Beruflich Dokumente
Kultur Dokumente
7 July 2006
Table of Contents
Table of Contents
Chapter 1 - Introduction & Overview.............................. 1-1
Introduction ............................................................................. 1-2
Introducing CID ............................................................................. 1-3
CID Overview .......................................................................... 1-5
Content Management Load Balancing ......................................... 1-6
Flow Management ........................................................................ 1-9
Special Protocol Treatment ........................................................ 1-11
Technical Description ................................................................. 1-15
Index...................................................................................... 1
Table of Figures
Figure 1-1 CID Content Load Balancing .............................................. 1-6
Figure 1-2 Flow Management ............................................................. 1-9
Figure 1-3 RADIUS Based Classification........................................... 1-12
Figure 2-1 FTP Proxy Content Management Configuration............... 2-55
Figure 3-1 Transparent CIDs in VLAN ............................................... 3-12
Figure 3-2 VLAN Tagging Example ................................................... 3-19
Figure 4-1 Farm Policy Components ................................................... 4-3
Figure 4-2 URL Table Based Server Direction Configuration ............ 4-12
Figure 4-3 Client Table Configuration ................................................ 4-38
Figure 4-4 CID with Transparent Content Servers............................. 4-45
Figure 4-5 Caching Example.............................................................. 4-54
Figure 4-6 Proxy and Non-Proxy GET Request................................. 4-59
Figure 4-7 CID with Transparent Servers in VLAN Environment ....... 4-61
Figure 4-8 P2P/Kazaa Caching.......................................................... 4-69
Figure 4-9 Local Triangulation Network Setup................................... 4-78
Figure 4-10 Local Triangulation with Returned Cache Pages............ 4-81
Figure 4-11 CID NAT Operation......................................................... 4-91
Figure 4-12 Server Based NAT Configuration ................................... 4-95
Figure 4-13 NAT to Remote Servers................................................ 4-101
Figure 4-14 Farm Based NAT Configuration.................................... 4-106
Figure 5-1 Clients from Networks A & B .............................................. 5-3
Figure 5-2 Network A Client Redirection.............................................. 5-4
Important Notice
This guide is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2006 All rights reserved.
The copyright and all other intellectual property rights and trade secrets
included in this guide are owned by Radware Ltd.
The guide is provided to Radware customers for the sole purpose of obtaining
information with respect to the installation and use of the Content Inspection
Director (CID), and may not be used for any other purpose.
The information contained in this guide is proprietary to Radware and must be
kept in strict confidence.
It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any
part thereof without the prior written consent of Radware.
Safety Instructions
CAUTION
Due to the risks of electrical shock, and energy, mechanical, and fire hazards,
any procedures that involve opening panels or changing components must be
performed by qualified service personnel only.
To reduce the risk of fire and electrical shock, disconnect the device from the
power line before removing cover or panels.
SERVICING
Do not perform any servicing other than that contained in the operating
instructions unless you are qualified to do so. There are no serviceable parts
inside the unit.
HIGH VOLTAGE
Any adjustment, maintenance, and repair of the opened instrument under
voltage should be avoided as much as possible and, when inevitable, should
be carried out only by a skilled person who is aware of the hazard involved.
Capacitors inside the instrument may still be charged even if the instrument
has been disconnected from its source of supply.
GROUNDING
Before connecting this device to the power line, the protective earth terminals
of this device must be connected to the protective conductor of the (mains)
power cord. The mains plug shall only be inserted in a socket outlet provided
with a protective earth contact.
Do not use an extension cord (power cable) without a protective conductor
(grounding).
FUSES
Ensure that only fuses with the required rated current and of the specified type
are used for replacement. The use of repaired fuses and the short-circuiting of
fuse holders must be avoided. Whenever it is likely that the protection offered
by fuses has been impaired, the instrument must be made inoperative and be
secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, ensure the voltage of the
power source matches the requirements of the instrument. Refer to the
Specifications for information about the correct power rating for the device.
TRADEMARKS
CID and Configware are trade names of Radware Ltd. This document contains
trademarks registered by their respective companies.
SPECIFICATION CHANGES
Note: Specifications are subject to change without notice.
Note: This equipment has been tested and found to comply with the limits for a
Class A digital device pursuant to Part 15 of the FCC Rules and EN55022
Class A, EN 50082-1 For CE MARK Compliance. These limits are designed to
provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. This equipment
generates, uses and can radiate radio frequency energy and, if not installed
and used in accordance with the instruction manual, may cause harmful
interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference in which case the user
will be required to correct the interference at his own expense.
CID
If you purchased this device, make note of the following additional instructions.
INSTALLATION CODES
This device must be installed according to country national electrical codes. For
North America, equipment must be installed in accordance to the US National
Electrical Code, Articles 110-16, 110-17, and 110-18 and the Canadian
Electrical Code, Section 12.
OVERCURRENT PROTECTION
A readily accessible listed branch-circuit over current protective device rated 15
A must be incorporated in the building wiring.
DC POWER CONNECTION
1. The equipment shall be connected directly to the DC Supply System
earthing electric conductor.
2. All equipment in the immediate vicinity shall be earthed in the same way,
and shall not be earthed elsewhere.The DC supply system is to be local, for
example within the same premises as the equipment.
3. There shall be no disconnect device between the earthed circuit conductor
of the DC source (return) and the point of connection of the earthing
electrode conductor
• Chapter 9 - Security
This chapter provides a general overview of the APSolute Insite Security
modules and the sub modules within as well as an explanation of the
signatures data base and Radware Security update service (SUS). Also
provided in this chapter is an explanation of the tuning process.
• Chapter 10 - Application Switching Platforms
This chapter provides an explanation of Radwares Application Swithching
Platforms, Device Interfaces, list of specifications, Serial Cable Pin
Assignment and a trouble shooting section
• Appendix A - Troubleshooting
This appendix provides troubleshooting solutions to some common CID
problems, and describes known CID limitations.
• Appendix B - Loopback Interfaces
This appendix describes the loopback alias setup for CID, according to the
operating system. Procedures are included for AIX, HP-UX, UNIX, Linux,
Solaris and Windows NT.
• Appendix C - Regular Expressions
This appendix provides an overview of the basic syntax of regular
expressions used in CID modules.
• Appendix D - Glossary and Abbreviations
The glossary provides explanations of common terms and concepts used in
network configurations.
• Index
Document Conventions
This guide uses the following documentation conventions:
• Command paths in the GUI are presented as: File > Save As.
• Windows systems use a two-button mouse. To drag and drop an object,
click and hold the left mouse button on the object, drag the object to the
target location, then release the button.
• Screen displays can differ slightly from those included in this guide,
depending on the system you use. For example, Microsoft Windows
screens are different from X-Windows screens.
• Various icons are used through the document to indicate the following:
Introducing CID
Radware’s Content Inspection Director (CID) is a smart Internet Traffic
Management (ITM) device that utilizes routing capabilities. The CID
transparently intercepts Internet-bound user traffic and intelligently load
balances the applicable traffic among the content servers.
CID is designed to fulfill the needs of large organizations that require
100% content inspection in conjunction with redundant high-speed
connectivity, but without performance degradation or downtime. To
prevent bottlenecks and single points-of-failure in the gateway content
inspection solution, CID uses load balancing mechanisms to manage
servers and server farms.
Distributing the inspection load across several content inspection
resources, greatly improves network performance and ensures Internet
connectivity uptime.
Separating the different protocols and file types into several content
inspection devices also speeds up the traffic. Features such as
ongoing health checks and transparent fail-over support, ensure that
the content inspection server is not a single point-of-failure and that its
resources are always optimized.
Using CID on your network you can achieve these benefits:
• Speed: Up to 500% increase in content inspection speed.
• Capacity: Increased capacity and volume of inspected traffic
through the aggregation of content inspection servers into farms.
• Secure Web Access: Secure web access with low latency while
maintaining the best content security possible. Web page content is
analyzed in real-time to prevent any malicious content or scripts
from entering the network. Areas that were traditionally considered
bottlenecks, are eliminated.
• Content Security: Improved content inspection speed and
elimination of malicious traffic is ensured by the distribution of
content based on IP protocols such as HTTP, FTP, SMTP and on
traffic file type.
• Scalability: Scalable architecture with Gigabit connectivity
accommodates the needs of high capacity networks. As the need
arises, additional content inspection servers can be added to the
existing content inspection architecture.
Load Balancing
CID includes several advanced load-balancing algorithms that
intelligently distribute traffic between Content Inspection devices.
Several flexible load-balancing algorithms are used for each server
farm. CID Provides the flexibility to utilize any set of these load
balancing techniques for each cluster of Content Inspection devices in
order to optimize traffic flow through the network.
CID allows you to set up heterogeneous server farms, that is farms that
utilize servers of varying performance and load capabilities. CID
intelligently redirects traffic among servers in a farm, based on each
server’s specific performance capabilities. This allows for additional
flexibility when expanding or reducing resources within a farm.
1 4 3 2
Properties:
• CID performs Load Balancing by selecting a server and then
redirecting the client request to the server which maintains client
server persistency.
• The selected server sends the clients request to the Internet which
maintains server site persistency.
• CID receives the reply from the Internet, and sends it to the
relevant server which maintains server site persistency.
• The server returns the reply to the client which maintains client
server persistency.
Server Types
CID supports the following server types:
• Gateway: Server that uses two interfaces.
• Transparent Server: Server that serves the clients transparently,
that is without changing the client’s request.
• Regular Server: Non-transparent server or proxy server.
• Cache Server: Cache server is a proxy server that stores-and-
forwards Web pages.
• Content Server: Other servers, such as anti-virus servers, URL
filtering servers and others which have the ability to check the
content up to Layer 7, search for a specific content and block it
(forbidden URLs, viruses and others).
Spoofing
Server Spoofing is a process of one device talking to another device
using the address of a third device. CID uses the Server Spoofing
capability to enable cache servers to retrieve pages on behalf of the
client with the client's source address.
Flow Management
CID Flow Management feature leverages the Farm Management
capability by sequentially load balancing several server farms, each
providing a different service. Traffic flow is designed for packets that
arrive from the client, are examined by CID, load balanced within a
farm, returned from the selected server to CID, examined again and
load balanced within a different farm, and so on.
The farm selection decision is based on the source IP and on the MAC
address. This way CID can distinguish between clients and servers,
even if the servers use spoofing.
Initially, farms and servers are configured then the policies handling the
different traffic classifications for this farm are defined. Adding farms to
a farm cluster element adds control to the distribution of traffic, by
matching the various polices to the correct farms, including sending the
traffic through multiple farms when a traffic condition meets those
predefined polices.
The example in Figure 1-2 illustrates the flow management concept.
1 8
2 3 4 5 6 7
Properties:
1. The Client sends a request to the Internet. The request packet is
intercepted by the CID.
2. CID redirects the packet to the URL farm which checks the
packet’s content.
3. The URL server returns the packet to the CID.
4. CID then sends the packet to the Cache server which checks the
content.
5. The Cache server returns the packet to the CID.
6. CID sends the packet to the Anti-Virus server which checks the
packet’s content.
7. The Anti-Virus server returns the packet back to the CID.
8. CID then sends the packet to the Internet through the Access
Router.
RADIUS Classification
The RADIUS service allows authenticating and storing of the account
information for network users. CID employs a special feature for the
RADIUS support, RADIUS Based Classification.
With RADIUS Based Classification, CID can provide service to clients,
based on a configured RADIUS profile. The RADIUS profile identifies
the user and allows CID to apply farm policies or cluster flow policies
according to the attributes that are defined in the RADIUS Policy Table.
This capability enables service providers and large networks to identify
dial-up and NATed users by authentication tokens and not by source IP
address. CID monitors the traffic and checks the RADIUS messages
for user privileges. According to this information, CID assigns clients to
networks that are added to the Network Table. The networks can then
be used when defining farm policies, flow clusters, BWM policies and
so on.
CID releases a client from the network table when the NAS (Network
Access Server) sends a RADIUS stop accounting message, or when
the IP address is assigned to a new user.
CID works with RADIUS in the following modes:
• Transparent Mode
In Transparent Mode, CID can be installed between the NAS and
the RADIUS server.
• Proxy Mode
In Proxy Mode, CID can be installed as RADIUS proxy.
Farm1 Farm2
RADIUS Server
Properties:
RADIUS based classification involves the following stages:
1. When the client initiates a dial-up session, the call (whether a
phone or a broadband call) is terminated by the NAS (Network
Access Server), which sends the client username and password to
the RADIUS Server.
POP3
CID supports interception and redirection of POP3 traffic destined to a
POP3 proxy server. POP3 sessions are transparently intercepted and
redirected to the servers. The sessions are intercepted and sent to the
IP address of the server, to open a POP3 session with the proxy agent
of the server. The client is unaware of the POP3 proxy server's
existence, and supposes that it is directly connected to the POP3 host
on the Internet. To provide POP3 support, CID transforms the client's
command
from: USER(user name)
to: USER(user_name#destination_IP)
This transformation allows the POP3 proxy to extract the destination
POP3 host and then to open the POP3 session to that host, on behalf
of the client. This is done transparently to the client or in the destination
IP address that is taken from Layer 3 information of the client request.
FTP
When deploying an FTP proxy server for FTP caching or FTP content
inspection, CID provides special treatment for these servers. CID
intercepts FTP sessions of non-configured client and load balances it
to the FTP proxy server farm. CID transforms the client’s command
from: username:password
to: username:password@destination_IP
This transformation allows the FTP proxy server to extract the original
destination FTP host and then to open the FTP session to that host, on
behalf of the client. This is process is transparent for the client.\
HTTP
When deploying non- transparent cache server (Proxy server), CID can
transform a regular HTTP request into a Proxy format
from: GET HTTP/1.1
to: GET HTTP://HOST/HTTP/1.0
where the host used is the host of the original request.
Technical Description
CID software is managed by a network interface and can run on one of
the following platforms:
• Application Switch 1
• Application Switch 2
• Application Switch 3
• Application Switch 4
• Application Switch 5
Network Management
CID can be managed through the following network interfaces:
• APSolute Insite (SNMP based GUI)
• Secure Web based management
• SSH II
• Telnet
• HP OpenView for Sun Solaris
• Command Line Interface
Note: For the detailed CID platform technical specifications and
physical specifications, please refer to the CID data sheet, through the
Radware Web site: http://www.radware.com/content/products/cid/
techspec
# Description Enable
0 IP Address
1 IP subnet mask
2 Port number
# Description Enable
3 Default router IP address
4 RIP version (0,1,2) [0]
5 Enable OSPF (y/n) [n]
6 OSPF area ID
7 User Name
8 User Password
9 Enable Web Access (y/n) [y]
13 SNMP Configuration
# Description Enable
0 Supported SNMP versions [1 2 3]
1 Community [Public]
# Description Enable
6 Authentication Password radware
4. Enter the number of the parameter for which you require to define
the information.
5. Enter the parameters configuration and click Enter. The value of
the parameter is displayed in the screen.
If you do not require to access this command line, the Startup
Configuration window is automatically displayed.
Note: This startup configuration window appears only when the
device has no previous configuration.
Notes:
• The device enters a default value for the parameters that are
incomplete, with the exception of the IP Address, which is
mandatory. A validity check of all the parameters is then performed.
• An initial default configuration is provided. When a device boots up
for the first time, if the Start-Up is not used for 30 seconds, and a
bootp server is not found within another 30 seconds, default
settings are assigned to the device. The initial default configuration
consists of a private IP Address (192.168.1.1), a subnet mask
(255.255.255.0) port 1, an NMS IP Address (0.0.0.0, allowing any
station to manage the device using SNMP), community string of
public, Telnet, SSH, SSL and WBM are enabled with a default user
of radware with password radware.
To reset the device via the Reset butto from the Device:
1. Press the reset button located on the front panel of the device.
Introducing Upgrades
You can upgrade all Radware devices to newer versions with a
straightforward FLASH process. Depending on the maintenance
contract, you may be eligible for new versions with new features or only
for the maintenance versions.
Performing the CID device upgrade involves two steps:
1. Save the current device configuration.
2. Upgrade the device software.
Radware releases the updated versions of CID software that can be
uploaded to your device.
You can upgrade a device using one of the following methods:
• APSolute Insite
• Web Based Management
A Device Upgrade enables the new features and functions on the
device without altering the existing configuration. In exceptional
circumstances, new firmware versions are incompatible with legacy
configuration files from earlier firmware versions. This most often
occurs when users attempt to upgrade from very old firmware to the
most recently available version.
New major firmware versions require a password. This password can
be obtained from the Radware corporate Web Site. You must obtain
this password before you load the upgrade file onto the Radware
device. If you do not supply the correct password during the upgrade
process, you cannot proceed. In case of a maintenance-only upgrade,
the password is not required.
The password is based on the firmware version file and on the Base
Mac Address of the CID unit.
Notes:
• Before upgrading to a newer software version, it is recommended
to save the existing configuration file.
• Before performing the upgrade process refer to the “Upgrading
Notes” from MRN and RN.
• When using mirroring, it is recommended to use the same CID
software version for the main and for the backup devices. It is
recommended to disable Mirroring on both the active device and
the backup device prior to the upgrading the device.Re-enabling
mirroring should be done only after both active and backup devices
have the same software version.
• When downgrading to a software version that does not support the
current license of the device, the license will be lost. Please contact
Radware's helpdesk for more information.
Product Version
CID 2.10
CSD 4.10
FP 3.21
LP 4.21
WSD 8.10
From these versions forward, the way in which flash memory space is
managed was changed to a File System mechanism. This allows for
the following:
• Use of compact flash in Application Switch 2, 3 and above.
• More flexible memory management
• Prevent boot version changes caused by different memory
allocation requirements (main reason for boot version changes).
• Security upgrades
• Two different software versions in the memory (only one may be
active) - with the possibility to change active version by toggling
between the two.
5. In the New Version text box, type the software version number as
specified in the new software documentation.
Note: If Enable New Version check box is selected (default) the
device operates according to the new version after the software
download process is complete, otherwise the device operates
according to the previous version.
6. Click Set. The status of the upload is displayed in the Progress
Status bar. You are prompted to restart the device.
Upgrading Licenses
You can upgrade software capabilities of CID by means of the licensing
mechanism, for example to add SynApps support. For Application
Switch 3, you can add support for the 10 Gigabit Ethernet Port using
the hardware licensing mechanism.
Note: For more information regarding obtaining licenses, please
contact the Radware Technical Support.
4. In the New Licence Code text box, type your new license code.
5. Click Ok. The Information box prompts you to reset the device in
order to validate the license.
6. Click Ok to perform the reset. The reset may take a few minutes.
A success message is displayed on completion.
5. Click Ok. The Information box prompts you to reset the device in
order to validate the license.
6. Click Ok to perform the reset. The reset may take a few minutes.
A success message is displayed on completion.
APSolute Insite
APSolute Insite is the main management interface for all Radware
devices. This application allows the system administrator to configure,
modify and manage all types of Radware devices in an enterprise
network. Rather than focusing on a single device, APSolute Insite
presents the entire network configuration in a graphical format, with
settings and configuration options organized in a logically related
manner.
Notes:
• For further information regarding APSolute Insite, refer to the
APSolute Insite User Guide.
• For an explanation of how to access statistics about device
performance, and how to work with statistical graphs, refer to the
APSolute Insite User Guide.
Make sure to enable DNS and set DNS servers appropriately, using the
services DNS client commands. The DNS client also enables using
host names rather than IP addresses in commands such as trace-
route, ping, telnet, and so on. The DNS client is configurable also from
APSolute Insite.
Notes:
• For description of the DNS Client, refer to page 2-79.
• For more information concerning CLI commands, refer to the
Radware CLI Reference Manual.
Management Ports
Access to any of the devices can be limited to specified physical
interfaces. Interfaces connected to insecure segments of a network can
be configured to discard some or all kinds of management traffic
directed at the device itself. Administrators may wish to allow certain
types of management traffic to a Radware device, such as SSH, while
denying others (such as SNMP or Telnet). If an intruder attempts to
access the device through a disabled port, the Radware unit does not
allow access and generates syslog and CLI traps as notification.
Users Table
You can create a list of personnel authorized to access the device.
Entries in this table allow access to the Radware device through any
enabled access method (Web, Telnet, SSH, SWBM). When Trace
Status is enabled, users can receive e-mail notifications of changes
made to the device.
Configuring SNMP
The Simple Network Management Protocol (SNMP) is an application
layer protocol that facilitates the exchange of management information
between network devices. SNMP is a part of the Transmission Control
Protocol/Internet Protocol (TCP/IP) protocol suite. Radware devices
work with the following versions of SNMP: SNMPv1, SNMPv2 and
SNMPv3.
Network management systems contain two primary elements:
managers and agents. The Manager is the console through which the
network administrator performs network management functions.
Agents are the entities that interface to the actual device being
managed allowing changing or retrieving objects in the device.These
objects are arranged in what is referred to as management information
base (MIB). SNMP is the protocol that allows managers and agents to
communicate for the purpose of accessing these objects.
This section explains how to configure SNMP on CID. Configuration
examples for SNMP versions 1, 2 and 3 are included.
SNMPv3 is composed of 2 layers of communication between the
manager and the agent:
• User Security Model (USM), which provides Secure
Communication, including message integrity and privacy.
• View-Based Access Control Model (VACM), which provides
granular access permissions. For example, a user can have write
access to limited portions or the MIB, and read access to wider
portions.
Note: By default, APSolute Insite connects to the CID device using
SNMPv1.
For example, you can grant Read access to all MIBs starting with
1.3.6.1 but not to MIBs that start with 1.3.6.1.2 and yet, to give access
to MIBs that start with 1.3.6.1.2.1 and 1.3.6.1.5.
SNMP - Access
The Access Table binds the groups, views and security models. This is
the table that grants permissions to the groups, based on the SNMP
version.
You can define the access rights for each group and Security Model in
the VACM Group Access window. Range of objects which can be
accessed for a read, write or notify action is specified through the Read
View Name, Write View Name and the Notify View Name parameters
and depends on the defined Security Model. The Read, Write, and
Notify permissions are configured for Family View names, which are
defined in the VACM - MIB View window, see page 2-37.
Write View Name: Select an item from a list of all the available
views that are configured in the VACM - MIB
View window and provide the Write access
to the Object IDs specified in the selected
view.
Notify View Select an item from a list of all the available
Name: views that are configured in the VACM - MIB
View window and provide the Notify access
to the Object IDs specified in the selected
view.
6. Click Ok to save the setup and exit from the window.
4. From the Target Parameters window, click Add. The Edit Target
Parameters dialog box appears. Set the following parameters
according to the explanations provided:
Name: Name of the new parameter for the
Target Address.
Message Processing Select the model from: SNMP Ver 1;
Model: SNMPVer 2c; SNMP Ver 3
Security Model: Select the security model as
explained on page 2-39.
Possible values: SNMP Ver 1; SNMP
Ver 2c; User Based.
Security Name: Type the security name of the user.
Security Level: Select the security level:
• No Authentication: No
authentication or privacy are
required.
• Auth Not Private:
Authentication is required, but
Privacy is not required
• Auth Private: Both
authentication and privacy are
required
Default: No Authentication.
5. Click Ok to save the setup and click Ok to exit the Target
Parameters and Target Address windows.
Note: The SNMP Community Table is used only for SNMP v1 and v2.
Configuration:
• Web Based Management Access Level: You can set Web Based
Management Access Level to Super (default) or Read Only. This
setting effects both WBM and Secure WBM.
When Web Based Management Access Level is set to Read Only,
then users using Web Based Management or Secure Web Based
Management experience the following limitations:
• Can not change the configuration of the device.
• Can not view the Community Table or User Table.
• Have no access to SSH Public Key Table.
• SSL keys and certificates cannot be viewed.
• Configuration File cannot be sent to the device or received from
the device.
• Software update to the device is not allowed.
• Can not reset the device.
This configuration is accessible using Configware from Services
menu, selecting Web Based Management, or using the CLI
command manage web access-level.
