NETSCOUT Arbor APSConsole 6.3 User Guide PDF

Arbor APS Console
User Guide
Version 6.3
Legal Notice Default
The information contained within this document is subject to change without notice. Arbor Networks, Inc. makes
no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose. Arbor Networks, Inc. shall not be liable for errors contained
herein or for any direct or indirect, incidental, special, or consequential damages in connection with the
furnishings, performance, or use of this material.
© 2019 Arbor Networks, Inc. All rights reserved. Proprietary and Confidential Information of Arbor Networks, Inc.
Document Number: APSCON-UG-63-2019/08
19 August, 2019
Contents
Preface
About the APS Console Documentation 8
Command Syntax 9
Contacting the Arbor Technical Assistance Center 10
Part I: APS Console Overview

Section 1: Introduction to APS Console 13
About Managing APS Devices from APS Console 14
About the APS Console User Interfaces 16
Section 2: Getting Started with APS Console 17
Before You Begin to Use APS Console 18
Logging in to and out of the APS Console UI 19
Editing Your User Account 20
Navigating the APS Console UI 22
Using Navigation Controls 24
About the Arbor Smart Bar 26
Saving and Emailing Pages from the UI 27
Viewing Graphs in the UI 28
Part II: APS Console Configuration

Section 3: Configuring APS Console 31
Configuring General Settings 32
About SNMP Polling 34
About User Accounts 36
About User Groups 38
Configuring User Accounts 39
Configuring the Audit Trail Settings 41
Configuring System Alerts 42
Configuring Remote Backup Settings 44
Using a Custom SSL Certificate for User Authentication 47
Adding a Custom Logo to the UI 49
Section 4: Managing the ATLAS Intelligence Feed 51
About the ATLAS Intelligence Feed 52
About the ATLAS Threat Policies 54
About the ATLAS Confidence Index 56
About Web Crawler Support 59
Configuring the ATLAS Intelligence Feed 60
Viewing the Status of ATLAS Intelligence Feed Updates 62
Viewing the AIF Traffic Statistics for a Protection Group 63
Section 5: Configuring Notifications 65
About Notifications 66
APS Console User Guide, Version 6.3 3

APS Console User Guide, Version 6.3
Configuring Notifications 68
Viewing Notifications 72
Part III: APS Management

Section 6: Introduction to APS Management 75
Configuring APS for APS Console Management 76
1About the APS Console - APS Data Synchronization 78
How Restoring Backups Affects the APS Console - APS Synchronization 82
Setting the Protection Mode (Active or Inactive) 84
About the Protection Levels 86
Deleting Offline Devices 89
Section 7: Managing Shared Server Types 91
About the Server Types 92
Viewing Server Types 96
edAdding and Deleting Custom Server Types 98
Changing the Protection Settings for Server Types 100
About Traffic Profiling for Protection Configuration 102
Capturing Traffic Profiles from APS Console 104
Using Traffic Profile Data to Configure Protection Settings 105
Restoring the Default Protection Settings 108
Section 8: Configuring the Protection Settings 109
About the Protection Settings Configuration 111
About the Outbound Threat Filter 113
Configuring the Outbound Threat Filter 115
Validating the Outbound Threat Filter Configuration 116
Application Misbehavior Settings 119
ATLAS Intelligence Feed Settings 120
Block Malformed DNS Traffic Settings 124
Block Malformed SIP Traffic Settings 125
Botnet Prevention Settings 126
CDN and Proxy Support Settings 128
DNS Authentication Settings 129
DNS NXDomain Rate Limiting Settings 130
DNS Rate Limiting Settings 131
DNS Regular Expression Settings 132
Fragment Detection Settings 133
HTTP Header Regular Expressions Settings 134
HTTP Rate Limiting Settings 135
HTTP Reporting Settings 136
ICMP Flood Detection Settings 137
Malformed HTTP Filtering Settings 138
Multicast Blocking Settings 139
Payload Regular Expression Settings 140
Private Address Blocking Settings 143
Rate-based Blocking Settings 144
SIP Request Limiting Settings 145
Spoofed SYN Flood Prevention Settings 146
TCP Connection Limiting Settings 150
TCP Connection Reset Settings 151
TCP SYN Flood Detection Settings 153
TLS Attack Prevention Settings 155
Traffic Shaping Settings 157
4 Proprietary and Confidential Information of Arbor Networks, Inc.

UDP Flood Detection Settings 158
Section 9: Configuring Filter Lists to Drop and Pass Traffic 159
About Filter Lists 160
Configuring Master Filter Lists 162
Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter 164
Section 10: Managing the Blacklists and Whitelists 167
About Blacklisting and Whitelisting Traffic 168
About the Capacity of the Blacklists and Whitelists 172
Blacklisting Inbound Traffic 174
Viewing and Searching the Inbound Blacklist 177
Blacklisting Outbound Traffic 180
Viewing and Searching the Outbound Blacklist 182
Whitelisting Inbound Traffic 184
Viewing and Searching the Inbound Whitelist 186
Whitelisting Outbound Traffic 188
Viewing and Searching the Outbound Whitelist 190
Section 11: Viewing APS Traffic 193
Viewing the Traffic Activity for a Protection Group 194
Viewing the Traffic Overview for a Protection Group 197
Filtering the Traffic Data by APS 199
Viewing the Attack Categories for a Protection Group 200
Viewing the Top URLs for a Protection Group 206
Viewing the Top Domains for a Protection Group 208
Viewing the Top IP Locations for a Protection Group 210
Viewing the Top Protocols for a Protection Group 212
Viewing the Top Services for a Protection Group 214
Section 12: Managing Protection Groups 217
About Protection Groups 218
About Bandwidth Alerts 223
Viewing the Status of Protection Groups 225
Adding, Editing, and Deleting Protection Groups 231
Assigning APS Devices to Protection Groups 237
Overriding a Protection Group’s Settings on a Managed APS 240
Section 13: Mitigating Attacks 243
About Attack Mitigation 244
Workflow for Routine System Monitoring 246
Indicators of Attacks and Mitigations 248
Mitigating an Attack by Raising the Protection Level 251
Changing the Protection Level 253
Identifying and Blocking an Attack 255
Section 14: Traffic Forensics 259
About the Blocked Hosts Log 260
Viewing the Blocked Hosts Log 262
Information on the Blocked Hosts Log Page 266
Viewing the ATLAS Threat Categories that Block Traffic 269
About Capturing Packets 274
Capturing Packet Information 275
Section 15: Managing Centralized Reports 277
About Centralized Reports 278
About the Centralized Executive Summary Report 279
Proprietary and Confidential Information of Arbor Networks, Inc. 5

Configuring On-Demand Centralized Reports 283

Viewing and Deleting Centralized Reports 286
Part IV: Network Management

Section 16: Viewing Network Activity on the Dashboard 291
Viewing a Dashboard of Network Activity 292
Viewing APS Traffic on the Dashboard 294
Viewing Active Alerts on the Dashboard 297
Section 17: Monitoring Alerts 301
About Alerts 302
Viewing a Summary of Alerts 304
Filtering the Alerts on the Alerts page 306
Section 18: Monitoring the Status of the Network and Devices 309
Viewing a Summary of System Activity 310
Viewing System Information on the Summary Page 311
Viewing Audit Trail Information on the Summary Page 313
Section 19: Monitoring System Changes in the Audit Trail 315
About the Audit Trail 316
Including Change Messages in the Audit Trail 318
Viewing the Audit Trail Log 319
Part V: APS Console Maintenance and Management

Section 20: Managing APS Console Files 323
About the Files Page 324
Managing the Files on APS Console and Managed APS Devices 326
Managing Diagnostics Packages 328
Section 21: Backing Up APS Console 329
About APS Console Backups 330
Running a Local Backup Manually 332
Appendixes
Appendix A: Notification Formats 337
Email Notification Examples 338
Syslog Notification Examples 339
Appendix B: Using FCAP Expressions 341
Available FCAP Expressions 342
FCAP Expression Reference 344
Logical Operators for Compound FCAP Expressions 349
FCAP Expressions that Indicate Direction 350
Examples of FCAP Expressions 351
Glossary 353
Index 363
End User License Agreement 371

Preface
This guide describes how to configure and use the NETSCOUT® Arbor APS Console to
manage Arbor APS, to protect critical service availability.
Audience
This guide is intended for the network security system administrators (or network
operators) who are responsible for configuring and managing APS Console on their
networks. These administrators should have a fundamental knowledge of their network
security policies and network configuration.
In this section
This section contains the following topics:
About the APS Console Documentation 8

Command Syntax 9
Contacting the Arbor Technical Assistance Center 10

About the APS Console Documentation

The instructions assume that you have completed the installation steps in the appropriate
Quick Start Card.
Related documentation
See the following guides for information about APS Console and its deployment:
Reference documentation
Document Contents
APS Console User Instructions and information for using the features in the APS
Guide Console user interface (UI).
APS Console Information about configuring advanced settings in APS Console,

Advanced particularly those that can only be configured in the command
Configuration line interface (CLI).
Guide
APS Console Quick Instructions and requirements for the installation and initial
Start Card configuration of APS Console.
APS Console Quick Instructions and requirements for the installation and initial
Start Card configuration of the APS Console.
APS Console Online Online help topics from the APS Console User Guide and APS
Help Console Advanced Configuration Guide . The Help is context-
sensitive to the APS Console UI page from which it is accessed.
APS Console Online The APS Console API doc is installed with APS Console. You can
API Documentation access it at the following link:
https://IP_address/api/aps-console/docs/v2/endpoints.html
IP_address = the IP address or hostname for your APS
Console
APS User Guide Instructions and information for using the APS user interface (UI).
It also contains instructions and information for configuring
advanced settings in APS, including those that can only be
configured using the command line interface (CLI).

Preface
Command Syntax
This guide uses typographic conventions to make the information in procedures,
commands, and expressions easier to recognize.
The following table shows the syntax of commands and expressions. Do not type the
brackets, braces, or vertical bar in commands or expressions.
Conventions for commands and expressions

Convention Description
Monospaced bold Information that you must type exactly as shown.
Monospaced A variable for which you must supply a value.

italics
{ } (braces) A set of choices for options or variables, one of which is required.

For example: {option1 | option2}.
[ ] (square brackets) A set of choices for options or variables, any of which is optional.
For example: [variable1 | variable2].
| (vertical bar) Separates the mutually exclusive options or variables.

Contacting the Arbor Technical Assistance Center

The Arbor Technical Assistance Center is your primary point of contact for all service and
technical assistance issues that involve Arbor products.
Contact methods
You can contact the Arbor Technical Assistance Center as follows:
n Phone US toll free — +1 877 272 6721
n Phone worldwide — +1 781 362 4301

n Support portal — https://support.arbornetworks.com
Submitting documentation comments

If you have comments about the documentation, you can forward them to the Arbor
Technical Assistance Center. Please include the following information:
n Title of the guide
n Document number (listed on the reverse side of the title page)

n Page number
Example
APSCON-UG-63-2019/08
APS Console User Guide
Page 9

Part I:
APS Console Overview

Section 1:
Introduction to APS Console
This section describes APS Console and how to use it to manage APS devices.
In this section
About Managing APS Devices from APS Console 14

About the APS Console User Interfaces 16

About Managing APS Devices from APS Console

Very large organizations may have multiple APS devices installed across data centers or
geographic areas. APS Console provides security administrators with a single console for
the central management of multiple APS devices.
APS Console features

APS Console can manage up to 50 APS devices, which allows you to monitor and respond
to attacks across your network from a single user interface.
Note
APS Console can support multiple versions of APS software simultaneously. For more
information about multi-version support, see the APS and APS Console Compatibility
Guide .
The ability to manage multiple APS devices from a single user interface allows you to more
effectively perform the following network management tasks:
n View the critical alerts and events in your network and outside your network that may
put your business at risk.
n Manage the security policies that protect your network from potential threats and
attacks.
n Centralize the server types, protection groups, outbound threat filter, blacklists, and
whitelists to provide consistent protection across your network and a streamlined
workflow.
n Quickly respond to attacks by adjusting the protections on multiple APS devices or an
individual APS, all from APS Console.
APS management tasks

APS Console allows you to perform the following tasks for managing the configuration
and daily operations on the APS devices that are under management:
n Centrally create, configure, and manage the server types, protection groups, outbound
threat filter, blacklists, and whitelists in APS Console. APS Console propagates the
configurations to each managed APS as appropriate.
n Share common protection groups and server types across multiple APS devices.
n View the traffic and statistics from each APS as well as an aggregate of the data from all
of the APS devices. For example, you can view an aggregated blocked host log.
n View active bandwidth alerts and system alerts for all of the APS devices.
n View and respond to the threats that are identified by the ATLAS threat policies.
n Respond to availability attacks by changing the protection level, blacklisting hosts, or
modifying the protection settings globally or per APS.
n Navigate to a specific APS to view more detailed information about its configuration or
traffic.
When you first connect APS to APS Console, the applicable configurations on APS Console
are copied to APS. Thereafter, any changes to the configurations on APS Console are
periodically copied to each APS as appropriate.
See “1About the APS Console - APS Data Synchronization” on page 78.

Section 1: Introduction to APS Console
Communication between APS Console and APS

To manage APS from APS Console, you connect the APS to APS Console. You do so on the
Configure General Settings page in APS. See “Configuring APS for APS Console
Management” on page 76.
After you connect an APS to APS Console, the systems communicate with each other as
follows:
n APS Console sends requests to APS for information such as alerts and traffic data.
n APS checks APS Console periodically for configuration changes and obtains the
changes that apply to the APS.
In APS Console, you can view the connection and synchronization status for a specific APS
in the System Information section on the Summary page. See “Viewing the APS
synchronization status” on page 78.
Single sign-on
You can navigate to an APS from several areas in the APS Console UI, which allows you to
examine specific data more closely. For example, from the Blocked Hosts Log page in APS
Console, you can navigate to the Blocked Hosts Log page in the APS that blocked a
particular host.
If your APS user account has the same username as your APS Console user account, the
APS opens without prompting you to log in. You can use a different password for each
account.
Important
To use single sign-on with an APS, the APS must have a valid reverse DNS lookup. If the
APS does not have a valid reverse DNS lookup, then APS Console links to the IP address
of the APS instead of its hostname. If this happens, an SSL certificate error will occur.

About the APS Console User Interfaces

You can view data and configure settings using the user interface (UI) and the command
line interface (CLI).
About the UI
On APS Console, you use the UI to configure system settings and view and analyze
network traffic on managed APS devices.
The APS Console UI uses the HTTPS protocol for secure sessions. The certificate is based
on Arbor’s Certificate Authority (CA); however, you can use your own certificate. See “Using
a Custom SSL Certificate for User Authentication” on page 47.
See “Logging in to and out of the APS Console UI” on page 19 and “Navigating the APS
Console UI” on page 22.
About the CLI

The command line interface (CLI) allows you to enter commands and navigate through
the directories on APS Console.
Typically, the CLI is used for installing and upgrading the software and completing the
initial configuration. However, some advanced functions can be configured only by using
the CLI.
See “Using the Command Line Interface (CLI)” in the APS Console User Guide .

Section 2:
Getting Started with APS Console
This section describes how to log in to and navigate the APS Console user interface (UI).
You use the UI to configure system settings, manage network security rules, and view and
analyze network traffic.
In this section
Before You Begin to Use APS Console 18

Logging in to and out of the APS Console UI 19
Editing Your User Account 20
Navigating the APS Console UI 22
Using Navigation Controls 24
About the Arbor Smart Bar 26
Saving and Emailing Pages from the UI 27
Viewing Graphs in the UI 28

Before You Begin to Use APS Console

Before you can access the APS Console UI, you must perform the tasks described in this
topic.
Initial requirements
You must complete all of the initial configuration procedures listed in the Quick Start
Cards for your appliances. Verify that you have done the following:
n connected and configured your APS Console
n connected and configured your APS devices
Supported web browsers

See the Release Notes for a list of supported browsers.
Logging in as a new user

If you are a new user, verify that your administrator has created an account for you with a
user name and initial password.
Important
Change this password for security purposes after you log in for the first time.
For information about changing your password, see “Editing Your User Account” on
page 20.

Section 2: Getting Started with APS Console
Logging in to and out of the APS Console UI

You use the UI to configure system settings, manage network security rules, and view and
analyze the network traffic.
Logging in as a new user

If you are a new user, verify that your administrator has created an account for you with a
user name and initial password.
Important
Change this password for security purposes after you log in for the first time.
For information about changing your password, see “Editing Your User Account” on the
next page.
Accepting the certificate

The APS Console UI uses the HTTPS protocol for secure sessions. The certificate is based
on Arbor Networks’ Certificate Authority (CA); however, you can use your own certificate.
The first time you access APS Console, you must accept the SSL certificate to complete the
secure connection. For more information, see your web browser’s instructions for
accepting certificates.
Logging in to the APS Console UI

Important
You must use a secure connection to access APS Console.
To log in to the APS Console UI:

1. Open your web browser.
2. Enter https://console_IP_address
console_IP_address = the IP address of your APS Console
3. If applicable, select the appropriate option for accepting the site’s certificate, and then
click OK .
4. In the Welcome window, type your user name and password.
5. Click Log in .
Logging out of the APS Console UI

To log out of the APS Console UI:
n In the upper-right corner of any page in the UI, click Logout .
Troubleshooting
If you cannot access the UI, verify that you are logged in to your computer with a local
administrator account. Then try to log in to APS Console again.

Editing Your User Account

You can edit the information in your APS Console user account. Typically, you edit your
account to change your password.
If you are not an administrative user, you can only view and edit your own account. An
administrative user can edit any account.
When you create or edit the accounts of other users, the entry screen is somewhat
different. See “Configuring User Accounts” on page 39.
When to change your password

For security purposes, you should change your password in the following situations:
n after you log in to APS Console for the first time
n at intervals that your system administrator recommends
n whenever you think that someone else might have gained access to your password
Passwords must meet certain criteria. See “Criteria for secure and acceptable passwords”
on page 36.
Editing your account

To edit your user account:
1. Select Administration > User Accounts.
2. If you are an administrator, click your user name link to display the Edit Existing
Account window.
If you are a non-administrative user, your own account appears on the Edit Existing
Account page.
3. Edit your account settings.
See “User account settings” below.
4. When you finish editing, click Save.
5. If the Audit Trail window appears, type a message for the audit trail or accept your
default message, if any.
User account settings

Settings for editing user accounts
Setting Description
Username box Displays the user name that was originally assigned. You cannot
edit the user name.
Real Name box Type your full name.

Settings for editing user accounts (continued)

Setting Description
Email box Type your email address as a fully qualified domain name. For
example, user@example.com.
If the administrator who created your user account entered your
email address, APS Console created a notification for that email
address. If you change or delete your email address, be sure to
edit or delete any related notifications on the Configure
Notifications page (Administration > Notifications). See
“Configuring Notifications” on page 68.
Password box Type a password, and then re-type it to confirm it.

Confirm box

Navigating the APS Console UI

You can navigate through the APS Console UI menus and pages using the following
controls:
n UI menu bar
n Arbor Smart Bar — See “About the Arbor Smart Bar” on page 26.
About the UI menu bar

The UI menu bar indicates which menu is active and allows you to navigate to the UI
menus and pages. The menus that are available depend on the user group to which you
are assigned.
Navigation menu bar in APS Console

The menu bar is divided into the following menus:
Navigation menus
Menu Description
Dashboard View an overview of the security status of your network.
Summary View a summary of the status for APS Console.
Explore Use the options on the menus as follows:

n View the ATLAS threat categories that block inbound traffic and
outbound traffic on all of the APS devices that APS Console
manages.
n View information about the traffic that is blocked by the
managed APS devices.
n View APS Console system alerts.
Protect Assign APS devices to protection groups and add hosts to the
inbound and outbound blacklists and whitelists.
Reports Configure and manage centralized reports.
Administration View and change the APS Console system settings.
About submenus
You can hover your mouse pointer over a menu item to view submenus for that item.
Using Help
When you click the Help button on any UI page, a window appears that contains
information about the page that you are viewing.
In the Help window, you can do any of the following tasks:

n Read about the functions that are available on the current APS Console page.
n Scroll through the table of contents for the User Guide and Advanced Configuration
Guide .
n Search for topics in the User Guide and Advanced Configuration Guide .

Finding licensing and copyright information

The APS Console About window displays information about the installed software and
hardware, including the version number, build numbers, and the Arbor Software License
Agreement.
To view licensing and copyright information:

1. In the lower-right corner of any page in the UI, click the copyright notice link.
2. In the About window, you can view the following license information:
l Information about the installed software and hardware
l Arbor License — Use the scrollbar to view the entire license.
l Associated licenses — Click the copyright notice and the associated licensing link.
l GPL-based software licenses — Click the support@arbornetworks.com link to
email a request for copies of additional licenses that are based on the General
Public License (GPL).
About the error page

The system displays an error page when unexpected errors or internal errors occur. This
page includes a link that you can click to send a report to the Arbor Technical Assistance
Center. If you click this link and you do not have an SMTP server configured, then the
system displays an error message advising you to configure the SMTP server. Click the link
that appears in the error message to navigate to the Configure General Settings page,
where you can configure the server.

Using Navigation Controls

The APS Console navigation controls help you access traffic and policy data.
Navigating paged tables

Data is often displayed in tables that continue on multiple pages. In these cases, APS
Console displays the page number of the current page, in relation to the number of pages
that exist (for example, 1/3). It displays the current page number as a text box. You can
type a different page number in the text box to navigate directly to that page.
Paging icons
The system also displays the following paging icons that allow you to move forward and
backward through the pages:
Paging icons
Description Function
> Navigates to the next page.
>> Navigates to the last page.
< Navigates to the previous page.
<< Navigates to the first page.
Refreshing pages
You can click (refresh) on the Arbor Smart Bar to manually update the page with the
most current data.
To configure APS Console to automatically refresh pages throughout the UI:

1. Click Summary in the navigation menu.
2. Click (Turn On Auto-Refresh ) on the Arbor Smart Bar.
For more information, see “About the Arbor Smart Bar” on page 26 .
Selecting all
Some tables include check boxes that you can use to select specific rows. These tables also
include a Select All check box next to the column header. When you select this check box
and then click an action button, the system selects all of the rows on the current page of
the table and acts upon them simultaneously.
Sorting information in tables

In some of the tables in the UI, you can sort by certain columns. If a column can be sorted,
its column heading appears as a link. An up arrow or down arrow next to the column
header indicates how the column is sorted.
The columns that contain alphabetical data are initially sorted in alphabetical order. Click
an alphabetical column header to re-sort the table by that column in reverse order (Z-A).

The alphabetical sort is case-sensitive. For example, in an alphabetical sort, Atlas would
appear before arbor.
The columns that contain numerical data are initially sorted in ascending order. Click a
numerical column header to re-sort the table by that column in descending order.
Navigation icons
The following table shows the navigation icons and how you use them:
Navigation icons
Icon Function
Expand table rows or choose reporting components.
Collapse table rows or remove reporting components.
Toggle timeframe entry format.
Toggle search entry format.
Refresh items.
Perform an ascending sort. When this icon appears, the column is sorted in
descending order. Click the icon to sort in ascending order.
Perform a descending sort. When this icon appears, the column is sorted in
ascending order. Click the icon to sort in descending order.
or Display a context menu, which provides options that are relevant to the
context (or page) in which the menu appears. These options link to other
pages in the UI.

About the Arbor Smart Bar

The Arbor Smart Bar is located in the upper-right corner of each page. It contains icons
that allow you to perform common functions. For example, you can email the page as a
PDF file.
If a function is not applicable to a page, its icon does not appear.
If the icons are available when a detail window is open, then their actions apply to the
detail window only. For example, if a detail window is open and you save as a PDF file, the
resulting file contains only the information in the detail window.
Functions
You can perform the following functions on the Arbor Smart Bar:
Functions on the Arbor Smart Bar

Function Icon Description
Create a PDF Click to create a PDF of a page and save it to your local
machine.
Email This Page Click to email a page and an optional message to

recipients.
Print This Page Click to open your browser’s print window and print a
page.
Refresh This Page Click to refresh the data on a page.

Saving and Emailing Pages from the UI

The Arbor Smart Bar is located in the upper-right corner of each page in the UI. It contains
icons that allow you to save pages as PDF files and to email pages.
If the icons are available when a detail window is open, then their actions apply to the
contents of the detail window only. For example, if a detail window is open and you save
as a PDF file, only the contents of the detail window are included in the PDF file.
Note
Before you can send email from APS Console, you must configure an SMTP Server and a
Default URL Hostname . See “Configuring General Settings” on page 32.
Saving a page as a PDF file

To save a UI page as a PDF file:
1. Navigate to the page that you want to save.
2. In the Arbor Smart Bar, click (Create a PDF).
3. Open or save the file according to your browser options.
Emailing a page as a PDF file

When you send an email message that contains a PDF of a UI page, the subject line
contains “APS Console:” followed by the name of the page. The “from” address uses the
Default URL Hostname. For example, if the hostname is 123.example.com, then the
“from” address is root@123.example.com.
To email a UI page as a PDF file:

1. Navigate to the page that you want to email.
2. In the Arbor Smart Bar, click (Email this page).
3. In the Email Page window, type the following information:
Setting Description
Email to box Type the recipient’s email address.
Comment box Type a message to include in the body of the email.
4. Click Send Email.

Viewing Graphs in the UI

APS Console uses graphs to represent your organization’s traffic in real time.
By default, the graphs display traffic statistics for each minute of the last hour. This level of
visibility allows you to inspect the traffic on a much deeper scale. On some pages, you can
change the timeframe and unit of measure in which the graphs are displayed.
About stacked graphs

Stacked graphs allow you to see specific types of graph data more clearly. Each data type
in a stacked graph has its own color-coded segment. The height of the stack segment
represents that segment’s data as a percentage of the total data.
Examples of the pages that contain stacked graphs are the Dashboard page and the View
Protection Group page.
About minigraphs
Changing the display timeframe
On certain pages in the UI, you can change the timeframe for which the traffic data is
displayed. The timeframe can represent a specific time increment or a time range.
Examples of the pages that contain the timeframe display are the View Protection Group
page and the Dashboard page.
To change the display timeframe to a specific increment:

n In the time selector on the page, select one of the following options:
l Past 5m — the last five minutes
l Past Hour — the last hour
l Past Day — the last 24 hours
l Past Week — the last week
To change the display timeframe to a time range:
1. In the time selector on the page, select From.
2. In the Start box, select the starting date and time from the calendar or click Now to
select the current date and time.
3. In the End box, select the ending date and time from the calendar or click Now to
select the current date and time.
4. Click Done.
The display change might take a few seconds.
Changing the display unit of measure

On certain pages in the UI, you can display the traffic data in terms of bytes or packets.
To change the display unit of measure:

n To the far right of the time selector on the page, click Bytes or Packets.
Note
The bits per second (bps) values that APS displays for traffic statistics are based on the
layer 3 packet size.

Part II:
APS Console Configuration

Section 3:
Configuring APS Console
This section describes how to set up the basic components of APS Console.
In this section
Configuring General Settings 32

About SNMP Polling 34
About User Accounts 36
About User Groups 38
Configuring User Accounts 39
Configuring the Audit Trail Settings 41
Configuring System Alerts 42
Configuring Remote Backup Settings 44
Using a Custom SSL Certificate for User Authentication 47
Adding a Custom Logo to the UI 49

Configuring General Settings

The general settings define the servers that APS Console interacts with as well as other
system preferences, such as the system date format.
Configuring General Settings

To configure the general settings:
1. Select Administration > General.
2. On the Configure General Settings page, configure the settings. See “General Settings”
below.
3. Click Save.
General Settings
Details about General Settings
Setting Description
DNS box Type the IP addresses of your DNS servers, to map IP addresses
to hostnames in APS Console. Type multiple servers as a
comma-separated list of IP addresses.
APS Console tries to connect to the first IP address in the list as
the primary name server. If that address fails, then APS Console
tries the subsequent addresses in the list as backup name
servers.
SMTP Server box Type the IP address or domain name for the SMTP server that
APS Console uses to send email notifications. You can specify
one SMTP server.
SNMP Agent Type the community string (password) to authenticate the

Community box external sources that poll APS Console through SNMP.
The maximum length of this string is 32 characters. You can use
any characters except the following:
n quotation mark (")
n apostrophe (‘)
n backslash (\)
n pipe (|)
n tab
See “About SNMP Polling” on page 34.

Section 3: Configuring APS Console
Details about General Settings (continued)

Setting Description
Default URL Type a hostname or a fully qualified domain name that appears
Hostname box as a link in the notification and emails that originate from APS
Console. For example, console.example.com. APS Console also
uses this URL as the “from” address when you send an email
message that contains a PDF of a UI page.
Date Format list Select the format in which to display dates throughout the
system:
n mm/dd/yy (month/day/year)
n dd/mm/yy (day/month/year)
n yy/mm/dd (year/month/day)

About SNMP Polling

APS Console supports polling by third-party SNMP monitoring systems, which allows you
to fit your APS Console workflow into existing network monitoring tools. These monitoring
tools can poll APS Console for management information such as the system status and
configurations.
The SNMP agent runs only when the APS Console services run. When you stop the
services, SNMP is not available.
Configuring APS Console for SNMP polling

APS Console supports SNMPv1 and SNMPv2c for remote SNMP polling. To enable SNMP
polling, configure the following settings:
Process for configuring SNMP

Step Action Details
1 Set a community string to In the UI, on the Configure General Settings page,
authenticate the external type a string in the SNMP Agent Community box.
sources that poll APS See “About the SNMP Agent Community string” on
Console. the facing page.
2 Create an IP access rule To create an IP access rule:

to allow SNMP access to 1. Log in to the CLI with your administrator user
APS Console. name and password.
2. To create an IP access rule to allow SNMP
access, enter / ip access add snmp {mgt0 |
mgt1 | all} CIDR
{mgt0 | mgt1 | all} = the name of the
management interface on which to apply a
service exclusively, or to apply the rule to all
of the interfaces
CIDR = the address range from which you
want to allow communications to a service
3. Type ip access commit, and then press
ENTER.
4. To save the configuration, enter config write
About the SNMP traps that APS Console sends

APS Console can send notifications to a network management system as SNMP traps. See
“About Notifications” on page 66.
SNMP MIB files can help you decode the SNMP traps that APS Console sends for
notifications. The MIB files can also help you understand the OIDs (object identifiers) that
can be queried on APS Console. You can download and view the MIB files from the Files
page (Administration > Files). See “Managing the Files on APS Console and Managed
APS Devices” on page 326.

About the SNMP Agent Community string

External sources can poll APS Console through SNMP for the following system status and
configuration information:
n Disk Space Free/Used
n APS Console configuration
If you want to limit the external sources that can use SNMP to poll APS Console. configure
a unique SNMP Agent Community string. This string is used to authenticate external
sources. See “Configuring General Settings” on page 32.

About User Accounts

Each person who uses APS Console requires a unique user account that contains their
login information and determines the levels of system access that they are allowed.
About configuring user accounts

You configure the user account settings on the Configure User Accounts page
(Administration > User Accounts). See “Configuring User Accounts” on page 39.
For information about editing your own user account, see “Editing Your User Account” on
page 20.
About access to user accounts

Administrators can view all of the user accounts, edit and delete accounts, and create new
accounts. Non-administrators can view and edit their own user accounts only. For
example, they can reset their passwords or update their email addresses.
For information about the different levels of system access, see “Editing Your User
Account” on page 20.
Criteria for secure and acceptable passwords

A user’s account contains a password, which allows the user to access APS Console.
Passwords must meet the following criteria:

n must be between 7 and 72 characters long
Administrators can configure a different minimum length and maximum length for
passwords.
n can include special characters, spaces, and quotation marks
n cannot be all digits
n cannot be all lowercase letters or all uppercase letters
n cannot be only letters followed by only digits (for example, abcd123)
n cannot be only digits followed by only letters (for example, 123abcd)
n cannot consist of alternating letter-digit combinations (for example, 1a3A4c1 or
a2B4c1d)
See “Configuring the Password Length Requirements” in the APS Console Advanced
Configuration Guide .
Information on the Configure User Accounts page

For administrative users, the Configure User Accounts page displays the following
information for each user:
User account details

Information Description
Username Displays the user name as a link to the Edit Existing Account
window.
Real Name Displays the user’s real name.

User account details (continued)

Group Displays the user group to which the user belongs.
Email Displays the user’s email address.
Location Displays the IP address from which the user last connected to APS
Console.
Time Displays the last time the user logged in to APS Console.
Failures Indicates the number of times that the user tried to log in but was
unsuccessful. This number is cleared when the user successfully
logs in to the system.
Selection check Allows you to select the user account for deletion.
box

About User Groups

User groups allow you to organize APS Console users by the different levels of system
access that they are allowed. When you create a user account, you assign it to a group. The
owner of that account inherits the access levels that are assigned to that group. APS
Console contains several predefined user groups and allows you to create additional
custom user groups.
You can assign users to user groups on the User Accounts page in the user interface (UI),
or in the command line interface (CLI). See “Adding Users to User Groups” in the APS
Console Advanced Configuration Guide .
About the predefined user groups

APS Console contains the following predefined user groups:
Predefined user groups

User Privileges
system_admin The users in this group have full read and write access to all pages
of the UI and can run all of the CLI commands.
system_user The users in this group have read-only access to most of the UI
pages and can edit and update their own user account settings.
They can log in to the CLI and run limited CLI commands. For
example, they can view the current system configuration.
system_none The users in this group have no access to APS Console.

When your organization uses RADIUS or TACACS+ authentication, it
is possible for all users who have an account on the authentication
server to access APS Console. Use this group as the default to lock
out the unwanted users, and then assign other groups to the users
who need to access APS Console.
See “Changing the Default User Group for RADIUS and TACACS+” in
the APS Console Advanced Configuration Guide .
About custom user groups

For additional flexibility in assigning user permissions, administrators can define custom
user groups in the CLI. These custom user groups appear as options on the User Accounts
page in the UI. See “Adding and Deleting User Groups” in the APS Console Advanced

Configuring User Accounts

The user account settings identify the people who use APS Console. These settings define
the users’ login information and determine the levels of system access that the users are
allowed.
You add, edit, and delete the user accounts on the Configure User Accounts
(Administration > User Accounts) page.
See “About User Accounts” on page 36.
Adding and editing user accounts

Important
After you add new users, advise them to change their passwords to maintain security.
See “Criteria for secure and acceptable passwords” on page 36.
To add or edit user accounts:
2. On the Configure User Accounts page, complete one of the following steps:
l To add a new user, click Add Account .
l To edit an existing user account, click the user’s name link.
If you are a non-administrative user, your own account page appears by default.
3. In the Add New Account window or Edit Existing Account window, configure the
settings.
See “User account settings” below.
4. Click Save.
User account settings

Settings for configuring user accounts
Setting Description
Username box Type a unique name for this user.

The user name must meet the following criteria:
n must contain 1 to 32 characters
n can contain any combination of letters (A-Z, a-z), numbers, or
both
n cannot begin with a hyphen or underscore but can include
them
n cannot include a period (.)
You cannot edit the user name after the user account is created.
If you make a mistake in the user name, delete the account and
re-create it.
Real Name box Type the user’s full name.

Settings for configuring user accounts (continued)

Setting Description
Group list Select the user group to assign to this user. The user group
determines the user’s level of system access.
This list does not appear for non-administrative users. You
cannot change the group for the default “admin” user.
See “About User Groups” on page 38.
Email box Type the user’s email address as a fully qualified domain name.
For example, user@example.com.
When you enter an email address for a user account, APS
Console creates a notification for that email address. If you
change or delete a user’s email address, be sure to edit or delete
any related notification on the Configure Notifications page
(Administration > Notifications). See “Configuring
Notifications” on page 68.
Password box Type a password, and then re-type it to confirm it.

Confirm box
Deleting user accounts

You cannot delete your own user account. Your security level determines whether you can
delete the accounts of other users.
To delete a user account:

2. On the Configure User Accounts page, complete one of the following steps:
l To delete individual user accounts, select the check boxes that correspond to the
user accounts that you want to delete.
l To delete all of the user accounts on the current page, select the Select All check
box in the table heading row.
3. Click Delete.
4. In the confirmation message that appears, click OK .

Configuring the Audit Trail Settings

When you make a change in the APS Console UI, the Audit Trail window appears and
prompts you to describe the change. By default, the Audit Trail window appears for all
changes and does not include a default change message. On the Audit Trail page, you can
specify a default change message and enable or disable the Audit Trail window for certain
changes or all changes.
The Audit Trail page also allows you to view the audit trail log. See “Viewing the Audit Trail
Log” on page 319.
For general information about the audit trail, see “About the Audit Trail” on page 316 .
Changing the Audit Trail default settings

To change the default settings for the audit trail:
1. Select Administration > Audit Trail.
2. On the Audit Trail page, select the Audit Settings tab.
3. (Optional) In the Change Message box, type a default change message that appears
in the Audit Trail window whenever a user makes a change.
When the Audit Trail window appears to users, they can accept this default message,
add to it, or override it by typing new text.
4. In the list of settings, choose one of the following options:
Option Steps
Enable or disable the For the Globally enable or disable the audit trail
Audit Trail window for dialogs setting, select Enable or Disable.
all changes.
Enable or disable the For each setting, select Show or Don’t Show.
Audit Trail window for
individual changes.
5. Click Save.
Disabling the Audit Trail window

If you disable the Audit Trail window for a specific change, then the window does not
appear when users make that type of change. The system still logs the changes but it does
not include any change messages.
Additional audit trail configuration

In the command line interface (CLI), you can configure a syslog destination, to which you
can export audit trail entries.
See “Configuring the Syslog Destination for the Audit Trail” in the APS Console Advanced

Configuring System Alerts

APS Console monitors certain system events and creates alerts when those events occur.
APS Console events are predefined and you cannot add or delete them. However, you can
enable or disable them, change their severity levels, and configure their notification
settings. You edit the alert settings for system events on the Configure System Alerts page
(Administration > System Alerts).
Note
The alert settings that you configure apply to future alerts only. They do not apply to
alerts that APS Console has already generated.
Types of system events

APS Console monitors the following system events:
Types of system events

System event Trigger
APS A managed APS reaches the capacity of its blacklist or whitelist.
Blacklist/Whitelist See “About the Capacity of the Blacklists and Whitelists” on
Table Full page 172.
APS Up/Down An APS device changes state.
Misc. System APS Console detects health-related system behaviors. These

events may represent normal behaviors or abnormal behaviors;
for example, an APS device synchronization or an SMTP failure
on APS Console.
Before you configure alerting for system events

If you want to send notifications when these system events occur, then you first must
configure at least one notification. A notification defines the users and the systems to
notify when these system alerts occur.
For example, if you want to send notifications as syslog messages to an external system,
then configure a syslog notification. When you configure the alert settings, you select the
syslog notification as its destination.
See “Configuring Notifications” on page 68.
Configuring system alerts

To configure system alerts:
1. Select Administration > System Alerts from the menu.
2. On the Configure System Alerts page, select the event to configure in one of the
following ways:
l Click the Edit button for the alert.
l Click the name of the alert.
3. In the Configure window, configure the following settings:

Setting Description
Notification Select Yes to enable notifications for this alert. Select No to
Enabled options disable the notifications.
By default, notifications are disabled for all of the system
alerts.
Note
The notifications for APS Up/Down events may be delayed
by up to five minutes. This delay occurs because APS
Console waits to make sure that an APS device is down and
not experiencing a temporary connection issue.
If you do not enable notifications, you do not have to configure the remaining
settings.
Severity level Select the severity level to assign to this system alert, where 1
is the least severe and 10 is the most severe.
See “About alert severity levels” on page 302.
Notification This section displays all of the notification destinations that

Destinations list are defined in APS Console. To indicate which destinations
should be notified when this alert occurs, select the check
boxes for one or more of the destinations.
If there are no notification destinations, you need to define
at least one notification. See “Configuring Notifications” on
page 68.
4. Click Save.

Configuring Remote Backup Settings

You can manage remote backups for APS Console configuration settings and data on the
Backup Settings page.
Note
You also can run local backups. See “Running a Local Backup Manually” on page 332.
Types of backups
APS Console supports the following types of backups:
n remote backups that you run on a recurring backup schedule or that you run manually
n local backups that run automatically every night at midnight or that you run manually
For more information about these types of backups, see “About APS Console Backups”
on page 330 .
About restoring backup data

To restore APS Console from a backup, you must use the command line interface (CLI).
See “Restoring APS Console from a Backup” in the APS Console Advanced Configuration
Guide .
Specifying a remote backup schedule

To specify a remote backup schedule:
1. Select Administration > Backup.
2. On left side of the Backup Settings page, select APS Console Configuration and
Data. The amount of disk space that the data requires appears in parentheses.
3. Configure the remote backup settings. See “Remote backup settings” on the facing
page.
4. Click one of the following buttons:
l Test Connection — To test the connection settings for the copy method without
saving the settings. See “Testing the connection to the backup server” on page 46.
l Save and Run — To test the connection, save the settings, and then begin the
backup.
l Save — To save the connection settings without testing them or beginning the
backup.
Running a remote backup manually

To run a remote backup manually:
2. On left side of the Backup Settings page, select APS Console Configuration and
Data. The amount of disk space that the data requires appears in parentheses.
3. Configure the appropriate remote backup settings. See “Remote backup settings” on
the facing page.
4. Click Save and Run .

Remote backup settings

You configure the settings for a remote backup as follows:
Settings for scheduling a recurring remote backup

Setting Description
Schedule remote Select the backup frequency (Daily or Weekly), and then
backups to occur select the time of day at which the backup should begin.
section
Copy via options Select the way in which the backup is copied: SCP (Secure
Copy Protocol using SSH) or SMB (Server Message Block).
Host box Type the hostname or IP address of the server on which to

store the backups.
Port box Type the port on the backup server to which APS Console
connects. For SCP backups, the default port is 22. For SMB
backups, the default port is 139.
Share box For an SMB backup, type the file share for the file system
share.
Directory box Type the path to the target directory on the backup server.
The following guidelines apply:
n Use an absolute path for SCP. The path must start with a
forward slash (/) and may contain underscores (_) and
alphabetic and numeric characters.
n Use a relative path for SMB.
n Use a forward slash (/) as a directory separator.
Username box Type the user name with which to authenticate on the
backup server.
Authentication list For an SCP backup, select the authentication method:

Password or DSA Key.
Password box If you select Password authentication, type the password

Confirm box and then re-type the password to confirm it.
Generate Key button If you select DSA Key authentication and a key has not been
Download Public Key generated, click Generate Key to generate a DSA key.
button If a DSA key has been generated, click Download Public
Key to download a copy of the key.

Testing the connection to the backup server

When you test the connection to the backup server, APS Console tries to copy a file to the
location that you configured on the backup server. Then APS Console tries to remove the
file from the backup server. When the test is finished, a message reports the results.
To test the connection to the backup server:

2. On the Backup Settings page, click Test Connection .

Using a Custom SSL Certificate for User Authentication

APS Console uses a default SSL certificate when users log in to the UI. However, on the
Manage Files page (Administration > Files), you can upload a custom certificate, which
can prevent browser error messages and help you comply with company security policies.
You also can upload the CA certificate that is used to sign the custom SSL certificate.
See “About the Files Page” on page 324.
About certificate authority (CA) files

When you upload a custom SSL certificate, you must also upload a certificate authority
(CA) file. CA files legitimize your SSL certificates. A CA file can sign multiple certificates and is
necessary to validate a certificate.
Custom SSL certificate requirements

If you want to use a custom SSL certificate to connect to the UI, the certificate files must
meet the following requirements:
n The SSL file and CA file must be PEM-encoded (Privacy Enhanced Mail).
n The SSL file must contain the certificate and the key that was used to create the
certificate.
n The SSL file and CA file cannot be password protected.
Uploading a custom SSL certificate

To upload a custom SSL certificate:
1. Select Administration > Files.
2. On the Manage Files page, under SSL Certificate , click Upload SSL Cert.
3. In the Upload Certificate window, follow these steps:
a. Click Browse to locate a custom SSL certificate file.
b. Click Browse to locate the custom CA certificate file.
c. Click Upload.
4. In the confirmation window, click OK .
Note
Most browsers display an error message, which results from the change in the SSL
certificate mid-session.
6. Log out of APS Console, close your browser, and then restart your browser.
Using the APS Console default SSL certificate

This option is available only if someone previously uploaded a custom SSL certificate.
To revert to the APS Console default SSL certificate:

2. On the Manage Files page, under SSL Certificate , click Use Default.

5. Log out of APS Console, close your browser, and then restart your browser.

Adding a Custom Logo to the UI

You can customize the appearance of the APS Console UI by replacing the default APS
Console logo with your custom logo. To do so, you upload the logo file on the Files page.
When you upload a custom logo, it appears in the UI.
The custom logo image must be a GIF file that is smaller than 500 kB.
Note
For information about the other uses for the Files page, see “About the Files Page” on
page 324 .
Uploading a custom logo

To upload a custom logo:
2. On the Manage Files page, in the Logo section, click Use Custom.
3. In the Upload Logo window, click Browse to locate and select the logo file.
4. Click Upload.
6. If the custom logo does not appear on the page, then refresh your browser.
To change to a different custom logo, you first must revert to the default logo, and then
perform these steps again.
Reverting to the default logo

This option is available only if someone previously uploaded a custom logo.
To revert to the default logo:

2. On the Manage Files page, in the Logo section, click Use Default.
4. If the default logo does not appear on the page, refresh your browser.


Section 4:
Managing the ATLAS Intelligence Feed
This section describes how to use the ATLAS Intelligence Feed (AIF) to detect and stop
emerging botnet and application-layer attacks.
In this section
About the ATLAS Intelligence Feed 52

About the ATLAS Threat Policies 54
About the ATLAS Confidence Index 56
About Web Crawler Support 59
Configuring the ATLAS Intelligence Feed 60
Viewing the Status of ATLAS Intelligence Feed Updates 62
Viewing the AIF Traffic Statistics for a Protection Group 63

About the ATLAS Intelligence Feed

APS Console and APS can leverage our global threat intelligence to protect your network
against the latest threats by using the ATLAS Intelligence Feed (AIF).
The AIF is a global service of the Arbor Security Engineering and Response Team (ASERT).
The ASERT security researchers discover and analyze emerging threats and develop
targeted defenses, based on the data from Arbor’s Active Threat Level Analysis System
(ATLAS). For more information about ASERT and ATLAS, visit
https://www.netscout.com/global-threat-intelligence.
The AIF profiles emerging threats to facilitate the detection and mitigation of DDoS attacks,
malware, and other security hazards to help ensure service availability and data integrity.
About the AIF updates

Arbor frequently updates the feed to account for rapidly changing attacker behavior and
to provide more effective and accurate threat detection. The updates occur without
requiring any software upgrades, system downtime, or restarts.
When automatic AIF updates are enabled, APS Console uses HTTPS to download the latest
AIF information at regular intervals.
By default, the AIF updates run automatically every 24 hours. You can change the
frequency of the updates and you can force an update at any time.
See “Configuring the ATLAS Intelligence Feed” on page 60.
About the AIF components

The AIF consists of the following components, each of which APS downloads separately:
Components of the ATLAS Intelligence Feed

Component Feed name Description
Threat policies reputation_feed Collections of the rules and actions that
define threats. The threat policies are
organized into threat categories by type,
such as malware, command and control
botnets, location-based threats, and
targeted attacks. In APS, you can enable
threat blocking and view traffic statistics by
threat category.
See “About the ATLAS Threat Policies” on
page 54.
AIF botnet attack_rules HTTP header signatures that identify known

signatures botnets by their traffic patterns.

Section 4: Managing the ATLAS Intelligence Feed
Components of the ATLAS Intelligence Feed (continued)

Component Feed name Description
IP location data geoip_countries A list of country codes, IP addresses, and
regions, which are used to map specific IP
addresses to a country or region.
APS uses this information to identify the
geographic locations of the traffic sources.
APS also allows you to block the traffic that
originates from a specific location. When
you use APS Console to manage multiple
APS devices, APS Console uses the location
data in the same ways.
See “Viewing the Top IP Locations for a
Protection Group” on page 210.
n AIF Botnet Signatures

n Command and Control threat category
n DDoS Reputation threat category
n Email Threats threat category
n IP location data
n Location-based Threats threat category
n Malware threat category
n Mobile threat category
n Targeted Attacks threat category
Important
These components are subject to change as ASERT updates the feed.
Where to configure the AIF settings

Use the Configure AIF Settings page (Administration > ATLAS Intelligence Feed) to
configure the AIF settings. For example, you can configure a proxy server, change the
update interval, or disable the automatic updates. See “Configuring the ATLAS Intelligence
Feed” on page 60.
You configure the other AIF-related settings in the ATLAS Intelligence Feed section on the
following pages:
n Configure Server Type page (Protect > Inbound Protection > Server Type
Configuration ), for inbound traffic
n Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat
Filter), for outbound traffic
See “ATLAS Intelligence Feed Settings” on page 120.

About the ATLAS Threat Policies

One of the components of the ATLAS Intelligence Feed (AIF) is the threat information,
which consists of the policies that identify threats by their traffic patterns. APS uses this
information to protect your network against the latest threats by blocking any traffic that
matches the policies.
You enable the APS threat protection when you configure the server types or the
outbound threat filter (OTF). See “ATLAS Intelligence Feed Settings” on page 120.
For general information about AIF, see “About the ATLAS Intelligence Feed” on page 52 .
About the ATLAS threat policies

A threat policy is a collection of the rules and actions that the Arbor Security Engineering
and Response Team (ASERT) develops to define a given threat. A rule can consist of one or
more IP addresses, HTTP regular expressions, or DNS names.
ASERT organizes related threat policies into threat categories. Each threat category is
further subdivided into threat subcategories, which are limited collections of related threat
policies. For example, the Malware threat category might contain subcategories such as
RAT (remote access Trojan), Fake Antivirus, and other malware threats. Each of these
subcategories consists of the policies that define the specific threats.
The AIF is updated frequently as the ASERT researchers identify new threats. Although the
threat categories remain relatively static, they are subject to change.
In APS, you can enable threat blocking and view traffic statistics by threat category. When
you do so, you can also configure custom confidence values for specific threat categories.
The confidence value is a relative value on the ATLAS confidence index, which represents
ASERT’s confidence that the rules in a threat policy will identify malicious traffic. APS uses
the confidence value to determine whether to apply the corresponding rule to block
traffic.
About matching domain policies

The ATLAS threat categories contain threat policies that define domains that host threats.
When APS matches a domain threat policy, it does not block all of the traffic to the DNS
server and it does not block the host.
For outbound traffic, APS blocks the DNS request for a fully qualified domain name that is
known to be bad. For inbound traffic, APS blocks the response from the DNS server for a
fully qualified domain name that is known to be bad.
For example, an infected internal asset sends a request to a DNS host (192.0.2.1) to resolve
the IP address of a fully qualified domain name that is known to be bad. If the AIF threat
categories are enabled for inbound traffic only and the request matches a domain threat
policy, APS blocks the response from the DNS host.
APS only sees the request to the DNS server, not the resolution of the IP address for the
fully qualified domain name. Consequently, APS reports the DNS server as a blocked host
on the Blocked Hosts Log page. For the example above, 192.0.2.1 appears in the
Destination column on the Blocked Hosts Log page.
If the AIF threat categories are enabled for the outbound threat filter and the DNS request
matches a domain threat policy, APS blocks the request.

