Professional Documents
Culture Documents
Version 7.6
Legal Notice
The information contained within this document is subject to change without notice. Arbor Networks, Inc.
makes no warranty of any kind with regard to this material, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose. Arbor Networks, Inc. shall not be liable for
errors contained herein or for any direct or indirect, incidental, special, or consequential damages in
connection with the furnishings, performance, or use of this material.
Copyright © 1999-2015 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks
logo, ArbOS and ATLAS are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks
of their respective owners.
Document Number: PSP-API-76-2015/10
19 October, 2015
Contents
Preface
How to Use Peakflow Documentation 8
Conventions Used in this Guide 9
Contacting the Arbor Technical Assistance Center 11
applyMitigationTemplateByName 81
getMitigationSummaries 82
getMitigationSummariesXML 84
getMitigationStatisticsByIdXML 85
getMitigationStatisticsByNameXML 86
addTmsFilterList 87
editTmsFilterList 89
deleteTmsFilterList 90
Chapter 11: Configuration Management Functions in the Classic SOAP API 171
About the Configuration Management Functions 172
cliRun 174
accountAdd 175
accountDelete 178
accountChangePassword 180
accountChangeGroup 181
Chapter 12: Traffic Report Functions in the Classic SOAP API 183
getTrafficData 184
getTrafficGraph 187
Glossary 191
Index 201
Introduction
This guide provides instructions for the API configurations for your Peakflow deployment and is
intended for network administrators who are responsible for the day-to-day availability of their
company's network infrastructure. Users should have a strong understanding of networking and
the network environment, including topology and traffic.
This guide supports the 7.6 release for all Peakflow appliances.
Additional documentation
Peakflow Help Online help topics from the User Guide and Advanced
Configuration Guide. The Help is context-sensitive to
the Peakflow SP Web UI page from which it is
accessed.
Peakflow SP Managed Services Instructions and information for the managed services
Customer Guide customers who use the Peakflow SP 7.6 Web user
interface.
Introduction
This guide uses typographic conventions to make the information in procedures, commands,
and expressions easier to recognize.
> A navigation path or sequence In the Web UI, select Settings >
of commands. Company.
Navigate to the Account page
(Settings > Account).
In the Web UI, select Mitigation >
Threat Management.
Navigate to the Alerts Ongoing page
(Alerts > Ongoing).
Convention Description
Monospaced bold Information that you must type exactly as shown.
Monospaced A variable for which you must supply a value.
italics
{ } (braces) A set of choices for options or variables, one of which is required. For
example: {option1 | option2}.
[ ] (square brackets) A set of choices for options or variables, any of which is optional. For
example: [variable1 | variable2].
Introduction
The Arbor Technical Assistance Center is your primary point of contact with Arbor Networks®
for all service and technical assistance issues.
Contact methods
You can use the following methods to contact the Arbor Technical Assistance Center:
Web https://support.arbor.net/
Example
PSP-API-76-2015/10
Peakflow SP API Guide
Page 9
Introduction
Peakflow provides SOAP APIs and a Web Services API. These APIs allow you to have
programmatic access to the data on Peakflow appliances.
In this section
This section contains the following topics:
About the SOAP APIs and Arbor Web Services API 16
How Classic SOAP API Calls Map to Current SOAP API Calls 17
Introduction
The Arbor SDK package contains the files for the Arbor Web Services API, the current SOAP
API, and Arbor’s classic SOAP API (released prior to Peakflow SP version 5.5). All APIs do not
provide the same capabilities. This topic briefly describes the advantages of using each API.
Arbor recommends that all classic SOAP users migrate to the current SOAP API to take
advantage of its broader functionality. For more information about migrating to the current
SOAP API, see “How Classic SOAP API Calls Map to Current SOAP API Calls” on the facing
page.
How Classic SOAP API Calls Map to Current SOAP API Calls
Introduction
This topic describes how classic SOAP API calls map to current SOAP API calls. This can help
you transition to using the current SOAP API.
getAlertGraph getDosAlertGraph
getAlertGraphData getDosAlertDetails
getDosAlertDetailsXML (the
impact_bps and impact_pps
values)
getAlertInterfaces getDosAlertDetails
getAlertInterfaceDetails getDosAlertDetails
getAlertInterfacesXML getDosAlertDetailsXML
getAlertRouterInterfacesXML getDosAlertDetailsXML
accountDelete accountDelete
sqlQuery deprecated
getTrafficGraph getTrafficGraph
cliRun cliRun
Introduction
This chapter includes an overview of the Arbor Web Services API and describes its functions.
In this section
This section contains the following topics:
Introduction to the Arbor Web Services API 22
Alerts 23
Traffic 25
Mitigations 27
Managed Object 29
Routers 31
Devices 33
Peakflow SP CP 5500 Appliance 36
Peakflow TMS Appliance 39
Peakflow TMS Ports 42
Portal 44
Reports 46
Introduction
The Arbor Web Services API allows you to easily access the data on a Peakflow SP leader
appliance or a non-leader appliance that has the user interface role by using your Web
browser or cURL. Data is returned in either JSON or XML format.
References
For more information about how to use the Arbor Web Services API, see the following:
Additional references
Reference Description
https://addons.mozilla.org/en- A JSON plug-in that you can use to assist you
US/firefox/addon/10869 with debugging.
Alerts
URL
/arborws/alerts
alerts parameters
Name Description
api_key A unique, dedicated key that enables users to access this API data. You
must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
limit (Optional) The maximum number of alerts to return that match the filter.
filter (Optional) Keywords by which you want to filter search results. You can
enter the same search strings that you can enter in the Search box on the
Alerts pages in the Web UI.
format The format in which you want data returned, which can be one of the
following:
n json
This is the default format.
n xml
cURL example
The following is a cURL example of querying for the top three host alerts in Peakflow SP:
curl -k https://mariner/arborws/alerts -d api_key=1234abc -d
filter=host -d limit=3
HTTPS example
The following is an HTTPS example of querying for all alerts in Peakflow SP:
https://mariner/arborws/alerts?api_key=1234abc&format=xml
Example output
The following is an example of the output returned by the alerts function:
<?xml version="1.0" encoding="utf-8"?>
<alert-list>
<alert_count>100</alert_count>
<page_size>10</page_size>
<page>1</page>
<alert id="81966" type="9" class="2">
Traffic
URL
/arborws/traffic
traffic parameters
Name Description
api_key A unique, dedicated key that enables users to access this API data. You
must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
query An XML query in standard Peakflow SP XML query format. This parameter is
only the XML query, not an entire XML report. Data is returned in the XML
result format, as specified in the Peakflow SP and Threat Management
System (TMS) User Guide.
For current XML report specifications, see “Using Customized Reports” in
the Peakflow SP and Threat Management System (TMS) User Guide.
graph (Optional) When specified, this parameter indicates that you want Peakflow
SP to return a binary PNG graph file of the queried traffic data. If you do not
specify a graph argument, then Peakflow SP returns XML.
cURL example
The following are cURL examples of querying for traffic data, excluding and then including the
graph parameter:
curl -k https://mariner/arborws/traffic -d api_key=1234abc --data-
urlencode query@query.xml
<class type="out"/>
<filter type="customer">
<instance name="CustomerName"/>
</filter>
<filter type="application" binby="1"/>
</query>
</peakflow>
Mitigations
URL
/arborws/mitigations/status
mitigations parameters
Name Description
api_key A unique, dedicated key that enables users to access this API data. You
must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
filter (Optional) Keywords by which you want to filter search results. You can
enter the same search strings that you can enter in the Search box on the
Mitigations pages in the Web UI.
limit (Optional) The maximum number of mitigations to return that match the filter.
format The format in which you want data returned, which can be one of the
following:
n json
This is the default format.
n xml
cURL example
The following is a cURL example of querying for the top three mitigations in Peakflow SP:
curl -k https://mariner/arborws/mitigations/status -d api_key=1234abc -d
limit=3
HTTPS example
The following is an HTTPS example of querying for mitigation data in Peakflow SP:
https://mariner/arborws/mitigations/status?api_key=1234abc&filter=auto-
mitigation
Example output
The following is an example of the output returned by the mitigations function:
<?xml version="1.0" encoding="utf-8"?>
<mitigation-list>
<mitigation type="2" type_name="tms_mitigation" config_id="28"
prefix=""
Managed Object
URL
/arborws/admin/managed_object
managed_object parameters
Name Description
api_key A unique, dedicated key that enables an account group to access this API
data. You must configure the API key in the Peakflow SP Web UI. When you
configure the API key, you must associate it with an account group.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
filter (Optional) Keywords by which you want to filter search results. You can
enter the same search strings that you can enter in the Search box on the
Managed Objects page in the Web UI.
limit (Optional) The maximum number of managed objects to display. The default
is 100.
cURL example
The following is a cURL example of querying for managed objects in Peakflow SP that contain
the word “dorms” in their configurations:
curl -ks https://mariner/arborws/admin/managed_object -d api_
key=1234abc -d filter=”dorms”
HTTPS example
The following is an HTTPS example of querying for the data of no more than 225 managed
objects in Peakflow SP:
https://mariner/arborws/admin/managed_object?api_key=1234abc&limit=225
Example output
The following is an example of the output returned by the managed object function:
{
"current_page":"1",
"total_pages":"3",
"data":[
{
"gid":"680",
"id":"680",
"name":"MyCustomer",
"description":"My+Description",
"tags":"profile,application,fingerprint",
"family":"profile",
"match_type":"cidr_block",
"match":"192.168.0.0/16"
},
{
"gid":"711",
"name":"An Important College",
"description":"Do not change the detection threshold for this.",
"tags":"customer",
"family":"customer",
"match_type":"cidr_blocks",
"match":"198.108.80.0\/21"
}
],
"continued_blob_current":[
],
"continued_blob_next":[
]
}
Routers
URL
/arborws/admin/routers
routers parameters
Name Description
api_key A unique, dedicated key that enables an account group to access this API
data. You must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
filter (Optional) Keywords by which you want to filter search results. You can
enter the same search strings that you can enter in the Search box on the
Configure Routers page in the Web UI.
cURL example
The following is a cURL example of updating a router in Peakflow SP:
curl -k -v https://mariner/arborws/admin/routers -d api_key=1234abc -d
action=update --data-urlencode json@router_update.json
In this example, including “-v” returns an HTTP code. An HTTP code of 200 indicates that the
update was successful. An HTTP code of 400 indicates that there was an error parsing the
JSON.
HTTPS example
The following is an HTTPS example of querying for router data in Peakflow SP:
https://mariner/arborws/admin/routers?api_key=1234abc&action=list
Example output
The following is an example of the output returned by the routers list action:
{"gid":"999",
"name":"xyz123",
"bgp_ip":"",
"bgp_local_ip":"",
"bgp_as":"",
"snmp_ip":"198.108.90.21",
"snmp_community":"public",
"snmp_version":"2",
"snmp_security_level":"noAuthNoPriv",
"snmp_authprotocol":"md5",
"snmp_authusername":"",
"snmp_authpassword":"",
"snmp_privkey":"",
"snmp_contextname":"",
"snmp_nov1hccounters":"",
"snmp_nogetbulk":"",
"flow_ignored":"off",
"flow_ignored_ipv6":"off",
"flow_export_ip":"198.108.90.21",
"flow_sample_rate":"1000",
"flow_use_embedded_sampling_rate":"",
"flow_tcp_flags_missing":"",
"local_as":"",
"default_bgp_router":"
...
}
Devices
URL
/arborws/admin/devices
devices parameters
Name Description
api_key A unique, dedicated key that enables an account group to access this API
data. You must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
filter (Optional) Keywords by which you want to filter search results. You can
search devices by the following:
n name
n description
n tags
cURL example
The following is a cURL example of updating a device in Peakflow SP:
curl -k -v https://mariner/arborws/admin/devices -d api_key=1234abc -d
action=update --data-urlencode json@devices_update.json
Including “-v” returns an HTTP code. An HTTP code of 200 indicates that the update was
successful. An HTTP code of 400 indicates that there was an error parsing the JSON.