Time-outs are added for logging into CLI through Telnet and SSH. After
establishing of CLI session with the device, user name and password
must be inserted within 30 seconds. In case of 3 incorrect logins, the
terminal is locked for 10 minutes and no further logins are accepted
from that IP address. Once a login is successfully completed, the CLI
session closes after 5 minutes of idle time. not sure if this info here or o
CLI Timeouts
It is possible to configure the timeout for Telnet, SSH and the CLI
sessions. In addition to the session timeout, system administrators can
also configure the authentication timeout. Authentication timeout is the
time that the user has in order to complete the authentication process,
starting from the moment the user established the Telnet or SSH
connection.
Configurable Parameters:
• "Session Timeout - Timeout (in minutes) required for the device to
maintain connection during periods of inactivity. Default value is 5
minutes for Telnet and SSH and unlimited for the CLI. Optional
values 1 - 120 minutes.
• "Authentication Timeout - Timeout (in seconds) required to
complete the authentication process. Available for Telnet and SSH
only. Default value is 30 seconds. Optional values 10 - 60 second.
Note: In order not to affect the performance of the device, a special
task checks the timeout every 10 second. This means that the
actual timeout can be up to 10 seconds longer.
4. To select the specific physical ports for the application, check the
ports you wish to enable or disable or check Enable All or
Disable All.
5. Click Apply to save the setup. The window remains open.
6. To configure ports for another web management application, from
the Management Ports parameter select the application and the
active ports, as in steps 2 and 3.
7. Click Apply to save the setup and Ok to exit the window.
Access Router
100.1.120
CID
Virtual IP Address
10.1.1.100
Port 1
Users Side 10.1.1.10
Client 1 Client 2
10.1.1.1 10.1.1.2
Properties:
• Network side and users side are on different IP subnets.
• The virtual IP address of the CID is 10.1.1.100.
• Users are not configured to the CID.
• Content servers work in FTP Proxy mode.
• The delimiter ('@') is proxy dependent, and may vary.
• Configuring ftp-session service supports both passive and active
FTP sessions.
Configuration:
1. Define two IP Addresses on the CID:
a. Double click on the CID icon and from the CID Connect to
device window that now appears, type the device‘s IP address:
10.1.1.10 and click Ok.
b. Add the second IP address: Double click on the CID icon. The
CID window appears.
c. Click Add. The Edit CID Interface window appears.
d. From the Edit CID Interface window set the following
parameters according to the explanations provided:
IF Num: F-2
IP Address: 100.1.1.10
Click Ok to exit all windows.
2. Add the default router and a default gateway:
a. Double click on the CID icon. The CID window appears.
b. Click on Networking and select Routing Table. The CID
Routing Table appears.
c. From the CID Routing Table set the following parameters
according to the explanations provided:
Destination IP 0.0.0.0
Address:
Network Mask: 0.0.0.0
Next Hop: 100.1.1.20
IF Number: F-2
Metric: 1
Type: Remote
d. Click Ok to exit all windows:
3. Add the servers:
a. From the CID toolbar, click the Add menu and from the
dropdown menu add a local server by defining the following
parameters according to the explanations provided:
Server Name: Server 1
IP Address: 100.1.1.1
b. Click Add and then click Ok.
c. In the same manner, add the second server by defining the
following parameters according to the explanations provided.
Server Name: Server 2
IP Address: 100.1.1.2
d. Click Add and then click Ok.
4. Add a farm:
a. From the Traffic Redirection window, select the Farms tab and
click Add. The Edit CID Farm window appears.
b. From the Edit CID Farm window that appears, set the following
parameters according to the explanations provided:
Farm Name: (For Example) Farm 1
Multiplexed for Port: Disabled
VIP Address: 10.1.1.100
Admin Status: Selected
Transform Request: Selected
c. Ensure that the Transparent Mode is enabled.
5. Add the servers to the farm:
a. From the CID Traffic Redirection window list of farms, select the
farm and click Add. The Edit CID Farm window appears.
b. From the Edit CID Farm window, click Add. The CID Farm
Servers window appears.
c. From the CID Farm Servers, set the following parameters
according to the explanations provided:
Server Name: Server 1 & Server 2
Transparent Mode: Disabled
Server Delimiter: @
d. Click Add and then Ok.
6. Add a local network:
Configuration
No special configuration is needed by the user in order for CID to
support the FTP Address Multiplexing.
RADIUS Authentication
With RADIUS Authentication, you can use RADIUS servers to
determine whether a certain user may or may not gain access to CID
management, using CLI, Telnet, SSH or Web Based Management. You
can also select whether to use the User Table when RADIUS servers
are not available.
Radware devices provide additional security by authenticating the
users who access the device for management purposes. Before a
management session starts, the Radware device can authenticate the
user with a RADIUS server.
Management Ports
APSolute Insite is the main management interface for all Radware
products. Additional management interfaces that allow you to configure
and operate Radware devices include:
• Web Based Management (WBM)
• Command Line Interface (CLI)
You can connect a CID device to the management interfaces through
the network physical interface or through the serial port. CID supports
the following port types:
• In the network connection: SNMP, HTTP, HTTPS, Telnet, SSH.
• In the serial port connection: RS-232 up to 115 Kbps (default is
19,200 Kbps).
The following table lists the CID physical interfaces and the supporting
management interfaces:
SNMP +
V1, V3
HTTP +
Secure Web: +
Telnet +
SSH +
RS-232 +
Configuration:
1. From the main window select, Device > Add Radware Device
>CID. The CID icon appears in the main window.
2. Double click the CID icon. The CID Connect To Device dialog box
appears.
3. In the CID Connect To Device dialog box, type the Device IP
Address and select the SNMPv3 check box. The SNMPv3 pane
opens.
4. Define SNMPv3 parameters as explained in the previous
example, see page 2-45.
5. Click Ok. The device is connected using SNMPv3.
6. From the main menu, select General > Device Permissions.
The Device Permissions window appears.
7. From the Device Permissions window click SNMP. The SNMP
pane appears containing the following configuration options:
Targets, Views, Users, Community, Access. These options are
explained throughout this configuration example.
8. From the SNMP pane, click Community. The Community window
appears.
9. From the Community window, click Add, then set the following
parameters according to the explanations provided:
Index: SNMPv1 Access
Community Name: password
Security Name: administrator
10. Click Ok when and Ok again to close the Community window.
11. From the SNMP window, click Access. The VACM Group Access
window appears.
12. From the VACM Group Access window, click Add, then set the
following parameters according to the explanations provided:
Group Name: admins
Security Model: SNMPv1
Security Level: No Authentication
Read View Name: iso
Write View Name: None
Notify View Name: iso
13. Click Ok and Ok again to return to the SNMP window.
14. To create a VACM entry for User Administrator and Security
Module SNMPv1, from the SNMP window, click Add. The VACM
Edit Security To Group dialog box appears.
When the SNMPv1 session is initiated to the device with the
community name "password", the device associates the user name
"administrator" with the Group "admins" based on the information from
the VACM Edit Security To Group dialog box. According to the settings
of the VACM Group Access window, only Read permissions are set for
the User Administrator in SNMPv1.
Configuration:
1. From the main window select, Device > Add Radware Device
>CID. The CID icon appears in the main window.
2. Double click the CID icon. The CID Connect To Device dialog box
appears.
3. In the CID Connect To Device dialog box, type the Device IP
Address, use the default Device Community Name and click Ok.
The device is connected using SNMPv1.
4. From the main menu, select General > Device Permissions.
The Device Permissions window appears.
5. Click the SNMP tab. The SNMP tab appears.
6. From the SNMP window, click Community. The Community
window appears.
7. To add a new entry to the Community table, from the Community
window, click Add. The Edit Community dialog box appears.
8. In the Edit Community dialog box, set the following parameters for
the new entry according to the explanations provided:
Index: a descriptive text
Community Name: new_community
Security Name: public
9. Click Ok and return to the main map.
10. Right click on the device icon and click Connect. The CID
Connect To Device dialog box appears.
11. From the CID Connect To Device dialog box, type the new
Community Name and click Ok.
12. Repeat the steps 4-8, and this time delete the old public entry
from the Community Table.
Configuration:
1. From the main window select, Device > Add Radware Device
>CID. The CID icon appears in the main window.
2. Double click the CID icon. The CID Connect To Device dialog box
appears.
3. In the CID Connect To Device dialog box, type the Device IP
Address, use the default Device Community Name and click Ok.
The device is connected using SNMPv1.
4. From the main menu, select Device > Device Permissions. The
Device Permissions window appears.
5. Click the SNMP tab. The SNMP tab appears.
6. From the SNMP window, click Community. The Community
window appears.
7. From the Community window, select the required entry and click
Edit. The Edit Community dialog box appears.
8. In the Community Transport Tag text box, type "nms", click Ok
and Ok again to return to the main SNMP window.
9. From the SNMP window, click Targets. The Target Address
window appears.
10. From the Target Address window, click Notify. The Notify window
appears.
11. From the Notify window, click Add. The Notify Table dialog box
appears. Set the following parameters according to the
explanations provided:
Name: Type a descriptive name.
Tag: NMS
Note: The value must be the same as the
Community Transport Tag in the Community
Table.
12. Click Ok and return to the Target window.
13. From the Target window, click Add to add a new entry to the table
by setting the following parameters according to the explanations
provided:
Name: Type a descriptive name.
Target Address: Type the IP address of the NMS.
Target port: 161
Tag List: nms
Parameters: public-v1
14. Click Ok to close the Target window.
Configuration:
1. From the main window select, Device > Add Radware Device
>CID. The CID icon appears in the main window.
2. Double click the CID icon. The CID Connect To Device dialog box
appears.
3. In the CID Connect To Device dialog box, type the Device IP
Address and select the SNMPv3 check box. The SNMPv3 pane
opens.
4. In the User Name text box, type: administrator.
5. Click Ok. The device is connected using SNMPv3.
6. From the main menu, select Device > Device Permissions. The
Device Permissions window appears.
7. Click the SNMP tab. The SNMP pane appears containing the
following configuration options: Targets, Views, Users, Community,
Access.
8. From the SNMP tab, click Target. The Target Address window
appears.
9. From the Target Address window, click Parameters. The Target
Parameters window appears.
10. From the Target Parameters window, click Add. The Edit Target
Parameters dialog box appears, then set the following parameters
according to the explanations provided:
Name: Secure Traps
Message Processing SNMP Ver 3
Model:
Security Model: User Based
Security Name: Administrator
NTP Support
Network Time Protocol (NTP) enables users to synchronize devices by
distributing an accurate clock across the network. In predefined
intervals, a device sends “time query” messages to the Network Time
Server. The server then sends the date and time to the device.
Enabling or disabling the NTP feature results in different levels of
accuracy. When NTP is disabled, the time and date have to be set
manually for the device. When NTP is enabled, several parameters
need to be configured: the IP address of the Network Time Server, the
polling interval (in seconds), the time zone offset from GMT and the
NTP server port (default 123).
To configure NTP:
DNS Client
You can configure CID to operate as DNS client. When the DNS client
is disabled, IP addresses cannot be resolved. When the DNS client is
enabled, IP addresses can be resolved in the following ways:
• Using the configured DNS servers to which DNS client sends
queries about IP addresses of a hostname.
• Using the pre-defined static table that includes hostnames and IP
addresses.
5. From the Static DNS Table window, set the following parameters
according to the explanations provided:
Host Name: The URL name for which you want to
set the IP address.
IP Address: The IP address of the URL.
6. Click Add to apply. The new client is listed in the Static DNS
Table.
7. Click Ok to apply the setup and exit.
Policy Scheduler
System administrators may require that specific policies will not be
active during certain hours of the day, or a certain policy will only be
activated at a specific time of the day for specific duration time. For
example – a school's library, may want to block instant messaging
during school hours, but allowing instant messages after school hours
or an enterprise may give high priority for mail traffic between 08:00 –
10:00. Generic 10.20 introduces the ability to schedule the activation
and inactivation of specific Bandwidth Management policies. By the
use of the new feature called Event Scheduler the user can now
create “events” which can then be attached to a policy's configurations.
“Events” define the date and time in which an action should be
performed.
Configurable Parameters
For each “event” it is possible to configure the following parameters:
• Name: The name of the event
• Frequency: Whether the event occurs once, daily or weekly.
• Days: If the Frequency chosen is daily or weekly, the user must
configure on which day the event should occur.
• Time (HHMM): The time on the designated day (if multiple days
are chosen then the “Time” value is the same for all configured
days) when the event should occur. The default Time value is 12:00
am (0000).
• Date (DDMMYYYY): If the Frequency chosen is once, then it is
required to configure the date on which the event should occur.
For each Bandwidth Management Policy it is possible to configure the
following parameters:
• Activation Schedule: The name of the Event which activates the
policy
• Inactivation Schedule: The name of the Event which inactivates
the policy
Once an event has been configured it should then be attached to a
Bandwidth Management policy. Once the event occurs, the device
Notifications - General
Most administrators prefer to receive a warning message about a
network or server outage. To help minimize the impact of failure in
devices such as firewalls, routers or application servers, all Radware
devices provide a choice of notification methods:
CLI Traps, Syslog, E-mail.
To send traps by CLI, Telnet and SSH, the command is:
manage terminal traps-outputs set-on
For console only:
manage terminal traps-outputs set normal
CLI Traps
When connected to any Radware product through a serial cable, the
device generates traps when events occur. For example, if a Next Hop
Router fails, CID generates the following error:
10-01-2003 08:35:42 WARNING NextHopRouter 10.10.10.10
Is Not Responding to Ping.
E-mail Notification
You can configure the device to send e-mail messages to users listed
in the device's User Table. For each user, you can set the level of
SNMP Traps notification the user receives. This is done in the Users
table; each user is assigned a level of severity and receives traps
according to that severity or higher.
The severity levels are: Info, Warning, Error and Fatal, see Web Based
Management, page 2-48. When assigned the severity level of Error, the
user receives e-mail traps of events with severity levels of Error and
Fatal. This configuration applies both for SNMP traps and for SMTP
email notifications. SMTP notifications are enabled globally for the
device.
In addition to the SNMP traps, another method of notification has been
added to the device. Using the Send E-mail on Errors option, you can
configure traps to be sent by e-mail to predefined users with different
levels of severity.
Configuration Trace
CID is able to monitor any configuration changes on the device, and
report those changes by sending out e-mail notifications. Every time
the value of a configuration variable changes, information about all the
variables in the same MIB entry is reported to users. Configuration
reports are enabled for each user in the Users Table, see page 2-48.
Note: CID optimizes the mailing process by gathering reports and
sending them in a single notification message once the buffer is full or
once a timeout of 60 seconds expires.
The notification message contains the following details:
• Name of the MIB variable that was changed
• New value of the variable
• Time of configuration change
Syslog
Event traps can also be mirrored to a syslog server. On CID, as on all
Radware products, you can configure the appropriate information,
using the General > Preferences > Traps and SMTP option. Any traps
generated by the Radware device will be mirrored to the specified
syslog server.
The current Radware syslog mechanism enables you to define the
status and the event log server address. You can also define additional
notification criteria such as Facility and Severity, which are expressed
by numerical values. Facility indicates the type of device of the sender,
while Severity indicates the importance or impact of the reported event.
The user defined Facility value is used when the device sends Syslog
messages. The default value is 21, meaning “Local Use 6". The
Severity value is determined dynamically by the device for each
message that is sent.
Event Log
Radware devices keep track of events in the event log. Its is possible to
download the event log for later analysis.
Routing
Chapter 3, Basic Switching & Routing, provides theoretical
explanations about switching and routing in general, describes how
CID participates in the processes of switching and routing, and
presents several aspects of the practical implementation of CID.
This chapter includes the following sections:
• Section 3-1: Port Settings, page 3-2
• Section 3-2: Virtual LAN, page 3-8
• Section 3-3: IP Addressing & Routing, page 3-24
Port Mirroring
Port Mirroring enables the device to duplicate traffic from one physical
port on the device to another physical port on the device. This is useful
for example when an Intrusion Detection System (IDS) device is
connected to one of the ports on the CID device. You can choose to
mirror either received and transmitted traffic, received traffic only, or
transmitted traffic only. You can also decide whether to duplicate the
received broadcast packets.
Configuration Guidelines:
The Port Mirroring feature is configured as follows:
1. From the Set-Up window, select Networking > Port Mirroring.
The Port Mirroring Table window appears.
2. In the Port Mirroring window, click Add. The Edit Port Mirroring
window appears.
Port Trunking
Port Trunking (also known as Link Aggregration) is a method of
increasing bandwidth by combining physical network links into a single
logical link. Link aggregation increases the capacity and availability of
the communications channel between devices - both switches and end
stations - by using the Fast Ethernet and Gigabit Ethernet technology.
Multiple parallel physical links between two devices can be grouped
together to form a single logical link. Link aggregation also provides
load balancing where processing and communications activities are
distributed across several links in a trunk, to prevent single link
overloading. Treating multiple LAN connections as one aggregated
link, ensures the following advantages:
• Higher link availability
• Increased link capacity
• Improvements in existing hardware
No upgrading to higher-capacity link technology is necessary.
Radware devices support port trunking according to the IEEE 802.3ad
standard for link aggregation. Link Aggregation is supported on:
• Links using the IEEE 802.3 MAC
• Point-to-point links
• Links operating in full duplex mode
Aggregation is permitted only among links with same speed and
direction. On Radware devices, bandwidth increments are provided in
units of 100Mbps and 1Gbps respectively.
MAC Client traffic can be distributed across multiple links. To guarantee
the correct ordering of frames at the receiving-end station, all frames
belonging to one conversation must be transmitted through the same
physical link. The algorithm for assigning frames to a conversation
depends on the application environment. Radware devices can define
conversations upon Layer 2, 3 or 4 information, or on combined Layers.
The failure or replacement of a single link within a Link Aggregation
Group does not cause failure from the perspective of a MAC client.
Radware port trunking function allows you to define up to eight trunks.
Up to eight physical links can be aggregated into one trunk. All trunk
configuration is Static.
In port trunking configuration, the port speed and duplex must be fixed
and must not be in the Auto Negotiation mode.
Regular VLAN
A Regular type VLAN can be described as an IP Bridge (a software
bridge) between multiple ports that incorporate all the traffic redirection
of the passing traffic at all layers (Layer 2-Layer 7). Two Protocols can
be used with Regular VLANs:
IP Protocol: The VLAN must be assigned an IP address. All of the
traffic between the ports is intercepted transparently by the CID
application. Packets that need intelligent intervention are checked and
modified by CID and then forwarded to the relevant port. Other packets
are simply switched by CID as if they were on the same wire.
Other Protocol: A VLAN with the protocol "Other" cannot be assigned
an IP address. This type of VLAN is used to bridge the non-IP traffic
through CID. Note that this option can be defined also with the
Switched type VLAN (Switched VLAN protocol) for wire-speed
performance.
Switched VLAN
Switched VLAN provides wire-speed VLAN capabilities implemented
through the hardware switch fabric of the CID device. Depending on
the Protocol defined for the Switched VLAN, frames are treated
accordingly:
Switched VLAN Protocol: Frames arriving at VLAN port are switched
according to Layer 2 information. CID application does not intercept
any traffic.
IP Protocol: Frames arriving at VLAN port are switched according to
Layer 2 information, except for frames with Layer 2 address same as
CID port Layer 2 address. Frames with CID Layer 2 destination are
processed by the CID application and then forwarded accordingly.
VLAN Configuration
In Figure 3-1, CID is configured with two VLANs: Network side VLAN
(with address 100003) and user side VLAN (address 100005). Both
VLANs are defined as Switched type, to gain wire-speed throughput.
To enable CID to perform Traffic Redirection policies on traffic destined
to the Internet, VLAN protocol is set to IP. This requires clients to
configure CID as their default router.
Network
Side VLAN
100003
Internet
Router Server
192.1.1.100 192.1.1.11
P1 P2
Client Client
193.1.1.1 193.1.1.2
To create a VLAN:
1. From the Set-Up window, select Networking > VLAN. The CID
Virtual LAN window appears.
2. To connect a physical port on the device to the VLAN you are
defining, select one of the checkboxes in the Assign Port to
VLAN pane.
3. Set the remaining parameters according to the explanations
provided:
Interface The interface number of the VLAN,
Number: automatically assigned by the management
station.
Type: Select the bridge type.
Regular: The device acts as a bridge.
Switch: The Switch type is a Layer 2 VLAN.
Switched VLAN can be stand-alone or part of
a Regular VLAN.
Protocol: Select the protocol for the VLAN, according to
the VLAN Type: IP or Switch VLAN.
Note: Otherwise the protocol is IP or Other.
4. Click Add. The new VLAN is listed in the CID Virtual LAN table.
Tip: At any stage you can edit any of these parameters (for example
change the protocol) and click Update to apply the new setup.
Bridge Define the Aging Time, that is the period for the
Forwarding unused entries to be retained in the
Table Aging Forwarding Table.
Time:
Note: This counter is reset each time the entry
is used. When the defined Aging Time expires,
unused entries are deleted from the table.
Range (in seconds): 10-3600. Default: 3600.
4. Click Apply to save the setup and click Ok to close the window.
Note: In the Bridge Set-Up tab of the CID Virtual LAN window, you
can monitor, add and edit the bridge forwarding nodes. Refer to
Bridging, page 3-23.
Clients Clients
P1 P2
P3 P4
Clients Clients
Redundancy
When working with VLANs, two CIDs can operate together, one
backing up the other. A special provision in the CID prevents the
occurrence of network-bridging loop. The CID can transparently
intercept traffic not destined to its MAC address through the
configuration of VLANs.
For further information on Redundancy configurations,
refer to Chapter 6, Redundancy.
Bridging
When a VLAN is defined, CID performs bridging among interfaces
assigned to the same VLAN. Bridging within a VLAN means that CID
learns the MAC addresses of frames arriving from each physical
interface, and maintains a list of MAC addresses per interface. When a
frame arrives from one interface, CID looks for the frame destination
addresses within its address list according to the following conditions:
• If the destination address is listed in the same interface of the
source address, CID discards the frame.
• If the destination address is listed in another interface, CID
forwards the frame to the relevant interface.
• If the address is not listed in any interface, CID broadcast the frame
to all interfaces participating the VLAN.
CID enables you to modify the Address lists by registering additional
MAC addresses per interface. This is done from the Bridge Set-Up
menu.
IP Addressing
IP addresses are 32-bit binary numbers, for example:
11000000101010000000000100010100.
Each 32-bit IP address consists of two sub-addresses, one identifying
the network and the other identifying the host to the network, with an
imaginary boundary separating the two.
The location of the boundary between the network and host portions of
an IP address is determined through the use of a subnet mask. A
subnet mask is another 32-bit binary number that acts like a filter when
it is applied to the 32-bit IP address. By comparing a subnet mask with
an IP address, systems can determine which portion of the IP address
relates to the network, and which portion relates to the host.
• Anywhere the subnet mask has a bit set to "1", the underlying bit in
the IP address is part of the network address.
• Anywhere the subnet mask is set to "0", the related bit in the IP
address is part of the host address.
Routing
Routing is the CIDs ability to forward IP packets to their destination
using an IP Routing Table. The IP Routing Table stores information
about destinations and how they can be reached. By default, all
networks directly attached to CID are registered in the IP Routing
Table. Other entries to the table can either be statically configured by
users or dynamically created through a routing protocol. When CID
forwards an IP packet, the IP Routing Table is the resource for
establishing the next-hop IP address and the next-hop interface.
• For a direct delivery, when the destination is a neighboring node,
the next-hop MAC address is the destination MAC address for the
IP packet.
• For an indirect delivery, when the destination is not a neighboring
node, the next-hop MAC address is the address of an IP router
according to the IP Routing Table.
The destination IP address does not change on the path from source to
destination. The destination MAC (Layer 2 information) is manipulated
to move a packet across networks and then the MAC of the destination
host is applied when the packet arrives on the destination network.
Compliance Notes
CID support for IP routing is compliant with the RFC1812 router
requirements. Dynamic addition and deletion of IP interfaces is also
supported. This ensures that extremely low latency is maintained.
The IP router supports RIP I, RIP II and OSPF routing protocols. OSPF
is an intra-domain IP routing protocol, intended to replace RIP in bigger
or more complex networks. OSPF and its MIB are supported as
specified in RFC 1583 and RFC 1850, with some limitations.