Note
For APS to block outbound DNS requests, you must enable the outbound threat filter
and the AIF threat categories for the outbound threat filter. See “Configuring the
Outbound Threat Filter” on page 115.
You can use a packet capture to determine the hostname that is being requested and
blocked. See “Investigate why a DNS server appears to be blocked” on page 263.
A DNS server can be blocked for some other reason, for example, if it is blacklisted or it
matches a DNS regular expression. In such cases, APS blocks all of the traffic to the DNS
server.

About the ATLAS Confidence Index

The ATLAS confidence index is a numeric scale from 1 to 100, which represents our
confidence that the rules in a threat policy will identify malicious traffic. ATLAS assigns a
relative numeric value, or confidence value, to every rule in a threat policy for each
protection level. As APS inspects traffic, it applies the rules whose confidence values match
or exceed the confidence value for the active protection level.
Configuring confidence values

In the ATLAS Intelligence Feed protection settings, the ATLAS confidence values become
the default confidence values for the threat categories. You can accept the default
confidence values or configure custom confidence values. You configure these settings
when you configure the server types or the outbound threat filter. See “ATLAS Intelligence
Feed Settings” on page 120.
For general information about AIF and the threat policies, see “About the ATLAS
Intelligence Feed” on page 52 and “About the ATLAS Threat Policies” on page 54.
How the ATLAS confidence index affects traffic

In general, a high confidence value indicates that there is more evidence to support the
classification of the traffic that matches the rule as malicious. A lower confidence value can
indicate that there is less supporting evidence for classifying the traffic as malicious.
Alternatively, a lower confidence value can represent the aging and associated reduction
of a formerly high confidence value.
APS applies the threat rules based on the ATLAS confidence values, the configured
confidence values for the associated threat categories, and the active protection level, as
follows:
n When the ATLAS confidence value is less than the threat category’s confidence value for
the active protection level, then APS passes the traffic.
n When the ATLAS confidence value is greater than or equal to the threat category’s
confidence value for the active protection level, then APS blocks the traffic.
At the higher protection levels, APS blocks more traffic; however, the lower confidence
values might cause some clean traffic to be blocked.
See “Example: How APS applies the threat rules” on the facing page.
How the ATLAS confidence values can change over time

The confidence values for rules are relative values that change over time, based on several
factors. An example of a factor that affects the adjustment of the confidence value is
whether ATLAS continues to observe the threat behavior that a rule defines. For example,
when ATLAS observes a threat from a particular IP address, it creates a rule for that threat
and IP address, and assigns a confidence value of 100. If ATLAS continues to observe
traffic that matches the rule, the rule confidence value remains at 100. When ATLAS no
longer observes traffic that matches the rule, the rule confidence value decreases. The rule
confidence value continues to decrease as time passes without further attack traffic from
that IP address.

Example
The following figure shows how the ATLAS confidence values for a rule can change over
time, given the following scenario:
n On Day 1, Day 2, and Day 3, ATLAS observes a malware threat from 192.0.2.1. ATLAS
creates a rule under the Malware threat category and assigns a confidence value of 100
to the new rule.
n Because no malware is observed from 192.0.2.1 after Day 3, the confidence value
decreases over time.
n On Day 29 and Day 30, ATLAS again detects a malware threat from 192.0.2.1, and resets
the confidence value to 100.
The confidence value changes do not adhere to a fixed timeframe. The date span in this
simplified example is for illustration purposes and does not necessarily represent an
actual timeframe for confidence value changes.
Example: How the ATLAS confidence values can change over time
Example: How APS applies the threat rules

The following example shows how APS applies the threat rules based on the changing
confidence values. For this example, assume these conditions:
n During a certain month, the AIF updates contain a rule for malware from 192.0.2.1, and
the rule confidence value changes over time as shown in the figure above.
n You receive traffic from 192.0.2.1 on the dates in the following table.
n In the ATLAS Intelligence Feed settings in APS, the confidence values for the Malware
threat category are configured as shown in the following table.

Given those conditions, the following table shows how APS would apply the threat rules to
the traffic:
Example: How APS applies the threat rules

Confidence values in APS
ATLAS confidence value
Date for the rule Low = 75 Medium = 50 High = 25
Day 2 100 block block block
Day 15 60 pass block block
Day 22 45 pass pass block

About Web Crawler Support

When protecting your HTTP servers from DDoS attacks, APS might prevent search engine
web crawlers from accessing your site. You can configure APS to pass traffic from certain
search engines with limited inspection, so that legitimate web crawlers can crawl your web
site more freely. As a result, you can maximize search engine page ranking while
maintaining protection from threats that are designed to imitate legitimate web crawlers.
How the web crawler support works

The web crawler support consists of the following features:
n In APS, the ATLAS Intelligence Feed (AIF) updates include a list of the IP address ranges
that Arbor considers to be legitimate search engine web crawlers. Each IP address
range is associated with the low, medium, or high protection level.
n Settings on the Configure AIF Settings page in APS allow you to enable the search
engines that can crawl your web site.
n On the Configure Server Type page, the Web Crawler Support setting allows you to
enable web crawler support by protection level. See “ATLAS Intelligence Feed Settings”
on page 120.
n Sections on the Summary page and the View Protection Group page in APS display
information about the web crawler traffic that APS detects and passes.
How APS passes web crawler traffic

APS passes search engine traffic in a manner that is similar to whitelisting, except that not
all search engine traffic is passed globally. The following criteria determine which search
engine traffic is passed:
n the search engines that are enabled on the Configure AIF Settings page
(Administration > ATLAS Intelligence Feed) in APS
n the protection level that is associated with each search engine’s IP address range in the
AIF updates
n the global protection level or protection group protection level
The protection levels determine which search engine traffic is inspected and which
protection categories are used, as follows:
Protection level Effect on search engine traffic

Low Traffic from all of the enabled search engines is passed without
further inspection.
Medium Traffic from a smaller set of enabled search engines is passed with
limited inspection.
High Traffic from an even smaller set of enabled search engines is

inspected by a majority of protection categories.

Configuring the ATLAS Intelligence Feed

You can configure the automatic updates for the ATLAS Intelligence Feed (AIF) on the
Configure AIF Settings page (Administration > ATLAS Intelligence Feed). The
automatic threat feed updates are enabled by default. However, you must configure
additional settings if you want to connect to the AIF server through a proxy server.
For more information about the AIF, see “About the ATLAS Intelligence Feed” on page 52 .
Note
You can also configure the AIF in the command line interface (CLI). See “Configuring the
ATLAS Intelligence Feed (AIF) in the CLI” in the APS Console Advanced Configuration
Guide .
About the Status section

The status section indicates the date and time of the most recent update. It also indicates
when the system last checked for an update.
Requirements
On APS Console, you must configure a valid DNS server that can contact the Arbor DNS
server for valid name resolution. You can configure this information on the Configure
General Settings page. See “Configuring General Settings” on page 32.
The AIF server uses your client certificate to authenticate an SSL session to allow you to
download the updated feed.
Enabling automatic AIF updates

To enable an automatic connection to AIF:
1. Select Administration > ATLAS Intelligence Feed .
2. On the Configure AIF Settings page, select the Enable Automatic Connection to
AIF check box.
3. Configure the remaining settings to define the update interval and, optionally, a proxy
server.
See “AIF settings” on the facing page.
4. Click Save to save the settings and poll the AIF server at the next interval.
6. (Optional) Click Update Now to test the connection.

AIF settings
When you enable the automatic AIF updates, configure the following settings:
Settings for configuring AIF updates

Setting Description
Check for AIF Type the interval at which APS Console should check the AIF
updates every box server for updates to the threat feed data. Type any number
of hours from 1 to 168 (7 days); the default interval is one
hour.
Update Now button (Optional) Click this button to force an AIF update at any time.
For example, when you first implement APS Console, you
might want to force an AIF update to test the connection.
If you made any configuration changes, they do not take
effect until you click Save.
Use proxy to connect (Optional) Select this check box to allow APS Console to
to AIF server check connect to the AIF server through a proxy server.
box If you do not select this check box, you can skip the
remaining settings in the AIF Proxy Configuration section.
Host box Type the IP address or the hostname for the proxy server.
Port box Type the port number for the proxy server.
Username box If necessary, type the user name that is required to access
the proxy server.
Password box If necessary, type the password that is required to access the
proxy server.
Authentication Select the type of authentication to use when APS Console

mode list connects to the AIF server:
n basic
n NTLM
n digest method

Viewing the Status of ATLAS Intelligence Feed Updates

You can view the status of the ATLAS Intelligence Feed (AIF) updates on the Configure AIF
Settings page and the Audit Trail Log.
On any of these pages, you can refresh your browser window to update the status
information.
Checking the status of the AIF updates

To check the status of the last automatic update or update request (from the Update
Now button):
n Select Administration > ATLAS Intelligence Feed to display the Configure AIF
Settings page, and view the Last Check information.
Viewing AIF updates in the Audit Trail Log

All of the automatic AIF updates are recorded and displayed in the Audit Trail Log
(Administration > Audit Trail). The AIF log entries contain information about which files
are updated.
You can search for “ATLAS” to filter the display for AIF entries. See “Viewing the Audit Trail
Log” on page 319.
About the AIF traffic statistics

You can use the View Protection Group page to view information about the attack traffic
that the AIF signatures detected and blocked. See “Viewing the AIF Traffic Statistics for a
Protection Group” on the facing page.

Viewing the AIF Traffic Statistics for a Protection Group

You can use the View Protection Group page to view information about the attack traffic
that the AIF botnet signatures detected and blocked. This information is displayed at the
protection group level.
For general information about ATLAS Intelligence Feed, see “About the ATLAS Intelligence
Feed” on page 52.
Viewing the AIF traffic statistics for a protection group

To view the AIF traffic statistics for a protection group:
1. Select Protect > Inbound Protection > Protection Groups.
2. On the List Protection Groups page, click the name link of the protection group whose
data you want to view.
3. On the View Protection Group page, under the Attack Categories section, scroll to the
Botnet Prevention line and click Details.
4. In the subsection that opens, scroll to the AIF Botnet Signatures line and click Details.
This line appears only if traffic matched the AIF signatures and was blocked.
This subsection might also display information, under Basic Botnet Prevention, about
the traffic that is blocked as a result of the Botnet Prevention settings. That traffic is not
associated with the AIF botnet signatures.
5. When you finish viewing the detailed information, click Details to hide it.
AIF Botnet Signatures information

The AIF Botnet Signatures line displays the following information:
n a minigraph of the total traffic that was blocked by the AIF botnet signatures
You can hover your mouse pointer over the minigraph to view a larger version of the
graph.
n the total amount of traffic that was blocked, in bytes, bits per second (bps), packets, and
packets per second (pps)
AIF traffic details

When you click the Details button on the AIF Botnet Signatures line, the following
information appears for each protection level:
n a minigraph of the traffic that was detected or blocked by all of the AIF protection
settings at that level
n the status of each protection level
For example, if the protection level is set to medium, both the low level and medium
level of AIF traffic are marked as Active. The AIF signatures at both levels are used to
block traffic.
n the amount of traffic that was detected or blocked, in bytes, bits per second (bps),
packets, and packets per second (pps)
n the average number of hosts that were blocked
This information reflects the global protection level or the protection group’s protection
level, for those groups that have their own protection level configured.

For the active protection level and for any lower protection levels, the traffic statistics
represent the attacks that were blocked. For any protection level that is higher than the
active level, the traffic statistics represent the attacks that would be blocked if that level
were active.
A large graph represents the traffic that was detected and blocked at all of the levels.

Section 5:
Configuring Notifications
This section describes how to define destinations for sending alert notifications. You can
create notifications for any combination of email addresses, SNMP traps, and syslog
messages.
You can group similar recipients so that they all receive the same types of event
notifications. For example, you can create a notification that includes all of your network
security engineers.
User access
Users at all authorization levels can view the notification configurations. Only
administrators and can perform the configuration tasks that are described in this section.
In this section
About Notifications 66
Configuring Notifications 68
Viewing Notifications 72

About Notifications
When APS Console detects events, conditions, or errors in the system, it creates alerts to
inform users. You can configure APS Console to send notification messages to specified
destinations to communicate certain alerts. You do so by associating the alert with one or
more notifications.
A notification defines its destination and the means by which the notification is sent. You
can create notifications for different groups of users, mailing lists, and remote systems.
You also can create notifications when you add user accounts. When you enter an email
address for a user account, APS Console creates a notification for that email address. If
necessary, you can edit or delete these user-specific notifications on the Configure
Notifications page.
Viewing notifications
The Configure Notification page displays all of the notifications that are configured for APS
Console, and allows you to add, edit, and delete notifications. See “Viewing Notifications”
on page 72 and “Configuring Notifications” on page 68.
How APS Console uses the notifications

When you create a notification, it appears as a selection in the alert configuration for
system events. You can select one or more notifications for each alert configuration. When
an alert is triggered for the associated event, the notifications are sent to the destinations
that are defined in the alert’s notification.
Note
The notifications for APS Up/Down events may be delayed by up to five minutes. This
delay occurs because APS Console waits to make sure that an APS device is down and
not experiencing a temporary connection issue.
Notification contents
A typical notification contains the alert type and a description. It also includes the default
URL hostname, if one is configured on the Configure General Settings page
(Administration > General). The recipient can copy and paste the URL into a browser to
navigate directly to the event.
Depending on the alert type, the notification can contain additional information, such as
the associated rule, severity, client, server, service, and other messages.
See “Email Notification Examples” on page 338 or “Syslog Notification Examples” on

page 339 .

Section 5: Configuring Notifications
Notification types
The notification type defines how APS Console sends notifications. You can create
notifications for any combination of email addresses, SNMP traps, and syslog messages.
Types of notifications
Notification type Description

email APS Console sends email notifications to the destination addresses
that you specify, and the notifications appear to come from the
sender address that you specify. APS Console queues email
messages for one minute, and then sends them in a batch. When
an email notification contains multiple alerts, APS Console sends
one summary email.
The system sends the email notifications through the SMTP server
that you configure on the Configure General Settings page.
SNMP APS Console sends notifications to a network management system

as SNMP traps.
The Arbor SMI MIB and the APS Console MIB define the SNMP
notification format. See “About SNMP Polling” on page 34.
APS Console supports SNMP versions 1, 2, and 3 for notifications.
You can send test SNMP notification messages to verify that the
system is working properly before it generates an actual alert.
syslog APS Console sends notifications to a security event management

system as syslog messages.

Configuring Notifications
The Configure Notifications page allows you to configure notifications that APS Console
sends to specified destinations when certain system alerts and events occur.
See “About Notifications” on page 66.
Setting a default From address

You can set a default From address that is used in every new email notification that you
create, unless you specify otherwise.
To set a default From address:

1. Select Administration > Notifications.
2. At the bottom of the Configure Notifications page, in the Default ‘From’ Address
box, type a valid email address.
3. Click Save.
Configuring notifications
To add or edit a notification:
2. On the Configure Notifications page, complete one of the following steps:
l To add a new notification, click Add Notification .
l To edit an existing notification, click the notification name.
3. Configure the following settings:
Setting Description
Name box Type a unique name to identify the notification throughout
the UI. Use a name that helps users recognize the
destinations that it represents. You can use any combination
of letters and numbers.
Comment box (Optional) Provide descriptive information to further identify

the notification. The comment appears in the list of
notifications on the Configure Notifications page.
4. Configure the settings for one of the following destination types, and then click Save.
l Email — See “Email notification settings” on the facing page.
l SNMP — See “SNMP notification settings” on the facing page.
Tip
After you add an SNMP notification, you can click Test to send test SNMP
notification messages. This test allows you to verify that the system is working
properly before it generates an actual alert.
l Syslog — See “Syslog notification settings” on page 70.

Email notification settings

When you create or edit an email notification, configure the following settings:
Email notification settings

Setting Description
From box Type the email address that should appear as the sender. You
can use the APS Console name as the sender to easily identify
any APS Console notifications.
If you specified a default From address, it appears here. See
“Setting a default From address” on the previous page.
To box Type the recipient’s valid email address. Enter multiple email
addresses as a comma-separated list.
SNMP notification settings

When you create or edit an SNMP notification, configure the following settings:
SNMP notification settings

Settings Description
Destination IP box Type the IP address for each SNMP trap receiver. You can add
up to four IP addresses.
Use commas to separate multiple IP addresses.
Version list Select the SNMP version that you use.
Community box (Versions 1 and 2 only) Type the community string (password)
to use for authenticating the SNMP trap. Otherwise, the system
defaults to the standard public setting.
Agent IP box (Version 1 only) Type the IP address for the SNMP agent.
User Name box (Version 3 only) Type an SNMP user name.

This setting is required and must match one of the names that
is configured on your trap receiver.
Security Engine ID (Version 3 only) Type an SNMP security engine ID.

box This setting is required and must be an even-length string of
hex digits (0-9, A-F). It must match one of the security engine
IDs that are configured on your trap receiver.
Passphrase box (Version 3 only) Type the passphrase for the SNMP user name
that you specified above if the Security Level setting is set to
something other than No Authentication.

SNMP notification settings (continued)

Settings Description
Authentication (Version 3 only) Select an authentication protocol (MD5 or

Protocol list SHA).
If the Security Level setting is set to something other than No
Authentication, this value must match the value that is
expected by your trap receiver.
Security Level list (Version 3 only) Select one of the following security levels:
n No Authentication — No passphrase authentication is
performed.
n Authentication/No Privacy — Passphrase authentication
is performed, but there is no encryption of the data in the
trap messages.
n Authentication w/ Privacy — Passphrase authentication
is performed and the data in the trap messages is
encrypted.
Context Name box (Version 3 only, optional) Type the SNMP application context.
Because there is only one SNMP context on APS Console , this
setting typically is not required. However, if your trap receiver
expects a specific context name, then provide it.
Privacy Protocol list (Version 3 only) Verify that this value matches the value that is
expected by your trap receiver.
If you selected Authentication w/ Privacy from the
Security Level list, then select the appropriate privacy
protocol (DES or AES).
Verify that this value matches the value that is expected by your
trap receiver.
Privacy Passphrase (Version 3 only) If you selected Authentication w/ Privacy

box from the Security Level list, then type the privacy passphrase
that is expected by your trap receiver.
Syslog notification settings

When you create or edit a syslog notification, configure the following settings:
Syslog notification settings

Setting Description
Destination box Type the syslog host IP address.
Port box (Optional) The default setting is port 514. if you do not want to
use the default port, then type a new port number
For more information about setting the default syslog port, see
“Commands and Subcommands in the /services Menu” in the
APS Console Advanced Configuration Guide .

Syslog notification settings (continued)

Setting Description
Facility list Select a syslog facility value to indicate the source of the
message as defined in the syslog protocol RFC 3164.
The default facility is Daemon .
Severity list Select one of the following syslog severity values:

n alert — action must be taken immediately
n crit — critical condition
n debug — debug-level message
n emerg — emergency, system is unusable
n err — error condition
n info — informational message
n notice — normal but significant condition
n warning — warning condition
Deleting notifications
You cannot delete a notification that is referenced by a system alert.
To delete a notification:
2. On the Configure Notifications page, complete one of the following steps:
l To delete individual notifications, select the check boxes to the right of the
notifications.
l To delete all of the notifications on the current page, select the Select All check
box in the table heading row.
3. Click Delete.

Viewing Notifications
The Configure Notifications page displays all of the notifications in the system and allows
you to add, edit, and delete the notifications. See “Configuring Notifications” on page 68.
For general information about notifications, see “About Notifications” on page 66 .
Viewing the notifications

To view the existing notifications:
2. (Optional) On the Configure Notifications page, to find specific notifications, type a
string in the Search Notifications box, and then click Search .
Information on the Configure Notifications page

The Configure Notifications page displays the following information for each notification:
Notification details
Name Displays the name of the notification as a link that opens the Edit
Notification Settings page for that notification.
Email For email notifications, displays the email addresses that

notifications are sent to, and the email address that the
notifications appear to be sent from.
SNMP For SNMP notifications, displays the SNMP destination,

community, and version for the notification.
Syslog For Syslog notifications, displays the destination, facility, and

severity for the notification.
Comment Displays descriptive information that was entered when the

notification was configured.
Log Message Displays the most recent message that was logged for the
notification.
Creator Displays the name of the user who configured the notification.
Last Modified Indicates the last time that the notification was changed by a user
or by the system.
Used By Alert Displays the system alerts that reference the notification as links
Configurations to the corresponding alert Configuration window.
Selection check box Allows you to select the notification for deletion.

Part III:
APS Management

Section 6:
Introduction to APS Management
This section describes how to use APS Console as a system to manage multiple APS
devices.
User access
Users at all authorization levels can view the APS information. Only administrators and
analysts can perform the configuration tasks that are described in this section.
In this section
Configuring APS for APS Console Management 76

1About the APS Console - APS Data Synchronization 78
How Restoring Backups Affects the APS Console - APS Synchronization 82
Setting the Protection Mode (Active or Inactive) 84
About the Protection Levels 86
Deleting Offline Devices 89

Configuring APS for APS Console Management

You can manage multiple APS devices from APS Console. To do so, you connect each APS
to APS Console, to allow the systems to communicate.
Before you begin

Before you connect APS to APS Console, verify that the following requirements are met:
n APS is installed and configured as described in the APS Quick Start Card and in this
guide.
n Both APS Console and APS are running version 5.11 or later.
Connecting APS to APS Console

You configure the settings to manage APS through APS Console in APS.
To connect APS to APS Console:

1. Log in to the UI of the APS that you want to manage.
3. On the Configure General Settings page, configure the following settings:
Setting Description
APS Console box Type the IP address or hostname for APS Console.
Shared Secret box Type the shared secret to use to authenticate

communication with APS Console.
APS Console uses the shared secret to authenticate internal
communication. You must configure the same secret on all
of the APS devices that APS Console manages.
To delete an existing shared secret, click (Clear
Password).
4. Click Save.
About the Connection Status box

If the settings for managing APS through APS Console are configured, and a connection
error occurs, the connection status box appears. The connection status box provides
information about the connection error and contains a Test Connection button. After
you edit the connection settings or take other steps to fix the error, you can use the Test
Connection button to verify the connection.
Disconnecting APS from APS Console

In certain situations, you might need to disconnect an APS device from APS Console. For
example, you might need to move the device or return it for repair.
Also, certain backup and restore procedures require that you disconnect APS.
To disconnect APS from APS Console:

1. Log in to the UI of the APS.

Section 6: Introduction to APS Management
3. On the Configure General Settings page, delete the text in the APS Console box and
the Shared Secret box.
4. Click Save.

About the APS Console - APS Data Synchronization

When you use APS Console as a central management console for APS, you can create and
manage the configurations for multiple APS devices. You can configure server types,
protection groups, the outbound threat filter, blacklists, and whitelists in APS Console and
propagate the configurations to each managed APS as appropriate.
See “About Managing APS Devices from APS Console” on page 14.

When you first connect APS to APS Console, the applicable configurations on APS Console
are copied to APS. Any existing configurations on APS are copied to APS Console.
Thereafter, each APS periodically checks APS Console for configuration changes and
obtains the changes that apply to the APS.
For information about connecting APS to APS Console, see “Configuring APS for APS
Console Management” on page 76.
Viewing the APS synchronization status

In APS Console, you can view the synchronization status for a specific APS in the System
Information section on the Summary page. The possible statuses are as follows:
n Initial synchronization — A new APS is connected and the initial synchronization is in
progress.
n Preparing configuration — The system is in the process of updating the current
configurations.
n Good — The configurations on APS match the configurations on APS Console that apply
to the APS.
n Out of sync — One or more of the configurations on APS Console changed, and the APS
has not yet received those changes.
n APS version does not support synchronization — The APS version is earlier than 5.11.
Initial synchronization
When you first connect APS to APS Console, the following items are copied from APS
Console to the APS:
n all of the standard server types
n the outbound threat filter

n the default protection group
n the global items in the inbound blacklist and inbound whitelist
n all of the items in the outbound blacklist and outbound whitelist
No custom configurations or protection group-specific items are copied because no

custom protection groups have been assigned to the new APS yet.
If APS contains local configurations, they affect the synchronization as follows:

n If certain local configurations conflict with any of the configurations that are copied
from APS Console, they are duplicated on APS.
See “Initial synchronization of duplicate configurations” on the facing page.
n The local configurations are merged with the configurations on APS Console.
See “Configuration merges during the initial synchronization” on the facing page.

Initial synchronization of duplicate configurations

During the initial synchronization of an APS that has local configurations, a server type or
protection group on APS might conflict with one on APS Console. These conflicts are
treated as follows:
n If APS and APS Console contain a server type (standard or custom) with the same
name, a copy of that server type is created on APS. The copy of the server type has the
same name as the original server type, with the name of the APS appended to it. The
original server type on APS is updated with the configuration from APS Console. Any
protection groups that were associated with the original server type are updated to be
associated with the new server type.
n If APS and APS Console contain a protection group with the same name, a copy of that
protection group is created on APS. The copy of the protection group has the same
name as the original protection group, with the name of the APS appended to it. The
original protection group on APS is updated with the configuration from APS Console.
Consolidating the new configurations

After you connect each APS, you might review the APS for configurations that you can
consolidate.
For example, if an APS contains a protection group that is assigned to that APS only,
determine whether an existing protection group on APS Console would serve the same
purpose. If so, then in APS Console, unassign the APS from the local protection group and
assign it to the protection group on APS Console. Then delete the APS-specific protection
group.
Configuration merges during the initial synchronization

During the initial synchronization of an APS that has local configurations, the local items
are merged with the items on APS Console as described below.
Server type merges

All of the server types on APS are copied to APS Console.
These server types include any duplicate server types that APS might have created to
resolve conflicts with the server types that it received from APS Console. See “Initial
synchronization of duplicate configurations” above.
Protection group merges

n The default protection group on the APS is replaced with the one from APS Console,
which overwrites any local configuration changes.
n All of the custom protection groups on APS are copied to APS Console and assigned to
that APS.
These protection groups include any duplicate protection groups that APS might have
created to resolve conflicts with the server types that it received from APS Console. See
“Initial synchronization of duplicate configurations” above.
Outbound threat filter merge

The outbound threat filter on the APS is replaced with the one from APS Console, which
overwrites any local configuration changes.

Blacklist merges and whitelist merges

n The global items and protection group-specific items on APS that do not match any
items on APS Console are copied to APS Console.
n A global item on APS that matches a protection group-specific item on APS Console
replaces the APS Console item.
n A protection group-specific item on APS that matches a global item on APS Console is
deleted.
n If an item from APS causes APS Console to exceed its capacity, the item is added to APS
Console but disabled. The disabled item appears on the blacklist page or whitelist page
in the APS Console UI, but it is dimmed. Also, if you add a host entry on APS after
synchronization and the APS table becomes full, the APS Console stops synchronizing
hosts with the APS. To avoid these issues, we recommend that you do not add hosts to
the blacklists and whitelists on an APS if it is managed by APS Console.
See “About the Capacity of the Blacklists and Whitelists” on page 172.
n Any blacklisted CIDRs or whitelisted CIDRs on APS that overlap existing items on APS
Console are copied to APS Console but are not merged.
For example, assume that 192.0.2.0/16 is blacklisted in APS and 192.0.2.0./24 is
blacklisted in APS Console. Although the blacklisted address on APS includes the
subnet of the blacklisted address on APS Console, APS Console will contain both items.
Subsequent synchronizations
Periodically, any configuration changes (additions, modifications, and deletions) on APS
Console are propagated to each APS as applicable. As in the initial synchronization, each
APS obtains only the standard items, the global items, and the items that are specific to the
APS. No items are copied from APS to APS Console.
Caution
After the initial synchronization, the additions and changes to the configurations on APS
Console might overwrite the local configurations on APS. Generally, you should not make
local changes on a managed APS, although you might occasionally need to do so. For
example, you might lose the connection between APS Console and an APS during a high-
volume DDoS attack. In that case, you can make local changes on the APS to mitigate the
attack.
When you back up and restore APS Console and APS, you must follow certain guidelines
to maintain the synchronization. See “How Restoring Backups Affects the APS Console -
APS Synchronization” on page 82.

Synchronization after APS is disconnected from APS Console

If APS is disconnected from APS Console and then reconnected, the synchronization
process depends on the state of the APS when you reconnect it, as follows:
Synchronization after APS is disconnected from APS Console

Situation Synchronization process
An APS that contains configuration data The synchronization is the same as those that
is reconnected to the same APS occur after the initial synchronization. See
Console. “Subsequent synchronizations” on the
This situation typically occurs when the previous page.
communication between APS and APS
Console is interrupted, either because
you disconnect APS or because of some
other connection issue.
An APS that contains no configuration The synchronization is the same as when you
data is reconnected to the same APS connect a new APS. See “Initial
Console. synchronization” on page 78.
This situation might occur when you
return the APS for a repair, during
which the configuration data is erased.
An APS with or without configuration The synchronization is the same as when you
data is reconnected to a different APS connect a new APS. Any configurations that
Console. APS obtained from the original APS Console
This situation might occur when you are merged with the data from the new APS
move the APS to a different location in Console. See “Initial synchronization” on
your network or replace the original page 78.
APS Console.

How Restoring Backups Affects the APS Console - APS

Synchronization
When you use APS Console to manage APS devices, APS Console periodically copies its
configuration data for a managed APS to the managed APS itself. When you back up and
restore APS Console and APS, you must follow certain guidelines to maintain the data
synchronization.
Guidelines for restoring an APS Console backup

Important
Restore an APS Console backup only when all of the managed APS devices are
disconnected. If you restore APS Console while APS devices are connected, then during
the next synchronization, APS Console sends the old data to APS.
Before you restore an APS Console backup, follow these steps:

1. Disconnect each APS that is connected to APS Console as follows:
a. Log in to the UI of the APS.
b. Select Administration > General.
c. On the Configure General Settings page, clear the APS Console box and the
Shared Secret box, and then click Save.
2. Restore the APS Console backup. See “Restoring APS Console from a Backup” in the
APS Console Advanced Configuration Guide .
Now the data on APS Console is older than the data on APS.
3. Reconnect each APS. The data is synchronized as follows:
l If APS Console was backed up before the APS was connected, the synchronization
is the same as for a newly-connected APS. APS Console copies any configurations
from APS that postdate the backup. See “Initial synchronization” on page 78.
l If APS Console was backed up after the APS was connected, the synchronization is
the same as for any periodic synchronization. The configurations are copied from
APS Console to APS as appropriate. See “Subsequent synchronizations” on
page 80.

Guidelines for restoring an APS backup

When you run an APS backup, the state of the connection between APS Console and APS
determines how you must restore that backup.
Guidelines for restoring APS backups

Backup scenario How to restore APS
You back up APS while it is Restore the APS backup as usual. During the next
connected to APS Console. synchronization, APS Console updates APS.
You back up APS before it is 1. Restore the APS backup.

connected to APS Console. Later, Now APS is no longer connected to APS
after APS is connected to APS Console, because the backup does not include
Console, you need to restore the the connection configuration. However, APS
APS backup. Console still knows about the APS.
2. Connect APS to APS Console.
During the next synchronization, APS Console
updates APS.
You back up APS while it is 1. Restore the APS backup.

connected to APS Console. Later, 2. Connect APS to APS Console.
you disconnect APS. For example, During the next synchronization, APS Console
you might need to move the updates APS.
device or return it for repair.
Additional information about backups and data synchronization

For additional information, see the following topics:
n Backing up and restoring APS Console — see “About APS Console Backups” on
page 330 . Also see “Restoring APS Console from a Backup” in the APS Console
Advanced Configuration Guide .
n Connecting APS to APS Console — see “Configuring APS for APS Console
Management” on page 76.
n The data synchronization — see “1About the APS Console - APS Data Synchronization”
on page 78.

Setting the Protection Mode (Active or Inactive)

When APS is installed in the inline deployment mode, you can run it in one of the following
protection modes:
n active — In addition to monitoring traffic and detecting attacks, APS mitigates attacks.
n inactive — APS analyzes traffic and detects attacks without performing mitigations. You
can use the resulting information to set your policies for attack detection and
mitigation.
The inactive mode is most commonly used in trial implementations. See “Implementing
APS for Trial or Monitoring Only” in the APS User Guide .
You can set the protection mode for an individual protection group or the outbound
threat filter without affecting any other traffic. For example, you can set a new protection
group to inactive mode for testing while keeping the APS in active mode. See “Adding,
Editing, and Deleting Protection Groups” on page 231 and “Configuring the Outbound
Threat Filter” on page 115 .
About changing the protection mode for multiple APS devices

When you use APS Console to manage APS, you can set the protection mode for multiple
APS devices, as follows:
n By default, every APS to which a protection group is assigned uses the protection mode
that you configure for that protection group. However, for a specific APS, you can
override the protection group’s protection mode.
n For outbound traffic, all of the managed APS devices use the protection mode that is set
for the APS Console outbound threat filter.
Caution
If you make local changes on an APS device that is managed by APS Console, those
changes are not copied to APS Console. As a result, any changes that you make on an
APS are lost because the configurations from APS Console overwrite the configurations
on APS. Generally, you should not edit the configurations locally on a managed APS.
Viewing the current protection mode

You can view the current protection mode in the following places in the UI:
Where to view the current protection mode

Protection mode
type Where to view the protection mode
Protection group You can view the protection mode for a protection group on the
following pages:
n List Protection Groups (Protect > Inbound Protection >
Protection Groups)
n View Protection Group
Outbound threat You can view the protection mode for the outbound threat filter
filter on the Outbound Threat Filter page (Protect > Outbound
Protection > Outbound Threat Filter).

Changing the protection mode for a protection group

APS mitigates traffic for an active protection group only when the system’s protection
mode is active.
To change the protection mode for a protection group:

2. On the List Protection Groups page, click the name link of the protection group to edit.
3. On the View Protection Group page, in the header section, click Edit.
4. In Protection Group Mode, select Active or Inactive.
5. Click Save.
Changing the protection mode for the outbound threat filter

To change the protection mode for the outbound threat filter:
1. Select Protect > Outbound Protection > Outbound Threat Filter.
2. For Protection Mode, select Active or Inactive.
3. Click Save.

About the Protection Levels

The protection level defines the strength of protection that APS provides and the
associated intrusiveness and risk of blocking clean traffic. The protection levels are low,
medium, and high.
The protection levels are associated with different protection settings. These settings
include those that are not user-defined, such as the invalid packets protection category.
When the protection level is set, the protection settings that are associated with that level
are enabled.
User access
Only administrators can change the protection level. Non-administrative users can view
the current protection level but cannot make changes.
About the different protection levels

The protection level determines which protection settings are in use at any given time. For
example, if the protection level is low, then the low protection settings are used to inspect
the current traffic. You can change the protection level as needed to mitigate attacks. See
“Changing the Protection Level” on page 253.
Initially, APS uses a global protection level, which applies to the entire APS. You can
continue to use the global protection level, but you also can configure individual
protection levels for specific protection groups and the outbound threat filter. These
individual protection levels take precedence over the global protection level.
About the protection levels for protection groups and the outbound threat
filter
The protection level determines which protection settings are in use for a specific
protection group or the outbound threat filter. You might change the protection level for a
protection group or the outbound threat filter in the following situations:
n To respond to attacks and traffic spikes against one protection group without affecting
the traffic to the other protection groups.
n To respond to outbound threats without affecting the inbound traffic.
n To determine how different protection levels affect the traffic when you create a new
protection group or change the settings for an existing protection group.
You also can automate the protection level for a protection group. See “About protection
level automation” on page 235.
About the protection levels for the protection settings

For each of the protection settings, you can specify different values for the low, medium,
and high protection levels. The current protection level determines which of the settings
are used at any given time. For example, you might set conservative thresholds for the low
protection level and more aggressive thresholds for the medium and high protection
levels.
You also can leave the protection settings empty or disable one or more of the protection
levels. For example, you might disable a setting for the low protection level and then
enable it for the medium and high protection levels.

You configure the protection settings for multiple APS devices on the following pages:
n Configure Server Type page (Protect > Inbound Protection > Server Type
Configuration , click a server type name), for inbound traffic
n Outbound Threat Filter page (Protect > Outbound Protection > Outbound Threat
Filter), for outbound traffic. See “Configuring the Outbound Threat Filter” on
page 115.
Viewing the current protection level

Throughout the UI, the following icons represent the protection levels: global, low,
medium, and high. The current protection level is indicated by a check mark in the
corresponding icon.
You also can automate a protection group’s protection level. The following icons represent
the low automated protection level and the high automated protection level (there is no
medium automated protection level):
You can view the current protection level on the following pages:
Where you can view the protection level

Protection level Page How the protection level is indicated
Protection group List Protection To the far right of the protection group name, a
Groups page single icon indicates the protection group’s
protection level. If the protection group uses the
global protection level, no icon appears.
View Protection The header area contains text that indicates the
Group page protection group’s protection level.
When you edit a protection group, all of the
protection level icons appear. The protection
group’s current protection level is checked, and
you can click an icon to change the protection
level.
Outbound threat Outbound The header area contains text that indicates the
filter Threat Filter outbound threat filter’s protection level.
page When you edit the outbound threat filter, all the
protection level icons appear. The outbound
threat filter’s current protection level is checked,
and you can click an icon to change the
protection level.

Balancing protection and risk

The risk of blocking clean traffic increases with the level of protection. Generally, you
should set the protection level to low. Reserve the medium and high levels for use during
attack conditions.
The following table describes when to use the different protection levels and the levels of
protection and risk that are associated with each one:
Levels of protection and risk

Level When to use Level of protection and risk
Low Under normal This level is the safest but it offers the least
conditions protection.
n Only low-risk traffic is blocked.
n There is no tolerance for false positives.
Medium During a significant The protection settings are stricter. Clean traffic that
attack is unusual might be blocked.
High During a heavy This level provides the most aggressive protection
attack but it carries risks.
Blocking some clean traffic is acceptable as long as
most of the hosts are protected.
For protection groups, you can automate the protection level. When you automate the
protection level, APS uses a total traffic threshold to determine when to change the
protection level from low to high. See “About protection level automation” on page 235.
Recommended protection levels for protection settings

Your protection settings at the low level should protect your network against the majority
of attacks without blocking any clean traffic. If a large number of attacks are passed
through, then you might need to configure more aggressive thresholds at the low level.
Conversely, if too much clean traffic is blocked, then you might need to configure more
conservative thresholds at the low level. As you use APS and review the traffic information
that it provides, you can refine the settings to provide an acceptable balance between
protection and risk.

Deleting Offline Devices

If a managed device goes down, “Offline” appears in the Uptime column for that device on
the Summary page. If the device remains down for several minutes, a Delete button
appears at the far right of that device’s row. TheDelete button allows you to delete an
offline device from APS Console.
When you delete a device, it is removed from APS Console and all of its alerts and
protection groups are deleted from APS Console. The deletion does not affect the device
itself or any of the alerts or protection groups on that device.
If you delete a device prematurely and it comes back online, it re-appears in APS Console
and in the System Information section on the Summary page.
For general information about the Summary page, see “Viewing a Summary of System
Activity” on page 310 .
Deleting an offline device

To delete a device:
1. Select the Summary menu.
2. On the Summary page, in the System Information section, click the Delete button
that appears next to the offline appliance.


Section 7:
Managing Shared Server Types
This section describes how to configure and manage the server types that determine
which protection settings are available for each protection group. On APS Console, you
can manage the server types for all of the APS devices that APS Console manages. You also
can add and delete server types on APS Console.
In this section
About the Server Types 92

Viewing Server Types 96
edAdding and Deleting Custom Server Types 98
Changing the Protection Settings for Server Types 100
About Traffic Profiling for Protection Configuration 102
Capturing Traffic Profiles from APS Console 104
Using Traffic Profile Data to Configure Protection Settings 105
Restoring the Default Protection Settings 108

About the Server Types

A server type represents a class of hosts that a specific protection group protects. The
server type determines which protection settings are available for a protection group and
which application-specific data APS collects and displays for that group. Each protection
group is associated with a server type; multiple protection groups can be associated with
the same server type.
APS contains predefined, standard server types for IPv4 hosts and one standard server
type for IPv6 hosts. These standard server types offer protection settings that cover most
situations. To meet your organization’s more specific protection requirements, you can
create custom server types that are based on the standard server types.
You can add a maximum of 100 custom server types on an APS.
Navigating to the Server Types page

You add, edit, and delete the server types on the Server Types page (Protect > Inbound
Protection > Server Type Configuration ).
About managing the server types from APS Console

If you manage APS with APS Console, then you can configure server types in APS Console
and propagate the configurations to each managed APS. For a server type to be copied to
an APS, that server type must be associated with a protection group that is assigned to the
APS.
When you first connect APS to APS Console, the server types on APS Console are merged
with any existing server types on APS. Thereafter, any changes to the server types on APS
Console are periodically copied to each APS as appropriate. See “1About the APS Console
- APS Data Synchronization” on page 78.
Caution
Standard server types

The standard server types are as follows:
n Generic Server
The generic server type contains all of the protection settings and is associated with the
default protection group.
n Web Server
n DNS Server
n Mail Server
n VoIP Server
n VPN Server
n RLogin Server (remote login)

Section 7: Managing Shared Server Types
n File Server
n Generic IPv6 Server
About the custom server types

You can create custom server types on the Configure Server Type page. The custom server
types allow you to configure different protection settings for similar types of servers. For
example, you can add a custom server type to protect specific DNS servers with settings
that differ from the standard DNS Server settings.
You can associate a custom server type with any custom protection group. See “Adding,
Editing, and Deleting Protection Groups” on page 231.
Examples of custom server types

Examples of how you can use custom server types are as follows:
n Different content
Your organization might have one HTTP server that serves standard web pages,
another that serves video, and another with a heavy AJAX interaction. Some of the HTTP-
related protection categories, such as HTTP Rate Limiting, might not apply to all of those
servers. You can create a custom server type with the appropriate protection settings
for each of these HTTP servers.
n Different traffic rates
An excessive amount of inbound traffic and connections for one server might be
normal for another server. In such cases, setting appropriate thresholds for the rate-
based protection categories can be difficult. You can create custom server types that are
configured for different traffic rates.
n Separate server ownership
In some organizations, different web servers can fall under completely separate
ownership structures, in which different people are responsible for the availability of
the web service. You can create custom server types with separate protection settings
for separately owned servers.
Available protection settings for IPv4 standard server types

Certain protection settings are available for all of the IPv4 standard server types. Other
settings include application-specific behavior and are available only for the server type that
is associated with the application. For example, the HTTP Rate Limiting settings are
available for a Web Server but not for a DNS Server.
The categories of protection settings that are available for the IPv4 standard server types
are as follows:
Available protection settings for the IPv4 standard server types

Generic DNS File Mail RLogin VoIP VPN Web
Settings category Server Server Server Server Server Server Server Server
ATLAS Intelligence x x x x x x x x
Feed
Application x x x x x x
Misbehavior

Available protection settings for the IPv4 standard server types (continued)
Block Malformed x x
DNS Traffic
Block Malformed x x
SIP Traffic
Botnet Prevention x x x
CDN and Proxy x x

Support
DNS Authentication x x
DNS NXDomain x x
Rate Limiting
DNS Rate Limiting x x
DNS Regular x x
Expression
Filter List x x x x x x x x
Fragment x x x x x x x x
Detection
HTTP Header x x x x
Regular
Expressions
HTTP Rate Limiting x x x x
HTTP Reporting x x x
ICMP Flood x x x x x x x x
Detection
Malformed HTTP x x x
Filtering
Multicast Blocking x x x x x x x x
Payload Regular x x x x x x x x
Expression
Private Address x x x x x x x x
Blocking
Rate-based x x x x x x x x
Blocking
SIP Request x x
Limiting

Available protection settings for the IPv4 standard server types (continued)
Spoofed SYN Flood x x x x x x x x

Prevention
TCP Connection x x x x
Limiting
TCP Connection x x x x x x x x
Reset
TCP SYN Flood x x x x x x x x

Detection
TLS Attack x x x x x
Prevention
Traffic Shaping x x x x x x x x
UDP Flood x x x x x x x x
Detection
Available protection settings for the Generic IPv6 Server type

The categories of protection settings that are available for the Generic IPv6 Server type
are as follows:
n Block Malformed DNS Traffic
n DNS Authentication
n DNS NXDomain Rate Limiting
n DNS Rate Limiting
n DNS Regular Expression
n Filter List
n Payload Regular Expression
n Rate-based Blocking
n Spoofed SYN Flood Prevention
n TCP Connection Limiting
n TCP Connection Reset
n Traffic Shaping

Viewing Server Types

The Server Types page displays the server types that are shared by the APS devices that are
under APS Console management. Use the Server Types page to view information about
the server types, edit and manage existing server types, and create new custom server
types.
For general information about the server types, see “About the Server Types” on page 92 .
For information about editing the server types, see “edAdding and Deleting Custom
Server Types” on page 98 and “Changing the Protection Settings for Server Types” on
page 100 .
Viewing the server types

To view the server types:
1. Select Protect > Inbound Protection > Server Type Configuration .
2. (Optional) On the Server Types page, filter the list of servers. In the search box, type a
search string in any of the following ways, and then click Search .
l Type all or part of a server type name, base type name, or protection group name.
l Type multiple search strings in any combination, using commas to separate
multiple entries.
l Include a wildcard character: an underscore (_) matches any one character, and a
percent sign (%) matches any number of characters. For example, to find “DNS
Server”, you could type dns, _ns, or d%.
3. To view or edit the protection settings for a particular server type, click the server type’s
name link.
For information about the specific protection settings, see the topics under
“Configuring the Protection Settings” on page 109 .

About the Server Types page

The Server Types page contains the following information for each server type:
Information on the Server Types page

Column Description
Name Displays the server type’s name as a link that allows you to open the
Configure Server Type page. There, you can view and edit the server type
information. See “Changing the Protection Settings for Server Types” on
page 100.
Appears when you hover your mouse pointer over a source IP address. Click
(context to display the following options:
menu) n Restore Defaults — Restores the selected server type’s protection
settings to their default values.
When you restore the protection settings for a server type, it affects all of
the protection groups that are associated with that server type. See
“Restoring the Default Protection Settings” on page 108.
n Duplicate — Creates a custom server type that inherits the protection
settings from the selected server type. See “Duplicating an existing server
type” on page 99.
n Delete — (Custom server types only) Deletes the selected server type for
all of the APS devices with which it is associated.
Caution
When you delete a server type, all of the protection groups that are
associated with that server type are deleted. See “Deleting a custom
server type” on page 99.
Profile Capture — Allows you to perform a traffic profile on any of the
APS devices that are associated with the server type.
Base Indicates the standard server type on which a custom server type is based.
Type The base server type name appears as a link to the Configure Server Type
page, where you can view and edit the base server type.
Last Indicates the last time the server type was edited, which allows you to identify
Modified recent configuration changes.
In Use Displays the protection groups that use this server type.
By If multiple protection groups are associated with the server type, this column
displays the number of groups. You can display a list of those protection
groups by hovering your mouse pointer over the displayed number.
You can click a protection group’s name link to display the View Protection
Group page for that protection group.

Adding and Deleting Custom Server Types

Custom server types allow you to configure different protection settings for similar types of
servers. For example, you can add a custom server type to protect specific DNS servers
with settings that differ from the standard DNS Server settings. When you create a new
server type, it inherits the protection settings from the existing server type on which it is
based. You can edit the settings as necessary for the new server type.
For general information about the server types, see “About the Server Types” on page 92 .
Adding custom server types when you add a protection group

When you add a new protection group, you select a server type from the list of the
standard server types. When you save the protection group, APS creates a custom server
type that is based on the selected server type, with the same name as the protection
group.
APS adds this server type to the list of Custom Server Types on the Configure Server Type
page.
Adding a custom server type

Use this procedure to create a custom server type that inherits the protection settings from
one of the standard server types.
You can add a maximum of 100 custom server types on an APS.
To add a custom server type:

2. On the Server Types page, under Add A New Server Type , define the server type as
follows:
Setting Description
Server Type Name Type a name to identify the server type throughout the UI.
box
Base Server Type list Select the server type on which to base the new server
type.
3. Click Add Server Type.

4. (Optional) To edit the protection settings, follow these steps:
a. To go to the Configure Server Type page, click the Edit settings link in the
confirmation message that appears at the top of the page. You also can click the
name link for the new server type in the list on the Server Types page.
b. Edit the protection settings.
c. Click Save.

Duplicating an existing server type

Use this procedure to create a custom server type that inherits the protection settings from
any standard server type or custom server type.
To duplicate a server type:

2. On the Server Types page, click (context menu) next to the server type to duplicate,
and then select Duplicate .
3. In the Server Type Name box, type a name to identify the server type throughout the
UI.
4. (Optional) To edit the protection settings, follow these steps:
a. To go to the Configure Server Type page, click the Edit settings link in the
confirmation message that appears at the top of the page. You also can click the
name link for the new server type in the list on the Server Types page.
b. Edit the protection settings.
c. Click Save.
Deleting a custom server type

You can delete custom server types. You cannot delete standard server types.
Caution
When you delete a server type, APS deletes all of the protection groups that are
associated with that server type. Any IPv4 prefixes that the deleted protection group
protected are assigned to the default protection group unless they are included in
another custom protection group.
To delete a custom server type:

2. On the Server Types page, click (context menu) next to the server type to delete,
and then select Delete .
3. In the confirmation message that appears, select Delete.

Changing the Protection Settings for Server Types

The protection settings are the criteria by which APS defines clean traffic and attack traffic.
The default protection settings provide protection from the most common types of DDoS
attacks. These attacks include TCP stack attacks, host or pipe flooding, fragmentation
attacks, resource exhaustion, connection state attacks, botnet attacks, and vulnerability
exploits.
You can customize these settings to provide more directed protection for specific server
types, both standard and custom. If necessary, you can restore a particular server type’s
protection settings to their default values. See “Restoring the Default Protection Settings”
on page 108.
For information about the protection categories and suggestions for when to change the
protection settings, see “About the Protection Settings Configuration” on page 111 . For
general information about the server types, see “About the Server Types” on page 92 .
Using APS Console to manage protection settings

If you manage APS with APS Console, then you can configure server types in APS Console
and propagate the configurations to each managed APS.
Caution
Navigating to the protection settings

The Server Types page allows you to change the protection settings for each of the
protected server types.
To access the Server Types page, select Protect > Inbound Protection > Server Type
Configuration .
How changes affect the protection groups

When you add a protection group, you associate it with a server type. The protection
group inherits the protection settings for that server type. If you change the protection
settings for a server type, the change applies to all of the protection groups that have the
same server type. For example, if you change the Web Server settings, those settings apply
to all of the Web Server protection groups.
About capturing traffic profiles

APS can simplify the configuration of certain rate-based protection settings by learning
typical network behaviors and suggesting values that are appropriate for your network. To
determine these values, APS profiles your network by capturing statistical data about
certain types of traffic. You also can use the profile data to estimate how much traffic
would be passed at different thresholds and protection levels.
The profile data includes passed traffic and might include blocked traffic, depending on
why it was blocked. The data represents all of the protection groups that are associated
with the selected server type. Within each server type, the data applies to certain protection
settings only.