HTTPS example
The following is an HTTPS example of querying for device data in Peakflow SP:
https://mariner/arborws/admin/devices?api_key=1234abc&action=list
Example output
The following is an example of the output returned by the devices function:
[
{
"gid": "115",
"ip": "10.8.2.94",
"name": "spdocvm",
"interfaces": "eth0",
"descr": "",
"tags": "",
"type": "cp",
"model_number": "5500",
"full_model": "",
"license_key": "",
"expiration": "",
"license_mode": "flexible",
"full_model_display": "",
"manager": "",
"flow_ignored": "on",
"forensics": "on",
"arf_enabled": "on",
"scrubber_interface": "",
"scrubber_gids": "",
"portal_hostname": "",
"snmp_community": "",
"snmp_v12_support": "",
"snmp_v3_support": "",
"snmp_security_level": "",
"snmp_authprotocol": "",
"snmp_authusername": "",
"snmp_authpassword": "",
"snmp_privkey": "",
"snmp_contact": "",
"snmp_location": "",
"gre_source": "",
"gre_interval": "",
"gre_retries": "",
"gre_keepalives": "",
"gre_source_v6": "",
"gre_interval_v6": "",
"gre_retries_v6": "",
"gre_keepalives_v6": "",
"peer_from": "mitigation",
"offramp_nexthop": "",
"offramp_nexthop_v6": "",
"stacking": "",
"stacking_level": "",
"nblades": "",
"blacklist_offloading": "",
"blacklist_offloading_src_dst": "",
"physical_ports": "",
"logical_ports": "",
"subinterfaces": "",
"dns_sensitivity": "",
"dns_ignore": "",
"flow_export_port": "",
"flow_export_sample_rate": "",
"flow_export_bgp_default": "",
"dpi_deployment_type": "",
"dpi_capabilities": "",
"dpi_reach_src_via_tx_intf": "",
"dpi_l3_forwarding": "",
"dpi_hardware_bypass": "",
"dpi_flow_id_ignore_rx_tags": "",
"dpi_flow_id_ignore_rx_port": "",
"dpi_fail_open": "",
"dpi_routers": "",
"incoming_bw_limit": "0",
"max_mitigations": "",
"offramp_method": "",
"flowspec_route_target": "",
"tms_cluster": "",
"in_tms_cluster": "0",
"rear_10g_only": "",
"fate_sharing_interface": "",
"fate_sharing_nexthop": "",
"fate_sharing_bgppeer": "",
"fate_sharing_gretunnel": "",
"interface_properties": "00",
"routers":
"ar1.chi|ar1.lax|ar1.nyc|br1.chi|br1.lax|br1.nyc|cr1.chi|cr1.lax|cr1.ny
c|mpls1.chi|vr1.lax|vr1.nyc"
}
]
URL
/arborws/admin/cp5500
cp5500 parameters
Name Description
api_key A unique, dedicated key that enables an account group to access this API
data. You must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
filter (Optional) Keywords by which you want to filter search results. You can
search appliances by the following:
n name
n description
n tags
cURL example
The following is a cURL example of updating a CP 5500 appliance in Peakflow SP:
curl -k -v https://mariner/arborws/admin/cp5500 -d api_key=1234abc -d
action=update --data-urlencode json@cp5500_update.json
Including “-v” returns an HTTP code. An HTTP code of 200 indicates that the update was
successful. An HTTP code of 400 indicates that there was an error parsing the JSON.
HTTPS example
The following is an HTTPS example of querying for CP 5500 appliance data in Peakflow SP:
https://mariner/arborws/admin/cp5500?api_key=1234abc&action=list
Example output
The following is an example of the output returned by the CP 5500 show_schema function:
gid is_u_int16
name is_collector_name
ip is_ip_addr
interfaces is_local_interface
descr is_notnull
tags is_valid_tag_name_list
type is_device_type
model_number is_valid_model_number
full_model is_notnull
license_key is_notnull
expiration is_notnull
full_model_display is_notnull
manager is_collector_gid
flow_ignored is_on_off
forensics is_on_off
arf_enabled is_on_off
scrubber_interface is_notnull
scrubber_gids is_notnull
portal_hostname is_notnull
snmp_community is_notnull
snmp_v12_supportis_enabled_or_disabled
snmp_v3_support is_enabled_or_disabled
snmp_security_level is_snmp_security_level
snmp_authprotocol is_snmp_authpassword
snmp_authusername is_snmp_username
snmp_authpassword is_snmp_authpassword
snmp_privkey is_snmp_authpassword
snmp_contact is_notnull
snmp_location is_notnull
gre_source is_ip_addr
gre_interval is_u_int
gre_retries is_u_int
gre_keepalives is_enabled_or_disabled
peer_from is_notnull
offramp_nexthop is_ip_addr
stackingis_enabled_or_disabled
stacking_level is_valid_stacking_level
nblades is_valid_nblades
physical_ports is_list_of_physical_port_gids
logical_ports is_valid_logical_port_name
subinterfaces is_list_of_subinterface_gids
dns_sensitivity is_dns_sensitivity_threshold
dns_ignore is_dns_ignore_threshold
flow_export_portis_port
flow_export_sample_rate is_sample_rate
flow_export_bgp_default is_bgp_router
dpi_deployment_type is_tms_deployment_type
dpi_capabilitiesis_tms_capabilities
dpi_l3_forwarding is_enabled_or_disabled
dpi_hardware_bypass is_enabled_or_disabled
dpi_flow_id_ignore_rx_tags is_enabled_or_disabled
dpi_flow_id_ignore_rx_port is_enabled_or_disabled
dpi_fail_open is_enabled_or_disabled
dpi_routers is_assoc_mitigation_router
incoming_bw_limit is_notnull
max_mitigations is_notnull
rear_10g_only is_enabled_or_disabled
fate_sharing_interface is_enabled_or_disabled
fate_sharing_nexthop is_enabled_or_disabled
fate_sharing_bgppeer is_enabled_or_disabled
fate_sharing_gretunnel is_enabled_or_disabled
routers is_assoc_collector_router
max_fps is_pos_int
URL
/arborws/admin/tms
tms parameters
Name Description
api_key A unique, dedicated key that enables an account group to access this API
data. You must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
filter (Optional) Keywords by which you want to filter search results. You can
search appliances by the following:
n name
n description
n tags
cURL example
The following is a cURL example of updating a TMS appliance in Peakflow SP:
curl -k -v https://mariner/arborws/admin/tms -d api_key=1234abc -d
action=update --data-urlencode json@tms_update.json
Including “-v” returns an HTTP code. An HTTP code of 200 indicates that the update was
successful. An HTTP code of 400 indicates that there was an error parsing the JSON.
HTTPS example
The following is an HTTPS example of querying for TMS appliance data in Peakflow SP:
https://mariner/arborws/admin/tms?api_
key=1234abc&action=list&filter=tms_Chicago
Example output
The following is an example of the output returned by the TMS function:
[
{
"gid": "1166",
"ip": "10.8.10.49",
"name": "tms_Chicago",
"interfaces": "eth0",
"descr": "Arbor Peakflow collector 8 ",
"tags": "",
"type": "cp",
"model_number": "5500",
"full_model": "CP-5500-10",
"license_key": "*****-*****-*****-*****-*****-*****-*****-*****-
*****",
"expiration": "",
"full_model_display": "CP-5500-10",
"manager": "",
"flow_ignored": "off",
"forensics": "on",
"arf_enabled": "on",
"scrubber_interface": "",
"scrubber_gids": "",
"portal_hostname": "",
"snmp_community": "",
"snmp_v12_support": "",
"snmp_v3_support": "",
"snmp_security_level": "",
"snmp_authprotocol": "",
"snmp_authusername": "",
"snmp_authpassword": "",
"snmp_privkey": "",
"snmp_contact": "",
"snmp_location": "",
"gre_source": "",
"gre_interval": "",
"gre_retries": "",
"gre_keepalives": "",
"peer_from": "mitigation",
"offramp_nexthop": "",
"stacking": "",
"stacking_level": "",
"nblades": "",
"physical_ports": "",
"logical_ports": "",
"subinterfaces": "",
"dns_sensitivity": "",
"dns_ignore": "",
"flow_export_port": "",
"flow_export_sample_rate": "",
"flow_export_bgp_default": "",
"dpi_deployment_type": "",
"dpi_capabilities": "",
"dpi_hardware_bypass": "",
"dpi_flow_id_ignore_rx_tags": "",
"dpi_flow_id_ignore_rx_port": "",
"dpi_fail_open": "",
"dpi_routers": "",
"incoming_bw_limit": "0",
"max_mitigations": "",
"ospf_area": "",
"ospf_interfaces": "",
"ospf_md5": "",
"ospf_hello_interval": "",
"ospf_router_dead_time": "",
"ospf_retransmit_interval": "",
"ospf_transmit_delay": "",
"rear_10g_only": "",
"fate_sharing_interface": "",
"fate_sharing_nexthop": "",
"fate_sharing_bgppeer": "",
"fate_sharing_gretunnel": "",
"routers": "aa1-aa2-aa3-aa4-aa5-aa6-aa7"
}
]
URL
/arborws/admin/tms_ports
tms_ports parameter
Name Description
api_key A unique, dedicated key that enables an account group to access this API
data. You must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
cURL example
The following is a cURL example of querying for TMS appliance port data in Peakflow SP:
curl -ks https://mariner/arborws/admin/tms_ports -d api_key=1234abc
HTTPS example
The following is an HTTPS example of querying for TMS appliance port data in Peakflow SP:
https://mariner/arborws/admin/tms_ports?api_key=1234abc
Example output
The following is an example of the output returned by the TMS ports function:
[
{gid: "33"
name: "tmsx0.0.1"
device: "2360"
type: "subinterface"
action_dns: "1"
action_http: "1"
action_mitigate: ""
address: "10.0.0.1"
description: "Test"
nexthop: "5.6.7.8"
output: "543"
parent: "2369"
snmp_id: "1008"
vlan: "1"
}
Portal
URL
/arborws/portal
portal parameters
Name Description
api_key A unique, dedicated key that enables users to access this API data. You
must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
mitigation_id ID number of the mitigation status to display. This parameter is required if the
id parameter value is mitigation_status.
cURL example
The following is a cURL example of querying for a profiled router alert with an ID of 33 in
Peakflow SP:
curl -ks https://mariner/arborws/portal -d api_key=1234abc -d
id=profiled_router_alert -d &alert_id=33
HTTPS example
The following is an HTTPS example of querying for a mitigation status with an ID of 2 in
Peakflow SP:
https://mariner/arborws/portal?api_key=1234abc&id=mitigation_
status&mitigation_id=2
Reports
URL
/arborws/reports/function
Function Description
/arborws/reports/configured Allows you to view a list of the configured wizard reports in
Peakflow SP.
For more information about this function and its accepted
parameters, see “/arborws/reports/configured” below.
/arborws/reports/results Allows you to view a list of the wizard report results that can
be downloaded from Peakflow SP.
For more information about this function and its accepted
parameters, see “/arborws/reports/results” on the facing
page.
/arborws/reports/configured
The /arborws/reports/configured function accepts the following parameters:
configured parameters
Name Description
api_key A unique, dedicated key that enables users to access this API data. You
must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
Name Description
limit (Optional) The maximum number of wizard reports to return that match the
filter.
format The format in which you want data returned, which can be one of the
following:
n json
This is the default format.
n xml
/arborws/reports/queue
The /arborws/reports/queue function accepts the following parameters:
queue parameters
Name Description
api_key A unique, dedicated key that enables users to access this API data. You
must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
name The name of the configured wizard report that you want to run.
The returned value is one of the following:
n an HTTP status code 204, which indicates success
n an error message
/arborws/reports/results
The /arborws/reports/results function accepts the following parameters:
results parameters
Name Description
api_key A unique, dedicated key that enables users to access this API data. You
must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
Name Description
limit (Optional) The maximum number of wizard reports to return that match the
filter.
format The format in which you want data returned, which can be one of the
following:
n json
This is the default format.
n xml
/arborws/reports/download
The /arborws/reports/download function accepts the following parameters:
download parameters
Name Description
api_key A unique, dedicated key that enables users to access this API data. You
must configure the API key in the Peakflow SP Web UI.
See “Enabling Customers to View Peakflow SP Data in the Web Services
API” in the Peakflow SP and Threat Management System (TMS) User
Guide for more information.
name The name of the configured wizard report that you want to download.
request_time The time of the wizard report result that you want to download, which can
be one of the following:
n last
The “last” parameter downloads the most recent wizard report result.
n time
The “time” parameter is the time at which a wizard report ran, in seconds
and microseconds since the epoch.
format The format in which you want a wizard report returned, which can be one of
the following:
n PDF
n XML
n CSV
cURL example
The following is a cURL example of querying for a list of configured wizard reports in Peakflow
SP:
curl -ks https://mariner/arborws/reports/configured -d api_key=1234abc
HTTPS example
The following is an HTTPS example of downloading a PDF wizard report in Peakflow SP:
https://mariner/arborws/reports/download?api_key=1234abc&name=Camp
peers and apps&request_time=last&format=PDF
Introduction
This chapter includes an introduction to the current SOAP API and how to use it with the PHP
package.
In this section
This section contains the following topics:
Using the Current SOAP API in Peakflow SP 54
Introduction
The current SOAP API in Peakflow SP is implemented by the SP leader appliance or a
non-leader appliance that has the user interface role. You can access the SOAP API using
HTTPS.
Note: The SOAP interface requires Digest Authentication using either the user name “arbor”
and your zone secret as the password or the user name and password of a user whose account
has been assigned the sp_soap capability token.
References
For more information about SOAP API, see the following references:
n SOAP v1.1: http://www.w3.org/TR/2000/NOTE-SOAP-20000508/
n SOAP v1.2: http://www.w3.org/TR/soap/
n WSDL v1.1: http://www.w3.org/TR/wsdl
n XMLSchema: http://www.w3.org/TR/xmlschema-0/
Note: If you do not have SOAP support enabled in your PHP build, you can download a
current PHP source package from http://www.php.net/downloads.php. Follow the building and
installation instructions included with the source package. To enable SOAP support, include
the “--enable-soap” option when running the build’s “configure” script.
Method Procedure
Method 1 Manually edit the endpoint/soap binding section of the Peakflow SP
WSDL to include a FQDN. Replace the string @@HOSTNAME@@ with the
FQDN of the Peakflow SP appliance you plan to send your SOAP
queries to.
Method 2 Programmatically change the endpoint URL within the code. Most
clientside SOAP libraries provide a facility by which you can change
the endpoint URL programatically to redirect the transactions with the
web service.
Using the example XML reports and queries included in the SOAP package
The binby_router.xml file contains an example XML query for use with runXmlQuery().
The XML query format is described in “XML Specifications” of the Peakflow SP and Threat
Management System (TMS) User Guide and in the XML schema files included in the SOAP
package.
Note: As an alternative, you can create your own client interface in Perl, Java, or another
language. Select an appropriate SOAP package for that language and use the
PeakflowSP.wsdl file to generate your own client-side interface.
