Professional Documents
Culture Documents
Access Management and
DDoS Mitigation Guide
Trademarks
The A10 logo, A10 Harmony, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, ACOS Policy Engine, Affin-
ity, aFleX, aFlow, aGalaxy, aVCS, aXAPI, IDaccess, IDsentrie, IP-to-ID, SSL Insight, Thunder, Thunder TPS, UASG, and
vThunder are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other
trademarks are property of their respective owners.
Patents Protection
A10 Network products including all AX Series products are protected by one or more of the following U.S. patents:
8977749, 8943577, 8918857, 8914871, 8904512, 8897154, 8868765, 8849938, 8826372, 8813180, 8782751, 8782221,
8595819, 8595791, 8595383, 8584199, 8464333, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235, 8151322,
8079077, 7979585, 7804956, 7716378, 7665138, 7647635, 7627672, 7596695, 7577833, 7552126, 7392241, 7236491,
7139267, 6748084, 6658114, 6535516, 6363075, 6324286, 5931914, 5875185, RE44701, 8392563, 8103770, 7831712,
7606912, 7346695, 7287084, 6970933, 6473802, 6374300.
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas
herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written
consent of A10 Networks, Inc. This information may contain forward looking statements and therefore is subject to change.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA),
provided later in this document or available separately. Customer shall not:
1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means
2. sublicense, rent or lease the Software.
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services,
including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to
verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All infor-
mation is provided "as-is." The product specifications and features described in this publication are based on the latest
information available; however, specifications are subject to change without notice, and certain features may not be avail-
able upon initial product release. Contact A10 Networks for current information regarding its products or services. A10
Networks’ products and services are subject to A10 Networks’ standard terms and conditions.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types,
please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper dis-
posal of electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10
Networks location, which can be found by visiting www.a10networks.com.
A10 Thunder Series and AX Series—AAM and DDoS Mitigation Guide
Contents
Introduction 11
Overview................................................................................................................................................ 11
Application Access Management .................................................................................................... 11
Online Certificate Status Protocol ............................................................................................... 12
DDoS Mitigation .............................................................................................................................. 12
Policy-based SLB ........................................................................................................................ 12
SYN Cookies ............................................................................................................................... 12
IP Limiting .................................................................................................................................... 13
ICMP Rate Limiting ..................................................................................................................... 13
Web Application Firewall ............................................................................................................. 13
Slowloris Prevention .................................................................................................................... 14
DNS Application Firewall ............................................................................................................. 14
DNSSEC ..................................................................................................................................... 14
SSL Insight .................................................................................................................................. 14
Geo-location-based VIP Access .................................................................................................. 15
IP Anomaly Filtering 61
Overview ................................................................................................................................................61
IP Anomaly Filters for System-Wide PBSLB .................................................................................. 62
Notes .............................................................................................................................................. 63
Policy-based SLB 67
Overview................................................................................................................................................ 67
Configuring a Black/White List............................................................................................................ 68
Example Black/White List ............................................................................................................... 69
Dynamic Black/White-list Client Entries .......................................................................................... 69
Connection Limit for Dynamic Entries ............................................................................................. 70
Aging of Dynamic Entries ............................................................................................................... 70
Wildcard Address Support in PBSLB Policies Bound to Virtual Ports ............................................ 71
Configuring System-Wide PBSLB....................................................................................................... 71
Displaying and Clearing System-Wide PBSLB Information ............................................................ 73
Configuring PBSLB for Individual Virtual Ports ................................................................................ 73
Displaying PBSLB Information............................................................................................................ 81
Configuration Examples ...................................................................................................................... 81
Example—Sockstress Attack Protection ........................................................................................... 82
System-wide PBSLB Policy Configuration ...................................................................................... 83
Statistics Display ......................................................................................................................... 83
SYN Cookies 87
Overview................................................................................................................................................ 87
SYN Flood Attacks .......................................................................................................................... 87
SYN Flood Attack Counter .............................................................................................................. 88
How ACOS Identifies SYN Flood Attacks ....................................................................................... 88
ACOS SYN-cookie Protection ........................................................................................................ 89
Dynamic SYN Cookies ................................................................................................................... 90
SYN Cookie Buffering ..................................................................................................................... 90
SACK and MSS with Software-based SYN-cookies ....................................................................... 91
SACK ........................................................................................................................................... 91
MSS ............................................................................................................................................. 91
Configurable MSS Source for Proxied SLB Traffic............................................................................ 91
Configuration ........................................................................................................................................ 92
Enabling SYN-cookie Support ........................................................................................................ 92
Configuration with Target VIP and Client-side Router in Different Subnets ................................... 95
IP Limiting 105
Overview ..............................................................................................................................................105
Class Lists .................................................................................................................................... 105
Class List syntax ....................................................................................................................... 106
IP Address Matching ................................................................................................................. 107
Example Class Lists .................................................................................................................. 107
IP Limiting Rules .......................................................................................................................... 108
Match IP Address ...................................................................................................................... 109
Request Limiting and Request-rate Limiting in Class Lists ....................................................... 110
Configuring Source IP Limiting .........................................................................................................112
Configuring a Class List ............................................................................................................... 113
Configuring the IP Limiting Rules ................................................................................................. 116
Applying Source IP Limits ............................................................................................................ 120
Displaying IP Limiting Information ................................................................................................ 122
CLI Examples—Configuration ...................................................................................................... 123
Configure System-Wide IP Limiting With a Single Class .......................................................... 123
Configure System-Wide IP Limiting With Multiple Classes ....................................................... 123
Configure IP Limiting on a Virtual Server .................................................................................. 124
Configure IP Limiting on a Virtual Port ...................................................................................... 124
Configure Class List Entries That Age Out ............................................................................... 125
CLI Examples—Display ................................................................................................................ 126
Class Lists ................................................................................................................................. 126
IP Limiting Rules ....................................................................................................................... 127
IP Limiting Statistics .................................................................................................................. 128
Introduction
Overview
ACOS includes the following security features to help you protect your cus-
tomer traffic:
DDoS Mitigation
Distributed Denial of Service (DDoS) is a type of DoS attack where multi-
ple systems that are infected with a Trojan or malware are used to target a
particular system, which causes a denial of service. A DoS attack is when a
hacker (attacker) mounts an attack from one host. In contrast, in a DDoS
attack, many systems are used simultaneously to launch attacks against a
remote system.
ACOS includes filters that check traffic for IP anomalies that can indicate a
DDoS attack.
Policy-based SLB
Policy-based SLB (PBSLB) allows you to “black list” or “white list” indi-
vidual clients or client subnets. Based on actions that you specify, ACOS
will allow (white list) or drop (black list) traffic from specific client hosts or
subnets in the list.
SYN Cookies
SYN cookies provide protection against a common type of DDoS attack, the
TCP SYN flood attack. To conduct this type of attack, the attacker sends a
IP Limiting
Slowloris Prevention
In addition to WAF, ACOS includes an HTTP security option that prevents
Slowloris attacks, where the attacker attempts to consume resources on the
target system with incomplete HTTP request headers.
DNSSEC
ACOS supports DNS Security Extensions (DNSSEC). In Global Server
Load Balancing (GSLB) deployments, you can use DNSSEC with Hard-
ware Module Security (HSM) to dynamically secure DNS resource records
for GSLB zones.
Note: ACOS also supports DNS caching for DNSSEC, but DNSSEC support
for caching does not require GSLB.
SSL Insight
2. The Logon Portal on the ACOS device intercepts the request and sends a
login page to the client.
8. ACOS creates a cookie, which indicates that the client was successfully
authenticated.
Each subsequent request from the client is expected to contain this
cookie in the HTTP request header.
Logon Portal
The Logon Portal provides one interface that end-users can log in to and
complete a variety of tasks.
The Logon Portal provides the following ways to collect user credentials:
• Basic HTTP – The Logon Portal sends an HTTP 401 (Unauthorized)
message with response code 4, which contains a WWW-Authenticate
HTTP header.
The client browser is expected to send a reply with the Authorization
header, which contains the username and password in Base64-encoded
form.
In both portal types, ACOS sends the credentials from the end-user to a
backend AAA server for authentication.
Note: You can change your password by using the end-user password change
through the Logon Portal only for LDAP. For more information, see
“AAM with LDAP” on page 29.
The client browser displays a login window in which end-users can enter
their username and password. After end-users enter their credentials, the cli-
ent browser sends an HTTP reply that includes the following header, which
contains the username and password in Base64-encoded form:
Authorization: Basic QTEwOlRodW5kZXI=
Form-based Login
A form-based portal uses a set of web pages that contain data forms. End-
users log in and change their passwords by entering the relevant information
into these forms.
The files for these pages must be imported to the ACOS device. You can
import the files in archive files of any of the following formats:
• zip
• tgz
• tar
Note: By default, ACOS does not include Login Portal web pages. However,
Figure 2 and Figure 4 are some examples of some simple pages.
You can customize the error message string that is included in the Logon
form.
The default error message string for login failures is Invalid username or
password. Please try again.
Figure 8 shows the source code for the Change Password page.
Deployment Examples
For examples of AAM deployments that use form-based login, see the fol-
lowing sections or chapters:
• “Form-based Logon with RADIUS” on page 42
Authentication Relay
Authentication relay provides a backend logon service on behalf of authen-
ticated clients.
For more information and deployment examples, see the following sections:
• “Authentication Relay” on page 35
Note: The current release supports this feature for RADIUS and LDAP.
For example, an end-user might have access only to a service on a VIP that
is load balanced by a pair of ACOS devices. In this case, the AAA server
might have the following entries for the end-user:
ACOS1//10.2.4.69/80/http
ACOS2//10.2.4.69/80/http
Note: The actual syntax for the entries depends on the type of AAA server.
Configuration Overview
Deployment of this feature requires some configuration on the ACOS
device and on the AAA server.
END-VENDOR A10-Networks
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
…
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/a10.schema
include /etc/openldap/schema/a10auth.schema
a10auth.schema
Here is the a10auth.schema file:
# a10.schema
#
# This is the ldif version of a10.schema to be used with cn=config.
#
AttributeType ( 1.3.6.1.4.1.22610.2.1.1
NAME 'a10URI'
DESC 'a10URI:ax-serial-number [a10-partition-name
[a10-vip-name [a10-vport]]]'
EQUALITY caseIgnoreMatch
SYNT 1.3.6.1.4.1.1466.115.121.1.15 )
ACOS supports password update for end-users whose accounts are man-
aged in a Lightweight Directory Access Protocol (LDAP) database.
Overview
The AAM Authentication Proxy features can use Basic-HTTP authentica-
tion or web-based forms to obtain user credentials and query backend
LDAP servers to verify the credentials. If a valid end-user’s password has
expired, the Login Proxy allows end-users to change their passwords and
regain access.
• Domain\username
If end-users enter their login name in one of these formats, ACOS uses the
form that is entered instead of the Bind DN form. This is because the Com-
mon Name does not match the account name in Active Directory (AD).
When a client sends a request to a VIP for a secured service, ACOS uses
Basic-HTTP authentication or a web form to prompt users for their creden-
tials. ACOS sends the credentials to an LDAP server for verification.
Logon Proxy
This solution uses a form to prompt users to enter their credentials and veri-
fies the credentials by using a backend LDAP server.
2. ACOS replies with a form with input fields for the end-user credentials.
4. ACOS extracts the credentials from the form and, in a search request,
sends the credentials to the LDAP server.
6. ACOS uses SLB to select a server from the web-server service group
and sends the client’s HTTP request to the server.
The following steps provide a high-level over view of the traffic flow in this
example:
1. The client sends an initial HTTP request to the VIP.
2. ACOS replies with a form with input fields for the end-user credentials.
3. The client browser displays the form in which end-users enter their cre-
dentials.
4. ACOS extracts the credentials and, in a search request, sends the creden-
tials to the LDAP server.
5. The LDAP server finds an entry for the username and password, but the
password has expired.
6. ACOS sends another form to the client with the fields to change the
password.
7. End-users enter the username and the old and new passwords.
9. The client is authenticated, and ACOS uses SLB to select a server and
sends the client’s HTTP request to the server.