See “About Traffic Profiling for Protection Configuration” on the next page.
If you use APS Console to manage APS, you can manage the profile captures for multiple
APS devices from APS Console.
Configuring the protection settings

To configure the protection settings for a server type:
2. (Optional) On the Server Types page, filter the list of servers. In the search box, type a
search string in any of the following ways, and then click Search .
l Type all or part of a server type name, base type name, or protection group name.
l Type multiple search strings in any combination, using commas to separate
multiple entries.
l Include a wildcard character: an underscore (_) matches any one character, and a
percent sign (%) matches any number of characters. For example, to find “DNS
Server”, you could type dns, _ns, or d%.
3. In the Server Types list, click the name link of the server type to edit.
4. Edit the protection settings.
For information about the specific protection settings, see “About the Protection
Settings Configuration” on page 111 .
5. Click Save.

About Traffic Profiling for Protection Configuration

typical network behaviors and suggesting values that are appropriate for your network. To
determine these values, APS profiles your network by capturing statistical data about
certain types of traffic. You also can use the profile data to estimate how much traffic
would be passed at different thresholds and protection levels.
The profile data includes passed traffic and might include blocked traffic, depending on
why it was blocked. The data represents all of the protection groups that are associated
with the selected server type. Within each server type, the data applies to certain protection
settings only.
Traffic profiling on multiple APS devices

If you use APS Console to manage APS devices, you can select the APS devices on which to
start, stop, and check the status of a profile capture. The capture runs and the results
appear on each selected APS. You can use the profile data as a guide to configuring the
protection settings in APS Console.
Rate-based protection settings that APS uses for profiling

APS gathers profile data for the rate-based protection settings. When you start a profile
capture, APS applies the appropriate maximum values for these rate-based protection
settings to obtain accurate results.
However, the values that APS applies do not appear in the fields on the Configure Server
Type page. Any values that were set previously still appear in these fields.
Important
While the profiling is active, do not make any changes to these protection settings
because changes may cause inaccurate profile capture results.
Rate-based protection settings for profiling

Protection category Setting
Rate-based Blocking Bits per Second Threshold
Packets per Second Threshold
See “Rate-based Blocking Settings” on page 144.
TCP Connection Reset TCP Connection Initial Timeout

See “TCP Connection Reset Settings” on page 151.
DNS Rate Limiting DNS Query Rate Limit

See “DNS Rate Limiting Settings” on page 131.
DNS NXDomain Rate Limiting DNS NXDomain Rate Limit

See “DNS NXDomain Rate Limiting Settings” on
page 130.
HTTP Rate Limiting HTTP Request Limit

HTTP URL Limit
See “HTTP Rate Limiting Settings” on page 135.

Rate-based protection settings for profiling (continued)

Protection category Setting
SIP Request Limiting SIP Source Limit
See “SIP Request Limiting Settings” on page 145.
ICMP Flood Detection Maximum bps

Maximum pps
See “ICMP Flood Detection Settings” on page 137.
UDP Flood Detection Maximum bps

Maximum pps
See “UDP Flood Detection Settings” on page 158.
Fragment Detection Maximum bps

Maximum pps
See “Fragment Detection Settings” on page 133.

Capturing Traffic Profiles from APS Console

APS can profile your network by capturing statistical data about certain types of traffic. The
profile data can help you configure protection settings that are optimized for your server
types. See “About Traffic Profiling for Protection Configuration” on page 102.
If you use APS Console to manage APS devices, you can select the APS devices on which to
start, stop, and check the status of a profile capture. The capture runs and the results
appear on each selected APS. You can use the profile data as a guide to configuring the
protection settings in APS Console.
APS captures data by server type for the traffic that applies to certain protection settings
only. See “Rate-based protection settings that APS uses for profiling” on page 102.
Capturing traffic profiles

To start capturing traffic profiles from APS Console:
2. On the Server Types page, hover your mouse pointer over the name of a server type,
and then click (context menu).
3. In the context menu, select Profile Capture.
The Profile Capture option is available only if a server type is associated with a
protection group that has at least one APS assignment.
4. In the Profile Capture window, select the APS devices on which to perform a profile
capture.
5. To specify the duration of the capture, move the Length of capture slider.
If a capture is running already, the amount of time that remains is shown next to the
selected APS device names in the Stop Capture section.
6. Click Start.
7. To close the Profile Capture window, click Close.
The capture continues to run in the background.
Stopping traffic profile captures

You can stop a profile data capture at any time. To determine whether a capture is running
for a specific server type, you can view the capture status.
To stop a profile data capture from APS Console:

2. On the Server Types page, hover your mouse pointer over the name of a server type,
and then click (context menu).
3. In the context menu, select Profile Capture.
4. In the Profile Capture window, select the APS devices on which to stop the capture,
and then click Stop.
5. To close the Profile Capture window, click Close.

Using Traffic Profile Data to Configure Protection Settings

After you run a profile data capture in APS, you can view the profile data in a profile
window on the Configure Server Type page. For each of the settings that are profiled, you
can view the data from the most recent capture, or from the current capture if one is in
progress. You can use the profile data as a guide to help you configure the protection
settings that are appropriate for your network. You can also use the profile data to
estimate how much traffic would be passed at different thresholds and protection levels.
See “About Traffic Profiling for Protection Configuration” on page 102.
The data represents all the protection groups that are associated with the selected server
type. Within each server type, the data applies to certain protection settings only. See
“Rate-based protection settings that APS uses for profiling” on page 102.
Caution
Before you begin
Before you can view or use the profile data, you must run a profile data capture to collect
the data. See “Capturing Traffic Profiles from APS Console” on the previous page.
Viewing and using the traffic profile data

Profile data is visible in APS only.
To view the traffic profile data and use it to configure protection settings:
1. On APS Console, select Protect > Inbound Protection > Protection Groups.
2. To view the APS devices that are assigned to a protection group, click (expand) to
the left of a protection group name.
3. Click the name of an APS device.
4. Log into the APS.
6. On the Configure Server Type page, select Standard Server Types or Custom
Server Types, and then select a specific server type.
7. Click the (View profile ) icon that appears next to the settings that you want to
configure.
Note
If a capture was not run, or if the most recent capture did not observe any traffic that
applied to this setting, then the icon does not appear.
8. Review the suggested protection settings that appear in the profile window so that
you can configure the corresponding settings in APS Console.
Do not change any settings in APS.
9. Go to APS Console and select Protect > Inbound Protection > Server Type
Configuration .
10. On the Server Types page, click the name link for the server type that you want to

configure.
11. On the Server Types page, edit the protection settings.
Information in the profile window

In APS, the profile window displays the following information for a specific protection
setting:
Information in the profile window

last capture Displays the dates and times at which the capture began and
information ended.
histogram Displays the observed traffic volumes that apply to the current
protection setting.
For example, the histogram for the Bits per Second
Threshold setting displays the number of hosts that sent
certain volumes of traffic, measured in bits per second.
The gray area at the far right of the histogram represents
values that are out of the histogram’s displayed range.
Linear and Log Change the scale of the y axis in the histogram graph as
buttons follows:
n Linear presents the number of hosts on a linear scale, in
which the lines in the graph are proportional to the number
of hosts.
n Log presents the number of hosts on a logarithmic scale, in
which each unit increase represents an exponential increase
in the number of hosts.
markers: Indicate the points in the histogram that correspond to the

configured threshold values for the protection levels: high (H),
medium (M), and low (L). The markers work as follows:
n When you open the profile window, the markers reflect the
currently configured threshold values.
n When you click Auto, the markers, the displayed values, and
the protection setting fields change to the threshold values
that APS recommends based on the profile data.
n You can drag the markers to different points on the
histogram. As you drag the markers, the threshold values
change in both the profile window and the protection
setting fields.
n If you type different threshold values in the protection
setting fields, the markers and the displayed values in the
profile window change accordingly.
Caution
If you manage the server types in APS Console, do not edit
them in APS.

Information in the profile window (continued)

Low , Med, and High Display the threshold values and the approximate amounts of
values traffic that those thresholds would allow APS to pass at each
protection level.
Maximum x (where x Displays the highest value of the item that is measured.
varies depending on For example, if you view the values for the Bits per Second
the protection setting) Threshold setting, then this value represents the Maximum
bits per second.
Auto button Changes the threshold values in the profile window and the
protection setting fields to the recommended values.
Caution
If you manage the server types in APS Console, do not edit
them in APS.

Restoring the Default Protection Settings

You can change the protection settings for any standard server type or custom server type.
You also can restore a particular server type’s protection settings to its default values.
When you restore the protection settings for a server type, it affects each protection group
that is associated with that server type. If a protection group in APS Console is assigned to
one or more managed APS devices, the server type changes affect each assigned APS.
Restoring the protection settings affects the standard server types and custom server types
as follows:
n When you restore the protection settings for a standard server type, the settings of any
related custom server types are not affected.
n When you restore the protection settings for a custom server type, the settings are
returned to the default settings of the base server type. Any changes that might have
been made to the base server type’s settings are not applied to the custom server type.
For general information about the server types, see “About the Server Types” on page 92
and “edAdding and Deleting Custom Server Types” on page 98 .
Restoring the default protection settings

To restore the default protection settings:
2. On the Server Types page, click (context menu) next to the server type for which
you want to restore settings, and then select Restore Defaults.
4. To view the restored protection settings, click the server type’s name link to open the
Configure Server Type page.

Section 8:
Configuring the Protection Settings
You configure the protection settings to define how APS identifies and blocks malicious
traffic at each protection level.
In APS Console, you can configure the protection settings for multiple APS devices.
In this section
About the Protection Settings Configuration 111

About the Outbound Threat Filter 113
Configuring the Outbound Threat Filter 115
Validating the Outbound Threat Filter Configuration 116
Application Misbehavior Settings 119
ATLAS Intelligence Feed Settings 120
Block Malformed DNS Traffic Settings 124
Block Malformed SIP Traffic Settings 125
Botnet Prevention Settings 126
CDN and Proxy Support Settings 128
DNS Authentication Settings 129
DNS NXDomain Rate Limiting Settings 130
DNS Rate Limiting Settings 131
DNS Regular Expression Settings 132
Fragment Detection Settings 133
HTTP Header Regular Expressions Settings 134
HTTP Rate Limiting Settings 135
HTTP Reporting Settings 136
ICMP Flood Detection Settings 137
Malformed HTTP Filtering Settings 138
Multicast Blocking Settings 139
Payload Regular Expression Settings 140
Private Address Blocking Settings 143
Rate-based Blocking Settings 144
SIP Request Limiting Settings 145
Spoofed SYN Flood Prevention Settings 146
TCP Connection Limiting Settings 150
TCP Connection Reset Settings 151

TCP SYN Flood Detection Settings 153

TLS Attack Prevention Settings 155
Traffic Shaping Settings 157
UDP Flood Detection Settings 158

Section 8: Configuring the Protection Settings
About the Protection Settings Configuration

For example, if a setting specifies a threshold based on the number of requests per
second, then traffic that exceeds the threshold is considered to be an attack.
The default protection settings in APS provide protection from the most common types of
DDoS attacks. You can customize these settings to provide more directed protection for
specific types of servers and for your outbound traffic. In APS Console, you can customize
the protection settings for multiple APS devices.
For information about types of DDoS attacks, see “DDoS Attacks and APS Protections” in
the APS User Guide .
Navigating to the configuration pages

You configure the protection settings on the following pages in APS:
n Configure Server Type page, for inbound traffic
Allows you to change the protection settings for each of the protected server types. See
“Changing the Protection Settings for Server Types” on page 100.
n Outbound Threat Filter page, for outbound traffic
Allows you to configure the protection settings for the outbound threat filter. See
“Configuring the Outbound Threat Filter” on page 115.
About the protection categories

The protection settings are organized into categories, each of which detects a different
type of attack traffic.
For inbound traffic, each server type contains the categories of protection settings that are
most appropriate for that server type. Each protection group is associated with a server
type and one or more host servers of that type. For example, a Web Server protection
group contains the HTTP categories of settings, which detect HTTP-based attacks.
The outbound threat filter contains the categories of protection settings that are most
appropriate for outbound traffic.
About temporary blocking

Temporary blocking occurs dynamically as a result of the protection settings that are
configured for the protection groups. When APS encounters certain types of malicious
inbound traffic, it blocks the offending traffic.
Some of the protection categories temporarily block a host, which effectively blocks all of
the traffic from that host, including its clean traffic. The top 10 hosts that are blocked in this
way appear in the Temporarily Blocked Sources section on the View Protection Group
page. APS does not temporarily block the hosts for outbound traffic.
Other protection categories temporarily block a host’s offending traffic but not its clean
traffic or the host itself. Such hosts do not appear in the Temporarily Blocked Sources
section on the View Protection Group page, but they do appear in the blocked hosts log.
This blockout period typically lasts for several minutes. The protection category that
detects the malicious traffic determines the length of the blockout period, and this time
period cannot be changed.

About the protection levels for the protection settings

For each of the protection settings, you can specify different values for the low, medium,
and high protection levels. The current protection level determines which of the settings
are used at any given time. For example, you might set conservative thresholds for the low
protection level and more aggressive thresholds for the medium and high protection
levels.
You also can leave the protection settings empty or disable one or more of the protection
levels. For example, you might disable a setting for the low protection level and then
enable it for the medium and high protection levels.
See “About the Protection Levels” on page 86.
When to change the protection settings

Because you configure different settings for each protection level, you can vary the threat
detection criteria at any time by changing the protection level. You can change the
protection level globally or for one or more specific protection groups.
Typically, you use the default settings when you first install APS. As you use APS and
analyze its actions, you can customize as many settings as needed to secure your data
center from threats against availability. If you have historical traffic information and
statistics from an APS trial or monitor-only implementation, use that information as a
guide for refining the protection settings.
typical network behaviors and suggesting protection settings that are appropriate for your
network. See “About Traffic Profiling for Protection Configuration” on page 102.

About the Outbound Threat Filter

The outbound threat filter prevents malicious traffic from leaving your network. Unlike the
protection groups, which protect specific hosts, the single outbound threat filter protects
all of the outbound IPv4 traffic that passes through APS.
When you install or upgrade APS Console, the outbound threat filter and all of its ATLAS
Intelligence Feed (AIF) threat categories are enabled by default on APS Console. You can
disable the outbound threat filter and the AIF threat categories on the Outbound Threat
Filter page (Protect > Outbound Protection > Outbound Threat Filter). See
Important
For the outbound blacklist and outbound whitelist to work, you must leave the
outbound threat filter enabled. See "Blacklisting Outbound Traffic" on page 180 and
"Whitelisting Outbound Traffic" on page 188 .
About the protection settings

The outbound threat filter contains the categories of protection settings that are the most
appropriate for outbound traffic, to protect state-dependent devices such as load
balancers and next-generation firewalls. It also uses the ATLAS Intelligence Feed (AIF)
threat categories. These settings are the criteria by which APS defines clean traffic and
attack traffic.
You configure these protection settings on the Outbound Threat Filter page. You also can
configure the protection mode (active or inactive) and protection level (global, low,
medium, or high) for the outbound threat filter. See “Configuring the Outbound Threat
Filter” on page 115.
For information about the protection categories and suggestions for when to change the
protection settings, see “About the Protection Settings Configuration” on page 111 .
Note
If you turn on DNS Rate Limiting for a protection group, the outbound traffic may match
the protection group instead of the outbound threat filter. By default, DNS Rate Limiting is
turned on for the default IPv4 protection group and any protection groups that use a
DNS server. Custom protection groups also might have this protection turned on. See
“DNS Rate Limiting Settings” on page 131.
About the outbound threat filter’s protection mode and protection level
The outbound threat filter’s protection mode determines whether APS blocks malicious
outbound traffic. In the active mode, APS monitors traffic and mitigates attacks. In the
inactive mode, APS detects attacks but does not mitigate them. To test the outbound
threat filter, set the protection mode for the outbound threat filter to inactive.
The outbound threat filter’s protection level determines which protection settings are in
use for the outbound traffic. The outbound threat filter can use the global protection level
or a protection level that you configure for the outbound threat filter. The outbound threat
filter’s protection level takes precedence over the global protection level.
In APS Console, you can change the outbound threat filter’s protection mode or
protection level for all of the managed APS devices.

About managing the outbound threat filter from APS Console

When you use APS Console to manage APS, you can configure the outbound threat filter
in APS Console and propagate the configurations to each managed APS.
When you first connect APS to APS Console, the outbound threat filter on the APS is
replaced with the one from APS Console. Thereafter, any changes to the outbound threat
filter on APS Console are periodically copied to each APS. See “1About the APS Console -
APS Data Synchronization” on page 78.
Caution

Configuring the Outbound Threat Filter

You configure the protection settings for the outbound threat filter, to prevent malicious
traffic from leaving your network.
You can enable and disable the outbound threat filter, but you cannot delete it.
For more details about the outbound threat filter, see “About the Outbound Threat Filter”
on page 113 .
Important
If you deploy APS in the monitor mode, the outbound traffic does not go through APS.
Therefore, the traffic is not analyzed.
Configuring the outbound threat filter

To configure the outbound threat filter:
2. Select the Enable Outbound Threat Filter check box.
3. Configure the following settings:
Setting Description
Protection Mode Select Active or Inactive to configure the protection mode.
options For more information about the protection mode, see
“Setting the Protection Mode (Active or Inactive)” on
page 84.
Select an icon to set the protection level (global, low,

medium, or high) for the outbound threats. The global
(Protection Level)
protection level is the default. A check mark in the
corresponding icon shows which level is currently active.
For information about the global protection level, see
“About the Protection Levels” on page 86. Also see
“Changing the Protection Level” on page 253 .
4. For each protection level, configure the protection settings.

For information about the specific settings, see the following topics:
l “ATLAS Intelligence Feed Settings” on page 120
l “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter”
on page 164
l “Payload Regular Expression Settings” on page 140
l “DNS Rate Limiting Settings” on page 131
l “Malformed HTTP Filtering Settings” on page 138
5. Click Save.
After you configure the outbound threat filter, you can verify that you configured it
correctly. See “Validating the Outbound Threat Filter Configuration” on the next page.

Validating the Outbound Threat Filter Configuration

After you configure the outbound threat filter, we recommend that you validate its
configuration to ensure that the relevant traffic passes through APS.
There are several issues that may prevent the outbound threat filter from functioning as
expected, such as:
n misconfiguration of the APS
n an APS deployment that prevents traffic mitigation (for example, you deploy the APS in
an out-of-band mode or inactive mode)
n routing configurations that do not allow APS to see the relevant traffic
For more information, see “About the Outbound Threat Filter” on page 113 .
Testing guidelines
Required configuration settings
You must configure the following settings before testing the outbound threat filter:
n Enable the outbound threat filter.
n Set the protection mode to Active.
n Enable all of the AIF threat categories.
See “Configuring the Outbound Threat Filter” on the previous page.
IP address and domain name for testing

To test the outbound threat filter configuration, use the following IP address and domain
name
n 52.26.163.109
n arbor-aif-test.com
The AIF includes this IP address and domain name.
IP address testing
You can use the ping command on the operating system command line to test the
outbound threat filter configuration. This command is available for all of the standard
operating systems.
To use the ping command to test the outbound threat filter:

1. From a host inside a protection group, access the operating system’s command line.
2. On the command line, enter ping 52.26.163.109
Results of a successful ping test

If you configure the outbound threat filter correctly, the ping command is unsuccessful
and times out, as shown in the following image:

On the APS Summary Page , you should see a spike in the blocked traffic, as shown in the
following image:
On the Outbound Blocked Threats graph, you should see an increase in the number of
source hosts that APS blocked , as shown in the following image:
Results of an unsuccessful ping test

If the host receives a response to the ping command, as shown in the following image,
you should review the outbound threat filter configuration settings.
DNS query testing

You can use the nslookup command on the operating system command line to test the
outbound threat filter configuration. This command attempts to perform a DNS query.
The nslookup command is available for all of the standard operating systems.
To use the nslookup command to test the outbound threat filter:

1. From a host in a protection group, open up the operating system command line.
2. On the command line, enter nslookup arbor-aif-test.com

Results of a successful nslookup test

If you configure the outbound threat filter correctly, the nslookup command is
unsuccessful and times out, as shown in the following image:
On the APS Summary Page , you should see a spike in the blocked traffic, as shown in the
following image:
On the Outbound Blocked Threats graph, you should see an increase in the number of
source hosts that APS blocked, as shown in the following image:
Results of a unsuccessful nslookup test

If the host receives a response to the nslookup command, as shown in the following
image, you should review the outbound threat filter configuration settings.

Application Misbehavior Settings

Use the Application Misbehavior settings to detect application misbehavior patterns that
might not be specific to any protocol.
You configure these settings on the Configure Server Type page (Protect > Inbound
Protection > Server Type Configuration , and then click on a server type name). See
About these settings

These settings allow APS to detect request headers that are interrupted by a TCP FIN from
the client. APS counts a host’s interrupts until either of the following conditions is met:
n The number of interruptions exceeds the configured limit. In this case, APS temporarily
blocks the source host.
n The host completes a request without interruption.
In either case, the interrupt counter is reset to zero.
For example, some botnet attacks send multiple, small HTTP requests that cause a series
of bad request errors and overwhelm the victim server. The bot terminates each
connection before the request is complete.
Application Misbehavior settings

The Application Misbehavior category contains the following setting for each protection
level:
Application Misbehavior settings

Setting Description
Interrupt Count Type the number of TCP FIN interruptions that are allowed
box from a single client before that client is temporarily blocked.
To disable this setting, leave this box empty.
For a description of the protection levels, see “About the Protection Levels” on page 86 .

ATLAS Intelligence Feed Settings

The ATLAS Intelligence Feed (AIF) contains information about the latest advanced threats,
botnets, and web crawlers that our Active Threat Level Analysis System (ATLAS) has
identified. APS can use this information to detect threats, block attacks, and allow
legitimate search engine web crawlers to access your network.
When APS detects traffic that matches any of the HTTP header signatures or enabled
threat policies, it blocks the traffic. If the traffic is inbound, APS temporarily blocks the
source host.
For general information about ATLAS Intelligence Feed, see “About the ATLAS Intelligence
Feed” on page 52.
Enabling AIF updates

Important
These protection settings depend on the presence of an AIF update file. Before you
enable any of the ATLAS Intelligence Feed settings, either verify that the automatic AIF
updates are enabled or request an update. Some of these settings, such as the default
confidence values, do not appear if an AIF update file is not present.
Where to configure the AIF settings

In APS Console, you configure these settings for multiple APS devices on the following
pages:
n For inbound traffic: Configure Server Type page (Protect > Inbound Protection >
Server Type Configuration , then click on a server type name)
See “Changing the Protection Settings for Server Types” on page 100.
n For outbound traffic: Outbound Threat Filter page (Protect > Outbound Protection
> Outbound Threat Filter)
See “Configuring the Outbound Threat Filter” on page 115.


The ATLAS Intelligence Feed settings allow APS to use the information in the ATLAS
Intelligence Feed to block traffic as follows:
How APS uses the ATLAS Intelligence Feed settings

APS action Basis for action
Block attack The AIF updates include the policies that identify categories of
traffic known threats by their traffic patterns, which are defined by IP
addresses, HTTP regular expressions, or DNS names. When you
enable the Threat Categories settings, APS blocks any inbound
traffic or outbound traffic that matches the threat policies.
See “About the ATLAS Threat Policies” on page 54.
Block botnet (Inbound traffic only) Many botnets are known by their traffic
traffic patterns or profiles that suggest an attack. The AIF updates include
the policies (signatures) that identify known botnets. When you
enable the AIF Botnet Signatures settings, APS compares each
policy to the HTTP headers and HTTP requests. APS blocks any
traffic that matches any of the policies and temporarily blocks the
source host.
Pass web crawler (Inbound traffic only) In the process of protecting your servers from
traffic DDoS attacks, APS might prevent search engine web crawlers from
accessing your site. The AIF updates include a list of the IP address
ranges that Arbor considers to be legitimate search engine web
crawlers. When you enable the Web Crawler Support settings,
APS passes the traffic from the search engine IP addresses.
For more information, see “About Web Crawler Support” on
page 59.

ATLAS Intelligence Feed Settings

The ATLAS Intelligence Feed protection category contains the following settings for each
protection level:
ATLAS Intelligence Feed settings

Setting Description
Web Crawler Support (Inbound traffic only) Click one of these buttons to enable
buttons or disable the inspection of traffic for legitimate web crawler
search engines.
For APS to pass the traffic from specific web crawlers, those
web crawlers must be enabled on the Configure AIF Settings
page (Administration > ATLAS Intelligence Feed).
Initially, all of the web crawlers are enabled by default, but
you can choose which web crawlers to enable or disable.
This option is available for the following server types only:
Generic, DNS, and web.
AIF Botnet Signatures (Inbound traffic only) Click one of these buttons to enable
buttons or disable the inspection of traffic based on the traffic
patterns or profiles by which Arbor identifies known
botnets.
This option is available for the following server types only:
Generic, VOIP, and Web.
Threat Categories Click one of these buttons to enable or disable advanced

buttons threat detection based on the ATLAS threat policies, which
are grouped by threat category. See “About the ATLAS
Threat Policies” on page 54.
When you select the Threat Categories check box, the following ATLAS confidence
index settings become available. For more information about the ATLAS confidence
index and the confidence values, see “About the ATLAS Confidence Index” on page 56 .

ATLAS Intelligence Feed settings (continued)

Setting Description
ATLAS Confidence The default confidence value is applied to all of the rules in
Index options all of the enabled threat categories, except those for which
you define a category-specific confidence value. To specify
the default confidence value, select one of the following
options:
n Use Default — Use the confidence value that the Arbor
Security Engineering and Response Team (ASERT)
recommends, which appears in parentheses after this
option. This option is selected by default.
n Custom — Configure a custom confidence value to use
as the default. When you select this option, type a number
from 1 to 100 in the box to represent the confidence
value.
When APS inspects traffic, it applies the threat policy rules

whose confidence values match or exceed the default
confidence value.
Threat category check For each of the threat categories, you can configure the
boxes and confidence following settings:
value boxes n To enable or disable a threat category, select its check
box. By default, all of the threat categories are enabled.
n To configure a confidence value for an enabled threat
category, click to the right of the category’s check box to
display the confidence value box. Type a number from 1
to 100 to represent the confidence value.
The threat category confidence value overrides the
default confidence value for the specific category.

Block Malformed DNS Traffic Settings

Use the Block Malformed DNS Traffic protection settings to prevent attacks that send
invalid or blank DNS requests to a server. These attacks are intended to exhaust resources
or to exploit vulnerabilities.
These settings are available for the Generic IPv6 Server type and some of the IPv4 server
types. See “About the Server Types” on page 92.


When a DNS request arrives at port 53 (source or destination), APS performs the following
tests:
n Verifies that the packet contains a payload that could be part of a valid DNS message. If
the payload is missing, APS blocks the packet.
n Evaluates valid DNS requests for compliance with RFC standards. APS blocks any
requests that do not conform to the standards.
APS does not block the source host.
Block Malformed DNS Traffic settings

The Block Malformed DNS Traffic category contains the following setting for each
protection level:
Block Malformed DNS Traffic settings

Setting Description
Enabled and Disabled Click one of these buttons to enable or disable this
buttons category.

Block Malformed SIP Traffic Settings

Use the Block Malformed SIP Traffic settings to prevent attacks that disrupt VoIP service by
sending invalid or blank SIP requests.

When a UDP packet arrives at a SIP destination port (usually port 5060), APS performs the
following tests:
n Verifies that the packet contains a payload that could be part of a valid SIP request. If
the payload is missing, APS blocks the packet and temporarily blocks the source host.
n Evaluates valid SIP requests to verify that all of the headers that are specified in RFC
3261 section 8.1 are properly formatted and have reasonable values. APS blocks any
requests that do not conform to the standards and temporarily blocks the source host.
Block Malformed SIP Traffic settings

The Block Malformed SIP Traffic category contains the following setting for each protection
level:
Block Malformed SIP Traffic settings

Setting Description
buttons category.

Botnet Prevention Settings

Use the Botnet Prevention settings to prevent botnet attacks, in which a large set of
compromised computers generate a high-volume traffic attack that targets a victim server.
The Botnet Prevention settings allow APS to detect and block botnet attacks based on
known botnet behaviors.
You also can prevent botnet attacks based on the traffic patterns or profiles by which
Arbor identifies known botnets. See “ATLAS Intelligence Feed Settings” on page 120.

About botnets
The following patterns of behavior are common to many botnets:
n Sending requests with incomplete header fields
n Sending slow request attacks, which usually contain artificially truncated request
segments
For example, some botnets send multiple, small HTTP requests, and then terminate
each connection before the request is complete. This attack causes a series of bad
request errors and overwhelms the victim server.

To prevent botnet attacks, APS performs the following tests:
n Basic Botnet Prevention
Checks the packet headers for incomplete fields. APS blocks any packets whose
headers are incomplete and temporarily blocks the source host.
The fields that are checked vary by protection level, as follows:
Protection level Checks

Low Analyzes the Host field in HTTP 1.1 requests
Medium Analyzes the Host field in HTTP 1.1 requests
High Analyzes the following fields in all requests:

n Host
n User-Agent
n Connection
n Prevent Slow Request Attacks

Checks for HTTP requests that contain less than 500 bytes of data and do not end with
\n. Requests that match these criteria are likely to be part of a slow HTTP attack. APS
passes the first three packets that match these criteria and then drops the subsequent
packets and temporarily blocks the source host.

Botnet Prevention settings

Important
The Botnet Prevention settings work only if Malformed HTTP Filtering is enabled. If you
disable Malformed HTTP Filtering, the Botnet Prevention settings for the corresponding
protection levels are disabled also. If you enable one of the Botnet Prevention settings,
the Malformed HTTP Filtering is enabled for the corresponding protection levels. See
“Malformed HTTP Filtering Settings” on page 138.
The Botnet Prevention category contains the following settings for each protection level:
Botnet Prevention settings

Setting Description
Enable Basic Botnet Click one of these buttons to enable or disable the inspection
Prevention buttons of traffic for missing HTTP header fields, which are a common
indicator of botnet attacks.
Prevent Slow Click one of these buttons to enable or disable the inspection
Request Attacks of traffic for requests that are characteristic of slow HTTP
buttons attacks.

CDN and Proxy Support Settings

Use the CDN and Proxy Support settings to prevent the global blocking of all traffic from a
content delivery network (CDN) or proxy.
The protection categories in APS block malicious traffic, temporarily block malicious hosts,
or both. When traffic is routed through a CDN or proxy, the source IP address is that of the
last CDN or proxy device. That source IP address is shared by all of the users whose traffic
passes that device. Therefore, the protection settings that block an attacker’s IP address
might block all traffic from the CDN or proxy. To prevent the blocking of all traffic from a
CDN or proxy, enable CDN and Proxy Support.
When CDN and Proxy Support is enabled, APS relies on the protection categories that
block malicious traffic but do not block the attacker’s IP address. The clean traffic from the
CDN or proxy is passed.
CDN and Proxy Support settings

The CDN and Proxy Support category contains the following setting for each protection
level:
CDN and Proxy Support settings

Setting Description
buttons category.
By default, this category is disabled.

DNS Authentication Settings

Use the DNS Authentication category to protect against DNS attacks that originate from a
source that is not a valid host. These settings can protect any type of DNS server.
APS forces any clients that send DNS requests to change to TCP before the queries reach
the DNS server. This change validates that the original request came from a legitimate
client. APS blocks any requests that are not verified, but does not block the source hosts.
Important
If a cloud service provider forwards cleaned traffic through a GRE tunnel, then APS does
not inspect that traffic for Spoofed Syn Flood Prevention or DNS Authentication. In this
case, APS ignores these protection settings because it would have to send packets back
through the GRE tunnel.

Before you enable these settings for active mitigation, test them thoroughly in a lab
environment. Because these settings require two-way communications, they must be
tested in an inline deployment mode (Inline Routed or Inline Bridged) and the active
protection mode. See “Setting the Deployment Mode” in the APS User Guide and “Setting
the Protection Mode (Active or Inactive)” on page 84.
DNS Authentication settings

The DNS Authentication category contains the following setting for each protection level:
DNS Authentication settings

Setting Description
buttons category.

DNS NXDomain Rate Limiting Settings

Use the DNS NXDomain Rate Limiting category to monitor response packets for hosts that
send requests that might cause the generation of a non-existent domain (NXDomain)
response. These settings protect against DNS cache poisoning and dictionary attacks.
APS temporarily blocks any host that generates more consecutive failed DNS requests
than the configured limit.

Requirement
If you plan to use these settings, your network must be configured so that APS can see the
DNS response traffic from the DNS server.
DNS NXDomain Rate Limiting settings

The DNS NXDomain Rate Limiting category contains the following setting for each
protection level. If (View profile ) appears next to a setting, you can use profile data to
help you configure the appropriate values for that setting. See “Using Traffic Profile Data
to Configure Protection Settings” on page 105.
DNS NXDomain Rate Limiting settings

Setting Description
DNS NXDomain Rate Type the number of failed queries to allow per second.
Limit box To disable this setting, leave this box empty.
If you do not configure the DNS NXDomain Rate Limiting settings, the processing of
outbound traffic is affected as follows:
n The following response-based protection categories do not block outbound traffic
(these protection categories are configured in the server types):
l Filter List. See “Configuring Filter Lists for Specific Server Types or the Outbound
Threat Filter” on page 164.
l Multicast Blocking. See “Multicast Blocking Settings” on page 139.
l Private Address Blocking. See “Private Address Blocking Settings” on page 143.
n The blacklist does not block outbound traffic.
n You cannot perform a packet capture on “int” interfaces.
To address these issues, you must enable the Outbound Threat Filter and add FCAP
expressions to the filter list to block outbound traffic. See “Configuring the Outbound
Threat Filter” on page 115.

DNS Rate Limiting Settings

Use the DNS Rate Limiting settings to prevent attacks from legitimate hosts who misuse
DNS requests to flood DNS servers.
APS inspects all of the DNS traffic that originates from a single source and records the
number of queries per second. It blocks any traffic that exceeds the configured rate limit. If
the traffic is inbound, APS temporarily blocks the source host.

pages:
DNS Rate Limiting settings

The DNS Rate Limiting category contains the following setting for each protection level. If
(View profile ) appears next to a setting, then you can use profile data to help you
configure the appropriate values for that setting. See “Using Traffic Profile Data to
Configure Protection Settings” on page 105.
DNS Rate Limiting settings

Setting Description
DNS Query Rate Type the maximum number of DNS queries per second that a
Limit box source can send before it is blocked.
This rate limit represents what you consider to be a reasonable
maximum amount of DNS traffic.

DNS Regular Expression Settings

The DNS Regular Expression settings allow you to target specific DNS traffic. APS inspects
all of the DNS traffic and applies each regular expression separately to each line of the
DNS requests. If traffic matches an expression, APS drops that traffic.

DNS Regular Expression settings

The DNS Regular Expression category contains the following setting for each protection
level:
DNS Regular Expression settings

Setting Description
DNS Regular Type a regular expression to filter out DNS traffic with
Expressions lines matching requests or headers. Use PCRE format.
You can type multiple regular expressions. APS uses the OR
operator for multiple regular expressions.

Fragment Detection Settings

Use the Fragment Detection settings to protect against attacks that send an excessive
number of IP packet fragments to a server to exhaust its resources.
About fragmentation attacks

A fragmentation attack is a flood of unwanted IP packet fragments. IP standards require a
receiving host to store packet fragments until the other fragments of that packet arrive and
the packet can be reassembled. If the other fragments never arrive, the original fragments
remain in the victim server’s buffers until a timeout marks them as too old. Such a large
number of fragments can fill the server buffer space and prevent the receipt of clean
traffic.
APS inspects the packet fragments that originate from a single source and records the bits
per second and packets per second. It blocks any traffic that exceeds the configured rate
limits. If the protection level is medium or high, it temporarily blocks the source host.

Fragment Detection settings

The Fragment Detection category contains the following settings for each protection level.
If (View profile ) appears next to a setting, then you can use profile data to help you
Fragment Detection settings

Setting Description
Enable Fragment Click one of these buttons to enable or disable this

Detection buttons category.
Maximum bps box Type the maximum amount of traffic (in bps) to allow
from a single source.
Maximum pps box Type the maximum amount of traffic (in pps) to allow

HTTP Header Regular Expressions Settings

Use the HTTP Header Regular Expressions settings to target specific HTTP traffic.
APS inspects HTTP traffic and applies each regular expression to each line of the HTTP
headers and HTTP requests. If any regular expression matches the first HTTP request or
HTTP header in a connection, then APS blocks that request and temporarily blocks the
source host. If any regular expression does not match the first HTTP request or HTTP
header in a connection, then APS whitelists all the HTTP requests for that connection.

HTTP Header Regular Expressions settings

The HTTP Header Regular Expressions category contains the following setting for each
protection level:
HTTP Header Regular Expressions settings

Setting Description
Header Regular Type a regular expression to match HTTP requests or

Expressions lines headers. Use PCRE format.
You can type multiple regular expressions. APS uses the OR
operator for multiple regular expressions.

HTTP Rate Limiting Settings

Use the HTTP Rate Limiting settings to limit the rates at which a source host can send HTTP
requests. These settings prevent a host from overwhelming the resources of a web server
by sending too many requests or by requesting too many unique HTTP objects. (An HTTP
object is a request for a specific resource.)


APS monitors the HTTP requests from each host and performs the following tests:
n Compares the number of requests per second to the configured rate limit. If the
request rate is too high, APS blocks the requests and temporarily blocks the source
host.
n Compares the number of unique HTTP objects per second to the configured URL limit.
If the object rate is too high, APS blocks the requests and temporarily blocks the source
host.
The default limits are usually acceptable for typical users. Because a web server can be
heavily loaded by a small number of HTTP requests, do not raise the limits by large
amounts without careful consideration. If you need to make an exception for a content
mirror server, you can add it to a pass rule in the Filter List settings. See “Configuring Filter
Lists for Specific Server Types or the Outbound Threat Filter” on page 164.
HTTP Rate Limiting settings

The HTTP Rate Limiting category contains the following settings for each protection level. If
(View profile ) appears next to a setting, then you can use profile data to help you
HTTP Rate Limiting settings

Setting Description
HTTP Request Type the number of HTTP requests to allow per second. An HTTP
Limit box request is any type of request such as GET, POST, HEAD, or
OPTIONS. To disable this setting, leave this box empty.
HTTP URL Limit Type the number of requests for a unique HTTP object (specific
box URL) to allow per second.
For example, the medium level defaults are 500 for the HTTP
Request Limit and 15 for the HTTP URL Limit . If 100 requests
for the same URL are received in one second, they are blocked
because they exceed the URL limit. To disable this setting, leave
this box empty.

HTTP Reporting Settings

Use the HTTP Reporting settings to enable or disable the display of the top URLs and top
domains on the View Protection Group page. This information appears in the Web Traffic
By URL section and the Web Traffic By Domain section, respectively.
The HTTP Reporting is enabled by default. By disabling the HTTP Reporting, you can
improve the performance of APS.
See the following topics for more information about these displays:
n “Viewing the Top URLs for a Protection Group” on page 206
n “Viewing the Top Domains for a Protection Group” on page 208

HTTP Reporting settings

The following setting applies to all protection levels:
HTTP Reporting settings

Setting Description
buttons category.

ICMP Flood Detection Settings

Use the ICMP Flood Detection settings to detect ICMP flood attacks.
An ICMP flood exploits the ping utility, which allows a user to verify that a particular IP
address exists and can accept requests. The attacker sends a large number of ICMP echo
requests to the victim web server. The server tries to respond to all of the requests until it
exhausts its resources and cannot respond to clean traffic.


Typically, a legitimate client does not send a large number of ICMP echo requests to a
single server. APS inspects the ICMP traffic that originates from a single source and records
the number of ICMP packets per second and bits per second. If the protection level is low,
then APS allows traffic up to the configured rate limit. If the protection level is medium or
high, APS blocks the hosts traffic and temporarily blocks the source host.
ICMP Flood Detection settings

The ICMP Flood Detection category contains the following settings for each protection level.
ICMP Flood Detection settings

Setting Description
Enable ICMP Flood Click one of these buttons to enable or disable this category.
Detection buttons
Maximum Request Type the maximum number of ICMP echo requests per
Rate box second that a source can send before it is blocked.
This rate limit represents what you consider to be a
reasonable amount of ICMP traffic.
Maximum bps box Type the maximum amount of traffic (in bps) to allow from a
single source.

Malformed HTTP Filtering Settings

Use the Malformed HTTP Filtering settings to protect against attacks that exhaust
resources by sending invalid or blank HTTP requests to a server.
The bots in a botnet sometimes manufacture the HTTP requests that they use to flood
victim servers, and these requests can be malformed. For example, the request header
might not conform to RFC 2616.

pages:

APS performs the following tests on HTTP requests:
n Verifies that the HTTP header conforms to RFC 2616 Section 2.2 "Basic Rules".
Exceptions to the RFC constraints on the space character are allowed.

n Verifies that the entire request is in a legal and consistent format.
If any of these evaluations fails, APS blocks the request. If the traffic is inbound, APS
temporarily blocks the source host or destination host.
Malformed HTTP Filtering settings

The Malformed HTTP Filtering category contains the following setting for each protection
level:
Malformed HTTP Filtering settings

Setting Description
Enabled and Click one of these buttons to enable or disable this category.
Disabled buttons Important
The Botnet Prevention settings work only if Malformed HTTP
Filtering is enabled. If you disable Malformed HTTP Filtering, the
Botnet Prevention settings for the corresponding protection
levels are disabled also. If you enable one of the Botnet
Prevention settings, the Malformed HTTP Filtering is enabled for
the corresponding protection levels. See “Botnet Prevention
Settings” on page 126.

Multicast Blocking Settings

Use the Multicast Blocking settings to protect against attacks that misuse multicast routing
to overwhelm a server’s resources.
About multicasting
Many attackers use multicasting to reflect and amplify attack traffic. For example, one type
of attack sends echo requests to a multicast address, spoofing the request source with the
victim’s IP address. The amplified request can result in an excessive number of responses
that overwhelm the victim server and prevent it from accepting clean traffic.
To protect against this kind of attack, APS blocks any inbound traffic whose source or
destination is a designated multicast address. APS also blocks any outbound traffic whose
source or destination is a designated multicast address.
Important
If you do not enable the DNS NXDomain Rate Limiting protection settings, the Multicast
Blocking settings do not block outbound traffic. In this situation, you must enable the
Outbound Threat Filter and add FCAP expressions to the filter list to block outbound
traffic. See “Configuring the Outbound Threat Filter” on page 115.

Multicast Blocking settings

The Multicast Blocking category contains the following setting for each protection level:
Multicast Blocking settings

Setting Description
buttons category.

Payload Regular Expression Settings

Use the Payload Regular Expression settings to drop malicious TCP traffic and UDP traffic
or to temporarily blacklist the hosts that sent the malicious traffic. Payload regular
expressions help you to identify attacks by packets that contain unique data patterns in
their payloads. You also can configure these protection settings to inspect packet headers.
Many application layer DDoS attacks and packet repetition attacks can be identified by
their payloads. The payload of a TCP packet or UDP packet consists of the data that
appears after the header.
The Payload Regular Expression protection settings are available for all of the IPv4 server
types and for the Generic IPv6 Server type. See “About the Server Types” on page 92.
You can configure the settings for each protection level. See “About the Protection Levels”
on page 86.
Navigating to the Payload Regular Expression settings

pages:

APS inspects all TCP traffic and UDP traffic sent from or sent to the specified ports, and
matches each regular expression against each payload's packet. If you enable the Apply
Regular Expression to Packet Headers setting, APS also matches each regular
expression against each packet's header.
You can select source or destination as the direction of the specified ports.
For inbound traffic, if the payload or header matches a regular expression, then APS
drops the packet or temporarily blocks all traffic from the host. For outbound traffic, if the
payload or header matches a regular expression, then APS drops the packet.
APS matches the regular expression against individual packets only. It does not detect
matching content that spans multiple packets.
Note
If you enter a regular expression, but you do not specify any ports or port ranges, APS
passes all TCP and UDP traffic.

Payload Regular Expression settings

The Payload Regular Expression category contains the following settings for each
protection level:
Payload Regular Expression settings

Setting Description
Enable Payload Click one of these buttons to enable or disable this category for
Regular Expression each protection level.
buttons
Port Direction To inspect traffic that is sent from TCP ports and UDP ports on
buttons source hosts, click Source . To inspect traffic that is sent to TCP
ports and UDP ports on destination hosts, click Destination .
Payload Regular Type the port numbers to define the TCP traffic to inspect. You
Expression TCP can enter port numbers and port ranges (for example, 10-22).
Ports box To inspect all TCP traffic, enter all.
Use spaces or commas to separate multiple port numbers.
If you set Port Direction to Source , APS matches the regular
expressions against TCP packets that are sent from the
specified ports. If you set Port Direction to Destination , APS
matches the regular expressions against TCP packets that are
sent to the specified ports.
Note
If you specify a regular expression, but you do not specify any
ports or port ranges, APS passes all TCP traffic.
Payload Regular Type the port numbers to define the UDP traffic to inspect. You
Expression UDP can enter single port numbers and port ranges (for example,
Ports box 10-22). To inspect all UDP traffic, enter all.
Use spaces or commas to separate multiple port numbers and
port ranges.
If you set Port Direction to Source , APS matches the regular
expressions against UDP packets that are sent from the
specified ports. If you set Port Direction to Destination , APS
matches the regular expressions against UDP packets that are
sent to the specified ports.
Note
If you specify a regular expression, but you do not specify any
ports or port ranges, APS passes all UDP traffic.

Payload Regular Expression settings (continued)

Setting Description
Payload Regular Type the regular expressions to match against packets sent
Expression box from or sent to the specified ports. Use PCRE format. If you add
multiple regular expressions, then press ENTER after each one.
APS uses the OR operator for multiple regular expressions.
Note
If you enter a regular expression, but you do not specify any
ports or port ranges, APS passes all TCP and UDP traffic.
If you enable the Apply Regular Expression to Packet
Headers option, then APS also matches these expressions
against the packet headers.
Apply Regular Click Enabled to match the regular expressions against packet
Expression to headers in addition to packet payloads. If you enable this
Packet Headers option, then APS blocks attacks based on specific patterns in
buttons packet headers.
To match the regular expressions against packet payloads only,
click Disabled.
Action to Apply Click Drop Packets to drop the packets that match regular
buttons expressions. Click Block Hosts to temporarily block all traffic
from the hosts of the packets that match the regular
expressions.
Note
This option only applies to inbound traffic. For outbound
traffic, APS always drops the packets that match the regular
expressions.

Private Address Blocking Settings

Use the Private Address Blocking settings to protect against attacks that spoof private IP
addresses.
on page 86.
Specific blocks of IP addresses are reserved for use on private networks and their traffic is
not intended to be routed to the internet. Typically, traffic from outside your network
should not originate from a private address. Such traffic is likely to be an attack in which
the private address is spoofed.
To protect against this kind of attack, APS inspects the inbound traffic and blocks any
traffic whose source or destination is a designated private address. APS also blocks any
outbound traffic whose source or destination is a designated private address.
Important
If you do not enable the DNS NXDomain Rate Limiting protection settings, the Private
Address Blocking settings do not block outbound traffic. In this situation, you must
enable the Outbound Threat Filter and add FCAP expressions to the filter list to block
outbound traffic. See “Configuring the Outbound Threat Filter” on page 115.

Private Address Blocking settings

The Private Address Blocking category contains the following setting for each protection
level:
Private Address Blocking settings

Setting Description
buttons category.

Rate-based Blocking Settings

The Rate-based Blocking settings use configured threshold values to identify and block
hosts that send excessive amounts of traffic to protected hosts or networks.
These protection settings are available for all of the IPv4 server types and for the Generic
IPv6 Server type. See “About the Server Types” on page 92.


You can configure these settings to help prevent flood, TCP SYN, and protocol attacks, as
well as connection table and request table exhaustion attacks. You also can configure
settings to prevent some user-initiated actions such as bulk content downloads and peer-
to-peer file hosting.
APS uses these settings to limit the rate at which any source host can send traffic. APS
constantly examines the bit rate and packet rate of traffic from each source host. If the
traffic exceeds either of the configured thresholds, APS temporarily blocks the source
host.
Typically, you should set the thresholds to rates that are higher than any legitimate host
would be expected to send on a sustained basis. These rates can vary depending on the
services that the hosts offer. For example, if the protected hosts are content servers and
the source hosts are clients that send only requests and acknowledgments, low traffic
rates are expected.
Note
APS uses a speed measurement algorithm that applies a smoothing function to reduce
the possibility that short-term, high-traffic spikes are treated as attacks.
Rate-based Blocking settings

The Rate-based Blocking category contains the following settings for each protection level.
Rate-based Blocking settings

Setting Description
Bits per Second Type the maximum rate of traffic in bits that a source can
Threshold box send before it is blocked.
Packets per Second Type the maximum rate of traffic in packets that a source
Threshold box can send before it is blocked.

SIP Request Limiting Settings

Use the SIP Request Limiting settings to limit the number of SIP requests that a host can
send per second. These settings prevent attacks that disrupt VoIP service by flooding the
VoIP network with too many SIP requests.


APS monitors the SIP requests from the source IP. It blocks any traffic that exceeds the
configured rate limit, and temporarily blocks the source host.
Because SIP servers can send a large amount of data in a single request, communications
between SIP servers may greatly exceed the rate limit. You can protect those servers by
adding them to a pass rule in the Filter List settings or adding them to the whitelist.
See “Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter” on
page 164 or “Whitelisting Inbound Traffic” on page 184 .
SIP Request Limiting settings

The SIP Request Limiting category contains the following setting for each protection level.
SIP Request Limiting settings

Setting Description
SIP Source Limit box Type the maximum number of SIP requests to allow per
second.

Spoofed SYN Flood Prevention Settings

Use the Spoofed SYN Flood Prevention settings to detect certain SYN flood attacks. A SYN
flood consists of a large number of uncompleted connection requests, which fill the
victim’s connection queues and consume its resources.
Important
If a cloud service provider forwards cleaned traffic through a GRE tunnel, then APS does
not inspect that traffic for Spoofed Syn Flood Prevention or DNS Authentication. In this
case, APS ignores these protection settings because it would have to send packets back
through the GRE tunnel.
The Spoofed SYN Flood Prevention protection settings are available for all of the IPv4 server
types and for the Generic IPv6 Server type. See “About the Server Types” on page 92.
About SYN flood attacks

A SYN flood attack exploits the TCP three-way handshake, which establishes a connection
between a client and a server. During a SYN flood attack, the attacker sends a large
number of SYN packets. However, because the SYN packets contain spoofed source IP
addresses, the handshake is never completed.
Both Spoofed SYN Flood Prevention and TCP SYN Flood Detection protect against SYN
flood attacks. By forcing all TCP clients to authenticate that they are valid, Spoofed SYN
Flood Prevention can protect against highly distributed attacks.
If APS cannot authenticate a TCP connection, then it drops the traffic on that connection
but does not block the host.
Navigating to the Spoofed SYN Flood Prevention settings

About TCP authentication

APS authenticates TCP traffic in one of the following ways:
n APS replies to the client’s initial SYN packet with an ACK that has a special sequence
number. If the client responds with the correct ACK, then APS authenticates the client,
resets the connection, and passes its traffic without additional authentication.
n If TCP Out of Sequence Authentication is enabled, then APS replies to the client’s
initial SYN with an ACK that imitates an existing, half-open TCP connection. If the client
sends a reset, then APS authenticates the client, and the client opens a new TCP
connection to the protected host.
This authentication method targets non-HTTP protocols, such as HTTPS and SMTP, that
do not support session redirects or retries. This method allows clients to connect to
protected hosts without having to manually refresh their web browsers.