Introduction
This chapter includes information about the supported Peakflow SP current SOAP API alert
functions.
You can download the PeakflowSP.wsdl file for a complete specification of the data types
used for each current SOAP API alert function’s parameters and return values. The WSDL file
is downloaded as part of the API SDK (Administration > Download Arbor API SDK).
In this section
This section contains the following topics:
getDosAlertSummaries 58
getDosAlertSummariesXML 63
getDosAlertDetailsXML 64
getDosAlertGraph 65
getDosAlertDetails 66
getDosAlertSummaries
Prototype
getDosAlertSummaries(filter, count)
Accepted parameters
getDosAlertSummaries accepts the following parameters:
getDosAlertSummaries parameters
count unsigned integer The number of alerts to return that match the filter.
The default setting is 10.
Return value
getDosAlertSummaries returns the following value:
DosAlertSummary
DosAlertSummary contains the following summary data about DoS alerts:
DosAlertSummary elements
threshold float The high severity threshold of the misuse type that the
alert traffic has exceeded by the highest percentage.
start dateTime The date and time when an alert started, in the
following ISO 8601 format:
n YYYY-MM-DDThh:mm:ssTZD
stop dateTime (Optional) The date and time at which an alert ended,
in the following ISO 8601 format:
n YYYY-MM-DDThh:mm:ssTZD
max_impact_ float The boundary where the maximum impact values were
boundary observed over the life of an alert.
impact_bps_ float (Optional) The raw data points for the impact values
points (in bps) that are used to generate an alert’s minigraph
in the Web UI.
impact_pps_ float (Optional) The raw data points for the impact values
points (in pps) that are used to generate an alert’s minigraph
in the Web UI.
dos_version unsigned (Optional) The dos version for a DoS Profiled Router
integer alert. A DoS Profiled Router alert has a dos version of
3 if the alert is triggered by a Peakflow SP 7.6
appliance. A DoS Profiled Router alert has a dos
version of 1 if the alert is triggered by a Peakflow SP
5.8 or 6.0 appliance. The alert can be triggered by a
5.8 or 6.0 appliance in a multi-version deployment or
before you upgrade to Peakflow SP 7.6.
AlertResource
AlertResource describes the resource affected by an alert and contains the following
elements:
AlertResource elements
ipVersion unsigned integer Indicates whether the alert was IPv4 or IPv6
traffic.
AlertManagedObject
AlertManagedObject describes the managed object affected by an alert and contains the
following elements:
AlertManagedObject elements
Annotation
Annotation describes an alert annotation and contains the following elements:
Annotation elements
getDosAlertSummariesXML
Prototype
getDosAlertSummaries(filter, count)
Accepted parameters
getDosAlertSummariesXML accepts the following parameters:
getDosAlertSummariesXML parameters
count unsigned integer The number of alerts to return that match the filter.
The default setting is 10.
Return value
getDosAlertSummariesXML returns the following value:
getDosAlertDetailsXML
Prototype
getDosAlertDetailsXML(alertID)
Accepted parameter
getDosAlertDetailsXML accepts the following parameter:
getDosAlertDetailsXML parameter
Return value
getDosAlertDetailsXML returns the following value:
getDosAlertGraph
Prototype
getDosAlertGraph(alertID, width, height)
Accepted parameters
getDosAlertGraph accepts the following parameters:
getDosAlertGraph parameters
width unsigned integer The width that you want the graph to be. If you enter
0 for either the width or the height argument, then
Peakflow SP returns a graph that is 948 x 160.
height unsigned integer The height that you want the graph to be. If you enter
0 for either the width or the height argument, then
Peakflow SP returns a graph that is 948 x 160.
Return value
getDosAlertGraph returns the following value:
getDosAlertDetails
Prototype
getDosAlertDetails(alertID)
Accepted parameter
getDosAlertDetails accepts the following parameter:
getDosAlertDetails parameter
Return value
getDosAlertDetails returns the following value:
About DosAlertDetails
Peakflow SP 7.0 uses two sets of DosAlertDetails as described in the following table:
DosAlertDetails sets
DosAlertDetails 6.0 n DoS Profiled Router alerts that existed before an upgrade to
Peakflow SP 7.0.
n DoS Profiled Router alerts that are triggered on a Peakflow
SP 5.8 or 6.0 appliance in a multi-version deployment.
DosAlertDetails 7.0
DosAlertDetails for DoS 3 alerts contains the following elements:
DosAlertDetailsItem
DosAlertDetailsItem contains the following elements:
DosAlertDetailsItem elements
DosAlertDetailsRates
DosAlertDetailsRates contains the following elements:
DosAlertDetailsRates elements
pps unsigned integer The rate of traffic (in pps) for the duration of an
alert.
DosAlertTopPatternsItem
DosAlertTopPatternItem contains the following elements:
DosAlertTopPatternItem elements
DosAlertTopPatternsDetails
DosAlertTopPatternDetails displays the top (up to 10) traffic patterns from the last 5 minutes of
the selected timeframe of a DoS Host alert or DoS Profiled Router alert.
DosAlertTopPatternDetails contains the following elements:
DosAlertTopPatternDetails elements
bps unsigned integer The rate of traffic (in bps) of a traffic pattern.
pps unsigned integer The rate of traffic (in pps) of a traffic pattern.
DosAlertPacketDistributionBoundary
DosAlertPacketDistributionBoundary contains the following elements:
DosAlertPacketDistributionBoundary elements
DosAlertPacketDistribution
DosAlertPacketDistribution contains the following elements:
DosAlertPacketDistribution elements
DosAlertDetailsRoutersBoundary
DosAlertDetailsRoutersBoundary contains the following elements:
DosAlertDetailsRoutersBoundary elements
DosAlertDetailsRouters
DosAlertDetailsRouters contains the following elements:
DosAlertDetailsRouters elements
max_bps unsigned integer The maximum rate of alert traffic (in bytes)
at a router.
DosAlertDetailsInterfaces
DosAlertDetailsInterfaces contains the following elements:
DosAlertDetailsInterfaces elements
max_bps unsigned integer The maximum rate of alert traffic (in bytes) observed
for an interface.
max_pps unsigned integer The maximum rate of alert traffic (in packets)
observed for an interface.
DosAlertDetails 6.0
DosAlertDetails for DoS 3 alerts contains the following elements:
start dateTime The date and time when an alert started, in the
following ISO 8601 format:
n YYYY-MM-DDThh:mm:ssTZD
bytes_total unsigned integer The total traffic involved in an alert (in bytes).
impact_bps float The raw data points for the impact values (in bps)
observed over the life of an alert. These are the
same data points used to generate graphs for DoS
Alerts in the Web UI.
impact_pps float The raw data points for the impact values (in pps)
observed over the life of an alert. These are the
same data points used to generate graphs for DoS
alerts in the Web UI.
PrefixTraffic
PrefixTraffic contains the following elements:
PrefixTraffic elements
bytes double The amount of alert traffic (in bytes) observed for a
prefix.
PortTraffic
PortTraffic contains the following elements:
PortTraffic elements
bytes double The amount of alert traffic (in bytes) observed for a
port or port range.
ProtocolTraffic
ProtocolTraffic contains the following elements:
ProtocolTraffic elements
number unsigned integer The number for the protocol of the traffic of an alert.
bytes double The amount of alert traffic (in bytes) observed for a protocol.
packets double The amount of alert traffic (in packets) observed for a
protocol.
TcpFlagsTraffic
TcpFlagsTraffic contains the following elements:
TcpFlagsTraffic elements
value unsigned integer The single numeric value, which is the logical OR of
all TCP flag values detected in the traffic of an alert.
packets double The amount of alert traffic (in packets) observed for
a TCP flag.
DosAlertRouter
DosAlertRouter contains the following elements:
DosAlertRouter elements
bytes_total double The amount of alert traffic (in bytes) observed for
a router.
duration unsigned integer The amount of time alert traffic was observed on
a router.
start dateTime The date and time when an alert started, in the
following ISO 8601 format:
n YYYY-MM-DDThh:mm:ssTZD
DosAlertInterface
DosAlertInterface contains the following elements:
DosAlertInterface elements
name string The name of the interface where alert traffic was
observed.
duration unsigned integer The amount of time alert traffic was observed at
an interface.
Introduction
This chapter includes information about the supported Peakflow SP current SOAP API
mitigation functions.
You can download the PeakflowSP.wsdl file for a complete specification of the data types
used for each current SOAP API mitigation function’s parameters and return values. The
WSDL file is downloaded as part of the API SDK (Administration > Download Arbor API
SDK).
In this section
This section contains the following topics:
applyMitigationTemplateById 80
applyMitigationTemplateByName 81
getMitigationSummaries 82
getMitigationSummariesXML 84
getMitigationStatisticsByIdXML 85
getMitigationStatisticsByNameXML 86
addTmsFilterList 87
editTmsFilterList 89
deleteTmsFilterList 90
applyMitigationTemplateById
Prototype
applyMitigationTemplateByID(mitigation_id, template_id, apply_method)
Accepted parameters
applyMitigationTemplateById accepts the following parameters:
applyMitigationTemplateById parameters
Return values
applyMitigationTemplateByID returns the following values:
applyMitigationTemplateByName
Prototype
applyMitigationTemplateByName(mitigation_name, template_name, apply_method)
Accepted parameters
applyMitigationTemplateByName accepts the following parameters:
applyMitigationTemplateByName parameters
Return values
applyMitigationTemplateByName returns the following values:
getMitigationSummaries
Prototype
getMitigationSummaries(filter, max_count)
Accepted parameters
getMitigationSummaries accepts the following parameters:
getMitigationSummaries parameters
Return values
getMitigationSummaries returns the following values:
MitigationSummary
MitigationSummary contains the following data about a mitigation:
MitigationSummary elements
start time dateTime The date and time when a mitigation started, in
the following ISO 8601 format:
n YYYY-MM-DDThh:mm:ssTZD
Annotation
Annotation describes a mitigation annotation and contains the following elements:
Annotation elements
getMitigationSummariesXML
Prototype
getMitigationSummariesXML(filter, max_count)
Accepted parameters
getMitigationSummariesXML accepts the following parameters:
getMitigationSummariesXML parameters
Return value
getMitigationSummariesXML returns the following value:
getMitigationStatisticsByIdXML
Prototype
getMitigationStatisticsByIdXML(id, start, stop)
Accepted parameters
getMitigationStatisticsByIdXML accepts the following parameters:
getMitigationStatisticsByIdXML parameters
start unsigned integer A UNIX timestamp that specifies the start time of a
mitigation.
stop unsigned integer A UNIX timestamp that specifies the stop time of a
mitigation.
Return value
getMitigationStatisticsByIdXML returns the following value:
getMitigationStatisticsByNameXML
Prototype
getMitigationStatisticsByNameXML(name, start, stop)
Accepted parameters
getMitigationStatisticsByNameXML accepts the following parameters:
getMitigationStatisticsByNameXML parameters
start unsigned integer A UNIX timestamp that specifies the start time of a
mitigation.
stop unsigned integer A UNIX timestamp that specifies the stop time of a
mitigation.
Return value
getMitigationStatisticsByNameXML returns the following value:
addTmsFilterList
Prototype
addTmsFilterList(name, type, filters, import_format, description)
Accepted parameters
addTmsFilterList accepts the following parameters:
addTmsFilterList parameters
Return value
addTmsFilterList returns an array with the following values:
editTmsFilterList
Prototype
editTmsFilterList(name, filters, import_format, description)
Accepted parameters
editTmsFilterList accepts the following parameters:
editTmsFilterList parameters
Return value
editTmsFilterList returns an array with the following values:
deleteTmsFilterList
Prototype
deleteTmsFilterList(name)
Accepted parameters
deleteTmsFilterList accepts the following parameters:
deleteTmsFilterList parameter
Return value
deleteTmsFilterList returns the following value:
Introduction
This chapter includes information about the supported configuration management functions in
the Peakflow SP current SOAP API.
You can download the PeakflowSP.wsdl file (Administration > Download Arbor API
SDK) for a complete specification of the data types used for each current SOAP API
function’s parameters and return values.
In this section
This section contains the following topics:
About the Configuration Management Functions 92
cliRun 94
accountAdd 95
accountDelete 97
accountChangePassword 98
accountChangeGroup 99
Introduction
Peakflow SP supports the following configuration management functions:
n cliRun
n accountAdd
n accountDelete
n accountChangePassword
n accountChangeGroup
Output format
The output for all of the Configuration Management functions is returned in the standard
Peakflow SP XML data format with a base64-encoded query-reply text node.
The following XML snippet shows an example result from an accountAdd operation:
<?xml version="1.0"?>
<peakflow version="1.0" release="7.6">
<query-reply name="accountAdd" type="text"> T0s= </query-reply>
</peakflow>
Note: With the exception of the cliRun operation, the normal return value for successful
completion of the operations documented below is OK. The example above reflects the result
from the successful completion of an accountAdd operation—the text node value is the
base64-encoded representation of OK.
Error handling
Errors that occur during the execution of the Configuration Management operations result in
SOAP faults.
The following example shows a typical SOAP fault message (in this case, for the addition of an
account that already exists):
<SOAP-ENV:Envelope SOAP-
ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:Server</faultcode>
<faultstring>Server error</faultstring>
<detail> /detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Note: The faults that are returned by the Peakflow API contain a descriptive string that
explains the nature of the fault in the detail element, as shown above. The faultcode describes
the source of the problem, which is either Client or Server. If the faultcode is Client, then there
was a problem with the parameters submitted to the API. If the faultcode is Server, then
Peakflow encountered a problem while processing the request.