To configure routing:
6. From the Set-Up window, select Networking > Routing
Table.The CID Routing Table window appears.
7. Click Add. The Edit Route window appears.
8. From the Edit Route window, set the following parameters
according to the explanations provided:
Destination IP The destination IP address for the route.
Address:
Network The network mask of the destination subnet
Mask: (IP).
Next Hop: The IP address of the next hop towards that
destination subnet. The next hop must reside
on a subnet which is local to the device.
IF Number: The IF (interface) Index number of the local
interface or VLAN through which the next hop of
this route is reached.
Metric: Number of hops to the destination network.
Type: Define how remote routing is handled,
Values: Remote (Forwards packets); Reject
(Discards packets); Local (read-only).
Default: Remote
9. Click Ok to close all the windows.
To configure RIP:
1. From the Set-Up window, select Networking > RIP. The CID RIP
Parameters window appears.
2. From the CID RIP Parameters window, set the following
parameters according to the explanations provided:
Leak OSPF Controls redistribution of routes from OSPF to
Routes: RIP. When enabled, all routes learned through
(checkbox) OSPF are advertised into RIP.
Note: For information about OSPF, refer to a
description on page 3-32.
Leak Static Controls redistribution of routes from static
Routes: routes to RIP. When enabled, you define all the
(checkbox) static routes in the Routing Table.
Enable RIP: Check to enable this protocol.
(checkbox)
3. Click Edit. In the CID Edit RIP window that appears.
4. From the CID Edit RIP window, set the following parameters
according to the explanations provided:
IP Address: The IP address of the current interface.
(read-only)
Outgoing RIP: Select the type of RIP to be sent:
• RIP Version 1: Sends RIP updates
compliant with RFC 1058.
• RIP Version 2: Multicasts RIP-2
updates.
• Do Not Send: No RIP updates are sent.
Default: RIP Version 1
Incoming RIP: Select the type of RIP to be received:
• RIP 1: Accepting RIP 1.
• RIP 2: Accepting RIP 2.
• Do Not Receive: No RIP updates are
accepted.
Default Metric: Select the Metric for the default route entry in
RIP updates, originated on this interface.
Default: 0.
Note: 0 (Zero) indicates that no default route
must be originated; in this case, a default
route through another router may be
propagated.
Virtual Distance: Define the virtual number of hops assigned
to the interface. This enables fine-tuning of
the RIP routing algorithm.
Default: 1
Status: Define the status of the RIP in the router.
Values: Valid; Invalid. Default: Valid.
Switching
Chapter 4, Basic Application Switching, describes the farm and server
management concepts and the related features. This chapter also
provides examples of common configurations of application switching
and load balancing schemes as implemented in Content Inspection
Director (CID).
This chapter includes the following main sections:
• Section 4-1: Farm Management, page 4-2
• Section 4-2: Server Management, page 4-25
• Section 4-3: Server Load Balancing, page 4-36
• Section 4-4: Cache Load Balancing, page 4-53
• Section 4-5: Local Triangulation, page 4-77
• Section 4-6: Server Spoofing, page 4-86
• Section 4-7: Network Address Translation, page 4-88
Service
Network
Farm
Dispatch Methods
Dispatch Methods are the load balancing algorithms that determine
how the client requests are distributed between servers in the farm.
CID receives requests for service from clients and decides to which
server to direct each request. During this process, CID finds the best
server to provide the requested service. The criteria by which CID
selects the best server are defined by the Dispatch Method.
Dispatch Methods are defined only for new sessions. Existing sessions
are handled by the Client Table, see
You can define the Dispatch Method during the process of CID Farm
configuration, according to farm characteristics and users’ needs.
Criteria may vary for different applications. For example, the number of
users is a significant factor for a Web farm, while the amount of traffic
can be more important for an FTP farm.
The following Dispatch Methods are available on CID:
• Cyclic
• Fewest Number of Users
• Fewest Number of Users - Local
• Least Amount of Traffic
• Least Amount of Traffic - Local
• NT- 1
• NT- 2
• Private - 1
• Private - 2
• Destination Hashing
• Source Hashing
• HM Load Statistics
• WCCP
For example, Server 1 & Server 2 can provide service A and service B.
These servers are used as part of Farm A to provide service A and as
part of Farm B to provide service B. When the client’s request for
service A is sent to Farm A, which uses this Dispatch Method, CID
looks for a server with the fewest number of requests for service A. The
requests for service B that exist on the same servers are not
considered by CID.
NT- 1 and NT-2. When either method is selected, CID queries the
farm servers for Windows NT SNMP statistics. CID forwards the farm’s
clients to the least busy server according to the servers’ reported
statistics. You can select from a list of statistics. The parameters are
considered according to the weights that you define in the first
Windows NT weights scheme for the NT-1, and second Windows NT
weights scheme for the NT-2.
Note: To use these Dispatch Methods, you need to configure the
Windows NT scheme and set the weight of the statistics parameters.
For configuration guidelines, see page 4-20.
Private - 1 and Private - 2. CID queries the farms’ servers for
private SNMP parameters, as defined in the first private weights
scheme. The ratios of users on the servers is balanced according to
the statistics.
When either mentod is selected, CID queries the farm’s servers for
private SNMP parameters according to a predefined private weights
scheme. The ratios of sessions on the servers is balanced according to
the statistics. You need to define which MIB variables are queried and
to set the private weights scheme. The parameters are considered
according to the weights that you define in the first private weights
scheme for the Private-1 and second private weights scheme for the
Private-2.
Note: To use these Dispatch Methods, you need to configure the
Private scheme and set the weight of the statistics parameters. For
configuration guidelines, see page 4-20.
Destination Hashing. CID uses a deterministic algorithm to
convert the URL or IP address of the site to a numerical value, which is
assigned to a specific cache server. This method is uncommon and can
be used when there are several customers sharing the same cache
Clients
www.site.com
CID
192.0.0.5
www.cnn.com
192.0.0.8 www.radware.com
Server 1 Server 2
130.0.0.1 130.0.0.2
192.0.0.20
Farm
1.1.1.1
The URL Table can operate in various modes according to the Content
Based Rule. Selection of the Content Based Rule depends on these
network configuration parameters:
• Address
• Host Name
• URL Match
• HTTP
• MIME Type
• P2P
For the descriptions of these parameters and configuration of the
Content Based Rules, refer to page 4-21.
Configuring Farms
Port Multiplexing
Port Multiplexing is a port address translation that allows CID to accept
traffic destined to a specific port and translate that traffic to a different
port before forwarding it to a server farm. When client requests for
service are destined to a configured Multiplexed Farm Port, CID
changes the destination port of the request to the configured
Multiplexed Server Port before forwarding the request to the selected
server.
The process of the address translation includes the following stages:
1. The client sends the request for service using a destination port of
the farm, for example HTTP port 80.
2. When this port is the configured Multiplexed Farm Port, then
before forwarding the request, CID changes the destination port.
Note: Server Weight is not supported when the Cyclic Dispatch Method
is selected in the farm to a particular server in the farm. The new
destination is configured according to the predefined Multiplexed
Server Port parameter.
Table 4-2 lists the Content Based Rules and provides their short
deceptions.
Parameter Description
Host Name CID checks the HTTP data of the sessions and
identifies the host name for the request (such as
www.company.com). The URL Table entries are host
names and not IP addresses. Requests for known host
names are redirected to the server that was chosen for
this host name.
If the session carries a new host name, a new server is
chosen, the session is redirected, and a new entry is
made into the URL Table. When working in this mode,
CID performs delayed binding.
Parameter Description
HTTP Match CID can redirect requests based on: HTTP header;
HTTP request contents; the request method itself
(GET, POST), or additional message headers.
Headers contain additional information about the
request, such as browser type, connection type
(persistent or not), cookies, destination host. If the
administrator wishes to direct a category of clients (for
example, Netscape users) to a specific cache server,
he can direct them to the Internet, or block users with
certain characteristics. When working in this mode,
CID performs delayed binding.
Parameter Description
The MIME Type rule should be used for load balancing anti-virus
servers.
Servers Overview
Farm servers are logical entities that are associated with application
services provided by physical servers that run these applications.
The process of adding and configuring servers in the CID farm consists
of two main stages:
1. Adding physical servers
2. Setting up farm servers
Adding physical servers means adding the hardware elements to the
network and defining them as servers. This is done using APSolute
Insite after the actual installation of the physical server is performed.
For each service provided by a physical server, you can define a farm
server and attach it to the farm that provides this service. Configuring
farm servers means organizing the servers the way you use their
services.
A physical server that provides multiple services may participate in
multiple farms. In each farm this physical server is represented by a
unique farm server that provides one specific service. Each service is
accosted with a farm, and you can define its own load balancing
scheme and customized health checks. By that way, in case one of the
services provided by a physical server is not available, other services
can still be used.
To enable tracking of all the farm servers associated with the specific
physical server, farm servers are organized in groups, identified by the
server name. All farm servers with the same server name are
considered by CID as running on the same physical server.
Farm server parameters are configured per farm and per server and
control the process of providing a particular service.
Physical server configuration is performed for each Server Name, and
applies to all farm servers on the same CID with the same name,
implying they all run on the same machine.
Server Types
Server types are:
• Regular: A local server, which is the default server type.
• Local Triangulation: local server that has the feature enabling it to
send the response from server directly to client, bypassing CID.
Server Parameters
• Server Description: A free text field that allows you to type a
description for each server. The Server Description can be up to 80
characters long.
• Server Weight: Weight of the server in a farm is server’s priority, or
server’s importance. You can define that a particular server in a
farm has more weight than other servers. This means that more
traffic is forwarded to this server than to other servers.
Server weights operate as ratios. For example, when the Dispatch
Method is set to Least Number of Users, the weights determine the
ratio of the number of users between the servers. If the Least
Amount of Traffic method is used, the weights determine the ratio
of the amount of traffic between the servers. The weight ranges
from 1 to 10,000. A server with weight 2 receives twice the amount
of traffic as a server with weight 1. The default weight is 1.
Note: Server Weight is not supported when the Cyclic Dispatch Method
is selected in the farm.
• Connection Limit: Connection Limit is the maximum number of
users that can be directed to a server for a service provided by the
farm. The number of users depends on the Sessions Mode,
because it is determined by the number of active entries in the
Client Table for sessions destined to the specific server.
When the Regular mode is selected, all the requests for service
from a single client IP destined to the same server are reflected by
a single entry in the Client Table.
When the Entry Per Session or Server Per Session modes are
selected, the number of active entries destined to the same server
is higher that in the Regular mode.
Physical Servers
Physical servers are hardware units configured to operate as an
integral part of the network. Before setting up a physical server, you
must connect the server to the CID device on the hardware level. Once
hardware connections are completed, you can start adding physical
servers to the APSolute Insite map. The parameters of the physical
server are defined globally and are applied to all the farm servers that
use the physical server.
Table 4-3 describes physical servers’ setup parameters.
Parameter Description
Server Name The physical server name. The Server name defines
the name of the farm servers group that are
associated with this physical server. Adding a new
server to a farm using a Server Name that was
already defined in another farm, implies that it is the
same physical server.
Parameter Description
For Multiplexed Farm / Server Port there are pre-defined values: FTP,
HTTP, SMTP, DNS, NNTP, HTTPS, Disable, or any port number.
The default value is Disable, meaning port multiplexing is not used for
the server.
For example, the Server port is 8080 and it is defined during the server
configuration process. The Farm port is 80 and it is defined during the
farm configuration process.
Clients
www.site.com
CID
192.0.0.5 www.radware.com
192.0.0.8
Server 1 Server 2
130.0.0.1 130.0.0.2
192.0.0.20
Server Types
CID supports several types of content servers. Each server can be
installed in a one-leg configuration or in a two-leg configuration. All
server types may be configured in the regular mode (using their own IP
address) or spoofed mode (using the clients IP address) including:
• Gateway: A Gateway is a server that uses two interfaces: the
interface that receives, processes and forwards the traffic, and the
interface that the traffic is forwarded to. The name of the gateway
server indicates its location in the network topology. Gateways
need to be part of the traffic flow - in most cases these servers are
bottlenecks in the network due to their limited processing power.
When CID load balances gateways, it moves the servers from the
traffic flow and also ensures that the packet that leaves the second
interface of the selected server returns to the same server.
When using gateways, CID sends the packet to the MAC address
of the server, and the server uses the client's IP address as the
source IP (spoofing).
• Transparent Server: A server that serves the clients transparently.
When CID forwards traffic to a transparent server, it sends the
traffic to the server's MAC address, while the destination IP is the
IP address of the real site's IP, and the client’s requests remain
unchanged.
Configuring Servers
P1 P2
Server Server
100.1.1.2 100.1.1.1
Properties:
• Network side and user side are on different subnets.
• The virtual IP address of CID is 10.1.1.100.
• Users are not configured on CID and thus traffic is transparently
inspected by CID.
• Content servers are transparent.
• Content servers use port 80 for the HTTP traffic.
Note: An example of CID configuration with transparent servers in
a VLAN environment is provided on page 4-61.
Configuration:
1. Define the interfaces for ports 1 and 2.
a. From the main window double click on the CID icon. The CID
Connect to device window appears. Type the device‘s IP
address: 10.1.1.10 and click Ok.
b. Double click on the CID icon again.The Content Inspection
Director window appears.
c. In the CID window, click Add. The Edit CID window appears.
d. From the Edit CID window, set the following parameters
according to the explanations provided:
IF Num: F-2
IP Address: 100.1.1.10
Network Mask: 255.255.255.0
Broadcast Type
Forward Broadcast Selected
VLAN Tag 0
e. Click Ok. The Edit CID window remains open.
2. Define the default gateway:
a. From the Set-Up window, select Networking > Routing
Table.The CID Routing Table appears.
b. From the CID Routing Table, click Add. The Edit Route window
appears.
c. From the Edit Route window, set the following parameters
according to the explanations provided:
Destination IP 0.0.0.0
Address:
Network Mask: 0.0.0.0.
Next Hop: 100.1.1.20
IF Number: F-1
Metric: 1
Type: Remote
d. Click Ok to exit all windows.
Alias Port
An Alias Port enables CID to work with non-standard ports. For
example, if a Web server works on the TCP port 81 which, unlike port
80, is not a standard, CID treats this port as an HTTP port.
What is Caching?
The role of caching is to store the frequently accessed Web content, in
order to shorten response time and save network bandwidth.
Figure 4-5 illustrates a caching configuration example.
When the first user, User A, types the URL:
http://www.radware.com in the browser, the cache gets the
request for this page but does not have the content. The cache gets the
Web page from the original Web server for radware.com and keeps
the page in its local storage, such as memory or disk. The cache then
replies to the user with the requested Web content. When User B tries
to access the same Web page later on, the cache gets the request
again, finds the content on its local storage and replies to the user
without having to go to the origin Web server. User B gets the response
much more quickly than User A. The network bandwidth is saved
because the cache does not have to access to the origin server over
the Internet again.
www.radware.com/home/logo.gif
User A
User B www.radware.com/home/logo.gif
Client Types
There are two types of clients in a cache server environment:
• Configured Clients: Configured clients are clients that configure
their Web browser (or mail client) to use a content/proxy server.
When the client's Web browser is configured to use a proxy server,
all the HTTP requests are sent to the proxy server using the cache
server's IP as the destination IP address (Layer 3), cache server
port number (Layer 4) and proxy request type (Layer 7).
• Intercepted Clients: Intercepted clients send regular requests that
are directed to their default gateway. The destination IP address is
the IP address of the Internet Web site (Layer 3), the destination
port is the application port number and the request type is a regular
HTTP request (Layer 7).
Client-Server Combinations
CID supports several combinations of clients and servers; in situations
where there are many clients on a network with a proxy server, CID has
the ability to intercept the clients’ requests and change them from an
HTTP request to a PROXY request. This is an advantage because
there is no need to configure the entire network to use the proxy server,
but it still forces all clients to use the proxy server.
Table 4-4 shows the available combinations of clients and types of
cache servers:
Internet
Content
Router
Inspection
10.1.1.20
Server
10.1.1.4
Network Side P2
IP VLAN Virtual IP
Interface CID Address
10.1.1.1 10.1.1.100
User Side P1
Client Client
10.1.12 10.1.1.3
Properties:
• Network side and user side are on different subnets.
• The virtual IP address of CID is 10.1.1.100.
• Users are non-configured to CID, thus intercepted by CID.
• Cache servers are transparent.
• Cache servers use port 80 for HTTP traffic.
Configuration:
1. Define an IP VLAN that includes ports 1 and 2.
a. Double click on the CID icon. The CID window appears.
b. From the CID window, select Networking > VLAN. The CID
Virtual LAN window appears.
c. From the CID Virtual LAN window, click the Set-Up tab. The
Set-Up pane appears.
d. From the Set-Up pane, set the following parameters according
to the explanations provided:
Assign Port to VLAN F1 - Selected
F2 - Selected
Type: Regular
Protocol: IP
2. Enable the VLAN Forwarding policy:
a. From the CID Virtual LAN window, select the Parameters tab
and select the VLAN Forwarding policy checkbox.
b. Click Ok to apply the setup and exit the window.
3. Define an IP interface with the address 10.1.1.1 to be associated
with the VLAN.
a. Double click on the CID icon. The CID window appears.
• If an IP interface with the 10.1.1.1 address is already
defined, edit the interface to associate the 10.1.1.1 address
with the VLAN (10000X).
• If there is no defined IP interface with the 10.1.1.1 address,
define one.
4. Define the default gateway:
P2P/Kazaa Caching
CID provides support for Peer-to-Peer (P2P) sharing technology. P2P
technology enables individual users running Kazaa Media Desktop
(KMD) application to connect to each other directly, without the need
for a central point of management. CID supports caching of Kazaa v1
and Kazaa v2.
CID supports Kazaa sessions which are initiated by the uploader and
the downloader. Support for sessions initiated by the downloader is
required in cases where the remote Kazaa peer is located behind a
firewall.
CID accelerates Kazaa v2 caching by initially intercepting all traffic
destined to a predefined port range, and then performs delayed binding
to search for Kazaa signatures. This method reduces false positive
cases, which results in non-Kazaa traffic cache redirection.
Notes:
• Kazaa v2 protocol uses a range of ports. CID intercepts the Kazaa
port range, however this parameter is network dependent, and the
values of 1000-6000 are a general recommended value.
• Kazaa v1 can use also Content Based Rule = IP Address, as there
is no need to search for a signature within the packets.
Internet
Virtual IP
Router
Address
10.1.1.20
10.1.1.100
P2
IP VLAN I/F
P3 10.1.1.1
CID
Server P2P P1
10.1.1.4
Clients
Configuration:
1. Define an IP VLAN that includes ports 1 and 2:
a. Double click the CID icon. The Set-Up window appears.
b. In the Set-Up window, select Networking > VLAN. The CID
Virtual LAN window appears.
c. From the CID Virtual LAN window, click on the Set-Up tab. The
Set-Up pane appears.
d. From the Set-Up pane, set the following parameters according
to the explanations provided:
Assign Port to VLAN F1 - Selected
F2 - Selected
F3 - Selected
Type: Regular
Protocol: IP
2. Enable VLAN Forwarding policy:
a. From the CID Virtual LAN window, select the Parameters tab
then select VLAN Forwarding Policy checkbox.
b. Click Ok to apply the setup and exit the window.
3. Define an IP interface with the address 10.1.1.1 to be associated
with the VLAN.
a. Double click the CID icon. The Set-Up window appears.
b. In the Set-Up window click Add. The Interface window appears.
c. In the Interface window, set the following parameters according
to the explanations provided:
• If an IP interface with the 10.1.1.1 address is already
defined, edit the interface to associate the 10.1.1.1 address
with the VLAN (1000X).
• If there is no defined IP interface with the 10.1.1.1 address,
define one.
4. Define the default gateway:
a. From the Set-Up window select Networking > Routing Table.
The CID Routing Table appears.
b. From the CID Routing Table click Add. The Edit Route
window appears.
c. From the Edit Route window, set the following parameters
according to the explanations provided:
Destination IP Address: 0.0.0.0
Network Mask: 0.0.0.0.
c. From the CID Classes window, click Add Regular, then set the
following parameters according to the explanations provided:
Filter for Kazaa session initiated by uploader:
Service Name: Kazaa uploader
Protocol: TCP
Destination Port: any
Source Range: From: 1000; To: 6000
Filter for Kazaa session initiated by downloader:
Service Name: Kazaa downloader
Protocol: TCP
Destination Port: From: 1000; To: 6000
Source Range: Any
d. Click Ok and then Ok again. From the CID Classes window,
click Update Active Classes.
8. Create a new Service Group for Kazaa v2, containing the two
regular filters that you defined.
a. From the CID Classes window, select Add Group.
b. From the Basic Services list, select the predefined services;
Kazaa uploader, Kazaa downloader and then click Add
Service and click Ok.
9. Add a new policy for HTTP:
a. From the Farm Policies window, click Modify Farm Policy and
then click HTTP, then set the following parameters according to
the explanations provided:
Policy Name: http
Index: 1
Service Type: Grouped Service
Service: Kazaa
Source Address: Any
Destination Address: Any
Direction: One way
Description: Example
Operational Status: Active
Cluster Farm: 10.1.1.100
b. Click Add Policy and then click Ok.
Note: Ensure that:
• The default router of the CID is the internet router at 10.1.1.20.
• The default router of the content server is CID.
10. To operate the load balancing in a VLAN network topology, set
your VLAN to be a regular VLAN type.
CID
1 2
Clients Servers
Router
10.1.1.20
Internet
Properties:
• CID is installed in a one-leg topology.
• Network side subnet and server side subnet are on the same LAN.
All connections can be made to the same switch.
• The virtual IP address of CID is 10.1.1.100.
• Servers support non-transparent proxy.
• Servers are configured with loopback adaptor with an IP address
which is the same as the CID virtual IP.
• Clients use a proxy server with IP address 10.1.1.100.
Configuration:
1. Connect the device:
a. Double click the CID icon. The Set-Up window appears.
b. In the Set-Up window type the device‘s IP address: 10.1.1.10.
c. Click Ok.
2. Add a default gateway:
d. From the Set-Up window, select Networking > Routing Table.
The CID Routing Table window appears.
e. From the CID Routing Table window, click Add. The Edit Route
dialog box appears.
f. From the Edit Route dialog box, set the following parameters
according to the explanations provided:
Destination IP 0.0.0.0
Address:
Network Mask: 0.0.0.0
Next Hop: 10.1.1.20
IF Number: F-1
Metric: 1
Type: Remote
g. Click Ok to close all windows.
3. Add the servers:
a. From the CID toolbar, click Add and select a local server.
Note: To add servers you must be in Map view and then link them
to the device.
b. Double click the Server icon. The Server window appears.
c. From the Server window, set the following parameters
according to the explanations provided:
Server Name: Server 1
Admin Status: Selected
Recovery Time: 0
Warm-up Time 0
Connection Limit: 0
IP Address: 10.1.1.3
Global Server: Cleared
d. Click Add and then Ok.
e. In the same manner, add a second server by setting the
following parameters according to the explanations provided:
Server Name: Server 2
Admin Status: Selected
Recovery Time: 0
Warm-up Time: 0
Connection Limit: 0
IP Address: 10.1.1.4
Global Server: Cleared
f. Click Add and then Ok.
4. Add a farm:
a. From the Traffic Redirection window, click the Farm tab and
then click Add. The Edit CID Farm window appears.
b. From the Edit CID Farm window, set the following parameters
according to the explanations provided:
Farm Name: Type the farm name, for example:
Farm 1
Multiplexed for Port: Disable/uncheck.
VIP Address: 10.1.1.100
Admin Status: Select/check.
Content Based Rule: Address
c. Click Apply. Edit CID window remains open.
5. Add the servers to the farm:
a. From the Edit CID window, click Add. The CID Farm Server
window appears.
Properties:
• CID is installed in one-leg topology with default gateway 10.1.1.20.
• Clients are not configured to use a proxy server.
• Clients are configured with CID as their default gateway.
• Clients use HTTP traffic on port 80.
• Servers support transparent proxy mode (no need to define a
loopback adapter).
