
and Anti-Scanning), calculated according to packet count per group.
• Top Attacks by Risk – The attacks ranked by severity of risk (High/Medium/Low), shown as a
breakdown of all attacks over a set period of time according to the attack severity.

Seconds The number of seconds (retroactive from the current time) for the report.

Data Reporting Target Addresses


The appliance can store up to 10 target addresses for data reporting.

To create a target address for data reporting:


1. Select DDoS Protector > Reporting > Data Report > Address.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. In the ip-address text box, enter the IP address.
3. Click Set.

To delete a target address for data reporting:


1. Select DDoS Protector > Reporting > Data Report > Address.
2. Select the relevant row, and click Delete.

Security Log
Showing Security Logs
All events and alerts are logged in an all-purpose cyclic log file. The log file can be obtained at any
time.
The size of log file is limited. When the number of entries is beyond the permitted limit, the oldest
entries are overwritten. You are notified regarding the status of the log file utilization. The
notifications appear when the file is 80% utilized and 100% utilized.

To show security alerts:


1. Select DDoS Protector > Reporting > Security Log > Show.
2. Click the Attack Index number.
Parameter Description

Attack Index The number of the entry in the table.

ID

Attack Name The name of the attack that was detected.

Attack Source Address The source IP address of the attack.

Attack Destination Address The destination IP address of the attack.

Message Type The current status of the event.
Values:
• started – An attack containing more than one security event has been detected (some attacks
contain multiple security events, such as DoS, Scans, and so on).
• occurred (Signature-based attacks) – Each packet matched with signatures was reported as an
attack and dropped.
• ongoing – The attack is currently taking place, the time between Started and Terminated (for
attacks that contain multiple security events, such as DoS, Scans, and so on).
• terminated – There are no more packets matching the characteristics of the attack, and the
appliance reports that the attack has ended.
Attack Time The date and time that the attack started, in dd-MM-yyyy hh:mm:ss
format.

Date The date that the report was generated.

Src Port TCP/UDP source port.

Dst Port TCP/UDP destination port.

Context The context in which the attack was recognized.

Protocol The transmission protocol used.
Values: TCP, UDP, ICMP, IP

Physical Port The actual port on the appliance from which the attack arrived. The
value of N/A or 0 in this field indicates that the MPLS RD is not
available.

Vlan Tag The VLAN tag. The value of N/A or 0 in this field indicates that the
MPLS RD is not available.

MPLS Tag The Multiprotocol Label Switching tag. The value of N/A or 0 in this
field indicates that the MPLS RD is not available.

MPLS RD The Multiprotocol Label Switching Route Distinguisher. This value is used to generate
reports for each customer. The value of N/A or 0 in this field indicates that the MPLS RD is not
available.

Context The context.

Service The security service that detected the attack: Application Security,
DoS Shield, Generic.

Policy Name The policy that was used to detect the attack.

Packet Count The number of packets in the attack since the latest trap was sent.

Byte Count The number of Kilobytes that were dropped/forwarded.

Action Values:
• drop – The packet is discarded.
• proxy – The packet is forwarded to the defined destination.
• Reset Source – Sends a TCP-Reset packet to the packet source IP.
• Reset Destination – Sends a TCP-Reset packet to the destination address.
• Default – Performs the Action Mode that is specified in the Application Security Global
Parameters pane.
Risk How dangerous the attack is.
Values: high, low, medium, info

GUID The global unique identifier of the log entry.

Instance The hardware instance that processed the attack.
Values: 0, 1

Category The security module that detected the attack.

Security Log Clear


Use the Security Log Clear pane to clear the previously created log.

To clear the security log:


1. Select DDoS Protector > Reporting > Security Log > Clear.
2. Click Set.

Packet Trace
Use the following procedure to configure the packet trace parameters.

To configure packet trace:


1. Select DDoS Protector > Reporting > Packet Trace.
2. Configure the parameters, and click Set.
Parameter Description

Enable Packet Trace on Physical Port Specifies whether the Packet Trace feature is disabled or,
when it is enabled, the physical port to which the DDoS Protector appliance sends identified attack
traffic (when the Packet Trace feature is enabled in the policy or profile).
Values:
• none – The Packet Trace feature is disabled.
• The physical, inspection ports (that is, excluding the management ports)
Default: none
Note: A change to this parameter takes effect only after you update policies.
DDoS Protector x06 models support the Packet Trace functionality only for dropped traffic.

Max Packet Rate The maximum number of packets per second that the Packet Trace feature sends.
Values: 1 – 200,000
Default: 50,000
Note: A change to this parameter takes effect only after you update policies.

Packet Length The maximum length, in bytes, of dropped packets that the Packet Trace feature
sends. DDoS Protector can limit the size of the packets that Packet Trace sends only for dropped
packets. That is, when a rule is configured with Report Only (as opposed to Block), the Packet
Trace feature sends the whole packets.
Values: 64 – 1550
Default: 1550
Note: A change to this parameter takes effect only after you update policies.
If you are interested only in the packet headers of the dropped packets, set the minimum value,
64, to conserve resources.

Attack Database
Attack Database Version
The read-only Attack Database Version pane shows the version of the current attack database.

To show the attack database version:


Select DDoS Protector > Attack Database > Version.

Attack Database Send To Device


Application Security module uses the Application Security Signature File Update feature for
constant updates of the signatures database. All appliances with the Application Security module
are updated using the latest Application Security Signature file, which is a database that contains
a list of updated attacks.
The update of the Application Security Signature File is performed per appliance using the Send
Attack Database to Device pane.
You can download an updated Application Security Signature file from the Check Point Web site
every Monday. If an emergency update is required, the web site is updated in addition to weekly
updates.

To send the attack database file to the appliance:


1. Select DDoS Protector > Attack Database > Send to Device.
2. In the File field, type the name of the file, or click Browse to navigate to the relevant file.

Activate Latest Changes


If you edit the parameters of a basic filter or an advanced filter, which is bound to the existing
policy, you need to update the policy with the recent changes.

To activate the latest changes:


1. Select DDoS Protector > Update Policies.
2. Click Set.

Packet Anomaly Attacks


Packet Anomaly protection detects and provides protection against packet anomalies. Generally,
whenever a packet matching one of the predefined checks arrives, it is automatically blocked,
discarded, and reported. However, you may wish to allow certain anomalous traffic to flow through
the appliance without inspection.
Use the Packet Anomalies Table pane to allow certain packets to pass through the appliance
without inspection, and to define the risk factor.
This feature is not supported on management interfaces.
When the Packet Trace feature is enabled for Packet Anomaly Protection, the appliance sends
anomalous packets to the specified physical port. You enable or disable the Packet Trace feature
for all the packet-anomaly protections configured on the appliance.

To configure the Packet Trace status:


1. Select DDoS Protector > Packet Anomalies > Table.
2. From the Packet Trace Status drop-down list, select enable or disable.
3. Click Set.

To configure the packet anomalies parameters:


1. Select DDoS Protector > Packet Anomalies > Table.
2. Select the relevant ID from the table.
3. Configure the parameters, and click Set.

Packet Anomaly Table Parameters


Parameter Description

ID (Read-only) The ID number for the packet-anomaly protection.

Name (Read-only) The name of the packet-anomaly protection.

Risk The risk associated with the trap for the specific anomaly.
Values: Info, Low, Medium, High
Default: Info

Action The action that the appliance takes when the packet anomaly is detected. The
action is only for the specified packet-anomaly protection.
Values:
• block – The appliance discards the anomalous packets and issues a trap.
• report – The appliance issues a trap for anomalous packets. If the Report Action is Process, the
packet goes to the rest of the appliance modules. If the Report Action is Bypass, the packet
bypasses the rest of the appliance modules.
• no-report – The appliance issues no trap for anomalous packets. If the Report Action is Process,
the packet goes to the rest of the appliance modules. If the Report Action is Bypass, the packet
bypasses the rest of the appliance modules.

Report Action The action that the DDoS Protector appliance takes on the anomalous packets
when the specified Action is report or no-report. The Report Action is only for
the specified packet-anomaly protection.
Values:
• bypass – The anomalous packets bypass the appliance.
• process – The DDoS Protector modules process the anomalous packets. If the anomalous packets
are part of an attack, DDoS Protector can mitigate the attack.
You cannot select process for the following packet-anomaly protections:
• 104 – Invalid IP Header or Total Length
• 107 – Inconsistent IPv6 Headers
• 131 – Invalid L4 Header Length

Default Configuration of Packet-Anomaly Protections


Anomaly Description

Unrecognized L2 Format (This anomaly is available only on x412 platforms. This anomaly cannot be
sampled.) Packets with more than two VLAN tags, L2 broadcast, or L2 multicast traffic.
ID: 100
Default Action: No Report
Default Report Action: Process
Default Risk: Low

Incorrect IPv4 Checksum (This anomaly is available only on x412 platforms. This anomaly cannot be
sampled.) The IP packet header checksum does not match the packet header.
ID: 103
Default Action: Drop
Default Report Action: Process
Default Risk: Low

Invalid IPv4 Header or Total Length The IP packet header length does not match the actual header
length, or the IP packet total length does not match the actual packet length.
ID: 104
Default Action: Drop
Report Action: Bypass
Default Risk: Low

TTL Less Than or Equal to 1 The TTL field value is less than or equal to 1.
ID: 105
Default Action: Report
Default Report Action: Process
Default Risk: Low

Inconsistent IPv6 Headers Inconsistent IPv6 headers.
ID: 107
Default Action: Drop
Report Action: Bypass – You cannot select Process for this packet-anomaly protection.
Default Risk: Low

IPv6 Hop Limit Reached IPv6 hop limit is not greater than 1.
ID: 108
Default Action: Report
Default Report Action: Process
Default Risk: Low

Unsupported L4 Protocol Traffic other than UDP, TCP, ICMP, or IGMP.
ID: 110
Default Action: No Report
Default Report Action: Process
Default Risk: Low

Invalid TCP Flags The TCP flags combination is not according to the standard.
ID: 113
Default Action: Drop
Default Report Action: Process
Default Risk: Low

Source or Dest. Address same as Local Host The IP packet source address or destination address
is equal to the local host.
ID: 119
Default Action: Drop
Default Report Action: Process
Default Risk: Low

Source Address same as Dest Address (Land Attack) The source IP address and the destination IP
address in the packet header are the same. This is referred to as a LAND, Land, or LanD attack.
ID: 120
Default Action: Drop
Default Report Action: Process
Default Risk: Low

L4 Source or Dest. Port Zero The Layer 4 source port or destination port equals zero.
ID: 125
Default Action: Drop
Default Report Action: Process
Default Risk: Low

Invalid L4 Header Length The length of the Layer 4, TCP/UDP/SCTP header is invalid.
ID: 131
Default Action: Drop
Report Action: Bypass – You cannot select Process for this packet-anomaly protection.
Default Risk: Low

Broadcast Destination MAC Address The L2 destination MAC is all F values – that is,
0xFFFFFFFFFFFF.
ID: 132
Default Action: No Report
Default Risk: Low
Report Action: Process

Multicast Destination MAC Address The L2 destination MAC has multicast values – that is, a
destination MAC address where the low-order bit of the first byte is set.
ID: 133
Default Action: No Report
Default Risk: Low
Report Action: Process
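The checks behind the anomaly IDs in the table above, as an added example that is not the appliance's code: a Python parser that applies them to raw Ethernet/IPv4 frames and returns the IDs a frame would trigger (IPv6 and the x412-only L2 format check are not modelled). Function names, the exact flag combinations treated as invalid, and the sample frames are assumptions.

```python
"""Added example (not Check Point's code): the checks behind the anomaly IDs in
the table above, applied to raw Ethernet/IPv4 frames. Only IPv4 with TCP/UDP is
modelled; function names and the sample frames are constructed."""
import socket
import struct

TCP, UDP, ICMP, IGMP = 6, 17, 1, 2          # the L4 protocols the table recognises
SYN, FIN, RST = 0x02, 0x01, 0x04


def ipv4_checksum(header):
    """RFC 791 header checksum, computed with the checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def packet_anomalies(frame):
    """Return the sorted anomaly IDs (table above) that an Ethernet frame triggers."""
    hits = set()
    dst_mac = frame[:6]
    if dst_mac == b"\xff" * 6:
        hits.add(132)                       # broadcast destination MAC
    elif dst_mac[0] & 1:
        hits.add(133)                       # multicast: low-order bit of first byte
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return sorted(hits)                 # only IPv4 is modelled here
    ip = frame[14:]
    if len(ip) < 20:
        hits.add(104)
        return sorted(hits)
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    # 104: the header must fit, and the total length must fit the bytes on the
    # wire (trailing Ethernet padding is allowed, so "<=" rather than "==").
    if ihl < 20 or ihl > len(ip) or total_len < ihl or total_len > len(ip):
        hits.add(104)
        return sorted(hits)                 # later fields cannot be trusted
    if ipv4_checksum(ip[:ihl]) != struct.unpack("!H", ip[10:12])[0]:
        hits.add(103)
    if ip[8] <= 1:
        hits.add(105)                       # TTL less than or equal to 1
    src, dst = ip[12:16], ip[16:20]
    if src[0] == 127 or dst[0] == 127:
        hits.add(119)                       # loopback as source or destination
    if src == dst:
        hits.add(120)                       # LAND attack
    proto, l4 = ip[9], ip[ihl:total_len]
    if proto == TCP:
        if len(l4) < 20 or not 20 <= (l4[12] >> 4) * 4 <= len(l4):
            hits.add(131)                   # data offset outside the segment
            return sorted(hits)
        sport, dport = struct.unpack("!HH", l4[:4])
        flags = l4[13] & 0x3F
        if flags == 0 or (flags & SYN and flags & (FIN | RST)):
            hits.add(113)                   # combinations no standard stack sends
    elif proto == UDP:
        if len(l4) < 8 or struct.unpack("!H", l4[4:6])[0] != len(l4):
            hits.add(131)                   # UDP length disagrees with the datagram
            return sorted(hits)
        sport, dport = struct.unpack("!HH", l4[:4])
    elif proto in (ICMP, IGMP):
        return sorted(hits)                 # no port checks for these
    else:
        hits.add(110)                       # unsupported L4 protocol
        return sorted(hits)
    if sport == 0 or dport == 0:
        hits.add(125)
    return sorted(hits)


def build_frame(src_ip, dst_ip, ttl=64, proto=TCP, sport=1234, dport=80, flags=SYN,
                dst_mac=b"\x00\x11\x22\x33\x44\x55", bad_checksum=False):
    """Constructed test frame: Ethernet/IPv4 with a TCP (or UDP-shaped) header."""
    payload = b"hello"
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, ttl, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ipv4_checksum(ip) ^ (0xFFFF if bad_checksum else 0)   # flip bits to corrupt
    ip = ip[:10] + struct.pack("!H", csum) + ip[12:]
    return dst_mac + b"\x00\xaa\xbb\xcc\xdd\xee" + b"\x08\x00" + ip + l4
```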


Service Discovery
Service Discovery Global Parameters
Use the Service Discovery feature in a Network Protection policy to identify HTTP servers in a
specified network and protect the discovered servers with the default HTTP-flood-mitigator
profile.
The Service Discovery mechanism discovers HTTP servers by identifying HTTP responses.
Therefore, in order to use Service Discovery, the DDoS Protector appliance needs to be in a
topology where it can inspect both HTTP requests and HTTP responses.
The details of the discovered servers are contained in the Server Protection table.
When a discovered server is no longer active for a specified period, the Service Discovery
mechanism can remove the server from the table.
To implement the Service Discovery feature, when you configure a Network Protection policy, you
specify the Service Discovery profile to use in the policy.
Note: The Service Discovery mechanism does not create audit events when adding or removing
servers.

To configure the global parameters of the Service Discovery feature:


1. Select DDoS Protector > Service Discovery > Global Parameters.
2. Configure the following parameters, and click Set.
Parameter Description

Mechanism Status Specifies whether the DDoS Protector appliance uses the Service Discovery
feature.
Values: enable, disable
Default: enable

Tracking Time The time, in minutes, that the Service Discovery mechanism tracks a server sending
HTTP responses. The Service Discovery mechanism uses the Tracking Time and the specified number
of HTTP responses during the Tracking Time to determine whether to protect the server.
Values: 1 – 60
Default: 5

Revalidation Time Specifies how often, in days, the Service Discovery mechanism revalidates the
discovered servers.
Values:
• 1 – 365
• disable – Once a server is identified, the Service Discovery mechanism never revalidates it.
Default: 7


Service Discovery Profiles


To implement the Service Discovery feature, when you configure a Network Protection policy, you
specify the Service Discovery profile to use in the policy. DDoS Protector configures a default
Service Discovery profile, ServiceDiscovery_Default. You can modify ServiceDiscovery_Default
profile. You can also configure additional Service Discovery profiles to use in your Network
Protection policies.
The Service Discovery profile can be specified in multiple Network Protection policies, which may
have overlapping network ranges. The Service Discovery mechanism protects the discovered
server only with the first policy that matches.

To configure a Service Discovery profile:


1. Select DDoS Protector > Service Discovery > Profiles.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Profile Name The name of the Service Discovery profile.
Maximum characters: 30

HTTP Profile The HTTP-flood mitigator profile for the server.
Default: HTTP_Default
The server is protected with the profile configuration that exists when the server is added to
the Server Protection table. If the configuration of the profile changes, the new configuration
protects only the subsequently added/discovered servers.
The profile configuration includes the parameters Action and Packet Trace, but the DDoS Protector
appliance ignores the values. Instead, the appliance uses the Action and Packet Trace values that
are configured in the Network Protection policy.

Responses per Minute The average number of HTTP responses per minute during the Tracking Time
(specified globally) that causes the Service Discovery mechanism to protect the server. If the
total value is reached before the Tracking Time elapses (Responses per Minute × Tracking Time),
the Service Discovery mechanism adds the server to the Server Protection table immediately.
Values: 1 – 5000
Default: 100

Automatic Removal Specifies whether the Service Discovery mechanism removes the server
from the Server Protection table if, after the Revalidation Time, the
server does not meet the Tracking-Time-Responses-per-Minute
criteria.
Values: Yes, No
Default: No
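The discovery and removal rules above, as an added example (not Check Point's code): a Python model in which a server is protected once Responses per Minute × Tracking Time responses are counted inside one Tracking Time, and is dropped at revalidation when Automatic Removal is Yes and it no longer meets that count. Class names, the minute-based clock and the sample rates are assumptions.

```python
"""Added example (not Check Point's code) of the Service Discovery rule above:
Tracking Time (global, minutes), Responses per Minute (profile) and Automatic
Removal at Revalidation Time. Names and the clock are assumptions."""


class ServiceDiscovery:
    def __init__(self, tracking_time, responses_per_minute, automatic_removal=False):
        self.tracking_time = tracking_time          # minutes, global parameter
        # Averaging over a full window and "total reached early" are the same
        # test: the count must reach Responses per Minute x Tracking Time.
        self.total_needed = responses_per_minute * tracking_time
        self.automatic_removal = automatic_removal  # profile parameter
        self.windows = {}        # server -> (window start, responses counted)
        self.protected = set()   # stands in for the Server Protection table

    def http_response(self, server, now):
        """Record one HTTP response seen from server at time now (minutes).
        Returns True once the server is protected."""
        if server in self.protected:
            return True
        start, count = self.windows.get(server, (now, 0))
        if now - start >= self.tracking_time:
            start, count = now, 0          # window elapsed short of the total
        count += 1
        if count >= self.total_needed:
            # Total reached before the Tracking Time elapsed: add immediately.
            self.protected.add(server)
            self.windows.pop(server, None)
            return True
        self.windows[server] = (start, count)
        return False

    def revalidate(self, server, responses_in_tracking_time):
        """Run when the Revalidation Time is due, with the count a fresh
        Tracking Time of observation produced for the server."""
        if (server in self.protected and self.automatic_removal
                and responses_in_tracking_time < self.total_needed):
            self.protected.discard(server)
        return server in self.protected


def feed(sd, server, rate, minutes):
    """Feed `rate` evenly spaced responses per minute for `minutes` minutes;
    return the minute at which the server became protected, or None."""
    for m in range(minutes):
        for i in range(rate):
            now = m + i / rate
            if sd.http_response(server, now):
                return now
    return None


def demo():
    """Tracking Time 5 and Responses per Minute 100 (the page defaults)."""
    sd = ServiceDiscovery(tracking_time=5, responses_per_minute=100,
                          automatic_removal=True)
    busy = feed(sd, "10.0.0.10", rate=250, minutes=5)   # 500 responses by minute 2
    quiet = feed(sd, "10.0.0.20", rate=60, minutes=5)   # 300 in 5 minutes: below
    kept = sd.revalidate("10.0.0.10", responses_in_tracking_time=600)
    removed = sd.revalidate("10.0.0.10", responses_in_tracking_time=120)
    return busy, quiet, kept, removed
```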


Restore Default Configuration


Use the Restore Default Configuration pane to run the Restore Default Configuration action.
DDoS Protector supports default protection profiles, which you can use in your Network
Protection policies and are used in the default Network Protection policy.
You cannot delete the default protection profiles, but you can change their parameters.
The Restore Default Configuration action reconfigures the default protection profiles in existing
Network Protection policies with the default values, and then reboots the appliance.
DDoS Protector supports default profiles for the following protections:
• DoS Signatures – Uses the Dos-All profile as the default profile. You can use the Dos-All
profile in your Network Protection policies or you can use no DoS Shield protection. You cannot
modify the profile.
• BDoS – Supports the NetFlood_Default default protection profile. By default, the profile is
enabled.
• DNS – Supports the DNSFlood_Default default protection profile. By default, the profile is
enabled.
• SYN Protection – Supports the SYNFlood_Default default protection profile. By default, the
profile is enabled, and includes all static SYN-protection attacks (that is, FTP Control, HTTP,
HTTPS, IMAP, POP3, RPC, RTSP, SMTP, and Telnet).
• OOS Protection – Supports the OOSFlood_Default default protection profile. By default, the
profile is enabled.
For the BDoS, DNS, SYN, and Out-of-State protections, you can also create your own protection
profiles and use them instead of the default protection profiles.
The Restore Default Configuration action does not affect user-defined protection profiles.
Since BDoS and DNS baselines are not part of the profiles, BDoS and DNS protections keep their
values during the Restore Default Configuration operation.

To restore the default configuration:


1. Select DDoS Protector > Restore Default Configuration.
2. Click Set.

CHAPTER 7

Security
In This Section:
Management Ports .....................................................................................................209
Ports Access ...............................................................................................................209
SNMP ...........................................................................................................................210
Ping Physical Ports Table ..........................................................................................216
Users ...........................................................................................................................216
Certificates ..................................................................................................................218

Management Ports
Use the Management Ports Table pane to enable or disable access to a management port.

To set the management ports:


1. Select Security > Management Ports.
2. Select a port.
3. Configure the parameters, and click Set.
Parameter Description

Port Number (Read-only) The identifier of the selected management port.

SNMP Specifies whether the port allows access with SNMP.

TELNET Specifies whether the port allows access with TELNET.

SSH Specifies whether the port allows access with SSH.

WEB Specifies whether the port allows access with WEB.

SSL Specifies whether the port allows access with SSL.

Ports Access
You can specify how unbound UDP and TCP ports respond to SYN packets.

To set the port unreachable status:


1. Select Security > Ports Access.
2. From the Port Unreachable Status drop-down list, select the required value, as follows:
• Enabled – Unbound TCP ports answer SYN packets with an RST. Unbound UDP ports answer SYN
packets with a port-unreachable message.
• Disabled – The appliance drops SYN or UDP packets without sending a reply. When the appliance
uses this option, the appliance does not expose itself to the network.
Default: Enabled
3. Click Set.

SNMP
SNMP Global Parameters
DDoS Protector can work with SNMPv1, SNMPv2, and SNMPv3.
Use the SNMP Global Parameters pane to configure the SNMP global parameters.

To configure the SNMP global parameters:


1. Select Security > SNMP > Global Parameters.
2. Configure the parameters, and click Set.
Parameter Description

Supported SNMP Versions (Read-only) The SNMP version currently supported.

Supported SNMP Version After Reset The SNMP versions that the SNMP agent will support after the
appliance is reset. Select the checkboxes of the SNMP versions to support.

SNMP Ports The UDP port on which the agent listens for SNMP requests.

SNMP Status The status of the SNMP agent.
Default: Enabled

SNMP User Table


Use the User Based Security Model pane to define users that can connect to the appliance and
store the access parameters for each SNMP user.
The configuration file of the appliance, which contains SNMPv3 users with authentication, can
only be used by the specific appliance on which the users were configured. When exporting the
configuration file to another appliance, the passwords need to be re-entered, since passwords (of
SNMPv3 users) cannot be exported from one appliance to another. Therefore, there must be at least
one user in the user table (to be able to change the password) in case the configuration file is
uploaded to another appliance.

To configure a new user:


1. Select Security > SNMP > User Table.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

User Name The name of the new user.

Authentication Protocol The algorithm used for authentication.

Authentication Password A password required in case authentication is used.

Privacy Protocol The algorithm used for encryption.

Privacy Password A password used to identify the user.

SNMP Community Table


You can map community strings into user names and vice versa using the SNMP Community
Table. This table restricts the range of addresses from which SNMP requests are accepted and to
which traps may be sent.
The SNMP Community Table is used only for SNMP versions 1 and 2.

To configure the SNMP community table:


1. Select Security > SNMP > Community Table.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Index A descriptive name for this entry.

Community Name The community string.

Security Name The user name associated with the community string.

Transport Tag Specifies a set of target addresses from which the SNMP accepts SNMP
requests and to which traps may be sent. The target addresses identified by
this tag are defined in the Target Address table. If this string is empty,
addresses are not checked when an SNMP request is received or when a
trap is sent. If this string is not empty, the transport tag must be contained in
the value of the Tag List of at least one entry in the Target Address table.

SNMP Groups Table


You can associate users with groups in the Groups Table. Access rights are defined for groups of
users.

To configure the groups table:


1. Select Security > SNMP > Groups Table.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Parameter Description

Security Model The security model associated with this group.

Security Name A relevant security name.

Group Name The access control policy for a group of users.

SNMP Access Table


You can define the access rights for each group and security model in the VACM Group Access
pane.

To configure the parameters of the SNMP access table:


1. Select Security > SNMP > Access Table.
• To add an entry, click Create.
• To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

Group Name The name of your group.

Security Model Values:
• SNMP v1
• SNMP v2c
• User Based

Security Level Values:
• No Authentication
• Auth Not Private
• Auth Private

ReadView Name The name of one or more entries in the View Tree Family Table. Specifies
which objects in the MIB tree are readable by this group.

WriteView Name The name of one or more entries in the View Tree Family Table. Specifies
which objects in the MIB tree are writable by this group.

NotifyView Name The name of one or more entries in the View Tree Family Table. Specifies
which objects in the MIB tree can be accessed in notifications (traps) by this group.

SNMP View Table


Use the View Table pane to define subsets of the MIB tree for use in the Access Table. Different
entries may have the same name. The union of all entries with the same name defines the subset
of the MIB tree and can be referenced in the Access Table through its name.

To set the view table parameters:


1. Select Security > SNMP > View Table.
 To add an entry, click Create.
 To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.
Parameter Description

View Name The name of this entry.

Subtree The object ID of a subtree of the MIB.

Subtree Mask The subtree mask.

Type Specifies whether objects defined in this entry should be included or excluded
in the MIB view.
Default: included

SNMP Notify Table

Use the Notify Table pane to select management targets that receive notifications and the type of
notification to be sent to each selected management target. The Tag parameter identifies a set of
target addresses. An entry in the SNMP Target Address (on page 215) table that contains a tag
specified in the Notify table receives notifications.

To configure SNMP notification settings:

1. Select Security > SNMP > Notify Table.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Parameter Description

Name: A descriptive name for this entry; for example, the type of notification.

Tag: A string that identifies the target addresses to which this notification is sent. All
    target addresses that have this tag in their tag list receive this notification.

SNMP Target Parameters

The Target Parameters table defines message-processing and security parameters that are used
in sending notifications to a particular management target. Entries in the Target Parameters table
are referenced in the Target Address table.

To set the target parameters:

1. Select Security > SNMP > Target Parameters Table.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Parameter Description

Name: The name of the target parameters entry.
    Maximum characters: 32

Message Processing: Values: SNMPv1, SNMPv2c, SNMPv3
    Default: SNMPv1

Security Model: The SNMP version that represents the required Security Model.
    Security models are predefined sets of permissions that can be used by the
    groups. These sets are defined according to the SNMP versions. By selecting
    the SNMP version for this parameter, you determine the permissions set to be
    used.
    Values:
    • SNMPv1
    • SNMPv2c
    • User Based (that is, SNMPv3)
    Default: SNMPv1

Security Name: If the User Based security model is used, the security name identifies the user
    that is used when the notification is generated. For other security models, the
    security name identifies the SNMP community used when the notification is
    generated.

Security Level: Specifies whether the trap is authenticated and encrypted before it is sent.
    Values:
    • noAuthNoPriv: No authentication or privacy is required.
    • authNoPriv: Authentication is required, but privacy is not required.
    • authPriv: Both authentication and privacy are required.
    Default: No Authentication

SNMP Target Address

In SNMPv3, the Target Addresses table contains transport addresses to be used in the generation
of traps. If the tag list of an entry contains a tag from the SNMP Notify Table, this target is
selected for reception of notifications. For SNMP versions 1 and 2, this table is used to restrict the
range of addresses from which SNMP requests are accepted and to which SNMP traps may be
sent. If the Transport Tag of an entry in the community table is not empty, it must be included in
one or more entries in the Target Address Table.

To set the SNMP target address parameters:

1. Select Security > SNMP > Target Address Table.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Parameter Description

Name: The name of the target address entry.

Address-Port: The IP address of the management station and TCP port to be used as the
    target of SNMP traps. The format of the value is <IP address>-<TCP port>,
    where <TCP port> must be 162. For example, if the value for Address-Port is
    1.2.3.4-162, 1.2.3.4 is the IP address of the management station and 162 is
    the port number for SNMP traps.

Tag List: Specifies sets of target addresses. Tags are separated by spaces. The tags
    contained in the list may be tags from the Notify table or Transport tags from
    the Community table.
    Each tag can appear in more than one tag list. When a significant event
    occurs on the network appliance, the tag list identifies the targets to which a
    notification is sent.

Mask: A subnet mask of the management station.

Parameters: The set of target parameters to be used when sending SNMP traps. Target
    parameters are defined in the Target Parameters table.

Traps Security Sending: Specifies whether the appliance sends security-event traps to the target
    address. Security events include all events related to attack detection and
    mitigation: start, ongoing, occurred, sampled, and terminated.
    Default: Enabled

Traps Health Sending: Specifies whether the appliance sends appliance-health event traps to the
    target address. Device-health events include all events related to appliance
    health, for example, temperature, fan failure, CPU, tables, resources, and so
    on.
    Default: Enabled

Traps User Audit Sending: Specifies whether the appliance sends audit-event traps to the target
    address. Audit events include all events related to user operations, for
    example, login attempts and configuration changes.
    Default: Enabled
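The selection logic described by the Notify, Target Parameters and Target Address tables above, as an added Python example that is not appliance code: it resolves which management stations receive a given notification, checks the Community-table Transport Tag rule, and lists targets whose parameters send traps below authPriv. All table rows, tags, names and addresses are constructed sample data.

```python
"""Added example (not DDoS Protector code): models how the Notify, Target Address,
Target Parameters and Community tables select which management stations get traps."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class NotifyEntry:
    name: str                 # descriptive name, e.g. the type of notification
    tag: str                  # tag that selects Target Address entries


@dataclass
class TargetParams:
    name: str
    message_processing: str   # SNMPv1 | SNMPv2c | SNMPv3
    security_model: str       # SNMPv1 | SNMPv2c | User Based
    security_name: str        # community (v1/v2c) or USM user (User Based)
    security_level: str       # noAuthNoPriv | authNoPriv | authPriv


@dataclass
class TargetAddress:
    name: str
    address_port: str         # "<IP address>-<port>", port must be 162
    tag_list: str             # space-separated tags
    params: str               # name of a TargetParams entry
    traps_security: bool = True
    traps_health: bool = True
    traps_user_audit: bool = True

    def tags(self) -> set[str]:
        return set(self.tag_list.split())


def parse_address_port(value: str) -> tuple[str, int]:
    """Split an Address-Port value and enforce the port-162 rule from the guide."""
    addr, sep, port = value.rpartition("-")
    if not sep or not addr or not port.isdigit():
        raise ValueError(f"bad Address-Port {value!r}: expected <IP address>-<port>")
    if int(port) != 162:
        raise ValueError(f"bad Address-Port {value!r}: port must be 162")
    return addr, int(port)


TRAP_FLAG = {"security": "traps_security", "health": "traps_health",
             "user_audit": "traps_user_audit"}   # Target Address flag per trap class


def notification_targets(notify_name: str, trap_class: str, notify_table, target_table,
                         params_table) -> list[tuple[str, TargetParams]]:
    """(address, target parameters) for every target that receives the named
    notification: its Tag List must contain the Notify entry's tag and the
    trap-class sending flag must be enabled.  A dangling Parameters reference
    raises KeyError instead of silently dropping the target."""
    notify = next(n for n in notify_table if n.name == notify_name)
    params_by_name = {p.name: p for p in params_table}
    selected = []
    for tgt in target_table:
        if notify.tag in tgt.tags() and getattr(tgt, TRAP_FLAG[trap_class]):
            addr, _port = parse_address_port(tgt.address_port)
            selected.append((addr, params_by_name[tgt.params]))
    return selected


def unreferenced_transport_tags(transport_tags, target_table) -> list[str]:
    """Community-table rule: a non-empty Transport Tag must appear in the Tag List
    of at least one Target Address entry.  Returns the tags that violate it."""
    known = set().union(*(t.tags() for t in target_table))
    return [tag for tag in transport_tags if tag and tag not in known]


def targets_below_auth_priv(target_table, params_table) -> list[str]:
    """Targets whose Target Parameters send traps without both authentication and
    privacy; worth reviewing, since those traps carry attack and audit details."""
    params_by_name = {p.name: p for p in params_table}
    return [t.name for t in target_table
            if params_by_name[t.params].security_level != "authPriv"]


# Constructed sample tables (addresses from the documentation range 192.0.2.0/24).
NOTIFY_TABLE = [NotifyEntry("attack-events", "sec-tag"),
                NotifyEntry("hardware-events", "health-tag")]
PARAMS_TABLE = [TargetParams("v3-authpriv", "SNMPv3", "User Based", "nmsuser", "authPriv"),
                TargetParams("v2c-public", "SNMPv2c", "SNMPv2c", "public", "noAuthNoPriv")]
TARGET_TABLE = [
    TargetAddress("nms1", "192.0.2.10-162", "sec-tag health-tag", "v3-authpriv"),
    TargetAddress("nms2", "192.0.2.20-162", "sec-tag", "v2c-public", traps_security=False),
    TargetAddress("nms3", "192.0.2.30-162", "health-tag", "v3-authpriv"),
]
```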

Ping Physical Ports Table


You can define which physical interfaces can be pinged. When a ping is sent to an interface for
which ping is not allowed, the packet is discarded. By default, all the interfaces of the appliance
allow pings.

To configure physical ports to allow ping:


1. Select Security > Ping Physical Ports Table.
2. Select a Port Number link.
3. In the Ping Device field, select Enable or Disable, as required.
4. Click Set.

Users
You can configure a list of users who are authorized to access the appliance through any enabled
access method (Web, Telnet, SSH, SWBM). When configuration tracing is enabled, users can
receive e-mail notifications of changes made to the appliance.

To configure the user-access authentication method:

1. Select Security > Users.
2. From the Authentication Method drop-down list, configure the parameter, and click Set.

User Authentication Method Parameter

Parameter Description

Authentication Method: Values:
    • Local User Table: The appliance uses the User Table to authenticate
      access.
    • Radius and Local User Table: The appliance uses the RADIUS servers
      to authenticate access. If the request to the RADIUS server times out,
      the appliance uses the User Table to authenticate access.
    Default: Local User Table

To configure the users table:

1. Select Security > Users.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Security Users Table Parameters

Parameter Description

User Name: The name of the user.

Password: The text password for the user.

Email Address: The e-mail address of the user to which notifications will be sent.

Severity: The minimum severity level of traps sent to this user.
    Values:
    • None: The user receives no traps.
    • Info: The user receives traps with severity Info or higher.
    • Warning: The user receives Warning, Error, and Fatal traps.
    • Error: The user receives Error and Fatal traps.
    • Fatal: The user receives Fatal traps only.
    Default: None

Trace Status: When enabled, the specified user receives notifications of
    configuration changes made in the appliance.
    Every time the value of a configurable variable changes, information
    about all the variables in the same MIB entry is reported to the
    specified users. The appliance gathers reports and sends them in a
    single notification message when the buffer is full or when the
    timeout of 60 seconds expires.
    The notification message contains the following details:
    • Name of the MIB variable that was changed
    • New value of the variable
    • Time of configuration change
    • Configuration tool that was used
    • User name, when applicable

User Access Level: Values: readwrite, readonly, none
    Default: readwrite

SSH public key name: The name of the SSH public key.

Certificates
Certificates Table
Use the Certificates Table pane to manage keys and certificates.
Create and Delete functionality is available only when you are connected with a secure protocol,
such as HTTPS.

To update an entry:
1. Select Security > Certificates > Table.
2. Click the entry name.
3. To create a new certificate, click Create.
4. Configure the parameters, and click Set.

To create an entry:
1. Select Security > Certificates > Table.
2. Click Create.
3. Configure the parameters, and click Set.

Parameter Description

Name: The name of the entry.

Entry Type: Values:
    • Key
    • Signing Request
    • Certificate
    • Intermediate CA Certificate
    • Certificate of Client CA

Key Size: Values: 512, 1024, 2048

Key Passphrase: The key password (the same that you use to export the key from the
    web server).

Common Name: The domain name of the organization. For example,
    www.checkpoint.com

Locality: The name of the city.

State or Province: The state or province.

Organization: The name of the organization.

Organization Unit: The department/unit within the organization.

Country Name: The country of residence.

Certificate Expiry: (Read-only) The date of expiry in DDD MMM dd hh:mm:ss yyyy format.
    Example: SAT SEP 01 08:29:40 2012

Email: Default email address for the organization.

Certificate Validity: The number of days for which the certificate is valid.

To delete an entry:
1. Select Security > Certificates > Table.
2. Select the checkbox in the row with the entry.
3. Click Delete.

Exporting PKI Components

You can export Public Key Infrastructure (PKI) components when you are connected with a secure
protocol, such as HTTPS.

To export a PKI component:

1. Select Security > Certificates > Export.
2. Configure the parameters, and click Show to view the component details, or click Export to
   export the component from the appliance.
   A dialog message displays asking if you want to open or save the component file. If you click
   Open, the file is opened in a browser window.

Parameter Description

Name: The name of the component.

Type: Values:
    • Key
    • Certificate
    • Certificate and Key

Format: (Read-only) The format for the specified Type.

Passphrase: The password (the same that you use to export the key from the Web server).

Text: The certificate text, which you can enter.

Importing a PKI Component

You can import Public Key Infrastructure (PKI) components when you are connected with a secure
protocol, such as HTTPS.
A certificate that you import cannot include a header or footer (header and footer example:
-----BEGIN PUBLIC KEY-----, -----END PUBLIC KEY-----). If the certificate that you want
to import includes a header or footer, you must remove it before importing it. Common external
applications such as openssl or ssh-keygen may include a header and footer when they generate a
certificate. A certificate that DDoS Protector generates does not include a header or footer.
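An added Python helper, not part of the product, for preparing PEM output from tools such as openssl or ssh-keygen for the Text field: it removes the header and footer and checks that exactly one base64-encoded DER body remains. The sample block is a constructed minimal DER object, not a real certificate or key.

```python
"""Added example (not DDoS Protector code): strips PEM armor before a component is
pasted into the import Text field and sanity-checks what is left."""
import base64
import binascii
import re

ARMOR_RE = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")


def strip_pem_armor(text: str) -> str:
    """Return the base64 body of `text` with any PEM header/footer removed.

    Accepts text that is already armor-free.  Rejects more than one PEM block
    (import one component at a time), mismatched BEGIN/END labels, stray text,
    invalid base64, and a body that does not decode to an ASN.1 SEQUENCE
    (tag 0x30), which every X.509 certificate and PKCS key structure starts with.
    """
    body, label, blocks, in_block = [], None, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ARMOR_RE.match(line)
        if m and m.group(1) == "BEGIN":
            if in_block:
                raise ValueError("nested BEGIN line")
            in_block, label, blocks = True, m.group(2), blocks + 1
        elif m:
            if not in_block or m.group(2) != label:
                raise ValueError(f"END label {m.group(2)!r} does not match {label!r}")
            in_block = False
        elif in_block or blocks == 0:
            body.append(line)
        else:
            raise ValueError(f"unexpected text after END: {line[:20]!r}")
    if in_block:
        raise ValueError("missing END line")
    if blocks > 1:
        raise ValueError(f"{blocks} PEM blocks found; import one component at a time")
    b64 = "".join(body)
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not an ASN.1 SEQUENCE (DER)")
    return b64


# Constructed sample: the smallest DER SEQUENCE (30 03 02 01 05, SEQUENCE { INTEGER 5 })
# wrapped in the armor the guide says must be removed.  Not a real certificate.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MAMCAQU=
-----END PUBLIC KEY-----
"""
```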

To import a PKI component:

1. Select Security > Certificates > Export.
2. Configure the parameters, and click Import.

Parameter Description

Name: The name of the component.

Type: Values:
    • Key
    • Certificate
    • Certificate and Key
    • Intermediate CA Certificate
    • Certificate of Client CA
    • SSH Public Key

Format: (Read-only) The format for the specified Type.

Passphrase: The password (the same that you use to export the key from the Web Server).

Text: The certificate text, which you can enter.

Certificate File: Browse to the certificate file to import.

Certificate Default Values

The certificate is a digitally signed indicator that identifies the server or user. It is usually
provided in the form of an electronic key or value. You can set the default values to your
specifications.

To configure default values for certificates:

1. Select Security > Certificates > Default Values.
2. Configure the parameters, and click Set.

Parameter Description

Certificate Common: The domain name of the organization. For example,
    www.checkpoint.com

Certificate Locality: The name of the city.

Certificate State Or Province: The state or province.

Certificate Organization: The name of the organization.

Certificate Organization Unit: The department/unit within the organization.

Certificate Country Name: The country of residence.

Certificate Email: The default email address for the organization.

CHAPTER 8

Classes
In This Section:
Modify (page 222)
View Active (page 232)
Activate Latest Changes (page 233)

Modify
Modify Networks
You can view active networks, as well as configure new ones. You can define networks that are
used by the appliance (active) and you can define networks that are kept in a separate database
until they are required (inactive).
You can add, modify and delete these networks according to your requirements.
A network class is identified by a name and defined by a network address and mask, or by a range
of IP addresses (from-to). For example, network net1 can be 10.0.0.0/255.0.0.0 and network net2
can be from 10.1.1.1 to 10.1.1.7; alternatively, network net1 can be 1234::0/32 and network net2
can be from 1234::0 to 1234:FFFF:FFFF:FFFF. The Network list allows either configuration.
Using classes enables you to define a network comprised of multiple subnets and/or IP ranges, all
identified with the same class name. For example, network net1 can be 10.0.0.0/255.255.255.0 and
10.1.1.1 to 10.1.1.7.
You can use network classes in the following:
• Black lists
• White lists
• Network-protection policies to match source or destination traffic

To configure a network class:

1. Select Classes > Modify Networks.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Parameter Description

Name: The name of the network class.
    The network name is case-sensitive.
    The network name cannot be an IP address.

Sub Index: When you define multiple network classes with the same name,
    you must assign each instance a different sub-index number.
    The numbers do not need to be sequential or in order.

Address: The network address.
    (For an IP Mask entry only)

Mask: The mask of the subnet, which you can enter in either of the
    following ways:
    • A subnet mask in dotted decimal notation, for example,
      255.0.0.0 or 255.255.0.0.
    • An IP prefix, that is, the number of mask bits, for example,
      8 or 16.
    (For an IP Mask entry only)

From IP: The first IP address in the range.
    (For an IP Range entry only)

To IP: The last IP address in the range.
    (For an IP Range entry only)

Mode: Specifies whether the network is defined by a subnet and mask,
    or by an IP range.
    Values: IP Mask, IP Range

Modify Services
Basic Filters
Use Services to filter traffic. Services classify traffic based on criteria for Layers 3 to 7. A Service is
a configuration of a basic filter, which may combine with logical operators to achieve more
sophisticated filters (AND Group filters and OR Group filters). DDoS Protector supports a long list
of predefined basic filters. A basic filter includes attributes that specify parameters such as
protocol, application port, and content type. When the protocol of a basic filter is TCP or UDP, the
filter can include a text string.
A basic filter includes the following components:
• Protocol: The specific protocol that the packet should carry. The choices are IP, TCP, UDP,
  ICMP, ICMPV6, and SCTP. If the specified protocol is IP, all IP packets (including TCP and UDP)
  will be considered.
  When configuring TCP or UDP, the following additional parameters are available:
  • Destination Port (From-To): Destination port number for that protocol. For example, for
    HTTP, the protocol would be configured as TCP and the destination port as 80. The port
    configuration can also allow for a range of ports to be configured.
  • Source Port (From-To): Similar to the destination port, the source port that a packet
    should carry in order to match the filter can be configured.
• Offset Mask Pattern Condition (OMPC): The OMPC is a means by which any bit pattern can
  be located for a match at any offset in the packet. This can aid in locating specific bits in the IP
  header, for example. TOS and DiffServ bits are perfect examples of where OMPCs can be
  useful. It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured,
  there should be an OMPC match in addition to a protocol (and source/destination port) match.
  In other words, if an OMPC is configured, the packet needs to match the configured protocol
  (and ports) and the OMPC.
• Content Specifications: When the protocol of a basic filter is TCP or UDP, you can search for
  any text string in the packet. Like OMPCs, a text pattern can be searched for at any offset in the
  packet. HTTP URLs are perfect examples of how a text search can help in classifying a session.
  You can choose from the many types of configurable content, for example, URL, hostname,
  HTTP header field, cookie, mail domain, mail subject, file type, regular expression, text, and so
  on.
  When the content type is URL, for example, the module assumes the session to be HTTP with a
  GET, HEAD, or POST method. The module searches the URL following the GET/HEAD/POST to
  find a match for the configured text. In this case, the configured offset is meaningless, since
  the GET/HEAD/POST is in a fixed location in the HTTP header. If the content type is text, the
  module searches the entire packet for the content text, starting at the configured offset.
  By allowing a filter to take actual content of a packet/session into account, the module can
  recognize and classify a wider array of packets and sessions.
  Like OMPCs, Content Rules are not mandatory to configure. However, when a Content Rule
  exists in the filter, the packet needs to match the configured protocol (and ports), the OMPC (if
  one exists) and the Content Rule.
Note: If you edit the parameters of a filter that is bound to an existing policy, you must
activate the latest changes.

To configure a basic filter:

1. Select Classes > Modify > Services > Basic Filters.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Parameter Description

Name: The name of the filter.

Protocol: Values:
    • IP
    • TCP
    • UDP
    • ICMP
    • NonIP
    • ICMPV6
    • SCTP
    Default: IP
    Note: Do not choose the NonIP option. It produces unexpected results.

Source App. Port: The Layer-4 source port or source-port range for TCP, UDP, or SCTP
    traffic.
    Values: A value in the range 0 to 65,535; a value range (for example, 30 to
    400) whose To value is greater than the Source Port Range From value; or one of
    dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn,
    my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell,
    rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp

Destination App. Port: The Layer-4 destination port or destination-port range for TCP, UDP,
    or SCTP traffic.
    Values: A value in the range 0 to 65,535; a value range (for example, 30 to
    400) whose To value is greater than the Destination Port Range From value; or
    one of dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s,
    msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell,
    rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp

OMPC Offset: The location in the packet where the data starts being checked for
    specific bits in the IP or TCP header.
    Values: 0 to 1513
    Default: 0

OMPC Offset Relative To: Specifies to which OMPC offset the selected offset is relative.
    Values:
    • None
    • IPv4 Header
    • IPv6 Header
    • IP Data
    • L4 Data
    • ASN1
    • Ethernet
    • L4 Header
    Default: None

OMPC Mask: The mask for OMPC data. The value must be defined according to the
    OMPC Length parameter.
    Values: Must comprise eight hexadecimal symbols
    Default: 00000000

OMPC Pattern: The fixed-size pattern within the packet that the OMPC rule attempts
    to find. The value must be defined according to the OMPC Length
    parameter. The OMPC Pattern must contain eight hexadecimal
    symbols. If the value for the OMPC Length parameter is smaller than
    Four Bytes, you need to pad the OMPC Pattern with zeros. For
    example, if OMPC Length is Two Bytes, the OMPC Pattern can be
    abcd0000.
    Values: Must comprise eight hexadecimal symbols
    Default: 00000000

OMPC Condition: Values:
    • None
    • Equal
    • Not Equal
    • Greater Than
    • Less Than
    Default: None

OMPC Length: Values:
    • None
    • One Byte
    • Two Bytes
    • Three Bytes
    • Four Bytes
    Default: None

Content Offset: The location in the packet at which the checking of content starts.
    Values: 0 to 1513
    Default: 0

Distance: A range that defines the allowed distance between two content
    characters. If the distance is beyond the specified range, it is
    recognized as an attack.

Content: The value of the content search.
    Values: printable ASCII characters, that is, the space character and
    ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @
    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ `
    a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~

Content Type: The specific content type to search for.
    Values:
    • None
    • URL: A URL in the HTTP request URI.
    • Text: Text anywhere in the packet.
    • Hostname: A hostname in the HTTP header. The host names in
      the Hostname List of an L7 Policy are not algorithmically related to
      a host name configured for a basic filter.
    • Header Field: A header field in the HTTP header.
    • Expression: Text anywhere in the packet represented by a
      regular expression specified in the Content field.
    • Mail Domain: The Mail Domain in the SMTP header.
    • Mail To: The Mail To SMTP header.
    • Mail From: The Mail From SMTP header.
    • Mail Subject: The Mail Subject SMTP header.
    • File Type: The type of the requested file in the HTTP GET
      command (for example, JPG, EXE, and so on).
    • Cookie: The HTTP cookie field. The Content field includes the
      cookie name, and the Content Data field includes the cookie value.
    • Normalized URL: A normalized URL in the HTTP request URI.
    • POP3 User: The POP3 User field in the POP3 header.
    • URI Length: Filters according to URI length.
    • FTP Command: Parses FTP commands into commands and
      arguments, while normalizing FTP packets and stripping Telnet
      opcodes.
    • FTP Content: Scans the data transmitted using FTP, normalizes
      FTP packets and strips Telnet opcodes.
    • Generic Url: The generic URL in the HTTP Request URI. No
      normalization procedures are taken. GET/HEAD/POST is not
      required when this type is selected. This is applicable for protocols
      like SIP, BitTorrent, and so on.
    • Generic Header: In the HTTP Request URI. No normalization
      procedures are taken. GET/HEAD/POST is not required when this
      type is selected. This is applicable for protocols like SIP,
      BitTorrent, and so on.
    • Generic Cookie: In the HTTP Request URI. No normalization
      procedures are taken. GET/HEAD/POST is not required when this
      type is selected. This is applicable for protocols like SIP,
      BitTorrent, and so on.
    Default: None

Content End Offset: The location in the packet at which the checking of content ends.
    Values: 0 to 1513
    Default: 0

Content Data: Refers to the search for the content within the packet.

Content Coding: The encoding type of the content to search for (as specified in the
    Content field).
    Values:
    • None
    • Case Insensitive
    • Case Sensitive
    • HEX
    • International
    Default: None
    The value of this field corresponds to the Content Type parameter.

Content Data Coding: The encoding type of the content data to search for (as specified in the
    Content Data field).
    Values:
    • None
    • Case Insensitive
    • Case Sensitive
    • HEX
    • International
    Default: None
    The value of this field corresponds to the Content Type parameter.

Description: A description of the filter.

Session Type: The specific session type to search for.
    Values: None, Ftp Control, Ftp Data, Ftp All, Tftp Control, Tftp Data,
    Tftp All, Rshell Control, Rshell Data, Rshell All, Rexec Control, Rexec
    Errors, Rexec All, H225 Control, H245 session, H225 All, SIP Signal,
    SIP Media Control, SIP Audio, SIP All
    Default: None

Session Type Direction: The specific direction of the specified session type to search for.
    Values: All, Request, Reply
    Default: None

AND Groups
An AND Group filter is a combination of basic filters with a logical AND between them.
For example, the basic filters F1, F2, and F3 have been individually configured, and filter AF1 is
user-defined as AF1 = {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must
match all three filters (F1, F2, and F3).
You cannot modify or delete predefined AND Groups.
If you edit the parameters of an AND group that is bound to an existing policy, you must
activate the latest changes.

To configure an AND group:

1. Select Classes > Modify Services > AND Group.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Parameter Description

AND Group Name: The name of the AND Group.

Basic Filter Name: The basic filter for this AND Group.

OR Groups
An OR Group Filter is a combination of basic filters and/or AND filters with a logical OR between
them. DDoS Protector supports a set of predefined, static OR Groups. The predefined OR Groups
are based on the predefined basic filters.
For example, the basic filters F1, F2, and F3 have been individually configured, and filter AF1 is
user-defined as AF1 = {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must
match all three filters (F1, F2, and F3). Filter FG1 is user-defined as FG1 = {AF1 OR F4 OR F6}.
In order for a packet to match FG1, the packet must match either filter AF1, basic filter F4, or
basic filter F6.
You cannot modify or delete predefined OR Groups.
If you edit the parameters of an OR group that is bound to an existing policy, you must
activate the latest changes.
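The basic-filter components described under Basic Filters (protocol, port ranges, OMPC and Text content) together with the AF1 / FG1 AND Group and OR Group composition above, as an added Python example that is not DDoS Protector code. The frame builder, the assumed untagged Eth II / IPv4 header layout, the subset of OMPC bases implemented and all filter values are constructed for illustration; F2 is an OMPC on the IPv4 TOS byte, the DiffServ use case the text mentions.

```python
"""Added example (not DDoS Protector code): evaluates the basic-filter semantics
described in Basic Filters (protocol, port ranges, OMPC, Text content) over a raw
frame and composes filters into AND Groups and OR Groups (AF1 = F1 AND F2 AND F3,
FG1 = AF1 OR F4 OR F6).  Assumes an untagged Ethernet II frame carrying IPv4."""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1}   # "IP" matches every IP packet
LENGTH_BYTES = {"None": 0, "One Byte": 1, "Two Bytes": 2, "Three Bytes": 3, "Four Bytes": 4}

class Packet:
    """Minimal header walker for Ethernet/IPv4/{TCP,UDP,ICMP}."""
    def __init__(self, raw: bytes) -> None:
        self.raw, self.ip_off = raw, 14
        self.proto = raw[self.ip_off + 9]
        self.l4_off = self.ip_off + (raw[self.ip_off] & 0x0F) * 4
        l4_len = (raw[self.l4_off + 12] >> 4) * 4 if self.proto == 6 else 8 if self.proto == 17 else 0
        self.l4_data_off = self.l4_off + l4_len

    def ports(self) -> tuple[int, int] | None:
        return struct.unpack_from("!HH", self.raw, self.l4_off) if self.proto in (6, 17) else None

@dataclass
class OMPC:
    offset: int = 0
    relative_to: str = "None"   # None | Ethernet | IPv4 Header | L4 Header | L4 Data
    mask: str = "00000000"      # eight hex symbols
    pattern: str = "00000000"   # eight hex symbols, zero-padded beyond OMPC Length
    condition: str = "None"     # None | Equal | Not Equal | Greater Than | Less Than
    length: str = "None"        # None | One Byte | Two Bytes | Three Bytes | Four Bytes

def ompc_matches(o: OMPC, p: Packet) -> bool:
    n = LENGTH_BYTES[o.length]
    if o.condition == "None" or n == 0:
        return True                                  # no OMPC configured
    if len(o.mask) != 8 or len(o.pattern) != 8:
        raise ValueError("OMPC Mask and OMPC Pattern must be eight hexadecimal symbols")
    base = {"None": 0, "Ethernet": 0, "IPv4 Header": p.ip_off,
            "L4 Header": p.l4_off, "L4 Data": p.l4_data_off}[o.relative_to]
    start = base + o.offset
    if start + n > len(p.raw):
        return False                                 # field lies beyond the packet
    value = int.from_bytes(p.raw[start:start + n], "big") & int(o.mask[:2 * n], 16)
    pattern = int(o.pattern[:2 * n], 16)             # trailing padding zeros ignored
    return {"Equal": value == pattern, "Not Equal": value != pattern,
            "Greater Than": value > pattern, "Less Than": value < pattern}[o.condition]

@dataclass
class BasicFilter:
    name: str
    protocol: str = "IP"
    src_port: tuple[int, int] | None = None      # (From, To)
    dst_port: tuple[int, int] | None = None
    ompc: OMPC = field(default_factory=OMPC)
    content: bytes = b""                         # Content Type "Text"
    content_offset: int = 0

@dataclass
class Group:
    """AND Group (members are basic filters) or OR Group (basic filters / AND Groups)."""
    name: str
    op: str                                      # "AND" | "OR"
    members: list

def matches(flt, p: Packet) -> bool:
    if isinstance(flt, Group):
        combine = all if flt.op == "AND" else any
        return combine(matches(m, p) for m in flt.members)
    if flt.protocol != "IP" and p.proto != PROTO_NUM[flt.protocol]:
        return False
    if flt.src_port or flt.dst_port:
        ports = p.ports()
        if ports is None:
            return False                             # ICMP etc. carry no ports
        for want, have in ((flt.src_port, ports[0]), (flt.dst_port, ports[1])):
            if want and not want[0] <= have <= want[1]:
                return False
    if not ompc_matches(flt.ompc, p):
        return False
    # Text content is searched through the whole packet from Content Offset onward.
    return not flt.content or p.raw.find(flt.content, flt.content_offset) >= 0

def build_packet(proto: int, sport: int, dport: int, tos: int, payload: bytes) -> Packet:
    """Constructed frame with only the fields the filters inspect filled in."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 0, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 0, 0)    # ICMP echo request header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return Packet(b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload)

# Constructed filters mirroring the guide's AF1 / FG1 example; F2 checks the DSCP bits
# of the IPv4 TOS byte for Expedited Forwarding (0xB8 under mask 0xFC).
F1 = BasicFilter("F1", "TCP", dst_port=(80, 80))
F2 = BasicFilter("F2", "IP", ompc=OMPC(offset=1, relative_to="IPv4 Header", mask="FC000000",
                                       pattern="B8000000", condition="Equal", length="One Byte"))
F3 = BasicFilter("F3", "TCP", content=b"GET /")
F4 = BasicFilter("F4", "UDP", dst_port=(53, 53))
F6 = BasicFilter("F6", "ICMP")
AF1 = Group("AF1", "AND", [F1, F2, F3])
FG1 = Group("FG1", "OR", [AF1, F4, F6])
```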

To add a new OR group:

1. Select Classes > Modify Services > OR Groups.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Parameter Description

OR Group Name: The name of the OR Group.

Filter Name: The filter for this OR Group, which can be a Basic filter or an AND Group.

Filter Type: Values:
    • Static: The OR Group is predefined.
    • Regular: The OR Group is user-defined.

Modify Application Port Groups

Application classes are groups of Layer-4 ports for UDP and TCP traffic. Each class is identified by
its unique name, and you can define multiple Layer-4 ports in a single class. You cannot modify
the predefined application classes for standard applications; however, you can add entries for the
class. You can add and modify user-defined classes in the Application Port Group table.

To configure the application port group parameters:

1. Select Classes > Modify > Appl. Port Groups.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Parameter Description

Name: The name of the Application Port Group.
    To associate a number of ranges with the same port group, use the same name
    for all the ranges that you want to include in the group. Each range appears as
    a separate row with the same name in the Application Port Group table.

From Port: The first port in the range.

To Port: The last port in the range. To define a group with a single port, set the same
    value for the From Port and To Port fields.

Modify Physical Port Groups

You can define network segments using definitions of physical ports. Use physical port classes to
classify traffic according to physical ports in security policies.

To configure a physical port group:

1. Select Classes > Modify > Port Groups.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Parameter Description

Group Name: The name of the Port Group.

Inbound Port: The inbound port associated with the Port Group.

Modify VLAN Tag Groups

You can define network segments using VLAN tags. Use VLAN tag classes (groups) to classify
traffic according to VLAN tags in security policies.
Each DDoS Protector appliance supports a maximum of 64 VLAN Tag groups. Each VLAN Tag group
can contain a maximum of 32 discrete tags and 32 ranges. That is, in effect, each managed appliance
supports up to 64² definitions.

To configure a VLAN tag class:

1. Select Classes > Modify > VLAN Tag Groups.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Parameter Description

Group Name: The name of the VLAN tag group.

VLAN Tag: The VLAN tag number.
    (For Discrete mode only)

VLAN Tag From: The first VLAN tag in the range.
    (For Range mode only)
    You cannot modify this field after creating the VLAN group.

VLAN Tag To: The last VLAN tag in the range.
    (For Range mode only)

Group Mode: The VLAN mode.
    Values:
    • Discrete: An individual VLAN tag, as defined in the interface
      parameters of the appliance.
    • Range: A group of sequential VLAN tag numbers, as defined
      in the interface parameters of the appliance.

Modify MAC Groups

MAC groups identify traffic whose source or destination is a transparent network appliance.

To configure a MAC address class:

1. Select Classes > Modify MAC Groups.
   • To add an entry, click Create.
   • To edit an entry, click the entry link in the table.
2. Configure the parameters, and click Set.

Parameter Description

Group Name: The name of the MAC address group.

MAC Address: The MAC address associated with the group.

View Active
View Active Networks
You can view the active network classes that are configured on the appliance.

To view the active network class configuration:


Select Classes > View Active > Networks.

View Active Services

Basic Filters (on page 223) each protect against a specific attack: every Basic Filter carries one attack signature together with its protection parameters.

To show the parameters of a Basic Filter:

1. Select Classes > View Active > Services > Basic Filters.
2. Select the name of the filter whose parameters you want to view.

An AND Group (on page 229) represents a logical AND between two or more Basic Filters. Some attacks have a complex signature made up of several patterns and content strings, and protecting against them requires more than one Basic Filter. AND Groups can be built from user-defined Basic Filters only.

To show the parameters of an AND Group:

1. Select Classes > View Active > Services > AND Groups.
2. Select the name of the group whose parameters you want to view.

An OR Group (on page 229) represents a logical OR between two or more Basic Filters or AND Groups.

To show the active OR Group table:

1. Select Classes > View Active > Services > OR Groups.
2. Select the name of the group whose parameters you want to view.
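The Basic Filter / AND Group / OR Group hierarchy described above, modelled as an added example that is not part of this guide or of the appliance: the class names, the packet layout and the sample signature are constructed, and the model enforces the two rules stated here (a group needs at least two members, and an AND Group accepts user-defined Basic Filters only).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Union
# Constructed model of the Basic Filter / AND Group / OR Group hierarchy described
# above. Class names, the packet layout and the sample signature are hypothetical,
# not the appliance's own data structures or filters.
Packet = Dict[str, object]  # e.g. {"dst_port": 80, "payload": b"GET /login ..."}

@dataclass
class BasicFilter:  # one signature element: a single pattern or content-string check
    name: str
    predicate: Callable[[Packet], bool]
    user_defined: bool = True  # predefined filters may not be used in an AND Group

    def matches(self, pkt: Packet) -> bool:
        return self.predicate(pkt)

@dataclass
class AndGroup:  # logical AND of two or more user-defined Basic Filters
    name: str
    members: List[BasicFilter]

    def __post_init__(self) -> None:
        if len(self.members) < 2:
            raise ValueError(f"{self.name}: an AND Group needs two or more Basic Filters")
        for f in self.members:
            if not f.user_defined:
                raise ValueError(f"{self.name}: {f.name} is not a user-defined Basic Filter")

    def matches(self, pkt: Packet) -> bool:
        return all(f.matches(pkt) for f in self.members)

@dataclass
class OrGroup:  # logical OR of two or more Basic Filters and/or AND Groups
    name: str
    members: List[Union[BasicFilter, AndGroup]]

    def __post_init__(self) -> None:
        if len(self.members) < 2:
            raise ValueError(f"{self.name}: an OR Group needs two or more members")

    def matches(self, pkt: Packet) -> bool:
        return any(m.matches(pkt) for m in self.members)

def example_policy() -> OrGroup:
    # Constructed two-part signature: (HTTP port AND login path) OR DNS port.
    http_port = BasicFilter("http_port", lambda p: p["dst_port"] == 80)
    login_path = BasicFilter("login_path", lambda p: b"GET /login" in p["payload"])
    dns_port = BasicFilter("dns_port", lambda p: p["dst_port"] == 53)
    return OrGroup("web_or_dns", [AndGroup("http_login", [http_port, login_path]), dns_port])
```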

View Active Application Port Groups

You can view the active Application Port Group classes that are configured on the appliance.

To view the active application port groups:

Select Classes > View Active > Appl. Port Groups.

View Active Physical Port Groups

You can view the active Physical Port Group classes that are configured on the appliance.

To view the active physical port groups:

Select Classes > View Active > Port Groups.


View Active VLAN Tag Groups


You can view the active VLAN Tag Group classes that are configured on the appliance.

To view the active VLAN tag groups:


Select Classes > View Active > VLAN Tag Groups.

View Active MAC Groups


You can view the active MAC Group classes that are configured on the appliance.

To view the active MAC groups:


Select Classes > View Active > MAC Groups.

Activate Latest Changes

Use the Activate Latest Changes pane to activate all the latest changes made to the configuration of the appliance.

To activate the latest policy changes:

1. Select Classes > Update Policies.
2. Click Set.

CHAPTER 9

Performance
In This Section:
Element Statistics.......................................................................................................234

Element Statistics
IP Packet Statistics
To show the IP packet statistics:
Select Performance > Element Statistics > IP.

Parameter Description

IP Receivers: The total number of input datagrams received from interfaces, including those received in error.

IP Header Errors: The number of input datagrams discarded because of errors in their IP headers, including bad checksums, version number mismatches, other format errors, time-to-live exceeded, errors discovered in processing their options, and so on.

IP Discarded: The total number of input datagrams discarded. Note: This counter does not include any datagrams discarded while awaiting reassembly.

IP Successfully Delivered: The total number of input datagrams successfully delivered to IP user protocols (including ICMP).

IP Out Requests: The total number of IP datagrams that local IP user protocols (including ICMP) supplied to IP in requests for transmission.

IP Out Discards: The total number of IP datagrams that local IP user protocols (including ICMP) supplied to IP in requests for transmission.
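The IP element statistics above are cumulative counters, so monitoring them means polling twice and working with the difference. The following is an added example, not part of this guide: it takes two constructed polls with the counter names listed above, corrects for a 32-bit counter wrapping to zero between polls, and raises illustrative findings on the header-error ratio and the discard rate (the values, interval and thresholds are made up).

```python
from typing import Dict, List

# Constructed example: two successive polls of the IP element statistics listed
# above. Counter names follow the guide; values, interval and thresholds are made up.
COUNTER32 = 2 ** 32  # RFC 1213 ip-group counters are 32-bit and wrap to zero

PREV = {"IP Receivers": 4_294_960_000, "IP Header Errors": 1_200,
        "IP Discarded": 300, "IP Successfully Delivered": 4_294_955_000}
CUR = {"IP Receivers": 20_000, "IP Header Errors": 1_500,  # IP Receivers has wrapped
       "IP Discarded": 310, "IP Successfully Delivered": 10_000}
INTERVAL_S = 60.0


def counter_delta(old: int, new: int) -> int:
    """Growth of a Counter32 between two polls, allowing for one wraparound."""
    return new - old if new >= old else new + COUNTER32 - old


def rates(prev: Dict[str, int], cur: Dict[str, int], interval_s: float) -> Dict[str, float]:
    """Per-second growth of each counter over the polling interval."""
    return {name: counter_delta(prev[name], cur[name]) / interval_s for name in cur}


def header_error_ratio(prev: Dict[str, int], cur: Dict[str, int]) -> float:
    """Fraction of newly received datagrams that were discarded for IP header errors."""
    received = counter_delta(prev["IP Receivers"], cur["IP Receivers"])
    errors = counter_delta(prev["IP Header Errors"], cur["IP Header Errors"])
    return errors / received if received else 0.0


def assess(prev: Dict[str, int], cur: Dict[str, int], interval_s: float,
           max_error_ratio: float = 0.01, max_discard_pps: float = 10.0) -> List[str]:
    """Findings worth raising from two polls; the thresholds are illustrative only."""
    findings: List[str] = []
    ratio = header_error_ratio(prev, cur)
    if ratio > max_error_ratio:
        findings.append(f"IP Header Errors are {ratio:.2%} of received datagrams")
    discard_pps = rates(prev, cur, interval_s)["IP Discarded"]
    if discard_pps > max_discard_pps:
        findings.append(f"IP Discarded growing at {discard_pps:.1f}/s")
    return findings


if __name__ == "__main__":
    for finding in assess(PREV, CUR, INTERVAL_S):
        print(finding)
```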

SNMP
To show the SNMP element statistics:
Select Performance > Element Statistics > SNMP.

Parameter Description

SNMP Received Packets: The total number of messages delivered to the SNMP entity from the transport service.

SNMP Sent Packets: The total number of SNMP messages that were passed from the SNMP protocol entity to the transport service.

SNMP successful 'Get' requests: The total number of MIB objects that have been retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP Get-Request and Get-Next PDUs.

SNMP successful 'Set' requests: The total number of MIB objects that have been altered successfully by the SNMP protocol entity as the result of receiving valid SNMP Set-Request PDUs.

SNMP 'get' requests: The total number of SNMP Get-Request PDUs that have been accepted and processed by the SNMP protocol entity.

SNMP 'get-next' requests: The total number of SNMP Get-Next PDUs that have been accepted and processed by the SNMP protocol entity.

SNMP 'set' requests: The total number of SNMP Set-Request PDUs that have been accepted and processed by the SNMP protocol entity.

SNMP Out TooBig: The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is tooBig.

SNMP Out NoSuchName: The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is noSuchName.

SNMP Out BadValue: The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is badValue.

SNMP Out GenErrs: The total number of SNMP PDUs that were generated by the SNMP protocol entity and for which the value of the error-status field is genErr.

SNMP Out Get-Responses: The total number of SNMP Get-Response PDUs that have been generated by the SNMP protocol entity.

SNMP Out Traps: The total number of SNMP Trap PDUs that have been generated by the SNMP protocol entity.


IP Router
To show the IP router element statistics:
Select Performance > Element Statistics > IP Router.

Parameter Description

IP Forwarded: The number of input datagrams for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities that do not act as IP gateways, this counter includes only those packets that were source-routed via this entity and whose Source-Route option processing was successful.

IP Unknown Protocol: The number of locally addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.

IP Out No Routes: The number of IP datagrams discarded because no route could be found to transmit them to their destination. Note: This counter includes any packets counted in ipForwDatagrams that meet this "no-route" criterion. It also includes any datagrams that a host cannot route because all of its default gateways are down.

IP Fragments Received: The number of IP fragments received that needed to be reassembled at this entity.

IP Fragments successfully reassembled: The number of IP datagrams successfully reassembled.

IP Fragments failed reassembly: The number of failures detected by the IP reassembly algorithm (for whatever reason: timed out, errors, and so on). Note: This is not necessarily a count of discarded IP fragments, since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.

IP datagrams successfully fragmented: The number of IP datagrams that have been successfully fragmented at this entity.

IP datagrams discarded (failed fragmentation): The number of IP datagrams that have been discarded because they needed to be fragmented at this entity but could not be, e.g., because their Don't Fragment flag was set.

IP datagram fragments generated: The number of IP datagram fragments that have been generated as a result of fragmentation at this entity.

Valid routing entries discarded: N/A
Accelerator Utilization
Use the Accelerator Utilization pane to show statistics for each accelerator.

To show the accelerator utilization:


Select Performance > Element Statistics > Accelerator.

Parameter Description

Accelerator: The name of the accelerator. The accelerator named Flow_Accelerator_0 is one logical accelerator that uses several CPU cores. The accelerator named HW Classifier is the string-matching engine (SME).

CPU: The CPU number for the accelerator.

Forwarding: The percentage of CPU cycles used for forwarding.

Other: The percentage of CPU resources used for other tasks, such as aging.

Idle: The percentage of free CPU resources.