11. ACOS caches the credential verification from the LDAP server and for-
wards the server reply to the client.
Configuration Resources
The deployment requires the following resources:
• A zip archive of the web portal files that are required for end-user logon
• A logon-portal profile
• VIP configuration
CLI Example
The following commands import the logon-portal files to the ACOS device:
ACOS(config)#import auth-portal portal.zip use-mgmt-port sftp:
Address or name of remote host []?fileserver1
User name []?admin1
Password []?********
File name [/]?portal.zip
...
The service-group command binds the template to the service group for the
LDAP server. If the configuration did not use a health monitor, server con-
figuration, and service group for LDAP health checking, the server com-
mand should be used to bind the authentication template directly to the
authentication-server profile.
Authentication Relay
Authentication relay uses a backend LDAP server to verify end-users’ cre-
dentials when they first log on and reuses those credentials to log in to load-
balanced content servers on behalf of the end-users. In this deployment, the
content servers do not need to understand LDAP. Instead, Basic-HTTP
authentication is used between ACOS and the servers.
2. ACOS replies with a form that contains input fields for the end-user cre-
dentials.
3. The client browser displays the form in which end-users enter their cre-
dentials.
6. ACOS uses SLB to select a server and sends the client’s HTTP request
to the server.
7. The server replies with an HTTP 401 (Not Authorized) message with
response code 4 that contains an Authentication header such as the fol-
lowing:
WWW-Authenticate: Basic realm=”realm-name”
9. If the credentials are valid, the server replies with the requested content.
10. ACOS caches the credential verification from the LDAP server and for-
wards the server reply to the client.
Configuration Resources
The deployment requires the following resources:
• A zip archive of the web portal files that are required for end-user login.
• A login-portal profile.
• A VIP configuration.
Note: This is the same logon-portal profile that was used in “Logon Proxy” on
page 30.
ACOS(config)#authentication-logon form-based f1
ACOS(config-form-based authentication lo...)#portal portal.zip logon form.html
failpage error.html changepasswordpage changeform.html
ACOS(config-form-based authentication lo...)#action-url /mylogon.fo
ACOS(config-form-based authentication lo...)#username-variable username
ACOS(config-form-based authentication lo...)#password-variable pwd
The following commands create the SLB configuration for the LDAP
server.
Note: This is the same configuration that was used in “Logon Proxy” on
page 30.
ACOS(config-ldap server)#exit
ACOS(config)#health monitor ldap-sr
ACOS(config-health:monitor)#method ldap run-search BaseDN dc=a10net-
works,dc=com query (objectclass=*) AcceptNotFound
ACOS(config-health:monitor)#slb server ldap-sr 172.16.2.10
ACOS(config-real server)#port 389 tcp
ACOS(config-real server-node port)#health-check ldap-sr
ACOS(config-real server-node port)#authentication-server l1
ACOS(config-real server-node port)#slb service-group sg tcp
ACOS(config-slb svc group)#member ldap-sr:389
Note: This is the same configuration that is used in the other AAM examples in
this chapter.
ACOS(config-authentication template)#slb server rs_http 10.1.2.10
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#slb service-group http_g_1 tcp
ACOS(config-slb svc group)#member rs_http:80
ACOS(config-slb svc group)#slb virtual-server vip_auth 10.1.2.159
ACOS(config-slb vserver)#port 80 http
ACOS(config-slb vserver-vport)#service-group http_g_1
ACOS(config-slb vserver-vport)#template authentication t1
This chapter provides some examples of RADIUS AAA solutions that use
AAM features and provides information about the following logon options:
• “Basic HTTP Logon with RADIUS” on page 39
4. ACOS decodes the credentials and sends the credentials to the RADIUS
server in an Access-Request message.
6. ACOS uses SLB to select a server from the web-server service group
and sends the client’s HTTP request to the server.
Configuration Resources
This deployment requires the following resources:
• An authentication-server profile for the backend RADIUS server.
• A VIP configuration.
CLI Example
The following commands create an authentication-server profile for the
RADIUS server:
ACOS(config)#authentication-server radius radius_server
ACOS(config-radius server)#host 172.16.2.10
ACOS(config-radius server)#secret a10networks
The following command creates an Basic HTTP logon profile and specifies
the AAA realm name:
ACOS(config-radius server)#authentication-logon http-basic httpbasic
ACOS(config-http basic authentication lo...)#realm example-realm
The following commands create a server configuration for the web server to
which clients will sends requests and adds the server to a service group:
Traffic Walkthrough
The following steps provide a high-level overview of the traffic flow in this
example:
1. The client sends an initial HTTP request to the VIP.
2. ACOS replies with a form with the input fields for the end-user creden-
tials.
The credentials are a username and a password.
3. The client browser displays the form into which the end-user enters their
credentials.
6. ACOS uses SLB to select a server from the web-server service group
and sends the client’s HTTP request to the server.
Configuration Resources
The deployment requires the following resources:
• A zip archive of the web portal files that are required for end-user login.
• A login-portal profile.
• A VIP configuration.
CLI Example
The following commands import the login-portal files to the ACOS device:
ACOS(config)#import auth-portal portal.zip use-mgmt-port sftp:
Address or name of remote host []?fileserver1
User name []?admin1
Password []?********
File name [/]?portal.zip
...
Note: This is the same server, service-group, and VIP configuration that is used
in “Basic HTTP Logon with RADIUS” on page 39.
ACOS(config-authentication template)#slb server rs_http 10.1.2.10
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server-node port)#slb service-group http_g_1 tcp
ACOS(config-slb svc group)#member rs_http:80
ACOS(config-slb svc group)#slb virtual-server vip_auth 10.1.2.159
ACOS(config-slb vserver)#port 80 http
ACOS(config-slb vserver-vport)#service-group http_g_1
ACOS(config-slb vserver-vport)#template authentication t1
Overview
You can use OCSP to verify client certificates for access to an HTTPS vir-
tual port. ACOS uses OCSP to authenticate the client, instead of a certifi-
cate revocation list (CRL) that is imported to the ACOS device. When this
feature is configured, the ACOS device acts as an authentication client in
relation to the OCSP server.
Note: In previous releases, the path in a URI for an OCSP server was not
included in authentication requests. This limitation caused the failure of
an authentication request that was used the OSCP server.
You must import the certificate(s) to the ACOS device as part of the config-
uration for OCSP support.
Configuration Resources
The deployment requires the following resources:
• Server certificate and key files that ACOS can present to clients during
the SSL session setup between ACOS and clients
• Authentication-server profile for the OCSP server
• Client-SSL template
CLI Example
The following commands import a server certificate and key to the ACOS
device:
ACOS(config)#import ssl-cert-key bulk use-mgmt-port sftp:
Address or name of remote host []?fileserver1
User name []?admin1
Password []?********
File name [/]?server.pk7
...
ACOS presents the server certificate and public key to clients, as verifica-
tion of the server’s identity. From the client’s perspective, the ACOS device
where the VIP requested by the client is configured is the server.
The url command specifies the IP address and protocol port to which
ACOS will send client certificates for verification.
The cert and key commands specify the local filenames for the certificate
and key files imported onto the ACOS device. In this example, both the cer-
tificate and key are imported as singe file, so the same filename is used for
the certificate and key.
Configuration Resources
The deployment requires the following resources:
• Server certificate and key files that ACOS can present to clients during
an SSL session setup between ACOS and the clients
• Authentication-server profile for each OCSP server
• Client-SSL template
ACOS presents the server certificate and public key to clients, as verifica-
tion of the server identity. From the client’s perspective, the ACOS device
where the VIP requested by the client is configured is the server.
The url command specifies the IP address and protocol port to which
ACOS will send client certificates for verification.
The following commands add the SLB configuration for the web servers.
This is the same configuration used in “One OCSP Server” on page 46.
ACOS(config-client ssl)#slb server s1 20.20.20.30
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#slb server s2 20.20.20.31
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#slb service-group http tcp
ACOS(config-slb svc group)#member s1:80
ACOS(config-slb svc group)#member s2:80
ACOS(config-slb svc group)#slb virtual-server http 2.1.0.100
ACOS(config-slb vserver)#port 443 https
ACOS(config-slb vserver-vport)#service-group http
ACOS(config-slb vserver-vport)#template client-ssl ssl1
Overview
This section shows an example of an AAM solution that includes Kerberos
single sign-on. This solution uses the following AAM features:
• Logon Portal, which includes one of the following ways to collect end-
user credentials:
• Basic HTTP login
• Form-based login
Form-based Login
Figure 15 shows how form-based login is used with RADIUS in this
deployment.
For client requests to HTTP port 8080 on the VIP, ACOS sends a web page
to the client to obtain the end-user’s username and password. ACOS sends
the credentials to a backend RADIUS server for authentication.
OCSP
Figure 16 shows how OCSP is used in this deployment.
For client requests to HTTPS port 443, ACOS uses a backend OCSP server
to validate certificates presented by clients.
Configuration
This section provides information about the resources required to configure
the example in Figure 17 and some CLI examples.
Configuration Resources
The deployment shown in Figure 17 on page 55 requires the following
resources:
• HTTP-Basic login for port 80:
• Authentication-logon profile for basic-HTTP logon
• Authentication-server profile for the backend RADIUS server
• Authentication template for each virtual port, to specify the AAM pro-
files (authentication-logon profile, authentication-relay profile, and
authentication-server) to use
• Server configuration and service group for the application server where
the service principal (service requested by the client) is located
• VIP configuration
CLI Example
The following commands configure the Kerberos AAM deployment shown
in Figure 17 on page 55.
The profile created above, for Basic HTTP login, will be used for login
through virtual port 80. The profile for form-based portal login, created
below, will be for login through virtual port 8080.
One of the profiles is for the OCSP server to be used to verify client certifi-
cates, for clients that request access through virtual port 443. The other
authentication-server profile is for the RADIUS server to be used for
authenticating access to virtual ports 80 and 8080.
ACOS(config-kerberos authentication relay)#authentication-server ocsp ocsp
ACOS(config-ocsp server)#url http://1.0.7.12:778/
ACOS(config-ocsp server)#authentication-server radius radius
ACOS(config-radius server)#host 1.0.7.2
ACOS(config-radius server)#secret ********
The cert and key commands specify the server certificate and key used by
ACOS. ACOS presents the server certificate to clients, on behalf of the
application servers. The client-certificate Require command requires cli-
ents to present their certificates to ACOS. The ca-cert command configures
ACOS to use OCSP to verify client certificates. The command refers to the
authentication-server profile configured above for the OCSP server.
ACOS(config)#import ssl-cert-key bulk use-mgmt-port sftp:
Address or name of remote host []?fileserver1
User name []?admin1
Password []?********
File name [/]?acos.pk7
...
The authentication templates identify the other AAM resources to use for
securing access to the virtual ports. A separate authentication template is
configured for each of the virtual ports.
ACOS(config-client ssl)#slb template authentication normal
ACOS(config-authentication template)#logon http-basic
ACOS(config-authentication template)#relay kdc1
ACOS(config-authentication template)#server radius
ACOS(config-authentication template)#slb template authentication normal-8080
ACOS(config-authentication template)#logon http-form
ACOS(config-authentication template)#relay kdc1
ACOS(config-authentication template)#server radius
ACOS(config-authentication template)#slb template authentication normal-443
ACOS(config-authentication template)#relay kdc1
Each of the virtual ports uses the same service group. However, each virtual
port uses a different authentication template, for a unique set of AAM fea-
tures.
ACOS(config-authentication template)#slb virtual-server vs-http 1.0.9.100
ACOS(config-slb vserver)#port 80 http
ACOS(config-slb vserver-vport)#service-group sg-http
ACOS(config-slb vserver-vport)#template authentication normal
ACOS(config-slb vserver-vport)#port 8080 http
ACOS(config-slb vserver-vport)#service-group sg-http
ACOS(config-slb vserver-vport)#template authentication normal-8080
ACOS(config-slb vserver-vport)#port 443 https
ACOS(config-slb vserver-vport)#service-group sg-http
ACOS(config-slb vserver-vport)#template client-ssl client-ssl
ACOS(config-slb vserver-vport)#template authentication normal-443
• Service Principal – Kerberos term for the service requested by the client.