• Servers are configured with router 10.1.1.20 as their default
gateway.
Configuration:
1. Follow steps 1-7 as explained in: CID with Local Triangulation,
page 4-81.
2. When adding servers in CID Farm Servers window, set the
following parameters according to the explanations provided:
Server Name: Type the server name.
Local Triangulation: Select.
Transparent Mode: Select.
NAT Types
Network Address Translation is the ability to hide the IP addresses of
the clients from the servers. Using this feature causes CID to replace
the original source IP of a request with the configured NAT IP before
forwarding the request to the server.
These are the NAT types:
• Client
• Server
• Server Based
• Farm Based
Client NAT
When client NAT addresses are configured, the NATed IP address
range has to be specified. Up to 128 ranges of NAT addresses can be
configured. Farm addresses are defined for the Farm Based NAT and
the server addresses are defined for the Server Based NAT. When a
client matching to a farm policy approaches a farm, CID selects a
server and NATs the client IP address and port using the configured
NAT address range for a farm or a server. The reply arriving from the
server to CID replaces the NAT address and port with the original client
address and port, before forwarding the reply to the client. When no
NAT addresses are configured in the NAT Addresses Table, Client NAT
is not performed.
Client NAT provides the following capabilities:
• In the installation process, client NAT enables the enforcement of
the return path, so that no special configuration, such as default
gateway or an explicit route, is required on the servers.
• A server, or a firewall in front of the servers, is able to verify that
traffic came through CID, for example in order to limit access to the
servers, thus providing higher security.
4 Return
Destination
Address: 10.1.1.1 10.1.1.1
Servers
100.1.1.1
Properties:
1. Client 10.1.1.1. sends a request, which is intercepted by CID.
2. CID performs load balancing and selects a server to forward the
clients request. When selected, CID replaces clients original
source address with a NAT address (20.1.1.1 in this example).
3. The server sends a reply to the client using the NAT Address
20.1.1.1 as the destination address.
4. CID receives the reply packet, replaces the destination address
20.1.1.1 with the clients original address 10.1.1.1 and sends it to
the client.
To enable NAT:
1. Double click the CID icon. The Set-Up window appears.
2. From the Set-Up window, enable/check NAT.
Redundancy
In a redundant CID scenario, the same NAT Addresses and farm
policies should be configured on both CID devices.
Client Table mirroring should not be used with Client NAT, as Client
NAT entries in the Client Table are not mirrored.
Note: For more information about redundancy, see Chapter 6,
Redundancy
Internet
Router
100.1.1.20
Port 1
100.1.1.10
CID
Virtual IP Address:
10.1.1.100
Port 2
10.1.1.10
Clients Servers
10.1.1.1 20.1.1.1
10.1.1.2 20.1.1.2
Properties:
• Network side and user side are on the same subnets.
• The virtual IP address of the CID is 10.1.1.100.
• Users are configured with CID at their default gateway.
• Clients are NATed with the following addresses 10.1.1.200 and
10.1.1.201, cache assigned to a different server.
Configuration:
1. Connect the device and define the interfaces for ports 1 and 2.
a. Double click the CID icon and from the Set-Up window that
appears, type the IP address for the device: 10.1.1.20,
b. Click Ok.
c. Double click the CID icon again. The Set-Up window appears.
d. In the Set-Up window, click Add. The Interface window
appears.
e. In the Interface window, set the following parameters
according to the explanations provided:
IF Num: F-2
IP Address: 100.1.1.10
Network Mask: 255.255.255.0
Broadcast Type: Onefill
Forward Broadcast: Selected
VLAN Tag: 0
f. Click Ok. The CID window remains open.
2. Define the default gateway:
a. From the Set-Up window, select Networking > Routing Table.
The Routing Table window appears.
b. In the Routing Table window , click Add. The Edit Physical
Route window appears.
c. From the Edit Physical Route window, set the following
parameters according to the explanations provided:
Destination IP 0.0.0.0
Address:
Users
101.1.1.10
Router
Port 1
10.1.1.20
Port 1
10.1.1.100
Properties:
• Network side and users side are on the same subnet.
• Remote content inspection server is on a different subnet:
101.1.10.
• Users are configured to the CID.
• Clients sent to the remote server are NATed using IP Address
200.1.1.1.
Configuration:
1. Define the interface for Port 1.
a. Double click the CID icon. The Set-Up window appears.
b. In the Set-Up window type the IP address for the device:
10.1.1.100, and click Ok.
2. Define the default gateway:
a. From the Set-Up window, select Networking > Routing Table.
The CID Routing Table appears.
b. In the CID Routing Table, click Add. The Edit Route window
appears.
c. In the Edit Route window, set the following parameters
according to the explanations provided
Destination IP 0.0.0.0
Address:
Network Mask: 0.0.0.0
Next Hop: 10.1.1.20
IF Number: F-1
Metric: 1
Type: Remote
d. Click Ok.
3. Add a server:
Note: To add a server you must be in Map view and then link the
server to the device by using the Link button.
a. From the CID main toolbar, click Add and from the dropdown
menu add a local server.
b. Double click the Server icon. The Server window appears.
c. From the Server window, set the following parameters
according to the explanations provided:
Server Name: Server
Admin Status: Selected
Recovery Time: 0
Warm-up Time: 0
Connection Limit: 0
IP Address: 10.1.1.10
Global Server: Cleared
d. Click Ok.
4.Add a farm to the CID:
a. From the CID main window, click APSOlute OS >Traffic
Redirection. The Traffic Redirection window appears.
b. In the Traffic Redirection window, click Farms > Add. The
Farm window appears.
c. In the Farm window, set the following parameters according to
the explanations provided:
Farm Name: (For example) Farm 1
Multiplexed for Port: Disable
VIP Address: 10.1.1.100
Admin Status: Selected
d. Click Ok. The Edit CID Farm window remains open.
5. Add the server to the farm:
a. From the Farm window, click Add. The CID Servers window
appears.
b. From the Server Name parameter, add the server and click Ok.
6. Add a network:
a. From the Traffic Redirection window, select the desired farm
and click Farm Policies. The Farm Policies window appears.
b. From the Farm Policies window, click Classes > Networks >
Modify > Add then set the following parameters according to
the explanations provided:
Network Mode: IP Range
Network Name: Local
From Address: 10.1.1.1.
To Address: 10.1.1.2
c. Click Ok and then Ok again and then click Update Active
Classes.
1 4
Servers
Network B
Network A
Network B 2 3 4 5 6 7
Network A
Network B 2 3 4 5
Farm 1 Farm 2
Internet
192.168.1.254
Figure 5-5 Cache Farm and URL Filter Farm in Spoofed Mode
d. From the Edit CID Farm window, click the Traffic Settings tab,
then set the following parameters according to the explanations
provided:
Dispatch Method: Cyclic (can be any)
Content Based Rule: Host Name Mode
Use URL Table: Use URL Table
Transform Request: Do not check.
Server Keeps Client Check/select.
IP:
e. Click Ok.
f. Add a second farm as explained in step 10. in the Edit CID
Farm window, set the following parameters according to the
explanations provided:
Farm Name: URL Filter Farm
Multiplexed for Port: Disable
VIP Address: 1.1.1.2
Admin Status: Selected
g. Bind servers to the URL Filter Farm as explained in step 9. Add
servers with the following addresses: 192.168.1.202 and
192.168.1.203.
h. After adding the two cache servers, click the Traffic Settings tab
and set the following parameters according to the explanations
provided:
Dispatch method: Cyclic (can be any)
Content Based Rule: Host Name
Use URL Table: Use URL Table
Transform Request: Cleared
Server Keeps Client Check/select.
IP:
i. Click Ok.
12. Create a farm cluster:
a. From the Traffic Redirection window, click Cluster > Add. The
Farm Cluster dialog box appears.
b. In the Cluster Name parameter, type a relevant name, for
example, Cluster1 and click Apply.
c. From the Farm Address parameter, select the URL Filter Farm
(1.1.1.2) and click Add.
d. Click Add again to add the Cache Farm (1.1.1.1) to the cluster.
Now, when a packet arrives to the cluster, first it is forwarded to
the URL filter farm. After being inspected, the packet is sent to
the cache server and then to the Internet.
13. Create a cluster policy:
a. From the Cluster tab, highlight the farm cluster you created and
click Policies. The CID Farm Cluster Policies window appears.
Note: You may be prompted to enable BWM and to reboot the
CID, if so click Ok and follow instructions.
b. From the CID Farm Cluster Policies window, click the Modify
tab and click Add. The Edit Policy window appears.
c. From the Edit Policy window, click New Network. The Edit
Network Table dialog box appears.
d. From the Edit Network Table dialog box set the following
parameters according to the explanations provided:
Network Name: Local Network
Network Mode: IP Range
From Address: 192.168.1.10
To Address: 192.168.1.100
e. From the Edit Policy window, set the following parameters
according to the explanations provided:
Policy Name: HTTP Traffic
Service Type: Regular Service
Service Name: HTTP
Source: Local Network
Destination: Any
Farm Cluster: Cluster 1
f. Click Ok.
g. Click Update Active Policies.
Figure 5-6 Cache Farm and URL Filter Farm in Non-Spoofed Mode
a. From the CID main toolbar, click Add and from the dropdown
menu add a local server.
b. Double click on the Server icon.The Server window appears.
20. From the Edit Network Table, set the following parameters
according to the explanations provided:
Network Mode: IP Range
Network Name: Local Network
From Address: 192.168.1.10
To Address: 192.168.1.100
21. Create another network for the URL Filters as explained
previously by setting the following parameters according to the
explanations provided:.
From Address: 192.168.1.202
To Address: 192.168.1.203
22. Click Ok twice to return to the Farm Policy window and click
Update Active Classes.
23. Add a new policy, right click Modify Farm Policy and then click
Add, then set the following parameters according to the
explanations provided:
Policy Name: Clients
Service Type: Regular Service
Service: HTTP
Source Address: Local Network
Destination Address Any
Direction: Oneway
Farm Cluster: 1.1.1.2
24. Click Add Policy.
Note: This policy intercepts all the HTTP traffic of the clients and
sends it to the URL filter.
URL Policies
CID allows you to set traffic redirection policies based on the URL
content in the HTTP GET request. You can block specific URLs, to
make CID avoid retrieving data from the site and reset the connection.
You may also configure CID to avoid caching certain sites, and route
clients directly to the Internet. The URL Policies window is used to
configure those preferred sites.
You can select one of three policies for each URL in the Policies table:
• Direct: This policy can be used for real-time or non-cacheable
pages, for example news and stock quote requests. CID does not
send these requests to a cache server; but sends them directly to
the Internet, thus saving time and providing a quick response.
• Block: This policy effectively enforces limited control on clients.
When a client requests a particular site that has been blocked, CID
disallows the request to that URL. Good examples of this are adult
entertainment or gambling sites.
• Local Server: This policy enables the CID to direct a specific URL
to a specific cache server within a certain cache farm. It is a
powerful way to enforce limited control on clients.
URLs can be manually configured or they can be loaded from the list.
When implementing URL policies, system administrators are required
to set the Content Based Rule to URL Match, to enable the users to
configure the URL Policies Table.
URL Match
In this mode, the CID analyzes the URL in all client HTTP requests.
The URL string of the client request is parsed and decisions are based
on whether a match is made to a set of predefined criteria or not.
The URL Match policies are configured per cache farm. Each policy
instructs the CID to forward the request to a local cache server, forward
directly to the Internet, or block the request in case a URL string
matches the string in the policy. Also for each cache farm, a “default”
policy is created that defines for CID what to do if no matching URL
Match polices are found - send direct or to a local cache.
For example, a farm can be configured to send all traffic to the Internet
by default and a policy can be set to send all requests with “gif” to the
local servers. This would cause only the requests for pictures in the.gif
format to be redirected to the cache servers.
Up to 50 URL Match policies can be configured per farm.
HTTP Match
CID can make load balancing decisions based on the HTTP header
information. When CID works in the HTTP Match mode, any HTTP
header field can be used, allowing CID to search in the HTTP reply
packet for any field, such as the user-agent, the accept-language, the
host, or the content-type field.
When implementing HTTP Match policies, you can set one of three
policies for each URL that is listed in the table:
• Direct: This policy can be used for sending traffic directly to the
Internet, without sending it to the servers. When CID load balances
anti-viruses, it searches in the Content-Type field for the trusted
files and sends the trusted files directly to the Internet.
• Block: This policy effectively enforces limited control on clients.
When a client requests a particular content that has been blocked,
CID disallows the request to that traffic type. URLs can be blocked
using this mode. CID searches for the host field of the HTTP
header and blocks predefined hosts. CID can also block specific
file types, based on the Content-Type field.
• Local Server: This policy enables CID to direct specific traffic to a
specific cache server within a certain cache farm, thus effectively
enforcing limited control on clients. When CID servers reverse the
cache servers, it is possible to redirect clients to the cache servers
based on their language or browser type.
Notes:
• When configuring the URL Match Table, it is recommended to add
values in the format of '.jpg ' (with a space) rather than '.jpg'. This is
not required for content-type values (should remain '/jpg').
• When configuring values such as '.jpg ' in the URL Match table, it is
recommended to configure additional HTTP content-type matches
in addition to '/jpg' such as '/jpeg' and '/jpe'.
Examples:
jpg /jpg, /jpeg, /jpe
tif /tif, /tiff
mpeg /mpeg,/mpg,/mpe
html /htm, /html
Server 1 Server 2
192.168.1.100 192.168.1.101
Configuration:
1. Double click the CID icon. The CID Connect to Device window
appears.
2. Type the device‘s IP address (for this example 192.168.1.253)
and click Ok.
3. Assign ports to VLAN.
a. Double click the CID device icon again.The Set-Up window
appears.
b. In the Set-Up window, select Networking > VLAN. The CID
Virtual LAN window appears.
10.10.1.100 10.10.1.101
10.10.2.100 10.10.2.101
Figure 5-8 Dual Interface Gateway Servers with MIME Type Support
Properties:
• Connect the local network and the access router to ports 1 and 2.
• Connect the anti-virus servers to port 3 and 4 (network 10.10.1.0)
and port 5 and 6 (network 10.10.2.0).
• Set the default gateway of the anti-virus servers to 10.10.2.1.
• Set a static route on the anti-virus server to route network
192.168.1.0/24 to 10.10.1.1 (to enable the anti-virus server to
return the traffic back to the CID).
Configuration:
1. Double click on the CID deviceicon. The CID Connect to device
window appears. Type the device‘s IP address (for this example
192.168.1.253) and click Ok.
2. Assign ports to VLAN:
a. Double click on the CID icon. The Set-Up window appears.
b. From the Networking menu, select VLAN. The Virtual LAN
window appears.
c. Select VLAN 100001 and assign ports 1 and 2 to the VLAN.
Click Update.
d. Click Add and add VLAN 100002 and VLAN 100003.
e. Assign ports 3 & 4 to VLAN 100002, and ports 5 & 6 to VLAN
100003. Click Update and Ok.
3. In the Set-Up window select the existing interface (192.168.1.253)
click Edit.The Interface window appears. Set the IF Num to
100001 and then click Ok.
4. Create two more interfaces:
a. Double click on the CID icon. The Set-Up window appears.
b. Click Add. The nterface window appears.
c. From the Interface window, set the following parameters
according to the explanations provided:
VLAN 100002: 10.10.1.1
VLAN 100003: 10.10.2.1
5. Add a static route to the default gateway:
a. From the Set-Up window select Networking >Routing Table.
The Routing Table appears.
b. Click Add. The Edit Physical Route window appears.
c. From the Edit Physical Route window set the following
parameter according to the explanation provided:
Next Hop Router: 192.168.1.254
6. Add a local server:
a. From the main toolbar, click Add and from the dropdown menu
add a Local server by defining the following parameters
according to the explanations provided:
Server Name: Server 1
IP Address: 10.10.1.100
10.10.2.100
Click Add and then click Ok.
7. Add the second server as explained in the previous step and set
these parameters:
Server Name: Server 2
IP Address: 10.10.1.101
10.10.2.101
Click Add and then click Ok.
8. Create a farm:
a. From the CID main window, select APSolute OS > Traffic
Redirection. The CID Traffic Redirection window appears.
b. Click Farm > Add. The Farm window appears.
c. In the Farm window, set the following parameters according to
the explanations provided:
Farm Name: Anti_Virus_Farm
VIP Address: 1.1.1.1
9. Add the servers to the farm:
a. In the Farm window click Add.The Farm Servers window
appears.
b. From the CID Farm Servers window, set the following
parameters according to the explanations provided:
Server Name: Server 1
Server Address: 192.168.1.100
Transparent Mode: Selected
c. Add the second server. Click Ok.
10. In the Farm window select Traffic Settings. The Traffic Settings
pane appears.
11. In the Traffic Settings pane, set following parameters according to
the explanations provided:
Dispatch Method: Cyclic
Content Based Rule: MIME Type
Use URL Table: Do not use URL Table
Transform Request: Cleared
Server Spoofing: Selected
Trap All Ports: Cleared
Click Ok.
12. From the main window, select APSolute OS > Traffic
Redirection > Redirection. The Redirection pane appears.
13. In the Redirection pane, ensure that the Match Method is set to
URL Match and click Add. The URL Match window appears.
14. In the URL match window, set the following parameters according
to the explanations provided:
Farm IP: 1.1.1.1
URL Match Policy: Direct
Matching URL: gif, jpeg, avi, mid, tiff
URL Description: Type the relevant URL Description.
15. From the Redirection tab, set the Match Method to HTTP Match,
click Ok. The HTTP Match window appears. In the HTTP Header
field type: content-type.
Click Ok.
16. From the Traffic Redirection window, select Redirection and
Token Match window appears:
Farm IP: 1.1.1.1
Mode: Direct
Token Value (type in) /extension/gif/jpg/avi/mid
17. From the Traffic Redirection window click Farms , select the
Anti_Virus farm (1.1.1.1) and click Farm Policies. The Farm
Policies window appears.
18. In the Farm Policies window click Classes and then Networks.
The Network Table appears.
19. In the Network Table select the Modify tab and then click Add.
The Network Table appears.
20. In the Network Table set the following parameters according to
the explanations provided:
Network Name: Local Net
Network Mode: IP Mask
IP Address: (according to this example)
192.168.1.0
Address Mask: 255.255.255.0
21. From the Classes window, right click Grouped and select New
Service, then set the following parameters according to the
explanations provided:
Service Name: Virus_Scan
Basic Services: Select the protocols supported by the
anti-virus: HTTP; SMTP; FTP
Click Add Service and then Ok.
22. Create a new farm policy:
a. From the Farm Policies window right click on Modify Farm
Policies and click Add and set the following parameters
according to the explanations provided:
Policy Name: Virus Scan
Index: 1
Service Type: Grouped Service
Service: Virus_Scan
Source Address: Local_net
Destination Address: Any
Direction: Oneway
192.168.1.253
Server 1 Server 2
192.168.1.100 192.168.1.101
Figure 5-9 Single Interface Proxy Servers with MIME Type Support
Configuration:
1. Connect the device.
a. Double click on the CID device icon. The CID Connect to
device window appears.
b. Type the device‘s IP address (for this example 192.168.1.253)
and click Ok.
2. Add ports to the VLAN:
a. Double click on the CID icon again.The Set-Up window
appears.
Access Router
100.1.120
CID
Virtual IP Address
10.1.1.100
Port 1
Users Side 10.1.1.10
Client 1 Client 2
10.1.1.1 10.1.1.2
Properties:
• Network side and users side are on different IP subnets.
• The virtual IP address of the CID is 10.1.1.100.
• Users are not configured to the CID.
• Content servers work in FTP Proxy mode.
• The delimiter ('@') is proxy dependent, and may vary.
• Configuring ftp-session service supports both passive and active
FTP sessions.
Configuration:
1. Define two IP Addresses on the CID:
a. Double click on the CID icon and from the CID Connect to
device window that now appears, type the device‘s IP address:
10.1.1.10 and click Ok.
b. Add the second IP address: Double click on the CID icon. The
Set-Up window appears.
c. Click Add. The Interface window appears.
d. In the Interface window set the following parameters according
to the explanations provided:
IF Num: F-2
IP Address: 100.1.1.10
Click Ok to exit all windows.
2. Add the default router and a default gateway:
a. Double click on the CID icon. The Set-Up window appears.
b. In the Set-Up window, select Networking > Routing Table.
The Routing Table window appears.
c. From the Routing Table, click Add. The Edit Physical Route
window appears.
d. In the Edit Physical Route Table window, set the following
parameters according to the explanations provided:
Destination IP 0.0.0.0
Address:
Network Mask: 0.0.0.0
Next Hop: 100.1.1.20
IF Number: F-2
Metric: 1
Type: Remote
e. Click Ok to exit all windows:
3. Add the servers:
a. From the main toolbar, click the Add (+ ) and from the
dropdown menu add a local server by defining the following
parameters according to the explanations provided:
Server Name: Server 1
IP Address: 100.1.1.1
b. Click Add and then click Ok.
c. In the same manner, add the second server by defining the
following parameters according to the explanations provided.
Server Name: Server 2
IP Address: 100.1.1.2
d. Click Add and then click Ok.
4. Add a farm:
a. From the Traffic Redirection window, select Farms. The Farm
pane appears.
b. In the Farm pane click Add. The Farm window appears.
c. In the Farm window, set the following parameters according to
the explanations provided:
Farm Name: (For Example) Farm 1
Multiplexed for Port: Disabled
VIP Address: 10.1.1.100
Admin Status: Selected
Transform Request: Selected
d. Ensure that the Transparent Mode is enabled.
5. Add the servers to the farm:
a. In the Traffic Redirection window list of farms, select the farm
and click Add. The Farm window appears.
b. In the Farm window, click Add. The CID Farm Servers window
appears.
c. In the CID Farm Servers, set the following parameters
according to the explanations provided:
Server Name: Server 1 & Server 2
Configuration
No special configuration is needed by the user in order for CID to
support the FTP Address Multiplexing.
POP3 Support
CID supports interception and redirection of POP3 (Post Office
Protocol) traffic destined to an anti-virus server. POP3 sessions are
transparently intercepted and redirected to the servers. The sessions
are intercepted and sent to the IP address of the server, opening a
POP3 session with the proxy agent of the server. Because the client is
unaware of the server's existence, the client believes that it is directly
connected to the POP3 host on the Internet.
To provide POP3 support, CID transforms the client's “USER”
command from USER[username] to:
USER[user_name#destination_IP]. This transformation allows
the anti -virus to extract the destination POP3 host and then to open
the POP3 session to that host, on behalf of the client. This is done
transparently to the client.
Router
100.1.120
CID
Virtual IP Address
10.1.1.100
Port 1
Users Side 10.1.1.10
Client 1 Client 2
10.1.1.1 10.1.1.2
c. Click Ok.
5. Add the servers to the farm:
a. In the Traffic Redirection window, select the farm and then click
Add. The Farm window appears.
b. In the Farm window, click Add. The CID Farm Servers window
appears.
c. In the CID Farm Servers window, set the following parameters
according to the explanations provided
Server Name: Server 1 & Server 2
Farm 1 Farm 2
RADIUS Server
NAS Secret
NAS and RADIUS server share a “secret” that uses a combination of
password encryption and response authentication. A RADIUS server
can be configured to use different secrets, according to the source IP of
the received packet (NAS IP). When CID is used as the RADIUS proxy,
the source IP is always the CID IP, so the RADIUS can use only one
secret.
For this reason, the Proxy RADIUS needs to use another table with the
following record structure:
NAS IP NAS Secret
HTTPS
Before CID forwards HTTPS traffic to the cache server it first tries to
send the HTTPS GET request to the server to check if the server is
capable to treat HTTPS traffic. IF the server replies with the HTTP code
200 Ok, the CID forwards all the HTTPS traffic to the servers.
Otherwise, the CID redirects all HTTPS traffic directly to the Internet.
Proxy SSL
CID supports SSL tunneling for intercepted clients. CID traps HTTPS
sessions (port 443), encapsulates the session with a HTTP header and
opens a session to the server on behalf of the client, using the
CONNECT command. To the server this appears as if the client is a
configured client, and is therefore supported by all server vendors that
support configured clients.