Note: To apply the configuration, a client could parse this output and replay each command
with this same interface.
Important: If you reboot, you will lose any changes that were not committed.
cliRun
Prototype
cliRun(command, timeout)
Accepted parameters
cliRun accepts the following parameters:
cliRun parameters
timeout unsigned integer The number of seconds that the cliRun call is
allowed to run. If the call is not completed in the
specified amount of time, Peakflow SP throws a
fault. If you specify 0 for the timeout, then Peakflow
SP uses the default value of 30 seconds.
Return value
cliRun returns the following value:
accountAdd
Prototype
accountAdd(AccountConfiguration)
Accepted parameter
accountAdd accepts the following parameter:
accountAdd parameter
Note: You can enter an empty value for optional arguments, which indicates that the
parameter is unspecified.
AccountConfiguration
AccountConfiguration contains the following data about an account:
AccountConfiguration elements
Return values
accountAdd returns the following value:
accountDelete
Prototype
accountDelete(name)
Accepted parameter
accountDelete accepts the following parameter:
accountDelete parameter
Return value
accountDelete returns the following value:
accountChangePassword
Prototype
accountChangePassword(name, device, password)
Accepted parameters
accountChangePassword accepts the following parameters:
accountChangePassword parameters
Return value
accountChangePassword returns the following value:
accountChangeGroup
Prototype
accountChangeGroup(name, device, group, capabilityLevel)
Accepted parameters
accountChangeGroup accepts the following parameters:
accountChangeGroup parameters
group string The new account group with which you want to
associate the account.
Return value
accountChangeGroup returns the following value:
Introduction
This chapter includes information about the supported report functions in the current Peakflow
SP SOAP API. These functions retrieve data for configured Wizard reports in the Web UI.
You can download the PeakflowSP.wsdl file for a complete specification of the data types
used for each current SOAP API report function’s parameters and return values. The WSDL
file is downloaded as part of the API SDK (Administration > Download Arbor API SDK).
In this section
This section contains the following topics:
queueReportToRun 102
getReportList 103
getReportListXML 105
getReportResultsList 106
getReportResultsListXML 108
getLastReportResultAsCSV 109
getLastReportResultAsXML 110
getLastReportResultAsPDF 111
getReportResultAsCSV 112
getReportResultAsXML 113
getReportResultAsPDF 114
runXmlQuery 115
getTrafficGraph 117
queueReportToRun
Prototype
queueReportToRun(name)
Accepted parameter
queueReportToRun enters a report into the run queue and accepts the following parameter:
queueReportToRun parameter
Return value
queueReportToRun returns the following value:
getReportList
Prototype
getReportList(filter, count)
Accepted parameters
getReportList returns a list of all configured wizard reports on the system and accepts the
following parameters:
getReportList parameters
Return value
getReportList returns the following value:
ReportConfiguration
ReportConfiguration describes a report’s configuration and contains the following elements:
ReportConfiguration elements
tags string (Optional) One or more tags that are applied to a report.
getReportListXML
Prototype
getReportListXML(filter, count)
Accepted parameters
getReportListXML returns a list of all configured wizard reports on the system and accepts the
following parameters:
getReportListXML parameters
Return value
getReportListXML returns the following value:
getReportResultsList
Prototype
getReportResultsList(filter, count)
Accepted parameters
getReportResultsList returns a list of meta-data about all available configured report results. It
accepts the following parameters:
getReportResultsList parameters
Return value
getReportResultsList returns the following value:
ReportResult
ReportResult describes a report’s results and contains the following elements:
ReportResult elements
tags string (Optional) One or more tags that are applied to a report.
request_time_ dateTime The date and time when an alert started, in the following ISO
iso 8601 format:
n CCYY-MM-DDThh:mm:ss
request_method string The method by which the report was run, which can be one of
the following:
n manual
n scheduled
requested_by string The user configured to receive the report when it is complete.
getReportResultsListXML
Prototype
getReportResultsListXML(filter, count)
Accepted parameters
getReportResultsListXML returns a list of meta-data about all available configured report
results. It accepts the following parameters:
getReportResultsListXML parameters
Return value
getReportResultsListXML returns the following value:
getLastReportResultAsCSV
Prototype
getLastReportResultAsCSV(name)
Accepted parameter
getLastReportResultAsCSV returns the output of the specified wizard report in CSV format.
Note: Wizard reports that contain complex data types (for example, alerts and mitigations) are
not supported in CSV format.
Peakflow SP returns the results in a zip file that contains one CSV file per query in the report. It
accepts the following parameter:
getLastReportResultAsCSV parameter
Return value
getLastReportResultAsCSV returns the following value:
getLastReportResultAsXML
Prototype
getLastReportResultAsXML(name)
Accepted parameter
getLastReportResultAsXML returns the output of the specified wizard report in XML format. It
accepts the following parameter:
getLastReportResultAsXML parameter
Return value
getLastReportResultAsXML returns the following value:
getLastReportResultAsPDF
Prototype
getLastReportResultAsPDF(name)
Accepted parameter
getLastReportResultAsPDF returns the output of the specified wizard report in PDF format. It
accepts the following parameter:
getLastReportResultAsPDF parameter
Return value
getLastReportResultAsPDF returns the following value:
getReportResultAsCSV
Prototype
getReportResultAsCSV(name, request_time)
Accepted parameters
getReportResultAsCSV returns the output of the specified wizard report, at a specified run
time, in CSV format.
Note: Wizard reports that contain complex data types (for example, alerts and mitigations) are
not supported in CSV format.
Peakflow SP returns the results in a zip file that contains one CSV file per query in the report. It
accepts the following parameters:
getReportResultAsCSV parameters
Return value
getReportResultAsCSV returns the following value:
getReportResultAsXML
Prototype
getReportResultAsXML(name, request_time)
Accepted parameters
getReportResultAsXML returns the output of the specified wizard report, at a specified run
time, in XML format. It accepts the following parameters:
getReportResultAsXML parameters
Return value
getReportResultAsXML returns the following value:
getReportResultAsPDF
Prototype
getReportResultAsPDF(name, request_time)
Accepted parameters
getReportResultAsPDF returns the output of the specified wizard report, at a specified run
time, in a PDF file. It accepts the following parameters:
getReportResultAsPDF parameters
Return value
getReportResultAsPDF returns the following value:
runXmlQuery
Prototype
runXmlQuery(query)
Accepted parameter
runXmlQuery accepts the following parameter:
runXmlQuery parameter
For current XML report specifications, see “Using Customized Reports” in the Peakflow SP
and Threat Management System (TMS) User Guide.
...
</query>
</peakflow>
runXmlQuery outputs
The query returns detailed sample data for items matching the query. The results are returned in
the standard Peakflow SP XML data format, as if it was downloaded directly from the Peakflow
SP Web UI.
getTrafficGraph
Prototype
getTrafficGraph(query, graph_configuration)
Accepted parameters
getTrafficGraph accepts the following parameters:
getTrafficGraph parameters
graph_ string An XML representation that specifies the following for the graph:
configuration n (Optional) the title of the graph
n (Optional) the y-axis label
n (Optional) the width of the graph
n (Optional) the height of the graph
n (Optional) whether you want to include a legend with the
graph
<peakflow version=\"2.0\">
<graph id=\"graph1\">
<title>Google Daily Traffic</title>
<ylabel>bps</ylabel>
<width>800</width>
<height>300</height>
<legend>1</legend>
</graph>
</peakflow>
Return value
getTrafficGraph returns the following value:
Introduction
Peakflow SP supports its classic SOAP API, which allows you to have programmatic access to
the data on Peakflow SP appliances. This chapter includes an introduction to the classic
SOAP API and how to use it with the Python and PHP package. Information about using the
classic SOAP API with Java is described in the next chapter.
Important: The classic SOAP API has been deprecated and support is limited to bugs that
break the service completely. The classic SOAP API is maintained only as a courtesy to
customers until they can migrate to the current SOAP API or to the Arbor Web Services API.
Individual functions in the classic SOAP API may not work in releases after Peakflow SP 7.0.
In this section
This section contains the following topics:
Using the SOAP API in Peakflow SP 122
Getting Started 124
Installing the Peakflow SP SOAP Python Client 125
Viewing Classic SOAP API Examples in PHP 126
Introduction
The SOAP API in Peakflow SP is implemented by the SP leader appliance or a non-leader
appliance that has the user interface role. You can access the SOAP API using HTTPS.
Note: The SOAP interface requires Digest Authentication using either the user name “arbor”
and your zone secret as the password or the user name and password of a user whose account
has been assigned the sp_soap capability token.
References
For more information about SOAP API, see the following references:
n SOAP v1.1: http://www.w3.org/TR/2000/NOTE-SOAP-20000508/
n WSDL v1.1: http://www.w3.org/TR/wsdl
n XMLSchema: http://www.w3.org/TR/xmlschema-0/
n ZSI (a Python SOAP framework) documentation: http://pywebsvcs.sourceforge.net/zsi.html
Note: There is a known bug with Digest Authentication in ZSI that causes all calls to the
SOAP API to fail. See http://sourceforge.net/p/pywebsvcs/bugs/285/ for information about
the bug and how to fix it.
n Java (Oracle Technology Network): http://www.oracle.com/technetwork/java/index.html
n Apache Axis: http://ws.apache.org/axis/
The files in these packages provide an XML specification for the Peakflow SP XML Query and
XML Report formats. XML reports always include an XML query. XML queries are not used
outside of an XML report, except with the SOAP API call getTrafficData().
For an example of an XML report query, see the samples in the SOAP package or Appendix B,
“XML Specifications” in the Peakflow SP and Threat Management System (TMS) User Guide.
<service name="PeakflowSPService">
<port name="PeakflowSPPort" binding="tns:PeakflowSPBinding">
<soap:address location="https://peakflowsp/cgi-bin/soap"/>
</port>
</service>
Method Procedure
Method 1 1. Set the FQDN on the Peakflow SP appliance using the following
command: / system name set host.domain.ext.
2. Change the name of the appliance in the SP configuration using
the following command: / services sp devices rename
oldnamenewname
Note: You must download the WSDL file from the Peakflow SP Web
UI in order to show the changed address. The WSDL file is downloaded
as part of the API SDK (Administration > Download Arbor API
SDK).
Method 3 Programmatically change the endpoint URL within the code. Most
client-side SOAP libraries provide a facility by which you can change
the endpoint URL programatically to redirect the transactions with the
web service.
Getting Started
Introduction
The Peakflow API works well with the following:
n Python using the ZSI 1.5 SOAP package
Note: There is a known bug with Digest Authentication in ZSI that causes all calls to the
SOAP API to fail. See
http://sourceforge.net/tracker/index.php?func=detail&aid=2936589&group_
id=26590&atid=387667 for information about the bug and how to fix it.
n PHP
n Java and Apache Axis 1.4
This topic provides information about and instructions for using Python as well as Java and
Apache Axis with the Peakflow API.
Using the example XML reports and queries included in the SOAP package
The binby_router.xml file contains an example XML query for use with getTrafficData(). The file
report.xml contains an example XML report for use with getTrafficGraph().
The XML query format is described in Appendix B, “XML Specifications” of the Peakflow SP
and Threat Management System (TMS) User Guide and in the XML schema files included in
the SOAP package.
Note: As an alternative, you can create your own client interface in Perl, Java, or another
language. Select an appropriate SOAP package for that language and use the
PeakflowSP.wsdl file to generate your own client-side interface.
Introduction
This topic describes how to install the Peakflow SP SOAP Python client.
Procedure
To install the Peakflow SP SOAP Python client:
1. Download the Arbor SDK from the Web UI (Administration > Download Arbor API
SDK).
The example SOAP clients are located in the Classic folder.
2. Install the following third-party packages:
l py-ZSI 1.5–You can download the ZSI 1.5 package for Python from
http://pywebsvcs.sourceforge.net/zsi.html.
l pyXML 0.6 or later–You can download the XML package for Python from
http://python.org.
l Python 2.3 or later–You can download Python from
http://python.org.
3. Run the sudo Python setup application. This installs the necessary sp.soap Python library
into your Python site-packages location.
4. Test the script by running the following:
./soap_client.py -h leader_appliance -z zone_secret \ -c
getAlertSummaries -o offset=0 -o count=10
where:
leader_appliance = the name of the leader appliance
zone_secret = the word or phrase that is used by all appliances in the system for
internal communication
5. Run the following command to get its usage and a list of examples:
./soap_client.py -h
Note: There is a known bug with Digest Authentication in ZSI that causes all calls to the
SOAP API to fail. See
http://sourceforge.net/tracker/index.php?func=detail&aid=2936589&group_
id=26590&atid=387667 for information about the bug and how to fix it.
Introduction
The PHP SOAP client shows examples of the classic SOAP API written in PHP. You can use
the examples to determine how to use many of the Peakflow SP classic SOAP API calls. Arbor
recommends using PHP because it is easy to use and well-supported.
Note: If you do not have SOAP support enabled in your PHP build, you can download a
current PHP source package from http://www.php.net/downloads.php. Follow the building and
installation instructions included with the source package. To enable SOAP support, include
the “--enable-soap” option when running the build’s “configure” script.
Introduction
This chapter provides information about and instructions for using Java and Axis with the
classic Peakflow SOAP API.