About HTTP authentication

If you enable HTTP authentication, then APS ensures that the source host is a valid HTTP
client in one of the following ways:
n HTTP redirect — APS replies to the client’s initial request with a 302 redirect. If the client
sends a redirected request, then APS authenticates the client and redirects it to the
original URL.
This authentication method causes the web browser to retry the request without a
connection reset.
n HTTP soft reset — In this simplified version of the HTTP redirect authentication, APS
replies to the client, asking it to resend its request. If the client resends the request, then
APS authenticates the client.
n HTTP JavaScript — In response to a request, APS sends a small amount of JavaScript to
the client. If the client responds with a redirect, then APS authenticates the client.
Automating Spoofed SYN Flood Prevention

You can automate Spoofed SYN Flood Prevention. To do this, you enable the Spoofed
SYN Flood Prevention Automation setting and then specify an automation threshold.
If the rate of SYN packets sent to any protected host in a protection group exceeds this
threshold, then APS performs TCP authentication or HTTP authentication as configured.
Otherwise, if all protected hosts in a protection group are receiving SYN packets at a rate
below the threshold, then APS does not perform the configured authentication.
Testing the settings

Before you enable these settings for active mitigation, test them thoroughly in a lab
environment. Because these settings require two-way communications, they must be
tested in an inline deployment mode (Inline Routed or Inline Bridged) and the active
protection mode. See “Setting the Deployment Mode” in the APS User Guide and “Setting

Spoofed SYN Flood Prevention settings

The Spoofed SYN Flood Prevention protection category contains the following settings for
each protection level.
Spoofed SYN Flood Prevention settings

Setting Description
Prevent Click one of the following buttons to select the authentication

Spoofed SYN method that APS uses to detect spoofed SYN flood attacks:
Floods buttons
n Off — Disables spoofed SYN flood attack detection.
n TCP — Enables TCP authentication. APS inspects TCP traffic, to
authenticate the connections.
n TCP+HTTP — Enables HTTP authentication in addition to TCP
authentication. APS authenticates TCP connections and ensures
that the source host is a valid HTTP client.
The option that you select determines which protection settings are
available for this protection category.
Except on ports For applications that have difficulty with spoofed SYN flood
box authentication, type the affected application ports. If the traffic’s
destination ports match any of these ports, then APS skips the TCP
authentication.
TCP Out of Click one of these buttons to enable or disable this authentication
Sequence method. If you enable this setting, then APS uses this method to
Authentication authenticate a TCP connection instead of attempting to complete
buttons the TCP 3-way-handshake. See “About TCP authentication” on
page 146.
Spoofed SYN Click one of these buttons to enable or disable automating this
Flood protection category. If you automate this protection category, then
Prevention you must specify an automation threshold.
Automation
buttons

Spoofed SYN Flood Prevention settings (continued)

Setting Description
Automation Enter a value in pps. APS performs TCP authentication or HTTP

Threshold box authentication as configured only if the rate of SYN packets sent to
any protected host in a protection group exceeds this threshold. If
the rate of SYN packets falls below this threshold, then APS stops
performing the configured authentication.
HTTP Click one of the following buttons to select the method that APS
Authentication uses to authenticate HTTP traffic on ports 80 and 8080:
Method buttons
n Redirect — Sends a 302 redirect to the client.
n Soft Reset — Asks the client to resend its request.
n JavaScript — Sends a JavaScript response to the client.
Note
If you select the JavaScript option, then legitimate clients that
do not have JavaScript enabled cannot connect to protected
hosts.

TCP Connection Limiting Settings

Use the TCP Connection Limiting settings to limit the number of concurrent TCP
connections that can originate from a single host. These settings prevent attacks that
overwhelm the victim's connection resources with an excessive number of TCP
connections.
For example, some botnets open hundreds of active or inactive TCP connections. A
sufficiently large number of connections can consume all of the server's resources and
prevent the server from accepting clean traffic.


APS monitors the TCP requests from the source IP and counts the number of SYN
messages that are followed by an ACK message. When the number of concurrent
connections from a single host exceeds a preconfigured rate limit, it blocks that traffic. It
does not block the source host.
TCP Connection Limiting settings

The TCP Connection Limiting category contains the following setting for each protection
level:
TCP Connection Limiting settings

Setting Description
Enabled and Disabled Click one of these buttons to enable or disable this category
buttons for a protection level.

TCP Connection Reset Settings

Use the TCP Connection Reset settings to track established TCP connections and drop the
traffic when a connection remains idle for too long. This category can protect against the
following types of TCP state exhaustion attacks:
n flood
n TCP SYN
n slow HTTP post
n protocol
The TCP Connection Reset settings also can protect against the exhaustion of TCP
connection resources that occur when server connection tables are filled. These problems
can be caused by idle TCP connections or user-initiated actions such as bulk content
downloads and peer-to-peer file hosting.

When APS monitors a TCP connection, it verifies that the source host sends the request
header within a certain amount of time. APS also verifies that the host maintains a
specified rate of transmission for the entire request.
If a TCP connection does not meet these requirements, APS resets the connection. Also, if
any source host exceeds the configured number of consecutive violations, APS
temporarily blocks the host.

About the protected ports

APS applies the TCP Connection Reset settings to the following ports:
n 80 — HTTP traffic (web traffic)
n 443 — HTTPS traffic (web traffic)

n 25 — SMTP traffic (email)
You cannot manually configure the ports for the TCP Connection Reset settings.

TCP Connection Reset settings

The TCP Connection Reset category contains the following settings for each protection
level.
TCP Connection Reset settings

Setting Description
Enable TCP Click one of these buttons to enable or disable this category.
Connection Reset
buttons
Minimum Request Type the minimum rate of bits per second that a host must
Bit Rate box maintain when sending an individual request. APS checks
several times per minute to verify that the transmitted data
does not fall below this limit.
If the data rate falls below this limit for a minimum of 60
seconds, APS resets the connection or blocks the host.
TCP Connection Type the number of seconds that must elapse before an idle
Idle Timeout box connection is reset or blocked. For the medium and high
protection levels, the default value is 120 seconds.
There is no default value for the low protection level.
Track Connections Click Enabled to track a connection after it leaves the initial
After Initial State state.
check box
TCP Connection Type the number of seconds that a connection can be idle after
Initial Timeout box it is first established before it is blocked.
Initial Timeout Type the number of bytes that a host must send within the
Required Data box initial timeout period for the timeout to be canceled.
For example, the default TCP Connection Initial Timeout is
10 seconds and the default Initial Timeout Required Data is
1 byte. In this case, the connection has 10 seconds in which to
send 1 byte of data. If the specified amount of data is not sent
within 10 seconds, then the connection is reset.
Consecutive Type the number of consecutive idle connections to allow

Violations before before a host is blocked.
Blocking Source You can enter a larger number for applications with multiple
box TCP control connections that might be idle simultaneously due
to a single lack of user action.

TCP SYN Flood Detection Settings

Use the TCP SYN Flood Detection settings to detect TCP SYN flood attacks, which are also
known as SYN floods. A SYN flood consists of a large number of connection requests that
cannot be completed. These requests fill the victim’s connection queues and consume its
resources.
on page 86.
About SYN flood attacks

The SYN flood attack exploits the TCP three-way handshake that establishes a connection
between a client and a server. During a SYN flood attack, the attacker sends a large
number of SYN packets. However, it does not return the final ACK responses and the
handshake is never completed.
The server waits for the ACK responses until it times out. A sufficiently large number of
half-open connections can consume all of the server’s resources and prevent the server
from accepting clean traffic.
Both Spoofed SYN Flood Prevention and TCP SYN Flood Detection protect against SYN
flood attacks. However, while Spoofed SYN Flood Prevention can protect against highly
distributed attacks, TCP SYN Flood Detection uses rate thresholds to detect high rate,
undistributed SYN flood attacks.


APS intercepts all TCP traffic that originates from a single source and then completes the
following tests:
n Compares the number of SYN packets per second to the configured SYN Rate .
n Subtracts the number of ACK packets from the number of SYN packets and compares
the result to the configured SYN ACK Delta Rate.
APS blocks any traffic that exceeds either of these rate limits and temporarily blocks the
source host.

TCP SYN Flood Detection settings

The TCP SYN Flood Detection category contains the following settings for each protection
level:
TCP SYN Flood Detection settings

Setting Description
Enable SYN Flood Click one of these buttons to enable or disable this category.
Detection buttons
SYN ACK Delta Type the allowable difference between the number of ACK
Rate box packets and the number of SYN packets (SYN - ACK = delta). This
rate should be lower than the SYN Rate.
In clean traffic, the number of ACK packets from a specific
source should exceed or be slightly less than the number of SYN
packets from that source. This threshold represents the
allowable difference between the two types of packets and
allows APS to detect attackers that send only SYN packets.
SYN Rate box Type the number of packets per second that a source can send
before it is blocked.
In a data center environment, a client typically does not establish
a large number of connections per second. This threshold
allows APS to detect very blatant SYN floods based on the
number of connection requests from a single source.

TLS Attack Prevention Settings

Use the TLS Attack Prevention settings to protect against attacks that exploit SSL or TLS on
application servers such as Web, Mail, or secure VPN servers.
The SSL (Secure Socket Layer) and TLS (Transport Layer Security) encryption protocols
underlie secure services on the internet. Because these protocols are resource intensive,
the services that rely on them are particularly vulnerable to resource exhaustion attacks.
During these attacks, clients send small requests that force the server to perform a
disproportionately large amount of work to set up a secure session.
The TLS Attack Prevention settings enforce correct protocol usage and block malformed
SSL and TLS requests. These settings also block clients that attempt to exploit the
protocols to exhaust server resources.
on page 86.


When an SSL or TLS request is received, APS performs the following tests:
n Validates the request according to the following criteria:
l The negotiation messages are well-formed.

l The protocol options are used properly.
l The message length and fragmentation are reasonable.
l The protocol version is acceptable.
n Verifies that acceptable SSL or TLS handshake behaviors occur as follows:
l The messages are sent in the correct sequence.
l Renegotiation requests do not occur outside of an established session.
n Verifies that the following items do not exceed the preconfigured limits:
l The number of cipher suites that are advertised.
l The number of extensions that are sent.
l The number of compression algorithms that are advertised.
l The number of connections that are closed before a handshake is completed.
If any of these evaluations fails, APS blocks the request and temporarily blocks the source
host.

TLS Attack Prevention settings

The TLS Attack Prevention category contains the following setting for each protection level:
TLS Attack Prevention settings

Setting Description
buttons category.

Traffic Shaping Settings

Use the Traffic Shaping settings to limit the forwarding rate of the traffic that matches a
specific filter. These settings limit attack traffic to a level that allows protected hosts to
function and allows some clean traffic to reach those hosts.
The Traffic Shaping protection settings are available for all of the IPv4 server types and for
the Generic IPv6 Server type. See “About the Server Types” on page 92.
Note
Traffic shaping is also known as rate limiting.


APS inspects each packet to determine if it matches the filter that you define. If the packet
matches or if no filter is defined, APS compares the packet forwarding rate to the
maximum rate settings. If the packet would cause the forwarding rate to exceed either of
the maximum rates, APS blocks the packet. It does not block the source host.
Caution
Traffic shaping restricts clean traffic and attack traffic equally.
Use traffic shaping in the following situations only:

n when other settings fail to mitigate an attack and you cannot mitigate it in another way
n when other settings succeed only partially and the traffic levels remain high enough to
be a continued threat
If you enable this category, you must set at least one of the maximum rate settings.
Traffic Shaping settings

The Traffic Shaping category contains the following settings for each protection level:
Traffic Shaping settings

Setting Description
Enable Traffic Click one of these buttons to enable or disable this category.
Shaping buttons
Maximum bps box Type the maximum amount of traffic (in bps) to allow.
Maximum pps box Type the maximum amount of traffic (in pps) to allow.
Filter box (Optional) Type an FCAP expression that corresponds to the

data that you want to match. For example, you can match IP
addresses, CIDRs, and other traffic attributes.
Type one expression per line. To include a comment, type a
number sign (#) at the beginning of each comment line.

UDP Flood Detection Settings

Use the UDP Flood Detection settings to protect against attacks that send an excessive
number of UDP packets to a server to exhaust its resources.
on page 86.
About UDP floods

A UDP flood occurs when an attacker sends a large number of UDP packets to random
ports on a server, often from a spoofed IP address. The server tries to determine the
applications that are listening on those ports. Because no applications are listening, the
server is forced to reply with many ICMP Destination Unreachable packets. If the number
of ICMP packets is great enough, the server becomes unavailable to other clients.
APS inspects the UDP traffic that originates from a single source and records the bits per
second and packets per second. It blocks any traffic that exceeds the configured rate
limits. If the protection level is medium or high, it temporarily blocks the source host.

UDP Flood Detection settings

The UDP Flood Detection category contains the following settings for each protection level.
UDP Flood Detection settings

Setting Description
Enable UDP Flood Click one of these buttons to enable or disable this
Detection buttons category.
Maximum bps box Type the maximum amount of traffic (in bps) to allow
Maximum pps box Type the maximum amount of traffic (in pps) to allow

Section 9:
Configuring Filter Lists to Drop and
Pass Traffic
Filter lists allow you to configure fingerprint expression (FCAP) filters (rules) that drop and
pass traffic without further inspection. You can configure two types of filter lists.
Master filter lists compare the FCAP expressions to all protection group traffic across all
protection levels.
Filter lists compare FCAP expressions only to traffic for specific server types or the
outbound threat filter. These filter lists also allow you to configure different expressions
for each protection level.
In APS Console, you can configure both types of filter lists for multiple APS devices.
In this section
About Filter Lists 160

Configuring Master Filter Lists 162
Configuring Filter Lists for Specific Server Types or the Outbound Threat Filter 164

About Filter Lists

Filter lists allow you to configure flow capture (FCAP) fingerprint expression rules that drop
and pass traffic without further inspection. You can configure two types of filter lists:
n Master filter lists for all protection groups across all protection levels. See “Master filter
lists” below.
n Filter lists for specific server types or the outbound threat filter. See “Filter lists for
specific server types or the outbound threat filter” below.
If a drop FCAP expression matches inbound traffic, then APS drops the matching traffic for
active protection groups only. If a drop FCAP expression matches outbound traffic, then
APS drops the matching traffic only when the outbound threat filter is enabled. See
“Setting the Protection Mode (Active or Inactive)” on page 84.
Note
If you manage multiple APS devices with APS Console, you can configure filter lists on
APS Console for the managed APS devices.
Master filter lists

Master filter lists contain drop and pass FCAP expressions that APS compares to all
inbound traffic. If any FCAP expression matches inbound traffic for an active protection
group, APS drops or passes the matching traffic without further inspection. See “Setting
Use master filter lists if you have a common list of FCAP expressions to apply to all
protection groups across all protection levels. When you use master filter lists, you do not
have to create filter lists for each server type at each protection level.
There are two master filter lists: a list for IPv4 protection groups and a list for IPv6
protection groups. Each time you edit a master filter list, APS applies the updated list to all
IPv4 protection groups or all IPv6 protection groups. APS also automatically applies the
master filter lists to new protection groups that you add.
See “Configuring Master Filter Lists” on page 162.
Filter lists for specific server types or the outbound threat filter
You can configure filter lists for specific server types. This type of filter list compares drop
and pass FCAP expressions to traffic for protection groups that are associated with a
specific server type. These filter lists let you configure different expressions for each
protection level. See “About the Protection Levels” on page 86.
You also can configure filter lists that compare FCAP expressions to outbound traffic. See
Use these filter lists to mitigate threats based on specific situations. For example, if the
mitigation protects a server group that obtains content from other sources, then add the
connections to those other sources to a pass rule. Because you know that those
connections are legitimate, you can exempt them from further inspection.
page 164.

Section 9: Configuring Filter Lists to Drop and Pass Traffic
How APS evaluates and processes packets

APS uses master filter lists and filter lists to evaluate and process packets as follows:
n Immediately drops any packets that match a drop rule. APS does not evaluate any
additional rules or apply further settings for those packets.
n Immediately passes any packets that match a pass rule. APS does not evaluate any
additional rules or apply further settings for those packets.
n Passes the packets to the next protection category for further evaluation if they do not
match a drop rule or a pass rule.
Alternate methods for passing and dropping traffic

If you prefer not to use FCAP expressions, you can add hosts to the blacklist and whitelist
to drop and pass traffic without further inspection. However, FCAP expressions are more
flexible and powerful in their ability to find specific traffic. See “About Blacklisting and
Whitelisting Traffic” on page 168.
Order of evaluation
APS evaluates the items to drop and pass on master filter lists, filter lists, and the blacklist
and whitelist in the following order:
n the host blacklist and the whitelist
n the master filter lists

n server-type filter lists
n the blacklists for countries, URLs, and domains
For example, consider the following rules:

n 192.0.2.0/24 in the whitelist
n drop 192.0.2.11 in the master filter list
APS applies the rules as follows:
n Passes all of the traffic from the addresses within the range 192.0.2.0/24.
n Passes the traffic from 192.0.2.11, because it falls within the 192.0.2.0/24 address range.
Therefore, the traffic from this address cannot be dropped.

Configuring Master Filter Lists

Use a master filter list to configure drop and pass flow capture (FCAP) fingerprint
expression rules to compare to traffic for IPv4 protection groups and IPv6 protection
groups. APS applies the FCAP expressions in the master filter lists across all protection
levels.
Master filter lists drop and pass inbound traffic only.
Important
If a drop FCAP expression matches inbound traffic, APS drops the matching traffic for
active protection groups only. See “Setting the Protection Mode (Active or Inactive)” on
page 84.
You also can configure filter lists that apply to a specific server type only or to the
outbound threat filter. These filter lists drop and pass inbound traffic and outbound traffic.
page 164.
About managing the master filter lists from APS Console

If you manage your APS devices from APS Console, then you can configure master filter
lists in APS Console and propagate the configurations to each managed APS.
Caution
When you connect an APS device to APS Console, the master filter lists on APS Console
replace the master filter lists on APS. Thereafter, any changes to the master filter lists on
APS Console are periodically copied to each APS. See “1About the APS Console - APS
Data Synchronization” on page 78.
changes are not copied to APS Console. As a result, any local changes that you make on
Configuring and editing master filter lists

To configure or edit a master filter list:
1. Select Protect > Inbound Protection > Master Filter Lists.
2. On the View Master Filter Lists page, click Edit.
3. In the IPv4 FCAP Expressions box and the IPv6 FCAP Expressions box, enter FCAP
expressions that correspond to the data to match. Enter expressions to match IP
addresses, CIDRs, and other traffic attributes.
Include a drop or pass keyword to specify the action to take on the matched data. If
you do not specify a keyword, then APS considers it a drop action.
Type one expression per line. To include a comment, type a number sign (#) at the
beginning of each comment line.
See “FCAP Expression Reference” on page 344.
4. To edit the lists, enter new expressions or delete the existing expressions in the FCAP
Expressions boxes.
5. Click Save.

Example: Master filter list settings

If you want to pass TCP/22 SSH traffic from a block of addresses and block all other
TCP/22 SSH traffic, then enter the following FCAP expressions:
pass port 22 and src 192.0.2.0/24
drop port 22
All the port 22 traffic from 192.0.2.0/24 passes automatically, and APS blocks the other port
22 traffic automatically.
Order of evaluation within the master filter lists

APS evaluates the FCAP expressions in the order in which they appear in the lists. For
example, consider the following rules:
pass src 192.0.2.11
drop proto udp
APS applies these rules as follows:

n Passes all of the traffic from 192.0.2.11, regardless of the protocol
n Drops all of the UDP traffic whose source is not 192.0.2.11

Configuring Filter Lists for Specific Server Types or the

Outbound Threat Filter
Use the filter list settings to configure a list of flow capture (FCAP) fingerprint expression
rules to drop and pass inbound traffic without further inspection. You configure a filter list
at the server-type level, so the filter list only applies to protection groups to which the
server type is assigned. This type of filter list lets you configure different expressions for
each protection level. See “About the Protection Levels” on page 86.
You also can use filter list settings to drop and pass outbound traffic. To compare FCAP
expressions in a filter list to outbound traffic, you configure the filter list settings for the
outbound threat filter. See “Configuring the Outbound Threat Filter” on page 115.
If a drop FCAP expression matches inbound traffic, then APS drops the matching traffic for
active protection groups only. If a drop FCAP expression matches outbound traffic, then
APS drops the matching traffic only when the outbound threat filter is enabled. See
“Setting the Protection Mode (Active or Inactive)” on page 84.
The Filter List protection settings are available for all of the IPv4 server types and for the
Generic IPv6 Server type. See “About the Server Types” on page 92.
Note
You can configure master filter lists that compare drop and pass FCAP expressions to
traffic for all protection groups. See “Configuring Master Filter Lists” on page 162.
Configuring and editing filter lists for server types

To configure or edit a filter list for a server type:
2. In the Server Types list, click the name link of the server type to edit.
3. In the left navigation menu, click Filtering.
4. In the Filter FCAP Expressions boxes in the Filter List section, enter the FCAP
expressions that correspond to the data to match. Enter expressions to match IP
addresses, CIDRs, and other traffic attributes. You can enter expressions for each
protection level.
you do not include a keyword, then APS considers it a drop action.
Important
You can use IPv6 addresses in FCAP expressions only for the standard Generic IPv6
Server type and custom server types that are based on it.
5. To edit the filter list, enter new expressions or delete the existing expressions in the
Filter FCAP Expressions boxes.
6. Click Save.

Configuring and editing filter lists for the outbound threat filter
To configure or edit a filter list for the outbound threat filter:
1. Select Protect > Inbound Protection > Outbound Threat Filter.
2. On the Outbound Threat Filter page, click Filtering.
3. Select the Enable Outbound Threat Filter check box.
4. In the Filter FCAP Expressions boxes, enter the FCA expressions that correspond to
the data to match. Enter expressions to match IPv4 IP addresses, IPv4 CIDRs, and
other traffic attributes. You can enter expressions for each protection level.
you do not include a keyword, then APS considers it a drop action.
5. To edit the filter list, enter new expressions or delete the existing expressions in the
Filter FCAP Expressions boxes.
6. Click Save.
Example: Filter list settings

If you want to pass TCP/22 SSH traffic from a block of addresses and block all other
TCP/22 SSH traffic, then enter the following FCAP expressions:
pass port 22 and src 192.0.2.0/24
drop port 22
All the port 22 traffic from 192.0.2.0/24 passes automatically, and APS blocks the other port
22 traffic automatically.
Order of evaluation within filter lists

APS evaluates the FCAP expressions in the order in which they appear in the lists. For
example, consider the following rules:
pass src 192.0.2.11
drop proto udp
APS applies these rules as follows:

n Passes all of the traffic from 192.0.2.11, regardless of the protocol
n Drops all of the UDP traffic whose source is not 192.0.2.11


Section 10:
Managing the Blacklists and Whitelists
APS uses blacklisting to protect your network from malicious traffic, and it uses whitelisting
to allow trusted traffic.
In this section
About Blacklisting and Whitelisting Traffic 168

About the Capacity of the Blacklists and Whitelists 172
Blacklisting Inbound Traffic 174
Viewing and Searching the Inbound Blacklist 177
Blacklisting Outbound Traffic 180
Viewing and Searching the Outbound Blacklist 182
Whitelisting Inbound Traffic 184
Viewing and Searching the Inbound Whitelist 186
Whitelisting Outbound Traffic 188
Viewing and Searching the Outbound Whitelist 190

About Blacklisting and Whitelisting Traffic

APS uses blacklisting to protect your network from malicious traffic, and it uses whitelisting
to allow trusted traffic. APS uses the blacklists and whitelists as filters to block or pass
traffic without further inspection, regardless of the current protection level.
About the blacklists and whitelists

Users configure the blacklists and whitelists; APS does not blacklist or whitelist hosts
automatically.
You can create and manage the following types of blacklists and whitelists:
Types of blacklists and whitelists

Items you can
List Purpose add
Inbound blacklist Blocks the inbound traffic that originates from Hosts (both
specific hosts or countries, or from the clients IPv4 and IPv6),
that access specific domains or URLs in your countries, and
network. domains
Inbound whitelist Passes the inbound traffic that originates from Hosts (both
specific hosts. IPv4 and IPv6),
countries, and
domains
Outbound Blocks the traffic that is sent from specific internal Hosts and
blacklist hosts or to specific external hosts. Also blocks the countries (IPv4
traffic that originates from your network and is only)
sent to specific countries.
Outbound Passes the traffic that originates from your Hosts (IPv4
whitelist network and is sent from specific hosts or to only)
specific hosts.
Note
The Invalid Packets category takes precedence over the whitelist and blacklist. As a result,
APS blocks invalid packets from whitelisted hosts. Also, any traffic from hosts on the
blacklist or whitelist that matches invalid packets is attributed to invalid packets in the
Attack Categories graphs.
APS combines the blacklist items and the whitelist items and stores them in a blacklist-
whitelist table, based on protocol. If an APS is managed by APS Console, any blacklist
items and whitelist items that are added in APS Console also are stored in the blacklist-
whitelist table. See “About the Capacity of the Blacklists and Whitelists” on page 172.

Section 10: Managing the Blacklists and Whitelists
About managing the blacklists and whitelists from APS Console

When you use APS Console to manage APS, you can configure blacklists and whitelists on
APS Console and propagate the configurations to each managed APS.
When you first connect an APS device to an APS Console, the blacklists and whitelists on
APS Console are copied to APS. Any blacklists or whitelists that were already on APS are
merged with the items from APS Console. Thereafter, any changes to the blacklists and
whitelists on APS Console are periodically copied to each managed APS device as
appropriate.
Caution
Blacklisting and whitelisting items

You can blacklist and whitelist items from the following areas in the UI.
Note
On the Outbound Blacklists page and the Outbound Whitelists page, you can blacklist
and whitelist IPv4 addresses only.
Locations for blacklisting and whitelisting items

Page Reference
Inbound Blacklists See “Blacklisting Inbound Traffic” on page 174.
Outbound See “Blacklisting Outbound Traffic” on page 180.

Blacklists
Inbound Whitelists See “Whitelisting Inbound Traffic” on page 184.
Outbound See “Whitelisting Outbound Traffic” on page 188.

Whitelists
View Protection Note

Group You can blacklist and whitelist IPv6 items globally, for all
protection groups. You cannot blacklist and whitelist IPv6 items
for individual protection groups.
See the following topics:
n “Viewing the Top IP Locations for a Protection Group” on
page 210
n “Viewing the Top URLs for a Protection Group” on page 206
n “Viewing the Top Domains for a Protection Group” on
page 208
Blocked Hosts Log See “Taking action on a blocked host” on page 262.

About blacklisting and whitelisting inbound traffic by protection group

You can blacklist and whitelist inbound traffic at the following levels.
Levels of blacklisting and whitelisting

Level Traffic that is affected
Individual The IPv4 traffic that is destined for one or more specific protection
protection group groups on an APS. For example, on the Summary page, you can
blacklist a country for a specific protection group.
Note
You can blacklist and whitelist IPv6 items globally, for all
protection groups. You cannot blacklist and whitelist IPv6 items
for individual protection groups.
All protection The traffic that is destined for all protection groups on an APS.
groups
Typically, the options to blacklist or whitelist IPv4 items for a specific protection group are
available on the pages that contain protection-group-level information. For example, on
the View Protection Group page, when you click the Blacklist button, the following
options appear: All PGs and For this PG.
When the items from the blacklist or whitelist appear throughout the UI, the associated
protection group information is displayed.
Note
Outbound traffic is not associated with protection groups.
About removing items from the blacklist

Certain areas of the UI that display blocked traffic allow you to remove an item from the
blacklist, which is also referred to as unblocking. For example, in the Top Countries section
of the Summary page, you can unblock a blacklisted country.
Unblocking an item removes it from the blacklist but does not add it to the whitelist.
How quickly do blacklisting, whitelisting, and unblocking affect the traffic?

When you blacklist, whitelist, or unblock a host, country, domain, or URL, its traffic is
affected as follows:
n When you blacklist or whitelist an item, APS begins to block or pass its traffic
immediately.
n When you unblock an item, APS can take several minutes to remove it from the blacklist
and pass its traffic.
n When you whitelist a host or remove a host from the blacklist, and that host is
temporarily blocked, it is removed from the Temporarily Blocked Sources list
immediately. When you do the same for a CIDR or country that contains temporarily
blocked hosts, those hosts are removed from the Temporarily Blocked Sources list
within five minutes. You can unblock an individual IP address immediately by
whitelisting that IP address.

After you blacklist, whitelist, or unblock an item in APS Console, the change is applied to
APS during the next synchronization. See “1About the APS Console - APS Data
Synchronization” on page 78.

About the Capacity of the Blacklists and Whitelists

APS combines the blacklist items and the whitelist items and stores them in a blacklist-
whitelist table, based on protocol. If an APS is managed by APS Console, any blacklist
items and whitelist items that are added in APS Console also are stored in the blacklist-
whitelist table. See “About managing the blacklists and whitelists from APS Console” on
page 169 .
Capacity of the blacklists and whitelists

The maximum number of IP addresses and CIDRs that APS stores in the IPv4 blacklist-
whitelist table is as follows. This total includes the items on the blacklists and whitelists for
inbound traffic and outbound traffic.
IPv4 blacklist-whitelist table

APS model Supported number of items
2800 16,000
2600 6,400
2100 6,400
vAPS 2,000
The maximum number of IP addresses and CIDRs that APS stores in the IPv6 blacklist-
whitelist table is as follows. This total includes the items on the blacklist and whitelist for
inbound traffic.
IPv6 blacklist-whitelist table

APS model Supported number of items
2800 5,091
2600 2,036
2100 4,072
vAPS 1,272
For domains, URLs, and countries, you can blacklist a combined total of 5,000 items.
For general information about the blacklists and whitelists, see “About Blacklisting and
Whitelisting Traffic” on page 168 .
What happens when the capacity is exceeded

If your blacklists and whitelists contain a large number of items, the addition of new items
can cause the blacklist-whitelist table to exceed the capacity. In APS, you cannot enter any
item that would exceed the capacity of the blacklists or whitelists. APS Console accepts the
excess items, whether they are entered in the UI or added during the initial
synchronization of APS.

When the addition of an item causes APS Console to exceed the capacity of its blacklist-
whitelist table, APS Console treats that item as follows:
n The excess item is added to the blacklist or whitelist on APS Console, but it is marked as
disabled and does not affect any traffic.
n The disabled item appears on the blacklist page or whitelist page in the APS Console UI,
but it is dimmed. You can delete the item as needed.
n When a non-disabled item is deleted from a blacklist or whitelist, space can become
available for the addition of a disabled item. APS Console finds the oldest disabled item
and enables it. A global inbound item is enabled for all of the protection groups; a
protection group-specific item is enabled for that protection group only.
How synchronization between APS Console and APS affects the capacity
During the synchronization of the blacklists and whitelists between APS Console and APS,
either APS Console or APS can exceed the capacity of the IPv4 blacklist-whitelist table. For
example, a global item on APS Console can combine with the existing items on APS to
exceed the capacity on APS. When an item from APS Console causes APS to exceed the
capacity, the new item is not added to APS.
During the initial synchronization, if the addition of existing items from APS to APS Console
causes APS Console to exceed the capacity, the following events occur:
n The item is added to APS Console, but is disabled.
n On APS, the item that caused APS Console to exceed its capacity is deleted.
n Other APS devices do not obtain the disabled item during synchronization, even if they
have the capacity to accept the item.
For example, a disabled inbound item might apply to a specific protection group. Even
if the protection group is assigned to an APS that is below its capacity, that APS does not
obtain the disabled item.
n When APS Console enables an item that was disabled, the item is applied to all of the
appropriate APS devices.

Blacklisting Inbound Traffic

Use inbound blacklisting to block the traffic to your network that originates from specific
hosts or countries, or from the clients that access specific domains in your network. APS
always blocks the traffic from the blacklisted hosts without further inspection, regardless
of the current protection level.
You can configure the blacklists in APS Console and propagate the configurations to each
managed APS as appropriate. You also can view the items that were added to the inbound
blacklist from APS Console and on all the APS devices that APS Console manages. See
“Viewing and Searching the Inbound Blacklist” on page 177.
For general information about blacklisting, see “About Blacklisting and Whitelisting
Traffic” on page 168 .
Caution
Because the configurations from APS Console can overwrite the configurations on APS,
any local changes that you make on APS might be lost. Generally, you should not edit the
configurations locally on a managed APS.
About the blacklist settings

On the Inbound Blacklists page, you can blacklist the traffic’s source in the following ways:
n by the IP address or CIDR
n by the country
n by the domain or URL that is specified in the HTTP request header
If the blacklists or whitelists contain an IP address and a CIDR that overlaps that IP
address, the most specific address always takes precedence. For example, if the IP
address 10.2.3.141 is on the whitelist, and you blacklist the CIDR 10.2.3.0/24, the IP address
remains whitelisted.
If you whitelist a host or remove a host from the blacklist, and that host is temporarily
blocked, it is removed from the Temporarily Blocked Sources list immediately. When you
do the same for a CIDR that contains temporarily blocked hosts, those hosts are removed
from the Temporarily Blocked Sources list within five minutes. You can unblock an
individual IP address immediately by whitelisting that IP address.
Adding items to the inbound blacklist

To add items to the inbound blacklist:
1. Select Protect > Inbound Protection > Blacklists.
2. On the Inbound Blacklists page, select one of the following tabs:
l Source IP Address tab — to blacklist an IP address or country
l Domains and URLs tab — to blacklist a domain or URL
3. In the Add box, type any combination of the following items separated by commas,
and then click Add:

Selected tab What you can add

Source IP Address n IPv4 or IPv6 address
tab n CIDR
n Country name
As you type the name, the system displays the countries
that match your entry, and you can select a country from
the list.
Domains and n Domain, for example, domain.com

URLs tab n URL, for example, www.domain.com/doc1/?search=text
When you blacklist a domain or URL, APS blocks the traffic
by matching the domain or URL that is specified in the HTTP
request header.
This audit trail information will be visible from the Inbound Blacklists page.
Deleting items from the inbound blacklist

Deleting an item from the blacklist does not add it to the whitelist. If you want to whitelist a
host from the Inbound Blacklists page, see “Whitelisting blacklisted hosts” below.
To delete an item from the inbound blacklist:

2. On the Inbound Blacklists page, select the tab for the item that you want to delete.
3. Delete the item as follows:
l To delete the item for all the protection groups, click (Remove ) to the far right of
the item.
l To delete the item for a specific protection group, hover your mouse pointer over
the protection group in the PGs Affected column. Click the (Remove ) icon that
appears.
Whitelisting blacklisted hosts

Because only IP addresses and CIDRs can be whitelisted, this option is available in the
Blacklisted Hosts section only.
When you whitelist a blacklisted host, it is removed from the blacklist and added to the
whitelist. If the host was blacklisted for specific protection groups only, then it is whitelisted
for those protection groups.
To whitelist a blacklisted host:

1. Select Protect > Inbound Protection > Whitelists.
2. On the Inbound Blacklists page, select the Source IP Address tab.
3. Click the Whitelist button to the far right of the IP address or CIDR.

This audit trail information will be visible from the Inbound Whitelists page.

Viewing and Searching the Inbound Blacklist

The Inbound Blacklists page in APS Console allows you to view the entire blacklist for all of
the APS devices managed by APS Console. You can search this blacklist for specific hosts,
CIDRs, countries, domains, or URLs. You can enter only one item per search but the search
can return multiple results.
You also can use the Inbound Blacklists page to blacklist inbound traffic for all of the
managed APS devices. See “Blacklisting Inbound Traffic” on page 174.
Viewing the inbound blacklist

To view the inbound blacklist:
2. On the Inbound Blacklists page, select the Source IP Address tab or the Domains
and URLs tab.
3. (Optional) You can collapse or expand the sections on the page at any time by clicking
(collapse) or (expand), respectively.
By default, all of the sections appear.
If the blacklisted items continue on multiple pages, you can use the paging icons at
the upper-right of each section to view additional items for that section. See “Using
Navigation Controls” on page 24.
4. To filter the list to display items of interest, you can search for specific blacklisted
items. See “Searching the inbound blacklist” below.
Searching the inbound blacklist

When you view the inbound blacklist, you can filter the list to display items of interest by
searching for one or more blacklisted items.
A search for any of the items on the Source IP Address tab returns any blacklisted IP
addresses, CIDRs, or countries that are associated with that address.
To search the inbound blacklist:

2. On the Inbound Blacklists page, select the Source IP Address tab or the Domains
and URLs tab.
3. In the Search box, type a search string as follows:

Selected tab Search strings

Source IP Address Type one of the following search strings:
tab n An IPv4 or IPv6 address.
n An IPv4 or IPv6 address range, with a hyphen to separate
the beginning IP address and ending IP address. For
example: 192.0.2.1-192.0.2.10
n A CIDR.
n A country name. As you type, the system displays the
countries that match your entry. You can continue to type
the country name or select a country from the list.
Domains and Type one of the following search strings:

URLs tab n A full domain name or partial domain name.
n A full URL or partial URL.
4. Click Search .
5. If an item that you searched for is not on the inbound blacklist, a message appears.
The following options might be available:
l You can click (add) in the message to add that item to the blacklist.
l (Source IP Address tab only) If the host is on the inbound whitelist, you can click
the link in the message to open the Inbound Whitelists page and display that host.
Information on the Inbound Blacklists page

By default, the inbound blacklist is sorted by the Since column, beginning with the most
recent items. You also can sort the inbound blacklist by the Hostname , Country, Domain
Name , or URLs columns on their respective tabs. For more information about sorting, see
“Sorting information in tables” on page 24.
For each blacklisted item, the Inbound Blacklists page displays the following information:

Inbound Blacklists details

Hosts (Source IP Address tab only) Displays the blacklisted host’s IP
address or CIDR. If the system can identify the host’s country, this
column also includes a flag icon that represents the country.
If the system can resolve the hostname, you can see the hostname
by hovering your mouse pointer over the IP address or CIDR. For
IPv4 hosts that are not private networks, you can see the country
name by hovering your mouse pointer over the flag icon.
Note
Country mappings do not exist for IPv6 addresses. If the source is
an IPv6 address, then this column includes an IPv6 flag icon
instead of a country flag icon. Also, for private networks, this
column includes a 10 icon or a 192 icon.
Country (Source IP Address tab only) Displays the blacklisted country. If

the system can identify the country’s flag, this column also displays
a flag icon.
Domain Name (Domains and URLs tab only) Displays the blacklisted domain.
URLs (Domains and URLs tab only) Displays the blacklisted URL.
Since Indicates the amount of time that the item has been on the
inbound blacklist.
(information) Displays the audit trail entry, if any, that was created when this item
was added to the list. Click next to the time period in the Since
column.
PGs Affected Displays the protection groups for which the item is blacklisted.
When multiple protection groups are listed, you can hover your
mouse pointer over a protection group to display (Remove ).
Click to remove the item from the blacklist for that protection
group only.
Whitelist button Allows you to add the item to the inbound whitelist.
Because you only can whitelist hosts, this option is available in the
Blacklisted Hosts section only.
(Remove ) Allows you to remove the item from the inbound blacklist for all of
the protection groups without whitelisting it.

Blacklisting Outbound Traffic

Use outbound blacklisting to block the IPv4 traffic that originates from your network and is
sent from specific internal hosts or to specific external hosts. APS always blocks the traffic
from the blacklisted hosts without further inspection, regardless of the current protection
level. For the outbound blacklist to take effect, you must enable the outbound threat filter.
Note
You cannot add IPv6 traffic to the outbound blacklist.
When you use APS Console to manage APS, you can configure the blacklists in APS
Console and propagate the configurations to each managed APS as appropriate. You also
can view the items that were added to the outbound blacklist from APS Console and on all
of the APS devices that APS Console manages. See “Viewing and Searching the Outbound
Blacklist” on page 182.
For general information about blacklisting, see “About Blacklisting and Whitelisting
Caution
Because the configurations from APS Console can overwrite the configurations on APS,
any local changes that you make on APS might be lost. Generally, you should not edit the
configurations locally on a managed APS.
About the outbound blacklist settings

On the Outbound Blacklists page, you can blacklist the traffic’s source or destination by
specifying an IPv4 address or CIDR.
Adding items to the outbound blacklist

To add items to the outbound blacklist:
1. Select Protect > Outbound Protection > Blacklists.
2. In the Add box, type one or more IPv4 addresses or CIDRs separated by commas.
3. Click Add.
This audit trail information will be visible from the Outbound Blacklists page.
Deleting items from the outbound blacklist

Deleting an item from the outbound blacklist does not add it to the outbound whitelist. If

you want to move a host from the outbound blacklist to the outbound whitelist, see
“Whitelisting blacklisted hosts” below.
To delete an item from the outbound blacklist:
2. On the Outbound Blacklists, click (Remove ) to the far right of the item.
Whitelisting blacklisted hosts

When you whitelist a blacklisted host, it is removed from the outbound blacklist and
added to the outbound whitelist.
To whitelist a blacklisted host:

2. On the Outbound Blacklists page, click the Whitelist button to the far right of the
item.
This audit trail information will be visible from the Outbound Whitelists page.

Viewing and Searching the Outbound Blacklist

The Outbound Blacklists page in APS Console allows you to view the entire outbound
blacklist for all of the APS devices managed by APS Console. You can search this blacklist
for specific IPv4 addresses or CIDRs, or for IPv4 addresses and CIDRs that match a specific
country.
Note
The outbound blacklist does not include IPv6 addresses.
You also can use the Outbound Blacklists page to blacklist outbound IPv4 traffic on any
APS device that is managed by APS Console. See “Blacklisting Outbound Traffic” on
page 180 .
Important
You must enable the outbound threat filter for the outbound blacklist to take effect. See
Viewing the outbound blacklist

To view the outbound blacklist:
2. If the blacklisted items continue on multiple pages, you can use the paging icons at
the upper-right of the page to view the additional items. See “Using Navigation
Controls” on page 24.
3. To filter the list to display items of interest, you can search for specific blacklisted
items. See “Searching the outbound blacklist” below.
Searching the outbound blacklist

When you view the outbound blacklist, you can filter the list to display items of interest by
searching for one or more blacklisted items.
To search the outbound blacklist:

2. In the Search box on the Outbound Blacklists page, type one of the following search
strings:
l An IPv4 address.
l An IPv4 address range, with a hyphen to separate the beginning IP address and
ending IP address. For example: 192.0.2.1-192.0.2.10
l A CIDR.
l A country name. As you type, the system displays the countries that match your
entry. You can continue to type the country name or select a country from the list.
3. Click Search .
4. If you search for a host that is not on the outbound blacklist, a message appears. The
following options might be available:
l You can click (add) in the message to add the host to the outbound blacklist.
l If the host is on the outbound whitelist, you can click the link in the message to
open the Outbound Whitelists page and display that host.

Information on the Outbound Blacklists page

By default, the outbound blacklist is sorted by the Since column, beginning with the most
recent items. You also can sort the outbound blacklist by the Hosts column. For more
information about sorting, see “Sorting information in tables” on page 24 .
For each blacklisted item, the Outbound Blacklists page displays the following information:
Outbound Blacklists details

Hosts Displays the blacklisted host’s IP address or CIDR. If the system can
identify the host’s country, this column also includes a flag icon that
represents the country.
outbound blacklist.
column.
Whitelist button Allows you to add the item to the outbound whitelist.
(Remove ) Allows you to remove the item from the outbound blacklist without
adding it to the outbound whitelist.

Whitelisting Inbound Traffic

Use inbound whitelisting to pass the inbound traffic that originates from specific external
hosts. APS always passes the traffic from the whitelisted hosts without further inspection,
regardless of the current protection level.
When you use APS Console to manage APS, you can configure the whitelists in APS
Console and propagate the configurations to each managed APS as appropriate.
For general information about whitelisting, see “About Blacklisting and Whitelisting
Whitelisting exception
An exception to the whitelisting behavior is when APS detects invalid packets. Because the
Invalid Packets protection takes precedence over the whitelist, APS blocks invalid packets
even if the source host is whitelisted. See “Invalid Packets” on page 202.
About the whitelist settings

On the Inbound Whitelists page, you can whitelist the traffic’s source by specifying an IP
address, hostname, or CIDR.
When you whitelist a host that is temporarily blocked, it is removed from the Temporarily
Blocked Sources list immediately. When you do the same for a CIDR that contains
temporarily blocked hosts, those hosts are removed from the Temporarily Blocked
Sources list within five minutes. You can unblock an individual IP address immediately by
Adding hosts to the inbound whitelist

To add hosts to the inbound whitelist:
2. In the Add box, type one or more IPv4 or IPv6 addresses or CIDRs separated by
commas, and then click Add.
This audit trail information will be visible from the Inbound Whitelists page.
Deleting items from the inbound whitelist

Deleting an item from the whitelist does not add it to the blacklist. If you want to blacklist
an item from the Inbound Whitelists page, see “Blacklisting whitelisted hosts” on the
facing page.

To delete an item from the inbound whitelist:

2. On the Inbound Whitelists page, delete the item as follows:
l To delete the item for all of the protection groups, click (Remove ) to the far right
of the item.
l To delete the item for a specific protection group, hover your mouse pointer over
the protection group in the PGs Affected column. Click the (Remove ) icon that
appears.
Blacklisting whitelisted hosts

When you blacklist a whitelisted host, it is removed from the whitelist and added to the
blacklist. If the host was whitelisted for specific protection groups only, then it is blacklisted
for those protection groups.
To blacklist a whitelisted host:

2. On the Inbound Whitelists page, click the Blacklist button to the far right of the item.
This audit trail information will be visible from the Inbound Blacklists page.

Viewing and Searching the Inbound Whitelist

The Inbound Whitelists page in APS Console allows you to view the entire whitelist for all of
the APS devices managed by APS Console. You can search this whitelist for specific IP
addresses or CIDRs, or for IP addresses and CIDRs that match a specific country. You can
enter only one item per search but the search can return multiple results.
You also can use the Inbound Whitelists page to whitelist inbound traffic for all of the
managed APS devices. See “Whitelisting Inbound Traffic” on page 184.
Viewing the inbound whitelist

To view the inbound whitelist:
2. If the whitelisted items continue on multiple pages, you can use the paging icons at
the upper-right of the section to view additional items. See “Using Navigation
Controls” on page 24.
3. To filter the list to display items of interest, you can search for specific whitelisted
items. See “Searching the inbound whitelist” below.
Searching the inbound whitelist

When you view the inbound whitelist, you can filter the list to display items of interest by
searching for one or more whitelisted items.
n re associated with that country.
To search the inbound whitelist:

2. On the Inbound Whitelists page, in the Search box, type one of the following search
strings:
l An IPv4 or IPv6 address.
l An IPv4 or IPv6 address range, with a hyphen to separate the beginning IP address
and ending IP address. For example: 192.0.2.1-192.0.2.10
l A CIDR.
3. Click Search .
4. If you search for a host that is not on the inbound whitelist, a message appears. The
following options might be available:
l You can click (add) in the message to add that host to the whitelist.
l If the host is on the inbound blacklist, you can click the link in the message to open
the Inbound Blacklists page and display that host.
Information on the Inbound Whitelists page

By default, the inbound whitelist is sorted by the Since column, beginning with the most
recent items. You also can sort the inbound whitelist by the Hostname column. For more
information about sorting, see “Sorting information in tables” on page 24

For each whitelisted item, the Inbound Whitelists page displays the following information:
Inbound Whitelists details

Hosts Displays the whitelisted host’s IP address or CIDR. If the system can
Note
Country mappings do not exist for IPv6 addresses. If the source is
an IPv6 address, then this column includes an IPv6 flag icon
instead of a country flag icon. Also, for private networks, this
column includes a 10 icon or a 192 icon.
inbound whitelist.
column.
PGs Affected Displays the protection groups for which the item is whitelisted.
When multiple protection groups are listed, you can hover your
mouse pointer over a protection group to display (Remove ).
Click to remove the item from the whitelist for that protection
group only.
Blacklist button Allows you to add the item to the inbound blacklist.
(Remove ) Allows you to remove the item from the inbound whitelist for all
the protection groups without blacklisting it.

Whitelisting Outbound Traffic

Use outbound whitelisting to pass the IPv4 traffic that originates from your network and is
sent from specific internal hosts or to specific external hosts. APS always passes the traffic
from or to the whitelisted hosts without further inspection, regardless of the current
protection level.
When you use APS Console to manage APS, you can configure the whitelists in APS
Console and propagate the configurations to each managed APS as appropriate.
Important
You must enable the outbound threat filter for the outbound whitelist to take effect. See
For general information about whitelisting, see “About Blacklisting and Whitelisting
Whitelisting exception
An exception to the whitelisting behavior is when APS detects invalid packets. Because the
Invalid Packets protection takes precedence over the whitelist, APS blocks invalid packets
even if the source host is whitelisted. See “Invalid Packets” on page 202.
About the outbound whitelist settings

On the Outbound Whitelists page, you can whitelist the traffic’s source by specifying an
IPv4 address or CIDR.
Note
You cannot add IPv6 traffic to the outbound whitelist.
When you whitelist a host that is temporarily blocked, it is removed from the Temporarily
Blocked Sources list immediately. When you do the same for a CIDR that contains
temporarily blocked hosts, those hosts are removed from the Temporarily Blocked
Sources list within five minutes. You can unblock an individual IP address immediately by
Important
When you deploy APS in monitor mode, the outbound traffic does not go through APS
and is not analyzed.
Adding hosts to the outbound whitelist

To add IPv4 hosts to the outbound whitelist:
1. Select Protect > Outbound Protection > Whitelists.
2. In the Add box, type one or more IPv4 addresses or CIDRs separated by commas.
3. Click Add.

This audit trail information will be visible from the Outbound Whitelists page.
Deleting items from the outbound whitelist

Deleting an item from the outbound whitelist does not add it to the outbound blacklist. If
you want to move a host from the outbound whitelist to the outbound blacklist, see
“Blacklisting whitelisted hosts” below.
To delete an item from the outbound whitelist:
2. On the Outbound Whitelists page, click (Remove ) to the far right of the item.
Blacklisting whitelisted hosts

When you blacklist a whitelisted host, it is removed from the outbound whitelist and
added to the outbound blacklist.
To blacklist a whitelisted host:

2. On the Outbound Whitelists page, click the Blacklist button to the far right of the
item.
This audit trail information will be visible from the Outbound Blacklists page.