AV Gateway CT100
192.168.1.200 192.168.1.150
HTTPS
HTTP
There are two types of SSL Content Check configuration, which are:
• Spoofed AV Gateway
• Proxy AV Gateway
The following sections describe how to configure each type.
Configuration Guidelines:
Setting up a configuration to enable an SSL Content Check involves
the following general steps:
1. Configuring the network and port group for the users’ side
2. Adding and configuring farms
3. Adding and configuring farm clusters
4. Configuring content check policies for farms, traffic protocols and
gateways.
Notes:
• Configuring CID in the VLAN mode requires setting the network
default gateway also in CID.
• When configuring farm servers, the Traffic Settings > Transform
Request option must be disabled for all Farms which handle
HTTPS traffic.
• The farm’s content based rule must be set to IP Address mode.
• If the scanning of clients’ HTTP traffic needs to be accelerated,
Radware recommends configuring a separate Farm for the AV
Gateway and setting the farm to operate in MIME-type mode.
• Each client session generates N+1 entries in the Client Table, were
N is the number of farms in the CID configuration.
HTTPS
HTTP
Service: HTTPS
Source Address: Users
Destination Address: Any
Direction: OneWay
Cluster Farm: HTTPS-CT
Inbound Physical Port N/A
Group:
d. To configure a policy for the AV Gateway, set the following
parameters according to the explanations provided:
Index: 3
Service Type: Filter
Service: HTTP
Source Address: Users
Destination Address: Any
Direction: OneWay
Cluster Farm: HTTP-AV-CT
Inbound Physical Port N/A
Group:
3 2
1’ 1
AV Gateway
192.168.1.201
HTTPS
HTTP
Figure 5-16 illustrates the HTTP traffic flow when the AV Gateway
works in the Proxy Mode.
HTTPS
HTTP
Properties:
• Using a Proxy AV gateway requires different farm clusters to be set
up for the traffic: one farm for the HTTP traffic and another farm for
the HTTPS traffic.
• Clients must have two configured proxy IP addresses: one for the
HTTPS traffic and one for the HTTP traffic.
• A direct farm/cluster policy cannot be configured to the proxy
server.
• NAT can be included in the farm properties. However, NAT must
always be configured at the last Farm in the traffic chain to access
the Internet.
Configuration Guidelines:
To set up a client SSL Content Check in conjunction with an AV
Gateway operating in the Proxy Mode, CID is configured with the
following policies:
• Client’s regular HTTP traffic
• Client’s HTTPS traffic
• CT100 to AV Gateway traffic
• AV Gateway to CT100 traffic
DNS Services
DNS Services comprises of the client and the server.
DNS Client
Each CID has a DNS Client that allows to identify the destination IP
address of a specific URL. When CID needs to forward requests
directly to the Internet without sending them to a content server, the
device also needs to identify the content server’s IP address. CID can
be configured with the addresses of two DNS servers to use for
resolution. The DNS Client has to be enabled when using the following:
• URL policies (CID has to resolve the IP address of the URL)
• Preferred sites
• HTTP Page connectivity check
• NSLOOKUP from the CLI
DNS Client also supports the use of hostnames for the following
services: NTP, RADIUS, Ping, Trace-route and Mail-Traps. In addition,
the DNS Client support feature enables directing the configured client
to the Internet.
You can configure CID to operate as DNS client. When the DNS client
is disabled, IP addresses cannot be resolved. When the DNS client is
enabled, IP addresses can be resolved in the following ways:
• Using the configured DNS servers to which DNS client sends
queries about IP addresses of a hostname.
• Using the pre-defined static table that includes hostnames and IP
addresses.
4. In the DNS Primary Address text box, type the address of the
primary DNS server that is used to query IP addresses of
hostnames.
5. In the DNS Alternate Address text box, type the address of the
backup DNS server that is used to query IP addresses of
hostnames in case the primary server is not in service.
6. To display the dynamic DNS table in the CLI, type the following
command:
services dns nslookup <hostname>
The DNS table is displayed.
DNS Server
CID supports DNS Server functionality, resolving an IP address of a
Farm URL address. The DNS Server enables the user to configure a
static DNS table, by assigning pairs of URL and IP addresses.
Internet
Router Users
Network A
Port 1 Port 1
MAC A MAC C
CID 1 CID 2
Port 2 Port 2
MAC B MAC D
Network B
Server 2 Server 2
Interface Grouping
To provide a complete solution for redundancy against all failures, CID
employs a mechanism called Interface Grouping. If CID notices that
one of its physical ports is down, it intentionally brings all other active
ports down.
When a physical port on CID goes down, because of a cable failure,
switch port failure, hub failure, or other problems, CID performs the
following tasks:
• CID examines the configuration to see if any IP addresses were
configured on the port that just went down.
• If there were IP addresses configured on the port that went down,
CID deactivates all other active ports.
• If there were no IP addresses configured on the port that went
down, nothing happens and normal operation continues.
Notes:
• Using Regular VLAN, when any of the ports associated with a
VLAN is down, Interface Grouping is triggered.
• Using Switched IP VLAN, Interface Grouping is triggered only when
all ports on a Switched IP VLAN are down.
Mirroring
Mirroring enables a redundant Backup device to maintain a copy of the
dynamic tables of the Main device, by sending a snapshot of the Client
Table information contained on the Main device to the Backup device. If
the Main device fails, the Backup device seamlessly resumes the
sessions, ensuring that the request for service is forwarded to the same
server in the farm which handled the session before the Main device
failure. Mirroring is recommended for use with very state sensitive and
long term sessions, such as Telnet or FTP. However, this feature
should not be activated with HTTP applications where sessions are
short and a reload mechanism is built-in or transparent. Mirroring
should not be used in conjunction with the Dynamic Session ID Tacking
feature. When enabling Mirroring on a Backup CID, the device must be
reset. Setting up Mirroring affects the general CID performance.
Notes:
• When setting up mirroring, it is recommended to use the same CID
software version for the main and for the backup devices.
• Server NAT and Outbound NAT sessions are not mirrored. This
implies that such sessions have to be re-established after a
redundancy take over.
• It is not recommended to use mirroring in conjunction with Layer 7
features that requires Delayed Bind. This includes Dynamic
session ID Persistency, Layer 7 Policies, SSL ID tracking so on.
Proprietary ARP
The proprietary method, the CID platform employs the Address
Resolution Protocol (ARP) to check the availability of the partner. The
ARP method ensures that the Radware device is available and that the
network connections between the devices are up.
If the Main device fails, the Backup device takes control and continues
seamlessly operating between clients and servers that had been
established on the primary device.
With Proprietary ARP redundancy, the Backup device manages the
polling process by continuously polling the Main device, using the ARP
protocol, see Table 6-1. When the Main device fails, the teaching
process is realized when the Backup device sends broadcast ARPs
informing its network neighbors that the IP Addresses of the Main
device are now associated with its own MAC Addresses. This ensures
that all traffic destined to the IP Addresses of the Main device arrives to
the Backup device.
Parameter Description
Polling Interval How often the Backup device polls the Main
device (in seconds).
Default: 3.
3. From the Device Name dropdown list, select the device for which
you want to set the advanced parameters.
4. To enable Backup Fake ARP, select the Backup Fake ARP
checkbox and click Ok.
5. To enable Backup device in VLAN, select the Backup device in
VLAN checkbox and click Ok.
Internet
Router
100.1.1.20 Users
Port 1 Port 1
100.1.1.10 100.1.1.11
CID 1 CID 2
Virtual IP Address
Regular 100.1.1.100
Port 1 Port 2
100.1.1.11 100.1.1.11
Server 1 Server 2
10.1.1.1 10.1.1.2
Properties:
• Network Side and server side are different on different subnets.
• Virtual IP addresses served by the CIDs: the 100.1.1.100
addresses are usually handled by CID 1.
• Servers 10.1.1.1 and 10.1.1.2 are assigned to the farm that is
managed by CID.
100.1.1.10 100.1.1.11
7. In the Redundancies window, click Add and set Polling Interval
and Timeout for each entry.
8. In the Redundancies window, click Advanced Settings and set
for each device:
For the Main device: Select Interface Grouping, see page
6-7.
For the Backup device: When needed, select Backup
Interface Grouping, see page 6-7.
Select the Backup Fake ARP
checkbox, see page 6-12.
9. Set up mirroring, see page 6-8.
Note: Make sure that CID settings on the Main and Backup
devices are corresponding. For example, every farm which is
active on the main device is set as backup on the backup device,
similarly for Virtual DNS Addressees, and so on.
10. To trigger an automatic configuration update of the secondary
device in a redundant configuration, from the Redundancies
window, click Copy Configuration.
The configuration file of the Main device is used, and is modified as
needed. Then the file is sent to the backup device. The old
configuration in the backup device is deleted.
Note: The Copy Configuration button is enabled only when at
least one IP Interface is set for redundancy.
11. Click Ok to accept your preferences and exit the window. The
redundancy relation is visually displayed on the map.
Internet
Router Users
100.1.1.20 100.1.1.x
Network Side
CID 1 CID 2
IP VLAN IP VLAN
Interface Interface
Port 2 Port 2
100.1.1.10 100.1.1.11
Server Side
Server 1 Server 2
100.1.1.1 100.1.1.2
Properties:
• Network side and server side are on the same IP subnet.
• The virtual IP address of the CID is 100.1.1.100.
Internet
Router Users
100.1.1.20
Port 1 Port 1
100.1.1.10 100.1.1.11
CID 1 CID 2
Virtual Addresses
Regular 100.1.1.100 Backup
Backup 100.1.1.101 Regular
Port 2 Port 2
10.1.1.10 10.1.1.11
Properties:
• Network side and server side are on different subsets.
• Virtual IP Addresses served by the CIDs: the 100.1.1.100 address
is usually handled by CID 1, while the 100.1.1.101 address is
handled by CID 2.
• Servers 10.1.1.1 and 10.1.1.2 are assigned to the farms that are
managed by CID 1. Servers 10.1.1.3 and 10.1.1.4 are assigned to
the farms managed by CID 2. Each CID has its own group of
servers.
Note: If a server is configured in an active farm on CID 1, it cannot
be configured as a server in an active farm on CID 2. This is
because the server can have only one of the CIDs configured as its
default router.
For example, CID 1 does not hold the information of the sessions
that are sent to the farms of CID 2, and therefore is unable to send
it back to the client correctly.
If CID 1 fails and its farm is configured as a backup farm on CID 2,
the traffic to the farm is managed by CID 2. The server still sends
the traffic to its default router, but CID 2 takes over the failing CID 1
and handles the traffic correctly.
Introducing VRRP
VRRP (Virtual Router Redundancy Protocol) is a standard protocol that
enables dynamic router redundancy. This means that if the Main device
fails, VRRP ensures that the Backup device takes over, and traffic is
forwarded to it.
VRRP is based on the Virtual Router (VR) concept. A VR has a Virtual
Router Identifier (VRID) and one or more IP addresses associated with
it. Each VR has a VRMAC, which is a MAC address associated with the
VR. This saves the need for a MAC address update in case of a fail-
over. The VRMAC address is determined by the VRID, and does not
need to be configured manually.
Typically, the same VR is configured on multiple devices to achieve
redundancy between them for the VR. Each device has a priority for a
VR, the main device for the VR is the device with the highest priority.
Using VRRP, the main device constantly sends advertisements to other
VRRP routers, to indicate that it is online. When the advertisements
stop, the main device is assumed to be inactive. A new Main device is
then selected for this VR, that is the device with the next highest priority
for that VR.
For a typical Main-Backup scenario, a VR is required for each interface
of CID. In a standard CID setup, 2 VRs are required:
VR-I For the Internet side of CID, is associated to the IP
address of the main CID and to the farm IP Address.
VR-S For the server side of CID.
You need to configure all VRs on each CID device, and associate the
appropriate IP addresses with each VR.
Typically, the physical address of the external side of CID and the farm
address are associated with VR-I. The physical address of the server
side of the CID is associated with VR-S.
You need to set a priority for each VR on each CID. The priorities for all
VRs on the main CID may be 255, to indicate it is the Main device, and
a lower value on the backup device.
Using VRRP, it is possible to set up more than one redundant CID to
backup a main CID with hierarchy.
associated either with the VR for the external side of the CID or
with the internal one, depending on the configuration.
Note: Up to 255 IP Addresses can be associated with a single
VRID.
10. Click Ok to apply the setup and exit the window.
Internet
Router
100.1.1.20
Port 1 Port 1
100.1.1.10 100.1.1.11
CID 1 CID 2
Virtual Address
Regular 100.1.1.100 Backup
Port 2 Port 2
10.1.1.10 10.1.1.11
Server Server
10.1.1.1 10.1.1.2
Properties:
• Network side and server side are on different subnets.
• Virtual IP addresses served by the CIDs are 100.1.1.100, usually
handled by CID 1.
• Servers 10.1.1.1 and 10.1.1.2 are assigned to the farm that is
managed by CID 1.
• Redundancy is performed using VRRP protocol.
Interface: F-2
VRID: 10
Enable Virtual Router: Selected
Priority: 255
Primary IP: 10.1.1.10
e. Access the Associated IP Addresses Table by clicking on
Associated IP. The Associated IP Address window appears.
f. In the Associated IP Address window, set the following
parameters according to the explanations provided:
Interface: F-1
VRID: 100
IP Address: 100.1.1.100 (Farm IP Address)
Interface: F-2
VRID: 10
IP Address IP Address 10.1.1.10 (CID IP
Address)
g. Click Add.
5. Set the VRRP for CID 2 (Backup Device).
a. In the same window, set the backup device VRRP. In the Edit
VRRP table, set the following parameters according to the
explanations provided:
Interface: F-1
VRID: 100
Enable Virtual Router: Selected
Priority: 100
Primary IP: 100.1.1.11
Interface: F-2
VRID: 10
Enable Virtual Router: Selected
Priority: 100
Interface: F-2
VRID: 10
IP Address IP Address 10.1.1.10 (CID IP Address)
d. Click Add.
6. In the Redundancies window, click Advanced Redundancy. The
Advanced Redundancy window appears.
7. In the Advanced Redundancy window, select the Interface
Grouping checkbox for the main device.
8. From the Advanced Redundancy dialog box, select the Backup
Interface Grouping checkbox for the backup device if required.
Internet
Router
100.1.1.20
Port 1 Port 1
100.1.1.10 100.1.1.11
CID 1 CID 2
Virtual Addresses
Regular 100.1.1.100 Backup
Backup 100.1.1.101 Regular
Port 2 Port 2
10.1.1.10 10.1.1.11
Properties:
• Network side and server side are on different subnets.
• Virtual IP Addresses served by the CIDs: the 100.1.1.100 address
is usually handled by CID 1, while the 100.1.1.101 address is
handled by CID 2.
• Servers 10.1.1.1 and 10.1.1.2 are assigned to the farms that
managed by CID 1. Servers 10.1.1.3 and 10.1.1.4 are assigned to
the farms managed by CID 2. Each CID has its own group of
servers.
Note: If a server is configured in an active farm on CID 1, it cannot
be configured as a server in an active farm on CID 2.
This is because the server can have only one of the CIDs
configured as its default router, for example, CID 1. Traffic coming
from CID 2 is not returned through it but through CID 1. CID 1 does
not hold the information of the sessions that are sent to the farms of
CID 2 and therefore is unable to send the information back to the
client correctly.
If CID 1 whose farm was configured as a backup farm on CID 2
fails, the traffic to the farm is managed by CID 2. The server still
sends the traffic to the default router, but CID 2 takes over the
failing CID 1 and handles the traffic correctly.
Configuration:
This configuration is the same as in Example on page 6-31, however in
this example, each device is both active and backup.
1. Set the default gateway of the servers that belong to active farms of
CID 1 (Server 1 and Server 2) to the IP address of CID 1 using
10.1.1.10.
Set the default gateway of the servers that belong to active farms of
CID 2 (Server 3 and Server 4) to the IP address of CID 2 using
10.1.1.11.
2. Add Main device and backup device to the APSolute Insite map,
set IP addresses and routing as needed.
3. Add Server 1 and Server 2 to the map, set Farm 1 with Server 1
and Server 2 on CID 1 and on CID 2.
To set Redundancy Mode, click Traffic Redirection > (select the
Farm) Edit > Traffic Settings and set the Redundancy Mode
Interface: F-1
VRID: 101
Enable Virtual Router: Selected
Priority: 100
Primary IP: 100.1.1.10
Interface: F-2
VRID: 10
Interface: F-2
VRID: 11
Enable Virtual Router: Selected
Priority: 100
Primary IP: 10.1.1.10
6. Click Ok. The Edit VRRP Table window closes.
7. Perform the same procedure for CID 2 by setting the following
parameters according to the explanations provided:
Interface: F-1
VRID: 100
Enable Virtual Router: Selected
Priority: 255
Primary IP: 100.1.1.11
Interface: F-1
VRID: 101
Enable Virtual Router: Selected
Priority: 100
Primary IP: 100.1.1.11
Interface: F-2
VRID: 10
Enable Virtual Router: Selected
Priority: 255
Primary IP: 10.1.1.11
Interface: F-2
VRID: 11
Enable Virtual Router: Selected
Priority: 100
Primary IP: 10.1.1.11
8. Click Ok. The Edit VRRP Table window closes.
9. Access the Associated IP Addresses Table by clicking on
Associated IP. The Associated IP Address window appears.
10. From the Associated IP Address window, set the following
parameters according to the explanations provided
Interface: F-1
VRID: 100
IP Address IP Address 100.1.1.10 (Farm IP Address)
Interface: F-1
VRID: 101
IP Address IP Address 100.1.1.101 (Farm IP Address)
Interface: F-1
VRID: 100
IP Address IP Address 100.1.1.10 (CID IP Address)
Interface: F-1
VRID: 101
IP Address IP Address 100.1.1.11 (CID IP Address)
Interface: F-2
VRID: 10
IP Address IP Address 10.1.1.10 (CID IP Address)
Interface: F-2
VRID: 11
IP Address IP Address 10.1.1.11 (CID IP Address)
11. Click Add.
12. Define Interface Grouping.
a. From the Redundancies window, click Advanced
Redundancy. The Advanced Redundancy window appears.
b. Select the Interface Grouping checkbox.
13. Click Ok and Ok again. The redundancy configuration is
complete.
Figure 6-7 illustrates the scheme for a direct server connection with
VRRP and Routing.
Routers or switches
External
Side
CID CID
Switch IP Switch IP
VLAN on VLAN on Internal
CID-L CID-R Side
Server Server
Configuration Notes:
• This configuration is supported with VRRP and Switched IP VLAN
only.
• Servers are connected directly to the interfaces of CID. A cross
cable is required in order to connect two CID devices (using Giga,
or Fast Ethernet ports).
• The interfaces to which the servers are connected and the interface
used for connecting the CID devices, are associated to a Switched
IP VLAN. This puts all the servers on a single switch. An IP address
should be associated with the Switched IP VLAN in each device.
• The CID farm and redundancy configurations remain as usual.
Figure 6-8 illustrates the scheme for a direct server connection with
VRRP and Bridging.
Routers or
Switches
External
Side
CID CID
Switch IP Switch IP
VLAN on VLAN on
CID-L CID-R
Internal
Side
Server Server
Configuration Notes:
• Only a single Switched IP VLAN can be part of a Regular VLAN.
The number of physical interfaces that can participate in a Regular
VLAN (with or without a Switched IP VLAN) is not limited.
• Associate an IP address with the Regular VLAN in each device.
• Both the CID farm configuration and the CID redundancy
configuration function as usual.
• The default gateway of servers must be also used as the default
gateway of CID.
• CID sends VRRP advertisements only on ports that participate in
the Regular VLAN but do not participate in the Switched VLAN.
Ensure that the CID devices have an active connection between
such ports.
Internet
Router
100.1.1.20
Port 1 Port 1
100.1.1.10 100.1.1.11
CID 1 CID 2
Port 3
Port 4 Port 4 Switched
Switched
IP VLAN IP VLAN
10.1.1.10 Dual NO 10.1.1.11
Server Users
10.1.1.1 10.1.1.2
Properties:
• Servers are directly connected to CID, possibly with dual NIC.
• Network side and server side are on different subnets.
• The virtual IP address served by the CIDs is 100.1.1.100, usually
handled by CID 1.
• Servers 10.1.1.1 and 10.1.1.2 are assigned to the farm managed
by CID 1.
• Redundancy is performed using the VRRP protocol.
a. From the main toolbar, click Add and from the dropdown menu
add a local server. The Server icon appears in the map area.
b. Double click on the Server icon. The Server window appears.
c. In the Server window, set the following parameters for each
server: For the first server, set:
Server Name: Server 1
IP Address: 10.1.1.1
Add the second server by setting the following parameters
according to the explanations provided:
Server Name: Server 2
IP Address: 10.1.1.2
d. Click Ok.
4. Add farm to CID 1.
a. Select the CID device icon, and the Server 1 and Server 2
icons.
b. From the CID toolbar, click Link. The Farm window appears.
c. In the Farm window, set the following parameters according to
the explanations provided:
Device: CID 1
Farm Name: Farm 1
Active Farm: Enabled
VIP Address: 100.1.1.100
d. In the Farm window, click the Traffic Settings tab and set the
Redundancy Mode parameter to Primary.
e. Click Ok.
5. Add servers to Farm 1.
a. In the Farm window, click Farm Servers > Add. The Farm
Servers window appears.
b. In the Farm Servers window, set the following parameters for
each server: For the first server, set:
Server Name: Server 1
Server Address: 10.1.1.1
Interface: 100002
VRID: 10
Enable Virtual Selected
Router:
Priority: 255
Primary IP: 10.1.1.10
Interface: 1
VRID: 100
Associated IP: 100.1.1.10 (CID IP Address)
Interface: 100002
VRID: 10
Associated IP: 10.1.1.10 (CID IP Address)
11. Click Ok.
Note: When using dual NIC, where the active NIC is determined by
ping to the default gateway, set a virtual DNS with IP 10.1.1.20 on
CID. This IP should be the default gateway of the servers.
In the Associated IP Addresses Table window configure the
following entries: Interface=100002, VRID=10, Associated
IP=10.1.1.20.
Interface: 100002
VRID: 10
Enable Virtual Router: Selected
Priority: 100
Primary IP: 10.1.1.11
e. Click Ok.
f. In the Redundancies window, click Associated IP. The
Associated IP Address window appears.
Interface: 1
VRID: 100
Associated IP: 100.1.1.10 (Main CID IP Address)
Interface: 100002
VRID: 10
Associated IP: 10.1.1.10 (Main CID IP Address)
h. Click Ok.
i. When using servers with dual NIC, where active NIC is
determined using ping to default gateway, configure a virtual
DNS with IP address 10.1.1.20, with Redundancy Mode on the
Backup. In the Associated IP Address pane, set the following
parameters according to the explanations provided:
Interface: 100002
VRID: 10
Associated IP: 10.1.1.120
Module
The Health Monitoring module, implemented on all Radware IAS
(Intelligent Application Switching) products, is responsible for checking
the health of the network elements such as servers, firewalls, and Next
Hop Routers (NHRs) that are managed by the IAS device.
The Health Monitoring module determines which network elements are
available for service, to enable the IAS device to load balance traffic
among the available resources.
Traffic management decisions are based mainly on the availability of
the load balanced elements and on other resources on the data path.
The module provides flexible configuration for health monitoring of the
load balanced elements. The module supports various pre-defined and
user defined checks, and enables you to create dependencies between
health checks of different elements.
Checked Element
A Checked Element is a network element that is managed and load
balanced by the Radware device. For example, CID-checked elements
are the Farm Servers and NHRs. The health of a checked element may
depend on a network element that the IAS device does not load
balance. For example, the health of a server managed by CID may
depend on the health of a database server or other application servers,
which are not load balanced by the CID.
Health Check
A Health Check defines how to test the health of any network element
(not necessarily a Checked Element). A check configuration includes
such parameters as: the check method, the TCP/UDP port to which the
test should be sent, time interval for the test, its timeout, the number of
retries, and more. These parameters are explained in detail in the
Regular Health Check section.
