
Graphical User Interface Reference

A10 Thunder™ Series and AX Series

Document No.: D-030-01-00-0067


ACOS 2.7.1 8/5/2013
© 2013 A10 Networks, Inc. - All Rights Reserved
Information in this document is subject to change without notice.

Trademarks
A10 Networks, A10 Thunder, vThunder, the A10 logo, aACI, aCloud, ACOS, aDCS, aDNS, aELB, aFleX, aFlow, aGalaxy,
aPlatform, aUSG, aVCS, aWAF, aXAPI, IDAccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX, Thunder, Unified Service
Gateway, Virtual Chassis, VirtualADC, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All
other trademarks are property of their respective owners.

Patents Protection
A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents
pending: 20120216266, 20120204236, 20120179770, 20120144015, 20120084419, 20110239289, 20110093522,
20100235880, 20100217819, 20090049537, 20080229418, 20080148357, 20080109887, 20080040789, 20070283429,
20070282855, 20070271598, 20070195792, 20070180101, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235,
8151322, 8079077, 7979585, 7716378, 7675854, 7647635, 7552126

Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas
herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written
consent of A10 Networks, Inc.

A10 Networks Inc. Software License and End User Agreement


Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees
to treat Software as confidential information.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA),
provided later in this document or available separately. Customer shall not:
1) reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means
2) sublicense, rent or lease the Software.

Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services,
including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to
verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information
is provided "as-is." The product specifications and features described in this publication are based on the latest
information available; however, specifications are subject to change without notice, and certain features may not be available
upon initial product release. Contact A10 Networks for current information regarding its products or services. A10
Networks’ products and services are subject to A10 Networks’ standard terms and conditions.

Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types,
please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal
of electronic components in your area.

Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10
Networks location, which can be found by visiting www.a10networks.com.
Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid A10
Networks Regular and Technical Support service contracts, the A10 Networks
Technical Assistance Center provides support services online and
over the phone.

Corporate Headquarters

A10 Networks, Inc.
3 West Plumeria Dr
San Jose, CA 95134 USA

Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support – toll-free in USA)
Tel: +1-408-325-8676 (support – direct dial)
Fax: +1-408-325-8666

www.a10networks.com

Collecting System Information


Your A10 Networks device provides a simple method to collect configuration
and status information for Technical Support to use when diagnosing
system issues.

To collect system information, use either of the following methods.

USING THE GUI (RECOMMENDED)


1. Log into the GUI.
2. On the main page (Monitor Mode > Overview > Summary), click
. This option downloads a text log file.

3. Email the file as an attachment to support@a10networks.com.

USING THE CLI


1. Log into the CLI.
2. Enable logging in your terminal emulation application, to capture output
generated by the CLI.
3. Enter the enable command to access the Privileged EXEC mode of the
CLI. Enter your enable password at the Password prompt.
4. Enter the show techsupport command.
5. After the command output finishes, save the output in a text file.
6. Email the file as an attachment to support@a10networks.com.

Note: As an alternative to saving the output in a log file captured by your terminal
emulation application, you can export the output from the CLI using
the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the CLI Reference for the software version
you are running.)

About This Document

This document describes features of the A10 Networks Advanced Core
Operating System (ACOS). These features are supported on the following
product lines:
• A10 Thunder™ Series Unified Application Service Gateway

• AX Series Advanced Traffic Manager / Application Delivery Controller.

FIGURE 1 A10 Thunder 6430

FIGURE 2 AX 5630

For details about feature support on specific models, see the release notes.

User Documentation
Information is available for ACOS products in the following documents.
These documents are included on the documentation CD shipped with your
product, and also are available on the A10 Networks support site.

Basic Setup
• Installation Guides

• System Configuration and Administration Guide

Security Guides
• Management Access Security Guide

• Application Access Management and DDoS Mitigation Guide

• Web Application Firewall Guide

Application Delivery Guides
• Application Delivery and Server Load Balancing Guide

• Global Server Load Balancing Guide

References
• LOM Reference

• GUI Reference

• CLI Reference

• aFleX Reference

• MIB Reference

• aXAPI Reference

Make sure to use the basic deployment instructions in the Installation Guide
for your Thunder or AX model, and in the System Configuration and
Administration Guide. Also make sure to set up your device’s Lights Out
Management (LOM) interface, if applicable.

Note: Some guides include GUI configuration examples. In these examples,
some GUI pages may have new options that are not shown in the example
screen images. In these cases, the new options are not applicable to the
examples. For information about any option in the GUI, see the GUI Reference
or the GUI online help.

Audience
This document is intended for use by network architects for determining
applicability and planning implementation, and for system administrators
for provision and maintenance of A10 Networks products.

Documentation Updates
Updates to these documents are published periodically to the A10 Networks
support site, on an updated documentation CD (posted as a zip archive). To
access the latest version, please log onto your A10 support account.

http://www.a10networks.com

A10 Virtual Application Delivery Community


You can use your A10 support login to access the A10 Virtual Application
Delivery Community (VirtualADC). The VirtualADC is an interactive
forum where you can find detailed information from product specialists.
You also can ask questions and leave comments. To access the VirtualADC,
navigate here:

http://www.a10networks.com/adc/

Contents

Obtaining Technical Assistance 3


Collecting System Information...............................................................................................................3

About This Document 5


User Documentation................................................................................................................................6
Audience...................................................................................................................................................7
Documentation Updates .........................................................................................................................7
A10 Virtual Application Delivery Community........................................................................................7

Introduction 17
Login.......................................................................................................................................................17
Redirection of HTTP to HTTPS .....................................................................................................20
GUI Features ..........................................................................................................................................21
Mode Tabs and Module Buttons ..................................................................................................21
Menus .............................................................................................................................................23
Main Display Area ..........................................................................................................................24
Global Buttons ...............................................................................................................................24
Save .............................................................................................................................................24
Logout ..........................................................................................................................................24
Help ..............................................................................................................................................24
Show Techsupport .......................................................................................................................24
VRRP-A/HA ..................................................................................................................................25
Action Buttons ...............................................................................................................................26
Tabular Displays ............................................................................................................................27
Action Buttons ..............................................................................................................................27
Navigation Controls ......................................................................................................................28
Display Filters ...............................................................................................................................28
Sorting and Filtering SLB Displays on Monitor Pages ..................................................................29
Configuration Pages ......................................................................................................................30
Graph Display Options ..................................................................................................................32
Data Refresh ................................................................................................................................32
Time Span ....................................................................................................................................33
Web Timeout ..........................................................................................................................................34
System Partitions ..................................................................................................................................34
Option Visibility .....................................................................................................................................35

Monitor Mode 37
Monitor Modules.................................................................................................................................... 37
Monitor Menu Tree ................................................................................................................................ 39
Monitor Mode > Overview..................................................................................................................... 41
Monitor Mode > Overview > Summary ........................................................................................ 41
System Information ...................................................................................................................... 42
Device Information ....................................................................................................................... 43
Feature Configuration .................................................................................................................. 43
CPU Usage Chart ........................................................................................................................ 45
Memory Usage Chart ................................................................................................................... 45
Monitor Mode > Overview > Status .............................................................................................. 46
Virtual Server Status .................................................................................................................... 46
System Log .................................................................................................................................. 47
Monitor Mode > Overview > Statistics ......................................................................................... 48
Monitor Mode > Overview > Performance ................................................................................... 49
Monitor Mode > Overview > Performance > Summary ................................................................ 49
Monitor Mode > Overview > Performance > Overview ................................................................ 50
Monitor Mode > Overview > Performance > Connection ............................................................. 50
Monitor Mode > Overview > Performance > Attack Prevention ................................................... 50
Monitor Mode > SLB.............................................................................................................................. 51
Monitor Mode > SLB > Service ..................................................................................................... 51
SLB Graphs ................................................................................................................................. 52
Monitor Mode > SLB > Service > Virtual Server .......................................................................... 54
Monitor Mode > SLB > Service > Virtual Service ......................................................................... 55
Monitor Mode > SLB > Service > Service Group ......................................................................... 56
Monitor Mode > SLB > Service > Server ..................................................................................... 57
Monitor Mode > SLB > Health Monitor ........................................................................................ 58
Monitor Mode > SLB > Black-White List ..................................................................................... 59
Monitor Mode > SLB > Black-White List > Statistics .................................................................... 59
Monitor Mode > SLB > aFleX ........................................................................................................ 62
Monitor Mode > SLB > Session .................................................................................................... 63
Monitor Mode > SLB > Session > Brief ........................................................................................ 63
Monitor Mode > SLB > Session > Session .................................................................................. 65
Monitor Mode > SLB > Application .............................................................................................. 67
Monitor Mode > SLB > Application > Proxy > Generic ................................................................. 67
Monitor Mode > SLB > Application > Proxy > Fast-HTTP ............................................................ 68
Monitor Mode > SLB > Application > Proxy > HTTP .................................................................... 69
Monitor Mode > SLB > Application > Proxy > SMTP ................................................................... 71
Monitor Mode > SLB > Application > Proxy > TCP ...................................................................... 72
Monitor Mode > SLB > Application > Proxy > DNS Cache .......................................................... 73
Monitor Mode > SLB > Application > Proxy > Diameter ............................................................... 74

Monitor Mode > SLB > Application > Proxy > SIP ........................................................................76
Monitor Mode > SLB > Application > Proxy > SMPP ...................................................................77
Monitor Mode > SLB > Application > Proxy > FIX ........................................................................82
Monitor Mode > SLB > Application > Proxy > Mysql ....................................................................83
Monitor Mode > SLB > Application > Proxy > Mssql ....................................................................84
Monitor Mode > SLB > Application > Connection Reuse .............................................................85
Monitor Mode > SLB > Application > Persistent ...........................................................................85
Monitor Mode > SLB > Application > SSL ....................................................................................86
Monitor Mode > SLB > Application > RAM Caching > Details .....................................................88
Monitor Mode > SLB > Application > RAM Caching > Objects ....................................................90
Monitor Mode > SLB > Application > RAM Caching > Replacement ...........................................91
Monitor Mode > SLB > Application > FTP ....................................................................................91
Monitor Mode > SLB > Application > Net .....................................................................................92
Monitor Mode > SLB > Application > Switch ................................................................................95
Monitor Mode > SLB > Application > Hashed Certificate .............................................................97
Monitor Mode > GSLB ...........................................................................................................................97
Monitor Mode > Security.......................................................................................................................98
Monitor Mode > Security > WAF ...................................................................................................98
Monitor Mode > Security > Authentication ................................................................................102
Monitor Mode > Security > ACL .................................................................................................104
Monitor Mode > Security > ACL > IPv4 ACL .............................................................................104
Monitor Mode > Security > ACL > IPv6 ACL .............................................................................105
Monitor Mode > IP Source NAT ..........................................................................................................105
Monitor Mode > IP Source NAT > Pool ......................................................................................105
Monitor Mode > IP Source NAT > Static NAT ............................................................................106
Monitor Mode > Network.....................................................................................................................107
Monitor Mode > Network > Interface ..........................................................................................107
Statistics Table ...........................................................................................................................107
Statistics Graphs ........................................................................................................................108
Changing the Date and Time Span of the Statistics ...................................................................108
Refreshing Statistics ...................................................................................................................109
Clearing Statistics .......................................................................................................................109
Monitor Mode > Network > Trunk ...............................................................................................109
Monitor Mode > Network > LACP ...............................................................................................110
Monitor Mode > Network > LACP > System ID ..........................................................................110
Monitor Mode > Network > LACP > Counter ..............................................................................110
Monitor Mode > Network > LACP > Trunk .................................................................................110
Monitor Mode > Network > VLAN ...............................................................................................111
Monitor Mode > Network > ARP .................................................................................................111
Monitor Mode > Network > ARP > IPv4 ARP .............................................................................111
Monitor Mode > Network > ARP > IPv6 Neighbor ......................................................................112

Monitor Mode > Network > Route .............................................................................................. 113


Monitor Mode > Network > Route > IPv4 Route Table .............................................................. 113
Monitor Mode > Network > Route > IPv4 Forwarding ................................................................ 114
Monitor Mode > Network > Route > IPv6 Forwarding ................................................................ 114
Monitor Mode > System...................................................................................................................... 115
Monitor Mode > System > Admin ............................................................................................... 115
Monitor Mode > System > Admin > Admin Session ................................................................... 115
Monitor Mode > System > Admin > Admin Locked .................................................................... 116
Monitor Mode > System > Logging ............................................................................................ 116
Monitor Mode > System > Logging > Logging ........................................................................... 116
Monitor Mode > System > Logging > Audit ................................................................................ 117
Monitor Mode > System > Diagnosis ......................................................................................... 118
Monitor Mode > System > Diagnosis > AXDebug File ............................................................... 118
Monitor Mode > System > Diagnosis > AXDebug Config .......................................................... 119
Monitor Mode > System > Diagnosis > AXDebug Capture ........................................................ 119
Monitor Mode > System > Diagnosis > ShowTech File ............................................................. 123
Monitor Mode > System > Diagnosis > Show Techsupport ....................................................... 123
Monitor Mode > System > aVCS ................................................................................................ 124
Monitor Mode > System > aVCS > Summary ............................................................................ 124
Monitor Mode > System > aVCS > Statistics ............................................................................. 124
Monitor Mode > System > aVCS > Images ................................................................................ 124
Monitor Mode > System > HA ..................................................................................................... 125
Monitor Mode > System > HA > Group ...................................................................................... 125
Monitor Mode > System > HA > Status ...................................................................................... 126
Monitor Mode > System > HA > Set ID Monitor ......................................................................... 127
Monitor Mode > System > VRRP-A ............................................................................................ 127
Monitor Mode > System > VRRP-A > VRID ............................................................................... 127
Monitor Mode > System > VRRP-A > Status ............................................................................. 128
Monitor Mode > System > VRRP-A > Set ID Monitor ................................................................ 129
Monitor Mode > System > VRRP-A > Host ID ........................................................................... 129

Config Mode 131


Config Modules ................................................................................................................................... 131
Config Menu Tree ................................................................................................................................ 133
Config Mode > Get Started ................................................................................................................. 135
Config Mode > Get Started > Basic System .............................................................................. 136
Config Mode > Get Started > Smart Template .......................................................................... 137
Creating an Application .............................................................................................................. 142
Configuration Example ............................................................................................................... 144
Customizing an Application Configuration ................................................................................. 146

Config Mode – SLB Options 149


Config Mode > SLB..............................................................................................................................149
Config Mode > SLB > Service .....................................................................................................149
Config Mode > SLB > Service > Virtual Server ..........................................................................149
Config Mode > SLB > Service > Virtual Service .........................................................................161
Config Mode > SLB > Service > Service Group .........................................................................162
Config Mode > SLB > Service > Server .....................................................................................171
Config Mode > SLB > Service > Template .................................................................................178
Config Mode > SLB > Service > Class List ................................................................................196
Config Mode > SLB > Service > GLID ........................................................................................203
Config Mode > SLB > Service > Global ......................................................................................206
Config Mode > SLB > Template ..................................................................................................212
Config Mode > SLB > Template > Application > HTTP ..............................................................213
Config Mode > SLB > Template > Application > RAM Caching .................................................221
Config Mode > SLB > Template > Application > SMTP .............................................................224
Config Mode > SLB > Template > Application > SIP .................................................................226
Config Mode > SLB > Template > Application > RTSP ..............................................................231
Config Mode > SLB > Template > Application > Diameter .........................................................232
Config Mode > SLB > Template > Application > Logging ..........................................................235
Config Mode > SLB > Template > Application > External Service .............................................235
Config Mode > SLB > Template > Application > FIX ..................................................................237
Config Mode > SLB > Template > Application > SMPP .............................................................239
Config Mode > SLB > Template > Application > DBLB ..............................................................240
Config Mode > SLB > Template > Connection Reuse ...............................................................240
Config Mode > SLB > Template > L4 > TCP ..............................................................................242
Config Mode > SLB > Template > L4 > UDP .............................................................................244
Config Mode > SLB > Template > Persistent > Cookie Persistence ..........................................246
Config Mode > SLB > Template > Persistent > Destination IP Persistence ...............................248
Config Mode > SLB > Template > Persistent > Source IP Persistence .....................................250
Config Mode > SLB > Template > Persistent > SSL Session ID Persistence ............................253
Config Mode > SLB > Template > SSL > Client SSL .................................................................254
Config Mode > SLB > Template > SSL > Server SSL ................................................................261
Config Mode > SLB > Template > SSL > SSL Cipher ................................................................264
Config Mode > SLB > Template > TCP Proxy ............................................................................266
Config Mode > SLB > Health Monitor ........................................................................................270
Config Mode > SLB > Health Monitor Mode > Health Monitor ...................................................270
Config Mode > SLB > Health Monitor > External Program .........................................................284
Config Mode > SLB > Health Monitor > Health HTTP Post File .................................................284
Config Mode > SLB > Health Monitor Mode > Global ................................................................285
Config Mode > SLB > Black-White List ......................................................................................287
Config Mode > SLB > aFleX ........................................................................................................289


Config Mode > SLB > SSL Management ................................................................................... 289


Config Mode > SLB > SSL Management > Certificate ............................................................... 290
Config Mode > SLB > SSL Management > Cert Revocation List .............................................. 294
Config Mode > SLB > SSL Management > Expiration Mail ....................................................... 295
Config Mode > SLB > Network Map ........................................................................................... 296

Global Server Load Balancing 299


GSLB Easy Config............................................................................................................................... 299
Configuring GSLB ...................................................................................................................... 300
Configuration Example ............................................................................................................... 302
Monitor Mode – GSLB......................................................................................................................... 306
Monitor Mode > GSLB > Site ..................................................................................................... 306
Monitor Mode > GSLB > Zone ................................................................................................... 307
Monitor Mode > GSLB > Protocol .............................................................................................. 307
Config Mode – GSLB Service Options .............................................................................................. 308
Config Mode > GSLB > FQDN ................................................................................................... 308
Config Mode > GSLB > FQDN Group ........................................................................................ 312
Config Mode > Service > GSLB > Zone ..................................................................................... 314
Config Mode > Service > GSLB > Site ....................................................................................... 320
Config Mode > GSLB > Service IP ............................................................................................. 325
Config Mode > GSLB > DNS Proxy ........................................................................................... 326
Config Mode > Service > GSLB > Geo-location ........................................................................ 329
Config Mode > Service > GSLB > Policy ................................................................................... 331
Config Mode > Service > GSLB > Global .................................................................................. 342

Config Mode – Security Options 345


Config Mode > Security ...................................................................................................................... 345
Config Mode > Security > WAF .................................................................................................. 347
Config Mode > Security > WAF > Bind ...................................................................................... 347
Config Mode > Security > WAF > Template .............................................................................. 349
Config Mode > Security > WAF > Definition .............................................................................. 354
Config Mode > Security > Authentication ................................................................................. 356
Config Mode > Security > Authentication > Bind ....................................................................... 356
Config Mode > Security > Authentication > Template ................................................................ 357
Config Mode > Security > Authentication > Server .................................................................... 358
Config Mode > Security > Authentication > Logon ..................................................................... 360
Config Mode > Security > Authentication > Relay ..................................................................... 361
Config Mode > Security > Authentication > Portal ..................................................................... 362


Config Mode > Security > Template ...........................................................................................363


Config Mode > Security > Template > Policy .............................................................................364
Config Mode > Security > Template > DNS Firewall ..................................................................369
Config Mode > Security > Network ............................................................................................372
Config Mode > Security > Network > ACL ..................................................................................372
Config Mode > Security > Network > DDos Protection ..............................................................382
Config Mode > Security > Network > ICMP Rate Limiting ..........................................................383

Config Mode – IP Source NAT Options 385


Config Mode > IP Source NAT ............................................................................................................385
Config Mode > IP Source NAT > IPv4 Pool ................................................................................387
Config Mode > IP Source NAT > IPv6 Pool ................................................................................388
Config Mode > IP Source NAT > Group .....................................................................................389
Config Mode > IP Source NAT > ACL Bind ...............................................................................390
Config Mode > IP Source NAT > Interface .................................................................................391
Config Mode > IP Source NAT > NAT Range ............................................................................391
Config Mode > IP Source NAT > Static NAT ..............................................................................392
Config Mode > IP Source NAT > Global .....................................................................................393

Config Mode – Network Options 397


Config Mode > Network.......................................................................................................................397
Config Mode > Network > Interface ............................................................................................397
Config Mode > Network > Interface > LAN .................................................................................398
Config Mode > Network > Interface > Management ...................................................................404
Config Mode > Network > Interface > Transparent ....................................................................407
Config Mode > Network > Interface > Virtual .............................................................................407
Config Mode > Network > Interface > Global .............................................................................410
Config Mode > Network > Trunk .................................................................................................411
Config Mode > Network > LACP .................................................................................................412
Config Mode > Network > VLAN .................................................................................................413
Config Mode > Network > VLAN > VLAN ...................................................................................413
Config Mode > Network > VLAN > MAC ....................................................................................414
Config Mode > Network > VLAN > Global ..................................................................................414
Config Mode > Network > ARP ...................................................................................................415
Config Mode > Network > ARP > IPv4 .......................................................................................415
Config Mode > Network > ARP > IPv6 Neighbor .......................................................................416
Config Mode > Network > ARP > Global ....................................................................................416
Config Mode > Network > Route ................................................................................................416
Config Mode > Network > Route > IPv4 Static ...........................................................................416
Config Mode > Network > Route > IPv6 Static ...........................................................................417
Config Mode > Network > DNS ...................................................................................................418
Config Mode > Network > BPDU-Fwd-Group ............................................................................418


Config Mode – System Options 421


Config Mode > System........................................................................................................................ 421
Config Mode > System > Settings ............................................................................................. 421
Config Mode > System > Settings > Web .................................................................................. 421
Config Mode > System > Settings > Web Certificate ................................................................. 423
Config Mode > System > Settings > Terminal > CLI .................................................................. 425
Config Mode > System > Settings > Terminal > Banner ............................................................ 426
Config Mode > System > Settings > Log ................................................................................... 427
Config Mode > System > Settings > General ............................................................................. 432
Config Mode > System > Settings > Boot .................................................................................. 441
Config Mode > System > Settings > Action ............................................................................... 441
Config Mode > System > Admin ................................................................................................ 442
Config Mode > System > Admin > Administrator ....................................................................... 442
Config Mode > System > Admin > Partition ............................................................................... 445
Config Mode > System > Admin > Role ..................................................................................... 446
Config Mode > System > Admin > Object Access Control ......................................................... 450
Config Mode > System > Admin > Lockout Policy ..................................................................... 451
Config Mode > System > Admin > External Authentication ....................................................... 452
Authentication Process .............................................................................................................. 454
Config Mode > System > Admin > Change Password ............................................................... 459
Config Mode > System > Settings > Access Control ............................................................... 460
Config Mode > System > Settings > Time ................................................................................. 461
Config Mode > System > SNMP ................................................................................................. 463
Config Mode > System > Maintenance ...................................................................................... 469
Config Mode > System > Maintenance > Upgrade .................................................................... 469
Config Mode > System > Maintenance > Backup ...................................................................... 471
Config Mode > System > Maintenance > Restore > System ..................................................... 471
Config Mode > System > Maintenance > License ..................................................................... 472
Config Mode > System > Console ............................................................................................. 472
Config Mode > System > Config File ......................................................................................... 472
Config Mode > System > aVCS .................................................................................................. 474
Config Mode > System > aVCS > General ................................................................................ 474
Config Mode > System > aVCS > Settings ................................................................................ 474
Config Mode > System > HA ...................................................................................................... 476
Config Mode > System > HA > Global ....................................................................................... 477
Config Mode > HA > Setting > HA Inline Mode .......................................................................... 480
Config Mode > HA > Setting > HA Interface .............................................................................. 481
Config Mode > HA > Config Sync .............................................................................................. 483
Config Mode > System > VRRP-A .............................................................................................. 485
Config Mode > System > VRRP-A > VRRP-A Global ................................................................ 485
Config Mode > System > VRRP-A > VRRP-A Interface ............................................................ 489
Config Mode > VRRP-A > Setting > Failover Policy Template .................................................. 490


Introduction

The A10 Thunder Series and AX Series GUI enables you to manage the
device with a Web browser. The GUI runs as a Web server on the ACOS
device.
Table 1 lists the browser versions supported by the ACOS management GUI
in this release.

TABLE 1 GUI Browser Support

                          Platform
Browser                   Windows          Linux        MAC
IE 6.0-9.0                Supported        N/A          N/A
Firefox 3.5 and higher    Supported        Supported    N/A
Safari 3.0 and above      Not Supported    N/A          Supported
Chrome 5.0 and above      Supported        Supported    Supported

The browser used to access the GUI must support encryption keys of 128
bits or longer. Shorter encryption keys (for example, 40 bits) are not
supported. The browser also must support TLS 1.0. Beginning in ACOS
Release 2.6.1-P1, browsers that support only SSL are not supported.

A screen resolution of at least 1024x768 is required for the GUI to be
displayed correctly.

After you upgrade the ACOS device, clear the browser cache to ensure
proper display of the GUI.

Login
To access the GUI:
1. In a Web browser, enter https://ip-addr, where ip-addr is the IP address
of the ACOS device.
A login dialog appears, as shown in Figure 2.
2. Enter a valid user name and password and click OK.
• Default user name: admin
• Default password: a10


FIGURE 2 Login

Note: The ACOS device has a default admin user name and password. A10
Networks recommends that you change the password when you first deploy
the switch.

After successful login, the Summary screen is displayed, as shown in
Figure 3. The Summary screen provides a high-level view of the AX
configuration and status.


FIGURE 3 Monitor Mode > Overview > Summary

The GUI consists of the following main components:
• Mode tabs – Monitor Mode and Config Mode
• Module buttons – use to select a feature area (module) on the ACOS
device
• Menus – move the mouse over a menu to view its commands
• Main display area – where monitoring and configuration is performed
and where management information is displayed
• Global buttons – Save, Logout and Help are always available

These components are described further in “GUI Features” on page 21.


Notes
• The ACOS device supports a maximum of 128 simultaneous management
sessions. This includes any combination of CLI, GUI, and aXAPI
sessions.
• GUI management sessions are not automatically terminated when you
close the browser window. The session remains in effect until it times
out. To immediately terminate a GUI session, click Logout.
• On this page and on the option menus, “GSLB” options appear only if
you are running a software version that includes Global Server Load
Balancing (GSLB).

Redirection of HTTP to HTTPS


By default, redirection of HTTP to HTTPS is enabled for access to the
management GUI. As a result, even if both HTTP and HTTPS web access are
enabled on an ACOS device interface, HTTP requests sent to the interface
will be redirected to HTTPS.

To disable redirection of HTTP to HTTPS, enter the following command at
the global configuration level of the CLI:
no web-service auto-redir

If you are already logged into the GUI and want to change the setting for the
next login, you can disable redirection from within the GUI:
1. Select Config Mode > System > Settings.

2. In the Web section of the page, click on the Re-direct HTTP to HTTPS
checkbox to deselect the option.

3. Click OK.
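
To confirm from a management workstation which behaviour is in effect, the following added example (not part of the A10 documentation) sends one plaintext request, without following redirects, and reports whether the answer is a redirect to HTTPS. The function names, verdict strings, accepted status codes and the local stub server are assumptions made for the example.

```python
"""Added example: classify how a management address answers plaintext HTTP."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Assumption: any standard redirect status counts; the page does not say
# which status code the ACOS GUI uses for its HTTP-to-HTTPS redirect.
REDIRECT_CODES = {301, 302, 303, 307, 308}


def check_http_redirect(host, port=80, path="/", timeout=5.0):
    """Send one plaintext GET (redirects are not followed) and classify it.

    Returns (verdict, detail) where verdict is one of:
      "redirects-to-https"  - redirect whose Location uses the https scheme
      "redirects-elsewhere" - redirect to a non-HTTPS target
      "serves-plaintext"    - content returned over HTTP, no redirect
      "no-http-answer"      - nothing answered HTTP on that port
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        status = resp.status
        location = resp.getheader("Location") or ""
        resp.read()
    except (OSError, http.client.HTTPException) as exc:
        return ("no-http-answer", type(exc).__name__)
    finally:
        conn.close()

    if status in REDIRECT_CODES:
        if urlsplit(location).scheme.lower() == "https":
            return ("redirects-to-https", location)
        return ("redirects-elsewhere", location or "(no Location header)")
    return ("serves-plaintext", "HTTP %d" % status)


def start_stub(redirect):
    """Constructed local stand-in for a management GUI, for offline runs."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if redirect:
                self.send_response(302)
                self.send_header("Location", "https://127.0.0.1/")
                self.send_header("Content-Length", "0")
                self.end_headers()
            else:
                body = b"constructed login page"
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the demo quiet

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Run the check against both stub behaviours; returns the two verdicts."""
    verdicts = []
    for redirect in (True, False):
        server = start_stub(redirect)
        try:
            port = server.server_address[1]
            verdicts.append(check_http_redirect("127.0.0.1", port)[0])
        finally:
            server.shutdown()
            server.server_close()
    return verdicts


if __name__ == "__main__":
    print(demo())
```

A "serves-plaintext" verdict on a management address means the login page, and therefore the admin credentials, can cross the network unencrypted.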


GUI Features
This section describes the display and configuration controls of the GUI.

Mode Tabs and Module Buttons


The left panel of the GUI has two Mode tabs (Monitor and Config) and
large module buttons for selecting the functional modules, as shown in
Figure 4. Depending on the privilege level configured for the admin who
logs in, some modules may not be available.

FIGURE 4 Modes – Monitor (left) and Config (right)


Module buttons are available on the following two Mode tabs:


• Monitor Mode – described in detail in “Monitor Mode” on page 37

• Config Mode – described in detail in “Config Mode” on page 131

After you click a mode tab, it darkens to indicate it is active. The inactive
mode is light. The available module buttons are listed on the left. The active
module shows the down arrow and its available sub-modules in light
blue beneath its down arrow.

Click sub-module hyperlinks to display information or input fields for that
sub-module. The hyperlink for the selected module is highlighted in red.

Note: Selecting a module button does not automatically select a sub-module
available under the module. The display area continues to contain the
information for the previously selected sub-module until you select a new
sub-module.

Shortcut Icon

Some sub-module hyperlinks have the following icon: The icon provides
a shortcut to the configuration page for the sub-module. For example,
if you click this icon next to the “aFleX” hyperlink, the aFleX configuration
page appears.

How Menu Paths Are Shown in This Document


In this document and other AX documents, to indicate the path you use to
navigate to a specific module, sub-module, and menu option, the selection
sequences are shown as follows:
• Mode > Module > Sub-Module > Menu

For example, to navigate to the SLB real server table as shown in Figure 5,
use the following path:
• Monitor Mode > SLB > Service > Server


FIGURE 5 Monitor Mode > SLB > Service > Server

Menus
The top panel contains the menu bar, to the right of the mode tabs. Menus
change depending on which module and sub-module are currently selected.
Some displays include tables or configuration pages. Others display
drop-down menus of actions or of additional options. The active menu bar
item is highlighted in yellow.

Figure 5 on page 23 shows the menu bar for Monitor Mode > SLB > Service.
In this example, the Server menu option is selected.


Main Display Area


This is where monitoring and configuration is performed and where
management information is displayed.

Global Buttons
The banner at the top of the GUI displays the Save, Logout and Help
buttons, which are always available from anywhere in the GUI.

FIGURE 6 Save, Logout, and Help Options

Note: If the GSLB group synchronization feature is enabled, the ACOS device’s
controller group status (role) appears next to the AX hostname.

Save

The Save button saves configuration changes that are in the running
configuration to the startup configuration file. When the running
configuration currently has unsaved changes, this button flashes red.
Click it to save changes that have been made since the last save.

Logout

Logout ends the current GUI session. Your login name is shown in
parentheses. In this example, the login name is “admin”.

Help

Clicking the Help button displays context-sensitive online help.

Show Techsupport

Clicking the Show Techsupport button generates a techreport log file of
system information for use when troubleshooting. (See “Obtaining Technical
Assistance” on page 3.)


VRRP-A/HA

Indicates the current Virtual Router Redundancy Protocol (VRRP-A) or
High Availability (HA) synchronization status of the ACOS device:
• Active

• Standby

• Not Configured

If VRRP-A or HA is configured, the status of synchronization between the
ACOS devices is also shown:
• Sync

• Not-Sync

Clicking on the status provides a shortcut to display VRRP-A/HA statistics,
and is equivalent to selecting Monitor Mode > VRRP-A > VRID or Monitor
Mode > HA > Group.

If both VRRP-A and HA are disabled, the status can appear as follows:
• Shared partition – HA:Not – Configured

• RBA partition – HA:Not – Configured

• L3V partition – Nothing is shown.

If VRRP-A is enabled, the status can appear as follows:


• Shared partition – VRRP-A:Active/Not-Sync

• RBA partition – VRRP-A:Not-Sync

• L3V partition – VRRP-A:Active/Not-Sync

If HA is enabled, the status can appear as follows:


• Shared partition – HA:Active/Not-Sync

• RBA partition – HA:Active/Not-Sync

• L3V partition – HA:Not-Sync


Action Buttons
Some lists of configuration items, such as the list of real servers, have the
following buttons:
• Add – Displays a page containing configuration fields for creating a new
item.
• Delete – Deletes the selected items. Select the checkbox next to each
item to be deleted, then click Delete.
• Edit – In most cases, displays a page that allows you to change specific
common parameters for all the selected items.
• Clone – Creates a copy of the selected item. Select the checkbox next to
the item to be cloned, then click Clone.
• Enable – Enables the selected items.

• Disable – Disables the selected items.

Note: Some pages have checkboxes to select individual items, as well as a
checkbox to select all items. The checkbox for selecting all items selects a
maximum of 500 items.

Most configuration pages have the following action buttons:
• OK – Adds the new item to the ACOS device’s running configuration
(running-config) and re-displays the table that lists the configured items.

Note: This action does not save configuration changes. To save changes, you
must write them to the startup configuration file. Select the Save option in
the upper right corner of the AX GUI window. (See “Save” on page 24.)
• Cancel – Cancels configuration of the new item and re-displays the table
that lists the configured items.


Tabular Displays
Data and configured items are displayed in tables such as the ones shown in
Figure 5 and Figure 7.

FIGURE 7 Example Tabular Display – Monitor Mode > SLB > Virtual Server

Generally, Monitor displays show statistics whereas Config displays show
configuration information. Some Monitor displays also have a Statistics
column, which contains icons you can click on to display graphs of the
statistics. (See “Graph Display Options” on page 32.)

Each tabular display has columns that list the names of the configuration
items. In some of the Config tabular displays, the names of the
configuration items are hyperlinks. You can click on the name of a
configuration item to display a configuration page for the item. You also
can perform actions on configuration items by selecting the checkboxes
next to the item names, then clicking an action button. (See Figure 5 on
page 23.)

Action Buttons
Most tabular displays for configuration items have the following action
buttons:
• Add – Displays a configuration page to add a new item. (Figure 11 on
page 31 shows an example.)
• Delete – Deletes the selected configuration items. To perform this
action, click on the checkboxes next to the items you want to delete,
then click Delete.

These buttons are located under the table.

A few displays have other action buttons. These are described where
applicable in the operational procedures in the System Configuration and
Administration Guide and Application Delivery and Server Load Balancing
Guide.


Navigation Controls
If a table has more items than can be displayed in a single page, the GUI
displays page navigation controls.

FIGURE 8 Page Navigation Controls

The summary buttons (the arrow buttons; start, left, right, and end) provide
browser-like navigation through the pages of table rows.

The numbers in brackets indicate the entry numbers displayed on the
current page. The number following the forward slash indicates the total
number of entries that match the display criteria (display filters).

The drop-down list specifies how many rows to display on a single page.
You can select one of the following: 50, 10, 20, 100, or Show All. The
default is 50.

Display Filters
Many tables also provide options to filter the display to show only the
entries you want to see. For example, the SLB real server table (shown in
Figure 5 on page 23) allows you to filter based on name, description, or
both. To filter the display:
1. Select the column by which to filter.

2. Enter a search string.

3. Click Find.

To find multiple, similar entries, you can enter the part of the name that is
common for all entries. For example, to display all servers that have “rs” in
the name, make the selections shown in Figure 9.


FIGURE 9 Display Filter Example

Sorting and Filtering SLB Displays on Monitor Pages

The following Monitor pages provide advanced display filtering options:


• Monitor Mode > Overview > Status

• Monitor Mode > SLB > SLB > Virtual Server

• Monitor Mode > SLB > SLB > Virtual Service

• Monitor Mode > SLB > SLB > Service Group

• Monitor Mode > SLB > SLB > Server

By default, the rows in the tables displayed on these pages are sorted
alphabetically by name, in ascending order. For example, the Virtual Server
list is sorted by virtual server name. (See Figure 7 on page 27.)

Resorting by Column
To resort the table rows, click on the up or down icons in the column
headers.

Filtering By Name
To filter the display by name:
1. Enter part of a name in the field above the Name column.

2. Make sure “Name” is selected in the filter drop-down list.

3. Click on the looking glass icon or press Enter.

To redisplay all rows, clear the filter field, then click on the looking glass
icon or press Enter.


Filtering By Status
To filter the display by a single status value:
1. Select “Status” from the filter drop-down list. The drop-down list to the
right is populated with the possible device status values.

2. Select a status value from the drop-down list.

To filter by more than one status value:


1. Select Advanced to display checkboxes for the status values.

2. Select the checkbox for each status to display.

3. Click on the looking glass icon or press Enter.

4. To save the advanced filter settings for future use, enter a name in the
field to the right of the Remember button, and click Remember.
The filter name is added to the status values in the drop-down list.

To delete a saved set of advanced filter settings, select the name from the
status drop-down list, then click Delete.

Note: Filtering by status is not supported on the Monitor Mode > Overview >
Status page.

Configuration Pages
Configuration pages enable you to enter configuration information. In some
cases, a configuration page is displayed when you select a menu option. For
example, selecting Config Mode > Network > DNS > DNS displays the
configuration page shown in Figure 10.

FIGURE 10 Example Configuration page - Config Mode > Network > DNS

In other cases, the menu option displays a list of configured items, such as
the list of configured real servers shown in Figure 5 on page 23. To
configure a new server, click the Add button, located under the list of
servers. The server configuration page appears, as shown in Figure 11.


FIGURE 11 Example Configuration page – Config Mode > SLB > Service >
Server


Graph Display Options


Statistics are available in both tabular and graph displays.
You can modify the data refresh rate and the time span for statistics.

Caution: Setting a GUI window to automatically refresh its data will prevent
the web session from timing out. If you set a GUI page to automatically
refresh data, do not leave the session unattended if the PC is in an
unsecured location.

You also can disable or re-enable display of individual graphs. To disable
display of a graph, click the checkbox next to the graph name to clear the
checkbox. For example, to disable display of the Bytes graph in Figure 7 on
page 27, click the Bytes checkbox to clear it.

The other display options are described in the following sections.

Data Refresh
Statistics counters start incrementing from 0 after the most recent reboot or
the most recent clear performed by an administrator.
To refresh the display with the latest counter values, click Refresh.

You also can enable automatic refresh.


• For system statistics (Monitor Mode > Overview > Statistics), you can
  select to refresh at one of the following intervals:
    • 1 minute
    • 5 minutes
    • 10 minutes
    • 30 minutes

• For performance statistics (Monitor Mode > Overview > Performance),
  you can enter a refresh rate from 5-120 seconds.

By default, automatic refresh is disabled.

To clear the counters, click Clear.


Time Span
The horizontal (x) axis of each graph shows the time span of the data in the
graph. The same time span is used for all four graphs.

To change the time span, do one of the following:


• Select a new span from the pull-down list to the left of the Start Time
field. The spans you can select range from the most recent 30 minutes to
the most recent 30 days.
• Use the calendars to select specific start and end dates and times.

To select a date and time using the calendars:

1. Click the calendar icon next to Start Time or End Time.
   (They must be selected separately.)

2. Select the month and year.
    • To scroll through years, click double brackets (<< or >>).
    • To scroll through months, click a single bracket (< or >).

3. Select the day of the month.
   To change the day of the week that starts each week, click the day (Mon,
   Tue, and so on).

4. Select the time. Place the cursor over the hours or minutes counter and
   do one of the following:
    • To select a later time, click on the hours or minutes counter to
      scroll forward.
    • To select an earlier time, hold Shift and click on the hours or
      minutes counter to scroll backward.

5. Click x in the upper right corner of the calendar to save the settings and
   close the calendar.
   The date and time you selected appear in the Start Time or End Time
   field.

6. Click Go to redraw the graphs using the new time span.


Web Timeout
Web Timeout is used to prevent blockage of admin access caused by users
who do not log off. The timeout counter indicates the amount of time
remaining before the session is automatically closed.

Select Config Mode > System > Settings > Web to view or set the Web
Timeout value in minutes.

Clicking any ACOS GUI button or menu option also resets the timer.

One minute before a session times out, a timer appears on the left side of the
GUI window, under the Monitor and Config links. You can click the Reset
button under the timer to reset the timer for your GUI session. If you do not
click Reset or another button or menu option before the timer reaches 0, the
session is terminated.

Caution: After the Web timer expires, the ACOS device ends the GUI session.
No warning or confirmation message appears. If you are entering
configuration information but have not yet clicked OK, the configuration
information is lost.

System Partitions
Role-Based Administration (RBA) allows the ACOS device to be segmented
into multiple administrative domains called “partitions”. If RBA is
configured, the resources accessible to you in the GUI depend on the
privilege level for the admin account you use to log in:
• If you are logged in with an admin account that has Root, Read-Write,
  or Read-Only privileges, the resources in the shared partition and all
  private partitions are displayed by default.
• If you are logged in with an admin account that has Partition Write
  Admin or Partition Read Admin privileges, the GUI presents only the
  resources in the device’s shared partition and in your private partition. In
  this case, you can view the objects in the shared partition but you cannot
  configure them. Depending on your admin privilege level, you can view
  only or view and configure the resources in your shared partition.
  Resources in other partitions are not accessible.
• If you are logged in with an admin account that has Partition RS
  Operator privileges, you can view service port statistics for real servers
  in the partition, and disable or re-enable real servers and service ports in
  the partition. Admins with this access level cannot view additional
  resources and cannot change the view to another partition.


Admins with Root, Read-write, or Read-only privileges can select the
partition to view. To change the view to another partition:
1. On the title bar, select the private partition from the Partition drop-down
   list.
   A dialog appears, asking you to confirm your partition selection.

2. Click Yes.

3. Click the Refresh button next to the Partition drop-down list. You must
   refresh the page in order for the view change to take effect.

System administration tasks, such as saving HA configuration
synchronization, apply only to the currently selected partition.

Note: For more information about this feature, see the “Role-Based
Administration” chapter in the A10 Thunder Series and AX Series System
Configuration and Administration Guide.

Option Visibility
The GUI display varies with the individual administrative role and system
configuration of the ACOS device. It varies most in sections related to
highly configurable features: aVCS, VRRP-A, and HA.

For example, a VRID can be configured on a virtual server only when
VRRP-A is enabled. By default, if VRRP-A is disabled, you will see an HA
Group field shown instead of the VRID field in the virtual server
configuration page.

This guide provides a complete survey of status and parameter information
you may encounter in the GUI, but does not guarantee that these fields will
be accessible to every user. For information on the privilege level of
administrative roles, see “Preconfigured GUI Access Roles” on page 447.


Monitor Mode

The Monitor Mode enables you to monitor systems and activities controlled
by the ACOS device.

Note: For information about GSLB monitoring options, see “Monitor Mode –
GSLB” on page 306.

Monitor Modules
The Monitor Mode offers the following sub-modules for observing
A10 Thunder Series and AX Series network and performance settings and
operations.
• Overview

• SLB

• GSLB

• Security

• IP Source NAT

• Network

• System


FIGURE 12 Monitor Mode


Monitor Menu Tree


The Monitor module has the following sub-modules and menu options.

Monitor Mode > Overview

• Summary
• Status
• Statistics
• Performance
    • Summary
    • Overview
    • Connection
    • Attack Prevention

Monitor Mode > SLB

• Service
    • Virtual Server
    • Virtual Service
    • Service Group
    • Server
• Health Monitor
• Black-White List
    • Statistics
    • Client Query
• Session
    • Brief
    • Session
• Application
    • Proxy
    • Connection Reuse
    • Persistent
    • SSL
    • RAM Caching
    • FTP
    • Black/WhiteList
    • Net
    • aFleX
    • Switch
    • Hashed Certificate

Monitor Mode > GSLB


• Site

• Zone

• Protocol


Monitor Mode > Security

• WAF
• Authentication
• ACL
    • IPv4 ACL
    • IPv6 ACL

Monitor Mode > IP Source NAT

• Pool
• Static NAT

Monitor Mode > Network

• Interface
• Trunk
• LACP
    • System ID
    • Counter
    • Trunk
• VLAN
• ARP
    • IPv4 ARP
    • IPv6 Neighbor
• Route
    • IPv4 Route Table
    • IPv4 Forwarding
    • IPv6 Forwarding

Monitor Mode > System

• Admin
    • Admin Session
    • Admin Locked
• Logging
    • Logging
    • Audit
• Diagnosis
    • AXDebug File
    • AXDebug Config
    • AXDebug Capture
    • ShowTech File
    • Show Techsupport
• aVCS
    • Summary
    • Statistics
    • Images
• HA
    • Group
    • Status
    • Set ID Monitor
• VRRP
    • VRID
    • Status
    • Set ID Monitor
    • Host ID


Monitor Mode > Overview


The Monitor sub-modules show basic status and configuration information
for the ACOS device.

Note: Display of status and configuration options will vary with your
administrative role and the system configuration of the ACOS device. For
information on the privilege level of administrative roles, see
“Preconfigured GUI Access Roles” on page 447.

Monitor Mode > Overview > Summary


This page is the first page displayed when you log onto the GUI. The page
shows configuration and status information for the device.

The graphical representation of the ACOS device shows the following
information:
• Link status of the Ethernet data interfaces:

– 1-Gigabit interface is up.

– 1-Gigabit interface is down.

– 10-Gigabit copper interface is up.

– 10-Gigabit copper interface is down.

– 10-Gigabit fiber interface is up.

– 10-Gigabit fiber interface is down.

– 40-Gigabit fiber interface is up.

– 40-Gigabit fiber interface is down.

• Status of the local storage (SSD or disk):


• Green – The SSD or disk is active.
• Red – The SSD or disk is inactive.


To display the interface type and IP address for a port, move the mouse
pointer over the port’s icon.

Likewise, to display the status of a hard disk, move the mouse pointer over
the icon of the disk.

System Information

Table 2 describes the types of information shown in this section.

TABLE 2 Monitor Mode > Overview > Summary - System Information

Field                 Description
Serial Number         Serial number of the ACOS device.
Current Time          Current system time when the page was displayed.
Startup Mode          Image area from which the system image and
                      startup-config were loaded after the most recent reboot.
Software Version      System image version that is currently running.
Advanced Core OS      Labels the image location for the system images listed
                      below.
On Disk               Software image versions installed on the hard disk or
                      Solid State Drive (SSD).
                      The image listed on the left is in the primary image
                      area of the hard disk or SSD. The image listed on the
                      right is in the secondary image area.
On Compact Flash      Software image versions installed on the compact flash.
                      The image listed on the left is in the primary image
                      area of the compact flash. The image listed on the right
                      is in the secondary image area.
Firmware Version      Firmware version running on the device.
aFleX Engine Version  Version of the aFleX processing engine running on the
                      device.
aXAPI Version         Versions of the AX Series XML Application Programming
                      Interface (aXAPI) supported by the device.
Last Config Saved At  System time when the running-config was most recently
                      saved to the startup-config.
Technical Support     Web link to access the A10 Networks support site.


Device Information

Table 3 describes the types of information shown in this section.

TABLE 3 Monitor Mode > Overview > Summary - Device Information

Field                 Description
CPU Count / Status    Count shows the number of CPUs in the system. The count
                      includes the Control CPU and the Data CPUs.
                      Status shows the aggregate status of the CPUs.
CPU Temperature       Current temperature inside the chassis.
Disk Usage            Size of the hard disk or SSD and the amount that
                      contains data.
Fan Status            Operational status of the system fans, and the rotations
                      per minute (RPMs) of each fan.
System Voltage        System voltage information.
Power Supply          Status of the power supplies.

Feature Configuration

This section lists how many instances of each type of Services resource are
configured. To view the list of configured resources of a specific type, click
on the name. For example, to access the list of configured service groups,
click on “Service Groups”.

Table 4 describes the types of information shown in this section.

TABLE 4 Monitor Mode > Overview > Summary - Feature Configuration

Field                 Description
Service Groups        Number of Server Load Balancing (SLB) service groups
                      configured on the device.
                      A service group is a set of real servers and service
                      ports.
Virtual Servers       Number of Server Load Balancing (SLB) virtual servers
                      configured on the device.
                      A virtual server is the server to which clients send
                      requests. The ACOS device selects real servers from the
                      service group bound to the virtual server to fulfill the
                      client requests.
Servers               Number of SLB real servers configured on the device.
GSLB Sites            Number of Global Server Load Balancing (GSLB) sites
                      configured on the device.
                      GSLB extends SLB load balancing to global geographic
                      scale, by modifying DNS query replies to clients so that
                      clients are directed to the best site.
GSLB Zones            Number of GSLB zones configured on the device. A GSLB
                      zone is the domain managed by GSLB.
PBSLBs                Number of black/white lists imported for use by
                      Policy-Based SLB.
                      PBSLB allows you to “black list” or “white list”
                      individual clients or client subnets. For clients that
                      you allow, you can specify the SLB service group to use.
                      You also can specify the action to perform (drop or
                      reset) on new connections that exceed the configured
                      connection threshold for the client address.
aFleX                 Number of aFleX policies imported onto the ACOS device.
                      aFleX policies are scripts written using an A10 Networks
                      Tcl-like scripting language. You can configure aFleX
                      policies to perform custom SLB tasks not supported by
                      the AX standard features. For more information, see the
                      A10 Thunder Series and AX Series aFleX Scripting
                      Language Reference.
WAF Definitions       Number of WAF policy files (WAF definitions) configured
                      on the device. A WAF definition defines a set of rules
                      for WAF security filters.
SSL Acceleration      State of the SSL Acceleration module on the ACOS device.
VRRP-A/High           This display varies with VRRP-A or HA configuration:
Availability          • If VRRP-A is enabled, this field displays the state of
                        the Virtual Router Redundancy Protocol (VRRP-A)
                        feature.
                        VRRP-A provides system-level redundancy, using up to 8
                        ACOS devices. If one ACOS device becomes unavailable,
                        another ACOS device takes over to continue servicing
                        clients.
                      • If HA is enabled, this field displays the state of the
                        High Availability (HA) feature.
                        HA provides system-level redundancy using a pair of
                        ACOS devices. If one ACOS device becomes unavailable,
                        the other ACOS device takes over to continue servicing
                        clients.
HA Connection Mirror  State of the connection mirroring feature (also called
                      “session synchronization”).
                      Connection mirroring is an optional part of HA
                      configuration. When configured, this feature enables the
                      ACOS devices to share information about active client
                      sessions. If a failover occurs, client sessions continue
                      uninterrupted.

CPU Usage Chart

The CPU Usage chart shows CPU usage statistics for the most recent 90
seconds.

To display or hide data for a specific CPU, click to expand the chart legend,
then click on the row for the CPU.

Click on a line in the chart for more information about the data portrayed by
the line.

For a larger graph showing a longer timespan, select Monitor Mode >
Overview > Statistics.

Memory Usage Chart


The Memory Usage chart shows memory usage statistics for the most recent
90 seconds. Click on a line in the chart for more information about the data
portrayed by the line.

For a larger graph showing a longer timespan, select Monitor Mode >
Overview > Statistics.


Monitor Mode > Overview > Status


This page shows status information for all virtual servers configured on the
device. It also shows Syslog entries for all areas of the system.

Virtual Server Status

Virtual server status is displayed at the top of the page.

The virtual server names in the Name column are hyperlinks. You can click
on a virtual server name to display status information for the individual
virtual service ports configured on the virtual server.

Each service port under a virtual server is listed as follows:


(protocol/portnum/service-group)

For example, TCP port 80 in service group “sg-80-1” is listed as follows:


(TCP/80/sg-80-1)

Table 5 describes the columns in this display.

TABLE 5 Monitor Mode > SLB > SLB > Virtual Server

Field                 Description
Name                  Name of the virtual server.
                      Click on a virtual server name to display statistics for
                      the individual virtual service ports on the virtual
                      server.
                      The icon to the left of the virtual server or individual
                      virtual port indicates its status:
                      Shows the state of the virtual server.
                      – Running. All virtual ports on the virtual server are
                        Running.
                      – Functional Running. Some of the virtual ports are
                        Running or Functional Running, but at least one of
                        them is not Running.
                      – Partial Running. At least one virtual port is Running
                        or Functional Running, but at least one other virtual
                        port is Down.
                      – Down. All the virtual ports are Down.
                      – Disabled. The virtual server has been administratively
                        disabled.
                      If you click on a virtual server name, the individual
                      virtual ports are listed. The state of a virtual port is
                      shown as follows:
                      – Running. All members (real servers and ports) in all
                        service groups bound to the virtual port are up.
                      – Functional Running. At least one member in a service
                        group bound to the virtual port is up, but not all
                        members are up.
                      – Down. All members in all service groups bound to the
                        virtual port are down.
                      – Disabled. The virtual port has been administratively
                        disabled.
Current Connections   Current number of connections to the virtual server.
Total Connections     Total number of connections to the virtual server since
                      the last time statistics were cleared.
Packets RX            Total number of packets sent to the virtual server since
                      the last time statistics were cleared.
Packets TX            Total number of packets received on the virtual server
                      since the last time statistics were cleared.
Bytes RX              Total number of bytes sent to the virtual server since
                      the last time statistics were cleared.
Bytes TX              Total number of bytes received on the virtual server
                      since the last time statistics were cleared.

For information about sorting and filtering the rows in the table, see
“Sorting and Filtering SLB Displays on Monitor Pages” on page 29.
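
The status roll-up that Table 5 describes, written out as an added example (it is not A10 code and does not query an ACOS device). All function names and the sample inventory are constructed for illustration; the handling of disabled ports, of ports with no members, and the precedence of Partial Running over Functional Running when a port is Down are assumptions, since the table does not cover those cases.

```python
from enum import Enum


class State(Enum):
    RUNNING = "Running"
    FUNCTIONAL = "Functional Running"
    PARTIAL = "Partial Running"
    DOWN = "Down"
    DISABLED = "Disabled"


def port_state(members_up, enabled=True):
    """State of one virtual port.

    members_up holds one boolean per member (real server and port) of the
    service groups bound to the virtual port; True means the member is up.
    """
    if not enabled:
        return State.DISABLED
    if not members_up:
        # Assumption: a port with no bound members is treated as Down.
        return State.DOWN
    if all(members_up):
        return State.RUNNING
    if any(members_up):
        return State.FUNCTIONAL
    return State.DOWN


def server_state(port_states, enabled=True):
    """State of a virtual server, derived from its virtual port states."""
    if not enabled:
        return State.DISABLED
    # Assumption: administratively disabled ports are left out of the roll-up.
    active = [s for s in port_states if s is not State.DISABLED]
    if not active or all(s is State.DOWN for s in active):
        return State.DOWN
    if all(s is State.RUNNING for s in active):
        return State.RUNNING
    if any(s is State.DOWN for s in active):
        # Assumption: a Down port next to a working port means Partial Running.
        return State.PARTIAL
    return State.FUNCTIONAL


def port_label(protocol, portnum, service_group):
    """Format a port the way the Status page lists it."""
    return f"({protocol}/{portnum}/{service_group})"


def rollup(inventory):
    """Return {virtual server: (server State, {port label: port State})}."""
    report = {}
    for name, vs in inventory.items():
        ports = {}
        for p in vs["ports"]:
            label = port_label(p["protocol"], p["portnum"], p["service_group"])
            ports[label] = port_state(p["members_up"], p.get("enabled", True))
        state = server_state(list(ports.values()), vs.get("enabled", True))
        report[name] = (state, ports)
    return report


def needs_attention(report):
    """Virtual servers that are neither fully Running nor Disabled."""
    quiet = (State.RUNNING, State.DISABLED)
    return sorted(n for n, (state, _) in report.items() if state not in quiet)


# Constructed sample inventory (not taken from a real device).
SAMPLE = {
    "vs-web": {"ports": [
        {"protocol": "TCP", "portnum": 80, "service_group": "sg-80-1",
         "members_up": [True, True]},
        {"protocol": "TCP", "portnum": 443, "service_group": "sg-443-1",
         "members_up": [True, False]},
    ]},
    "vs-app": {"ports": [
        {"protocol": "TCP", "portnum": 8080, "service_group": "sg-app-1",
         "members_up": [False, False]},
        {"protocol": "TCP", "portnum": 8443, "service_group": "sg-app-2",
         "members_up": [True]},
    ]},
    "vs-db": {"ports": [
        {"protocol": "TCP", "portnum": 3306, "service_group": "sg-db-1",
         "members_up": [False]},
    ]},
    "vs-old": {"enabled": False, "ports": [
        {"protocol": "TCP", "portnum": 80, "service_group": "sg-old-1",
         "members_up": [True]},
    ]},
}

if __name__ == "__main__":
    for name, (state, ports) in rollup(SAMPLE).items():
        print(name, state.value, {k: v.value for k, v in ports.items()})
```
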

System Log
System log entries are displayed at the bottom of the page. By default, the
100 most recent messages can be viewed on this page. All message levels
are displayed by default and the list is refreshed every 10 seconds by
default. The messages are color-coded to indicate the message level.

To change any of these settings:


1. Select Configure > System > Settings > Log.

2. Click Status.

3. Change settings, then click OK.


Monitor Mode > Overview > Statistics


This page shows graphs for the following system statistics:
• Memory Usage

• Disk Usage

• CPU Usage

By default, statistics for the last 30 minutes are shown.

To display statistics for a longer time span, select the time span from the
drop-down list located above the Dropped column of the statistics table.

Note: If system statistics are not displayed, collection of them may be disabled.
To collect statistical information, enable the “Stats Data” option. (See
“Config Mode > SLB > Service > Global” on page 206.)

To export a copy of the statistics as a tar.gz file:


1. Click Export.

2. Navigate to the save location.

3. Optionally, edit the filename too.

4. Click Save.


Monitor Mode > Overview > Performance


The Monitor Mode > Overview > Performance options display feature
performance statistics.

Statistics Time Span

By default, statistics for the last 30 minutes are shown.

To display statistics for a longer time span, select the time span from the
drop-down list located next to the Go button.

To display statistics for a specific time span:


1. Select the Start Time:
a. Click the calendar icon at the end of the Start Time field. A calendar
is displayed.
b. Select the date or leave the date set to the current date.
c. Edit the time or use the time value shown (the current system time
when you open the calendar).

Note: To move the calendar popup, click on the bottom row of the calendar and
drag it.

2. Select the End Time using the calendar at the end of the End Time field.

Note: Statistics are available for only the most recent 30 days.

3. Click Go.

Statistics Refresh
To automatically refresh statistics, select the refresh period from the
drop-down list at the right of the drop-down list for the data period. By
default, automatic refresh is disabled.

Monitor Mode > Overview > Performance > Summary


This option displays summary performance statistics for Layer 4-7 features.
Graphs are available for some groups of statistics. To display graphs, click
on the link at the top of the group of statistics or click on the icon.

CPU and memory usage are displayed at the top of the page.


Monitor Mode > Overview > Performance > Overview

This option displays graphs for the following performance statistics:


• Throughput

• Current Connections

• New Connections

• L7 Requests

You also can display these graphs by clicking on “Performance” or the
graphics link at the top of the group of performance statistics on the
Summary page.

Monitor Mode > Overview > Performance > Connection


This option displays graphs for the following connection-reuse statistics:
• HTTP Proxy Connections

• Connection Reuse

You also can display these graphs by clicking on “Connection Reuse” or the
graphics link at the top of the group of connection reuse statistics on the
Summary page.

Monitor Mode > Overview > Performance > Attack Prevention

This option displays a graph of SYN cookie statistics.

You also can display this graph by clicking on “Attack Prevention” or the
graphics link at the top of the group of attack prevention statistics on the
Summary page.


Monitor Mode > SLB


The Monitor Mode > SLB options display status information and statistics
for Layer 4-7 features.

Monitor Mode > SLB > Service


The pages in this sub-module display Server Load Balancing (SLB)
statistics. Each page shows statistics counters for connections, packets, and
bytes.
• Virtual Server – Displays a row of statistics for each virtual server. Click
  on a virtual server name to display statistics for the individual virtual
  service ports on the virtual server.
• Virtual Service – Displays a row of statistics for each virtual service.
  Click on a virtual service name to display statistics for that virtual
  service.
• Service Group – Displays a row of statistics for each service group.
  Click on a service group name to display statistics for the individual real
  service ports in the service group.
• Server – Displays a row of statistics for each real server. Click on a real
  server name to display statistics for the individual real service ports on
  the server.

Each page provides the following display control links, located under the
table and above the graph display area:
• Select All – selects all the rows in the table

• Unselect All – deselects all the rows in the table

• Expand All – Expands each row to show its constituents. For example,
clicking this link on the Virtual Server page expands the table to also
show all of the virtual ports on each VIP.
• Collapse All – Collapses all rows in the table to show only the top-level
items (for example, VIPs)


The following checkboxes appear between the table and the graph display
area. Clicking one of these checkboxes toggles display of the corresponding
column in the table.
• Connections

• Packets

• Bytes

• Description

• Request

For additional display options, see “Sorting and Filtering SLB Displays on
Monitor Pages” on page 29.

SLB Graphs

If statistical data collection is enabled for an SLB resource, the following
graphs are available for that resource:
• Throughput In Bits

• Current Connections

To display the graphs, click on the icon in the rightmost column for
the resource. The graphs appear below the table.

Note: The icon is available only if statistical data collection is enabled for the
SLB resource. Statistical data collection is disabled by default. To enable
it, select Enabled next to Stats Data on the configuration page for the
resource.

To clear statistics, select the checkboxes next to the items for which you
want to clear the statistics, then click Clear.

Statistics Scope
By default, all configuration items within the selected item are averaged.
For example, if you click on the icon next to a virtual server name,
graphs that are displayed show the statistics for all virtual service ports in
the virtual server.

To display graphs for an individual configuration item, click on
the icon next to that item.


Statistics Time Span


By default, statistics for the last 30 minutes are shown.

To display statistics for a longer time span, select the time span from the
drop-down list located next to the Go button.

To display statistics for a specific time span:


1. Select the Start Time:
a. Click the calendar icon at the end of the Start Time field. A calendar
is displayed.
b. Select the date or leave the date set to the current date.
c. Edit the time or use the time value shown (the current system time
when you open the calendar).

Note: To move the calendar popup, click on the bottom row of the calendar and
drag it.

2. Select the End Time using the calendar at the end of the End Time field.

Note: Statistics are available for only the most recent 30 days.

3. Click Go.

Statistics Refresh
To automatically refresh statistics, select the refresh period from the
drop-down list at the right of the drop-down list for the data period. By
default, automatic refresh is disabled.


Monitor Mode > SLB > Service > Virtual Server

The following pages display monitor information for virtual servers.

Monitor Mode > SLB > Service > Virtual Server > Virtual Server

The page shows SLB statistics for virtual servers.

Table 6 describes the columns in this display.

TABLE 6 Monitor Mode – Virtual Server

Field                 Description
Name                  Name of the virtual server.
                      Click on this row to display statistics for individual
                      service ports. Each port is listed in the following
                      format:
                      Protocol/Portnum
                      For example, TCP/80
                      Click on the row for a port to display statistics for
                      each service group binding that uses the port. These
                      rows are shown in the following format:
                      Portnum (Service-Group)
                      For example, 80 (rs-http-2)
                      The icon to the left indicates the status. (For
                      descriptions, see Table 5 on page 46.)
Current Connections   Current number of connections to the virtual server or
                      individual service.
Total Connections     Total number of connections to the virtual server or
                      individual service since the last time statistics were
                      cleared.
Packets Forward       Total number of packets that the virtual server or
                      individual virtual service received from the client and
                      forwarded to the server since the last time statistics
                      were cleared.
Packets Reverse       Total number of packets that the virtual server or
                      individual virtual service received from the server and
                      reverse-forwarded to the client since the last time
                      statistics were cleared.
Bytes Forward         Total number of bytes that the virtual server or
                      individual virtual service received from the client and
                      forwarded to the server since the last time statistics
                      were cleared.
Bytes Reverse         Total number of bytes that the virtual server or
                      individual virtual service received from the server and
                      reverse-forwarded to the client since the last time
                      statistics were cleared.
Statistics            Provides access to statistics. (See “SLB Graphs” on
(unlabeled)           page 52.)


Monitor Mode > SLB > Service > Virtual Server > Host/URL Hits

The page displays counters for the number of instances a host or URL was
accessed by users.

To display Host/URL counters:


1. From the Virtual Server drop-down menu, select the name of a virtual
server and corresponding port number.

2. Select the Host or URL radio button to display the counters by one of
the following options:
• Host – Web host
• URL – URL path on the Web site

3. (optional) In the String field, enter a string to display counters only for
hosts or URLs that match the specified string.

Monitor Mode > SLB > Service > Virtual Service

The page shows SLB statistics for individual virtual services.

Table 7 describes the columns in this display.

TABLE 7 Monitor Mode > SLB > SLB > Virtual Service

Field – Description
Name – Name of the virtual service. Click on this row to display the service-group bindings for the virtual service. Each binding is listed in the following format: Portnum (Service-Group). For example, 80 (rs-http-2). The icon to the left indicates the status. (For descriptions, see Table 5 on page 46.)
Current Connections – Current number of connections to the virtual service or individual service-group binding.
Total Connections – Total number of connections to the virtual service or individual service-group binding since the last time statistics were cleared.
Packets Forward – Total number of packets that the virtual service or individual service-group binding received from the client and forwarded to the server since the last time statistics were cleared.
Packets Reverse – Total number of packets that the virtual service or individual service-group binding received from the server and reverse-forwarded to the client since the last time statistics were cleared.
Bytes Forward – Total number of bytes that the virtual service or individual service-group binding received from the client and forwarded to the server since the last time statistics were cleared.
Bytes Reverse – Total number of bytes that the virtual service or individual service-group binding received from the server and reverse-forwarded to the client since the last time statistics were cleared.
Statistics (unlabeled) – Provides access to statistics. (See “SLB Graphs” on page 52.)

Monitor Mode > SLB > Service > Service Group


The page shows SLB statistics for service groups.

Table 8 describes the columns in this display.

TABLE 8 Monitor Mode > SLB > SLB > Service Group

Field – Description
Name – Name of the service group. Click on this row to display statistics for the individual service ports bound to the service group. Each port binding is shown in the following format: Portnum (Service-Group). For example, 80 (rs-http-2). The icon to the left of the service group name or service port indicates its status:
  – The service group or service is up.
  – The service group or service is down.
Type – Layer 4 transport protocol used by services in the service group, TCP or UDP.
Current Connections – Current number of connections to the service group or individual service.
Total Connections – Total number of connections to the service group or individual service since the last time statistics were cleared.
Packets Forward – Total number of packets forwarded to the service group or individual service member since the last time statistics were cleared.
Packets Reverse – Total number of packets reverse-forwarded from the service group or individual service member since the last time statistics were cleared.
Bytes Forward – Total number of bytes forwarded to the service group or individual service member since the last time statistics were cleared.
Bytes Reverse – Total number of bytes reverse-forwarded from the service group or individual service member since the last time statistics were cleared.
Statistics (unlabeled) – Provides access to statistics. (See “SLB Graphs” on page 52.)

Monitor Mode > SLB > Service > Server

The page shows SLB statistics for real servers.

Table 9 describes the columns in this display.

TABLE 9 Monitor Mode > SLB > SLB > Server

Field – Description
Name – Name of the real server. Click on this row to display statistics for individual service ports. Each port is shown in the following format: Protocol/Portnum. For example, TCP/80. The icon to the left of the server name or port number indicates its status:
  – The server or port is up.
  – The server or port is down.
Current Connections – Current number of connections to the real server or individual service.
Total Connections – Total number of connections to the real server or individual service since the last time statistics were cleared.
Packets Forward – Total number of packets forwarded to the real server or individual server port since the last time statistics were cleared.
Packets Reverse – Total number of packets reverse-forwarded from the real server or individual server port since the last time statistics were cleared.
Bytes Forward – Total number of bytes forwarded to the real server or individual server port since the last time statistics were cleared.
Bytes Reverse – Total number of bytes reverse-forwarded from the real server or individual server port since the last time statistics were cleared.
Statistics (unlabeled) – Provides access to statistics. (See “SLB Graphs” on page 52.)

Note: For dynamically created real servers, this page shows only the first
dynamically created server. To display all dynamically created servers,
use the show slb server command in the CLI.

Monitor Mode > SLB > Health Monitor


The page enables you to send on-demand health checks to servers and
individual services. To perform an on-demand health check:

1. Enter the IP address of the server to be tested in the IP Address field.

2. Select the IP version, IPv4 or IPv6.

3. Select the health monitor to use from the Health Monitor drop-down list.

4. To test a specific service, enter the protocol port number for the service
in the Port field.

5. Click Start.

The status of the server or service appears in the Status message area.

Note: If an override IP address and protocol port are set in the health monitor
configuration, the ACOS device will use the override address and port
instead of the address and port you specify here.


Monitor Mode > SLB > Black-White List


The pages in this sub-module display Black/White List information for
Policy-Based SLB (PBSLB).

Monitor Mode > SLB > Black-White List > Statistics


These pages show statistics for Policy-Based SLB (PBSLB).

Monitor Mode > SLB > Black-White List > Statistics > System
This page shows statistics for system-wide PBSLB. Depending on how the
feature is implemented, the statistics are shown in the System
Blacklist/Whitelist Statistics table or the System Class List Statistics table.

Table 10 describes the columns in the System Blacklist/Whitelist Statistics
table.

TABLE 10 Monitor Mode – Blacklist/Whitelist Statistics

Field – Description
GID – Group ID.
Established – Number of client connections established to the black/white-list group and protocol port.
Reset(A) – Number of client connections reset due to the Reset action in a PBSLB policy.
Dropped(A) – Number of client connections that were dropped due to the Drop action in a PBSLB policy.
Reset(COL) – Number of client connections reset because they were over the connection limit specified in a PBSLB policy.
Dropped(COL) – Number of client connections that were dropped because they were over the connection limit specified in a PBSLB policy.
Server Select Failure – Number of times selection of a real server failed.


Table 11 describes the columns in the System Class List Statistics table.

TABLE 11 Monitor Mode – Class List Statistics

Field – Description
Source – Client IP address.
Destination – VIP address.
Flag – Indicates whether the row of information applies to connections or requests:
  • C – The statistics listed in this row are for connections.
  • R – The statistics listed in this row are for HTTP requests.
Current – Current number of connections or requests.
Rate – Current connection or request rate, which is the number of connections or requests per second.
Over Limit – Number of times client connections or requests exceeded the configured limit.
Over Rate Limit – Number of times client connections or requests exceeded the configured rate limit.

Monitor Mode > SLB > Black-White List > Statistics > Virtual Server > Class List
This page shows statistics for PBSLB applied to individual virtual servers,
and implemented using class lists. The table columns are the same as those
described in Table 11 on page 60.

Monitor Mode > SLB > Black-White List > Statistics > Virtual Server > Black/WhiteList
This page shows statistics for PBSLB applied to individual virtual servers,
and implemented using black/white lists. The table columns are the same as
those described in Table 10 on page 59.

Monitor Mode > SLB > Black-White List > Client Query > Class List
The page allows you to query PBSLB information based on class list and IP
address.

Select the class list, specify the IP host or subnet address, and click Find.

The table columns are the same as those described in Table 11 on page 60.


Monitor Mode > SLB > Black-White List > Client Query > Black/WhiteList
The page allows you to query PBSLB information based on black/white list
and IP address.

Select the black/white list, specify the IP host or subnet address, and click
Find.

Table 12 describes the columns in this display.

TABLE 12 Monitor Mode > SLB > Black-White List > Client Query > Black/WhiteList

Field – Description
IP Address – Client IP address.
Service Group – Service group ID.
Connections Limit – Maximum number of new connections allowed.
Connections Current – Current number of active connections.

Monitor Mode > SLB > Black-White List > Black/WhiteList


The page shows information for the black/white lists used by PBSLB.

Table 13 describes the columns in this display.

TABLE 13 Monitor Mode > Black-White List > Black/WhiteList

Field – Description
Name – Name of the black/white list.
URL – Location of the black/white list.
Size – Size of the black/white list.
Last Updated – System time when the black/white list was last updated on the ACOS device.
Download Times – Date and time when the black/white list was downloaded onto the ACOS device.


Monitor Mode > SLB > aFleX


This page shows statistics for aFleX policies used on the ACOS device.

Table 14 describes the fields on this page.

TABLE 14 Monitor Mode > SLB > aFleX

Field – Description
Name – Name of the aFleX policy.
Event Type – Type of event used in the aFleX policy.
Total Executions – Total number of times the aFleX policy has been triggered by the event.
Failures – Total number of times the aFleX policy failed.
Aborts – Total number of times the aFleX policy was aborted.

An aFleX policy can appear in multiple rows in the table. Each row shows
counters for a different event type.

To clear counters for all events listed for an aFleX policy, select at least one
row for the aFleX policy, then click Clear.

To clear counters only for specific events, select the rows for those events,
then click Clear Event.

Monitor Mode > SLB > IP Source NAT

The pages in this sub-module display statistics for IP source NAT.


Monitor Mode > SLB > Session


The pages in this sub-module display session information.

Monitor Mode > SLB > Session > Brief

This page displays summary statistics for all session types.

Table 15 describes the fields on this page.

TABLE 15 Monitor Mode > SLB > Session > Brief

Field – Description
TCP Established – Number of established TCP sessions.
TCP Half Open – Number of half-open TCP sessions. A half-open session is one for which the AX series device has not yet received a SYN ACK from the backend server.
UDP – Number of UDP sessions.
Non TCP/UDP IP Session – Number of IP sessions other than TCP or UDP sessions. This counter applies specifically to IP protocol load balancing. (See the “IP Protocol Load Balancing” chapter in the AX Series Application Delivery and Server Load Balancing Guide.)
Other – Number of internally used sessions. As an example, internal sessions are used to hold fragmentation information.
Reverse NAT TCP – Number of reverse-NAT TCP sessions.
Reverse NAT UDP – Number of reverse-NAT UDP sessions.
Curr Free Conn – Number of Layer 4 sessions currently available.
Conn Count – Number of connections.
Conn Freed – Number of connections freed after use.
TCP SYN Half Open – Number of half-open TCP sessions. These are sessions that are half-open from the client’s perspective.
Conn SMP Alloc, Conn SMP Free, Conn SMP Aged, Conn Type 0 Available, Conn Type 1 Available, Conn Type 2 Available, Conn Type 3 Available, Conn Type 4 Available, Conn SMP Type 0 Available, Conn SMP Type 1 Available, Conn SMP Type 2 Available, Conn SMP Type 3 Available, Conn SMP Type 4 Available – Statistics used by A10 Technical Support.


Monitor Mode > SLB > Session > Session

This page shows the session table. The columns displayed differ depending
on the selected radio button.

Table 16 describes the display control features on this page.

TABLE 16 Display Control Features

Field – Description
all – Displays information for all session types.
ipv4 – Displays information for IPv4 sessions. The following address options are supported:
  • Source IP – Displays IPv4 sessions that have the specified source IP address.
  • Source Port – Displays IPv4 sessions that have the specified source protocol port number, 1-65535.
  • Destination IP – Displays IPv4 sessions that have the specified destination IP address.
  • Destination Port – Displays IPv4 sessions that have the specified destination protocol port number, 1-65535.
ipv6 – Displays information for IPv6 sessions. For parameter descriptions, see above.
ipv4v6 – Displays information for IPv4-IPv6 or IPv6-IPv4 sessions. The following address options are supported:
  • Source IP – Displays IPv4 or IPv6 sessions that have the specified source IP address.
  • Source Port – Displays IPv4 or IPv6 sessions that have the specified source protocol port number, 1-65535.
  • Destination IP – Displays IPv4 or IPv6 sessions that have the specified destination IP address.
  • Destination Port – Displays IPv4 or IPv6 sessions that have the specified destination protocol port number, 1-65535.
persist – Displays information for persistent sessions. The drop-down menu displays sessions of the specified persistence type:
  • src-ip – Displays source-IP persistent sessions.
  • dst-ip – Displays destination-IP persistent sessions.
  • ssl-sid – Displays SSL-session-ID persistent sessions.
  • uie – Displays sessions that are made persistent by the aFleX persist uie command.
  Note: This option is not applicable to IPv6 migration releases.
  For column descriptions, see ipv4 above.
sip – Displays information for Session Initiation Protocol (SIP) sessions. For column descriptions, see ipv4v6 above.
radius – Displays information for RADIUS servers.

Display Fields
Table 17 describes the display fields on this page.

TABLE 17 Display Fields

Field – Description
Prot – Transport protocol
Forward Source – Client IP address when connecting to a VIP.
  Notes:
  • For DNS sessions, the client’s DNS transaction ID is shown instead of a protocol port number.
  • The output for connection-reuse sessions shows 0.0.0.0 for the forward source and forward destination addresses.
  • For source-IP persistent sessions, if the option to include the client source port (incl-sport) is enabled in the persistence template, the client address shown in the Forward Source column includes the port number.
    • IPv4 client addresses – The first two bytes of the displayed value are the third and fourth octets of the client IP address. The last two bytes of the displayed value represent the client source port. For example, “155.1.1.151:33067” is shown as “1.151.129.43”.
    • IPv6 client addresses – The first two bytes in the displayed value are a “binary OR” of the first two bytes of the client’s IPv6 address and the client’s source port number. For example, “2001:ff0:2082:1:1:1:d1:f000” with source port 38287 is shown as “b58f:ff0:2082:1:1:1:d1:f000”.
  Also see the output examples below.
  Note: For information about session table entries for Firewall Load Balancing (FWLB), see the AX Series System Configuration and Administration Guide.
Forward Dest – VIP to which the client is connected.
Reverse Source – Real server’s IP address.
  Note: If the ACOS device is functioning as a cache server (RAM caching), asterisks (*) in this field and the Reverse Dest field indicate that the ACOS device directly served the requested content to the client from the AX RAM cache. In this case, the session is actually between the client and the ACOS device rather than the real server.
Reverse Dest – IP address to which the real server responds.
  • If source NAT is used for the virtual port, this address is the source NAT address used by ACOS device when connecting to the real server.
  • If source IP NAT is not used for the virtual port, this address is the client IP address.
Age – Number of seconds since the session started.
Hash – CPU ID.
Flags – This value is used by A10 Technical Support.
Type – This value is used by A10 Technical Support.
RADIUS ID – For RADIUS load balancing sessions, shows the RADIUS request ID.
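
The incl-sport encoding described for the Forward Source field can be reproduced when matching session-table rows against client addresses and ports recorded in other logs. The following Python code is an added example, not part of the A10 documentation or software; the function names and the sample observations are assumptions, and the port is assumed to be stored high byte first, which agrees with both examples in Table 17.

```python
import ipaddress

# Constructed (client address, source port) pairs standing in for entries
# from server or firewall logs. They are not taken from a real device.
SAMPLE_OBSERVED = [
    ("155.1.1.151", 33067),
    ("10.20.1.151", 33067),
    ("155.1.1.151", 33068),
    ("2001:ff0:2082:1:1:1:d1:f000", 38287),
    ("2001:ff0:2082:1:1:1:d1:f000", 46478),
    ("2001:ff0:2082:1:1:1:d1:f000", 443),
]


def encode_forward_source(client_ip, src_port):
    """Build the Forward Source value Table 17 describes for incl-sport."""
    if not 1 <= src_port <= 65535:
        raise ValueError("source port must be 1-65535")
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 4:
        octets = addr.packed
        # Third and fourth octets of the client address, then the port as
        # two bytes (assumption: high byte first, as in the page's example).
        shown = bytes([octets[2], octets[3], src_port >> 8, src_port & 0xFF])
        return str(ipaddress.IPv4Address(shown))
    raw = bytearray(addr.packed)
    # First 16 bits of the IPv6 address ORed with the source port.
    first_group = int.from_bytes(raw[:2], "big") | src_port
    raw[:2] = first_group.to_bytes(2, "big")
    return str(ipaddress.IPv6Address(bytes(raw)))


def decode_ipv4_forward_source(shown):
    """Return what an IPv4 Forward Source value still carries.

    The first two octets of the client address are not in the displayed
    value, so only the last two octets and the port can be recovered.
    """
    b = ipaddress.IPv4Address(shown).packed
    return {
        "third_octet": b[0],
        "fourth_octet": b[1],
        "src_port": (b[2] << 8) | b[3],
    }


def candidates_for(shown, observed):
    """List the observed (ip, port) pairs that would display as `shown`.

    More than one pair can match: IPv4 drops two octets, and the IPv6
    binary OR cannot be reversed, so treat every hit as a candidate.
    """
    target = ipaddress.ip_address(shown)
    hits = []
    for ip, port in observed:
        if ipaddress.ip_address(ip).version != target.version:
            continue
        if ipaddress.ip_address(encode_forward_source(ip, port)) == target:
            hits.append((ip, port))
    return hits


if __name__ == "__main__":
    for value in ("1.151.129.43", "b58f:ff0:2082:1:1:1:d1:f000"):
        print(value, "->", candidates_for(value, SAMPLE_OBSERVED))
```
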

Monitor Mode > SLB > Application


The pages in this sub-module display detailed statistics for SLB services.

Monitor Mode > SLB > Application > Proxy > Generic

This page shows SLB statistics for the generic service type. Statistics are
listed separately for each of the ACOS device’s CPUs.

Table 18 describes the fields on this page.

TABLE 18 Monitor Mode > SLB > Application > Proxy > Generic

Field – Description
Current Proxy Conns – Number of currently active connections using the generic proxy.
Total Proxy Conns – Total number of connections that have used the generic proxy.
Client Fail – Please contact A10 Networks for information.
Server Fail – Please contact A10 Networks for information.
Server Selection Failure – Number of times selection of a real server failed.
No Route Failure – Please contact A10 Networks for information.
Source NAT Failure – Number of source NAT failures.

Monitor Mode > SLB > Application > Proxy > Fast-HTTP

This page shows SLB statistics for the Fast-HTTP service type. Statistics
are listed separately for each of the ACOS device’s CPUs.

Table 19 describes the fields on this page.

TABLE 19 Monitor Mode > SLB > Application > Proxy > Fast-HTTP

Field – Description
Curr Proxy Conns – Number of currently active connections using the fast-HTTP proxy.
Total Proxy Conns – Total number of connections that have used the fast-HTTP proxy.
HTTP Requests – Number of HTTP requests received by the fast-HTTP proxy.
HTTP Requests(succ) – Number of HTTP requests successfully fulfilled (by establishing a connection to a real server).
No Proxy Error – Number of proxy errors.
Client RST – Number of times TCP connections with clients were reset.
Server RST – Number of times TCP connections with servers were reset.
No Tuple Error – Number of tuple errors.
Parse Req Fail – Number of times the HTTP parser failed to parse a received HTTP request.
Server Selection Fail – Number of times selection of a real server failed.
Fwd Req Fail – Number of forward request failures.
Fwd Req Data Fail – Number of forward request data failures.
Req Retransmit – Number of retransmitted requests.
Req Pkt Out-of-Order – Number of request packets received from clients out of sequence.
Server Reselection – Number of times initial selection of a real server for an HTTP request failed (for example, due to a TCP Reset sent by the server).
Server Premature Close – Number of times the connection with a server closed prematurely.
Server Conn Made – Number of connections made with servers.
Source NAT Failure – Number of source NAT failures.
Data Before Compression, Data After Compression – These counters show statistics for HTTP compression, in bytes.
Request Over Limit – Please contact A10 Networks for information.
Request Rate Over Limit – Please contact A10 Networks for information.
Out RSTs – Please contact A10 Networks for information.
Full proxy tot – Total number of fast-HTTP sessions that entered the full HTTP path.
Full proxy POST – Number of fast-HTTP sessions that entered the full HTTP path due to the POST body content.
Full proxy pipeline – Number of request packets that used HTTP pipelining.
Full proxy fpga err – Number of fast-HTTP sessions that entered the full HTTP path due to an error in FPGA parsing.

Monitor Mode > SLB > Application > Proxy > HTTP

This page shows SLB statistics for the HTTP service type. Statistics are
listed separately for each of the ACOS device’s CPUs.

Table 20 describes the fields on this page.

TABLE 20 Monitor Mode > SLB > Application > Proxy > HTTP

Field – Description
Curr Proxy Conns – Number of currently active HTTP connections using the A10 Thunder Series and AX Series device as an HTTP proxy.
Total Proxy Conns – Total number of HTTP connections that have used the A10 Thunder Series and AX Series device as an HTTP proxy.
HTTP Requests – Total number of HTTP requests received by the HTTP proxy.
HTTP Requests(succ) – Number of HTTP requests received by the HTTP proxy that were successfully fulfilled by connection to a real server.
HTTP Requests (cache succ) – Number of HTTP requests received by the HTTP proxy that were successfully fulfilled from the cache.
No Proxy Error – Number of proxy errors.
Client RST – Number of times TCP connections with clients were reset.
Server RST – Number of times TCP connections with servers were reset.
No Tuple Error – Number of tuple errors.
Parse Req Fail – Number of times the HTTP parser failed to parse a received HTTP request.
Server Selection Fail – Number of times selection of a real server failed.
Fwd Req Fail – Number of forward request failures.
Fwd Req Data Fail – Number of forward request data failures.
Req Retransmit – Number of retransmitted requests.
Req Pkt Out-of-Order – Number of request packets received from clients out of sequence.
Server Reselection – Number of times initial selection of a real server for an HTTP request failed (for example, due to a TCP Reset sent by the server).
Server Premature Close – Number of times the connection with a server closed prematurely.
Server Conn Made – Number of connections made with servers.
Source NAT Failure – Number of source NAT failures.
Data Before Compression, Data After Compression – These counters show statistics for HTTP compression, in bytes.
Request Over Limit – Please contact A10 Networks for information.
Request Rate Over Limit – Please contact A10 Networks for information.


Monitor Mode > SLB > Application > Proxy > SMTP

This page shows SLB statistics for the SMTP service type. Statistics are
listed separately for each of the ACOS device’s CPUs.

Table 21 describes the fields on this page.

TABLE 21 Monitor Mode > SLB > Application > Proxy > SMTP

Field – Description
Curr Proxy Conns – Number of currently active SMTP connections using the A10 Thunder Series and AX Series device as an SMTP proxy.
Total Proxy Conns – Total number of SMTP connections that have used the A10 Thunder Series and AX Series device as an SMTP proxy.
SMTP Requests – Total number of SMTP requests received by the SMTP proxy.
SMTP Requests(succ) – Number of SMTP requests received by the A10 Thunder Series and AX Series device that were successfully fulfilled (by connection to a real server).
No Proxy Error – Number of proxy errors.
Client RST – Number of times TCP connections with clients were reset.
Server RST – Number of times TCP connections with servers were reset.
No Tuple Error – Number of tuple errors.
Parse Req Fail – Number of times parsing of an SMTP request failed.
Server Selection Fail – Number of times selection of a real server failed.
Fwd Req Fail – Number of forward request failures.
Fwd Req Data Fail – Number of forward request data failures.
Req Retransmit – Number of retransmitted requests.
Req Pkt Out-of-Order – Number of request packets received from clients out of sequence.
Server Reselection – Number of times a request was forwarded to another server because the current server was failing.
Server Premature Close – Number of times the connection with a server closed prematurely.
Server Conn Made – Number of connections made with servers.
Source NAT Failure – Number of source NAT failures.


Monitor Mode > SLB > Application > Proxy > TCP

This page shows SLB TCP-Proxy statistics. Statistics are listed separately
for each of the ACOS device’s CPUs.

Table 22 describes the fields on this page.

TABLE 22 Monitor Mode > SLB > Application > Proxy > TCP

Field – Description
Currently EST Conns – Current number of established TCP connections being handled by the proxy.
Active Open Conns – Number of connections opened actively.
Passive Open Conns – Number of connections opened passively.
Connect Attempt Failures – Number of TCP connection attempts that failed.
Total in TCP Packets – Total number of TCP packets received by the TCP proxy.
Total out TCP Packets – Total number of TCP packets sent by the TCP proxy.
Retransmitted Packets – Number of TCP packets retransmitted by the TCP proxy.
Resets Rcvd on EST Conn – Number of TCP Resets received for established connections.
Reset Sent – Number of TCP Resets sent by the ACOS device.
Input Errors – Number of invalid TCP packets received by the ACOS device.
Sockets Allocated – Number of TCP sockets currently allocated.
Orphan Sockets – Current number of orphan sockets.
Memory Alloc – Total memory allocated for TCP.
Total Rx Buffer – Total RX buffers allocated for TCP.
Total Tx Buffer – Total TX buffers occupied by TCP.
TCP in SYN-SNT State – Current number of TCP connections in the SYN-SNT state.
TCP in SYN-RCV State – Current number of TCP connections in the SYN-RCV state.
TCP in FIN-W1 State – Current number of TCP connections in the Fin-Wait-1 state.
TCP FIN-W2 State – Current number of TCP connections in the Fin-Wait-2 state.
TCP TimeW State – Current number of TCP connections in the Time Wait state.
TCP in Close State – Current number of TCP connections in the Close state.
TCP in CloseW State – Current number of TCP connections in the Close-Wait state.
TCP in LastACK State – Current number of TCP connections in the Last-ACK state.
TCP in Listen State – Current number of TCP connections in the Listening state.
TCP in Closing State – Current number of TCP connections in the Closing state.

Monitor Mode > SLB > Application > Proxy > DNS Cache
This page shows proxy statistics for DNS caching.

Table 23 describes the fields on this page.

TABLE 23 Monitor Mode > SLB > Application > Proxy > DNS Cache

Field – Description
Total Allocated – Total memory allocated for cached entries.
Total Freed – Total memory freed.
Total Query – Total number of DNS queries received by the ACOS device.
Total Server Response – Total number of responses from DNS servers received by the ACOS device.
Total Cache Hit – Total number of times the ACOS device was able to use a cached reply in response to a query.
Query Not Passed – Number of queries that did not pass a packet sanity check.
Response Not Passed – Number of responses that did not pass a packet sanity check. The ACOS device checks the DNS header and question in the packet, but does not parse the entire packet.
Response Exceed Cache Size – Please contact A10 Networks for information.
Response Answer Not Passed – Please contact A10 Networks for information.
Query Encoded – Number of queries that were not cached because the domain name in the question was encoded in the DNS query packet.
Response Encoded – Number of queries that were not cached because the domain name in the question was encoded in the DNS response packet.
Query With Multiple Questions – Number of queries that were not cached because they contained multiple questions.
Response With Multiple Questions – Number of responses that were not cached because they contained answers for multiple questions.
Response With Multiple Answers – Number of responses that contained more than one answer.
Response with Short TTL – Number of responses that had a short time to live (TTL).
Total Aged Out – Total number of DNS cache entries that have aged out of the cache.
Total Aged for Lower Weight – Number of cache entries aged out due to their weight value.
Total Stats Log Sent – Total number of logs sent.
Current Allocate – Current memory allocation.
Current Data Allocate – Current data allocation.

Monitor Mode > SLB > Application > Proxy > Diameter
This page shows proxy statistics for Diameter load balancing.

Table 24 describes the fields on this page.

TABLE 24 Monitor Mode > SLB > Application > Proxy > Diameter
Field | Description
Current Proxy Conns | Number of currently active Diameter connections using the ACOS device as a Diameter proxy.
Total Proxy Conns | Total number of Diameter connections that have used the ACOS device as a Diameter proxy.
Client Fail | Number of times client-side failure terminated connection.
Server Fail | Number of times server-side failure terminated connection.
Server Selection Failure | Number of times selection of a real server failed.
No Route Failure | Number of times Diameter failed due to route lookup failure.
Source NAT Failure | Number of source NAT failures.
Concurrent User Session | Number of concurrent Diameter sessions.
acr out | Number of Accounting-Request messages sent by the ACOS device.
acr in | Number of Accounting-Request messages received by the ACOS device.
aca out | Number of Accounting-Answer messages sent by the ACOS device.
aca in | Number of Accounting-Answer messages received by the ACOS device.
cea out | Number of Capabilities-Exchange-Answer messages sent by the ACOS device.
cea in | Number of Capabilities-Exchange-Answer messages received by the ACOS device.
cer out | Number of Capabilities-Exchange-Request messages sent by the ACOS device.
cer in | Number of Capabilities-Exchange-Request messages received by the ACOS device.
dwr out | Number of Device-Watchdog-Request messages sent by the ACOS device.
dwr in | Number of Device-Watchdog-Request messages received by the ACOS device.
dwa out | Number of Device-Watchdog-Answer messages sent by the ACOS device.
dwa in | Number of Device-Watchdog-Answer messages received by the ACOS device.
str out | Number of Session-Termination-Request messages sent by the ACOS device.
str in | Number of Session-Termination-Request messages received by the ACOS device.
sta out | Number of Session-Termination-Answer messages sent by the ACOS device.
sta in | Number of Session-Termination-Answer messages received by the ACOS device.
asr out | Number of Abort-Session-Request messages sent by the ACOS device.
asr in | Number of Abort-Session-Request messages received by the ACOS device.
asa out | Number of Abort-Session-Answer messages sent by the ACOS device.
asa in | Number of Abort-Session-Answer messages received by the ACOS device.
other out | Number of Diameter messages of other types (other message codes) sent by the ACOS device.
other in | Number of Diameter messages of other types received by the ACOS device.

Monitor Mode > SLB > Application > Proxy > SIP

This page shows proxy statistics for the Session Initiation Protocol (SIP)
service type.

Table 25 describes the fields on this page.

TABLE 25 Monitor Mode > SLB > Application > Proxy > SIP
Field | Description
SIP Session created | Total number of SIP sessions that have been created.
SIP Sessions freed | Total number of SIP sessions that have been freed.
Curr SIP Proxy | Number of currently active connections using the SIP proxy.
Total SIP Proxy | Total number of connections that have used the SIP proxy.
Client message rcvd | Total number of SIP messages received from clients.
  • Sent to server – Number of SIP messages received by the client and forwarded to the server.
  • Incomplete – Number of packets which contain incomplete messages.
  • aFleX drop – Number of packets dropped due to an aFleX policy.
  • Connecting server – Number of connected servers.
  • Failed – Number of SIP messages received by the client but not forwarded to the server.
Server message rcvd | Total number of SIP messages received from servers.
  • Sent to client – Number of SIP messages received by the server and forwarded to the client.
  • Incomplete – Number of packets which contain incomplete messages.
  • aFleX drop – Number of packets dropped due to an aFleX policy.
  • Failed – Number of SIP messages received by the server but not forwarded to the client.
Server conn created |
  • Created successfully – Number of server connections created successfully.
  • Failed – Number of failed server connection attempts.
Message parsing failed | Number of SIP messages that failed to be parsed.
Message processing failed | Total number of SIP messages that failed to be processed.
  • Failed to insert call-id session – Number of SIP messages failed to be processed because the call-id session was not inserted into the hash table.
  • Failed to insert URI session – Number of SIP messages failed to be processed because the URI session was not inserted into the hash table.

Monitor Mode > SLB > Application > Proxy > SMPP

This page shows SLB statistics for the SMPP service type. Statistics are
listed separately for each of the ACOS device’s CPUs.

Table 26 describes the fields on this page.

TABLE 26 Monitor Mode > SLB > Application > Proxy > SMPP
Field | Description
SMPP msg mem allocated | Total amount of memory currently in use for SMPP connections.
SMPP msg mem cached | Total amount of memory cached for SMPP connections.
SMPP msg mem freed | Total amount of memory freed after an SMPP connection has closed.
SMPP msg payload allocated | Total amount of memory allocated for the SMPP packet payload.
SMPP msg payload freed | Total amount of memory freed from the SMPP packet payload.
Curr SMPP Proxy | Number of currently active connections using the SMPP proxy.
Total SMPP Proxy | Total number of connections that have used the SMPP proxy.
Client message rcvd | Total number of SMPP messages received from clients.
  • Sent to server – Number of SMPP messages received by the client and forwarded to the server.
  • Incomplete – Number of packets which contain incomplete messages.
  • AX responds directly – Number of times the ACOS device responded directly to a client’s request.
  • Drop – Number of packets dropped due to the configured SMP resource limit.
  • Connecting server – Number of times the ACOS device forwarded a client’s request to the SMPP server.
  • Failed – The following counters display the number of failed connections, listed by the cause:
    • Failed to parse
    • Failed to process
    • Failed to SNAT
    • Exceeded buff
    • Failed to send
    • Server conn start failed
Server message rcvd | Total number of SMPP messages received from servers.
  • Sent to client – Number of SMPP messages received by the server and forwarded to the client.
  • Incomplete – Number of packets which contain incomplete messages.
  • Drop – Number of packets dropped due to the configured SMP resource limit.
  • Failed – Number of SMPP messages received by the server that were not forwarded to the client. The following counters display the number of failed connections, listed by cause:
    • Failed to parse
    • Failed to process
    • Failed to sel client conn
    • Failed to SNAT
    • Exceeded buff
    • Failed to send
Server conn created |
  • Created successfully – Number of server connections created successfully.
  • Failed – Number of failed server connection attempts, listed by cause:
    • Failed to SNAT
    • Failed to construct
    • Failed to reserve
    • Failed to start
    • Server conn already exists
    • Failed to insert
Message parsing failed | Number of SMPP messages that the ACOS failed to parse. The following sub-counters describe the cause:
  • The packet size too small – Number of SMPP messages that were not parsed because the message size was less than 4 bytes.
  • Invalid sequence number – SMPP messages are incremented by +1. This counter indicates the total number of SMPP messages that were not parsed because of an incorrect sequence number.
Message processing failed | Number of times the ACOS could not process the SMPP message. The following sub-counters describe the cause:
  • No vport – There was no virtual port that matched the destination of the SMPP message.
  • Failed to select server – Server selection failure to forward the SMPP request.
Client conn selection | The following counters apply to SMPP client selection:
  • Select by request – Number of client connections, selected by the type of request message.
  • Select by roundbin – Number of client connections selected by the Round Robin algorithm.
  • Select by conn – Number of client connections, selected by the connection type.
  • Select failed – Number of times the ACOS failed to select a client for the SMPP connection.
Server conn selection | The following counters apply to SMPP server selection:
  • Select by request – Number of server connections, selected by the type of request message.
  • Select by roundbin – Number of server connections selected by the Round Robin algorithm.
  • Select by conn – Number of server connections, selected by the connection type.
  • Select failed – Number of times the ACOS failed to select a server for the SMPP connection.
Bind client and server | Number of times the ACOS successfully forwarded the initial BIND message from a client to an SMPP server.
Unbind client and server | Number of times the ACOS disconnected the client from an SMPP server.
Receive enquire_link | Total number of ENQUIRE_LINK messages that the ACOS received from the SMPP client or server.
Receive enquire_link_resp | Total number of ENQUIRE_LINK_RESP messages that the ACOS received from the SMPP client or server.
Send enquire_link | Total number of ENQUIRE_LINK messages that the ACOS device has sent.
Send enquire_link_resp | Total number of ENQUIRE_LINK_RESP messages that the ACOS device has sent.
Put client conn in list, Get client conn from list, Put server conn in list, Get server conn from list | Please contact A10 Networks for information.
Fail to bind server | Total number of times the ACOS device received a BIND message and failed to connect the client to an SMPP server.
Single message | Total number of single messages that were sent to the ACOS and did not require a response.
Transfer msg from L4 to L7 CPU | Number of SMPP messages that the ACOS transferred from a Layer 4 CPU to a Layer 7 CPU.
Fetch msg from L7 CPU | Number of SMPP messages that the ACOS transferred from the Layer 7 CPU to a Layer 4 CPU.
Transfer msg from proxy to conn CPU | Number of SMPP messages that the ACOS transferred from the proxy CPU to the connection CPU.
Fetch msg from conn CPU | Number of SMPP messages that the ACOS transferred from the connection CPU to the proxy CPU.
Transfer msg from L7 to L4 CPU | Number of SMPP messages that the ACOS transferred from a Layer 7 CPU to a Layer 4 CPU.
Transfer msg from conn to proxy CPU | Number of SMPP messages that the ACOS transferred from the connection CPU to the proxy CPU.
Fail to dcmsg, Conn is deprecated during dcmsg | Please contact A10 Networks for information.
Alloc mem failed | Number of times a connection failed because the ACOS device did not have access to sufficient memory resources.
Unexpected error | Number of unexpected errors that are not categorized by the other counters.
Identify L7 CPU failed | Please contact A10 Networks for information.
AX holds msg | Number of messages that the ACOS device has received from a client or server and has yet to forward.
Splited packet | Number of times the ACOS split TCP packets which contain multiple SMPP messages.
Message in pipeline | Number of SMPP messages that the ACOS processed using an HTTP pipeline.
Client RST | Number of times TCP connections with clients were reset.
Server RST | Number of times TCP connections with servers were reset.


Monitor Mode > SLB > Application > Proxy > FIX

This page shows SLB statistics for the Financial Information Exchange
(FIX) proxy. Statistics are listed separately for each of the ACOS device’s
CPUs.

Table 27 describes the columns in this display.

TABLE 27 Monitor Mode > SLB > Application > Proxy > FIX
Field | Description
Current Proxy Conns | Number of currently active connections using the FIX proxy.
Total Proxy Conns | Total number of connections that have used the FIX proxy.
Client Fail | Number of times that the connection was terminated due to an error on the client side.
Server Fail | Number of times that the connection was terminated due to an error on the server side.
Server Selection Failure | Number of times selection of a real server failed.
No Route Failure | Number of times FIX failed due to a route lookup failure.
Source NAT Failure | Number of source NAT failures.
Insert Client IP | Number of times that the ACOS inserted the client’s IP address into tag 11447 and forwarded the recalculated request packet to the FIX server.
Default Switching | Number of times that the ACOS parsed the tag value from a client’s request and selected a service-group based on a match with the configured tag keyword.
Sender ID Switching | Instances of content switching based on the sender’s identification tag (SenderCompID).
Target ID Switching | Instances of content switching based on the receiver’s identification tag (TargetCompID).


Monitor Mode > SLB > Application > Proxy > Mysql

This page shows database load-balancing (DBLB) statistics for the MySQL
database system. Statistics are listed separately for each of the ACOS
device’s CPUs.

Table 28 describes the columns in this display.

TABLE 28 Monitor Mode > SLB > Application > Proxy > Mysql
Field | Description
Current Proxy Conns | Number of currently active connections using the DBLB proxy.
Total Proxy Conns | Total number of connections that have used the DBLB proxy.
Curr BE Encryption Conns | Number of currently active, encrypted connections on the back-end (BE), between the ACOS and server which processes database queries.
Total BE Encryption Conns | Total number of encrypted connections that have occurred on the back-end (BE), between the ACOS and server which processes database queries.
Curr FE Encryption Conns | Number of currently active, encrypted connections on the front-end (FE) between the ACOS and client.
Total FE Encryption Conns | Total number of encrypted connections that have occurred on the front-end (FE) between the ACOS and a client.
Client FIN | Number of TCP connections that were closed from the client-side.
Server FIN | Number of TCP connections that were closed from the server-side.
Session err | Total number of session errors that occurred while processing DBLB requests.
DB Queries | Total number of received database queries.
  Note: This counter corresponds to the number of instances that the aFleX DB_QUERY event was triggered.
DB commands reply | Total number of received database commands.
  Note: This counter corresponds to the number of instances that the aFleX DB_COMMAND event was triggered.


Monitor Mode > SLB > Application > Proxy > Mssql

This page shows database load-balancing (DBLB) statistics for the MS-SQL
database system. Statistics are listed separately for each of the ACOS
device’s CPUs.

Table 29 describes the columns in this display.

TABLE 29 Monitor Mode > SLB > Application > Proxy > Mssql
Field | Description
Current Proxy Conns | Number of currently active connections using the DBLB proxy.
Total Proxy Conns | Total number of connections that have used the DBLB proxy.
Curr BE Encryption Conns | Number of currently active, encrypted connections on the back-end (BE), between the ACOS and server which processes database queries.
Total BE Encryption Conns | Total number of encrypted connections that have occurred on the back-end (BE), between the ACOS and server which processes database queries.
Curr FE Encryption Conns | Number of currently active, encrypted connections on the front-end (FE) between the ACOS and client.
Total FE Encryption Conns | Total number of encrypted connections that have occurred on the front-end (FE) between the ACOS and a client.
Client FIN | Number of TCP connections that were closed from the client side.
Server FIN | Number of TCP connections that were closed from the server-side.
Session err | Total number of session errors that occurred while processing DBLB requests.
DB Queries | Total number of received database queries.
  Note: This counter corresponds to the number of instances that the aFleX DB_QUERY event was triggered.
DB commands reply | Total number of received database commands.
  Note: This counter corresponds to the number of instances that the aFleX DB_COMMAND event was triggered.


Monitor Mode > SLB > Application > Connection Reuse

This page shows SLB connection reuse statistics. Statistics are listed
separately for each of the ACOS device’s CPUs.

Table 30 describes the fields on this page.

TABLE 30 Monitor Mode > SLB > Application > Connection Reuse
Field | Description
Open Persistent | Number of new client connections directed to the same server as previous connections by the persistence feature.
Active Persistent | Number of currently active connections that were sent to the same real server by the persistence feature.
Total Established | Total number of established connections.
Total Terminated | Total number of terminated connections.
Total Bound | Total number of bound connections.
Total Unbound | Total number of unbound connections.
Total Delayed Unbindings | Number of connections whose unbinding was delayed.
Total Long Responses | Number of responses that took too long.
Total Missed Responses | Number of missed responses to HTTP requests.

Monitor Mode > SLB > Application > Persistent

This page shows SLB persistence statistics. Statistics are listed separately
for each of the ACOS device’s CPUs.

Table 31 describes the fields on this page.

TABLE 31 Monitor Mode > SLB > Application > Persistent
Field | Description
URL Hash Persistent OK(primary) | Number of requests successfully sent to the primary server selected by URL hashing. The primary server is the one that was initially selected and then re-used based on the hash value.
URL Hash Persistent OK(secondary) | Number of requests that were sent to another server (a secondary server) because the primary server selected by URL hashing was unavailable.
URL Hash Persistent Fails | Number of requests that could not be fulfilled using URL hashing.
Source IP Persistent OK | Number of requests successfully sent to the same server as previous requests from the same client, based on source-IP persistence.
Source IP Persistent Fails | Number of requests that could not be fulfilled by the same server as previous requests from the same client, based on source-IP persistence.
SSL SID Persistent OK | Number of requests successfully sent to the same server as previous requests with the same SSL session ID.
SSL SID Persistent Fails | Number of requests that could not be fulfilled by the same server as previous requests with the same SSL session ID.
Cookie Persistent OK | Number of requests successfully sent to the same server as previous requests with the same persistence cookie.
Cookie Persistent Fails | Number of requests that could not be fulfilled by the same server as previous requests with the same persistence cookie.
Persistent Cookie Not Found | Number of requests in which a persistence cookie was not found.

Monitor Mode > SLB > Application > SSL

This page shows statistics for the ACOS device’s SSL processing module.

Table 32 describes the fields on this page.

TABLE 32 Monitor Mode > SLB > Application > SSL
Field | Description
Number of SSL Modules | Total number of SSL processing modules on the device.
SSL Module n | ID number of the SSL module to which the following statistics apply.
Number of Enabled Crypto Engines | Number of SSL encryption/decryption processing engines that are enabled.
Number of Available Crypto Engines | Number of SSL encryption/decryption processing engines that are available on the device.
Number of Requests Handled | Number of SSL encryption/decryption requests handled by the SSL module.
Current clientside SSL Connections | Number of currently active client-side SSL sessions.
Total clientside SSL Connections | Total number of client-side SSL sessions since the last time statistics were cleared.
Current serverside SSL Connections | Number of currently active server-side SSL sessions.
Total serverside SSL Connections | Total number of server-side SSL sessions since the last time statistics were cleared.
Failed SSL Handshakes | Number of SSL sessions in which the SSL security handshake failed.
Failed Crypto operations | Number of times an encryption/decryption failure occurred for an SSL record.
SSL Memory Usage | Amount of memory in use by the SSL processing module.
SSL fail CA verification | Number of times an SSL session was terminated due to a certificate verification failure.
HW Context Memory alloc failed | Number of times the encryption processor was unable to allocate memory.
HW ring full | Number of times the AX software was unable to enqueue an SSL record to the SSL processor for encryption/decryption. (Number of times the processor reached its performance limit.)
Record too big | Number of oversize SSL records received.
Total times of reusing SSL session(IDs) | Total number of times an SSL session ID was reused.
Total client ssl context malloc failures | Total number of times that the ACOS failed to allocate memory for an SSL session. This counter applies only when an SSL template is defined using aFleX.


Monitor Mode > SLB > Application > RAM Caching > Details

This page shows statistics for the RAM caching feature.

Table 33 describes the fields on this page.

TABLE 33 Monitor Mode > SLB > Application > RAM Caching > Details
Field | Description
Cache Hits | Number of times a requested page was found in the cache and served from the cache.
Cache Misses | Number of times a requested page was not found in the cache.
Memory Used | Amount of RAM currently used by cached content.
Bytes Served | Total number of bytes served from the cache.
Entries Cached | Number of objects currently in the cache.
Entries Replaced | Number of cached items that were removed to make room for newer entries, per the replacement policy.
Entries Aged Out | Number of entries that were removed because they are older than their expiration time.
Entries Cleaned | Number of cached objects that have aged out and therefore been removed from the cache.
Total Requests | Total number of requests received on all virtual server ports on which caching is configured.
Cacheable Requests | Number of requests that are potentially cacheable.
No-cache Requests | Number of requests with no-cache header directives.
No-cache Responses | Number of responses with no-cache header directives.
IMS Requests | Number of requests that contained an If-Modified-Since header.
304 Responses | Number of 304 – Not Modified responses sent to clients.
Revalidation Successes | Number of entries that were successfully revalidated by the server.
Revalidation Failures | Number of times revalidation failed.
Policy URI nocache | Number of times requested content was not cached due to a URI policy.
Policy URI cache | Number of times a request was cached due to a URI policy.
Policy URI invalidate | Number of times a request was invalidated due to a URI policy.
Content Too Big | Number of cacheable items that were not cached because the file size was larger than the configured maximum content size.
Content Too Small | Number of cacheable items that were not cached because the file size was smaller than the configured minimum content size.
Srvr Resp - Cont Len | Number of responses that contained Content-Length headers.
Srvr Resp - Chnk Enc | Number of responses that were chunk encoded.
Srvr Resp - 304 Status | Number of responses that had status code 304.
Srvr Resp - Other | Number of responses that were of other types.
Cache Resp - No Comp | Number of objects received from the content server that were uncompressed.
Cache Resp - Gzip | Number of objects received from the content server that were compressed using gzip.
  Gzip is an encoding format produced by the file compression program “gzip” (GNU zip) as described in RFC 1952 (Lempel-Ziv coding [LZ77] with a 32 bit CRC).
Cache Resp - Deflate | Number of objects received from the content server that were compressed using deflate.
  Deflate is the “zlib” format defined in RFC 1950 in combination with the “deflate” compression mechanism described in RFC 1951.
Cache Resp - Other | Number of objects received from the content server that were compressed using compress.
  Compress is the encoding format produced by the common UNIX file compression program “compress” (adaptive Lempel-Ziv-Welch coding [LZW]).
Entry create failures | Counter used by A10 technical support for troubleshooting.


Monitor Mode > SLB > Application > RAM Caching > Objects

This page displays information about cached objects.

Table 34 describes the fields on this page.

TABLE 34 Monitor Mode > SLB > Application > RAM Caching > Objects
Field | Description
Host | Virtual port number on which RAM caching is enabled.
Object URL | URL from which the cached object was obtained by the ACOS device.
Bytes | Length of the cached object.
Type | Indicates whether the cached object has a Content-Length header, is compressed, or is chunk-encoded:
  • CL – Content-Length header
  • CP – Compressed
  • CE – Chunk-encoded
Status | Status of the entry:
  • FR – Fresh
  • ST – Stale
  • IN – Incomplete
  • FA – Failed
  • UN – Unknown
  • R – The entry must be revalidated.
Expires in | Number of seconds the object can remain unused before it ages out.


Monitor Mode > SLB > Application > RAM Caching > Replacement

This page displays the distribution of requests for cached objects.
Distribution is shown for only one RAM caching virtual port at a time. To display
request distribution for a different virtual port, select the virtual server and
port from the Virtual Server and Port drop-down lists.

Table 35 describes the fields on this page.

TABLE 35 Monitor Mode > SLB > Application > RAM Caching > Replacement
Field | Description
Frequency | Shows the frequency of requests. Entries listed for 1/256 (one in 256 requests) are the least requested, whereas entries listed for 128 are the most requested.
Total | Shows the total number of objects for the request frequency.

Monitor Mode > SLB > Application > FTP


This page shows SLB statistics for the FTP service type.

Table 36 describes the fields on this page.

TABLE 36 Monitor Mode > SLB > Application > FTP
Field | Description
Total Control Sessions | Total number of FTP control sessions load-balanced by the A10 Thunder Series and AX Series device.
Total ALG Packets | Total number of Application Layer Gateway (ALG) packets.
ALG Packets Rexmitted | Number of ALG packets that have been retransmitted.
Out of Connections | Number of times an FTP control session could not be established because none of the real servers had available connections.
Total Data Sessions | Total number of FTP data sessions load-balanced by the A10 Thunder Series and AX Series device.
Out of Connections | Number of times an FTP data session could not be established because none of the real servers had available connections.

Monitor Mode > SLB > Application > Net

This page shows Layer 4 SLB statistics. Statistics are listed separately for
each of the ACOS device’s CPUs.

Table 37 describes the fields on this page.

TABLE 37 Monitor Mode > SLB > Application > Net

Field | Description
IP out noroute | Number of IP packets that could not be routed.
TCP out RST | Number of TCP Resets sent.
TCP out RST no SYN | Number of Resets sent for which there was no SYN.
TCP out RST L4 proxy | Number of TCP Reset packets the ACOS device has sent as a Layer 4 proxy.
TCP out RST ACK attack | Number of TCP Resets sent in response to a TCP ACK attack.
TCP out RST aFleX | Number of TCP Reset packets the ACOS device has sent due to an aFleX.
TCP out RST stale sess | Number of TCP Reset packets the ACOS device has sent due to stale TCP sessions.
TCP out RST TCP proxy | Number of TCP Reset packets the ACOS device has sent as a TCP proxy.
TCP SYN received | Number of TCP SYN packets received.
TCP SYN cookie snt | Number of TCP SYN cookies sent.
TCP SYN cookie snt fail | Number of TCP SYN cookie send attempts that failed.
TCP received | Number of TCP packets received.
UDP received | Number of UDP packets received.
L2 DSR received | Number of Level 2 DSR packets received.
L3 DSR received | Number of Level 3 DSR packets received.
Server sel failure | Number of times selection of a real server failed.
Source NAT failure | Number of times a source NAT failure occurred.
Source NAT no fwd route | Number of times there was no route to the destination for Layer 3 NAT traffic.
Source NAT no rev route | Number of times there was no route to the source for Layer 3 NAT traffic.
Source NAT ICMP Process | Number of times an ICMP error related to source NAT occurred.
Source NAT ICMP No Match | Number of times an ICMP error related to source NAT occurred, and there was no matching session for the traffic.
TCP SYN cookie failed | Number of times a TCP SYN cookie failure occurred.
NAT no session drops | Number of times non-ICMP traffic to a NAT IP address was dropped because there was no matching session.
vport not matching drops | Number of times traffic was dropped because the requested virtual port was not available.
No SYN pkt drops | Number of SYN packets dropped.
No SYN pkt drops - FIN | Number of SYN packets dropped due to a TCP FIN.
No SYN pkt drops - RST | Number of SYN packets dropped due to a TCP Reset.
No SYN pkt drops - ACK | Number of SYN packets dropped due to an ACK.
Conn Limit drops | Number of packets dropped because the server connection limit has been reached.
Conn Limit resets | Number of connections reset because the server connection limit had been reached.
Conn rate limit drops | Number of connections dropped by connection rate limiting.
Conn rate limit resets | Number of connections reset by connection rate limiting.
Proxy no sock drops | Number of packets dropped because the proxy did not have an available socket.
aFleX drops | Number of packets dropped due to an aFleX policy.
Session aged out | Number of sessions that have aged out.
TCP Session aged out | Number of TCP sessions that have aged out.
UDP Session aged out | Number of UDP sessions that have aged out.
Other Session aged out | Number of sessions of other types (not TCP or UDP) that have aged out.
TCP no SLB | Number of non-SLB TCP packets received by the ACOS device.
UDP no SLB | Number of non-SLB UDP packets received by the ACOS device.
SYN Throttle | Number of SYN packets that have been throttled.
Inband HM retry | Number of times the ACOS device retried an inband health check, because a SYN-ACK was not received for the previous SYN.
Inband HM reassign | Number of times the ACOS device reassigned a client’s traffic to another server, because the initial server exceeded the maximum number of retries allowed by the inband health check.
Fast aging set | Please contact A10 Networks for information.
Fast aging reset | Please contact A10 Networks for information.
TCP invalid drop | Please contact A10 Networks for information.
SYN stale sess drop | Please contact A10 Networks for information.
Anomaly out of sequence | Number of packets that matched an IP anomaly out-of-sequence filter. Note: To configure IP anomaly filters, see “Config Mode > Security > Network > DDos Protection” on page 382.
Anomaly zero window | Number of packets that matched an IP anomaly zero-window filter.
Anomaly bad content | Number of packets that matched an IP anomaly bad-content filter.
Anomaly pbslb drop | Number of packets that matched an IP anomaly bad-content filter used for PBSLB.
No resource drop | Please contact A10 Networks for information.
Reset unknown conn | Please contact A10 Networks for information.
RST L7 on failover | Number of times a Layer 7 connection was reset due to failover.
ignore msl | Number of packets dropped by the ignore-tcp-msl option.
BW-Limit Exceed drop | Number of packets dropped because they exceeded the bandwidth limit.
BW-Watermark drop | Number of packets dropped because they exceeded the bandwidth watermark limit.
L4 CPS exceed drop | Number of packets dropped because they exceeded the Layer 4 Connections Per Second (CPS) limit.
NAT CPS exceed drop | Number of packets dropped because they exceeded the NAT CPS limit.
L7 CPS exceed drop | Number of packets dropped because they exceeded the Layer 7 CPS limit.
SSL CPS exceed drop | Number of packets dropped because they exceeded the SSL CPS limit.
SSL TPT exceed drop | Number of packets dropped because they exceeded the SSL TPT limit.
SSL TPT-Watermark drop | Number of packets dropped because they exceeded the template SSL TPT limit.
L3V Conn Limit Drop | Number of IP packets dropped because they exceeded the L3V connection limit.

Monitor Mode > SLB > Application > Switch

This page shows SLB switching statistics. Statistics are listed separately for
each of the ACOS device’s CPUs.

Table 38 describes the fields on this page.

TABLE 38 Monitor Mode > SLB > Application > Switch

Field | Description
L2 Forward | Number of packets that have been Layer 2 switched.
L3 IP Forward | Number of packets that have been Layer 3 routed.
IPv4 No Route Drop | Number of IPv4 packets that were dropped due to routing failures.
L3 IPv6 Forward | Number of IPv6 packets that have been Layer 3 routed.
IPv6 No Route Drop | Number of IPv6 packets that were dropped due to routing failures.
L4 Process | Number of packets that went to a VIP or NAT for processing.
Incorrect Length Drop | Number of packets dropped due to incorrect protocol length. Note: A high value for this counter can indicate a packet length attack.
Protocol Down Drop | Number of packets dropped because the corresponding protocol was disabled.
Unknown Protocol Drop | Number of packets dropped because the protocol was unknown.
TTL Exceeded Drop | Number of packets dropped due to TTL expiration.
Link Down Drop | Number of packets dropped because the outgoing link was down.
SRC Port Suppression | Packet drops because of source port suppression.
VLAN Flood | Number of packets that have been broadcast to a VLAN.
IP Fragment Received | Number of IPv4 fragments that have been received.
ARP Request Received | Number of ARP requests that have been received.
ARP Response Received | Number of ARP responses that have been received.
Forward Kernel | Number of packets received by the kernel from data interfaces.
IP(TCP) Fragment Received | Number of IP TCP fragments received.
IP Fragment Overlap | Number of overlapping fragments received.
IP Fragment Overlap Drops | Number of fragments dropped due to overlap.
IP Fragment Reasm Oks | Number of successfully reassembled IP fragments.
IP Fragment Reasm Fails | Number of fragment reassembly failures.
Anomaly Land Attack Drops | Number of packets dropped by an IP land attack filter. Note: This statistic and the other Anomaly statistics show how many packets were dropped by DDoS protection filters. For the ACOS device to drop these packets, the corresponding DDoS protection options must be enabled. (See “Config Mode > Security > Network > DDos Protection” on page 382.)
Anomaly IP Option Drops | Number of packets dropped by an IP option filter.
Anomaly Ping-of-Death Drops | Number of packets dropped by a ping-of-death filter.
Anomaly All Frag Drops | Number of packets dropped by a frag filter.
Anomaly TCP No Flag Drops | Number of packets dropped by a tcp-no-flag filter.
Anomaly SYN Frag Drops | Number of packets dropped by a tcp-syn-frag filter.
Anomaly TCP SYN Fin Drops | Number of packets dropped by a tcp-syn-fin filter.
Anomaly Any Drops | Number of packets dropped by any type of hardware-based DDoS protection filter.
BPDUs Received | Number of Bridge Protocol Data Units (BPDUs) received.
BPDUs Sent | Number of Bridge Protocol Data Units (BPDUs) sent.
ACL Denys | Number of times traffic was not forwarded due to a deny rule in an Access Control List (ACL). This counter also includes traffic dropped due to the l3-vlan-fwd-disable action in ACL rules.
SYN rate exceeded Drop | Number of packets dropped because the TCP SYN threshold had been exceeded.
Packet Error Drops | Number of packets dropped due to a packet error.
IPv6 Frag Reasm OKs | Number of successfully reassembled IPv6 fragments.
IPv6 Frag Reasm Fails | Number of IPv6 fragment reassembly failures.
IPv6 Frag Invalid Pkts | Number of IPv6 fragments that were invalid.
Bad Pkt Drop | Number of bad packets dropped.
IP Frag Exceed Drop | Number of fragmented IP packets that were dropped because they exceeded the allowed maximum.

Monitor Mode > SLB > Application > Hashed Certificate

This page displays hash entries for server certificates created by the ACOS
device for SSL intercept.

Optionally, you can filter the display to show only the entries for a specific
server IP address or name.

Table 39 describes the fields on this page.

TABLE 39 Monitor Mode > SLB > Application > Hashed Certificate

Field | Description
Real Server | IP address and protocol port of the real server.
hit times | Number of times the hash entry has been used for subsequent requests to the server and port.
idle time | Number of seconds since the last “hit” on this cache entry.
expires after | Maximum number of seconds this entry can remain idle before being cleared from the table.

Monitor Mode > GSLB


For descriptions of the counters displayed in the GSLB sub-module, see
“Monitor Mode – GSLB” on page 306.

Monitor Mode > Security


The pages of the security sub-module contain monitor information for
ACOS security features:
• WAF

• Authentication

• Access Control List (ACL)

Monitor Mode > Security > WAF


This page displays counters for WAF security checks.

Table 40 describes the columns in this display.

TABLE 40 Monitor Mode > Security > WAF

Field | Description
Requests | Total number of HTTP requests.
Requests denied | Total number of deny responses to HTTP requests.
Bad Bot Check | Counters for bot checking:
• Success – Total number of requests that included a bot.
• Failed – Total number of requests that were screened for bots and did not match.
Buffer Overflow Check | Counters for buffer overflow checks:
• URL too long – Total number of requests that included URL headers which exceeded the configured limit.
• Cookie too long – Total number of requests that included cookies which exceeded the configured limit.
• Headers too long – Total number of requests that included headers which exceeded the configured limit.
• POST body too long – Total number of POST requests with content length which exceeded the configured limit.
• Too many cookies – Total number of requests that were denied because they exceeded the configured cookie limit.
• Too many headers – Total number of requests that were denied because they exceeded the configured header limit.
Allowed HTTP Methods Check | Counters for allowed HTTP methods:
• Success – Total number of requests that contained only a method that is present in the Allowed HTTP Methods list.
• Failed – Total number of requests that contained a method that is not in the Allowed HTTP Methods list.
HTTP Protocol Check | Counters for responses that adhere to HTTP protocol:
• Success – Number of requests that followed valid HTTP protocol.
• Failed – Total number of requests that did not adhere to HTTP protocol.
Referer Check | Counters for referer header validation for incoming requests:
• Success – Number of requests that passed the referer header check.
• Failed – Number of requests that did not pass the referer header check.
• No Referer (Redirect) – Number of requests that did not contain a referer header.
URI White List Check | URI White List counters:
• Success (Match) – Number of requests that matched criteria in the URI White List and were accepted.
• Failed – Number of requests that did not match criteria in the URI White List and were denied.
URI Black List Check | URI Black List counters:
• Success – Number of requests that did not match criteria in the URI Black List and were accepted.
• Failed (Match) – Number of requests that matched criteria in the URI Black List and were denied.
URL Check | URL Check counters:
• Learned – Number of URL paths learned during Learning Mode and added to the URL Check list.
• Success – Number of requests that matched the URL Check list and were accepted.
• Failed – Number of requests that did not match the URL Check list and were denied.
Form Consistency Check | Counters for Web form consistency:
• Success – Number of requests that passed the Web form consistency check.
• Failed – Number of requests which did not match the original structure of the Web form and were denied.
Form CSRF Tag Check | Counters for the CSRF check on Web form field tags in outbound responses:
• Success – Number of requests that passed the check.
• Failed – Number of requests which did not match the nonce for the Web form and were denied.
CCN Mask | Counters for credit card numbers masked in requests. This counter is separated into the following credit card types:
• Amex
• Diners
• Visa
• MasterCard
• Discover
• JCB
SSN Mask | Counters for US social security number checks:
• US SSN’s masked – Total number of SSN numbers that the WAF discovered and masked.
PCRE Mask | Counters for custom PCRE pattern checks:
• PCRE’s masked – Total number of custom PCRE string matches the WAF discovered and masked.
Cookie Encryption | Counters for cookie encryption:
• Encrypt Success
• Encrypt Failed
• Encrypt Limit Exceeded
• Encrypt Skipped
• Decrypt Success
• Decrypt Failed
SQLIA Check | Counters for the SQL Injection Attack (SQLIA) check:
• URL Success – Number of requests that passed the SQLIA check for the URL.
• URL Sanitized – Total number of requests in which the URL component was sanitized of an SQL attack pattern and that were accepted.
• URL Failed – Number of requests that contained an SQLIA in the URL.
• POST Success – Number of requests that passed the SQLIA check for the POST body.
• POST Sanitized – Total number of requests in which the POST body component was sanitized of an SQL attack pattern and that were accepted.
• POST Failed – Number of requests that contained an SQLIA in the POST body.
• Rejected – Total number of requests that were denied because they contained an SQL injection attack.
XSS Check | Counters for cross-site scripting (XSS) attacks:
• Cookie Success – Number of requests that passed the cookie inspection portion of the XSS check.
• Cookie Sanitized – Number of requests that contained an XSS attack in the cookie, were sanitized, and were accepted.
• Cookie Failed – Number of requests that contained an XSS attack in the cookie and were denied.
• URL Success – Number of requests that passed the URL inspection portion of the XSS check.
• URL Sanitized – Number of requests that contained an XSS attack in the URL, were sanitized, and were accepted.
• URL Failed – Number of requests that contained an XSS attack in the URL and were denied.
• POST Success – Number of requests that passed the POST body inspection portion of the XSS check.
• POST Sanitized – Number of requests that contained an XSS attack in the POST body, were sanitized, and were accepted.
• POST Failed – Number of requests that contained an XSS attack in the POST body and were denied.
Response Code Hidden | Total number of response codes hidden from server replies before the replies were forwarded.
Response headers filtered | Total number of response headers that WAF sanitized and forwarded.
Learning updates | Number of additional rules generated from the WAF learning mechanisms when the WAF is operating in Learning Mode.

Monitor Mode > Security > Authentication


The pages of this section display monitor information for Application
Access Management (AAM) features.

Table 41 describes the columns in this display.

TABLE 41 Monitor Mode > Security > Authentication

Column | Description

Authentication Statistics Section
No. of requests | Total number of client authentication requests.
No. of responses | Total number of AAA server replies.
No. of misses | Total number of times authentication failed, for any reason counted by other statistics below.

A10authd Statistics Section
Opened socket / Open socket failed / Created timer / Create timer failed / Total request | Internal statistics used by A10 Technical Support for monitoring or troubleshooting the ACOS authentication process.

OCSP / RADIUS / LDAP / KERBEROS
This section lists counters for each AAA server by type.
Request | Number of requests sent to the server.
Response success | Number of responses received from the server.
Response failure | Number of requests sent to the server which did not receive a response.
Response error | Number of requests that were sent to the ACOS device, but not processed due to an error.
Response timeout | Number of times ACOS sent a request to the server and the server response time exceeded the configured timeout.
Response other | Counter for miscellaneous responses, not applicable to any other counters.

A10authd RADIUS Statistics Section
Authorization success | Number of RADIUS Authentication requests that succeeded.
Authorization failure | Number of RADIUS Authentication requests that failed.
Authorize success | Number of RADIUS Authorization requests that succeeded.
Authorize failure | Number of RADIUS Authorization requests that failed.
Timeout error | Number of aborted requests because the RADIUS server response time exceeded the configured timeout.
Other error | Number of miscellaneous authentication errors, not applicable to any other counters.

A10authd LDAP Statistics Section
Bind success | Number of times the ACOS device sent a BIND message to the LDAP server and successfully opened a connection.
Bind failure | Number of times the ACOS device sent a BIND message to the LDAP server and did not open a connection.
Search success | Number of times an LDAP database search succeeded.
Search failure | Number of times an LDAP database search failed.
Authorize success | Number of LDAP Authorization requests that succeeded.
Authorize failure | Number of LDAP Authorization requests that failed.
Timeout error | Number of aborted requests because the LDAP server response time exceeded the configured timeout.
Other error | Number of miscellaneous authentication errors, not applicable to any other counters.

A10authd Kerberos Statistics Section
kerberos request send | Number of requests sent to the Kerberos server.
kerberos request get | Number of responses received from the Kerberos server.
Timeout error | Number of aborted requests because the Kerberos server response time exceeded the configured timeout.
Other error | Number of miscellaneous authentication errors, not applicable to any other counters.

Monitor Mode > Security > ACL


The pages of this section display monitor information for access control
lists (ACLs).

Monitor Mode > Security > ACL > IPv4 ACL


This page lists the configured IPv4 ACLs.

Table 42 describes the columns in this display.

TABLE 42 Monitor Mode > Security > ACL > IPv4 ACL

Column | Description
ID/Name | ID or name of the ACL.
Usage/Remark/Content | Shows the following information:
• Usage – Lists the system resources to which the ACL is applied. For example, if the ACL is applied to an Ethernet interface, the interface number is shown. Each system resource name in the list is a hyperlink. You can click on the resource name to navigate to the configuration page for that resource.
• Remark – Shows the remark added to the ACL, if configured.
• Content – Shows the rules defined in the ACL. The rules are shown in their CLI syntax.
Hits(data plane) | Number of times traffic has matched the ACL. Note: The Hits counter is not applicable to ACLs applied to the management port.

Monitor Mode > Security > ACL > IPv6 ACL


This page lists the configured IPv6 ACLs.

Table 43 describes the columns in this display.

TABLE 43 Monitor Mode > Security > ACL > IPv6 ACL

Column | Description
Name | Name of the ACL.
Remark/Content | Shows the following information:
• Remark – Shows the remark added to the ACL, if configured.
• Content – Shows the rules defined in the ACL. The rules are shown in their CLI syntax.
Hits(data plane) | Number of times traffic has matched the ACL. Note: The Hits counter is not applicable to ACLs applied to the management port.

Monitor Mode > IP Source NAT


The following sections display monitoring information for IP source NAT.

Monitor Mode > IP Source NAT > Pool


This page shows statistics for dynamic IP source NAT.

Table 44 describes the fields on this page.

TABLE 44 Monitor Mode > IP Source NAT > Pool

Field | Description
Pool | IP pool name.
Start IP Address | First IP address in the pool.
End IP Address | Last IP address in the pool.
ACL | ACLs bound to the pool, and the number of times traffic matched the ACLs. To display the ACL list, click on the plus sign.
Port Usage | Number of sessions currently being NATted for the address. Each session counted here uses a unique TCP or UDP protocol port. ICMP traffic does not cause this counter to increment.
Total Used | Total number of sessions that have been NATted for the source address.
Total Freed | Number of NATted sessions that have been terminated, thus freeing up a port for another session.
Failed | Number of dynamic NAT attempts that failed.

Monitor Mode > IP Source NAT > Static NAT


This page shows statistics for static IP source NAT.

Table 45 describes the fields on this page.

TABLE 45 Monitor Mode > IP Source NAT > Static NAT

Field | Description
Source Address | Source address bound to a NAT address.
Port Usage | Number of sessions currently being NATted for the address. Each session counted here uses a unique TCP or UDP protocol port. ICMP traffic does not cause this counter to increment.
Total Used | Total number of sessions that have been NATted for the source address.
Total Freed | Number of NATted sessions that have been terminated, thus freeing up a port for another session.

Monitor Mode > Network


The Monitor Mode > Network options display status information and
statistics for Layer 2 and Layer 3 features.

Monitor Mode > Network > Interface


This page shows configuration information and statistics for the ACOS
device’s Ethernet interfaces. The upper half of the page shows statistics in a
table. The lower half shows graphs for the same statistics.

Note: Information is shown for the data interfaces only, not the out-of-band
management interfaces.

Statistics Table

Table 46 describes the columns in the table in the upper half of the page.

TABLE 46 Monitor Mode > Network > Interface

Column | Description
IP Address | IP address configured on the interface. Note: If the ACOS device is deployed in transparent mode, the individual interface addresses are all “0.0.0.0/0”.
Speed | Speed and mode (full-duplex or half-duplex) configured on the interface.
Packets | Number of packets received (RX) and transmitted (TX) on the interface.
Bytes | Number of bytes received (RX) and transmitted (TX) on the interface.
Errors | Number of receive (RX) or transmit (TX) errors on the interface.
Other Errors | Number of receive (RX) or transmit (TX) errors that were not counted in the Errors column.

Statistics Graphs

By default, the following graphs are shown in the lower half of the page:
• Packet send and receive statistics

• Bits per second send and receive statistics

• RX and TX error statistics

• Other error statistics

The graphs are for the currently selected interface only (by default,
Ethernet 1). To display graphs for a different interface, click on the row of
information for that interface in the table.

You can hide one or more of the graphs by deselecting the checkbox for the
graph. As soon as you deselect or reselect a graph, the GUI refreshes the
page to hide or redisplay the graph.

These selection fields do not affect the display of statistics in the table.

Changing the Date and Time Span of the Statistics


By default, statistics for the last 30 minutes are shown.

To display statistics for a longer time span, select the time span from the
drop-down list located above the Dropped column of the statistics table.

To display statistics for a specific time span:


1. Select the Start Time:
a. Click the calendar icon at the end of the Start Time field. A calendar
is displayed.
b. Select the date or leave the date set to the current date.
c. Edit the time or use the time value shown (the current system time
when you open the calendar).

Note: To move the calendar popup, click on the bottom row of the calendar and
drag it.

2. Select the End Time using the calendar at the end of the End Time field.

Note: Statistics are available for only the most recent 30 days.

3. Click Go.

Refreshing Statistics

To manually refresh the statistics, click Refresh. To set them to be refreshed
automatically, select the refresh rate from the drop-down list next to the
Refresh button.

Clearing Statistics

To clear statistics, click Clear. The counters are returned to 0 and begin
incrementing again.

Monitor Mode > Network > Trunk


This page shows status information for the trunk interfaces configured on the
ACOS device.

Table 47 describes the columns in this display.

TABLE 47 Monitor Mode > Network > Trunk

Column | Description
Trunk ID | ID assigned to the trunk by the admin who configured it.
Name | Name of the trunk.
Status | Operation status of the trunk, Up or Down.
Member List | Ethernet interfaces that are members of the trunk, and the status of each interface:
• config – Configuration status, either enabled (green checkmark) or disabled (red X).
• operation – Operational status, either up (green up arrow) or down (red down arrow).
Ports Threshold | Indicates the minimum number of ports that must be up in order for the trunk to remain up. If the number of up ports falls below the configured threshold, the AX automatically disables the trunk’s member ports. The ports are disabled in the running-config. The ACOS device also generates a log message and an SNMP trap, if these services are enabled.
Ports Threshold Timer | Indicates how many seconds the ACOS device waits after a port goes down before marking the trunk down, if the ports threshold is exceeded.

Monitor Mode > Network > LACP


The LACP sub-module displays information for dynamic trunking with the
Link Aggregation Control Protocol (LACP).

Monitor Mode > Network > LACP > System ID

This page displays the LACP system ID of the ACOS device.

Monitor Mode > Network > LACP > Counter

This page displays configuration information for the specified LACP trunk.

Table 48 describes the columns in this display.

TABLE 48 Monitor Mode > Network > LACP > Counter

Field | Description
Port | Port ID of the LACP trunk and aggregate Ethernet ports.
LACPDUs | Link Aggregate Control Protocol Data Units.
Marker | The packet type exchanged between LACP partners to facilitate traffic from the old to new member port.
Pckt err | Number of times an LACP packet was not sent successfully, or number of times parsing of a received LACP packet indicated an error.

Monitor Mode > Network > LACP > Trunk

This page displays configuration information for LACP trunks.

Table 49 describes the fields on this page.

TABLE 49 LACP Trunk Summary


Field Description
Admin Key n Displays statistics for LACP trunk of Admin Key n.
• bandwidth
• mtu
• duplex mode
• hardware type
• type
• additional parameter
• ref count

Summary Displays configuration and status information for the LACP
trunk.
Detail Displays detailed LACP trunk information.

Monitor Mode > Network > VLAN


This page lists the configured Virtual Local Area Networks (VLANs) on the
ACOS device.

Table 50 describes the columns in this display.

TABLE 50 Monitor Mode > Network > VLAN > VLAN


Column Description
Interface AX interface through which the VLAN that has the
displayed MAC address can be reached.
MAC Address MAC address of the device.
Type Indicates whether the entry is dynamic or static.
Index The VLAN entry’s position in the VLAN table.

Monitor Mode > Network > ARP


The following pages display information for the Address Resolution Protocol
(ARP) table and IPv6 neighbor table.

Monitor Mode > Network > ARP > IPv4 ARP

This page displays the entries in the ACOS device’s IPv4 ARP table.

Table 51 describes the columns in this display.

TABLE 51 Monitor Mode > Network > ARP > IPv4 ARP
Column Description
IP Address IP address of the device.
MAC Address MAC address of the device.
Type Indicates whether the entry is static or dynamic.
Age For dynamic entries, the number of seconds since the entry
was last used.

State State of the ARP entry. The state can be one of the following:
• Incomplete
• Reachable
• Stale
• Delay
• Probe
• Failed
• No ARP
• Permanent
• None
Interface AX interface through which the device that has the displayed
MAC address and IP address can be reached.
VLAN ID VLAN through which the device that has the MAC address
can be reached.

Monitor Mode > Network > ARP > IPv6 Neighbor

This page displays the entries in the IPv6 Neighbor table.

Table 52 describes the columns in this display.

TABLE 52 Monitor Mode > Network > ARP > IPv6 Neighbor
Column Description
IPv6 Address IP address of the device.
MAC Address MAC address of the device.
Type Indicates whether the entry is static or dynamic.
Age For dynamic entries, the number of seconds since the entry
was last used.
State State of the ARP entry. The state can be one of the following:
• Incomplete
• Reachable
• Stale
• Delay
• Probe
• Failed
• No ARP
• Permanent
• None

Interface AX interface through which the device that has the displayed
MAC address and IP address can be reached.
VLAN ID VLAN through which the device that has the MAC address
can be reached.

Monitor Mode > Network > Route


The pages of this section display monitor information for IP routes.

Monitor Mode > Network > Route > IPv4 Route Table

This page lists the routes in the IPv4 route table.

By default, IP routes of all types are displayed. To filter the display, select a
route type from the drop-down list above the Destination IP field.

Table 53 describes the columns in this display.

TABLE 53 Monitor Mode > Network > Route > IPv4 Route Table
Column Description
Destination IP Subnet at the other end of the route.
Network Mask Network mask for the subnet.
Next Hop IP address of the router to which the ACOS device sends
traffic to reach the destination subnet.
Interface AX interface through which traffic is sent to the next hop.
Type Origin of the route information:
• Connected – The route is to a directly connected subnet.
• OSPF – The route came from OSPF.
• IS-IS – The route came from IS-IS.
• Static – The route was manually configured by an ACOS
device admin.


Monitor Mode > Network > Route > IPv4 Forwarding

Displays the IPv4 Forwarding Information Base (FIB).

Table 54 describes the columns in this display.

TABLE 54 Monitor Mode > Network > Route > IPv4 Forwarding
Column Description
Prefix Subnet at the other end of the route.
Next Hop IP address of the router to which the ACOS device sends
traffic to reach the destination subnet.
Interface AX interface through which traffic is sent to the next hop.
Distance Metric value (cost) of the route.
Index Index number of this FIB entry.

Monitor Mode > Network > Route > IPv6 Forwarding


Displays the IPv6 Forwarding Information Base (FIB).

Table 55 describes the columns in this display.

TABLE 55 Monitor Mode > Network > Route > IPv6 Forwarding
Column Description
Prefix Subnet at the other end of the route.
Next Hop IP address of the router to which the ACOS device sends
traffic to reach the destination subnet.
Interface AX interface through which traffic is sent to the next hop.
Distance Metric value (cost) of the route.


Monitor Mode > System


The pages in the System sub-module allow you to manage admin sessions
and display the system log.

Monitor Mode > System > Admin


This option has pages for managing admin sessions.

Monitor Mode > System > Admin > Admin Session

This page lists the admin sessions that are currently active. Your session is
indicated by a blue dot next to the Start Time column.

The session that currently has write access is indicated by Yes in the Config
Mode column.

To clear a session, select the checkbox next to the session, and click Delete.

Table 56 describes the columns in this display.

TABLE 56 Monitor Mode > System > Admin > Admin Session
Column Description
Start Time System time when the management session started.
User Name Name of the AX admin who opened this session.
IP Address IP address from which the admin logged in.
Config Mode Indicates whether the admin currently has write access. Only
one admin can have write access at a time.
Type Indicates the management type the session is using: CLI,
Web (GUI), or aXAPI.
Partition Partition to which the admin is assigned.
For admins with Partition Write, Partition Read, or Partition
RS Operator privileges, the partition name is the name of the
private partition to which the admin is assigned.
For admins with Root, Read Write, or Read Only privileges,
the partition name is “shared”, unless the admin has changed
partitions. (See “System Partitions” on page 34.)
Role Admin role assigned to the admin. The admin role specifies
the type of access allowed for each GUI page. (See “Config
Mode > System > Admin > Role” on page 446.)


Monitor Mode > System > Admin > Admin Locked

This page lists the admin accounts that have been locked due to excessive
invalid login attempts.

To unlock an admin account, select the checkbox next to the admin name,
and click Unlock.

Table 57 describes the columns in this display.

TABLE 57 Monitor Mode > System > Admin > Admin Locked
Column Description
Name Name of the AX admin.
Role Admin role assigned to the admin. The admin role specifies
the type of access allowed for each GUI page. (See “Config
Mode > System > Admin > Role” on page 446.)
Current Partition System partition the admin is locked out of.
Trusted Host IP host or subnet address from which the admin must log in.
Lockout Time If the account is locked, indicates how long the account has
been locked.
Scheduled Unlock Indicates how long the account will continue to be locked.

Monitor Mode > System > Logging


The pages in the Logging sub-module allow you to display system log and
audit log messages.

Monitor Mode > System > Logging > Logging

This page displays the system log (syslog). Messages in the ACOS device’s
local log buffer are displayed.

By default, messages of all log levels are displayed. To filter the display to
show messages of a specific level, select the message level from the
drop-down list above the Date/Time field.

To export a copy of the log as a tar.gz file:


1. Click Export.

2. Navigate to the save location.


3. Optionally, edit the filename too.

4. Click Save.

To clear the entries from the log, click Clear.

Table 58 describes the columns in this display.

TABLE 58 Monitor Mode > System > Logging > Logging


Column Description
Date/Time System date and time when the audit log message was
generated.
Level Security level of the message.
Module System module that generated the message.
Description The message text.

Monitor Mode > System > Logging > Audit


This page displays the audit log. The audit log lists changes made by AX
admins.

Note: Command auditing is disabled by default. To enable command auditing,
see “Config Mode > System > Settings > Log” on page 427.

Table 59 describes the columns in this display.

TABLE 59 Monitor Mode > System > Logging > Audit


Column Description
Date/Time System date and time when the audit log message was
generated.
User User account from which the change was made.
Description Change made by the user.


Monitor Mode > System > Diagnosis


The pages of the Diagnosis sub-module allow you to manage diagnostic
files. You can use these options to export and delete the following types of
files:
• AXDebug File – Export or delete AXdebug output.
• AXDebug Config – Manage entries of saved AXDebug filter configurations
and quickly enable AXDebug filter configuration settings on the
ACOS device.
• AXDebug Capture – Configure the settings for an AXDebug
filter with the option to immediately apply the newly configured
AXDebug filter.
• ShowTech File – Export files that are used by A10 Networks technical
support.
• Show Techsupport – Export system information as a file and save this
file to your local drive.

Monitor Mode > System > Diagnosis > AXDebug File


The AXDebug File page lists the AXdebug packet log files on the ACOS
device. These files are created when the AXdebug options are used in the
CLI.

Exporting AXDebug Files


1. Select Config Mode > System > Diagnosis > AXDebug File.

2. Select the checkbox next to each file to be exported.

3. Click Export.

4. Select Save File and click OK (Firefox), or click Save (Internet
Explorer).

5. Navigate to the location where you want to save the file.

6. Click Save.

Deleting AXDebug Files


1. Select Config Mode > System > Diagnosis > AXDebug File.

2. Select the checkbox next to each file to be deleted.

3. Click Delete.


Monitor Mode > System > Diagnosis > AXDebug Config

From this page, you can manage entries of saved AXDebug filter configurations
and quickly enable AXDebug filter configuration settings on the
ACOS device.
• Click the Add button to be redirected to the AXDebug Capture page.

• Click the Capture button to be redirected to the AXDebug File page.

• Select one or more checkboxes and click Export to save the AXdebug
output.

Table 60 describes the columns in this display.

TABLE 60 Monitor Mode > System > Diagnostics > AXDebug Config
Field Description
File Name Name of the AXDebug filter.
Timeout Span of time that statistics are captured by the filter.
Count Maximum number of packets the filter can capture.
Length Packet length the filter can capture.
Incoming Ethernet interfaces for incoming traffic.
Outgoing Ethernet interfaces for outgoing traffic.
Filter ID Identification number associated with the filter.

Monitor Mode > System > Diagnosis > AXDebug Capture


From the AXDebug Capture page you can save a combination of AXDebug
filter options as an AXDebug Capture file. You can edit the filters
of an existing file, or save the revised file under a new file name.

The following procedure describes how to save an AXDebug
Capture file:
1. In the Capture File field, enter a name for the saved AXDebug file.

2. To save AXDebug statistics for inbound traffic, select the checkbox in
the Incoming Interface selection. From the Unselected column, drag the
names of one or more Ethernet data interfaces to the Selected column,
as shown below:


FIGURE 13 AXDebug Capture – Interface Selection

FIGURE 14 AXDebug Capture – Add Selected Interface

3. To save AXDebug statistics for outbound traffic, select the checkbox in
the Outgoing Interface selection. From the Unselected column, drag the
names of one or more Ethernet data interfaces to the Selected column.

4. In the Packet Length field, specify the packet length to capture. You can
enter a value from 64 to 1518. The default is 1518.

5. In the Maximum Packets field, enter the maximum number of packets
this filter will capture. You can enter a value from 0 to 65535. The
default is 3000.

6. In the Maximum Packets Per CPU field, enter the maximum number of
packets this filter will capture per CPU. You can enter a value from 0
to 65535. The default is 0.

7. Set a Timeout, in minutes, for the length of time that statistics are
captured. You can enter a value from 0 to 65535. The default is 5 minutes.

8. Enter a number of Maximum Files to permit in the AXDebug configuration.
You can enter a value from 1 to 65535. The default is 100.

The Filter section provides options to configure the AXDebug filter and
apply identification values. See Table 61 for available options in this
section.


TABLE 61 Monitor Mode > System > Diagnostics > AXDebug Config

Field: Config File Name
Description: Name of the AXDebug filter.
Supported Values: String
Default: Not set

Field: Filter ID
Description: Identification number associated with the filter.
Supported Values: 1-32
Default: 1

Field: Protocol
Description: Selects a Layer 3 protocol and, optionally, protocol number or
valid IPv4 or IPv6 address. The filter matches with the specified protocol.
Supported Values: One of the following:
• IP
• IPv6
• ARP
• Neighbor
• TCP
• UDP
• ICMP
• ICMPv6
• Number
Based on the selected protocol, you can configure the following:
• Protocol Number – 1-65535
• Valid IPv4 or IPv6 address
Default: IP

Field: IP Address/Netmask
Description: Matches on the specified IPv4 or IPv6 address.
Supported Values: IPv4 or IPv6 address
Default: Not set

Field: Port
Description: Matches on the specified range of protocol port numbers.
Supported Values: The start and end of the range can be a value of 1-65535.
Default: 1 to 65535

Field: Offset
Description: Match on the specified length of bytes and value of those bytes
within the packet. Each text box for input corresponds to a different
parameter:
• The first text box, farthest to the left, is the starting position
within the packet.
• The second text box, in the center, is the beginning of the
range for consecutive bytes to filter.
• The third text box, farthest to the right, is the end of the range
for consecutive bytes to filter.
Supported Values: The starting position can be 1-65535 bytes. The beginning
and end of the filter range can be 1-65535 bytes. The operator can be one
of the following:
• <
• <=
• >
• >=
• =
• Range
Default: 1 length 1 < 1

9. When you are satisfied with your configuration, select one of the
following options:
• Capture – Saves the AXDebug file and redirects you to the AXDebug
File page. The new entry appears in the AXDebug File table
display.
• Save Config File – Saves the AXDebug file and immediately
applies the configuration. The entry appears in the AXDebug File
table display.


Monitor Mode > System > Diagnosis > ShowTech File

The ACOS device periodically generates files that contain system and
diagnostic information. These files are referred to as “techsupport” files,
and are used by A10 Networks technical support when helping to resolve
system issues.

This page lists the techsupport files on the ACOS device.

Exporting techsupport Files


1. Select Config Mode > System > Diagnosis > ShowTech File.

2. Select the checkbox next to each file to be exported.

3. Click Export.

4. Select Save File and click OK (Firefox), or click Save (Internet
Explorer).

5. Navigate to the location where you want to save the file.

6. Click Save.

Deleting techsupport Files


1. Select Config Mode > System > Diagnosis > ShowTech File.

2. Select the checkbox next to each file to be deleted.

3. Click Delete.

Monitor Mode > System > Diagnosis > Show Techsupport


This page enables you to export system information into a file that can be
used by A10 technical support to help resolve system issues. To export the
system information, click Export.


Monitor Mode > System > aVCS


The pages in the aVCS sub-module display information related to the AX
Series Virtual Chassis System (aVCS).

Note: You must activate aVCS to view these pages.

Monitor Mode > System > aVCS > Summary

This page displays global virtual chassis parameters, and lists the current
role (vMaster or vBlade) of each device in the virtual chassis.

Monitor Mode > System > aVCS > Statistics

This page displays counters and detailed statistics.

Monitor Mode > System > aVCS > Images

This page lists installed aVCS-capable AX software images.

Table 62 describes the fields of this page.

TABLE 62 Monitor Mode > System > aVCS > Images


Column Description
Image Name File name of the image.
Type The image file type can be one of the following:
• hd_pri – Image is located in the primary image area of the
SSD or disk.
• hd_sec – Image is located in the secondary image area of
the SSD or disk.
• cf_pri – Image is located in the primary image area of the
compact flash.
• cf_sec – Image is located in the secondary image area of
the compact flash.
• ext – Extended image, used for staged upgrades during
which multiple AX software versions run in the virtual
chassis.


Monitor Mode > System > HA


The HA sub-module displays High Availability (HA) information for the
ACOS device.

Monitor Mode > System > HA > Group

This page displays High Availability (HA) status information for the ACOS
device.

Table 63 describes the fields on this page.

TABLE 63 Monitor Mode > System > HA > Group


Column Description
HA Group ID ID of the HA group.
Local Status Indicates whether this ACOS device is in Active or Standby
mode.
Local Priority Priority value assigned to this HA group on this ACOS
device.
Peer Status Indicates whether the other ACOS device in the HA pair is in
Active or Standby mode.
Note: If the status is Incompatible Version, the ACOS
devices are running different software versions and the HA
feature is not compatible between the two versions. This
message is normal during upgrade, after one of the ACOS
devices has been upgraded and before the other device is
upgraded. If the devices are not being upgraded, it is
recommended to upgrade one of the devices so that they both are
running the same software version.
Peer Priority Priority value assigned to this HA group on the other ACOS
device.
Forced Standby Indicates whether the group has been forced by an admin to
change from Active to Standby status.


Monitor Mode > System > HA > Status

This page displays High Availability (HA) statistics for the ACOS device.

Table 64 describes the fields on this page.

TABLE 64 Monitor Mode > System > HA > Status


Column Description
Config Sync Status Shows the status of configuration synchronization between
this ACOS device and its HA peer.
Last Synchronized At System time when the configuration synchronization
between this ACOS device and its HA peer last occurred.
Connectivity Server Ports Shows the number of HA interfaces designated as server
interfaces that are currently up.
Connectivity Router Ports Shows the number of HA interfaces designated as router
interfaces that are currently up.
HA Packets Sent Shows the number of HA hello (heartbeat) packets sent by
this ACOS device.
HA Packets Received Shows the number of HA hello packets received by this
ACOS device.
HA Conn Sync Sent Shows the number of HA connection synchronization
(session mirroring) packets sent by this ACOS device.
HA Conn Sync Received Shows the number of HA connection synchronization
packets received by this ACOS device.
HA Errors Shows HA error statistics:
• In Duplicated HA ID – Number of incoming HA hello
(heartbeat) packets that had the same HA ID as the HA ID
of this ACOS device (the local ACOS device).
• In Invalid Group – Number of incoming HA hello packets
that had an invalid group ID.
• Version Mismatch – Number of incoming HA hello packets
that had a packet version mismatch.
• HA Set ID Mismatch – Number of incoming HA hello
packets that had an HA set ID mismatch.
• Missed Heartbeat – Total number of heartbeat (hello)
packets expected from the peer HA device that were not
received.
• Inaccurate Timer – Number of times HA internal timers
detected a variance.

HA Ports Shows statistics for each HA interface:
• Port – Data port that connects this device (the Local
device) to the peer device.
• Sent – Number of hello (heartbeat) messages sent on the
interface.
• Received – Number of hello messages received on the
interface.
• Missed Heartbeat – Number of hello messages that were
expected to be received on the interface but did not arrive.
Layer 2 Inline mode (Inline mode only) Shows the interface number used to
communicate with the peer HA device.

Monitor Mode > System > HA > Set ID Monitor

This page monitors heartbeat messages and lists the Set IDs that are
observed on the network. Refresh this page to reflect the current Set IDs.

Monitor Mode > System > VRRP-A


This sub-module displays Virtual Router Redundancy Protocol (VRRP-A)
information for the ACOS device.

Monitor Mode > System > VRRP-A > VRID

This page displays configuration parameters for VRRP-A.

Table 65 describes the fields on this page.

TABLE 65 Monitor Mode > System > VRRP-A > VRID


Column Description
VRID Virtual router ID.
Unit VRRP-A device ID.
“Local” indicates this ACOS device. “Peer” indicates
another ACOS device in the same VRRP-A set.
Local Status Indicates whether this ACOS device is in Active or Standby
mode.
Local Weight The weight assigned to this ACOS device.
Local Priority The priority value assigned to this ACOS device.
Forced Standby Indicates whether the ACOS device has been forced into
standby mode administratively.
Peer Device The VRRP-A peer of the local device.

Peer Status Indicates whether the other ACOS device in the VRRP-A
pair is in Active or Standby mode.
Note: If the status is Incompatible Version, the ACOS
devices are running different software versions and the
VRRP-A feature is not compatible between the two versions.
This message is normal during upgrade, after one of the
ACOS devices has been upgraded and before the other
device is upgraded. If the devices are not being upgraded, it
is recommended to upgrade one of the devices so that they
both are running the same software version.
Peer Weight The weight of the peer device.
Peer Priority Priority value assigned to this VRID, on the other ACOS
device.

Monitor Mode > System > VRRP-A > Status


This page displays the VRRP-A statistics for the ACOS device.

Table 66 describes the fields on this page.

TABLE 66 Monitor Mode > System > VRRP-A > Status


Column Description
Conn Sync Pkts Number of connection (session) synchronization packets
sent by this partition for the VRID.
Conn Query Pkts Number of session synchronization query packets sent by
this partition for the VRID. Query packets are sent by the
standby device to request session information.
Conn Sync Create Session Pkts Number of creation packets for synchronized connections
sent by this partition for the VRID.
Conn Sync Update Age Pkts Number of update packets for synchronized connections sent
by this partition for the VRID.
Conn Sync Delete Session Pkts Number of delete packets for synchronized connections sent
by this partition for the VRID.
Conn Sync Create Persist Session Pkts Number of creation packets for persistent synchronized
connections sent by this partition for the VRID.
Conn Sync Update Persist Age Pkts Number of update packets for persistent synchronized
connections sent by this partition for the VRID.
Conn Sync Delete Persist Session Pkts Number of delete packets for persistent synchronized
connections sent by this partition for the VRID.

VRRP-A Errors Shows VRRP-A error statistics:
• Duplicate Device ID – Number of incoming VRRP-A
hello (heartbeat) packets that had the same VRRP-A ID as
the VRRP-A ID of this ACOS device (the local ACOS
device).
• Set ID Mismatch – Number of incoming VRRP-A hello
packets that had a VRRP-A set ID mismatch.
• Version Mismatch – Number of incoming hello packets
that had a different VRRP-A software version than the one
running on this device.
• Error Port – Number of hello messages received from a
non-existent port.
• Error Device ID – Number of hello messages received
from an invalid device ID (any device ID higher than 8).
Peer • Peer ID – Device ID of the peer device, and the VRID.
• IP Address – IP address of the active peer for the VRID.
The active peer is the device to which this device (the
local device) sends sessions for synchronization.
VRRP-A Ports • Peer ID – ID of another ACOS device in the VRRP-A set.
• VRID – Virtual router ID.
• Port – Data port that connects this device (the Local
device) to the peer device.
• Received – Number of hello messages received on the
interface.
• Missed – Number of hello messages that were expected to
be received on the interface that did not arrive.

Monitor Mode > System > VRRP-A > Set ID Monitor

This page monitors heartbeat messages and lists the Set IDs that are
observed on the network. Refresh this page to reflect the current set IDs.

Monitor Mode > System > VRRP-A > Host ID

The Host ID helps to identify the peer devices that are learned through
heartbeat messages. The Host ID indicates which devices are configured as
VRRP-A peers.


Config Mode

The Config Mode is where you can view and change the configuration of
the ACOS device.

Note: For information about GSLB configuration options, see “Config Mode –
GSLB Service Options” on page 308.

Config Modules
The Config Mode offers the following sub-modules for setting
A10 Thunder Series and AX Series network and performance parameters:
• Get Started

• SLB

• GSLB

• Security

• IP Source NAT

• Network

• System

These configuration sub-modules have multiple unique, menu-selectable
options for system parameter configuration. The sections in this chapter and
the following chapters describe each configuration sub-module.


FIGURE 15 Config Mode


Config Menu Tree


Config Mode > Get Started
• Basic System
• Smart Template
• GSLB Easy Config

Config Mode > SLB
• Service
• Virtual Server
• Virtual Service
• Service Group
• Server
• Template
• Server
• Server Port
• Virtual Server
• Virtual Server Port
• Class List
• GLID
• Global
• Settings
• Monitor Resource
• Log Rate Limiting
• Template
• Application
• HTTP
• RAM Caching
• SMTP
• SIP
• RTSP
• Diameter
• Logging
• External Service
• FIX
• SMPP
• DBLB
• Connection Reuse
• L4
• TCP
• UDP
• Persistent
• Cookie Persistence
• Destination IP Persistence
• Source IP Persistence
• SSL Session ID Persistence
• SSL
• Client SSL
• Server SSL
• SSL Cipher
• TCP Proxy
• Health Monitor
• Health Monitor
• External Program
• Health HTTP Post File
• Global
• Black-White List
• aFleX
• SSL Management
• Certificate
• Cert Revocation List
• Expiration Mail
• Network Map

Config Mode > GSLB
• FQDN
• FQDN Group
• Zone
• Site
• Service IP
• DNS Proxy
• Geo-location
• Policy
• Global

Config Mode > Security
• WAF
• Bind
• Template
• Definition
• Authentication
• Bind
• Template
• Server
• Logon
• Relay
• Portal
• Template
• Policy
• DNS Firewall
• Network
• ACL
• DDos Protection
• ICMP Rate Limiting

Config Mode > IP Source NAT
• IPv4 Pool
• IPv6 Pool
• Group
• ACL Bind
• Interface
• NAT Range
• Static NAT
• Global

Config Mode > Network
• Interface
• LAN
• Management
• Transparent
• Virtual
• Global
• Trunk
• LACP
• VLAN
• VLAN
• MAC
• Global
• ARP
• IPv4
• IPv6 Neighbor
• Global
• Route
• IPv4 Static
• IPv6 Static
• DNS
• BPDU-Fwd-Group

Config Mode > System
• Settings
• Web
• Web Certificate
• Access Control
• Time
• Terminal
• Log
• General
• Boot
• Action
• Admin
• Administrator
• Partition
• Role
• Object Access Control
• Lockout Policy
• External Authentication
• Change Password
• SNMP
• Maintenance
• Upgrade
• Backup
• Restore
• License
• Console
• Config File
• aVCS
• General
• Settings
• HA
• HA Global
• HA Inline Mode
• HA Interface
• Config Sync
• VRRP-A
• VRRP-A Global
• VRRP-A Interface
• Failover Policy Template

This chapter describes the options under Get Started. For information about
the other Config options, see the following:
• “Config Mode – SLB Options” on page 149

• “Config Mode – Network Options” on page 397

• “Config Mode – System Options” on page 421

• “Config Mode – Security Options” on page 345

• “Config Mode – IP Source NAT Options” on page 385

Config Mode > Get Started


The Get Started options provide access to the following quick configuration
pages:
• Basic System

• Smart Template

• GSLB Easy Config

Note: For information about GSLB Easy Config, see “GSLB Easy Config” on
page 299.


Config Mode > Get Started > Basic System


This page provides easy access to basic system settings. To expand display
of a section or change settings, click on the link above the settings. To
change a password, click on the icon.

FIGURE 16 Config Mode > Get Started > Basic System

For information about the system settings, see the following sections:
• Management IP address and default gateway – See “Config Mode >
Network > Interface > Management” on page 404.
• Admin and enable passwords – See “Config Mode > System > Admin
> Administrator” on page 442.
• Time/Date settings – See “Config Mode > System > Settings > Time”
on page 461.
• DNS hostname, suffix, and servers – See “Config Mode > Network >
DNS” on page 418.
• SNMP state, community string, and trap state – See “Config Mode >
System > SNMP” on page 463.
• External syslog server – See “Config Mode > System > Settings >
Log” on page 427.
• Static route – See “Config Mode > Network > Route” on page 416.


Config Mode > Get Started > Smart Template


The GUI provides a set of templates that simplify configuration of popular
SLB solutions.

To configure an SLB application using a smart template, you need to enter
only a few items of information:
• Application name – A string to identify the application settings within
the GUI
• Virtual IP (VIP) address and protocol port – IP address and Layer 4 port
to which clients will send requests
• Real server IP addresses and protocol ports – IP addresses and Layer 4
ports on the backend servers. The ACOS device maps these to the VIP
address and port for load balancing.
• Source NAT addresses – If source NAT is required, you will need to
enter the starting and ending IP addresses in the pool, and the network
mask.
• SSL server certificates and keys – You can use a self-signed certificate
created on the ACOS device, or a certificate file and key imported onto
the ACOS device. The certificate must be created or imported before
you can use the smart template to create an application.

Additional parameters are automatically set based on the application. You
can edit them if needed.

The GUI uses the input you provide to create the SLB resources required for
implementing the application. These resources include real and virtual
server configurations, service groups, health monitors, IP NAT pools (if
applicable), and other templates related specifically to these resources.

Note: Deleting an application created using a smart template does not delete the
individual SLB resources created for the application.


Table 67 lists the smart templates available in this release. The SSL column
indicates whether you will need to either create a self-signed certificate, or
import an SSL server certificate and key, before using the smart template.

TABLE 67 SLB Smart Templates

Columns: Application Template | Description | SLB Resources Created by the GUI | SSL

Apache Web Server 2.2
  Description: Configures HTTP load balancing for Apache v2.2 web servers.
  SLB Resources Created by the GUI:
  • Real server configuration
  • Virtual server configuration
  • Health monitor
  • IP source NAT pool
  • Server port template
  • Connection-reuse template
  • Cache template
  • HTTP template
  • Client-SSL template
  • Cookie-persistence template
  SSL: N*

Basic DNS
  Description: Configures DNS firewall applications, which protect backend
  DNS servers from attacks and enhance response time to client queries.
  Note: In the current release, this smart template supports configuration
  of malformed query filtering but does not support configuration of
  per-VIP DNS caching.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • UDP service group
  • UDP template
  SSL: N

Basic FTP
  Description: Configures FTP load balancing.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  SSL: N

Basic HTTP
  Description: Configures HTTP load balancing.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  If NAT is required, the following resources also are created:
  • IP source NAT pool
  • Connection-reuse template
  SSL: N

Basic HTTPS
  Description: Configures HTTPS load balancing.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  • Client-SSL template
  SSL: Y

Basic StarTTLS
  Description: Configures secure Simple Mail Transfer Protocol (SMTP) mail
  using STARTTLS.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  • SMTP template
  • Client-SSL template
  SSL: Y

Citrix XenApp 6.5
  Description: Configures load balancing for Citrix XenApp 6.5.
  SLB Resources Created by the GUI:
  • Virtual server
  • Service group
  • Health monitor
  • Server port template
  • Source-IP persistence template
  SSL: N

Financial Information eXchange (FIX)
  Description: Configures load balancing for secure securities transactions
  using FIX.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  • TCP health monitor
  • Server port template
  • IP source NAT pool
  • Source-IP persistence template
  SSL: N

IBM WebSphere 8.0
  Description: Configures load balancing for IBM WebSphere 8.0.
  SLB Resources Created by the GUI:
  • Virtual server configuration
  • Service group
  • Health monitor
  • IP source NAT pool
  • Server port template
  • Connection-reuse template
  • Cache template
  • HTTP template
  • Client-SSL template
  • Cookie-persistence template
  SSL: N*

Juniper Networks SA Series SSL VPN
  Description: Configures load balancing for Juniper Networks SA Series SSL
  VPN appliances.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  • HTTPS health monitor
  If NAT is required, the following resource also is created:
  • IP source NAT pool
  SSL: N

Microsoft Exchange Server
  Description: Configures load balancing for Microsoft Office Exchange
  servers.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  • HTTP health monitor
  • HTTP template
  • RAM caching template
  • TCP-proxy template
  • Cookie-persistence template
  If SSL is used, the following resources also are created:
  • Client-SSL template
  • Server-SSL template
  If NAT is required, the following resource also is created:
  • IP source NAT pool
  SSL: N*

Microsoft IIS 7.0
  Description: Configures load balancing for Microsoft IIS 7.0.
  SLB Resources Created by the GUI:
  • Virtual server configuration
  • Service group
  • Health monitor
  • IP source NAT pool
  • Server port template
  • Connection-reuse template
  • Cache template
  • HTTP template
  • Client-SSL template
  • Cookie-persistence template
  SSL: N*

Microsoft Office Communications Server
  Description: Configures load balancing for Microsoft Office
  Communications servers.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  • HTTP health monitor
  • HTTP template
  • TCP-proxy template
  • Client-SSL template
  • Server-SSL template
  SSL: Y

Microsoft Office SharePoint Server
  Description: Configures load balancing for Microsoft Office SharePoint
  servers.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  • HTTP health monitor
  • HTTP template
  • RAM caching template
  • TCP-proxy template
  • Cookie-persistence template
  If SSL is used, the following resources also are created:
  • Client-SSL template
  • Server-SSL template
  If NAT is required, the following resource also is created:
  • IP source NAT pool
  SSL: N*

Oracle Application Server
  Description: Configures load balancing for Oracle Application servers.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  • HTTP health monitor
  • HTTP template
  • TCP-proxy template
  • Client-SSL template
  SSL: Y

Oracle WebLogic 12c Application
  Description: Configures load balancing for Oracle WebLogic servers.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  • HTTP/HTTPS health monitor
  • Server port template
  • HTTP template (for basic deployment) or HTTPS (for advanced deployment)
  • Source-IP persistence template
  If SSL is used, the following resources also are created:
  • Client-SSL template
  If NAT is required, the following resource also is created:
  • IP source NAT pool
  SSL: N*

Windows 2008 Terminal Services Gateway Server Role
  Description: Configures load balancing for Windows 2008 Terminal Services
  in Gateway Server Role.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  • HTTPS health monitor
  • HTTP template
  • TCP-proxy template
  • Client-SSL template
  • Server-SSL template
  SSL: Y

Windows 2008 Terminal Services Remote Desktop
  Description: Configures load balancing for Windows 2008 Terminal Services
  Remote Desktop.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  • TCP template
  SSL: N

Windows 2008 Terminal Services Web Access Role
  Description: Configures load balancing for Windows 2008 Terminal Services
  Web Access.
  SLB Resources Created by the GUI:
  • Real server configurations
  • Virtual server configuration
  • TCP service group
  • TCP template
  SSL: Y

*. SSL is optional.

Creating an Application
1. If the application you plan to create requires an SSL server certificate
and key, create a self-signed certificate, or import the certificate and key
onto the ACOS device. (See “Config Mode > SLB > SSL Management”
on page 289.)

2. Select Config Mode > Get Started > Smart Template > .

3. Select the smart template for the type of application you plan to create.
(See Table 67 on page 138.)

4. Enter a name for the application in the Name field.

5. Enter the VIP address in the Virtual Server Address field.

6. Enter the virtual port number in the Virtual Server Port field.

7. Select a radio button for the virtual port type in the Virtual Server Port
Type field.


8. If SSL is required, select the certificate and key from the Cert and Key
drop-down lists.
To use a self-signed certificate, select the certificate name in both the
Cert and Key drop-down lists.

Note: If SSL is optional, first select Yes next to Using SSL to display the Cert
and Key selection fields.

9. If IP source NAT is required, enter the IP pool information in the
following fields:
• NAT Start IP Address – The beginning (lowest-numbered) IP
address in the pool.
• NAT End IP Address – The ending (highest-numbered) IP address
in the pool.
• NAT Netmask – The network mask.

Note: If IP source NAT is optional, first select Yes next to Using NAT to display
the input fields.

10. In the Server section, enter information about the real servers:
• Server – Enter or select the IP address of the real server.
• Port – Enter the protocol port number on the real server.
Click Add. Repeat for each server.

11. Click OK. The GUI creates the SLB resources for the application and
displays them in a list.
To view or modify a resource, select the Customize checkbox, then click
on its name in the Detail list. When the configuration page for the
resource is listed, click Help to access information about the
configuration options. (For more information, see “Customizing an
Application Configuration” on page 146.)

12. Click Return. The new application appears in the application list.
(To access this list later, select Config Mode > Get Started > Smart
Template.)


Configuration Example
The example GUI pages in the following figures configure an HTTP load
balancing application.

First, click the Create icon and select the name of a smart template for the
application you want to configure.

FIGURE 17 Config Mode > Get Started > Smart Template - Create


Enter the required information.

FIGURE 18 Basic HTTP Application - Configuration Page

Click OK.

FIGURE 19 Basic HTTP Application - Verification Page


Note: For an explanation of the Customize checkbox, see “Customizing an
Application Configuration” on page 146.

The new application appears in the application list.

FIGURE 20 Application List

Customizing an Application Configuration

You can customize individual application parameters, either while creating
the application or later. In either case, begin by accessing the parameters
from the verification page (Figure 19 on page 145).
1. Access the verification page for the application:
• During configuration of a new application, remain on the
Verification page and go to step 2.
• If the application is already configured:
a. Select Config Mode > Get Started > Smart Template.
b. Click on the application name.

2. Select the Customize checkbox. When selected, this checkbox displays
hyperlinks to the individual SLB resources for the application. (See
Figure 21 on page 147.)

3. Click on the name of the resource to customize. For example, in
Figure 21, to customize the virtual server configuration, click on
“app_HTTP-app_vserver”.
The configuration page for the resource appears.


FIGURE 21 Verification Page - Customize checkbox selected

FIGURE 22 Verification Page - Hyperlink for an SLB resource selected


FIGURE 23 Virtual Server Configuration Page


Config Mode – SLB Options

This chapter describes the SLB configuration options.


• “Config Mode > SLB > Service” on page 149

• “Config Mode > SLB > Template” on page 212

• “Config Mode > SLB > Health Monitor” on page 270

• “Config Mode > SLB > Black-White List” on page 287

• “Config Mode > SLB > aFleX” on page 289

• “Config Mode > SLB > SSL Management” on page 289

• “Config Mode > SLB > Network Map” on page 296

Note: For information about GSLB configuration options, see “Config Mode –
GSLB Service Options” on page 308.

Config Mode > SLB


Note: Access to configuration options will vary with your administrative role
and system configuration of the ACOS device. For information on the
privilege level of administrative roles, see “Preconfigured GUI Access
Roles” on page 447.

Config Mode > SLB > Service


The SLB pages enable you to configure SLB parameters.

Config Mode > SLB > Service > Virtual Server

This page displays the configured virtual servers.

The following configuration sections are displayed when you click Add or
click on a virtual server name.
• General

• Port


The Health column indicates the health of the virtual servers. Place the
mouse cursor over a health icon for more information.

You can view or edit the configuration of a virtual port directly from the list
of virtual servers. Click on the Edit icon next to the virtual server
name. Clicking on the icon displays a list of the virtual ports configured on
the virtual server. (See Figure 24.) To access the configuration page for a
virtual port, click on the port number.

FIGURE 24 Virtual Port Access from Virtual Server List

Disable and Enable


To disable virtual servers, select the checkbox next to each virtual server
you want to disable, then click Disable. Likewise, to re-enable virtual
servers, select the checkbox next to each virtual server you want to enable,
then click Enable.

VRID/HA Group Edit


To add multiple virtual servers to a VRID or HA group, select the checkbox
next to each of the virtual servers, then click Edit. The Group Edit page
appears. Select the VRID or HA group from the drop-down list and click
OK.

Virtual Server Parameters


Table 68 lists the parameters you can configure on virtual servers.

TABLE 68 Virtual Server Parameters


General Section

Name
  Description: Name to identify the virtual server on the ACOS device.
  Supported Values: String of 1-31 characters
  Default: None configured

Wildcard
  Description: If you are configuring a wildcard VIP, select this checkbox.
  The IP Address field is replaced by the Access List drop-down list.
  Supported Values: Enabled or disabled
  Default: Disabled

IP address or CIDR Subnet or Access List
  Description: Virtual IP address(es) that clients will request.
  • To configure a single VIP, select the IP version (IPv4 or IPv6), then
    enter the IP address. Leave the Wildcard checkbox unselected.
  • To configure a contiguous range of VIPs, enter the starting host address
    followed by the network mask length: ipaddr/mask-length
    Do not use a space before or after the forward slash.
    The ipaddr is the starting host address in the range and must be a valid
    host address. (For example, entering 192.168.1.0/24 is not valid.)
    Leave the Wildcard checkbox unselected.
  • To configure a wildcard VIP:
    1. Select the IP version (IPv4 or IPv6).
    2. Select the Wildcard checkbox.
    3. Select the ACL that specifies the VIP addresses that can use this
       VIP configuration.
  Supported Values: IPv4 or IPv6 host address or subnet address, or an ACL
  Default: None configured

Status
  Description: State of the virtual server.
  Supported Values: Enabled or Disabled
  Default: Enabled.

Disabled on Condition
  Description: Dynamically disables the server if its protocol ports go
  down. To do so, select the checkbox under Enabled, then select one of the
  following:
  • Disabled When All Ports Down – Automatically disables the virtual
    server if all its service ports are down.
  • Disabled When Any Port Down – Automatically disables the virtual
    server if any of its service ports is down.
  If OSPF redistribution of the VIP is enabled, this option also withdraws
  the route to the VIP in addition to disabling the virtual server.
  Supported Values: Enabled or Disabled
  Default: Disabled

ARP Status
  Description: When selected, disables or re-enables ARP replies from a
  virtual server.
  Supported Values: Selected or deselected
  Default: Deselected; ARP replies are enabled.

Stats Data
  Description: Enables collection of statistics data for the VIP.
  Note: Statistical data collection also must be enabled globally. See
  “Config Mode > SLB > Service > Global > Settings” on page 206.
  Supported Values: Enabled or Disabled
  Default: Enabled

Extended Stats
  Description: Enables collection of peak connection statistics.
  Supported Values: Enabled or Disabled
  Default: Disabled

Redistribution Flagged
  Description: Explicitly include or exclude the VIP in OSPF redistribution.
  Setting this option enables you to selectively redistribute individual
  VIPs. Without this option, the VIP is automatically redistributed if VIP
  redistribution is enabled in OSPF.
  • To redistribute a VIP, set this option on the VIP, and enter the
    following command at the OSPF configuration level:
    redistribute vip only-flagged
  • To exclude this VIP from redistribution, set this option on the VIP,
    and enter either of the following commands at the OSPF configuration
    level: redistribute vip only-not-flagged or redistribute vip
  Supported Values: Enabled or Disabled
  Default: Disabled

VRID/HA Group
  Description: The display of this field varies with VRRP-A or HA
  configuration:
  • If VRRP-A is enabled, this field displays the Virtual Router ID (VRID)
    to use for session backup.
    Note: If the drop-down list does not have any VRIDs, you still need to
    configure global VRRP-A parameters. See “Config Mode > System >
    VRRP-A > VRRP-A Global” on page 485.
  • If HA is enabled, this field displays the High Availability (HA) group
    ID to use for session backup.
    Note: If the HA Group drop-down list does not have any group IDs, you
    still need to configure global HA parameters. See “Config Mode >
    System > HA > Global” on page 477.
  Supported Values: Number of a configured VRID or HA group
  Default: Not set

Virtual Server Template
  Description: Binds a virtual server template to the virtual server.
  Settings in the template are used to configure the virtual server.
  Some of the parameters that can be set using a virtual server template
  can also be set on the individual virtual server. In this case, the
  setting in the template has lower priority than the setting on the
  virtual server.
  Supported Values: Configured virtual server template.
  Default: “default” virtual server template.

Policy Template
  Description: Binds a policy template to the virtual server. Settings in
  the template are used to configure IP limiting for the virtual server.
  Note: You also can bind a policy template to individual virtual ports. IP
  limiting settings in both templates take effect. Clients must comply with
  all IP limiting rules.
  Supported Values: Configured policy template.
  Default: None

Description
  Description: Description of the virtual server.
  Supported Values: String
  Default: None

Virtual Server Port Page

Note: The fields that are available depend on the service type you are
configuring. All supported fields are listed below. However, the fields that
are displayed and the order in which they are displayed depend on the
service type you select.

Type
  Description: Service type of the port.
  Notes:
  • Fast-HTTP is optimized for very high performance information transfer
    in comparison to regular HTTP. Due to this optimization, fast-HTTP does
    not support all the comprehensive capabilities of HTTP such as header
    insertion and manipulation. It is recommended not to use fast-HTTP for
    applications that require complete data transfer integrity.
  • The ACOS device allocates processing resources to HTTPS virtual ports
    when you bind them to an SSL template. This results in increased CPU
    utilization, regardless of whether traffic is active on the virtual
    port.
  • In the current release, the RADIUS port number on each real server must
    be the same. Use of mixed port numbers in the service group is not
    supported.
  Supported Values: One of the following:
  • HTTP – HTTP
  • HTTPS – Secure HTTP (SSL)
  • Fast-HTTP – Streamlined Hypertext Transfer Protocol (HTTP) service
  • TCP – Transmission Control Protocol
  • UDP – User Datagram Protocol
  • RTSP – Real Time Streaming Protocol
  • FTP – File Transfer Protocol
  • MMS – Microsoft Media Server
  • SSL-Proxy – SSL proxy service
  • SMTP – Simple Mail Transfer Protocol
  • SIP – Session Initiation Protocol over UDP
  • SIP-TCP – SIP over TCP
  • SIP-TLS – SIP over TCP/TLS
  • TCP-proxy – Generic TCP stack
  • DNS-UDP – UDP port for Domain Name System caching
  • DNS-TCP – TCP port for Domain Name System caching
  • Diameter – Diameter AAA
  • TFTP – Trivial File Transfer Protocol
  • RADIUS – Remote Authentication Dial-In User Service
  • Others – Wildcard port used for IP protocol load balancing. (See the
    “IP Protocol Load Balancing” chapter of the Application Delivery and
    Server Load Balancing Guide.)
  • FIX – Financial Information eXchange (FIX) protocol
  • MYSQL – MySQL database service
  • MSSQL – MS-SQL database service
  • SMPP-TCP – Short Message Peer-to-Peer (SMPP) protocol over TCP
  • SPDY – Google SPeeDy protocol
  • SPDYS – Secure SPDY
  Default: TCP

Port
  Description: Service port number.
  The following suboptions are available for virtual ports. (These may not
  apply to your deployment.)
  • Range – Assigns a range of port numbers to the virtual port. The base
    number for the range, where the range starts, is the primary port
    number. To enter the ending number of the range, select the To checkbox
    and enter the port number in the field.
  • Alternate – Select this option only if this port will be an alternate
    port, on standby for switchover from a primary virtual port on the same
    VIP. (On the primary port, select Use Alternate and configure the
    switchover criteria. See below.)
  Supported Values: 0-65535
  Default: Depends on the service type
  Note: Port 0 applies only to TCP, UDP, and Others service types. (See the
  “IP Protocol Load Balancing” chapter of the Application Delivery and
  Server Load Balancing Guide.)

Use Alternate
  Description: Enables switchover to another virtual port, based on
  specific conditions. To configure:
  1. Add the alternate virtual port to the VIP, if not already added.
  2. On the primary port (the one to which you are adding an alternate
     port), select the Use Alternate checkbox. This activates the
     configuration fields for the feature.
  3. Select the service type of the alternate port. (Use the Type
     drop-down list located to the right of the Use Alternate checkbox.)
     The service types that appear in the list differ depending on the
     service type of the primary virtual port you are configuring.
  4. Select the checkbox for each condition that will cause ACOS to switch
     over from the primary port to the alternate port. The conditions that
     are available depend on the service type of the alternate port.
  Supported Values: Configured virtual port to use as the alternate
  Default: Not set

Service Group
  Description: Service group to use for the virtual service port. The ACOS
  device uses real servers and ports in the service group to fulfill
  requests for the virtual service port.
  If the service group is not already configured, you can select “create”
  to configure it. In this case, when you click OK after configuring the
  service group, you are returned to this page.
  Supported Values: Name of a configured service group
  Default: Not set

Connection Limit
  Description: Number of concurrent connections allowed on the virtual
  service port.
  To specify the action to take for new connection requests after the limit
  has been reached, select one of the following:
  • Drop – The ACOS device silently drops the connection and does not send
    a reset to the client.
  • Reset – The ACOS device sends a connection reset to the client.
  • Logging – Generates a log message when the connection limit is
    exceeded.
  Supported Values: 0-8000000 (0 means no limit)
  Default: Not set

Use default server selection when preferred method fails
  Description: Continues checking for an available server in other service
  groups if all of the servers are down in the first service group selected
  by SLB.
  During SLB selection of the preferred server to use for a client request,
  SLB checks the following configuration areas, in the order listed:
  1. Layer 3-4 configuration items:
     a. aFleX policies triggered by Layer 4 events
     b. Policy-based SLB (black/white lists). PBSLB is a Layer 3
        configuration item because it matches on IP addresses in
        black/white lists.
  2. Layer 7 configuration items:
     a. Cookie switching
     b. aFleX policies triggered by Layer 7 events
     c. URL switching
     d. Host switching
  3. Default service group. If none of the items above results in selection
     of a server, the default service group is used.
     • If the configuration uses only one service group, this is the
       default service group.
     • If the configuration uses multiple service groups, the default
       service group is the one that is used if none of the templates used
       by the configuration selects another service group instead.
  The first configuration area that matches the client or VIP (as
  applicable) is used, and the client request is sent to a server in the
  service group that is applicable to that configuration area. For example,
  if the client's IP address is in a black/white list, the service group
  specified by the list is used for the client request.
  Supported Values: Selected or unselected
  Default: Selected

Use received hop for response
  Description: Sends replies to clients back through the last hop on which
  the request for the virtual port's service was received.
  Supported Values: Selected or deselected
  Default: Deselected

Parameter: Send client reset when server selection fails
Description: Sends a TCP reset (RST) to clients if server selection fails. Server selection failure can occur as the result of any of the following conditions:
• Server or port connection limit is reached
• Server or port connection rate limit is reached
• Client in a PBSLB black/white list reaches its connection
• The def-selection-if-pref-failed option is disabled and SLB selects a server for any reason
• All servers are down
Note: The TCP template Reset Receive option also can be used to send a RST to clients. In ACOS Release 2.2.1 and earlier, the Reset Receive option would send a RST in response to a server selection failure. In ACOS Release 2.2.2 and later, this is no longer true. This option (Send client reset when server selection fails) must be used instead.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Use default forwarding if server selection fails
Description: Forwards client traffic at Layer 3, if SLB server selection fails.
Note: This option applies only to wildcard VIPs on TCP or UDP service ports.
Supported Values: Enabled or Disabled
Default: Disabled. If SLB server selection fails, the traffic is dropped.

Parameter: Client IP Sticky NAT
Description: Ensures that the ACOS device always uses the same outbound link for a given client’s traffic.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Status
Description: State of the virtual service port.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: HA Connection Mirror
Description: Backs up session information on the Standby ACOS device in an HA configuration. When this option is enabled, sessions remain up even following a failover.
Notes:
• Session synchronization does not apply to DNS sessions. Since these sessions are typically very short lived, there is no benefit to synchronizing them. Likewise, session synchronization does not apply to static NAT sessions. Synchronization of these sessions is not needed since the newly Active ACOS device will create a new flow for the session following failover.
• This option also requires configuration of system HA parameters. (See “Config Mode > System > HA > Global” on page 477.)
• In HA deployments, HA session synchronization is required for persistent sessions (source-IP persistence, and so on), and is therefore automatically enabled for these sessions by the ACOS device. Persistent sessions are synchronized even if session synchronization is disabled in the configuration.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Direct Server Return
Description: Disables destination NAT, so that server responses go directly to clients.
Note: In the current release, for IPv4 VIPs, DSR is supported on virtual port types (service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported on virtual port types TCP, UDP, and RTSP.
Supported Values: Enabled or Disabled
Default: Disabled; destination NAT is enabled.

Parameter: SYN Cookie
Description: Protects against TCP SYN floods.
If enabled, select Expand to extend TCP options in SYN cookies.
Notes:
• If hardware-based SYN cookies are supported on the ACOS model you are configuring, use that version of the feature instead. (See the “Traffic Security Features” chapter of the System Configuration and Administration Guide.)
• In the current release, extended TCP options are supported only for software-based SYN cookies, not for hardware-based SYN cookies. You can enable the option on individual TCP virtual ports.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Stats Data
Description: Enables collection of statistics data for the virtual port.
Note: Statistical data collection also must be enabled globally. See “Config Mode > SLB > Service > Global > Settings” on page 206.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Extended Stats
Description: Enables collection of peak connection statistics.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Source NAT traffic against VIP
Description: Enables IP NAT support for the virtual port.
Source IP NAT can be configured on a virtual port in the following ways:
• ACL-SNAT Binding at the virtual port level
• VIP source NAT at the global configuration level
• aFleX policy bound to the virtual port
• Source NAT Pool at the virtual port level
These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and VIP source NAT is also enabled globally, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the ACL, the globally configured VIP source NAT can be used instead.
Note: The current release does not support source IP NAT on FTP or RTSP virtual ports.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Virtual Server Port Template
Description: Binds a virtual server port template to the virtual service port. Settings in the template are used to configure the port.
Some of the parameters that can be set using a virtual server port template can also be set on the individual virtual port. In this case, the setting in the template has lower priority than the setting on the virtual port.
If the same parameter is set in a virtual server template and a virtual server port template, both of them apply.
Supported Values: Configured virtual port template.
Default: “default” virtual port template.

Parameter: Access List
Description: Specifies an ACL to use for permitting or denying traffic on the virtual server port.
Note: Selecting an ACL here permits or denies traffic on the virtual port. If you are trying to configure source NAT on the port, use the ACL-SNAT binding fields instead. (See the end of this table.)
Supported Values: ID of a configured ACL
Default: Not set

Parameter: Source NAT Pool
Description: IP address pool to use for IP source NAT.
If enabled, you can access the following options:
• Auto – Select this option to enable Smart NAT. Smart NAT automatically uses a configured IP address as the NAT address for virtual port traffic to a real server.
• Precedence – Select this option to take precedence over the configured NAT pool. This option configures Smart NAT to be used first.
Note: This option uses a single NAT pool for all source addresses. To select a NAT pool based on real server subnet, use the ACL-SNAT binding fields instead. (See the end of this table.)
Supported Values: Name of a configured IP address pool
Auto – Selected or unselected
Precedence – Selected or unselected
Default: Not set

Parameter: aFleX
Description: Name of an aFleX policy.
To apply more than one aFleX policy to the virtual service:
1. Select the Multiple checkbox.
2. Select the first aFleX policy from the drop-down list.
3. Click Add. The aFleX policy appears in the list.
4. Repeat for each additional aFleX policy.
Note: Make sure to add the policies in the order you want them to be applied. The policies are applied from the top of the list down. To re-order a policy, select it, then click Move up or Move down.
Supported Values: Name of an aFleX policy that has been imported onto the ACOS device
Default: Not set

Parameter: Template
Description: Template(s) to use.
The types of templates that are available depend on the service type. A separate drop-down list appears for each type of template that is applicable to the service type of the port.
If a template you want to use is not already configured, you can select “create” from the drop-down list for the template type to configure a new template of that type. In this case, when you click OK after configuring the template, you are returned to the Virtual Server Port page.
Supported Values:
Template type: One of the types described in “Config Mode > SLB > Template” on page 212.
Template name: Name of a configured template.
Default: The ACOS device has some default templates, which are applied automatically unless you apply a different template instead. (See the “SLB Parameters” chapter of the Application Delivery and Server Load Balancing Guide.)

Parameter: ACL-SNAT Binding
Description: Enables source NAT on the virtual port.
1. Select the ACL from the Access List drop-down list.
2. Select the pool from the Source NAT Pool drop-down list.
3. Click Add.
Note: Use extended ACLs. In each ACL, the source IP address must match on the client address or subnet (or “any”). The destination IP address must match on the real server address or subnet. The action must be permit.
The NAT pool is used only for traffic that matches the ACL. This configuration allows the virtual port to have multiple pools, and to select a pool based on the traffic.
Default: Not configured
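
The source NAT rows of Table 68 give an order of methods (ACL-SNAT Binding, global VIP source NAT, aFleX policy, Source NAT Pool) and the ACL shape an ACL-SNAT binding expects. The following is an added example, not A10 code, that models that order so you can check which method and pool a given client-to-server flow would get when reviewing a configuration. The class and function names, the pool names, the addresses, the callable standing in for an aFleX policy, and the choice to test bindings in list order are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


def _covers(spec: str, addr: str) -> bool:
    """True if addr is inside spec ("any", a single host, or a subnet)."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(spec, strict=False)
    return ip.version == net.version and ip in net


@dataclass(frozen=True)
class PermitRule:
    """One permit entry of an extended ACL used in an ACL-SNAT binding."""
    client: str        # ACL source: client address, subnet, or "any"
    real_server: str   # ACL destination: real server address or subnet

    def matches(self, client_ip: str, server_ip: str) -> bool:
        return _covers(self.client, client_ip) and _covers(self.real_server, server_ip)


@dataclass
class AclSnatBinding:
    acl_id: int
    rules: List[PermitRule]
    pool: str


@dataclass
class VirtualPort:
    # Assumption: bindings are tested in list order.
    acl_snat: List[AclSnatBinding] = field(default_factory=list)
    # Hypothetical stand-in for an aFleX policy: returns a pool name or None.
    aflex: Optional[Callable[[str, str], Optional[str]]] = None
    source_nat_pool: Optional[str] = None


def resolve_source_nat(vport: VirtualPort, client_ip: str, server_ip: str,
                       vip_snat_global: bool = False) -> Tuple[str, Optional[str]]:
    """Return (method, pool) for one client-to-server flow, in the table's order."""
    # 1. ACL-SNAT binding: the pool applies only to traffic the ACL permits.
    for binding in vport.acl_snat:
        if any(rule.matches(client_ip, server_ip) for rule in binding.rules):
            return ("acl-snat", binding.pool)
    # 2. VIP source NAT, enabled globally (the page names no pool for it).
    if vip_snat_global:
        return ("vip-source-nat", None)
    # 3. aFleX policy bound to the virtual port.
    if vport.aflex is not None:
        pool = vport.aflex(client_ip, server_ip)
        if pool is not None:
            return ("aflex", pool)
    # 4. Source NAT Pool set on the virtual port: one pool for all sources.
    if vport.source_nat_pool is not None:
        return ("source-nat-pool", vport.source_nat_pool)
    return ("none", None)


# Constructed sample configuration: two bindings plus a port-level pool.
SAMPLE_VPORT = VirtualPort(
    acl_snat=[
        AclSnatBinding(101, [PermitRule("any", "10.1.1.0/24")], "pool-a"),
        AclSnatBinding(102, [PermitRule("192.0.2.0/24", "10.2.2.0/24")], "pool-b"),
    ],
    source_nat_pool="pool-default",
)

if __name__ == "__main__":
    flows = [("198.51.100.7", "10.1.1.20"), ("192.0.2.9", "10.2.2.5"),
             ("198.51.100.7", "10.2.2.5")]
    for client, server in flows:
        for global_vip in (False, True):
            print(client, server, global_vip,
                  resolve_source_nat(SAMPLE_VPORT, client, server, global_vip))
```

The third sample flow matches neither ACL, so it falls through to global VIP source NAT when that is enabled and to the port-level pool otherwise, which is the case the table's own example describes.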

Config Mode > SLB > Service > Virtual Service


This option displays the configured virtual services. A virtual service is the same as a virtual port configuration.

The GUI provides the following ways to configure a virtual service:

• Virtual service configuration (this page) – The Virtual Service option allows you to name the virtual service, and automatically creates the virtual server configuration.
• Virtual server configuration (Config Mode > SLB > Service > Virtual Server) – The Virtual Server option requires you to configure the virtual server parameters, and does not allow you to name the virtual service. Virtual services created using the Virtual Server option are named by the GUI, in the following format:
_VIPaddress_L4protocol_portnum

All configured virtual services are listed on the Virtual Service page, regardless of the GUI option used to configure them.

To configure a new virtual service, click Add. To edit an existing one, click on the virtual service name.


Virtual Service Parameters


Table 68 on page 150 lists the parameters you can configure on virtual services. (The parameters are the same as those you can configure if you access the virtual port configuration page from the VIP configuration page.)

Config Mode > SLB > Service > Service Group

This option displays the configured service groups. To access the configuration page, click Add or click on a service group name.

Table 69 lists the parameters you can configure in service groups.

TABLE 69 Service Group Parameters


Parameter Description Supported Values
Service Group Section
Parameter: Name
Description: Name of the service group.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Type
Description: Transport protocol used by service ports in the group.
Supported Values: TCP or UDP
Default: TCP

Parameter: Algorithm
Description: Algorithm used to select a real server and service port to fulfil a client’s request.
To use a weighted load-balancing method, assign different weights to servers or ports, so that higher-weighted servers or ports are preferred over lower-weighted ones.
• To use Weighted Round Robin or Weighted Least Connection, assign weights on individual servers.
• To use Weighted Least Connection on Service Port, assign weights on individual ports.
Note: The Fastest Response Time algorithm takes effect only if the traffic rate on the servers is at least 5 connections per second (per server). If the traffic rate is lower, the first server in the service group usually is selected.
Supported Values: One of the following:
• Round Robin – Selects servers in rotation.
• Least Connection – Selects the server that currently has the fewest connections.
• Service Least Connection – Selects the server port that currently has the fewest connections.
Note: For the Server Least Connection method and the other least-connection methods, if there is a tie, the port (among those tied) that has the lowest number of request bytes plus response bytes is selected. If there is still a tie, a port is randomly selected from among the ones that are still tied.
• Weighted Round Robin – Selects servers in rotation, based on the servers’ administratively assigned weights.
If the weight value is the same on each server, this load-balancing method simply selects the servers in rotation.
The Weighted Round Robin method uses only the server weight. Server port weight is not used. (Instead, server port weight is used by the Service Weighted Least Connection method).
• Weighted Least Connection – Selects a server based on a combination of the server’s administratively assigned weight and the number of connections on the server.
• Service Weighted Least Connection – Same as weighted-least-connection, but per service.
• Fastest Response Time – Selects the server with the fastest first data packet response time (after three-way handshake) from end-user traffic requests.
Note: The Fastest Response Time method is not applicable in Direct Server Return (DSR) deployments.
• Least Request – Selects the real server port for which the ACOS device is currently processing the fewest HTTP requests. This method is applicable to HTTP load balancing.

• Round Robin Strict – Provides a more exact round-robin method. The standard, default round robin method is optimized for high performance. Over time, this optimization can result in a slight imbalance in server selection. Server selection is still basically round robin, but over time some servers may be selected slightly more often than others.
• Stateless Source IP Hash – Balances server load based on a hash value calculated using the source IP address and source TCP or UDP port.
• Stateless Destination IP Hash – Balances server load based on a hash value calculated using the destination IP address and destination.
• Stateless Src and Dst IP Hash – Balances server load based on a hash value calculated using both the source and destination IP addresses, but not the TCP or UDP ports.
• Stateless Per-Packet Round Robin – Balances server load by sending each packet to a different server, in rotation.
• Stateless Source IP Only Hash – Balances server load based on a hash value calculated using the source IP address only.
Note: The stateless load-balancing methods balance traffic without creating session entries on the ACOS device. Stateless SLB is suitable only for certain types of traffic. Before enabling a Stateless option, see the “Stateless SLB” chapter in the Application Delivery and Server Load Balancing Guide.
The following options apply to stateful hash-based load-balancing:
• Source IP Only Hash – Calculates a hash value based on only the source IP address of the client’s request.
• Source IP Hash – Calculates a hash value based on the source IP address and protocol port of the client’s request.
• Destination Only IP Hash – Calculates a hash value based on only the destination IP address of the client’s request.
• Destination IP Hash – Calculates a hash value based on the destination IP address and protocol port of the client’s request.
Default: Standard round robin (not strict and not stateless)

Parameter: Auto Stateless Method
Description: Automatic Stateless load-balancing method that uses hash-tag values to select a real server and service port to fulfil a client’s request.
Note: DNS templates are not supported with stateless load-balancing methods. Stateless load balancing also does not use the session table.
Supported Values: One of the following:
• Stateless Source IP Hash – Balances server load based on a hash value calculated using the source IP address and protocol port of the client’s request.
• Stateless Destination IP Hash – Balances server load based on a hash value using the destination IP address and protocol port of the client’s request.
Note: Applicable only for wildcard VIP cases.
• Stateless Src and Dst IP Hash – Balances server load based on a hash value calculated using both the source and destination IP addresses, but not the TCP or UDP ports.
• Stateless Per-Packet Round Robin – Balances server load by sending each packet to a different server, in rotation. This method is applicable only for UDP DNS traffic.
• Stateless Source IP Only Hash – Calculates a hash value based on only the source IP address of the client’s request and selects a server based on the hash value. All requests from the same client address are sent to the same server.

Parameter: Traffic Replication
Description: Selects mode of traffic replication to the collector servers within a service group.
Supported Values:
• Mirror DA Replace – Replaces the destination MAC address on the incoming packet with the destination MAC for each of the collector servers within the designated service group.
• Mirror SA Replace – Replaces the source MAC address on the incoming packet with the MAC address corresponding to the virtual server on AX.
• Mirror SA and DA Replace – Replaces source and destination MAC addresses at Layer 2 but does not change the Layer 3 IP addressing information.
• Replace IP with Server-IP – Replaces the incoming packet’s IP address with the IP address of the collector server(s). Duplicate packets are then forwarded to those servers.
Note: This option affects packets at Layer 4 and is recommended for scenarios in which collector servers are directly connected to the ACOS device.
• Mirror – The packet header is left unchanged and the original Layer 2 Destination Address (DA) or Source Address (SA) and Layer 3 IP addresses are left intact. Packets are sent “as is” to the collector server(s), and forwarded based on the IP address in the original packet.
Default: Not set

Parameter: Health Monitor
Description: Assigns a health monitor to all members in the service group.
This option is useful in cases where the same server provides content for multiple, independent sites. When you use this feature, if a site is unavailable (for example, is taken down for maintenance), the server will fail the health check for that site, and clients will not be sent to the site. However, other sites on the same server will pass their health checks, and clients of those sites will be sent to the server.
Defaults: Not set

Parameter: Server Template
Description: Binds a server template to the service group. Settings in the template are used to configure the server.
Some of the parameters that can be set using a server template can also be set on the individual server. In this case, the setting in the template has lower priority than the setting on the server.
Supported Values: Name of a configured server template
Default: Not set

Parameter: Server Port Template
Description: Binds a server port template to the server, within this service group. Settings in the template are used to configure the server ports, but only when the ports are used as members of this service group.
Some of the parameters that can be set using a port template can also be set on the individual port. In this case, the setting in the template has lower priority than the setting on the port.
Note: If slow start is configured in a server template or a server port template, it will take effect if bound to a real server or a real port. If the template is bound to a service-group, slow start will not take effect.
Supported Values: Name of a configured server port template
Default: Not set

Parameter: Policy Template
Description: Binds a server template to the service group. Settings in the template are used to configure the server.
Note: Some of the parameters that can be set using a server template can also be set on the individual server. In this case, the setting in the template has lower priority than the setting on the server.
Supported Values: Name of a configured policy template
Default: Not set

Parameter: Min Active Members
Description: Enables use of backup servers even if some primary servers are still up. A backup server is one that has a lower priority than other servers.
In the field that appears next to Min Active Members, enter the minimum number of primary servers that can still be active (available), before the backup servers are used. You can specify 1-63. There is no default.
Selecting the Min Active Members checkbox also displays the following checkboxes:
• Skip Priority Set – By default, if a primary server becomes unavailable, any remaining primary servers continue to be used. If you enable the Skip Priority Set option, the ACOS device stops using all primary servers if any of them become unavailable.
• Dynamic Priority – Helps ensure that the minimum number of high-priority servers is maintained, by temporarily increasing the priority of lower-priority servers if needed.
Supported Values: Enabled or Disabled
Defaults: Disabled. Backup servers are used only if all primary servers are unavailable.

Parameter: Priority Affinity
Description: If possible, enables or disables persistence to the same priority setting.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Send client reset when server selection fails
Description: Sends a TCP reset (RST) to clients if server selection fails. Server selection failure can occur as the result of any of the following conditions:
• Server or port connection limit is reached
• Server or port connection rate limit is reached
• Client in a PBSLB black/white list reaches its connection
• The def-selection-if-pref-failed option is disabled and SLB selects a server for any reason
• All servers are down
Note: The TCP template Reset Receive option also can be used to send a RST to clients. In ACOS Release 2.2.1 and earlier, the Reset Receive option would send a RST in response to a server selection failure. In ACOS Release 2.2.2 and later, this is no longer true. This option (Send client reset when server selection fails) must be used instead.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Send log information on backup server events
Description: Generates a log message (and SNMP notification, if enabled) when a backup service-group member is placed into service for either of the following reasons:
• The connection limit on the primary servers or member ports is exceeded.
• The primary servers or member ports go down.
Likewise, the backup-server-event-log option generates a log message when a backup service-group member is removed from service, and a primary server is returned to service for either of the following reasons:
• The primary server or member port’s connection-resume limit is reached.
• The primary server or member port comes back up.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Stats Data
Description: Enables collection of statistics data for the service group.
Note: Statistical data collection also must be enabled globally. See “Config Mode > SLB > Service > Global > Settings” on page 206.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Extended Stats
Description: Enables collection of peak connection statistics.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Priority
Description: Defines different actions for each priority node. You can select an action from the following:
• Proceed – Proceed to the next priority when all priority nodes fail.
• Drop – Drop request when all priority nodes fail.
• Drop-if-exceed-limit – Drop request when the number of connections exceeds the limit.
• Reset – Send client reset when all priority nodes fail.
• Reset-if-exceed-limit – Send client reset when the number of connections exceeds the limit.
Supported Values: You can specify the following:
• Priority – 1-16
• Action – Proceed, Drop, Drop-if-exceed-limit, Reset, or Reset-if-exceed-limit
Default:
• Priority – Not set
• Action – Proceed

Parameter: Description
Description: Description of the service group.
Supported Values: String
Default: None

Server Section
In the Server section, you can add, change, and delete service group members (servers and service ports). You also can disable or re-enable service ports within the service group. Select the service ports, then click the button for the action you want to take. For example, to disable a service port, click the checkbox next to the service port to select the port, then click Disable.
Disabling or re-enabling a service port within a service group applies only to that service group and does not affect the port’s state in other service groups.

Parameter: IPv4/IPv6
Description: Selects the address type of the server IP address you are planning to enter.
Supported Values: Depends on the selection made on the System > Settings > Web - Preference page. (See “Config Mode > System > Settings > Web” on page 421.)

Parameter: Server
Description: Adds a real server to the service group.
You can select a configured server from the drop-down list or enter the server IP address to create a new one.
Configure the additional settings described below, and click Add.
Supported Values: Name of a configured real server, or a valid IP address.

Parameter: Port
Description: Specifies the service port on the server.
Notes:
• The port number you enter here must match the service port number used in the real server configuration.
• If you are configuring IP protocol load balancing, specify 0 as the service port number. For more information, see the “IP Protocol Load Balancing” chapter of the A10 Thunder Series and AX Series Application Delivery and Server Load Balancing Guide.
Supported Values: 0-65534
Default: Not set

Parameter: Server Port Template
Description: Binds a server port template to the server, within this service group. Settings in the template are used to configure the server ports, but only when the ports are used as members of this service group.
Some of the parameters that can be set using a port template can also be set on the individual port. In this case, the setting in the template has lower priority than the setting on the port.
Note: If slow start is configured in a server template or a server port template, it will take effect if bound to a real server or a real port. If the template is bound to a service-group, slow start will not take effect.
Supported Values: Configured port template.
Default: “default” port template.

Parameter: Priority
Description: Preference for this server and port. The priority can be 1-16. During server selection, a server and port with a high priority are favored over a server and port with a low priority, and are therefore more often selected.
Supported Values: 1-16
Default: 1

Parameter: Stats Data
Description: Enables collection of statistics data for the service group member.
Note: Statistical data collection also must be enabled globally. See “Config Mode > SLB > Service > Global > Settings” on page 206.
Supported Values: Enabled or Disabled
Default: Enabled
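
The Algorithm and Auto Stateless Method rows of Table 69 differ mainly in which packet fields feed the hash, and that decides how traffic from a single client address spreads across servers. The following added example (not A10 code) compares the methods on 200 connections that share one source address, such as users behind a NAT gateway. SHA-256 stands in for the ACOS hash, which this page does not describe; the method keys, addresses and server names are constructed.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Packet fields each hash method uses, following the Table 69 descriptions.
# The dictionary keys are labels made up for this example.
HASH_FIELDS = {
    "source-ip-hash": ("src_ip", "src_port"),
    "destination-ip-hash": ("dst_ip", "dst_port"),
    "src-dst-ip-hash": ("src_ip", "dst_ip"),       # both addresses, no ports
    "source-ip-only-hash": ("src_ip",),
}


def bucket(method: str, pkt: Packet, n_servers: int) -> int:
    """Map a packet to a server index using only the method's fields."""
    key = "|".join(str(getattr(pkt, name)) for name in HASH_FIELDS[method])
    digest = hashlib.sha256(key.encode()).digest()  # stand-in hash (assumption)
    return int.from_bytes(digest[:8], "big") % n_servers


class Balancer:
    """Stateless selection: no per-connection table, only a rotation counter."""

    def __init__(self, method: str, servers: Sequence[str]):
        self.method = method
        self.servers = list(servers)
        self._next = 0

    def select(self, pkt: Packet) -> str:
        if self.method == "per-packet-round-robin":
            server = self.servers[self._next % len(self.servers)]
            self._next += 1
            return server
        return self.servers[bucket(self.method, pkt, len(self.servers))]


def distribution(method: str, packets: Sequence[Packet],
                 servers: Sequence[str]) -> Counter:
    """Count how many of the packets each server receives under a method."""
    lb = Balancer(method, servers)
    return Counter(lb.select(p) for p in packets)


SERVERS = ["rs1", "rs2", "rs3", "rs4"]  # constructed server names


def nat_gateway_traffic(n: int = 200) -> List[Packet]:
    """Constructed sample: n connections from one source address to one VIP,
    each from a different source port."""
    return [Packet("198.51.100.10", 20000 + i, "203.0.113.80", 443)
            for i in range(n)]


if __name__ == "__main__":
    pkts = nat_gateway_traffic()
    for method in list(HASH_FIELDS) + ["per-packet-round-robin"]:
        print(f"{method:24s}", dict(distribution(method, pkts, SERVERS)))
```

Every method that ignores the source port sends all 200 connections to one server, so a busy NAT gateway lands on a single real server, and that server's connection limit becomes the limit for everyone behind the gateway.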

Config Mode > SLB > Service > Server

This option displays the configured real servers.

The following configuration sections are displayed when you click Add or
click on a real server name.
• General

• Port

The Status column indicates whether the server is enabled.

The Health column indicates the health of the server. Place the mouse cursor
over the health icon for more information.


Enable and Disable


To disable servers, select the checkbox next to each server you want to disable, then click Disable. Likewise, to re-enable servers, select the checkbox next to each server you want to enable, then click Enable.

Group Port Enable / Disable


To disable or re-enable ports on multiple servers, select the checkbox next
to each of the servers, then click Edit. The Group Edit page appears. Select
the ports and click Disable or Enable, then click OK.

Real Server Parameters


Table 70 lists the parameters you can configure on real servers.

TABLE 70 Server Parameters


Parameter Description Supported Values
General Section
Parameter: Name
Description: Name to identify the real server on the ACOS device.
The name is not required to be the hostname configured on the real server.
Supported Values: String of 1-31 characters
Default: None configured

Parameter: IP Address/Host
Description: IP address or DNS hostname of the server.
• IP address – Specify the real IP address of the server, not the VIP address to which clients will send requests.
• DNS hostname – Specify the hostname known to DNS. In this case, the ACOS device periodically sends DNS queries for the IP address of the real server, and dynamically creates the server based on the reply. If the reply to a subsequent query has a different IP address, an additional server is dynamically created with the new address. (For more information about dynamic real server creation using DNS, see the “Dynamic Real Server Creation Using DNS” chapter in the AX Series Application Delivery and Server Load Balancing Guide.)
Note: The Monitor Mode > SLB > SLB > Server page shows only the first dynamically created server. To display all dynamically created servers, use the show slb server command in the CLI.
Supported Values: IPv4 or IPv6 address, or hostname
Default: None configured

Parameter: GSLB External IP Address
Description: Assigns an external IP address to the server. The external IP address allows a service IP or server that has an internal IP address to be reached over the Internet.
Supported Values: IPv4 or IPv6 address
Default: None configured

Parameter: IPv6 address Mapping of GSLB
Description: Assigns an IPv6 address to the real server for GSLB.
Supported Values: IPv6 address
Default: None configured

Parameter: Weight
Description: Administrative weight of the server, used for weighted load balancing.
Supported Values: 1-100
Default: 1

Parameter: Health Monitor
Description: Specifies the Layer 3 health monitor to use for checking the server health.
If the monitor you want to use is not already configured, you can select “create” to configure it. In this case, when you click OK after configuring the monitor, you are returned to this section.
Supported Values: Name of a configured health monitor, or blank (disabled)
Default: Enabled; ping (ICMP)

Parameter: Status
Description: State of the real server.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Connection Limit
Description: Number of concurrent connections allowed on the real server.
The Logging option generates a log message when the connection limit is exceeded.
Supported Values: 1-8000000
Default: 8000000

Parameter: Connection Resume
Description: Maximum number of connections the server can have before the ACOS device resumes use of the server. Use does not resume until the number of connections reaches the configured maximum or less.
Note: The ACOS device is allowed to start sending new connection requests to the server as soon as the number of connections on the server falls back below the connection limit.
Supported Values: 1-1000000
Default: Not set

Parameter: Slow Start
Description: Enables slow start. Slow start allows time for the server to ramp up after the server is enabled or comes online, by temporarily limiting the number of new connections on the server.
Note: It is recommended to configure this feature in the real server template or real port template instead. See the “Behavior When Slow Start Is Also Configured on the Real Server Itself” section in the “Server and Port Templates” chapter of the AX Series Application Delivery and Server Load Balancing Guide.
Supported Values: Selected or unselected
Default: Unselected

Parameter: Spoofing Cache
Description: For Transparent Cache Switching (TCS), enables support for a spoofing cache server. A spoofing cache server uses the client’s IP address instead of its own as the source address when obtaining content requested by the client.
Note: This option applies only to the TCS feature. For more information, see the “Transparent Cache Switching” chapter in the AX Series Application Delivery and Server Load Balancing Guide.
Supported Values: Selected or unselected
Default: Unselected

Parameter: Firewall
Description: Indicates that the server is a firewall. This option is applicable to Firewall Load Balancing (FWLB).
Note: FWLB is not supported in individual private partitions. This feature can be configured only in the shared partition.
Supported Values: Selected or unselected
Default: Unselected

Parameter: Stats Data
Description: Enables collection of statistics data for the server.
Note: Statistical data collection also must be enabled globally. See “Config Mode > SLB > Service > Global > Settings” on page 206.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Extended Stats
Description: Enables collection of peak connection statistics.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Server Template
Description: Binds a server template to server. Settings in the template are used to configure the server. Some of the parameters that can be set using a server template can also be set on the individual server. In this case, the setting in the template has lower priority than the setting on the server.
Supported Values: Configured server template.
Default: “default” server template.

Parameter: Alternate Server
Description: Specifies an alternate server to use as a dedicated backup for a primary server. You can assign up to 16 servers as dedicated backups. See the “Alternate Servers for Server-specific Backup” chapter in the AX Series Application Delivery and Server Load Balancing Guide.
Supported Values: Name of a configured real server. Sequence number: 1-16
Default: None

Parameter: HA Priority Cost
Description: Decreases the HA priority of an HA group, if the real server’s health status changes to Down.
Supported Values: You can configure the following:
• Priority Cost – 1-255
• HA Group – 1, 2, or All.
Default: Not set

Parameter: Description
Description: Description of the real server.
Supported Values: String
Default: None

Port Section

In the Port section, you can add, change, and delete service ports. Select the service ports, then click the button for the action you want to take. For example, to disable a service port, click the checkbox next to the service port to select the port, then click Disable.
Disabling or re-enabling a service port affects all virtual servers that are bound to service groups that use the port.

Parameter: Port
Description: Protocol port number.
Note: If you are configuring IP protocol load balancing, specify port 0, which is a wildcard port. For more information, see the “IP Protocol Load Balancing” chapter of the A10 Thunder Series and AX Series Application Delivery and Server Load Balancing Guide.
Supported Values: 0-65534
Default: Not set

Parameter: Protocol
Description: Layer 4 transport protocol used by the port.
Supported Values: TCP or UDP
Default: TCP

Parameter: Weight
Description: Administrative weight assigned to the port. The weight is used with the following load-balancing methods (algorithms):
• Weighted Round Robin
• Weighted Least Connection
• Weighted Least Connection on Service Port
Supported Values: 1-100
Default: 1

Parameter: No SSL
Description: Disables SSL for server-side connections. This option is useful if a server-SSL template is bound to the virtual port that uses this real port, and you want to disable encryption on this real port.
Encryption is disabled by default, but it is enabled for server-side connections when the real port is used by a virtual port that is bound to a server-SSL template.
Supported Values: Enabled or Disabled
Default: Disabled. SSL for server-side connections is enabled.

Parameter: Connection Limit
Description: Maximum number of connections allowed to the service port. If the connection limit is exceeded, the ACOS device stops sending new connections to the service port. The ACOS device does not resume sending connections to the service port until one of the following occurs:
• If Connection Resume is set (see below), the ACOS device is allowed to start sending new connection requests to the service port only after the number of connections on the port is at or below the Connection Resume threshold.
• If Connection Resume is not set (the default), the ACOS device is allowed to start sending new connection requests to the service port as soon as the number of connections on the port falls back below the Connection Limit.
The Logging option generates a log message when the connection limit is exceeded.
If the connection limit is set to 0, no connection limiting is performed.
Supported Values: 0-8000000 (0 means unlimited)
Default: 8000000

Parameter: Connection Resume
Description: If the Connection Limit is exceeded, Connection Resume specifies the maximum number of connections the server can have before the ACOS device can start sending new connections to the port.
Supported Values: 1-1000000
Default: not set

Parameter: Server Port Template
Description: Binds a server port template to the service port. Settings in the template are used to configure the port. Some of the parameters that can be set using a server port template can also be set on the individual port. In this case, the setting in the template has lower priority than the setting on the port.
If the same parameter is set in a server template and a server port template, both of them apply.
Note: If slow start is configured in a server template or a server port template, it will take effect if bound to a real server or a real port. If the template is bound to a service-group, slow start will not take effect.
Supported Values: Configured port template.
Default: “default” port template.

Parameter: Server-SSL Template
Description: Specifies an SSL template to validate real servers on behalf of clients. This option is useful in cases where the real servers load balanced by a VIP have different SSL settings.
Supported Values: Configured port template.
Default: “default” port template.

Parameter: Stats Data
Description: Enables collection of statistics data for the server port.
Note: Statistical data collection also must be enabled globally. See “Config Mode > SLB > Service > Global > Settings” on page 206.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Health Monitor
Description: Specifies the health monitor to use for checking the service port’s health. If the monitor you want to use is not already configured, you can select “create” to configure it. In this case, when you click OK after configuring the monitor, you are returned to this section.
Supported Values: Name of a configured health monitor, or blank (disabled)
Default:
• For TCP – Every 5 seconds, the ACOS device sends a connection request (TCP SYN) to the specified TCP port on the server. The port passes the health check if the server replies to the ACOS device by sending a TCP ACK.
• For UDP – Every 5 seconds, the ACOS device sends a packet with a valid UDP header and a garbage payload to the UDP port. The port passes the health check if the server either does not reply, or replies with any type of packet except an ICMP Error message.

Parameter: Follow Port
Description: Bases the port’s health status on the health status of another port on the same server. The other port must be the same type, TCP or UDP.
Default: Not set

Parameter: Extended Stats
Description: Enables collection of peak connection statistics.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: KDC Service Name
Description: Kerberos principal name of this server port. This is the ACOS client name presented to the application server.
Note: This option applies to Application Access Management (AAM).
Supported Values: String
Default: Not set
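
The Connection Limit and Connection Resume behavior that Table 70 describes for a service port can be modeled as a small state machine, which shows why a port hovering at its limit flaps when Connection Resume is not set. This is an added example, not A10 code: the class and function names are hypothetical, the samples are constructed, and treating the port as suspended once the count reaches the limit is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PortLimiter:
    """Whether one service port may receive new connections (model of Table 70)."""
    conn_limit: int = 8000000          # Connection Limit; 0 means unlimited
    conn_resume: Optional[int] = None  # Connection Resume; None means not set
    suspended: bool = False

    def __post_init__(self) -> None:
        # Ranges as listed in the Supported Values column for a service port.
        if not 0 <= self.conn_limit <= 8000000:
            raise ValueError("Connection Limit must be 0-8000000")
        if self.conn_resume is not None and not 1 <= self.conn_resume <= 1000000:
            raise ValueError("Connection Resume must be 1-1000000")

    def observe(self, active: int) -> bool:
        """Update state from the current connection count; True means eligible."""
        if self.conn_limit == 0:
            # A limit of 0 means no connection limiting is performed.
            self.suspended = False
            return True
        if not self.suspended:
            # Assumption of this model: reaching the limit suspends the port.
            self.suspended = active >= self.conn_limit
        elif active < self.conn_limit:
            # Resume not set: falling back below the limit is enough.
            # Resume set: the count must drain to the threshold or lower.
            if self.conn_resume is None or active <= self.conn_resume:
                self.suspended = False
        return not self.suspended


def transitions(limiter: PortLimiter, samples: List[int]) -> List[Tuple[int, str]]:
    """Return (sample index, 'suspend' or 'resume') for every state change."""
    events = []
    eligible = not limiter.suspended
    for i, active in enumerate(samples):
        now = limiter.observe(active)
        if now != eligible:
            events.append((i, "resume" if now else "suspend"))
            eligible = now
    return events


# Constructed sample: a port hovering around a limit of 100, then draining.
SAMPLES = [90, 100, 99, 100, 98, 100, 60, 50, 40]

if __name__ == "__main__":
    print("resume not set:", transitions(PortLimiter(conn_limit=100), SAMPLES))
    print("resume = 50:   ", transitions(PortLimiter(conn_limit=100, conn_resume=50), SAMPLES))
```

With the Logging option selected, each suspend transition in this model corresponds to a point where the table says a log message is generated.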


Config Mode > SLB > Service > Template

The Template pages enable you to display and configure configuration
templates for real servers, real ports, virtual servers, and virtual ports.

Some of the parameters that can be set using a template can also be set or
changed on the individual server or port.
• If a parameter is set (or changed from its default) in both a template and
on the individual server or port, the setting on the individual server or
port takes precedence.
• If a parameter is set (or changed from its default) in a template but is not
set or changed from its default on the individual server or port, the
setting in the template takes precedence.

To view and configure server and port templates, select the following
options:
• Template > Server
• Template > Server Port
• Template > Virtual Server
• Template > Virtual Server Port

Default Server and Service Port Templates


The ACOS device has a default template for each of these template types.
The default server and port templates are each named “default”.

If you do not explicitly bind a server or service port template to a server or
service port, the default template is automatically applied. For example,
when you create a real server, the parameter settings in the default real
server template are automatically applied to the new server, unless you bind
a different real server template to the server.

The default settings in the templates are the same as the default settings for
the parameters that can be set in the templates.

If you are upgrading an ACOS device that has a configuration saved under a
previous release, the default server and port templates are automatically
bound (applied to) the servers and ports in the configuration. This does not
change the configuration or operation of the servers and ports themselves,
since the default server and port templates use the default settings for all
parameters, unless overridden by parameter settings on the individual
servers and ports.


Note: In addition to configuring custom server, port, virtual-server, or
virtual-port templates, you can modify the default templates.

Caution: Before changing a default template, make sure the changes you plan
to make are applicable to all servers or ports that use the template.

Processing Priority of Templates


DNS templates have the highest priority and are used first, followed by
policy templates. Then the other types of templates are used as applicable.

Config Mode > SLB > Service > Template > Server
The Server Template page lists the configured server templates. This page is
displayed when you click Add or click on a server template name.

Table 71 lists the server template parameters you can configure.

TABLE 71 Server Template Parameters


Parameter Description and Syntax Supported Values
Server Template Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters

Parameter: Health Monitor
Description: Layer 3 health monitor to use for checking the health of servers that use this template.
Supported Values: Configured health monitor that uses the Ping method.
Default: The default ICMP health monitor is used: an ICMP ping (echo request) is sent every 3 seconds. If the ping fails 2 times consecutively, the ACOS device sets the server state to DOWN.

Parameter: Connection Limit Status
Description: Limits the number of connections allowed on real servers that use this template. When a real server reaches its connection limit, the ACOS device stops selecting the server for client requests.
When you select the Connection Limit Status checkbox, the following configuration fields appear:
• Connection Limit – Maximum of new connections allowed on a server.
• Connection Resume – Maximum number of connections the server can have before the ACOS device resumes use of the server.
• Logging – Generates a log message when a server exceeds its connection limit.
Supported Values:
State: Enabled or Disabled
Connection Limit – 1-8000000 (8 million) connections per second
Connection Resume – 1-1048575 connections
Default: 8000000 connections per second

Parameter: Connection Rate Limit
Description: Limits the rate of new connections the ACOS device is allowed to send to servers that use this template. When a real server reaches its connection rate limit, the ACOS device stops selecting the server for client requests.
When you select the Connection Rate Limit checkbox, an entry field appears. Enter the maximum of new connections allowed on a server. You can specify 1-1048575 connections.
The Sampling Per option specifies the sampling rate:
• 100ms – The connection rate limit applies to 100-ms intervals.
• 1 second – The connection rate limit applies to one-second intervals.
• Logging – Generates a log message when a server exceeds its connection rate limit.
Supported Values:
State: Enabled or Disabled
Connection rate limit – 1-1048575 connections per second
Sampling Per – 100ms or 1 second
Default: Disabled. When you enable the feature, the default for Sampling Per is 1 second.
Parameter: Slow Start
Description: Provides time for real servers that use the template to ramp-up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the servers.
When you select the Slow Start checkbox, the following configuration fields appear:
• From – Maximum number of concurrent connections to allow on the server after it first comes up.
• By – Amount by which to increase the maximum number of concurrent connections allowed. You can use one of the following methods to specify the increment:
  • Multiplying – Number by which to multiply the starting connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the ACOS device increases the connection limit to 256 after the first ramp-up interval.
  • Adding – As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow.
• Every – Number of seconds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds.
• Till – Maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server.
Notes:
• The initial ramp-up interval can be any duration from 0 up to the configured interval (10 seconds by default). After the initial ramp up, each subsequent ramp-up occurs at the end of the configured interval.
• If a normal runtime Connection Limit is also configured in the template or on the server, and the normal connection limit is smaller than the slow start ending connection limit, the ACOS device limits slow start connections to the maximum allowed by the normal connection limit.
• If slow start is configured in a server template or a server port template, it will take effect if bound to a real server or a real port. If the template is bound to a service-group, slow start will not take effect.
Supported Values:
State: Enabled or Disabled
From – 1-4095 new connections
By – One of the following:
• Multiplying – 1-10
• Adding – 1-4095 new connections
Every – 1-60 seconds
Till – 1-65535
Default: Disabled. When you enable the feature, it has the following defaults:
• From – 128 new connections
• By – Multiplying, 2
• Every – 10 seconds
• Till – 4096 concurrent connections

Parameter: DNS Query Interval
Description: Specifies the interval at which the ACOS device sends DNS queries for the IP addresses of the dynamic real servers.
Note: This option and the remaining options (through Prefix of Dynamic Server) apply only to servers that are created dynamically using DNS. With this type of real server configuration, you enter a DNS hostname instead of an IP address when you configure the real server. (See the “Dynamic Real Server Creation Using DNS” chapter in the AX Series Application Delivery and Server Load Balancing Guide.)
Supported Values: 1-1440 minutes (one day)
Default: 10 minutes

Parameter: Minimum TTL Ratio
Description: Specifies the minimum initial value for the TTL of dynamic real servers. This option prevents dynamic real servers from aging out too quickly due to a small TTL value from the DNS server.
To calculate the minimum TTL value for a dynamic real server, the ACOS device multiplies the DNS Query Interval by the Minimum TTL Ratio. For example, if the Minimum TTL Ratio is 2 and the DNS Query Interval is 10 minutes (600 seconds), then the minimum TTL for dynamic real servers is 1200.
Supported Values: 1-15
Default: 2

Parameter: Maximum Dynamic Server Number
Description: Specifies the maximum number of real servers that can be dynamically created for a given hostname. After the maximum number of servers is created, the ACOS device deletes the oldest servers, as determined by the time it was created, to make room for new ones.
Supported Values: 1-1023
Default: 255

Parameter: Prefix of Dynamic Server
Description: Specifies a short string to add to the front of the name for each dynamically created real server. Dynamically created servers are named using the following format: prefix-ipaddr-hostname
• The prefix is the string added by the ACOS device.
• The ipaddr is the IP address returned in the DNS reply.
• The hostname is the hostname you specify when you create the server configuration.
Note: The maximum total length of a dynamic server name is 32 bytes. If the name becomes longer than 32 characters, the ACOS device truncates the name to 32 bytes.
Supported Values: String of 1-3 characters
Default: “DRS”, for Dynamic Real Servers

Parameter: Weight
Description: Administrative weight of the server, used for weighted load balancing.
Supported Values: 1-100
Default: 1

Parameter: Spoofing Cache
Description: Uses the client’s IP address as the source address when obtaining content requested by the client.
Note: This option applies only to the TCS feature. For more information, see the “Transparent Cache Switching” chapter in Application Delivery and Server Load Balancing Guide.
Supported Values: Selected or unselected
Default: Unselected

Parameter: Logging for server-selection failures
Description: Generates log messages to indicate server selection failures.
Supported Values: Selected or unselected
Default: Unselected

Parameter: Stats Data
Description: Enables collection of statistics data for the virtual port.
Note: Statistical data collection also must be enabled globally. See “Config Mode > SLB > Service > Global > Settings” on page 206.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Extended Stats
Description: Enables collection of peak connection statistics.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: HA Priority Cost
Description: Decreases the HA priority of an HA group, if the real server’s health status changes to Down.
Supported Values: The following values are supported:
• Priority Cost – 1-255
• HA Group – 1, 2, or All
Default: Not set
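
The Slow Start ramp described in Table 71, computed as a schedule of connection ceilings per ramp-up interval, including the cap applied when a smaller normal Connection Limit is configured. This is an added example, not A10 code: the function names are hypothetical, and clamping the last step to Till and rejecting a multiplier of 1 that can never reach Till are assumptions of this model.

```python
from typing import List, Optional, Tuple


def slow_start_schedule(start: int = 128, multiply: Optional[int] = 2,
                        add: Optional[int] = None, every: int = 10,
                        till: int = 4096,
                        conn_limit: Optional[int] = None) -> List[Tuple[int, int]]:
    """Return [(seconds after the server comes up, max concurrent connections)].

    start/multiply/add/every/till map to From/Multiplying/Adding/Every/Till.
    Times are upper bounds: the table notes that the initial ramp-up interval
    can be any duration from 0 up to the configured interval.
    """
    if (multiply is None) == (add is None):
        raise ValueError("set exactly one of multiply (Multiplying) or add (Adding)")

    # Ranges from the Supported Values column of Table 71.
    checks = [("From", start, 1, 4095), ("Every", every, 1, 60),
              ("Till", till, 1, 65535)]
    if multiply is not None:
        checks.append(("Multiplying", multiply, 1, 10))
    if add is not None:
        checks.append(("Adding", add, 1, 4095))
    if conn_limit is not None:
        checks.append(("Connection Limit", conn_limit, 1, 8000000))
    for name, value, low, high in checks:
        if not low <= value <= high:
            raise ValueError(f"{name} must be {low}-{high}, got {value}")

    # A smaller normal Connection Limit caps the slow start ceiling.
    ceiling = till if conn_limit is None else min(till, conn_limit)
    if multiply == 1 and start < ceiling:
        # Assumption: in this model a factor of 1 would ramp forever.
        raise ValueError("Multiplying by 1 never raises the ceiling above From")

    schedule = [(0, min(start, ceiling))]
    limit, elapsed = start, 0
    while limit < ceiling:
        limit = limit * multiply if multiply is not None else limit + add
        elapsed += every
        schedule.append((elapsed, min(limit, ceiling)))  # assumption: clamp
    return schedule


def seconds_until_unrestricted(schedule: List[Tuple[int, int]], every: int) -> int:
    """Slow start is over once the final ramp-up interval has elapsed."""
    return schedule[-1][0] + every


if __name__ == "__main__":
    for label, plan in [
        ("defaults", slow_start_schedule()),
        ("defaults with Connection Limit 1000", slow_start_schedule(conn_limit=1000)),
        ("adding 300 every 5 s", slow_start_schedule(start=100, multiply=None,
                                                     add=300, every=5, till=1000)),
    ]:
        print(label, plan)
```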

Config Mode > SLB > Service > Template > Server Port
The Server Port Template page lists the configured server port templates.
This page is displayed when you click Add or click on a server port
template name.

Table 72 lists the server port template parameters you can configure.

TABLE 72 Server Port Template Parameters


Parameter Description and Syntax Supported Values
Server Port Template Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters

Parameter: Health Monitor
Description: Health monitor to use for checking the health of service ports that use this template.
Supported Values: Configured health monitor.
Default: the default TCP or UDP health monitor is used:
• TCP – Every 30 seconds, the ACOS device sends a connection request (TCP SYN) to the specified TCP port on the server. The port passes the health check if the server replies to the ACOS device by sending a TCP SYN ACK.
• UDP – Every 30 seconds, the ACOS device sends a packet with a valid UDP header and a garbage payload to the UDP port. The port passes the health check if the server either does not reply, or replies with any type of packet except an ICMP Error message.

Parameter: Weight
Description: Load-balancing preference for ports that use this template. A higher weight gives more favor to the server and port relative to the other servers and ports.
Note: This option applies only to the Service Weighted Least Connection load-balancing method. This option does not apply to the Weighted Least Connection or Weighted Round Robin load-balancing methods.
Supported Values: 1-100
Default: 1

Parameter: Connection Limit Status
Description: Limits the number of connections allowed on real ports that use this template. When a real port reaches its connection limit, the ACOS device stops selecting the port for client requests.
When you select the Connection Limit Status checkbox, the following configuration fields appear:
• Connection Limit – Maximum of new connections allowed on a port.
• Connection Resume – Maximum number of connections the port can have before the ACOS device resumes use of the port.
• Logging – Generates a log message when a port exceeds its connection limit.
Supported Values: The following values are supported:
• Status – Enabled or Disabled
• Connection Limit – 1-8000000 (8 million) connections per second
• Connection Resume – 1-1048575 connections
• Logging – Enabled or Disabled
Default: 8000000 connections per second

Parameter: Connection Rate Limit
Description: Limits the rate of new connections the ACOS device is allowed to send to ports that use this template. When a port reaches its connection rate limit, the ACOS device stops selecting the port for client requests.
When you select the Connection Rate Limit checkbox, an entry field appears. Enter the maximum of new connections allowed on a port. You can specify 1-1048575 connections.
The Sampling Per option specifies the sampling rate:
• 100ms – The connection rate limit applies to 100-ms intervals.
• 1 second – The connection rate limit applies to one-second intervals.
• Logging – Generates a log message when a server exceeds its connection rate limit.
Supported Values: The following values are supported:
• Status – Enabled or Disabled
• Connection rate limit – 1-1048575 connections per second
• Sampling Per – 100ms or 1 second
• Logging – Enabled or Disabled
Default: Disabled. When you enable the feature, the default for Sampling Per is 1 second.

Parameter: Request Rate Limit
Description: Limits the rate of new requests the ACOS device is allowed to send to ports that use this template. When a port reaches its request rate limit, the ACOS device stops selecting the port for client requests.
When you select the Request Rate Limit checkbox, an entry field appears. Enter the maximum of new connections allowed on a port.
The Sampling Per option specifies the sampling rate:
• 100ms – The request rate limit applies to 100-ms intervals.
• 1 second – The request rate limit applies to one-second intervals.
• Logging – Generates a log message when a server exceeds its connection rate limit.
• Reset-if-exceed-limit – Sends a client reset when the number of requests exceeds the limit.
Supported Values: The following values are supported:
• Status – Enabled or Disabled
• Connection rate limit – 1-1048575 connections per interval
• Sampling Per – 100ms or 1 second
• Logging – Enabled or Disabled
• Reset-if-exceed-limit – Enabled or Disabled
Default: Disabled. When you enable the feature, the default for Sampling Per is 1 second.

Parameter: Slow Start
Description: Provides time for real servers that use the template to ramp-up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the servers.
When you select the Slow Start checkbox, the following configuration fields appear:
• From – Maximum number of concurrent connections to allow on the port after it first comes up.
• By – Amount by which to increase the maximum number of concurrent connections allowed. You can use one of the following methods to specify the increment:
  • Multiplying – Number by which to multiply the starting connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the ACOS device increases the connection limit to 256 after the first ramp-up interval.
  • Adding – As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow.
• Every – Number of seconds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds.
• Till – Maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server.
Note: If a normal runtime Connection Limit is also configured in the template or on the port, and the normal connection limit is smaller than the slow start ending connection limit, the ACOS device limits slow start connections to the maximum allowed by the normal connection limit.
Note: If slow start is configured in a server template or a server port template, it will take effect if bound to a real server or a real port. If the template is bound to a service-group, slow start will not take effect.
Supported Values:
State: Enabled or Disabled
From – 1-4095 new connections
By – One of the following:
• Multiplying – 1-10
• Adding – 1-4095 new connections
Every – 1-60 seconds
Till – 1-65535
Default: Disabled. When you enable the feature, it has the following defaults:
• From – 128 new connections
• By –
  • Multiplying – 2
  • Adding – 128
• Every – 10 seconds
• Till – 4096 concurrent connections

Parameter: Source NAT Pool
Description: IP NAT pool to use for assigning source IP addresses to client traffic sent to ports that use this template. When the ACOS device performs NAT for a port that is bound to the template, the device selects an IP address from the pool.
Supported Values: Configured IP source NAT pool
Default: Not set

Parameter: Direct Server Return
Description: Enables destination Network Address Translation (NAT) on ports that use this template.
Destination NAT is enabled by default, but is automatically disabled in Direct Server Return (DSR) configurations. You can re-enable destination NAT on individual ports for deployment of mixed DSR configurations, which use backup servers across Layer 3 (in different subnets).
Note: DSR also requires configuration on the real servers. See the “More SLB Deployment Examples” chapter of the A10 Thunder Series and AX Series Application Delivery and Server Load Balancing Guide.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: DSCP
Description: Sets the differentiated services code point (DSCP) value in the IP header of a client request before sending the request to ports that use this template.
Supported Values: 1-63
Default: Not set

Parameter: Inband Health Check
Description: Enables in-band health checking. An in-band health check assesses service port health based on client-server traffic, and can very quickly send a client’s traffic to another server and port if necessary. An in-band health check can also mark a port down.
In-band health monitoring for services on TCP watches client-server SYN handshake traffic, and increments the following counters if the server does not send a SYN ACK in reply to a SYN:
• Retry counter – Each client-server session has its own retry counter. The ACOS device increments a session’s retry counter each time a SYN ACK is late. If the retry counter exceeds the configured maximum number of retries allowed, the ACOS device sends the next SYN for the session to a different server. The ACOS device also resets the retry counter to 0.
• Reassign counter – Each real port has its own reassign counter. Each time the retry counter for any session is exceeded, the ACOS device increments the reassign counter for the server port. If the reassign counter exceeds the configured maximum number of reassignments allowed, the ACOS device marks the port DOWN.
In this case, the port remains DOWN until the next time the port successfully passes a standard health check. Once the port passes a standard health check, the ACOS device starts using the port again and resets the reassign counter to 0.
For more information about this feature, see the “In-Band Health Monitoring” section of the “Health Monitoring” chapter in the AX Series Application Delivery and Server Load Balancing Guide.
Note: In the current release, server reselection is not supported in cases where an inband SIP health check can not reach the server.
Supported Values: The following values are supported:
• Retry counter – 0-7
• Reassignments – 0-255
Default: Disabled. When you enable it, the default number of retries is 2 and the default number of reassignments is 25.

Parameter: Dynamic Member Priority
Description: Sets the initial priority of dynamic service-group members, and specifies how much to decrement from the priority after each DNS query.
Within a service group, the priorities of the members determine which of those members can be used to service client requests. Normally, only the highest priority members can be used. Decrementing the priorities of dynamic members provides a way to ensure that the service group uses newer dynamically created members instead of older ones.
The priority value decrements only when the IP address is not refreshed after a DNS query. For example, assume a DNS query returns IP address 1.1.1.1, and the ACOS device creates a dynamic server with priority 16. However, the latest DNS query returns IP address 2.2.2.2 only. In this case, the priority of 1.1.1.1 is decremented by the delta value. If a later DNS query returns 1.1.1.1 again, the priority of server 1.1.1.1 is reset to 16.
If you leave the decrement set to its default (0), service-group member priorities are not decremented.
Note: This option applies only to servers that are created dynamically using DNS. With this type of real server configuration, you enter a DNS hostname instead of an IP address when you configure the real server. (See the “Dynamic Real Server Creation Using DNS” chapter in the AX Series Application Delivery and Server Load Balancing Guide.)
Supported values:
• Initial priority – 1-16
• Decrement – 0-7
Default:
• Initial priority – 16
• Decrement – 0

Parameter: No SSL
Description: Disables SSL for server-side connections.
Note: This option is useful if a server-SSL template is bound to the virtual port that uses this real port, and you want to disable encryption on this real port.
Supported values: Enabled or Disabled
Default: Disabled

Parameter: Stats Data
Description: Enables collection of statistics data for the port.
Note: Statistical data collection also must be enabled globally. See “Config Mode > SLB > Service > Global > Settings” on page 206.
Supported values: Enabled or Disabled
Default: Enabled

Parameter: Extended Stats
Description: Enables collection of peak connection statistics.
Supported values: Enabled or Disabled
Default: Disabled

Parameter: Down Grace Period
Description: Number of seconds existing connections on a disabled or deleted port are allowed to remain up before being terminated.
Notes:
• The grace period applies only to sessions that are active when the load balancing change is triggered. The change applies immediately to new sessions that begin after the change is triggered.
• The service group must contain 2 or more servers for this feature to work. This feature supports stateless and stateful load balancing. However, the feature is not supported for stateful hash load-balancing methods, such as source-IP-based or destination-IP-based hashing.
Supported values: 1-86400 seconds
Default: Not set

Parameter: HA Priority Cost
Description: Decreases the HA priority of an HA group if the real port’s health status changes to Down.
Supported values:
• Priority Cost – 1-255
• HA group – 1, 2, or All
Default: Not set
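
The Inband Health Check counters from Table 72, modelled as an added example (this is not A10 code and not part of the original guide). It reads "exceeds" as strictly greater than the configured maximum; the class and function names, and picking the next UP port in list order, are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class RealPort:
    name: str
    up: bool = True
    reassigns: int = 0          # per-port reassign counter


@dataclass
class Session:
    port: RealPort
    retries: int = 0            # per-session retry counter


class InbandHealth:
    """Retry/reassign bookkeeping as described for Inband Health Check."""

    def __init__(self, ports, max_retries=2, max_reassigns=25):
        # Supported ranges from the table: retries 0-7, reassignments 0-255.
        if not 0 <= max_retries <= 7:
            raise ValueError("retry counter must be 0-7")
        if not 0 <= max_reassigns <= 255:
            raise ValueError("reassignments must be 0-255")
        self.ports = list(ports)
        self.max_retries = max_retries
        self.max_reassigns = max_reassigns

    def _next_up(self, exclude=None):
        # Assumption: take the first UP port other than the failing one.
        for port in self.ports:
            if port.up and port is not exclude:
                return port
        return None

    def syn_ack_late(self, session):
        """Record one late SYN ACK. Returns True if the session was moved."""
        session.retries += 1
        if session.retries <= self.max_retries:
            return False
        failed = session.port
        session.retries = 0                 # retry counter resets to 0
        failed.reassigns += 1               # port-level counter goes up
        if failed.reassigns > self.max_reassigns:
            failed.up = False               # port is marked DOWN
        session.port = self._next_up(exclude=failed)
        return True

    def standard_check_passed(self, port):
        """A standard health check succeeded: port is used again."""
        port.up = True
        port.reassigns = 0


def late_syn_acks_until_down(max_retries=2, max_reassigns=25):
    """Count late SYN ACKs needed before a dead port is marked DOWN."""
    bad, good = RealPort("rs1:80"), RealPort("rs2:80")
    monitor = InbandHealth([bad, good], max_retries, max_reassigns)
    events = 0
    while bad.up:
        session = Session(bad)              # a new client session lands on bad
        while session.port is bad:
            monitor.syn_ack_late(session)
            events += 1
    return events


if __name__ == "__main__":
    print("defaults (2 retries, 25 reassignments):",
          late_syn_acks_until_down())
    print("strictest setting (0, 0):", late_syn_acks_until_down(0, 0))
```

Under this reading, the default values let an unresponsive port absorb 78 late SYN ACKs before in-band checking alone marks it DOWN, which is worth weighing against how quickly the standard health monitor would catch the same failure.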


Config Mode > SLB > SLB > Template > Virtual Server
The Virtual Server Template page lists the configured virtual server templates. This page is displayed when you click Add or click on a virtual server template name.

Table 73 lists the virtual server template parameters you can configure.

TABLE 73 Virtual Server Template Parameters


Virtual Server Template Section

Parameter: Name
Description: Name of the template.
Supported values: String of 1-31 characters

Parameter: Connection Limit
Description: Limits the number of connections allowed on virtual servers that use this template. When a virtual server reaches its connection limit, the ACOS device stops selecting the virtual server for client requests.
When you select the Connection Limit Status checkbox, the following configuration fields appear:
• Connection Limit – Maximum of new connections allowed on a virtual server.
• Drop or Reset – Specifies the action to take for connections that exceed the limit.
• Logging – Generates a log message when a virtual server exceeds its connection limit.
Supported values:
• Status – Enabled or Disabled
• Connection Limit – 1-8000000 connections per second
Default: 8000000 (8 million) connections per second

Parameter: Connection Rate Limit
Description: Limits the rate of new connections the ACOS device is allowed to send to servers that use this template. When a real server reaches its connection rate limit, the ACOS device stops selecting the server for client requests.
When you select the Connection Rate Limit checkbox, an entry field appears. Enter the maximum of new connections allowed on a server. You can specify 1-1048575 connections.
The Sampling Per option specifies the sampling rate:
• 100ms – The connection rate limit applies to 100-ms intervals.
• 1 second – The connection rate limit applies to one-second intervals.
The Drop or Reset option specifies the action to take for connections that exceed the limit.
The Logging option specifies whether to generate a log message when a virtual server exceeds its connection rate limit.
Supported values:
• Status – Enabled or Disabled
• Connection rate limit – 1-1048575 connections per second
• Sampling Per – 100ms or 1 second
Default: Disabled. When you enable the feature, the default for Sampling Per is 1 second.

Parameter: ICMP Rate Limit
Description: Configures ICMP rate limiting for the virtual server, to protect against denial-of-service (DoS) attacks.
When you select the ICMP Rate Limit Status checkbox, the following configuration fields appear:
• Normal Rate – Maximum number of ICMP packets allowed per second before the ACOS device locks up ICMP traffic to the virtual server. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires.
• Lockup Status checkbox – Selecting this checkbox displays the Lockup Rate and Lockup Period fields.
  • Lockup Rate – Maximum number of ICMP packets allowed per second before the ACOS device locks up ICMP traffic. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires.
  • Lockup Period – Number of seconds for which the ACOS device drops all ICMP traffic, after the maximum rate is exceeded.
Supported values:
• State: Enabled or Disabled
• Normal Rate – 1-65535 packets per second
• Lockup Rate – 1-65535 seconds
• Lockup Period – 1-16383 seconds
Default: Disabled
Specifying a maximum rate (lockup rate) and lockup period is optional. If you do not specify them, lockup does not occur.

Parameter: ICMPv6 Rate Limit
Description: For parameter descriptions, see above.
Supported values: See above

Parameter: Subnet Gratuitous ARP
Description: Enables gratuitous ARPs for all VIPs in subnet VIPs. A subnet VIP is a range of VIPs created from a range of IP addresses within a subnet.
Note: This option applies only to VIPs that are created using a range of subnet IP addresses. The option has no effect on VIPs created with a single IP address.
Supported values: State: Enabled or Disabled
Default: Disabled

Config Mode > SLB > Service > Template > Virtual Server Port
The Virtual Server Port Template page lists the configured virtual server port templates. This page is displayed when you click Add or click on a virtual server port template name.

Table 74 lists the virtual server port template parameters you can configure.


TABLE 74 Virtual Server Port Template Parameters


Virtual Server Port Template Section

Parameter: Name
Description: Name of the template.
Supported values: String of 1-31 characters

Parameter: aFlow
Description: Enables surge protection for HTTP/HTTPS.
This option queues HTTP packets from clients when a server port reaches a configured connection limit, instead of dropping them. The ACOS device then monitors the port, and begins forwarding the queued packets when connections become available again. To prevent flooding of the port, the ACOS device forwards the queued packets at a steady rate.
aFlow control is triggered when either of the following occurs:
• If connection limit is configured on the real server or real port – The backend real server or real port reaches its configured connection limit.
• If connection limit is not configured on the real server or real port – The response time of the backend real server or real port increases dramatically. The response time is the time between when the ACOS device forwards a request to the server and when the ACOS device receives the first reply packet from the server.
When aFlow control is triggered, the ACOS device queues request packets instead of forwarding them to the server. After the response time returns to normal, the ACOS device sends the queued packets to the server.
Note: In the current release, it is recommended to use the first method for triggering aFlow, by configuring connection limits on the real servers or real ports. The second method of triggering aFlow is still being refined and is considered to be in Beta status.
Note: If you change the aFlow setting for a virtual port, or the connection limit or connection rate limit of a real server or port used by the virtual port, you must reload the ACOS device to place the change into effect. Otherwise, the changed setting might not work correctly.
Supported values: Enabled or disabled
Default: disabled

Parameter: Connection Limit
Description: Limits the number of connections allowed on virtual ports that use this template. When a virtual port reaches its connection limit, the ACOS device stops selecting the virtual port for client requests.
When you select the Connection Limit Status checkbox, the following configuration fields appear:
• Connection Limit – Maximum of new connections allowed on a virtual port.
• Drop or Reset – Specifies the action to take for connections that exceed the limit.
• Logging – Generates a log message when a virtual port exceeds its connection limit.
Supported values:
• Status – Enabled or Disabled
• Connection Limit – 1-8000000 connections per second
Default: Disabled

Parameter: Connection Rate Limit
Description: Limits the rate of new connections the ACOS device is allowed to send to virtual ports that use this template. When a virtual port reaches its connection rate limit, the ACOS device stops selecting the virtual port for client requests.
When you select the Connection Rate Limit checkbox, an entry field appears. Enter the maximum of new connections allowed on a virtual port. You can specify 1-1048575 connections.
The Sampling Per option specifies the sampling rate:
• 100ms – The connection rate limit applies to 100-ms intervals.
• 1 second – The connection rate limit applies to one-second intervals.
The Drop or Reset option specifies the action to take for connections that exceed the limit.
The Logging option specifies whether to generate a log message when a virtual port exceeds its connection rate limit.
Supported values:
• Status – Enabled or Disabled
• Connection rate limit – 1-1048575 connections per second
• Sampling Per – 100ms or 1 second
Default: 8000000 (8 million) connections per second. The default for Sampling Per is 1 second.

Parameter: Reset Unknown Connection
Description: Enables sending of a TCP Reset (RST) in response to a session mismatch. A session mismatch occurs when the ACOS device receives a TCP packet for a TCP session that does not exist on the ACOS device.
This option is useful in cases where a session ages out or is deleted on the ACOS device, but the client does not receive a RST or FIN for the session. In this case, without a RST, the session could remain open on the client until the session ages out.
• TCP packet with any flag other than SYN or RST – Send RST to sender of packet only.
• TCP packet with SYN or RST flag – Do not send RST.
Note: This option does not apply to sessions that are in the delete queue. If the ACOS device receives a packet for a session that has been moved to the delete queue, the ACOS device does not send a TCP RST. Instead, the ACOS device reactivates the session and allows it to age out normally.
Supported values: Enabled or disabled
Default: Disabled

Parameter: Reset L7 on Failover
Description: Resets a Layer 7 connection upon failover.
Supported values: Enabled or disabled
Default: Disabled

Parameter: Ignore TCP MSL
Description: Immediately reuses TCP sockets after session termination, without waiting for the SLB Maximum Session Life (MSL) time to expire.
Supported values: Enabled or disabled
Default: Disabled

Parameter: Drop Unknown Connection
Description: Drops connections in response to a session mismatch. A session mismatch occurs when the ACOS device receives a TCP packet for a TCP session that does not exist on the ACOS device.
Supported values: Enabled or disabled
Default: Disabled

Parameter: Allow SYN Other Flags
Description: Allows the initial SYN packet to contain other flags as well.
Supported values: Enabled or disabled
Default: Disabled

Parameter: SNAT Port Preservation
Description: Attempts to preserve the client’s source port for the traffic destined to the virtual port.
Notes:
• Port preservation is not always guaranteed and is performed on a best-effort basis.
• Port preservation does not work for FTP active mode sessions.
• Port preservation works only if source NAT is enabled for the virtual port.
• For high availability, it is recommended to use VRRP-A, instead of the older implementation (HA). If you do need to use HA instead of VRRP-A, it is recommended to use the ha-use-all-ports option when configuring the IP address pool. This option increases the likelihood that the ACOS device can acquire the same source port as the client for this feature.
Supported values: Enabled or disabled
Default: Disabled

Parameter: SNAT MSL
Description: Sets the TCP Maximum Segment Life (MSL) for virtual port NAT sessions. This option is useful for servers that have older TCP/IP stacks, which wait up to 240 seconds (4 minutes) after a FIN before the endpoint can enter a new connection.
Supported values: 1-1800 seconds
Default: Not set

Parameter: DSCP
Description: Sets the Differentiated Services Code Point (DSCP) value in client requests before forwarding them to the server.
Supported values: 1-63
Default: Not set

Config Mode > SLB > Service > Class List

This page enables you to import or configure a class list for IP limiting or
DNS caching.

To edit a class list, click on the class list name. (See “Editing a Class List in
the GUI” on page 203.)

The following sections describe the IP limiting and DNS caching features
and how to configure them.


IP Limiting
IP limiting enables you to limit client traffic. Separate limits can be configured for each of the following:
• Concurrent connections

• Connection rate

• Concurrent Layer 7 requests

• Layer 7 request rate

Note: In the current release, Layer 7 request limiting applies only to the HTTP,
HTTPS, and fast-HTTP virtual port types.

You can apply source IP limiting on a system-wide basis, on individual virtual servers, or on individual virtual ports.

Using class lists, you can configure different classes of clients, and apply a separate set of IP limits to each class. You also can exempt specific clients from being limited.
The ACOS device can support up to 255 class lists. Each class list can contain up to 8 million host IP addresses and 64,000 subnets.

Class List Syntax for IP Limiting


Each entry (row) in the class list defines a client class, and has the following
format:
ipaddr /network-mask [glid num | lid num] [age minutes]
[; comment-string]

Each entry consists of the following:


• ipaddr – Specifies the host or subnet address of the client. The network-
mask specifies the network mask.
To configure a wildcard IP address, specify 0.0.0.0 /0. The wildcard
address matches on all addresses that do not match any entry in the class
list.
• glid num | lid num – Specifies the ID of the IP limiting rule to use for
matching clients. You can use a system-wide (global) IP limiting rule or
an IP limiting rule configured in a policy template.
• To use an IP limiting rule configured at the global configuration
level, use the glid num option.
• To use an IP limiting rule configured at the same level (in the same
policy template) as the class list, use the lid num option.

To exclude a host or subnet from being limited, do not specify an IP limiting rule.
• age minutes – Removes a host entry from the class list after the specified
number of minutes. You can specify 1-2000 minutes.
When you assign an age value, the host entry remains in the class list
only for the specified number of minutes. After the age expires (reaches
0), the host entry is removed from the class list within the next minute.
You can use the age option in combination with IP limiting options in
the LID to temporarily control client access. Any traffic limiting settings
in the LID assigned to the host entry take effect only until the age
expires.

Note: The age option applies only to host entries (IPv4 /32 or IPv6 /128). The
age option is not supported for subnet entries.

Note: If you use a class-list file that is periodically re-imported, the age for
class-list entries added to the system from the file does not reset when the
class-list file is re-imported. Instead, the entries are allowed to continue
aging normally. This is by design.
• ; comment-string – Contains a comment. Use a semi-colon ( ; ) in front
of the comment string.

Note: The ACOS device discards the comment string when you save the class
list.

IP Address Matching
By default, the ACOS device matches class-list entries based on the source
IP address of client traffic. Optionally, you can match based on one of the
following instead:
• Destination IP address – Matches based on the destination IP address
instead of the source IP address.
• IP address in HTTP request – Matches based on the IP address in a
header in the HTTP request. You can specify the header when you
enable this option.


Example Class Lists for IP Limiting


Here is an example of a very simple class list. This list matches on all clients and uses an IP limiting rule configured at the global configuration level:
0.0.0.0/0 glid 1
Here is an example with more options:
1.1.1.1 /32 lid 1
2.2.2.0 /24 lid 2 ; LID 2 applies to every single IP of this subnet
0.0.0.0 /0 lid 10 ; LID 10 applied to every undefined single IP
3.3.3.3 /32 glid 3 ; Use global LID 3
4.4.4.4 /32 ; No LID is applied (exception list)

The rows in the list specify the following:


• For individual host 1.1.1.1, use IP limiting rule 1, which is configured in a policy template. (A policy template can be applied globally for system-wide IP limiting, or to an individual virtual server or virtual port. This is described in more detail in a later section.)
• For all hosts in subnet 2.2.2.0/24, use IP limiting rule 2, which is configured in a policy template.
• For all hosts that do not match another entry in the class list, use IP limiting rule 10, which is configured in a policy template.
• For individual host 3.3.3.3, use IP limiting rule 3, which is configured at the global configuration level.
• For individual host 4.4.4.4, do not use an IP limiting rule.
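
An added example, not taken from the A10 guide: a pre-import check for class-list files that parses the entry syntax above, enforces the age and LID/GLID ranges this guide documents, and resolves a client address to its rule. Choosing the most specific matching prefix when entries overlap is an assumption; the guide states only that the wildcard entry catches addresses that match nothing else. All function and class names are hypothetical.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the multi-entry example class list from this section.
SAMPLE_CLASS_LIST = """\
1.1.1.1 /32 lid 1
2.2.2.0 /24 lid 2 ; LID 2 applies to every single IP of this subnet
0.0.0.0 /0 lid 10 ; LID 10 applied to every undefined single IP
3.3.3.3 /32 glid 3 ; Use global LID 3
4.4.4.4 /32 ; No LID is applied (exception list)
"""

# ipaddr /network-mask [glid num | lid num] [age minutes]
ENTRY_RE = re.compile(
    r"^(?P<addr>[^\s/]+)\s*/\s*(?P<mask>\S+)"
    r"(?:\s+(?P<kind>glid|lid)\s+(?P<num>\d+))?"
    r"(?:\s+age\s+(?P<age>\d+))?$"
)
# Ranges stated in this guide: LID 1-31, GLID 1-1023, age 1-2000 minutes.
ID_RANGE = {"lid": (1, 31), "glid": (1, 1023)}
AGE_RANGE = (1, 2000)


@dataclass(frozen=True)
class Entry:
    network: object          # ipaddress.IPv4Network or IPv6Network
    kind: Optional[str]      # "lid", "glid", or None (client is exempt)
    num: Optional[int]
    age: Optional[int]       # minutes, host entries only


def parse_entry(line: str) -> Entry:
    """Parse one class-list row; raise ValueError if it breaks a rule."""
    body = line.partition(";")[0].strip()   # the comment is not part of the rule
    m = ENTRY_RE.match(body)
    if not m:
        raise ValueError(f"does not match class-list syntax: {body!r}")
    net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
    kind = m["kind"]
    num = int(m["num"]) if kind else None
    if kind and not ID_RANGE[kind][0] <= num <= ID_RANGE[kind][1]:
        raise ValueError(f"{kind} {num} outside {ID_RANGE[kind]}")
    age = int(m["age"]) if m["age"] else None
    if age is not None:
        if not AGE_RANGE[0] <= age <= AGE_RANGE[1]:
            raise ValueError(f"age {age} outside {AGE_RANGE}")
        if net.prefixlen != net.max_prefixlen:
            raise ValueError("age is supported only on host entries")
    return Entry(net, kind, num, age)


def parse_class_list(text: str):
    """Return (entries, errors); errors are (line_number, message) pairs."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.partition(";")[0].strip():
            continue                          # blank or comment-only line
        try:
            entries.append(parse_entry(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return entries, errors


def lookup(entries, client_ip: str) -> Optional[Entry]:
    """Most specific entry containing client_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(client_ip)
    hits = [e for e in entries
            if e.network.version == ip.version and ip in e.network]
    return max(hits, key=lambda e: e.network.prefixlen, default=None)


if __name__ == "__main__":
    entries, errors = parse_class_list(SAMPLE_CLASS_LIST)
    for ip in ("1.1.1.1", "2.2.2.77", "3.3.3.3", "4.4.4.4", "9.9.9.9"):
        e = lookup(entries, ip)
        rule = f"{e.kind} {e.num}" if e.kind else "exempt (no rule)"
        print(f"{ip:10} -> {e.network} -> {rule}")
    print("errors:", errors)
```

Running it over a file before import surfaces rows such as a subnet entry carrying an age, which the guide says is not supported, and exempt entries that would leave a client unlimited.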

DNS Caching
DNS caching per-VIP enables you to tightly control caching behavior. You
can configure the following:
• DNS caching on per-VIP basis

• DNS caching on per-record basis

• Rate-based DNS caching

• DNS record weighting for selective cache entry aging

• Throttling based on domain name

• Logging of DNS cache hits


Parameters for DNS caching per VIP are configured in the following places:
• Class list (See “Config Mode > SLB > Service > Class List” on
page 196.)
• DNS Firewall template (See “Config Mode > Security > Template >
DNS Firewall” on page 369.)

Importing a Class List onto the ACOS Device


1. Select Config Mode > SLB > Service, if not already selected.

2. On the menu bar, select Class List.

3. Click Import. The Import page appears.

4. In the Name field, enter the filename to use for the imported class list.

5. Select the location of the file to be imported:


• Local – The file is on the PC you are using to run the GUI, or is on
another PC or server in the local network. Go to step 2.
• Remote – The file is on a remote server. Go to step 4.

6. Click Browse and navigate to the location of the class list.

7. Click Open. The path and filename appear in the Source field. Go to
step 10.

8. To use the management interface as the source interface for the connection to the remote device, select Use Management Port. Otherwise, the ACOS device will attempt to reach the remote server through a data interface.

9. Select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

10. In the Host field, enter the directory path and filename.

11. If needed, change the protocol port number in the port field. By default,
the default port number for the selected file transfer protocol is used.

12. In the Location field, specify the directory path and filename.

13. In the User and Password fields, enter the username and password
required for access to the remote server.

14. Click OK.


Configuring a Class List in the GUI


1. Select Config Mode > SLB > Service.

2. On the menu bar, select Class List.

3. Click Add.

4. In the Name field, enter a name for the class list.

5. Select the system location in which to save the class list:


• File – The list is saved in a stand-alone file.
• Config – The list is saved in the startup-config.

Note: If the class list contains 100 or more entries, it is recommended to use the
File option.
A class list can be exported only if you use the File option.

6. Select the type: Explicit or Implicit

7. If you select Explicit, you can configure class entries of the following
types:
• String – To create a class list with string entries, perform step 8.
• IP Address – To create a class list with IP address entries, perform
step 9.
• DNS – To create a class list with DNS caching, perform step 10.
If you select Implicit, only the IP Address and DNS options are available.

8. Configure class list string entries:


a. In the String field, enter the string value.
b. Select a LID or Value String radio button.
c. If LID is selected, choose Local or Global from the drop-down list
and enter the LID ID. A value of 1-31 is supported.
d. If Value String is selected, enter the string in the Value String field.
e. Click Add.
f. Repeat for each entry.
g. Click Ok.


9. Configure class list IP address entries:


a. Select the IP version, IPv4 or IPv6.
b. Enter the IP address and subnet mask.
• For a host entry, use mask 255.255.255.255.
• For a wildcard entry, enter IP address 0.0.0.0 and network mask
0.0.0.0.
c. Specify the IP limiting rule to apply to the host or subnet address.
• Select the system location of the IP limiting rule:
Local – The IP limiting rule is configured in a policy template to
be applied to a virtual server or virtual port.
Global – The IP limiting rule is configured in a policy template
to be applied at the system (global) level.
• Enter the LID number, 1-31.

Note: Make sure to use the same number when you configure the IP limiting
rule.
d. To make the entry temporary, assign an age to the entry. You can
specify 1-2000 minutes. The entry is removed from the class list
after the age expires.
e. Click Add.
f. Repeat for each entry.
g. Click Ok.

Note: The Age option applies only to host entries (IPv4 /32 or IPv6 /128). The
Age option is not supported for subnet entries.

10. Configure settings for DNS caching:


a. In the Domain field, enter the domain string on which to match.
b. From the Match Type drop-down list, select the match option:
• Contains
• Starts With
• Ends With
c. Specify the IP limiting rule to use.
• Select Local from the LID drop-down list.
• Enter the LID number, 1-31.
d. Click Add.
e. Repeat for each domain string on which to match.
f. Click OK.


Editing a Class List in the GUI


1. Select Config Mode > SLB > Service > Class List.

2. Click on the class list name.


• If the class list was saved to the configuration file (Config option),
the GUI edit options for the class list appear.
• If the class list was saved to a standalone file (File option) and the
configuration was saved at any time after the class list was created,
the class list text is displayed instead.

3. Edit the class list as needed.

4. Click OK.

Note: You can directly edit a class list’s text in the GUI only if the class list was saved to a standalone file (File option), not to the configuration file (Config option).
If the GUI input fields for the class list appear, instead of the file text, either the configuration has not been saved since the class list was created, or the class list was written to the configuration file instead of a standalone file.

Config Mode > SLB > Service > GLID


Configure global IP limiting or DNS caching rules. IP limiting rules specify
connection and request limits for clients. DNS caching rules specify caching
behavior for DNS replies.

Note: To configure IP limiting rules for individual virtual servers or virtual ports, use policy templates instead. (See “Config Mode > SLB > Template > Application > RAM Caching” on page 221.)
To configure DNS caching rules for individual virtual ports, see “Config Mode > SLB > Service > Class List” on page 196.

IP Limiting GLID Parameters


Each GLID rule for IP limiting has the following parameters:
• ID – Number that identifies the rule. You can set the ID to a value
between 1-1023.
• Connection Limit – Maximum number of concurrent connections
allowed for a client. You can specify 0-1048575. Connection limit 0
immediately locks down matching clients. There is no default.

• Connection Rate Limit – Maximum number of new connections allowed for a client within the limit period. You can specify 1-2147483647 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms. There is no default.
• Request Limit – Maximum number of concurrent Layer 7 requests allowed for a client. You can specify 1-1048575. There is no default.
• Request Rate Limit – Maximum number of Layer 7 requests allowed for a client within the limit period. You can specify 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms. There is no default.
• Over Limit action – Action to take when a client exceeds one or more of the limits. The action can be one of the following:
  • Drop – The ACOS device drops that traffic. If logging is enabled, the ACOS device also generates a log message. This is the default action.
  • Forward – The ACOS device forwards the traffic. If logging is enabled, the ACOS device also generates a log message.
  • Reset – For TCP, the ACOS device sends a TCP RST to the client. If logging is enabled, the ACOS device also generates a log message.
• Lockout period – Number of minutes during which to apply the over-limit action after the client exceeds a limit. The lockout period is activated when a client exceeds any limit. The lockout period can be 1-1023 minutes. There is no default.
• Logging – Generates log messages when clients exceed a limit. Logging is disabled by default. When you enable logging, a separate message is generated for each over-limit occurrence, by default. You can specify a logging period, in which case the ACOS device holds onto the repeated messages for the specified period, then sends one message at the end of the period for all instances that occurred within the period. The logging period can be 1-255 minutes. The default is 0 (no wait period).

Note: The request limit and request-rate limit options, when configured in a policy template, are applicable only in policy templates that are bound to virtual ports. These options are not applicable in policy templates bound to virtual servers (rather than individual ports), or in policy templates used for system-wide PBSLB.
The request limit and request-rate limit options apply only to HTTP, fast-HTTP, and HTTPS virtual ports. The over-limit logging, when used with the request-limit or request-rate-limit option, always lists Ethernet port 1 as the interface.
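
A small Python model of how the request-rate limit, lockout period and logging period interact for one client, added here as an illustration and not taken from ACOS. It assumes fixed limit-period windows, a lockout that starts at the first over-limit request, and hypothetical field names; the request times are constructed.

```python
from dataclasses import dataclass

MS_PER_MIN = 60_000


@dataclass
class GlidRule:
    """Request-rate subset of a GLID rule (field names are hypothetical)."""
    request_rate_limit: int          # 1-4294967295 per limit period
    limit_period_ms: int             # 100-6553500 ms, in 100 ms increments
    over_limit_action: str = "drop"  # drop (default), forward or reset
    lockout_min: int = 0             # 1-1023 minutes; 0 models "not set"
    logging: bool = False            # disabled by default
    logging_period_min: int = 0      # 1-255 minutes; 0 = no wait period

    def validate(self):
        if not 1 <= self.request_rate_limit <= 4294967295:
            raise ValueError("request rate limit must be 1-4294967295")
        if not 100 <= self.limit_period_ms <= 6553500 or self.limit_period_ms % 100:
            raise ValueError("limit period must be 100-6553500 ms in 100 ms steps")
        if self.over_limit_action not in ("drop", "forward", "reset"):
            raise ValueError("over-limit action must be drop, forward or reset")
        if not 0 <= self.lockout_min <= 1023:
            raise ValueError("lockout period must be 1-1023 minutes (0 = not set)")
        if not 0 <= self.logging_period_min <= 255:
            raise ValueError("logging period must be 0-255 minutes")


def simulate(rule, request_times_ms):
    """Replay one client's request times; return (decisions, log_messages).

    decisions    -> [(time_ms, "allow" or the over-limit action)]
    log_messages -> [(time_sent_ms, occurrences_reported)]
    """
    rule.validate()
    decisions, logs = [], []
    window, count = None, 0
    lockout_until = -1
    held, hold_ends = 0, None   # over-limit occurrences held by the logging period

    for t in sorted(request_times_ms):
        # Logging period elapsed: one message covers everything held so far.
        if hold_ends is not None and t >= hold_ends:
            logs.append((hold_ends, held))
            held, hold_ends = 0, None

        w = t // rule.limit_period_ms        # assumption: fixed, aligned windows
        if w != window:
            window, count = w, 0
        count += 1

        locked = t < lockout_until
        exceeded = count > rule.request_rate_limit
        if not (locked or exceeded):
            decisions.append((t, "allow"))
            continue
        if exceeded and not locked and rule.lockout_min:
            lockout_until = t + rule.lockout_min * MS_PER_MIN
        decisions.append((t, rule.over_limit_action))

        if not rule.logging:
            continue
        if rule.logging_period_min == 0:
            logs.append((t, 1))              # separate message per occurrence
        else:
            if hold_ends is None:
                hold_ends = t + rule.logging_period_min * MS_PER_MIN
            held += 1

    if hold_ends is not None:                # flush what is still held at the end
        logs.append((hold_ends, held))
    return decisions, logs


# Constructed sample: one client's request times in milliseconds.
SAMPLE_TIMES = [0, 100, 200, 300, 400, 1500, 30_000, 61_000]

if __name__ == "__main__":
    no_lockout = GlidRule(3, 1000, logging=True)
    with_lockout = GlidRule(3, 1000, lockout_min=1, logging=True, logging_period_min=1)
    for name, rule in (("no lockout", no_lockout), ("1 min lockout", with_lockout)):
        decisions, logs = simulate(rule, SAMPLE_TIMES)
        print(name, [action for _, action in decisions], logs)
```

With the lockout set, the requests at 1500 ms and 30000 ms are still dropped although their own windows are under the limit, and the logging period collapses four over-limit occurrences into one message.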


Match IP Address
By default, the ACOS device matches class-list entries based on the source
IP address of client traffic. Optionally, you can match based on one of the
following instead:
• Destination IP address – matches based on the destination IP address in
packets from clients.
• IP address in client packet header – matches based on the IP address in
the specified header in packets from clients. If you do not specify a
header name, this option uses the IP address in the X-Forwarded-For
header.

DNS Caching GLID Parameters


In addition to the IP limiting GLID parameters, each GLID rule for DNS
caching also has the following parameters:
• Over-limit action:
    • Enable DNS Cache
    • Disable DNS Cache
• DNS Cache – Caching state (enabled or disabled)
• TTL – Number of seconds to keep an entry in the cache before removing it. You can specify 1-65535 seconds. By default, the global DNS cache age is used. The default global DNS cache age is 300 seconds.
• Weight – Numeric value used when cache entries need to be removed to make room for new entries. You can assign a weight of 1-7. Lower-weighted objects are removed before higher-weighted objects.
    • Cache more than 60% full, entries with weight 1 are eligible to be removed.
    • Cache more than 70% full, entries with weight 1 or 2 are eligible to be removed.
    • Cache more than 80% full, entries with weights 1-4 are eligible to be removed.
    • Cache more than 90% full, entries with weights 1-6 are eligible to be removed.
  The default weight is 1.
• Source NAT Pool – Pool of NAT addresses, if reverse NAT is required.

Note: The Source NAT Pool option is applicable only to transparent traffic, not
to SLB traffic.


Config Mode > SLB > Service > Global

These pages display the configurable system-wide SLB parameters.

Select one of the following menu options:


• Global > Settings

• Global > Monitor Resource

• Global > Log Rate Limiting

Config Mode > SLB > Service > Global > Settings

Table 75 lists the SLB parameters you can configure globally.

TABLE 75 Global SLB Parameters


Parameter Description and Syntax Supported Values
Settings Section
DSR Health Enables health checking of virtual IP addresses in Enabled or Disabled
Check Direct Server Return (DSR) configurations. Default: Disabled
Notes:
• You also must configure the Layer 3 health moni-
tors with the transparent option and with the alias
address set to the virtual IP address, and you must
enable DSR on the virtual ports.
• External health monitoring is currently not sup-
ported for DSR deployments.
Graceful Shutdown
Description: Enables the ACOS device to wait for the specified grace period before moving active sessions on a deleted or disabled port or server to the delete queue.
If enabled, you can select the following:
• After Disable – Perform graceful shutdown after the server, port, virtual server, and/or virtual port are disabled.
• Apply – Perform graceful shutdown for the real server or virtual server only.
Note: When you delete a real or virtual service port, the ACOS device places all the port’s sessions in the delete queue, and stops accepting new sessions on the port.
Supported Values: The following values are supported:
• Status – Enabled or Disabled
• 1-65535 seconds (about 18 hours)
• After Disable – Selected or unselected
• Apply – Server Only or Virtual Server Only
Default: Disabled

Max Session Maximum session life for client sessions. The maxi- 1-40 seconds
Life mum session life controls how long the ACOS Default: 2 seconds
device maintains a session table entry for a client-
server session after the session ends.
The maximum session life allows time for retrans-
missions from clients or servers, which can occur if
there is an error in a transmission.
SYN Cookie
Description: Enables system-wide protection against TCP SYN flood attacks. SYN cookies enable the ACOS device to continue to serve legitimate clients during a TCP SYN flood attack, without allowing illegitimate traffic to consume system resources.
• On Threshold – Specifies the maximum number of concurrent half-open TCP connections allowed on the ACOS device, before SYN cookies are enabled. If the number of half-open TCP connections exceeds the on-threshold, the ACOS device enables SYN cookies. You can specify 0-2147483647 half-open connections.
• Off Threshold – Specifies the minimum number of concurrent half-open TCP connections for which to keep SYN cookies enabled. If the number of half-open TCP connections falls below this level, SYN cookies are disabled. You can specify 0-2147483647 half-open connections.
Notes:
• This option is supported only on models AX 2200, AX 2200-11, AX 3100, AX 3200, AX 3200-11, AX 3200-12, AX 3400, AX 5100, AX 5200, AX 5200-11, and AX 5630.
• If Role-Based Administration (RBA) partitions are configured, hardware-based SYN cookies apply to all partitions. The feature is not partition-aware.
Supported Values: Disabled or Enabled
On Threshold – 0-2147483647 half-open connections
Off Threshold – 0-2147483647 half-open connections
Default: Disabled
Note: If you leave the On Threshold and Off Threshold fields blank, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections present on the ACOS device.

Stats Data Globally disables or re-enables periodic collection Enabled or Disabled
of statistical data for system resources, including the Default: Enabled
following:
• CPU
• Memory
• Disk
• Interfaces
Notes: You also can enable or disable statistical
data collection for SLB and FWLB load-balancing
resources, on an individual basis. Select Enabled or
Disabled next to Stats Data on the configuration
page for the resource.
L7 Request Globally enables Layer 7 request accounting. Enabled or Disabled
Accounting Note: Layer 7 request accounting is automatically Default: Disabled
enabled for service groups that use the least-request
load-balancing method.
Fast Path Enables fast-path processing, wherein the ACOS Enabled or Disabled
Processing device does not perform a deep inspection of every Default: Enabled
field within a packet.
Compression Changes the default compression block size used for 6000-32000 Bytes
Block Size SLB. Default: Not set
Maximum Size Changes the maximum size for aFleX script files. 16-256 KB
aFleX Default: 32

DNS Cache
Description: Enables local caching of replies to DNS queries. When DNS caching is enabled, the ACOS device sends the first request for a given name (hostname, fully-qualified domain name, URL, and so on) to the DNS server. The ACOS device caches the reply from the DNS server, and sends the cached reply in response to the next request for the same name.
The ACOS device continues to use the cached DNS reply until the reply times out. After the reply times out, the ACOS device sends the next request for the URL to the DNS server, and caches the reply, and so on.
If enabled, select one of the following:
• Round Robin – For DNS replies that contain multiple IP addresses in the ANSWER section, the ACOS device rotates the addresses when replying to client requests.
• Single Answer – Caches only replies that have a single IP address in the ANSWER section.
• TTL – Specifies the minimum Time-To-Live (TTL) a reply from the DNS server must have, in order for the ACOS device to cache a reply.
Note: DNS caching applies only to DNS requests sent to a UDP virtual port in a DNS SLB configuration. DNS caching is not supported for DNS requests sent over TCP.
Supported Values: The following values are supported:
• Enabled or Disabled
• Round Robin or Single Answer
• TTL – 1-10000000
Default: Disabled
DNS Cache Age Specifies how long DNS replies are locally cached. 1-1000000 seconds
Note: A DNS reply begins aging as soon as it is Default: 300 seconds
cached and continues aging even if the cached reply
is used after aging starts. Use of a cached reply does
not reset the age of that reply.
DNS Cache Limits the maximum size for DNS cache entries. 1-4096 Bytes
Entry Size Default: 256 Bytes

Source NAT Globally enables IP NAT support for VIPs. Disabled or Enabled
traffic against Source IP NAT can be configured on a virtual port Default: Disabled
VIP in the following ways:
• ACL-SNAT Binding at the virtual port level
• VIP source NAT at the global configuration level
• aFleX policy bound to the virtual port
• Source NAT Pool at the virtual port level
These methods are used in the order shown above.
For example, if IP source NAT is configured using
an ACL on the virtual port, and VIP source NAT is
also enabled globally, then a pool assigned by the
ACL is used for traffic that is permitted by the ACL.
For traffic that is not permitted by the ACL, the
globally configured VIP source NAT can be used
instead.
Note: The current release does not support source
IP NAT on FTP or RTSP virtual ports.
Hardware Enables the HTTP compression module. Disabled or Enabled
Compression When enabled, the module provides hardware- Default: Disabled
based HTTP compression. Except for the compres-
sion level, the compression settings depend on the
HTTP template bound to the virtual port for which
compression is being provided. (See “Config Mode
> SLB > Template > Application > HTTP” on
page 213.) The compression level is set in hardware
and can not be changed.
Note: This option is available only if the ACOS
device you are managing contains a hardware com-
pression module.
Extended Stats Enables collection of peak connection statistics. Disabled or Enabled
Default: Disabled
Disable Reset When this option is enabled, all admins are prohib- Disabled or Enabled
Statistics ited from resetting (clearing) SLB statistics counters Default: Disabled
or interface statistics counters.
If disabled, resetting of SLB and interface statistics
counters is allowed.
System GLID Global set of IP limiting rules for system-wide IP 1-1023
limiting. Default: Not set
To configure a global Limit ID (GLID), see “Config
Mode > SLB > Service > GLID” on page 203.


Config Mode > SLB > Service > Global > Monitor Resource
From this page you can configure thresholds for Symmetric Multi-
Processing (SMP) resources. SMP resources are allocated from the global
connection session memory pool across the ACOS device’s CPUs and used
for multiple features (source IP persistence, SSL encryption, and so on).
The options on this page allow you to administratively cap the use of SMP
resources on a global scale, and by individual CPU, to improve system
performance and reduce the risk of system outage.

Based on the SMP resource needs of a feature, the ACOS device partitions
global memory resources into different pool sizes and allocates the smallest
pool of memory necessary for the feature. You can limit the allocation of
SMP resources, globally or per CPU, by the following size types:
• Type0 – 32 bytes
• Type1 – 64 bytes
• Type2 – 128 bytes
• Type3 – 256 bytes
• Type4 – 512 bytes

When a type of pool size is in use, even partially, the global memory is
reduced by the amount for that pool type. Only when the entire pool type is
freed, is the memory added back into the global memory pool.
• SMP Type0 to Type4 – Limits use of the total global memory
resource pool.
• Conn Type0 to Type4 – Limits use of the global memory by individ-
ual CPU.

For each field on this page, you can enter a value from 32767 to
256000000 (256 million). The default is 32767.


Config Mode > SLB > Service > Global > Log Rate Limiting
This page enables you to configure rate-limiting settings for logging.

Table 76 lists the parameters.

TABLE 76 Log Rate Limiting Parameters


Parameter Description and Syntax Supported Values
Log Rate Limiting Section
Max Local Maximum number of messages per second that can 1-100
Logging be sent to the local log buffer. Default: 32
Max Remote Maximum number of messages per second that can 1-100000
Logging be sent to remote log servers. Default: 15000
Excluding Excludes logging to the specified destination, Local Local or Remote
or Remote. Default: logging to both destinations is
enabled.

Config Mode > SLB > Template


The Template pages enable you to configure SLB templates. Select the tem-
plate type from the menu bar. The configured templates of that type are
listed.
• To create a new template, click Add.

• To view or edit an existing template, click on the template name.

• To delete a template, select it, then click Delete.


Config Mode > SLB > Template > Application > HTTP

This page displays the configured HTTP templates.

The following configuration sections are displayed when you click Add or
click on a template name.
• HTTP

• Header Erase

• Header Insert

• Response Content Replace

• App Switching

• Redirect Rewrite

• Compression

Table 77 lists the parameters you can configure in HTTP templates.

TABLE 77 HTTP Template Parameters


Parameter Description Supported Values
HTTP Section
Name Name of the template. String of 1-31 characters
Default: Not set
Failover URL Fallback URL to send in an HTTP 302 response Valid URL
when all real servers are down. Default: Not set
Strict Forces the ACOS device to perform the server Enabled or Disabled
Transaction selection process anew for every HTTP request. Default: Disabled
Switching Without this option, the ACOS device reselects the
same server for subsequent requests (assuming the
same server group is used), unless overridden by
other template options.
Client IP Header Inserts the client’s source IP address into HTTP String of 1-63 characters
Insert headers. If you specify an HTTP header name, the Default: Not set
source address is inserted only into headers with
that name.
Click the checkbox to activate the input field.

Retry HTTP Request
Description: Configures the ACOS device to retry sending a client’s request to a service port that replies with an HTTP 5xx status code, and reassign the request to another server if the first server replies with a 5xx status code.
• on HTTP 5xx code – Stops sending client requests to a service port for 30 seconds following reassignment.
• on HTTP 5xx code for each – Does not stop sending client requests to a service port following reassignment.
Note: This option is supported only for virtual port types HTTP and HTTPS. The option is not supported for fast-HTTP or any other virtual port type.
Supported Values: 1-3 retries
Default: Disabled. The ACOS device sends the 5xx status code to the client.
When you enable this feature, the default mode is “on HTTP 5xx code”, and the default number of retries is 3.
Log Retry Logs HTTP retries. An HTTP retry occurs when the Enabled or disabled
ACOS device resends a client’s HTTP request to a Default: disabled
server because the server did not reply to the first
request.
(HTTP retries are enabled using the Retry HTTP
Request option.)
Terminate HTTP 1.1 client when request has Connection: close
Description: Enables the ACOS device to terminate HTTP 1.1 client connections when the “Connection: close” header exists in the HTTP request. This option is applicable to connection-reuse deployments that have HTTP 1.1 clients that are not compliant with the HTTP 1.1 standard.
Supported Values: Enabled or disabled
Default: Disabled. Sessions for non-compliant HTTP 1.1 clients are not terminated.
Non-HTTP Redirects non-HTTP traffic to a specific service Valid service group
Bypass group. This prevents non-HTTP traffic from being Default: Not set
dropped by the ACOS device.
Logging Applies a logging template to the HTTP template, Name of a configured logging
Template for HTTP logging to external servers. template
Default: Not set
HTTP Request Sets a request header wait time to prevent Slowloris 1-31
Header Wait attacks. Default: 7
Time
Header Erase Section
Notes:
• These options are not supported with the fast-http service type. The ACOS device does not allow an HTTP tem-
plate with any of the header erase or header insert options to be bound to a fast-http virtual port. Likewise, the
ACOS device does not allow header options to be added to an HTTP template that is already bound to a fast-http
virtual port.
• In the current release, HTTP header insert, replace, or erase affects both requests and responses for SIP load bal-
ancing.
Request Erases a header from HTTP requests. Enter the Default: Not set
header name in the Name field and click Add.

Response Erases a header from HTTP responses. Enter the Default: Not set
header name in the Name field and click Add.
Header Insert Section
Notes:
• These options are not supported with the fast-http service type. The ACOS device does not allow an HTTP tem-
plate with any of the header erase or header insert options to be bound to a fast-http virtual port. Likewise, the
ACOS device does not allow header options to be added to an HTTP template that is already bound to a fast-http
virtual port.
• In the current release, HTTP header insert, replace, or erase affects both requests and responses for SIP load bal-
ancing.
Request Inserts a header (field:value pair) into HTTP Default: Not set
requests. Enter the header name and value in the
Name field and click Add.
By default, if a request already contains one or more
headers with the specified field name, the command
replaces the last header. You can select one of the
following options to change this behavior:
• Insert Always – Always inserts the field:value
pair. If the request already contains a header with
the same field name, the new field:value pair is
added after the existing field:value pair. Existing
headers are not replaced.
• Insert if Not Exist – Inserts the header only if the
request does not already contain a header with the
same field name.
Response Inserts a header (field:value pair) into HTTP Default: Not set
responses. Enter the header name and value in the
Name field and click Add.
By default, if a request already contains one or more
headers with the specified field name, the command
replaces the last header. You can select one of the
following options to change this behavior:
• Insert Always – Always inserts the field:value
pair. If the request already contains a header with
the same field name, the new field:value pair is
added after the existing field:value pair. Existing
headers are not replaced.
• Insert if Not Exist – inserts the header only if the
request does not already contain a header with the
same field name.

Response Content Replace Section
Notes:
• Quotation marks are not required, even if either or both strings contain blank spaces.
• The maximum number of content-replacement rules per HTTP template is 8.
Old String Specifies the data pattern to search for in server String of 1-127 characters
responses. Default: Not set
New String Replaces previous content with the specified string. String of 1-127 characters
Default: Not set
App Switching Section
Note: An HTTP template can contain a URL switching configuration or a host switching configuration but not
both.
By Selects the type of application switching to perform: URL or Host
• URL – Activates URL switching configuration
fields. (See below)
• Host – Activates Host switching configuration
fields. (See below)
Case Insensitive Specifies to consider character case in the URL. Selected or unselected
URL Default: Unselected
URL Hits Counts the number of “hits” for this URL. Enabled or Disabled
Default: Disabled

URL Switching Selects a service group based on the URL string Strings of 1-63 characters
requested by the client. The selection overrides the Default: Not set
service group configured on the virtual port.
• URL – URL string to match on. If the URL-string
does not match, the service group configured on
the virtual port is used.
• Service group – Service group to use when there
is a match.
• Match Type – Selection is performed using the
following match filters:
• Starts With – matches only if the URL starts
with the value in the URL field.
• Contains – matches if the value in the URL
field appears anywhere within the URL.
• Ends With – matches only if the URL ends
with the value in the URL field.
• Equals – matches only if the URL equals the
value in the URL field.

The match options are always applied in the order
listed above, regardless of the order in which they
appear in the configuration. The service group for
the first match is used.
If a URL matches on more than one match filter of
the same type, the most specific match is used.
If you use the Starts With option with URL switch-
ing, use a slash in front of the URL string. For
example: /urlexample
Each URL matching pattern can be up to 64 bytes
long.
Note: If you plan to also use source IP persistence
or cookie persistence, you must enable the service-
group option in the source IP persistence or cookie
persistence template.
Note: You can use URL switching or Host switch-
ing in an HTTP template, but not both. However, if
you need to use both types of switching, you can do
so with an aFleX script.

Host switching Selects a service group based on the value in the Each host string can be all or part of an
Host field of the HTTP header. The selection over- IP address or host name.
rides the service group configured on the virtual Default: Not set
port.
• Host – Host string to match on. If the host-name
does not match, the service group configured on
the virtual port is used.
• Service group – Service group to use when there
is a match.
• Match Type – Selection is performed using the
following match filters:
• Starts With – matches only if the host name
starts with the value in the Host field.
• Contains – matches if the value in the Host
field appears anywhere within the hostname.
• Ends With – matches only if the hostname ends
with the value in the Host field.
The match options are always applied in the order
listed above, regardless of the order in which they
appear in the configuration. The service group for
the first match is used.
If a host name matches on more than one match fil-
ter of the same type, the most specific match is used.
Note: If you plan to also use source IP persistence
or cookie persistence, you must enable the service-
group option in the source IP persistence or cookie
persistence template.
Note: You can use URL switching or Host switch-
ing in an HTTP template, but not both. However, if
you need to use both types of switching, you can do
so with an aFleX script.

URL Hash
Description: Selects a service group based on the hash value of the first or last bytes of the URL string. The Bytes field specifies how many bytes to use to calculate the hash value.
Select the checkbox to activate the configuration options.
Optionally, you can use URL hashing with either URL switching or host switching. Without URL switching or host switching configured, URL hash switching uses the hash value to choose a server within the default service group. If URL switching or host switching is configured, for each HTTP request, the ACOS device first selects a service group based on the URL or host switching values, then calculates the hash value and uses it to choose a server within the selected service group.
The Offset field specifies the offset at which to begin calculating the hash value.
Supported Values: First or Last
4-128 bytes
Default: Not set
Use Server Enables server load awareness. Enabled or Disabled
Status Note: This option applies only to URL hash switch- Default: Disabled
ing. This option requires custom configuration on
the real servers. For information, see the AX Series
Application Delivery and Server Load Balancing
Guide.
Redirect Rewrite Section
Redirect Rewrite Modifies redirects sent by servers by rewriting the Strings of 1-256 characters
matching URL string (Pattern) to the specified value Default: Not set
(Redirect To) before sending the redirects to clients.
HTTPS Rewrite
Description: Changes HTTP redirects sent by servers into HTTPS redirects before sending the redirects to clients.
Supported Values: Enable or Disable
Protocol port number from 1-65535
Default: Disable; port 443
Compression Section
Note: Compression is supported only for HTTP and HTTPS virtual ports. Compression is not supported for fast-
HTTP virtual ports.
Compression Offloads Web servers from CPU-intensive HTTP Enabled or Disabled
compression operations. Default: Disabled
Keep Accept Allows the real server to perform the HTTP com- Enabled or Disabled
Encoding pression instead of the A10 Thunder Series and Default: Disabled
AX Series device.

Level Specifies the compression level, 1-9. Each level 1-9
provides a higher compression ratio, beginning with Default: 1
level 1, which provides the lowest compression
ratio.
A higher compression ratio results in a smaller file
size after compression. However, higher compres-
sion levels also require more CPU processing than
lower compression levels, so performance can be
affected.
Note: If you plan to use hardware-based compres-
sion, the compression module must be enabled. In
this case, the compression level is set in hardware
and can not be changed. Any level you select in the
template is ignored. The other compression settings
come from the HTTP template. (See “Config Mode
> SLB > Service > Global” on page 206.)
Min Content Specifies the minimum length (in bytes) a server 0-2147483647 bytes.
Length response can be in order to be compressed. The Default: 120 bytes
length applies to the content only and does not
include the headers.
Auto Disable on High CPU
Description: Automatically disables CPU-intensive HTTP compression operations.
Supported Values: Selected or unselected
If selected, you can enter a value between 1-100
Default: Unselected
Content Type Specifies the type of content to compress, based on The content type can be a string 1-31
a string in the content-type header of the HTTP characters long.
response.
Exclude Content Explicitly excludes the specified content type(s) The content type can be a string 1-31
Type from being compressed. characters long.
Exclude URI Explicitly excludes an individual URI from being The URI string can be 1-31 characters.
compressed. An HTTP template can exclude up to
10 URI strings.
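
The URL switching and Host switching rows of Table 77 apply match types in a fixed order, which can send a request to a different service group than the order of rules in the configuration suggests. The following Python model is an added example, not A10 code: the rule patterns and service-group names are constructed, and "most specific" is assumed to mean the longest matching pattern.

```python
from dataclasses import dataclass

# Fixed evaluation order from the table; host switching has no "equals".
MATCH_ORDER = ("starts-with", "contains", "ends-with", "equals")


@dataclass(frozen=True)
class SwitchRule:
    match_type: str      # one of MATCH_ORDER
    pattern: str         # URL or host string configured in the template
    service_group: str   # hypothetical service-group name


def _hit(rule, value):
    p = rule.pattern
    return {
        "starts-with": value.startswith(p),
        "contains": p in value,
        "ends-with": value.endswith(p),
        "equals": value == p,
    }[rule.match_type]


def select_service_group(rules, value, default_group):
    """Pick the service group for a URL (or host) the way the table describes."""
    for match_type in MATCH_ORDER:
        hits = [r for r in rules if r.match_type == match_type and _hit(r, value)]
        if hits:
            # Assumption: "most specific match" modelled as the longest pattern.
            return max(hits, key=lambda r: len(r.pattern)).service_group
    return default_group   # no match: service group bound to the virtual port


def _covers(earlier, later):
    """True if every value matched by `later` is also matched by `earlier`."""
    if later.match_type == "equals":
        return _hit(earlier, later.pattern)
    if later.match_type == "ends-with":
        return earlier.match_type == "contains" and earlier.pattern in later.pattern
    return False


def shadowed_rules(rules):
    """Rules that can never decide the outcome: an earlier-evaluated match type
    always matches first and points at a different service group."""
    found = []
    for later in rules:
        for earlier in rules:
            if (MATCH_ORDER.index(earlier.match_type) < MATCH_ORDER.index(later.match_type)
                    and earlier.service_group != later.service_group
                    and _covers(earlier, later)):
                found.append((later, earlier))
    return found


# Constructed template, in the order an administrator might have typed it.
RULES = [
    SwitchRule("equals", "/admin/login", "sg-admin"),
    SwitchRule("starts-with", "/admin", "sg-app"),
    SwitchRule("ends-with", ".php", "sg-legacy"),
    SwitchRule("contains", "php", "sg-static"),
    SwitchRule("starts-with", "/admin/api", "sg-api"),
]

if __name__ == "__main__":
    for url in ("/admin/login", "/admin/api/users", "/shop/index.php", "/shop/cart"):
        print(url, "->", select_service_group(RULES, url, "sg-default"))
    for later, earlier in shadowed_rules(RULES):
        print(f"{later.match_type} {later.pattern!r} is shadowed by "
              f"{earlier.match_type} {earlier.pattern!r}")
```

Here `/admin/login` lands in `sg-app` rather than `sg-admin`, because the Starts With rule is evaluated before the Equals rule; `shadowed_rules` is a review aid for spotting such rules before a template is bound.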
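
How the three Header Insert (Request) behaviours in Table 77 differ when the client has already sent the header, as an added Python model that is not A10 code. The header name, its values, and the erase-before-insert ordering used in `backend_view` are assumptions made for illustration.

```python
def insert_header(headers, name, value, mode="replace-last"):
    """Apply one Header Insert rule to a list of (name, value) pairs in wire order."""
    same = [i for i, (n, _) in enumerate(headers) if n.lower() == name.lower()]
    out = list(headers)
    if mode == "replace-last":            # default behaviour per the table
        if same:
            out[same[-1]] = (name, value)
        else:
            out.append((name, value))
    elif mode == "insert-always":
        # Added after the existing header; existing headers are not replaced.
        out.insert(same[-1] + 1 if same else len(out), (name, value))
    elif mode == "insert-if-not-exist":
        if not same:
            out.append((name, value))
    else:
        raise ValueError(f"unknown mode: {mode}")
    return out


def erase_header(headers, name):
    """Header Erase (Request): drop every header with this field name."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


def values_of(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


# Constructed request in which the client itself sent the header twice.
HEADER = "X-Request-Origin"          # hypothetical header name
CLIENT_REQUEST = [
    ("Host", "www.example.com"),
    (HEADER, "client-a"),
    (HEADER, "client-b"),
    ("Accept", "*/*"),
]
DEVICE_VALUE = "adc-1"               # constructed value configured in the template


def backend_view(mode, erase_first=False):
    """Values of HEADER that the real server receives for CLIENT_REQUEST."""
    headers = erase_header(CLIENT_REQUEST, HEADER) if erase_first else CLIENT_REQUEST
    return values_of(insert_header(headers, HEADER, DEVICE_VALUE, mode), HEADER)


if __name__ == "__main__":
    for mode in ("replace-last", "insert-always", "insert-if-not-exist"):
        print(mode, backend_view(mode), "| with erase:", backend_view(mode, erase_first=True))
```

Only the erase-then-insert combination leaves the real server with the device's value alone; in every insert mode on its own, at least one client-supplied value still reaches the server.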


Config Mode > SLB > Template > Application > RAM Caching

This option displays the configured RAM caching templates.

The RAM Caching and Policy sections are displayed when you click Add or
click on a template name.

Table 78 lists the parameters you can configure in RAM Caching templates.

TABLE 78 RAM Caching Template Parameters


Parameter Description Supported Values
RAM Caching Section
Name Name of the template. String of 1-31 characters
Default: “default”. The default tem-
plate has the default values listed
below.
Note: The default template can not be
modified.
Age Specifies how long a cached object can remain in 1-999999 seconds (about 11-1/2 days)
the AX RAM cache without being requested. Default: 3600 seconds (1 hour)
Note: This value is used if the web server specifies
that the object is cacheable but does not specify for
how long. If the server does specify how long the
object is cacheable, then the server value is used
instead.
Max Cache Size
Description: Specifies the size of the AX RAM cache.
The total size of all RAM caches combined can be 512 MB on systems with 2 GB of memory and 1024 MB on systems with 4 GB of memory.
Note: To display the amount of memory your system has, select Monitor Mode > Overview > Summary.
Supported Values: The configurable values depend on ACOS model. You can specify from 1 to the maximum allowed on your ACOS model.
Default: Maximum allowed on your ACOS model
Min Content Size
Description: Specifies the minimum object size that can be cached. The ACOS device will not cache objects smaller than this size.
Supported Values: 0-268435455 Bytes (4 MB)
If you specify 0, all objects smaller than or equal to the maximum content size can be cached.
Default: 512 Bytes
Max Content Size
Description: Specifies the maximum object size that can be cached. The ACOS device will not cache objects larger than this size.
Supported Values: 0-268435455 Bytes (4 MB)
If you specify 0, no objects can be cached.
Default: 81920 Bytes (80 KB)

Parameter: Replacement Policy
Description: Specifies the policy used to make room for new objects when the RAM cache is full. The policy supported in the current release is Least Frequently Used (LFU). When the RAM cache becomes more than 90% full, the ACOS device discards the least-frequently used objects to ensure there is sufficient room for new objects.
Supported Values: Least Frequently Used
Default: Least Frequently Used

Parameter: Accept Reload Request
Description: Enables support for the following Cache-Control headers:
• Cache-Control: no-cache
• Cache-Control: max-age=0
When support for these headers is enabled, either header causes the ACOS device to reload the cached object from the origin server.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Verify Host
Description: Enables the ACOS device to cache the host name in addition to the URI for cached content. Use this option if a real server that contains cacheable content will host more than one host name (for example, www.abc.com and www.xyz.com).
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Default Policy No-Cache
Description: Controls whether the default action is to cache cacheable objects, or not cache them. If you change the default action to nocache, the ACOS device can cache only those objects that match a dynamic policy rule that has the cache action.
Supported Values: Enabled or Disabled
Default: Disabled (The default action is to cache cacheable objects.)

Parameter: Remove Cookie
Description: Select to remove cookies from the RAM cache and cached responses.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Insert Age
Description: Disables insertion of Age headers into cached responses.
Default: Insertion of Age headers is enabled by default.

Parameter: Insert Via
Description: Disables insertion of Via headers into cached responses.
Default: Insertion of Via headers is enabled by default.

Parameter: Logging Template
Description: Applies a logging template to the RAM caching template.
Supported Values: Name of a configured logging template
Default: Not set

Policy Section

This section enables you to configure policies for dynamic RAM caching. Dynamic RAM caching policies override and augment standard HTTP behavior.

To configure a cache policy:
1. In the URI field, enter the portion of the URI string to match on.
2. Select Cache from the Action drop-down list. The Duration field appears.
3. By default, the content is cached for the number of seconds specified in the Age field of the RAM Caching section. To override the aging period, specify the number of seconds in the Duration field.
4. Click Add.

To configure a no-cache policy:
1. In the URI field, enter the portion of the URI string to match on.
2. Select No Cache from the Action drop-down list.
3. Click Add.

To configure an invalidate policy:
1. In the URI field, enter the portion of the URI string to match on.
2. Select Invalidate from the Action drop-down list. The Pattern field appears. Enter the portion of the URL string on which to match. For example, to invalidate “/list” objects when the URL contains “/add”, enter “/add” (without the quotation marks).

Notes:
• If a URI matches the pattern in more than one policy rule, the rule with the most specific match is used.
• In the current release, matching is performed based on containment. All URIs that contain the pattern string match the rule. For example, the following policy matches all URIs that contain the string “.jpg” and sets the cache timeout for the matching objects to 7200 seconds:
  policy uri .jpg cache 7200
• Wildcard characters (for example: ? and *) are not supported in RAM Caching policies. For example, if the string pattern contains “*”, it is interpreted literally, as the “*” character.
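
The matching rules in the notes above have two practical consequences: a short string such as “.jpg” also matches URIs under paths that should never be cached, and a pattern written with “*” or “?” silently matches nothing useful. The following Python model is an added example, not A10 code; it covers only the cache and no-cache actions, and it assumes that “most specific” means the longest matching string. The rule set, sample URIs and the "sensitive marker" notion are constructed for illustration.

```python
"""Added example: model of the RAM-caching policy matching rules described above."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_AGE = 3600  # seconds; default of the Age field in Table 78


@dataclass(frozen=True)
class Rule:
    uri: str                        # URI field: string that must occur in the URI
    action: str                     # "cache" or "nocache"
    duration: Optional[int] = None  # Duration field (cache action only)


def match_rule(rules: List[Rule], uri: str) -> Optional[Rule]:
    """Containment match: a rule applies when its string occurs anywhere in the URI.

    Assumption: "most specific match" is modelled as the longest matching string.
    """
    hits = [r for r in rules if r.uri in uri]
    return max(hits, key=lambda r: len(r.uri)) if hits else None


def decide(rules, uri, default_nocache=False,
           age=DEFAULT_AGE) -> Tuple[str, Optional[int], Optional[str]]:
    """Return (action, ttl_seconds, matched_string) for an object the server marks cacheable."""
    rule = match_rule(rules, uri)
    if rule is None:
        # No rule matched: the Default Policy No-Cache setting decides.
        return ("nocache", None, None) if default_nocache else ("cache", age, None)
    if rule.action == "cache":
        ttl = rule.duration if rule.duration is not None else age
        return ("cache", ttl, rule.uri)
    return ("nocache", None, rule.uri)


def literal_wildcard_rules(rules):
    """Rules containing ? or *: these characters are matched literally, not as wildcards."""
    return [r for r in rules if any(c in r.uri for c in "?*")]


def audit(rules, uris, sensitive_markers, default_nocache=False):
    """List URIs that would be cached although they contain a string the operator
    treats as sensitive (a constructed notion for this example)."""
    findings = []
    for uri in uris:
        action, ttl, matched = decide(rules, uri, default_nocache)
        if action == "cache" and any(m in uri for m in sensitive_markers):
            findings.append((uri, matched, ttl))
    return findings


# Constructed sample data.
RULES_BEFORE = [Rule(".jpg", "cache", 7200), Rule("/img/*.png", "cache", 600)]
RULES_AFTER = RULES_BEFORE + [Rule("/account/", "nocache")]
SAMPLE_URIS = ["/img/logo.jpg", "/account/1001/id-scan.jpg",
               "/img/banner.png", "/index.html"]

if __name__ == "__main__":
    print(audit(RULES_BEFORE, SAMPLE_URIS, ["/account/"]))
    print(audit(RULES_AFTER, SAMPLE_URIS, ["/account/"]))
    print(literal_wildcard_rules(RULES_BEFORE))
```

Running the audit before and after adding the “/account/” no-cache rule shows the broad “.jpg” rule losing to the longer string, and the “/img/*.png” rule never matching “/img/banner.png”.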


Config Mode > SLB > Template > Application > SMTP

This option displays the configured SMTP templates.

The following configuration sections are displayed when you click Add or
click on a template name.
• SMTP

• Client Domain Switching

Table 79 lists the parameters you can configure in SMTP templates.

TABLE 79 SMTP Template Parameters


SMTP Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: The default template can not be modified.

Parameter: STARTTLS
Description: Specifies whether use of STARTTLS by clients is required.
Supported Values: One of the following:
• Disabled – Clients cannot use STARTTLS. Use this option if you need to disable STARTTLS support but you do not want to remove the configuration.
• Enforced – Before any mail transactions are allowed, the client must issue the STARTTLS command to establish a secured session. If the client does not issue the STARTTLS command, the AX sends the following message to the client: “530 - Must issue a STARTTLS command first”
• Optional – Clients can use STARTTLS but are not required to do so.
Default: Disabled

Parameter: Command Disabled
Description: Disables support of certain SMTP commands. If a client tries to issue a disabled SMTP command, the AX sends the following message to the client: “502 - Command not implemented”
Supported Values: Any of the following:
• EXPN
• TURN
• VRFY
Default: EXPN, TURN, and VRFY are unselected

Parameter: Server Domain
Description: Email server domain. This is the domain for which the A10 Thunder Series and AX Series device provides SMTP load balancing.
Supported Values: String
Default: “mail-server-domain”

Parameter: Service Ready Message
Description: Text of the SMTP service-ready message sent to clients. The complete message sent to the client is constructed as follows:
  200 - smtp-domain service-ready-string
Supported Values: String
Default: “ESMTP mail service ready”

Client Domain Switching Section

This section enables you to select service groups based on the domain of the client. You can specify all or part of the client domain name.
This option is applicable when you have multiple SMTP service groups.
If the client domain does not match, the service group configured on the virtual port is used.
• Client Domain – Domain name to match on. If the domain name does not match, the service group configured on the virtual port is used.
• Service group – Service group to use when there is a match.
• Match Type – Selection is performed using the following match filters:
  • Starts With – matches only if the domain name starts with the value in the Client Domain field.
  • Contains – matches if the value in the Client Domain field appears anywhere within the domain name.
  • Ends With – matches only if the domain name ends with the value in the Client Domain field.
The match options are always applied in the order listed above, regardless of the order in which they appear in the configuration. The service group for the first match is used.
If a domain name matches on more than one match filter of the same type, the most specific match is used.
By default, client domain switching is not set. All client domains match, and any service group can be used.
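
Because the three match types are evaluated in a fixed order, a Contains rule can take traffic away from a longer Ends With rule, and a rule can exist in the configuration without ever being selected. The Python model below is an added example, not A10 code; it assumes “most specific” means the longest Client Domain value and that domains are compared exactly as given. All rule values, domains and service-group names are constructed.

```python
"""Added example: model of SMTP client domain switching as described above."""
from dataclasses import dataclass

# Fixed evaluation order stated in the Client Domain Switching section.
MATCH_ORDER = ("starts-with", "contains", "ends-with")


@dataclass(frozen=True)
class DomainRule:
    match_type: str      # one of MATCH_ORDER
    client_domain: str   # value of the Client Domain field
    service_group: str   # service group used on a match


def rule_matches(rule, domain):
    if rule.match_type == "starts-with":
        return domain.startswith(rule.client_domain)
    if rule.match_type == "contains":
        return rule.client_domain in domain
    if rule.match_type == "ends-with":
        return domain.endswith(rule.client_domain)
    raise ValueError("unknown match type: " + rule.match_type)


def select_rule(rules, domain):
    """First match type (in MATCH_ORDER) with any hit wins, whatever the config order.

    Assumption: within one match type, the longest value is the most specific.
    """
    for match_type in MATCH_ORDER:
        hits = [r for r in rules
                if r.match_type == match_type and rule_matches(r, domain)]
        if hits:
            return max(hits, key=lambda r: len(r.client_domain))
    return None


def select_service_group(rules, domain, virtual_port_group):
    rule = select_rule(rules, domain)
    return rule.service_group if rule else virtual_port_group


def never_selected(rules, sample_domains):
    """Rules that match at least one sample domain but never win the selection."""
    shadowed = []
    for rule in rules:
        matched = [d for d in sample_domains if rule_matches(rule, d)]
        if matched and all(select_rule(rules, d) != rule for d in matched):
            shadowed.append(rule)
    return shadowed


# Constructed sample configuration and client domains.
RULES = [
    DomainRule("ends-with", ".partner.example", "sg-partner"),
    DomainRule("contains", "corp", "sg-corp"),
    DomainRule("contains", "corp-eu", "sg-corp-eu"),
    DomainRule("starts-with", "mx.", "sg-mx"),
]
SAMPLE_DOMAINS = ["smtp.corp-eu.partner.example", "mail.partner.example",
                  "mx.corp.example", "relay.other.test"]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(d, "->", select_service_group(RULES, d, "sg-virtual-port"))
    print("never selected:", never_selected(RULES, SAMPLE_DOMAINS))
```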


Config Mode > SLB > Template > Application > SIP

This option displays the configured SIP templates.

The SIP configuration section is displayed when you click Add or click on a
template name.

Table 80 lists the parameters you can configure in SIP templates.

TABLE 80 SIP Template Parameters


SIP Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: The default template can not be modified.

Parameter: Registrar Service Group
Description: Name of a configured service group of SIP Registrar servers.
Supported Values: Name of a configured service group

Parameter: Timeout
Description: Number of minutes a call can remain idle before the device terminates it.
Supported Values: 1-250 minutes
Default: 30 minutes

Parameter: Keep Real Server IP if Match ACL
Description: Disables reverse NAT for traffic from servers, based on IP address. This option is useful in cases where a SIP server needs to reach another server, and the traffic must pass through the ACOS device.
Configure an extended ACL that matches on the SIP server IP address or subnet as the source address, and matches on the destination server’s IP address or subnet as the destination address. (See “Config Mode > Security > Network > ACL > Extended” on page 376.)
Then select the ACL from this drop-down list.
Supported Values: ID of an extended ACL
Default: Not set

Parameter: Call-ID Persistence
Description: Sends all SIP requests with a given call ID to the same server.
Supported Values: Enabled or disabled
Default: Enabled

Parameter: Server Selection per Request
Description: Reperforms load balancing for every SIP request.
Supported Values: Enabled or disabled
Default: Disabled

Parameter: ALG Source NAT
Description: Translates the source IP address into the NAT IP address in SIP messages, when source NAT is used.
Supported Values: Enabled or disabled
Default: Disabled

Parameter: ALG Destination NAT
Description: Translates the VIP address into the real server IP address in SIP messages, when destination NAT is used.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Dialog Aware
Description: Enables multiple clients to login with the same username.
Supported Values: Enabled or Disabled
Default: Disabled

Note: The fields below apply only to SIP over TCP/TLS. Except for Name and Timeout, the fields above apply only to SIP over UDP.

Parameter: Client Keep-Alive
Description: Enables the ACOS device to respond to SIP pings from clients on behalf of SIP servers. When this option is enabled, the ACOS device responds to a SIP ping from a client with a “pong”.
Note: If connection reuse is configured, even if client keepalive is disabled, the ACOS device will respond to a client SIP ping with a pong.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Server Keep-Alive
Description: Specifies how often the ACOS device sends a SIP ping on each reusable connection with the SIP server. The ACOS device silently drops the server’s pong reply.
Note: For configurations that use a connection-reuse template, if the server does not reply to a SIP ping within the timeout set in the connection-reuse template, the ACOS device closes the connection. (The connection-reuse timeout is configured by the Timeout option in the connection-reuse template.)
Supported Values: 5-300 seconds
Default: 30

Parameter: Insert Client IP
Description: Inserts an “X-Forwarded-For: IP-address:port” header into SIP packets from the client to the SIP server. The header contains the client IP address and source protocol port number. The ACOS device uses the header to identify the client when forwarding a server reply.
Supported Values: Name of an IP header that inserts a client IP address.
Default: Disabled

Parameter: Failed Client Selection
Description: Specifies the AX response when selection of a SIP client fails.
When you select the checkbox, the following checkboxes appear:
• Drop – Drops the traffic.
• Send Message – Sends a message string to the server. If the message string contains a blank, use double quotation marks around the string.
Supported Values: The action can be one of the following:
• Reset
• Drop
• Send message
Default: Reset

Parameter: Failed Server Selection
Description: Specifies the AX response when selection of a SIP server fails.
When you select the checkbox, the following checkboxes appear:
• Drop – Drops the traffic.
• Send Message – Sends a message string to the client. If the message string contains a blank, use double quotation marks around the string.
Supported Values: The action can be one of the following:
• Reset
• Drop
• Send message
Default: Reset

Parameter: Exclude Translation Body
Description: Disables translation of the virtual IP address and virtual port within the body of SIP messages.
Supported Values: Enabled or disabled
Default: Disabled. (The virtual IP address and port are not excluded from translation.)

Parameter: Exclude Translation Start Line
Description: Disables translation of the virtual IP address and virtual port within the start line of SIP messages.
Supported Values: Enabled or disabled
Default: Disabled. (The virtual IP address and port are not excluded from translation.)

Parameter: Exclude Translation Header
Description: Disables translation of the virtual IP address and virtual port within the header of SIP messages. When you select the checkbox, the Header Name field appears. Enter the name of the header to exclude from translation, then click Add.
Note: The ACOS device will not translate server addresses or protocol port numbers in the following headers:
• Call-ID header
• X-Forwarded-For header
• Via headers, except for the top Via header
Supported Values: Valid header name
Default: When a client sends a SIP request, the request is addressed to the virtual IP address (VIP) and protocol port number configured on the ACOS device for the SIP servers. The ACOS device translates the destination IP address and port of the request from the VIP to the real IP address and port of a SIP server. The ACOS device does not change the client IP address or source protocol port number.
Likewise, when the ACOS device receives a SIP packet from a SIP server, the ACOS device translates the source IP address and port from the server’s real IP address and SIP port to the VIP address and port, then sends the packet to the client.
By default, the ACOS device also translates the client IP address and protocol port number where they are used in some other parts of the SIP packet.

Client Request Header Section

Parameter: Insert
Description: Inserts a header (field:value pair) into client requests. Enter the header name and value in the Name field and click Add.
By default, if a request already contains one or more headers with the specified field name, the command replaces the first header. You can select one of the following options to change this behavior:
• Insert Always – Always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
• Insert if not already preset – Inserts the header only if the request does not already contain a header with the same field name.
Default: Not set

Parameter: Erase
Description: Erases a header from client requests. Enter the header name in the Name field and click Add.
Note: This command erases the first matching header.
You also have the following option:
• Erase All – Erases all headers that contain the field name.
Default: Not set

Client Response Header Section

Parameter: Insert
Description: Inserts a header (field:value pair) into client responses. Enter the header name and value in the Name field and click Add.
By default, if a request already contains one or more headers with the specified field name, the command replaces the first header. You can select one of the following options to change this behavior:
• Insert Always – Always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
• Insert if not already preset – Inserts the header only if the request does not already contain a header with the same field name.
Default: Not set

Parameter: Erase
Description: Erases a header from client responses. Enter the header name in the Name field and click Add.
Note: This command erases the first matching header.
You also have the following option:
• Erase All – Erases all headers that contain the field name.
Default: Not set

Server Request Header Section

Parameter: Insert
Description: Inserts a header (field:value pair) into server requests. Enter the header name and value in the Name field and click Add.
By default, if a request already contains one or more headers with the specified field name, the command replaces the first header. You can select one of the following options to change this behavior:
• Insert Always – Always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
• Insert if not already preset – Inserts the header only if the request does not already contain a header with the same field name.
Default: Not set

Parameter: Erase
Description: Erases a header from server requests. Enter the header name in the Name field and click Add.
Note: This command erases the first matching header.
You also have the following option:
• Erase All – Erases all headers that contain the field name.
Default: Not set

Server Response Header Section

Parameter: Insert
Description: Inserts a header (field:value pair) into server responses. Enter the header name and value in the Name field and click Add.
By default, if a request already contains one or more headers with the specified field name, the command replaces the first header. You can select one of the following options to change this behavior:
• Insert Always – Always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
• Insert if not already preset – Inserts the header only if the request does not already contain a header with the same field name.
Default: Not set

Parameter: Erase
Description: Erases a header from server responses. Enter the header name in the Name field and click Add.
Note: This command erases the first matching header.
You also have the following option:
• Erase All – Erases all headers that contain the field name.
Default: Not set
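
The Insert and Erase options in the four header sections of Table 80 act on the first matching header unless Insert Always, Insert if not already preset, or Erase All is selected, so a message that already carries two copies of a header keeps the second copy under the defaults. The Python model below is an added example, not A10 code. The header name X-Edge-Verified and the SIP message are constructed; the placement of a new header at the end of the header list when no header of that name exists is an assumption, as is placing an Insert Always header after the last existing copy.

```python
"""Added example: model of the SIP template Insert / Erase header options."""


def _positions(headers, name):
    # SIP header field names are case-insensitive.
    return [i for i, (n, _) in enumerate(headers) if n.lower() == name.lower()]


def parse_sip(raw):
    """Split a SIP message into its start line and an ordered (name, value) list.
    Folded (multi-line) headers are not handled in this sketch."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def insert_header(headers, name, value, mode="replace-first"):
    """mode: 'replace-first' (default behaviour), 'always', or 'if-not-present'."""
    pos = _positions(headers, name)
    out = list(headers)
    if mode == "if-not-present":
        if not pos:
            out.append((name, value))       # assumption: appended at the end
    elif mode == "always":
        # Added after the existing header(s); nothing is replaced.
        out.insert(pos[-1] + 1 if pos else len(out), (name, value))
    elif mode == "replace-first":
        if pos:
            out[pos[0]] = (name, value)     # later copies are left untouched
        else:
            out.append((name, value))       # assumption: appended at the end
    else:
        raise ValueError("unknown mode: " + mode)
    return out


def erase_header(headers, name, erase_all=False):
    pos = _positions(headers, name)
    drop = set(pos if erase_all else pos[:1])
    return [h for i, h in enumerate(headers) if i not in drop]


def values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def set_exclusively(headers, name, value):
    """Erase All followed by Insert: exactly one copy with the configured value."""
    return insert_header(erase_header(headers, name, erase_all=True), name, value)


# Constructed SIP request that already carries two copies of the header.
REQUEST = ("REGISTER sip:example.test SIP/2.0\r\n"
           "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed\r\n"
           "X-Edge-Verified: yes\r\n"
           "From: <sip:alice@example.test>;tag=1\r\n"
           "To: <sip:alice@example.test>\r\n"
           "Call-ID: constructed-1@192.0.2.10\r\n"
           "CSeq: 1 REGISTER\r\n"
           "X-Edge-Verified: yes\r\n"
           "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    _, hdrs = parse_sip(REQUEST)
    print(values(insert_header(hdrs, "X-Edge-Verified", "no"), "X-Edge-Verified"))
    print(values(set_exclusively(hdrs, "X-Edge-Verified", "no"), "X-Edge-Verified"))
```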

Config Mode > SLB > Template > Application > RTSP
This option displays the configured RTSP templates.

The RTSP configuration section is displayed when you click Add or click
on a template name.

Table 81 lists the parameters you can configure in RTSP templates.

TABLE 81 RTSP Template Parameters


RTSP Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: The default template can not be modified.

Parameter: URI
Description: Service group to which to send requests for a specific URI.
• URI – URI to match on.
• Service group – Service group to which to send client requests that match the URI
Note: This option is supported only for Windows Media Server.
Supported Values: URI and name of a configured service group
Default: Requests are sent to the service group that is bound to the virtual port.


Config Mode > SLB > Template > Application > Diameter

This option displays the configured Diameter templates.

The Diameter configuration section is displayed when you click Add or
click on a template name.

Table 82 lists the parameters you can configure in Diameter templates.

TABLE 82 Diameter Template Parameters


Diameter Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: The default template can not be modified.

Parameter: Multiple Origin Host
Description: Prepends the AX CPU ID onto the origin-host string to identify the CPU used for a given Diameter peer connection.
Supported Values: Enabled or disabled
Default: disabled. The CPU ID is not prepended onto the origin-host string.

Parameter: Origin Host
Description: Value of Diameter Attribute-Value Pair (AVP) 264. This AVP specifies the identity of the originating host for Diameter messages. Since the ACOS device acts as a proxy for Diameter, this AVP refers to the ACOS device itself, not to the actual clients. From the Diameter server’s standpoint, the ACOS device is the Diameter client.
Specify the origin-host in the following format:
  host.realm
• The host is a string unique to the client (ACOS device).
• The realm is the Diameter realm, specified by the Origin Realm option (described below).
Supported Values: String in the following format: host.realm
Default: not set

Parameter: Origin Realm
Description: Value of Diameter AVP 296. This AVP specifies the Diameter realm from which Diameter messages, including requests, are originated.
Supported Values: Character string
Default: not set

Parameter: Product Name
Description: Value of Diameter AVP 269. This AVP specifies the product; for example, “a10dra”.
Supported Values: Character string
Default: not set

Parameter: Vendor ID
Description: Value of Diameter AVP 266. This AVP is a number that specifies the vendor; for example, “156”. Make sure to use a non-zero value. Zero is reserved by the Diameter protocol.
Supported Values: Number
Default: not set

Parameter: Idle Timeout
Description: Number of minutes a Diameter session can remain idle before the session is deleted.
Supported Values: 1-65535 minutes
Default: 5 minutes

Parameter: DWR Time Interval
Description: Maximum number of seconds the ACOS device will wait for the reply to a device-watch-dog message sent to a Diameter server before marking the server Down.
Supported Values: 0-2147483647 milliseconds (ms), in 100-ms increments
Default: 10 seconds

Parameter: Session Age
Description: Absolute limit for Diameter sessions. Any Diameter session that is still in effect when the session age is reached is removed from the AX session table.
Supported Values: 1-65535 minutes
Default: 10 minutes

Parameter: Customizing CEA Response
Description: Replaces the AVPs in Capabilities-Exchange-Answer (CEA) messages with the custom AVP values you configure before forwarding the messages.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Duplicate
Description: Accounting-Request messages to duplicate, and the service group to which to send the duplicates. You must specify the following information:
• AVP Code – Diameter AVP number.
• Pattern – String pattern within the message.
• Service Group – The duplication service group, which is the service group to which to send the duplicate messages.
Notes:
• To place the message duplication configuration into effect, you must unbind the Diameter template from the Diameter virtual port, then rebind it.
• A Diameter template in which message duplication is configured can be bound to only a single virtual port.
Default: Not set

Parameter: AVP
Description: Custom AVP values to insert into Capabilities-Exchange-Request messages sent by the ACOS device to Diameter servers.
For each custom AVP value to insert, you must specify the following information:
• Code – Diameter AVP number. The Mandatory option sets the AVP mandatory flag on. By default, this flag is off (not set).
• Type – Specifies the data format of the value to insert. You can select INT32, INT64, or String.
• Value – Specifies the value to insert.
You can add up to 6 custom AVPs.
Default: Not set

Parameter: Message Code
Description: Enables load balancing of Diameter message codes, in addition to those already load balanced by default. You can enable load balancing of up to 10 additional message codes.
Supported Values: Valid message code (number)
Default: Diameter load balancing applies only to the following message codes:
• Accounting-Request (code 271)
• Accounting-Answer (code 271)
• Capabilities-Exchange-Request (code 257)
• Capabilities-Exchange-Answer (code 257)
• Device-Watchdog-Request (code 280)
• Device-Watchdog-Answer (code 280)
• Session-Termination-Request (code 275)
• Session-Termination-Answer (code 275)
• Abort-Session-Request (code 274)
• Abort-Session-Answer (code 274)
• Disconnect-Peer-Request/Disconnect-Peer-Answer (code 282)
The ACOS device drops all other Diameter message codes by default.
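
To check a planned Diameter template against captured traffic, the command code in each message header can be compared with the default list above plus the configured Message Code entries, and the identity AVPs from the Origin Host, Origin Realm, Vendor ID and Product Name fields can be validated. The Python sketch below is an added example, not A10 code; it uses the standard Diameter header and AVP layout (RFC 6733), the messages are constructed in the script, and command code 272 (Credit-Control) stands in for an additional code an operator might enable.

```python
"""Added example: Diameter header and AVP checks for the template fields above."""
import struct

DEFAULT_CODES = {257, 271, 274, 275, 280, 282}  # load balanced by default (Table 82)
MAX_EXTRA_CODES = 10                            # limit of the Message Code option
AVP_NAMES = {264: "Origin-Host", 296: "Origin-Realm",
             266: "Vendor-Id", 269: "Product-Name"}


def build_avp(code, data, mandatory=True):
    """Encode one AVP without a Vendor-ID field; the length excludes padding."""
    length = 8 + len(data)
    flags = 0x40 if mandatory else 0x00
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_message(code, request, avps=b""):
    """Encode a Diameter message (constructed hop-by-hop and end-to-end ids)."""
    length = 20 + len(avps)
    flags = 0x80 if request else 0x00
    return (b"\x01" + length.to_bytes(3, "big") + bytes([flags])
            + code.to_bytes(3, "big") + struct.pack("!III", 0, 1, 1) + avps)


def parse_header(msg):
    """Return (command_code, is_request) after basic header validation."""
    if len(msg) < 20:
        raise ValueError("shorter than the 20-byte Diameter header")
    length = int.from_bytes(msg[1:4], "big")
    if msg[0] != 1 or length != len(msg) or length % 4:
        raise ValueError("bad version or message length")
    return int.from_bytes(msg[5:8], "big"), bool(msg[4] & 0x80)


def parse_avps(msg):
    """Extract the AVPs named in AVP_NAMES, with bounds checks on every length."""
    parse_header(msg)
    found, pos = {}, 20
    while pos < len(msg):
        if pos + 8 > len(msg):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", msg[pos:pos + 5])
        length = int.from_bytes(msg[pos + 5:pos + 8], "big")
        header = 12 if flags & 0x80 else 8   # V flag adds a 4-byte Vendor-ID
        if length < header or pos + length > len(msg):
            raise ValueError("AVP length out of bounds")
        data = msg[pos + header:pos + length]
        if code in AVP_NAMES:
            found[AVP_NAMES[code]] = (int.from_bytes(data, "big") if code == 266
                                      else data.decode("utf-8"))
        pos += length + (-length % 4)
    return found


def verdict(msg, extra_codes=()):
    """'forward' for default or additionally enabled codes, otherwise 'drop'."""
    if len(set(extra_codes)) > MAX_EXTRA_CODES:
        raise ValueError("at most 10 additional message codes can be enabled")
    code, is_request = parse_header(msg)
    allowed = code in DEFAULT_CODES or code in extra_codes
    return ("forward" if allowed else "drop", code, is_request)


def check_cer(avps):
    """Check identity AVPs against the rules stated for the template fields."""
    problems = []
    if avps.get("Vendor-Id", 0) == 0:
        problems.append("Vendor-Id missing or zero")
    host, realm = avps.get("Origin-Host", ""), avps.get("Origin-Realm", "")
    if not realm or not host.endswith("." + realm) or host == "." + realm:
        problems.append("Origin-Host is not host.realm")
    return problems


# Constructed messages: a Capabilities-Exchange-Request and a code-272 request.
CER = build_message(257, True,
                    build_avp(264, b"acos1.example.net")
                    + build_avp(296, b"example.net")
                    + build_avp(266, (156).to_bytes(4, "big"))
                    + build_avp(269, b"a10dra"))
CCR = build_message(272, True)

if __name__ == "__main__":
    print(verdict(CER), parse_avps(CER), check_cer(parse_avps(CER)))
    print(verdict(CCR), verdict(CCR, extra_codes=[272]))
```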


Config Mode > SLB > Template > Application > Logging

This option displays the configured logging templates. You can use logging
templates to send logs over TCP to external servers. This feature can be use-
ful for external HTTP logging for HTTP load-balanced traffic and for con-
tent served from the ACOS RAM cache.

The Logging Template configuration section is displayed when you click
Add or click on a template name.

Table 83 describes the configuration options for Logging templates.

TABLE 83 Logging Template Parameters


Logging Template Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Service Group
Description: Binds a service group of log servers to the logging template.
Supported Values: Name of a configured service group
Default: Not set

Parameter: TCP-Proxy Template
Description: Binds a configured TCP-proxy template to the logging template. (See “Config Mode > SLB > Template > TCP Proxy” on page 266.)
Supported Values: Name of a configured TCP-proxy template
Default: Not set

Config Mode > SLB > Template > Application > External Service
This option displays the configured external-service templates. You can use
external-service templates for steering traffic to external servers for addi-
tional processing, based on application. For example, external-service tem-
plates enable deployment of ACOS for the following solutions:
• Redirection of Internet Content Adaptation Protocol (ICAP) traffic, such
as Skyfire Rocket Optimizer traffic
• Redirection of traffic to external URL filtering servers


External-service Template Parameters


Table 84 describes the parameters you can configure.

TABLE 84 External Service Template Parameters


External Service Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Failure Action
Description: Specifies the action performed by ACOS when any of the following types of events occurs:
• ACOS fails to select an external-service server.
• Failure occurs during creation of a new connection to the external-service server.
• The response from the external-service server does not contain HTTP status code 200 or 403.
• Exhaustion of memory when creating a request to the external-service server.
The Failure Action can be one of the following:
• Continue – Allows the client’s request to go to the content server.
• Drop – Silently drops the connection and does not send a reset to the client.
• Reset – Sends a connection reset to the client.
Note: If a TCP error occurs while ACOS is waiting for a response, ACOS resets the connection. For example, this occurs in the case of a connection reset by a URL filtering server.
Supported Values: One of the following:
• Continue
• Drop
• Reset
Default: Continue

Parameter: Type
Description: Specifies the traffic type to redirect:
• URL Filter – Steers HTTP requests from clients to external URL-filtering servers.
• Skyfire ICAP – Steers Internet Content Adaptation Protocol (ICAP) to external Skyfire controllers.
Supported Values: URL Filter or Skyfire ICAP
Default: URL Filter

Parameter: Timeout
Description: Sets the maximum number of seconds ACOS waits for a response from the server. If the server does not reply before the timeout expires, ACOS takes the configured action, which can be one of the following:
• Continue – Allows the client’s request to go to the content server.
• Drop – ACOS silently drops the connection and does not send a reset to the client.
• Reset – ACOS sends a connection reset to the client.
Supported Values: The following values are supported:
• Timeout – 1-200 increments of 200 milliseconds (ms)
• Action – Continue, Drop, or Reset
Default:
• Timeout – 5 (1000ms)
• Action – Continue

Parameter: Service Group
Description: Binds the service group that contains the external-service servers to this template.
Notes:
• Select the service group that contains the external-service servers (for example, Skyfire servers or URL-filtering servers). Do not select the service group containing the content servers (HTTP servers).
• If configuring for Skyfire, specify the group of Skyfire servers here, but not the Skyfire controller. Specify the controller in the Bypass IP field (described below).
Supported Values: Name of a service group
Default: Not set

Parameter: TCP-Proxy Template
Description: Applies a custom TCP-proxy template to use for managing the TCP connections with the servers.
Supported Values: Name of a TCP-proxy template
Default: The default TCP-proxy template

Parameter: Source IP Persistence Template
Description: Applies a source-IP persistence template to the external-service template.
Default: Not set

Parameter: Bypass IP
Description: If configuring for Skyfire, specify the Skyfire controller here.
Note: This option is not applicable to URL filtering.
Supported Values: Valid IP address and mask
Default: Not set

Config Mode > SLB > Template > Application > FIX

This page provides configuration options to create a Financial Information
eXchange (FIX) template.

Table 85 describes the fields on this page.

TABLE 85 FIX Template Parameters


FIX Template Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Insert Client IP
Description: Inserts an AVP with the original client IP address to the tag 11447. For example, if the client IP address is 40.40.40.20, this option will modify the tag to “11447= 40.40.40.20” when the server receives this client’s PUSH data.
Supported Values: Enabled or Disabled
Default: Disabled

Tag Switching Type
Description: Inspects the FIX message header for a SenderCompID or TargetCompID tag value and uses a specific service group if the tag matches the Equals keyword. The ACOS device can inspect FIX messages and perform service group switching with one of the following options:
• Default – Uses the default service group that is bound to the virtual port. This option does not select a service group based on tag matching.
• Sender Comp ID – Selects a service group for FIX requests based on the value of the SenderCompID tag. This tag identifies the financial institution that is sending the request.
• Target Comp ID – Selects a service group for FIX requests based on the value of the TargetCompID tag. This tag identifies the financial institution to which the request is being sent.
If you select the Sender Comp ID or Target Comp ID radio button, the following options are displayed:
• Equals – Specifies a keyword which ACOS matches against the TargetCompID or SenderCompID tag of a FIX message header.
Note: The keyword is case sensitive and must match exactly with the SenderCompID tag or TargetCompID tag. For example, “ABC” is different from “Abc”.
• Service Group – Selects the service group to use for a client request when the SenderCompID or TargetCompID tag in the FIX message header of the request matches the specified keyword.
Supported Values: One of the following:
• Default
• Sender Comp ID
• Target Comp ID
Equals – String of 1-63 characters
Service Group – Name of a service group
Default: Default
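The tag switching and client-IP insertion described in Table 85, modeled as an added Python example (not A10 code). Tag numbers 49 (SenderCompID) and 56 (TargetCompID) come from the FIX standard rather than this page; the function names, service-group names and sample message are constructed, and falling back to the default group on no match, overwriting a client-supplied 11447, and recomputing BodyLength and CheckSum are this example's assumptions.

```python
import ipaddress

SOH = "\x01"                 # FIX field delimiter
SENDER_COMP_ID = 49          # standard FIX header tag
TARGET_COMP_ID = 56          # standard FIX header tag
CLIENT_IP_TAG = 11447        # tag named in Table 85


def checksum(data: str) -> str:
    """FIX CheckSum: sum of all bytes before the 10= field, modulo 256, 3 digits."""
    return f"{sum(data.encode('ascii')) % 256:03d}"


def build(version: str, body_fields) -> str:
    """Serialize (tag, value) pairs that follow tag 9, computing tags 9 and 10."""
    body = "".join(f"{t}={v}{SOH}" for t, v in body_fields)
    head = f"8={version}{SOH}9={len(body)}{SOH}"
    return f"{head}{body}10={checksum(head + body)}{SOH}"


def parse(raw: str):
    """Return ordered (tag, value) pairs; reject framing or checksum errors."""
    if not raw.endswith(SOH):
        raise ValueError("message is not SOH-terminated")
    pairs = []
    for field in raw[:-1].split(SOH):
        tag, sep, value = field.partition("=")
        if not sep or not tag.isdigit() or not value:
            raise ValueError(f"malformed field {field!r}")
        pairs.append((int(tag), value))
    if [t for t, _ in pairs[:3]] != [8, 9, 35] or pairs[-1][0] != 10:
        raise ValueError("expected 8, 9, 35 ... 10 framing")
    trailer_at = raw.rfind(f"{SOH}10=") + 1      # index where the 10= field starts
    if pairs[-1][1] != checksum(raw[:trailer_at]):
        raise ValueError("CheckSum mismatch")
    return pairs


def select_service_group(raw, switch_type, rules, default_group):
    """switch_type is "default", "sender" or "target"; rules maps keyword -> group."""
    if switch_type == "default":
        return default_group
    tag = {"sender": SENDER_COMP_ID, "target": TARGET_COMP_ID}[switch_type]
    values = [v for t, v in parse(raw) if t == tag]
    if len(values) != 1:      # missing or repeated CompID: treated as no match (assumption)
        return default_group
    # Dictionary lookup is exact and case sensitive: "ABC" does not match "Abc".
    return rules.get(values[0], default_group)


def insert_client_ip(raw: str, client_ip: str) -> str:
    """Set tag 11447 to the client IP, replacing any value the client supplied."""
    ip = str(ipaddress.ip_address(client_ip))    # rejects anything that is not an IP
    pairs = parse(raw)
    body = [(t, v) for t, v in pairs[2:-1] if t != CLIENT_IP_TAG]
    body.append((CLIENT_IP_TAG, ip))
    return build(pairs[0][1], body)


# Constructed sample: a NewOrderSingle (35=D) from BANKA to EXCH1 that already
# carries a client-supplied 11447 value.
SAMPLE = build("FIX.4.2", [(35, "D"), (49, "BANKA"), (56, "EXCH1"), (34, "2"),
                           (11447, "10.0.0.99"), (55, "XYZ")])
RULES = {"BANKA": "sg-bank-a", "BANKB": "sg-bank-b"}   # hypothetical service groups

if __name__ == "__main__":
    print(select_service_group(SAMPLE, "sender", RULES, "sg-default"))
    print(insert_client_ip(SAMPLE, "40.40.40.20").replace(SOH, "|"))
```

A backend that logs or authorizes on tag 11447 should accept it only on connections arriving from the load balancer, since any FIX client can place that tag in a message it sends directly.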


Config Mode > SLB > Template > Application > SMPP

This option displays the configured Short Message Peer-to-Peer (SMPP) templates. You can use SMPP templates to direct SMPP data communication over TCP between clients and SMPP servers.

The SMPP Template configuration section is displayed when you click Add
or click on a template name.

Table 86 describes the SMPP template options.

TABLE 86 SMPP Template Parameters


Parameter Description Supported Values
SMPP Template Section
Name
Description: Name of the template.
Supported Values: String
Default: Not set

Client Enquire Link
Description: If enabled, ACOS replies to clients directly with an ENQUIRE_LINK message. The ENQUIRE_LINK message prevents the client connection from timing out and serves the same purpose as a keepalive message.
Supported Values: Enabled or Disabled
Default: Disabled

Server Enquire Link
Description: Prevents reusable connections to the SMPP server from aging out. When this option is enabled, ACOS regularly sends an ENQUIRE_LINK message to the SMPP server to maintain the client-to-server connection.
Supported Values: 5-300
Default: Not set

Server Selection Per Request
Description: Forces the ACOS device to perform the server selection process for every SMPP request. Without this option, the ACOS device reselects the same server for subsequent requests (assuming the same server group is used), unless overridden by other template options.
Note: The Server Selection Per Request option works only in conjunction with connection-reuse. In addition, this option requires that a username-password pair is used in the SMPP template, so that ACOS can immediately authenticate SMPP clients for every instance of server selection.
Supported Values: Enabled or Disabled
Default: Disabled

User Password
Description: Sets a username and password which the ACOS device will use to authenticate SMPP clients.
Note: If you use this option, the same username-password pair must be configured for all SMPP clients and servers. Otherwise, the ACOS device will never open a TCP connection between the clients and servers.
Note: This option requires that a connection-reuse template is bound to the virtual server.
Supported Values: String
Default: Not set


Config Mode > SLB > Template > Application > DBLB

This page allows you to create a database load-balancing (DBLB) template and apply a class list to the DBLB template.

Table 87 describes the fields on this page.

TABLE 87 DBLB Template Parameters


Parameter Description Supported Values
DBLB Template Section
Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: Not set

Class List
Description: Class list with the username-password pairs to use for authenticating access to the database servers.
Supported Values: Name of a configured class list
Default: Not set

Config Mode > SLB > Template > Connection Reuse


This option displays the configured connection-reuse templates.

The operation of connection reuse differs depending on whether it is used for HTTP or for SIP over TCP:
• HTTP – The ACOS device does not free a connection after sending a
client’s request. Instead, the ACOS device frees the connection only
after receiving a response to the request.
• SIP over TCP – While the ACOS device is sending a client request on a
connection, the connection is in use. However, as soon as the request has
been sent, the ACOS device frees the connection to be used again. The
connection can be used for the same client or another client. The ACOS
device does not wait for a reply to the client’s request before freeing the
connection.


The Connection Reuse section is displayed when you click Add or click on
a template name.

Table 88 lists the parameters you can configure in connection reuse templates.

TABLE 88 Connection Reuse Template Parameters


Parameter Description Supported Values
Connection Reuse Section
Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: The default template cannot be modified.

Limit Per Server
Description: Maximum number of reusable connections per server port. For unlimited connections, specify 0.
Supported Values: 0-65535
Default: 1000

Timeout
Description: Maximum number of seconds a connection can remain idle before it times out.
Supported Values: 1-3600 seconds
Default: 2400 seconds (40 minutes)

Keep Alive Connections
Description: Specifies the number of new reusable connections to open before beginning to reuse existing connections.
Note: This option is applicable only for SIP-over-TCP sessions. The option is not applicable to other types of sessions, such as HTTP sessions.
Supported Values: 1-1024 connections
Default: 100

Note: Due to the way the connection-reuse feature operates, backend sessions
with servers will not be reused in either of the following cases:
• The Limit Per Server option is set to a very low value, lower than the
number of data CPUs on the ACOS device.
• The Keep Alive Connections option is set to a lower value than the
limit-per-server option.


Config Mode > SLB > Template > L4 > TCP

This option displays the configured TCP templates.

The TCP section is displayed when you click Add or click on a template
name.

Table 89 lists the parameters you can configure in TCP templates.

TABLE 89 TCP Template Parameters


Parameter Description Supported Values
TCP Section
Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: In addition to configuring custom TCP templates, you can modify the default TCP template.
CAUTION! Before changing a default template, make sure the changes you plan to make are applicable to all virtual ports that use the template.

Idle Timeout
Description: Number of seconds a connection can remain idle before the ACOS device terminates it. Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the ACOS device rounds it down to the nearest lower multiple of 60. For example, if you enter 70, the value is rounded down to 60. Likewise, if you enter 110, the value is rounded down to 60.
Supported Values: 60-2097151 seconds
Default: 120 seconds

Force Delete Timeout
Description: Maximum time that a session can stay in the system before being deleted. This option forces deletion of any session that is still active after the specified number of seconds. This option is useful for small, fast transactions for which the completion time of sessions is guaranteed. When used in combination with the reset-fwd and reset-rev options, the force-delete-timeout option can help clean up user connections with RSTs instead of allowing the connections to hang.
The Alive-if-active option quickly terminates half-open TCP sessions on the virtual port while allowing active sessions to continue without being terminated.
Supported Values: 1-31 seconds
Default: Not set

Half-closed Idle Timeout
Description: Enables aging of half-closed TCP sessions. A half-closed TCP session is a session in which the server sends a FIN but the client does not reply with an ACK.
Supported Values: 60-15000 seconds
Default: Not set. The ACOS device keeps half-closed sessions open indefinitely.

Initial Window Size
Description: Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK. The initial TCP window size applies only to the SYN ACKs sent to the client. After the SYN ACK, the ACOS device does not modify the TCP window size for any other packets in the session.
Supported Values: You can set the initial TCP window size to 1-65535 bytes.
Default: By default, the ACOS device uses the TCP window size set by the client or server. The initial TCP window size applies to SYN ACKs generated by the ACOS device and sent to clients. By default, the ACOS device uses the TCP window size in the client’s SYN.

QoS
Description: Marks QoS for SLB traffic. This option marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server SLB traffic.
Note: When this feature is configured, ACOS marks traffic in both directions, ACOS-to-client traffic and ACOS-to-server traffic.
Supported Values: 1-63
Default: Not set

Reset Forward
Description: Sends a TCP RST to the real server after a session times out.
Supported Values: Enabled or Disabled
Default: Disabled

Reset Receive
Description: Sends a TCP RST to the client after a session times out.
Note: If the server is Down, this option immediately sends the RST to the client and does not wait for the session to time out.
Supported Values: Enabled or Disabled
Default: Disabled

Fast TCP ACK on LAN
Description: Increases performance of bidirectional peer sessions by acknowledging receipt of data on behalf of clients and servers.
Supported Values: Enabled or Disabled
Default: Disabled

Insert Client IP
Description: Inserts the client source IP address into the packet header before forwarding the packet.
Supported Values: Enabled or Disabled
Default: Disabled


Config Mode > SLB > Template > L4 > UDP

This option displays the configured UDP templates.

The UDP section is displayed when you click Add or click on a template
name.

Table 90 lists the parameters you can configure in UDP templates.

TABLE 90 UDP Template Parameters


Parameter Description Supported Values
UDP Section
Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: In addition to configuring custom UDP templates, you can modify the default UDP template.
CAUTION! Before changing a default template, make sure the changes you plan to make are applicable to all virtual ports that use the template.

Idle Timeout
Description: Number of seconds a connection can remain idle before the ACOS device terminates it. Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the ACOS device rounds to the nearest multiple of 60. For example, if you enter 70, the actual timeout is 60 seconds.
Supported Values: 60-2097151 seconds (about 33 hours)
Default: 120 seconds
Note: The maximum idle timeout supported for TFTP virtual ports is 255 minutes.

QoS
Description: Marks QoS for SLB traffic. This option marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server SLB traffic.
Note: When this feature is configured, ACOS marks traffic in both directions, ACOS-to-client traffic and ACOS-to-server traffic.
Supported Values: 1-63
Default: Not set

Aging
Description: Specifies how quickly sessions are terminated when the request is received.
• Short-lived aging:
  • Response Received – Session is terminated within 1 second.
  • No Response – Session is terminated after configured short aging period.
• Immediate aging:
  • Response Received – Session is terminated within 1 second.
  • No Response – Idle timeout value in UDP template is used.
Note: If you are configuring DNS load balancing, A10 Networks recommends using the Immediate option.
Supported Values: One of the following:
• Immediate
• Short, with an aging period of 1-6 seconds
Default: Not set.
• If a response is received – Behavior differs based on port number:
  • Port 53 (default DNS port) – Session is terminated within 1 second.
  • Any other port number – Session is terminated after the idle timeout expires.
• If there is no response – Idle timeout value in UDP template is used.
If you enable short aging, the default aging period is 3 seconds.

Select another server if server is down
Description: Configures the ACOS device to select another real server if the server that is bound to an active connection goes down. Without this option, another server is not selected.
Supported Values: Enabled or disabled
Default: Disabled

Stateless Current Connection Timeout
Description: Specifies the stateless current connection timeout value.
Supported Values: 5-120 seconds


Config Mode > SLB > Template > Persistent > Cookie Persistence

This option displays the configured cookie persistence templates.

The Cookie Persistence section is displayed when you click Add or click on
a template name.

Table 91 lists the parameters you can configure in cookie persistence templates.

TABLE 91 Cookie Persistence Template Parameters


Parameter Description Supported Values
Cookie Persistence Section
Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: The default template cannot be modified.

Expiration
Description: Number of seconds a cookie persists on a client’s PC before being deleted by the client’s browser. Click the checkbox to enable the configuration field.
Supported Values: 0 to 31,536,000 seconds (one year). If you specify 0, cookies persist only for the current session.

Cookie Name
Description: Specifies the name of the persistence cookie.
Supported Values: String of 1-63 characters
Default: sto-id

Domain
Description: Adds the specified domain name to the cookie.
Supported Values: String of 1-31 characters
Default: Not set

Path
Description: Adds path information to the cookie, 1-31 characters.
Supported Values: String of 1-31 characters
Default: “/”

Match Type
Description: Specifies the granularity of persistence.
• Port – The cookie inserted into the HTTP header of the server reply to a client ensures that subsequent requests from the client will be sent to the same real port on the same real server.
• Server – The cookie inserted into the HTTP header of the server reply to a client ensures that subsequent requests from the client for the same VIP are sent to the same real server. (This assumes that all virtual ports of the VIP use the same cookie persistence template with match-type set to Server.)
If you select Server, the Scan All Members checkbox appears. You can select this option to scan all members bound to the template. This option is useful in configurations where match-type Server is used, and where some members have different priorities or are disabled. For example, without this option, if you occasionally lower the priority of members to perform maintenance on them, it is possible that fast-path member selection (enabled when you select Server) will select the members and send traffic to them anyway. (For more information about this option, see the “Scan-All-Members Option in Persistence Templates” chapter in the AX Series Application Delivery and Server Load Balancing Guide.)
The Service Group checkbox enables support for URL switching or host switching along with cookie persistence. Without this option, URL switching or host switching can be used only for the initial request from the client. After the initial request, subsequent requests are always sent to the same service group.
To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option.
Supported Values: You can select one of the following:
• Port
• Server
With either of these options, the Service Group option can be selected. The Scan All Members option is valid only if you select the Server option.
Default: Port, with Service Group and Scan All Members options disabled

Insert Always
Description: Specifies whether to insert a new persistence cookie in every reply, even if the request already had a persistence cookie previously inserted by the ACOS device.
Supported Values: Enabled or disabled
Default: Disabled. The ACOS device inserts a persistence cookie only if the client request does not already contain a persistence cookie inserted by the ACOS device, or if the server referenced by the cookie is unavailable.

Don’t Honor Conn Rules
Description: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent cookie.
Supported Values: Enabled or disabled
Default: Disabled.

Config Mode > SLB > Template > Persistent > Destination IP Persistence

This option displays the configured destination-IP persistence templates.

The Destination IP Persistence section is displayed when you click Add or click on a template name.

Table 92 lists the parameters you can configure in Destination-IP persistence templates.

TABLE 92 Destination-IP Persistence Template Parameters


Parameter Description Supported Values
Destination IP Persistence Section
Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: The default template cannot be modified.

Match Type
Description: Granularity of persistence.
• Port – Traffic to the same destination IP address and virtual port is always sent to the same real port. This is the most granular setting.
• Server – Traffic to a given destination IP address is always sent to the same real server, for any service port.
• Service Group – This option is applicable if you also plan to use URL switching or host switching. If you use the Service-group option, URL or host switching is used for every request to select a service group. The first time URL or host switching selects a given service group, the load-balancing method is used to select a real port within the service group. The next time URL or host switching selects the same service group, the same real port is used. Thus, service group selection is performed for every request, but once a service group is selected for a request, the request goes to the same real port that was selected the first time that service group was selected.
To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option.
If you select Server or Service Group, the Scan All Members checkbox appears. You can select this option to scan all members bound to the template. This option is useful in configurations where match-type Server or Service Group is used, and where some members have different priorities or are disabled. For example, without this option, if you occasionally lower the priority of members to perform maintenance on them, it is possible that fast-path member selection (enabled when you select Server or Service Group) will select the members and send traffic to them anyway. (For more information about this option, see the “Scan-All-Members Option in Persistence Templates” chapter in the AX Series Application Delivery and Server Load Balancing Guide.)
Supported Values: You can select one of the following:
• Port
• Server
• Service Group
The Scan All Members checkbox can be selected with Server or Service Group.
Default: Port

Timeout
Description: Number of seconds the mapping of a client source IP to a real server persists after the last time traffic from the client is sent to the server.
Supported Values: 1-2000 minutes (about 33 hours)
Default: 5 minutes

Don’t Honor Conn Rules
Description: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent destination IP address.
Supported Values: Enabled or disabled
Default: Disabled.

Hash Persistent
Description: Enables hash-based destination-ip persistence without creating a persistent session.
Supported Values: Selected (enabled) or unselected (disabled)
Default: Disabled

Netmask
Description: Specifies the granularity of IP address hashing for initial server port selection. You can specify an IPv4 network mask in dotted decimal notation.
• To configure initial server port selection to occur once per destination VIP subnet, configure the network mask to indicate the subnet length. For example, to select a server port once for all requested VIPs within a subnet such as 10.10.10.x, 192.168.1.x, and so on (“class C” subnets), use mask 255.255.255.0. SLB selects a server port for the first request to the given VIP subnet, then sends all other requests for the same VIP subnet to the same port.
• To configure initial server port selection to occur independently for each requested VIP, use mask 255.255.255.255. (This is the default.)
Supported Values: Valid IPv4 network mask
Default: 255.255.255.255

IPv6 Netmask
Description: Specifies the granularity of IPv6 address hashing for server port selection.
Supported Values: 1-128
Default: 128

Config Mode > SLB > Template > Persistent > Source IP Persistence

This option displays the configured source-IP persistence templates.

The Source IP Persistence section is displayed when you click Add or click
on a template name.

Table 93 lists the parameters you can configure in Source-IP persistence templates.


TABLE 93 Source-IP Persistence Template Parameters


Parameter Description Supported Values
Source IP Persistence Section
Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: The default template cannot be modified.

Match Type
Description: Granularity of persistence.
• Port – Traffic from a given client to the same virtual port is always sent to the same real port. This is the most granular setting.
• Server – Traffic from a given client to the same VIP is always sent to the same real server, for any service port requested by the client.
• Service Group – This option is applicable if you also plan to use URL switching or host switching. If you use the Service-group option, URL or host switching is used for every request to select a service group. The first time URL or host switching selects a given service group, the load-balancing method is used to select a real port within the service group. The next time URL or host switching selects the same service group, the same real port is used. Thus, service group selection is performed for every request, but once a service group is selected for a request, the request goes to the same real port that was selected the first time that service group was selected.
To use URL switching or host switching, you also must configure an HTTP template with the Host Switching or URL Switching option.
If you select Server or Service Group, the Scan All Members checkbox appears. You can select this option to scan all members bound to the template. This option is useful in configurations where match-type Server or Service Group is used, and where some members have different priorities or are disabled. For example, without this option, if you occasionally lower the priority of members to perform maintenance on them, it is possible that fast-path member selection (enabled when you select Server or Service Group) will select the members and send traffic to them anyway. (For more information about this option, see the “Scan-All-Members Option in Persistence Templates” chapter in the AX Series Application Delivery and Server Load Balancing Guide.)
Supported Values: You can select one of the following:
• Port
• Server
• Service Group
The Scan All Members checkbox can be selected with Server or Service Group.
Default: Port

Timeout
Description: Number of seconds the mapping of a client source IP to a real server persists after the last time traffic from the client is sent to the server.
Note: The timeout for a source-IP persistent session will not be reset if the timeout in the source-IP persistence template is set to 1 minute. If the timeout is set to 1 minute, sessions will always age out after 1 minute, even if they are active.
Supported Values: 1-2000 minutes (about 33 hours)
Default: 5 minutes

Don’t Honor Conn Rules
Description: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent client source IP address.
Supported Values: Enabled or disabled
Default: Disabled.

Include Source Port
Description: Includes the source port in persistent sessions.
Supported Values: Selected or unselected
Default: unselected

Include Destination IP
Description: Configures the granularity of load-balancing persistence for clients, based on the destination IP address.
Supported Values: Selected or unselected
Default: unselected

Hash Persistent
Description: Enables hash-based source-ip persistence without creating a persistent session.
Supported Values: Selected or unselected
Default: unselected

Enforce High Priority
Description: Enables Source-IP Persistence Override and Reselect. When this feature is enabled, the ACOS device continually checks for the presence of higher-priority servers, even if source-IP persistence is enabled and sessions are already established between client and server.
Note: If one or more higher-priority servers goes down, new sessions are established with backup low-priority servers. If the higher-priority servers later come back up, then any persistent sessions established with the low-priority servers during the outage will subsequently be terminated.
Supported Values: Selected or unselected
Default: unselected

Netmask
Description: Specifies the granularity of IPv4 address hashing for server port selection. You can specify an IPv4 network mask in dotted decimal notation.
• To configure server port selection to occur on a per subnet basis, configure the network mask to indicate the subnet length. For example, to send all clients within a subnet such as 10.10.10.x, 192.168.1.x, and so on (“class C” subnets) to the same server port, use mask 255.255.255.0. SLB selects a server port for the first client in a given subnet, then sends all other clients in the same subnet to the same port.
• To configure server port selection to occur on a per client basis, use mask 255.255.255.255. SLB selects a server port for the first request from a given client, then sends all other requests from the same client to the same port. (This is the default.)
Supported Values: Valid IPv4 network mask
Default: 255.255.255.255

IPv6 Netmask
Description: Specifies the granularity of IPv6 address hashing for server port selection.
Supported Values: 1-128
Default: 128
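
How the Netmask and IPv6 Netmask settings in the destination-IP and source-IP persistence templates change the granularity of hash-based selection, as an added Python example (not A10 code). The SHA-256-modulo hash, the server-port names and the sample addresses are assumptions for illustration; the page does not describe the hash ACOS uses.

```python
import hashlib
import ipaddress
from collections import Counter

SERVER_PORTS = ["rs1:80", "rs2:80", "rs3:80", "rs4:80"]   # hypothetical real ports


def persistence_key(addr: str, v4_mask: str = "255.255.255.255",
                    v6_prefix: int = 128) -> str:
    """Reduce an address to the network that the template's mask treats as one unit."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # Dotted-decimal mask, as in the Netmask field; invalid masks raise ValueError.
        net = ipaddress.ip_network(f"{ip}/{v4_mask}", strict=False)
    else:
        if not 1 <= v6_prefix <= 128:
            raise ValueError("IPv6 netmask must be 1-128")
        net = ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False)
    return str(net)


def select_port(addr: str, ports=SERVER_PORTS, **mask) -> str:
    """Hash the masked address onto one server port (stand-in hash, see lead-in)."""
    key = persistence_key(addr, **mask)
    digest = hashlib.sha256(key.encode()).digest()
    return ports[int.from_bytes(digest[:8], "big") % len(ports)]


def distribution(addrs, **mask) -> Counter:
    """Count how many addresses land on each server port under a given mask."""
    return Counter(select_port(a, **mask) for a in addrs)


# Constructed sample: 200 clients that all sit in 10.10.10.0/24.
CLIENTS = [f"10.10.10.{host}" for host in range(1, 201)]

if __name__ == "__main__":
    print("mask 255.255.255.255:", dict(distribution(CLIENTS)))
    print("mask 255.255.255.0:  ",
          dict(distribution(CLIENTS, v4_mask="255.255.255.0")))
    print("IPv6 /64 key:", persistence_key("2001:db8::1", v6_prefix=64))
```

With mask 255.255.255.0 every client in the sample subnet maps to one real port, so a single busy subnet (or many users behind one NAT range) concentrates on that port; the default 255.255.255.255 spreads the same clients across the group.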

Config Mode > SLB > Template > Persistent > SSL Session ID Persistence

This option displays the configured SSL session-ID persistence templates.

The SSL Session ID Persistence section is displayed when you click Add or
click on a template name.

Table 94 lists the parameters you can configure in SSL session-ID persis-
tence templates.


TABLE 94 SSL Session-ID Persistence Template Parameters


Parameter Description Supported Values
SSL Session ID Persistence Section
Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: The default template cannot be modified.

Timeout
Description: Number of minutes the mapping remains persistent after the last time traffic with the SSL session ID is sent to the server.
Supported Values: 1-2000 minutes
Default: 5 minutes

Don’t Honor Conn Rules
Description: Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent SSL session ID.
Supported Values: Enabled or disabled
Default: Disabled.

Config Mode > SLB > Template > SSL > Client SSL

This option displays the configured Client SSL templates.

The following configuration sections are displayed when you click Add or
click on a template name.
• Client SSL

• Client Certificate Check

• SSL Cipher

A client-SSL template can contain up to 128 certificates or certificate chains. They must be imported onto the ACOS device. (See “Config Mode > SLB > SSL Management” on page 289.)

Note: If you replace a certificate and key in a client-SSL or server-SSL template, you must unbind the template from the virtual ports that use it, then rebind the template to the virtual ports, to place the change into effect.

Table 95 lists the parameters you can configure in client SSL templates.


TABLE 95 Client SSL Template Parameters


Parameter Description Supported Values
Client SSL Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: The default template cannot be modified.

Parameter: Certificate Name
Description: Certificate to use for terminating or initiating SSL connections with clients.
Note: To use the certificate, you must import it onto the ACOS device. (See “Config Mode > SLB > SSL Management” on page 289.)
Supported Values: Name of a certificate imported onto the ACOS device

Parameter: Chain Cert Name
Description: Chain of certificates to use for terminating or initiating SSL connections with clients.
Supported Values: String of 1-31 characters

Parameter: Key Name
Description: Key for the certificate, and the passphrase used to encrypt the key.
Supported Values: Key name: string of 1-31 characters. Passphrase: string of 1-16 characters
Default: None configured

Parameter: Pass Phrase, Confirm Pass Phrase
Description: Pass phrase for the certificate.
Supported Values: String

Parameter: Bypass SSLv2
Description: Alternate service group to which to redirect clients who request SSLv2 sessions.
Supported Values: Name of configured service group
Default: None configured. ACOS does not support TLSv2, and rejects SSLv2 traffic if no bypass service group is configured.

Parameter: Session Cache Size
Description: Maximum number of cached sessions for SSL session ID reuse.
Supported Values: 0-8000000
Default: 0 (session ID reuse is disabled)

Parameter: Session Cache Timeout
Description: Maximum amount of time a cached SSL session ID remains valid. If the client attempts to use a session ID after it expires, a new SSL session must be set up.
Supported Values: 0-604800 seconds
Default: Not set

Parameter: Session Ticket Lifetime
Description: Maximum number of seconds an SSL authentication ticket issued by ACOS remains valid. If the client attempts to use a session ticket after it expires, a new SSL session must be set up.
Notes:
• The current release supports this option only for software-based SSL.
• This option is not related to session ID caching. It is recommended not to use the two features together.
Supported Values: 0-2147483647 seconds
Default: Not set

Parameter: SSL False Start
Description: Disables or re-enables SSL False Start. SSL False Start is an SSL modification used by the Google Chrome browser for web optimization.
Note: The following ciphers are not supported in the current release:
• SSL3_RSA_DES_64_CBC_SHA
• SSL3_RSA_RC4_40_MD5
• TLS1_RSA_EXPORT1024_RC4_56_MD5
If no other ciphers but these are enabled in the client-SSL template, SSL False Start handshakes will fail.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Reject Client Requests for SSLv3
Description: Disables SSLv3 support. In this case, when ACOS receives an SSL Hello message from a client, ACOS responds by sending a TCP-FIN to the client to end the session.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: SSL Forward Proxy
Description: Provides dynamic interception, decryption, and re-encryption of SSL sessions originating from clients. This technology allows traffic inspection devices such as firewalls to inspect traffic in the clear. For more information, see the "SSL Intercept" chapter in the AX Series Application Delivery and Server Load Balancing Guide.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Server Name Indication
Description: Enables support for the Server Name Indication (SNI) extension for Transport Layer Security (TLS). The SNI extension enables servers that manage content for multiple domains at the same IP address to use a separate server certificate for each domain. You can configure the following:
• Server Name – Domain name of the server.
• Server Certificate – Name of the certificate to use for validating server certificates. To add a certificate to the template, select the certificate from the drop-down list, then click Add.
  Note: To use a certificate, you must import it onto the ACOS device. (See “Config Mode > SLB > SSL Management” on page 289.)
• Server Private Key – Secure verification key that corresponds to the selected server certificate.
Note: The client-SSL template must contain one certificate that is not mapped to a domain. The unmapped certificate is the default certificate for the template. The ACOS device uses the default template for negotiating the SSL session with the client.
If the client includes the SNI extension in its hello message, the ACOS device uses the certificate that is mapped to the domain requested by the client. Otherwise, the ACOS device uses the default certificate.
Supported Values: You can specify the following values:
• Server Name – String of 1-255 characters
• Server Certificate – Certificates imported onto the ACOS device
• Server Private Key – Certificates imported onto the ACOS device
Default: Not set

Parameter: SSL Forward Proxy
Description: Provides dynamic interception, decryption, and re-encryption of SSL sessions originating from clients. This technology allows traffic inspection devices such as firewalls to inspect traffic in the clear.
You can configure the following options:
• State of the feature – Enabled or disabled
• CA Certificate – Name of the CA-signed certificate to use for SSL connections with clients.
• CA Private Key – Private key filename.
• Pass Phrase, Confirm Pass Phrase – Passphrase, if required.
Bypass options:
You can use one of the following options to bypass SSL Intercept processing for specific traffic, based on Server Name Indication (SNI).
• Class List – Class list that specifies the match criteria. This must be a class list of type Aho-Corasick. (You can specify the class-list type when creating the list.)
• Bypass – You can use the fields in this section to enter bypass entries. This option is useful if you have a small number of entries to add.
(This feature requires additional configuration. For more information, see the “SSL Intercept” chapter in the AX Series Application Delivery and Server Load Balancing Guide.)
Supported Values: Enabled or Disabled
Default: Disabled

Client Certificate Check Section

Parameter: Mode
Description: Action that the ACOS device takes in response to a client’s connection request.
• Require – The ACOS device requires the client certificate. This action requests the client to send its certificate. However, the SSL handshake does not proceed (it fails) if the client sends a NULL certificate or the certificate is invalid.
• Request – The ACOS device requests the client to send its certificate. With this action, the SSL handshake proceeds even if either of the following occurs:
  • The client sends a NULL certificate (one with zero length).
  • The certificate is invalid, causing client verification to fail.
  Use this option if you want the request to trigger an aFleX policy for further processing.
• Ignore – The ACOS device does not request the client to send its certificate.
Note: If you plan to use a Certificate Revocation List (CRL), you must set the Mode to Require.
Supported Values: One of the following:
• Require
• Request
• Ignore
Default: Ignore

Parameter: Auth Username
Description: Specifies the field to check in the SSL certificate from the client for that client’s name.
• Common Name – Typically used if the client certificate has only one name (validates only one client).
• Subject Alternative Name – Used if the certificate has more than one name.
Supported Values: Common Name or Subject Alternative Name Email
Default: Common Name

Parameter: Close Notify
Description: Sends a close_notify message when an SSL transaction ends, before sending a FIN.
This behavior is required by certain types of client applications, including PHP cgi. For this type of client, if the ACOS device does not send a close_notify, an error or warning appears on the client.
Note: The Close Notify option cannot be used along with the TCP-proxy template Force Delete Timeout option. Doing so may cause unexpected behavior.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Cert-Revocation List
Description: Certificate Revocation List (CRL) to use for verifying that client certificates have not been revoked.
Note: If you plan to use a CRL, you must set the Mode to Require. The CRL should be signed by the same issuer as the CA certificate. Otherwise, the client and ACOS device will not be able to establish a connection.
Supported Values: Name of a CRL imported onto the ACOS device

Parameter: CA Certificate
Description: Name of the Certificate Authority (CA) certificate to use for validating client certificates.
To add a certificate to the template, select the certificate from the drop-down list, then click Add.
Note: To use a certificate, you must import it onto the ACOS device. (See “Config Mode > SLB > SSL Management” on page 289.)
Supported Values: Name of a CA certificate imported onto the ACOS device

SSL Cipher Section

This section enables you to select specific cipher suites to support for decrypting certificates from clients. You can select a configured SSL Cipher Template or one or more of the following:
• SSL3_RSA_RC4_40_MD5
• SSL3_RSA_RC4_128_MD5
• SSL3_RSA_RC4_128_SHA
• SSL3_RSA_DES_40_CBC_SHA
• SSL3_RSA_DES_64_CBC_SHA
• SSL3_RSA_DES_192_CBC3_SHA
• TLS1_RSA_EXPORT1024_RC4_56_MD5
• TLS1_RSA_EXPORT1024_RC4_56_SHA
• TLS1_RSA_AES_128_SHA
• TLS1_RSA_AES_256_SHA
• TLS1_RSA_AES_128_SHA256
• TLS1_RSA_AES_256_SHA256
By default, all the above are enabled.

Config Mode > SLB > Template > SSL > Server SSL

This option displays the configured Server SSL templates.

The following configuration sections are displayed when you click Add or
click on a template name.
• Server SSL

• SSL Cipher

Note: If you replace a certificate and key in a client-SSL or server-SSL template, you must unbind the template from the virtual ports that use it, then rebind the template to the virtual ports, to place the change into effect.

Table 96 lists the parameters you can configure in Server SSL templates.

TABLE 96 Server SSL Template Parameters


Parameter Description Supported Values
Server SSL Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: The default template cannot be modified.

Parameter: Certificate Name
Description: Certificate to use for authentication of clients. When a server requests a client’s digital certificate, the ACOS device responds on behalf of the client. Following successful authentication, the server and ACOS device communicate over an SSL-encrypted session, while the client and ACOS device can communicate over a non-encrypted session. From the server’s perspective, the server has an encrypted session with the client.
Note: To use the certificate, you must import it onto the ACOS device. (See “Config Mode > SLB > SSL Management” on page 289.)
Note: The key length for SSL3_RSA_DES_40_CBC_SHA and SSL3_RSA_RC4_40_MD5 must be 512 bits or less.
The TLS1_RSA_EXPORT1024_RC4_56_MD5 and TLS1_RSA_EXPORT1024_RC4_56_SHA ciphers are not supported.
Supported Values: Name of a certificate imported onto the ACOS device

Parameter: Key Name, Pass Phrase, Confirm Pass Phrase
Description: Key for the certificate, and the passphrase used to encrypt the key.
Supported Values: Key name: string of 1-31 characters. Passphrase: string of 1-16 characters
Default: None configured

Parameter: TLS/SSL Version
Description: Encryption version used for connections on virtual ports that are bound to this server-SSL template. Each template can use one of the following encryption types:
• Transport Layer Security (TLS) v1.0
• Transport Layer Security (TLS) v1.1
• Transport Layer Security (TLS) v1.2
• Secure Sockets Layer (SSL) v3.0
Supported Values: One of the following:
• TLS Version 1.0
• TLS Version 1.1
• TLS Version 1.2
• SSL Version 3.0
Default: TLS Version 1.1

Parameter: Close Notification
Description: Sends a close_notify message when an SSL transaction ends, before sending a FIN.
This behavior is required by certain types of applications, including PHP cgi.
Note: The close notification option may not work if connection reuse is also configured on the same virtual port. In this case, when the server sends a FIN to the ACOS device, the ACOS device will not send a FIN followed by a close notification. Instead, the ACOS device will send a RST.
Note: The Close Notify option cannot be used along with the TCP-proxy template Force Delete Timeout option. Doing so may cause unexpected behavior.
Supported Values: Enabled or disabled
Default: disabled

Parameter: Session Ticket
Description: Enables stateless SSL session ticketing.
Supported Values: Selected or unselected
Default: Unselected

Parameter: SSL Forward Proxy
Description: Enables SSL intercept support.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Session Cache Size
Description: Sets the maximum number of session-ID entries.
Note: To disable caching, set the size to 0.
Supported Values: 0-128
Default: Not set

Parameter: Session Cache Timeout
Description: Sets the maximum number of seconds a cache entry can remain unused before being removed from the cache.
Note: Cache entries age according to the ticket age time. The age time is not reset when a cache entry is used.
Supported Values: 1-7200
Default: 7200

Parameter: Server Certificate Error
Description: Specifies an action to perform when there is an error with a server certificate:
• Ignore – Ignore the SSL certificate error and keep the connection open.
• Trap – Send an SNMP trap notification of the SSL certificate error.
• Email – Send an email notification of the SSL certificate error.
• Logging – Create a system log entry of the error.
Supported Values: One or more of the following:
• Ignore
• Trap
• Email
• Logging
Default: Ignore

Parameter: SSL Forward Proxy
Description: Provides dynamic interception, decryption, and re-encryption of SSL sessions originating from clients. This technology allows traffic inspection devices such as firewalls to inspect traffic in the clear. For more information, see the "SSL Intercept" chapter in the AX Series Application Delivery and Server Load Balancing Guide.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: CA Certificate
Description: Name of the Certificate Authority (CA) certificate to use for validating server certificates.
Note: To use the certificate, you must import it onto the ACOS device. (See “Config Mode > SLB > SSL Management” on page 289.)
Supported Values: Name of a CA certificate imported onto the ACOS device

SSL Cipher Section

This section enables you to select specific cipher suites to support for decrypting certificates from servers. You can select a previously configured SSL Cipher Template or one or more of the following:
• SSL3_RSA_RC4_40_MD5
• SSL3_RSA_RC4_128_MD5
• SSL3_RSA_RC4_128_SHA
• SSL3_RSA_DES_40_CBC_SHA
• SSL3_RSA_DES_64_CBC_SHA
• SSL3_RSA_DES_192_CBC3_SHA
• TLS1_RSA_EXPORT1024_RC4_56_MD5
• TLS1_RSA_EXPORT1024_RC4_56_SHA
• TLS1_RSA_AES_128_SHA
• TLS1_RSA_AES_256_SHA
• TLS1_RSA_AES_128_SHA256
• TLS1_RSA_AES_256_SHA256
By default, all the above are enabled.

Config Mode > SLB > Template > SSL > SSL Cipher

Beginning in this release, you have the option to assign a priority value to
each cipher in the SSL Cipher template. In this case, the ACOS device tries
to use the ciphers based on priority. If the client supports the cipher that has
the highest priority, that cipher is used. If the client does not support the
highest-priority cipher, the ACOS device attempts to use the cipher that has
the second-highest priority, and so on.

More than one cipher can have the same priority. In this case, the strongest
(most secure) cipher is used.

Note: An SSL cipher template takes effect only when you apply it to a client-
SSL template or server-SSL template.

Note: When you apply (bind) a cipher template to a client-SSL or server-SSL template, the settings in the cipher template override any cipher settings in that client-SSL or server-SSL template.

Creating an SSL Cipher Template


1. Select Config Mode > SLB > Template > SSL > SSL Cipher.

2. Click Add.

3. Enter a name in the Name field.

4. Select the cipher from the SSL Cipher drop-down list.

5. Optionally, edit the value in the Priority field.

6. Click Add.

7. Repeat for each cipher to add to the template.

8. Click OK.

To place the cipher template into effect, bind it to a client-SSL or server-SSL template. The cipher template then applies to clients that access virtual ports that use the client-SSL or server-SSL template.
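
The priority rule described in this section, applied to the cipher names listed on this page, as an added Python example (not A10 code). The weakness criteria, the ranking used to break ties for "strongest", and all function names are assumptions of this example; the page does not define how ACOS ranks cipher strength.

```python
import re

# Cipher names exactly as listed in the SSL Cipher sections of this page.
ACOS_CIPHERS = [
    "SSL3_RSA_RC4_40_MD5", "SSL3_RSA_RC4_128_MD5", "SSL3_RSA_RC4_128_SHA",
    "SSL3_RSA_DES_40_CBC_SHA", "SSL3_RSA_DES_64_CBC_SHA",
    "SSL3_RSA_DES_192_CBC3_SHA", "TLS1_RSA_EXPORT1024_RC4_56_MD5",
    "TLS1_RSA_EXPORT1024_RC4_56_SHA", "TLS1_RSA_AES_128_SHA",
    "TLS1_RSA_AES_256_SHA", "TLS1_RSA_AES_128_SHA256",
    "TLS1_RSA_AES_256_SHA256",
]

# Name layout inferred from the list above:
# PROTO_RSA_[EXPORT1024_]ALG_BITS[_CBC|_CBC3]_MAC
_NAME = re.compile(
    r"^(?P<proto>SSL3|TLS1)_RSA_(?P<export>EXPORT1024_)?"
    r"(?P<alg>RC4|DES|AES)_(?P<bits>\d+)(?:_CBC3?)?_(?P<mac>MD5|SHA256|SHA)$"
)
_MAC_RANK = {"MD5": 0, "SHA": 1, "SHA256": 2}


def parse(name):
    """Split a cipher name into algorithm, nominal key bits, MAC, export flag."""
    m = _NAME.match(name)
    if m is None:
        raise ValueError(f"unrecognized cipher name: {name}")
    return {"alg": m["alg"], "bits": int(m["bits"]),
            "mac": m["mac"], "export": m["export"] is not None}


def findings(name):
    """Reasons (assumed criteria) to keep this cipher out of a template."""
    c = parse(name)
    out = []
    if c["export"]:
        out.append("export-grade suite")
    if c["bits"] < 128:
        out.append(f"{c['bits']}-bit key")
    if c["alg"] == "RC4":
        out.append("RC4 (prohibited by RFC 7465)")
    if c["alg"] == "DES":
        out.append("64-bit block cipher")
    if c["mac"] == "MD5":
        out.append("MD5 MAC")
    return out


def audit(template):
    """Map each weak cipher in a {cipher: priority} template to its findings."""
    report = {}
    for name in template:
        reasons = findings(name)
        if reasons:
            report[name] = reasons
    return report


def hardened(template):
    """Copy of the template with every flagged cipher removed."""
    return {n: p for n, p in template.items() if not findings(n)}


def strength(name):
    """Assumed tie-break ranking: nominal key bits, then MAC."""
    c = parse(name)
    return (c["bits"], _MAC_RANK[c["mac"]])


def select_cipher(template, client_offers):
    """Highest priority wins (1 lowest, 100 highest); ties go to the strongest.

    Returns None when the client supports nothing in the template.
    """
    usable = [n for n in template if n in client_offers]
    if not usable:
        return None
    return max(usable, key=lambda n: (template[n], strength(n)))


# Constructed sample templates and client offers.
DEFAULT_TEMPLATE = {n: 1 for n in ACOS_CIPHERS}   # all enabled, priority 1
MISPRIORITIZED = {"SSL3_RSA_RC4_40_MD5": 100, "TLS1_RSA_AES_256_SHA256": 50}
CLIENT = {"SSL3_RSA_RC4_40_MD5", "SSL3_RSA_RC4_128_MD5",
          "TLS1_RSA_AES_128_SHA", "TLS1_RSA_AES_256_SHA256"}

if __name__ == "__main__":
    for name, reasons in audit(DEFAULT_TEMPLATE).items():
        print(f"WEAK {name}: {', '.join(reasons)}")
    print("default template picks:", select_cipher(DEFAULT_TEMPLATE, CLIENT))
    print("mis-prioritized picks: ", select_cipher(MISPRIORITIZED, CLIENT))
    print("hardened template:     ", sorted(hardened(DEFAULT_TEMPLATE)))
```

The mis-prioritized template shows why priorities need review: a 40-bit cipher given priority 100 is chosen over AES-256 whenever the client supports both.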

Table 97 describes the fields on this page.

TABLE 97 SSL Cipher


Parameter Description Supported Values
SSL Cipher Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters

Parameter: SSL Cipher
Description: Specifies a cipher suite for decrypting certificates from servers.
To add a cipher to the template:
1. Select a cipher from the SSL Cipher drop-down list.
2. Change the priority, if applicable.
3. Click Add.
4. Repeat for each cipher to add.
Supported Values: One of the following:
• SSL3_RSA_RC4_40_MD5
• SSL3_RSA_RC4_128_MD5
• SSL3_RSA_RC4_128_SHA
• SSL3_RSA_DES_40_CBC_SHA
• SSL3_RSA_DES_64_CBC_SHA
• SSL3_RSA_DES_192_CBC3_SHA
• TLS1_RSA_EXPORT1024_RC4_56_MD5
• TLS1_RSA_EXPORT1024_RC4_56_SHA
• TLS1_RSA_AES_128_SHA
• TLS1_RSA_AES_256_SHA
• TLS1_RSA_AES_128_SHA256
• TLS1_RSA_AES_256_SHA256
Default: SSL3_RSA_RC4_40_MD5

Parameter: Priority
Description: Priority setting of the template.
Note: More than one cipher can have the same priority. In this case, the strongest (most secure) cipher is used. If a cipher template is used by a server-SSL template, the priority values in the cipher template are ignored.
Supported Values: 1 (lowest) - 100 (highest)
Default: 1

Config Mode > SLB > Template > TCP Proxy

This option displays the configured TCP-proxy templates.

The TCP Proxy section is displayed when you click Add or click on a template name.

Table 98 lists the parameters you can configure in TCP-proxy templates.

TABLE 98 TCP-Proxy Template Parameters


Parameter Description Supported Values
TCP Proxy Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters
Default: “default”. The default template has the default values listed below.
Note: In addition to configuring custom TCP-proxy templates, you can modify the default TCP-proxy template.
CAUTION! Before changing a default template, make sure the changes you plan to make are applicable to all virtual ports that use the template.

Parameter: FIN Timeout
Description: Number of seconds that a connection can be in the FIN-WAIT or CLOSING state before the A10 Thunder Series and AX Series terminates the connection.
Supported Values: 1-60 seconds
Default: 5 seconds

Parameter: Idle Timeout
Description: Number of seconds that a connection can be idle before the A10 Thunder Series and AX Series terminates the connection.
Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the ACOS device rounds to the nearest multiple of 60. For example, if you enter 70, the actual timeout is 60 seconds.
Supported Values: 60-2097151 seconds (about 24 days)
Default: 600 seconds

Parameter: Force Delete Timeout
Description: Maximum time that a session can stay in the system before being deleted. This option forces deletion of any session that is still active after the specified number of seconds.
This option is useful for small, fast transactions for which the completion time of sessions is guaranteed. When used in combination with the reset-fwd and reset-rev options, the force-delete-timeout option can help clean up user connections with RSTs instead of allowing the connections to hang.
Note: The Force Delete Timeout option cannot be used along with the client-SSL or server-SSL template Close Notify option. Doing so may cause unexpected behavior.
Supported Values: 1-31 seconds
Default: not set

Parameter: Retransmit Retries
Description: Number of times the A10 Thunder Series and AX Series can retransmit a data segment for which the A10 Thunder Series and AX Series does not receive an ACK.
Supported Values: 1-20
Default: 3

Parameter: SYN Retries
Description: Number of times the A10 Thunder Series and AX Series can retransmit a SYN for which the A10 Thunder Series and AX Series does not receive an ACK.
Supported Values: 1-20
Default: 5

Parameter: Time Wait
Description: Number of seconds that a connection can be in the TIME-WAIT state before the A10 Thunder Series and AX Series transitions it to the CLOSED state.
Supported Values: 1-60 seconds
Default: 5 seconds

Parameter: Receive Buffer
Description: Maximum number of bytes addressed to the port that the A10 Thunder Series and AX Series will buffer.
Supported Values: 1-2147483647 bytes
Default: 51200 bytes

Parameter: Transmit Buffer
Description: Number of bytes sent by the port that the A10 Thunder Series and AX Series will buffer.
Supported Values: 1-2147483647 bytes
Default: 51200 bytes

Parameter: Initial Window Size
Description: Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK.
The initial TCP window size applies only to the SYN ACKs sent to the client. After the SYN ACK, the ACOS device does not modify the TCP window size for any other packets in the session.
Supported Values: You can set the initial TCP window size to 1-65535 bytes.
Default: By default, the ACOS device uses the TCP window size set by the client or server.
• If the virtual port is one of the service types that is proxied by the ACOS device, initial TCP window size applies to SYN ACKs generated by the ACOS device and sent to clients. By default, the ACOS device uses the TCP window size in the client’s SYN. The following service types are proxied by the ACOS device: http, https, fast-http, ssl-proxy, and smtp
• If the virtual port is not one of the service types that is proxied by the ACOS device (for example, the tcp service type), initial TCP window size applies to SYN ACKs generated by servers and forwarded by the ACOS device to clients. By default, the ACOS device uses the TCP window size in the server’s SYN ACK.

Parameter: QoS
Description: Marks QoS for SLB traffic. This option marks the DSCP (Layer 3) and 802.1p priority (Layer 2) values in client-server SLB traffic.
Note: When this feature is configured, ACOS marks traffic in both directions, ACOS-to-client traffic and ACOS-to-server traffic.
Supported Values: 1-63
Default: Not set

Parameter: Nagle
Description: Enables Nagle congestion compression (described in RFC 896).
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Backend Window Scaling
Description: TCP window scaling factor for connections to backend servers. The TCP window scaling factor is applicable to virtual ports for which the ACOS device acts as a TCP proxy.
Supported Values: 1-14
Default: 1

Parameter: Half-closed Idle Timeout
Description: Enables aging of half-closed TCP sessions. A half-closed TCP session is a session in which the server sends a FIN but the client does not reply with an ACK.
Supported Values: 60-15000 seconds
Default: Not set. The ACOS device keeps half-closed sessions open indefinitely.

Parameter: MSS
Description: Changes the minimum supported TCP Maximum Segment Size (MSS).
Supported Values: 128-4312 octets
Default: 1460

Parameter: Reno
Description: Enables the TCP Reno congestion control algorithm, and disables Cubic.
Supported Values: Enabled or Disabled
Default: Disabled. Cubic is used instead.

Parameter: Initial CWND
Description: Specifies the maximum number of unacknowledged packets that can be sent on a TCP connection.
A large initial congestion-control window size helps reduce HTTP response latency, especially for short web pages.
Supported Values: 1-10
Default: 4 segments

Parameter: ACK Aggressiveness
Description: Specifies the cases in which the ACOS device sends an ACK to the client. You can set ACK aggressiveness to one of the following levels:
• High – ACK for each packet
• Medium – Delayed ACK, with ACK on each packet with PUSH flag
• Low – Delayed ACK
A high ACK aggressiveness helps reduce the delay of interactive client-server applications, but at a cost of more ACKs.
Supported Values: High, medium, or low
Default: low

Parameter: Keep-alive Interval
Description: Number of seconds a TCP-proxy session can remain idle before the ACOS device sends a TCP ACK to the devices on both ends of the session.
Supported Values: 60-12000
Default: 75

Parameter: Keep-alive Probes
Description: Maximum number of times the ACOS device sends a keepalive ACK, before deleting the session.
Supported Values: 2-10
Default: 9

Parameter: Dynamic Buffer Allocation
Description: Optimally adjusts the transmit and receive buffer sizes of TCP-proxy while maintaining a constant sum of combined values.
Supported Values: Selected or unselected
Default: Unselected

Parameter: Reset Forward
Description: Specifies to send a TCP RST to the real server after a session times out.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Reset Receive
Description: Specifies to send a TCP RST to the client after a session times out.
Supported Values: Enabled or Disabled
Default: Disabled

Config Mode > SLB > Health Monitor


The Health Monitor pages allow you to configure health methods.

You can configure health methods on the ACOS device by configuring settings for the type of service you are monitoring. You also can configure health monitors externally using Tcl scripts and import the monitors for use by the ACOS device.

Config Mode > SLB > Health Monitor Mode > Health Monitor

This option displays the configured health monitors.

The following configuration sections are displayed when you click Add or
click on a health monitor name.
• Health Monitor

• Method

Note: In the Method section, you can select Internal or External. Leave the
method set to Internal if you want to configure a method using method
settings available on the ACOS device. In this case, select the service type
from the Type drop-down list.
To use an imported script as the method, click External.

Table 99 lists the health monitor parameters you can configure.

TABLE 99 Health Monitor Parameters


Parameter Description Supported Values
Health Monitor Section

Parameter: Name
Description: Name of the health monitor.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Retry
Description: Specifies the maximum number of times the ACOS device will resend the same health check to an unresponsive server or service before marking that server or service as down.
Supported Values: 1-5
Default: 3

Parameter: Consec Pass Req’d
Description: Specifies the number of times the target device must consecutively pass the same periodic health check in order to pass the health check.
Supported Values: 1-10 consecutive passes
Default: 1

Parameter: Interval
Description: Specifies the number of seconds between each check using the monitor.
Supported Values: 1-180 seconds
Default: 5 seconds

Parameter: Timeout
Description: Specifies the number of seconds the ACOS device waits for a reply to a health check. If the ACOS device does not receive a reply by the end of the timeout, the ACOS device either sends the health check again (if there are retries left) or marks the server or service down.
Supported Values: 1-180 seconds
Default: 5 seconds

Parameter: Strictly Retry
Description: Forces the ACOS device to wait until all retries are unsuccessful before marking a server or port Down.
This option is applicable only to some types of health monitors, such as HTTP health monitors. For example, this command applies to HTTP health monitors that expect a string in the server reply. By default, if the server’s HTTP port does not reply to the first health check attempt with the expected string, the ACOS device immediately marks the port Down.
Supported Values: Selected (enabled) or unselected (disabled)
Default: Disabled

Parameter: Disable After Down
Description: Disables the target of a health check if the target fails the health check.
Supported Values: Selected (enabled) or unselected (disabled)
Default: Disabled

Method Section – General Parameters

Parameter: Override IPv4
Description: Sends the health check to the specified IPv4 address, instead of sending the health check to the IP address of the real server or GSLB service IP with which the health monitor is associated.
Supported Values: Valid IPv4 address
Default: The health check is sent to the IPv4 address of the real server or GSLB service IP

Parameter: Override IPv6
Description: Sends the health check to the specified IPv6 address, instead of sending the health check to the IP address of the real server or GSLB service IP with which the health monitor is associated.
Supported Values: Valid IPv6 address
Default: The health check is sent to the IPv6 address of the real server or GSLB service IP

Parameter: Override Port
Description: Sends the health check to the specified protocol port number, instead of sending the health check to the protocol port number configured for the health method.
Supported Values: 0-65534
Default: The health check is sent to the protocol port number configured for the health method.

Parameter: Method
Description: Specifies the health method:
• Internal – The method is configured using options on the ACOS device. See the following descriptions for information about individual internal methods.
• External – The method is configured by using a script that is imported onto the ACOS device. See “Method Section – External” at the end of this table.
Supported Values: Internal or External
Default: Internal

Type Internal method used for the health monitor. One of the following:
• ICMP
• TCP
• UDP
• HTTP
• HTTPS
• FTP
• SMTP
• POP3
• SNMP
• DNS
• RADIUS
• LDAP
• RTSP
• SIP
• NTP
• IMAP
• DATABASE
• kerberos-kdc
• Compound
Default: ICMP

Method Section – ICMP

Mode
Specifies whether the monitor is Transparent.
Supported Values: Not set or Transparent
Default: Not set

Alias Address
Used with Transparent mode.
• In DSR, the ipaddr specifies the virtual IP address.
• In FWLB, the ipaddr specifies the IP address of the ACOS device on the other side of the firewall, or the floating IP address of the HA group on the other side of the firewall.
Select the IP version of the address (IPv4 or IPv6).
Supported Values: IPv4 or IPv6 address

Passive Status
Enables passive mode for the health monitor. This option allows you to specify the interval at which a health check is performed for the server and set the type of good response code to send when the server passes the health check.
If selected, you can configure the following options:
• Type – Selects the type of good status code to send after passing the health check.
  • Status Code 2xx
  • Status Code Non 5xx
• Threshold –
• Sample Threshold –
• Passive Interval – Specifies the number of seconds between each check when the monitor is deployed in passive mode.
Supported Values: Selected or unselected
If selected, the following values are supported:
• Type – Status Code 2xx or Status Code Non 5xx
• Threshold – 0-100
• Sample Threshold – 1-10000
• Passive Interval – 1-180
Default: Unselected
If selected, the following default values apply:
• Type – Status Code 2xx
• Threshold – 75
• Sample Threshold – 50
• Passive Interval – 10

Method Section – TCP

Port
Port to which the ACOS device sends a connection request (TCP SYN).
The ACOS device expects a TCP SYN ACK in reply.
Supported Values: 1-65534
Default: 80

HalfOpen
Specifies whether to respond to the SYN ACK by sending an ACK, which completes the connection setup.
Supported Values:
False – The ACOS device does respond to the SYN ACK by sending an ACK.
True – The ACOS device sends a RST (Reset).
Default: False

Send
Specifies a text string to send to the target TCP port.
Supported Values: String
Default: Not set

Response Contains
Specifies a text string that must be present somewhere within the server reply.
Supported Values: String
Default: Not set

Method Section – UDP

Port
Port to which the ACOS device sends a UDP packet.
The ACOS device sends a packet with a valid UDP header and a garbage payload to the specified UDP port on the server.
The ACOS device expects either of the following:
• Server reply from the specified UDP port, with any type of packet
• Server does not reply at all
The server fails the health check only if the server replies with an ICMP Error message.
Supported Values: 1-65534
Default: 61

Method Section – HTTP

Port
Port to which the ACOS device sends an HTTP request.
The ACOS device expects OK message (200).
Supported Values: 1-65534
Default: 80

Host
Replaces the information in the Host field of the request sent to the real server.
Supported Values: String
Default: The real server’s IP address

URL
Specifies the request type and the page to which to send the request.
The request type can be GET, HEAD, or POST.
If you select POST, the Post Data field appears.
• To specify a string, select String. In the postdata string, use “=” between a field name and the value you are posting to it. If you post to multiple fields, use “&” between the fields. For example:
  fieldname1=value&fieldname1=value
• To specify a POST data file, select File. Select the POST data file from the drop-down list. (The file must be imported onto the ACOS device first. To import a POST data file, see “Config Mode > SLB > Health Monitor > Health HTTP Post File” on page 284.)
Supported Values: Request type can be GET, HEAD, or POST. Page name can be a string.
Default: GET; default page is “ / ”, the index.html page.

User
Username to log in.
Supported Values: String
Default: Not set

Password
Password to log in.
Supported Values: String
Default: Not set

Expect
Specifies a response code or string expected from the server, in which case this value is also expected.
To specify a range of response codes, use a dash ( - ) between the low and high numbers of the range. Use commas to delimit individual code numbers or separate ranges. Select Code.
Supported Values: String or response code(s)
Default: The ACOS device expects response code 200 (OK).

Maintenance Code
Specifies a response code that indicates the server status should be changed to Maintenance.
When a server’s health status is Maintenance, the server will accept new requests on existing cookie-persistent or source-IP persistent connections, but will not accept any other requests.
The Maintenance health status applies to server ports and service-group members. When a port’s status changes to Maintenance, this change applies to all service-group members that use the port.
To leave maintenance mode, the server must do one of the following:
• Successfully reply to a health check, but without including the maintenance code. In this case, the server’s health status changes to Up.
• Fail a health check. In this case, the server’s status changes to Down.
Note: This feature applies only to servers in cookie-persistence or source-IP persistence configurations, and can be used only for HTTP and HTTPS ports.
Supported Values: String or response code(s)
Default: Not set

Passive Status
Enables passive mode for the health monitor. This option allows you to specify the interval at which a health check is performed for the server and set the type of good response code to send when the server passes the health check.
If selected, you can configure the following options:
• Type – Selects the type of good status code to send after passing the health check.
  • Status Code 2xx
  • Status Code Non 5xx
• Threshold –
• Sample Threshold –
• Passive Interval – Specifies the number of seconds between each check when the monitor is deployed in passive mode.
Supported Values: Selected or unselected
If selected, the following values are supported:
• Type – Status Code 2xx or Status Code Non 5xx
• Threshold – 0-100
• Sample Threshold – 1-10000
• Passive Interval – 1-180
Default: Unselected
If selected, the following default values apply:
• Type – Status Code 2xx
• Threshold – 75
• Sample Threshold – 50
• Passive Interval – 10

Method Section – HTTPS

Port
Port to which the ACOS device sends an HTTPS request.
The ACOS device expects OK message (200).
Supported Values: 1-65534
Default: 443

Host
Replaces the information in the Host field of the request sent to the real server.
Supported Values: String
Default: The real server’s IP address

URL
Specifies the request type and the page to which to send the request.
The request type can be GET, HEAD, or POST.
If you select POST, the Post Data field appears.
• To specify a string, select String. In the postdata string, use “=” between a field name and the value you are posting to it. If you post to multiple fields, use “&” between the fields. For example:
  fieldname1=value&fieldname1=value
• To specify a POST data file, select File. Select the POST data file from the drop-down list. (The file must be imported onto the ACOS device first. To import a POST data file, see “Config Mode > SLB > Health Monitor > Health HTTP Post File” on page 284.)
Supported Values: Request type can be GET, HEAD, or POST. Page name can be a string.
Default: GET; default page is “ / ”, the index.html page.

User
Username to log in.
Supported Values: String
Default: Not set

Password
Password to log in.
Supported Values: String
Default: Not set

Expect
Specifies a response code or string expected from the server, in which case this value is also expected.
To specify a range of response codes, use a dash ( - ) between the low and high numbers of the range. Use commas to delimit individual code numbers or separate ranges. Select Code.
Supported Values: String or response code(s)
Default: The ACOS device expects response code 200 (OK).

Maintenance Code
Specifies a response code that indicates the server status should be changed to Maintenance.
When a server’s health status is Maintenance, the server will accept new requests on existing cookie-persistent or source-IP persistent connections, but will not accept any other requests.
The Maintenance health status applies to server ports and service-group members. When a port’s status changes to Maintenance, this change applies to all service-group members that use the port.
To leave maintenance mode, the server must do one of the following:
• Successfully reply to a health check, but without including the maintenance code. In this case, the server’s health status changes to Up.
• Fail a health check. In this case, the server’s status changes to Down.
Note: This feature applies only to servers in cookie-persistence or source-IP persistence configurations, and can be used only for HTTP and HTTPS ports.
Supported Values: String or response code(s)
Default: Not set

SSLv2Hello Status
Specifies whether the ACOS device encapsulates SSLv3, TLSv1, or TLSv1.1 hello messages within the SSLv2 hello messages for HTTPS health checks.
Supported Values: Enabled or Disabled
Default: Enabled

Certificate Name
Certificate to use for terminating or initiating SSL connections with clients.
Note: To use the certificate, you must import it onto the ACOS device. (See “Config Mode > SLB > SSL Management” on page 289.)
Supported Values: Name of a certificate imported onto the ACOS device

Key Name
Key for the certificate, and the passphrase used to encrypt the key.
Supported Values:
Key name: string of 1-31 characters
Passphrase: string of 1-16 characters
Default: None configured

Pass Phrase / Confirm Pass Phrase
Pass phrase for the certificate.
Supported Values: String

Method Section – FTP

Port
Port to which an FTP login request is sent.
The ACOS device expects an OK message, or Password message followed by an OK message.
Unless you use anonymous login, the username and password must be specified.
Supported Values: 1-65534
Default: 21

User
Username to log in.
Supported Values: String
Default: Not set

Password
Password to log in.
Supported Values: String
Default: Not set

Method Section – SMTP

Port
Port to which the ACOS device sends an SMTP Hello message on the specified server in the specified domain.
The ACOS device expects a reply with an OK message (reply code 250).
Supported Values: 1-65534
Default: 25

Domain
Domain to which the SMTP Hello message is sent.
Supported Values: A10

Method Section – POP3

Port
Port to which the ACOS device sends a POP3 user login request with the specified username and password.
The ACOS device expects reply with OK message.
Supported Values: 1-65534
Default: 110

User
Username to log in.
Supported Values: String
Default: a10

Password
Password to log in.
Supported Values: String
Default: a10

Method Section – SNMP

Port
Port to which the ACOS device sends an SNMP Get or Get Next request for the specified OID, from the specified community.
The ACOS device expects a reply with the value of the OID.
Supported Values: 1-65534
Default: 161

Operation
Type of request to send.
Supported Values: Get or Get Next
Default: Get

OID
OID requested.
Note: Although you can enter these objects in ASN.1 format, only MIB-2 OIDs are supported.
Supported Values: sysDescr, sysUpTime, sysName, or another name in ASN.1 style 1.1.0

Community
SNMP community used for the request.
Supported Values: String
Default: “public”

Method Section – DNS

Port
Port to which a DNS lookup request is sent.
The ACOS device expects a reply with code 0.
Supported Values: 1-65534
Default: 53

Domain / IP Address radio button
Specifies whether to test based on a domain name, or to test a specific DNS server.
To test a specific server, click IP Address and enter the address in the IP Address field. Otherwise, to test based on a domain name sent in the health check, leave Domain selected and enter the domain name in the Domain field.
Supported Values: Domain or IP Address
Default: Domain

Domain
Domain name requested from the DNS server.
Supported Values: Validly formed domain name
Default: www.a10networks.com

IP Address
Specifies the IP address of the DNS server, and the address type (IPv4 or IPv6).
Supported Values: Valid IP address
Default: Not set

Type
For health checks sent to a domain name, specifies the record type the responding server is expected to send in reply to health checks.
Supported Values: One of the following:
• A – IPv4 address record
• CNAME – Canonical name record for a DNS alias
• SOA – Start of authority record
• PTR – Pointer record for a domain name
• MX – Mail Exchanger record
• TXT – Text string
• AAAA – IPv6 address record
Default: A

Recursion
Specifies whether the tested DNS server is allowed to send the health check’s request to another DNS server if the tested server cannot fulfill the request using its own database. Recursion is enabled by default.
Supported Values: Enabled or Disabled
Default: Enabled

Expect
List of response codes, in the range 0-15, that are valid responses to a health check. If the tested DNS server responds with any of the expected response codes, the server passes the health check.
To specify a range, use a dash. Separate the codes (and code ranges) with commas. For example: 0-3,5.
Supported Values: 0-15
Default: The expect list is empty, in which case the ACOS device expects status code 0 (No error condition).

DNS Transport over TCP
Enables DNS health monitoring over TCP.
Supported Values: Selected or unselected
Default: Unselected

Method Section – RADIUS

Port
Port to which the ACOS device sends a Password Authentication Protocol (PAP) request to authenticate the specified username.
The ACOS device expects an Access Accepted message (reply code 2).
Supported Values: 1-65534
Default: 1812

User
Username for which authentication is requested.
Supported Values: String
Default: a10

Password
User password.
Supported Values: String
Default: a10

Secret
Shared secret required by the RADIUS server.
Supported Values: String
Default: a10

Method Section – LDAP

Port
Port to which the ACOS device sends an LDAP Bind request.
The ACOS device expects a reply containing result code 0.
Supported Values: 1-65534
Default:
• 389
• If SSL is enabled, 636

Type
Sets the SSL type for the LDAP health check:
• None – Does not use encryption for the health check.
• SSL – Uses TLS to secure the connection.
• StartTLS – Requires an encrypted reply from the LDAP server. When this option is enabled, ACOS begins the health check with a StartTLS request.
Supported Values: None, SSL, or StartTLS
Default: None

Distinguished Name
Specifies the Distinguished Name.
Supported Values: String
Default: Not set

Password
Specifies the password for the Distinguished Name.
Supported Values: String
Default: Not set

Run Search RootDN
Specifies a distinguished name (DN) to search for in the LDAP server’s database.
Supported Values: String
Default: Not set

Run Search Query
Specifies a query to search for in the LDAP server’s database.
Supported Values: String
Default: Not set

AcceptNotFound
Marks the server as running (UP) if a response is not found.
Supported Values: Selected or unselected
Default: Unselected

Method Section – RTSP

Port
Port to which the ACOS device sends a request for information about the specified file.
The ACOS device expects a reply with information about the specified file.
Supported Values: 1-65534
Default: 554

URL
URL of the requested file.
Supported Values: URL of the requested file
Default: /sample.mpg

Method Section – SIP

Port
Port to which the ACOS device sends a SIP request.
The ACOS device expects a 200 - OK message in response.
The request is an OPTION request, unless you select the Register checkbox.
Supported Values: 1-65534
Default: 5060

Register
When selected, sends a REGISTER request instead of a SIP request.
Supported Values: Selected or unselected
Default: unselected

TCP
When selected, uses TCP instead of UDP to send the health check. Select this option if the health method will be used in a SIP-over-TCP configuration.
Supported Values: Selected or unselected
Default: unselected

Expect Response Code
Specifies a range of acceptable status codes. When you configure this option, a SIP server passes its health check only if its reply contains one of the specified SIP status codes.
Supported Values: Enter any or specify a value in one of the following formats:
• xxx
• xxx-xx
Where xxx is a number between 100-899
Default: Not set

Method Section – NTP

Port
Port to which the ACOS device sends an NTP request.
The ACOS device sends an NTP client message and expects a standard NTP 48-byte reply packet.
Supported Values: 1-65534
Default: 123

Method Section – IMAP

Port
Port to which the ACOS device sends an IMAP user login request with the specified username and password.
The ACOS device expects reply with OK message.
Supported Values: 1-65534
Default: 143

User
Username to log in.
Supported Values: String
Default: a10

Password
Password to log in.
Supported Values: String
Default: a10

Authentication Method
Method used by the server to authenticate the ACOS device.
Supported Values: Any of the following:
• Plain Text
• Cram MD5
• Login
Default: Not set

Method Section – DATABASE

Database
Selects database type on the server.
Supported Values: One of the following:
• MSSQL
• MySQL
• Oracle
• PostgreSQL
Default: MSSQL

Database Name
Specifies the name of the database to query.
Supported Values: String
Default: Not set

User / Password
Specifies the login information required to access the database.
Supported Values: Strings
Default: Not set

SQL Query
Specifies the SQL query to send to the database.
Note: Make sure to configure a response string as well. Without a response string, the ACOS device will not send an SQL query to the database.
Supported Values: String
Default: Not set

Respond String
Specifies the query result expected from the database in order to pass the health check.
Note: To use the receive string option, you also must use the send string option. If you do not use the send option, the ACOS device does not send a query.
Supported Values: String
Default: Not set

Row / Column
For replies that consist of multiple results, the results are in a table. You can specify the row and column location within the results table to use as the receive string.
Note: If you do not specify the row and column, row 1 and column 1 are queried by default.
Supported Values: 1-10
Default: 1

Method Section – kerberos-kdc

Type
Type of Kerberos request ACOS sends to the Kerberos Key Distribution Center (KDC):
• kinit - Configures a Kerberos health method to check accessibility of the KDC for obtaining a Ticket Granting Ticket (TGT).
• kadmin - Configures a Kerberos health method to check accessibility of the Kerberos server for user account administration.
• kpasswd - Configures a Kerberos health method to check accessibility of the Kerberos server for user password changes.
Supported Values: One of the following:
• kinit
• kadmin
• kpasswd
Default: kinit

TCP Only
Sends health checks only over TCP, and never over UDP.
Supported Values: Enabled or Disabled
Default: Disabled

Principal
Name of the Kerberos principal. This is the ACOS client name presented to the server.
Supported Values: String
Default: Not set

Password
Password.
Supported Values: String
Default: Not set

KDC Server
Hostname or IP address of the server where the KDC is running.
Supported Values: Hostname or IP address
Default: Not set. When you add server information, the default port depends on the method type (Type option above):
• kinit - 88
• kadmin - 749
• kpasswd – 464

Method Section – Compound

Boolean Expression
Compound health monitor consisting of a set of health monitors joined in a Boolean expression (AND / OR / NOT).
First, configure the individual health monitors, then construct a Boolean expression using those monitors.
To enter a health monitor:
1. Click the radio button next to the list of health monitors.
2. Select the monitor.
3. Click Add.
To enter an operator:
1. Click the radio button next to the list of operators.
2. Select the operator.
3. Click Add.
Note: Make sure to use Reverse Polish Notation. Otherwise, the GUI will display an error message when you click OK to complete the health monitor configuration.
(For more information, see the “Compound Health Monitors” section in the “Health Monitoring” chapter of the AX Series Application Delivery and Server Load Balancing Guide.)
Supported Values:
Configured health monitors
Boolean operators: AND, OR, NOT

Method Section – External

Note: External health methods are not supported in Direct Server Return (DSR) deployments.

Program
Name of an external program (for example, a Tcl script) to run.
The ACOS device bases the health status of the server or service on the outcome of the program.
Note: To use the program, you must import it onto the ACOS device. (See “Config Mode > SLB > Health Monitor > External Program” on page 284.)
Supported Values: External monitor imported onto the ACOS device.

Arguments
Arguments to use with the program.
Supported Values: Strings
Default: Not set

Server Port
Port to which the ACOS device sends the health check.
Supported Values: 1-65534
Default: Not set

Preference
This option applies to weighted load-balancing methods such as SNMP-based load balancing. (See the “SNMP-based Load Balancing” chapter in the Application Delivery and Server Load Balancing Guide.)
Supported Values: Selected or unselected
Default: Unselected
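
The Reverse Polish Notation requirement for compound health monitors (Method Section – Compound) can be checked before an expression is entered in the GUI. The following Python code is an added example, not A10 code: it validates an RPN token list, renders it in infix form for review, and evaluates it against per-monitor results. The monitor names (hm-http, hm-tcp, hm-icmp) and all function names are hypothetical.

```python
"""Validate, display and evaluate a compound health-monitor expression
written in Reverse Polish Notation (operands first, operator last)."""

OPERATORS = {"AND": 2, "OR": 2, "NOT": 1}  # operator -> operands consumed


class RPNError(ValueError):
    """The token sequence is not a well-formed RPN expression."""


def validate_rpn(tokens, known_monitors):
    """Check structure without evaluating; return the monitors referenced."""
    depth = 0          # number of values that would be on the stack
    used = []
    for pos, tok in enumerate(tokens, 1):
        if tok in OPERATORS:
            need = OPERATORS[tok]
            if depth < need:
                raise RPNError(
                    f"token {pos}: {tok} needs {need} operand(s), {depth} available")
            depth -= need - 1          # operands consumed, one result pushed
        elif tok in known_monitors:
            used.append(tok)
            depth += 1
        else:
            raise RPNError(f"token {pos}: unknown monitor {tok!r}")
    if depth != 1:
        raise RPNError(f"expression leaves {depth} values; expected exactly 1")
    return used


def to_infix(tokens, known_monitors):
    """Render the RPN expression in parenthesised infix form for human review."""
    validate_rpn(tokens, known_monitors)
    stack = []
    for tok in tokens:
        if tok == "NOT":
            stack.append(f"NOT {stack.pop()}")
        elif tok in OPERATORS:
            right, left = stack.pop(), stack.pop()
            stack.append(f"({left} {tok} {right})")
        else:
            stack.append(tok)
    return stack[0]


def evaluate_rpn(tokens, results):
    """Evaluate against {monitor_name: True if that monitor's check passed}."""
    validate_rpn(tokens, results)
    stack = []
    for tok in tokens:
        if tok == "NOT":
            stack.append(not stack.pop())
        elif tok == "AND":
            right, left = stack.pop(), stack.pop()
            stack.append(left and right)
        elif tok == "OR":
            right, left = stack.pop(), stack.pop()
            stack.append(left or right)
        else:
            stack.append(bool(results[tok]))
    return stack[0]


if __name__ == "__main__":
    # Constructed sample: per-monitor results for one server.
    results = {"hm-http": True, "hm-tcp": False, "hm-icmp": False}
    expr = ["hm-http", "hm-tcp", "AND", "hm-icmp", "NOT", "OR"]
    print(to_infix(expr, results), "->", evaluate_rpn(expr, results))
    try:
        validate_rpn(["hm-http", "AND", "hm-tcp"], results)  # infix order
    except RPNError as err:
        print("rejected:", err)
```

Reviewing the infix rendering makes it easier to spot an OR or NOT term that lets a server pass the compound check while one of its member checks is failing.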

Config Mode > SLB > Health Monitor > External Program
This page allows you to create an external program for use as a health monitor.

Enter a name and description for the monitor, then copy and paste the script
into the Definition field and click OK. The name must end with “.tcl”.

Note: To create an external program in a non-English language (for example, Japanese), save it in Unicode UTF-8 format. To set the language in the GUI to UTF-8, configure the browser so that you can view UTF-8 encoding. For example, in Internet Explorer, select View > Encoding > Unicode.

Config Mode > SLB > Health Monitor > Health HTTP Post File

This page allows you to import a file containing POST data to use with an
HTTP or HTTPS health check. Use this option if you need to use a POST
data payload longer than 255 bytes. An imported POST data file can contain
a payload of up to 2 Kbytes.

Importing a POST Data File


To import a POST data file:
1. Select the location of the file to be imported:
• Local – The file is on the PC you are using to run the GUI, or is on
another PC or server in the local network. Go to step 2.
• Remote – The file is on a remote server. Go to step 4.

2. Click Browse and navigate to the location of the certificate.

3. Click Open. The path and filename appear in the Source field. Go to
step 10.


4. To use the management interface as the source interface for the connection to the remote device, select Use Management Port. Otherwise, the ACOS device will attempt to reach the remote server through a data interface.

5. Select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

6. In the Host field, enter the directory path and filename.

7. If needed, change the protocol port number in the Port field. By default, the default port number for the selected file transfer protocol is used.

8. In the Location field, specify the directory path and filename.

9. In the User and Password fields, enter the username and password
required for access to the remote server.

10. Click OK.

Config Mode > SLB > Health Monitor Mode > Global
This page enables you to globally change the default settings for health
monitor parameters.

Globally changing a health monitor parameter changes the default for that
parameter. For example, if you globally change the interval from 5 seconds
to 10 seconds, the default interval becomes 10 seconds.

If a parameter is explicitly set on a health monitor, globally changing the parameter does not affect the health monitor. For example, if the interval on health monitor hm1 is explicitly set to 20 seconds, the interval remains 20 seconds on hm1 regardless of the global setting.

Note: Global health monitor parameter changes automatically apply to all new
health monitors configured after the change. To apply a global health
monitor parameter change to health monitors that were configured before
the change, you must reboot the ACOS device.


Table 100 lists the health monitor parameters you can globally change.

TABLE 100 Global Health Monitor Parameters


Parameter Description Supported Values
Retry
Specifies the maximum number of times the ACOS device will send the same health check to an unresponsive server before determining that the server is down.
Supported Values: 1-5
Default: 3

Consec Pass Req’d
Number of consecutive times the device must pass the same periodic health check, in order to be marked Up.
Supported Values: 1-10
Default: 1

Interval
Number of seconds between health check attempts.
A health check attempt consists of the ACOS device sending a packet to the server. The packet type and payload depend on the health monitor type. For example, an HTTP health monitor might send an HTTP GET request packet.
Supported Values: 1-180 seconds
Default: 5 seconds

Timeout
Number of seconds the A10 Thunder Series and AX Series waits for a reply to a health check.
Note: This option is not applicable to external health monitors.
Supported Values: 1-60 seconds
Default: 5 seconds

Health Check Rate Auto Adjustment
Dynamically increases the default and timeout parameters for health checks. Increasing these timers provides additional time for health-check processing.
Supported Values: Enabled or Disabled
Default: Enabled

Health Check Rate
Changes the health check rate limiting threshold.
Supported Values: 1-50000
Default: 1000 per 500 ms

External Health Check Rate
Changes the health check rate thresholds for when an external program is used for health monitoring.
Supported Values:
• Number of External Script Programs – 1-999
• Unit Time for the External Check Rate – 1-20
Default: 2 per 2 100ms
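
How the Expect list syntax of the DNS method (for example 0-3,5) combines with the Retry and Consec Pass Req’d parameters in Table 100 to decide a server's status can be modelled as follows. This Python code is an added illustration, not ACOS code; it assumes that a server is marked Down after Retry consecutive failed checks and Up after Consec Pass Req’d consecutive passes, and all class and function names are hypothetical.

```python
def parse_code_list(spec, low, high):
    """Parse a list such as '0-3,5' into a set of ints within [low, high].

    Dashes give inclusive ranges; commas separate codes and ranges.
    """
    codes = set()
    for part in spec.split(","):
        first, dash, last = part.strip().partition("-")
        start = int(first)                     # ValueError on empty or non-numeric
        end = int(last) if dash else start
        if start > end:
            raise ValueError(f"range {part.strip()!r} is reversed")
        if start < low or end > high:
            raise ValueError(f"{part.strip()!r} is outside {low}-{high}")
        codes.update(range(start, end + 1))
    return codes


class HealthTracker:
    """Track Up/Down status from a stream of DNS health-check results."""

    def __init__(self, expect="", retry=3, consec_pass=1):
        # Empty expect list: only response code 0 (no error) passes.
        self.expect = parse_code_list(expect, 0, 15) if expect else {0}
        self.retry = retry              # Table 100 default: 3
        self.consec_pass = consec_pass  # Table 100 default: 1
        self.status = "Down"            # assumption: Down until proven Up
        self.passes = 0
        self.fails = 0

    def observe(self, rcode):
        """Record one check; rcode is the DNS response code, or None on no reply."""
        if rcode is not None and rcode in self.expect:
            self.passes += 1
            self.fails = 0
            if self.status != "Up" and self.passes >= self.consec_pass:
                self.status = "Up"
        else:
            self.fails += 1
            self.passes = 0
            if self.fails >= self.retry:
                self.status = "Down"
        return self.status

    def run(self, rcodes):
        """Feed a sequence of results; return the status after each one."""
        return [self.observe(rc) for rc in rcodes]


if __name__ == "__main__":
    # Constructed sample: response codes seen on successive checks (None = timeout).
    samples = [0, 3, 4, None, 2, 4, 4, 4, 5, 5]
    tracker = HealthTracker(expect="0-3,5", retry=3, consec_pass=2)
    for rc, status in zip(samples, tracker.run(samples)):
        print(f"rcode={rc!s:>4} -> {status}")
```

With the default 5-second interval, the same model gives a rough detection time: Retry multiplied by Interval seconds of consecutive failures before a server is taken out of service.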


Config Mode > SLB > Black-White List


This option allows you to configure or import a black/white list for use with
Policy-Based SLB (PBSLB).

Note: If a connection limit is specified in a black/white list, the ACOS device does not support using the list for both system-wide PBSLB and for PBSLB on an individual virtual port. In this case, the ACOS device may increase the current connection counter more than once, resulting in a much lower connection limit than the configured value. To work around this issue, use separate black/white lists.

Importing a Black/white List


1. Select Config Mode > SLB > Black-White List, if not already selected.

2. Click Import. The Import page appears.

3. In the Name field, enter the name to use for the imported list.

4. Select the location of the file to be imported:


• Local – The file is on the PC you are using to run the GUI, or is on
another PC or server in the local network. Go to step 5.
• Remote – The file is on a remote server. Go to step 7.

5. Click Browse and navigate to the location of the class list.

6. Click Open. The path/filename appears in the field. Go to step 13.

7. To use the management interface as the source interface for the connection to the remote device, select Use Management Port. Otherwise, the ACOS device will attempt to reach the remote server through a data interface.

8. Select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

9. In the Host field, enter the directory path and filename.

10. If needed, change the protocol port number in the Port field. By default, the default port number for the selected file transfer protocol is used.

11. In the Location field, specify the directory path and filename.

12. In the User and Password fields, enter the username and password
required for access to the remote server.

13. Click OK.


Configuring a Black/white List in the GUI


The PBSLB section is displayed when you click Add or click on a
black/white list name.

Table 101 lists the PBSLB parameters you can configure.

TABLE 101 Black-White List Parameters


Parameter Description Supported Values
PBSLB Section

Name
Name and location of the black/white list.
The location can be one of the following:
• Remote – You are importing the list from an external device.
• Local – You are importing the list by copying and pasting it into the Definition field.
Supported Values:
Name can be 1-31 characters
Local or Remote

Interval (Remote only)
Specifies how often the ACOS device re-imports the list to ensure that changes to the list are automatically replicated on the AX.
Supported Values: 60 – 86400 seconds
Default: 300 seconds

Use Management Port
Uses the management interface as the source interface for the connection to the remote device.
The management route table is used to reach the device. By default, the ACOS device attempts to use the data route table to reach the remote device through a data interface.
Note: For information about the data and management route tables, see the “Using the Management Interface as the Source for Management Traffic” chapter in the AX Series System Configuration and Administration Guide.
Supported Values: Enabled or disabled
Default: Disabled

Protocol (Remote only)
File transfer protocol to use.
Supported Values: TFTP

Host (Remote only)
IP address or hostname of the device where the list is located.
Supported Values: Valid IP address or hostname
Default: Not set

Location (Remote only)
Path and filename of the list on the remote device.
Supported Values: Valid pathname and filename
Default: Not set

Definition (Local only)
Text entry field for a black/white list.
Supported Values: Black/white list
Default: None


Config Mode > SLB > aFleX


This page displays the aFleX policies imported onto the ACOS device.

Click Add or the name of an existing aFleX policy to display the aFleX
configuration page.

From this page, enter the name for the policy, and copy or modify the script
in the Definition field. Click OK to confirm your configuration.

Troubleshooting aFleX Syntax Errors


When you click OK after entering an aFleX script, the GUI saves the script
and redisplays the aFleX table. The GUI also performs a syntax check. If
there are errors:
1. Click on the aFleX name to display the configuration page for the
script.

2. Edit the script text.

3. Click OK.

4. The aFleX script table reappears. If the script still contains syntax errors,
the errors are displayed above the table.

Config Mode > SLB > SSL Management


The SSL Management pages enable you to manage certificates, keys, and
Certificate Revocation Lists (CRLs).

Certificate Formats for Importing and Exporting


In previous releases, the ACOS device supported only certificates and
CRLs in Privacy-Enhanced Mail (PEM) format. The maximum supported
certificate size is 16 KB. You can specify the format when you
import the certificate, and the ACOS device automatically converts the
imported certificate into PEM format.

Beginning with ACOS Release 2.7.0, you can export SSL certificates in the
following formats:


• PEM

• Distinguished Encoding Rules (DER)

• Personal Information Exchange (PFX)

In addition to these formats, you also have the option to export an SSL
Certificate as a PKCS #7 (P7B) file.

Config Mode > SLB > SSL Management > Certificate

The Certificate page enables you to manage certificates and keys.

Generating a Self-Signed Certificate


1. Select Config Mode > SLB > SSL Management, if not already selected.

2. On the menu bar, select Certificate.

3. Click Create.

4. Enter a name for the certificate.

5. In the Issuer drop-down list, select Self, if not already selected.

6. Enter the rest of the certificate information in the remaining fields of the
Certificate section.

Note: If you need to create a wildcard certificate, use an asterisk as the first part
of the common name. For example, to create a wildcard certificate for
domain example.com and its sub-domains, enter the following common
name: *.example.com

7. From the Key Size drop-down list, select the length (bits) for the key.

8. Click OK. The ACOS device generates the self-signed certificate and its
key. The new certificate and key appear in the certificate list. The
certificate is ready to be used in client-SSL and server-SSL templates.

Generating a Key and CSR for a CA-Signed Certificate


1. Select Config Mode > SLB > SSL Management, if not already selected.

2. On the menu bar, select Certificate.

3. Click Create.

4. Enter a name for the certificate.


5. In the Issuer drop-down list, select Certificate Authority, if not already
selected.
This option displays the Pass Phrase and Confirm Pass Phrase fields.

6. Enter or select the rest of the certificate information in the remaining
fields of the Certificate section.

Note: If you need to create a request for a wildcard certificate, use an asterisk as
the first part of the common name. For example, to request a wildcard
certificate for domain example.com and its sub-domains, enter the following
common name: *.example.com

7. Enter a passphrase.

8. From the Key Size drop-down list, select the length (bits) for the key.

9. Click OK. The ACOS device generates the certificate key and the
certificate signing request (CSR), and displays the CSR. The CSR is
displayed in the Request Text field.

10. To save the CSR to your PC:


a. Click Download.

Note: If the browser security settings normally block downloads, you may need
to override the setting. For example, in IE, hold the Ctrl key while
clicking Download.
b. Click Save.
c. Navigate to the save location.
d. Click Save again.

Note: If you prefer to copy-and-paste the CSR, make sure to include everything,
including “-----BEGIN CERTIFICATE REQUEST-----” and
“-----END CERTIFICATE REQUEST-----”.

11. When you receive the certificate from the CA, import it onto the ACOS
device. (See “Importing a Certificate and Key” below.)

Importing a Certificate and Key


You can import certificate and key files.

Note: If you are importing a CA-signed certificate for which you used the
ACOS device to generate the CSR, you do not need to import the key. The
key is automatically generated on the ACOS device when you generate
the CSR.


1. Select Config Mode > SLB > SSL Management, if not already selected.

2. On the menu bar, select Certificate. (This option also applies to
certificate chain files.)

3. Click Import.

4. In the Name field, enter a name for the certificate or key. This is the
name you will refer to when adding the certificate or key to a client-SSL
or server-SSL template.

5. Select the location of the file to be imported:


• Local – The file is on the PC you are using to run the GUI, or is on a
PC or server in the local network. Go to step 6.
• Remote – The file is on a remote server. Go to step 8.
• Text – You plan to copy-and-paste the text of the file directly into a
field on the GUI page. Go to step 8.

6. Click Browse and navigate to the location of the certificate.

7. Click Open. The path and filename appear in the Source field. Go to
step 15.

8. To use the management interface as the source interface for the connection
to the remote device, select Use Management Port. Otherwise, the
ACOS device will attempt to reach the remote server through a data
interface.

9. To copy-and-paste the certificate file directly into the GUI, select Text
next to Import Certificate From (if not already selected), then copy-and-paste
the certificate into the Content field. Go to step 15.

10. Select the certificate format: PEM, DER, PFX, or P7B.

11. Select the file transfer protocol: HTTP, HTTPS, FTP, TFTP, RCP, SCP,
or SFTP.

12. In the URL field, enter the directory path and filename.

13. If needed, change the protocol port number in the Port field. By default,
the default port number for the selected file transfer protocol is used.

14. In the User and Password fields, enter the username and password
required for access to the remote server.


15. Next to Import Key from, select the source for the key:
• Local – The key is on the PC you are using to run the GUI, or is on
a PC or server in the local network.
• Remote – The key is on a remote server.
• Text – You plan to copy-and-paste the text of the key directly into a
field on the GUI page.

16. Depending on the option you selected in step 15, specify the import
settings or copy-and-paste the key into the Content field.

17. Click OK.
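
A pre-import check for the file or pasted text, added here as an example (it is not A10 code and uses no ACOS interface): it reports which of the formats in step 10 the data looks like, applies the 16 KB certificate limit stated under Certificate Formats, and catches the incomplete copy-and-paste that the CSR note warns about. The function names, the reading of 16 KB as 16 × 1024 bytes, and the sample data are assumptions; recognizing PFX and P7B by their standard leading ASN.1 elements goes beyond what this page describes.

```python
import base64
import binascii
import re

MAX_CERT_BYTES = 16 * 1024  # assumption: "16 KB" is read as 16 * 1024 bytes
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # PKCS #7 signedData OID


def read_sequence(der):
    """Return (header_len, content_len) of a leading DER SEQUENCE, else None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                       # short-form length
        return 2, der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None                         # indefinite-length BER is not handled
    return 2 + n, int.from_bytes(der[2:2 + n], "big")


def classify_der(der):
    """Guess the container from the first element inside the outer SEQUENCE."""
    seq = read_sequence(der)
    if seq is None:
        return "unknown"
    header, length = seq
    if header + length != len(der):         # declared length disagrees with data
        return "truncated"
    inner = der[header:]
    if inner.startswith(b"\x02\x01\x03"):   # PKCS #12: version INTEGER 3
        return "PFX"
    if inner.startswith(SIGNED_DATA_OID):   # PKCS #7 ContentInfo, signedData
        return "P7B"
    if inner[:1] == b"\x30":                # certificate, CSR or CRL body
        return "DER"
    return "unknown"


def inspect_import(data):
    """Return (format, problems) for bytes about to be imported or pasted."""
    problems = []
    if len(data) > MAX_CERT_BYTES:
        problems.append("larger than 16 KB")
    if b"-----BEGIN " not in data:
        kind = classify_der(data)
        if kind in ("unknown", "truncated"):
            problems.append(f"binary data is {kind}")
        return kind, problems
    text = data.decode("ascii", errors="replace")
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) != text.count("-----BEGIN "):
        problems.append("a BEGIN line has no matching END line")
    for label, body in blocks:
        # Traditional encrypted keys carry header lines and are out of scope here.
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
            continue
        if classify_der(der) == "truncated":
            problems.append(f"{label}: DER length does not match the data")
    return "PEM", problems


def sample_seq(content):
    """Constructed-sample helper; content must be 256..65535 bytes long."""
    return b"\x30\x82" + len(content).to_bytes(2, "big") + content


def sample_pem(label, der):
    body = base64.encodebytes(der).decode()  # 76-character lines, trailing newline
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()


# Constructed samples: correct outer structure, filler content, no real keys.
SAMPLE_DER = sample_seq(sample_seq(bytes(300)))
SAMPLE_PFX = sample_seq(b"\x02\x01\x03" + bytes(300))
SAMPLE_P7B = sample_seq(SIGNED_DATA_OID + bytes(300))
SAMPLE_CSR_PEM = sample_pem("CERTIFICATE REQUEST", SAMPLE_DER)

if __name__ == "__main__":
    partial_paste = SAMPLE_CSR_PEM.split(b"-----END")[0]
    for name, data in [("der", SAMPLE_DER), ("pfx", SAMPLE_PFX), ("p7b", SAMPLE_P7B),
                       ("csr", SAMPLE_CSR_PEM), ("partial paste", partial_paste)]:
        print(name, inspect_import(data))
```

A paste that loses one full line of the body still decodes as base64, so the check relies on the length declared in the DER header to notice the loss.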

Exporting a Certificate and Key

Note: Due to a limitation in Windows, it is recommended to use names shorter
than 255 characters. Windows allows a maximum of 256 characters for
both the file name and the directory path. If the combination of directory
path and file name is too long, Windows will not recognize the file. This
limitation is not present on machines running Linux/Unix.

1. Select Config Mode > SLB > SSL Management, if not already selected.

2. On the menu bar, select Certificate.

3. Select the certificate. (Click the checkbox next to the certificate name.)

4. From the Export Format drop-down menu, select the certificate format:
PEM, DER, or PFX.

5. Click Export.

Note: If the browser security settings normally block downloads, you may need
to override the setting. For example, in IE, hold the Ctrl key while
clicking Export.

6. Click Save.

7. Navigate to the save location.

8. Click Save again.


Config Mode > SLB > SSL Management > Cert Revocation List

The Cert Revocation List page enables you to manage Certificate Revocation
Lists (CRLs).

Importing a CRL

You can locally import a CRL. Place it on the PC that is running the GUI or
CLI session, or onto a PC or file server that can be locally reached over the
network.

1. Select Config Mode > SLB > SSL Management, if not already selected.

2. On the menu bar, select Cert Revocation List.

3. Click Import.

4. Select the location of the file to be imported:


• Local – The file is on the PC you are using to run the GUI, or is on a
PC or server in the local network. Go to step 5.
• Remote – The file is on a remote server. Go to step 7.

5. Click Browse and navigate to the location of the certificate.

6. Click Open. The path and filename appear in the Source field. Go to
step 12.

7. To use the management interface as the source interface for the connection
to the remote device, select Use Management Port. Otherwise, the
ACOS device will attempt to reach the remote server through a data
interface.

8. Select the file transfer protocol: HTTP, HTTPS, FTP, TFTP, RCP, SCP,
or SFTP.

9. In the URL field, enter the directory path and filename.

10. If needed, change the protocol port number in the Port field. By default,
the default port number for the selected file transfer protocol is used.

11. In the User and Password fields, enter the username and password
required for access to the remote server.

12. Click OK.


Exporting a CRL

1. Select Config Mode > SLB > SSL Management, if not already selected.

2. On the menu bar, select Cert Revocation List.

3. Select the CRL. (Click the checkbox next to the CRL name.)

4. Click Export.

Note: If the browser security settings normally block downloads, you may need
to override the setting. For example, in IE, hold the Ctrl key while
clicking Export.

5. Click Save.

6. Navigate to the save location.

7. Click Save again.

Config Mode > SLB > SSL Management > Expiration Mail

This page enables you to configure the ACOS device to send email notification
when an SSL certificate is about to expire. This feature sends a daily
email listing the certificates that are about to expire or that have recently
expired.

One notification is sent per day. If a certificate is updated before expiration
or at least before the configured interval, no more notification emails are
sent for that certificate.

To configure email notification for certificate expiration:


1. Select Config Mode > SLB > SSL Management > Expiration Mail, if
not already selected.

2. In the Email Address field, enter the email addresses to which to send
the notifications. You can specify up to 2 email addresses. Use a space
between them.

3. In the Before field, specify how many days before expiration to begin
sending notification emails. You can specify 1-5. The default is 5.

4. In the Interval field, specify how many days after expiration to
continue sending notification emails. You can specify 1-5. The default is 2.


5. To exclude a certificate from notification, select it from the Certificate
Name drop-down list and click Add. Repeat for each certificate you
want to exclude.

6. Click OK.

Config Mode > SLB > Network Map


The network map displays configured SLB elements for an ACOS device.
Specify a node or service group, a VIP, a port, an aFleX script, template or
source NAT in a search field and view all the VIPs, service groups, and
nodes that are utilizing that particular aspect of configuration.

Search for SLB objects that share a relationship with a virtual server in a
particular network using the following relationship sequence: From a
Virtual Server to a Virtual Server Port or a Service Group, to a Server.

Note: The search field supports partial matches, but does not support wildcard
characters.

Viewing the network map


1. Go to Config Mode > SLB > Network Map.
The following page will appear:


2. Use filters to sort the information you wish to view. Specify a maximum
of 5 filters:

a. From the drop down to the right of Virtual Server, search for
information on SLB objects such as Virtual Servers, Virtual Server Ports,
Service Group, Service Group Member, Server, Health Monitor,
aFleX, Access List, Source NAT Pool, Certificate, or any templates.
b. From the drop down to the right of the IP Address, you can search
either by specifying the IP Address or choose Status to search for
objects that are Enabled, Disabled, Running, Functional Running,
Partial Running, or Stopped.

3. Click on a service group list page, server page, health monitor page, or
SSL certificate page, to display a micro pop-up window that will display
content similar to the network map page. This makes it easy to identify
relationships among SLB objects. The following displays a server
micro-popup that you can view from the Service Group window:

The network map feature also displays role-based administration (RBA)
relationships in the virtual server, service group, server, and different
template pages. This means that when an RBA object refers to a shared object,
their relationship will be shown in the network map. While the layout for all
RBA objects is the same, the only difference in RBA is the inability to click
on a hyperlink to be redirected to another module.


Global Server Load Balancing

This chapter describes the GSLB monitoring and configuration options in
the GUI.

• “GSLB Easy Config”

• “Monitor Mode – GSLB”

• “Config Mode – GSLB Service Options”

GSLB Easy Config


The GSLB Easy Config page enables you to enter information for the
services to be managed by Global Server Load Balancing (GSLB).

To configure GSLB services using the GSLB Easy Config page, the
following information is required:
• Zone name – Name of the DNS domain containing the services to be
  managed by GSLB. For example, if GSLB will be provided for
  www.example.com, the zone name is “example.com”.
• DNS mode (proxy or server):
    • Proxy – This ACOS device acts as a proxy for an external DNS
      server.
    • Server – This ACOS device directly responds to address queries for
      the zone’s services. (The ACOS device still forwards other types of
      queries to the external DNS server.)
• Service information:
    • Name – String to uniquely identify the service configuration on the
      ACOS device
    • Type – FTP, TFTP, HTTP, HTTPS, IMAP4, LDAP, NNTP, POP3,
      SMTP, TELNET, or Other.
    • IP address – IP address at which this ACOS device can reach the
      service. You also must specify how the IP address is connected to
      this ACOS device:
        • SLB direct-conn real server – IP address belongs to a real server
          connected to this ACOS device.
        • SLB self-service device – IP address is a VIP configured on this
          ACOS device.
        • SLB device – IP address is a VIP configured on another ACOS
          device (the SLB device for the site).
    • Protocol port – Layer 4 port of the service.

After you use the GSLB Easy Config options to configure these parameters,
the GUI creates the GSLB resources for the configuration.

Note: GSLB has many additional options that you can modify based on your
deployment requirements. For information about specific options, see the
following:
• “Config Mode – GSLB Service Options” on page 308

• Global Server Load Balancing Guide

Configuring GSLB

1. Select Config Mode > Get Started > GSLB Easy Config.

2. Enter the zone name in the Name field.

3. Enter the service name in the Service Name field.

4. Select the service type from the Type drop-down list.

5. Click Next. The GSLB Service page appears.

6. To enable Server Mode, select the check box, or clear the check box to
select Proxy Mode for the service.

7. Enter site information:


a. Enter the site name in the field above the GSLB Site column.
b. Click Add. The site name appears in the GSLB Site column.
c. Repeat for each site.

8. To specify the service IP addresses for a site:


a. In the table that lists GSLB sites, click on the desired site name.
b. In the Service IPs section, select one of the following:
• SLB direct-conn real server – IP address belongs to a real server
connected to this ACOS device. The Server IP address field
appears. Go to step 9.
• SLB self-service device – IP address is a VIP configured on this
ACOS device. The VIP address field appears. Go to step 10.
• SLB device – IP address is a VIP configured on another ACOS
device (the SLB device for the site). The Device Address and
VIP address fields appear. Go to step 11.


9. Enter the IP address of the server in the Server IP address field.

10. Enter the VIP address of the service in the VIP address field.

11. Enter the IP address of the site SLB device in the Device Address field.

12. Enter the VIP address of the service in the VIP address field.

13. Enter the protocol port number in the Port field.

14. Click Add.

15. Click Return.

16. Repeat step 8 through step 15 for each site.

17. Click Finish.

18. A summary page of the services you configured is displayed.

19. Click Return. The GSLB Easy Config page is redisplayed. You can
configure another zone or navigate to another GUI page.


Configuration Example
The example GUI pages in the following figures configure GSLB for an
HTTP service. The network topology for the example is shown in
Figure 25.

FIGURE 25 GSLB Example Topology

The HTTP service is named “www” and is located in domain “example.com”.
The service is located at two different sites:
• Site-West

• Site-East

The GSLB controller (this ACOS device) is located at Site-West. Another
ACOS device is serving as a site SLB device at Site-West.

The GSLB controller is configured to act as the DNS server for
“example.com”. When a client sends a DNS request for “www.example.com”, the
GSLB controller selects an IP address based on the GSLB policy. By
default, a site IP address located near the client is selected, based on
information in the Internet Assigned Numbers Authority (IANA) geo-location
database on the GSLB controller.

The GSLB controller replies to the client’s DNS query with the selected site
IP address. The client then sends the HTTP request to the specified site.

Configuring GSLB Easy Config

First, enter the zone name and service name, and then select the service type
from the drop-down menu.

FIGURE 26 Config Mode > Get Started > GSLB Easy Config

On the next page that appears, enter a site name and click Add. Then, click
on the site name to access the configuration page for that site.

FIGURE 27 Config Mode > Get Started > GSLB Easy Config - Service
Configuration


Enter the IP information for the service. Select the appropriate radio button
in the Service IPs section, and enter the Device Address, VIP and Port.
Click Add. Click Return.

FIGURE 28 Config Mode > Get Started > GSLB Easy Config - Site
Configuration for Site-East

Verify the service IP address.

FIGURE 29 Config Mode > Get Started > GSLB Easy Config - Site
Configuration, Service IP added


Enter the next site name, click Add. Then, click on the site name and enter
the IP information as before. Click Add, and then click Return.

FIGURE 30 Site Configuration, Site Configuration for Site-West

Verify the IP information and click Finish.

FIGURE 31 Service Configuration Complete


Verify the complete configuration, then click Finish again to display the
detailed information for all of the sites.

FIGURE 32 Service Configuration Verification

Monitor Mode – GSLB


The pages in this sub-module display information for Global Server Load
Balancing (GSLB).

Monitor Mode > GSLB > Site

This page shows information for GSLB sites.

Table 102 describes the columns in this display.

TABLE 102 Monitor Mode > GSLB > Site

Field           Description
Site            GSLB site name.
SLB-Device      IP address of the SLB device that is managing the real
                servers at the site.
Server          IP address of the GSLB service.
Usage           Number of times the service IP was selected.
Service Status  GSLB service port state.


Monitor Mode > GSLB > Zone

This page shows information for GSLB zones.

Table 103 describes the columns in this display.

TABLE 103 Monitor Mode > SLB > GSLB > Zone

Field             Description
Zone              Zone name.
Service           Service type and service name.
Received Queries  Number of DNS queries received for the service.
Sent Responses    Number of DNS replies sent to clients for the service.
Proxy             Number of DNS replies sent to clients by the ACOS device
                  as a DNS proxy for the service.
Cache             Number of cached DNS replies sent to clients by the ACOS
                  device for the service. (This statistic applies only if the
                  DNS cache option is enabled in the policy.)
Server            Number of DNS replies sent to clients by the ACOS device
                  as a DNS server for the service. (This statistic applies
                  only if the DNS server option is enabled in the policy.)
Sticky            Number of DNS replies sent to clients by the ACOS device
                  to keep the clients on the same site. (This statistic
                  applies only if the DNS sticky option is enabled in the
                  policy.)
Backup            If the backup-alias option is configured, this field shows
                  the CNAME that will be returned by GSLB.

Monitor Mode > GSLB > Protocol

This page shows statistics for the GSLB protocol running on this ACOS
device.


Config Mode – GSLB Service Options


The GSLB pages enable you to configure Global Server Load Balancing
(GSLB).

Note: If this ACOS device will be the GSLB controller, use all the configuration
pages. If this ACOS device will be only a site ACOS device, go to
“Config Mode > Service > GSLB > Global” on page 342. Enable the Run
GSLB as Site SLB Device option and click OK. Do not configure any
other GSLB parameters.

Config Mode > GSLB > FQDN


The options on this page allow you to configure GSLB services. Using this
page, you can easily configure all of a service’s parameters, including its
site, service-IP, and zone membership, by entering the following
information:
• Service name and zone name

• Service type (HTTP by default)

The service name and zone name, in combination, comprise a fully-qualified
domain name (FQDN). For example, the combination of zone name
“example.com” and service name “www” becomes FQDN “www.example.com”.

In addition to simplifying configuration, this page, and the FQDN
configuration page, each allow you to enable or disable the entire FQDN, or
individual sites within the FQDN.

GSLB FQDN Parameters


Table 104 lists the FQDN parameters.

TABLE 104 GSLB FQDN Parameters

FQDN Section

Parameter: FQDN
Description and Syntax: The Fully Qualified Domain Name (FQDN) of the entry.
Supported Values: Valid domain name. Default: Not set

Parameter: GSLB Zone
Description and Syntax: Zone portion of the FQDN.
Note: After you enter the FQDN string and click, the GUI auto-populates
this field and the Service field.
Supported Values: Name of a GSLB zone. Default: Not set

Parameter: Service
Description and Syntax: Service portion of the FQDN.
Supported Values: Name of a GSLB service. Default: Not set

Parameter: Port
Description and Syntax: Service type.
Supported Values: One of the following:
• FTP
• TFTP
• HTTP
• HTTPS
• IMAP4
• LDAP
• NNTP
• POP3
• SMTP
• TELNET
• Other
Default: HTTP

Parameter: Policy
Description and Syntax: Applies a GSLB policy to the FQDN entry.
Supported Values: Name of a configured policy. Default: The default GSLB
policy is used.

Parameter: Action
Description and Syntax: Action to perform on DNS queries for the FQDN:
• Forward Response – Forwards responses to the local DNS server, but does
not forward queries to the Authoritative DNS server.
• Forward Both – Forwards queries to the Authoritative DNS server, and
forwards responses to the local DNS server.
• Forward Query – Forwards queries to the Authoritative DNS server, but
does not forward responses to the local DNS server.
• Drop – Drops DNS queries from the local DNS server.
• Ignore – Sends an empty response.
• Reject – Rejects DNS queries from the local DNS server and returns the
“Refused” message in replies.
Supported Values: One of the following:
• Forward Response
• Forward Both
• Forward Query
• Drop
• Ignore
• Reject
Default: not set

Parameter: Status
Description and Syntax: State of the service.
Supported Values: Enabled or Disabled. Default: Enabled

GSLB Site Section

Parameter: Site
Description and Syntax: Adds a GSLB site.
1. Select the site from the Site drop-down list.
2. If using a GSLB template, select it from Template drop-down list.
3. Enter the weight (bias) for the site, or use the default (1).

Click
Configuration fields appear in the GSLB Service IP section (located to the
right).
Supported Values: Name of a GSLB site. Default: Not set

Parameter: Template
Description and Syntax: Binds a template to the site. To use the bw-cost
metric, use this option to bind a GSLB SNMP template to the site.
Supported Values: Name of a configured GSLB template. Default: Not set

Parameter: Weight
Description and Syntax: Assigns a weight to the site. If the weighted-site
metric is enabled in the policy and all metrics before weighted-site result
in a tie, the site with the highest weight is selected.
Supported Values: 1-100. Default: 1

GSLB Service IP Section

Parameter: Service IP Type
Description and Syntax: Specifies the way in which the service is connected
to this ACOS device:
• SLB direct-conn real server – The ACOS device you currently are
configuring for GSLB is directly connected to the real server.
• SLB self-service device – The ACOS device you currently are configuring
for GSLB is also the ACOS device that is configured to perform SLB for the
VIP that provides the service to clients. This is the VIP bound to a service
group containing the real servers on which the service is located.
• SLB device – The service is load balanced by another ACOS device.
(See the row below for the options that match your selection.)
Supported Values: Default: SLB direct-conn real server

Parameter: SLB direct-conn real server
Description and Syntax: If using this option, specify the following:
• Server – IP address of the server.
• Name – Name for the directly-connected server in the GSLB configuration.
• Health Monitor – Health monitor used to check the reachability and
responsiveness of the service.
Supported Values: Defaults:
• Server – Not set.
• Name – Auto-populated after you enter the server.
• Health Monitor – The default is “(default)”, which is the default TCP or
UDP health monitor, depending on the protocol of the service.

Parameter: SLB self-service device
Description and Syntax: If using this option, specify the following:
• VIP – Virtual IP address.
• Name – Name for the virtual server.
• Dev Name – Name for the SLB device (this device) in the GSLB
configuration.
• Health Monitor – Health monitor for checking the reachability and
responsiveness of the service.
Supported Values: Defaults:
• VIP – Not set.
• Name – Auto-populated after you enter the server.
• Dev Name – Not set.
• Health Monitor – The default is “(default)”, which is the default TCP or
UDP health monitor, depending on the protocol of the service.

Parameter: SLB device
Description and Syntax: If using this option, specify the following:
• VIP – Virtual IP address.
• Name – Name for the virtual server.
• Dev Name – Name for the SLB device (this device) in the GSLB
configuration.
• Health Monitor – Health monitor for checking the reachability and
responsiveness of the service.
Supported Values: Defaults:
• Device Name – Not set.
• Device IP – Not set.
• VIP – Not set.
• Name – Auto-populated after you enter the server.
• Health Monitor – Health monitor for checking the reachability and
responsiveness of the service.

DNS MX Record Section

Use this section if you need to add Mail Exchange (MX) records for the zone.
1. In the Name field, enter the fully-qualified domain name of the mail
server for the zone.
2. If more than one MX record will be configured for the zone, enter the
priority of this MX record in the Priority field. The priorities of the MX
records determine the order in which the mail server should attempt to
deliver mail to the MX hosts. The MX record with the lowest priority number
has the highest priority and is tried first. The priority can be 0-65535.
There is no default.
3. Click Add.

DNS CName Record Section

Use this section if you need to configure CNAME (alias) records for the
service.
To configure an alias, enter the alias in the Name field, then click Add.


TABLE 104 GSLB FQDN Parameters (Continued)


Parameter Description and Syntax Supported Values
DNS NS Record Section
Use this section if you need to configure Name Server (NS) records for the zone. Enter the record name in the
Name field, then click Add.
DNS SRV Record Section
Use this section if you need to configure Service (SRV) records for the service. Enter the Name, Priority
(0-65535), Port (0-65534), and Weight (0-100). Then, click Add.
DNS PTR Record Section
Use this section if you need to configure Pointer (PTR) records for the service.
Enter the record name in the Name field, then click Add.
DNS TXT Record Section
Use this section to configure multiple pieces of DNS text (TXT) data within one TXT record.
Enter a string value for the text record, then click Add.
Geo-location Section
Use this section to configure geo-location parameters for the service.
1. In the Geo-location field, enter the geo-location name.
2. To configure an alias for the geo-location, enter the alias name in the Alias field.
3. To set a DNS action for the geo-location, click Action and select the action from the drop-down list. The actions
are the same as the ones you can select in the FQDN section. Selecting an action here overrides any action selected
in the FQDN section, for this geo-location.
4. To use a GSLB policy other than the zone’s policy (the default setting), click Policy and select the policy from
the drop-down list.
5. Click Add.

Config Mode > GSLB > FQDN Group


FQDN groups simplify administration, by providing a single page where
you can enable or disable services at any of the following levels of
granularity, from least to most granular:
• Entire FQDN group (all zones in the group, and all their services)

• Individual sites (all services within the site)

• Individual FQDNs (individual services in individual zones)


GSLB FQDN Group Parameters


Table 105 lists the FQDN Group parameters.

TABLE 105 GSLB FQDN Group Parameters


Parameter Description and Syntax Supported Values
FQDN Section

FQDN Group – Name for the group.
Supported values: Valid string
Default: Not set

FQDN – List of the FQDNs contained in the FQDN group.
To add an FQDN to the group:
1. Select the FQDN from the drop-down list.
2. Click Add.
Supported values: Configured FQDNs
Default: Not set

Site – Lists the sites within the FQDNs contained by the group.
Supported values: N/A

Disabling Services based on FQDN Service Group


1. Navigate to Config Mode > GSLB > FQDN Group.
• To disable all services in one or more FQDN service groups, select
the group(s), then click Disable.
• To disable individual FQDNs, go to step 2.
• To disable individual sites, go to step 3.

2. To disable individual FQDNs:


a. Click on the FQDN service group name. The configuration page for
the group appears.
b. In the FQDN section, select each FQDN to disable.
c. Click Disable.

3. To disable individual sites:


a. Click on the FQDN service group name. The configuration page for
the group appears.
b. In the FQDN section, select each FQDN to disable.
c. Click Disable.

Re-enabling services from within an FQDN service group:


The procedure is similar to that for disabling services. After selecting the
FQDNs or sites, click the Enable button instead of the Disable button.


Config Mode > Service > GSLB > Zone


This option displays the configured GSLB zones. The leftmost column in
the table lists the Name of the zone. The middle column lists the Policy
associated with the zone. The rightmost column lists the Status for each
zone, which can be either enabled or disabled, each shown by its own icon.

This page allows you to perform the following actions for a zone:
• Add

• Delete

• Enable

• Disable

The Zone section is displayed when you click Add or click on a GSLB zone
name.

Zone Parameters
Table 106 lists the GSLB zone parameters.

TABLE 106 GSLB Zone Parameters


Parameter Description and Syntax Supported Values
Zone Section

Name – Name of the zone.
Supported values: 1-31 alphanumeric characters
Default: Not set
Note: You can use lower case characters and upper case characters. However, since Internet domain names are
case-insensitive, the ACOS device internally converts all upper case characters in GSLB zone names to lower case.

TTL – Enables the TTL option and displays the TTL Time field.
Supported values: Selected or unselected
Default: Selected

TTL Time – Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the
AX Series is a proxy, for this zone.
Supported values: 0-1000000000 (1 billion) seconds
Default: 10 seconds

Policy – Applies a GSLB policy to the zone.
Supported values: Name of a configured GSLB policy
Default: “default”

Disable All Services – Disables all servers at all sites in the zone.
Supported values: Selected or unselected
Default: Unselected


TABLE 106 GSLB Zone Parameters (Continued)


Parameter Description and Syntax Supported Values
DNS SOA Normal – Configures a DNS start of authority (SOA) record for the GSLB zone.
Enabling DNS SOA Normal permits the following configurable options:
• Server Name – Name of the server.
• Mailbox – Name of the mailbox.
• Serial – Specifies the initial serial number of the SOA record. This number is automatically incremented each
time a change occurs to any records in the zone file.
• Refresh – Specifies the number of seconds other DNS servers wait before requesting updated information for the
GSLB zone.
• Retry – Specifies how many seconds other DNS servers wait before resending a refresh request, if the GSLB does
not respond to the previous request.
• Expire – Specifies how many seconds GSLB can remain unresponsive to a refresh request before the other DNS
server stops responding to queries for the zone.
• TTL – Specifies the number of seconds GSLB will cache and reuse negative replies. A negative reply is an error
message indicating that a requested domain does not exist.
Supported values:
• Radio button – Selected or unselected
• Server Name – String of 1-127 characters
• Mailbox – String of 1-127 characters
• Serial – 0-2147483647
• Refresh – 0-2147483647
• Retry – 0-2147483647
• Expire – 0-2147483647
• TTL – 0-2147483647
Defaults:
• Radio button – Unselected
• Server Name – null
• Mailbox – null
• Serial – Current system time on the GSLB AX device
• Refresh – 3600
• Retry – 900
• Expire – 1209600
• TTL – GSLB Zone TTL

DNS SOA External – Causes the ACOS device to replace the internal SOA record with an external SOA record
when a request is received from an external client. Enabling this option prevents external clients from gaining
access to internal information.
Note: This feature must also be enabled in GSLB policy.
For parameter descriptions, see above.
Supported values: See “DNS SOA Normal” above for supported and default values.


TABLE 106 GSLB Zone Parameters (Continued)


Parameter Description and Syntax Supported Values
Service Section
This section adds services to the zone.
Note: The service IPs must already be configured. If you have not already configured them, see “Config Mode >
Service > GSLB > Global” on page 342.
1. Click Add.
2. Enter a name for the service in the Service field.
3. Select the service type from the Port drop-down list.
If the service type is not in the list, select Other. An input field appears with a port number in it. Edit the
port number to the number for the service.
4. To use a GSLB policy other than the zone’s policy (the default setting), select the policy from the Policy drop-
down list.
5. To specify the action to take for DNS requests or responses, select the action from the Action drop-down list.
(See “Action Options on Service Section” on page 317.)
6. To configure DNS Address (A) records for the service, use the DNS Address Record section. (See “DNS
Address Record Section” on page 317.)
7. To configure DNS Mail Exchange (MX) records for the service, use the DNS MX Record section. (See
“DNS MX Record Section” on page 318.)
8. To configure a Canonical Name (CNAME) record for the service, use the DNS CNAME Record section. (See
“DNS CNAME Record Section” on page 318.)
9. To configure a Name Server (NS) record for the service, use the DNS NS Record section. (See “DNS NS Record
Section” on page 318.)
10. To configure a Service Record (SRV) for the service, use the DNS SRV Record section. (See “DNS SRV
Record Section” on page 319.)
11. To configure a Pointer (PTR) record for the service, use the DNS PTR Record section. (See “DNS PTR Record
Section” on page 319.)
12. To configure geo-location settings for the service, use the Geo-location section. (See “Geo-location Section” on
page 319.)
13. Click OK.
The port can be a well-known name recognized by the ACOS device or a port number from 1 to 65535.
The service name can be 1-31 alphanumeric characters. (For the same reason described for zone names, the ACOS
device converts all upper case characters in GSLB service names to lower case.)
DNS MX Record Section
Use this section if you need to add Mail Exchange (MX) records for the zone.

1. In the Name field, enter the fully-qualified domain name of the mail server for the zone.

2. If more than one MX record will be configured for the zone, enter the priority of this MX record in the Priority
field. The priorities of the MX records determine the order in which the mail server should attempt to deliver mail
to the MX hosts. The MX record with the lowest priority number has the highest priority and is tried first. The
priority can be 0-65535. There is no default.

3. Click Add.


TABLE 106 GSLB Zone Parameters (Continued)


Parameter Description and Syntax Supported Values
DNS NS Record Section
Use this section if you need to configure Name Server (NS) records for the zone. Enter the record name in the
Name field, then click Add.

Action Options on Service Section

Use this section to configure general settings for the service. The action can
be one of the following:
• Not set (default)
• Forward Response – Forwards responses to the local DNS server, but
does not forward queries to the Authoritative DNS server.
• Forward Both – Forwards queries to the Authoritative DNS server, and
forwards responses to the local DNS server.
• Forward Query – Forwards queries to the Authoritative DNS server, but
does not forward responses to the local DNS server.
• Drop – Drops DNS queries from the local DNS server.
• Reject – Rejects DNS queries from the local DNS server and returns the
“Refused” message in replies.

DNS Address Record Section


Use this section if you need to add Address (A) records for the service. The
A records are used with the DNS IP Replace option in the GSLB policy.

Note: The no-response option is not valid with the Static or as-replace option.

To add an A record:
1. Select the VIP from the VIP Order drop-down list.

2. Select the as-backup option to configure a DNS name server record.
This option specifies the backup servers in the Address record. These
are the servers that will be returned to the client if the primary servers
fail and backup server mode is enabled.

3. Select the as-replace option to replace the IP address in DNS replies to
clients. To use this option, you also must enable the DNS IP Replace
option in the GSLB policy.

4. Optionally, select the no-response option to prevent the IP address for
this site from being included in DNS replies to clients.


5. If the GSLB ACOS device will act as the DNS server for this service IP
address, select Static. To use this option, you also must enable the Server
Mode option in the GSLB policy.

6. To assign a weight to the service, enter the value in the Weight field. If
the weighted-ip metric is enabled in the policy and all metrics before
weighted-ip result in a tie, the service on the site with the highest weight
is selected. The weight can be 1-100. By default, the weight is not set.

7. Enter the Time to Live in the TTL field. The value can be 1-2147483647.

8. Click Add.

The VIP addresses are placed in the DNS reply in the order they appear in
this section, starting with the VIP at the top of the list. To re-order the VIP
addresses, select the row for one of the A records and click Move Up or
Move Down.

DNS MX Record Section


Use this section if you need to add Mail Exchange (MX) records for the
service.
1. In the Name field, enter the fully-qualified domain name of the mail
server for the service.

2. If more than one MX record will be configured for the same service,
enter the priority of this MX record in the Priority field. The priorities of
the MX records determine the order in which the mail server should
attempt to deliver mail to the MX hosts. The MX record with the lowest
priority number has the highest priority and is tried first. The priority
can be 0-65535. There is no default.

3. Click Add.

DNS CNAME Record Section


Use this section if you need to configure CNAME (alias) records for the
service.

To configure an alias, enter the alias in the Name field, then click Add.

DNS NS Record Section


Use this section if you need to configure Name Server (NS) records for the
service. Enter the record name in the Name field, then click Add.


DNS SRV Record Section


Use this section if you need to configure Service (SRV) records for
the service. Enter the Name, Priority (0-65535), Port (0-65534), and
Weight (0-100). Then, click Add.

DNS PTR Record Section


Use this section if you need to configure Pointer (PTR) records for the
service.

Enter the record name in the Name field, then click Add.

DNS TXT Record Section


Use this section to configure multiple pieces of DNS text (TXT) data within
one TXT record.

Enter a string value for the text record, then click Add.

Geo-location Section
Use this section to configure geo-location parameters for the service.
1. In the Geo-location field, enter the geo-location name.

2. To configure an alias for the geo-location, enter the alias name in the
Alias field.

3. To set a DNS action for the geo-location, click Action and select the
action from the drop-down list:
• Forward Response – Forwards responses to the local DNS server,
but does not forward queries to the Authoritative DNS server.
• Forward Both – Forwards queries to the Authoritative DNS server,
and forwards responses to the local DNS server.
• Forward Query – Forwards queries to the Authoritative DNS server,
but does not forward responses to the local DNS server.
• Drop – Drops DNS queries from the local DNS server.
• Reject – Rejects DNS queries from the local DNS server and returns
the “Refused” message in replies.

4. To use a GSLB policy other than the zone’s policy (the default setting),
click Policy and select the policy from the drop-down list.

5. Click Add.


Config Mode > Service > GSLB > Site


This option displays the configured GSLB sites. A column at the right lists
the Status for each site, which can be either enabled or disabled, each
shown by its own icon.

This page allows you to perform the following actions for a site:
• Add

• Delete

• Enable

• Disable

Site Parameters
The following configuration sections are displayed when you click Add or
click on a GSLB site name.
• General

• SLB-Device

• Template

• IP-Server

• Geo-location

• Options

Table 107 lists the GSLB site parameters.

TABLE 107 GSLB Site Parameters


Parameter Description Supported Values
General Section

Name – Name of the site.
Supported values: 1-63 alphanumeric characters
Default: Not set

Weight – Assigns a weight to the site. If the weighted-site metric is enabled in the policy and all metrics before
weighted-site result in a tie, the site with the highest weight is selected.
Supported values: 1-100
Default: 1

Template – Binds a template to the site. To use the bw-cost metric, use this option to bind a GSLB SNMP template
to the site.
Supported values: Name of a configured GSLB template
Default: Not set

Disable All Servers – Disables all servers at all sites in the zone.
Supported values: Selected or unselected
Default: Unselected


TABLE 107 GSLB Site Parameters (Continued)


Parameter Description Supported Values
SLB-Device Section
Clicking Add in this section displays the SLB-Device section, which contains the following fields. Click OK when
finished to return to the Config Mode > Service > GSLB > Site page.

Device – Name of an SLB device (an ACOS device configured to provide SLB) at the site.
Supported values: 1-31 alphanumeric characters
Default: None

IP Address – IP address of the SLB device.
Default: None configured

Admin Preference – Assigns a preference value to the SLB device. If the admin-preference metric is enabled in the
policy and all metrics before this one result in a tie, the SLB device with the highest admin-preference value is
selected.
Supported values: 0-255
Default: 100

Max Client – Specifies the maximum number of GSLB clients for the device.
Supported values: 1-2147483647
Default: 32768

Auto Map – Enables or disables DNS automatic mapping. For configuration options, see Table 111 on page 332.
Supported values: Enabled or Disabled
Default: Disabled

Gateway – Specifies the gateway.
Supported values: Valid IP address
Default: None

VIP Server – Maps GSLB services to the SLB device.
1. Select the service IP from the drop-down list.
If the service IP you want to use is not already configured, you can select “create” from the drop-down menu to
configure it. In this case, when you click OK after configuring the service, you are returned to this section.
2. Click Add.
Default: Not set

Template Section
This section configures a GSLB SNMP template for use with the bw-cost metric.
To configure a template, enter all of the information into the fields, then click Add.

Name – Name of the template.
Supported values: String of 1-63 characters
Default: Not set

User Name – Specifies the SNMPv3 username required for access to the SNMP agent on the site ACOS device.
Supported values: String
Default: Not set

Community – For SNMPv1 or v2c, specifies the community string required for authentication.
Supported values: String
Default: Not set

Host – Specifies the IP address of the site ACOS device.
Supported values: Valid IP address
Default: Not set

Port – Specifies the protocol port on which the site ACOS devices listen for the SNMP requests from the GSLB
ACOS device.
Supported values: 0-65534
Default: 161

Version – Specifies the SNMP version running on the site ACOS device.
Supported values: v1, v2c, or v3
Default: v3


TABLE 107 GSLB Site Parameters (Continued)


Parameter Description Supported Values
OID – Specifies the interface MIB object to query on the site ACOS device.
Note: If the object is part of a table, make sure to append the table index to the end of the OID. Otherwise, the
ACOS device will return an error.
Supported values: Valid OID
Default: Not set

Interface – Specifies the SNMP interface ID.
Supported values: Valid SNMP interface ID
Default: Not set

Security-level – Specifies the SNMPv3 security level:
• no-auth – Authentication is not used and encryption (privacy) is not used.
• auth-no-priv – Authentication is used but encryption is not used.
• auth-priv – Both authentication and encryption are used.
Supported values: One of the following:
• no-auth
• auth-no-priv
• auth-priv
Default: no-auth

Security-engine-id – Specifies the ID of the SNMPv3 security engine running on the site ACOS device.
Supported values: String of 1-127 characters
Default: Not set

Auth-key – Specifies the authentication key.
Note: This option is applicable only if the security level is auth-no-priv or auth-priv.
Supported values: String of 1-127 characters
Default: Not set

Auth-proto – Specifies the authentication protocol.
Note: This option is applicable only if the security level is auth-no-priv or auth-priv.
Supported values: sha or md5
Default: md5

Priv-key – Specifies the encryption key.
Note: This option is applicable only if the security level is auth-priv.
Supported values: String of 1-127 characters
Default: Not set

Priv-proto – Specifies the privacy protocol used for encryption.
Note: This option is applicable only if the security level is auth-priv.
Supported values: aes or des
Default: des

Context-engine-id – Specifies the ID of the SNMPv3 protocol engine running on the site ACOS device.
Supported values: String
Default: Not set

Context-name – Specifies an SNMPv3 collection of management information objects accessible by an SNMP
entity.
Supported values: String
Default: Not set

Interval – Specifies the amount of time between each SNMP GET to the site ACOS devices.
Supported values: 1-999 seconds
Default: 3

IP-Server Section
This section adds service IPs to the site. To add a service IP to the site, select the service IP from the drop-down list
and click Add.

Name – Name of the service IP.
Supported values: Name of a configured service IP
Default: Not set

IP Address – IP Address of the service IP.
Supported values: IP address of the configured service IP
Default: Not set
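
The Template section of Table 107 lists defaults of no-auth, md5 and des for the SNMP template. The following added example (not A10 code and not part of the original guide) checks a template's settings against those fields and reports the weak choices. The dict layout, the finding texts and the sample templates are assumptions constructed for this example.

```python
"""Audit GSLB SNMP template settings for weak authentication/privacy choices.

Added illustration, not A10 code. Field names, allowed values and defaults are
taken from the Template section of Table 107; the dict layout, the finding
texts and the sample templates are assumptions made for this example.
"""
from __future__ import annotations

# Defaults as listed in Table 107 ("Not set" is modelled as an empty string).
TABLE_107_DEFAULTS = {
    "version": "v3",
    "security-level": "no-auth",
    "auth-proto": "md5",
    "priv-proto": "des",
    "auth-key": "",
    "priv-key": "",
    "community": "",
}
LEVELS = ("no-auth", "auth-no-priv", "auth-priv")
WELL_KNOWN_COMMUNITIES = ("public", "private")


def audit_template(settings: dict) -> list[tuple[str, str]]:
    """Return (field, finding) pairs; fields missing from settings take the defaults."""
    t = {**TABLE_107_DEFAULTS, **settings}
    version, level = t["version"], t["security-level"]
    findings: list[tuple[str, str]] = []

    if version in ("v1", "v2c"):
        findings.append(("version", f"SNMP{version} is unencrypted and sends the "
                                    "community string in cleartext; use v3"))
        if t["community"].lower() in ("",) + WELL_KNOWN_COMMUNITIES:
            findings.append(("community", "community string is unset or well known"))
        return findings
    if version != "v3":
        return [("version", f"unexpected value {version!r}; expected v1, v2c, or v3")]
    if level not in LEVELS:
        return [("security-level", f"unexpected value {level!r}")]

    if level == "no-auth":
        # Auth-* and Priv-* options are not applicable at this level.
        return [("security-level", "no-auth: neither authentication nor encryption is used")]

    # Auth-key and Auth-proto apply to auth-no-priv and auth-priv.
    if not t["auth-key"]:
        findings.append(("auth-key", "authentication is selected but no key is set"))
    if t["auth-proto"] == "md5":
        findings.append(("auth-proto", "md5 is the weaker supported option; prefer sha"))

    if level == "auth-no-priv":
        findings.append(("security-level", "auth-no-priv: SNMP data is sent unencrypted"))
    else:
        # Priv-key and Priv-proto apply only to auth-priv.
        if not t["priv-key"]:
            findings.append(("priv-key", "encryption is selected but no key is set"))
        if t["priv-proto"] == "des":
            findings.append(("priv-proto", "des is the weaker supported option; prefer aes"))
    return findings


# Constructed sample templates (not taken from any real device).
SAMPLE_TEMPLATES = {
    "site-a-defaults": {},
    "site-b-v2c": {"version": "v2c", "community": "public"},
    "site-c-v3-default-protos": {"security-level": "auth-priv",
                                 "auth-key": "constructed-auth-key",
                                 "priv-key": "constructed-priv-key"},
    "site-d-hardened": {"security-level": "auth-priv",
                        "auth-proto": "sha", "priv-proto": "aes",
                        "auth-key": "constructed-auth-key",
                        "priv-key": "constructed-priv-key"},
}


def audit_all(templates: dict) -> dict:
    """Map each template name to the list of fields that produced a finding."""
    return {name: [field for field, _ in audit_template(s)]
            for name, s in templates.items()}


if __name__ == "__main__":
    for name, settings in SAMPLE_TEMPLATES.items():
        for field, finding in audit_template(settings) or [("-", "no findings")]:
            print(f"{name}: {field}: {finding}")
```
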


TABLE 107 GSLB Site Parameters (Continued)


Parameter Description Supported Values
Geo-location Section
This section adds a geo-location database or manually configured geo-locations.
To add a geo-location database, select it from the leftmost drop-down list next to Geo-location, and click Add.
To add a manually configured geo-location, select up to four nodes from the drop-down lists. Select them from left
to right. After selecting the nodes for a geo-location, click Add.

Name – Geo-location name.
Supported values: Name of a manually configured geo-location

Options Section
This section configures site settings for the bw-cost (bandwidth cost) and active RDT metrics.

Auto Map – Enables or disables DNS automatic mapping. For configuration options, see Table 111 on page 332.
Supported values: Selected (enabled) or unselected (disabled)
Default: Selected (enabled)

Bandwidth Cost – Configures options for the bandwidth-cost metric:
• Limit – Specifies the maximum amount the SNMP object queried by the GSLB ACOS device can increment since
the previous query, in order for the site to remain eligible for selection.
• Threshold – For a site to regain eligibility when bw-cost is being compared, the SNMP object’s incremental value
must be below the threshold-percentage of the limit value.
For example, if the limit value is 80000 and the threshold is 90, the SNMP object’s value must increment by
72000 or less, in order for the site to become eligible again based on bandwidth cost. Once a site again becomes
eligible, the SNMP object’s value is again allowed to increment by as much as the bandwidth limit value (80000,
in this example).
Supported values:
• Limit – 0-2147483647
• Threshold – 0-100
Defaults:
• Limit – Not set
• Threshold – Not set


TABLE 107 GSLB Site Parameters (Continued)


Parameter Description Supported Values
Active RDT – Configures options for the aRDT metric:
• Aging Time – Specifies the maximum number of minutes during which a stored aRDT result can be used.
• Bind Geoloc – Stores the aRDT measurements on a per geo-location basis. Without this option, the measurements
are stored on a per site-SLB device basis.
• Match Selected Entry – Allows overlap for the Bind option, to ensure the most precise match.
• Limit – Specifies the maximum aRDT allowed for the site. If the aRDT measurement for a site exceeds the
configured limit, GSLB does not eliminate the site. Instead, GSLB moves to the next metric in the policy. You can
specify 0-16383 milliseconds (ms).
• Ignore Count – Ignores count if the aRDT is out of range.
• Mask – Specifies the IPv4 client subnet mask length.
• Range Factor – Specifies the maximum percentage a new aRDT measurement can differ from the previous
measurement. If the new measurement differs from the previous measurement by more than the allowed
percentage, the new measurement is discarded and the previous measurement is used again.
For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125%
of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous
measurement cannot be used.
• Smooth Factor – Blends the new measurement with the previous one, to smooth the measurements.
For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90%
of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new measurement is used,
along with 50% of the previous measurement.
Supported values:
• Aging Time – 1-15360 minutes
• Bind Geoloc – Enabled or disabled
• Match Selected Entry – Enabled or disabled
• Overlap – Enabled or disabled
• Limit – 1-16383
• Mask – 1-32
• Ignore Count – 1-15
• Range Factor – 1-1000
• Smooth Factor – 1-100
Defaults:
• Aging Time – 10 minutes
• Bind Geoloc – Disabled
• Match Selected Entry – Disabled
• Overlap – Disabled
• Limit – 16383 ms
• Ignore Count – 5
• Mask – 32
• Range Factor – 25
• Smooth Factor – 10
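
The Bandwidth Cost and Active RDT rows above describe their arithmetic in words. The following added example (not A10 code and not part of the original guide) models both so the numbers in the text can be reproduced. Assumptions: the first SNMP read only sets a baseline, "72000 or less" is treated as inclusive, the aRDT range test runs before smoothing, and counter wrap, Ignore Count and Aging Time are not modelled.

```python
"""Model of the bw-cost eligibility rule and the aRDT range/smooth factors.

Added illustration only; not A10 code. Parameter names follow Table 107.
Assumptions: the first counter read sets a baseline, threshold comparison is
inclusive ("72000 or less"), and the range test is applied before smoothing.
"""
from __future__ import annotations


class BwCostSite:
    """Tracks bw-cost eligibility for one site across successive SNMP reads."""

    def __init__(self, limit: int, threshold_pct: int):
        if not 0 <= limit <= 2147483647:
            raise ValueError("Limit must be 0-2147483647")
        if not 0 <= threshold_pct <= 100:
            raise ValueError("Threshold must be 0-100")
        self.limit = limit
        self.threshold_pct = threshold_pct
        self.eligible = True
        self._last: int | None = None  # previous value of the SNMP object

    def observe(self, counter: int) -> bool:
        """Feed one SNMP GET result; return whether the site is eligible."""
        if self._last is not None:
            increment = counter - self._last
            if self.eligible:
                # An eligible site may increment by as much as the limit.
                self.eligible = increment <= self.limit
            else:
                # To regain eligibility the increment must fall to
                # threshold% of the limit (integer math avoids rounding).
                self.eligible = increment * 100 <= self.limit * self.threshold_pct
        self._last = counter
        return self.eligible


def ardt_update(previous: float, new: float,
                range_factor: int = 25, smooth_factor: int = 10) -> float:
    """Return the aRDT value kept after a new measurement arrives."""
    if not 1 <= range_factor <= 1000:
        raise ValueError("Range Factor must be 1-1000")
    if not 1 <= smooth_factor <= 100:
        raise ValueError("Smooth Factor must be 1-100")
    low = previous * (100 - range_factor) / 100
    high = previous * (100 + range_factor) / 100
    if not low <= new <= high:
        return previous  # out of range: discard and reuse the previous value
    # Blend smooth_factor% of the new value with the rest of the previous one.
    return (new * smooth_factor + previous * (100 - smooth_factor)) / 100


def run_ardt(first: float, samples: list[float], **factors) -> list[float]:
    """Apply ardt_update over a series and return the stored value after each."""
    stored, history = first, []
    for sample in samples:
        stored = ardt_update(stored, sample, **factors)
        history.append(stored)
    return history


if __name__ == "__main__":
    # Constructed counter readings for the limit=80000, threshold=90 example.
    site = BwCostSite(limit=80000, threshold_pct=90)
    for reading in (0, 80000, 170000, 245000, 317000, 397000):
        print(reading, site.observe(reading))
    # Constructed aRDT samples in ms, starting from a stored value of 100.
    print(run_ardt(100, [120, 130, 75]))
```
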


Config Mode > GSLB > Service IP

This option displays the configured GSLB services.

The Service IP and Port sections are displayed when you click Add or click
on a service name.

Table 108 lists the GSLB service parameters.

TABLE 108 GSLB Service IP Parameters


Parameter Description Supported Values
Service IP Section

Name – Name of the service.
Supported values: String
Default: Not set

IP Address – IP address of the service.
Supported values: A valid IPv4 or IPv6 address
Default: Not set

External IP Address – Assigns an external IP address to the service IP. The external IP address allows a service IP
that has an internal IP address to be reached from outside the internal network.
Supported values: A valid IP address
Default: Not set

Health Monitor – Health monitor to use for checking the health of the service IP address. You can specify any
health monitor (Layer 3, 4 or 7). If you do not specify a health monitor, the default Layer 3 health monitor (ICMP
ping) is used.
If the monitor you want to use is not already configured, you can select “create” to configure it. In this case, when
you click OK after configuring the monitor, you are returned to this section.
Note: If you leave the health monitor for a service at its default setting (the default ICMP ping health check), the
health checks for the service IP and its ports are performed within the GSLB protocol.
If you use a custom health monitor, or you explicitly apply the default Layer 3 health monitor to the service, the
GSLB protocol is not used for any of the health checks.
Supported values: Name of a configured health monitor
Default: (default)

Health Check Protocol – Enables the health monitor.
Supported values: Enabled or Disabled
Default: Enabled

Status – State of the service.
Supported values: Enabled or Disabled
Default: Enabled


TABLE 108 GSLB Service IP Parameters (Continued)


Parameter Description Supported Values
Port Section
Use this section to add the services to the service IP.

Port – Protocol port number.
Supported values: 0-65535
Default: 80

Protocol – Layer 4 transport protocol.
Supported values: TCP or UDP
Default: TCP

Health Monitor – Health monitor to use to check the health of the service.
Note: If you use a custom health monitor for a service port, the port number specified in the service configuration
is used instead of the port number specified in the health monitor configuration.
Supported values: Configured health monitor
Default: (default). This is the default TCP or UDP health monitor.

Config Mode > GSLB > DNS Proxy

This option displays the configured DNS proxies.

The following configuration sections are displayed when you click Add or
click on a DNS proxy name.
• Proxy

• GSLB Port

Table 109 lists the DNS proxy parameters.

TABLE 109 GSLB DNS Proxy Parameters


Parameter Description Supported Values
Proxy Section

Name – Name of the DNS proxy.
Default: None configured

IP Address – IP address of the virtual server for the DNS proxy.
Default: None configured

Status – State of the DNS proxy.
Supported values: Enabled or Disabled
Default: Enabled


TABLE 109 GSLB DNS Proxy Parameters (Continued)


Parameter Description Supported Values
VRID/HA Group – The display of this field varies with VRRP-A or HA configuration:
• If VRRP-A is enabled, this field displays the Virtual Router ID (VRID) to use for session backup.
Note: If the drop-down list does not have any VRIDs, you still need to configure global VRRP-A parameters. See
“Config Mode > System > VRRP-A > VRRP-A Global” on page 485.
• If HA is enabled, this field displays the High Availability (HA) group ID to use for session backup.
Note: If the HA Group drop-down list does not have any group IDs, you still need to configure global HA
parameters. See “Config Mode > System > HA > Global” on page 477.
Supported values: Number of a configured VRID or HA group
Default: Not set

GSLB Port Section

Type – Specifies the port type of a DNS proxy interface.
• UDP – User Datagram Protocol.
• DNS-UDP – DNS over UDP.
• DNS-TCP – DNS over TCP.
Note:
• In DNS-UDP, if the buffer does not have enough room to fill all the DNS records, the TC flag will be set in
response.
• In DNS-TCP, the drop option causes a connection reset.
Supported values: One of the following:
• UDP
• DNS-UDP
• DNS-TCP
Default: UDP

Port – Service port number.
Supported values: 0-65534
Default: Not set

Service Group – Service group to use for the DNS proxy.
If the service group is not already configured, you can select “create” to configure it. In this case, when you click
OK after configuring the service group, you are returned to this section.
Supported values: Name of a configured service group
Default: Not set

Status – State of the virtual server port.
Supported values: Enabled or Disabled
Default: Enabled

HA Connection Mirror – Backs up session information on the Standby ACOS device in an HA configuration.
When this option is enabled, sessions remain up even following a failover.
Note: This option also requires configuration of system HA parameters. (See “Config Mode > System > HA >
Global” on page 477.)
Supported values: Enabled or Disabled
Default: Disabled

Parameter: Connection Limit
Description: Number of concurrent connections allowed on the DNS proxy. If enabled, you can select one of the following options:
• Drop – Drops new connections until the number of concurrent connections on the virtual port falls below the port’s connection limit.
• Reset – Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.
Supported Values: 0-8000000 (one million). 0 means no limit.
One of the following:
• Drop – Selected or unselected
• Reset – Selected or unselected
Default:
• 1000000 (one million)
• Drop

Parameter: Source NAT Pool
Description: IP address pool to use for IP source Network Address Translation (NAT).
Supported Values: Name of a configured IP address pool
Default: Not set

Parameter: aFleX
Description: Name of an aFleX policy.
Supported Values: Name of an aFleX policy that has been imported onto the ACOS device.
Default: Not set

Parameter: UDP Template
Description: UDP template to use. If the template you want to use is not already configured, you can select “create” to configure it. In this case, when you click OK after configuring the template, you are returned to this section.
Supported Values: Name of a configured template.
Default: The AX default UDP template is used. (See the “SLB Parameters” chapter in the A10 Thunder Series and AX Series Application Delivery and Server Load Balancing Guide.)


Config Mode > Service > GSLB > Geo-location

The geo-location options enable you to import and load (activate)
geo-location databases and to find information in the currently loaded
geo-location database.

Config Mode > Service > GSLB > Geo-location > Import
This option displays sections listed in Table 110.

TABLE 110 GSLB Geo-location Import Parameters


File Section
This section enables you to import a geo-location database from an external server. The table at the bottom of the
section lists the geo-location databases that are already on the ACOS device. The Name column lists the database
filename. The Type column indicates whether the database is automatically included with the software (Builtin) or
is a custom database that was imported (Template), in which case the data must be extracted using a CSV template.
To import a geo-location database, select or enter values for the following fields, then click Add.

Parameter: Use Management Port
Description: Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the ACOS device attempts to use the data route table to reach the remote device through a data interface.
Note: For information about the data and management route tables, see the “Using the Management Interface as the Source for Management Traffic” chapter in the AX Series System Configuration and Administration Guide.
Supported Values: Enabled or disabled
Default: Disabled

Parameter: Protocol
Description: File transfer protocol to use for importing the geo-location database. Some or all of the following fields appear, depending on your selection.
Supported Values: FTP, TFTP, RCP, SCP, or SFTP

Parameter: Host
Description: Hostname or IP address of the remote server.
Default: Not set

Parameter: Port
Description: Protocol port on which the remote server listens for the file transfer protocol’s traffic.
Supported Values: 0-65535
Configurable only for FTP, for which the default is 21.

Parameter: Location
Description: Filename and directory path on the remote server. Specify the directory path relative to the home directory for the file transfer protocol.
Default: Not set

Parameter: User
Description: Username required for access to the remote server.
Default: Not set

Parameter: Password
Description: Password required for access to the remote server.
Default: Not set

Template Section
This section enables you to configure a template for extracting the geo-location data from an imported geo-location
database.

Parameter: Name
Description: Name of the template.
Supported Values: String
Default: Not set

Parameter: Delimiter
Description: Character used to delimit data fields in the CSV file.
Supported Values: ASCII character or its decimal ASCII code (0-255)
Default: comma

Parameter: IP-From, IP-To, Continent, Country, State, City
Description: These fields indicate the position of the field in the CSV file that provides the information required for the database. For example, if the source IP address or subnet is listed in the CSV file in data field 4, enter “4” in the IP-From field.
Supported Values: 1-64
Default: Not set

Load/Unload Section
This section loads or unloads a geo-location database. Loading a geo-location database makes it the active
geo-location database to be used by GSLB. Only one geo-location database can be active. The table at the bottom of the
section provides a summary of the geo-location database file. The Name column lists the name of the geo-location
database file. The Template column lists the name of the CSV template that was used to extract data from the file.
The Percentage column lists the percentage of the data file that is finished loading, and it typically displays 100%,
because the loading process is almost instantaneous for smaller files. The Lines column lists the total number of
lines in the database file. The Success column lists the number of lines in the database file that have finished
loading. The Err/W column lists the number of errors or warnings that occurred while the database file was loading.

Parameter: File
Description: Name of the CSV file.
Supported Values: Name of an imported CSV file
Default: Not set

Parameter: Template
Description: Name of the CSV template to use to extract data from the file.
Note: If you are loading the IANA database included with the ACOS device, enter “iana” in the File field and leave the Template field blank.
Supported Values: Name of a configured CSV template
Default: Not set


Config Mode > Service > GSLB > Geo-location > Find

This page lists the geo-locations on the ACOS device. To display sub-range
locations within a geo-location, click on the geo-location name.

To find specific geo-location entries:


1. Select Geo-location or IP Address.
• If you select Geo-location, you can specify an IP range using the
From and To fields. You also can select the Statistics check box to
display usage statistics for the geo-locations.
• If you select IP Address, enter the client IP address. (You must enter
the entire address.)

2. Click Find.
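The Template, Load/Unload and Find pages above can be modelled offline to check a custom CSV database before it is imported. The following Python sketch is an added example, not A10 code: the names (CsvTemplate, load_database, find), the sample rows and the handling of a subnet in the IP-From field or an unset IP-To are assumptions made for illustration.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

LABELS = ("continent", "country", "state", "city")


@dataclass(frozen=True)
class CsvTemplate:
    """Hypothetical mirror of the GUI Template fields.

    Field positions are 1-based (1-64); 0 stands for "Not set".
    """
    ip_from: int
    ip_to: int = 0
    continent: int = 0
    country: int = 0
    state: int = 0
    city: int = 0
    delimiter: object = ","  # one ASCII character, or its decimal code 0-255


def resolve_delimiter(value):
    """Return the delimiter character for a character or a decimal code."""
    if isinstance(value, int) and not isinstance(value, bool):
        if 0 <= value <= 255:
            return chr(value)
    elif isinstance(value, str) and len(value) == 1 and ord(value) <= 255:
        return value
    raise ValueError(f"invalid delimiter: {value!r}")


def get_field(row, position):
    """Fetch a 1-based field; a short row raises IndexError."""
    if not 1 <= position <= 64:
        raise ValueError(f"position {position} outside 1-64")
    return row[position - 1].strip()


def parse_range(row, tpl):
    """Return (first, last) addresses for one CSV row."""
    text = get_field(row, tpl.ip_from)
    if "/" in text:  # assumption: a subnet in IP-From covers the whole range
        net = ipaddress.ip_network(text, strict=False)
        return net[0], net[-1]
    first = ipaddress.ip_address(text)
    last = ipaddress.ip_address(get_field(row, tpl.ip_to)) if tpl.ip_to else first
    if first.version != last.version or first > last:
        raise ValueError("inverted or mixed-family range")
    return first, last


def load_database(text, tpl):
    """Parse CSV text; return (entries, stats) like the Load/Unload summary."""
    reader = csv.reader(io.StringIO(text),
                        delimiter=resolve_delimiter(tpl.delimiter))
    entries, stats = [], {"lines": 0, "success": 0, "errors": 0}
    for row in reader:
        stats["lines"] += 1
        try:
            first, last = parse_range(row, tpl)
            labels = {name: get_field(row, getattr(tpl, name))
                      for name in LABELS if getattr(tpl, name)}
        except (ValueError, IndexError):
            stats["errors"] += 1  # bad lines are counted, never loaded
            continue
        entries.append((first, last, labels))
        stats["success"] += 1
    return entries, stats


def find(entries, address):
    """Return the labels of the narrowest range containing address, or None."""
    ip = ipaddress.ip_address(address)
    hits = [(int(last) - int(first), labels)
            for first, last, labels in entries
            if first.version == ip.version and first <= ip <= last]
    return min(hits, key=lambda hit: hit[0])[1] if hits else None


# Constructed sample: pipe-delimited, IP data in fields 4 and 5.
SAMPLE = """\
r1|NA|US|192.0.2.0|192.0.2.255|California|San Jose
r2|EU|DE|198.51.100.0/25||Hessen|Frankfurt
r3|AS|JP|203.0.113.200|203.0.113.100|Tokyo|Tokyo
r4|EU|FR|not-an-ip|198.51.100.255|IDF|Paris
r5|AS|SG|203.0.113.0
"""
TEMPLATE = CsvTemplate(ip_from=4, ip_to=5, continent=2, country=3,
                       state=6, city=7, delimiter=124)  # 124 = "|"

if __name__ == "__main__":
    entries, stats = load_database(SAMPLE, TEMPLATE)
    print(stats)
    print(find(entries, "198.51.100.7"))
```

A non-zero error count for a file that is expected to be clean is the signal to recheck the delimiter and field positions before making that database the active one.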

Config Mode > Service > GSLB > Policy

This option displays the configured GSLB policies.


The following configuration sections are displayed when you click Add or
click on a DNS proxy name.
• General

• Metric

• DNS Options

• DNS Proxy Block

• Geo-location

• Auto Map

Note: Starting with ACOS Release 2.7.0, no ACOS model or software includes
code for passive round trip time (RTT), which used the time difference between
receiving a TCP SYN and a TCP ACK for the TCP connection for GSLB.
The code was completely removed starting from 2.7.0 because no customer
was using this round trip time capability for GSLB.


GSLB Policy Parameters


Table 109 lists the GSLB policy parameters.

TABLE 111 GSLB Policy Parameters


General Section

Parameter: Name
Description: Name of the policy.
Supported Values: 1-63 characters

Parameter: Metric Force Check
Description: Forces the GSLB controller to always check all metrics in the policy.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Metric Fail Break
Description: Enables GSLB to stop if there are no valid service IPs.
Supported Values: Enabled or Disabled
Default: Disabled

Metric Section
Metrics in the In Use column are enabled in this policy. Metrics in the Not In Use column are disabled in this policy.
To disable a metric, drag it from the In Use column to the Not In Use column.
To enable a metric, drag it from the Not In Use column to the In Use column.
The metrics in the In Use column are used in the order they are listed in the column, from the top down. To re-order
metrics in either column, drag-and-drop them to the desired location.

Parameter: Health Check
Description: Service IP addresses that pass their health checks are preferred over addresses that do not pass their health checks. An IP address that fails its health check is not automatically ineligible to be included in the DNS reply to a client.
Note: This metric requires the GSLB protocol to be enabled on the site ACOS devices, if the default health checks are used on the service IPs.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Geographic
Description: Service IP addresses for the geographic region where the client is located are preferred over addresses from other regions. The GSLB A10 Thunder Series and AX Series selects the geographic region by matching the client’s IP address with the GSLB address ranges configured using geo-location options.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Round Robin
Description: Each service IP address is used sequentially, in rotation. The first service IP address is selected for the first new connection, the second address is selected for the second new connection, and so on until all service IP addresses have been selected. Then selection starts over again with the first service IP address.
Note: If the last metric is Admin IP, and Round Robin is disabled, the list of IP addresses is sent to the client. Round-robin is not used.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Weighted IP
Description: Service IP addresses with higher weight values are preferred over addresses with lower weight values.
As a simple example, assume that the weighted-ip metric is the only enabled metric, or at least always ends up being the tie breaker. IP address 10.10.10.1 has weight 4 and IP address 10.10.10.2 has weight 2. During a given session aging period, the first 4 requests go to 10.10.10.1, the next 2 requests go to 10.10.10.2, and so on (4 to 10.10.10.1, then 2 to 10.10.10.2).
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Weighted Site
Description: Sites with higher weight values are preferred over sites with lower weight values.
As a simple example, assume that the weighted-site metric is the only enabled metric, or at least always ends up being the tie breaker. Site A has weight 4 and site B has weight 2. During a given session aging period, the first 4 requests go to site A, the next 2 requests go to site B, and so on (4 to A, then 2 to B).
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Session Capacity
Description: Sites that have not exceeded their thresholds for their respective maximum TCP/UDP sessions are preferred over sites that have exceeded their thresholds.
Example:
Site A’s maximum session capacity is 800,000 and Site B’s maximum session capacity is 500,000. If the session-capacity threshold is set to 90, then for Site A the capacity threshold is 90% of 800,000, which is 720,000. Likewise, the capacity threshold for Site B is 90% of 500,000, which is 450,000.
When you enable the session capacity metric, it has the following sub-options:
• Threshold – Specifies the capacity threshold.
• Fail-break – Breaks the connection when it has exceeded the specified threshold.
Note: This metric requires the GSLB protocol to be enabled on both the GSLB controller and the site ACOS devices.
Supported Values: Enabled or Disabled
Default: Disabled. When you enable Session Capacity, the default threshold is 90.

Parameter: Active Servers
Description: Prefers the site that has the most active servers for the requested service.
When you enable the active servers metric, it has the following sub-option:
• Fail-break – Breaks the connection when there is no active server.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Active RDT
Description: Selects the site with the fastest round-trip-time for a DNS query and reply between a site ACOS device and the GSLB local DNS.
The aRDT metric is disabled by default. You can enable it to take either a single sample (single shot) or multiple samples at regular intervals.
1. Click the plus sign to display the aRDT configuration fields.
2. To use single-shot aRDT, select the Single-shot checkbox. To collect multiple samples, do not select the Single-shot checkbox.
• To change settings for single-shot, edit the values in the Timeout and Skip fields.
• To change settings for multiple samples, edit the values in the Samples, Difference, and Tolerance fields.
When you enable the aRDT metric, it has the following sub-options:
• Samples – 5
• Difference – 0
• Tolerance – 10 percent.
• Timeout – 3 seconds
• Skip – 3
• Single-shot – disabled
• Fail-break – Breaks the connection when there is no valid aRDT measurement.
Note: This metric requires the GSLB protocol to be enabled on both the GSLB controller and the site ACOS devices.
Supported Values: Enabled or Disabled
Default: Disabled. When you enable aRDT, a site ACOS device sends 5 DNS requests to the GSLB domain’s local DNS. The GSLB ACOS device averages the aRDT times of the 5 samples.

Parameter: Connection Load
Description: Sites that are at or below their thresholds of average new connections per second are preferred over sites that are above their thresholds.
• Load limit – Specifies the maximum average number of new connections per second the site A10 Thunder Series and AX Series can have.
• Samples – Number of samples for the SLB device (the site ACOS device) to collect.
• Interval – Number of seconds between each sample.
• Fail-break – Breaks the connection when it exceeds the load limit.
Note: This metric requires the GSLB protocol to be enabled on both the GSLB controller and the site ACOS devices.
Supported Values: Enabled or Disabled
Default: Disabled
The load limit can be 1-999999999 (999,999,999).
The number of samples can be 1-8.
The sample interval can be 1-60 seconds.
Defaults:
• Load limit – not set
• Samples – 5
• Interval – 5 seconds

Parameter: Num Session
Description: Sites that are at or below their thresholds of current available sessions are preferred over sites that are above their thresholds.
The tolerance specifies the percentage by which the number of available sessions on site SLB devices can differ without causing the num-session metric to select one SLB device over another. Thus, minor differences among SLB devices do not cause frequent, unnecessary changes in site preference.
Example:
Site A has 800,000 sessions available and Site B has 600,000 sessions available. The difference between the two sites is 200,000 available sessions. If num-session is set to 10, then Site A is preferred because 200,000 is larger than 10% of 800,000, which is 80,000.
Note: This metric requires the GSLB protocol to be enabled on both the GSLB controller and the site ACOS devices.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Admin Preference
Description: Selects the service with the highest administratively set preference.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: BW Cost
Description: Selects sites based on bandwidth utilization on the site AX links.
• Fail-break – Breaks a connection when it exceeds the bandwidth limit.
Note: This metric requires an SNMP template. To configure the template, you must use the CLI. See the “Config Commands: Global Server Load Balancing” chapter in the CLI Reference.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Least Response
Description: Service IP addresses with the fewest hits are preferred over addresses with more hits.
Note: This metric requires the GSLB protocol to be enabled on both the GSLB controller and the site ACOS devices.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Admin IP
Description: Assigns administrative weight to the IP addresses.
Supported Values: Enabled or Disabled
Default: Disabled

DNS Options Section

Parameter: Action
Description: Enables or disables the action to perform for DNS traffic. Actions for a service within a GSLB zone must be configured using the CLI. Once configured in the CLI, they can be enabled or disabled with this checkbox.
For details see the description of the action command (under zone configuration) in the “Config Commands: Global Server Load Balancing” chapter of the CLI Reference.
Supported Values: Enabled or Disabled
Default: Disabled.

Parameter: Active Only
Description: Removes IP addresses from DNS replies when those addresses fail a health check.
Fail safe – Returns a list of server IP addresses for failed servers to the client. Without this option, IP addresses of failed servers are omitted from the reply.
Note: If none of the IP addresses in the DNS reply pass the health check, the GSLB A10 Thunder Series and AX Series does not use this metric, since it would result in an empty IP address list.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Selected Only
Description: Returns only the selected IP addresses.
Answer Number – Specifies the maximum number of selected answers (address records) that can be returned in the DNS reply.
Supported Values: The following values are supported:
• Enabled or Disabled
• Answer Number – 1-128
Default:
• Disabled
• Answer Number – Not set

Parameter: Cache
Description: Caches DNS replies and uses them when replying to clients, instead of sending a new DNS request for every client query.
Supported Values: Enabled or Disabled
Default: Disabled
The aging time can be 1-1,000,000,000 seconds (nearly 32 years).
Default: TTL set by the DNS server in the reply
Note: If you change the value and later want to restore it to the default, use the TTL field.

Parameter: Hint
Description: Enables or disables the appearance of hints, which are A or AAAA records sent in response to client requests. Hints appear in the Additional Section of DNS responses by default, but the appearance of these records can be disabled or (using the CLI) made to appear in different regions of the DNS response.
Supported Values: One or more of the following:
• No
• Additional
• Answer
Default: Additional

Parameter: Logging
Description: Sets GSLB policy logging parameters. If enabled, you can configure the following:
• None – Does not create any log entries.
• Query – Specifies that query messages are logged.
• Response – Specifies that response messages are logged.
• Both – Specifies that both query and response messages are logged.
Supported Values: One of the following:
• Disabled
• None
• Response
• Query
• Both
Default: Disabled

Parameter: CName Detect
Description: Enabling this option results in the GSLB-AX applying the zone and service policy to the Cname record instead of applying it to the address record. Disabling this option skips the Cname response.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: External IP
Description: Returns the external IP address configured for a service IP. The external IP address must be configured on the service IP. This option is disabled by default.
Note: The external IP address must be configured on the service IP.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: Backup Alias
Description: Returns the alias CNAME record configured for the service, if GSLB does not receive an answer to a query for the service and no active DNS server exists.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Backup Server
Description: Assigns a backup server as an alternate for the primary server.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: IP Replace
Description: Replaces the IP addresses in the DNS reply with the service IP addresses configured for the service.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: IPv6 Mapping
Description: Specifies the actions in response to an IPv6 DNS query. You can enable one or more of these options:
• No – No action.
• Additional – Append AAAA records in the DNS Additional section of replies.
• Answer – Append AAAA records in DNS Answer section of replies.
• Exclusive – Replace A records (IPv4 address records) with AAAA records.
• Replace – Reply with AAAA records only.
Supported Values: One or more of the following:
• No
• Additional
• Answer
• Exclusive
• Replace
Default: No

Parameter: IPv6 Mix
Description: Enables GSLB to return both AAAA and A records in the same answer.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: IPv6 Smart
Description: Enables IPv6 return by query type. For the IPv4-IPv6 mapping records, an A query (IPv4) will return an X record and an AAAA query (IPv6) will return an AAAA record.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Geo-location Alias
Description: Returns the alias name configured for the client’s geo-location.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Geo-location Action
Description: Performs the DNS traffic handling action specified for the client’s geo-location. The action is specified as part of service configuration in a zone.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Geo-location Policy
Description: Uses the GSLB policy assigned to the client’s geo-location.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Auto Map
Description: Automates the creation of service IPs by taking the name of a system resource, or "module", and appending it to the front of a zone to create the service name (DNS name). Once the servers and other network devices have been configured with basic information, auto-mapping enables the GSLB protocol to support DNS queries for many common modules.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: MX Additional
Description: Appends MX records in the Additional section in replies for A records, when the device is configured for DNS proxy or cache mode.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Server Mode
Description: Directly responds to Address queries for specific service IP addresses in the GSLB zone. (The ACOS device still forwards other types of queries to the DNS server.)
If you use this option, you do not need to use the CName Detect option. When a client requests a configured alias name, GSLB applies the policy to the CNAME records.
• The Authoritative Mode option makes the ACOS device the authoritative DNS server for the GSLB zone, for the service IPs in which you enable the Static option. If you omit the Authoritative Mode option, the ACOS device is a non-authoritative DNS server for the zone domain.
• The Full Server List option appends all A records in the Authoritative section of DNS replies.
• The MX option provides the MX record in the Answer section, and the A record for the mail server in the Additional section, when the device is configured for DNS server mode.
• The MX Additional option enables the GSLB ACOS device to provide the A record containing the mail server’s IP address in the Additional section, when the device is configured for DNS server mode.
• The NS List option appends all Name Server (NS) Resource Records (RR) in the Authority section of DNS replies.
• The NS option provides the name server record.
• The Auto NS option provides A records for NS records automatically.
• The SRV option provides the server selection record.
• The PTR option provides the pointer record.
• The Auto PTR option provides pointer records automatically.
• The TXT option provides the text string record.
Note: To place the Server Mode option into effect, you also must enable the Static option on the individual service IP. (To configure the service IP addresses, see “Config Mode > Service > GSLB > Global” on page 342.)
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Sticky
Description: Sends the same service IP address to a client for all requests from that client for the service address.
• The DNS Client IP mask specifies the granularity of the feature for IPv6.
• The Aging Time specifies how many minutes a DNS reply remains sticky.
Note: If you enable the Sticky option, the sticky time must be as long or longer than the zone TTL.
Supported Values: Enabled or Disabled
The aging time can be 1-65535 minutes.
Default: Disabled. The default aging time is 5 minutes.

Parameter: TTL
Description: Specifies the value to which the A10 Thunder Series and AX Series changes the TTL of each DNS record contained in DNS replies received from the DNS for which the A10 Thunder Series and AX Series is a proxy.
Supported Values: 0-1000000 (1 million) seconds.
Default: 10 seconds

DNS Proxy Block Section
Note: The GSLB ACOS device must be operating in proxy mode to support the DNS Proxy Block feature.

Parameter: Action
Description: Selects an action to perform on a query type.
• No – No action.
• Drop – Drops the specified query type without sending a confirmation message to the client.
• Reject – Rejects the specified query type and returns the “Refused” message in replies to the client.
• Ignore – Does not perform any action for the query.
Note: Selecting an action without specifying the query type will cause the feature to remain disabled.
Supported Values: One of the following:
• No
• Drop
• Reject
• Ignore
Default: Drop

Parameter: Type List
Description: Specifies a DNS query type for the selected action. You can select from the following types:
• a – IP Address
• aaaa – IPv6 Address
• mx – Mail Routing
• ns – Name server
• cname – Canonical Name
• soa – Start of Authority Zone
• srv – Server Selection
• txt – Text String
• ptr – Domain name pointer
Note: Selecting a DNS query type without specifying the action will cause the default action to be applied to the selected query type.
Supported Values: One or more of the following:
• a (type 1)
• aaaa (type 28)
• mx (type 15)
• ns (type 2)
• cname (type 5)
• soa (type 6)
• srv (type 33)
• txt (type 16)
• ptr (type 12)
Default: Not set

Parameter: Range List
Description: Targets a range of DNS query types that will be blocked.
• From – The numeric value used to define the beginning of the range.
• To – The numeric value used to define the end of the range.
Supported Values: 1-65535
Default: Not set

Geo-location Section

Parameter: Match First
Description: Specifies whether to match the requested IP address with the global geo-location table or with the geo-location table configured in the policy.
Supported Values: Global or Policy
Default: Global

Parameter: Overlap
Description: Specifies whether overlap matching is enabled.
Supported Values: Enabled or Disabled
Default: Disabled

Auto Map Section

Parameter: Module
Description: Globally binds DNS function to a collection of modules and automatically builds DNS information. You can append one or more of the following modules:
• GSLB Site
• GSLB Service IP
• GSLB Group
• SLB Device
• SLB Server
• SLB Virtual Server
• Hostname
Note: Automatic mapping works only with the GSLB wildcard service.
Supported Values: One or more of the following:
• GSLB Site
• GSLB Service IP
• GSLB Group
• SLB Device
• SLB Server
• SLB Virtual Server
• Hostname
Default: None set

Parameter: TTL
Description: Number of seconds the ACOS device caches DNS replies.
Supported Values: 1-65535
Default: 300
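
The DNS Proxy Block section of Table 111 (Action, Type List, Range List) describes a per-query-type filter. The Python sketch below is an added example, not ACOS code, that models that decision on a DNS query in wire format; the names ProxyBlockPolicy and handle_query, the sample queries, and the treatment of both No and Ignore as "pass the query through" are assumptions.

```python
import struct

# Query type numbers as listed in the Type List row of Table 111.
QTYPES = {"a": 1, "ns": 2, "cname": 5, "soa": 6, "ptr": 12,
          "mx": 15, "txt": 16, "aaaa": 28, "srv": 33}
DEFAULT_ACTION = "drop"   # Table 111: "Default: Drop"
RCODE_REFUSED = 5         # DNS response code for "Refused"


class ProxyBlockPolicy:
    """Hypothetical model of the Action / Type List / Range List fields."""

    def __init__(self, action=None, type_list=(), range_list=()):
        if action not in (None, "no", "drop", "reject", "ignore"):
            raise ValueError(f"unknown action: {action!r}")
        # A type selected without an action gets the default action.
        self.action = action or DEFAULT_ACTION
        self.types = {QTYPES[name.lower()] for name in type_list}
        self.ranges = []
        for low, high in range_list:
            if not 1 <= low <= high <= 65535:
                raise ValueError(f"bad range: {low}-{high}")
            self.ranges.append((low, high))

    def enabled(self):
        # An action without any query type leaves the feature disabled.
        return bool(self.types or self.ranges)

    def decide(self, qtype):
        """Return 'drop', 'reject' or 'pass' for one query type."""
        matched = qtype in self.types or any(
            low <= qtype <= high for low, high in self.ranges)
        if not matched or self.action in ("no", "ignore"):
            return "pass"
        return self.action


def parse_question(packet):
    """Return (txid, qname, qtype, end_offset) of a single-question query."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label in question")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, pos + 4


def handle_query(packet, policy):
    """Return (verdict, reply); reply is set only for a 'reject' verdict."""
    try:
        txid, _qname, qtype, end = parse_question(packet)
    except ValueError:
        return "malformed", None
    verdict = policy.decide(qtype)
    if verdict != "reject":
        return verdict, None
    flags = struct.unpack("!H", packet[2:4])[0]
    # QR=1, opcode and RD copied from the query, RCODE=REFUSED.
    reply_flags = 0x8000 | (flags & 0x7900) | RCODE_REFUSED
    header = struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0)
    return verdict, header + packet[12:end]


def build_query(txid, name, qtype):
    """Constructed test input: a minimal query with RD set, class IN."""
    qname = b"".join(bytes([len(part)]) + part.encode("ascii")
                     for part in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    # Constructed policy: reject TXT plus types 250-255 (252 = AXFR, 255 = ANY).
    policy = ProxyBlockPolicy("reject", ["txt"], [(250, 255)])
    for qtype in (1, 16, 252, 255):
        query = build_query(0x1234, "www.example.com", qtype)
        print(qtype, handle_query(query, policy)[0])
```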


Config Mode > Service > GSLB > Global

This page displays the global GSLB settings you can configure.

Table 112 lists the global GSLB parameters.

TABLE 112 GSLB Global Parameters


Global Section

Parameter: Run GSLB as Site SLB Device
Description and Syntax: Select this option if the ACOS device will perform SLB at one of the GSLB sites.
Note: If the ACOS device will also manage all the SLB sites in the GSLB deployment, also select Run GSLB as Controller.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Run GSLB as Controller
Description and Syntax: Select this option if the ACOS device will manage all the SLB sites in the GSLB deployment.
Note: The A10 Networks GSLB protocol uses port 4149. The protocol is registered on this port for both TCP and UDP.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: GSLB Protocol Update Interval
Description and Syntax: Specifies the number of seconds between GSLB status messages.
Supported Values: 1-300 seconds
Default: 30 seconds

Parameter: GSLB Protocol Limits
Description and Syntax: Changes message limits for the GSLB protocol.
Note: Generally, these settings do not need to be changed.
Supported Values: For each of these, you can specify 0-1000000.
Defaults:
• Active RDT query – 200
• Active RDT Response – 1000
• Active RDT Session – 32768
• Connection Load Response – Unlimited
• Response – 3600
• Message – 10000

Parameter: use-mgmt-port
Description and Syntax: Uses the management interface as the source interface for the connection to the remote device. If you omit this option, the ACOS device uses a data interface instead.
Supported Values: Selected or unselected
Default: Unselected

Parameter: GSLB Active RDT
Description and Syntax: Configures global settings for the aRDT metric.
• Domain – Specifies the domain for aRDT queries.
• Interval – Specifies the number of seconds between queries.
• Retry – Specifies the number of times GSLB will resend a query to which no reply has been received.
• Sleep – Specifies the number of seconds during which GSLB will stop sending queries, if the number of retries is used and no reply has been received.
• Timeout – Specifies the number of milliseconds GSLB will wait for a reply before resending the query.
• Track – Specifies the tracking time.
Supported Values: You can specify the following values:
• Domain – Valid domain name
• Interval – 1-16383 seconds
• Retry – 0-16
• Sleep – 1-300 seconds
• Timeout – 1-16383 milliseconds (ms)
• Track – 3-16383 seconds
• Port – A valid port number
Defaults:
• Domain – Not set
• Interval – 1 second
• Retry – 3
• Sleep – 3 seconds
• Timeout – 3000 ms
• Track – 60 seconds
• Port – 0

Parameter: GSLB DNS
Description and Syntax: Configures global settings for DNS queries.
• Action – Globally drop or reject DNS queries from the local DNS server.
  • No – Performs no action on DNS queries.
  • Drop – Drops DNS queries that do not match any zone service.
  • Reject – Rejects DNS queries that do not match any zone service, and returns the “Refused” message in replies.
• Logging – Sets global DNS logging parameters.
  • No – Disables option.
  • Query – Specifies that query messages are logged.
  • Response – Specifies that response messages are logged.
  • Both – Specifies that both query and response messages are logged.
  • None – Logs nothing.
Supported Values:
Action:
• No
• Drop
• Reject
Logging:
• No
• Query
• Response
• Both
• None
Defaults:
• Action – No
• Logging – No

System Section

Auto Map Module
  Description: Automatically builds DNS infrastructure. You can append one or more of the following modules:
    • GSLB Site
    • GSLB Service IP
    • GSLB Group
    • SLB Device
    • SLB Server
    • SLB Virtual Server
    • Hostname
  Supported values: One or more of the following options:
    • GSLB Site
    • GSLB Service IP
    • GSLB Group
    • SLB Device
    • SLB Server
    • SLB Virtual Server
    • Hostname
  Default: None set

Auto Map TTL
  Description: Automatically specifies the number of seconds the ACOS device caches DNS replies.
  Supported values: 1-65535
  Default: 300

IP TTL
  Description: Changes the IP Time-to-Live (TTL) in DNS replies to clients.
  Supported values: 1-255
  Default: 0

Wait
  Description: Delays startup of GSLB following startup of the ACOS device.
  Supported values: 0-16384 seconds
  Default: 0 seconds (no delay)

Metrics That Require the GSLB Protocol on Site ACOS Devices


ACOS devices use the GSLB protocol for GSLB management traffic. The
protocol is required to be enabled on the GSLB controller. The protocol is
recommended on site ACOS devices but is not required. However, some
GSLB policy metrics require the protocol to be enabled on the site ACOS
devices as well as the GSLB controller:
• Session Capacity

• aRDT

• Connection Load

• Num Session

• Least Response

The GSLB protocol is required in order to collect the site information
provided for these metrics.

Note: The GSLB protocol is also required for the health-check metric, if the
default health checks are used. If you modify the health checks, the GSLB
protocol is not required.


Config Mode – Security Options

This chapter describes configuration options for ACOS security features.


• “Config Mode > Security > WAF”

• “Config Mode > Security > Authentication”

• “Config Mode > Security > Template”

• “Config Mode > Security > Network”

Config Mode > Security


The Security pages enable you to configure the following ACOS security
features:
• Web Application Firewall (WAF)

• Application Access Management (AAM)

WAF
The WAF filters communication between users and Web applications to
protect Web servers and sites from unauthorized access and malicious
programs. This new layer of security examines incoming end-user requests,
output from Web servers, and access to Web site content to safeguard
against Web attacks and protect sensitive information hosted on Web
servers.


AAM
Application Access Management (AAM) is a suite of security features for
optimizing Authentication, Authorization, and Accounting (AAA) for
client-server traffic. AAM includes the following features:
• Logon Portal – The Logon Portal provides a single sign-on interface for
end-users. ACOS obtains the end-user’s credentials through a basic
HTTP request-reply exchange or using a web-based form, then uses a
backend AAA server to verify the credentials.
• Online Certificate Status Protocol (OCSP) – OCSP is a network
component that provides certificate verification services. OCSP eliminates
the need to import certificate revocation list (CRL) files onto the ACOS
device. Instead, the CRLs are maintained on the OCSP responder
(server). When a client sends its certificate as part of a request for a
secured service, ACOS sends the certificate to the OCSP responder for
verification, before allowing the client to access secured services.
• Authentication Relay – Authentication Relay offloads your AAA
servers. ACOS contacts backend AAA servers on behalf of clients. After a
server responds, ACOS caches the reply and uses the cached reply for
subsequent client requests.
• AAA Health Monitoring and Load Balancing – You can use ACOS SLB
to load balance authentication traffic among a group of AAA servers.
ACOS supports custom health checks for LDAP, RADIUS, Kerberos,
and OCSP.

More Information
The GUI pages for configuring WAF and AAM features are described in
this document. However, for information about how to use these features to
deploy security solutions for your network, see the following:
• Web Application Firewall Guide

• Application Access Management and DDoS Mitigation Guide


Config Mode > Security > WAF


The WAF is configured via a WAF template, which includes built-in basic
and policy-based security checks for effortless and quick enabling. Within
the WAF template, you can enforce security checks to immediately provide
a foundational level of protection against common threats.

For more information, see the Web Application Firewall Guide.

Config Mode > Security > WAF > Bind

From the Bind page, you can configure ACOS to override the WAF
settings applied to the HTTP/HTTPS virtual port with another set of WAF
settings, using an HTTP policy template. You can configure rules in the HTTP
template to match on URLs, hostnames, or cookie names in traffic.

Binding a WAF Template


1. Navigate to Config Mode > Security > WAF > Bind. A table of HTTP
virtual services appears. (A virtual service is the combination of a
virtual IP address, or “VIP”, and a virtual port with service type HTTP or
HTTPS.)

FIGURE 33 Config Mode > Security > WAF > Bind

2. Click the Bind icon. The WAF binding page appears.


d. In the Name field, select the name of an HTTP or HTTPS virtual
service port from the drop-down list.
e. Select the name of a configured WAF template from the drop-down
list or “create” to access the WAF template configuration page.

3. Select OK.


WAF Binding Parameters


Table 113 describes the fields of this page.

TABLE 113 Config Mode > Security > WAF > Bind
Parameter Description and Syntax Supported Values
WAF Section

Name
  Description: Name of the virtual service. The names in the drop-down list are in the following format: _VIPname_Type_Portnum
  Supported values: Configured virtual service
  Default: not set

WAF
  Description: WAF policy template to bind to the virtual service.
  Supported values: Configured WAF template
  Default: not set

HTTP Policy
  Description: HTTP policy template to bind to the virtual service, for use overriding WAF template settings.
  Supported values: Configured HTTP policy template
  Default: not set


Config Mode > Security > WAF > Template

The pages in this section provide configuration options to create WAF
templates and specify HTTP policies to override template application for
different types of client traffic.

Config Mode > Security > WAF > Template > WAF
From the WAF template page, you can quickly enforce security filters for
communication between clients and web servers.

To enforce the WAF template, apply the WAF template to the
HTTP/HTTPS virtual port of a virtual server.

Table 114 lists the security checks you can configure.

TABLE 114 WAF Template Options


Parameter Description and Syntax Supported Values
Template Name
  Description: Name of the WAF template in the ACOS configuration.
  Supported values: String
  Default: Not set

Deployment Mode

Deployment Mode
  Description: Sets the operational mode for the WAF template.
    • Active – Standard operational mode. You must use Active Mode if you want the WAF to sanitize or drop traffic based on the configured WAF policies.
    • Learning – Provides a way to initially set the thresholds for certain WAF checks based on known, valid traffic.
    • Passive – Provides passive WAF operation. All enabled WAF checks are applied, but no WAF action is performed upon matching traffic. This mode is useful in staging environments to identify false positives for filtering.
  Supported values: You can select one of the following:
    • Active
    • Learning
    • Passive
  Default: Active Mode

Request Checks

URI White List
  Description: Enforces the rules contained within a WAF policy file for the URI White List.
  Supported values: Name of a WAF policy file
  Default: uri_wlist_defs

URI Black List
  Description: Enforces the rules contained within a WAF policy file for the URI Black List.
  Supported values: Name of a WAF policy file
  Default: uri_blist_defs

Deny Action
  Description: WAF response sent to the client if traffic is denied by the WAF template.
  Supported values: One of the following:
    • http-resp-403 – Sends a 403 Forbidden response to the client. The default string returns a generic “Request Denied!” page to the client.
    • http-resp-200 – Sends a 200 OK response to the client with the specified resp-string. The default string returns a generic “Request Denied!” page to the client.
    • http-redirect – Redirects the client to the specified URL.
    • reset-conn – Sends a TCP RST to the client to end the connection.
  Default: http-resp-403

Allowed HTTP Methods
  Description: Checks requests to ensure they contain only the HTTP methods that are allowed by this option.
  Supported values: Valid HTTP method names:
    • GET
    • POST
    • HEAD
    • PUT
    • OPTIONS
    • DELETE
    • TRACE
    • CONNECT
    • PURGE
  Default: GET, POST

Bot Check
  Description: Checks the user-agent of incoming requests for known bots. This check uses the list of defined bots in the specified WAF policy file.
  Supported values: Enabled or Disabled
    Definition – Name of a configured WAF policy file
  Default: Disabled

Buffer Overflow
  Description: Checks for attempts to cause a buffer overflow on the Web server.
    • Max Cookie Length – Sets the maximum length for cookies allowed in a request.
    • Max Headers Length – Sets the maximum header length for headers allowed in requests.
    • Max URL Length – Sets the maximum URL length allowed in requests.
    • Max Post Size – Sets the maximum content length allowed in HTTP POST requests.
  Supported values: Enabled or Disabled
    The maximum accepted URL length can be set from 0 to 16127. The maximum accepted length for all other limits can be set from 0 to 65535.
  Default: Enabled
    If enabled, the following default values apply:
    • Max Cookie Length – 4,096
    • Max Header Length – 4,096
    • Max URL Length – 1,024
    • Max POST content size – 20,480

Cookie Encrypt
  Description: Uses the specified Secret string to encrypt and decrypt cookies in server to client communication. For Cookie Name, you can enter the name of a specific cookie as a string, or a PCRE expression to encrypt all cookies which match the expression.
  Supported values:
    Cookie Name – String or PCRE expression
    Secret – String
  Default: Not set

Cross-Site Forgery (CSRF) Check
  Description: Tags fields of a web form to protect against cross-site request forgery (CSRF).
  Supported values: Enabled or Disabled
  Default: Disabled

Form Consistency Check
  Description: Checks that user input to form fields is consistent with the intended format.
  Supported values: Enabled or Disabled
  Default: Disabled

HTTP Check
  Description: Checks that user requests are compliant with HTTP protocols.
  Supported values: Enabled or Disabled
  Default: Disabled

Max Cookies
  Description: Specifies the maximum number of cookies a request can contain.
  Supported values: 0-63
  Default: 20

Max Headers
  Description: Specifies the maximum number of headers a request can contain.
  Supported values: 0-63
  Default: 20

Referer Check
  Description: Validates that the referer header in a request contains Web form data from the specified Web server, rather than from an outside Web site. This check protects against CSRF attacks.
    • Enabled – Always validates the referer header. If selected, the request fails the check if there is no referer header or if the referer header is invalid.
    • Disabled – Configures WAF to not validate requests based on the referer header.
    • Only-If-Present – Validates the referer header only if a referer header exists. If the check finds an invalid referer header, the request fails the check. However, the request does not fail the check if there is no referer header in the request.
  Supported values: One of the following:
    • Enabled
    • Disabled
    • Only-If-Present
    If this check is activated, you can set the following additional options:
    • Allowed Referer Domains – String
    • Safe URL – String
  Default: Disabled

SQL Injection Attack Check
  Description: Checks for SQL strings to protect against SQL injection attacks. This check uses the list of defined SQL commands in the “sqlia_defs” WAF policy file.
  Supported values: One of the following:
    • Reject
    • Disabled
    • Sanitize
    Definition – Name of a configured WAF policy file
  Default: Disabled

Cross-site Scripting (XSS) Check
  Description: Checks for potential HTML XSS scripts to protect against cross-site scripting attacks. This check uses the list of defined JavaScript commands in the “jscript_defs” WAF policy file.
  Supported values: One of the following:
    • Reject
    • Disabled
    • Sanitize
  Default: Disabled

URL Check
  Description: Select this option to prevent users from accessing the URLs of your website directly. The URL Check allows users to only access Web pages by clicking a hyperlink on your protected Web site.
  Note: In the current release, the approved URL path list for the URL Check can be configured only using Learning Mode.
  Supported values: Enabled or Disabled
  Default: Disabled

Request Checks

CCN Mask
  Description: Replaces all but the last four digits of credit card numbers with an “x” character.
  Supported values: Enabled or Disabled
  Default: Disabled

SSN Mask
  Description: Replaces all but the last four digits of US Social Security numbers with an “x” character.
  Supported values: Enabled or Disabled
  Default: Disabled

PCRE Mask
  Description: Cloaks patterns in a response that match the specified PCRE pattern.
    • PCRE Pattern – Specifies the pattern to search for in responses.
    • Mask – Selects a character to mask the matched pattern of a string.
    • Keep Start – Sets the number of unmasked characters at the beginning of the string.
    • Keep End – Specifies the number of unmasked characters at the end of the string.
  Supported values: You can specify the following options:
    • PCRE Pattern – Valid string
    • Mask – Single character
    • Keep Start – 0-65535
    • Keep End – 0-65535
  Default:
    • PCRE Pattern – Not set
    • Mask – x
    • Keep Start – 0
    • Keep End – 0

Filter Response Headers
  Description: Removes the Web server’s identifying headers in responses. By default, this check uses the “allowed_resp_codes” WAF policy file for a list of acceptable HTTP response codes.
  Supported values: Enabled or Disabled
    Definition – Name of a configured WAF policy file
  Default: Disabled
    If enabled, the default policy file is “allowed_resp_codes”

Hide Response Codes
  Description: “Cloaks” your Web servers by hiding response codes from them instead of forwarding them to the client.
  Supported values: Enabled or Disabled
  Default: Disabled

Template for External Logging

Logging Template
  Description: Applies a configured logging template to the WAF template.
  Supported values: Name of a logging template
  Default: None selected
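
The masking options in the table above (CCN Mask, SSN Mask, and PCRE Mask with its Mask, Keep Start and Keep End settings) can be modelled as follows. This is an added example, not A10 code: Python's re module stands in for PCRE, and the patterns, function names and sample body are constructed. Leaving separators unmasked, and leaving a match untouched when Keep Start plus Keep End covers it entirely, are assumptions of the example.

```python
"""Model of the response-masking checks described in the table above.

Added illustration, not A10 code. Python's `re` stands in for PCRE, and the
patterns and sample body below are constructed for the example.
"""
import re

# ASSUMPTION: constructed detection patterns; the page does not publish the
# patterns ACOS uses for card or Social Security numbers.
CCN_PATTERN = r"\b\d(?:[ -]?\d){12,15}\b"   # 13-16 digits, optional separators
SSN_PATTERN = r"\b\d{3}-\d{2}-\d{4}\b"      # NNN-NN-NNNN


def pcre_mask(text, pattern, mask="x", keep_start=0, keep_end=0):
    """Cloak every match of `pattern`, leaving `keep_start` leading and
    `keep_end` trailing characters of each match unmasked.

    Defaults follow the table: mask character "x", Keep Start 0, Keep End 0.
    """
    if len(mask) != 1:
        raise ValueError("Mask must be a single character")
    for name, value in (("keep_start", keep_start), ("keep_end", keep_end)):
        if not 0 <= value <= 65535:
            raise ValueError(f"{name} must be in the range 0-65535")

    def cloak(match):
        s = match.group(0)
        hidden = len(s) - keep_start - keep_end
        if hidden <= 0:
            # ASSUMPTION: when the kept prefix and suffix cover the whole
            # match, nothing is left to mask and the value passes unchanged.
            return s
        # len(s) - keep_end (not -keep_end) so that keep_end == 0 keeps nothing.
        return s[:keep_start] + mask * hidden + s[len(s) - keep_end:]

    return re.sub(pattern, cloak, text)


def mask_all_but_last_four_digits(text, pattern, mask="x"):
    """CCN/SSN-style masking: replace every digit of a match except the last
    four. ASSUMPTION: separators (spaces, hyphens) are left in place."""

    def cloak(match):
        s = match.group(0)
        total_digits = sum(c.isdigit() for c in s)
        out, seen = [], 0
        for c in s:
            if c.isdigit():
                seen += 1
                out.append(c if seen > total_digits - 4 else mask)
            else:
                out.append(c)
        return "".join(out)

    return re.sub(pattern, cloak, text)


def mask_response(body):
    """Apply the three checks in sequence to one response body."""
    body = mask_all_but_last_four_digits(body, CCN_PATTERN)
    body = mask_all_but_last_four_digits(body, SSN_PATTERN)
    # Hypothetical custom rule: cloak session tokens but keep the "tok_"
    # prefix and the last two characters for troubleshooting.
    return pcre_mask(body, r"tok_[A-Za-z0-9]+", mask="*", keep_start=4, keep_end=2)


# Constructed sample response body (test card number, invalid SSN).
SAMPLE_BODY = "card=4111 1111 1111 1111; ssn=078-05-1120; session=tok_ABCDEF123456"

if __name__ == "__main__":
    print(mask_response(SAMPLE_BODY))
```

When sizing Keep Start and Keep End against the shortest value the pattern can match, note that in this model a value no longer than their sum is returned unmasked.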

Config Mode > Security > WAF > Template > HTTP Policy
You can configure ACOS to override the WAF settings applied to the
HTTP/HTTPS virtual port with another set of WAF settings, using an HTTP
policy template. You can configure rules in the HTTP template to match on
URLs, hostnames, or cookie names in traffic.

Note: For the WAF to operate, it is still required to bind a WAF template
directly to the virtual port, to use as the virtual port’s primary WAF
template. HTTP policy templates can be used only to override the primary
WAF template with a secondary WAF template, based on the match rules in
the HTTP policy template.

To configure WAF override:


1. Select Config Mode > Security > WAF > Template > HTTP Policy.

2. Click Add to create a new template. To edit an existing template, click
on the template name instead.

3. Enter a name for the template in the Name field.

4. Configure rules for matching:


a. Select the rule type from the Type drop-down list:
• URL
• Host
• Cookie Name
b. Select the match operation from the Match Type drop-down list:
• Equals string – matches only if the URL, hostname, or cookie
name completely matches the specified string.
• Starts With string – matches only if the URL, hostname, or
cookie name starts with the specified string.
• Contains string – matches if the specified string appears anywhere
within the URL, hostname, or cookie name.
• Ends With string – matches only if the URL, hostname, or
cookie name ends with the specified string.


c. Enter the match pattern in the Match field.


d. From the WAF drop-down list, select the WAF template to which to
bind this HTTP policy template. The WAF template you select will
be used for traffic that matches the rule.
e. Click Add.
f. Repeat for each rule.

5. Click OK.

Note: Match options are always applied in the order shown above, regardless of
the order in which the rules appear in the configuration. The WAF
template associated with the rule that matches first is used.

Note: If a template has more than one rule with the same match option (equals,
starts-with, contains, or ends-with) and a URL matches on more than one
of them, the most-specific match is always used.
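
The two notes above decide which WAF template handles a request, and the outcome can differ from what the configured rule order suggests. The following model is an added example, not A10 code; the template names and requests are constructed. It assumes that "most-specific" means the longest match string, that URL, Host and Cookie Name rules are evaluated together, and that matching is case-sensitive.

```python
"""Model of how an HTTP policy template selects a WAF template.

Added illustration, not A10 code. Rule and template names are constructed.
"""
from dataclasses import dataclass

# Match options in the order the procedure lists them. Per the note, this
# order (not the configuration order) decides which rule is tried first.
MATCH_ORDER = ("equals", "starts-with", "contains", "ends-with")

MATCHERS = {
    "equals": lambda value, s: value == s,
    "starts-with": lambda value, s: value.startswith(s),
    "contains": lambda value, s: s in value,
    "ends-with": lambda value, s: value.endswith(s),
}


@dataclass(frozen=True)
class Rule:
    rule_type: str      # "url", "host" or "cookie-name"
    match_type: str     # one of MATCH_ORDER
    match: str          # the string entered in the Match field
    waf_template: str   # secondary WAF template used when the rule matches


def values_for(rule_type, request):
    """Return the request values a rule of this type is compared against."""
    if rule_type == "url":
        return [request["url"]]
    if rule_type == "host":
        return [request["host"]]
    if rule_type == "cookie-name":
        return list(request.get("cookies", {}))
    raise ValueError(f"unknown rule type: {rule_type}")


def select_waf_template(rules, request, primary_template):
    """Return the WAF template that applies to `request`.

    Falls back to the primary template bound to the virtual port when no
    rule matches.
    """
    for match_type in MATCH_ORDER:
        test = MATCHERS[match_type]
        hits = [
            rule for rule in rules
            if rule.match_type == match_type
            and any(test(v, rule.match) for v in values_for(rule.rule_type, request))
        ]
        if hits:
            # ASSUMPTION: "most-specific" is modelled as the longest match string.
            return max(hits, key=lambda rule: len(rule.match)).waf_template
    return primary_template


# Constructed rule set, deliberately configured in the reverse of the
# evaluation order to show that configuration order does not matter.
RULES = [
    Rule("url", "ends-with", ".php", "waf-php"),
    Rule("url", "contains", "admin", "waf-strict"),
    Rule("url", "starts-with", "/app", "waf-app"),
    Rule("url", "starts-with", "/app/admin", "waf-admin"),
    Rule("url", "equals", "/app/admin/health", "waf-monitor"),
    Rule("cookie-name", "starts-with", "beta_", "waf-beta"),
]


def request(url, cookies=None):
    """Build a constructed request for the example host."""
    return {"url": url, "host": "www.example.com", "cookies": cookies or {}}


if __name__ == "__main__":
    for req in (
        request("/app/admin/health"),
        request("/app/admin/users.php"),
        request("/legacy/admin.php"),
        request("/legacy/admin.php", {"beta_ui": "1"}),
        request("/static/logo.png"),
    ):
        print(req["url"], sorted(req["cookies"]), "->",
              select_waf_template(RULES, req, "waf-default"))
```

In this model the request for /legacy/admin.php moves from waf-strict to waf-beta as soon as the client sends a cookie whose name starts with beta_, because starts-with rules are evaluated before contains rules.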

Config Mode > Security > WAF > Definition

Caution: Misconfigured PCRE expressions can negatively impact system
performance. Do not apply a PCRE expression to a WAF policy file
unless you are completely certain that the PCRE expression will
achieve the desired result.

The following WAF security checks use WAF policy files (also referred to
as WAF Definitions) to provide customized protection against common
threats:
• Hide Response Codes

• Bot Check

• XSS Check

• SQLIA Check

• URI Black List

• URI White List

If one of these checks is enabled and a WAF definition file is not specified,
the default WAF policy file is applied.


Table 115 lists pre-loaded WAF policy files.

TABLE 115 Pre-Loaded WAF Policy Files


Check                 Policy File          Description
Hide Response Codes   allowed_resp_codes   Defines a list of permitted HTTP response codes.
Bot Check             bot_defs             Defines a list of known bots.
XSS Check             jscript_defs         Defines a set of commonly used JavaScript commands.
SQLIA Check           sqlia_defs           Defines common search terms for SQL injection attacks.
URI Black List        uri_blist_defs       Lists exclusion criteria for the URI Black List.
URI White List        uri_wlist_defs       Lists inclusion criteria for the URI White List.

Note: You cannot edit or delete default files. However, you can create and apply
new files to WAF checks at your own discretion. A10 Networks advises
copying a default WAF policy file and customizing the contents to fit your
specific demands.

Configure a WAF Policy File

To create a new WAF policy file:


1. Click Add. The WAF Definition creation page appears.

2. Optionally, select the Copy Available WAF definition checkbox and
select the name of a default WAF Policy File from the drop-down menu.
3. In the Name field, enter a name for the WAF policy file.
4. In the Definition field, configure a list of policy rules. The entries of a
WAF Policy File are written in the format of a PCRE expression.
5. Click OK.

To edit an existing WAF definition file:


1. Click the name of a configured Definition file.
2. In the Definition field, modify the policy file content.
3. Click OK.

Notes
• You cannot edit or delete default files. However, you can create and
apply new files to WAF checks at your own discretion. A10 Networks
advises copying a default WAF definition file and customizing the
contents to fit your specific demands.
• You can click on the name of an existing file to edit it in the GUI. You
can delete an existing file by selecting the checkbox located on the left
of its name, then clicking the Delete button.
• You can copy the contents of an existing policy file by selecting the
checkbox located on the left of its name, then clicking the Clone button.


Config Mode > Security > Authentication


The pages in this section configure Application Access Management
(AAM) features.

Config Mode > Security > Authentication > Bind

This page enables you to bind security resources to service ports (virtual
ports on VIPs). The buttons on this page enable you to perform the
following actions:
• Add – Create a new virtual port.

• Delete – Delete a virtual port.

• Edit – Edit an existing virtual port.

• Clone – Copy an existing virtual port.

• Enable – Enable a virtual port.

• Disable – Disable a virtual port.

The Add, Edit, and Clone buttons display a configuration page for the
virtual port.

The security configuration procedures that appear in other documents in the
ACOS library include steps to perform the security resource binding.

In the current release, the security bindings you can configure using this
page apply only to HTTP virtual ports.


Config Mode > Security > Authentication > Template

This page displays the configured authentication templates. From this page,
you can edit or delete existing templates, and create new ones.

Authentication Template Parameters


Table 116 lists the parameters you can configure.

TABLE 116 Config Mode > Security > Authentication > Template
Parameter Description Supported Values
Authentication Template Section

Name
  Description: Name of the template.
  Supported values: String of 1-31 characters
  Default: Not set

Authentication Server/Service Group
  Description: Specifies whether the template applies to a single AAA server or a group of servers:
    • Authentication Server – Use this option if you are binding a single AAA server to the template. Selecting this radio button activates the Authentication Server drop-down list. Select the authentication-server profile for the AAA server from the list.
    • Service Group – Use this option if you are binding a set of AAA servers to the template. Selecting this radio button activates the Service Group drop-down list. Select the service group that contains the AAA servers.
  Supported values: Authentication Server or Service Group radio button
  Default: Authentication Server

Authentication Relay
  Description: Binds an authentication-relay profile to the template.
  Supported values: Configured authentication-relay profile
  Default: Not set

Authentication Logon
  Description: Binds an authentication-logon profile to the template.
  Supported values: Configured authentication-logon profile
  Default: Not set

Logout URL
  Description: Web page to serve to end-users after they log out.
  Default: Not set

Logout Idle Timeout
  Description: Maximum amount of time an authenticated end-user session can be idle before being terminated by ACOS.
  Supported values: 1-86400 seconds
  Default: 300


Config Mode > Security > Authentication > Server

This page displays the configured authentication-server profiles.

Authentication-server Profile Parameters


Table 117 lists the parameters you can configure.

TABLE 117 Config Mode > Security > Authentication > Server
Parameter Description Supported Values
Authentication Server Section

Name
  Description: Name of the profile.
  Supported values: String of 1-31 characters
  Default: Not set

Type
  Description: AAA server type.
  Supported values: OCSP, RADIUS, or LDAP
  Default: OCSP

The following options apply if you select OCSP.

URL
  Description: Address of the OCSP responder, in the following format: http://hostname-or-ipaddr[:port-num]/
  Supported values: Valid hostname or IP address
  Default: Not set

Responder CA
  Description: Filename of the OCSP responder’s CA certificate.
  Note: You must import the file onto the ACOS device.
  Supported values: CA certificate file imported onto the ACOS device
  Default: Not set

Responder Cert
  Description: Filename of the OCSP responder’s certificate.
  Note: You must import the file onto the ACOS device.
  Supported values: Server certificate file imported onto the ACOS device
  Default: Not set

The following options apply if you select RADIUS.

Host
  Description: Hostname or IP address of the RADIUS server.
  Supported values: Valid hostname or IP address
  Default: Not set

Secret / Confirm Secret
  Description: Shared secret (password) used for securing RADIUS traffic between ACOS and the RADIUS server. The same string must be used by ACOS and the server.
  Supported values: String up to 128 characters long
  Default: Not set

Port
  Description: Protocol port on which the server listens for RADIUS traffic.
  Supported values: 1-65535
  Default: 1812

Retry
  Description: Maximum number of times ACOS will send the same request before giving up.
  Supported values: 1-32
  Default: 5

Interval
  Description: Maximum number of seconds ACOS will wait for a reply to a request before resending the request.
  Supported values: 1-1024 seconds
  Default: 3 seconds

Authorization Check
  Description: Checks the list of allowed URIs provided by the AAA server. (This capability requires configuration on the ACOS device and on the AAA server. For information, see the Application Access Management and DDoS Mitigation Guide.)
  Supported values: Selected or unselected
  Default: Unselected

The following options apply if you select LDAP.

Host
  Description: Hostname or IP address of the LDAP server.
  Supported values: Valid hostname or IP address
  Default: Not set

Port
  Description: Protocol port on which the server listens for LDAP traffic.
  Supported values: 1-65535
  Default: 389

Administrator’s DN
  Description: Distinguished Name (DN) of the LDAP admin account required for access to the server.
  Supported values: String
  Default: Not set

Admin Secret Password
  Description: Admin password.
  Supported values: String
  Default: Not set

Password Expiration Time
  Description: Maximum amount of time an end-user’s password can be cached.
  Supported values: 1 - 4294967295 seconds
  Default: Not set

Search Base
  Description: LDAP server’s search base.
  Supported values: String
  Default: Not set

Timeout
  Description: Maximum number of seconds ACOS waits for the LDAP server to respond to a request. If a request times out, ACOS aborts that request.
  Supported values: 1-255 seconds
  Default: 10 seconds

Authorization Check
  Description: Checks the list of allowed URIs provided by the AAA server. (This capability requires configuration on the ACOS device and on the AAA server. For information, see the Application Access Management and DDoS Mitigation Guide.)
  Supported values: Selected or unselected
  Default: Unselected

Use UID
  Description: Uses the UID instead of the CN for the admin name.
  Supported values: Selected or unselected
  Default: Unselected


Config Mode > Security > Authentication > Logon

This page displays the configured authentication-logon profiles.

Authentication-logon Profile Parameters


Table 118 lists the parameters you can configure.

TABLE 118 Config Mode > Security > Authentication > Logon
Parameter Description Supported Values
Authentication Logon Section

Name
  Description: Name of the profile.
  Supported values: String of 1-31 characters
  Default: Not set

Type
  Description: Authentication-logon profile type:
    • HTTP Basic – The Logon Portal sends an HTTP 401 (Unauthorized) message with response code 4, containing a WWW-Authenticate HTTP header. The client browser is expected to send a reply with the Authorization header, containing the username and password in Base64-encoded form.
    • Form Based – The Logon Portal uses a set of web pages to collect user credentials.
  Note: Form-based logon requires a set of Logon Portal files, which must be imported onto the ACOS device. (See “Config Mode > Security > Authentication > Portal”.)
  Supported values: HTTP Basic or Form Based
  Default: HTTP Basic

The following options apply if you select HTTP Basic.

Realm
  Description: Name of the realm secured by the AAA server.
  Default: Not set

Retry
  Description: Number of times ACOS will resend the authentication request to the client, to allow the end-user to re-enter their credentials.
  Supported values: 1-32
  Default: 3

The following options apply if you select Form Based.

Portal
  Description: Zip archive of web portal files.
  Note: This file must be imported onto the ACOS device. (See “Config Mode > Security > Authentication > Portal”.)
  Supported values: Zip archive imported onto the ACOS device
  Default: Not set

Action URL
  Description: URL for the POST action to be performed by the client browser after the end-user enters their credentials.
  Supported values: Valid URL string; for example: mylogon.fo
  Default: Not set

Username Variable
  Description: Name of the data field for the username entered into the logon form by the end-user.
  Supported values: String
  Default: Not set

Password Variable
  Description: Name of the data field for the password entered into the logon form by the end-user.
  Default: Not set


Config Mode > Security > Authentication > Relay

This page displays the configured authentication-relay profiles.

Authentication-relay Profile Parameters


Table 119 lists the parameters you can configure.

TABLE 119 Config Mode > Security > Authentication > Relay
Parameter Description Supported Values
Authentication Relay Section

Name
  Description: Name of the profile.
  Supported values: String
  Default: Not set

Type
  Description: Type of authentication ACOS uses to log onto content servers on behalf of authenticated clients:
    • HTTP Basic – ACOS uses Basic-HTTP authentication to log onto content servers on behalf of clients authenticated by a backend AAA server.
    • Kerberos – ACOS uses Kerberos.
  Supported values: HTTP Basic or Kerberos
  Default: Not set

The following options apply if you select Kerberos.

KDC
  Description: Hostname or IP address of the Kerberos Key Distribution Center (KDC).
  Supported values: Valid hostname or IP address
  Default: Not set

Port
  Description: Protocol port number on which the KDC listens for requests.
  Supported values: 1-65535
  Default: 88

Timeout
  Description: Maximum number of seconds ACOS waits for the Kerberos server to respond to a request. If a request times out, ACOS aborts that request.
  Supported values: 1-255 seconds
  Default: 10

Realm
  Description: Name of the realm (domain) secured by the Kerberos server.
  Supported values: String
  Default: Not set

AX KDC Account
  Description: Kerberos admin account name required to log onto the KDC.
  Supported values: String
  Default: Not set

AX KDC Password
  Description: Password required for logging onto the KDC.
  Supported values: String
  Default: Not set


Config Mode > Security > Authentication > Portal

This page lists the zip archives imported onto the ACOS device for use with
form-based authentication. You can use this page to import new archives,
and to delete any archives that are no longer needed.

To import a web portal archive:


1. Click Import.

2. In the File Name field, enter a name for the file. This is the name you
will need to refer to when using the file in an AAM deployment.

3. Select the location of the file to be imported:


• Local – The file is on the PC you are using to run the GUI, or is on a
PC or server in the local network. Go to step 4.
• Remote – The file is on a remote server. Go to step 6.

4. Click Browse and navigate to the location of the certificate.

5. Click Open. The path and filename appear in the Source field. Go to
step 12.

6. To use the management interface as the source interface for the connection to the remote device, select Use Management Port. Otherwise, the ACOS device will attempt to reach the remote server through a data interface.

7. Select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.

8. In the Host field, enter the hostname or IP address of the server where
the archive is located.

9. In the Location field, enter the directory path and filename.

10. If needed, change the protocol port number in the Port field. By default, the default port number for the selected file transfer protocol is used.

11. In the User and Password fields, enter the username and password
required for access to the remote server.

12. Click OK.


Config Mode > Security > Template


These options allow you to configure the following types of security feature
templates:
• Policy – Useful for a variety of security solutions, policy templates can
use black/white lists or class lists to match on traffic, and to specify
actions to perform on matching traffic.
• DNS Application Firewall – Useful for DNS caching and optimization,
as well as filtering malformed requests.


Config Mode > Security > Template > Policy

The Policy page displays the configured policy templates. This page is displayed when you click Add or click on a template name.

Table 120 lists the parameters you can configure in policy templates.

TABLE 120 PBSLB Policy Template Parameters

Policy Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters. Default: Not set

Parameter: Black-White List
Description: Specifies the black/white list to use for Policy-based SLB (PBSLB), and the settings for groups within the list.
1. Select the black/white list from the drop-down list or select “create” to create or import a new one. (If you click “create”, see “Config Mode > SLB > Black-White List” on page 287.)
2. Enter settings for the groups in the black/white list:
   a. Select the group from the Group ID drop-down list.
   b. Select one of the following from the Action drop-down list.
      • Drop – Drops connections for IP addresses that are in the specified group.
      • Reset – Resets connections for IP addresses that are in the specified group.
      • service group name – Sends clients to the SLB service group associated with this group ID on the ACOS device.
      • create – This option displays the configuration page for creating a new service group.
   c. Optionally, enable logging. To change the logging interval, edit the number in the Period field. Logging generates messages to indicate that traffic matched the group ID.
   d. To generate log messages only when there is a failed attempt to reach a service group, select Log Failures only.
   e. Click Add. The group settings appear in the PBSLB list.
   f. Repeat the steps above for each group.
3. Select the action to take when traffic exceeds the limit: Drop or Reset.
Note: If the Use default server selection when preferred method fails option is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.
Notes:
• If a connection limit is specified in a black/white list, the ACOS device does not support using the list for both system-wide PBSLB and for PBSLB on an individual virtual port. In this case, the ACOS device may increase the current connection counter more than once, resulting in a much lower connection limit than the configured value. To work around this issue, use separate black/white lists.
• If the template uses a black/white list, the Lockup over-limit action is applicable only if the template is applied at the system level, for system-wide PBSLB deployed for Sockstress protection. If the template uses a class list, the Lockup over-limit action is applicable regardless of whether the template is applied at the system level or to an individual virtual server or virtual port.
Supported Values: Name of a black/white list either created on or imported onto the ACOS device. Default: none
Parameters for each group:
• Group ID – No default
• Action – Drop, Reset, or a service group name. Default: Drop
• Logging – Default: disabled
• Period – 0-60 minutes. Default: 3
• Log Failures Only – Default: disabled
• Over Limit Action – Lockout or Reset. Default: drop
• Over Limit Lockup Duration – 1-127 minutes. Default: not set
• Over Limit Log Interval – 1-255 minutes. Default: not set
Timeout – 1-127 minutes. Default: 5

Parameter: Class List
Description: Configures limits for client IP traffic. You can apply a policy template for IP limiting on a global basis, to individual virtual servers, or to individual virtual ports.
To configure IP limiting, specify the following parameters:
• Class list – Class of clients to which to apply this IP limiting rule. (See “Config Mode > SLB > Service > Class List” on page 196.)
• Limit ID (LID) – Number from 1-31 that identifies the rule.
• Connection limit – Maximum number of concurrent connections allowed for a client.
• Connection-rate limit – Maximum number of new connections allowed for a client within the limit period.
• Request limit – Maximum number of concurrent Layer 7 requests allowed for a client.
• Request-rate limit – Maximum number of Layer 7 requests allowed for a client within the limit period.
• Over-limit action – Action to take when a client exceeds one or more of the limits. The action can be one of the following:
   • Drop – The ACOS device drops that traffic. If logging is enabled, the ACOS device also generates a log message.
   • Forward – The ACOS device forwards the traffic. If logging is enabled, the ACOS device also generates a log message.
   • Reset – For TCP, the ACOS device sends a TCP RST to the client. If logging is enabled, the ACOS device also generates a log message.
• Lockout period – Number of minutes during which to apply the over-limit action after the client exceeds a limit. The lockout period is activated when a client exceeds any limit.
• Logging – Generates log messages when clients exceed a limit. When you enable logging, a separate message is generated for each over-limit occurrence, by default. You can specify a logging period, in which case the ACOS device holds onto the repeated messages for the specified period, then sends one message at the end of the period for all instances that occurred within the period.
• Client IP – Specifies the IP address on which to match:
   • L3 Source IP – Matches class-list entries based on the source IP address of client traffic.
   • L3 Destination IP – Matches class-list entries based on the destination IP address of client traffic.
   • L7 Header Name – Matches class-list entries based on the IP address in the specified client packet header.
Note: Class lists can be configured only in the shared partition. A policy template configured in the shared partition or in a private partition can use a class list configured in the shared partition.
Note: The class-list options Request limit and Request-rate limit, when configured in a policy template, are applicable only in policy templates that are bound to virtual ports. These options are not applicable in policy templates bound to virtual servers (rather than individual ports), or in policy templates used for system-wide PBSLB.
The Request limit and Request-rate limit options apply only to HTTP, fast-HTTP, and HTTPS virtual ports. The over-limit logging, when used with the request-limit or request-rate-limit option, always lists Ethernet port 1 as the interface.
Supported Values:
• Class list – Name of a configured class list.
• Limit ID (LID) – 1-31
• Connection limit – 0-1048575
• Connection-rate limit – 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
• Request limit – 1-1048575
• Request-rate limit – 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
• Over-limit action – Drop, Reset or Forward
• Lockout period – 1-1023 minutes
• Logging – Enabled or disabled. The logging period can be 0-255 minutes.
• Client IP – L3 Source IP, L3 Destination IP, or L7 Header Name. For L7 Header Name, you can specify the header name or use the default. (See below.)
Defaults:
• Class list – None
• Limit ID (LID) – None
• Connection limit – None
• Connection-rate limit – None
• Request limit – None
• Request-rate limit – None
• Over-limit action – Drop
• Lockout period – None
• Logging – Disabled. When logging is enabled, the default logging period is 0 (no wait period).
• Client IP – L3 Source IP. If you select L7 Header Name, the default header name is X-Forwarded-For.

Parameter: Use Destination IP
Description: Matches destination traffic against the black/white list, instead of source traffic. Generally, this option is applicable when wildcard VIPs are used.
Supported Values: Enabled or disabled. Default: Disabled. Source traffic is matched against the black/white list.

Parameter: Geo-location
Description:
• Overlap – Enables overlap matching mode. If there are overlapping addresses in the black/white-list, use this option to enable the ACOS device to find the most precise match.
• Share – Include all virtual servers and virtual ports that use the template. This option causes the following counters to be shared:
   • Permit
   • Deny
   • Connection number
   • Connection limit
   Note: A10 Networks recommends you enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect.
• Full Domain Tree – Checks the current connection count not only for the client’s specific geo-location, but for all geo-locations higher up in the domain tree.
Supported Values: The following values are supported:
• Overlap – Enabled or disabled
• Share – Enabled or disabled
• Full Domain Tree – Enabled or disabled
Default:
• Overlap – Disabled
• Share – Disabled
• Full Domain Tree – Disabled
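
The following Python model is an added illustration, not A10 code, of how the Class List parameters in Table 120 (connection-rate limit, limit period, over-limit action and lockout period) interact for a single client. It assumes fixed counting windows that start at a client's first connection and an "Accept" result for traffic under the limit; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACTIONS = ("Drop", "Reset", "Forward")   # over-limit actions listed in Table 120


@dataclass(frozen=True)
class LimitRule:
    """One limit rule, validated against the ranges given in Table 120."""
    lid: int
    connection_rate_limit: int
    limit_period_ms: int
    over_limit_action: str = "Drop"          # documented default
    lockout_minutes: Optional[int] = None    # documented default: none

    def __post_init__(self):
        if not 1 <= self.lid <= 31:
            raise ValueError("LID must be 1-31")
        if not 1 <= self.connection_rate_limit <= 4294967295:
            raise ValueError("connection-rate limit must be 1-4294967295")
        if not 100 <= self.limit_period_ms <= 6553500 or self.limit_period_ms % 100:
            raise ValueError("limit period must be 100-6553500 ms in 100 ms steps")
        if self.over_limit_action not in ACTIONS:
            raise ValueError("over-limit action must be Drop, Reset or Forward")
        if self.lockout_minutes is not None and not 1 <= self.lockout_minutes <= 1023:
            raise ValueError("lockout period must be 1-1023 minutes")


class ClientLimiter:
    """Per-client connection-rate accounting (assumed fixed-window model)."""

    def __init__(self, rule: LimitRule):
        self.rule = rule
        self.window: Dict[str, Tuple[int, int]] = {}   # client -> (start_ms, count)
        self.locked_until: Dict[str, int] = {}          # client -> unlock time in ms

    def new_connection(self, client_ip: str, now_ms: int) -> str:
        rule = self.rule
        # While locked out, the over-limit action applies to every connection.
        if now_ms < self.locked_until.get(client_ip, 0):
            return rule.over_limit_action
        start, count = self.window.get(client_ip, (now_ms, 0))
        if now_ms - start >= rule.limit_period_ms:      # limit period expired
            start, count = now_ms, 0
        count += 1
        self.window[client_ip] = (start, count)
        if count <= rule.connection_rate_limit:
            return "Accept"
        # Exceeding the limit activates the lockout period, if one is set.
        if rule.lockout_minutes is not None:
            self.locked_until[client_ip] = now_ms + rule.lockout_minutes * 60_000
        return rule.over_limit_action


def replay(rule: LimitRule, events: List[Tuple[int, str]]) -> List[str]:
    """Run (time_ms, client_ip) events through a fresh limiter."""
    limiter = ClientLimiter(rule)
    return [limiter.new_connection(ip, t) for t, ip in events]


# Constructed sample traffic: client A bursts, client B stays under the limit.
SAMPLE_EVENTS = [(0, "198.51.100.7"), (100, "198.51.100.7"), (200, "198.51.100.7"),
                 (300, "198.51.100.7"), (300, "198.51.100.8"),
                 (1500, "198.51.100.7"), (60300, "198.51.100.7")]

if __name__ == "__main__":
    with_lockout = LimitRule(1, 3, 1000, "Reset", lockout_minutes=1)
    without_lockout = LimitRule(1, 3, 1000, "Reset")
    print(replay(with_lockout, SAMPLE_EVENTS))
    print(replay(without_lockout, SAMPLE_EVENTS))
```
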


Config Mode > Security > Template > DNS Firewall

This option displays the configured DNS Firewall templates.

The DNS Firewall configuration section is displayed when you click Add or
click on a template name.

Note: DNS Firewall templates are not supported with stateless load-balancing
methods.

Table 121 lists the parameters you can configure in DNS Firewall templates.

TABLE 121 DNS Template Parameters

DNS Firewall Section

Parameter: Name
Description: Name of the template.
Supported Values: String of 1-31 characters. Default: “default”. The default template has the default values listed below.
Note: The default template can not be modified.

Note: The parameter below applies to DNS security.

Parameter: Malformed Query
Description: Provides security for DNS VIPs. DNS security examines DNS queries addressed to a VIP to ensure that the queries are formed properly (not malformed). If a malformed DNS query is detected, the ACOS device takes one of the following actions:
• Drop – Drops the query
• Forward to Service Group – This option is useful if you want to quarantine and examine the malformed queries, while still keeping them away from the DNS server.
Supported Values: Default: Not set. When you enable the Malformed Query option, the default action is Drop.

Parameter: DNS Firewall Template
Description: Enables or disables the template. If you disable the template, the settings stop taking effect but the template itself is not removed from the configuration.
Supported Values: Enabled or Disabled. Default: Enabled

Note: The parameters below apply to DNS optimization.

Parameter: Default Policy
Description: Cache action for requests that do not match any domain-string in the class list.
Supported Values: Cache or No Cache. Default: No Cache. By default, replies for domain names that do not match the class list are not cached.

Parameter: Log Period
Description: Period for logging of DNS caching events.
Supported Values: 1-10000 minutes. Default: Not set

Parameter: Max Cache Size
Description: Maximum number of DNS replies that can be cached for an individual DNS virtual port.
Supported Values: Configurable values differ with ACOS model. To view supported values, consult the GUI. Default: maximum allowed on the entire system.
Note: This is based on the standard amount of RAM installed in each system. For details, contact A10 Networks.

Parameter: Max Cache Entry Size
Description: Specifies the maximum number of DNS entries that can be cached per VIP.
Supported Values: 1-4096 bytes. Default: 256 bytes

Parameter: Max Query Length
Description: Specifies the maximum number of bytes in the DNS query.
Supported Values: 1-4095. Default: unlimited

Parameter: Class List
Description: Class list to use for matching on domain strings.
To configure a class list, see “Config Mode > SLB > Service > Class List” on page 196.
After you select a class list, the following configuration fields appear. These fields configure a LID for DNS caching. When you finish selecting or entering LID values, click Add.
• LID – LID ID
• DNS Cache – Specifies whether to cache replies to queries for the domain name.
• TTL – Number of seconds the ACOS device caches DNS replies.
• Weight – Numeric value used when cache entries need to be removed to make room for new entries. Lower-weighted objects are removed before higher weighted objects.
   • Cache more than 60% full, entries with weight 1 are eligible to be removed.
   • Cache more than 70% full, entries with weight 1 or 2 are eligible to be removed.
   • Cache more than 80% full, entries with weights 1-4 are eligible to be removed.
   • Cache more than 90% full, entries with weights 1-6 are eligible to be removed.
• Connection Rate Limit – Maximum rate allowed for queries. If queries exceed the specified rate, the over-limit action is applied.
• Over Limit – action to take if the query rate exceeds the configured limit:
   • Drop – Drops the request.
   • Forward – Forwards the request to the DNS server.
   • lockout minutes – Stops accepting new requests for the specified number of minutes.
   • Enable DNS Cache – Enables caching.
   • Disable DNS Cache – Disables caching.
• Lockout – After an over-limit condition occurs, stops accepting new requests for the specified number of minutes.
• Log – Enables logging for DNS caching. In the field to the right of the Log checkbox, enter the number of minutes between log messages.
Supported Values: Name of a configured class list
LID options:
• LID – 1-31
• DNS Cache – Enabled or disabled
• TTL – 1-65535 seconds.
• Weight – 1-7
• Connection Rate Limit – 1-4294967295 DNS connections per 1-65535 100-millisecond (ms) intervals
• Over Limit:
   • Drop
   • Forward
   • Enable DNS Cache
   • Disable DNS Cache
• Lockout – Enabled or disabled; 1-1023 minutes
• Log – Enabled or disabled; 1-10000 minutes
Default: not set
When you configure a LID, it has the following default values:
• DNS Cache – Enabled or disabled
• TTL – 1-65535 seconds.
• Weight – 1-7
• Connection Rate Limit – 1-4294967295 DNS connections per 1-65535 100-millisecond (ms) intervals
• Over Limit: Drop
• Lockout – Enabled or disabled; 1-1023 minutes
• Log – Enabled or disabled; 1-10000 minutes
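
To make the Malformed Query and Max Query Length parameters in Table 121 concrete, the added Python example below (not A10 code) applies RFC 1035 structural checks to a DNS query and returns the configured action when one fails. Which checks ACOS itself performs is not stated in this document, so the check list, the treatment of Max Query Length as total packet length, and all function names are assumptions.

```python
import struct
from typing import Optional, Tuple

HEADER_LEN = 12   # fixed DNS header size (RFC 1035)
MAX_LABEL = 63    # longest label allowed on the wire
MAX_NAME = 255    # longest encoded name, length octets included


def build_query(name: str, qtype: int = 1, flags: int = 0x0100) -> bytes:
    """Build a single-question query; used here to construct sample input."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN


def malformed_reason(packet: bytes,
                     max_query_length: Optional[int] = None) -> Optional[str]:
    """Return why the query is malformed, or None if every check passes."""
    if max_query_length is not None and len(packet) > max_query_length:
        return "exceeds Max Query Length"
    if len(packet) < HEADER_LEN:
        return "truncated header"
    _id, flags, qdcount, ancount, nscount, arcount = struct.unpack(
        "!HHHHHH", packet[:HEADER_LEN])
    if flags & 0x8000:
        return "QR bit set"                    # a response arriving as a query
    if qdcount != 1:
        return "question count is not 1"
    if ancount or nscount:
        return "answer or authority records present"
    offset, name_len = HEADER_LEN, 0
    while True:                                # walk the QNAME label by label
        if offset >= len(packet):
            return "name runs past end of packet"
        length = packet[offset]
        offset += 1
        name_len += 1 + length
        if length == 0:                        # root label ends the name
            break
        if length > MAX_LABEL:                 # also catches 0xC0 pointers
            return "label longer than 63 octets or compression pointer"
        if offset + length > len(packet):
            return "label runs past end of packet"
        offset += length
    if name_len > MAX_NAME:
        return "name longer than 255 octets"
    if offset + 4 > len(packet):
        return "missing QTYPE/QCLASS"
    if arcount == 0 and offset + 4 != len(packet):
        return "trailing bytes after question"
    return None


def handle(packet: bytes, action: str = "Drop",
           max_query_length: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Return ("pass", None) or (configured action, reason) for a query."""
    reason = malformed_reason(packet, max_query_length)
    return ("pass", None) if reason is None else (action, reason)


if __name__ == "__main__":
    good = build_query("www.example.com")      # constructed sample query
    for sample in (good, good[:20], good + b"\x00"):
        print(handle(sample, action="Forward to Service Group"))
```
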


Config Mode > Security > Network


The Network pages enable you to configure security options for Layer 2 and
Layer 3 network settings for the ACOS device.

Config Mode > Security > Network > ACL

The ACL pages enable you to configure and apply Access Control Lists
(ACLs).

You can use ACLs for the following tasks:


• Permit or block through traffic.

• Permit or block management access.

• Specify the internal host or subnet addresses to which to provide Network Address Translation (NAT).

An ACL can contain multiple rules. Each rule contains a single permit or
deny statement. Rules are added to the ACL in the order you configure
them. The first rule you add appears at the top of the ACL.

Configuring an ACL Rule


1. Select Config Mode > Service > Network > ACL.

2. On the menu bar, select Standard or Extended.

3. Click Add.

4. Configure the options for the rule. (See Table 122 on page 374 and
Table 123 on page 376.)

5. When finished configuring the rule, click OK. The rule list is redisplayed, containing the new rule.

6. To commit the ACL changes, click OK.


Re-Ordering ACL Rules

Each row in the ACL tables is a separate ACL rule. You can configure multiple rules in the same ACL. In this case, they still appear as separate rows, with the same ACL number.

The ACOS device applies the ACL rules in the order they are listed, starting
at the top of the table. The first rule that matches traffic is used to permit or
deny that traffic. After the first rule match, no additional rules are compared
against the traffic.

If you need to re-order the rules within an ACL, you can do so by dragging-and-dropping the rules to their new position.

Click OK to commit the changes.

Applying (Binding) ACLs

Access lists do not take effect until you apply them.


• To permit or block through traffic on an interface, apply the ACL to the interface. (See “Config Mode > Network > Interface” on page 397.)
• To specify the internal host or subnet addresses to which to provide NAT, select the ACL when configuring the pool. (See “Config Mode > SLB > SSL Management” on page 289.)
• To use the ACL to permit or block management access, see “Config Mode > System > Settings > Access Control” on page 460.

Anywhere an ACL can be used, this document describes how to apply the
ACL.

Config Mode > Security > Network > ACL > Standard

This option lists the configured standard ACLs. For configuration information, see the following topics:
• “Configuring an ACL Rule” on page 372

• “Re-Ordering ACL Rules” on page 373

• “Applying (Binding) ACLs” on page 373

The Standard section is displayed when you click Add or click on an ACL
number.


Table 122 lists the Standard ACL parameters.

TABLE 122 Standard ACL Parameters

Standard Section

Parameter: Remark / Entry
Description and Syntax: Specifies whether to configure an ACL remark or rule.
To create a remark:
1. Select the remark radio button.
2. Enter a value from 1-99 for the ID.
3. Write a remark and click Add.
4. Add or delete entries from the remark list.
5. When finished, click OK.
Note: Remarks will appear as a new ID. Subsequent remarks of the same ID are consolidated as a single entry.
To configure an ACL rule:
1. Select the Entry radio button.
2. You will have access to a series of configurable options. These are described in detail below.
3. When finished, click OK.
Supported Values: Default: Entry

Parameter: ID
Description and Syntax: ACL number.
Supported Values: 1-99

Parameter: Action
Description and Syntax: Specifies the action to perform on traffic that matches the ACL:
• Deny – Drops the traffic.
• Permit – Allows the traffic.
• L3-VLAN-fwd-disable – Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.
Supported Values: Default: Deny

Parameter: Log
Description and Syntax: Enables logging. When logging is enabled for the ACL, the ACOS device generates log messages when traffic matches the ACL.
The Transparent Session Only option limits logging. The option only logs creation and deletion of transparent sessions for traffic that matches the ACL rule.
Supported Values: Default: Disabled

Parameter: Source Address
Description and Syntax: Specifies the source address to match on:
• Any – The ACL matches on all source IP addresses.
• Host – The ACL matches only on the specified host IP address.
• Address – The ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter:
   • Use 0 to match.
   • Use 255 to ignore.
   For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
Supported Values: Default: Any
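
The first-match behavior described under “Re-Ordering ACL Rules” and the filter-mask semantics in Table 122 can be checked offline with the added Python sketch below, which is not A10 code. It evaluates source addresses against an ordered rule list and reports rules that can never match because an earlier rule already covers them. The filter-mask is applied bit by bit (0 bits must match, 1 bits are ignored), which generalizes the 0 and 255 octet values in the table; the rule set and all names are constructed for illustration, and no result is assumed for traffic that matches no rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_BITS = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Rule:
    action: str                    # "Permit" or "Deny"
    source: str = "any"            # "any" or an IPv4 address
    filter_mask: str = "0.0.0.0"   # 0.0.0.0 = Host; 0.0.0.255 = 24-bit subnet

    def care_bits(self) -> int:
        """Bits that must match: none for Any, else the inverted filter-mask."""
        if self.source == "any":
            return 0
        return ~ip_to_int(self.filter_mask) & ALL_BITS

    def value(self) -> int:
        if self.source == "any":
            return 0
        return ip_to_int(self.source) & self.care_bits()

    def matches(self, src_ip: str) -> bool:
        return (ip_to_int(src_ip) & self.care_bits()) == self.value()


def evaluate(acl: List[Rule], src_ip: str) -> Optional[Tuple[int, Rule]]:
    """Return (position, rule) of the first match from the top, or None."""
    for index, rule in enumerate(acl):
        if rule.matches(src_ip):
            return index, rule          # later rules are never compared
    return None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every address matched by `later` is also matched by `earlier`."""
    e_care, l_care = earlier.care_bits(), later.care_bits()
    if e_care & ~l_care & ALL_BITS:     # earlier checks a bit that later ignores
        return False
    return (later.value() & e_care) == earlier.value()


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Positions of rules that can never be the first match."""
    return [j for j, later in enumerate(acl)
            if any(covers(acl[i], later) for i in range(j))]


# Constructed ACL: the Deny for host 10.1.1.77 sits below a Permit for its subnet.
SAMPLE_ACL = [
    Rule("Deny", "10.1.1.50"),
    Rule("Permit", "10.1.1.0", "0.0.0.255"),
    Rule("Deny", "10.1.1.77"),
    Rule("Deny"),
]

if __name__ == "__main__":
    for ip in ("10.1.1.50", "10.1.1.77", "192.0.2.9"):
        print(ip, evaluate(SAMPLE_ACL, ip))
    print("shadowed rule positions:", shadowed_rules(SAMPLE_ACL))
```
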


Config Mode > Security > Network > ACL > Extended

This option lists the configured extended ACLs. For configuration information, see the following topics:
• “Configuring an ACL Rule” on page 372

• “Re-Ordering ACL Rules” on page 373

• “Applying (Binding) ACLs” on page 373

The Extended section is displayed when you click Add or click on an ACL
number.

Table 123 lists the Extended ACL parameters.

TABLE 123 Extended ACL Parameters

Extended Section

Parameter: Remark / Entry
Description and Syntax: Specifies whether to configure an ACL remark or rule.
To create a remark:
1. Select the remark radio button.
2. Enter a value from 100-199 for the ID.
3. Write a remark and click Add.
4. Add or delete entries from the remark list.
5. When finished, click OK.
Note: Remarks will appear as a new ID. Subsequent remarks of the same ID are consolidated as a single entry.
To configure an ACL rule:
1. Select the Entry radio button.
2. You will have access to a series of configurable options. These are described in detail below.
3. When finished, click OK.
Supported Values: Default: Entry

Parameter: ID
Description and Syntax: ACL number.
Supported Values: 100-199

Parameter: Action
Description and Syntax: Specifies the action to perform on traffic that matches the ACL:
• Deny – Drops the traffic.
• Permit – Allows the traffic.
• L3-VLAN-fwd-disable – Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.
Supported Values: Default: Deny

Parameter: Log
Description and Syntax: Enables logging. When logging is enabled for the ACL, the ACOS device generates log messages when traffic matches the ACL.
The Transparent Session Only option limits logging. The option only logs creation and deletion of transparent sessions for traffic that matches the ACL rule.
Supported Values: Enabled or Disabled. Default: Disabled

Parameter: Protocol
Description and Syntax: Specifies the IP protocol on which to match.
To match on source or destination protocol ports, select TCP or UDP. The Source Port and Destination Port fields appear.
Supported Values: You can select one of the following:
• ICMP
• IP
• TCP
• UDP
Default: ICMP

Parameter: Type
Description and Syntax: Matches based on the specified ICMP type. You can enter the type number in the Type Number field, or select the type from the drop-down list next to the Type Number field.
Note: This option is applicable if the protocol type is ICMP.
The type number can be 0-254.
The type name can be one of the following:
• echo-reply – Type 0, echo reply
• dest-unreachable – Type 3, destination unreachable
• source-quench – Type 4, source quench
• redirect – Type 5, redirect message
• echo-request – Type 8, echo request
• time-exceeded – Type 11, time exceeded
• parameter-problem – Type 12, parameter problem
• timestamp – Type 13, timestamp
• timestamp-reply – Type 14, timestamp reply
• info-request – Type 15, information request
• info-reply – Type 16, information reply
• mask-request – Type 17, address mask request
• mask-reply – Type 18, address mask reply
Supported Values: Default: Matches on any valid type number or name.

Parameter: Code
Description and Syntax: This option is applicable if the protocol is ICMP. Matches based on the specified ICMP code.
Supported Values: 0-254. Default: Not set

Parameter: Source Address
Description and Syntax: Specifies the source address on which to match:
• Any – The ACL matches on all source IP addresses.
• Host – The ACL matches only on the specified host IP address.
• Address – The ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter:
   • Use 0 to match.
   • Use 1 to ignore.
   For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.1
Supported Values: Default: Any

Parameter: Source Port
Description and Syntax: Specifies the source protocol port(s) on which to match, and the match operator.
This option is available only for the TCP or UDP protocol.
Click the checkbox to activate the configuration fields.
The operator can be one of the following:
• = (equal) – The ACL matches on traffic from the specified source port.
• > (greater than) – The ACL matches on traffic from any source port with a higher number than the specified port.
• < (less than) – The ACL matches on traffic from any source port with a lower number than the specified port.
• Range – The ACL matches on traffic from any source port within the specified range.
Supported Values: The port can be 1-65535. Default: Not set

Parameter: Destination Address
Description and Syntax: Specifies the destination address on which to match. The options are the same as those for Source Address.
Supported Values: Default: Any

Parameter: Destination Port
Description and Syntax: Specifies the destination protocol port(s) on which to match. The options are the same as those for Source Port.
Supported Values: The port can be 1-65535. Default: Not set

Parameter: DSCP
Description and Syntax: Matches on the 6-bit Diffserv value in the IP header.
Supported Values: 1-63. Default: Not set

Parameter: VLAN ID
Description and Syntax: Matches on the specified VLAN. VLAN matching occurs for incoming traffic only.
Supported Values: Valid VLAN ID. Default: Not set. Matches on any VLAN.

Parameter: Fragments
Description and Syntax: Matches on packets in which the More bit in the header is set (1) or has a non-zero offset.
Supported Values: Enabled or disabled. Default: disabled. Does not match on fragments.

Parameter: TCP Established
Description and Syntax: Matches on TCP packets in which the ACK or RST bit is not set. This option is useful for protecting against attacks from outside. Since a TCP connection from the outside does not have the ACK bit set (SYN only), the connection is dropped. Similarly, a connection established from the inside always has the ACK bit set. (The first packet to the network from outside is a SYN/ACK.)
Supported Values: Enabled or disabled. Default: disabled

Config Mode > Security > Network > ACL > IPv6

This option lists the configured IPv6 ACLs. For configuration information, see the following topics:
• “Configuring an ACL Rule” on page 372

• “Re-Ordering ACL Rules” on page 373

• “Applying (Binding) ACLs” on page 373

The IPv6 section is displayed when you click Add or click on an ACL number.

Table 124 lists the IPv6 ACL parameters.

TABLE 124 IPv6 ACL Parameters

IPv6 Section

Parameter: Name
Description and Syntax: ACL name.
Supported Values: String

Parameter: Action
Description and Syntax: Specifies the action to perform on traffic that matches the ACL:
• Deny – Drops the traffic.
• Permit – Allows the traffic.
• L3-VLAN-fwd-disable – Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.
Supported Values: Default: Deny

Parameter: Log
Description and Syntax: Enables logging. When logging is enabled for the ACL, the ACOS device generates log messages when traffic matches the ACL.
The Transparent Session Only option limits logging. The option only logs creation and deletion of transparent sessions for traffic that matches the ACL rule.
Supported Values: Enabled or Disabled. Default: Disabled

Protocol Specifies the IP protocol on which to match. You can select one of the following:
To match on source or destination protocol ports, • ICMP
select TCP or UDP. The Source Port and Destina- • IPv6
tion Port fields appear.
• TCP
• UDP
Default: ICMP
Source Address Specifies the source address on which to match: Default: Any
• Any – The ACL matches on all source IP
addresses.
• Host – The ACL matches only on the specified
host IP address.
• Address – The ACL matches on any host in the
specified subnet. The filter-mask specifies the
portion of the address to filter:
• Use 0 to match.
• Use 255 to ignore.
For example, the following filter-mask filters on a
24-bit subnet: 0.0.0.255
Source Port Specifies the source protocol port(s) on which to 1-65535.
match, and the match operator. Default: Not set
This option is available only for the TCP or UDP
protocol.
Click the checkbox to activate the configuration
fields.
The operator can be one of the following:
= (equal) – The ACL matches on traffic from the
specified source port.
> (greater than) – The ACL matches on traffic
from any source port with a higher number than
the specified port.
< (less than) – The ACL matches on traffic from
any source port with a lower number than the
specified port.
Range – The ACL matches on traffic from any
source port within the specified range.
Destination Specifies the destination address on which to match. Default: Any
Address The options are the same as those for Source
Address.
Destination Port Specifies the destination protocol port(s) on which 1-65535.
to match. Default: Not set
The options are the same as those for Source Port.

380 of 494 Customer Driven Innovation


Document No.: D-030-01-00-0067 – ACOS 2.7.1 8/5/2013
A10 Thunder Series and AX Series—GUI Reference
Config Mode – Security Options - Config Mode > Security

TABLE 124 IPv6 ACL Parameters (Continued)


Parameter Description and Syntax Supported Values
DSCP Matches on the 6-bit Diffserv value in the IP header. 1-63
Default: Not set
VLAN ID Matches on the specified VLAN. VLAN matching Valid VLAN ID
occurs for incoming traffic only. Default: Not set. Matches on any
VLAN.
Fragments Matches on packets in which the More bit in the Enabled or disabled
header is set (1) or has a non-zero offset. Default: disabled. Does not match on
fragments.
TCP Established Matches on TCP packets in which the ACK or RST Enabled or disabled
bit is not set. This option is useful for protecting Default: disabled
against attacks from outside. Since a TCP connec-
tion from the outside does not have the ACK bit set
(SYN only), the connection is dropped. Similarly, a
connection established from the inside always has
the ACK bit set. (The first packet to the network
from outside is a SYN/ACK.)
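
The filter-mask and port-operator semantics described in the Source Address and Source Port rows can be checked offline before a rule is entered. The following Python sketch is an added example, not A10 code: the `Rule` structure, the function names, first-match rule ordering and the inclusive range are assumptions, and the addresses are constructed documentation addresses in the IPv4 form used by the 0.0.0.255 example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def filter_mask_match(addr: str, base: str, filter_mask: str) -> bool:
    """Filter-mask semantics from the table: a 0 bit must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    ignore = int(ipaddress.IPv4Address(filter_mask))
    care = ~ignore & 0xFFFFFFFF
    return (a & care) == (b & care)


def port_match(port: int, operator: str, value) -> bool:
    """Operators from the Source Port row: '=', '>', '<' and 'range'."""
    if operator == "=":
        return port == value
    if operator == ">":
        return port > value
    if operator == "<":
        return port < value
    if operator == "range":
        low, high = value              # assumption: both ends are inclusive
        return low <= port <= high
    raise ValueError(f"unknown operator: {operator!r}")


@dataclass
class Rule:                            # hypothetical structure for this example
    action: str                                   # "permit" or "deny"
    protocol: str                                 # "tcp", "udp" or "icmp"
    src: Optional[Tuple[str, str]] = None         # (address, filter-mask); None = Any
    dst: Optional[Tuple[str, str]] = None
    sport: Optional[Tuple[str, object]] = None    # (operator, value); None = not set
    dport: Optional[Tuple[str, object]] = None


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.protocol != pkt["protocol"]:
        return False
    if rule.src and not filter_mask_match(pkt["src"], *rule.src):
        return False
    if rule.dst and not filter_mask_match(pkt["dst"], *rule.dst):
        return False
    # Port fields are only available for TCP and UDP, as the table notes.
    if rule.protocol in ("tcp", "udp"):
        if rule.sport and not port_match(pkt["sport"], *rule.sport):
            return False
        if rule.dport and not port_match(pkt["dport"], *rule.dport):
            return False
    return True


def evaluate(rules, pkt: dict) -> Optional[str]:
    """Return the action of the first matching rule (assumed ordering), else None."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return None


# Constructed sample rules and packets.
RULES = [
    Rule("permit", "tcp", src=("192.0.2.0", "0.0.0.255"), dport=("=", 443)),
    Rule("deny", "tcp", dport=("range", (1, 1023))),
]


def demo():
    pkts = [
        {"protocol": "tcp", "src": "192.0.2.57", "dst": "198.51.100.10",
         "sport": 51000, "dport": 443},
        {"protocol": "tcp", "src": "203.0.113.9", "dst": "198.51.100.10",
         "sport": 51000, "dport": 22},
        {"protocol": "udp", "src": "203.0.113.9", "dst": "198.51.100.10",
         "sport": 5353, "dport": 53},
    ]
    return [evaluate(RULES, p) for p in pkts]


if __name__ == "__main__":
    print(demo())
```

Entering a netmask such as 255.255.255.0 where a filter-mask is expected makes the rule compare only the last octet, so `filter_mask_match("203.0.113.0", "192.0.2.0", "255.255.255.0")` returns True.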


Config Mode > Security > Network > DDos Protection


The options on this page enable protection against distributed denial-of-service (DDoS) attacks.

Table 125 lists the DDoS protection options. All options are supported for
IPv4. All options except IP Option are supported for IPv6.

TABLE 125 DDoS Protection Options

| Parameter | Description |
|---|---|
| Drop All | Enables all the DDoS protection options listed below. |
| IP Option | Drops all packets that contain any IP options. |
| Land Attack | Drops spoofed SYN packets containing the same IP address as the source and destination, which can be used to launch an “IP land attack”. |
| Ping-of-Death | Drops all jumbo IP packets longer than the maximum valid IP packet size (65535 bytes), known as “ping of death” packets. Note: On models Thunder 6430S, Thunder 6430, Thunder 5430S, AX 2200, AX 3200, AX 3200-11, AX 3200-12, AX 3400, AX 5100, AX 5200, AX 5200-11, and AX 5630, the Ping-of-Death option drops IP packets longer than 65535 bytes. On other models, the option drops all IP packets longer than 32000 bytes. |
| Frag | Drops all IP fragments, which can be used to attack hosts running IP stacks that have known vulnerabilities in their fragment reassembly code. |
| TCP No Flags | Drops all TCP packets that do not have any TCP flags set. |
| TCP SYN Fin | Drops all TCP packets in which both the SYN and FIN flags are set. |
| TCP SYN Frag | Drops incomplete (fragmented) TCP SYN packets, which can be used to launch TCP SYN flood attacks. |
| Out of Sequence | Checks for out-of-sequence packets in new HTTP or HTTPS connection requests from clients. Note: This option and the following options apply only to system-wide Policy-Based SLB. |
| Zero Window | Checks for a zero-length TCP window in new HTTP or HTTPS connection requests from clients. |
| Bad Content | Checks for invalid HTTP or SSL payloads in new HTTP or HTTPS connection requests from clients. |
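
The per-packet conditions in Table 125 (IP Option through TCP SYN Frag) can be recognised directly in IPv4 and TCP header fields, which is useful when reviewing a capture to see which option would have dropped a packet. The following Python sketch is an added example, not A10 code: the function names are hypothetical, the packets are constructed, and the Ping-of-Death test (fragment offset plus length exceeding the limit) is an assumption about how an oversized datagram shows up in a single fragment.

```python
import socket
import struct

FIN, SYN, ACK = 0x01, 0x02, 0x10


def make_packet(src, dst, tcp_flags, more_frags=False, frag_units=0, ip_options=b""):
    """Build a constructed IPv4+TCP packet (checksums left at 0; not checked here)."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl_words = 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    flags_frag = (0x2000 if more_frags else 0) | (frag_units & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                     ihl_words * 4 + len(tcp), 1, flags_frag, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + ip_options + tcp


def ddos_checks(pkt: bytes, max_ip_len: int = 65535):
    """Return the Table 125 option names whose condition this IPv4 packet meets."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated or invalid IPv4 header")
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    more_frags = bool(flags_frag & 0x2000)          # More Fragments bit
    frag_offset = (flags_frag & 0x1FFF) * 8         # offset is in 8-byte units
    fragmented = more_frags or frag_offset > 0

    # The TCP header is only present in the first fragment (offset 0).
    tcp_flags = None
    if pkt[9] == socket.IPPROTO_TCP and frag_offset == 0 and len(pkt) >= ihl + 14:
        tcp_flags = pkt[ihl + 13] & 0x3F            # FIN, SYN, RST, PSH, ACK, URG
    syn = tcp_flags is not None and bool(tcp_flags & SYN)

    hits = []
    if ihl > 20:
        hits.append("IP Option")
    if syn and pkt[12:16] == pkt[16:20]:
        hits.append("Land Attack")
    if frag_offset + total_len > max_ip_len:        # reassembled size over the limit
        hits.append("Ping-of-Death")
    if fragmented:
        hits.append("Frag")
    if tcp_flags == 0:
        hits.append("TCP No Flags")
    if syn and tcp_flags & FIN:
        hits.append("TCP SYN Fin")
    if syn and fragmented:
        hits.append("TCP SYN Frag")
    return hits


def classify_samples():
    """Run the checks over constructed packets (documentation addresses)."""
    a, b = "198.51.100.7", "203.0.113.10"
    return {
        "normal SYN": ddos_checks(make_packet(a, b, SYN)),
        "same src and dst": ddos_checks(make_packet(b, b, SYN)),
        "SYN+FIN": ddos_checks(make_packet(a, b, SYN | FIN)),
        "no flags": ddos_checks(make_packet(a, b, 0)),
        "IP options": ddos_checks(make_packet(a, b, ACK, ip_options=b"\x01\x01\x01\x00")),
        "fragmented SYN": ddos_checks(make_packet(a, b, SYN, more_frags=True)),
        "oversized tail": ddos_checks(make_packet(a, b, ACK, frag_units=8189)),
    }


if __name__ == "__main__":
    for name, hits in classify_samples().items():
        print(f"{name:18} -> {hits or 'no match'}")
```

Pass `max_ip_len=32000` to model the lower Ping-of-Death limit that the table's note gives for the other models.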


Config Mode > Security > Network > ICMP Rate Limiting

The ICMP Rate Limiting option globally enables protection against denial-of-service (DoS) attacks.

Table 126 lists the ICMP Rate Limiting parameters you can configure.

TABLE 126 ICMP Rate Limiting Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| ICMP Rate Limiting Section | | |
| ICMP Rate Limiting | Enables the configuration fields for the feature. | Selected or unselected. Default: Unselected |
| Normal Rate | Maximum number of ICMP packets allowed per second. If the AX interface receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins. | 1-65535 packets per second. Default: Not set |
| Lockup Rate | Maximum number of ICMP packets allowed per second before the ACOS device locks up ICMP traffic. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires. Note: Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur. Log messages are generated only if the lockup option is used and lockup occurs. Otherwise, the ICMP rate-limiting counters are still incremented but log messages are not generated. | 1-65535 packets per second. Default: Not set |
| Lockup Period | Number of seconds for which the ACOS device drops all ICMP traffic, after the maximum rate is exceeded. | 1-16383 seconds. Default: Not set |
| ICMPv6 Rate Limiting Section | | |
| ICMPv6 Rate Limiting | Configures ICMPv6 rate limiting for the interface, to protect against denial-of-service (DoS) attacks. The configuration options and supported values are the same as those for ICMP Rate Limiting. | Selected or unselected. Default: Unselected |
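
The interaction of Normal Rate, Lockup Rate and Lockup Period described in Table 126 (and repeated for the per-interface ICMP Rate Limiting parameters) is easier to reason about with a small model. The following Python simulation is an added example, not A10 code: the class and function names are hypothetical, and it assumes fixed one-second windows aligned to whole seconds, a lockup that starts at the packet that exceeds the lockup rate, and a lockup that is active only when both the rate and the period are set.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IcmpRateLimiter:
    normal_rate: int                      # packets per second, 1-65535
    lockup_rate: Optional[int] = None     # packets per second, 1-65535
    lockup_period: Optional[int] = None   # seconds, 1-16383
    accepted: int = 0
    dropped: int = 0                      # counter increments with or without lockup
    log: List[str] = field(default_factory=list)
    _window: int = field(default=-1, init=False)
    _count: int = field(default=0, init=False)
    _locked_until: float = field(default=0.0, init=False)

    def __post_init__(self):
        if not 1 <= self.normal_rate <= 65535:
            raise ValueError("normal rate must be 1-65535")
        if self.lockup_rate is not None and not 1 <= self.lockup_rate <= 65535:
            raise ValueError("lockup rate must be 1-65535")
        if self.lockup_period is not None and not 1 <= self.lockup_period <= 16383:
            raise ValueError("lockup period must be 1-16383")

    @property
    def lockup_enabled(self) -> bool:
        return self.lockup_rate is not None and self.lockup_period is not None

    def offer(self, now: float) -> bool:
        """Return True if an ICMP packet arriving at time `now` is accepted."""
        if now < self._locked_until:              # lockup: drop everything
            self.dropped += 1
            return False
        second = int(now)
        if second != self._window:                # a new one-second interval begins
            self._window, self._count = second, 0
        self._count += 1
        if self.lockup_enabled and self._count > self.lockup_rate:
            self._locked_until = now + self.lockup_period
            # Log messages are generated only when lockup occurs.
            self.log.append(f"t={now:.2f}s ICMP lockup for {self.lockup_period}s")
            self.dropped += 1
            return False
        if self._count > self.normal_rate:        # excess over the normal rate
            self.dropped += 1
            return False
        self.accepted += 1
        return True


def replay(limiter: IcmpRateLimiter, timestamps) -> List[bool]:
    """Feed constructed packet arrival times to the limiter, in order."""
    return [limiter.offer(t) for t in timestamps]


def demo():
    limiter = IcmpRateLimiter(normal_rate=5, lockup_rate=10, lockup_period=3)
    burst1 = [i / 100 for i in range(8)]          # 8 packets in second 0
    burst2 = [1 + i / 100 for i in range(12)]     # 12 packets in second 1
    later = [4.05, 4.2]                           # during and after the lockup
    results = replay(limiter, burst1 + burst2 + later)
    return limiter, results


if __name__ == "__main__":
    lim, res = demo()
    print("accepted", lim.accepted, "dropped", lim.dropped)
    print("\n".join(lim.log))
```

With only a normal rate configured, the same flood is capped but never produces a log entry, so an alerting pipeline that relies on log messages needs the lockup rate and lockup period set.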


Config Mode – IP Source NAT Options

This chapter describes the IP Source NAT configuration options.


• “Config Mode > IP Source NAT > IPv4 Pool”
• “Config Mode > IP Source NAT > IPv6 Pool”
• “Config Mode > IP Source NAT > Group”
• “Config Mode > IP Source NAT > ACL Bind”
• “Config Mode > IP Source NAT > Interface”
• “Config Mode > IP Source NAT > NAT Range”
• “Config Mode > IP Source NAT > Static NAT”
• “Config Mode > IP Source NAT > Global”

Config Mode > IP Source NAT


The IP Source NAT pages enable you to configure IP source Network
Address Translation (NAT).

Layer 3 NAT translates internal host addresses into global routable addresses before sending the host’s traffic to the Internet. When reply traffic is received, the ACOS device then retranslates addresses back into internal addresses before sending the reply to the client.

You can configure dynamic or static IP source NAT:


• Dynamic source IP NAT – Internal addresses are dynamically translated
into global addresses from a pool.
• Static source IP NAT – Internal addresses are explicitly mapped to
global addresses.

To configure dynamic IP Source NAT, you can use the IPv4, IPv6, Group,
Binding, and Interface options.

To configure static IP source NAT, you can use the NAT Range, Global, and
Interface options.


Configuration Elements for Dynamic NAT


Dynamic NAT uses the following configuration elements:
• ACL – to identify the inside host addresses to be translated. (You must configure the ACL first. See “Config Mode > Security > Network > ACL” on page 372.)
• Pool – to identify a contiguous range of global addresses into which to translate inside addresses. (Use the IPv4 and IPv6 pages.)
• Optionally, pool group – to use non-contiguous address ranges. To use a non-contiguous range of addresses, you can configure separate pools, then combine them in a pool group and map the ACL to the pool group. The addresses within an individual pool still must be contiguous, but you can have gaps between the ending address in one pool and the starting address in another pool. You also can use pools that are in different subnets.
  A pool group can contain up to 5 pools. Pool group members must belong to the same protocol family (IPv4 or IPv6) and must use the same HA ID. A pool can be a member of multiple pool groups. Up to 50 NAT pool groups are supported.
  (To configure a pool group, use the Group page.)
• Inside NAT setting on the interface connected to the inside host.
• Outside NAT setting on the interface connected to the Internet. Inside host addresses are translated into global addresses from a pool before the host traffic is sent to the Internet.
  (To set the NAT interfaces, use the Interface page.)

Note: In addition, on some ACOS models, if Layer 2 IP NAT is required, you also must enable CPU processing on the NAT interfaces. This applies to models AX 2200, AX 2200-11, AX 3100, AX 3200, AX 3200-11, AX 3200-12, AX 3400, AX 5100, AX 5200, AX 5200-11, and AX 5630.


Configuration Elements for Static NAT


Static NAT uses the following configuration elements:
• Address range list or static translations – Contiguous ranges of inside addresses and global addresses to translate them into, or individual mappings of inside to global addresses.
  (To enable static NAT and configure the address mappings, use the Global and NAT Range pages.)
• Inside NAT setting on the interface connected to the inside host.
• Outside NAT setting on the interface connected to the Internet. Inside host addresses are translated into global addresses from a static mapping or a range list before the host traffic is sent to the Internet.
  (To set the NAT interfaces, use the Interface page.)

Config Mode > IP Source NAT > IPv4 Pool


This option lists the configured IPv4 pools.

The IPv4 Pool section is displayed when you click Add or click on an IPv4
pool name.

Table 127 lists the IPv4 pool parameters.

TABLE 127 IPv4 Pool Parameters

| Parameter | Description and Syntax | Supported Values |
|---|---|---|
| IPv4 Pool Section | | |
| Name | Name of the address pool. | String. Default: Not set |
| Start IP Address | Beginning (lowest) IP address in the range. | Valid IPv4 address. Default: Not set |
| End IP Address | Ending (highest) IP address in the range. | Valid IPv4 address. Default: Not set |
| Netmask | Network mask for the IP addresses in the pool. | Valid IPv4 network mask. Default: Not set |
| Gateway | Default gateway of the next-hop router to use as the default gateway for NATted traffic. | IP address of the next-hop router. Default: Not set |
| VRID/HA Group | The display of this field varies with VRRP-A or HA configuration: • If VRRP-A is enabled, this field displays the Virtual Router ID (VRID) to use for session backup. Note: If the drop-down list does not have any VRIDs, you still need to configure global VRRP-A parameters. See “Config Mode > System > VRRP-A > VRRP-A Global” on page 485. • If HA is enabled, this field displays the High Availability (HA) group ID to use for session backup. Note: If the HA Group drop-down list does not have any group IDs, you still need to configure global HA parameters. See “Config Mode > System > HA > Global” on page 477. | Number of a configured VRID or HA group. Default: Not set |
| IP-RR | Uses pool IP addresses in round robin fashion. Without this option, the ACOS device creates NAT translations by using all the protocol ports of the first IP address in the pool, then using all the ports of the next IP address, and so on. | Enabled or Disabled. Default: Disabled |

Config Mode > IP Source NAT > IPv6 Pool


This option lists the configured IPv6 pools.

The IPv6 Pool section is displayed when you click Add or click on an IPv6
pool name.

Table 128 lists the IPv6 pool parameters.

TABLE 128 IPv6 Pool Parameters

| Parameter | Description and Syntax | Supported Values |
|---|---|---|
| IPv6 Pool Section | | |
| Name | Name of the address pool. | String. Default: Not set |
| Start IP Address | Beginning (lowest) IP address in the range. | Valid IPv6 address. Default: Not set |
| End IP Address | Ending (highest) IP address in the range. | Valid IPv6 address. Default: Not set |
| Netmask Length | Number of bits in the network mask for the IP addresses in the pool. | 64-128. Default: Not set |
| Gateway | Default gateway of the next-hop router to use as the default gateway for NATted traffic. | IP address of the next-hop router. Default: Not set |
| VRID/HA Group | The display of this field varies with VRRP-A or HA configuration: • If VRRP-A is enabled, this field displays the Virtual Router ID (VRID) to use for session backup. Note: If the drop-down list does not have any VRIDs, you still need to configure global VRRP-A parameters. See “Config Mode > System > VRRP-A > VRRP-A Global” on page 485. • If HA is enabled, this field displays the High Availability (HA) group ID to use for session backup. Note: If the HA Group drop-down list does not have any group IDs, you still need to configure global HA parameters. See “Config Mode > System > HA > Global” on page 477. | Number of a configured VRID or HA group. Default: Not set |
| IP-RR | Uses pool IP addresses in round robin fashion. Without this option, the ACOS device creates NAT translations by using all the protocol ports of the first IP address in the pool, then using all the ports of the next IP address, and so on. | Enabled or Disabled. Default: Disabled |

Config Mode > IP Source NAT > Group


This option lists the configured pool groups.

The Group section is displayed when you click Add or click on a pool group
name.

Table 129 lists the pool group parameters.

TABLE 129 Pool Group Parameters

| Parameter | Description and Syntax | Supported Values |
|---|---|---|
| Group Section | | |
| Name | Name of the pool group. | String. Default: Not set |
| VRID/HA Group | The display of this field varies with VRRP-A or HA configuration: • If VRRP-A is enabled, this field displays the Virtual Router ID (VRID) to use for session backup. Note: If the drop-down list does not have any VRIDs, you still need to configure global VRRP-A parameters. See “Config Mode > System > VRRP-A > VRRP-A Global” on page 485. • If HA is enabled, this field displays the High Availability (HA) group ID to use for session backup. Note: If the HA Group drop-down list does not have any group IDs, you still need to configure global HA parameters. See “Config Mode > System > HA > Global” on page 477. | Number of a configured VRID or HA group. Default: Not set |
| IPv4/IPv6 | Type of addresses to be used in the group. | IPv4 or IPv6. Default: IPv4 |
| Group Member | The IP address pools in the group. 1. Select a configured address pool from the Available Pool drop-down list. 2. Click Add. | Name of configured pool. Default: Not set |

Config Mode > IP Source NAT > ACL Bind


This page enables you to bind ACLs to IP address pools or pool groups for dynamic NAT. To create a binding:
1. Select an IPv4 or IPv6 radio button.

2. Select a configured ACL from the ACL drop-down list.

3. Select a configured pool or pool group from the NAT Pool drop-down list.

4. To set the TCP Maximum Segment Life (MSL) for NATted sessions, enter the maximum number of seconds in the MSL field. You can enter 1-1800 seconds. This option is only available for IPv4.

   Note: This option is useful for servers running older TCP/IP stacks, which may wait up to 240 seconds (4 minutes) after a FIN before allowing a new TCP connection.

5. Click Add.

6. Repeat if needed for additional bindings.

7. Click OK.

Config Mode > IP Source NAT > Interface


This page identifies the inside and outside NAT interfaces.
1. Select the inside interface from the Interface drop-down list.

2. Select Inside from the IPv4 or IPv6 Direction drop-down list, if not
already selected.

3. Click Add.

4. Repeat for additional interfaces.


   To add an outside interface, repeat step 1 through step 4, using the Outside option from the IPv4 or IPv6 Direction drop-down list.
   To add an interface that is both outside and inside, repeat step 1 through step 4, using the Both option from the IPv4 or IPv6 Direction drop-down list.

5. Click OK.

Config Mode > IP Source NAT > NAT Range


This option lists the configured static NAT range lists.

The NAT Range section is displayed when you click Add or click on a range
list name.

Table 130 lists the NAT range parameters.

TABLE 130 NAT Range Parameters

| Parameter | Description and Syntax | Supported Values |
|---|---|---|
| NAT Range Section | | |
| Name | Name of the NAT range list. | String. Default: Not set |
| IPv4/IPv6 | Type of addresses to be used in the range. | IPv4 or IPv6. Default: IPv4 |
| Local | Beginning (lowest) IP address in the range of source addresses. | Valid IP address and network mask (IPv4) or mask length (IPv6). Default: Not set |
| Global | Beginning (lowest) IP address in the range of NAT addresses. | Valid IP address and network mask (IPv4) or mask length (IPv6). Default: Not set |
| Count | Specifies how many addresses to be translated. The range contains a contiguous block of the number of addresses you specify. | 1-200000. Default: 1 |
| VRID/HA Group | The display of this field varies with VRRP-A or HA configuration: • If VRRP-A is enabled, this field displays the Virtual Router ID (VRID) to use for session backup. Note: If the drop-down list does not have any VRIDs, you still need to configure global VRRP-A parameters. See “Config Mode > System > VRRP-A > VRRP-A Global” on page 485. • If HA is enabled, this field displays the High Availability (HA) group ID to use for session backup. Note: If the HA Group drop-down list does not have any group IDs, you still need to configure global HA parameters. See “Config Mode > System > HA > Global” on page 477. | Number of a configured VRID or HA group. Default: Not set |

Config Mode > IP Source NAT > Static NAT


This option lists the configured static NAT translations.

The Static NAT Range section is displayed when you click Add or click on
a static translation name.

Table 131 lists the Static NAT parameters.

TABLE 131 Static NAT Parameters

| Parameter | Description and Syntax | Supported Values |
|---|---|---|
| Static NAT Section | | |
| Source Address | Inside address to be translated into a global address. | Valid IP address. Default: Not set |
| Global Address | Global address to use for the inside address. | Valid IP address. Default: Not set |
| VRID/HA Group | The display of this field varies with VRRP-A or HA configuration: • If VRRP-A is enabled, this field displays the Virtual Router ID (VRID) to use for session backup. Note: If the drop-down list does not have any VRIDs, you still need to configure global VRRP-A parameters. See “Config Mode > System > VRRP-A > VRRP-A Global” on page 485. • If HA is enabled, this field displays the High Availability (HA) group ID to use for session backup. Note: If the HA Group drop-down list does not have any group IDs, you still need to configure global HA parameters. See “Config Mode > System > HA > Global” on page 477. | Number of a configured VRID or HA group. Default: Not set |

Config Mode > IP Source NAT > Global


This page enables you to set global NAT parameters.

Note: The timeout values specify the minimum timeout. The actual time a session may remain idle is up to 60 seconds later than the configured timeout.

Table 132 lists the global NAT parameters.

TABLE 132 Global NAT Parameters

| Parameter | Description and Syntax | Supported Values |
|---|---|---|
| Global Section | | |
| PPTP NAT ALG | Disables or re-enables NAT Application-Layer Gateway (ALG) support for the Point-to-Point Tunnelling Protocol (PPTP). This feature enables clients and servers to exchange Point-to-Point (PPP) traffic through the ACOS device over a Generic Routing Encapsulation (GRE) tunnel. PPTP is used to connect Microsoft Virtual Private Network (VPN) clients and VPN hosts. | Enabled or Disabled. Default: Enabled |
| IP Source NAT Allow Static Host | Enables or disables static NAT. Note: This option is required only to enable use of individually configured static mappings. If you configure a NAT range list instead, you do not need this option. If you prefer to configure individual mappings, use the CLI to configure the mappings. Configuration of individual static source NAT mappings is not supported in the GUI. | Enabled or Disabled. Default: Disabled |
| Source NAT Gateway for L3 | Uses an IP pool’s default gateway to forward traffic from a real server. When this feature is enabled, the ACOS device checks the server IP subnet against the IP NAT pool subnet. If they are on the same subnet, then the ACOS device uses the gateway as defined in the IP NAT pool for Layer 2 / Layer 3 forwarding. This feature is useful if the server does not have its own upstream router and the ACOS device can leverage the same upstream router for Layer 2 / Layer 3. | Enabled or Disabled. Default: Disabled |
| Reset Idle TCP Connections | Enables client and server TCP resets for NATted TCP sessions that have become idle. | Enabled or Disabled. Default: Disabled |
| SYN Timeout | Sets the timeout after a SYN. | A value within one of the following ranges: • 2-31 seconds – The timeout takes place very rapidly, as close to the configured timeout as possible. • 60-300 seconds – The timeout value must be divisible by 60, and can be a minimum of 1 minute. If the timeout is set to a value in the range 32-59, the timeout value is rounded up to 60. Default: 60 seconds |
| TCP Timeout | Sets the timeout for TCP sessions that are not ended normally by a FIN or RST. | A value within one of the following ranges: • 2-31 – The timeout takes place very rapidly, as close to the configured timeout as possible. • 32-15000 seconds – The timeout value must be divisible by 60, and can be a minimum of 1 minute. If the timeout is set to a value in the range 32-59, the timeout value is rounded up to 60. Values in the range 61-11999 are rounded down to the nearest multiple of 60. Default: 300 seconds |
| UDP Timeout | Sets the timeout for UDP sessions. | A value within one of the following ranges: • 2-31 – The timeout takes place very rapidly, as close to the configured timeout as possible. • 60-15000 seconds – The timeout value must be divisible by 60, and can be a minimum of one minute. Default: 300 seconds |
| ICMP Timeout | Sets the timeout for ICMP sessions. The Fast option terminates the session as soon as a response is received. | A value within one of the following ranges: • 2-31 – The timeout takes place very rapidly, as close to the configured timeout as possible. • 32-15000 seconds – The timeout value must be divisible by 60, and can be a minimum of 1 minute. If the timeout is set to a value in the range 32-59, the timeout value is rounded up to 60. Values in the range 61-11999 are rounded down to the nearest multiple of 60. • Or select the Fast radio button. Default: 60 seconds |

Service Timeout Section

This section enables you to specify how long NATted sessions on a specific protocol port can remain idle before being terminated. The timeout set for an individual protocol port overrides the global TCP or UDP timeout for NATted sessions.
You can specify between 2-31 seconds, 60-15000 seconds, or fast. The fast option terminates the session as soon as a response is received.
By default, the TCP or UDP timeout set for NAT translation is used.

To configure a service timeout:

1. Select TCP or UDP from the Protocol drop-down list.
2. Enter the port number in the Port field.
3. Enter the number of seconds in the Timeout field, or select Fast.
4. Click Add.


Config Mode – Network Options

This chapter describes the Network configuration options.


• “Config Mode > Network > Interface”
• “Config Mode > Network > Trunk”
• “Config Mode > Network > LACP”
• “Config Mode > Network > VLAN”
• “Config Mode > Network > ARP”
• “Config Mode > Network > Route”
• “Config Mode > Network > DNS”
• “Config Mode > Network > BPDU-Fwd-Group”

Config Mode > Network


The Network pages enable you to configure Layer 2 and Layer 3 network
settings for the ACOS device.

Note: Access to configuration options will vary with your administrative role
and system configuration of the ACOS device. For information on the
privilege level of administrative roles, see “Preconfigured GUI Access
Roles” on page 447.

Config Mode > Network > Interface


The Interface pages enable you to configure the ACOS device’s management interface and data interfaces.


Config Mode > Network > Interface > LAN

The LAN page shows the configuration settings for the ACOS device’s
Ethernet data interfaces.

The Status column indicates whether the interface is enabled.

The Status column, furthest to the right, indicates whether VRRP-A or HA is enabled on the interface. To enable VRRP-A or HA on an interface, use the VRRP-A/HA section. (See Table 133.)

To disable interfaces, select the checkbox next to each interface you want to
disable, then click Disable. Likewise, to re-enable interfaces, select the
checkbox next to each interface you want to enable, then click Enable.

The following configuration sections are displayed when you click on an interface name:
• General
• IPv4
• IPv6
• VIP
• LACP
• VRRP-A or HA

Table 133 lists the parameters you can configure on Ethernet data interfaces.

TABLE 133 Ethernet Data Interface Parameters


Parameter Description Supported Values
General Section
Status Administrative state of the interface. Enabled or Disabled
Default: Disabled
Name Name for the interface. String up to 63 characters
Default: None

398 of 494 Customer Driven Innovation


Document No.: D-030-01-00-0067 – ACOS 2.7.1 8/5/2013
A10 Thunder Series and AX Series—GUI Reference
Config Mode – Network Options - Config Mode > Network

TABLE 133 Ethernet Data Interface Parameters (Continued)


Parameter Description Supported Values
MTU Maximum Transmission Unit (MTU) for packets The configurable values depend on the
transmitted on the interface. ACOS model.
Notes: For all models, the default is 1500
• Jumbo support must be enabled in order to set the bytes.
MTU to a higher value than the default. (See
“Config Mode > Network > Interface > Global”
on page 410.)
• Jumbo frames are not supported on models AX
1030, AX 2500, AX 2600, SoftAX, or
AX-V 3000-11-GCF
Speed Maximum speed on the interface. One of the following:
• 10M – 10 Megabits per second (Mbs/sec) • 10M
• 100M – 100 Megabits per second (Mbs/sec) • 100M
• 1G – 1 Gigabit per second (Gb/sec) • 1G
• 10G – 10 Gigabits per second (Gbs/sec) • 10G
• Auto – The interface speed is negotiated based on • Auto
the speed of the other end of the link. Default: Auto
Note: All possible options are listed
above. The options that are listed for a
particular interface depend on the
interface type.
Duplex Sets the duplex mode. One of the following:
• Full – Full-duplex mode. • Full
• Half – Half-duplex mode. • Half
• Auto – The mode is negotiated based on the • Auto
mode of the other end of the link. Default: Auto
Flow Control State of 802.3x flow control. Enabled or Disabled
Default: Disabled. The interface auto-
negotiates flow control settings with
the other end of the link.
CPU Process Enables software-based switching or routing of Enabled or Disabled
Layer 2/Layer 3 traffic. Default: Disabled
Note: This command is applicable only to models
AX 2200, AX 2200-11, AX 3100, AX 3200,
AX 3200-11, AX 3200-12, AX 3400, AX 5100,
AX 5200, AX 5200-11m and AX 5630.

Parameter: ICMP Rate Limiting
Description: Configures ICMP rate limiting for the interface, to protect against denial-of-service (DoS) attacks.
When you select the ICMP Rate Limit Status checkbox, the following configuration fields appear:
• Normal Rate – Maximum number of ICMP packets allowed per second on the interface. If the AX interface receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins.
• Lockup Rate – Maximum number of ICMP packets allowed per second before the ACOS device locks up ICMP traffic on the interface. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires.
• Lockup Period – Number of seconds for which the ACOS device drops all ICMP traffic on the interface, after the maximum rate is exceeded.
Supported Values:
State: Enabled or Disabled
Normal Rate – 1-65535 packets per second
Lockup Rate – 1-65535 packets per second
Lockup Period – 1-16383 seconds
Default: Disabled
Note: Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur.
Log messages are generated only if the lockup option is used and lockup occurs. Otherwise, the ICMP rate-limiting counters are still incremented but log messages are not generated.

Parameter: ICMPv6 Rate Limiting
Description: Configures ICMPv6 rate limiting for the interface, to protect against denial-of-service (DoS) attacks.
When you select the ICMPv6 Rate Limit Status checkbox, the following configuration fields appear:
• Normal Rate – Maximum number of ICMPv6 packets allowed per second on the interface. If the AX interface receives more than the normal rate of ICMPv6 packets, the excess packets are dropped until the next one-second interval begins.
• Lockup Rate – Maximum number of ICMPv6 packets allowed per second before the ACOS device locks up ICMPv6 traffic on the interface. When ICMPv6 traffic is locked up, all ICMPv6 packets are dropped until the lockup expires.
• Lockup Period – Number of seconds for which the ACOS device drops all ICMPv6 traffic on the interface, after the maximum rate is exceeded.
Supported Values:
State: Enabled or Disabled
Normal Rate – 1-65535 packets per second
Lockup Rate – 1-65535 packets per second
Lockup Period – 1-16383 seconds
Default: Disabled
Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur.

Parameter: L3-VLAN-fwd-disable
Description: Disables Layer 3 forwarding between VLANs for incoming traffic.
Supported Values: Enabled (Layer 3 forwarding between VLANs is disabled) or Disabled (Layer 3 forwarding between VLANs is enabled)
Default: disabled (Layer 3 forwarding between VLANs is enabled by default.)

IPv4 Section
Note: This section is applicable only if the ACOS device is deployed in gateway (route) mode. If you are deploying in transparent (Layer 2) mode, see “Config Mode > Network > Interface > Transparent” on page 407.

Parameter: IP Address
Description: IPv4 address of the interface.
Supported Values: Valid IPv4 address
Default: Not set

Parameter: Mask
Description: Network mask for the interface.
Supported Values: Valid IPv4 mask
Default: Not set

Parameter: Secondary IP List
Description: Additional IP addresses configured on the interface.
Note: The address in the IP Address field is the primary IP address.
Default: Not set

Parameter: IPv4 ACL
Description: Access Control List (ACL) to use to filter inbound traffic on the interface.
The ACL must already be configured. To configure an ACL, see “Config Mode > Security > Network > ACL” on page 372.
Supported Values: Configured ACL
Default: Not set

IPv6 Section
Note: This section is applicable only if the ACOS device is deployed in gateway (route) mode. If you are deploying in transparent (Layer 2) mode, see “Config Mode > Network > Interface > Transparent” on page 407.

Parameter: IPv6 Address List
Description: IPv6 addresses configured on the interface.
To add an IPv6 address:
1. Enter the address in the IPv6 Address field.
2. Enter the prefix length in the Prefix Length field.
3. To allow the address to be assigned to more than one interface, select the Anycast checkbox.
Note: A packet sent to an anycast address is routed to the “nearest” interface with that address, based on the distance in the routing protocol.
4. Click Add.
Supported Values: Valid IPv6 address. Prefix length can be 1-128.
Default: Not set

Parameter: Auto Link-Local
Description: Automatically configures the link-local address.
Supported Values: Selected or unselected
Default: Unselected
Note: If Auto Link-Local and Link-Local are both unselected, the address is configured as a global address.

Parameter: Link-Local
Description: Configures the specified address as the link-local address for the interface. This option overrides the automatically generated link-local address for the interface.
To allow the address to be assigned to more than one interface, select the Anycast checkbox.
Note: A packet sent to an anycast address is routed to the “nearest” interface with that address, based on the distance in the routing protocol.
Supported Values: Selected or unselected
Default: Unselected
Note: If Auto Link-Local and Link-Local are both unselected, the address is configured as a global address.

Parameter: IPv6 ACL
Description: Access Control List (ACL) to use to filter inbound traffic on the interface.
The ACL must already be configured. To configure an ACL, see “Config Mode > Security > Network > ACL” on page 372.
Supported Values: Configured ACL
Default: Not set

VIP Section

Parameter: Allow Promiscuous VIP
Description: Enables client traffic received on this interface and addressed to TCP port 80 to be load balanced for any VIP address.
This feature also requires configuration of a virtual server that has IP address 0.0.0.0. For more information, see the “Wildcard VIPs” chapter in the AX Series Application Delivery and Server Load Balancing Guide.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: TCP Syn Cookie
Description: Enables Layer 2/3 SYN cookies on the interface.
Note: Hardware-based SYN cookie support also must be enabled globally. See “Config Mode > SLB > Service > Global” on page 206.
Supported Values: Enabled or Disabled
Default: Disabled

LACP Section

Parameter: Trunk ID
Description: ID number of the trunk.
Note: Up to 16 trunks are supported, in any combination of static and dynamic trunks.
Supported Values: 1-16
Default: Not set

Parameter: LACP Priority
Description: Priority value assigned to this dynamic trunk on the ACOS device.
Note: A low priority number indicates a high priority value. The highest priority is 1 and the lowest priority is 65535.
Supported Values: 1-65535
Default: Not set

Parameter: Timeout
Description: Sets the aging timeout for LACP data units from the other end of the LACP link.
Supported Values: Long (90 seconds) or Short (3 seconds)
Default: Long

Parameter: Admin Key
Description: Unique value that identifies the capabilities of the trunk. This key is used during negotiation for membership in the trunk.
Supported Values: 10000-65535
Default: Not set

Parameter: Uni-directional Detection
Description: Implements Unidirectional Detection (UDLD) using a single port LACP.
Supported Values: Selected or unselected
Default: Unselected

Parameter: UDLD Timeout
Description: Specifies the UDLD timeout value. If enabled, you can select one of the following timeout ranges:
• Fast – 100-1000
• Slow – 1-60
Supported Values: One of the following:
• Fast (100-1000)
• Slow (1-60)
Default: Not set. If enabled, Fast is selected by default.

VRRP-A/HA Section
Note: The display of this section varies with VRRP-A/HA configuration.

Parameter: VRRP-A/HA Status
Description: Indicates whether this is a VRRP-A interface.
Note: The maximum number of VRRP-A interfaces you can configure is the same as the number of Ethernet data ports on the ACOS device.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Type
Description: Indicates the type of device to which this VRRP-A interface is connected.
Selecting an option other than None allows the ACOS device to base its VRRP-A status on the status of the links to the real servers and upstream routers.
Supported Values: One of the following:
• None – This option is not used.
• Router-Interface – An upstream router (and ultimately, clients) can be reached through the interface.
• Server-Interface – A real server can be reached through the interface.
• Both – Both a server and upstream router can be reached through the interface.
Default: None

Parameter: Heartbeat
Description: Disables or enables sending of VRRP-A heartbeat messages on the interface.
Supported Values: Enabled or Disabled
Default: Enabled

Parameter: VLAN
Description: VLAN on which to send heartbeat messages, if this interface is a tagged member of a VLAN.
Supported Values: VLAN ID
Default: Not set

Multiple IP Addresses on a Single Data Interface


You can configure multiple IP addresses on Ethernet and Virtual Ethernet
(VE) data interfaces and on loopback interfaces, on ACOS devices
deployed in gateway (route) mode.

Each IP address must be unique on the ACOS device. Addresses within a
given subnet can be configured on only one interface on the device. (The
ACOS device can have only one data interface in a given subnet.)

IP addresses are added to an interface in the order you configure them. The
addresses appear in show command output and in the configuration in the
same order.


The first IP address you add to an interface becomes the primary IP address
for the interface. If you remove the primary address, the next address in the
list (the second address to be added to the interface) becomes the primary
address.
The ACOS device automatically generates a directly connected route to
each IP address. If you enable redistribution of directly connected routes by
OSPF or IS-IS, those protocols can advertise the routes to the IP addresses.

Multiple OSPFv2 Networks on the Same Interface Not Supported

The ACOS device does not support multiple OSPFv2 networks on the same
data interface. One OSPFv2 network configuration can enable at most one
network per interface.

For example, assume a data port has 3 IP addresses configured that belong
to 3 separate subnets, S1, S2, and S3. If you configure network S4 with area
A.B.C.D, and S4 contains S1, S2, and S3, then only S1 will be running
OSPF. S2 and S3 will not be known to other OSPF routers.

To work around this limitation, enable OSPF redistribution of directly
connected routes so that OSPF will redistribute S2 and S3 via the network
running on S1.

Config Mode > Network > Interface > Management

The Management page shows the configuration settings for the ACOS
device’s out-of-band management port.

The following configuration sections are displayed when you click on the
Management menu option:
• General

• IPv4

• IPv6

Note: The ACOS device allows the same IP address to be configured as the
ACOS device’s global IP address, and as a NAT pool address. However,
in Layer 2 (transparent) deployments, if you do configure the same
address in both places, and later delete one of the addresses, you must
reload the ACOS device to place the change into effect.

Table 134 lists the parameters you can configure on the Ethernet
management port.


TABLE 134 Ethernet Management Port Parameters

General Section

Parameter: Status
Description: Administrative state of the port.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Speed
Description: Maximum speed on the interface.
Supported Values: One of the following:
• Auto – The interface speed is negotiated based on the speed of the other end of the link.
• 10M – 10 Megabits per second (Mbs/sec)
• 100M – 100 Megabits per second (Mbs/sec)
• 1G – 1 Gigabit per second (Gbs/sec)
Default: Auto
Note: All possible options are listed above. The options that are listed for a particular interface depend on the interface type.

Parameter: Duplex
Description: Sets the duplex mode.
Supported Values: One of the following:
• Auto – The mode is negotiated based on the mode of the other end of the link.
• Full – Full-duplex mode.
• Half – Half-duplex mode.
Default: Auto

Parameter: Flow Control
Description: Enables 802.3x flow control.
Supported Values: Enabled or Disabled
Default: Disabled. The AX Ethernet interface auto-negotiates flow control settings with the other end of the link.

Parameter: Apps Use Mgmt Port
Description: Enables use of the management interface as the source interface for automated management traffic.
This applies to management traffic using the following protocols:
• SYSLOG
• SNMPD
• NTP
• RADIUS
• TACACS+
• SMTP
The ACOS device has two route tables:
• Management route table – Contains all static routes whose next hops are connected to the management interface. The management route table also contains the route to the device configured as the management default gateway.
• Main route table – Contains all routes whose next hop is connected to a data interface. These routes are sometimes referred to as data plane routes. Entries in this table are used for load balancing and for Layer 3 forwarding on data ports.
This route table also contains copies of all static routes in the management route table, excluding the management default gateway route.
For more information, see the “Using the Management Interface as the Source for Management Traffic” chapter in the System Configuration and Administration Guide.
Supported Values: Enabled or Disabled
Default: Disabled. The ACOS device attempts to use a route from the main route table for management connections originated on the ACOS device.

IPv4 Section

Parameter: IP Address
Description: IPv4 address of the interface.
Supported Values: Valid IPv4 address

Parameter: Mask
Description: Network mask for the interface.
Supported Values: Valid IPv4 mask

Parameter: Default Gateway
Description: IP address of the next-hop router to use for traffic outside the management interface’s subnet.
Supported Values: Valid IPv4 address

IPv6 Section

Parameter: IP Address
Description: IPv6 address of the interface.
Supported Values: Valid IPv6 address

Parameter: Prefix Length
Description: Length of the network prefix.
Supported Values: 1-128

Parameter: Default Gateway
Description: IP address of the next-hop router to use for traffic outside the management interface’s subnet.
Supported Values: Valid IPv6 address
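
The two route tables described in the Apps Use Mgmt Port row of Table 134 decide which interface SYSLOG, NTP and the other listed protocols leave from. The Python model below is an added example, not A10 code: it builds both tables the way that row describes and compares the egress interface with the option disabled and enabled. It assumes longest-prefix matching and that the enabled option resolves against the management route table; all names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str  # "mgmt" or "data": where the next hop is connected


def route(prefix: str, next_hop: str, interface: str) -> Route:
    return Route(ipaddress.ip_network(prefix), next_hop, interface)


def build_tables(static_routes: List[Route], mgmt_default_gw: str):
    """Build (management, main) route tables as the table row describes them."""
    mgmt_static = [r for r in static_routes if r.interface == "mgmt"]
    data_routes = [r for r in static_routes if r.interface == "data"]
    # Management table: mgmt-connected static routes plus the mgmt default gateway.
    management = mgmt_static + [route("0.0.0.0/0", mgmt_default_gw, "mgmt")]
    # Main table: data-plane routes plus copies of the mgmt static routes,
    # excluding the management default gateway route.
    main = data_routes + mgmt_static
    return management, main


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match (assumption: the page does not state the match rule)."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def egress(destination: str, apps_use_mgmt_port: bool,
           management: List[Route], main: List[Route]) -> Optional[Tuple[str, str]]:
    """Return (interface, next hop) for device-originated management traffic."""
    # Assumption: with the option enabled the management table is consulted;
    # with it disabled (the default) the main table is used, as the page states.
    table = management if apps_use_mgmt_port else main
    hit = lookup(table, destination)
    return (hit.interface, hit.next_hop) if hit else None


# Constructed sample configuration (documentation and private address ranges).
STATIC_ROUTES = [
    route("0.0.0.0/0", "203.0.113.1", "data"),      # data-plane default route
    route("10.50.0.0/16", "192.168.1.254", "mgmt"),  # static route via mgmt port
]
MGMT_DEFAULT_GW = "192.168.1.1"
SERVERS = {"SYSLOG": "10.50.3.20", "NTP": "172.16.9.9"}


def compare() -> Dict[str, Dict[str, Optional[Tuple[str, str]]]]:
    management, main = build_tables(STATIC_ROUTES, MGMT_DEFAULT_GW)
    return {
        name: {
            "disabled": egress(ip, False, management, main),
            "enabled": egress(ip, True, management, main),
        }
        for name, ip in SERVERS.items()
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

In the sample, the NTP server is covered only by the management default gateway, so with the option disabled its traffic follows the data-plane default route; the SYSLOG server sits behind a management static route that is copied into the main table, so it uses the management port either way.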


Config Mode > Network > Interface > Transparent

The Transparent page enables you to specify the global IP address of the
ACOS device, if deploying the device in transparent (Layer 2) mode.

Note: If you are deploying in gateway (Layer 3) mode, see “Config Mode
> Network > Interface > LAN” on page 398.

The following configuration sections are displayed when you click on the
Transparent menu option:
• IPv4

• IPv6

Table 135 lists the global IP address parameters you can configure.

TABLE 135 Global IP Parameters (Transparent Mode only)

IPv4 Section

Parameter: IP Address
Description: IPv4 address of the interface.
Supported Values: Valid IPv4 address

Parameter: Mask
Description: Network mask for the interface.
Supported Values: Valid IPv4 mask

Parameter: Default Gateway
Description: IP address of the next-hop router to use for traffic outside the ACOS device’s subnet.
Supported Values: Valid IPv4 address

IPv6 Section

Parameter: IP Address
Description: IPv6 address of the interface.
Supported Values: Valid IPv6 address

Parameter: Prefix Length
Description: Length of the network prefix.
Supported Values: 1-128

Parameter: Default Gateway
Description: IP address of the next-hop router to use for traffic outside the ACOS device’s subnet.
Supported Values: Valid IPv6 address

Config Mode > Network > Interface > Virtual

The Virtual page shows the configuration settings for the ACOS device’s
Virtual Ethernet (VE) data ports.

The following configuration sections are displayed when you click on a VE
name:
• IPv4

• IPv6

• VIP

Note: You must create the VE before you can configure it here. To create a VE,
see “Config Mode > Network > VLAN” on page 413.


Table 136 lists the parameters you can configure on VE data interfaces.

TABLE 136 Virtual Ethernet Data Interface Parameters

IPv4 Section

Parameter: Status
Description: Administrative state of the interface.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: Name
Description: Name for the interface.
Supported Values: String up to 63 characters
Default: None

Parameter: IP Address
Description: IPv4 address of the interface.
Supported Values: Valid IPv4 address

Parameter: Mask
Description: Network mask for the interface.
Supported Values: Valid IPv4 mask

Parameter: Secondary IP List
Description: Additional IP addresses configured on the interface.
Note: The address in the IP Address field is the primary IP address.
Supported Values: None configured

Parameter: IPv4 ACL
Description: Access Control List (ACL) to use to filter inbound traffic on the VE.
The ACL must already be configured. To configure an ACL, see “Config Mode > Security > Network > ACL” on page 372.
Supported Values: Configured ACL

Parameter: ICMP Rate Limiting
Description: Configures ICMP rate limiting for the interface, to protect against denial-of-service (DoS) attacks.
When you select the ICMP Rate Limit Status checkbox, the following configuration fields appear:
• Normal Rate – Maximum number of ICMP packets allowed per second on the interface. If the AX interface receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins.
• Lockup Rate – Maximum number of ICMP packets allowed per second before the ACOS device locks up ICMP traffic on the interface. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires.
• Lockup Period – Number of seconds for which the ACOS device drops all ICMP traffic on the interface, after the maximum rate is exceeded.
Supported Values:
State: Enabled or Disabled
Normal Rate – 1-65535 packets per second
Lockup Rate – 1-65535 packets per second
Lockup Period – 1-16383 seconds
Default: Disabled
Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur.

Parameter: L3-VLAN-fwd-disable
Description: Disables Layer 3 forwarding between VLANs for incoming traffic.
Supported Values: Enabled (Layer 3 forwarding between VLANs is disabled) or Disabled (Layer 3 forwarding between VLANs is enabled)
Default: disabled (Layer 3 forwarding between VLANs is enabled by default.)

IPv6 Section

Parameter: IPv6 Address List
Description: IPv6 addresses configured on the interface.
To add an IPv6 address:
1. Enter the address in the IPv6 Address field.
2. Enter the prefix length in the Prefix Length field.
3. To allow the address to be assigned to more than one interface, select the Anycast checkbox.
A packet sent to an anycast address is routed to the “nearest” interface with that address, based on the distance in the routing protocol.
4. Click Add.
Supported Values: Valid IPv6 address. Prefix length can be 1-128.

Parameter: Auto Link-Local
Description: Sets IPv6 addresses as link-local of the neighboring IPv6 RIP router automatically.
Supported Values: Enabled or Disabled
Default: Unselected

Parameter: Link-Local
Description: Sets a link-local IPv6 address of the neighboring IPv6 RIP router.
• IP Address – IPv6 address to which this entry’s addressing information pertains.
• Prefix Length – Length of the prefix (in bits) associated with the IPv6 address of this entry.
• Anycast – Designates the IPv6 address as an anycast address. The object has the value ‘true (1)’, if this address is an anycast address and the value ‘false (2)’ otherwise.
Note: Specifying the interface as valid for only link-local IPv6 addresses is useful in cases where you do not want the floating IPv6 address to be associated with all AX interfaces.
Supported Values:
• Link-Local – Enabled or Disabled
• IP Address – Valid IPv6 address
• Prefix Length – 1-128
• Anycast – Enabled or Disabled
Default: Not set

Parameter: IPv6 ACL
Description: Access Control List (ACL) to use to filter inbound traffic on the VE.
The ACL must already be configured. To configure an ACL, see “Config Mode > Security > Network > ACL” on page 372.
Supported Values: Configured ACL

VIP Section

Parameter: Allow Promiscuous VIP
Description: Enables client traffic received on this interface and addressed to TCP port 80 to be load balanced for any VIP address.
This feature also requires configuration of a virtual server that has IP address 0.0.0.0. For more information, see the “Wildcard VIPs” chapter in the AX Series Application Delivery and Server Load Balancing Guide.
Supported Values: Enabled or disabled
Default: Disabled

Parameter: TCP Syn Cookie
Description: Enables Layer 2/3 SYN cookies on the interface.
Note: Hardware-based SYN cookie support also must be enabled globally. See “Config Mode > SLB > Service > Global > Settings” on page 206.
Supported Values: Enabled or disabled
Default: Disabled
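
The ICMP Rate Limiting rows in Tables 133 and 136 describe a per-second limiter with an optional lockup. The Python model below is an added example, not A10 code; it shows which packets are forwarded, what the drop counter records and when a log message appears. It assumes per-second packet counts as input, that a lockup begins at the next one-second boundary, and that lockup rate and lockup period are set together; the names and sample counts are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IcmpRateLimiter:
    normal_rate: int                      # 1-65535 packets per second
    lockup_rate: Optional[int] = None     # 1-65535 packets per second (optional)
    lockup_period: Optional[int] = None   # 1-16383 seconds (optional)
    locked_until: int = 0                 # first second at which ICMP is accepted again
    dropped: int = 0                      # counter increments with or without lockup
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.normal_rate <= 65535:
            raise ValueError("normal rate must be 1-65535 packets per second")
        # Assumption: the two optional lockup fields are given together.
        if (self.lockup_rate is None) != (self.lockup_period is None):
            raise ValueError("set lockup rate and lockup period together")
        if self.lockup_rate is not None:
            if not 1 <= self.lockup_rate <= 65535:
                raise ValueError("lockup rate must be 1-65535 packets per second")
            if not 1 <= self.lockup_period <= 16383:
                raise ValueError("lockup period must be 1-16383 seconds")

    def tick(self, second: int, received: int) -> int:
        """Process one one-second interval; return the packets forwarded."""
        if second < self.locked_until:
            # Locked up: all ICMP packets are dropped until the lockup expires.
            self.dropped += received
            return 0
        # Excess over the normal rate is dropped until the next interval begins.
        forwarded = min(received, self.normal_rate)
        self.dropped += received - forwarded
        if self.lockup_rate is not None and received > self.lockup_rate:
            # Assumption: the lockup covers the next lockup_period intervals.
            self.locked_until = second + 1 + self.lockup_period
            # Log messages exist only when the lockup option is used and occurs.
            self.log.append(
                f"t={second}s ICMP lockup for {self.lockup_period}s "
                f"({received} pps > lockup rate {self.lockup_rate} pps)"
            )
        return forwarded


def simulate(limiter: IcmpRateLimiter, per_second_counts: List[int]) -> List[int]:
    """Feed per-second ICMP packet counts; return forwarded packets per second."""
    return [limiter.tick(t, n) for t, n in enumerate(per_second_counts)]


# Constructed sample: normal traffic, a burst above the normal rate, a burst
# above the lockup rate, then four seconds of ordinary 40 pps ICMP.
SAMPLE = [50, 300, 800, 40, 40, 40, 40]

if __name__ == "__main__":
    with_lockup = IcmpRateLimiter(normal_rate=100, lockup_rate=500, lockup_period=3)
    print("with lockup:   ", simulate(with_lockup, SAMPLE), with_lockup.dropped, with_lockup.log)
    without = IcmpRateLimiter(normal_rate=100)
    print("without lockup:", simulate(without, SAMPLE), without.dropped, without.log)
```

In the sample, the ordinary 40 pps that arrives during the lockup is dropped along with the burst, and with the lockup fields left unset the same burst is still limited and counted but produces no log entry.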

Config Mode > Network > Interface > Global

This page shows and allows you to change global interface settings.

Table 137 lists the global interface parameters.

TABLE 137 Global Interface Parameters

TCP SYN Cookies Section

Parameter: Threshold
Description: Threshold for TCP handshake completion. This parameter is applicable when SYN cookies are active.
Supported Values: 1-100 seconds
Default: 4 seconds

Parameter: L3-VLAN-fwd-disable
Description: Disables Layer 3 forwarding between VLANs for incoming traffic.
Supported Values: Enabled (Layer 3 forwarding between VLANs is disabled) or Disabled (Layer 3 forwarding between VLANs is enabled)
Default: disabled (Layer 3 forwarding between VLANs is enabled by default.)

Parameter: Jumbo
Description: On models that support jumbo frames, this option enables jumbo support.
Notes:
• On non-FPGA models, after you enable (or disable) jumbo frame support, you must save the configuration and reboot to place the change into effect.
• If jumbo support is enabled on a non-FPGA model and you erase the startup-config, the device is rebooted after the configuration is erased.
For additional information, and a list of models that support jumbo frames, see the System Configuration and Administration Guide.
Supported Values: Enabled or Disabled
Default: Disabled

Config Mode > Network > Trunk


This section lists the configured trunk groups. A trunk group is a set of
Ethernet data ports configured as a single logical link.

The Trunk section is displayed when you click Add or click on a trunk
number.

Table 138 lists the trunk parameters you can configure.

TABLE 138 Trunk Parameters

Trunk Section

Parameter: Trunk ID
Description: Assigns a numeric ID to the trunk group.
Note: Up to 16 trunks are supported, in any combination of static and dynamic trunks.
Supported Values: 1-16
Default: Not set

Parameter: Name
Description: Name of the trunk.
Note: The name can contain numbers, upper case and lower case characters. The following special characters are not allowed:
~!@#$%^&*()_+|}{:”<>?
Supported Values: String of 1-63 characters
Default: Not set

Parameter: Interface
Description: Specifies the Ethernet data ports in the trunk.
To add a port to the trunk:
1. Select the port in the Available list.
2. Click >> to move the port to the Port list.
3. Repeat for each port to add to the trunk.
To disable a trunk port:
1. Select the port in the Port list.
2. Click >> to move the port to the Disabled Port list.
When you finish configuring the trunk, click OK.
Supported Values: Ethernet data port names
Default: None

Ports Threshold Section

Parameter: Threshold
Description: Specifies the minimum number of up ports required from the drop-down list.
Supported Values: 2-8
Default: Not set

Parameter: Threshold Timer
Description: Specifies the trunk-threshold timer.
The trunk-threshold timer is used in some situations to delay the ports-threshold action. The configured port threshold is not enforced until the timer expires. The ports-threshold timer for a trunk is used in the following situations:
• When a member of the trunk links up.
• A port is added to or removed from the trunk.
• The port threshold for the trunk is configured during runtime. (If the threshold is set in the startup-config, the timer is not used.)
Supported Values: 1-300 seconds
Default: 10 seconds

Config Mode > Network > LACP


This option enables you to set the Link Aggregation Control Protocol
(LACP) system priority of the ACOS device.
The LACP system priority can be assigned a value from 1 (low priority) to
65535 (high priority). The default priority setting is 2.

Note: In cases where LACP settings on the local device (the ACOS device) and
the remote device at the other end of the link differ, the settings on the
device with the higher priority are used.

Note: If the LACP trunk has more candidate members than are allowed by the
device at the other end of the link, LACP selects the interfaces with the
highest port priority values as the active interfaces. The other interfaces
are standbys, and are used only if an active interface goes down.

Config Mode > Network > VLAN


The VLAN option provides configuration pages for Layer 2 settings. The
following menu options are available:
• VLAN

• MAC

• Global

Config Mode > Network > VLAN > VLAN

This page lists the configured Virtual LANs (VLANs). A VLAN is a set of
Ethernet data ports configured as a separate Layer 2 collision domain.

The VLAN section is displayed when you click Add or click on a VLAN
number.

Table 139 lists the VLAN parameters you can configure.

TABLE 139 VLAN Parameters

VLAN Section

Parameter: VLAN ID
Description: ID number of the VLAN.
Supported Values: 2-4094
Default: Not set

Parameter: Name
Description: Name to identify the VLAN.
Supported Values: String of 1-31 characters
Default: Not set

Parameter: Interface
Description: Specifies the Ethernet data ports in the VLAN.
To add a port to the VLAN:
1. Select the port in the Available list.
2. To add the port as untagged, click << to move the port to the Untagged list. Otherwise, click >> to move the port to the Tagged list.
3. Repeat for each port to add to the VLAN.
Supported Values: Ethernet data port names
Default: Not set

Parameter: Virtual Interface
Description: Specifies the VE number for the VLAN.
If the ACOS device is deployed in gateway (Layer 3) mode, you can configure an IP interface on the VE. (See “Config Mode > Network > Interface > Virtual” on page 407.)
Supported Values: 1-4094
Default: Not set
Note: To simplify configuration, select the VE number that corresponds to the VLAN number.

Static MAC Section
This section enables you to add static MAC entries to the VLAN.
To add a static MAC entry:
1. Enter the MAC address in the MAC Address field. Use the following format: aabb.ccdd.eeff
2. Select the port from the Port drop-down list.
3. Click Add.

Config Mode > Network > VLAN > MAC

This page displays the aging timer for dynamic (learned) MAC entries. An
entry that remains unused for the duration of the aging time is removed
from the MAC table.

You can specify 10-600 seconds. The default is 300 seconds.

Note: On models AX 2200, AX 3200, AX 3200-11, AX 3200-12, AX 3400,
AX 5100, AX 5200, AX 5200-11, and AX 5630 the actual MAC aging
time can be up to 2 times the configured value. For example, if the aging
time is set to 50 seconds, the actual aging time will be between 50 and
100 seconds. On other models, the actual MAC aging time can be +/- 10
seconds from the configured value.

Config Mode > Network > VLAN > Global

This page enables you to change the traffic limits for VLANs. You can set
global limits for all VLANs, as well as per-VLAN limits.

Table 140 lists the VLAN traffic limits you can configure.

TABLE 140 VLAN Traffic Limit Parameters

All VLAN Limitation Section

Parameter: Broadcast Packets
Description: Maximum number of broadcast packets allowed per second, on all VLANs combined.
Supported Values: 1-65535
Default: 5000 packets per second

Parameter: IP Multicast Packets
Description: Maximum number of IP multicast packets allowed per second, on all VLANs combined.
Supported Values: 1-65535
Default: 5000 packets per second

Parameter: Multicast Packets
Description: Maximum number of multicast packets allowed per second, on all VLANs combined.
Supported Values: 1-65535
Default: 5000 packets per second

Parameter: Unknown Unicast Packets
Description: Maximum number of unknown unicast packets allowed per second, on all VLANs combined.
Supported Values: 1-65535
Default: 5000 packets per second

Per VLAN Limitation Section

Parameter: Broadcast Packets
Description: Maximum number of broadcast packets allowed per second, on any individual VLAN.
Supported Values: 1-65535
Default: 1000 packets per second

Parameter: IP Multicast Packets
Description: Maximum number of IP multicast packets allowed per second, on any individual VLAN.
Supported Values: 1-65535
Default: 1000 packets per second

Parameter: Multicast Packets
Description: Maximum number of multicast packets allowed per second, on any individual VLAN.
Supported Values: 1-65535
Default: 1000 packets per second

Parameter: Unknown Unicast Packets
Description: Maximum number of unknown unicast packets allowed per second, on any individual VLAN.
Supported Values: 1-65535
Default: 1000 packets per second

Config Mode > Network > ARP


The ARP pages enable you to configure static Address Resolution Protocol
(ARP) entries.

Config Mode > Network > ARP > IPv4

The IPv4 ARP configuration section is displayed when you click Add or
click on a static ARP entry.

Table 141 lists the IPv4 ARP parameters.

TABLE 141 IPv4 ARP Parameters

IPv4 ARP Section

Parameter: IP Address
Description: IPv4 address of the entry.
Supported Values: Valid IPv4 address
Default: Not set

Parameter: MAC Address
Description: MAC address of the entry.
Supported Values: Valid MAC address
Default: Not set

Parameter: Interface
Description: Ethernet data port through which the device with the IP address and MAC address specified above can be reached.
Supported Values: Ethernet data port names
Default: Not set

Parameter: VLAN ID
Description: VLAN for which to add the ARP entry.
Supported Values: VLAN ID
Default: The entry can be used for any VLAN.


Config Mode > Network > ARP > IPv6 Neighbor

The IPv6 Neighbor configuration section is displayed when you click Add
or click on a static IPv6 neighbor entry.

Table 142 lists the IPv6 neighbor parameters.

TABLE 142 IPv6 Neighbor Parameters

IPv6 Neighbor Section

Parameter: IP Address
Description: IPv6 address of the entry.
Supported Values: Valid IPv6 address
Default: Not set

Parameter: MAC Address
Description: MAC address of the entry.
Supported Values: Valid MAC address
Default: Not set

Parameter: Interface
Description: Ethernet data port through which the device with the IP address and MAC address specified above can be reached.
Supported Values: Ethernet data port names
Default: Not set

Parameter: VLAN
Description: VLAN for which to add the ARP entry.
Supported Values: VLAN ID
Default: The entry can be used for any VLAN.

Config Mode > Network > ARP > Global

The Global section enables you to change the ARP timeout, which is used to
age out dynamic ARP table entries. By default, dynamic ARP entries age
out after 300 seconds (5 minutes). You can change the global ARP timer to
60-86400 seconds.

Config Mode > Network > Route


The Route pages enable you to configure IP routing parameters.

Config Mode > Network > Route > IPv4 Static

This option displays the configured IPv4 static routes.

The Static Route section is displayed when you click Add or click on an
IPv4 static route.

Table 143 lists the parameters you can configure for IPv4 static routes.


TABLE 143 IPv4 Static Route Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| Static Route Section | | |
| IP Address Prefix | Destination network of the route. | Valid IPv4 address. Default: Not set |
| Netmask | Network mask for the destination network. | Valid IPv4 mask. Default: Not set |
| Gateway | IP address of the next-hop router to use to reach the destination network. | Valid IPv4 address. Default: Not set |
| Distance | Distance value for the route. | 1-255. Default: 1 |

Config Mode > Network > Route > IPv6 Static

This option displays the configured IPv6 static routes.

The Static Route section is displayed when you click Add or click on an
IPv6 static route.

Table 144 lists the parameters you can configure for IPv6 static routes.

TABLE 144 IPv6 Static Route Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| Static Route Section | | |
| IP Address | Destination network of the route. | Valid IPv6 address. Default: Not set |
| Prefix Length | Length of the network prefix. | 1-128. Default: Not set |
| Forwarding Router Address | IP address of the next-hop router to use to reach the destination network. | Valid IPv6 address. Default: Not set |
| Outgoing Port | Outbound data interface. Note: This option applies only to link-local addresses. | Valid data interface. Default: Not set |
| Distance | Distance value for the route. | 1-255. Default: 1 |


Config Mode > Network > DNS


The DNS section enables you to configure the ACOS hostname and other
DNS settings.

Table 145 lists the DNS parameters you can configure.

TABLE 145 DNS Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| DNS Section | | |
| Hostname | Hostname of the ACOS device. | String. Default: ACOS model |
| DNS Suffix | Default domain name (DNS suffix) for hostnames on the ACOS device. | String. Default: Not set |
| Primary DNS | IP address of the DNS server to which the ACOS device should send DNS requests. | Valid IPv4 address. Default: Not set |
| Secondary DNS | IP address of the DNS server to use as a backup if the primary DNS server does not respond. | Valid IPv4 address. Default: Not set |

Config Mode > Network > BPDU-Fwd-Group


This option enables you to configure BPDU forwarding groups. BPDU forwarding
groups enable you to use the ACOS device in a network that runs
Spanning Tree Protocol (STP).

A BPDU forwarding group is a set of tagged Ethernet interfaces that will
accept and broadcast STP BPDUs among themselves. When an interface in
a BPDU forwarding group receives an STP BPDU (a packet addressed to
MAC address 01-80-C2-00-00-00), the interface broadcasts the BPDU to all
the other interfaces in the group.

You can configure up to 8 BPDU forwarding groups.

Rules for trunk interfaces:

• BPDUs are broadcast only to the lead interface in the trunk.

• If a BPDU is received on an Ethernet interface that belongs to a trunk,
the BPDU is not broadcast to any other members of the same trunk.


To configure a BPDU forwarding group:


1. Select the group number from the BPDU-Fwd-Group drop-down list.

2. Select the interfaces to add to the group.

3. Click >> to add the interfaces to the group.


Config Mode – System Options

This chapter describes the System configuration options.


• “Config Mode > System > Settings”

• “Config Mode > System > Admin”

• “Config Mode > System > SNMP”

• “Config Mode > System > Maintenance”

• “Config Mode > System > Console”

• “Config Mode > System > Config File”

• “Config Mode > System > aVCS”

• “Config Mode > System > HA”

• “Config Mode > System > VRRP-A”

Config Mode > System


The System pages enable you to configure system-level parameters.

Note: Access to configuration options will vary with your administrative role
and system configuration of the ACOS device. For information on the
privilege level of administrative roles, see “Preconfigured GUI Access
Roles” on page 447.

Config Mode > System > Settings


The Settings options configure system management settings.

Config Mode > System > Settings > Web

This menu option displays the following configuration sections:


• Web

• aXAPI

• Preference


Table 146 lists the Web parameters.

TABLE 146 Web Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| Web Section | | |
| Language | Language of the GUI. | One of the following: English, Simple Chinese, Japanese, Traditional Chinese, Korean. Default: English |
| Web Timeout | Number of minutes a Web management session can remain idle before it times out and is terminated by the ACOS device. To disable the timeout, specify 0. | 0-60 minutes. Default: 10 minutes |
| HTTP Port | HTTP protocol port number and port state. | Enabled or Disabled; 1-65535. Default: Enabled; 80 |
| HTTPS Port | HTTPS protocol port number and port state. | Enabled or Disabled; 1-65535. Default: Enabled; 443 |
| Redirect HTTP to HTTPS | Automatically redirects requests for the unsecured port (HTTP) to the secure port (HTTPS). | Enabled or Disabled. Default: Enabled |
| aXAPI Section | | |
| aXAPI Timeout | Number of minutes an aXAPI session can remain idle before being terminated. Once the aXAPI session is terminated, the session ID generated by the ACOS device for the session is no longer valid. Note: For information about aXAPI, see the aXAPI Reference. | 0-60 minutes. If you specify 0, sessions never time out. Default: 10 minutes |
| Preference Section | | |
| Default IP Address | Default IP address type for configuration fields in the GUI. Note: Changing the default address type does not change any addresses that are already configured. This option simply changes the default address type that is selected on configuration sections. | IPv4 or IPv6. Default: IPv4 |
| Default Save To | Selects the partition(s) to which to save configuration changes by default: • Current Partition – The partition currently selected from the Partition drop-down list at the top of the GUI window. • All Partitions – The shared partition and all RBA/L3V private partitions. Note: Once set, the default save option is always remembered for different user profiles. | Current Partition or All Partitions. Default: Current Partition |
| Multiple Config Mode | Permits multiple administrative sessions in configuration mode. | Enabled or Disabled. Default: Disabled |

Config Mode > System > Settings > Web Certificate


This page lists information about the web certificate used by the GUI.

You also can use this page to replace the web certificate. Replacing the
certificate with a CA-signed certificate prevents the certificate warning from
being displayed by your browser when you log onto the GUI. You can
install a child certificate and key, and up to 3 chain certificates. After
importing the certificate files, click OK to place the change into effect.

Exporting Web Certificate Files


1. Select Config Mode > System > Settings > Web Certificate, if not
already selected.

2. Click Export.

3. Select the save location.

4. Click OK or Save (depending on the browser).

All web management certificates, keys, and chain certificates are downloaded.


Replacing Web Certificate Files


1. Select Config Mode > System > Settings > Web Certificate, if not
already selected.

2. Import the child certificate:


   a. Select the certificate file location next to Import Certificate from:
      • Local – The file is on the PC you are using to run the GUI, or is
        on another PC or server in the local network. Go to step b.
      • Remote – The file is on a remote server. Go to step d.
   b. Click Browse and navigate to the location of the certificate file.
   c. Click Open. The path and filename appear in the Source field. Go to
      step 5.
   d. To use the management interface as the source interface for the
      connection to the remote device, select Use Management Port.
      Otherwise, the ACOS device will attempt to reach the remote server
      through a data interface.
   e. Select the file transfer protocol: FTP, TFTP, RCP, SCP, or SFTP.
   f. In the Host field, enter the directory path and filename.
   g. If needed, change the protocol port number in the port field. By
      default, the default port number for the selected file transfer
      protocol is used.
   h. In the User and Password fields, enter the username and password
      required for access to the remote server.

3. Import the key for the child certificate. The options are the same as
those for importing the child certificate.

4. Import the chain certificates, if applicable. The options are the same as
those for importing the child certificate.

5. Click OK.

Resetting the Web Certificate to the Factory Default


If you need to reset the web certificate to the one installed at the factory,
click Reset.

If you need to reset the web certificate using the CLI instead, enter the
following command at the global configuration level of the CLI:

    web-service certificate-reset


Config Mode > System > Settings > Terminal > CLI

This menu option displays the CLI Terminal section.

Table 147 lists the parameters you can configure in this section.
To restore all CLI access settings to the default values, click the Reset To
Default button.

Caution: The Reset To Default option also resets the enable password to its
default value (empty – no password).

TABLE 147 CLI Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| CLI Terminal Section | | |
| CLI Timeout | Specifies the number of minutes a CLI session can be idle before it times out and is terminated. To disable the timeout, enter 0. | 0-60 minutes. Default: 10 minutes |
| Current Enable Password, Enable Password, Confirm Password | Allows you to change the enable password. 1. Enter the current enable password in the Current Enable Password field. 2. Enter the new enable password in the Enable Password and Confirm Enable Password fields. 3. When finished configuring CLI settings, click OK. | String |
| Auto Size | Automatically adjusts the length and width of the terminal display. Disabling this option enables the Columns and Lines input fields. | Selected (enabled) or deselected (disabled). Default: Selected |
| Columns | Specifies the number of columns to display. | 0-512. Default: 80 columns. To use an unlimited number of columns, enter 0. |
| Lines | Specifies the number of lines to display per page. | 0-512. Default: 24 lines. To disable paging, enter 0. |
| Enable Edit of Command Line | Enables command editing. | Selected (enabled) or unselected (disabled). Default: Selected |
| Enable Control of Command History | Enables the command history. | Selected (enabled) or unselected (disabled). Default: Selected |
| History Size | Specifies the number of commands the command history can contain. | 0-1000. Default: 256 commands |


Config Mode > System > Settings > Terminal > Banner

The banner sections enable you to configure the banner messages displayed
in the CLI. By default, the messages shown in bold type in the following
example are displayed:

    login as: admin
    Welcome to AX
    Using keyboard-interactive authentication.
    Password:
    Last login: Thu Feb 7 13:44:32 2008 from 192.168.1.144

    [type ? for help]

You can format banner text as a single line or multiple lines.

If you configure a banner message that occupies multiple lines, you must
specify the end marker. The end marker is a simple string up to 2 characters
long, each of which must be an ASCII character from the following
range: 0x21-0x7e. Pressing Enter at the end of each line is not necessary.
The multi-line banner text starts from the first line and ends at the marker. If
the end marker is on a new line by itself, the last line of the banner text will
be empty. If you do not want the last line to be empty, put the end marker at
the end of the last non-empty line.
1. To configure a banner:
a. Select the banner type, single-line or multi-line.
b. If you selected multi-line, enter the end marker value in the End
Marker field.
c. Enter the message in the Login Banner or Exec Banner field.
If the message is a multi-line message, you can add line breaks by
pressing Enter / Return at the end of every line. Do not type the end
marker at the end of the message. The GUI automatically places the
end marker at the end of the message text in the configuration.

2. If you are configuring both messages, repeat step 1 for the other message.

3. Click OK.
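
The end-marker rules above can be checked before a banner is saved. The following is an added example, not A10 code: it models the documented rules (marker of up to 2 characters in 0x21-0x7e, marker appended after the message, text ends at the marker). The function names are hypothetical, and ending the text at the first occurrence of the marker is an assumption.

```python
# Added example: a model of the multi-line banner end-marker rules.
# Function names are hypothetical; this is not the ACOS implementation.

def end_marker_ok(marker):
    """Up to 2 characters, each an ASCII character in the range 0x21-0x7e."""
    return 1 <= len(marker) <= 2 and all(0x21 <= ord(c) <= 0x7E for c in marker)


def stored_form(message, marker):
    """Text as the GUI is described as storing it: message, then end marker."""
    if not end_marker_ok(marker):
        raise ValueError("invalid end marker: %r" % marker)
    return message + marker


def displayed_lines(stored, marker):
    """Banner lines: from the first line up to the end marker.

    Assumption: the text ends at the FIRST occurrence of the marker.
    """
    end = stored.find(marker)
    if end == -1:
        raise ValueError("end marker not found")
    return stored[:end].split("\n")


def review(message, marker):
    """Return the problems to fix before clicking OK (empty list = none)."""
    if not end_marker_ok(marker):
        return ["bad-marker"]
    problems = []
    if marker in message:
        # The marker inside the message would cut the banner short.
        problems.append("marker-in-message")
    shown = displayed_lines(stored_form(message, marker), marker)
    if shown[-1] == "":
        # Message ends with a line break, so the marker sits on a line by
        # itself and the last banner line is empty.
        problems.append("empty-last-line")
    return problems


# Constructed sample banners (not from the product).
GOOD = "Authorized use only.\nAll sessions are logged."
TRAILING_BREAK = GOOD + "\n"
CONTAINS_MARKER = "Disk at 95%% full\nCall the NOC."

if __name__ == "__main__":
    for text in (GOOD, TRAILING_BREAK, CONTAINS_MARKER):
        print(review(text, "%%"), displayed_lines(stored_form(text, "%%"), "%%"))
```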


Config Mode > System > Settings > Log


This menu option displays the following log configuration sections:
• Log – Configures log levels and output options

• Status – Configures display of the log on the Monitor Mode > Overview
> Status page

Table 148 lists the system log parameters you can configure.

TABLE 148 Log Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| Log Section | | |
| Disposition | Output options for each message level. For each message level, you can select which of the following output options to enable: • Console – Messages are displayed in Console sessions. • Buffered – Messages are stored in the system log buffer. The GUI system log lists the messages in this buffer. • Email – Messages are sent to the email addresses in the Email To list. (See below.) • SNMP – Notifications are sent to the SNMP server specified in the SMTP Server fields. (See below.) • Syslog – Messages are sent to the external log servers specified in the Log Server fields. (See below.) • Monitor – Messages are displayed in Telnet and SSH sessions. | The following message levels can be individually selected for each output option: Emergency, Alert, Critical, Error, Warning, Notification, Information, Debug. Only Emergency, Alert, Critical, and Notification can be selected for Email. |
| Logging Email Filter, Logging Email Buffer Number, Logging Email Buffer Time | Settings for sending log messages by email. | See “Log Email Filter Configuration” on page 429. |
| Facility | Standard Syslog facility to use. | Standard Syslog facilities listed in RFC 3164. |
| Log Buffer Entries | Maximum number of log entries the log buffer can store. | 10000 to 50000 entries. Default: 30000 |
| Log Server | IP addresses or fully-qualified domain names of external log servers. Only the message levels for which Syslog is selected in the Disposition list are sent to log servers. | Any valid IP address or fully-qualified domain name. Default: Not set |
| Log Server Port | Protocol port to which log messages sent to external log servers are addressed. | Any valid protocol port number. Default: 514 |
| Email To | Email addresses to which to send log messages. Only the message levels for which Email is selected in the Disposition list are sent to log servers. Use a single space between each address. Formatting commands are not supported. For example, do not enter any of the following: \n, \r, \t. Addresses are allowed to wrap. Do not press the Enter key to force an address to go to the next line. | List of up to 10 email addresses. Use commas to separate the addresses. Each email address can be a maximum of 63 characters long. |
| SMTP Server | IP address or fully-qualified domain name of an email server using Simple Mail Transfer Protocol. | Any valid IP address or fully-qualified domain name. Default: Not set |
| SMTP Server Port | Protocol port to which email messages sent to the SMTP server are addressed. | Any valid protocol port number. Default: 25 |
| Mail From | Specifies the email From address. | Valid email address. Default: Not set |
| Need Authentication | Specifies whether access to the SMTP server requires authentication. | Selected (enabled) or unselected (disabled). Default: disabled |
| Username | Username required for access to the SMTP server. | Valid username. Default: Not set |
| Password | Password required for access to the SMTP server. | Valid password. Default: Not set |
| Audit Section | | |
| Level | Types of commands to be logged: • Disabled – Command auditing is disabled. • Enabled – Configuration commands are logged. • Enable Privilege – Configuration commands and operational commands are logged. | One of the following: Disabled, Enabled, Enable Privilege. Default: Disabled |
| Audit Buffer Size | Number of entries the audit log can hold. When the log is full, the oldest entries are removed to make room for new entries. | 1000-30000. Default: 20000 |
| Status Section | | |
| Level | Specifies the log levels that are displayed on the Monitor Mode > Overview > Status page. You also can change the display color for each message level. | Any of the following: Emergency, Alert, Critical, Error, Warning, Notification, Information, Debug. Default: All are enabled. For default and available colors, display the drop-down lists next to the message levels. |
| Refresh Interval | Specifies how often the Status page is automatically refreshed. | 5-60 seconds. Default: 10 seconds |
| Entry Number | Specifies how many log entries can be viewed on the Status page. | 10-1000 messages. Default: the 100 most recent messages |

Log Email Filter Configuration


To configure email of log messages:
• Configure ACOS access to the email server.

• Configure log email settings.

Configure ACOS Access to the SMTP (email) Server


1. Select Config Mode > System > Settings.

2. In the SMTP Server field, enter the hostname or IP address of the SMTP
server.

3. If the SMTP server does not use the default SMTP port, enter the correct
port in the SMTP Server Port field.

4. In the Mail From field, enter the sending email address for emailed log
messages.


5. If authentication is required for access:


• Select the Need Authentication checkbox.
• Enter the username and password in the Username and Password
fields.

Configure Email Log Settings:


1. Select Config Mode > System > Settings.

2. On the menu bar, select Log.

3. In the Logging Email Filter section, click Add. A configuration page for
the filter appears.

4. In the ID field, enter the filter ID, 1-8.

5. To immediately send matching messages in an email instead of buffering
them, select Trigger. Otherwise, matching messages are buffered
until the message buffer becomes full or the send timer for emailed log
messages expires.

6. Construct the rest of the filter by selecting the conditions.

Note: The conditions must be selected in the order described here. Otherwise,
the filter will be invalid. If you accidentally configure an invalid filter,
you can click Clear to remove the filter conditions and start again.
a. Select the message severity level from the first drop-down list, at the
upper left, and click Add. To add more severity levels, repeat this
step for each severity level.
b. Optionally, select a software module from the second drop-down
list, to the right of the first drop-down list. Then click Add. To add
more modules, repeat this step for each module.
c. Optionally, enter a regular expression to specify message text to
match on, in the lower left entry field. Then click Add.
d. Select the operator from the drop-down list in the lower right field,
and click Add.

7. Click OK. The new filter appears in the Logging Email Filter section on
the Log page.

8. Optionally, to change the maximum number of log messages to buffer
before emailing them, edit the number in the Logging Email
Buffer Number field. You can specify 16-256 messages. The default is
50.


9. Optionally, to change the number of minutes the ACOS device waits
before sending all buffered messages, edit the number in the Logging
Email Buffer Time field. This option takes effect if the buffer does not
reach the maximum number of messages allowed. You can specify
10-1440 minutes. The default is 10.

10. When finished configuring log settings, click OK.

FIGURE 34 Config Mode > System > Settings > Log - Add (Logging Email
Filter)


FIGURE 35 Config Mode > System > Settings > Log (Logging Email Filter
added)

Config Mode > System > Settings > General

This menu option provides the following suboptions for configuring general
system parameters:
• Threshold

• TFTP

• Resource Usage

• PBSLB

Note: The Buffer Drop and Buffer Usage options are not applicable to some
device types. The options are applicable to hardware-based ACOS models
and SoftAX.


Config Mode > System > Settings > General > Threshold

This option enables you to specify event thresholds for utilization of system
resources. If utilization of a system resource crosses the configured
threshold, a log message is generated. If applicable, an SNMP trap is also
generated.

Table 149 lists the thresholds you can configure.

TABLE 149 Threshold Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| Threshold Section | | |
| System Temperature | CPU temperature. | 1-68° C (degrees Centigrade). Default: 68° |
| Control CPU Usage | Control CPU utilization. | 1-100 percent. Default: 90 percent |
| Data CPU Usage | Data CPU utilization. | 1-100 percent. Default: 90 percent |
| Memory Usage | Memory utilization. | 1-100 percent. Default: 95 percent |
| Disk Usage | Hard disk utilization. | 1-100 percent. Default: 85 percent |
| Buffer Drop | Packet buffer drops. | Depends on the ACOS model. See the GUI for information. |
| Buffer Usage | Packet control buffer utilization. | Depends on the ACOS model. See the GUI for information. |

Config Mode > System > Settings > General > TFTP
This option enables you to increase the TFTP block size.

The TFTP block size is the maximum packet length the ACOS TFTP client
can use when sending or receiving files to or from a TFTP server. You can
specify from 512-32768 bytes. The default is 512 bytes.

Increasing the TFTP block size can provide the following benefits:
• TFTP file transfers can occur more quickly, since fewer blocks are
required to send a file.
• File transfer errors due to the server reaching its maximum block size
before a file is transferred can be eliminated.

To determine the maximum file size a block size will allow, use the
following formula: 1K-blocksize = 64MB-filesize (each 1 KB of block size
allows 64 MB of file size).


| Block Size | Maximum File Size |
|---|---|
| 1024 | 64 MB |
| 8192 | 512 MB |
| 32768 | 2048 MB |

Increasing the TFTP block size of the ACOS device only increases the
maximum block size supported by the ACOS device. The TFTP server also
must support larger block sizes. If the block size is larger than the TFTP
server supports, the file transfer will fail and a communication error will be
displayed on the CLI terminal.

If the TFTP block size is larger than the IP Maximum Transmission Unit
(MTU) on any device involved in the file transfer, the TFTP packets will be
fragmented to fit within the MTU. The fragmentation will not increase the
number of blocks; however, it can re-add some overhead to the overall file
transmission speed.

Config Mode > System > Settings > General > Resource Usage > Global

This page enables you to reconfigure the system capacity for certain system
resources.

Table 150 lists the resource capacities you can configure. The supported
values and defaults may differ depending on the ACOS model.

Note: To place a change to L4 Session into effect, a reboot is required. A reload
will not place this change into effect. For changes to any of the other
system resources, a reload is required but a reboot is not required.

TABLE 150 Resource Usage Global Parameters

| Parameter | Description |
|---|---|
| Network Usage Limitation Section | |
| L4 Session | Total Layer 4 sessions. |
| NAT Pool Address | Total IP source-NAT pool addresses. |
| Template Usage Limitation Section | |
| Client-SSL Template | Total configurable client-SSL templates. |
| Connection Reuse Template | Total configurable connection reuse templates. |
| Fast-TCP Template | Total configurable TCP templates. |
| Fast-UDP Template | Total configurable UDP templates. |
| HTTP Template | Total configurable HTTP templates. |
| Cookie Persistence Template | Total configurable cookie persistence templates. |
| Source-IP Persistence Template | Total configurable source-IP persistence templates. |
| TCP-Proxy Template | Total configurable TCP-proxy templates. |
| RTSP Template | Total configurable RTSP (streaming-media) templates. |
| Server-SSL Template | Total configurable server-SSL templates. |
| SLB Usage Limitation Section | |
| Server Port | Total configurable server ports. |
| Server | Total configurable servers. |
| Service Group | Total configurable service groups. |
| Virtual Server Port | Total configurable virtual server ports. |
| Virtual Server | Total configurable virtual servers. |
| IPv6 Addresses for Class List | Total IPv6 addresses for class-lists. |

Config Mode > System > Settings > General > Resource Usage > Template

This page allows you to configure resource templates for Layer 2/3
partitions. Once defined, you can bind or unbind a resource template to a
particular partition. You can also apply a sample template to multiple partitions.

Note: GSLB parameters are configurable on a per-partition basis. They are
hard-coded, and thus non-configurable, at the system level.

Table 151 lists the resource usage templates you can configure. The
supported values and defaults may differ depending on the ACOS model.


TABLE 151 Resource Usage Template Parameters

| Parameter | Description |
|---|---|
| Application Resource Section | |
| Name | Name of the template. |
| Virtual Server | Enter number of virtual servers allowed. |
| Service Group | Enter the number of service groups allowed. |
| Server | Number of real servers allowed. |
| Health Monitor | Enter the number of health monitor checks a server uses. |
| GSLB Device | Enter number of GSLB devices allowed. |
| GSLB Geo-location | Enter the number of GSLB geo-locations allowed. |
| GSLB IP List | Enter the number of GSLB IP lists allowed. |
| GSLB Policy | Enter the number of GSLB policies allowed. |
| GSLB Service | Enter the number of GSLB services allowed. |
| GSLB Service IP | Enter the number of GSLB service IPs allowed. |
| GSLB Service Port | Enter the number of GSLB service-ports allowed. |
| GSLB Site | Enter the number of GSLB sites allowed. |
| GSLB Template | Enter the number of GSLB templates allowed. |
| GSLB Zone | Enter the number of GSLB zones allowed. |
| Network Resource Section | |
| Static MAC | Enter the number of static MAC addresses allowed. |
| Static ARP | Enter the number of static IPv4 ARPs or IPv6 neighbors allowed. |
| Static Neighbor | Enter the number of static neighbors allowed. |
| Static IPv4 Route | Enter the number of static IPv4 routes allowed. |
| Static IPv6 Route | Enter the number of static IPv6 routes allowed. |
| System Resource Section | |
| Bandwidth | Enter the bandwidth limit in Mbps. From this field, you can enable or disable the watermark option. If enabled, when the bandwidth approaches the 90% mark, existing sessions will be maintained and any new sessions will be dropped. If disabled, new connections are accepted until 100% of the bandwidth in that second is utilized. A watermark is enabled by default. |
| Concurrent Session | Enter the concurrent session limit. |
| L4 CPS | Enter the Layer 4 CPS limit. |
| L7 CPS | Enter the Layer 7 CPS limit. |
| NAT CPS | Enter the NAT CPS limit. |
| SSL CPS | Enter the SSL CPS limit. |
| SSL Throughput | Enter the SSL throughput limit in Mbps. From this field, you can enable or disable the watermark option. If enabled, when the bandwidth approaches the 90% mark, existing sessions will be maintained and any new sessions will be dropped. If disabled, new connections are accepted until 100% of the bandwidth in that second is utilized. A watermark is enabled by default. |

Config Mode > System > Settings > General > PBSLB
This page allows you to configure system-wide Policy-Based SLB
(PBSLB). System-wide PBSLB enables you to control access through the
ACOS device based on source or destination IP address.

For traffic that is allowed access, you also can enforce connection limits and
connection-rate limits. Additionally, you can specify the action to take for
traffic that exceeds the connection limit or connection-rate limit.

To specify the IP addresses to permit, deny, or limit, you can use a
black/white list or a class list. The black/white list or class list maps the IP
addresses to permit or deny actions, limits, and over-limit actions specified
in a policy or a policy template.

Deciding Whether to Use a PBSLB Policy or a PBSLB Policy Template

The main difference between using an individual policy and a policy template
is that PBSLB templates support use of class lists, which can be used
with options that are not available using black/white lists.

Specifically, the following traffic limiting options are available if you use a
class list:
• Connection limiting – Maximum number of concurrent connections
allowed for a client.
• Connection-rate limiting – Maximum number of new connections
allowed for a client within a specified period.
• Request limiting – Maximum number of concurrent Layer 7 requests
allowed for a client.
• Request-rate limiting – Maximum number of Layer 7 requests allowed
for a client within a specified period.

If you use a black/white list, the only one of these options that is supported
is connection limiting.

Class List Syntax


A class list is a text file that contains entries (rows) in the following format:
ipaddr /network-mask [glid num | lid num]

Each entry consists of the following:

• ipaddr – Specifies the host or subnet address of the client. The
  network-mask specifies the network mask.
  To configure a wildcard IP address, specify 0.0.0.0 /0. The wildcard
  address matches on all addresses that do not match any entry in the class
  list.
• glid num | lid num – Specifies the ID of the IP limiting rule to use for
  clients that have the specified IP address. The IP limiting rule specifies
  the connection limit, connection-rate limit, request limit, and
  request-rate limit for the clients.
  You can use a system-wide (global) IP limiting rule or an IP limiting
  rule configured in a policy template.
  • To use an IP limiting rule configured at the global configuration
    level, use the glid num option. Global LIDs can be used by other
    policy templates.
  • To use an IP limiting rule configured within the policy template, use
    the lid num option.
  You can configure GLIDs or LIDs during configuration of the policy
  template.

Note: To exclude a host or subnet from being limited, do not specify an IP
limiting rule.

Here is an example of a very simple class list. This list matches on all
clients and uses an IP limiting rule configured at the global configuration
level:

    0.0.0.0/0 glid 1

Here is an example with more options:

    1.1.1.1 /32 lid 1
    2.2.2.0 /24 lid 2
    0.0.0.0 /0 lid 10
    3.3.3.3 /32 glid 3
    4.4.4.4 /32

The rows in the list specify the following:

• For individual host 1.1.1.1, use IP limiting rule 1, which is configured in
  a policy template. (A policy template can be applied globally for
  system-wide IP limiting, or to an individual virtual server or virtual port.
  This is described in more detail in a later section.)
• For all hosts in subnet 2.2.2.0/24, use IP limiting rule 2, which is
  configured in a policy template.
• For all hosts that do not match another entry in the class list, use IP
  limiting rule 10, which is configured in a policy template.
• For individual host 3.3.3.3, use IP limiting rule 3, which is configured at
  the global configuration level.
• For individual host 4.4.4.4, do not use an IP limiting rule.
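
The class list format and the five-row example above, as an added Python example (not A10 code): it parses the rows, rejects malformed ones before they reach the device, and resolves which IP limiting rule governs a given client. The function names, the constructed bad rows, the strict rejection of host bits under the mask, and most-specific-match resolution between overlapping entries are assumptions; the text itself states only the wildcard fallback.

```python
import ipaddress
from typing import NamedTuple, Optional

class ClassEntry(NamedTuple):
    network: ipaddress.IPv4Network
    scope: Optional[str]     # "glid", "lid", or None when the row names no rule
    rule_id: Optional[int]   # ID of the IP limiting rule, None when exempt
    lineno: int

# The five-row example from the text above.
PAGE_EXAMPLE = """\
1.1.1.1 /32 lid 1
2.2.2.0 /24 lid 2
0.0.0.0 /0 lid 10
3.3.3.3 /32 glid 3
4.4.4.4 /32
"""

# Constructed rows that should be rejected before the file is uploaded.
CONSTRUCTED_BAD = """\
2.2.2.5 /24 lid 2
5.5.5.5 /32 gid 7
1.1.1.1 /32 lid 1
1.1.1.1 /32 lid 9
6.6.6.6 lid 1
"""

def parse_class_list(text):
    """Return (entries, errors) for rows of: ipaddr /network-mask [glid num | lid num]."""
    entries, errors, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        # Both "1.1.1.1 /32" and "0.0.0.0/0" appear in the examples; accept either.
        if len(tokens) > 1 and tokens[1].startswith("/"):
            cidr, rest = tokens[0] + tokens[1], tokens[2:]
        else:
            cidr, rest = tokens[0], tokens[1:]
        if "/" not in cidr:
            errors.append((lineno, "missing /network-mask"))
            continue
        try:
            # Assumption: treat host bits set under the mask (2.2.2.5/24) as an error.
            net = ipaddress.IPv4Network(cidr, strict=True)
        except ValueError as exc:
            errors.append((lineno, f"bad address or mask: {exc}"))
            continue
        scope = rule_id = None
        if rest:
            if len(rest) != 2 or rest[0] not in ("glid", "lid") or not rest[1].isdigit():
                errors.append((lineno, f"expected 'glid num' or 'lid num', got {' '.join(rest)!r}"))
                continue
            scope, rule_id = rest[0], int(rest[1])
        if net in seen:
            errors.append((lineno, f"{net} already defined on line {seen[net]}"))
            continue
        seen[net] = lineno
        entries.append(ClassEntry(net, scope, rule_id, lineno))
    return entries, errors

def lookup(entries, client_ip):
    """Entry that governs client_ip, or None. Assumption: the most specific match wins."""
    addr = ipaddress.IPv4Address(client_ip)
    matches = [e for e in entries if addr in e.network]
    # 0.0.0.0/0 has prefix length 0, so it wins only when nothing else matches,
    # which is the wildcard behaviour the text describes.
    return max(matches, key=lambda e: e.network.prefixlen, default=None)

def exempt_networks(entries):
    """Hosts or subnets with no IP limiting rule, i.e. excluded from limiting."""
    return [e.network for e in entries if e.scope is None]

def has_wildcard(entries):
    return any(e.network.prefixlen == 0 for e in entries)

if __name__ == "__main__":
    entries, _ = parse_class_list(PAGE_EXAMPLE)
    for ip in ("1.1.1.1", "2.2.2.77", "3.3.3.3", "4.4.4.4", "9.9.9.9"):
        e = lookup(entries, ip)
        rule = f"{e.scope} {e.rule_id}" if e.scope else "no limiting rule"
        print(f"{ip:<10} -> row {e.lineno} ({e.network}): {rule}")
    print("exempt from limiting:", [str(n) for n in exempt_networks(entries)])
    for lineno, msg in parse_class_list(CONSTRUCTED_BAD)[1]:
        print(f"line {lineno}: {msg}")
```

Reviewing the output of exempt_networks before each upload shows which clients the list excludes from every connection and request limit.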

Black/White List Syntax


A black/white list is a text file that contains entries (rows) in the following
format:
ipaddr [/network-mask] [group-id] [#conn-limit]
• ipaddr [/network-mask] – Specifies the host or subnet address of the
  client. The network-mask is optional. The default is 32, which means the
  address is a host address.
• group-id – Number from 1 to 31 in a black/white list that identifies a
  group of IP host or subnet addresses contained in the list. In a policy
  template on the ACOS device, you can map the group to one of the
  following actions:
  • Drop the traffic
  • Reset the connection
  The default group ID is 0, which means no group is assigned.
• #conn-limit – Specifies the maximum number of concurrent connections
  allowed from the client. By default, there is no connection limit. If you
  set it, the valid range is from 1 to 32767. On the ACOS device, you can
  specify whether to reset or drop new connections that exceed this limit.
  The # is required only if you do not specify a group-id.

Here is an example black/white list:

    10.10.1.3 4
    10.10.2.0/24 4
    192.168.1.1/32 #20

The rows in the list specify the following:

• The first row assigns a specific host to group 4. On the ACOS device,
  the drop action will be assigned to this group, thus black listing the
  client.
• The second row black lists an entire subnet, by assigning it to the same
  group (4).
• The third row sets the maximum number of concurrent connections for a
  specific host to 20. The action to take when the client’s traffic exceeds
  the limit can be specified during configuration of the policy template (or
  policy).
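
The black/white list format above, as an added Python example (not A10 code): it validates rows against the documented ranges, shows how the optional # changes the meaning of a bare number, and models the outcome for a new connection. The function names, the group_actions mapping, the "no-match" result, most-specific-match resolution and the over-limit comparison are assumptions made for the example.

```python
import ipaddress
from typing import NamedTuple, Optional

class BWEntry(NamedTuple):
    network: ipaddress.IPv4Network
    group_id: int               # 0 = no group assigned (documented default)
    conn_limit: Optional[int]   # None = no connection limit (documented default)

# The three-row example from the text above.
PAGE_EXAMPLE = "10.10.1.3 4\n10.10.2.0/24 4\n192.168.1.1/32 #20\n"

def _number(token, low, high, field):
    if not token.isdigit() or not low <= int(token) <= high:
        raise ValueError(f"{field} must be {low}-{high}, got {token!r}")
    return int(token)

def parse_bw_row(row):
    """Parse one row of: ipaddr [/network-mask] [group-id] [#conn-limit]."""
    tokens = row.split()
    if not tokens:
        raise ValueError("empty row")
    addr = tokens.pop(0)
    if tokens and tokens[0].startswith("/"):        # mask written as its own field
        addr += tokens.pop(0)
    # No mask means /32, a host address. Assumption: host bits under a mask are an error.
    net = ipaddress.IPv4Network(addr, strict=True)
    group_id, conn_limit = 0, None
    if tokens and not tokens[0].startswith("#"):
        # A bare number directly after the address is read as the group-id:
        # "10.1.1.1 20" is group 20, not a limit of 20, because the # may be
        # omitted only when a group-id precedes the limit.
        group_id = _number(tokens.pop(0), 1, 31, "group-id")
    if tokens:
        tok = tokens.pop(0)
        conn_limit = _number(tok[1:] if tok.startswith("#") else tok, 1, 32767, "conn-limit")
    if tokens:
        raise ValueError(f"unexpected trailing fields: {tokens}")
    return BWEntry(net, group_id, conn_limit)

def parse_bw_list(text):
    """Return (entries, errors); errors are (line number, message) pairs."""
    entries, errors = [], []
    for lineno, row in enumerate(text.splitlines(), 1):
        if not row.strip():
            continue
        try:
            entries.append(parse_bw_row(row))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return entries, errors

def decide(entries, group_actions, client_ip, open_conns, over_limit_action="drop"):
    """Model the outcome for one new connection from client_ip.

    group_actions maps group-id -> "drop" or "reset", as set in the policy
    template. Assumptions: the most specific matching row wins, and a client
    that already holds conn_limit connections is over the limit.
    """
    addr = ipaddress.IPv4Address(client_ip)
    matches = [e for e in entries if addr in e.network]
    if not matches:
        return "no-match"
    entry = max(matches, key=lambda e: e.network.prefixlen)
    if entry.group_id in group_actions:
        return group_actions[entry.group_id]
    if entry.conn_limit is not None and open_conns >= entry.conn_limit:
        return over_limit_action
    return "permit"

def unmapped_groups(entries, group_actions):
    """Group IDs used in the list that the policy maps to no action."""
    return sorted({e.group_id for e in entries if e.group_id} - set(group_actions))

if __name__ == "__main__":
    entries, errors = parse_bw_list(PAGE_EXAMPLE)
    actions = {4: "drop"}    # group 4 is black listed, as in the text
    for ip, conns in (("10.10.1.3", 0), ("10.10.2.200", 0),
                      ("192.168.1.1", 19), ("192.168.1.1", 20)):
        print(ip, conns, "->", decide(entries, actions, ip, conns, "reset"))
    print("groups with no action:", unmapped_groups(entries, {}))
```

A non-empty result from unmapped_groups means the list assigns clients to a group that the policy never maps to drop or reset, so those rows block nothing.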

Configuring System-Wide PBSLB


1. Select Config Mode > System > Settings > General > PBSLB, if not
   already selected.

2. Select one of the following:
   • PBSLB Policy Template
   • PBSLB
   For help selecting an option, see “Deciding Whether to Use a PBSLB
   Policy or a PBSLB Policy Template” on page 437.

3. From the drop-down list, select one of the following:
   • Name of a configured policy template (or policy, if you selected
     PBSLB in the previous step) – Any configured policy templates (or
     PBSLB policies) that are already on the ACOS device are listed.
     The configuration page for the policy template or policy appears.
   • “create” – This option displays a configuration page for creating a
     new policy template (or policy).

4. See one of the following for more information:
   • To configure a policy template, see “Config Mode > SLB > Template >
     Application > RAM Caching” on page 221.
   • To configure a policy, see “Config Mode > SLB > Black-White
     List” on page 287.

Config Mode > System > Settings > Boot

This menu option displays the boot image location from which the system
image will be loaded the next time the ACOS device is rebooted.

The ACOS device always tries to boot using the Hard Disk first. The Compact
Flash is used only if the hard drive is unavailable. You can select the
primary or secondary image area on each boot device.

To change the priority, select Primary or Secondary, then click OK.

Config Mode > System > Settings > Action


This menu option has the following sub-options:
• Reload – Restarts AX system processes and reloads the startup-config,
  without also reloading the system image. (This option also closes all
  sessions.)
• Shutdown – Powers down the ACOS device.
• Reboot – Reboots the ACOS device.
• Save – Syncs the configuration file (startup-config) with the
  running-config (running configuration), so that the startup-config
  includes all the current changes made to the running-config. (This is
  equivalent to clicking Save on the top of the GUI window.)
• Logout – Ends your admin session. (This is equivalent to clicking Logout
  on the top of the GUI window.)

Config Mode > System > Admin


The Admin pages enable you to configure and manage AX administrator
accounts.

Config Mode > System > Admin > Administrator

This page lists the configured admin accounts.

Table 152 lists the admin parameters displayed in the admin table.

TABLE 152 Admin Parameters


Parameter       Description
Name            Login name for the admin.
Role            GUI access allowed to the admin:
                • ReadOnlyAdmin
                • ReadWriteAdmin
                • SystemAdmin
                • NetworkAdmin
                • NetworkOperator
                • SLBServiceAdmin
                • SLBServiceOperator
                • PartitionReadWrite
                • PartitionNetworkOperator
                • PartitionSLBServiceAdmin
                • PartitionSLBServiceOperator
                • PartitionReadOnly
                (For details, see “Preconfigured GUI Access Roles” on
                page 447.)
CLI Privilege   CLI privilege level for the admin account:
                • read – Read-only access to the shared partition and all
                  private partitions
                • write – Read-write access to the shared partition and all
                  private partitions
                • partition-read – Read-only access to the private partition
                  listed in the Partition column
                • partition-write – Read-write access to the private partition
                  listed in the Partition column
                • partition-enable-disable – Operator access to the private
                  partition listed in the Partition column. This privilege
                  level allows the admin to enable, disable, and display
                  statistics for real servers in the partition.
Partition       Partition to which the admin is assigned.
                Note: This field applies only to admins with the Partition
                Write Admin, Partition Read Admin, or Partition RS Operator
                role.
Access Type     Management interface through which the admin is allowed
                to access the ACOS device. The access type can be one or
                more of the following:
                • Web
                • CLI
                • aXAPI
Trusted Host    Host or subnet address from which the admin is allowed to
                log onto the ACOS device.
Locked Time     If the account is locked, indicates how long the account has
                been locked.
Unlocked Time   If the account is locked, indicates how long the account will
                continue to be locked.
Status          Current state of the account:
                (unlabeled) – The account is enabled.
                – The account is disabled.

Admin Account Configuration

The Admin section is displayed when you click Add or click on an admin
name.

Table 153 lists the parameters you can configure in this section.

TABLE 153 Admin Configuration Parameters


Administrator Section

Administrator Name
  Description: Login name for the admin.
  Supported values: 1-31 characters

Password
  Description: Login password for the admin.
  Supported values: 1-63 characters

Confirm Password
  Description: If you are modifying an existing admin account, the Change
  Administrator Password checkbox toggles display of the Password and
  Confirm Password fields.

Trusted Host IP Address
  Description: Specifies the host or subnet address from which the admin is
  allowed to log onto the ACOS device.
  Supported values: Valid IP address
  Default: 0.0.0.0 (any address allowed)

Netmask for Trusted Host
  Description: Specifies the network mask for the trusted IP address.
  Supported values: Valid network mask
  Default: 0.0.0.0 (any subnet allowed)

Access Type
  Description: Management interface through which the admin is allowed to
  access the ACOS device. The access type can be one or more of the
  following:
  • Web
  • CLI
  • aXAPI
  Default: Access is allowed through all 3 interfaces

Role
  Description: GUI access allowed to the admin. For each GUI page, the admin
  role specifies whether the admin is allowed to access (view) the page. If
  the admin is allowed to access the page, the role specifies whether the
  admin has read-only or read-write privileges for the page.
  (For more information, see “Config Mode > System > Admin > Role” on
  page 446.)
  Default: Not set

Partition
  Description: Specifies the partition to which the admin is assigned.
  Note: This field applies only to admins with the Partition Write Admin,
  Partition Read Admin, or Partition RS Operator role.
  Supported values: Enabled or Disabled
  Default: Enabled

Status
  Description: Enables or disables the account.
  Note: This field does not appear for the “admin” admin account, which
  cannot be disabled.
  Supported values: Enabled or Disabled
  Default: Enabled

SSH Key File Section

This section enables you to import or delete keys used for public key
authentication of access by the admin. For information about this feature,
see the “SSH Public Key Authentication for SSH Management Access” section
of the “Management Security Features” chapter in the System Configuration
and Administration Guide.

Config Mode > System > Admin > Partition

This page enables you to configure a private partition for Application
Delivery Partitioning (ADP).

Note: For information about ADP, see the System Configuration and
Administration Guide.

Note: If you delete a partition, resources associated with the partition are
permanently deleted. This includes SSL certificates and keys, and aFleX
scripts. These resources are deleted even if you reload or reboot without
saving the configuration. In this case, the partition configuration is
restored but the resources are still gone.

The Partition table lists the private partitions that are configured on the
ACOS device. The partition name and the logo file associated with the
partition are shown.

The Partition section is displayed when you click Add or click on a partition
name.

Table 154 lists the parameters you can configure in this section.

TABLE 154 Partition Configuration Parameters


Partition Section

Partition Name
  Description: Name for the partition.
  Supported values: 1-14 characters

Network Partition
  Description: Enables Layer 2/3 virtualization for the partition. Layer 2/3
  virtualization allows a private partition to have its own network
  resources. You can enable Layer 2/3 virtualization on an individual
  partition basis.
  Supported values: Enabled or Disabled
  Default: Disabled

System Resource Template
  Description: Applies a system resource template to the partition. Select
  “create...” to access the system resource template configuration page.
  Supported values: A configured resource template
  Default: Not set

Max aFleX Files
  Description: Maximum number of aFleX policies the partition can have.
  Supported values: 1-128
  Default: 32

Current Logo Picture
  Description: Shows the logo currently associated with this partition.
  Each private partition has a logo file associated with it. The logo
  appears in the upper left corner of the Web GUI when the partition is
  selected as the current partition for the GUI session. (See “System
  Partitions” on page 34.)
  Supported value: A graphic file 180x60 pixels.
  Default: The A10 Networks logo is used.

Change Logo Picture
  Description: Enables you to replace the logo.
  1. Copy the logo file onto the PC on which you are running the browser
     for the GUI session.
  2. In this field, click Browse.
  3. Navigate to the logo file and click Open.
  4. Click OK.
  Supported value: A graphic file 180x60 pixels.
  Default: The A10 Networks logo

Config Mode > System > Admin > Role

Admin roles enable you to restrict the GUI options an admin is authorized
to use. For each GUI page, the admin role specifies whether the admin is
allowed to access (view) the page. If the admin is allowed to access the
page, the role specifies whether the admin has read-only or read-write
privileges for the page.

You can assign an admin to a preconfigured role or a custom role that you
configure. You also can customize the preconfigured roles. Table 155 lists
the preconfigured roles and the types of GUI page access allowed by each
one.

Table Column Descriptions


In the Role and Access column, the numbers indicate the roles.

Note: If you configure GUI-based access in RADIUS, LDAP or TACACS+,
these are the numbers to use when specifying a preconfigured role.
• 1 – ReadOnlyAdmin
• 2 – ReadWriteAdmin
• 3 – SystemAdmin
• 4 – NetworkAdmin
• 5 – NetworkOperator
• 6 – SLBServiceAdmin
• 7 – SLBServiceOperator
• 8 – PartitionReadWrite
• 9 – PartitionNetworkOperator
• 10 – PartitionSLBServiceAdmin
• 11 – PartitionSLBServiceOperator
• 12 – PartitionReadOnly

The following letters indicate the access privileges for the GUI page:
• R – Read-only
• W – Read-write
• H – Hidden (page can not be viewed by the admin)

TABLE 155 Preconfigured GUI Access Roles


Role and Access
GUI Page* 1 2 3 4 5 6 7 8 9 10 11 12
Monitor Pages
Monitor > Overview > Summary R R R R R R R R R R R R
Monitor > Overview > Status R R H H H R R R H R R R
Monitor > Overview > Statistics R R H H H R R R H R R R
Monitor > Overview > Performance R R H H H R R R H R R R
Monitor > SLB > Service R R H H H R R R H R R R
Monitor > SLB > Health Monitor R R H H H R R R H R R R
Monitor > SLB > Black-White List R R H H H R R R H R R R
Monitor > SLB > aFleX R R H H H R R R H R R R
Monitor > Service > Session R R H H H R R R H R R R
Monitor > Service > Application R R H H H R R R H R R R
Monitor > GSLB > Site R R H H H H H R H H H R
Monitor > GSLB > Zone R R H H H H H R H H H R
Monitor > GSLB > Protocol R R H H H H H R H H H R
Monitor > Security > WAF R R H H H H H R H H H R
Monitor > Security > Authentication R R H H H H H R H H H R
Monitor > Security > ACL R R H H H H H R H H H R
Monitor > IP Source NAT > Pool R R H H H H H R H H H R
Monitor > IP Source NAT > Static NAT R R H H H H H R H H H R
Monitor > Network > Interface R R H R R H H R R H H R
Monitor > Network > Trunk R R H R R H H R H H H R
Monitor > Network > LACP R R H R R H H H H H H H
Monitor > Network > VLAN R R H R R H H R R H H R
Monitor > Network > ARP R R H R R H H R R H H R
Monitor > Network > Route R R H R R H H R R H H R
Monitor > System > Admin R R R H H H H R H H H H
Monitor > System > Logging R R R H H H H R H H H H
Monitor > System > Diagnosis R R R H H H H H H H H H
Monitor > System > aVCS R R R H H H H H H H H H
Monitor > System > HA R R H H H R R H H H H H

Monitor > System > VRRP-A R R H H H R R R H R R R
Config Pages
Config > Get Started > Basic System R W H W R H H H H H H H
Config > Get Started > Smart Template R W H H H W R W H W R R
Config > Get Started > GSLB Easy Config R W H H H H H W H H H H
Config > SLB > Service R W H H H W R W H W R R
Config > SLB > Template R W H H H W R W H W R R
Config > SLB > Health Monitor R W H H H W R W H W R R
Config > SLB > Black-White List R W H H H W R W H W R R
Config > SLB > aFleX R W H H H W R W H W R R
Config > SLB > SSL Management R W H H H W R W H W R R
Config > SLB > Network Map R W H H H W R W H W W R
Config > GSLB > FQDN R W H H H H H W R H H R
Config > GSLB > FQDN Group R W H H H H H W H H H R
Config > GSLB > Zone R W H H H H H W H H H R
Config > GSLB > Site R W H H H H H W H H H R
Config > GSLB > Service IP R W H H H H H W H H H R
Config > GSLB > DNS Proxy R W H H H H H W H H H R
Config > GSLB > Geo-location R W H H H H H W H H H R
Config > GSLB > Policy R W H H H H H W H H H R
Config > GSLB > Global R W H H H H H H H H H H
Config > Security > WAF R W H H H H H W H H H R
Config > Security > Authentication R W H H H H H W H H H R
Config > Security > Template R W H H H H H W H H H R
Config > Security > Network R W H H H H H W H H H R
Config > IP Source NAT† > IPv4 Pool R W H H H H H W H W R R
Config > IP Source NAT† > IPv6 Pool R W H H H H H W H W R R
Config > IP Source NAT† > Group R W H H H H H W H W R R
Config > IP Source NAT† > ACL Bind R W H H H H H W H W R R
Config > IP Source NAT† > Interface R W H H H H H W H W R R
Config > IP Source NAT† > NAT Range R W H H H H H W H W R R
Config > IP Source NAT† > Static NAT R W H H H H H W H W R R
Config > IP Source NAT† > Global R W H H H H H H H H H H
Config > Network > Interface† R W H W R H H W R H H R
Config > Network > Trunk† R W H W R H H H H H H H
Config > Network > LACP R W H W R H H H H H H H
Config > Network > VLAN† R W H W R H H W R H H R
Config > Network > ARP† R W H W R H H W R H H R

Config > Network > Route† R W H W R H H W R H H R
Config > Network > DNS† R W H W R H H H H H H H
Config > Network > ICMP Rate Limiting† R W H W R H H H H H H H
Config > Network > BPDU-Fwd-Group† R W H W R H H H H H H H
Config > System > Settings > Web R W W H H H H W H H H R
Config > System > Settings > Web Certificate R W W H H H H H H H H H
Config > System > Settings > Access Control R W W W R H H W H H H R
Config > System > Settings > Time R W W W R H H H H H H H
Config > System > Settings > Terminal R W W H H H H H H H H H
Config > System > Settings > Log R W W W R H H H H H H H
Config > System > Settings > General R W W H H H H H H H H H
Config > System > Settings > Boot R W W H H H H H H H H H
Config > System > Settings > Action H W W H H H H H H H H H
Config > System > Admin R W W H H H H H H H H H
Config > System > SNMP R W W W R H H H H H H H
Config > System > Maintenance R W W H H H H H H H H H
Config > System > Console R W H H H H H H H H H H
Config > System > Config File R W W H H H H H H H H H
Config > System > aVCS R W W H H H H H H H H H
Config > System > HA R W H H H W R H H H H H
Config > System > VRRP-A R W H H H W R W H W R R
*. In some cases where the same access privileges apply to all pages at a given GUI level, only the high-level page name is
listed in this table. However, access is configurable on an individual page basis for all GUI pages.
†. For the partition roles (8-12), the access privileges shown in the table are for admins of partitions in which Layer 2/3
virtualization is enabled. If Layer 2/3 virtualization is disabled in the partition, this page is hidden.

Assigning a Role to an Admin


To assign a role to an admin, use the following procedure.

Note: If you plan to use a custom role, first see “Configuring a Custom Role” on
page 450.

1. Select Config Mode > Settings > Admin > Administrator and click Add.

2. If configuring a new admin, enter the username and password.

3. Select the admin role from the Role drop-down list.

4. If configuring an RBA partition admin, select the partition from the
   Partition drop-down list.

5. Click OK.

Configuring a Custom Role


1. Select Config Mode > Settings > Admin > Role.

2. Click Add.

3. Enter the role name in the Role Name field.

4. Select the access privileges for each page.
   • Hide – The page can not be viewed by admins with this role.
   • RO – Read-only access.
   • RW – Read-write access.
   The filter options hide or display all pages of the selected access levels.
   For example, to display only the pages that are hidden, select Hide next
   to Filter Options.
   To select individual pages under Monitor or Config, click to remove the
   checkbox, expand the page list, and select the access levels for the
   individual pages.

5. Click OK.

Config Mode > System > Admin > Object Access Control

This page provides configuration options for Object Access Control (OAC).

Table 156 describes the fields on this page.

TABLE 156 Object Access Control Parameters

Object Access Control Section

Name
  Description: Name of the OAC.
  Supported values: String
  Default: Not set

Authorized Virtual Server
  Description: Lists virtual servers that have authorized access in the OAC.
  Supported values: Name of a configured virtual server
  Default: Not set

Authorized Service Group
  Description: Lists service groups that have authorized access in the OAC.
  Supported values: Name of a configured service group
  Default: Not set

Authorized Server Node
  Description: Lists servers that have authorized access in the OAC.
  Supported values: Name of a configured server
  Default: Not set

Config Mode > System > Admin > Lockout Policy

This page enables you to configure the admin lockout policy. Admin lockout
is a feature that disables an admin account after a specified number of
invalid login attempts (login attempts using the wrong password).

To set the lockout policy, select the Lockout Policy menu option. The
Lockout Policy section appears.

Table 157 lists the parameters you can configure in this section.

TABLE 157 Lockout Policy Parameters


Lockout Policy Section

Administrator Lockout Feature
  Description: Enables the feature.
  Supported values: Selected (enabled) or unselected (Disabled)
  Default: Unselected

Administrator Lockout after
  Description: Number of consecutive failed login attempts allowed before an
  administrator is locked out.
  Supported values: 1-10
  Default: 5

Lockout Time in
  Description: Number of minutes a lockout remains in effect. After the
  lockout times out, the admin can try again to log in.
  Supported values: 0-1440 minutes. To keep accounts locked until you or
  another authorized administrator unlocks them, specify 0.
  Default: 10 minutes

Reset Lockout after
  Description: Number of minutes the ACOS device remembers failed login
  attempts.
  Supported values: 1-1440 minutes
  Default: 10 minutes

Config Mode > System > Admin > External Authentication

These options enable you to configure RADIUS, LDAP or TACACS+ servers
to use for external authentication of admin access to the ACOS device.

(For information about the authentication process, see the “Configuring
AAA for Admin Access” section in the “Management Security Features”
chapter of the System Configuration and Administration Guide.)

Config Mode > System > Admin > External Authentication > General

This page enables you to configure authentication for admin access.
• Authentication Type – Specifies the authentication sources to be used
  and the order in which to use them. You can specify one or more of the
  following, in any order:
  • Local (the local admin database on the ACOS device)
  • RADIUS
  • TACACS+
  • LDAP
• Authentication Console Type – Specifies a separate authentication
  policy for the console (serial) port. The options are the same as
  described above.
  Note: By default, the settings applied above also apply to the console
  port. If you leave the console authentication policy set to None, the
  settings above are used.
• Disable Local – Disables automatic local authentication of the “admin”
  account. Without this option, the “admin” account is always
  authenticated locally, regardless of the authentication configuration
  used for the other admin accounts.

Configuring the Global AAA Settings on the ACOS Device


1. Select Config Mode > System > Admin > External Authentication >
   General.

FIGURE 36 External Authentication General

2. Specify the Authentication Type and Authentication Console Type, and
   specify the order in which to use them. To do so, follow these steps:
   a. Click on the desired authentication name (such as RADIUS or
      LDAP) in the Available pane.
   b. Click on the redirect arrows (>>) to the right of the Available pane
      to move your choices from the Available pane to the Selected window
      pane. Use the redirect arrows (<<) to move any wrong choices
      from the Selected pane back to the Available pane.

3. Click on the radio button next to Local, TACACS+, Local/TACACS+,
   TACACS+/Local.

4. Optionally, to enable tiered authentication, for Mode, select Multiple as
   opposed to the default choice, Single.

5. Click on either the Enabled or Disabled radio button for the Login
   Privilege Mode.

6. Click on “Disable local authentication” when the external authentication
   is available, if desired.

7. Click OK.

Authentication Process

You can specify whether to check the local database or the remote server
first. Figure 37 and Figure 38 show the authentication processes used if the
ACOS device is configured to check remote AAA servers (RADIUS, LDAP
or TACACS+) first.

If the RADIUS, LDAP or TACACS+ server responds, the local database is
not checked.
• If the admin name and password are found on the RADIUS, LDAP or
  TACACS+ server, the admin is granted access.
• If the admin name and password are not found on the RADIUS, LDAP
  or TACACS+ server, the admin is denied access.

Only if there is no response from any RADIUS, LDAP or TACACS+ server,
does the ACOS device check its local database for the admin name and
password.

Username “admin” Always Authenticated Locally By Default

An exception is made for the “admin” account. By default, the ACOS
device always uses local authentication for “admin”. Optionally, you can
disable automatic local authentication for “admin”, in which case the
authentication process is the same as for other admin accounts.

FIGURE 37 Authentication Process When Remote Authentication Is First
(2 remote servers configured) – Example shown is for RADIUS

FIGURE 38 Authentication Process When Remote Authentication Is First
(1 remote server configured) – Example shown is for TACACS+

Config Mode > System > Admin > External Authentication >
RADIUS
This page enables you to configure RADIUS servers.

Table 158 lists the RADIUS server parameters you can configure.

TABLE 158 RADIUS Authentication Parameters


RADIUS Authentication Section

Parameter: Server 1
Description: Displays the RADIUS server configuration fields:
• Hostname – Hostname or IP address of the RADIUS server.
• Secret and Confirm Secret – Password required by the RADIUS server for
  authentication requests.
• Authentication – Protocol port number on which the RADIUS server listens
  for authentication requests.
• Account – Protocol port number on which the RADIUS server listens for
  accounting traffic.
• Retransmit – Maximum number of times the ACOS device can resend an
  unanswered authentication request to the server. If the ACOS device does
  not receive a reply to the final request, the ACOS device tries the
  secondary server, if one is configured.
• Timeout – Maximum number of seconds the ACOS device will wait for a reply
  to an authentication request before resending the request.
Supported Values:
Valid values:
• Hostname – Hostname or IP address of the RADIUS server.
• Secret and Confirm Secret – String
• Authentication – 1-65535
• Account – 1-65535
• Retransmit – 0-5 retries
• Timeout – 1-15 seconds
Defaults:
• Hostname – Hostname or IP address of the RADIUS server.
• Secret and Confirm Secret – Not set
• Authentication – 1812
• Account – 1813
• Retransmit – 3 retries
• Timeout – 3 seconds

Parameter: Server 2
Description: Enables you to configure a second RADIUS server to use only as
a backup if server 1 is unavailable. For parameter descriptions, see above.
Supported Values: See above.


Config Mode > System > Admin > External Authentication >
LDAP
This page enables you to configure the Lightweight Directory Access
Protocol (LDAP).

Table 159 lists the LDAP parameters you can configure.

TABLE 159 LDAP Authentication Parameters


LDAP Authentication Section

Parameter: LDAP Server 1
Description: Displays the LDAP server configuration fields.
• Hostname – Hostname or IP address of the server.
• CN – Value for the Common Name (CN) attribute.
• DN – Value for the Distinguished Name (DN) attribute.
  Note: To use nested OUs, specify the nested OU first, then the root.
• Timeout – Maximum number of seconds the ACOS device will wait for a reply
  to an authentication request before resending the request.
  Note: If the LDAP server does reply before the timeout, authentication of
  the admin fails.
• Port – The protocol port on which the server listens for LDAP traffic.
• Use SSL – If disabled, the DN and password for a bind request will be
  clear-text and visible to all users. If enabled, the DN and password for a
  bind request will be encrypted so that only the server can decrypt the
  message.
Supported Values:
Valid values:
• Hostname – Hostname or IP address of the LDAP server.
• CN – String
• DN – String
• Timeout – 1-60 seconds
• Port – 1-65535
• Use SSL – Selected (enabled) or unselected (disabled)
Defaults:
• Hostname – Hostname or IP address of the LDAP server.
• CN – Not set
• DN – Not set
• Timeout – 44 seconds
• Port – 389
• Use SSL – Unselected (disabled)

Parameter: LDAP Server 2
Description: Enables you to configure a second LDAP server to use only as a
backup if server 1 is unavailable. For parameter descriptions, see above.
Supported Values: See above.


Config Mode > System > Admin > External Authentication >
TACACS+

Table 160 lists the TACACS+ server parameters you can configure.

TABLE 160 TACACS+ Authentication Parameters


TACACS+ Authentication Section

Parameter: TACACS+ Server 1
Description: Displays the RADIUS server configuration fields:
• Hostname – Hostname or IP address of the RADIUS server.
• Secret and Confirm Secret – Password required by the RADIUS server for
  authentication requests.
• Port – Protocol port number on which the TACACS+ server listens for
  authentication requests.
• Timeout – Maximum number of seconds the ACOS device will wait for a reply
  to an authentication request before resending the request.
Supported Values:
Valid values:
• Hostname – Hostname or IP address of the RADIUS server.
• Secret and Confirm Secret – String
• Port – 1-65535
• Timeout – 1-12 seconds
Defaults:
• Hostname – Hostname or IP address of the RADIUS server.
• Secret and Confirm Secret – Not set
• Port – 49
• Timeout – 12 seconds

Parameter: TACACS+ Server 2
Description: Enables you to configure a second TACACS+ server to use only as
a backup if server 1 is unavailable. For parameter descriptions, see above.
Supported Values: See above.

Config Mode > System > Admin > Change Password

Enables you to change the password for the admin account under which you
are currently logged in.

Note: This option takes effect only if there are no other open admin sessions
using the same admin name.


Config Mode > System > Settings > Access Control


The Access Control page controls management access to the ACOS
device’s Ethernet interfaces. The management access settings apply to
access through the management interface, physical Ethernet data interfaces,
and Virtual Ethernet (VE) interfaces.
By default, certain types of management access through the ACOS device’s
Ethernet interfaces are blocked. Table 161 lists the default settings for each
management service.

TABLE 161 Default Management Access


Management    Ethernet Management    Ethernet and VE
Service       Interface              Data Interfaces
Ping          Enabled                Enabled
SSH           Enabled                Disabled
Telnet        Disabled               Disabled
HTTP          Enabled                Disabled
HTTPS         Enabled                Disabled
SNMP          Enabled                Disabled

You can enable or disable management access, for individual access types
and interfaces. You also can use an ACL to permit or deny management
access through the interface by specific hosts or subnets.

To change management access settings for interfaces:


1. For each interface (each row), select or de-select the checkboxes for the
access types.

2. To use an ACL to control access, select the ACL from the ACL drop-
down list in the row for the interface.

3. After selecting the settings for all the interfaces, click OK.

To reset the access settings to the defaults listed in Table 161, click Reset to
Default.

Notes Regarding Use of ACLs


If you use an ACL to secure management access, the action in the ACL rule
that matches the management traffic’s source address is used to permit or
deny access, regardless of other management access settings.

For example, if you disable Telnet access to a data interface, but you also
enable access to the interface using an ACL with permit rules, the ACL
permits Telnet (and all other) access to the interface, for traffic that
matches the permit rules in the ACL.

If you want certain types of management access to be disabled on an
interface, do not use a permit ACL to control management access to the
interface.

Each ACL has an implicit deny any rule at the end. If the management traf-
fic’s source address does not match a permit rule in the ACL, the implicit
deny any rule is used to deny access.

On data interfaces, you can disable or enable access to specific services and
also use an ACL to control access. However, on the management interface,
you can disable or enable access to specific services or control access using
an ACL, but you cannot do both.
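
The interaction between the per-service checkboxes and an ACL, modeled as an added Python example (not ACOS code). The `Interface` class, interface names and addresses are constructed; the defaults come from Table 161 and the precedence rule follows the notes above, where the matching ACL rule decides regardless of the service settings.

```python
import ipaddress

SERVICES = ("ping", "ssh", "telnet", "http", "https", "snmp")

# Default management access from Table 161.
DEFAULTS = {
    "management": dict(zip(SERVICES, (True, True, False, True, True, True))),
    "data": dict(zip(SERVICES, (True, False, False, False, False, False))),
}


class Interface:
    """One row of the Access Control page (hypothetical model)."""

    def __init__(self, name, kind, services=None, acl=None):
        if kind not in DEFAULTS:
            raise ValueError("kind must be 'management' or 'data'")
        if kind == "management" and services is not None and acl is not None:
            # Management interface: service settings or an ACL, not both.
            raise ValueError("management interface: services or ACL, not both")
        self.name = name
        self.kind = kind
        self.services = dict(DEFAULTS[kind])
        self.services.update(services or {})
        # acl is an ordered list of (action, network) rules, or None.
        self.acl = None
        if acl is not None:
            self.acl = [(action, ipaddress.ip_network(net)) for action, net in acl]


def acl_action(acl, source):
    """First matching rule wins; the implicit 'deny any' closes the list."""
    address = ipaddress.ip_address(source)
    for action, network in acl:
        if address in network:
            return action
    return "deny"


def access_allowed(iface, service, source):
    """True if management traffic for `service` from `source` is accepted."""
    if service not in iface.services:
        raise ValueError(f"unknown service: {service}")
    if iface.acl is not None:
        # The ACL action is used regardless of the service settings.
        return acl_action(iface.acl, source) == "permit"
    return iface.services[service]


def shadowed_disables(iface):
    """Services disabled on the interface that a permit rule still opens."""
    if iface.acl is None or not any(action == "permit" for action, _ in iface.acl):
        return []
    return [service for service in SERVICES if not iface.services[service]]


if __name__ == "__main__":
    # Constructed configuration: Telnet left disabled, ACL bound to the row.
    eth2 = Interface("ethernet 2", "data", services={"telnet": False},
                     acl=[("deny", "10.0.0.5/32"), ("permit", "10.0.0.0/24")])
    for src in ("10.0.0.7", "10.0.0.5", "192.0.2.9"):
        print(src, "telnet allowed:", access_allowed(eth2, "telnet", src))
    print("disabled but reachable via ACL:", shadowed_disables(eth2))
```

Running `shadowed_disables` over each configured interface gives the list of services that look disabled in the checkboxes but are open to every source the ACL permits.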

Config Mode > System > Settings > Time


The Time pages enable you to set the system time and date and select the
timezone.

Note: You do not need to configure Daylight Savings Time. The ACOS device
automatically adjusts the time for Daylight Savings Time based on the
timezone you select.

Note: If you change the ACOS timezone or system time, the statistical database
is cleared. This database contains general system statistics (performance,
and CPU, memory, and disk utilization) and SLB statistics. For example,
in the GUI, the graphs displayed on the Monitor Mode > Overview page
are cleared.

Note: If the system clock is adjusted while OSPF or IS-IS is enabled, the routing
protocols may stop working properly. To work around this issue, disable
OSPF and IS-IS before adjusting the system clock.

This page enables you to configure the system time and date. You can use
one of the following methods:
• Set the ACOS device to synchronize with a Network Time Protocol
(NTP) server.
• Set the ACOS device to synchronize with the local system time on the
PC you are using to access the GUI.
• Manually set the date and time.


Table 162 lists the configuration options on the Date/Time section.

TABLE 162 Date/Time Parameters


Date/Time Section

Parameter: Date
Description: Manually sets the date. Click the icon at the right of the field
to open a calendar from which you can select the date.
Supported Values: Depends on when the device was first booted

Parameter: Time
Description: Manually sets the time, in hh:mm:ss format.
Supported Values: Depends on when the device was first booted

Parameter: Sync Local Time
Description: Synchronizes the ACOS date and time with the local system time
on the PC you are using to access the GUI.
Supported Values: N/A

Parameter: Automatically Synchronize with Internet Time Server (NTP)
Description: Activates the NTP input fields and disables the Date and Time
fields.
If NTP servers are configured and at least one of them is enabled, the
checkbox is selected.
If NTP servers are configured but none of them are enabled, the checkbox is
un-selected.
Likewise, if no NTP servers are configured, the checkbox is un-selected.
Select it to enable the NTP configuration fields.
Supported Values: Selected (enabled) or unselected (disabled)
Default: Unselected

Parameter: NTP
Description: Specifies the hostnames or IP addresses of the NTP servers and
how often the ACOS device resynchronizes with them.
1. Enter the NTP server IP address in the NTP Server field.
3. Click Add.
4. Click OK.
You can configure a maximum of 4 NTP servers.
Supported Values: Valid IP address
Default: not set

Time Zone Section

Use this section to select the timezone for the ACOS device. Select the
timezone from the list, then click OK.
Daylight Savings Time (DST) is enabled by default, if applicable to the
selected timezone. To disable DST, select the Disable Daylight Saving Time
checkbox.


Config Mode > System > SNMP


The SNMP sections enable you to configure the Simple Network Management
Protocol (SNMP) settings.

The following sections are available:


• General

• Community

• Trap

• Trap List

• SNMP MIB Download

Notes
• Some traps are triggered by a configurable threshold. The thresholds in
the trap descriptions below are the default thresholds. To change an
event threshold, use the monitor command at the global configuration
level of the CLI.
• You can configure SNMPv1 and v2c settings using the GUI. To configure
SNMPv3 settings, use the CLI.
• The System Drop Packet trap is not applicable to some device types.
The trap is applicable to hardware-based ACOS models and SoftAX.

Table 163 lists the configuration options on the SNMP sections.

TABLE 163 General SNMP Parameters


General Section

Parameter: System SNMP Service
Description: Specifies the state of the SNMP service on the ACOS device.
Supported Values: Enabled or Disabled
Default: Disabled

Parameter: System Location
Description: Specifies the ACOS device location.
Supported Values: String
Default: Not set

Parameter: System Contact
Description: Specifies who to contact regarding the ACOS device.
Supported Values: String
Default: Not set

Community Section

Parameter: SNMP Community
Description: Name of a read-only SNMP community.
Note: Only read-only strings are supported.
Supported Values: String

Parameter: Hostname (IP/Mask)
Description: Specifies the hosts or subnet that is allowed to access the
community. Only the specified host or subnet can receive SNMP data from the
ACOS device by sending a GET request to this community.
Supported Values: Valid subnet or host address
Default: Not set (any host or subnet is allowed)

Parameter: Object Identifier
Description: Restricts the objects that the ACOS device returns in response
to GET requests. Values are returned only for the objects within or under the
specified OID.
Note: The OID for A10 Networks AX objects is 1.3.6.1.4.1.22610.
Supported Values: Valid OID
Default: Not set (all objects can be accessed)

Trap Section

Parameter: Community
Description: Specifies the community string for the traps.
Supported Values: Valid community string
Default: public

Parameter: IP Address (Host)
Description: Specifies the IP address of the trap receiver.
Supported Values: Valid IP address
Default: Not set

Parameter: Port
Description: Specifies the UDP port to which the ACOS device will send the
traps.
Supported Values: 1-65535
Default: 162

Parameter: Version
Description: Specifies the SNMP version.
Supported Values: V1 or V2c
Default: V1

Trap List Section

Parameter: All Traps
Description: Enables all traps.
Supported Values: Selected (enabled) or unselected (disabled)
Default: Unselected

Parameter: SNMP Group
Description: Enables all SNMP traps.
Selecting this option disables the checkboxes for the individual traps in the
group. To disable only certain traps in the group, leave SNMP Group
unselected, and select the individual traps instead. The same applies to the
other group options described below.
The SNMP group contains the following traps:
• Link Down – Indicates that an Ethernet interface has gone down.
• Link Up – Indicates that an Ethernet interface has come up.
Supported Values: Selected (enabled) or unselected (disabled)
Default: Unselected

Parameter: SLB Group
Description: Enables all Server Load Balancing (SLB) traps.
The SLB group contains the following traps:
• Service Down – Indicates that an SLB service has gone down.
• Service Up – Indicates that an SLB service has come up.
• Server Down – Indicates that an SLB server has gone down.
• Server Up – Indicates that an SLB server has come up.
• Service Connection Limit – Indicates that an SLB service has reached its
  configured connection limit.
• Service Connection Resume – Indicates that an SLB service has reached its
  configured connection-resume value.
• Server Connection Limit – Indicates that an SLB server has reached its
  configured connection limit.
• Server Connection Resume – Indicates that an SLB server has reached its
  configured connection-resume value.
• Virtual Port Down – Indicates that an SLB virtual service port has gone
  down.
• Virtual Port Up – Indicates that an SLB virtual service port has come up.
  An SLB virtual server’s service port is up when at least one member (real
  server and real port) in the service group bound to the virtual port is up.
• Virtual Port Reach Conn-Limit – Indicates that the connection limit
  configured on a virtual port has been exceeded.
• Virtual Port Reach Conn-Rate-Limit – Indicates that the connection rate
  limit configured on a virtual port has been exceeded.
• Virtual Server Reach Conn-Limit – Indicates that the connection limit
  configured on a virtual server has been exceeded.
• Virtual Server Reach Conn-Rate-Limit – Indicates that the connection rate
  limit configured on a virtual server has been exceeded.
• App Buffer Reach Limit – Indicates that the configured SLB application
  buffer threshold has been exceeded. (See “Config Mode > System >
  Settings > General > Threshold” on page 433.)
Supported Values: Selected (enabled) or unselected (disabled)
Default: Unselected
Parameter: GSLB Group
Description: Enables all Global SLB (GSLB) traps.
The GSLB group contains the following traps:
• Group
• Site
• Service IP
• Zone
Supported Values: Selected (enabled) or unselected (disabled)
Default: Unselected

Parameter: SSL Group
Description: Enables all SSL traps.
The current release has the following trap, Server Certificate Error.
Supported Values: Selected (enabled) or unselected (disabled)
Default: Unselected

Parameter: HA Group
Description: Enables all High Availability (HA) traps.
The HA group contains the following traps:
• Standby – Indicates that the ACOS device is going from HA Active mode to
  Standby mode.
• Active – Indicates that the ACOS device is going from HA Standby mode to
  Active mode.
• Active-Active – Indicates that an Active-Active configuration has been
  enabled.
Supported Values: Selected (enabled) or unselected (disabled)
Default: Unselected

Parameter: Network Group
Description: Enables all Network traps.
The Network group contains the following trap:
• Trunk Port Threshold – Indicates that the trunk ports threshold feature
  has disabled trunk members because the number of up ports in the trunk has
  fallen below the configured threshold. (See “Config Mode > Network >
  Trunk” on page 411.)
Supported Values: Selected (enabled) or unselected (disabled)
Default: Unselected

Parameter: System Group
Description: Enables all system-level traps.
The System Group group contains the following traps:
• Start – Indicates that the ACOS device has started.
• Shutdown – Indicates that the ACOS device has shut down.
• Restart – Indicates that the ACOS device is going to reboot or reload.
• High Temperature – Indicates that the temperature inside the ACOS device
  chassis has exceeded the configured threshold. (See “Config Mode >
  System > Settings > General > Threshold” on page 433.)
• Fan – Indicates that a system fan has failed. Contact A10 Networks.
• Primary Disk – Indicates that the primary disk has failed or the RAID
  system (if applicable) has failed. The primary disk is the one on the
  left, as you are facing the front of the ACOS device chassis.
• Secondary Disk – Indicates that the secondary disk has failed or the RAID
  system (if applicable) has failed. The secondary disk is the one on the
  right, as you are facing the front of the ACOS device chassis.
  Note: This trap does not apply to models that use SSDs instead of disks.
• High Memory Usage – Indicates that the memory usage has exceeded the
  configured threshold.
• High Control CPU Usage – Indicates that the control CPU utilization has
  exceeded the configured threshold.
• High Data CPU Usage – Indicates that data CPU utilization has exceeded the
  configured threshold.
• System High Disk Usage – Indicates that hard disk usage has exceeded the
  configured threshold.
• System Drop Packet – Indicates that the system has dropped more than the
  configured threshold.
• Power Supply – Indicates that an upper power supply has failed. Contact
  A10 Networks.
Note: To configure thresholds, see “Config Mode > System > Settings >
General > Threshold” on page 433.
Supported Values: Selected (enabled) or unselected (disabled)
Default: Unselected
Parameter: AX SNMP MIB Download
Description: Web link to download the ACOS Management Information Base (MIB)
files. For information about the ACOS MIBs, see the MIB Reference.
Supported Values: N/A
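
The Hostname (IP/Mask) and Object Identifier restrictions from the Community section of Table 163, modeled as an added Python example (not ACOS code). The community names, addresses and the `audit` helper are constructed; the A10 OID and the defaults flagged by the audit are the ones listed in the table.

```python
import ipaddress

A10_AX_OID = "1.3.6.1.4.1.22610"  # OID for A10 Networks AX objects (Table 163)


def parse_oid(oid):
    """Split a dotted OID into a tuple of integer arcs."""
    return tuple(int(part) for part in oid.strip(".").split("."))


def oid_within(oid, subtree):
    """True if `oid` is the subtree root or lies under it.

    The comparison is per arc, not per character: 1.3.6.1.4.1.226100 starts
    with the same characters as the A10 OID but is a different enterprise.
    """
    arcs, root = parse_oid(oid), parse_oid(subtree)
    return arcs[:len(root)] == root


def get_answered(communities, community, source, oid):
    """Would a GET for `oid` from `source` be answered for this community?

    communities maps a community name to {"host": IP/Mask or None,
    "oid": OID or None}; None means the field is not set.
    """
    entry = communities.get(community)
    if entry is None:
        return False
    host, subtree = entry.get("host"), entry.get("oid")
    if host is not None:
        allowed = ipaddress.ip_network(host, strict=False)
        if ipaddress.ip_address(source) not in allowed:
            return False
    if subtree is not None and not oid_within(oid, subtree):
        return False
    return True


def audit(communities, trap_community=None):
    """List settings that are still at the permissive defaults."""
    findings = []
    for name, entry in sorted(communities.items()):
        if entry.get("host") is None:
            findings.append((name, "Hostname not set: any host or subnet is allowed"))
        if entry.get("oid") is None:
            findings.append((name, "Object Identifier not set: all objects can be accessed"))
    if trap_community == "public":
        findings.append(("trap", "trap community is the default 'public'"))
    return findings


# Constructed sample configuration.
COMMUNITIES = {
    "monitoring": {"host": "192.0.2.0/24", "oid": A10_AX_OID},
    "legacy": {"host": None, "oid": None},
}

if __name__ == "__main__":
    print(get_answered(COMMUNITIES, "monitoring", "192.0.2.10", "1.3.6.1.4.1.22610.2.4"))
    print(get_answered(COMMUNITIES, "monitoring", "198.51.100.7", "1.3.6.1.4.1.22610.2.4"))
    for finding in audit(COMMUNITIES, trap_community="public"):
        print(finding)
```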


Config Mode > System > Maintenance


The following sections describe the maintenance options for the
A10 Thunder Series and AX Series system software and configuration files.

Note: System Reload – When performing an upgrade, allow up to five minutes
for the reload procedure to complete, during which time the system
performs a full reload and will be offline. The actual time may vary
depending on system parameters.

Config Mode > System > Maintenance > Upgrade

This menu option displays the Upgrade page, which you can use to upgrade
the system image on the ACOS device.

Note: For complete upgrade instructions, see the release notes for the software
release to which you plan to upgrade.

Table 164 lists the options on the Upgrade page.

TABLE 164 Upgrade Settings


Upgrade Section

Parameter: Media
Description: Specifies the boot device onto which you want to install the
upgrade.
Supported Values: One of the following:
• Disk
• Compact Flash
• Both
Default: Disk

Parameter: Destination
Description: Specifies the image area on the selected boot device(s).
Supported Values: One of the following:
• Primary
• Secondary
Default: Primary

Parameter: Reboot
Description: Specifies whether the ACOS device will reboot automatically
after installing the upgrade.
Supported Values: Yes or No
Default: No

Parameter: Upgrade from
Description: Specifies whether the image you are installing is located
locally on the PC you are using to access the GUI, or is located on a remote
file server.
• If Local is selected, the Filename field appears.
• If Remote is selected, the other fields listed below appear.
Supported Values: Local or Remote
Default: Local

Parameter: Filename
Description: Directory path and filename for the image, if locally stored on
the PC you are using.
1. Click Browse.
2. Navigate to the image file.
3. Click Open.
4. Click OK.
Supported Values: Valid path and file name

Parameter: Staggered Upgrade Mode
Description: In aVCS deployments, this option upgrades only the selected
device. The other devices will continue to operate so that service is not
interrupted.
Note: Some preparation may be required before you upgrade. Before proceeding
with the upgrade, see the “Upgrading the Software Image (aVCS virtual
chassis)” section in the release notes for the version to which you are
upgrading.
Supported Values: Selected (enabled) or unselected (disabled)
Default: Unselected

The following fields are applicable only if you select Remote.

Parameter: Use Management Port
Description: Uses the management interface as the source interface for the
connection to the remote device. The management route table is used to reach
the device. By default, the ACOS device attempts to use the data route table
to reach the remote device through a data interface.
Note: For information about the data and management route tables, see the
“Using the Management Interface as the Source for Management Traffic”
chapter in the System Configuration and Administration Guide.
Supported Values: Enabled or disabled
Default: Disabled

Parameter: Protocol
Description: If you select to upgrade from a remote device, this field
appears. You can use it to specify the file transfer protocol to use.
Supported Values: One of the following:
• FTP
• TFTP
• RCP
• SCP
• SFTP
Default: FTP

Parameter: Host
Description: If you select to upgrade from a remote device, this field
appears. You can use it to specify the IP address of the remote file server.
Supported Values: Valid IP address
Default: Not set

Parameter: Port
Description: If you select to upgrade from an FTP server, this field appears.
You can use it to specify the protocol port on the server to which to send
the file transfer request.
Supported Values: 1-65535
Default: Depends on the file transfer protocol selected

Parameter: Location
Description: Directory path and filename of the image file on the remote
server. Enter the path relative to the root directory for the file transfer
method. For example, if using FTP, enter a path relative to the FTP
directory.
Supported Values: String
Default: Not set

Parameter: User
Description: Username for logging onto the remote server, if required.
Supported Values: String
Default: Not set

Parameter: Password
Description: Password for logging onto the remote server, if required.
Supported Values: String
Default: Not set

Config Mode > System > Maintenance > Backup

This menu option provides the following sub-options:


• System – Displays a page for selecting the location where to save a copy
of the ACOS configuration. This option backs up the startup-config file,
aFleX files, and SSL certificates and keys.
• Log – Displays a page for selecting the location where to save a copy of
the entries in the AX log buffer.

The Local and Remote location options work the same as described in
Table 164 on page 469.

Config Mode > System > Maintenance > Restore > System

You can restore the A10 Thunder Series and AX Series to a saved backup
configuration from a previously saved backup file on either a local or a
remote host.

This option displays a page for selecting the location from where to restore
the ACOS configuration. This option restores the startup-config file, aFleX
files, and SSL certificates and keys saved in the system backup.

The Local and Remote location options work the same as described in
Table 164 on page 469.

Note: Reload option – When performing a restore, allow five minutes for the
backup procedure to complete, during which time the system performs a
full reload and will be offline. The actual time may vary depending on
system parameters.


Config Mode > System > Maintenance > License

This option enables you to manage module licenses, if applicable.

To install a license, copy-and-paste the license key into the License field
and click Update.

Config Mode > System > Console


This option opens an HTTP-based console session to the CLI. For syntax
information, see the CLI Reference.

Config Mode > System > Config File


This page enables you to manage the ACOS device’s configuration files.

Note: The maximum size of a configuration file that you can add or modify is
256 kB.

You can use this page to perform the following configuration management
tasks:
• Display individual configuration files.

• Add, modify, and delete configuration files.

• Display side-by-side comparisons of configuration files.

Displaying a Configuration File


1. Select Config Mode > System > Config File.

2. Click on the configuration file name.

Adding a Configuration File


1. Select Config Mode > System > Config File.

2. Click Add. The Config File page appears.

3. Enter the name in the Name field.

4. To use another configuration file as a template, select the file from the
Copy drop-down list.


5. Edit the file if required.

6. Click OK.

Modifying a Configuration File


1. Select Config Mode > System > Config File.

2. Click on the configuration file name.

3. Edit the file.

4. Click OK.

Deleting a Configuration File


1. Select Config Mode > System > Config File.

2. Select the checkbox next to each configuration file to delete.

3. Click Delete.

Comparing Configuration Files


1. Select Config Mode > System > Config File.

2. Select the checkbox next to each of the 2 configuration files to compare.

3. Click Diff.

Note: You can compare a maximum of 2 files at a time.

The device configurations appear side-by-side in a new window.
Differences between the two configurations are highlighted:
• Yellow – Indicates a configuration section that is present in each
device’s configuration, but does not contain exactly the same
configuration on both devices.
• Red – Indicates a configuration command that is present in the device
configuration shown on the left, but is not present in the device
configuration shown on the right.
• Green – Indicates a configuration command that is present in the device
configuration shown on the right, but is not present in the device
configuration shown on the left.


Config Mode > System > aVCS


The pages of this section enable you to configure the ACOS Virtual Chassis
System (aVCS) feature. This feature allows you to manage multiple ACOS
devices as a single, virtual chassis.

Note: Before configuring this feature, see the “Virtual Chassis System” chapter
in the System Configuration and Administration Guide.

Config Mode > System > aVCS > General

This page provides options to enable aVCS on the device.

Table 165 describes the fields on this page.

TABLE 165 Config Mode > System> aVCS > General


Parameter: aVCS Enabled
Description: State of the aVCS feature on the device. aVCS must be enabled
for a device to become a member (master or backup) of a virtual chassis.
Supported Values: Enabled or disabled
Default: disabled

Parameter: vmaster-take-over
Description: Force vMaster re-election, by temporarily changing a device’s
aVCS priority.
Note: A low priority number indicates a high priority value. The highest
priority is 1 and the lowest priority is 255. The takeover occurs regardless
of priority settings on the current vMaster.
Supported Values: 1-255
Default: not set

Config Mode > System > aVCS > Settings

This page displays options to configure aVCS settings.

Table 166 lists the aVCS parameters you can configure.

TABLE 166 Upgrade Settings


Chassis Section

Parameter: IPv4 or IPv6 radio buttons
Description: IPv4 or IPv6 address for the aVCS floating IP address.
Supported Values: A valid IPv4 or IPv6 address
Default: Not set

Parameter: Mask / Prefix Length
Description: Network mask or subnet mask for the aVCS floating IP address.
Supported Values: Valid IPv4 network mask or mask length.
Default: not set

Parameter: Floating IP
Description: Management address of the virtual chassis. Navigating to this
address accesses the current master device of the virtual chassis.
Supported Values: Valid IPv4 unicast address
Default: not set

Parameter: Multicast IP
Description: IP address to which devices in the virtual chassis send
master-election traffic.
Supported Values: Valid IPv4 multicast address
Default: 224.255.255.1

Parameter: Multicast Port
Description: Protocol port from which devices in the virtual chassis send
master-election traffic.
Supported Values: 1-65535
Default: 41217

Parameter: Time Interval
Description: Number of seconds between transmission of keep alive messages
from the vMaster to vBlades.
Supported Values: 1-60
Default: 3

Parameter: Dead Interval
Description: Maximum number of seconds to wait for a keepalive message from
the vMaster before triggering vMaster re-election.
Supported Values: 5-240
Default: 10

Parameter: Failure Retry Count
Description: Number of retry attempts after a device fails to join the
virtual chassis.
Note: Use the value -1 to retry continuously.
Supported Values: -1-255
Default: 2

Parameter: SSL Enable
Description: State of SSL for configuration synchronization traffic between
aVCS devices.
Supported Values: Enabled or disabled
Default: Disabled

Parameter: vmaster-message-buffer
Description: If selected, indicates that the vBlade should not take over as
the vMaster when the vMaster is in a maintenance state.
Supported Values: Enabled or disabled
Default: Disabled

Parameter: vMaster-message-buffer-aging
Description: Specifies aging time of the message buffer.
Supported Values: 0-900 seconds
Default: 90 seconds

Parameter: vMaster-message-buffer-length
Description: Specifies length of the message buffer.
Supported Values: 15-180
Default: 30

Device Section

Parameter: Device ID
Description: Unique ID of the device within the virtual chassis.
Supported Values: 1-8
Default: not set

Parameter: Priority
Description: Static priority value used during master election. Higher
priority values are preferred over lower priority values. For example,
priority value 200 is preferred over priority value 2.
Supported Values: 0-255
Default: 0

Parameter: Unicast Port
Description: Protocol port used to create TCP connection between aVCS master
and backup. This connection is used for configuration synchronization.
Supported Values: 1-65535
Default: 41216

Parameter: Election Interface
Description: Ethernet port(s) used for master election traffic.
Note: In the current release, only a single election interface is supported.
Supported Values: One or more of the management port and Ethernet data ports
Default: not set

Parameter: Unselected
Description: Ethernet port associated with the aVCS floating IP address. When
the device is the aVCS master for the virtual chassis, traffic to and from
the virtual chassis floating IP address goes through the port.
Supported Values: Management port or Ethernet data port
Default: not set

Customer Driven Innovation 475 of 494


Document No.: D-030-01-00-0067 – ACOS 2.7.1 8/5/2013
A10 Thunder Series and AX Series—GUI Reference
Config Mode – System Options - Config Mode > System

TABLE 166 Upgrade Settings (Continued)


Parameter Description Supported Values
Enabled State of the aVCS feature on the device. aVCS must Enabled or disabled
be enabled for a device to become a member (mas- Default: Disabled
ter or backup) of a virtual chassis.
aVCS Action Section
aVCS Reload Reloads the aVCS process. aVCS reload is required Enabled or disabled
to place any aVCS-related configuration changes Default: Disabled
into effect.
Disable Merge This option is available if aVCS reload is enabled. Enabled or disabled
This option prevents configuration information Default: Disabled
from being migrated from the vBlades to the vMas-
ter following the reload. This option is useful when
you are replacing a virtual chassis vBlade by remov-
ing an ACOS device and replacing it with another
ACOS of the same model. In this case, the option
allows the replacement device to be configured by
the vMaster.
After the initial configuration migration, configura-
tion synchronization operates normally.
Without this option, when you add an ACOS device
to a virtual chassis that is already running, the
device’s configuration information is migrated to
the vMaster.
vMaster- Specifies the number of seconds the vMaster is 0-3600
maintenance maintained. Default: 60

Config Mode > System > HA


The HA pages enable you to configure options for High Availability.

This section provides access to the following suboptions:


• HA Global – Displays a page for configuring global HA settings. This is the only page you need to configure Layer 3 HA.
• HA Inline Mode – Displays a page for configuring Layer 2 inline mode HA. You need to use both the Global and HA Inline Mode pages to configure Layer 2 HA.
• HA Interface – Displays a page for configuring the device’s HA interfaces.
• Config Sync – Displays a page to synchronize the Layer 4-7 configuration information on the ACOS devices in an HA pair.


Notes
• Access to configuration options will vary with your administrative role and system configuration of the ACOS device. For information on the privilege level of administrative roles, see “Preconfigured GUI Access Roles” on page 447.
• Before configuring any HA options, see the “High Availability” chapter in the System Configuration and Administration Guide for detailed information about how HA works and how to configure it.
• Beginning in ACOS Release 2.7.0, heartbeat messages in Layer 2 Inline mode deployments are sent in unicast packets with the unicast MAC address and unicast IP address of the peer ACOS device in the HA pair. They are no longer sent in IP multicast packets addressed to IP multicast destination MAC and IP addresses. As in previous releases, they also are not sent as broadcasts.
  This applies to all models. This change does not require any configuration changes and should not affect the operation of your HA deployment.

Config Mode > System > HA > Global

The menu option displays the following sections.


• General

• Group

• Floating IP Address

• Status Check

• Force Self Standby

Table 167 lists the configuration options in the HA Global sections.

TABLE 167 Global HA Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| General Section | | |
| HA Status | State of the HA feature on this ACOS device. | Enabled or Disabled. Default: Disabled |
| Identifier | HA ID of the ACOS device. The HA ID uniquely identifies the ACOS device within the HA pair. | 1 or 2. Select 1 on one of the ACOS devices and select 2 on the other ACOS device. |
| Set ID | Set ID of the HA pair this ACOS is in. The HA set ID specifies the HA set to which the ACOS device belongs. This parameter is applicable to configurations that use multiple ACOS device pairs. To set this option if needed, use 1 or higher. Use the same set ID on both ACOS devices in this HA pair. If there is only one HA pair in the network, you do not need to use this option. | 1-7. Default: Not set |
| Preemption Status | Controls whether failovers can be caused by configuration changes to HA priority. | Enabled or Disabled. Default: Disabled |
| Time Interval | Specifies the amount of time between sending each heartbeat message. | 1-255 units of 100 ms each. Default: 2 (200 ms or 0.2 seconds) |
| HA Mirroring IP Address | Specifies the IP address of a data interface on the other ACOS device in the HA configuration. The mirroring IP address is an IP address on the peer ACOS device in the HA pair. The connection mirror interface is used for session synchronization (also called “connection mirroring”) and configuration synchronization. Until a connection mirror interface is specified, the ACOS device remains in Standby state. Note: A mirror interface is required in Inline deployments. | Valid IP address. Default: Not set |
| Timeout Retries | Specifies the number of times the HA time interval can expire before the Standby ACOS device fails over to become the Active ACOS device. | 2-255. Default: 5 |
| ARP Retry | Specifies the number of additional gratuitous ARPs, in addition to the first one, an ACOS device sends after transitioning from Standby to Active in an HA configuration. | 1-255. Default: 4 additional gratuitous ARPs, for a total of 5 |
| Group Section | | |
| Group | Adds the ACOS device to HA groups and sets the priorities for each group. In Active-Standby configurations, configure only one HA group. Use the same group ID on each ACOS device. In Layer 3 Active-Active configurations, to make one ACOS device active for some virtual servers and make the other ACOS device active for the other virtual servers, configure both HA groups (1 and 2) and give them different priorities. Use the same group IDs for the same virtual servers on each ACOS device. | Group ID can be 1-31. Priority can be 1 (low priority) to 255 (high priority). Default: Not set |
| Floating IP Address Section | | |
| Floating IP Address | For each HA group, specifies the IP address that downstream devices should use as their default gateway. The same address is shared by both ACOS devices in the HA pair. Regardless of which device is Active, downstream devices can reach their default gateway at this IP address. Note: A floating IP address cannot be the same as an address that already belongs to a device. For example, the IP address of an ACOS device interface cannot be a floating IP address. | Group Name can be 1-31. A valid IPv4 or IPv6 address. Default: not set |
| Status Check Section | | |
| IP Address | Checks the health of gateways and changes HA status if a gateway fails its health check. To configure gateway-based failover: 1. Configure a health monitor that uses the ICMP method. (See “Config Mode > SLB > Health Monitor” on page 270.) 2. Configure the gateway as an SLB real server and apply the ICMP health monitor to the server. (See “Config Mode > SLB > Service > Server” on page 171.) 3. Enable HA checking for the gateway. In the Status section, enter the gateway IP address in the Gateway field, and click Add. | A valid gateway. Default: Not set |
| VLAN | Checks the health of VLANs and changes HA status if a VLAN stops responding. To configure VLAN-based failover: 1. Enter the VLAN ID in the VLAN ID field. 2. In the Timeout field, enter the number of seconds a VLAN can be silent before triggering an HA status change. 3. Click Add. | The following values are supported: VLAN ID – 1-4094; Timeout – 2-600. Note: You must specify the timeout. Although there is no default, A10 Networks recommends setting the timeout to 30 seconds. Default: Not set |

Force Self Standby Section
This section allows you to force HA groups into the standby state on this ACOS device.
To force a group into the standby state:
1. Select the group ID from the Group Name drop-down list. To force all groups into the standby state, select All.
2. Click Enable.
To disable forced standby on a group:
1. Select the group ID from the Group Name drop-down list. To disable forced standby on all groups, select All.
2. Click Disable.
To verify the change, see “Monitor Mode > System > HA > Group” on page 125.


Config Mode > HA > Setting > HA Inline Mode

The menu option displays the HA Inline Mode section.

Table 168 lists the configuration options in the General section for HA
inline mode.

TABLE 168 HA Inline Mode Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| HA Inline Mode Section | | |
| Inline Mode Status | Enables inline mode. | Enabled or Disabled. Default: Disabled |
| Preferred Port | Specifies the HA interface to use for session synchronization and for management traffic between the ACOS devices. | AX Ethernet interface enabled for HA. Default: The AX selects the Active ACOS device’s preferred HA port as follows: 1. Is a preferred port specified with the inline configuration, and is the port up? If so, use the port. 2. If no preferred HA port is specified in the configuration or that port is down, the first HA interface that came up on the AX is used as the preferred HA port. If the preferred HA port selected by 1. or 2. above goes down, the HA interface with the lowest port number is used. If that port also goes down, the HA interface with the next-lowest port number is used, and so on. |
| Restart Time | Amount of time interfaces in the restart port list remain disabled following a failover. | 1-100 units of 100 milliseconds (ms). Default: 20 units of 100 ms (2 seconds) |
| Restart Port List | List of Ethernet interfaces on the previously Active ACOS device to toggle (shut down and restart) following HA failover. | AX Ethernet interfaces. Default: Not set |
| L3 Inline Mode | Enables blocking of traffic loops in a gateway (Layer 3) hot-standby HA configuration. | Enabled or Disabled. Default: Disabled |
| Link Event Delay | Amount of time the ACOS device waits before changing the HA state (Up, Partially Up, or Down) in response to link-state changes on the HA interfaces. | 100 - 10000 milliseconds (ms). The value you specify must be divisible by 100 ms. Default: 3000 ms (3 seconds) |


Connection-mirror Requirement for Layer 2 Inline Mode HA


The ACOS device requires a connection mirror interface to be configured in Layer 2 inline mode HA deployments.

A connection mirror interface is an IP address on the peer ACOS device in the HA pair. The connection mirror interface is used for session synchronization (also called “connection mirroring”) and configuration synchronization. Until a connection mirror interface is specified, the ACOS device remains in Standby state.

If a connection mirror interface is not configured, a log message such as the following is generated every 5 minutes:
Sep 01 2012 03:01:30 Warning [HA]:HA Peer IP is not configured. Peer IP is required in Inline Mode.

Config Mode > HA > Setting > HA Interface


This option enables you to configure HA settings on Ethernet data interfaces.

To enable or disable HA on individual interfaces, select the interfaces, then click Enable or Disable. The status change is shown in the HA status column.

When you click on an interface name, the VIP section is displayed.

Note: If the interface is a tagged member of a VLAN, you must specify the VLAN ID when configuring the interface to be an HA interface. If the VLAN ID is not specified, the ACOS device does not transmit any heartbeat packets on the interface. This is an invalid configuration.

Table 169 lists the configuration options in the VIP section.

TABLE 169 HA Interface Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| HA Interface Section | | |
| Status | Specifies whether the interface is an HA interface. | Enabled or Disabled. Default: Disabled |
| HA Status | Enables or disables configuration of HA interface parameters. | Enabled or Disabled. Default: Disabled |
| Type | Identifies the type of device connected to the HA interface: None – The device type does not affect calculation of HA state. Router-Interface – The interface is connected to an upstream router. Server-Interface – The interface is connected to a real server. Both – The interface is connected to an upstream router and a real server. | One of the following: None, Router-Interface, Server-Interface, Both. Default: None |
| Heartbeat | Enables or disables heartbeat messages on the interface. To restrict the heartbeat messages to a specific VLAN, enter the VLAN ID in the VLAN field. Notes: If the interface is tagged and heartbeat messages are enabled, you must specify the VLAN. If the heartbeat messages from one ACOS device to the other will pass through a Layer 2 switch, the switch must be able to pass UDP IP multicast packets. (This requirement does not apply to Layer 2 inline HA because it uses unicast to transmit the heartbeat.) | Enabled or Disabled. Default: Disabled. When enabled, heartbeat messages are enabled for all VLANs. |
| VLAN | Specifies the VLAN on which heartbeat messages are enabled. | VLAN ID. Heartbeat messages are enabled for all VLANs. However, if the interface is tagged and heartbeat messages are enabled, you must specify the VLAN ID. |
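The constraints stated in Tables 167 to 169 and in the connection-mirror requirement can be checked across both devices before a change is applied. The following Python code is an added example, not A10 code and not ACOS configuration syntax; the dictionary layout, key names and addresses are assumptions constructed for the example.

```python
"""Pre-change check of an HA pair against Tables 167-169 (added example).

Key names and addresses are constructed for this example; they are not
ACOS configuration syntax.
"""
import ipaddress


def heartbeat_loss_window_ms(time_interval, timeout_retries):
    """Time Interval counts units of 100 ms; the Standby device fails over
    after that interval has expired Timeout Retries times."""
    return time_interval * 100 * timeout_retries


def _own_addresses(dev):
    return {ipaddress.ip_address(i["ip"]) for i in dev["interfaces"] if i.get("ip")}


def check_device(dev):
    """Return findings for one device's HA settings."""
    name, out = dev["name"], []
    if not 1 <= dev["time_interval"] <= 255:
        out.append(f"{name}: Time Interval outside 1-255")
    if not 2 <= dev["timeout_retries"] <= 255:
        out.append(f"{name}: Timeout Retries outside 2-255")
    # Inline mode needs a mirror interface; without one the device stays in
    # Standby and logs "HA Peer IP is not configured" every 5 minutes.
    if dev.get("inline_mode") and not dev.get("mirror_ip"):
        out.append(f"{name}: inline mode without HA Mirroring IP Address")
    delay = dev.get("link_event_delay_ms", 3000)
    if not 100 <= delay <= 10000 or delay % 100:
        out.append(f"{name}: Link Event Delay {delay} ms is not 100-10000 in steps of 100")
    own = _own_addresses(dev)
    for fip in dev.get("floating_ips", []):
        # A floating IP cannot be an address that already belongs to a device.
        if ipaddress.ip_address(fip) in own:
            out.append(f"{name}: floating IP {fip} is an interface address")
    for i in dev["interfaces"]:
        # Tagged interface + heartbeat + no VLAN ID: no heartbeats are sent.
        if i.get("ha") and i.get("heartbeat") and i.get("tagged") and not i.get("vlan"):
            out.append(f"{name}: {i['port']} is tagged with heartbeat on but no VLAN ID")
    for chk in dev.get("vlan_checks", []):
        t = chk.get("timeout")
        if t is None or not 2 <= t <= 600:
            out.append(f"{name}: VLAN {chk['id']} status check needs a timeout of 2-600")
    return out


def check_pair(a, b):
    """Return findings for both devices plus the cross-device rules."""
    out = check_device(a) + check_device(b)
    if {a["ha_id"], b["ha_id"]} != {1, 2}:
        out.append("pair: Identifier must be 1 on one device and 2 on the other")
    if a.get("set_id") != b.get("set_id"):
        out.append("pair: Set ID must be the same on both devices")
    if set(a["groups"]) != set(b["groups"]):
        out.append("pair: HA group IDs differ between the devices")
    for dev, peer in ((a, b), (b, a)):
        mip = dev.get("mirror_ip")
        # The mirroring IP is an address on the peer device.
        if mip and ipaddress.ip_address(mip) not in _own_addresses(peer):
            out.append(f"{dev['name']}: mirror IP {mip} is not an address on the peer")
    return out


# Constructed sample pair (documentation address ranges). AX2 carries the faults.
AX1 = {
    "name": "ax1", "ha_id": 1, "set_id": 1, "groups": {1: 200},
    "time_interval": 2, "timeout_retries": 5,
    "inline_mode": True, "mirror_ip": "192.0.2.2", "link_event_delay_ms": 3000,
    "floating_ips": ["198.51.100.254"],
    "interfaces": [
        {"port": "ethernet1", "ip": "192.0.2.1", "ha": True, "heartbeat": True},
        {"port": "ethernet2", "ip": "198.51.100.1", "ha": True, "heartbeat": True,
         "tagged": True, "vlan": 20},
    ],
    "vlan_checks": [{"id": 20, "timeout": 30}],
}
AX2 = {
    "name": "ax2", "ha_id": 1, "set_id": 1, "groups": {1: 100},
    "time_interval": 2, "timeout_retries": 5,
    "inline_mode": True, "mirror_ip": None, "link_event_delay_ms": 250,
    "floating_ips": ["198.51.100.2"],
    "interfaces": [
        {"port": "ethernet1", "ip": "192.0.2.2", "ha": True, "heartbeat": True},
        {"port": "ethernet2", "ip": "198.51.100.2", "ha": True, "heartbeat": True,
         "tagged": True},
    ],
    "vlan_checks": [{"id": 20}],
}

if __name__ == "__main__":
    for finding in check_pair(AX1, AX2):
        print(finding)
    print("heartbeat loss window:", heartbeat_loss_window_ms(2, 5), "ms")
```

With the default Time Interval of 2 and Timeout Retries of 5, the Standby device waits 1000 ms of missed heartbeats before it takes over, so a tagged interface that silently sends no heartbeats is enough to trigger a failover.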


Config Mode > HA > Config Sync

This page enables you to synchronize the Layer 4-7 configuration information on the ACOS devices in an HA pair.

Requirements
Session synchronization (connection mirroring) is required for config sync. Config sync uses the session synchronization link. To enable session synchronization, see “Config Mode > System > HA > Global” on page 477.

SSH management access must be enabled on both ends of the link. (See
“Config Mode > System > Settings > Access Control” on page 460.)

Note: Before performing a config-sync procedure, see the “Synchronizing HA Information” section in the “High Availability” chapter of the System Configuration and Administration Guide.

Performing Config Sync

To synchronize the Layer 4-7 configuration information with the other ACOS device in the HA pair:

1. In the User and Password fields, enter the admin username and password for logging onto the other ACOS device.

2. If Role-Based Administration (RBA) is configured on the ACOS device, select whether to synchronize all partitions or only the currently selected partition. (See “System Partitions” on page 34. Also see the “Synchronizing the Configuration” section in the “Role-Based Administration” chapter of the System Configuration and Administration Guide.)

Note: This option is applicable only if you are logged on with Root or Super Admin privileges.

3. Next to Operation, select the information to be copied to the other ACOS device:
• All – Copies all the following to the other ACOS device:
  • Admin accounts and settings
  • Floating IP addresses
  • IP NAT configuration
  • Access control lists (ACLs)
  • Health monitors
  • Policy-based SLB (black/white lists)
  • SLB
  • FWLB
  • GSLB
  • Data files (see below)
  The items listed above that appear in the configuration file are copied to the other ACOS device’s running-config.
• Data Files – Copies only the SSL certificates and private-key files, aFleX files, External health check files, and black/white-list files to the other ACOS device
• Running-config – Copies everything listed for the All option, except the data files, from this ACOS device’s running-config
• Startup-config – Copies everything listed for the All option, except the data files, from this ACOS device’s startup-config

4. Next to Peer Option, select the target for the synchronization:
• To Running-config – Copies the items selected in step 3 to the other ACOS device’s running-config
• To Startup-config – Copies the items selected in step 3 to the other ACOS device’s startup-config

5. To reload the other ACOS device after synchronization, select With Reload. Otherwise, the other ACOS device is not reloaded following the synchronization.

Note: In some cases, reload either is automatic or is not allowed. See the “Synchronizing HA Information” section in the “High Availability” chapter of the System Configuration and Administration Guide.

6. In the Destination IP field, enter the IP address of the other ACOS device.

7. Click OK.


Config Mode > System > VRRP-A


The pages of this sub-module enable you to configure options for VRRP-A. This page provides access to the following suboptions:
• VRRP-A Global – Displays a page for configuring global VRRP-A settings.
• VRRP-A Interface – Displays a page for configuring the device’s VRRP-A interfaces.
• Failover Policy Template – Displays a page for configuring Failover Policy Templates.

Notes
• VRRP-A is supported only on ACOS devices that are deployed in gateway (route) mode. Transparent mode (inline) deployments are not supported. For transparent/inline deployments, use the High Availability (HA) feature instead.
• Access to configuration options will vary with your administrative role and system configuration of the ACOS device. For information on the privilege level of administrative roles, see “Preconfigured GUI Access Roles” on page 447.
• VRRP-A is the A10 Networks implementation of the High Availability protocol that is completely different from the industry-standard implementation of Virtual Router Redundancy Protocol (VRRP). For purposes of operational familiarity, it borrows concepts from VRRP, but is significantly different from VRRP. VRRP-A will not inter-operate with VRRP.
  In this release, VRRP-A, a High Availability (HA) implementation, is mutually exclusive of the HA feature and is configured separately and not as part of the HA functionality.

Config Mode > System > VRRP-A > VRRP-A Global

This page displays the following sections.


• General

• VRID

• Floating IP Address

• VRRP-A Tracking


• Preferred Session Sync Port

• Force Self Standby

Table 170 lists the configuration options in the VRRP-A Global section.

TABLE 170 Global VRRP-A Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| General Section | | |
| VRRP-A Status | Indicates the state of VRRP-A on the ACOS device. | Enabled or Disabled. Default: Disabled |
| Device ID | Sets a unique ID of the device within the VRRP-A set. Notes: If aVCS is configured, use the same number as the aVCS device ID. The device ID ranges vary on different ACOS devices. | 1-8. Default: Not set |
| Set ID | Indicates a set ID number for the VRRP-A domain. All devices that provide backup for a given VRID must belong to the same VRRP-A set. | 1-7. Default: Not set |
| Default VRID | Enables or disables the default VRID on the shared partition. If disabled, you can use the default VRID in the shared partition and all private partitions. Note: Disabling the default VRID allows you to use VRIDs 1-31 instead of VRID 0 (the default VRID) in the shared partition. In private partitions, disabling the default VRID disables VRRP-A. | Enabled or Disabled. Default: Enabled |
| Hello Interval | Specifies the number of milliseconds (ms) between each VRRP-A hello message the active device sends to the backup devices. | 1-255 units of 100 ms each. Default: 2 per 100ms (0.2 seconds) |
| Dead Timer | Specifies the number of hello intervals during which a backup device will wait for a hello message from the active device. If this value expires, the standby ACOS device fails over to become the Active ACOS device. | 2-255. Default: 5 (1000ms) |
| Track Event Delay | Specifies the duration of milliseconds (ms) waited by the ACOS device before beginning failover in response to priority changes. The track event delay helps avoid unnecessary failovers caused by brief, temporary network changes. | 1-100. Default: 30 per 100ms (3 seconds) |
| Preemption Delay | Specifies the number of milliseconds (ms) to wait before beginning failover in response to configuration changes. Note: When VRRP-A is configured on 2 ACOS devices, changing the priority will cause an instant failover within 1 to 3 seconds. | 1-255. Default 60 units per 100ms (6 seconds) |
| ARP Retry | Specifies the number of additional IPv4 gratuitous ARPs or ICMPv6 neighbor advertisements, in addition to the first one, an ACOS device sends after transitioning from Standby to Active in a VRRP-A configuration. | 1-255. Default: 4 additional gratuitous ARPs, for a total of 5 |
| Host ID append to VRID | VRID that is used to carry the host ID information in its heartbeat message. | Shared Partition – 1-31 or default. Default: Not set |
| VRID Section | | |
| VRID | Specifies the virtual router ID (VRID). | 1-31 or default. Default: default |
| Priority | VRRP-A priority of this device. | 1-255. Default: 150 |
| Preempt Mode | Enables or disables ability for failovers to be caused by configuration changes to VRRP-A priority or device ID. If you enable this option, you can specify the pre-emption threshold. The pre-emption threshold specifies the maximum difference in priority value that can exist between the active and standby devices without failover occurring. | Preempt Mode – Enabled or Disabled; Threshold – 1-255. Default: Preempt Mode – Enabled; Threshold – Not set |
| Failover Policy Template | Applies a Failover Policy Template to a tracked event. | A configured Failover Policy Template. Default: Not set |
| Floating IP Address Section | | |
| VRID | Selects a VRID associated with a VRRP-A group. | 1-31 or default. Default: default |
| IPv4 or IPv6 radio buttons | For each VRRP-A group, specifies the IP address that downstream devices should use as their default gateway. The same address is shared by all ACOS devices configured in the VRRP-A. Regardless of which device is Active, downstream devices can reach their default gateway at this IP address. Note: A floating IP address cannot be the same as an address that already belongs to a device. For example, the IP address of an ACOS device interface cannot be a floating IP address. | Valid IPv4 or IPv6 address. Default: Not set |

VRRP-A Tracking Section
This section displays tracking options for the following:
• Gateways
• VLANs
• Trunks
• Interfaces
• Routes
In the event of failover, the priority cost of a tracked item is deducted from the priority value of the associated ACOS device. Tracking protocol dynamically reduces the priority of a device causing a failover to optimize network resources.
Notes: For private partitions, only interface, route, and VIP tracking are supported.
For complete parameter descriptions, see Table 172 on page 490.

| Parameter | Description | Supported Values |
|---|---|---|
| Preferred Session Sync Port Section | | |
| Interface | Preferred interface for receiving sessions. | Ethernet data port names. Default: ethernet1 |
| VLAN ID | ID number of the VLAN. | 1-4094. Default: Not set |
| VRID Leader Section | | |
| VRID Leader Name | Preferred interface for receiving sessions. | Shared Partition: 1-31 or default. Private Partition: 1-7. Default: Not set |
| Partition | Partition to which the VRID leader you specify belongs. | Default: Not set |
| VRID | VRRP-A virtual router ID (VRID). | Default: Not set |

Force Self Standby Section
This section allows you to force VRRP-A groups into the standby state on this ACOS device.
To force a group into the standby state:
1. Select the group ID from the Group Name drop-down list. To force all groups into the standby state, select All.
2. Click Enable.
To disable forced standby on a group:
1. Select the group ID from the Group Name drop-down list. To disable forced standby on all groups, select All.
2. Click Disable.
To verify the change, see “Monitor Mode > System > VRRP-A > VRID” on page 127.
Note: The Force Self Standby option remains in effect until one of the other failover triggers occurs or the device is reloaded or rebooted. The option is not added to the configuration and does not persist across reloads or reboots.


Config Mode > System > VRRP-A > VRRP-A Interface

This option enables you to configure VRRP-A settings on Ethernet data interfaces.

To enable or disable VRRP-A on individual interfaces, select the interfaces, then click Enable or Disable. The status change is shown in the VRRP-A status column.

When you click on an interface name, the VRRP-A Interface section is displayed.

Table 171 lists the configuration options in the VRRP-A Interface section.

TABLE 171 VRRP-A Interface Parameters

| Parameter | Description | Supported Values |
|---|---|---|
| VRRP-A Interface Section | | |
| Status | Specifies whether the interface is a VRRP-A interface. | Enabled or Disabled. Default: Disabled |
| VRRP-A Status | Enables or disables configuration of VRRP-A interface parameters. | Enabled or Disabled. Default: Disabled |
| Type | Identifies the type of device connected to the VRRP-A interface: None – The device type does not affect calculation of VRRP-A state. Router-Interface – The interface is connected to an upstream router. Server-Interface – The interface is connected to a real server. Both – The interface is connected to an upstream router and a real server. | One of the following: None, Router-Interface, Server-Interface, Both. Default: None |
| Heartbeat | Enables or disables heartbeat messages on the interface. To restrict the heartbeat messages to a specific VLAN, enter the VLAN ID in the VLAN field. Note: If the interface is tagged and heartbeat messages are enabled, you must specify the VLAN. | Enabled or Disabled. Default: Disabled. When enabled, heartbeat messages are enabled for all VLANs. |
| VLAN | Specifies the VLAN on which heartbeat messages are enabled. | VLAN ID. Heartbeat messages are enabled for all VLANs. However, if the interface is tagged and heartbeat messages are enabled, you must specify the VLAN ID. |


Config Mode > VRRP-A > Setting > Failover Policy Template

This page allows you to view and create Failover Policy Templates. In response to policy-based failover, the weight assigned to an event is deducted from the total weight of the ACOS device and is used to determine the Active/Standby status of devices within a pair.

Note: The weight value encompasses tracked gateways, interfaces, VLANs, trunks, or routes and their Up/Down status. VRRP-A first determines Active/Standby status by the weight associated with each device. If both devices share the same weight, the priority cost of the VRRP-A tracking function is then considered to determine Active/Standby status.

Parameters for Failover Policy Templates

Table 172 lists the configuration options in the Failover Policy Template section.

TABLE 172 VRRP-A > Failover Policy Template

| Parameter | Description | Supported Values |
|---|---|---|
| General Section | | |
| Name | Name of the Failover Policy Template. | String. Default: Not set |
| Gateway Tracking Section | | |
| IPv4 or IPv6 radio buttons | Specifies the destination IPv4 or IPv6 address of the route. | You can specify the following values: IPv4 or IPv6; Gateway – Valid IP address. Default: IPv4; Gateway – Not set |
| Weight | Specifies the value to subtract from the total weight assigned to an ACOS device. | 1-255. Default: Not set |
| VLAN Tracking Section | | |
| VLAN ID | ID number of the VLAN. | Valid VLAN ID. Default: Not set |
| Timeout | Specifies how long the VLAN can remain idle. | 2-600. Default: Not set |
| Weight | Specifies the value to subtract from the total weight assigned to an ACOS device. | 1-255. Default: Not set |
| Trunk Tracking Section | | |
| Trunk ID | ID assigned to the trunk by the admin who configured it. | 1-16. Default: Not set |
| Weight | Specifies the value to subtract from the total weight assigned to an ACOS device. | 1-255. Default: Not set |
| Per Port Weight | Specifies a value to subtract from the VRID priority if a port goes down. | 1-255. Default: Not set |
| Interface Tracking Section | | |
| Interface | Specifies the ethernet data port for the VRRP-A interface. | Ethernet data port names. Default: ethernet1 |
| Weight | Specifies the value to subtract from the total weight assigned to an ACOS device. | 1-255. Default: Not set |
| Route Tracking Section | | |
| Route | Specifies the IPv4 or IPv6 route to track. | Valid IPv4 or IPv6 address and network mask. Default: Not set |
| Gateway | Specifies the next-hop gateway for the route. | Valid IPv4 or IPv6 address. Default: Not set |
| Distance | Specifies the metric value (cost) of the route. | 1-255. Default: Not set |
| Protocol | Specifies the source of the route. You can select one of the following: Any – Routes added by an administrator or routing protocol. Static – Routes added by an administrator. Dynamic – Routes added by a routing protocol. | One of the following: Any, Static, Dynamic. Default: Any |
| Weight | Specifies the value to subtract from the total weight assigned to an ACOS device. | 1-255. Default: Not set |
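The decision order described in the note above, weight first and tracking priority only when the weights are equal, can be modelled to see how a template changes the outcome of a failure. This Python model is an added example, not A10 code: BASE_WEIGHT, the class and function names and the sample devices are assumptions, and applying the pre-emption threshold of Table 170 to the priority tie-break is this example's reading of that table.

```python
"""Model of the Active/Standby decision described for Failover Policy
Templates (added example; names and sample values are constructed)."""
from dataclasses import dataclass, field

# Assumption: the page does not state a device's starting weight, so a
# constructed value is used. Only the comparison between devices matters.
BASE_WEIGHT = 1000


@dataclass
class TrackedEvent:
    kind: str                # gateway, vlan, trunk, interface or route
    target: str
    weight: int = 0          # template weight, 1-255 when set (Table 172)
    priority_cost: int = 0   # VRRP-A tracking priority cost
    down: bool = False

    def __post_init__(self):
        if self.weight and not 1 <= self.weight <= 255:
            raise ValueError(f"{self.kind} {self.target}: weight outside 1-255")


@dataclass
class Device:
    name: str
    priority: int = 150      # Table 170 default
    events: list = field(default_factory=list)

    def weight(self):
        # Each failed event's weight is deducted from the device's total.
        return BASE_WEIGHT - sum(e.weight for e in self.events if e.down)

    def tracked_priority(self):
        # Tracking deducts the priority cost of each failed item.
        return self.priority - sum(e.priority_cost for e in self.events if e.down)


def elect(active, standby, threshold=0):
    """Return (name of the device that should be Active, deciding factor)."""
    if standby.weight() != active.weight():
        return max(active, standby, key=Device.weight).name, "weight"
    # Equal weight: fall back to priority. A gap up to the threshold is
    # tolerated without failover.
    gap = standby.tracked_priority() - active.tracked_priority()
    if gap > threshold:
        return standby.name, "priority"
    return active.name, "no change"


def scenarios():
    gw = "192.0.2.1"  # constructed gateway address
    out = {}
    a = Device("ax1", 200, [TrackedEvent("gateway", gw, weight=100, down=True)])
    b = Device("ax2", 100, [TrackedEvent("gateway", gw, weight=100)])
    out["gateway down on active only"] = elect(a, b)
    b.events[0].down = True
    out["gateway down on both"] = elect(a, b)
    a = Device("ax1", 150, [TrackedEvent("interface", "ethernet1",
                                         priority_cost=60, down=True)])
    b = Device("ax2", 100)
    out["tracked interface down, threshold 0"] = elect(a, b)
    out["tracked interface down, threshold 20"] = elect(a, b, threshold=20)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In the first scenario the device with the higher configured priority still loses the Active role, because the weight comparison is made before priority is considered.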


Corporate Headquarters

A10 Networks, Inc.


3 West Plumeria Dr
San Jose, CA 95134 USA

Tel: +1-408-325-8668 (main)


Tel: +1-408-325-8676 (support - worldwide)
Tel: +1-888-822-7210 (support - toll-free in USA)
Fax: +1-408-325-8666

www.a10networks.com

© 2013 A10 Networks Corporation. All rights reserved.