IP Anomaly Filtering
Overview
IP anomaly filtering detects and drops packets that contain the common sig-
natures of DDoS attacks.
• Out-of-sequence packet
• TCP-SYN-FIN – Drops all TCP packets in which both the SYN and FIN
flags are set
• TCP-SYN-frag – Drops incomplete (fragmented) TCP Syn packets,
which can be used to launch TCP Syn flood attacks
• Zero-length TCP window
• Out-of-sequence packet
When these filters are enabled, the ACOS device checks for these anomalies
in new HTTP or HTTPS connection requests from clients.
Note: In the current release, these filters are supported only for HTTP and
HTTPS traffic.
Threshold
The threshold specifies the number of times the anomaly is allowed to occur
in a client’s connection requests.
Note: The thresholds are not tracked by the PBSLB policies that are bound to
individual virtual ports.
Notes
• All IP anomaly filters are supported for IPv4. All IP anomaly filters
except IP-option filtering are supported for IPv6.
• DDoS protection is hardware-based on the following models:
• Thunder 6430S, Thunder 6430, and Thunder 5430S
• AX 3200-12, AX 3400, and AX 5200-11
DDoS protection is software-based on the other models.
• DDoS detection applies only to Layer 3, Layer 4, and Layer 7 traffic.
Layer 2 traffic is not affected by the feature. Layer 4 and Layer 7 DDoS
applies only to software releases in which Server Load Balancing (SLB)
is supported.
• All IP anomaly filters except “IP-option” apply to IPv4 and IPv6. The
“IP-option” filter applies only to IPv4.
• The ping-of-death option drops all IP packets that are longer than
32000 bytes on the following models:
• Thunder 3030S, Thunder 1030S, and Thunder 930
• AX 1030, AX 2500, AX 2600, AX 3000, and AX 3030
The option drops IP packets longer than 65535 bytes on the other mod-
els.
Configuration
All of the IP anomaly filters that are described in this chapter are disabled
by default. You can enable individual IP anomaly filters on the entire sys-
tem.
2. Select the check box next to each type of DDoS protection filter that you
want to enable.
To enable all of the filters, select the Drop All check box.
3. Click OK.
CLI Example
The following command enables DDoS protection against ping-of-death
attacks:
ACOS(config)#ip anomaly-drop ping-of-death
For more information, see the online help or the GUI Reference Guide.
For system-wide PBSLB, you also can enter the following command:
show pbslb client [ipaddr]
In the output of this command, the counters for a dynamic client are reset to
0 when a client’s dynamic entry ages out.
Policy-based SLB
This chapter describes policy-based SLB (PBSLB) and how to configure it.
Overview
ACOS allows you to “black list” or “white list” individual clients or client
subnets. Based on actions you specify, ACOS will allow (white list) or drop
(black list) traffic from specific client hosts or subnets in the list.
For traffic that is allowed, you can specify the service group to use. You can
also specify the action to perform (drop or reset) on new connections that
exceed the configured connection threshold for the client address. For
example, you can configure ACOS to respond to DDoS attacks from a client
by dropping excessive connection attempts from the client.
For each IP address (host or subnet) in a black/white list, add a row using
the following syntax:
Note: The conn-limit is a coarse limit. The larger the number you specify, the
coarser the limit. For example, if you specify 100, the ACOS device limits
the total connections to exactly 100; however, if you specify 1000, the
device limits the connections to a maximum of 992.
If the number in the file is larger than the supported maximum (32767),
the parser uses the longest set of digits in the number that you enter that
makes a valid value. For example, if the file contains 32768, the parser
will use 3276 as the value. As another example, if the file contains
111111, the parser uses 11111 as the value.
The first row assigns a specific host to group 4. On the ACOS device, if the
drop action is assigned to this group, the client is black listed. The second
row black lists an entire subnet, by assigning it to the same group (4). The
third row sets the maximum number of concurrent connections for a spe-
cific host to 20. The fourth row assigns a specific host to group 2 and speci-
fies a maximum of 20 concurrent connections.
Note: The ACOS device allows up to three parser errors when reading the file.
After the third parser error, the device stops reading the file.
In this example, all clients who do not match a static entry in the list are
assigned to group 1 and are limited to 20 concurrent connections.
The ACOS device supports up to 8 million dynamic client entries for sys-
tem-wide PBSLB. Once this limit is reached, the ACOS device does not
track connections or anomaly counters for additional clients.
You can set the timeout to 1-127 minutes, and the default is 5 minutes.
If client-lockup is enabled, the timeout for a locked up client does not begin
decrementing until the lockup expires. For more information, see “Client
Lockup” on page 72.
• The connection limit applies collectively to all clients that do not have a
static entry in the list.
• Client lockup
This command specifies the name of the black/white list to use for the pol-
icy.
[no] system pbslb id id {drop | reset}
[logging minutes]
You can enter which action to take for clients in a group that is configured in
the black/white list:
• drop – Drops the connections.
The logging option enables logging. The minutes option specifies how often
messages can be generated.
This command specifies the action to take for clients who either exceed the
connection limit that is specified in the black/white list or exceed the thresh-
old of any of the new IP anomaly filters. You can use one or both of the fol-
lowing options:
• reset – Resets all new connection attempts from the client. If you omit
this option, new connection attempts are dropped instead.
• lockup – Continues to apply the over-limit action to all new connection
attempts from the client for the specified number of minutes.
The logging option enables logging. The minutes option specifies how often
messages can be generated.
[no] system pbslb timeout minutes
This command sets the timeout for dynamic black/white-list entries. You
can specify 1-127 minutes, and the default is 5 minutes.
Note: If the lockup option is used with the system pbslb over-limit command,
aging of the dynamic entry for a locked up client begins only after the
lockup expires.
Client Lockup
The over-limit rule in a system-wide PBSLB policy includes an optional
lockup period. If the lockup period is configured, the ACOS device contin-
ues to enforce the over-limit action for the duration of the lockup.
For example, if the over-limit action is drop and a client exceeds the con-
nection limit that is specified in the black/white list, the ACOS device con-
tinues to drop all connection attempts from the client until the lockup
expires.
Note: This feature is supported only in software releases that support Server
Load Balancing (SLB).
To configure PBSLB:
1. Remotely configure a black/white list or configure the list on the ACOS
device.
Note: If you remotely configured the list, import the list to the ACOS device.
2. Optionally, modify the sync interval for the list. ACOS regularly syn-
chronizes with the list to make sure the ACOS version is current.
Note: These steps assume that the real servers, service groups, and virtual serv-
ers have already been configured.
2. Click Add.
5. Click OK.
Note: On the Virtual Service page, if the Use default server selection when
preferred method fails check box is selected on the virtual port, log mes-
sages will never be generated for server-selection failures. To ensure that
log server-selection failure messages are generated, deselect the check
box on the virtual port. Failures that occur because a client exceeds the
PBSLB connection limit are still logged.
d. Click Add.
The group settings appear in the PBSLB list.
e. Repeat the steps above for each group.
9. Click OK.
• The url specifies the file transfer protocol, directory path, and filename.
The following URL format is supported: tftp://host/file
• The period seconds option specifies how often the ACOS device re-
imports the list to ensure that changes to the list are automatically repli-
cated on the ACOS device. You can specify 60 – 86400 seconds. The
default is 300 seconds.
Note: A TFTP server is required on the computer and the TFTP server must be
running when you enter the bw-list command.
Note: If you use the load option, the CLI cannot accept any new commands
until the load is completely finished. As a result, for large black/white
lists, loading can take a while. Do not abort the load process, because this
step can also interrupt periodic black/white-list updates. If you acciden-
tally abort the load process, repeat the command by entering the load
option and allow the load to complete.
Enter this command at the global configuration level of the CLI. The com-
mand creates the template and changes the CLI to the configuration for the
template, where the following PBSLB-related commands are available.
2. To bind a black/white list to the virtual ports that use this template, enter
the following command:
[no] bw-list name file-name
3. To specify the action to take for clients in the black/white list, enter the
following commands:
[no] bw-list id id
service {service-group-name | drop | reset}
[logging [minutes] [fail]]
The following list provides additional information about the options for this
command:
• id – Group ID in the black/white list.
4. To specify the action to take for traffic that is over the limit, enter the
following command:
[no] bw-list over-limit
{lockup min | logging min | reset}
The following list provides additional information about the options for the
command:
• lockup min – Continues to apply the over-limit action to all new con-
nection attempts from the client, for the specified number of minutes
(1-127).
• logging min – Generates a log message when traffic goes over the
limit. The min option specifies the log interval and can be 1-255 min-
utes.
The name is the name that you assign to the list when you import the list.
The following list provides additional information about the options for this
command:
• The id is a group ID in the black/white list and can be from 1 to 1,000.
This command specifies the action to take for traffic that is over the limit.
• drop – Drops new connections until the number of concurrent connec-
tions on the virtual port falls below the port’s connection limit. (The
connection limit is set in the black/white list.)
• reset – Resets new connections until the number of concurrent connec-
tions on the virtual port falls below the connection limit.The connection
threshold is set in the black/white list.
The name option specifies a virtual server name. If you use this option, sta-
tistics are displayed only for that virtual server. Otherwise, statistics are
shown for all virtual servers.
Configuration Examples
The following commands import black/white list sample-bwlist.txt onto the
ACOS device:
ACOS(config)#bw-list sample-bwlist tftp://myhost/TFTP-Root/ACOS_bwlists/sam-
ple-bwlist.txt
ACOS(config)#show bw-list
In this example, the ACOS device drops all new connection attempts from a
client if either of the following situations occur:
• The client already has 20 active connections and attempts to open a new
HTTP or HTTPS connection.
• The client exceeds any of the IP anomaly thresholds.
Statistics Display
The following command shows system-wide statistics for the new IP anom-
aly filters:
ACOS(config)#show slb l4
Total
IP out noroute 20061
TCP out RST 0
TCP out RST no SYN 0
...
(Establish Reset
Virtual Server Port Blacklist/whitelist GID Connection # Drop)
System bwlist-wc 1 12 0 0
2 0 0 0
The Age column indicates how many seconds are left before a dynamic
entry ages out. For clients who are currently locked out of the system, the
value in the Lockup column indicates how many minutes the lockup will
continue. For locked up clients, the age value is 0 until the lockup expires.
After the lockup expires, the age is set to its full value (120 seconds in this
example).
IP address: 40.40.40.168
Netmask length: 32
Type: Dynamic
Group ID: 1
Connection limit (0 = no 6
limit):
Age: 0 second
Lockup time: 5 minute
Out of sequence: 0
Zero window: 6
Bad content: 6
SYN Cookies
Overview
SYN cookies protect against TCP SYN flood attacks. When SYN cookies
are enabled, the ACOS device can continue to serve legitimate clients
during TCP SYN flood attacks, while preventing illegitimate traffic from
consuming system resources.
Legitimate
Request
Possible SYN
Flood attack
In Figure 18, you can see that a normal 3-way TCP handshake includes a
SYN request from the client, the SYN-ACK reply from the ACOS device,
and finally, an ACK from the client to the ACOS device.
However, the mechanism by which SYN flood attacks can cripple a net-
work is by sending many SYN requests to a network device. The device
responds to these SYN requests with SYN-ACKs but then waits for
responses from the client that never arrive. The bogus requests create many
“half-open” sessions that waste system memory and other system resources.
The oversubscribed state reduces the device’s free resources and prevents it
from accepting requests from legitimate clients. Enabling SYN cookies can
help mitigate the damage caused by such DoS attacks by preventing these
attacks from consuming system resources.
Note: It may take up to 10 milliseconds for the ACOS device to detect and
respond to the crossover of either option.
SACK
The ACOS device includes the Sack-Permitted option in TCP SYN health
check packets that are sent to servers.
MSS
The lowest MSS value that is supported by any of the servers in the service
group is the MSS value that is used by the ACOS device for software-based
SYN-cookies.
If ACOS receives different MSS sizes from multiple real servers, ACOS
bases the value on the smallest MSS value received.
Note: The current release does not support configuration of this option using the
GUI.