A network element can be tested using one or several Health Checks.
Method
Health check methods are applications or protocols that the IAS device
uses to check the health of network elements. For example, a method
can be Ping, HTTP or other. Although the Health Monitoring module
provides a wide array of predefined methods, user defined methods
are also supported. In addition, method-specific arguments can be
configured for each method.
For a complete list of supported health check methods, refer to Health
Check Methods, page 7-25.
Global Configuration
The Health Monitoring module is configured in several ways; using the
Health Monitoring feature in APSolute Insite, from Web Based
Management or via CLI.
Setting up the Health Monitoring module on an IAS device involves the
following steps:
1. To enable the Health Monitoring Module; in the Health Monitoring
Settings window, set the Health Monitoring parameter to Monitoring
Enabled.
2. Set the Connectivity Method of each farm to Disabled. This allows
the device to use the results of the Health Monitoring Module to
determine the status of the servers in this farm.
Note: APSolute Insite supports both farm-oriented and server-oriented
Health Monitoring configurations. The farm-oriented configuration
automates and simplifies the Health Monitoring configuration process
for large configurations containing farms with multiple servers.
SSL Certificate This file is used by the device when the Web
File: server requires a Client Certificate during the
SSL handshake.
Default: Client Certificate generated by the
device.
SSL Private Key This file is used by the device when the Web
File: server requires a key during the SSL
handshake.
Default: Private Key generated by the device.
5. Click Ok to apply the setup. The window closes.
3. In the Health Check DB window, click Add. The Device Edit Health
Check window appears. In this window you can create a new
entry for the Health Check DB.
4. Set up the Regular check parameters for the device according to
the explanations provided:.
Health Check Type the name of the new check.
Name:
Action Macro
Radware devices support a wide range of health monitoring checks,
allowing for highly granular checks and monitoring capabilities. The
results of these checks is always a status, either “Active” or “Down”.
The Action Macro feature complements this capability and allows
performing an action based on the status of a health check. The action
is performed by running a predefined macro file, which is bound to the
health check.
Configuration of the feature involves the following stages:
1. Define the relevant health checks in the Health Checks DB window.
2. Record the macro files you wish to execute upon receiving a trap
from the device.
3. Through the Health Check Actions window, available by clicking
the Action button in the CID Health Check DB window, bind the
health checks and the macro files.
Groups
You must associate a Health Check to a Checked Element. You can
also define whether the check is Mandatory or not, and set the Group
Number.
2. From the Group Check Name dropdown list, select the name of
the required Health Check Group.
3. From the Element Name dropdown list, select the name of the
network element to check. The Regular checks you defined for
this Checked Element appear in the Edit Health Check Group
table.
4. From the Enable column, select the checks required for this group
for this Checked Element.
5. Click Apply. The health check Group is configured.
6. Continue to configure new groups or click Ok to exit the window.
3. From the Health Checks Per Farm window, click Add. The Edit
Active Health Check window appears.
4. From the Edit Active Health Check window, select from the
following options:
Predefined Methods
Table 7-1 describes the predefined Health Check Methods and their
configurable arguments.
Method
Description
Name
Citrix APP Using the Citrix Application Browsing check, the Health
Browsing Monitoring Module sends a "Hello" request to the Citrix server.
The Citrix server in reply, sends the list of applications running
on the server. The Health Monitoring Module, compares the
application available on the server based on the Citrix's reply
with a list of up to four applications, configured by the user. In
case all the users' configured applications are running on the
Citrix server, the check passes. In case there are no configured
applications, the Health Monitoring Module completed the
handshake. This check uses UDP port 1604 by default.
Configurable Arguments: The user can configure up to four
applications running on the server at any given time.
Citrix ICA Using the Citrix ICA check, the Health Monitoring Module
initiates a connection to the Citrix server, using TCP port 1494
and performs a Citrix handshake. This check passes when the
Health Monitoring Module identifies the Citrix's reply within the
first reply packet.
Method
Description
Name
Method
Description
Name
Fix When the module performs the FIX health check, it creates a
FIX packet and sends it to the FIX server (after the TCP
handshake). A successful check is a check where in the reply
packet, the "TestReqID" value is the same as the one that the
user configured; the "SenderCompID" is the configured value
of the "TargetCompID" field and vice versa and the FIX version
is the same as the configured value.
Arguments:
• TestReqID - Test Request identification - This text is
appended to tag TestReqID (112) that is sent as the
message Note: The TestReqID field is a non-mandatory
field; The device sends the number of seconds passed
since 01/01/1970 in case the user did not configure that
field.
• SenderCompID - Used as a standard header field by
the FIX protocol. This field is mandatory.
• TargetCompID - Used as a standard header field by the
FIX protocol. This field is mandatory.
• FIX Version - The FIX version which will be used by the
check. This field is mandatory.
Method
Description
Name
LDAP Module performs a Bind and Unbind session with the LDAP
server, using an anonymous username. The Bind operation
initiates a session between a client and a server and allows the
authentication of the client to the server. The Unbind operation
terminates a protocol session. Default port for the LDAP health
check is the well-known LDAP UDP port 389. When needed,
the user can set another value in the Destination Port field.
LDAPS The module performs the above LDAP health check using
secured SSL channel.
Method
Description
Name
Physical Module checks the status of the physical interface. When the
Port link is up, the check passes.
Arguments: Physical port number
Method
Description
Name
SIP TCP The Session Initiation Protocol (SIP) is an IETF standard for
initiating an interactive user session that involves multimedia
elements such as video, voice, chat, gaming etc. SIP works in
the application layer of the OSI model (Layer 7). SIP can
establish multimedia sessions or Internet telephony calls, and
modify or terminate them.
Health Monitoring Module allows now to perform Health
Monitoring checks on SIP servers. The SIP health check is
done using the OPTIONS method. This method is used to
query SIP proxies and end-points as to their capabilities. The
capabilities themselves are not relevant to the health check,
what is relevant, is the "200 OK" response from the server. The
module uses port 5060 by default.
Arguments:
Request URI: The request's destination. (mandatory)
• From: The user should specify what the "logical name"
of the device is. (mandatory)
• Max Forwards: The default is 1
• Acceptable Response Codes: 200 is the default.
When an unacceptable response code is received - the
check fails.
• Content Match: a content that must be matched in the
response for it to be considered successful.
• Match Mode: defines whether the content must appear
in the reply or must not appear in the reply.
Method
Description
Name
SIP UDP Same as SIP TCP, but running over the UDP protocol
SNMP The module sends an SNMP GET request, and validates the
value in the reply. When the returned value is lower than the
Min. Value or higher than the Max. Value, the check fails. When
the returned value is higher than the No New Sessions Value,
the bound element is set to No New Sessions. The results of
the SNMP check can be used for a load balancing decision, as
in Private Parameters Load Balancing Algorithms.
Note: For a device to consider the outcome of the check in the
load balancing decisions, the farm’s Dispatch Method should
be set to Response Time.
Arguments: SNMP Object ID to be checked; Community; Min.
Value; Max. Value; No New Sessions Value; Use Results For
Load Balancing
Method
Description
Name
SSL Hello Module sends an SSL Hello packet to the server (using SSL3),
and waits for an SSL Hello reply. The session is then closed
(using a RESET command).
Note: Since generating SSL keys on the server is a time
consuming process, it is recommended to use a timeout of 3 to
5 seconds.
Arguments: SSL Versions: V23 or V30. SSL v30 means that
pure SSLv3 is used, SSLv23 means that the client sends an
SSLv2 request to open an SSLv3 session (in Explorer, for
example)
Method
Description
Name
TCP Port Module checks the availability of the specified TCP port.
Arguments: Complete TCP Handshake.
Sets whether the check sends an ACK packet before the RST
packet or not. Setting this parameter to Yes results in the TCP
handshake flow: SYN, SYN_ACK, ACK, RST. Setting this
parameter to No results in the TCP handshake flow: SYN,
SYN_ACK, RST.
UDP Port Module checks the availability of the specified UDP port. This
check does not test the server's availability, but the
application's availability within the server. This is due to the
nature of UDP: when the UDP application is operational, no
reply is received; when the UDP application is not operational,
an ICMP message UDP Port Unreachable is sent, so that the
absence of a reply indicates the application’s availability. This
means that when the server is down, the application might still
be considered as running. Therefore, the UDP Port check
should always be used in combination with another server
availability check, for example Ping or ARP.
Method Arguments
You can configure arguments specific to each Health Check Method.
In APSolute Insite Health Check configuration window, you can use the
Method Arguments button to view and edit arguments for the selected
Method.
When using Web Based Management, CLI, Telnet or SSH, you can
configure the additional arguments using a string with this format:
ARG=VAL|ARG=VAL|
Following each argument, the equation sign should appear, then the
required value. A “|” sign is used as a delimiter between the arguments.
No extra spaces are allowed.
Table 7-2 lists the additional configurable method arguments for each
Check Method, and details mandatory arguments, default values, and
more.
Table 7-2 Health Check Method Arguments
Note: User Defined Checks are available for TCP checks only.
Internet
Server
10.1.1.1
CID
VIP-H 100.1.1.101
VIP-F 100.1.1.102
VIP-R 100.1.1.103
Server
10.1.1.2
Properties:
• There are 2 servers in this configuration, each server providing
these services: HTTP, FTP and RTP.
• CID checks the servers using HTTP Page, FTP and RTSP.
• In order to minimize load on the servers, CID pings each physical
server every 5 seconds, and issues each application check every
20 seconds.
Configuration:
1. From the main window, select APSolute OS >Traffic Redirection
> Farm Parameters. The Farm Table window appears.
2. From the Farm Table window, define 3 farms:
• VIP-H for HTTP
• VIP-F for FTP
• VIP-R for RTSP
For each farm, add two servers: 10.1.1.1 and 10.1.1.2.
b. In the same manner for the second server, set the following
parameters according to the explanations provided:
Check Name: Server2 - HTTP
Destination IP Address: 10.1.1.2
7. Define the third set of check parameters for the servers:
a. In the Health Monitoring Health Check DB window, open the
Check Table window and click Insert. For the first server, set
the following parameters according to the explanations
provided:
Check Name: Server1 - RTSP
Method Name: RTSP
Destination IP Address: 10.1.1.1
Interval: 20
Hostname: /movies/disney.asf
Path: /
b. In the same manner for the second server, set the following
parameters according to the explanations provided:
Check Name: Server2 - RTSP
Destination IP Address: 10.1.1.2
8. Define the third set of check parameters for the servers:
a. From Health Monitoring > Check Table, open the Check
Table window and click Insert. For the first server, set the
following parameters according to the explanations provided:
Check Name: Server1 - Physical
Method Name: Ping
Destination IP Address: 10.1.1.1
Interval: 5
b. In the same manner for the second server, set the following
parameters according to the explanations provided:
Check Name: Server2 - Physical
Destination IP Address: 10.1.1.2
Note: The Interval for this check is shorter than for the previous
checks.
9. From the Regular Checks Table, configure the following:
Web
Server Internet
10.1.1.1
CID
Web VIP 100.1.1.100
Server
10.1.1.2
DB Server
10.1.1.51
Properties:
• CID checks the Web servers using the HTTP Check Method, with a
search string.
• For each Web server, at least one database server should function.
If both database servers are down, each of the Web servers is
considered to be out of service.
Configuration:
1. From the main window select, APSolute OS > Traffic Redirection
> Farm Parameters. The Farm Table window appears.
2. From the Farm Table window, set the following parameters
according to the explanations provided:
Server Farm: 100.1.1.100
Web Server 1: 10.1.1.1
Web Server 2: 10.1.1.2
3. From Health Monitoring > Global Parameters, verify that Health
Monitoring is set to Monitoring Module (page 7-7).
4. From Traffic Redirection > Farm Parameters, ensure that the
relevant farm's Connectivity Method is set to Disabled.
5. From Health Monitoring >Health Check DB Table, click Insert.
6. Configure 2 Web servers:
a. For the first Web server, set the following parameters according
to the explanations provided:
Check Name: Web Server 1 – HTTP
Method Name: HTTP
Destination IP Address: 10.1.1.1
Destination Port: 80
Host Name: www.radware.com
Path: /index.html
Match String: Enter Username:
Match Mode: String Exists
b. For the second Web server, set the following parameters
according to the explanations provided:
Check Name: Web Server 2 – HTTP
Destination IP Address: 10.1.1.2
7. Configure 2 Database servers:
Configuration:
1. From the User Defined Methods, define the following sequence:
Scheduler Algorithm
The scheduler takes packets from the many queues and forwards
them. The scheduler operates through one of two algorithms: Cyclic
and CBQ (Class-Based Queuing).
With the Cyclic algorithm, the scheduler gives each priority a
preference ratio of 2:1 over the immediately adjacent lower priority. In
other words, a 0 queue has twice the priority of a 1 queue, which has
twice the priority of a 2 queue, and so on. The scheduler systematically
goes through queues of the same priority when it is time to forward a
packet with this priority.
The CBQ algorithm has the same packet-forwarding pattern as the
WFQ algorithm, with one significant difference. The CBQ algorithm is
aware of a predefined bandwidth configured per policy. As policies are
configured, they can be given a minimum (guaranteed) allotted
bandwidth number, in Kbps (see Guaranteed Bandwidth, page 8-12).
Note: Unless CBQ is used, policies cannot be configured with an
associated bandwidth.
Application Classification
Application Classification is defined as Per Packet or Per Session. If
Application Classification is defined as Per Packet, the device classifies
every packet that flows through it. In this mode, every single packet
must be individually classified.
If Application Classification is defined as Per Session, all packets are
classified by session. An intricate algorithm is used to classify all
packets in a session until a “best fit” policy is found, fully classifying the
Classification Modes
The following classification modes are available:
• Policies: The device classifies each packet or session by matching
it to policies configured by the user.
• Diffserv: The device classifies packets only by the DSCP
(Differentiated Services Code Point) value.
• ToS: The device classifies packets only by the ToS (Type of
Service) bit value.
• Global RED: Global RED monitors the capacity of all the queues
(i.e., the global set of queues) and randomly discards TCP packets
before the classifier sees them.
• Weighted RED (WRED): The RED algorithm is deployed per
queue (instead of for all the packets in all the queues) and the
priority of the queue has an effect on whether or not a packet gets
dropped.
• Service: Defines the traffic type. The Service configured per policy
can allow the policy to consider other aspects of the packet, such
as the protocol (IP/TCP/UDP), TCP/UDP port numbers, bit patterns
at any offset in the packet, and actual content (such as URLs or
Cookies) deep in the upper layers of the packet. Available Services
are very granular. The default value is none, which covers all
protocols.
• Inbound Physical Port Group: Classifies only traffic received on
physical interfaces of the device. Enables you to set different
policies for identical traffic classes that are received on different
interfaces of the device.
• VLAN Tag Group: Defines VLAN traffic classification according to
VLAN ID tags.
• Traffic Flow Identification: Defines what type of traffic flow is to
be limited via this policy. The available options are:
• None
• Client (source IP)
• Session (source IP and port)
• Connection (source IP and destination IP)
• FullL4Session (source and destination IP and port)
• SessionCookie (must configure cookie identifier)
• Cookie Field Identifier: A string that identifies the cookie field
whose value must be used to determine the different traffic flows.
• Max Number of HTTP Requests per Second: This parameter
limits the number of HTTP requests per second per traffic flow.
Using the field, you can limit the number of HTTP GET/POST and
HEAD requests, arriving from the same user per second. The
Bandwidth Management module keeps track of new requests per
second per traffic flow, whether the traffic flow identification is
SessionCookie or any other parameter.
Note: This is required only when Traffic Flow Identification is set to
SessionCookie. In such a case, the Bandwidth Management
classifier searches for the Cookie Field Identifier followed by “=”
and classifies flows according to the value.
Action
The action determines the access given to traffic. Possible values
include:
• Forward: The connection is accepted and traffic is forwarded to its
destination. This is the default value.
• Block: All packets are dropped.
• Block and Reset: All packets are dropped. In TCP traffic, an RST
packet is sent to the client.
• Block and Bi-directional Reset: All packets are dropped. In TCP
traffic, an RST packet is sent to both client and server.
Priority
If the action associated with the policy is “forward”, then the packet is
classified according to the configured priority. There are nine available
options: Real-time forwarding and priorities 0 through 7.
Guaranteed Bandwidth
If the scheduler is configured to use the CBQ algorithm, the policy can
be assigned a minimum (guaranteed) bandwidth. The scheduler will
not allow packets that were classified through this policy to exceed this
allotted bandwidth, unless borrowing is enabled. The maximum
bandwidth configured for the entire device, as described above,
overrides per-policy bandwidth configurations. In other words, the sum
of the guaranteed bandwidth for all the policies cannot be higher than
the total device bandwidth.
Borrowing Limit
Borrowing can be enabled when the scheduler operates through the
CBQ algorithm. If enabled, the scheduler can borrow bandwidth from
queues that can spare it, to forward packets from queues that have
exceeded (or are about to exceed) their allotted amount of bandwidth.
The combination of Guaranteed Bandwidth and Borrowing Limit fields
value causes the bandwidth allotted to a policy to behave as follows:
Guaranteed Borrowing Limit Policy Bandwidth
Bandwidth
0 0 Burstable with no limit, no
minimum guaranteed.
X 0 Burstable with no limit, minimum
of X guaranteed.
0 Y Burstable to Y, no minimum
guaranteed.
X Y (Y>X) Burstable to Y, minimum of X
guaranteed.
X X Non-burstable, X guaranteed.
Policy Groups
You can define several bandwidth borrowing domains on a device by
organizing policies in groups. Bandwidth that is not utilized by a specific
policy in a group is allocated proportionally to the other policies.
Allowing policies to borrow from each other prevents starvation and
utilizes the bandwidth more efficiently. Only policies that participate in a
specific group can share bandwidth.
The total bandwidth available for a policy group is the sum of the
Guaranteed Bandwidth values of all policies in the group.
Packet Marking
Packet Marking refers to Differentiated Services Code Point (DSCP) or
Diffserv. It enables the device to mark the matched packet with a range
of bits.
Policy Index
The Policy Index or order is a number that determines the order of the
policy in the entire policy database. When the classifier receives a
packet, it tries to find a policy that matches the packet. The classifier
searches the policy database starting with policy #1, in descending
order. Once a policy is matched, the process is stopped. Using this
logic, the very last policy configured should be the policy that is
enforced on all packets that do not match any other policies. In other
words, the last configured policy is the “default” policy.
Note: It is recommended to configure the most frequently used policies
first.
Activation/Inactivation Schedule
Sometimes it is required in the networks that specific policies in a
network must remain inactive during certain hours of the day, or a
certain policy is activated in the middle of the night. For example, a
school library may want to block instant messaging during school
hours, but allow it after school hours, or an enterprise may assign high
priority to mail traffic between 08:00-10:00.
Services
A very advanced and granular set of services can be configured within
the Bandwidth Management system. Services are configured
separately from policies. As each policy is configured, it can be
associated with a configured Service.
The Service associated with a policy in the policy database can be a
basic filter, an advanced filter, or a filter group. This provides
tremendous flexibility for the classifier as it essentially gives the system
a large number of possibilities for packet identification.
Basic Filters
The basic building block of a Service is a basic filter. A basic filter is
made up of the following components:
• Protocol: The specific protocol that the packet should carry. The
possible choices are IP, TCP, UDP and ICMP. If the protocol is
configured as “IP”, all IP packets (including TCP and UDP) are
considered. When configuring TCP or UDP protocol, some
additional parameters are also available:
• Destination Port (From-To): Destination port number for the
selected protocol. For example, for HTTP, the protocol would
be configured as TCP and the destination port as 80. The port
configuration can also allow for a range of ports to be
configured.
• Source Port (From-To): Similar to the destination port, the
source port that a packet should carry to match the filter.
• Offset Mask Pattern Condition (OMPC): The OMPC is a means
by which any bit pattern can be located for a match at any offset in
the packet. This can help in locating specific bits in the IP header,
for example. TOS and Diff-serv bits are perfect examples of where
OMPCs can be useful. It is not mandatory to configure an OMPC
per filter. However, if an OMPC is configured, the packet needs to
match the configured protocol (and ports) AND the OMPC.
Content
When the configured protocol is TCP or UDP, it is possible to search for
any text string in the packet. Like OMPCs, a text pattern can be
searched for at any offset in the packet. HTTP URLs are perfect
examples of how a text search can aid in classifying a session.
The service editor allows you to choose between multiple types of
configurable content: URL, hostname, HTTP header field, cookie, mail
domain, mail to, mail from, mail subject, file type, regular expression,
and text. If the content type is “URL”, for example, then the session is
assumed to be HTTP with a GET, HEAD, or POST method. The
classifier searches the URL following the GET/HEAD/POST to find a
match for the configured text. In this case, the configured offset is
meaningless, since the GET/HEAD/POST is in a fixed location in the
HTTP header. If the content type is “text”, then the entire packet is
searched for the content text, starting at the configured offset.
By allowing a filter to take the actual content of a packet/session into
account, the classifier gains a powerful way to recognize and classify
an even wider array of packets and sessions.
Like Impacts, the configuration of content rules is not mandatory.
However, if a content rule exists in the filter, then the packet needs to
match the configured protocol (and ports), the configured OMPC (if one
exists), AND the configured content rule.
In order for filter group FG1 to be a match, either advanced filter AF1,
basic filter F4, or basic filter F6 have to match the packet being
classified.
Radware devices are preconfigured with a set of basic filters and group
filters that represent applications commonly found in most networks.
Service
Description Filter Name
Name
ERP/CRM
sap Basic
Database
Service
Description Filter Name
Name
Peer-to-Peer
Service
Description Filter Name
Name
Internet
ip IP traffic
telnet
tftp Basic
udp Basic
Instant Messaging
Service
Description Filter Name
Name
mail Group
smtp Basic
imap Basic
pop3 Basic
Networks
What is a Network?
A Network a logical entity that consists of a group of IP addresses
linked together by a network IP and subnet or a range of IP addresses
(from-to), and is identified by a name. A Network can be configured
separately and individual elements of the Network list can then be used
in the individual policy. An entry in the Network list is known as a
configured “name” and can be either an IP/Mask combination or an IP
range. For example, network “net1” can be 10.0.0.0/255.0.0.0 and
network “net2” can be from 10.1.1.1 to 10.1.1.7. The Network list allows
either configuration.
The Bandwidth Management module allows multiple Networks to have
the same configured “name”. This allows a Network with the name
“net1” to actually encompass multiple disjointed IP address ranges.
Essentially, this makes the Network “name” a logical pointer to all
ranges configured with that name. This further facilitates the
configuration and management of the system.
Configuration Guidelines
To configure a Network:
• In the main window, select
APSolute OS > Classes > Networks > Modify > Add.
Port Groups
Port Groups enable you to set different policies for identical traffic
classes that are received on different interfaces of the device. For
example, you can allow HTTP access to the main server only to traffic
entering the device via physical interface 3. This provides greater
flexibility in configuration. You should first configure Port Groups.
Configuration Guidelines
Configuration Guidelines
Configuration
1. In the main window, select APSolute OS > BWManagement. The
Bandwidth Management window appears.
2. In the Bandwidth Management window, click Access Control &
BWM Parameters. The BWM Global Parameters window
appears.
3. In the BWM Global Parameters window, set the following
parameters according to the explanations provided:
Classification Mode: Policies
Application Classification: Per Session
Scheduling Algorithm: CBQ
4. Click Ok to apply the setup and close the window.
5. Configure the required Physical Port Group:
a. In the Bandwidth Management window, click Port Groups. The
Port Groups window appears.
b. In the Port Groups window, click Physical Port Groups.
c. Select the Modify Table tab and click Add. The Edit Physical
Port Group window appears.
d. In the Groups text box, enter a new group: FTP ports.
e. Select the port 5 and port 7 checkboxes.
f. Click Ok.
6. Configure the required VLAN Tag Groups:
a. In the Port Groups window, click VLAN Tag Groups.
b. Select the Modify Table tab and click Add. The Edit VLAN Tag
Groups window appears.
c. In the Edit VLAN Tag Groups window, create two separate
entries for the Citrix VLAN by setting the following parameters
according to the explanations provided:
Group Name: Citrix VLAN
Group Mode: Discrete
VLAN Tag: 2 (first)
7 (second)
d. Click Ok and then click Update Modifications.