Viewing and Searching the Outbound Whitelist

The Outbound Whitelists page in APS Console allows you to view the entire outbound
whitelist for all of the APS devices managed by APS Console. You can search this whitelist
for specific IPv4 addresses and CIDRs, or for IPv4 addresses and CIDRs that match a
specific country.
You also can use the Outbound Whitelists page to whitelist outbound IPv4 traffic on any
APS device that is managed by APS Console. See “Whitelisting Outbound Traffic” on
page 188 .
You must enable the outbound threat filter for the outbound whitelist to take effect. See
Note
The outbound whitelist does not include IPv6 addresses.
Viewing the outbound whitelist

To view the outbound whitelist:
2. If the whitelisted items continue on multiple pages, you can use the paging icons at
the upper-right of the page to view additional items. See “Using Navigation Controls”
on page 24.
3. To filter the list to display items of interest, you can search for specific whitelisted
items. See “Searching the outbound whitelist” below.
Searching the outbound whitelist

When you view the outbound whitelist, you can filter the list to display items of interest by
searching for one or more whitelisted items.
To search the outbound whitelist:

2. In the Search box on the Outbound Whitelists page, type one of the following search
strings:
l An IPv4 address.
l An IPv4 address range, with a hyphen to separate the beginning IP address and
ending IP address. For example: 192.0.2.1-192.0.2.10
l A CIDR.
3. Click Search .
4. If a host that you searched for is not on the outbound whitelist, a message appears.
The following options might be available:
l You can click (add) in the message to add the host to the outbound whitelist.
l If the host is on the outbound blacklist, you can click the link in the message to
open the Outbound Blacklists page and display that host.
Information on the Outbound Whitelists page

By default, the outbound whitelist is sorted by the Since column, beginning with the most

recent items. You also can sort the outbound whitelist by the Hosts column. For
information about sorting, see "Sorting information in tables" on page 24 .
For each whitelisted item, the Outbound Whitelists page displays the following
information:
Outbound Whitelists details

Hosts Displays the whitelisted host’s IP address or CIDR. If the system can
Since Indicates the amount of time that he item has been on the
outbound whitelist.
column.
Blacklist button Allows you to add the item to the outbound blacklist.
(Remove ) Allows you to remove the item from the outbound whitelist
without adding it to the outbound blacklist.


Section 11:
Viewing APS Traffic
This section describes the many ways in which you can view the traffic that APS inspects.
In this section
Viewing the Traffic Activity for a Protection Group 194

Viewing the Traffic Overview for a Protection Group 197
Filtering the Traffic Data by APS 199
Viewing the Attack Categories for a Protection Group 200
Viewing the Top URLs for a Protection Group 206
Viewing the Top Domains for a Protection Group 208
Viewing the Top IP Locations for a Protection Group 210
Viewing the Top Protocols for a Protection Group 212
Viewing the Top Services for a Protection Group 214

Viewing the Traffic Activity for a Protection Group

The View Protection Group page allows you to view information in real time about the
traffic that is destined for the prefixes in a protection group. The traffic information that
appears on this page is for incoming traffic only. The information does not include server
response traffic.
Use the information on this page to monitor how effectively the managed APS devices
mitigate attacks and to decide whether you need to take action to block the traffic.
The View Protection Group page displays aggregated traffic data for all of the APS devices
that are assigned to the protection group. You can filter the data on the View Protection
Group page to view information for a single APS. See “Filtering the traffic data for a single
APS” on page 199.
The View Protection Group page also allows you to blacklist certain hosts or remove them
from the blacklist, which is also referred to as unblocking. See “About Blacklisting and
Whitelisting Traffic” on page 168.
Navigating to the View Protection Group page

To navigate to the View Protection Group page:
2. (Optional) On the List Protection Groups page, filter the list to find a specific protection
group. See “Searching for protection groups” on page 226.
3. Click the protection group name.
Sections on the View Protection Group page

The View Protection Group page contains the following sections:
Sections on the View Protection Group page

Section Description and reference
Time selector Allows you to filter the information that appears on the View
Protection Group page by a specific increment or by a time range.
See “Changing the display timeframe” on page 28.
Bytes and Click Bytes or Packets to change the display unit of measure on
Packets buttons the View Protection Group page.
Protection Group Displays summary data about all of the protection group’s traffic
Overview during the selected timeframe.
See “Viewing the Traffic Overview for a Protection Group” on
page 197.
Total Protection Shows a stacked graph that represents the total passed traffic in
Group Traffic green and the total blocked traffic in red. Below the graph, you can
graph click (Passed) or (Blocked) to show and hide the different
types of traffic.

Section 11: Viewing APS Traffic
Sections on the View Protection Group page (continued)

Section Description and reference
Traffic Views Lists the different types of inbound traffic that are destined for the
prefixes in the protection group. You can click a link in the list to
view the data for that type of traffic.
See “Viewing the inbound traffic by type” below.
Select Display All to display the data for all of the traffic views, in
the order in which they appear in the list. To include all of the
traffic view data when you create a PDF of the View Protection
Group page, select this option.
See “About the Arbor Smart Bar” on page 26 for PDF instructions.
Attack Categories See “Viewing the Attack Categories for a Protection Group” on
page 200.
Viewing the inbound traffic by type

In the Traffic Views section, you can view the data for the inbound traffic that is destined
for the protection group’s prefixes.
To select the type of traffic to view:

n Click (expand), and then click a link in the list of traffic views. The graph and table
display the data for the selected type of traffic.
You can click (collapse) to hide the list of traffic views. When the list is hidden, the graph
and table continue to display the data for the selected type of traffic.
The types of traffic that are available in the list depend on the server type for the protection
group. For example, when you display this page for a Web Server protection group, only
the sections that are relevant for Web servers appear.
The list of traffic views can include the following types of traffic:
Types of Traffic in the Traffic Views section

Type Description and reference
Attack Categories Displays a graph of the attack categories that are responsible for
blocking current traffic.
See “Viewing the Attack Categories for a Protection Group” on
page 200.
Web Traffic by URL Displays the 10 URLs that have the highest amounts of inbound
IPv4 traffic.
See “Viewing the Top URLs for a Protection Group” on page 206.
Note
This traffic data is not available for IPv6 protection groups.

Types of Traffic in the Traffic Views section (continued)

Type Description and reference
Web Traffic by Displays the 10 domains that have the highest amounts of inbound
Domain IPv4 traffic.
See “Viewing the Top URLs for a Protection Group” on page 206.
Note
IP Location Displays the 10 identifiable countries that send the most IPv4
traffic.
See “Viewing the Top IP Locations for a Protection Group” on
page 210.
Note
Protocols Displays the 10 protocols that have the highest amounts of

inbound traffic.
See “Viewing the Top Protocols for a Protection Group” on
page 212 .
Services Displays the 10 services that have the highest amounts of inbound
traffic.
See “Viewing the Top Services for a Protection Group” on
page 214.

Viewing the Traffic Overview for a Protection Group

On the View Protection Group page, the Protection Group Overview section displays
summary data about the protection group’s traffic during the selected timeframe.
Use the information in this section to quickly view the protection group’s activity, assess its
performance, and look for problems. For example, a significant increase or a large spike in
the passed traffic might indicate an attack.
To view information in real time about the traffic that is destined to a protection group, see
“Viewing the Traffic Activity for a Protection Group” on page 194 .
Filtering traffic data

APS Console aggregates the traffic data for all of the APS devices that are assigned to the
protection group. To filter the page to view the traffic data for a single APS, click the All
APSes link under APS Assignments.
See “Filtering the Traffic Data by APS” on page 199.
Navigating to the View Protection Group page

To navigate to the View Protection Group page:
Information in the Protection Group Overview section

The Protection Group Overview section contains the following information:
Information in the Protection Group Overview section

Section Description
Total Traffic Displays a minigraph that represents the total traffic, and displays
the following values:
n Total summarizes the total amount of traffic during the specified
timeframe.
n Rate summarizes the average rate of this traffic during the
specified timeframe.
Passed Traffic Displays a minigraph that represents the passed traffic, and
displays the following values:
n Total summarizes the total amount of passed traffic during the
n Rate summarizes the average rate of the passed traffic during
the specified timeframe.

Information in the Protection Group Overview section (continued)

Section Description
Blocked Traffic Displays a minigraph that represents the blocked traffic, and
displays the following values:
n Total summarizes the total amount of blocked traffic during the
n Rate summarizes the average rate of the blocked traffic during
the specified timeframe.
Blocked Hosts Displays a minigraph that represents the blocked hosts. The
Average value indicates the average number of blocked hosts
during the specified timeframe.
Total Traffic Shows the percentage of the total traffic that is passed in green and
graph the percentage that is blocked in red.

Filtering the Traffic Data by APS

The View Protection Group page displays aggregated traffic data for all of the APS devices
that are assigned to the protection group. You can filter the data on the View Protection
Group page to view only the traffic data for a single APS.
After you filter the page, the APS remains selected even if you navigate away from the View
Protection Group page. You must clear the selection manually to revert to viewing the
traffic data for all the APS assignments. See “Viewing the traffic data for all the APS
assignments” below.
About APS Assignments

In the Protection Group Details section, under APS Assignments, APS Console indicates
whether it displays the traffic for all APS assignments or for a single APS. The APS
Assignments section also displays the total number of APS assignments for the protection
group.
Filtering the traffic data for a single APS

To filter the traffic data on the View Protection Group page for a single APS:
1. Navigate to the View Protection Group page as follows:
a. Select Protect > Inbound > Protection Groups.
b. (Optional) On the List Protection Groups page, filter the list to find a specific
protection group. See “Searching for protection groups” on page 226.
c. Click the protection group name.
2. At the top of the View Protection Group page, click the All APSes link to open the Filter
by APS window.
The Filter by APS window displays the following information for each APS:
l a graph that shows the percentage of blocked traffic
l the number of active alerts, if any
3. (Optional) In the Filter by APS name box, type all or part of a name to locate a
specific APS. As you type, the list displays only the APS names that match the string.
4. If there is only one match, the APS name is selected automatically. If there are multiple
matches, select an APS.
APS Console updates the sections for Total Protection Group Traffic, Mode , Traffic
Overview , and Recent Alerts to display data for the selected APS.
5. Click Apply.
After you apply the filter, the name of the selected APS replaces the All APSes link on
the View Protection Group page.
Viewing the traffic data for all the APS assignments

You can clear the selected APS to display data for all of the APS assignments on the View
Protection Group page:
n Click (clear). The All APSes link appears when the View Protection Group page is no
longer filtered for a specific APS.

Viewing the Attack Categories for a Protection Group

The Attack Categories section on the View Protection Group page displays the categories of
protections that are responsible for blocking current traffic.
The data display for the attack categories refreshes approximately every 60 seconds.
Use this information to determine why APS blocked the traffic. For example, if blocked
traffic is shown for the Invalid Packets category, you can display the details for that
category to view the reasons why that traffic was considered to be invalid.
For general information about the protection settings, see “About the Protection Settings
Configuration” on page 111 .
Navigating to the Attack Categories section

To navigate to the Attack Categories section on the View Protection Group page:
1. Select Protect > Inbound > Protection Groups.
4. (Optional) In the Traffic Views section, click (expand).
5. In the list of traffic views, select Attack Categories.
6. (Optional) Filter the information that appears on the page as follows:
l To change the timeframe for which the data is displayed, click one of the time
increments or click From and select a time range.
l To select the unit of measure for displaying traffic, click Bytes or Packets.
Information in the Attack Categories section

The Attack Categories section contains the following information:
Information in the Attack Categories section

Attack Categories APS Console updates the data display once per minute.
graph
Key Shows the color that represents the source in the Attack
Categories graph and allows you to filter the graph display. Click
the key for an attack category to hide or show that category on the
graph.
APS Console retains your selections until you navigate away from
Graph Represents the traffic that the category blocks. You can hover your
mouse pointer over the minigraph to view a larger version of the
graph.

Information in the Attack Categories section (continued)

Category Displays the attack category that is blocking the traffic.
Several of the categories do not correspond to specific protection
settings. See “About the non-configurable categories” on the next
page.
(context menu) Appears when you hover your mouse pointer over an attack
category name. You can click , and then select Blocked Hosts to
display the Blocked Hosts Log page for this protection group and
attack category.
See “About the Blocked Hosts Log” on page 260.
Bytes blocked Shows the amount of blocked traffic for the attack category in
Packets blocked bytes and packets.
bps blocked Shows the rate of blocked traffic for the attack category in bits per
pps blocked second and packets per second.
Details button Allows you to view additional information about the blocked
traffic. The information that APS displays varies for each attack
category. Detailed information is not available for all of the attack
categories.
You can hide the details by clicking Details again.

About the non-configurable categories

The Attack Categories section might include the following categories. These attack
categories are not configurable on the Configure Server Type page or Outbound Threat
Filter page.
Non-configurable categories
Category Description
Blacklisted Hosts The Blacklisted Hosts category represents the hosts that are
blocked because they are on the blacklist. You can configure the
blacklists on the Configure Inbound Blacklists page and the
Configure Outbound Blacklist page.
Note
The Invalid Packets category takes precedence over blacklists. As
a result, any traffic from blacklisted hosts that matches invalid
packets is attributed to invalid packets in the Attack Categories
graphs.
HTTP Blocked The HTTP Blocked Locations category represents the following
Locations hosts and domains:
n The domains that were blocked because they are on the
inbound blacklist
n The blocked hosts that appear in the Web Traffic By URL section
on the View Protection Group page
n The blocked domains that appear in the Web Traffic By Domain
section on the View Protection Group page
Invalid Packets The Invalid Packets category blocks invalid TCP/IP packets. Click
Details for this category to view the reasons that APS blocked the
packets.
Note
The Invalid Packets category takes precedence over the whitelist
and blacklist. As a result, APS blocks invalid packets from
whitelisted hosts. Also, any traffic from hosts on the blacklist or
whitelist that matches invalid packets is attributed to invalid
packets in the Attack Categories graphs.

Detailed information in the Attack Categories section for protection groups

Detailed information about blocked traffic is available for the protection group attack
categories.

Category Details
ATLAS Threat Lists the ATLAS threat categories that blocked traffic, and shows
Categories the amount of blocked traffic for each category. APS displays a
traffic minigraph for each category.
Application Shows the average number of blocked hosts.

Misbehavior
Block Malformed Shows statistics about the blocked hosts, including the total
SIP Traffic number of hosts that were blocked. See “About the total hosts
blocked” on page 205.
Botnet Prevention Displays blocking information for the following subcategories:

n Basic Botnet Prevention
These details show a graph and summary statistics of the
botnet traffic that would have been blocked under a higher
protection level.
They also show the average number of hosts that were blocked
and the number of requests that were examined.
n AIF Botnet Signatures
These details show the botnet traffic that was blocked or that
would be blocked by the AIF signatures that are associated with
each protection level. For example, if the active global
protection level is medium, the blocking details for the medium
protection level and low protection level represent traffic that
was blocked. The blocking details for the high protection level
represent traffic that would be blocked if you change to the high
protection level.
n Slow Request Attacks
These details show the average number of hosts that were
blocked and the number of requests that were examined.
DNS Shows the number of hosts that were tested and the number of
Authentication hosts that were validated.
DNS NXDomain Shows the average number of hosts and the total number of hosts
Rate Limiting that were blocked. See “About the total hosts blocked” on
page 205.
DNS Rate Limiting Shows statistics about the hosts that were blocked, including the
total number of hosts that were blocked. See “About the total
hosts blocked” on page 205.
Fragment Shows the average number of hosts that were blocked.

Detection


(continued)
Category Details
HTTP Header Shows the average number of hosts that were blocked.
Regular
Expressions
HTTP Rate Limiting Shows statistics about the hosts that were blocked and whether
they were blocked for exceeding the request limit or the URL limit.
This section also shows the total number of hosts that were
blocked. See “About the total hosts blocked” on the facing page.
ICMP Flood Shows the average number of hosts that were blocked.
Detection
Invalid Packets Lists the reasons why traffic was considered to be invalid and
shows the amount of traffic that was blocked for each reason. A
traffic minigraph is displayed for each reason, and a stacked graph
summarizes the blocked traffic with one row for each reason.
Malformed HTTP Shows the average number of hosts that were blocked and the
Filtering number of requests that were examined.
Rate-based Shows the average number of hosts that were blocked.

Blocking
SIP Request Shows the average number of hosts and the total number of hosts
Limiting that were blocked. See “About the total hosts blocked” on the
facing page.
Spoofed SYN Flood Shows statistics about the number of hosts that were allowed to
Prevention form connections, the total number of connections, and the total
number of HTTP requests on those connections.
TCP Connection Lists the top 10 hosts whose concurrent TCP connections
Limiting exceeded the rate limit, and shows the amount of traffic that was
blocked for each host. Connection statistics are displayed for each
host.
Important
This section includes traffic for all of the categories that affect
each host, not just the TCP Connection Limiting category.
TCP Connection Shows statistics for the connections and hosts that were blocked,
Reset including the total number of hosts that were blocked. See “About
the total hosts blocked” on the facing page.
TCP SYN Flood Shows the average number of hosts that were blocked.
Detection
TLS Attack Lists the reasons why the SSL or TLS traffic was considered to be
Prevention invalid and shows statistics about the traffic that was blocked for
each reason. You can click Details next to each reason to view the
average number of hosts that were blocked for that reason.


(continued)
Category Details
Traffic Shaping Shows statistics about the traffic that exceeded the configured
thresholds and the traffic that was passed.
UDP Flood Shows the average number of hosts that were blocked.
Detection
Detailed information in the Attack Categories section for the Outbound

Threat Filter
Detailed information about blocked traffic is available for outbound threat filter attack
categories.
Detailed information in the Attack Categories section for the Outbound

Threat Filter
Category Details
ATLAS Threat Lists the ATLAS threat categories that blocked traffic, and shows
Categories the amount of blocked traffic for each category. APS displays a
traffic minigraph for each category.
DNS Rate Limiting Shows statistics about the hosts that were blocked, including the
total number of hosts that were blocked. See “About the total
hosts blocked” below.
Malformed HTTP Shows the average number of hosts that were blocked and the
Filtering number of requests that were examined.
About the total hosts blocked

The detail information for several of the attack categories shows the total hosts blocked.
This number represents the total number of times that any and all hosts were blocked,
and might contain hosts that were blocked multiple times. For example, if one host is
blocked 15 times, then the total is 15.

Viewing the Top URLs for a Protection Group

The Web Traffic By URL section of the View Protection Group page identifies the top URLs
for all of the APS devices that are assigned to the protection group. If you filter the page to
view the data for only one APS, the Web Traffic By URL section displays the top URLs for
that APS only. See “Filtering the Traffic Data by APS” on page 199.
Use this information to identify problems or determine the target of an attack. For
example, a URL whose traffic is significantly higher than normal might be under attack.
Also, a URL that has a high percentage of the total HTTP traffic is often an attack target.
Note
Navigating to the Web Traffic By URL section

To navigate to the Web Traffic By URL section on the View Protection Group page:
5. In the list of traffic views, select Web Traffic By URL.
Information in the Web Traffic By URL section

The Web Traffic By URL section contains the following information:
Information in the Web Traffic By URL section

Web Traffic By URL Displays a stacked graph of the traffic for the top URLs in requests
graph per minute.
Key Shows the color that represents the specific URL in the Web Traffic
By URL graph and allows you to filter the graph display.
You can click the key for a URL to hide or show that URL on the
graph. Your selections are retained until you navigate away from
Graph Represents the number of requests per minute that are sent to the
URL. You can hover your mouse pointer over a minigraph to view
a larger version of the graph.

Information in the Web Traffic By URL section (continued)

URL Displays the URL for which the traffic is destined.
If “Other” appears in this list, it represents the aggregated traffic
data for the URLs that are not listed here.
Note
If a URL is truncated because it does not fit in the column, you
can view the entire URL by hovering your mouse pointer over it. If
you copy a truncated URL, the entire URL is copied.
Requests Displays the number of requests that are sent to the URL.
Percent Displays the percentage of the total HTTP traffic that the traffic for
that URL represents, shown as a figure and as a proportion bar.
The bar for the top URL is the full column width and the remaining
bars are in proportion to it.
Request bps Shows the average rate of the requests that are sent to the URL.
Blacklist button Allows you to add the URL to the inbound blacklist for this
protection group or for all IPv4 protection groups. When you
blacklist a URL, APS blocks all of the IPv4 traffic from the clients
that access the blacklisted URL.
See “About Blacklisting and Whitelisting Traffic” on page 168.
Unblock button Allows you to remove the URL from the inbound blacklist.
This button appears only when a URL has been blacklisted.

Viewing the Top Domains for a Protection Group

The Web Traffic By Domain section on the View Protection Group page identifies the top
domains for all of the APS devices that are assigned to the protection group. If you filter
the page to view the data for only one APS, the Web Traffic By Domain section displays the
top domains for that APS only. See “Filtering the Traffic Data by APS” on page 199.
Use this information to identify problems or determine the target of an attack. For
example, a domain whose traffic is significantly higher than normal might be under attack.
Also, a domain that has a high percentage of the total HTTP traffic is often an attack target.
The data display for the top domains refreshes approximately every five minutes. The
slower update rate is due to the way each APS collects and averages the domain data.
Note
Navigating to the Web Traffic By Domain section

To navigate to the Web Traffic By Domain section on the View Protection Group page:
5. In the list of traffic views, select Web Traffic By Domain .
Information in the Web Traffic By Domain section

The Web Traffic By Domain section contains the following information:
Information in the Web Traffic By Domain section

Web Traffic By Displays a stacked graph of the traffic for the top domains in
Domain graph requests per minute.
Key Shows the color that represents the specific domain in the Web
Traffic By Domain graph and allows you to filter the graph display.
You can click a domain’s key to hide or show that domain on the
Graph Represents the number of requests per minute that are sent to the
domain. You can hover your mouse pointer over a minigraph to
view a larger version of the graph.

Information in the Web Traffic By Domain section (continued)

Domain Name Displays the domain for which the traffic is destined.
If “Other” appears in this list, it represents the aggregated traffic
data for the domains that are not listed here.
Requests Shows the number of requests that are sent to the domain.
Percent Displays the percentage of the total HTTP traffic that the domain’s
traffic represents, shown as a figure and as a proportion bar. The
bar for the top domain is the full column width and the remaining
bars are in proportion to it.
Request bps Shows the average rate of the requests that are sent to the
domain.
Blacklist button Allows you to add the domain to the inbound blacklist for this
protection group or for all IPv4 protection groups. When you
blacklist a domain, APS blocks all of the IPv4 traffic from the clients
that access the blacklisted domain.
Unblock button Allows you to remove the domain from the inbound blacklist.
This button appears only when a domain has been blacklisted.

Viewing the Top IP Locations for a Protection Group

The IP Location section on the View Protection Group identifies the top countries for all of
the APS devices that are assigned to the protection group. If you filter the page to view the
data for only one APS, the IP Location section displays the top countries for that APS only.
See “Filtering the Traffic Data by APS” on page 199.
Use this section to identify problems or to determine the source of an attack. For example,
traffic that is significantly higher than normal or a spike in the passed traffic might indicate
an attack.
The data display for the top IP locations refreshes approximately every 60 seconds.
Note
Navigating to the IP Location section

To navigate to the IP Location section on the View Protection Group page:
5. In the list of traffic views, select IP Location .
Information in the IP Location section

The IP Location section contains the following information:
Information in the IP Location section

IP Location graph Displays a stacked graph of the total traffic from the top countries.
The graph displays the traffic in bytes per second or packets per
second, depending on the unit of measure that is selected.
Key Shows the color that represents the country in the IP Location
graph and allows you to filter the graph display.
You can click a country’s key to hide or show the data for that
country on the graph. Your selections are retained until you
navigate away from the View Protection Group page.
Country Displays the name of the country from which the traffic was sent.
The ATLAS Intelligence Feed (AIF) supplies the information that
identifies the country. See “About the ATLAS Intelligence Feed” on
page 52.

Information in the IP Location section (continued)

(context menu) Appears when you hover your mouse pointer over a country name
if the data on the page is for a single APS. You can select the
Packet Capture option on this menu to capture packets for the
protection group and the country.
When you select Packet Capture , it opens the Packet Capture
page on the selected APS. The protection group and the country
are selected as filter criteria on this page. You can start the packet
capture or you can specify additional filter criteria.
See “About Capturing Packets” on page 274.
Graph Represents the country’s passed traffic (green) and blocked traffic
(red). You can hover your mouse pointer over the minigraph to
view a larger version of the graph.
Passed Traffic Shows the average rate of the passed and blocked traffic for the
Blocked Traffic country.
Percent Bytes Displays the percentage of the total blocked traffic that the
country’s traffic represents, shown as a figure and as a proportion
bar. The bar for the top country is the full column width and the
remaining bars are in proportion to it.
Blacklist button Allows you to add the country to the inbound blacklist for this
protection group or for all protection groups. See “About
Blacklisting and Whitelisting Traffic” on page 168.
Unblock button Allows you to remove the country from the inbound blacklist.
This button appears only when a country has been blacklisted.

Viewing the Top Protocols for a Protection Group

The Protocols section on the View Protection Group page identifies the top protocols for all
of the APS devices that are assigned to the protection group. If you filter the page to view
the data for only one APS, the Protocols section displays the top protocols for that APS
only. See “Filtering the Traffic Data by APS” on page 199.
This information is provided primarily for informational purposes. However, any traffic on
your network that is unexpected could represent an attack. For example, if you expect
only TCP traffic, but traffic is displayed for the UDP protocol, you should investigate this
traffic.
The data display for the top protocols refreshes approximately every 60 seconds.
Navigating to the Protocols section

To navigate to the Protocols section on the View Protection Group page:
5. In the list of traffic views, select Protocols.
Information in the Protocols section

The Protocols section contains the following information:
Information in the Protocols section

Protocols graph Displays a stacked graph of the total traffic for the top protocols.
The graph displays the traffic in bytes per second or packets per
Key Shows the color that represents the specific protocol in the
Protocols graph and allows you to filter the graph display.
You can click a protocol’s key to hide or show that protocol on the
Graph Represents the total traffic for a specific protocol. You can hover
your mouse pointer over a minigraph to view a larger version of
the graph.

Information in the Protocols section (continued)

Protocol Displays the destination port number of the specific protocol and
the name of the protocol, if it is known. APS Console sorts the list
of protocols by bytes, in descending order.
If “Other” appears in this list, it represents the totals for all of the
other protocols that are not listed here.
Bytes Shows the amount of traffic for the specific protocol in bytes and
Packets packets.
bps Shows the rate of traffic for the specific protocol in bits per second
pps and packets per second.

Viewing the Top Services for a Protection Group

The Services section on the View Protection Group page identifies the top services for all of
the APS devices that are assigned to the protection group. If you filter the page to view the
data for only one APS, the Services section displays the top services for that APS only. See
“Filtering the Traffic Data by APS” on page 199.
The data display for the top services refreshes approximately every 60 seconds.
This information is provided primarily for informational purposes. However, any traffic on
your network that is unexpected could represent an attack. For example, if you expect
only web traffic, but traffic is displayed for SMTP, you should investigate the traffic further.
About service data for ephemeral ports

APS stores service data for individual ephemeral ports for one week, after which it
combines and stores the data in groups of 200 ephemeral ports.
An ephemeral port is a temporary port, numbered 1024 or greater, that the TCP/IP stack
allocates when a client does not specifically request a port number. When the
communication session terminates, the ephemeral port is available for reuse.
When the display timeframe on the View Protection Group page is more than one week,
the service data for ephemeral ports is displayed by port range. For example, when the
UDP service on port 5000 has a high amount of traffic and the display timeframe is one
hour, that traffic appears as UDP/5000. When the display timeframe is two weeks, that
traffic is included in the entry for UDP/5000-5199.
In the Services graph, the data for ephemeral ports is always displayed by port range,
regardless of the display timeframe.
Navigating to the Services section

To navigate to the Services section on the View Protection Group page:
5. In the list of traffic views, select Services.

Information in the Services section

The Services section contains the following information:
Information in the Services section

Services graph Displays a stacked graph of the total traffic for the top services. The
graph displays the traffic in bytes per second or packets per
The keys below the graph show the colors that represent the
specific services in the graph. You can click a service’s key to hide or
show that service on the graph. If you hide a service, then APS
Console also dims any rows in the table that are associated with
that service.
Your selections are retained until you navigate away from the View
Graph Represents the total traffic for a specific service. If the service is on
an ephemeral port, the data is always displayed by port range. See
“About service data for ephemeral ports” on the previous page.
You can hover your mouse pointer over a minigraph to view a
larger version of the graph.
Service Displays the name of the protocol and the port or the range of
ports. APS Console also displays the name of the service in
parentheses, if known.
If “Other” appears in this list, it represents the totals for all of the
other services that are not listed here.
APS Console sorts the list of services by bytes, in descending order.
(context menu) Appears when you hover your mouse pointer over a service if the
data on the page is for a single APS. You can select the Packet
Capture option on this menu to capture packets for the
protection group and the service on the selected APS.
When you select Packet Capture , it opens the Packet Capture
page on the selected APS. The protection group and the country
are selected as filter criteria on this page. You can start the packet
capture or you can specify additional filter criteria.
See “About Capturing Packets” on page 274.
bps Shows the rate of traffic for the specific service in bits per second
pps and packets per second.


Section 12:
Managing Protection Groups
This section describes how to manage protection groups on APS Console. It also describes
how to add new protection groups and how to assign APS devices to the protection
groups.
User access
Users at all authorization levels can view the protection groups. Only administrators can
perform the configuration tasks that are described in this section. See “About User
Accounts” on page 36.
In this section
About Protection Groups 218

About Bandwidth Alerts 223
Viewing the Status of Protection Groups 225
Adding, Editing, and Deleting Protection Groups 231
Assigning APS Devices to Protection Groups 237
Overriding a Protection Group’s Settings on a Managed APS 240

About Protection Groups

APS monitors your network traffic and mitigates attacks by using the protection settings
that are defined for one or more protection groups.
A protection group represents either IPv4 hosts or IPv6 hosts that you need to protect.
Each protection group is associated with a server type and one or more host servers of
that type. For example, a protection group can represent a single web server or a specific
group of DNS servers.
Maximum number of protection groups

vAPS supports a maximum of 50 protection groups. Because the default protection group
counts toward this maximum, you can add 49 custom protection groups.
Important
If you use the minimum vAPS configuration, vAPS only supports a maximum of 10
protection groups. Because the default protection group counts toward this maximum,
you can add 9 custom protection groups.
See the “Minimum System Resources” information in the Virtual APS Installation Guide .
About the default protection group

The default protection group provides protection for all of the IPv4 hosts in your
enterprise as soon as you put APS into an active protection mode. The default protection
group is preconfigured to protect all IPv4 hosts and is associated with the generic server
type, which contains nearly all of the protection settings categories.
You can edit the default protection group, but only to configure its protection mode,
protection level, and bandwidth alert thresholds. You cannot delete the default protection
group.
Note
The default protection group only protects IPv4 hosts. It does not protect IPv6 hosts.
You can configure a custom IPv6 protection group to serve as the default IPv6 protection
group. For an example that illustrates how to create a default protection group for all of
the unprotected IPv6 hosts, see the “IPv6 prefix matching example” on page 221 .
About custom protection groups

A custom protection group protects a specific host or group of hosts and allows you to
configure the most appropriate protection settings for those hosts. You can add
protection groups to protect either IPv4 hosts or IPv6 hosts.
Throughout APS and APS Console, you can monitor traffic and mitigate attacks by
protection group, so that you can focus your attention on your most critical hosts.
We recommend that you create a protection group for each of the services that you want
to protect. See “Adding, Editing, and Deleting Protection Groups” on page 231.

Section 12: Managing Protection Groups
Protection group concepts

A protection group is associated with the following items:
Protection group concepts

Concept Description
Protection You can create protection groups to protect IPv4 hosts or IPv6
protocol hosts.
Protected hosts Protection groups monitor and mitigate the traffic that is destined
for one or more host servers. You define the protected hosts by
their prefixes or a set of prefixes.
A protection group can protect either IPv4 hosts or IPv6 hosts. You
cannot add IPv4 hosts and IPv6 hosts to a single protection group.
See “Prefix matching in protection groups” on page 221.
Server type The server type represents a class of servers that APS protects. The
server type determines which protection settings are available for a
protection group and the application-specific data that APS collects
and displays for the group.
When you create an IPv4 protection group, you can select a
standard IPv4 server type or a custom IPv4 server type, if any. When
you create an IPv6 protection group, you can select the Generic
IPv6 Server standard server type or a custom IPv6 server type, if
any.
See “About the Server Types” on page 92.
Protection The protection settings are the criteria by which APS defines clean
settings traffic and attack traffic. For example, if a setting specifies a
threshold based on the number of requests per second, then traffic
that exceeds the threshold is considered to be an attack.
Protection The protection settings are organized into categories, each of which
categories detects a different type of attack traffic. A protection group contains
the categories of settings that are most appropriate for its server
type. For example, a Web Server protection group contains the
HTTP categories of settings, which detect HTTP-based attacks.

Protection group concepts (continued)

Concept Description
Protection levels For each of the protection settings, you can specify different values
for the low, medium, and high protection levels. The current
protection level determines which protection settings are in use at
any given time.
By default, all of the protection groups use a global protection level.
You can continue to use the global protection level or you can
configure individual protection levels for specific protection groups.
These individual protection levels take precedence over the global
protection level.
You also can use the total traffic threshold or the global total traffic
threshold to automate the protection level for a protection group.
See “About protection level automation” on page 235.
Protection mode The protection mode determines whether APS mitigates traffic. In
active mode, APS mitigates attacks in addition to monitoring traffic.
In inactive mode, APS detects attacks but does not mitigate them.
You can set the protection mode for an individual protection group
without affecting any other traffic. For example, you can set a
protection group to inactive mode for testing while keeping the rest
of the system in active mode. See “Setting the Protection Mode
(Active or Inactive)” on page 84.
About managing the protection groups from APS Console

When you use APS Console to manage APS devices, you can add the protection groups in
APS Console and then assign APS devices to those protection groups. See “Adding,
Editing, and Deleting Protection Groups” on page 231.
APS Console can determine how many protection groups an APS is assigned to. So if an
APS is assigned to the maximum number of protection groups, APS Console does not
allow you to assign that APS to another protection group.
Before APS Console allows you to assign the APS to another protection group, you must
unassign the APS from at least one protection group.
See “Maximum number of protection groups” on page 218.

When you first connect APS to APS Console, the protection groups on APS Console are
merged with any existing protection groups on the assigned APS devices. Thereafter, any
changes to the protection groups on APS Console are periodically copied to each APS that
is assigned to the protection group. See “1About the APS Console - APS Data
Caution

Prefix matching in protection groups

When different length prefixes of the same network are protected by one protection
group or separate protection groups, APS matches traffic to the most specific (longest)
prefix.
IPv4 prefix matching examples

In the first IPv4 prefix matching example, the protection groups protect the following IPv4
hosts:
n Protection Group 1 — 198.51.100.0/24
n Protection Group 2 — 198.51.100.5/32
When traffic is destined to the IP address 198.51.100.5, APS matches it to Protection Group
2, which is the most specific match.
In the second IPv4 prefix matching example, the protection groups protect the following
IPv4 hosts:
IPv4 prefix matching

Protection group Protected Hosts
name setting Matched traffic
Protection Group 192.0.2.2/32 All the traffic that is destined to 192.0.2.2
3
Protection Group 192.0.2.0/24 All the traffic that is destined to 192.0.2.0/24,

4 except for the traffic that is destined to
192.0.2.2
IPv4 default 0.0.0.0/0 All IPv4 traffic, except for the traffic that is
protection group destined to 192.0.2.0/24
IPv6 prefix matching example

In the following IPv6 prefix matching example, the protection groups protect the following
IPv6 hosts:
IPv6 prefix matching

Protection Group 5 fe80:22:ab00::3bf:159a:1/128 All the traffic that is destined to
fe80:22:ab00::3bf:159a:1
Protection Group 6 fe80:22:ab00::/40 All the traffic that is destined to

fe80:22:ab00::/40 except for the
traffic that is destined to
fe80:22:ab00::3bf:159a:1

IPv6 prefix matching (continued)

Protection Group 7 ::/0 All IPv6 traffic, except for the traffic
(serves as a default that is destined to
protection group fe80:22:ab00::/40
for IPv6 hosts)

About Bandwidth Alerts

APS uses bandwidth alerts to inform you about attacks and other traffic anomalies that
require your attention. To implement bandwidth alerts, you define traffic thresholds based
on traffic baselines and specific traffic rate limits for specific types of traffic. When the traffic
for a protection group exceeds a threshold, APS creates a bandwidth alert. The alert
includes the protection group name and the level of traffic that triggered the alert.
You can configure bandwidth alert thresholds globally or for individual protection groups.
The global thresholds are enabled by default. APS uses the global thresholds for any
protection group that does not have its own thresholds configured. The threshold settings
for a specific protection group override the global threshold settings.
You can view bandwidth alerts in several areas of the APS Console UI. See “Viewing a
Summary of Alerts” on page 304.
About the types of bandwidth alerts

You can configure baseline thresholds and specify rate limits to generate bandwidth alerts
for the following types of traffic:
Types of bandwidth alerts

Alert Description
Total traffic alert Occurs when a protection group’s total traffic exceeds the
threshold.
Total traffic alerts inform you of spikes in the traffic to protected
services so that you can investigate the cause and take action if
necessary.
Blocked traffic Occurs when a protection group’s blocked traffic exceeds the
alert threshold. A spike in blocked traffic typically indicates that an attack
is underway and is blocked.
Blocked traffic alerts inform you of the system’s response to an
attack so that you can respond with further actions. For example, if
you determine that the traffic is legitimate, you can whitelist the
source.
Botnet alert Occurs when a protection group’s unblocked botnet traffic exceeds
the threshold.
Botnet alerts indicate that a botnet attack might be underway and
suggest the protection level that would block the botnet traffic.
License limit alert Occurs when your system’s traffic exceeds 90 percent of its licensed
throughput limit. Your licensed throughput limit is the threshold for
the license limit alerts; this threshold is not user-configurable.
About traffic baselines

APS generates bandwidth alerts when a protection group’s total traffic, blocked traffic, or
botnet traffic exceeds a specified baseline threshold for the corresponding traffic type.

Before APS can evaluate traffic against the baseline thresholds, it must calculate the
baselines based on a protection group’s traffic for the past week. Therefore, the alerts may
not begin to appear until a week after you create a protection group.
After the APS calculates the initial baselines, it recalculates them every hour.
Configuring global bandwidth alerts

You configure the global bandwidth alert thresholds on the System Alerts page in APS. The
global thresholds are enabled by default, but you can change the default settings or turn
off some or all of the global bandwidth alerts.
A global bandwidth alert threshold consists of a baseline threshold, and, optionally, a

minimum threshold. The baseline threshold is a percentage of the traffic above the
baseline for the corresponding traffic type. The minimum threshold is a traffic rate that
you specify in bps or pps.
If you specify a minimum threshold, then a protection group’s traffic must exceed both the
baseline threshold and the minimum threshold before APS generates an alert. For
example, a specific protection group’s baseline might be a low level of traffic. If that
group’s traffic suddenly increases by the global percentage, no alerts are created if the
traffic level is still below the minimum threshold.
For more information, see “Configuring Global Thresholds for Bandwidth Alerts” in the
APS User Guide .
Configuring bandwidth alerts for individual protection groups

You configure protection group alert thresholds when you create a protection group in
APS Console. You can use the global thresholds that are configured on APS or specify
traffic thresholds for the protection group in bps or pps. You also can disable one or more
bandwidth alert types for a protection group.
See “Adding, Editing, and Deleting Protection Groups” on page 231.
Bandwidth alert expiration

Initially, a bandwidth alert remains active for one hour after it is created. The longer that a
bandwidth alert condition continues, the more the alert’s expiration time is extended. The
expiration time is never more than 24 hours after the alert condition disappears.
In addition, an alert expires instantly in the following situations:

n when you disable that type of alert in the configuration
n when you change the type of threshold (global threshold or specified traffic threshold)
for a protection group
n when you configure a protection group’s alert threshold to a level that is higher than the
level that triggered the alert
n (botnet alerts only) when the protection level is changed to be greater than or equal to
the level that triggered the alert
Configuring notifications for bandwidth alerts

In APS, you can configure notifications that send messages when a bandwidth alert
occurs. See “Configuring Notifications” in the APS User Guide .

Viewing the Status of Protection Groups

The List Protection Groups page displays the protection groups that are configured for the
APS devices that APS Console manages. This page allows you to view which protection
groups and which of the managed APS devices have active threshold alerts.
You can also add, edit, and delete protection groups on this page. See “Adding, Editing,
and Deleting Protection Groups” on page 231.
Viewing information for each protection group and its assigned APS devices
You can view the following information about each protection group in the list:
n the APS devices that are assigned to that protection group
n the server type and a list of the protected hosts
n the protection level and whether the protection level automation is enabled
n the protection mode
n the traffic that was passed and blocked during the past hour
n the configuration status for the bandwidth threshold alerts
n a description of the protection group, and information about when the protection
group was last modified
If you expand a protection group, you can view the following information about each APS
device that is assigned to the protection group:
n the protection level and whether the protection level automation is enabled
n the protection mode

n the traffic that was passed and blocked for the protection group on the APS during the
past hour
n the configuration status for the bandwidth threshold alerts
Viewing the Protection Groups list

To view the list of protection groups:
By default, all of the protection groups appear on the List Protection Groups page. The
number to the right of the Protection Group Configuration subheading at the top of
the page indicates the total number of protection groups in the list.
If the list contains more than 10 protection groups, use the paging controls at the
upper right of the page to view the additional protection groups. See “Using
Navigation Controls” on page 24.
2. (Optional) To filter the list, search for specific protection groups. See “Searching for
protection groups” on the next page.
3. View additional information about the protection groups in the following ways:
l To view traffic activity for a single protection group, click the protection group name
link. See “Viewing the Traffic Activity for a Protection Group” on page 194.
l To view all of the APS devices that are assigned to all of the protection groups, if
any, click Expand All. To hide all of the APS assignments, click Collapse All.
l To view the APS devices that are assigned to a single protection group, click

(expand) next to a protection group name. To hide APS assignments for a

protection group, click (collapse).
Searching for protection groups

By default, all of the protection groups appear on the List Protection Groups page, which
can span multiple pages. The number to the right of the Protection Group Configuration
section heading indicates the total number of protection groups in the list.
You can filter the list to view only specific protection groups.
To search for specific protection groups:

2. On the List Protection Groups page, In the Search box, type a search string in any of
the following ways:
l As the partial name or full name of a protection group, APS, or server type.
l As any portion of a protection group’s description.
l As a partial prefix or full prefix. The search returns only the protection groups that
contain an exact match to the partial prefix or full prefix. It does not return any
matches to the prefixes that are within a subnet mask.
3. Click Search .
4. To clear the results of a search and view the entire list of protection groups, click the x
in the Search box.
Information on the List Protection Groups page

By default, the protection groups are sorted by the Protection Group Name column in
ascending order. You also can sort the list by the following columns:
n Server Type
n Protection Mode
n Protection Level
n Alerts
n Last Modified
For more information about sorting, see “Sorting information in tables” on page 24 .
The List Protection Groups page contains the following information:
Information on the List Protection Groups page

Search box Allows you to filter the list of protection groups that appear on
the List Protection Groups page.
Add IPv4 Allow you to add an IPv4 protection group or an IPv6 protection
Protection Group, group.
Add IPv6 See “Adding, Editing, and Deleting Protection Groups” on
Protection Group page 231.
buttons

Information on the List Protection Groups page (continued)

Expand All, Allow you to view or hide the APS devices that are assigned to the
Collapse All protection groups, if any.
buttons
Protection Group Displays the protection group name in the form of a link. You can
Name column click the link to view the traffic activity for the protection group.
See “Viewing the Traffic Activity for a Protection Group” on
page 194.
This section also displays a list of the protected hosts. If the list
contains more than a few hosts, you can click [more] to view the
entire list. Click [less] to collapse the list.
(protection Appears when you hover your mouse pointer over a protection
group context group name.
menu) You can use the options on the protection group context menu
to perform the following actions:
n Edit or delete the protection group. See “Adding, Editing, and
Deleting Protection Groups” on page 231.
n Manage the APS devices that are assigned to the protection
group. See “Assigning APS Devices to Protection Groups” on
page 237.
n Delete the protection group.
n View the blocked hosts that are related to the protection
group on the Blocked Hosts Log page. See “Viewing the
Blocked Hosts Log” on page 262.
(APS context Appears when you hover your mouse pointer over the name of
menu) an APS.
You can use the options on the APS context menu to perform
the following actions:
n Change the protection group settings for protection level,
protection mode, and threshold alerts for the APS. See
“Overriding a Protection Group’s Settings on a Managed APS”
on page 240.
n View the blocked hosts that are related to the protection
group on the APS. See “Viewing the Blocked Hosts Log” on
page 262.
n Remove the APS from the protection group. See “Assigning
APS Devices to Protection Groups” on page 237.
n Capture information about packets destined for a protection
group’s prefixes on the APS. See “About Capturing Packets”
on page 274.


bps and pps Display minigraphs that represent the traffic flow during the last
columns hour for the protection group or the APS, in bits per second and
packets per second. Passed and Blocked show the average rate
of traffic that was passed and blocked by the protection group or
the APS during that time.
The y-axis scale for protection group minigraphs can vary.
However, for analysis purposes, the APS minigraphs for a
protection group use the same y-axis scale as the protection
group.
Every 60 seconds APS Console refreshes the data display for the
minigraphs and the Passed and Blocked statistics.
(cannot retrieve Indicates that APS Console cannot retrieve the data for a
data) protection group minigraph from at least one APS.
To identify the problem, expand the protection group and locate
each APS that has and a No Data message instead of a
minigraph.
You can hover your mouse over to view a warning message.
Server Type column Lists the type of server that the protection group protects, in the
form of a link. You can click the link to view or edit the protection
settings.
See “Changing the Protection Settings for Server Types” on
page 100.
(protection group Indicates an override of the original protection group setting for
setting override) an APS. See “Overriding a Protection Group’s Settings on a
Managed APS” on page 240.
The next to the setting in a protection group row indicates an
override for at least one APS. The next to the setting in an APS
row indicates an override for that APS.
Protection Mode Indicates whether the protection mode for the protection group
column or the APS is Active or Inactive .
See “Setting the Protection Mode (Active or Inactive)” on
page 84.


Protection Level Displays the protection level that is set for the protection group
column or the APS. The protection level determines which protection
settings the protection group uses.
The protection level icons are defined as follows:
n — Global, which indicates that the protection group
inherits the protection level of each APS to which it is assigned.
n — Low
n — Medium
n — High
n — low automated
n — high automated
To view the protection level for the APS devices that are assigned
to a protection group, click (expand) next to the protection
group name.
See “About the Protection Levels” on page 86. For information
about protection level automation, see “About protection level
automation” on page 235 .
(alerts Indicates that one or more of the bandwidth threshold alerts are
configured) configured for the protection group or for an assigned APS.
You can click this icon to view the threshold alert settings in the
Alerts window.
See “About Bandwidth Alerts” on page 223.
(alerts not Indicates that bandwidth threshold alerts are not configured for
the protection group or that the alerts are disabled for an APS
configured)
assignment.
(active alerts) Displays the total number of active bandwidth threshold alerts
for the protection group in the red circle (5 in this example). You
can click this icon to open the Alerts window to view additional
information about the active threshold alerts.
See “About the active threshold alerts” below.
Last Modified Indicates the last time that the protection group or the APS was
column changed by a user or by the system.
(information) Appears in the Last Modified column if there is an audit trail entry
for the last change to the protection group or the APS. You can
click this icon to view the audit trail entry.
To close the information window, click the x.
About the active threshold alerts

You can click (active alerts) to open the Alerts window.

When you click for a protection group, APS Console displays the following
information in the Alerts window:

n the total number of active alerts by type for the protection group
n the threshold alert settings for the protection group
When you click for an APS, APS Console displays the following information in the
Alerts window:
n the number of active alerts by type for the protection group on that APS
n the protection group’s threshold alert settings and any settings that have been
overridden on that APS
To close the Alerts window, click the x.
You also can click the View Alerts link in the Alerts window, which opens the Alerts page.
If you click (active alerts) for a protection group, APS Console filters the Alerts page to
display the active alerts for that protection group. If you click (active alerts) for an APS,
APS Console filters the Alerts page to display the active alerts for the protection group on
that APS.
See “Viewing a Summary of Alerts” on page 304.

Adding, Editing, and Deleting Protection Groups

In APS Console, you can create protection groups to protect hosts on one or more APS
devices, with the most appropriate protection settings for those hosts. We recommend
that you create a custom protection group for each of the services that you want to
protect.
See “About Protection Groups” on page 218.

After you add a protection group in APS Console, you can assign one or more APS devices
to it. See “Assigning APS Devices to Protection Groups” on page 237.
Adding a protection group

To add a protection group:
2. On the List Protection Groups page, click Add IPv4 Protection Group or Add IPv6
Protection Group.
Tip
If you add both IPv4 protection groups and IPv6 protection groups, we recommend
that you prepend “IPv4” or “IPv6” to the protection group name. This prefix helps you
to quickly identify the protection group’s protocol when you see the name.
3. In the Add Protection Group window, configure the protection group settings.
See “Protection group settings” on page 233.
4. Click Save.
6. On the List Protection Groups page, you can assign one or more APS devices to the
protection group in the following ways:
l In the status message at the top of the List Protection Groups page, click Assign it
to an APS.
l In the protection groups list, click (context menu) to the right of the protection
group name, and then select Manage APS Assignments.
You can assign an APS to a maximum of 50 protection groups. See “Assigning APS
Devices to Protection Groups” on page 237.
About editing a protection group

You can make the following changes to protection groups in APS Console:
n When you first create and test a new protection group, you can set its protection mode
to inactive so that it does not affect traffic. After you assign APS devices to the protection
group and test the protection group on those APS devices, you can change the
protection mode to active.
n You can change a protection group’s protection level to mitigate attacks against the
protected hosts on the APS devices that are assigned to the protection group.
n You can change the bandwidth thresholds that determine the amount of traffic that
automates the protection level or triggers an alert for a protection group.

n You can add or remove protected hosts. The default protection group protects any IPv4
hosts that are not assigned to a custom protection group.
n You can rename a protection group, and change its description.
Note
You can override a protection group’s settings for protection mode, protection level,
threshold alerts, and protection level automation on an individual APS. See “Overriding a
Protection Group’s Settings on a Managed APS” on page 240.
Editing a protection group

To edit a protection group:
3. Hover your mouse pointer over the protection group name, and then click
(context menu).
4. In the context menu, select Edit.
5. In the Edit Protection Group window, change the protection group settings.
See “Protection group settings” on the facing page.
6. Click Save.
About deleting a protection group

You can delete protection groups on the List Protection Groups page in APS Console.
However, you cannot delete the default protection group.
When you delete a protection group, APS Console makes the following changes on all of
the APS devices that are assigned to the protection group:
n removes the protection group, and the default protection group protects any of the
IPv4 prefixes that are not assigned to another protection group
Note
The default protection group does not protect IPv6 prefixes.
n removes the items that were blacklisted or whitelisted for that protection group
n removes the protection group from any scheduled reports in which the protection
group is included
Note
APS never removes data from existing reports.
Deleting a protection group

To delete a protection group:
3. Hover your mouse pointer over the protection group name, and then click
(context menu).