In this section
This section contains the following topics:
Prerequisites for Using Java/Axis with the SP SOAP Interface 128
Configuring Certificates 130
Generating the Client Proxy Code 132
Using the Client Proxy Code 133
Using the Utility Package 135
Working with the Sample Code for Java/Axis 136
Building and Running the Sample Projects 138
Fault Handling 147
Capturing the XML Request and Response 148
Introduction
This topic describes the component and configuration prerequisites for using Java/Axis with the
classic SP SOAP Interface.
Requirements
The information and examples included in this chapter use the following configuration:
n Java JDK 5.0 Update 9 or higher
n Apache Axis 1.4 -- http://ws.apache.org/axis/
Note: Due to a known issue in the Axis 1.4 release build (AXIS-2394), you may want to use
an Axis 1.4 nightly build for Peakflow SP SOAP client development.
n Apache Commons HttpClient, version 3.1 -- http://hc.apache.org/httpclient-3.x/
Note: In Peakflow SP versions 5.0 and later, clients must support HTTP Digest
Authentication. To enable this behavior, the Commons HTTPSender is selected as the
HTTP transport in client-config.wsdd. Clients must also either force HTTP/1.0 or disable
chunked encoding with the present server implementation. The Java client example forces
HTTP/1.0 for SOAP transactions. To disable chunked encoding instead, use the following
Java statement:
pfspStub._setProperty
(org.apache.axis2.transport.http.HTTPConstants.CHUNKED,”false”)
n Apache Commons Codec, version 1.2 or higher -- http://commons.apache.org/codec/
Classpath notes
The Axis toolkit has a number of jar files that Java must be able to find. These include the
following:
n axis.jar
n axis-ant.jar
n axis-schema.jar
n commons-discovery-0.2.jar
n commons-logging-1.0.4.jar
n jaxrpc.jar
n saaj.jar
n wsdl4j-1.5.1
n log4j-1.2.8.jar (or whatever is appropriate for your chosen logging implementation)
Note: All of these Axis class .jar files should be added to the AXISCLASSPATH environment
variable.
In addition, the following classes from the Apache Commons project must be somewhere in
your classpath:
n commons-httpclient-3.1.jar
n commons-codec-1.2.jar
Note: This guide assumes that variables were configured as described in the “Classpath
Setup” section of the Axis Installation Guide. As such, this guide includes simpler, rather than
detailed, references to variables like AXIS_HOME and AXISCLASSPATH.
For more information, see the following page detailing the Axis classpath:
http://ws.apache.org/axis/java/install.html#ClasspathSetup
Digest authentication
Starting with version 5.0, Peakflow SP uses Digest authentication for HTTPS connections.
You must configure your Java Axis environment to perform Digest authentication in order to use
the Peakflow SP Java SOAP client. The Peakflow SP Java client examples are configured to
perform Digest authentication by default, using the Apache Commons HttpClient.
Configuring Certificates
Introduction
All Peakflow API calls are encrypted with SSL (as HTTPS) to protect the privacy of your data.
Use of the Peakflow API is therefore subject to SSL certificate configuration.
When you use a browser to display an SSL encrypted site, you may be prompted to configure a
certificate if the certificate was not issued by a trusted certificate authority or if there is another
certificate issue. However, when you attempt to make an SSL connection programmatically,
there is not an automated mechanism for interactive prompting. Because of this, a connection
that normally results in a prompt for the user results in a failed connection for a Web service
client application.
Before using the Peakflow API, you must configure the Java environment to accept the
certificate of the Peakflow appliance. You can download the certificate from the Peakflow
appliance and then install it into a system-wide Java keystore as described below.
Note: A password is required to change the cacerts keystore (the keytool will prompt you for
this password). The default password for the cacerts keystore is changeit. You may want to
change this for security purposes.
Completion of these steps configures the Java environment to allow connections to the
Peakflow appliance.
Introduction
To generate Web service client proxy code for the Peakflow API, use the WSDL2Java tool that
is provided with Axis. WSDL2Java is part of the org.apache.axis.wsdl package and uses the
following syntax:
java [-cp <classpath>] org.apache.axis.wsdl.WSDL2Java [options]
You can use the WSDL2Java tool to process remote WSDL documents that are specified by
URL or local WSDL documents that are specified by path. The generated client code is
created in a package hierarchy rooted in the current working directory.
Note: For WSDL documents specified by URL, WSDL2Java connects to the Web service
server and then downloads the WSDL document and process.
If successful, the generated client proxy code is created as a PeakflowSP package, rooted in
the current working directory. A directory hierarchy appropriate for this package (for example,
PeakflowSP/PeakflowSP/… ) is created in the current directory.
Introduction
The following sections detail the steps required to use the generated client proxy code in a
Java/Axis project.
Task Overview
After the client proxy code is generated, perform the following required tasks to begin using the
Peakflow API:
1. Import the classes into your Java project.
2. Create and initialize the necessary interface objects.
3. Supply the proper authentication credentials to the interface.
4. Import and add handling for the AxisFault class for SOAP faults.
5. Add proper handling of response values.
The following code shows an example of these steps for creating and initializing the pfspPort
object:
PeakflowSPServiceLocator pfspLocator = new PeakflowSPServiceLocator();
PeakflowSPPort pfspPort = pfspLocator.getPeakflowSPPort();
Note: Verify that you have your Java Axis environment configured to perform Digest
authentication.
The following code shows an example of these steps to set up authentication:
PeakflowSPBindingStub pfspStub = (PeakflowSPBindingStub)pfspPort;
pfspStub.setUsername("arbor");
pfspStub.setPassword("<<zonesecret>>");
Note: For users who do not have the sp_soap capability, the SOAP interface requires
authentication using the user name arbor and their zone secret as the password.
Note: You must use the proper exception handling with try-catch blocks that include handling
of the AxisFault class for SOAP faults. AxisFaults represent the error conditions that can
occur during SOAP operations with Java/Axis.
For more information about AxisFaults and their content, see “Fault Handling” on page 147.
Response handling
The output for all of the Configuration Management functions are returned in the standard
Peakflow SP XML data format with a base64-encoded query-reply text node.
The following XML snippet shows an example result from an accountAdd operation:
<?xml version="1.0"?>
<peakflow version="1.0" release="7.6">
<query-reply name="accountAdd" type="text"> T0s= </query-reply>
</peakflow>
Note: With the exception of the cliRun operation, the normal return value for successful
completion of the operations documented below is OK. The example above reflects the result
from the successful completion of an accountAdd operation—the text node value is the
base64-encoded representation of OK.
A Peakflow SP SOAP client application will need to parse the returned XML blob to extract the
query-reply text node. The value of this text node is base64-encoded and must be decoded to
get the plaintext result value.
Note: The Peakflow SP Utility package (described in the next section) includes helper
functions to assist with the processing of response values.
Introduction
A Peakflow SP Utility package was created with some simple helper functions that you might
find useful while developing Peakflow SP SOAP client code with Java/Axis. The sample code,
discussed in the sections below, uses this package. The use of this package is not required but
provides a shared codebase of common methods and allows for the samples themselves to be
as simple as possible with a minimum of code duplication. The utility package provides simple
functions to handle base64 encoding and decoding as well as a helper function to parse and
decode a Peakflow SP response value.
Procedure
To import the Peakflow SP Utility classes into your Java project:
1. Confirm that the directory hierarchy (PeakflowSPUtil), containing the Peakflow utility class
(available within the Peakflow SP SOAP Package), is located within your project
directory. If it is not, copy it there.
2. Add the following import statement to your referencing Java class:
import PeakflowSPUtil.*;
Example
You can use the simple utility functions within the PeakflowSPUtil package once they are
imported into your project. The functions are all static member functions within the PfSPUtil
class and can be called without creation of a class instance.
The following code is an example of how to use the getResultFromXML function:
try
{
...
String strResultXML = pfspPort.cliRun(strCommand);
System.out.println(PfSPUtil.getResultFromXML(strResultXML));
...
}
catch(AxisFault e)
{
e.printStackTrace();
}
Introduction
This section provides a few example projects that integrate all of the elements discussed earlier
into applications that use the classic Peakflow API to query and display data from the Peakflow
appliance. The SDK includes the source code and the necessary project files and scripts.
Note: An existing pfspproxy client proxy package is included but is intended to be only a
placeholder.
For information on generating the PeakflowSP package, see “Generating the Client Proxy
Code” on page 132.
Introduction
You can use the script files in the SDK to build and run the sample projects after you perform
the following actions:
n either replace the client proxy code or change the endpoint URL
n update the user name and password to customize the sample code for your Peakflow
appliance
The script files are located in the project directories (pfspsample1, pfspsample2). Use the
build scripts (build.sh for Unix; build.cmd for Windows) to build a project, and then use the
test scripts (testit.sh for Unix; testit.cmd for Windows) to run a project.
Sample 1 listing
The following example shows the listing of the first sample project:
import java.io.BufferedReader;
import java.io.InputStreamReader;
import org.apache.axis.AxisFault;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import PeakflowSP.*;
import PeakflowSPUtil.*;
try
{
PeakflowSPServiceLocator pfspLocator = new PeakflowSPServiceLocator();
// The client proxy code can be customized for a particular Peakflow
SP installation by either:
//
// (1) Generating the client proxy code from the WSDL document
downloaded
// directly from the Peakflow SP interface (from the
Scripting Interface
// page or the Scoped UI Settings page).
// (2) Or, by programmatically modifying the endpoint using
the code below.
// To do so, uncomment the code below and change 'peakflowsp' to
the address of
// the Peakflow SP box.
//
// String strAddress = pfspLocator.getPeakflowSPPortAddress();
// String strNewAddress = strAddress.replaceAll("@@HOSTNAME@@",
"peakflowsp");
// pfspLocator.setPeakflowSPPortEndpointAddress(strNewAddress);
while(true)
{
System.out.println("");
int nChoice = 0;
try { nChoice = Integer.valueOf(input).intValue(); }
catch (NumberFormatException e) { continue; }
if (nChoice == 0)
break;
else if (nChoice == 1)
{
String strPassword = "sample";
String strGroup = "arbor_user";
String strMenu = ""; // Use default
String strTimezone = ""; // Use default
String strScope = ""; // Use default
String strRealname = "Java/Axis1 Sample Account";
String strEmail = "";
System.out.println("");
System.out.println("Calling PeakflowSPPort.accountAdd(" +
toQuotedString(strAccountName) + "," + toQuotedString(strPassword) +
"," + toQuotedString(strGroup) + "," + toQuotedString(strMenu) + "," +
toQuotedString(strTimezone) + "," + toQuotedString(strScope) + "," +
toQuotedString(strRealname) + "," + toQuotedString(strEmail) + ")");
System.out.println("");
try
{
String strResultXML = pfspPort.accountAdd(strAccountName, strPassword,
strGroup, strMenu, strTimezone, strScope, strRealname, strEmail);
System.out.println("PeakflowSPPort.accountAdd return value = " +
PfSPUtil.getResultFromXML(strResultXML));
}
catch(AxisFault e)
{
// e.printStackTrace();
Element[] details = e.getFaultDetails();
for(int nIndex = 0; nIndex < details.length; ++nIndex)
{
Node textNode = details[0].getFirstChild();
System.out.println(textNode.getNodeValue());
}
}
catch(Exception e)
{
e.printStackTrace();
}
}
else if (nChoice == 2)
{
System.out.println("");
System.out.println("Calling PeakflowSPPort.accountDelete(" +
toQuotedString(strAccountName) + ")");
System.out.println("");
try
{
String strResultXML = pfspPort.accountDelete(strAccountName);
System.out.println("PeakflowSPPort.accountDelete return value = " +
PfSPUtil.getResultFromXML(strResultXML));
}
catch(AxisFault e)
{
// e.printStackTrace();
Element[] details = e.getFaultDetails();
for(int nIndex = 0; nIndex < details.length; ++nIndex)
{
Node textNode = details[0].getFirstChild();
System.out.println(textNode.getNodeValue());
}
}
catch(Exception e)
{
e.printStackTrace();
}
System.out.println("");
System.out.println("Press <ENTER> to continue ...");
stdin.readLine();
}
}
catch (Exception e)
{
System.out.println("An exception was encountered: " + e);
e.printStackTrace();
}
}
Sample 1 output
The output of the first sample project that demonstrates the addition and deletion of accounts
will be similar to the following:
PeakflowSP Java/Axis1 SOAP Sample #1
Choice: 1
Choice: 2
Calling PeakflowSPPort.accountDelete("PfSPSampleUser")
Choice: 0
Sample 2 listing
The following example shows the listing of the second sample project:
import java.io.BufferedReader;
import java.io.InputStreamReader;
import org.apache.axis.AxisFault;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import PeakflowSP.*;
import PeakflowSPUtil.*;
try
{
PeakflowSPServiceLocator pfspLocator = new PeakflowSPServiceLocator();
pfspStub.setUsername("arbor");
pfspStub.setPassword("<<zonesecret>>");
System.out.println("");
System.out.println("Entering Pseudo-CLI Mode ('/x' to exit)...");
System.out.println("");
while(true)
{
try
{
System.out.print("# ");
String strCommand = stdin.readLine();
if (strCommand.compareToIgnoreCase("/x") == 0)
{
System.out.println("");
System.out.println("Exiting Pseudo-CLI Mode...");
System.out.println("");
return;
}
System.out.println(PfSPUtil.getResultFromXML(strResultXML));
}
catch(AxisFault e)
{
// e.printStackTrace();
Element[] details = e.getFaultDetails();
for(int nIndex = 0; nIndex < details.length; ++nIndex)
{
Node textNode = details[0].getFirstChild();
System.out.println(textNode.getNodeValue());
}
}
}
}
catch (Exception e)
{
System.out.println("An exception was encountered: " + e);
e.printStackTrace();
}
}
Sample 2 output
The output of the second sample project that allows for the execution of specified CLI
commands for Peakflow will be similar to the following (subject to the commands specified):
Entering Pseudo-CLI Mode ('/x' to exit)...