7. Add two networks:
a. In the Bandwidth Management window, click Classes. The
Classes window appears.
b. In the Classes window, click Networks. The Network Table
window appears.
c. Select the Modify tab and click Add. The Edit Network Table
window appears.
d. In the Edit Network Table window, set the following parameters
according to the explanations provided:
Network Name: FTP Servers
Network Mode: IP Range
From Address: Create three separate entries for
the FTP Servers with the following
IP addresses:
20.10.1.3
20.10.1.7
20.10.3.17
To Address: The same as the From Address.
e. In the same manner, add the second network by setting the
following parameters according to the explanations provided:
Network Name: Internal
Port Bandwidth
In order to optimize the queuing algorithm, it is essential for the
Bandwidth Management module to be aware of the maximum available
ports’ bandwidth. This can be configured via the BWM Port Bandwidth
table. By default, the maximum available throughput is determined by
the port type - 100 Mbps for FE ports and 1Gbps for Giga ports. The
queuing mechanism only starts functioning upon link saturation.
Configuring the maximum throughput is the only way of determining if
the link is saturated.
Interface Classification
To increase performance, the Bandwidth Management module can be
configured to exclude traffic running through certain physical ports and/
or VLANs from the classification effort. In this way, valuable processing
time can be saved while enabling a simpler method of configuring the
device.
You may cancel classification according to Port or according to VLAN.
Security Introduction
Radware’s CID isolates, detects, and blocks application attacks at
multi-Gigabit speed, protecting against viruses, worms, DoS attacks
and intrusions, and anomalies. CID provides secure Internet
connectivity with high performance, maintaining the legitimate traffic of
end users and customers.
CID performs deep packet inspection at multi-Gigabit speed to provide
security from the network layer up to the application layer. The system
implements a multi-layer approach to security that combines several
mechanisms for attack detection, with advanced mitigation tools that
focus on:
• Intrusions
• DoS
• Anomalies
• SYN Flood
• Anti-Scanning
Detecting
The security modules detect known and unknown attacks. Known
attacks are detected by searching for attack signatures within the
scanned packets. The security modules use a constantly updated
signatures database for attack detection. Known attack detection is
applied by defining Protection Policies. A profile binds together network
addresses and physical ports with a profile of attack protection.
Unknown attacks are detected using protocol anomaly inspection. The
security modules detect IP and UPI protocol anomalies using the
Anomaly module/tool. The protocol anomaly inspection can detect
anomalies on layer 3, 4, and 7 protocols.
Protecting
The security modules protect network and application level resources
against attacks destined for the internal IP addresses of the network
elements or attacks destined for the device. Protection is provided for
Preventing
The security modules enable real-time prevention of attacks within the
defined network. The attack attempts are blocked by terminating the
sessions as they are recognized, either by dropping the malicious
packets or by resetting the connection. Both source and destination
reset options are supported.
The security modules also protect against network port scanning using
the Anti-Scanning module/tool. Hackers perform scanning prior to
launching an attack, looking for open TCP or UDP ports on the target
machine. Blocking this scanning prevents attacks from being launched.
Reporting
When a security module detects an attack, it reports the security event.
An event consists of complete traffic information, including source and
destination IP addresses, TCP/UDP port numbers, physical interface,
date and time of attack, and so on. Event information is registered
internally via the device log file and alerts table, or externally via the
Syslog channel, SNMP Traps, or e-mails.
Using Configware Insite, you can produce advanced statistic reports,
for example, top attacks, total attack traffic, attacks per IP address, and
more.
Security Modules
CID Security comprises the following modules:
• Intrusions
• DoS/DDoS
• SYN Floods
• Anomalies
• Anti-Scanning
Intrusions
Intrusion prevention is a security technology that attempts to identify
potential intrusions into computer systems and prevent their damage
by blocking attacks.
Application level attacks are aimed at mission critical applications.
These attacks threaten application integrity and bring networks and
applications down. Most attacks target web applications, and therefore
cannot be blocked by access control devices.
The CID Intrusions module provides protection against application
specific attacks, which are targeted to damage various network
resources and disable the attacked system. These attacks include the
following categories:
• Web Server attacks aiming to damage or exploit web servers.
• E-mail attacks, for example, sending worms via E-mail.
• Attacks on services, such as FTP or RPC.
DoS/DDoS
When hackers send mass volumes of traffic, they overload networks or
servers, thus causing denied access for real users. This is known as
Denial of Service (DoS) or Distributed Denial of Service (DDoS)
attacks. DoS Shield samples traffic flowing through the device and
limits the bandwidth of traffic that was recognized as DoS attack using
predefined action.
SYN Floods
A SYN flood attack is a denial of service attack where the attacker
sends a huge amount of please-start-a-connection packets and no
follow up packets.
CID provides protection against any type of SYN flood attack,
irrespective of the tools that are used to launch the attack. This
protection service utilizes a mechanism called SYN Cookies that
performs delayed binding (terminates TCP sessions) and inserts a
certain signature into the TCP sequence field.
Anomalies
To avoid detection, hackers may use evasion techniques, such as
splitting packets and sending attacks in fragments. An attack that
contains fragmented packets is called Protocol Anomaly attack. The
Protocol Anomaly attacks are detected and blocked using the Protocol
Anomaly Protection mechanism.
The Anomalies module provides protection using two sub-groups:
• Protocol Anomaly Protection
• HTTP Anomaly Protection
Protection against Protocol Anomaly attacks is achieved by dropping
the malicious packets.
Anti-Scanning
Prior to launching an attack, a hacker normally tries to identify which
TCP and UDP ports are open. An open port represents a service,
application, or backdoor. Ports that are unintentionally left open can
create a serious security problem.
The Anti-Scanning module provides a mechanism aimed at preventing
hackers from gaining this information by blocking and altering server
replies sent to the hacker.
This module provides protection against network and port scanning by
protecting against known scanning tools and scanning tools awaiting
the positive reply (SYN-ACK for TCP or UDP reply). The filters in this
group block all traffic returned from the scanned server.
You can set the following general security settings in the Security
Parameters window:
• Application Security
• DoS Shield
• Protocol Anomaly Protection
Session-Drop
Mechanism Status When enabled, terminates the whole
session when a single malicious
packet is recognized.
Minimum Risk Level The device will scan traffic only for
attacks with a risk level equal or higher
than the value of this parameter. This
parameter is valid only for signature-
based attacks (Application Security
and DoS Shield).
• High
• Medium
• Low
• Info - An IPS attack for which the
Risk parameter is set to Info is an
IDS signature.
2. Select the Start Protection checkbox.
3. To terminate the whole session if a single malicious packet is
recognized, check Session-Drop Mechanism Status.
4. Click Ok. You will be prompted to reboot the device.
5. Click Ok to reboot CID. You can start using the Intrusions, DoS/
DDoS, Anomalies, and Anti-Scanning security modules.
Behavioral DoS
The B-DoS security policy contains security profiles that are activated
within predefined ranges of ports/VLANs, or within a predefined
network.
Note: Prior to configuring the Behavioral DoS shield module you
must enable it .
Defining Connectivity
When creating a security policy, you must initially define connectivity.
This is performed by defining either port groups/VLANs or IP address
ranges for each policy in the Connect & Protect Table.
Policies are represented by rows in the Connect & Protect Table. For
each row, you can set connectivity and security services according to
the module breakdown (Intrusions, DoS/DDoS, Anomalies, SYN Flood,
Anti-Scanning).
5. Click the Modify Table tab. The Modify Table pane appears.
6. Select the table entry for the group that you would like to modify.
7. Click Edit. The Edit Physical Port Group window appears.
8. Check the ports that you would like to add to the group.
9. Click Ok. The port group is updated.
Configuring VLANs
You can define which VLANs are to be scanned.
VLAN Tag To: The last VLAN tag in the range. Set VLAN
Tag To if Group Mode is set to range.
5. Click Ok. The Edit VLAN Tag Groups window closes.
Configuring Networks
You can set the network IP address range that is to be scanned.
Suspend Table
The Suspend Table allows you in addition to defining the action to be
taken for attacks also to set the device to suspend traffic from the IP
address that was the source of the attack for a defined period of time.
The Suspend Action is available as an option for the attack types:
• Intrusions
• Anomalies
• Anti-Scanning
• DoS/DDoS
Profile Description
Profile Description
Manual Update
If you have an updated file that was downloaded manually from the
Radware website, you can upload the signatures file to CID manually.
2. In the Upload Attacks table, check the devices to which you want
to send the signatures database update.
Note: You must choose only the devices that have an Application
Security Signature File Update Service Agreement with Radware
Support.
3. Click Browse and navigate to the signature file that you
downloaded from the Radware Security Zone (http://
www.radware.com/content/security/attack/weeklyupdates.asp).
4. Click Send Attacks File To Selected Devices. An upload
progress bar and progress message are displayed for each
selected device.
5. Click Ok. The selected devices are updated.
Note: The End Hour option must not be enabled for this task.
11. In the Upload Attacks table, check the devices to which you want
to send the signatures database update.
Note: Select only devices that have an Application Security
Signature File Update Service Agreement with Radware Support.
12. Click Browse and navigate to the signature file that you
downloaded from the Radware Security Zone (http://
www.radware.com/content/security/attack/weeklyupdates.asp).
13. Click Send Attacks File to Selected Devices. An upload
progress bar and progress message are displayed for each
selected device.
14. Click Ok. The selected devices are updated.
Introduction to Intrusions
The Intrusions Prevention module provides advanced intrusion
detection and prevention capabilities. The Intrusions module provides
maximum protection for network elements, hosts, and applications by
preventing various intrusion attempts including worms, Trojan horses,
buffer overflow, and other application oriented attacks.
Types of Attacks
Attack recognition is performed by comparing each packet to the set of
signatures stored in the Signatures database.
The attacks handled by the Intrusions module can be divided into the
following types:
• Network-Oriented Attacks
• Operating-System Oriented Attacks
• Application-Oriented Attacks
Network-Oriented Attacks
Network-based attacks use network layer packets, such as IP, TCP,
UDP, or ICMP packets to either learn about or damage a destination
host.
Examples include malformed packets that can cause a server to crash,
such as Ping of Death, or a ping packet in which the source address is
the same as the destination address, like in Land Attack.
Application-Oriented Attacks
Application-oriented attacks are designed to break into application
servers. Such attacks can be recognized by searching for known
signatures of each application in the packets, for example, a specific
path or a particular command that appears in a packet.
Attacks of the application-oriented type attempt to exploit vulnerabilities
in the applications. Intrusion Prevention protects against these attacks
by enabling web-related protection policies.
For example:
• SQL Injection Attacks
• Cross-Site Scripting Attacks
Each filter (Figure 9-4) contains one specific signature. Filters are
detectors that scan and classify the predefined traffic. The filter’s main
purpose is to match the specific packet within the traffic scanned by this
filter and the attack signature from the Radware Attack Signatures
database (see Managing the Signatures Database, page 9-25).
An attack can employ one or more filters. When more than one filter is
used, the scanning process represents a logical AND relation between
the filters involved. This means that the classification mechanisms of all
filters applied to the same attack are involved in the scanning process,
or in other words, the traffic is checked for all the signatures defined in
the attack’s filters.
Note: For each custom attack, you must define custom filters. You
cannot use filters from other attacks when you define a custom attack.
An attack’s settings parameters define how the malicious packet is
tracked and treated once its signature is recognized. Each attack is
bound to a “Tracking” function that defines how the packet is handled
when it is matched with the signature. The main purpose of these
functions is to determine whether the packet is harmful and to take an
appropriate action. There are two types of match functions:
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Filter Parameters
The parameters of each filter are divided into the following categories:
• Description Parameters
• Protocol Definition Parameters
• OMPC (Bit pattern) Definition Parameters
• Content Definition Parameters
Description Parameters
Description parameters (Table 9-4) are the user-defined descriptions of
the custom attack.
Parameter Description
Parameter Description
Application Port The group of Layer 4 ports for UDP and TCP
Groups traffic only. Each group is identified by its
unique name. Each group name can be
associated with a number of entries in the
Application Port Groups table.
The values can be: 0 - 65535.
Parameter Description
Source Port Group Intended for UDP and TCP traffic only.
Select from the list of groups configured in the
Application Port Groups table.
Parameter Description
OMPC Pattern The fixed size pattern within the packet that
the OMPC rule attempts to find.
Possible values: a combination of
hexadecimal numbers (0-9, a-f).
The value must be defined according to the
OMPC Length parameter. The OMPC Pattern
parameter definition must contain eight
symbols. If the OMPC Length value is lower
than fourBytes, you need complete it with
zeros. For example, if OMPC Length is
twoBytes, OMPC Pattern can be: abcd0000.
Default value: 00000000.
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Content Type File Type: The type of the requested file in the
(cont.) http GET command (jpg, exe, and so on).
Parameter Description
Parameter Description
Affected Products
The MSBlast worm affects the following Microsoft products:
• Microsoft Windows NT® 4.0
• Microsoft Windows NT 4.0 Terminal Services Edition
• Microsoft Windows 2000
• Microsoft Windows XP
• Microsoft Windows Server™ 2003
Impact
A remote attacker could exploit these vulnerabilities to execute
arbitrary code with Local System privileges or to cause a
denial-of-service condition.
Protection is obtained by adding two custom attacks and grouping them
together.
Introducing DoS/DDoS
Radware’s security scheme provides organizations with extensive
Denial of Service (DoS) detection and protection capabilities while
maintaining high network throughput.
When hackers send mass volumes of traffic, they overload networks or
servers, thus causing denied access for real users. This is known as
Denial of Service (DoS) or Distributed Denial of Service (DDoS)
attacks.
DoS occurs as a result of various types of flooding caused by hackers,
such as UDP, TCP, and ICMP. The DoS/DDoS module provides
protection against packet flooding, thereby preventing denial of service.
Another challenge when mitigating DoS attacks is to deal with hackers,
who are becoming increasingly sophisticated. A basic DoS attack
floods the network with TCP, UDP, or ICMP packets that are generated
by common tools available on the Internet. Basic SYN attacks can be
accommodated by detecting incomplete TCP requests. However,
hackers may also use new techniques and tools, such as Naphta,
which creates a Connection Attack by completing a TCP handshake
without any data traffic.
Another type of DoS attack can be caused by one or few packet
attacks. These attacks exploit a server or network vulnerability, such as
buffer overflows, Ping of Death, Land Attack, and so on.
Incoming Packet
Match
Activate
Compare to Match Attacks
Currently Active Attacks List
No
Match Pre-Configured Action
Termination Threshold for a duration of the Aging Period for that attack.
The Aging Period allows you to set a number of Sampling Time
periods. In order for the attack to be considered over, the counters for
the attack must not cross the Termination Threshold during the
configured Sampling Time periods. The attacks’ status then reverts to
Dormant and, its termination is reported to the management station.
You can also preconfigure an attack as Currently Active. In that case,
every packet passing through the device is always matched against
that attack filter, regardless of the Attack Termination Threshold.
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Filter Parameters
The parameters of each filter are divided into the following categories:
• Description Parameters
• Protocol Definition Parameters
• OMPC (Bit pattern) Definition Parameters
• Content Definition Parameters
Description Parameters
Description parameters (Table 9-4) are the user-defined descriptions of
the custom attack.
3. In the Modify pane, click Add and define the following parameters
according to the explanations provided:
Name: A user-defined group name.
From Port: Define the first port in the range.
To Port: Define the last port in the range.
Notes:
• To define a group with a single port, set the same value for the
From Port and To Port parameters.
• To associate a number of ranges with the same port group, use the
same group name for all the ranges that you want to include in one
group.
4. Click Ok. A new row appears in the Application Port Groups table.
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Filter Parameters
The parameters of each filter are divided into the following categories:
• Description Parameters
• Protocol Definition Parameters
• OMPC (Bit pattern) Definition Parameters
• Content Definition Parameters
Description Parameters
Description parameters (Table 9-4) are the user-defined descriptions of
the custom attack.
5. In the Attack Name field, enter the new user-defined name for the
attack group.
6. Click Ok to return to the Connect & Protect Table window.
7. From the All Dos Attacks list, select the attacks you want to
include in the group and move them to the Selected Attacks pane
by clicking the Add button.
Editing Attacks
To edit an attack:
1. From the main APSolute Insite window, open the APSolute OS
menu and select Security. The Connect & Protect Table window
appears.
2. In the Connect & Protect Table window, double-click inside the
DoS/DDoS column. The Settings pane appears.
3. From the All DoS Attacks list, select the attack group that you
want to edit and click Edit Attack. The Attack Configuration
window appears.
4. Edit the parameters of the group (see Custom Attack Groups,
page 9-64).
5. Click Ok. Your preferences are recorded.
Notes:
• Note that the B-DoS module is based on anomalous traffic
detection and signature creation on the fly. The average time for a
new signature creation may vary between 10 and 30 seconds.
Flood attacks usually take place for minutes or hours.
• For more information about the B-DoS module underlying
technology, please click on the following link: http://
www.radware.com/content/document.asp?_v=about&document=6560
Quota Settings
The B-DoS quota limits are the percentage of total inbound and
outbound bandwidth that a specific protocol is permitted to use.
Sampling Status
The Sampling status allows you to aggregate Traffic Statistics in order
to improve performance levels.
When down sampling is enabled the system screens only part of the
traffic. The down sampling mechanism dynamically selects the most
appropriate portion of traffic that need to be examined in order to
preserve the system’s resources while maintaining minimal sampling
error. High sampling errors increase the chances for false positive
detections.
Bypass Footprints
Flood attacks commonly disrupt networks by using all or most available
network bandwidth.
You can configure CID to detect and block network flood attacks by
defining attack footprints. Attack Footprints are selected fields in the
packet header or payload. CID automatically detects the footprints and
generates filters to protect against the attack.
For an explanation of the bypass types and values for each attack
group, See Footprint Bypass Fields, page 9-117.
Default
Footprint ICM IGM
UDP TCP Bypass Range
Type P P
Values
TCP NR NR + NR 0 - (2^32-1)
Sequence
Number
IP ID Number + + + + 0 - (2^16-1)
DNS ID + NR NR NR 0 - (2^16-1)
Source IP + + + + 0.0.0.0.
255.255.255.
255
ToS + + + + 1 - 255
Default
Footprint ICM IGM
UDP TCP Bypass Range
Type P P
Values
Destination + NR + nr 0 - (2^16-1)
Port
Destination IP + + + + 0.0.0.0 -
255.255.255.
255
ICMP/IGMP NR + NR + 0-255
Message
Type
TTL + + + + 0-255
1 SYN
2 SYN-ACK
3 ACK
4 HTTP-GET
New Client Entry
SYN
SYN-ACK
ACK
HTTP-GET
To enable Layer 4:
1. From the main APSolute Insite window, right-click the CID icon and
select SetUp. The SetUp window appears.
2. In the SetUp window, click Global. The Global pane appears.
3. In the Global pane, select Session Table Settings and click Edit
Settings. The Session Table Settings window appears.
4. In the Session Table Settings window, enter the following values:
Session Table Status: Enabled
Session Table Lookup Mode: Full Layer 4
5. Click Ok to exit all windows.
Note: When using the SYN Flood Protection Filters (that are part of
the Security module), you must set the inbound and outbound
traffic to operate in the Process mode.
Parameter Description
Parameter Description
Parameter Description
4. In the SYN Flood Settings pane, click View SYN Order. The SYN
Protection Policies window appears, as shown below:
7. In the Modify pane, click Add and set the following parameters
according to the explanations provided:
Name: A user-defined group name for the
application port.
From Port: The first port in the range.
To Port: The last port in the range.
Notes:
• To define a group with a single port, assign the same value to From
Port and To Port.
• To associate a number of ranges with the same group, use the
same group name for all the ranges that you want to include in the
group.
8. Click Ok. A new row appears in the Application Port Group table.
9. Click Ok. The Application Port Group window closes.
10. From the Destination App. Port Group drop-down list, select a
group that was defined in the Application Port Groups table.
11. In the Attack Description field, enter a description of the attack.
12. Click Ok. The SYN Attack Configuration window closes, and a
new user-defined attack appears in the All Regular Filters pane of
the Connect & Protect Table window.
Parameter Description
Parameter Description
Anomalies Introduction
To avoid IDS, hackers may use evasion techniques, such as splitting
packets and sending attacks in fragments. An attack that contains
fragmented packets is called a Protocol Anomaly attack. Protocol
Anomaly attacks are detected and blocked using the Protocol Anomaly
Protection mechanism.
Protocol Anomaly attacks are recognized by the packet’s size. In a
Protocol Anomaly attack, the size of the fragmented packets exceeds
the boundaries of the predefined length. Protection against Protocol
Anomaly attacks is achieved by dropping the suspect packets.
HTTP Anomalies
Hackers split the URL across multiple packets. This attack enables
hackers to insert malicious data into the web server.
When the size of the URI packet exceeds the lower boundary of the
predefined length, the packet may contain fragmented URI. When the
size of the URI packet exceeds the higher boundary of the predefined
length, the buffer overflow is indicated.
Protocol Anomalies
The Protocol Anomalies group contains signatures of miscellaneous
protocol misbehaviors. Signatures in this group prevent the usage of
miscellaneous Protocol Anomalies that could indicate a new
exploitation of a protocol vulnerability or a DoS attack.
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Filter Parameters
The parameters of each filter are divided into the following categories:
• Description Parameters
• Protocol Definition Parameters
• OMPC (Bit pattern) Definition Parameters
• Content Definition Parameters
Description Parameters
Description parameters (Table 9-4) are the user-defined descriptions of
the custom attack.
3. In the Modify pane, click Add and set the following parameters
according to the explanations provided:
Name: A user-defined group name.
From Port: Define the first port in the range.
To Port: Define the last port in the range.
Notes:
• To define a group with a single port, set the same value for the
From Port and To Port parameters.
• To associate a number of ranges with the same port group, use the
same group name for all the ranges that you want to include in one
group.
4. Click Ok. A new row appears in the Application Port Groups table.
Introduction to Anti-Scanning
Prior to launching an attack, hackers usually try to identify what TCP
and UDP ports are open. An open port represents a service,
application, or backdoor. Open ports that were left open unintentionally
can create a serious security problem. Application Security provides a
mechanism intended to prevent hackers from gaining this information
by blocking and altering server replies sent to the hacker.
Network Scanning
Legitimate traffic is sent to a recipient in order to learn about the system
and the applications, intending to perpetrate future attacks. As the
packets sent by the attacker are legitimate, analyzing the whole flow of
traffic is the only way to detect the scanning.
Anti-Scanning Module
The Anti-Scanning module provides protection against network and
port scanning. The Scanning Tool contains signatures of miscellaneous
network scanning tools. These signatures protect the network from the
scanning tools that attempt to scan your network.
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Parameter Description
Filter Parameters
The parameters of each filter are divided into the following categories:
• Description Parameters
• Protocol Definition Parameters
• OMPC (Bit pattern) Definition Parameters
• Content Definition Parameters
Description Parameters
Description parameters (Table 9-4) are the user-defined descriptions of
the custom attack.
7. In the Modify pane, click Add. The Edit Application Port Groups
window appears.
8. In the Edit Application Port Groups window, set the following
parameters according to the explanations provided:
Name: A user-defined group name.
From Port: The first port in the range.
To Port: The last port in the range.
Notes:
• To define a group with a single port, assign the same value to From
Port and To Port.
• To associate a number of ranges with the same port group, use the
same group name for all the ranges that you want to include in the
group.
9. Click Ok. A new row appears in the Application Port Group table.
Editing Attacks
To edit an attack:
1. From the main APSolute Insite window, open the APSolute OS
menu and select Security. The Connect & Protect Table window
appears.
2. In the Connect & Protect Table window, double-click inside the
Anti-Scanning column. The Settings pane appears.
3. In the All Anti-Scanning Attacks list, select the attack that you
want to edit and click Edit. The Attack Group Configuration
window appears.
4. Edit the parameters of the group (see Custom Attack Groups,
page 9-64).