4. In the context menu, select Delete.

5. In the confirmation message window, click Delete.
Protection group settings

The following table describes the protection group settings in the Add Protection Group
window and Edit Protection Group window.
Protection group settings

Setting Description
Name box Type a name to identify the protection group throughout the UI.
Protected Hosts You can specify IPv4 hosts and IPv6 hosts in any of the following
box forms:
n A host IP address, such as 192.0.2.1 or 2001:DB8::2.

n A valid hostname, such as myserver.mycompany.net. The
hostname resolves to its corresponding IP address and prefix.
n An IP address and routing prefix in CIDR form, such as
192.0.2.0/24 or 2001:DB8::/32.
To protect a large number of hosts — for example, thousands of

hosts — We recommend that you use a CIDR prefix instead of
specifying individual prefixes.
Note
You can add the same prefix to multiple protection groups.
However, you cannot assign an APS device to multiple protection
groups that contain the same prefix.
Server Type list Select the type of server that the protection group protects. The
server type determines the protection settings that are available for
the protection group.
When you create an IPv4 protection group, you can select a
standard IPv4 server type.
When you create an IPv6 protection group, the Generic IPv6
Server server type is selected by default. This server type is the only
standard server type that is available for IPv6 protection groups.
Protection Mode Select Active or Inactive to configure the protection mode.

options APS mitigates traffic for a protection group only when the
protection mode is active for both the protection group and the
APS.
To change the protection mode for all of the APS devices that are
assigned to the protection group, see “About editing a protection
group” on page 231 . To change the protection mode for a specific
APS, see “Overriding a Protection Group’s Settings on a Managed
APS” on page 240 .
See “Setting the Protection Mode (Active or Inactive)” on page 84.

Protection group settings (continued)

Setting Description
Protection Level Select an icon to set the protection level for the protection group
options (global, low, medium, or high). A check mark in the icon indicates
which level is selected.
The protection level icons are defined as follows:
— Global
— Low
— Medium
— High
If you select the global icon, the protection group uses the APS
protection level. For information about the global protection level,
see “About the Protection Levels” on page 86 . Also, see “Changing
the Protection Level” on page 253 .
Note
To change the protection level for a protection group on a specific
APS, see “Overriding a Protection Group’s Settings on a Managed
APS” on page 240 .
Description box Type a description that can help to identify the protection group.
Detection and Use the settings in this section to configure alerting that is based on
Automation Policy a user-specified traffic threshold or a global traffic threshold. You
section also can automate the protection level for a protection group,
based on the total traffic threshold. See “About protection level
automation” on the facing page.
Total Traffic Select an option to configure the level of total traffic that causes the
options APS to automate the protection level or trigger total traffic alerts for
the protection group:
n Automatically change the protection level using the

global total traffic threshold setting on APS
APS uses the global total traffic threshold setting to determine
when to automate the protection level and trigger this type of
alert.
n Automatically change the protection level when traffic
exceeds
Specify a total traffic threshold in bps, pps, or both bps and pps.
n Alert using global total traffic threshold setting on APS
APS uses the global total traffic threshold setting to determine
when to trigger this type of alert.
n Alert when traffic exceeds
Specify a traffic threshold in bps, pps, or both bps and pps.
n Do not alert based on the total traffic threshold
Disables the protection level automation and total traffic alerts
for the protection group.

Protection group settings (continued)

Setting Description
Blocked Traffic Select an option to configure the level of blocked traffic that causes
options the APS to trigger blocked traffic alerts for the protection group:
n Alert using global blocked traffic threshold setting on

APS
APS uses the global blocked traffic threshold setting to
determine when to trigger this type of alert.
n Do not alert based on the blocked traffic threshold
Disables the blocked traffic alerts for the protection group.
Botnet Traffic (IPv4 protection groups only) Select an option to configure the level
options of botnet traffic that causes APS to trigger botnet traffic alerts for
the protection group:
n Alert using global botnet traffic threshold setting on APS

APS uses the global botnet traffic threshold setting to determine
when to trigger this type of alert.
n Do not alert based on botnet traffic threshold
Disables the botnet traffic alerts for the protection group.
About protection level automation

To automate the protection level for a protection group, you select a Detection and
Automation Policy for total traffic to change the protection level automatically . After you
select a policy that changes the protection level, APS sets the protection group’s protection
level to low. If traffic to the protection group exceeds the total traffic threshold, then, within
one minute, APS changes the protection level to high and triggers an alert.
The protection level remains high for at least five minutes. At any time after that, if the
traffic level falls below the threshold, the protection level returns to low.
After APS Console synchronizes with the managed APS devices, the protection group's
protection level is set to low on each APS that is assigned to the protection group.
However, after the synchronization, APS Console no longer controls the protection group’s
protection level on the APS devices.
Instead, on the List Protection Groups page, the Protection Level column for each APS
displays the current state of the protection level on that APS.
See “Viewing the Status of Protection Groups” on page 225.

If you change a protection group’s protection level when automation is enabled, then APS
Console disables automation and changes the protection level on the assigned APS
devices.

You also can disable the automation by changing the total traffic setting to an alerting
option or by turning off the automation and alerting. In this case, the protection level is set
to low on all of the APS devices, even APS devices that are at the high protection level.
To disable the protection level automation on a single APS, see “Overriding a Protection
Group’s Settings on a Managed APS” on page 240 .
Propagating protection group settings to APS devices

APS Console propagates the settings you configure for the protection groups to the APS
devices that are assigned to the protection groups.
Caution

Assigning APS Devices to Protection Groups

After you add a protection group in APS Console, you can assign one or more APS devices
to the protection group. After you assign an APS to a protection group, the next time APS
Console synchronizes with the APS devices it manages, it copies the protection group to
that APS.
The maximum number of custom protection groups to which you can assign APS
depends on the APS device, as shown in the following table.
Maximum number of APS assignments to custom protection groups

APS device Maximum number of assignments
2800 99
2600 99
2100 49
2000 49
vAPS 49
vAPS with a minimum configuration 9
Note
For information about the vAPS minimum configuration, see the Virtual APS Installation
Guide .
All of the APS devices that APS Console manages are assigned automatically to the default
protection group. However, the default protection group only protects IPv4 prefixes. The
default protection group does not protect IPv6 prefixes.
After you assign at least one APS device to a protection group, you can view the protection
group traffic on the View Protection Group page. See “Viewing the Traffic Activity for a
You can override the protection group settings for protection level, protection mode, and
threshold alerts on any managed APS. See “Overriding a Protection Group’s Settings on a
Managed APS” on page 240.
User access
Only administrators can assign APS devices to, or remove APS devices from, protection
groups. See “About User Groups” on page 38.

Assigning APS devices to a protection group

To assign APS devices to a protection group:
1. Navigate to the Manage APS Assignments window in one of the following ways:
From the status message Click the Assign it to an APS link.

that appears at the top of
the List Protection Groups
page after adding a
protection group
From the menu a. Select Protect > Inbound Protection >

Protection Groups.
b. (Optional) On the List Protection Groups page, filter
the list to find a specific protection group. See
“Searching for protection groups” on page 226.
c. Hover your mouse pointer over the name of a
specific protection group, and then click
(context menu).
d. In the context menu, select Manage APS
Assignments.
2. (Optional) In the Manage APS Assignments window, type a string in the Filter List
box to filter the APS names in the Available list.
The Available and Assigned lists display up to 25 characters of an APS name. If an APS
name exceeds 25 characters, hover your mouse pointer over it to view the entire
name.
3. Assign APS devices to the protection group in one of the following ways:
To assign all of the available Click Assign All.

APS devices
To assign individual APS a. Select the APS names in the Available list.
devices b. Click Assign .
To assign a single APS device Double-click the name in the Available list.
4. Click Save.
If a prefix in the protection group is included in a protection group that is already
assigned to a selected APS, you cannot save the assignments. You also cannot save
the assignments if a selected APS is assigned to its maximum number of protection
groups. To proceed, unassign any APS devices that cannot be assigned or click
Cancel.
Removing APS assignments from a protection group

To unassign APS devices that are assigned to a protection group:


3. Hover your mouse pointer over the protection group name, and then click (context
menu).
4. In the context menu, select Manage APS Assignments.
5. (Optional) In the Manage APS Assignments window, type a string in the Filter List
box to filter the names in the Assigned list.
The Available and Assigned lists display up to 25 characters of an APS name. If an APS
name exceeds 25 characters, hover your mouse pointer over it to view the entire
name.
6. Remove an APS from the protection group in one of the following ways:
To unassign a single APS Double-click the APS name in the Assigned list.
device
To unassign individual a. Select the APS names in the Assigned list.

APS devices b. Click Unassign .
To unassign all of the APS Click Unassign All.

devices
7. Click Save.
Removing a single APS assignment from a protection group

To unassign a single APS:
3. To view the APS devices that are assigned to a protection group, click (expand) to
the left of a protection group name.
4. Hover your mouse pointer over the name of a specific APS, and then click (context
menu).
5. In the context menu, select Unassign from Protection Group.

Overriding a Protection Group’s Settings on a Managed

APS
By default, every APS device that is assigned to a protection group uses the settings that
you configure for that protection group. However, for a specific APS device, you can
override the protection group’s settings for protection level, protection mode, and
bandwidth alerts.
Indicator of an override
To indicate the override of a protection group setting, APS Console displays (protection
group override) next to the setting on the List Protection Groups page.
The in a protection group row indicates that there is an override for the setting on at
least one APS device. The in the row for an APS device indicates that there is an override
for the setting on that APS.
Overriding a protection group’s settings for an APS

To override a protection group’s settings for a specific APS:
3. Click (expand) next to the name of a protection group to view its APS assignments.
4. Next to the name of an APS, click (context menu), and then select Edit .
5. In the Configure Protection Group on APS window, for each setting that you want to
change, click Configure the Protection Group Setting for this APS. You can
change the following settings:
l Protection level. You also can choose to automate the protection level by using a
total traffic threshold. See “About protection level automation” on page 235.
l Protection mode
l Threshold alerts for total traffic, blocked traffic, and botnet traffic
6. Configure the protection group settings that you selected to override on this APS. See
“Protection group settings” on page 233 for the descriptions of these settings.
7. Click Save.
Reverting to the original protection group settings

To revert to the original protection group settings for a specific APS:
3. Next to the name of a protection group, click (expand) to view its APS assignments.
4. Next to the name of an APS, click (context menu), and then select Edit .
5. In the Configure Protection Group on APS window, click Use the Protection Group

setting for each setting that you want to revert.

6. Click Save.


Section 13:
Mitigating Attacks
APS blocks attacks automatically based on the protection settings that define malicious
traffic. However, certain attacks may require that you take action to block them. This
section describes how to respond to attacks that are not blocked automatically.
In this section
About Attack Mitigation 244

Workflow for Routine System Monitoring 246
Indicators of Attacks and Mitigations 248
Mitigating an Attack by Raising the Protection Level 251
Changing the Protection Level 253
Identifying and Blocking an Attack 255

About Attack Mitigation

The focus of APS is on the automatic detection and mitigation of attacks. When APS is in
active mode, it continually blocks any malicious traffic that it detects. However, additional
solutions are available to help you to monitor the system and block the attacks that are
not mitigated automatically.
When to actively mitigate an attack

You might need to take steps to block an attack under the following conditions:
n The protection settings and thresholds for the active protection level do not block the
attack.
For example, if the ICMP Flood Detection settings are disabled for the low protection
level, then APS does not detect ICMP floods at that protection level.
n The threshold for automatic Cloud Signaling is disabled or no threshold is configured.
n APS cannot mitigate the attack for reasons beyond its control.
For example, if an attack overloads routers that are deployed upstream of APS, then
APS cannot detect or mitigate that attack.
About attack mitigation from APS Console

When you use APS Console to manage APS devices, you should perform any mitigation
tasks in APS Console.
Caution
Because the configurations from APS Console can overwrite the ones on APS, any local
changes that you make on APS might be lost. Generally, you should not make local
changes on a managed APS, although you might occasionally need to do so. For
example, you might lose the connection between APS Console and an APS during a high-
volume DDoS attack. In that case, you can make local changes on the APS to mitigate the
attack.

Section 13: Mitigating Attacks
Options for mitigating inbound attacks

The following table describes your options for blocking an attack that is not mitigated
automatically. The options that you use depend on the type of attack, your knowledge of
network security, and your organization's policies.
Options for mitigating inbound attacks

Option Description
Follow your If your organization has an attack policy, or playbook, follow the
organization’s procedures that are provided there. If your organization does not
standard have an attack playbook, then continue with the following steps.
procedures.
Raise the You can try to mitigate an attack by raising the global protection
protection level. level or the protection group protection level. Use this option when
you have little time or knowledge of network security and you
need to stop an attack as quickly as possible. Alternatively, you
might raise the protection level only after other attempts to
mitigate an attack are unsuccessful. See “Mitigating an Attack by
Raising the Protection Level” on page 251.
Remember that the risk of blocking clean traffic increases with the
level of protection. For information about the protection levels and
the protection and risk that are associated with each one, see
“About the Protection Levels” on page 86.
Identify and block If you can identify the source of an attack, you can block its traffic
specific attack in the following ways:
traffic. n Blacklist the traffic source.
n Create a regular expression to match the traffic and enter it in
the appropriate protection setting.
n Create an FCAP expression to match the traffic and enter it in
the appropriate protection setting.
See “Identifying and Blocking an Attack” on page 255.
Edit the protection If you can identify the type of attack, you can try to block it by
settings. changing the protection settings that typically block that type of
attack. See “Changing the Protection Settings for Server Types” on
page 100.
For example, your network experiences an ICMP flood but APS
does not detect it. If you can block the attack by changing the
Maximum Request Rate for the target protection group, you
can avoid changing the protection level.

Workflow for Routine System Monitoring

Because APS can detect and mitigate most attacks automatically, the majority of your
interaction with the system should be to monitor its operations. By developing a routine
system monitoring workflow, you can ensure that APS always provides optimum
protection from attacks.
Regular monitoring can help you to learn about your network’s normal traffic levels so that
you can more easily recognize anomalies. Regular monitoring can also help you to detect
the attacks that are not mitigated automatically. As you learn more about those types of
attacks, you can refine the protection settings so that APS can detect and mitigate them
according to your preferences.
When you use APS Console to manage APS, you can perform these tasks for multiple APS
devices or multiple protection groups.
Workflow
Your APS monitoring workflow should allow you to answer the following questions:
Workflow for routine system monitoring

Question Task
Do any system problems On the Dashboard page, view the Active Alerts section. See
need attention? “Viewing Active Alerts on the Dashboard” on page 297.
If you use APS Console In APS Console, view the connection status and
to manage APS, is the synchronization status for each managed APS in the System
APS connected and Information section on the Summary page.
synchronized?
Is the ATLAS Intelligence On the Configure AIF Settings page, view the status of the AIF
Feed (AIF) update update. On the Change Log page, view the update
working? information. See “Viewing the Status of ATLAS Intelligence
Feed Updates” on page 62.
Is the network under an APS can proactively inform you of attacks and other traffic
attack that APS is not anomalies that require your attention. If you have enabled
blocking? thresholds for total traffic alerts or botnet alerts, an alert
occurs when a protection group’s traffic exceeds one of the
thresholds. These alerts appear on the System Alerts page as
well on other pages in the UI.
In the absence of alerts, you can view specific pages in the UI
for information that can help you to detect an attack. See
“Indicators of Attacks and Mitigations” on page 248.

Workflow for routine system monitoring (continued)

Question Task
Is APS blocking the n Display and review the Blocked Hosts Log page. See
appropriate traffic? “Viewing the Blocked Hosts Log” on page 262.
n For each protection group, display and review the View
Protection Group page. See “Viewing the Traffic Activity
for a Protection Group” on page 194.
n Display and review the Blocked Hosts Log page. See
What hosts are currently
“Viewing the Blocked Hosts Log” on page 262.
blocked, and should
they be unblocked or
whitelisted?

Indicators of Attacks and Mitigations

APS provides several ways for you to determine whether your network is under attack and
whether APS is blocking the attack traffic.
If you have enabled alert thresholds, an alert can be the first sign that you are under
attack, in addition to any external indications. See “Alerts that indicate attacks” below and
“External attack symptoms” on page 250 .
Whether or not you receive an alert, you can view the extensive traffic statistics that appear
in APS Console. In particular, you can view the traffic graphs that provide a quick visual
indication of the state of your network traffic. Additional statistics provide more details
about the data that is provided in the graphs. See “Graphic indicators of an attack” on the
facing page.
For general information about mitigation, see “About Attack Mitigation” on page 244 .
How to verify that a mitigation is working

After you take steps to block an attack, confirm that the attack is blocked.
n View the protected service from a customer’s perspective. For example, open a web
browser and try to open the web site that was reported as unavailable.
n If you received a bandwidth alert, use the information in the alert to find where to view
the behavior that triggered the alert. You might also note whether the alert expired.
n View the graphs and statistics that indicated the attack.
Alerts that indicate attacks

If you have enabled thresholds for total traffic alerts or botnet alerts, an alert occurs when
a protection group’s traffic exceeds one of the thresholds. These alerts are collectively
called bandwidth alerts.
n Total traffic alerts inform you of spikes in the traffic to protected services so that you can
investigate the cause and take action if necessary.
n Botnet alerts indicate that a botnet attack might be underway and suggest the
protection level that would block the botnet traffic.
n Blocked host alerts inform you of spikes in the amount of blocked traffic, which might
indicate that an attack is underway. You might want to determine if blocking the traffic
restored a sufficient level of service or if you need to take action to block additional
traffic.
Each alert includes information that can help you to investigate the alerting behavior
further. The information varies by the type of alert. For example, an alert might include the
protection group name, the blocked host IP address, or a URL to the page where you can
view further information.
When you use APS Console to manage APS, you can view the alerts for multiple APS
devices. To do so, view the Dashboard page or the Alerts page (Explore > Alerts) in APS
Console.

Graphic indicators of an attack

In the absence of alerts, you can view specific pages in the UI for information that can help
you to detect an attack. In particular, look for a significant increase in traffic or an
unexpected traffic spike in any of the following graphs.
In APS Console, these graphs typically represent an aggregate of the inbound traffic for
multiple protection groups or multiple APS devices.
Total traffic graphs

This type of graph can represent the amount of traffic flow, the traffic rate, or the request
rate.
Depending on where the graph appears, the traffic might appear in a color other than
blue, and the graph might display stacked data.
Attack and mitigation indicators in the total traffic graphs

Graph Meaning
Unblocked attack — A significant increase in the level of total
traffic usually indicates an attack that is not sufficiently blocked.
Partially blocked attack — The graph shows only a minor drop in

the level of traffic. Additional mitigation steps might be necessary.
Blocked attack — The graph shows a significant drop in the level

of traffic. The level of traffic appears to be normal.
Blocked-passed traffic graph

This type of graph shows the level of passed traffic in green and the level of blocked traffic
in red, and appears in the following locations:
n On the Dashboard page, in the Total Inbound APS Traffic graph
n On the List Protection Groups page, in the minigraphs for the protection groups and
appliances
n On the View Protection Group page, in the following sections: Total Protection Group
Traffic and IP Location
Attack and mitigation indicators in the blocked-passed traffic graphs

Graph Meaning
Unblocked attack — A significant increase in the level of passed

traffic (green) and a low level of blocked traffic (red) usually
indicates an attack that is not sufficiently blocked.
Partially blocked attack — The graph shows only a minor drop in

the level of passed traffic (green). Additional mitigation steps might
be necessary.

Attack and mitigation indicators in the blocked-passed traffic graphs (con-

tinued)
Graph Meaning
Blocked attack — The graph shows a significant drop in the level of

passed traffic (green). The level of passed traffic appears to be
normal.
External attack symptoms

The initial signs of an attack might occur external to the APS Console UI. The United States
Computer Emergency Readiness Team (US-CERT) states that the following symptoms
could indicate a DoS attack or DDoS attack:
n unusually slow network performance (opening files or accessing web sites)
n unavailability of a particular web site

n inability to access any web site
n dramatic increase in the amount of spam you receive in your account
If you experience any of these symptoms, use the APS Console UI to investigate.

Mitigating an Attack by Raising the Protection Level

Typically, APS can block most attacks automatically. However, when an attack is not
blocked automatically, you must take some action to block the attack traffic.
You can try to mitigate an attack by raising the global protection level or the protection
group protection level. Use this option when you have little time or knowledge of network
security and you need to stop an attack as quickly as possible. Alternatively, you might
raise the protection level only after other attempts to mitigate an attack are unsuccessful.
For additional mitigation options, see “About Attack Mitigation” on page 244 .
The more finely tuned your protection settings are, the more successful this method of
blocking traffic will be.
On APS Console, you can change the protection level for a protection group. The new
protection level setting is then synchronized on all of the APS devices assigned to that
protection group.
Testing protection levels

Protection level icons
corresponding icon.
To change the protection level, you click the appropriate icon.

Mitigating an attack by raising the protection level

This workflow assumes that you are already aware of an attack on your network. It also
assumes that you can identify the protection group that is under attack. See “Indicators of
Attacks and Mitigations” on page 248 for information about how to recognize an attack.
Workflow for mitigating an attack by raising the protection level

Step Action
1 Does the attack affect all of the APS devices that are assigned to the protection
group?
n Yes — In the following steps, change the protection level for the protection
group. This setting is synchronized on all of the APS devices that are assigned
to the protection group. See “1About the APS Console - APS Data
n No — If the protection group is under attack on a specific APS, then in the
following steps, change the protection level for that APS.
2 Change the protection level to Medium in one of the following ways:

n For a protection group — On the View Protection Group page, edit the
protection group and select Medium. This setting is synchronized on all of
the APS devices that are assigned to the protection group. See “1About the
APS Console - APS Data Synchronization” on page 78.
n For an APS — On the List Protection Groups page, view the protection group’s
APS assignments and edit the affected APS to change its level to Medium.
If the attack is not blocked sufficiently, then change the protection level to High .
3 At the higher protection levels, APS might block valid hosts and services, such as
email servers, DNS servers, database servers, or VPNs.
When you raise the protection level, view the Blocked Hosts Log page. If you
identify a valid host, whitelist it by clicking its Details button, and then clicking
Whitelist in the Blocked Host Detail window . See “Viewing the Blocked Hosts
Log” on page 262.
4 Is the attack blocked now?

n Yes — Go to Step 6.
n No — Go to Step 5.
5 Follow your organization’s procedure for escalating the attack mitigation. This
procedure might include requesting cloud mitigation.
6 When the level of traffic returns to normal, it indicates that the attack stopped,
and you can reset the protection level to Low.
To remain protected in case the attack recurs, you might wait a few hours before
you reset the protection level.

Changing the Protection Level

The protection level determines which protection settings are in use at any given time. For
example, if the protection level is low, then the low protection settings are used to inspect
the current traffic. You can change the protection level as needed to mitigate attacks.
Generally, you should set the protection level to low, which offers the least protection but
reduces the risk of blocking clean traffic. Reserve the medium and high levels for
mitigating attacks. See “Balancing protection and risk” on page 88.
About the different protection levels

The global protection level in APS affects all of the protection groups except those that
have their own protection level configured. The protection group protection level
determines which protection settings are in use for a specific protection group. The
outbound threat filter can use the global protection level or it can have its own protection
level. The protection group protection levels and the outbound threat filter’s protection
level override the global protection level.
See “About the Protection Levels” on page 86.
Changing the protection level for multiple APS devices

When you use APS Console to manage APS, you can change the protection level for
multiple APS devices, as follows:
n By default, every APS to which a protection group is assigned uses the protection level
that you configure for that protection group. However, for a specific APS, you can
override the protection group’s protection level.
n All of the managed APS devices use the protection level that is set in the APS Console
outbound threat filter for outbound traffic.
For example, when an attack targets the servers that are protected by several protection
groups, you can raise the protection level for all of those protection groups.
Caution
Protection level icons

corresponding icon.

Changing the protection level for a protection group

To change the protection level for a specific protection group:
2. On the List Protection Groups page, hover your mouse pointer over the protection
group name, and then click (context menu).
3. In the context menu, select Edit.
4. In the Edit Protection Group window, under Protection Level, select Global, Low,
Medium, or High .
5. Click Save.
Changing the protection level for the outbound threat filter

To change the protection level for the outbound threat filter:
2. On the Outbound Threat Filter page, click (configure).
3. Under Protection Level, select Global, Low, Medium, or High .
4. Click Save.

Identifying and Blocking an Attack

Typically, APS can block most attacks automatically. However, when an attack is not
blocked automatically, you must take some action to block the attack traffic.
This process assumes that you are already aware of an attack on your network and that
APS is not blocking the attack. See “Indicators of Attacks and Mitigations” on page 248 for
information about how to recognize an attack.
If you do not want to spend time investigating, you can try to mitigate the attack by raising
the protection level or by some other method. For additional mitigation options, see
“About Attack Mitigation” on page 244 .
Identifying and blocking the source of an attack

We recommend the following process for identifying and blocking the source of an attack.
However, you can perform any of the steps in any order.
n Did you see a total traffic alert or a botnet alert, or did you receive a notification that
contained one of these alerts? Follow the link in the alert to view the View Protection
Group page.
If APS is not blocking the traffic that caused the alert, follow the next steps to investigate.
n View the Dashboard page and look for critical traffic alerts or traffic behavior that is
unusual or unexpected. See “Using the Dashboard page to identify an attack” below.
n Look for the ATLAS threat categories that are blocking attack traffic.
n If you can identify the protection group that is under attack, use the View Protection
Group page to try determine the source of the attack. See “Identifying an attack against
a protection group” on the next page.
n Run and review a packet capture and try to determine the nature of the attack. See
“Identifying an attack by examining captured packets” on page 257.
After any attempt to block the attack traffic, check the attack indicators to determine
whether your actions mitigated the attack. See “Indicators of Attacks and Mitigations” on
page 248.
Using the Dashboard page to identify an attack

View the active alerts, graphs, and data on the Dashboard page and look for traffic
behavior that is unusual or unexpected. In particular, look for unexplained traffic spikes or
a sudden, significant increase in the traffic level or traffic rate, or blocked threats.

If you see any suspicious traffic, you can take steps to investigate further.
Options for investigation or mitigation on the Dashboard page

Section Options for investigation or mitigation
Active Alerts n Go to the View Protection Group page for the alerting protection
group.
n Go to the Alerts page to view additional details about an alert or
find additional DDoS alerts. From there, you can go to the View
ATLAS Threat n Go to the Blocked Hosts Log page for a category and view the
Categories associated blocked hosts.
n Go to the Explore ATLAS Threat Categories page to examine the
threats that are blocked from your network as a result of the
ATLAS Intelligence Feed settings.
Identifying an attack against a protection group

If you can identify the protection group that is under attack, use the View Protection Group
page to try determine the source of the attack. You can view and take action on the
protection group information for an individual APS or for all of the managed APS devices.
Look for traffic behavior that is unusual or unexpected. In particular, look for unexplained
traffic spikes, a sudden, significant increase in the traffic level or traffic rate, or traffic from
an unknown or unexpected source. Also, a URL or domain that has a very high percentage
of the total traffic is often an attack target.
Options for investigation or mitigation on the View Protection Group page

Section Options for investigation or mitigation
Attack Categories Is one category blocking much more traffic than the others? If so, it
is possible that even more of that type of traffic is not blocked. If
the category is one that can be edited, edit its protection settings
so that more traffic is blocked at the lower protection levels.
Web Traffic By URL Blacklist the URL or domain.

and Web Traffic By
Domain
IP Location n Capture the packets for a country.

n Blacklist the country for the protection group or all protection
groups.
Protocols Create an FCAP expression to match a protocol and enter it in the

Filter List settings for the appropriate server type.
Services n Capture the packets for a service.

n Create an FCAP expression to match a service and enter it in the
Filter List settings for the appropriate server type.

Identifying an attack by examining captured packets

On the Packet Capture page, run and review a packet capture for a specific APS. By
examining the packet payloads, you might be able to determine the nature of the attack.
For example, you might see HTTP packets that are destined for a web page that does not
exist.
When you identify a pattern in the attack traffic, you can create a payload regular
expression to block that type of traffic. See “Configuring Regular Expression Settings from
Captured Packets” in the APS User Guide .
Investigating and blocking an attack from the Blocked Hosts Log page
After you identify the host IP address that is responsible for the attack, view information
about that host on the Blocked Hosts Log page. From there, you can add the host to the
blacklist to prevent future attacks from that host.
If you determine that the host is no longer a threat, you can remove that host from the
blacklist.
If you determine that a legitimate host is blocked, you can whitelist that host.


Section 14:
Traffic Forensics
APS provides reporting and packet capture features that enable you to gather forensic
information about traffic and attacks. In APS Console, you can view traffic information and
run packet captures for all of the instances of APS that are under management.
In this section
About the Blocked Hosts Log 260

Viewing the Blocked Hosts Log 262
Information on the Blocked Hosts Log Page 266
Viewing the ATLAS Threat Categories that Block Traffic 269
About Capturing Packets 274
Capturing Packet Information 275

About the Blocked Hosts Log

The Blocked Hosts Log page (Explore > Blocked Hosts) provides a single view of all the
DDoS attacks and threats that were blocked from your network. The Blocked Hosts Log
page displays the hosts that were blocked by all of the APS devices that are under APS
Console management. The blocked hosts data in APS Console is an aggregation of the
data from all of the APS devices.
You can specify search criteria to limit the scope of the list and you can export the resulting
list. For information about searching and viewing the Blocked Hosts Log page, see “Viewing
the Blocked Hosts Log” on page 262 .
The Blocked Hosts Log page allows you to navigate to other areas of the UI, where you can
take action on specific /blocked hosts. See “Taking action on a blocked host” on
page 262.
Why a host appears in the blocked hosts log

A source host can appear in the blocked hosts log for any of the following reasons:
n It is on the inbound blacklist and all of its traffic is blocked
n A protection category blocked its traffic and temporarily blocked the host.
n A protection category blocked some of its traffic but did not block the host.
For example, the TCP Connection Limiting category blocks the traffic that exceeds a
certain threshold but it does not block the host. In such cases, the host appears in the
blocked hosts log but not in the Temporarily Blocked Sources list.
The traffic that is blocked by the Traffic Shaping settings is an exception. Its source does
not appear in the blocked hosts log.
Because the outbound blacklist in APS and certain protection categories can block
outbound traffic, the blocked hosts log can contain hosts whose outbound traffic was
blocked.
In APS, you can configure notifications that send messages when a host is blocked.
How you can use the blocked hosts log

The following scenarios are examples of how you can use the blocked hosts log:
Global viewing of all blocked traffic

When the APS Traffic section on the Dashboard page shows a large amount of blocked
traffic, you can view the Blocked Hosts Log page to investigate. On the Blocked Hosts Log
page, you can view an aggregate of the traffic that is blocked for each host across all of the
APS devices. If you need to examine a specific host further, you can navigate to the
Blocked Hosts Log page in the APS that blocked the host.
Forensic reporting
After an attack on a specific server, you can search the blocked hosts log for that server’s
destination IP address. The resulting list shows the hosts that were involved in the attack.
You can export the list to a file and include it in a report on the attack.

Section 14: Traffic Forensics
Protection settings verification

After you configure a new protection group or change protection settings, you can search
the blocked hosts log for that group or attack category. Inspect the log to determine the
level of traffic that the protection group or attack category blocks, and use that information
to further refine the settings.
Debugging
When a customer reports that a legitimate host cannot access the server, you can search
the blocked hosts log for that source host. After you determine why the host was blocked,
you can edit your protection settings, whitelist that host, or relay the information to the
customer for corrective action.
Threat investigation
During or after an attack or another event, the traffic graphs and statistics might indicate
that certain traffic is blocked. The traffic may be blocked by an ATLAS threat category or by
the STIX IOCs in a TAXII collection. View the blocked hosts log to identify the specific threat
and the IP address (external or internal) from which the threat originated.
You can blacklist the IP address to block its traffic in the future. If the attack traffic
originated from within your network, you can notify your security operations center to the
possible threats that are in the network.

Viewing the Blocked Hosts Log

The Blocked Hosts Log page displays the hosts that are blocked now or that were blocked
in the past. You can specify search criteria to limit the scope of the list and you can export
the resulting list.
For general information about the Blocked Hosts Log page and how you can use it, see
“About the Blocked Hosts Log” on page 260 . For details about the information on the
Blocked Hosts Log page, see “Information on the Blocked Hosts Log Page” on page 266 .
Viewing blocked hosts

To view blocked hosts:
1. Select Explore > Blocked Hosts.
2. On the Blocked Hosts Log page, in the Filter section, specify the search criteria.
See “Blocked hosts search criteria” on page 264.
3. Click Search .
4. If you do not see the results you expect, adjust the search criteria and click Search
again.
From the Blocked Hosts Log page, you can navigate to other areas of the UI, where you can
take action on a specific blocked host. See “Taking action on a blocked host” below.
Opening the Blocked Hosts Log page from other UI pages

For your convenience, certain pages in the UI allow you to open the Blocked Hosts Log
page and focus on a specific item. The item that you are viewing, such as a protection
group or a source IP address, becomes the filter criteria for the page. You can search the
Blocked Hosts Log page with that filter or specify additional filter criteria. Typically, the
option to open the Blocked Hosts Log page is available from a context menu.
Taking action on a blocked host

As you review the information on the Blocked Hosts Log page, you can take action on a
specific blocked host. For example, after an attack, you can review the blocked hosts log to
determine the hosts that were involved in the attack.
You can export the blocked hosts information to a file for forensic reporting, and then
decide which of those hosts to blacklist to prevent future attacks.
The following actions are available from the Blocked Hosts Log page:
Blacklist or whitelist a blocked host

After you analyze a blocked host’s traffic, you can add the host to the blacklist or whitelist,
unblock the host, or remove the host from the whitelist. Unblocking a host removes it
from the blacklist.
In the Blocked Host Detail window, click one of the following buttons:
n Blacklist
n Whitelist
n Unblock
n Remove from Whitelist

The host’s current status determines which options are available. The direction of the
blocked traffic (inbound or outbound) determines whether the action affects the blacklist
or whitelist for inbound traffic or outbound traffic. If the host’s inbound traffic was
blocked, then these actions apply to all of the protection groups. (Outbound traffic is not
associated with the protection groups.)
Capture packets for a blocked host

You can navigate to the Packet Capture page and view the packet-level information about
the traffic on a specific blocked host.
Hover your mouse pointer over a source IP address, click (context menu), and then
select Packet Capture . When the Packet Capture page opens, the host’s IP address is
entered in the Filter section. You can start the packet capture or specify additional filter
criteria. See “Capturing Packet Information” on page 275.
View the blocking protection group

(Inbound traffic only) You can view information about the protection group that blocked a
host’s traffic by opening the View Protection Group page for that protection group.
On the Blocked Hosts Log page or in the Blocked Host Detail window, click the protection
group name link. See “Viewing the Traffic Activity for a Protection Group” on page 194.
Export the blocked hosts information

To save a record of the current blocked hosts view, you can export the blocked hosts
information in the following ways:
n Save as a PDF file by clicking (Create a PDF) on the Arbor Smart Bar. The PDF file
contains the hosts that appear on the current page.
Investigate why a DNS server appears to be blocked

The ATLAS threat categories contain threat policies that define domains that host threats.
When APS matches a domain threat policy, it does not block all of the traffic to the DNS
server and it does not block the host. APS only blocks the DNS request for a known bad
host. See “About matching domain policies” on page 54.
APS sees only the request to the DNS server, not the resolution of the IP address for the
bad host. However, the DNS server appears as a blocked destination IP address on the
Blocked Hosts Log page.
When a host is blocked by an ATLAS threat policy that contains domain-related rules,
appears next to the destination IP address on the Blocked Hosts Log page. Click to
display an explanatory message.
To determine the hostname that APS is blocking:

1. Click next to the destination address. Click the link in the message to open the
Packet Capture page with the host information entered in the Filter section.
2. On the Packet Capture page, run a packet capture and display the dropped packets.
See “Capturing Packet Information” on page 275.
If the DNS requests are intermittent, you might have to wait until the next occurrence.
3. Select a packet and view the packet details.
4. View the packet payload to see the hostname that is being requested and blocked.

If you think that the blocked traffic is legitimate, contact the Arbor Technical Assistance
Center (ATAC) at https://support.arbornetworks.com/. Your feedback helps us to
continually improve the AIF content.
Blocked hosts search criteria

The search criteria that you specify determine the blocked hosts that appear on the
Blocked Hosts Log page. For more information, see “Information on the Blocked Hosts
Log Page” on page 266 .
You can search for blocked hosts by completing any of the following options:
Blocked hosts search criteria

Option Description
Traffic Direction Select one of the following options:
options n Inbound — Displays the source hosts that are responsible for
the inbound blocked traffic. The Blocked Hosts Log page initially
defaults to the inbound blocked traffic.
n Outbound — Displays the source hosts or destination hosts
that are responsible for the outbound blocked traffic.
Time selector Select one of the time increments or click From to change the
timeframe for which the data is displayed. Only the hosts that were
blocked within this timeframe appear in the search results. See
“Changing the display timeframe” on page 28.
Filter box To find the hosts that were blocked for specific devices or
protection groups, click the Filter box and then select a device
from the list. If you are searching for inbound blocked hosts, you
also can select from a list of protection groups. If you are searching
for outbound blocked hosts, then the Outbound Threat Filter
option appears instead of the protection groups. You can select
additional devices and protection groups in any combination.
Attack To find the hosts that were blocked by one or more specific attack
Categories check categories, select the appropriate check boxes. You can select
boxes individual categories or groups of categories:
n To search all of the AIF threat categories, select the ATLAS
Threat Categories check box.
n To search all of the TAXII collections, select the STIX Threats
check box.
n To search all of the categories in the list, select the Attack
Categories check box.
Note
Blacklisted Hosts is considered a category. This category
displays the blocked traffic for blacklisted hosts.

Blocked hosts search criteria (continued)

Option Description
Threats list If you select one or more threat categories under ATLAS Threat
Categories, you can select a specific threat within the selected
categories. Select a threat from the list or type all or part of a threat
name. As you type, the system displays a list of matching threats
from which to select.
Source Hosts Type one or more hostnames, IP addresses, or CIDR blocks to

box specify the source hosts to find.
Type commas or press ENTER to separate multiple hosts.
See “Searching for hosts on the Blocked Hosts Log page” below.
Searching for hosts on the Blocked Hosts Log page

You can search for IPv4 hosts and IPv6 hosts that are on the Blocked Hosts Log page. If you
search for IPv6 hosts, you can specify IPv6 addresses that are compressed or expanded.
For example, APS searches for the same host whether you specify 2001:DB8:0:0:0:0:0:0/32
or 2001:DB8::/32.

Information on the Blocked Hosts Log Page

The Blocked Hosts Log page contains several options that allow you to take action on a
specific blocked host. See “Taking action on a blocked host” on page 262.
For information about viewing and using the blocked hosts log, see “Viewing the Blocked
Hosts Log” on page 262 .
For general information about the Blocked Hosts Log page and how you can use it, see
“About the Blocked Hosts Log” on page 260 .
About the Blocked Hosts Log page search

The search criteria that you specify determine the blocked hosts that appear on the
Blocked Hosts Log page. The display includes all of the available information about each
host as follows:
n If you search for a specific attack category, then the display includes all of the categories
or the TAXII collections that blocked each host within the selected timeframe.
The information about the hosts that are blocked by multiple instances of APS Console
can represent a large amount of data. For efficiency’s sake, when you open the Blocked
Hosts Log page, no data appears until you specify the search criteria. For more information
about searching on the Blocked Hosts Log page, see “Blocked hosts search criteria” on
page 264 .
When the search is complete, the resulting information remains on the Blocked Hosts Log
page for an hour, or until you perform another search or cancel a search. After an hour,
the system deletes the search results and resets the Blocked Hosts Log page to an empty
state.

Information on the Blocked Hosts Log page

After you complete the search, a summary of the search appears at the top of the Results
section. The Results section contains the following information:
Information on the Blocked Hosts Log page

Column Description
Source Displays the IP address of the source host.
For inbound traffic, this column represents the host that was
blocked. However, if outbound traffic was blocked because the
destination host is on the outbound blacklist, then this column
does not represent the blocked host. (A host that is on the
outbound blacklist is blocked when it is either the source or the
destination of traffic that originates from your network.)
Devices Displays the name of the APS that blocked the host and the
protection group for which the host is blocked.
If multiple APS devices blocked the host, or if multiple protection
groups are associated with the blocked host, this column displays
the number of devices or protection groups. You can view a list of
those devices and protection groups by hovering your mouse
pointer over the device name.
You can click the device name or protection group name to
navigate to the Blocked Hosts Log page in the APS that blocked the
host. The Blocked Hosts Log page displays the protection groups for
which the host is blocked.
Destination Lists the range of destination IP addresses that the blocked host
targeted. However, if outbound traffic was blocked because the
destination host is on the outbound blacklist, then this column
represents the blocked host. (A host that is on the outbound
blacklist is blocked when it is either the source or the destination of
traffic that originates from your network.)
When a host is blocked by an ATLAS threat policy that contains
domain-related rules, appears next to the destination IP address
on the Blocked Hosts Log page. The DNS server appears as the
blocked destination IP address. However, APS does not block all of
the traffic to the DNS server; it only blocks the DNS request for a
known bad host. See “About matching domain policies” on
page 54 and “Investigate why a DNS server appears to be
blocked” on page 263 .
Port Displays the destination port or destination port range on which

the traffic was blocked.

Information on the Blocked Hosts Log page (continued)

Column Description
Attack Category Displays the protection categories that blocked the traffic. If
multiple protection categories are associated with the blocked host,
this column displays the number of categories. You can hover your
mouse pointer over the number of protection categories to view a
list of the specific categories.
If the list includes the ATLAS Threat Categories, then the specific
threat categories are listed.
Note
Blacklisted Hosts is considered a category. This category
displays the blocked traffic for blacklisted hosts.
Threats Displays any threats that were blocked by the ATLAS threat
categories. Click next to a threat to view a description of that
threat.
Last Activity Displays the amount of time since the last time that the host’s traffic
was blocked. If multiple devices blocked the host, you can view a list
of those devices by hovering your mouse pointer over the Last
Activity entry. You can click a device name to navigate to the Blocked
Hosts Log page in the APS that blocked the host. The Blocked Hosts
Log page is filtered for that particular host.
Total Traffic Displays the amount of the host’s traffic that was blocked during
the specified time period. The traffic is displayed in bytes and
packets.
Traffic Rate Displays the rate of the host’s traffic that was blocked during the
specified time period. The traffic rate is displayed in bits per second
or packets per second.

Viewing the ATLAS Threat Categories that Block Traffic

The Explore ATLAS Threat Categories page displays the ATLAS threat categories that block
inbound traffic and outbound traffic on all of the APS that APS Console manages. Use this
information to examine the threats that are blocked from your network as a result of the
From this page, you can display the Threat Category Details page to view the specific
threats that each threat category blocked.
For general information about the threat categories, see “About the ATLAS Threat
Policies” on page 54.
Viewing the blocking ATLAS threat categories

To view the blocking ATLAS threat categories:
1. Select Explore > ATLAS Threat Categories.
2. (Optional) On the Explore ATLAS Threat Categories page, filter the information that
appears on the page as follows:
increments or click From, select a time range, and then click Update .
l To limit the display to specific APS devices, click the Showing All APSes link that
appears to the right of the time selector. In the Select APS Devices window, select
each APS whose traffic and threat categories that you want to view, and then click
Apply.
l To select the unit of measure for displaying traffic, click Bytes or Packets in the
upper-right corner of the page.
3. Select one of the following tabs:
l Inbound — To display the threat categories that are blocking inbound traffic.
l Outbound — To display the threat categories that are blocking outbound traffic.
4. On the Explore ATLAS Threat Categories page, you can view additional information
about the threat categories as follows:
l To hide or show the graph data for one or more threat categories, click the
category’s Key column.
l To view information about the threats that were blocked at a given time, hover your
mouse pointer over a section of a graph until a popup window appears.
5. To view the top 10 threats that a threat category blocked, click the category’s name link
or click in the area of the graph that represents the category.
When the Threat Category Details page appears, it is filtered by the same criteria as
the Explore ATLAS Threat Categories page. You can change the filter criteria as needed.
6. On the Threat Category Details page, you can view additional information about the
threats as follows:
l To hide or show the graph data for one or more threats, click the threat’s Key
column.
l To view information about the threats that were blocked at a given time, hover your
mouse pointer over a section of a graph until a popup window appears.

Information on the Explore ATLAS Threat Categories page

The Explore ATLAS Threat Categories page displays the following information for the threat
categories that blocked traffic within the display timeframe. The selected tab (Inbound or
Outbound) determines which columns appear.
Information on the Explore ATLAS Threat Categories page

Inbound Blocked (Inbound tab only) Represents the average rate of the inbound
Threats graph traffic that was blocked for all of the blocking threat categories.
You can hover your mouse pointer over a section of the graph
until a popup window appears. The popup window displays the
threat category name, amount of blocked traffic, and time that
are associated with the nearest data point on the graph. The
pointer on the popup window indicates the data point.
Outbound Blocked (Outbound tab only) Displays the blocked outbound traffic for
Threats graphs all of the blocking threat categories on the following graphs:
n The stacked graph represents the average rate of the
outbound traffic that was blocked, in bytes per second or
packets per second.
n The line graph represents the number of source hosts that
were blocked per minute.
You can hover your mouse pointer over a section of either graph
threat category name, amount of blocked traffic or blocked
hosts, and time that are associated with the nearest data point
on the graph. The pointer on the popup window indicates the
data point.
Key Shows the color that represents the specific threat category in
the blocked threat graphs and allows you to filter the graph
displays.
You can click a threat category’s key to hide or show that
category on the graph, so that you can focus on the traffic for
specific categories.
Category Displays the name of the threat category that blocked the traffic.
You can click the threat category’s name link to open the Threat
Category Details page for that category. See “Information on the
Threat Category Details page” on page 272.

Information on the Explore ATLAS Threat Categories page (continued)

(context menu) Appears when you hover your mouse pointer over a threat
category. Click , and then select one of the following options:
n Blocked Hosts — Displays the Blocked Hosts Log page with
the search criteria selected. You can start the search or specify
additional search criteria. See “Viewing the Blocked Hosts
Log” on page 262.
n (Learn more ) — Displays a description of the threat
category.
Source Hosts (Outbound tab only) Shows the aggregate sum of the hosts that
Blocked the threat category blocked for each minute of the display
timeframe. For example, if the timeframe is 1 hour, then this
column represents the sum of the hosts that were blocked for
each of the last 60 minutes.
Source Hosts (Outbound tab only) Shows the average number of source
Blocked Rate hosts per minute (pm) that the threat category blocked.
Total Bytes Blocked, Shows the amount of traffic and the average rate of traffic that
Bytes Blocked Rate the threat category blocked.
or Total Packets The traffic is displayed in bytes or packets, depending on the unit
Blocked, Packets of measure that is selected for this page.
Blocked Rate

Information on the Threat Category Details page

The Threat Category Details page displays the following information for the top 10 threats
that the selected threat category blocked. The selected tab (Inbound or Outbound)
determines which columns appear.
Information on the Threat Category Details page

Inbound Blocked (Inbound tab only) Represents the average rate of the inbound
Threats graph traffic that was blocked for the top 10 threats.
threat name, amount of blocked traffic, and time that are
associated with the nearest data point on the graph. The pointer
on the popup window indicates the data point.
Outbound Blocked (Outbound tab only) Displays the blocked outbound traffic for
Threats graphs the top 10 threats on the following graphs:
n The stacked graph represents the average rate of outbound
traffic that was blocked, in bytes per second or packets per
second.
n The line graph represents the number of source hosts that
were blocked per minute.
You can hover your mouse pointer over a section of either graph
threat name, amount of blocked traffic or blocked hosts, and
time that are associated with the nearest data point on the
graph. The pointer on the popup window indicates the data
point.
Key Shows the color that represents the specific threat in the blocked
threat graphs and allows you to filter the graph displays.
You can click a threat’s key to hide or show that threat on the
graphs, so that you can focus on the traffic for specific threats.
Threat Displays the name of the threat that the selected category
blocked.
(context menu) Appears when you hover your mouse pointer over a threat. Click
, and then select one of the following options:
n Blocked Hosts — Displays the Blocked Hosts Log page with
the search criteria selected. You can start the search or specify
additional search criteria. See “Viewing the Blocked Hosts
Log” on page 262.
n (Learn more ) — Displays a description of the threat.
Severity Indicates the severity level that ASERT assigned to this threat.

Information on the Threat Category Details page (continued)

Source Hosts (Outbound tab only) Shows the aggregate sum of the hosts that
Blocked were blocked for this threat for each minute of the display
timeframe. For example, if the timeframe is 1 hour, then this
column represents the sum of the hosts that were blocked for
each of the last 60 minutes.
Source Hosts (Outbound tab only) Shows the average number of source
Blocked Rate hosts per minute (pm) that were blocked for this threat.
Total Bytes Blocked, Shows the amount of traffic and the average rate of traffic that
Bytes Blocked Rate was blocked for this threat.
or Total Packets The traffic is displayed in bytes or packets, depending on the unit
Blocked, Packets of measure that is selected for this page.
Blocked Rate

About Capturing Packets

The Packet Capture page in APS allows you to sample the packets that APS inspects, and
capture information about the packets in real time. You can save the packet information
and you can use it to update protection settings to provide more targeted protection.
The packet capture provides a sample of the traffic data. It is not intended to capture
complete information about any given stream or application session.
How you can use captured packets

The following scenarios are examples of how you can use the captured packet
information:
How you can use captured packets

Use Scenario
Create protection Your network is under an attack that is outside the scope of the
settings for current protection settings; for example, a custom URL attack. You
unique attacks identify the target protection group and service, but you cannot
determine the target URL. You can capture and inspect the packets
that target the protection group and service. When you identify the
target URL, you can blacklist it from within the Packet Capture page
on APS to block all future traffic to that URL.
Forensic reporting During an attack on a specific service, you capture a sample of the
packets that contain headers for that service. After inspecting the
packets, you save the packet information to a packet capture
(PCAP) file. You can use the PCAP file in a packet analysis program,
save it for reporting purposes, or send it to Arbor for technical
assistance.
Investigate false Clean traffic is blocked and you need to determine the cause so
positives that you can change your protection settings or whitelist the host.
You can investigate false positives by capturing the packet or
packets that caused a specific host’s traffic to be blocked.

Capturing Packet Information

The Packet Capture page in APS allows you to sample the packets that APS inspects, and
capture information about the packets in real time.
Important
If multiple users on APS capture packets simultaneously, APS returns different packets
for each user. No two users receive the same packet.
You also can perform the following tasks on the Packet Capture page:
n Inspect the packet information. See “Information on the Packet Capture Page” in the
APS User Guide .
n Save the packet information to a packet capture (PCAP) file.
n Blacklist a packet’s source address, target domain, or target URL.
n Use the information from a captured packet to update the settings in the Payload
Regular Expression protection category. See “Configuring Regular Expression Settings
from Captured Packets” in the APS User Guide .
Capturing packet information

To capture packet information:
1. Navigate to the Packet Capture page on a managed APS in one of the following ways:
From the a. Select Protect > Inbound Protection > Protection

Protection Groups.
Groups page b. On the List Protection Groups page, click (expand) next
to a protection group name to view the APS assignments
for that protection group.
c. Hover your mouse pointer over an APS name, and then
click (context menu).
d. On the context menu, select Packet Capture.
From the Blocked a. Select Explore > Blocked Hosts.