To configure ACOS to base the MSS in replies from VIPs to clients on the
interface MTU and MSS value received from clients in SYNs, use the fol-
lowing command at the global configuration level of the CLI:
[no] slb use-mss-tab
Configuration
The following sections describe how to enable SYN-cookie support and
configure advanced features.
5. Click OK.
Non-FPGA Models
To enable SYN-cookie support on non-FPGA models:
1. Click Config Mode > SLB > Service > Server.
5. In the Port section, select the TCP port and click Edit or Add.
6. If you are configuring a new port, select TCP in the Type drop-down
list.
Non-FPGA Models
To enable software-based SYN cookies, enter the following command at the
virtual-port level:
[no] syn-cookie
Note: Optionally, to modify the threshold for TCP handshake completion, enter
the following command at the global configuration level of the CLI:
[no] ip tcp syn-cookie threshold seconds
You can specify 1-100 seconds, and the default is 4 seconds.
CLI Example
The following commands globally enable SYN cookie support and enable
Layer 2/3 SYN cookies on Ethernet interfaces 4 and 5:
ip tcp syn-cookie threshold <timeout: 1-100>
Timeout: timeout for syn-cookie, default is 4 sec
ACOS(config)#syn-cookie on-threshold 50000 off-threshold 30000
ACOS(config)#ip tcp syn-cookie ?
AX5200-11(config)#ip tcp syn-cookie ?
threshold SYN cookie expire threshold
AX5200-11(config)#ip tcp syn-cookie thr
AX5200-11(config)#ip tcp syn-cookie threshold ?
<1-100> seconds (default is 4)
There are three different thresholds that can be configured on the ACOS
device. When these free system memory thresholds are breached, the num-
ber of buffers that are allocated to each session and the TCP window size
are reduced. This reduction in the TCP window size is an attempt to prevent
the client from sending data faster than the ACOS device is capable of
receiving it.
Note: By default, each TCP session is allocated 10 buffers and the TCP window
size is set to 8K.
These thresholds are based on system memory usage, and they are configu-
rable.
The current release does not support configuration of this option by using
the GUI.
You do not have to change the system memory usage thresholds from the
default settings. However, you can modify these thresholds by entering the
following CLI commands at the global config level:
How it works
The SYN Cookie Time Interval Statistics feature uses the show slb attack-
prevention command to display output for SYN cookie statistics as a rate.
Output from the CLI command shows the number of packets that were sent
or received by the ACOS device over the following, non-editable time inter-
vals:
• Current
• 1 second
• 5 seconds
• 30 seconds
• 1 minute
• 5 minutes
To display SYN-cookie statistics, click Monitor Mode > SLB > Applica-
tion > Switch.
The following fields in the output of the show slb l4 command allow you to
view TCP traffic in terms of legitimate traffic and attacks:
• L4 SYN attack – Displays a running counter of the number of packets
that the ACOS device considers to be from a SYN flood attack. This
assumption is based on the fact that the device did not receive an ACK
from the client.
• L4 TCP Established – Shows a running counter of TCP packets that the
ACOS device considers to be from legitimate clients. When SYN cook-
ies are enabled and a legitimate client sends a SYN request, the ACOS
device responds with a SYN ACK. If the ACOS device receives an
ACK, the packet is considered safe.
• 1 second
• 5 seconds
• 30 seconds
• 1 minute
• 5 minutes
Table 2 shows the fields that appear in the CLI output of the show slb
attack-prevention command.
Total
IP out noroute 0
TCP out RST 0
TCP out RST no SYN 0
...
L4 SYN attack 30
...
Total
IP out noroute 0
TCP out RST 0
TCP out RST no SYN 0
...
Table 3 shows the limitations that are associated with using SYN flood
attack counters under a variety of conditions.
IP Limiting
Overview
IP limiting provides the following benefits:
• Configuration flexibility – You can apply source IP limiting on a sys-
tem-wide basis, on individual virtual servers, or on individual virtual
ports.
• Class lists – You can configure different classes of clients, and apply a
separate set of IP limits to each class. You also can exempt specific cli-
ents from being limited.
• Separate limits can be configured for each of the following:
• Concurrent connections
• Connection rate
• Concurrent Layer 7 requests
• Layer 7 request rate
Note: Layer 7 request limiting applies only to the HTTP, HTTPS, and fast-
HTTP virtual port types.
Class Lists
A class list is a set of IP host or subnet addresses that are mapped to IP lim-
iting rules. The ACOS device can support up to 255 class lists, and each
class list can contain up to 8 million host IP addresses and 64,000 subnets.
Note: Class lists can be configured only in the shared partition. A policy tem-
plate that is configured in the shared or the private partition can use a
class list that is configured in the shared partition.
• The network-mask – Specifies the mask, and IPv4 and IPv6 are sup-
ported.
To configure a wildcard IP address, enter 0.0.0.0 /0 or ::/0. The wildcard
address matches on all addresses that do not match any entry in the class
list.
• glid num | lid num – Specifies the ID of the IP limiting rule that you can
use to match clients. You can use a system-wide (global) IP limiting rule
or an IP limiting rule that was configured in a policy template.
Consider the following information:
• To use an IP limiting rule that was configured at the global configu-
ration level, enter the glid num option.
• To use an IP limiting rule that was configured at the same level in
the same policy template as the class list, enter the lid num option.
To exclude a host or subnet from being limited, do not specify an IP lim-
iting rule.
• age minutes – Removes a host entry from the class list after the specified
number of minutes. You can specify up to 2000 minutes.
When you assign an age value, the host entry remains in the class list for
the specified period. After the age expires (reaches 0), the host entry is
removed from the class list in the next minute.
You can use the age option with IP limiting options in the LID or GLID
to temporarily control client access. The traffic limiting settings in the
LID or GLID that were assigned to the host entry take effect only until
the age expires.
Note: The age option applies only to host entries, such as IPv4 /32 or IPv6 /128
and is not supported for subnet entries.
Note: If you use a class-list file that is periodically re-imported, the age for the
class-list entries that were added to the system from the file do not reset
when the class-list file is re-imported. Instead, the entries continue to age
normally. This is by design.
IP Address Matching
By default, the ACOS device matches the class-list entries that are based on
the source IP address of client traffic. Optionally, you can also match based
on the following information:
• Destination IP address – Matches based on the destination IP address
instead of the source IP address.
• IP address in HTTP request – Matches based on the IP address in a
header in the HTTP request. You can specify the header when you
enable this option.
Here is an example of a very simple class list, which matches on all clients
and uses an IP limiting rule that was configured at the global configuration
level:
0.0.0.0/0 glid 1
Here is an example with more options:
1.1.1.1 /32 lid 1
2.2.2.0 /24 lid 2 ; LID 2 applies to every single IP of this subnet
0.0.0.0 /0 lid 10 ; LID 10 applied to every undefined single IP
3.3.3.3 /32 glid 3 ; Use global LID 3
4.4.4.4 /32 ; No LID is applied (exception list)
IP Limiting Rules
IP limiting rules specify connection and request limits for clients, and each
IP limiting rule has the following parameters:
• Limit ID – Number from 1-31 that identifies the rule.
Note: When the class-list options request limit and request-rate limit are config-
ured in a policy template, the options are applicable only in policy tem-
plates that are bound to virtual ports. These options are not applicable in
policy templates that are bound to virtual servers or in policy templates
that are used for system-wide PBSLB. For more information, see
“Request Limiting and Request-rate Limiting in Class Lists” on page 110.
The request limit and request-rate limit options apply only to HTTP, fast-
HTTP, and HTTPS virtual ports. The over-limit logging, when used with
the request-limit or request-rate-limit option, always lists Ethernet port 1
as the interface.
Match IP Address
By default, the ACOS device matches class-list entries that are based on the
source IP address of client traffic. You can also match based on one of the
following options:
• Destination IP address – Matches based on the destination IP address in
packets from the clients.
• IP address in client packet header – Matches based on the IP address in
the specified header in packets from clients.
If you do not specify a header name, this option uses the IP address in
the X-Forwarded-For header.
Clients must comply with all IP limiting rules that are applicable to the cli-
ent. For example, if you configure system-wide IP limiting and also config-
ure IP limiting on a virtual server, clients must comply with the system-
wide IP limits and with the IP limits that are applied to the virtual server that
is accessed by the client.
2. Click Import.
3. Enter the file name to use for the imported class list.
5. Click OK.
2. Click Add.
Note: If the class list contains 100 or more entries, you should select the File
option. A class list can be exported only if you select File.
Note: Ensure that you use the same number when you configure the IP limiting
rule.
c. To make the entry temporary, enter an age value.
You can enter a value of up to 2000 minutes, and the value is
removed from the class list after the age expires.
d. Click Add.
e. Repeat for each entry.
6. Click OK.
The file-name specifies the name that the class list will have on the ACOS
device. The url specifies the file transfer protocol, username (if required),
and directory path.
You can enter the complete URL on the command line or press Enter to dis-
play a prompt for each part of the URL. If you enter the complete URL and
a password is required, you will be prompted for the password.
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file
• sftp://[user@]host/file
You also can export class lists to a remote server by entering the following
command:
export class-list file-name url
The file option saves the class list as a separate file. Without this option, the
class list is saved in the startup-config instead. If the class list contains 100
or more entries, enter the file option, which is valid only when you create
Note: A class list can be exported only if you use the file option.
The class-list command creates the class list if it is not already configured,
and changes the CLI to the configuration level for the list:
[no] ipaddr /network-mask [glid num | lid num]
After you configure the IP limiting rules and class list and add the class list
to the policy, you can activate the IP limits. For more information, see
“Applying Source IP Limits” on page 120.
6. Click OK.
4. Click OK.
This command creates an IP limiting rule and changes the CLI to the con-
figuration level for the rule. The num option specifies the rule ID, and can
be 1-31. For information about the valid values and defaults, see “IP Limit-
ing Rules” on page 108.
These commands are the same as the ones available at the IP limiting rule
configuration level in policy templates. For more information, see “Config-
uring IP Limiting Rules in a Policy Template” on page 118.
3. If you are creating a new virtual server, enter the name, virtual IP
address, and other settings in the General section.
5. If you are creating a new virtual server, configure the virtual port set-
tings as applicable to your deployment.
6. Click OK.
2. On the Virtual Server Port configuration page, select the policy tem-
plate from the Policy Template drop-down list.
3. Click OK.
Note: You cannot use the system template policy command and the system
pbslb command in the same configuration.
To display statistics for the feature, use the CLI. (See the following section.)
CLI Examples—Configuration
The examples in this section show how to configure IP limiting.
The following commands configure the class list global, which matches on
all clients and uses IP limiting rule 1:
ACOS(config)#class-list global
ACOS(config-class list)#0.0.0.0/0 glid 1
ACOS(config-class list)#exit
The following command imports the class list used by the policy:
ACOS(config)#import class-list global_list ftp:
Address or name of remote host []?1.1.1.2
User name []?ACOSadmin
Password []?*********
File name [/]?global_list
The following command imports the class list used by the policy:
ACOS(config)#import class-list vs_list ftp:
Address or name of remote host []?1.1.1.2
User name []?ACOSadmin
Password []?*********
File name [/]?vs_list
The following command imports the class list used by the policy:
ACOS(config)#import class-list vp_list ftp:
Address or name of remote host []?1.1.1.2
User name []?ACOSadmin
Password []?*********
File name [/]?vp_list
Note: The template includes an LID that sets the connection limit to 0. The LID
also resets and logs connection attempts.
ACOS(config)#slb template policy 1
ACOS(config-policy)#class-list name local
ACOS(config-policy)#class-list lid 30
ACOS(config-policy-policy lid)#conn-limit 0
ACOS(config-policy-policy lid)#over-limit-action reset log
ACOS(config-policy-policy lid)#exit
ACOS(config-policy)#exit
CLI Examples—Display
This section shows example show command output for IP limiting.
Class Lists
The following command displays the class-list files on the ACOS device:
ACOS#show class-list
The following commands show the closest matching entries for specific IP
addresses in class list test:
ACOS#show class-list test 1.1.1.1
1.1.1.1 /32 glid 1
ACOS#show class-list test 1.1.1.2
0.0.0.0 /0 lid 31
The class list contains an entry for 1.1.1.1, so that entry is shown. However,
since the class list does not contain an entry for 1.1.1.2 but does contain a
wildcard entry (0.0.0.0), the wildcard entry is shown.