# / ?
# / services sp show
# /x
Fault Handling
Introduction
You must properly handle AxisFaults in your application. This means having the proper catch
blocks to catch exceptions of this type and then processing them accordingly.
See “Generating the client proxy code with WSDL2Java” on page 132.
AxisFault fields
The following table shows the AxisFault fields returned by the Peakflow API and what they
mean:
AxisFault fields
Field Description
faultCode The faultCode field describes the source of the problem, which is
either Client or Server.
n If the faultCode is Client, it means that there was a problem with
the parameters submitted to the API.
n If the faultCode is Server, it means that Peakflow encountered an
unexpected problem while processing the request.
faultString A descriptive string that explains the source of the error.
n If the faultCode is Client, the faultString will be “Client Error”.
n If the faultCode is Server, the faultString will be “Server
Error”.
details A descriptive string that explains the nature of the fault.
Example: The accountAdd operation may result in an AxisFault for
an existing account with the same name, as shown in “About the
Configuration Management Functions” on page 172. This type of
details would look like:
“Local user already exists "PfSPSampleUser": ...“
Introduction
It may be helpful to capture the XML request and response messages for debugging purposes.
Axis allows you to log these messages to a file of your choice. To do this, you must create a
client-config.wsdd in the application’s working directory.
Example
The following example shows the content of the client-config.wsdd that accomplishes this:
<!-- Save this file as "client-config.wsdd" in the working directory
of your Axis client. Axis will load it automatically. The
configuration here tells Axis to save all incoming and outgoing
XML into a file named "axis.log"
-->
<deployment xmlns="http://xml.apache.org/axis/wsdd/"
xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
<handler name="log" type="java:org.apache.axis.handlers.LogHandler"/>
<globalConfiguration>
<requestFlow>
<handler type="log"/>
</requestFlow>
<responseFlow>
<handler type="log"/>
</responseFlow>
</globalConfiguration>
<transport name="http"
pivot="java:org.apache.axis.transport.http.HTTPSender"/>
</deployment>
Note: All of the sample Java/Axis projects include a client-config.wsdd, configured as shown
above.
Introduction
This chapter includes information about the supported alert functions in the Peakflow SP
classic SOAP API.
You can download the PeakflowSPClassic.wsdl file for a complete specification of the
data types used for each classic SOAP API alert function’s parameters and return value. The
WSDL file is downloaded as part of the API SDK (Administration > Download Arbor API
SDK).
In this section
This section contains the following topics:
getAlertSummaries 150
getAlertInterfaces 155
getAlertInterfaceDetails 158
getAlertInterfacesXML 163
getAlertRouterInterfacesXML 165
getAlertGraph 167
getAlertGraphData 168
getAlertStatisticsRaw and sqlQuery 170
getAlertSummaries
Prototype
getAlertSummaries(filter, count, offset )
Accepted parameters
getAlertSummaries accepts the following parameters:
getAlertSummaries parameters
offset unsigned integer Designates to skip the first offset alerts (sorted
by alert ID).
AlertSummaryFilter elements
AlertSummaryFilter is a complex type that contains the following elements:
AlertSummaryFilter element
Return values
getAlertSummaries returns the following values:
offset unsigned integer The offset of the returned alerts (as sorted by
alert ID).
AlertSummary elements
The AlertSummary record describes a single alert and contains the following elements:
AlertSummary elements
AlertCharacterization
AlertCharacterization describes alert traffic and contains the following elements:
AlertCharacterization elements
Example: PHP
The following is a PHP example of calling the getAlertSummaries SOAP function for an alert,
skipping the five most recent alerts and returning the two alerts prior to that:
$count = 2;
$offset = 5;
$filter = array('parentProfile' => 'myCustomer');
Prints:
Array
(
[count] => 2
[offset] => 5
[summaries] => Array
(
[0] => stdClass Object
(
[alertId] => 345389
[active] => 0
[srcCidr] => 0.0.0.0/0
[dstCidr] => 2.3.2.5/32
[direction] => Incoming
[startTime] => 1254248832
[stopTime] => 1254249153
[type] => TCP RST
[importance] => 0
[profile] => myCustomer
[characterization] => stdClass Object
(
[src] => 1.1.2.1/32
[dst] => 2.3.3.5/32
[srcPorts] => 1296-1297
[dstPorts] => 80-81
[protocols] => -
[tcpFlags] => 31
)
[tcpFlags] => 29
)
Example: Python
The following is a Python example of calling the getAlertSummaries SOAP function for an
alert, skipping the five most recent alerts and returning the two alerts prior to that:
soap_client.py -h my_sp_leader -z my_zone_secret -c getAlertSummaries
-o count=2 -o offset=5
getAlertInterfaces
Prototype
getAlertInterfaces(alertId)
Accepted parameters
getAlertInterfaces accepts the following parameter:
getAlertInterfaces parameters
Return values
getAlertInterfaces returns the following value:
AlertInterface elements
AlertInterface contains the following elements:
AlertInterface elements
Example: PHP
The following is an example of calling the getAlertInterfaces SOAP function using PHP:
$alertId = 344317;
$result = $client->getAlertInterfaces($alertId);
if (is_soap_fault($result)) {
$result = array(
'faultcode' => $soap_result->faultcode,
'faultstring' => $soap_result->faultstring
);
}
print_r($result);
Prints:
Array
(
[0] => stdClass Object
(
[name] => GigabitEthernet0/2.0
[descr] => myCustomer VLAN
[ip] => 1.1.2.2
[snmp_index] => 29
[iface_id] => 1179678
[mean_bps] => 6289.000000
[mean_pps] => 107.000000
[max_bps] => 17702.000000
[max_pps] => 314.000000
)
Example: Python
The following is an example of calling the getAlertInterfaces SOAP function using Python:
soap_client.py -h myleader -z mysecret -c getAlertInterfaces -o
alertId=344317
getAlertInterfaceDetails
Prototype
getAlertInterfaceDetails(alertId, interfaceIp)
Accepted parameters
getAlertInterfaceDetails accepts the following parameters:
getAlertInterfaceDetails parameters
interfaceIp string The IP address of the interface that saw traffic for the
specified alert.
Return values
getAlertInterfaceDetails returns the following value:
AlertInterfaceDetail
AlertInterfaceDetail contains details about the alert traffic seen on the specified interface for a
specified alert and contains the following elements:
AlertInterfaceDetail elements
meanBitsPerSec float The average traffic rate in bps for all alert
traffic matching the type and typeData
attributes.
meanPktsPerSec float The average traffic rate in pps for all alert
traffic matching the type and typeData
attributes.
Example: PHP
The following is an example of calling the getAlertInterfaceDetails SOAP function using PHP:
$alertId = 344317;
$interfaceIp = '1.1.2.2';
);
}
print_r($result);
Prints:
Array
(
[0] => stdClass Object
(
[type] => tcpFlag
[typeData] => 31
[totalBytes] => 1084141
[totalPkts] => 19038
[meanBytesPerPkt] => 56.946160
[meanBitsPerSec] => 48184.044444
[meanPktsPerSec] => 105.766667
)
Example: Python
The following is an example of calling the getAlertInterfaceDetails SOAP function using
Python:
soap_client.py -h myleader -z mysecret -c getAlertInterfaceDetails
-o alertId=344317 -o interfaceIp=1.1.2.2
getAlertInterfacesXML
Prototype
getAlertInterfacesXML(alertId)
Accepted parameter
getAlertInterfacesXML accepts the following parameter:
getAlertInterfacesXML parameters
Return values
getAlertInterfacesXML returns an XML version of the same values as the getAlertInterfaces
function.
For more information about the getAlertInterfaces return values, see “Return values” on page
155.
Example: PHP
The following is an example of calling the getAlertInterfacesXML SOAP function using PHP:
$alertId = 344317;
$result = $client->getAlertInterfacesXml($alertId);
if (is_soap_fault($result)) {
$result = array(
'faultcode' => $soap_result->faultcode,
'faultstring' => $soap_result->faultstring
);
}
print_r($result);
Prints:
<?xml version="1.0"?>
<peakflow version="1.0" release="7.6">
<query-reply name="getAlertInterfaces-query" type="soap">
<interface name="GigabitEthernet0/2.0" descr="myCustomer VLAN"
gid="1179678" snmp_index="29" ip="1.1.2.2" sample_id="" max_bps="17702"
mean_bps="6289" max_pps="314" mean_pps="107"/>
</query-reply>
</peakflow>
Example: Python
The following is an example of calling the getAlertInterfacesXML SOAP function using Python:
soap_client.py -h myleader -z mysecret -c getAlertInterfacesXml
-o alertId=344317
getAlertRouterInterfacesXML
Prototype
getAlertRouterInterfacesXML(alertId)
Accepted parameter
getAlertRouterInterfacesXML accepts the following parameter:
getAlertRouterInterfacesXML parameter
Return value
getAlertRouterInterfacesXML returns the following value:
Example: PHP
The following is an example of calling the getAlertRouterInterfacesXML SOAP function using
PHP:
$alertId = 344317;
$result = $client->getAlertRouterInterfacesXml($alertId);
if (is_soap_fault($result)) {
$result = array(
'faultcode' => $soap_result->faultcode,
'faultstring' => $soap_result->faultstring
);
print_r($result);
Prints:
<?xml version="1.0"?>
<peakflow version="1.0" release="7.6">
<query-reply name="getAlertRouterInterfaces" type="soap">
<router am_start="-1.0" am_stop="-1.0" exp_bps="0.0" exp_pps="500.0"
expected="500.0" importance="0" ip="198.110.209.9" lrm="0.0589" max_
bps="17702" max_pps="314" mean_bps="6289" mean_pps="107"
name="myrouter" rate_unit="pps" router_gid="18" router_id="18" rtr_
addr="164720326" sample_id="" type="router" >
<interface descr="myCustomer VLAN" gid="1179678" iface_id="1179678"
ip="1.1.2.3" max_bps="17702" max_pps="314" mean_bps="6289" mean_
pps="107" name="GigabitEthernet0/2.0" router_address="9.1.9.9" router_
gid="18" sample_id="" snmp_index="29" />
</router>
</query-reply>
</peakflow>
Example: Python
The following is an example of calling the getAlertRouterInterfacesXML SOAP function using
Python:
soap_client.py -h myleader -z mysecret -c getAlertRouterInterfacesXml
-o alertId=344317
getAlertGraph
Prototype
getAlertGraph(alertId, size)
Accepted parameters
getAlertGraph accepts the following parameters:
getAlertGraph parameters
size string The size of the graph, which can be one of the
following:
n small (for a thumbnail)
n large (for 600x400)
n larger (for 800x600)
Return values
getAlertGraph returns the following value:
getAlertGraphData
Prototype
getAlertGraphData(alertId, unit, limit, element_limit)
Accepted parameters
getAlertGraphData accepts the following parameters:
getAlertGraphData parameters
unit string Specifies the type of data that you want returned. You can type
either bps or pps.
Note: This parameter is optional.
limit unsigned Specifies the number of data points to return for each network
integer element. Data is sampled over the life of an alert to return an even
distribution of points.
Note: This parameter is optional, and the default setting is 100.
element_ unsigned Specifies the number of network elements for which you want the
limit integer system to return data.
Note: This parameter is optional, and the default setting is 100.
Return values
getAlertGraphData returns the following value:
Example
The following is an example of calling the getAlertGraphData function using PHP:
<?xml version="1.0" encoding="utf=8"?>
Introduction
This chapter includes information about the supported configuration management functions in
the Peakflow SP classic SOAP API.
You can download the PeakflowSPClassic.wsdl file for a complete specification of the
datatypes used for each classic SOAP API function’s parameters and return value. The WSDL
file is downloaded as part of the API SDK (Administration > Download Arbor API SDK).
In this section
This section contains the following topics:
About the Configuration Management Functions 172
cliRun 174
accountAdd 175
accountDelete 178
accountChangePassword 180
accountChangeGroup 181
Introduction
Peakflow SP supports the following configuration management functions:
n cliRun
n accountAdd
n accountDelete
n accountChangePassword
n accountChangeGroup
You can download the PeakflowSPClassic.wsdl file for a complete specification of the
data types used for each classic SOAP API function’s parameters and return value. The WSDL
file is downloaded as part of the API SDK (Administration > Download Arbor API SDK).
Output format
The output for all of the Configuration Management functions are returned in the standard
Peakflow SP XML data format with a base64-encoded query-reply text node.
The following XML snippet shows an example result from an accountAdd operation:
<?xml version="1.0"?>
<peakflow version="1.0" release="7.6">
<query-reply name="accountAdd" type="text"> T0s= </query-reply>
</peakflow>
Note: With the exception of the cliRun operation, the normal return value for successful
completion of the operations documented below is OK. The example above reflects the result
from the successful completion of an accountAdd operation—the text node value is the
base64-encoded representation of OK.
Error handling
Errors that occur during the execution of the Configuration Management operations result in
SOAP faults.
The following example shows a typical SOAP fault message (in this case, for the addition of an
account that already exists):
<SOAP-ENV:Envelope SOAP-
ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:Server</faultcode>
<faultstring>Server error</faultstring>
<detail> /detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Note: The faults that are returned by the Peakflow API contain a descriptive string that
explains the nature of the fault in the detail element, as shown above. The faultcode describes
the source of the problem, which is either Client or Server. If the faultcode is Client, then there
was a problem with the parameters submitted to the API. If the faultcode is Server, then
Peakflow encountered a problem while processing the request.