Hosts Log page b. On the Blocked Hosts Log page, hover your mouse pointer
over a source IP address, and then click (context
menu).
c. On the context menu, select Packet Capture
2. On the Packet Capture page, in the Filter section, specify the criteria for filtering the
packet capture. See “Packet filter criteria” in the APS User Guide .
If you do not want to filter the packets, do not specify any filter criteria.
3. In the Capture section, click Start.
Note
If you specify filter criteria but do not click (add), that filter criteria is added for you
when you click Start .
4. To limit the display of the capture results, either during the capture or after the
capture, click Passed, Dropped, or All.

APS always captures all of the packets that match the criteria in the Filter section,
regardless of how you choose to display them.
5. When you want to stop the packet capture, click Pause.
If you do not stop the packet capture, it will stop automatically at 5,000 packets.
6. To view detailed information about a packet, click the packet, and then scroll down to
the Packet Details section.
7. (Optional) As you inspect the packet details, you can take action to block future traffic
from the source of the packet, as follows:
l To blacklist the source address, domain, or URL, click the associated Blacklist
button.
Note
The item is blacklisted for all IPv4 protection groups or all IPv6 protection groups.
l To add packet information to the Payload Regular Expression protection category,
click the Add to Payload Regex button. See “Configuring Regular Expression
Settings from Captured Packets” in the APS User Guide .

Section 15:
Managing Centralized Reports
This section provides information about how to configure and manage centralized reports
on the APS Console. A centralized report aggregates the data for multiple APS devices that
the APS Console manages.
In this section
About Centralized Reports 278

About the Centralized Executive Summary Report 279
Configuring On-Demand Centralized Reports 283
Viewing and Deleting Centralized Reports 286

About Centralized Reports

From the Centralized Reports page on the APS Console, you can create and manage
centralized reports. A centralized report aggregates the data for multiple APS devices that
the APS Console manages.
The report provides information about the attacks that one or more APS devices detected
and blocked on your network over time. The report also provides information about high-
level traffic trends on your network over time.
For details about how to configure a centralized report, see “Configuring On-Demand
Centralized Reports” on page 283 .
Selecting the APS devices to include in a centralized report

When you configure a centralized report, you can select the APS devices to include in the
report. You refine the report further by selecting the protection groups on those APS
devices whose data you want to include in the report.
Selecting the date range for a centralized report

When you configure a report, you select a timeframe for that report. You can select a
predefined timeframe for days, weeks, or months. You also can specify a custom
timeframe, to include data from a specific time period.
Generating a centralized report

After you configure and submit a centralized report, the APS Console generates the report.
The report runs on each of the selected APS devices and then APS Console aggregates the
data in the centralized report.
About the report data

A centralized report may include the following types of data if the data is available for the
selected protection groups:
n inbound traffic statistics
n top inbound sources

n top inbound destinations
n top inbound countries
n outbound traffic statistics
n top blocked threat categories
For more details about the information included in a centralized report, see “About the
Centralized Executive Summary Report” on the facing page.

Section 15: Managing Centralized Reports
About the Centralized Executive Summary Report

The centralized Executive Summary report provides information about the attacks that
one or more APS devices detected and blocked on your network over time. This report
also provides information about high-level traffic trends on your network over time.
You configure these reports on the Reports page. See “Configuring On-Demand
Centralized Reports” on page 283.
About the top hosts data

To include data about the top hosts in a report, you first must enable Top Sources and
Destinations tracking on the APS devices. See “Configuring General Settings” in the APS
User’s Guide
Important
Some of the data in the Executive Summary report is based on the traffic for the selected
protection groups. However, the data for the top hosts is based on all of the traffic for all
of the selected APS devices.
About the outbound traffic data

To include data about the outbound traffic in a report, you must enable the outbound
threat filter on the APS devices. See “Viewing the Outbound Threat Activity” in the APS
User’s Guide .
The outbound information includes IPv4 traffic data only.
Information in the Executive Summary report

Report header and footer
The report header contains descriptive information about the report. Some of this
information is configurable when you create the report.
Information in the report header

Section Description
Report name The user-configurable name of the report, which appears at the
top left of the page.
APS Console The hostname of the APS Console on which the report is run,
name which appears below the report name.
Description The optional user-configurable description for the report, which

appears below the APS Console name.
Summary A summary of the number of protection groups and APS devices

whose data is aggregated in the report. This information appears
below the description.
Logo The Arbor Networks logo.
Date range The user-selected date range for the data in the report, which
appears below the logo.

The report footer contains the following information:

n The user name of the person who requested the report
n The date and time on the APS Console when the report was generated
n Explanations about the data that was not included in the report, if applicable
Cloud Signaling
Important
protection groups. However, the data for Cloud Signaling is based on all of the traffic for
all of the selected APS devices.
If cloud-based mitigation occurred during the specified date range, the report includes
Cloud Signaling data. Events Mitigated shows the number of unique DDoS attacks that
were mitigated. Targeted IPs Protected shows the number of hosts in your network that
the selected APS devices protected from DDoS attacks by using cloud-based mitigation.
See “About Cloud Signaling for DDoS Protection” in the APS User Guide .
DDoS Protection
If data about the inbound traffic is available, the report includes the following information
for the selected protection groups:
n The amount of blocked inbound traffic, in bytes
n The percentage of inbound traffic that was blocked versus the total amount of inbound
traffic
n The number of unique hosts that were blocked
Note
If the number of blocked hosts exceeds 100,000, the report displays 100000+ as the
blocked hosts statistic.
n A stacked graph that displays the amount of blocked inbound traffic versus the amount
of passed inbound traffic
n The average daily amount, in bytes, of the total inbound traffic, blocked inbound traffic,
and passed inbound traffic during the specified date range
To calculate the average daily inbound traffic, the total amount of outbound traffic for
the selected APS devices is divided by the number of days in the specified date range.
n The average rate, in bps, for the total inbound traffic, the blocked inbound traffic, and
the passed inbound traffic during the specified date range
If data about the outbound traffic is available, the report includes the following
information for the selected protection groups:
n The amount of blocked outbound traffic, in bytes
n The percentage of outbound traffic that was blocked versus the total amount of
outbound traffic
n The number of unique hosts that were blocked
n A stacked graph that displays the amount of blocked outbound traffic versus the
amount of passed outbound traffic

n The average daily amount, in bytes, of the total outbound traffic, blocked total traffic,
and passed outbound traffic during the specified date range
To calculate the average daily outbound traffic, the total amount of outbound traffic for
the selected APS devices is divided by the number of days in the specified date range.
n The average rate, in bps, for the total outbound traffic, blocked outbound traffic, and
passed outbound traffic during the specified date range
If no outbound traffic is available during the specified date range, the report omits the
outbound traffic section.
Top Inbound Countries

If the data is available, the report includes the following information about the five
countries that sent the most traffic:
n A flag icon that represents the country
Note
In APS, country mappings do not exist for IPv6 addresses. As a result, the report
displays an IPv6 flag instead of a country flag when the source is an IPv6 address.
n A stacked graph that represents each country’s total passed traffic in green and its total
blocked traffic in red
n The amount of traffic from each country that was passed and blocked, in bps and pps
n The percentage of the total traffic that each country’s traffic represents, shown as a
number and as a proportion bar. The bar for the top country is the full column width
and the remaining bars are in proportion to it.
In this case, total traffic refers to the total traffic for the countries that are included in this
report.
Top Blocked Threat Categories

If the data is available, the report includes the following information about the five threat
categories in the ATLAS Intelligence Feed that blocked the most traffic:
n A stacked graph that represents the amount of inbound traffic that was blocked
n A stacked graph that represents the amount of outbound traffic that was blocked
n A key for each graph that shows the color that represents a specific threat category in
the graph
n The name of the threat category that blocked the traffic
n The amount of inbound traffic and the amount of outbound traffic that was blocked
Top Inbound Sources

Important
protection groups. However, the data for Top Inbound Sources is based on all of the
traffic for the selected APS devices.

If the data is available, the report includes the following information about the five external
IP addresses that sent the most traffic:
n The IP address for the source host. If APS can identify the host’s country, this column
also includes a flag icon that represents the country.
Note
In APS, country mappings do not exist for IPv6 addresses. As a result, the report
displays an IPv6 flag instead of a country flag when the source is an IPv6 address.
n A graph that represents the total traffic from the source
n The total amount of traffic from the source, in bytes and packets
n The average rate of traffic from the source, in bps and pps
Top Inbound Destinations

Important
protection groups. However, the data for Top Inbound Destinations is based on all of the
traffic for the selected APS devices.
If the data is available, the report includes information about the five internal IP addresses
groups that received the most traffic:
n The IP address to which the traffic is destined
n A graph that represents the total traffic to the destination

n The total amount of traffic to the destination, in bytes and packets
n The average rate of traffic to the destination, in bps and pps
APS Devices
This section lists the APS devices whose data is included in the report. You select the APS
devices when you configure the report. See “Configuring On-Demand Centralized
Reports” on the facing page.
Protection Groups
This section lists the protection groups whose data is included in the report. You select the
protection groups when you configure the report. See “Configuring On-Demand
Centralized Reports” on the facing page.

Configuring On-Demand Centralized Reports

You can configure centralized reports on the APS Console. Centralized reports aggregate
the data for multiple APS devices that the APS Console manages. The APS Console runs
the report once, immediately after you create the report.
Note
The time zone that appears on the report results is the time zone for the APS Console.
For an overview of centralized reports, see “About Centralized Reports” on page 278 . For
a description of the information that the APS Console includes in the report, see “About
the Centralized Executive Summary Report” on page 279 .
Configuring an on-demand centralized report

To configure an on-demand centralized report:
1. Select the Reports menu.
2. On the Centralized Reports page, click Configure New Report.
3. On the Step 1 page, select a date range for the data to include in the report in one of
the following ways:
l To select a predefined timeframe, select Quick Date Range, type a number in the
Last box, and select Days, Weeks, or Months.
Note
The report includes data for complete days, weeks, or months only. (A complete
week is Sunday through Saturday.) For example, if you specify a 2-month
timeframe and the APS Console generates the report on April 10, the report
includes the data for February and March only.
l To specify a custom timeframe, select Custom Date Range. Select a start date in
the From calendar and select an end date in the To calendar.
For guidelines on how to specify a custom date range, see “Setting a custom date
range” on page 285 .
4. Click Next.
5. On the Step 2 page, all of the APS devices that the APS Console manages are selected
by default. If you do not want to include all of the APS devices in the report, complete
one of the following steps:
l To deselect all of the APS devices, select the check box next to the APS column
header. Then select the check box next to each APS device to include.
l To exclude an APS device, clear the check box next to the APS device in the Name
column.
You must select at least one APS device before you can continue to the next step.
Tip
To filter a large list of APS devices, search by an APS device name or an IP address in
the Search box. To search by name, enter the full name or a partial name of one or
more APS devices. To search by IP address, enter the full IP address or a partial IP
address.
6. Click Next.

7. On the Step 3 page, all of the protection groups are selected by default. The list
includes all of the protection groups to which the selected APS devices are assigned. If
you do not want to include all of the protection groups in the report, complete one of
the following steps:
l To deselect all of the protection groups, select the check box next to the Protection
Groups column header. Then select the check box next to each protection group to
include.
l To exclude a protection group, clear the check box next to the protection group
name.
You must select at least one protection group before you can continue to the next
step.
Tip
To filter a large list of protection groups, enter the name of a protection group or a
server type in the Search box. You can enter the full name or the partial name of
one or more protection groups or server types.
8. Click Next.
9. On the Step 4 page, in the Reporting on section, review the settings that you selected
on the previous pages. To change any of these settings, click Previous to return to the
appropriate page.
10. In the Name box, type a name for the report. The name may contain up to 56
characters.
11. (Optional) In the Description box, type a description for the report. The description
may contain up to 132 characters.
12. (Optional) In the Audit Trail Change Message box, type a message that describes
the change. This message will appear in the audit trail. See “Viewing the Audit Trail
Log” on page 319.
13. (Optional) To deliver the report results as a PDF file to specific destinations, type one
or more email addresses in the Email Addresses box. Enter multiple emails as a
comma-separated list.
Important
To send emails from APS Console, you must configure an SMTP server on the
Configure General Settings page (Administration > General). See “Configuring
General Settings” on page 32.
14. Click Submit.
After you submit the report, the report is added to the list on the Centralized Reports page.
The location of the report in the list is based on the selected sort order. However, if you
sort the reports by Run Date (ascending or descending), any requested reports or running
reports appear at the top of the list. After APS Console generates the report, the report is
added to the list in the selected Run Date order.
For information about sort order, see “Sorting the list of reports” on page 288 . For
information about how to view the report results, see “Viewing the results for a
centralized report” on page 286 .

Setting a custom date range

When you specify a custom date range on the Step 1 page of the Configure New
Centralized Report wizard, the following guidelines apply:
n To change the month that appears in a calendar, click (previous) or (next).
n After you select a start date in the From calendar, you cannot select any dates prior to
that date in the To calendar.
n If you select start and end dates that are in the same month, you cannot select a new
start date in any month that follows the selected month. You have to pick a new date in
the To calendar first.
n In the To calendar, you cannot select an end date that falls after the current date.
n The timeframe for the report starts at 12:00 A.M. on the selected start date and ends at
11:59:59 P.M. on the selected end date.
Note
If you select the current day as the end date in the To calendar, the end time for the
report is the time at which you submit the report.
Viewing the results

After the APS Console generates a centralized report, you can view the results online with
your default browser. You also can export the results as a PDF file. See “Viewing and
Deleting Centralized Reports” on the next page.

Viewing and Deleting Centralized Reports

On the Centralized Reports page, you can view the centralized reports that you configure
and run on the APS Console. Centralized reports aggregate the data from multiple APS
devices that the APS Console manages.
You also can delete centralized reports on this page. See “Deleting centralized reports” on
page 288.
For instructions on how to configure centralized reports, see “Configuring On-Demand
Centralized Reports” on page 283 .
For a description of the information that the APS Console includes in these reports, see
“About the Centralized Executive Summary Report” on page 279 .
Viewing the results for a centralized report

To view the report results:
2. (Optional) On the Centralized Reports page, change the sort order of the reports in
the list. See “Sorting the list of reports” on page 288.
3. (Optional) To limit the number of reports in the list, filter the list. See “Filtering the list
of reports” on the facing page.
4. Complete one of the following steps:
l Click the report name link to view the report in your default browser.
l Click (context menu) to the right of the report name and select Export as PDF to
generate a PDF file of the report.
Information on the Centralized Reports page

The Centralized Reports page provides the following information:
Centralized Reports information

Search box Allows you to filter the list of reports by the information in the
following columns:
n Name
n Requested by
Configure New Allows you to configure an on-demand report that aggregates

Report button data from multiple APS devices that the APS Console manages.
See “Configuring On-Demand Centralized Reports” on page 283.
Selection check Allow you to select one or more of the reports to delete.
boxes You cannot delete reports with a status of Requested or Running.

Centralized Reports information (continued)

Name column Displays the name of the report. After the APS Console generates
the report, the report name appears in the form of a link. Click the
link to open the report in your default browser.
Note
If the report fails, the report name appears, but the name is not
linked to report results. Instead, the Report Status column
indicates that the report failed.
(context menu) Appears in the Name column. Click the icon and select Export as
PDF to generate a PDF file of the report.
Run Date column Indicates the date and time on which the APS Console generated
the report. The run date is based on the time zone for the APS
Console.
Report Status Indicates the state of the report. The possible states are as follows:
column n Requested — Appears after the report has been configured,
but before APS Console starts generating the report
n Running — Appears while APS Console is generating the report
n Completed — Appears after the report is complete, and you
can view the results
n Failed — Appears if the APS Console cannot complete the
report. If the report fails, click (error) to view the reason for
the failure.
Date Range Indicates the start date and the end date for the data in the report.
column
Requested by Indicates the name of the person who configured the report.
column
Delete button Deletes the selected reports.
Filtering the list of reports

To filter the list of reports on the Centralized Reports page, you can search for one or more
reports. You can search by report name or by the name of the person who requested the
report.
To filter the reports:

2. On the Centralized Reports page, in the Search box at the top of the page, enter any
of the following text strings:
l the full name or partial name of one or more reports
l the full name or partial name of a person who requested a report
The APS Console filters the list of reports as you type.

Note
If you enter the name of a report or the name of a requester that is not in the list, the
APS Console hides all of the reports.
3. To clear the filtered list and view all of the reports, click (clear).
Sorting the list of reports

On the Centralized Reports page, you can sort the reports by the information in the
following columns, in ascending or descending order:
n Name
n Run Date
n Report Status
n Requested By
The selected sort applies to all of the reports in the list, including reports that APS Console
is generating or reports that have the Requested status. However, if you sort the reports by
Run Date (ascending or descending), any requested reports or running reports always
appear at the top of the list. After the reports are complete, the APS Console adds them to
the list in the selected Run Date order.
To change the sort order of the reports on the Centralized Reports page:
2. On the Centralized Reports page, change the order of the reports in one of the
following ways:
l To change the direction of the sort in the currently selected column, click
(ascending) or (descending) to the right of the column name.
l To change the column to sort the reports by, click (ascending) or
(descending) to the right of different column name.
Deleting centralized reports

Caution
You cannot undo the deletion of reports.
To delete one or more of the centralized reports:

2. On the Centralized Reports page, complete one of the following steps:
l Select the check box for each report to delete, and then click Delete .
l Select the check box to the left of the Name column header to select all of the
reports, and then click Delete .
3. (Optional) in the Confirmation Needed window, type a message in the Audit Trail
Change Message box that describes the change. This message will appear in the
audit trail. See “Viewing the Audit Trail Log” on page 319.
4. Click Delete.

Part IV:
Network Management

Section 16:
Viewing Network Activity on the
Dashboard
This section describes how to use the Dashboard page to view the security status of your
network.
In this section
Viewing a Dashboard of Network Activity 292

Viewing APS Traffic on the Dashboard 294
Viewing Active Alerts on the Dashboard 297

Viewing a Dashboard of Network Activity

The Dashboard page provides an overview of the security status of your network. On the
Dashboard page, you can view an aggregation of the critical events, traffic, and threats that
are identified, blocked, and monitored by APS Console and APS.
The Dashboard page appears by default when you log in to APS Console.
Note
The filters for the timeframe and the unit of measure do not affect the Active Alerts
section.
Viewing the Dashboard page

To view the Dashboard page:
1. Select the Dashboard menu.
2. (Optional) On the Dashboard page, filter the information that appears on the page as
follows:
Apply.

Section 16: Viewing Network Activity on the Dashboard
Information on the Dashboard page

The Dashboard page contains the following sections:
Sections on the Dashboard page

Section Description
Active Alerts Displays the five most critical alerts of any type in APS Console and
any APS devices that it manages. Use this information to determine
which alerts require immediate attention.
See “Viewing Active Alerts on the Dashboard” on page 297.
APS Traffic Displays the following information about APS traffic:

n Total APS Traffic section — Displays a real-time aggregate of the
traffic that is blocked and passed by all of the APS devices across
the network over time.
Use this information to gain visibility into the combined
performance of the managed APS devices.
n ATLAS Threat Categories section — Displays the five threat
categories that were responsible for blocking the most inbound
traffic and outbound traffic across all the managed APS devices.
Use this information to determine the amount of traffic that was
blocked across all of the managed APS devices as a result of the
See “Viewing APS Traffic on the Dashboard” on the next page.

Viewing APS Traffic on the Dashboard

On the Dashboard page, the APS Traffic section displays information about the traffic for
all the managed APS devices.
If no APS devices are under APS Console management, then a “No Data” message
appears.
For general information about the Dashboard page, see “Viewing a Dashboard of
Network Activity” on page 292 .

To view the Dashboard page:
1. Select the Dashboard menu.
2. (Optional) On the Dashboard page, filter the information that appears on the page as
follows:
Apply.
Information in the Total APS Traffic section

This section displays a real-time aggregate of the traffic that is blocked and passed across
all of the managed APS devices over time.
Total APS Traffic details

Traffic graph Displays a stacked graph that represents the total passed traffic
in green and the total blocked traffic in red.
Below the traffic graph, you can click (Passed) or

(Blocked) to show and hide the different types of traffic. Your
selections are retained until you navigate away from the
Dashboard page.
APS devices reporting Displays the number of APS devices that are reporting traffic
message compared to the total number of APS devices that are under
management. This information can indicate any
communication errors that might affect the data in the graph.
Information in the ATLAS Threat Categories section

This section shows how the ATLAS Intelligence Feed (AIF) helps APS to block threats
automatically. This section displays the five ATLAS threat categories that blocked the most
inbound traffic and outbound traffic on all of the managed APS devices. Use this

information to examine the threats that are blocked from your network as a result of the
This section contains two graphs and their accompanying data tables; one for inbound
traffic and one for outbound traffic.
ATLAS Threat Categories details

Inbound Blocked Represents the average rate of the inbound traffic that was
Threats graph blocked for the top five threat categories.
threat category name, amount of blocked traffic, and time that are
Outbound Blocked For outbound traffic, represents the number of source hosts that
Threats graph were blocked per minute for the top five threat categories.
threat category name, number of blocked hosts, and time that are
Key Shows the color that represents the specific threat category in the
blocked threat graphs and allows you to filter the graph displays.
You can click a category’s key to hide or show that threat category
on the graphs, so that you can focus on the traffic for specific
categories.
Category Displays the category’s name as a link that allows you to open the
Threat Category Details page for the category. See “Information
on the Threat Category Details page” on page 272.
(context menu) Appears when you hover your mouse pointer over a threat
category. Click , and then select one of the following options:
n Blocked Hosts — Displays the Blocked Hosts Log page with the
search criteria selected. You can start the search or specify
additional search criteria. See “Viewing the Blocked Hosts Log”
on page 262.
n (Learn more ) — Displays a description of the threat category.
Bytes Blocked or (Inbound only) Shows the amount of inbound traffic that the
Packets Blocked threat category blocked.
The traffic is displayed in bytes or packets, depending on the unit
of measure that is selected for this page.

ATLAS Threat Categories details (continued)

Source Hosts (Outbound only) Shows the aggregate sum of the hosts that the
Blocked threat category blocked for each minute of the display timeframe.
For example, if the timeframe is 1 hour, then this column
represents the sum of the hosts that were blocked for each of the
last 60 minutes.
Explore ATLAS Displays the Explore ATLAS Threat Categories page, on which you
Threat can view the threat categories that are blocking traffic on all of the
Categories link managed APS devices. See “Viewing the ATLAS Threat Categories
that Block Traffic” on page 269.

Viewing Active Alerts on the Dashboard

On the Dashboard page, the Active Alerts section displays the five most critical alerts in APS
Console and on any APS devices that it manages. This section can include all types of
alerts. Use the Active Alerts section to determine which alerts require immediate attention.
For general information about the Dashboard page, see “Viewing a Dashboard of
Network Activity” on page 292 .
For general information about alerts, see “About Alerts” on page 302 .

The Dashboard page appears by default when you log in to APS Console.
To navigate to the Dashboard page from another page in the UI:

n Select the Dashboard menu.
Information in the Active Alerts section

The alerts are sorted by severity in descending order, and then by start time in ascending
order. This sorting results in a view of the most critical alerts that have been active for the
longest time.
Active Alerts details

Total, DDoS, Display the total number of active alerts and the number of DDoS
System alerts and system alerts.
You can click a number to open the Alerts page. The Alerts page is
filtered according to the number that you click. For example, if you
click the number of DDoS alerts, the Alerts page displays all of the
active DDoS alerts.
Alert description Displays a description of the alert and the hostname of the
appliance or other device that generated the alert.
You can click an alert to open a window that contains additional
information about that alert, including the appliance, severity, date,
duration, and category. The window can contain links to other
pages, where you can explore specific aspects of the alert. The type
of alert that you select determines the information and links that
appear. See “Links to additional alert information” on the next
page.
Date and time Indicates when the alert started.

Active Alerts details (continued)

Severity indicator Indicates the severity of the alert as follows:
box n — Low (1-3)
n — Medium (4-7)
n — High (8-10)
You can hover your mouse pointer over the severity box to view
the numerical severity value.
View All Alerts Displays the Alerts page, where you can view all of the alerts that
link were generated by APS Console and the managed APS devices.
See “Viewing a Summary of Alerts” on page 304.
Links to additional alert information

When you click an alert, the information window that appears may contain links to other
pages, where you can explore specific aspects of the alert. The type of alert that you select
determines the links that appear. You also can ignore alerts from the information window.
Note
Some of the links in the information window open APS. If your APS user account has the
same username as your APS Console user account, the APS opens without prompting
you to log in.
Links in the information window

Link Type of alert Description
Appliance APS alerts Opens the Summary page in the APS that
generated the alert, where you can view
information about the system condition or
traffic that caused the alert.
See “Viewing the Traffic Summary” in the APS
User Guide .
Protection Group APS alerts that Opens the View Protection Group page in the
are associated APS that generated the alert, where you can
with a protection view detailed information in real time about the
group protection group’s traffic.
See “Viewing the Traffic Activity for a
Ignore button All alerts Allows you to prevent a specific alert from
appearing on the Dashboard page.

Removing alerts from the Dashboard page

As you review the alerts, you might decide that a certain alert is not critical and does not
need to appear on the Dashboard page. You can prevent a specific alert from appearing
on the Dashboard page by setting it to be ignored.
When you ignore an alert, it is removed from the Dashboard page, but it is not removed
from the system. The alert still appears on the Alerts page, where its status is marked as
Active (Ignored). The alert remains ignored until it expires. If the associated event recurs
after the initial alert expires, a new alert is created.
You can remove an alert from the Dashboard page in the following ways:
n On the Dashboard page:
a. In the Active Alerts section, click the alert.

b. In the information window, click Ignore.
n On the Alerts page (Explore > Alerts):
l To ignore a single alert, click (context menu) for the alert, and then select Ignore.
l To ignore multiple alerts, select the check boxes that correspond to the alerts that
you want to ignore, and then click Ignore Alerts.


Section 17:
Monitoring Alerts
This section describes how to view all of the alerts in APS Console and any managed APS
devices to determine which alerts are the most critical.
In this section
About Alerts 302

Viewing a Summary of Alerts 304
Filtering the Alerts on the Alerts page 306

About Alerts
Alerts are indicators of certain system events and security events that occur in APS Console
or in managed APS devices. To organize and provide additional information about the
alerts, APS Console groups the alerts into categories. For example, you can filter the
display of the Alerts page by category, and the Dashboard page displays security alerts by
category.
About the alert categories

The alert categories are as follows:
Alert categories
Category and type Example
DDoS (security) The traffic on an APS device exceeds a configured threshold. You
can set thresholds for blocked traffic, botnet traffic, and total
traffic.
Internal Resource Issues with a resource that is internal to the device. For example:
(system) An interface is down, disk space is low, or a power supply fails.
Infrastructure Issues with a resource that is external to the device. For example:
(system) A GRE tunnel is down, Cloud Signaling fails, or a backup fails.
License (system) The APS Console license is about to expire or the traffic on an
APS device exceeds a certain percentage of its licensed
throughput limit.
About alert severity levels

The severity of an alert determines the level of attention that it should receive. APS Console
uses the severity level to rank alerts. The severity level also determines which alerts appear
on the Dashboard page.
You can use the severity level to search for alerts and to filter the display on the Alerts page.
The alert severity levels are expressed as either numbers or icons. Typically, when the
icons are displayed, you can hover your mouse over an icon to view the numerical value.
Alert severity levels

Icon Severity level Description
Low (1-3) Traffic is being monitored but does not yet require
investigation.
For example, a hardware device failure might mean that
a secondary power source is down, which does not
require immediate attention.
Medium (4-7) The problem is not severe but warrants investigation.

Section 17: Monitoring Alerts
Alert severity levels (continued)

Icon Severity level Description
High (8-10) The situation requires immediate attention.
For example, if a physical interface is down, then traffic
is not being forwarded.
The default severity level for all types of alerts is predefined. You can change the default
severity level for system event alerts. See “Configuring System Alerts” on page 42.
Where you can view alerts

You can view alerts on the following pages in APS Console:
Where to view alerts

Location Description
Dashboard page Displays the five most critical alerts of any type. See “Viewing Active
Alerts on the Dashboard” on page 297.
Alerts page Provides a single view of all the security alerts and system alerts
(Explore > Alerts) that are generated by APS Console and any APS devices that it
manages. See “Viewing a Summary of Alerts” on the next page.
About alert expiration

When an alert expires, it no longer appears in the UI, except for the Alerts page.
System alerts and APS alerts expire automatically when the behavior that triggered the
alert stops. For example, a device that was down is restarted, or the APS traffic drops
below a configured threshold.
About ignoring alerts

When you review the alerts in the system, you need to address the issues that the alerts
describe. For example, you might need to fix a hardware problem or adjust a configured
traffic threshold. Sometimes, you might decide that a certain alert is not critical and does
not need to appear on the Dashboard page.
You can prevent a specific alert from appearing on the Dashboard page by setting it to be
ignored. The options to ignore alerts appear on both the Dashboard page and the Alerts
page. Ignoring an alert does not delete it from the system. See “Removing alerts from the
Dashboard page” on page 299.

Viewing a Summary of Alerts

The Alerts page (Explore > Alerts) displays the alerts that are triggered by APS Console
and the APS devices that are under APS Console management. The list of alerts includes
system alerts and security alerts, and shows both active alerts and expired alerts. Use the
Alerts page to identify the most critical alerts.
The Alerts page includes active alerts and expired alerts. An alert continues to appear on
the Alerts page until you clear it or delete it. This page also serves as a starting point to
explore additional details about specific alerts on managed APS devices.
For general information about alerts, see “About Alerts” on page 302 .
Viewing a summary of all alerts

To view a summary of alerts, navigate to the Alerts page in one of the following ways:
n From the menu — Click the Explore > Alerts link.
n From the Dashboard page — Click the View All Alerts link in the Active Alerts section.
If a protection group has any active alerts, you also can access the Alerts page from the
Protection Group page and the View Protection Group page. See “Viewing the Status of
Protection Groups” on page 225 and “Viewing the Traffic Activity for a Protection
Group” on page 194 .
For each alert, the Alerts page displays the following information. By default, the alerts are
sorted by start time in descending order (the most recent alerts first). You can sort by any
of the columns on the Alerts page.
Alert details
Selection check Allows you to select the alert to be ignored. See “Removing alerts
box from the Dashboard page” on page 299.
The check box does not appear for the alerts that cannot be
ignored.
Severity Indicates the severity of the alert as follows:

n — Low (1-3)
n — Medium (4-7)
n — High (8-10)
To view the numerical severity value, hover your mouse pointer

over the severity box.
Description Displays information about the nature of the alert.
Category Displays the threat category to which the alert belongs.
Appliance Displays the hostname of the appliance that generated the alert.

Alert details (continued)

Status Indicates whether the alert is Active , Expired, or Active (Ignored).
A status of Active (Ignored) means that the alert has been ignored,
or removed from the Dashboard page, but it has not expired. See
“Removing alerts from the Dashboard page” on page 299.
Time Indicates when the alert began and displays the alert’s duration.
(context menu) Appears when you hover your mouse pointer over an active alert’s
name. The options that appear on the context menu allow you to
view additional information about the alert. The options that are
available depend on the type of alert.
The context menu is available for certain types of active alerts only.
Filtering the alerts

You can filter the display of alerts on the Alerts page, to view a subset of the alerts. For
example, you can view all of the active security alerts that have a high severity level. The list
of alerts on the Alerts page changes as you select the filter criteria. See “Filtering the Alerts
on the Alerts page” on the next page.
Alerts associated with protection groups

If a protection group is deleted from an APS device, then any active alerts that are
associated with that protection group are expired. Those alerts continue to appear on the
Alerts page, but their context menus are disabled.
Note
APS alerts appear on the Alerts page even if the associated protection group is inactive.
About ignoring alerts

As you review the alerts, you might decide that a certain alert is not critical and does not
need to appear on the Dashboard page. You can prevent a specific alert from appearing
on the Dashboard page by setting it to be ignored.
Options to ignore alerts appear on the Dashboard page and the Alerts page. See
“Removing alerts from the Dashboard page” on page 299.

Filtering the Alerts on the Alerts page

You can filter the display of alerts on the Alerts page, to view a subset of the alerts. For
example, you can view all of the active security alerts that have a high severity level. The list
of alerts on the Alerts page changes as you select the filter criteria.
Note
To sort the alerts by a specific column, click the column’s heading.
Options on the Alerts context menu

The options on the context menu allow you to view additional information about the alert
and edit the alert’s configuration. To access the context menu, if available, hover your
mouse pointer over the name of an alert.
For certain types of active alerts, the context menu also provides links to other pages,
some of which may be on an APS. The type of alert that you select determines the options
that appear on the context menu.
Filtering alerts
To filter alerts:
n On the Alerts page, specify one or more criteria to filter the alerts display. See Filter
criteria for alerts.
Note
The Alerts page is already filtered when you access the page from the List Protection
Groups page or the View Protection Group page.
Filter criteria for alerts

You can filter the alerts on the Alerts page using the following criteria:
Filter criteria for alerts

Option Description
Status buttons Select All, Active, or Expired.
Type buttons Select one of the following options:

n All
n Security — Alerts that provide information about advanced
network threats. The security alerts also provide information
about the availability threats that APS identified, blocked, and
monitored. These alerts occur when the traffic that flows into APS
exceeds a configured threshold.
n System — Alerts that provide information about the equipment
that APS Console manages.
Start box, End Define the timeframe for which to display the alerts, based on when
box the alerts were active. In the calendar that appears, select the date
and time or click Now to select the current date and time. Click
Done to close the calendar window.

Filter criteria for alerts (continued)

Option Description
Severity buttons Select any combination of the following options to display only the
alerts that have specific severity levels. For example, you can view
only the alerts with a high severity level or all of the alerts with a
medium severity level or high severity level.
n — Low (1-3)
n — Medium (4-7)
n — High (8-10)
To view all of the alerts, select all of the security level options, which
is the default setting.
Filter box Type all or part of a category name, appliance name,

protection group name, or a custom term by which to filter the
alerts list. As you type, the Filter box displays a list of the matching
categories, appliances, and protection groups. Your options are as
follows:
n Select a name in the list of Categories , Appliances , or Protection
Groups to filter by that selection.
n Type a custom term, and then press ENTER.
Use the custom term to filter by the alert descriptions,
hostnames, categories, appliances, and protection groups that
match the string.
You can use select multiple categories, appliances, protection

groups, and custom terms in any combination. See “How APS
Console combines multiple filter criteria” below.
How APS Console combines multiple filter criteria

When you specify multiple items in the Filter box, APS Console combines the items as
follows:
n The same types of items (category, appliance, protection group, or custom term) are
joined with ORs.
n The different types of items are joined with ANDs.
For example, if you enter category1, category2, appliance5, and appliance6, the system
filters the display as follows:
(category1 OR category2) AND (appliance5 OR appliance6)
Tip
You can use custom terms to filter different items with ORs. For example, to display the
alerts that belong to either category1 or appliance5, type each item as a separate custom
term.
n To ignore all of the active alerts on the current page, select the check box in the table
heading row, and then click Ignore Alerts.

You also can ignore alerts from the Dashboard page. See “Viewing Active Alerts on the
Dashboard” on page 297.
If necessary, you can unignore an ignored alert, which allows it to reappear on the
Dashboard page if it is among the most critical alerts.
To unignore an alert:
1. On the Alerts page, click (context menu) for the alert.
2. Select Unignore.

Section 18:
Monitoring the Status of the Network
and Devices
The Summary page provides an overview of the current state of your APS Console
deployment, including the historical traffic across your configured devices.
User access
System analysts and system users can search and view the summary information, but they
cannot access all the pages that are described in this section. Only administrators can
access all the pages and perform all the tasks that are available from the Summary page.
In this section
Viewing a Summary of System Activity 310

Viewing System Information on the Summary Page 311
Viewing Audit Trail Information on the Summary Page 313

Viewing a Summary of System Activity

The Summary page provides a snapshot of your system and includes links to additional
information. The system displays important status messages at the top of the page to alert
you to any problems that require immediate attention.
For more details, see “Viewing System Information on the Summary Page” on the facing
page.
Viewing the Summary page

To access the Summary page, select Summary from the menu.
Sections on the Summary page

The Summary page shows different aspects of the system status in the following sections:
Sections on the Summary page

Section Description
System response This section is located directly below the menu bar. It displays any
area critical messages.
System Status Displays the statistics for your APS Console. This section also lists
the total number of devices that are under APS Console
management.
System Displays detailed information about your APS Console and the
Information devices that are under APS Console management.
Audit Trail Displays the most recent Audit Trail entries. See “Viewing Audit
Trail Information on the Summary Page” on page 313.
Auto-refresh option on the Summary page

The data that appears on the Summary page refreshes automatically every 120 seconds.
To stop the automatic refresh of the page (for example, to preserve interesting data):
n Click (Auto-Refresh ) on the Arbor Smart Bar.
If you hover your mouse over the icon, it displays a message that indicates whether
clicking the icon will turn on or turn off the auto-refresh option.

Section 18: Monitoring the Status of the Network and Devices
Viewing System Information on the Summary Page

On the Summary page, the System Information section displays detailed information
about APS Console and the devices that it manages. Use the information in this section to
determine how the device is performing.
If a device experiences connectivity problems, then APS Console displays that device’s
status at the top of the Summary page to alert you immediately.
Activity” on the previous page.
Viewing the Summary page

To access the Summary page, select Summary from the menu.
Information in the System Status section

This section displays the following status information about APS Console:
Information in the System Status section
Last AIF Update Indicates the last time that APS Console polled the AIF server for
Check new information. You can update the AIF interval time and poll
the server on the Configure AIF Settings page.
If you do not enable automatic AIF updates, this area displays
Autoupdate Disabled instead of Last AIF Update Check .
See “Configuring the ATLAS Intelligence Feed” on page 60.
Last Backup Indicates the time at which the system backed up APS Console
data. The APS Console data is backed up automatically every 24
hours. You can download a copy of the last backup file or upload
an older saved version.
For a description and instructions, see “Configuring Remote
Backup Settings” on page 44.
Total Devices Displays the number of APS devices and AED devices under APS
Console management.
Information in the System Information section

This section displays the following information for each device:
System Information section

Column Description
Severity The relative severity of the alerts that are on the device. See “About
alert severity levels” on page 302.
Device Type Indicates whether the device is an APS Console, an APS, or an AED.
Hostname Displays the user-assigned hostname for the device.

System Information section (continued)

Column Description
Serial Number Displays the serial number for the device.
Uptime Displays the time that has elapsed since the device was last
restarted, in days, hours, and minutes.
If the device is down, “Offline” appears in this column. If the device
remains down, then you can delete it. See “Deleting Offline
Devices” on page 89.
Last Seen Indicates the last time that the device reported to APS Console.
Status Describes the overall status of a device. The status can be one of
the following messages:
n High memory usage: <usage percentage>
n High disk usage: <amount of MB remaining>
n Communication error, last heartbeat received: <time last
received>
n Synchronize times: skew is <amount of time>
n Device is down: last seen <time last seen>
n Multiple Problems: <the list of problems>
n Good
n RAID error: <error message>
n Preparing configuration
n Initial synchronization
n Out of sync
n Unsupported device version. The configurations cannot be
synchronized.
Version Displays the current software version that the appliance is running.

Section 18: Monitoring the Status of the Network and Devices
Viewing Audit Trail Information on the Summary Page

On the Summary page, the Audit Trail section displays the 10 most recent Audit Trail
entries. The Audit Trail section contains the same columns as the table on the Audit Trail
page (Administration > Audit Trail).
For more information about the Audit Trail, see “Information in the audit trail” on
page 319 and “ Including Change Messages in the Audit Trail” on page 318 .
Activity” on page 310 .
Viewing a complete Audit Trail entry

To view a detailed audit trail entry, including the long description, in the Audit Trail Entry
Viewer:
1. Select the Summary menu.
2. On the Summary page, in the Audit Trail section, click a More link that appears in the
Description column.
3. When you finish viewing the audit trail information, click Done.
Viewing all Audit Trail entries

To view all Audit Trail entries on the Audit Trail page:
n On the Summary page, in the lower right corner of the Audit Trail section, click the View
Full Audit Trail link.


Section 19:
Monitoring System Changes in the
Audit Trail
This section describes how to use the audit trail, which records all of the changes that are
made in APS Console.
User access
Users at all authorization levels can include change messages in the audit trail. Only
administrators can view the audit trail and configure the audit trail settings.
In this section
About the Audit Trail 316

Including Change Messages in the Audit Trail 318
Viewing the Audit Trail Log 319

About the Audit Trail

The audit trail records all of the changes that are made in APS Console, which allows you
to view and track the changes. You can view the audit trail entries on the Audit Trail page.
See “Viewing the Audit Trail Log” on page 319.
On the Audit Trail page, you can specify a default change message and configure the kinds
of changes that trigger the appearance of the Audit Trail window. See “Configuring the
Audit Trail Settings” on page 41.
About the Audit Trail window

By default, when a user makes a change in the APS Console UI, the Audit Trail window
appears and prompts the user to describe the change. See “ Including Change Messages
in the Audit Trail” on page 318.
If you disable the Audit Trail window for certain changes, the window does not appear
when users make those types of changes. APS Console logs the changes, but does not
include any messages.
When APS Console adds audit trail entries

APS Console adds audit trail entries in the following situations:
n System changes occur, such as an ATLAS update.
n Users make changes in the APS Console UI.
n Users export data from the system by sending email, creating PDF files, or exporting
CSV files.
n Users enter commands in the command line interface (CLI).
How CLI commands are logged in the audit trail

APS Console transfers entries from the command log to the audit trail at one-minute
intervals. The command information that is included in the audit trail depends on the type
of CLI command, as follows:
How CLI commands are logged in the audit trail

Command type What is included in the audit trail
All commands The following information is included in the audit trail for all
types of CLI commands:
n the time and date on which the change occurred
n the user who entered the command
n the component that was changed
n the command that was typed
Commands that The sensitive data is replaced with “*****”.

include a password or
secret

Section 19: Monitoring System Changes in the Audit Trail
How CLI commands are logged in the audit trail (continued)

Command type What is included in the audit trail
Commands that The absolute path is included and any abbreviations are
include abbreviations expanded to full words.
For example, the command / serv aps-console inter is
logged as / services aps-console interface.
Command help These commands are not included in the audit trail.
Directory help These commands are included in the audit trail.
About exporting the audit trail
You can export the audit trail in the following ways:

n As a comma-separated values (CSV) file.
See “Exporting the audit trail as a CSV file” on page 320.
n To a syslog destination that you configure in the CLI.
See “Configuring the Syslog Destination for the Audit Trail” in the APS Console Advanced

Including Change Messages in the Audit Trail

When you make a change in the APS Console UI, the system records the change in the
audit trail.
By default, when you make a change, the Audit Trail window appears and prompts you to
enter a change message. The best practice is to add a message that provides some insight
into what you did and why you made the change. However, you also have the following
options:
n Do not enter a change message.
n Enter a default message for all of the future changes that you make.
n Disable the Audit Trail window for all of the future changes of that type that you make.
Settings on the Audit Trail page determine the default change message (if any) and the
kinds of changes that trigger the appearance of the Audit Trail window. See “Configuring
the Audit Trail Settings” on page 41.
Administrators can view the audit trail log in the Audit Trail page (Administration >
Audit Trail). See “Viewing the Audit Trail Log” on the facing page.
For general information about the audit trail, see “About the Audit Trail” on page 316 .
Entering a change message in the Audit Trail window

To enter a change message in the Audit Trail window:
1. In the Audit Trail window, type a description of the change in the change message
box.
You can enter a maximum of 1024 characters.
2. (Optional) Select Set as my default audit trail message to use this change
message for all of the future changes that you make.
3. (Optional) Select Do not show this dialog again... to disable the Audit Trail window
for all of the future changes of this type that you make.
APS Console logs the changes even if the Audit Trail window is disabled.
4. Click Save.

Section 19: Monitoring System Changes in the Audit Trail
Viewing the Audit Trail Log

The audit trail records all of the changes that are made in APS Console, which allows you
to view and track the changes. See “About the Audit Trail” on page 316.
For information about recording changes to APS Console, see “ Including Change
Messages in the Audit Trail” on the previous page.
For information about editing the default settings for audit trail changes, see “Configuring
the Audit Trail Settings” on page 41.
Viewing the audit trail

To view the audit trail:
2. On the Audit Trail page, select the Audit Trail Log tab.
3. (Optional) To find specific entries, use the Search All Audit Trail Entries box.
4. (Optional) To view additional information about an entry, click the More link to the
right of the entry’s description.
Information in the audit trail

The Audit Trail page displays the following information for each entry:
Audit trail details

Time Displays the time and date on which the change occurred.
User Displays the user who made the change, or “system” if it is a

system-generated change.
Appliance Displays the APS Console name.
Action Indicates the type of change, such as Add, Edit, Delete , Update , and
so on.
Component Indicates the type of object that was changed.
Name Displays the name of the changed object, if it has one.
Message Displays the text from the change message that a user typed, or a
system message for system-generated entries.
Description Describes the change.
More link Allows you to view additional information about an entry by

opening the Audit Trail Entry Viewer window.
Note
You also can view the entries in the audit trail on the Summary page. See “Viewing Audit
Trail Information on the Summary Page” on page 313 .

Exporting the audit trail as a CSV file

You can save a copy of the audit trail by exporting it to a comma-separated values (CSV)
file.
To export the audit trail as a CSV file:

2. On the Audit Trail page, display the entries that you want to export, as described in
“Viewing the audit trail” on the previous page.
3. Select one of the following options:
l Export — Exports only the entries that appear on the current page.
If you use a search to filter the audit trail list, the exported file contains the search
results only.
l Export All — Exports all of the audit trail entries.
4. Open or save the file according to your browser options.

Part V:
APS Console Maintenance and
Management

Section 20:
Managing APS Console Files
This section describes how to use the Manage Files page (Administration > Files) to
manage the files that are on APS Console. You can also manage files that are on the APS
devices that APS Console manages.
User access
Only administrators can perform the tasks that are described in this section. System users
cannot view the Files page.
In this section
About the Files Page 324

Managing the Files on APS Console and Managed APS Devices 326
Managing Diagnostics Packages 328

About the Files Page

The Manage Files page (Administration > Files) is the central location from which you
can manage the files that are on APS Console. You also can use this page to manage the
files on the APS devices that APS Console manages.
The Files page is divided into sections that allow you to perform the following file
management tasks:
n Upload, download, and delete the files on APS Console and managed APS devices.
n View the amount of free space on the selected device.
See “Managing the Files on APS Console and Managed APS Devices” on page 326.
About the Files section

The Files section of the Manage Files page contains the following information:
n A Show files on list, from which you can select the device whose files you want to view.
n A disk space pie chart that displays the amount of used disk space and free disk space
on the selected device.
n A table that includes detailed information about the files on the selected device.
The tables displays the following information for each file that is on the selected device:
File listing details

Name The name of the file.
Size The size of the file.
Date The time and date when the file was uploaded.
Type The type of file. A file can be one of the following types:
n Text file
n Directory
n Gzip compressed
n Signed package
n SSH host keys
n Unknown
Status Indicates whether the file has been installed on the selected
device. This status applies to installation packages only.
Selection check Allows you to select the file for deletion.

box

Section 20: Managing APS Console Files
About the Diagnostics Packages section

Diagnostics packages are helpful if you need the Arbor Technical Assistance Center (ATAC)
to troubleshoot APS Console system problems. For information about creating the
diagnostics packages, see “Managing Diagnostics Packages” on page 328 .
The table in the Diagnostics Packages section contains the following information for each
package:
Diagnostics package details

Name The name of the diagnostics package. You can download the
package by clicking the name link.
Size The size of the diagnostics package.
Date The time and date on which a diagnostics package was

created.
Email button Allows you to email the diagnostics package.
Create Diagnostics Allows you to create a new diagnostics package.

Package button
About the SSL Certificate section

You can upload a custom SSL certificate to authenticate users in the APS Console UI. See
“Using a Custom SSL Certificate for User Authentication” on page 47.
About the Logo section

You can upload a custom logo to replace the default APS Console logo. See “Adding a
Custom Logo to the UI” on page 49.
About the System Files section

The System Files section allows you to download the MIB files from APS Console. The MIB
files can help you decode the SNMP traps that APS Console sends for notifications. The
MIB files can also help you understand the OIDs (object identifiers) that can be queried on
APS Console.
See “About SNMP Polling” on page 34.

For information about downloading the files, see “Managing the Files on APS Console and
Managed APS Devices” on the next page.

Managing the Files on APS Console and Managed APS

Devices
You can use the Manage Files page (Administration > Files) to manage the various files
that are on APS Console and managed APS devices.
When you manage files on the Manage Files page, the changes apply only to the device
that is selected in the Show files on list.
Viewing the files on a managed APS

By default, the Manage Files page lists the files that are on APS Console. You also can view
the files that are on APS devices that APS Console manages.
To view the files on a managed APS:

2. On the Manage Files page, in the Show files on list, select the device whose files you
want to view.
Uploading files to APS Console

To upload a file to APS Console using SCP or HTTP:
2. On the Manage Files page, in the Show files on list, select the APS Console.
3. Click Upload.
4. In the Upload File window, click Browse to locate the file.
5. In the File Upload window, select the file, and then click Open .
6. In the Upload File window, click Upload.
Deleting files from a managed APS

Caution
You cannot undo the deletion of files.
To delete a file from a managed APS:

2. On the Manage Files page, in the Show files on list, select the APS on which you want
to delete a file.
3. In the list of files, complete one of the following tasks:
l Select the check box for each file that you want to delete.
l Select the Select All check box to delete all of the files.
4. Click Delete.

Section 20: Managing APS Console Files
Downloading files from APS Console

You can download diagnostics packages and MIB files from the Manage Files page on APS
Console.
To download a file from APS Console:

2. On the Manage Files page, in the Show files on list, select the APS Console.
3. Select the file to download in any of the following ways:
l In the System Files section, click the APS Console MIB link or the SMI MIB link.
l In the Diagnostics Packages section, click the file name link.
4. Save the file according to your browser options.

Managing Diagnostics Packages

A diagnostics package contains debugging information for APS Console. The diagnostics
package helps the Arbor Technical Assistance Center (ATAC) to diagnose and correct any
potential issues that are related to your system.
You can create new diagnostics packages and download, email, and delete the packages.
Viewing diagnostics packages

The Files page displays the existing diagnostics packages and their creation dates, file
names, and file sizes.
For general information about the Files page, see “About the Files Page” on page 324 .
Creating a diagnostics package

To create a diagnostics package:
2. In the Diagnostics Packages section, click Create Diagnostics Package.
The package creation might take several minutes. A message at the top of the page
indicates that the package creation is in progress.
Tip
If the diagnostics package does not appear within a few minutes, click (Refresh This
Page) on the Arbor Smart Bar.
Emailing a diagnostics package to the Arbor Technical Assistance Center

To email a diagnostics package to the Arbor Technical Assistance Center (ATAC):
2. In the Diagnostics Packages section, to the right of the package that you want to send,
click Email.
3. In the Email Diagnostics window, type the following information:
Setting Description
From box Type your email address.
Subject box Type a subject for the email message.
Message box Type a message that explains how you want Arbor to
process the diagnostics package.
4. Click Email.
Downloading a diagnostics package

If you cannot email from APS Console, you can download the diagnostics package. See
“Downloading files from APS Console” on the previous page.