IP Limiting Rules
The following command the configuration of each standalone IP limiting
rule:
ACOS#show glid
glid 1
conn-limit 100
conn-rate-limit 100 per 10
request-limit 1
request-rate-limit 10 per 10
over-limit-action reset log 1
glid 2
conn-limit 20000
conn-rate-limit 2000 per 10
request-limit 200
request-rate-limit 200 per 1
over-limit-action reset log 3
IP Limiting Statistics
The following command shows IP limiting statistics for the entire system:
ACOS#show pbslb system
System LID statistics (lid 1):
Current connection: 1
Current connection rate: 0/s
Total over connection limit number: 0
Total over connection rate limit number: 0
ICMP rate limiting monitors the rate of ICMP traffic and drops ICMP pack-
ets when the configured thresholds are exceeded.
Note: Unless otherwise specified, the term ICMP rate limiting also applies to
ICMPv6 rate limiting.
Configuration
You can configure ICMP rate limiting filters globally, on an Ethernet inter-
face, and in virtual server templates. If you configure ICMP rate limiting fil-
ters at more than one of these levels, all filters are applicable.
Note: Specifying a maximum rate (lockup rate) and lockup time is optional. If
you do not specify them, lockup does not occur.
Log messages are generated only if the lockup option is used and a lockup
occurs. Otherwise, the ICMP rate-limiting counters are still incremented,
but log messages are not generated.
Note: The maximum rate must be higher than the normal rate.
6. Click OK.
7. Click OK.
Note: This option is applicable only in software releases that support SLB.
1. Click Config Mode > SLB > Service > Template > Virtual Server.
5. To configure the lockup time, select the Lockup Status check box, and
enter the following values:
• Lockup Rate
• Lockup Period
6. Click OK.
CLI Example
The following commands configure a virtual server template that sets ICMP
rate limiting:
ACOS(config)#slb template virtual-server vip-tmplt
ACOS(config-vserver)#icmp-rate-limit 25000 lock 30000 60
Overview
ACOS includes an HTTP template option that specifies the maximum num-
ber of seconds that are allowed for all parts of a request header to be
received. If the entire request header is not received in the specified amount
of time, ACOS terminates the connection.
4. Click OK.
To change the request-header wait time in an HTTP template, enter the fol-
lowing command at the configuration level for the template:
[no] req-hdr-wait-time seconds
Note: For many more HTTP security options, see the Web Application Firewall
Guide.
Overview
This feature introduces the following logging commands to detect and log
security-related events:
• system anomaly log
This command logs IP anomalies.
• system attack log
Each of these commands can be accessed and enabled at the global configu-
ration level. By default, ACOS runs system checks every 30 seconds. If
ACOS detects any changes, the appropriate log is printed.
CLI Example
The following CLI example shows the log output that is generated by the
system anomaly log command:
Jun 23 2013 14:50:46 Warning [SYSTEM]:IP Anomaly packets matching the TCP NO
FLAG profile have been detected. Previous 531, Current 6999
Jun 23 2013 14:50:46 Warning [SYSTEM]:IP Anomaly packets matching the LAND
ATTACK profile have been detected. Previous 531, Current 6999
The following CLI example shows the log output that is generated by the
system attack log command:
Jun 23 2013 14:40:45 Warning [SYSTEM]:IP packets matching the TCP SYN ATTACK
profile have been detected. Previous 0, Current 820711
Jun 23 2013 14:39:45 Warning [SYSTEM]:IP packets matching the TCP ACK ATTACK
profile have been detected. Previous 0, Current 2754803
The following CLI example shows the log output that is generated by the
system pbslb log command:
Feb 16 2014 02:38:51 Warning [SYSTEM]:IP Anomaly packets matching the PBSLB
ZERO WINDOW profile have been detected. Previous 0, Current 12
Feb 16 2014 02:20:10 Warning [SYSTEM]:IP Anomaly packets matching the PBSLB
ZERO WINDOW profile have been detected. Previous 0, Current 11
Overview
The DNS Application Firewall (DAF) provides security for DNS VIPs.
The DAF examines DNS queries addressed to a VIP to ensure that the que-
ries are formed properly (not malformed). If a malformed DNS query is
detected, depending on the action that you specified in the DNS security
policy, the ACOS device takes one of the following actions:
• Drops the query
This feature parses DNS queries that are based on the following RFCs:
• “RFC 1034: Domain Names – Concepts and Facilities” at
https://www.ietf.org/rfc/rfc1034.txt
• “RFC 1035: Domain Names – Implementation and Specification” at
https://www.ietf.org/rfc/rfc1035.txt
• “RFC 2671 – Extension Mechanisms for DNS (EDNS0)” at
http://tools.ietf.org/html/rfc2671
DNS sanity checking on virtual-port type UDP is performed only for client
requests. For a DNS client request to pass the sanity check, all of the follow-
ing conditions must be met:
• Flags.qr == 0 (first bit in flags)
For a client request to pass the sanity check, all of the following conditions
must be met:
• Flags.qr == 0 (first bit in flags)
For a server response to pass the sanity check, all of the following condi-
tions must be met:
• Flags.qr == 1 (first bit in flags)
• Flags.opcode <=5
• Flags.rcode == 0
• qdcount > 0
Configuration
To configure DNS security for a DNS virtual port:
1. Create a DNS template and specify the DNS security action in the tem-
plate.
2. Click Add.
7. Click OK.
2. To enable DNS security and specify the action to take for malformed
DNS queries, enter the following commands:
[no] malformed-query
{drop | forward service-group-name}
The drop option drops malformed queries, and the forward option
sends the queries to the specified service group.
With both options, the malformed queries are blocked from being pro-
cessed by the DNS virtual port to which the template has been applied.
Configuration Examples
This section includes the following examples:
• “DNS Application Firewall Setup” on page 142
The following commands configure the real server and service group:
ACOS(config)#slb server dns-sec1 10.10.10.88
ACOS(config-real server)#port 53 udp
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
ACOS(config)#slb service-group dns-sec-grp udp
ACOS(config-slb svc group)#member dns-sec1:53
ACOS(config-slb svc group)#exit
The following commands bind the service group and DNS template to the
DNS virtual port on a virtual server:
ACOS(config)#slb virtual-server dnsvip1 192.168.1.53
ACOS(config-slb vserver)#port 53 udp
ACOS(config-slb vserver-vport)#service-group dns-sec-grp
ACOS(config-slb vserver-vport)#template dns dns-sec
Since the drop action is specified, malformed DNS queries that are sent to
the virtual DNS server are dropped by the ACOS device.
DNSSEC Support
Overview
An ACOS device that is configured as a Global Server Load Balancing
(GSLB) controller can act as an authoritative DNS server for a domain
zone. As the authoritative DNS server for the zone, the ACOS device sends
records in response to requests from DNS clients. The ACOS device sup-
ports the ability to respond to client requests for the following types of well-
known resource records:
• A
• AAAA
• CNAME
• NS
• MX
• PTR
• SRV
• TXT
This potential security hole opens the door for possible forgeries, which
makes DNS vulnerable to “man-in-the-middle” attacks, DNS cache poison-
ing attacks, and other types of online attacks that could be used to forge
DNS data, hijack traffic, and to potentially steal sensitive information from
the user.
Note: DNSSEC for GSLB is not supported in proxy mode for this release.
4. The Root DNS Server does not have the requested IP address, but in an
attempt to point the Caching DNS server in the right direction, it
responds to the request with a Name Server (NS) record.
The record contains the IP of the Top Level Domain (TLD) server for
the .org domain.
5. The Caching DNS server now has the IP address for the name server
that manages the .org domain, so it sends an address request on behalf of
the client to the TLD DNS server for the .org domain.
6. The TLD Server does not have the requested IP address, but again, the
TLD server points the Caching DNS server in the right direction by pro-
viding an NS record that contains the IP address for the next name
server in the DNS hierarchy, which is the authoritative DNS server for
the example.org subdomain.
7. Now that it has the IP address needed to reach the authoritative DNS
server for the example.org domain, the Caching DNS server sends a
request for zone1.example.org to this authoritative DNS server.
8. The authoritative DNS server does not have the requested information,
but it can get the Caching DNS server one step closer to its destination
by providing the NS record for the authoritative DNS server for the
zone1.example.org domain.
10. The ACOS device, which is the authoritative DNS server for
zone1.example.org, has the IP address that the client needs. It sends the
requested IP address to the Caching DNS server.
11. The Caching DNS server sends the IP address, that is provided by the
ACOS device, to the DNS resolver in the client’s browser.
The client now has the IP address needed to reach the server in the
zone1 subdomain.
The recursive lookup process remains largely unchanged, with the higher
level DNS servers pointing to lower level servers in the DNS hierarchy to
move the request closer to the authoritative server for the desired domain.
Figure 21 shows the resolution process for an address query from the DNS
resolver on a client for the zone1.example.org IP address.
1. The DNS resolver on the client sends an address query for the IP
address of a host under zone1.example.org.
2. The Caching DNS server, which does not have the address, forwards the
request to the root server.
4. The Caching DNS server sends the address query to the TLD server for
the .org domain.
5. The TLD server does not have the requested address, so it points the
Caching DNS server to the Authoritative DNS server for example.org.
The Caching DNS server sends an NS record with the IP address of the
authoritative server for example.org, and the TLD server signs the NS
record with the private key in the RRSIG record.
6. The Caching DNS server sends the address query to the Authoritative
DNS server for example.org.
7. The Authoritative DNS server for example.org does not have the
requested address, so it responds to the caching server’s request by send-
ing the NS record (signed with the RRSIG record).
This NS record contains the IP address of the Authoritative DNS server
for zone1.example.org. The server sends the DS record for the
zone1.example.org server to the Caching DNS server.
8. The Caching DNS server sends the address query to the Authoritative
DNS server for zone1.example.org, which happens to be the ACOS
device.
9. The Caching DNS server reaches the Authoritative DNS server for
zone1.example.org.
The Authoritative DNS server replies with an SOA record, the requested
A record, and RRSIG records that contains the private key, which is
used to sign the SOA and A records.
10. The Caching DNS server asks the ACOS device for its DNSKEY
record, which is where the public key for the zone is advertised.
This public key is needed to unlock the resource records and check the
hash values back up the chain.
11. The ACOS device sends its DNSKEY record with an RRSIG record that
was used to sign the DNSKEY record.
The RRSIG record contains the private key.
13. The Authoritative DNS server for example.org sends its DNSKEY
record with an RRSIG record and the private key that was used to sign
the DNSKEY record.
14. The Caching DNS server then asks the TLD server for .org for its DNS-
KEY record.
15. The TLD server sends its DNSKEY record with an RRSIG record that
was used to sign the DNSKEY record.
The Caching DNS server now has all the private/public key pairs and
has validated all of the links in the chain of trust. It can now send the
trusted response to the DNS resolver on the client.
The Chain of Trust allows the client’s DNS resolver to know that all of the
DNS servers in the chain have vouched for one another, starting from the
Root DNS Server and continuing down to the lowest-level DNS server.
Starting from the lower left, the Authoritative DNS Server for the
zone1.example.org domain, has a DNS key record (DNSKEY). This DNS-
KEY record contains the public Zone Signing Key (ZSK) for zone1. The
ZSK is used to sign other record types, such as A records, for the zone. The
DNSKEY record is signed by another key, the Key Signing Key (KSK),
which also belongs to this zone.
The next level up in the DNS hierarchy corresponds to the next “label” in
the example.org domain, and it has a record called the Delegation Signer
(DS). The DS record contains a hash, or message digest, of the public Key
Signing Key (KSK), which belongs to the Authoritative DNS Server for the
node below, zone1.example.org.
The DNS resolver (or the Caching DNS Server) can compare the hash value
for any of the nodes in the Chain of Trust, and the values should match. If
the hash values in a DS record cannot be recreated from the DNSKEY
record, it indicates that the packet that contains the key record may have
been tampered, cannot be trusted, and should be discarded.