Note: To apply the configuration, a client could parse this output and replay each command
with this same interface.
Important: If you reboot, you will lose any changes that were not committed.
cliRun
Prototype
cliRun(command)
Accepted parameters
cliRun accepts the following parameters:
cliRun parameter
Return value
cliRun returns the following value:
accountAdd
Prototype
accountAdd(name, password, group, capabilityLevel, device, menu, timezone, realname, email)
Accepted parameters
accountAdd accepts the following parameters:
accountAdd parameters
password string The password for the account that you want to add.
menu string The UI menu system that you want the user of this
account to view.
Note: This parameter is optional.
timezone string The time zone associated with the account that you
want to add.
Note: This parameter is optional.
realname string The full name of the user whose account you want
to add.
Note: This parameter is optional.
email string The email address of the user whose account you
want to add.
Note: This parameter is optional.
Note: You can enter an empty value for optional arguments, which indicates that the
parameter is unspecified.
Return values
accountAdd returns the following value:
Example: PHP
The following is an example of calling the accountAdd SOAP function in PHP:
$user = 'arborman';
$pass = 'Yarhar13';
$group = 'arbor_admin';
$capabilityLevel = 'admin';
$device = 'global';
$realname = 'Arbor Man';
Prints:
<?xml version="1.0"?>
<peakflow version="1.0" release="5.5">
<query-reply name="accountAdd" type="text">
T0s=
</query-reply>
</peakflow>
Example: Python
The following is an example of calling the accountAdd SOAP function in Python:
soap_client.py -h myleader -z mysecret -c accountAdd
-o name=arborman -o password=Yarhar13 -o group=arbor_admin
-o capabilityLevel=admin -o device=global -o realname="Arbor Man"
accountDelete
Prototype
accountDelete(name)
Accepted parameter
accountDelete accepts the following parameter:
accountDelete parameter
Return value
accountDelete returns the following value:
Example: PHP
The following is an example of calling the accountDelete SOAP function in PHP:
$user = 'arborman';
$device = 'global';
Prints:
<?xml version="1.0"?>
<peakflow version="1.0" release="7.6">
</query-reply>
</peakflow>
Example: Python
The following is an example of calling the accountDelete SOAP function in Python:
soap_client.py -h myleader -z mysecret -c accountDelete
-o name=arborman -o -o device=global
accountChangePassword
Prototype
accountChangePassword(name, password, device)
Accepted parameters
accountChangePassword accepts the following parameters:
accountChangePassword parameters
Return value
accountChangePassword returns the following value:
accountChangeGroup
Prototype
accountChangeGroup(name, group, device, capabilityLevel)
Accepted parameters
accountChangeGroup accepts the following parameters:
accountChangeGroup parameters
group string The new account group with which you want to
associate the account.
Return value
accountChangeGroup returns the following value:
Introduction
This chapter includes information about the supported traffic report functions in the Peakflow
SP classic SOAP API.
You can download the PeakflowSPClassic.wsdl file for a complete specification of the
datatypes used for each classic SOAP API traffic report function’s parameters and return
value. The WSDL file is downloaded as part of the API SDK (Administration > Download
Arbor API SDK).
In this section
This section contains the following topics:
getTrafficData 184
getTrafficGraph 187
getTrafficData
Prototype
getTrafficData(query)
Accepted parameter
getTrafficData accepts the following parameter:
getTrafficData parameter
For current XML report specifications, see “Using Customized Reports” in the Peakflow SP
and Threat Management System (TMS) User Guide.
</query>
</peakflow>
getTrafficData outputs
The query returns detailed sample data for items matching the query. The results are returned in
the standard Peakflow SP XML data format, as if it was downloaded directly from the Peakflow
SP Web UI.
Example: PHP
The following is an example of calling the getTrafficData SOAP function using PHP:
$query = <<<END
<?xml version="1.0" encoding="utf-8"?>
<peakflow version="1.0">
<query id="query1" type="traffic">
<time start_ascii="24 hours ago" end_ascii="now"/>
<unit type="bps"/>
<search limit="100" timeout="30"/>
<filter type="application" binby="1"/>
</query>
</peakflow>
END;
$result = $client->getTrafficData($query);
if (is_soap_fault($result)) {
$result = array(
'faultcode' => $soap_result->faultcode,
'faultstring' => $soap_result->faultstring
);
}
print_r($result);
Prints:
<?xml version="1.0"?>
<peakflow version="1.0" release="7.6">
<query id="query1" type="traffic">
<time start_ascii="24 hours ago" end_ascii="now"/>
<unit type="bps"/>
Example: Python
The following is an example of calling the getTrafficData SOAP function using Python:
# cat > query.xml
<?xml version="1.0" encoding="utf-8"?>
<peakflow version="1.0">
<query id="query1" type="traffic">
<time start_ascii="24 hours ago" end_ascii="now"/>
<unit type="bps"/>
<search limit="100" timeout="30"/>
<filter type="application" binby="1"/>
</query>
</peakflow>
^D
getTrafficGraph
Prototype
getTrafficGraph(query)
Accepted parameter
getTrafficGraph accepts the following parameter:
getTrafficGraph parameter
For current XML report specifications, see “Using Customized Reports” in the Peakflow SP
and Threat Management System (TMS) User Guide.
<peakflow version=”1.0”>
<report id=”my_report”>
...
</report>
</peakflow>
Return value
getTrafficGraph returns the following value:
Example: PHP
The following is an example of calling the getTrafficGraph SOAP function using PHP:
$report = <<<END
<?xml version="1.0" encoding="utf-8"?>
<peakflow version="1.0">
<report id="myapplications">
<name>my_applications</name>
<timezone>US/Eastern</timezone>
<query id="query1" type="traffic" flag="map_names">
<time start_ascii="24 hours ago" end_ascii="now"/>
<unit type="bps"/>
<search limit="100" timeout="30"/>
<filter type="application" binby="1"/>
</query>
<graph id="graph">
<title>Traffic per Application</title>
<dataset>query1</dataset>
<type name="stacked" default="yes">
<class>in</class>
<class>out</class>
</type>
<options>
<ylabel>%unit (-In / + Out)</ylabel>
<width>600</width>
<height>400</height>
</options>
</graph>
<chart id="mychart">
<dataset>query1</dataset>
<column id="CHECKBOX"/>
<column id="NAME"/>
<column id="IN"/>
<column id="OUT"/>
<column id="TOTAL" flag="default"/>
</chart>
<output>
<file format="tar"/>
</output>
</report>
</peakflow>
END;
$result = $client->getTrafficGraph($report);
file_put_contents($result, 'graph.png');
Example: Python
The following is an example of calling the getTrafficGraph SOAP function using Python:
cat > report.xml
<?xml version="1.0" encoding="utf-8"?>
<peakflow version="1.0">
<report id="myapplications">
<name>my_applications</name>
<timezone>US/Eastern</timezone>
<query id="query1" type="traffic" flag="map_names">
<time start_ascii="24 hours ago" end_ascii="now"/>
<unit type="bps"/>
<search limit="100" timeout="30"/>
<filter type="application" binby="1"/>
</query>
<graph id="graph">
<title>Traffic per Application</title>
<dataset>query1</dataset>
<type name="stacked" default="yes">
<class>in</class>
<class>out</class>
</type>
<options>
a
AAA (Authentication, Authorization, & Accounting) — This is an acronym used to describe the process of
authorizing access to a system, authenticating the identity of users, and logging their behaviors.
ACL (Access Control List) — A list composed of rules and filters stored in a router to allow, deny, or otherwise
regulate network traffic based on network parameters such as IP addresses, protocol types, and port
numbers.
AES (Advanced Encryption Standard) — A commonly used encryption block cipher adopted as the standard of
the U.S. government.
AIF (ATLAS Intelligence Feed) — Real-time threat information that is an Arbor-maintained feed consisting of a
database of security threats and signatures that automatically updates each minute and DDoS regular
expressions that are used by TMS to mitigate attacks. Peakflow SP regularly downloads this information
and uses it to detect and block emerging botnet attacks and application-layer attacks.
anomaly — An event or condition in the network that is identified as an abnormality when compared to a
predefined illegal traffic pattern.
anonymous statistic sharing — A service whereby service providers and enterprise businesses share
anonymized statistics on ongoing attacks in order to provide a Internet-wide view of ongoing attacks.
API (Application Programming Interface) — A well-defined set of function calls providing high-level controls for
underlying services.
appliance — A Peakflow server that gathers network statistics from adjacent routers via either packet capture
or flow and performs first-order traffic analysis. Anomalous activities are compressed into alert
messages that are periodically sent to the listening leader.
ARP (Address Resolution Protocol) — A protocol for mapping an IP address to a physical machine address.
AS (Autonomous System) — A collection of IP networks and routers under the control of one entity and
assigned a single ASN for purposes of BGP routing.
ASCII (American Standard Code for Information Interchange) — A coded representation for standard
alphabetic, numeric, and punctuation characters, also referred to as “plain text.”
ASN (Autonomous System Number) — A unique number assigned to an autonomous system for purposes of
BGP routing.
AS Path (Autonomous System Path) — The ASNs that comprise a packet's path through the internet using
BGP.
ATLAS (Active Threat Level Analysis System) — A globally scoped threat analysis network that analyzes data
from darknets and the Internet’s core backbone to provide information to participating customers about
malware, exploits, phishing, and botnets.
b
backbone router — An OSPF router with all operational interfaces within 0.0.0.0.
baseline — A description of typical traffic patterns over a period of time. Baselines are generated by reducing
collections of fine-grained profiles into a more monolithic data representation that includes a
chronological component.
BGP (Border Gateway Protocol) — The core routing protocol of the Internet.
binning — Grouping data into chunks or "bins" usually defined by time periods, for example, traffic for the last 24
hours.
blackhole routing — A technique to route traffic to null interfaces that can never forward the traffic.
c
CA (Certificate Authority) — A third party which issues digital certificates for use by other parties. CAs are
characteristic of many public key infrastructure (PKI) schemes.
CAR (Committed Access Rate) — A tool for managing bandwidth that provides the same control as ACL with
the additional property that traffic can be regulated based on bandwidth usage rates in bits per second.
CIDR (Classless Inter-Domain Routing) — Method for classifying and grouping Internet addresses.
CIDR Group — CIDR addresses grouped together to share a common managed object configuration. The
equivalent of Peakflow DoS "detection groups."
cflowd — Developed to collect and analyze the information available from NetFlow. It allows the user to store
the information and enables several views of the data. It produces port matrices, AS matrices, network
matrices, and pure flow structures.
challenge packets — Information sent by a TMS model to an unknown host in response to a request from the
unknown host. The unknown host must provide a valid response to the challenge packets. If it does not,
the TMS model refuses the request and adds the unknown host to the blacklist. Several TMS
countermeasures use challenge packets to authenticate unknown hosts.
chargen — The character generator protocol that was used for testing the TCP/IP protocol.
CLI (Command Line Interface) — A user interface that uses a command line, such as a terminal or console (as
opposed to a graphical user interface).
client — The component of client/server computing that uses a service offered by a server.
Collector — An appliance that gathers network information from adjacent routers through flow and performs
first-order traffic analysis. Anomalous events are compressed into event messages that are then sent to
the listening leader.
commit — The process of saving a configuration change so that the changes take effect on the Peakflow SP
system.
customer — A managed object that defines traffic for a business or organization who purchases Internet service
from an internet service provider. Note, this type of managed object should be used to define most
managed services clients.
customer edge router — A router within a customer's network connected to an ISP's customer peering edge.
d
Dark IP — Regions of the IP address space that are reserved or known to be unused.
DDoS (Distributed Denial of Service) — An interruption of network availability typically caused by many,
distributed malicious sources.
designated router — The router designated by other routers (via the OSPF protocol) as the sender of link state
advertisements.
DHCP (Dynamic Host Configuration Protocol) — A protocol used to distribute IP addresses to host machines,
which has a list of available addresses.
DNS (Domain Name System) — A system that translates numeric IP addresses into meaningful, human-
consumable names and vice-versa.
DoS (Denial of Service) — An interruption of network availability typically caused by malicious sources.
DoS alert — A notification indicating an event or condition in the network that is identified as a statistical
abnormality when compared to typical traffic patterns gleaned from previously collected profiles and
baselines or that matches a predefined illegal traffic pattern.
e
encryption — The process by which plain text is scrambled in such a way as to hide its content.
ESP (Encapsulating Security Payload) — An IPSec protocol for establishing secure tunnels. See “IPSec
(Internet Protocol Security) ” on the facing page.
exploit — Tools intended to take advantage of security holes or inherent flaws in the design of network
applications, devices, or infrastructures.
f
failover — Configuring two appliances so that if one appliance fails, the second appliance takes over the duties
of the first, ensuring continued service.
fate sharing — Putting a mitigation out of service when a part of the mitigation’s deployment fails or becomes
unreachable. Fate sharing can occur when a dependent interface loses link, a nexthop becomes
unreachable, a BGP peer is down, a GRE tunnel is down, one or more TMS appliances or TMS clusters
are out of service, or the leader appliance becomes unreachable. For example, if nexthop fate sharing is
configured for a TMS appliance and the nexthop used by a mitigation becomes unreachable, then the
mitigation is put out of service.
FCAP — A fingerprint expression language that describes and matches traffic information.