5. Click Ok. Your preferences are recorded.
Parameter Description
Parameter Description
To configure IP fragments:
1. From the main APSolute Insite window, open the APSolute OS
menu and select Security. The Connect & Protect Table window
appears.
2. In the Connect & Protect Table window, click Settings. The
Security Settings window appears.
TCP Reassembly
CID detects and prevents TCP traffic evasion techniques. Application
level attacks, such as worms, viruses, Trojans, and buffer overflow,
require deep packet inspection capability in order to be detected while
being transferred over network protocol. As the detection engine is
signature-based, there may be cases where the attack signature is split
among two or more packets within a TCP application flow. In such
cases, the signature detection engine may be bypassed.
To prevent the appearance of application level attacks, CID inspects
Level 7 attack signatures within a TCP stream regardless of the actual
location of the signature in the data stream.
To support Content Type (Level 7) filters, the TCP Reassembly feature
performs protocol parsing according to the content field. For example,
when applying an HTTP URL filter on the traffic, the device extracts the
URI field from each HTTP-GET packet within a TCP session, and
reassembles the specific field over several packets.
TCP Reassembly is effective for attack signatures in Intrusions,
Anomalies, Anti-Scanning, and Application Security for DoS.
TCP Reassembly is applied on TCP data portions and on application
data according to the Content Type in the filter.
Notes:
• The TCP Reassembly feature is supported on SME platforms only.
• TCP Reassembly is performed for consecutive packets only.
When an attack is located, it is reported by name. No indication is
provided whether the attack was detected on a reassembled stream.
The device sends the reassembled datagram as evidence of the attack.
Event Parameters
Devices send various types of information about a security event
(attack).
Parameter Description
Physical Port The actual port on the device from which the
attack arrived.
Parameter Description
Parameter Description
Reporting Channels
CID supports the following reporting channels:
• Traps
• Email Traps
• Logs
• Syslog Messages
Sending Traps
Traps can be sent from the device to any computer that you choose.
You must enable the device to send SNMP traps to other computers,
for example to the management station, by defining the computers as
targets.
Trap Notification is set up through the device’s Target Address table.
For example, to ensure that the management station receives traps,
configure its IP address into the Target Address table. You can specify
SNMP parameters and select which type of notification it receives. In
the Community Table, you can designate that specific users are
allowed access to the traps.
Note: After configuring the device to send SNMP traps, enable the
device to start sending traps.
Email Traps
E-mail traps can be sent to specific users in a similar manner to the
way in which SNMP traps are sent.
Logging
When the device recognizes security events, they are logged in an
all-purpose cyclic Log File. The device’s Log File can be accessed at
any time, but it is limited in size. When the number of entries is beyond
the permitted limit, the oldest entries are overwritten. You are notified
regarding the status of the Log File utilization. The notifications appear
when the file is 80% utilized and 100% utilized.
To start the logging process, configure one or more devices to perform
logging.
Syslog Messages
Syslog messages can be sent to a syslog station in a similar manner to
the way SNMP traps are sent.
Security Reports
Security Reports enable reporting capabilities, such as user-defined
Reports, Geographical Security Map, Multi Device Dashboard,
enhanced data management in the Attack Log, as well as data
correlation capabilities between the Security Reports and Attacks Log.
The reports are presented by graphs, views, and tools, which enable
you to understand attack activity and its impact on your network. You
can view attack activity over time, types of attacks, the attack risk level,
attack bandwidth, and attack sources and destinations.
The Security Reporting module allows you to view filters and create
predefined/user-defined reports, as well as a unified filtering and
reporting mechanism. Each view filter can be defined by the user and
can be used for both the Events Log and Reports view. In addition, the
predefined reports list is used for both the Events Log and Reports
view. For example, you can display a Top 10 Attacks report in the
Events Log, and switch to the Reports view to see the relevant
information in a graphical view. The same information is displayed in
two different views. You can also choose to apply a viewing filter in the
Reports view and then switch to Attacks Log to display the information
after the filtering process.
The Security Reporting module allows you to view information in eight
different views, including:
• Dashboard View: Displays the Security Radar and dashboard pie
charts.
• Attacks Log View: Displays the Attacks Event log, including all
trap parameters.
• Reports View: Displays the different Security Reports in a
graphical view (bar, plot, and so on).
• Geographical Map: Displays a geographical map of the world with
indications of the sources of attacks.
• Attacks Log and Reports Split View: Displays both the Attacks
Log and Reports in a split screen view. The applied view filters
affect both simultaneously.
• Attacks Log and Packet Data View: Displays both the Attacks
Log and Packet Capture Data in a split screen view.
Application Switch 1
Application Switch 2
Application Switch 3
Application Switch 4
Application Switch 5
Application Switch 1
Feature Description
Reset: Allows you to reset the device
Feature Description
This display indicates the display mode of the
Port LEDs as follows: From top line, left to right:
Mode Indication
LNK: LNK - Link Status
FE: Ethernet Mode (for fast ethernet
ports only)
COL: Collisions
ERR: Errors
ACT: ACTIVITY
FD: Duplex Mode
TX: Transmission Activity
RX: Receiving Activity
RS-232C Console Port
Feature Description
Mode Indication
FD: On - Indicates Full Duplex mode.
Off - Indicates half Duplex mode.
COL: On - Indicates collisions are occur-
ring
ERR On - indicates errors are occurring.
TX Flashing indicates that the port is
transmitting data
RX Flashing indicates that the port is
receiving data.
The status LEDs for the 8 fast Ethernet Ports
Feature Description
Power Socket The socket to which the power cable is connected
Application Switch 2
Feature Description
These LEDs indicate the status of the following:
PWR: The device is powered.
SYS: The application is currently running. This
LED is off when the application is still loading or
has failed.
FAN: When lit, indicates that the fans are not
operational.
RST: Reset button.
Gigabit Ethernet Port (1-5) and LED. The LED
indicates the following information:
Upper LED:
On - Physical connection detected.
Off - No physical connection detected.
Middle LED:
Lit Green - Port is receiving data.
Lit Red - Receive loss or no physical connection
Lower LED:
Lit Green - Port is transmitting data
Lit Red - Transmission faults
Feature Description
Mode: Allows you to change the display mode of
the Fast Ethernet Port LEDs.
Feature Description
Power Socket The socket to which the power cable is connected
Power Switch On / Off power
Act Boot DipSwitch 1 (First left) this switch determines the
active boot on the device.
Switch “Down” Boot 1 is active.
Switch “Up” Boot 2 is active
RS-232C RS-232C Console Port for out-of-band manage-
ment
Compact Flash Insertion point for Compact Flash Card
Application Switch 3
Feature Description
These LEDs indicate the status of the following:
PWR: The device is powered.
SYS: The application is currently running. This
LED is off when the application is still loading or
has failed.
FAN: When lit, indicates that the fans are not
operational.
RST: Reset button
The 10 Gigabit Ethernet Port and LEDs. The
LED indicates the following information:
Upper LED:
On - Physical connection detected.
Off - No physical connection detected.
Middle LED:
Lit Green - Port is receiving data.
Lit Red - Receive loss or no physical connection
Lower LED:
Lit Green - Port is transmitting data
Lit Red - Transmission faults
Feature Description
Gigabit Ethernet Ports (G1-G8) and LEDs. The
LED indicates the following information:
Upper LED:
On - Physical connection detected
Off - No physical connection detected
Middle LED:
Lit Green - Port is receiving data
Lit Red - Receive loss or no physical connection
Lower LED:
Lit Green - Port is transmitting data
Lit Red - Transmission faults
Fast Ethernet Ports (F1-F16) and LEDs
Left LED:
Lit green - Indicates 100BaseT mode.
Flashing green - Indicates that data is being
transferred via the port in 100BaseT mode
Lit Yellow - Indicates 10BaseT mode
Flashing yellow - Indicates that data is being
transferred via the port in 10BaseT mode
Off indicates no link.
Reset: Resets the device.
Feature Description
Power Socket The socket to which the power cable is connected
Power Switch On / Off power
Feature Description
Act Boot DipSwitch 1 (First left) this switch forces the
device to use the internal flash application version
after a reboot has occurred.
Switch “Down” device reboots from compact flash
(default).
Switch “Up” device reboots from internal flash.
RS-232C RS-232C Console Port for out-of-band manage-
ment.
Compact Flash Insertion point for Compact Flash Card.
Application Switch 4
Feature Description
Gigabit Ethernet Ports (G1-G8) and LEDs. The
LED indicates the following information:
When the LED is illuminated this indicates that
the port is connected.
When the LED is flashing this indicates that there
is activity on this port.
Fast Ethernet Ports (F1-F16) and LEDs
Left LED:
Lit green - Indicates 100BaseT mode.
Flashing green - Indicates that data is being
transferred via the port in 100BaseT mode
Lit Yellow - Indicates 10BaseT mode
Flashing yellow - Indicates that data is being
transferred via the port in 10BaseT mode
Off indicates no link.
Feature Description
On the Copper ports – G1 to G12 you have two
LEDs on each port. The left LED indicated Link/
Activity or No Link and the right LED indicated the
speed on the port.
Feature Description
Power Socket The socket to which the power cable is connected
Power Switch On / Off power
Act Boot DipSwitch 1 (First left) this switch forces the
device to use the internal flash application version
after a reboot has occurred.
Switch “Down” device reboots from compact flash
(default).
Switch “Up” device reboots from internal flash.
RS-232C RS-232C Console Port for out-of-band manage-
ment.
Compact Flash Insertion point for Compact Flash Card.
Ethernet Port Ethernet Port (for debugging purposes only -
Radware R&D only).
Application Switch 5
Feature Description
Gigabit Ethernet Ports (XG-1 / XG-2) and LEDs.
The LED indicates the following information:
When the LED is illuminated this indicates that
the port is connected.
When the LED is flashing this indicates that there
is activity on this port.
Feature Description
Reset: Resets the device.
Feature Description
Power Socket The socket to which the power cable is connected
Power Switch On / Off power
Act Boot DipSwitch 1 (First left) this switch forces the
device to use the internal flash application version
after a reboot has occurred.
Switch “Down” device reboots from compact flash
(default).
Switch “Up” device reboots from internal flash.
RS-232C RS-232C Console Port for out-of-band manage-
ment.
Compact Flash Insertion point for Compact Flash Card.
Ethernet Port Ethernet Port (for debugging purposes only -
Radware R&D only).
7. Turn on the power to the unit. When the device is connected and
operating properly, the PWR and System Ok indicators on the front
panel are lit continuously.
LAN Connections
The cables used for LAN Connections differ as follows:
Fast Ethernet Port: Standard UTP or STP Ethernet
cable, RJ45 connector.
Gigabit Ethernet Port: 1000BaseSX fiber optic cable - SC
connector.
10 Gigabit Ethernet 10 GBaseLR fiber optic cable.
Port:
Note: ASl version 2 and ASll can use both cross and straight cables
when Auto Negotiation is enabled.
Interfaces - Introduction
Radware Application Switch platforms may have as few as 8 network
interfaces and as many as 24. It is helpful to understand interface-
indexing conventions before you perform configuration tasks such as
displaying interface status and setting physical parameters (such as
speed, duplex mode or auto-negotiation) via the command line
interface (in web-based management and Insite interface description
makes it easier to understand interface-index convention).
Note: On the back of the device there is an ethernet port. This port is
for R&D debugging purposes only. It has no other use.
>u
port ( "com1", "com2" or Enter to choose the default ("com1")):
com1
baud rate (valid baudrate) or Enter to choose the current: 19200
Specification Table
AS4
Feature AS1 AS2 AS3 A5
System
Memory
Network Interfaces
AS4
Feature AS1 AS2 AS3 A5
Power
Power Supply Auto- Auto- Auto- Auto-range Auto-range
range range range
100v- 240v 100v- 240v
90v - 90v - 90v -
50-60Hz single or dual 50-60Hz
264v 264v 264v
power supply single or
50-60Hz 50-60Hz 50-60Hz dual power
Or
single or single or supply
Or
dual dual 38-72VDC
Or
38- power power
supply supply single / double
72VDC 38-72VDC
Or single /
double
38-
72VDC
single /
double
AS4
Feature AS1 AS2 AS3 A5
Dimensions
Height 44 mm 44 mm 44 mm 88 mm 88 mm
(1U) (1U) (1U)
88 mm 88 mm
(2U) for (2U) for
dual dual
power power
supply supply
Environmental
AS4
Feature AS1 AS2 AS3 A5
Certifications
1000Base-SX (Multi-Mode)
Agilent
• HFBR-5710LP
Finisar
• FTRJ-8519P1BNL
1000Base-SX (Multi-Mode)
Stratos Lightwave
• MGBC-20-4-1-SV
Finisar
• FTR-8519-3D
1000BaseT
3.3V
DLink
• DGS-711
5V
Finisar
• FCM-8520-3
Note: There are two revisions of Application Switch 2. Revision 4
requires 5v Gbics and revision 3 requires 3.3v Gbics. Revision 4 can
be identified by the title “CN2” on the label on the back panel of the
device, and revision 3 has the title “CN1”.
1000Base-SX (Multi-Mode)
Agilent
• HFBR-5710LP
Finisar
• FTRJ-8519P1BNL
1000BaseT
dataMate
• DM7041-L
CD 1 1 - 1 - -
RxD 2 2 2 2 RxD
TxD 3 3 3 3 TxD
DTR 4 4 - 4 - -
GND 5 5 - 5 5 GND
DSR 6 6 - 6 - -
RTS 7 7 - 7 - -
CTS 8 8 - 8 - -
RI 9 9 - 9 - -
The device Power LED • Check that the If the problem persists,
is lit, however the there serial cable is please contact Radware
is no console response. properly connected Technical Support.
to the device.
• Check that the
serial port
parameters,
including speed,
are correctly
configured.
The Device LEDs are lit Connect to device serial If the problem persists,
however the device port and open terminal please contact Radware
does not communicate connection. If fatal error Technical Support.
via the LAN ports. messages appear on
the terminal and no
product prompt appears
this indicates an
incomplete boot
process.The following
process should be
implemented to
eliminate possible
causes:
1. Stop during boot
countdown and
erase configuration
(q1 command)
2. Reboot ("@") and
fill in connectivity
data (IP address) in
Startup
Configuration
window.Should the
problem persist,
check in the
release notes if the
product matches
the running boot
version. If not,
update boot .
• Pinging: If, when pinging the farm, the CID device does not reply,
the reason may be that the device does not have access to an
available cache server in the farm. The device requires at least one
available cache server in the farm in order to reply. If the farm does
not respond to the ping, you can ping the physical interface,
• If the interface replies and the device receives the ping request,
there is a problem with the content inspection server and not
the device.
• If there is no reply from the device, the problem is between the
device and the workstation, or the pinging to the physical
interface was disabled.
Table Size
URL Table 65K
CID
Farm IP: 10.1.1.100
IP: 10.1.1.10
Server 1
IP: 10.1.1.1
Loopback:
10.1.1.100 Def
router: 10.1.1.20
Server 2
IP: 10.1.1.2
Router Loopback: 10.1.1.100
IP: 10.1.1.20 Def router: 10.1.1.20
Server 3
IP: 10.1.1.3
Loopback: 10.1.1.100
Def router: 10.1.1.20
Servers are defined in the CID, along with their IP addresses, and are
configured as Local Triangulation participants. For more information,
see Local Triangulation, page 4-80.
When Internet traffic from clients arrives at a CID farm, CID selects the
least busy server as its destination and forwards the request to it, using
the predefined loopback IP (farm IP). The server then sends the reply
directly to the default gateway, saving the need to go through CID.
'^' and '$'. These symbols indicate the beginning and end of a string,
respectively, as follows:
• "^The": Matches any string that starts with "The"
• "of despair$": Matches a string that ends in the substring "of
despair"
• "^abc$": A string that starts and ends with "abc" – this can only
be "abc"
• "notice": A string that has the text "notice" within it.
If neither of the two characters is used (as in the last example), this
means that the pattern may occur anywhere within the string – and is
not "hooked" to any of the edges.
Symbols '*', '+', and '?' indicate the number of times a character
or a sequence of characters may occur. These symbols mean "zero or
more", "one or more", and "zero or one" respectively.
For example:
• "ab*": Matches a string that has an a followed by zero or more
b's ("a", "ab", "abbb", etc.)
• "ab+": Same, but there is at least one ”b” ("ab", "abbb", etc.)
• "ab?": There might be one or no ”b”
• "a?b+$": A possible ”a” followed by one or more ”b”'s ending a
string
Bounds can also be used. Bounds are defined inside the brace
brackets and indicate ranges in the number of occurrences:
• "ab{2}": Matches a string that has an ”a” followed by exactly two
”b”'s ("abb");
• "ab{2,}": Matches a string that has at least two ”b”'s ("abb",
"abbbb", etc.);
• "ab{3,5}": Matches a string that has from three to five ”b”'s
("abbb", "abbbb", or "abbbbb").
The first number of a range must always be specified, for example:
"{0,2}", not "{,2}").
Symbols '*', '+', and '?' denote the same as bounds "{0,}",
"{1,}" and "{0,1}", respectively.
To quantify a sequence of characters, they must be defined within
parentheses:
• "a(bc)*": Matches a string that has an ”a” followed by zero or
more copies of the sequence "bc";
• "a(bc){1,5}": Matches a string that has one to five copies of
”bc”.
The '|' symbol is an OR operator:
• "hi|hello": Matches a string that includes either "hi" or "hello".
• "(b|cd)ef" is a string that includes either "bef" or "cdef".
• "(a|b)*c" is a string that has a sequence of alternating ”a”’s and
”b”'s ending with ”c”.
A period ('.') stands for any single character:
• "a.[0-9]": Matches a string that has an a followed by a single
character and a digit.
IP Interface
An IP interface on CID is comprised of two components: an IP address
and an associated interface. The associated interface is either a
physical interface or a virtual interface (VLAN). IP Routing is performed
between CID IP interfaces, while Bridging is performed within an IP
interface that contains an IP address associated with a VLAN.
CID was designed to intercept HTTP requests and to redirect them to a
content inspection server farm. The first assumption in designing a CID
network is that the CID resides on the path between the clients and the
Internet and content inspection servers. This placement is required by
the role of CID in the network - CID needs to intercept the outgoing
client requests and to manipulate the packets returning from the
content inspection servers to the clients.
Except for the setup that involves local triangulation or transparent
proxy, all traffic must travel physically through the CID. This includes
traffic from the users to the Internet and from the content inspection
server farm back to the users.
Users who are statically configured to use a content inspection server,
should be configured to the CID virtual address. This address is the
access IP address for the content inspection servers.
NAS
Network-attached storage (NAS) is hard disk storage that is set up with
its own network address rather than being attached to the department
computer that is serving applications to a network's workstation users.
NNTP
NNTP (Network News Transfer Protocol) is the predominant protocol
used by computer clients and servers for managing the notes posted
on Usenet news groups. NNTP replaced the original Usenet protocol,
UNIX-to-UNIX Copy Protocol (UUCP). NNTP servers manage the
global network of collected Usenet news groups and include IAS
(Internet Access Provider) servers. An NNTP client is included as part
of any Web browser.
Physical Interface
One of the Fast Ethernet or Application Switch ports of the CID. In the
Fast Ethernet platform, a CID can have either 2 or 4 physical
interfaces, depending on the hardware configuration. In the Application
Switch platform, the CID can have up to 10 physical interfaces.
Physical IP Address
An IP address assigned to a CID interface. This address belongs to the
CID and is used for SNMP management and for routing purposes.
RADIUS Protocol
Remote Authentication Dial-In User Service, or RADIUS, is a standard
in [RFCs 2865 and 2866] used for centralizing network authentication
of remote access users.
RADIUS is a client-server authentication and authorization access
protocol used to authenticate users attempting to connect to a network
device. The Access Server (BAS) functions as a client, passing user
information to one or more RADIUS servers. User access is either
granted or denied to the device based on the response received from
the RADIUS servers.
The RADIUS clients send UDP authentication requests, typically over
port 1812, with MD5 encrypted passwords to the RADIUS
authentication server and act on responses sent back by the server.
VLAN types
Two types of IP VLANs are commonly encountered when configuring a
CID. Either VLAN can be used depending on the CID configuration
requirements.
Regular: A Regular VLAN provides transparent bridging within the
VLAN. This means that when two stations communicate within the
VLAN, they are aware of each other's MAC addresses. For example, if
stations A and B are on two different CID ports that belong to the same
VLAN, during communication A knows B's MAC address and B knows
A's address. In addition, Regular VLAN also supports redundancy and
transparent proxy features.
Broadcast And Unicast: This is a special VLAN which allows bridging
using standard proxy ARP techniques. For example, stations on one
VLAN port of the CID believe that all stations on other CID ports
belonging to this VLAN have the same MAC address. This one MAC
address is actually the MAC of the CID. It may be necessary to use this
VLAN type in CID configurations to ensure that packets are destined to
the MAC address of the CID during end station to server
communications.1
Acronym Meaning
ARP Address Resolution Protocol
AS Autonomous System
AS Application Switch
AV Anti Virus
BGP Border Gateway Protocol
CID Content Inspection Director
CIDR Classless Interdomain Routing
CSD Cache Server Director
CW ConfigWare
CWIS Configware Insite
DGW Default Gateway
DHCP Dynamic Host Configuration Protocol
DMZ Demilitarized Zone
DNS Domain Name System
DSL Digital Subscriber Loop
EGP Exterior Gateway Protocol
EIGRP Enhanced Interior Gateway Protocol
FDDI Fiber Distributed Digital Interface
FE Fast Ethernet
FP Fire Proof
FTP File Transfer Protocol
FW Firewall
GARP Gracious Address Resolution Protocol
GTLD GenericTop Level Domain
GUI Graphic User Interface
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocols Secure
HW Hardware
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IGP Interior Gateway Protocol
IGRP Interior Gateway Routing Protocol
IP Internet Protocol
ISDN Intergrated Services Digital Network
ISO International Standards Organization
ISP Internet Services Provider
ITM Internet or Intelligent Traffic Management
LAN Local Area Network
LB Load Balancer/Balancing
LLC Logical Link Control
LP LinkProof
LRP Load Reporting Protocol
MAC Media Access Control
MAN Metropolitan Area Network
MED Multi-Exit Discriminator
MIME Multi-Purpose Internet Mail Extension
NAP Network Access Point
NAS Network Attached Storage
NAT Network Address Translation
NetBEUI NetBIOS Extended User Interface
NetBIOS Network Basic Input/Output System
NHR Next Hop Router
NIC Network Interface Card
NP Network Proximity
NTP Network Time Protocol
NNTP Network News Transfer Protocol
OSI Open Systems Interconnect
OSPF Open Shortest Path First
Index
A Port Groups 8-26
Action 8-12 Predefined Filters 8-21
Action Macro 7-14 Rules 8-12
Activation/Inactivation Schedule 8-15 Services 8-19
Active 9-75 VLAN Tag Groups 8-27
Admin Status 4-28 Bandwidth Management Module 8-2
Advanced CID Features Bandwidth Management Policies 8-8
Chapter 5-1 Basic Filters 8-19
Advanced Filters 8-20, 9-81 Borrowing Limit 8-13
Alternate Default Gateway 3-28 Bridging, in VLAN 3-23
Application Classification 8-4
Application Security 9-1 C
Attacks Dynamic Information 9-196 Cache Load Balancing 4-57
Cache Server Types 4-58
B CID Limitations (Appendix A) A-5
Backup Device in VLAN 6-12 Classification 8-37
Backup Fake ARP 6-12 Classification Modes 8-5
Backup Interface Grouping 2-70 Client NAT 4-28
Backup Interface Grouping, Redundancy Client Table 4-37
6-6 Client Types 4-57
Bandwidth Limit 4-28 Configured Clients 4-57
Bandwidth Management 8-3 Connection Limit 4-27
Borrowing Limit 8-13 Content 8-20
Classes 8-18 Content Parameters 9-59, 9-90, 9-102,
Classification Criteria 8-9 9-152, 9-167
Guaranteed Bandwidth 8-12
Networks 8-25 D
Policy Groups 8-13 Daylight Saving Time Support 2-78
Default Gateway, setup 3-27