However, if the hash value is correct, this indicates that the Chain of Trust is
unbroken and that the DNSKEY record for the Authoritative DNS Server
that is associated with the zone1.example.org domain is correctly linked to
the DS record above. In turn, the DNSKEY record for the Authoritative
DNS Server that is associated with the example.org domain is correctly
linked to the DS record above. This process of DNSKEY records being
linked with the DS record of the node above continues all the way to the
Root DNS Server.
The client’s DNS resolver knows that the Root DNS Server is legitimate
because of the “trust anchor”, which consists of information for the Root
DNS Server, is included in the resolver software that is installed on the cli-
ent. This “trust anchor” minimizes the chance that a client could access a
corrupt root DNS server.
Because of this anchor, the client knows the Root DNS Server can be
trusted, and the client can infer that all of the other nodes in the Chain of
Trust can also be trusted. Because the hash values match all the way down
the line, this is an indication that the Chain of Trust is intact, and that the cli-
ent’s DNS resolver can trust the Authoritative DNS Server for zone1.exam-
ple.org, which is located at the bottom of the Chain of Trust in the DNS
hierarchy.
When HSM and DNSSEC are enabled, ACOS uses the following key gen-
eration and rollover settings for DNSSEC:
• Key size – Length of the keys in bits.
You can specify 1024-4096 bits, and the default length for ZSKs and
KSKs is 2048 bits.
• Lifetime – Maximum amount of time that a dynamically generated key
remains valid.
• Rollover time – Amount of time to wait after a new key becomes active,
before generating that key’s replacement.
The lifetime and rollover time each can be from 1 to 2,147,483,647 seconds,
which is approximately 68 years. Here are the default lifetime and rollover
time for ZSKs and KSKs:
• ZSKs – The default lifetime is 7,776,000 seconds (90 days), and the
default rollover time is 7,171,200 seconds (83 days).
• KSKs – The default lifetime is 31,536,000 seconds (365 days), with
rollover time 30,931,200 seconds (358 days).
When DNSSEC is enabled, HSM generates a KSK for the GSLB zone, gen-
erates a ZSK for the zone, and signs it with the KSK. The following type of
messages appear in the log:
Note: ACOS generates the following type of messages when key regeneration
occurs.
Log Buffer: 30000 Jul 31 2013 06:49:13 Notice [DNS]:succeed to reload the signature of
zone "test.com"
Jul 31 2013 06:48:58 Notice [CLI]: DNSSEC module:succeed to generate ZSK
test.com_zsk_2013-07-31-06-48-58 for zone test.com
Jul 31 2013 06:48:58 Notice [CLI]: DNSSEC module:please transfer the DS RR of zone
test.com to the parent zone for the initial process.
Jul 31 2013 06:48:58 Notice [CLI]: DNSSEC module:succeed to generate KSK test.com_k-
sk_2013-07-31-06-48-57 for zone test.com
Starting at the bottom of the output, the first message indicates the success-
ful generation of a KSK for child zone test.com. The next message is a
reminder to copy the DS resource record for the key to the authoritative
Although key generation and rollover are automatic, ACOS does not auto-
matically send the DS record for the new KSK to the parent zone. This part
of the process must be performed manually. If the default key generation
and rollover settings are used, this process needs to be performed once a
year.
The commands to import or export DNSSEC key files are the same as in
previous releases:
{export | import} dnssec-ds child-zone-name
{url-profile | {[use-mgmt-port] url}}
{export | import} dnssec-dnskey child-zone-name
{url-profile | {[use-mgmt-port] url}}
After you enable DNSSEC, wait about a minute for key generation to be
fully completed. You can use the export dnssec-ds command to copy the
DS resource record for the zone to the DNS server that is authoritative for
the parent zone.
The start option initiates the rollover for the key type that you specified.
To change the lifetime and rollover settings for ZSKs and KSKs, enter the
following commands at the configuration level for the DNSSEC template:
[no] ksk lifetime seconds [rollover-time seconds]
[no] zsk lifetime seconds [rollover-time seconds]
For information about the supported values, see “Key Generation and Roll-
over Parameters” on page 155.
Note: HSM is required for DNSSEC, and the manual key generation of DNS-
SEC ZSKs or KSKs is not supported.
Configuration
To configure DNSSEC:
1. Configure an HSM template.
The current release does not support DNSSEC configuration by using the
GUI.
2. To specify the passphrase (PIN) that is required to access the HSM inter-
face:
[no] password hsm-passphrase
To create the template and enter the configuration level of the CLI, enter the
following commands:
[no] dnssec template {default | template-name}
To modify the default DNSSEC template, enter the default option. To cre-
ate a new template, enter a different name.
The following commands are available at the configuration level for the
template.
DNSSEC Template
Command Description
[no] algorithm
{RSASHA1 |
RSASHA256 |
RSASHA512} Cryptographic algorithm that is used to encrypt
DNSSEC keys.
[no]
combinations-
limit num Maximum number of combinations per Resource
Record Set (RRset), where RRset is defined as
all the records of a particular type for a particular
domain, such as all of the “quad-A” (IPv6)
• combinations-limit – 31
• enable-nsec3 – disabled
• signature-validity-period – 10
For DNS over UDP, enter the udp option, and for DNS over TCP, enter the
dns-tcp option.
Standalone Operation
The ACOS device does not need to be a member of a GSLB controller
group to run DNSSEC. GSLB is still required with standalone DNSSEC
operation, but you do not need to configure a GSLB controller group.
The current release does not support DNSSEC configuration by using the
GUI.
Configuration Example
Here is the configuration from a device configured for DNSSEC:
hsm template hsm1 softhsm
password encrypted /+mboU9rpJM8EIy41dsA5zwQjLjV2wDn-
PBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
!
dnssec template dt1
zsk lifetime 120000 rollover-time 119000
ksk lifetime 240000 rollover-time 220000
signature-validity-period 11
dnskey-ttl 5
hsm hsm1
!
slb virtual-server vs-1 10.105.1.111
port 53 udp
name _1.1.1.1_UDP_53
gslb-enable
port 53 dns-tcp
name _1.1.1.1_DNS-TCP_53
gslb-enable
!
gslb service-ip vip-1 1.0.0.1
no health-check
port 80 tcp
no health-check
port 21 tcp
!
gslb service-ip vip-2 1.0.0.2
no health-check
port 80 tcp
no health-check
port 21 tcp
!
gslb service-ip vip-3 1.0.0.3
no health-check
port 80 tcp
no health-check
port 21 tcp
no health-check
!
SSL Insight
This chapter describes the SSL Insight feature (previously known as SSL
Intercept) and how to configure it.
Overview
SSL Insight allows third-party traffic inspection devices to examine
encrypted traffic “in the clear”. The traffic inspection devices can be fire-
walls, Data Loss Prevention (DLP) appliances, email protection systems,
and so on. To perform SSL Insight, a pair of ACOS devices is placed on
either side of the traffic inspection devices.
One of the inside ACOS devices intercepts traffic from inside clients,
decrypts the traffic, and sends it to the traffic inspection devices. If the traf-
fic inspection devices allow the traffic, the devices forward the traffic to the
external ACOS device. The external ACOS device encrypts the traffic again
before sending it to its destination.
Note: You can deploy one ACOS device on either side of the traffic inspection
devices or, for redundancy, you can deploy an HA / VRRP-A set on either
side.
If the policies on the traffic inspection device permit the email to be sent,
the external ACOS device encrypts the email again and sends it to the exter-
nal email server. You can optionally attach a protocol analyzer to the ACOS
device and use the traffic mirroring feature to send the unencrypted traffic to
the traffic analyzer. (This is not shown in Figure 24.)
SSL Operation
Figure 25 shows a more detailed view of the SSL Insight process.
2. The inside ACOS device selects a traffic inspection device, decrypts the
request, and sends the request to the traffic inspection device.
4. The external ACOS device encrypts the request and sends it to the exter-
nal server.
6. The external ACOS device decrypts the reply and sends it back though
the same traffic inspection device.
8. The inside ACOS device encrypts the reply and sends it to the client.
The inside ACOS device completes the following SSL operations for SSL
Insight:
• Negotiates the SSL sessions with inside clients
From the inside client’s perspective, the SSL session is between the client
and the external server. However, the SSL session is actually between the
inside ACOS device and the client.
SSL Insight requires inside client devices to trust the credentials of the
ACOS device. Typically, this is accomplished by importing the same self-
signed certificate and private key to the inside ACOS device that is installed
on other inside resources that need to be trusted by clients. In the client
browser certificate store, the self-signed certificate functions as a CA-
signed certificate.
The inside ACOS device uses the certificate during the SSL handshake with
inside clients, as seen in Figure 26.
The outside ACOS device completes the following SSL operations for SSL
Insight:
• Negotiates SSL sessions with external servers
• Decrypts traffic from external servers before sending the traffic to the
traffic inspection devices
• Encrypts client requests before sending the requests to external servers
Configuration
This section provides information about the tasks you need to complete to
configure and use SSL Insight. For configuration examples, see
“Configuration Example” on page 190.
The outside ACOS devices, the inside ACOS devices, and the traffic inspec-
tion devices all are in the same subnet.
Wildcard VIPs
SSL Insight uses wildcard VIPs, which is a VIP with one of the following
addresses:
• 0.0.0.0 (IPv4)
• :: (IPv6)
The following steps provide an overview of the traffic flow through the
wildcard VIPs:
1. The inside client at 172.16.242.36 sends an encrypted request to
mail.example.com.
2. The outbound wildcard VIP on the inside ACOS device intercepts the
SSL request.
The ACOS device decrypts the traffic and sends it to a traffic inspection
device.
3. The traffic inspection device sends the approved traffic, in the clear, to
an outside ACOS device.
4. The outbound wildcard VIP on the outside ACOS device intercepts the
traffic.
The ACOS device encrypts the traffic, and sends it to the server.
6. The encrypted response traffic from the server is decrypted by the out-
side ACOS device and sent to the traffic inspection device.
7. The traffic inspection device sends the approved reply in the clear to the
inside ACOS device.
• 0 (UDP)
• 0 (Others)
On each of these virtual ports, the destination NAT and port translation is
disabled.
Each of these virtual ports do not use a service group, but use the following
options:
• Use-rcv-hop-for-resp – This option sends reply traffic for the session
back through the same traffic inspection device to the outside ACOS
devices.
• Use-default-if-no-server – This option overrides the default ACOS
behavior when selection of a service-group member fails. By default,
the ACOS device drops the traffic.
However, since these ports do not use a service group, this option is
required to change the default behavior, which in this case, is to forward
• 0 (UDP)
• 0 (Others)
Note: The wildcard VIPs in the example deployment in this chapter all use
ACLs.
Service Groups
The sample deployment in this chapter uses the following service groups.
The service groups for the traffic inspection devices contain members that
represent the paths through the traffic inspection devices. When you create
the real server configuration for a traffic inspection device, use the IP
address of the ACOS interface on the other side of the traffic inspection
device.
On an inside ACOS device, there are TCP and UDP service groups that
each contain members with the following options:
• Name of a real server configuration that consists of the IP address of the
outside ACOS device on the other end of the traffic inspection device
• Port 0
2. Import the root CA-signed certificate for the content servers and the cer-
tificate’s private key.
This certificate must be one that is trusted by inside clients.
4. Create real server configurations for the paths through the traffic inspec-
tion devices and add the devices to the TCP and UDP service groups.
3. Create real server configurations for the paths through the traffic inspec-
tion devices and add the devices to the TCP and UDP service groups.
4. Create a real server configuration for the default gateway router to the
Internet.
5. Create a separate service groups for ports 443, TCP port 0, and UDP
port 0.
GUI Configuration
For the steps to configure SSL Insight by using the GUI, see the
SSL Insight Deployment Guide.
CLI Configuration
This section provides information about configuring SSL Insight by using
the CLI.
Note: If you use a Virtual Ethernet (VE) interface to connect to the traffic
inspection device, you need to enable promiscuous mode only on the VE.
The ACOS device automatically enables the promiscuous mode on each
of the Ethernet ports in the VLAN that belongs to the VE.
To import the root CA-signed certificate that is used by the content servers,
and the certificate’s private key, enter the following commands at the global
configuration level:
The type option specifies the certificate file type, and the default is pem.