Fibre Channel — Gigabit-speed network technology primarily used for storage networking.
firewall — A security measure that monitors and controls the types of packets allowed in and out of a network,
based on a set of configured rules and filters.
flow — Flow is a characterization of the network traffic. It defines the traffic that is seen. It provides Peakflow SP
with information from layers 1, 3, and 4 for the traffic that traverses a network.
flowspec — A BGP-based IETF standard for exchanging flexible firewall and ACL rules implemented by Juniper
routers utilizing JunOS 7.3 or later.
FQDN (Fully Qualified Domain Name) — A complete domain name, including both the registered domain name
and any preceding node information.
g
GMT (Greenwich Mean Time) — A deprecated world time standard, replaced by UTC.
GRE (Generic Routing Encapsulation) — A tunneling protocol commonly used to build VPNs.
h
host — A networked computer (client or server); in contrast to a router or switch.
HTTP (HyperText Transfer Protocol) — A protocol used to transfer or convey information on the World Wide
Web. Its original purpose was to provide a way to publish and retrieve HTML pages.
HTTPS (HyperText Transfer Protocol over SSL) — The combination of a normal HTTP interaction over an
encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) transport mechanism.
i
IANA (Internet Assigned Numbers Authority) — An entity that oversees global IP address allocation, DNS root
zone management, and other Internet protocol assignments. It is operated by ICANN.
ICMP (Internet Control Message Protocol) — An IP protocol that delivers error and control messages between
TCP/IP enabled network devices, for example, ping packets.
IETF (Internet Engineering Task Force) — An Internet standards organization that develops draft documents
and RFC documents defining protocols for the Internet.
IGMP (Internet Group Management Protocol) — A communications protocol used to manage the membership
of Internet Protocol multicast groups.
intelligent filtering — A feature that adds the ability to work with an integrated filtering device to automatically
filter traffic.
IMAP (Internet Message Access Protocol) — An application layer Internet protocol that allows a local client to
access email on a remote server. (Also known as Internet Mail Access Protocol, Interactive Mail Access
Protocol, and Interim Mail Access Protocol.)
IP (Internet Protocol) — A connectionless network layer protocol used for packet delivery between hosts and
devices on a TCP/IP network.
IPS (Intrusion Prevention System) — A computer security device that exercises access control to protect
computers from exploitation.
IPSec (Internet Protocol Security) — A suite of protocols for securing Internet Protocol (IP) communications by
authenticating and/or encrypting each IP packet in a data stream.
ISP (Internet Service Provider) — A business or organization that provides to consumers access to the Internet
and related services.
l
LAN (Local Area Network) — A typically small network that is confined to a small geographic space.
leader — A designated Peakflow appliance that accepts alert messages from one or more normal devices and
performs second-order traffic analysis in order to identify and visualize potential attacks. (These were
referred to as "Controllers" in previous Peakflow products.)
m
MAC (Media Access Control) Address — A unique hardware number associated with a networking device.
managed object — User-defined network objects used to classify logical portions of your network or network
traffic. Managed objects can be customers, peers, profiles, VPNs, or VPN sites.
MDI (Media Dependent Interface) — An Ethernet port connection that allows network hubs or switches to
connect to other hubs or switches without a null-modem or Ethernet crossover cable.
MIB (Management Information Base) — A database used by the SNMP protocol to manage devices in a
network. Your SNMP polling device uses this to understand Peakflow SNMP traps.
MPLS label — An identifying string for packets using the MPLS protocol.
mitigation — The process of using recommendations from Peakflow SP to apply policies to your network to
reduce the effects of a worm or DoS attack.
mitigation device — A device that filters network traffic passing through it based upon a ruleset provided by
Peakflow SP. This can be either a dedicated network device (Peakflow TMS appliance or Flowspec
capable router) or a Peakflow SP appliance with software mitigation enabled.
MPLS (Multiprotocol Label Switching) — A packet-switching protocol developed by the Internet Engineering
Task Force (IETF) initially to improve switching speeds, but other benefits are now seen as being more
important.
MS (Managed Services) — A Peakflow SP appliance that has the ability to provide a Web UI to allow
customers a special, restricted access to the Peakflow SP system.
MTU (Maximum Transmission Unit) — The size (in bytes) of the largest packet that a given layer of a
communications protocol can efficiently forward.
multicast — Protocols that address multiple IP addresses with a single packet (as opposed to unicast and
broadcast protocols).
n
NAT (Network Address Translation) — Rewriting the source and destination addresses of IP packets as they
pass through a router or firewall.
NetFlow — A technology developed by Cisco Systems, Inc. that allows routers and other network devices to
periodically export information about current network conditions and traffic volumes.
netmask — A dotted quad notation number used by routers determine which part of the address is the network
address and which part is the host address.
network object — Network objects are portions of your network or network traffic and include both managed
objects (customers, peers, profiles, VPNs, or VPN sites) and physical network objects (routers and
interfaces).
NIC (Network Interface Card) — A hardware component that maintains a network interface connection.
NTP (Network Time Protocol) — A protocol that is used to synchronize clock times in a network of computers.
o
OC-3 — A fiber optic network line with transmission speeds of up to 155.52 Mbit/s.
OC-12 — A fiber optic network line with transmission speeds of up to 622.08 Mbit/s.
offnet — Traffic that leaves the network through a BGP boundary and is not destined for a configured customer
entity.
p
packet — A unit of data transmitted across the network that includes control information along with actual
content.
PCC (Packet Capture Collector) — Packet capture is a method of passively monitoring network traffic to create
flow information. The packet capture mode on a Peakflow appliance can be used in cases where flow
from routers is unavailable or unwanted.
PE (Provider Edge) Router — A router in a service provider's network that is connected to a customer edge
router.
peer — A managed object that describes other networks that are peering with yours.
peer to peer — (Sometimes abbreviated P2P) a computer network that relies primarily on the computing power
of the clients in the network rather than concentrating it in a relatively low number of servers. P2P
networks are typically used for connecting nodes via largely ad hoc connections.
POP (Post Office Protocol) — A TCP/IP email protocol for retrieving messages from a remote server.
port — A field in TCP and UDP protocol, packet headers that corresponds to an application level service (for
example TCP port 80 corresponds to HTTP).
profile — A managed object that defines an arbitrary subset of network traffic that does not fit any of the other
managed object types.
protocol — A well-defined language used by networking entities to communicate with one another.
q
QoS (Quality of Service) — A method of providing different priority to different traffic, or guaranteeing a certain
level of performance to a data flow for a particular traffic type.
r
RADIUS (Remote Authentication Dial In User Service) — A client/server protocol that enables remote access
servers to communicate with a central server to authenticate dial-in users and authorize their access to
the requested system or service.
RDN (Registered Domain Name) — A domain name as registered, without any preceding node information (for
example, “arbor.net” instead of www.arbor.net).
refinement — The process of continually gathering information about anomalous activity seen.
remediation — The process of minimizing attack damage by taking the recommendations from Peakflow SP and
applying reasonable changes to the network.
remote BGP routeviews — External route servers maintained by Arbor Networks which provide information on
route availability with remote ASNs.
RFC (Request For Comments) — An IETF document that defines a protocol or other standard for Internet
communications.
route distinguisher — An address qualifier that is prepended to an IPv4 address to create a unique VPN-IPv4
address.
route target — A VPN identifier. A VPN might require more than one route target.
router — A device that connects one network to another. Packets are forwarded from one router to another until
they reach their ultimate destination.
s
scoping — The container managed object within which a managed services customer's traffic view is restricted.
secret key — A secret shared only between a sender and receiver of data.
SFlow — A standard similar to NetFlow which describes a mechanism to capture traffic data in switched or
routed networks.
site-of-origin — A BGP extended community attribute that identifies the VPN site from which a route originates.
skins — Sets of UI parameters, including menus, used to facilitate different Peakflow SP workflows.
SMTP - (Simple Mail Transfer Protocol) — The de facto standard protocol for email transmissions across the
Internet.
smurf attack — A DDoS attack that exploits misconfigured network devices to broadcast large numbers of
ICMP packets to all the computer hosts on a network.
SNMP (Simple Network Management Protocol) — A standard protocol that allows routers and other network
devices to export information about their routing tables and other state information.
spoofing — A situation in which one person or program successfully masquerades as another by falsifying data
(usually the IP address) and thereby gains an illegitimate advantage.
SSDP (Simple Service Discovery Protocol) — A network protocol that is used to advertise and discover
network services and devices.
SSH (Secure Shell) — A command line interface and protocol for securely getting access to a remote
computer. SSH is also known as Secure Socket Shell.
SSL (Secure Sockets Layer) — A protocol for secure communications on the Internet for such things as web
browsing, email, instant messaging, and other data transfers.
t
TACACS+ (Terminal Access Controller Access Control System +) — An authentication protocol common to
UNIX networks that allows a remote access server to forward a user’s login password to an
authentication server to determine whether that user is allowed to access a given system.
target — A victim host or network of a worm or other malicious denial of service (DoS) attacks.
TCP (Transmission Control Protocol) — A connection-based, transport protocol that provides reliable delivery of
packets across the Internet.
TCP/IP — A suite of protocols that controls the delivery of messages across the Internet.
Telnet — A TCP protocol used primarily for unencrypted CLI communications (usually deprecated and replaced
by SSH).
TMS (Threat Management System) — A Peakflow SP appliance designed for intelligent traffic filtering and
DNS monitoring in conjunction with a Peakflow SP deployment.
u
UDP (User Datagram Protocol) — An unreliable, connectionless, communication protocol.
UNC (Universal Naming Convention) — A standard which originated from UNIX for identifying servers, printers,
and other resources in a network.
uptime — The time elapsed since a given host or server was last rebooted.
URI (Uniform Resource Identifier) — A protocol, login, host, port, path, etc. in a standard format used to
reference a network resource, (for example http://arbor.net/).
UTC (Universal Time Coordinated) — The time zone at zero degrees longitude which replaced GMT as the
world time standard.
v
VLAN (Virtual Local Area Network) — Hosts connected in an infrastructure that simulates a local area network,
when the hosts are remotely located, or to segment a physical local network into smaller, virtual pieces.
VoIP (Voice over Internet Protocol) — Routing voice communications (such as phone calls) through an IP
network.
VPN (Virtual Private Network) — A private communications network often used within a company, or by several
companies or organizations, to communicate confidentially over a public network using encrypted
tunnels.
w
WAN (Wide Area Network) — A computer network that covers a broad area. (Also, Wireless Area Network
meaning a wireless network.)
WEP (Wired Equivalent Privacy) — A security scheme for wireless networks intended to provide comparable
confidentiality to a traditional wired network (in particular it does not protect users of the network from
each other).
worm — A self propagating program, usually used to spread a malicious payload across networked computers.
x
XML (eXtensible Markup Language) — A metalanguage written in Standard Generalized Markup Language
(SGML) that allows one to design a markup language for easy interchange of documents on the World
Wide Web.
b g
binby_router.xml file 55 getAlertGraph 167
getAlertGraphData 168
c getAlertInterfaceDetails 158
getAlertInterfaces 155
classic SOAP API getAlertInterfacesXML 163
building and running sample projects 138 getAlertRouterInterfacesXML 165
capturing the XML request and response 148 getAlertStatisticsRaw 170
configuring certificates 130 getAlertSummaries 150
fault handling 147 getDosAlertDetails 66
generating the client proxy code 132 getDosAlertDetailsXML 64
getDosAlertGraph 65
getDosAlertSummaries 58
getDosAlertSummariesXML 63
r
getLastReportResultAsCSV 109 report function
getLastReportResultAsPDF 111 getLastReportResultAsCSV 109
getLastReportResultAsXML 110 getLastReportResultAsPDF 111
getMitigationStatisticsByIdXML 85 getLastReportResultAsXML 110
getMitigationStatisticsByNameXML 86 getReportList 103
getMitigationSummaries 82 getReportListXML 105
getMitigationSummariesXML 84 getReportResultAsCSV 112
getReportList 103 getReportResultAsPDF 114
getReportListXML 105 getReportResultAsXML 113
getReportResultAsCSV 112 getReportResultsList 106
getReportResultAsPDF 114 getReportResultsListXML 108
getReportResultAsXML 113 getTrafficGraph 117
getReportResultsList 106 queueReportToRun 102
getReportResultsListXML 108 runXmlQuery 115
getTrafficData 184 reports 46
getTrafficGraph 117, 187 routers 31
using a report with 187
s
m SDK
managed_object 29 downloading 16
mitigation function SOAP
addTmsFilterList 87 endpoint address 54, 122
applyMitigationTemplateById 80 SOAP API
applyMitigationTemplateByName 81 about 16
deleteTmsFilterList 90 configuration management functions 92, 172
editTmsFilterList 89 recommendations 55, 123
getMitigationStatisticsByIdXML 85 using 22, 54, 122
getMitigationStatisticsByNameXML 86 using Java/Axis 128
getMitigationSummaries 82 SOAP package
getMitigationSummariesXML 84 components 122
mitigations 27 example query 55, 124
sqlQuer 170
o support, contacting 11
optimal performance
recommendations 55, 123
t
tms 39
p tms_ports 42
traffic 25
PHP client traffic report function
requirements 54 getTrafficData 184
portal 44 getTrafficGraph 187
Python client typographic conventions
installing 125 commands and expressions 10
procedures 9
q w
queueReportToRun 102
Web Services
alerts 23
cp5500 36
devices 33
managed_object 29
mitigations 27
portal 44
reports 46
routers 31
tms 25, 39
tms_ports 42
WSDL file
about 54
x
XML
editing for SOAP 115, 184
XML report
creating 187
writing manually 116, 185