User Interface Reference
Trademarks
A10 Networks, A10 Thunder, vThunder, the A10 logo, aACI, aCloud, ACOS, aDCS, aDNS, aELB, aFleX, aFlow, aGalaxy,
aPlatform, aUSG, aVCS, aWAF, aXAPI, IDAccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX, Thunder, Unified Service
Gateway, Virtual Chassis, VirtualADC, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All
other trademarks are property of their respective owners.
Patents Protection
A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents
pending: 20120216266, 20120204236, 20120179770, 20120144015, 20120084419, 20110239289, 20110093522,
20100235880, 20100217819, 20090049537, 20080229418, 20080148357, 20080109887, 20080040789, 20070283429,
20070282855, 20070271598, 20070195792, 20070180101, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235,
8151322, 8079077, 7979585, 7716378, 7675854, 7647635, 7552126
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas
herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written
consent of A10 Networks, Inc.
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services,
including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to
verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information
is provided "as-is." The product specifications and features described in this publication are based on the latest
information available; however, specifications are subject to change without notice, and certain features may not be available
upon initial product release. Contact A10 Networks for current information regarding its products or services. A10
Networks’ products and services are subject to A10 Networks’ standard terms and conditions.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types,
please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal
of electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10
Networks location, which can be found by visiting www.a10networks.com.
A10 Thunder Series and AX Series—GUI Reference
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid A10
Networks Regular and Technical Support service contracts, the A10 Networks
Technical Assistance Center provides support services online and
over the phone.
Corporate Headquarters
www.a10networks.com
Note: As an alternative to saving the output in a log file captured by your terminal
emulation application, you can export the output from the CLI using
the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the CLI Reference for the software version
you are running.)
FIGURE 2 AX 5630
For details about feature support on specific models, see the release notes.
User Documentation
Information is available for ACOS products in the following documents.
These documents are included on the documentation CD shipped with your
product, and also are available on the A10 Networks support site.
Basic Setup
• Installation Guides
Security Guides
• Management Access Security Guide
References
• LOM Reference
• GUI Reference
• CLI Reference
• aFleX Reference
• MIB Reference
• aXAPI Reference
Make sure to use the basic deployment instructions in the Installation Guide
for your Thunder or AX model, and in the System Configuration and
Administration Guide. Also make sure to set up your device’s Lights Out
Management (LOM) interface, if applicable.
Audience
This document is intended for use by network architects for determining
applicability and planning implementation, and for system administrators
for provision and maintenance of A10 Networks products.
Documentation Updates
Updates to these documents are published periodically to the A10 Networks
support site, on an updated documentation CD (posted as a zip archive). To
access the latest version, please log onto your A10 support account.
http://www.a10networks.com
http://www.a10networks.com/adc/
Introduction
Login
Redirection of HTTP to HTTPS
GUI Features
Mode Tabs and Module Buttons
Menus
Main Display Area
Global Buttons
Save
Logout
Help
Show Techsupport
VRRP-A/HA
Action Buttons
Tabular Displays
Action Buttons
Navigation Controls
Display Filters
Sorting and Filtering SLB Displays on Monitor Pages
Configuration Pages
Graph Display Options
Data Refresh
Time Span
Web Timeout
System Partitions
Option Visibility
Monitor Mode
Monitor Modules
Monitor Menu Tree
Monitor Mode > Overview
Monitor Mode > Overview > Summary
System Information
Device Information
Feature Configuration
CPU Usage Chart
Memory Usage Chart
Monitor Mode > Overview > Status
Virtual Server Status
System Log
Monitor Mode > Overview > Statistics
Monitor Mode > Overview > Performance
Monitor Mode > Overview > Performance > Summary
Monitor Mode > Overview > Performance > Overview
Monitor Mode > Overview > Performance > Connection
Monitor Mode > Overview > Performance > Attack Prevention
Monitor Mode > SLB
Monitor Mode > SLB > Service
SLB Graphs
Monitor Mode > SLB > Service > Virtual Server
Monitor Mode > SLB > Service > Virtual Service
Monitor Mode > SLB > Service > Service Group
Monitor Mode > SLB > Service > Server
Monitor Mode > SLB > Health Monitor
Monitor Mode > SLB > Black-White List
Monitor Mode > SLB > Black-White List > Statistics
Monitor Mode > SLB > aFleX
Monitor Mode > SLB > Session
Monitor Mode > SLB > Session > Brief
Monitor Mode > SLB > Session > Session
Monitor Mode > SLB > Application
Monitor Mode > SLB > Application > Proxy > Generic
Monitor Mode > SLB > Application > Proxy > Fast-HTTP
Monitor Mode > SLB > Application > Proxy > HTTP
Monitor Mode > SLB > Application > Proxy > SMTP
Monitor Mode > SLB > Application > Proxy > TCP
Monitor Mode > SLB > Application > Proxy > DNS Cache
Monitor Mode > SLB > Application > Proxy > Diameter
Monitor Mode > SLB > Application > Proxy > SIP
Monitor Mode > SLB > Application > Proxy > SMPP
Monitor Mode > SLB > Application > Proxy > FIX
Monitor Mode > SLB > Application > Proxy > Mysql
Monitor Mode > SLB > Application > Proxy > Mssql
Monitor Mode > SLB > Application > Connection Reuse
Monitor Mode > SLB > Application > Persistent
Monitor Mode > SLB > Application > SSL
Monitor Mode > SLB > Application > RAM Caching > Details
Monitor Mode > SLB > Application > RAM Caching > Objects
Monitor Mode > SLB > Application > RAM Caching > Replacement
Monitor Mode > SLB > Application > FTP
Monitor Mode > SLB > Application > Net
Monitor Mode > SLB > Application > Switch
Monitor Mode > SLB > Application > Hashed Certificate
Monitor Mode > GSLB
Monitor Mode > Security
Monitor Mode > Security > WAF
Monitor Mode > Security > Authentication
Monitor Mode > Security > ACL
Monitor Mode > Security > ACL > IPv4 ACL
Monitor Mode > Security > ACL > IPv6 ACL
Monitor Mode > IP Source NAT
Monitor Mode > IP Source NAT > Pool
Monitor Mode > IP Source NAT > Static NAT
Monitor Mode > Network
Monitor Mode > Network > Interface
Statistics Table
Statistics Graphs
Changing the Date and Time Span of the Statistics
Refreshing Statistics
Clearing Statistics
Monitor Mode > Network > Trunk
Monitor Mode > Network > LACP
Monitor Mode > Network > LACP > System ID
Monitor Mode > Network > LACP > Counter
Monitor Mode > Network > LACP > Trunk
Monitor Mode > Network > VLAN
Monitor Mode > Network > ARP
Monitor Mode > Network > ARP > IPv4 ARP
Monitor Mode > Network > ARP > IPv6 Neighbor
Introduction
The A10 Thunder Series and AX Series GUI enables you to manage the
device with a Web browser. The GUI runs as a Web server on the ACOS
device.
Table 1 lists the browser versions supported by the ACOS management GUI
in this release.
The browser used to access the GUI must support encryption keys of 128
bits or longer. Shorter encryption keys (for example, 40 bits) are not
supported. The browser also must support TLS 1.0. Beginning in ACOS
Release 2.6.1-P1, browsers that support only SSL are not supported.
After you upgrade the ACOS device, clear the browser cache to ensure
proper display of the GUI.
Login
To access the GUI:
1. In a Web browser, enter https://ip-addr, where ip-addr is the IP address
of the ACOS device.
A login dialog appears, as shown in Figure 2.
2. Enter a valid user name and password and click OK.
• Default user name: admin
• Default password: a10
FIGURE 2 Login
Note: The ACOS device has a default admin user name and password. A10
Networks recommends that you change the password when you first deploy
the switch.
Notes
• The ACOS device supports a maximum of 128 simultaneous management
sessions. This includes any combination of CLI, GUI, and aXAPI
sessions.
• GUI management sessions are not automatically terminated when you
close the browser window. The session remains in effect until it times
out. To immediately terminate a GUI session, click Logout.
• On this page and on the option menus, “GSLB” options appear only if
you are running a software version that includes Global Server Load
Balancing (GSLB).
If you are already logged into the GUI and want to change the setting for the
next login, you can disable redirection from within the GUI:
1. Select Config Mode > System > Settings.
2. In the Web section of the page, click on the Re-direct HTTP to HTTPS
checkbox to deselect the option.
3. Click OK.
GUI Features
This section describes the display and configuration controls of the GUI.
After you click a mode tab, it darkens to indicate it is active. The inactive
mode is light. The available module buttons are listed on the left. The active
module shows the down arrow and its available sub-modules in light
blue beneath its down arrow.
Shortcut Icon
Some sub-module hyperlinks have a shortcut icon next to them. The icon
provides a shortcut to the configuration page for the sub-module. For example,
if you click this icon next to the “aFleX” hyperlink, the aFleX configuration
page appears.
For example, to navigate to the SLB real server table as shown in Figure 5,
use the following path:
• Monitor Mode > SLB > Service > Server
Menus
The top panel contains the menu bar, to the right of the mode tabs. Menus
change depending on which module and sub-module are currently selected.
Some displays include tables or configuration pages. Others display
drop-down menus of actions or of additional options. The active menu bar item is
highlighted in yellow.
Figure 5 on page 23 shows the menu bar for Monitor Mode > SLB >
Service. In this example, the Server menu option is selected.
Global Buttons
The banner at the top of the GUI displays the Save, Logout and Help
buttons, which are always available from anywhere in the GUI.
Note: If the GSLB group synchronization feature is enabled, the ACOS device’s
controller group status (role) appears next to the AX hostname.
Save
The Save button saves configuration changes that are in the running
configuration to the startup configuration file. When the running configuration
currently has unsaved changes, this button flashes red. Click it to save
changes that have been made since the last save.
Logout
Logout ends the current GUI session. Your login name is shown in
parentheses. In this example, the login name is “admin”.
Help
Show Techsupport
Clicking the Show Techsupport button generates a techreport log file of
system information for use when troubleshooting. (See “Obtaining Technical
Assistance” on page 3.)
VRRP-A/HA
• Standby
• Not Configured
• Not-Sync
If both VRRP-A and HA are disabled, the status can appear as follows:
• Shared partition – HA:Not – Configured
Action Buttons
Some lists of configuration items, such as the list of real servers, have the
following buttons:
• Add – Displays a page containing configuration fields for creating a new
item.
• Delete – Deletes the selected items. Select the checkbox next to each
item to be deleted, then click Delete.
• Edit – In most cases, displays a page that allows you to change specific
common parameters for all the selected items.
• Clone – Creates a copy of the selected item. Select the checkbox next to
the item to be cloned, then click Clone.
• Enable – Enables the selected items.
Note: This action does not save configuration changes. To save changes, you
must write them to the startup configuration file. Select the Save option in
the upper right corner of the AX GUI window. (See “Save” on page 24.)
• Cancel – Cancels configuration of the new item and re-displays the table
that lists the configured items.
Tabular Displays
Data and configured items are displayed in tables such as the ones shown in
Figure 5 and Figure 7.
FIGURE 7 Example Tabular Display – Monitor Mode > SLB > Virtual
Server
Action Buttons
Most tabular displays for configuration items have the following action
buttons:
• Add – Displays a configuration page to add a new item. (Figure 11 on
page 31 shows an example.)
• Delete – Deletes the selected configuration items. To perform this
action, click on the checkboxes next to the items you want to delete,
then click Delete.
Navigation Controls
If a table has more items than can be displayed in a single page, the GUI
displays page navigation controls.
The summary buttons (the arrow buttons; start, left, right, and end) provide
browser-like navigation through the pages of table rows.
The numbers in brackets indicate the entry numbers displayed on the
current page. The number following the forward slash indicates the total
number of entries that match the display criteria (display filters).
The drop-down list specifies how many rows to display on a single page.
You can select one of the following: 50, 10, 20, 100, or Show All. The
default is 50.
Display Filters
Many tables also provide options to filter the display to show only the
entries you want to see. For example, the SLB real server table (shown in
Figure 5 on page 23) allows you to filter based on name, description, or
both. To filter the display:
1. Select the column by which to filter.
3. Click Find.
To find multiple, similar entries, you can enter the part of the name that is
common for all entries. For example, to display all servers that have “rs” in
the name, make the selections shown in Figure 9.
By default, the rows in the tables displayed on these pages are sorted
alphabetically by name, in ascending order. For example, the Virtual Server list is
sorted by virtual server name. (See Figure 7 on page 27.)
Resorting by Column
To resort the table rows, click on the up or down icons in the column
headers.
Filtering By Name
To filter the display by name:
1. Enter part of a name in the field above the Name column.
To redisplay all rows, clear the filter field, then click on the looking glass
icon or press Enter.
Filtering By Status
To filter the display by a single status value:
1. Select “Status” from the filter drop-down list. The drop-down list to the
right is populated with the possible device status values.
4. To save the advanced filter settings for future use, enter a name in the
field to the right of the Remember button, and click Remember.
The filter name is added to the status values in the drop-down list.
To delete a saved set of advanced filter settings, select the name from the
status drop-down list, then click Delete.
Note: Filtering by status is not supported on the Monitor Mode > Overview >
Status page.
Configuration Pages
Configuration pages enable you to enter configuration information. In some
cases, a configuration page is displayed when you select a menu option. For
example, selecting Config Mode > Network > DNS > DNS displays the
configuration page shown in Figure 10.
FIGURE 10 Example Configuration page - Config Mode > Network > DNS
In other cases, the menu option displays a list of configured items, such as
the list of configured real servers shown in Figure 5 on page 23. To
configure a new server, click the Add button, located under the list of servers. The
server configuration page appears, as shown in Figure 11.
FIGURE 11 Example Configuration page – Config Mode > SLB > Service >
Server
Caution: Setting a GUI window to automatically refresh its data will prevent
the web session from timing out. If you set a GUI page to automatically
refresh data, do not leave the session unattended if the PC is in
an unsecure location.
You also can disable or re-enable display of individual graphs. To disable
display of a graph, click the check box next to the graph name to clear the
checkbox. For example, to disable display of the Bytes graph in Figure 7 on
page 27, click the Bytes checkbox to clear it.
Data Refresh
Statistics counters start incrementing from 0 after the most recent reboot or
the most recent clear performed by an administrator.
To refresh the display with the latest counter values, click Refresh.
Time Span
The horizontal (x) axis of each graph shows the time span of the data in the
graph. The same time span is used for all four graphs.
4. Select the time. Place the cursor over the hours or minutes counter and
do one of the following:
• To select a later time, click on the hours or minutes counter to scroll
forward.
• To select an earlier time, hold Shift and click on the hours or
minutes counter to scroll backward.
5. Click x in the upper right corner of the calendar to save the settings and
close the calendar.
The date and time you selected appear in the Start Time or End Time
field.
Web Timeout
Web Timeout is used to prevent blockage of admin access caused by users
who do not log off. The timeout counter indicates the amount of time
remaining before the session is automatically closed.
Select Config Mode > System > Settings > Web to view or set the Web
Timeout value in minutes.
Clicking any ACOS GUI button or menu option also resets the timer.
One minute before a session times out, a timer appears on the left side of the
GUI window, under the Monitor and Config links. You can click the Reset
button under the timer to reset the timer for your GUI session. If you do not
click Reset or another button or menu option before the timer reaches 0, the
session is terminated.
Caution: After the Web timer expires, the ACOS device ends the GUI session.
No warning or confirmation message appears. If you are entering
configuration information but have not yet clicked OK, the
configuration information is lost.
System Partitions
Role-Based Administration (RBA) allows the ACOS device to be segmented
into multiple administrative domains called “partitions”. If RBA is
configured, the resources accessible to you in the GUI depend on the privilege
level for the admin account you use to log in:
• If you are logged in with an admin account that has Root, Read-Write,
or Read-Only privileges, the resources in the shared partition and all private
partitions are displayed by default.
• If you are logged in with an admin account that has Partition Write
Admin or Partition Read Admin privileges, the GUI presents only the
resources in the device’s shared partition and in your private partition. In
this case, you can view the objects in the shared partition but you cannot
configure them. Depending on your admin privilege level, you can view
only or view and configure the resources in your shared partition.
Resources in other partitions are not accessible.
• If you are logged in with an admin account that has Partition RS Operator
privileges, you can view service port statistics for real servers in the
partition, and disable or re-enable real servers and service ports in the
partition. Admins with this access level cannot view additional
resources and cannot change the view to another partition.
Admins with Root, Read-write, or Read-only privileges can select the partition
to view. To change the view to another partition:
1. On the title bar, select the private partition from the Partition drop-down
list.
2. Click Yes.
3. Click the Refresh button next to the Partition drop-down list. You must
refresh the page in order for the view change to take effect.
Note: For more information about this feature, see the “Role-Based Administration”
chapter in the A10 Thunder Series and AX Series System Configuration
and Administration Guide.
Option Visibility
The GUI display varies with the individual administrative role and system
configuration of the ACOS device and varies most for sections related to
highly-configurable features: aVCS, VRRP-A, and HA.
Monitor Mode
The Monitor Mode enables you to monitor systems and activities controlled
by the ACOS device.
Note: For information about GSLB monitoring options, see “Monitor Mode –
GSLB” on page 306.
Monitor Modules
The Monitor Mode offers the following sub-modules for observing
A10 Thunder Series and AX Series network and performance settings and
operations.
• Overview
• SLB
• GSLB
• Security
• IP Source NAT
• Network
• System
• Zone
• Protocol
Monitor Mode > Security
• WAF
• Authentication
• ACL
• IPv4 ACL
• IPv6 ACL
Monitor Mode > IP Source NAT
• Pool
• Static NAT
Monitor Mode > Network
• Interface
• Trunk
• LACP
• System ID
• Counter
• Trunk
• VLAN
• ARP
• IPv4 ARP
• IPv6 Neighbor
• Route
• IPv4 Route Table
• IPv4 Forwarding
• IPv6 Forwarding
Monitor Mode > System
• Admin
• Admin Session
• Admin Locked
• Logging
• Logging
• Audit
• Diagnosis
• AXDebug File
• AXDebug Config
• AXDebug Capture
• ShowTech File
• Show Techsupport
• aVCS
• Summary
• Statistics
• Images
• HA
• Group
• Status
• Set ID Monitor
• VRRP
• VRID
• Status
• Set ID Monitor
• Host ID
Note: Display of status and configuration options will vary with your
administrative role and the system configuration of the ACOS device. For
information on the privilege level of administrative roles, see “Preconfigured GUI
Access Roles” on page 447.
To display the interface type and IP address for a port, move the mouse
pointer over the port’s icon.
Likewise, to display the status of a hard disk, move the mouse pointer over
the icon of the disk.
System Information
Device Information
Feature Configuration
This section lists how many instances of each type of Services resource are
configured. To view the list of configured resources of a specific type, click
on the name. For example, to access the list of configured service groups,
click on “Service Groups”.
The CPU Usage chart shows CPU usage statistics for the most recent 90
seconds.
To display or hide data for a specific CPU, click to expand the chart legend,
then click on the row for the CPU.
Click on a line in the chart for more information about the data portrayed by
the line.
For a larger graph showing a longer timespan, select Monitor Mode >
Overview > Statistics.
The virtual server names in the Name column are hyperlinks. You can click
on a virtual server name to display status information for the individual
virtual service ports configured on the virtual server.
TABLE 5 Monitor Mode > SLB > SLB > Virtual Server
Field | Description
Name | Name of the virtual server. Click on a virtual server name to display statistics for the individual virtual service ports on the virtual server. The icon to the left of the virtual server or individual virtual port indicates its status: Shows the state of the virtual server. If you click on a virtual server name, the individual virtual ports are listed. The state of a virtual port is shown as follows:
For information about sorting and filtering the rows in the table, see “Sorting
and Filtering SLB Displays on Monitor Pages” on page 29.
System Log
System log entries are displayed at the bottom of the page. By default, the
100 most recent messages can be viewed on this page. All message levels
are displayed by default and the list is refreshed every 10 seconds by
default. The messages are color-coded to indicate the message level.
2. Click Status.
• Disk Usage
• CPU Usage
To display statistics for a longer time span, select the time span from the
drop-down list located above the Dropped column of the statistics table.
Note: If system statistics are not displayed, collection of them may be disabled.
To collect statistical information, enable the “Stats Data” option. (See
“Config Mode > SLB > Service > Global” on page 206.)
4. Click Save.
To display statistics for a longer time span, select the time span from the
drop-down list located next to the Go button.
Note: To move the calendar popup, click on the bottom row of the calendar and
drag it.
2. Select the End Time using the calendar at the end of the End Time field.
Note: Statistics are available for only the most recent 30 days.
3. Click Go.
Statistics Refresh
To automatically refresh statistics, select the refresh period from the
drop-down list at the right of the drop-down list for the data period. By default,
automatic refresh is disabled.
CPU and memory usage are displayed at the top of the page.
• Current Connections
• New Connections
• L7 Requests
• Connection Reuse
You also can display these graphs by clicking on “Connection Reuse” or the
graphics link at the top of the group of connection reuse statistics on the
Summary page.
You also can display this graph by clicking on “Attack Prevention” or the
graphics link at the top of the group of attack prevention statistics on the
Summary page.
Each page provides the following display control links, located under the
table and above the graph display area:
• Select All – selects all the rows in the table
• Expand All – Expands each row to show its constituents. For example,
clicking this link on the Virtual Server page expands the table to also
show all of the virtual ports on each VIP.
• Collapse All – Collapses all rows in the table to show only the top-level
items (for example, VIPs)
The following checkboxes appear between the table and the graph display
area. Clicking one of these checkboxes toggles display of the corresponding
column in the table.
• Connections
• Packets
• Bytes
• Description
• Request
For additional display options, see “Sorting and Filtering SLB Displays on
Monitor Pages” on page 29.
SLB Graphs
• Current Connections
To display the graphs, click on the icon in the rightmost column for
the resource. The graphs appear below the table.
Note: The icon is available only if statistical data collection is enabled for the
SLB resource. Statistical data collection is disabled by default. To enable
it, select Enabled next to Stats Data on the configuration page for the
resource.
To clear statistics, select the checkboxes next to the items for which you
want to clear the statistics, then click Clear.
Statistics Scope
By default, all configuration items within the selected item are averaged.
For example, if you click on the icon next to a virtual server name,
graphs that are displayed show the statistics for all virtual service ports in
the virtual server.
To display statistics for a longer time span, select the time span from the
drop-down list located next to the Go button.
Note: To move the calendar popup, click on the bottom row of the calendar and
drag it.
2. Select the End Time using the calendar at the end of the End Time field.
Note: Statistics are available for only the most recent 30 days.
3. Click Go.
Statistics Refresh
To automatically refresh statistics, select the refresh period from the
drop-down list at the right of the drop-down list for the data period. By default,
automatic refresh is disabled.
Monitor Mode > SLB > Service > Virtual Server > Virtual Server
Monitor Mode > SLB > Service > Virtual Server > Host/URL Hits
The page displays counters for the number of instances a host or URL was
accessed by users.
2. Select the Host or URL radio button to display the counters by one of
the following options:
• Host – Web host
• URL – URL path on the Web site
3. (optional) In the String field, enter a string to display counters only for
hosts or URLs that match the specified string.
TABLE 7 Monitor Mode > SLB > SLB > Virtual Service
Field | Description
Name | Name of the virtual service. Click on this row to display the service-group bindings for the virtual service. Each binding is listed in the following format: Portnum (Service-Group). For example, 80 (rs-http-2). The icon to the left indicates the status. (For descriptions, see Table 5 on page 46.)
Current Connections | Current number of connections to the virtual service or individual service-group binding.
Total Connections | Total number of connections to the virtual service or individual service-group binding since the last time statistics were cleared.
Packets Forward | Total number of packets that the virtual service or individual service-group binding received from the client and forwarded to the server since the last time statistics were cleared.
Packets Reverse | Total number of packets that the virtual service or individual service-group binding received from the server and reverse-forwarded to the client since the last time statistics were cleared.
Bytes Forward | Total number of bytes that the virtual service or individual service-group binding received from the client and forwarded to the server since the last time statistics were cleared.
Bytes Reverse | Total number of bytes that the virtual service or individual service-group binding received from the server and reverse-forwarded to the client since the last time statistics were cleared.
Statistics (unlabeled) | Provides access to statistics. (See “SLB Graphs” on page 52.)
TABLE 8 Monitor Mode > SLB > SLB > Service Group
Field | Description
Name | Name of the service group. Click on this row to display statistics for the individual service ports bound to the service group. Each port binding is shown in the following format: Portnum (Service-Group). For example, 80 (rs-http-2). The icon to the left of the service group name or service port indicates its status:
Packets Forward | Total number of packets forwarded to the service group or individual service member since the last time statistics were cleared.
Packets Reverse | Total number of packets reverse-forwarded from the service group or individual service member since the last time statistics were cleared.
Bytes Forward | Total number of bytes forwarded to the service group or individual service member since the last time statistics were cleared.
Bytes Reverse | Total number of bytes reverse-forwarded from the service group or individual service member since the last time statistics were cleared.
Statistics (unlabeled) | Provides access to statistics. (See “SLB Graphs” on page 52.)
TABLE 9 Monitor Mode > SLB > SLB > Server (Continued)
Field | Description
Packets Reverse | Total number of packets reverse-forwarded from the real server or individual server port since the last time statistics were cleared.
Bytes Forward | Total number of bytes forwarded to the real server or individual server port since the last time statistics were cleared.
Bytes Reverse | Total number of bytes reverse-forwarded from the real server or individual server port since the last time statistics were cleared.
Statistics (unlabeled) | Provides access to statistics. (See “SLB Graphs” on page 52.)
Note: For dynamically created real servers, this page shows only the first
dynamically created server. To display all dynamically created servers,
use the show slb server command in the CLI.
3. Select the health monitor to use from the Health Monitor drop-down list.
4. To test a specific service, enter the protocol port number for the service
in the Port field.
5. Click Start.
The status of the server or service appears in the Status message area.
Note: If an override IP address and protocol port are set in the health monitor
configuration, the ACOS device will use the override address and port
instead of the address and port you specify here.
Monitor Mode > SLB > Black-White List > Statistics > System
This page shows statistics for system-wide PBSLB. Depending on how the
feature is implemented, the statistics are shown in the System Blacklist/Whitelist
Statistics table or the System Class List Statistics table.
Table 11 describes the columns in the System Class List Statistics table.
Monitor Mode > SLB > Black-White List > Statistics > Virtual Server > Class List
This page shows statistics for PBSLB applied to individual virtual servers,
and implemented using class lists. The table columns are the same as those
described in Table 11 on page 60.
Monitor Mode > SLB > Black-White List > Statistics > Virtual Server > Black/WhiteList
This page shows statistics for PBSLB applied to individual virtual servers,
and implemented using black/white lists. The table columns are the same as
those described in Table 10 on page 59.
Monitor Mode > SLB > Black-White List > Client Query > Class List
The page allows you to query PBSLB information based on class list and IP
address.
Select the class list, specify the IP host or subnet address, and click Find.
The table columns are the same as those described in Table 11 on page 60.
Monitor Mode > SLB > Black-White List > Client Query > Black/WhiteList
The page allows you to query PBSLB information based on black/white list
and IP address.
Select the black/white list, specify the IP host or subnet address, and click
Find.
TABLE 12 Monitor Mode > SLB > Black-White List > Client Query > Black/WhiteList
Field | Description
IP Address | Client IP address.
Service Group | Service group ID.
Connections Limit | Maximum number of new connections allowed.
Connections Current | Current number of active connections.
An aFleX policy can appear in multiple rows in the table. Each row shows
counters for a different event type.
To clear counters for all events listed for an aFleX policy, select at least one
row for the aFleX policy, then click Clear.
To clear counters only for specific events, select the rows for those events,
then click Clear Event.
Monitor Mode > SLB > IP Source NAT
This page shows the session table. The columns displayed differ depending
on the selected radio button.
Display Fields
Table 17 describes the display fields on this page.
Monitor Mode > SLB > Application > Proxy > Generic
This page shows SLB statistics for the generic service type. Statistics are
listed separately for each of the ACOS device’s CPUs.
TABLE 18 Monitor Mode > SLB > Application > Proxy > Generic
Field | Description
Current Proxy Conns | Number of currently active connections using the generic proxy.
Total Proxy Conns | Total number of connections that have used the generic proxy.
Client Fail | Please contact A10 Networks for information.
Server Fail | Please contact A10 Networks for information.
Server Selection Failure | Number of times selection of a real server failed.
No Route Failure | Please contact A10 Networks for information.
Source NAT Failure | Number of source NAT failures.
Monitor Mode > SLB > Application > Proxy > Fast-HTTP
This page shows SLB statistics for the Fast-HTTP service type. Statistics
are listed separately for each of the ACOS device’s CPUs.
TABLE 19 Monitor Mode > SLB > Application > Proxy > Fast-HTTP
Field | Description
Curr Proxy Conns | Number of currently active connections using the fast-HTTP proxy.
Total Proxy Conns | Total number of connections that have used the fast-HTTP proxy.
HTTP Requests | Number of HTTP requests received by the fast-HTTP proxy.
HTTP Requests(succ) | Number of HTTP requests successfully fulfilled (by establishing a connection to a real server).
No Proxy Error | Number of proxy errors.
Client RST | Number of times TCP connections with clients were reset.
Server RST | Number of times TCP connections with servers were reset.
No Tuple Error | Number of tuple errors.
Parse Req Fail | Number of times the HTTP parser failed to parse a received HTTP request.
Server Selection Fail | Number of times selection of a real server failed.
Fwd Req Fail | Number of forward request failures.
Fwd Req Data Fail | Number of forward request data failures.
Req Retransmit | Number of retransmitted requests.
Req Pkt Out-of-Order | Number of request packets received from clients out of sequence.
Server Reselection | Number of times initial selection of a real server for an HTTP request failed (for example, due to a TCP Reset sent by the server).
Server Premature Close | Number of times the connection with a server closed prematurely.
Server Conn Made | Number of connections made with servers.
Source NAT Failure | Number of source NAT failures.
Data Before Compression / Data After Compression | These counters show statistics for HTTP compression, in bytes.
Request Over Limit | Please contact A10 Networks for information.
Request Rate Over Limit | Please contact A10 Networks for information.
Out RSTs | Please contact A10 Networks for information.
Full proxy tot | Total number of fast-HTTP sessions that entered the full HTTP path.
Full proxy POST | Number of fast-HTTP sessions that entered the full HTTP path due to the POST body content.
Full proxy pipeline | Number of request packets that used HTTP pipelining.
Full proxy fpga err | Number of fast-HTTP sessions that entered the full HTTP path due to an error in FPGA parsing.
Monitor Mode > SLB > Application > Proxy > HTTP
This page shows SLB statistics for the HTTP service type. Statistics are
listed separately for each of the ACOS device’s CPUs.
TABLE 20 Monitor Mode > SLB > Application > Proxy > HTTP
Field | Description
Curr Proxy Conns | Number of currently active HTTP connections using the A10 Thunder Series and AX Series device as an HTTP proxy.
Total Proxy Conns | Total number of HTTP connections that have used the A10 Thunder Series and AX Series device as an HTTP proxy.
HTTP Requests | Total number of HTTP requests received by the HTTP proxy.
HTTP Requests(succ) | Number of HTTP requests received by the HTTP proxy that were successfully fulfilled by connection to a real server.
HTTP Requests (cache succ) | Number of HTTP requests received by the HTTP proxy that were successfully fulfilled from the cache.
No Proxy Error | Number of proxy errors.
Client RST | Number of times TCP connections with clients were reset.
Server RST | Number of times TCP connections with servers were reset.
No Tuple Error | Number of tuple errors.
Parse Req Fail | Number of times the HTTP parser failed to parse a received HTTP request.
Server Selection Fail | Number of times selection of a real server failed.
Fwd Req Fail | Number of forward request failures.
Fwd Req Data Fail | Number of forward request data failures.
Req Retransmit | Number of retransmitted requests.
Req Pkt Out-of-Order | Number of request packets received from clients out of sequence.
Server Reselection | Number of times initial selection of a real server for an HTTP request failed (for example, due to a TCP Reset sent by the server).
Server Premature Close | Number of times the connection with a server closed prematurely.
Server Conn Made | Number of connections made with servers.
Source NAT Failure | Number of source NAT failures.
Data Before Compression / Data After Compression | These counters show statistics for HTTP compression, in bytes.
Request Over Limit | Please contact A10 Networks for information.
Request Rate Over Limit | Please contact A10 Networks for information.
Monitor Mode > SLB > Application > Proxy > SMTP
This page shows SLB statistics for the SMTP service type. Statistics are
listed separately for each of the ACOS device’s CPUs.
TABLE 21 Monitor Mode > SLB > Application > Proxy > SMTP
Field | Description
Curr Proxy Conns | Number of currently active SMTP connections using the A10 Thunder Series and AX Series device as an SMTP proxy.
Total Proxy Conns | Total number of SMTP connections that have used the A10 Thunder Series and AX Series device as an SMTP proxy.
SMTP Requests | Total number of SMTP requests received by the SMTP proxy.
SMTP Requests(succ) | Number of SMTP requests received by the A10 Thunder Series and AX Series device that were successfully fulfilled (by connection to a real server).
No Proxy Error | Number of proxy errors.
Client RST | Number of times TCP connections with clients were reset.
Server RST | Number of times TCP connections with servers were reset.
No Tuple Error | Number of tuple errors.
Parse Req Fail | Number of times parsing of an SMTP request failed.
Server Selection Fail | Number of times selection of a real server failed.
Fwd Req Fail | Number of forward request failures.
Fwd Req Data Fail | Number of forward request data failures.
Req Retransmit | Number of retransmitted requests.
Req Pkt Out-of-Order | Number of request packets received from clients out of sequence.
Server Reselection | Number of times a request was forwarded to another server because the current server was failing.
Server Premature Close | Number of times the connection with a server closed prematurely.
Server Conn Made | Number of connections made with servers.
Source NAT Failure | Number of source NAT failures.
Monitor Mode > SLB > Application > Proxy > TCP
This page shows SLB TCP-Proxy statistics. Statistics are listed separately
for each of the ACOS device’s CPUs.
TABLE 22 Monitor Mode > SLB > Application > Proxy > TCP
Field | Description
Currently EST Conns | Current number of established TCP connections being handled by the proxy.
Active Open Conns | Number of connections opened actively.
Passive Open Conns | Number of connections opened passively.
Connect Attempt Failures | Number of TCP connection attempts that failed.
Total in TCP Packets | Total number of TCP packets received by the TCP proxy.
Total out TCP Packets | Total number of TCP packets sent by the TCP proxy.
Retransmitted Packets | Number of TCP packets retransmitted by the TCP proxy.
Resets Rcvd on EST Conn | Number of TCP Resets received for established connections.
Reset Sent | Number of TCP Resets sent by the ACOS device.
Input Errors | Number of invalid TCP packets received by the ACOS device.
Sockets Allocated | Number of TCP sockets currently allocated.
Orphan Sockets | Current number of orphan sockets.
Memory Alloc | Total memory allocated for TCP.
Total Rx Buffer | Total RX buffers allocated for TCP.
Total Tx Buffer | Total TX buffers occupied by TCP.
TCP in SYN-SNT State | Current number of TCP connections in the SYN-SNT state.
TCP in SYN-RCV State | Current number of TCP connections in the SYN-RCV state.
TCP in FIN-W1 State | Current number of TCP connections in the Fin-Wait-1 state.
TCP FIN-W2 State | Current number of TCP connections in the Fin-Wait-2 state.
TCP TimeW State | Current number of TCP connections in the Time Wait state.
TCP in Close State | Current number of TCP connections in the Close state.
TCP in CloseW State | Current number of TCP connections in the Close-Wait state.
TCP in LastACK State | Current number of TCP connections in the Last-ACK state.
TCP in Listen State | Current number of TCP connections in the Listening state.
TCP in Closing State | Current number of TCP connections in the Closing state.
Monitor Mode > SLB > Application > Proxy > DNS Cache
This page shows proxy statistics for DNS caching.
TABLE 23 Monitor Mode > SLB > Application > Proxy > DNS Cache
Field | Description
Total Allocated | Total memory allocated for cached entries.
Total Freed | Total memory freed.
Total Query | Total number of DNS queries received by the ACOS device.
Total Server Response | Total number of responses from DNS servers received by the ACOS device.
Total Cache Hit | Total number of times the ACOS device was able to use a cached reply in response to a query.
Query Not Passed | Number of queries that did not pass a packet sanity check.
Response Not Passed | Number of responses that did not pass a packet sanity check. The ACOS device checks the DNS header and question in the packet, but does not parse the entire packet.
Response Exceed Cache Size | Please contact A10 Networks for information.
Response Answer Not Passed | Please contact A10 Networks for information.
Query Encoded | Number of queries that were not cached because the domain name in the question was encoded in the DNS query packet.
Response Encoded | Number of queries that were not cached because the domain name in the question was encoded in the DNS response packet.
Query With Multiple Questions | Number of queries that were not cached because they contained multiple questions.
Response With Multiple Questions | Number of responses that were not cached because they contained answers for multiple questions.
Response With Multiple Answers | Number of responses that contained more than one answer.
Response with Short TTL | Number of responses that had a short time to live (TTL).
Total Aged Out | Total number of DNS cache entries that have aged out of the cache.
Total Aged for Lower Weight | Number of cache entries aged out due to their weight value.
Total Stats Log Sent | Total number of logs sent.
Current Allocate | Current memory allocation.
Current Data Allocate | Current data allocation.
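The header-and-question checks that the Table 23 counters describe can be pictured with the following added example, which is not A10 code and not part of the original guide. It assumes that "encoded" means a DNS compression pointer in the question name and that each packet's direction is known from the side it arrived on; the function names and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

HEADER_LEN = 12  # fixed DNS header size (RFC 1035)


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels (sample data helper)."""
    parts = name.split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"


def header(flags, qdcount, ancount):
    """Build a 12-byte DNS header for the constructed samples."""
    return struct.pack("!6H", 0x1234, flags, qdcount, ancount, 0, 0)


def read_question(pkt, offset):
    """Walk one question entry without following compression pointers.

    Returns (next_offset, used_pointer); raises ValueError if malformed.
    """
    used_pointer = False
    while True:
        if offset >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[offset]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            if offset + 2 > len(pkt):
                raise ValueError("pointer truncated")
            offset += 2
            used_pointer = True
            break
        if length & 0xC0:              # 0x40 and 0x80 label types are reserved
            raise ValueError("reserved label type")
        offset += 1 + length
        if length == 0:                # root label terminates the name
            break
    if offset + 4 > len(pkt):          # QTYPE and QCLASS must follow the name
        raise ValueError("question truncated")
    return offset + 4, used_pointer


def classify(direction, pkt):
    """Map a packet to a Table 23 counter name, or 'passed' if none applies.

    direction is 'query' or 'response'. The mapping is this example's reading
    of the table (an assumption), looking only at the header and question.
    """
    prefix = "Query" if direction == "query" else "Response"
    if len(pkt) < HEADER_LEN:
        return f"{prefix} Not Passed"
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", pkt[:HEADER_LEN])
    is_response = bool(flags & 0x8000)          # QR bit
    if is_response != (direction == "response") or qdcount == 0:
        return f"{prefix} Not Passed"
    if qdcount > 1:
        return f"{prefix} With Multiple Questions"
    try:
        _end, used_pointer = read_question(pkt, HEADER_LEN)
    except ValueError:
        return f"{prefix} Not Passed"
    if used_pointer:
        return f"{prefix} Encoded"
    if direction == "response" and ancount > 1:  # answers are counted, not parsed
        return "Response With Multiple Answers"
    return "passed"


def tally(samples):
    """Count how many packets land on each counter."""
    return Counter(classify(direction, pkt) for direction, pkt in samples)


# Constructed sample packets (not captured traffic).
Q = encode_name("www.example.com") + struct.pack("!2H", 1, 1)
SAMPLES = [
    ("query", header(0x0100, 1, 0) + Q),                    # well-formed query
    ("query", (header(0x0100, 1, 0) + Q)[:10]),             # shorter than a header
    ("query", header(0x0100, 2, 0) + Q + Q),                # two questions
    ("response", header(0x8180, 1, 1) + b"\x03www\xc0\x0c"
     + struct.pack("!2H", 1, 1)),                           # pointer in question
    ("response", header(0x8180, 1, 2) + Q),                 # ANCOUNT of 2
    ("query", header(0x8180, 1, 1) + Q),                    # QR bit contradicts side
    ("response", header(0x8180, 1, 1) + Q[:-3]),            # QTYPE/QCLASS cut off
]

if __name__ == "__main__":
    for name, count in sorted(tally(SAMPLES).items()):
        print(f"{name}: {count}")
```

A steadily rising "Not Passed" or "Encoded" count against a flat "Total Query" is the kind of pattern this breakdown makes visible when reading the counters.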
Monitor Mode > SLB > Application > Proxy > Diameter
This page shows proxy statistics for Diameter load balancing.
TABLE 24 Monitor Mode > SLB > Application > Proxy > Diameter
Field | Description
Current Proxy Conns | Number of currently active Diameter connections using the ACOS device as a Diameter proxy.
Total Proxy Conns | Total number of Diameter connections that have used the ACOS device as a Diameter proxy.
Client Fail | Number of times client-side failure terminated connection.
Server Fail | Number of times server-side failure terminated connection.
Server Selection Failure | Number of times selection of a real server failed.
No Route Failure | Number of times Diameter failed due to route lookup failure.
Source NAT Failure | Number of source NAT failures.
Concurrent User Session | Number of concurrent Diameter sessions.
acr out | Number of Accounting-Request messages sent by the ACOS device.
acr in | Number of Accounting-Request messages received by the ACOS device.
aca out | Number of Accounting-Answer messages sent by the ACOS device.
aca in | Number of Accounting-Answer messages received by the ACOS device.
cea out | Number of Capabilities-Exchange-Answer messages sent by the ACOS device.
cea in | Number of Capabilities-Exchange-Answer messages received by the ACOS device.
cer out | Number of Capabilities-Exchange-Request messages sent by the ACOS device.
cer in | Number of Capabilities-Exchange-Request messages received by the ACOS device.
dwr out | Number of Device-Watchdog-Request messages sent by the ACOS device.
dwr in | Number of Device-Watchdog-Request messages received by the ACOS device.
dwa out | Number of Device-Watchdog-Answer messages sent by the ACOS device.
dwa in | Number of Device-Watchdog-Answer messages received by the ACOS device.
str out | Number of Session-Termination-Request messages sent by the ACOS device.
str in | Number of Session-Termination-Request messages received by the ACOS device.
sta out | Number of Session-Termination-Answer messages sent by the ACOS device.
sta in | Number of Session-Termination-Answer messages received by the ACOS device.
asr out | Number of Abort-Session-Request messages sent by the ACOS device.
asr in | Number of Abort-Session-Request messages received by the ACOS device.
asa out | Number of Abort-Session-Answer messages sent by the ACOS device.
asa in | Number of Abort-Session-Answer messages received by the ACOS device.
other out | Number of Diameter messages of other types (other message codes) sent by the ACOS device.
other in | Number of Diameter messages of other types received by the ACOS device.
Monitor Mode > SLB > Application > Proxy > SIP
This page shows proxy statistics for the Session Initiation Protocol (SIP)
service type.
TABLE 25 Monitor Mode > SLB > Application > Proxy > SIP
Field | Description
SIP Session created | Total number of SIP sessions that have been created.
SIP Sessions freed | Total number of SIP sessions that have been freed.
Curr SIP Proxy | Number of currently active connections using the SIP proxy.
Total SIP Proxy | Total number of connections that have used the SIP proxy.
Client message rcvd | Total number of SIP messages received from clients.
• Sent to server – Number of SIP messages received by the client and forwarded to the server.
• Incomplete – Number of packets which contain incomplete messages.
• aFleX drop – Number of packets dropped due to an aFleX policy.
• Connecting server – Number of connected servers.
• Failed – Number of SIP messages received by the client but not forwarded to the server.
Server message rcvd | Total number of SIP messages received from servers.
• Sent to client – Number of SIP messages received by the server and forwarded to the client.
• Incomplete – Number of packets which contain incomplete messages.
• aFleX drop – Number of packets dropped due to an aFleX policy.
• Failed – Number of SIP messages received by the server but not forwarded to the client.
Server conn created |
• Created successfully – Number of server connections created successfully.
• Failed – Number of failed server connection attempts.
Message parsing failed | Number of SIP messages that failed to be parsed.
Message processing failed | Total number of SIP messages that failed to be processed.
• Failed to insert call-id session – Number of SIP messages that failed to be processed because the call-id session was not inserted into the hash table.
• Failed to insert URI session – Number of SIP messages that failed to be processed because the URI session was not inserted into the hash table.
Monitor Mode > SLB > Application > Proxy > SMPP
This page shows SLB statistics for the SMPP service type. Statistics are
listed separately for each of the ACOS device’s CPUs.
TABLE 26 Monitor Mode > SLB > Application > Proxy > SMPP
Field Description
SMPP msg Total amount of memory currently in use for SMPP connec-
mem allocated tions.
SMPP msg Total amount of memory cached for SMPP connections.
mem cached
SMPP msg Total amount of memory freed after an SMPP connection has
mem freed closed.
SMPP msg Total amount of memory allocated for the SMPP packet pay-
payload load.
allocated
SMPP msg Total amount of memory freed from the SMPP packet pay-
payload freed load.
Curr SMPP Number of currently active connections using the SMPP
Proxy proxy.
Total SMPP Total number of connections that have used the SMPP proxy.
Proxy
TABLE 26 Monitor Mode > SLB > Application > Proxy > SMPP
Field Description
Client message Total number of SMPP messages received from clients.
rcvd • Sent to server – Number of SMPP messages received by
the client and forwarded to the server.
• Incomplete – Number of packets which contain incom-
plete messages.
• AX responds directly – Number of times the ACOS
device responded directly to a client’s request.
• Drop – Number of packets dropped due to the configured
SMP resource limit.
• Connecting server – Number of times the ACOS device
forwarded a client’s request to the SMPP server.
• Failed – The following counters display the number of
failed connections, listed by the cause:
• Failed to parse
• Failed to process
• Failed to SNAT
• Exceeded buff
• Failed to send
• Server conn start failed
Server message Total number of SMPP messages received from servers.
rcvd • Sent to client – Number of SMPP messages received by
the server and forwarded to the client.
• Incomplete – Number of packets which contain incom-
plete messages.
• Drop – Number of packets dropped due to the configured
SMP resource limit.
• Failed – Number of SMPP messages received by the
server that were not forwarded to the client. The following
counters display the number of failed connections, listed
by cause:
• Failed to parse
• Failed to process
• Failed to sel client conn
• Failed to SNAT
• Exceeded buff
• Failed to send
TABLE 26 Monitor Mode > SLB > Application > Proxy > SMPP
Field | Description
Server conn created |
  • Created successfully – Number of server connections created successfully.
  • Failed – Number of failed server connection attempts, listed by cause:
    • Failed to SNAT
    • Failed to construct
    • Failed to reserve
    • Failed to start
    • Server conn already exists
    • Failed to insert
Message parsing failed | Number of SMPP messages that the ACOS failed to parse. The following sub-counters describe the cause:
  • The packet size too small – Number of SMPP messages that were not parsed because the message size was less than 4 bytes.
  • Invalid sequence number – Sequence numbers of SMPP messages are incremented by 1. This counter indicates the total number of SMPP messages that were not parsed because of an incorrect sequence number.
Message processing failed | Number of times the ACOS could not process the SMPP message. The following sub-counters describe the cause:
  • No vport – There was no virtual port that matched the destination of the SMPP message.
  • Failed to select server – Server selection failure to forward the SMPP request.
Client conn selection | The following counters apply to SMPP client selection:
  • Select by request – Number of client connections selected by the type of request message.
  • Select by roundbin – Number of client connections selected by the Round Robin algorithm.
  • Select by conn – Number of client connections selected by the connection type.
  • Select failed – Number of times the ACOS failed to select a client for the SMPP connection.
Server conn selection | The following counters apply to SMPP server selection:
  • Select by request – Number of server connections selected by the type of request message.
  • Select by roundbin – Number of server connections selected by the Round Robin algorithm.
  • Select by conn – Number of server connections selected by the connection type.
  • Select failed – Number of times the ACOS failed to select a server for the SMPP connection.
Bind client and server | Number of times the ACOS successfully forwarded the initial BIND message from a client to an SMPP server.
Unbind client and server | Number of times the ACOS disconnected the client from an SMPP server.
Receive enquire_link | Total number of ENQUIRE_LINK messages that the ACOS received from the SMPP client or server.
Receive enquire_link_resp | Total number of ENQUIRE_LINK_RESP messages that the ACOS received from the SMPP client or server.
Send enquire_link | Total number of ENQUIRE_LINK messages that the ACOS device has sent.
Send enquire_link_resp | Total number of ENQUIRE_LINK_RESP messages that the ACOS device has sent.
Put client conn in list, Get client conn from list, Put server conn in list, Get server conn from list | Please contact A10 Networks for information.
Fail to bind server | Total number of times the ACOS device received a BIND message and failed to connect the client to an SMPP server.
Single message | Total number of single messages that were sent to the ACOS and did not require a response.
Transfer msg from L4 to L7 CPU | Number of SMPP messages that the ACOS transferred from a Layer 4 CPU to a Layer 7 CPU.
Fetch msg from L7 CPU | Number of SMPP messages that the ACOS transferred from the Layer 7 CPU to a Layer 4 CPU.
Transfer msg from proxy to conn CPU | Number of SMPP messages that the ACOS transferred from the proxy CPU to the connection CPU.
Fetch msg from conn CPU | Number of SMPP messages that the ACOS transferred from the connection CPU to the proxy CPU.
Transfer msg from L7 to L4 CPU | Number of SMPP messages that the ACOS transferred from a Layer 7 CPU to a Layer 4 CPU.
Transfer msg from conn to proxy CPU | Number of SMPP messages that the ACOS transferred from the connection CPU to the proxy CPU.
Fail to dcmsg, Conn is deprecated during dcmsg | Please contact A10 Networks for information.
Alloc mem failed | Number of times a connection failed because the ACOS device did not have access to sufficient memory resources.
Unexpected error | Number of unexpected errors that are not categorized by the other counters.
Identify L7 CPU failed | Please contact A10 Networks for information.
AX holds msg | Number of messages that the ACOS device has received from a client or server and has yet to forward.
Splited packet | Number of times the ACOS split TCP packets which contain multiple SMPP messages.
Message in pipeline | Number of SMPP messages that the ACOS processed using an HTTP pipeline.
Client RST | Number of times TCP connections with clients were reset.
Server RST | Number of times TCP connections with servers were reset.
Monitor Mode > SLB > Application > Proxy > FIX
This page shows SLB statistics for the Financial Information Exchange
(FIX) proxy. Statistics are listed separately for each of the ACOS device’s
CPUs.
TABLE 27 Monitor Mode > SLB > Application > Proxy > FIX
Field | Description
Current Proxy Conns | Number of currently active connections using the FIX proxy.
Total Proxy Conns | Total number of connections that have used the FIX proxy.
Client Fail | Number of times that the connection was terminated due to an error on the client side.
Server Fail | Number of times that the connection was terminated due to an error on the server side.
Server Selection Failure | Number of times selection of a real server failed.
No Route Failure | Number of times FIX failed due to a route lookup failure.
Source NAT Failure | Number of source NAT failures.
Insert Client IP | Number of times that the ACOS inserted the client’s IP address into tag 11447 and forwarded the recalculated request packet to the FIX server.
Default Switching | Number of times that the ACOS parsed the tag value from a client’s request and selected a service-group based on a match with the configured tag keyword.
Sender ID Switching | Instances of content switching based on the sender’s identification tag (SenderCompID).
Target ID Switching | Instances of content switching based on the receiver’s identification tag (TargetCompID).
Monitor Mode > SLB > Application > Proxy > Mysql
This page shows database load-balancing (DBLB) statistics for the MySQL
database system. Statistics are listed separately for each of the ACOS
device’s CPUs.
TABLE 28 Monitor Mode > SLB > Application > Proxy > Mysql
Field | Description
Current Proxy Conns | Number of currently active connections using the DBLB proxy.
Total Proxy Conns | Total number of connections that have used the DBLB proxy.
Curr BE Encryption Conns | Number of currently active, encrypted connections on the back-end (BE), between the ACOS and server which processes database queries.
Total BE Encryption Conns | Total number of encrypted connections that have occurred on the back-end (BE), between the ACOS and server which processes database queries.
Curr FE Encryption Conns | Number of currently active, encrypted connections on the front-end (FE) between the ACOS and client.
Total FE Encryption Conns | Total number of encrypted connections that have occurred on the front-end (FE) between the ACOS and a client.
Client FIN | Number of TCP connections that were closed from the client-side.
Server FIN | Number of TCP connections that were closed from the server-side.
Session err | Total number of session errors that occurred while processing DBLB requests.
DB Queries | Total number of received database queries. Note: This counter corresponds to the number of instances that the aFleX DB_QUERY event was triggered.
DB commands reply | Total number of received database commands. Note: This counter corresponds to the number of instances that the aFleX DB_COMMAND event was triggered.
Monitor Mode > SLB > Application > Proxy > Mssql
This page shows database load-balancing (DBLB) statistics for the MS-SQL
database system. Statistics are listed separately for each of the ACOS
device’s CPUs.
This page shows SLB connection reuse statistics. Statistics are listed separately
for each of the ACOS device’s CPUs.
TABLE 30 Monitor Mode > SLB > Application > Connection Reuse
Field | Description
Open Persistent | Number of new client connections directed to the same server as previous connections by the persistence feature.
Active Persistent | Number of currently active connections that were sent to the same real server by the persistence feature.
Total Established | Total number of established connections.
Total Terminated | Total number of terminated connections.
Total Bound | Total number of bound connections.
Total Unbound | Total number of unbound connections.
Total Delayed Unbindings | Number of connections whose unbinding was delayed.
Total Long Responses | Number of responses that took too long.
Total Missed Responses | Number of missed responses to HTTP requests.
This page shows SLB persistence statistics. Statistics are listed separately
for each of the ACOS device’s CPUs.
TABLE 31 Monitor Mode > SLB > Application > Persistent (Continued)
Field | Description
Source IP Persistent OK | Number of requests successfully sent to the same server as previous requests from the same client, based on source-IP persistence.
Source IP Persistent Fails | Number of requests that could not be fulfilled by the same server as previous requests from the same client, based on source-IP persistence.
SSL SID Persistent OK | Number of requests successfully sent to the same server as previous requests with the same SSL session ID.
SSL SID Persistent Fails | Number of requests that could not be fulfilled by the same server as previous requests with the same SSL session ID.
Cookie Persistent OK | Number of requests successfully sent to the same server as previous requests with the same persistence cookie.
Cookie Persistent Fails | Number of requests that could not be fulfilled by the same server as previous requests with the same persistence cookie.
Persistent Cookie Not Found | Number of requests in which a persistence cookie was not found.
This page shows statistics for the ACOS device’s SSL processing module.
TABLE 32 Monitor Mode > SLB > Application > SSL (Continued)
Field | Description
Total clientside SSL Connections | Total number of client-side SSL sessions since the last time statistics were cleared.
Current serverside SSL Connections | Number of currently active server-side SSL sessions.
Total serverside SSL Connections | Total number of server-side SSL sessions since the last time statistics were cleared.
Failed SSL Handshakes | Number of SSL sessions in which the SSL security handshake failed.
Failed Crypto operations | Number of times an encryption/decryption failure occurred for an SSL record.
SSL Memory Usage | Amount of memory in use by the SSL processing module.
SSL fail CA verification | Number of times an SSL session was terminated due to a certificate verification failure.
HW Context Memory alloc failed | Number of times the encryption processor was unable to allocate memory.
HW ring full | Number of times the AX software was unable to enqueue an SSL record to the SSL processor for encryption/decryption. (Number of times the processor reached its performance limit.)
Record too big | Number of oversize SSL records received.
Total times of reusing SSL session(IDs) | Total number of times an SSL session ID was reused.
Total client ssl context malloc failures | Total number of times that the ACOS failed to allocate memory for an SSL session. This counter applies only when an SSL template is defined using aFleX.
Monitor Mode > SLB > Application > RAM Caching > Details
TABLE 33 Monitor Mode > SLB > Application > RAM Caching > Details
Field | Description
Cache Hits | Number of times a requested page was found in the cache and served from the cache.
Cache Misses | Number of times a requested page was not found in the cache.
Memory Used | Amount of RAM currently used by cached content.
Bytes Served | Total number of bytes served from the cache.
Entries Cached | Number of objects currently in the cache.
Entries Replaced | Number of cached items that were removed to make room for newer entries, per the replacement policy.
Entries Aged Out | Number of entries that were removed because they are older than their expiration time.
Entries Cleaned | Number of cached objects that have aged out and therefore been removed from the cache.
Total Requests | Total number of requests received on all virtual server ports on which caching is configured.
Cacheable Requests | Number of requests that are potentially cacheable.
No-cache Requests | Number of requests with no-cache header directives.
No-cache Responses | Number of responses with no-cache header directives.
IMS Requests | Number of requests that contained an If-Modified-Since header.
304 Responses | Number of 304 – Not Modified responses sent to clients.
Revalidation Successes | Number of entries that were successfully revalidated by the server.
Revalidation Failures | Number of times revalidation failed.
Policy URI nocache | Number of times requested content was not cached due to a URI policy.
Policy URI cache | Number of times a request was cached due to a URI policy.
Policy URI invalidate | Number of times a request was invalidated due to a URI policy.
Content Too Big | Number of cacheable items that were not cached because the file size was larger than the configured maximum content size.
Content Too Small | Number of cacheable items that were not cached because the file size was smaller than the configured minimum content size.
Srvr Resp - Cont Len | Number of responses that contained Content-Length headers.
Srvr Resp - Chnk Enc | Number of responses that were chunk encoded.
Srvr Resp - 304 Status | Number of responses that had status code 304.
Srvr Resp - Other | Number of responses that were of other types.
Cache Resp - No Comp | Number of objects received from the content server that were uncompressed.
Cache Resp - Gzip | Number of objects received from the content server that were compressed using gzip. Gzip is an encoding format produced by the file compression program “gzip” (GNU zip) as described in RFC 1952 (Lempel-Ziv coding [LZ77] with a 32 bit CRC).
Cache Resp - Deflate | Number of objects received from the content server that were compressed using deflate. Deflate is the “zlib” format defined in RFC 1950 in combination with the “deflate” compression mechanism described in RFC 1951.
Cache Resp - Other | Number of objects received from the content server that were compressed using compress. Compress is the encoding format produced by the common UNIX file compression program “compress” (adaptive Lempel-Ziv-Welch coding [LZW]).
Entry create failures | Counter used by A10 technical support for troubleshooting.
Monitor Mode > SLB > Application > RAM Caching > Objects
TABLE 34 Monitor Mode > SLB > Application > RAM Caching > Objects
Field | Description
Host | Virtual port number on which RAM caching is enabled.
Object URL | URL from which the cached object was obtained by the ACOS device.
Bytes | Length of the cached object.
Type | Indicates whether the cached object has a Content-Length header, is compressed, or is chunk-encoded:
  • CL – Content-Length header
  • CP – Compressed
  • CE – Chunk-encoded
Status | Status of the entry:
  • FR – Fresh
  • ST – Stale
  • IN – Incomplete
  • FA – Failed
  • UN – Unknown
  • R – The entry must be revalidated.
Expires in | Number of seconds the object can remain unused before it ages out.
Monitor Mode > SLB > Application > RAM Caching > Replacement
This page displays the distribution of requests for cached objects. Distribution
is shown for only one RAM caching virtual port at a time. To display
request distribution for a different virtual port, select the virtual server and
port from the Virtual Server and Port drop-down lists.
TABLE 35 Monitor Mode > SLB > Application > RAM Caching > Replacement
Field | Description
Frequency | Shows the frequency of requests. Entries listed for 1/256 (one in 256 requests) are the least requested, whereas entries listed for 128 are the most requested.
Total | Shows the total number of objects for the request frequency.
This page shows Layer 4 SLB statistics. Statistics are listed separately for
each of the ACOS device’s CPUs.
TABLE 37 Monitor Mode > SLB > Application > Net (Continued)
Field | Description
TCP SYN cookie failed | Number of times a TCP SYN cookie failure occurred.
NAT no session drops | Number of times non-ICMP traffic to a NAT IP address was dropped because there was no matching session.
vport not matching drops | Number of times traffic was dropped because the requested virtual port was not available.
No SYN pkt drops | Number of SYN packets dropped.
No SYN pkt drops - FIN | Number of SYN packets dropped due to a TCP FIN.
No SYN pkt drops - RST | Number of SYN packets dropped due to a TCP Reset.
No SYN pkt drops - ACK | Number of SYN packets dropped due to an ACK.
Conn Limit drops | Number of packets dropped because the server connection limit has been reached.
Conn Limit resets | Number of connections reset because the server connection limit had been reached.
Conn rate limit drops | Number of connections dropped by connection rate limiting.
Conn rate limit resets | Number of connections reset by connection rate limiting.
Proxy no sock drops | Number of packets dropped because the proxy did not have an available socket.
aFleX drops | Number of packets dropped due to an aFleX policy.
Session aged out | Number of sessions that have aged out.
TCP Session aged out | Number of TCP sessions that have aged out.
UDP Session aged out | Number of UDP sessions that have aged out.
Other Session aged out | Number of sessions of other types (not TCP or UDP) that have aged out.
TCP no SLB | Number of non-SLB TCP packets received by the ACOS device.
UDP no SLB | Number of non-SLB UDP packets received by the ACOS device.
SYN Throttle | Number of SYN packets that have been throttled.
Inband HM retry | Number of times the ACOS device retried an inband health check, because a SYN-ACK was not received for the previous SYN.
Inband HM reassign | Number of times the ACOS device reassigned a client’s traffic to another server, because the initial server exceeded the maximum number of retries allowed by the inband health check.
Fast aging set | Please contact A10 Networks for information.
Fast aging reset | Please contact A10 Networks for information.
TCP invalid drop | Please contact A10 Networks for information.
SYN stale sess drop | Please contact A10 Networks for information.
Anomaly out of sequence | Number of packets that matched an IP anomaly out-of-sequence filter. Note: To configure IP anomaly filters, see “Config Mode > Security > Network > DDos Protection” on page 382.
Anomaly zero window | Number of packets that matched an IP anomaly zero-window filter.
Anomaly bad content | Number of packets that matched an IP anomaly bad-content filter.
Anomaly pbslb drop | Number of packets that matched an IP anomaly bad-content filter used for PBSLB.
No resource drop | Please contact A10 Networks for information.
Reset unknown conn | Please contact A10 Networks for information.
RST L7 on failover | Number of times a Layer 7 connection was reset due to failover.
ignore msl | Number of packets dropped by the ignore-tcp-msl option.
BW-Limit Exceed drop | Number of packets dropped because they exceeded the bandwidth limit.
BW-Watermark drop | Number of packets dropped because they exceeded the bandwidth watermark limit.
L4 CPS exceed drop | Number of packets dropped because they exceeded the Layer 4 Connections Per Second (CPS) limit.
NAT CPS exceed drop | Number of packets dropped because they exceeded the NAT CPS limit.
L7 CPS exceed drop | Number of packets dropped because they exceeded the Layer 7 CPS limit.
SSL CPS exceed drop | Number of packets dropped because they exceeded the SSL CPS limit.
SSL TPT exceed drop | Number of packets dropped because they exceeded the SSL TPT limit.
SSL TPT-Watermark drop | Number of packets dropped because they exceeded the template SSL TPT limit.
L3V Conn Limit Drop | Number of IP packets dropped because they exceeded the L3V connection limit.
This page shows SLB switching statistics. Statistics are listed separately for
each of the ACOS device’s CPUs.
TABLE 38 Monitor Mode > SLB > Application > Switch (Continued)
Field | Description
IP Fragment Overlap Drops | Number of fragments dropped due to overlap.
IP Fragment Reasm Oks | Number of successfully reassembled IP fragments.
IP Fragment Reasm Fails | Number of fragment reassembly failures.
Anomaly Land Attack Drops | Number of packets dropped by an IP land attack filter. Note: This statistic and the other Anomaly statistics show how many packets were dropped by DDoS protection filters. For the ACOS device to drop these packets, the corresponding DDoS protection options must be enabled. (See “Config Mode > Security > Network > DDos Protection” on page 382.)
Anomaly IP Option Drops | Number of packets dropped by an IP option filter.
Anomaly Ping-of-Death Drops | Number of packets dropped by a ping-of-death filter.
Anomaly All Frag Drops | Number of packets dropped by a frag filter.
Anomaly TCP No Flag Drops | Number of packets dropped by a tcp-no-flag filter.
Anomaly SYN Frag Drops | Number of packets dropped by a tcp-syn-frag filter.
Anomaly TCP SYN Fin Drops | Number of packets dropped by a tcp-syn-fin filter.
Anomaly Any Drops | Number of packets dropped by any type of hardware-based DDoS protection filter.
BPDUs Received | Number of Bridge Protocol Data Units (BPDUs) received.
BPDUs Sent | Number of Bridge Protocol Data Units (BPDUs) sent.
ACL Denys | Number of times traffic was not forwarded due to a deny rule in an Access Control List (ACL). This counter also includes traffic dropped due to the l3-vlan-fwd-disable action in ACL rules.
SYN rate exceeded Drop | Number of packets dropped because the TCP SYN threshold had been exceeded.
Packet Error Drops | Number of packets dropped due to a packet error.
IPv6 Frag Reasm OKs | Number of successfully reassembled IPv6 fragments.
IPv6 Frag Reasm Fails | Number of IPv6 fragment reassembly failures.
IPv6 Frag Invalid Pkts | Number of IPv6 fragments that were invalid.
Bad Pkt Drop | Number of bad packets dropped.
IP Frag Exceed Drop | Number of fragmented IP packets that were dropped because they exceeded the allowed maximum.
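To help interpret the Anomaly counters in Table 38, the following added example (not part of the A10 documentation and not ACOS code) classifies constructed IPv4 packets against the header conditions these filter names conventionally refer to. The match conditions, the filter labels used as keys, and the sample packets are assumptions for illustration; the actual ACOS filter logic may differ.

```python
import socket
import struct
from collections import Counter

FIN, SYN, ACK = 0x01, 0x02, 0x10   # TCP flag bits
MAX_IP_LEN = 65535                 # largest valid IPv4 datagram, in bytes


def build_ipv4(src, dst, proto, payload, options=b"", frag_offset=0, more_frags=False):
    """Build a constructed IPv4 packet. frag_offset is in 8-byte units; checksum left at 0."""
    ihl_words = 5 + len(options) // 4
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words, 0, ihl_words * 4 + len(payload), 0,
        flags_frag, 64, proto, 0,
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header + options + payload


def build_tcp(flags, sport=40000, dport=443):
    """Build a constructed 20-byte TCP header carrying only the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def classify(packet):
    """Return the set of filter labels whose assumed condition the packet meets."""
    if len(packet) < 20:
        return {"packet-error"}
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        return {"packet-error"}

    hits = set()
    frag_offset = (flags_frag & 0x1FFF) * 8          # offset in bytes
    fragmented = bool(flags_frag & 0x2000) or frag_offset > 0

    if src == dst:                                   # assumed: source IP equals destination IP
        hits.add("land-attack")
    if ihl > 20:                                     # assumed: any IP options present
        hits.add("ip-option")
    if fragmented:                                   # assumed: any IP fragment
        hits.add("frag")
    if frag_offset + total_len > MAX_IP_LEN:         # assumed: reassembled size would overflow
        hits.add("ping-of-death")

    # TCP flags are only visible in the first fragment (offset 0).
    if proto == 6 and frag_offset == 0 and len(packet) >= ihl + 14:
        flags = packet[ihl + 13] & 0x3F
        if flags == 0:
            hits.add("tcp-no-flag")
        if flags & SYN and flags & FIN:
            hits.add("tcp-syn-fin")
        if flags & SYN and fragmented:
            hits.add("tcp-syn-frag")
    return hits


def tally(packets):
    """Count matches per filter label, similar in spirit to per-filter drop counters."""
    counts = Counter()
    for pkt in packets:
        counts.update(classify(pkt))
    return counts


# Constructed sample packets (documentation address ranges, RFC 5737).
A, B = "192.0.2.10", "198.51.100.5"
SAMPLES = {
    "normal SYN": build_ipv4(A, B, 6, build_tcp(SYN)),
    "same src/dst": build_ipv4(B, B, 6, build_tcp(SYN)),
    "no flags": build_ipv4(A, B, 6, build_tcp(0)),
    "SYN+FIN": build_ipv4(A, B, 6, build_tcp(SYN | FIN)),
    "fragmented SYN": build_ipv4(A, B, 6, build_tcp(SYN), more_frags=True),
    "IP options": build_ipv4(A, B, 6, build_tcp(ACK), options=b"\x01" * 4),
    "oversize fragment": build_ipv4(A, B, 1, b"\x00" * 100, frag_offset=8189),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} -> {sorted(classify(pkt)) or 'no match'}")
    print(dict(tally(SAMPLES.values())))
```

A single packet can match more than one filter, so per-filter counts can sum to more than the number of packets examined.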
This page displays hash entries for server certificates created by the ACOS
device for SSL intercept.
Optionally, you can filter the display to show only the entries for a specific
server IP address or name.
TABLE 39 Monitor Mode > SLB > Application > Hashed Certificate
Field | Description
Real Server | IP address and protocol port of the real server.
hit times | Number of times the hash entry has been used for subsequent requests to the server and port.
idle time | Number of seconds since the last “hit” on this cache entry.
expires after | Maximum number of seconds this entry can remain idle before being cleared from the table.
• Authentication
TABLE 42 Monitor Mode > Security > ACL > IPv4 ACL
Column | Description
ID/Name | ID or name of the ACL.
Usage/Remark/Content | Shows the following information:
  • Usage – Lists the system resources to which the ACL is applied. For example, if the ACL is applied to an Ethernet interface, the interface number is shown. Each system resource name in the list is a hyperlink. You can click on the resource name to navigate to the configuration page for that resource.
  • Remark – Shows the remark added to the ACL, if configured.
  • Content – Shows the rules defined in the ACL. The rules are shown in their CLI syntax.
Hits(data plane) | Number of times traffic has matched the ACL. Note: The Hits counter is not applicable to ACLs applied to the management port.
TABLE 43 Monitor Mode > Security > ACL > IPv6 ACL
Column | Description
Name | Name of the ACL.
Remark/Content | Shows the following information:
  • Remark – Shows the remark added to the ACL, if configured.
  • Content – Shows the rules defined in the ACL. The rules are shown in their CLI syntax.
Hits(data plane) | Number of times traffic has matched the ACL. Note: The Hits counter is not applicable to ACLs applied to the management port.
Note: Information is shown for the data interfaces only, not the out-of-band
management interfaces.
Statistics Table
Table 46 describes the columns in the table in the upper half of the page.
Statistics Graphs
By default, the following graphs are shown in the lower half of the page:
• Packet send and receive statistics
The graphs are for the currently selected interface only (by default,
Ethernet 1). To display graphs for a different interface, click on the row of
information for that interface in the table.
You can hide one or more of the graphs by deselecting the checkbox for the
graph. As soon as you deselect or reselect a graph, the GUI refreshes the
page to hide or redisplay the graph.
These selection fields do not affect the display of statistics in the table.
To display statistics for a longer time span, select the time span from the
drop-down list located above the Dropped column of the statistics table.
Note: To move the calendar popup, click on the bottom row of the calendar and
drag it.
2. Select the End Time using the calendar at the end of the End Time field.
Note: Statistics are available for only the most recent 30 days.
3. Click Go.
Refreshing Statistics
Clearing Statistics
To clear statistics, click Clear. The counters are returned to 0 and begin
incrementing again.
This page displays configuration information for the specified LACP trunk.
This page displays the entries in the ACOS device’s IPv4 ARP table.
TABLE 51 Monitor Mode > Network > ARP > IPv4 ARP
Column | Description
IP Address | IP address of the device.
MAC Address | MAC address of the device.
Type | Indicates whether the entry is static or dynamic.
Age | For dynamic entries, the number of seconds since the entry was last used.
State | State of the ARP entry. The state can be one of the following:
  • Incomplete
  • Reachable
  • Stale
  • Delay
  • Probe
  • Failed
  • No ARP
  • Permanent
  • None
Interface | AX interface through which the device that has the displayed MAC address and IP address can be reached.
VLAN ID | VLAN through which the device that has the MAC address can be reached.
TABLE 52 Monitor Mode > Network > ARP > IPv6 Neighbor
Column | Description
IPv6 Address | IP address of the device.
MAC Address | MAC address of the device.
Type | Indicates whether the entry is static or dynamic.
Age | For dynamic entries, the number of seconds since the entry was last used.
State | State of the ARP entry. The state can be one of the following:
  • Incomplete
  • Reachable
  • Stale
  • Delay
  • Probe
  • Failed
  • No ARP
  • Permanent
  • None
Interface | AX interface through which the device that has the displayed MAC address and IP address can be reached.
VLAN ID | VLAN through which the device that has the MAC address can be reached.
Monitor Mode > Network > Route > IPv4 Route Table
By default, IP routes of all types are displayed. To filter the display, select a
route type from the drop-down list above the Destination IP field.
TABLE 53 Monitor Mode > Network > Route > IPv4 Route Table
Column | Description
Destination IP | Subnet at the other end of the route.
Network Mask | Network mask for the subnet.
Next Hop | IP address of the router to which the ACOS device sends traffic to reach the destination subnet.
Interface | AX interface through which traffic is sent to the next hop.
Type | Origin of the route information:
  • Connected – The route is to a directly connected subnet.
  • OSPF – The route came from OSPF.
  • IS-IS – The route came from IS-IS.
  • Static – The route was manually configured by an ACOS device admin.
TABLE 54 Monitor Mode > Network > Route > IPv4 Forwarding
Column | Description
Prefix | Subnet at the other end of the route.
Next Hop | IP address of the router to which the ACOS device sends traffic to reach the destination subnet.
Interface | AX interface through which traffic is sent to the next hop.
Distance | Metric value (cost) of the route.
Index | Index number of this FIB entry.
TABLE 55 Monitor Mode > Network > Route > IPv6 Forwarding
Column | Description
Prefix | Subnet at the other end of the route.
Next Hop | IP address of the router to which the ACOS device sends traffic to reach the destination subnet.
Interface | AX interface through which traffic is sent to the next hop.
Distance | Metric value (cost) of the route.
This page lists the admin sessions that are currently active. Your session is
indicated by a blue dot next to the Start Time column.
The session that currently has write access is indicated by Yes in the Config
Mode column.
To clear a session, select the checkbox next to the session, and click Delete.
TABLE 56 Monitor Mode > System > Admin > Admin Session
Column | Description
Start Time | System time when the management session started.
User Name | Name of the AX admin who opened this session.
IP Address | IP address from which the admin logged in.
Config Mode | Indicates whether the admin currently has write access. Only one admin can have write access at a time.
Type | Indicates the management type the session is using: CLI, Web (GUI), or aXAPI.
Partition | Partition to which the admin is assigned. For admins with Partition Write, Partition Read, or Partition RS Operator privileges, the partition name is the name of the private partition to which the admin is assigned. For admins with Root, Read Write, or Read Only privileges, the partition name is “shared”, unless the admin has changed partitions. (See “System Partitions” on page 34.)
Role | Admin role assigned to the admin. The admin role specifies the type of access allowed for each GUI page. (See “Config Mode > System > Admin > Role” on page 446.)
This page lists the admin accounts that have been locked due to excessive
invalid login attempts.
To unlock an admin account, select the checkbox next to the admin name,
and click Unlock.
TABLE 57 Monitor Mode > System > Admin > Admin Locked
Column | Description
Name | Name of the AX admin.
Role | Admin role assigned to the admin. The admin role specifies the type of access allowed for each GUI page. (See “Config Mode > System > Admin > Role” on page 446.)
Current Partition | System partition the admin is locked out of.
Trusted Host | IP host or subnet address from which the admin must log in.
Lockout Time | If the account is locked, indicates how long the account has been locked.
Scheduled Unlock | Indicates how long the account will continue to be locked.
This page displays the system log (syslog). Messages in the ACOS device’s
local log buffer are displayed.
By default, messages of all log levels are displayed. To filter the display to
show messages of a specific level, select the message level from the drop-down
list above the Date/Time field.
4. Click Save.
3. Click Export.
6. Click Save.
3. Click Delete.
From this page, you can manage entries of saved AXDebug filter configurations
and quickly enable AXDebug filter configuration settings on the
ACOS.
• Click the Add button to be redirected to the AXDebug Capture page.
• Select one or more checkboxes and click Export to save the AXDebug
output.
TABLE 60 Monitor Mode > System > Diagnostics > AXDebug Config
Field | Description
File Name | Name of the AXDebug filter.
Timeout | Span of time that statistics are captured by the filter.
Count | Maximum number of packets the filter can capture.
Length | Packet length the filter can capture.
Incoming | Ethernet interfaces for incoming traffic.
Outgoing | Ethernet interfaces for outgoing traffic.
Filter ID | Identification number associated with the filter.
4. In the Packet Length field, specify the packet length to capture. You can
enter a value from 64 to 1518. The default is 1518.
6. In the Maximum Packets Per CPU field, enter the maximum number of
packets this filter will capture per CPU. You can enter a value from 0
to 65535. The default is 0.
7. Set a Timeout, in minutes, for the length of time that statistics are
captured. You can enter a value from 0 to 65535. The default is 5 minutes.
The Filter section provides options to configure the AXDebug filter and
apply identification values. See Table 61 for available options in this
section.
TABLE 61 Monitor Mode > System > Diagnostics > AXDebug Config
Field | Description | Supported Values
Config File Name | Name of the AXDebug filter. | String. Default: Not set
Filter ID | Identification number associated with the filter. | 1-32. Default: 1
Protocol | Selects a Layer 3 protocol and, optionally, protocol number or valid IPv4 or IPv6 address. The filter matches with the specified protocol. | One of the following: IP, IPv6, ARP, Neighbor, TCP, UDP, ICMP, ICMPv6, Number. Based on the selected protocol, you can configure the following: Protocol Number (1-65535); valid IPv4 or IPv6 address. Default: IP
IP Address/Netmask | Matches on the specified IPv4 or IPv6 address. | IPv4 or IPv6 address. Default: Not set
Port | Matches on the specified range of protocol port numbers. | The start and end of the range can be a value of 1-65535. Default: 1 to 65535
TABLE 61 Monitor Mode > System > Diagnostics > AXDebug Config
Field Description Supported Values
Offset Match on the specified length of bytes and value of those bytes The starting position
within the packet. Each text box for input corresponds to a dif- can be 1-65535 bytes.
ferent parameter: The beginning and end
• The first ext box, farthest to the left, is the starting position of the filter range can
within the packet. be 1-65535 bytes.
• The second text box, in the center, is the beginning of the The operator can be one
range for consecutive bytes to filter. of the following:
• The third text box, farthest to the right, is the end of the range • <
for consecutive bytes to filter. • <=
• >
• >=
• =
• Range
Default: 1 length 1 < 1
9. When you are satisfied with your configuration, select one of the
following options:
• Capture – Saves the AXDebug file and redirects you to the AXDebug File
page. The new entry appears in the AXDebug File table display.
• Save Config File – Saves the AXDebug file and immediately applies the
configuration. The entry appears in the AXDebug File table display.
The ACOS device periodically generates files that contain system and
diagnostic information. These files are referred to as “techsupport” files,
and are used by A10 Networks technical support when helping to resolve
system issues.
3. Click Export.
6. Click Save.
3. Click Delete.
This page displays global virtual chassis parameters, and lists the current
role (vMaster or vBlade) of each device in the virtual chassis.
This page displays High Availability (HA) status information for the ACOS
device.
This page displays High Availability (HA) statistics for the ACOS device.
This page monitors heartbeat messages and lists the Set IDs that are
observed on the network. Refresh this page to reflect the current Set IDs.
The Host ID helps to identify the peer devices that are learned through
heartbeat messages. The Host ID indicates which devices are configured as
VRRP-A peers.
Config Mode
The Config Mode is where you can view and change the configuration of
the ACOS device.
Note: For information about GSLB configuration options, see “Config Mode –
GSLB Service Options” on page 308.
Config Modules
The Config Mode offers the following sub-modules for setting
A10 Thunder Series and AX Series network and performance parameters:
• Get Started
• SLB
• GSLB
• Security
• IP Source NAT
• Network
• System
• Destination IP Persistence
• Source IP Persistence
• SSL Session ID Persistence
• SSL
• Client SSL
• Server SSL
• SSL Cipher
• TCP Proxy
• Site
• Service IP
• DNS Proxy
• Geo-location
• Policy
• Global
Config Mode > Security
• WAF
• Bind
• Template
• Definition
• Authentication
• Global
• Bind
• Template
• Server
• Logon
• Relay
• Portal
• Template
• Policy
• DNS Firewall
• Network
• ACL
• DDos Protection
• ICMP Rate Limiting
Config Mode > Network
• Interface
• LAN
• Management
• Transparent
• Virtual
• Trunk
• LACP
• VLAN
• VLAN
• MAC
• Global
• ARP
• IPv4
• IPv6 Neighbor
• Global
• Route
• IPv4 Static
• IPv6 Static
• DNS
• BPDU-Fwd-Group
Config Mode > System
• Settings
• Web
• Web Certificate
• Access Control
• Time
• Terminal
• Log
• General
• Boot
• Action
• Admin
• Administrator
• Partition
• Role
• Object Access Control
• Lockout Policy
• External Authentication
• Change Password
• SNMP
• Maintenance
• Upgrade
• Backup
• Restore
• License
• Console
• Config File
• aVCS
• General
• Settings
Config Mode > IP Source NAT
• IPv4 Pool
• IPv6 Pool
• Group
• ACL Bind
• Interface
• NAT Range
• Static NAT
• Global
This chapter describes the options under Get Started. For information about
the other Config options, see the following:
• “Config Mode – SLB Options” on page 149
• Smart Template
Note: For information about GSLB Easy Config, see “GSLB Easy Config” on
page 299.
For information about the system settings, see the following sections:
• Management IP address and default gateway – See “Config Mode >
Network > Interface > Management” on page 404.
• Admin and enable passwords – See “Config Mode > System > Admin
> Administrator” on page 442.
• Time/Date settings – See “Config Mode > System > Settings > Time”
on page 461.
• DNS hostname, suffix, and servers – See “Config Mode > Network >
DNS” on page 418.
• SNMP state, community string, and trap state – See “Config Mode >
System > SNMP” on page 463.
• External syslog server – See “Config Mode > System > Settings >
Log” on page 427.
• Static route – See “Config Mode > Network > Route” on page 416.
The GUI uses the input you provide to create the SLB resources required for
implementing the application. These resources include real and virtual
server configurations, service groups, health monitors, IP NAT pools (if
applicable), and other templates related specifically to these resources.
Note: Deleting an application created using a smart template does not delete the
individual SLB resources created for the application.
Table 67 lists the smart templates available in this release. The SSL column
indicates whether you will need to either create a self-signed certificate, or
import an SSL server certificate and key, before using the smart template.
Creating an Application
1. If the application you plan to create requires an SSL server certificate
and key, create a self-signed certificate, or import the certificate and key
onto the ACOS device. (See “Config Mode > SLB > SSL Management”
on page 289.)
2. Select Config Mode > Get Started > Smart Template > .
3. Select the smart template for the type of application you plan to create.
(See Table 67 on page 138.)
6. Enter the virtual port number in the Virtual Server Port field.
7. Select a radio button for the virtual port type in the Virtual Server Port
Type field.
8. If SSL is required, select the certificate and key from the Cert and Key
drop-down lists.
To use a self-signed certificate, select the certificate name in both the
Cert and Key drop-down lists.
Note: If SSL is optional, first select Yes next to Using SSL to display the Cert
and Key selection fields.
Note: If IP source NAT is optional, first select Yes next to Using NAT to display
the input fields.
10. In the Server section, enter information about the real servers:
• Server – Enter or select the IP address of the real server.
• Port – Enter the protocol port number on the real server.
Click Add. Repeat for each server.
11. Click OK. The GUI creates the SLB resources for the application and
displays them in a list.
To view or modify a resource, select the Customize checkbox, then click
on its name in the Detail list. When the configuration page for the
resource is listed, click Help to access information about the
configuration options. (For more information, see “Customizing an
Application Configuration” on page 146.)
12. Click Return. The new application appears in the application list.
(To access this list later, select Config Mode > Get Started > Smart
Template.)
Configuration Example
The example GUI pages in the following figures configure an HTTP load
balancing application.
First, click the Create icon and select the name of a smart template for the
application you want to configure.
FIGURE 17 Config Mode > Get Started > Smart Template - Create
Click OK.
The following configuration sections are displayed when you click Add or
click on a virtual server name.
• General
• Port
The Health column indicates the health of the virtual servers. Place the
mouse cursor over a health icon for more information.
You can view or edit the configuration of a virtual port directly from the list
of virtual servers. Click on the Edit icon next to the virtual server
name. Clicking on the icon displays a list of the virtual ports configured on
the virtual server. (See Figure 24.) To access the configuration page for a
virtual port, click on the port number.
All configured virtual services are listed on the Virtual Service page, regard-
less of the GUI option used to configure them.
To configure a new virtual service, click Add. To edit an existing one, click
on the virtual service name.
This option displays the configured service groups. To access the
configuration page, click Add or click on a service group name.
The following configuration sections are displayed when you click Add or
click on a real server name.
• General
• Port
The Health column indicates the health of the server. Place the mouse cursor
over the health icon for more information.
The Template pages enable you to display and configure configuration
templates for real servers, real ports, virtual servers, and virtual ports.
Some of the parameters that can be set using a template can also be set or
changed on the individual server or port.
• If a parameter is set (or changed from its default) in both a template and
on the individual server or port, the setting on the individual server or
port takes precedence.
• If a parameter is set (or changed from its default) in a template but is not
set or changed from its default on the individual server or port, the
setting in the template takes precedence.
To view and configure server and port templates, select the following
options:
• Template > Server
The default settings in the templates are the same as the default settings for
the parameters that can be set in the templates.
If you are upgrading an ACOS device that has a configuration saved under a
previous release, the default server and port templates are automatically
bound to (applied to) the servers and ports in the configuration. This does not
change the configuration or operation of the servers and ports themselves,
since the default server and port templates use the default settings for all
parameters, unless overridden by parameter settings on the individual
servers and ports.
Caution: Before changing a default template, make sure the changes you plan
to make are applicable to all servers or ports that use the template.
Config Mode > SLB > Service > Template > Server
The Server Template page lists the configured server templates. This page is
displayed when you click Add or click on a server template name.
Config Mode > SLB > Service > Template > Server Port
The Server Port Template page lists the configured server port templates.
This page is displayed when you click Add or click on a server port
template name.
Table 72 lists the server port template parameters you can configure.
Config Mode > SLB > SLB > Template > Virtual Server
The Virtual Server Template page lists the configured virtual server
templates. This page is displayed when you click Add or click on a virtual
server template name.
Table 73 lists the virtual server template parameters you can configure.
Config Mode > SLB > Service > Template > Virtual Server Port
The Virtual Server Port Template page lists the configured virtual server
port templates. This page is displayed when you click Add or click on a
virtual server port template name.
Table 74 lists the virtual server port template parameters you can configure.
This page enables you to import or configure a class list for IP limiting or
DNS caching.
To edit a class list, click on the class list name. (See “Editing a Class List in
the GUI” on page 203.)
The following sections describe the IP limiting and DNS caching features
and how to configure them.
IP Limiting
IP limiting enables you to limit client traffic. Separate limits can be
configured for each of the following:
• Concurrent connections
• Connection rate
Note: In the current release, Layer 7 request limiting applies only to the HTTP,
HTTPS, and fast-HTTP virtual port types.
Using class lists, you can configure different classes of clients, and apply a
separate set of IP limits to each class. You also can exempt specific clients
from being limited.
The ACOS device can support up to 255 class lists. Each class list can
contain up to 8 million host IP addresses and 64,000 subnets.
Note: The age option applies only to host entries (IPv4 /32 or IPv6 /128). The
age option is not supported for subnet entries.
Note: If you use a class-list file that is periodically re-imported, the age for
class-list entries added to the system from the file does not reset when the
class-list file is re-imported. Instead, the entries are allowed to continue
aging normally. This is by design.
• ; comment-string – Contains a comment. Use a semi-colon ( ; ) in front
of the comment string.
Note: The ACOS device discards the comment string when you save the class
list.
IP Address Matching
By default, the ACOS device matches class-list entries based on the source
IP address of client traffic. Optionally, you can match based on one of the
following instead:
• Destination IP address – Matches based on the destination IP address
instead of the source IP address.
• IP address in HTTP request – Matches based on the IP address in a
header in the HTTP request. You can specify the header when you
enable this option.
DNS Caching
DNS caching per-VIP enables you to tightly control caching behavior. You
can configure the following:
• DNS caching on per-VIP basis
Parameters for DNS caching per VIP are configured in the following places:
• Class list (See “Config Mode > SLB > Service > Class List” on
page 196.)
• DNS Firewall template (See “Config Mode > Security > Template >
DNS Firewall” on page 369.)
4. In the Name field, enter the filename to use for the imported class list.
7. Click Open. The path and filename appear in the Source field. Go to
step 10.
8. To use the management interface as the source interface for the
connection to the remote device, select Use Management Port. Otherwise, the
ACOS device will attempt to reach the remote server through a data
interface.
9. Select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.
10. In the Host field, enter the directory path and filename.
11. If needed, change the protocol port number in the port field. By default,
the default port number for the selected file transfer protocol is used.
12. In the Location field, specify the directory path and filename.
13. In the User and Password fields, enter the username and password
required for access to the remote server.
3. Click Add.
Note: If the class list contains 100 or more entries, it is recommended to use the
File option.
A class list can be exported only if you use the File option.
7. If you select Explicit, you can configure class entries of the following
types:
• String – To create a class list with string entries, perform step 8.
• IP Address – To create a class list with IP address entries, perform
step 9.
• DNS – To create a class list with DNS caching, perform step 10.
If you select Implicit, only the IP Address and DNS options are avail-
able.
Note: Make sure to use the same number when you configure the IP limiting
rule.
d. To make the entry temporary, assign an age to the entry. You can
specify 1-2000 minutes. The entry is removed from the class list
after the age expires.
e. Click Add.
f. Repeat for each entry.
g. Click OK.
Note: The Age option applies only to host entries (IPv4 /32 or IPv6 /128). The
Age option is not supported for subnet entries.
4. Click OK.
Note: You can directly edit a class list’s text in the GUI only if the class list was
saved to a standalone file (File option), not to the configuration file
(Config option).
If the GUI input fields for the class list appear, instead of the file text,
either the configuration has not been saved since the class list was created,
or the class list was written to the configuration file instead of a
standalone file.
Note: The request limit and request-rate limit options, when configured in a
policy template, are applicable only in policy templates that are bound to
virtual ports. These options are not applicable in policy templates bound to
virtual servers (rather than individual ports), or in policy templates used
for system-wide PBSLB.
The request limit and request-rate limit options apply only to HTTP,
fast-HTTP, and HTTPS virtual ports. The over-limit logging, when used with
the request-limit or request-rate-limit option, always lists Ethernet port 1
as the interface.
Match IP Address
By default, the ACOS device matches class-list entries based on the source
IP address of client traffic. Optionally, you can match based on one of the
following instead:
• Destination IP address – matches based on the destination IP address in
packets from clients.
• IP address in client packet header – matches based on the IP address in
the specified header in packets from clients. If you do not specify a
header name, this option uses the IP address in the X-Forwarded-For
header.
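The class-list behavior described in the IP Address Matching and Match IP Address sections, modeled as an added example (this is not A10 code). It covers host and subnet entries, the 1-2000 minute age on host entries only, and the choice of source, destination, or header address as the lookup key. Assumptions: the most specific entry wins, the first address of a comma-separated header value is used, and the request dictionary shape and all sample addresses are constructed for the example.

```python
import ipaddress

DEFAULT_HEADER = "X-Forwarded-For"  # used when no header name is specified


class ClassList:
    """In-memory model of a class list: host and subnet entries mapped to a limit ID."""

    def __init__(self):
        self._entries = []  # (network, limit_id, expiry minute or None)

    def add(self, cidr, limit_id, age=None, now=0):
        net = ipaddress.ip_network(cidr, strict=True)
        if age is not None:
            # Age applies only to host entries (IPv4 /32 or IPv6 /128).
            if net.prefixlen != net.max_prefixlen:
                raise ValueError(f"age is not supported for subnet entry {cidr}")
            if not 1 <= age <= 2000:
                raise ValueError("age must be 1-2000 minutes")
        expires = None if age is None else now + age
        self._entries.append((net, limit_id, expires))

    def lookup(self, address, now=0):
        """Return the limit ID for an address, or None if no live entry covers it."""
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            return None  # header values are free text and may not be an address
        # Entries whose age has expired are removed from the list.
        self._entries = [e for e in self._entries if e[2] is None or now < e[2]]
        hits = [e for e in self._entries if e[0].version == ip.version and ip in e[0]]
        if not hits:
            return None
        # Assumption: the most specific (longest-prefix) entry wins.
        return max(hits, key=lambda e: e[0].prefixlen)[1]


def match_address(request, match_on="source", header_name=None):
    """Pick the address that is looked up in the class list."""
    if match_on == "source":
        return request["src"]
    if match_on == "destination":
        return request["dst"]
    if match_on == "header":
        wanted = (header_name or DEFAULT_HEADER).lower()
        for name, value in request.get("headers", {}).items():
            if name.lower() == wanted:
                # Assumption: use the first address of a comma-separated value.
                return value.split(",")[0].strip()
        return None
    raise ValueError(f"unknown match mode {match_on!r}")


def classify(class_list, request, match_on="source", header_name=None, now=0):
    address = match_address(request, match_on, header_name)
    return None if address is None else class_list.lookup(address, now)


def build_sample():
    """Constructed class list for the example."""
    cl = ClassList()
    cl.add("10.0.0.0/8", limit_id=1)              # subnet entry
    cl.add("10.1.2.3/32", limit_id=2)             # host entry with its own limits
    cl.add("203.0.113.7/32", limit_id=3, age=30)  # temporary host entry
    cl.add("2001:db8::/32", limit_id=4)           # IPv6 subnet entry
    return cl


# Constructed request. The header value is set by whoever sent or relayed the
# request, so source matching and header matching can classify it differently.
SAMPLE_REQUEST = {
    "src": "192.0.2.10",
    "dst": "198.51.100.80",
    "headers": {"X-Forwarded-For": "10.1.2.3, 192.0.2.10"},
}

if __name__ == "__main__":
    cl = build_sample()
    for mode in ("source", "destination", "header"):
        print(mode, "->", classify(cl, SAMPLE_REQUEST, mode))
```

With source matching the sample request falls into no class, while header matching places it in the class of 10.1.2.3, so header matching is only as trustworthy as the device that sets the header.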
Note: The Source NAT Pool option is applicable only to transparent traffic, not
to SLB traffic.
Config Mode > SLB > Service > Global > Settings
Config Mode > SLB > Service > Global > Monitor Resource
From this page you can configure thresholds for Symmetric Multi-
Processing (SMP) resources. SMP resources are allocated from the global
connection session memory pool across the ACOS device’s CPUs and used
for multiple features (source IP persistence, SSL encryption, and so on).
The options on this page allow you to administratively cap the use of SMP
resources on a global scale, and by individual CPU, to improve system
performance and reduce the risk of system outage.
Based on the SMP resource needs of a feature, the ACOS device partitions
global memory resources into different pool sizes and allocates the smallest
pool of memory necessary for the feature. You can limit the allocation of
SMP resources, globally or per CPU, by the following size types:
• Type0 – 32 bytes
• Type1 – 64 bytes
• Type2 – 128 bytes
• Type3 – 256 bytes
• Type4 – 512 bytes
When a type of pool size is in use, even partially, the global memory is
reduced by the amount for that pool type. The memory is added back into the
global memory pool only when the entire pool type is freed.
• SMP Type0 to Type4 – Limits use of the total global memory
resource pool.
• Conn Type0 to Type4 – Limits use of the global memory by individ-
ual CPU.
For each field on this page, you can enter a value from 32767 to
256000000 (256 million). The default is 32767.
Config Mode > SLB > Service > Global > Log Rate Limiting
This page enables you to configure rate-limiting settings for logging.
Config Mode > SLB > Template > Application > HTTP
The following configuration sections are displayed when you click Add or
click on a template name.
• HTTP
• Header Erase
• Header Insert
• App Switching
• Redirect Rewrite
• Compression
Config Mode > SLB > Template > Application > RAM Caching
The RAM Caching and Policy sections are displayed when you click Add or
click on a template name.
Table 78 lists the parameters you can configure in RAM Caching templates.
Notes:
• If a URI matches the pattern in more than one policy rule, the rule with the most specific match is used.
• In the current release, matching is performed based on containment. All URIs that contain the pattern string
match the rule. For example, the following policy matches all URIs that contain the string “.jpg” and sets the
cache timeout for the matching objects to 7200 seconds: policy uri .jpg cache 7200
• Wildcard characters (for example: ? and *) are not supported in RAM Caching policies. For example, if the
string pattern contains “*”, it is interpreted literally, as the “*” character.
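The matching rules in the notes above, as an added example (not A10 code) that parses rules of the form shown and reports which rule applies to a URI. Assumptions: "most specific" is taken to mean the longest matching pattern, the URI that is matched includes the query string, and every rule and URI other than `policy uri .jpg cache 7200` is constructed for the example.

```python
from urllib.parse import urlsplit

# First rule is the one quoted in the notes; the rest are constructed.
SAMPLE_RULES = [
    "policy uri .jpg cache 7200",
    "policy uri /static/ cache 3600",
    "policy uri /static/logo.jpg cache 86400",
    "policy uri *.png cache 600",
]

# Constructed URIs.
SAMPLE_URIS = [
    "/static/logo.jpg",
    "/photos/cat.jpg",
    "/img/a.png",
    "/img/*.png",
    "/reports/summary.jpg.html",
    "/view?file=cat.jpg",
]


def parse_policy(line):
    """Parse one rule of the form 'policy uri <pattern> cache <seconds>'."""
    parts = line.split()
    if len(parts) != 5 or parts[:2] != ["policy", "uri"] or parts[3] != "cache":
        raise ValueError(f"unsupported rule: {line!r}")
    return parts[2], int(parts[4])


def match_rule(uri, rules):
    """Return the (pattern, timeout) rule that applies to uri, or None.

    Matching is by containment, and '*' and '?' are ordinary characters.
    Assumption: the most specific match is the longest matching pattern.
    """
    hits = [rule for rule in rules if rule[0] in uri]
    return max(hits, key=lambda rule: len(rule[0])) if hits else None


def review_matches(rules, uris):
    """List (uri, pattern) pairs where an extension-style pattern (one that
    starts with '.') matched a URI whose path does not end with it, i.e.
    where containment cached more than an extension check would."""
    findings = []
    for uri in uris:
        rule = match_rule(uri, rules)
        if rule and rule[0].startswith(".") and not urlsplit(uri).path.endswith(rule[0]):
            findings.append((uri, rule[0]))
    return findings


if __name__ == "__main__":
    rules = [parse_policy(line) for line in SAMPLE_RULES]
    for uri in SAMPLE_URIS:
        print(f"{uri:28} -> {match_rule(uri, rules)}")
    print("review:", review_matches(rules, SAMPLE_URIS))
```

Running `review_matches` over a sample of real request URIs before deploying a rule shows which objects a short pattern such as `.jpg` would cache beyond the intended image files.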
Config Mode > SLB > Template > Application > SMTP
The following configuration sections are displayed when you click Add or
click on a template name.
• SMTP
Config Mode > SLB > Template > Application > SIP
The SIP configuration section is displayed when you click Add or click on a
template name.
Config Mode > SLB > Template > Application > RTSP
This option displays the configured RTSP templates.
The RTSP configuration section is displayed when you click Add or click
on a template name.
Config Mode > SLB > Template > Application > Diameter
Notes:
• To place the message duplication configuration into effect, you must
unbind the Diameter template from the Diameter virtual port, then rebind
it.
• A Diameter template in which message duplication is configured can be
bound to only a single virtual port.
Field: AVP
Description: Custom AVP values to insert into Capabilities-Exchange-Request
messages sent by the ACOS device to Diameter servers.
For each custom AVP value to insert, you must specify the following
information:
• Code – Diameter AVP number.
The Mandatory option sets the AVP mandatory flag on. By default, this flag
is off (not set).
• Type – Specifies the data format of the value to insert. You can select
INT32, INT64, or String.
• Value – Specifies the value to insert.
You can add up to 6 custom AVPs.
Default: Not set
Config Mode > SLB > Template > Application > Logging
This option displays the configured logging templates. You can use logging
templates to send logs over TCP to external servers. This feature can be
useful for external HTTP logging for HTTP load-balanced traffic and for
content served from the ACOS RAM cache.
Config Mode > SLB > Template > Application > External Service
This option displays the configured external-service templates. You can use
external-service templates for steering traffic to external servers for
additional processing, based on application. For example, external-service
templates enable deployment of ACOS for the following solutions:
• Redirection of Internet Content Adaptation Protocol (ICAP) traffic, such
as Skyfire Rocket Optimizer traffic
• Redirection of traffic to external URL filtering servers
Config Mode > SLB > Template > Application > FIX
Config Mode > SLB > Template > Application > SMPP
The SMPP Template configuration section is displayed when you click Add
or click on a template name.
Config Mode > SLB > Template > Application > DBLB
The Connection Reuse section is displayed when you click Add or click on
a template name.
Table 88 lists the parameters you can configure in connection reuse
templates.
Note: Due to the way the connection-reuse feature operates, backend sessions
with servers will not be reused in either of the following cases:
• The Limit Per Server option is set to a very low value, lower than the
number of data CPUs on the ACOS device.
• The Keep Alive Connections option is set to a lower value than the
limit-per-server option.
The TCP section is displayed when you click Add or click on a template
name.
The UDP section is displayed when you click Add or click on a template
name.
Config Mode > SLB > Template > Persistent > Cookie Persistence
The Cookie Persistence section is displayed when you click Add or click on
a template name.
Table 91 lists the parameters you can configure in cookie persistence
templates.
Config Mode > SLB > Template > Persistent > Destination IP Persistence
Config Mode > SLB > Template > Persistent > Source IP Persistence
The Source IP Persistence section is displayed when you click Add or click
on a template name.
Config Mode > SLB > Template > Persistent > SSL Session ID Persistence
The SSL Session ID Persistence section is displayed when you click Add or
click on a template name.
Table 94 lists the parameters you can configure in SSL session-ID
persistence templates.
Config Mode > SLB > Template > SSL > Client SSL
The following configuration sections are displayed when you click Add or
click on a template name.
• Client SSL
• SSL Cipher
Table 95 lists the parameters you can configure in client SSL templates.
Config Mode > SLB > Template > SSL > Server SSL
The following configuration sections are displayed when you click Add or
click on a template name.
• Server SSL
• SSL Cipher
Table 96 lists the parameters you can configure in Server SSL templates.
Config Mode > SLB > Template > SSL > SSL Cipher
Beginning in this release, you have the option to assign a priority value to
each cipher in the SSL Cipher template. In this case, the ACOS device tries
to use the ciphers based on priority. If the client supports the cipher that has
the highest priority, that cipher is used. If the client does not support the
highest-priority cipher, the ACOS device attempts to use the cipher that has
the second-highest priority, and so on.
More than one cipher can have the same priority. In this case, the strongest
(most secure) cipher is used.
Note: An SSL cipher template takes effect only when you apply it to a client-
SSL template or server-SSL template.
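The priority-based selection described above, as an added example (not A10 code) that picks the cipher for a given client and lists the clients that would still end up on a weak cipher. Assumptions: a larger number means a higher priority, the strength ranking is constructed, and the cipher names are IANA cipher suite names rather than the names shown in the ACOS GUI.

```python
# Relative strength rank, higher = stronger. Constructed for this example;
# the ranking the ACOS device applies is not given in this document.
STRENGTH_RANK = {
    "TLS_RSA_WITH_AES_256_CBC_SHA": 4,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 3,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 2,
    "TLS_RSA_WITH_RC4_128_SHA": 1,
}

# Constructed cipher template: cipher name -> priority.
SAMPLE_TEMPLATE = {
    "TLS_RSA_WITH_AES_256_CBC_SHA": 10,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 10,   # same priority as AES-256
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 5,
    "TLS_RSA_WITH_RC4_128_SHA": 1,
}

# Constructed client profiles: the ciphers each client supports.
SAMPLE_CLIENTS = {
    "modern": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
               "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "legacy": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "rc4-only": ["TLS_RSA_WITH_RC4_128_SHA"],
    "no-overlap": ["TLS_RSA_WITH_NULL_SHA"],
}


def select_cipher(template, client_ciphers):
    """Return the cipher used for a client, or None if there is none in common.

    The highest-priority cipher the client supports is used; among ciphers
    of equal priority, the strongest one is used.
    """
    supported = set(client_ciphers)
    usable = [name for name in template if name in supported]
    if not usable:
        return None
    return max(usable, key=lambda name: (template[name], STRENGTH_RANK.get(name, 0)))


def below_floor(template, clients, floor):
    """Return {client: cipher} for clients whose selected cipher ranks below floor.

    Priority only orders the ciphers. A low-priority cipher left in the
    template is still used for any client that supports nothing better.
    """
    result = {}
    for client, ciphers in clients.items():
        chosen = select_cipher(template, ciphers)
        if chosen is not None and STRENGTH_RANK.get(chosen, 0) < floor:
            result[client] = chosen
    return result


if __name__ == "__main__":
    for client, ciphers in SAMPLE_CLIENTS.items():
        print(f"{client:11} -> {select_cipher(SAMPLE_TEMPLATE, ciphers)}")
    print("below floor 3:", below_floor(SAMPLE_TEMPLATE, SAMPLE_CLIENTS, floor=3))
```

To keep a weak cipher from being negotiated at all, leave it out of the template instead of giving it a low priority.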
2. Click Add.
6. Click Add.
8. Click OK.
To place the cipher template into effect, bind it to a client-SSL or server-
SSL template. The cipher template then applies to clients that access virtual
ports that use the client-SSL or server-SSL template.
The TCP Proxy section is displayed when you click Add or click on a
template name.
You can configure health methods on the ACOS device by configuring
settings for the type of service you are monitoring. You also can configure
health monitors externally using Tcl scripts and import the monitors for use
by the ACOS device.
Config Mode > SLB > Health Monitor Mode > Health Monitor
The following configuration sections are displayed when you click Add or
click on a health monitor name.
• Health Monitor
• Method
Note: In the Method section, you can select Internal or External. Leave the
method set to Internal if you want to configure a method using method
settings available on the ACOS device. In this case, select the service type
from the Type drop-down list.
To use an imported script as the method, click External.
To enter an operator:
1. Click the radio button next to the list of operators.
2. Select the operator.
3. Click Add.
Config Mode > SLB > Health Monitor > External Program
This page allows you to create an external program for use as a health
monitor.
Enter a name and description for the monitor, then copy and paste the script
into the Definition field and click OK. The name must end with “.tcl”.
Config Mode > SLB > Health Monitor > Health HTTP Post File
This page allows you to import a file containing POST data to use with an
HTTP or HTTPS health check. Use this option if you need to use a POST
data payload longer than 255 bytes. An imported POST data file can contain
a payload of up to 2 Kbytes.
3. Click Open. The path and filename appear in the Source field. Go to
step 10.
4. To use the management interface as the source interface for the
connection to the remote device, select Use Management Port. Otherwise, the
ACOS device will attempt to reach the remote server through a data
interface.
5. Select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.
7. If needed, change the protocol port number in the port field. By default,
the default port number for the selected file transfer protocol is used.
9. In the User and Password fields, enter the username and password
required for access to the remote server.
Config Mode > SLB > Health Monitor Mode > Global
This page enables you to globally change the default settings for health
monitor parameters.
Globally changing a health monitor parameter changes the default for that
parameter. For example, if you globally change the interval from 5 seconds
to 10 seconds, the default interval becomes 10 seconds.
Note: Global health monitor parameter changes automatically apply to all new
health monitors configured after the change. To apply a global health
monitor parameter change to health monitors that were configured before
the change, you must reboot the ACOS device.
Table 100 lists the health monitor parameters you can globally change.
3. In the Name field, enter the name to use for the imported list.
7. To use the management interface as the source interface for the
connection to the remote device, select Use Management Port. Otherwise, the
ACOS device will attempt to reach the remote server through a data
interface.
8. Select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.
10. If needed, change the protocol port number in the port field. By default,
the default port number for the selected file transfer protocol is used.
11. In the Location field, specify the directory path and filename.
12. In the User and Password fields, enter the username and password
required for access to the remote server.
Click Add or the name of an existing aFleX policy to display the aFleX
configuration page.
From this page, enter the name for the policy, and copy or modify the script
in the Definition field. Click OK to confirm your configuration.
3. Click OK.
4. The aFleX script table reappears. If the script still contains syntax errors,
the errors are displayed above the table.
Beginning with ACOS Release 2.7.0, you can export SSL certificates in the
following formats:
• PEM
In addition to these formats, you also have the option to export an SSL
Certificate as a PKCS #7 (P7B) file.
3. Click Create.
6. Enter the rest of the certificate information in the remaining fields of the
Certificate section.
Note: If you need to create a wildcard certificate, use an asterisk as the first part
of the common name. For example, to create a wildcard certificate for
domain example.com and its sub-domains, enter the following common
name: *.example.com
7. From the Key Size drop-down list, select the length (bits) for the key.
8. Click OK. The ACOS device generates the self-signed certificate and its
key. The new certificate and key appear in the certificate list. The
certificate is ready to be used in client-SSL and server-SSL templates.
3. Click Create.
Note: If you need to create a request for a wildcard certificate, use an asterisk as
the first part of the common name. For example, to request a wildcard
certificate for domain example.com and its sub-domains, enter the following
common name: *.example.com
7. Enter a passphrase.
8. From the Key Size drop-down list, select the length (bits) for the key.
9. Click OK. The ACOS device generates the certificate key and the
certificate signing request (CSR), and displays the CSR. The CSR is
displayed in the Request Text field.
Note: If the browser security settings normally block downloads, you may need
to override the setting. For example, in IE, hold the Ctrl key while
clicking Download.
b. Click Save.
c. Navigate to the save location.
d. Click Save again.
Note: If you prefer to copy-and-paste the CSR, make sure to include everything,
including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END
CERTIFICATE REQUEST-----”.
11. When you receive the certificate from the CA, import it onto the ACOS
device. (See “Importing a Certificate and Key” below.)
Note: If you are importing a CA-signed certificate for which you used the
ACOS device to generate the CSR, you do not need to import the key. The
key is automatically generated on the ACOS device when you generate
the CSR.
1. Select Config Mode > SLB > SSL Management, if not already selected.
2. On the menu bar, select Certificate. (This option also applies to
certificate chain files.)
3. Click Import.
4. In the Name field, enter a name for the certificate or key. This is the
name you will refer to when adding the certificate or key to a client-SSL
or server-SSL template.
7. Click Open. The path and filename appear in the Source field. Go to
step 15.
8. To use the management interface as the source interface for the connec-
tion to the remote device, select Use Management Port. Otherwise, the
ACOS device will attempt to reach the remote server through a data
interface.
9. To copy-and-paste the certificate file directly into the GUI, select Text
next to Import Certificate From (if not already selected), then copy-and-
paste the certificate into the Content field. Go to step 15.
11. Select the file transfer protocol: HTTP, HTTPS, FTP, TFTP, RCP, SCP,
or SFTP.
12. In the URL field, enter the directory path and filename.
13. If needed, change the protocol port number in the Port field. By default,
the default port number for the selected file transfer protocol is used.
14. In the User and Password fields, enter the username and password
required for access to the remote server.
15. Next to Import Key from, select the source for the key:
• Local – The key is on the PC you are using to run the GUI, or is on
a PC or server in the local network.
• Remote – The key is on a remote server.
• Text – You plan to copy-and-paste the text of the key directly into a
field on the GUI page.
16. Depending on the option you selected in step 15, specify the import set-
tings or copy-and-paste the key into the Content field.
3. Select the certificate. (Click the checkbox next to the certificate name.)
4. From the Export Format drop-down menu, select the certificate format:
PEM, DER, or PFX.
5. Click Export.
Note: If the browser security settings normally block downloads, you may need
to override the setting. For example, in IE, hold the Ctrl key while click-
ing Export.
6. Click Save.
Config Mode > SLB > SSL Management > Cert Revocation List
The Cert Revocation List page enables you to manage Certificate Revoca-
tion Lists (CRLs).
Importing a CRL
You can locally import a CRL. Place it on the PC that is running the GUI or
CLI session, or onto a PC or file server that can be locally reached over the
network.
1. Select Config Mode > SLB > SSL Management, if not already selected.
3. Click Import.
6. Click Open. The path and filename appear in the Source field. Go to
step 12.
7. To use the management interface as the source interface for the connec-
tion to the remote device, select Use Management Port. Otherwise, the
ACOS device will attempt to reach the remote server through a data
interface.
8. Select the file transfer protocol: HTTP, HTTPS, FTP, TFTP, RCP, SCP,
or SFTP.
10. If needed, change the protocol port number in the Port field. By default,
the default port number for the selected file transfer protocol is used.
11. In the User and Password fields, enter the username and password
required for access to the remote server.
Exporting a CRL
1. Select Config Mode > SLB > SSL Management, if not already selected.
3. Select the CRL. (Click the checkbox next to the CRL name.)
4. Click Export.
Note: If the browser security settings normally block downloads, you may need
to override the setting. For example, in IE, hold the Ctrl key while click-
ing Export.
5. Click Save.
Config Mode > SLB > SSL Management > Expiration Mail
This page enables you to configure the ACOS device to send email notifica-
tion when an SSL certificate is about to expire. This feature sends a daily
email listing the certificates that are about to expire or that have recently
expired.
2. In the Email Address field, enter the email addresses to which to send
the notifications. You can specify up to 2 email addresses. Use a space
between them.
3. In the Before field, specify how many days before expiration to begin
sending notification emails. You can specify 1-5. The default is 5.
4. In the Interval field, specify how many days after expiration to continue
sending notification emails. You can specify 1-5. The default is 2.
6. Click OK.
Search for SLB objects that share a relationship with a virtual server in a
particular network using the following relationship sequence: From a Vir-
tual Server to a Virtual Server Port or a Service Group, to a Server.
Note: The search field supports partial matches, but does not support wildcard
characters.
2. Use filters to sort the information you wish to view. Specify a maximum
of 5 filters:
a. From the drop-down list to the right of Virtual Server, search for
information on SLB objects such as Virtual Servers, Virtual Server Ports,
Service Group, Service Group Member, Server, Health Monitor,
aFleX, Access List, Source NAT Pool, Certificate, or any templates.
b. From the drop-down list to the right of the IP Address, you can search
either by specifying the IP Address or choose Status to search for
objects that are Enabled, Disabled, Running, Functional Running,
Partial Running, or Stopped.
3. Click on a service group list page, server page, health monitor page, or
SSL certificate page, to display a micro pop-up window that will display
content similar to the network map page. This makes it easy to identify
relationships among SLB objects. The following displays a server
micro-popup that you can view from the Service Group window:
The network map feature also displays role-based administration (RBA)
relationships in the virtual server, service group, server, and different
template pages. This means that when an RBA object refers to a shared object,
their relationship is shown in the network map. The layout for all
RBA objects is the same; the only difference in RBA is that you cannot click
on a hyperlink to be redirected to another module.
To configure GSLB services using the GSLB Easy Config page, the follow-
ing information is required:
• Zone name – Name of the DNS domain containing the services to be
managed by GSLB. For example, if GSLB will be provided for
www.example.com, the zone name is “example.com”.
• DNS mode (proxy or server):
• Proxy – This ACOS device acts as a proxy for an external DNS
server.
• Server – This ACOS device directly responds to address queries for
the zone’s services. (The ACOS device still forwards other types of
queries to the external DNS server.)
• Service information:
• Name – String to uniquely identify the service configuration on the
ACOS device
• Type – FTP, TFTP, HTTP, HTTPS, IMAP4, LDAP, NNTP, POP3,
SMTP, TELNET, or Other.
• IP address – IP address at which this ACOS device can reach the
service. You also must specify how the IP address is connected to
this ACOS device:
• SLB direct-conn real server – IP address belongs to a real server
connected to this ACOS device.
• SLB self-service device – IP address is a VIP configured on this
ACOS device.
After you use the GSLB Easy Config options to configure these parameters,
the GUI creates the GSLB resources for the configuration.
Note: GSLB has many additional options that you can modify based on your
deployment requirements. For information about specific options, see the
following:
• “Config Mode – GSLB Service Options” on page 308
Configuring GSLB
1. Select Config Mode > Get Started > GSLB Easy Config.
6. To enable Server Mode, select the check box, or clear the check box to
select Proxy Mode for the service.
10. Enter the VIP address of the service in the VIP address field.
11. Enter the IP address of the site SLB device in the Device Address field.
12. Enter the VIP address of the service in the VIP address field.
19. Click Return. The GSLB Easy Config page is redisplayed. You can con-
figure another zone or navigate to another GUI page.
Configuration Example
The example GUI pages in the following figures configure GSLB for an
HTTP service. The network topology for the example is shown in
Figure 25.
• Site-East
The GSLB controller is configured to act as the DNS server for “exam-
ple.com”. When a client sends a DNS request for “www.example.com”, the
GSLB controller selects an IP address based on the GSLB policy. By
default, a site IP address located near the client is selected, based on infor-
mation in the Internet Assigned Numbers Authority (IANA) geo-location
database on the GSLB controller.
The GSLB controller replies to the client’s DNS query with the selected site
IP address. The client then sends the HTTP request to the specified site.
First, enter the zone name and service name, and then select the service type
from the drop-down menu.
FIGURE 26 Config Mode > Get Started > GSLB Easy Config
On the next page that appears, enter a site name and click Add. Then, click
on the site name to access the configuration page for that site.
FIGURE 27 Config Mode > Get Started > GSLB Easy Config - Service
Configuration
Enter the IP information for the service. Select the appropriate radio button
in the Service IPs section, and enter the Device Address, VIP and Port.
Click Add. Click Return.
FIGURE 28 Config Mode > Get Started > GSLB Easy Config - Site
Configuration for Site-East
FIGURE 29 Config Mode > Get Started > GSLB Easy Config - Site
Configuration, Service IP added
Enter the next site name, click Add. Then, click on the site name and enter
the IP information as before. Click Add, and then click Return.
Verify the complete configuration, then click Finish again to display the
Detailed information for all of the sites.
TABLE 103 Monitor Mode > SLB > GSLB > Zone
Field | Description
Zone | Zone name.
Service | Service type and service name.
Received Queries | Number of DNS queries received for the service.
Sent Responses | Number of DNS replies sent to clients for the service.
Proxy | Number of DNS replies sent to clients by the ACOS device as a DNS proxy for the service.
Cache | Number of cached DNS replies sent to clients by the ACOS device for the service. (This statistic applies only if the DNS cache option is enabled in the policy.)
Server | Number of DNS replies sent to clients by the ACOS device as a DNS server for the service. (This statistic applies only if the DNS server option is enabled in the policy.)
Sticky | Number of DNS replies sent to clients by the ACOS device to keep the clients on the same site. (This statistic applies only if the DNS sticky option is enabled in the policy.)
Backup | If the backup-alias option is configured, this field shows the CNAME that will be returned by GSLB.
This page shows statistics for the GSLB protocol running on this ACOS
device.
Note: If this ACOS device will be the GSLB controller, use all the configuration
pages. If this ACOS device will be only a site ACOS device, go to “Con-
fig Mode > Service > GSLB > Global” on page 342. Enable the Run
GSLB as Site SLB Device option and click OK. Do not configure any
other GSLB parameters.
Click
Configuration fields appear in the GSLB Service IP
section (located to the right).
Template | Binds a template to the site. To use the bw-cost metric, use this option to bind a GSLB SNMP template to the site. | Name of a configured GSLB template. Default: Not set
Weight | Assigns a weight to the site. If the weighted-site metric is enabled in the policy and all metrics before weighted-site result in a tie, the site with the highest weight is selected. | 1-100. Default: 1
GSLB Service IP Section
Service IP Type | Specifies the way in which the service is connected to this ACOS device: • SLB direct-conn real server – The ACOS device you currently are configuring for GSLB is directly connected to the real server. • SLB self-service device – The ACOS device you currently are configuring for GSLB is also the ACOS device that is configured to perform SLB for the VIP that provides the service to clients. This is the VIP bound to a service group containing the real servers on which the service is located. • SLB device – The service is load balanced by another ACOS device. (See the row below for the options that match your selection.) | Default: SLB direct-conn real server
This page allows you to perform the following actions for a zone:
• Add
• Delete
• Enable
• Disable
The Zone section is displayed when you click Add or click on a GSLB zone
name.
Zone Parameters
Table 106 lists the GSLB zone parameters.
1. In the Name field, enter the fully-qualified domain name of the mail server for the zone.
2. If more than one MX record will be configured for the zone, enter the priority of this MX record in the Priority
field. The priorities of the MX records determine the order in which the mail server should attempt to deliver mail
to the MX hosts. The MX record with the lowest priority number has the highest priority and is tried first. The pri-
ority can be 0-65535. There is no default.
3. Click Add.
Use this section to configure general settings for the service. The action can
be one of the following:
• Not set (default)
• Reject – Rejects DNS queries from the local DNS server and returns the
“Refused” message in replies.
Note: The no-response option is not valid with the Static or as-replace option.
To add an A record:
1. Select the VIP from the VIP Order drop-down list.
5. If the GSLB ACOS device will act as the DNS server for this service IP
address, select Static. To use this option, you also must enable the Server
Mode option in the GSLB policy.
6. To assign a weight to the service, enter the value in the Weight field. If
the weighted-ip metric is enabled in the policy and all metrics before
weighted-ip result in a tie, the service on the site with the highest weight
is selected. The weight can be 1-100. By default, the weight is not set.
7. Enter the Time to Live in the TTL field, ranging from 1-2147483647.
8. Click Add.
The VIP addresses are placed in the DNS reply in the order they appear in
this section, starting with the VIP at the top of the list. To re-order the VIP
addresses, select the row for one of the A records and click Move Up or
Move Down.
2. If more than one MX record will be configured for the same service,
enter the priority of this MX record in the Priority field. The priorities of
the MX records determine the order in which the mail server should
attempt to deliver mail to the MX hosts. The MX record with the lowest
priority number has the highest priority and is tried first. The priority
can be 0-65535. There is no default.
3. Click Add.
To configure an alias, enter the alias in the Name field, then click Add.
Enter the record name in the Name field, then click Add.
Enter a string value for the text record, then click Add.
Geo-location Section
Use this section to configure geo-location parameters for the service.
1. In the Geo-location field, enter the geo-location name.
2. To configure an alias for the geo-location, enter the alias name in the
Alias field.
3. To set a DNS action for the geo-location, click Action and select the
action from the drop-down list:
• Forward Response – Forwards responses to the local DNS server,
but does not forward queries to the Authoritative DNS server.
• Forward Both – Forwards queries to the Authoritative DNS server,
and forwards responses to the local DNS server.
• Forward Query – Forwards queries to the Authoritative DNS server,
but does not forward responses to the local DNS server.
• Drop – Drops DNS queries from the local DNS server.
• Reject – Rejects DNS queries from the local DNS server and returns
the “Refused” message in replies.
4. To use a GSLB policy other than the zone’s policy (the default setting),
click Policy and select the policy from the drop-down list.
5. Click Add.
This page allows you to perform the following actions for a site:
• Add
• Delete
• Enable
• Disable
Site Parameters
The following configuration sections are displayed when you click Add or
click on a GSLB site name.
• General
• SLB-Device
• Template
• IP-Server
• Geo-location
• Options
The Service IP and Port sections are displayed when you click Add or click
on a service name.
The following configuration sections are displayed when you click Add or
click on a DNS proxy name.
• Proxy
• GSLB Port
Source NAT Pool | IP address pool to use for IP source Network Address Translation (NAT). | Name of a configured IP address pool. Default: Not set
aFleX | Name of an aFleX policy. | Name of an aFleX policy that has been imported onto the ACOS device. Default: Not set
UDP Template | UDP template to use. If the template you want to use is not already configured, you can select “create” to configure it. In this case, when you click OK after configuring the template, you are returned to this section. | Name of a configured template. Default: The AX default UDP template is used. (See the “SLB Parameters” chapter in the A10 Thunder Series and AX Series Application Delivery and Server Load Balancing Guide.)
The geo-location options enable you to import and load (activate) geo-loca-
tion databases and to find information in the currently loaded geo-location
database.
Config Mode > Service > GSLB > Geo-location > Import
This option displays sections listed in Table 110.
Config Mode > Service > GSLB > Geo-location > Find
This page lists the geo-locations on the ACOS device. To display sub-range
locations within a geo-location, click on the geo-location name.
2. Click Find.
• Metric
• DNS Options
• Geo-location
• Auto Map
Note: Starting in ACOS Release 2.7.0, no ACOS model or software includes
code for passive round-trip time (RTT), the time difference between
receiving a TCP SYN and a TCP ACK for the TCP connection, for GSLB.
The code was completely removed starting from 2.7.0 because not a
single customer was using this round-trip time capability for GSLB.
This page displays the global GSLB settings you can configure.
• aRDT
• Connection Load
• Num Session
• Least Response
The GSLB protocol is required in order to collect the site information pro-
vided for these metrics.
Note: The GSLB protocol is also required for the health-check metric, if the
default health checks are used. If you modify the health checks, the GSLB
protocol is not required.
WAF
The WAF filters communication between users and Web applications to
protect Web servers and sites from unauthorized access and malicious pro-
grams. This new layer of security examines incoming end-user requests,
output from Web servers, and access to Web site content to safeguard
against Web attacks and protect sensitive information hosted on Web serv-
ers.
AAM
Application Access Management (AAM) is a suite of security features for
optimizing Authentication, Authorization, and Accounting (AAA) for cli-
ent-server traffic. AAM includes the following features:
• Logon Portal – The Logon Portal provides a single sign-on interface for
end-users. ACOS obtains the end-user’s credentials through a basic
HTTP request-reply exchange or using a web-based form, then uses a
backend AAA server to verify the credentials.
• Online Certificate Status Protocol (OCSP) – OCSP is a network compo-
nent that provides certificate verification services. OCSP eliminates the
need to import certificate revocation list (CRL) files onto the ACOS
device. Instead, the CRLs are maintained on the OCSP responder
(server). When a client sends its certificate as part of a request for a
secured service, ACOS sends the certificate to the OCSP responder for
verification, before allowing the client to access secured services.
• Authentication Relay – Authentication Relay offloads your AAA serv-
ers. ACOS contacts backend AAA servers on behalf of clients. After a
server responds, ACOS caches the reply and uses the cached reply for
subsequent client requests.
• AAA Health Monitoring and Load Balancing – You can use ACOS SLB
to load balance authentication traffic among a group of AAA servers.
ACOS supports custom health checks for LDAP, RADIUS, Kerberos,
and OCSP.
More Information
The GUI pages for configuring WAF and AAM features are described in
this document. However, for information about how to use these features to
deploy security solutions for your network, see the following:
• Web Application Firewall Guide
From the Bind page, you can configure ACOS to override the WAF settings
applied to the HTTP/HTTPS virtual port with another set of WAF settings,
using an HTTP policy template. You can configure rules in the HTTP
template to match on URLs, hostnames, or cookie names in traffic.
3. Select OK.
TABLE 113 Config Mode > Security > WAF > Bind
Parameter | Description and Syntax | Supported Values
WAF Section
Name | Name of the virtual service. The names in the drop-down list are in the following format: _VIPname_Type_Portnum | Configured virtual service. Default: not set
WAF | WAF policy template to bind to the virtual service. | Configured WAF template. Default: not set
HTTP Policy | HTTP policy template to bind to the virtual service, for use overriding WAF template settings. | Configured HTTP policy template. Default: not set
The pages in this section provide configuration options to create WAF tem-
plates and specify HTTP policies to override template application for differ-
ent types of client traffic.
Config Mode > Security > WAF > Template > WAF
From the WAF template page, you can quickly enforce security filters for
communication between clients and web servers.
Config Mode > Security > WAF > Template > HTTP Policy
You can configure ACOS to override the WAF settings applied to the
HTTP/HTTPS virtual port with another set of WAF settings, using an HTTP
policy template. You can configure rules in the HTTP template to match on
URLs, hostnames, or cookie names in traffic.
Note: For the WAF to operate, you must still bind a WAF template
directly to the virtual port, to use as the virtual port’s primary WAF
template. HTTP policy templates can be used only to override the primary
WAF template with a secondary WAF template, based on the match rules in
the HTTP policy template.
5. Click OK.
Note: Match options are always applied in the order shown above, regardless of
the order in which the rules appear in the configuration. The WAF tem-
plate associated with the rule that matches first is used.
Note: If a template has more than one rule with the same match option (equals,
starts-with, contains, or ends-with) and a URL matches on more than one
of them, the most-specific match is always used.
• Bot Check
• XSS Check
• SQLIA Check
If one of these checks is enabled and a WAF definition file is not specified,
the default WAF policy file is applied.
Note: You cannot edit or delete default files. However, you can create and apply
new files to WAF checks at your own discretion. A10 Networks advises
copying a default WAF policy file and customizing the contents to fit your
specific demands.
Notes
• You cannot edit or delete default files. However, you can create and
apply new files to WAF checks at your own discretion. A10 Networks
advises copying a default WAF definition file and customizing the con-
tents to fit your specific demands.
• You can click on the name of an existing file to edit it in the GUI. You
can delete an existing file by selecting the checkbox located on the left
of its name, then clicking the Delete button.
• You can copy the contents of an existing policy file by selecting the
checkbox located on the left of its name, then clicking the Clone button.
This page enables you to bind security resources to service ports (virtual
ports on VIPs). The buttons on this page enable you to perform the follow-
ing actions:
• Add – Create a new virtual port.
The Add, Edit, and Clone buttons display a configuration page for the vir-
tual port.
In the current release, the security bindings you can configure using this
page apply only to HTTP virtual ports.
This page displays the configured authentication templates. From this page,
you can edit or delete existing templates, and create new ones.
TABLE 116 Config Mode > Security > Authentication > Template
Parameter | Description | Supported Values
Authentication Template Section
Name | Name of the template. | String of 1-31 characters. Default: Not set
Authentication Server/Service Group | Specifies whether the template applies to a single AAA server or a group of servers: • Authentication Server – Use this option if you are binding a single AAA server to the template. Selecting this radio button activates the Authentication Server drop-down list. Select the authentication-server profile for the AAA server from the list. • Service Group – Use this option if you are binding a set of AAA servers to the template. Selecting this radio button activates the Service Group drop-down list. Select the service group that contains the AAA servers. | Authentication Server or Service Group radio button. Default: Authentication Server
Authentication Relay | Binds an authentication-relay profile to the template. | Configured authentication-relay profile. Default: Not set
Authentication Logon | Binds an authentication-logon profile to the template. | Configured authentication-logon profile. Default: Not set
Logout URL | Web page to serve to end-users after they log out. | Default: Not set
Logout Idle Timeout | Maximum amount of time an authenticated end-user session can be idle before being terminated by ACOS. | 1-86400 seconds. Default: 300
TABLE 117 Config Mode > Security > Authentication > Server
Parameter | Description | Supported Values
Authentication Server Section
Name | Name of the profile. | String of 1-31 characters. Default: Not set
Type | AAA server type. | OCSP, RADIUS, or LDAP. Default: OCSP
The following options apply if you select OCSP.
URL | Address of the OCSP responder, in the following format: http://hostname-or-ipaddr[:port-num]/ | Valid hostname or IP address. Default: Not set
Responder CA | Filename of the OCSP responder’s CA certificate. Note: You must import the file onto the ACOS device. | CA certificate file imported onto the ACOS device. Default: Not set
Responder Cert | Filename of the OCSP responder’s certificate. Note: You must import the file onto the ACOS device. | Server certificate file imported onto the ACOS device. Default: Not set
The following options apply if you select RADIUS.
Host | Hostname or IP address of the RADIUS server. | Valid hostname or IP address. Default: Not set
Secret / Confirm Secret | Shared secret (password) used for securing RADIUS traffic between ACOS and the RADIUS server. The same string must be used by ACOS and the server. | String up to 128 characters long. Default: Not set
Port | Protocol port on which the server listens for RADIUS traffic. | 1-65535. Default: 1812
Retry | Maximum number of times ACOS will send the same request before giving up. | 1-32. Default: 5
Interval | Maximum number of seconds ACOS will wait for a reply to a request before resending the request. | 1-1024 seconds. Default: 3 seconds
Authorization Check | Checks the list of allowed URIs provided by the AAA server. (This capability requires configuration on the ACOS device and on the AAA server. For information, see the Application Access Management and DDoS Mitigation Guide.) | Selected or unselected. Default: Unselected
The following options apply if you select LDAP.
Host | Hostname or IP address of the LDAP server. | Valid hostname or IP address. Default: Not set
Port | Protocol port on which the server listens for LDAP traffic. | 1-65535. Default: 389
Administrator’s DN | Distinguished Name (DN) of the LDAP admin account required for access to the server. | String. Default: Not set
Admin Secret Password | Admin password. | String. Default: Not set
Password Expiration Time | Maximum amount of time an end-user’s password can be cached. | 1 - 4294967295 seconds. Default: Not set
Search Base | LDAP server’s search base. | String. Default: Not set
Timeout | Maximum number of seconds ACOS waits for the LDAP server to respond to a request. If a request times out, ACOS aborts that request. | 1-255 seconds. Default: 10 seconds
Authorization Check | Checks the list of allowed URIs provided by the AAA server. (This capability requires configuration on the ACOS device and on the AAA server. For information, see the Application Access Management and DDoS Mitigation Guide.) | Selected or unselected. Default: Unselected
Use UID | Uses the UID instead of the CN for the admin name. | Selected or unselected. Default: Unselected
TABLE 118 Config Mode > Security > Authentication > Logon
Parameter | Description | Supported Values
Authentication Logon Section
Name | Name of the profile. | String of 1-31 characters. Default: Not set
Type | Authentication-logon profile type: • HTTP Basic – The Logon Portal sends an HTTP 401 (Unauthorized) message with response code 4, containing a WWW-Authenticate HTTP header. The client browser is expected to send a reply with the Authorization header, containing the username and password in Base64-encoded form. • Form Based – The Logon Portal uses a set of web pages to collect user credentials. Note: Form-based logon requires a set of Logon Portal files, which must be imported onto the ACOS device. (See “Config Mode > Security > Authentication > Portal” on page 362.) | HTTP Basic or Form Based. Default: HTTP Basic
The following options apply if you select HTTP Basic.
Realm | Name of the realm secured by the AAA server. | Default: Not set
Retry | Number of times ACOS will resend the authentication request to the client, to allow the end-user to re-enter their credentials. | 1-32. Default: 3
The following options apply if you select Form Based.
Portal | Zip archive of web portal files. Note: This file must be imported onto the ACOS device. (See “Config Mode > Security > Authentication > Portal” on page 362.) | Zip archive imported onto the ACOS device. Default: Not set
Action URL | URL for the POST action to be performed by the client browser after the end-user enters their credentials. | Valid URL string; for example: mylogon.fo. Default: Not set
Username Variable | Name of the data field for the username entered into the logon form by the end-user. | String. Default: Not set
Password Variable | Name of the data field for the password entered into the logon form by the end-user. | Default: Not set
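The HTTP Basic logon type in Table 118 carries the username and password in Base64-encoded form, which is an encoding and not encryption: anyone who can read the Authorization header recovers the credentials. The following Python sketch of both sides of that exchange is an added example, not A10 code; the function names and sample credentials are constructed for illustration.

```python
import base64
import binascii


def challenge_value(realm):
    """Value of the WWW-Authenticate header sent with the 401 response."""
    if '"' in realm or "\\" in realm or any(ord(c) < 0x20 for c in realm):
        raise ValueError("realm contains characters that would need escaping")
    return f'Basic realm="{realm}"'


def authorization_value(username, password):
    """Value of the Authorization header a client sends in reply."""
    if ":" in username:
        # The first colon separates the two fields, so a username
        # containing one cannot be represented.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_authorization(value):
    """Decode an Authorization header value into (username, password).

    Raises ValueError for a non-Basic scheme, invalid Base64, non-UTF-8
    bytes, or a decoded string with no ':' separator.
    """
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise ValueError("credentials are not valid Base64") from exc
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("credentials are not valid UTF-8") from exc
    username, separator, password = text.partition(":")
    if not separator:
        raise ValueError("missing ':' between username and password")
    # Only the first colon splits the fields; later ones belong to the password.
    return username, password


if __name__ == "__main__":
    # Constructed sample exchange.
    print("Server -> client:", "WWW-Authenticate:", challenge_value("example-realm"))
    header = authorization_value("alice", "pa:ss")
    print("Client -> server:", "Authorization:", header)
    print("Recovered without any key:", parse_authorization(header))
```
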
TABLE 119 Config Mode > Security > Authentication > Relay
Parameter | Description | Supported Values
Authentication Relay Section
Name | Name of the profile. | String. Default: Not set
Type | Type of authentication ACOS uses to log onto content servers on behalf of authenticated clients: • HTTP Basic – ACOS uses Basic-HTTP authentication to log onto content servers on behalf of clients authenticated by a backend AAA server. • Kerberos – ACOS uses Kerberos. | HTTP Basic or Kerberos. Default: Not set
The following options apply if you select Kerberos.
KDC | Hostname or IP address of the Kerberos Key Distribution Center (KDC). | Valid hostname or IP address. Default: Not set
Port | Protocol port number on which the KDC listens for requests. | 1-65535. Default: 88
Timeout | Maximum number of seconds ACOS waits for the Kerberos server to respond to a request. If a request times out, ACOS aborts that request. | 1-255 seconds. Default: 10
Realm | Name of the realm (domain) secured by the Kerberos server. | String. Default: Not set
AX KDC Account | Kerberos admin account name required to log onto the KDC. | String. Default: Not set
AX KDC Password | Password required for logging onto the KDC. | String. Default: Not set
This page lists the zip archives imported onto the ACOS device for use with
form-based authentication. You can use this page to import new archives,
and to delete any archives that are no longer needed.
2. In the File Name field, enter a name for the file. This is the name you
will need to refer to when using the file in an AAM deployment.
5. Click Open. The path and filename appear in the Source field. Go to
step 12.
6. To use the management interface as the source interface for the connec-
tion to the remote device, select Use Management Port. Otherwise, the
ACOS device will attempt to reach the remote server through a data
interface.
7. Select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.
8. In the Host field, enter the hostname or IP address of the server where
the archive is located.
10. If needed, change the protocol port number in the Port field. By default,
the default port number for the selected file transfer protocol is used.
11. In the User and Password fields, enter the username and password
required for access to the remote server.
The Policy page displays the configured policy templates. This page is dis-
played when you click Add or click on a template name.
Table 120 lists the parameters you can configure in policy templates.
The DNS Firewall configuration section is displayed when you click Add or
click on a template name.
Note: DNS Firewall templates are not supported with stateless load-balancing
methods.
Table 121 lists the parameters you can configure in DNS Firewall templates.
The ACL pages enable you to configure and apply Access Control Lists
(ACLs).
An ACL can contain multiple rules. Each rule contains a single permit or
deny statement. Rules are added to the ACL in the order you configure
them. The first rule you add appears at the top of the ACL.
3. Click Add.
4. Configure the options for the rule. (See Table 122 on page 374 and
Table 123 on page 376.)
5. When finished configuring the rule, click OK. The rule list is redis-
played, containing the new rule.
Each row in the ACL tables is a separate ACL rule. You can configure
multiple rules in the same ACL. In this case, they still appear as
separate rows, with the same ACL number.
The ACOS device applies the ACL rules in the order they are listed, starting
at the top of the table. The first rule that matches traffic is used to permit or
deny that traffic. After the first rule match, no additional rules are compared
against the traffic.
If you need to re-order the rules within an ACL, you can do so by dragging-
and-dropping the rules to their new position.
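The first-match ordering described above can make a rule unreachable when a broader rule sits above it. The following Python sketch is an added example, not ACOS code: it models each rule as a permit or deny on a source network (a simplifying assumption), evaluates top-down with an implicit deny at the end, and reports rules that an earlier rule fully covers. The sample ACL is constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    source: str   # source network in CIDR notation (modelling assumption)

    @property
    def net(self):
        return ipaddress.ip_network(self.source)


def evaluate(acl, src_ip):
    """First-match evaluation: return (action, index of the deciding rule).

    The index is None when no rule matched and the implicit deny decided.
    """
    addr = ipaddress.ip_address(src_ip)
    for index, rule in enumerate(acl):
        if addr in rule.net:
            return rule.action, index
    return "deny", None


def shadowed_rules(acl):
    """Find rules that can never be the first match.

    A rule is reported when a single earlier rule covers its whole source
    range. Returns (rule index, covering index, conflicting) tuples, where
    conflicting is True if the two rules have different actions. Coverage by
    a combination of several earlier rules is not detected.
    """
    findings = []
    for index, rule in enumerate(acl):
        for earlier_index in range(index):
            earlier = acl[earlier_index]
            if rule.net.subnet_of(earlier.net):
                findings.append(
                    (index, earlier_index, earlier.action != rule.action)
                )
                break
    return findings


# Constructed sample: the deny for 10.1.2.0/24 was added after the broad
# permit, so it sits below it and is never reached.
SAMPLE_ACL = [
    Rule("permit", "10.0.0.0/8"),
    Rule("deny", "10.1.2.0/24"),
    Rule("permit", "192.168.10.0/24"),
]

# The same rules after moving the specific deny to the top of the ACL.
REORDERED_ACL = [SAMPLE_ACL[1], SAMPLE_ACL[0], SAMPLE_ACL[2]]

if __name__ == "__main__":
    for label, acl in (("as configured", SAMPLE_ACL), ("reordered", REORDERED_ACL)):
        print(label, evaluate(acl, "10.1.2.7"), shadowed_rules(acl))
```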
Anywhere an ACL can be used, this document describes how to apply the
ACL.
Config Mode > Security > Network > ACL > Standard
This option lists the configured standard ACLs. For configuration
information, see the following topics:
• “Configuring an ACL Rule” on page 372
The Standard section is displayed when you click Add or click on an ACL
number.
Config Mode > Security > Network > ACL > Extended
This option lists the configured extended ACLs. For configuration
information, see the following topics:
• “Configuring an ACL Rule” on page 372
The Extended section is displayed when you click Add or click on an ACL
number.
Config Mode > Security > Network > ACL > IPv6
This option lists the configured IPv6 ACLs. For configuration information,
see the following topics:
• “Configuring an ACL Rule” on page 372
The IPv6 section is displayed when you click Add or click on an ACL
number.
Table 125 lists the DDoS protection options. All options are supported for
IPv4. All options except IP Option are supported for IPv6.
Config Mode > Security > Network > ICMP Rate Limiting
The ICMP Rate Limiting option globally enables protection against denial-
of-service (DoS) attacks.
Table 126 lists the ICMP Rate Limiting parameters you can configure.
• “Config Mode > IP Source NAT > IPv6 Pool” on page 388
• “Config Mode > IP Source NAT > ACL Bind” on page 390
• “Config Mode > IP Source NAT > NAT Range” on page 391
• “Config Mode > IP Source NAT > Static NAT” on page 392
To configure dynamic IP Source NAT, you can use the IPv4, IPv6, Group,
Binding, and Interface options.
To configure static IP source NAT, you can use the NAT Range, Global, and
Interface options.
The IPv4 Pool section is displayed when you click Add or click on an IPv4
pool name.
The IPv6 Pool section is displayed when you click Add or click on an IPv6
pool name.
The Group section is displayed when you click Add or click on a pool group
name.
2. Select a configured pool or pool group from the NAT Pool drop-down
list.
3. To set the TCP Maximum Segment Life (MSL) for NATted sessions,
enter the maximum number of seconds in the MSL field. You can enter
1-1800 seconds. This option is only available for IPv4.
Note: This option is useful for servers running older TCP/IP stacks, which may
wait up to 240 seconds (4 minutes) after a FIN before allowing a new
TCP connection.
4. Click Add.
6. Click OK.
2. Select Inside from the IPv4 or IPv6 Direction drop-down list, if not
already selected.
3. Click Add.
5. Click OK.
The NAT Range section is displayed when you click Add or click on a range
list name.
The Static NAT Range section is displayed when you click Add or click on
a static translation name.
Note: The timeout values specify the minimum timeout. The actual time a
session may remain idle is up to 60 seconds later than the configured
timeout.
Note: Access to configuration options will vary with your administrative role
and system configuration of the ACOS device. For information on the
privilege level of administrative roles, see “Preconfigured GUI Access
Roles” on page 447.
The LAN page shows the configuration settings for the ACOS device’s
Ethernet data interfaces.
To disable interfaces, select the checkbox next to each interface you want to
disable, then click Disable. Likewise, to re-enable interfaces, select the
checkbox next to each interface you want to enable, then click Enable.
• IPv4
• IPv6
• VIP
• LACP
• VRRP-A or HA
Table 133 lists the parameters you can configure on Ethernet data interfaces.
• ICMPv6 Rate Limiting – Configures ICMPv6 rate limiting for the
interface, to protect against denial-of-service (DoS) attacks. When you
select the ICMPv6 Rate Limit Status checkbox, the following
configuration fields appear:
• Normal Rate – Maximum number of ICMPv6 packets allowed per second on
the interface. If the AX interface receives more than the normal rate of
ICMPv6 packets, the excess packets are dropped until the next one-second
interval begins.
• Lockup Rate – Maximum number of ICMPv6 packets allowed per second
before the ACOS device locks up ICMPv6 traffic on the interface. When
ICMPv6 traffic is locked up, all ICMPv6 packets are dropped until the
lockup expires.
• Lockup Period – Number of seconds for which the ACOS device drops all
ICMPv6 traffic on the interface, after the maximum rate is exceeded.
Supported values:
• State: Enabled or Disabled
• Normal Rate – 1-65535 packets per second
• Lockup Rate – 1-65535 packets per second
• Lockup Period – 1-16383 seconds
Default: Disabled
Specifying a maximum rate (lockup rate) and lockup time is optional. If
you do not specify them, lockup does not occur.
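To see how the three ICMPv6 rate-limiting fields interact, the following Python model (an added example, not ACOS code) replays per-second packet counts against a normal rate, lockup rate and lockup period. It assumes that lockup starts at the next one-second boundary, that traffic during lockup does not extend it, that lockup rate and period are set together, and that the lockup rate is not below the normal rate; the traffic profile is constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Icmpv6RateLimit:
    normal_rate: int                      # packets per second, 1-65535
    lockup_rate: Optional[int] = None     # packets per second, 1-65535
    lockup_period: Optional[int] = None   # seconds, 1-16383

    def __post_init__(self):
        if not 1 <= self.normal_rate <= 65535:
            raise ValueError("normal rate must be 1-65535 packets per second")
        # Assumption of this model: both lockup fields are given, or neither.
        if (self.lockup_rate is None) != (self.lockup_period is None):
            raise ValueError("set lockup rate and lockup period together")
        if self.lockup_rate is not None:
            if not 1 <= self.lockup_rate <= 65535:
                raise ValueError("lockup rate must be 1-65535 packets per second")
            if not 1 <= self.lockup_period <= 16383:
                raise ValueError("lockup period must be 1-16383 seconds")
            # Assumption of this model, not a documented constraint.
            if self.lockup_rate < self.normal_rate:
                raise ValueError("model assumes lockup rate >= normal rate")


def simulate(limit, arrivals_per_second):
    """Return one (accepted, dropped, locked) tuple per one-second interval."""
    results = []
    locked_until = 0  # index of the first second in which traffic is allowed again
    for second, arrived in enumerate(arrivals_per_second):
        if second < locked_until:
            # Lockup: every ICMPv6 packet is dropped, legitimate or not.
            results.append((0, arrived, True))
            continue
        # Normal operation: packets above the normal rate are dropped until
        # the next one-second interval begins.
        accepted = min(arrived, limit.normal_rate)
        results.append((accepted, arrived - accepted, False))
        if limit.lockup_rate is not None and arrived > limit.lockup_rate:
            locked_until = second + 1 + limit.lockup_period
    return results


# Constructed traffic profile: a burst in second 2, then low-rate traffic.
ARRIVALS = [50, 150, 600, 20, 20, 20, 20]

if __name__ == "__main__":
    with_lockup = Icmpv6RateLimit(normal_rate=100, lockup_rate=500, lockup_period=3)
    without_lockup = Icmpv6RateLimit(normal_rate=100)
    for label, limit in (("lockup", with_lockup), ("no lockup", without_lockup)):
        print(label, simulate(limit, ARRIVALS))
```

With lockup configured, the 20 packets per second that follow the burst are dropped for three seconds; without it, they pass as soon as the burst ends.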
IP addresses are added to an interface in the order you configure them. The
addresses appear in show command output and in the configuration in the
same order.
The first IP address you add to an interface becomes the primary IP address
for the interface. If you remove the primary address, the next address in the
list (the second address to be added to the interface) becomes the primary
address.
The ACOS device automatically generates a directly connected route to
each IP address. If you enable redistribution of directly connected routes by
OSPF or IS-IS, those protocols can advertise the routes to the IP addresses.
The ACOS device does not support multiple OSPFv2 networks on the same
data interface. One OSPFv2 network configuration can enable at most one
network per interface.
For example, assume a data port has 3 IP addresses configured that belong
to 3 separate subnets, S1, S2, and S3. If you configure network S4 with area
A.B.C.D, and S4 contains S1, S2, and S3, then only S1 will be running
OSPF. S2 and S3 will not be known to other OSPF routers.
The Management page shows the configuration settings for the ACOS
device’s out-of-band management port.
The following configuration sections are displayed when you click on the
Management menu option:
• General
• IPv4
• IPv6
Note: The ACOS device allows the same IP address to be configured as the
ACOS device’s global IP address, and as a NAT pool address. However,
in Layer 2 (transparent) deployments, if you do configure the same
address in both places, and later delete one of the addresses, you must
reload the ACOS device to place the change into effect.
Table 134 lists the parameters you can configure on the Ethernet
management port.
The Transparent page enables you to specify the global IP address of the
ACOS device, if deploying the device in transparent (Layer 2) mode.
Note: If you are deploying in gateway (Layer 3) mode, see “Config Mode
> Network > Interface > LAN” on page 398.
The following configuration sections are displayed when you click on the
Transparent menu option:
• IPv4
• IPv6
Table 135 lists the global IP address parameters you can configure.
The Virtual page shows the configuration settings for the ACOS device’s
Virtual Ethernet (VE) data ports.
• IPv6
• VIP
Note: You must create the VE before you can configure it here. To create a VE,
see “Config Mode > Network > VLAN” on page 413.
Table 136 lists the parameters you can configure on VE data interfaces.
This page shows and allows you to change global interface settings.
Notes:
• On non-FPGA models, after you enable (or dis-
able) jumbo frame support, you must save the
configuration and reboot to place the change into
effect.
• If jumbo support is enabled on a non-FPGA
model and you erase the startup-config, the
device is rebooted after the configuration is
erased.
For additional information, and a list of models that
support jumbo frames, see the System Configuration
and Administration Guide.
The Trunk section is displayed when you click Add or click on a trunk
number.
Note: In cases where LACP settings on the local device (the ACOS device) and
the remote device at the other end of the link differ, the settings on the
device with the higher priority are used.
Note: If the LACP trunk has more candidate members than are allowed by the
device at the other end of the link, LACP selects the interfaces with the
highest port priority values as the active interfaces. The other interfaces
are standbys, and are used only if an active interface goes down.
• MAC
• Global
This page lists the configured Virtual LANs (VLANs). A VLAN is a set of
Ethernet data ports configured as a separate Layer 2 collision domain.
The VLAN section is displayed when you click Add or click on a VLAN
number.
This page displays the aging timer for dynamic (learned) MAC entries. An
entry that remains unused for the duration of the aging time is removed
from the MAC table.
This page enables you to change the traffic limits for VLANs. You can set
global limits for all VLANs, as well as per-VLAN limits.
Table 140 lists the VLAN traffic limits you can configure.
The IPv4 ARP configuration section is displayed when you click Add or
click on a static ARP entry.
The IPv6 Neighbor configuration section is displayed when you click Add
or click on a static IPv6 neighbor entry.
The Global section enables you to change the ARP timeout, which is used to
age out dynamic ARP table entries. By default, dynamic ARP entries age
out after 300 seconds (5 minutes). You can change the global ARP timer to
60-86400 seconds.
The Static Route section is displayed when you click Add or click on an
IPv4 static route.
Table 143 lists the parameters you can configure for IPv4 static routes.
The Static Route section is displayed when you click Add or click on an
IPv6 static route.
Table 144 lists the parameters you can configure for IPv6 static routes.
Note: Access to configuration options will vary with your administrative role
and system configuration of the ACOS device. For information on the
privilege level of administrative roles, see “Preconfigured GUI Access
Roles” on page 447.
• aXAPI
• Preference
You also can use this page to replace the web certificate. Replacing the
certificate with a CA-signed certificate prevents the certificate warning
from being displayed by your browser when you log onto the GUI. You can
install a child certificate and key, and up to 3 chain certificates.
After importing the certificate files, click OK to place the change into
effect.
2. Click Export.
All web management certificates, keys, and chain certificates are
downloaded.
3. Import the key for the child certificate. The options are the same as
those for importing the child certificate.
4. Import the chain certificates, if applicable. The options are the same as
those for importing the child certificate.
5. Click OK.
If you need to reset the web certificate using the CLI instead, enter the
following command at the global configuration level of the CLI:
web-service certificate-reset
Config Mode > System > Settings > Terminal > CLI
Table 147 lists the parameters you can configure in this section.
To restore all CLI access settings to the default values, click the Reset To
Default button.
Caution: The Reset To Default option also resets the enable password to its
default value (empty – no password).
Config Mode > System > Settings > Terminal > Banner
The banner sections enable you to configure the banner messages displayed
in the CLI. By default, the messages shown in bold type in the following
example are displayed:
login as: admin
Welcome to AX
Using keyboard-interactive authentication.
Password:
Last login: Thu Feb 7 13:44:32 2008 from 192.168.1.144
If you configure a banner message that occupies multiple lines, you must
specify the end marker. The end marker is a simple string up to 2
characters long, each of which must be an ASCII character from the
following range: 0x21-0x7e. Pressing Enter at the end of each line is not
necessary.
The multi-line banner text starts from the first line and ends at the marker. If
the end marker is on a new line by itself, the last line of the banner text will
be empty. If you do not want the last line to be empty, put the end marker at
the end of the last non-empty line.
1. To configure a banner:
a. Select the banner type, single-line or multi-line.
b. If you selected multi-line, enter the end marker value in the End
Marker field.
c. Enter the message in the Login Banner or Exec Banner field.
If the message is a multi-line message, you can add line breaks by
pressing Enter / Return at the end of every line. Do not type the end
marker at the end of the message. The GUI automatically places the
end marker at the end of the message text in the configuration.
2. If you are configuring both messages, repeat step 1 for the other
message.
3. Click OK.
• Status – Configures display of the log on the Monitor Mode > Overview
> Status page
Table 148 lists the system log parameters you can configure.
2. In the SMTP Server field, enter the hostname or IP address of the SMTP
server.
3. If the SMTP server does not use the default SMTP port, enter the
correct port in the SMTP Server Port field.
4. In the Mail From field, enter the sending email address for emailed log
messages.
3. In the Logging Email Filter section, click Add. A configuration page for
the filter appears.
Note: The conditions must be selected in the order described here. Otherwise,
the filter will be invalid. If you accidentally configure an invalid filter,
you can click Clear to remove the filter conditions and start again.
a. Select the message severity level from the first drop-down list, at the
upper left, and click Add. To add more severity levels, repeat this
step for each severity level.
b. Optionally, select a software module from the second drop-down
list, to the right of the first drop-down list. Then click Add. To add
more modules, repeat this step for each module.
c. Optionally, enter a regular expression to specify message text to
match on, in the lower left entry field. Then click Add.
d. Select the operator from the drop-down list in the lower right field,
and click Add.
7. Click OK. The new filter appears in the Logging Email Filter section on
the Log page.
FIGURE 34 Config Mode > System > Settings > Log - Add (Logging Email
Filter)
FIGURE 35 Config Mode > System > Settings > Log (Logging Email Filter
added)
This menu option provides the following suboptions for configuring general
system parameters:
• Threshold
• TFTP
• Resource Usage
• PBSLB
Note: The Buffer Drop and Buffer Usage options are not applicable to some
device types. The options are applicable to hardware-based ACOS models
and SoftAX.
Config Mode > System > Settings > General > Threshold
This option enables you to specify event thresholds for utilization of
system resources. If utilization of a system resource crosses the
configured threshold, a log message is generated. If applicable, an SNMP
trap is also generated.
Config Mode > System > Settings > General > TFTP
This option enables you to increase the TFTP block size.
The TFTP block size is the maximum packet length the ACOS TFTP client
can use when sending or receiving files to or from a TFTP server. You can
specify from 512-32768 bytes. The default is 512 bytes.
Increasing the TFTP block size can provide the following benefits:
• TFTP file transfers can occur more quickly, since fewer blocks are
required to send a file.
• File transfer errors due to the server reaching its maximum block size
before a file is transferred can be eliminated.
To determine the maximum file size a block size will allow, use the
following formula: 1K-blocksize = 64MB-filesize (that is, each 1 KB of
block size allows 64 MB of file size).
Increasing the TFTP block size of the ACOS device only increases the
maximum block size supported by the ACOS device. The TFTP server also
must support larger block sizes. If the block size is larger than the TFTP
server supports, the file transfer will fail and a communication error will
be displayed on the CLI terminal.
If the TFTP block size is larger than the IP Maximum Transmission Unit
(MTU) on any device involved in the file transfer, the TFTP packets will be
fragmented to fit within the MTU. The fragmentation will not increase the
number of blocks; however, it can re-add some overhead to the overall file
transmission speed.
Config Mode > System > Settings > General > Resource Usage >
Global
This page enables you to reconfigure the system capacity for certain system
resources.
Table 150 lists the resource capacities you can configure. The supported
values and defaults may differ depending on the ACOS model.
Config Mode > System > Settings > General > Resource Usage >
Template
This page allows you to configure resource templates for Layer 2/3
partitions. Once defined, you can bind or unbind a resource template to a
particular partition. You can also apply a sample template to multiple
partitions.
Table 151 lists the resource usage templates you can configure. The
supported values and defaults may differ depending on the ACOS model.
Config Mode > System > Settings > General > PBSLB
This page allows you to configure system-wide Policy-Based SLB
(PBSLB). System-wide PBSLB enables you to control access through the
ACOS device based on source or destination IP address.
For traffic that is allowed access, you also can enforce connection limits and
connection-rate limits. Additionally, you can specify the action to take for
traffic that exceeds the connection limit or connection-rate limit.
Specifically, the following traffic limiting options are available if you use a
class list:
• Connection limiting – Maximum number of concurrent connections
allowed for a client.
• Connection-rate limiting – Maximum number of new connections
allowed for a client within a specified period.
• Request limiting – Maximum number of concurrent Layer 7 requests
allowed for a client.
• Request-rate limiting – Maximum number of Layer 7 requests allowed
for a client within a specified period.
If you use a black/white list, the only one of these options that is supported
is connection limiting.
Note: To exclude a host or subnet from being limited, do not specify an IP limit-
ing rule.
Here is an example of a very simple class list. This list matches on all
clients and uses an IP limiting rule configured at the global
configuration level:
0.0.0.0/0 glid 1
Here is an example with more options:
1.1.1.1 /32 lid 1
2.2.2.0 /24 lid 2
0.0.0.0 /0 lid 10
3.3.3.3 /32 glid 3
4.4.4.4 /32
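When reviewing a class list, it helps to know which limit a given client falls under and which entries carry no limit at all. The following Python parser is an added example, not ACOS code: it reads entries in the layout shown above and, as an assumption not stated on this page, resolves a client to the most specific matching entry. The helper names are hypothetical.

```python
import ipaddress
import re
from typing import NamedTuple, Optional, Union

# One entry per line: address, "/" prefix length, optional "lid N" or "glid N".
# Whitespace before the "/" is accepted because both layouts appear above.
ENTRY = re.compile(r"^([0-9A-Fa-f.:]+)\s*/\s*(\d+)(?:\s+(lid|glid)\s+(\d+))?$")


class Entry(NamedTuple):
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    scope: Optional[str]      # "lid", "glid", or None when no limit is attached
    limit_id: Optional[int]


def parse_class_list(text):
    """Parse class-list text into Entry tuples; raise ValueError on bad lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if not match:
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        addr, prefix, scope, limit_id = match.groups()
        try:
            network = ipaddress.ip_network(f"{addr}/{prefix}", strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        entries.append(Entry(network, scope, int(limit_id) if limit_id else None))
    return entries


def lookup(entries, client_ip):
    """Return the entry for a client, or None if nothing matches.

    Assumption: the most specific (longest-prefix) entry wins.
    """
    addr = ipaddress.ip_address(client_ip)
    matches = [
        e for e in entries
        if e.network.version == addr.version and addr in e.network
    ]
    return max(matches, key=lambda e: e.network.prefixlen, default=None)


def unlimited_entries(entries):
    """Entries with no IP limiting rule, which are excluded from limiting."""
    return [str(e.network) for e in entries if e.scope is None]


# The second example class list from this page.
PAGE_CLASS_LIST = """\
1.1.1.1 /32 lid 1
2.2.2.0 /24 lid 2
0.0.0.0 /0 lid 10
3.3.3.3 /32 glid 3
4.4.4.4 /32
"""

if __name__ == "__main__":
    parsed = parse_class_list(PAGE_CLASS_LIST)
    for ip in ("2.2.2.9", "3.3.3.3", "4.4.4.4", "9.9.9.9"):
        print(ip, lookup(parsed, ip))
    print("no limit attached:", unlimited_entries(parsed))
```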
This menu option displays the boot image location from which the system
image will be loaded the next time the ACOS device is rebooted.
The ACOS device always tries to boot using the Hard Disk first. The
Compact Flash is used only if the hard drive is unavailable. You can
select the primary or secondary image area on each boot device.
Table 153 lists the admin parameters displayed in the admin table.
The Admin section is displayed when you click Add or click on an admin
name.
Table 153 lists the parameters you can configure in this section.
This page enables you to configure a private partition for Application
Delivery Partitioning (ADP).
Note: For information about ADP, see the System Configuration and
Administration Guide.
Note: If you delete a partition, resources associated with the partition
are permanently deleted. This includes SSL certificates and keys, and
aFleX scripts. These resources are deleted even if you reload or reboot
without saving the configuration. In this case, the partition
configuration is restored but the resources are still gone.
The Partition table lists the private partitions that are configured on
the ACOS device. The partition name and the logo file associated with the
partition are shown.
The Partition section is displayed when you click Add or click on a partition
name.
Table 154 lists the parameters you can configure in this section.
Admin roles enable you to restrict the GUI options an admin is authorized
to use. For each GUI page, the admin role specifies whether the admin is
allowed to access (view) the page. If the admin is allowed to access the
page, the role specifies whether the admin has read-only or read-write
privileges for the page.
You can assign an admin to a preconfigured role or a custom role that you
configure. You also can customize the preconfigured roles. Table 155 lists
the preconfigured roles and the types of GUI page access allowed by each
one.
• 2 – ReadWriteAdmin
• 3 – SystemAdmin
• 4 – NetworkAdmin
• 5 – NetworkOperator
• 6 – SLBServiceAdmin
• 7 – SLBServiceOperator
• 8 – PartitionReadWrite
• 9 – PartitionNetworkOperator
• 10 – PartitionSLBServiceAdmin
• 11 – PartitionSLBServiceOperator
• 12 – PartitionReadOnly
The following letters indicate the access privileges for the GUI page:
• R – Read-only
• W – Read-write
Note: If you plan to use a custom role, first see “Configuring a Custom Role” on
page 450.
1. Select Config Mode > Settings > Admin > Administrator and click Add.
4. If configuring an RBA partition admin, select the partition from the
Partition drop-down list.
5. Click OK.
2. Click Add.
5. Click OK.
Config Mode > System > Admin > Object Access Control
This page provides configuration options for Object Access Control (OAC).
This page enables you to configure the admin lockout policy. Admin
lockout is a feature that disables an admin account after a specified
number of invalid login attempts (login attempts using the wrong
password).
To set the lockout policy, select the Lockout Policy menu option. The
Lockout Policy section appears.
Table 157 lists the parameters you can configure in this section.
Config Mode > System > Admin > External Authentication > General
This page enables you to configure authentication for admin access.
• Authentication Type – Specifies the authentication sources to be used
and the order in which to use them. You can specify one or more of the
following, in any order:
• Local (the local admin database on the ACOS device)
• RADIUS
• TACACS+
• LDAP
Note: By default, the settings applied above also apply to the console port. If
you leave the console authentication policy set to None, the settings above
are used.
• Disable Local – Disables automatic local authentication of the “admin”
account. Without this option, the “admin” account is always
authenticated locally, regardless of the authentication configuration
used for the other admin accounts.
5. Click on either the Enabled or Disabled radio button for the Login
Privilege Mode.
7. Click OK.
Document No.: D-030-01-00-0067 – ACOS 2.7.1 8/5/2013
A10 Thunder Series and AX Series—GUI Reference
Config Mode – System Options - Config Mode > System
Authentication Process
You can specify whether to check the local database or the remote server
first. Figure 37 and Figure 38 show the authentication processes used if the
ACOS device is configured to check remote AAA servers (RADIUS, LDAP
or TACACS+) first.
Config Mode > System > Admin > External Authentication >
RADIUS
This page enables you to configure RADIUS servers.
Table 158 lists the RADIUS server parameters you can configure.
Config Mode > System > Admin > External Authentication >
LDAP
This page enables you to configure the Lightweight Directory Access
Protocol (LDAP).
Config Mode > System > Admin > External Authentication >
TACACS+
Table 160 lists the TACACS+ server parameters you can configure.
Enables you to change the password for the admin account under which you
are currently logged in.
Note: This option takes effect only if there are no other open admin sessions
using the same admin name.
You can enable or disable management access, for individual access types
and interfaces. You also can use an ACL to permit or deny management
access through the interface by specific hosts or subnets.
2. To use an ACL to control access, select the ACL from the ACL drop-
down list in the row for the interface.
3. After selecting the settings for all the interfaces, click OK.
To reset the access settings to the defaults listed in Table 161, click Reset to
Default.
For example, if you disable Telnet access to a data interface, but you
also enable access to the interface using an ACL with permit rules, the
ACL permits Telnet (and all other) access to the interface, for traffic
that matches the permit rules in the ACL.
Each ACL has an implicit deny any rule at the end. If the management
traffic’s source address does not match a permit rule in the ACL, the
implicit deny any rule is used to deny access.
On data interfaces, you can disable or enable access to specific services and
also use an ACL to control access. However, on the management interface,
you can disable or enable access to specific services or control access using
an ACL, but you can not do both.
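Because a bound ACL can reopen a service that was disabled on a data interface, it is worth auditing the two settings together. The following Python sketch is an added example, not ACOS code: it models the behaviour described above, where a bound ACL decides access by source address, and flags the combinations an administrator would want to review. The dictionary layout, finding names and sample interfaces are hypothetical and constructed.

```python
import ipaddress


def acl_permits(acl, src_ip):
    """First-match evaluation with the implicit deny any rule at the end."""
    addr = ipaddress.ip_address(src_ip)
    for action, network in acl:
        if addr in ipaddress.ip_network(network):
            return action == "permit"
    return False


def access_allowed(iface, service, src_ip):
    """Effective management access for one service and one source address."""
    acl = iface.get("acl")
    if acl is not None:
        # A bound ACL decides on the source address alone: a permit match
        # allows every service, and anything else hits the implicit deny.
        return acl_permits(acl, src_ip)
    return iface.get("services", {}).get(service, False)


def audit(interfaces):
    """Return (interface, finding, services) tuples worth a manual review."""
    findings = []
    for name, iface in interfaces.items():
        acl = iface.get("acl")
        if acl is None:
            continue
        services = iface.get("services", {})
        if iface["kind"] == "management":
            # The management interface takes service settings or an ACL,
            # not both.
            if services:
                findings.append((name, "services-and-acl-both-set", sorted(services)))
            continue
        has_permit = any(action == "permit" for action, _ in acl)
        disabled = sorted(s for s, enabled in services.items() if not enabled)
        if has_permit and disabled:
            findings.append((name, "acl-reopens-disabled-services", disabled))
    return findings


# Constructed sample configuration; interface names and layout are
# hypothetical. "services" holds explicit enable/disable settings.
INTERFACES = {
    "ethernet 1": {
        "kind": "data",
        "services": {"ssh": True, "telnet": False, "https": True},
        "acl": [("permit", "10.20.0.0/16")],
    },
    "ethernet 2": {
        "kind": "data",
        "services": {"ssh": True, "telnet": False},
        "acl": None,
    },
    "management": {
        "kind": "management",
        "services": {"telnet": False},
        "acl": [("permit", "192.0.2.0/24")],
    },
}

if __name__ == "__main__":
    for finding in audit(INTERFACES):
        print(finding)
    print(access_allowed(INTERFACES["ethernet 1"], "telnet", "10.20.5.5"))
```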
Note: You do not need to configure Daylight Savings Time. The ACOS device
automatically adjusts the time for Daylight Savings Time based on the
timezone you select.
Note: If you change the ACOS timezone or system time, the statistical database
is cleared. This database contains general system statistics (performance,
and CPU, memory, and disk utilization) and SLB statistics. For example,
in the GUI, the graphs displayed on the Monitor Mode > Overview page
are cleared.
Note: If the system clock is adjusted while OSPF or IS-IS is enabled, the routing
protocols may stop working properly. To work around this issue, disable
OSPF and IS-IS before adjusting the system clock.
This page enables you to configure the system time and date. You can use
one of the following methods:
• Set the ACOS device to synchronize with a Network Time Protocol
(NTP) server.
• Set the ACOS device to synchronize with the local system time on the
PC you are using to access the GUI.
• Manually set the date and time.
• Community
• Trap
• Trap List
Notes
• Some traps are triggered by a configurable threshold. The thresholds in
the trap descriptions below are the default thresholds. To change an
event threshold, use the monitor command at the global configuration
level of the CLI.
• You can configure SNMPv1 and v2c settings using the GUI. To configure
SNMPv3 settings, use the CLI.
• The System Drop Packet trap is not applicable to some device types.
The trap is applicable to hardware-based ACOS models and SoftAX.
This menu option displays the Upgrade page, which you can use to upgrade
the system image on the ACOS device.
Note: For complete upgrade instructions, see the release notes for the software
release to which you plan to upgrade.
The Local and Remote location options work the same as described in
Table 164 on page 469.
Config Mode > System > Maintenance > Restore > System
You can restore the A10 Thunder Series and AX Series to a saved backup
configuration from a previously saved backup file on either a local or a
remote host.
This option displays a page for selecting the location from where to restore
the ACOS configuration. This option restores the startup-config file, aFleX
files, and SSL certificates and keys saved in the system backup.
The Local and Remote location options work the same as described in
Table 164 on page 469.
Note: Reload option – When performing a restore, allow five minutes for the
backup procedure to complete, during which time the system performs a
full reload and will be offline. The actual time may vary depending on
system parameters.
To install a license, copy-and-paste the license key into the License field
and click Update.
Note: The maximum size of a configuration file that you can add or modify is
256 kB.
You can use this page to perform the following configuration management
tasks:
• Display individual configuration files.
4. To use another configuration file as a template, select the file from the
Copy drop-down list.
6. Click OK.
4. Click OK.
3. Click Delete.
3. Click Diff.
Note: Before configuring this feature, see the “Virtual Chassis System” chapter
in the System Configuration and Administration Guide.
Notes
• Access to configuration options will vary with your administrative role
and system configuration of the ACOS device. For information on the
privilege level of administrative roles, see “Preconfigured GUI Access
Roles” on page 447.
• Before configuring any HA options, see the “High Availability” chapter
in the System Configuration and Administration Guide for detailed
information about how HA works and how to configure it.
• Beginning in ACOS Release 2.7.0, heartbeat messages in Layer 2 Inline
mode deployments are sent in unicast packets with the unicast MAC
address and unicast IP address of the peer ACOS device in the HA pair.
They no longer are sent in IP multicast packets addressed to IP multicast
destination MAC and IP addresses. Like previous releases, they also are
not sent as broadcasts.
This applies to all models. This change does not require any
configuration changes and should not affect the operation of your HA
deployment.
• Group
• Floating IP Address
• Status Check
Table 168 lists the configuration options in the General section for HA
inline mode.
This page enables you to synchronize the Layer 4-7 configuration
information on the ACOS devices in an HA pair.
Requirements
Session synchronization (connection mirroring) is required for config sync.
Config sync uses the session synchronization link. To enable session
synchronization, see “Config Mode > System > HA > Global” on page 477.
SSH management access must be enabled on both ends of the link. (See
“Config Mode > System > Settings > Access Control” on page 460.)
Note: This option is applicable only if you are logged on with Root or Super
Admin privileges.
• GSLB
• Data files (see below)
The items listed above that appear in the configuration file are
copied to the other ACOS device’s running-config.
• Data Files – Copies only the SSL certificates and private-key files,
aFleX files, External health check files, and black/white-list files to
the other ACOS device.
• Running-config – Copies everything listed for the All option, except
the data files, from this ACOS device’s running-config
• Startup-config – Copies everything listed for the All option, except
the data files, from this ACOS device’s startup-config
Note: In some cases, reload either is automatic or is not allowed. See the
“Synchronizing HA Information” section in the “High Availability” chapter
of the System Configuration and Administration Guide.
7. Click OK.
Notes
• VRRP-A is supported only on ACOS devices that are deployed in gateway
(route) mode. Transparent mode (inline) deployments are not supported.
For transparent/inline deployments, use the High Availability (HA)
feature instead.
• Access to configuration options will vary with your administrative role
and system configuration of the ACOS device. For information on the
privilege level of administrative roles, see “Preconfigured GUI Access
Roles” on page 447.
• VRRP-A is the A10 Networks implementation of the High Availability
protocol that is completely different from the industry-standard
implementation of Virtual Router Redundancy Protocol (VRRP). For
purposes of operational familiarity, it borrows concepts from VRRP, but
is significantly different from VRRP. VRRP-A will not inter-operate with
VRRP.
In this release, VRRP-A, a High Availability (HA) implementation, is
mutually exclusive of the HA feature and is configured separately and
not as part of the HA functionality.
• VRID
• Floating IP Address
• VRRP-A Tracking
Table 170 lists the configuration options in the VRRP-A Global section.
When you click on an interface name, the VRRP-A Interface section is
displayed.
Table 171 lists the configuration options in the VRRP-A Interface section.
Config Mode > VRRP-A > Setting > Failover Policy Template
This page allows you to view and create Failover Policy Templates. In
response to policy-based failover, the weight assigned to an event is
deducted from the total weight of the ACOS device and is used to determine
the Active/Standby status of devices within a pair.