This option is not applicable when you import the private key.
In each command, the use-mgmt-port option uses the ACOS device’s man-
agement port to import the certificate. If you do not use this option, the
ACOS device uses a data interface instead.
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• rcp://[user@]host/file
• http://[user@]host/file
• https://[user@]host/file
• sftp://[user@]host/file
2. To specify the CA-signed certificate to use for SSL connections with cli-
ents:
forward-proxy-ca-cert certificate-name
3. To specify s the private key for the CA-signed certificate, enter this
command:
forward-proxy-ca-key private-key-name
3. To disable the Layer 4 health check, enter the following command at the
configuration level for the port:
no health-check
Note: Do not use the fire-wall command, because this command is not applica-
ble to SSL Insight.
Outbound VIP
To configure an outbound VIP:
1. Enter the following command at the global configuration level of the
CLI:
slb virtual-server name 0.0.0.0 [acl acl-id]
2. To add an HTTPS virtual port to the VIP, enter the following command
at the configuration level for the VIP:
port portnum https
For the portnum, specify the HTTPS port number (typically, 443).
4. To bind the client-SSL template to the wildcard VIP, enter the following
command:
template client-ssl template-name
Wildcard Ports
To configure wildcard ports:
1. Exit back one level to return to the server configuration level.
3. To disable the destination NAT and port translation, enter the following
command:
no-dest-nat
Inbound VIP
To configure the inbound VIP, enter the following commands:
slb virtual-server name 0.0.0.0 [acl acl-id]
port 0 {tcp | udp | others}
use-rcv-hop-for-resp
use-default-if-no-server
no-dest-nat
2. To add wildcard TCP and UDP ports, enter the following commands at
the configuration level for the path:
port 0 tcp
port 0 udp
3. To disable the Layer 4 health check for each port, enter the following
command:
no health-check
Note: Do not use the fire-wall command, because this command is not applica-
ble to SSL Insight.
3. To binds the service group for the SSL port on the gateway router to the
wildcard VIP, enter the following command at the configuration level
for the virtual port:
service-group group-name
4. To bind the server-SSL template to the wildcard VIP, enter the following
commands:
template server-ssl template-name
5. To disables destination NAT and enables port translation, enter the fol-
lowing command:
no-dest-nat port-translation
Wildcard Ports
To configure wildcard ports:
1. Exit back one level to return to the server configuration level.
Inbound VIP
To configure the inbound VIP, enter the following commands:
slb virtual-server name 0.0.0.0 [acl acl-id]
port 0 {tcp | udp | others}
no-dest-nat
service-group group-name
Use this command to bind the port to the service group for the paths through
the traffic inspection devices.
Configuration Example
The following sections show how to implement the SSL Insight deployment
in Figure 29 by using the CLI.
The following commands access the configuration level of the CLI and
change the hostname:
ACOS>enable
Password:********
ACOS#config
ACOS(config)#hostname ACOS-Inside-Primary
The following commands configure static routes to the network on the side
of the outside ACOS devices that connects to the Internet. The next-hop IP
address of each route is the floating IP address of a VRID on the outside
ACOS devices. Specifically, these are the floating IP addresses that belong
to the VRIDs for the VLANs that contain the traffic inspection devices.
ACOS-Inside-Primary(config)#ip route 20.1.1.0 /24 10.1.240.11
ACOS-Inside-Primary(config)#ip route 20.1.1.0 /24 10.1.250.11
SSL Configuration
The following commands import the root CA-signed certificate that is used
by the content servers and the certificate’s private key:
ACOS-Inside-Primary(config)#slb ssl-load certificate ca.cert.pem scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?ca-cert.pem
ACOS-Inside-Primary(config)#slb ssl-load private-key ca.key.pem scp:
Address or name of remote host []?192.168.1.111
User name []?admin
Password []?*********
File name [/]?ca-certkey.pem
The following commands configure the wildcard VIP to intercept all out-
bound traffic that originates from the inside network:
ACOS-Inside-Primary(config)#access-list 100 permit ip any any vlan 10
ACOS-Inside-Primary(config)#slb virtual-server outbound_wildcard 0.0.0.0 acl
100
ACOS-Inside-Primary(config-slb vserver)#port 0 tcp
ACOS-Inside-Primary(config-slb vserver-vport)#name Inside1_in_to_out
ACOS-Inside-Primary(config-slb vserver-vport)#service-group LB_Paths_TCP
ACOS-Inside-Primary(config-slb vserver-vport)#no-dest-nat
ACOS-Inside-Primary(config-slb vserver-vport)#port 0 udp
ACOS-Inside-Primary(config-slb vserver-vport)#name Inside1_in_to_out_UDP
VRRP-A Configuration
The following commands specify the VRRP-A device ID for this ACOS
device, add the ACOS device to VRRP-A set 1, and enable VRRP-A on the
device:
ACOS-Inside-Primary(config)#vrrp-a device-id 1
ACOS-Inside-Primary(config)#vrrp-a set-id 1
ACOS-Inside-Primary(config)#vrrp-a enable
The following commands configure the VRID for the inside ACOS devices’
interface with the inside client network:
ACOS-Inside-Primary(config)#vrrp-a vrid default
ACOS-Inside-Primary(config-vrid-default)#floating-ip 10.1.1.1
ACOS-Inside-Primary(config-vrid-default)#priority 200
ACOS-Inside-Primary(config-vrid-default)#tracking-options
ACOS-Inside-Primary(config-vrid-tracking)#interface ethernet 1 priority-cost
60
ACOS-Inside-Primary(config-vrid-tracking)#interface ethernet 2 priority-cost
60
ACOS-Inside-Primary(config-vrid-tracking)#interface ethernet 20 priority-cost
60
The following commands configure the VRID for the VLAN that contains
the second traffic inspection device (PSG2):
ACOS-Inside-Primary(config-vrid-tracking)#vrrp-a vrid 16
ACOS-Inside-Primary(config-vrid)#floating-ip 10.1.250.1
ACOS-Inside-Primary(config-vrid)#priority 200
ACOS-Inside-Primary(config-vrid)#tracking-options
ACOS-Inside-Primary(config-vrid-tracking)#interface ethernet 1 priority-cost
60
ACOS-Inside-Primary(config-vrid-tracking)#interface ethernet 2 priority-cost
60
ACOS-Inside-Primary(config-vrid-tracking)#interface ethernet 20 priority-cost
60
ACOS-Inside-Primary(config-vrid-tracking)#exit
ACOS-Inside-Primary(config-vrid)#exit
The following command configures the VRRP-S interface that connects this
ACOS device to its VRRP-A peer:
ACOS-Inside-Primary(config)#vrrp-a interface ethernet 18 vlan 99
The configuration on the inside secondary ACOS device is the same as the
configuration on the inside primary ACOS device, except for the following
device-specific parameters:
• Hostname – The hostname is configured with a unique value to make it
simpler to identify the device.
• VRRP-A device ID – This value must be unique in the set of ACOS
devices that are backed up by VRRP-A (the VRRP-A set).
Hostname Configuration
ACOS(config)#hostname ACOS-Inside-Secondary
Path Configuration
ACOS-Inside-Secondary(config-client SSL template)#slb server PSG1_Path
10.1.240.11
ACOS-Inside-Secondary(config-real server)#port 0 tcp
ACOS-Inside-Secondary(config-real server-node port)#no health-check
ACOS-Inside-Secondary(config-real server-node port)#port 0 tcp
ACOS-Inside-Secondary(config-real server-node port)#no health-check
ACOS-Inside-Secondary(config-real server-node port)#port 8080 tcp
ACOS-Inside-Secondary(config-real server-node port)#no health-check
ACOS-Inside-Secondary(config-real server-node port)#slb server PSG2_Path
10.1.250.11
ACOS-Inside-Secondary(config-real server)#port 0 tcp
ACOS-Inside-Secondary(config-real server-node port)#no health-check
ACOS-Inside-Secondary(config-real server-node port)#port 0 tcp
ACOS-Inside-Secondary(config-real server-node port)#no health-check
ACOS-Inside-Secondary(config-real server-node port)#port 8080 tcp
ACOS-Inside-Secondary(config-real server-node port)#no health-check
ACOS-Inside-Secondary(config-real server-node port)#slb service-group LB_-
Paths_UDP udp
ACOS-Inside-Secondary(config-slb svc group)#member PSG1_Path:0
ACOS-Inside-Secondary(config-slb svc group)#member PSG2_Path:0
ACOS-Inside-Secondary(config-slb svc group)#slb service-group LB_Paths_TCP tcp
ACOS-Inside-Secondary(config-slb svc group)#member PSG1_Path:0
ACOS-Inside-Secondary(config-slb svc group)#member PSG2_Path:0
ACOS-Inside-Secondary(config-slb svc group)#slb service-group SSL tcp
VRRP-A Configuration
ACOS-Inside-Secondary(config)#vrrp-a device-id 2
ACOS-Inside-Secondary(config)#vrrp-a set-id 1
ACOS-Inside-Secondary(config)#vrrp-a enable
ACOS-Inside-Secondary(config)#vrrp-a vrid default
ACOS-Inside-Secondary(config-vrid-default)#floating-ip 10.1.1.1
ACOS-Inside-Secondary(config-vrid-default)#priority 180
ACOS-Inside-Secondary(config-vrid-default)#tracking-options
ACOS-Inside-Secondary(config-vrid-tracking)#interface ethernet 1 priority-cost
60
ACOS-Inside-Secondary(config-vrid-tracking)#interface ethernet 2 priority-cost
60
ACOS-Inside-Secondary(config-vrid-tracking)#interface ethernet 20 priority-
cost 60
ACOS-Inside-Secondary(config-vrid-tracking)#vrrp-a vrid 15
ACOS-Inside-Secondary(config-vrid)#floating-ip 10.1.240.1
ACOS-Inside-Secondary(config-vrid)#priority 180
ACOS-Inside-Secondary(config-vrid)#tracking-options
ACOS-Inside-Secondary(config-vrid-tracking)#interface ethernet 1 priority-cost
60
The following commands configure static routes to the network on the cli-
ent side of the inside ACOS devices. The next-hop IP address of each route
is the floating IP address of a VRID on the inside ACOS devices. Specifi-
cally, these are the floating IP addresses that belong to the VRIDs for the
VLANs that contain the traffic inspection devices.