Section 21:
Backing Up APS Console
This section describes how to back up APS Console data.
User access
Users at all authorization levels can view the backup configurations. Only administrators
can perform the backup tasks that are described in this section.
In this section
About APS Console Backups 330

Running a Local Backup Manually 332

About APS Console Backups

APS Console supports remote backups and local backups. Both remote backups and local
backups copy the same APS Console configuration settings and data.
About remote backups

For remote backups, you configure a recurring backup schedule.
About remote backups
Typical use To recover data after a hardware failure or other outage.
How they are APS Console runs remote backups automatically, based on a user-
created defined schedule. You also can run a remote backup manually at
any time.
See “Configuring Remote Backup Settings” on page 44.
Where they are On a remote backup server.

stored
How many are 1

stored
About local backups

Local backups run automatically every night at midnight or that you can run manually.
About local backups
Typical use To restore a known configuration state. For example, you might
want to restore APS Console to a known configuration state after
you perform benchmark tests or try new configurations.
How they are APS Console runs local backups automatically, every night at
created midnight. You also can run a local backup manually at any time. See
“Running a Local Backup Manually” on page 332.
Where they are On APS Console.

stored
How many are 5

stored
About backing up and restoring in a central management environment

APS Console synchronizes configuration data with the APS devices that it manages by
copying the data that is specific to a managed APS to that APS. When you back up and
restore APS Console and APS, you must follow certain guidelines to maintain the data
synchronization. See “How Restoring Backups Affects the APS Console - APS

Section 21: Backing Up APS Console
About restoring backup data

To restore APS Console from a backup, you must use the command line interface (CLI).
See “Restoring APS Console from a Backup” in the APS Console Advanced Configuration
Guide .

Running a Local Backup Manually

APS Console generates a local backup automatically every night at midnight. The Backup
Settings page also allows you to run local backups manually.
You might back up APS Console locally in the following situations:
n To save the initial system configuration after you finish configuring settings.
n To save a known configuration state before you perform benchmark tests or try new
configurations. When you finish your tests, use the backup to restore APS Console to
the last known configuration.
n To save any configuration changes immediately instead of waiting for the next
scheduled backup.
For general information about backups, see “About APS Console Backups” on page 330 .
For information on configuring remote backups, see See “Configuring Remote Backup
Settings” on page 44.
Running a local backup manually

To run a local backup manually:
2. On the Backup Settings page, in the Local Backups of APS Console Configuration and
Data section, click Run Backup Now.
About the Backups list

A list of the last five local backups appears in the Local Backups of APS Console
Configuration and Data section on the Backup Settings page. The list includes the
following information for each backup:
Backup details
Date The date and time on which the backup was created.
Age The length of time since the backup was run.
Size The size of the backup file.
Username Displays APS Console for an automatic backup. For a manual

backup, this column displays the user name of the person who
requested the backup.
Download Downloads the backup file to a user-specified location. See

“Downloading a local backup file” on the facing page.

Section 21: Backing Up APS Console
Downloading a local backup file

You can download a local backup file at any time.
To download a local backup file:

2. On the Backup Settings page, in the Local Backups of APS Console Configuration and
Data section, click the Download button for the file to download.
3. Save the file according to your browser options.


Appendixes

Appendix A:
Notification Formats
This section provides examples of the notifications that APS Console sends to the
configured destinations when it detects system alerts.
In this section
Email Notification Examples 338

Syslog Notification Examples 339

Email Notification Examples

The following examples show the different types of email notifications that APS Console
sends when it detects system alerts.
APS down alert

The following example shows an APS down alert:
APS Down: system.arbor.net
Type: APS Down
URL: https://aps.example.com/summary/
APS: system.APS Console.net
Last seen: 20:07 09/03/16
APS up alert
The following example shows an APS up alert:
APS Up: system.arbor.net
Type: APS Up
APS: system.APS Console.net
Down since: 20:02 09/03/16
Downtime: 0h05m
Infrastructure alert
The following example shows an infrastructure alert:
Infrastructure: Your cert will expire in 1 day
Type: Infrastructure
Message: Your cert will expire in 1 day

Appendix A: Notification Formats
Syslog Notification Examples

The following examples show the different types of syslog notifications that APS Console
sends when it detects system alerts.
APS down alert

The following example shows an APS down alert:
APS Down: system.arbor.net,URL: https://aps.example.com/summary/,Last
seen: 20:23 09/03/16
APS up alert
The following example shows an APS up alert:
APS Up: system.arbor.net,URL: https://aps.example.com/summary/,Last
seen: 20:18 09/03/16,Downtime: 0h05m
Infrastructure alert
The following example shows an infrastructure alert:
Infrastructure: Your cert will expire in 1 day,URL:
https://aps.example.com/summary/


Appendix B:
Using FCAP Expressions
This section describes the FCAP (Flow Capture) fingerprint expression language that you
can use to match layer 3 traffic information. This expression language is an extended
version of the standard fingerprint expression language that is used by programs such as
tcpdump.
In this section
Available FCAP Expressions 342

FCAP Expression Reference 344
Logical Operators for Compound FCAP Expressions 349
FCAP Expressions that Indicate Direction 350
Examples of FCAP Expressions 351

Available FCAP Expressions

This topic discusses the basic FCAP expressions that APS supports, and well as the syntax
conventions in the documentation for these expressions.

The following table shows the syntax of commands and expressions. Do not type the
brackets, braces, or vertical bar in commands or expressions.

Convention Description
Monospaced bold Information that you must type exactly as shown.
Monospaced A variable for which you must supply a value.

italics
{ } (braces) A set of choices for options or variables, one of which is required.

For example: {option1 | option2}.
[ ] (square brackets) A set of choices for options or variables, any of which is optional.
For example: [variable1 | variable2].
| (vertical bar) Separates the mutually exclusive options or variables.
Basic FCAP expressions

These expressions are case insensitive. For example, both src and SRC are valid.
Available FCAP expressions

Expression Reference
[src | dst] [net | host] addr “Matching networks and hosts”
on page 344
[protocol | proto] protocol-name “Matching protocols” on

{protocol | proto} number page 345
{tflags | tcpflags} flags/flag-mask “Matching TCP flags” on page 345
[src | dst] port {port-name | number } [ .. “Matching ports” on page 346

{port-name | number} ]
bytesnumber [ ..number] “Matching IP length” on page 346
icmptype {icmptype | number} “Matching ICMP messages” on

icmpcodecode page 347

Appendix B: Using FCAP Expressions
Available FCAP expressions (continued)

Expression Reference
tosnumber “Matching the Type of Service” on
page 348
Note
This expression is for IPv4 traffic
only.
ttlnumber “Matching the Time to Live” on

page 348
Note
only.
frag “Matching fragments” on

page 348
Note
only.

FCAP Expression Reference

This topic describes how to use the FCAP expressions. For additional information, see the
following topics.
n basic expressions — See “Basic FCAP expressions” on page 342.
n the operators AND, OR, NOT, and () — See “Logical Operators for Compound FCAP
Expressions” on page 349.
n expressions that indicate direction — See “FCAP Expressions that Indicate Direction”
on page 350.
n examples — See “Examples of FCAP Expressions” on page 351.
Note
Unless otherwise noted, FCAP expressions are supported for IPv4 traffic and IPv6 traffic.
Comments in FCAP expressions

To add a comment to an FCAP expression, type the number sign (#) at the beginning of
the line of text.
Any line that begins with # is considered a comment and is not evaluated as part of the
FCAP expression.
Numbers in FCAP expressions

In expressions that contain a number, you can type the number in decimal notation or
hexadecimal notation. For example, the following expressions are equivalent:
tos 255
tos 0XFF
Action expressions that drop or pass traffic

Use the FCAP action expressions to either drop traffic or pass traffic without further
inspection. To specify which action to perform, precede the FCAP expressions with one of
the following expressions:
pass
drop
The action expression is optional. If you do not specify one, APS uses a drop action.
Matching networks and hosts

Use the following expression to match a network or a host:
[src | dst] [net | host] addr
To match a network or host, specify its IP address. You can use CIDR notation
(IP/number) to specify a network. For example:
net 192.0.2.0/24
host 192.0.2.1
If you specify an address without a netmask or without the expression net or host, the
address is assumed to be a host.

If you do not specify a direction, then both the source and the destination are evaluated.
See “FCAP Expressions that Indicate Direction” on page 350.
Additional examples of expressions for matching hosts or networks

Item to match Expression
any source or destination that is part of the Either of the following expressions:
network 198.51.100.0/24 192.0.2.0/24
src net 192.0.2.0/24 or dst net
203.113.0/24
any source that is part of the network src net 198.51.100.0/24

198.51.100.0/24
Matching protocols
Use the following expressions to match a protocol:
[protocol | proto] protocol-name
{protocol | proto} number
To match a protocol, specify its name or number. If you specify the protocol by name, you
can omit the expression protocol. For example:
protocol tcp
tcp
proto 6
Matching TCP flags

Use the following expression to match a packet’s TCP flags:
{tflags | tcpflags} flags/flag-mask

flags = the flag or flags that must be set for the expression to match
flag-mask = the flag or flags to examine
For example, tflags FSA/FSA matches all of the traffic whose SYN, ACK, and FIN flags
are set.
For the flag fields, you can specify any combination of the following TCP flags:
n F — FIN
n S — SYN
n R — RST (reset)
n P — PSH (push)
n A — ACK
n U — URG (urgent)
n E — ECE (ECN-Echo)
n W — CWR (Congestion Window Reduced)
Do not separate multiple flags with any characters, including spaces or commas.

Additional examples of expressions for matching TCP flags

packets that contain the SYN flag Either of the following expressions:
tflags S/S
proto tcp and (tflags S/S)
all of the TCP SYN traffic that is not SYN- Either of the following expressions:
ACK proto tcp and (tflags S/SA)
proto tcp and (tflags S/S) and !
(tflags SA/SA)
all of the traffic for which the A bit is set, tflags A/FA
but the F bit is not set
Matching ports
Use the following expression to match ports:
[src | dst] port {port-name | number} [ .. {port-name | number} ]
To match a port, specify its name or number. For example:

port http
port 22
To match a range of port numbers, separate the first number and the last number with
two periods. For example:
port 0..1024
If you do not specify the source or the destination, then both the source and the
destination are evaluated. See “FCAP Expressions that Indicate Direction” on page 350.
Additional examples of expressions for matching ports

IP address 192.0.2.1, port 22 host 192.0.2.1 port 22
any traffic with a destination IP address of dst host 192.0.2.1 and (dst
192.0.2.1 and a destination port of either 22 or 80 port 22 or dst port http)
Matching IP length
Use the following expression to match a packet’s IP length: bytes number [..number]
Specify the IP length as a number of bytes. For example: bytes 100
To match a range of bytes, separate the first number and the last number with two
periods. For example: bytes 100..102

Matching ICMP messages

Use the following expressions to match an ICMP message by specifying its type:
icmptype {name | number}

icmpcodecode
For example, to match ICMPv4 echo request traffic by type, you can use either of the
following expressions:
icmptype icmp-echo
icmptype 8
Note
APS supports both ICMPv4 and ICMPv6 message types. However, for ICMPv6, you can
specify message type numbers only. You cannot use message type names for ICMPv6.
The ICMP code is a subtype of a given type. For example, the following expressions match
the ICMP control message type “Destination Unreachable”, and the subtype of “Host
Unreachable” (ICMPv4) or “address unreachable” (ICMPv6):
n ICMPv4
icmptype icmp-unreach and icmpcode 1

n ICMPv6
icmptype 1 and icmpcode 3
The table below lists some common ICMPv4 message types.
ICMPv4 message types

ICMP type
number ICMP type name Description
0 icmp-echoreply Echo Reply
3 icmp-unreach Destination Unreachable
4 icmp-sourcequench Source Quench
5 icmp-redirect Redirect
8 icmp-echo Echo Request
9 icmp-routeradvert Router Advertisement
10 icmp-routersolicit Router Selection
11 icmp-timxceed Time Exceeded
12 icmp-paramprob Parameter Problem
13 icmp-tstamp Timestamp
14 icmp-tstampreply Timestamp Reply
15 icmp-ireq Information Request

ICMPv4 message types (continued)

ICMP type
number ICMP type name Description
16 icmp-ireqreply Information Reply
17 icmp-maskreq Address Mask Request
18 icmp-maskreply Address Mask Reply
For a complete list of the ICMPv4 message types and codes, refer to an IPv4 reference or
go to the following URL: http://www.iana.org/assignments/icmp-parameters/icmp-
parameters.xhtml
For a complete list of the ICMPv6 message types and codes, refer to an IPv6 reference or
go to the following URL: http://www.iana.org/assignments/icmpv6-parameters/icmpv6-
parameters.xhtml
Matching the Type of Service

Note
This expression is for IPv4 traffic only. You cannot filter by the IPv6 header field Traffic
Class.
Use the following expression to match the Type of Service (TOS):

tosnumber
Specify the eight-bit TOS field as a number from 0 to 255. For example:
tos 255
tos 0XFF
Matching the Time to Live

Note
This expression is for IPv4 traffic only. You cannot filter by the IPv6 header field Hop Limit.
Use the following expression to match the Time to Live (TTL ) value:
ttlnumber
Specify the eight-bit TTL field as a number from 0 to 255. For example:
ttl 6
Matching fragments
This expression is for IPv4 traffic only.
The following expression allows you to match IP fragments:

frag

Logical Operators for Compound FCAP Expressions

You can create compound FCAP expressions by using logical operators to join
expressions.
For more information about using FCAP expressions, see the following topics:
n “FCAP Expression Reference” on page 344
n “FCAP Expressions that Indicate Direction” on the next page
n “Available FCAP Expressions” on page 342
n “Examples of FCAP Expressions” on page 351
Operators for joining expressions

To join FCAP expressions, use the following operators:
n parentheses ( ) — establishes precedence for complex expressions
n NOT — negates an expression (negation)

For example, not port 33 matches all of the ports except port 33.
You can also use an exclamation mark (!) instead of not.
n OR — joins expressions where any can be true (alternation)
For example, dst port 22 or dst port 25 or dst port 80 matches all of the
traffic that is destined for any one of these three ports.
n AND — joins expressions where both are true (concatenation)
For example, dst host 192.0.2.1 and dst port 22 matches all of the traffic that
is destined for port 22 on the host 192.0.2.1.
How APS evaluates compound expressions

APS evaluates expressions in the following order:
1. Expressions in parentheses. If you use a combination of adjacent objects with AND
and OR operators, use parentheses so that APS knows the explicit order.
2. NOT expressions.
3. OR and AND expressions, which have equal precedence and are evaluated from left to
right.
For example, the following expressions are equivalent:

not tcp port 3128 and tcp port 23
(not tcp port 3128) and tcp port 23
Omitting the operators and parentheses can produce unexpected results. For example, to
block all TCP traffic on port 80 or port 443, you might type the following expression:
tcp port 80 or tcp port 443
However, this expression does not do what you intend because the order of operations
interprets it as follows:
tcp and (port 80 or tcp) and (port 443)
Instead, you should use one of the following expressions:

tcp (port 80 or port 443)
(tcp port 80) or (tcp port 443)

FCAP Expressions that Indicate Direction

The direction expressions indicate whether a network, host, or port represents the source
or the destination.
In an FCAP expression, the direction refers to the source or destination section of the
packets that are evaluated.
For information about how to use FCAP expressions, see “FCAP Expression Reference” on
page 344 .
Indicating direction
The following expressions indicate direction:
src — source
dst — destination
For example:
src host 192.0.2.1
dst port 33
Default direction
If you do not specify a direction, then both the source and the destination are evaluated.
For example, the following expressions are equivalent:
host 192.0.2.1
(src host 192.0.2.1) or (dst host 192.0.2.1)

Examples of FCAP Expressions

To help further your understanding of FCAP expressions, this topic provides examples of
expressions and shows how APS interprets them.
In particular, observe how APS interprets expressions when you omit certain components.
For example, you can omit the direction and the drop or pass action. You can also omit
the logical operators, although doing so can produce unexpected results.
For more information about FCAP expressions, see “FCAP Expression Reference” on
page 344 .
Examples
The following examples show how APS interprets FCAP expressions and how it makes
assumptions about any information that is omitted from the typed expressions.
Note
APS interprets FCAP expressions that use IPv6 addresses in the same way that it
interprets FCAP expressions that use IPv4 addresses.
FCAP expressions and how they are interpreted

Expression Interpretation
host 192.0.2.1 drop src host 192.0.2.1 or dst host 203.0.113.1
203.0.113.1
protocol tcp drop proto 6

tcp
tflags saf/saf drop tflags FSA/FSA

You do not have to type the flags in any particular order; the
system orders them for you.
port 33 drop src port 33 or dst port 33
not port 33 drop (src port 0..32 or src port 34..65535) and
(dst port 0..32 or dst port 34..65535)
dst host 192.0.2.1 drop dst host 192.0.2.1 and (src port 22 or dst
and port 22 port 22)
src 192.0.2.1 src drop (src net 0.0.0.0/0)

192.0.2.9 The system assumes that the two addresses are joined by an
AND operator. However, because no packet can ever have
two sources, the expression is interpreted as “drop
everything.”
src 192.0.2.4 or drop src host 192.0.2.4 or src host 192.0.2.9

src 192.0.2.9
src 192.0.2.1 dst drop src host 192.0.2.1 and dst host
203.0.113.1 203.0.113.1


Glossary
A
AAA (Authentication, Authorization, & Accounting) — An acronym that describes the process of
authorizing access to a system, authenticating the identity of users, and logging their behaviors.
ACL (Access Control List) — A list composed of rules and filters stored in a router to allow, deny, or
otherwise regulate network traffic based on network parameters such as IP addresses, protocol
types, and port numbers.
active mode — A state within the inline deployment modes, in which APS mitigates attacks in addition to
monitoring traffic and detecting attacks.
address — A coded representation that uniquely identifies a particular network identity.
AIF (ATLAS Intelligence Feed) — A service that downloads real-time threat information from our Active
Threat Level Analysis System (ATLAS). This information is used to detect and block emerging
botnet attacks and application-layer attacks.
alert — A message informing the user that certain events, conditions, or errors in the system have
occurred.
anomaly — An event or condition in the network that is identified as an abnormality when compared to a
predefined illegal traffic pattern.
API (Application Programming Interface) — A well-defined set of function calls providing high-level
controls for underlying services.
APS — A protection system that focuses on securing the internet data center edge from threats against
availability by analyzing and blocking malicious traffic.
APS Console — A single user interface that allows for the central management of multiple APS devices, to
more effectively monitor and respond to attacks across your network.
Arbor Cloud DDoS Protection — A cloud-based DDoS mitigation service that scrubs the high-
bandwidth, volumetric attacks that are too large to mitigate at the data center’s premises.
Arbor Smart bar — An area of the product's user interface that contains icons for performing certain
actions.
ArbOS — Arbor’s proprietary, embedded operating system.
ARP (Address Resolution Protocol) — A protocol for mapping an IP address to a physical machine
address.

ASCII (American Standard Code for Information Interchange) — A coded representation for
standard alphabetic, numeric, and punctuation characters, also referred to as “plain text”.
ATLAS (Active Threat Level Analysis System) — A globally scoped threat analysis network that
analyzes data from darknets and the core backbone of the internet to provide information to
participating customers about malware, exploits, phishing, and botnets.
authentication — An identity verification process.
B
black hole routing — A technique to route traffic to null interfaces that can never forward the traffic.
blacklist — A list of hosts whose traffic is blocked without further inspection. To add a host to the blacklist.
block — To prevent traffic from passing to the network, or to prevent a host from sending traffic. In APS,
blocking occurs for a specific length of time, after which the traffic is allowed to pass again.
bot — A program that runs automated tasks over the internet.
botnet — A set of compromised computers (bots) that respond to a controlling server to generate attack
traffic against a victim server.
bps — Bits per second.
Bps — Bytes per second.
C
CA (Certificate Authority) — A third party that issues digital certificates for use by other parties. CAs are
characteristic of many public key infrastructure (PKI) schemes.
CAR (Committed Access Rate) — A tool for managing bandwidth that provides the same control as ACL
with the additional property that traffic can be regulated based on bandwidth usage rates in bits
per second.
CDN (Content Delivery Network) — A collection of web servers that contain duplicated content and
are distributed across multiple locations to deliver content to users based on proximity.
cflowd — Developed to collect and analyze the information available from NetFlow. It allows the user to
store the information and enables several views of the data. It produces port matrices, AS matrices,
network matrices, and pure flow structures.
CIDR (Classless Inter-Domain Routing) — Method for classifying and grouping internet addresses.
CLI (command line interface) — A user interface that uses a command line, such as a terminal or
console (as opposed to a graphical user interface).
client — The component of client/server computing that uses a service offered by a server.
cloud — A metaphor for the internet.
Cloud Signaling — Cloud Signaling is the process of requesting and receiving cloud-based mitigation of
volumetric attacks in real time from an upstream service provider.

Glossary
Cloud Signaling widget — A graphical element in the UI that allows the user to monitor the status of the
Cloud Signaling connection and mitigations in real time. It also allows the user to enable, activate,
and deactivate Cloud Signaling.
Common Event Format (CEF) — An open log management standard, which Arbor APS can use to
format syslog notifications.
CSV (comma-separated values) file — A file that stores spreadsheet or database information in plain
text, with one record on each line, and each field within the record separated by a comma.
customer — An ISP, ASP, or enterprise user of APS.
customer edge — The location at the customer premises of the router that connects to the provider edge
of one or more service provider networks.
customer edge router — A router within a customer's network that is connected to an ISP's customer
peering edge.
D
Dark IP — Regions of the IP address space that are reserved or known to be unused.
data center — A centralized facility that houses computer systems and associated components, such as
telecommunications and storage systems, and is used for processing or transmitting data.
DDoS (Distributed Denial of Service) — An interruption of network availability typically caused by

many, distributed malicious sources.
deployment mode — Indicates how APS is installed in the network: inline bridged, inline routed (layer 3
traffic; vAPS only), or out-of-line through a span port or network tap (monitor).
DNS (Domain Name System) — A system that translates numeric IP addresses into meaningful,
human-consumable names and vice-versa.
DNS server — A server that uses the Domain Name System (DNS) to translate or resolve human-readable
domain names and hostnames into the machine-readable IP addresses.
DoS (Denial of Service) — An interruption of network availability typically caused by malicious sources.
E
edge — The outer perimeter of a network.
encryption — The process by which plain text is scrambled in such a way as to hide its content.
Ethernet — A series of technologies used for communication on local area networks.
exploit — Tools intended to take advantage of security holes or inherent flaws in the design of network
applications, devices, or infrastructures.

F
fail closed — The hardware bypass mode in which APS disconnects the protection interfaces and does
not allow traffic to pass after a system failure occurs. The hardware bypass mode is set from the
CLI.
fail open — The hardware bypass mode in which APS allows unmonitored network traffic to bypass the
protection interfaces after a system failure occurs. The hardware bypass mode is set from CLI.
failover — A configuration of two devices so that if one device fails, the second device takes over the
duties of the first, ensuring continued service.
FCAP — A fingerprint expression language that describes and matches traffic information.
Fibre Channel — Gigabit-speed network technology primarily used for storage networking.
fidelity period — The maximum amount of time for which APS saves data in the connection database.
fingerprint — A pattern or profile of traffic that suggests or represents an attack. Also known as a
signature.
firewall — A security measure that monitors and controls the types of packets allowed in and out of a
network, based on a set of configured rules and filters.
FQDN (Fully Qualified Domain Name) — A complete domain name, including both the registered
domain name and any preceding node information.
FTP (File Transfer Protocol) — A TCP/IP protocol for transferring files across a network.
G
Gb — Gigabit.
GB — Gigabyte.
Gbps — Gigabits per second.
global protection level — Determines which protection settings are in use for an APS.
GMT (Greenwich Mean Time) — A world time standard that is deprecated and replaced by UTC.
GRE (Generic Routing Encapsulation) — A protocol that is used to transport packets from one
network through another network.
GRE tunnel — A logical interface whose endpoints are the tunnel source address and tunnel destination
address.
H
handshake — The process or action that establishes communication between two telecommunications
devices.
header — The data that appears at the beginning of a packet to provide information about the file or the
transmission.

Glossary
heartbeat — A periodic signal generated by hardware or software to indicate that it is still running.
host — A networked computer (client or server); in contrast to a router or switch.
HTTP (HyperText Transfer Protocol) — A protocol used to transfer or convey information on the
World Wide Web. Its original purpose was to provide a way to publish and retrieve HTML pages.
HTTPS (HyperText Transfer Protocol over SSL) — The combination of a normal HTTP interaction
over an encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) transport
mechanism.
I
ICMP (Internet Control Message Protocol) — An IP protocol that delivers error and control messages
between TCP/IP enabled network devices, for example, ping packets.
IMAP (Internet Message Access Protocol) — An application layer internet protocol that allows a local
client to access email on a remote server. (Also known as Internet Mail Access Protocol, Interactive
Mail Access Protocol, and Interim Mail Access Protocol.)
inactive mode — A state within an inline deployment mode, in which APS analyzes traffic and detects
attacks without performing mitigations.
inline mode — A deployment mode in which APS acts as a physical connection between two end points.
All of the traffic that traverses the network flows through APS.
interface — An interconnection between routers, switches, or hosts.
IP (Internet Protocol) — A connectionless network layer protocol used for packet delivery between
hosts and devices on a TCP/IP network.
IP address — A unique identifier for a host or device on a TCP/IP network.
IPS (Intrusion Prevention System) — A computer security device that exercises access control to
protect computers from exploitation.
ISP (Internet Service Provider) — A business or organization that provides to consumers access to the
internet and related services.
L
LAN (Local Area Network) — A typically small network that is confined to a small geographic space.
Log Event Extended Format (LEEF) — An event format that Arbor APS can use to format syslog
notifications.
K
Kbps — Kilobits per second.
M
MAC (Media Access Control) Address — A unique hardware number associated with a networking
device.

malformed — Refers to requests or packets that do not conform to the RFC standards for internet
protocol. Such requests or packets are often used in DoS attacks.
Mbps — Megabits per second.
MBps — Megabytes per second.
MIB (Management Information Base) — A database used by the SNMP protocol to manage devices
in a network. Your SNMP polling device uses this database to understand APS SNMP traps.
mitigation — The process of using recommendations to apply policies to the network to reduce the
effects of an attack.
monitor mode — A deployment mode in which APS is deployed out-of-line through a span port or
network tap. APS monitors traffic and detects attacks but does not mitigate the attacks.
MPLS (Multiprotocol Label Switching) — A packet-switching protocol developed by the Internet

Engineering Task Force (IETF) initially to improve switching speeds, but other benefits are now
seen as being more important.
MSSP (Managed Security Service Provider) — An internet service provider (ISP) that provides an
organization with network security management,
multicast — Protocols that address multiple IP addresses with a single packet (as opposed to unicast and
broadcast protocols).
N
NetFlow — A technology that Cisco Systems, Inc. developed to allow routers and other network devices to
periodically export information about current network conditions and traffic volumes.
netmask — A dotted quad notation number that routers use to determine which part of the address is
the network address and which part is the host address.
network tap — A hardware device that sends a copy of network traffic to another attached device for
passive monitoring.
NIC (Network Interface Card) — A hardware component that maintains a network interface
connection.
notification — An email message, SNMP trap, or syslog message that is sent to specified destinations to
communicate certain alerts.
NTP (Network Time Protocol) — A protocol that synchronizes clock times in a network of computers.
NXDomain — A response that results when DNS cannot resolve a domain name.
O
outbound threat filter — A group of protection settings that block malicious outbound traffic.
out-of-band — Communication signals that occur outside of the channels that are normally used for data.

Glossary
P
packet — A unit of data transmitted across the network that includes control information along with
actual content.
password — A secret code used to gain access to a computer system.
payload — The data in a packet that follows the TCP and UDP header data.
PCAP (packet capture) file — A file that consists of data packets that have been sent over a network.
ping — An ICMP request to determine if a host is responsive.
policy — The set of rules that network operators determine to be acceptable or unacceptable for their
network.
POP (Post Office Protocol) — A TCP/IP email protocol for retrieving messages from a remote server.
PoP (Point of Presence) — A physical connection between telecommunications networks.
port — A field in TCP and UDP packet headers that corresponds to an application level service (for
example TCP port 80 corresponds to HTTP).
pps — Packets per second.
prefix — The initial part of a network address, which is used in address delegation and routing.
protection category — A group of related protection settings that detect a specific type of attack traffic.
protection group — A collection of one or more protected hosts that are associated with a specific type
of server.
protection level — Defines the strength of protection against a network attack and the associated
intrusiveness and risk of blocking clean traffic. The protection level can be set globally or for
specific protection groups.
protection mode — A state within an inline deployment mode, in which the mitigations are either active
or inactive.
protection settings — The criteria by which APS defines clean traffic and attack traffic.
protocol — A well-defined language used by networking entities to communicate with one another.
R
RADIUS (Remote Authentication Dial In User Service) — A client/server protocol that enables
remote access servers to communicate with a central server to authenticate dial-in users and
authorize their access to the requested system or service.
rate limit — The number of requests, packets, bits, or other measurement of data that a host is allowed
to send within a specified amount of time.
RDN (Registered Domain Name) — A domain name as registered, without any preceding node
information (for example, “example.net” instead of www.example.net).

real time — When systems respond or data is supplied as events happen.
redundancy — The duplication of devices, services, or connections so that, in the event of a failure, the
duplicate item can perform the work of the item that failed.
refinement — The process of continually gathering information about anomalous activity that is
observed on a network.
regular expression — A standard set of rules for matching a specified pattern in text. Often abbreviated
as regex or regexp.
report — An informational page that presents data about a traffic type or event.
route — A path that a packet takes through a network.
router — A device that connects one network to another. Packets are forwarded from one router to
another until they reach their ultimate destination.
S
secret key — A secret that is shared only between a sender and receiver of data.
server type — A class of servers that APS protects and that is associated with one or more protection
groups.
shared secret — A word or phrase that APS Console uses to authenticate the internal communication
between itself and APS devices.
signature — A pattern or profile of traffic that suggests or represents an attack. Also known as a
fingerprint.
SIP (Standard Initiation Protocol) — An IP network protocol that is used for VoIP (Voice Over IP)
telephony.
SMTP (Simple Mail Transfer Protocol) — The de facto standard protocol for email transmissions
across the internet.
SNMP (Simple Network Management Protocol) — A standard protocol that allows routers and other
network devices to export information about their routing tables and other state information.
span port — A designated port on a network switch onto which traffic from other ports is mirrored.
spoofing — A situation in which one person or program successfully masquerades as another by

falsifying data (usually an IP address) and thereby gains an illegitimate advantage.
SSH (Secure Shell) — A command line interface and protocol for securely accessing a remote computer.
SSH is also known as Secure Socket Shell.
SSL (Secure Sockets Layer) — A protocol for secure communications on the internet for such things as
web browsing, email, instant messaging, and other data transfers.
SSL certificate — A file that is installed on a secure web server to identify a web site and verify that the
web site is secure and reliable.

Glossary
stacked graph — A graph in an Arbor Networks product that displays multiple types of data in a color-
coded stack.
STIX™ (Structured Threat Information eXpression) — A language that describes cyber threat
information in a standardized and structured manner.
syslog — A file that records certain events or all of the events that occur in a particular system. Also, a
service for logging data.
T
TACACS+ (Terminal Access Controller Access Control System +) — An authentication protocol
common to UNIX networks that allows a remote access server to forward a user’s login password
to an authentication server to determine whether that user is allowed to access a given system.
target — A victim host or network of a malicious denial of service (DoS) attack.
TAXII™ (Trusted Automated Exchange of Intelligence Information) — An application layer

protocol for the communication of cyber threat information in a simple and scalable manner.
TCP (Transmission Control Protocol) — A connection-based, transport protocol that provides reliable
delivery of packets across the internet.
TCP/IP — A suite of protocols that controls the delivery of messages across the internet.
throughput — The data transfer rate of a network or device.
TLS (Transport Layer Security) — An encryption protocol for the secure transmission of data over the
internet. TLS is based on, and has succeeded, SSL.
U
UDP (User Datagram Protocol) — An unreliable, connectionless, communication protocol.
unblock — To remove a source or destination from the temporarily blocked list without adding it to the
whitelist.
UNC (Universal Naming Convention) — A standard which originated from UNIX for identifying
servers, printers, and other resources in a network.
URI (Uniform Resource Identifier) — A protocol, login, host, port, path, etc. in a standard format used
to reference a network resource, (for example http://example.net/).
URL (Uniform Resource Locator) — Usually a synonym for URI.
UTC (Universal Time Coordinated) — The time zone at zero degrees longitude, which replaces GMT as
the world time standard.
V
vAPS — The virtual version of APS that is hardware-independent. vAPS contains all of the APS software
packages and configurations but does not require a physical APS appliance.

VLAN (Virtual Local Area Network) — Hosts connected in an infrastructure that simulates a local area
network, when the hosts are remotely located, or to segment a physical local network into smaller,
virtual pieces.
VoIP (Voice over Internet Protocol) — Routing voice communications (such as phone calls) through
an IP network.
volumetric attack — A type of DDoS attack that is generally high bandwidth and that originates from a
large number of geographically distributed bots.
VPN (Virtual Private Network) — A private communications network that is often used within a
company, or by several companies or organizations, to communicate confidentially over a public
network using encrypted tunnels.
vulnerability — A security weakness that could potentially be exploited.
W
WAN (Wide Area Network) — A computer network that covers a broad area. (Also Wireless Area
Network, meaning a wireless network.)
UI (User Interface) — A web-based interface for using an Arbor Networks product.
whitelist — A list of hosts whose traffic is passed without further inspection. To add a host to the whitelist.
widget — A graphical element in a user interface that displays information about an application and
allows the user to interact with the application.
X
XML (eXtensible Markup Language) — A metalanguage written in Standard Generalized Markup
Language (SGML) that allows one to design a markup language for easy interchange of documents
on the World Wide Web.

Index
appliance
A deleting offline appliances 89
Application Misbehavior settings 119
About page 23
APS
active protection mode
aggregated data 283
about 84
assigning to a protection group 238
for a protection group 85
communications with APS Console 15
for the outbound threat filter 85
configuring for APS Console management 76
Active Threat Level Analysis System
log in from APS Console 15
See ATLAS 52
managing from APS Console 14
AIF
total traffic 294
enabling updates 60
traffic status 294
proxy server configuration 61
unassigning protection group from 239
AIF (ATLAS Intelligence Feed)
viewing traffic activity for 199
about 52
APS Console
attack rules 52
build number 23
botnet signatures 52
communicating with APS 14
components 52
data synchronization with APS 78
geoip_countries 53
initial requirements 18
location data 53
license 23
reputation feed 52
managing APS devices 14
status 62
APS Console - APS synchronization
threat policies 52, 54
effect of restoring backups 82
traffic statistics 63
APSlocal protection group settings 240
AIF updates
Arbor Smart Bar 26
configuring 60
Arbor Technical Assistance Center, contacting 10
proxy server configuration 61
Arbor Threat Feed
alert notifications
See ATLAS Intelligence Feed 60
about 66
See ATLAS Intellligence Feed 52
configuring 68
ATAC, contacting 10
email 67
ATF
SNMP 67
See ATLAS Intelligence Feed 52
syslog 67
ATLAS confidence index
alerts
about 56
about 302
confidence value 56
bandwidth 223
ATLAS Intelligence Feed
category 302
threat categories 269
for system events 42
ATLAS Intelligence Feed (AIF)
ignoring 299, 303
about 52
removing from the Dashboard 299
Also see AIF 52
summary 304
attack rules 52
viewing all 304
botnet signatures 52
viewing on the Dashboard 297
components 52
Alerts page
geoip_countries 53
contents 306
location data 53
viewing 304
reputation feed 52

Index: ATLAS threat categories – CDN and Proxy Support settings
settings 120 blacklist

status 62 about 168
threat policies 52, 54 by protection group 170
traffic statistics 63 capacity 172
ATLAS threat categories country 211
about 54 domain 209
ATLAS threat category global 170
viewing 269 URL 207
Attack Categories view 200 blacklist, inbound
attack detection creating 174, 180
attack indicators 248 searching 177
source identification 255 settings 174
attack mitigation 244 viewing 177
attack rules, AIF 52 blacklist, outbound
audit trail searching 182
about 316 settings 180
configuring settings 41 viewing 182
default change message 41 Block Malformed DNS Traffic settings 124
enabling change messages 41 Block Malformed SIP Traffic settings 125
entering change messages 318 block traffic
exporting to CSV 320 about 168
log 319 by protection level 251
recent entries 313 by URL 206
summary 313 See also blacklist 168
viewing 319 blocked host
audit trail log in blocked hosts log 260
viewing AIF updates 62 blocked hosts
authentication total number 205
custom SSL certificate 47 blocked hosts log
DNS 129 about 260
contents 266
B page 260
searching 264
backup
viewing 262
about 330
blocked traffic
configuration data 332
attack categories 200
configuring 44
blocked traffic alert 223
manual 332
botnet alert 223
policy data 332
botnet attack
recurring remote 44, 330
preventing 126
scheduling 44
Botnet Prevention settings 126
settings 44
botnet signatures, AIF 52
backups
build number, APS Console 23
restoring 82
bandwidth alerts
about 223 C
baselines 223-224 capacity, blacklist and whitelist 172
blocked traffic 223 capture packets 274
botnet 223 capture traffic data 104
configuration 223-224 categories, protection 111
expiration 224 category, alerts 302
thresholds, about 223-224 category, threat
total traffic 223 about 54
baseline calculation 223-224 CDN and Proxy Support settings 128

Index: central management from APS Console – FCAP expressions
central management from APS Console

about 14 D
configuring 76
dashboard
data synchronization 78
active alerts 297
centralized report
APS traffic 294
descripton of 279
ignoring alerts 299
centralized reports
viewing network activity on 292
about 278
data synchronization with APS Console 78
configuring 283
debugging information 328
deleting 288
default
filtering the list of 287
protection group 218
managing 286
default logo 49
sorting the list of 288
details
viewing results for 286
attack categories 203, 205
change messages in audit trail 318
diagnostics package 328
command syntax 9, 342
DNS Authentication settings 129
comment in FCAP 344
DNS malformed 124
components of AIF 52
DNS NXDomain Rate Limiting settings 130
confidence index
DNS Rate Limiting settings 131
about 56
DNS Regular Expression settings 132
confidence value 56
documentation 8
confidence value
domains
about 56
blacklisting 209
configuring 122
unblocking 209
configuration and policy backup
viewing traffic for 208
about 330
download file 327
creating 332
Configure Notifications page 72
connection limit, TCP 150 E
connection status email notifications
ATLAS Intelligence Feed 62 about 67
context menu configuring 69
on Alerts page 306 examples 338
context menu icon ephemeral ports in Services view 214
opening the Blocked Hosts Log 262 error page 23
conventions, typographic examples
commands 9, 342 email notifications 338
countries traffic syslog notifications 339
blacklisting 211 export
unblocking 211 to PDF file 27
viewing by protection group 210
custom logo 49 F
custom protection groups 218 FCAP expressions
custom server type about 342
about 93 comment line 344
adding 98 direction 350
deleting 98 examples 351
duplicating 99 filter lists 160, 164
maximum allowed 92, 98 joining 349
settings, configuring 100 master filter lists 162
customer support, contacting 10 operators 349
reference 344
specifying direction 350

Index: files – malformed SIP
files idle TCP attack 151

deleting from an appliance 326 ignore alerts
downloading from an appliance 327 about 303
Files page 324 inactive protection mode
uploading to an appliance 326 about 84
viewing 326 for a protection group 85
filter lists for the outbound threat filter 85
about 160 inbound blacklist
per server type 164 creating 174
filter lists for server types, about 160 searching 177, 182
flood attack settings 174
ICMP 137 viewing 177
spoofed SYN flood 146-147 Inbound Blacklist page 174
SYN flood detection 153 inbound traffic
TCP SYN flood detection 153 viewing by type 195
UDP flood detection 158 inbound whitelist
Fragment Detection settings 133 creating 184
fragmentation attack 133 searching 186
settings 184
G viewing 186
Inbound Whitelist page 184
general settings
installed hardware information 23
configuring 32
installed software information 23
global blacklist 170
Invalid Packets category 202
global protection level
IP fragmentation attack 133
about 86
IP locations
changing 253
location data updates 53
global whitelist 170
viewing traffic by protection group 210
graph data
IPv4 prefix matching in protection groups 221
about 28
changing timeframe 28
minigraph 28 L
stacked 28 license agreements 23
unit of measure 28 limits
custom protection groups 218
H custom server types 92
List Protection Groups page
help
viewing 226
using 22
log
histograms 105
audit trail 319
hosts
log in
total number blocked 205
from APS Console 15
HTTP attack
UI 19
malformed 138
log out
slow 127
UI 19
HTTP Blocked Locations category 202
logo
HTTP Header Regular Expressions settings 134
default 49
HTTP malformed attack
logo, adding to UI 49
protection settings 138
HTTP Rate Limiting settings 135
HTTP Reporting settings 136 M
malformed DNS 124
I Malformed HTTP Filtering settings 138
malformed SIP 125
ICMP Flood Detection settings 137

Index: manual backup – protection categories
manual backup searching 190

about 330 settings 188
creating 332 viewing 190
master filter lists Outbound Whitelist page 188
about 160
configuring 162 P
menu bar 22
packet capture
minigraph 28
about 274
mitigation
capturing packets 275
about 244
uses 274
by blocking source 255
packets
manual 251
evaluating and processing 161
options 245
page, UI
when to mitigate manually 244
creating PDF 27
workflow 251, 255
emailing as PDF 27
mode
password
protection, see protection mode 84
changing 20
monitoring traffic 246
choosing 36
Multicast Blocking settings 139
criteria 36
requirements 36
N payload inspection, UDP 140
navigation Payload Regular Expression settings
controls 24 about 140
UI 22 PDF file
network activity creating from UI page 27
viewing on dashboard 292 emailing UI page 27
notification exporting centralized report as 286
SNMP 67 permanent blacklist 168
syslog 67 permanent whitelist 168
notifications ping exploitation 137
about 66 policy and configuration backup 332
adding and editing 68 ports
email 67, 69 ephemeral 214
email examples 338 prefix matching
SNMP 69 IPv4 221
syslog 70 IPv6 221
syslog examples 339 prefix matching in protection groups 221
viewing 72 Private Address Blocking settings 143
private IP address 143
O profiling
changes made to protection categories 102
offline appliance 89
profiling traffic
outbound blacklist
about 102
creating 180
viewing data 105
settings 180
protected host
viewing 182
about 219
outbound Blacklist page 180
protection categories
outbound threat filter
about 111
configuring 113, 115
blocked traffic 200
filter lists 164
configuring from traffic profiles 105
protection level 253
configuring settings 100
protection mode 84-85
restoring default settings 108
outbound whitelist
creating 188

Index: protection group – routine monitoring
protection group protection settings

about 218 about 111
adding 231 categories 111
assigning APS to 238 configuring 100
blacklist 170 configuring from traffic profiles 105
custom 218 protection level 86, 112
default 218 restoring defaults 108
deleting 232 when to change 112
domain traffic 208 protocols, top 10 212
editing 231 proxy server
prefix matching 221 for AIF 61
removing from APS 239 proxy support settings 128
searching for 226 publications 8
settings 233
settings, configuring from traffic profiles 105 R
settings, restoring 108
Rate-based Blocking settings 144
top countries 210
rate-based protection categories
top protocols 212
changes for profiling 102
top services 214
rate limit
top URLs 206
any source host 144
traffic summary 197
DNS 131
viewing 225
DNS NXDomain 130
viewing traffic for 194
HTTP 135
whitelist 170
SIP 145
protection group protection level
traffic shaping 157
about 86
recurring remote backups
changing 253
about 330
changing from APS Console 253
creating 44
protection group protection mode
regular expression
changing 85
DNS 132
HTTP header 134
protection group settings
payload 140
original 240
reports
overriding 240
aggregated 286
revert to original 240
aggregated APS data 283
protection groups
custom date range 285
limits 218
reports, centralized
protection level
about 278
about 86
configuring 283
changing 253
deleting 288
description of 279
for protection settings 86, 112
exporting as PDF file 286
global 86
filtering the list of 287
protection group level 86
managing 286
recommendations 88
sorting the list of 288
viewing 87
viewing results for 286
protection mode
reputation feed, AIF 52
about 84
requirements
active and inactive 84
APS Console 18
changing by protection group 85
restoring backups
affect on synchronization 82
protection mode, outbound threat filter
routine monitoring 246
about 84
changing 85

Index: scheduled backups – traffic
syntax
S FCAP expressions 342
syntax, commands 9, 342
scheduled backups
syslog notifications
about 330
about 67
configuring 44
configuring 70
search engine
examples 339
web crawler support 59
system alerts
server types
configuring 42
about 92
System Information summary 311
adding 98
custom server types 98
deleting 98 T
duplicating 99 tables
filter lists for 160, 164 sorting by column 24
limits 92 TCP
restoring default settings 108 idle connections 151
settings, configuring 100 payload inspection 140
standard server types 92 TCP Connection Limiting settings 150
viewing 96 TCP Connection Reset settings 151
Server Types page 100 TCP SYN Flood Detection settings 153
services traffic 214 temporarily blocked hosts
sign-on in blocked hosts log 260
from APS Console 15 temporarily blocked sources
SIP malformed 125 in blocked hosts log 260
SIP Request Limiting settings 145 temporary ports in Services view 214
slow HTTP attack threat
preventing 127 blocked 269
SNMP notifications threat categories, ATLAS
about 67 about 54
configuring 69 threat category
SNMP polling viewing 269
about 34 threat policies, AIF 52
agent community 32, 35 threat policy, ATLAS
enabling 34 about 54
source of attack 255 categories 54
Spoofed SYN Flood Prevention settings 146 confidence index 56
automating 147 confidence value 56
SSL threshold, bandwidth alerts
attack, prevention 155 about 223-224
certificate, custom 47 timeframe, display
stacked graph 28 blocked hosts log 264
standard server types 92 changing 28
status View Protection Group page 194
ATLAS Intelligence Feed 62 TLS Attack Prevention settings 155
Summary page top domains per protection group 208
audit trail information 313 top IP locations per protection group 210
System Information 311 top protocols per protection group 212
viewing 310 top services per protection group 214
support, contacting 10 top URLs per protection group 206
SYN flood total traffic alert 223
spoofed 146-147 traffic
TCP 153 blocking, see block traffic 168
monitoring 246

Index: traffic alert – workflow
statistics, ATLAS Intelligence Feed 63 blacklisting domains 209

viewing for protection group 194 blacklisting URLs 207
traffic alert 223 unblocking countries 211
traffic data unblocking domains 209
filtering by APS 199 unblocking URLs 207
traffic profile viewing AIF updates 62
about 102 VoIP attack, preventing 145
capturing 104
stopping 104 W
viewing 105
web crawler support
traffic profile capture
about 59
changes for 102
Web Traffic By Domain
Traffic Shaping settings 157
disabling 136
traffic status, viewing 294
viewing 208
traffic summary for protection group 197
Web Traffic By URL
transient ports in Services view 214
disabling 136
typographic conventions
viewing 206
commands 9, 342
web UI
custom logo 49
U whitelist
UDP Flood Detection settings 158 about 168
UDP payload inspection 140 by protection group 170
UI capacity 172
about 16 global 170
log into and out of 19 whitelist, inbound
navigating 22 creating 184
unblock searching 186
country 211 settings 184
domain 209 viewing 186
URL 207 whitelist, outbound
unit of measure, graphs 28 creating 188
upload file 326 searching 190
URL settings 188
blacklisting 207 viewing 190
unblocking 207 workflow
viewing traffic for 206 manual mitigation 251
user account mitigation 255
about 36 routine system monitoring 246
adding 39
configuring 39
deleting 40
editing your account 20
password 36
user group, about 38
username
APS Console 15
entering 39
requirements 39
V
version number, APS Console 23
View Protection Group page 194
blacklisting countries 211

End User License Agreement
The end user license agreement (EULA) contains updated terms and conditions with respect to
your license of Arbor product and services and is deemed to replace any previous license terms
provided with respect thereto; provided, however, if you and Arbor have executed a direct
agreement, such direct agreement shall govern your license of Arbor product and services.
To read the complete end user license agreement online, click one of the following links:
Links to the EULA

Products EULA link
Arbor APS, Arbor https://www.netscout.com/cloud-and-managed-services-eula
Sightline, and Arbor
Threat Mitigation
System
Arbor Edge Defense https://www.netscout.com/sites/default/files/2018-06/NetScout-

and Edge Defense Systems-End-User-Product-License-Agreement.pdf
Manager

NETSCOUT Arbor APSConsole 6.3 User Guide PDF

Uploaded by

Copyright:

Available Formats

NETSCOUT Arbor APSConsole 6.3 User Guide PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NETSCOUT Arbor APSConsole 6.3 User Guide PDF

Uploaded by

Copyright:

Available Formats

Arbor APS Console

Part I: APS Console Overview

Part II: APS Console Configuration

APS Console User Guide, Version 6.3 3

Part III: APS Management

4 Proprietary and Confidential Information of Arbor Networks, Inc.

Proprietary and Confidential Information of Arbor Networks, Inc. 5

Configuring On-Demand Centralized Reports 283

Part IV: Network Management

Part V: APS Console Maintenance and Management

End User License Agreement 371

6 Proprietary and Confidential Information of Arbor Networks, Inc.

About the APS Console Documentation 8

APS Console User Guide, Version 6.3 7

About the APS Console Documentation

APS Console Information about configuring advanced settings in APS Console,

8 Proprietary and Confidential Information of Arbor Networks, Inc.

Conventions for commands and expressions

Monospaced A variable for which you must supply a value.

{ } (braces) A set of choices for options or variables, one of which is required.

| (vertical bar) Separates the mutually exclusive options or variables.

Proprietary and Confidential Information of Arbor Networks, Inc. 9

Contacting the Arbor Technical Assistance Center

n Phone worldwide — +1 781 362 4301

Submitting documentation comments

n Document number (listed on the reverse side of the title page)

APS Console User Guide

10 Proprietary and Confidential Information of Arbor Networks, Inc.

12 Proprietary and Confidential Information of Arbor Networks, Inc.

About Managing APS Devices from APS Console 14

APS Console User Guide, Version 6.3 13

About Managing APS Devices from APS Console

APS Console features

APS management tasks

See “1About the APS Console - APS Data Synchronization” on page 78.

14 Proprietary and Confidential Information of Arbor Networks, Inc.

Communication between APS Console and APS

Proprietary and Confidential Information of Arbor Networks, Inc. 15

About the APS Console User Interfaces

About the CLI

16 Proprietary and Confidential Information of Arbor Networks, Inc.

Before You Begin to Use APS Console 18

APS Console User Guide, Version 6.3 17

Before You Begin to Use APS Console

n connected and configured your APS devices

Supported web browsers

Logging in as a new user

18 Proprietary and Confidential Information of Arbor Networks, Inc.

Logging in to and out of the APS Console UI

Logging in as a new user

Accepting the certificate

Logging in to the APS Console UI

To log in to the APS Console UI:

Logging out of the APS Console UI

Proprietary and Confidential Information of Arbor Networks, Inc. 19

Editing Your User Account

When to change your password

Editing your account

User account settings