ACOS-Outside-Primary(config)#ip route 10.1.1.0 /24 10.1.240.1
ACOS-Outside-Primary(config)#ip route 10.1.1.0 /24 10.1.250.1
SSL Configuration
The following commands configure the server-SSL template:
ACOS-Outside-Primary(config)#slb template server-ssl SSLIntercept_ServerSide
ACOS-Outside-Primary(config-server SSL template)#forward-proxy-enable
Path Configuration
The following commands configure the paths through the traffic inspection
devices to the router on the inside client network:
ACOS-Outside-Primary(config-client SSL template)#slb server server-gateway
20.1.1.253
ACOS-Outside-Primary(config-real server)#port 0 tcp
ACOS-Outside-Primary(config-real server-node port)#no health-check
ACOS-Outside-Primary(config-real server-node port)#port 0 udp
ACOS-Outside-Primary(config-real server-node port)#no health-check
ACOS-Outside-Primary(config-real server-node port)#port 443 tcp
ACOS-Outside-Primary(config-real server-node port)#no health-check
The following commands configure the wildcard VIP to intercept all out-
bound traffic that originates from the inside network:
ACOS-Outside-Primary(config)#access-list 100 permit ip any any vlan 15
ACOS-Outside-Primary(config)#access-list 100 permit ip any any vlan 16
ACOS-Outside-Primary(config)#slb virtual-server outside_in_to_out 0.0.0.0 acl
100
ACOS-Outside-Primary(config-slb vserver)#port 0 tcp
ACOS-Outside-Primary(config-slb vserver-vport)#service-group SG_TCP
ACOS-Outside-Primary(config-slb vserver-vport)#use-rcv-hop-for-resp
ACOS-Outside-Primary(config-slb vserver-vport)#no-dest-nat
ACOS-Outside-Primary(config-slb vserver-vport)#port 0 udp
ACOS-Outside-Primary(config-slb vserver-vport)#service-group SG_UDP
ACOS-Outside-Primary(config-slb vserver-vport)#use-rcv-hop-for-resp
ACOS-Outside-Primary(config-slb vserver-vport)#no-dest-nat
ACOS-Outside-Primary(config-slb vserver-vport)#port 8080 http
ACOS-Outside-Primary(config-slb vserver-vport)#name ReverseProxy_Wildcard
ACOS-Outside-Primary(config-slb vserver-vport)#service-group SG_443
ACOS-Outside-Primary(config-slb vserver-vport)#use-rcv-hop-for-resp
ACOS-Outside-Primary(config-slb vserver-vport)#template server-ssl outside-
intercept
ACOS-Outside-Primary(config-slb vserver-vport)#no-dest-nat port-translation
VRRP-A Configuration
The following commands specify the VRRP-A device ID for this ACOS
device, add the ACOS device to VRRP-A set 2, and enable VRRP-A on the
device:
ACOS-Outside-Primary(config)#vrrp-a device-id 3
ACOS-Outside-Primary(config)#vrrp-a set-id 2
ACOS-Outside-Primary(config)#vrrp-a enable
The following commands configure the VRID for the VLAN that contains
the first traffic inspection device (PSG1):
ACOS-Outside-Primary(config-vrid-tracking)#vrrp-a vrid 5
ACOS-Outside-Primary(config-vrid)#floating-ip 10.1.240.11
ACOS-Outside-Primary(config-vrid)#priority 200
ACOS-Outside-Primary(config-vrid)#tracking-options
ACOS-Outside-Primary(config-vrid-tracking)#interface ethernet 1 priority-cost
60
ACOS-Outside-Primary(config-vrid-tracking)#interface ethernet 2 priority-cost
60
ACOS-Outside-Primary(config-vrid-tracking)#interface ethernet 20 priority-cost
60
The following commands configure the VRID for the VLAN that contains
the second traffic inspection device (PSG2):
ACOS-Outside-Primary(config-vrid-tracking)#vrrp-a vrid 6
ACOS-Outside-Primary(config-vrid)#floating-ip 10.1.250.11
ACOS-Outside-Primary(config-vrid)#priority 200
ACOS-Outside-Primary(config-vrid)#tracking-options
ACOS-Outside-Primary(config-vrid-tracking)#interface ethernet 1 priority-cost
60
ACOS-Outside-Primary(config-vrid-tracking)#interface ethernet 2 priority-cost
60
ACOS-Outside-Primary(config-vrid-tracking)#interface ethernet 20 priority-cost
60
The configuration on the outside secondary ACOS device is the same as the
configuration on the inside outside ACOS device, with the exception of the
following device-specific parameters:
• Hostname
• VRRP-A device ID
• Interface IP addresses
Hostname Configuration
ACOS(config)#hostname ACOS-Outside-Secondary
SSL Configuration
ACOS-Outside-Secondary(config)#slb template server-ssl SSLIntercept_ServerSide
ACOS-Outside-Secondary(config-server SSL template)#forward-proxy-enable
Path Configuration
ACOS-Outside-Secondary(config-client SSL template)#slb server server-gateway
20.1.1.253
ACOS-Outside-Secondary(config-real server)#port 0 tcp
ACOS-Outside-Secondary(config-real server-node port)#no health-check
ACOS-Outside-Secondary(config-real server-node port)#port 0 udp
ACOS-Outside-Secondary(config-real server-node port)#no health-check
ACOS-Outside-Secondary(config-real server-node port)#port 443 tcp
ACOS-Outside-Secondary(config-real server-node port)#no health-check
ACOS-Outside-Secondary(config-real server-node port)#slb service-group SG_TCP
tcp
ACOS-Outside-Secondary(config-slb svc group)#member server-gateway:0
ACOS-Outside-Secondary(config-real server-node port)#slb service-group SG_UDP
UDP
ACOS-Outside-Secondary(config-slb svc group)#member server-gateway:0
ACOS-Outside-Secondary(config-real server-node port)#slb service-group SG_443
tcp
ACOS-Outside-Secondary(config-slb svc group)#member server-gateway:443
ACOS-Outside-Secondary(config-slb svc group)#exit
ACOS-Outside-Secondary(config)#access-list 100 permit ip any any vlan 15
ACOS-Outside-Secondary(config)#access-list 100 permit ip any any vlan 16
ACOS-Outside-Secondary(config)#slb virtual-server outside_in_to_out 0.0.0.0
acl 100
ACOS-Outside-Secondary(config-slb vserver)#port 0 tcp
ACOS-Outside-Secondary(config-slb vserver-vport)#service-group SG_TCP
ACOS-Outside-Secondary(config-slb vserver-vport)#use-rcv-hop-for-resp
ACOS-Outside-Secondary(config-slb vserver-vport)#no-dest-nat
ACOS-Outside-Secondary(config-slb vserver-vport)#port 0 udp
ACOS-Outside-Secondary(config-slb vserver-vport)#service-group SG_UDP
ACOS-Outside-Secondary(config-slb vserver-vport)#use-rcv-hop-for-resp
ACOS-Outside-Secondary(config-slb vserver-vport)#no-dest-nat
ACOS-Outside-Secondary(config-slb vserver-vport)#port 8080 http
ACOS-Outside-Secondary(config-slb vserver-vport)#name ReverseProxy_Wildcard
VRRP-A Configuration
ACOS-Outside-Secondary(config)#vrrp-a device-id 4
ACOS-Outside-Secondary(config)#vrrp-a set-id 2
ACOS-Outside-Secondary(config)#vrrp-a enable
ACOS-Outside-Secondary(config)#vrrp-a vrid default
ACOS-Outside-Secondary(config-vrid-default)#floating-ip 20.1.1.1
ACOS-Outside-Secondary(config-vrid-default)#priority 180
ACOS-Outside-Secondary(config-vrid-default)#tracking-options
ACOS-Outside-Secondary(config-vrid-tracking)#interface ethernet 1 priority-
cost 60
ACOS-Outside-Secondary(config-vrid-tracking)#interface ethernet 2 priority-
cost 60
ACOS-Outside-Secondary(config-vrid-tracking)#interface ethernet 20 priority-
cost 60
ACOS-Outside-Secondary(config-vrid-tracking)#vrrp-a vrid 5
ACOS-Outside-Secondary(config-vrid)#floating-ip 10.1.240.11
ACOS-Outside-Secondary(config-vrid)#priority 180
ACOS-Outside-Secondary(config-vrid)#tracking-options
ACOS-Outside-Secondary(config-vrid-tracking)#interface ethernet 1 priority-
cost 60
ACOS-Outside-Secondary(config-vrid-tracking)#interface ethernet 2 priority-
cost 60
ACOS-Outside-Secondary(config-vrid-tracking)#interface ethernet 20 priority-
cost 60
ACOS-Outside-Secondary(config-vrid-tracking)#vrrp-a vrid 6
ACOS-Outside-Secondary(config-vrid)#floating-ip 10.1.250.11
ACOS-Outside-Secondary(config-vrid)#priority 180
ACOS-Outside-Secondary(config-vrid)#tracking-options
ACOS-Outside-Secondary(config-vrid-tracking)#interface ethernet 1 priority-
cost 60
ACOS-Outside-Secondary(config-vrid-tracking)#interface ethernet 2 priority-
cost 60
ACOS-Outside-Secondary(config-vrid-tracking)#interface ethernet 20 priority-
cost 60
ACOS-Inside-Primary(config)#vrrp-a interface ethernet 18 vlan 99
Configuration
To configure SSL Insight bypass, add a set of bypass rules to the client-SSL
template that is bound to the HTTPS virtual port. Each rule contains a match
option and all or part of the SNI string on which to match.
With these methods, you can configure rules that use the following match
options.
Match Options
Here are the list of match options:
• Equals – matches only if the SNI value completely matches the speci-
fied string.
• Starts-with – matches only if the SNI value starts with the specified
string.
• Contains – matches if the specified string appears anywhere within the
SNI value.
• Ends-with – matches only if the SNI value ends with the specified
string.
The match options are always applied in the order shown, regardless of the
order in which the rules appear in the configuration.
Case Sensitivity
By default, matching is case sensitive. For example, the following rule
matches on SNI strings that contain “aa” but not on strings that contain
“AA”:
forward-proxy-bypass contains aa
• “AA”
• “aA”
• “Aa”
Note: The current release supports case-insensitivity only for class-list entries
that are created in the CLI.
4. Click Add.
2. Click Import.
For more information, see the online help or GUI Reference Guide.
2. Click Add.
6. Select IP Address.
Note: A class list can contain entries for only one IP version.
9. Click OK.
2. To configure the class list in the CLI, enter the following commands:
[no] class-list list-name ac [file filename]
Enter this command at the global configuration level to create the list
and access the configuration level for it. The file option saves the list as
a file that you can export. Without this option, the class-list entries are
saved in the configuration file instead.
Note: The ac option is required. This specifies that the list type is Aho-Corasick.
2. To bind the class list to the template, enter the following command:
forward-proxy-bypass class-list list-name
This command binds the class list to the template.
Overview
You can control access to a VIP that is based on the geo-location of the cli-
ent. You also can configure ACOS to perform one of the following actions
for client traffic, depending on the location of the client:
• Drop the traffic
• If the traffic was configured using a black/white list, send the traffic to a
specific service group
Note: This feature requires that you load a geo-location database but does not
require any other configuration of GSLB. The ACOS system image
includes the Internet Assigned Numbers Authority (IANA) database. By
default, the IANA database is not loaded. For more information about
loading the database, see “Loading the IANA Geo-location Database” on
page 216.
Note: Geo-location-based VIP access works only if the class list is imported as a
file. The CLI does not support configuration of class-list entries for this
application.
The following commands import the class list to the ACOS device, config-
ure a policy template, and bind the template to a virtual port. The connec-
tion limits that are specified in the policy template apply to clients that send
requests to the virtual port.
TH3030B-Active#
4. Apply the policy template to the virtual port for which you want to con-
trol access.
The syntax is the same in both methods. The black/white list must be a text
file that contains entries (rows) in the following format:
L "geo-location" group-id #conn-limit
3. Click OK.
2. Click Add.
8. Click Add.
4. Click Add.
Note: You can also import a custom geo-location database. For information, see
the A10 Thunder Series and AX Series Global Server Load Balancing
Guide.
3. If you are configuring a new VIP, enter the name and IP address for the
server.
4. To apply the policy template to a virtual port, enter the following com-
mand at the configuration level for the virtual port:
[no] template policy template-name
CLI Example
The following command imports black/white list geolist to the ACOS
device:
ACOS(config)#import bw-list geolist scp://192.168.1.2/root/geolist
Note: The template is configured to drop traffic from clients in the geo-location
mapped to group 1 in the list.
ACOS(config)#slb template policy geoloc
ACOS(config-policy)#bw-list name geolist
ACOS(config-policy)#bw-list id 1 drop
ACOS(config-policy)#exit
Full-Domain Checking
By default, when a client requests a connection, the ACOS device checks
the connection count only for the specific geo-location level of the client. If
the connection limit for that specific geo-location level has not been
reached, the client’s connection is permitted. The permit counter is incre-
mented only for that specific geo-location level.
Using the default behavior, the connection request from the client at
US.CA.SanJose is allowed even though CA has reached its connection limit.
A connection request from a client at US.CA is allowed. However, a con-
nection request from a client whose location match is US is denied.
After these three clients are permitted or denied, the connection permit and
deny counters are incremented as follows:
• US – Deny counter is incremented by 1.
When full-domain checking is enabled, the ACOS device checks the current
connection count not only for the client’s specific geo-location, but for all
geo-locations higher up in the domain tree. Based on full-domain checking,
all three connection requests from the clients in the example above are
denied because the US domain has reached its connection limit.
The counters for each domain are updated in the following way:
• US – Deny counter is incremented by 1.
• Deny
• Connection number
• Connection limit
Note: You should enable or disable this option before enabling PBSLB. Chang-
ing the state of this option when PBSLB is running can cause the related
statistics counters to be incorrect.
www.a10networks.com
224